Archive for July, 2006

What does Hamachi bring?

July 28th, 2006

Bill recommended a “new” application to me: Hamachi. It left me with mixed feelings.

It’s a wonderful software application that provides a virtual LAN over the Internet. It’s a typical overlay network application: it makes use of P2P technology and is capable of traversing the NAT/firewall enterprise perimeter. Additionally, it offers an interesting function, a Web proxy:

Built-in Web proxy
An option to use Hamachi as a simple web proxy. This way your Hamachi peers may configure their Web browsers to access the Internet via your computer and therefore protect their Web traffic while it is in transition between you and them.

This feature is typically used for securing Web surfing from untrusted locations including cybercafes, coffee houses, hotels, etc.

Obviously, the founders of Hamachi have learned the lesson from Skype. They have made a great effort to open their protocols and algorithms for identity, authentication, and communications among system components. That will be a door-opener for enterprise IT managers, because security and system management software supporting Hamachi is bound to grow once Hamachi’s installed base is large enough. According to their website, Hamachi had over 3,000,000 users as of June 17, while this number was merely 2,000,000 in April, a growth of 50% in two months.

It’s a wonderful remote collaboration tool, as well as a virtual networking platform, particularly in the current booming broadband world.

On the other hand, the spread of this kind of software (for others, see vnn.cn, softether.com) has been eroding, and is further eliminating, the enterprise network perimeter, leading to the compromise of security policy. It requires that firewalls and networking devices support more and more layer-7 applications, in particular P2P overlay networking traffic. Moreover, traditional IDS and UTM won’t work in the face of virtual LANs.

Let’s keep an eye on them together. See my comment in Chinese.

Ground-breaking audit tool for SSH and Windows Remote Desktop Protocol (RDP)

July 24th, 2006

A startup company in China, BMST Co. Ltd., is bringing security managers and auditors a ground-breaking product that can audit SSH and Windows Remote Desktop Protocol (RDP) as a network bridge transparent to the upper-layer applications. The product is named Session Auditor. It can record, replay, query and correlate session data from most of the popular protocols used in daily network and system maintenance and operations, such as SSH, Remote Desktop (RDP), Telnet, FTP, HTTP, Rlogin, VNC, and even SQL queries in Oracle, Sybase, MS SQL, etc. The most brilliant point is its unprecedented audit capability for the two most popular encrypted protocols, i.e. SSH and RDP, making it unique in competition with common sniffer products as well as forensics tools.

The founders of BMST have placed their product against a much larger background: the wave of compliance.

In the wake of Enron and WorldCom, the role of internal auditors in corporate governance has taken on a whole new meaning. Compliance is a long journey that enterprise executives and IT managers have to take. Although there is already too much in your work breakdown structure task list, “Audit” is the one item you can never overlook, even for a second. Audit systems help executives ensure that everything is running as expected and defined.

Generally speaking, “audit systems” for information systems are separated into two kinds: management-layer auditing and technical-layer auditing. The former maps to auditing tools based in particular on best practices and standards, such as ISO27001 (BS7799) and Cobit. As to technical-layer auditing, there are too many tools and approaches on IT managers’ tables. Typically it is implemented by the log collection and analysis tools in IDC’s security product category of SIEM (Security Information and Event Management). Those logs are designed to record only the event results, without the details of the activities and operations. In other words, if security managers and auditors want to do in-depth investigation and forensics, those logs can’t help any more.
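As an added illustration of that gap (example code written for this page, not BMST’s product or its code): a constructed sshd-style auth log yields only login and disconnect events, while a constructed session record supplies the operations themselves; correlating the two by user, source address and time window shows what an event log alone cannot tell an auditor. The log format, the shape of the session record and every value in them are assumptions.

```python
import re
from datetime import datetime

# Constructed sshd-style auth log: it records only the event result (who logged
# in, from where, when) and nothing about what the user then did.
AUTH_LOG = """\
2006-07-24 09:12:03 sshd[2231]: Accepted publickey for dba from 10.0.5.17 port 51022
2006-07-24 09:12:45 sshd[2231]: Received disconnect from 10.0.5.17
2006-07-24 09:30:10 sshd[2290]: Accepted password for ops from 10.0.5.9 port 40111
"""

# Constructed session-recorder output: (timestamp, user, source IP, command).
SESSION_RECORD = [
    ("2006-07-24 09:12:10", "dba", "10.0.5.17", "sudo -u oracle sqlplus / as sysdba"),
    ("2006-07-24 09:12:30", "dba", "10.0.5.17", "DROP TABLE payroll_2006;"),
    ("2006-07-24 09:30:20", "ops", "10.0.5.9", "tail -f /var/log/messages"),
]

TS_FMT = "%Y-%m-%d %H:%M:%S"
LOGIN_RE = re.compile(r"^(\S+ \S+) sshd\[(\d+)\]: Accepted \w+ for (\w+) from (\S+)")
DISCONNECT_RE = re.compile(r"^(\S+ \S+) sshd\[(\d+)\]: Received disconnect")


def parse_auth_log(text):
    """Return {pid: {user, src, start, end}} recovered from the event log."""
    sessions = {}
    for line in text.splitlines():
        if m := LOGIN_RE.match(line):
            ts, pid, user, src = m.groups()
            sessions[pid] = {"user": user, "src": src,
                             "start": datetime.strptime(ts, TS_FMT), "end": None}
        elif (m := DISCONNECT_RE.match(line)) and m.group(2) in sessions:
            sessions[m.group(2)]["end"] = datetime.strptime(m.group(1), TS_FMT)
    return sessions


def correlate(sessions, records):
    """Attach recorded commands to the login they belong to: user and source
    IP must agree and the time must fall between login and disconnect (or the
    session is still open). Sessions with nothing recorded map to []."""
    commands = {pid: [] for pid in sessions}
    for ts, user, src, cmd in records:
        when = datetime.strptime(ts, TS_FMT)
        for pid, s in sessions.items():
            in_window = s["start"] <= when and (s["end"] is None or when <= s["end"])
            if (s["user"], s["src"]) == (user, src) and in_window:
                commands[pid].append(cmd)
    return commands
```

An empty list for a session is exactly what a SIEM fed only with the auth log would show: the login happened, but nothing about the operations survives.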

[Chinese] My View on Information System Security Auditing

July 23rd, 2006

What is “audit”?

We know that auditing (Audit) means examining and verifying the accuracy and completeness of a target, in order to detect and prevent false data and fraudulent behaviour, and to check conformance with established standards, benchmarks and other audit principles. Governments at every level and organizations in every country generally have dedicated, independent audit departments, audit committees, audit offices and the like. Auditing was originally applied to financial systems, and to this day the definitions of “audit” in dictionaries (including of the English word Audit) refer to financial systems. In today’s world, the financial systems of almost every enterprise, institution and organization run on information systems, so while information technology has become one technical means of financial auditing, financial auditing has in turn indirectly driven the auditing of general-purpose information systems. After the Enron and WorldCom financial fraud scandals broke in the United States, the Sarbanes-Oxley Act (SOX, or SOA) was hurriedly enacted in 2002, giving “audit” a new meaning that also covers the auditing of information systems. “Audit” has become an indispensable key means of enterprise internal control, information system governance, and security risk control.

According to news reports, an important consensus was reached at the recently concluded IATA annual meeting: all member airlines must undergo an operational safety audit (IOSA), and applicants for IATA membership must pass the IOSA audit before formally joining. All current member airlines must complete the audit before 2007 or lose their membership. Auditing has gradually become an important means of strengthening governance for more and more government departments, industry sectors and large enterprises.

Ron Weber, the US authority on information systems auditing, defines it as “collecting and evaluating evidence to determine whether a computer system effectively safeguards assets, maintains data integrity, achieves its goals, and uses resources most economically”.

Audit systems mainly take two forms:

  • Host-based auditing (logs of all kinds from hosts, networks, etc.)
  • Network-based auditing (network sessions and behaviour)

They rely on different means to collect audit information and address different risks and threats:

1. The former collects and analyses logs of all kinds. This is the earlier, more traditional form of auditing: logins, logouts, additions, deletions, modifications, updates and other activities, as recorded in application logs, operating system logs, database logs, network device logs and so on. Under IDC’s new definition, SIEM (Security Information and Event Management) security products are responsible for collecting logs and event alerts from security devices and other information systems and filtering, correlating and analysing them. Generally speaking, the SOC products (call them platforms if you prefer) that were so hotly procured in the past two years basically fall into IDC’s SIEM category.

2. The latter looks directly at the data itself. With the emergence of all kinds of advanced attack methods, with the false negatives of IDS, and with current concern about internal abuse and misuse (which are hard to discover from security device logs), the recording, replay and analysis of network and application data itself has formed another branch of auditing. The earliest product of this kind was probably Raytheon’s SilentRunner (if you remember it; it was later acquired by CA and the product is now called Network Forensics), designed specifically to analyse network traffic and massive volumes of logs to find potential threats and incidents that IDS and other security devices cannot detect, as well as behaviour that violates security policies and rules. NAI’s Sniffer, and later the open-source tool TCPDUMP, although lacking the upper analysis and presentation layers, also have some of this functionality. After NAI split up, the Sniffer company inherited the network forensics analysis product InfiniStream Security Forensics. Niksun’s NetDetector, NetVCR, NetX and other product series offer “continuous traffic recording and storage”, help analyse network traffic, monitor network behaviour (“network anomaly and intrusion detection”), and assist with compliance analysis and incident forensics (“network audit analysis”).

In the past two years, as demand for auditing the operational behaviour itself has risen, a kind of audit system has emerged that uses application proxies to build a bastion host, controlling network access activities and obtaining operation data for recording and analysis. Representatives of this class include Symark’s PowerBroker and Bluecoat’s ProxySG. Such audit systems require the client to explicitly configure the proxy address and may require secondary authentication to satisfy the proxy’s security policy.

Domestically, more and more companies have begun to enter this field and launch their own security audit products. Besides the log collection products of the first kind above, quite a few have appeared that obtain data via network mirroring, perform session reassembly and protocol analysis, and can actively break network connections by sending Reset packets according to security policy (some can also perform identity authentication and authorization checks). Representatives of this class include Tsinghua Unisplendour’s ACA and Fudan Guanghua’s S_Audit. The former integrates with authentication and authorization and targets operations and maintenance needs, while the latter adds many analysis and presentation features for applications such as HTTP and IM, targeting internal enterprise security usage control.

[To be continued]

richardong 2006-09-15 Comment

I have one suggestion and one addition regarding the article’s classification of “auditing”:

Original:

  • Host-based auditing (logs of all kinds from hosts, networks, etc.)
  • Network-based auditing (network sessions and behaviour)

My view:

  • Host-based auditing (using an agent to monitor and record behaviour occurring on the host)
  • Network-based auditing (network sessions and behaviour)
  • Log auditing (logs of all kinds: operating system logs, database logs, network device logs, etc.)

Finally, I think these three should be unified on one platform, but the biggest difference from a SOC is that such a platform should not force logs of wildly different formats to be converted into a unified format (Normalization).

zhaol 2006-09-15 Comment

Thanks. But I will keep my view. The audit element is either the behavioural or business data itself, or data about the data, i.e. metadata; traditional logs and audit systems are the latter, which is what I call host-based auditing. The former records the business data itself, which is what I call network-based auditing. Perhaps my naming of these two categories is somewhat muddled. Further debate is welcome…

zhaol 2006-12-26 Comment

There is a standard for security audit products on the product testing web page of the Third Institute (三所)…
The industry also has many other audit-related best practices/standards/frameworks, such as CoBiT, BS7799/ISO27001, etc.

zhaol 2007-01-20 Comment

A SOC, as its name says, is an Operations Center; its main purpose is monitoring, and then driving the other back-end operations and maintenance activities. Neither log auditing nor operational behaviour auditing is the main direction of a SOC, and auditing of management practices (such as patching, passwords, policy configuration, etc.) is even less a SOC matter. On the contrary, the operation of the SOC itself should be the object of auditing: the effectiveness of monitoring, the timeliness of response, the effectiveness of measures, and so on.