CN115378734A - Vulnerability screening system and method based on industrial firewall - Google Patents

Info

Publication number: CN115378734A
Authority: CN (China)
Prior art keywords: screening, vulnerability, module, security, analysis
Legal status: Pending
Application number: CN202211241162.5A
Other languages: Chinese (zh)
Inventor: 张超
Current Assignee: Beijing Luoan Technology Co Ltd
Original Assignee: Beijing Luoan Technology Co Ltd
Application filed by Beijing Luoan Technology Co Ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1433 Vulnerability analysis
    • H04L 63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L 63/16 Implementing security features at a particular protocol layer
    • H04L 63/168 Implementing security features at a particular protocol layer above the transport layer
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F 21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G06F 21/577 Assessing vulnerabilities and evaluating computer system security

Abstract

Embodiments of the present application provide a vulnerability screening system and method based on an industrial firewall, relating to the technical field of industrial control security. The industrial-firewall-based vulnerability screening system includes a plurality of vulnerability screening modules, and different vulnerability screening modules can be used to screen different screening targets, so that the various weaknesses present in an industrial control system, such as security vulnerabilities, security configuration problems and non-compliant behaviour, can be screened comprehensively and accurately. The output vulnerability analysis report provides the administrator with vulnerability analysis data before the industrial control system is compromised, so that the administrator can carry out professional and effective vulnerability analysis and remediation.

Description

A vulnerability screening system and method based on an industrial firewall

Technical Field

The embodiments of the present application relate to the technical field of industrial control security, and in particular to a vulnerability screening system and method based on an industrial firewall.

Background Art

With the development of industrial technology, industrial control systems occupy a position in industrial informatization that cannot be ignored. Industrial control systems are widely used in high-end manufacturing, electric power, energy, transportation, water conservancy and other fields. Industrial control systems are an important component of national critical infrastructure and information systems, and have also become a target of hostile foreign forces and hackers.

For example, in 2014 a new type of attack aimed specifically at industrial control systems appeared, Havex, which has many variants and causes great harm. As another example, in March 2019 the Venezuelan power system suffered a nationwide large-scale network outage. Industrial control security incidents of this kind are caused by attackers exploiting "vulnerabilities" in an industrial control system to launch an attack on the system as a whole. It can be seen that, for important basic industrial facilities, how to discover vulnerabilities before an attacker strikes is a problem that urgently needs to be solved.

Summary of the Invention

Embodiments of the present application provide a vulnerability screening system and method based on an industrial firewall in order to improve on the above problems.

In a first aspect, an embodiment of the present application provides a vulnerability screening system based on an industrial firewall. The system includes: a vulnerability screening module, which comprises a plurality of vulnerability screening modules, different vulnerability screening modules having different screening functions; a data management module, connected to the vulnerability screening module and used to manage the vulnerability analysis reports uploaded by the vulnerability screening module; and a web interface module, connected to both the vulnerability screening module and the data management module, which interacts with the user through an SSL encrypted channel and a browser.

In a second aspect, an embodiment of the present application provides a vulnerability screening method based on an industrial firewall, applied to the above industrial-firewall-based vulnerability screening system. The method includes: when a screening target is discovered using the above system, the system obtains target information about the screening target, the target information being determined according to the screening target; and the system performs vulnerability screening and analysis on the screening target according to the obtained target information, in order to determine whether the screening target has a security vulnerability.

Embodiments of the present application provide a vulnerability screening system and method based on an industrial firewall. The system includes a plurality of vulnerability screening modules, and different vulnerability screening modules can be used to screen different screening targets, so that the various weaknesses present in an industrial control system, such as security vulnerabilities, security configuration problems and non-compliant behaviour, can be screened comprehensively and accurately. The output vulnerability analysis report provides the administrator with vulnerability analysis data before the industrial control system is compromised, so that the administrator can carry out professional and effective vulnerability analysis and remediation.

Brief Description of the Drawings

In order to illustrate the technical solutions in the embodiments of the present application more clearly, the drawings needed for describing the embodiments are briefly introduced below. Obviously, the drawings described below are only some embodiments of the present application; those skilled in the art can also derive other drawings from them without creative effort.

Fig. 1 is a structural block diagram of a vulnerability screening system based on an industrial firewall provided by an embodiment of the present application;

Fig. 2 is a schematic diagram of the network topology under a stand-alone deployment management mechanism provided by an exemplary embodiment of the present application;

Fig. 3 is a schematic diagram of the network topology under a distributed management mechanism provided by an exemplary embodiment of the present application;

Fig. 4 is a schematic flowchart of a vulnerability screening method based on an industrial firewall provided by an embodiment of the present application.

Detailed Description of Embodiments

In order to enable those skilled in the art to better understand the solutions of the present application, the technical solutions in the embodiments are described clearly and completely below with reference to the drawings in the embodiments.

Referring to Fig. 1, Fig. 1 is a structural block diagram of a vulnerability screening system based on an industrial firewall provided by an embodiment of the present application. The industrial-firewall-based vulnerability screening system 100 includes a plurality of vulnerability screening modules 110, a data management module 120 and a web interface module 130, which are connected to one another. The system 100 adopts a browser/server (B/S) management model and a Linux system. The system 100 includes a business database, a knowledge base and a compliance database; these databases are invoked during vulnerability screening, and their contents can be set and changed dynamically according to actual needs. The system 100 is deployed on a separate link of the core switch.

Different vulnerability screening modules among the plurality of vulnerability screening modules 110 have different screening functions. The plurality of vulnerability screening modules 110 can respectively perform vulnerability screening and analysis on a plurality of screening targets and generate a vulnerability analysis report corresponding to each module. The plurality of vulnerability screening modules 110 can send the vulnerability analysis reports to the data management module 120, so that the data management module 120 stores and manages them for subsequent reference or retrieval. The plurality of vulnerability screening modules 110 can also send the vulnerability analysis reports to the user at the same time, so that the user can take corresponding action based on the reports, such as patching.

The data management module 120 is connected to the plurality of vulnerability screening modules 110 and is used to manage the vulnerability analysis reports uploaded by the plurality of vulnerability screening modules 130. As shown in Fig. 1, the data management module 120 may include a report management sub-module, which may be used for report management.

In some optional implementations, the data management module 120 may include a plurality of management sub-modules to manage different system data respectively. The management sub-modules can be set according to actual management requirements. As an example, as shown in Fig. 1, the data management module 120 may include management sub-modules such as log management, asset management, task management, report management, system management and upgrade management. It should be noted that each management sub-module can manage data independently and perform the corresponding decision operations. For example, an upgrade cycle can be set in the upgrade management sub-module. After the system 100 is deployed or upgraded, the upgrade management sub-module can start a timer; when the elapsed time reaches the upgrade cycle, the upgrade management sub-module can upgrade the vulnerability database and the software online over the network or locally from a local data package, thereby ensuring the timeliness and accuracy of the system 100 and improving system security.

The web interface module 130 is connected to the plurality of vulnerability screening modules 110 and to the data management module 120. The web interface module 130 outputs the vulnerability analysis reports to the user through a Secure Socket Layer (SSL) encrypted channel and a web browser. SSL is a security and confidentiality protocol; an SSL encrypted channel refers to an encrypted secure channel established between the browser and the web server. The user can use a browser to interact with the web interface module through the SSL encrypted channel in order to manage the system 100. As shown in Fig. 1, users may include, but are not limited to, administrators, auditors and operators.

In some optional implementations, as shown in Fig. 1, the plurality of vulnerability screening modules 110 may include an industrial control vulnerability screening module 111, a system vulnerability screening module 112, a web vulnerability screening module 113, a database security screening module 114, a security baseline screening module 115 and an APP vulnerability screening module 116.

The industrial control vulnerability screening module 111 can be used to perform vulnerability screening and analysis on pre-designated screening targets in the industrial control system and to generate a corresponding vulnerability analysis report. A pre-designated screening target may be a target specified by the user or a target determined by the system 100. The industrial control vulnerability screening module 111 supports remote, non-contact vulnerability screening, which can reduce the economic risk that industrial control vulnerabilities pose while the industrial control system is being screened.

In some optional implementations, the pre-designated screening target may be a specific device or system in the industrial control system. Specific devices or systems may include, but are not limited to, control systems such as supervisory control and data acquisition (SCADA) systems, distributed control systems (DCS) and programmable logic controllers (PLC).

In some optional implementations, the industrial control vulnerability screening module 111 can also screen and analyse the security vulnerabilities present in protocols such as Modbus TCP, the Modbus protocol carried over Ethernet Transmission Control Protocol/Internet Protocol (TCP/IP), and S7.
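As an added example (not code from the patent), the following Python shows the kind of protocol-level inspection an industrial-firewall-hosted screening module could apply to Modbus TCP traffic: it validates the MBAP header and flags write and diagnostic requests from hosts outside an engineering allow-list. The sample frames, addresses and allow-list are constructed for the example.

```python
"""Passive Modbus/TCP inspection of the kind an industrial-firewall-hosted
screening module could apply to captured traffic. Added example, not the
patent's code. Frame layout per the Modbus Messaging on TCP/IP spec:
  MBAP header: transaction id (2) | protocol id (2, always 0) | length (2) | unit id (1)
  PDU:         function code (1) | data
The 'length' field counts the unit id plus the PDU."""
import struct
from dataclasses import dataclass
from typing import Iterable, List, Set, Tuple

# Public function codes grouped by their effect on the device.
READ_CODES: Set[int] = {0x01, 0x02, 0x03, 0x04, 0x07, 0x14, 0x18}
WRITE_CODES: Set[int] = {0x05, 0x06, 0x0F, 0x10, 0x15, 0x16, 0x17}
# 0x08 (diagnostics, e.g. sub-function 0x0001 "restart communications") and
# 0x2B (encapsulated interface transport) alter or probe device state.
DIAG_CODES: Set[int] = {0x08, 0x2B}


@dataclass
class ModbusFrame:
    transaction_id: int
    protocol_id: int
    length: int
    unit_id: int
    function_code: int   # with the exception bit (0x80) stripped
    is_exception: bool
    data: bytes


def parse_modbus_tcp(payload: bytes) -> ModbusFrame:
    """Parse MBAP header + PDU, rejecting frames whose header is inconsistent."""
    if len(payload) < 8:
        raise ValueError("frame too short for MBAP header plus function code")
    tid, pid, length, uid = struct.unpack(">HHHB", payload[:7])
    if pid != 0:
        raise ValueError(f"protocol id {pid} is not Modbus (expected 0)")
    if length != len(payload) - 6:
        raise ValueError(f"length field {length} disagrees with frame size {len(payload) - 6}")
    fc = payload[7]
    return ModbusFrame(tid, pid, length, uid, fc & 0x7F, bool(fc & 0x80), payload[8:])


def classify(frame: ModbusFrame) -> str:
    """Return 'read', 'write', 'diagnostic' or 'unknown' for a parsed request."""
    if frame.function_code in READ_CODES:
        return "read"
    if frame.function_code in WRITE_CODES:
        return "write"
    if frame.function_code in DIAG_CODES:
        return "diagnostic"
    return "unknown"


def screen_frames(frames: Iterable[Tuple[str, bytes]], engineering_hosts: Set[str]) -> List[str]:
    """Produce findings for malformed frames, unknown function codes, and
    write/diagnostic requests that do not come from an allow-listed engineering host."""
    findings: List[str] = []
    for src, payload in frames:
        try:
            frame = parse_modbus_tcp(payload)
        except ValueError as err:
            findings.append(f"{src}: malformed frame ({err})")
            continue
        kind = classify(frame)
        if kind in ("write", "diagnostic") and src not in engineering_hosts:
            findings.append(f"{src}: {kind} request fc=0x{frame.function_code:02X} "
                            f"to unit {frame.unit_id} from non-engineering host")
        elif kind == "unknown":
            findings.append(f"{src}: unknown function code 0x{frame.function_code:02X}")
    return findings


# Constructed sample traffic and allow-list (not captured from any real plant).
ENGINEERING_HOSTS = {"10.0.0.5"}
SAMPLE_FRAMES = [
    ("10.0.0.5", bytes.fromhex("0001 0000 0006 01 03 0000 000A")),          # read holding registers
    ("10.0.0.9", bytes.fromhex("0002 0000 0006 01 06 0001 FFFF")),          # write single register
    ("10.0.0.9", bytes.fromhex("0003 0000 0006 01 08 0001 0000")),          # diagnostics: restart comms
    ("10.0.0.5", bytes.fromhex("0004 0000 0009 01 10 0000 0001 02 1234")),  # write multiple registers
    ("10.0.0.7", bytes.fromhex("0005 0001 0006 01 03 0000 0001")),          # wrong protocol id
]

if __name__ == "__main__":
    for finding in screen_frames(SAMPLE_FRAMES, ENGINEERING_HOSTS):
        print(finding)
```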

In some optional implementations, the industrial control vulnerability screening module 111 can also perform vulnerability screening on the information technology (IT) equipment or systems used in traditional industrial control systems.

The system vulnerability screening module 112 is used to perform vulnerability screening and analysis on operating systems, application services, databases and network devices, and to generate a corresponding vulnerability analysis report. Windows operating systems supported by the system vulnerability screening module 112 include, but are not limited to, NT, 2000, XP, 2003, Win7, Win10, 2008, 2012 and 2016. Supported Linux operating systems include, but are not limited to, Amazon Linux, CentOS, Debian, Fedora, Red Hat, SuSE and Ubuntu. Supported Unix operating systems include, but are not limited to, AIX, FreeBSD, HP-UX, Solaris and Mac OS X. Supported application services may include, but are not limited to, Microsoft Internet Explorer, PHP, IIS, Apache, Tomcat and Adobe Flash. Supported databases include, but are not limited to, Oracle, MySQL, SQL Server, DB2, Informix, MsSQL and Sybase. Supported virtualization platforms include, but are not limited to, VMware ESXi and XenServer. Supported security devices include Juniper and 网神, among others.

The system vulnerability screening module 112 may also include, but is not limited to, an intelligent service identification function, an authorized login screening function and a security-optimized screening function. For example, when intelligent service identification is enabled, the system vulnerability screening module 112 can determine, from the application services listed above, which application service the screening target actually is. When authorized login screening is enabled, the system vulnerability screening module 112 can begin vulnerability screening only after the user has authorized the login. When security-optimized screening is enabled, the system vulnerability screening module 112 gathers more screening data on top of the original screening and selects more precise and complex algorithms to screen the target.

It should be noted that while the system vulnerability screening module 112 is running, the other modules among the plurality of vulnerability screening modules 110 (for example the industrial control vulnerability screening module 111, the web vulnerability screening module 113, the database security screening module 114, the security baseline screening module 115 and the APP vulnerability screening module 116) do not run, because the system vulnerability screening module 112 screens the screening target as a whole, whereas the other screening modules each focus on one aspect. The screening results of the other modules are more accurate than those of the system vulnerability screening module 112; the results of the system vulnerability screening module 112 are more comprehensive than those of any single other module; and running the system vulnerability screening module 112 consumes fewer computing resources and less computing time than running the other screening modules simultaneously.

The web vulnerability screening module 113 is used to perform vulnerability screening and analysis on web applications and to generate a corresponding vulnerability analysis report. The web vulnerability screening module 113 supports screening for the OWASP Top 10 vulnerabilities, for example SQL injection, cross-site scripting (XSS), websites implanted with malicious code, web page trojans and CGI vulnerabilities. The OWASP Top 10 is established by the Open Web Application Security Project, which provides free articles and other information on web application security. Protocols supported by the web vulnerability screening module 113 may include, but are not limited to, Hypertext Transfer Protocol (HTTP) and HTTPS, where HTTPS is a network protocol built from HTTP plus the Transport Layer Security (TLS)/SSL protocol that provides encrypted transmission and identity authentication. Supported web servers may include, but are not limited to, IIS, WebSphere, WebLogic, Apache, Tomcat and Nginx. Supported programming languages may include, but are not limited to, ASP, JSP, .NET, J2EE and PHP. Supported database types may include, but are not limited to, Access, MySQL, Oracle, DB2, PostgreSQL, Sybase, Informix, SQLite and MSSQL Server. Supported third-party components may include, but are not limited to, WordPress, eWebEditor, FCKeditor, Struts2 and other third-party components common in China and abroad.

The web vulnerability screening module 113 can parse and screen JSON and Base64 data, and supports custom cookies for in-depth screening. The web vulnerability screening module 113 supports web vulnerability screening under authentication methods such as Basic authentication and cookies. The web vulnerability screening module 113 also supports passive screening and allows the user to enter URLs, so that URLs which conventional page crawlers cannot reach can be screened, enabling the user to discover security vulnerabilities in a website in time and avoid information security incidents.

The web vulnerability screening module 113 is also used to verify the web vulnerabilities it finds, using a web vulnerability verification mechanism. Specifically, the test packets observed while screening for a vulnerability can be recorded as evidence. For injection vulnerabilities, the database type can be identified automatically and the instance name/database name (InstanceName) and user name (UserName) obtained, which effectively reduces the false positive rate.

The database security screening module 114 is used to perform vulnerability screening and analysis on various databases and to generate a corresponding vulnerability analysis report. The databases include, but are not limited to, Oracle, MySQL, SQL Server, Sybase, DB2, Informix, PostgreSQL, Kingbase and Dameng (达梦). The vulnerability screening policies adopted by the database security screening module 114 may include, but are not limited to, privilege bypass vulnerabilities, SQL injection vulnerabilities and access control vulnerabilities.

The database security screening module 114 includes two vulnerability screening modes, namely authorized screening and unauthorized screening. The user can choose the screening mode for different scenarios (with or without authorization) and select the corresponding vulnerability screening policy to carry out security screening of the database. After screening is complete, a screening analysis report is generated automatically; it contains detailed descriptions of the vulnerabilities found and remediation suggestions, so that the user can discover security vulnerabilities in the database in time and safeguard the user's data.

The database security screening module 114 can also compare database objects, binary files and the like in order to identify potential trojans in the data centre.

The security baseline screening module 115 is used to perform vulnerability screening and analysis on the system baselines in the network currently being screened and to generate a corresponding vulnerability analysis report. The security baseline screening module 115 provides professional configuration hardening recommendations and compliance reports. Operating systems supported by the security baseline screening module 115 may include, but are not limited to, Windows, Linux (CentOS, Debian, Fedora, Red Hat, SuSE, Ubuntu, etc.), Unix (AIX, HP-UX, Solaris, etc.) and domestic Chinese operating systems (NeoKylin (中标麒麟), Red Flag (红旗), etc.). Supported middleware may include, but is not limited to, IIS, Apache, Tomcat, WebLogic, WebSphere, Nginx, JBoss and Resin. Supported databases may include, but are not limited to, Oracle, MySQL, DB2, Informix, MSSQL and Sybase. Supported virtualization platforms may include, but are not limited to, VMware ESXi and XenServer. Supported security devices may include, but are not limited to, Juniper and 网神.

The security baseline screening module 115 supports remote login to systems for baseline screening over a variety of protocols, which may include, but are not limited to, Server Message Block (SMB), Telnet and Secure Shell (SSH). The security baseline screening module 115 supports agent-based local screening and provides a dedicated Windows configuration checking tool. The security baseline screening module 115 supports baseline screening of both online and offline devices. The baseline screening process only inspects the system configuration and makes no changes to it, which ensures business continuity and business security, makes security configuration maintenance orderly, simple and easy to operate, and helps the user to discover insecure configurations in the information system in time, raising the security protection level of the target system.
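As an added example, not the patent's own baseline or code, the following Python performs the kind of read-only configuration check described above against a constructed sshd_config: it resolves the effective settings the way sshd does (first occurrence of a keyword wins, Match blocks are conditional), compares them with an illustrative rule set, and produces hardening recommendations and a compliance summary without touching the configuration.

```python
"""Read-only baseline check of an sshd_config, illustrating the screening
described above: inspect configuration, change nothing, and emit findings
with a hardening recommendation plus a compliance summary.
Added example; the rule set is illustrative, not the patent's baseline."""
from dataclasses import dataclass
from typing import Callable, Dict, List


@dataclass
class Rule:
    key: str                      # sshd_config keyword
    check: Callable[[str], bool]  # True when the effective value is compliant
    expected: str                 # wording for the recommendation
    default: str                  # value sshd uses when the keyword is absent


# Illustrative baseline. Defaults follow sshd_config(5), so an omitted
# directive is judged by the value the daemon would actually apply.
RULES: List[Rule] = [
    Rule("PermitRootLogin", lambda v: v == "no", "no", "prohibit-password"),
    Rule("PasswordAuthentication", lambda v: v == "no", "no", "yes"),
    Rule("PermitEmptyPasswords", lambda v: v == "no", "no", "no"),
    Rule("X11Forwarding", lambda v: v == "no", "no", "no"),
    Rule("MaxAuthTries", lambda v: v.isdigit() and int(v) <= 4, "4 or fewer", "6"),
    Rule("LogLevel", lambda v: v.upper() in {"INFO", "VERBOSE"}, "INFO or VERBOSE", "INFO"),
]


def parse_sshd_config(text: str) -> Dict[str, str]:
    """Return the effective global keyword -> value map.
    sshd honours the FIRST occurrence of a keyword and ignores later duplicates,
    and directives after a Match line apply conditionally, so the parser skips them."""
    effective: Dict[str, str] = {}
    in_match = False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments (simplification: any '#')
        if not line:
            continue
        parts = line.replace("=", " ", 1).split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            in_match = True
            continue
        if not in_match:
            effective.setdefault(key, value)
    return effective


@dataclass
class Finding:
    key: str
    observed: str
    recommendation: str


def check_baseline(text: str, rules: List[Rule] = RULES) -> List[Finding]:
    """Evaluate every rule against the effective configuration; never writes anything."""
    cfg = parse_sshd_config(text)
    findings: List[Finding] = []
    for rule in rules:
        k = rule.key.lower()
        observed = cfg.get(k, rule.default)
        if not rule.check(observed):
            source = "explicit" if k in cfg else "default"
            findings.append(Finding(rule.key, f"{observed} ({source})",
                                    f"set {rule.key} {rule.expected}"))
    return findings


def compliance_summary(findings: List[Finding], rules: List[Rule] = RULES) -> Dict[str, int]:
    """Pass/fail counts and a percentage score for the compliance report."""
    passed = len(rules) - len(findings)
    return {"checked": len(rules), "passed": passed, "failed": len(findings),
            "score_pct": round(100 * passed / len(rules))}


# Constructed sample configuration (not taken from any real host).
SAMPLE_CONFIG = """
# sshd_config of a constructed engineering workstation
Port 22
PermitRootLogin yes
PermitRootLogin no            # ignored by sshd: first value wins
MaxAuthTries 10
X11Forwarding no
Match User backup
    PasswordAuthentication no # conditional, not the global setting
"""

if __name__ == "__main__":
    results = check_baseline(SAMPLE_CONFIG)
    for f in results:
        print(f"{f.key}: observed {f.observed}; recommendation: {f.recommendation}")
    print(compliance_summary(results))
```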

The APP vulnerability screening module 116 is used to perform vulnerability screening and analysis on apps by static analysis and to generate a corresponding vulnerability analysis report. Static analysis can accurately discover security risks in an Android application package (APK), such as component security, configuration security, data security and malicious behaviour, thereby greatly improving the security of mobile apps and avoiding business losses caused by app vulnerabilities.

In some optional implementations, the multiple vulnerability screening modules 110 also include a WIFI security screening module, which is used to perform vulnerability screening and analysis on WIFI wireless networks and to generate a corresponding vulnerability analysis report. Specifically, it can identify access points and WIFI channels and discover information such as the Service Set Identifier (SSID), hardware vendor and MAC address of each access point, as well as the MAC addresses of the clients connected to each wireless node. In addition, the multiple vulnerability screening modules 110 can perform weak-password screening on WIFI and generate a vulnerability analysis report.

In some optional implementations, the multiple vulnerability screening modules 110 also include a big data vulnerability screening module, which is used to perform vulnerability screening and security compliance checks on big data components and to generate a statistical analysis report. The security configuration compliance checks may cover, but are not limited to, Hadoop, Spark, HBase, Solr and ES. The statistical analysis report provides detailed vulnerability descriptions and remediation suggestions, thereby improving the security compliance of each component of the big data platform.

In some optional implementations, after vulnerability screening has produced screening results, the multiple vulnerability screening modules 110 can each analyze the screening results in report and graphical form and generate the vulnerability analysis report corresponding to each module, where the report content includes vulnerability risk level, vulnerability category, vulnerability description, vulnerability type and vulnerability remediation. For each vulnerability, the industrial-firewall-based vulnerability screening system 100 provides records from international authoritative bodies, including Common Vulnerabilities and Exposures (CVE) identifiers, and links to the related vendor patches, so that administrators and ordinary users can quickly and accurately resolve security issues and obtain detailed information about a particular host or a particular vulnerability. Vulnerability analysis reports can be produced in executive, technician, security expert and custom report styles, and the output report format may include, but is not limited to, files with the .html, .doc, .docx or .pdf suffix. At the same time, the screening results can be correlated with the compliance library for information security classified protection (等级保护) to generate a classified protection evaluation report that meets the requirements of the standard.

In some optional implementations, the industrial-firewall-based vulnerability screening system 100 includes a stand-alone deployment management mechanism and a distributed management mechanism. The system 100 also includes a decision module which, when it detects that the current vulnerability screening network is a distributed network, determines that the system 100 uses the distributed management mechanism for vulnerability screening, or, when it detects that the current vulnerability screening network is not a distributed network, determines that the system 100 uses the stand-alone deployment management mechanism for vulnerability screening. As an example, the network topology of a stand-alone deployment is shown in FIG. 2 and the network topology of a distributed deployment is shown in FIG. 3. When the distributed management mechanism is used, a lower-level industrial-firewall-based vulnerability screening system uploads its screening results or screening analysis reports to the upper-level industrial-firewall-based vulnerability screening system. Alternatively, the lower-level system can upload the target information of the screening targets it has acquired to the upper-level system, so that the upper-level industrial-firewall-based vulnerability screening system performs the vulnerability screening and analysis centrally.

In some optional implementations, the industrial-firewall-based vulnerability screening system 100 also includes a Windows security hardening module, which is used to harden the Windows operating system; the hardening content may include, but is not limited to, configuration management, network management, access management, log auditing and malicious code prevention. Configuration management may include, but is not limited to, host configuration, user policy, identity authentication, patch management and software management. Network management may include, but is not limited to, service ports and the firewall. Access management may include, but is not limited to, peripheral management, autoplay, remote login and wireless network cards. Malicious code prevention may include, but is not limited to, data protection and antivirus software.

In some optional implementations, the industrial-firewall-based vulnerability screening system 100 also includes a screening preparation module, which is used to discover the screening targets in the current vulnerability screening network and the target information of those screening targets, where the target information is determined according to the screening target. Screening targets may include, but are not limited to, live hosts, network devices and databases in the current vulnerability screening network. Target information may include, but is not limited to, host name, IP address, port, operating system, software version, person in charge and region. The screening preparation module thus lays the groundwork for vulnerability screening.

In some optional implementations, the industrial-firewall-based vulnerability screening system 100 further includes a network topology generation module, which is used to generate a network topology map of the current vulnerability screening network, such as the one shown in FIG. 2 or FIG. 3. The network topology generation module is dynamic: users can modify it and run queries against it, for example to query the details of each asset. It supports asset export and import, which helps users quickly discover and inventory the information assets of the entire network and understand the security risk level of each asset.

The industrial-firewall-based vulnerability screening system provided by the embodiments of this application includes multiple vulnerability screening modules, and different modules can be used to screen different screening targets, so that the various weaknesses present in an industrial control system, such as security vulnerabilities, security configuration problems and non-compliant behaviour, can be screened comprehensively and accurately. The output vulnerability analysis report supplies the administrator with vulnerability analysis data before the industrial control system is compromised, so that the administrator can carry out professional and effective vulnerability analysis and patching.

Refer to FIG. 4, which is a schematic flowchart of the industrial-firewall-based vulnerability screening method provided by an embodiment of this application. The method can be applied to the industrial-firewall-based vulnerability screening system 100 shown in FIG. 1 and may include the following steps S110-S120.

Step S110: when the industrial-firewall-based vulnerability screening system discovers a screening target, it acquires the target information of the screening target, the target information being determined according to the screening target.

Here, a screening target is a device, system or protocol that requires vulnerability screening. As described above, screening targets may include, but are not limited to, live hosts, network devices and databases in the current vulnerability screening network.

There is a mapping between target information and screening targets, and the mapping may be one-to-one, one-to-many, many-to-one or many-to-many. The mapping can be preset and stored in the system, so that the target information corresponding to a screening target can be retrieved directly from the screening target. Target information may include, but is not limited to, host name, Internet Protocol (IP) address, port, operating system, software version, person in charge and region.

In some optional implementations, the industrial-firewall-based vulnerability screening system can sort the devices or systems connected to it in a preset order and select them as screening targets one after another in that order. The preset order can be set according to actual requirements; for example, it may be the order in which the devices or systems were connected.

In some optional implementations, the industrial-firewall-based vulnerability screening system can set different vulnerability screening cycles for the devices or systems connected to it and select screening targets from among them according to their screening cycle. The screening cycle can be set according to actual requirements; for example, it may be one day, one week or one month.

Step S120: the industrial-firewall-based vulnerability screening system performs vulnerability screening and analysis on the screening target according to the acquired target information, so as to determine whether the screening target has security vulnerabilities.

In some optional implementations, the industrial-firewall-based vulnerability screening system can determine the type of the screening target and use the vulnerability screening module corresponding to that type to screen and analyze it. For example, if the screening target is a database, the database security screening module is used to screen and analyze the database.

In some optional implementations, if there are multiple screening targets, the vulnerability screening modules corresponding to them can be run in parallel at the same time, each screening and analyzing its own target. For example, if the screening targets include a database, a WEB application and a system baseline, the database security screening module screens the database, the WEB vulnerability screening module screens the WEB application and the security baseline screening module screens the system baseline. This improves screening accuracy and efficiency.

In some optional implementations, after a screening target has been screened, a screening analysis report can be generated; further, the report can be delivered to the user by e-mail or telephone together with suggested preventive measures. If there are multiple screening targets, their priorities can be obtained and the screening analysis reports sent to the user in priority order. The priority can be customized; usually databases and operating systems have a higher priority than application services.
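Steps S110-S120 together with the optional per-target screening cycles, dispatch to the module matching the target type, parallel screening and priority-ordered reports can be sketched in Python as follows (added example written for this page, not the patent's code; the inventory, the stand-in screening modules and their findings, the cycle values and the priority table are all constructed assumptions).

```python
"""Screening orchestration for steps S110-S120 (added example, not the patent's code).
Inventory records, stand-in modules, cycles and priorities are constructed."""
from concurrent.futures import ThreadPoolExecutor
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Callable, Dict, List, Optional


@dataclass
class Target:
    """A discovered screening target and the attributes the page lists as target information."""
    name: str                 # host name
    kind: str                 # "database", "os", "web" or "baseline" (assumed type labels)
    ip: str
    port: int
    owner: str                # person in charge
    region: str
    cycle: timedelta          # per-target screening cycle (one day, one week, ...)
    last_screened: Optional[datetime] = None


# Constructed inventory, as the screening preparation module might discover it.
INVENTORY: List[Target] = [
    Target("hmi-db-01", "database", "10.10.1.5", 1433, "OT team", "plant-A", timedelta(days=1)),
    Target("eng-ws-02", "os", "10.10.1.20", 445, "OT team", "plant-A", timedelta(days=7),
           last_screened=datetime(2022, 10, 10)),
    Target("scada-web", "web", "10.10.1.30", 443, "IT team", "plant-A", timedelta(days=7),
           last_screened=datetime(2022, 10, 3)),
    Target("plc-gw-01", "baseline", "10.10.2.1", 22, "OT team", "plant-B", timedelta(days=30),
           last_screened=datetime(2022, 9, 1)),
]

# Report priority: databases and operating systems above application services (assumed values).
PRIORITY: Dict[str, int] = {"database": 0, "os": 0, "baseline": 1, "web": 2}


def target_info(t: Target) -> dict:
    """Step S110: derive the target information from the discovered target (one-to-one mapping)."""
    return {"host": t.name, "ip": t.ip, "port": t.port, "type": t.kind,
            "owner": t.owner, "region": t.region}


def due_targets(inventory: List[Target], now: datetime) -> List[Target]:
    """Select the targets whose screening cycle has elapsed; never-screened targets are due."""
    return [t for t in inventory
            if t.last_screened is None or now - t.last_screened >= t.cycle]


# Stand-in screening modules keyed by target type; each returns constructed findings.
def _database_module(info: dict) -> list:
    return [{"id": "weak-auth", "risk": "high"}]

def _os_module(info: dict) -> list:
    return [{"id": "missing-patch", "risk": "medium"}]

def _web_module(info: dict) -> list:
    return []                                   # nothing found on this target

def _baseline_module(info: dict) -> list:
    return [{"id": "root-ssh-login", "risk": "high"}]

MODULES: Dict[str, Callable[[dict], list]] = {
    "database": _database_module, "os": _os_module,
    "web": _web_module, "baseline": _baseline_module,
}


def screen_one(t: Target, now: datetime) -> dict:
    """Step S120: screen a single target with the module that matches its type."""
    info = target_info(t)
    module = MODULES.get(t.kind)
    if module is None:                          # unknown type: report, do not silently skip
        return {"target": info, "findings": [], "vulnerable": False,
                "error": f"no screening module for type {t.kind!r}"}
    findings = module(info)
    t.last_screened = now                       # restart this target's cycle
    return {"target": info, "findings": findings, "vulnerable": bool(findings)}


def run_screening(inventory: List[Target], now: datetime) -> List[dict]:
    """Screen all due targets in parallel and return the reports in priority order."""
    due = due_targets(inventory, now)
    with ThreadPoolExecutor(max_workers=4) as pool:
        reports = list(pool.map(lambda t: screen_one(t, now), due))
    return sorted(reports, key=lambda r: (PRIORITY.get(r["target"]["type"], 9),
                                          r["target"]["host"]))


if __name__ == "__main__":
    for report in run_screening(INVENTORY, datetime(2022, 10, 11)):
        print(report["target"]["host"], report["target"]["type"], report["findings"])
```

On the constructed inventory with the clock at 2022-10-11, eng-ws-02 is skipped because its weekly cycle has not elapsed, and the three remaining reports come out database first, then baseline, then web.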

The industrial-firewall-based vulnerability screening method provided by the embodiments of this application uses an industrial-firewall-based vulnerability screening system that includes multiple vulnerability screening modules, so that different modules can screen different screening targets and the various weaknesses present in an industrial control system, such as security vulnerabilities, security configuration problems and non-compliant behaviour, can be screened comprehensively and accurately. The output vulnerability analysis report supplies the administrator with vulnerability analysis data before the industrial control system is compromised, so that the administrator can carry out professional and effective vulnerability analysis and patching.

In summary, the embodiments of this application provide an industrial-firewall-based vulnerability screening system and method in the technical field of industrial control security. The system includes multiple vulnerability screening modules, and different modules can be used to screen different screening targets, so that the various weaknesses present in an industrial control system, such as security vulnerabilities, security configuration problems and non-compliant behaviour, can be screened comprehensively and accurately. The output vulnerability analysis report supplies the administrator with vulnerability analysis data before the industrial control system is compromised, so that the administrator can carry out professional and effective vulnerability analysis and patching.

Finally, it should be noted that the above embodiments are only intended to illustrate the technical solutions of this application, not to limit them. Although this application has been described in detail with reference to the foregoing embodiments, those skilled in the art should understand that the technical solutions described in the foregoing embodiments may still be modified, or some of their technical features replaced by equivalents, and that such modifications or replacements do not cause the essence of the corresponding technical solutions to depart from the spirit and scope of the technical solutions of the embodiments of this application.

Claims (10)

1. A vulnerability screening system based on an industrial firewall, characterized in that it comprises:
    multiple vulnerability screening modules, different vulnerability screening modules having different screening functions;
    a data management module, connected to the multiple vulnerability screening modules, for managing the vulnerability analysis reports uploaded by the multiple vulnerability screening modules;
    a web interface module, connected to the multiple vulnerability screening modules and to the data management module respectively, which outputs the vulnerability analysis report to the user through an SSL-encrypted channel and a browser.

2. The system according to claim 1, characterized in that the multiple vulnerability screening modules comprise an industrial control vulnerability screening module, a system vulnerability screening module, a WEB vulnerability screening module, a database security screening module, a security baseline screening module and an APP vulnerability screening module, wherein:
    the industrial control vulnerability screening module is used to perform vulnerability screening and analysis on pre-designated screening targets in the industrial control system and to generate a corresponding vulnerability analysis report;
    the system vulnerability screening module is used to perform vulnerability screening and analysis on operating systems, application services, databases and network devices and to generate a corresponding vulnerability analysis report; while the system vulnerability screening module is running, the other modules among the multiple vulnerability screening modules do not run;
    the WEB vulnerability screening module is used to perform vulnerability screening and analysis on WEB applications and to generate a corresponding vulnerability analysis report, and is further used to verify the detected WEB vulnerabilities using a WEB vulnerability verification mechanism;
    the database security screening module is used to perform vulnerability screening and analysis on various databases and to generate a corresponding vulnerability analysis report;
    the security baseline screening module is used to perform vulnerability screening and analysis on the system baseline of the current vulnerability screening network and to generate a corresponding vulnerability analysis report;
    the APP vulnerability screening module is used to perform vulnerability screening and analysis on apps by static analysis and to generate a corresponding vulnerability analysis report.

3. The system according to claim 1, characterized in that the multiple vulnerability screening modules further comprise a WIFI security screening module, which is used to perform vulnerability screening and analysis on WIFI wireless networks and to generate a corresponding vulnerability analysis report.

4. The system according to claim 1, characterized in that the multiple vulnerability screening modules further comprise a big data vulnerability screening module, which is used to perform vulnerability screening and security compliance checks on big data components and to generate a statistical analysis report.

5. The system according to any one of claims 2-4, characterized in that, after vulnerability screening has produced screening results, the multiple vulnerability screening modules each analyze the screening results in report and graphical form and generate the vulnerability analysis report corresponding to each module, where the report content includes vulnerability risk level, vulnerability category, vulnerability description, vulnerability type and vulnerability remediation.

6. The system according to claim 1, characterized in that the industrial-firewall-based vulnerability screening system includes a stand-alone deployment management mechanism and a distributed management mechanism, and further includes a decision module which, when it detects that the current vulnerability screening network is a distributed network, determines that the industrial-firewall-based vulnerability screening system uses the distributed management mechanism for vulnerability screening, or, when it detects that the current vulnerability screening network is not a distributed network, determines that the industrial-firewall-based vulnerability screening system uses the stand-alone deployment management mechanism for vulnerability screening.

7. The system according to claim 1, characterized in that the industrial-firewall-based vulnerability screening system further includes a Windows security hardening module, which is used to harden the Windows operating system, the hardening content including configuration management, network management, access management, log auditing and malicious code prevention.

8. The system according to claim 1, characterized in that the industrial-firewall-based vulnerability screening system further includes a screening preparation module, which is used to discover the screening targets in the current vulnerability screening network and the target information of those screening targets, the target information being determined according to the screening target.

9. The system according to claim 1, characterized in that the industrial-firewall-based vulnerability screening system further includes a network topology generation module, which is used to generate a network topology map of the current vulnerability screening network.

10. A vulnerability screening method based on an industrial firewall, characterized in that it comprises:
    when the industrial-firewall-based vulnerability screening system according to any one of claims 1-9 discovers a screening target, the industrial-firewall-based vulnerability screening system acquires the target information of the screening target, the target information being determined according to the screening target;
    the industrial-firewall-based vulnerability screening system performs vulnerability screening and analysis on the screening target according to the acquired target information, so as to determine whether the screening target has security vulnerabilities.
CN202211241162.5A 2022-10-11 2022-10-11 Vulnerability screening system and method based on industrial firewall Pending CN115378734A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202211241162.5A CN115378734A (en) 2022-10-11 2022-10-11 Vulnerability screening system and method based on industrial firewall

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202211241162.5A CN115378734A (en) 2022-10-11 2022-10-11 Vulnerability screening system and method based on industrial firewall

Publications (1)

Publication Number Publication Date
CN115378734A true CN115378734A (en) 2022-11-22

Family

ID=84072859

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202211241162.5A Pending CN115378734A (en) 2022-10-11 2022-10-11 Vulnerability screening system and method based on industrial firewall

Country Status (1)

Country Link
CN (1) CN115378734A (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115695044A (en) * 2022-11-29 2023-02-03 贵州电网有限责任公司 IT asset safety control platform and management method

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108737425A (en) * 2018-05-24 2018-11-02 北京凌云信安科技有限公司 Fragility based on multi engine vulnerability scanning association analysis manages system
CN113704767A (en) * 2021-08-10 2021-11-26 北京凌云信安科技有限公司 Vulnerability scanning engine and vulnerability worksheet management fused vulnerability management system


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20221122