Tokyo, May 16, 2005 --- NEC Corporation today announced that it
has succeeded in the development of a security configuration
analyzing system that enables automatic detection of security
problems through collection and analysis of configuration
parameters of security tools that work collaboratively within the
network. The newly developed system can detect security issues such
as when the file transfer protocol ("FTP") service is accepted by
the firewall, but the FTP data stream is not monitored by any
intrusion detection system ("IDS") and is thus vulnerable to
infection via worm attack, and can propose configuration revision
plans to correct the problem at the time of error detection. This
is the world's first system to achieve automatic detection of
security problems arising from configuration mismatching among
different security appliances and software tools that work in
collaboration. Without this system every network administrator
would have to carry out this task manually based on individual
skills and experience. An automatic detection system drastically
reduces the network security checking time and load in comparison
to manual methods. It is based on the following two
technologies:
| (1) |
A security policy extraction technology that translates
configuration parameters of different security tools into basic
policy rules boasting a common format. |
| (2) |
A configuration analysis technology that compares policies by
the data flows within the network to detect policy mismatches (i.e.
security problems) such as the detection of a stream that is
accepted, but is not monitored. |
The technological characteristics of the system are as
follows.
- Use of a common configuration policy description language
In order to describe the filtering policies of a firewall by
specifying what kind of packet streams it can accept, as well as
the monitoring policies of IDS by specifying what kind of attacks
on what kind of packet streams require monitoring, the system
collects configuration parameters and translates them into an NEC
original common policy description language called security
configuration coordination markup language ("SCCML.") SCCML is
designed to be platform independent and to describe basic security
functions such as filtering and monitoring. It enables the
administrator to easily grasp the current security status of the
whole network by reviewing the SCCML policies, without having to
consult every individual application and software tool in the
network.
- Virtual firewall simulation
As a firewall operates with many filtering rules (sometimes there
are even more than 1000,) it is difficult to perform a
comprehensive test to find out exactly what kind of packet streams
it accepts in practice. The new system provides an integration
algorithm of SCCML-based filtering rules to monitor if there is any
overlapping of relationships or if any specified packet streams are
accepted or rejected by the rule set. This function is called the
"virtual firewall simulator." This simulator enables the
administrator to carry out a comprehensive test in just
minutes.
- Automatic mismatch detection between a filtering policy and a
monitoring policy
The system offers a mismatch detection algorithm by comparing the
filtering and monitoring policies related to the same packet stream
such as hypertext transfer protocol ("HTTP") or FTP service. This
algorithm enables administrators to automatically detect security
problems, for example it may notify the administrator that "This
FTP service is accepted but not monitored." To date, no efficient
method has existed to compare configurations or to detect such
vulnerabilities. An experiment has shown that NEC's newly developed
system completed a firewall-IDS configuration comparison task
within 3 minutes, while an administrator took 170 hours to carry
out the same task. This achieves a time reduction ratio of 1 over
3400.
- Identification of configuration problems
Using the mismatched SCCML description, the system strictly
identifies problematic configuration parameters and offers
configuration revision candidates to the administrator. The
administrator can select the candidate and revise the original
configuration parameters immediately after the detection of the
mismatch.
In recent years, a variety of applications and software tools have
been introduced in the internet and intranet to protect resources
from multiple kinds of security threats. However, this also means
that only limited security experts can handle them, and their
maintenance has become a heavy load for enterprises. As the
internet and intranet become more dynamic and prevalent, service
collaboration and enterprise organizations are becoming continually
subject to change. In such environments, security configuration
mismatches can easily occur, and warrant a serious problem if the
mismatch is not detected and the corresponding vulnerability
removed immediately.
NEC believes its new security configuration analyzing system can
contribute to solving these kinds of security problems, and in turn
drastically reduce security management costs while simultaneously
improving the reliability of internet services and enterprises as
they change dynamically.
About NEC Corporation
NEC Corporation (NASDAQ: NIPNY) (FTSE: 6701q.l) is one of the
world's leading providers of Internet, broadband network and
enterprise business solutions dedicated to meeting the specialized
needs of its diverse and global base of customers. Ranked as one of
the world's top patent-producing companies, NEC delivers tailored
solutions in the key fields of computer, networking and electron
devices, by integrating its technical strengths in IT and Networks,
and by providing advanced semiconductor solutions through NEC
Electronics Corporation. The NEC Group employs more than 140,000
people worldwide and had net sales of 4,855 billion yen (approx.
$45.4 billion) in the fiscal year ended March 2005.
For additional information, please visit the NEC home page at:
http://www.nec.com/
* Newsroom: http://www.nec.co.jp/press/en/newsroom/index.html
NEC Press Contacts:
Diane Foley
NEC Corporation
d-foley@ax.jp.nec.com
+81-3-3798-6511 (Japan)