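Thesis title: The Design and Implementation of A Computer Network Vulnerabilities Assessment System
Author: Xing Xujia (邢栩嘉)
Advisor: Lin Chuang (林闯)
Degree: Master's
Major: Computer Technology Engineering
Institution: Tsinghua University
Pages: 93
File size: 2799k
Date: 2004-06-01
Thesis site: http://www.lw23.com/lunwen_973997852/
Keywords: Network Security, Vulnerability Assessment, Hole Scan, Crystal Report, XML

Abstract:
In computer security, and in network security in particular, assessing the vulnerability of computer systems is very important. Vulnerabilities in a computer system connected to a network may allow a malicious attacker elsewhere on the network to break into the system, compromising the integrity, availability and confidentiality of the data it holds. The ultimate goal of network vulnerability assessment is to guide system administrators in finding a balance between "the cost of security" and "the likelihood of intrusion". Vulnerability assessment methods have progressed from manual to automated assessment, and are now moving from partial assessment toward whole-system assessment and from rule-based methods toward model-based methods. However, only rule-based automated assessment methods can so far be applied in actual products. Such products are generally called vulnerability scanning products or security risk scanning products.

Security products on the computer security market today fall mainly into anti-virus, firewall, commercial cryptography, CA systems, and intrusion detection and vulnerability scanning. Of these, anti-virus, firewall and intrusion detection, the three categories related to network attacks, all belong to passive defense, whereas vulnerability scanning products belong to active defense: they can find the vulnerabilities in a system before a possible attack occurs and alert the system administrator to fix them.

The work of this thesis is to design and implement an easy-to-use, powerful computer network vulnerability assessment system. The system is aimed mainly at experienced system administrators. It uses a client/server architecture. The server runs on Linux and stores the scan plug-ins, stores default configuration parameters, loads scan plug-ins to perform security scans of target systems, sends scan status and results to the client, and records operation logs. Direct operation of the server is possible only through a dedicated shell restricted to minimal functionality. The client runs on Windows and manages and controls the server's execution of vulnerability scanning tasks, providing scan task management, scan policy management, status/message display, generation and output of scan result reports, and tiered user management. The reporting part of the system can be designed and implemented in two ways: relational database + database access program, or XML + XSL. We finally adopted XML + XSL for the system's reports, but this thesis describes and compares both methods in some detail.

Abstract (English version):
Computer vulnerability assessment is an important part of computer security, especially network security. The vulnerabilities of computers on a network can be exploited by attackers, which can break the integrity, availability and/or confidentiality of internal data. The goal of vulnerability assessment is to help administrators balance the cost and effect of security. Assessment methods have moved from the manual age into the automatic age, and are now heading from partial assessment towards global assessment and from rule-based assessment towards model-based assessment. However, only rule-based automatic methods can be applied in realistic vulnerability assessment tools so far.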
These tools are called hole-scan tools.

There are six main families in the security products market: Anti-Virus, Firewall, Crypto, Certificate Authority, Intrusion Detection and Vulnerability Assessment. Anti-Virus, Firewall and IDS are all passive defense systems, while a Vulnerability Assessment system is an active defense system. It can find the vulnerabilities of a computer system before attackers do and notify administrators, who can prevent the system from being destroyed by applying patches or changing configuration.

The work behind this paper is to design and implement an easy-to-use and powerful computer vulnerability assessment system. The system is intended for experienced system administrators. It has a client/server structure: the server runs on a Linux platform and the client runs on a Windows platform. Users can operate the server only through a minimal-function shell. The server receives commands from the client, performs the scanning jobs and logs all operations. The client offers task management, policy management, user management and other functions. Two methods could be used to generate the system's reports: relational database system + database access applications, or XML + XSL. We finally chose the second, but this paper compares the two methods in detail.