CN110086812B - Safe and controllable internal network safety patrol system and method - Google Patents


Info

Publication number: CN110086812B
Application number: CN201910357390.0A
Authority: CN (China)
Prior art keywords: intranet, safety, security, asset, network
Legal status: Active (granted)
Other languages: Chinese (zh)
Other versions: CN110086812A
Inventors: 崔翔, 刘井强, 殷丽华, 谭庆丰, 姜誉, 王乐
Current assignee: Guangzhou University
Original assignee: Guangzhou University
Applicant: Guangzhou University
Priority date: 2019-04-29
Filing date: 2019-04-29
Publication dates: 2019-08-02 (CN110086812A), 2021-11-30 (CN110086812B)

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425 Traffic logging, e.g. anomaly detection
    • H04L63/1433 Vulnerability analysis

Abstract

The invention relates to the field of computer security, in particular to a safe and controllable intranet security patrol system and method. An intranet asset mark is installed on each network device in the intranet; the system judges whether the intranet asset mark contains login credential information; if so, it performs vulnerability scanning on the network device using those login credentials; otherwise, it performs no vulnerability scanning on the device. Vulnerability scanning is thus carried out on a network device in the intranet only when a specific condition is met, namely that the intranet asset mark information sent by the device contains login credential information, which effectively prevents host systems from being accidentally damaged during vulnerability scanning.

Description

Safe and controllable internal network safety patrol system and method
Technical Field
The invention relates to the field of computer security, in particular to a safe and controllable intranet security patrol system and method.
Background
With the growing popularity of networked applications, network security, and "intranet security" in particular, has become one of the key issues facing IT applications, and intranet security products, represented by intranet security patrol systems, are increasingly valued by users.
An intranet security patrol system is a network security product for the active management, control and monitoring of internal and private networks. It addresses the security management, security control and behaviour monitoring of private networks in enterprises and government bodies; it brings the potential security hazards of the internal network under control by technical means, in an active security management and control mode; it makes those hazards visible by monitoring and recording the behaviour of each network; it greatly improves the security of internal private networks; and it ensures that every network user uses data and information legitimately, within their authorized range.
Currently, mainstream intranet security patrol systems lack an effective security boundary detection mechanism. When a target IP address or an IP address range is specified, penetration testing and security auditing can easily spill over onto non-target host systems outside that address or address segment; in such cases the system not only fails to harden security but may even damage hosts in the core production network and disrupt the operation of normal system services.
Currently, mainstream intranet security products lack a boundary auditing mechanism and an effective authentication identifier for the target hosts under security detection. When penetration testing and security evaluation are performed on intranet hosts, the interconnection of internal local area networks may cause spill-over or mistaken attacks, so that some normally operating non-target host systems are threatened by the intranet security patrol system itself. Host systems that should not be scanned or probed can be accidentally damaged by the execution of PoC vulnerability verification scripts, leading to information disclosure, unauthorized access and even automated attacks that crash the system; for example, the EternalBlue (MS17-010) verification script can blue-screen a Windows host, resulting in denial of service.
Disclosure of Invention
In order to solve the above problems, an object of the present invention is to provide an intranet security patrol system and method which perform vulnerability scanning on a network device in the intranet only when a specific condition is met, namely that the intranet asset mark information sent by the network device contains login credential information.
Based on this, the invention provides a safe and controllable intranet security patrol system, characterized by comprising: an asset management module, a vulnerability scanning module, a security audit module and a network management module;
the asset management module is used for receiving intranet asset mark information sent by the network devices in the intranet; the intranet asset mark information is used for asset authentication identification and asset management;
the vulnerability scanning module is used for judging whether the intranet asset mark of a network device in the intranet contains login credential information; if so, vulnerability scanning is performed on the network device; if not, the network device is not scanned for vulnerabilities; the asset management module remotely manages the network devices and security devices using the login credential information;
the security audit module is used for auditing the network devices and security devices and finding the devices that have security problems;
and the network management module is used for performing security repair on the problem devices.
As a preferred technical solution, the asset management module is further configured to configure network asset library units having different attributes; a network asset library unit is used to configure the intrusion detection tasks and security audit tasks of the network devices in that network asset library.
As a preferred technical solution, the intranet asset mark information further includes operation mark information; the operation mark information is used for discovering the network devices and security devices in the intranet.
As a preferred technical solution, the security problems include: misconfiguration, abnormal login and behaviour violating a security policy; the security policies concerned are the system-level security policy of the network device and the system-level security policy of the security device.
As a preferred technical solution, the network management module is further configured to judge whether a security problem can be repaired automatically and safely; if so, it performs the automatic repair; if not, it sends a cooperation notice or a security warning to the intranet security officer.
Based on the above, the invention also provides a safe and controllable intranet security patrol method, characterized by comprising the following steps:
mark installation: installing an intranet asset mark on each network device in the intranet;
vulnerability scanning: judging whether the intranet asset mark contains login credential information; if so, performing vulnerability scanning on the network device; if not, performing no vulnerability scanning on the network device.
As a preferred technical solution, after mark installation and before vulnerability scanning, the intranet security patrol method further comprises: asset registration: judging whether the intranet asset mark contains operation mark information; if so, registering the network device as a device to be vulnerability-scanned; if not, the intranet security patrol method ends.
As a preferred technical solution, after vulnerability scanning, the intranet security patrol method further comprises: security audit: performing a security audit on the vulnerability-scanned device.
As a preferred technical solution, after vulnerability scanning, the intranet security patrol method further comprises: security repair: performing security repair operations on the vulnerability-scanned device, where security repair comprises: policy enforcement, version updating, vulnerability fixing and patch updating.
Therefore, the safe and controllable intranet security patrol system and method provided by the invention treat a network device as willing to be scanned and probed only when its mark contains login credential information. A system that does not wish to be scanned or probed contains no login credential information and is therefore not vulnerability-scanned, so no vulnerability verification script runs against it. This avoids PoC scripts accidentally damaging host systems during vulnerability scanning and causing information leakage, unauthorized access or even automated attacks that paralyse the system; for example, the EternalBlue (MS17-010) verification script can blue-screen a Windows host and cause denial of service.
Drawings
Fig. 1 is a network topology diagram of an intranet security patrol system according to an embodiment of the present invention;
Fig. 2 is a block diagram of an intranet security patrol system according to an embodiment of the present invention;
Fig. 3 is a flowchart of an intranet security patrol method according to an embodiment of the present invention;
Fig. 4 is a flowchart of an intranet security patrol method incorporating an asset registration step according to an embodiment of the present invention.
Detailed Description
The following detailed description of embodiments of the present invention is provided in connection with the accompanying drawings and examples. The following examples are intended to illustrate the invention but are not intended to limit the scope of the invention.
Example 1
Referring to Fig. 1, the intranet security patrol server provided by the invention can be deployed on a core switch of the intranet, so that it can conveniently manage the network devices in the intranet.
Referring to Fig. 2, the safe and controllable intranet security patrol system provided by the invention comprises: an asset management module, a vulnerability scanning module, a security audit module and a network management module;
the asset management module is used for receiving intranet asset mark information sent by the network devices in the intranet;
the vulnerability scanning module is used for judging whether the intranet asset mark of a network device in the intranet contains login credential information; if so, vulnerability scanning is performed on the network device; otherwise, the network device is not scanned for vulnerabilities;
the security audit module is used for performing security audits on the network devices and security devices in the intranet, that is, for finding the devices in the intranet that have security problems;
and the network management module is used for performing security repair on the problem devices.
In this embodiment, the mark may be a mutex semaphore of the network device and may be used for asset authentication and asset management. After the intranet asset mark is installed, the network device in the intranet automatically sends the encrypted intranet asset mark information to the intranet patrol server. The encryption may use the HTTPS protocol, the RSA algorithm, the MD5 algorithm and the like, but is not limited to these means.
The vulnerability scanning module supports a plug-in, verification-type detection mechanism for detecting and verifying vulnerabilities of network devices in the intranet. It mainly provides rapid response and risk investigation for newly disclosed internet security vulnerabilities, evaluates the vulnerabilities it discovers, and works in linkage with the asset management module.
To avoid spill-over or mistaken attacks, the vulnerability scanning module checks whether login credential information is stored in the collected intranet asset mark information of a network device. If it is, the vulnerability scanning activity against that device falls within the authorized scope of the intranet security patrol system; if not, the intranet security patrol system does not authorize the vulnerability scanning module to scan the device.
The security audit module is mainly used for security auditing of various servers (such as web servers, database servers, FTP servers and mail servers), network devices such as PCs, routers and switches, and security devices such as firewalls. It analyses the intranet asset mark information containing login credentials sent by the network device to perform security policy audits at the host system level and the network security system level. It can read audit log information and identify security problems from the audit log, such as misconfiguration, abnormal login and behaviour violating security policies.
The network management module performs automatic security repair on the detected target system according to the security problems found by the security audit module. Security repair comprises policy enforcement, version updating, vulnerability fixing and patch updating. For security repairs that the network management module cannot handle automatically and that require the cooperation of security management personnel, a cooperation notice or a security warning is sent to the intranet security officer.
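The audit and repair logic of the security audit module and network management module, as an added example that is not part of the patent: the log line format, the detection rules (root login from outside the intranet range, repeated failed logins, known-bad settings, a package below a policy minimum) and the mapping from finding type to repair action are constructed assumptions.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

INTRANET = ipaddress.ip_network("10.0.0.0/8")   # assumption: the intranet address range
POLICY_MIN_VERSION = {"openssl": (1, 0, 2)}     # assumption: system-level policy minimum
FAILED_LOGIN_THRESHOLD = 3                      # assumption: failures from one source per user

# Constructed, syslog-like audit log of host 10.0.0.5; not real data.
AUDIT_LOG = """\
2019-04-29T02:13:01 10.0.0.5 sshd: Accepted password for root from 198.51.100.7 port 51022
2019-04-29T02:13:40 10.0.0.5 sshd: Failed password for admin from 198.51.100.7 port 51030
2019-04-29T02:13:42 10.0.0.5 sshd: Failed password for admin from 198.51.100.7 port 51031
2019-04-29T02:13:45 10.0.0.5 sshd: Failed password for admin from 198.51.100.7 port 51032
2019-04-29T09:00:00 10.0.0.5 config: sshd PermitRootLogin=yes
2019-04-29T09:00:00 10.0.0.5 config: vsftpd anonymous_enable=YES
2019-04-29T09:00:01 10.0.0.5 pkg: openssl version 1.0.1e
"""


@dataclass(frozen=True)
class Finding:
    host: str
    kind: str      # misconfiguration | abnormal_login | policy_violation
    detail: str


LOGIN_RE = re.compile(r"(\S+) (\S+) sshd: (Accepted|Failed) password for (\S+) from (\S+)")
CONFIG_RE = re.compile(r"(\S+) (\S+) config: (\S+) (\S+)=(\S+)")
PKG_RE = re.compile(r"(\S+) (\S+) pkg: (\S+) version (\S+)")
# Settings the (assumed) system-level security policy forbids.
BAD_SETTINGS = {("sshd", "PermitRootLogin", "yes"), ("vsftpd", "anonymous_enable", "YES")}


def audit(log_text: str) -> List[Finding]:
    """Security audit module: read the audit log and identify the three problem classes."""
    findings: List[Finding] = []
    failures: Dict[Tuple[str, str, str], int] = {}
    for line in log_text.splitlines():
        if m := LOGIN_RE.match(line):
            _, host, result, user, src = m.groups()
            if result == "Accepted" and user == "root" and ipaddress.ip_address(src) not in INTRANET:
                findings.append(Finding(host, "abnormal_login", f"root login from outside intranet: {src}"))
            elif result == "Failed":
                key = (host, user, src)
                failures[key] = failures.get(key, 0) + 1
                if failures[key] == FAILED_LOGIN_THRESHOLD:   # report once, at the threshold
                    findings.append(Finding(host, "abnormal_login",
                                            f"{failures[key]} failed logins for {user} from {src}"))
        elif m := CONFIG_RE.match(line):
            _, host, service, key, value = m.groups()
            if (service, key, value) in BAD_SETTINGS:
                findings.append(Finding(host, "misconfiguration", f"{service} {key}={value}"))
        elif m := PKG_RE.match(line):
            _, host, pkg, version = m.groups()
            numeric = tuple(int(x) for x in re.findall(r"\d+", version)[:3])
            if pkg in POLICY_MIN_VERSION and numeric < POLICY_MIN_VERSION[pkg]:
                findings.append(Finding(host, "policy_violation", f"{pkg} {version} below policy minimum"))
    return findings


def plan_repair(findings: List[Finding]) -> List[Tuple[str, str, str]]:
    """Network management module: automatic repair where it is safe, otherwise a cooperation
    notice to the intranet security officer (an abnormal login needs a human decision)."""
    actions = []
    for f in findings:
        if f.kind == "misconfiguration":
            actions.append((f.host, "policy_enforcement", f.detail))
        elif f.kind == "policy_violation":
            actions.append((f.host, "version_update", f.detail))
        else:
            actions.append((f.host, "cooperation_notice", f.detail))
    return actions


if __name__ == "__main__":
    for host, action, detail in plan_repair(audit(AUDIT_LOG)):
        print(host, action, detail)
```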
Example 2
On the basis of Embodiment 1, the intranet asset mark information further includes operation mark information. After receiving the operation mark, the intranet patrol server registers the asset information as the basis for intrusion detection, security audit and asset management in subsequent stages.
According to the attributes of the network devices, the intranet security officer can use the network asset library unit of the asset management module to divide IT assets and create different asset libraries. Through the network asset library unit, the officer can flexibly create intrusion detection tasks and security audit tasks. The network asset library unit also supports asset management functions such as adding and deleting assets, starts or customizes intrusion detection for discovered network devices, and lets the officer screen out network devices meeting given conditions through a keyword search and add them to a vulnerability scanning task.
Example 3
Referring to Fig. 3, a flowchart of the safe and controllable intranet patrol method provided by the invention, the intranet security patrol method comprises the following steps:
mark installation: installing an intranet asset mark on each network device in the intranet;
vulnerability scanning: judging whether the intranet asset mark contains login credential information; if so, performing vulnerability scanning on the network device; otherwise, performing no vulnerability scanning on the network device;
security audit: performing a security audit on the vulnerability-scanned device;
and security repair: performing security repair operations on the vulnerability-scanned device, where security repair comprises: policy enforcement, version updating, vulnerability fixing and patch updating.
The terms in this embodiment have the same meanings as in Embodiments 1 and 2 and are not described again here.
Example 4
Referring to Fig. 4, in this embodiment, on the basis of Embodiment 3, the intranet asset mark information further includes operation mark information. After receiving the operation mark, the intranet patrol server registers the asset information as the basis for intrusion detection, security audit and asset management in subsequent stages.
On the basis of Embodiment 3, the intranet patrol method of the present application additionally provides the following step after mark installation and before vulnerability scanning: asset registration: judging whether the intranet asset mark contains operation mark information; if so, registering the network device as a device to be vulnerability-scanned; if not, the intranet security patrol method ends.
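The method of Examples 3 and 4 as an added example, not the patent's own code: a mark envelope carrying an HMAC tag (the patent leaves the encryption mechanism open, so the HMAC, the key and the JSON field names are assumptions) is verified, the device is registered only if the operation mark is present, a scan job is authorized only if login credentials are present, and a requested address range is reduced to the authorized hosts so that a scan never reaches non-target hosts on the same LAN.

```python
import hashlib
import hmac
import ipaddress
import json
from typing import Dict, List, Optional

# Assumption: a secret shared by the installed marks and the patrol server.
SERVER_KEY = b"constructed-demo-key"


def make_mark(ip: str, operation_mark: bool, login_credential: Optional[dict] = None) -> dict:
    """What an installed intranet asset mark sends to the patrol server (constructed format)."""
    body = json.dumps({"ip": ip, "operation_mark": operation_mark,
                       "login_credential": login_credential}, sort_keys=True)
    tag = hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).hexdigest()
    return {"ip": ip, "mark": body, "tag": tag}


class PatrolServer:
    def __init__(self) -> None:
        self.registered: Dict[str, dict] = {}   # asset registry (Example 4 registration step)
        self.scan_jobs: List[dict] = []         # only credentialed, authorized scans land here
        self.log: List[str] = []

    def verify_mark(self, envelope: dict) -> Optional[dict]:
        """Asset authentication identification: a mark whose tag does not verify is not trusted."""
        expected = hmac.new(SERVER_KEY, envelope["mark"].encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, envelope["tag"]):
            self.log.append(f"{envelope['ip']}: mark rejected, bad tag")
            return None
        return json.loads(envelope["mark"])

    def handle_mark(self, envelope: dict) -> str:
        """Run one device through the method: verify, register, then decide on scanning."""
        mark = self.verify_mark(envelope)
        if mark is None:
            return "rejected"
        ip = mark["ip"]
        if not mark.get("operation_mark"):          # no operation mark: the method ends here
            self.log.append(f"{ip}: no operation mark, not registered")
            return "ended"
        self.registered[ip] = mark
        creds = mark.get("login_credential")
        if not creds:                               # no login credentials: no vulnerability scan
            self.log.append(f"{ip}: registered, scan not authorized")
            return "registered_no_scan"
        self.scan_jobs.append({"ip": ip, "user": creds["user"], "credentialed": True})
        return "scan_authorized"

    def plan_scan(self, requested: str) -> List[str]:
        """Boundary check: a requested range is reduced to hosts holding an authorized job."""
        authorized = {job["ip"] for job in self.scan_jobs}
        net = ipaddress.ip_network(requested, strict=False)
        return [str(h) for h in net.hosts() if str(h) in authorized]


if __name__ == "__main__":
    server = PatrolServer()
    print(server.handle_mark(make_mark("10.0.0.5", True, {"user": "audit", "secret": "demo"})))
    print(server.handle_mark(make_mark("10.0.0.6", True)))
    print(server.plan_scan("10.0.0.0/28"))
```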
The above description is only a preferred embodiment of the present invention, and it should be noted that, for those skilled in the art, various modifications and substitutions can be made without departing from the technical principle of the present invention, and these modifications and substitutions should also be regarded as the protection scope of the present invention.

Claims (10)

1. A safe and controllable intranet security patrol system, characterized by comprising: an asset management module, a vulnerability scanning module, a security audit module and a network management module;
the asset management module is used for receiving intranet asset mark information sent by the network devices in an intranet; the intranet asset mark information is used for asset authentication identification and asset management;
the vulnerability scanning module is used for judging whether the intranet asset mark of a network device in the intranet contains login credential information; if so, vulnerability scanning is performed on the network device; if not, the network device is not scanned for vulnerabilities; the asset management module remotely manages the network devices and security devices using the login credential information;
the security audit module is used for auditing the network devices and security devices and finding the devices that have security problems;
and the network management module is used for performing security repair on the problem devices.
2. The intranet security patrol system according to claim 1, wherein:
the asset management module is further used for configuring network asset library units with different attributes;
a network asset library unit is used for configuring the intrusion detection tasks and security audit tasks of the network devices in that network asset library.
3. The intranet security patrol system according to claim 2, wherein:
the intranet asset mark information further comprises operation mark information;
and the operation mark information is used for discovering the network devices and security devices in the intranet.
4. The intranet security patrol system according to claim 1, wherein:
the security problems include: misconfiguration, abnormal login and behaviour violating a security policy;
the security policies concerned are the system-level security policy of the network device and the system-level security policy of the security device.
5. The intranet security patrol system according to claim 1 or 4, wherein:
the security repair performed by the network management module on the problem devices comprises: policy enforcement, version updating, vulnerability fixing and patch updating.
6. The intranet security patrol system according to claim 1 or 4, wherein:
the network management module is further used for judging whether a security problem can be repaired automatically and safely; if so, it performs the automatic repair; if not, it sends a cooperation notice or a security warning to the intranet security officer.
7. A safe and controllable intranet security patrol method, characterized by comprising the following steps:
mark installation: installing an intranet asset mark on each network device in an intranet;
vulnerability scanning: judging whether the intranet asset mark contains login credential information; if so, performing vulnerability scanning on the network device; if not, performing no vulnerability scanning on the network device.
8. The intranet security patrol method according to claim 7, wherein after mark installation and before vulnerability scanning, the intranet security patrol method further comprises:
asset registration: judging whether the intranet asset mark contains operation mark information; if so, registering the network device as a device to be vulnerability-scanned; if not, the intranet security patrol method ends.
9. The intranet security patrol method according to claim 8, wherein after vulnerability scanning, the intranet security patrol method further comprises:
security audit: performing a security audit on the vulnerability-scanned device.
10. The intranet security patrol method according to claim 9, wherein after vulnerability scanning, the intranet security patrol method further comprises:
security repair: performing security repair operations on the vulnerability-scanned device, where security repair comprises: policy enforcement, version updating, vulnerability fixing and patch updating.

Priority Applications (1)

Application Number | Priority Date | Filing Date | Title | Status
CN201910357390.0A (CN110086812B) | 2019-04-29 | 2019-04-29 | Safe and controllable internal network safety patrol system and method | Active

Publications (2)

Publication Number | Publication Date
CN110086812A (en) | 2019-08-02
CN110086812B (en) | 2021-11-30

Family

Family ID: 67417763
Country: CN




Legal Events

Code | Title
PB01 | Publication
SE01 | Entry into force of request for substantive examination
GR01 | Patent grant