[Repost] A good article on VoIP security (2009-02-17 17:33:49)

February 17, 2009
VoIP Security Challenges: 25 Ways to Secure your VoIP Network

VoIP technology has the tech geeks buzzing. It has been touted as:

– the killer of telecoms
– a solution for the third world’s communication gap
– revolutionizing factor in international business

But despite all the buzz, and the predictions that everyone will be using it by 2009, why does it seem that every time you make a phone call with Skype the quality sucks…or that your Vonage calls constantly get dropped…or worse, that teenage hackers are stealing your personal information and bringing down the whole network?

A VoIP network is susceptible to the usual attacks that plague all data networks:

…viruses, spam, phishing, hacking attempts, intrusions, mismanaged identities, Denial of Service (DoS) attacks, lost and stolen data, voice injections, data sniffing, hijacked calls, toll fraud, eavesdropping, and on and on and on.

The only difference is, with other technologies people take basic steps to protect themselves. With VoIP, nobody is doing so. As a result, all we hear about in the mainstream media is how vulnerable and unreliable VoIP is. And let’s face it…until people start taking the steps to safeguard their networks, this technology isn’t going to go places.

So for those of you geeks who want to see the technology get broadly adopted (and maybe fulfill some of the lofty aspirations mentioned above), start by first protecting your own VoIP network, and then help protect those of your friends and neighbors. Pretty soon, we can dump the “vulnerable” label and start gaining some non-techie fans.

So without further ado, here are 25 ways to help you get started.

1. Restrict all VoIP data to one Virtual Local Area Network (VLAN): Cisco recommends separate VLANs for voice and data; this helps prioritize voice over data and also keeps traffic on the voice network hidden from those connected to the data network. VLANs are also useful in protecting against toll fraud, DoS attacks, and eavesdroppers listening in on and taking over conversations. A VLAN is effectively a closed circle of computers that does not allow any other computer access to its facilities; with no PC from which to launch attacks, your VoIP network is quite safe. Even in the case of an attack, the disruption caused is minimal.
2. Monitor and track traffic patterns on your VoIP network: Monitoring tools and intrusion detection systems can help identify attempts to break into your VoIP network. Scrutinizing your VoIP logs can bring to light irregularities such as international calls made at odd hours or to countries your organization has no ties with (toll fraud), multiple log-on attempts like in a brute-force attempt to crack a password, or a surge in voice traffic during off-peak hours (voice spam).
3. Lock down your VoIP servers: Servers should be secured physically against both internal and external intruders who can intercept data using sniffing techniques, either within the LAN or at the ISP when data travels over the Internet. Since VoIP phones have fixed IP and MAC addresses, it’s easier for attackers to try to worm their way in, which is why Gary Miliefsky, founder and CTO of NetClarity, recommends locking down the IP and MAC addresses that are allowed to reach the administrative interfaces of VoIP systems, and putting up another firewall in front of the SIP gateway. This restricts incoming access to IT administrators and prevents hackers from getting in.
4. Use multiple layers of encryption: It’s not enough to just encrypt the data packets that are sent out; you have to encrypt call signaling too. Encrypting voice packets prevents voice injections, where interceptors insert their own words into the conversation and give it a whole new meaning. Steve Mank, CEO of Qovia, cites two common methods of encryption – the Secure Real-time Transport Protocol (SRTP), which encrypts communication between endpoints, and Transport Layer Security (TLS), which encrypts the whole call process. Encryption of voice traffic should be supported by providing strong protection at gateways, networks and hosts.
5. Build redundancy into VoIP networks: Be prepared for the day DoS attacks or viruses threaten to bring your network crashing down – create a network that tolerates failures by setting up multiple nodes, gateways, servers, power sources, and call routers, and hooking up with more than one provider. Don’t stop with just putting the infrastructure in place; run frequent trials to ensure that they are working well and are ready to take over when the primary network fails.
6. Put your equipment behind firewalls: Create separate firewalls so that traffic crossing VLAN boundaries is restricted only to applicable protocols. This will prevent the spread of viruses and Trojans to servers in case clients are infected. The maintenance of security policies also becomes simpler when each firewall is considered separately. Choose networking and security vendors who support both the Session Initiation Protocol (SIP) and the International Telecommunication Union’s H.323 protocol. Firewall configurations have to be created so that the appropriate ports open and close when necessary.
7. Update patches regularly: The security of a VoIP network depends on both the underlying operating system and the applications that run on it. Maintaining patch currency for both the OS and VoIP applications is imperative in protecting against threats from malware. A study from Forrester Research urges companies to make sure they provide “added security measures for IP telephony, without assuming that vendors will respond to each and every risk that appears with patches for installed products.”
8. Keep your network away from the Internet: The University of Houston is a pioneer in this security approach – the institution has put its call manager and network out of direct reach of the Internet; its IP PBXs are in a domain separate from its other servers, and access is restricted.
9. Minimize the use of softphones: VoIP softphones are prone to hacker attacks, even when they are behind corporate firewalls, because they are used with an ordinary PC, VoIP software, and a pair of headphones. Also, softphones do not separate voice and data, and are vulnerable to the viruses and worms that normally infect a PC.
10. Perform security audits on a regular basis: Running checks on administrative and user sessions and service activities can help bring irregularities to light. Phishing attempts can be thwarted, spam can be filtered out so it doesn’t clog the network, and intruder attacks can be stopped.
11. Evaluate physical security: Make sure that only devices and users who are authenticated and pre-approved gain access to your network by limiting access to the Ethernet ports. Administrators are often fooled into accepting softphone devices that are not permitted on the network, because hackers can easily imitate IP and MAC addresses by plugging into an RJ45 port.
12. Use vendors who provide digital security certificates: When IP phone vendors provide digital certificates to authenticate devices, users can ensure that the conversation is secure and is not being broadcast to other devices. The phones load digitally signed images to ensure that the software loaded is authentic. Verisign has been a pioneer in providing authentication certificates for wireless IP phones, in an effort to prevent “tapping” (illegal eavesdropping) and “spoofing” (illegal tampering) of conversations.
13. Secure your gateways: Configure gateways so that only those who are allowed access can make and receive VoIP calls. Lists with authenticated and approved users can ensure that others are prevented from using the lines to make free calls. Protect gateways and the LANs behind them with a combination of an SPI firewall, application layer gateways (ALG), network address translation (NAT) tools, and SIP support for VoIP soft clients.
14. Manage servers separately: VoIP call servers are often the targets for attackers because they are the heart of any VoIP network. Critical weaknesses inherent in the server include its operating system, and the services and applications it supports. To minimize the chance that hackers get at your VoIP servers, manage traffic to them separately from VoIP signaling and call traffic.
15. Sort SIP traffic: Looking through your SIP traffic and checking for abnormal packets and traffic patterns that are different from the usual will help in cutting short sessions that are not genuine. Anomalies in the syntax and semantics of SIP and events that are irregular and out-of-sequence indicate that attacks are taking or likely to take place.
16. Examine call setup requests at the application layer: VoIP calls are susceptible to hijacking by outsiders who gain access to the network. Set up appropriate security policies so that only those call setup requests that conform to them are accepted.
17. Isolate voice traffic: For external communications, rely on a Virtual Private Network (VPN). Separate your voice and data traffic to prevent unwanted ears from listening in on your conversation. According to Kevin Flynn, senior manager of unified communications for Cisco, the biggest problem for organizations is “bad stuff from the data network getting on to the voice network.” He recommends blocking PC port access to the voice VLAN.
18. Use proxy servers: Protect your network even beyond firewalls by using proxy servers to process data that comes in and goes out. Authentication and integrity are ensured when signaling messages travel between user agents and SIP proxies by integrating SSL tunnels with SIP proxies.
19. Run only applications that are necessary to provide and maintain VoIP services: The very fact that VoIP applications use data that is encrypted could lead to them being used to launch DoS attacks. Attackers can hide behind the cloak of encryption to avoid their activities from being monitored.
20. Configure applications against misuse: Prevent your network from being used to perpetrate toll fraud, phishing scams, and illegal calls by preparing a list of permitted caller destinations.
21. Add endpoint security layers: Use network admission techniques and IEEE 802.1X port-based network access controls to keep out devices that are not authorized on your LAN or WLAN. Network Access Control (NAC) applications are available from Cisco – Network Admission Control (NAC), Microsoft – Network Access Protection (NAP), and TCG – Trusted Network Connect (TNC).
22. Restrict access according to certain criteria: VoIP network administrators can set up strict admission criteria to prevent access to devices that are potentially unsafe – when they are found to be infected with viruses or worms, when they do not have the latest patches, or when they do not have the right firewalls. These devices can be redirected to a disparate network that makes them compliant and then lets them onto the main network.
23. Avoid remote management: If possible, it is better to stay away from remote management and audits; but when necessary, use Secure Shell (SSH) or IPsec (IP Security) for the purpose. Access your IP PBX from a system that’s physically secure.
24. Use IPsec tunneling rather than IPsec transport: Tunneling and transport are two different encryption modes that support secure exchange of packets at the IP layer. The use of IPsec transport encrypts only the data while hiding the source and destination IP addresses. This prevents administrators from finding out who initiated the call when they analyze traffic.
25. Secure your VoIP platform: VoIP platforms that support the clients are built on operating systems that should be “hardened” to protect the integrity of the networks that run on it and keep out cyber attacks. Disable services that are not absolutely necessary and use host-based methods to detect intrusion.
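As an added example (not part of the original article), the log review that items 2 and 20 call for, written in Python: it walks a small constructed call/authentication log and flags calls to destinations outside a permitted-country list (toll fraud), repeated logon failures from one source (brute force), and off-peak call surges (voice spam). The log format, country table and thresholds are assumptions made for this example.

```python
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample log (not real traffic). One event per line, pipe-separated:
#   CALL|timestamp|calling_extension|dialled_number|duration_seconds
#   AUTH|timestamp|source_ip|username|OK-or-FAIL
SAMPLE_LOG = """\
CALL|2009-02-17 10:12:03|1001|+14155550100|120
CALL|2009-02-17 10:45:11|1002|+442079460000|300
CALL|2009-02-17 02:14:30|1003|+25290000001|900
CALL|2009-02-17 02:15:02|1003|+25290000002|870
CALL|2009-02-17 02:16:40|1003|+25290000003|910
CALL|2009-02-17 02:18:05|1003|+25290000004|880
AUTH|2009-02-17 03:00:01|198.51.100.7|1001|FAIL
AUTH|2009-02-17 03:00:02|198.51.100.7|1002|FAIL
AUTH|2009-02-17 03:00:03|198.51.100.7|1003|FAIL
AUTH|2009-02-17 03:00:04|198.51.100.7|admin|FAIL
AUTH|2009-02-17 03:00:05|198.51.100.7|root|FAIL
AUTH|2009-02-17 03:00:06|198.51.100.7|test|FAIL
AUTH|2009-02-17 09:00:00|192.0.2.10|1002|OK
"""

# Policy knobs (constructed for this example): the country codes the
# organisation has ties with, local business hours, and alert thresholds.
KNOWN_COUNTRY_CODES = ("252", "44", "91", "1")   # longest prefix first
ALLOWED_COUNTRY_CODES = {"1", "44"}
BUSINESS_HOURS = range(8, 19)                     # 08:00 to 18:59
AUTH_FAIL_THRESHOLD = 5
OFFPEAK_CALLS_PER_HOUR_THRESHOLD = 3


def parse_log(text):
    """Turn the pipe-separated lines into event dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        fields = line.strip().split("|")
        if len(fields) < 5:
            continue
        ts = datetime.strptime(fields[1], "%Y-%m-%d %H:%M:%S")
        if fields[0] == "CALL":
            events.append({"kind": "CALL", "ts": ts, "caller": fields[2],
                           "dest": fields[3], "duration": int(fields[4])})
        elif fields[0] == "AUTH":
            events.append({"kind": "AUTH", "ts": ts, "src": fields[2],
                           "user": fields[3], "result": fields[4]})
    return events


def country_code(number):
    """Longest-prefix match of an E.164 number against the known codes."""
    digits = number.lstrip("+")
    for code in KNOWN_COUNTRY_CODES:
        if digits.startswith(code):
            return code
    return None


def find_toll_fraud(events):
    """Calls to countries outside the allow-list; off-hours calls are marked."""
    alerts = []
    for ev in events:
        if ev["kind"] != "CALL":
            continue
        code = country_code(ev["dest"])
        if code in ALLOWED_COUNTRY_CODES:
            continue
        alerts.append({"caller": ev["caller"], "dest": ev["dest"],
                       "country_code": code,
                       "off_hours": ev["ts"].hour not in BUSINESS_HOURS})
    return alerts


def find_brute_force(events):
    """Sources with at least AUTH_FAIL_THRESHOLD failed logons, worst first."""
    fails = Counter(ev["src"] for ev in events
                    if ev["kind"] == "AUTH" and ev["result"] == "FAIL")
    return sorted(((src, n) for src, n in fails.items()
                   if n >= AUTH_FAIL_THRESHOLD), key=lambda x: -x[1])


def find_offpeak_surge(events):
    """Off-peak hours whose call count exceeds the threshold (voice spam)."""
    per_hour = defaultdict(int)
    for ev in events:
        if ev["kind"] == "CALL" and ev["ts"].hour not in BUSINESS_HOURS:
            per_hour[ev["ts"].strftime("%Y-%m-%d %H:00")] += 1
    return sorted((h, n) for h, n in per_hour.items()
                  if n > OFFPEAK_CALLS_PER_HOUR_THRESHOLD)


def analyze(text):
    """Run all three checks over a log and return the alerts by category."""
    events = parse_log(text)
    return {"toll_fraud": find_toll_fraud(events),
            "brute_force": find_brute_force(events),
            "offpeak_surge": find_offpeak_surge(events)}


if __name__ == "__main__":
    for category, alerts in analyze(SAMPLE_LOG).items():
        print(f"{category}: {len(alerts)} alert(s)")
        for alert in alerts:
            print("   ", alert)
```

On the sample log the four night-time calls to a country not on the list produce toll-fraud alerts and also count as an off-peak surge, while the six failures from one address trip the brute-force threshold.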

Securing a VoIP network is an uphill task, especially when you consider the lack of standards and procedures in place. How secure a network is depends on the right choice of both hardware and software. Without a doubt, VoIP communications can be made more secure and reliable than regular PSTN interactions if the appropriate security measures are in place. So get out there and make the changes to your own networks…

Source: http://www.voiplowdown.com/2006/12/voip_security_c.html

Category: Uncategorized


[Repost] Analysis of 802.1x authentication technology and recommendations for its application (2007-01-30 13:06:27)

January 30, 2007

I. Technical background

Ethernet’s high price-performance ratio and media independence have gradually made it the dominant access technology for homes, enterprise LANs and carrier-grade metropolitan area networks, and with the arrival of 10G Ethernet it will also win a place in the wide area network. Telecom operators and broadband access providers have begun offering Ethernet-based or pure-Ethernet access services, but for most services on an Ethernet network the operator cannot physically control the customer-premises equipment or the medium. To make broadband services operable and manageable, the operator must control users or user devices logically. That control is achieved mainly by authenticating and authorizing users and user devices. In general, the service types that require authentication and authorization include:

1. Metro Ethernet services offered to multi-user systems, including typical TLS services and L2 or L3 VPNs, where the customer-facing switch is shared by multiple users in the same building;

2. Hotspot areas such as airports, shopping malls, schools and restaurants where wireless Ethernet access is provided over IEEE 802.11a and IEEE 802.11b, where access authentication must be performed per user device or per user to keep unauthorized users out;

3. xDSL services based on ATM RFC 1483, and IP Ethernet access networks;

4. Services such as EPON access based on EFM (Ethernet in the First Mile, IEEE 802.3ah) and EoVDSL;

5. Shared-RF-channel access based on Ethernet over cable.

II. Requirements analysis of user access authentication for carrier-grade IP broadband networks

As Ethernet-based services become ever more widespread, there is an urgent need for an access authentication technology that suits the multi-service requirements of Ethernet, preserves the flexibility and scalability of Ethernet access, guarantees the security of Ethernet access, and supports the operator’s control and management of access users.

Combining Ethernet technology with access authentication requires network access control to fulfil the following functions.

1. Network access control is independent of the type of service the network provides: whether wired access, wireless access or any other form of public Ethernet access, a single universal access authentication solution is used;

2. Carrier-grade IP access networks require strict control and management of users, including controlling user access to the network and identifying users;

3. The user faces a single authentication interface and can roam among multiple network access services;

4. Support for emerging services is also an important factor when choosing an authentication technology; the technology must guarantee support for new services within the existing authentication framework;

5. For the operator, a universal authentication solution simplifies security management of remote-access VPNs and extends the scope of user authentication into the LAN;

6. An authentication technology that meets the access control needs of carrier-grade IP broadband networks will simplify the architecture of the operator’s network authentication, cut training and maintenance expenses, and reduce operating costs.

According to the Internet layered model, network access authentication and authorization of users or devices can be performed at any protocol layer. Whether judged by the changes required to existing equipment, multi-protocol support, network security or network control capability, link-layer authentication stands out, and speed, simplicity and low cost are further advantages. Most link-layer protocols, such as PPP and IEEE 802, can support link-layer authentication. Before authentication the client does not need to locate a server or obtain an IP address. The network access device needs only limited layer-3 functionality and can easily be combined with AAA, providing rich and flexible authentication methods and billing mechanisms. In a multi-protocol environment, link-layer authentication is completely transparent to upper-layer applications, which means it is compatible with new network-layer protocols such as IPv6. Link-layer authentication processing reduces the delay in handling authentication packets, safeguarding quality of service for critical applications.

III. Technical analysis of the IEEE 802.1x protocol

Recognizing the many shortcomings of PPPoE for access control in pure Ethernet environments, IEEE formally published the IEEE 802.1x standard in 2001 for user/device access authentication on Ethernet-based LANs, MANs and various broadband access technologies. The protocol originally assumed a switched Ethernet environment, but during standardization the authentication requirements of shared Ethernet environments such as 802.11b and cable access were also taken into account. 802.1x authentication uses Ethernet port-based user access control, which overcomes the many problems of PPPoE and avoids the huge investment of introducing centralized broadband access servers.

Building on conventional Ethernet equipment, port-based network access control using IEEE 802.1x provides the ability to authenticate and authorize port users on Ethernet-based point-to-point connections, bringing Ethernet equipment up to telecom operating requirements. An Extensible Authentication Protocol (EAP) agent is placed on the user-side Ethernet switch, and the user’s PC runs EAPoL (EAP over LAN) client software to communicate with the switch. The basic idea of port-based network access is that the network system controls the Ethernet ports facing end users, so that only users permitted and authorized by the network system can access its services (such as Ethernet connectivity, network-layer routing and Internet access).

802.1x is a client/server-based access control and authentication protocol. It can prevent unauthorized users/devices from accessing the LAN/MAN through an access port. Before granting the services offered by the switch or LAN, 802.1x authenticates the user/device connected to the switch port. Until authentication succeeds, 802.1x allows only EAPoL (EAP over LAN) traffic through the switch port the device is connected to; once authentication succeeds, normal data passes freely through the Ethernet port.

The core of the network access technology is the PAE (Port Access Entity). In the access control flow there are three kinds of port access entity: the authenticator – the port that authenticates the connecting user/device; the supplicant – the user/device being authenticated; and the authentication server – the device that actually performs authentication of the user/device requesting network resources, based on the information from the authenticator.

Each physical Ethernet port is divided into two logical ports, a controlled port and an uncontrolled port, and every frame received on the physical port is delivered to both. Access through the controlled port is subject to the controlled port’s authorization state. The authenticator’s PAE sets the controlled port to the authorized or unauthorized state according to the result of the authentication server’s authentication process. A controlled port in the unauthorized state refuses access to the user/device.

1. Characteristics of 802.1x authentication

The port-based 802.1x protocol has the following characteristics:

– IEEE 802.1x is a layer-2 protocol that does not need to reach layer 3, places modest demands on overall device performance, and can effectively lower network construction cost;
– it borrows EAP (Extensible Authentication Protocol), commonly used in RAS systems, which gives good extensibility and adaptability and compatibility with the traditional PPP authentication architecture;
– the 802.1x authentication architecture uses the logical functions of a “controlled port” and an “uncontrolled port”, separating services from authentication: RADIUS and the switch jointly authenticate and control the user through the uncontrolled logical port, while service frames are carried directly in normal layer-2 frames and switched through the controlled port, so that packets after authentication are pure data packets without any encapsulation;
– existing back-end authentication systems can be reused to lower deployment cost, and rich service support is available;
– different user authentication levels can be mapped to different VLANs;
– switch ports and wireless LANs gain secure authenticated access.

2. Characteristics of 802.1x application environments

(1) Switched Ethernet environment

In a switched Ethernet network the user and the network are connected by a point-to-point physical link and users are isolated from one another by VLANs. In this environment the key to network management and control is user access control, and 802.1x need not provide many additional security mechanisms.

(2) Shared network environment

When 802.1x is applied in a shared network environment, the PAE must be extended from the physical port to multiple mutually independent logical ports in order to prevent “piggybacking”-type problems. Logical ports correspond one-to-one with users/devices, and the authentication process and result of each logical port are independent of the others. In a shared network, users share the physical access medium, so management and control of network access must cover both user access control and user data security; the available security measure is to encrypt and encapsulate EAPoL and the user’s other data. In real networks, shortening the WEP key redistribution cycle can compensate for the security weakness of statically assigned WEP keys.

3. Security analysis of 802.1x authentication

Security has always been the focus of attacks by opponents of 802.1x. Indeed, the question troubled 802.1x for a long time and even limited its adoption. But technical development has provided an answer: 802.1x combined with EAP can offer flexible and diverse authentication solutions.

Like PPP, IEEE 802.1x uses EAP as the mechanism for exchanging authentication information, with EAP messages encapsulated in EAPOL frames. As a carrier for authentication messages, EAP lets the authenticator and supplicant authenticate with a flexible choice of schemes, and it accommodates more advanced authentication technologies that appear in future. These properties are achieved mainly by extending the vendor-defined “EAP type” field; the authentication types defined in that field can meet the security needs of authentication at different levels. EAP types currently available include LEAP, PEAP, EAP-MD5 and EAP-TTLS. The different levels of EAP authentication are shown in Figure 1.

Figure 1. EAP authentication at different levels

4. Advantages of 802.1x authentication

Taking the technical characteristics of IEEE 802.1x together, its advantages can be summarized as follows.

Simple and efficient: a pure Ethernet core preserves the connectionless nature of IP networks, needs no multi-layer encapsulation between protocols, and removes unnecessary overhead and redundancy; it eliminates the network authentication and billing bottleneck and single point of failure, and easily supports multiple services and emerging streaming-media services.

Easy to implement: it can be implemented on ordinary L3 and L2 switches and IP DSLAMs, keeps overall network cost low, preserves the traditional AAA authentication architecture, and can use existing RADIUS equipment.

Secure and reliable: user authentication is performed at layer 2, combined with MAC, port, account, VLAN and password binding, which provides a high level of security; in wireless LAN environments 802.1x combined with EAP-TLS or EAP-TTLS can dynamically distribute WEP keys, closing the security holes of wireless LAN access.

Industry standard: an IEEE standard with the same origin as the Ethernet standards, it integrates seamlessly with Ethernet technology, and almost all mainstream data equipment vendors support the protocol on their routers, switches and wireless APs. On the client side, Microsoft Windows XP has built-in support and Linux also supports the protocol.

Flexible application: the granularity of authentication can be controlled flexibly, authenticating individual user connections, user IDs or access devices, and the levels of authentication can be combined freely to meet the needs of a particular access technology or service.

Easy to operate: control flow and service flow are completely separated, making cross-platform multi-service operation easy; traditional flat-rate, single-tariff networks can be upgraded to carrier-grade networks with little modification, and network operating costs are expected to fall.

IV. Recommendations for applying 802.1x in carrier-grade IP broadband networks

Figure 2. Overall architecture of 802.1x authentication in a carrier-grade broadband network

Figure 2 shows the overall architecture for applying 802.1x authentication in a carrier-grade broadband network. Based on the analysis above of the technical characteristics and advantages of 802.1x, the author believes the following strategies can be adopted when applying 802.1x in carrier-grade networks:

1. Use WLAN as the entry point

The application of 802.1x authentication in carrier-grade broadband networks should start with WLAN. From the outset, 802.1x involved substantial research and exploration into providing authentication for WLAN; the period of large-scale WLAN deployment coincided roughly with the emergence of the 802.1x standard, and today most vendors’ WLAN AP equipment supports 802.1x authentication. Technically, WLAN is a shared Ethernet access network whose security problems and user control are harder to solve than those of wired Ethernet access. New services and applications based on WLAN and 3G mobile networks keep appearing, especially applications based on multicast, and the existing PPPoE authentication has obvious weaknesses in supporting them, so a new authentication technology is urgently needed to keep up with service development. And as a new application on the broadband network, WLAN carries no historical baggage for the operator, who is not constrained by existing network conditions in network construction and equipment selection. For all these reasons WLAN is the vanguard for applying 802.1x technology.

2. Authentication at the edge, distributed

Authentication at the edge makes full use of 802.1x’s port-based advantage. Edge authentication means placing the authentication device in the network directly at the interface with the user device/network. An edge authentication device can sense and monitor the link state between itself and the user device and, as the link state changes, apply the corresponding policy and proactively require the user/device to authenticate. The ability to sense link state is also the basis for the operator’s network fault detection and operations and maintenance work; one can say that authentication at the edge solves the difficult problems of line maintenance and fault diagnosis in broadband access networks. Users can be isolated on the local access segment, without isolating users across the entire layer-2 network between user and access authentication server as centralized authentication requires, which reduces the VLAN complexity on switches and makes traffic planning, management and control easier. Edge authentication means distributed authentication devices, avoiding the network performance and reliability bottleneck of centralized PPPoE authentication.

3. Centralized user management

Although 802.1x uses distributed authentication, centralized user management is still recommended. Centralized user management covers both wired and wireless access users. On one hand, centralized authentication is easy to manage and maintain and keeps user information consistent within a single management domain; on the other, centralized, unified user management is a prerequisite for roaming between user accounts across different access methods, and gives users a uniform interface when switching between networks or access types. PPPoE authentication also uses centralized user management; by upgrading existing RADIUS equipment, 802.1x can fully inherit the PPPoE authentication system, avoiding large-scale changes to the network structure and making engineering straightforward.

4. Multi-service access that respects each network technology’s characteristics

802.1x is part of the IEEE Ethernet protocol family and covers WLAN, xDSL, Cat 5 cabling, cable, EPON and other pure-Ethernet or Ethernet-based multi-service access methods. Take xDSL as an example: on one hand, pure-Ethernet xDSL access such as EoVDSL has appeared; on the other, in ATM-based xDSL the arrival of the IP DSLAM and the demand for layer-3 routing functions make 802.1x the best choice. Note that switched and shared Ethernet networks have different technical characteristics, and both must be considered when applying 802.1x.

5. Gradually replace PPPoE

802.1x represents the development trend of carrier-grade broadband networks: separation of authentication from services, and multi-service support. The shortcomings of PPPoE condemn it to a transitional role; in fact PPPoE was originally applied to broadband access authentication as an expedient. But replacing PPPoE with 802.1x is a gradual process, and the current state of the network must be taken into account; the main problem is that building-corridor switches are simple devices that do not support 802.1x. Two approaches can be considered: option one, upgrade the software of the corridor switches so they support 802.1x; option two, modify the 802.1x protocol so that EAP can be carried over VLANs, perform 802.1x authentication on the aggregation switch, and have the downstream layer-2 switches isolate users with VLANs. Ultimately, edge authentication requires that the user-facing access device manage and control user access directly, so option two can serve as a transition toward the target network.

V. Problems and development trends of authentication technology in carrier-grade IP broadband networks

As 802.1x is applied more widely and deeply in Ethernet-based carrier-grade access networks, some immature and incomplete aspects of the protocol, and mismatches with existing network environments, have also been exposed, mainly in the granularity of authentication port control. More flexible control of authentication port granularity will be the development trend of 802.1x.

802.1x-based authentication should provide flexible port control. The “port” here is a broad logical concept rather than just a physical port: it encompasses physical ports, MAC addresses, VLANs and other identifiers of a user or user group. The form of port used for control can be chosen flexibly according to the application, the service requirements and the type of user, effectively solving the user security and user authentication problems encountered in operation.

VI. Conclusion

As Ethernet technology is used ever more widely in broadband networks, services based on Ethernet have emerged and become the main body of broadband network services. In broadband access, pure Ethernet or Ethernet-related access technologies have become the major trend in access network development, and control and management are generally achieved by controlling, authenticating and authorizing network access. As part of the IEEE protocol family, 802.1x provides a port-based access control mechanism in Ethernet environments that separates authentication from services and is highly flexible and adaptable. Compared with the widely deployed PPPoE solution, 802.1x not only has natural compatibility with Ethernet but also excellent multi-service support and diverse accounting capabilities. 802.1x still has some shortcomings when applied to carrier-grade broadband networks, but as it matures, 802.1x and the 802.1aa protocol will become an indispensable part of carrier-grade broadband networks.

Original article: http://www.cww.net.cn/Technique/Article.asp?id=16208

Category: Security

[Repost] Application analysis of 802.1x-based authentication technology (zz) (2007-01-30 13:03:01)

January 30, 2007

I. Introduction

The 802.1x protocol originated from 802.11, the IEEE wireless LAN protocol; 802.1x was initially drafted to solve the access authentication problem of wireless LAN users. A LAN as defined by the IEEE 802 LAN protocols provides no access authentication: as long as a user can connect to a LAN control device (such as a LAN switch), they can access the devices and resources on the LAN. In the early wired enterprise LAN environment this posed no obvious security risk.

With the large-scale growth of mobile office work and residential-network operation, service providers need to control and configure user access. Particularly as WLAN and LAN access are rolled out at scale on telecom networks, ports must be controlled to achieve user-level access control; 802.1x is the standard IEEE defined for port-based network access control (Port-Based Network Access Control).

II. The 802.1x authentication architecture

802.1x is a port-based authentication protocol, a method and policy for authenticating users. A port can be a physical port or a logical port (such as a VLAN); for a wireless LAN, a port is a channel. The ultimate goal of 802.1x authentication is to determine whether a port may be used. If authentication succeeds the port is “opened” and all frames may pass; if it fails the port stays “closed”, allowing only 802.1x authentication protocol frames through.

The 802.1x architecture is shown in Figure 1. It consists of three parts: the supplicant system, the authenticator system and the authentication server system:


Figure 1 The 802.1x authentication architecture

1. Supplicant system

The supplicant is the entity at one end of a LAN link that is authenticated by the authenticator system connected to the other end of that link. The supplicant is usually a user terminal device that supports 802.1x authentication; the user initiates 802.1x authentication by starting client software. In the rest of this article "supplicant" and "client" mean the same thing.

2. Authenticator system

The authenticator system authenticates the supplicant connected to the other end of the link. The authenticator is usually a network device that supports the 802.1x protocol; it provides a service port for the supplicant, which may be a physical or a logical port. 802.1x authentication is generally implemented on the user access device (such as a LAN Switch or AP). In the rest of this article "authenticator system", "authentication point" and "access device" mean the same thing.

3. Authentication server system

The authentication server is the entity that provides authentication services to the authenticator system; a RADIUS server is recommended to implement the authentication and authorization functions of the authentication server.

Between the supplicant and the authenticator runs the EAPOL (Extensible Authentication Protocol over LAN) protocol defined by 802.1x. When the authenticator works in relay mode, EAP also runs between the authenticator and the authentication server: the authentication data is encapsulated in EAP frames, and EAP is carried inside another higher-layer protocol (such as RADIUS) so that it can traverse a complex network to reach the authentication server. When the authenticator works in termination mode, it terminates the EAPOL messages and converts them into another authentication protocol (such as RADIUS) to pass the user's authentication information to the authentication server system.

Each physical port of the authenticator contains a controlled port and an uncontrolled port. The uncontrolled port is always bidirectionally connected and is used mainly to carry EAPOL frames, guaranteeing that EAPOL authentication frames from the supplicant can be received at any time; the controlled port is opened only once authentication has passed and is used to carry network resources and services.

III. The 802.1x authentication flow

An 802.1x-based authentication system transports authentication information between the client and the authenticator using EAP encapsulated in EAPOL format, and between the authenticator and the authentication server using the RADIUS protocol. Thanks to the extensibility of EAP, an EAP-based authentication system can use many different authentication algorithms, such as EAP-MD5, EAP-TLS, EAP-SIM, EAP-TTLS and EAP-AKA.

EAP-MD5 is used here as the example for describing the 802.1x authentication flow. EAP-MD5 is a one-way authentication mechanism: it lets the network authenticate the user, but the process does not support generating encryption keys. The protocol stack of the functional entities of an EAP-MD5-based 802.1x authentication system is shown in Figure 2, and the EAP-MD5-based 802.1x authentication flow is shown in Figure 3. The flow consists of the following steps:


Figure 2 Protocol stack of the functional entities of an EAP-MD5-based 802.1x authentication system


Figure 3 EAP-MD5-based 802.1x authentication flow

(1) The client sends an EAPoL-Start frame to the access device to begin 802.1x authentication;

(2) The access device sends an EAP-Request/Identity frame to the client, asking the client to supply its username;

(3) The client answers the access device's request with an EAP-Response/Identity containing the username;

(4) The access device encapsulates the EAP-Response/Identity frame in a RADIUS Access-Request packet and sends it to the authentication server;

(5) The authentication server generates a Challenge and sends a RADIUS Access-Challenge packet, containing an EAP-Request/MD5-Challenge, to the client via the access device;

(6) The access device forwards the EAP-Request/MD5-Challenge to the client, asking the client to authenticate;

(7) On receiving the EAP-Request/MD5-Challenge frame, the client runs MD5 over the password and the Challenge to produce the Challenged-Password and returns it to the access device in an EAP-Response/MD5-Challenge;

(8) The access device sends the Challenge, the Challenged-Password and the username together to the RADIUS server, which performs the authentication;

(9) The RADIUS server runs MD5 using the user's stored information, decides whether the user is legitimate, and replies to the access device with an authentication success or failure packet. On success the reply carries the negotiated parameters and the user's service attributes to authorize the user; on failure the flow ends here;

(10) If authentication passes, the user obtains the planned IP address through the access device via the standard DHCP protocol (possibly via DHCP Relay);

(11) If authentication passes, the access device sends an accounting-start request to the RADIUS user authentication server;

(12) The RADIUS user authentication server replies to the accounting-start request. The user is now online.
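As an added example, not part of the original article, the following Python script plays both sides of steps (5) to (9): the server issues an EAP-Request/MD5-Challenge, the client answers with the Challenged-Password, and the server recomputes and compares it. The frame layout and the MD5(Identifier || password || Challenge) computation follow RFC 3748 and RFC 1994 (CHAP); the 16-byte challenge length, the usernames and passwords are constructed values, and no session key is produced, which is exactly the limitation of EAP-MD5 noted above.

```python
import hashlib
import hmac
import os
import struct

# EAP Codes and the MD5-Challenge Type from RFC 3748; the packet layout is
# Code, Identifier, Length, Type, Value-Size, Value, Name.
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
EAP_TYPE_MD5_CHALLENGE = 4


def eap_md5_packet(code, identifier, value, name=b""):
    """Encode an EAP-Request/Response of Type MD5-Challenge."""
    body = bytes([EAP_TYPE_MD5_CHALLENGE, len(value)]) + value + name
    return struct.pack("!BBH", code, identifier, 4 + len(body)) + body


def parse_eap_md5(packet):
    """Decode a packet into (code, identifier, value, name), checking Length and Type."""
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or packet[4] != EAP_TYPE_MD5_CHALLENGE:
        raise ValueError("not a well-formed EAP MD5-Challenge packet")
    size = packet[5]
    return code, identifier, packet[6:6 + size], packet[6 + size:]


def md5_response_value(identifier, password, challenge):
    """Step (7): as in CHAP (RFC 1994), MD5(Identifier || password || Challenge)."""
    return hashlib.md5(bytes([identifier]) + password + challenge).digest()


def run_exchange(username, client_password, user_db, identifier=7, challenge=None):
    """Play both sides of steps (5)-(9); return (authenticated, EAP code replied)."""
    # Step (5): the server draws a fresh random Challenge (16 bytes is a constructed
    # choice) and sends EAP-Request/MD5-Challenge through the access device.
    challenge = challenge or os.urandom(16)
    request = eap_md5_packet(EAP_REQUEST, identifier, challenge)
    # Steps (6)-(7): the client parses the request and answers with the hashed
    # Challenged-Password and its username in the Name field; the password itself
    # never goes on the wire.
    _, req_id, req_challenge, _ = parse_eap_md5(request)
    response = eap_md5_packet(EAP_RESPONSE, req_id,
                              md5_response_value(req_id, client_password, req_challenge),
                              username.encode())
    # Steps (8)-(9): the server recomputes the value from the password stored for that
    # username, compares in constant time, and replies Success or Failure.
    _, resp_id, value, name = parse_eap_md5(response)
    stored = user_db.get(name.decode())
    ok = stored is not None and hmac.compare_digest(
        value, md5_response_value(resp_id, stored, challenge))
    return ok, (EAP_SUCCESS if ok else EAP_FAILURE)
```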

IV. 802.1x authentication network deployments

Depending on the network topology, 802.1x authentication can use a centralized deployment (centralized authentication on aggregation-layer devices), a distributed deployment (distributed authentication on access-layer devices) or a local authentication deployment. The network position at which the 802.1x authentication system is implemented differs between these deployments.

1. 802.1x centralized deployment (centralized authentication on aggregation-layer devices)

In the centralized 802.1x deployment, the 802.1x authenticator side is placed on LAN Switch devices higher up in the network, which are aggregation-layer devices. The lower-positioned LAN Switches hanging below them simply pass the authentication frames transparently up to the higher LAN Switch acting as the 802.1x authenticator, where 802.1x authentication is processed centrally. The advantage of this deployment is that 802.1x is managed centrally, lowering management and maintenance costs. Centralized authentication on aggregation-layer devices is shown in Figure 4.


Figure 4 802.1x centralized deployment (centralized authentication on aggregation-layer devices)

2. 802.1x distributed deployment (distributed authentication on access-layer devices)

In the distributed 802.1x deployment, the 802.1x authenticator side is placed on multiple LAN Switch devices lower in the network, which act as access-layer edge devices. Authentication frames are sent to the edge device, where 802.1x authentication is processed. The advantage of this deployment is that it combines authentication on mid/high-end devices with authentication on low-end devices and can satisfy authentication needs in complex network environments. Authentication tasks are spread across many devices, reducing the load on the central device. Distributed authentication on access-layer devices is shown in Figure 5.

Figure 5 802.1x distributed deployment (distributed authentication on access-layer devices)

The distributed 802.1x deployment is well suited to features such as controlled multicast, and a distributed deployment is recommended for authenticating controlled multicast services. If a centralized deployment places the controlled-multicast authenticator on the aggregation device, then once the downstream flow from the multicast server reaches the aggregation device, the authenticator cannot distinguish individual end users because access-layer devices still hang below it; if the controlled port is opened, every user below that aggregation-layer port can reach the controlled multicast source. Conversely, in a distributed deployment the multicast flow from the multicast server reaches the authenticator at the access layer, where multicast membership can be controlled at fine granularity.

3. 802.1x local authentication deployment

802.1x AAA authentication can be performed locally rather than on a remote authentication server. This local authentication deployment is very suitable for leased-line users or small-scale environments. Its advantage is cost savings, since no expensive dedicated server needs to be purchased; but as the number of users grows, migration from local authentication to RADIUS authentication will still be needed.

V. Closing remarks

The 802.1x authentication system provides a means of user access authentication that is concerned only with opening and closing ports. When a legitimate user (according to account and password) connects, the port is opened; when an illegitimate user connects, or no user is connected, the port is kept closed. The result of authentication is a change of port state; it does not involve the IP address negotiation and assignment that other authentication technologies deal with, making it the simplest implementation among authentication technologies.

Note that the operating granularity of 802.1x authentication is the port: once a legitimate user has connected to a port, the port stays open, and any other user (legitimate or not) who then connects through that port can access network resources without authentication. For wireless LAN access, the channel (port) established after authentication is used exclusively, so there is no problem of other users using it illegitimately. But if 802.1x authentication is applied to a broadband IP metropolitan area network, the problem arises that once the port is opened, other users (legitimate or not) can connect freely and are hard to control. Therefore, in an operable, manageable broadband IP MAN, how this authentication technology is used still requires careful analysis of the suitable scenarios, and the possibility of combining it with other bound information for authentication should be considered.

Original source: http://lzueclipse.bokee.com/5054911.html

When the international fiber cable broke, MSN Spaces' weaknesses showed too (2007-01-29 11:50:33)

January 29, 2007

For a while now, ever since the international fiber cable broke, MSN login hasn't been working properly and MSN Spaces has been extremely hard to reach, so I haven't been able to update. I really need to think about moving somewhere else, but I still quite like this Windows Live Writer, and I don't know which blog server has good tool support and decent access speed. I'll look around first.

Category: Uncategorized

"Sneak into the village quietly, no shooting" -- Good practice for building endpoint security at carriers (2006-12-07 12:23:53)

December 7, 2006

At the 2006 Telecom Industry Network and Information Security Management Summit, I put forward one core idea about building endpoint security at carriers: the construction of an endpoint security system must fully consider the impact the system may have on end users, must minimize that impact, and ideally should protect the network without affecting existing users at all. In a vivid phrase, "sneak into the village quietly, no shooting": the endpoint security system is fully built, and protecting the whole network well, before end users have any direct perception of it. This rests mainly on the following considerations:

1. Large number of endpoints. Carrier systems have a great many endpoints in use, of extremely diverse types, deployed across all kinds of regions and covering a very wide range; solving every endpoint problem at once is extremely difficult, so it is easier to start with basic problems and those that are easy to control.

2. Diverse endpoint types. Carrier networks currently contain many endpoint types: not only the mainstream Windows 2000/XP systems but also Windows NT/2003/98..., plus many different kinds of Linux. It is hard to solve the security problems of every endpoint type with a single uniform approach; existing agent-based technologies struggle to support so many endpoint types at once, and the range they directly support is limited.

3. Diverse endpoint purposes. Carrier networks contain endpoints serving many different purposes: business endpoints, production endpoints, office endpoints, customer-service endpoints, partner endpoints, remote endpoints, mobile endpoints... Each type has its own specific needs, and the skill and awareness of the people using each type also differ, which inevitably constrains endpoint security solutions and requires them to consider the security needs of these different endpoint types as a whole.

4. Security management is hard to enforce. Restricting endpoint access or preventing endpoint security problems through management measures alone rarely works in a carrier organization, given the many departments involved, the large headcount and the wide differences in management awareness. This is well illustrated by how unimpressive the enforcement and monitoring results are even for simple restrictions on endpoints going online or on unauthorized lines being run for internet access.

5. The foundation for endpoint security management is weak. Because of the traditional security management system at carriers, endpoint security has long failed to receive effective attention, and some basic endpoint management problems still need to be solved. Endpoint asset management, for example, is a complex problem: in many provinces the inventory, management and maintenance of endpoint assets have not yet formed a sound system. The large amount of foundational endpoint management work requires a long and arduous process and strong cooperation among departments at the execution level; once the scope grows too large, the project is very likely to be aborted or to underperform.

The problems and constraints carriers face, listed above, mean that building endpoint security management at a carrier is necessarily a long, arduous process that needs strong support from management. How to push this process forward effectively? How to ensure the system built is genuinely effective? How to ensure it achieves the best return on investment? These are questions every carrier must consider. One very effective approach is to proceed gradually, relying on demonstrated results to drive the later work and completing it through effective, phased engineering.

From actual deployment experience, the following items are foundational, necessary and effective:

1. Asset cleanup and inventory
The foundation of any endpoint security management work is accurate, well-kept endpoint asset management, and cleaning up and inventorying the current state of endpoint assets is the most basic work of all. This may be easy for other enterprises, but for a carrier it is rather complex and difficult: the huge number of endpoints, multiple phases of different projects, numerous business systems, different endpoint types, a mix of old and new endpoints, and so on all severely test the effective completion of this work. Yet as foundational work it must be done, and even if it is not done now it will have to be done someday. It is also purely management work; no software system or technology can fully replace people in completing it. Once it is completed, subsequent endpoint security management work will have a sound foundation and can be properly targeted.

2. Minimizing the perceived impact on end users
A major problem in building endpoint security management is the reaction of end users, including the effect on their convenience, their acceptance and their expectations; handled badly, these can very likely cause the project to fail. For instance, if the client software installed on endpoints conflicts with existing software, making the system unusable or even crashing it, this will inevitably hurt the rollout; if the endpoint security management software's own policies are too complex, users will simply not use it, will quietly uninstall it or will resist it outright. All of this undermines the results of the whole system and is a major risk of project failure. One effective practice is to avoid installing complex client software as far as possible, or even to install no client software at all, while still ensuring secure access and access control for endpoints.

3. Phased engineering
There are many endpoint security management technologies, and the management content and layers involved are numerous; expecting to solve all security problems and put all management measures in place at once is a risk that easily leads to failure. It is therefore good practice to pick problems that are easy to roll out, have minimal client impact, are simple to deploy and deliver results easily. Current experience suggests centralized asset management, centralized patch management and centralized unified access authentication are good choices, the most readily accepted and the most effective.

4. Management must be mandatory
For enterprise endpoint security management, mandatory measures are required to ensure the problems are effectively solved and results achieved. Take patch updates: relying entirely on individuals to apply patches themselves has proved a failure in carrier organizations. Antivirus software being uninstalled from large numbers of endpoints is also widespread. So to get good results, mandatory measures must be adopted.

5. Standards support
Whatever access solution is chosen, making good use of and adapting to existing equipment is a basic requirement. Take 802.1x support: the current mix of routers and switches from different vendors and of different models must be fully considered, and choosing a standards-based product, or one with multi-vendor support, to fit the existing network is undoubtedly a good solution.

6. Centralized management
If endpoint security management is to be put into practice, another key requirement is centralized management: centralized policy definition, distribution and monitoring. Only in this way can the security management policies of all endpoint systems be guaranteed to meet the carrier's requirements, and security management be implemented for each of the carrier's different endpoint regions.

The points above on endpoint security management are some humble views of mine. The basic idea they sum up is this: when implementing an endpoint security management project in a carrier network, simplify the management scope as much as possible at first, start with basic security work, then step up management measures progressively, and finally provide complete endpoint security management policies and measures. Only in this way can a carrier's endpoint security management be effective while avoiding major resistance. In other words, follow the core idea of "sneak into the village quietly, no shooting" as far as possible: once some basic security management work has been accepted by everyone, gradually deepen and strengthen management, gaining the greatest management results while avoiding excessive resistance that would hinder progress.

Category: telecomsecurity

Thoughts on carrier-specific security solutions (2006-11-29 15:12:52)

November 29, 2006

A couple of days ago I attended the 2nd 2006 Telecom Industry Network and Information Security Management Summit. During the discussion someone asked whether an information security solution unique to carriers could be offered, feeling that the information and content of the conference talks basically applied to non-carriers too and were not carrier-specific security solutions. I did not speak up at the venue: partly I wanted to hear everyone's views, and partly my thinking was not yet mature. I still want to record my current thoughts here for knowledgeable readers to consider.

I think carrier-specific security solutions exist in the following three areas (or from three angles):

1. Security of the switching network that traditional carriers alone operate.

2. Security of the externally operated data network.

3. Security of the internal support and bearer network.

I. Security of the switching network that traditional carriers alone operate

What distinguishes a carrier from other industries is that it operates a telephone (fixed or mobile) network; these networks are the carrier's core and a key thing that sets it apart from other enterprises. Telephone network security has been a headache for carriers ever since the early "phone phreaks". But with the development of stored-program control technology, the thin-terminal model has made security problems on the traditional telephone network relatively easy to control; the technical skill required is very high, and fewer and fewer people research it. That is not to say there are no security problems, only that they are relatively easy to control. On another level, because the control plane of today's program-controlled switches is handled by control and network-management terminals, the security of the network-management terminal is actually a rather large weak point. But with the introduction of new technologies such as 3G, the bearer of the program-controlled network is trending toward IP, and the development of NGN networks has accelerated this process, so switching-network security is increasingly, at root, a matter of IP network security.

II. Security of the externally operated data network

In fact, as part of the Internet, a telecom carrier's network is not essentially different from other networks. But the so-called security issues currently in focus on broadband networks, such as P2P, IM and bandwidth consumption, cause no substantive security harm or threat to the broadband network; they only affect the carrier's business. So I agree more with one attendee's remark: "doing business in the name of security". The consequence of user traffic on the data network is merely bandwidth consumption; to the user it is normal traffic, but it consumes a great deal of the broadband network's own bandwidth as well as egress bandwidth and concurrent connections. When carriers want to offer their own services, such as IPTV, this P2P traffic may prevent those services from showing any advantage, which is the real reason carriers are trying to block or divert P2P traffic. Likewise, the DDoS attacks seen on the data network do not in essence affect the data network itself; they affect the carrier's own services at the network edge or the services of edge users, and thus prevent the carrier from adequately guaranteeing the service quality of what the data network delivers. Setting these aside, the substantive security of the data network comes down to the security of its bearer equipment itself, and under current technical conditions that can only be guaranteed by the security measures the equipment provides. At least so far I have not seen any security device or measure that can truly be placed inline on such a high-bandwidth data network as a genuinely usable product; where they exist, they do out-of-band logging and analysis rather than real-time protection.

III. Security of the internal support and bearer network

A carrier's internal support and bearer network generally means the carrier's internal systems carried on the DCN: BSS, CSS, OSS, OA/MIS and so on. These systems are not essentially different from the business systems of large enterprises, and the security problems they face are basically the same. Where a carrier-specific solution exists, it arises from the carrier's own distinctive network topology and management model. For example, a carrier's endpoint problem is far more complex than other enterprises': there are business, maintenance, customer-service, office and partner endpoints, further divided into mobile and remote endpoints, distributed across different business regions and ownerships, with different using departments, purposes and access rights, and in very large numbers. Management, maintenance and security considerations are all more complex than at other enterprises, and any security solution must take these characteristics into account; from this angle it is fair to call such a solution carrier-specific.

I hope these thoughts serve to start the discussion, and I welcome criticism from those in the know!