How to understand network security audit products

Source: Internet
Author: User

First, the origin of the concept of network auditing:

Auditing originated in finance, where it is used to check the legality of business behavior. Financial auditing starts from the books: the auditor examines the accounts and finds the problems in the business from them. Accounting has a basic principle that debits and credits must always balance, and keeping a large number of accounts balanced is not easy in itself, so an auditor is usually a master of finance.

Financial auditing can be summed up in three key points:

1. All accounting transactions must be clearly visible. If some transaction records are hidden, the audit may not find the problem, so auditors often check the bank statements, where money transactions must appear (cash transactions are the exception). Finding a hidden transaction is itself finding the place where you feel guilty; a guilty conscience means a problem, and the audit's job is to find problems.

2. Debits and credits must balance. An imbalance means funds are misplaced, and misplaced funds raise many questions that need to be explained; the more you explain, the more likely loopholes appear.

3. Transactions must be reasonable and compliant. Compliance means legality, which here includes industry regulations and practice, not only the law. This looks easy, but people rely on experience; the computer has expert systems, yet this is the hardest place for a computer to simulate human thinking. Experienced auditors understand the behavior of their industry deeply, raise doubts about the unreasonable aspects of "reasonable" behavior, and then analyze the compliance of the transaction.

The concept of auditing was introduced into network security with the early research on IDS (intrusion detection systems). Detecting intrusion behavior originally meant auditing host logs to discover attacks, and this later developed into host IDS technology. Because a host IDS only detects behavior on its own host and consumes the host's precious resources, security vendors thought of collecting the raw information directly by mirroring the network link, which is today's network IDS.

An IDS is designed to detect attacks and generally does not store all the raw data, so reproducing what a given user did at a given time is usually difficult. The purpose of auditing is to find evidence of an "attack" in past records: not only can the "attack" process be reproduced, but the "evidence" cannot be modified afterwards. This is how network security audit products came into being.

Second, the main functions of a network audit product:

Security auditing is needed in the network to reproduce the operation process of a wrongdoer, to provide evidence that establishes their unlawful behavior, and to analyze the vulnerabilities in the current security defense system. From the point of view of security defense, it is a deterrent to the lawless: "Don't reach out, or you will be caught when you strike; if you are not caught now, sooner or later there will be a reckoning!" Auditing also embodies an important idea: it is not aimed at external intruders, which is an important difference from IDS products. Auditing is aimed at internal personnel, because the actors can be clearly identified, and its role is mainly security deterrence. 70% of network security problems come from internal personnel. The illegal behavior of an internal "legal" user is hard to prevent in advance and hard to detect immediately while it happens; the most suitable measure is auditing after the fact.

To "reproduce" events, a security audit product must have the following features:

1. Record the user's behavior process (the user may be an outsider or an insider): when they came, what they did, and when they left.

2. Determine the user's identity. At the very least determine the IP address of their computer; audit systems are generally linked with network identity authentication to determine exactly who the user is.

3. Not only record, but also reproduce the user's "work" process. Because there are many application protocols in the network and many ways of invoking resources, reproduction not only requires recording a large amount of live communication data, but also a variety of reproduction environments.

4. The audit records must not be changeable.

Non-modifiable audit records are technically different from traditional financial auditing, because computer-stored information is electronic and can be modified easily and without leaving traces. Ensuring that audit records cannot be modified is the key to evidence after the event. The business auditing required of listed companies by the US Sarbanes-Oxley Act explicitly requires that audit records cannot be modified.

At present, besides the audit product guaranteeing the access rights to audit records, data modification and partial deletion from the bottom of the system by the professional technical personnel who carry out operation and maintenance management is a security problem that cannot be neglected; WORM (write once, read many) technology in networked storage systems ensures at the storage operating system level that the data is not tampered with. There is always a gap between technology and requirements, and audit products still have a long way to go in protecting audit records.
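As an added example (not code from the original article), the following Python sketch shows the tamper-evidence principle behind point 4 and the who/when/what fields of points 1 and 2: each audit record carries the hash of the previous record, so an edited or deleted record is detected when the chain is verified. The record fields and the sample session are constructed for illustration.

```python
import copy
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # anchor hash for the first record of the chain


def _digest(prev_hash: str, record: dict) -> str:
    # Canonical JSON so an identical record always produces the same hash
    body = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + body).encode()).hexdigest()


def append_record(log: list, who: str, src_ip: str, action: str, when: str = None) -> dict:
    """Append a who/when/what record; its hash also covers the previous entry's hash."""
    when = when or datetime.now(timezone.utc).isoformat()
    record = {"seq": len(log), "when": when, "who": who, "src_ip": src_ip, "action": action}
    prev = log[-1]["hash"] if log else GENESIS
    entry = {"record": record, "prev": prev, "hash": _digest(prev, record)}
    log.append(entry)
    return entry


def verify_chain(log: list):
    """Return (True, None) if intact, else (False, index of the first bad entry).
    An edited record changes its hash; a deleted record breaks the next entry's prev
    link and seq. Truncating the tail is NOT detected here: anchor the latest hash
    elsewhere (WORM storage or a signed checkpoint) and compare against it."""
    prev = GENESIS
    for i, entry in enumerate(log):
        if entry["prev"] != prev or entry["record"]["seq"] != i:
            return False, i
        if _digest(prev, entry["record"]) != entry["hash"]:
            return False, i
        prev = entry["hash"]
    return True, None


def demo():
    """Constructed sample session, then one edited and one deleted record."""
    log = []
    append_record(log, "ops_admin", "10.0.0.5", "login", "2024-01-01T08:00:00+00:00")
    append_record(log, "ops_admin", "10.0.0.5", "export customer_table", "2024-01-01T08:01:00+00:00")
    append_record(log, "ops_admin", "10.0.0.5", "logout", "2024-01-01T08:02:00+00:00")
    edited = copy.deepcopy(log)
    edited[1]["record"]["action"] = "view dashboard"  # after-the-fact alteration
    deleted = copy.deepcopy(log)
    del deleted[1]
    return verify_chain(log), verify_chain(edited), verify_chain(deleted)
```

`demo()` returns an intact result for the original log and the index of the first broken entry for the edited and the deleted copies.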

User management, event query, event association analysis, report generation, compliance reports and other functions of audit products are not covered here, because they are mainly the management functions necessary when a security product is used: a product must not only fulfil its work objective but also make the user's operation convenient, especially by making daily management convenient and fast.
