About the issue of the Internet cafe server Wanxiang Network Management being attacked ~ advance ~
Indeed, the IT industry integrates global supply chains and markets. The reporter had no intention of studying the macro IT environment, but when the reporter devoted all his energy to security, interesting results emerged: security is also flat.
From security gateways, firewalls, UTM, anti-virus, IDS/IPS and VPN, to intranet identity authentication, security clients, security logs and network management systems, it seems that independent security products have changed. Whether in the earlier security linkage and 802.1X, or in the recent integration of private security protocols and of security with directory services, all reflect one trend: security is closely interconnected, "you have me and I have you."
The first element of information security is to formulate "enterprise security specifications", and this "security specification" is precisely the integration of the enterprise's various business departments and security products, covering storage, business transmission, behavioral security, network infrastructure, operational security, system protection and physical connection at all levels.
In other words, security is no longer a traditional single device, or a network-independent device as some manufacturers say.
In fact, the development of the past three years has proven that in the future, information security will gradually focus on system solutions based on user needs. Within this complete security solution, all parts are organically connected, showing a flat network relationship in which technology and needs are intertwined.
So while most people are still obsessed with the boundless "blue ocean strategy", reporters are beginning to pay attention to the flattening of information security. At the same time, in order to let more readers understand the current situation of information security, the reporter specially created the "Security is Flat" series to study new technologies and new applications of information security with everyone.
As the beginning of this series, the reporter started with "Identity Authentication and Intranet Security". This pair of inseparable security elements has become the hottest topic in the current security industry. Many enterprise users are full of questions about the relationship and deployment of the two, so the reporter also specifically consulted IT security experts from Cisco, CA, Juniper, Digital China, Sangfor, Xinhua Life Insurance Group and Fujian Industrial Bank to share their experiences with readers.
The general trend is to start with two-factor authentication
There are currently three major technology trends in the information security industry: first, trusted computing; second, identity authentication and intranet security; third, Unified Threat Management (UTM). According to IDC's statistical report in January this year, identity authentication and intranet security currently have the greatest demand.
The "2006-2010 China IT Security Market Analysis and Forecast" report recently released by IDC shows that the top security vendors are all involved in identity authentication and intranet security.
In the identity authentication process, it is generally based on username and password. According to the survey results of the US "Network World" in August this year, more than 60% of enterprises are no longer confident about traditional authentication methods.
The so-called two-factor authentication is defined relative to traditional identity authentication. Ye Yibin, security product manager of Sangfor, told reporters that with the proliferation of various spyware and keylogging tools, corporate IT personnel have found that an authentication system relying solely on the single identification of username and password is very unsafe. Two-factor authentication establishes rights on the basis of hardware and builds a certificate system to perform client authentication.
In addition, the use of two-factor authentication can also ensure the uniqueness of the client's login to the network. Wang Jinghui, security product manager of Digital China Network, said that the generation of security certificates can extract other information, such as the MAC address of the network card, the serial number of the client CPU, etc. Therefore, when a laptop enters the corporate network for the first time, the first step is for the authentication system to generate a username and password. The second step is for the system to collect the characteristics of the laptop and extract unique information in order to generate a unique corresponding certificate. All authentication information can be imported into the authentication server to check the client's unique login.
According to statistics from the United States and China, more than 70% of government departments are using certificate systems to ensure the security and reliability of identity authentication. In addition, most online banking services adopt the certificate model.
IT experts from China Merchants Bank revealed that the bank has now adopted secure digital certificates in the professional version of its online banking system, and stores them on USB Keys. The USB Key stores the user's personal digital certificate. The bank and the user each have a public key and a private key. The user only needs to remember a password to use it.
The IT manager of Xinhua Life Insurance Group told reporters that the USB Key authentication mode has been fully implemented in Xinhua Life, mainly for daily OA services. The implementer of the project, security experts from CA, said that many large enterprises have begun to adopt certificate systems. Enterprises like Xinhua Life Insurance are very concerned about the security of system data flows, especially those that reach the desktop and user files.
In addition to digital certificates, there is also another two-factor authentication method, namely dynamic tokens. Dynamic tokens generate a 5-6-digit authentication serial number every minute based on a time-based algorithm. On the client side, the user uses an electronic-watch-like hardware device to calculate the token serial number generated every minute. Then when users log in to the system, they only need to enter the user name and the serial number of the corresponding time period, and they can log in safely.
Interestingly, the reporter found that many IT security vendors themselves are using dynamic token technology. For example, the SSL VPN within Digital China Network uses a dynamic token secure login method. Dynamic tokens avoid the process of memorizing passwords, and their lifespan is generally three years. However, dynamic tokens are more expensive because they have a fairly accurate built-in clock.
2006-11-17 12:51 Namebus
The beauty of flat and secure intranet security
As mentioned before, the current trend in the security industry is flattening. No matter how powerful an authentication system is, it will still not be able to bring more value if it only exists in isolation. In fact, the authentication system is increasingly becoming a subsystem of intranet security. It ensures that when security problems occur on the enterprise network, the intranet security mechanism can ultimately locate specific equipment or specific personnel.
You must know that tracing security issues to a specific point has been the dream of enterprise IT personnel for many years. The person in charge of IT security at Xinhua Life Insurance told reporters that in the past, enterprises configured IDS, but once there was a problem with the network, the IDS would continuously alarm and send network management personnel a lot of suspicious IP address information. The network administrator is not a computer, and asking him to locate a certain device from a bunch of IP addresses is simply self-abuse. Using the authentication system, you can first ensure the authenticity and legitimacy of network users. Only when the scope of legitimate users is defined does locating them become possible.
At present, many security vendors have begun to improve their own intranet security technology and integrate it with the identity authentication system. Wang Jinghui introduced that they have combined the waterproof wall (client system), DCBI authentication system, IDS and firewall to form DCSM intranet security management technology, as the embodiment of 3DSMP technology. In DCSM technology, five elements of control are proposed: user name, user account, IP address, switch port and VLAN are bound together to further perform access control.
On this basis, the intranet security mechanism can judge users based on IDS/IPS alarms: for example, whether an attack was launched by a certain user, or whether a certain user is infected with a specific virus. For example, if the user is found scanning a specific port number, it can be determined that the user is infected with a worm virus. At this time, the DCBI control center will issue a real-time alarm. If the alarm is invalid, the system can block the user's network connection. Since the system knows the switch port and VLAN where the user is located through the complete authentication process, the blocking will be very accurate.
It is not difficult to see that a secure authentication system plays the role of network access control (NAC) in the intranet security solution. Cisco security engineers said that a complete set of authentication mechanisms combined with intranet security management software can achieve rich access control functions. In addition, this type of management software generally does not need to be installed: as long as it is distributed through the server, it can be pushed to every computer trying to access the network.
Liang Xiaodong, security product manager of Juniper, also said that combining the authentication system with the intranet security system can ensure that the overall network design is more secure.
And through built-in security protocols, more security products, such as firewalls, IDS/IPS, UTM, VPN, etc., can interact with each other to the greatest extent. Users can also choose different modules according to their own budget and financial situation, which provides the flexibility of safe deployment.
During the interview process, the reporter found that various security vendors have reached a consensus on intranet security issues. Perhaps, as Wang Jinghui said, although enterprise users have complete infrastructure, including a full set of anti-virus systems, the situation in the past two years is that viruses have broken out on a large scale. Not only has the number of incidents not decreased, but it has increased, and a large number of security incidents have broken out from the intranet.
So to sum up, to implement a complete intranet security mechanism, the first step is to implement centralized security authentication; the second step is to deploy a monitoring system, letting IDS/IPS monitor the behavior in the network to determine whether there is some kind of attack or some kind of virus; the third step is to act on the specific finding. After the problem is identified, it is important to let the system respond properly. The traditional method of blocking an IP is not effective against current attacks and viruses, because the MAC address and IP address of current attacks and viruses can change. Therefore, the effective way is that, after security authentication has been passed, the system can locate the user of a certain IP and then determine on which switch port the relevant event occurred. This way, when taking action, you can avoid blocking the entire IP subnet. In addition, by using the 802.1X protocol, the entire security system can interact with the switch, so that the client computer where the security incident occurred can be located more accurately.
| Category | Method | Security | Typical users | Drawbacks |
| --- | --- | --- | --- | --- |
| Two-factor authentication | Digital certificate | Very secure and can be used in conjunction with AD | Commonly found in financial institutions and government departments | High system development complexity; certain certificate security risks |
| Two-factor authentication | Dynamic token | The highest security, with basically no single point of security trouble | Used by IT security manufacturers | High cost |
2006-11-17 12:54 Namebus
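The five-element binding and port-level blocking described in the post above, as an added toy model (not the original post's content and not Digital China's DCSM or DCBI code): each authenticated session records user, account, IP, switch port and VLAN together with the interval it was active, and an IDS alarm that carries only an IP and a time is resolved through that record to the single switch port to act on. Because an address can be reused (DHCP, or a worm changing its address, which the post cites as the reason plain IP blocking fails), the lookup is by IP and time rather than IP alone, and a helper shows how many hosts a subnet-wide block would have taken down instead. Class and field names, the signature list, the port-name format and the sample sessions are all constructed assumptions.

```python
# Added toy model (not from the original post, and not Digital China's DCSM
# or DCBI code): authenticated sessions bind user, account, IP, switch port
# and VLAN, and an IDS alarm carrying only an IP and a time is resolved to
# the one switch port to block. All names, signatures and sample data below
# are constructed assumptions.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Session:
    """The five bound elements, plus the interval the binding was valid."""
    user_name: str
    account: str
    ip: str
    switch_port: str       # e.g. "sw-3f-01:Gi1/0/17" (constructed format)
    vlan: int
    start: int             # unix time authentication succeeded
    end: Optional[int]     # unix time the session closed; None = still active

    def active_at(self, t: int) -> bool:
        return self.start <= t and (self.end is None or t < self.end)


@dataclass(frozen=True)
class Alarm:
    """Minimal IDS/IPS alarm: source address, signature name, time seen."""
    src_ip: str
    signature: str
    time: int


@dataclass(frozen=True)
class BlockAction:
    """Containment decision: the single port to shut, and the audit reason."""
    switch_port: str
    vlan: int
    account: str
    reason: str


class SessionTable:
    def __init__(self, sessions: List[Session]):
        self._sessions = list(sessions)

    def session_for(self, ip: str, t: int) -> Optional[Session]:
        """The session that held `ip` at time t. Addresses get reused (DHCP,
        or a worm changing its address), so the key is (ip, time), not ip."""
        for s in self._sessions:
            if s.ip == ip and s.active_at(t):
                return s
        return None

    def hosts_in_subnet(self, ip: str, prefix: int, t: int) -> int:
        """How many authenticated hosts a subnet-wide block at time t would
        take offline: the collateral damage the post argues against."""
        net = ip_network(f"{ip}/{prefix}", strict=False)
        return sum(1 for s in self._sessions
                   if s.active_at(t) and ip_address(s.ip) in net)


# Signatures treated as evidence of a worm (constructed names).
WORM_SIGNATURES = {"TCP port scan", "SMB worm propagation"}


def resolve_alarm(table: SessionTable, alarm: Alarm) -> Optional[BlockAction]:
    """Map an alarm to one switch port. Returns None when the signature does
    not warrant containment, or when no authenticated session held the IP at
    that time (an unattributable source is reported, not guessed at)."""
    if alarm.signature not in WORM_SIGNATURES:
        return None
    session = table.session_for(alarm.src_ip, alarm.time)
    if session is None:
        return None
    return BlockAction(
        switch_port=session.switch_port,
        vlan=session.vlan,
        account=session.account,
        reason=f"{alarm.signature} from {alarm.src_ip} at {alarm.time} "
               f"({session.user_name})",
    )


# Constructed sample data: 10.1.20.17 is first held by zhangsan, then
# reassigned to lisi on a different port after zhangsan logs off.
SAMPLE_TABLE = SessionTable([
    Session("Zhang San", "zhangsan", "10.1.20.17", "sw-3f-01:Gi1/0/17", 20, 1000, 2000),
    Session("Li Si", "lisi", "10.1.20.17", "sw-3f-01:Gi1/0/18", 20, 2100, None),
    Session("Wang Wu", "wangwu", "10.1.20.30", "sw-3f-01:Gi1/0/30", 20, 1500, None),
])

if __name__ == "__main__":
    for alarm in (Alarm("10.1.20.17", "TCP port scan", 1800),
                  Alarm("10.1.20.17", "TCP port scan", 2500),
                  Alarm("10.1.20.17", "TCP port scan", 2050)):
        action = resolve_alarm(SAMPLE_TABLE, alarm)
        print(alarm, "->", action)
        print("  a /24 block instead would hit",
              SAMPLE_TABLE.hosts_in_subnet(alarm.src_ip, 24, alarm.time), "hosts")
```

The two alarms for the same address resolve to different ports because they fall in different sessions, and the alarm at a time when nobody held the address yields no action rather than a guess; in a real deployment that last case is what should page an operator, since it means the source was never authenticated.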
Smart User Hybrid Authentication Mode
Indeed, pure two-factor authentication plays a very high role in ensuring security. But it is undeniable that the IT management problems it brings cannot be ignored.
The security editor of the American "Network World" wrote that many medium-sized enterprise users in the United States with an annual turnover of 150 million to 1 billion US dollars do not consider the question of two-factor authentication, because they believe that a two-factor authentication system is not only difficult to configure, but also costs a lot of money to purchase and implement, and above all is complex to manage and maintain.
Back in China, reporters found that there were indeed many similar problems. The key to this problem is that these medium-sized companies happen to be in the growth stage of the market, and the number of user accounts multiplies like rabbits. Therefore, the security budget and the manpower required for authentication are not proportional. In this mode, deploying the most secure two-factor authentication system will certainly put greater pressure on the enterprise's IT department.
However, this does not mean that authentication security cannot be solved. In fact, many companies have already started taking action. Here, the reporter is happy to see that a "hybrid authentication" model with Chinese characteristics has been put into use.
As the name suggests, "hybrid authentication" integrates traditional identity authentication with two-factor authentication in order to obtain the best cost performance.
Here, please follow the reporter to see the typical application at Fujian Industrial Bank. Fujian Industrial Bank organically combines human authentication and machine authentication in its authentication system. In the field of OA office work, the traditional "username + password" method is used. However, for the ATM machines scattered in various places, two-factor authentication is adopted, by collecting the serial number of the ATM machine for automatic wireless authentication with the Radius server in the background, thus meeting the need for security supervision.
"Through this hybrid authentication model, we not only ensure the simplicity and efficiency of the OA system, but also reduce the operating costs of the enterprise network on the basis of security," the IT security director of Fujian Industrial Bank explained. "This is to use limited funds on the production network."
Similar authentication can indeed ensure the security and interests of enterprises. Yan Shifeng, security product manager of Digital China Network, once admitted to reporters that if domestic enterprises generally adopt the hybrid authentication model, it can greatly standardize hidden security issues in corporate networks, including access control of some private devices and wireless devices, which can be solved at low cost.
In fact, the model with Chinese characteristics is more than just that. Ye Yibin once jokingly said to a reporter: "In this world, no country in the world likes to send text messages more than the Chinese." Therefore, the use of text messages for security authentication has also become a major feature.
The cost of SMS authentication is very low. The client only needs a mobile phone, and the server is similar to an SMS mass-sending machine with a SIM card. When users log in, they use their mobile phones to receive user names and passwords. This mode can even specify the period of the user's security authentication. However, Ye Yibin also pointed out that although SMS authentication is safe and low-cost, it cannot be integrated with the enterprise directory service (AD), so its ease of use is challenged.
2006-11-17 12:57 Namebus
The concept of system integration flatness is released
In recent years, there has been a problem in the US security community: how to avoid the debris flow problem of intranet security. The root cause of the so-called debris flow problem is the phenomenon of multiple accounts and passwords. You must know that no matter how complete the authentication system is, or how well the authentication system is integrated with intranet security technology, it is difficult for users to avoid the problem of entering passwords for multiple accounts.
Login accounts and passwords, email accounts and passwords, office accounts and passwords, and so on, as well as multiple accounts and passwords, have attracted the attention of enterprise IT personnel. Because people have difficulty remembering different account names and passwords, this often leads to security risks. In fact, during Europe's InfoSecurity conference in August 2004, 70% of London commuters happily shared their login information; the original intention was just to save themselves from remembering account names and passwords.
For this reason, unifying security authentication, intranet security, including account passwords in VPN information is an issue that cannot be ignored. Wang Jinghui said that at present, various manufacturers hope to integrate authentication systems and intranet security equipment, including VPN, UTM, etc., with the enterprise's AD. He believes that this is definitely a good idea.
Because currently many enterprises use AD and Microsoft has many products, all modules in security technology can be integrated, including the in-depth integration of authentication systems and AD. In many cases, it is unrealistic and quite troublesome for enterprise IT personnel to maintain two or more account systems.
The reasonable method is to combine it with the user's existing authentication system, and currently the most commonly used one is the domain account. In this regard, the enterprise's VPN, dynamic VPN, and authentication system can all use the same AD account to achieve single sign-on (Single Sign On).
From a larger perspective, the entire network access control stage can be combined with AD. As Cisco's security engineers said, the current overall security technology must at least be combined with AD and Radius authentication, because these two are the most commonly used.
Interestingly, according to statistics from the US "Network World" and this newspaper in 2005, both Chinese and American users have quite a lot of AD deployed in corporate networks, which also reflects that Windows authentication has the widest scale. But to integrate AD with intranet security, the biggest challenge at present is that security vendors must have a special understanding of Microsoft products and require certain technical support to develop accordingly.
Taking Xinhua Life Insurance's authentication system as an example, the traditional Windows login domain interface has been modified, and the new interface has been integrated with the backend AD and enterprise mail systems, allowing access to all applications with one login.
In addition, according to the specific needs of users, Wang Jinghui said that intranet security technology can be further combined with LDAP and X.509 certificates.
The reporter learned that many domestic government departments are currently doing similar work. Take the security system of the Henan Family Planning Commission as an example. The digital certificates of the Henan Family Planning Commission are all generated based on the certification system of the original CA company. Therefore, when they deploy other security equipment, they cannot reinvent the wheel and develop another one, otherwise multiple authentication problems will occur. This requires the security vendor to cooperate with the original CA vendor to exchange data on the authentication interface - the security vendor is responsible for submitting certification information, and the CA vendor is responsible for certification and return information. Finally, the security system combined with the CA certificate can also achieve one-time three-point authentication (identity, domain, VPN).
The reporter noticed that the security editor of "Network World" in the United States has recently been very enthusiastic about the concept of unified identity management (UIM). He believes that by integrating two-factor authentication, the enterprise's central AD, the back-end authentication server, the trust store, and some network access control modules, the most complete UIM system can be formed.
The reason is simple, and authentication is almost inevitable: many applications use distributed or ownership-based authentication methods and databases, so wanting to support all applications with a single simple authentication platform is almost impossible. And this is the basis for UIM's existence.
In this regard, the view of domestic security manufacturers is that UIM is very important and can solve the authentication management problems of enterprise users. However, from the perspective of the security of the larger intranet, UIM is still not everything. Yan Shifeng's view is that a complete set of intranet security technology includes at least three aspects. First, network access control (NAC), which can also be regarded as UIM: it ensures that only legal and healthy hosts can access the network, including user identity authentication and access control management of access devices. Second, network terminal management (NTM): it solves the problems of ease of use, unified management and terminal security of enterprise office terminals. Third, network security operation management (NSRM): it can dynamically ensure the security and stable operation of network equipment and network lines, automatically discover network faults, automatically solve them and alarm.
See, an identity authentication system involves all components of the entire intranet security. No one should doubt the flattening of security by now, but remember, the flattening has only just begun.
Editor's thoughts: Flat safety lacks standards
Safety is flat, but there is a lack of standards in flat technology. Whether it is identity authentication or larger intranet security, each country does not have a corresponding universal standard. In fact, even the 802.1X protocol cannot be completely universal among various security manufacturers.
As for intranet security technology, currently no domestic or foreign manufacturer is large enough or strong enough to integrate the products of different professional security manufacturers into one. Therefore, a lot of it depends on everyone working together, and so in the industry there are Tianrongxin's TOPSEC, CheckPoint's OPSEC, and Digital China's own protocol SOAP.
The industry needs standards, but there are none. Wang Jinghui reluctantly told reporters that each manufacturer had to define its own communication interface and key agreement mechanism, and also ensure that all data in the protocol tunnel is encrypted. However, he also believes that the current status can meet market demand.
I remember that as early as 2000, someone had raised the issue of unifying security standards, but it could not be done. To take a step back, the current trend in the security market is that the speed of changes and updates is very fast. When developing a security protocol, you must consider protecting the user's existing investments and keeping legacy equipment usable. But the current situation is that the past equipment has become obsolete before the protocol is released. From this perspective, unifying the security protocols of all manufacturers is of no value.
Moreover, governments of various countries have their own ideas on security, and international manufacturers may not agree to an agreement.
囧~~~~~
My hands are numb, Even if it’s not right, I still have to give it