Background
With the rapid development of network technology, tens of thousands of network security vulnerabilities are published every year, and network attacks are endless and increasingly severe. In addition, because a system administrator is careless or inexperienced, network vulnerabilities may not be discovered manually. Vulnerability scanning equipment, which scans objects such as web pages, application systems and network environments, can detect potential security hazards on intranet hosts and remind security management personnel to upgrade systems and protect against attacks on the vulnerabilities, so vulnerability scanning equipment has attracted considerable attention.
Traditional vulnerability scanning equipment identifies the type and version of the target host's operating system and service programs by probing the working state of the target host, identifies the state of the target host's ports, analyzes the vulnerabilities of the system according to known vulnerability information, and finally generates a scanning result report. The most commonly used host-alive scanning techniques include echo scanning with the Internet Control Message Protocol (ICMP), ICMP broadcast scanning, and the like.
In traditional host-alive scanning for vulnerability scanning, alive detection of a host is based on the Internet Protocol (IP). When the vulnerability scanning equipment can reach the target host over the network, it sends an ICMP echo request to the host and waits for an ICMP response to judge whether the host is alive; alternatively, it broadcasts to the entire network segment to detect which hosts in the segment are alive. This IP-based host-alive scanning technique distinguishes target hosts by IP address only. It requires that the IP addresses of target hosts do not conflict, which is a limitation: the selection of target hosts can be distinguished only by IP, with no flexibility or diversity.
In addition, in a scenario with multiple public clouds and multiple tenants, IP addresses can be repeated because of the layer-3 isolation between clouds and between tenants, so existing vulnerability scanning equipment has a fundamental problem: centralized vulnerability scanning, namely vulnerability scanning of the whole network across the multiple public clouds and tenants, cannot be realized. The current alternative is to deploy distributed vulnerability scanning devices in the public cloud, one per tenant, with each device scanning a single tenant over a small range. Distributed vulnerability scanning equipment solves the problem of providing a multi-tenant scanning service, but its cost is huge, its deployment is troublesome and scattered, it is not easy to manage centrally, the cost of multiple sets of scanning equipment is too high, and the deployment of differentiated scanning services for users is complicated.
Disclosure of Invention
The embodiment of the invention aims to provide a vulnerability scanning method and device, which can be used for positioning a target virtual machine in multiple ways, so that vulnerability scanning of a network can be realized through a set of vulnerability scanning equipment, and deployment, operation and maintenance management of the vulnerability scanning equipment are facilitated.
In order to achieve the above object, an embodiment of the present invention provides a vulnerability scanning method, which is applied to vulnerability scanning equipment, and the method includes:
acquiring a scanning request input by a user;
acquiring an information list from a controller according to the scanning request, wherein the information list records first information of the virtual machine deployed on each server;
and positioning a target virtual machine needing vulnerability scanning from the information list according to the scanning request, and carrying out vulnerability scanning on the target virtual machine.
According to the scanning request, a target virtual machine which needs to be subjected to vulnerability scanning is positioned from the information list, and vulnerability scanning is carried out on the target virtual machine, and the vulnerability scanning method specifically comprises the following steps:
acquiring characteristic information of a virtual machine to be scanned in a scanning request, wherein the characteristic information of the virtual machine to be scanned comprises a physical address, an IP address, a subnet identifier and/or a tenant identifier;
inquiring whether first information matched with the characteristic information of the virtual machine to be scanned exists in the information list, wherein the first information comprises a physical address, an IP address, a subnet identification, a tenant identification and an identification of a virtual switch corresponding to the virtual machine;
when first information matched with the characteristic information exists in the information list, taking a virtual machine corresponding to the first information as a target virtual machine, and determining a path for vulnerability scanning of the target virtual machine according to the first information;
and scanning the target virtual machine for vulnerabilities through the path.
The embodiment of the invention also provides a vulnerability scanning device, which is applied to vulnerability scanning equipment and comprises:
the first acquisition module is used for acquiring a scanning request input by a user;
the second acquisition module is used for acquiring an information list from the controller according to the scanning request, wherein the information list records first information of the virtual machine deployed on each server;
and the positioning module is used for positioning the target virtual machine needing vulnerability scanning from the information list according to the scanning request and carrying out vulnerability scanning on the target virtual machine.
Wherein, the positioning module includes:
a first acquisition unit, used for acquiring the characteristic information of the virtual machine to be scanned in the scanning request, wherein the characteristic information of the virtual machine to be scanned comprises a physical address, an IP address, a subnet identifier and/or a tenant identifier;
an inquiring unit, used for inquiring whether first information matched with the characteristic information of the virtual machine to be scanned exists in the information list, wherein the first information comprises a physical address, an IP (Internet protocol) address, a subnet identifier, a tenant identifier and an identifier of the virtual switch corresponding to the virtual machine, and the determining unit is triggered when first information matched with the characteristic information exists in the information list;
the determining unit is used for taking the virtual machine corresponding to the first information as a target virtual machine according to the triggering of the inquiring unit, and determining a path for carrying out vulnerability scanning on the target virtual machine according to the first information;
and the scanning unit is used for carrying out vulnerability scanning on the target virtual machine through the path.
The embodiment of the invention also provides vulnerability scanning equipment which comprises the vulnerability scanning device.
The embodiment of the invention also provides a vulnerability scanning method which is applied to a controller and comprises the following steps:
acquiring second information of the virtual machine deployed on each server from the virtual switch;
storing the second information into an information list;
and transmitting the information list to vulnerability scanning equipment.
The obtaining of the second information of the virtual machine deployed on each server from the virtual switch specifically includes:
and acquiring second information of the virtual machine deployed on each server from the virtual switch through an openflow protocol, wherein the second information of the virtual machine comprises a physical address, an IP (Internet protocol) address, a subnet identifier and a tenant identifier of the virtual machine.
Wherein, store the second information into an information list, include specifically:
adding an identifier of a virtual switch corresponding to a virtual machine to which the second information belongs to the second information to obtain first information;
and storing the first information into an information list.
The embodiment of the invention also provides a vulnerability scanning device, which is applied to a controller and comprises the following components:
a third obtaining module, configured to obtain, from the virtual switch, second information of the virtual machine deployed on each server;
the storage module is used for storing the second information into an information list;
and the first transmission module is used for transmitting the information list to the vulnerability scanning equipment.
Wherein, the third acquisition module includes:
and the second obtaining unit is used for obtaining second information of the virtual machine deployed on each server from the virtual switch through an openflow protocol, wherein the second information of the virtual machine comprises a physical address, an IP address, a subnet identifier and a tenant identifier of the virtual machine.
Wherein, the storage module includes:
the adding unit is used for adding the identifier of the virtual switch corresponding to the virtual machine to which the second information belongs in the second information to obtain first information;
and the storage unit is used for storing the first information into the information list.
The embodiment of the invention also provides a controller which comprises the vulnerability scanning device.
The embodiment of the invention also provides a vulnerability scanning method, which is applied to the virtual switch and comprises the following steps:
acquiring second information of the virtual machine deployed on the server;
and transmitting the second information of the virtual machine to the controller.
Wherein, the second information of the virtual machine is transmitted to the controller, specifically:
and transmitting second information to the controller through an openflow protocol, wherein the second information of the virtual machine comprises a physical address, an IP address, a subnet identifier and a tenant identifier of the virtual machine.
The embodiment of the invention also provides a vulnerability scanning device, which is applied to a virtual switch and comprises:
the fourth obtaining module is used for obtaining second information of the virtual machine deployed on the server;
and the second transmission module is used for transmitting the second information of the virtual machine to the controller.
Wherein the second transmission module includes:
and the transmission unit is used for transmitting second information to the controller through an openflow protocol, wherein the second information of the virtual machine comprises a physical address, an IP (Internet protocol) address, a subnet identifier and a tenant identifier of the virtual machine.
The embodiment of the invention also provides a virtual switch which comprises the vulnerability scanning device.
The scheme of the invention at least comprises the following beneficial effects:
in the embodiment of the invention, the target virtual machine that needs vulnerability scanning is positioned from the information list acquired from the controller according to the acquired scanning request, and vulnerability scanning is carried out on the target virtual machine. This solves the problem that the target virtual machine can be distinguished only by IP (Internet protocol) address and that multiple sets of vulnerability scanning equipment must be deployed to scan the network: the target virtual machine is positioned in multiple ways, vulnerability scanning of the network can be realized by one set of vulnerability scanning equipment, and the deployment, operation and maintenance management of the vulnerability scanning equipment are further facilitated.
Detailed Description
Exemplary embodiments of the present disclosure will be described in more detail below with reference to the accompanying drawings. While exemplary embodiments of the present disclosure are shown in the drawings, it should be understood that the present disclosure may be embodied in various forms and should not be limited to the embodiments set forth herein. Rather, these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the scope of the disclosure to those skilled in the art.
First embodiment
As shown in fig. 1, a first embodiment of the present invention provides a vulnerability scanning method, which is applied to vulnerability scanning equipment, where the method includes:
step S11, obtaining a scanning request input by a user;
in the first embodiment of the present invention, the scanning request carries feature information of a virtual machine to be scanned, and the feature information of the virtual machine to be scanned includes a physical (MAC) address, an IP address, a subnet identifier, and/or a tenant identifier of the virtual machine to be scanned, so that a vulnerability scanning device can distinguish a target virtual machine based on one or more of the physical address, the IP address, the subnet identifier, and the tenant identifier, and thus, a vulnerability scanning on a network can be implemented by a set of vulnerability scanning device, and deployment, operation, and maintenance management of the vulnerability scanning device are facilitated.
Step S12, according to the scanning request, obtaining an information list from the controller, wherein the information list records the first information of the virtual machine deployed on each server;
in the first embodiment of the present invention, the above-described server refers to a physical server.
In the first embodiment of the present invention, the first information of the virtual machine includes a physical address, an IP address, a subnet identifier, a tenant identifier, and an identifier of the virtual switch to which the virtual machine corresponds. It should be noted that the controller and the Virtual Switch (VSW) deployed on each server form an overlay network, where the physical address, the IP address, the subnet (VXLAN) identifier and the tenant identifier of the virtual machine in the first information are obtained by the controller from the virtual switch through the openflow protocol.
In the first embodiment of the present invention, the vulnerability scanning device may synchronize the information list from the controller by a simple file transfer, for example, using the File Transfer Protocol (FTP).
And step S13, positioning a target virtual machine needing vulnerability scanning from the information list according to the scanning request, and carrying out vulnerability scanning on the target virtual machine.
In a first embodiment of the present invention, the step S13 specifically includes:
firstly, the characteristic information of the virtual machine to be scanned is obtained from the scanning request, so that the target virtual machine can be positioned according to the characteristic information in the following steps;
secondly, it is inquired whether first information matched with the characteristic information of the virtual machine to be scanned exists in the information list; when such first information exists in the information list, the virtual machine corresponding to the first information is taken as the target virtual machine, and a path for carrying out vulnerability scanning on the target virtual machine is determined according to the first information;
it should be noted that the above-mentioned path for performing vulnerability scanning on the target virtual machine mainly refers to determining an identifier of a virtual switch corresponding to the target virtual machine, so that the vulnerability scanning device sends a request (for example, an ICMP echo request) to the target virtual machine through the virtual switch.
And thirdly, scanning the vulnerability of the target virtual machine through the determined path.
In the first embodiment of the present invention, the vulnerability scanning of the target virtual machine may be implemented in an existing manner, for example, by sending a request (for example, an ICMP echo request) to the target virtual machine through the determined path (i.e., the virtual switch corresponding to the target virtual machine). A vulnerability scanning report is then generated according to the response of the target virtual machine, so that an administrator can conveniently take corresponding security measures (such as a system upgrade).
In the first embodiment of the present invention, the vulnerability scanning device positions the target virtual machine in multiple ways, so that a set of vulnerability scanning device can scan vulnerabilities of a network (for example, a public cloud multi-tenant network), thereby facilitating deployment, operation and maintenance management of the vulnerability scanning device, and providing a vulnerability scanning report in a unified manner, thereby facilitating horizontal and vertical comparison. In addition, in the first embodiment of the present invention, the conventional underlying Network is not changed, and the virtual switch collects the physical address, the IP address, the subnet identifier, and the tenant identifier of the virtual machine by using the communication of the overlay Network, and reports them to the controller, so that the present invention is suitable for a Software Defined Network (SDN).
It should be noted that the conventional network includes a virtual machine or a physical server, so vulnerability scanning can be implemented according to the above steps S11 to S13 only by adding an access switch and an SDN controller that support the openflow protocol or by adding a virtual switch in the conventional network that supports the openflow protocol.
In the first embodiment of the present invention, steps S11 to S13 are further described with a specific example. As shown in fig. 2, there are two users in the SDN network, Tenant 1 (Tenant ID1) and Tenant 2 (Tenant ID2), where Tenant ID1 and Tenant ID2 represent the tenant identifiers of Tenant 1 and Tenant 2 respectively, and the VXLAN identifiers of Tenant 1 and Tenant 2 are VXLAN ID1 and VXLAN ID2 respectively. Tenant 1 creates 4 virtual machines (VMs): VM1 (MAC1, 10.1.1.2), VM2 (MAC2, 10.1.1.3), VM3 (MAC3, 10.1.1.4) and VM4 (MAC4, 10.1.1.5), where MAC1, MAC2, MAC3 and MAC4 represent the physical addresses of VM1, VM2, VM3 and VM4 respectively, and 10.1.1.2, 10.1.1.3, 10.1.1.4 and 10.1.1.5 represent their IP addresses respectively; the VXLAN identifier and tenant identifier corresponding to VM1 to VM4 are VXLAN ID1 and Tenant ID1. VM1 and VM2 are located on a server equipped with VSW1, and VM3 and VM4 on a server equipped with VSW2, so the information stored on VSW1 and VSW2 is as shown in Table 1 and Table 2 respectively. Tenant 2 likewise has 4 virtual machines, VM5 (MAC5, 10.1.1.2), VM6 (MAC6, 10.1.1.3), VM7 (MAC7, 10.1.1.4) and VM8 (MAC8, 10.1.1.5), where MAC5, MAC6, MAC7 and MAC8 represent the physical addresses of VM5, VM6, VM7 and VM8 respectively, and 10.1.1.2, 10.1.1.3, 10.1.1.4 and 10.1.1.5 represent their IP addresses respectively; the VXLAN identifier and tenant identifier corresponding to VM5 to VM8 are VXLAN ID2 and Tenant ID2. VM5 and VM6 are located on a server equipped with VSW3, and VM7 and VM8 on a server equipped with VSW4, so the information stored on VSW3 and VSW4 is as shown in Table 3 and Table 4 respectively. Note that the two tenants reuse the same IP addresses. The information list on the controller, in which each entry carries the identifier of its virtual switch, is shown in Table 5.
| MAC address | IP address | VXLAN identification | Tenant identification |
|---|---|---|---|
| MAC1 | 10.1.1.2 | VXLAN ID1 | Tenant ID1 |
| MAC2 | 10.1.1.3 | VXLAN ID1 | Tenant ID1 |

TABLE 1
| MAC address | IP address | VXLAN identification | Tenant identification |
|---|---|---|---|
| MAC3 | 10.1.1.4 | VXLAN ID1 | Tenant ID1 |
| MAC4 | 10.1.1.5 | VXLAN ID1 | Tenant ID1 |

TABLE 2
| MAC address | IP address | VXLAN identification | Tenant identification |
|---|---|---|---|
| MAC5 | 10.1.1.2 | VXLAN ID2 | Tenant ID2 |
| MAC6 | 10.1.1.3 | VXLAN ID2 | Tenant ID2 |

TABLE 3
| MAC address | IP address | VXLAN identification | Tenant identification |
|---|---|---|---|
| MAC7 | 10.1.1.4 | VXLAN ID2 | Tenant ID2 |
| MAC8 | 10.1.1.5 | VXLAN ID2 | Tenant ID2 |

TABLE 4
| MAC address | IP address | VXLAN identification | Tenant identification | Identification of VSW |
|---|---|---|---|---|
| MAC1 | 10.1.1.2 | VXLAN ID1 | Tenant ID1 | VSW1 |
| MAC2 | 10.1.1.3 | VXLAN ID1 | Tenant ID1 | VSW1 |
| MAC3 | 10.1.1.4 | VXLAN ID1 | Tenant ID1 | VSW2 |
| MAC4 | 10.1.1.5 | VXLAN ID1 | Tenant ID1 | VSW2 |
| MAC5 | 10.1.1.2 | VXLAN ID2 | Tenant ID2 | VSW3 |
| MAC6 | 10.1.1.3 | VXLAN ID2 | Tenant ID2 | VSW3 |
| MAC7 | 10.1.1.4 | VXLAN ID2 | Tenant ID2 | VSW4 |
| MAC8 | 10.1.1.5 | VXLAN ID2 | Tenant ID2 | VSW4 |

TABLE 5
After the vulnerability scanning device obtains the scanning request input by the user, the information list shown in Table 5 is synchronized from the controller. For example, when the feature information of the virtual machine to be scanned carried in the scan request is "the virtual machine with IP 10.1.1.2 and Tenant ID1", the vulnerability scanning device searches the information list shown in Table 5 and finds that the scan path is through VSW1 to the target host VM1 (MAC1); the vulnerability scanning device then sends a request to the target host through VSW1 to perform vulnerability scanning. Similarly, if the feature information carried in the scanning request is "all virtual machines under Tenant ID1", the vulnerability scanning device searches the information list shown in Table 5 and finds two scan paths: through VSW1 to the target hosts VM1 and VM2, and through VSW2 to the target hosts VM3 and VM4. Likewise, if the feature information carried in the scan request is "all virtual machines under Tenant ID1 and VXLAN ID1", the vulnerability scanning device searches the information list shown in Table 5 and again finds the scan path through VSW1 to VM1 and VM2 and the scan path through VSW2 to VM3 and VM4. This enables the user to complete a customized scan request.
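The following is an added worked example, not code from the patent, covering two of the steps described above: the controller's step S42 (tagging each virtual switch's second information with the VSW identifier to produce the first information of Table 5, also described in the fourth embodiment) and the scanning device's step S13 (matching the feature information of a scan request against that list and grouping the matched virtual machines by the virtual switch the scan must pass through). The data is constructed from Tables 1 to 4; MAC1 to MAC8 are the placeholder physical addresses the description itself uses, and the field names, class names and functions are assumptions of this example. The example also shows the failure mode that motivates the multi-field lookup: a request carrying only IP 10.1.1.2 matches one virtual machine in each tenant, and only adding the tenant identifier makes it unambiguous.

```python
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class SecondInfo:
    """Second information: what a virtual switch reports to the controller."""
    mac: str
    ip: str
    vxlan_id: str
    tenant_id: str


@dataclass(frozen=True)
class FirstInfo(SecondInfo):
    """First information: second information plus the identifier of the
    virtual switch that reported it (the layout of Table 5)."""
    vsw_id: str


# Constructed sample data modelled on Tables 1 to 4 of the example. The outer
# keys are the virtual switch identifiers; MAC1..MAC8 are placeholders.
VSW_TABLES: Dict[str, List[SecondInfo]] = {
    "VSW1": [SecondInfo("MAC1", "10.1.1.2", "VXLAN ID1", "Tenant ID1"),
             SecondInfo("MAC2", "10.1.1.3", "VXLAN ID1", "Tenant ID1")],
    "VSW2": [SecondInfo("MAC3", "10.1.1.4", "VXLAN ID1", "Tenant ID1"),
             SecondInfo("MAC4", "10.1.1.5", "VXLAN ID1", "Tenant ID1")],
    "VSW3": [SecondInfo("MAC5", "10.1.1.2", "VXLAN ID2", "Tenant ID2"),
             SecondInfo("MAC6", "10.1.1.3", "VXLAN ID2", "Tenant ID2")],
    "VSW4": [SecondInfo("MAC7", "10.1.1.4", "VXLAN ID2", "Tenant ID2"),
             SecondInfo("MAC8", "10.1.1.5", "VXLAN ID2", "Tenant ID2")],
}

# Feature fields a scan request may carry: physical address, IP address,
# subnet (VXLAN) identifier and/or tenant identifier.
REQUEST_FIELDS = {"mac", "ip", "vxlan_id", "tenant_id"}


def build_information_list(vsw_tables: Dict[str, List[SecondInfo]]) -> List[FirstInfo]:
    """Controller step S42: append the VSW identifier to every entry of
    second information, producing the first information list."""
    return [
        FirstInfo(e.mac, e.ip, e.vxlan_id, e.tenant_id, vsw_id)
        for vsw_id, entries in vsw_tables.items()
        for e in entries
    ]


def locate_targets(info_list: List[FirstInfo], request: Dict[str, str]) -> Dict[str, List[str]]:
    """Scanning device step S13: every field present in the request must match
    the first information; matching VMs (by MAC) are grouped under the VSW
    through which the scan request is sent. An empty or malformed request is
    rejected instead of silently matching every VM in the list."""
    if not request:
        raise ValueError("scan request carries no feature information")
    unknown = set(request) - REQUEST_FIELDS
    if unknown:
        raise ValueError(f"unsupported feature fields: {sorted(unknown)}")
    paths: Dict[str, List[str]] = {}
    for entry in info_list:
        if all(getattr(entry, field) == value for field, value in request.items()):
            paths.setdefault(entry.vsw_id, []).append(entry.mac)
    return paths


if __name__ == "__main__":
    info_list = build_information_list(VSW_TABLES)
    # IP 10.1.1.2 alone is ambiguous because both tenants reuse it; adding
    # the tenant identifier narrows the target to VM1 behind VSW1.
    print(locate_targets(info_list, {"ip": "10.1.1.2"}))
    print(locate_targets(info_list, {"ip": "10.1.1.2", "tenant_id": "Tenant ID1"}))
    print(locate_targets(info_list, {"tenant_id": "Tenant ID1"}))
```

The returned mapping is the "path" of step S13: each key is the virtual switch the scanning device must send its request (for example an ICMP echo request) through, and each value lists the target hosts reachable behind it, which is exactly how the three sample requests in the text resolve against Table 5.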
Second embodiment
As shown in fig. 3, a second embodiment of the present invention provides a vulnerability scanning apparatus, which is applied to vulnerability scanning equipment, and the apparatus includes:
a first obtaining module 31, configured to obtain a scanning request input by a user;
a second obtaining module 32, configured to obtain an information list from the controller according to the scanning request, where the information list records first information of the virtual machine deployed on each server;
and the positioning module 33 is configured to position a target virtual machine that needs vulnerability scanning from the information list according to the scanning request, and perform vulnerability scanning on the target virtual machine.
Wherein, the positioning module 33 includes:
a first acquisition unit, used for acquiring the characteristic information of the virtual machine to be scanned in the scanning request, wherein the characteristic information of the virtual machine to be scanned comprises a physical address, an IP address, a subnet identifier and/or a tenant identifier;
an inquiring unit, used for inquiring whether first information matched with the characteristic information of the virtual machine to be scanned exists in the information list, wherein the first information comprises a physical address, an IP (Internet protocol) address, a subnet identifier, a tenant identifier and an identifier of the virtual switch corresponding to the virtual machine, and the determining unit is triggered when first information matched with the characteristic information exists in the information list;
the determining unit is used for taking the virtual machine corresponding to the first information as a target virtual machine according to the triggering of the inquiring unit, and determining a path for carrying out vulnerability scanning on the target virtual machine according to the first information;
and the scanning unit is used for carrying out vulnerability scanning on the target virtual machine through the path.
In the second embodiment of the present invention, the vulnerability scanning device positions the target virtual machine in multiple ways, so that a set of vulnerability scanning device can scan vulnerabilities of a network (for example, a public cloud multi-tenant network), thereby facilitating deployment, operation and maintenance management of the vulnerability scanning device, and providing a vulnerability scanning report in a unified manner, thereby facilitating horizontal and vertical comparison.
It should be noted that the apparatus for vulnerability scanning applied to the vulnerability scanning device provided in the second embodiment of the present invention is an apparatus for applying the method for vulnerability scanning applied to the vulnerability scanning device, that is, all embodiments of the method for vulnerability scanning applied to the vulnerability scanning device are applicable to the apparatus, and can achieve the same or similar beneficial effects.
Third embodiment
A third embodiment of the present invention provides vulnerability scanning equipment, which includes the vulnerability scanning device applied to vulnerability scanning equipment.
It should be noted that the vulnerability scanning equipment provided in the third embodiment of the present invention is vulnerability scanning equipment including the vulnerability scanning device applied to vulnerability scanning equipment, that is, all embodiments of the vulnerability scanning device applied to vulnerability scanning equipment are applicable to the equipment, and all can achieve the same or similar beneficial effects.
Fourth embodiment
As shown in fig. 4, a fourth embodiment of the present invention provides a vulnerability scanning method applied to a controller, where the method includes:
step S41, acquiring second information of the virtual machine deployed on each server from the virtual switch;
in a fourth embodiment of the present invention, the above-described server refers to a physical server.
In a fourth embodiment of the present invention, the controller and the VSW deployed on each server form an overlay network, and the controller may obtain, from the virtual switch, the second information of the virtual machine deployed on each server through an openflow protocol, where the second information of the virtual machine includes a physical address, an IP address, a subnet identifier, and a tenant identifier of the virtual machine.
Step S42, storing the second information into an information list;
in a fourth embodiment of the present invention, after acquiring the second information of the virtual machine, the controller adds an identifier of a virtual switch corresponding to the virtual machine to which the second information belongs to the second information to obtain the first information, and stores the first information in the information list.
And step S43, transmitting the information list to the vulnerability scanning equipment.
In a fourth embodiment of the present invention, the controller may transmit the information list to the vulnerability scanning device by a simple file transfer, for example, using the File Transfer Protocol (FTP).
In a fourth embodiment of the present invention, the controller updates the information list in real time when the user creates, deletes or changes the virtual machine.
In the fourth embodiment of the present invention, the controller transmits the information list to the vulnerability scanning device, so that the vulnerability scanning device can locate the target virtual machine in multiple ways, and the vulnerability scanning device can scan the vulnerability of the network (for example, a public cloud multi-tenant network) through one set of vulnerability scanning device, thereby facilitating deployment, operation and maintenance management of the vulnerability scanning device, and uniformly issuing a vulnerability scanning report, thereby facilitating the horizontal and vertical comparison.
In the fourth embodiment of the present invention, the above step S42 is further described with an example. Assuming that the second information of the virtual machine stored on the virtual switch (VSW ID1) is as shown in Table 6, the information list on the controller is as shown in Table 7, where MAC1, IP1, VXLAN ID1 and Tenant ID1 respectively represent the physical address, IP address, subnet identifier and tenant identifier of the virtual machine, and VSW ID1 represents the identifier of the virtual switch corresponding to the virtual machine.
| MAC address | IP address | VXLAN identification | Tenant identification |
|---|---|---|---|
| MAC1 | IP1 | VXLAN ID1 | Tenant ID1 |

TABLE 6
| MAC address | IP address | VXLAN identification | Tenant identification | Identification of VSW |
|---|---|---|---|---|
| MAC1 | IP1 | VXLAN ID1 | Tenant ID1 | VSW ID1 |

TABLE 7
Fifth embodiment
As shown in fig. 5, a fifth embodiment of the present invention provides a vulnerability scanning apparatus, which is applied to a controller and includes:
a third obtaining module 51, configured to obtain, from the virtual switch, second information of the virtual machine deployed on each server;
wherein the third obtaining module 51 includes:
a second obtaining unit, configured to obtain, from the virtual switch through the OpenFlow protocol, the second information of the virtual machine deployed on each server, where the second information of the virtual machine includes a physical address, an IP address, a subnet identifier and a tenant identifier of the virtual machine;
a storage module 52, configured to store the second information in an information list;
wherein the storage module 52 includes:
an adding unit, configured to add, to the second information, the identifier of the virtual switch corresponding to the virtual machine to which the second information belongs, so as to obtain first information; and
a storage unit, configured to store the first information in the information list; and
a first transmission module 53, configured to transmit the information list to the vulnerability scanning device.
In the fifth embodiment of the present invention, the controller transmits the information list to the vulnerability scanning device, so that the vulnerability scanning device can locate the target virtual machine in multiple ways (by physical address, IP address, subnet identifier, tenant identifier or virtual switch identifier, rather than by IP address alone), and a single set of vulnerability scanning equipment can scan the vulnerabilities of a network (for example, a public cloud multi-tenant network). This facilitates the deployment, operation and maintenance management of the vulnerability scanning device and provides vulnerability scanning reports in a unified manner, which in turn facilitates horizontal and vertical comparison.
It should be noted that the apparatus for vulnerability scanning applied to a controller according to the fifth embodiment of the present invention is an apparatus that applies the method for vulnerability scanning applied to a controller; that is, all embodiments of the method for vulnerability scanning applied to a controller are applicable to the apparatus and can achieve the same or similar beneficial effects.
Sixth embodiment
A sixth embodiment of the present invention provides a controller, which includes the above vulnerability scanning apparatus applied to the controller.
It should be noted that the controller provided in the sixth embodiment of the present invention is a controller including the apparatus for vulnerability scanning applied to the controller; that is, all embodiments of the apparatus for vulnerability scanning applied to the controller are applicable to the controller and can achieve the same or similar beneficial effects.
Seventh embodiment
As shown in fig. 6, a seventh embodiment of the present invention provides a vulnerability scanning method applied to a virtual switch, where the method includes:
step S61: acquiring second information of the virtual machine deployed on the server;
In the seventh embodiment of the present invention, the above server refers to a physical server.
In the seventh embodiment of the present invention, when a user creates, deletes or changes a virtual machine, the virtual switch updates the second information of that virtual machine in real time, so that the controller's information list reflects the current set of virtual machines rather than a stale snapshot.
step S62: transmitting the second information of the virtual machine to the controller.
In the seventh embodiment of the present invention, the virtual switch may transmit the second information to the controller through the OpenFlow protocol, where the second information of the virtual machine includes a physical address, an IP address, a subnet identifier and a tenant identifier of the virtual machine.
In the seventh embodiment of the present invention, the virtual switch transmits the second information of the virtual machine to the controller, so that the controller generates an information list according to the second information and transmits the information list to the vulnerability scanning device. The vulnerability scanning device can then locate the target virtual machine in multiple ways, and a single set of vulnerability scanning equipment can scan the vulnerabilities of a network (for example, a public cloud multi-tenant network). This facilitates the deployment, operation and maintenance management of vulnerability scanning devices and provides vulnerability scanning reports in a unified manner, which in turn facilitates horizontal and vertical comparison.
To further describe the above second information with a specific example in the seventh embodiment of the present invention, the second information of the virtual machine acquired by the virtual switch is shown in table 8, where MAC1, IP1, VXLAN ID1 and Tenant ID1 respectively represent the physical address, IP address, subnet identifier and tenant identifier of the virtual machine.
| MAC address | IP address | VXLAN identification | Tenant identification |
| MAC 1 | IP1 | VXLAN ID1 | Tenant ID1 |
TABLE 8
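The fifth and seventh embodiments above describe a data flow (virtual switch reports per-VM second information on create/delete/change; the controller appends the virtual switch identifier to form first information, keeps an information list, and hands it to the scanner, which may then select a target by any of the five fields) but no data structure. The following is an added example written for this page, not code from the patent: the record layout, the keying of the list by (virtual switch, MAC), and the event names create/change/delete are assumptions of the example, the OpenFlow transport is not modelled (a report is a plain method call), and the two tenants and addresses are constructed sample data. It also shows the check a defender would want: which IP addresses occur in more than one tenant, since those are exactly the targets an IP-only scanner of the kind described in the Background cannot distinguish.

```python
"""Model of the controller's information list (fifth embodiment) fed by
virtual-switch reports (seventh embodiment). Added example; record
layout, keying and event names are assumptions, not the patent's own."""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class SecondInfo:
    """Per-VM record a virtual switch reports (the Table 8 columns)."""
    mac: str
    ip: str
    vxlan_id: int
    tenant_id: str


@dataclass(frozen=True)
class FirstInfo:
    """Second information plus the reporting switch's identifier (Table 7)."""
    mac: str
    ip: str
    vxlan_id: int
    tenant_id: str
    vsw_id: str


class Controller:
    """Assembles the information list that is transmitted to the scanner."""

    def __init__(self) -> None:
        # Keyed by (switch, MAC): a MAC is unique behind one switch, so a later
        # "change" or "delete" report from that switch addresses the same entry.
        # (This keying scheme is an assumption of the example.)
        self._entries: Dict[Tuple[str, str], FirstInfo] = {}

    def on_vsw_report(self, vsw_id: str, event: str, info: SecondInfo) -> None:
        """Apply one create/change/delete report from virtual switch vsw_id.
        The OpenFlow transport the patent names is assumed and not modelled."""
        key = (vsw_id, info.mac)
        if event == "delete":
            self._entries.pop(key, None)
        elif event in ("create", "change"):
            # The "adding unit": second information + VSW identifier = first information.
            self._entries[key] = FirstInfo(info.mac, info.ip, info.vxlan_id,
                                           info.tenant_id, vsw_id)
        else:
            raise ValueError(f"unknown event {event!r}")

    def information_list(self) -> List[FirstInfo]:
        """The list the controller transmits to the vulnerability scanning device."""
        return sorted(self._entries.values(), key=lambda r: (r.vsw_id, r.mac))


def locate(info_list: List[FirstInfo], **selectors: object) -> List[FirstInfo]:
    """Scanner-side lookup: entries matching every given field
    (any of mac, ip, vxlan_id, tenant_id, vsw_id), i.e. the 'multiple ways'
    of locating a target VM."""
    unknown = set(selectors) - set(FirstInfo.__dataclass_fields__)
    if unknown:
        raise KeyError(f"unknown selector(s): {sorted(unknown)}")
    return [r for r in info_list
            if all(getattr(r, k) == v for k, v in selectors.items())]


def ambiguous_ips(info_list: List[FirstInfo]) -> Set[str]:
    """IP addresses present in more than one tenant. An IP-only scan would
    conflate these targets; the tenant or VXLAN field is needed to tell them apart."""
    tenants_by_ip: Dict[str, Set[str]] = {}
    for r in info_list:
        tenants_by_ip.setdefault(r.ip, set()).add(r.tenant_id)
    return {ip for ip, tenants in tenants_by_ip.items() if len(tenants) > 1}


def build_demo_controller() -> Controller:
    """Constructed sample: two tenants reuse the same private IP on different VXLANs,
    one VM is re-addressed, and one VM is created and then removed."""
    c = Controller()
    c.on_vsw_report("vsw-1", "create", SecondInfo("02:00:00:00:00:01", "10.0.0.5", 1001, "tenant-A"))
    c.on_vsw_report("vsw-1", "create", SecondInfo("02:00:00:00:00:02", "10.0.0.6", 1001, "tenant-A"))
    c.on_vsw_report("vsw-2", "create", SecondInfo("02:00:00:00:00:03", "10.0.0.5", 2002, "tenant-B"))
    c.on_vsw_report("vsw-1", "change", SecondInfo("02:00:00:00:00:02", "10.0.0.7", 1001, "tenant-A"))
    c.on_vsw_report("vsw-2", "create", SecondInfo("02:00:00:00:00:04", "10.0.0.9", 2002, "tenant-B"))
    c.on_vsw_report("vsw-2", "delete", SecondInfo("02:00:00:00:00:04", "10.0.0.9", 2002, "tenant-B"))
    return c


if __name__ == "__main__":
    lst = build_demo_controller().information_list()
    for r in lst:
        print(r)
    print("IPs shared across tenants:", ambiguous_ips(lst))
    print("tenant-B's 10.0.0.5:", locate(lst, ip="10.0.0.5", tenant_id="tenant-B"))
```

In the sample, `locate(lst, ip="10.0.0.5")` returns two entries, one per tenant, while adding `tenant_id="tenant-B"` (or `vxlan_id=2002`) narrows it to one; the changed VM is found under its new address and the deleted VM is absent, which is the real-time update behaviour the seventh embodiment describes.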
Eighth embodiment
As shown in fig. 7, an eighth embodiment of the present invention provides an apparatus for vulnerability scanning, which is applied to a virtual switch and includes:
a fourth obtaining module 71, configured to obtain second information of the virtual machine deployed on the server; and
a second transmission module 72, configured to transmit the second information of the virtual machine to the controller.
Wherein the second transmission module 72 includes:
a transmission unit, configured to transmit the second information to the controller through the OpenFlow protocol, where the second information of the virtual machine includes a physical address, an IP (Internet Protocol) address, a subnet identifier and a tenant identifier of the virtual machine.
In the eighth embodiment of the present invention, the virtual switch transmits the second information of the virtual machine to the controller, so that the controller generates an information list according to the second information and transmits the information list to the vulnerability scanning device. The vulnerability scanning device can then locate the target virtual machine in multiple ways, and a single set of vulnerability scanning equipment can scan the vulnerabilities of a network (for example, a public cloud multi-tenant network). This facilitates the deployment, operation and maintenance management of vulnerability scanning devices and provides vulnerability scanning reports in a unified manner, which in turn facilitates horizontal and vertical comparison.
It should be noted that the apparatus for vulnerability scanning applied to the virtual switch provided by the eighth embodiment of the present invention is an apparatus that applies the method for vulnerability scanning applied to the virtual switch; that is, all embodiments of the method for vulnerability scanning applied to the virtual switch are applicable to the apparatus and can achieve the same or similar beneficial effects.
Ninth embodiment
A ninth embodiment of the present invention provides a virtual switch, including the above apparatus for vulnerability scanning applied to the virtual switch.
It should be noted that the virtual switch provided in the ninth embodiment of the present invention is a virtual switch including the apparatus for vulnerability scanning applied to the virtual switch; that is, all embodiments of the apparatus for vulnerability scanning applied to the virtual switch are applicable to the virtual switch and can achieve the same or similar beneficial effects.
While the foregoing is directed to the preferred embodiment of the present invention, it will be understood by those skilled in the art that various changes and modifications may be made without departing from the spirit and scope of the invention as defined in the appended claims.