With the rapid development and spread of computer and network technology, network security has become a focus of public attention. In recent years security technologies and products have made great progress, and some have become increasingly mature. However, the functions and performance of any single security technology or product have their limits; each can only meet a specific security need of a system or network. How to make effective use of existing security technologies and products to protect systems and networks has therefore become one of the current research hotspots in information security.
First, let us look at the two most widely deployed network security devices today: firewalls and intrusion detection systems. To use networks securely, we need to understand their limitations and weaknesses.
1. Limitations and vulnerabilities of firewalls
A firewall is a combination of components placed between different networks (such as a trusted intranet and an untrusted public network) or between network security domains. It is the only entry and exit point for information passing between those networks or domains. According to the enterprise's security policy it can control (allow, reject, monitor) the information flowing into and out of the network, and it is itself strongly resistant to attack. It is the infrastructure that delivers information security services and realizes network and information security, but it also has limitations.
1. The firewall cannot prevent attacks that do not pass through it. Traffic that never traverses the firewall cannot be inspected by it, for example a host that dials up to the Internet directly.
2. Firewalls cannot solve attacks and security problems that originate on the internal network. "Tight outside, loose inside" is characteristic of most local area networks, and a tightly defended firewall can still be thrown into chaos. For example, through social engineering an attacker sends emails carrying *s and URLs leading to *s; the machine that received the *s then actively connects out to the attacker, and the iron wall collapses in an instant. In addition, attacks between hosts inside the firewall are something it can only watch, helpless as a bystander.
3. The firewall cannot prevent threats for which no policy has yet been set, or threats caused by misconfiguration. Firewall rules are written after experts have analyzed an attack method and extracted its characteristics. If a cracker who has just discovered a new host vulnerability picks your network as the very first target, the firewall will not help you.
4. The firewall cannot prevent physical man-made or natural damage. A firewall is a security device, but the device itself must be housed in a secure location.
5. The firewall cannot solve vulnerabilities in TCP/IP and other protocols. The firewall is itself implemented on top of TCP/IP and related protocols, so it cannot fix flaws in how those protocols operate; DoS and DDoS attacks are one example.
6. Most firewalls cannot stop attacks on ports that are legitimately open on the server. For example, using the open port 3389 to obtain super-user privileges on a Windows 2000 host that has not had the service pack applied, or using an ASP program to conduct script attacks. Because such behaviour looks "reasonable" and "legal" at the firewall level, it is simply let through.
7. The firewall cannot prevent the transfer of virus-infected files. The firewall itself has no virus detection or removal function, and even if it integrates third-party antivirus software, no software can detect and remove every virus.
8. Firewalls cannot prevent data-driven attacks. A data-driven attack can occur when seemingly harmless data is mailed or copied to a host on the intranet and then executed.
9. The firewall cannot prevent internal leaks of secrets. When a legitimate user inside the firewall deliberately leaks secrets, the firewall can do nothing about it.
10. The firewall cannot prevent threats arising from its own security vulnerabilities. A firewall that protects others sometimes cannot protect itself, because no vendor can absolutely guarantee that its firewall has no security vulnerabilities. A firewall is also an OS with its own hardware and software, so it too has vulnerabilities and bugs, and may suffer attacks as well as software or hardware failures.
2. IDS evasion techniques
The firewall has the many limitations listed above, and because it sits at the gateway it cannot make too many judgements about incoming and outgoing attacks without seriously hurting network performance. If the firewall is compared to a gate guard, intrusion detection is a camera in the network that never stops recording. Intrusion detection collects network data continuously by out-of-band (bypass) monitoring, so it has no impact on the operation or performance of the network, and at the same time it uses various methods to determine whether an attack is being attempted and to alert the administrator. It can discover not only external attacks but also malicious behaviour from inside. Intrusion detection is therefore the second gate of network security and a necessary complement to the firewall; together they form a complete network security solution. However, because of the limitations of NIDS itself, the black-hat community keeps introducing new techniques to evade or bypass Network Intrusion Detection Systems (NIDS), and the balance of victory is tilting towards the black hats.
1. Weaknesses in string matching
By combining string processing with character substitution, a string that a signature would otherwise match can be disguised. For a web request there is no need for a command interpreter: a hexadecimal (percent-encoded) URL in the request is enough. The target web server interprets the following request as /etc/passwd:
GET %65%74%63/%70%61%73%73%77%64
Or GET %65%74%63/%70a%73%73%77d
To catch every variant of this string by matching alone, an IDS might need more than 1000 signatures, and that is before Unicode encodings are even considered!
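The defender's answer to this is to canonicalize the request before matching rather than enumerate encodings. The following is an added example, not code from the article: it decodes percent-escapes in either hex case (repeatedly, to handle double encoding), collapses slashes and resolves dot segments, then matches a single canonical path; the signature list and the extra request lines are constructed for the demonstration.

```python
"""Canonicalize request targets before signature matching (added example).

%uXXXX and overlong UTF-8 forms are deliberately out of scope here.
"""
import re
from typing import List

_PCT = re.compile(r"%([0-9A-Fa-f]{2})")

# Constructed signatures for the demonstration; a real sensor has thousands.
SIGNATURES = ["/etc/passwd", "/etc/shadow"]


def canonicalize(target: str) -> str:
    """Return a normalised absolute path for a request target."""
    s = target.split("?", 1)[0]     # the query string is not part of the path
    for _ in range(3):              # bounded: %2565 -> %65 -> e, then stop
        decoded = _PCT.sub(lambda m: chr(int(m.group(1), 16)), s)
        if decoded == s:
            break
        s = decoded
    s = re.sub(r"/+", "/", s)       # "//" -> "/"
    parts: List[str] = []
    for seg in s.split("/"):        # resolve dot segments only after decoding
        if seg == "..":
            if parts:
                parts.pop()
        elif seg not in ("", "."):
            parts.append(seg)
    return "/" + "/".join(parts)


def request_target(request_line: str) -> str:
    """Pull the target out of 'METHOD target [HTTP/x.y]'."""
    fields = request_line.split()
    return fields[1] if len(fields) > 1 else ""


def match_signatures(request_line: str) -> List[str]:
    """Signatures that occur in the canonicalised target of one request line."""
    path = canonicalize(request_target(request_line))
    return [sig for sig in SIGNATURES if sig in path]


# Constructed inputs: the two request lines quoted in the article plus two
# further encodings that a per-variant signature list would miss.
VARIANTS = [
    "GET %65%74%63/%70%61%73%73%77%64",
    "GET %65%74%63/%70a%73%73%77d",
    "GET /%2e%2E/%2e%2e//etc/./passwd HTTP/1.0",
    "GET /%2565tc/passwd?x=1 HTTP/1.0",
]
```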
2. Session splicing (arguably better translated as session segmentation)
The session data is spread across multiple packets and sent out:
+-------------------------+
| packet number | content |
|---------------+---------|
| 1 | G |
|---------------+---------|
| 2 | E |
|---------------+---------|
| 3 | T |
|---------------+---------|
| 4 | 20 |
|---------------+---------|
| 5 | / |
|---------------+---------|
| 6 | H |
+---------------+---------+
Since only a few bytes arrive in each packet (packet 4 carries 0x20, the space), a string-matching intrusion detection system that inspects packets individually never sees the whole string and can be evaded.
3. Fragmentation attacks
So-called fragment overlap means sending a later fragment whose data overwrites part of an earlier fragment. For example:
Fragment 1 GET
Fragment 2 a.? (buffer overflow data)
The first character of the second fragment overwrites the last character of the first. After the two fragments are reassembled, the result is GET? (buffer overflow data).
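Both session splicing and fragment overlap defeat a sensor that matches packet by packet; the countermeasure is to reassemble the stream first, using the same overlap policy as the protected host, and to treat conflicting overlaps as an alert in their own right. The following is an added example, not code from the article: fragments are modelled as (offset, payload) pairs, and the spliced session, the overlapping fragments and the signature are constructed.

```python
"""Reassemble before matching, covering splicing and overlap (added example)."""
from typing import Dict, List, Tuple

Fragment = Tuple[int, bytes]  # (byte offset within the stream, payload)


def reassemble(fragments: List[Fragment],
               favor_new: bool = True) -> Tuple[bytes, List[int]]:
    """Rebuild the stream; return it with the offsets of conflicting overlaps.

    favor_new decides which copy wins when two fragments disagree about the
    same offset. A sensor must mirror the policy of the host it protects, and
    conflicting overlaps deserve an alert on their own, since benign
    retransmissions repeat identical data.
    """
    buf: Dict[int, int] = {}
    conflicts: List[int] = []
    for offset, payload in fragments:
        for i, byte in enumerate(payload):
            pos = offset + i
            if pos in buf and buf[pos] != byte:
                conflicts.append(pos)
                if not favor_new:
                    continue        # keep the byte that arrived first
            buf[pos] = byte
    stream = bytes(buf.get(i, 0) for i in range(max(buf) + 1)) if buf else b""
    return stream, conflicts


def per_packet_match(fragments: List[Fragment], signature: bytes) -> bool:
    """The naive detector: inspect each packet on its own."""
    return any(signature in payload for _, payload in fragments)


def stream_match(fragments: List[Fragment], signature: bytes,
                 favor_new: bool = True) -> Tuple[bool, List[int]]:
    """Match against the reassembled stream instead, reporting overlaps too."""
    stream, conflicts = reassemble(fragments, favor_new)
    return signature in stream, conflicts


# Constructed: the spliced session from the table, one byte per packet.
SPLICED: List[Fragment] = list(enumerate([b"G", b"E", b"T", b" ", b"/", b"H"]))

# Constructed: the second fragment starts one byte before the first one ends
# and rewrites that byte, so the stream depends on the reassembly policy.
OVERLAP: List[Fragment] = [(0, b"GET /x"), (5, b"?" + b"A" * 12)]
OVERFLOW_SIG = b"/?" + b"A" * 12   # constructed signature for the payload
```

Matching on individual packets misses both constructed cases; matching on the reassembled stream catches the spliced request regardless of policy, and catches the overlap case only under the policy the target host actually uses, which is why the conflict offsets are reported alongside the verdict.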
4. Denial of service
Another, cruder method is denial of service: consume the processing power of the detection device so that the real attack escapes detection. Fill its disk so it can no longer write logs; generate more alerts than it can process; bury the administrators in more alarms than they can examine; or crash the device outright. Attacks of this kind leave the IDS with nothing to detect and are therefore very difficult to deal with.
3. Network vulnerability (hidden danger) scanning systems come to the fore
The ideal way to deal with attempts to compromise a system is of course to build one that is completely secure and free of vulnerabilities, but in reality this is simply impossible. Miller of the University of Wisconsin in the United States published a study of today's popular operating systems and applications showing that software cannot be free of vulnerabilities and flaws.
A practical approach is therefore to build a security system that is relatively easy to implement and, following a defined security policy, to set up auxiliary security systems alongside it. The vulnerability scanner is one such system. Given the current state of system security, systems do contain vulnerabilities and therefore carry latent security threats. If, however, we can discover those vulnerabilities as early as possible through network scanning tailored to the specific application environment, and take appropriate measures to repair them promptly, we can effectively prevent intrusion incidents. Mending the fold after the sheep are lost still has value, but for key business where even a one-in-ten-thousand risk is unacceptable, preparing in advance is the ideal.
So how do we choose a professional network vulnerability scanning system? Generally speaking, it should meet the following criteria:
1. Whether it has passed various national certifications
At present, the authoritative departments of the country that conduct certification of security products include the Ministry of Public Security’s Information Security Product Evaluation Center, the National Information Security Product Evaluation Center, the People’s Liberation Army Security Product Evaluation Center, and the National Bureau of Secrets Evaluation Certification Center.
2. Number of vulnerabilities and speed of upgrade
The size of the vulnerability database is an important indicator when evaluating a scanner: how many of the latest vulnerabilities it covers, how the database is updated and upgraded, and whether non-specialists can perform the upgrade. This makes the upgrade frequency of the vulnerability library all the more important. For example, the RJ-iTop network hidden danger scanning system is upgraded once a week, and its database had reached as many as 1,502 vulnerabilities as of July 9, 2004.
3. The security of the product itself
Whether the operating system platform the scanner runs on, and the product itself, are secure is an important factor users should consider. For example, the RJ-iTop network hidden danger scanning system uses a specially hardened Linux system in an integrated hardware and software appliance, shuts down unnecessary ports and services, and encrypts the data it transmits.
4. Whether it supports the CVE international standard
The purpose of CVE (Common Vulnerabilities and Exposures) is to provide a standardized name for every publicly known vulnerability and exposure, giving enterprises better coverage, easier collaboration and enhanced security.
5. Whether it supports distributed scanning
A distributed product is flexible, portable and able to scan across firewalls. Hardly any network today is a single flat segment without VLANs, and some of the packets a scanner sends are filtered by routers and firewalls, which reduces the accuracy of the scan.
Deploying firewalls and IDSs in the network does not mean our network is absolutely safe, but properly configured firewalls and IDSs will at least make it more solid and give us more information about attacks to analyze. Firewalls, antivirus, intrusion detection and vulnerability scanning belong to the protection and detection stages of the PDR and P2DR models respectively. Organized around the security policy, these technologies collaborate and interact with one another to form a dynamic, adaptive defence system.
Finally, what I want to say is still the old saying: "No technology in the world can truly guarantee absolute security."
Security is an all-round problem, from devices to people, from every service program on the server to firewalls, IDS and other security products. Work on any single link is only one of the steps toward security.