CN108900527A - A security configuration check system - Google Patents

A security configuration check system

Info

Publication number: CN108900527A
Application number: CN201810801100.2A
Authority: CN (China)
Prior art keywords: security configuration, assets, function, equipment, configuration
Priority date
Filing date
Publication date
Legal status: Pending
Other languages: Chinese (zh)
Inventors: 孙帅, 李明柱
Current assignee: Nanjing Fangheng Information Technology Co Ltd
Original assignee: Nanjing Fangheng Information Technology Co Ltd
Events: application filed by Nanjing Fangheng Information Technology Co Ltd; priority to CN201810801100.2A; publication of CN108900527A; current legal status Pending

Classifications

All classes fall under H (Electricity) > H04 (Electric communication technique) > H04L (Transmission of digital information, e.g. telegraphic communication):

    • H04L63/20 Network architectures or network communication protocols for network security; managing network security, network security policies in general
    • H04L41/12 Arrangements for maintenance, administration or management of data switching networks; discovery or management of network topologies
    • H04L43/10 Arrangements for monitoring or testing data switching networks; active monitoring, e.g. heartbeat, ping or trace-route
    • H04L45/02 Routing or path finding of packets in data switching networks; topology update or discovery
    • H04L41/0213 Standardised network management protocols, e.g. simple network management protocol [SNMP]
    • H04L63/168 Implementing security features at a particular protocol layer above the transport layer
    • H04L67/02 Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]
    • H04L67/08 Protocols specially adapted for terminal emulation, e.g. Telnet


Abstract

The invention discloses a security configuration check system. For remote inspection the access method of the target device and the login username and password must be provided; as long as the target and the tool are IP-reachable and the relevant service and port are open on the target, the target can be inspected remotely, and a number of concurrent connections can be specified so that several devices are inspected at the same time. Where the target is not directly IP-reachable but can be reached through an intermediate device, for example by jumping through a bastion host, the jump list function lets the asset information and login information of the intermediate devices be configured so that the target is accessed after the jumps. Where a dynamic password is required, the shared session function lets the operator log in manually to the corresponding intermediate device or bastion host to create an active session; the system connects to the intermediate device or bastion host through that session, accesses the target device, acquires its security configuration, performs the security configuration baseline verification and finally outputs the configuration verification result.

Description

A security configuration check system
Technical field
The invention relates to the technical field of inspection systems, and in particular to a security configuration check system.
Background art
Building on a baseline security standards system that combines research with service security, and drawing on domestic and international standards, specifications and mature practice, a baseline security model aimed at business systems is formed. Among these references the most worth consulting is the FDCC project (Federal Desktop Core Configuration), which is based on SCAP (Security Content Automation Protocol).
The goal of FDCC was to deploy a standard desktop operating system incorporating a security configuration on more than 450,000 computers of the U.S. federal government, reducing security vulnerabilities and unauthorized configurations across millions of federal computers while lowering procurement and operating costs. The project began inside the U.S. Air Force, which, with the help of the NSA, NIST and DISA, created standard configurations for two popular Windows operating systems and then ensured that all relevant computer suppliers installed the security configuration at procurement and delivery time. The approach succeeded: using a standard security configuration showed that this procurement model improves overall security posture while significantly reducing procurement and secure-operation costs.
In May 2007 NIST proposed the Information Security Automation Program (ISAP), launched jointly by several agencies including the National Security Agency, the Defense Information Systems Agency, the National Institute of Standards and Technology and the Department of Homeland Security. Its goal was to automate vulnerability management, configuration management, security testing and compliance, and it introduced the matching Security Content Automation Protocol (SCAP), which makes vulnerability management, security testing and policy compliance consistent with FISMA requirements through specific, standardized methods. It also set out the code requirements for FDCC. These programs, systems and requirements show the U.S. government taking important steps toward implementing the requirements of the Federal Information Security Management Act (FISMA) with automated tools.
Implementing FISMA requires footholds at different heights: not only meeting the general information security requirements set at the top by FISMA, but also, once information systems have been classified, selecting suitable security controls at the management, technical and operational levels. Once suitable controls have been selected, they must ultimately be implemented in the configuration of the information system.
In brief, the SCAP-based FDCC has two characteristics:
Standardization: on the basis of the NVD and NCP, a set of security check items for the target system is constructed; these check items cover related scopes such as security vulnerabilities and security configuration, and provide a framework for standardized technical security operations.
Automation: on that basis, FDCC constructs security check requirements for the characteristics of desktop host systems and executes them with automated tools, supporting automated technical security operations.
On the standardization side, producing complete and effective check items is time-consuming and laborious. For the FDCC project the U.S. federal government used six technical standards, CVE, CCE, CPE, XCCDF, OVAL and CVSS (see http://nvd.nist.gov/scap.cfm), to support the security check items for the federal desktop core system (mainly Windows platforms). On the automation side, tools check the check items against the target system automatically or semi-automatically. The open-source community also has many SCAP-related projects, the most important being OpenSCAP, OVALDI and eSCAPe; together they form a complete development and use toolchain for SCAP, with eSCAPe used to generate SCAP content and OpenSCAP and OVALDI used to run SCAP-based scans, but an inspection (checking) system is still lacking.
Summary of the invention
The object of the invention is to provide a security configuration check system that solves the problems described above.
The invention achieves this object through the following technical solution:
A security configuration check system, comprising
a basic platform, comprising a basic software platform and a basic hardware platform;
a system processing layer, comprising data processing and system services;
a core service layer, comprising a security configuration verification engine, a report statistics and analysis engine, an asset scanning engine and a network topology analysis engine;
an external access layer, for presenting the system functions and a third-party call interface, where the function presentation comprises security configuration inspection, asset scanning, configuration template library, report management and user management, and third-party interface calls based on web services are provided.
Preferably, the basic hardware platform contains the hardware devices that provide computing, storage and external communication for the system; the basic software platform contains the system's dedicated operating system, file system, disk encryption and decryption, program encryption and decryption, network services, database, web services and other program execution environments.
Preferably, data processing is the internal system interface and provides low-level data processing services such as system access to the database, access to system files, data synchronization and input/output handling; it also provides efficient database access, data caching, high concurrency and multithreading. The system services layer is mainly used for managing data acquisition interfaces, extracting acquired content, and scheduling and monitoring acquisition tasks; it provides acquisition support for external system data to the upper layers and can access target devices through the acquisition interface to obtain their system information, fingerprint information and security configuration information.
Preferably, the security configuration verification engine acquires and analyzes the security configuration of target devices, finds configurations that do not meet the security requirements and produces security configuration recommendations for the device or system, raising its overall security level. Targets are accessed remotely, mainly via Telnet, SSH, NetBIOS, HTTP and HTTPS.
Preferably, the statistics and analysis processing engine processes the configuration verification results, including multi-dimensional statistical analysis of verification task results, task time-series changes, multi-task comparison, multi-dimensional multi-task merging and statistics by check item; it also produces the security configuration verification statistical reports.
Preferably, the asset scanning engine performs asset discovery and asset information acquisition and identification, including asset discovery, asset fingerprinting, asset service identification and asset management. Asset discovery supports finding IT devices and networked devices in IP-reachable networks by automatic scanning, automatically produces the device fingerprint and determines the device's system type; given a target device address range and a scanning policy, it obtains whether the asset is alive, its fingerprint, its services and similar information.
Preferably, the network topology analysis engine covers addressing and route selection and the establishment, maintenance and termination of connections. Network-layer devices include routers and layer-3 switches: routers perform addressing and routed forwarding of network packets, while a layer-3 switch is a switch with some router functions whose main purpose is to speed up data exchange inside a large local area network; its routing function serves that purpose, and it can route once and forward many times.
Preferably, the external access layer presents the system functions and a third-party call interface; the function presentation comprises security configuration inspection, asset scanning, configuration template library, report management and user management, and third-party interface calls based on web services are provided. The function pages use a B/S (browser/server) architecture to give the user a graphical user interface, can be installed on a Chinese-language operating system, are entirely menu-driven, and provide detailed help.
The beneficial effects of the invention are:
For remote inspection the invention requires the access method of the target device and the login username and password; as long as the target and the tool are IP-reachable and the relevant service and port are open on the target, the target can be inspected remotely, and a number of concurrent connections can be specified so that several devices are inspected at the same time. Where the target is not directly IP-reachable but can be reached through an intermediate device, for example by jumping through a bastion host, the jump list function lets the asset information and login information of the intermediate devices be configured so that the target is accessed after the jumps. Where a dynamic password is required, the shared session function lets the operator log in manually to the corresponding intermediate device or bastion host to create an active session; the system connects to the intermediate device or bastion host through that session, accesses the target device, acquires its security configuration, performs the security configuration baseline verification and finally outputs the configuration verification result.
Brief description of the drawings
Fig. 1 is a structural schematic diagram of the security configuration check system of the invention;
Fig. 2 is a schematic flow diagram of security configuration inspection in the invention;
Fig. 3 is a schematic flow diagram of the security configuration verification engine of the invention;
Fig. 4 is a structural schematic diagram of the network topology discovery system of the invention;
Fig. 5 is a structural schematic diagram of network-layer topology discovery in the invention;
Fig. 6 is a structural schematic diagram of the external access layer of the invention.
Specific embodiments
The invention is further explained below with reference to the accompanying drawings:
As shown in Figs. 1 and 2, a security configuration check system comprises
a basic platform, comprising a basic software platform and a basic hardware platform;
a system processing layer, comprising data processing and system services;
a core service layer, comprising a security configuration verification engine, a report statistics and analysis engine, an asset scanning engine and a network topology analysis engine;
an external access layer, for presenting the system functions and a third-party call interface, where the function presentation comprises security configuration inspection, asset scanning, configuration template library, report management and user management, and third-party interface calls based on web services are provided.
As shown in Fig. 1, the system processing layer comprises data processing and system services.
Data processing is the internal system interface and provides low-level data processing services such as system access to the database, access to system files, data synchronization and input/output handling. It also provides efficient database access, data caching, high concurrency, multithreading and similar functions.
The system services layer is mainly used for managing data acquisition interfaces, extracting acquired content, and scheduling and monitoring acquisition tasks. It provides acquisition support for external system data to the upper layers and can access target devices through the acquisition interface to obtain their system information, fingerprint information and security configuration information.
As shown in Fig. 1, the core service layer mainly comprises the security configuration verification engine, the report statistics and analysis engine, the asset scanning engine and the network topology analysis engine.
As shown in Fig. 3, the security configuration verification engine acquires and analyzes the security configuration of the target device, finds configurations that do not meet the security requirements and produces security configuration recommendations for the device or system, raising its overall security level. Targets are accessed mainly as follows:
1) remote access via Telnet, SSH, NetBIOS, HTTP, HTTPS and the like;
2) for Windows operating systems, local inspection can be performed directly.
For remote inspection the access method of the target device and the login username and password must be provided; as long as the target and the tool are IP-reachable and the relevant service and port are open on the target, the target can be inspected remotely. For remote inspection a number of concurrent connections can be specified so that several devices are inspected at the same time.
Where the target is not directly IP-reachable but can be reached through an intermediate device, for example by jumping through a bastion host, the jump list function lets the asset information and login information of the intermediate devices be configured so that the target is accessed after the jumps. Where a dynamic password is required, the shared session function lets the operator log in manually to the corresponding intermediate device or bastion host to create an active session; the system connects to the intermediate device or bastion host through that session, accesses the target device, acquires its security configuration, performs the security configuration baseline verification and finally outputs the configuration verification result.
Finally, a risk score can be computed from the security configuration inspection results. Each check item is judged against the predefined security configuration requirements to decide whether the relevant configuration on the target device or system meets the standard; the determination of a check item has six states: compliant, non-compliant, to be confirmed, not applicable, acquisition failed and not executed.
All check items are graded and assigned different weights. The grades are optional, general and important. Based on the weight of each configuration item, the target host's compliance is scored on a 100-point scale and a quantified risk score for the target device is output.
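The verification and scoring steps above, worked through as an added example (this is not code from the patent or its assignee). It takes an already-acquired configuration artifact and evaluates it against check items that can land in each of the six states, then produces the weighted hundred-point score, both overall and broken down by check item type. The check items, the grade weights (optional 1, general 2, important 3), the fail-closed treatment of unverified items and the sample sshd_config are all assumptions of this example; the acquisition over SSH or a bastion session that the text describes is represented only by the `artifacts` dictionary handed to the engine.

```python
"""Baseline verification of an acquired configuration: the six check states,
per-category compliance and the weighted hundred-point score described above.
Added illustration, not code from the patent or its assignee.  Check items,
grade weights and the sample sshd_config are constructed assumptions.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Dict, List, Optional


class State(Enum):
    COMPLIANT = "compliant"
    NON_COMPLIANT = "non-compliant"
    TO_CONFIRM = "to be confirmed"
    NOT_APPLICABLE = "not applicable"
    ACQUIRE_FAILED = "acquisition failed"
    NOT_EXECUTED = "not executed"


# Assumed weights for the three grades named in the text.
WEIGHTS = {"optional": 1, "general": 2, "important": 3}


@dataclass
class CheckItem:
    item_id: str
    platform: str                    # platform the item applies to
    category: str                    # check item type, used for per-category scoring
    grade: str                       # optional / general / important
    artifact: str                    # acquired artifact to inspect
    key: str                         # configuration keyword inside that artifact
    expected: Callable[[str], bool]  # predicate over the keyword's value
    enabled: bool = True             # disabled items are reported as NOT_EXECUTED


@dataclass
class Target:
    host: str
    platform: str
    artifacts: Dict[str, Optional[str]]  # artifact name -> raw text, None if acquisition failed


def parse_kv_config(text: str) -> Dict[str, str]:
    """Parse a 'Keyword value' file such as sshd_config: comment lines and
    blanks ignored, keywords case-insensitive, last occurrence wins."""
    conf: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        conf[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return conf


def evaluate(item: CheckItem, target: Target) -> State:
    if item.platform != target.platform:
        return State.NOT_APPLICABLE
    if not item.enabled:
        return State.NOT_EXECUTED
    raw = target.artifacts.get(item.artifact)
    if raw is None:
        return State.ACQUIRE_FAILED
    conf = parse_kv_config(raw)
    if item.key.lower() not in conf:
        # Keyword absent: the daemon's compiled-in default applies, which the
        # collector cannot observe, so hand the item to a human reviewer.
        return State.TO_CONFIRM
    return State.COMPLIANT if item.expected(conf[item.key.lower()]) else State.NON_COMPLIANT


def verify(target: Target, items: List[CheckItem]) -> Dict[str, State]:
    return {item.item_id: evaluate(item, target) for item in items}


def score(results: Dict[str, State], items: List[CheckItem]) -> Dict[str, float]:
    """Hundred-point compliance score over `items`.  NOT_APPLICABLE items leave
    the denominator; every state other than COMPLIANT earns nothing, so an
    unverified item (failed acquisition, not executed, to be confirmed) counts
    as failing until resolved (fail-closed, an assumption of this example)."""
    total = sum(WEIGHTS[i.grade] for i in items if results[i.item_id] is not State.NOT_APPLICABLE)
    earned = sum(WEIGHTS[i.grade] for i in items if results[i.item_id] is State.COMPLIANT)
    compliance = round(100.0 * earned / total, 1) if total else 0.0
    return {"compliance": compliance, "risk": round(100.0 - compliance, 1)}


def score_by_category(results: Dict[str, State], items: List[CheckItem]) -> Dict[str, Dict[str, float]]:
    """Compliance classified by check item type (account management, authentication, ...)."""
    categories = sorted({i.category for i in items if results[i.item_id] is not State.NOT_APPLICABLE})
    return {c: score(results, [i for i in items if i.category == c]) for c in categories}


# Constructed sample artifact, not acquired from any real host.
SAMPLE_SSHD_CONFIG = """\
# sshd_config as collected over SSH by the acquisition layer
Port 22
Protocol 2
PermitRootLogin yes
PasswordAuthentication no
"""

CHECKS = [
    CheckItem("ssh-01", "linux", "account management", "important", "sshd_config",
              "PermitRootLogin", lambda v: v.lower() == "no"),
    CheckItem("ssh-02", "linux", "authentication", "important", "sshd_config",
              "Protocol", lambda v: v == "2"),
    CheckItem("ssh-03", "linux", "authentication", "general", "sshd_config",
              "PasswordAuthentication", lambda v: v.lower() == "no"),
    CheckItem("ssh-04", "linux", "authentication", "optional", "sshd_config",
              "MaxAuthTries", lambda v: v.isdigit() and int(v) <= 4),
    CheckItem("ssh-05", "linux", "login banner", "optional", "sshd_config",
              "Banner", lambda v: v.lower() != "none", enabled=False),
    CheckItem("win-01", "windows", "account management", "important", "secedit",
              "PasswordComplexity", lambda v: v == "1"),
]

LINUX_TARGET = Target("10.0.0.5", "linux", {"sshd_config": SAMPLE_SSHD_CONFIG})
FAILED_TARGET = Target("10.0.0.6", "linux", {"sshd_config": None})  # session dropped mid-collection

if __name__ == "__main__":
    for target in (LINUX_TARGET, FAILED_TARGET):
        results = verify(target, CHECKS)
        for item_id, state in results.items():
            print(f"{target.host} {item_id}: {state.value}")
        print(target.host, score(results, CHECKS), score_by_category(results, CHECKS))
```

The sample host scores 50 out of 100: the `PermitRootLogin yes` finding (important, weight 3) and the two unverified optional items lose points, while the absent `MaxAuthTries` keyword is surfaced as "to be confirmed" rather than silently passed. A host whose artifact could not be collected scores 0, which is the behaviour a practitioner usually wants so that a dropped bastion session never looks like a clean result.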
Security configuration verification of mainstream networked devices in intranets and of industrial control equipment is supported.
Security configuration verification of industrial control equipment supports devices from vendors such as Siemens, Schneider, Rockwell, Yokogawa and SUPCON, including engineer stations, operator stations, HMIs, PLCs, DCS, PCS, SCADA, OPC servers and industrial switches, for example:
· SIMATIC S7 200
· SIMATIC S7 300
· SIMATIC S7 400
· SIMATIC S7 1200
· SIMATIC S7 1500 series, etc.;
· Scalance W series
· Scalance X series
· PCS
· Step7
· TIA Portal
· WinCC, etc.
Security configuration acquisition and verification is supported for more than 20 mainstream operating systems, application software packages and network devices found in information systems, for example:
· Windows 2000/2003 Server/2008 Server/2012 Server/XP/Vista/Win7/Win8/Win10
· Solaris 8/9/10
· AIX 5.x
· HP-UX 11i
· Red Hat/Fedora/CentOS/Kali/Ubuntu/SUSE, etc.
· Oracle 8i/9i/10g/11g
· Microsoft SQL Server 2000/2005/2008
· DB2
· Informix
· Sybase
· Cisco IOS
· Juniper JunOS.
As shown in Fig. 1, the statistics and analysis processing engine processes the configuration verification results, including multi-dimensional statistical analysis of verification task results, task time-series changes, multi-task comparison, multi-dimensional multi-task merging (by province, city, department, business system and so on) and statistics by check item (multiple check items on a single device, one check item across multiple devices, multiple check items across multiple devices).
The statistics and analysis processing engine also produces the security configuration verification statistical reports.
Evaluation of system compliance by category: the inspection results are evaluated for compliance grouped by check item type (for example log auditing, system files, account management, permissions and authentication); an overall compliance level is determined and a score is given per category.
Overall score: all check items are graded and assigned different weights. The grades are optional, general and important. Based on the weight of each configuration item, the target host's compliance is scored on a 100-point scale and a quantified risk score for the target device is output.
As shown in Fig. 1, the asset scanning engine performs asset discovery and asset information acquisition and identification, including asset discovery, asset fingerprinting, asset service identification and asset management.
Asset discovery supports finding IT devices and networked devices in IP-reachable networks by automatic scanning; it automatically produces the device fingerprint and determines the device's system type. Given target device address range information (IP addresses and the like) and a scanning policy, it obtains whether the asset is alive, its fingerprint, its services and similar information. Discovery targets include the operating systems, databases and network devices in information systems, more than 20 kinds of systems in total.
Networked devices include engineer stations, operator stations, HMIs, PLCs, DCS, PCS, SCADA, OPC servers and industrial switches, covering the equipment of mainstream industrial control vendors such as Siemens, Schneider, Rockwell, Yokogawa and SUPCON.
Asset discovery can be configured with a scanning policy for collecting fingerprint information from the desired assets, including:
concurrent scan interval;
number of concurrent scans;
scan timeout.
Asset fingerprinting identifies the corresponding asset mainly from the fingerprint information extracted from it. The objects identified include the fingerprint characteristics of devices and systems from mainstream IT and networked-device vendors, including but not limited to the operating systems, databases and network devices of the information systems listed above, and the engineer stations, operator stations, HMIs, PLCs, DCS, PCS, SCADA, OPC servers and industrial switches among networked devices.
The output of asset fingerprinting includes the asset's vendor information, product type and corresponding system version number.
Asset service identification identifies the network services and ports open on a target device, mainly by port detection and service identification of the target device.
Low-speed, non-attacking detection is supported: the target device's ports are scanned without affecting the device, the packets sent are ordinary TCP/UDP connection packets, and no abnormal behaviour is caused on the target device.
Asset management automatically identifies, normalizes and stores the information of the scanned target devices, and also supports manual asset management, including manually adding, modifying, deleting and querying assets.
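The service identification and fingerprinting described above, as an added example that is not part of the patent or its assignee's code. It performs the "low-speed, non-attacking" scan as plain TCP connects paced by a policy with the three parameters the text names (number of concurrent scans, interval, timeout), grabs whatever greeting the service volunteers, and maps it to vendor, product and version with a small fingerprint table. The fingerprint table, the policy defaults and the local fake service used for the demonstration are assumptions of this example; real scanning would run over the reachable address range instead of 127.0.0.1.

```python
"""Asset service identification: a paced TCP connect scan under a
concurrency/interval/timeout policy, plus banner-based vendor, product and
version fingerprinting.  Added example, not the patent's code.  The fingerprint
table, policy defaults and the local fake service are constructed assumptions.
"""
import re
import socket
import threading
import time
from concurrent.futures import ThreadPoolExecutor
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class ScanPolicy:
    concurrency: int = 2      # number of concurrent scans
    interval: float = 0.05    # pause after each probe on a worker, seconds
    timeout: float = 1.0      # per-connection timeout, seconds


# Assumed fingerprint table: (regex over the banner, vendor, product); the
# version is the first capture group.  Only greetings real services send.
FINGERPRINTS: List[Tuple[re.Pattern, str, str]] = [
    (re.compile(r"^SSH-2\.0-OpenSSH_([\w.]+)"), "OpenBSD", "OpenSSH"),
    (re.compile(r"^SSH-2\.0-Cisco-([\w.]+)"), "Cisco", "IOS SSH"),
    (re.compile(r"^Server:\s*Apache/([\w.]+)", re.I | re.M), "Apache", "httpd"),
    (re.compile(r"^Server:\s*Microsoft-IIS/([\w.]+)", re.I | re.M), "Microsoft", "IIS"),
]
UNKNOWN = {"vendor": None, "product": None, "version": None}


def fingerprint(banner: str) -> Dict[str, Optional[str]]:
    for pattern, vendor, product in FINGERPRINTS:
        m = pattern.search(banner)
        if m:
            return {"vendor": vendor, "product": product, "version": m.group(1)}
    return dict(UNKNOWN)


def probe(host: str, port: int, policy: ScanPolicy) -> Dict[str, object]:
    """One ordinary TCP connect; read what the service volunteers.  Plain web
    ports get a minimal HEAD request so the Server header appears in the banner."""
    result: Dict[str, object] = {"port": port, "open": False, "banner": ""}
    try:
        with socket.create_connection((host, port), timeout=policy.timeout) as s:
            result["open"] = True
            s.settimeout(policy.timeout)
            if port in (80, 8000, 8080):
                s.sendall(b"HEAD / HTTP/1.0\r\nHost: " + host.encode() + b"\r\n\r\n")
            try:
                result["banner"] = s.recv(1024).decode("latin-1").strip()
            except socket.timeout:
                pass   # silent service: still reported open, without a banner
    except OSError:
        pass           # refused, filtered or unreachable: reported closed
    time.sleep(policy.interval)  # pace each worker so the target is never flooded
    return result


def scan(host: str, ports: List[int], policy: ScanPolicy = ScanPolicy()) -> List[Dict[str, object]]:
    with ThreadPoolExecutor(max_workers=policy.concurrency) as pool:
        results = list(pool.map(lambda p: probe(host, p, policy), ports))
    for r in results:
        r.update(fingerprint(str(r["banner"])) if r["open"] else UNKNOWN)
    return results


def start_fake_service(banner: bytes) -> int:
    """Constructed local service on 127.0.0.1 that greets with `banner`, a
    stand-in for a real target; returns the port it listens on."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(8)
    srv.settimeout(10)
    port = srv.getsockname()[1]

    def serve() -> None:
        try:
            while True:
                conn, _ = srv.accept()
                conn.sendall(banner)
                conn.close()
        except OSError:
            pass
        finally:
            srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


def free_port() -> int:
    """A port nothing listens on, to show how a closed port is reported."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    ssh_port = start_fake_service(b"SSH-2.0-OpenSSH_7.4\r\n")
    for r in scan("127.0.0.1", [ssh_port, free_port()], ScanPolicy(concurrency=1, interval=0.1)):
        print(r)
```

Two points a practitioner should keep: the interval is applied per worker after every probe, so the effective packet rate is at most `concurrency / interval` connections per second, which is the knob that keeps fragile PLC and HMI network stacks from being overwhelmed; and a refused or filtered port and a port that accepts but stays silent are reported differently (`open` False versus `open` True with an empty banner), because the second case is still an asset to record even though it cannot be fingerprinted from its greeting.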
As shown in Figs. 4 and 5, the network topology analysis engine performs topology analysis of the target network and displays its routing nodes and network paths. Topology discovery comprises link-layer topology discovery and network-layer topology discovery. Link-layer topology discovery concentrates on link-layer devices such as switches and hosts; network-layer topology discovery finds the overall connectivity of the network, mainly the routers and similar devices in it.
The network layer is the third layer of the OSI reference model defined by ISO (International Organization for Standardization), between the transport layer and the data link layer. Its purpose is transparent data transfer between two end systems; its specific functions include addressing and route selection and the establishment, maintenance and termination of connections. Network-layer devices include routers and layer-3 switches: routers perform addressing and routed forwarding of network packets, while a layer-3 switch is a switch with some router functions. The main purpose of a layer-3 switch is to speed up data exchange inside a large local area network; its routing function serves that purpose, and it can route once and forward many times.
Network-layer topology discovery means discovering the connection relationships between network-layer elements, including the connections between routers and the connections between routers and subnets. There are many network-layer topology discovery methods; four algorithms are common: ICMP-based, DNS-based, OSPF-based and SNMP-based network-layer topology discovery. ICMP-based discovery has the widest applicability, while SNMP-based discovery is the most efficient.
ICMP, the Internet Control Message Protocol, is a sub-protocol of the TCP/IP suite used to pass control messages between IP hosts and routers. The ICMP function most commonly used in network design is the Echo Request and Echo Reply message pair, which tests whether a destination is reachable and responding; a user sends ICMP packets with the ping command to determine whether a destination address is reachable.
ICMP-based topology discovery is implemented with the ping and traceroute tools. ping detects whether a destination host is reachable, so unreachable hosts can be excluded, improving detection efficiency and saving time; traceroute detects the routers traversed on the way to the destination host.
This method is fairly general and can discover the network topology to a certain degree. Its disadvantages are that it injects a large number of ICMP packets into the network, increasing network load, and that the search takes a long time. In addition, for network security reasons some network administrators disable ICMP on routers, which causes topology probing to fail.
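The ping/traceroute method above, carried one step further as an added example (not code from the patent or its assignee): several traceroute transcripts are merged into the two relationships the text says network-layer discovery must find, router-to-router links and router-to-subnet attachments, while hops that never answered (the ICMP-disabled case the text warns about) are counted and the subnets behind them are kept apart instead of being attributed to a router that was not actually adjacent. The transcripts are constructed in Linux traceroute format, and the /24 prefix stands in for netmasks that traceroute cannot reveal; both are assumptions of this example.

```python
"""Network-layer topology discovery from ICMP/traceroute output: merge several
traces into router-to-router links and router-to-subnet attachments, and
account for hops that do not answer (ICMP disabled, as the text warns).
Added example, not the patent's code.  The traceroute transcripts are
constructed, and the /24 subnet assumption stands in for netmasks that
traceroute cannot reveal.
"""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Optional, Set, Tuple

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


@dataclass
class Topology:
    router_links: Set[Tuple[str, str]] = field(default_factory=set)    # undirected, sorted pairs
    router_subnets: Set[Tuple[str, str]] = field(default_factory=set)  # (last router, subnet)
    unattributed_subnets: Set[str] = field(default_factory=set)        # hop before the subnet hid
    hidden_hops: int = 0                                               # '* * *' hops seen


def parse_traceroute(text: str) -> Tuple[str, List[Optional[str]]]:
    """Return (destination, hops); hops[i] is the responder at TTL i+1, or
    None when every probe at that TTL timed out."""
    lines = text.strip().splitlines()
    header = re.search(r"traceroute to \S+ \((\S+)\)", lines[0])
    if not header:
        raise ValueError("not a traceroute transcript")
    hops: Dict[int, Optional[str]] = {}
    for line in lines[1:]:
        parts = line.split(None, 1)
        if not parts or not parts[0].isdigit():
            continue
        ip = IPV4.search(parts[1]) if len(parts) > 1 else None
        hops[int(parts[0])] = ip.group(0) if ip else None
    ordered = [hops.get(ttl) for ttl in range(1, max(hops) + 1)] if hops else []
    return header.group(1), ordered


def merge_traces(traces: Iterable[str], prefix_len: int = 24) -> Topology:
    topo = Topology()
    for text in traces:
        dest, hops = parse_traceroute(text)
        reached = bool(hops) and hops[-1] == dest
        routers = hops[:-1] if reached else hops        # the destination itself is a host
        topo.hidden_hops += routers.count(None)
        for a, b in zip(routers, routers[1:]):
            if a and b:                                 # only adjacency with both ends confirmed
                topo.router_links.add((a, b) if a < b else (b, a))
        if reached:
            subnet = str(ipaddress.ip_network(f"{dest}/{prefix_len}", strict=False))
            if routers and routers[-1]:
                topo.router_subnets.add((routers[-1], subnet))
            else:
                topo.unattributed_subnets.add(subnet)   # last hop hid: do not guess the gateway
    return topo


def neighbors(topo: Topology, router: str) -> Set[str]:
    return {b if a == router else a for a, b in topo.router_links if router in (a, b)}


# Constructed transcripts in Linux traceroute format, not from any real network.
SAMPLE_TRACES = [
    """traceroute to 10.2.0.25 (10.2.0.25), 30 hops max, 60 byte packets
 1  gw.lab (10.0.0.1)  0.412 ms  0.377 ms  0.351 ms
 2  10.1.0.1 (10.1.0.1)  1.204 ms  1.180 ms  1.160 ms
 3  * * *
 4  10.2.0.25 (10.2.0.25)  2.915 ms  2.880 ms  2.850 ms
""",
    """traceroute to 10.3.0.7 (10.3.0.7), 30 hops max, 60 byte packets
 1  gw.lab (10.0.0.1)  0.390 ms  0.360 ms  0.340 ms
 2  10.1.0.2 (10.1.0.2)  1.100 ms  1.050 ms  1.020 ms
 3  10.3.0.1 (10.3.0.1)  2.010 ms  1.980 ms  1.950 ms
 4  10.3.0.7 (10.3.0.7)  2.400 ms  2.380 ms  2.350 ms
""",
    """traceroute to 10.1.0.50 (10.1.0.50), 30 hops max, 60 byte packets
 1  gw.lab (10.0.0.1)  0.400 ms  0.370 ms  0.350 ms
 2  10.1.0.50 (10.1.0.50)  0.900 ms  0.880 ms  0.860 ms
""",
]

if __name__ == "__main__":
    t = merge_traces(SAMPLE_TRACES)
    for a, b in sorted(t.router_links):
        print(f"router {a} <-> router {b}")
    for r, s in sorted(t.router_subnets):
        print(f"router {r} -- subnet {s}")
    print("subnets behind a hidden hop:", sorted(t.unattributed_subnets), "hidden hops:", t.hidden_hops)
```

The hidden hop in the first trace is what the text's last paragraph is about: 10.2.0.0/24 is reached, but the router in front of it dropped the ICMP time-exceeded reply, so the merge records the subnet as unattributed rather than attaching it to 10.1.0.1. In a real deployment that list is the input for the SNMP-based pass the text calls more efficient, since an SNMP walk of the routing table on 10.1.0.1 would name the missing next hop.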
As shown in Fig. 6, the external access layer presents the system functions and a third-party call interface. The function presentation includes security configuration inspection, asset scanning, configuration template library, report management, user management and so on. Third-party interface calls based on web services are provided.
The function pages use a B/S (browser/server) architecture to give the user a graphical user interface; they can be installed on a Chinese-language operating system, all operations are menu-driven, and detailed help is provided.
In summary, for remote inspection the invention requires the access method of the target device and the login username and password; as long as the target and the tool are IP-reachable and the relevant service and port are open on the target, the target can be inspected remotely, and a number of concurrent connections can be specified so that several devices are inspected at the same time. Where the target is not directly IP-reachable but can be reached through an intermediate device, for example by jumping through a bastion host, the jump list function lets the asset information and login information of the intermediate devices be configured so that the target is accessed after the jumps. Where a dynamic password is required, the shared session function lets the operator log in manually to the corresponding intermediate device or bastion host to create an active session; the system connects to the intermediate device or bastion host through that session, accesses the target device, acquires its security configuration, performs the security configuration baseline verification and finally outputs the configuration verification result.
For industrial equipment modules and industrial software, taking into account the different characteristics of IT infrastructure and the security management requirements of industrial environments, detailed and actionable security baselines are created that can serve as an authoritative guide for product onboarding, network access testing, project acceptance, system operations and maintenance configuration, self-assessment, security hardening and security inspection rounds, improving the security of industrial control systems as a whole.
Those skilled in the art can implement the invention with many variations without departing from its essence and spirit. The foregoing are merely preferred feasible embodiments of the invention and do not limit its scope; all equivalent structural changes made using the content of the description and drawings are intended to fall within the scope of the invention.

Claims (8)

1. A security configuration check system, characterized in that it comprises:
A basic platform, comprising a basic software platform and a hardware foundation platform;
A system processing layer, comprising data processing and system services;
A kernel service layer, comprising a security configuration verification engine, a report statistics analysis engine, an asset scanning engine and a network topology analysis engine;
An external access layer, for presenting the system functions and the third-party calling interface, where the function display includes security configuration checking, asset scanning, the configuration template library, report management and user management, and a third-party interface based on webservice is provided.
2. The security configuration check system according to claim 1, characterized in that the basic software platform contains the hardware devices that provide the system with computing, storage and external communication; the basic software platform contains the system-specific operating system, file system, hard disk encryption and decryption, program encryption and decryption, network services, database and Web service program execution environment.
3. The security configuration check system according to claim 1, characterized in that the data processing is an internal system interface that provides the system with database access, system file access, data synchronization, and the input and output processing of basic data processing business; at the same time the data processing can realize efficient database access, data caching, high concurrency and multithreading; the system service layer is mainly used for data acquisition interface management, extraction of acquisition content, and the scheduling and monitoring of acquisition tasks, providing the upper layer with external system data acquisition support; the system information, fingerprint information and security configuration information of the target device can be obtained by accessing the target device through the acquisition interface.
4. The security configuration check system according to claim 1, characterized in that the security configuration verification engine analyzes the collected security configuration of the target device, discovers configurations that do not meet the security requirements, and gives security configuration suggestions for the device or system so as to raise the overall security level of the device; the modes of accessing the target mainly include remote access via Telnet, SSH, NETBIOS, HTTP and HTTPS.
5. The security configuration check system according to claim 1, characterized in that the statistical analysis processing engine processes the configuration verification results, including multi-dimensional statistical analysis of task results, comparison of configuration verification tasks over time, multi-task comparison, multi-task multi-dimensional merging, and statistics by check item; at the same time the statistical analysis processing engine outputs security configuration verification statistical analysis reports.
6. The security configuration check system according to claim 1, characterized in that the asset scanning engine (asset identification) is used for asset detection and asset information acquisition, including asset detection, asset fingerprint identification, asset service identification and asset management functions; the asset detection function supports discovering IT equipment and networked devices in the IP-reachable network by automatic scanning, automatically provides the fingerprint of the device and judges the system type of the device; by inputting the target device address segment information and the scanning strategy information, it obtains whether the assets are alive, the asset fingerprints and the service information.
7. The security configuration check system according to claim 1, characterized in that the network topology analysis engine covers addressing and route selection, and the establishment, holding and termination of connections; network layer devices include routers and three-layer (layer 3) switches; a router is used to realize addressing and routing forwarding of network packets; a three-layer switch is a switch with some router functions, whose most important purpose is to speed up data exchange inside a large local area network, its routing function also serving this purpose, and it can route once and forward many times.
8. The security configuration check system according to claim 1, characterized in that the external access layer is used to present the system functions and the third-party calling interface; the function display includes security configuration checking, asset scanning, the configuration template library, report management and user management; a third-party interface based on webservice is provided; the function display pages are implemented on a B/S architecture and provide users with a graphical user interface, can be installed on a Chinese-language operating system, all operations are menu-based, and a detailed help function is provided.
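The verification engine of claim 4 (compare a collected configuration against a baseline and emit suggestions for failing items) and the per-check-item statistics and cross-run comparison of claim 5, as an added Python example that is not the patent's own code. It covers only the step after collection: it assumes the collected configuration is a flat key/value text (a constructed sshd_config-style sample, not from any real host) and that the baseline is a hypothetical list of check items; the names CheckItem, verify, summarize and compare_runs are mine.

```python
"""Security configuration baseline verification (added example, not the patent's code).

Assumes a flat 'Key value' configuration text and a list of check items,
each with a predicate, a human-readable expected setting and a remediation
hint. All sample data below is constructed.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# Constructed sample: the "collected security configuration" of one target,
# captured in two separate check tasks (an earlier and a later run).
COLLECTED_CONFIG_RUN1 = """\
# constructed sshd_config-style sample (not from any real host)
Protocol 2
PermitRootLogin yes
PasswordAuthentication yes
MaxAuthTries 10
X11Forwarding no
"""

COLLECTED_CONFIG_RUN2 = """\
Protocol 2
PermitRootLogin no
PasswordAuthentication yes
MaxAuthTries 4
X11Forwarding no
"""


def parse_config(text: str) -> Dict[str, str]:
    """Parse 'Key value' lines into a dict, ignoring blank lines and '#' comments."""
    cfg: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        cfg[key] = value.strip()
    return cfg


@dataclass(frozen=True)
class CheckItem:
    item_id: str
    key: str
    predicate: Callable[[Optional[str]], bool]  # receives None when the key is absent
    expected: str                               # human-readable expected setting
    advice: str                                 # security configuration suggestion


# Hypothetical baseline, i.e. one entry of a "configuration template library".
SSH_BASELINE: List[CheckItem] = [
    CheckItem("SSH-01", "Protocol", lambda v: v == "2", "2", "Set Protocol 2"),
    CheckItem("SSH-02", "PermitRootLogin", lambda v: v == "no", "no", "Set PermitRootLogin no"),
    CheckItem("SSH-03", "PasswordAuthentication", lambda v: v == "no", "no",
              "Set PasswordAuthentication no and use key-based authentication"),
    CheckItem("SSH-04", "MaxAuthTries",
              lambda v: v is not None and v.isdigit() and int(v) <= 4, "<= 4",
              "Set MaxAuthTries to 4 or lower"),
    CheckItem("SSH-05", "X11Forwarding", lambda v: v == "no", "no", "Set X11Forwarding no"),
]


@dataclass(frozen=True)
class CheckResult:
    item_id: str
    key: str
    actual: Optional[str]   # None means the setting was not present at all
    passed: bool
    advice: str             # empty when the item passed


def verify(cfg: Dict[str, str], baseline: List[CheckItem]) -> List[CheckResult]:
    """Evaluate every baseline item against the collected configuration."""
    results: List[CheckResult] = []
    for item in baseline:
        actual = cfg.get(item.key)      # a missing key is passed to the predicate as None
        ok = item.predicate(actual)
        results.append(CheckResult(item.item_id, item.key, actual, ok, "" if ok else item.advice))
    return results


def summarize(results: List[CheckResult]) -> Dict[str, int]:
    """Per-task totals (the simplest of the claim 5 statistics)."""
    passed = sum(r.passed for r in results)
    return {"total": len(results), "passed": passed, "failed": len(results) - passed}


def compare_runs(earlier: List[CheckResult], later: List[CheckResult]) -> Dict[str, List[str]]:
    """Per-check-item change between two task runs: fixed, regressed, still failing."""
    e = {r.item_id: r.passed for r in earlier}
    l = {r.item_id: r.passed for r in later}
    return {
        "fixed": sorted(i for i in e if not e[i] and l.get(i, False)),
        "regressed": sorted(i for i in e if e[i] and not l.get(i, True)),
        "still_failing": sorted(i for i in e if not e[i] and not l.get(i, True)),
    }


if __name__ == "__main__":
    run1 = verify(parse_config(COLLECTED_CONFIG_RUN1), SSH_BASELINE)
    run2 = verify(parse_config(COLLECTED_CONFIG_RUN2), SSH_BASELINE)
    for r in run2:
        status = "PASS" if r.passed else "FAIL"
        print(f"{r.item_id} {r.key}={r.actual!r} {status} {r.advice}")
    print(summarize(run1), summarize(run2))
    print(compare_runs(run1, run2))
```

A missing setting is deliberately routed through the predicate as None rather than silently skipped, so a baseline item only passes when the collected value positively satisfies it; this is the behaviour a checker needs when a target's configuration file omits a directive and falls back to an insecure default.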
CN201810801100.2A 2018-07-20 2018-07-20 A kind of security configuration check system Pending CN108900527A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201810801100.2A CN108900527A (en) 2018-07-20 2018-07-20 A kind of security configuration check system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201810801100.2A CN108900527A (en) 2018-07-20 2018-07-20 A kind of security configuration check system

Publications (1)

Publication Number Publication Date
CN108900527A true CN108900527A (en) 2018-11-27

Family

ID=64351432

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201810801100.2A Pending CN108900527A (en) 2018-07-20 2018-07-20 A kind of security configuration check system

Country Status (1)

Country Link
CN (1) CN108900527A (en)

Cited By (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110493254A (en) * 2019-09-03 2019-11-22 国家计算机网络与信息安全管理中心 Industrial cloud security overall evaluation method and device
CN110633571A (en) * 2019-09-30 2019-12-31 广州竞远安全技术股份有限公司 Efficient online checking method and device for information system security configuration
CN111078481A (en) * 2019-12-19 2020-04-28 哈尔滨安天科技集团股份有限公司 Method and device for acquiring configuration check list, electronic equipment and storage medium
CN111562938A (en) * 2020-04-20 2020-08-21 杭州迪普科技股份有限公司 Method and device for checking configuration information of PLC and computer equipment
CN113010901A (en) * 2021-04-25 2021-06-22 深圳市位元领航科技有限公司 Automatic safety inspection method and terminal based on asset model
CN113518054A (en) * 2020-04-09 2021-10-19 中国铁道科学研究院集团有限公司电子计算技术研究所 Safety configuration acquisition method for railway industry information system
WO2022033699A1 (en) * 2020-08-14 2022-02-17 Telefonaktiebolaget Lm Ericsson (Publ) Generation of a security configuration profile for a network entity
CN114079647A (en) * 2020-08-11 2022-02-22 中国移动通信集团安徽有限公司 Method, device and system for IP address filing verification and computing equipment
CN115086063A (en) * 2022-07-05 2022-09-20 中国联合网络通信集团有限公司 Baseline verification and/or repair method, system, object, device and system
CN116233122A (en) * 2023-05-06 2023-06-06 上海观安信息技术股份有限公司 Heterogeneous server login method, device, equipment and medium
CN111562938B (en) * 2020-04-20 2024-05-24 杭州迪普科技股份有限公司 Method and device for checking configuration information of PLC and computer equipment

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20130174263A1 (en) * 2010-07-01 2013-07-04 Mariano Nunez Di Croce Automated security assessment of business-critical systems and applications
CN103390133A (en) * 2012-05-07 2013-11-13 恒安嘉新(北京)科技有限公司 Automatic Windows system security configuration check method
CN105227383A (en) * 2015-11-06 2016-01-06 广东电网有限责任公司电力科学研究院 A kind of device of network topology investigation
CN108183895A (en) * 2017-12-26 2018-06-19 广东电网有限责任公司信息中心 A kind of networked asset information acquisition system
CN108600260A (en) * 2018-05-09 2018-09-28 国家计算机网络与信息安全管理中心 A kind of industry Internet of Things security configuration check method


Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
王万宁 (Wang Wanning): "Research and Implementation of a Security Baseline Management System" *

Cited By (15)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110493254A (en) * 2019-09-03 2019-11-22 国家计算机网络与信息安全管理中心 Industrial cloud security overall evaluation method and device
CN110633571A (en) * 2019-09-30 2019-12-31 广州竞远安全技术股份有限公司 Efficient online checking method and device for information system security configuration
CN111078481A (en) * 2019-12-19 2020-04-28 哈尔滨安天科技集团股份有限公司 Method and device for acquiring configuration check list, electronic equipment and storage medium
CN111078481B (en) * 2019-12-19 2023-12-26 安天科技集团股份有限公司 Method, device, electronic equipment and storage medium for acquiring configuration checklist
CN113518054A (en) * 2020-04-09 2021-10-19 中国铁道科学研究院集团有限公司电子计算技术研究所 Safety configuration acquisition method for railway industry information system
CN111562938A (en) * 2020-04-20 2020-08-21 杭州迪普科技股份有限公司 Method and device for checking configuration information of PLC and computer equipment
CN111562938B (en) * 2020-04-20 2024-05-24 杭州迪普科技股份有限公司 Method and device for checking configuration information of PLC and computer equipment
CN114079647B (en) * 2020-08-11 2023-07-21 中国移动通信集团安徽有限公司 Method, device, system and computing equipment for checking IP address record
CN114079647A (en) * 2020-08-11 2022-02-22 中国移动通信集团安徽有限公司 Method, device and system for IP address filing verification and computing equipment
WO2022033699A1 (en) * 2020-08-14 2022-02-17 Telefonaktiebolaget Lm Ericsson (Publ) Generation of a security configuration profile for a network entity
CN113010901B (en) * 2021-04-25 2024-03-01 深圳市位元领航科技有限公司 Automatic security inspection method and terminal based on asset model
CN113010901A (en) * 2021-04-25 2021-06-22 深圳市位元领航科技有限公司 Automatic safety inspection method and terminal based on asset model
CN115086063A (en) * 2022-07-05 2022-09-20 中国联合网络通信集团有限公司 Baseline verification and/or repair method, system, object, device and system
CN116233122B (en) * 2023-05-06 2023-07-04 上海观安信息技术股份有限公司 Heterogeneous server login method, device, equipment and medium
CN116233122A (en) * 2023-05-06 2023-06-06 上海观安信息技术股份有限公司 Heterogeneous server login method, device, equipment and medium

Similar Documents

Publication Publication Date Title
CN108900527A (en) A kind of security configuration check system
US20210326451A1 (en) Automated security assessment of business-critical systems and applications
CN108183895B (en) Network asset information acquisition system
US10313382B2 (en) System and method for visualizing and analyzing cyber-attacks using a graph model
CN108737425A (en) Fragility based on multi engine vulnerability scanning association analysis manages system
CN106411578B (en) A kind of web publishing system and method being adapted to power industry
US9094434B2 (en) System and method for automated policy audit and remediation management
US7805510B2 (en) Hierarchy for characterizing interactions with an application
CN108600260A (en) A kind of industry Internet of Things security configuration check method
US7627891B2 (en) Network audit and policy assurance system
US8656006B2 (en) Integrating traffic monitoring data and application runtime data
JP2021528749A (en) Automatic packetless network reachability analysis
US20100305990A1 (en) Device classification system
CN109639705A (en) Cloud platform safety detection method
WO2022093007A1 (en) An improved computer implemented system and method for cybersecurity management platform of a monitored network
Adamović Penetration testing and vulnerability assessment: introduction, phases, tools and methods
Lupia et al. ICS Honeypot Interactions: A Latitudinal Study
Putra et al. Infrastructure as code for security automation and network infrastructure monitoring
Antunes et al. A monitoring and testing framework for critical off-the-shelf applications and services
KR102314557B1 (en) System for managing security control and method thereof
CN108768916A (en) A kind of method and device obtaining security configuration information
Betancourt et al. Linking intrusion detection system information and system model to redesign security architecture
Zhang et al. Toward comprehensive network verification: Practices, challenges and beyond
CN112347485B (en) Processing method for acquiring loopholes and automatically penetrating multiple engines
Ziro et al. Improved Method for Penetration Testing of Web Applications.

Legal Events

Date Code Title Description
PB01 Publication
CB02 Change of applicant information

Address after: No. 1 road 210000 Jiangsu Dongji city of Nanjing province Jiangning economic and Technological Development Zone

Applicant after: XINLIAN TECHNOLOGY (NANJING) Co.,Ltd.

Address before: No. 1 road 210000 Jiangsu Dongji city of Nanjing province Jiangning economic and Technological Development Zone

Applicant before: NANJING FANGHENG INFORMATION TECHNOLOGY Co.,Ltd.

SE01 Entry into force of request for substantive examination
WD01 Invention patent application deemed withdrawn after publication

Application publication date: 20181127