CN115378734A - Vulnerability screening system and method based on industrial firewall - Google Patents
- Publication number
- CN115378734A (application number CN202211241162.5A)
- Authority
- CN
- China
- Prior art keywords
- screening
- vulnerability
- module
- security
- modules
- Legal status
- Pending
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1433—Vulnerability analysis
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/57—Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
- G06F21/577—Assessing vulnerabilities and evaluating computer system security
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/02—Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/16—Implementing security features at a particular protocol layer
- H04L63/168—Implementing security features at a particular protocol layer above the transport layer
Abstract
The embodiments of this application provide a vulnerability screening system and method based on an industrial firewall, in the technical field of industrial control security. The system comprises a plurality of vulnerability screening modules, each of which screens a different kind of screening target. Together they can comprehensively and accurately screen the various vulnerability problems present in an industrial control system, such as security vulnerabilities, security configuration problems and non-compliant behaviour, and deliver vulnerability analysis data to the administrator in an output vulnerability analysis report before the industrial control system is damaged, so that the administrator can carry out professional and effective vulnerability analysis and repair.
Description
Technical Field
The embodiments of this application relate to the technical field of industrial control security, and in particular to a vulnerability screening system and method based on an industrial firewall.
Background
With the development of industrial technology, industrial control systems occupy a significant position in industrial informatization. They are widely used in high-end manufacturing, electric power, energy, transportation, water conservancy and other sectors. Industrial control systems are an important component of national critical infrastructure and information systems, and are also targets of attack by international adversarial forces and hackers.
For example, Havex, a new type of attack specific to industrial control systems, appeared in 2014; it has many variants and is highly harmful. As another example, in March 2019 the Venezuelan power system suffered a large-scale national grid outage. Such industrial control security incidents are the result of an attacker exploiting a "hole" (a vulnerability) in the industrial control system to attack the system as a whole. It can be seen that, for critical infrastructure, how to find vulnerabilities before an attacker does is an urgent problem to be solved.
Disclosure of Invention
The embodiments of this application provide a vulnerability screening system and method based on an industrial firewall in order to address these problems.
In a first aspect, an embodiment of the present application provides a vulnerability screening system based on an industrial firewall. The system comprises: a vulnerability screening module, which consists of a plurality of vulnerability screening modules with different screening functions; a data management module, connected to the vulnerability screening module, for managing the vulnerability analysis reports uploaded by the vulnerability screening module; and a web interface module, connected to both the vulnerability screening module and the data management module, which interacts with the user through an SSL encrypted channel and a browser.
In a second aspect, an embodiment of the present application provides a vulnerability screening method based on an industrial firewall, applied to the vulnerability screening system above. The method comprises the following steps: when the vulnerability screening system finds a screening target, it acquires target information about that screening target, the target information being determined according to the screening target; and the vulnerability screening system screens and analyzes the screening target for vulnerabilities according to the acquired target information, in order to determine whether the screening target has a security vulnerability.
In summary, the embodiments of this application provide a vulnerability screening system and method based on an industrial firewall. The system comprises a plurality of vulnerability screening modules, each of which screens a different kind of screening target, so that the various vulnerability problems present in an industrial control system, such as security vulnerabilities, security configuration problems and non-compliant behaviour, can be screened comprehensively and accurately. Vulnerability analysis data is delivered to the administrator in an output vulnerability analysis report before the industrial control system is damaged, so that the administrator can carry out professional and effective vulnerability analysis and repair.
Drawings
To illustrate the technical solutions in the embodiments of the present application more clearly, the drawings needed in the description of the embodiments are briefly introduced below. The drawings in the following description show only some embodiments of the present application; those skilled in the art can obtain other drawings from them without creative effort.
FIG. 1 is a block diagram of a mechanism of an industrial firewall-based vulnerability screening system according to an embodiment of the present application;
FIG. 2 is a schematic diagram illustrating a network topology under a standalone deployment management mechanism according to an exemplary embodiment of the present application;
FIG. 3 is a schematic diagram of a network topology under a distributed management mechanism provided by an exemplary embodiment of the present application;
FIG. 4 is a schematic flowchart of a vulnerability screening method based on an industrial firewall according to an embodiment of the present application.
Detailed Description
In order to make the technical solutions better understood by those skilled in the art, the technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application.
Referring to FIG. 1, which is a block diagram of the mechanism of an industrial firewall-based vulnerability screening system according to an embodiment of the present disclosure, the industrial firewall-based vulnerability screening system 100 includes a plurality of vulnerability screening modules 110, a data management module 120 and a web interface module 130, connected to each other. The system 100 adopts a Browser/Server (B/S) management mode and runs on a Linux system. It comprises a business library, a knowledge library and a compliance library; these databases are called during the vulnerability screening process, and their contents can be dynamically set and changed according to actual requirements. The system 100 is deployed on a single link of a core switch.
The individual modules of the plurality of vulnerability screening modules 110 have different screening functions. They may each perform vulnerability screening and analysis on their respective screening targets and generate a vulnerability analysis report for each module. The vulnerability screening modules 110 may send the vulnerability analysis reports to the data management module 120, which stores and manages them for later review or retrieval. The vulnerability screening modules 110 may also send the vulnerability analysis reports to the user at the same time, so that the user can perform corresponding operations, such as patching, based on them.
The data management module 120 is connected to the vulnerability screening modules 110 and is configured to manage the vulnerability analysis reports uploaded by the vulnerability screening modules 110. Referring to FIG. 1, the data management module 120 may include a report management sub-module used for report management.
In some alternative embodiments, the data management module 120 may include a plurality of management submodules, each managing a different kind of system data. The management submodules may be set according to actual management requirements; as an example, as shown in FIG. 1, the data management module 120 may include submodules for log management, asset management, task management, report management, system management, upgrade management, and the like. Each management submodule may independently manage its data and perform the corresponding decision operations. For example, an upgrade period may be set in the upgrade management submodule. After the industrial firewall-based vulnerability screening system 100 is deployed or upgraded, the upgrade management submodule can start a timer, and when the elapsed time reaches the upgrade period it upgrades the vulnerability library and the software, either online over the network or locally from a local data packet. This keeps the system 100 up to date and accurate and improves system security.
The web interface module 130 is connected to the vulnerability screening modules 110 and the data management module 120 respectively. It outputs the vulnerability analysis reports to the user through a Secure Sockets Layer (SSL) encrypted channel and a web browser. SSL is a security protocol; the SSL encrypted channel is an encrypted secure channel established between the browser and the web server. A user may interact with the web interface module over the SSL encrypted channel using a browser, which facilitates user management of the industrial firewall-based vulnerability screening system 100. As shown in FIG. 1, users may include, but are not limited to, administrators, auditors and operators.
In some optional embodiments, as shown in FIG. 1, the plurality of vulnerability screening modules 110 may include an industrial control vulnerability screening module 111, a system vulnerability screening module 112, a WEB vulnerability screening module 113, a database security screening module 114, a security baseline screening module 115 and an APP vulnerability screening module 116.
The industrial control vulnerability screening module 111 may be configured to perform vulnerability screening and analysis on a pre-specified screening target in the industrial control system and to generate a corresponding vulnerability analysis report. The pre-specified screening target may be specified by the user or determined by the industrial firewall-based vulnerability screening system 100. The industrial control vulnerability screening module 111 supports remote, non-contact vulnerability screening, which reduces the economic risk posed by industrial control vulnerabilities while the security vulnerabilities of an industrial control system are being screened.
In some alternative embodiments, the pre-specified screening target may be a particular device or system in an industrial control system, which may include, but is not limited to, Supervisory Control And Data Acquisition (SCADA) systems, Distributed Control Systems (DCS), Programmable Logic Controllers (PLC) and other control systems.
In some optional embodiments, the industrial control vulnerability screening module 111 may also screen and analyze security vulnerabilities in industrial protocols carried over Ethernet TCP/IP (Transmission Control Protocol/Internet Protocol), such as Modbus, Modbus TCP and S7.
In some optional embodiments, the industrial control vulnerability screening module 111 may also perform vulnerability screening on Information Technology (IT) equipment or systems used in conventional industrial control systems.
The system vulnerability screening module 112 is used to screen and analyze vulnerabilities of operating systems, application services, databases and network devices, and to generate a corresponding vulnerability analysis report. The Windows operating systems supported by the system vulnerability screening module 112 include, but are not limited to, NT, 2000, XP, 2003, Win7, Win10, 2008, 2012 and 2016. The Linux operating systems supported include, but are not limited to, Amazon Linux, CentOS, Debian, Fedora, Red Hat, SuSE and Ubuntu. The Unix operating systems supported include, but are not limited to, AIX, FreeBSD, HP-UX, Solaris and Mac OS X. The application services supported may include, but are not limited to, Microsoft Internet Explorer, PHP, IIS, Apache, Tomcat and Adobe Flash. The databases supported include, but are not limited to, Oracle, MySQL, SQL Server, DB2, Informix, MSSQL and Sybase. The virtualization platforms supported include, but are not limited to, VMware ESXi and XenServer. The security devices supported include Juniper, NetServer, and the like.
The system vulnerability screening module 112 may also provide, but is not limited to, an intelligent service identification function, an authorized login screening function and a security optimization screening function. For example, when the intelligent service identification function is enabled, the system vulnerability screening module 112 can determine which of the application services the screening target actually belongs to. When the authorized login screening function is enabled, the system vulnerability screening module 112 only starts vulnerability screening after the user has authorized the login. When the security optimization screening function is enabled, the system vulnerability screening module 112 obtains more screening data than in ordinary vulnerability screening and selects a more precise and more complex algorithm to screen the target for vulnerabilities.
It should be noted that when the system vulnerability screening module 112 runs, the other modules among the plurality of vulnerability screening modules 110 (for example, the industrial control vulnerability screening module 111, the WEB vulnerability screening module 113, the database security screening module 114, the security baseline screening module 115 and the APP vulnerability screening module 116) do not run, because the system vulnerability screening module 112 screens the screening target as a whole, whereas each of the other screening modules focuses on one aspect. Compared with the system vulnerability screening module 112, the other screening modules are more accurate; compared with any single other module, the screening results of the system vulnerability screening module 112 are more comprehensive, and it consumes fewer computing resources and takes less time than running the other screening modules simultaneously.
The WEB vulnerability screening module 113 is configured to screen and analyze vulnerabilities of web applications and to generate a corresponding vulnerability analysis report. It supports screening for the OWASP Top 10 vulnerabilities, for example SQL injection, cross-site scripting (XSS), website trojans, web page trojans and CGI vulnerabilities. The OWASP Top 10 is published by the Open Web Application Security Project, which provides articles and other information on web application security free of charge. The protocols supported by the WEB vulnerability screening module 113 may include, but are not limited to, Hypertext Transfer Protocol (HTTP) and HTTPS, where HTTPS is HTTP carried over the Transport Layer Security (TLS) protocol or the SSL protocol and thus provides encrypted transmission and identity authentication. The web servers supported may include, but are not limited to, IIS, WebSphere, WebLogic, Apache, Tomcat and Nginx. The programming languages supported may include, but are not limited to, ASP, JSP, .NET, J2EE and PHP. The database types supported may include, but are not limited to, Access, MySQL, Oracle, DB2, PostgreSQL, Sybase, Informix, SQLite and MSSQL Server. The third-party components supported may include, but are not limited to, common components at home and abroad, such as WordPress, WebEditor, FCKeditor and Struts 2.
The WEB vulnerability screening module 113 can analyze and screen JSON and Base64 data, and supports in-depth screening of custom Cookies. It supports web vulnerability screening under authentication modes such as Basic authentication and Cookie-based authentication. It also supports passive screening and allows the user to enter URLs, so that URLs which conventional page crawling software cannot reach can still be screened; users can thus find security vulnerabilities in their websites in time and avoid information security incidents.
The WEB vulnerability screening module 113 is further configured to verify the screened web vulnerabilities through a web vulnerability verification mechanism. Specifically, the test data packets sent during vulnerability screening can be recorded for evidence collection. For SQL injection vulnerabilities, the database type can be identified automatically and the instance name/database name (InstanceName) and user name (UserName) obtained, which effectively reduces the false alarm rate.
The database security screening module 114 is configured to perform vulnerability screening and analysis on various databases and to generate corresponding vulnerability analysis reports. The databases include, but are not limited to, Oracle, MySQL, SQL Server, Sybase, DB2, Informix, PostgreSQL, Kingbase and Dameng. The vulnerability screening policies adopted by the database security screening module 114 may include, but are not limited to, privilege bypass vulnerabilities, SQL injection vulnerabilities and access control vulnerabilities.
The database security screening module 114 provides two vulnerability screening methods: authorized screening and unauthorized screening. The user selects the screening mode according to the situation (whether authorized or not) and the corresponding vulnerability screening strategy to perform the security screening of the database. After screening finishes, a screening analysis report is generated automatically, containing a detailed description of the vulnerabilities found and repair suggestions, so that the user can find security vulnerabilities in the database in time and safeguard data security.
The database security screening module 114 may also determine potential trojan horses in the data center by comparing database objects with binary files and the like.
The security baseline screening module 115 is configured to perform vulnerability screening and analysis on the system baselines in the current vulnerability screening network and to generate a corresponding vulnerability analysis report. It provides professional configuration reinforcement recommendations and compliance reports. The operating systems supported by the security baseline screening module 115 may include, but are not limited to, Windows, Linux (CentOS, Debian, Fedora, Red Hat, SuSE, Ubuntu, etc.), Unix (AIX, HP-UX, Solaris, etc.) and domestic operating systems (NeoKylin, Red Flag, etc.). The middleware supported may include, but is not limited to, IIS, Apache, Tomcat, WebLogic, WebSphere, Nginx, JBoss and Resin. The databases supported may include, but are not limited to, Oracle, MySQL, DB2, Informix, MSSQL and Sybase. The virtualization platforms supported may include, but are not limited to, VMware ESXi and XenServer. The security devices supported may include, but are not limited to, Juniper, among others.
The security baseline screening module 115 supports baseline screening by remotely logging into the system over a number of protocols, which may include, but are not limited to, Server Message Block (SMB), Telnet and Secure Shell (SSH). It supports local screening through an agent and provides a dedicated Windows configuration checking tool. It supports baseline screening of both online and offline devices. The baseline screening process only reads the configuration of the system and does not modify it, which preserves service continuity and service security, makes maintenance of the security configuration orderly, simple and easy to operate, helps users find insecure configurations in the information system in time, and raises the security protection level of the target system.
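A read-only baseline check of the kind described above, written here as an added example (not the patent's code): the baseline rules and the sshd_config sample are constructed for this illustration, and the checker only reads configuration text and produces findings with reinforcement recommendations, never modifying the target.

```python
"""Read-only security baseline check over a captured sshd_config.

Added example, not the patent's code. The baseline rules and the sample
configuration are constructed; the checker never writes to the target.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    key: str               # sshd keyword, matched case-insensitively
    allowed: frozenset     # acceptable values, lower-cased
    severity: str          # high / medium / low
    advice: str            # configuration reinforcement recommendation


@dataclass(frozen=True)
class Finding:
    key: str
    observed: str          # value found, or "<not set>"
    severity: str
    advice: str


# Constructed baseline (an assumption for this example, not the patent's library).
BASELINE = (
    Rule("PermitRootLogin", frozenset({"no"}), "high",
         "Set PermitRootLogin no and use sudo for administration."),
    Rule("PermitEmptyPasswords", frozenset({"no"}), "high",
         "Set PermitEmptyPasswords no explicitly."),
    Rule("PasswordAuthentication", frozenset({"no"}), "medium",
         "Disable password logins in favour of key-based authentication."),
    Rule("MaxAuthTries", frozenset({"1", "2", "3", "4"}), "medium",
         "Limit MaxAuthTries to 4 or fewer."),
    Rule("X11Forwarding", frozenset({"no"}), "low",
         "Disable X11 forwarding unless it is required."),
)

# Constructed sample configuration; not captured from any real host.
SAMPLE_SSHD_CONFIG = """\
# sshd_config (constructed sample)
Port 22
PermitRootLogin yes
PasswordAuthentication yes
PermitRootLogin no        # ignored by sshd: the first occurrence wins
X11Forwarding no
MaxAuthTries 6
"""


def parse_sshd_config(text: str) -> dict:
    """Return {lower-cased keyword: value}. OpenSSH applies the first
    occurrence of a keyword, so later duplicates are ignored here as well
    (Match blocks are not handled in this example)."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            settings.setdefault(parts[0].lower(), parts[1].strip())
    return settings


def check_baseline(settings: dict, rules=BASELINE) -> list:
    """Compare parsed settings against the baseline. A keyword that is not
    set at all is reported too: the check must not rely on sshd defaults."""
    findings = []
    for rule in rules:
        observed = settings.get(rule.key.lower(), "<not set>")
        if observed.lower() not in rule.allowed:
            findings.append(Finding(rule.key, observed, rule.severity, rule.advice))
    return findings


def compliance_report(findings: list, rules=BASELINE) -> dict:
    """Summarise the check the way a compliance report would: counts per
    severity, the share of rules that passed, and the recommendations."""
    by_severity = {"high": 0, "medium": 0, "low": 0}
    for f in findings:
        by_severity[f.severity] += 1
    checked, failed = len(rules), len(findings)
    return {
        "checked": checked,
        "failed": failed,
        "compliance_pct": round(100.0 * (checked - failed) / checked, 1),
        "by_severity": by_severity,
        "recommendations": [f"{f.key}={f.observed}: {f.advice}" for f in findings],
    }


if __name__ == "__main__":
    result = compliance_report(check_baseline(parse_sshd_config(SAMPLE_SSHD_CONFIG)))
    for line in result["recommendations"]:
        print(line)
    print(f"compliance: {result['compliance_pct']}%")
```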
The APP vulnerability screening module 116 is configured to perform vulnerability screening and analysis on the APP in a static analysis manner, and generate a corresponding vulnerability analysis report. By adopting a static analysis mode, the safety risks such as component safety, configuration safety, data safety and malicious behaviors existing in an Android Application Package (APK) can be accurately found, so that the safety of the mobile APP is greatly improved, and the service loss caused by APP loopholes is avoided.
In some optional embodiments, the plurality of vulnerability screening modules 110 further includes a WIFI security screening module. And the WIFI security screening module is used for screening and analyzing the vulnerabilities of the WIFI wireless network and generating a corresponding vulnerability analysis report. Specifically, the access point and the WIFI channel may be identified, and information such as a server Identifier (SSID), a hardware manufacturer, and an MAC address and information such as an MAC address corresponding to a client connected to each wireless node may be searched. In addition, a plurality of vulnerability screening modules 110 can also screen WIFI for weak passwords and generate vulnerability analysis reports.
In some optional embodiments, the plurality of vulnerability screening modules 110 further includes a big-data vulnerability screening module. The big data vulnerability screening module is used for carrying out vulnerability screening and safety compliance inspection on the big data assembly and generating a statistical analysis report. The security configuration compliance checks may include, but are not limited to, hadoop, spark, hbase, solr, ES, and the like. By generating a statistical analysis report, detailed vulnerability description and vulnerability repair suggestions can be provided, so that the safety compliance of each component of the strong data platform is improved.
In some optional embodiments, after generating the screening result by screening the vulnerability, the plurality of vulnerability screening modules 110 may respectively analyze the screening result in the form of a report and a graph, and generate vulnerability analysis reports corresponding to the plurality of vulnerability screening modules 110, where the report content includes vulnerability risk level, vulnerability category, vulnerability description, vulnerability type, and vulnerability solution. The industrial firewall-based vulnerability screening system 100 provides international authority records including public vulnerability and exposure (CVE) number support and a link related to vendor patches related to Vulnerabilities, so that administrators and general users can quickly and accurately solve various security problems, and users can specifically know detailed information of a certain host or a certain vulnerability. The vulnerability analysis report can provide styles of administrative staff, technicians, security experts, custom reports and the like, and the format of the output vulnerability analysis report can include, but is not limited to, a file format suffixed with html,. Doc,. Docx or. Pdf, and the like. Meanwhile, the screening result and a compliance library for information security level protection can be subjected to correlation analysis, and a level protection evaluation report meeting the standard requirement is generated.
In some optional embodiments, the industrial firewall-based vulnerability screening system 100 includes a stand-alone deployment management mechanism and a distributed management mechanism. The industrial firewall-based vulnerability screening system 100 further comprises a decision module, which is used for determining that the industrial firewall-based vulnerability screening system 100 screens vulnerabilities using the distributed management mechanism when the current vulnerability screening network is a distributed network, or that it screens vulnerabilities using the stand-alone deployment management mechanism when the current vulnerability screening network is not a distributed network. As an example, a network topology using the stand-alone deployment management mechanism is shown in FIG. 2, and a network topology using the distributed management mechanism is shown in FIG. 3. When the distributed management mechanism is adopted, a lower-level industrial firewall-based vulnerability screening system uploads its screening results or screening analysis reports to the upper-level industrial firewall-based vulnerability screening system. Alternatively, the lower-level industrial firewall-based vulnerability screening system can upload the acquired target information of the screening targets to the upper-level industrial firewall-based vulnerability screening system, so that the upper-level system performs the vulnerability screening and analysis operations in a unified manner.
In some optional embodiments, the industrial firewall-based vulnerability screening system 100 further includes a Windows security reinforcement module, which is used for performing security reinforcement (hardening) on a Windows operating system. The reinforcement content may include, but is not limited to, configuration management, network management, access management, log audit, malicious code prevention, and the like. Configuration management may include, but is not limited to, host configuration, user policy, authentication, patch management, software management, and the like. Network management may include, but is not limited to, service ports, firewalls, and the like. Access management may include, but is not limited to, peripheral management, auto-play, telnet, wireless network cards, and the like. Malicious code prevention may include, but is not limited to, data protection, anti-virus software, and the like.
In some optional embodiments, the industrial firewall-based vulnerability screening system 100 further includes a screening preparation module, which is configured to discover screening targets in the current vulnerability screening network together with the target information of each screening target, where the target information is determined according to the screening target. The screening targets may include, but are not limited to, live hosts, network devices, databases, and the like in the current vulnerability screening network. The target information may include, but is not limited to, host name, IP address, port, operating system, software version, responsible person, region, and the like. The screening preparation module thus lays the groundwork for vulnerability screening.
In some optional embodiments, the industrial firewall-based vulnerability screening system 100 further includes a network topology generation module, which is configured to generate a network topology map of the current vulnerability screening network. The network topology may be as shown in FIG. 2 or FIG. 3. The network topology generation module is dynamic: a user can edit the generated topology and run queries against it, for example to view detailed information of each asset. The network topology generation module supports asset export and import, which makes it convenient for a user to quickly discover and count the information assets of the whole network and to know the security risk level of each asset.
The industrial firewall-based vulnerability screening system comprises a plurality of vulnerability screening modules, and different vulnerability screening modules can be used to screen different screening targets for vulnerabilities. In this way, the various vulnerability problems existing in an industrial control system, such as security vulnerabilities, security configuration problems, and non-compliant behaviors, can be screened comprehensively and accurately, and vulnerability analysis data are provided to the administrator through the output vulnerability analysis reports before the industrial control system is damaged, so that the administrator can perform professional and effective vulnerability analysis and repair.
Referring to FIG. 4, FIG. 4 is a schematic flowchart illustrating a vulnerability screening method based on an industrial firewall according to an embodiment of the present disclosure. The industrial firewall-based vulnerability screening method can be applied to the industrial firewall-based vulnerability screening system 100 shown in FIG. 1. The industrial firewall-based vulnerability screening method comprises the following steps S110 to S120.
Step S110: when a screening target is discovered by the industrial firewall-based vulnerability screening system, the industrial firewall-based vulnerability screening system acquires target information of the screening target, the target information being determined according to the screening target.
The screening target refers to a device, system, protocol, or the like that requires vulnerability screening. As mentioned above, the screening targets may include, but are not limited to, live hosts, network devices, databases, and the like in the current vulnerability screening network.
The target information has a mapping relationship with the screening target, and the mapping relationship may be one-to-one, one-to-many, many-to-one, or many-to-many. The mapping relationship may be preset and stored in the system, so that the target information corresponding to a screening target can be looked up directly from the screening target. The target information may include, but is not limited to, a host name, an Internet Protocol (IP) address, a port, an operating system, a software version, a person in charge, a region, and the like.
In some optional embodiments, the industrial firewall-based vulnerability screening system may sort the devices or systems connected to it according to a preset order, and select them one after another as the screening target in that order. The preset order may be set according to actual requirements; for example, it may be the order in which the devices or systems joined the network.
In some optional embodiments, the industrial firewall-based vulnerability screening system may set different vulnerability screening periods for the devices or systems connected to it, and determine the screening target from among those devices and systems according to their vulnerability screening periods. The vulnerability screening period can be set according to actual needs; for example, it can be a day, a week, or a month.
Step S120: the industrial firewall-based vulnerability screening system screens and analyzes the screening target for vulnerabilities according to the acquired target information, so as to determine whether a security vulnerability exists in the screening target.
In some optional embodiments, the industrial firewall-based vulnerability screening system may determine a type of the screening target, and perform vulnerability screening and analysis on the screening target by using a vulnerability screening module corresponding to the type of the screening target. For example, if the screening target is a database, the database security screening module may be used to screen and analyze the database for vulnerabilities.
In some optional embodiments, if there are a plurality of screening targets, the vulnerability screening modules corresponding to the plurality of screening targets may be run concurrently to screen and analyze the screening targets for vulnerabilities respectively. For example, if the screening targets include a database, a WEB application, and a system baseline, the database security screening module may be used to screen and analyze the database for vulnerabilities, the WEB vulnerability screening module may be used to screen and analyze the WEB application for vulnerabilities, and the security baseline screening module may be used to screen and analyze the system baseline for vulnerabilities. In this way, the screening accuracy and efficiency can be improved.
In some optional embodiments, after the vulnerability screening is performed on the screening target, a screening analysis report may be generated; the user may then be notified of the screening analysis report by email or telephone, and corresponding precautionary measure recommendations may be provided. If there are a plurality of screening targets, the priority of each screening target can be obtained, and the plurality of screening analysis reports are sent to the user in order of the priority of the screening targets. The priority can be customized, and databases and operating systems have a higher priority than application services.
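The following Python example is added here to make steps S110 and S120 concrete; it is not code from the patent. It takes constructed target information records (host name, IP, port, operating system, type), dispatches each target to the screening module matching its type (the type-based selection and concurrent execution described above), builds report entries with the fields the description lists (risk level, category, description, type, solution), applies a per-target screening period, and sorts the reports for delivery so that databases and operating-system baselines come before application services. The module names are the ones used on this page, but their check logic, the baseline values, the default port list and all target records are hypothetical placeholders written for this example.

```python
"""Type-based dispatch of screening targets to screening modules, periodic
scheduling and priority-ordered report delivery.

Added example, not code from the patent: the module logic, baseline values and
target records are constructed placeholders standing in for the patent's WEB,
database and security baseline screening modules.
"""
from concurrent.futures import ThreadPoolExecutor
from dataclasses import dataclass, field
from datetime import date, timedelta

# Constructed "target information" records as discovered in step S110.
# The field set (host name, IP, port, OS, ...) follows the description; the
# values and the extra configuration fields are made up for this example.
TARGETS = [
    {"host": "hmi-01", "ip": "10.0.1.10", "port": 80, "os": "Windows",
     "type": "web", "http_headers": {"Content-Type": "text/html"}},
    {"host": "hist-db", "ip": "10.0.1.20", "port": 1433, "os": "Windows",
     "type": "database", "remote_admin_enabled": True},
    {"host": "eng-ws", "ip": "10.0.1.30", "port": 445, "os": "Windows",
     "type": "baseline", "settings": {"autoplay_enabled": True, "smb1_enabled": False}},
]


@dataclass
class Finding:
    """One entry of a vulnerability analysis report (fields from the description)."""
    risk_level: str
    category: str
    description: str
    vuln_type: str
    solution: str


@dataclass
class Report:
    module: str
    target: dict
    findings: list = field(default_factory=list)


# --- placeholder screening modules: hypothetical checks, one per target type ---
REQUIRED_HEADERS = ("strict-transport-security", "content-security-policy")
DEFAULT_DB_PORTS = {1433, 1521, 3306, 5432}
BASELINE = {"autoplay_enabled": False, "smb1_enabled": False}


def web_module(t):
    """Flag missing hardening headers in the (constructed) HTTP response."""
    present = {k.lower() for k in t.get("http_headers", {})}
    return [Finding("medium", "web configuration", f"missing {h} response header",
                    "configuration", f"send the {h} header")
            for h in REQUIRED_HEADERS if h not in present]


def database_module(t):
    """Flag remote administrative access exposed on a default database port."""
    if t.get("remote_admin_enabled") and t["port"] in DEFAULT_DB_PORTS:
        return [Finding("high", "database configuration",
                        "remote administrative access exposed on default port",
                        "configuration", "restrict administrative access to the management network")]
    return []


def baseline_module(t):
    """Compare host settings against the (constructed) security baseline."""
    actual = t.get("settings", {})
    return [Finding("medium", "security baseline", f"{k} deviates from baseline",
                    "configuration", f"set {k}={v}")
            for k, v in BASELINE.items() if actual.get(k) != v]


MODULES = {
    "web": ("WEB vulnerability screening module", web_module),
    "database": ("database security screening module", database_module),
    "baseline": ("security baseline screening module", baseline_module),
}


def select_module(target):
    """Pick the screening module by target type; unknown types are rejected explicitly."""
    try:
        return MODULES[target["type"]]
    except KeyError:
        raise ValueError(f"no screening module for target type {target.get('type')!r}")


def screen(target):
    name, run = select_module(target)
    return Report(name, target, run(target))


def screen_all(targets, workers=4):
    """Step S120 for several targets: run the matching modules concurrently."""
    with ThreadPoolExecutor(max_workers=workers) as ex:
        return list(ex.map(screen, targets))  # map keeps the input order


# Customisable delivery priority: databases and operating-system baselines
# ahead of application services, as the description specifies.
PRIORITY = {"database": 0, "baseline": 0, "web": 1}


def order_for_delivery(reports):
    return sorted(reports, key=lambda r: PRIORITY.get(r.target["type"], 99))


def due_for_screening(last_screened, period_days, today):
    """Per-target screening period (e.g. 1, 7 or 30 days)."""
    return today - last_screened >= timedelta(days=period_days)


if __name__ == "__main__":
    for r in order_for_delivery(screen_all(TARGETS)):
        print(r.target["host"], r.module, len(r.findings), "finding(s)")
```

`select_module` raises on an unrecognized target type instead of silently skipping the target, so an asset the inventory classified incorrectly surfaces as an error rather than as a clean report; a real deployment would map such targets to the system vulnerability screening module or send them back to the screening preparation module for reclassification.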
According to the industrial firewall-based vulnerability screening method, which relies on the plurality of vulnerability screening modules, different vulnerability screening modules can be used to screen different screening targets for vulnerabilities. In this way, the various vulnerability problems existing in the industrial control system, such as security vulnerabilities, security configuration problems, and non-compliant behaviors, can be screened comprehensively and accurately, and vulnerability analysis data are provided to the administrator through the output vulnerability analysis report before the industrial control system is damaged, so that the administrator can perform professional and effective vulnerability analysis and repair.
In summary, the embodiments of the present application provide a vulnerability screening system and method based on an industrial firewall, and relate to the technical field of industrial control security. The industrial firewall-based vulnerability screening system comprises a plurality of vulnerability screening modules, and different vulnerability screening modules can be used to screen different screening targets for vulnerabilities, so that the various vulnerability problems existing in the industrial control system, such as security vulnerabilities, security configuration problems, and non-compliant behaviors, can be screened comprehensively and accurately, and vulnerability analysis data are provided to the administrator through the output vulnerability analysis reports before the industrial control system is damaged, so that the administrator can perform professional and effective vulnerability analysis and repair.
Finally, it should be noted that: the above embodiments are only used for illustrating the technical solutions of the present application, and not for limiting the same. Although the present application has been described in detail with reference to the foregoing embodiments, it will be understood by those skilled in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some technical features may be equivalently replaced; such modifications and substitutions do not necessarily depart from the spirit and scope of the corresponding technical solutions in the embodiments of the present application.
Claims (10)
1. A vulnerability screening system based on an industrial firewall is characterized by comprising:
the system comprises a plurality of vulnerability screening modules, wherein different vulnerability screening modules have different screening functions;
the data management module is connected with the plurality of vulnerability screening modules and is used for managing vulnerability analysis reports uploaded by the plurality of vulnerability screening modules;
and the webpage interface module is respectively connected with the plurality of vulnerability screening modules and the data management module, and outputs the vulnerability analysis report to a user through an SSL-encrypted channel and a browser.
2. The system of claim 1, wherein the plurality of vulnerability screening modules include an industrial control vulnerability screening module, a system vulnerability screening module, a WEB vulnerability screening module, a database security screening module, a security baseline screening module, and an APP vulnerability screening module, wherein:
the industrial control vulnerability screening module is used for screening and analyzing vulnerabilities of a screening target appointed in advance in the industrial control system and generating a corresponding vulnerability analysis report;
the system vulnerability screening module is used for screening and analyzing vulnerabilities of an operating system, an application service, a database and network equipment and generating a corresponding vulnerability analysis report, and when the system vulnerability screening module runs, other modules except the system vulnerability screening module in the vulnerability screening modules do not run;
the WEB vulnerability screening module is used for screening and analyzing vulnerabilities of WEB applications and generating corresponding vulnerability analysis reports, and is also used for verifying screened WEB vulnerabilities by adopting a WEB vulnerability verification mechanism;
the database security screening module is used for screening and analyzing vulnerabilities of various databases and generating corresponding vulnerability analysis reports;
the security baseline screening module is used for screening and analyzing the system baseline under the current vulnerability screening network and generating a corresponding vulnerability analysis report;
the APP vulnerability screening module is used for screening and analyzing the vulnerability of the APP in a static analysis mode and generating a corresponding vulnerability analysis report.
3. The system of claim 1, wherein the plurality of vulnerability screening modules further comprises a WIFI security screening module, and the WIFI security screening module is configured to screen and analyze a WIFI wireless network for vulnerabilities and generate corresponding vulnerability analysis reports.
4. The system of claim 1, wherein the plurality of vulnerability screening modules further comprises a big data vulnerability screening module for vulnerability screening and security compliance checking of big data components and generating statistical analysis reports.
5. The system according to any one of claims 2 to 4, wherein after the vulnerability screening is performed to generate the screening results, the plurality of vulnerability screening modules analyze the screening results in a form of reports and graphs respectively to generate vulnerability analysis reports corresponding to the plurality of vulnerability screening modules, wherein the report content includes vulnerability risk level, vulnerability category, vulnerability description, vulnerability type and vulnerability solution.
6. The system of claim 1, wherein the industrial firewall-based vulnerability screening system comprises a stand-alone deployment management mechanism and a distributed management mechanism, and further comprises a decision module, wherein the decision module is configured to determine that the industrial firewall-based vulnerability screening system screens vulnerabilities using the distributed management mechanism when the current vulnerability screening network is a distributed network, or determine that the industrial firewall-based vulnerability screening system screens vulnerabilities using the stand-alone deployment management mechanism when the current vulnerability screening network is not a distributed network.
7. The system of claim 1, wherein the industrial firewall-based vulnerability screening system further comprises a Windows security reinforcement module for performing security reinforcement on a Windows operating system, wherein the reinforcement content includes configuration management, network management, access management, log audit and malicious code prevention.
8. The system according to claim 1, wherein the industrial firewall-based vulnerability screening system further comprises a screening preparation module, the screening preparation module is configured to discover a screening target in a current vulnerability screening network and target information of the screening target, and the target information is determined according to the screening target.
9. The system according to claim 1, wherein the industrial firewall-based vulnerability screening system further comprises a network topology generation module, and the network topology generation module is configured to generate a network topology map under a current vulnerability screening network.
10. A vulnerability screening method based on an industrial firewall is characterized by comprising the following steps:
when a screening target is discovered by adopting the industrial firewall-based vulnerability screening system according to any one of claims 1-9, the industrial firewall-based vulnerability screening system acquiring target information of the screening target, wherein the target information is determined according to the screening target;
and the industrial firewall-based vulnerability screening system screening and analyzing the screening target for vulnerabilities according to the acquired target information, so as to determine whether the screening target has a security vulnerability.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202211241162.5A CN115378734A (en) | 2022-10-11 | 2022-10-11 | Vulnerability screening system and method based on industrial firewall |
Publications (1)
Publication Number | Publication Date |
---|---|
CN115378734A true CN115378734A (en) | 2022-11-22 |
Family
ID=84072859
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202211241162.5A Pending CN115378734A (en) | 2022-10-11 | 2022-10-11 | Vulnerability screening system and method based on industrial firewall |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN115378734A (en) |
Cited By (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN115695044A (en) * | 2022-11-29 | 2023-02-03 | 贵州电网有限责任公司 | IT asset safety control platform and management method |
Citations (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN108737425A (en) * | 2018-05-24 | 2018-11-02 | 北京凌云信安科技有限公司 | Fragility based on multi engine vulnerability scanning association analysis manages system |
CN113704767A (en) * | 2021-08-10 | 2021-11-26 | 北京凌云信安科技有限公司 | Vulnerability scanning engine and vulnerability worksheet management fused vulnerability management system |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||