My new blog at

January 30, 2007

Due to the publicly known reasons, this blog at has been not accessible at China for a long time till last Spring festival (Feb.2006). It’s very difficult for me to update and manage this blog, while most of my readers from mainland can not read it since then. So I decide move it to a new site with good performance.

Hope you guys can change your bookmark and RSS feeds. I am sorry for the unconvenience for this move. Thanks for the great pleasure WP community gave me.

A whitepaper on audit of SSH and RDP

November 14, 2006

BMST SAA startup at China, BMST, is exploring a new field in security audit by rolling out their ground-breaking product – Session-Auditor.  That’s good pitch in the hot compliance trends. Compared against those tradional host based audit systems and SPAN-sniffer like audit systems, SA can audit those encrypted protocols transparently, without necessity to install expensive agents at hosts. Another plus of this product is its built-in access control capability. That means you don’t need intranet firewalls to protect your mission critical servers from operation and administration terminals. Just use Session-Auditor.

More technical information are available at the new whitepaper at their website. Click here to download.

What Hamachi brings?

July 28, 2006

Bill recommended one “new” application to me. That’s Hamachi. It gave me a very complicated feeling.

It’s a wonderful software application, which provides us a virtual LAN over Internet. It’s a typical overlay network application, which makes use of P2P technology and has the capability to tranverse the NAT/FW enterprise perimeter. Additionally, it brings us an interesting function – Web Proxy:

Built-in Web proxy
An option to use Hamachi as a simple web proxy. This way your Hamachi peers may configure their Web browsers to access the Internet via your computer and therefore protect their Web traffic while it is in transition between you and them.

This feature is typically used for securing Web surfing from untrusted locations including cybercafes, coffee houses, hotels, etc

Obviously, founders of Hamachi have learned the lesson from Skype. They has done a lot of effort to open their protocols and algorithm in the identity, authentication, and communications among system components. That will be a door-knocker to those enterprise IT managers, because there must be growing security and system management software to support Hamachi, as long as Hamachi’s installation get enough base. According to their website, Hamachi has over 3,000,000 users at June 17, while this number was merely 2,000,000 in April, growing 50% in two months.

It’s a wonderful remote collaboration tool, as well as a virtual networking platform, particularly in the current booming broadband world.

At the other hand, the overspreading of such kind of softwares (for others, see, has been eroding and further eliminating the enterprises’ network perimeter, leading the compomise of security policy. It requires that firewalls and networking devices should support more and more layer-7 applications, in particular P2P overlay networking traffic. Morever, Traditional IDS and UTM won’t work in face of virtual LANs.

Let’s keep an eye on them together. See my comment in chinese.

UTM in China

June 22, 2006

In China, UTM (Unified Threats Management) has been rocketing in recent months, not only in the media, but also in the real market transactions. International vendors, such as Fortinet, Watchguard, Sonicwall, ZyXel, bomb the newspapers, journals and other soft-ad everyday, while Cisco, Juniper, Symantec, Securecomputing, McAfee and etc. keep talking on their vision of UTM directions. Of course, the prediction of IDC's report on UTM market that UTM will occupy 57.6% of total firewall, vpn, and anti-virus market share is one of the main stir and encouragement to the investment. Then, how is everything going about those local security vendors? Yes, they won't just stand by and watch the growth, instead they are deeply involved in this arena.

During the past 1-2 years, most of those major players in China security market have been brewing and rolling-out their UTM products. Kingsoft is one of the top three local anti-virus vendors in China(the other two is Rising and Jiangmin). Recently, they inked the agreement with xScreen on the UTM product OEM cooperation. In conjunction with their desktop antivirus/firewall/IDS, anti-virus gateway and server protection, no one would like to ignor their competition in the total security solution for SMB.

According to the UTM description by IDC, anti-virus is one basic function of UTM devices, ie. it's easier for those anti-virus vendors to turn to catch up UTM market. So it's an easy job to predict that Rising/Jiangmin/CA-JC won't wait long time to sell their UTM.

As to the UTM market, OEM is doomed to be a good choice for those vendors who want to break into this market. Because a single core technology within a UTM, such as firewall, VPN, IDS engine, and anti-virus engine, is a little bit overwhelming for an average vendor to develop from the much beginning. As a proof of my point, IDC's report list reflect the anti-virus engine OEMed in the major UTM products. So again it's easy to predict there are more and more vendors choose OEM to enhance their features and shorten the rolling-out time. It must leave such technology companies as xScreen a big space to make money and grow.

Go Security 2.0

May 10, 2006

When I try to dig "Security 2.0" via Google, only one noticeable hit was found from CSOonline by Sarah. Sarah summarized the convergence at security area, and regarded "Security 2.0" as integration, convergence, holistic security and so on. Sarah reported a case study from Constellation Energy Group on convergence of physical security and IT security, where they assigned a new role named Chief Risk Officer, directly under CEO, who is responsible for control of what ever risks which might hurt the enterprise to an acceptable level. That's very interesting and with deep insight. However, my vision of "Security 2.0" is somewhat different.

At least in China, based on the about ten years of security practice, I would like to define the following two stages of security management and technology we are living with so far.

  • Security 0.1: security came from anti-virus capability
  • Security 1.0: security is PDR (Protection -> Detection -> Response), where in most cases at China, PDR was explained as firewall (protection), IDS (detection) and security emergency response services (Response)

But I begin to feel the emerging of a new pulse and inspiration at the industry, which I didn't hasitate to call it "Security 2.0", where I hope to borrow some concepts and feelings from Web2.0. The representative and definitive features of "Security 2.0" include:

  • Security 2.0.1: focus changed to internal control and security protection of applications and data, rather than simple virus/intrusion detection and attacks.
  • Security 2.0.2: "holistic security" synergizing the AAAA(Account, Authentication, Authorization, and Audit), from just stack/heap of firewalls, IDSs and other single point stuff.
  • Security 2.0.3: emphasizing the perception and experience of those security managers and administrators, ie. the real effectiveness and efficiency. along with the implementation of technologies of data mining and correlation.

The key difference between Security 2.0 and previous stages lies at that the later focuses on the security information production and corresponding accuracy from those single point security elements, while the former turns to effective and efficient usage of those information to direct the real operations. Security 2.0 just develops itself on the shoulder of Security 1.0, instead of replacing them.

BTW, I am sorry I don't have time to translate other parts of this post from Chinese to English. If you are interested, please check the full version in Chinese.

Skype Unveiled – Silver Needle in the Skype

March 14, 2006

At recent Blackhat Europe, Philippe BIONDI and Fabrice DESCLAUX published their latest investigation on Skype titiled “Silver Needle in the Skype“. Previously a test by Network World studied the cryptography algorithm underneath Skype and drew a conclusion that Skype is security enough for end users.  Another whitepaper by Tom Berson expressed the similar viewpoint.  But, with heavy reverse engineering of Skype, Philippe and Fabrice investigated deeply how Skype operates and exchange information. The following is their conclusion:

Good points
      Skype was made by clever people
      Good use of cryptography
Bad points
      Hard to enforce a security policy with Skype
      Jams traffic, can’t be distinguished from data exfiltration
      Incompatible with traffic monitoring, IDS
      Impossible to protect from attacks (which would be obfuscated)
      Total blackbox. Lack of transparency.
      No way to know if there is/will be a backdoor
      Fully trusts anyone who speaks Skype.

I agree mostly to the author by my Top Ten Concern to Skype Security. 🙂

Netclarity’s VQS and FirewallBooster

February 27, 2006

Auditor is a vulnerability management product by Netclarity. It helps security administrators manage vulnerabilities based on its vul. database which is synchonized to CVE remotely. VQS and Firewallbooster are highlights of this product.

VQS(Vulnerability Quarantine System) is a sort of clientless (agentless) vulnerability management tech. It uses technology-mapping to identify the OS and applications of the target of protection. If some vulnerabilities of high priority are found, then it can notify the firewalls (or routers, swithces) to filter out the corresponding networking communication related to those vulnerabilities or even the whole host. Netclarity calls it "Firewallbooster" technology. Although "Firewallbooster" is policy based, I am afraid it will scare the administrators away by high "false positive", especially for those mission critical back-end servers.

Compared with CA's eTrust Vulnerability Manager, IMHO, Netclarity's Auditor doesn't provide any advantages to the customer at all, while it lacks auto inventory and built-in risk model.