Welcome to the Proxy Update, your source of news and information on Proxies and their role in network security.

Tuesday, December 30, 2008

Back to Basics

It's been a while since we've discussed what a proxy is. This recent article (which I've linked to above and here: http://www.itecharticles.com/what-is-a-proxy-server/) gives a nice overview of what a proxy is and what it does. It was a nice reminder for us to get back on the topic of the proxy.


What is a Proxy Server? (From iTechArticles.com)

by admin on December 27, 2008

A proxy server is a computer that services requests from its client computers by forwarding client requests to the outside servers and also acting as a gateway to any incoming data from an external server. Client computers will usually have to go through the proxy server while requesting a web page, a file or some other resource that is located on a remote server. The proxy will then connect to the specified server and act on behalf of the requesting client. Depending on security settings and other restrictions that have been put into place, the server may alter a request that has been made to a remote server. On the other hand it may also alter the response of the remote server, before forwarding it to the client. At other times it may need to contact the remote server in order to service a request. In such a case, the proxy will act as a cache server by storing previously accessed web pages and resources so that when they are requested later on, they can be retrieved much faster.

The most common types of proxy servers are gateways. A gateway is a type of proxy server that handles data coming across a number of platforms that are running on different protocols. Also called protocol converters, these gateways pass unmodified replies and requests between outside servers and clients and can be placed at various points on a local area network as well as across the internet. On the internet, gateways convert packets formatted in one protocol like TCP/IP to another format like AppleTalk before sending them to a client computer. Gateways can either be hardware or software. In most cases however, they are implemented by having software in a router.

In order for a proxy server to act as a gateway it must understand the protocols it is going to handle. Gateways will usually be network points that separate one network from another. Commonly referred to as nodes on the internet, a gateway node acts as the end-point of one network and the beginning of another. Gateways are commonly installed between networks in a company or by internet service providers to their clients. To improve security, gateways will also serve as firewall servers by having software installed on them. Most proxies will have 2 IP addresses, one that serves the local area network and the other serving the wide area network like the internet. When properly configured, these proxies ensure network security and efficiency is maintained.

Tuesday, December 23, 2008

Sophos: US is the number one malware host in 2008

In what may be a surprise to many in the U.S., Sophos reported that the U.S. is the number one malware host in 2008. I've linked an article on this report above, but the short details are that 37% of malware was hosted on sites in the U.S. this last year. It's not some third world country as we've come to expect in recent years.

As expected, Sophos predicts cybercrime to increase in 2009, so make sure adding security to your network is on your list of New Year's resolutions!

Monday, December 22, 2008

Kaspersky: Interview with a virus-hunter

Network World recently interviewed Eugene Kaspersky, the man behind Kaspersky Anti-Virus. I've shared the link to the article above. I don't think there are any surprises in his interview, but I found it an interesting read anyway.

As expected, the key take-away is you can't be too careful.

Thursday, December 18, 2008

A Network Assessment

Do you know all the applications going through your network? How about just your proxy? You may think all traffic going through the proxy is innocuous, I mean really, it's just web traffic right? Probably not. Many applications tunnel over HTTP and while to your firewall and router it may all look like web traffic, it's probably a combination of web, P2P (file sharing), video streaming, chat and other traffic you may not find so desirable on your enterprise network.

If you suspect that your bandwidth bills are going up because of unwanted traffic, (or if your bandwidth usage bills are going up regardless of your suspicions), it may be time for a network assessment to figure out what traffic is going around your network and through your proxy.

What does a network assessment entail? Installing a device into your network to monitor the types of applications that are using up your network bandwidth. A classic device that does this is the PacketShaper, developed originally by Packeteer (and now part of the Blue Coat Systems family). A PacketShaper can sit inline in your network and classify traffic into over 600 categories, regardless of the port being used by the application.

Before your network usage keeps growing, maybe it's time to find out what's really going on in your network.

Wednesday, December 17, 2008

What's So Hard About SSL?

As the proxy administrator, it's possible you haven't thought about SSL at all, or maybe the opposite is true, and it keeps you up at night trying to figure out how to deal with SSL encrypted web traffic. Either way it's definitely something that you should be worrying about, whether it's a reverse proxy or a forward proxy that you have implemented.

The reverse proxy scenario is of course easier in that you're protecting a known set of websites. If some of them happen to be SSL encrypted your proxy should easily have a method to allow you to install SSL certificates for those websites, and give protected access to those trying to reach internal websites.

The forward proxy scenario is the more complicated one, and probably the one keeping you up at night. When you use a forward proxy to protect your end-users from threats they may be exposed to from external websites, it's easy to inspect downloads that come across the proxy in the clear: check the URLs and scan the content for viruses and malware.

The hard part is when your users are browsing encrypted sites. If your proxy is bypassing or tunneling encrypted sessions, then any malware that's hosted on those encrypted sites makes it to your network without any URL blocking or virus and malware scanning. The reverse proxy scenario discussed above where you load up the website's SSL certificate is unmanageable for a forward proxy, as the scope of possible websites is enormous (and no proxies would be able to support that many SSL certificates).

There are a couple of possible answers to this dilemma. The first obvious one is to block access to all SSL encrypted sites. Obviously this doesn't work for everyone, especially those organizations that are using SaaS (Software as a Service) sites like salesforce.com, which depend on SSL for security. The next possibility is to just block SSL to well known categories that you don't want on your network to begin with (possibly banking and shopping). This still leaves the question about SSL to the remaining sites. Here's where having a fully featured proxy is important. Any proxy worth its salt today will have the ability to intercept SSL traffic and inspect the contents of the encrypted session. How is that done? Typically the proxy will create its own SSL certificate for the site, signed by the proxy as opposed to the CA (certificate authority). This means of course you'll have to have your end-users trust the proxy, or pre-install that trust on systems as you stage them for end-users (otherwise end-users will get pop-ups warning them of insecure SSL sites). This allows the proxy to inspect SSL content by intercepting the session and applying policies like URL blocking, virus and malware scanning, and DLP (data leakage protection) inspection as well.

There is a problem here and that is related to privacy. While intercepting SSL encrypted sessions for SaaS sessions that are company or enterprise related is fine, there's a slightly touchy subject if you intercept a user's personal banking session in which the user has entered a PIN or other passwords. If you do decide to intercept SSL, it's a good idea to block personal use categories like banking or shopping (to prevent capturing personal data), or at least put up an acceptable use policy page that explains that SSL sessions are intercepted, and that private transactions should not be done over the corporate/enterprise network (so any access an end-user does is at their own risk). Most proxies are capable of setting up a click-through page that explains acceptable use each time an end-user starts a session to access the internet.

There's of course one other possible scenario related to proxies and SSL, and that's when your proxy is also your WAN Optimization device. We'll tackle that one in a future blog post.

Tuesday, December 16, 2008

Cisco: Cyberattacks growing, looking more legit

Network World highlighted Cisco's Annual Security Report this week. From the article:

"Internet-based cyberattacks are becoming increasingly sophisticated and specialized as profit-driven criminals continue to hone their approach to stealing data from businesses, employees and consumers, according to a Cisco study released this week.

The 2008 edition of Cisco's Annual Security Report found that the overall number of disclosed vulnerabilities grew by 11.5% over 2007. Vulnerabilities in virtualization technology nearly tripled from 35 to 103 year over year, and attacks are becoming increasingly blended, cross-vector and targeted."

These new attacks make web security more important than ever. The report specifically targets mobile users as a new vector to watch out for with respect to risks.

For the network and security administrator this means keeping on top of your proxy's security updates, and finding a mobile/remote security solution. A few proxy companies offer mobile clients that work on laptops to protect them when the user is away from the office and on an open network. Security for mobile users is going to be the key to whether or not your enterprise has to deal with the next big malware outbreak.

Monday, December 15, 2008

PacketShaper and Proxies Together

I found an interesting article on PacketShaper and Proxies working together this morning and thought I'd share it with everyone:

Source: PacketShaper and Proxies : together

Posted by Tech in Field on December 13, 2008

Are you wondering where you should put your Blue Coat [Packeteer] PacketShaper and your in-line proxy / cache in your network?

The PacketShaper should be as close to the router (or firewall) as possible. The proxy or cache (if it sits in-line) should sit on the LAN side of the PacketShaper.

INTERNET <-> ROUTER <-> FIREWALL <-> PACKETSHAPER <-> WEB CACHE/PROXY <-> LAN

Can the Shaper and Cache deployment be reversed? Yes, but you will be shaping requests made to the cache. There can be some advantages to this deployment if you are attempting to shape individual connections to the web.

I prefer the cache inside and to see all web connections originating from the proxy.

If your web cache/proxy [Blue Coat, Barracuda, Ironport, etc] supports WCCP v2, you can use your PacketShaper to hand off all port 80 requests to your web filter. In this setup, you usually do not need your web proxy in-line any more.

For this article I use the terms web cache, web proxy and web filter interchangeably — if you are using a good one it is all of those things.

Friday, December 12, 2008

Top 10 Coolest Hacking Moments in 2008

Network World's Jimmy Ray published the top 10 coolest hacking moments in 2008 today. The article is linked above, but here's some of the highlights:

D.N.S., Apple quietly recommends antivirus software for Macs, Drive-by attacks with Java, WPA cracked, Mac users get a dose of Windows hacks, Laptop Lojack!, and others make the list from Network World.

The one that struck this writer was of course the Drive-by attacks with Java. Mr. Ray goes on to say:

"JavaScript has been used to infect thousands of legitimate web pages to insert a trojan to visitors! Sound like a National Enquirer headline? No way! This attack method has been very successful and nearly transparent to users. This launches a new age in hacking."

This hack of course reiterates the need for web security. Every enterprise needs a secure web gateway in the form of a forward proxy supplying not only URL filtering, but antivirus filtering as well. Can your web security withstand a drive-by attack?

Wednesday, December 10, 2008

Firefox users targeted by rare piece of malware

Another drive-by (meaning the user gets infected just by visiting the website, no clicking or other user-initiated action is necessary to get infected) virus was detected recently targeting specifically users of Firefox.

Drive-by viruses are one of the key reasons we advocate the use of forward proxies in corporate environments to protect end-user PCs. Your forward proxy should block embedded URLs that point to malware and spyware sources. If your proxy can't recognize embedded URLs you need to strongly consider upgrading to newer technology that does, as embedded URLs are the most common vector used today to spread viruses and malware via web pages.

In addition to blocking embedded URLs your proxy should also scan objects being downloaded from webpages for viruses using an effective anti-virus program. In today's malware ridden web environment, it pays to be safe.

Monday, December 8, 2008

New Facebook Virus

New threats from social networking sites emerge more frequently than ever, as indicated by the article linked above. With web pages hidden behind credentials, such as the virus above, it's even more important to make sure web pages are scanned for viruses in addition to any URL filtering your proxy may already use.

Wednesday, December 3, 2008

FBI warns of holiday cyber scams

Sure enough, as if in response to my post yesterday, Network World published an article talking about holiday cyber scams. From the article:

"With cyber Monday comes an FBI warning against spam containing malware and phishing attempts that appear to be greeting cards and ads for shopping bargains.

The goal is theft of money and personal information, according to Shawn Henry, the assistant director of the bureau’s cyber division.

E-mails attempt to lure victims to dummy e-commerce sites in hopes of gleaning credit card numbers and passwords, the FBI says. By mimicking legitimate sites, they lull unsuspecting shoppers into giving up the information as they make what they think are legitimate purchases."

Just another reminder to stay safe this holiday season.

Tuesday, December 2, 2008

Black Friday, Cyber Monday

With the holiday of Thanksgiving in the United States comes the inevitable day after, known as Black Friday, and the new phenomenon known as Cyber Monday afterwards. Both of these designated days refer of course to the pre-Christmas shopping splurge that occurs right after Thanksgiving.

While Black Friday has had notoriety for some time, Cyber Monday still remains relatively unknown, and may even morph into Cyber Friday or Cyber Week before it becomes truly established. Cyber Monday supposedly reflected when shoppers tired of brick and mortar shopping and turned to their computers the Monday after Black Friday to do their online shopping. According to eBay, shoppers have started their Cyber shopping even earlier than ever this year, starting the days before Thanksgiving when traffic on eBay was up significantly and remained high through Black Friday and Cyber Monday.

What does all of this have to do with the corporate or enterprise proxy? A large part of these purchases and online activity occurs from the corporate network. With the possibility of consumer dollars of course come the mischievous hackers coming after personal identities, injecting malware and other undesirables onto the corporate network. Cyber Monday remains a good reminder that it's time to make sure we have a proxy installed for security, that the URL databases remain up to date, and that there's a real-time rating system to identify new sites that are a threat to enterprise security.

Thursday, November 20, 2008

I Need A Proxy, Everybody Wants A Proxy

Unfortunately the article linked above is referring to open proxies that most people use to get around the corporate or school proxy enforcing policy. Open proxies allow anyone pointing to them to get around the corporate policy. Many good security proxies maintain lists of these open proxies and prevent users from going to them. The tough part is of course making sure this list is up to date, as new open proxies get created every day.

The article above, though makes good points for the end-user on why you shouldn't use an open proxy. There are lots of inherent risks to your company or school and especially to your own workstation or laptop if you use an open proxy.

The article I referenced in yesterday's blog post made a good suggestion for system administrators to prevent the use of open proxies on the corporate network, which was making your corporate policy a default "deny policy" and only allowing specific websites through your corporate proxy. Unfortunately this is probably too severe for most organizations, which tend to have a default "allow policy", and then policy to deny specific site categories.

So if you're relying on your corporate proxies to prevent access to open proxies, and you have a default "allow policy", you need to make sure your URL database vendor not only keeps its open proxy list up to date, but also has a method to determine when a new open proxy comes on-line and give it a real-time rating matching the open proxy category. Many corporate proxies have this real-time capability today. Make sure yours does too.

Wednesday, November 19, 2008

Mining for Malware; There’s Gold in Them Thar Proxy Logs!

A new research paper released on the SANS website (link to the paper above in the title) discusses using web proxy logs to discover how much malware is in your network. In addition to mining information from web proxy logs to determine if malware got through, the author also discusses some policies that are worth enforcing on the proxies in your organization to minimize malware and spyware on your internal network.

One of the keys here is of course making sure your proxy has an up to date URL database and is using an anti-virus package to make sure no malware is making its way through to your network. You also want to make it as difficult as possible for employees to use an anonymizing or other proxy-avoidance software which makes it easier for them to get infected.
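To make the log-mining idea concrete, here is an added example (not from the SANS paper or this post): a small Go program that applies three common triage heuristics to proxy log lines, namely an executable fetched by a user agent that is not a browser, requests to a bare IP address instead of a hostname, and beacon-like polling of one host at a near-constant interval. The line format, the log entries and the thresholds (four requests, 10% jitter) are constructed for this example and are not any vendor's format.

```go
package main

import (
	"fmt"
	"net"
	"sort"
	"strconv"
	"strings"
)

// Finding is one suspicious pattern attributed to a client workstation.
type Finding struct{ Client, Reason string }

// hostOf returns the authority part of a URL without scheme, port or path.
func hostOf(url string) string {
	if i := strings.Index(url, "://"); i >= 0 {
		url = url[i+3:]
	}
	if i := strings.IndexAny(url, "/:"); i >= 0 {
		url = url[:i]
	}
	return url
}

// Mine reads constructed log lines of the form
// "<unix-ts> <client-ip> <url> <user-agent...>" (not a vendor format) and
// reports executables fetched by non-browser agents, requests to bare IPs,
// and beacon-like polling (one client, one host, >= minBeacon regular hits).
func Mine(lines []string, minBeacon int) ([]Finding, error) {
	var out []Finding
	series := map[string][]int64{} // "client host" -> request timestamps
	for _, l := range lines {
		f := strings.SplitN(l, " ", 4)
		if len(f) < 4 {
			return nil, fmt.Errorf("short line: %q", l)
		}
		ts, err := strconv.ParseInt(f[0], 10, 64)
		if err != nil {
			return nil, err
		}
		client, url, agent := f[1], f[2], f[3]
		if strings.HasSuffix(strings.ToLower(url), ".exe") && !strings.HasPrefix(agent, "Mozilla/") {
			out = append(out, Finding{client, "executable fetched by " + agent})
		}
		k := client + " " + hostOf(url)
		series[k] = append(series[k], ts)
	}
	keys := make([]string, 0, len(series))
	for k := range series {
		keys = append(keys, k)
	}
	sort.Strings(keys) // deterministic report order
	for _, k := range keys {
		p := strings.SplitN(k, " ", 2)
		if net.ParseIP(p[1]) != nil {
			out = append(out, Finding{p[0], "requests to bare IP " + p[1]})
		}
		if isBeacon(series[k], minBeacon) {
			out = append(out, Finding{p[0], "beacon-like polling of " + p[1]})
		}
	}
	return out, nil
}

// isBeacon is true when at least minReq requests are spaced so that every
// gap between consecutive ones lies within 10% of the mean gap.
func isBeacon(ts []int64, minReq int) bool {
	if len(ts) < minReq || len(ts) < 2 {
		return false
	}
	sort.Slice(ts, func(i, j int) bool { return ts[i] < ts[j] })
	mean := float64(ts[len(ts)-1]-ts[0]) / float64(len(ts)-1)
	for i := 1; i < len(ts); i++ {
		if g := float64(ts[i] - ts[i-1]); mean == 0 || g < 0.9*mean || g > 1.1*mean {
			return false
		}
	}
	return true
}

// sampleLog is constructed data: 10.0.0.5 browses normally, 10.0.0.9 shows all three patterns.
var sampleLog = []string{
	"1229000000 10.0.0.5 http://www.example.com/index.html Mozilla/5.0 (Windows NT 5.1)",
	"1229000000 10.0.0.9 http://203.0.113.7/check Mozilla/4.0 (compatible; MSIE 6.0)",
	"1229000030 10.0.0.9 http://cdn.example.net/update.exe WinHttp.WinHttpRequest.5",
	"1229000060 10.0.0.9 http://203.0.113.7/check Mozilla/4.0 (compatible; MSIE 6.0)",
	"1229000120 10.0.0.9 http://203.0.113.7/check Mozilla/4.0 (compatible; MSIE 6.0)",
	"1229000181 10.0.0.9 http://203.0.113.7/check Mozilla/4.0 (compatible; MSIE 6.0)",
}

func main() {
	findings, err := Mine(sampleLog, 4)
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("%-10s %s\n", f.Client, f.Reason)
	}
}
```

On a real export you would feed the lines from your proxy's access log after mapping its fields onto this order, and tune minBeacon and the jitter to your environment's noise level.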

Tuesday, November 18, 2008

Tough Times

It's no surprise to anyone: every IT department is going along with the rest of the world in having to deal with smaller budgets, cost cutting, and everything that goes along with a really tough economy. We're all treading new water every day with new lows and new surprises in the market.

For the typical IT administrator, the key here is how to reduce your costs in an effort to be the good corporate citizen. Proxies should be on your shortlist of ways to cut costs in your organization. If you're already using a proxy today to restrict usage of the Internet, re-evaluate your policies and make sure they're up to date for today's social networking and Web 2.0 web use. If you don't have a proxy, you need to get one to make sure you aren't increasing your bandwidth spend every quarter due to unauthorized use of the internet. In other words, don't increase your bandwidth budget to pay for someone watching video on your corporate bandwidth links.

Some proxies offer even greater savings than just internet policy enforcement. Many offer compression, caching and other bandwidth savings features as well, and there's even a proxy out there that doubles as a WAN Optimization device, saving bandwidth across those wide area links. Do your homework and find out if a proxy can help you cut costs in today's frugal environment.

Tuesday, November 11, 2008

SaaS

Software as a Service (SaaS) has provided a lot of fodder for security concern in the Enterprise. As valuable corporate data moves out to the cloud, there's concern about making sure the right data goes to the cloud, as well as making sure no malware/spyware is coming back into the organization through secure web connections. Proxies have been providing a solution for these concerns, and in a recent announcement, linked above, even Webroot is offering a cloud based service (in the SaaS model) for scanning of web threats.

While SaaS services like Salesforce.com and Webex have proven the value of SaaS, it remains to be seen if enterprises will be willing to use security as a service in the cloud. As Web 2.0 becomes commonplace, security admins are searching for new ways of ensuring their end-users are protected. Is Security in the Cloud the answer?

Friday, November 7, 2008

Undetectable data-stealing trojan nabs 500,000 virtual wallets

The linked article above is another reminder why it's important to have a proxy as part of your network security infrastructure, especially one that has the ability to block embedded URLs that are considered spyware or malware sources. Researchers have uncovered a trove of financial account data stolen by a Trojan horse program known as Sinowal over the last several years. As many as half a million accounts have been compromised; more than 20 percent were stolen in the last six months alone. Sinowal, which is also known as Torpig and Mebroot, spreads through websites onto unpatched PCs without any user interaction. That the Trojan had been operating for nearly three years has been called "extraordinary." It lies in wait on infected PCs; when a user enters a banking URL, it offers up a phony site to collect the pertinent data and then sends the information back to a drop server.

Wednesday, November 5, 2008

Visibility and Control

The proxy architecture has proven to be one of the most popular in implementing web security for enterprises. While it gives control to network administrators in implementing corporate HR policy on web browsing, it hasn't been a great tool for visibility or control into other applications that run on the network or even other applications that run over port 80, the port for http (web traffic).

Getting that visibility seems to be the goal for a few vendors in the proxy space. Blue Coat Systems recently acquired Packeteer and the PacketShaper product line to give it application visibility on the network. Palo Alto Networks has similar features built into its application firewall. The key here is understanding what's running on your network. While most administrators like to believe they understand what's on the network, without visibility on the application level, it's unlikely you actually know what's using up your network bandwidth.

Visibility and Control. Find out what's running on your network and stop it from eating up your valuable bandwidth and resources.

Monday, November 3, 2008

Network Latency

It's not uncommon to get complaints from your end-users about response times, and immediately blame network latency for the problems. Here's a good article that talks about the different sources of latency that an end-user may experience.

It's interesting to note the author lists proxy servers in their own category as one of the areas to check for latency.

As latency has become more of an issue, it's a topic that WAN Optimization vendors have spent a great deal of time explaining and targeting. Almost all the vendors have a good story about how they address latency in reducing the application wait times for end-users.

Wednesday, October 29, 2008

Spending money on a proxy?

According to the linked article on Network World, IT spending on security is expected to remain strong, based on a recent worldwide survey by PricewaterhouseCoopers. 75% of IT security professionals indicated that their security spending will either increase or stay the same year over year. As companies move more of their business online, they need to deploy new defenses to protect those assets. Since this is a relatively new trend, there are no real existing protections that they can utilize. Additionally, compliance will continue to drive security spending. Both of these trends are largely recession proof since they are not areas that can be readily cut.

The relative strength in the security market is playing out against an expected slow down in the networking market. Forrester predicts that the crisis will slow growth in software and IT services to 3-5% down from an average growth rate of 9-12%. So the question is, are you spending money on your proxy infrastructure?

Thursday, October 9, 2008

8 Things You Can Do With A Proxy

I came across this article in a developers forum and thought it was a rather unique look at the other functions proxies are capable of.

Many of us take for granted our proxy protects us from web threats, but there's a lot more the typical proxy can do as well. Some of them are obvious, like URL rewriting, but functions like data scrubbing may not be something you're doing today. DLP (data leakage protection) is still relatively new to proxies, and may be something you need to look at, especially with newer privacy laws coming out all the time (For example, Nevada is all set to have a new privacy law around email - which includes webmail - making it illegal to send any personal information that's not encrypted via email).

Wednesday, October 1, 2008

5 Mistakes You'd Do Over Again

Network World ran an article a couple of days ago on 5 mistakes IT admins would make again. The article is linked above. The first mistake covers an IT admin who recommended a proxy implementation to solve some bandwidth issues on the Internet link caused by end-users downloading porn from the internet. Although he was fired for standing his ground 10 years ago, he said he'd do it all over again.

And he was right, today, proxies are one of the best devices an organization can implement to prevent unauthorized use of the Internet at work, while protecting end-users from malware, viruses and other threats on the Internet. While many organizations may not admit to having a proxy in their network, the numbers show that most actually use some sort of proxy device for security and content filtering. Blue Coat Systems for example reports that 81% of the Fortune Global 500 implement their products, and 96 of the largest 100 companies use their products.

Monday, September 29, 2008

Web Filtering At Home

For those of you that have been trying to figure out how to protect your home PC from malware on websites, and keep your kids from getting to content on the Internet that you deem unacceptable, there's a free solution from one of the major proxy vendors.

Blue Coat Systems offers a free program for home use, called "K9 Web Protection". You can download it at http://www.getk9.com. It offers the same protection as their proxy web filtering solution for enterprises.

With K9 you can get protection from malware and spyware sites, while having full control to block categories such as adult content, gambling, and other sites you may deem unacceptable. The best part of this is it's free, so no risk in trying it.

Tuesday, September 23, 2008

McAfee to Buy Secure Computing

Yesterday, McAfee announced it was buying troubled security vendor Secure Computing. Secure has had its share of problems this past year, including telling financial analysts that it was suspending forward guidance for the year. That, combined with most of the top execs from the Ciphertrust acquisition leaving the company, seems to have led to this buyout.

McAfee has never been strong in selling appliances and this acquisition gives them a well known entry in the security market. Time will tell as to whether they can build on the WebWasher (SecureWeb) and IronMail (SecureMail) products.

Tuesday, September 9, 2008

Web based attacks pick up some steam

The above linked Network World article on Web based attacks should give any IT administrator some pause for concern. Especially if you aren't protecting your end-users that are browsing the internet with some sort of secure web gateway or proxy device.

Hackers continue to find new ways to cause harm to the end-user and keeping your end-users protected is a full time job.

Thursday, August 28, 2008

Remote Clients

Even inside a company office building, many employees are on wireless networks and moving from place to place, not to mention traditional remote client locations in coffee shops, hotels and airports, on networks the IT manager does not control.

While most laptops have a threat detection engine (anti-virus), it must stand on its own against a wide range of web content and threats. Some proxy vendors, like Websense and Blue Coat now offer mobile client solutions. ProxyClient, a Blue Coat product, extends the value of their web filtering and malware host blocking of their honeygrid product (WebPulse) to remote clients. Surprisingly, there's no extra charge or additional licensing fees associated with this product (assuming you are already licensed for their ProxySG product). Websense has a Mobile Client that does something similar, but they do have a per user licensing fee.

It's important for the IT manager to remember that their URL filtering solution must encompass remote clients as they come and go from a corporate network in their daily roles. URL filtering is changing; and the proxy vendors are stepping up to the plate and making sure their products meet today's mobile challenges. Make sure your proxy vendor supports mobile clients.

Wednesday, August 27, 2008

Web 2.0 Content

More and more of the web is two-way published content of text, images and video. The days of single web page loads and a URL rating for a site or page are evaporating. Now sites have multiple feeds, often with real-time content, search string variables from the user or cookies, plus user authenticated content. Often referred to as Web 2.0, this display of a wide array of content based on user authentication presents specific challenges to IT administrators trying to implement a Secure Web Gateway solution in the form of a proxy.

In a proxy solution, real-time rating services help by rating the entire URL (URL + parameters supplied to the web site) for complex web sites. Blue Coat Systems has DRTR, a real-time rating service which they claim provides a 7-8% coverage benefit over a static URL database coverage percentage. Blue Coat expects this to increase as Web 2.0 content continues to expand. URL databases are moving to hybrid solutions that provide hidden malware host detection, real-time cloud services, local real-time rating services and traditional ratings. Make sure your proxy supports these latest features.

Wednesday, August 20, 2008

Hidden Malware in Popular Sites

The prevalence of hidden malware in popular websites continues to increase. Active script injections are infiltrating popular web sites, and these scripts are making dynamic download requests to malware stored on separate hosts, and often the payload uses a custom encryption wrapper to try and avoid proxy and gateway detection.

These advanced attacks have led many proxy and gateway vendors to develop large honey grids (like Webpulse by Blue Coat Systems) to utilize multiple threat detection engines on clients within a cloud service.

This provides several key benefits for malware host blocking on platforms using existing URL databases. First, the cloud service off-loads threat detection processing from the web gateway; next, it uses clients within the cloud so attacks uncloak themselves for detection; and finally, the cloud service uses multiple threat detection engines (Blue Coat claims to use as many as 10 engines), whereas a web gateway has one threat detection engine, or in many cases none.

A great example of the effectiveness of this honey grid was during some recent attacks against the UN website and some UK websites, which ended up affecting thousands of websites. Those using a Blue Coat proxy were protected, as the Blue Coat solution required only two entries in their WebFilter, both detected by their WebPulse (one malware source three weeks before the attack, the second several days before the attack). This allowed users to visit popular sites that would have been over-blocked due to script injections (by some less sophisticated gateways that identified the main site as the infected site), as Blue Coat's solution made sure the true malware download sources were transparently blocked for the users (using Blue Coat's embedded URL blocking capability).

Interestingly enough, URL filtering has become an important first layer of malware defense in these hidden malware attacks. Reputation, while interesting, would not have made any difference for these popular sites that had embedded malware.

Monday, August 18, 2008

Cross Categorization

URL filtering databases have the tough job of deciding how to categorize a website into a category that's descriptive of that website. For some websites it's easy. Google is a search engine, Playboy is pornography, etc. But for other sites the categorization isn't as easy. Should Yahoo be listed as search engine or a news site or something else entirely?

Some URL databases make this distinction and only put a website in a single category, which means that even if the website has characteristics of other categories, it will carry only that single classification.

There are a few URL databases which will classify a website under multiple categories, which is more appropriate when it's harder to give a single classification to a website. For organizations that have blocks in place this is important, when a site may offer both sports news and gambling for instance, but may be considered more a sports site than a gambling site. Cross classification would offer the ability for the site to be blocked appropriately, per the organization's corporate policy.

When investigating URL databases for your organization, be sure to check that websites can be cross classified for the best accuracy when implementing your policy.
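An added example, not from this blog or any vendor, of how the two database styles change a policy decision for the same host: the ratings, hostnames and blocked-category list are constructed for the demonstration.

```python
from typing import Dict, List, Set, Tuple, Union

# Constructed ratings for the same hosts from two styles of URL database.
# The single-category database must pick one label per site, so a site
# offering both sports news and betting gets only its dominant label.
SINGLE_CATEGORY_DB: Dict[str, str] = {
    "sportsbook.example": "sports",
    "search.example": "search engines",
}
# The multi-category (cross-classified) database records every category that applies.
MULTI_CATEGORY_DB: Dict[str, Set[str]] = {
    "sportsbook.example": {"sports", "gambling"},
    "search.example": {"search engines", "news"},
}

# Constructed corporate policy: categories to block, plus how to treat
# hosts that neither database has rated.
BLOCKED_CATEGORIES: Set[str] = {"gambling", "pornography", "proxy avoidance"}
BLOCK_UNRATED = False


def categories_for(host: str, db: Dict[str, Union[str, Set[str]]]) -> Set[str]:
    """Normalise a rating to a set so both database styles evaluate the same way."""
    rating = db.get(host)
    if rating is None:
        return set()
    return {rating} if isinstance(rating, str) else set(rating)


def decide(host: str, db, blocked: Set[str] = BLOCKED_CATEGORIES) -> Tuple[str, List[str]]:
    """Return ("block" or "allow", [reasons]) for one request under one database."""
    cats = categories_for(host, db)
    if not cats:
        return ("block", ["unrated"]) if BLOCK_UNRATED else ("allow", ["unrated"])
    hits = sorted(cats & blocked)
    if hits:
        return ("block", hits)      # any blocked category is enough to deny
    return ("allow", sorted(cats))  # allowed; reasons list the categories seen


def compare(host: str) -> Dict[str, Tuple[str, List[str]]]:
    """Side-by-side verdict for the same host under each database style."""
    return {
        "single": decide(host, SINGLE_CATEGORY_DB),
        "multi": decide(host, MULTI_CATEGORY_DB),
    }


if __name__ == "__main__":
    for host in ("sportsbook.example", "search.example", "unknown.example"):
        print(host, compare(host))
```

The sports-plus-gambling host slips through under the single-category rating and is blocked under the cross-classified one, which is exactly the gap the policy check above is meant to close.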

Friday, August 15, 2008

Apparent Data Types

One of the more common attacks in the email world is starting to filter over into the web world. In the email world, viruses are often distributed as the payload on an email message. Typically this payload is an executable, which means it has to be suffixed with .com, .exe, .bat or some other executable suffix. As end-users have gotten more savvy, hackers have started trying to obscure their attachments so that the end-user is fooled into thinking the file is a data type that's not an executable.

The easiest way of doing this is taking the extension suffix on a file and changing it to something that the typical end-user will want to click on, download and execute. A typical example of this would be of course to take an executable and disguise it as an image file or video clip.

In reality it isn't that easy to deceive an end-user into executing a virus, as changing the suffix on a file would make it incapable of being executed. The problem comes about because when files are shuffled around the Internet, they are usually encoded or packed, using BASE64 or zip or some other encoding mechanism. This encoding can claim to carry a jpg file (for example via the MIME Content-Type header in MIME encoding), but the actual file, when decoded, may have a name like "image.jpg.exe". For most people this is problematic, as Windows by default hides the extension, and most end-users would think they are looking at a file called "image.jpg".

While many anti-malware programs will block known viruses and malware, a new variant could get past the malware scan. This is where a proxy with better security mechanisms could save your organization. Some proxies are capable of detecting mismatches in apparent data types in encoded files. This will help ensure that policies that block exe files or other executables actually get enforced. Make sure your proxy is one that understands how to look for a mismatch in apparent data type.
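As an added example (not this blog's or any vendor's code), here is the kind of apparent-data-type check described above in Python: it compares the declared Content-Type and filename extension of an object, and of each member inside a zip archive, against the magic bytes of the actual content. The signature table, sample payloads and archive are constructed for the demonstration.

```python
import io
import zipfile
from typing import List, Optional

# Magic-byte signatures for a few common data types (a constructed table,
# not a vendor's signature database).
SIGNATURES = {
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
    "pe": (b"MZ",),  # Windows PE executable (.exe, .dll, .scr ...)
    "zip": (b"PK\x03\x04",),
}

# The data type that each claimed extension or MIME type ought to carry.
EXPECTED = {
    ".jpg": "jpeg", ".jpeg": "jpeg", ".png": "png", ".gif": "gif",
    ".exe": "pe", ".dll": "pe", ".scr": "pe", ".zip": "zip",
    "image/jpeg": "jpeg", "image/png": "png", "image/gif": "gif",
    "application/zip": "zip",
}

EXECUTABLE_EXTS = {".exe", ".dll", ".com", ".bat", ".scr", ".pif"}


def sniff(data: bytes) -> Optional[str]:
    """Return the apparent data type from the leading bytes, or None if unknown."""
    for kind, magics in SIGNATURES.items():
        if any(data.startswith(m) for m in magics):
            return kind
    return None


def extensions(name: str) -> List[str]:
    """All dotted suffixes in order: 'image.jpg.exe' -> ['.jpg', '.exe']."""
    parts = name.lower().split(".")
    return ["." + p for p in parts[1:]]


def check_object(name: str, declared_type: str, data: bytes) -> List[str]:
    """Compare what the name and Content-Type claim with what the bytes are.

    Returns a list of findings; an empty list means everything is consistent.
    """
    findings = []
    exts = extensions(name)
    last_ext = exts[-1] if exts else ""
    actual = sniff(data)

    # Double extension whose final suffix is executable ("image.jpg.exe").
    if len(exts) >= 2 and last_ext in EXECUTABLE_EXTS:
        findings.append(f"double extension ending in executable: {name}")
    # Declared MIME type versus sniffed content.
    want = EXPECTED.get(declared_type.lower())
    if want and actual and actual != want:
        findings.append(f"Content-Type {declared_type} but content is {actual}")
    # Final filename extension versus sniffed content.
    want = EXPECTED.get(last_ext)
    if want and actual and actual != want:
        findings.append(f"extension {last_ext} but content is {actual}")
    # Executable content, whatever the name or type claims.
    if actual == "pe":
        findings.append("executable content detected")
    return findings


def check_zip(archive_name: str, data: bytes) -> List[str]:
    """Unpack a zip archive in memory and check every member the same way."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            for f in check_object(info.filename, "", zf.read(info.filename)):
                findings.append(f"{archive_name}:{info.filename}: {f}")
    return findings


# Constructed sample payloads: a minimal PE header stub and a JPEG header stub.
FAKE_PE = b"MZ" + b"\x90" * 62
FAKE_JPEG = b"\xff\xd8\xff\xe0" + b"\x00" * 16


def build_sample_zip() -> bytes:
    """A constructed archive hiding an executable behind an image-looking name."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", "holiday photos")
        zf.writestr("image.jpg.exe", FAKE_PE)
    return buf.getvalue()


if __name__ == "__main__":
    print(check_object("photo.jpg", "image/jpeg", FAKE_JPEG))
    print(check_object("image.jpg.exe", "image/jpeg", FAKE_PE))
    print(check_zip("photos.zip", build_sample_zip()))
```

A gateway that applies these checks after decoding can enforce an "no executables" policy even when the transfer encoding and filename both claim an image.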

Thursday, August 14, 2008

Application Firewall Reviewed by Network World

I previously discussed application firewalls in this blog, specifically talking about Palo Alto Networks. For those interested in another viewpoint on the new company and their product, Network World recently reviewed their appliance.

I've linked the article above, but it's clear that Network World felt they were more a UTM (Unified Threat Management) box than a firewall or a proxy.

Monday, August 11, 2008

Proxy Servers Give Real Time Olympics

There's been a lot of talk about the proxy servers protecting the enterprise organization during the onslaught of video that's going to be available during the Olympics. We've already covered some of it here on this blog.

There's another angle to proxy servers and the Olympics though, and it's one that you may not have thought of. Your workers may be going through a proxy server on the Internet, not to avoid your existing proxy server, but to pick up a foreign IP address in order to pick up live video streams of the Olympics. NBC has an embargo on live video on the Internet, unless it is being shown live on broadcast television in the U.S. So if there's a delayed showing on TV, you can't pick up video of the event on the Internet from a U.S. IP address. But if you have a foreign IP, you can visit a number of foreign sites that are showing the same video live.

The solution some people have found is discussed in the linked article above, which is to find a proxy server with a foreign IP address to submit your request for video to. Anonymous proxy servers tend to do this already, as many of them are located outside the U.S. We've discussed how to prevent end-users from accessing proxy servers outside the organization, and if you haven't already looked into it, it may be a good time to revisit this topic for your organization.

Tuesday, August 5, 2008

Secure ICAP

ICAP is the protocol proxies use to talk to anti-malware engines for processing content the proxy is trying to serve from the internet. The ICAP standard itself was discussed in a previous post to this blog and can be used for both request and response objects. Typically request objects get scanned by DLP engines, while response objects get scanned by the anti-malware engines. Since ICAP is used over the network, it's possible if you are using the devices on a network that's open to everyone in your organization, that someone could capture packets on the network and examine the content that's being scanned.

Secure ICAP was created to address this concern. Secure ICAP is SSL encrypted ICAP and requires both the proxy and the system the anti-malware or DLP engine is running on to support Secure ICAP. The alternative to this of course is to put a spare network interface on the proxy and on the anti-malware/DLP system on a private network so that any data passed between the two systems is kept away from prying eyes. The requirement here of course is that you have spare network interfaces on your systems to use, to ensure this security.

When you don't have the option of a private network, Secure ICAP is a nice option to have. SSL encryption will always add a little overhead to the processing on your proxy and on your anti-malware or DLP system, so be sure to take this into account before turning on this feature on your systems and proxies.

Monday, August 4, 2008

Direct to the Net

For smaller organizations, there's generally only one main link to the internet. A single proxy (or a redundant pair of proxies) solves the security needs of this organization nicely. But for larger organizations with remote offices, each of which may have its own direct-to-the-net connection, trying to control traffic may be a real challenge for the IT administrator.

While the corporate proxy controls the traffic to the internet at the main data center, it has no control over users at branch offices going directly to the internet over links that exist at the remote office. These "direct to the net" scenarios require a separate branch office proxy at each location that has its own connection to the Internet. For a large enough organization this can be a significant number of branch office proxies, which will need central management to ensure corporate policy is uniformly enforced across all proxies in the corporate network.

This "direct to the net" scenario is becoming increasingly common as internet links become a commodity. The savvy IT administrator will keep ahead of the game by making sure their corporate proxy is capable of scaling as the Internet link bandwidth increases, and scales in terms of numbers of supported branch office proxies in a centrally managed deployment.

Wednesday, July 30, 2008

Securing Outlook Web Access

Reverse proxy is one specialized deployment of the proxy architecture. For the typical organization, securing OWA (Outlook Web Access) is probably one of the most common concerns among IT administrators who secure their end-users' access to corporate resources.

Giving end-users access to OWA from the Internet is always a concern, as it requires opening up an internal server with valuable corporate resources to the World Wide Web. There's of course even greater concern, as OWA runs on an Exchange server on a Windows Server platform, a platform that needs to be secured before it can be offered on an Internet link.

The reverse proxy fills this security concern neatly as an architecture that can not only secure OWA, but provide performance improvements for the OWA server at the same time, using the caching capabilities of the reverse proxies for static items like graphics.

In selecting a reverse proxy for securing your OWA or other internal application, look for SSL-enabled security for reverse proxies. Not all reverse proxies support SSL, and SSL proxy capability is a requirement when talking about securing internal corporate resources. Additional benefits a proxy can offer include redirection to SSL login pages, timing out of logged-in sessions, and other security enhancements to web access.

The reverse proxy is a necessity in any corporate deployment of OWA access from the Internet, and can offer similar benefits for any other web enabled application that end-users are accessing from the Internet. Be sure to look for the right security features for your application when deciding on which reverse proxy to deploy.

Tuesday, July 29, 2008

Almost as if on cue ...

Almost as if on cue, Blue Coat Systems issued a warning about the Olympics two days after my posting about the worry regarding the bandwidth usage the Olympics would take up because of the unprecedented amount of videos around the Olympics that will be available.

Now is the time to prepare for the effects of the Olympics on your corporate network. Is your proxy prepared? Have you set up a policy around what can be viewed during work hours? If you're allowing video streaming, is your proxy going to cache content to help offload your Internet bandwidth usage?

All good questions you need to have an answer for and soon.

Tuesday, July 22, 2008

Web Streaming of Video Dominating Web Traffic?

It's inevitable whenever there's a big sports event, that you see articles in news journals talking about the spike in Internet usage from that event, due to everyone watching the live video streaming of it over the Internet. Net usage goes up, and slows everyone else down. The important question for the IT administrator though, is did that sporting event cause your local network to slow down as well, and did it eat up all your bandwidth to the Internet, making it impossible for your workers to get anything done that day?

The next big test of networks is coming soon. The Beijing Olympics is just around the corner, set to start on August 8, 2008. CCTV has already announced intentions to make videos of the Olympics available for download from their web site. CCTV is already planning on using an e-CDN (Content Delivery Network) to help offload their web servers. But will office workers watching the Olympics crush the typical organization's web link and internal LAN traffic? The answer is no, if you've got the right web proxy in place.

As long as you're using a proxy to secure your access to web traffic, and your web proxy supports caching of video streams, you should be able to offload the web usage by video watchers. If you have web proxies at your remote offices sharing the same link to the Internet as your main HQ, you'll also be offloading your LAN traffic. The other answer of course is to block video traffic entirely using the proxy, but that's a corporate IT and HR decision. And if it's one you decide to make, it'll be your proxy that does the blocking for you again.

Friday, July 18, 2008

HoneyGrid

For those of you who have been dealing with email problems, spam and viruses, you're probably already familiar with the term honeypot. Honeypots have been in use for some time to collect spam and virus samples on the internet. The idea of course is to get samples out in the wild as early as possible in order to create patterns to catch the spam or virus.

For web filtering and the proxy the problem is slightly different. How do you determine there's a malicious website or a new website containing some content you don't want to get on your network? The security companies have been hard at work creating a new method of getting this information as quickly as possible. Similar to the honeypot technology, the "honeygrid" uses resources out on the internet to get as many samples as quickly as possible. Larger security companies have the ability to tap their deployed network of users to help gather information around when a malicious site has been found.

As an example, Blue Coat Systems calls their "honeygrid" WebPulse. It's comprised of all the deployed ProxySG systems running their web filtering software and also all the sites that have deployed their free filtering software, K9, which according to the website currently has over 650,000 deployed copies worldwide. This force of web surfers worldwide helps Blue Coat determine when a new page has been created, and if the content is suspicious (based on real-time rating and virus scanning) gives them an opportunity to get a first look at examining the content of the page for malicious content.

When looking at threat protection for your proxy, don't forget to ask about the latest - honeygrids and whether you've got the force of web surfers working for you.

Tuesday, July 15, 2008

Threat Engines are a Necessity

In today's web world, with 1 in 10 websites being infected according to Google, it's easy to see why a "threat engine" is a critical part of the proxy architecture in any network. While the proxy was originally placed in the network to help save bandwidth and speed up access to the internet, its edge location in the network also makes it the ideal place to detect malicious intent coming from websites on the Internet.

We've talked about scanning for malicious content in previous postings, but what about the actual "threat engine" behind the scanner? How good a "threat engine" do you need to detect the malware that's out there, and do you need more than one threat engine? Those are all good questions, and ones worth researching when deploying a threat scanner on your proxy.

It's also nice to have a choice among threat engines in your proxy. Different vendors, such as McAfee, Symantec, Kaspersky, Sophos, Panda, etc., each have their own strengths and weaknesses, not to mention price points. Make sure your proxy lets you select the threat engine you use to scan for malware. The threat engine is separate from the URL filtering we've talked about in the past, but should be able to work in conjunction with your URL filter to offer you a full level of protection. The URL category databases allow blocking of categorized sites, while the threat engine helps prevent any new uncategorized sites from infecting your organization.

Friday, July 11, 2008

Proxy Avoidance

For the typical IT administrator trying to handle end-users that are trying to get around the corporate proxy, it can be a frustrating and never-ending task. New proxy avoidance sites seem to pop up every day, so it's extremely difficult to keep a blacklist of proxy avoidance sites up to date.

This is one instance where real time dynamic rating can help. Most IP addresses used as a proxy avoidance site have live web pages at that IP address that explain how to use that IP address for proxy avoidance.

These web pages can be dynamically rated by proxies that have the ability to do real-time rating. A good engine should categorize these IP addresses as proxy avoidance sites, a classification that should be blocked in the corporate proxy. As long as you're using a transparent proxy, all HTTP traffic goes through the proxy regardless of which proxy IP addresses the end-users try to use, and it can be blocked by policy set on the proxy itself to deny access to proxy avoidance sites.

For protection against proxy avoidance, do the due diligence and make sure your corporate proxy has the best protection against proxy avoidance sites, and can detect new ones as they become available.

Wednesday, July 9, 2008

Google Releases RatProxy

Google has been well known for recognizing that malicious threats are embedded in many web pages. Their research last year indicated that 1 out of every 10 web pages had some malicious content on them, regardless of the reputation of the site.

As a follow-on, Google announced last week they are releasing the code to their internal tool called RatProxy that analyzes websites for threats. While this isn't a proxy in the normal sense, it is a useful tool to make sure your own website hasn't been compromised.

The proxy analyzes problems such as cross-site script inclusion threats, insufficient cross-site request forgery defenses, caching issues, cross-site scripting candidates, potentially unsafe cross-domain code inclusion schemes and information leakage scenarios, and other threats.

Tuesday, July 8, 2008

Switchproxy

Here's a link to an interesting extension tool that lets you switch between proxy configurations on your Firefox browser easily. It creates a little drop down for you to select the proxy you want to use.

It's useful if you're on a laptop and constantly on different networks. An added bonus is that it has a built-in anonymizer for those who need to surf the web without divulging their identity.

As always a tool like this can be mis-used, so if you're a network administrator and want to make sure your end-users aren't mis-using something like this, you probably don't want an explicit proxy deployment in your network (see other posts on proxy deployments).

Monday, July 7, 2008

Secure's New Customer Isn't Blue Coat's Former?

If you didn't think competitors' relationships in the proxy space were contentious enough, a recent press release (linked above) from Secure seems to show there's really no holds barred between these two competitors.

Secure Computing put out what seems an innocuous enough press release about a new customer of theirs, Joy Global. The problem comes when they claim this customer is a former Blue Coat customer and discusses the problems the customer had with the Blue Coat solution.

Why is this such a problem? Blue Coat has come out saying that Joy Global has never been a Blue Coat customer, and all the statements with regard to the Blue Coat products are incorrect and misleading.

It'll be interesting to see how Secure responds to this one, but if in fact Blue Coat's claim is true, that puts Secure another notch lower on the integrity scale.

Thursday, July 3, 2008

Application Firewall: The Next Generation Proxy?

There's a lot of talk lately around application firewalls. While the idea sounds intriguing, there are still a lot of issues to resolve before this idea can gain wide acceptance. The idea behind an application firewall is to marry the proxy and the firewall into a single device that has the application layer security and visibility of the proxy with the packet layer security and visibility of the firewall.

While this sounds great in theory, there are a lot of practical hurdles to overcome in implementation. First off, it marries two different groups in most IT organizations, the network layer group and the security group. That alone makes it a tough sell in many larger IT organizations.

The other big hurdle? Most organizations that would implement an application firewall already have both a firewall and a proxy already, typically devices they have a considerable investment in, not only in hardware and software costs, but also in training, reporting, monitoring and other intangible investments.

Is the added benefit of a combined device enough to overcome the expense and create enough justification to remove the existing firewall and proxy? Some IT admins I've spoken to don't think so, they view the application firewall as just a fad, and expect that the proxy vendors and firewall vendors will add enough new features in their products to prevent the application firewall from getting a toehold, especially when there aren't enough compelling reasons to buy the application firewall. Yet.

Tuesday, June 17, 2008

Object Cache and Pipelining

The proxy is the ideal place to have an object cache. This should make sense intuitively. You have multiple users accessing the internet from the same location. Many of them will go to the same web sites, so caching objects from those sites locally, means more bandwidth available to all users to access the internet. It also means faster access for users to content when their requests match objects already in the cache. Objects can be anything stored on a web page, documents, images, video, or audio files.

For objects that aren't a cache hit (a first time visit by any user to a website), pipelining can help speed up access to that page. By retrieving objects in parallel instead of serially (where you have to wait for one object to finish loading before fetching the next), you can load the contents into the cache and the destination browser much more quickly than a traditional fetch.

Object caching does have its detractors. Depending on the implementation, object caches have been criticized for containing stale data. In today's on-demand 24x7 world, having the up-to-the-minute information is key. Likewise, your object cache needs to have algorithms that help it detect when data changes. Technologies like adaptive refresh keep track of the types of data in an object cache, can determine based on the data type how often that data type is likely to change, and check the server for "freshness" of the data, even if there hasn't been a recent request for it.

With the right proxy there's no reason not to have an object cache and all the benefits of caching. Look for adaptive refresh and pipelining to help speed your internet access.

Monday, June 16, 2008

Malware Threats Move from Email to the Web

Just a few years ago, the biggest concern for most IT administrators was viruses coming into their organization's networks via email attachments. The unwary user would click on an attachment and install a virus on their computer, doing damage to their own computer and to the local network.

Today, these viruses and worms still exist, but their threat is relatively mitigated with the prevalence of anti-virus scanners on the edge of the network, on servers and on desktops.

As hackers realize this, they've moved their attacks to areas that have less security, specifically web sites that employees have access to. In addition, attacks have become more targeted and smaller in volume. URLs of websites that have malicious content are now emailed to specific targets with personalized emails. Recently, an attack targeted only 500 executives, rather than the widespread mailings administrators are accustomed to with spam. While this one contained a payload, a more recent attack targeting workers at Berkeley Lab targeted employees by asking them to divulge personal information at a website.

What's an IT administrator to do about all these targeted attacks? First, make sure all your anti-virus and anti-malware software is up to date. Second, make sure your users are familiar with phishing and know to check the actual URLs before clicking on any URLs in an email message. Finally, make sure you have a security device like a proxy that knows which sites contain malicious content and blocks those sites. In recent attacks on well-known websites, the URL databases of the best proxies had the malicious websites (the URLs embedded into the well-known sites to cause harm) already categorized as malicious and blocked access to them by end-users (who were behind the proxy).

Friday, June 13, 2008

SMB Signing and the Proxy

In the world of file sharing, anyone with a Microsoft environment knows that SMB Signing is one way to ensure that the client is talking with the server it's supposed to. SMB Signing guarantees that there's no device in between the client and the server intercepting the traffic and stealing company secrets or hacking in by trying a man-in-the-middle attack.

That's a great philosophy if you know your network is secure and you have no devices in the way that will interfere with the network traffic. The problem of course comes into play when you talk about devices that do interrupt the flow of network traffic: devices that are designed to terminate network traffic, like the proxy. If you've deployed an in-line proxy, you already know that you have to make exceptions for specific types of traffic and allow that traffic to bypass the proxy. We've talked about some of these different types of traffic in previous articles here, including VoIP. SMB Signing falls into this bucket as well. In order to guarantee that you reach the file share you intend to using SMB Signing, you'll need to make sure your proxy can allow SMB Signing traffic to go through in bypass mode.

Where's the problem in all of this? There are some proxies that will allow you to intercept SMB Signing from the client, let the proxy claim it is the file server, and then re-establish the connection to the file server from the proxy. Essentially, a man-in-the-middle. While this approach may work (meaning the client can successfully connect through and get files), it seems somehow wrong, as it has broken the essential trust model that SMB Signing was based on to begin with. If SMB Signing guarantees you're talking with the file server you think you are, how does allowing a man-in-the-middle keep that trust? If your proxy can be a man-in-the-middle in SMB Signing, why can't something with malicious intent do the same thing without your knowledge?

Perhaps it's best to let SMB Signing do what it's supposed to: guarantee you're talking to the server you think you are. Bypass that traffic on the proxy, and there are no worries if you ever need to audit the connection and figure out what happened to that traffic.

Wednesday, June 11, 2008

Internet Speed Bump

As an IT administrator, there's a need to let everyone know what the corporate policy is around web usage. But how do you ensure everyone has seen the corporate policy? The Internet Speed Bump. Your proxy should allow you to create a brief message or a click-through to give your end-users a message, whether it be a policy agreement, message of the day, or just an announcement.

This page can be shown for a brief period (5-10 seconds) and then automatically redirect to the requested page, or require a click through for the user to get to their requested page.

Having a speed bump ensures that everyone has read the policy before they go browsing the web.

Monday, June 9, 2008

Why Terminate?

I read recently a very rudimentary discussion about what the difference was between a firewall or router and a proxy. The author's very quick and dirty description to explain the difference? Routers and firewalls pass traffic and connections (assuming the policies allow it), while proxies terminate traffic and connections. While this is a simplistic view, it does beg the question, why terminate?

The quick answer? Inspection and security. By terminating the connection, you get to inspect the content of everything going through the box. There's no worry about any hidden content being tunneled through the connection. Proxies have to terminate a connection and rebuild the connection to the final destination.

At the same time, proxies are smart enough to know what protocols can't be terminated, and allow certain applications to be bypassed, such as VoIP, which would not be able to tolerate disruption.

Typical routers and firewalls either allow or block traffic. Most organizations allow HTTP (web) traffic through the firewall and router. End-users can go to the web, to even secure (HTTPS) sites, but without a proxy, there's no visibility to what the user is doing, whether they are downloading malware, sending out confidential information (against corporate policy), or visiting sites that are not condoned by human resource regulations.

The proxy provides the visibility and control the IT administrator needs for today's applications.

Friday, June 6, 2008

Packeteer in a Proxy?

Last month Blue Coat announced intentions to purchase the networking company Packeteer. Today they released an announcement that the deal has been completed. As one of the heavyweight leaders in the proxy market, it led many of us to wonder what it is that Packeteer can do for a proxy.

For those of you unfamiliar with Packeteer, their main product line is called PacketShaper, a product that classifies data going across the network, and gives the administrator the ability to manage the bandwidth being allocated to different applications. PacketShaper also does some compression and TCP optimization to improve the bandwidth usage of the application.

Blue Coat has called PacketShaper the "crown jewel" they were buying Packeteer for. PacketShaper will definitely give Blue Coat the ability to recognize more applications, and when you recognize more applications, you can probably proxy more applications. In a previous article we talked about proxying applications besides HTTP and HTTPS. With better visibility, you can even start talking about different policies for different HTTP-based applications.

There's nowhere for the proxy to go but to get smarter. This is good news for all IT administrators.

Wednesday, June 4, 2008

Developing a Webmail Policy

Does your organization have a policy on who can use external webmail and what can be sent out using external webmail? In today's web world, it's all too easy to get to a web-based email platform and download a malicious virus or to send sensitive corporate data out of a secure private network. With web-based email even more prevalent than client based email today, it's important to set parameters around its use in the corporate environment.

Today's proxies let you create policy around web-based email. It can be an extremely strict policy blocking access to all web-based email, or you can be selective, allowing access to web-based email pages but blocking downloads of attachment files to avoid any possible download of viruses. Alternatively you can set policy to use an anti-virus scanner to scan any downloads that are permitted by policy.

For outbound DLP (data leakage protection), a proxy can help by sending any documents being uploaded through web-based email to a DLP scanner via ICAP. We've discussed ICAP as a protocol available to proxies in a previous article in this blog.

With all these options available on many proxies, there's no reason not to have a policy on access to web-based email.

Tuesday, June 3, 2008

Proxy isn't just for the web anymore

When most administrators think about proxies, they automatically assume secure web gateways: a proxy to handle web traffic in and out of the corporate network. Today's proxies handle a lot more than just web traffic. Modern proxies can proxy FTP, P2P (peer to peer), IM (Instant Messaging), and other protocols. They also recognize applications within web pages, and many proxies can even filter or block embedded chat mechanisms in web pages.

While proxies provide mechanisms to control these additional protocols, they can also set policy for them by user or group. For example, perhaps the sales organization needs IM to keep in touch while they're on the road, so those users can be allowed to chat online, while the remainder of the organization can be forced to use an internal-only chat mechanism (like Jabber), or have it completely restricted. The support organization may need FTP for transferring files for debugging, while it's a risk to allow it for the rest of the organization for DLP (data leakage protection) reasons.

Today's proxies give you a lot more reason to make sure they are part of your network security toolbox.

Friday, May 30, 2008

A Proxy of One

The proxy makes a lot of sense as a security device in the data center, and even at branch offices where there's a direct Internet connection. It provides a level of security against malware coming from the Internet, and it enforces corporate policy. The only problem is that in today's mobile world, almost everyone has a laptop, and more likely than not, your end-users will be connecting to the Internet from a network that isn't the corporate network. The end result, of course, is that they won't have the protection of the proxy.

What's the solution? A proxy of one. All the features of the proxy built right into a client that runs directly on the laptop itself. Because the proxy of one has to not only protect the end-user but also enforce corporate policy, it needs to be managed and controlled from the enterprise data center.

While there are plenty of software packages that offer web filtering and protection, few do so with the ability to be centrally managed. Blue Coat Systems announced a package that goes one better. In addition to being a centrally managed, distributed proxy-of-one solution, their ProxyClient solution also offers WAN Acceleration in the same package (see this article regarding WAN Optimization in the proxy).

There's really no reason you can't have the protection of the proxy, even when you're on the road.

Friday, May 23, 2008

PAC and WPAD

There are plenty of deployment methods for proxies, and we've touched on a number of them in this blog. If you've decided on an explicit proxy implementation (where you block all access to the web from any IP address in your organization except for the IP address of the proxy), there's a need to configure the proxy's IP address in every browser's configuration. This alone sounds like a nightmare of a chore for any systems administrator.

Luckily there are two technologies to help with this chore, PAC (Proxy Auto Config) and WPAD (Web Proxy Autodiscovery Protocol). These technologies help to ensure that all browsers in your organization use the same proxy configuration, without the need for the administrator to visit every browser manually.

The PAC standard allows the administrator to create and publish one central proxy configuration file. A PAC file contains a JavaScript function "FindProxyForURL(url, host)". This function returns a string that causes the user agent to use a particular proxy server or to connect directly. Typically the PAC file is named "proxy.pac". You can configure the PAC file to have multiple proxy targets in order to provide a backup if a specific proxy fails to respond. To use PAC, you publish the PAC file on a web server and instruct a user agent to utilize it, either by entering the URL in the proxy connection settings of your browser or through the use of the WPAD protocol.

The WPAD standard allows two ways for the system administrator to publish the location of the proxy configuration file, using the Dynamic Host Configuration Protocol (DHCP) or the Domain Name System (DNS).

Prior to fetching its first page, the web browser using WPAD sends the local DHCP server a DHCPINFORM query, and uses the URL from the WPAD option in the server's reply. If the DHCP server does not provide the necessary details, DNS is used. For example, if the hostname of the end-user's computer is dhcp123.company.com, the browser will try a URL based on the domain name to find the correct file. In this case it would try http://wpad.company.com/wpad.dat.

With the implementation of PAC and/or WPAD, you can relieve some of the administrative work in getting an explicit proxy deployment to work. If you need some additional information on PAC and WPAD, https://www.wikipedia.org has some great examples.
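As an added example (not code from the original post), here is a small PAC file of the kind described above, together with the DNS-based WPAD lookup: the "backup proxy" behaviour is expressed by listing several targets in the returned string. The proxy names, ports and the internal domain corp.example are constructed placeholders, and the three helper functions are re-implementations of ones a browser's PAC engine normally supplies, included only so the file also runs under Node.

```javascript
// Helpers normally provided by the browser's PAC engine (isPlainHostName,
// dnsDomainIs, shExpMatch). Re-implemented here so the file runs under Node;
// a real proxy.pac would omit them.
function isPlainHostName(host) {
  return host.indexOf(".") === -1;
}
function dnsDomainIs(host, domain) {
  return host.length >= domain.length &&
    host.substring(host.length - domain.length) === domain;
}
function shExpMatch(str, shexp) {
  // Translate a shell glob ("*" and "?") into an anchored regular expression.
  const re = "^" + shexp.replace(/[.+^${}()|[\]\\]/g, "\\$&")
    .replace(/\*/g, ".*").replace(/\?/g, ".") + "$";
  return new RegExp(re).test(str);
}

// The one function every PAC file must define. The returned string is a
// semicolon-separated list of targets the browser tries in order.
function FindProxyForURL(url, host) {
  host = host.toLowerCase();
  // Intranet short names and the internal domain (constructed) never leave
  // the network, so they bypass the proxy.
  if (isPlainHostName(host) || dnsDomainIs(host, ".corp.example")) {
    return "DIRECT";
  }
  // The proxies' own management interfaces must not be routed via themselves.
  if (shExpMatch(host, "proxy*.corp.example")) {
    return "DIRECT";
  }
  // Everything else goes to the primary proxy, then the backup. There is
  // deliberately no trailing DIRECT: a proxy outage should fail closed
  // rather than silently become an unfiltered connection.
  return "PROXY proxy1.corp.example:8080; PROXY proxy2.corp.example:8080";
}

// WPAD DNS fallback, as in the dhcp123.company.com example above: drop the
// host's own label and try http://wpad.<domain>/wpad.dat, walking up the
// domain tree. The loop stops before the top-level domain so the browser
// never asks an Internet-controlled "wpad.<tld>" for its configuration.
function wpadCandidateUrls(fqdn) {
  const labels = fqdn.toLowerCase().split(".").filter(Boolean);
  const urls = [];
  for (let i = 1; i < labels.length - 1; i++) {
    urls.push("http://wpad." + labels.slice(i).join(".") + "/wpad.dat");
  }
  return urls;
}
```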

Thursday, May 22, 2008

The Reverse Proxy

The reverse proxy, sometimes referred to as the inbound proxy, is the proxy deployed at the edge of your network to protect the organization's web presence. Reverse proxies that double as web caches are also used to expand the capacity of the organization's web servers, since a web cache can typically handle many more requests for content than a web server. Reverse proxies can also protect web servers from attacks coming from the Internet.

In addition to an organization's web presence, a reverse proxy can also help secure services the organization serves to their employees through the web, such as Outlook Web Access (OWA), Microsoft Exchange's web-based email offering. Typically organizations allow their employees to retrieve email using this web service when they are traveling or working from home. A reverse proxy can help prevent malicious attacks, denial of service attacks, and other security risks to the web server.

A reverse proxy protecting an OWA server has to be able to intercept SSL, as most organizations will want to make sure that email access is secure. A good reverse proxy will be able to force users to do an SSL login (redirect to https) and log out inactive users. A truly advanced proxy will also provide virus protection and content filtering capability, including ILP and DLP (Information and Data Leakage Protection).

Tuesday, May 20, 2008

WCCP and the Proxy

If your network is truly mission critical, and you need to be up 24x7, then bringing down your network to install an inline proxy probably isn't the best solution for your needs. First there's the service window to do the install (not necessarily a show stopper, but something you'd probably like to avoid). Second, there's the proxy itself. While it may have advanced features like fail to wire (the ability for traffic to flow through if the device itself fails), you may still consider it a single point of failure and need or want better redundancy.

In this scenario, you may want to look at WCCP (Web Cache Communication Protocol) as your solution. The requirements? Cisco routers in your environment running IOS version 12.1 or higher. WCCP was originally developed for Cisco routers to redirect web traffic to Cisco Cache Engines, but today it will work with any proxy that supports WCCP.

WCCP has built-in load-balancing, scaling, fault tolerance, and service-assurance (failsafe) mechanisms. With all these features, WCCP may just be the solution for the mission critical network. There's no excuse for not having a proxy acting as a secure web gateway.

Monday, May 19, 2008

In the News Malware by Proxy - Fake Search Engine Results

Here's a new article on legitimate websites being infected by malware. This article states that 15,000 web pages were infected daily between January and March of this year (3x the rate from the previous year), and of those pages, 79% were on legitimate websites, including Fortune 500, government agencies and even security vendors!

Once again, with new threats emerging from the web, there's no reason why your organization should go without some sort of web protection. The secure web proxy is the first line of defense against sites that are infected with malware. Make sure your proxy is checking all web sites, and doesn't rely on some sort of reputation-based system. As you can see from the article above, even reputable websites get infected, and a system that bypasses reputable websites will leave your organization vulnerable to malware.

Wednesday, May 14, 2008

Making the Proxy Work in Your Environment

One of the major concerns about implementing proxies to secure web access is the need to tie into an existing infrastructure without creating an added layer of authentication for the end-user and any additional work for the IT administrator.

Many of us still think of proxies as a clunky network security tool: one that we place on the edge of the network, then set up the firewall to prevent access to the Internet for all hosts except the proxy. The final step is then setting up all our users' workstations to point to the proxy in order to give users access to the world wide web.

Luckily for IT administrators, the world of proxies has evolved and with it the ease of implementation and integration with existing networks. Unlike the time when all users had to explicitly point their browsers at a proxy, today proxies can be deployed inline to capture all web traffic automatically, or even out of path, using WCCP (Web Cache Communications Protocol) to redirect the web traffic to the proxy.

Even the authentication issue has been simplified with the introduction of Single Sign-On mechanisms available for many proxies. Advanced proxies offer integration with a number of well-known authentication databases including LDAP, Active Directory, NTLM, Kerberos, RADIUS, TACACS and others. Single Sign-On can be integrated with a web portal page or the existing Microsoft sign-on mechanism in any organization.

Today, there's really no excuse for any IT administrator to forgo implementing web security in their network. Proxies have evolved to become the right solution for any organization's concerns around web access.

Tuesday, May 13, 2008

ICAP and the Proxy

For IT administrators, the proxy is a well-known part of the network infrastructure. Admins use the proxy to secure their end-users' access to web sites on the Internet, and they expect the proxy to provide access restrictions and logging based on the websites visited. Today proxies do more than ever before.

With the introduction of ICAP (Internet Content Adaptation Protocol) based on RFC 3507 (2003), proxies gained the ability to provide even more significant security functions. ICAP specifically has been implemented with proxies for anti-virus scanning (including malware scanning), URL filtering, and for DLP/ILP (Data Leakage Protection/Information Leakage Protection) scanning.

ICAP allows the proxy to talk to a secondary device, using policy to decide what needs to be sent to the secondary device for filtering/scanning. For example, an administrator can create a policy on a proxy to have all file attachments sent to the ICAP server for anti-virus scanning. This is useful where end-users have access to webmail on the Internet and are downloading files from the email service. Any other files downloaded from the web can be targeted for malware scanning as well.

In the DLP/ILP scenario, a policy for any files uploaded to a webmail service could be implemented to allow for the search of any proprietary or confidential information in the uploaded file.

One of the biggest benefits of ICAP is the standards-based nature of the protocol, allowing the administrator to choose from a variety of vendors for anti-virus, URL and DLP/ILP solutions that can integrate with their proxy. These new tools for the proxy let the IT administrator keep web browsing safe for their end-users in an age when more threats than ever are showing up on web pages.
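As an added example (not code from the original post or any vendor's product), here is what the proxy-to-scanner conversation from the anti-virus scenario above looks like on the wire: the proxy wraps the downloaded file in an ICAP RESPMOD request per RFC 3507, and then turns the scanner's reply into a deliver-or-block decision. The ICAP URI, host names, sample file and scanner reply are all constructed.

```javascript
const CRLF = "\r\n";

// Offsets in the Encapsulated header count bytes, not characters.
function byteLen(s) {
  return Buffer.byteLength(s, "utf8");
}

// The encapsulated HTTP body must use HTTP/1.1 chunked transfer encoding.
function chunked(body) {
  const last = "0" + CRLF + CRLF;
  return body.length === 0 ? last
    : byteLen(body).toString(16) + CRLF + body + CRLF + last;
}

// Build a RESPMOD request: ICAP headers, then the original HTTP request
// headers, the origin server's response headers and the chunked body. The
// Encapsulated header tells the scanner at which byte each section starts.
function buildRespmod(icapUri, httpReqHdrs, httpRespHdrs, body) {
  const reqHdr = httpReqHdrs.join(CRLF) + CRLF + CRLF;
  const resHdr = httpRespHdrs.join(CRLF) + CRLF + CRLF;
  const offsets = {
    "req-hdr": 0,
    "res-hdr": byteLen(reqHdr),
    "res-body": byteLen(reqHdr) + byteLen(resHdr),
  };
  const encapsulated = Object.keys(offsets)
    .map((k) => k + "=" + offsets[k]).join(", ");
  const icapHdrs = [
    "RESPMOD " + icapUri + " ICAP/1.0",
    "Host: " + new URL(icapUri).host,
    "Allow: 204", // the proxy accepts "204 No Content", meaning "unchanged"
    "Encapsulated: " + encapsulated,
  ].join(CRLF) + CRLF + CRLF;
  return { message: icapHdrs + reqHdr + resHdr + chunked(body), offsets };
}

// Parse the scanner's reply. 204 = deliver the original content; 200 with an
// encapsulated res-hdr = the scanner substituted its own HTTP response
// (typically a block page); anything else is treated as a scan failure and
// the file is withheld rather than passed through unscanned.
function parseIcapReply(reply) {
  const headerEnd = reply.indexOf(CRLF + CRLF);
  const lines = reply.substring(0, headerEnd).split(CRLF);
  const status = parseInt(lines[0].split(" ")[1], 10);
  const headers = {};
  for (const line of lines.slice(1)) {
    const i = line.indexOf(":");
    headers[line.substring(0, i).toLowerCase()] = line.substring(i + 1).trim();
  }
  const encapsulated = {};
  for (const part of (headers["encapsulated"] || "").split(",")) {
    const [name, off] = part.trim().split("=");
    if (name) encapsulated[name] = parseInt(off, 10);
  }
  let verdict = "fail-closed";
  if (status === 204) verdict = "deliver-original";
  else if (status === 200 && "res-hdr" in encapsulated) verdict = "deliver-modified";
  return { status, headers, encapsulated, body: reply.substring(headerEnd + 4), verdict };
}

// A constructed exchange: the proxy sends a downloaded file for scanning and
// the scanner answers with a block page in place of the file.
function sampleExchange() {
  const file = "constructed sample payload, not a real executable";
  const request = buildRespmod("icap://av.corp.example:1344/avscan",
    ["GET /downloads/report.exe HTTP/1.1", "Host: files.example.org"],
    ["HTTP/1.1 200 OK", "Content-Type: application/octet-stream",
      "Content-Length: " + byteLen(file)], file);
  const page = "<h1>Download blocked by anti-virus scan</h1>";
  const blockHdr = ["HTTP/1.1 403 Forbidden", "Content-Type: text/html",
    "Content-Length: " + byteLen(page)].join(CRLF) + CRLF + CRLF;
  const reply = ["ICAP/1.0 200 OK", 'ISTag: "constructed-sig-version"',
    "Encapsulated: res-hdr=0, res-body=" + byteLen(blockHdr)]
    .join(CRLF) + CRLF + CRLF + blockHdr + chunked(page);
  return { request, reply, decision: parseIcapReply(reply) };
}
```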

Monday, May 12, 2008

In The News: Web Forums Hijacked to Spread Child Porn

The above is an older article from June of 2007, but I thought it was a good article to highlight the spread of attacks on websites, even ones you would not expect to be attacked. Hackers attacked and infiltrated well-known sites, including ones that are for kids, inserting links to pages that contained pornography.

This is a good reminder to make sure the web security proxy you're using for your organization's access to the internet has the ability to look at embedded links and rate them separately from the main page. That way your users still get the content they're looking for and you get to block out the malicious content that was inserted by hackers.

Thursday, May 8, 2008

In The News: Web Porn at Work

The news article above outlines one Japanese worker who surfed porn at work and was undetected for quite some time. It was not until his computer picked up a virus from one of the sites he was surfing that his extensive browsing was discovered.

Wouldn't you hate to have been the IT administrator of that network, having to explain why you didn't detect this waste of bandwidth earlier? Or even simpler, why such an abuse of corporate policy was allowed without detection.

The web proxy would have been the simplest network device to have implemented, to enforce policy, or at the very least categorize web browsing into reports for management to see where traffic was going and from which IP addresses. It's incredible to think that with the network tools available today, we still hear stories like this one.

Wednesday, May 7, 2008

Secure Computing Stumbles

Contrary to all my predictions about the proxy returning to the spotlight as the focus of security for the enterprise, Secure Computing seems to be having problems selling their web security solutions, according to the Motley Fool article linked above.

According to the article, growth for Secure has slowed from an anticipated 20% down to a mere 2%. Motley Fool goes on to suggest the economy is to blame for Secure's woes, but then corrects itself by indicating that other security vendors (proxy, anti-virus and other) don't seem to have a problem with the economy. That said, is web security still where the focus needs to be for the IT administrator?

In my opinion, undoubtedly. There are still way too many threats on the web, with more being reported every day. When reputable web sites like the New York Times and the United Nations are being infiltrated with malware, there's no telling which site is truly safe to browse.

You certainly don't want to be the IT administrator who has no response, when asked, "what did you do to prevent that latest outbreak from a web site's drive-by malware download?". Be proactive, and at the very least be able to show you've put some web security in place in your corporate proxy.

Monday, May 5, 2008

Mash Up?

You may have been hearing the term "mashup" more and more when referring to web pages and websites. But what's the implication for the IT administrator, the end-users and the security proxy?

First we have to talk about what a "mashup" refers to. A mashup is a web page or web application that delivers content on demand combining different media and applications. The Wikipedia link above to the definition of mashup uses the example of Google Maps being used in a real estate page to build a full page combining not only map data, but photos, video and other information for the end-user. The key here is personalized content.

That's great for the end-user. It means getting better information, quicker than ever before. But it may become the IT administrator's nightmare. The biggest problem with the mashup is that the old web security technologies in proxies may not be able to recognize the threats that come in the form of a mashup. URL databases that do web crawls may not necessarily get the same information that the end-user gets, because the personalized content will be delivered based on the end-user's history with the website, something the web crawler won't have.

As the web becomes more and more dynamic, the old URL databases and database filtering will become less and less relevant for companies that are trying to enforce web access policies. A company with a policy against pornography in the workplace may find it more and more difficult to enforce this policy with just URL database filtering. More and more, it will be necessary to evaluate web pages in real time based on the actual content being delivered to the end-user, and to evaluate embedded URLs in delivered content. An embedded URL in a mashup needs to be evaluated independently of the web page, as it can come from anywhere on the world wide web. Unfortunately, web reputation is going to be less and less useful as more well-known websites get infiltrated.

What does all of this mean for the IT administrator? It means ensuring they have the latest security tools in their proxy's arsenal. Real time virus scanning, real time URL categorization, and embedded URL checking are just a few of the technologies the IT administrator needs to be looking for in their proxy. It's going to be important to keep track of new technologies as they evolve and make sure they get deployed successfully after a reasonable testing phase.

Friday, May 2, 2008

Everything Old is New Again

When the web started out, it was quickly recognized that there was a need to protect and secure the web space as well as expand the capacity of the web. The proxy quickly became the source of that expansion capacity as a web cache, and, working in tandem with the corporate firewall, provided the security that IT administrators were looking for in logging and controlling access to the Internet.

The focus of security quickly shifted from the web proxy to email in the new millennium, as viruses and worms were quickly propagated using email transmission. Edge email gateways became the hot product and Ciphertrust and Ironport became the "in" products to have.

As hackers start to realize that organizations have the email problem mostly in-hand, the threat vector has started to shift back to the web again. We're seeing more and more "drive-by" downloads of spyware and viruses on web pages, even well known and reputable web sites.

While the proxy may trigger memories of days gone by, it's going to take its place in days to come as well. The proxy is ideally suited to handle web threats, and every organization needs to start taking threats from the web seriously, as seriously as e-mail borne viruses if not more so, as few end-users today consider the web a source of threats.

Thursday, May 1, 2008

Defining the Line Between Good and Bad

As the IT administrator, you probably don't want to be tasked with setting the policy for what's allowed in the workplace. Unfortunately, in many cases the IT administrator has to make the decision as to how to interpret a vague or non-existent HR policy on what's permissible on the corporate network.

There are some obvious categories that should be blocked from the corporate network. Prevent malware, spyware and viruses, and implement tools and protection to that end. Next most obvious is probably pornography, for all sorts of reasons, a sexual harassment lawsuit being the most convincing. After those two categories, everything else is probably more of a gray area if no one in your HR organization has already defined a policy.

The URL database vendors for proxies have made it easy to get specific websites categorized into these different buckets, and the proxy makes it relatively simple to set up policy to block the unwanted categories. That leaves the categories that are sort of in between. Is it acceptable to go shopping on company time? For the administrative assistant that's probably a yes, if he or she is going to the office supply store's website to order items for the office. But do other employees really need to be browsing eBay during working hours?

How about a sports website? Perhaps if you work for ESPN or Sports Illustrated, that makes sense, but the typical office worker probably doesn't need access to those sites. And there's the hard call for the IT administrator. Should they be the arbiter in deciding what's allowed?

With some proxies, the IT administrator doesn't need to make that decision. Anything the IT administrator decides is in a gray area can be put into a policy that displays a warning page when that type of site is visited. For example, if an employee visits eBay, a guidance page can be displayed stating that the site is a "shopping" site, warning the user that it may not be within the parameters of their job to visit such a site and that their visit will be logged, and letting them visit the site by clicking through the warning page if they want or need to. The benefit of this "guidance" page is that it leaves the decision about whether an employee can visit a page to the employee and not to the IT administrator.

If you're an IT administrator lucky enough to have a clear policy set by the HR department, a good proxy can also let you configure the policy to do whatever has been decided. Perhaps it's not okay to visit sporting sites during the day from 8 to 5, but outside of that time there's no restriction on those sites. Perhaps the executives on management row don't have any restrictions on where they can browse, but everyone else does. These should be policies that your proxy lets you set. The proxy should be a tool in the IT administrator's arsenal, and one that helps keep the administrator out of the HR policy-setting process.

Monday, April 28, 2008

Forcing Google Safe Search

One of the ways Google is trying to help ensure safe surfing of the web is a feature in their image search called "safe search". When "safe search" is enabled, any images that have offensive (pornographic) content are prevented from showing up in the search results. It's a nice feature, but in an office environment there's generally no way to force everyone to use it. In fact, many users trying to get around web filtering products like a proxy do so by using Google's image search without safe search turned on. The problem is that Google caches many images that traditional proxies block when you go directly to the page hosting the image, but these traditional proxies aren't smart enough to block the cached image in Google.

Blue Coat Systems' ProxySG, interestingly enough, offers a couple of features to help prevent this proxy bypass from occurring. First, it can actually check embedded URLs like the ones in Google's image search and block the images from appearing in the search results, so rather than seeing the picture the end-user sees only a broken link. The other option it offers is the ability to force safe search for every search that's done. It does this by rewriting the URL of the search request into a safe-search request every time a user requests a search, regardless of whether the safe-search feature was enabled.

These are two great tools to help keep your HR policy enforced, without having to worry about holes in the proxy that might otherwise get your IT group into trouble.

Friday, April 25, 2008

In the News: Web Infection Attacks Reputable Web Pages

It seems almost on cue that the above article on web infections appeared in The Register yesterday. It's a perfect example of my previous blog article on why reputation doesn't solve the web filtering problem and can be a detriment to the organization. The article in The Register points to two highly reputable websites that were infected with malware, the United Nations and the UK Civil Service. The solution, as I've reiterated a few times on this blog, is to implement a proxy-based web security system that checks and blocks embedded URLs and requests for redirection based on not only URL filtering but real-time dynamic ratings when needed. And of course there's still the need to scan all web pages for viruses, so don't forget the anti-virus scanner for the web gateway.

Thursday, April 24, 2008

CDN - Content Delivery Networks

CDNs (Content Delivery Networks) are becoming more popular in organizations looking for ways to effectively reduce travel and training costs. CDNs offer a way to distribute training, announcements and regulatory-mandated deliverables (HR announcements, etc.) to the employee population via streaming video content. The video content can be Flash, Windows Media, QuickTime, or live video.

In California, every organization is tasked with regulatory requirements around sexual harassment training, and one way to fulfill this and keep track that everyone has taken the training, is through a CDN that is delivered by a proxy. The proxy keeps track of authentication, to log who has taken the training, and gives the ability to save the bandwidth required to send the video content around the network, as well as offload the server serving the video content.

The proxy offers authentication and logging capabilities for compliance, caching of video for bandwidth savings, stream splitting at remote locations for additional bandwidth savings, and caching of video that reduces the load on the video server. Sounds like a win-win situation, right? Unfortunately, not every proxy will support CDNs, so you'll need to shop around and find the one that has the features your organization needs.

Wednesday, April 23, 2008

InterOp Vegas

Either you love or hate conferences and the associated exhibition floor. But for those of you that enjoy going to talk to vendors and grabbing the occasional tchotchke, next week's InterOp show in Vegas is one that anyone in networking is sure to be familiar with.

I started attending InterOp shows back in 1991, and the show has certainly come a long way since then. The show reached its peak (in terms of size) back during the dot com boom, and hasn't really regained the exhibition size it once had, so this year's show is at the Mandalay Bay Convention Center. Even on a smaller scale, InterOp remains one of the important shows to keep track of what's happening in networking, and to a smaller degree, network security.

It's no surprise then that many key proxy vendors will be displaying their wares on the show floor, and some will probably have interesting announcements around their products. I'll keep tuned and let you know any interesting tidbits I see or hear about as a result of InterOp.

Tuesday, April 22, 2008

Blogged: Ways to test your Proxy for Security

We've talked a lot in this blog about needing to have a secure web gateway as your proxy and many of the security features that are needed to protect the organization from threats on the web. One of the things we haven't really discussed is how you test that your proxy is actually secure from threats on the web.

The website linked in the title bar above is a blog article on iCranium that discusses testing the security of web applications using proxy-like devices. These are four testing tools that you could use against your web proxy while visiting different websites: Burp Suite, Paros, Fiddler and WebScarab. Each of these has a separate focus, but together they form a really powerful suite of tools for testing the web security of your proxy and of your web presence.

Monday, April 21, 2008

Fake and Poisoned Websites?

The link above goes to a good article about threats on web pages, including poisoned websites. The key to this is the second section, which says that cyber-criminals can poison legitimate websites. I've discussed in the past that your web proxy needs to be able to block malicious content regardless of source. Web reputation doesn't buy you much when it allows a site just because it has a good reputation, in the off chance that site has been poisoned. Hedge your bets and scan everything that could possibly be malicious.

The other really interesting piece mentioned in this article occurs at the end. There's a demonstration of how something we all consider relatively benign, an MP3 file, can contain malicious content. The author has an MP3 you can download, but the catch here is that the MP3 file contains code that opens pop-up windows when you play the music file. That's pretty scary if you think there's probably more than just opening browser windows that could happen from downloading and playing an MP3 file.

So what's the lesson here? Make sure your web proxy scans for viruses, malware, and protects you from spyware on all the pages your employees visit. Don't let a webpage get past a scan just because it's got a good reputation.

Friday, April 18, 2008

WAN Optimization moves in on the Proxy

In a previous article I talked about whether WAN Optimization belonged in the proxy and referenced Blue Coat's implementation in their proxy device. Apparently other WAN Optimization vendors are beginning to believe the same story, as Riverbed has announced their partnership with Secure Computing. While this announcement shores up Blue Coat's story, the above linked article shows that at least one networking pundit believes there's little substance to Riverbed and Secure's announcement other than marketing fluff.

Mike Rothman refers to the partnership as "No Coat" and calls it a "Barney" deal (as in Barney, the purple dinosaur - you know "I love you, you love me"). I'm sure this isn't the first partnership in response to Blue Coat, nor will it be the last, as we'll continue to see proxy vendors integrate, partner and merge with WAN Optimization vendors.

Wednesday, April 16, 2008

In the News: Larger Prey are Targets

The New York Times ran an article today about a recent phishing threat that seems to have snared a lot of victims. Apparently this latest attack was much more realistic to end-users, but also carried a much bigger threat than most phishing attacks. The typical phishing attack asks end-users to enter their personal information on a fake website, an act that makes most users at least a little suspicious of the nature of the site. This scam was much more devious in getting the end-user to click on a link for more information, and that link was to a web page that did a drive-by install of software that monitored keystrokes on the end-user's computer and also gave control of the computer to the hackers.

The most striking thing about this article to me was the fact that traditional anti-virus programs for the most part were unable to protect end-users from this threat. This particular kind of attack is one where a desktop anti-virus program isn't the best solution, but a proxy is ideally suited to protect the end-user from malicious code in a web page. Too many security administrators think that anti-virus is sufficient, and it was back when threats came in primarily through e-mail. As technology moves back towards the web (including web based email), threats now reside in both e-mail and web pages.

The proxy is ideally situated to protect any organization from web threats, including phishing scams like this one. Check out your proxy vendor and make sure they would have protected you from this threat.

Tuesday, April 15, 2008

Web 2.0 in a Proxy World

In today's always-on, information-overloaded world, the term Web 2.0 has become acceptable to cover any new web technology, display of web information, and use of the web. The definition of Web 2.0 remains fluid and evolving, making it difficult for a network administrator to understand which threats associated with Web 2.0 he or she needs to be aware of.

The IT press is publishing articles that display Web 2.0 as a doomsday scenario for many IT administrators. Today, Web 2.0 covers any new web based mechanism of sharing information, whether it's blogging, social networking, or file sharing. Dynamically displayed web pages, using technologies such as Ajax, contribute to the feel of a new web experience.

The threat to the proxy administrator is that URL databases and web reputation are no longer sufficient by themselves to protect the end-user from threats that are created dynamically on web pages based on random criteria. One user viewing a page may see a perfectly safe page with no threats, but the next person looking at the same URL may get embedded drive-by malicious code that was created dynamically.

Just because a site has a good reputation doesn't protect you from the possibility of getting a virus or spyware from that site. Less of a problem, but still a problem, is also the possibility of displaying content that may be prohibited by corporate policy. Because this content can be dynamically created and differ by viewers of the same URL, once again, standard categorization or single bucket categorization will be less than effective in enforcing corporate policy.

So, what's the proxy administrator to do in a Web 2.0 world? The first step is obviously to keep your proxy up to date, and to make sure your proxy has the latest in security features. Make sure your proxy is a "secure web gateway" (to use Gartner's terminology). This means that in addition to the URL database, there's a mechanism to examine content for malware, regardless of categorization or reputation. Also make sure your proxy doesn't categorize URLs into single buckets, but allows a URL to span multiple categories, and is able to dynamically rate any page as needed.

Monday, April 14, 2008

In the News: Wishing RSA Away

A strange title for a blog article. RSA is perhaps one of the more respected conference shows out there. The author of the linked blog is of course not wishing the conference away, but rather wishing that the need for the conference would go away. To think that we don't need any security on our networks, that everyone is well behaved, or that all of our network devices handle problems without our intervention, seems, well, like a fantasy. The point, of course, is that it is unlikely that the need for RSA will go away anytime soon.

But the author does point to the fact that many vendors continue to make strides in addressing threats and vulnerabilities, so it's always a good idea to look around and make sure your vendor has the latest and/or the best protection for your needs. And remember to look past the hype, and look for concrete features that have a purpose, and a benefit that can be demonstrated.

Friday, April 11, 2008

Other Common Proxy Avoidance Techniques

A few weeks ago we discussed a website that pointed out some obvious obfuscation techniques used to hide the actual URL being visited. Most of these techniques revolve around masking the actual URL using variations on the IP address, and using the username/password portion of the URL to give the appearance of visiting a site other than the one actually being accessed.

In addition to using these techniques to try and confuse the proxy, there are other ways the end-user can try to get around the proxy. If the goal of the end-user is to reach images that are being blocked by URL, a common technique is to go to Google Images and do the search there to get the images. A less capable proxy will display the images, as most proxies don't go the extra distance to block the embedded URLs displayed in each of the search results. There are proxies out there that are smart enough to block pictures pointing to embedded URLs, and some that are even capable of re-writing the Google search so that it always comes out as a "safe search" regardless of the setting the end-user tries to use.

Google also offers another common method that end-users will attempt to use to bypass the proxy. The translation feature Google offers for web pages produces a URL that looks like a Google URL, but contains all the contents of the page that was requested to be translated. For example, if you take www.playboy.com and ask Google to translate it from English to French, the result is a URL pointing at google.com, which once again a lesser proxy will display to the end-user, but a more capable proxy should be able to block.

So what's the lesson here? Buyer beware when selecting your proxy. Be sure your proxy has advanced features like the ones discussed here. As end-users get more savvy, your proxy needs to be even more intelligent.
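To show what the "advanced features" discussed in this post and in the Web 2.0 post above look like in practice, here is an added example of a toy secure-web-gateway policy check. It is not code from this blog or from any proxy vendor. It unwraps the real target URL carried inside a Google Translate or Google Images request, rates that target against a database in which one URL can belong to several categories at once, forces SafeSearch on Google search requests, and scans response content regardless of how the URL was categorized. The host names, query parameter names (`u=`, `imgurl=`, `safe=active`), the category database and the content signature are all assumptions constructed for illustration.

```python
"""Added example, not part of the Proxy Update blog or any vendor product.
A toy secure-web-gateway policy: unwrap embedded target URLs, apply a
multi-category policy, force SafeSearch, and scan content regardless of
URL category. Parameter names, hosts and the category database are
assumptions constructed for illustration."""

from urllib.parse import urlsplit, urlunsplit, parse_qs, urlencode

# Constructed sample URL database: a single host may sit in several categories.
CATEGORY_DB = {
    "www.example-adult.test": {"adult", "entertainment"},
    "www.example-news.test": {"news"},
    "www.example-share.test": {"file_sharing", "social"},
}
BLOCKED_CATEGORIES = {"adult", "file_sharing"}

# (host suffix, query key) pairs where the real target travels in a parameter.
# These names are assumptions; a real gateway would ship a maintained list.
WRAPPERS = [
    ("translate.google.com", "u"),
    ("images.google.com", "imgurl"),
    ("www.google.com", "imgurl"),
]

# Constructed toy signature for the content scan; real products use full engines.
SUSPICIOUS_MARKERS = ("eval(unescape(", "document.write(unescape(")


def unwrap(url, max_depth=5):
    """Return the URL actually fetched on the user's behalf, following nested wrappers."""
    for _ in range(max_depth):
        parts = urlsplit(url)
        host = (parts.hostname or "").lower()
        query = parse_qs(parts.query)
        inner = None
        for suffix, key in WRAPPERS:
            if host.endswith(suffix) and key in query:
                inner = query[key][0]  # parse_qs already percent-decodes the value
                break
        if inner is None:
            return url
        url = inner
    return url


def categories(url):
    """Look up every category the target host belongs to (not a single bucket)."""
    host = (urlsplit(url).hostname or "").lower()
    return CATEGORY_DB.get(host, {"uncategorized"})


def enforce_safe_search(url):
    """Rewrite Google search/image requests so SafeSearch is always active."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if not host.endswith("google.com") or parts.path not in ("/search", "/images"):
        return url
    query = parse_qs(parts.query, keep_blank_values=True)
    query["safe"] = ["active"]  # overrides whatever the user set
    return urlunsplit(parts._replace(query=urlencode(query, doseq=True)))


def decide(url):
    """Policy decision for a request URL based on the effective target's categories."""
    target = unwrap(url)
    hit = categories(target) & BLOCKED_CATEGORIES
    if hit:
        return {"action": "block", "target": target, "reason": sorted(hit)}
    return {"action": "allow", "target": enforce_safe_search(target), "reason": []}


def inspect_response(url, body):
    """Content scan applied to every allowed response, regardless of category or reputation."""
    if decide(url)["action"] == "block":
        return "block"
    if any(marker in body for marker in SUSPICIOUS_MARKERS):
        return "block"
    return "allow"


if __name__ == "__main__":
    wrapped = ("http://translate.google.com/translate?hl=fr&sl=en"
               "&u=http%3A%2F%2Fwww.example-adult.test%2F")
    print(decide(wrapped))
    print(decide("http://www.google.com/search?q=cats&safe=off"))
    print(inspect_response("http://www.example-news.test/",
                           "<script>eval(unescape('%41'))</script>"))
```

The key design point is that every check runs against the unwrapped target rather than the outer google.com URL, so the translate and image-search wrappers inherit the policy of the page they front, and that the content scan runs even for a well-categorized or well-reputed site, which is exactly the gap the Web 2.0 post describes.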