Welcome to the Proxy Update, your source of news and information on Proxies and their role in network security.

Monday, March 31, 2008

In the News: Think you're protected? Think again!

There's a new study out on a government agency that had strict rules around network access. The study was done in conjunction with Panda Security. At least 13% of computers were infected with viruses, even though all had desktop anti-virus and anti-malware software installed and all access to the internet went through a secure proxy. An even higher percentage of computers (16%) were infected with some type of malware.

It just goes to show that neither a proxy nor desktop software alone is a complete defensive solution. The proxy is a necessary component of an overall security plan, and choosing a proxy with the most security defenses is key. As we've outlined in previous blog articles, look for a proxy that can detect obfuscated URLs, intercept SSL and analyze SSL content, and has a dynamic real-time method for categorizing websites.

Thursday, March 27, 2008

Obfuscating the URL

Common techniques used by spammers seem to also cause grief for many proxies that check URLs against URL database lists. Spammers try to hide the actual URL in an email by using some standard features of URLs. In addition to domain names, URLs can contain usernames and passwords, IP addresses, and encoded IP addresses. All of these provide ways to create URLs that look like they are going to one site but really go somewhere else.

Simple proxies don't recognize anything other than a standard domain name, so many of the techniques in the linked article above will get past a URL filter. Someone who wanted to bypass a typical proxy could obfuscate the URL they type into the browser and still reach sites that are deemed inappropriate by policy or that contain malicious content.

Many of the better proxies are aware of these techniques and will "translate" the URL before passing it through the URL filter to ensure the real URL gets filtered, and blocked or scanned if appropriate.
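As an added illustration of that "translate before filtering" step (example code written for this post, not from any of the proxy vendors mentioned), the Python below collapses the encodings the post lists, a user:password@ prefix and a decimal, hexadecimal, octal or mixed-base IP address, back to the host a browser would actually connect to before the list lookup runs. The block list and the hosts in it are constructed sample values.

```python
import ipaddress
import re
from urllib.parse import unquote, urlsplit

# Constructed sample list: a domain and an address the administrator has chosen to block.
BLOCKLIST = {"blocked.example", "198.51.100.7"}

_HEX = re.compile(r"0x[0-9a-f]+$")
_OCT = re.compile(r"0[0-7]+$")
_DEC = re.compile(r"(0|[1-9][0-9]*)$")


def _part_value(part):
    """Read one dotted component the way inet_aton does: 0x.. hex, 0.. octal, else decimal."""
    if _HEX.match(part):
        return int(part, 16)
    if _OCT.match(part):
        return int(part, 8)
    if _DEC.match(part):
        return int(part, 10)
    raise ValueError("not a numeric component")


def canonical_host(host):
    """Collapse every numeric encoding of an IPv4 host (single decimal, hex or octal
    number, mixed-base dotted forms, 2- or 3-part shorthand) into dotted-quad form.
    Any other host comes back percent-decoded, lower-cased and without a trailing dot."""
    host = unquote(host).strip().lower().rstrip(".")
    try:
        return str(ipaddress.ip_address(host.strip("[]")))  # already canonical IPv4/IPv6
    except ValueError:
        pass
    parts = host.split(".")
    if not 1 <= len(parts) <= 4:
        return host
    try:
        values = [_part_value(p) for p in parts]
    except ValueError:
        return host  # an ordinary domain name
    # inet_aton rule: leading parts are single octets, the last part fills the remaining octets.
    head, last = values[:-1], values[-1]
    if any(v > 255 for v in head) or last >= 256 ** (4 - len(head)):
        return host  # numeric but not a valid address; hand it to the filter unchanged
    number = last
    for i, v in enumerate(head):
        number += v << (8 * (3 - i))
    return str(ipaddress.IPv4Address(number))


def filter_decision(url):
    """Translate the URL first, then consult the list: returns (verdict, canonical host).
    urlsplit() already discards a user:password@ prefix, so a decoy name there is ignored."""
    host = urlsplit(url).hostname or ""
    real = canonical_host(host)
    return ("block" if real in BLOCKLIST else "allow", real)


if __name__ == "__main__":
    for sample in ("http://www.bank.example:login@0xC6336407/",
                   "http://3325256711/", "http://198.51.25607/",
                   "http://www.bank.example/"):
        print(sample, "->", filter_decision(sample))
```

A filter that compares the raw hostname string would treat each of those encodings as a different, uncategorized site; canonicalizing first means one list entry covers all of them. The same idea extends to IDNA/punycode names and other address families, which this example does not cover.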

Be sure to include obfuscation techniques in your evaluation of any proxy solution for your organization.

Wednesday, March 26, 2008

Privacy and Proxy Avoidance

Today, the most common mention of proxies deals with either proxy avoidance (getting around the proxy at work or school) or using an anonymizing proxy to avoid leaving footprints on the web that could be used for identity theft or other malicious intent.

Proxy avoidance is popular in both workplaces and schools where proxies have limited the web access of end-users. Proxy avoidance is a big headache for IT administrators trying to enforce corporate or school policy. The most common form of proxy avoidance is to use an open proxy on the internet to bypass the proxy in the local environment. Typically, the end-user just changes the setting in the browser to point to the open proxy IP address and port number, and in an insecure deployment, this allows them to surf freely without policy restrictions.

So how does an organization protect itself from end-users who use proxy avoidance techniques? The first step is to make sure the proxy is capable of recognizing proxy avoidance techniques and can prevent end-users from getting to those sites. With open proxies coming online daily, the URL list we talked about is really no solution to this problem. A dynamic rating system, on the other hand, would solve most of it: if you go directly to the IP address of one of these open proxies with a browser, most of them show a landing page describing how to use the open proxy. That landing page lets a dynamic rating system pick up new pages and automatically detect and rate new open proxies correctly in the "proxy avoidance" category. According to Blue Coat Systems, this is exactly what their ProxySG product's DRTR (Dynamic Real Time Rating) system does, and with the correct policy it prevents end-users from getting to the open proxy.

In addition to open proxies, there are less well-known techniques for avoiding proxies that are used when there is malicious intent. I'll save that for another post tomorrow.

Tuesday, March 25, 2008

In the News: Gambling in the Workplace

Just another reminder that setting policy in the workplace is important not only to keep employees productive, but to keep internet bandwidth available for work-related activities. The article is a good reminder that the employer sets the policy, and is allowed to monitor activities on the Internet that are being generated from within the organization. We'll talk in tomorrow's blog articles about how employees are trying to avoid proxies and continue to surf websites prohibited by company policy, and the techniques they are using to do this.

Monday, March 24, 2008

In the News: SSL doesn't guarantee security

Last week we talked about how going to an SSL website doesn't guarantee security. There's still the possibility of viruses and other malware embedded in the website, which just means that you're downloading a virus across an SSL link, making it harder for most proxies to detect the virus. As if to confirm my ramblings, I came across this article in the SF Chronicle talking about viruses embedded in secure sites.

So make sure you're protecting your end-users by using the proxy either to terminate SSL connections and inspect content, or to block access to SSL where appropriate.

Friday, March 21, 2008

In the News: Blocking video in the workplace

The NCAA tournament brought video blocking into the news again. In addition to the article linked above, the San Jose Mercury News also ran a front page article on the possibility of video streaming from the tournament eating up all the bandwidth of workplace internet links. Other newspapers ran articles on this topic across the nation and stories on this topic filled radio airwaves including NPR broadcasts.

At the root of the debate of course was whether or not to block access to the NCAA site which offers streaming video of the tournament that began yesterday. Blocking access would preserve bandwidth for the mission critical applications of the organization, but not all organizations have a method to block streaming video. An astute network administrator would realize immediately that a proxy would give that ability without having to block the entire internet.

An even better solution would be a proxy that takes that video stream from the internet only once, rather than allowing multiple streams of the same data from the same site, and then sends a separate stream to each requestor on the local network. This feature is often referred to as a CDN (content delivery network), and is featured prominently on some proxies.

Unfortunately I didn't see any articles this week proposing CDNs in organizations as a solution to this issue.

To Bypass or Not to Bypass SSL

In the past this decision was easy. There was little risk in bypassing SSL sites on your proxy, and most administrators didn't want to deal with the implications of proxying SSL connections, so SSL was for the most part bypassed in forward proxy deployments.

As SSL becomes more prevalent on the web, the need to inspect SSL content has become much more important. Public webmail sites are quickly moving to SSL, and the ability to send out confidential company data over SSL is more likely now than ever. In addition, with the amount of malware on internet sites, the possibility of downloading a piece of malware onto the corporate network from a secure site is a real risk.

With this knowledge, using a proxy to terminate SSL connections and inspect the contents of the information coming and going from the corporate network seems to make a lot of sense. Luckily many proxies offer this ability today, and some partner with DLP/ILP (Data and Information Leak Protection) companies to inspect outgoing content for company confidential materials.

The major concern with proxying SSL connections and inspecting content is where this may conflict with existing privacy laws or corporate privacy policy. This is where the proxy's ability to set granular policy is critical. In addition, the proxy should offer authentication and coaching pages that warn the user not to go to sensitive sites (like banking or health) if there's a concern about having that information inspected. Alternatively, those sites could simply be blocked or bypassed. The really astute administrator will work with their HR department to decide which policy is best for their organization.

Implementing an SSL proxy will of course take some education of the end-users on what to expect with SSL certificates, and the warnings their internet browsers will generate. We'll discuss certificates, and other security issues in a future blog article.

Thursday, March 20, 2008

URL Lists and webfiltering in the Proxy

There are a lot of vendors out there selling URL lists for web filtering on the web proxy. Each one claims to be superior to the others, but what in reality are you paying for when you subscribe to these lists?

The idea is of course to categorize the entire web (so you can block unwanted sites like spyware, porn, etc.), but thousands of new pages are being created on the web daily. Wikipedia estimates there are around 100 million websites, containing over 2 billion web pages. If you survey the vendors offering URL lists for web filtering, some claim to contain as many as 20 million websites, but even that falls short of Wikipedia's estimates.

The theory behind this, of course, is that by categorizing 20% of the websites you cover 80% of the web hits. This is great for the 80% of hits that land on a categorized site, but what about the other 20%? Even if you subscribe to a URL list, your proxy needs some way to categorize new and uncategorized sites on the web. Some proxy vendors offer a way to dynamically rate websites in real time when they don't match an entry in the URL list. The key here is to produce this rating without introducing any visible latency for the end-user.

When evaluating lists, there are other criteria to watch out for as well. Can a website exist in more than one category? Just because a site is a sports information site doesn't preclude it from offering gambling in one form or another. You may want to block that site just because it offers gambling, and if your URL list only categorizes it as a sports site, you'll have a less than effective policy.
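To show how the two points above fit together (a list entry that carries several categories, and a real-time rating for sites the list has never seen, which is also the open-proxy landing-page case from the Privacy and Proxy Avoidance post), here is an added Python example. It is not code from Blue Coat or any other vendor; the list entries, the blocked categories, the rating phrases and the landing-page text are all constructed, and a real rating engine would use far richer signals than a phrase count.

```python
from urllib.parse import urlsplit

# Constructed sample of a vendor-style list. A site may carry several categories, which is
# what lets policy catch the sports site that also takes bets.
URL_LIST = {
    "sportsnews.example": {"sports", "gambling"},
    "mail.example": {"webmail"},
    "intranet.example": {"business"},
}

# Categories this organisation's policy blocks (constructed).
BLOCKED_CATEGORIES = {"gambling", "proxy avoidance", "malware"}

# Phrases the fallback rater looks for in page text (constructed, deliberately small).
RATING_HINTS = {
    "proxy avoidance": ("anonymous proxy", "unblock any website", "surf anonymously",
                        "hide your ip", "web proxy service"),
    "gambling": ("place your bet", "online casino", "poker room"),
    "sports": ("final score", "box score", "league standings"),
}


def list_categories(host):
    """Longest-suffix match so that a subdomain inherits its parent's categories."""
    labels = host.lower().split(".")
    for i in range(len(labels)):
        cats = URL_LIST.get(".".join(labels[i:]))
        if cats:
            return set(cats)
    return set()


def dynamic_rating(page_text, min_hits=2):
    """Rate an unlisted page from its visible text in real time: a category applies when at
    least min_hits of its phrases occur. A simplified stand-in for a vendor's rating engine."""
    text = page_text.lower()
    return {cat for cat, phrases in RATING_HINTS.items()
            if sum(phrase in text for phrase in phrases) >= min_hits}


def decide(url, page_text=""):
    """Policy decision for one request: (verdict, where the categories came from, categories).
    Blocks when any category, not just the first one listed, is prohibited."""
    host = urlsplit(url).hostname or ""
    cats = list_categories(host)
    source = "list"
    if not cats:
        cats = dynamic_rating(page_text)
        source = "dynamic" if cats else "uncategorized"
    verdict = "block" if cats & BLOCKED_CATEGORIES else "allow"
    return verdict, source, cats


if __name__ == "__main__":
    # Constructed landing page of the kind an open proxy shows when you browse to its address.
    landing = "Free anonymous proxy. Unblock any website at work and surf anonymously."
    print(decide("http://sportsnews.example/scores"))
    print(decide("http://203.0.113.9:8080/", landing))
```

The `source` field matters operationally: log it, so that mis-categorizations can be reported back to the list vendor (the responsiveness point below) and so that dynamically rated sites can be reviewed before they are added to the local list.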

You should also check to see how responsive your vendor is when a mis-categorization is found. Are they quick to verify the mis-categorization and change their lists?

The last concern has to do with links, and this one is perhaps more a proxy requirement than a URL database list requirement. Any given site can have useful information while at the same time embedding content gathered from other sites that fall into a prohibited group under your policy. The most flexible proxy should still show you the good information while blocking the embedded portions of the website.

URL lists are necessary to help enforce policy on the proxy, but implementing URL lists alone doesn't guarantee the security policy you expect. Remember to look for the gotchas when selecting your URL list and proxy vendor.

Wednesday, March 19, 2008

Is Ironport embracing the Proxy title?

I came across this article in an Indian online publication. What struck me as strange is that up until now, I have never seen Ironport use the term "proxy" to refer to their Web Security Appliance. Maybe they're just realizing that proxy isn't a bad word!

Does WAN Optimization Belong in a Proxy?

Blue Coat Systems seems to believe so. Blue Coat is well known for their ProxySG product line, which according to their own press is used by 93 of the Fortune Global 100. Blue Coat is the former CacheFlow, which made web proxy caches for forward and reverse proxy use. They moved into secure proxies during the dot-com bust, and during the last two years they have integrated WAN Optimization into their ProxySG product line.


At first glance it seems like a real incongruity. What could these two networking products have in common? WAN Optimization is usually deployed internally, on the two ends of a WAN link inside the corporate network, whereas the proxy has always sat on the edge of the network, guarding access to the Internet or providing security and scalability for the corporate web presence. In fact, in most organizations, including your own, it's probably safe to say the administrator of the proxy isn't even the same group or person as the one responsible for the WAN Acceleration device.

In many instances, although the same device can be used as both a proxy and a WAN Optimization device, it's deployed as one or the other, in different parts of the network.

Where this starts to change is at the branch office. With WAN Optimization, in general you need a device on both ends of the WAN link. Many companies have traditionally backhauled internet access over the WAN link to the corporate Internet link. As prices for internet drops continue to decrease, it's not unusual to see branch offices with their own drops to the internet. In this scenario it makes sense to consolidate boxes at the branch office, and having the branch office proxy also serve as the WAN Optimization box begins to have some value.

In companies that still backhaul internet access over the WAN link, there's some value in having the WAN Optimization device at the data center also serve as the proxy, protecting branch office users from internet threats. But as internet links become more prevalent, you may see more of this functionality at the branch office.

Tuesday, March 18, 2008

Why Cache?

Not all proxies are equal. Many, but not all, have the ability to cache web pages and objects. Web caching is the act of storing copies of web pages on a "local" system (in our example, the proxy). If the same pages are requested later by the same or other users through the proxy, and the cached copy is still valid, there is no need to contact the original server again. Cache hits can significantly reduce latency and network bandwidth usage.

All that sounds great, especially the part about reducing latency and saving bandwidth, but what is the risk (if any) of caching? The obvious risk is data becoming outdated. If a cached version is different from what's on the web server, the person requesting the data isn't getting the most up-to-date information. In this instance it's important either to obey the web page (if it's marked not to cache the information on the page) or to have a proxy that uses an intelligent algorithm to verify the "freshness" of data. One major proxy vendor claims to have a patented method for verifying the "freshness" of their data, keeping the most up-to-date information in cache while keeping bandwidth usage to a minimum.

A truly flexible proxy should let you set your own policy around how long to cache different types of data. Perhaps you want to override the settings found on a specific web page, like YouTube, so that the next time a really popular video gets forwarded around the company you aren't downloading it from the web every time (per the default cache settings on YouTube), and instead cache YouTube video for a few hours or more.
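As an added example (not any vendor's algorithm, and not from the original post), the Python below computes how long a cached copy may be served: first from the origin's own Cache-Control, Expires and Last-Modified headers, following the standard HTTP/1.1 rules, and then from an administrator override table of the kind the paragraph above describes for popular video. The override table and the header values are constructed.

```python
import email.utils
import time

# Constructed policy overrides: seconds to keep objects from these sites regardless of what
# the origin's headers say (the post's "cache popular video for a few hours" case).
POLICY_TTL = {
    "video.example": 4 * 3600,
}


def parse_cache_control(value):
    """Split a Cache-Control header into {directive: value-or-True}."""
    directives = {}
    for token in value.split(","):
        token = token.strip().lower()
        if token:
            name, _, arg = token.partition("=")
            directives[name.strip()] = arg.strip().strip('"') if arg else True
    return directives


def _http_date(value):
    """Parse an RFC 1123 date header to a POSIX timestamp."""
    return email.utils.parsedate_to_datetime(value).timestamp()


def header_freshness(headers, now):
    """Freshness lifetime in seconds that the origin's own headers allow (RFC 2616 section
    13.2 rules: Cache-Control first, then Expires, then the Last-Modified heuristic).
    0 means the object must not be served from cache without revalidation."""
    cc = parse_cache_control(headers.get("Cache-Control", ""))
    if "no-store" in cc or "no-cache" in cc or "private" in cc:
        return 0
    for directive in ("s-maxage", "max-age"):  # s-maxage wins on a shared cache
        if directive in cc:
            arg = cc[directive]
            return int(arg) if isinstance(arg, str) and arg.isdigit() else 0
    try:
        date = _http_date(headers["Date"]) if "Date" in headers else now
    except (TypeError, ValueError):
        date = now
    if "Expires" in headers:
        try:
            return max(0, int(_http_date(headers["Expires"]) - date))
        except (TypeError, ValueError):
            return 0  # a malformed Expires means "already stale"
    if "Last-Modified" in headers:
        try:  # heuristic: 10% of the time since the object last changed
            return max(0, int((date - _http_date(headers["Last-Modified"])) * 0.1))
        except (TypeError, ValueError):
            return 0
    return 0


def cache_lifetime(host, headers, now=None):
    """Lifetime for one object: an administrator override takes precedence over the origin's
    headers. Returns (seconds, 'policy' | 'origin')."""
    now = time.time() if now is None else now
    host = host.lower()
    for site, ttl in POLICY_TTL.items():
        if host == site or host.endswith("." + site):
            return ttl, "policy"
    return header_freshness(headers, now), "origin"


def is_fresh(stored_at, lifetime, now):
    """A cached copy may be served without contacting the origin while this holds."""
    return now - stored_at < lifetime


if __name__ == "__main__":
    # Constructed response headers for a video object that asks not to be cached at all.
    print(cache_lifetime("www.video.example", {"Cache-Control": "no-cache"}))
    print(cache_lifetime("news.example", {"Cache-Control": "max-age=300"}))
```

Keep the override table small and explicit: it is exactly the place where the staleness risk the post describes is being accepted on purpose, so each entry should be a deliberate policy decision that can be reviewed.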

Secure Computing finally added a cache to their Webwasher appliance last year (2007), but even in the latest presentation I heard them give, they generally don't recommend you turn it on, with the main concern being staleness of data.

Caching can definitely work to your advantage; just make sure the proxy you use has up-to-date caching technology that lets you set the policy you need.

Monday, March 17, 2008

Forward or Reverse

You may have heard the terms "Forward Proxy" and "Reverse Proxy" and wondered what the difference is, and also which one you need for your organization.

Back in the early days of the web the answer was simple. Most companies had only ever heard of the "Reverse Proxy", even if they didn't call it that. The "Reverse Proxy" sat in front of the company's internet web presence, providing additional performance, scalability, and reliability for all the requests to the corporate web site from users all over the internet.

As the web grew, companies began to see the need to protect users from threats on the web as well as to implement policy around acceptable web usage. The proxy that the end-user's browser connects to in order to access the internet is the "Forward Proxy". Unfortunately the implementation of "Forward Proxies" in many organizations has also led to the rise of many illicit websites on proxy avoidance. A sophisticated proxy should be able to detect proxy avoidance techniques to keep corporate guidelines and policy intact.

There are special variations on both forward and reverse proxies, far too many for discussion in this short post, but we'll address some special implementations in separate future posts.

Friday, March 14, 2008

To Proxy or Not to Proxy

The decision to implement a proxy is never taken lightly in any organization. If there's never been a policy around web surfing during office hours, it's considered almost a God-given right, and the implementation of a proxy can only be seen as Big Brother finally arriving.

Unfortunately (for the end-users at least), the days of letting the end-user roam the internet freely are quickly coming to an end. According to a study by Sophos, 29% of web pages host some kind of malware, and an additional 29,000 pages containing malware are added to the internet daily. The risk of bringing malware into an organization, and letting that malware disrupt the network or, even worse, steal sensitive corporate information, is growing every day.

The only real solution to this problem is to filter all web surfing through a proxy. A proxy can block malware from coming into an organization. A sophisticated proxy can even block only the malware links and programs on a web page, allowing the rest of the page to be viewed in case it holds valuable information.
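As an added example of that last point, and of the embedded-links concern raised in the URL Lists post (example code written for this page, not a product's implementation), the Python below copies a page through while dropping only those scripts, frames, images and links that point at a host on a block list. The blocked hosts and the sample page are constructed; a real proxy would also normalize the hosts before the lookup and consult its categorization rather than a fixed set.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed: hosts the policy has decided serve malware or otherwise prohibited content.
BLOCKED_HOSTS = {"ads.malicious.example", "drop.malicious.example"}

# Element -> attribute that pulls in or points at a remote resource.
EMBED_ATTRS = {"script": "src", "iframe": "src", "img": "src", "embed": "src",
               "object": "data", "a": "href"}
# Elements whose whole subtree goes when they are removed (the others are void elements).
CONTAINER_ELEMENTS = {"script", "iframe", "object", "a"}


class EmbeddedContentFilter(HTMLParser):
    """Copies a page through unchanged except for elements whose embedded resource or link
    points at a blocked host; those are dropped together with their content."""

    def __init__(self):
        super().__init__(convert_charrefs=False)
        self.out = []
        self.removed = []        # (tag, host) pairs, useful for the proxy's access log
        self.skip_tag = None     # container element currently being suppressed
        self.depth = 0

    def _blocked_host(self, tag, attrs):
        attr = EMBED_ATTRS.get(tag)
        if not attr:
            return None
        host = (urlsplit(dict(attrs).get(attr) or "").hostname or "").lower()
        return host if host in BLOCKED_HOSTS else None

    def handle_starttag(self, tag, attrs):
        if self.skip_tag:
            if tag == self.skip_tag:
                self.depth += 1
            return
        host = self._blocked_host(tag, attrs)
        if host:
            self.removed.append((tag, host))
            if tag in CONTAINER_ELEMENTS:
                self.skip_tag, self.depth = tag, 1
            return
        self.out.append(self.get_starttag_text())

    def handle_startendtag(self, tag, attrs):   # <img ... /> style self-closing tags
        if self.skip_tag:
            return
        host = self._blocked_host(tag, attrs)
        if host:
            self.removed.append((tag, host))
            return
        self.out.append(self.get_starttag_text())

    def handle_endtag(self, tag):
        if self.skip_tag:
            if tag == self.skip_tag:
                self.depth -= 1
                if self.depth == 0:
                    self.skip_tag = None
            return
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip_tag:
            self.out.append(data)

    def handle_entityref(self, name):
        if not self.skip_tag:
            self.out.append(f"&{name};")

    def handle_charref(self, name):
        if not self.skip_tag:
            self.out.append(f"&#{name};")

    def handle_comment(self, data):
        if not self.skip_tag:
            self.out.append(f"<!--{data}-->")

    def handle_decl(self, decl):
        self.out.append(f"<!{decl}>")


def filter_page(html):
    """Return (rewritten page, list of removed (tag, host) pairs)."""
    parser = EmbeddedContentFilter()
    parser.feed(html)
    parser.close()
    return "".join(parser.out), parser.removed
```

The `removed` list is what makes this auditable: the proxy can log which embedded hosts were stripped from which page, so that a false positive (a legitimate embedded resource on a mis-categorized host) shows up in the logs rather than as a silently broken page.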

There are additional benefits to implementing a proxy. You can prevent end-users from downloading pornography, a sure violation of your organization's sexual harassment policy. You can also create policy around bandwidth usage for such popular items as peer-to-peer file sharing, video watching, and music listening during office hours. All of these heavy bandwidth users are sure to restrict the amount of real work being done in the office.

If you're worried about the overhead involved for the administrator of the proxy, there are many new ways to implement proxies these days. The old days of having to visit everyone's PC to put in the IP address of the proxy are gone. The proxy can simply be placed in-line, or there are options for automatic proxy discovery (also known as WPAD, the Web Proxy Autodiscovery Protocol). We'll go into the multiple deployment options for proxy setup in future postings, but for now it's more important to realize the need for the proxy and the benefit the organization will receive by putting the proxy in place.

Thursday, March 13, 2008

The Definition of Proxy

Wikipedia has a good page on proxy server technology. If you need a good overview, click the link above. Even though the page has tags on it indicating it needs some attention, most of the information found there is a really good starting point for a technology backgrounder on proxies.

Wall Street Journal: The New Workplace Rules: No Video-Watching

The Wall Street Journal published an article on March 4, 2008, entitled, "The New Workplace Rules: No Video-Watching".

This article shows a great new security use for proxies. Using a proxy gives the network or security administrator the ability to block video for certain users, groups, or everyone in the company. Some proxies even give admins the flexibility to define time frames for when an end-user can watch video (perhaps no video from 9 to 5, during working hours).

Blue Coat Systems even has a proxy that can cache and split video streams to help offload the bandwidth demand video puts on the internet link. That way, when the latest YouTube video goes around the office, it's only downloaded once from the internet, and all subsequent views come from the cache on the proxy.

Proxy: The Ugly Stepsister in the Security World

Welcome to the Proxy Update! The Proxy Update is intended to be an on-going source of information on Proxies.

Proxies unfortunately have a bad reputation both with the user community and in the network security realm. When you think of security in a network, a proxy isn't usually the first thing that comes to mind; instead, most networking professionals will mention firewalls, intrusion detection and prevention, virus scanning, spam prevention, etc.

Somehow the proxy gets the unjustified position of being the afterthought.

The reality, though, is that the proxy is one of the most important components of network security, more today than at any time in the history of the Internet. As more threats are embedded in websites and web pages, both intentionally and through hackers, the proxy is going to play a more key role in protecting the enterprise.

Stay tuned to this website and we'll talk about some of the needs, problems, and solutions in the proxy industry, and how the proxy may be the 800-pound gorilla solving the security problems of your organization.