The larger a network grows, the harder it is to manage, and the easier Internet access becomes, the more exposed each client is. I have known the name and function of "InterScan" for a long time. To be honest, I have always wanted to deploy anti-virus filtering at the gateway layer, but for years the "performance" figures never convinced the CERNET security manager.
Of course, that is old history. As time passed and security awareness changed, the concept of the gateway blurred in my eyes, yet the conflict between security boundaries and mutual access to resources still binds me like a pair of handcuffs. My dream is to make every school's network more secure while letting every school's resources be reachable from the others; that is a leader's dream.
Cool technology, heated debate
There is an old saying in China: "a horse does not fatten without night grass, and a man does not get rich without a windfall". The extra funds allocated before the end of the year had to be spent on network or security products, which put "security gateway purchase" on the first page of my notebook. We re-assessed the status of anti-virus products in our network. Below are my thoughts on how I ruled options out, and on how far-fetched an anti-virus gateway really is.
In the traditional sense, computer viruses are leaving the stage of history; today "virus" usually refers to a broader set: malware. Intrusions target the browser. In the past you might have thought employees had nothing to worry about, but as information construction accelerates, many network security problems are caused by internal staff. For example, when an employee browses a website, uses instant messaging software or visits forums, malware such as spyware and adware can be downloaded to the computer without anyone noticing and then spread across the enterprise's internal network. For security administrators, centralized security management is simple and direct because it brings all risks together in one place; yet the personalized state of employee clients can make unified management impossible in practice.
A gateway is also known as an inter-network connector or protocol converter. Of the devices used for network interconnection, the gateway is the most complex, working at the transport layer, and it is used only to interconnect two networks that run different high-level protocols. Structurally the gateway resembles a router; the difference is that the gateway is mainly used for WAN interconnection, though it can also be used for LAN interconnection. In the early days of the Internet, the gateway, or router, marked the point at which traffic left the local network.
It has long been common practice for us to use a gateway to divide trusted from untrusted zones. Deploying an access authorization policy on the gateway is routine, and "boundary" is merely a modifier of physical security. Many people treat firewalls or VPNs as the security boundary that defends against hacker attacks and vulnerability probing from outside the intranet. A traditional firewall, however, cannot stop the viruses circulating outside the gateway; in other words, some viruses must first pass through the firewall before they can be detected and removed by the client software.
Note that the first principle of security is to be "invisible": isolate the virus and its carrier first. What is our current practice? Viruses are already resident on your PC before our anti-virus system starts working. Does anyone think that is safe?
Although I have always kept a "strong" speaking style and met some differing opinions, I finally got the "money" into my account, and then immediately fell into a trap of self-contradiction. Because the networks of the lower-level units have no firewalls and most security policies are configured on the uplink ports of routers or layer-3 switches, should we adopt a firewall focused on traffic inspection? I was still torn between the virus-focused InterScan and a UTM that integrates various functions.
Another consideration, one that measures our own operational level, is simplicity of operation. The municipal education network and information center is responsible for systematic training of all primary and secondary school network administration teachers in the city, and every network administration teacher is required to pass the training examination to obtain the qualification certificate.
However, most network administrators have a limited educational background, and about 30% of them transferred from other jobs (previously teaching other subjects), so their knowledge structure is inevitably narrow. Even if they want to learn other skills, they get stuck for lack of a theoretical grounding. Apart from basic computer and network knowledge they have hardly studied any other theory, let alone "security", which greatly reduces the chance of their mastering such a complex product.
The advantage of UTM is that it can meet most of our information security needs at low cost, avoiding the high procurement and maintenance costs and the complicated deployment and management work that come with using a separate security device for each function. It also provides a simple interface that lets non-professional users perform routine maintenance.
I have tested several UTM devices before. A UTM integrates multiple security function modules on one device, so the anti-spam and anti-virus functions it implements still differ from those of a dedicated security device. If the basic firewall function is enabled on a UTM device together with resource-hungry application modules such as anti-virus and intrusion detection, performance drops significantly.
Of course, I also had my own little calculation. The money is allocated by the higher-level organization, but contingencies must be allowed for. I know many UTM products include a virus filtering feature, and of course there are also stand-alone anti-virus products; each feature added to these products may be charged separately. We can select all the functional modules this time because the budget is sufficient, but who will pay next year? So select only the necessary functions, something to be decided before purchasing. With next year's network transformation plan I will achieve network-wide mutual access to resources on the premise of security. I locked my target on UTM products, and testing them with the anti-virus function enabled became my worry!
In the morning I came to the office to start the necessary pre-purchase work: phone calls. After the first call the project was officially launched. From the third day, product promotions, appointments and bidding documents all arrived. To avoid being fooled (I have been fooled many times and have the experience), I began to mobilize my "dark power": a bunch of "gray-hat" friends delivered a large quantity of virus samples, and the lab was quickly built. All test machines were installed with the unified anti-virus software (virus definitions updated to 2009.1.16). Because the purchase volume is large, there are indeed plenty of interested vendors. I am too lazy to listen to vendor introductions; is it gold? Prove it in the lab. The following is a record from the lab over the past two weeks. As procurement is still in progress, content involving manufacturers' names has been omitted for now.
1. Web application protocol anti-virus and products
HTTP, FTP, SMTP and other protection tests are required; I will not explain them here. It is worth mentioning that most of the tested products support both "routing" and "transparent" modes. Five of them require changing the proxy server address in IE. Among the products that support both modes, 10% leaked in transparent mode, and in routing mode 3~5% of the viruses slipped through. In gateway (routing) mode, with the anti-virus function enabled and deep inspection set to its highest level, the download speed of more than 70% of the products fell by more than six.
After the first round of tests, the first problem surfaced. The participants pointed out that internal users do not want to set up a proxy in IE just for HTTP virus scanning, and many applications that do not support proxies would stop working. To enable HTTP virus scanning transparently to users I proposed a solution using "Active Directory + Group Policy", but it was quickly shot down. The first batch of products, those that do not fit usage habits and have poor performance, was eliminated.
2. Unconventional SMB file-share anti-virus test
File sharing across the whole network is a bold idea. Using file servers infected with viruses, we tested anti-virus over SMB file sharing. Because most UTM designs target web anti-virus, they support HTTP, SMTP, POP3, FTP and IM virus scanning. Many vendors questioned the test plan, but two of them could provide support for file-share anti-virus, and I think they have extended an olive branch. Of course, a network-wide file sharing service for more than 10 thousand clients is just one of my ideas.
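The two tests above (the HTTP/FTP detection run in transparent versus routing mode, and the SMB file-share read-back) can be driven by a small harness that avoids handling live samples at all. The following is an added example, not code from the original article or from any vendor: it retrieves the EICAR standard anti-virus test file through the gateway, classifies each retrieval as leaked, blocked or altered, and computes the leakage rate and throughput slowdown the article reports. The lab hostnames, the gateway proxy address and the block-page status codes are assumptions for illustration.

```python
"""Gateway anti-virus acceptance harness (added example, not from the article).

Assumed lab layout (not from the page): the gateway sits in line between the
test client and a lab web/FTP/file server hosting the EICAR test file. In
routing mode the client is pointed at the gateway's explicit proxy; in
transparent mode it is not.
"""
import time
import urllib.error
import urllib.request

# EICAR standard anti-virus test file: benign by design and detected by every
# mainstream engine, so no real sample is needed. Split in two literals only so
# that endpoint AV on the test client does not quarantine this source file.
EICAR = (r"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-"
         "STANDARD-ANTIVIRUS-TEST-FILE!$H+H*")
EICAR_BYTES = EICAR.encode("ascii")

# Status codes block pages commonly use (assumed; vendors differ).
BLOCK_STATUSES = {403, 406, 451, 502, 503}


def classify(status, body):
    """Verdict for one retrieval as seen by the client.

    'leaked'  : the full EICAR signature reached the client (gateway missed it)
    'blocked' : connection dropped, block status code, or empty body
    'altered' : a 2xx response whose body lacks the signature (e.g. a block
                page served with status 200); counts as not leaked
    """
    if body and EICAR_BYTES in body:
        return "leaked"
    if status is None or status in BLOCK_STATUSES or not body:
        return "blocked"
    return "altered"


def fetch(url, proxy=None, timeout=30):
    """Download `url`, optionally via an explicit proxy (routing mode).

    Returns (status, body, seconds). In transparent mode an empty ProxyHandler
    is installed so that http_proxy environment variables cannot skew the run.
    A connection the gateway resets or drops is reported as status None.
    """
    proxies = {"http": proxy, "https": proxy, "ftp": proxy} if proxy else {}
    opener = urllib.request.build_opener(urllib.request.ProxyHandler(proxies))
    start = time.monotonic()
    try:
        with opener.open(url, timeout=timeout) as resp:
            body = resp.read()
            status = getattr(resp, "status", 200)  # FTP responses carry no code
    except urllib.error.HTTPError as err:
        status, body = err.code, err.read()
    except (urllib.error.URLError, OSError):
        status, body = None, b""
    return status, body, time.monotonic() - start


def read_share(path):
    """Read the test file from an SMB path that crosses the gateway, e.g. a UNC
    path on Windows or a mounted CIFS path; an OSError means access was denied
    or the file was already quarantined on the server side."""
    start = time.monotonic()
    try:
        with open(path, "rb") as fh:
            body = fh.read()
        status = 200
    except OSError:
        status, body = None, b""
    return status, body, time.monotonic() - start


def leakage_rate(verdicts):
    """Fraction of retrievals in which the test file reached the client."""
    if not verdicts:
        return 0.0
    return sum(1 for v in verdicts if v == "leaked") / len(verdicts)


def slowdown_factor(seconds_av_off, seconds_av_on):
    """How many times longer a clean download takes with gateway scanning on."""
    return seconds_av_on / seconds_av_off


def run_trial(sources, proxy=None, repeats=10):
    """Retrieve every source `repeats` times and return the list of verdicts."""
    verdicts = []
    for src in sources:
        for _ in range(repeats):
            if src.startswith(("http://", "https://", "ftp://")):
                status, body, _ = fetch(src, proxy=proxy)
            else:
                status, body, _ = read_share(src)
            verdicts.append(classify(status, body))
    return verdicts


if __name__ == "__main__":
    # Hypothetical lab addresses; replace with the real test server and gateway.
    SOURCES = ["http://lab-web.example.test/eicar.com",
               "ftp://lab-web.example.test/eicar.com",
               r"\\lab-files.example.test\share\eicar.com"]
    for mode, proxy in (("transparent", None),
                        ("routing", "http://gw.example.test:8080")):
        verdicts = run_trial(SOURCES, proxy=proxy, repeats=5)
        print(f"{mode:12s} leakage rate: {leakage_rate(verdicts):.1%}")
    # Throughput: time one large clean file with gateway scanning off, toggle
    # scanning on at the gateway, then time it again and compare.
    _, _, t_off = fetch("http://lab-web.example.test/clean-100MB.bin")
    input("enable gateway anti-virus at maximum depth, then press Enter ")
    _, _, t_on = fetch("http://lab-web.example.test/clean-100MB.bin")
    print(f"slowdown factor: {slowdown_factor(t_off, t_on):.1f}x")
```

Run the trial once per vendor and per mode; a product that returns a 200 block page shows up as "altered" rather than "leaked", which is worth noting in the evaluation sheet because a user-facing script may treat that page as a successful download.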
3. Studying the products and operation manuals
It is easy to be fooled. After the tests I handed my work over to other security engineers and started to study the vendors' product operation manuals. To be honest, I don't like 1500-page product manuals. Although the hardware security gateway products of the various manufacturers each have their own characteristics, they differ in after-sales service, upgrades and extensions, and I am even more worried about products with a poor reputation in the forums. In addition, the earlier tests showed that although a hardware security gateway can detect and defend against viruses in depth, it may impose certain speed limits on network traffic, and balancing anti-virus against throughput gives me a headache. Where a manual's description of the performance impact roughly matched our test results, it went into the left drawer, and the others...... Ah, but the products are still being tested, and everything is still unclear.
Security products are always a supplement to network applications. I think the top three threats to CERNET security are "client virus problems", "network virus problems" and "web access viruses, spyware and rogue software problems". However, from the SMB file sharing anti-virus test I conclude that whichever product the money is spent on, the application of anti-virus will become wider and wider, and not only Internet access needs it.