Welcome to the Proxy Update, your source of news and information on Proxies and their role in network security.

Thursday, August 28, 2008

Remote Clients

Even inside a company office building, many employees are on wireless networks and moving from place to place, not to mention traditional remote client locations in coffee shops, hotels and airports; on networks the IT manager does not control.

While most laptops have a threat detection engine (anti-virus), it must stand on its own against a wide range of web content and threats. Some proxy vendors, like Websense and Blue Coat, now offer mobile client solutions. ProxyClient, a Blue Coat product, extends their web filtering and the malware host blocking of their honeygrid product (WebPulse) to remote clients. Surprisingly, there's no extra charge or additional licensing fee associated with this product (assuming you are already licensed for their ProxySG product). Websense has a Mobile Client that does something similar, but they do have a per-user licensing fee.

It's important for the IT manager to remember that their URL filtering solution must encompass remote clients as they come and go from a corporate network in their daily roles. URL filtering is changing; and the proxy vendors are stepping up to the plate and making sure their products meet today's mobile challenges. Make sure your proxy vendor supports mobile clients.

Wednesday, August 27, 2008

Web 2.0 Content

More and more of the web is two-way published content of text, images and video. The days of single web page loads and a URL rating for a site or page are evaporating. Now sites have multiple feeds, often with real-time content, search string variables from the user or cookies, plus user-authenticated content. Often referred to as Web 2.0, this display of a wide array of content based on user authentication presents specific challenges to IT administrators trying to implement a Secure Web Gateway solution in the form of a proxy.

In a proxy solution, real-time rating services help by rating the entire URL (URL + parameters supplied to the web site) for complex web sites. Blue Coat Systems has DRTR, a real-time rating service which they claim provides a 7-8% coverage benefit over a static URL database's coverage percentage. Blue Coat expects this to increase as Web 2.0 content continues to expand. URL databases are moving to hybrid solutions that provide hidden malware host detection, real-time cloud services, local real-time rating services and traditional ratings. Make sure your proxy supports these latest features.

Wednesday, August 20, 2008

Hidden Malware in Popular Sites

The prevalence of hidden malware in popular websites continues to increase. Active script injections are infiltrating popular web sites, and these scripts are making dynamic download requests to malware stored on separate hosts; often the payload uses a custom encryption wrapper to try to avoid proxy and gateway detection.

These advanced attacks have led many proxy and gateway vendors to develop large honey grids (like Webpulse by Blue Coat Systems) to utilize multiple threat detection engines on clients within a cloud service.

This provides several key benefits for malware host blocking on platforms using existing URL databases. First, the cloud service off-loads threat detection processing from the web gateway; next, it uses clients within the cloud so attacks uncloak themselves for detection; and finally, the cloud service uses multiple threat detection engines (Blue Coat claims to use as many as 10 engines), whereas a web gateway has one threat detection engine, or in many cases none.

A great example of the effectiveness of this honey grid was during some recent attacks against the UN website and some UK websites, which ended up affecting thousands of websites. Those using a Blue Coat proxy were protected, as the Blue Coat solution required only two entries in their WebFilter, both detected by their WebPulse (one malware source three weeks before the attack, the second several days before the attack). This allowed users to visit popular sites that would have been over-blocked due to script injections (by some less sophisticated gateways that identified the main site as the infected site), as Blue Coat's solution made sure the true malware download sources were transparently blocked for the users (using Blue Coat's embedded URL blocking capability).

Interestingly enough, URL filtering has become an important first layer of malware defense in these hidden malware attacks. Reputation, while interesting, would not have made any difference for these popular sites that had embedded malware.

Monday, August 18, 2008

Cross Categorization

URL filtering databases have the tough job of deciding how to categorize a website into a category that's descriptive of that website. For some websites it's easy. Google is a search engine, Playboy is pornography, etc. But for other sites the categorization isn't as easy. Should Yahoo be listed as search engine or a news site or something else entirely?

Some URL databases make this distinction and only put a website in a single category, which means even if there's a possibility that website has characteristics of other categories, it will only be classified with a single classification.

There are a few URL databases which will classify a website under multiple categories, which is more appropriate when it's harder to give a single classification to a website. This matters for organizations that have blocks in place: a site may offer both sports news and gambling, for instance, while being considered more a sports site than a gambling site. Cross classification would allow the site to be blocked appropriately, per the organization's corporate policy.

When investigating URL databases for your organization, be sure to check that websites can be cross classified for the best accuracy when implementing your policy.

Friday, August 15, 2008

Apparent Data Types

One of the more common attacks in the email world is starting to filter over into the web world. In the email world, viruses are often distributed as the payload on an email message. Typically this payload is an executable, which means it has to be suffixed with .com, .exe, .bat or some other executable suffix. As end-users have gotten more savvy, hackers have started trying to obscure their attachments so that the end-user is fooled into thinking the file is a data type that's not an executable.

The easiest way of doing this is taking the extension suffix on a file and changing it to something that the typical end-user will want to click on, download and execute. A typical example of this would be of course to take an executable and disguise it as an image file or video clip.

In reality it isn't that easy to deceive an end-user into executing a virus, as changing the suffix on a file would stop it from being executed. The problem comes about when files are shuffled around the Internet: they are usually encoded or packed, using BASE64, zip or some other encoding mechanism. This encoding can claim to carry a jpg file (for example via the MIME Content-Type header in MIME encoding), but the actual file, when decoded, may have a name like "image.jpg.exe". For most people this is problematic, as Windows by default hides the extension, and most end-users would think they are looking at a file called "image.jpg".

While many anti-malware programs will block known viruses and malware, a new variant could get past the malware scan. This is where a proxy with better security mechanisms could save your organization. Some proxies are capable of detecting mismatches in apparent data types in encoded files. This will help ensure that policies that block exe files or other executables actually get enforced. Make sure your proxy is one that understands how to look for a mismatch in apparent data type.
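The apparent-data-type check described above, written out as an added example (not code from the original post or from any proxy vendor): the member names inside a zip are compared with the leading bytes of each member, so a PE file named "clip.avi" and an "image.jpg.exe" hiding behind Windows' extension hiding are both flagged. The signature table and the sample archive are constructed for the example.

```python
import io
import zipfile

# Leading bytes ("magic numbers") for a few common types; constructed table
MAGIC = {
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "pdf": (b"%PDF-",),
    "exe": (b"MZ",),          # DOS/PE executable header
}
EXECUTABLE = {"exe", "com", "bat", "scr"}

def actual_type(data: bytes):
    """Type implied by the bytes themselves; None if unrecognised."""
    for kind, sigs in MAGIC.items():
        if any(data.startswith(s) for s in sigs):
            return kind
    return None

def suffix_type(name: str) -> str:
    """Type a user or a suffix-only filter infers from the trailing suffix."""
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    return "jpeg" if ext == "jpg" else ext

def findings(name: str, data: bytes) -> list:
    """Reasons the apparent data type of this file disagrees with reality."""
    real, claimed = actual_type(data), suffix_type(name)
    out = []
    if real is not None and real != claimed:
        out.append("content-mismatch")      # e.g. MZ bytes named clip.avi
    # Windows hides the last known extension, so "image.jpg.exe" is shown as
    # "image.jpg": flag executables parked behind a data-type suffix.
    if real == "exe" and name.count(".") >= 2:
        shown = suffix_type(name.rsplit(".", 1)[0])
        if shown in MAGIC and shown not in EXECUTABLE:
            out.append("hidden-executable")
    return out

def scan_zip(archive: bytes) -> dict:
    """Unpack in memory and judge each member, not the .zip wrapper."""
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        return {m: findings(m, zf.read(m)[:16]) for m in zf.namelist()}

def sample_archive() -> bytes:
    """Constructed archive: one genuine JPEG header, two disguised PE stubs."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("holiday.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 12)
        zf.writestr("image.jpg.exe", b"MZ\x90\x00" + b"\x00" * 12)
        zf.writestr("clip.avi", b"MZ\x90\x00" + b"\x00" * 12)
    return buf.getvalue()
```

A gateway enforcing a "block executables" policy would act on either finding rather than on the suffix alone.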

Thursday, August 14, 2008

Application Firewall Reviewed by Network World

I previously discussed application firewalls in this blog, specifically talking about Palo Alto Networks. For those interested in another viewpoint on the new company and their product, Network World recently reviewed their appliance.

I've linked the article above, but it's clear that Network World felt they were more a UTM (Unified Threat Management) box than a firewall or a proxy.

Monday, August 11, 2008

Proxy Servers Give Real Time Olympics

There's been a lot of talk about the proxy servers protecting the enterprise organization during the onslaught of video that's going to be available during the Olympics. We've already covered some of it here on this blog.

There's another angle to proxy servers and the Olympics though, and it's one that you may not have thought of. Your workers may be going through a proxy server on the Internet, not to avoid your existing proxy server, but to pick up a foreign IP address in order to reach live video streams of the Olympics. NBC has an embargo on live video on the Internet, unless it is being shown live on broadcast television in the U.S. So if there's a delayed showing on TV, you can't pick up video of the event on the Internet from a U.S. IP address. But if you have a foreign IP, you can visit a number of foreign sites that are showing the same video live.

The solution some people have found is discussed in the linked article above, which is to find a proxy server with a foreign IP address to submit your request for video to. Anonymous proxy servers tend to do this already, as many of them are located outside the U.S. We've discussed how to prevent end-users from accessing proxy servers outside the organization, and if you haven't already looked into it, it may be a good time to revisit this topic for your organization.

Tuesday, August 5, 2008

Secure ICAP

ICAP is the protocol proxies use to talk to anti-malware engines for processing content the proxy is trying to serve from the internet. The ICAP standard itself was discussed in a previous post to this blog and can be used for both request and response objects. Typically request objects get scanned by DLP engines, while response objects get scanned by the anti-malware engines. Since ICAP is used over the network, it's possible, if you are using the devices on a network that's open to everyone in your organization, that someone could capture packets on the network and examine the content that's being scanned.

Secure ICAP was created to address this concern. Secure ICAP is SSL encrypted ICAP and requires both the proxy and the system the anti-malware or DLP engine is running on to support Secure ICAP. The alternative to this of course is to put a spare network interface on the proxy and on the anti-malware/DLP system on a private network so that any data passed between the two systems is kept away from prying eyes. The requirement here of course is that you have spare network interfaces on your systems to use, to ensure this security.

When you don't have the option of a private network, Secure ICAP is a nice option to have. SSL encryption will always add a little overhead to the processing on your proxy and on your anti-malware or DLP system, so be sure to take this into account before turning on this feature on your systems and proxies.
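To make concrete what actually crosses the wire between proxy and scanner, here is an added example (not from the original post or any vendor's code) that builds an ICAP RESPMOD request in the RFC 3507 format, recovers its parts from the Encapsulated offsets as the scanner would, and shows that Secure ICAP is the same message with the socket wrapped in TLS. The service URL, scanner host, port and CA file are assumptions for illustration.

```python
import socket
import ssl
from urllib.parse import urlsplit

CRLF = b"\r\n"

def chunked(body: bytes) -> bytes:
    """ICAP sends encapsulated bodies with HTTP chunked encoding."""
    data = b"" if not body else b"%x" % len(body) + CRLF + body + CRLF
    return data + b"0" + CRLF + CRLF

def build_respmod(service: str, req_hdr: bytes, res_hdr: bytes, body: bytes) -> bytes:
    """RESPMOD request handing the origin response (headers + body), plus the
    client's request headers, to the scanner. Offsets in the Encapsulated
    header are byte positions within the encapsulated section."""
    req_hdr = req_hdr.rstrip(CRLF) + CRLF + CRLF
    res_hdr = res_hdr.rstrip(CRLF) + CRLF + CRLF
    offsets = "req-hdr=0, res-hdr=%d, res-body=%d" % (
        len(req_hdr), len(req_hdr) + len(res_hdr))
    head = "RESPMOD %s ICAP/1.0\r\nHost: %s\r\nEncapsulated: %s\r\n\r\n" % (
        service, urlsplit(service).netloc, offsets)
    return head.encode() + req_hdr + res_hdr + chunked(body)

def split_respmod(msg: bytes) -> dict:
    """Scanner-side view: use the Encapsulated offsets to recover each part."""
    head, encapsulated = msg.split(CRLF + CRLF, 1)
    parts = {}
    for line in head.split(CRLF)[1:]:           # skip the request line
        name, value = line.split(b":", 1)
        if name.strip().lower() == b"encapsulated":
            for item in value.decode().split(","):
                key, off = item.strip().split("=")
                parts[key] = int(off)
    req_hdr = encapsulated[parts["req-hdr"]:parts["res-hdr"]]
    res_hdr = encapsulated[parts["res-hdr"]:parts["res-body"]]
    size_line, rest = encapsulated[parts["res-body"]:].split(CRLF, 1)
    body = rest[:int(size_line, 16)]            # first (and only) chunk
    return {"req_hdr": req_hdr, "res_hdr": res_hdr, "body": body}

def secure_icap_socket(host: str, port: int, cafile: str) -> ssl.SSLSocket:
    """Secure ICAP = the same messages over TLS. Port and CA file are
    deployment-specific assumptions, not values from the original post."""
    ctx = ssl.create_default_context(cafile=cafile)   # verifies scanner cert
    return ctx.wrap_socket(socket.create_connection((host, port)),
                           server_hostname=host)
```

Anyone sniffing the open network sees the whole body in the plain variant; with the TLS wrapper they see only ciphertext, at the cost of the handshake and encryption overhead the post mentions.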

Monday, August 4, 2008

Direct to the Net

For smaller organizations, there's generally only one main link to the internet. A single proxy (or redundant proxies) solves the security needs of this organization nicely. But for larger organizations where there are remote offices, each of which may have its own direct-to-the-net connection, trying to control traffic may be a real challenge for the IT administrator.

While the corporate proxy controls the traffic to the internet at the main data center, it has no control over users at branch offices going directly to the internet over links that exist at the remote office. These "direct to the net" scenarios require a separate branch office proxy at each location that has its own connection to the Internet. For a large enough organization this can be a significant number of branch office proxies, which will need central management to ensure corporate policy is uniformly enforced across all proxies in the corporate network.

This "direct to the net" scenario is becoming increasingly common as internet links become a commodity. The savvy IT administrator will keep ahead of the game by making sure their corporate proxy is capable of scaling as the Internet link bandwidth increases, and scales in terms of numbers of supported branch office proxies in a centrally managed deployment.