CN117896287A - Method, system and device for detecting security isolation effectiveness of host network - Google Patents


Info

Publication number
CN117896287A
Authority
CN
China
Prior art keywords
host
target
network
list
information
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202410295697.3A
Other languages
Chinese (zh)
Inventor
孙雷亮
李翔宇
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
North Health Medical Big Data Technology Co ltd
Original Assignee
North Health Medical Big Data Technology Co ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by North Health Medical Big Data Technology Co ltd
Priority to CN202410295697.3A
Publication of CN117896287A
Legal status: Pending


Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention provides a method, a system and a device for detecting the effectiveness of security isolation of a host network, and belongs to the technical field of network security. The method comprises the following steps: collecting network information of a target host; constructing a DNSLOG platform server; detecting whether the ports used by the RPC protocol of the target host are open, and recording the port detection result; according to the network information and detection result of the target host, obtaining information of the target host by calling the RPC protocol and storing it in an RPC detection result file; screening out a list of multi-network-card hosts, and identifying unauthorized externally connected target hosts by verifying that list; generating a host list to be detected by the Internet, detecting the effectiveness of the target host's Internet security isolation by using the DNSLOG platform server, and recording the target hosts that fail detection; and generating a host list to be detected by the intranet, detecting the target host's intranet security isolation effectiveness by using the RPC protocol, and recording the target hosts that fail detection.

Description

Method, system and device for detecting security isolation effectiveness of host network
Technical Field
The invention relates to the technical field of network security, in particular to a method, a system and a device for detecting the security isolation effectiveness of a host network.
Background
In network security management, in order to ensure the security of different service servers and terminals, a number of separate isolated networks are generally set up by technical means so that different services are isolated from each other and cannot communicate; each isolated network therefore has an independent IP network segment and forms a logically isolated intranet. There are also some business requirements under which a host must access two or more isolated networks at the same time, for example a service network and a management network, or a service intranet and the Internet. Access to multiple isolated networks creates a challenge for network security isolation management, and being able to verify the validity of a host's network security isolation effectively and quickly is therefore important.
The existing network security isolation effectiveness detection methods mainly take the following three forms:
1. Manual inspection: a verifier must actually log in to the host to perform the verification, and whether security isolation is effective is determined by manually running connectivity tests against the different isolated networks; or the number of network cards and their network information are checked manually through the network card configuration, mainly using command-line tools provided by the Windows system such as the "ipconfig" and "netsh" commands to list the configuration information and IP addresses of all network cards and check whether configuration information for a non-isolated network exists.
2. Script detection: a verifier must actually log in to the host to perform the verification; the conditions for manual or scripted execution must be prepared in advance, and script code such as PowerShell must be written beforehand. The script code contains code that runs connectivity tests against the different isolated networks, or obtains system information programmatically through the WMI management interface of the Windows system, extracts network card information, IP addresses and so on from it, and checks whether configuration information for a non-isolated network exists.
3. Third-party software acquisition: operation and maintenance plug-ins, security management plug-ins, desktop management and control software or other third-party software must be installed on the host in advance; network card information, IP addresses and other information can then be obtained through the built-in functions of that software, and connectivity detection against the different isolated networks can be initiated.
Therefore, although the prior art can detect the network security isolation effectiveness of a target host by these technical methods, it requires prior contact with the target host: on-site access, scripts placed in advance, or third-party software installed in advance. Related system configuration work is needed; manual operation places high technical demands on operators, wastes time and labour and is error-prone; and third-party software requires additional expenditure, so the cost is high. As a technical means of network management and security management, this seriously increases the management burden.
Disclosure of Invention
To address these problems, the invention aims to provide a method, a system and a device for detecting the security isolation effectiveness of a host network, which use the RPC protocol to acquire all network card information of a host and determine whether the host holds an IP address of a network it does not belong to, thereby achieving remote detection of security isolation effectiveness.
This aim is achieved by the following technical scheme: a method for detecting the effectiveness of security isolation of a host network, comprising the following steps:
S1: connecting to the target hosts in a management network, and collecting network information of the target hosts;
S2: constructing a DNSLOG platform server;
S3: detecting whether the ports used by the RPC protocol of a target host are open, and recording the port detection result;
S4: according to the network information and the detection result of the target host, acquiring network card information, IP address information and host name information of the target host by calling the RPC protocol, and storing them in an RPC detection result file;
S5: screening a list of multi-network-card hosts from the RPC detection result file, and identifying unauthorized externally connected target hosts by verifying that list;
S6: removing the information of unauthorized externally connected target hosts from the RPC detection result file, and generating a host list to be detected by the Internet; according to that list, detecting the effectiveness of the target host's Internet security isolation by using the DNSLOG platform server, and recording the target hosts that fail detection;
S7: removing the target hosts that failed detection from the host list to be detected by the Internet, and generating a host list to be detected by the intranet; classifying and summarizing the target hosts in that list by C segment, detecting the target hosts' intranet security isolation effectiveness by using the RPC protocol, and recording the target hosts that fail detection.
Further, step S1 includes:
establishing connection with all target hosts in a management network;
collecting all gateway addresses of network segments to which the target host belongs, and storing the gateway addresses in a gateway address list;
and collecting the IP address or IP address network segment of the target host and storing the IP address or IP address network segment into the address list to be detected.
Further, step S2 includes:
and setting up a DNSLOG platform server in an intranet server area or a DMZ area, and setting a DNSLOG domain name to point to the server.
Further, step S3 includes:
detecting ports 135 and 445 of the target host according to the address list to be detected, and recording the detection results in a port detection result file.
Further, step S4 includes:
according to the detection result, calling the DCERPC protocol to obtain information through port 135 of the target host, and calling the SMB protocol to obtain information through port 445 of the target host;
after the information is successfully acquired, extracting the network card information, IP address information and host name information of the target host and storing them in the RPC detection result file.
Further, step S5 includes:
analyzing the RPC detection result file, screening out target hosts with the number of network cards or IP addresses being more than or equal to 2, and recording the target hosts in a host list of a plurality of network cards;
verifying a host list of the multi-network card by using the enterprise asset registration list, and if the target host recorded in the host list of the multi-network card is recorded as a single-network card host in the enterprise asset registration list, the target host is an unauthorized externally connected target host;
and recording all unauthorized external connected target host information into a first isolation failure host list.
Further, step S6 includes:
deleting corresponding target host information in the RPC detection result file according to the first isolation failure host list, and generating a host list to be detected by the Internet;
acquiring an authentication user name and an authentication password of a target host in a host list to be detected by the Internet;
according to the authentication user name and password of the target host, initiating the DCERPC protocol through port 135 or the SMB protocol through port 445 to perform user name and password authentication;
After successful authentication, initiating a DNS request to a DNSLOG platform server;
and identifying the target host with the Internet security isolation failure by analyzing the log record of the DNSLOG platform server, and recording the target host in a second isolation failure host list.
Further, step S7 includes:
deleting corresponding target host information from a host list to be detected by the Internet according to the second isolation failure host list, and generating a host list to be detected by the intranet;
classifying and summarizing the target hosts recorded in the host list to be detected by the intranet by C segment, initiating a PING request to each gateway address recorded in the gateway address list by using the RPC protocol, and recording the PING request results;
screening out the successful result of PING and forming the relation mapping between the target host and the gateway;
analyzing the relation mapping, screening out the IP addresses and the target gateways which are not allowed to be communicated in the relation mapping, and storing the corresponding target host information into a third isolation failure host list according to the screening result;
and summarizing the first isolation failure host list, the second isolation failure host list and the third isolation failure host list to generate a network security isolation failure host summarizing list.
Correspondingly, the invention also discloses a system for detecting the security isolation effectiveness of a host network, which comprises the following modules:
The preparation module is used for connecting the target host computer in the management network and collecting network information of the target host computer;
the server building module is used for building a DNSLOG platform server;
the port detection module is used for detecting the port opening condition used by the RPC protocol of the target host and recording the port detection result;
the host information acquisition module is used for acquiring network card information, IP address information and host name information of the target host by calling an RPC protocol according to the network information and the detection result of the target host, and storing the network card information, the IP address information and the host name information in an RPC detection result file;
the authorization identification module is used for screening out a host list of the multi-network card from the RPC detection result file, and identifying an unauthorized externally connected target host by verifying the target host list of the multi-network card;
the internet isolation detection module is used for removing related information of the target host which is unauthorized and externally connected in the RPC detection result file and generating a host list to be detected by the internet; according to a host list to be detected by the Internet, detecting the effectiveness of Internet security isolation of a target host by utilizing a DNSLOG platform server, and recording the target host with detection failure;
the intranet isolation detection module is used for removing a target host with detection failure from a host list to be detected by the Internet, and generating a host list to be detected by the intranet; and classifying and summarizing the target hosts according to the segment C according to a host list to be detected by the intranet, detecting the intranet security isolation effectiveness of the target hosts by using an RPC protocol, and recording the target hosts which are failed to detect.
Correspondingly, the invention discloses a device for detecting the effectiveness of security isolation of a host network, which comprises the following components:
the memory is used for storing a host network security isolation effectiveness detection program;
a processor for implementing the steps of the host network security isolation validity detection method as described in any one of the above when executing the host network security isolation validity detection program.
Compared with the prior art, the invention has the beneficial effects that:
1. The invention adopts a simplified and cost-saving detection mode. The RPC protocol natively supported by Windows is used as the basic detection principle, so Windows hosts are supported natively, no plug-in software needs to be installed, and the implementation is simpler and more convenient. The RPC-based detection method works by remote call, without touching the host in advance to perform any configuration or installation, which saves labour cost. The RPC-based detection method can detect hosts in batches at the same time, which greatly shortens the detection time and saves time cost; network interference caused by an overly long detection time is avoided, and host stability is improved. The invention also combines the DNSLOG echo (out-of-band callback) technique, and can detect risky hosts that are connected to the Internet.
2. The remote method adopted by the invention for detecting the security isolation effectiveness of a host network does not need to contact the target host, can be realized through a remote call protocol, does not need a large investment of manpower, and saves detection time.
3. The invention can be realized without depending on third-party software, saving purchasing cost.
4. The invention uses the DNSLOG echo technique, and Internet connectivity detection can be realized either with a self-built DNSLOG platform or with a free third-party platform on the Internet. The most important point of network security isolation is whether a host is illegally connected to the Internet: if a host is connected to the Internet, its risk of attack increases exponentially, and if an intranet core production system or a financial service server is connected to the Internet, serious consequences can follow once it is attacked. The invention detects whether a host is connected to the Internet by means of a DNS protocol request; this protocol conventionally carries no important data, its plaintext traffic can be inspected, the detection process is transparent, and risks such as data leaving the network out of band during detection are avoided.
It can be seen that the present invention has outstanding substantial features and significant advances over the prior art, as well as the benefits of its implementation.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings that are required to be used in the embodiments or the description of the prior art will be briefly described below, and it is obvious that the drawings in the following description are only embodiments of the present invention, and that other drawings can be obtained according to the provided drawings without inventive effort for a person skilled in the art.
FIG. 1 is a flow chart of a method of an embodiment of the present invention.
Fig. 2 is a system configuration diagram of an embodiment of the present invention.
Fig. 3 is a block diagram of an apparatus according to an embodiment of the present invention.
In the figures: 1, preparation module; 2, server building module; 3, port detection module; 4, host information acquisition module; 5, authorization identification module; 6, Internet isolation detection module; 7, intranet isolation detection module; 101, processor; 102, memory; 103, input interface; 104, output interface; 105, communication unit; 106, keyboard; 107, display; 108, mouse.
Detailed Description
In order to better understand the aspects of the present invention, the present invention will be described in further detail with reference to the accompanying drawings and detailed description. It will be apparent that the described embodiments are only some, but not all, embodiments of the invention. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to be within the scope of the invention.
Referring to fig. 1, the present embodiment provides a method for detecting validity of security isolation of a host network, including the following steps:
s1: and connecting the target host in the management network, and collecting network information of the target host.
In this step, the detection host must be prepared in advance, and the detection host must be able to communicate with the targets. The target host IP addresses or IP address segments must be prepared in advance for use, as must all gateway addresses of the target networks to be detected.
Specifically, connections are first established with all target hosts at the management network. Then collecting all gateway addresses of the network segment to which the target host belongs, and storing the gateway addresses in a gateway address list; meanwhile, the IP address or IP address network segment of the target host is collected and stored in the address list to be detected.
S2: and constructing a DNSLOG platform server.
Specifically, a DNSLOG platform server is built in an intranet server area or a DMZ area and the like, and a DNSLOG domain name is set to point to the server to be used for detecting the effectiveness of Internet security isolation.
S3: detecting the opening condition of a port used by an RPC protocol of a target host, and recording the detection result of the port.
Specifically, according to the address list to be detected, the 135 port and 445 port of the target host are detected, and the detection result is recorded in the port detection result file.
It should be noted that, since the present detection method relies on the RPC protocol, it is necessary to detect whether the RPC protocol ports are open. The method therefore selects ports 135 and 445, the ports most widely used by the RPC protocol, for detection; the detection is performed from the detection host against the addresses of the target hosts, and the detection results are recorded as basic target information for the security isolation effectiveness detection.
S4: according to the network information and the detection result of the target host, the network card information, the IP address information and the host name information of the target host are acquired by calling the RPC protocol and are stored in an RPC detection result file.
Specifically, firstly, according to the detection result, the DCERPC protocol is called to acquire information of the 135 port of the target host, and the SMB protocol is called to acquire information of the 445 port of the target host. After the information is successfully acquired, the network card information, the IP address information and the host name information of the target host are extracted and stored in the RPC detection result file.
As an example, information acquisition is performed from the detection host against the target host according to the recorded probe results. Information is first acquired through port 135 using the DCERPC protocol; if that acquisition fails, information is acquired by calling port 445 through the SMB protocol. The acquired information comprises the target host's network card information, IP address information and host name information, which are recorded.
S5: screening a host list of the multiple network cards from the RPC detection result file, and identifying an unauthorized externally connected target host by verifying the target host list of the multiple network cards.
Specifically, the RPC detection result file is firstly analyzed, the target hosts with the number of network cards or IP addresses greater than or equal to 2 are screened out, and the target hosts are recorded in a host list of the multiple network cards. And then, verifying the host list of the multi-network card by using the enterprise asset registration list, and if the target host recorded in the host list of the multi-network card is recorded as a single-network card host in the enterprise asset registration list, determining that the target host is an unauthorized externally connected target host. And finally, recording all the target host information of the unauthorized external connection into a first isolation failure host list.
Therefore, the RPC detection result is analyzed, the hosts with network cards and IP addresses more than or equal to 2 are screened out, and then the hosts are compared with the hosts with enterprise assets registered as single network cards for analysis. If the target host is registered as a single network card but detected as a double network card or even a multiple network card, the target host can be judged to be invalid in security isolation because the multiple network cards can be communicated with different networks.
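The screening logic of step S5, written out as an added example (this is not code from the patent or its assignee). It assumes the RPC detection result file has already been parsed into one record per host with the IPv4 addresses of each network card, and it uses a constructed asset registration list that records how many network cards each host is registered with. Hosts that the registry does not know at all are reported separately rather than silently passed, which the patent text does not spell out.

```python
import ipaddress

# Constructed sample of the "RPC detection result file" of steps S4/S5: one record
# per target host with its host name and the IPv4 addresses of each network card.
RPC_RESULTS = [
    {"host": "SRV-APP-01", "nics": {"Ethernet0": ["10.10.1.21"]}},
    {"host": "SRV-DB-02", "nics": {"Ethernet0": ["10.10.1.22"], "Ethernet1": ["172.16.5.22"]}},
    {"host": "PC-FIN-17", "nics": {"Ethernet0": ["10.10.2.17", "192.168.88.17"]}},
    {"host": "SRV-MGT-03", "nics": {"Ethernet0": ["10.10.1.23"], "Ethernet1": ["10.99.0.23"]}},
]

# Constructed enterprise asset registration list: registered network card count per host.
ASSET_REGISTRY = {
    "SRV-APP-01": 1,
    "SRV-DB-02": 2,   # legitimately dual-homed (service network + management network)
    "PC-FIN-17": 1,
    "SRV-MGT-03": 1,
}


def nic_and_ip_count(record):
    """Return (number of network cards, number of distinct valid IPv4 addresses)."""
    addresses = set()
    for ips in record["nics"].values():
        for ip in ips:
            try:
                addresses.add(str(ipaddress.IPv4Address(ip)))
            except ipaddress.AddressValueError:
                continue  # malformed entry in the result file: skip it rather than abort
    return len(record["nics"]), len(addresses)


def multi_nic_hosts(records):
    """Step S5, first part: hosts whose network card count or IP address count is >= 2."""
    return [r for r in records if max(nic_and_ip_count(r)) >= 2]


def unauthorized_external_hosts(records, registry):
    """Step S5, second part: multi-NIC hosts that the asset registry lists as single-NIC
    form the first isolation failure list. Hosts absent from the registry are returned
    separately so that an incomplete registry does not hide a dual-homed host."""
    failures, unregistered = [], []
    for r in multi_nic_hosts(records):
        registered = registry.get(r["host"])
        nics, ips = nic_and_ip_count(r)
        if registered is None:
            unregistered.append(r["host"])
        elif registered == 1:
            failures.append({"host": r["host"], "nics": nics, "ips": ips,
                             "reason": "registered single-NIC, found multi-NIC"})
    return failures, unregistered


def internet_check_list(records, failures):
    """Start of step S6: drop the first-isolation-failure hosts from the RPC results,
    leaving the host list to be detected by the Internet."""
    failed = {f["host"] for f in failures}
    return [r for r in records if r["host"] not in failed]


if __name__ == "__main__":
    first_failures, unknown = unauthorized_external_hosts(RPC_RESULTS, ASSET_REGISTRY)
    for f in first_failures:
        print("isolation failure (unauthorized external connection):", f)
    print("not in asset registry:", unknown)
    print("to be detected by the Internet:",
          [r["host"] for r in internet_check_list(RPC_RESULTS, first_failures)])
```

On the constructed data, SRV-DB-02 is registered as dual-homed and is therefore kept, while PC-FIN-17 (two addresses on one card) and SRV-MGT-03 (two cards) are registered as single-NIC and land on the first isolation failure list.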
S6: related information of an unauthorized external target host is removed from the RPC detection result file, and a host list to be detected by the Internet is generated; and according to the host list to be detected by the Internet, detecting the effectiveness of Internet security isolation of the target host by utilizing the DNSLOG platform server, and recording the target host with detection failure.
Specifically, firstly, according to the first isolation failure host list, the corresponding target host information is deleted from the RPC detection result file, and the host list to be detected by the Internet is generated. Then the authentication user name and password of each target host in that list are acquired. Using those credentials, the DCERPC protocol is initiated through port 135 or the SMB protocol through port 445 to perform user name and password authentication; after successful authentication, a DNS request is initiated to the DNSLOG platform server. Finally, the target hosts whose Internet security isolation has failed are identified by analyzing the log records of the DNSLOG platform server, and they are recorded in a second isolation failure host list.
The principle of this step is that the target host of "unauthorized external connection" is removed from the RPC detection result, and the remaining target hosts are subjected to the internet security isolation validity detection. The specific detection mode is to make a request to the established DNSLOG platform after authentication of a host user name password, analyze log records of the DNSLOG platform, and judge that the Internet security isolation of the target host is invalid if the target host in the log is not allowed to be connected with the Internet.
S7: removing a target host with failure detection from a host list to be detected by the Internet, and generating a host list to be detected by the intranet; and classifying and summarizing the target hosts according to the segment C according to a host list to be detected by the intranet, detecting the intranet security isolation effectiveness of the target hosts by using an RPC protocol, and recording the target hosts which are failed to detect.
Specifically, corresponding target host information is deleted from a host list to be detected by the internet according to the second isolation failure host list, and a host list to be detected by the intranet is generated. And then classifying and summarizing target hosts recorded in a host list to be detected by the intranet according to the section C, initiating a PING request to a gateway address recorded in a gateway address list by using an RPC protocol, and recording a PING request result. And then screening out the successful result of PING and forming the relation mapping between the target host and the gateway. At this time, the relationship mapping is analyzed, the IP address and the target gateway which are not allowed to be connected in the relationship mapping are screened out, and the corresponding target host information is stored in the third isolation failure host list according to the screening result.
And finally, summarizing the first isolation failure host list, the second isolation failure host list and the third isolation failure host list to generate a network security isolation failure host summarizing list.
In this step, the target hosts flagged as unauthorized external connections are first removed from the RPC detection result, then the target hosts whose Internet security isolation is invalid are removed, and the remaining target hosts undergo intranet security isolation effectiveness detection. For the detection, the target hosts are classified and summarized by C segment, then a PING request is initiated via the RPC protocol to each address in the prepared gateway address list and the PING results are recorded, so that each host forms a one-to-many host-to-gateway relation mapping. The relation mapping is analyzed, and if a mapping appears for which communication is not allowed, intranet security isolation has failed.
And finally, summarizing the results of unauthorized external connection, internet security isolation failure and intranet security isolation failure, namely the final result of network security isolation effectiveness detection.
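The analysis half of step S7 and the final summary, as an added example that is not part of the patent. It takes constructed PING results as the RPC-driven pings would record them, groups hosts by C segment (the same /24 grouping the patent uses to split port-detection tasks in its step 5), builds the one-to-many host-to-gateway relation mapping, and flags hosts that reached a gateway their segment is not allowed to reach. The per-segment allow-list ALLOWED_GATEWAYS and the exempt set for legitimately multi-homed hosts are this example's assumptions; the patent only says that some host/gateway pairs are "not allowed to be communicated".

```python
import ipaddress
from collections import defaultdict

# Constructed gateway address list of step S1 (every gateway of the segments in scope).
GATEWAY_LIST = ["10.10.1.1", "10.10.2.1", "172.16.5.1"]

# Constructed isolation policy (assumption): gateways hosts of each C segment may reach.
ALLOWED_GATEWAYS = {
    "10.10.1.0/24": {"10.10.1.1"},
    "10.10.2.0/24": {"10.10.2.1"},
    "172.16.5.0/24": {"172.16.5.1"},
}

# Constructed PING results recorded in step S7: (target host, gateway pinged, success).
PING_RESULTS = [
    ("10.10.1.21", "10.10.1.1", True),
    ("10.10.1.21", "10.10.2.1", False),
    ("10.10.1.21", "172.16.5.1", False),
    ("10.10.2.30", "10.10.2.1", True),
    ("10.10.2.30", "172.16.5.1", True),  # reaches the isolated segment's gateway
    ("10.10.2.30", "10.10.1.1", False),
    ("10.10.1.22", "10.10.1.1", True),
    ("10.10.1.22", "172.16.5.1", True),  # registered dual-homed host, see `exempt`
]


def c_segment(ip):
    """The /24 ("C segment") containing ip, e.g. '10.10.2.0/24'."""
    return str(ipaddress.ip_network(f"{ip}/24", strict=False))


def group_by_c_segment(hosts):
    """Classify and summarize hosts by C segment, sorted for stable output."""
    groups = defaultdict(list)
    for host in hosts:
        groups[c_segment(host)].append(host)
    return {seg: sorted(groups[seg]) for seg in sorted(groups)}


def relation_mapping(ping_results):
    """One-to-many mapping host -> set of gateways that answered the PING."""
    mapping = defaultdict(set)
    for host, gateway, ok in ping_results:
        if ok:
            mapping[host].add(gateway)
    return dict(mapping)


def intranet_isolation_failures(mapping, allowed, exempt=frozenset()):
    """Any host that reached a gateway outside its segment's allow-list is an intranet
    isolation failure (third list). `exempt` holds hosts the asset registry shows as
    legitimately multi-homed, so they are not double-flagged here."""
    failures = []
    for host in sorted(mapping):
        if host in exempt:
            continue
        forbidden = sorted(mapping[host] - allowed.get(c_segment(host), set()))
        if forbidden:
            failures.append({"host": host, "segment": c_segment(host),
                             "forbidden_gateways": forbidden})
    return failures


def summarize_failures(first, second, third):
    """Merge the three isolation-failure lists into the summary list: one entry per
    host carrying every reason it was flagged."""
    reasons = defaultdict(list)
    for label, hosts in (("unauthorized external connection", first),
                         ("Internet isolation failure", second),
                         ("intranet isolation failure", third)):
        for host in hosts:
            reasons[host].append(label)
    return {host: reasons[host] for host in sorted(reasons)}


if __name__ == "__main__":
    mapping = relation_mapping(PING_RESULTS)
    print("hosts by C segment:", group_by_c_segment(mapping))
    third = intranet_isolation_failures(mapping, ALLOWED_GATEWAYS, exempt={"10.10.1.22"})
    print("intranet isolation failures:", third)
    summary = summarize_failures(["10.10.1.23"], ["10.10.2.30"], [f["host"] for f in third])
    print("network security isolation failure summary:", summary)
```

Recording failed pings as well as successful ones, as the patent does, matters for the mapping: a host that answers for no gateway at all is most likely one whose RPC call failed, not a proof that isolation holds, and the summary only ever lists positive findings.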
The invention provides a method for detecting the effectiveness of security isolation of a host network that targets Windows hosts: it uses the RPC protocol to acquire all network card information of a host, can determine whether the host holds an IP address of a network it does not belong to, and thereby discovers hosts whose security isolation is ineffective. Where the account name and password are known, the host can further be called remotely to initiate a DNSLOG request, and together with the DNSLOG server it is detected whether the host is connected to the Internet. The method overcomes the drawbacks of existing detection methods, which require contact with the host and are costly, while meeting the three key requirements of saving labour cost, saving time cost and reducing expense. Combining the characteristics of Windows hosts, a network security isolation effectiveness detection method based on the RPC protocol is designed. The method realizes remote, non-contact detection and, combined with the DNSLOG protocol, solves the key problem of "Internet isolation detection".
Based on the embodiment, the invention also discloses a method for detecting the security isolation effectiveness of the host network, which specifically comprises the following steps:
1. A detection "host A" that can communicate with the whole network is placed in the management network; "host A" must be able to reach the hosts of the target network segments to be detected.
2. Prepare the list of all gateway addresses of the target network segments to be detected and store it in "gateway address list.txt".
3. Preparing the target IP address or IP address network segment to be detected, and storing it in the address to be detected "
4. Setting up a DNSLOG server platform in an enterprise, assuming that the domain name of the enterprise owner is test123.com, setting up a subdomain name such as dnsylog.test123.com, and analyzing the subdomain name to the DNSLOG server in the enterprise. (DNSLOG platform construction step is not described in detail herein)
5. Reading an address to be detected, txt, and executing a port detection task in the host A, if a given IP address or an IP address network segment range is within 1C segment, directly executing the port detection task, if the given IP address or the IP address network segment range is more than 1C segment, then executing concurrent tasks, and executing 1C segment host port detection for each task, wherein the concurrency of the tasks is not more than 5 tasks.
6. The 135 port probing is performed according to the method described in step 5 and the result is output.
7. Port probing 445 is performed as described in step 5 and the result is output.
8. And (3) sequencing the results obtained in the step (6) and the step (7) according to the IP addresses, aggregating the port opening information with the host, and storing the port opening information into a file port detection result txt.
9. And reading the result in the port detection result txt, and carrying out batch RPC protocol call on the host A to acquire information.
10. In the information acquisition process of step 9, if each target host to be detected opens 135 and 445 ports simultaneously, firstly using 135 ports to call DCERPC protocol to acquire information, and if 135 ports are successfully acquired, skipping 445 ports to acquire information; if the 135 port fails to acquire information, the 445 port is used for calling the SMB protocol to acquire information; if the host computer successfully acquires information through any host computer port, acquiring information such as network card information, IP information, host name and the like of the host computer, storing the acquired information result into a file (RPC detection result. Txt), and if the two ports fail to acquire information, storing a record failure result and an IP address into the file (RPC detection failure record. Txt).
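The scheduling in steps 5 to 10, as an added example in Python (not code from the patent): it expands the entries of "address to be detected.txt", splits them into C segments, probes TCP 135 and 445 with at most five segment tasks in flight, and orders the RPC paths per host so that DCERPC over 135 is tried before SMB over 445. The input file layout, the connect timeout and the `fake_prober` used for the offline demonstration are assumptions; the real probe is a plain TCP connect and says nothing about whether the RPC interface behind the port will answer.

```python
"""Port-probe scheduler for steps 5 to 10 (added example, not the patent's own
code). Splits targets into C segments (/24), probes TCP 135 and 445 with at
most five segment tasks in flight, and orders the RPC paths per host:
DCERPC over 135 first, SMB over 445 as fallback. Layout and timeout assumed."""
import asyncio
import ipaddress
from typing import Awaitable, Callable, Dict, Iterable, List

RPC_PORTS = (135, 445)
MAX_SEGMENT_TASKS = 5      # concurrency limit given in step 5
CONNECT_TIMEOUT = 1.0      # seconds; assumed, the page gives no value


def expand_targets(entries: Iterable[str]) -> List[str]:
    """Expand single IPs or CIDR segments into host addresses, sorted by IP."""
    hosts = set()
    for entry in entries:
        entry = entry.strip()
        if not entry or entry.startswith("#"):
            continue
        if "/" in entry:
            net = ipaddress.ip_network(entry, strict=False)
            hosts.update(str(h) for h in net.hosts())
        else:
            hosts.add(str(ipaddress.ip_address(entry)))
    return sorted(hosts, key=ipaddress.ip_address)


def group_by_c_segment(hosts: Iterable[str]) -> Dict[str, List[str]]:
    """Bucket hosts by /24; one segment is one unit of work (step 5)."""
    segments: Dict[str, List[str]] = {}
    for h in hosts:
        seg = str(ipaddress.ip_network(f"{h}/24", strict=False))
        segments.setdefault(seg, []).append(h)
    return segments


async def tcp_probe(host: str, port: int) -> bool:
    """Plain TCP connect probe: True when the port accepts a connection."""
    try:
        _, writer = await asyncio.wait_for(
            asyncio.open_connection(host, port), CONNECT_TIMEOUT)
    except (OSError, asyncio.TimeoutError):
        return False
    writer.close()
    try:
        await writer.wait_closed()
    except OSError:
        pass
    return True


Prober = Callable[[str, int], Awaitable[bool]]


async def probe_all(hosts: Iterable[str], prober: Prober = tcp_probe
                    ) -> Dict[str, Dict[int, bool]]:
    """Steps 5 to 8: one task per C segment, MAX_SEGMENT_TASKS at once;
    returns {host: {135: open, 445: open}} sorted by IP address."""
    sem = asyncio.Semaphore(MAX_SEGMENT_TASKS)
    results: Dict[str, Dict[int, bool]] = {}

    async def probe_segment(members: List[str]) -> None:
        async with sem:
            for h in members:
                results[h] = {p: await prober(h, p) for p in RPC_PORTS}

    segments = group_by_c_segment(hosts).values()
    await asyncio.gather(*(probe_segment(m) for m in segments))
    return dict(sorted(results.items(),
                       key=lambda kv: ipaddress.ip_address(kv[0])))


def run_probe(hosts: Iterable[str], prober: Prober = tcp_probe):
    """Synchronous entry point around probe_all."""
    return asyncio.run(probe_all(hosts, prober))


def rpc_paths(open_ports: Dict[int, bool]) -> List[str]:
    """Step 10 order: try DCERPC on 135; use SMB on 445 only if that fails."""
    order = []
    if open_ports.get(135):
        order.append("dcerpc:135")
    if open_ports.get(445):
        order.append("smb:445")
    return order


def format_port_result(results: Dict[str, Dict[int, bool]]) -> List[str]:
    """Lines for 'port detection result.txt': '<ip> <open ports or ->'."""
    lines = []
    for h, ports in results.items():
        opened = ",".join(str(p) for p in RPC_PORTS if ports[p])
        lines.append(f"{h} {opened or '-'}")
    return lines


if __name__ == "__main__":
    # Constructed sample standing in for 'address to be detected.txt'.
    sample = ["192.168.1.0/30", "192.168.2.10"]

    async def fake_prober(host: str, port: int) -> bool:
        # Offline stand-in: .1 hosts expose both ports, the rest only 445.
        return host.endswith(".1") or port == 445

    res = run_probe(expand_targets(sample), fake_prober)
    for line in format_port_result(res):
        print(line, rpc_paths(res[line.split()[0]]))
```

Against live targets, call `run_probe(expand_targets(lines))` with the default `tcp_probe`; the semaphore bounds the number of C segments in flight, not the number of sockets, which matches the task-level limit the procedure describes.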
11. Analyse the results recorded in "RPC detection result.txt" and filter out the target hosts with 2 or more network adapters or IP addresses to obtain a multi-adapter host list. Then analyse whether each multi-adapter host breaches network security isolation: exclude hosts whose multiple adapters are genuinely configured for the business; for the remaining hosts network security isolation is judged to have failed, and they are saved in "unauthorized external connection security isolation failure host list.txt".
12. From "RPC detection result.txt" remove the target hosts recorded in "unauthorized external connection security isolation failure host list.txt" to form "Internet detection list.txt", obtain the authentication user name and password for the hosts in that list, and run the probe on host A. Specifically, first use port 135 to initiate DCERPC user name and password authentication; on success, issue a DNS request for the host IP address prepended to the DNSLOG platform domain, for example 192.168.1.X.dnslog.test123.com. If port 135 is not open or the probe fails, port 445 can be used to initiate SMB user name and password authentication, after which the same DNS request is issued. The credentials used here allow remote execution on every target host, so host A and the credential store must be protected accordingly.
13. Log in to the DNSLOG platform back end, view the DNS request list, collect all requests and extract the leading IP address label from each queried name to form a list of hosts that can reach the Internet. Analyse whether each host in the list is permitted to connect to the Internet; if not, save the host information in "Internet security isolation failure host list.txt". A logged request shows that DNS traffic from the host leaves the segment, which is an isolation failure in itself even where other protocols are blocked.
14. From "RPC detection result.txt" remove the target hosts recorded in "unauthorized external connection security isolation failure host list.txt" and those recorded in "Internet security isolation failure host list.txt" to form "intranet detection list.txt".
15. Group the target hosts recorded in "intranet detection list.txt" by C segment to form per-segment lists of hosts to test, and obtain the authentication user name and password for each host.
16. Run the probe on host A: for each host in the list, first use port 135 to initiate DCERPC user name and password authentication; on success, issue PING requests (count set to 2) to the addresses in "gateway address list.txt", with no more than 5 concurrent tasks at a time. If port 135 is not open or the probe fails, use port 445 to initiate SMB user name and password authentication and issue the same PING requests (count 2) after authentication succeeds. Output the PING results.
17. Filter the successful PING results and build a one-to-many mapping from each host IP address to the target gateway IP addresses it can reach. Analyse the mapping, pick out the host IP addresses and target gateways that are not permitted to communicate, and save them in "intranet host network security isolation failure host list.txt". Note that a failed PING does not prove isolation, since ICMP is often filtered while TCP is permitted; only successful PINGs are evidence.
18. Merge the results recorded in "unauthorized external connection security isolation failure host list.txt", "Internet security isolation failure host list.txt" and "intranet host network security isolation failure host list.txt" into the "network security isolation failure host summary list".
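The analysis side of steps 11 to 18, as an added example in Python (not code from the patent): it reads the collected records, applies the asset-registry check of claim 6, extracts the host label from DNSLOG query names, turns successful PINGs into a host-to-gateway mapping, narrows the candidate lists as steps 12 and 14 require, and merges the three failure lists. The page fixes no file formats, so the space-separated record layouts, the "single"/"dual" registry values and all sample data are constructed assumptions.

```python
"""Offline analysis for steps 11, 13, 17 and 18 (added example, not the
patent's own code): turns the collected files into the three isolation-failure
lists and the summary list. Record layouts are assumptions; data is constructed."""
import ipaddress
import re
from typing import Dict, Iterable, List, Set, Tuple

DNSLOG_ZONE = "dnslog.test123.com"          # from step 4
_QNAME = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})\." + re.escape(DNSLOG_ZONE) + r"$")


def parse_rpc_results(lines: Iterable[str]) -> Dict[str, List[str]]:
    """'RPC detection result.txt' as assumed here: '<ip> <hostname> <nic_ip,...>'."""
    hosts = {}
    for line in lines:
        parts = line.split()
        if len(parts) == 3:
            hosts[parts[0]] = sorted(set(parts[2].split(",")))
    return hosts


def unauthorized_external(hosts: Dict[str, List[str]], registry: Dict[str, str]) -> List[str]:
    """Step 11 / claim 6: two or more adapter addresses observed, but the asset
    registry records the host as single-adapter -> unauthorized external connection."""
    return sorted((ip for ip, nics in hosts.items()
                   if len(nics) >= 2 and registry.get(ip) == "single"),
                  key=ipaddress.ip_address)


def hosts_from_dnslog(log_lines: Iterable[str]) -> List[str]:
    """Step 13: each query name is '<host-ip>.dnslog.test123.com' (step 12);
    the leading label names the host whose DNS request reached the platform."""
    seen: Set[str] = set()
    for line in log_lines:
        for token in line.split():
            m = _QNAME.match(token.rstrip("."))
            if m:
                seen.add(m.group(1))
    return sorted(seen, key=ipaddress.ip_address)


def ping_mapping(ping_lines: Iterable[str]) -> Dict[str, Set[str]]:
    """Step 17: keep successful pings ('<host> <gateway> ok|fail') as host -> gateways."""
    mapping: Dict[str, Set[str]] = {}
    for line in ping_lines:
        host, gw, status = line.split()
        if status == "ok":
            mapping.setdefault(host, set()).add(gw)
    return mapping


def intranet_failures(mapping: Dict[str, Set[str]],
                      allowed_gw: Dict[str, Set[str]]) -> List[Tuple[str, str]]:
    """allowed_gw maps a C segment (CIDR) to the gateways its hosts may reach;
    any other reachable gateway is an isolation failure for that host."""
    bad = []
    for host, gws in mapping.items():
        seg = str(ipaddress.ip_network(f"{host}/24", strict=False))
        permitted = allowed_gw.get(seg, set())
        bad.extend((host, gw) for gw in sorted(gws) if gw not in permitted)
    return sorted(bad)


def run_pipeline(rpc_lines, registry, dnslog_lines, internet_allowed, ping_lines, allowed_gw):
    """Apply steps 11 to 18 including the list narrowing of steps 12 and 14."""
    hosts = parse_rpc_results(rpc_lines)
    first = unauthorized_external(hosts, registry)
    internet_list = [ip for ip in hosts if ip not in first]               # step 12
    reached = [ip for ip in hosts_from_dnslog(dnslog_lines) if ip in internet_list]
    second = [ip for ip in reached if ip not in internet_allowed]         # step 13
    intranet_list = [ip for ip in internet_list if ip not in second]      # step 14
    mapping = {h: g for h, g in ping_mapping(ping_lines).items() if h in intranet_list}
    third = intranet_failures(mapping, allowed_gw)                        # step 17
    total = set(first) | set(second) | {h for h, _ in third}              # step 18
    return {"unauthorized_external": first, "internet": second, "intranet": third,
            "summary": sorted(total, key=ipaddress.ip_address)}


# Constructed sample inputs (not real hosts, logs or registry entries).
RPC_RESULT = ["10.10.1.5 WS-FIN-05 10.10.1.5",
              "10.10.1.9 WS-FIN-09 10.10.1.9,192.168.50.9",
              "10.10.2.3 SRV-DB-03 10.10.2.3,10.10.9.3",
              "10.10.2.7 WS-OPS-07 10.10.2.7"]
REGISTRY = {"10.10.1.5": "single", "10.10.1.9": "single",
            "10.10.2.3": "dual", "10.10.2.7": "single"}
DNSLOG_LOG = ["2024-03-15T10:01:02 query 10.10.1.5.dnslog.test123.com. A from 10.10.200.1",
              "2024-03-15T10:01:05 query 10.10.2.3.dnslog.test123.com A from 10.10.200.1"]
INTERNET_ALLOWED = {"10.10.2.3"}
PING_LINES = ["10.10.1.5 10.10.1.254 ok", "10.10.1.5 10.10.9.254 ok",
              "10.10.1.5 10.10.2.254 fail", "10.10.2.3 10.10.2.254 ok",
              "10.10.2.7 10.10.1.254 ok", "10.10.2.7 10.10.2.254 ok"]
ALLOWED_GW = {"10.10.1.0/24": {"10.10.1.254"}, "10.10.2.0/24": {"10.10.2.254"}}

if __name__ == "__main__":
    result = run_pipeline(RPC_RESULT, REGISTRY, DNSLOG_LOG, INTERNET_ALLOWED,
                          PING_LINES, ALLOWED_GW)
    for name, entries in result.items():
        print(name, entries)
```

In the sample, 10.10.1.9 is caught in step 11 and therefore never tested in steps 12 to 17, 10.10.1.5 reaches the DNSLOG platform without permission, and 10.10.2.7 can ping a gateway outside its own segment; the query-name regex anchors on the DNSLOG zone so a stray name such as `evil.dnslog.test123.com` is ignored rather than mis-read as a host.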
Referring to fig. 2, the invention also discloses a system for detecting the validity of the security isolation of the host network, which comprises: the system comprises a preparation module 1, a server building module 2, a port detection module 3, a host information acquisition module 4, an authorization identification module 5, an Internet isolation detection module 6 and an intranet isolation detection module 7.
A preparation module 1, configured to connect to a target host in a management network, and collect network information of the target host.
The server building module 2 is used for building a DNSLOG platform server.
The port detection module 3 is configured to detect an opening condition of a port used by an RPC protocol of the target host, and record a port detection result.
The host information obtaining module 4 is configured to obtain network card information, IP address information, and host name information of the target host by calling an RPC protocol according to network information and a detection result of the target host, and store the network card information, the IP address information, and the host name information in an RPC detection result file.
And the authorization identifying module 5 is used for screening out the host list of the multi-network card from the RPC detection result file, and identifying the target host which is not authorized to be externally connected by verifying the target host list of the multi-network card.
The internet isolation detection module 6 is used for removing related information of the target host which is unauthorized and externally connected in the RPC detection result file and generating a host list to be detected by the internet; and according to the host list to be detected by the Internet, detecting the effectiveness of Internet security isolation of the target host by utilizing the DNSLOG platform server, and recording the target host with detection failure.
The intranet isolation detection module 7 is used for removing a target host with detection failure from a host list to be detected by the internet, and generating a host list to be detected by the intranet; and classifying and summarizing the target hosts according to the segment C according to a host list to be detected by the intranet, detecting the intranet security isolation effectiveness of the target hosts by using an RPC protocol, and recording the target hosts which are failed to detect.
Referring to fig. 3, the invention also discloses a device for detecting the validity of the security isolation of the host network, which comprises a processor 101 and a memory 102; the processor 101 implements the following steps when executing the host network security isolation validity detection program stored in the memory:
1. and connecting the target host in the management network, and collecting network information of the target host.
2. And constructing a DNSLOG platform server.
3. Detecting the opening condition of a port used by an RPC protocol of a target host, and recording the detection result of the port.
4. According to the network information and the detection result of the target host, the network card information, the IP address information and the host name information of the target host are acquired by calling the RPC protocol and are stored in an RPC detection result file.
5. Screening a host list of the multiple network cards from the RPC detection result file, and identifying an unauthorized externally connected target host by verifying the target host list of the multiple network cards.
6. Related information of an unauthorized external target host is removed from the RPC detection result file, and a host list to be detected by the Internet is generated; and according to the host list to be detected by the Internet, detecting the effectiveness of Internet security isolation of the target host by utilizing the DNSLOG platform server, and recording the target host with detection failure.
7. Removing a target host with failure detection from a host list to be detected by the Internet, and generating a host list to be detected by the intranet; and classifying and summarizing the target hosts according to the segment C according to a host list to be detected by the intranet, detecting the intranet security isolation effectiveness of the target hosts by using an RPC protocol, and recording the target hosts which are failed to detect.
The host network security isolation validity detection device provided in this embodiment may include, but is not limited to, a smart phone, a tablet computer, a notebook computer, a desktop computer, or the like.
Processor 101 may include one or more processing cores, such as a 4-core processor, an 8-core processor, etc. The processor 101 may be implemented in at least one hardware form of digital signal processing (Digital Signal Processor, DSP), field programmable gate array (Field-Programmable Gate Array, FPGA), programmable logic array (Programmable Logic Array, PLA). The processor 101 may also include a main processor and a coprocessor, the main processor being a processor for processing data in an awake state, also referred to as a central processor (Central Processing Unit, CPU); a coprocessor is a low-power processor for processing data in a standby state. In some embodiments, the processor 101 may be integrated with an image processor (Graphics Processing Unit, GPU) for use in connection with rendering and rendering of content to be displayed by the display screen. In some embodiments, the processor 101 may also include an artificial intelligence (Artificial Intelligence, AI) processor for processing computing operations related to machine learning.
Memory 102 may include one or more computer-readable storage media, which may be non-transitory. Memory 102 may also include high-speed random access memory, as well as non-volatile memory, such as one or more magnetic disk storage devices, flash memory storage devices. In this embodiment, the memory 102 is at least used for storing a computer program, where the computer program, after being loaded and executed by the processor 101, can implement the relevant steps of the host network security isolation validity detection method disclosed in any one of the foregoing embodiments. In addition, the resources stored in the memory 102 may also include an operating system, data, and the like, and the storage manner may be transient storage or permanent storage. The operating system may include Windows, unix, linux, among others. The data may include, but is not limited to, data involved in the host network security isolation validity detection method described above, and the like.
Further, the device for detecting validity of security isolation of a host network in this embodiment may further include:
the input interface 103 is configured to obtain a host network security isolation validity detection program imported from the outside, store the obtained host network security isolation validity detection program in the memory 102, and also be configured to obtain various instructions and parameters transmitted by an external terminal device, and transmit the various instructions and parameters to the processor 101, so that the processor 101 uses the various instructions and parameters to develop corresponding processing. In this embodiment, the input interface 103 may specifically include, but is not limited to, a USB interface, a serial interface, a voice input interface, a fingerprint input interface, a hard disk reading interface, and the like.
And an output interface 104 for outputting various data generated by the processor 101 to a terminal device connected thereto, so that other terminal devices connected to the output interface can acquire various data generated by the processor 101. In this embodiment, the output interface 104 may specifically include, but is not limited to, a USB interface, a serial interface, and the like.
The communication unit 105 is used to establish a remote communication connection between the host network security isolation effectiveness detection device and an external server, so that the detection device can mount an image file on the external server. In this embodiment, the communication unit 105 may specifically include, but is not limited to, a remote communication unit based on a wireless or wired communication technology.
A keyboard 106 for acquiring various parameter data or instructions inputted by a user by tapping the key cap in real time.
A display 107 for displaying the relevant information of the security isolation validity detection process of the running host network in real time.
The mouse 108 may be used to assist the user in inputting data and to simplify the user's operation.
In summary, the invention uses the RPC protocol to obtain all network card information of the host and obtain whether the host has the IP address of the non-affiliated network, thereby realizing remote security isolation effectiveness detection.
In this specification, each embodiment is described in a progressive manner; each embodiment focuses on its differences from the others, and the same or similar parts of the embodiments can be referred to one another. Since the system and device disclosed in the embodiments correspond to the method disclosed in the embodiments, their description is relatively brief; for the relevant points, refer to the description of the method.
Those of skill would further appreciate that the various illustrative elements and algorithm steps described in connection with the embodiments disclosed herein may be implemented as electronic hardware, computer software, or combinations of both, and that the various illustrative elements and steps are described above generally in terms of functionality in order to clearly illustrate the interchangeability of hardware and software. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the solution. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present invention.
In the several embodiments provided by the present invention, it should be understood that the disclosed systems, and methods may be implemented in other ways. For example, the system embodiments described above are merely illustrative, e.g., the division of the elements is merely a logical functional division, and there may be additional divisions when actually implemented, e.g., multiple elements or components may be combined or integrated into another system, or some features may be omitted or not performed. Alternatively, the coupling or direct coupling or communication connection shown or discussed with each other may be through some interface, system or unit indirect coupling or communication connection, which may be in electrical, mechanical or other form.
The units described as separate units may or may not be physically separate, and units shown as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, each functional module in the embodiments of the present invention may be integrated in one processing unit, or each module may exist alone physically, or two or more modules may be integrated in one unit.
Similarly, each processing unit in the embodiments of the present invention may be integrated in one functional module, or each processing unit may exist physically, or two or more processing units may be integrated in one functional module.
The steps of a method or algorithm described in connection with the embodiments disclosed herein may be embodied directly in hardware, in a software module executed by a processor, or in a combination of the two. The software modules may be disposed in Random Access Memory (RAM), memory, read Only Memory (ROM), electrically programmable ROM, electrically erasable programmable ROM, registers, hard disk, a removable disk, a CD-ROM, or any other form of storage medium known in the art.
Finally, it is further noted that relational terms such as first and second are used solely to distinguish one entity or action from another, without necessarily requiring or implying any actual such relationship or order between them. Moreover, the terms "comprises", "comprising" or any other variation thereof are intended to cover a non-exclusive inclusion, such that a process, method, article or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such a process, method, article or apparatus. Without further limitation, an element defined by the phrase "comprising a ..." does not exclude the presence of other like elements in the process, method, article or apparatus that comprises the element.
The method, the system and the device for detecting the security isolation effectiveness of the host network provided by the invention are described in detail. The principles and embodiments of the present invention have been described herein with reference to specific examples, the description of which is intended only to facilitate an understanding of the method of the present invention and its core ideas. It should be noted that it will be apparent to those skilled in the art that various modifications and adaptations of the invention can be made without departing from the principles of the invention and these modifications and adaptations are intended to be within the scope of the invention as defined in the following claims.

Claims (10)

1. The method for detecting the effectiveness of the security isolation of the host network is characterized by comprising the following steps:
s1: connecting a target host in a management network, and collecting network information of the target host;
s2: constructing a DNSLOG platform server;
s3: detecting the opening condition of a port used by an RPC protocol of a target host, and recording the detection result of the port;
s4: according to the network information and the detection result of the target host, acquiring network card information, IP address information and host name information of the target host by calling an RPC protocol, and storing the network card information, the IP address information and the host name information in an RPC detection result file;
s5: screening a host list of the multiple network cards from the RPC detection result file, and identifying an unauthorized externally connected target host by verifying the target host list of the multiple network cards;
s6: related information of an unauthorized external target host is removed from the RPC detection result file, and a host list to be detected by the Internet is generated; according to a host list to be detected by the Internet, detecting the effectiveness of Internet security isolation of a target host by utilizing a DNSLOG platform server, and recording the target host with detection failure;
s7: removing a target host with failure detection from a host list to be detected by the Internet, and generating a host list to be detected by the intranet; and classifying and summarizing the target hosts according to the segment C according to a host list to be detected by the intranet, detecting the intranet security isolation effectiveness of the target hosts by using an RPC protocol, and recording the target hosts which are failed to detect.
2. The method for detecting validity of security isolation of a host network according to claim 1, wherein the step S1 includes:
establishing connection with all target hosts in a management network;
collecting all gateway addresses of network segments to which the target host belongs, and storing the gateway addresses in a gateway address list;
and collecting the IP address or IP address network segment of the target host and storing the IP address or IP address network segment into the address list to be detected.
3. The method for detecting validity of security isolation of a host network according to claim 2, wherein the step S2 includes:
and setting up a DNSLOG platform server in an intranet server area or a DMZ area, and setting a DNSLOG domain name to point to the server.
4. The method for detecting validity of security isolation of a host network according to claim 3, wherein the step S3 includes:
and detecting 135 ports and 445 ports of the target host according to the address list to be detected, and recording detection results in a port detection result file.
5. The method for detecting validity of security isolation of a host network according to claim 4, wherein the step S4 includes:
according to the detection result, calling the DCERPC protocol over port 135 of the target host to obtain information, and calling the SMB protocol over port 445 of the target host to obtain information;
After the information is successfully acquired, the network card information, the IP address information and the host name information of the target host are extracted and stored in the RPC detection result file.
6. The method for detecting validity of security isolation of a host network according to claim 5, wherein the step S5 includes:
analyzing the RPC detection result file, screening out target hosts with the number of network cards or IP addresses being more than or equal to 2, and recording the target hosts in a host list of a plurality of network cards;
verifying a host list of the multi-network card by using the enterprise asset registration list, and if the target host recorded in the host list of the multi-network card is recorded as a single-network card host in the enterprise asset registration list, the target host is an unauthorized externally connected target host;
and recording all unauthorized external connected target host information into a first isolation failure host list.
7. The method for detecting validity of security isolation of a host network according to claim 6, wherein the step S6 includes:
deleting corresponding target host information in the RPC detection result file according to the first isolation failure host list, and generating a host list to be detected by the Internet;
acquiring an authentication user name and an authentication password of a target host in a host list to be detected by the Internet;
According to the authentication user name and authentication password of the target host, initiating a DCERPC protocol by using a 135 port or initiating an SMB protocol by using a 445 port to perform user name password authentication;
after successful authentication, initiating a DNS request to a DNSLOG platform server;
and identifying the target host with the Internet security isolation failure by analyzing the log record of the DNSLOG platform server, and recording the target host in a second isolation failure host list.
8. The method for detecting validity of security isolation of a host network according to claim 7, wherein the step S7 includes:
deleting corresponding target host information from a host list to be detected by the Internet according to the second isolation failure host list, and generating a host list to be detected by the intranet;
classifying and summarizing target hosts recorded in a host list to be detected by an intranet according to the section C, initiating a PING request to a gateway address recorded in a gateway address list by using an RPC protocol, and recording a PING request result;
screening out the successful result of PING and forming the relation mapping between the target host and the gateway;
analyzing the relation mapping, screening out the IP addresses and the target gateways which are not allowed to be communicated in the relation mapping, and storing the corresponding target host information into a third isolation failure host list according to the screening result;
And summarizing the first isolation failure host list, the second isolation failure host list and the third isolation failure host list to generate a network security isolation failure host summarizing list.
9. A host network security isolation validity detection system, comprising:
the preparation module is used for connecting the target host computer in the management network and collecting network information of the target host computer;
the server building module is used for building a DNSLOG platform server;
the port detection module is used for detecting the port opening condition used by the RPC protocol of the target host and recording the port detection result;
the host information acquisition module is used for acquiring network card information, IP address information and host name information of the target host by calling an RPC protocol according to the network information and the detection result of the target host, and storing the network card information, the IP address information and the host name information in an RPC detection result file;
the authorization identification module is used for screening out a host list of the multi-network card from the RPC detection result file, and identifying an unauthorized externally connected target host by verifying the target host list of the multi-network card;
the internet isolation detection module is used for removing related information of the target host which is unauthorized and externally connected in the RPC detection result file and generating a host list to be detected by the internet; according to a host list to be detected by the Internet, detecting the effectiveness of Internet security isolation of a target host by utilizing a DNSLOG platform server, and recording the target host with detection failure;
The intranet isolation detection module is used for removing a target host with detection failure from a host list to be detected by the Internet, and generating a host list to be detected by the intranet; and classifying and summarizing the target hosts according to the segment C according to a host list to be detected by the intranet, detecting the intranet security isolation effectiveness of the target hosts by using an RPC protocol, and recording the target hosts which are failed to detect.
10. A host network security isolation validity detection apparatus, comprising:
the memory is used for storing a host network security isolation effectiveness detection program;
a processor for implementing the steps of the host network security isolation validity detection method of any one of claims 1 to 8 when executing the host network security isolation validity detection program.
Application CN202410295697.3A, priority date 2024-03-15, filing date 2024-03-15: Method, system and device for detecting security isolation effectiveness of host network (pending; published as CN117896287A).


Publication: CN117896287A, published 2024-04-16.

Family ID: 90641588


Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20150237060A1 (en) * 2008-10-08 2015-08-20 Cisco Technology, Inc. Target-based smb and dce/rpc processing for an intrusion detection system or intrusion prevention system
CN114584352A (en) * 2022-02-21 2022-06-03 北京北信源软件股份有限公司 Multi-network interconnected network violation external connection detection method, device and system
CN115086208A (en) * 2022-06-14 2022-09-20 深信服科技股份有限公司 Network card detection method and device, electronic equipment and storage medium
CN117319066A (en) * 2023-10-23 2023-12-29 敦和万物信息技术(苏州)有限公司 Specific network-oriented risk assessment method and device for Internet of things equipment
CN117544375A (en) * 2023-11-22 2024-02-09 中国工商银行股份有限公司 Network access method, device, computer equipment and storage medium



Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination