2025-03-15 Update From: SLTechnology News&Howtos
Shulou (Shulou.com) 06/01 Report
At present, both security vendors and security companies need to analyse virus samples and malicious programs, and they all take more or less the same approaches.
This is not to say that security researchers use only the approaches below; several of the approaches I mention are, at least at the blogger's company, not yet in use. Back to the point. Before getting to the proposal proper, I would like to list a few of the approaches in use today:
First, using the antivirus quarantine zone
Disadvantages: when there is a lot of content, roughly 50 GB, virtual disks are unrealistic, and an antivirus quarantine zone is even harder to use.
I would add the following points:
1. If I use a virtual machine, I would install a Linux system in it and put the viruses inside. But then there are too many files, sorting and transferring them is too slow, and calling them up is inconvenient (on a machine without the virtual machine installed you cannot use them at all).
2. With an antivirus quarantine zone, I cannot build a 100 GB quarantine zone, and I cannot clean it up either.
Second, changing the file format of the sample files
Encrypted compressed archive + folder encryption + (a second tool's) folder encryption + partition encryption + permissions set for SYSTEM and users (no access to the zone) + hard-disk write protection
Disadvantages: this mode of operation is more complex and more demanding on people; do not expect everyone to have these basic skills, and it makes day-to-day operation inconvenient.
Solving this problem at the endpoint seems a bit troublesome, so let us look at how this kind of problem is solved once the problem is moved onto the network.
First, establish an independent VPC for virus sample analysis that communicates only with the Internet and is logically isolated from the intranet by security policies.
Disadvantages:
1. How are the samples to be debugged uploaded to the analysis machine?
2. Debugging is affected by geography; remote operation depends on network quality, which inevitably affects the efficiency of sample analysis.
3. Multiple office areas are concentrated on one VPC for sample analysis. Does this way of analysing samples remotely conflict with the way security researchers work?
4. Without a ferry device, sample downloads and sample reports all have to go through a cloud drive, which is a challenge to the confidentiality of the data.
Second, establish a B network: sample analysts work with two machines and two network cards, with an independent Internet egress. Sample analysis is completed locally, nothing spreads to the intranet, and the A and B networks are physically isolated.
Disadvantages:
1. It requires investment, and if security researchers are scattered across many locations, the cost of building multiple B networks is really uncontrollable. This problem can be replaced with another solution: build one large B network in the core office area and publish an SSL remote access point inside it; security researchers work in dual-machine mode, with the sample analysis machine connected remotely to the B network to complete sample analysis and the A-network machine handling daily office work. The B-network SSL gateway identifies the hardware characteristics of the sample analysis machine to prevent several computers from being used interchangeably.
2. Independent networking equipment has to be requested, which is not integrated with the current network, and the cost of operation and maintenance rises.
3. The company still has to spend money, which is very hard.
Third, set up a dedicated network for testing virus samples with a 4G router, and complete security research over the ISP's 4G network.
Disadvantages:
1. It cannot meet the long-term goal of business development; network quality is poor, and the user experience may not meet the needs of use.
2. It increases the number of assets that are out of control, which is inconvenient for the company's overall asset management. Whether operation and maintenance is handed to the business line or to the operations department, powers and responsibilities are not distinguished, and all operations in this part are detached from security monitoring, which makes it a risk point.
3. The third point is the most ridiculous reason I have heard in all my years of doing security: "this kind of sensitive operation should, as far as possible, be carried out on a network that has nothing to do with the company." To take responsibility and to strive means being responsible not only for the work you do but also to society and to the individuals who use it; otherwise "a safer network and a better world" is said in vain and runs counter to the boss's thinking. If security people take no responsibility, will the network still be safe?
Well, I have talked about some of the general defensive approaches above. Below I describe my views on building a sample analysis network, and I hope you will offer plenty of advice.
1. Build the sample analysis network as a physical network, that is, establish A and B networks.
The demand for A-B interworking certainly has to be met, so how should A-B communication be handled, rather than using a firewall to isolate A from B?
Let us look at the existing way of A-B network communication.
Although this method meets the requirement of network isolation, the risk of manual operation is high, and it is really not good at virus and content filtering.
In fact, for the east-west (A to B) direction, the blogger still recommends using a network gate (GAP device). I need not be verbose about how a network gate works; it comes down to file-ferry communication. Isolation devices have "forward isolation" and "reverse isolation"; what we worry about is malware spreading back into the A network, and that can be controlled.
If you really lack the ability to build a B network, the hosts used for sample analysis can be concentrated behind a physical device at the upstream interface of the current A network, with forward and reverse isolation and the network gate doing the ferrying, to improve overall security.
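As an added illustration of the forward/reverse isolation just described (this is example code written for this page, not the blogger's setup and not any gate vendor's behaviour), the following Python models the ferry policy a network gate enforces between A and B: in the forward direction (A to B) a sample is accepted and its hash recorded; in the reverse direction (B to A) only small, plain report files may come back, and content is sniffed so that a renamed executable or archive is still refused. The report extension allowlist, the 20 MB cap, the magic-number table and the `ferry`/`FerryDecision` names are all assumptions.

```python
"""Added example, not from the original post: a minimal model of the file-ferry
policy a network gate (GAP device) enforces between the A (office) network and
the B (sample analysis) network. Directions, file types, size limit and the
blocked-magic table are the author's assumptions, not any vendor's behaviour."""
import hashlib
from dataclasses import dataclass
from typing import List, Optional

# Reverse direction (B -> A): only plain analysis reports may come back.
REVERSE_ALLOWED_EXT = {".txt", ".md", ".json", ".csv", ".pdf"}   # assumed allowlist
REVERSE_MAX_BYTES = 20 * 1024 * 1024                              # assumed size cap

# Content signatures that must never leave the analysis network, whatever the
# file is called. Extension checks alone are defeated by simply renaming a file.
BLOCKED_MAGIC = {
    b"MZ": "PE executable",
    b"\x7fELF": "ELF executable",
    b"PK\x03\x04": "ZIP archive",
    b"\xca\xfe\xba\xbe": "Mach-O fat binary / Java class",
}


@dataclass
class FerryDecision:
    allowed: bool
    direction: str
    name: str
    sha256: str
    reason: str


FERRY_LOG: List[FerryDecision] = []   # every crossing is recorded, allowed or not


def _sniff_blocked(data: bytes) -> Optional[str]:
    """Return a label if the content starts with a blocked magic number."""
    for magic, label in BLOCKED_MAGIC.items():
        if data.startswith(magic):
            return label
    return None


def _extension(name: str) -> str:
    return "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""


def ferry(direction: str, name: str, data: bytes) -> FerryDecision:
    """Apply the gate policy to one file crossing and log the decision."""
    digest = hashlib.sha256(data).hexdigest()

    def decide(allowed: bool, reason: str) -> FerryDecision:
        d = FerryDecision(allowed, direction, name, digest, reason)
        FERRY_LOG.append(d)
        return d

    if direction == "forward":
        # A -> B: samples are allowed in; the hash is what the analyst reports against.
        return decide(True, "forward: sample accepted and hash recorded")
    if direction != "reverse":
        return decide(False, "unknown direction")

    # B -> A: reverse isolation. Deny by default, allow only small plain reports.
    ext = _extension(name)
    if ext not in REVERSE_ALLOWED_EXT:
        return decide(False, f"reverse: extension {ext or '(none)'} not in report allowlist")
    if len(data) > REVERSE_MAX_BYTES:
        return decide(False, f"reverse: {len(data)} bytes exceeds report size cap")
    label = _sniff_blocked(data)
    if label is not None:
        return decide(False, f"reverse: content is {label} despite extension {ext}")
    return decide(True, "reverse: report accepted")


if __name__ == "__main__":
    # Constructed inputs, not real samples.
    print(ferry("forward", "dropper.bin", b"MZ\x90\x00" + b"\x00" * 60))
    print(ferry("reverse", "report.txt", b"sha256=...; verdict=malicious\n"))
    print(ferry("reverse", "report.txt", b"MZ\x90\x00" + b"\x00" * 60))   # renamed binary
    print(ferry("reverse", "tools.zip", b"PK\x03\x04" + b"\x00" * 60))
```

A real gate does far more than this (protocol termination, content reconstruction, antivirus scanning of what it ferries), but the skeleton shows the two points that matter for the A/B design: the reverse direction is deny-by-default with a narrow allowlist, and the decision is made on content, not on the filename the analyst gave it.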
2. Establish a dedicated VPC for sample analysis.
A VPC uses tunnelling technology to achieve isolation from traditional VLANs; the broadcast domain is isolated down to the network card level.
Our goal in establishing an independent VPC is to be able to access the Internet while being isolated from the company's intranet.
For more information on Microsoft's VPC, see http://winsvr.org/info/info.php?sessid=&infoid=25&page=6.
Using VPC technology for sample analysis, the core is to achieve layer-2 logical isolation between different VPCs.
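The VPC approach, both as listed earlier among the existing methods and as proposed here, rests on a security policy that lets the analysis VPC reach the Internet but not the company intranet. As an added example (written for this page, not taken from the post or from any cloud provider's API), the following Python is a first-match policy evaluator that puts a weak rule set beside a hardened one: the weak set allows 0.0.0.0/0 before its intranet deny, so the deny is shadowed and the intranet is reachable; the hardened set denies the intranet ranges first. The analysis subnet 10.250.0.0/24, the use of the RFC 1918 ranges as "the intranet", the probe addresses and the `Rule`/`evaluate`/`intranet_leaks` names are assumptions.

```python
"""Added example, not from the original post: a first-match security-policy
evaluator for the sample-analysis VPC. Address ranges, rule sets and probe
addresses are the author's assumptions."""
import ipaddress
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Rule:
    action: str   # "allow" or "deny"
    src: str      # CIDR
    dst: str      # CIDR
    comment: str = ""


ANALYSIS_NET = "10.250.0.0/24"                                   # assumed analysis VPC subnet
INTRANET = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]    # assumed: RFC 1918 = company intranet


def evaluate(policy: List[Rule], src: str, dst: str) -> str:
    """First matching rule wins; no match means the implicit default deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in policy:
        if s in ipaddress.ip_network(r.src) and d in ipaddress.ip_network(r.dst):
            return r.action
    return "deny"


# Weak: the broad allow comes first, so the intranet deny below it is never reached.
WEAK_POLICY = [
    Rule("allow", ANALYSIS_NET, "0.0.0.0/0", "Internet access (also matches the intranet!)"),
    Rule("deny", ANALYSIS_NET, "10.0.0.0/8", "shadowed by the rule above"),
]

# Hardened: intra-VPC traffic first, then explicit intranet denies in both
# directions, and only then the Internet allow.
HARDENED_POLICY = (
    [Rule("allow", ANALYSIS_NET, ANALYSIS_NET, "analysis hosts may talk to each other (assumption)")]
    + [Rule("deny", ANALYSIS_NET, n, "block egress to intranet") for n in INTRANET]
    + [Rule("deny", n, ANALYSIS_NET, "block ingress from intranet") for n in INTRANET]
    + [Rule("allow", ANALYSIS_NET, "0.0.0.0/0", "Internet egress")]
)

# Constructed probe destinations: three intranet hosts, one Internet host, one VPC peer.
PROBES = ["10.1.2.3", "172.16.5.5", "192.168.1.1", "8.8.8.8", "10.250.0.20"]


def intranet_leaks(policy: List[Rule], probes: List[str], src: str = "10.250.0.10") -> List[str]:
    """Return the intranet destinations (outside the VPC itself) that the analysis host can reach."""
    analysis = ipaddress.ip_network(ANALYSIS_NET)
    leaks = []
    for dst in probes:
        a = ipaddress.ip_address(dst)
        if a in analysis:
            continue   # a VPC peer is not an intranet host
        in_intranet = any(a in ipaddress.ip_network(n) for n in INTRANET)
        if in_intranet and evaluate(policy, src, dst) == "allow":
            leaks.append(dst)
    return leaks


if __name__ == "__main__":
    for label, policy in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(label, "leaks:", intranet_leaks(policy, PROBES))
```

The check is worth running against whatever policy language your cloud or firewall actually uses, because the failure mode is the same everywhere: a single "allow anything to the Internet" rule that precedes the intranet denies, which is exactly the logical-isolation gap the A/B design is meant to close.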