Strengthening network security management with UDS technology

Source: Internet
Author: User
Tags: iis

The rapid growth of the Internet has made information far easier to share and use, and at the same time has confronted society with serious information-security challenges. To cope with them, products such as firewalls, intrusion detection systems, security audit systems and traffic monitors have been progressively adopted. These products relieve the most pressing problems to some extent, but how to combine their strengths and get the most out of each of them is a new problem facing network administrators.

In summary, current network security management suffers from the following problems:

1. Security devices usually operate in isolation, so their alarms are hard to correlate and administrators lack an overall view of the network's security posture.

2. After a security incident it is not possible to quickly determine its source, so restoring network services takes a long time.

3. Accurate and effective detection methods are lacking for certain classes of incident, such as DDoS attacks and worms.

4. Feeding several devices from the network, or configuring several port mirrors on a switch to capture packets for them, degrades network performance.

Integrating intrusion detection, security auditing and abnormal-traffic analysis into a single unified detection system (UDS) addresses these problems effectively, and offers seven advantages over running each technology on its own.

Improve the accuracy of administrator security decisions

Combining several detection methods lets users see the network's security situation from different angles and therefore more completely. Each bypass (out-of-band, mirror- or tap-fed) detection product focuses on different things, so when a security event occurs the three kinds of tool can confirm one another and be correlated, which improves the accuracy of the administrator's decision. For example: the traffic module shows a sudden surge of TCP traffic; the IDS alarm reveals that it is caused by a peer-to-peer download; and the audit system supplies the details, such as the name, type and size of the downloaded file. This helps administrators monitor whether network resources are being used legitimately.

Fast location of attack source and target

When an Internet worm spreads, an infected host behaves differently on the network from a healthy one, so the audit function can quickly pick out the abnormal host, and the IDS attack alarm then identifies the source of infection. For example: for a buffer-overflow attempt carried in an overlong request, the IDS raises an alarm, and the administrator can inspect the actual payload and its length in the audit module to decide with certainty whether the alarm is a real attack; the same record also provides strong evidence for tracing the intruder.

Achieve full detection of specific security incidents

An IDS on its own has difficulty detecting DDoS attacks and unknown worms, but both cause significant traffic anomalies. A UDS adds traffic detection on top of the IDS, which makes up for this inherent weakness and gives more comprehensive detection. For example, during a DDoS or worm attack the traffic detection module shows a particular protocol or application suddenly generating a large volume of traffic, and the IDS module, used together with it, shows the traffic type and more specific attack information. The traffic module measures the volume generated by the attack so the administrator can assess the damage; the IDS module determines the specific attack type and pinpoints the IP addresses involved, locating the security risk on the network.

Improve the user's return on investment

Performing several kinds of analysis on a single packet capture, rather than running several devices at once, is more efficient, removes the failure points introduced when devices are chained together, and avoids the performance impact of multiple port mirrors. In addition, when one integrated product replaces several separate products while meeting the same functional and performance requirements, the price advantage is considerable and the user's return on investment improves markedly.

Easy deployment

Consolidating the bypass detection functions on one device simplifies installation and deployment. Bypass products are normally fed by a mirror (SPAN) port configured on a switch or by a network tap, so several products need several mirror ports or several taps. Multiple mirrors degrade switch performance, some switches do not support more than one mirror session at all, and multiple in-line taps add single points of failure.

Centralized management, comprehensive analysis

The typical bypass detection process is to capture packets from the network, analyse them without packet loss, and turn them into security events, alarms or statistics according to predefined rules. Because the underlying capture and analysis layer is shared, a UDS can add detection systems at the upper layer to broaden its coverage and meet a variety of detection requirements, and the architecture scales well to future products. For example, the system cross-correlates the results of its several detectors and reports centrally with the security event as the unit, giving administrators a clear hierarchy. In a DDoS event the abnormal-traffic module delimits the time range, the IDS module supplies the detailed attack type, and the traffic module totals the traffic generated, so that the intensity of the incident can be calculated now and the loss estimated later. The audit module records the specific application services affected and provides evidence for later tracing the source of the attack.
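The following is an added example, not code from the original article or from any UDS product, that sketches the correlation described in the "Achieve full detection of specific security incidents" section above and in this one: a traffic module totals bytes per protocol and time window, an abnormal-traffic module flags windows that blow past their baseline, and the correlator attaches the IDS alarms and top talkers of that window to produce one security event per anomaly. The flow records, IDS alarms, window size, anomaly factor and field layout are all constructed assumptions.

```python
"""Added example (not from the original article): a minimal UDS-style
correlation of a traffic-anomaly detector with IDS alarms.

All flow records and IDS alarms below are constructed sample data, and the
window size, anomaly factor and field layout are assumptions."""
from collections import defaultdict
from statistics import median

WINDOW = 60  # seconds per analysis window (assumption)

# Constructed flow records: (timestamp_s, src_ip, dst_ip, proto, bytes).
FLOWS = []
for minute in range(10):                                   # quiet baseline
    t = minute * WINDOW
    FLOWS += [(t + 5,  "10.0.0.11", "10.0.0.2", "tcp", 20_000),
              (t + 30, "10.0.0.12", "10.0.0.2", "tcp", 15_000),
              (t + 45, "10.0.0.13", "10.0.0.3", "udp", 5_000)]
t = 10 * WINDOW                                            # minute 10: TCP burst, one host fans out
for i, dst in enumerate(["10.0.0.20", "10.0.0.21", "10.0.0.22", "10.0.0.23"]):
    FLOWS.append((t + i * 10, "10.0.0.5", dst, "tcp", 150_000))
t = 11 * WINDOW                                            # minute 11: UDP burst, no IDS signature
for i, dst in enumerate(["10.0.0.30", "10.0.0.31", "10.0.0.32", "10.0.0.33"]):
    FLOWS.append((t + i * 10, "10.0.0.7", dst, "udp", 150_000))

# Constructed IDS alarms: (timestamp_s, signature, src_ip, dst_ip).
IDS_ALERTS = [
    (605, "NETBIOS SMB buffer overflow attempt", "10.0.0.5", "10.0.0.20"),
    (625, "NETBIOS SMB buffer overflow attempt", "10.0.0.5", "10.0.0.22"),
]


def bytes_per_window(flows, window=WINDOW):
    """Traffic module: total bytes per (window index, protocol)."""
    totals = defaultdict(int)
    for ts, _src, _dst, proto, nbytes in flows:
        totals[(ts // window, proto)] += nbytes
    return totals


def anomalous_windows(flows, window=WINDOW, factor=10):
    """Abnormal-traffic module: flag a window whose bytes for a protocol
    exceed `factor` times the median of the other windows for that protocol.
    Median rather than mean so a single burst does not inflate its own baseline."""
    by_proto = defaultdict(dict)
    for (w, proto), b in bytes_per_window(flows, window).items():
        by_proto[proto][w] = b
    found = []
    for proto, per_window in by_proto.items():
        for w, b in per_window.items():
            others = [v for k, v in per_window.items() if k != w]
            if not others:
                continue
            base = median(others)
            if base > 0 and b > factor * base:
                found.append({"window": w, "proto": proto, "bytes": b, "baseline": base})
    return found


def build_events(flows=FLOWS, alerts=IDS_ALERTS, window=WINDOW):
    """Correlation: one security event per anomalous window, carrying the
    time range (traffic anomaly), attack type (IDS) and top talkers (flows)."""
    events = []
    for a in anomalous_windows(flows, window):
        w, proto = a["window"], a["proto"]
        sigs = sorted({sig for ts, sig, _s, _d in alerts if ts // window == w})
        src_bytes = defaultdict(int)
        for ts, src, _dst, p, nbytes in flows:
            if ts // window == w and p == proto:
                src_bytes[src] += nbytes
        top = sorted(src_bytes.items(), key=lambda kv: -kv[1])[:3]
        events.append({
            "window_start": w * window,
            "proto": proto,
            "bytes": a["bytes"],
            "intensity": round(a["bytes"] / a["baseline"], 1),   # multiple of baseline
            "ids_signatures": sigs,
            "top_sources": top,
            # No IDS signature yet: keep the anomaly open and record the session.
            "verdict": "confirmed attack" if sigs else "unclassified anomaly, record session",
        })
    return sorted(events, key=lambda e: e["window_start"])


if __name__ == "__main__":
    for e in build_events():
        print(e)
```

Run as a script it prints two events: the minute-10 TCP burst is matched with the SMB overflow alarms and the fan-out source 10.0.0.5, while the minute-11 UDP burst has no matching signature and is left as an open anomaly to be recorded, which is the unknown-worm path the article describes. The median-of-other-windows baseline is deliberately simple; a production detector would keep a longer history with per-hour baselines and also alarm on packet or connection counts, since a scanning worm can be loud in connections while light in bytes.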

In-depth analysis of security incidents, evidence recording and traceability

Session recording of abnormal traffic. When analysis of abnormal traffic reveals an anomaly in some protocol type, the security manager can start the UDS's session recording function to audit that traffic. For example: an unknown worm is detected by the abnormal-traffic system, but because the worm has only just broken out, no organisation has yet named it, so the UDS cannot report a specific worm name. The administrator can instead have the system record the data stream automatically; the specific worm is then identified later.

Cross-reporting of IDS logs, security audit logs and abnormal-traffic alarm logs. A host infected by a worm or under remote control differs from a normal host in its traffic distribution and behaviour. Such hosts can be found from the audit log or the abnormal-traffic log, which directs the administrator's attention to them when handling the IDS module's alarms and improves the accuracy of analysis. For a security event such as a worm attack, the cross-report gives the administrator a clear hierarchy: the abnormal-traffic module confirms that a security event has occurred, the IDS module supplies the specific attack type and worm name, the traffic module supplies the volume of data the event generated, and the audit module provides the basis for identifying and tracing the attack source and the victim system.

Correlating IDS alarms with host resource information. Not every attack reported by the various security devices actually threatens the target network. Take a typical buffer-overflow attack against IIS: if the target host is unreachable, is not running Windows, is not running the IIS service, or does not have the relevant vulnerability, the attack cannot succeed. Correlating IDS alarms with host resource information lets the system judge whether an alarm is genuine and lowers the IDS false-positive rate. The precise alarm function of the UDS solves this kind of problem to some extent, and if vulnerability-scan results are also correlated, alarm accuracy improves further. For example: an intruder launches an IIS Unicode directory-traversal attack against a Linux system. The attack only applies to the Windows platform, so it cannot succeed; in an environment with heavy traffic and many alarms, the administrator can lower the alarm level for such cases in the policy, filter out these intrusion attempts, and record only the genuinely effective, threatening attacks.
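As an added example, not code from the original article or from any UDS product, the following triage routine applies exactly the four checks listed above (reachable, right OS, service running, vulnerability present) to IDS alarms using a host inventory and the last vulnerability-scan results. The inventory, scan findings, signature metadata, alarms and every function and field name are constructed assumptions.

```python
"""Added example (not from the original article): correlating IDS alarms
with host resource information so that attacks which cannot succeed against
the target are de-prioritised, as in the article's IIS-against-Linux case.

The asset inventory, vulnerability-scan findings, signature metadata and
alarms are all constructed sample data; the field and function names are
assumptions, not a real product's API."""
from dataclasses import dataclass, field


@dataclass
class Host:
    ip: str
    reachable: bool                               # from the last inventory sweep
    os: str                                       # "windows", "linux", ...
    services: set = field(default_factory=set)    # e.g. {"iis", "ssh"}
    findings: set = field(default_factory=set)    # vuln IDs from the last scan


# Constructed inventory plus scan results.
ASSETS = {
    "10.0.0.10": Host("10.0.0.10", True,  "windows", {"iis"}, {"iis-unicode-traversal"}),
    "10.0.0.11": Host("10.0.0.11", True,  "windows", {"iis"}),           # patched
    "10.0.0.12": Host("10.0.0.12", True,  "linux",   {"apache", "ssh"}),
    "10.0.0.13": Host("10.0.0.13", False, "windows", {"iis"}),           # powered off
}

# What each IDS rule actually targets (constructed; a real deployment would
# take this from the rule set's own metadata).
SIGNATURES = {
    "WEB-IIS unicode directory traversal": {"os": "windows", "service": "iis",
                                            "vuln": "iis-unicode-traversal"},
    "WEB-IIS buffer overflow attempt":     {"os": "windows", "service": "iis",
                                            "vuln": "iis-overflow-example"},
}


def triage(alarm, assets=ASSETS, signatures=SIGNATURES):
    """Return (priority, reason) for one alarm = (signature, src_ip, dst_ip).

    Suppression is only applied when the inventory positively rules the attack
    out; unknown hosts or rules are escalated for review, never silently dropped."""
    sig, _src, dst = alarm
    meta = signatures.get(sig)
    host = assets.get(dst)
    if meta is None or host is None:
        return "review", "no metadata for signature or target not in inventory"
    if not host.reachable:
        return "suppress", "target host unreachable"
    if host.os != meta["os"]:
        return "suppress", f"attack targets {meta['os']}, host runs {host.os}"
    if meta["service"] not in host.services:
        return "suppress", f"{meta['service']} not running on target"
    if meta["vuln"] in host.findings:
        return "critical", "target is scan-confirmed vulnerable"
    return "medium", "service present, vulnerability not confirmed by scan"


def triage_all(alarms, **kw):
    """Annotate every alarm; suppressed ones are kept for forensics, not discarded."""
    return [{"alarm": a, "priority": p, "reason": r}
            for a in alarms for p, r in [triage(a, **kw)]]


# Constructed alarms from one attacker sweeping the subnet.
ALARMS = [
    ("WEB-IIS unicode directory traversal", "203.0.113.9", "10.0.0.12"),  # Linux target
    ("WEB-IIS unicode directory traversal", "203.0.113.9", "10.0.0.10"),  # vulnerable IIS
    ("WEB-IIS unicode directory traversal", "203.0.113.9", "10.0.0.11"),  # patched IIS
    ("WEB-IIS buffer overflow attempt",     "203.0.113.9", "10.0.0.13"),  # host down
    ("WEB-IIS buffer overflow attempt",     "203.0.113.9", "10.0.0.99"),  # unknown host
]

if __name__ == "__main__":
    for row in triage_all(ALARMS):
        print(row["priority"].upper().ljust(9), row["alarm"][2], "-", row["reason"])
```

Two practical points the article's example glosses over are built in: a target that is not in the inventory, or a rule with no metadata, is escalated rather than suppressed, because a missing asset record is more often a stale inventory than a harmless attack; and suppressed alarms are retained with their reason instead of being dropped, since the attacker sweeping the Linux host here is the same one hitting the vulnerable IIS host, and that context is exactly what the cross-report and traceability functions need.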

Given these seven advantages, integrated security detection technology and products can be expected to receive growing attention and wider adoption.
