Archive
Online website protection
Two basic kinds of online websites are online banks and online games. Unlike what we were doing for traditional system security, we must take care of both front-end servers and customers' applications. Yeah, customers' desktops and applications! A lot different!
No matter what the mode is, C/S or B/C, we need to make sure both careless users and vulnerable applications are in a good security posture. This brings by far the toughest challenges to the security team. Unregistered game servers (SiFu in Chinese), phishing websites, cheating programs (WaiGua in Chinese), various trojans, leaked passwords, compromised users' systems, lots of servers residing in distributed IDCs, different operating systems and applications: all of this makes security a mess.
Here is an economical approach for your reference.
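[Chinese] China's Telecom Industry Uses Peer-to-Peer Networks to Challenge International Standards for the Mobile Core Network
This article reviews the industry's progress in using peer-to-peer network technology in the mobile core network, as well as the efforts and contributions of China's telecom industry in this field. The related performance and security issues are studied and analyzed. Finally, the article gives an analysis and outlook on future research directions.
Keywords: peer-to-peer network, distributed technology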
International Standards of Mobile Core Network Based On P2P Technology
Abstract: This paper reviews the new progress in mobile core networks based on P2P technology. Technological challenges, including performance and security problems, are investigated. Finally, a trend analysis and roadmap are given.
Key Words: Peer to Peer Network, Distributed Network Technology
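[Chinese] Three Kingdoms Historical Map Recreates the Ancient Red Cliffs Battlefield
What an exciting service, a very cool "product" by Google: the Three Kingdoms historical map. You can view the historical map, the modern map, or a semi-transparent overlay of the two.
You can clearly see famous historical sites such as Xinye, Xiangyang, Dangyang, Jiangling, Xiakou, Chibi (Red Cliffs), Huarong, Yiling, Yidao and Xiaoting.
Even more exciting, the author also shows the map tracks of several famous historical events, so you can clearly see the strategic situation of the Battle of Red Cliffs.
More than ten years ago, I dug a historical atlas out of a second-hand book stall, and I still often take it out to leaf through. If Google or some web content master could bring it onto the Internet for everyone to search and enjoy, that would be a great good deed!
Recently I read Mr. Yi Zhongtian's 《品三国》 (Pin San Guo) and Mr. Li Dongfang's 《细说三国》 (Xi Shuo San Guo), and thoroughly satisfied my Three Kingdoms craving. I also gained a new understanding of the "popularization" and "innovation" of the Baijia Jiangtan (Lecture Room) program. I will find time later to share my thoughts on this with everyone.
Looking back at the Three Kingdoms map in front of me, I feel as if I have returned to the time when I had just started graduate school; the joys and sorrows of playing Three Kingdoms with classmates and fellow students reappear before my eyes. For a moment there are shining spears and armored horses, hot blood and heroic passion: the rolling Yangtze flows east, its waves washing away the heroes!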
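[Chinese] Gartner Publishes Its Top 10 Key Technology Predictions for 2009
On October 16, 2008, Gartner released, as scheduled, this year's outlook and predictions for the ten most important strategic technologies for 2009. Below is my translation, which is not really a translation; I hope it makes reading and sharing easier for everyone.
1 Virtualization. The term virtualization has been popular for quite some time, as was the earlier on-demand computing. About five years ago, one month after I joined CA, I made a special trip to CA's headquarters in the United States to attend a workshop and training on managing on-demand computing. Time flies; today server vendors recommend and compare virtualization features and technical characteristics as an important element of their pre-sales proposals.
2 Cloud Computing. According to Gartner's description, cloud computing has the following key characteristics: a) capabilities are delivered as a service; b) service delivery is highly scalable and elastic; c) Internet technologies and techniques are used to develop and deliver the services; d) it is designed for delivering services to external customers. It can be argued that the high elasticity and scalability built in from the start are the greatest benefit that "cloud computing" can bring.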
CNCERT releases China Security Report 2007
CNCERT released their annual report on the overall security status in China for 2007. You can download this report at their website. This report is in Chinese.
In this report, some numbers and trends are highlighted.
Compared with the 2006 numbers, security incidents and botnet (zombie) hosts in China increased rapidly, or even soared.
- website phishing – 1.4 times
- malicious code at web pages – 2.6 times
- defaced websites – 1.5 times
- Trojaned hosts – 22 times….
where the Trojaned hosts are estimated at up to one million (995,154) IPs, compared with 44717 IPs in 2006.
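Will SPIT Become as Rampant as SPAM?
SPIT stands for Spam over Internet Telephony: junk and harassing activity on Internet telephony (slightly different from IP telephony). It may be an inexplicable voice message, an advertisement, or an automatically played malicious or otherwise deliberate call. Many reports and articles list it as one of the important security threats to VoIP. In other words, telephony at that point is not strictly controlled by the carrier the way today's PSTN is; everything from signaling to voice is carried over today's highly threatening Internet, so it may be subject to Man-In-The-Middle attacks, eavesdropping, hijacking, insertion, spoofing and so on.
Gartner expert Lawrence Orans pointed out in a report that SPIT will not become as rampant as today's SPAM, because SPIT does not have SPAM's business model.
SPAM: junk e-mail is sent out, the user sees the enticing content in it, clicks the link, is led to some website, and may complete some transaction or action. The spammer thereby makes a profit. SPIT does not work that way: a recording is played, and even if the user listens patiently to the end, they cannot, or cannot conveniently, pick up a pen, write down a link, type it into a website and complete a transaction. So SPIT does not bring particularly obvious profit, and therefore will not become rampant.
It is said that services where you listen to ads in exchange for free calls may appear in the future. LO's view makes sense, but SPIT may also develop new business models, which would bring in those blinded by greed for profit.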
Survey on P2P Traffic Identification
We have talked about VoIP legal monitoring and source location. In H.323, softswitch or IMS VoIP networks, it can possibly be done through signaling analysis. But for P2P VoIP, especially encrypted P2P VoIP such as Skype, it is very difficult to identify P2P voice traffic.
Traffic classification and traffic identification can be useful in both ISP and enterprise environments, and on various occasions:
- Network planning and design
- Security policy such as legal monitoring, blocking
- QOS policy such as rate limitation, prioritization
- Pricing
There are currently two kinds of P2P traffic identification algorithms: transport-layer based and payload based.
China VoIP Conf & Expo at Beijing
As an annual meeting, the China VOIP Conference & EXPO, China FMC/IMS Summit and China Enterprise IP Communication Solutions Conference were held on 23~24 May in Beijing. Check here for its official website. I'd like to share some highlights of this meeting.
1. Three kinds of VOIP tech in China
Following the steps of VOIP standard development, there are three kinds of VOIP networks in China.
# H.323
H.323 is the ITU-T standard framework for multimedia services in non-QoS-guaranteed networks. The main service providers in China all have their own H.323 networks. China Unicom has the biggest H.323 network in the world, providing both audio and video services. It covers almost the whole of China, has more than 1800K gateways and carries one billion minutes of calls every month. This may be owing to the original multi-layer GK network structure, which greatly improves the scalability of H.323.
# Softswitch
Softswitch is a next-generation network infrastructure based on SIP, H.248 and other protocols proposed by IEEE and ITU-T. Now, all 17951 calls of China Mobile and more than one third of the long-distance calls of China Telecom are carried by softswitch. China Netcom has been using softswitch to replace the Class 4 switch since 2005. CRC (China Railway Communication Co., Ltd.) and China Satcom (China Satellite Communication Corporation) also have their softswitch networks.
# IMS
First proposed in 3GPP Release 5, IMS (IP Multimedia Subsystem) has the advantage in providing mobile and multimedia services. It is also the most promising framework for fixed and mobile convergence. ETSI TISPAN and ITU-T began work on IMS infrastructure at the end of 2005. Thus, the main service providers in China are paying attention to IMS and are now deploying IMS trial networks.
Skypekiller sounds ridiculous
There has been a lot of discussion and even debate on whether or not enterprises should permit Skype. The focus here is its security issues. I listed ten security concerns about Skype before. However, it is indeed of value. It can help lower the cost of voice communication and is very convenient. There are more and more value-added services on it. Anyway, nobody can overlook the existence of hundreds of millions of Skype subscribers. It means business opportunity to many startups and technical geeks. They are proud of their hacking of and breaking into Skype.
Use Skype as a home security system ?
Solomon's blog shared a very interesting idea: to use Skype as a home security system. When you work at the office or go out traveling, you can connect back to watch what's happening at your home. So cool!
1. Open two new accounts.
2. On account 1, add new user two as your ONLY contact.
3. Re-log in as account 1 and set as follows:
   Go to Tools –> Options –> Advanced –> (tick) Automatically answer incoming calls.
   Then go to Tools –> Options –> Video –> (tick) Start video automatically and Only people in my contacts –> Save.
   Leave this account online.
4. Log in as account 2 from another PC.
But I am wondering: if there is not some security here, the world will share your home view with you, as long as they find that account. So please do remember to configure yourself as the only person who can talk with this account.
New Trojan calls on Skype
Skype is now proud of its millions of online subscribers. At the same time, Trojan makers are becoming more interested in Skype too. Here is a news item at NetworkAsia by Network World Asia Staff.
During this trip to Raleigh, NC, I bought some credit at Skype so that I could call China using the free Internet at the hotel. The quality of SkypeOut is impressively good, while the price is just 0.17c. Skype has been an international carrier, without national barriers, even to China.
Another Trojan horse is spreading through the Internet telephone network of Skype Ltd.
The malicious code, known as both Warezov and Stration, is similar to an earlier version detected in February, but with a new URL (uniform resource locator) and a new version of the malicious code, according to an alert posted Thursday by Websense Inc.
Websense warns Skype users to watch for the message “Check up this,” with a URL containing a hyperlink.
The code itself isn’t self-propagating, but when it runs, the URL is sent to everyone on the user’s contact list.
When users click on the link, they are redirected to a site that is hosting a file named file_01.exe. Users are then prompted to run the file and if they do, several other files are downloaded and run. The downloaded files are other versions of the Warezov/Stration malicious code.
Once the Trojan is installed in a system, it tries to connect to a Yahoo Inc. mail server to send an SMTP (Simple Mail Transfer Protocol) message.
However, that server doesn’t appear to be operating, according to Websense.
Skype, a division of eBay Inc., offers a number of Internet-based services, including VOIP (voice over Internet Protocol) and instant messaging.
A good site on “Telecom Terminology Definitions”
It’s a good site on “Telecom Terminology”. I found it when I searched for “TFN” at google.com. Hope it helps you too. Check it out.
VoIP saves money ?
During these days, I am struggling to find an answer for myself – Will VoIP really help enterprises save money?
In the industry, VoIP is almost a “must” for newly deployed voice systems, particularly for long-distance calls. The reason to do so seems to be obvious – VoIP helps save money. After checking the data on WAN costs and the cost saved with VoIP, I find it’s very difficult to convince myself. The data comes directly from my own real-world experience, and some other reference data from a huge MNC told me the same story.
If you use dedicated leased lines to carry VoIP, it’s not cost-saving, while VoIP over the Internet saves money.
In fact, during an open discussion, consultants from a very famous VoIP vendor admitted this judgement. But they insisted that VoIP/IP Telephony will help improve productivity, through short numbers, enterprise announcements, etc. However, productivity is very difficult to measure, isn’t it? Of course, the last reason to deploy VoIP/IPT devices is to protect investment.
This is another difficult-to-measure reason.
By accident, I found this old article by Tim Hills which discussed VoIP vs PSTN very interestingly. Here is some of its contents:
- Why Bother With VOIP?: It’s NOT about old wine in new bottles
- VOIP Risks: VOIP + IP/MPLS works – but how well?
- VOIP Reliability: Failures will happen – will new technologies help?
- Management Challenges: IP/MPLS management is at last coming up to speed for voice needs
- Improving VOIP QOS: Carriers are learning to reimplement the past to improve VOIP QOS
How to design enterprise internet interfaces ?
The question seems to have a very straightforward answer. Access routers, firewalls, security proxies, optional intrusion detection systems (IDS) or intrusion prevention systems (IPS), and a DMZ … Is that enough? For a small to medium-size enterprise, maybe yes. However, for an MNC with tens of offices worldwide, things become much more complicated.
Generally speaking, almost every security manager or IT manager agrees that Internet interfaces are one of the most important sources of security threats. Every Internet interface costs money to protect. On the other hand, in the CIO’s notebook, there has always been one strategy: make use of the cheap and reliable Internet when possible. Local Internet access means lower WAN cost.
That’s a complex matter that needs you to balance security risk, protection cost and WAN cost. See diagram. An easy answer: you’d better permit Internet access for most sites where the Internet is cheap and reliable, while choosing different security safeguards at the Internet border and the VPN borders. Back in your real world, that’s up to you, my friend.

