Design And Implementation Of Proxy For Vulnerability Scanners Based On Cloud Computing

Posted on: 2014-02-17  Degree: Master  Type: Thesis
Country: China  Candidate: J K Shen
GTID: 2248330398972157  Subject: Computer Science and Technology
Abstract/Summary:
With the rapid development of today's networks, various system and network vulnerabilities continue to emerge. Old vulnerabilities still exist while new ones are constantly exposed. Vulnerability scanning is a technology that can find most existing vulnerabilities accurately and in a timely manner, and at the same time provide effective remedies to eliminate the threats. In addition, with the development of cloud computing, cloud-based vulnerability scanning has gradually become the trend in providing security services. However, during vulnerability scanning, the scanner will inevitably encounter situations where it cannot complete the scanning task because of the limitations NAT imposes on the network environment. That is, when the target host is behind a NAT, the scanner cannot initiate communication with the inside host, so the scanning packets cannot reach the target host and the vulnerability scanning task cannot be completed.
This paper does the following work. First, it analyzes the principle of network-based vulnerability scanning and focuses on the characteristics of cloud-based vulnerability scanning. Then it gives a detailed analysis of NAT and its impact on vulnerability scanning. After that, it proposes adding a proxy for the vulnerability scanner to solve the problem caused by NAT, and summarizes the problems that the scanning proxy should resolve and its functional requirements. Combining the extension of TURN that supports TCP with the SOCKS5 protocol, this paper puts forward a cloud-based vulnerability scanning proxy method. The proxy helps the scanner perform NAT traversal to finish the scanning task, especially through the most restrictive type, symmetric NAT.
The main idea of the method is to integrate the port aggregation function of the SOCKS5 protocol into TURN, so that the destination ports of the scanning packets sent by the scanner converge into one single port before reaching the TURN server. In this way, the burden on the TURN server is lessened and the limit on the number of the TURN server's OS ports does not become the bottleneck of the proxy. This paper also designs and implements the proxy and builds a simulation testing environment to test its functionality and scalability. In the testing experiment, the cloud-based vulnerability scanning proxy passed the functional test and was shown to have the necessary scalability.
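The port aggregation idea can be seen in standard SOCKS5 CONNECT framing (RFC 1928): the real target address and port travel inside the request, so every connection from the scanner is addressed to one proxy port. The following is an added example, not code from the thesis; the function names, the proxy port 1080 and the sample targets are assumptions made for illustration, and the thesis's own TURN integration is not shown in the abstract.

```python
import ipaddress
import struct

PROXY_PORT = 1080  # assumption: conventional SOCKS port, not taken from the thesis

def build_connect_request(host, port):
    """Scanner side: encode a SOCKS5 CONNECT request (RFC 1928, section 4)."""
    if not 0 < port < 65536:
        raise ValueError("port out of range")
    try:
        ip = ipaddress.ip_address(host)
        atyp, addr = (1 if ip.version == 4 else 4), ip.packed
    except ValueError:
        name = host.encode("idna")
        if not 0 < len(name) < 256:
            raise ValueError("domain name length invalid")
        atyp, addr = 3, bytes([len(name)]) + name
    # VER=5, CMD=1 (CONNECT), RSV=0, ATYP, DST.ADDR, DST.PORT (network order)
    return bytes([5, 1, 0, atyp]) + addr + struct.pack("!H", port)

def parse_connect_request(data):
    """Proxy side: recover the real target, rejecting malformed requests."""
    if len(data) < 5 or data[:3] != b"\x05\x01\x00":
        raise ValueError("not a SOCKS5 CONNECT request")
    atyp, body = data[3], data[4:]
    if atyp == 3:                      # domain name: first byte is its length
        alen, body = body[0], body[1:]
    else:
        alen = {1: 4, 4: 16}.get(atyp)  # IPv4 or IPv6; anything else is rejected
    if not alen or len(body) != alen + 2:
        raise ValueError("bad address type or truncated request")
    raw = body[:alen]
    host = raw.decode("ascii") if atyp == 3 else str(ipaddress.ip_address(raw))
    return host, struct.unpack("!H", body[alen:])[0]

def aggregate(targets, proxy_port=PROXY_PORT):
    """Every probe is sent to one proxy port; the target rides in the payload."""
    return [(proxy_port, build_connect_request(h, p)) for h, p in targets]

if __name__ == "__main__":
    # Constructed sample targets (documentation address range and .example name)
    targets = [("192.0.2.10", 22), ("192.0.2.10", 443), ("scan-target.example", 8080)]
    for dport, req in aggregate(targets):
        print(dport, req.hex(), parse_connect_request(req))
```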
Keywords/Search Tags:cloud computing, scanning proxy, NAT, NAT traversal