My new blog at

January 30, 2007

Due to the publicly known reasons, this blog at has been not accessible at China for a long time till last Spring festival (Feb.2006). It’s very difficult for me to update and manage this blog, while most of my readers from mainland can not read it since then. So I decide move it to a new site with good performance.

Hope you guys can change your bookmark and RSS feeds. I am sorry for the unconvenience for this move. Thanks for the great pleasure WP community gave me.


What Hamachi brings?

July 28, 2006

Bill recommended one “new” application to me. That’s Hamachi. It gave me a very complicated feeling.

It’s a wonderful software application, which provides us a virtual LAN over Internet. It’s a typical overlay network application, which makes use of P2P technology and has the capability to tranverse the NAT/FW enterprise perimeter. Additionally, it brings us an interesting function – Web Proxy:

Built-in Web proxy
An option to use Hamachi as a simple web proxy. This way your Hamachi peers may configure their Web browsers to access the Internet via your computer and therefore protect their Web traffic while it is in transition between you and them.

This feature is typically used for securing Web surfing from untrusted locations including cybercafes, coffee houses, hotels, etc

Obviously, founders of Hamachi have learned the lesson from Skype. They has done a lot of effort to open their protocols and algorithm in the identity, authentication, and communications among system components. That will be a door-knocker to those enterprise IT managers, because there must be growing security and system management software to support Hamachi, as long as Hamachi’s installation get enough base. According to their website, Hamachi has over 3,000,000 users at June 17, while this number was merely 2,000,000 in April, growing 50% in two months.

It’s a wonderful remote collaboration tool, as well as a virtual networking platform, particularly in the current booming broadband world.

At the other hand, the overspreading of such kind of softwares (for others, see, has been eroding and further eliminating the enterprises’ network perimeter, leading the compomise of security policy. It requires that firewalls and networking devices should support more and more layer-7 applications, in particular P2P overlay networking traffic. Morever, Traditional IDS and UTM won’t work in face of virtual LANs.

Let’s keep an eye on them together. See my comment in chinese.

UTM in China

June 22, 2006

In China, UTM (Unified Threats Management) has been rocketing in recent months, not only in the media, but also in the real market transactions. International vendors, such as Fortinet, Watchguard, Sonicwall, ZyXel, bomb the newspapers, journals and other soft-ad everyday, while Cisco, Juniper, Symantec, Securecomputing, McAfee and etc. keep talking on their vision of UTM directions. Of course, the prediction of IDC's report on UTM market that UTM will occupy 57.6% of total firewall, vpn, and anti-virus market share is one of the main stir and encouragement to the investment. Then, how is everything going about those local security vendors? Yes, they won't just stand by and watch the growth, instead they are deeply involved in this arena.

During the past 1-2 years, most of those major players in China security market have been brewing and rolling-out their UTM products. Kingsoft is one of the top three local anti-virus vendors in China(the other two is Rising and Jiangmin). Recently, they inked the agreement with xScreen on the UTM product OEM cooperation. In conjunction with their desktop antivirus/firewall/IDS, anti-virus gateway and server protection, no one would like to ignor their competition in the total security solution for SMB.

According to the UTM description by IDC, anti-virus is one basic function of UTM devices, ie. it's easier for those anti-virus vendors to turn to catch up UTM market. So it's an easy job to predict that Rising/Jiangmin/CA-JC won't wait long time to sell their UTM.

As to the UTM market, OEM is doomed to be a good choice for those vendors who want to break into this market. Because a single core technology within a UTM, such as firewall, VPN, IDS engine, and anti-virus engine, is a little bit overwhelming for an average vendor to develop from the much beginning. As a proof of my point, IDC's report list reflect the anti-virus engine OEMed in the major UTM products. So again it's easy to predict there are more and more vendors choose OEM to enhance their features and shorten the rolling-out time. It must leave such technology companies as xScreen a big space to make money and grow.

Go Security 2.0

May 10, 2006

When I try to dig "Security 2.0" via Google, only one noticeable hit was found from CSOonline by Sarah. Sarah summarized the convergence at security area, and regarded "Security 2.0" as integration, convergence, holistic security and so on. Sarah reported a case study from Constellation Energy Group on convergence of physical security and IT security, where they assigned a new role named Chief Risk Officer, directly under CEO, who is responsible for control of what ever risks which might hurt the enterprise to an acceptable level. That's very interesting and with deep insight. However, my vision of "Security 2.0" is somewhat different.

At least in China, based on the about ten years of security practice, I would like to define the following two stages of security management and technology we are living with so far.

  • Security 0.1: security came from anti-virus capability
  • Security 1.0: security is PDR (Protection -> Detection -> Response), where in most cases at China, PDR was explained as firewall (protection), IDS (detection) and security emergency response services (Response)

But I begin to feel the emerging of a new pulse and inspiration at the industry, which I didn't hasitate to call it "Security 2.0", where I hope to borrow some concepts and feelings from Web2.0. The representative and definitive features of "Security 2.0" include:

  • Security 2.0.1: focus changed to internal control and security protection of applications and data, rather than simple virus/intrusion detection and attacks.
  • Security 2.0.2: "holistic security" synergizing the AAAA(Account, Authentication, Authorization, and Audit), from just stack/heap of firewalls, IDSs and other single point stuff.
  • Security 2.0.3: emphasizing the perception and experience of those security managers and administrators, ie. the real effectiveness and efficiency. along with the implementation of technologies of data mining and correlation.

The key difference between Security 2.0 and previous stages lies at that the later focuses on the security information production and corresponding accuracy from those single point security elements, while the former turns to effective and efficient usage of those information to direct the real operations. Security 2.0 just develops itself on the shoulder of Security 1.0, instead of replacing them.

BTW, I am sorry I don't have time to translate other parts of this post from Chinese to English. If you are interested, please check the full version in Chinese.

Force10 release 10GE IDS/IPS

April 18, 2006

Force10 P-seriesForce10 is getting into a new territory by the release of its P-series 10GE/GE IDS/IDP yesterday. Basically speaking, it's the first 10G IDS/IDP products in the market. Force10 P-series products includes P-10, which has two 10GE ports, and P-1, which has two 1GE ports. They can work like with SPAN from switches lieke IDS's , and in-line like IPS's. Force10 will compete against Juniper, Cisco, Fortinet, 3Com and other high-end IDS/IPS/UTM vendors.

It's a bit astonishing that 2x10GE port P-10 is condensed into a 1U rack mountable box. Based on its patented DPI (deep packet inspection) technology, P-series engines run at full line-rate for GbE or 10 GbE network links with full deep-packet inspection and stateful signatures/policies enabled.

While they're at it, Force10 officials are taking a swipe at the mainstream security market with the P-1, a similar two-port box for Gigabit Ethernet lines.

MetaNetworks was shipping its own products, but those are subsumed by the P-series, which Force10 believes is more suitable for volume shipments. Force10 officials have said they'll eventually turn MetaNetworks's FPGA-based technology into a series of blades.

Any lead Force10 has in 10-Gbit/s security might not last long. Fortinet Inc. admits it doesn't have a 10-Gbit/s intrusion detection and prevention box, but the company pledges it will "announce something, probably within the next couple of months," a spokeswoman says.

Both of the P-series systems are shipping in production, with the P-10 listed at $95,000 and the P-1 at $38,000.

Click here for the datasheet.

UTM (Unified Threat Management) Definition

November 14, 2005

According to IDC, UTM (Unified Threat Management) security appliances are defined as:

UTM security appliance products include multiple security features integrated into one box. To be included in this category, as opposed to other segments, the appliance MUST contain the ability to perform network firewalling, network intrusion detection and prevention, and gateway antivirus (AV). All of the capabilities in the appliance need not be utilised, but the functions must exist inherently in the appliance. In these products, the individual components cannot be separated. 

Basically, UTM security appliances are charactered as some integration of the follow 6 features in one boxes:

  • * Firewall – these devices are typically deployed at the network perimeter, and therefore robust, stateful firewall capabilities with NAT are required.
  • * VPN – often deployed as branch office solutions on a corporate WAN, the ability to create a small number of secure VPN tunnels is essential.
  • * IDS/IPS – a firewall only enforces policy, and if that policy includes allowing inbound HTTP traffic to Web servers on the DMZ, then there is nothing the firewall can do to prevent HTTP exploits from subverting the target Web server. The IPS capability will detect and block such attempted exploits at the network perimeter, preventing the malicious traffic from ever reaching the server. An IDS-only capability can detect exploits and raise alerts, but will be unable to block the malicious traffic.
  • * Anti Virus – gateway Anti Virus prevents inbound virus traffic at the edge of the network, thus reinforcing desktop security solutions and blocking viruses before they reach the desktop. This solution can also prevent infected machines from propagating viruses outside the corporate network.
  • * Anti Spam – gateway Anti Spam can tag inbound e-mail, allowing it to be handled more effectively by desktop filtering solutions, or can block suspected spam mails completely. This solution can also prevent internal hosts from sending spam mail outside the corporate network.
  • * URL Filtering – using a constantly-updated database of categorised URLs, a gateway URL filtering solution can prevent employees from accessing objectionable or inappropriate Web sites from the corporate network  
  • * Content Filtering – by scanning Web and mail traffic for specific content, a gateway content filtering solution can prevent objectionable or inappropriate material from passing into, or out of, the corporate network.