Background technology
With the rapid development of attack techniques, the security of information assets in information systems has become increasingly important. Routers and switches are among the most important information assets in an information system, and security baseline monitoring and management of routers and switches is an important means of protecting the security of information assets in an information system.
Information security baseline configuration monitoring and management mostly consists of automated compliance inspection of the configuration of the information assets of various information systems: the relevant configuration of the information assets of every information system within the monitored scope is collected in real time, the actual security configuration of the equipment and systems is compared against the security baselines in a security baseline library, the security defects and risks present in a system or device are accurately discovered and located, and a corresponding report is produced. What is lacking is a corresponding means of automatic repair.
At present, once a security defect or risk is discovered in a system or device, government bodies, enterprises and institutions repair the system security configuration that carries the risk by hand. Because the information systems of most government bodies, enterprises and institutions hold a large number of information assets and a wide variety of security baselines, this approach is not only laborious and tedious, but some configurations are easily missed, exposing the information system to information-asset risk.
Regarding the monitoring and management of information-asset security baselines in information systems, document [1] sets out a classification of network security baselines and implements a tool that automates the inspection of communication network security baselines. Document [2] provides a baseline knowledge base and the construction process of a check-list collection, and gives rectification advice for security baseline configurations found to be defective. Document [3] compares every item of security configuration information against a customized baseline library; the comparison results can be output as various reports, and expert advice and supplementary analysis can be provided on the results. Document [4] proposes a method for automatically generating a patch download list on the Windows server side. None of these methods proposes automatic repair of security configuration vulnerabilities, nor do they systematically provide a repair procedure for router/switch security configuration vulnerabilities.
Related documents:
[1] Ma Guangyu, Shen Jing. How to better exploit the communication network security baseline. 2011.
[2] Zou Yulin. A security configuration check system for security-grade testing and evaluation. 2013.
[3] Chen Zhihua. Security baseline management applications in the enterprise. 2013.
[4] Liu [given name illegible in source]. Research and design of a patch management system based on OVAL vulnerability detection. 2011.
Summary of the invention
In view of the above problems, the present invention proposes a technical scheme for the automatic repair of router/switch security configuration vulnerabilities based on a security baseline configuration specification.
The technical scheme of the present invention provides a router/switch security configuration vulnerability automatic repair method, for automatically repairing the security configuration vulnerabilities of a router or switch, comprising: establishing in advance a security configuration baseline library according to the security baseline configuration specification, and then performing a collection process and a repair process based on the security configuration baseline library;
The security configuration baseline library comprises the basic information of every security configuration baseline item covered by the security baseline configuration specification. The basic information of each baseline item comprises the baseline item name, the security configuration baseline value, the security configuration acquisition instruction and the security configuration vulnerability repair instruction, together with a security configuration baseline item ID that uniquely identifies the baseline item name;
The collection process comprises: logging in remotely to the router/switch, executing the corresponding security configuration acquisition instructions to collect every item of the router/switch security configuration information in real time, and obtaining the configuration data; comparing, item by item, each security configuration value in the collected security configuration information with the corresponding baseline item in the security configuration baseline library; defining any collected security configuration that does not meet its security configuration baseline value as a security configuration vulnerability, and saving the vulnerability in the security configuration vulnerability database to obtain the vulnerability data. The security configuration vulnerability database comprises the basic information of each security configuration vulnerability: the vulnerability item name, the security configuration value found in the collected security configuration information, and a security configuration vulnerability ID that is identical to the security configuration baseline item ID;
The repair process comprises: when an unrepaired configuration vulnerability exists in the security configuration vulnerability database, obtaining the vulnerability from the database and, using its vulnerability ID, obtaining the security configuration baseline value and the vulnerability repair instruction of the corresponding baseline item from the security configuration baseline library; then logging in remotely to the router/switch and executing the vulnerability repair instruction, which repairs the security configuration vulnerability to the security configuration baseline value.
Further, the remote login to the router/switch uses the SSH or Telnet protocol.
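The two databases the method relies on, as an added example that is not part of the patent: a SQLite security configuration baseline library and security configuration vulnerability database in which the vulnerability ID is the baseline item ID, plus the lookup that the repair process performs through that shared ID. Table and column names and the second baseline item are my own constructions; the first item uses the telnet values the embodiment gives for the Cisco Catalyst 3560.

```python
"""Added example (not the patent's code): the baseline library and the
vulnerability database as two SQLite tables linked by a shared ID."""
import sqlite3

# Schema is my own design; column roles follow the patent's description.
SCHEMA = """
CREATE TABLE baseline_item (
    item_id        INTEGER PRIMARY KEY,   -- security configuration baseline item ID
    item_name      TEXT NOT NULL UNIQUE,  -- baseline item name
    baseline_value TEXT NOT NULL,         -- security configuration baseline value
    acquire_cmd    TEXT NOT NULL,         -- security configuration acquisition instruction
    repair_cmds    TEXT NOT NULL          -- vulnerability repair instructions, one per line
);
CREATE TABLE config_vuln (
    vuln_id         INTEGER PRIMARY KEY REFERENCES baseline_item(item_id),
    vuln_name       TEXT NOT NULL,        -- vulnerability item name
    collected_value TEXT NOT NULL,        -- value actually read from the device
    repaired        INTEGER NOT NULL DEFAULT 0
);
"""


def open_library():
    """Create both tables in memory and load constructed sample baseline items."""
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")
    conn.executescript(SCHEMA)
    conn.executemany(
        "INSERT INTO baseline_item VALUES (?, ?, ?, ?, ?)",
        [
            # Values from the patent's Cisco telnet example.
            (1, "telnet", "transport input ssh", "show run",
             "line vty 0 15\ntransport input ssh"),
            # Constructed second item, so the lookup is exercised on more than one row.
            (2, "exec-timeout", "exec-timeout 10 0", "show run",
             "line vty 0 15\nexec-timeout 10 0"),
        ],
    )
    return conn


def record_vulnerability(conn, item_id, collected_value):
    """Store a collected value that failed the baseline comparison, keyed by the item ID."""
    row = conn.execute("SELECT item_name FROM baseline_item WHERE item_id = ?",
                       (item_id,)).fetchone()
    if row is None:
        raise KeyError(f"no baseline item with ID {item_id}")
    conn.execute(
        "INSERT INTO config_vuln (vuln_id, vuln_name, collected_value) VALUES (?, ?, ?)",
        (item_id, row[0], collected_value))


def pending_repairs(conn):
    """What the repair process reads: for every unrepaired vulnerability, the baseline
    value and repair instructions, joined through the shared ID."""
    rows = conn.execute("""
        SELECT v.vuln_id, v.vuln_name, v.collected_value, b.baseline_value, b.repair_cmds
        FROM config_vuln v JOIN baseline_item b ON b.item_id = v.vuln_id
        WHERE v.repaired = 0 ORDER BY v.vuln_id""").fetchall()
    return [dict(vuln_id=r[0], name=r[1], collected=r[2], baseline=r[3],
                 repair_cmds=r[4].split("\n")) for r in rows]


def mark_repaired(conn, vuln_id):
    """Flag a vulnerability as repaired so the next pass skips it."""
    conn.execute("UPDATE config_vuln SET repaired = 1 WHERE vuln_id = ?", (vuln_id,))


if __name__ == "__main__":
    db = open_library()
    record_vulnerability(db, 1, "transport input telnet")
    for todo in pending_repairs(db):
        print(todo)
        mark_repaired(db, todo["vuln_id"])
    print("remaining:", pending_repairs(db))
```

Making `vuln_id` both the primary key and a foreign key enforces the patent's rule that a vulnerability ID equals a baseline item ID and that at most one open record exists per baseline item; a record for an ID the baseline library does not know is rejected before it is written.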
Correspondingly, the present invention also provides a router/switch security configuration vulnerability automatic repair system, for automatically repairing the security configuration vulnerabilities of a router or switch, comprising the following modules:
A security configuration baseline library module, for establishing in advance a security configuration baseline library according to the security baseline configuration specification. The security configuration baseline library comprises the basic information of every security configuration baseline item covered by the security baseline configuration specification; the basic information of each baseline item comprises the baseline item name, the security configuration baseline value, the security configuration acquisition instruction and the security configuration vulnerability repair instruction, together with a security configuration baseline item ID that uniquely identifies the baseline item name;
An acquisition module, for logging in remotely to the router/switch, executing the corresponding security configuration acquisition instructions to collect every item of the router/switch security configuration information in real time, and obtaining the configuration data; comparing, item by item, each security configuration value in the collected security configuration information with the corresponding baseline item in the security configuration baseline library; defining any collected security configuration that does not meet its security configuration baseline value as a security configuration vulnerability, and saving the vulnerability in the security configuration vulnerability database to obtain the vulnerability data. The security configuration vulnerability database comprises the basic information of each security configuration vulnerability: the vulnerability item name, the security configuration value found in the collected security configuration information, and a security configuration vulnerability ID that is identical to the security configuration baseline item ID;
A repair module, for, when an unrepaired configuration vulnerability exists in the security configuration vulnerability database, obtaining the vulnerability from the database and, using its vulnerability ID, obtaining the security configuration baseline value and the vulnerability repair instruction of the corresponding baseline item from the security configuration baseline library; then logging in remotely to the router/switch and executing the vulnerability repair instruction, which repairs the security configuration vulnerability to the security configuration baseline value.
Further, the remote login to the router/switch uses the SSH or Telnet protocol.
The security configuration vulnerability automatic repair method provided by the present invention applies to both routers and switches. Taking the security baseline configuration specification as the basis of judgement, and in view of the characteristics of routers and switches, it automatically repairs non-compliant security configurations, and has the following characteristics:
(1) A security configuration baseline library is established according to the security baseline configuration specification; besides the baseline item name and the security configuration baseline value, the library also holds the security configuration acquisition instruction and the security configuration vulnerability repair instruction.
(2) Security configuration vulnerabilities are located according to the security baseline configuration specification.
(3) The repair method and repair instruction for a security configuration vulnerability are obtained from the security configuration baseline library and the vulnerability is repaired automatically, which greatly reduces the manual workload of correcting security configuration vulnerabilities, greatly reduces the error rate of manual correction, and improves the efficiency of security baseline monitoring and management.
Embodiment
The present invention proposes a technical scheme for the automatic repair of router/switch security configuration vulnerabilities based on a security baseline configuration specification: by comparing the security configuration of the router/switch with the security configuration baseline library, security defects are found and the corresponding repair instruction is called to achieve automatic repair. Compared with the previous practice of repairing router/switch security configuration vulnerabilities by hand, the scheme greatly improves the efficiency and accuracy of security configuration correction in router/switch security baseline monitoring and management.
The technical solution of the present invention is described in detail below with reference to the drawings and embodiments.
The router/switch security configuration vulnerability automatic repair method based on a security baseline configuration specification provided by the embodiment first establishes a security configuration baseline library according to the security baseline configuration specification; then compares the collected router/switch security configuration with the security baseline values in the security configuration baseline library, marking any router/switch security configuration that does not meet the specification as a security configuration vulnerability; and finally, for each detected vulnerability, uses the corresponding security configuration repair instruction to repair it automatically.
The specific application scenario of the embodiment is shown in Fig. 1:
The security configuration baseline library is established in advance according to the security baseline configuration specification. It is a database built from that specification and comprises the basic information of every security configuration baseline item the specification covers: the baseline item name, the security configuration baseline value, the security configuration acquisition instruction and the security configuration vulnerability repair instruction; each baseline item has a unique baseline item ID that uniquely identifies the baseline item name. The collection process and the repair process are then performed on the basis of the security configuration baseline library. The security configuration acquisition instruction is the instruction that reads the router/switch configuration, and the security configuration vulnerability repair instruction is the instruction that sets the router/switch configuration; both can be preset during implementation according to the security baseline configuration specification to which the baseline item corresponds.
Collection process: log in remotely to the router/switch over the computer network using the SSH/Telnet protocol, execute the router/switch security configuration acquisition instructions held in the security configuration baseline library to collect every item of the router/switch security configuration information in real time, and obtain the configuration data. In practice the remote login generally uses the SSH protocol, and Telnet is required to be disabled; Telnet is used only when the router/switch does not support SSH.
Compare, item by item, each security configuration value in the collected security configuration information with the corresponding baseline item in the security configuration baseline library; define any collected security configuration that does not meet its security configuration baseline value as a security configuration vulnerability, and save the vulnerability in the security configuration vulnerability database to obtain the vulnerability data. The security configuration vulnerability database is the database that stores the vulnerability data; it comprises the basic information of each vulnerability, including the vulnerability item name and the security configuration value found in the collected security configuration information. Each vulnerability has a unique vulnerability ID that uniquely identifies the vulnerability name. The vulnerability ID equals the corresponding baseline item ID in the security configuration baseline library, so that the information needed from the baseline library can be retrieved conveniently by the vulnerability ID.
Repair process: when an unrepaired configuration vulnerability exists in the security configuration vulnerability database, obtain the vulnerability from the database and, using its vulnerability ID, obtain the security configuration baseline value and the vulnerability repair instruction of the corresponding baseline item from the security configuration baseline library; log in remotely to the router/switch over the computer network using the SSH/Telnet protocol and execute the vulnerability repair instruction, which repairs the security configuration vulnerability to the security configuration baseline value.
In practice, a computer can be set up to implement the above scheme, logging in remotely to the router/switch and continuously running the security configuration collection process and repair process in real time; execution can stop when no security configuration vulnerability remains in the security configuration vulnerability database, until the user asks for collection and repair to start again. Those skilled in the art can use computer software to automate the above method, for example by providing a configuration automatic repair program that users install on computer equipment such as a personal PC.
It can be seen that the present invention provides an automatic repair function for configurations with security risk found on the inspected router/switch. If an item of security configuration is found not to meet the specification, the corresponding repair instruction is called according to the baseline standard in the security configuration baseline library and the repair is executed, which greatly improves the efficiency and accuracy of configuration modification in security baseline monitoring and management.
For ease of implementation, the router/switch security configuration automatic repair flow of the embodiment is shown in Fig. 2; the specific flow is as follows:
Step 1: collect the router/switch security configuration information in real time according to the security configuration baseline items in the security configuration baseline library. The collection method for a router/switch is to emulate a terminal, log in remotely to the router/switch via SSH/Telnet, and obtain the configuration information with the router/switch security configuration acquisition instruction.
Step 2: for each security configuration baseline item involved in the collection, read the security configuration baseline value from the security configuration baseline library and compare it with the security configuration value collected from the router/switch; if the two are not equal, determine that this router/switch security configuration is a security configuration vulnerability, save the vulnerability in the security configuration vulnerability database, and add 1 to the vulnerability record count.
Step 3: obtain the security configuration vulnerabilities from the security configuration vulnerability database.
Step 4: if the vulnerability record count obtained from the security configuration vulnerability database is not 0, security configuration vulnerabilities exist; look up the vulnerability repair instruction of the corresponding security configuration baseline item in the security configuration baseline library according to the ID of each vulnerability.
Step 5: for each security configuration vulnerability, execute the vulnerability repair instruction obtained. The repair method for a router/switch is to emulate a terminal, log in remotely to the router/switch via SSH/Telnet, and execute the corresponding vulnerability repair instruction to achieve automatic repair of the security configuration. Return to Step 1 after the repair is complete.
Taking as an example whether the telnet of a Cisco Catalyst 3560 switch from Cisco Systems is configured as disabled, the process of locating and repairing a security configuration vulnerability is described; the implementation framework is shown in Fig. 3, and the specific implementation steps are as follows:
The software running on the computer can communicate with the router/switch in either of two ways, SSH or Telnet. Telnet communication is in plaintext and has a security problem, so Telnet communication is a security configuration baseline item in the security baseline configuration specification: its baseline value requires "Telnet is disabled", the security configuration acquisition instruction is "show run", and the security configuration vulnerability repair means is the commands "line vty 0 15" and "transport input ssh". These contents are kept in the security configuration baseline library.
(1) The configuration automatic repair program running on the computer communicates over SSH, connecting to the Cisco Catalyst 3560 switch with the username and password of the switch's privileged user. After entering the switch's privileged mode it sends the security configuration acquisition instruction show run to the switch, and in the result returned by the switch finds the telnet configuration by keyword match: transport input telnet. This shows that telnet is "enabled".
(2) The configuration automatic repair program compares the collected telnet item value "transport input telnet" with the baseline item value "transport input ssh" in the security configuration baseline library. Since the configuration data value "transport input telnet" is not equal to the security configuration baseline value "transport input ssh", that is, the correct configuration should be disabled but the user's current configuration is not disabled, it is determined to be a security configuration vulnerability. The name of this vulnerability, "telnet", and the configuration data value "transport input telnet" are saved in the security configuration vulnerability database.
(3) The records in the security configuration vulnerability database are retrieved and the "telnet" security configuration vulnerability is found. The configuration automatic repair program looks up the corresponding security configuration baseline value "transport input ssh" in the security configuration baseline library by the name "telnet", then communicates over SSH again, connecting with the username and password of the switch's privileged user, and after entering the switch's privileged mode sends two commands to the switch in succession, "line vty 0 15" and "transport input ssh", to repair this security configuration vulnerability.
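The five-step flow of Fig. 2 and the Cisco telnet walk-through above, carried out end to end as an added example that is not the patent's code: the switch CLI and the SSH session are simulated in memory by a constructed `SimulatedSwitch` class, the baseline library holds the single telnet item with the values the embodiment gives, and the keyword-match rule (a regular expression applied to the `show run` output) is my assumption, since the text only says "keyword match".

```python
"""Added example (not the patent's code): acquire, compare, repair and re-check
against a simulated Cisco IOS switch; no network access is needed."""
import re
from dataclasses import dataclass

# Baseline library with the one item from the patent's Cisco example.
# The item ID, the regex and the key names are my own constructions.
BASELINE_LIBRARY = {
    1: {
        "name": "telnet",
        "baseline_value": "transport input ssh",
        "acquire_cmd": "show run",
        "pattern": r"^\s*transport input \S+",   # assumed keyword-match rule
        "repair_cmds": ["line vty 0 15", "transport input ssh"],
    },
}


class SimulatedSwitch:
    """In-memory stand-in for a Catalyst 3560 reached over SSH (constructed).
    It accepts exactly the commands the embodiment sends."""

    def __init__(self, vty_transport="telnet"):
        self.vty_transport = vty_transport
        self._in_vty_config = False

    def running_config(self):
        # Constructed sample output of "show run", trimmed to the relevant lines.
        return "\n".join([
            "hostname sw-lab-01",
            "line vty 0 15",
            f" transport input {self.vty_transport}",
            "end",
        ])

    def send(self, command):
        """Execute one CLI command and return its output."""
        if command == "show run":
            return self.running_config()
        if command == "line vty 0 15":
            self._in_vty_config = True
            return ""
        m = re.fullmatch(r"transport input (ssh|telnet|all|none)", command)
        if m and self._in_vty_config:
            self.vty_transport = m.group(1)
            return ""
        raise ValueError(f"unsupported or out-of-context command: {command!r}")


@dataclass
class VulnRecord:
    vuln_id: int            # equals the baseline item ID, as the patent requires
    name: str
    collected_value: str
    repaired: bool = False


def acquire(device, item):
    """Step 1: run the acquisition instruction and pull out the item's value by keyword match."""
    output = device.send(item["acquire_cmd"])
    m = re.search(item["pattern"], output, re.MULTILINE)
    return m.group(0).strip() if m else ""


def compare(device, library):
    """Step 2: compare each collected value with its baseline value; record mismatches."""
    vuln_db = []
    for item_id, item in library.items():
        value = acquire(device, item)
        if value != item["baseline_value"]:
            vuln_db.append(VulnRecord(item_id, item["name"], value))
    return vuln_db


def repair(device, library, vuln_db):
    """Steps 3 to 5: for each unrepaired record, fetch the repair commands by ID and run them."""
    for rec in vuln_db:
        if rec.repaired:
            continue
        for cmd in library[rec.vuln_id]["repair_cmds"]:
            device.send(cmd)
        rec.repaired = True
    return vuln_db


def run_cycle(device, library=BASELINE_LIBRARY):
    """One full pass, then the return to Step 1 that confirms nothing remains."""
    vuln_db = compare(device, library)
    found = [(r.name, r.collected_value) for r in vuln_db]
    repair(device, library, vuln_db)
    remaining = compare(device, library)
    return {"found": found, "remaining": len(remaining)}


if __name__ == "__main__":
    sw = SimulatedSwitch(vty_transport="telnet")
    print(run_cycle(sw))  # → {'found': [('telnet', 'transport input telnet')], 'remaining': 0}
```

The simulator follows the embodiment's two-command repair sequence exactly; on a real IOS device those two lines must be entered from global configuration mode (`configure terminal`), a step the walk-through does not show. The re-collection after repair implements the "return to Step 1" of the flow and is the check a practitioner wants before the vulnerability record is closed.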
Correspondingly, the embodiment of the present invention also provides a router/switch security configuration vulnerability automatic repair system, for automatically repairing the security configuration vulnerabilities of a router or switch, comprising the following modules:
A security configuration baseline library module, for establishing in advance a security configuration baseline library according to the security baseline configuration specification. The security configuration baseline library comprises the basic information of every security configuration baseline item covered by the security baseline configuration specification; the basic information of each baseline item comprises the baseline item name, the security configuration baseline value, the security configuration acquisition instruction and the security configuration vulnerability repair instruction, together with a security configuration baseline item ID that uniquely identifies the baseline item name;
An acquisition module, for logging in remotely to the router/switch, executing the security configuration acquisition instructions to collect every item of the router/switch security configuration information in real time, and obtaining the configuration data; comparing, item by item, each security configuration value in the collected security configuration information with the corresponding baseline item in the security configuration baseline library; defining any collected security configuration that does not meet its security configuration baseline value as a security configuration vulnerability, and saving the vulnerability in the security configuration vulnerability database to obtain the vulnerability data. The security configuration vulnerability database comprises the basic information of each security configuration vulnerability: the vulnerability item name, the security configuration value found in the collected security configuration information, and a security configuration vulnerability ID that is identical to the security configuration baseline item ID;
A repair module, for, when an unrepaired configuration vulnerability exists in the security configuration vulnerability database, obtaining the vulnerability from the database and, using its vulnerability ID, obtaining the security configuration baseline value and the vulnerability repair instruction of the corresponding baseline item from the security configuration baseline library; then logging in remotely to the router/switch and executing the vulnerability repair instruction, which repairs the security configuration vulnerability to the security configuration baseline value.
The specific implementation of each module corresponds to the method steps and is not described further here.
The specific embodiment described herein merely illustrates the spirit of the present invention. Those skilled in the art may make various modifications or additions to the described embodiment, or substitute similar means, without departing from the spirit of the present invention or exceeding the scope defined by the appended claims.