Design and Implement of Common Network Security Scanning System
By Abhishek Kamalayagari

OUTLINE
What the paper is about
Introduction
Scanning methods
Common network security scanning system
Conclusion
References

WHAT THE PAPER IS ABOUT?
COMMON NETWORK SECURITY SCANNING SYSTEM
Emphasizes the role of a network security scanning system in providing network security.
Its positive and negative sides.
Talks about some popular scanning methods.
To get high performance, a network security scanning system based on libnet and libpcap is provided.
Port scanning: the most popular method; tells which machines are up, which ports are open on each machine, which services are running on each host, and some information about the OS.
Vulnerability scanning: tells which machines are vulnerable to "known vulnerabilities".
Remote OS detection: the weaknesses and vulnerabilities of a system are linked to the underlying OS, especially in a networking environment.
Nessus: vulnerability scanning and remote OS detection; it is plug-in based.
Goal is to determine potential vulnerabilities on the tested systems.
Has two parts: a) server: performs the scanning
b) client: manages the server and gives the results to the user.
Server: nessusd (Nessus daemon).
Its vulnerability data is compatible with CVE.
Uses NASL to write plug-ins.
CVE: Common Vulnerabilities and Exposures.
Managed by the MITRE Corporation.
It is a list or dictionary of publicly known information security vulnerabilities and exposures.
It has CVE identifiers that are unique.
CVE’s common identifiers enable data exchange between security products and provide a baseline index point for evaluating coverage of tools and services.
Port scanning: the aim is to find open ports on the remote host.
TCP and UDP are the transport protocols of the TCP/IP protocol suite.
There are 65535 ports in total for applications and protocols.
Send a protocol packet to the remote host, get the response packet; the result identifies the status of the remote host.
Port scanning has three ways:
a) open scanning: needs a whole network connection
b) half scanning: doesn't finish the whole connection, e.g. SYN
c) stealth scanning: uses techniques for slowing down the scan
Open scanning is fast but produces more log entries and can be easily detected; stealth scanning can evade IDS and firewalls but sometimes gives erroneous results.
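The slide's contrast between open and half scanning is visible from the defender's side: a full-connect scan answers every SYN-ACK with an ACK (and leaves a connection log entry), while a SYN scan tears the handshake down with a RST. The following is an added example, not code from the paper or the presenter; it runs over constructed packet records and uses an assumed threshold of three distinct (host, port) targets to separate scanning from ordinary client traffic.

```python
"""Telling a full-connect ("open") scan from a half-open SYN scan in a
connection log. Added example: the records below are constructed, not from
a real capture, and the threshold is an assumed tuning value."""
from collections import defaultdict

# Each record is (src, sport, dst, dport, flags) as a sensor between the hosts
# would log it. Flag letters: S=SYN, A=ACK, R=RST, F=FIN. Constructed data.
PACKETS = [
    # 10.0.0.5: open scan of three ports; every SYN-ACK is answered with an ACK
    ("10.0.0.5", 40001, "10.0.0.10", 22, "S"),  ("10.0.0.10", 22, "10.0.0.5", 40001, "SA"),
    ("10.0.0.5", 40001, "10.0.0.10", 22, "A"),  ("10.0.0.5", 40001, "10.0.0.10", 22, "FA"),
    ("10.0.0.5", 40002, "10.0.0.10", 80, "S"),  ("10.0.0.10", 80, "10.0.0.5", 40002, "SA"),
    ("10.0.0.5", 40002, "10.0.0.10", 80, "A"),  ("10.0.0.5", 40002, "10.0.0.10", 80, "FA"),
    ("10.0.0.5", 40003, "10.0.0.10", 443, "S"), ("10.0.0.10", 443, "10.0.0.5", 40003, "R"),
    # 10.0.0.6: half-open scan of the same ports; every SYN-ACK is answered with a RST
    ("10.0.0.6", 50001, "10.0.0.10", 22, "S"),  ("10.0.0.10", 22, "10.0.0.6", 50001, "SA"),
    ("10.0.0.6", 50001, "10.0.0.10", 22, "R"),
    ("10.0.0.6", 50002, "10.0.0.10", 80, "S"),  ("10.0.0.10", 80, "10.0.0.6", 50002, "SA"),
    ("10.0.0.6", 50002, "10.0.0.10", 80, "R"),
    ("10.0.0.6", 50003, "10.0.0.10", 443, "S"), ("10.0.0.10", 443, "10.0.0.6", 50003, "R"),
    # 10.0.0.7: an ordinary client opening one connection
    ("10.0.0.7", 60001, "10.0.0.10", 22, "S"),  ("10.0.0.10", 22, "10.0.0.7", 60001, "SA"),
    ("10.0.0.7", 60001, "10.0.0.10", 22, "A"),
]


def summarize(packets):
    """Per initiating address: the (dst, dport) pairs it sent a SYN to, which of
    them replied SYN-ACK, and how the initiator answered that SYN-ACK
    (ACK = handshake completed, RST = handshake torn down)."""
    syn, synack = defaultdict(set), defaultdict(set)
    completed, aborted = defaultdict(set), defaultdict(set)
    for src, sport, dst, dport, flags in packets:
        if flags == "S":
            syn[src].add((dst, dport))
        elif flags == "SA":
            # reply from the target: file it under the initiator (dst) and
            # the target's own (address, port)
            synack[dst].add((src, sport))
        elif flags in ("A", "R") and (dst, dport) in synack.get(src, ()):
            (completed if flags == "A" else aborted)[src].add((dst, dport))
    return syn, synack, completed, aborted


def classify_sources(packets, threshold=3):
    """Return {src: {"probed", "completed", "aborted", "verdict"}}. A source
    counts as scanning once it has SYN'd to at least `threshold` distinct
    (host, port) targets (assumed tuning value)."""
    syn, _synack, completed, aborted = summarize(packets)
    report = {}
    for src, targets in syn.items():
        n, c, a = len(targets), len(completed.get(src, ())), len(aborted.get(src, ()))
        if n < threshold:
            verdict = "normal"
        elif a == 0 and c > 0:
            verdict = "connect-scan"      # open scanning: full connections, more log
        elif c == 0 and a > 0:
            verdict = "half-open-scan"    # SYN scanning: handshake never completes
        else:
            verdict = "scan-undetermined" # e.g. every probed port was closed
        report[src] = {"probed": n, "completed": c, "aborted": a, "verdict": verdict}
    return report


if __name__ == "__main__":
    for src, info in classify_sources(PACKETS).items():
        print(src, info)
```

The count is taken over the whole record rather than a sliding time window on purpose: the slide's stealth (slowed) scanning defeats a detector that only counts probes per minute, whereas accumulating per source over a long retention period still catches it, at the cost of memory per source.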
Remote OS detection is important because different operating systems have different kernels and implementation styles.
Even after you know the vulnerability, knowing the OS helps in exploiting it.
An intruder can use OS-specific hacking tools to crack the target.
Example tools: RING (Remote Identification Next Generation) is designed to identify the remote OS with minimal disturbance of the target.
Xprobe, another tool, uses a matrix-based fingerprinting approach.
Scans a specified set of ports on the remote host and tries to detect the service offered at each port and its known vulnerabilities, which can pose threats to the system.
The result is a security assessment of the whole system and of the attacks that are possible.
Vulnerabilities are of two types: introduced by the programmer, introduced by the administrator.
Scanners are of two types: host scanner, network scanner.
System architecture: has 9 modules.
There are 3 security scanning modules in this system. If needed, more scanning modules can be added.
Needs 2 important functions, realized by libnet and libpcap.
A scanning system needs a strong log analysis module.
The system can be placed in front of and behind the firewall.
Written by Mike D. Schiffman, libnet is a C library.
It can create and send packets for many different protocols and protocol blocks.
It can create two types of packet:
a) based on the link layer: needs to create the link-layer protocol block by itself
b) based on a raw socket: creates the protocol blocks from the IP layer upward
Build protocol block (the libnet_build_tcp call from the slide, with the missing comment terminators restored and the context setup the call needs):

#include <libnet.h>

char errbuf[LIBNET_ERRBUF_SIZE];
libnet_t *l = libnet_init(LIBNET_RAW4, NULL, errbuf); /* raw-socket (IP layer) context */
uint16_t src_prt = 40000, dst_prt = 80;               /* example port values */
uint8_t *payload = NULL;
uint32_t payload_s = 0;
libnet_ptag_t tcp;

tcp = libnet_build_tcp(
    src_prt,                  /* source port */
    dst_prt,                  /* destination port */
    0x01010101,               /* sequence number */
    0x02020202,               /* acknowledgement number */
    TH_SYN,                   /* control flags */
    32767,                    /* window size */
    0,                        /* checksum (0 = let libnet compute it) */
    0,                        /* urgent pointer */
    LIBNET_TCP_H + payload_s, /* TCP packet size */
    payload,                  /* payload */
    payload_s,                /* payload size */
    l,                        /* libnet context */
    0);                       /* ptag (0 = build a new block) */
if (tcp == -1)
    fprintf(stderr, "libnet_build_tcp: %s\n", libnet_geterror(l));
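To see what the arguments of libnet_build_tcp actually become on the wire, here is an added example (not libnet code and not from the paper) that lays out the 20-byte TCP header in the same field order, computes the pseudo-header checksum that libnet fills in when the checksum argument is 0, and decodes and verifies a segment the way a capture-side parser would. The addresses and ports are constructed.

```python
"""Pure-Python construction of the TCP header libnet_build_tcp() produces, in
the same field order, plus the checksum libnet computes when 0 is passed.
Added example (not libnet code, not from the paper); addresses are constructed."""
import struct

TH_SYN = 0x02          # same bit that libnet's TH_SYN macro names
TCP_HEADER_LEN = 20    # LIBNET_TCP_H: fixed header, no options


def ip_to_bytes(ip):
    return bytes(int(octet) for octet in ip.split("."))


def inet_checksum(data):
    """RFC 1071 checksum: one's-complement sum of big-endian 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def pseudo_header(src_ip, dst_ip, tcp_len):
    """IPv4 pseudo-header: addresses, zero byte, protocol 6 (TCP), TCP length."""
    return struct.pack("!4s4sBBH", ip_to_bytes(src_ip), ip_to_bytes(dst_ip), 0, 6, tcp_len)


def build_tcp(src_ip, dst_ip, src_prt, dst_prt, seq, ack, flags, win, urg=0, payload=b""):
    """Same parameter order as libnet_build_tcp (minus the context and ptag)."""
    header = struct.pack("!HHIIBBHHH", src_prt, dst_prt, seq, ack,
                         (TCP_HEADER_LEN // 4) << 4,  # data offset in 32-bit words
                         flags, win, 0, urg)          # checksum left 0 for now
    tcp_len = len(header) + len(payload)
    csum = inet_checksum(pseudo_header(src_ip, dst_ip, tcp_len) + header + payload)
    header = header[:16] + struct.pack("!H", csum) + header[18:]
    return header + payload


def parse_tcp(segment):
    """Decode the fixed header back into the libnet_build_tcp fields."""
    names = ("src_prt", "dst_prt", "seq", "ack", "offset_byte", "flags", "win", "checksum", "urg")
    fields = dict(zip(names, struct.unpack("!HHIIBBHHH", segment[:TCP_HEADER_LEN])))
    fields["data_offset"] = (fields.pop("offset_byte") >> 4) * 4
    fields["payload"] = segment[fields["data_offset"]:]
    return fields


def verify_tcp(src_ip, dst_ip, segment):
    """With a correct checksum the sum over pseudo-header + segment folds to zero."""
    return inet_checksum(pseudo_header(src_ip, dst_ip, len(segment)) + segment) == 0


if __name__ == "__main__":
    seg = build_tcp("10.0.0.5", "10.0.0.10", 40000, 80, 0x01010101, 0x02020202, TH_SYN, 32767)
    print(seg.hex())
    print(parse_tcp(seg), verify_tcp("10.0.0.5", "10.0.0.10", seg))
```

The checksum covers the pseudo-header, so the same TCP bytes are only valid between one pair of IP addresses; this is why libnet needs the IPv4 block built in the same context before it can fill the field in, and why a capture-side parser must verify the checksum with the addresses from the enclosing IP header.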
libpcap: a packet capture library.
Designed by Van Jacobson, Craig Leres and Steven McCanne.
Uses the BPF mechanism to get the desired packets quickly.
BPF contains 2 components:
a) the filter and b) the kernel.
The kernel buffer has two buffers:
the store buffer and the hold buffer.
A filter expression includes 3 kinds of qualifier:
a) type: host, net and port
b) direction: the network path, i.e. src or dst
c) protocol: expresses the protocol used in the packet.
Complex filter rules can be built using 'and', 'or', etc.
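The three qualifier kinds and the 'and'/'or' combinators above form a small grammar, and seeing it evaluated makes the semantics concrete (an unqualified 'host' or 'port' matches either direction, and 'and' binds tighter than 'or', as in pcap). The following is an added example, not libpcap code and not from the paper: a recursive-descent evaluator for that subset of the filter syntax, run over constructed packet summaries. Real BPF compiles the expression to a bytecode program that the kernel runs on raw frame bytes; this evaluator walks an expression tree over already-decoded fields instead.

```python
"""Evaluator for a subset of the pcap filter language: [src|dst] host A,
[src|dst] net A/N, [src|dst] port N, tcp|udp|icmp, combined with and/or/not
and parentheses. Added example (not libpcap code); packets are constructed."""
import ipaddress

# Constructed packet summaries, as a capture library would decode each frame.
PACKETS = [
    {"proto": "tcp", "src": "10.0.0.5", "dst": "10.0.0.10", "sport": 40000, "dport": 22},
    {"proto": "tcp", "src": "10.0.0.10", "dst": "10.0.0.5", "sport": 22, "dport": 40000},
    {"proto": "udp", "src": "192.168.1.7", "dst": "10.0.0.10", "sport": 5353, "dport": 53},
    {"proto": "icmp", "src": "10.0.0.6", "dst": "10.0.0.10", "sport": None, "dport": None},
]


class Filter:
    """Parses the expression once into a tree; match() evaluates it per packet.
    Grammar: expr := term ('or' term)*; term := factor ('and' factor)*;
    factor := 'not' factor | '(' expr ')' | primitive."""

    def __init__(self, expr):
        self.toks = expr.replace("(", " ( ").replace(")", " ) ").split()
        self.pos = 0
        self.ast = self._expr()
        if self.pos != len(self.toks):
            raise ValueError("trailing tokens: %r" % self.toks[self.pos:])

    def _peek(self):
        return self.toks[self.pos] if self.pos < len(self.toks) else None

    def _take(self):
        tok = self._peek()
        if tok is None:
            raise ValueError("unexpected end of expression")
        self.pos += 1
        return tok

    def _expr(self):
        node = self._term()
        while self._peek() == "or":
            self._take()
            node = ("or", node, self._term())
        return node

    def _term(self):
        node = self._factor()
        while self._peek() == "and":
            self._take()
            node = ("and", node, self._factor())
        return node

    def _factor(self):
        tok = self._take()
        if tok == "not":
            return ("not", self._factor())
        if tok == "(":
            node = self._expr()
            if self._take() != ")":
                raise ValueError("expected ')'")
            return node
        if tok in ("tcp", "udp", "icmp"):
            return ("proto", tok)
        direction = "any"                      # unqualified: match either end
        if tok in ("src", "dst"):
            direction, tok = tok, self._take()
        if tok == "host":
            return ("host", direction, ipaddress.ip_address(self._take()))
        if tok == "net":
            return ("net", direction, ipaddress.ip_network(self._take(), strict=False))
        if tok == "port":
            return ("port", direction, int(self._take()))
        raise ValueError("unexpected token %r" % tok)

    @staticmethod
    def _ends(pkt, direction, src_key, dst_key):
        return {"src": [pkt[src_key]], "dst": [pkt[dst_key]],
                "any": [pkt[src_key], pkt[dst_key]]}[direction]

    def _eval(self, node, pkt):
        kind = node[0]
        if kind == "or":
            return self._eval(node[1], pkt) or self._eval(node[2], pkt)
        if kind == "and":
            return self._eval(node[1], pkt) and self._eval(node[2], pkt)
        if kind == "not":
            return not self._eval(node[1], pkt)
        if kind == "proto":
            return pkt["proto"] == node[1]
        _, direction, value = node
        if kind == "port":
            return value in self._ends(pkt, direction, "sport", "dport")
        addrs = [ipaddress.ip_address(a) for a in self._ends(pkt, direction, "src", "dst")]
        if kind == "host":
            return any(a == value for a in addrs)
        return any(a in value for a in addrs)    # net

    def match(self, pkt):
        return self._eval(self.ast, pkt)


def apply_filter(expr, packets):
    """Indices of the packets the filter expression accepts."""
    f = Filter(expr)
    return [i for i, p in enumerate(packets) if f.match(p)]


if __name__ == "__main__":
    for expr in ("tcp and dst port 22", "host 10.0.0.5", "src net 192.168.1.0/24 and not tcp"):
        print(expr, "->", apply_filter(expr, PACKETS))
```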
The system can analyze the captured packets to get more useful information.
A common network scanning system is designed and implemented, which can help the administrator assess security weaknesses, identify risks and refine the security policy.
It can find vulnerabilities before a hacker intrudes into the system through attacks such as Trojans, DoS attacks, buffer overflows, etc.
It is based on libnet and libpcap, which makes it more transparent.
Wentao Liu, Design and Implement of Common Network Security scanning system,