Archive

Posts Tagged ‘SOC’

Security Roadmap of Cloud Computing (1)

June 5th, 2009 Richard 4 comments

[A word up front] Some earlier comments have raised the problem of anonymous reposting. I urge web editors who like to swallow articles whole to raise the standards of their work and respect the labour of the original authors by crediting the author's name and URL. That is also respecting your own labour; do not waste your youth manufacturing redundant junk on the Internet. If you cannot do this, please do not repost!
[Disclaimer] I do not guarantee the correctness of the content, and I take no responsibility for any consequences that the analysis and predictions below may have for your company or your work, since you would not share your gains with me either. So: I said it, you heard it; whether you profit, lose, laugh, sneer or get angry, none of it has anything to do with this article or its author.

The previous instalment (http://sbin.cn/blog/2009/06/01/cloud-computing-1/) offered some scattered opinions against the broad backdrop of cloud computing; Professor Liu Peng at Chinacloud.cn has gathered a large and very comprehensive collection of material, and interested readers can help themselves there. As the saying goes: a cloud is fog in the sky, and fog is a cloud on the ground. Whether you jump into the cloud or pull it down to the ground, you will be riding the clouds and mists either way. Back to the subject: let us discuss what cloud computing implies for the security community, that is, how this or that product and technology will evolve. The text that follows will cover risk assessment and penetration testing, security operations centers, endpoint security, identity and access control (including trust management), security audit, web application and lifecycle security, compliance certification and training, among others.

Is it a new fast growing security market?

April 28th, 2009 Jack 1 comment

The traditional security products, including firewalls, IDS and anti-virus, are very familiar to us. They occupy most of the security market share, and we know that UTM, IPS and SOC are the rising stars. But what about the future? From the viewpoint of the ISO/OSI model, we have done too much at the network layer; we have focused on this layer and developed a great many products based on it.

Perhaps the reason is this: in the past we built the IT infrastructure without security built into it. The Internet spread widely within a few years, and security simply could not keep up with it. This has brought a lot of breaches and exposure at the network layer.

Categories: -English-, Security

[Chinese] A System of Metrics and Assessment Indicators for Network Information Security (4): Reading Andy's "Security Metrics"

May 8th, 2008 Richard 2 comments

Frankly, before I posed the question on LinkedIn I had not done much study or research on security metric systems. After receiving everyone's warm guidance and responses, I discovered more and more that so many resources and so much information were already out there to draw on. After writing the previous three posts on security metric systems, I started reading Andy's "Security Metrics".

Andy's (Andrew Jaquith's) "Security Metrics" (Security Metrics: Replacing Fear, Uncertainty, and Doubt) is a good book. A few weeks ago I found the English PDF online, and a few days ago I bought the Chinese edition (Publishing House of Electronics Industry, December 2007). I have been on a business trip to Shenzhen these past two days and read the book through in the time on the road. Below are some brief comments.

Security As A Service of telecom operators

November 23rd, 2007 Richard No comments

Today I spoke at the TelecomSec 2007 summit in Beijing. My topic was "Security As A Service of telecom operators". Here are the slides I used.

Actually I began thinking about security value-added services by telecom operators when I worked for China Telecom before 2000. At that time it was only an idea, because the focus of China Telecom's management was entirely on growing the number of subscribers and the revenue, with little interest in value-added services.

At TelecomSec 2006, just a year ago, I spoke on "Value of Telecom Security". I do believe it is time for China's telecom operators to roll out security value-added services, because the growth of subscribers and ARPU has been shrinking. How to grow profit and improve user loyalty is the pain of telco executives. At the same time, along with the ITSM projects inside telecom operators, operational maturity and internal governance have improved a lot compared with a couple of years ago.

Categories: -English-, Security, Telecom

Security 2.0, Security 1.0 SP2 … Web 3.0 …

November 17th, 2006 Richard No comments

Feld expressed his dislike of those fashionable words in his famous blog:

I’m personally going to boycott the phrase “Web 3.0” since “Web 2.0” makes me tired enough. There have been some great quips going around the system about this, including Gordon Weakliem’s “I haven’t even gotten around to upgrading to Web 1.0 Service Pack 2”, Michael Parekh’s “Web 2007 versions”, Peter Rip’s “Web 2.0 + 1”, and Nick Bradbury’s “Web 3.0 Does Not Validate.” While I recognize the inevitability of the newest increment of the Web x.0 label, I don’t have to like it.

My point is that they are interesting stuff. Some guys like to use fashionable words to attract eyeballs. As long as they can illustrate the essential points, just let it be.

I use Security 2.0 to describe the new trends in the network security area, e.g. internal control, identity and access management, etc., which differentiate themselves from the original anti-virus plus firewall plus IDS. No matter what you call them, they just exist there, right?

[Chinese] My View of Information System Security Audit

July 23rd, 2006 Richard No comments

What is "audit"?

We know that an audit means examining and verifying the accuracy and completeness of a target, in order to check for and prevent false data and fraud and to check conformance with established standards, benchmarks and other audit principles. Governments and organizations at every level generally have dedicated, independent audit departments, audit committees, audit offices and the like. Audit was first used for financial systems, and to this day the dictionary definitions of "audit" (the Chinese term 审计 included) are aimed at financial systems. In today's world almost every enterprise's, institution's and organization's financial system runs on information systems, so while IT has become one technical means of financial audit, financial audit has in turn indirectly driven the audit of general information systems. After the financial fraud cases at Enron and WorldCom broke, the United States hastily passed the Sarbanes-Oxley Act (SOX, or SOA) in 2002, which gave "audit" a new meaning that includes the audit of information systems. "Audit" has become an indispensable key means of corporate internal control, information system governance, security risk control and so on.

According to news reports, an important consensus was reached at the recently concluded IATA annual meeting: all member airlines must undergo an operational safety audit (IOSA), and applicants for IATA membership must pass the IOSA audit before formally joining. All current members must complete the audit before 2007 or lose their membership. Audit is gradually becoming an important means by which more and more government departments, industry sectors and large enterprises strengthen governance.

Ron Weber, the leading American authority on information systems audit, defines it as "collecting and evaluating evidence to determine whether a computer system effectively safeguards assets, maintains data integrity and achieves its goals, while using resources most economically".

Audit systems mainly come in two forms:

  • Host-based audit (logs of all kinds from hosts, networks and so on)
  • Network-based audit (network sessions and behaviour)

They rely on different means to collect audit information and address different risks and threats:

1 The former collects and analyzes logs of all kinds. This is the earlier and more traditional audit approach: activities such as login, logout, add, delete, modify and update, recorded in application logs, operating system logs, database logs, network device logs and so on. Under IDC's new definition, SIEM (security information and event management) products are responsible for collecting the logs and event alerts of security devices and other information systems and filtering, correlating and analyzing them. Generally speaking, the SOC products (call them platforms if you like) that were being bought so eagerly over the past two years basically all fall into IDC's SIEM category.

2 The latter looks directly at the data itself. Because of the emergence of various advanced attack methods, because of false negatives in IDS, and because of current worries about internal abuse and misuse (all of which are hard to discover from the logs of security devices), the recording, replay and analysis of network and application data itself has formed another branch of audit. The earliest source of this kind of product was probably Raytheon's SilentRunner (if you remember, it was later acquired by CA, and the product is now called Network Forensics), dedicated to analyzing network traffic and massive logs in order to discover latent threats and incidents that IDS and other security devices cannot find, and behaviour that violates security policies and rules. NAI's Sniffer, and later the open-source tool TCPDUMP, though lacking the upper analysis and presentation layers, also have some of these capabilities. After NAI split up, the Sniffer company inherited the network forensic analysis product InfiniStream Security Forensics. Niksun's NetDetector, NetVCR, NetX and other product lines offer "continuous traffic recording and storage", help analyze network traffic, monitor network behaviour ("network anomaly and intrusion detection"), and assist compliance analysis and incident forensics ("network audit analysis").

In the past two years, as demand for auditing the operator's actions themselves has grown, a kind of audit system has emerged that uses an application proxy to build a bastion host, controlling network access and capturing operation data for recording and analysis. Representatives of this kind of system include Symark's PowerBroker and Bluecoat's ProxySG. Such audit systems require the client to be explicitly configured with the proxy address, and may require secondary authentication to satisfy the proxy's security policy.

More and more domestic companies have begun to enter this field and launch their own security audit products. Apart from the first kind, the log collection products, quite a few products have appeared that obtain data through network mirroring, perform session reassembly and protocol analysis, and can send Reset packets to actively break network connections according to security policy (some can also perform identity authentication and authorization checks). Representatives of this kind include Tsinghua Unisplendour's ACA and Fudan Guanghua's S_Audit. The former is combined with authentication and authorization and aimed at operations and maintenance needs, while the latter adds many analysis and presentation functions for applications such as HTTP and IM and is aimed at controlling usage inside the enterprise.

[To be continued]

richardong 2006-09-15 Comment

I have one suggestion and one addition regarding the article's classification of "audit":

Original:

  • Host-based audit (logs of all kinds from hosts, networks and so on)
  • Network-based audit (network sessions and behaviour)

My view:

  • Host-based audit (an agent monitors and records behaviour on the host)
  • Network-based audit (network sessions and behaviour)
  • Log audit (logs of all kinds: operating system logs, database logs, network device logs, etc.)

Finally, I think these three should be unified on one platform, but the biggest difference from a SOC is that such a platform should not force logs of widely differing formats to be converted into a unified format (normalization).

zhaol 2006-09-15 Comment

Thanks, but I will keep my view. The element being audited is either the business/behaviour data itself or data about the data, i.e. metadata; traditional log and audit systems are the latter. That is what I call host-based audit. The former records the business data itself, which is what I call network-based audit. Perhaps my naming of these two categories is somewhat ambiguous. Further debate is welcome...

zhaol 2006-12-26 Comment

On the product testing page of the Third Research Institute (三所) there is a standard for security audit products...
The industry also has many best practices/standards/frameworks related to audit, e.g. CoBiT, BS7799/ISO27001 and so on.

zhaol 2007-01-20 Comment

A SOC, as its name says, is an Operations Center; its main purpose is monitoring, and then driving the other back-end operations activities. Neither log audit nor operational behaviour audit is a main direction of the SOC, and audit of management regimes (patches, passwords, policy configuration and so on) is even less the SOC's business. On the contrary, the SOC's own operation should be an object of audit: the effectiveness of monitoring, the timeliness of response, the effectiveness of measures, and so on.

Novell Acquires e-Security

April 21st, 2006 Richard No comments

On April 19, 2006 Novell announced the acquisition of e-Security, Inc. for USD 72 million. e-Security is a small private company focused on security information and event management. As you know from my "SOC in China", it was the first SOC product implemented in China, introduced by iS-One. It has become the prey of Novell, which was famous for its NetWare and Unix and is now known for its directory. Both of them are struggling to make a living under competition from the big management software vendors.

It is an important event in the SOC/SIM market, following the acquisition of neuSecure by Micromuse and then finally by IBM.

Categories: -English-, Security

SOC in China

March 17th, 2006 Richard 3 comments

SOC (Security Operations Center) has kept buzzing in the China security market since 2003. In fact, I kicked off the first SOC project in Nov. 2002, internally, when I worked for iS-One as Chief Strategy Officer. After the project initiation I dug up a lot of web information related to SOC. At that time, SOCs were mainly operated by MSS (Managed Security Service) providers; e.g. ISS had six SOCs globally. I tried to transfer the concept of SOC from MSS to enterprise security operations and was lucky to win the customer's buy-in. Back then we did not have such a product, or even a Proof of Concept (PoC) platform, at all. We negotiated with eSecurity and made the final decision to build our first SOC on it.

The first SOC project was finished around June 2003, and thereafter SOC became a warming-up security market opportunity.

Today most of the major players in the China security market claim to have their own SOC platforms and solutions, while many enterprises are starting to plan and build their own SOC. It should be mentioned that most of these SOC projects do not reach their initial expectations.

While SOC was becoming popular in the enterprise security management area, a few pioneering security companies in China began to try to make their fortune in the MSS market with SOC. 263.com, Unihub, Beijing Capital Information Co. and others tasted this market early, around 2002, but found it difficult to make a profit.

A major security vendor, Topsec, rolled out its SOC to provide MSS services in 2004, built on the SOC product from ArcSight, while MSS is one of the meanings by which another major security vendor, Venustech, interprets its M2S vision.

To be optimistic, SOC has entered a new stage in which it serves both enterprise internal security operations and MSS providers.

Categories: -English-, Security, Telecom

[Chinese] Security Technology Trends 2006 (under revision, comments welcome)

January 13th, 2006 Richard 9 comments

Time flies like a white horse past a crack: in the rush, 2005 is already over, and the hands of 2006's clock seem to be turning even faster than last year's. A friend reminded me that I ought to look back and look ahead; after putting it off for a while, I have finally written a few paragraphs, as an account to myself and to my friends.

2005 cannot be called a bumper year for the security market. After I wrote the piece on the Seven Warring States, I did not expect one of the players to meet a misfortune of the "Hongzhi" kind; I do not consider myself a jinx, and this certainly has nothing to do with me. :-(

Let us look instead at the technology developments ahead. I have borrowed Gartner's hype curve for new technologies, picked out a number of security technologies that came to mind, and found each a position on it. Criticism and comments are welcome.

[Figure: security_hype_2006]


9 Common Mistakes in Building A Security Operations Center (Chinese)

October 25th, 2005 Richard 1 comment

This post was published at cww.com.cn in 2004, where I summarized the 9 common mistakes in a Security Operations Center (SOC) project, which was becoming hotter and hotter in China. In brief, they are:

  1. unbalanced resource investment in security elements and management
  2. unmatched organization structure
  3. misunderstanding SOC as a pure product; it is a management project
  4. no corresponding consideration of the IT infrastructure
  5. wrong project goal
  6. not enough support from the software vendors and/or system integrators
  7. no thorough understanding of the SOC products under implementation
  8. no corresponding management processes, such as monitoring and incident management
  9. regarding the end of the product implementation as the end of the SOC construction.


Security Operations Center (SOC) at China

October 18th, 2005 Richard 2 comments

There are many projects targeted at building a Security Operations Center (SOC). A SOC helps to centrally monitor and control all your security elements and policies. It consists of a technical platform and an organizational team with a security focus. The following diagram depicts the processes and activities inside and outside a SOC.

In China, it was an honour for me to lead the team that designed and built the first SOC, for a provincial mobile company, in 2002. Thereafter more and more SOC projects emerged, especially at provincial companies of China Mobile. Security Command Center (CA), eSecurity, ArcSight, netForensics, Intellitactics, and other products from Micromuse, NetIQ, and even IBM and Symantec, began to fight against each other.

Most local security vendors choose to introduce those foreign SIM products into their own SOC solutions as the bottom layer that collects and correlates security events/incidents, e.g. Lenovo and Topsec from ArcSight, iS-One from eSecurity, BOCO from netForensics, and so on, while Venustech is re-evaluating among those products after a period of working with ArcSight. For more information about those local security companies in China, please refer to my previous post.

[Figure: Outlook of A SOC]

IM/P2P Security Management at Telecom Networks (Chinese)

October 18th, 2005 Richard 2 comments

Following the analysis comparing IM/P2P security management between telecom networks and enterprise networks, this post further investigates the security threats to telecom networks coming from IM/P2P applications and recommends some countermeasures to telecom operators. This post was published in Chinese at Comm-weekly under the title Finding IM/P2P Security Policy.

In fact, this is the second part of a complete review of IM/P2P security management. See the first part.

"IM/P2P Security Management in Telecom Networks". This article was published in Communications Industry News (通信产业报) under the title "Finding IM/P2P Security Policy".

1 Security threats brought by instant messaging and P2P
We already know that while instant messaging and P2P applications bring convenience, real-time interaction and new business opportunities, they also bring multi-faceted security threats to end users, enterprise networks and telecom networks. Generally speaking, these threats include:

  • Firewalls and other perimeter security measures are bypassed
  • Administrators find it hard to control the sharing and flow of file data
  • They bring in viruses, trojans, worms and the like
  • They lead to loss of intellectual property, leakage of secrets and so on
  • They make heavy use of non-standard, undisclosed protocols and of dynamic, random, non-fixed ports
  • They are hard to detect, filter and manage
  • All kinds of potential covert channels hidden inside HTTP tunnels

In particular, the combination of strong encryption, P2P technology and IM technology further raises the technical difficulty and cost of security management.

The security threats that IM and P2P applications bring to telecom operators' networks go beyond those to an ordinary enterprise network; more importantly, they are multi-faceted, deep threats to basic telecom service revenue, bandwidth utilization, information security management and so on. The analysis below proceeds from three aspects.

  • Sharp decline in basic telecom service revenue

The rapid growth of the Internet economy has strongly driven the growth of telecom value-added services, but relative to the basic telecom service, voice, value-added services are still a relatively small proportion. The half-year financial reports just released by the major operators confirm this. Thus, as IM/P2P-based VoIP applications divert large amounts of basic voice traffic, overall service revenue falls. Of this, the diversion caused by PC-to-PC calls is only one part; another considerable part comes from PC-to-phone and phone-to-phone VoIP services that violate industry regulations and operate illegally. Operators must, on the one hand, realize that the shrinkage of the traditional voice business is an irreversible trend and quickly step up their own market and technical innovation to find new growth points; on the other hand, they also need to improve their technical control capability so as to identify and manage non-compliant VoIP services in the network promptly and effectively.

  • The network is filled with low-value traffic

According to generally accepted traffic statistics, P2P applications currently account for 50-60% (daytime) to 90% (night) of broadband traffic, and 40% for enterprise users. P2P has become the killer application of broadband, especially the sharing of IP audio and video files. Under the flat-rate monthly broadband pricing now popular with fixed-line operators, these flood-like traffic volumes fill the broadband metropolitan area networks that are constantly being expanded, yet bring none of the revenue growth the investment was expected to produce, creating the current awkward situation in which operators' expansion investment and revenue growth are out of proportion. Operators can consider using advanced technical means to improve the billing model and tariff strategy, and use tariff leverage and quality control to optimize network utilization efficiency.

  • Information security management

The Internet currently lacks effective means of identity identification and information management, so large volumes of junk, harassing and even subversive or unhealthy e-mail, text messages, instant messages, video files and so on spread across the network. The resulting worries of families, society and government about the development of broadband networks have a negative impact on the operators' business development.

Therefore the security threats of IM/P2P and the countermeasures to them deserve the close attention of telecom operators' management and security executives, who should study and deploy effective security management measures to promote the benefits and remove the harms, relieve bandwidth pressure and reduce security risk.

2 IM/P2P security management in telecom networks

In IM/P2P security management, telecom networks differ markedly from ordinary enterprise networks.

For a telecom operator, besides protecting its own support network according to the characteristics of an enterprise network, it also needs, as shown in the attached figure, to achieve the following security management goals step by step:

※ Govern voice and other high-bandwidth applications
※ Improve telecom network utilization efficiency
※ Improve the billing model and raise ARPU
※ Improve information control capability

Compared with enterprise networks, IM/P2P security management in telecom networks has the following two important characteristics:

※ Coarse-grained security policy. In the broadband network it must be possible to quickly identify and reassemble applications and sessions and apply security and tariff policies targeted at different application and session types. This identification usually only needs to reach a classification at the granularity the tariff policy requires, e.g. file sharing, VoIP, video and their various sub-classes. Because the telecom network has no administrative control over users and no desktop (endpoint) management means, it is technically very hard, and also unnecessary, to achieve the fine-grained governance goals that an enterprise network reaches by combining its many management means. This coarse granularity is also reflected in the required detection accuracy: a telecom network can tolerate some false negatives, and accurate filtering and blocking above 80% already clearly achieves the business goal, whereas such an accuracy would usually be unacceptable in an enterprise network.
※ High performance and robustness. IM/P2P management tools for telecom networks need to classify applications at high speed in Gigabit Ethernet environments, reassemble applications and sessions, enforce security policies and generate billing data. They also need to support high-availability deployment.

3 Summary

Solving the new security problems raised by IM/P2P requires exploring a range of measures, for example integrating security measures and mechanisms across network architecture, protocol systems, tariff models, terminal device management and other areas, and taking the impact of IM/P2P applications into account from the very beginning of the lifecycle, when major network projects are approved and new services are developed and introduced.

Telecom operators are always seeking new technical means to exploit network potential to the fullest, raise revenue per user and per unit of bandwidth, find new profit growth points, develop new service bundles and reduce customer churn. These new measures include controlling and exploiting IM/P2P traffic flows, offering tiered (differentiated) services to home and SOHO users in place of the current flat-rate monthly tariffs, providing service level guarantees (SLA) to business customers, and strengthening their own competitiveness in the future voice, video and data Triple Play market.

Therefore, beyond guaranteeing reachability, latency and security for IP packet data in the network, effectively monitoring, classifying and controlling it is a fundamental capability for operators to establish themselves in the 3G/NGN era, and is also telecom network security management in the broader sense.

Categories: -English-, P2P, Security, Telecom

China Security Market Entering Warring States

October 11th, 2005 Richard 6 comments

In recent days I went to visit and talk with some friends at Venustech, Nsfocus, Topsec, iS-One, BOCO, Lenovo Security and Huawei, which are the big-fish players in the China domestic security market. I found they are by far more mature than in the exciting "gold rush" age of 2000, not only in products and services but also in management ideas and marketing strategy.

After a few years of dramatic competition against each other, while some pioneers have exited their security business, the survivors above, though with missteps and high staff turnover, are dominating the security market and its trends. Some of them are branches of publicly listed companies, while some are around the corner from an IPO. Each of them has its own niche customer base and competitive advantages. No company can monopolize or control a whole industry or territory.

Venustech: Strong relationships with government and product sales in the e-Gov market. Recently it expanded its product line by launching a series of firewalls developed together with Horbournetworks. Venustech is on its way to IPO.

Nsfocus: Famous for its security technical experts and vulnerability discovery.

Topsec: The first security company in China with firewall products. After a few years of "bourgeois" performance in the arena, Topsec began to introduce venture capital from SoftBank and to OEM an IDS product from Korea in order to build a more complete "total solution". TNA (Trusted Network Architecture) has been its marketing security model. Topsec is on its way to IPO.

iS-One: The leader of the security market before 2003, where I worked as Chief Strategy Officer during 2000-2003, founded the R&D department and led the team to develop a series of firewall/IDS products named the LinkTrust series. In fact, around late 2000 a research project targeted at a security management platform was kicked off, while a three-in-one (firewall, IDS and anti-virus) roadmap was defined with high expectations. Regardless of what happened thereafter, I am proud of that vision of the security technology trend.

BOCO: A strong system integrator in the telecom industry. Its security division is penetrating more and more of the existing customers of its network management solutions.

Lenovo Security: Its security division was split from Lenovo Group in the first half of this year.

Huawei: A telecom giant and would-be dominator of the security market.



Categories: -English-, Security

[Chinese] The China Security Market Enters the Warring States Era (under continuous revision, comments welcome)

October 8th, 2005 Richard 14 comments

Please click through to [The China Security Market Enters the Warring States Era (final version)].
As the heated discussion sparked by "Da Pan is angry" on XFocus showed, the ever-fiercer market competition since 2000 has left every survivor covered in scars, "treading on the bones of other companies while wiping our own wounds": a grim and bitter description. Every survivor has its reasons for surviving. We should agree on one thing: although the Chinese market is known for its emphasis on "guanxi" (relationships), customer relationships can work for a time but not for a lifetime; they matter tactically, but cannot strategically determine a company's development. Moreover, everyone's "relationships" will gradually reach a balance or a check on each other, and what finally decides whether you survive are internal factors: the vision of the company's shareholders and management, corporate governance and maturity, the advancement and stability of products and technology, and the soundness of finances (cash flow). The growth and victories of the Huaweis and the collapse of the Hongzhis deserve our reflection.

On one hand, competition in the security market is fiercely under way at home; on the other, the race to "go global" is also being played out. China's economy is now in a rising phase led by an export-oriented economy, and essentially all of the booming companies have reaped a great deal from export trade. The success of Huawei, ZTE and UT has pointed the direction of attack for domestic national enterprises. Go out, and the sky is the limit! This view is accepted by most of the senior management of the leading security companies. "Security" must not, sheltered by domestic policy barriers, close its eyes to the blue ocean overseas!

The China Security Market Enters the "Warring States Era"


Security SNR of A SIM System

September 27th, 2005 Richard No comments

Continued from Security SNR

What is the Security SNR of a Security Information Management (SIM) system or process?

What is the security signal-to-noise ratio in the security information management process?

We know that the signal-to-noise ratio is the ratio of signal strength to noise strength. So what is security signal strength, and what is security noise strength? Whether an event is signal or noise depends on whether it is useful to the security administrator: useful means signal, useless means noise. But nothing is absolutely useful, and nothing absolutely useless; in an absolute sense every security event or IT event carries some meaning. So here we propose a concept: relative to the security administrator's attention (energy) and the security management resources, an event that the administrator is in a position to allocate attention (energy) to and handle effectively is signal, and an event that cannot attract the administrator's attention is noise.

Referring to the figure in the previous post, the role of a security information management (SIM) system is to differentiate a massive volume of security events from their uniform appearance (in which the administrator cannot distinguish or attend to any one of them), raising certain attributes of some of them to notify the administrator that those events are special. The number of such events should be limited to what the security administrator and the security management team can handle effectively.

So the signal-to-noise characteristic of a SIM system lies in its ability to process massive volumes of security events, analyze the meaning of events in a targeted way according to the actual operating environment, notify the security administrator of a customizable, tunable number of security events in a specific form, and effectively track how they are handled and what the outcomes are.
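As an added illustration of the definition above (example code written for this page, not code from the original post or from any SIM product), the Python sketch below turns "signal is what the team can actually handle" into a triage step: identical events are collapsed into one finding, findings are scored by sensor severity, an assumed asset-criticality table and how many assets the same source touched, and only as many findings as the team's capacity allows are escalated; everything else is counted as noise, and the ratio of escalated events to the rest is the security SNR. The weights, asset names and sample events are all constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    src: str       # source address reported by the sensor
    asset: str     # target asset
    kind: str      # sensor event type
    severity: int  # 1 (low) .. 5 (high), as reported by the sensor


# Assumed per-environment configuration: how much each asset matters.
ASSET_CRITICALITY = {"billing-db": 3, "web-01": 2, "test-vm": 1}

# Constructed sample event stream (not real data).
SAMPLE_EVENTS = [
    Event("10.0.0.5", "web-01", "port-scan", 2),
    Event("10.0.0.5", "web-01", "port-scan", 2),
    Event("10.0.0.5", "billing-db", "port-scan", 2),
    Event("10.0.0.5", "billing-db", "auth-failure", 3),
    Event("10.0.0.5", "billing-db", "auth-failure", 3),
    Event("10.0.0.5", "billing-db", "auth-failure", 3),
    Event("192.168.1.9", "test-vm", "auth-failure", 3),
    Event("192.168.1.9", "test-vm", "auth-failure", 3),
    Event("172.16.0.2", "web-01", "av-alert", 5),
]


def triage(events, capacity):
    """Split a raw event stream into signal (escalated) and noise.

    capacity is the number of distinct findings the team can work on;
    the SNR is escalated raw events divided by the remaining raw events.
    """
    # Collapse repeats of the same (src, asset, kind) into one finding.
    groups = defaultdict(list)
    for e in events:
        groups[(e.src, e.asset, e.kind)].append(e)
    # Simple correlation: how many distinct assets each source touched.
    assets_per_src = defaultdict(set)
    for e in events:
        assets_per_src[e.src].add(e.asset)
    findings = []
    for key, grp in groups.items():
        src, asset, _kind = key
        score = (max(e.severity for e in grp)
                 * ASSET_CRITICALITY.get(asset, 1)   # unknown asset: lowest weight
                 * (1 + len(assets_per_src[src])))   # wider spread, higher score
        findings.append({"key": key, "count": len(grp), "score": score})
    findings.sort(key=lambda f: (-f["score"], f["key"]))  # deterministic order
    signal = findings[:capacity]
    signal_events = sum(f["count"] for f in signal)
    noise_events = len(events) - signal_events
    snr = signal_events / noise_events if noise_events else float("inf")
    return {"signal": signal, "signal_events": signal_events,
            "noise_events": noise_events, "snr": snr}
```

Raising `capacity` escalates more findings and raises the SNR, but only the findings the team can still track to closure count as signal in the post's sense.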



Categories: -English-, Security, Telecom