2/8/2006 Magic Quadrant for Network Intrusion Prevention System Appliances, 2H05

Network intrusion prevention systems (IPSs) can detect and block attacks, such as worms, and act as a pre-patch shield for systems and applications. The Sasser and Zotob worms have driven network IPS to be ready for enterprise use. The market for network IPS appliances is entering a phase of maturity and consolidation. The significant benefits of an in-line attack-blocking technology can only be realized with a product that fits your security processes and is sized appropriately. The Magic Quadrant for Network Intrusion Prevention System Appliances is illustrated in Figure 1.

Strategic Planning Assumptions
Sales of stand-alone IPS appliances will be less than 10 percent of overall next-generation firewall revenue by the end of 2008 (0.7 probability).
Through 2007, in-house testing will have been done for 90 percent of new acquisitions of network IPS in appliances and next-generation firewalls (0.8 probability).
Figure 1. Source: Gartner (November 2005)

The network IPS market has its roots in the improvement and often replacement of intrusion detection systems (IDSs). IPS contains all the detection features of IDS, with two critical areas of improvement: (1) intrusion prevention moves beyond simple attack-signature detection to add vulnerability-based signatures as well as anomaly detection capabilities; and (2) network IPS sensors have high processing rates to support in-line automated blocking or handling of attacks. Essentially, network IPS adds "block attacks and let everything else through" security enforcement to the "deny everything except what is explicitly allowed" policy enforcement provided by the first generation of firewalls. By the end of 2006, most next-generation firewalls will likely use common processing engines to support both functions in one product.

The network IPS market for stand-alone appliances was approximately $246 million in 2004 (including product and maintenance but not services) and will increase to more than $400 million by the end of 2005. McAfee had the largest share of IPS revenue, followed closely by TippingPoint and Internet Security Systems (ISS). This is a crowded market with several dozen vendors providing network IPS products, many with very small installed bases. Consolidation will likely continue because there already is increasing consistency in the shortlists of vendors, particularly in larger enterprises. For more on this subject, see "The Network IPS Market Will Consolidate in 2005."

Vendor lineage is stereotyped in the products: IPS from security companies tends to be strong on security function and less impressive on network performance, which is the opposite of companies in which security is not their primary business (for example, network infrastructure vendors and startups).
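The distinction in point (1), exploit-pattern signatures versus vulnerability-based signatures, is what separates a signature that catches one published exploit from one that catches every attack on the same flaw. The following Python is an added illustration, not part of the Gartner report and not any vendor's engine: the request format, the 64-byte header buffer and the exploit bytes are all constructed for the example.

```python
"""Exploit-based versus vulnerability-based IPS signatures.

Added example: the request format, the vulnerable 64-byte buffer and the
exploit bytes are constructed for illustration and model no real product or
advisory.
"""
import re

# Constructed vulnerability: the server copies the value of the "Agent:" header
# into a fixed 64-byte stack buffer without checking its length.
AGENT_BUFFER_LEN = 64

# Exploit-based signature: the byte pattern of one published exploit (a NOP
# sled followed by a marker). Any attacker who changes the sled or payload
# slips past it.
EXPLOIT_PATTERN = re.compile(rb"\x90{8,}AAAA/bin/sh")


def exploit_signature(packet: bytes) -> bool:
    """Match the known exploit's byte pattern anywhere in the packet."""
    return EXPLOIT_PATTERN.search(packet) is not None


def parse_headers(packet: bytes) -> dict:
    """Parse the constructed request format: request line, then 'Name: value'
    lines terminated by an empty line."""
    headers = {}
    for line in packet.split(b"\r\n")[1:]:
        if not line:
            break
        name, sep, value = line.partition(b":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def vulnerability_signature(packet: bytes) -> bool:
    """Flag any request that reaches the vulnerable condition (an over-long
    Agent value), regardless of what bytes the attacker put there."""
    agent = parse_headers(packet).get(b"agent", b"")
    return len(agent) > AGENT_BUFFER_LEN


def build_request(agent_value: bytes) -> bytes:
    return (b"GET /index.html HTTP/1.0\r\nHost: example.test\r\nAgent: "
            + agent_value + b"\r\n\r\n")


# Constructed traffic samples.
SAMPLES = {
    "benign": build_request(b"Mozilla/4.0 (compatible)"),
    "published_exploit": build_request(b"\x90" * 40 + b"AAAA/bin/sh" + b"\xcc" * 40),
    "variant_no_sled": build_request(b"A" * 60 + b"\xeb\xfe" + b"\xcc" * 40),
    "long_but_safe": build_request(b"x" * AGENT_BUFFER_LEN),
}


def evaluate(samples=SAMPLES) -> dict:
    """Run both signatures over every sample and return the verdicts."""
    return {
        name: {"exploit_sig": exploit_signature(p), "vuln_sig": vulnerability_signature(p)}
        for name, p in samples.items()
    }


if __name__ == "__main__":
    for name, v in evaluate().items():
        print(f"{name:18s} exploit_sig={v['exploit_sig']!s:5s} vuln_sig={v['vuln_sig']}")
```

The published exploit trips both checks; the variant with a different sled and payload trips only the vulnerability check, which is the behaviour the "vulnerability-based signatures" phrase refers to. The cost is that the vulnerability check needs a protocol parser in the sensor for every protocol it covers, which is where the processing-rate concern in point (2) comes from.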
These differences between security-lineage and network-lineage vendors will be reduced in the midterm and, in the long term, will become almost irrelevant as the next-generation firewall market grows (see "Network Security Platforms Evolving Into Single-Appliance Solutions").

On average, solutions are priced at about $50,000 per Gbps of deep inspection (this is an average, and many products provide less than 1-Gbps capability). Most vendors provide more than five models, with some entry-level products offered for less than $15,000. Maintenance fees vary considerably. Signature update fees also vary but are included with maintenance for most products. Most products include a local management console, with dedicated management appliances resulting in an additional cost. The total cost of ownership and system management capabilities of network IPS products should be key evaluation criteria when comparing competing products. Reliability and availability are also key criteria for any in-line device. Bypass modules allowing fail-open for copper ports are an additional charge for Reflex, Radware (except the DefensePro 3020), and Check Point Software Technologies (for the 410 and 610 products only). Other vendors include this in the base price in recognition that fail-open in-line deployment is the standard mode for most customers.

The network IPS market includes in-line devices that perform full-stream assembly of network traffic and provide detection using several methods, including signatures, protocol anomaly detection, and behavioral or other techniques. Network IPS is also provided within a next-generation firewall, which is the integration of an enterprise-class network firewall and network IPS. The next-generation firewall market will subsume the stand-alone network IPS appliance market (the subject of this Magic Quadrant) at the enterprise edge. However, this will not occur immediately because of the following factors:
The network IPS market is already in the first stage of consolidation, with Gartner seeing a more consistent list of vendors on our customers' shortlists. With fewer companies receiving a larger share of the revenue, there are opportunities for the acquisition of companies providing quality products, but there are risks for buyers of products from vendors that are not increasing their installed base.

Inclusion and Exclusion Criteria
Only products that met the following criteria were included:
Products and vendors were excluded if:
The Ability to Execute criteria include:
Source: Gartner

The Completeness of Vision criteria include:
Source: Gartner

Leaders demonstrate balanced progress and effort on all execution and vision categories. Their actions raise the competitive bar for all products in the market, and they can change the course of the industry. To remain in the Leaders quadrant, these vendors must have demonstrated a track record of delivering successfully in enterprise IPS deployments and winning in competitive assessments. Leaders produce products that provide high signature quality, offer low latency, and have a range of models. Leaders consistently win selections and have been consistently visible on enterprise shortlists. A leading vendor is not a default choice for every buyer, and clients are warned not to assume that they should buy only from the Leaders quadrant.

Challengers have products that address the typical needs of the market, with strong sales, visibility and clout that add up to higher execution than niche players. Challengers often succeed in established customer bases but do not yet fare well in competitive selections.

Visionaries invest in the leading/bleeding-edge features that will be significant in the next generation of products and give buyers early access to improved security and management. Visionaries can affect the course of technological developments in the market, but they lack the execution skills to outmaneuver challengers and leaders. There are currently no IPS vendors that meet these criteria.

Niche players offer viable solutions that meet the needs of some buyers. Niche players are less likely to appear on shortlists, but they fare well when given the right opportunity. While they generally lack the clout to change the course of the market, they should not be regarded as merely following the leaders. Niche players may address subsets of the overall market (for example, the small and midsize business [SMB] segment or a vertical market), and often they can do so more efficiently than the leaders.
Niche players are often smaller firms, produce only software appliances, and/or do not yet have the resources to meet all of the enterprise requirements.

3Com (TippingPoint)
Acquired by 3Com earlier this year, TippingPoint did not suffer any significant drop in performance from this change. As a pure-play IPS vendor that did not have to convert an IDS product, TippingPoint had the advantage of designing its products to perform well in a network environment. With a 5-Gbps product, TippingPoint devices have been shown to be well-behaved in-line devices and often win product selections in which low latency is heavily weighted. If 3Com executes correctly, TippingPoint will be able to move IPS onto a switch and also use 3Com channels for the SMB market when it introduces sub-11-Mbps products. 3Com showed its commitment to advancing IPS as a key product area by appointing TippingPoint's CTO as the 3Com CTO. TippingPoint does not offer a network firewall on its IPS and will need to do so in order to enter the next-generation firewall market.

Check Point Software Technologies
Check Point Software Technologies has not had a stand-alone IPS appliance for the enterprise edge. Check Point does provide a next-generation firewall in its SmartDefense offering, but it really has not had a purpose-built in-line sensor offering. Check Point InterSpect is its "internal IPS" offering, but this has had limited visibility in the network IPS appliance space, which is driven by edge requirements. To remedy this, Check Point announced its intention to acquire Sourcefire (the acquisition is expected to be completed in the first quarter of 2006). This has the potential to provide a stronger deep-inspection engine across the Check Point platforms, particularly if Check Point integrates Sourcefire RNA across its products. Check Point is financially strong, and its wide international support is important for deployments across the world.
Cisco Systems
Cisco Systems entered the IPS space this year with an offering across an impressive number of platforms. In addition to the IPS appliance, Cisco IPS software can also be run on IOS platforms, on ISR routers, on IDS/IPS blades in Cisco switches, within the ASA appliance, on access routers and on PIX firewalls. Cisco's IPS appliance is its former IDS platform with the software upgraded and reconfigured for placement in-line. Enterprises that are nearly "all Cisco" in infrastructure are good candidates for Cisco IPS, especially enterprises in which Cisco IDS is already in place. With the IPS products less than 1 year old, Cisco is not often winning in competitive product selections against other IPS vendors.

DeepNines
DeepNines has pursued the "far edge" placement point with an IPS offering a Layer 2 transparent (no IP address) in-front-of-the-router device. DeepNines expanded this line to include traditional IPS, which can be applied to a wider number of placement points. These software appliances are close in functionality to an all-in-one appliance and may be attractive to the SMB market because they include a firewall, gateway antivirus and some anti-spyware capability.

Internet Security Systems
A security company with a strong history in IDS, Internet Security Systems has two significant assets outside its IPS appliance: its X-Force vulnerability research team and its MSSP business. Investing in vulnerability research has allowed ISS to be the leader in new signatures, and this capability has driven its product design around vulnerabilities rather than exploits, which is fundamental to good-performing IPS and sound signatures. ISS design investments in IPS have made it easier for it to add new protocols (for example, voice over Internet Protocol [VoIP]) for inspection within its Protocol Analysis Module (PAM). ISS has been successful in migrating its IDS customers to the Proventia G, but it is held back from greater success by not yet offering a high-performance purpose-built appliance.
IPS management is integrated with other ISS products via the SiteProtector manager.

Juniper Networks
NetScreen was an early innovator in deep-packet inspection after its acquisition of OneSecure. With the Juniper acquisition now behind it, innovation and new product features are again showing up in its IPS products, with full-featured appliances up to 1 Gbps inspecting a large number of protocols. As with its firewall competitor Check Point, Juniper is well-positioned in the next-generation firewall market (the hardware-based ISG firewalls provide up to 2 Gbps of deep inspection), yet Juniper has not maintained high visibility in the IPS appliance space with its IDP IPS products. Juniper's software-based IDP IPS appliance is popular with enterprises that already own Juniper infrastructure equipment. The Juniper IDP product has a range of models and a strong management console.

McAfee
McAfee, known more for antivirus software than for network security, has had considerable success in the IPS field through acquisition and enhancement of the IntruShield product. McAfee is often seen on enterprise IPS shortlists with its purpose-built IntruShield IPS, which performs well in throughput testing. IntruShield includes Secure Sockets Layer (SSL) acceleration/inspection technology and has a 2-Gbps appliance. McAfee has been including customization for MSSPs in recognition of the growing market for customer-premises and "in the cloud" managed services. For more information on this subject, see "'In the Cloud' Security Services Will Change Providers' Landscape." To maintain this lead, McAfee must incorporate a strong network firewall with its IPS (that is, a next-generation firewall) and integrate IntruShield with its other products through a unifying management console.

NFR Security
NFR Security has leveraged its IDS lineage to move into the IPS space with its Sentivist product line.
Although Sentivist IPS is a software appliance, NFR is seeing success at the enterprise and with government deployments. With a separate management appliance mandatory, NFR is better suited to multiappliance deployments. Sentivist offers a good interface, good reporting and a minimum of configuration, and is suited for sub-200-Mbps placement points. NFR recently released an Enterprise Series Sensor line for higher-throughput placement points.

NitroSecurity
NitroSecurity takes a nontraditional approach to IPS, with an emphasis on the custom database within its software appliance IPS and detection weighted toward correlation and quarantine rather than signatures. NitroSecurity offers a Layer 2 transparent-mode IPS that is seeing success in the healthcare and education verticals. NitroSecurity proposes some innovative features on its IPS road map but requires increased signature emphasis, better support and financial strength to compete effectively on enterprise shortlists.

Radware
Radware offers purpose-built multigigabit IPS appliances up to 3 Gbps. Capitalizing on its network expertise, Radware DefensePro IPS includes solid in-line behavior, such as low latency, and denial of service (DoS) features, including traffic shaping. Radware has increased its investment in vulnerability and IPS signature research but lags the leaders in proactive protection.

Reflex Security
Reflex Security is a startup IPS firm offering a low-cost software appliance requiring a minimum of configuration, designed for SMBs and Type C enterprises and the MSSPs servicing them. The Reflex product overlaps the all-in-one security appliance space, as it includes firewall, gateway antivirus and anti-spyware; however, it is most often deployed for its IPS capabilities.

Sourcefire
Sourcefire has leveraged its IDS lineage successfully into IPS. Sourcefire developed a purpose-built appliance this year, allowing it to compete more effectively at the enterprise.
Sourcefire IPS can now receive feeds from the Sourcefire RNA vulnerability assessment product, allowing the IPS to make prioritized blocking decisions and giving it endpoint (client and server) visibility (see "Use Endpoint Intelligence to Improve Security Defenses"). Although Sourcefire manages the open-source Snort IDS product, its IPS is full-featured and is not to be confused with in-line original equipment manufacturer (OEM) Snort implementations. Sourcefire IPS is also available via OEM through Nortel Networks and on the Crossbeam platform. Check Point announced it expects to complete its proposed acquisition of Sourcefire in the first quarter of 2006.

StillSecure
StillSecure's Strata Guard (renamed from BorderGuard) is a software appliance solution suited to sub-Gbps placement points. Strata Guard IPS is integrated with the StillSecure VAM vulnerability management product, supporting the reality that IPS is part of a process of vulnerability remediation (see "Intrusion Prevention Process Consists of Seven Steps"). Having the vulnerability management feed widens the network view for more-intelligent IPS alerting and blocking decisions.

Symantec
Symantec's SNS 7000 series appliance has low visibility in the enterprise market, but this is consistent with Symantec's focus on the SMB multifunction network security appliance space and with the product's being very new to the market. The SNS is friendly for administrators, uses the familiar LiveUpdate for signature updates, has clear incident viewing, and includes innovative elements, such as FlowChaser, which allows for identifying the source of DoS attacks. SNS has not done well in competitive IPS "bake-offs," primarily from a network performance perspective, but it is popular with enterprises that have a large Symantec investment.

Top Layer Networks
Top Layer Networks' lineage is load balancing and edge-of-network DoS protection. This has translated well to IPS, with Top Layer offering purpose-built hardware for multi-Gbps placement points with its 5500 appliance.
Top Layer provides a balanced blend of safeguards and detection methods, including network firewall, DoS protection and traffic shaping. Top Layer lags other players in the proactive protection of narrow blocking signatures, but it does have multidevice management capabilities, low latency and good post-sales support.

V-Secure
V-Secure takes an approach weighted heavily toward behavioral detection in its software appliance. Signature detection was introduced in version 8.0 in recognition that signatures are a required detection technology. V-Secure signature release times are longer than the industry average.

Evaluation Criteria Definitions

Ability to Execute

Product/Service: Core goods and services offered by the vendor that compete in/serve the defined market. This includes current product/service capabilities, quality, feature sets, skills, etc., whether offered natively or through OEM agreements/partnerships as defined in the market definition and detailed in the subcriteria.

Overall Viability (Business Unit, Financial, Strategy, Organization): Viability includes an assessment of the overall organization's financial health, the financial and practical success of the business unit, and the likelihood of the individual business unit to continue investing in the product, to continue offering the product and to advance the state of the art within the organization's portfolio of products.

Sales Execution/Pricing: The vendor's capabilities in all pre-sales activities and the structure that supports them. This includes deal management, pricing and negotiation, pre-sales support and the overall effectiveness of the sales channel.

Market Responsiveness and Track Record: Ability to respond, change direction, be flexible and achieve competitive success as opportunities develop, competitors act, customer needs evolve and market dynamics change. This criterion also considers the vendor's history of responsiveness.
Marketing Execution: The clarity, quality, creativity and efficacy of programs designed to deliver the organization's message in order to influence the market, promote the brand and business, increase awareness of the products, and establish a positive identification with the product/brand and organization in the minds of buyers. This "mind share" can be driven by a combination of publicity, promotional, thought leadership, word-of-mouth and sales activities.

Customer Experience: Relationships, products and services/programs that enable clients to be successful with the products evaluated. Specifically, this includes the ways customers receive technical support or account support. This can also include ancillary tools, customer support programs (and the quality thereof), availability of user groups, service-level agreements, etc.

Operations: The ability of the organization to meet its goals and commitments. Factors include the quality of the organizational structure, including skills, experiences, programs, systems and other vehicles that enable the organization to operate effectively and efficiently on an ongoing basis.

Completeness of Vision

Market Understanding: Ability of the vendor to understand buyers' wants and needs and to translate those into products and services. Vendors that show the highest degree of vision listen to and understand buyers' wants and needs, and can shape or enhance those with their added vision.

Marketing Strategy: A clear, differentiated set of messages consistently communicated throughout the organization and externalized through the Web site, advertising, customer programs and positioning statements.

Sales Strategy: The strategy for selling product that uses the appropriate network of direct and indirect sales, marketing, service and communication affiliates that extend the scope and depth of market reach, skills, expertise, technologies, services and the customer base.
Offering (Product) Strategy: The vendor's approach to product development and delivery that emphasizes differentiation, functionality, methodology and feature set as they map to current and future requirements.

Business Model: The soundness and logic of the vendor's underlying business proposition.

Vertical/Industry Strategy: The vendor's strategy to direct resources, skills and offerings to meet the specific needs of individual market segments, including verticals.

Innovation: Direct, related, complementary and synergistic layouts of resources, expertise or capital for investment, consolidation, defensive or pre-emptive purposes.

Geographic Strategy: The vendor's strategy to direct resources, skills and offerings to meet the specific needs of geographies outside the "home" or native geography, either directly or through partners, channels and subsidiaries as appropriate for that geography and market.
11/22/2005 Build Your Own Security Operations Center

Discover how a SOC helps you fight intruders from the confines of a safe house.

You wouldn't go into battle without a trusted group of generals strategizing your best attacks and defenses, so why try to secure your data without an infosec team and plan? If you don't have a dedicated security operations center and staff, you'll be scrambling to shore up your defenses even as the bad guys are invading your systems.
A SOC can be as simple as a set of offices or cubicles next to each other, or as sophisticated as a standalone complex with extra-large displays, two-factor physical security and a budget to match. Typically, only the largest companies have the resources to build and staff a dedicated SOC. In a recent survey of Secure Enterprise readers, 72 percent of respondents with fewer than 5,000 employees had no plans to build a SOC. Among the 28 percent who have a SOC or plan to build one, 53 percent will colocate it in the network operations center, which makes sense because an existing NOC provides the framework on which to build the additional functionality a SOC requires. The rest plan to house the SOC in a separate location, either a building (25 percent) or a room (22 percent).
The tasks the security operations center handles can range from typical event management and incident response to account administration, investigations and forensics. Some companies choose to outsource their SOCs because they want the expertise and 24-hour monitoring of a dedicated security team without staffing and building a SOC. For many, it makes sense to maintain an internal SOC, especially when a NOC already exists. See "How To Set Up a War Room" for a checklist of the essentials. Make sure you've got the budget to build out and hire. But remember, not everyone can speak Perl and decode a TCP/IP packet in three seconds. In "Most-Wanted Skills," we outline the various skill sets needed.
SOC It to Them

The SOC facility, like any other critical operations center, must be secure--both electronically and physically. Building a separate infrastructure is expensive and probably not worth the effort. Instead, try to use an existing, secure infrastructure. In many cases, the data center is a good fit, because it already has manned guard stations, cameras, security clearance and sign-in/sign-out requirements and other physical security controls. Everyone who enters and leaves the SOC must be tracked to provide an access audit trail. Even a simple login sheet is better than nothing.
And only specific employees should have access. Network engineers, application developers and business partners, for example, don't need physical access to the SOC. The SOC manager, or leader, provides access approval. While the CISO or CIO is too high a position to make day-to-day decisions, he or she would still be responsible for the governing policies.

Of course, the greatest threat to your SOC will come from malicious users gaining access to it over the network. Your SOC will access key security systems, such as firewalls, IDSs, IPSs (intrusion-prevention systems), and antivirus and event-management consoles. It will also store confidential data, such as configuration information, trouble tickets and event logs. So your security controls must ensure the integrity and confidentiality of the data and systems. Common and successful approaches to this end include having highly restrictive firewall policies for the SOC and placing an IDS--or better yet, an IPS--with restrictive policies inline between the SOC and the rest of the company network. A nonroutable internal address space inside the SOC adds a level of obscurity, but it is not a substitute for those controls. Also, make sure your firewall rules lock down the environment. If remote access to the SOC is needed from within the company network, require a VPN connection. Devices within the SOC should be under the management of the SOC leader, and all changes to these devices must be tested and audited before being made. In addition, you might want to set up a VLAN (virtual LAN) to provide access to key network and security devices in the event the production network is unavailable or so saturated with traffic that you can't get to it.
Network Connections

But it's not all about hiding the SOC. An additional network connection will give your SOC personnel an outsider's view of your network. This link could be a T1 line or even an inexpensive DSL connection, preferably from an ISP other than the one providing your primary Internet connections. With this external view, you can perform tests to determine vulnerabilities in the event of a perimeter compromise. And if your primary or secondary network connection goes down, the ancillary connection can be used for sending e-mail, downloading updates and performing investigations. Ideally, the account won't be tied to the primary company, nor will DNS entries indicate who owns the connection. This way, when investigating a suspected intruder or attacker, you can visit the Web site or server from an IP address that isn't traceable to your company, so as not to let the culprit know you're aware of the attack. This ancillary network connection must not be tied to your production network. If possible, use an air-gap approach in which there's no physical connection between the two networks. You also can set up different VLANs on a single switch or different interfaces on a firewall with a strict set of rules in place.

Undoubtedly, you'll need a wireless network in the SOC so workers can roam between conference rooms and offices. However, wireless access should be limited to only specific users and systems. One possible solution is to have wireless users access the SOC network over a VPN requiring two-factor authentication. The wireless network should have virtually no access to the SOC except over the VPN, ensuring that no wireless user can gain access to critical systems.

Coverage requirements are a key factor when proposing and designing a SOC. If you're seeking coverage past normal business hours, consider setting up a SOC in a remote time zone so its staffers can serve your after-hours needs without working the graveyard shift themselves.
For some companies, it may make sense to maintain one SOC in North America and another in Asia or Europe, though additional security controls would have to be put in place to safeguard information flowing between the two.

No SOC is complete without a place to analyze suspicious programs and test possible solutions. This is especially true for organizations unlucky enough to be hit by a zero-day or unknown exploit, worm or virus. Most of the time, even unknowns are a variant of some known worm. The variant may use a different payload or a new propagation method. Still, it may be difficult to determine what's occurring and what you must do to stop it. Enter the sandbox. A sandbox is a set of systems--or even a single system--that's separate from any other network in your organization and used to analyze the behavior of suspicious applications. You can also use a single system running a virtual machine application, such as VMware. Set up multiple VMware guest OSs to share a private network segment--for instance, you can have Windows System A as the infected system and Windows System B as the target system. Run a packet-capture tool, such as Ethereal (now Wireshark), on System A to capture all packets going in and out of the system, then run Ethereal on System B and compare the two. Other useful tools for sandboxing, including Regmon, Filemon and Diskmon, are available from Sysinternals. Of course, similar solutions can be found for your favorite Unix OS, too.

A SOC also demands a large display to monitor the health of network traffic and load, routers and firewalls, Active Directory, DNS, production-application servers and other key items.
A Series of Unfortunate Events

Security events can be generated from many devices and applications, including firewalls, routers, VPN concentrators, Web and antivirus applications, and IDS/IPS devices. The sheer number of events that many companies must collect, analyze and store can be staggering. To help, many SOC teams are turning to SEM (security event management) tools. ArcSight, GuardedNet and Network Intelligence are the leaders in this area. It's not uncommon to hear that some SEM tools process several thousand events per second. But not every event must be captured and analyzed. Use aggregation and selectively choose which types of events get captured to reduce the volume of data. You can limit your analysis to only events coming from critical servers and systems, for instance. A SEM product working with a vulnerability assessment (VA) tool can help you identify those events that are targeted at systems actually vulnerable to the attacks. Make sure your VA data is up-to-date and scans are done frequently. This can be challenging when dynamic IP addressing is used, because many VA products use only the host IP address as the unique identifier. Thus, if a workstation's IP changes over time, the VA solution may have difficulty tracking it, and redundant scan information will be included.

As for storing the data generated from these events, the length of time to keep the logs depends on various government and industry regulations and standards, such as HIPAA, SOX and ISO 17799. Some of these don't define a retention time, but others specify a minimum of seven years. NIST, in its "Computer Security Incident Handling Guide, Special Publication 800-61," recommends retaining at least several months of data. The North American Electric Reliability Council says audit logs must be kept for three years. To help reduce log storage, some SEM tools can save log data by type.
You may want to retain your IDS data for 60 days, for instance, but keep VPN logs for 120 days and application logs for years. Any SEM tool--or any event collection/aggregation tool--must be able to keep working during abnormally high event counts. IDS/IPS devices and firewalls can generate an enormous number of events during a virus or worm outbreak. You can increase the SEM's availability with multiple horizontally partitioned databases. One database can be used for events generated recently while another database is used for historical analysis. The database used for correlation and reporting may be different from the database used for the short-term events. If everything is stored on a single database, the additional load on the server will hamper its ability to run reports. You also can ensure information availability using other methods. A fault-tolerant design, for instance, keeps your system operational in the event of a network or physical infrastructure failure. With a fully redundant design, events from each device are sent to primary and secondary event collectors, which then send data to aggregation engines. Ideally, from a network-design perspective, these should all be located near the event source. Additionally, you could have two event-management databases--one at a primary SOC and the other at a secondary SOC.
Log Jam

Most security devices can send their logs to a syslog server, which acts as an event collector for these various devices, but the real integration challenge comes when combining incident logs with application logs, such as those from a Web server or Web application (for example, a record of someone logging in). The vendors of enterprise-class SEMs offer agents or wizards to help simplify this integration, but you must decide which data elements should be captured and written to logs. Key data to include are date and time, IP address, action performed and user name.

Information on an event must be analyzed before it can be categorized as an incident. Once an event becomes an incident, the ability to track, monitor and document it becomes critical. You can record all this information in a spreadsheet or an Access database, but these aren't scalable. Much better is a robust incident-tracking product from the likes of Remedy.
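The two sections above describe four things a SEM has to do: normalize events from different log formats into the key fields (date and time, IP address, action, user name), aggregate repeats to cut volume, correlate events with VA data keyed by host rather than by a possibly reassigned IP address, and retain each log type for a different period. The following Python block is an added example that is not part of the original article or of any SEM product; every log line, DHCP lease, VA finding and retention period in it is constructed for the example, and the syslog year is assumed to be 2006 because syslog timestamps carry no year.

```python
"""Added example (not from the original article): a minimal SEM-style pipeline.
It normalizes events from two log formats into the fields the text names
(date/time, IP address, action, user name), aggregates repeats, flags events
aimed at hosts a VA scan found vulnerable (keying hosts by name, not IP, so a
DHCP address change does not split a host's history), and applies a
per-log-type retention policy.  All log lines, leases and scan findings are
constructed for the example."""
import re
from datetime import datetime, timedelta

# Constructed inputs: simplified syslog-style IDS alerts and a Web-app login log.
IDS_LINES = [
    "Jan 25 06:01:02 ids1 sensor[11]: [1:2003:1] MS-SQL worm propagation attempt 10.1.1.9:1434 -> 10.2.0.5:1434",
    "Jan 25 06:01:03 ids1 sensor[11]: [1:2003:1] MS-SQL worm propagation attempt 10.1.1.9:1434 -> 10.2.0.5:1434",
    "Jan 25 06:01:05 ids1 sensor[11]: [1:2003:1] MS-SQL worm propagation attempt 10.1.1.9:1434 -> 10.2.0.7:1434",
]
APP_LINES = [
    "2006-01-25T06:02:10 login user=alice src=10.1.1.9 result=failure",
    "2006-01-25T06:02:14 login user=alice src=10.1.1.9 result=failure",
]
# Constructed DHCP lease snapshot and VA findings; findings are keyed by host name.
LEASES = {"10.2.0.5": "sqlsrv01", "10.2.0.7": "ws-0134", "10.1.1.9": "ws-0099"}
VA_FINDINGS = {"sqlsrv01": ["MS-SQL"]}   # scanner flagged an unpatched MS-SQL service
RETENTION = {"ids": timedelta(days=60), "vpn": timedelta(days=120),
             "app": timedelta(days=365 * 7)}

IDS_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ \S+: \[[\d:]+\] "
                    r"(?P<msg>.+?) (?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):\d+$")
APP_RE = re.compile(r"^(?P<ts>\S+) (?P<action>\w+) user=(?P<user>\S+) "
                    r"src=(?P<src>[\d.]+) result=(?P<result>\w+)$")


def normalize_ids(line, year=2006):
    """Syslog timestamps carry no year; the caller supplies it (assumed 2006 here)."""
    m = IDS_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "type": "ids", "src": m["src"], "dst": m["dst"],
            "action": m["msg"], "user": None}


def normalize_app(line):
    m = APP_RE.match(line)
    if not m:
        return None
    return {"ts": datetime.fromisoformat(m["ts"]), "type": "app", "src": m["src"],
            "dst": None, "action": f"{m['action']} {m['result']}", "user": m["user"]}


def aggregate(events):
    """Collapse identical (type, src, dst, action, user) events into one record
    with a count and first/last-seen, which is what cuts the volume an analyst sees."""
    buckets = {}
    for e in events:
        key = (e["type"], e["src"], e["dst"], e["action"], e["user"])
        b = buckets.get(key)
        if b is None:
            b = buckets[key] = dict(e, count=0, first=e["ts"], last=e["ts"])
        b["count"] += 1
        b["first"] = min(b["first"], e["ts"])
        b["last"] = max(b["last"], e["ts"])
    return list(buckets.values())


def host_for(ip):
    """Resolve an address to the host that held it, so VA data follows the host."""
    return LEASES.get(ip, ip)


def hits_vulnerable_host(event):
    """True when the event targets a host whose VA findings match the alert text."""
    findings = VA_FINDINGS.get(host_for(event["dst"]), [])
    return any(f.lower() in event["action"].lower() for f in findings)


def purge(events, now):
    """Drop events older than their log type's retention window."""
    return [e for e in events if now - e["ts"] <= RETENTION[e["type"]]]


def triage(now=datetime(2006, 1, 26)):
    """Run the pipeline over the constructed input and return what an analyst would see."""
    events = [normalize_ids(l) for l in IDS_LINES] + [normalize_app(l) for l in APP_LINES]
    events = [e for e in events if e is not None]
    rows = aggregate(purge(events, now))
    for r in rows:
        r["vulnerable_target"] = hits_vulnerable_host(r) if r["dst"] else False
    return rows


if __name__ == "__main__":
    for r in sorted(triage(), key=lambda r: (not r["vulnerable_target"], -r["count"])):
        print(f"{r['count']:3d}x {r['type']:3s} {r['src']:>10s} -> {str(r['dst']):>10s} "
              f"{r['action']} user={r['user']} vulnerable_target={r['vulnerable_target']}")
```

The three IDS alerts collapse to two rows, and only the row aimed at sqlsrv01 is marked as a vulnerable target; calling triage with a date 65 days later shows the IDS rows dropping out under the 60-day policy while the application rows survive. The lease lookup in host_for is the point the text makes about dynamic addressing: the VA finding is attached to the host name, so it still applies if the server's address changes.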
Policies and Processes

Because the SOC will be the first place security events are collected and managed, there must be a clear and consistent set of processes through which to execute your organization's policies and procedures. (This consistent methodology will also satisfy the documentation requirements specified by SOX and other regulations.) Incident-response guidelines dictate how incidents are prioritized, who performs what tasks and when to declare an enterprise-level incident. There are many models a company can use to build an incident-response process, including those from SANS, NIST, Carnegie Mellon University and the IETF's RFC 2350.

The basic components of an incident-response process are identification, containment, removal, recovery and post-incident analysis. Most companies do the first four steps very well, but truncate the last or never implement the fixes recommended by post-incident analysis. Thus they find themselves dealing with the same problems again and again.

Part of the process is identifying and training an incident-response team, which will usually consist of dedicated and nondedicated personnel. Having an incident-response team reduces chaos, provides consistency and ensures that all process elements, especially notification and documentation, are followed. In addition to the usual techies, such as firewall and server administrators and network operators, include a representative who can communicate with the business side. This will ensure that accurate and timely information is delivered to system users so backup and contingency plans can be implemented.
Jay Milne, CISSP, is a senior security consultant for a large healthcare provider in Northern California. He has 15 years of IT security experience and has consulted for companies such as Chevron and Genentech. Write to him at jmilne@nwc.com.
It's 6 p.m. All is quiet until you notice a growing number of hits in your IDS. Then you see a mess of trouble tickets from end users complaining about slow network performance. Resources dwindle and become unavailable. No one can get to the intranet or Internet. Servers crash. You've just been hit with an enterprise-scope worm. Management, of course, wants answers now.

Bringing together network staff, security folks, local IT support and management is a challenge, but you're prepared: You have a "war room" designed for such a crisis. The resources are available, and all your "generals" know where it is and how to get to it. Here are the bare essentials:

• Dedicated phone lines. The number of lines you need depends on the size of your SOC. Make sure you have at least two dedicated lines, one for conference calls and the other to make secondary calls.
• A fax line. When my company network went down because of the SQL Slammer worm, we used the fax machine to get remediation instructions out to the field offices.
• A dedicated printer with a local connection.
• Plenty of whiteboards and a large projector screen. Make sure everyone can see what needs to be done.
• A network connection to the Internet separate from your corporate network.
• A secure wireless network. Limit the range of connection, and only allow authorized access. When the war room isn't in use, disconnect the wireless network from the rest of the network.
• A small refrigerator stacked with Red Bull or Mountain Dew. No joke.
11/20/2005 What is "Deep Inspection"?

Introduction

Computer security technology is still in its infancy. Technologies such as firewalls, antivirus and IDS have migrated from research labs into production networks and have become required mainstays, both as essential defenses and as legally mandated compliance systems. Computer security systems are complex devices that need to meet a variety of conflicting goals: high performance, fault tolerance, easy administration and rigorous security processing. Some vendors have staked their claim on speed, others on cost, and still others on the defensive posture and security of their products. Unfortunately, it is extremely difficult for the customer to sort through marketing fluff and dubious benchmarks to determine which products actually work and which merely appear to work. Few customers are sufficiently sophisticated, or willing to take the time, to do their own testing, and most are forced to rely on published results from trade magazines, recommendations from consultants, or industry analysts. Sadly, few of the trade magazines or analysts have the sophistication or time to perform adequate testing, either. The author's experience indicates that large numbers of products on the market have excellent and attractive user interfaces, good performance, reasonable costs, rave reviews from loyal fans, and have taken shortcuts in their design that make them significantly less secure than other alternatives. This is not a recent development; it dates back to the early days of the firewall "market."

In this article, we examine the evolution of packet filtering firewalls and their current incarnation as "Deep Inspection" firewalls. We compare the fundamental design philosophies of packet filtering firewalls with proxy gateways, and conclude with a few historical observations regarding the relative effectiveness of conservative design philosophies when compared to their less rigorous counterparts.
Early Firewalls, Packet Filtering Firewalls and "Stateful Firewalls"

The first firewalls were based on either a proxy design or a simple packet filtering ruleset. The proxy firewall operates by interposing itself in the middle of the application protocol and interpreting it, applying security controls to the application commands and data where appropriate. The original value proposition of a proxy firewall is that the proxy is essentially a security-oriented reference implementation of the application protocol, in some cases omitting dangerous operations entirely, or providing additional controls on certain security-critical commands. Proxies have always been considered a conservative security design because the proxy reduces the likelihood of protocol backdoors or side effects: the proxy's designer is effectively performing a security assessment of the application protocol's features prior to implementing them.

Early packet filter firewalls implemented a simple policy-table lookup keyed on { source-ip, destination-ip, source-port, destination-port, SYN-seen yes/no } and yielding permit or deny. Consequently, packet filters were extremely fast, since they did very little computation. They were also extremely easy to implement, since they required virtually no security expertise. The simple compute requirements of packet filters, and the fact that they required no security knowledge base, made them easy to implement in silicon, so they quickly became a feature of most routers.

From the beginning, proxy firewalls were recognized as being more secure, because they effectively implement a correctness check on the application protocols they gateway. This is still an important property of proxy firewalls. For example, when the author first implemented the FTP proxy in the DEC SEAL firewall, he simply left out unused FTP protocol commands that allowed users to issue remote commands to the FTP server.
Years later, when hackers discovered those commands and attempted to exploit them, the attacks simply did not work against proxy-protected networks, because the proxy refused to gateway the command through to the target. Sites behind packet filtering firewalls were vulnerable if the reachable systems behind the firewall were themselves vulnerable.

In 1993, "stateful" firewalls appeared on the market. The first popular stateful firewall, Check Point's FireWall-1, implemented a simple connection-origin table that tracked whether a connection had originated behind the firewall and permitted response packets for that connection. A layer-7 hook to parse FTP PORT commands and update the state table allowed FTP to work transparently through the firewall. Subsequent versions of the stateful firewall added TCP sequence number interpretation, and DNS query/response matching to ensure that return packets were only allowed in response to queries that had originated from the inside. It is important to note that stateful firewalls added these features to overcome vulnerabilities in their design, against attacks such as TCP RST floods and DNS cache poisoning. Proxy firewalls never had these kinds of vulnerabilities. Stateful firewalls have continued to evolve, often in response to new types of hacking techniques as they have been discovered. Proxy firewalls have evolved as well, but mostly in response to ever-higher requirements for performance and transparency.

Near-Term History of Intrusion Detection, Intrusion Prevention, and Firewalls

Intrusion detection systems (IDS) have enjoyed a spectacular rise and fall. Since Dorothy Denning first proposed the concept in 1986, there were relatively few products until 1997, when a number of vendors began offering commercial network monitoring IDS.
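Before the IDS history continues, here is an added example (not code from the original article, nor from any firewall product) of the two packet-filter designs contrasted in the preceding section: a static filter deciding on the { source-ip, destination-ip, source-port, destination-port, SYN-seen } tuple alone, and a stateful filter with the connection-origin table and the layer-7 FTP PORT hook. The addresses, rules, packets and the "established" shortcut of the static filter are constructed for the example; the hook deliberately opens a pinhole only back toward the client that issued the PORT command, which is a design choice made here, not a description of any particular vendor's implementation.

```python
"""Added example (not from the original article): toy versions of the two
packet-filter designs contrasted above.  StaticFilter decides on the
{ src, dst, sport, dport, SYN-seen } tuple alone, with the usual shortcut
that a non-SYN packet is assumed to be a reply.  StatefulFilter adds the
connection-origin table and a layer-7 hook that parses an FTP PORT command
and opens a one-shot pinhole for the server's data connection.  Addresses,
rules and packets are constructed for the example."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    syn: bool
    ack: bool = False
    payload: bytes = b""


# Rule: (src prefix or "*", dst address or "*", dport or None).  A rule only
# admits connection attempts (SYN seen); reply handling is each filter's problem.
RULES = [
    ("10.0.0.", "*", None),        # inside hosts may open anything outbound
    ("*", "10.0.0.25", 25),        # anyone may open SMTP to the mail relay
]
PORT_RE = re.compile(rb"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\r?\n")


def rule_permits(p):
    return any((s == "*" or p.src.startswith(s)) and (d == "*" or p.dst == d)
               and (port is None or p.dport == port) for s, d, port in RULES)


class StaticFilter:
    """Plain packet filter: no memory between packets."""
    def permit(self, p):
        if not p.syn:
            return True             # "established" shortcut: any ACK/data packet passes
        return rule_permits(p)


class StatefulFilter:
    """Connection-origin table plus an FTP PORT hook."""
    def __init__(self):
        self.conns = set()          # (src, dst, sport, dport) of permitted connections
        self.pinholes = set()       # (server, client, client_port) opened by PORT

    def permit(self, p):
        fwd = (p.src, p.dst, p.sport, p.dport)
        rev = (p.dst, p.src, p.dport, p.sport)
        if p.syn and not p.ack:     # connection attempt
            hole = (p.src, p.dst, p.dport)
            if rule_permits(p) or hole in self.pinholes:
                self.pinholes.discard(hole)   # one data connection per PORT command
                self.conns.add(fwd)
                return True
            return False
        if fwd in self.conns or rev in self.conns:
            if fwd in self.conns and p.dport == 21:
                self._ftp_hook(p)
            return True
        return False                # no origin entry: an ACK probe from outside is dropped

    def _ftp_hook(self, p):
        m = PORT_RE.match(p.payload)
        if not m:
            return
        h = [int(x) for x in m.groups()]
        ip, port = ".".join(map(str, h[:4])), h[4] * 256 + h[5]
        # Only open the hole back toward the client that issued the command; a
        # hook that trusted the address in PORT would let the server reach any host.
        if ip == p.src and port >= 1024:
            self.pinholes.add((p.dst, ip, port))


def active_ftp_scenario():
    """Drive both filters through an active-FTP session and an outside ACK probe."""
    client, server, scanner = "10.0.0.7", "203.0.113.5", "198.51.100.9"
    ctrl_syn = Packet(client, server, 4000, 21, syn=True)
    port_cmd = Packet(client, server, 4000, 21, syn=False, ack=True,
                      payload=b"PORT 10,0,0,7,16,0\r\n")          # data port 16*256+0 = 4096
    data_syn = Packet(server, client, 20, 4096, syn=True)           # server opens the data channel
    ack_probe = Packet(scanner, client, 1234, 80, syn=False, ack=True)
    results = {}
    for name, fw in (("static", StaticFilter()), ("stateful", StatefulFilter())):
        results[name] = {
            "control": fw.permit(ctrl_syn),
            "port_cmd": fw.permit(port_cmd),
            "data": fw.permit(data_syn),
            "ack_probe": fw.permit(ack_probe),
        }
    return results


if __name__ == "__main__":
    for name, r in active_ftp_scenario().items():
        print(name, r)
```

The scenario shows the trade the text describes: the static filter cannot admit the server's data connection for active FTP without a rule that opens high ports to everyone, yet it waves through an outside ACK probe because it has no memory of which connections began inside; the stateful filter admits the data connection through the pinhole its PORT hook created and drops the probe because no origin entry exists for it.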
The IDS market grew rapidly through 2002. In mid-2003, Gartner researchers announced that "IDS is the 'pet rock' of computer security" and recommended their customers focus instead on the up-and-coming technology termed "Intrusion Prevention" (IPS). According to Gartner analyst Richard Stiennon, IDS was a failure for two reasons. First, IDS generated too many "false positives," alerts in which the IDS mistook legitimate traffic for an attack. Second, IDS didn't actually do anything but generate an alert when the attack was seen. Stiennon rightly pointed out that if you can correctly detect an attack, it would be nice to prevent it. By the end of 2003, virtually every IDS vendor was re-branding its product as an IPS by adding in-line blocking modes to its sensors. Initially, virtually no customers used the in-line blocking modes of their IPS, because they were afraid of traffic interruptions. Some of the first IPS on the market were not effective security devices: they used simple signature-matching techniques and "knew" how to recognize and block only a few dozen worms and popular attacks. They did not sell particularly well until the massive worm outbreaks of 2004: corporations were desperate to contain worms in their networks, and worms are sufficiently easy to recognize that the IPS did a decent job blocking worm traffic. IPS began to sell.

The feature similarity between IPS, IDS and firewalls, as well as single-purpose spam and anti-virus gateways, has triggered a move to consolidate these technologies into a single platform. A number of vendors have embarked on a course of technology acquisition, with the intent of embedding IPS/IDS/firewall/AV/VPN termination capabilities into switching platforms. These combined systems offer an attractive feature set, high performance and a good price point when compared to integrating a series of separate products.
The strengths and weaknesses of such systems will depend on the quality of the underlying detection and firewall engines and their IDS knowledge base.

Enter "Deep Inspection"

According to David Flynn, NetScreen's Vice President of Marketing, a survey of 1,000 network managers indicated their biggest security concern was "depth of protection" against worms, trojans, email viruses and exploits against software vulnerabilities. Flynn is quoted as noting that these types of attacks "can traverse a traditional stateful firewall even if the firewall is deployed and working as it should be." Both NetScreen and Check Point have bolstered their stateful firewalls by adding application-oriented checking logic to their processing modules, essentially merging IDS signatures into the firewall traffic-processing engines of their products.

What is "Deep Inspection" (DI) anyhow? According to NetScreen, DI firewalls "use an Attack Object Database to store protocol anomalies and attack patterns (sometimes referred to as signatures), grouping them by protocol and security level (severity)." Packet processing is typically described as "performing application level checks as well as stateful inspection." In other words, "Deep Inspection" is just a catchy marketing term for a stateful packet inspection firewall with some IDS signatures and some application protocol anomaly detection rules. It is important to understand that a "Deep Inspection" firewall is going to provide all of the protections of a stateful firewall, plus whatever signatures are loaded into it. In the case of a NetScreen (circa 2003), the firewall "is designed to provide application layer protection for the most prevalent internet-facing protocols, such as HTTP, SMTP, IMAP, POP, FTP, and DNS."
It is ironic to remember that one of the early complaints about proxy firewalls was that they only supported a small set of application protocols. What good is a DI firewall that only does DI on six of the "most prevalent" internet-facing protocols? That may be "deep" inspection, but it's certainly not very broad. When the NetScreen product was initially released, it included signatures to detect "over 250 application attacks." As an IDS signature set, this does not compare favorably to an IDS such as the open-source Snort, which at that time had signatures to detect over 3,000 attacks.

Much like the early versions of the Snort IDS, NetScreen's DI engine uses regular expression pattern matching to specify its signatures, a technique that most serious IDS product designers stopped using years ago because it is too simplistic to represent complex network/application states effectively. Regular expressions, however, are easily processed in silicon, using off-the-shelf regex engines that provide hardware speedups for matching, so it makes sense for a switch-based DI firewall to rely on them. Designers of DI firewalls will probably not be able to provide sophisticated IDS engines in their products because of the performance overhead necessary to execute complex signature analysis and state tracking. The history of the IDS market shows that IDS has always been a performance-sensitive proposition, which is why most line-speed IDS appliances use multiprocessor main boards to keep up with the load. The author suspects that, unlike IDS, the DI firewalls will only be looking for a small subset of the attacks known at any given time, due to performance concerns. Even the "only look for a few attacks" strategy will eventually fail: Gartner reported last year that 70 new vulnerabilities were identified per week, or over 3,500 per year.
If even 10% of those are vulnerabilities that replicate across network data, the firewalls are very quickly going to have to handle very large signature sets. Hardware acceleration will help somewhat, but typical hardware implementations in the fast path of a switch have built-in limitations on how many signatures they can effectively load at one time. DI firewalls will eventually have to deal with all of the complexity issues that caused Gartner to declare commercial IDS a "dead end."

Protocol Anomaly Detection Meets The Proxy

Protocol anomaly detection is an IDS technique in which rules are written that track the states of an application protocol and look for deviations from a proper state. A simple example of a protocol anomaly detection rule for FTP might be "if the user name given during the login process is longer than 45 characters, alert that as suspicious." It is possible to track the progress of a protocol very tightly, at a cost of increased computing and memory use. For example, the NFR IDS protocol anomaly detector for SMTP tracked the entire SMTP command series from start to finish and would generate alerts if the client issued a "RCPT TO:" command before a "MAIL FROM:" command, or issued a "HELP" command, etc. Such tight protocol tracking is extremely powerful, because normal applications always send a message using the exact same sequence of steps, but human hackers sometimes get the order wrong or attempt to trigger errors by issuing commands deliberately out of sequence. Protocol anomaly detection is a very powerful technique that is used to great effect in all commercial IDS and most DI firewalls.

For detection accuracy, however, protocol anomaly detection pales in comparison to the processing that is performed during the normal functioning of a proxy firewall. This is because the proxy, as part of its normal operation, executes the protocol.
Instead of having to follow along and try to figure out what the application protocol is doing, the proxy is the application protocol: protocol anomalies are simply error conditions that the proxy detects. When the author implemented the first proxy firewall, the FTP proxy logged an error and shut down if, at any time, it received commands that were out of sequence or incorrectly formatted.

Another topic of debate in the IDS and DI firewall community is the question of "detecting the exploit" versus "detecting the vulnerability." When "detecting the exploit," the signature writer develops a signature that will identify the particular attack tool. For example, the TESO mass-rooter for FTP daemons uses a specific set of buffer overruns against a variety of FTP servers. Coding to detect TESO, the signature writer would write a minimal signature to identify the first steps of a TESO probe and generate an alert. To "detect the vulnerability," the signature writer would research the entire set of vulnerabilities that particular FTP servers might have, and then develop a signature set that detected any one of them being exploited. Detecting the vulnerability takes considerably more research, since it involves a larger number of signatures to develop.

For the proxy firewall developer, this is a complete non-issue. If a new vulnerability is identified in an application, the proxy writer assesses whether the attack vector is "legal" in the protocol, and, if it is not, the proxy wouldn't have let it through in the first place. In the case where the attack vector is encompassed in the protocol, the proxy can be updated with a protocol-specific check at the exact point of the protocol processing where it's appropriate. In the long run, this approach is much more efficient and takes less work, both in terms of effort to keep the security knowledge base up to date and in terms of processing speed.
The proxy only needs to execute protocol-specific checks at the exact part of the protocol where they are needed, whereas a regular-expression based signature engine must compare each expression against each input as it arrives.

Some Philosophy About Security Design

Fundamentally, the tension between proxy firewalls and stateful filter plus signature firewalls reflects the deepest philosophical division in security. It is a division that goes back to what we used to call "stance" in the early days of firewalls: default deny (that which is not expressly permitted is prohibited) versus default permit (that which is not expressly prohibited is permitted).
The default deny stance is the policy that virtually every credible firewall product executes unless told otherwise. In security, however, there are many places where we do not follow the rule of default deny. For example, antivirus products implement default permit: "if you don't know it's a virus, then it's OK to run it." IPS implement default permit: "if it doesn't look like an attack, permit it." Fundamentally, default permit is not good security.

A proxy firewall implements default deny. Unless the application talking to the proxy complies exactly with the protocol as executed by the proxy, the traffic is not going to go through. It's not perfect, of course, since there might be an attack that is valid within the protocol but still damaging. That is why most proxies also add application-specific signatures. For example, the TIS Firewall Toolkit's HTTP proxy not only mediated the entire HTTP transaction, it performed URL sanitization and did not permit unusual characters in URLs. Several of the author's friends who still use components of the firewall toolkit were highly amused when a piece of software coded in 1992 successfully defeated worms in 2002, 10 years before the worms had been written. Similarly, the DEC SEAL's FTP proxy from 1990 defeated FTP bounce scans when the hacker community discovered them in 1995.

Peter Tippett, the author of Norton Antivirus and founder of ICSA/TruSecure, once famously commented: "The current philosophy of antivirus is to know the 50,000 bad things that can happen to you. It's much more sensible to enumerate the 50 things that you want to allow to happen, but the industry just isn't ready to think that way, yet." Perhaps that is true in the antivirus arena, but the proxy firewall's approach has always been to enumerate what is allowed, rather than to enumerate what is bad.
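The protocol-anomaly and "detect the exploit" discussion above, and the default deny stance described here, can be seen side by side in a small skeleton of the proxy approach. The following Python block is an added example, not code from the original article, from the DEC SEAL or from the TIS Firewall Toolkit: the command allowlist, the 45-character user-name limit (taken from the text's own anomaly-rule example), the 512-byte line limit and the sample sessions are all constructed, and the exploit signature beside it is a made-up pattern for a hypothetical attack tool, not any product's real signature.

```python
"""Added example (not from the original article): a skeleton of the proxy
approach described above, beside a single exploit-matching signature of the
kind a signature engine carries.  The proxy parses every FTP command itself:
unknown commands never reach the server (default deny), command order is
enforced, a protocol-anomaly rule rejects an oversized user name, and a PORT
command must point back at the client (the FTP bounce case).  The command
allowlist, the 45-character limit and the sample sessions are constructed;
the signature is a made-up pattern for one hypothetical exploit tool, not a
real product signature."""
import re

ALLOWED = {"USER", "PASS", "CWD", "PWD", "TYPE", "PORT", "PASV", "LIST", "RETR", "STOR", "QUIT"}
MAX_USER_LEN = 45
MAX_LINE_LEN = 512
PORT_RE = re.compile(r"^(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})$")

# "Detect the exploit": matches the one payload a particular (hypothetical) tool
# sends, constructed here as USER followed by a long run of 'A'.  A trivially
# re-padded attack does not match.
EXPLOIT_SIG = re.compile(r"^USER A{64,}")


def signature_hits(line):
    return EXPLOIT_SIG.match(line) is not None


class FtpProxy:
    """Mediates one control session; the first rejected command tears it down."""
    def __init__(self, client_ip):
        self.client_ip = client_ip
        self.state = "NEED_USER"

    def check(self, line):
        """Return (forward, reason) for one client command line."""
        if not line.endswith("\r\n") or len(line) > MAX_LINE_LEN:
            return False, "malformed or oversized line"
        verb, _, arg = line[:-2].partition(" ")
        verb = verb.upper()
        if verb not in ALLOWED:
            return False, f"{verb} is not implemented by the proxy"   # e.g. SITE: never gatewayed
        if self.state == "NEED_USER":
            if verb != "USER":
                return False, "USER expected"
            if len(arg) > MAX_USER_LEN:
                return False, "user name longer than %d characters" % MAX_USER_LEN
            self.state = "NEED_PASS"
            return True, "ok"
        if self.state == "NEED_PASS":
            if verb != "PASS":
                return False, "PASS expected"
            self.state = "LOGGED_IN"
            return True, "ok"
        if verb == "PORT":
            return self._check_port(arg)
        return True, "ok"

    def _check_port(self, arg):
        m = PORT_RE.match(arg)
        if not m or any(int(x) > 255 for x in m.groups()):
            return False, "malformed PORT argument"
        h = [int(x) for x in m.groups()]
        ip, port = ".".join(map(str, h[:4])), h[4] * 256 + h[5]
        if ip != self.client_ip:
            return False, "PORT points at a third party (FTP bounce)"
        if port < 1024:
            return False, "PORT to a privileged port"
        return True, "ok"


def run_session(client_ip, lines):
    """Feed a session through the proxy; stop at the first rejected command."""
    proxy = FtpProxy(client_ip)
    verdicts = []
    for line in lines:
        ok, reason = proxy.check(line)
        verdicts.append((ok, reason))
        if not ok:
            break
    return verdicts


def compare(line):
    """(signature matched, proxy forwarded) for one login-stage command."""
    return signature_hits(line), FtpProxy("10.0.0.7").check(line)[0]


if __name__ == "__main__":
    good = ["USER alice\r\n", "PASS s3cret\r\n", "PORT 10,0,0,7,16,0\r\n", "LIST\r\n", "QUIT\r\n"]
    print(run_session("10.0.0.7", good))
    print(run_session("10.0.0.7", ["USER alice\r\n", "PASS x\r\n", "SITE EXEC ls\r\n"]))
    print(compare("USER " + "A" * 200 + "\r\n"))   # known tool: both catch it
    print(compare("USER " + "B" * 200 + "\r\n"))   # re-padded: only the proxy catches it
```

The last two calls are the "detect the exploit" point in miniature: the signature fires on the exact payload it was written for and is silent on the same overflow padded with a different byte, while the proxy rejects both, not because it recognizes an attack but because a 200-character user name is outside what its implementation of the protocol accepts. The SITE command is refused for the same reason the DEC SEAL proxy refused unused commands: it is not in the set the proxy implements, so there is nothing to gateway.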
Security products that adopt the default permit philosophy will always be fundamentally at risk from new attacks. A signature-based DI firewall can only block attacks that are known to its signature set. When a new worm breaks out that takes advantage of a never-before-seen attack, the signature-based DI firewall will let it through. Once the signature set is updated, the firewall will be able to block the attack; however, the time between the release of the attack and the development of the signature might be a matter of hours or even days. While that window of vulnerability is open, the customer has no alternative but to patch host software or disable that service.

Historical Performance of Security Solutions

The history of computer security shows that many customers do not want to take the time to fully understand what they are buying. In the mid-1990s the author was selling proxy firewall products that had a superlative history of resisting attack; yet the market-leading products were simplistic "stateful" packet filters that were sold on the basis that they were faster, cheaper and more forgiving. Put differently: they didn't perform such rigorous checks, so they could be fast. They were easier to code, so they were cheaper. They were more forgiving, because they were more permissive. There is ample anecdotal evidence that default deny security survives better in the long term than default permit, that it is less susceptible to nasty surprises, and that it requires less patching. Systems based on the model "recognize a vulnerability and block it" inherently require "upgrade to fix the vulnerability of the week." Customers need to understand their objectives and requirements, so they can select the technology that best facilitates their mission. There are situations and circumstances where less rigorous security systems can get the job done safely.
The author believes, however, that few vendors take the time to explain the design tradeoffs inherent in their products to their prospective customers. With security being such a hot topic, it's hard for a customer to make sense of a plethora of products, all of which are asserted to be "secure." Analogies are dangerous, but choosing a security product is similar in many ways to buying a car: the customer needs to have a good idea of what kind of on-road properties are needed. Does it need to be economical and corner well, or does it need to be able to tow a six-horse trailer safely? Or perhaps it needs treads and 3-inch-thick armor. What is frustrating to the author is that in the computer security space there are some vendors asserting that what they offer is a general-purpose, high-fuel-efficiency sports-car main battle tank. Can you believe that? mjr.

Appendix 1: Summary Matrices
Summary observations: ASIC-based solutions are appealing to the customer for whom raw speed is a paramount consideration. Generally, where there is a choice between "doing things fast" and "doing things securely" the design decision of ASIC-based products is to "do things fast." This, necessarily, affects the system’s quality from a security standpoint. The author’s experience is that custom hardware-based security products tend to look more like "a switch with a bit of security bolted on" rather than "a security product that is really fast."
Summary observations: Proxy firewall technologies have proven time and again to be more secure than "stateful" firewalls and will prove to be more secure than "deep inspection" firewalls. The main comparison point between stateful firewalls and proxy firewalls has typically been performance, which is an orthogonal property to security. High-performance proxy firewalls are available, and some are capable of easily handling gigabit-level traffic. Customers need to be realistic about whether performance is really an issue in the expected deployment, and should be prepared to do operational testing. The author has seen many customers cheerfully settle for inferior security because of "performance concerns" that did not actually apply.

5/24/2005 Intoto to Demonstrate Enterprise-Class Security Solutions at the Network Systems Design Conference Fall 2004
Intoto, a provider of integrated security, wireless and voice software platforms to networking equipment manufacturers, announced that it will demonstrate its advanced enterprise-class security solutions at the Fall 2004 Network Systems Design Conference. The high-performance security solutions feature Intoto's iGateway EX software platforms running on security processors from Cavium Networks and Hifn, and a communications processor from Broadcom. Additionally, Intoto will showcase its IntruPro(TM) product line, a complete intrusion prevention system for enterprise environments. The demonstrations will be held in Intoto's booth #616.
Extending Secure Access Remotely: An SSL VPN Buyer's Guide

SSL VPN is a new type of VPN (virtual private network) with distinctive characteristics in the application types it supports, its authentication integration and other security functions.

5/10/2005 How to Use a SOC to Counter Malicious Attacks
Security operations centers are becoming an indispensable part of the enterprise

Late one night, an emergency phone call about the Slammer worm dragged Eamus Halpin out of sleep. Before that attack, he had relied solely on port blocking to protect his company from hackers and intrusions. After seeing the havoc Slammer wreaked around the globe, Halpin realized he had to overhaul the company's network security measures completely.

iRevolution is a London-based managed services provider, and Halpin is its chief technical architect. He recalls: "I happened to be in Seattle attending a Microsoft NDA meeting when someone warned me about the damage Slammer could do to a network that relied on port blocking." Although iRevolution's network escaped a direct hit from the worm, Halpin knew that was pure luck. "I spent three hours studying what the worm could do, and when I understood the danger my hair stood on end. Our network had more holes than Swiss cheese."

Although iRevolution had basic defenses in place (a firewall, antivirus software and an intrusion detection system), nothing combined the alerts from these security tools into a logical, overall picture of the network's health. Halpin says: "All of these tools were maintained and managed independently. They never exchanged information with each other, and none of them treated the business as a whole. So we might occasionally notice that some type of virus had attacked the company through e-mail, but we could never really determine how serious the problem was."

Halpin therefore decided to conduct a thorough review of the company's security measures. His goal was to build and maintain a world-class security operations center (SOC) for iRevolution's internal network, while also helping the company provide similar support to its customers.

A network operations center (NOC) monitors the network continuously, troubleshooting faults and ensuring optimal performance. A SOC is very similar: it continuously monitors and manages a range of security devices and events to maintain and ensure the overall security of the network. Experts say SOCs are becoming increasingly common in enterprises for many reasons, the most obvious being that security has evolved from rule-based point solutions into a more pervasive, more critical system that is essential to the overall health of the network.

Andreas Antonopoulos, senior vice president and co-founder of Nemertes Research, explains: "We used to have security specialists manage all kinds of firewalls, IDSs and the like, mainly because security problems generally occurred at very specific points in the network. But that has changed; security is no longer as simple as it once was. With vulnerabilities everywhere around the perimeter, security measures have to be implemented at the application layer, the network layer and the storage layer. It has become part of your end-to-end application service, on a par with network performance."

Regulatory pressure from the Sarbanes-Oxley Act (SOX), the Health Insurance Portability and Accountability Act and the Gramm-Leach-Bliley Act has also driven the growth of enterprise SOCs. Diana Kelley, executive security advisor for Computer Associates' eTrust unit, says: "Sarbanes-Oxley is the best example of a forward-looking driver for SOCs. If a company's Web site throws a 404 error, the company should be prepared to be held responsible for an inadequate internal control structure. In other words, companies have to implement correct and effective controls over their business reporting. Once those controls are in place, the company must also monitor and maintain them, and a SOC is a very effective way to do that."

There is also a trend, particularly noticeable in the financial industry, to bring security monitoring that was previously outsourced to managed security service providers (MSSPs) back in house. Jim Tiller, vice president of security services and chief security officer at network consultancy International Network Services, believes an internal SOC gives the enterprise better control over and visibility into its network and helps lower overall cost.

Tiller says: "In some cases MSSPs have difficulty with responsiveness. But with worms and denial-of-service attacks occurring more and more often, especially in the financial industry, and with these threats becoming more and more sophisticated, our ability to respond is tied closely to network visibility; that is, if we can clearly see everything that is happening on the network, we can respond appropriately and in time. By bringing the management capability in house, we increase network visibility and improve the enterprise's responsiveness." He also points out: "For a large enterprise, the investment in managed security services is substantial; bringing those services in house and managing them yourself will certainly bring significant benefits in the long run."

Obstacles

Although the rationale and need for a security operations center are easy to understand, building one is far from simple. Because the security and network groups in many enterprises have grown up independently, getting them to work hand in hand is no easy task. Experts say that even if an enterprise has strong security monitoring capability, if that capability is completely disconnected from network operations monitoring, the network can easily suffer a major disaster.
Antonopoulos says: "In many cases it is very hard to tell from the outside that something is a security event. If a router stops responding, for example, that symptom alone won't tell you what went wrong. If your network operations group and your security operations group are separated, the result is that either both groups go looking for the root cause separately, or neither does and each claims the problem lies with the other."

The conflicts hidden in this situation become even more pronounced when trying to fix a problem on the network. He says: "If both groups are implementing and monitoring things on the network, you can end up with the network people making a change, such as to an access control list, that reduces the system's security, while an ACL implemented by the security group impacts network performance. Because the two functions aren't integrated and problems aren't handled end to end, all you get is a pile of thorny problems."

A true SOC should integrate security and network event information so that security and operations staff have a full view of events and of their impact on the network. They can then make informed response decisions based on predefined security policy. That is easier said than done, however.

Starting point

Many enterprises think first of buying a security event management system or an alert correlation engine. Experts consider that a tactical error. Before implementing a SOC, an enterprise should first conduct an overall risk assessment to determine how important each network asset is to the actual business.

Understanding business importance is critical, because the purpose of a SOC is not only to monitor security events but to respond to them with confidence. Summers, who manages three SOCs for Unisys, says: "We need to know what the impact on the business is if a particular server goes down, and whether some servers are more important than others. Once you know the answers, the technical problems are quite easy to solve."

Technology advice

The next step is choosing a technology platform. The goal is to find a security event management platform that can work with the existing security devices, correlate the various alerts, and integrate to some degree with existing systems for troubleshooting and network operations management. Experts point out that only with that level of insight into the network can an enterprise dig out its security weaknesses one by one.

CA's Kelley says: "A large financial services company we work with discovered that someone was breaking into its worldwide network. Each intrusion was different, and they didn't seem to be the work of a specific individual, but they all came from the same IP address and recurred every few days. None of the intrusions was serious enough to trigger an alarm, but when the company brought the information together on a central console (in its SOC), it saw what that IP address was doing to its global network. From then on the company took the matter seriously."

Giving your SOC that kind of global monitoring capability, however, is very time-consuming and extremely expensive. Apart from the integrated security event managers from emerging vendors such as ArcSight, Intellitactics and netForensics, most of the large network management companies, such as CA, HP and IBM, also offer security event monitoring integrated into their platforms. But all of them cost a considerable amount, beyond the reach of the average enterprise.

Nemertes' Antonopoulos says: "In the security field, an IDS usually speaks a different language to your management system than a firewall does. You can add a rule to a firewall to block a type of traffic, but that rule will never apply to a router. So a security event monitor is a huge integration project: converting all the information into a common format and correlating it across all those domains." He adds: "Vendors pass the cost of a big integration project on to the customer. The hardware and software alone typically run $1.5 million to $3 million. Add the cost of three-shift staffing and of certifying the system integration, and the total is staggering."

iRevolution's Halpin says his SOC project was based on the network management functions of CA's Unicenter, integrated with CA's eTrust security monitoring and event correlation, for a total cost of about $1 million and an implementation that took 18 months. The SOC has been running for six months since launch, and Halpin says he now feels he is getting valuable information from it and that it provides a great deal of help for practical action. "Overall it was a fair deal, but my costs came mainly from staff time. Choosing the tools is one thing; getting them running in a company's particular environment is another, and it takes a lot of time and a lot of troubleshooting."

The key to making the process easier, he says, is to choose flexible tools: tools that not only support the firewalls, IDSs and network management platforms you already use but are also easy to customize and tune. "Writing rules has to be very simple. If you can write rules quickly and have good templates and wizards, the whole process gets much easier."
But perhaps the biggest piece of advice about building a SOC is that your initial $1 million investment is only the first step. Technology keeps evolving, and your enterprise's security needs and strategy should be adjusted accordingly.

Halpin says: "Although I currently think the company's security capability and SOC are highly scalable, I expect that in three or four years we will have to throw it all away and start over, because security technology has to keep pace with the times. With dual-core processors and other technologies on the way, enterprise processing power is about to take a huge leap, and we absolutely cannot stand still. These developments will have a major impact on the technology and security markets, and as we all now know, enterprise spending on security has no end."

Five SOC pitfalls to avoid

1. Technological tunnel vision. If you are completely captivated by the latest technology and the best tools, you may lose sight of the core of the SOC, which should be based on a sound risk assessment and security policy. So define the core of the SOC first, and only then focus on products and technology; however magical they are, their role is to support that core.
2. Silo thinking. Never think of the SOC as an isolated silo separate from network operations. An effective SOC needs fully integrated security capabilities and network monitoring tools, and the people associated with them are equally indispensable.
3. Staffing mistakes. Don't have senior security staff do low-level monitoring work. In the networked world it is best to set up appropriate checks and balances so that power over the network is distributed; never let a single person hold all of it.
4. An inflexible toolset. The tools you choose should not only work with your current security devices, authentication systems and network monitoring solutions but should also be easy to customize and provide templates and wizards. Note that even the best toolset will require a great deal of customization and integration work on your part.
5. Taking the cheap route. A SOC does not exist to save money. Broadly speaking, a large enterprise should invest at least $1 million to implement and maintain a true enterprise-class SOC, and that investment is likely to grow over time.

How to staff a SOC

Some experts consider staffing a SOC to be just as challenging as, and no less important than, building or buying one.

The SOC's need for 24x7 monitoring is one of the biggest obstacles. John Summers, global director of managed security services at Unisys, says: "Some companies' security staff are used to working eight hours a day, five days a week, but a 24x7 position usually equals the workload of five full-time employees, and naturally pays a lot more." Many enterprises see this but want to cut payroll, with predictable results.

For example, some enterprises make the mistake of staffing the SOC only with their best security people. Andreas Antonopoulos, senior vice president and co-founder of Nemertes Research, says: "Some companies put experienced security experts in front of the screens doing monitoring, rotating every six hours. I reckon you won't be able to keep those people, because they'll quickly get bored." Besides the boredom and the overuse of valuable staff, this tactic can also open a huge security hole. Antonopoulos says: "If your security policy is written, implemented, monitored and checked for compliance by the same person, that person may be your biggest security risk. Without separation of duties there are no checks and balances."

Like a traditional NOC, a good SOC should have multiple tiers of staff: a first tier that receives alerts and performs low-level troubleshooting, and second and third tiers that handle more complex alerts and problems. Ideally, the first tier should provide front-line response for both the network and the security departments of the enterprise. That way your senior security experts can handle more complex risk management and policy-writing work, while the lower tiers' job in the SOC is mainly monitoring. When an alert comes in that a first-tier analyst cannot resolve, it is escalated to the second and third tiers; only then are those expensive experts called in.

5/8/2005 Unified Threat Management: The New Firewall
UTM perimeter-security devices combine firewalling, antivirus, and intrusion detection and prevention on a single appliance. Many throw in content filtering and antispam, making a compelling argument for one-stop security shopping. Unified threat management, a term coined by IDC, is not a new concept, however: Vendors have tried to bring these processes together for years but were stymied by performance problems. Fortunately, advances in processing, both on the main CPU and in specialized silicon, mean that performance problems can be overcome. To see how well vendors are taking advantage of new technologies, we tested UTM products in our Syracuse University Real-World Labs, rating each on how well it increases protection without hurting performance. Unfortunately, we found most products wanting.

Our scenario was typical: An organization with 5,000 users seeks an edge device that provides firewall, IDS/IPS, antivirus and content filtering. The organization's DMZ network hosts DNS and Web servers that communicate with a back-end Microsoft SQL Server and an SMTP server, which relays mail to an internal Exchange 2000 server (for more details, see "Test Methodology"). Most traffic is from internal users to the Internet.

We invited 11 vendors to participate. Fortinet, Internet Security Systems, Secure Computing, SonicWall and Symantec accepted our invitation. Check Point Software Technologies, Cisco Systems and Finjan Software said they couldn't ship products in time. Juniper Networks doesn't have an offering that fits, and Astaro and iPolicy Networks did not respond to our invitation.
Advanced Protection?

It's time to puncture the IPS myth: All the problems inherent in intrusion detection are exacerbated by automated prevention. Certainly, there are signatures that flag malicious traffic with a high degree of probability, and you can safely block these packets. Any protocol violation--for example, characters not defined within the HTTP protocol specification, similar to RFC 822--can be intercepted with little risk of a false positive. Figuring out which other signatures can be safely blocked takes a bit more digging to determine if normal traffic will trigger an alarm.

The vendors in this review take a conservative approach to setting default block policies, and that's appropriate. Each network is different, and an aggressive cookie-cutter stance will likely turn away legitimate traffic. With the exception of ISS's Proventia, changing the default action in the IPS functions of the devices tested was a simple matter of selecting the signature, or in some cases a family of signatures, and setting the action to block. Changing the default IPS setting in Proventia is a multistep process, but it can be done.
However, in our tests only Proventia properly detected our malicious traffic. The other products failed to detect at least one attack--Fortinet's FortiGate-800 came in last, detecting just two out of five. This outcome is inexcusable: All the vulnerabilities we selected are at least a year old, with publicly available exploit code waltzing through most of these devices and returning a reverse shell on our "attacker's" computer. Moreover, we told all the vendors we'd be using publicly available exploits against servers with known vulnerabilities.

After testing, we shared our results, the tool we used (Metasploit 2.3) and the modules with the vendor participants. Frankly, if we didn't provide the vendors with this information, we aren't convinced they would have added new signatures. In any case, those that didn't fare well will likely have fixes by the time you read this story. We scored protection capabilities, however, based on our initial set of attacks.
We then pulled together well-known virus files and sent them over FTP and SMTP with just names, no file extensions, to see if we could sneak any through. Every product except Secure Computing's Sidewinder offered antivirus scanning of FTP traffic, and all the products successfully scanned e-mail attachments. Signature updates are automatic for the most part, with many of the products able to update manually if necessary. A few of the firewalls required that we install firmware updates and perform reboots manually, but that's par for the course.

We get into the performance versus protection debate a lot. When a stateful packet-filtering firewall wins a review because of better performance, readers with application proxies flame us, saying their firewalls provide superior protection. When an application proxy wins because of better protection, readers with the stateful packet filters rail that those other devices impact network performance. The right answer lies in the middle: We want good performance and strong protection.

Unfortunately, we discovered late that because of a series of errors, the tool we were using to test performance was misreporting results, and the testing scenario we wanted to create was radically different from the one we achieved. So much so that with less than 24 hours until press time, we decided to pull the performance results from this review. We couldn't develop and validate a test on such short notice, and we won't print misleading results. However, we can provide some general observations and post performance charts online.
Antivirus scanning had a significant impact on overall firewall performance, for two main reasons. Before a firewall can scan files, it must queue them. Then it scans each file in turn and decides to send it, drop it or quarantine it. This process uses memory and introduces a high degree of "burstiness" as files are queued, scanned, and passed or dumped. In addition, virus scanning is CPU- and memory-intensive, and it degrades overall traffic performance. Some firewalls, including the FortiGate and Symantec Gateway Security, let you set antivirus configuration options on a per-rule basis, while others are more global.

Content filtering and IPS functionality generally have lesser, but still appreciable, effects on performance. Each vendor defines content filtering differently. For one, it could be as simple as regulating MIME types; for another, going deep into files to search for key words in Web pages and e-mail. The more specific the content filtering, the slower the overall performance.

Making It Dance

So how configurable are these puppies? We're big fans of granularity--we like to tailor an appliance's protective features to our needs, not the other way around. Fortinet's FortiGate is a model of fine-grained configurability. We could, on a per-rule basis, apply different sets of protection features, such as content filtering and antivirus scanning. That's handy when performance is a concern because you can enable advanced features as needed.
Once an appliance is processing lots of traffic, the management interface often slows to a crawl, rendering the device unmanageable. If you're brushing off this consideration, you've never tried to manage a firewall that was under DoS attack. We were happy to find that, even while under load, most of the devices remained manageable; the exception was the SonicWall appliance.

The clear winner in our review is ISS's Proventia M50. This $14,890 champ caught all our attacks the first time and had adequate performance and management capabilities, earning it our Tester's Choice award. Symantec's Gateway Security and Secure Computing's Sidewinder G2 battled for the middle of the pack. Both cost more than double what the Proventia will set you back--$36,700 and $35,900, respectively--but each has strengths in application proxies, plus Symantec's offering is augmented with IDS/IPS while the Sidewinder's split DNS and SMTP proxies add a layer of protection to common protocols.

Fortinet's and SonicWall's products brought up the rear; we were surprised at how poorly their offerings performed. The FortiGate missed three key attacks, while the SonicWall lacks rivals' policy granularity, has poor logging, underperformed with throughput and missed some key attacks.
ISS, like other vendors in this review, is conservative in enabling blocking on intrusion-detection rules--a wise stance. The Proventia has a wide variety of actions that can result from alerts, but the most common are blocking or resetting the connection and dropping the packet. Tuning IDS/IPS features--a requirement in nearly all IT shops--was needlessly complicated. We could tune default actions by entering adjustments on a per-signature or event-family basis through an advanced tab widget. For a few exceptions, this wouldn't be a problem, but for making wide-scale changes, it becomes another rule set to manage. ISS will make changes for you, but then you have to keep going back to the mother ship--not a scalable solution.

Proventia's antispam, antivirus, firewall and Web-filter capabilities generally are enabled or disabled globally, with scant tuning available. For example, antivirus is enabled or disabled for HTTP, FTP, SMTP and POP3 globally. We prefer the granularity Fortinet provides, where profiles are applied on a per-rule basis.

Reporting was mixed. The Proventia logged data and provided excellent detail, which is especially handy when the IDS is firing off alerts. Being able to quickly absorb the particulars of malicious traffic let us immediately understand the risks and possible courses of action. However, the Proventia, like the other products we tested, cannot save filters for later reuse; we also couldn't create negate filters. Although we don't always know what we're looking for in a log file, we know what we don't want to see. Not being able to create a filter that says, "Don't show SYN Flood alerts," we had to slog through entries by hand.

Proventia M50 Integrated Security Appliance. Internet Security Systems, (800) 776-2362, (404) 236-2600. www.iss.net
We've always maintained that application proxies, which fully support defined protocols like HTTP, SMTP or SQL*Net, offer better protection than stateful packet filters and even IPSs. This is because application proxies instantiate service protocols as a client and server. Service-level attacks typically violate protocols in some way, and we have shown in testing that they are best stopped by application proxies. However, there are two problems with this approach: The first is reduced performance, because of the increased processing and the additional latency required to set up a second connection completing the proxy. The second is that few application proxies are actually written. Common protocols HTTP, FTP, SMTP and DNS are easily found, but other common protocols, including Microsoft SQL, use generic proxies that do nothing more than proxy TCP and UDP connections.

The 5460 addresses the second shortcoming with its IDS/IPS feature, which triggers on malicious traffic per an attack-signature match. An interesting phenomenon on the 5460 is that the IIS .printer and ntdll.dll overflow attacks were detected and blocked on the application proxies, not processed by the IDS. The Unicode attack was passed through the application proxy because it is valid HTTP traffic, but it triggered an IDS alert. That's what we call an interesting pairing of complementary technologies. Unfortunately, because Symantec doesn't have an application proxy for SQL Server and no signatures for the two well-known exploits we used, our SQL Server overflow attack was not caught.

Firewall rule and configuration changes were often a multistep process, where we had to apply changes and then save them to the firewall. If we forgot the second step, our modifications didn't take effect. Application proxies are configured on a per-rule basis, so as with the FortiGate, we could tailor protective mechanisms as needed.
Logging, while detailed, was rather awkward to use, which is the last thing you want to deal with when troubleshooting. The logging system had filtering capabilities, but again, we found no way to define a negate filter.

Symantec Gateway Security 5460. Symantec Corp., (800) 441-7234, (408) 253-9600. www.symantec.com
The Sidewinder is highly tunable; we're impressed with the options available in configuring application proxies. Different profiles can be defined for an application defense, which is then used to configure protection features. For example, we created an HTTP profile with enforced content control and allowed only the get, post and head methods. We also disallowed Unicode encoding in the URI. We could then apply that profile to a rule. But not all application-defense mechanisms had as many options as HTTP.

The Sidewinder achieves high performance for an application proxy by limiting the amount of resources it expends on application inspection. Normally, application proxies must move network transactions from the NIC up into user space, proxy the traffic to the "other side" and send it back down to the NIC, creating a bottleneck. Secure Computing changed how the Sidewinder proxies traffic, setting it to inspect only packets that require protocol analysis. For example, if a Web client is doing an HTTP get, only the first few packets must be inspected. Once the get is successful, the rest of the transaction is just moving data, which is kept in kernel space and requires much less overhead. This intelligent inspection provides the best of both worlds--application proxy and good performance.

Still, these benefits don't justify the high price, and like the Symantec Gateway Security, logging left lots to be desired. Although there were plenty of details, ferreting out the salient ones took more mental processing than we like to expend on parsing logs when troubleshooting or even monitoring the firewall.

Sidewinder G2 Security Appliance Model 2150 C 6.1. Secure Computing Corp., (800) 379-4944, (408) 979-6572. www.securecomputing.com
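A toy version of the HTTP application-defense profile described above, added here as an example rather than Secure Computing's code: it allows only the GET, POST and HEAD methods, rejects Unicode encoding in the URI (the interpretation as %uXXXX escapes or raw non-ASCII bytes is an assumption), and enforces a URI length cap, with the last check showing how a tight arbitrary limit such as 100 characters rejects a legitimate request that a relaxed profile passes. Profile values and sample requests are constructed.

```python
"""Toy HTTP application-defense profile in the spirit of the Sidewinder
HTTP profile described above. Added example; not Secure Computing's code.
Profile values and sample requests are constructed for illustration."""
import re
from dataclasses import dataclass


@dataclass
class HttpProfile:
    allowed_methods: frozenset = frozenset({"GET", "POST", "HEAD"})
    max_uri_len: int = 100           # deliberately tight, to show the caveat
    max_header_len: int = 1024
    reject_unicode_uri: bool = True  # assumption: %uXXXX escapes or raw non-ASCII


UNICODE_ESC = re.compile(r"%u[0-9a-fA-F]{4}")


def check_request(raw, profile):
    """Return the list of profile violations for one raw request head;
    an empty list means the request passes."""
    violations = []
    head, _, _ = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    # latin-1 never fails, so non-ASCII bytes survive into the URI check.
    parts = lines[0].decode("latin-1").split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return ["malformed request line"]
    method, uri, _version = parts
    if method not in profile.allowed_methods:
        violations.append("method %s not allowed" % method)
    if len(uri) > profile.max_uri_len:
        violations.append("URI length %d exceeds %d" % (len(uri), profile.max_uri_len))
    if profile.reject_unicode_uri and (UNICODE_ESC.search(uri) or not uri.isascii()):
        violations.append("Unicode encoding in URI")
    for hdr in lines[1:]:
        if len(hdr) > profile.max_header_len:
            violations.append("header longer than %d bytes" % profile.max_header_len)
            break
    return violations


# Constructed sample requests.
GOOD_REQ = b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
PUT_REQ = b"PUT /upload HTTP/1.1\r\nHost: www.example.com\r\nContent-Length: 0\r\n\r\n"
UNICODE_REQ = b"GET /scripts/%u0041bc.asp HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
# A legitimate search URL that is simply long: well over 100 characters.
LONG_URI = "/search?" + "&".join("facet%d=value%d" % (i, i) for i in range(12))
LONG_REQ = ("GET %s HTTP/1.1\r\nHost: www.example.com\r\n\r\n" % LONG_URI).encode()


if __name__ == "__main__":
    strict, relaxed = HttpProfile(), HttpProfile(max_uri_len=2048)
    for name, req in [("good", GOOD_REQ), ("put", PUT_REQ),
                      ("unicode", UNICODE_REQ), ("long", LONG_REQ)]:
        print(name, "strict:", check_request(req, strict),
              "relaxed:", check_request(req, relaxed))
```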
Once we had the SonicWall installed and the firewall policies configured, we enabled the IPS on the LAN zone and the DMZ zone. We fired off our attacks, and four triggered alerts. Only three, however, were correctly identified. The Microsoft SQL Server buffer overflow attack passed unnoticed, and the Windows ntdll.dll overflow triggered three different alarms: one for WebDAV access, one for an overlong URI and one for a SQL injection attempt that left us scratching our heads. None of these would have indicated that someone was attempting to exploit a two-year-old vulnerability. To make matters worse, these exploit signatures were all marked as low priority. We told SonicWall about our results and the company updated its signature databases within the week.

The SonicWall's alert logs are filterable, and when we clicked on an IPS event, we could edit signature properties, such as default action. There's also a link that took us to more information about the event. Unfortunately, the SonicWall doesn't log traffic that passes through allow rules, except through syslog or SonicWall's Viewpoint reporting software. That makes troubleshooting a bit difficult.

We also found that while under load, the SonicWall was essentially unmanageable. Sure, we were managing the SonicWall from the same interface traffic was arriving on, but we never got above 50 percent utilization during our tests, so management shouldn't have been degraded because of high traffic.

SonicWall Pro 5060c with SonicOS 3.0 Enhanced. SonicWall, (888) 557-6642, (408) 745-9600. www.sonicwall.com
The FortiGate does have some redeeming qualities. It is easy to configure and its rule set is highly readable. We also like the system status page, which was unique among the devices tested and gave a quick overview of the firewall. We configured and applied different protection profiles on a per-rule basis, so we could customize traffic protections. For example, we applied a restrictive content-filtering and antivirus profile for one rule, and a less restrictive set of rules for another. Logging is sparse, barely giving enough details to troubleshoot problems. However, unlike the SonicWall, we could log all traffic, and the FortiGate has a modular system for determining what gets reported.

Fortinet FortiGate-800 Antivirus Firewall 2.8. Fortinet, (866) 868-3678, (408) 235-7700. www.fortinet.com

Mike Fratto is editor of Secure Enterprise. He was previously a senior technology editor for Network Computing and independent consultant in central New York. Write to him at mfratto@secureenterprisemag.com.

Secure Enterprise joined with sister publication Network Computing for the mother of all firewall reviews--we tested 20 firewalls in four categories: Gigabit enterprise firewalls, XML gateways, branch-office firewalls and UTM (unified threat management) devices. The only vendor that submitted a single product in multiple categories was Secure Computing, which sent its 2150 model Sidewinder G2 for our gigabit enterprise and UTM reviews. Testing took place at our Green Bay, Wis., Syracuse, N.Y., Chicago and Gainesville, Fla., labs.

In the UTM category, we put five devices through their paces. Overall, we were underwhelmed. Although we told vendors we would test using publicly available exploits, only one product, ISS' Proventia, detected everything. All the other devices let through at least one attack--even though the vulnerabilities we threw at them were at least a year old.
Moreover, performance, especially with antivirus checking enabled, left much to be desired, and pricing was all over the map.

Product Category: UTM appliances, aka multifunction firewalls or all-in-one security appliances

Market Data: By early next year, spending for all-in-one security appliances will exceed spending for specialized security devices, according to Gartner.

Products Tested: Fortinet's FortiGate-800 Antivirus Firewall 2.8, Internet Security Systems' Proventia M50 Integrated Security Appliance, Secure Computing Corp.'s Sidewinder G2 Security Appliance Model 2150 C 6.1, SonicWall's SonicWall Pro 5060c and Symantec Corp.'s Symantec Gateway Security 5460

Who Won and Why: Priced at a mere $14,890, ISS's Proventia detected every one of our attacks while providing decent management capabilities. Our main nit is that ISS could have made it easier to tune IDS/IPS features and antispam, antivirus, firewall and Web-filter capabilities.

What Happens Next: Check out the rest of our "Firewall Blowout" in the April 28, 2005 edition of Network Computing.

When we set out to test unified threat-management appliances, we modeled our tests on real-world requirements. We laid out our network with a DMZ containing an SMTP MTA (message transfer agent), a DNS server and an HTTP server. Our internal zone housed our user clients and an Exchange Server. We designed firewall rules so that all traffic originating from the external zone went only to the DMZ, and all traffic originating from the internal zone could get to the DMZ and external zone. This is a common architecture. The bulk of our traffic originated from the internal zone.

To test the protection features of the UTM devices, we used the Metasploit framework to attack vulnerable HTTP and SQL servers in the DMZ. We verified that the exploits worked prior to testing. We also used fragroute to fragment the traffic into 8-byte chunks to evade IDS detection.
We then gathered up virus files, which we used for FTP and SMTP antivirus scanning. We set up the UTM appliances with similar policies to detect and block attacks and to detect and block viruses over SMTP and FTP, and we restricted access through the firewall, allowing only required services. We then tested each exploit and virus while the firewall was idle and while under load.

We considered an attack properly detected and blocked if the UTM device named the exploit with a degree of accuracy. For example, several appliances named the ntdll.dll exploit as an overlong URI string, which is far too generic a classification to set a block on. If, however, the appliance named it, we attempted to block the attack. We notified vendors of the results. We didn't change the grade if the IDS was properly configured but failed to detect or block the attack, even if the vendor issued a subsequent signature update.
Be careful with protocol parameters, such as maximum header and URL length in HTTP. Although we agree that it's unusual to have a URI longer than 100 characters, some longer ones are out there and there are longer headers. Be sure you understand the behaviors of your applications before you set arbitrary limits.

We strove to configure the firewalls with the strongest possible policy that would be similar across all the products tested so we could determine how the different feature sets compare with one another. Surprisingly, the core security features don't vary much. Some products add some nice touches, though. SonicWall's advanced protections are configured on zones, and you can enable antivirus and content filtering on a per-zone basis. Secure Computing and Symantec took that idea one step further, letting us configure advanced features on a per-rule basis.

All Secure Enterprise product reviews are conducted by current or former IT professionals in our Real-World Labs or partner labs, according to our own test criteria. Vendor involvement is limited to assistance in configuration and troubleshooting. Secure Enterprise schedules reviews based solely on our editorial judgment of reader needs, and we conduct tests and publish results without vendor influence.

5/7/2005 Two UTStarcom SIM-separable PHS handsets are the first to pass testing

According to the latest news, based on the results of terminal technology testing by the alliance's technical group, combined with the results of live-network terminal compatibility testing and measurement by the provincial companies of China Telecom and China Netcom, the UT228, made by leading global communications vendor UTStarcom, on April 26 became the first handset to pass the SIM-separable (机卡分离) test of the China fixed-network and PHS terminal alliance, making it the industry's first SIM-separable PHS (小灵通) handset to pass the test. On the same day another UTStarcom SIM-separable PHS handset, the UT611, also passed, making the UT228 and UT611 the pioneering SIM-separable PHS products to clear the alliance's testing.
UT228

During the alliance testing, the UT228 and UT611 received high marks from both China Telecom and China Netcom, and the UT228, on the strength of its performance and feature set, was described by the alliance's testing department as a model SIM-separable handset.

The UT228 and UT611 both bring together nearly all of the leading technologies and features in the PHS field today. Besides supporting SIM separation, they fully support the industry's advanced H&H technology standard, which combines high-speed seamless handover with high-speed data transmission and can greatly improve PHS call quality and handset performance. UTStarcom is currently the only vendor in the industry to integrate these two technologies tightly and apply them at scale to PHS handset production as a technology standard. This not only greatly reduces the cost of applying the two technologies but also sets a new technical benchmark for the next generation of SIM-separable PHS handsets. PHS handsets with the H&H standard as a baseline configuration have become another distinctive advantage of UTStarcom's products and are sure to win over more consumers.
UT611

To support China Telecom's and China Netcom's phased nationwide rollout of PHS handsets supporting SIM separation beginning May 17, 2005, the soon-to-launch UT228 and UT611 support both the traditional number-burning mode and the SIM-separation mode, so that regions at different stages of the rollout can choose, giving operators and consumers everywhere more options and more flexibility in future operation and use. After the UT228 and UT611, UTStarcom will launch several more PHS handsets supporting SIM separation, offering consumers even more choice.

Network equipment makers Juniper and Avaya announce deeper cooperation

Network equipment makers Juniper and Avaya have announced that they will deepen their cooperation to jointly take on Cisco. The two companies will co-develop new products, resell each other's products and provide support for each other.

The two companies have already signed a memorandum of understanding covering: integrating some of their existing products into a single system; the possibility of using either company's brand for newly developed products; and selling and supporting each other's products worldwide. Some details covered by the memorandum, including what products the two will jointly develop, are still being worked out. Reportedly, the cooperation takes effect once a definitive agreement is signed, and it is not exclusive.

Avaya, spun off from Lucent Technologies in 2000, is one of the world's largest enterprise IP telephony vendors and has similar partnerships with other network equipment makers; for Juniper, this is the first such partnership in the enterprise networking market. Juniper is Cisco's main competitor, and it has previously formed strategic partnerships with Lucent, Siemens and Ericsson in the carrier product market. Last week, Lucent announced that it would resell Juniper's routers into BT's "21st Century Network" project.

Juniper has expanded into the enterprise router market in recent years, and last year it expanded into the firewall and VPN market by acquiring NetScreen. Yet in the enterprise networking market, from routers to IP telephony, Avaya and Juniper both face the same adversary: Cisco. The two also intend to combine Avaya's communications applications and endpoint devices with Juniper's routing and security solutions.

Avaya leads in the call center and IP telephony markets, while Juniper competes fiercely with Cisco in the high-end router and firewall markets. By joining forces, the two companies will be able to offer enterprise customers more attractive converged communications products and services.

5/6/2005 Cisco announces multifunction security product consolidating 18 security management functions

May 4: Cisco Systems CEO John Chambers, in his keynote on Tuesday at the NetWorld + Interop show in Las Vegas, was set to launch a new product called the Adaptive Security Appliance 5500. The new security device brings together the security functions of several different products.

The new product consolidates 18 different network and security management functions in a single device. They include intrusion detection, denial-of-service protection, protection against spyware and adware, and high-level inspection of network traffic. The inspection feature can spot the sudden increase in network bandwidth that occurs when employees visit file-sharing sites such as Kazaa.

Many of these functions are currently found in various products Cisco sells for enterprise data centers, including the PIX security appliances, the IPS 4200 Series and the VPN 3000 concentrators. However, many enterprise data centers have limited space and cannot accommodate all of these devices. Cisco's new Adaptive Security Appliance therefore helps users save as much space as possible.

Cisco's multifunction product strategy differs completely from that of its competitors. Check Point Software and Symantec, for example, offer separate security products for different functions. Another Cisco competitor, Juniper Networks, has also begun integrating many functions into a single device, and Cisco's move will push Juniper Networks and other competitors to integrate even more into one box.

Cisco vice president Jayshree Ullal said the ASA 5500 will ship in May, priced from $3,500 to $17,000. Cisco plans to launch more security products integrating multiple functions later this year.

http://www.cisco.com/application/pdf/en/us/guest/products/ps6120/c1650/cdccont_0900aecd802930c5.pdf

5/5/2005 Product life cycle strategy
Product life cycle strategy

An enterprise cannot expect its product to sell well forever. A product's sales and profitability in the market are not fixed; they change over time, passing through birth, growth, maturity and decline much like the life of a living organism, which is why this is called the product life cycle. The product life cycle is the market life cycle a product goes through from entering the market to leaving it; market entry and exit mark the beginning and end of the cycle. A typical product life cycle can be divided into four stages: introduction, growth, maturity and decline.

I. The stages of the product life cycle

1. Stage one: introduction. When a new product is put on the market, it enters the introduction stage. Customers do not yet understand the product, and apart from a few novelty seekers almost nobody actually buys it. In this stage production batches are small, manufacturing costs are high, advertising expenses are large, the selling price is high, sales volume is extremely limited and the enterprise usually cannot make a profit.

2. Stage two: growth. Once the product has passed through the introduction stage and achieved sales success, it enters the growth stage. This is a period of growing demand: demand and sales rise rapidly, production costs fall sharply and profits grow quickly.

3. Stage three: maturity. After the growth stage, as the number of buyers increases, market demand approaches saturation and the product enters the maturity stage. Sales growth slows and then turns to decline; intensified competition pushes advertising costs up again and profits fall.

4. Stage four: decline. With technological progress, the appearance of new and substitute products and changes in consumption habits, the product's sales and profits fall continuously and it enters the decline stage. Demand and sales drop rapidly while substitutes and new products appear on the market and change customers' consumption habits. Higher-cost enterprises, no longer able to profit, stop production one after another; the life cycle of this class of product ends in turn, and it is finally withdrawn from the market entirely.

II. How to determine which stage of the life cycle a product is in

Correctly judging which stage of its life cycle a product is in is very important for an enterprise formulating the corresponding marketing strategy. The two methods enterprises most commonly use are:

1. The analogy method. This method uses data on the life cycle changes of similar products in the past to judge which stage of its market life cycle the enterprise's product is in. To judge the color television market, for example, data on a similar product such as black-and-white televisions can serve as the basis for a comparative analysis.

2. The growth rate method. This method judges the product's life cycle stage from the ratio of the sales growth rate in a given period to the growth rate of time.

III. Using product life cycle theory to support enterprise decisions

1. Marketing strategy in the introduction stage: target the market and strike first. The introduction stage is the beginning of a product's success, but many new products are eliminated after launch before they ever reach the growth stage. An enterprise must therefore formulate and choose different marketing strategies according to the characteristics of the growth stage. The main strategies available are:

① Rapid skimming: launching the new product at a high price with a high level of promotion. This requires that the product be little known; that those who know of it are eager to buy and willing to pay the seller's price; and that the enterprise faces potential competition and must quickly build a base of customers loyal to its brand.

② Slow skimming: launching at a high price with a low level of promotion. It suits situations where the market is limited in size, customers already know the product, customers are willing to pay a high price and there is no intense potential competition.

③ Rapid penetration: launching at a low price with heavy promotional spending. The conditions are a large market, customers unfamiliar with the new product, a price-sensitive market and strong potential competitors.

④ Slow penetration: launching at a low price with a low level of promotion. The conditions are a large market, a product with high awareness, a price-sensitive market and the existence of potential competitors.

2. Marketing strategy in the growth stage: ride the growth with solid quality. The enterprise's main aim in the growth stage is to sustain a high rate of market growth for as long as possible. To this end it can adopt the following market promotion strategies:

① Improve product quality and add varieties, styles and packaging to suit market needs.

② Segment the market afresh to better fit the growth trend.

③ Open new sales channels and expand the number of outlets.

④ Shift the goal of advertising from building awareness to persuading consumers to accept and buy the product.

⑤ Lower prices moderately to improve competitiveness and attract new customers.

3. Marketing strategy in the maturity stage: innovate and consolidate the market. A mature product is the enterprise's ideal product and its main source of profit, so extending the maturity stage is the main task of this phase. Strategies for doing so can be considered from three angles:

① Develop new uses for the product so that it enters a new growth stage.

② Open new markets to raise sales volume and profit margins.

③ Improve the product's features, quality and form to satisfy ever-changing consumer demand.

4. Marketing strategy in the decline stage: face reality and quit while ahead. Products in decline are usually handled with an immediate abandonment strategy, a gradual abandonment strategy or a natural phase-out strategy, but some enterprises also use various methods to prolong the decline stage. Tangshan Bicycle Works, for example, when its Yanshan brand heavy-duty bicycle stopped selling in the cities, adopted a strategy of withdrawing from the cities and moving into the countryside, finding a new outlet for its product.
The product life cycle is an important concept, directly linked to the enterprise's product strategy and marketing strategy. A manager who wants a product to have a long sales cycle, so as to earn enough profit to repay all the effort and risk of launching it, must study and apply product life cycle theory carefully. The product life cycle is also a powerful tool marketers use to describe how products and markets behave. In developing marketing strategy, however, the product life cycle proves somewhat inadequate, because strategy is both a cause and an effect of the product life cycle: a product's current position may suggest the best marketing strategy. Its use in forecasting product performance is also limited.