CN115378734A - Vulnerability screening system and method based on industrial firewall - Google Patents
Publication number: CN115378734A (application CN202211241162.5A)
Authority: CN (China)
Prior art keywords: screening, vulnerability, module, security, analysis
Legal status: Pending (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Classifications (CPC)
- H04L63/1433: Vulnerability analysis (under H04L63/14, network architectures or protocols for detecting or protecting against malicious traffic)
- G06F21/577: Assessing vulnerabilities and evaluating computer system security (under G06F21/57, certifying or maintaining trusted computer platforms)
- H04L63/02: Network architectures or protocols for separating internal from external traffic, e.g. firewalls
- H04L63/168: Implementing security features at a particular protocol layer above the transport layer
Abstract
Embodiments of the present application provide a vulnerability screening system and method based on an industrial firewall, in the technical field of industrial control security. The system comprises a plurality of vulnerability screening modules, and different modules can be used to screen different screening targets, so that the various weaknesses present in an industrial control system, such as security vulnerabilities, insecure security configurations and non-compliant behaviour, can be screened comprehensively and accurately. The output vulnerability analysis report provides the administrator with vulnerability analysis data before the industrial control system is compromised, so that the administrator can carry out professional and effective vulnerability analysis and remediation.
Description
Technical field
The embodiments of the present application relate to the technical field of industrial control security, and in particular to a vulnerability screening system and method based on an industrial firewall.
Background
With the development of industrial technology, industrial control systems occupy a position in industrial informatization that cannot be ignored. Industrial control systems are widely used in high-end manufacturing, electric power, energy, transportation, water conservancy and other sectors. Industrial control systems are an important part of national critical infrastructure and information systems, and have therefore also become targets of hostile foreign forces and hackers.
For example, in 2014 a new type of attack aimed specifically at industrial control systems, Havex, appeared; it has many variants and causes great harm. As another example, in March 2019 the Venezuelan power system suffered a nationwide, large-scale outage. Industrial control security incidents such as these result from attackers exploiting "vulnerabilities" of the industrial control system to attack the whole system. It can be seen that, for important basic industrial facilities, how to discover vulnerabilities before an attacker strikes is a problem that urgently needs to be solved.
Summary of the invention
Embodiments of the present application provide a vulnerability screening system and method based on an industrial firewall, in order to improve on the above problems.
In a first aspect, an embodiment of the present application provides a vulnerability screening system based on an industrial firewall. The system comprises: a vulnerability screening module, the vulnerability screening module comprising a plurality of vulnerability screening modules, different vulnerability screening modules having different screening functions; a data management module, connected to the vulnerability screening module, for managing the vulnerability analysis reports uploaded by the vulnerability screening module; and a web interface module, connected to the vulnerability screening module and to the data management module respectively, the web interface module interacting with the user through an SSL-encrypted channel and a browser.
In a second aspect, an embodiment of the present application provides a vulnerability screening method based on an industrial firewall, applied to the above vulnerability screening system. The method comprises: when a screening target is discovered using the above system, the system obtains target information of the screening target, the target information being determined according to the screening target; and the system performs vulnerability screening and analysis on the screening target according to the obtained target information, in order to determine whether the screening target has a security vulnerability.
Embodiments of the present application provide a vulnerability screening system and method based on an industrial firewall. The system comprises a plurality of vulnerability screening modules, and different modules can be used to screen different screening targets, so that the various weaknesses present in an industrial control system, such as security vulnerabilities, insecure security configurations and non-compliant behaviour, can be screened comprehensively and accurately. The output vulnerability analysis report provides the administrator with vulnerability analysis data before the industrial control system is compromised, so that the administrator can carry out professional and effective vulnerability analysis and remediation.
Brief description of the drawings
In order to illustrate the technical solutions in the embodiments of the present application more clearly, the drawings needed in the description of the embodiments are briefly introduced below. Obviously, the drawings described below are only some embodiments of the present application; those skilled in the art can obtain other drawings from them without creative effort.
Fig. 1 is a structural block diagram of a vulnerability screening system based on an industrial firewall according to an embodiment of the present application;
Fig. 2 is a schematic diagram of the network topology under the stand-alone deployment management mechanism according to an exemplary embodiment of the present application;
Fig. 3 is a schematic diagram of the network topology under the distributed management mechanism according to an exemplary embodiment of the present application;
Fig. 4 is a schematic flowchart of a vulnerability screening method based on an industrial firewall according to an embodiment of the present application.
Detailed description
In order to help those skilled in the art better understand the solutions of the present application, the technical solutions in the embodiments are described clearly and completely below with reference to the drawings of the embodiments.
Referring to Fig. 1, Fig. 1 is a structural block diagram of a vulnerability screening system based on an industrial firewall according to an embodiment of the present application. The industrial-firewall-based vulnerability screening system 100 comprises a plurality of interconnected vulnerability screening modules 110, a data management module 120 and a web interface module 130. The system 100 adopts a Browser/Server (B/S) management model and runs on a Linux system. The system 100 comprises a business library, a knowledge library and a compliance library; these databases are invoked during vulnerability screening, and their contents can be set and changed dynamically according to actual requirements. The system 100 is deployed on a separate link of the core switch.
Different ones of the plurality of vulnerability screening modules 110 have different screening functions. The modules 110 can respectively perform vulnerability screening and analysis on a plurality of screening targets and generate a vulnerability analysis report for each module. The modules 110 can send the vulnerability analysis reports to the data management module 120, so that the data management module 120 stores and manages them for later consultation or retrieval. The modules 110 can also send the vulnerability analysis reports to the user at the same time, so that the user can take the corresponding action, for example remediation, on the basis of the report.
The data management module 120 is connected to the plurality of vulnerability screening modules 110 and is used to manage the vulnerability analysis reports uploaded by the vulnerability screening modules 110. Specifically, referring to Fig. 1, the data management module 120 may comprise a report management sub-module, which can be used for report management.
In some optional embodiments, the data management module 120 may comprise a plurality of management sub-modules that respectively manage different system data. The management sub-modules can be set according to actual management requirements; as an example, as shown in Fig. 1, the data management module 120 may comprise log management, asset management, task management, report management, system management and upgrade management sub-modules. It should be noted that each management sub-module can manage data independently and execute the corresponding decision operations. For example, an upgrade cycle can be set in the upgrade management sub-module. After the system 100 is deployed or upgraded, the upgrade management sub-module can start a timer; when the elapsed time reaches the upgrade cycle, the upgrade management sub-module can upgrade the vulnerability library and the software online over the network or locally from a local data package, thereby ensuring the timeliness and accuracy of the system 100 and improving system security.
The web interface module 130 is connected to the plurality of vulnerability screening modules 110 and to the data management module 120 respectively. The web interface module 130 outputs the vulnerability analysis reports to the user through a Secure Socket Layer (SSL) encrypted channel and a web browser. SSL is a security and confidentiality protocol; the SSL encrypted channel refers to the encrypted secure channel established between the browser and the web server. The user can use a browser to interact with the web interface module through the SSL encrypted channel in order to manage the system 100. As shown in Fig. 1, users may include but are not limited to administrators, auditors and operators.
In some optional embodiments, as shown in Fig. 1, the plurality of vulnerability screening modules 110 may comprise an industrial control vulnerability screening module 111, a system vulnerability screening module 112, a web vulnerability screening module 113, a database security screening module 114, a security baseline screening module 115 and an APP vulnerability screening module 116.
The industrial control vulnerability screening module 111 can be used to perform vulnerability screening and analysis on pre-designated screening targets in the industrial control system and to generate the corresponding vulnerability analysis report. The pre-designated screening target may be a target designated by the user or a target determined by the system 100. The module 111 supports remote, non-contact vulnerability screening, which reduces the economic risk that industrial control vulnerabilities pose while an industrial control system is being screened.
In some optional embodiments, the pre-designated screening target may be a specific device or system in the industrial control system, including but not limited to Supervisory Control And Data Acquisition (SCADA), Distributed Control System (DCS) and Programmable Logic Controller (PLC) control systems.
In some optional embodiments, the module 111 can also screen and analyse security vulnerabilities present in protocols such as Modbus TCP (the Modbus protocol carried over Ethernet Transmission Control Protocol/Internet Protocol, TCP/IP) and S7.
In some optional embodiments, the module 111 can also perform vulnerability screening on the Information Technology (IT) devices or systems used in traditional industrial control systems.
The system vulnerability screening module 112 is used to perform vulnerability screening and analysis on operating systems, application services, databases and network devices, and to generate the corresponding vulnerability analysis report. Windows operating systems supported by the module 112 include but are not limited to NT, 2000, XP, 2003, Win7, Win10, 2008, 2012 and 2016. Linux operating systems supported include but are not limited to Amazon Linux, CentOS, Debian, Fedora, Red Hat, SuSE and Ubuntu. Unix operating systems supported include but are not limited to AIX, FreeBSD, HP-UX, Solaris and Mac OS X. Application services supported may include but are not limited to Microsoft Internet Explorer, PHP, IIS, Apache, Tomcat and Adobe Flash. Databases supported include but are not limited to Oracle, MySQL, SQL Server, DB2, Informix, MsSQL and SyBase. Virtualization platforms supported include but are not limited to VMware ESXi and XenServer. Security devices supported include Juniper and Wangshen (网神).
The module 112 may also include but is not limited to an intelligent service identification function, an authorized-login screening function and a security-optimized screening function. For example, when intelligent service identification is enabled, the module 112 can determine, from the application services listed above, which application service the screening target belongs to. When authorized-login screening is enabled, the module 112 can only begin vulnerability screening after the user has authorized login. When security-optimized screening is enabled, the module 112 gathers more screening data on top of the original vulnerability screening and selects more precise and complex algorithms to screen the target.
It should be noted that while the system vulnerability screening module 112 is running, the other modules among the plurality 110 (for example the industrial control vulnerability screening module 111, the web vulnerability screening module 113, the database security screening module 114, the security baseline screening module 115 and the APP vulnerability screening module 116) do not run, because the module 112 screens the screening target as a whole whereas the other modules each focus on one particular aspect. The other modules produce more accurate results than the module 112; the module 112 produces more comprehensive results than any single other module; and the module 112 consumes fewer computing resources and less computing time than running the other modules simultaneously.
The web vulnerability screening module 113 is used to perform vulnerability screening and analysis on web applications and to generate the corresponding vulnerability analysis report. The module 113 supports OWASP Top 10 vulnerability screening, for example SQL injection, cross-site scripting (XSS), website trojan implants, web page trojans and CGI vulnerabilities. The OWASP Top 10 is established by the Open Web Application Security Project, which freely provides articles and other information on web application security. Protocols supported by the module 113 may include but are not limited to Hypertext Transfer Protocol (HTTP) and HTTPS, where HTTPS is a network protocol built from HTTP plus Transport Layer Security (TLS)/SSL that provides encrypted transmission and identity authentication. Web servers supported may include but are not limited to IIS, WebSphere, WebLogic, Apache, Tomcat and Nginx. Programming languages supported may include but are not limited to ASP, JSP, .NET, J2EE and PHP. Database types supported may include but are not limited to Access, MySQL, Oracle, DB2, PostgreSQL, SyBase, Informix, SQLite and MSSQL Server. Third-party components supported may include but are not limited to WordPress, eWebEditor, FCKeditor, Struts2 and other common domestic and foreign third-party components.
The module 113 can parse and screen JSON and Base64 data, and supports custom cookies for in-depth screening. It supports web vulnerability screening under Basic and cookie-based authentication. It also supports passive screening and user-entered URLs, so that URLs which conventional page-crawling software cannot reach can be screened, allowing the user to discover security vulnerabilities in the website in time and avoid information security incidents.
The module 113 is further used to verify the web vulnerabilities found, using a web vulnerability verification mechanism. Specifically, the test packets observed during screening can be recorded for evidence. For injection vulnerabilities, the database type can be identified automatically and the instance name/database name (InstanceName) and user name (UserName) obtained, which effectively lowers the false-positive rate.
The database security screening module 114 is used to perform vulnerability screening and analysis on various databases and to generate the corresponding vulnerability analysis report. Databases include but are not limited to Oracle, MySQL, SQL Server, Sybase, DB2, Informix, PostgreSQL, Kingbase and DM (达梦). Screening policies adopted by the module 114 may include but are not limited to privilege-bypass vulnerabilities, SQL injection vulnerabilities and access control vulnerabilities.
The module 114 comprises two screening modes, authorized screening and unauthorized screening. The user can choose the screening mode according to the scenario (authorized or not) and select the corresponding screening policy to perform security screening of the database. After screening, a screening analysis report is generated automatically; it contains a detailed description of the vulnerabilities found and remediation recommendations, so that the user can discover security vulnerabilities in the database in time and protect data security.
The module 114 can also compare database objects, binary files and the like in order to identify potential trojans in the data centre.
The security baseline screening module 115 is used to perform vulnerability screening and analysis on the system baselines in the current screening network and to generate the corresponding vulnerability analysis report. The module 115 provides professional configuration hardening recommendations and compliance reports. Operating systems supported may include but are not limited to Windows, Linux (CentOS, Debian, Fedora, Red Hat, SuSE and Ubuntu), Unix (AIX, HP-UX and Solaris) and domestic operating systems (NeoKylin (中标麒麟) and Red Flag (红旗)). Middleware supported may include but is not limited to IIS, Apache, Tomcat, WebLogic, WebSphere, Nginx, JBoss and Resin. Databases supported may include but are not limited to Oracle, MySQL, DB2, Informix, MSSQL and Sybase. Virtualization platforms supported may include but are not limited to VMware ESXi and XenServer. Security devices supported may include but are not limited to Juniper and Wangshen (网神).
The module 115 supports remote login to systems for baseline screening over a variety of protocols, including but not limited to Server Message Block (SMB), Telnet and Secure Shell (SSH). It supports agent-based local screening and provides a dedicated Windows configuration check tool. It supports baseline screening of both online and offline devices. The baseline screening process only inspects the system configuration and does not modify it in any way, which ensures business continuity and business security, makes security configuration maintenance orderly, simple and easy to operate, and helps the user discover insecure configurations in the information system in time and raise the security protection level of the target system.
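The read-only check that the security baseline module is described as performing, shown as an added example that is not code from the patent: a constructed sshd_config-style text (the kind of file a remote or agent-based collector would hand back) is parsed, compared against a small constructed baseline, and turned into findings with hardening advice plus a compliance summary. The rule set, the sample configuration, the field names and the percentage layout are assumptions of this example, not the patent's compliance library; the point is that the checker only reads the captured configuration and never writes to the target.

```python
"""Read-only security baseline check over a captured configuration (added example)."""
from dataclasses import dataclass

# Constructed sample: a captured sshd_config as a collector might return it.
# The checker only reads this text; nothing here modifies the target system.
SAMPLE_SSHD_CONFIG = """\
# sample sshd_config (constructed)
Port 22
Protocol 2
PermitRootLogin yes
PasswordAuthentication yes
PermitEmptyPasswords no
X11Forwarding yes
MaxAuthTries 10
"""


@dataclass(frozen=True)
class BaselineRule:
    key: str        # configuration directive to inspect
    expected: str   # value required by the baseline
    severity: str   # "high" | "medium" | "low"
    advice: str     # hardening recommendation printed in the report


# Constructed baseline (a real one would come from the system's compliance library).
SSH_BASELINE = (
    BaselineRule("Protocol", "2", "high", "Use SSH protocol version 2 only."),
    BaselineRule("PermitRootLogin", "no", "high", "Disable direct root login; use sudo."),
    BaselineRule("PasswordAuthentication", "no", "medium", "Prefer key-based authentication."),
    BaselineRule("PermitEmptyPasswords", "no", "high", "Never allow empty passwords."),
    BaselineRule("X11Forwarding", "no", "low", "Disable X11 forwarding unless required."),
    BaselineRule("MaxAuthTries", "4", "medium", "Limit authentication attempts per connection."),
)


def parse_config(text: str) -> dict:
    """Parse 'Key value' lines; '#' comments and blank lines are ignored.
    sshd directives are case-insensitive, so keys are normalised to lower case."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            cfg[parts[0].lower()] = parts[1].strip()
    return cfg


def check_baseline(text: str, rules=SSH_BASELINE) -> list:
    """Return one finding per rule with status 'pass', 'fail' or 'missing'."""
    cfg = parse_config(text)
    findings = []
    for rule in rules:
        actual = cfg.get(rule.key.lower())
        if actual is None:
            status = "missing"   # directive absent: the daemon default applies
        elif actual.lower() == rule.expected.lower():
            status = "pass"
        else:
            status = "fail"
        findings.append({
            "key": rule.key, "expected": rule.expected, "actual": actual,
            "status": status, "severity": rule.severity,
            "advice": "" if status == "pass" else rule.advice,
        })
    return findings


def compliance_summary(findings: list) -> dict:
    """Aggregate findings into the figures a compliance report would show."""
    total = len(findings)
    passed = sum(1 for f in findings if f["status"] == "pass")
    high = [f["key"] for f in findings
            if f["status"] != "pass" and f["severity"] == "high"]
    return {"checked": total, "passed": passed,
            "compliance_pct": round(100 * passed / total) if total else 0,
            "high_severity_failures": high}


if __name__ == "__main__":
    results = check_baseline(SAMPLE_SSHD_CONFIG)
    for f in results:
        print(f"{f['status']:7} {f['severity']:6} {f['key']}={f['actual']!r} "
              f"(expected {f['expected']}) {f['advice']}")
    print(compliance_summary(results))
```

A directive that is absent is reported as `missing` rather than silently counted as a failure, because for many daemons the built-in default may or may not satisfy the baseline; the report should make the analyst decide rather than hide the gap.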
The APP vulnerability screening module 116 uses static analysis to perform vulnerability screening and analysis on apps and to generate the corresponding vulnerability analysis report. Static analysis can accurately discover security risks present in an Android application package (APK), such as component security, configuration security, data security and malicious behaviour, greatly improving the security of mobile apps and avoiding business losses caused by app vulnerabilities.
In some optional embodiments, the plurality of vulnerability screening modules 110 further comprises a WiFi security screening module, which is used to perform vulnerability screening and analysis on WiFi wireless networks and to generate the corresponding vulnerability analysis report. Specifically, access points and WiFi channels can be identified, and information such as the Service Set Identifier (SSID), hardware vendor and MAC address, together with the MAC addresses of the clients connected to each wireless node, can be found. In addition, the modules 110 can perform weak-password screening of the WiFi network and generate a vulnerability analysis report.
In some optional embodiments, the plurality of vulnerability screening modules 110 further comprises a big data vulnerability screening module, which is used to perform vulnerability screening and security compliance checks on big data components and to generate a statistical analysis report. Security configuration compliance checks may cover but are not limited to Hadoop, Spark, HBase, Solr and ES. The statistical analysis report provides detailed vulnerability descriptions and remediation recommendations, strengthening the security compliance of each component of the big data platform.
In some optional embodiments, after vulnerability screening has produced screening results, the modules 110 can analyse the results in report and graphical form and generate their respective vulnerability analysis reports, whose content includes the vulnerability risk level, vulnerability category, vulnerability description, vulnerability type and remediation. The system 100 provides records from international authoritative bodies about each vulnerability, including Common Vulnerabilities and Exposures (CVE) numbers, and links to the related vendor patches, so that administrators and ordinary users can resolve security problems quickly and accurately and can understand the details of a given host or vulnerability. Vulnerability analysis reports can be styled for executives, technicians and security experts or as custom reports, and the output format may include but is not limited to files with the .html, .doc, .docx or .pdf extension. The screening results can also be correlated with the compliance library for information security classified protection (等级保护) to generate a classified-protection evaluation report that meets the regulatory requirements.
In some optional embodiments, the system 100 includes a stand-alone deployment management mechanism and a distributed management mechanism. The system 100 further includes a decision module, which, when the current screening network is found to be a distributed network, determines that the system 100 screens using the distributed management mechanism, and, when the current screening network is found not to be distributed, determines that the system 100 screens using the stand-alone deployment management mechanism. As an example, the network topology under the stand-alone deployment management mechanism is shown in Fig. 2 and the topology under the distributed management mechanism in Fig. 3. It can be seen that, under the distributed management mechanism, a lower-level system uploads its screening results or screening analysis reports to the upper-level system. Alternatively, the lower-level system can upload the target information it has obtained for the screening targets to the upper-level system, so that the upper-level system performs the vulnerability screening and analysis centrally.
In some optional embodiments, the system 100 further comprises a Windows security hardening module, which is used to harden the Windows operating system; the hardening content may include but is not limited to configuration management, network management, access management, log audit and malicious code prevention. Configuration management may include but is not limited to host configuration, user policy, identity authentication, patch management and software management. Network management may include but is not limited to service ports and the firewall. Access management may include but is not limited to peripheral management, autoplay, remote login and wireless network adapters. Malicious code prevention may include but is not limited to data protection and anti-virus software.
In some optional embodiments, the system 100 further comprises a screening preparation module, which is used to discover the screening targets in the current screening network and their target information, the target information being determined according to the screening target. Screening targets may include but are not limited to live hosts, network devices and databases in the current screening network. Target information may include but is not limited to host name, IP address, port, operating system, software version, responsible person and region. The screening preparation module prepares the ground for vulnerability screening.
In some optional embodiments, the system 100 further comprises a network topology generation module, which is used to generate the network topology diagram of the current screening network, such as the one shown in Fig. 2 or Fig. 3. The network topology generation module is dynamic: the user can modify it and run queries against it, for example to query the details of each asset. It supports asset export and import, helping the user quickly discover and count the information assets across the whole network and understand the security risk level of each asset.
The vulnerability screening system based on an industrial firewall provided by the embodiments of the present application comprises a plurality of vulnerability screening modules, and different modules can be used to screen different screening targets, so that the various weaknesses present in an industrial control system, such as security vulnerabilities, insecure security configurations and non-compliant behaviour, can be screened comprehensively and accurately. The output vulnerability analysis report provides the administrator with vulnerability analysis data before the industrial control system is compromised, so that the administrator can carry out professional and effective vulnerability analysis and remediation.
Referring to Fig. 4, Fig. 4 is a schematic flowchart of a vulnerability screening method based on an industrial firewall according to an embodiment of the present application. The method can be applied to the vulnerability screening system 100 shown in Fig. 1 and may comprise the following steps S110 to S120.
Step S110: when a screening target is discovered using the industrial-firewall-based vulnerability screening system, the system obtains the target information of the screening target, the target information being determined according to the screening target.
Here, a screening target refers to a device, system, protocol or the like that needs vulnerability screening. As noted above, screening targets may include but are not limited to live hosts, network devices and databases in the current screening network.
The target information has a mapping relation to the screening target, which may be a one-to-one, one-to-many, many-to-one or many-to-many mapping. The mapping can be preset and stored in the system, so that the target information corresponding to a screening target can be obtained directly from the screening target. Target information may include but is not limited to host name, Internet Protocol (IP) address, port, operating system, software version, responsible person and region.
In some optional embodiments, the system can sort the devices or systems connected to it in a preset order and determine them as screening targets one by one in that order. The preset order can be set according to actual requirements; for example, it may be the order in which the devices or systems were connected.
In some optional embodiments, the system can set different vulnerability screening cycles for the devices or systems connected to it and determine the screening targets from among them according to the screening cycle. The screening cycle can be set according to actual needs; for example, it may be one week, one day or one month.
Step S120: the system performs vulnerability screening and analysis on the screening target according to the obtained target information, in order to determine whether the screening target has a security vulnerability.
In some optional embodiments, the system can determine the type of the screening target and use the vulnerability screening module corresponding to that type to screen and analyse the target. For example, if the screening target is a database, the database security screening module can be used to screen and analyse it.
In some optional embodiments, if there are multiple screening targets, the vulnerability screening modules corresponding to them can be used in parallel at the same time to screen and analyse the targets respectively. For example, if the screening targets include a database, a web application and a system baseline, the database security screening module can be used for the database, the web vulnerability screening module for the web application and the security baseline screening module for the system baseline. This improves screening accuracy and efficiency.
In some optional embodiments, after the screening target has been screened, a screening analysis report can be generated; further, the report can be sent to the user by email or telephone, together with recommended preventive measures. If there are multiple screening targets, the priority of each target can be obtained and the screening analysis reports sent to the user in order of priority. The priority can be customised; usually databases and operating systems have a higher priority than application services.
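Steps S110 and S120, together with the preset target-to-information mapping and the priority-ordered report delivery described above, as one added example that is not code from the patent: a stored mapping supplies each target's information, a registry picks the screening module by target type, the modules run in parallel in a thread pool, and the resulting reports are sorted by a customisable priority in which databases and operating systems outrank web application services. The target names, addresses, the three toy module checks, the priority table and the report fields are constructed assumptions; a real module would run its own checks against the target rather than the one-rule stand-ins used here. Targets with no stored information or with a type no module handles are reported as such instead of being dropped.

```python
"""Dispatch, parallel screening and priority-ordered reporting (added example)."""
from concurrent.futures import ThreadPoolExecutor
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Target:
    name: str
    kind: str   # "database" | "os" | "web"; other kinds have no module here


@dataclass
class Report:
    target: str
    kind: str
    priority: int
    status: str                      # "screened" | "no target info" | "unsupported type"
    findings: list = field(default_factory=list)


# Step S110: preset mapping from screening target to target information.
# Constructed data; a one-to-many mapping would simply store a list per name.
TARGET_INFO = {
    "plc-hist-db": {"ip": "10.0.5.20", "port": 5432, "os": "Debian", "version": "PostgreSQL 13"},
    "hmi-web":     {"ip": "10.0.5.30", "port": 80,   "os": "Win10",  "version": "IIS 10"},
    "eng-ws":      {"ip": "10.0.5.40", "port": 3389, "os": "Win7",   "version": "6.1"},
    "ap-1":        {"ip": "10.0.5.50", "port": 0,    "os": "n/a",    "version": "AP fw 1.2"},
}

# Customisable delivery priority: lower is sent first. Databases and operating
# systems rank above application services, as the description states.
PRIORITY = {"database": 0, "os": 0, "web": 2}
DEFAULT_PRIORITY = 9

DB_DEFAULT_PORTS = {1433, 1521, 3306, 5432}                 # constructed
EOL_WINDOWS = {"NT", "2000", "XP", "2003", "Win7", "2008"}  # constructed


def screen_database(info: dict) -> list:
    """Stand-in for module 114: flag a listener left on its well-known port."""
    if info["port"] in DB_DEFAULT_PORTS:
        return [{"risk": "medium", "category": "exposure",
                 "description": f"{info['version']} listens on default port {info['port']}",
                 "fix": "Restrict the listener to the management network with a firewall rule."}]
    return []


def screen_os(info: dict) -> list:
    """Stand-in for module 112: flag an operating system past end of support."""
    if info["os"] in EOL_WINDOWS:
        return [{"risk": "high", "category": "unsupported software",
                 "description": f"{info['os']} no longer receives security patches",
                 "fix": "Upgrade to a supported version or isolate the host."}]
    return []


def screen_web(info: dict) -> list:
    """Stand-in for module 113: flag an application served without TLS."""
    if info["port"] == 80:
        return [{"risk": "medium", "category": "transport",
                 "description": "Web application served over plain HTTP",
                 "fix": "Serve over HTTPS (HTTP over TLS) and redirect port 80."}]
    return []


MODULES = {"database": screen_database, "os": screen_os, "web": screen_web}


def screen_one(target: Target) -> Report:
    """S110: look up target information; S120: run the module for its type."""
    priority = PRIORITY.get(target.kind, DEFAULT_PRIORITY)
    info = TARGET_INFO.get(target.name)
    if info is None:
        return Report(target.name, target.kind, priority, "no target info")
    module = MODULES.get(target.kind)
    if module is None:
        return Report(target.name, target.kind, priority, "unsupported type")
    return Report(target.name, target.kind, priority, "screened", module(info))


def screen_all(targets: list) -> list:
    """Screen every target in parallel, then order reports for delivery."""
    with ThreadPoolExecutor(max_workers=4) as pool:
        reports = list(pool.map(screen_one, targets))
    return sorted(reports, key=lambda r: (r.priority, r.target))


def delivery_order(targets: list) -> list:
    """Target names in the order their reports would be sent to the user."""
    return [r.target for r in screen_all(targets)]


if __name__ == "__main__":
    batch = [Target("hmi-web", "web"), Target("plc-hist-db", "database"),
             Target("eng-ws", "os"), Target("ap-1", "wifi")]
    for r in screen_all(batch):
        print(r.priority, r.target, r.status, r.findings)
```

Equal priorities are broken by target name so the delivery order is deterministic; in a deployment the tie-breaker would more usefully be the highest risk level in each report.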
In the vulnerability screening method based on an industrial firewall provided by the embodiments of the present application, a vulnerability screening system comprising a plurality of vulnerability screening modules is used, and different modules can screen different screening targets, so that the various weaknesses present in an industrial control system, such as security vulnerabilities, insecure security configurations and non-compliant behaviour, can be screened comprehensively and accurately. The output vulnerability analysis report provides the administrator with vulnerability analysis data before the industrial control system is compromised, so that the administrator can carry out professional and effective vulnerability analysis and remediation.
In summary, the embodiments of the present application provide a vulnerability screening system and method based on an industrial firewall, in the technical field of industrial control security. The system comprises a plurality of vulnerability screening modules, and different modules can be used to screen different screening targets, so that the various weaknesses present in an industrial control system, such as security vulnerabilities, insecure security configurations and non-compliant behaviour, can be screened comprehensively and accurately. The output vulnerability analysis report provides the administrator with vulnerability analysis data before the industrial control system is compromised, so that the administrator can carry out professional and effective vulnerability analysis and remediation.
Finally, it should be noted that the above embodiments are only used to illustrate the technical solutions of the present application and not to limit them. Although the present application has been described in detail with reference to the foregoing embodiments, those skilled in the art should understand that they can still modify the technical solutions described in the foregoing embodiments or substitute equivalents for some of their technical features, and that such modifications or substitutions do not cause the essence of the corresponding technical solutions to depart from the spirit and scope of the technical solutions of the embodiments of the present application.
Claims (10)
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202211241162.5A CN115378734A (en) | 2022-10-11 | 2022-10-11 | Vulnerability screening system and method based on industrial firewall |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202211241162.5A CN115378734A (en) | 2022-10-11 | 2022-10-11 | Vulnerability screening system and method based on industrial firewall |
Publications (1)
Publication Number | Publication Date |
---|---|
CN115378734A true CN115378734A (en) | 2022-11-22 |
Family
ID=84072859
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202211241162.5A Pending CN115378734A (en) | 2022-10-11 | 2022-10-11 | Vulnerability screening system and method based on industrial firewall |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN115378734A (en) |
Cited By (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN115695044A (en) * | 2022-11-29 | 2023-02-03 | 贵州电网有限责任公司 | IT asset safety control platform and management method |
Citations (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN108737425A (en) * | 2018-05-24 | 2018-11-02 | 北京凌云信安科技有限公司 | Vulnerability management system based on multi-engine vulnerability scanning correlation analysis |
CN113704767A (en) * | 2021-08-10 | 2021-11-26 | 北京凌云信安科技有限公司 | Vulnerability scanning engine and vulnerability worksheet management fused vulnerability management system |
2022
- 2022-10-11 CN CN202211241162.5A patent/CN115378734A/en active Pending
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN108737425B (en) | Vulnerability management system based on multi-engine vulnerability scanning correlation analysis | |
Liu et al. | A survey: Typical security issues of software-defined networking | |
CN111819544B (en) | Pre-deployment security analyzer service for virtual computing resources | |
Tselios et al. | Enhancing SDN security for IoT-related deployments through blockchain | |
KR102454075B1 (en) | Technology for a scalable security architecture for virtualized networks | |
CN113704767A (en) | Vulnerability scanning engine and vulnerability worksheet management fused vulnerability management system | |
CN104410617B (en) | A kind of information security attacking & defending department framework of cloud platform | |
US20190222568A1 (en) | Non-Intrusive Security Enforcement for Federated Single Sign-On (SSO) | |
CN104573516B (en) | A kind of industrial control system trusted context management-control method and platform based on safety chip | |
CN103368973B (en) | A kind of cloud operating system security system | |
CN105933361B (en) | Big data security protection cloud system based on trusted calculation | |
US20140089661A1 (en) | System and method for securing network traffic | |
Kumar et al. | Exploring security issues and solutions in cloud computing services–a survey | |
WO2016173199A1 (en) | Mobile application single sign-on method and device | |
Zhu et al. | Kub-Sec, an automatic Kubernetes cluster AppArmor profile generation engine | |
O'Neill et al. | TrustBase: An architecture to repair and strengthen certificate-based authentication | |
US20240411652A1 (en) | Predictive model for handling network configuration failures | |
CN115378734A (en) | Vulnerability screening system and method based on industrial firewall | |
US11683350B2 (en) | System and method for providing and managing security rules and policies | |
CN118041630A (en) | Electric power system network security defense method, device, equipment and medium | |
Maloney et al. | Cyber-physical system security automation through blockchain remediation and execution (SABRE) | |
Binkowski et al. | Securing 3rd party app integration in docker-based cloud software ecosystems | |
Yacob | Securing sensitive data in the cloud: a new era of security through zero trust principles | |
Shah et al. | Efficient solution for NoSQL database security in blockchain-based applications | |
Zoure et al. | VeriNeS: Runtime verification of outsourced network services orchestration |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| | PB01 | Publication | |
| | SE01 | Entry into force of request for substantive examination | |
| | RJ01 | Rejection of invention patent application after publication | Application publication date: 20221122 |