Information security: Principles and applications of network security vulnerability protection technology.


Network security vulnerabilities, also called weaknesses or simply vulnerabilities, are defects that allow the security policy of a network information system to be violated. Such defects are often referred to as security risks.

The main impacts of security vulnerabilities include loss of confidentiality, damage to integrity, reduced availability, loss of non-repudiation, reduced controllability, and loss of authenticity.

According to patch status, vulnerabilities can be divided into ordinary vulnerabilities (a fix is available) and zero-day vulnerabilities (the vendor has not yet released a fix, so defenders have "zero days" of protection).


Contents

Overview of cybersecurity vulnerabilities:

(1) Network security vulnerability threats:

(2) Current status of network security vulnerabilities:

Classification and management of network security vulnerabilities:

(1) Sources of network security vulnerabilities:

(2) Classification of network security vulnerabilities:

(3) Network security vulnerability release:

(4) Obtaining network security vulnerability information:

(5) Network security vulnerability management process:

Network security vulnerability scanning technology and applications:

(1) Network security vulnerability scanning:

Network security vulnerability disposal technology and applications:

(1) Network security vulnerability discovery technology:

(2) Network security vulnerability patching technology:

(3) Network security vulnerability exploitation prevention technology:

Main products and technical indicators of network security vulnerability protection:

(1) Network security vulnerability scanner:

(2) Network security vulnerability service platform:

(3) Network security vulnerability protection gateway:    


Overview of cybersecurity vulnerabilities:

(1) Network security vulnerability threats:

The security threats that attackers pose to network systems by exploiting vulnerabilities mainly include leakage of sensitive information, unauthorized access, identity impersonation, and denial of service.

Vulnerabilities threaten the security of network systems at all times. One of the key issues in achieving network system security is therefore solving the vulnerability problem, including vulnerability detection, vulnerability patching and vulnerability prevention.


(2) Current status of network security vulnerabilities:

Product vulnerabilities in network information systems have become a common security issue.

At present, the relevant departments in China have established the National Information Security Vulnerability Database (CNNVD) and the National Information Security Vulnerability Sharing Platform (CNVD) to handle vulnerability management, and have formulated and issued a series of vulnerability standards, mainly including Information Security Technology: Security Vulnerability Classification (GB/T 33561-2017), Information Security Technology: Guidelines for Security Vulnerability Severity Classification (GB/T 30279-2013), Information Security Technology: Security Vulnerability Identification and Description Specification (GB/T 28458-2012) and Information Security Technology: Information Security Vulnerability Management Specification (GB/T 30276-2013).

Classification and management of network security vulnerabilities:

(1) Sources of network security vulnerabilities:

The vulnerabilities of network information systems mainly come from two aspects. On one hand there are technical security vulnerabilities, which mainly involve network structure, communication protocols, equipment, software products, system configuration, application systems and so on; on the other hand there are non-technical security vulnerabilities, which involve the management organization structure, management systems, management processes, personnel management and so on.

(2) Classification of network security vulnerabilities:

1. CVE vulnerability classification:
   
CVE (Common Vulnerabilities and Exposures) is a dictionary of security vulnerabilities built and maintained by the MITRE Corporation in the United States. CVE gives each publicly disclosed security vulnerability a unique identifier (of the form CVE-YYYY-NNNN) and a standardized description; its goal is to make sharing vulnerability data easier.

2. CVSS vulnerability scoring standard:

CVSS (Common Vulnerability Scoring System) is a common vulnerability scoring system. Its score is made up of a base metric score, a temporal metric score and an environmental metric score.

Base metric score: determined by attack vector, attack complexity, privileges required, user interaction, scope, and the confidentiality, integrity and availability impact.

Temporal metric score: determined by exploit code maturity, remediation level and report confidence.

Environmental metric score: determined by the confidentiality, integrity and availability requirements of the deploying organization, together with modified base metrics (the base metrics adjusted to the actual environment).

3. Classification of information security vulnerabilities in China:

National Information Security Vulnerability Database (CNNVD) vulnerability classification:
   
CNNVD divides information security vulnerabilities into: configuration errors, code issues, resource management errors, numeric errors, information leakage, race conditions, input validation, buffer errors, format strings, cross-site scripting, path traversal, link following, SQL injection, code injection, command injection, operating system command injection, security feature issues, authorization issues, trust management, cryptographic issues, insufficient verification of data authenticity, cross-site request forgery, permissions and access control, access control errors, and insufficient information.
   

National Information Security Vulnerability Sharing Platform (CNVD) vulnerability classification:

CNVD divides vulnerabilities into 11 types according to their cause: input validation errors, access validation errors, unexpected condition handling errors, boundary condition errors, configuration errors, race conditions, environment errors, design errors, buffer errors, other errors, and unknown errors.

OWASP TOP 10 vulnerability classification:
   
The OWASP (Open Web Application Security Project) organization publishes a list of the ten most critical security risks in web applications (the OWASP Top 10).

(3) Network security vulnerability release:

Security vulnerability publishing is generally performed by software and hardware developers, security organizations, hackers or users.

The main channels for publishing vulnerabilities are websites, email and security forums.

Published vulnerability information generally includes the vulnerability number, release date, severity level, vulnerability name, affected platforms, and suggested remediation.

(4) Obtaining network security vulnerability information:

There are four main sources of vulnerability information at home and abroad: first, network security emergency response organizations; second, network security vendors; third, IT product or system providers; fourth, network security organizations.
   
1. CERT:

The CERT Coordination Center (CERT/CC), set up at Carnegie Mellon University's Software Engineering Institute in 1988, was the world's first computer security emergency response organization.

2. SecurityFocus vulnerability database:

The SecurityFocus vulnerability database is a vulnerability information database developed and maintained by SecurityFocus; it organized many originally scattered computer security discussion results into a structured database.

3. National Information Security Vulnerability Database CNNVD

CNNVD is the national information security vulnerability data management platform built, operated and maintained by the China Information Technology Security Evaluation Center (hereinafter "the Evaluation Center") in order to carry out its vulnerability analysis and risk assessment functions; it is intended to serve national information security assurance.

4. National Information Security Vulnerability Sharing Platform CNVD

The National Information Security Vulnerability Sharing Platform (CNVD) is an information security vulnerability sharing knowledge base established by the National Computer Network Emergency Response Technical Team/Coordination Center of China (CNCERT/CC) together with major domestic information system operators, basic telecommunications operators, network security vendors, software vendors and Internet companies.

5. Vendor vulnerability information

Vendor vulnerability information is the security vulnerability information that a vendor publishes about its own products.


(5) Network security vulnerability management process:

1. Confirmation of network information system assets: conduct a thorough inventory of the assets in the network information system and establish information asset records.

2. Collection of network security vulnerability information: use vulnerability tools or manual methods to collect and organize security vulnerability information about the system's assets, including vulnerability types, current patch levels and affected assets.

3. Network security vulnerability assessment: vulnerabilities and the threats they pose can be assessed quantitatively with the internationally common CVSS, whose maximum score is 10; the higher a vulnerability's CVSS score, the greater the threat it poses.

4. Elimination and control of network security vulnerabilities: common methods are installing patch packages, upgrading the system, updating IPS/IDS signature databases, and changing management processes.

5. Tracking of network security vulnerability changes: security administrators must continuously track the status of vulnerabilities and patch the vulnerabilities in information systems.


Network security vulnerability scanning technology and applications:

(1) Network security vulnerability scanning:

Network security vulnerability scanning is a technology for detecting vulnerabilities in a system; software or a device with this function is called a vulnerability scanner. A vulnerability scanner checks remotely or locally whether known vulnerabilities exist in the system. Vulnerability scanners generally consist of a user interface, a scanning engine, scan result analysis, and a vulnerability information and configuration parameter library as their main functional modules:
   
User interface: accepts and processes user input, customizes scan policies, starts and terminates scan operations, analyzes scan result reports, and displays the scanner's running status.

Scan engine: The scan engine responds to and processes user interface operation instructions, reads the scanning policy and executes the scanning task, and saves the scan result.
  
Vulnerability scan result analysis:Read the scan result information and form a scan report.  
   
Vulnerability information and configuration parameter library: stores and manages network security vulnerability information and scan policy configuration, and provides query and management functions for vulnerability-related data.

Vulnerability scanners are mainly divided into three types: host vulnerability scanners, network vulnerability scanners and dedicated vulnerability scanners:

Host Vulnerability Scanner:

A host vulnerability scanner works without establishing a network connection. Its principle is to detect vulnerabilities such as improper configuration, weak user passwords and vulnerable software versions by checking the contents and security attributes of key files on the local system. It runs on the same host as the target system and can only perform stand-alone detection.

Network Vulnerability Scanner:
  
A network vulnerability scanner establishes a network connection with the target machine and then sends specific network requests to check for vulnerabilities. The difference from a host vulnerability scanner is precisely that a network connection to the scanned target is required. Network vulnerability scanners make it convenient to inspect networked targets remotely. However, because they have no local access to the target system, they can only obtain limited information about it, and their checking capability is limited to what can be probed through network services such as Web, FTP, Telnet, SSH, POP3, SMTP and SNMP.
   
Dedicated vulnerability scanner:
    
Dedicated vulnerability scanners are security vulnerability checking tools for specific kinds of systems, such as database vulnerability scanners, network device vulnerability scanners, web vulnerability scanners and industrial control system vulnerability scanners.
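The host-side and network-side principles described above, as an added example (not code from the original page): the host check reads a configuration body locally and flags weak directive values, while the network check opens a TCP connection, reads the service banner and compares the announced version against a signature library. The sample sshd_config text, the "ExampleFTPd" service and its signature entry are constructed for this example and do not refer to any real advisory; the OpenSSH directive names are real.

```python
import re
import socket
import threading

# --- Host-side check: inspect a configuration file's contents locally. ---
# Constructed sample; a real host scanner would read /etc/ssh/sshd_config.
SAMPLE_SSHD_CONFIG = """\
# sample sshd_config (constructed)
Port 22
PermitRootLogin yes
PasswordAuthentication yes
PermitEmptyPasswords no
"""

# (directive, weak values, finding text). The directives are real OpenSSH
# options; the rule set is a small sample, not a complete benchmark.
HOST_RULES = [
    ("PermitRootLogin", {"yes"}, "direct root login over SSH is allowed"),
    ("PasswordAuthentication", {"yes"}, "password logins enabled (brute-force exposure)"),
    ("PermitEmptyPasswords", {"yes"}, "empty passwords are accepted"),
]


def check_sshd_config(text: str) -> list:
    """Return findings for weak directive values in an sshd_config body."""
    settings = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, value = line.partition(" ")
        settings[key.lower()] = value.strip().lower()  # sshd keywords are case-insensitive
    return [f"{d}: {msg}" for d, weak, msg in HOST_RULES if settings.get(d.lower()) in weak]


# --- Network-side check: connect, read the banner, match known versions. ---
# Hypothetical signature: (regex with version group, highest affected version, note).
NET_SIGNATURES = [
    (re.compile(r"ExampleFTPd (\d+\.\d+\.\d+)"), (2, 4, 1), "ExampleFTPd <= 2.4.1 (constructed entry)"),
]


def version_tuple(s: str) -> tuple:
    return tuple(int(x) for x in s.split("."))


def grab_banner(host: str, port: int, timeout: float = 2.0) -> str:
    """Open a TCP connection and read whatever the service announces first."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        return s.recv(256).decode("ascii", "replace").strip()


def match_banner(banner: str) -> list:
    findings = []
    for pattern, max_affected, note in NET_SIGNATURES:
        m = pattern.search(banner)
        if m and version_tuple(m.group(1)) <= max_affected:
            findings.append(note)
    return findings


def fake_service(banner: bytes) -> int:
    """Start a throwaway localhost listener that sends one banner; returns its port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        conn.sendall(banner)
        conn.close()
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def run_demo() -> dict:
    port = fake_service(b"220 ExampleFTPd 2.3.0 ready\r\n")  # constructed banner
    banner = grab_banner("127.0.0.1", port)
    return {
        "host_findings": check_sshd_config(SAMPLE_SSHD_CONFIG),
        "network_banner": banner,
        "network_findings": match_banner(banner),
    }


if __name__ == "__main__":
    for k, v in run_demo().items():
        print(k, "->", v)
```

Note the asymmetry the text describes: the host check sees the actual configured values, while the network check only sees what the service chooses to announce, so a back-ported fix that keeps an old version string produces a false positive and a suppressed banner produces a false negative.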

Network security vulnerability disposal technology and applications:

(1) Network security vulnerability discovery technology:

Network security vulnerability discovery mainly relies on manual security analysis, automated tool detection and artificial-intelligence-assisted analysis. The usual approach is to summarize discovered vulnerabilities into a vulnerability signature library and then use that library to identify further vulnerabilities through manual analysis or automated programs.

Vulnerability discovery technologies mainly include text search, lexical analysis, range checking, state machine checking, fault injection, fuzz testing, dynamic taint analysis and formal verification.
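Fuzz testing from the list above, as an added example (not code from the original page). The target parser is constructed for the example and deliberately omits one bounds check; the fuzzer mutates a valid seed input, treats the parser's documented rejection (ValueError) as normal, and reports the first input that triggers any other exception.

```python
import random


def parse_records(data: bytes) -> list:
    """Parse length-prefixed records: [len][payload...][checksum].
    Constructed target with a deliberate missing bounds check on the
    checksum byte, so that the fuzzer below has something to find."""
    records = []
    i = 0
    while i < len(data):
        n = data[i]
        payload = data[i + 1:i + 1 + n]
        checksum = data[i + 1 + n]           # bug: index may lie past the end
        if sum(payload) & 0xFF != checksum:
            raise ValueError("bad checksum")  # documented, expected rejection
        records.append(payload)
        i += n + 2
    return records


def make_record(payload: bytes) -> bytes:
    return bytes([len(payload)]) + payload + bytes([sum(payload) & 0xFF])


def mutate(seed: bytes, rng: random.Random) -> bytes:
    """Byte-level mutation: overwrite 1-3 random positions with random values."""
    buf = bytearray(seed)
    for _ in range(rng.randint(1, 3)):
        buf[rng.randrange(len(buf))] = rng.randrange(256)
    return bytes(buf)


def fuzz(target, seed: bytes, iterations: int = 2000, rng_seed: int = 1):
    """Run mutated inputs through target; return (crashing_input, exception)
    for the first unexpected exception, or (None, None) if none was found."""
    rng = random.Random(rng_seed)   # fixed seed so a crash can be reproduced
    for _ in range(iterations):
        case = mutate(seed, rng)
        try:
            target(case)
        except ValueError:
            continue                # expected rejection, not a bug
        except Exception as exc:
            return case, exc        # unexpected exception: a crash to triage
    return None, None


SEED = make_record(b"abc") + make_record(b"hello")   # constructed valid corpus


if __name__ == "__main__":
    crash, exc = fuzz(parse_records, SEED)
    print("crash input:", crash, "->", type(exc).__name__ if exc else None)
```

The crashing input is kept so the failure can be replayed against the parser directly; that reproduction step is what turns a fuzzer hit into a confirmed finding. Real fuzzers add coverage feedback and dictionaries, but the loop shown here (mutate, execute, classify the outcome) is the core of the technique.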

(2) Network security vulnerability patching technology:

Patch management is systematic, recurring work consisting mainly of six steps: status analysis, patch tracking, patch verification, patch installation, emergency response and patch inspection.

(3) Network security vulnerability exploitation prevention technology:

Network security vulnerability exploitation prevention technology targets the conditions an exploit needs in order to succeed, interfering with or intercepting them so that attackers cannot exploit the vulnerability even though it is still present.
   
(1) Address space randomization:

Buffer overflow attacks exploit buffer overflow vulnerabilities to overwrite a program's original return address with the address of shellcode. Address Space Layout Randomization (ASLR) randomizes the addresses at which the program is loaded into memory, so that the attacker cannot determine the return address value in advance, which reduces the probability of a successful attack.

(2) Data execution prevention:

Data Execution Prevention (DEP) means the operating system marks specific memory regions as non-executable, so that code cannot run from those regions. With DEP, an application's stack can be effectively protected from being used by attackers to execute injected code.

(3) SEHOP:

Structured Exception Handler Overwrite Protection (SEHOP), a Windows mechanism, works by validating the Structured Exception Handler (SEH) chain so that attackers cannot gain control by overwriting SEH records.

(4) Stack protection:

Stack protection works by placing an integrity marker (a canary) on the stack and checking it before the function returns, to detect whether the return address has been tampered with, thereby preventing attackers from exploiting buffer overflow vulnerabilities.

(5) Virtual patching:

Virtual patching works as follows: for a target program whose vulnerability has not yet been permanently patched, network traffic entering the target system is inspected, without modifying the executable, and packets that attack the vulnerability are filtered out so that the target program is protected. Virtual patching uses intrusion prevention, web application firewall and related technologies to "patch" the target program, so that attackers cannot exploit the vulnerability through the protected path.
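A practitioner's first check for items (1), (2) and (4) above on a Linux binary is whether it was built with those mitigations. The following is an added example (not code from the original page): it reads the ELF64 header and program headers and reports PIE (the precondition for ASLR of the main executable), a non-executable stack (DEP/NX) and the presence of a RELRO segment. The ELF structures and constants are from the ELF64 and Linux ABI definitions; the `build_elf` helper assembles constructed test images so the check runs without a real binary. Stack canaries cannot be seen from the headers alone (they need the symbol table), so they are not reported here.

```python
import struct

# ELF constants (ELF64 and Linux ABI definitions).
ET_EXEC, ET_DYN = 2, 3
PT_DYNAMIC = 2
PT_GNU_STACK = 0x6474E551
PT_GNU_RELRO = 0x6474E552
PF_X, PF_W, PF_R = 1, 2, 4

EHDR = "<16sHHIQQQIHHHHHH"   # ELF64 file header, 64 bytes, little-endian
PHDR = "<IIQQQQQQ"           # ELF64 program header, 56 bytes


def check_mitigations(elf: bytes) -> dict:
    """Report header-visible mitigations:
    pie   -> ET_DYN executable, so the loader can randomise its base (ASLR)
    nx    -> PT_GNU_STACK present without PF_X (non-executable stack, DEP/NX)
    relro -> PT_GNU_RELRO present (relocation/GOT pages made read-only after load)"""
    if elf[:4] != b"\x7fELF" or elf[4] != 2:
        raise ValueError("not an ELF64 file")
    hdr = struct.unpack_from(EHDR, elf, 0)
    e_type, phoff, phentsize, phnum = hdr[1], hdr[5], hdr[9], hdr[10]
    gnu_stack = None
    relro = False
    for n in range(phnum):
        p_type, p_flags = struct.unpack_from(PHDR, elf, phoff + n * phentsize)[:2]
        if p_type == PT_GNU_STACK:
            gnu_stack = p_flags
        elif p_type == PT_GNU_RELRO:
            relro = True
    return {
        "pie": e_type == ET_DYN,
        # No PT_GNU_STACK at all means the loader falls back to the
        # architecture default, which on x86 Linux is an executable stack.
        "nx": gnu_stack is not None and not (gnu_stack & PF_X),
        "relro": relro,
    }


def build_elf(e_type: int, stack_flags, relro: bool) -> bytes:
    """Assemble a minimal ELF64 image carrying only the program headers the
    check looks at (constructed test input, not a loadable program)."""
    phdrs = [(PT_DYNAMIC, PF_R | PF_W)]
    if stack_flags is not None:
        phdrs.append((PT_GNU_STACK, stack_flags))
    if relro:
        phdrs.append((PT_GNU_RELRO, PF_R))
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8   # 64-bit, little-endian, v1
    header = struct.pack(EHDR, ident, e_type, 62, 1, 0, 64, 0, 0, 64, 56, len(phdrs), 0, 0, 0)
    body = b"".join(struct.pack(PHDR, t, f, 0, 0, 0, 0, 0, 0) for t, f in phdrs)
    return header + body


if __name__ == "__main__":
    print("hardened:", check_mitigations(build_elf(ET_DYN, PF_R | PF_W, True)))
    print("weak:    ", check_mitigations(build_elf(ET_EXEC, PF_R | PF_W | PF_X, False)))
```

To inspect a real file, pass `open(path, "rb").read()` to `check_mitigations`. PIE only enables ASLR for the executable image; the operating system's randomization setting still has to be on, and an ET_DYN result for a shared library is expected rather than a hardening signal.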

Main products and technical indicators of network security vulnerability protection:

(1) Network security vulnerability scanner:

The technical principle of a network security vulnerability scanner is to use publicly disclosed vulnerability information and signatures to analyze the target system automatically and confirm whether the corresponding security vulnerabilities exist in it.
   
Vulnerability scanners are a powerful tool for attackers as well as an essential tool for defenders. They can automatically check information systems for vulnerabilities so that security risks can be eliminated promptly.
   
Common technical indicators of network security vulnerability scanning products are as follows:
    
1. Number of hosts scanned: the number of hosts the product can scan, and whether there is an IP or domain name limit.

2. Scan concurrency: the number of concurrent scanning tasks the product supports.

3. Scanning speed: how efficiently the product completes a vulnerability scanning task per unit of time.

4. Vulnerability detection capability: the number and types of vulnerabilities the product checks, and whether its vulnerability knowledge base covers mainstream operating systems, databases and network devices.

5. Database vulnerability checking: the level of support for checking Oracle, MySQL, MS SQL Server, DB2, Sybase, PostgreSQL, MongoDB and other databases.

6. Web application vulnerability checking: SQL injection, cross-site scripting, website malware, web Trojans, CGI vulnerabilities, and so on.

7. Password checking: the types of password guessing the product supports; commonly password guessing over SMB, Telnet, FTP, SSH, POP3, Tomcat, SQL Server, MySQL, Oracle, Sybase, DB2 and SNMP; and whether user-supplied username dictionaries, password dictionaries and username/password combination dictionaries are supported.

8. Standards compatibility: whether the product's vulnerability information is compatible with mainstream standards such as CVE, CNNVD, CNVD and BugTraq, and whether it holds CVE-compatible certification.

9. Deployment environment complexity: how complex the deployment environment required by the product is, and whether deployment on virtualized (VM) platforms is supported.

(2) Network security vulnerability service platform:

The network security industry has launched vulnerability-related products and services such as bug bounty and vulnerability reporting platforms, vulnerability response platforms, and network threat intelligence services.


(3) Network security vulnerability protection gateway:    

A vulnerability protection gateway extracts and identifies vulnerability exploitation signature patterns from network traffic to prevent attackers from exploiting vulnerabilities in the target systems behind it.
    
Common product forms are intrusion prevention systems (IPS), web application firewalls (WAF) and unified threat management (UTM) appliances.
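The signature-based filtering that a protection gateway performs, and that the virtual patching section above relies on, as an added example (not code from the original page or any product). It inspects HTTP request lines against virtual-patch rules for an application whose fix is not yet deployed; the endpoints, rule identifiers and patterns are hypothetical, and the request lines are constructed for the example. The point it adds is normalisation: encoded and double-encoded forms of the same payload must be decoded before matching, or the "patch" is trivially bypassed.

```python
import re
from urllib.parse import unquote


def normalise(target: str) -> str:
    """Percent-decode repeatedly (bounded) so that encoded and double-encoded
    forms of a payload are inspected in the same shape as the plain one."""
    for _ in range(3):
        decoded = unquote(target)
        if decoded == target:
            break
        target = decoded
    return target.lower()


# Hypothetical virtual-patch rules: (rule id, description, pattern over the
# normalised request target). Constructed for this example only.
RULES = [
    ("VP-001", "path traversal in /download?file=",
     re.compile(r"^/download\?.*file=[^&]*\.\./")),
    ("VP-002", "SQL tautology in /login",
     re.compile(r"^/login\?.*'\s*or\s*'?\d+'?\s*=\s*'?\d+")),
]


def inspect_request(request_line: str):
    """Return (verdict, rule_id) for one request line such as 'GET /path HTTP/1.1'."""
    parts = request_line.split()
    if len(parts) != 3:
        return "block", "MALFORMED"     # fail closed on anything unparsable
    target = normalise(parts[1])
    for rule_id, _desc, pattern in RULES:
        if pattern.search(target):
            return "block", rule_id
    return "allow", None


# Constructed request lines as the gateway would see them.
SAMPLE_REQUESTS = [
    "GET /download?file=report.pdf HTTP/1.1",
    "GET /download?file=../../etc/passwd HTTP/1.1",
    "GET /download?file=%2e%2e%2f%2e%2e%2fetc%2fpasswd HTTP/1.1",        # single-encoded
    "GET /download?file=%252e%252e%252fetc%252fpasswd HTTP/1.1",         # double-encoded
    "GET /login?user=admin'%20or%20'1'='1&pass=x HTTP/1.1",
    "GET /login?user=alice&pass=secret HTTP/1.1",
]


def filter_all(lines=SAMPLE_REQUESTS) -> list:
    """Apply the rules to every line; returns (line, verdict, rule_id) triples."""
    return [(line, *inspect_request(line)) for line in lines]


if __name__ == "__main__":
    for line, verdict, rule in filter_all():
        print(f"{verdict:5} {rule or '-':10} {line}")
```

The gateway's decoding must mirror what the protected application does: if the application decodes once and the gateway decodes three times, or the other way round, the two disagree on what a request means and the gap is where bypasses live. A virtual patch is a stopgap that buys time for the real fix, not a replacement for it.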
  
Reference book: Information Security Engineer Tutorial.


Reposted from: blog.csdn.net/weixin_54977781/article/details/133323708