Content audit demand background

• Network security law requires
  • Make clear who is responsible
    • Establish internal safety management system and operation procedures , Implement safety protection responsibilities
  • Take preventive and protective measures
    • Prevent computer viruses and network attacks 、 Network intrusion, etc
  • monitoring 、 Record and keep a log
    • Take monitoring 、 Record network operation status 、 Technical measures for network security incidents , And keep relevant network logs for no less than six months
  • data classification 、 Backup and encryption
    • data classification 、 Important data backup and encryption measures
  • Other legal obligations
    • law 、 Other obligations stipulated by administrative regulations
      

Online behavior audit framework

Online behavior audit technology

• The log center will record all audit actions
• Log query includes all behavior queries 、 Visit the website to inquire 、 Instant chat log query 、 mail 、 Post 、 Send Weibo and other log queries , It can trace all kinds of violations of organizational regulations
  • According to the specified time 、 user 、 Group 、 Application, etc. to query logs
• Statistical analysis can be used for flow analysis 、 Duration analysis 、 User behavior analysis 、 Compliance analysis, etc . And can automatically generate reports , Subscribe to
  

Outgoing email audit technology

• Between the client and the mail server, we usually use IMAP/POP3 agreement , Between the web version and the mail server, we usually use HTTP agreement
• Between the mail server and the mail server SMTP agreement
• For emails from different manufacturers ,SangFor All know the encapsulation structure of mail , So you can clearly record the email receiving and sending mailbox 、 The theme 、 Content 、 Accessories, etc.
  • Only messages sent in clear text , You can audit
    

SSL Content decryption technology

HTTPS agreement

• be based on SSL Transmission of HTTP agreement , The port used is TCP Of 443 port
• Workflow
  • Client to DNS The server queries the target domain name IP Address
  • Client and server pass 3 The second handshake establishes TCP Connect
  • The client initiates... To the server Client-Hello message
    • Carry all encryption algorithm versions supported by the local client
    • Server-Name： Tell the server the domain name to access
  • The server returns the client Server-Hello message
    • The server will choose the highest version of encryption algorithm supported by both sides , Notify the client
  • The client asks the server for a certificate
  • The server sends a digital certificate to the client
  • The server asks the client for the certificate （ Optional , Used for bidirectional encryption ）
  • The client sends a digital certificate to the server （ Optional ）
  • The client is protected by the server public key , Negotiate symmetric keys with the server
  • The client and server are protected by symmetric keys , Conduct HTTP transmission
  • Client and server through 4 Second wave , end TCP Connect
• HTTPS Authentication mode
  • Single validation ： The client needs to verify the identity of the server , But the server does not need to verify the identity of the client
  • Two way verification ： The client needs to verify the identity of the server , The server also needs to verify the identity of the client
    

SSL Content recognition principle

• AC Crawl client's Client-Client package , By identifying Server-Name Field , To get the address of the server
• AC Fake it as a server , Negotiate encryption with the client , And forge certificates , Send to client
• AC At the same time, fake the client , Negotiate encryption with the server , And request to obtain the certificate of the server
• AC The data sent by the client and server can be decrypted at the same time

• because AC The certificate sent to the client is forged , So the client opens HTTPS Website time , The browser will display a certificate alarm
  • You can trust on the client AC Certificate , To eliminate the browser certificate alarm

• about AC Certificate issued , The client can download and install manually , It can also be done through AC Configuration of , When enabling users to access the Internet , The installation certificate is mandatory
• Even if it's HTTPS Encrypted mail , It can also be done through SSL The middleman hijacked , Audit the contents of the email
  

Web Keyword filtering technology

• Through the Internet access policy “Web Keyword filtering ”, To prohibit the search or outgoing of some keywords
  • If it is an outgoing email / post / Weibo contains filtering keywords , Need to open HTTP Upload identification
  • If you search for keywords through search engines , And is HTTPS Website , It also needs to be turned on SSL Content identification , And you need to add the domain name of the website to AC In the identification Library
• except Web Keyword recognition filtering , You can also filter the file types uploaded and downloaded
  

IM Chat content audit technology

• Because the chat content is a private protocol , It will not conduct packet capturing audit in real time
• SangFor Through plug-in , It will be found on the client computer QQ Local cache database of chat content ,AC Every interval 10s Read the chat content in the database of the client , Write to AC The log center of
  • Can each PC Install the access plug-in manually , Also can be AC Distribute uniformly through strategies

• Access procedures only support Windows PC Install on run , For non Windows user , The client plug-in cannot be installed
  • Policies can be configured for terminals that do not support admission , Directly allow or prohibit the Internet

【AC Content audit experiment 】

 All of the above are original , If unknown or wrong , Please point out .