Posts tagged ‘HTTP Security’

SSL Proxies

August 17, 2010, 1:25 pm

Because it is open outbound from the firewall, many applications send their traffic across port 80 to avoid firewall issues.   This has led to port 80 being called the Firewall Traversal Exploit.   Port 443 then is the Secure Firewall Traversal Exploit because it allows traffic out in an encrypted fashion.

Because its encrypted users bypass protections in place for HTTP to download viruses, access forbidden sites and leak confidential information.  This is limited only by the availability of SSL sites.     In recent years webmail like GMail has gone to full SSL sessions.   Bad guys can easily set up SSL as well.  Without a SSL proxy, all you can do to address these concerns is block by IP address.   IP addresses change frequently and are less likely to be categorized in a URL block list.

When you use a SSL proxy, the web traffic is terminated at the proxy server and a new request is made to the remote server.   The client browser uses a certificate from the proxy to secure data during the first leg of this transaction.   This will result in a certificate error if you don’t deploy the proxy’s self-signed certificate as a trusted root.   Because the client never sees the certificate of the remote server, the user does not get information about the trustworthiness of that certificate.  For this reason it is necessary to either block all bad certificates or make sure your SSL proxy can pass on that certificate info when the certificate is expired or does not chain to a trusted root.

The SSL proxy can use the hostname (CN) in the server certificate to make a  URL categorization decision to intercept or tunnel the traffic. 

Because you can intercept based on URL categorization, you could choose to intercept (and block) only websites that are in your blocked categories.  This is the simplest implementation of a SSL proxy.    It blocks site that wouldn’t have been blocked before and it doesn’t interfere with anything else.   If a computer doesn’t have your certificate in their trusted root, it’s not that bad because the site would have been blocked anyway.

A slightly more intrusive step is to also intercept webmail sites.   Webmail sites have the potential to download malware although the site itself is valid.   By intercepting the site the download is scanned by the antivirus layer.   A related idea is intercepting all uncategorized sites so they can be scanned.

A full implementation involves intercept everything not categorized as a financial site.  It is not recommended to intercept financial websites for obvious reasons.
Intercepting everything allows you to scan all downloads for viruses.  The main drawback is you’ll have more issues with web applications not conforming to HTTP standards.  

I think the simplest option of only intercepting websites classified in categories on your block list is best.   It provides additional security without potential for complications.  You’d have to make a security decision for your own environment.

There are security considerations to intercepting traffic.   When you only intercept a site to block it you don’t have sensitive data but as you intercept other categories, you must take care.  Sensitive data may now be exposed in clear text.  You may want to think twice about what you are logging and caching.  If any offbox analysis is performed you need to encrypt the connection and make sure nothing is on the remote box. 

A lot of attacks occur over the web and its important to provide the best defense.  It’s no longer good enough to ignore 443/TCP.

Tags:
Category: General  |  1 Comment

BlueCoat ProxyClient

July 24, 2010, 8:53 am

As I warned, I attended a BlueCoat seminar on Wednesday and I’m getting a few days worth of blog posts from that.

In March of 2009, I blogged that I was testing the BlueCoat ProxyClient.   The ProxyClient provides URL filtering via WebPulse and also attempts to provide acceleration to VPN users and users on slower network sites.   Each feature can be enabled or disabled automatically depending on location.  Last year I had ProxyClient deployed to the IT department for quite a while until it was time to test some HTTP SaaS solutions.  At that point I uninstalled ProxyClient from all computers.   I didn’t return it after I completed my HTTP bake-off.   I only renewed with BlueCoat for one year and didn’t want to roll out something and then switch it only a year out.

Looking at this months desktop virus reports, its pretty clear that a large number of the infections occur while systems are remote.   Outside the facility they currently only have SEP11 as protection.   For a long while I felt that if I was going to offer protection, URL filtering wasn’t good enough.   I needed antivirus.   But from what I wrote about yesterday with WebPulse, I am now thinking this is a significant step up security wise.   Also it doesn’t have the SaaS risk. 

To be sure some of our users might revolt if we put one more security product on “their” desktop.   But I a strong case can be made for deploying ProxyClient.   If you own BlueCoat and you pay for BlueCoat WebFilter, then the ProxyClient is no charge.  At most companies, users are increasingly mobile.   Unless you’ve got some other strong protections (such as only allowing browsing through an always tunnel vpn connection, and also removing local admin rights) I’d take a strong look at adding this protection.

Tags: ,
Category: General  |  4 Comments

BlueCoat WebPulse

July 23, 2010, 12:19 pm

As I mentioned, I was at a BlueCoat Web Security briefing on Wednesday.

Most of the talks covered things I already knew.   I’m well aware of BlueCoat’s product line, and the web security stuff I received that in a meeting earlier in the year.   But the security stuff was good review.   It is rather interesting how BlueCoat is using a hybrid model for security.   Rather than simply having an Antivirus Engine and a URL filter database on site, they use the WebPulse Cloud service to provide better protection. 

At one point URL filtering exclusively used a local database that was updating periodically.   When sites aren’t categorized,  BlueCoat used to use a service called Dynamic Real-Time Threat Rating to submit the URL to the cloud and see if categorization was available, either in a newer database or through dynamic categorization.   That has evolved into BlueCoat Webpulse.   It’s a cloud based service that uses 8-10 heuristic scanners to analyze requested websites.    With 62 million global users, there is a certain hope that a malicious site would have been seen and been categorized by the service.

This is why I don’t actually see very many viruses detected by the Kaspersky AV scanner that scans traffic.   A lot of malicious sites are already categorized and in the block list.   I need to check out BlueCoat Reporters reports on the malicious software category if I want to better justify web security.

While BlueCoat does use some of the more advanced detection functionality of Kaspersky locally on the appliance, they are doing detection in the cloud that couldn’t be done on locally on the appliance.

Tags: ,
Category: General  |  1 Comment

BlueCoat Security Briefing

July 23, 2010, 1:19 am

On Wednesday, I went to the BlueCoat Security Briefing at the Tyson’s Corner Marriott. 

The big news for me was that our hardware (SG810-B and SG510-B) which I’d been led to believe was going to end-of-support in November is good for another year.  Even today the end of life matrix says TBD, but typically end of life comes three years after end of sale.   I had only renewed BlueCoat for one year last year based on the end of life information provided by the sales rep.   That’s good news.   If we stick with BlueCoat we’ll be able to get another year of life from this hardware.   I dont anticipate replacing this hardware to be cheap, its good to put that off.  However it does make it a bit tougher to justify leaving BlueCoat because of cost.

There were two briefings.   One by Mark Stanford, Director of Sales Engineering and another by Jeff Barker VP of Technical Marketing.    Technical Marketing.   Hmmm.   Sounds like an oxymoron.  

I plan string out posts about this meeting for a few days rather than engaging in one long post now.

Tags: ,
Category: General  |  Comment