Idea and implementation of virtual security control

Posted by barello at 2020-03-20

Since the official account "Jun brother's body calendar" started operating, I have not published much, mainly because my own ability is limited and my spare time and energy are limited, which limits the output. For the few articles I have sent out, friends kindly reminded me that they were too long and should be pushed in several parts, and that I should keep the account active by riding hot events. I have many explanations for this, but the real reason is "I'm lazy". There is a little selfishness in that laziness: the idea behind building and maintaining the "Jun brother" account is to record and share some personal experiences from work and life, to summarize and improve myself along the way, and to hope that those experiences can help some people who need them. So I am unwilling to rely on hot topics to brush up my presence and disturb my friends. Not for high yield, but for truth, goodness and beauty.

Now to business. Colleagues in enterprise security share a big pain point: a type of security control that is particularly effective against a certain class of threat turns out to be constrained by the enterprise's internal network or system environment, so it cannot be deployed at all, or cannot be deployed at scale, and in the end it is given up. This article puts forward the idea and realization of "virtual security control", for reference and discussion.

In financial enterprises, access control between internal security domains and their sub-domains is usually done with firewall isolation, so that threats in a zone with a lower protection level cannot spread into a zone with a higher one. The coarsest division is the separation of the transaction network, the office network and the Internet. Below that, for example, the transaction network security domain of a bank's head office can be further divided into an outreach (external partner) area, an Internet access area, an office network access area, a storage and backup area, an encryption area, a core host area, an ECC, a management area, and so on; because business is highly concentrated at the head office, a branch's transaction network has fewer zones. The office network can be divided into an office terminal area, an office application server area, a basic server area, a wireless access area, an outsourced personnel access area, and so on. Even inside the office terminal area, some key targets are distinguished, such as the president, vice presidents and department general managers.

Deploying firewalls for access control between so many security domains is obviously not best practice. First, network constraints make it difficult to insert firewalls. Second, it is uneconomical: equipment cost and the cost of management and maintenance are both high. But not isolating them at all is obviously inappropriate. The usual compromise is ACL (access control list) isolation on the switches. This brings its own problems. If the ACL granularity is as fine as a firewall rule, specifying source IP, destination IP, destination port and time window, the performance of the switches and routers degrades severely, even to the point of being unusable. So the rules have to be relaxed: for example, source and destination can only be specified as large IP segments (subnets). The performance loss is then limited, but so is the security control.

In 2012 we ran into this problem, along with some even greater pain points. After internal brainstorming, at the year-end brainstorming meeting we put forward an idea to alleviate them, code-named the "Nimesis plan". The core of the plan is to establish a system of automated and manual security detection, analysis, response handling and counteraction, covering the technical realization, the supporting operation and maintenance processes, and suitable personnel. This is the security operations system that has since been gradually realized and iteratively improved, and it has shown its value in the internal and external attack and defence exercises held since. Closer to the topic: as a small part of the Nimesis plan, to address the fact that access control between internal security domains would otherwise require physical firewalls, we use loose ACLs between security domains plus network traffic detection to analyze exceptions. The two-way traffic between security domains is mirrored, the relationships between network access pairs (source, destination, port) are analyzed, and abnormal access is looked for.

The rules of the physical firewall are as follows:

The rules of the virtual firewall are as follows:

So how are the logs of the virtual firewall analyzed to find exceptions? By cluster analysis, forming a profile that is then used for detection. Cluster analysis groups sample data automatically; it is unsupervised learning. The difference between clustering and classification is that in clustering the classes are not known in advance, whereas classification works from known labels. Cluster analysis forms the classes, and self-learning then turns them into a profile (by analogy with /etc/profile on Linux, which is read at login and sets the environment for every user). The raw log is then filtered in the order blacklist -> whitelist -> profile. Whatever remains after filtering is unknown traffic, which is analyzed manually.
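The following is an added example that is not part of the original article or of the Nimesis system described above. It shows the pipeline the two preceding paragraphs describe, on constructed data: mirrored flow records between security domains are reduced to access pairs (source domain, destination host, destination port), a profile is learned from a baseline window, and live records are filtered in the order blacklist -> whitelist -> profile, with the remainder left as unknown for manual analysis. The domain address ranges, rule tables, record format and sample flows are all assumptions made for the example, and the profile-learning step (keep an access pair once enough distinct source hosts have used it) is a deliberately simple stand-in for the cluster analysis the article mentions.

```python
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed security domains; the address ranges are assumptions for the
# example, not the article's real network plan.
DOMAINS = {
    "office_terminal": ip_network("10.10.0.0/16"),
    "office_app": ip_network("10.20.0.0/16"),
    "core_host": ip_network("10.30.0.0/16"),
    "mgmt": ip_network("10.40.0.0/16"),
}


def domain_of(ip: str) -> str:
    addr = ip_address(ip)
    for name, net in DOMAINS.items():
        if addr in net:
            return name
    return "unknown_domain"


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str = "tcp"

    @property
    def key(self):
        # The access pair the virtual firewall reasons about:
        # source domain, destination host, destination port, protocol.
        return (domain_of(self.src), self.dst, self.dport, self.proto)


# Hypothetical rule tables. Blacklist entries are (src domain, dst domain, port)
# and are checked first, so no whitelist or profile entry can mask them.
BLACKLIST = {
    ("office_terminal", "core_host", 22),
    ("office_terminal", "core_host", 3389),
}
# Whitelist entries are (src domain, dst host, port): explicitly approved access.
WHITELIST = {
    ("office_terminal", "10.20.1.10", 443),
    ("mgmt", "10.30.0.5", 22),
}


def parse(line: str) -> Flow:
    """Constructed record format: '<src> <dst> <dport> <proto>', one flow per line."""
    src, dst, dport, proto = line.split()
    return Flow(src, dst, int(dport), proto)


def learn_profile(baseline: list, min_sources: int = 2) -> set:
    """Group baseline access pairs by key and keep those used by at least
    `min_sources` distinct source hosts. A simple stand-in for cluster analysis:
    a pair seen from a single host is not yet trusted as normal for its domain."""
    sources = defaultdict(set)
    for f in baseline:
        sources[f.key].add(f.src)
    return {k for k, s in sources.items() if len(s) >= min_sources}


def classify(flow: Flow, profile: set) -> str:
    src_domain, dst, port, _proto = flow.key
    if (src_domain, domain_of(dst), port) in BLACKLIST:
        return "blacklist"
    if (src_domain, dst, port) in WHITELIST:
        return "whitelist"
    if flow.key in profile:
        return "profile"
    return "unknown"  # left for manual analysis


def triage(lines: list, profile: set) -> dict:
    buckets = defaultdict(list)
    for line in lines:
        f = parse(line)
        buckets[classify(f, profile)].append(f)
    return buckets


# Constructed sample data. Baseline: a window of "normal" mirrored traffic.
BASELINE_LINES = [
    "10.10.1.1 10.20.1.20 8080 tcp",  # several office terminals use the
    "10.10.1.2 10.20.1.20 8080 tcp",  # same office application server
    "10.10.1.3 10.20.1.20 8080 tcp",
    "10.40.0.2 10.30.0.5 22 tcp",     # management host to core host (also whitelisted)
    "10.10.5.5 10.20.1.30 5432 tcp",  # one terminal to a database: single source,
]                                     # so this pair does not enter the profile

# Constructed live traffic to triage.
LIVE_LINES = [
    "10.10.1.9 10.20.1.20 8080 tcp",  # matches the learned profile
    "10.10.1.2 10.20.1.10 443 tcp",   # explicitly whitelisted
    "10.10.1.3 10.30.0.7 22 tcp",     # office terminal SSH into core host: blacklisted
    "10.10.1.4 10.30.0.9 1521 tcp",   # office terminal to a core DB port: unknown
    "10.10.5.5 10.20.1.30 5432 tcp",  # still a single-source pair: unknown
]


def run_demo() -> dict:
    profile = learn_profile([parse(l) for l in BASELINE_LINES])
    buckets = triage(LIVE_LINES, profile)
    return {name: [f.key for f in flows] for name, flows in buckets.items()}


if __name__ == "__main__":
    for name, keys in run_demo().items():
        print(name)
        for k in keys:
            print("   ", k)
```

The ordering matters: the blacklist is consulted before the whitelist and the profile, so a learned pattern can never quietly legitimize access that policy forbids, and the "unknown" bucket is what the analyst works through by hand. In a real deployment the baseline would be re-learned periodically and the profile reviewed, since anything an attacker does steadily enough during the learning window becomes "normal".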

The implementation of the system is as follows:

The actual situation after deployment among the five main security domains is as follows:

The advantages of the virtual firewall with abnormal traffic analysis are two. First, it mitigates the security risk created by being unable to deploy access control devices. Second, mirrored traffic is captured at the network layer. Logs at the host, application and user layers are exposed to an attacker who has taken control of the host and can tamper with or suppress them, so in principle their credibility is much lower than that of what is seen on the wire; an attacker on the host cannot alter what a mirror port records about who talked to whom and on which port (encryption hides the content, not the access pair). Detection based on the network layer is therefore harder to subvert than detection based on the host or application layer.

As for commercial products for the abnormal traffic and abnormal access detection described above, Cisco has products that implement this, which I have not used in detail, so I don't know their actual effect. It is said to be a market worth billions of dollars. Some domestic security companies are also striving to commercialize it, which should have good prospects; I look forward to it.

Beyond the virtual firewall, more and more security controls can be realized through the idea of security detection. The traditional security mindset concentrates on blacklist-style controls and pays no attention to grey-area behaviour, and the defects of blacklists increasingly fail to meet security requirements. Virtual security control built on detection is likely to become the mainstream. For example, more and more enterprises are deploying security agents on servers to implement their security requirements. The idea there is also to focus on detection, with as few enforcing controls as possible or none at all: the agent simply records behaviour and forwards it to a central platform for analysis. Protection measures are thereby pushed out as far as possible without reducing the availability of business systems.

-----------Chicken soup boundary---------------

There is more than one way to live in this world. Everyone has two selves: one tries to be perfect in the eyes of others, the other just wants to listen to the most real call from within. Too many people live carefully to meet the expectations of others. They care that they cannot meet those people after their eyes are exhausted

Real life is only about the essence of each person's existence. It exists only in our deep desire to break free of frames and boundaries and to refuse external bondage and binding

March is here, and Shenzhen has become a sea of flowers. Friends in the security circle: besides vulnerabilities and startups, there are also flowers and distant places. Go out and enjoy the flowers.

Note appended:

Nie Jun, information security practitioner, with more than ten years of information security experience in the financial industry. Fond of reading, without insisting on thorough understanding. Cheerful personality, likes football.

The articles on this subscription account share personal experience from work and life. Reading from different perspectives and positions will lead to differing interpretations and opinions; they do not seek a single correct view, only truth, goodness and beauty.
