Welcome to the Proxy Update, your source of news and information on Proxies and their role in network security.

Friday, May 30, 2008

A Proxy of One

The proxy makes a lot of sense as a security device in the data center, and even at branch offices where there's a direct Internet connection. It provides a level of security against malware coming from the Internet, and it enforces corporate policy. The only problem is that in today's mobile world almost everyone has a laptop, and more likely than not your end-users will be connecting to the Internet from a network that isn't the corporate network. The end result, of course, is that they won't have the protection of the proxy.

What's the solution? A proxy of one. All the features of the proxy built right into a client that runs directly on the laptop itself. Because the proxy of one has to not only protect the end-user but also enforce corporate policy, it needs to be managed and controlled from the enterprise data center.

While there are plenty of software packages that offer web filtering and protection, few do so with the ability to be centrally managed. Blue Coat Systems announced a package that goes one better. In addition to being a centrally managed, distributed proxy-of-one solution, their ProxyClient solution also offers WAN acceleration in the same package (see this article regarding WAN optimization in the proxy).

There's really no reason you can't have the protection of the proxy, even when you're on the road.

Friday, May 23, 2008

PAC and WPAD

There are plenty of deployment methods for proxies, and we've touched on a number of them in this blog. If you've decided on an explicit proxy implementation (where you block all access to the web from any IP address in your organization except for the IP address of the proxy), the proxy's address needs to be entered in every browser's configuration. That alone sounds like a nightmare of a chore for any systems administrator.

Luckily there are two technologies to help with this chore, PAC (Proxy Auto-Config) and WPAD (Web Proxy Auto-Discovery Protocol). These technologies help to ensure that all browsers in your organization use the same proxy configuration, without the need for the administrator to visit every browser manually.

The PAC standard allows the administrator to create and publish one central proxy configuration file. A PAC file contains a JavaScript function, "FindProxyForURL(url, host)". This function returns a string that causes the user agent to use a particular proxy server or to connect directly. Typically the PAC file is named "proxy.pac". You can configure the PAC file to list multiple proxy targets in order to provide a backup if a specific proxy fails to respond. To use PAC, you publish the PAC file on a web server and instruct the user agent to use it, either by entering the URL in the proxy connection settings of the browser or through the WPAD protocol.
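A PAC file of the kind described above, written here as an added example rather than taken from the original post: intranet names and the internal address range go DIRECT, everything else is sent through proxy1 with proxy2 and DIRECT as fallbacks. The proxy names, the company.example domain and the 10.0.0.0/8 range are assumptions, and the three helper functions are stand-ins for the ones a browser normally supplies to FindProxyForURL.

```javascript
// Stand-in for the browser-provided PAC helper: true for unqualified names.
function isPlainHostName(host) {
  return host.indexOf(".") === -1;
}

// Stand-in for the browser-provided PAC helper: true if host ends in domain.
function dnsDomainIs(host, domain) {
  return host.length >= domain.length &&
    host.substring(host.length - domain.length) === domain;
}

// Stand-in for isInNet: dotted-quad ip inside pattern/mask (no DNS lookup here,
// so callers must pass an IP literal, not a hostname).
function isInNet(ip, pattern, mask) {
  var toInt = function (s) {
    var p = s.split(".");
    return ((p[0] << 24) | (p[1] << 16) | (p[2] << 8) | (p[3] | 0)) >>> 0;
  };
  var m = toInt(mask);
  return (toInt(ip) & m) === (toInt(pattern) & m);
}

// Order matters: the browser tries proxy1, then proxy2, then goes direct
// if both fail to respond. Names and ports are assumed values.
var EXTERNAL = "PROXY proxy1.company.example:8080; PROXY proxy2.company.example:8080; DIRECT";

// PAC interpreters are old-style JavaScript engines, hence var and no arrow functions.
function FindProxyForURL(url, host) {
  // Intranet names and the internal address range never leave the site.
  if (isPlainHostName(host) || dnsDomainIs(host, ".company.example")) {
    return "DIRECT";
  }
  if (/^\d+\.\d+\.\d+\.\d+$/.test(host) && isInNet(host, "10.0.0.0", "255.0.0.0")) {
    return "DIRECT";
  }
  // This policy only proxies HTTP and HTTPS; other schemes (e.g. ftp) go direct.
  if (url.substring(0, 5) !== "http:" && url.substring(0, 6) !== "https:") {
    return "DIRECT";
  }
  return EXTERNAL;
}
```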

The WPAD standard allows two ways for the system administrator to publish the location of the proxy configuration file, using the Dynamic Host Configuration Protocol (DHCP) or the Domain Name System (DNS).

Prior to fetching its first page, a web browser using WPAD sends the local DHCP server a DHCPINFORM query and uses the URL from the WPAD option in the server's reply. If the DHCP server does not provide the necessary details, DNS is used: the browser derives a URL from its own domain name to find the configuration file. For example, if the hostname of the end-user's computer is dhcp123.company.com, the browser will try http://wpad.company.com/wpad.dat.

With the implementation of PAC and/or WPAD, you can relieve some of the administrative work in getting an explicit proxy deployment to work. If you need some additional information on PAC and WPAD, https://www.wikipedia.org has some great examples.

Thursday, May 22, 2008

The Reverse Proxy

The reverse proxy, sometimes referred to as the inbound proxy, is the proxy deployed at the edge of your network to protect the organization's web presence. Reverse proxies that double as web caches are also used to expand the capacity of the organization's web servers, since a web cache can typically handle many more requests for content than a web server can. Reverse proxies can also protect web servers from attacks coming from the Internet.

In addition to an organization's web presence, a reverse proxy can also help secure services the organization serves to its employees through the web, such as Outlook Web Access (OWA), Microsoft Exchange's web-based email offering. Typically organizations allow their employees to retrieve email using this web service when they are traveling or working from home. A reverse proxy can help prevent malicious attacks, denial of service attacks, and other security risks to the web server.

A reverse proxy protecting an OWA server has to be able to intercept SSL, as most organizations will want to make sure that email access is secure. A good reverse proxy will be able to force users to log in over SSL (by redirecting to https) and to log out inactive users. A truly advanced proxy will also provide virus protection and content filtering capability, including ILP and DLP (Information and Data Leakage Protection).

Tuesday, May 20, 2008

WCCP and the Proxy

If your network is truly mission critical and you need to be up 24x7, then bringing down your network to install an inline proxy probably isn't the best solution for your needs. First there's the service window to do the install (not necessarily a show stopper, but something you'd probably like to avoid). Second, there's the proxy itself. While it may have advanced features like fail-to-wire (the ability for traffic to flow through if the device itself fails), you may still consider it a single point of failure and need or want better redundancy.

In this scenario, you may want to look at WCCP (Web Cache Communication Protocol) as your solution. The requirements? Cisco routers in your environment running IOS version 12.1 or higher. WCCP was originally developed for Cisco routers to redirect web traffic to Cisco Cache Engines, but today it works with any proxy that supports WCCP.

WCCP has built-in load-balancing, scaling, fault tolerance, and service-assurance (failsafe) mechanisms. With all these features, WCCP may just be the solution for the mission critical network. There's no excuse for not having a proxy acting as a secure web gateway.

Monday, May 19, 2008

In the News: Malware by Proxy - Fake Search Engine Results

Here's a new article on legitimate websites being infected by malware. This article states that 15,000 web pages were infected daily between January and March of this year (3x the rate from the previous year), and of those pages, 79% were on legitimate websites, including Fortune 500, government agencies and even security vendors!

Once again, with new threats emerging from the web, there's no reason why your organization should go without some sort of web protection. The secure web proxy is the first line of defense against sites that are infected with malware. Make sure your proxy is checking all web sites and doesn't rely on some sort of reputation-based system. As you can see from the article above, even reputable websites get infected, and a system that bypasses reputable websites will leave your organization vulnerable to malware.

Wednesday, May 14, 2008

Making the Proxy Work in Your Environment

One of the major concerns about implementing proxies to secure web access is the need to tie into an existing infrastructure without creating an added layer of authentication for the end-user and any additional work for the IT administrator.

Many of us still think of proxies as a clunky network security tool: one that we place on the edge of the network, then set up the firewall to prevent access to the Internet for all hosts except the proxy. The final step is then setting up all our users' workstations to point to the proxy in order to give users access to the world wide web.

Luckily for IT administrators, the world of proxies has evolved and with it the ease of implementation and integration with existing networks. Unlike the time when all users had to explicitly point their browsers at a proxy, today proxies can be deployed inline to capture all web traffic automatically, or even out of path, using WCCP (Web Cache Communications Protocol) to redirect the web traffic to the proxy.

Even the authentication issue has been simplified with the introduction of Single Sign-On mechanisms available for many proxies. Advanced proxies offer integration with a number of well-known authentication databases including LDAP, Active Directory, NTLM, Kerberos, RADIUS, TACACS and others. Single Sign-On can be integrated with a web portal page or with the existing Microsoft sign-on mechanism in any organization.

Today, there's really no excuse for any IT administrator to forgo implementing web security in their network. Proxies have evolved to become the right solution for any organization's concerns around web access.

Tuesday, May 13, 2008

ICAP and the Proxy

For IT administrators, the proxy is a well-known part of the network infrastructure. Admins use the proxy to secure their end-users' access to web sites on the Internet, and they expect the proxy to provide access restrictions and logging based on the websites visited. Today proxies do more than ever before.

With the introduction of ICAP (Internet Content Adaptation Protocol) based on RFC 3507 (2003), proxies gained the ability to provide even more significant security functions. ICAP specifically has been implemented with proxies for anti-virus scanning (including malware scanning), URL filtering, and for DLP/ILP (Data Leakage Protection/Information Leakage Protection) scanning.

ICAP allows the proxy to talk to a secondary device, using policy to decide what needs to be sent to the secondary device for filtering or scanning. For example, an administrator can create a policy on a proxy to have all file attachments sent to the ICAP server for anti-virus scanning. This is useful where end-users have access to webmail on the Internet and are downloading files from the email service. Any other files downloaded from the web can be targeted for malware scanning as well.

In the DLP/ILP scenario, a policy for any files uploaded to a webmail service could be implemented to allow for the search of any proprietary or confidential information in the uploaded file.
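To make the proxy-side mechanics concrete, here is an added example (not code from the original post or from any vendor's product) of the two halves of the anti-virus scenario above: a policy hook that decides which HTTP responses are worth sending to the scanner, the ICAP RESPMOD message the proxy would send (RFC 3507 format, with the Encapsulated header giving the byte offset of each embedded section), and the handling of the scanner's 204 or 200 reply. The ICAP service URI, the webmail hostname and the sample HTTP message are all constructed for the example; the upload (DLP) case would use REQMOD in the same way.

```javascript
var ICAP_SERVICE = "icap://icap.company.example:1344/avscan"; // assumed service URI

// Policy hook: scan anything served as an attachment or as a binary/archive type.
// Real products express this as proxy policy; this is a stand-in for illustration.
function needsScan(resHeaders) {
  var h = resHeaders.toLowerCase();
  return /content-disposition:\s*attachment/.test(h) ||
    /content-type:\s*application\/(octet-stream|zip|x-msdownload)/.test(h);
}

// Build the RESPMOD request. Encapsulated offsets are byte offsets from the start
// of the encapsulated area; the body is sent HTTP-chunked and ends with "0\r\n\r\n".
function buildRespmod(reqHeaders, resHeaders, body) {
  var reqLen = Buffer.byteLength(reqHeaders, "utf8");
  var resLen = Buffer.byteLength(resHeaders, "utf8");
  var chunked = Buffer.byteLength(body, "utf8").toString(16) + "\r\n" + body + "\r\n0\r\n\r\n";
  var icapHeaders =
    "RESPMOD " + ICAP_SERVICE + " ICAP/1.0\r\n" +
    "Host: icap.company.example\r\n" +
    "Allow: 204\r\n" + // tells the scanner we accept "204 No Content" (deliver unmodified)
    "Encapsulated: req-hdr=0, res-hdr=" + reqLen +
    ", res-body=" + (reqLen + resLen) + "\r\n\r\n";
  return icapHeaders + reqHeaders + resHeaders + chunked;
}

// Interpret the scanner's reply: 204 = deliver the original response, 200 = deliver
// the adapted response the scanner sent back (e.g. a block page), anything else =
// fail closed rather than pass unscanned content to the user.
function decide(icapReply) {
  var status = parseInt(icapReply.split("\r\n")[0].split(" ")[1], 10);
  if (status === 204) return { action: "deliver-original" };
  if (status === 200) {
    // The encapsulated HTTP response (headers plus chunked body) follows the blank
    // line; decoding that section is not shown here.
    var idx = icapReply.indexOf("\r\n\r\n");
    return { action: "deliver-adapted", payload: icapReply.substring(idx + 4) };
  }
  return { action: "block", reason: "ICAP status " + status };
}

// Constructed sample: a webmail attachment download, as seen by the proxy.
var SAMPLE_REQ = "GET /mail/attachment/report.exe HTTP/1.1\r\nHost: webmail.example.net\r\n\r\n";
var SAMPLE_RES = "HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n" +
  "Content-Disposition: attachment; filename=\"report.exe\"\r\n\r\n";
var SAMPLE_BODY = "MZ-constructed-fake-binary-content";

if (needsScan(SAMPLE_RES)) {
  console.log(buildRespmod(SAMPLE_REQ, SAMPLE_RES, SAMPLE_BODY));
}
```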

One of the biggest benefits of ICAP is the standards-based nature of the protocol, allowing the administrator to choose from a variety of vendors for anti-virus, URL and DLP/ILP solutions that can integrate with their proxy. These new tools for the proxy let the IT administrator keep web browsing safe for their end-users in an age when more threats than ever are showing up on web pages.

Monday, May 12, 2008

In The News: Web Forums Hijacked to Spread Child Porn

The above is an older article from June of 2007, but I thought it was a good article to highlight the spread of attacks on websites, even ones you would not expect to be attacked. Hackers attacked and infiltrated well-known sites, including ones that are for kids, inserting links to pages that contained pornography.

This is a good reminder to make sure the web security proxy you're using for your organization's access to the internet has the ability to look at embedded links and rate them separately from the main page. That way your users still get the content they're looking for and you get to block out the malicious content that was inserted by hackers.

Thursday, May 8, 2008

In The News: Web Porn at Work

The news article above describes a Japanese worker who surfed porn at work and went undetected for quite some time. It was not until his computer picked up a virus from one of the sites he was surfing that his extensive browsing was discovered.

Wouldn't you hate to have been the IT administrator of that network, having to explain why you didn't detect this waste of bandwidth earlier? Or even simpler, why such an abuse of corporate policy was allowed without detection.

The web proxy would have been the simplest network device to implement to enforce policy, or at the very least to categorize web browsing into reports for management to see where traffic was going and from which IP addresses. It's incredible to think that with the network tools available today, we still hear stories like this one.

Wednesday, May 7, 2008

Secure Computing Stumbles

Contrary to all my predictions about the proxy returning to the spotlight as the focus of security for the enterprise, Secure Computing seems to be having problems selling their web security solutions, according to the Motley Fool article linked above.

According to the article, growth for Secure has slowed from an anticipated 20% down to a mere 2%. Motley Fool goes on to suggest the economy is to blame for Secure's woes, but then corrects itself by noting that other security vendors (proxy, anti-virus and other) don't seem to have a problem with the economy. That said, is web security still where the focus needs to be for the IT administrator?

In my opinion, undoubtedly. There are still way too many threats on the web, with more being reported every day. When reputable web sites like the New York Times and the United Nations are being infiltrated with malware, there's no telling which site is truly safe to browse.

You certainly don't want to be the IT administrator who has no response, when asked, "what did you do to prevent that latest outbreak from a web site's drive-by malware download?". Be proactive, and at the very least be able to show you've put some web security in place in your corporate proxy.

Monday, May 5, 2008

Mash Up?

You may have been hearing the term "mashup" more and more when referring to web pages and websites. But what's the implication for the IT administrator, the end-users and the security proxy?

First we have to talk about what a "mashup" refers to. A mashup is a web page or web application that delivers, on demand, content combining different media and applications. The Wikipedia link above to the definition of mashup uses the example of Google Maps used in a real estate page to build a full page combining not only map data, but photos, video and other information for the end-user. The key here is personalized content.

That's great for the end-user. It means getting better information, quicker than ever before. But it may become the IT administrator's nightmare. The biggest problem with the mashup is that the old web security technologies in proxies may not be able to recognize the threats that come in the form of a mashup. URL databases that do web crawls may not necessarily get the same information that the end-user gets, because the personalized content will be delivered based on the end-user's history with the website, something the web crawler won't have.

As the web becomes more and more dynamic, the old URL databases and database filtering will become less and less relevant for companies that are trying to enforce web access policies. A company with a policy against pornography in the workplace may find it more and more difficult to enforce this policy with just URL database filtering. More and more, it will be necessary to evaluate web pages in real time based on the actual content being delivered to the end-user, and to evaluate embedded URLs in delivered content. An embedded URL in a mashup needs to be evaluated independently of the web page, as it can come from anywhere on the world wide web. Unfortunately web reputation is going to be less and less useful as more well-known websites get infiltrated.

What does all of this mean for the IT administrator? It means ensuring they have the latest security tools in their proxy's arsenal. Real time virus scanning, real time URL categorization, and embedded URL checking are just a few of the technologies the IT administrator needs to be looking for in their proxy. It's going to be important to keep track of new technologies as they evolve and make sure they get deployed successfully after a reasonable testing phase.

Friday, May 2, 2008

Everything Old is New Again

When the web started out, it was quickly recognized that there was a need to protect and secure the web space as well as expand the capacity of the web. The proxy quickly became the source of that expanded capacity as a web cache, and, working in tandem with the corporate firewall, provided the security that IT administrators were looking for in logging and controlling access to the Internet.

The focus of security quickly shifted from the web proxy to email in the new millennium, as viruses and worms were quickly propagated using email transmission. Edge email gateways became the hot product and Ciphertrust and Ironport became the "in" products to have.

As hackers start to realize that organizations have the email problem mostly in-hand, the threat vector has started to shift back to the web again. We're seeing more and more "drive-by" downloads of spyware and viruses on web pages, even well known and reputable web sites.

While the proxy may trigger memories of days gone by, it's going to take its place in days to come as well. The proxy is ideally suited to handle web threats, and every organization needs to start taking threats from the web seriously, as seriously as e-mail-borne viruses if not more so, as few end-users today consider the web a source of threats.

Thursday, May 1, 2008

Defining the Line Between Good and Bad

As the IT administrator, you probably don't want to be tasked with setting the policy for what's allowed in the workplace. Unfortunately, in many cases the IT administrator has to decide how to interpret a vague or non-existent HR policy on what's permissible on the corporate network.

There's some obvious categories that should be blocked from the corporate network. Prevent malware, spyware and viruses, and implement tools and protection to that end. Next obvious is probably pornography, for all sorts of reasons, a sexual harassment lawsuit being the most convincing. After those two categories, everything else is probably more of a gray area if no one in your HR organization has already defined a policy.

The URL database vendors for proxies have made it easy to get specific websites categorized into these different buckets, and the proxy makes it relatively simple to set up policy to block the unwanted categories. That leaves the categories that are sort of in between. Is it acceptable to go shopping on company time? For the administrative assistant that's probably a yes, if he or she is going to the office supply store's website to order items for the office. But do other employees really need to be browsing eBay during working hours?

How about a sports website? Perhaps if you work for ESPN or Sports Illustrated, that makes sense, but the typical office worker probably doesn't need access to those sites. And there's the hard call for the IT administrator. Should they be the arbiter in deciding what's allowed?

With some proxies, the IT administrator doesn't need to make that decision. Anything the IT administrator decides is in a gray area can be put into a policy that displays a warning page when that type of site is visited. For example, if an employee visits eBay, a guidance page can be displayed stating that the site is a "shopping" site, warning the user that visiting it may not be within the parameters of their job and that their visit will be logged, and letting them continue to the site by clicking through the warning page if they want or need to. The benefit of this "guidance" page is that it leaves the decision about whether an employee can visit a page to the employee and not to the IT administrator.

If you're an IT administrator lucky enough to have clear policy set by the HR department, a good proxy can also let you configure the policy to do whatever has been decided. Perhaps it's not okay to visit sports sites during the day from 8 to 5, but outside of that time there's no restriction on those sites. Perhaps the executives on management row don't have any restrictions on where they can browse, but everyone else does. These should be policies that your proxy lets you set. The proxy should be a tool in the IT administrator's arsenal, and one that helps keep the administrator out of the HR policy-setting process.