CN111131131A - Vulnerability scanning method and device, server and readable storage medium - Google Patents


Info

Publication number
CN111131131A
Authority
CN
China
Prior art keywords
target
vulnerability scanning
private address
address
scanning tool
Prior art date
Legal status
Granted
Application number
CN201811288071.0A
Other languages
Chinese (zh)
Other versions
CN111131131B (en)
Inventor
何亮忠
Current Assignee
China Mobile Communications Group Co Ltd
China Mobile Suzhou Software Technology Co Ltd
Original Assignee
China Mobile Communications Group Co Ltd
China Mobile Suzhou Software Technology Co Ltd

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/14: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1433: Vulnerability analysis


Abstract

The invention discloses a vulnerability scanning method, a vulnerability scanning device, a server and a readable storage medium, wherein the method comprises the following steps: determining a target private address to be scanned and determining a target subnet where the target private address is located; judging whether a target network interface positioned in the target subnet exists in the network interfaces of the vulnerability scanning tool in the server; if so, adopting the vulnerability scanning tool to carry out vulnerability scanning on the host corresponding to the target private address; and if not, adding a network interface positioned in the target subnet to the vulnerability scanning tool, and adopting the vulnerability scanning tool to carry out vulnerability scanning on the host corresponding to the target private address. When the vulnerability scanning tool has a network interface located in a subnet where the address to be scanned is located, the vulnerability scanning tool can access the host corresponding to the address to be scanned, so that private address scanning can be realized, and security vulnerability scanning service is provided for the private address in the cloud platform.

Description

Vulnerability scanning method and device, server and readable storage medium
Technical Field
The invention relates to the technical field of information security, in particular to a vulnerability scanning method, a vulnerability scanning device, a server and a readable storage medium.
Background
The cloud host integrates IT (Information Technology) infrastructure capabilities such as computing, storage and network resources, and can provide on-demand, pay-as-you-go server leasing services based on a cloud computing model. The client can deploy the required server environment through the self-service platform of the web interface. The IP address of the cloud host is configured dynamically, typically through DHCP (Dynamic Host Configuration Protocol); the address stays bound to the host and does not change during its whole life cycle. For the cloud host itself, whether as a provider or a requester of a service, having an IP address is a mandatory requirement. If the address is unavailable or unusable, problems such as service interruption follow.
A vulnerability is a defect in an application on a computer, including a cloud host, which can be exploited by others to obtain information from or even take control of the computer. A cloud host can therefore be security-monitored through vulnerability scanning, which uses the security check code in a vulnerability scanner to monitor for vulnerabilities remotely and discover problems on the host in time.
The existing vulnerability scanning method can only scan public network addresses, that is, floating IPs: in other words, it can only scan addresses through which the target host can be reached. In practice, however, for cloud hosts providing key services, not every host has a public network address; most hosts only have a virtual network address, generally called a private address, and cloud hosts that only have a private address use an SDN (Software Defined Network) to manage VPCs (Virtual Private Clouds) and so implement the virtual private cloud.
Disclosure of Invention
The invention provides a vulnerability scanning method, a vulnerability scanning device, a server and a readable storage medium, which are used for solving the problem that security vulnerability scanning cannot be carried out on a host only with a private address in the prior art.
The invention provides a vulnerability scanning method, which is applied to a server and comprises the following steps:
determining a target private address to be scanned and determining a target subnet where the target private address is located;
judging whether a target network interface positioned in the target subnet exists in the network interfaces of the vulnerability scanning tool in the server;
if so, adopting the vulnerability scanning tool to carry out vulnerability scanning on the host corresponding to the target private address;
and if not, adding a network interface positioned in the target subnet to the vulnerability scanning tool, and adopting the vulnerability scanning tool to carry out vulnerability scanning on the host corresponding to the target private address.
Further, the vulnerability scanning tool is deployed in the server in the form of a virtual secure image, and is assigned with its corresponding private address.
Further, the determining the target private address to be scanned includes:
judging whether the received target address to be scanned is a private address or a public network address;
if the target address is a private address, determining the private address as a target private address to be scanned;
and if the target address is a public network address, searching a private address corresponding to the public network address, and determining the searched private address as the target private address to be scanned.
Further, before determining the target subnet where the target private address is located, the method further includes:
judging whether a vulnerability scanning tool in the server is started or not;
if yes, carrying out the subsequent steps;
if not, starting the vulnerability scanning tool and carrying out the subsequent steps.
Further, after the network interface located in the target subnet is added to the vulnerability scanning tool, before vulnerability scanning is performed on the host corresponding to the target private address by using the vulnerability scanning tool, the method further includes:
and restarting the vulnerability scanning tool.
Further, before the vulnerability scanning is performed on the host corresponding to the target private address by using the vulnerability scanning tool, the method further includes:
judging whether the private address corresponding to the vulnerability scanning tool is located in a target security group where the target private address is located;
if yes, carrying out the subsequent steps;
and if not, removing the limitation of the target security group, accessing the vulnerability scanning tool in the target security group, and performing subsequent steps.
The invention provides a vulnerability scanning device, which is applied to a server, and the device comprises a determining module, a first judgment module and a scanning module, wherein:
the determining module is used for determining a target private address to be scanned and determining a target subnet where the target private address is located;
the first judgment module is used for judging whether a target network interface positioned in the target subnet exists in the network interfaces of the vulnerability scanning tool in the server;
the scanning module is used for adopting the vulnerability scanning tool to carry out vulnerability scanning on the host corresponding to the target private address when the judgment result of the first judgment module is yes; and when the judgment result of the first judgment module is negative, adding a network interface positioned in the target subnet to the vulnerability scanning tool, and adopting the vulnerability scanning tool to carry out vulnerability scanning on the host corresponding to the target private address.
Further, the vulnerability scanning tool is deployed in the server in the form of a virtual secure image, and is assigned with its corresponding private address.
Further, the determining module is specifically configured to determine whether the received target address to be scanned is a private address or a public network address; if the target address is a private address, determining the private address as a target private address to be scanned; if the target address is a public network address, searching a private address corresponding to the public network address, and determining the searched private address as a target private address to be scanned.
Further, the apparatus further comprises:
the second judgment module is used for judging whether the vulnerability scanning tool in the server is started or not; if yes, triggering the determining module; if not, starting the vulnerability scanning tool and triggering the determining module.
Further, the scanning module is further configured to restart the vulnerability scanning tool after a network interface located in the target subnet is added to the vulnerability scanning tool.
Further, the apparatus further comprises:
the third judging module is used for judging whether the private address corresponding to the vulnerability scanning tool is located in the target security group where the target private address is located; if yes, triggering the scanning module; if not, the limitation of the target security group is removed, the vulnerability scanning tool is accessed into the target security group, and the scanning module is triggered.
The invention provides a server, which comprises a memory and a processor;
the processor is used for reading the program in the memory and executing the steps of any one of the methods.
The present invention provides a computer readable storage medium storing a computer program executable by a server, the program, when run on the server, causing the server to perform the steps of any of the methods described above.
The invention provides a vulnerability scanning method, a vulnerability scanning device, a server and a readable storage medium, wherein the method comprises the following steps: determining a target private address to be scanned and determining a target subnet where the target private address is located; judging whether a target network interface positioned in the target subnet exists in the network interfaces of the vulnerability scanning tool in the server; if so, adopting the vulnerability scanning tool to carry out vulnerability scanning on the host corresponding to the target private address; and if not, adding a network interface positioned in the target subnet to the vulnerability scanning tool, and adopting the vulnerability scanning tool to carry out vulnerability scanning on the host corresponding to the target private address. When the vulnerability scanning tool has a network interface in the subnet where the address to be scanned is located, it is connected to the host corresponding to that address and can access it, so private address scanning can be realized and a security vulnerability scanning service is provided for private addresses in the cloud platform.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, it is obvious that the drawings in the following description are only some embodiments of the present invention, and for those skilled in the art, other drawings can be obtained according to the drawings without creative efforts.
Fig. 1 is a schematic diagram of a vulnerability scanning process provided in embodiment 1 of the present invention;
Fig. 2 is a schematic view of a vulnerability scanning process provided in embodiment 6 of the present invention;
Fig. 3 is a schematic structural diagram of a server according to embodiment 7 of the present invention;
Fig. 4 is a schematic structural diagram of a server according to embodiment 8 of the present invention;
Fig. 5 is a schematic diagram of a vulnerability scanning apparatus according to an embodiment of the present invention.
Detailed Description
In order to implement security vulnerability scanning of a host only having a private address, embodiments of the present invention provide a vulnerability scanning method, apparatus, server and readable storage medium.
In order to make the objects, technical solutions and advantages of the present invention clearer, the present invention will be described in further detail with reference to the accompanying drawings, and it is apparent that the described embodiments are only a part of the embodiments of the present invention, not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
Example 1:
Fig. 1 is a schematic diagram of a vulnerability scanning process provided in an embodiment of the present invention, where the process includes the following steps:
S101: determining a target private address to be scanned and determining a target subnet where the target private address is located.
The vulnerability scanning method provided by the embodiment of the invention is applied to a server. Specifically, a security application for vulnerability scanning can be installed in the server; the security application is the software program that executes the vulnerability scanning process, and a vulnerability scanning tool is deployed in the server so as to scan the host corresponding to the target address to be scanned for vulnerabilities.
Generally, a cloud service provider offers a self-service interface to users, through which a cloud tenant can turn various functions on and off according to its own requirements; the vulnerability scanning function can likewise be configured and completed by the cloud tenant, that is, the cloud tenant can issue a security vulnerability scanning task to the server through the self-service interface. When issuing the task, the cloud tenant inputs a target address to be scanned, which may be either a private address or a public network address.
The server can determine a target private address to be scanned according to a target address input by the cloud tenant, and determine a target subnet where the target private address is located according to the determined target private address.
Because the server manages the cloud host on the cloud platform where the server is located, the server can determine the subnet where the private address is located according to the determined private address. Specifically, the process of determining the subnet where the private address is located belongs to the prior art, and is not described in detail in the embodiment of the present invention.
The cloud platform where the server is located can be an OpenStack platform, and the cloud hosts on the cloud platform can be located in a virtual private cloud (VPC) network managed by an SDN core switch.
The vulnerability scanning tool deployed in the server is a virtual security vulnerability scanner; it can scan public network addresses and private addresses alike, and fills the service gap left by the existing vulnerability scanning method, which cannot scan private addresses.
S102: judging whether a target network interface positioned in the target subnet exists in the network interfaces of the vulnerability scanning tool in the server; if yes, S103 is carried out; if not, proceed to S104.
A vulnerability scanning tool is deployed in the server and has one or more network interfaces of its own; these network interfaces are hardware or software interfaces allocated by the SDN core switch so that the vulnerability scanning tool and the cloud hosts can communicate with each other in the virtual environment of the cloud platform.
The server can judge whether a given network interface is located in a given subnet, and therefore whether a target network interface located in the target subnet exists among the network interfaces of the vulnerability scanning tool. Specifically, the server may determine whether a network interface is located in a subnet by detecting whether that interface can communicate with an address or a host in the subnet, and the server may keep a list of the network interfaces located in each subnet.
And after judging whether a target network interface positioned in the target subnet exists in the network interfaces of the vulnerability scanning tool, the server executes different operations according to different judgment results.
S103: and adopting the vulnerability scanning tool to carry out vulnerability scanning on the host corresponding to the target private address.
If the server determines that a target network interface located in the target subnet exists among the network interfaces of the vulnerability scanning tool, the vulnerability scanning tool can be regarded as connected to the target subnet, that is, placed in the VPC network; it can then access the host corresponding to the target private address to be scanned, connectivity with that host is established, and vulnerability scanning of the host corresponding to the target private address is achieved.
The process of using a vulnerability scanning tool to scan vulnerabilities of a host belongs to the prior art, and is not described in detail in the embodiment of the present invention.
S104: and adding a network interface positioned in the target subnet for the vulnerability scanning tool, and adopting the vulnerability scanning tool to carry out vulnerability scanning on the host corresponding to the target private address.
If the server determines that no target network interface located in the target subnet exists among the network interfaces of the vulnerability scanning tool, the vulnerability scanning tool is not connected to the target subnet, that is, it is not placed in the VPC network, so it cannot access the host corresponding to the target private address to be scanned and connectivity with that host cannot be established. In order to scan that host for vulnerabilities, the server may add a network interface located in the target subnet to the vulnerability scanning tool, so that once the network interface has been added, the vulnerability scanning tool is connected to the host corresponding to the private address to be scanned.
Specifically, when the server adds a network interface located in the target subnet to the vulnerability scanning tool, the network interface may be allocated to the vulnerability scanning tool through the SDN core switch of the OpenStack platform, and the SDN core switch may call the OpenStack Neutron interface to add a network interface located in the target subnet to the vulnerability scanning tool.
After vulnerability scanning of the host is finished, the vulnerability scanning tool can upload a scanning report to the security application in the server, and the cloud tenant can check the scanning result through a client corresponding to the security application. To let the cloud tenant review the result more intuitively, the security application can generate a corresponding scanning report form from the scanning result, in which case the scanning result checked by the cloud tenant is that report form.
In the embodiment of the invention, when the vulnerability scanning tool has a network interface located in the subnet where the address to be scanned is located, it is connected to the host corresponding to the address to be scanned and can access it, so private address scanning can be realized and a security vulnerability scanning service is provided for private addresses in the cloud platform. For tenants, only the security scanning task needs to be set up and issued; no additional related settings are required, so security vulnerability scanning and monitoring of the virtual host can be realized, and the situation in which hosts having only private addresses cannot be monitored for security vulnerabilities is avoided.
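The decision logic of S101 to S104, written out as an added Python example; it is not part of the patent and calls no OpenStack API. The subnet inventory, the scanner's interface table and every address in it are constructed for the illustration, and the platform operations the patent delegates to the SDN core switch (adding the Neutron interface, restarting the tool) are represented by the action strings the planner returns, so the sequencing can be checked offline.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed inventory for the example: the subnets the server manages in the
# tenant VPC (ids and CIDRs are made up, not taken from the patent).
SUBNETS = {
    "subnet-web": ipaddress.ip_network("10.0.1.0/24"),
    "subnet-db": ipaddress.ip_network("10.0.2.0/24"),
    "subnet-mgmt": ipaddress.ip_network("10.0.100.0/24"),
}


@dataclass
class Scanner:
    """The vulnerability scanning tool: one interface address per subnet it sits in."""
    interfaces: dict = field(default_factory=dict)  # subnet id -> interface address


def find_target_subnet(private_addr: str) -> str:
    """S101: return the id of the subnet that contains private_addr."""
    ip = ipaddress.ip_address(private_addr)
    for subnet_id, net in SUBNETS.items():
        if ip in net:
            return subnet_id
    raise ValueError(f"{private_addr} is not in any managed subnet")


def has_interface_in(scanner: Scanner, subnet_id: str) -> bool:
    """S102: does the scanner already have a network interface in this subnet?"""
    return subnet_id in scanner.interfaces


def next_free_address(subnet_id: str, used: set) -> str:
    """Pick an unused host address in the subnet for a new scanner interface."""
    for host in SUBNETS[subnet_id].hosts():
        if str(host) not in used:
            return str(host)
    raise RuntimeError(f"no free address left in {subnet_id}")


def plan_scan(scanner: Scanner, private_addr: str, used_addresses: set) -> list:
    """S102 to S104: decide whether an interface must be added before scanning.

    Returns the ordered list of actions the server would carry out. The
    scanner object is updated as if the interface had actually been added,
    so a second task in the same subnet reuses the interface.
    """
    subnet_id = find_target_subnet(private_addr)
    actions = []
    if not has_interface_in(scanner, subnet_id):
        # S104: attach a new interface in the target subnet, then restart the
        # tool so it picks up the new interface configuration.
        already_taken = used_addresses | set(scanner.interfaces.values())
        addr = next_free_address(subnet_id, already_taken)
        scanner.interfaces[subnet_id] = addr
        actions.append(f"add_interface {subnet_id} {addr}")
        actions.append("restart_scanner")
    # S103 (or the tail of S104): scan through the interface in the target subnet.
    actions.append(f"scan {private_addr} via {scanner.interfaces[subnet_id]}")
    return actions


if __name__ == "__main__":
    scanner = Scanner(interfaces={"subnet-web": "10.0.1.5"})
    # Target in a subnet the scanner is already attached to: scan directly.
    print(plan_scan(scanner, "10.0.1.20", {"10.0.1.1"}))
    # Target in a subnet without a scanner interface: add one, restart, scan.
    print(plan_scan(scanner, "10.0.2.15", {"10.0.2.1", "10.0.2.15"}))
```

The `used_addresses` set stands in for the subnet's allocation table (gateway, DHCP-assigned hosts); a real implementation would let Neutron choose the port address rather than picking one locally, but returning the planned actions as data keeps the S102 branch auditable before anything is changed on the platform.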
Example 2:
In order for a cloud tenant to issue a security scanning task to the vulnerability scanning tool, on the basis of the above embodiment, in the embodiment of the present invention the vulnerability scanning tool is deployed in the server in the form of a virtual security image, and a corresponding private address is allocated to the vulnerability scanning tool.
After the private address corresponding to the vulnerability scanning tool has been allocated to it, the scanner can communicate with the security application in the server through a routing policy, and can then receive the security scanning task issued by the cloud tenant.
The vulnerability scanning tool is deployed in the server in the form of a virtual security image so that it can be started on demand by a cloud tenant. For example, the vulnerability scanning tool can be built as a Kernel-based Virtual Machine (KVM) image and deployed on the OpenStack platform where the server is located, and a corresponding private address is allocated to the vulnerability scanning tool by the OpenStack platform.
According to the embodiment of the invention, the corresponding private address is distributed to the vulnerability scanning tool, so that the vulnerability scanning tool can receive the issued security scanning task, and vulnerability scanning is realized.
Example 3:
On the basis of the foregoing embodiments, in the embodiments of the present invention, the determining a target private address to be scanned includes:
judging whether the received target address to be scanned is a private address or a public network address;
if the target address is a private address, determining the private address as a target private address to be scanned;
and if the target address is a public network address, searching a private address corresponding to the public network address, and determining the searched private address as the target private address to be scanned.
The vulnerability scanning tool in the embodiment of the invention has the vulnerability scanning capability of the host corresponding to the private address and the vulnerability scanning capability of the host corresponding to the public network address, and the process of carrying out vulnerability scanning on the host corresponding to the public network address belongs to the prior art.
After receiving a target address to be scanned, which is input by a cloud tenant, the server can judge whether the target address is a private address or a public network address, and determine different target private addresses according to different judgment results. The process of determining whether a certain address is a private address or a public network address belongs to the prior art, and is not described in detail in the embodiments of the present invention.
If the server determines that the target address is a private address, the server may determine that the private address is a target private address to be scanned, and perform a subsequent vulnerability scanning process.
If the server determines that the target address is a public network address, the server can search for the private address corresponding to the public network address, determine the private address found for the public network address as the target private address to be scanned, and perform the subsequent vulnerability scanning process.
Specifically, when the server searches for the private address corresponding to the public network address, the server may search for the private address corresponding to the public network address through the OpenStack interface. The finding of the private address corresponding to the public network address through the OpenStack interface belongs to the prior art, and is not described in detail in the embodiment of the present invention.
In the embodiment of the invention, whatever form the target address takes, vulnerability scanning is always performed on the host corresponding to the private address derived from the target address, so the vulnerability scanning process is more uniform, the adaptability of the vulnerability scanning tool to different requirements is improved, and the flexibility of vulnerability scanning is improved.
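The address classification of Example 3 as an added Python example, not part of the patent: the private/public decision uses the RFC 1918 ranges, and the OpenStack floating-IP lookup the patent relies on is replaced by a constructed table mapping public (floating) addresses to fixed private addresses. It also handles what the patent leaves implicit, namely malformed input, non-host addresses such as loopback, and a public address that has no associated private address, by reporting an error for that address rather than scanning something unintended.

```python
import ipaddress

# RFC 1918 private ranges. Anything outside them is treated as a public network
# address here; loopback, link-local and multicast are rejected as scan targets.
RFC1918 = [ipaddress.ip_network(c) for c in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed floating-IP table standing in for the OpenStack lookup:
# public (floating) address -> fixed private address of the cloud host.
FLOATING_IPS = {
    "203.0.113.10": "10.0.1.20",
    "203.0.113.11": "10.0.2.15",
}


def is_private_address(addr: str) -> bool:
    """True if addr falls in one of the RFC 1918 ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


def resolve_target_private_address(addr: str, floating_table: dict = FLOATING_IPS) -> str:
    """Example 3: map a tenant-supplied target address to the private address to scan."""
    ip = ipaddress.ip_address(addr.strip())  # ValueError on malformed input
    if ip.version != 4:
        raise ValueError(f"only IPv4 targets are handled in this example: {addr}")
    if ip.is_loopback or ip.is_link_local or ip.is_multicast:
        raise ValueError(f"{addr} is not a scannable host address")
    if is_private_address(str(ip)):
        return str(ip)  # already a private address: scan it directly
    private = floating_table.get(str(ip))
    if private is None:
        raise LookupError(f"no private address is associated with public address {addr}")
    return private


def resolve_task_targets(addrs: list) -> dict:
    """Resolve every address in a scan task; record errors per address instead of aborting."""
    result = {}
    for a in addrs:
        try:
            result[a] = resolve_target_private_address(a)
        except (ValueError, LookupError) as e:
            result[a] = f"error: {e}"
    return result


if __name__ == "__main__":
    for addr, outcome in resolve_task_targets(
        ["10.0.1.20", "203.0.113.10", "203.0.113.99", "127.0.0.1", "nope"]
    ).items():
        print(f"{addr:>14} -> {outcome}")
```

Keeping the per-address errors in the result lets the security application show the tenant exactly which entries of a task could not be mapped, instead of silently dropping them from the report.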
Example 4:
To implement vulnerability scanning, on the basis of the foregoing embodiments, in an embodiment of the present invention, before determining a target subnet where the target private address is located, the method further includes:
judging whether a vulnerability scanning tool in the server is started or not;
if yes, carrying out the subsequent steps;
if not, starting the vulnerability scanning tool and carrying out the subsequent steps.
The vulnerability scanning tool can execute the vulnerability scanning process after being started, so that the server can judge whether the vulnerability scanning tool is started or not before determining the target subnet where the target private address is located.
Specifically, the point at which the server determines whether the vulnerability scanning tool has been started may be after the target private address to be scanned is determined and before the target subnet where the target private address is located is determined, or it may be before the target private address to be scanned is determined.
If the vulnerability scanning tool is deployed in the server as a KVM image, the KVM image may be understood as an instance of the vulnerability scanning tool; in that case, when the server determines whether the vulnerability scanning tool is started, it determines whether the instance of the vulnerability scanning tool is started.
If the server determines that the vulnerability scanning tool is started, the server considers that the started vulnerability scanning tool can execute the vulnerability scanning process, so that the subsequent step of determining the target subnet where the target private address is located can be continued.
If the server determines that the vulnerability scanning tool is not started, the server considers that the vulnerability scanning tool which is not started at present cannot execute the vulnerability scanning process, and the server needs to start the vulnerability scanning tool to ensure that the started vulnerability scanning tool can execute the vulnerability scanning process.
Specifically, when the server starts the vulnerability scanning tool, the vulnerability scanning tool instance may be started through an openstack nova boot interface, and the process of starting the vulnerability scanning tool instance through the openstack nova boot interface belongs to the prior art and is not described in detail in the embodiment of the present invention.
According to the embodiment of the invention, after the vulnerability scanning tool is ensured to be started, the subsequent process of determining the target subnet where the target private address is located is carried out, so that the execution of the subsequent vulnerability scanning is ensured.
Example 5:
On the basis of the foregoing embodiments, in an embodiment of the present invention, after adding the network interface located in the target subnet to the vulnerability scanning tool, before performing vulnerability scanning on the host corresponding to the target private address by using the vulnerability scanning tool, the method further includes:
and restarting the vulnerability scanning tool.
After a network interface is added to the vulnerability scanning tool, the vulnerability scanning tool is generally restarted to update the interface configuration of the vulnerability scanning tool, so that the vulnerability scanning tool is communicated with a host corresponding to a target private address through the added network interface.
The process of restarting the vulnerability scanning tool by the server may be the same as the process of restarting other tools or programs in the server, and is not described in detail in the embodiment of the present invention.
Example 6:
On the basis of the foregoing embodiments, in an embodiment of the present invention, before performing vulnerability scanning on the host corresponding to the target private address by using the vulnerability scanning tool, the method further includes:
judging whether the private address corresponding to the vulnerability scanning tool is located in a target security group where the target private address is located;
if yes, carrying out the subsequent steps;
and if not, removing the limitation of the target security group, accessing the vulnerability scanning tool in the target security group, and performing subsequent steps.
To protect a network, a host typically joins a security group that functions as a firewall. Because of the isolation imposed by the security group, devices outside it may be unable to communicate with hosts inside it; therefore, for vulnerability scanning to work, the private address of the vulnerability scanning tool must be in the same security group as the target private address.
Accordingly, before the vulnerability scanning tool is used to scan the host corresponding to the target private address, the server judges whether the private address corresponding to the vulnerability scanning tool is located in the target security group where the target private address is located.
If the server determines that the private address corresponding to the vulnerability scanning tool is located in the security group where the target private address is located, it considers that the target security group will not restrict the vulnerability scanning tool when it scans the host corresponding to the target private address, so the subsequent vulnerability scanning of that host with the vulnerability scanning tool can proceed directly.
If the server determines that the private address corresponding to the vulnerability scanning tool is not located in the security group where the target private address is located, it considers that the target security group may restrict the vulnerability scanning tool when it scans the host corresponding to the target private address; it therefore removes the limitation of the target security group, adds the vulnerability scanning tool to the target security group, and then proceeds with the subsequent vulnerability scanning of the host corresponding to the target private address with the vulnerability scanning tool.
The foregoing embodiments are described below with a specific embodiment. As shown in fig. 2, a server is installed with a security application that executes the vulnerability scanning process, and the server employs an OpenStack platform in which a virtual vulnerability scanning tool instance is deployed.
After receiving a security scanning task newly created by a cloud tenant, the security application judges, from the target address to be scanned that the cloud tenant entered when issuing the task, whether the target address is a public network address. If it is a public network address, the private address corresponding to that public network address is looked up and the private address found is taken as the target private address to be scanned; if it is a private address, that private address is taken as the target private address to be scanned.
After the target private address is determined, the application judges whether a vulnerability scanning tool is deployed in the OpenStack platform; if not, a vulnerability scanning tool instance is newly created, and if so, no new instance needs to be created.
Once the vulnerability scanning tool is determined to be deployed in the OpenStack platform, the target subnet where the target private address to be scanned is located is determined, and the application judges whether the vulnerability scanning tool is connected to the target subnet, that is, whether a target network interface located in the target subnet exists among the network interfaces of the vulnerability scanning tool. If so, the limitation of the target security group where the target private address is located is updated; if not, a network interface located in the target subnet is added to the vulnerability scanning tool, the vulnerability scanning tool is restarted, and then the limitation of the target security group where the target private address is located is updated. In this flow the step of judging whether the vulnerability scanning tool is located in the security group of the target private address may be omitted: the limitation of the target security group is removed and updated before every vulnerability scan.
After the limitation of the target security group where the target private address is located has been updated, the vulnerability scanning tool is used to perform vulnerability scanning on the host corresponding to the target private address, and the scan is determined to be complete.
In this embodiment of the invention, when the private address of the vulnerability scanning tool and the target private address are in the same security group, the security group no longer blocks the vulnerability scanning tool, and vulnerability scanning can be carried out.
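The decision flow of the specific embodiment above (address resolution, subnet check, interface addition and restart, security-group check), written out as an added example; this is not the patent's own code. The data model (Cloud, Scanner, Port), the floating-IP table, the action names and the sample tenant are assumptions constructed for the example.

```python
"""Planner for the scan-preparation steps of the fig. 2 flow (added example).

Assumed OpenStack-like model: subnets identified by CIDR, a floating-IP table
(public -> fixed private address), scanner ports (one per subnet, each with its
security groups) and the security groups of each host. plan_scan() returns the
target private address and the ordered actions the server would perform.
"""
from dataclasses import dataclass
import ipaddress

# RFC 1918 ranges. ipaddress.ip_address().is_private is deliberately not used:
# it also flags documentation ranges such as 203.0.113.0/24 as private.
RFC1918 = [ipaddress.ip_network(c) for c in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass
class Port:
    subnet: str                 # CIDR of the subnet this network interface is attached to
    address: str                # fixed private address assigned to the interface
    security_groups: frozenset  # security groups attached to the interface


@dataclass
class Scanner:
    running: bool
    ports: list                 # list[Port]


@dataclass
class Cloud:
    subnets: list               # CIDRs of the tenant's subnets (assumed non-overlapping)
    floating_ips: dict          # public address -> fixed private address
    host_security_groups: dict  # fixed private address -> frozenset of SG names


def is_private(addr):
    ip = ipaddress.ip_address(addr)
    return isinstance(ip, ipaddress.IPv4Address) and any(ip in net for net in RFC1918)


def resolve_target(addr, cloud):
    """Step 1: map the tenant-supplied target to the private address to scan."""
    ip = str(ipaddress.ip_address(addr))  # normalises and rejects malformed input
    if is_private(ip):
        return ip
    fixed = cloud.floating_ips.get(ip)
    if fixed is None:
        raise LookupError(f"no private address mapped to public address {ip}")
    return fixed


def find_subnet(private_addr, cloud):
    """Step 2: the target subnet is the tenant subnet whose CIDR contains the address."""
    ip = ipaddress.ip_address(private_addr)
    for cidr in cloud.subnets:
        if ip in ipaddress.ip_network(cidr):
            return cidr
    raise LookupError(f"{private_addr} is not in any known subnet")


def plan_scan(target, cloud, scanner):
    actions = []
    target_private = resolve_target(target, cloud)
    if not scanner.running:                      # Example 4: the scanner must be up first
        actions.append("start_scanner")
    subnet = find_subnet(target_private, cloud)
    port = next((p for p in scanner.ports if p.subnet == subnet), None)
    if port is None:                             # no interface in the target subnet yet
        actions += [f"add_interface:{subnet}", "restart_scanner"]  # Example 5
        scanner_sgs = frozenset()                # a freshly added interface carries no SGs
    else:
        scanner_sgs = port.security_groups
    target_sgs = cloud.host_security_groups.get(target_private, frozenset())
    if target_sgs and not (scanner_sgs & target_sgs):  # Example 6: not in a common group
        actions.append("join_security_group:" + ",".join(sorted(target_sgs)))
    actions.append(f"scan:{target_private}")
    return target_private, actions


# Constructed sample tenant: two subnets, one floating IP, one existing scanner interface.
# 203.0.113.10 (documentation range) stands in for a real public address.
SAMPLE_CLOUD = Cloud(
    subnets=["10.0.1.0/24", "10.0.2.0/24"],
    floating_ips={"203.0.113.10": "10.0.2.15"},
    host_security_groups={"10.0.1.7": frozenset({"default"}), "10.0.2.15": frozenset({"web-sg"})},
)
SAMPLE_SCANNER = Scanner(running=True, ports=[Port("10.0.1.0/24", "10.0.1.200", frozenset({"default"}))])

if __name__ == "__main__":
    for target in ("10.0.1.7", "203.0.113.10"):
        print(target, "->", plan_scan(target, SAMPLE_CLOUD, SAMPLE_SCANNER))
```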
Example 7:
On the basis of the foregoing embodiments, an embodiment of the present invention further provides a server 300, as shown in fig. 3, including a processor 301 and a memory 302;
the processor 301 is configured to read and execute the program in the memory 302, and to perform the following processes:
determining a target private address to be scanned and determining a target subnet where the target private address is located;
judging whether a target network interface positioned in the target subnet exists in the network interfaces of the vulnerability scanning tool in the server;
if so, adopting the vulnerability scanning tool to carry out vulnerability scanning on the host corresponding to the target private address;
and if not, adding a network interface positioned in the target subnet to the vulnerability scanning tool, and adopting the vulnerability scanning tool to carry out vulnerability scanning on the host corresponding to the target private address.
Based on the same inventive concept, the embodiment of the invention also provides a server. Since the principle by which the server solves the problem is similar to that of the vulnerability scanning method described above, the implementation of the server can refer to the implementation of the method, and repeated parts are not described again.
In fig. 3, the bus architecture may include any number of interconnected buses and bridges, with one or more processors represented by processor 301 and various circuits of memory represented by memory 302 being linked together. The bus architecture may also link together various other circuits such as peripherals, voltage regulators, power management circuits, and the like, which are well known in the art, and therefore, will not be described any further herein. The transceiver 303 may be a number of elements including a transmitter and a receiver providing a means for communicating with various other apparatus over a transmission medium. The processor 301 is responsible for managing the bus architecture and general processing, and the memory 302 may store data used by the processor 301 in performing operations.
Optionally, the processor 301 may be a CPU (Central Processing Unit), an ASIC (Application Specific Integrated Circuit), an FPGA (Field Programmable Gate Array) or a CPLD (Complex Programmable Logic Device).
The vulnerability scanning tool is deployed in the server in the form of a virtual secure image, and is assigned its corresponding private address.
The processor 301 is specifically configured to determine whether the received target address to be scanned is a private address or a public network address; if the target address is a private address, determining the private address as a target private address to be scanned; and if the target address is a public network address, searching a private address corresponding to the public network address, and determining the searched private address as the target private address to be scanned.
The processor 301 is further configured to determine whether a vulnerability scanning tool in the server is started; if yes, determining a target subnet where the target private address is located; if not, starting the vulnerability scanning tool and determining the target subnet where the target private address is located.
The processor 301 is further configured to restart the vulnerability scanning tool after a network interface located in the target subnet is added to the vulnerability scanning tool.
The processor 301 is further configured to determine whether a private address corresponding to the vulnerability scanning tool is located in a target security group where the target private address is located; if so, adopting the vulnerability scanning tool to carry out vulnerability scanning on the host corresponding to the target private address; if not, the limitation of the target security group is removed, the vulnerability scanning tool is accessed into the target security group, and the vulnerability scanning tool is adopted to carry out vulnerability scanning on the host corresponding to the target private address.
In the embodiment of the invention, when the vulnerability scanning tool has a network interface located in a subnet where the address to be scanned is located, the vulnerability scanning tool is communicated with the host corresponding to the address to be scanned, and the vulnerability scanning tool can access the host corresponding to the address to be scanned, so that private address scanning can be realized, and security vulnerability scanning service is provided for the private address in the cloud platform.
Example 8:
On the basis of the foregoing embodiments, an embodiment of the present invention further provides a server 400, as shown in fig. 4, including a processor 401, a communication interface 402, a memory 403 and a communication bus 404, wherein the processor 401, the communication interface 402 and the memory 403 communicate with one another through the communication bus 404;
the memory 403 stores a computer program which, when executed by the processor 401, causes the processor 401 to perform the steps of:
determining a target private address to be scanned and determining a target subnet where the target private address is located;
judging whether a target network interface positioned in the target subnet exists in the network interfaces of the vulnerability scanning tool in the server;
if so, adopting the vulnerability scanning tool to carry out vulnerability scanning on the host corresponding to the target private address;
and if not, adding a network interface positioned in the target subnet to the vulnerability scanning tool, and adopting the vulnerability scanning tool to carry out vulnerability scanning on the host corresponding to the target private address.
The vulnerability scanning method provided by the embodiment of the invention is applied to the server.
The communication bus mentioned in the above server may be a Peripheral Component Interconnect (PCI) bus, an Extended Industry Standard Architecture (EISA) bus, or the like. The communication bus may be divided into an address bus, a data bus, a control bus, etc. For ease of illustration, only one thick line is shown, but this does not mean that there is only one bus or one type of bus.
The communication interface 402 is used for communication between the above-described server and other devices.
The memory may include a Random Access Memory (RAM) or a Non-Volatile Memory (NVM), such as at least one disk memory. Optionally, the memory may be at least one storage device located remotely from the processor.
The processor may be a general-purpose processor, including a Central Processing Unit (CPU), a Network Processor (NP) and the like; it may also be a Digital Signal Processor (DSP), an application specific integrated circuit, a field programmable gate array or other programmable logic device, discrete gate or transistor logic, discrete hardware components, or the like.
In the embodiment of the invention, when the processor executes the program stored in the memory and the vulnerability scanning tool has the network interface located in the subnet where the address to be scanned is located, the vulnerability scanning tool is communicated with the host corresponding to the address to be scanned, and the vulnerability scanning tool can access the host corresponding to the address to be scanned, so that private address scanning can be realized, and the security vulnerability scanning service is provided for the private address in the cloud platform.
Example 9:
On the basis of the foregoing embodiments, an embodiment of the present invention further provides a computer-readable storage medium storing a computer program executable by a server; when the program runs on the server, it causes the server to execute the following steps:
determining a target private address to be scanned and determining a target subnet where the target private address is located;
judging whether a target network interface positioned in the target subnet exists in the network interfaces of the vulnerability scanning tool in the server;
if so, adopting the vulnerability scanning tool to carry out vulnerability scanning on the host corresponding to the target private address;
and if not, adding a network interface positioned in the target subnet to the vulnerability scanning tool, and adopting the vulnerability scanning tool to carry out vulnerability scanning on the host corresponding to the target private address.
The computer readable storage medium may be any available medium or data storage device that can be accessed by a processor in a server, including but not limited to magnetic memory such as a floppy disk, a hard disk, magnetic tape, a magneto-optical disk (MO), etc., optical memory such as a CD, DVD, BD, HVD, etc., and semiconductor memory such as a ROM, EPROM, EEPROM, nonvolatile memory (NANDFLASH), a Solid State Disk (SSD), etc.
The computer readable storage medium provided in the embodiment of the present invention stores a computer program, and when the computer program is executed by a processor, when a vulnerability scanning tool has a network interface located in a subnet where an address to be scanned is located, the vulnerability scanning tool is communicated with a host corresponding to the address to be scanned, and the vulnerability scanning tool can access the host corresponding to the address to be scanned, so as to scan a private address, and provide a security vulnerability scanning service for the private address inside a cloud platform.
Fig. 5 is a schematic diagram of a vulnerability scanning apparatus 500 according to an embodiment of the present invention, which is applied to a server, and includes:
a determining module 501, configured to determine a target private address to be scanned, and determine a target subnet where the target private address is located;
a first determining module 502, configured to determine whether a target network interface located in the target subnet exists in a network interface of a vulnerability scanning tool in the server;
a scanning module 503, configured to scan a vulnerability of the host corresponding to the target private address by using the vulnerability scanning tool when the determination result of the first determining module 502 is yes; and when the judgment result of the first judgment module 502 is negative, adding a network interface positioned in the target subnet to the vulnerability scanning tool, and adopting the vulnerability scanning tool to perform vulnerability scanning on the host corresponding to the target private address.
The vulnerability scanning tool is deployed in the server in the form of a virtual secure image, and is assigned its corresponding private address.
The determining module 501 is specifically configured to determine whether the received target address to be scanned is a private address or a public network address; if the target address is a private address, determining the private address as a target private address to be scanned; and if the target address is a public network address, searching a private address corresponding to the public network address, and determining the searched private address as the target private address to be scanned.
The device further comprises:
a second determining module 504, configured to determine whether a vulnerability scanning tool in the server is started; if yes, triggering the determining module 501; if not, the vulnerability scanning tool is started, and the determining module 501 is triggered.
The scanning module 503 is further configured to restart the vulnerability scanning tool after a network interface located in the target subnet is added to the vulnerability scanning tool.
The device further comprises:
a third determining module 505, configured to determine whether a private address corresponding to the vulnerability scanning tool is located in a target security group where the target private address is located; if yes, the scanning module 503 is triggered; if not, the limitation of the target security group is removed, the vulnerability scanning tool is accessed into the target security group, and the scanning module 503 is triggered.
In the embodiment of the invention, when the vulnerability scanning tool has a network interface located in a subnet where the address to be scanned is located, the vulnerability scanning tool is communicated with the host corresponding to the address to be scanned, and the vulnerability scanning tool can access the host corresponding to the address to be scanned, so that private address scanning can be realized, and a security vulnerability scanning service is provided for the private address in the cloud platform.
For the system/apparatus embodiments, since they are substantially similar to the method embodiments, the description is relatively simple, and reference may be made to some descriptions of the method embodiments for relevant points.
It is to be noted that, in this document, relational terms such as first and second, and the like are used solely to distinguish one entity or operation from another entity or operation without necessarily requiring or implying any actual such relationship or order between such entities or operations.
As will be appreciated by one skilled in the art, embodiments of the present application may be provided as a method, system, or computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present application is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the application. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
While the preferred embodiments of the present application have been described, additional variations and modifications in those embodiments may occur to those skilled in the art once they learn of the basic inventive concepts. Therefore, it is intended that the appended claims be interpreted as including preferred embodiments and all alterations and modifications as fall within the scope of the application.
It will be apparent to those skilled in the art that various changes and modifications may be made in the present invention without departing from the spirit and scope of the invention. Thus, if such modifications and variations of the present invention fall within the scope of the claims of the present invention and their equivalents, the present invention is also intended to include such modifications and variations.

Claims (14)

1. A vulnerability scanning method is applied to a server and comprises the following steps:
determining a target private address to be scanned and determining a target subnet where the target private address is located;
judging whether a target network interface positioned in the target subnet exists in the network interfaces of the vulnerability scanning tool in the server;
if so, adopting the vulnerability scanning tool to carry out vulnerability scanning on the host corresponding to the target private address;
and if not, adding a network interface positioned in the target subnet to the vulnerability scanning tool, and adopting the vulnerability scanning tool to carry out vulnerability scanning on the host corresponding to the target private address.
2. The method of claim 1, wherein the vulnerability scanning tools are deployed in the server in the form of virtual secure images and are assigned their corresponding private addresses.
3. The method of claim 1, wherein the determining the target private address to scan comprises:
judging whether the received target address to be scanned is a private address or a public network address;
if the target address is a private address, determining the private address as a target private address to be scanned;
and if the target address is a public network address, searching a private address corresponding to the public network address, and determining the searched private address as the target private address to be scanned.
4. The method of claim 1, wherein prior to determining the target subnet in which the target private address is located, the method further comprises:
judging whether a vulnerability scanning tool in the server is started or not;
if yes, carrying out the subsequent steps;
if not, starting the vulnerability scanning tool and carrying out the subsequent steps.
5. The method of claim 1, wherein after the adding the network interface located in the target subnet to the vulnerability scanning tool, before performing vulnerability scanning on the host corresponding to the target private address using the vulnerability scanning tool, the method further comprises:
and restarting the vulnerability scanning tool.
6. The method of claim 2, wherein before performing vulnerability scanning on the host corresponding to the target private address using the vulnerability scanning tool, the method further comprises:
judging whether the private address corresponding to the vulnerability scanning tool is located in a target security group where the target private address is located;
if yes, carrying out the subsequent steps;
and if not, removing the limitation of the target security group, accessing the vulnerability scanning tool in the target security group, and performing subsequent steps.
7. A vulnerability scanning apparatus, applied to a server, comprising:
a determining module, configured to determine a target private address to be scanned and to determine a target subnet where the target private address is located;
a first judgment module, configured to judge whether a target network interface located in the target subnet exists among the network interfaces of the vulnerability scanning tool in the server; and
a scanning module, configured to perform vulnerability scanning on the host corresponding to the target private address using the vulnerability scanning tool when the judgment result of the first judgment module is yes, and, when the judgment result of the first judgment module is no, to add a network interface located in the target subnet to the vulnerability scanning tool and perform vulnerability scanning on the host corresponding to the target private address using the vulnerability scanning tool.
8. The apparatus of claim 7, wherein the vulnerability scanning tool is deployed in the server in the form of a virtual secure image, and the vulnerability scanning tool is assigned its corresponding private address.
9. The apparatus according to claim 7, wherein the determining module is specifically configured to determine whether the received target address to be scanned is a private address or a public network address; if the target address is a private address, determining the private address as a target private address to be scanned; and if the target address is a public network address, searching a private address corresponding to the public network address, and determining the searched private address as the target private address to be scanned.
10. The apparatus of claim 7, wherein the apparatus further comprises:
the second judgment module is used for judging whether the vulnerability scanning tool in the server is started or not; if yes, triggering the determining module; if not, starting the vulnerability scanning tool and triggering the determining module.
11. The apparatus of claim 7, wherein the scanning module is further configured to restart the vulnerability scanning tool after adding a network interface located within the target subnet for the vulnerability scanning tool.
12. The apparatus of claim 8, wherein the apparatus further comprises:
the third judging module is used for judging whether the private address corresponding to the vulnerability scanning tool is located in the target security group where the target private address is located; if yes, triggering the scanning module; if not, the limitation of the target security group is removed, the vulnerability scanning tool is accessed into the target security group, and the scanning module is triggered.
13. A server, comprising a memory and a processor;
the processor, which is used for reading the program in the memory, executes the steps of the method of any one of claims 1-6.
14. A computer-readable storage medium, in which a computer program executable by a server is stored, which program, when run on the server, causes the server to carry out the steps of the method according to any one of claims 1 to 6.
CN201811288071.0A 2018-10-31 2018-10-31 Vulnerability scanning method and device, server and readable storage medium Active CN111131131B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201811288071.0A CN111131131B (en) 2018-10-31 2018-10-31 Vulnerability scanning method and device, server and readable storage medium


Publications (2)

Publication Number Publication Date
CN111131131A (en) 2020-05-08
CN111131131B (en) 2023-04-18
CN112162825A (en) Equipment configuration method, device, equipment and storage medium
CN108628733B (en) Method and device for testing batch service processing operation
CN108595195B (en) Application program updating method, device, terminal and storage medium
CN111488163B (en) Firmware updating method and device, electronic equipment and storage medium
CN116743762A (en) Service registration cluster flow switching method, flow switching device and storage medium
CN109495298B (en) Method and device for managing nodes in OpenStack system
CN109284137B (en) Hypervisor-based QNX operating system starting method and device
CN110688130A (en) Physical machine deployment method, physical machine deployment device, readable storage medium and electronic equipment
US20230325203A1 (en) Provisioning dpu management operating systems using host and dpu boot coordination
CN110286996A (en) Container instance IP switching method, device, computer equipment and storage medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant