Cloud & Telecom Security

Almost every enterprise IT security managers are facing the same problems: how to control the internet? how to implement the granular security policy at the perimeter ? When you dig the Internet, you must find a bunch of discussions and threads, among which the discussions and debates between Thomas and Antishinder are quite interesting.

The assertions by Bluecoat is as the following:

• The ISA firewall cannot be as secure as Blue Coat proxies because it runs on a general purpose server that has ongoing security vulnerabilities
• The ISA firewall is unable to inspect traffic inside an SSL tunnel
• The ISA firewall is unable to inspect and manage peer-to-peer, instant messaging and multimedia connections
• The ISA firewall has limited support for granular access control
• The ISA firewall’s network performance is inferior to Blue Coat’s proxy performance

The fight back from Thomas is very strong. Personally speaking, I think the origin of this debate depends on your attitude of hardware or software security devices. The former will help lower the installation and operation cost, while the latter has lower price. So if your enterprise is very lucky to be mature on server operations, the software proxy solution is as good as, or better than the hardware solution.

More and more colleagues start to use Skype to talk with their family when they are in business trip, enjoying free oversea communications with earphones. No doubt, I do the same way. Why not? Do you like to pay those telecom companies at around tens of cents per minutes while you can talk freely? That’s the right reason why Skype has been growing so fast.

When I checked their newest version at their website tonight, I found a beta version 3.1 with an interesting feature, SkypeFind. That’s something like a business bulletin, but with a unprecedented large number of subscribers. The current beta version is 3.1.0.112, while the latest stable version is 3.0.0.218.

At the new version, unyte is a built-in feature, which enables friends share desktop and applications remotely. Another new feature – Shared Sketch Pad is very interesting too.

[Tags]Skype,Web2.0[/Tags]

Today SANS announced the 2006 version of their annual “Top-20 Internet Security Attack Targets” and for the first time, VoIP is included as one of the threats. It was listed as N1:

 N1.1 Description

VoIP technology has seen rapid adoption during the past year. At the same time, there has been an increase in security scrutiny of typical components of a VoIP network such as the call proxy and media servers and the VoIP phones themselves. Various products such as Cisco Unified Call Manager , Asterisk and a number of VoIP phones from various vendors have been found to contain vulnerabilities that can either lead to a crash or a complete control over the vulnerable server/device. By gaining a control over the VoIP server and phones, an attacker could carry out VoIP phishing scams, eavesdropping, toll fraud or denial-of-service attacks.

Since many VoIP servers especially the ones at VoIP service providers are an interface between SS7 (traditional phone signaling) and IP networks, an attacker capable of compromising a vulnerable VoIP server could even potentially manipulate the SS7 signaling interconnection to disrupt services on the Public Switched Telephone Network (PSTN).

See more comments and report at VoIPsa blog.

Bill recommended one “new” application to me. That’s Hamachi. It gave me a very complicated feeling.

It’s a wonderful software application, which provides us a virtual LAN over Internet. It’s a typical overlay network application, which makes use of P2P technology and has the capability to tranverse the NAT/FW enterprise perimeter. Additionally, it brings us an interesting function – Web Proxy:

Built-in Web proxy
An option to use Hamachi as a simple web proxy. This way your Hamachi peers may configure their Web browsers to access the Internet via your computer and therefore protect their Web traffic while it is in transition between you and them.

This feature is typically used for securing Web surfing from untrusted locations including cybercafes, coffee houses, hotels, etc

Obviously, founders of Hamachi have learned the lesson from Skype. They has done a lot of effort to open their protocols and algorithm in the identity, authentication, and communications among system components. That will be a door-knocker to those enterprise IT managers, because there must be growing security and system management software to support Hamachi, as long as Hamachi’s installation get enough base. According to their website, Hamachi has over 3,000,000 users at June 17, while this number was merely 2,000,000 in April, growing 50% in two months.

It’s a wonderful remote collaboration tool, as well as a virtual networking platform, particularly in the current booming broadband world.

At the other hand, the overspreading of such kind of softwares (for others, see vnn.cn, softether.com) has been eroding and further eliminating the enterprises’ network perimeter, leading the compomise of security policy. It requires that firewalls and networking devices should support more and more layer-7 applications, in particular P2P overlay networking traffic. Morever, Traditional IDS and UTM won’t work in face of virtual LANs.

Let’s keep an eye on them together. See my comment in chinese.

Here is coming an eye-catching blog at VoIP security at VoIPsa Blog.

See comment at Register, named "Net Neutrality bid gone for good" by Andrew.  A bunch of Internet giants expressed their discontent to Net Neutrality, for its mistiness and injustice. Andrew is hoping a "more coherent and professional fashion", and even "with better branding". The key point in my brain, for its possible recoming, is the benefit balance between transmission network (typically those tradional telcos) operators and CP/SPs. The latter would not like to let the former "tame" the Internet, but "foster".  

See the story by Andrew…. Read more…

FT.com reports that “Skype says texts are censored by China” by Alison Maitland. It’s incredible, both from technical and political aspects. I do believe it’s a distorted story by western reporters. Every skypers can testify the lie and absurdness. It betrays the fact that the scepticism and bias to China are expanded from VoIP to text chat. See what he said at the below:

Skype, the fast-growing internet communications company that belongs to Ebay, has admitted that its partner in China has filtered text messages, defending this compliance with censorship laws as the only way to do business in the country. In a Financial Times interview, Niklas Zennström, Skype’s chief executive, responded to accusations that the company had censored text messages containing words like “Falun Gong” – a banned movement – and “Dalai Lama”. He said that Tom Online, its joint venture partner in China, was complying with local law.

“Tom had implemented a text filter, which is what everyone else in that market is doing,” said Mr Zennström. “Those are the regulations.”

He claimed that compliance with Chinese censorship was no different from obeying rules governing business in western countries. China, along with the US and Germany, is one of Skype’s three biggest markets in terms of active users of its free telephony service, which routes encrypted calls between computers via the internet.

Entering the controversy that has seen Yahoo, Google and Microsoft heavily criticised for working with China’s censorship rules, Mr Zennström said: “I may like or not like the laws and regulations to operate businesses in the UK or Germany or the US, but if I do business there I choose to comply with those laws and regulations. I can try to lobby to change them, but I need to comply with them. China in that way is not different.”

[Tags]Skype,China[/Tags]

There are pungent comments, criticism, satire, etc to those ISPs and telecom operators on their blocking, filtering and even passive attitude to P2P, from all over the internet. However, from the stand of ISPs, they have a lot of broken-hearted story to tell to their subscribers, shareholders, and those regulatory authorities. It seems that the earth has been divided into two camps: one is P2P pros, one is the P2P cons. But who is the judge ?

See an absorbing discussion named ISP Rise Against P2P Users at slashdot.org. The below is some excerpt…

bananaendian writes “Spencer Kelly from BBC’s Click program writes about the emerging backslash against high bandwidth P2P users. Apparently it has been estimates that up to one third of internet’s traffic is caused by BitTorrent file-sharing program. Especially ISPs who are leasing their bandwidth by the megabyte are more inclined to resort to ‘shaping your traffic’ by throttling ports, setting bandwidth limits or even classifying accounts according services used. What is your ISPs policy regarding P2P and is it fair for them to put restrictions and conditions on its use.”

ISP: Backslash
P2P: Forward slash. Riposte.
ISP: Touche. QOS Packet Filtering!
P2P. Lunge. Encryption!
ISP: En guard. Subpoena compliance.
P2P: Aahaaah! Ubiquitous Mesh Networks.
ISP: Arrrgh! [dies].

Where is BadAnalogyGuy when you need him?
–
Hello, Dad? I’m in jail.

[tags]Telecom,P2P,Voip[/Tags]

The first lawsuit on copyrights infringing by P2P software at mainland, China, was reported yesterday.

Kuro is a web site company providing music share services with their P2P based software. According to its website logo, it provides downloading and sharing of more than half a million MP3 pop songs and other music, using a software named Kuro, which is reported to be developed by a Taiwan software company.

A music and culture company at Shanghai, Busheng, claimed that Kuro illegally spreads up to 59 songs, owned by them, without any payment and even notification.

P2P is a sort of excellent technical model to allow mass file downloading and sharing. The number of P2P based applications is keep a rocket growth, along with strong law dissention. A couple of countries are legislating to regulate the development and application of P2P sharing and downloading. In greater China region, first law suit on BT (the most famous file sharing software based P2P) was reported at HongKong at last year, where the defendants were sentenced guilty and put into prison for 3 months.

Although the P2P sharing companies are often harassed by legal issues, but nobody would like to overlook their potentials to impact the Internet. A recent acquisition report of VeryCD by Google betrayed the background business value of such P2P sharing platforms. VeryCD is the central government of the new-rich P2P sharing platform – eMule, where you can find numerous movies, songs, books, and other electronic media, sharing by those millions of eMulers.

There are flooding IM clients waiting for your choice, isn’t it? But which one do you like? which one fit your interests the best? I believe you must not have time to review them on by one. In fact, even if you have time, you just won’t like to do that.

IM Watch is doing that for you. It lists out and reviews almost each one you have heard of, (except the most popular one at China – QQ of Tecent,) covering Gtalk, Skype, GAIM, AIM, Unyte, Gizmo Project, Chatzilla, Psi, PhoneGaim, Yahoo Messenger, …..

For a more comprehansive collection of various IM clients, see Betanews.

A week before, Anonymizer announced the availability of its Operation: Anti-Censorship software, which is “designed to circumvent Chinese government efforts to block access to certain Web sites”, according to the report of Infoworld. Read more…

IT and security managers are paying more and more attention to those threats introduced by the blooming IM and P2P applications. The demands pump the growth of IM/P2P security market. The acquisition of IMLogic by Symantec bolstered the morale of vendors and VC in this area. The independent biggest boy – Facetime is striving to make their bigger fortune by release of their newest version of IMAuditor Enterprise Edition 7.0.

It’s a “Comprehensive Solution for Managing Inbound Threats, Information Leakage and Regulatory Compliance”, with “broader support for IM including Skype 2.0, WebEx support for logging and archival of chat sessions within a web meeting, and enhanced reporting for multiple public and enterprise instant messaging solutions including Microsoft Live Communications Server, IBM Lotus SameTime, Reuters, Parlano, and Jabber.” remarked at marketwatch. See the following feature changes at IMAuditor 7.0:

• – Administrator Dashboards — Role-based dashboards in IMAuditor 7 provide a snapshot of key traffic and configuration information to administrators and reviewers, allowing them to monitor operationsand easily drill down for further details.
• – Enhanced Visibility and Reporting — Enables organizations more detailed visibility with several new security reports for SpIM, Day Zero URL blocking and Restricted Phrase filters. Allows creation of customer reports in either table or chart formats, and also enables scheduled delivery of reports in HTML and .PDF formats.
• - New User Interface (UI) — All Enterprise Edition components now share a consistent UI with special emphasis on usability and ease of navigation. The user interface has been designed to anticipate common user actions and provide logical groups of related operations to help administrators accomplish their tasks more effectively and in less time.
• – WebEx Support — Ensures compliance by logging and archiving integrated WebEx chat sessions using existing messaging archiving solutions.
• – Skype 2.0 and QQ Support — Utilizes behavioral-based detections of session behavior and other attributes to allow enterprises to control and enforce policy on the latest versions of Skype and QQ communications. — Anti-virus Scanning — Adds support for Computer Associates eTrust to the list of supported third-party products for virus scanning of IM-based file attachments.

See detailed product description at Facetime.com.

It’s very impressive to find Skype2.0 and QQ in its support list. Skype is the most toughest P2P application to detect and control, while QQ is the most popular IM application in China.

“There will be more and more of these (greynet) applications coming on to the market, while other IM networks such as Yahoo were starting to add Skype-like features to avoid detection.” TechWorld reported.

“The adoption of instant messaging applications and their rapid convergence with P2P, VoIP, and Web conferencing technologies can expose organisations to significant business risks,” agreed Robert Mahowald of IDC.

The attitude of those telco companies towards new P2P applications is very sensitive and abuzz, not only those two fix line telecom operators in China, but also other telecom giants, such as AT&T, Verizon and Qwest are pondering and evaluating what the P2P will bring to their networks. See the following article from LightReading.

RBOCs Wait & See on P2P

AT&T Inc.(NYSE:T-messageboard), Verizon Communications Inc. (NYSE: VZ-messageboard), and Qwest Communications International Inc. (NYSE: Q – messageboard) don’t have hard, fast policies in place to deal with consumerpeer-to-peer traffic. Despite the hype about P2P traffic volumes on carrier networks, these phone companies say they're fine to watch and wait for now.

One network operator CTO is even skeptical that P2P really causes as much congestion in networks as has been hyped. (See P2P Fuels Global Bandwidth Binge.)

In separate conversations with leading technology executives from three of the four largest carriers in the U.S., Light Reading has learned that even while the industry is abuzz over P2P traffic, the big boys don't see it as stopping up their networks… yet. They are, however, quick to draw a distinctionbetween their proposed TV services and the other stuff that traverses the open Internet.

"I think the view that we're looking at is: You have managed services and you have unmanaged services," says Chris Rice, AT&T's executive VP of network planning and engineering. "Peer-to-peer services are unmanaged." Read more…

There was a report on “VoIP in China” at TMCnet.com and Theregister retailed it yesterday. VoIP technology is a revolution brought by the IP prevalence. It lowers the operation costs of both the carriers and the consumers. See my previous post on “Skype blocked at China“, where I expressed my points on the way in China for Skype and other web phones.

In fact, the revenue growth of those two fix line operators (China Telecom and China Netcom) depends on their broad-band internet access and some of the value-added services. But the growth of such two kind of services can not fill the revenue hole by voice revenue decline. Especially when the leading mobile operator – China Mobile claimed a few days ago that they would by far lower their roaming and inbound call price. That’s a hard time for CTG and CNC, hurted by the “replacing consumption”. The contribution of their PHS products is just to collect money by burning more money.

At 2007, the main four operators will get their own 3G licenses. And the consolidation and upgrade of their BSS/OSS systems will be reaching a milestone to support more multiple-play products. It’s a critical point for CTG and CNC, who have huge scale local communication networks. Theoretically they will have a fair competition base.

Currently there are a drastic argument at engadget.com, arose by a post on “China gives VoIP two year sentence”. I agree and appreciate the comments from Terence and LG and etc. China never ban Skype, never claim Skype illegal. People can use Skype just as other part of the world. China just doesn’t want to grant such a license to permit INTERCONNECT with PSTN. That’s the right of a government to decide when and how to grant such licenses, no business with the socialism and politics. Read more…

At recent Blackhat Europe, Philippe BIONDI and Fabrice DESCLAUX published their latest investigation on Skype titiled “Silver Needle in the Skype“. Previously a test by Network World studied the cryptography algorithm underneath Skype and drew a conclusion that Skype is security enough for end users.  Another whitepaper by Tom Berson expressed the similar viewpoint.  But, with heavy reverse engineering of Skype, Philippe and Fabrice investigated deeply how Skype operates and exchange information. The following is their conclusion:

Good points
      Skype was made by clever people
      Good use of cryptography
Bad points
      Hard to enforce a security policy with Skype
      Jams traffic, can’t be distinguished from data exfiltration
      Incompatible with traffic monitoring, IDS
      Impossible to protect from attacks (which would be obfuscated)
      Total blackbox. Lack of transparency.
      No way to know if there is/will be a backdoor
      Fully trusts anyone who speaks Skype.

I agree mostly to the author by my Top Ten Concern to Skype Security.