Welcome to the Proxy Update, your source of news and information on Proxies and their role in network security.

Wednesday, July 30, 2008

Securing Outlook Web Access

Reverse proxy is one specialized deployment of the proxy architecture. For the typical organization, securing OWA (Outlook Web Access) is probably one of the most common concerns among IT administrators, who secure their end-users' access to corporate resources.

Giving end-users access to OWA from the Internet is always a concern, as it requires opening up an internal server with valuable corporate resources to the World Wide Web. There's of course even greater concern, as OWA runs on an Exchange server on a Windows Server platform, a platform that needs to be secured before it can be offered on an Internet link.

The reverse proxy addresses this security concern neatly: it is an architecture that can not only secure OWA, but also provide performance improvements for the OWA server at the same time, using the caching capabilities of the reverse proxy for static items like graphics.

In selecting a reverse proxy for securing your OWA or other internal application, look for SSL-enabled security. Not all reverse proxies support SSL, and SSL proxy capability is a requirement when talking about securing internal corporate resources. Additional benefits a proxy can offer include redirection to SSL login pages, timing out of logged-in sessions, and other security enhancements to web access.

The reverse proxy is a necessity in any corporate deployment of OWA access from the Internet, and can offer similar benefits for any other web enabled application that end-users are accessing from the Internet. Be sure to look for the right security features for your application when deciding on which reverse proxy to deploy.
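The behaviours described above (redirect to the SSL login page, idle-session timeout, caching of static items only), modelled as a reverse proxy's per-request decision. This is an added example, not code from the original post or from any proxy vendor; the host name, login path, timeout value and class name are assumptions.

```python
from dataclasses import dataclass, field

IDLE_TIMEOUT = 15 * 60                               # assumed idle limit, in seconds
STATIC_EXT = (".gif", ".jpg", ".png", ".css", ".js")  # static items safe to cache
LOGIN_URL = "https://mail.example.com/owa/logon"      # hypothetical SSL login page

@dataclass
class OwaReverseProxy:
    origin: callable                                  # fetches a path from the internal OWA server
    sessions: dict = field(default_factory=dict)      # session id -> time of last activity
    cache: dict = field(default_factory=dict)         # static path -> cached body

    def login(self, session_id, now):
        self.sessions[session_id] = now

    def handle(self, scheme, path, session_id, now):
        # Plain HTTP never reaches the internal server: send the user to the SSL login page.
        if scheme != "https":
            return ("redirect", LOGIN_URL)
        # Static items are answered from cache, offloading the OWA server.
        if path.lower().endswith(STATIC_EXT):
            hit = path in self.cache
            if not hit:
                self.cache[path] = self.origin(path)
            return ("cache-hit" if hit else "cache-miss", self.cache[path])
        # Mailbox pages need a live session; idle or unknown sessions are dropped.
        last = self.sessions.get(session_id)
        if last is None or now - last > IDLE_TIMEOUT:
            self.sessions.pop(session_id, None)
            return ("redirect", LOGIN_URL)
        self.sessions[session_id] = now
        return ("forward", self.origin(path))         # dynamic content is never cached

def demo():
    fetched = []                                      # constructed stand-in for the OWA server
    def origin(path):
        fetched.append(path)
        return "body of " + path
    proxy = OwaReverseProxy(origin)
    proxy.login("s1", now=0)
    steps = [
        ("http", "/owa/", "s1", 10),                  # clear-text request
        ("https", "/owa/logo.gif", "s1", 20),         # first fetch of a graphic
        ("https", "/owa/logo.gif", "s1", 30),         # same graphic again
        ("https", "/owa/inbox", "s1", 60),            # active session
        ("https", "/owa/inbox", "s1", 60 + IDLE_TIMEOUT + 1),  # session left idle
    ]
    return [proxy.handle(*s)[0] for s in steps], fetched
```

Only the listed static extensions are cached; mailbox pages always go to the origin, so one user's mail is never served to another from the proxy cache.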

Tuesday, July 29, 2008

Almost as if on cue ...

Almost as if on cue, Blue Coat Systems issued a warning about the Olympics two days after my posting about the bandwidth the Olympics would take up because of the unprecedented amount of video that will be available.

Now is the time to prepare for the effects of the Olympics on your corporate network. Is your proxy prepared? Have you set up a policy around what can be viewed during work hours? If you're allowing video streaming, is your proxy going to cache content to help offload your Internet bandwidth usage?

All good questions you need to have an answer for and soon.

Tuesday, July 22, 2008

Web Streaming of Video Dominating Web Traffic?

It's inevitable whenever there's a big sports event, that you see articles in news journals talking about the spike in Internet usage from that event, due to everyone watching the live video streaming of it over the Internet. Net usage goes up, and slows everyone else down. The important question for the IT administrator though, is did that sporting event cause your local network to slow down as well, and did it eat up all your bandwidth to the Internet, making it impossible for your workers to get anything done that day?

The next big test of networks is coming soon. The Beijing Olympics is just around the corner, set to start on August 8, 2008. CCTV has already announced intentions to broadcast videos of the Olympics, available for download from their web site. CCTV is already planning on using an e-CDN (Content Delivery Network) to help offload their web servers. But will office workers watching the Olympics crush the typical organization's web link and internal LAN traffic? The answer is no, if you've got the right web proxy in place.

As long as you're using a proxy to secure your access to web traffic, and your web proxy supports caching of video streams, you should be able to offload the web usage by video watchers. If you have web proxies at your remote offices sharing the same link to the Internet as your main HQ, you'll also be offloading your LAN traffic. The other answer of course is to block video traffic entirely using the proxy, but that's a corporate IT and HR decision. And if it's one you decide to make, it'll be your proxy that does the blocking for you again.

Friday, July 18, 2008

HoneyGrid

For those of you who have been dealing with email problems, spam and viruses, you're probably already familiar with the term honeypot. Honeypots have been in use for some time to collect spam and virus samples on the internet. The idea of course is to get samples out in the wild as early as possible in order to create patterns to catch the spam or virus.

For web filtering and the proxy the problem is slightly different. How do you determine there's a malicious website or a new website containing some content you don't want to get on your network? The security companies have been hard at work creating a new method of getting this information as quickly as possible. Similar to the honeypot technology, the "honeygrid" uses resources out on the internet to get as many samples as quickly as possible. Larger security companies have the ability to tap their deployed network of users to help gather information around when a malicious site has been found.

As an example, Blue Coat Systems calls their "honeygrid" WebPulse. It's comprised of all the deployed ProxySG systems running their web filtering software and also all the sites that have deployed their free filtering software, K9, which according to the website currently has over 650,000 deployed copies worldwide. This force of web surfers worldwide helps Blue Coat determine when a new page has been created, and if the content is suspicious (based on real time rating and virus scanning), gives them an opportunity to get a first look at the page and examine it for malicious content.

When looking at threat protection for your proxy, don't forget to ask about the latest: honeygrids, and whether you've got the force of web surfers working for you.

Tuesday, July 15, 2008

Threat Engines are a Necessity

In today's web world, with 1 in 10 websites being infected according to Google, it's easy to see why a "threat engine" is a critical part of the Proxy architecture in any network. While the proxy was originally placed in the network to help save bandwidth and speed up access to the internet, its edge location in the network also makes it the ideal place to detect malicious intent coming from websites on the Internet.

We've talked about scanning for malicious content in previous postings, but what about the actual "threat engine" behind the scanner? How good a "threat engine" do you need to detect the malware that's out there, and do you need more than one threat engine? Those are all good questions, and ones worth researching when deploying a threat scanner on your proxy.

It's also nice to have a choice among threat engines in your proxy. Different vendors, such as McAfee, Symantec, Kaspersky, Sophos, Panda, etc. each have their own strengths and weaknesses, not to mention price points. Make sure your proxy lets you select the threat engine you use to scan for malware. The threat engine is separate from the URL filtering we've talked about in the past, but should be able to work in conjunction with your URL filter to offer you a full level of protection. The URL category databases allow blocking of categorized sites, while the threat engine helps prevent any new uncategorized sites from infecting your organization.

Friday, July 11, 2008

Proxy Avoidance

For the typical IT administrator trying to handle end-users that are trying to get around the corporate proxy, it can be a frustrating and never-ending task. New proxy avoidance sites seem to pop up every day, so it's extremely difficult to keep a blacklist of proxy avoidance sites up to date.

This is one instance where real time dynamic rating can help. Most IP addresses used as a proxy avoidance site have live web pages at that IP address that explain how to use that IP address for proxy avoidance.

These web pages can be dynamically rated by those proxies that have the ability to do real time rating. A good engine should categorize these IP addresses as proxy avoidance sites, a classification that should be blocked in the corporate proxy. As long as you're using a transparent proxy, all HTTP traffic should be going through the proxy regardless of the proxy IP addresses used by the end-users, and can be blocked using policy set on the proxy itself to block access to proxy avoidance sites.

For protection against proxy avoidance, do the due diligence and make sure your corporate proxy has the best protection against proxy avoidance sites, and can detect new ones as they become available.
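A simplified sketch of the real time rating described in this post, where an unknown IP address is categorized from its live web page and then handled by category policy. This is an added example, not code from the original post or from any vendor's rating engine; the keyword list, field names, scoring threshold and function names are assumptions, and the sample pages are constructed.

```python
from html.parser import HTMLParser

# Assumed indicators for this sketch; a commercial rating engine uses far richer signals.
KEYWORDS = ("web proxy", "anonymous", "unblock", "bypass", "hide your ip")
URL_FIELDS = ("url", "u", "q", "address")
BLOCKED = {"Proxy Avoidance"}

class PageFeatures(HTMLParser):
    """Collects visible text and counts form fields that look like a URL entry box."""
    def __init__(self):
        super().__init__()
        self.text, self.url_inputs, self.in_form = [], 0, False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.in_form = True
        elif tag == "input" and self.in_form:
            is_text = (a.get("type") or "text").lower() == "text"
            if is_text and (a.get("name") or "").lower() in URL_FIELDS:
                self.url_inputs += 1

    def handle_endtag(self, tag):
        if tag == "form":
            self.in_form = False

    def handle_data(self, data):
        self.text.append(data.lower())

def rate_page(html):
    p = PageFeatures()
    p.feed(html)
    text = " ".join(p.text)
    score = sum(k in text for k in KEYWORDS) + (2 if p.url_inputs else 0)
    return "Proxy Avoidance" if score >= 3 else "Uncategorized"

def decide(ip, fetch, ratings):
    """Rate an unknown IP once from its live page, then apply the category policy."""
    if ip not in ratings:
        ratings[ip] = rate_page(fetch(ip))
    return "deny" if ratings[ip] in BLOCKED else "allow"

# Constructed sample pages, keyed by documentation-range IP addresses.
PAGES = {
    "192.0.2.10": "<h1>Free Web Proxy</h1><p>Unblock sites and stay anonymous.</p>"
                  "<form><input type=text name=url><input type=submit></form>",
    "198.51.100.7": "<h1>Parts catalogue</h1><form><input type=text name=q></form>",
}
```

A search box alone scores below the threshold, so the catalogue page stays uncategorized; it takes the URL entry form together with avoidance wording to reach the blocked category.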

Wednesday, July 9, 2008

Google Releases RatProxy

Google has been well known for recognizing that malicious threats are embedded in many web pages. Their research last year indicated that 1 out of every 10 web pages had some malicious content on them, regardless of the reputation of the site.

As a follow-on, Google announced last week they are releasing the code to their internal tool called RatProxy that analyzes websites for threats. While this isn't a proxy in the normal sense, it is a useful tool to make sure your own website hasn't been compromised.

The proxy analyzes problems such as cross-site script inclusion threats, insufficient cross-site request forgery defenses, caching issues, cross-site scripting candidates, potentially unsafe cross-domain code inclusion schemes and information leakage scenarios, and other threats.

Tuesday, July 8, 2008

Switchproxy

Here's a link to an interesting extension tool that lets you switch between proxy configurations on your Firefox browser easily. It creates a little drop down for you to select the proxy you want to use.

It's useful if you're on a laptop and constantly on different networks. An added bonus is that it has a built-in anonymizer for those who have a need to surf the web without divulging their identity.

As always, a tool like this can be misused, so if you're a network administrator and want to make sure your end-users aren't misusing something like this, you probably don't want an explicit proxy deployment in your network (see other posts on proxy deployments).

Monday, July 7, 2008

Secure's New Customer Isn't Blue Coat's Former?

If you didn't think competitors' relationships in the proxy space were contentious enough, a recent press release (linked above) from Secure seems to go to show there are really no holds barred between these two competitors.

Secure Computing put out what seems an innocuous enough press release about a new customer of theirs, Joy Global. The problem comes when they claim this customer is a former Blue Coat customer and discuss the problems the customer had with the Blue Coat solution.

Why is this such a problem? Blue Coat has come out saying that Joy Global has never been a Blue Coat customer, and all the statements with regard to the Blue Coat products are incorrect and misleading.

It'll be interesting to see how Secure responds to this one, but if in fact Blue Coat's claim is true, that puts Secure another notch lower on the integrity scale.

Thursday, July 3, 2008

Application Firewall: The Next Generation Proxy?

There's a lot of talk lately around application firewalls. While the idea sounds intriguing, there are still a lot of issues to resolve before this idea can gain wide acceptance. The idea behind an application firewall is to marry the proxy and the firewall into a single device that has the application layer security and visibility of the proxy with the packet layer security and visibility of the firewall.

While this sounds great in theory, there are a lot of practical hurdles to overcome in implementation. First off, it marries two different groups in most IT organizations, the network layer group and the security group. That alone makes it a tough sell in many larger IT organizations.

The other big hurdle? Most organizations that would implement an application firewall already have both a firewall and a proxy, typically devices they have a considerable investment in, not only in hardware and software costs, but also in training, reporting, monitoring and other intangible investments.

Is the added benefit of a combined device enough to overcome the expense and create enough justification to remove the existing firewall and proxy? Some IT admins I've spoken to don't think so; they view the application firewall as just a fad, and expect that the proxy vendors and firewall vendors will add enough new features in their products to prevent the application firewall from getting a toehold, especially when there aren't enough compelling reasons to buy the application firewall. Yet.