Information Security Engineer Soft Exam, Chapter 18: Network Security Evaluation Technology and Standards

1. Overview of Network Security Evaluation

  Network security evaluation provides security quality assurance for network information systems and IT technology products.

  Network security evaluation refers to obtaining information about the network security status of an evaluation object through a series of technical and management methods, in accordance with defined standards and specifications, and giving a comprehensive judgment on its network security situation. The objects of network security evaluation are usually the constituent elements of an information system, or the information system itself, as shown in the figure.

[figure: objects of network security evaluation]

2. Types of network security assessment

2.1 Classification based on assessment objectives

  According to the target of the assessment, network security assessment can be divided into the following three types:

  (1) Network information system security level evaluation is the activity of evaluating the security level protection status of information systems that do not involve state secrets, in accordance with the relevant laws and regulations on national network security level protection and with the relevant management norms and technical standards. It mainly detects and evaluates whether the information system meets the requirements of its determined security level in terms of security technology and security management. For information systems that do not meet the requirements, it analyzes and evaluates their potential threats, weak links and existing security protection measures, comprehensively considers the importance of the system and the security threats it faces, puts forward corresponding rectification suggestions, and, after the system has been rectified, carries out re-testing and confirmation to ensure that the security protection measures of the network information system meet the basic security requirements of the corresponding security level. At present, network information system security level evaluation adopts the network security level protection 2.0 standard.

  (2) Network information system security acceptance evaluation is carried out according to the requirements of relevant policy documents, following the principles of openness, fairness and justice. Based on the acceptance objectives and scope applied for by the user, combined with the objectives and assessment indicators of the project's security construction plan, security testing and evaluation are performed on the implementation status of the project to determine whether it meets the security technical indicators and security assessment objectives in the acceptance requirements, providing a reference for overall system acceptance and the next step of security planning.

  (3) Network information system security risk assessment evaluates, from the perspective of risk management, the threats faced by the system and the likelihood that vulnerabilities lead to security incidents, and judges the impact on the system once an incident occurs by taking into account the value of the assets involved. It puts forward targeted methods and measures to resist threats, controls risk within an acceptable range, achieves the goal of stable system operation, and provides a technical reference for ensuring the secure construction and stable operation of the information system. Risk assessment is carried out from two aspects, technology and management. Its main contents include system investigation, asset analysis, threat analysis, technical and management vulnerability analysis, security function testing and risk analysis; it concludes with a risk assessment report and security recommendations.

2.2 Classification based on assessment content

  According to the elements of the network information system, network security evaluation can be divided into two types: technical security evaluation and management security evaluation. Technical security evaluation mainly covers security testing and evaluation of the physical environment, network communication, operating system, database system, application system, data and storage system and other related technologies. Management security evaluation mainly covers security assessment of management institutions, management systems, management processes, personnel management, system construction, and system operation and maintenance.

2.3 Classification based on implementation

  According to the implementation method, network security assessment mainly includes security function testing, security management testing, code management testing, code security auditing, security penetration testing, information system attack testing, etc.

  (1) Security function testing: based on the security objectives and design requirements of the network information system, evaluate the implementation status of the system's security functions and check whether they meet those objectives and design requirements.

  (2) Security management testing: according to the management objectives of the network information system, check and analyze the security status of the management elements and mechanisms, and evaluate whether security management meets the system's security management objectives. The main methods are interviews and research, on-site inspection, document review, security baseline comparison, social engineering, etc.

  (3) Code security review is the process of statically scanning and reviewing custom-developed application source code to identify coding defects and vulnerabilities that may lead to security problems.

  (4) Security penetration testing: by simulating a hacker's penetration of the target system, discover, analyze and verify security risks such as host security vulnerabilities, sensitive information leakage, SQL injection, cross-site scripting and weak passwords, evaluate the system's ability to resist attacks, and propose security hardening suggestions.

  (5) Information system attack testing: analyze the existing protection equipment and technology of the application system according to the attack test requirements put forward by the user, determine the attack test plan and test content, use dedicated test equipment and test software to test the application system's resistance to attacks, and issue a corresponding test report. Test indicators include the types of attacks defended against and the defensive capability, for example against denial of service attacks and malicious code attacks.

2.4 Classification based on confidentiality of evaluation objects

  • Secret-related information system evaluation: based on national confidentiality standards and from the perspective of risk assessment, scientific analysis methods and effective technical means are used to analyze the threats to and existing vulnerabilities of secret-related information systems, discover hidden security and confidentiality risks in the system, and at the same time propose targeted protection strategies and safeguards, providing a scientific basis for the administrative approval of confidential information systems by the national confidentiality department.
  • Non-confidential information system evaluation: based on public national information security standards, industry standards, information security specifications or business information security requirements, network security technical methods and tools are used to analyze the network security threats and potential hazards faced by the information system; a comprehensive assessment of the network security status and improvement suggestions are given to guide the information security construction and assurance work of the relevant departments.

3. Network security evaluation process and content

3.1 Evaluation process and content of network security level protection

  The network security level protection evaluation process and content are shown in the figure below.

[figure: network security level protection evaluation process]

  According to the network security level protection 2.0 standard specification, the network information system security level evaluation process includes four basic evaluation activities: evaluation preparation, plan preparation, on-site evaluation, and report preparation.

3.2 Process and content of network security penetration testing

  The network security penetration testing process can be divided into five stages: engagement acceptance, preparation, implementation, comprehensive evaluation, and conclusion, as shown in the figure.

[figure: network security penetration testing process]

4. Network Security Evaluation Technology and Tools

(1) Vulnerability scanning

  Vulnerability scanning is often used to obtain information about the security vulnerabilities of evaluation objects. Commonly used vulnerability scanning tools include network vulnerability scanners, host vulnerability scanners, database vulnerability scanners, and web application vulnerability scanners. A network vulnerability scanner obtains vulnerability information about the evaluation object through remote network access; common network vulnerability scanning tools include Nmap, Nessus, and OpenVAS. Typical host vulnerability scanning tools include Microsoft Security Baseline Analyzer and COPS. Database vulnerability scanning tools include the Anhuajin database vulnerability scanning system (a commercial product), THC-Hydra, SQLMap, etc. Web application vulnerability scanners include w3af (open source), Nikto, AppScan, AWVS, etc.

(2) Security penetration testing

  Security penetration testing simulates hacker attacks on the test object to verify the effectiveness of its security protection mechanisms. According to the amount of information provided about the evaluation object, security penetration testing can be divided into three categories:

  • Black box testing: only the target address needs to be provided, and the test team is authorized to test from a designated test point. (Initially, only the identity of the target to be tested is known.)
  • White box testing: test object information must be provided in as much detail as possible. Based on the information obtained, the test team formulates a dedicated penetration plan to conduct high-level security testing of the system. This method is suitable for simulating advanced persistent threat actors.
  • Gray box testing: part of the test object information needs to be provided, and the test team simulates threat actors of different levels to penetrate the system based on the information obtained. This method is suitable for mobile banking and code security testing.

  Commonly used tools for security penetration testing include Metasploit, dictionary generators, GDB, BackTrack 4, Burp Suite, OllyDbg, IDA Pro, etc.

(3) Code security review

  Code security review refers to the security compliance inspection of the source code or binary code of the evaluation object against secure programming specifications and business security specifications such as those for C, Java, and OWASP. Commonly used code security inspection tools include HP Fortify, FindBugs, PMD, 360 Code Guard, etc.

(4) Protocol analysis

Protocol analysis is used to examine the security of a protocol. Common protocol analysis tools include TCPDump and Wireshark.

  TCPDump is a powerful command-line network protocol analysis tool with flexible packet filtering rules. The functions of the TCPDump command are shown in the figure below.

[figure: functions of the TCPDump command]

There are generally three types of keywords in a TCPDump expression.

(1) Type keywords, mainly host, net and port:

  • host specifies a host, e.g. host 192.168.1.1
  • net specifies a network address (network segment), e.g. net 192.168.1.0
  • port specifies a port, e.g. port 23

(Note: if no type is specified, the default type is host.)

(2) Transmission direction keywords, mainly src, dst, dst or src, and dst and src; these keywords indicate the transmission direction of the communication. For example:

  • src 192.168.1.1: src is followed by the source address
  • dst net 192.168.1.0: specifies the destination network
  • If no direction keyword is specified, the default is src or dst

(3) Protocol keywords indicate the protocol of the monitored packets, mainly FDDI, IP, ARP, RARP, TCP, UDP and other types.

# tcpdump is very flexible to use; the following examples illustrate this.
# (1) Capture all packets received and sent by host 1.1.1.1
tcpdump host 1.1.1.1

# (2) Capture the communication between host 1.1.1.1 and host 1.1.1.2 or host 1.1.1.3
#     (when parentheses are used in the command, they must be escaped with "\")
tcpdump host 1.1.1.1 and \(1.1.1.2 or 1.1.1.3\)

# (3) Capture IP packets exchanged between host 1.1.1.1 and every host other than 1.1.1.2
tcpdump ip host 1.1.1.1 and ! 1.1.1.2

# (4) Capture Telnet packets received or sent by host 1.1.1.1
tcpdump tcp port 23 and host 1.1.1.1
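As an added example (not from the original post), here is a small Python evaluator for the filter syntax described above, run over constructed packet records instead of a live capture, so the rules (default type host, default direction src or dst, qualifier inheritance in "host A and B", and/or/not, parentheses) can be checked offline. The packet dictionaries and their field names (proto, src, dst, sport, dport) are an assumption of the example, not part of tcpdump.

```python
import ipaddress
import re
# Added example (not from the page): evaluates a tcpdump-style filter against a constructed
# packet record, with type/direction/protocol keywords, tcpdump's defaults (type host,
# direction "src or dst"), qualifier inheritance ("host A and B"), not/and/or and parentheses.
TYPES, DIRS = {"host", "net", "port"}, {"src", "dst"}
PROTOS = {"ip", "tcp", "udp", "arp", "rarp", "fddi"}
def net_of(value):                     # bare network: mask inferred from trailing zero octets
    if "/" not in value:
        octets = re.sub(r"(\.0)+$", "", value).count(".") + 1
        value = f"{value}/{8 * octets}"
    return ipaddress.ip_network(value, strict=False)
def match_primitive(pkt, direction, qtype, value):
    hit = {"port": lambda f: pkt.get(f[0] + "port") == int(value),         # sport / dport
           "net": lambda f: ipaddress.ip_address(pkt[f]) in net_of(value),
           }.get(qtype, lambda f: pkt[f] == value)                          # host is the default
    return any(hit(f) for f in ([direction] if direction else ["src", "dst"]))

def matches(expr, pkt):
    toks, state = re.findall(r"\(|\)|[^\s()]+", expr), {"pos": 0, "dir": None, "type": None}
    peek = lambda: toks[state["pos"]] if state["pos"] < len(toks) else None
    def take(): state["pos"] += 1; return toks[state["pos"] - 1]
    def binop(op, sub):                # sub (op sub)*; the right-hand side is always parsed
        ok = sub()
        while peek() == op:
            take(); ok = (sub() and ok) if op == "and" else (sub() or ok)
        return ok
    expression = lambda: binop("or", lambda: binop("and", term))   # "and" binds tighter
    def term():                        # ["not" | "!"] ( "(" expression ")" | primitive )
        negate = False
        while peek() in ("not", "!"):
            take(); negate = not negate
        if peek() == "(":
            take(); ok = expression(); take()
        else:
            ok = primitive()
        return ok != negate
    def primitive():
        ok, tok = True, take()
        if tok in PROTOS:              # protocol alone ("tcp") or as a qualifier ("ip host A")
            ok = pkt["proto"] == tok or (tok == "ip" and pkt["proto"] in ("tcp", "udp"))
            if peek() in (None, "and", "or", ")"): return ok
            tok = take()
        if tok in DIRS:                # qualifiers persist, so "host A and B" means host B too
            state["dir"], tok = tok, take()
        if tok in TYPES:
            state["type"], tok = tok, take()
        return ok and match_primitive(pkt, state["dir"], state["type"], tok)
    return expression()
```

The shell backslashes in example (2) above are only there to keep the shell from interpreting the parentheses; the expression handed to the evaluator is the unescaped form.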

(5) Performance test

  Performance testing is used to evaluate the performance status of the evaluation object, and to check the performance pressure it is under or the impact of security measures on performance. Commonly used performance testing tools include performance monitoring tools (built into the operating system), Apache JMeter (open source), LoadRunner (commercial), SmartBits (commercial), etc.

5. Quality management and standards for network security evaluation

  • Quality management of network security evaluation is the basic work underpinning the credibility of evaluation. It mainly includes establishing the quality management system of the evaluation institution, managing the personnel who carry out evaluations, managing evaluation equipment, managing evaluation methods, controlling evaluation documents, controlling non-conforming evaluation work, supervising system operation, and continuous improvement. At present, the main international standard for establishing the quality management system of an evaluation institution is ISO 9000. The China National Accreditation Service for Conformity Assessment (CNAS) is responsible for the accreditation of certification bodies, laboratories, inspection bodies and other relevant units, and confirms the quality management system and technical capability of institutions applying for accreditation.
  • Network security standards are the basis of evaluation work. At present, domestic information security evaluation standards can be divided into information system security level protection evaluation standards, product evaluation standards, risk assessment standards, cryptographic application security standards, industrial control system information security protection capability evaluation standards, etc.

Reprinted from: blog.csdn.net/qq_43632414/article/details/127395560