Using the vulnerability information of computer systems to improve the network security

In these years, the security problem becomes more important to everyone using computers. However, vulnerabilities on computers are found so frequently that system managers can not patch up all these vulnerabilities on hosts within the network in no time. They need to perform a risk evaluation in order to determine the priority of patching-up vulnerabilities. Besides, they may not have the administrator right on all hosts in the network, but only have the right on these network devices. To keep these vulnerabilities on hosts from exploitation, system managers can set the ACL scripts on network devices. The solution improves security in the network immediately, since some threatened service ports on hosts are blocked from accessed. This paper introduces a method to improve the network security, which consists of the network management, the vulnerability scan, the risk assessment, the access control, and the incident notification. Companioned to the network topology, the risk evaluation indicates the threatened service ports that should be blocked within ACL scripts. These procedures do not cost any extra hardware equipment. With the proposed method, the network security improves almost 40% with only 8% of threatened ports being blocked in the examined Class-B network. The 40% improvement of network security is evaluated with these two indices, the summary of CVSS values and the number of vulnerabilities in the network.