Vulnerability Management System

1. Abstract

The Vulnerability Management System detects all vulnerability risks in the network, provides professional and effective security analysis and repair advice, and audits repair results according to the security management process, so as to reduce the impact of attacks to the largest extent.

 

2. Architecture

Figure 1 System Architecture Diagram

 

 

The Vulnerability Management System adopts a modular design divided into three layers: the service layer, the core framework layer and the user interaction layer. Each layer is divided into different functional modules.

 

2.1 Service layer

The service layer provides basic service support for the platform, including the database service, scanning service, web service, etc.

 

2.2 Core framework

The core framework provides the basic functional frameworks for vulnerability scanning and supports module extension for these frameworks.

 

2.3 User interaction module

The user interaction module is aimed at the users of the vulnerability management system and provides user interaction in the form of a Web UI (Web Management System). The Web UI can use the REST API provided by the core framework to invoke the relevant functions within the core framework.

 

3 Functions

 

3.1 Vulnerability Scanning

It can scan network devices, operating systems, middleware, project control systems, Web applications and databases. It features a huge vulnerability base and set of check items, and ensures comprehensive vulnerability coverage and accurate checks through intelligent vulnerability discovery.

 

3.2 Asset Management

It automatically identifies IT asset information (IP, operating system, application software, service, etc.) in the network (virtual, cloud and physical environments), automatically classifies assets based on the scan task, and includes them in the asset management module for unified management. It supports asset grouping.

Asset management is a key function of the vulnerability management system. Vulnerability here means asset vulnerability. The platform works out the connection between assets and vulnerabilities and uses asset management to achieve effective vulnerability planning, management and presentation, so as to reach the final goal of vulnerability management control and risk elimination and to provide all-round information support from the perspective of assets.

 

3.3 Vulnerability Comparison

It presents the distribution trend of vulnerabilities dynamically according to the vulnerability scan results. Comparative analysis of multiple scan results shows vulnerability recovery graphically.

 

3.4 Vulnerability Scoring

The risk value is calculated by time dimension and weighting, based on vulnerability and malicious software information, and a Common Vulnerability Scoring System (CVSS) rating is provided. Vulnerability scoring shows the severity and risk size of each vulnerability, so that threats can be prioritized according to risk level.

 

3.5 Suggestions on Vulnerability Repairing

Every reported vulnerability has a complete solution that describes the repair method in detail, such as a patch upgrade (with a download link provided) or a configuration method.

 

3.6 Compliance Check

A number of policies are built in, such as PCI, FDCC and CIS, which make it possible to check whether a system meets the company's policy requirements.

 

3.7 Scheduled Task

It allows periodic scan tasks to be created and security assessments to be performed on the network regularly, covering internal policies, PCI DSS, NERC CIP, FISMA, HIPAA/HITECH, SANS CSC, DISA STIGs, USGCB, CIS, OWASP, etc. With a scheduled task, it checks the target assets automatically and generates vulnerability reports (CERT, SANS, NVD) with remediation, step-by-step assignment and an evaluation of the workload.

 

3.8 Statement

It has a variety of built-in statement templates, which provide vulnerability statistics, comparative analysis, vulnerability distribution trends and detailed vulnerability suggestions.

 

3.9 The Third Party Integration

The vulnerability management platform can integrate with third-party risk management systems, allows seamless integration with a penetration test platform, and provides remote scanning, vulnerability identification, replay of attacks and automatic vulnerability verification functions.

 

3.10 Weak Password Check

It supports weak password checks for services such as FTP, FTPS, IMAP, IMAPS, MySQL, MSSQL, POP3, POP3S, PostgreSQL, RDP, SMB, SSH, SNMP and Telnet, and supports importing user-defined entries into the dictionary database.

 

4 Features

  • Wide coverage: it has a large vulnerability database (100,000+).
  • Low false alarm rate: vulnerability detection contains over 300,000 check items, which ensures the correctness of detected vulnerabilities to the largest extent.
  • Timely updates: the vulnerability database is updated automatically every week on average (updates for Microsoft's Tuesday patches are completed within 24h), so that security personnel can check the latest vulnerabilities right away. Online and offline updates are supported.
  • Flexible and effective: it allows distributed deployment and automatic regular visits, and offers a variety of scan and report templates to meet different customers' requirements.
  • The vulnerability management system is divided into a standard version and an enhanced version by application scenario and function.

 

5 Deployment Mode

 

5.1 Single Deployment

Deploy only one vulnerability management system to scan the company network and check its security condition. Connect the vulnerability management system to the network by link type. As long as it can communicate with the target system, it can perform vulnerability checks.

Application scenario: environments in which the enterprise structure is simple, there is no strict requirement on scan speed, and there are few nodes. (Small and medium enterprise)

 

 

Figure 2 Single Deployment

 

 

 

Features of this deployment:

1. Simple construction and flexible deployment. As only one system is deployed at headquarters, it is easy to set up: there is no need to change the network structure, just connect it to the network by link type.

2. Low cost and easy maintenance. As only one system is deployed, the construction cost is low, and single deployment makes system maintenance more convenient.

 

5.2 Distributed Deployment

Deploy one vulnerability management platform console at headquarters, and deploy a vulnerability management platform scan engine at each branch office or subordinate institution. Headquarters assigns the scan tasks, the scan engine in each branch office scans and returns its results to the console at headquarters, and the console summarizes the results.

Application scenario: environments that have many branch offices or subordinate institutions, a complicated network and numerous nodes, and that have strict requirements on the bandwidth of each region. (Large scale enterprise)

 

 

Figure 3 Distributed Deployment

 

 

 

Features of this deployment:

1. Fault isolation: as the scan engines are independent of each other, system security improves significantly. A malfunction in one engine affects only one unit rather than the whole system.

2. High capacity and load capacity: the distributed system lightens the network burden, reduces the requirements on device performance, and has obvious advantages in batch scanning of large-scale assets and in scan speed.

 

6 Hardware and Specification

 

6.1 Hardware

 

Figure 4 System Appearance

 

 

 

Hardware Specification

| Item | Specification |
|---|---|
| Model | 19 inch 1U Standard |
| Processor | Intel i5 Processor |
| Memory | DDR3 16GB |
| Network interfaces | 6 Gigabit electrical ports, RJ-45 interface |
| Hard disk | 1*SATA 500G |
| Display output | Built-in VGA interface |
| USB | 2*USB interface |
| COM | 1*RJ45 interface COM |
| Power supply | 250W industrial power, 220VAC±10% |
| Temperature | Working temperature: -10℃~45℃; storage temperature: -40℃~85℃ |
| Relative humidity | 95% relative humidity |
| Noise | <50 dB |
| MTBF | ≥50000h |
| Size | W*H*D=480mm*44.4mm*420mm |

 

 
6.2 Standard Version

VM-STD-H1 V7

 

| Type | Item | Specification |
|---|---|---|
| Performance | Maximum concurrently scanned IPs | 128 |
| | Average black-box scan time | With 16 vulnerabilities per asset, the average time is 4 minutes (12 seconds-30 minutes) |
| | Average white-box scan time | With 300 vulnerabilities per asset, the average time is 7.5 mins (12 seconds-40 mins) |
| | Default scan concurrency | 10 hosts are scanned concurrently, and each host processes 10 procedures |
| | Maximum concurrency | 30-50 (memory and CPU performance need to be increased) |
| | Capacity of vulnerability libraries | 100,000+ |
| | Number of vulnerability check items | 300,000+ |
| Function | Scope of supported vulnerability assessment | Operating system (Windows, Linux, UNIX, OS, etc.), database (SQL Server, DB2, Oracle, MySQL, etc.), Web application, middleware, network device (router, switch, firewall, etc.) |
| | Asset discovery scanning | Supports detection of online assets and related information by network scanning |
| | Black-box vulnerability assessment | Evaluates vulnerabilities by using remote network fingerprint detection |
| | White-box vulnerability assessment | Uses login credentials to perform a login scan |
| | Scanning strategy templates | There are 8 built-in scanning strategy templates for different vulnerability assessment requirements |
| | Customized scanning strategy | The scanning policy template can be customized |
| | Exploitable vulnerability information | Indicates vulnerabilities that have public exploitation methods, and provides the source information of the relevant exploitation |
| | Vulnerability judgment basis | Supports viewing the judgment basis of a scanned vulnerability |
| | Asset group management | Supports group management of network assets |
| | Dynamic asset group | Supports filtering network assets according to specific conditions |
| | Comparison report | Supports a comparison report of two scanning results |
| | Report format | HTML/PDF |
| | Number of built-in report templates | 3 |
| | Vulnerability remedy solution | Provides detailed vulnerability remedy solutions |

 

 

6.3 Enhanced Version

VM-ENT-H1 V7

 

| Type | Item | Specification |
|---|---|---|
| Performance | Maximum concurrently scanned IPs | 1024+ |
| | Average black-box scan time | With 16 vulnerabilities per asset, the average time is 4 minutes (12 seconds-30 minutes) |
| | Average white-box scan time | With 300 vulnerabilities per asset, the average time is 7.5 mins (12 seconds-40 mins) |
| | Default scanning concurrency | 10 hosts are scanned concurrently, and each host processes 10 procedures |
| | Maximum concurrency | 30-50 (memory and CPU performance need to be increased) |
| | Capacity of vulnerability libraries | 100,000+ |
| | Number of vulnerability check items | 300,000+ |
| Function | Scope of supported vulnerability assessment | Operating system (Windows, Linux, UNIX, OS, etc.), database (SQL Server, DB2, Oracle, MySQL, etc.), Web application, middleware, network device (router, switch, firewall, etc.) |
| | Asset discovery scanning | Supports detection of online assets and related information by network scanning |
| | Black-box vulnerability assessment | Evaluates vulnerabilities by using remote network fingerprint detection |
| | White-box vulnerability assessment | Uses login credentials to perform a login scan |
| | Scanning strategy templates | There are 8 built-in scanning strategy templates for different vulnerability assessment requirements |
| | Customized scanning strategy | The scanning policy template can be customized |
| | Exploitable vulnerability information | Indicates vulnerabilities that have public exploitation methods, and provides the source information of the relevant exploitation |
| | Vulnerability judgment basis | Supports viewing the judgment basis of a scanned vulnerability |
| | Asset group management | Supports group management of network assets |
| | Dynamic asset group | Supports filtering network assets according to specific conditions |
| | Scheduled task | Supports automated scanning assessments planned by time or cycle |
| | Comparison report | Supports a comparison report of two scanning results |
| | Report format | HTML/PDF |
| | Number of built-in report templates | 5 |
| | Custom reports | Users can create customized reports |
| | Virtual scanning (VMware NSX) | Supports virtual scanning |
| | Open API | Opens application programming interfaces to users |
| | Distributed deployment | Supports distributed multi-engine deployment |
| | Vulnerability remedy solution | Provides detailed vulnerability remedy solutions |
