
Vulnerability Scanning And Patching System Based On Physical Isolated Network

Posted on: 2012-03-01
Degree: Master
Type: Thesis
Country: China
Candidate: X Y Duan
Full Text: PDF
GTID: 2178330338493386
Subject: Computer technology
Abstract/Summary:
With the continuous development of the Internet, more and more military offices and scientific research departments have set up their own network information systems. However, the vulnerabilities of the originally complex systems have gradually emerged with the constant expansion and upgrading of the systems, the increasing complexity of the network environment, and vulnerabilities that cannot be eliminated. Vulnerabilities in protocol design, system configuration and management operation often become the targets of attackers, so detecting and patching vulnerabilities is an effective means of improving system security. Because the military LAN is isolated from the Internet, it cannot promptly receive the patch information published by software providers, and vulnerabilities cannot be fixed quickly. In this paper, we propose a vulnerability scanning and patching system based on a scanning agent. The network is divided into several logical subnets; the scanning agent detects the vulnerabilities of all the hosts in the subnets and, at the same time, patches are downloaded from the control center to fix those vulnerabilities. Because our technique offers fast scanning, good targeting, little impact on the network, wide availability and low cost, it is suitable for discovering and patching host vulnerabilities in the military LAN.

In summary, this paper makes the following contributions:

We studied the technical principles and design models of several vulnerability detection systems, contrasting systems based on hosts with systems based on networks and studying the features of distributed systems. Although each has its advantages and disadvantages, we find that a vulnerability scanning and patching system based on a scanning agent is the future trend.

Since the military LAN is isolated from the Internet, we propose a distributed vulnerability scanning and patching system model based on a scanning agent, and implement the system prototype. We use simple matching rules to improve the efficiency of the system. Distributed scanning lessens the impact on network traffic, reduces interference with normal use of the network, keeps the design simple and brings low operating costs, so it is suitable for vulnerability scanning and patching in small and medium enterprises.
Keywords/Search Tags: physical isolation network, scanning agent, distributed system vulnerability detection, vulnerability patching