Cloud & Telecom Security

It’s very exciting to get the login page of https://imo.im. It’s amazing. It’s a web-based multi-client instant messager. At this moment, it can support MSN, Yahoo, AIM / ICQ, Google Talk, MySpace, and Skype. Yes, and Skype.

I used my MSN account to do the first ride. It has multiple crisp and slim windows embeded in the webpage, one small window for a session. The login and chatting are very responsive.  It support Chinese (double byte characters) very well.

Then I began to test Skype. The Skype login is quite fast. It works! I am wondering how these guys simulate a Skype client to login. You know two years ago it became top news when somebody re-engineered the Skype protocol and developed their own Skype-compatible client.

I know imo.im is using SSL. However, before users are rushing to transfer to imo.im, they must solve security concerns. That’s far away to convince users at its security. For example, how they handle the user data, including the account information, password, and chat history.  Actually when I recommend imo.im to one of my friends, I was told that he did not want to test this because he didn’t want to exposure his account information.

All in all, this is my first ride with imo.im. Its user experience is by far better than previous web IMs. In addition, it supports Skype. It’s great plus. However, there is a long way for them before users are convinced to drop their trational GUI IM clients.

I believe you must be using one or more instant messager(s) to keep in touch with your friends and colleagues. You will have a long list for IMs if you like to keep “on-line” to many community and friends, ICQ, MSN, YIM, AIM, Skype, QQ, and new coming MySpaceIM, etc. The concept of “presence” has been becoming one important elements in Web 2.0 style personal life.

A week ago, Pidgin released its newest version 2.2.0 with a lot of new features and bug-fixing. I just upgraded my Pidgin to it. It can support a lot of popular IM clients: Read more…

Generally speaking, it’s a good news. No doubt, it will help data sharing and inter-operateability among different vendors so that the effectiveness and response time might be improved. The key point is the promotion. The similar case is that of IDMEF(Intrusion Detection Message Exchange Format) and CVSS (Common Vulnerability Scoring System). It took a long way for IDMEF to be adopted by those major vendors of IDS/IPS and scanners.

If the data is true, every month 13,500 URLs will be added into the library. If one URL has an average length close to 100 bytes, that means roughly 1.3MB increasement to this library. So it’s predicted this library might be over-flooded in the near future if no better algorithm is in place. The below is the full story. Read more…

Following the analysis on the comparison of IM/P2P security management between telecom nework and enterprise network, this post further investigates the security threats to telecom networks coming from IM/P2P applications and recommends some countermeasures to those telecom operators. This post was published in Chinese at Comm-weekly named Finding IM/P2P Security Policy.

In fact, this is the second part of a whole review of IM/P2P security management. See the first part.

《电信网IM/P2P的安全管理》本文发表于通信产业报，发表时的名称是：《寻找IM/P2P安全策略》

1 即时消息和P2P带来的安全威胁
我们已经知道，即时消息和P2P应用在带来方便性、实时性、新业务商机的同时，也给最终用户、企业网络和电信网络带来多方位的安全威胁。通常来说，这些安全威胁包括：

• 防火墙等边界安全措施被短路
• 管理员难以控制文件数据的共享和流动
• 带来病毒、木马、蠕虫等
• 导致知识产权损失、泄密等
• 大量使用非标准、不公开协议，使用动态、随即、非固定的端口
• 难以检测、过滤和管理
• 隐藏于HTTP管道中的各种潜在的隐秘通道

尤其是高强度加密技术、P2P技术和IM技术的结合，进一步提高了安全管理的技术难度和成本。

IM和P2P应用给电信运营商网络带来的安全威胁不止于普通企业网的安全威胁，更为重要是基本电信业务收入、带宽利用、信息安全管理等多方位、深层次的威胁。下面从三个方面展开分析。

• 基本电信业务收入锐减

互 联网经济的快速发展强力带动了电信增值业务的增长，但是增值业务相对于基本电信业务－话音业务来说，比例还相对较低。几大运营商刚刚发布的半年财务报表也 印证了这一点。这样，由于基于IM/P2P的VoIP应用大量分流了基本的话音业务，导致整体业务收入下降。其中，PC到PC引起的分流只是其中一部分， 另外相当一部分是由于不符合行业法规、违法经营的PC到电话、电话到电话的VoIP业务引起的。运营商一方面必须意识到传统话音业务的萎缩是大势所趋，迅 速加强自身市场和技术革新，寻找新的业务增长点；另外一方面，也需要提高技术管控能力，对网络中的违规VoIP业务及时有效识别和管理。

• 网络被低价值流量充满

按 照普遍接受的流量统计数据，目前P2P应用占宽带流量50－60％（白天）到90％（晚上），企业用户的40%。P2P已经成为宽带的杀手级应用，尤其是 IP音频和视频文件的共享。现在固网运营商流行的宽带大包月的情况下，这些洪水般的流量充斥着当前不断扩容中的宽带城域网，却没有带来投资预期的营收增 长，造成当前运营商扩容投资与营收增长不成比例的窘境。可以考虑通过先进的技术手段改良计费模型和资费策略，利用资费杠杆和质量控制手段优化网络的利用效 率。

• 信息安全管理

当前互联网缺少有效的身份识别和信息管理手段，造成大量的垃圾性的、骚扰性的、甚至反动的、不健康的邮件、短信、即时消息、视频文件等在网络中传播。随之而来的家庭、社会、政府对于宽带网络发展的担忧，对运营商业务发展带来了消极不利的影响。

因此，IM/P2P的安全威胁和对策需要引起电信运营商管理层和安全主管的高度重视，研究部署有效的安全管理措施，兴利除弊，减轻带宽压力，降低安全风险。

2 电信网IM/P2P的安全管理

在IM/P2P的安全管理方面，电信网络与普通企业网络想必具有明显的差异性。

对于电信运营商来说，除了作为一个企业网需要按照企业网络的特点来保护自己的支撑网以外，还需要参照附图所示，分步骤实现以下安全管理目标：

※ 治理话音和其它大带宽应用
※ 提高电信网络利用效率
※ 改进计费模型，提高ARPU
※ 提高信息控制能力

相对于企业网络，电信网络的IM/P2P安全管理又具有以下两个重要特点：

※ 粗粒度安全策略。在宽带网络中能够快速识别并重组应用和会话，实施针对不同应用和会话类型的安全和资费策略。这种识别通常实现到分类，达到资费策略所需要 的粒度即可，例如文件共享类、VoIP类、视频类，以及各种子类。由于电信网络不具备对用户的行政管理和桌面（终端）管理手段，所以，技术上很难、也不需 要通过企业网络管理中具备的多种手段综合来实现细粒度的治理目标。这种粗粒度还体现在检测准确率的要求上，电信网络允许部分漏报，在80％以上的准确过滤 和封堵，即可明显达到业务目标。而这样的准确率在企业网络通常是不能接受的。
※ 高性能和健壮性。电信网络IM/P2P的管理工具需要支持千兆以太网环境下高速对应用进行分类，重组应用和会话，实施安全策略，产生计费数据。另外，还需要支持高可用性部署。

3 综述

解决IM/P2P引发的新的安全问题需要运用各种措施进行探索，例如在网络架构组织、协议体系、资费模式、终端设备管理等多方面的安全措施和机制的融合，并且在重要的网络项目立项、新业务开发和引入等生命周期的开始阶段就集成考虑IM/P2P应用的影响。

电 信运营商总是不断地寻求新的技术手段以最大限度地挖掘网络潜力、提高每用户营收、提高单位带宽的营收、寻找新的利润增长点、开发新的业务组合、降低客户流 失。这些新的措施中就包括了对IM/P2P业务流的控制与开发利用、对家庭和SOHO用户提供等级化（差异化）服务以替代当前施行中的大包月资费、对商业 客户提供服务质量保障（SLA）、提升自身在未来话音、视频和数据三重业务（Triple Play）市场的竞争力。

所以，对网络中的IP分组数据除了保证其可达性、延时、安全性等之外，对其有效的监视、分类和控制是运营商能够立足于3G/NGN年代的基础能力，也是更具宏观意义的电信网络安全管理。

“Identifying P2P users using traffic analysis” is a good article by Yiming Gong published at securityfocus infocus column.

With the emergence of Napster in the fall of 1999, peer to peer (P2P) applications and their user base have grown rapidly in the Internet community. With the popularity of P2P and the bandwidth it consume, there is a growing need to identify P2P users within the network traffic.
……

 while we can find similar idea at the paper named “Transport Layer Identification of P2P Traffic”, bye Thomas Karagiannis and etc. this paper help advance the idea and methodology there.  It’s not reasonable to connent “identifying” with “blocking P2P at China”, just because Yiming from China talked about “Identifying of P2P traffic”. For those telco operators, “identifying” can enable telco operators bill P2P traffic precisely so as to launch more telecom service packages to the market. Only under support from network service providers, P2P applications obtain a healthy environment to develop.

IM (Instant Message) and P2P(Peer to Peer) are two of the most popular terms at Internet at the moment. This below diagram depicts the relationship between them with examples. What they are bring to end users, software vendors and the internet service providers? business opportunities, security threats. what’s your opinion?
 

do you use Gizmo? or do you have the experience to use it ever?

according to Scott Granneman, at his article at securityfocus.com, Gizmo seems a skype-killer, a real alternative to skype, just like what Yahoo comments.

how about your view point and experience? share with me, with us?

By accident, I found a good article on PC Magzine

Divulging company secrets is only one of the serious threats posed by IM and P2P applications. Both provide new entry points to your network for intrusions, data theft, denial-of-service attacks, viruses, and worms. In fact, security vendor Symantec reported in one of its biannual Internet Security Threat Reports that the number of attacks over IM and P2P systems quadrupled from January to June 2003. Both applications are adept at bypassing firewalls using port-scanning and tunneling techniques. And none of the popular IM clients offers strong authentication or encryption, so they are vulnerable to account hijacking and eavesdropping for valuable or damaging company information divulged by unwitting employees.

Then there are the bandwidth issues. Since each P2P node is acting as both a client and a server, your precious network bandwidth may be devoured not only by your internal P2P and IM users but also by P2P users all over the planet downloading songs from your users’ shared directories.

And don’t forget the legal issues. The Recording Industry Association of America (RIAA) has repeatedly warned Fortune 1000 companies that they could be liable for employees that break copyright laws by using their networks to download, store, or distribute music or movies illegally. In fact, the RIAA sued one Arizona-based software company in 2002, resulting in a settlement of $1 million. Companies that don’t prevent downloading of pornographic material risk hostile-workplace lawsuits and negative publicity.

…

Although worldwide VoIP market is booming, and Skype got wooed by millions of users, its road to China is not so bright as in other world, especially its VoIP revenue.

We know there are four kinds of voip services: phone to phone, phone to PC, PC to phone, PC to PC. In China, the phone to phone and phone to PC is clearly defined as the basic telecom services that no cooperates besides those six services providers (China Mobile, China Telecom, China Netcom, China Unicom, China Railcom, China Satellite Com.) can touch.

As to the PC to phone market, there are still legal restrictioins from the specifications of the Ministry of Information Industry (MII). According to the notification no. 413(2005) at July 18, MII expressed their serious attitude on the ban of commercial PC-phone voip services, except the trial at four cities countrywide: two for China Telecom at South China(Shenzhen and ShangRao, Jiangxi Province), while two for China Netcom at North China(Changchun, Jilin Province and Tai’an, Shandong Province). During the service trial by Shenzhen Telecom(a subsidiary company of China Telecom), the price of IP phone is lowered to 0.20RMB/minute(~2.5cents per minute), no matter domestic or international calls.

The joint venture with TOM won’t help to walk around the restriction, unless it pursue another joint-venture with China Telecom or China Netcom. But without clear outlook to commercial benefits, joint ventures are not attractive to those two fixed line carriers at all.

Considering those disadvantages from legal restriction, most revenue of Skype’s SkypeIn and SkypeOut will be originated only from the international calls. So the marketing approaches shown below might be suitable for Skype into China:

• the First, continuously fight for a increasing market share at IM and PC to PC VoIP market, competing against QQ, MSN, YIM, Google Talk, Sina UC, Netease PP and etc. Skype’s competitive advantages come from its voice quality, encryption, ease of use, and etc.
• the Second, cooperation with those smartphone/handset/pda hardware vendors for solutions like USB-plugable PC phones.

Security management of IM/P2P is a great challenge to both telecom and enterprise networks. Although there are much similiarity between these two kinds of networks, security management of IM/P2P for telecom networks has many special requirements, comparing against those for enterprise networks. I hope the below diagram help depict the difference. There are more and more commercial products to address such kind of demands, such as Fortinet, Allot, Facetime, IMLogic, Bluecoat, etc.

At the same time, those telecom vendors, such as Cisco, Juniper, and Huawei, have been launching more corresponding functions to their existing products. Currently, the NBAR (Network Based Application Recognition) of Cisco has the capability to recognize hundreds of applications at the network layer. While the DPI (Deep Packet Inspection) technology has been adopted by many of vendors to enhance with more fine-grained policy the security management capability to applications.

Stuart Henshall wrote a good post at skypejournal. I agree. IM/P2P applications are becoming so popular that almost every internet users make use of one or more at their everyday life and biz. Their biz value are exceeding common applications. Let’s look them as platforms, just like those operating systems, networking systems. in other words, dorminators at IM/P2P will capture benefit just like MSFT and telco’s.

MSFT acquired Groove at April this year and re-orged itself into 3 BU from 7, where windows and MSN merged into one. further reactions are expected against the competing from Skype, Dianji(China), Google, and etc.

However, there are not reactions rolled out from those telco companies. In China, China Telecom was developing its own IM last year to provide chat/soft phone and other services, however, no marketing program yet.

For the past couple of days, Erik has posted discussions on SIP based P2P and security issues. These discussions are in audio format and are really interviews with Cullen Jennings, Rohan Mahy and Erik’s interview to Voxilla. The following is a quick summary and my thoughts. But it is different to summarize an audio portion compare to a written one; it is easier to go back to a written page; it is easier to search for a segment. This is to suggest that I might not have fully got the points made by the speakers. If you have not already heard these pieces, you may do well to give a listen. Erik and Cullen talk about an ad-hoc meeting of people interested in SIP based P2P system at the recent IETF meeting. It really looks like this meeting was a big “tent”; because it included people who are interested in this technology for different applications. For more, click P2P, SIP and Security.

There are many definitions to peer to peer technology. The following is some characteristics of P2P:

Everything except the client/server model
可以认为除了C/S架构之外的所有东西都是P2P架构的，实际上C/S才是特殊的，而P2P则是普遍的。
Network of nodes with equivalent capabilities/responsibilities (symmetrical)
P2P网络中的节点具有对等的能力和责任，是对称的。
Nodes are both Servers and clients called “Servents”
P2P网络中的节点同时即是服务器，也是客户端。

At wikipedia, Peer-to-Peer stands for:

A peer-to-peer (or P2P) computer network is a network that relies on the computing power and bandwidth of the participants in the network rather than concentrating it in a relatively low number of servers. P2P networks are typically used for connecting nodes via largely ad hoc connections. Such networks are useful for many purposes. Sharing content files (see file sharing) containing audio, video, data or anything in digital format is very common, and realtime data, such as telephony traffic, is also passed using P2P technology.

Do you believe that a researcher from China claimed that he has broken into the protocol used by Skype, ie. he can open skypenet without the skype client. In fact, a mini-skype is under developing with his own code.

http://publishblog.blogchina.com/blog/tb.b?diaryID=1546484

Might you want to skype him at: callto://shreksz/

I installed Google Talk and uninstalled it today. ie. I choose Skype instead of GT. Skype encrypts its traffic while GT not.

PS: see my late post at GTalk vs Skype.