Welcome to the Proxy Update, your source of news and information on Proxies and their role in network security.

Monday, April 28, 2008

Forcing Google Safe Search

One of the ways Google tries to help ensure safe web surfing is a feature in their image search called "safe search". When "safe search" is enabled, any images that have offensive (pornographic) content are prevented from showing up in the search results. It's a nice feature, but in an office environment there's generally no way to force everyone to use it. In fact, many users trying to get around web filtering products like a proxy do so by using Google's image search without safe search turned on. The problem is that Google caches many images that traditional proxies block when you go directly to the page hosting the image, but these traditional proxies aren't smart enough to block the cached image in Google.

Blue Coat Systems' ProxySG, interestingly enough, offers a couple of features to help prevent this proxy bypass from occurring. First, it can actually inspect embedded URLs like the ones in Google's image search results and block the images from appearing in a search return, so rather than seeing the picture the end-user sees only a broken link. The other option is the ability to force safe search for every search that's done. This is done by rewriting the URL of the search request into a safe-search request every time a user performs a search, regardless of whether the end-user had the safe-search feature enabled.

These are two great tools to help keep your HR policy enforced, without having to worry about holes in the proxy that might otherwise get your IT group into trouble.

Friday, April 25, 2008

In the News: Web Infection Attacks Reputable Web Pages

It seems almost on cue that the above article on Web infections appeared in The Register yesterday. It's a perfect example of my previous blog article on why reputation doesn't solve the web filtering problem and can be a detriment to the organization. The article in The Register points to two highly reputable websites that were infected with malware: the United Nations and the UK Civil Service. The solution, as I've reiterated a few times on this blog, is to implement a proxy-based web security system that checks and blocks embedded URLs and redirection requests based not only on URL filtering but on real-time dynamic ratings when needed. And of course there's still the need to scan all web pages for viruses, so don't forget the anti-virus scanner for the web gateway.

Thursday, April 24, 2008

CDN - Content Delivery Networks

CDNs (Content Delivery Networks) are becoming more popular in organizations looking for ways to effectively reduce travel and training costs. CDNs offer a way to distribute training, announcements and regulatory mandated deliverables (HR announcements, etc.) to the employee population via streaming video content. The video content can be Flash, Windows Media, QuickTime, or live video.

In California, every organization is tasked with regulatory requirements around sexual harassment training, and one way to fulfill this and keep track that everyone has taken the training is through a CDN that is delivered by a proxy. The proxy keeps track of authentication, to log who has taken the training, and gives the ability to save the bandwidth required to send the video content around the network, as well as to offload the server serving the video content.

The proxy offers authentication and logging capabilities for compliance, caching of video for bandwidth savings, stream splitting at remote locations for additional bandwidth savings, and caching of video that reduces the load on the video server. Sounds like a win-win situation, right? Unfortunately, not every proxy will support CDNs, so you'll need to shop around and find the one that has the features your organization needs.

Wednesday, April 23, 2008

InterOp Vegas

Either you love or hate conferences and the associated exhibition floor. But for those of you that enjoy going to talk to vendors and grabbing the occasional tchotchke, next week's InterOp show in Vegas is one that anyone in networking is sure to be familiar with.

I started attending InterOp shows back in 1991, and the show has certainly come a long way since then. The show reached its peak (in terms of size) back during the dot com boom, and hasn't really regained the exhibition size it once had, so this year's show is at the Mandalay Bay Convention Center. Even on a smaller scale, InterOp remains one of the important shows to keep track of what's happening in networking, and to a smaller degree, network security.

It's no surprise then that many key proxy vendors will be displaying their wares on the show floor, and some will probably have interesting announcements around their products. I'll keep tuned and let you know any interesting tidbits I see or hear about as a result of InterOp.

Tuesday, April 22, 2008

Blogged: Ways to test your Proxy for Security

We've talked a lot in this blog about needing to have a secure web gateway as your proxy and many of the security features that are needed to protect the organization from threats on the web. One of the things we haven't really discussed is how do you test that your proxy is actually secure from threats on the web.

The website linked in the title bar above is a blog article on iCranium that discusses testing the security of web applications using proxy-like devices. These are four testing tools that you could use against your web proxy while visiting different websites: Burp Suite, Paros, Fiddler and WebScarab. Each of these has a separate focus, but together they form a really powerful suite of tools for testing the web security of your proxy and of your web presence.

Monday, April 21, 2008

Fake and Poisoned Websites?

The link above goes to a good article about threats on web pages, including poisoned websites. The key to this is the second section, which says that cyber-criminals can poison legitimate websites. I've discussed in the past that your web proxy needs to be able to block malicious content regardless of source. Web reputation doesn't buy you much when it allows a site just because it has a good reputation, on the off chance that site has been poisoned. Hedge your bets and scan everything that could possibly be malicious.

The other really interesting piece mentioned in this article occurs at the end. There's a demonstration of how something we all consider relatively benign, an MP3 file, can contain malicious content. The author has an MP3 you can download, but the catch here is that the MP3 file contains code that opens pop-up windows when you play the music file. That's pretty scary if you consider there's probably more than just opening browser windows that could happen from downloading and playing an MP3 file.

So what's the lesson here? Make sure your web proxy scans for viruses, malware, and protects you from spyware on all the pages your employees visit. Don't let a webpage get past a scan just because it's got a good reputation.

Friday, April 18, 2008

WAN Optimization moves in on the Proxy

In a previous article I talked about whether WAN Optimization belonged in the proxy and referenced Blue Coat's implementation in their proxy device. Apparently other WAN Optimization vendors are beginning to believe the same story as Riverbed announced their partnership with Secure Computing. While this announcement shores up Blue Coat's story, the above linked article shows that at least one networking pundit believes there's little substance to Riverbed and Secure's announcement other than marketing fluff.

Mike Rothman refers to the partnership as "No Coat" and calls it a "Barney" deal (as in Barney, the purple dinosaur: you know, "I love you, you love me"). I'm sure this isn't the first partnership in response to Blue Coat, nor will it be the last, as we'll continue to see proxy vendors integrate, partner and merge with WAN Optimization vendors.

Wednesday, April 16, 2008

In the News: Larger Prey are Targets

The New York Times ran an article today about a recent phishing threat that seems to have snared a lot of victims. Apparently this latest attack was much more realistic to end-users, but also carried a much bigger threat than most phishing attacks. The typical phishing attack asks end-users to enter their personal information on a fake website, an act that makes most users at least a little suspicious of the nature of the site. This scam was much more devious: it got the end-user to click on a link for more information, and that link was to a web page that did a drive-by install of software that monitored keystrokes on the end-user's computer and also gave control of the computer to the hackers.

The most striking thing about this article to me was the fact that traditional anti-virus programs for the most part were unable to protect end-users from this threat. This particular kind of attack is one where a desktop anti-virus program isn't the best solution, but a proxy is ideally suited to protect the end-user from malicious code in a web page. Too many security administrators think that anti-virus is sufficient, and it was back when threats came in primarily through e-mail. As technology moves back towards the web (including web based email), threats now reside in both e-mail and web pages.

The proxy is ideally situated to protect any organization from web threats, including phishing scams like this one. Check out your proxy vendor and make sure they would have protected you from this threat.

Tuesday, April 15, 2008

Web 2.0 in a Proxy World

In today's always-on, information-overloaded world, the term Web 2.0 has become an acceptable label for any new web technology, display of web information, and use of the web. The definition of Web 2.0 remains fluid and evolving, making it difficult for a network administrator to understand what threats associated with Web 2.0 he or she needs to be aware of.

The IT press is publishing articles that display Web 2.0 as a doomsday scenario for many IT administrators. Today, Web 2.0 covers any new web based mechanism of sharing information, whether it's blogging, social networking, or file sharing. Dynamically displayed web pages, using technologies such as Ajax, contribute to the feel of a new web experience.

The threat to the proxy administrator is that URL databases and Web reputation are no longer sufficient by themselves to protect the end-user from threats that are dynamically created on web pages based on arbitrary criteria. One user viewing a page may see a perfectly safe page with no threats, but the next person looking at the same URL may get embedded drive-by malicious code that was created dynamically.

Just because a site has a good reputation doesn't protect you from the possibility of getting a virus or spyware from that site. Less of a problem, but still a problem, is also the possibility of displaying content that may be prohibited by corporate policy. Because this content can be dynamically created and differ by viewers of the same URL, once again, standard categorization or single bucket categorization will be less than effective in enforcing corporate policy.

So, what's the proxy administrator to do in a Web 2.0 world? The first step is obviously to keep your proxy up to date and to make sure your proxy has the latest security features. Make sure your proxy is a "secure web gateway" (to use Gartner's terminology). This means that in addition to the URL database, there's a mechanism to examine content for malware, regardless of categorization or reputation. Also make sure your proxy doesn't categorize URLs into single buckets, but has the ability for a URL to span multiple categories, and the ability to dynamically rate any page as needed.

Monday, April 14, 2008

In the News: Wishing RSA Away

A strange title for a blog article. RSA is perhaps one of the more respected conference shows out there. The author of the linked blog is of course not wishing the conference away, but rather the need for the conference to go away. To think that we don't need any security on our networks, that everyone is well behaved, or that all of our network devices handle problems without our intervention, seems, well, like a fantasy. The point of course being that it is unlikely that the need for RSA will go away anytime soon.

But the author does point to the fact that many vendors continue to make strides in addressing threats and vulnerabilities, so it's always a good idea to look around and make sure your vendor has the latest and/or the best protection for your needs. And remember to look past the hype, and look for concrete features that have a purpose, and a benefit that can be demonstrated.

Friday, April 11, 2008

Other Common Proxy Avoidance Techniques

A few weeks ago we discussed a website that pointed out some obvious obfuscation techniques that are used to hide the actual URL being visited. Most of these techniques center on masking the actual URL using variations on the IP address, and on using the username/password portion of the URL to give the appearance of visiting a site other than the one actually being accessed.

In addition to using these techniques to try and confuse the proxy, there are other ways the end-user can try to get around the proxy. If the goal of the end-user is to reach images that are being blocked by URL, a common technique is to go to Google Images and do the search there to get the images. A less capable proxy will display the images, as most proxies don't go the extra distance to block the embedded URLs being displayed in each of the search results. There are proxies out there that are smart enough to block pictures pointing to embedded URLs, and some that are even capable of rewriting the Google search so that it always comes out as a "safe search" regardless of the setting the end-user tries to use.

Google also offers another common method that end-users will attempt to use to bypass the proxy. The translation feature Google offers for web pages produces a URL that looks like a Google URL but contains all the contents of the page that was requested to be translated. For example, if you take www.playboy.com and ask Google to translate it from English to French, the result is a URL pointing at google.com, which once again a lesser proxy will display to the end-user, but a more capable proxy should be able to block.

So what's the lesson here? Buyer beware when selecting your proxy. Be sure your proxy has advanced features like the ones discussed here. As end-users get more savvy, your proxy needs to be even more intelligent.
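As an added example that is not from the original posts and is not Blue Coat's or Google's code, here is a small Python policy helper that does what the April 28 and April 11 posts describe: it forces safe search on Google search requests, and it unwraps the destination URL that Google embeds in image-result and translate links so the filter judges the real site rather than the google.com wrapper. The query parameter names (`safe`, `imgurl`, `u`) and the blocklist are assumptions for this example.

```python
"""Proxy policy helper (added example): force Google SafeSearch and unwrap
URLs that Google embeds in image-result and translation links so the URL
filter evaluates the real destination instead of the google.com wrapper."""
from typing import Optional, Tuple
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Constructed blocklist standing in for the proxy's URL database.
BLOCKED_HOSTS = {"playboy.com"}

# Google endpoints that carry another site's URL in a query parameter.
# The parameter names are assumptions for this example.
EMBEDDED_URL_PARAMS = {
    "/imgres": "imgurl",    # image-search result wrapper
    "/translate": "u",      # page-translation wrapper
}


def is_google_host(host: str) -> bool:
    host = host.lower()
    return host == "google.com" or host.endswith(".google.com")


def is_blocked_host(host: str) -> bool:
    host = host.lower()
    return any(host == b or host.endswith("." + b) for b in BLOCKED_HOSTS)


def force_safe_search(url: str) -> str:
    """Rewrite a Google search or image-search request so safe=active,
    whatever the user put in the query string."""
    p = urlsplit(url)
    if not is_google_host(p.hostname or "") or p.path not in ("/search", "/images"):
        return url
    query = [(k, v) for k, v in parse_qsl(p.query, keep_blank_values=True) if k != "safe"]
    query.append(("safe", "active"))
    return urlunsplit((p.scheme, p.netloc, p.path, urlencode(query), p.fragment))


def embedded_destination(url: str) -> Optional[str]:
    """Return the third-party URL wrapped inside a Google result or
    translate link, or None if the request is not such a wrapper."""
    p = urlsplit(url)
    param = EMBEDDED_URL_PARAMS.get(p.path) if is_google_host(p.hostname or "") else None
    if param is None:
        return None
    for k, v in parse_qsl(p.query, keep_blank_values=True):
        if k == param and v:
            return v
    return None


def apply_policy(url: str) -> Tuple[str, str]:
    """Return ("allow" | "block", effective_url) for one proxied request."""
    dest = embedded_destination(url)
    # Judge the wrapped site when present, otherwise the request itself.
    host = urlsplit(dest).hostname if dest is not None else urlsplit(url).hostname
    if is_blocked_host(host or ""):
        return "block", url
    return "allow", force_safe_search(url)
```

A real proxy would also apply its content scanning and dynamic rating to the unwrapped destination, not just a host blocklist.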

Thursday, April 10, 2008

Bandwidth Management?

You may be wondering what Bandwidth Management has to do with Proxies. At this week's RSA Conference, Blue Coat Systems was showing off a demonstration in their booth where their ProxySG allowed all text to be displayed immediately from sites categorized as Sporting, but bandwidth limited all the graphics on the page to only 1kbps. The obvious benefit here of course is that you get all the textual content, and prevent the graphics on the page from using up all the internet bandwidth available, so that actual job-related use of the internet can continue.

Tuesday, April 8, 2008

RSA Conference, San Francisco

This week brings the RSA Security Conference to San Francisco. It's one of the largest security shows for networking in the industry, and the exhibit hall opened up last night. As is common with all conferences lately, many of the talks are available on podcast, which means that if your organization didn't send anyone to RSA, you may have lots of listeners on your local area network, eating up the bandwidth to the internet.

The exhibit hall of course is filled with vendors that can help you solve that problem from blocking that content to allowing it, and only allowing one download to happen from the internet, caching that content, and delivering locally when requested by each additional requester. This year, RSA is touting 400 exhibitors, 240 sessions and a keynote by Michael Chertoff.

If you get the chance, stop by and visit. Even if you can't afford the conference pass, the exhibits are sure to provide lots of learning opportunities.

Thursday, April 3, 2008

In the News: Risks of Anonymous Proxies

A recent article (linked above) on the risks of anonymous proxies (which have become a popular way of avoiding the corporate or school proxy) indicated that at least 5% of anonymous proxies contained some kind of malware. Users accessing these anonymous proxies put their organizations at risk for drive-by spyware, viruses and trojans. They can also possibly expose your users to identity theft and your organization to information theft.

Your end-user may gain access to barred sites by using an anonymous proxy, violating corporate policy or even regulatory requirements. The article describes methods to combat anonymous proxies and recommends such features as SSL interception in a proxy, and advanced proxies that recognize anonymous proxy sites. In case you don't think you're vulnerable, set up a test PC in your corporate network and point the browser at a few anonymous proxies; you may be surprised at the result.

Wednesday, April 2, 2008

In the News: Web Attacks Won't Stop

According to this blog article from InfoWorld, the Web will continue to be a dangerous place to visit with even the best of sites compromised, and the threat being as simple as a "drive-by" meaning that just visiting a site could cause some malicious code to be implanted on your computer.

With well known sites with good reputations being victims themselves of bots, hackers and other malware being deposited on their sites, URL filtering alone won't solve the security problem.

While we focus on proxies in this blog, it's also important to remember that threats are beginning to enter the organization by other, more unconventional means, as this article reminds us. While the web may be the source of a lot of malware, physical devices are also a source of infection in computer networks. In 2007 there was a rash of digital picture frames that were shipped with a Trojan, and USB sticks (thumb drives) are vulnerable to this type of malware distribution.

A good proxy remains important in keeping out the malware, but remember to be checking on the desktop as well.

Tuesday, April 1, 2008

In the News: What Firewalls do and What Firewalls don't do

The linked article above has an interesting viewpoint. Where we agree is that firewalls aren't sufficient to address all the security threats on the network. Where we disagree is how to address that shortcoming. The author discusses the use of UTM (Unified Threat Management) devices to address all the other threats out on the Internet. While in theory I like the idea, the problem I have with it is that it only works for the smaller organization. Any organization that has any volume of email and web usage will probably find a UTM device inadequate, as the scanning necessary to address the myriad of threats tends to drive up CPU usage, and most UTM devices don't scale to the levels necessary for larger organizations.

Another and perhaps bigger problem with UTM devices is that attacks on organizations tend to focus on one protocol: a denial of service attack will be on HTTP, SMTP, or DNS, but not usually all of them at once. With a UTM device, an attack on any of these will render all of them unusable. By separating the security devices associated with each protocol, when one is under attack there's a good chance the other protocols remain available for use.

The final problem with UTM devices is having to rely on the technology that the UTM vendor has selected for the given protocol. This leaves the organization vulnerable if the best-of-breed technology wasn't selected by the UTM vendor. In this blog we focus on proxies, and I believe any organization should evaluate the proxy solutions available and decide which one is best for their needs. At the same time, find the best email solution for spam and viruses, and any other protection you think you need (including ILP/DLP, etc.).

Find the proxy solution with all the security features you need and don't rely on the UTM vendor to do it for you.