Welcome to the Proxy Update, your source of news and information on Proxies and their role in network security.

Tuesday, December 30, 2008

Back to Basics

It's been a while since we've discussed what a proxy is. This recent article (which I've linked above and here: http://www.itecharticles.com/what-is-a-proxy-server/) gives a nice overview of what a proxy is and what it does. It was a nice reminder for us to get back on the topic of the proxy.


What is a Proxy Server? (From iTechArticles.com)

by admin on December 27, 2008

A proxy server is a computer that services requests from its client computers by forwarding client requests to the outside servers and also acting as a gateway to any incoming data from an external server. Client computers will usually have to go through the proxy server while requesting a web page, a file or some other resource that is located on a remote server. The proxy will then connect to the specified server and act on behalf of the requesting client. Depending on security settings and other restrictions that have been put into place, the server may alter a request that has been made to a remote server. On the other hand it may also alter the response of the remote server, before forwarding it to the client. At other times it may need to contact the remote server in order to service a request. In such a case, the proxy will act as a cache server by storing previously accessed web pages and resources so that when they are requested later on, they can be retrieved much faster.

The most common types of proxy servers are gateways. A gateway is a type of proxy server that handles data coming across a number of platforms that are running on different protocols. Also called protocol converters, these gateways pass unmodified replies and requests between outside servers and clients and can be placed at various points on a local area network as well as across the internet. On the internet, gateways convert packets formatted in one protocol like TCP/IP to another format like AppleTalk before sending them to a client computer. Gateways can either be hardware or software. In most cases however, they are implemented by having software in a router.

In order for a proxy server to act as a gateway it must understand the protocols it is going to handle. Gateways will usually be network points that separate one network from another. Commonly referred to as nodes on the internet, a gateway node acts as the end-point of one network and the beginning of another. Gateways are commonly installed between networks in a company or by internet service providers to their clients. To improve security, gateways will also serve as firewall servers by having software installed on them. Most proxies will have 2 IP addresses, one that serves the local area network and the other serving the wide area network like the internet. When properly configured, these proxies ensure network security and efficiency is maintained.

Tuesday, December 23, 2008

Sophos: US is the number one malware host in 2008

In what may be a surprise to many in the U.S., Sophos reported that the U.S. is the number one malware host in 2008. I've linked an article on this report above, but the short details are that 37% of malware was hosted on sites in the U.S. this last year. It's not some third world country as we've come to expect in recent years.

As expected, Sophos predicts cybercrime will increase in 2009, so make sure adding security to your network is on your list of New Year's resolutions!

Monday, December 22, 2008

Kaspersky: Interview with a virus-hunter

Network World recently interviewed Eugene Kaspersky, the man behind Kaspersky Anti-Virus. I've shared the link to the article above. I don't think there are any surprises in his interview, but found the interview an interesting read anyway.

As expected, the key take-away is you can't be too careful.

Thursday, December 18, 2008

A Network Assessment

Do you know all the applications going through your network? How about just your proxy? You may think all traffic going through the proxy is innocuous, I mean really, it's just web traffic right? Probably not. Many applications tunnel over HTTP and while to your firewall and router it may all look like web traffic, it's probably a combination of web, P2P (file sharing), video streaming, chat and other traffic you may not find so desirable on your enterprise network.

If you suspect that your bandwidth bills are going up because of unwanted traffic, (or if your bandwidth usage bills are going up regardless of your suspicions), it may be time for a network assessment to figure out what traffic is going around your network and through your proxy.

What does a network assessment entail? Installing a device into your network to monitor the types of applications that are using up your network bandwidth. A classic device that does this is the PacketShaper, developed originally by Packeteer (and now part of the Blue Coat Systems family). A PacketShaper can sit inline in your network and classify traffic into over 600 categories, regardless of the port being used by the application.

Before your network usage keeps growing, maybe it's time to find out what's really going on in your network.
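As an added illustration (not part of the original post or any PacketShaper code), here is a small Python classifier that labels flows from their first payload bytes instead of trusting the destination port, which is the idea behind port-independent application classification. The sample flows, the ExampleChat User-Agent and the category labels are constructed for the example.

```python
import re
from collections import Counter

# Constructed sample flows (not real captures): (server_port, first payload bytes).
SAMPLE_FLOWS = [
    (80,   b"GET /index.html HTTP/1.1\r\nHost: www.example.test\r\n\r\n"),
    (80,   b"\x13BitTorrent protocol" + b"\x00" * 8 + b"\x01" * 20),
    (443,  b"\x16\x03\x01\x00\xc4\x01\x00\x00\xc0\x03\x03" + b"\x00" * 32),
    (80,   b"SSH-2.0-OpenSSH_5.1\r\n"),
    (8080, b"POST /gateway HTTP/1.1\r\nHost: chat.example.test\r\n"
           b"User-Agent: ExampleChat/1.0\r\n\r\n"),
]
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"CONNECT ", b"OPTIONS ")
# Hypothetical User-Agent substrings of applications that tunnel over HTTP.
TUNNELLED_APPS = {b"examplechat": "chat/tunnelled-over-http"}

def port_guess(port: int) -> str:
    """What a port-based firewall or router rule would call this flow."""
    return {80: "http/web", 443: "ssl/web"}.get(port, "unknown")

def classify(payload: bytes) -> str:
    """Label a flow from its first payload bytes, ignoring the port entirely."""
    if payload.startswith(b"\x13BitTorrent protocol"):
        return "p2p/bittorrent"                  # BitTorrent peer-wire handshake
    if payload.startswith(b"SSH-"):
        return "ssh"                             # SSH version banner
    if len(payload) >= 6 and payload[0] == 0x16 and payload[1] == 0x03 and payload[5] == 0x01:
        return "ssl/web"                         # TLS handshake record carrying a ClientHello
    if payload.startswith(HTTP_METHODS):
        m = re.search(rb"User-Agent: ([^\r\n]+)", payload)
        ua = m.group(1).lower() if m else b""
        for needle, label in TUNNELLED_APPS.items():
            if needle in ua:
                return label                     # an application riding over HTTP
        return "http/web"
    return "unknown"

def assess(flows):
    """Return per-application counts and the flows where port and payload disagree."""
    counts = Counter(classify(p) for _, p in flows)
    mismatches = [(port, port_guess(port), classify(p))
                  for port, p in flows if port_guess(port) != classify(p)]
    return counts, mismatches

if __name__ == "__main__":
    counts, mismatches = assess(SAMPLE_FLOWS)
    for label, n in sorted(counts.items()):
        print(f"{label:26s} {n}")
    for port, by_port, by_payload in mismatches:
        print(f"port {port}: port rule says {by_port}, payload says {by_payload}")
```

Three of the five constructed flows are mislabelled by the port rule alone, which is exactly the gap an assessment device is meant to expose.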

Wednesday, December 17, 2008

What's So Hard About SSL?

As the proxy administrator, it's possible you haven't thought about SSL at all, or maybe the opposite is true, and it keeps you up at night trying to figure out how to deal with SSL-encrypted web traffic. Either way, it's definitely something you should be worrying about, whether you have implemented a reverse proxy or a forward proxy.

The reverse proxy scenario is of course easier in that you're protecting a known set of websites. If some of them happen to be SSL encrypted your proxy should easily have a method to allow you to install SSL certificates for those websites, and give protected access to those trying to reach internal websites.

The forward proxy scenario is the more complicated one, and probably the one keeping you up at night. When you use a forward proxy to protect your end-users from threats they may be exposed to from external websites, it's easy to check downloads that come across the proxy in the clear: check the URLs and scan the content for viruses and malware.

The hard part is when your users are browsing encrypted sites. If your proxy is bypassing or tunneling encrypted sessions, then any malware that's hosted on those encrypted sites makes it to your network without any URL blocking or virus and malware scanning. The reverse proxy scenario discussed above where you load up the website's SSL certificate is unmanageable for a forward proxy, as the scope of possible websites is enormous (and no proxies would be able to support that many SSL certificates).

There are a couple of possible answers to this dilemma. The first obvious one is to block access to all SSL-encrypted sites. Obviously this doesn't work for everyone, especially organizations that use SaaS (Software as a Service) sites like salesforce.com, which depend on SSL for security. The next possibility is to block SSL only to well-known categories that you don't want on your network to begin with (possibly banking and shopping). This still leaves the question of SSL to the remaining sites. Here's where having a fully featured proxy is important. Any proxy worth its salt today will have the ability to intercept SSL traffic and inspect the contents of the encrypted session. How is that done? Typically the proxy generates its own SSL certificate for the destination site, signed by the proxy's own certificate authority rather than by the public CA (certifying authority) that signed the site's real certificate. This means of course you'll have to have your end-users trust the proxy's certificate, or pre-install that trust on systems as you stage them for end-users (otherwise end-users will get pop-ups warning them of insecure SSL sites). With that trust in place, the proxy can inspect SSL content by intercepting the session and applying policies like URL blocking, virus and malware scanning, and DLP (data leakage protection) inspection as well.

There is a problem here, and it's related to privacy. While intercepting SSL-encrypted sessions for SaaS sites that are company or enterprise related is fine, it's a touchier subject if you intercept a user's personal banking session, in which the user has entered a PIN or other password. If you do decide to intercept SSL, it's a good idea to block personal-use categories like banking or shopping (to prevent capturing personal data), or at least put up an acceptable use policy page that explains that SSL sessions are intercepted and that private transactions should not be done over the corporate/enterprise network (so any access an end-user does is at their own risk). Most proxies are capable of setting up a click-through page that explains acceptable use each session an end-user has to access the internet.
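As an added example (not code from the original post or from any proxy vendor), the decision a forward proxy has to make for every HTTPS CONNECT request before any inspection can happen: block, tunnel through untouched, or intercept, with the acceptable-use click-through shown once per session before the first intercepted connection. The hostnames and category database are constructed; the post suggests blocking personal categories outright, and the "tunnel" action for the shopping category is an assumed alternative for an administrator who would rather leave such sessions private than block them.

```python
import re

# Constructed URL-category database standing in for the proxy's real one.
CATEGORIES = {
    "na1.example-crm.test": "saas",
    "mail.example-bank.test": "banking",
    "www.example-shop.test": "shopping",
    "evil.example-malware.test": "malware",
}
# Action per category once SSL interception is switched on:
#   block     - refuse the CONNECT (content not wanted on the network at all)
#   tunnel    - pass the encrypted session through uninspected (privacy exemption, assumed here)
#   intercept - terminate SSL on the proxy, apply URL/AV/DLP policy, re-encrypt to the client
POLICY = {"malware": "block", "banking": "block", "shopping": "tunnel"}
DEFAULT_ACTION = "intercept"   # enterprise SaaS and uncategorized sites get inspected

CONNECT_RE = re.compile(r"^CONNECT ([A-Za-z0-9.-]+):(\d+) HTTP/1\.[01]\r\n")

def decide(request: str, aup_acknowledged: bool):
    """Return (host, category, action) for one CONNECT request; action is
    block, tunnel, intercept or aup (acceptable-use notice must be shown first)."""
    m = CONNECT_RE.match(request)
    if not m:
        return ("?", "?", "block")                # not a CONNECT: nothing to tunnel
    host = m.group(1).lower()
    category = CATEGORIES.get(host, "uncategorized")
    action = POLICY.get(category, DEFAULT_ACTION)
    if action == "intercept" and not aup_acknowledged:
        return (host, category, "aup")            # interception only after the click-through
    return (host, category, action)

def handle_session(requests):
    """Run one user's CONNECT requests through the policy; the AUP is accepted once per session."""
    acknowledged, results = False, []
    for req in requests:
        host, category, action = decide(req, acknowledged)
        if action == "aup":
            acknowledged = True                   # user clicks through the notice
            host, category, action = decide(req, acknowledged)
        results.append((host, action))
    return results

# Constructed CONNECT requests from one user session.
SAMPLE_REQUESTS = [
    "CONNECT na1.example-crm.test:443 HTTP/1.1\r\n\r\n",
    "CONNECT mail.example-bank.test:443 HTTP/1.1\r\n\r\n",
    "CONNECT www.example-shop.test:443 HTTP/1.1\r\n\r\n",
    "CONNECT evil.example-malware.test:443 HTTP/1.1\r\n\r\n",
    "CONNECT new.example.test:443 HTTP/1.1\r\n\r\n",
]
```

Calling handle_session(SAMPLE_REQUESTS) intercepts the SaaS and the unknown site, tunnels the shop, and blocks the bank and the malware host.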

There's of course one other possible scenario related to proxies and SSL, and that's when your proxy is also your WAN Optimization device. We'll tackle that one in a future blog post.

Tuesday, December 16, 2008

Cisco: Cyberattacks growing, looking more legit

Network World highlighted Cisco's Annual Security Report this week. From the article:

"Internet-based cyberattacks are becoming increasingly sophisticated and specialized as profit-driven criminals continue to hone their approach to stealing data from businesses, employees and consumers, according to a Cisco study released this week.

The 2008 edition of Cisco's Annual Security Report found that the overall number of disclosed vulnerabilities grew by 11.5% over 2007. Vulnerabilities in virtualization technology nearly tripled from 35 to 103 year over year, and attacks are becoming increasingly blended, cross-vector and targeted."

These new attacks make web security more important than ever. The report specifically calls out mobile users as a new risk vector to watch out for.

For the network and security administrator this means keeping on top of your proxy's security updates, and finding a mobile/remote security solution. A few proxy companies offer mobile clients that work on laptops to protect them when the user is away from the office and on an open network. Security for mobile users is going to be the key to whether or not your enterprise has to deal with the next big malware outbreak.

Monday, December 15, 2008

PacketShaper and Proxies Together

I found an interesting article on PacketShaper and Proxies working together this morning and thought I'd share it with everyone:

Source: PacketShaper and Proxies : together

Posted by Tech in Field on December 13, 2008

Are you wondering where you should put your Blue Coat [Packeteer] PacketShaper and your in-line proxy / cache in your network?

The PacketShaper should be as close to the router (or firewall) as possible. The proxy or cache (if it sits in-line) should sit on the LAN side of the PacketShaper.

INTERNET <-> ROUTER <-> FIREWALL <-> PACKETSHAPER <-> WEB CACHE/PROXY <-> LAN

Can the Shaper and Cache deployment be reversed? Yes, but you will be shaping requests made to the cache. There can be some advantages to this deployment if you are attempting to shape individual connections to the web.

I prefer the cache inside and to see all web connections originating from the proxy.

If your web cache/proxy [Blue Coat, Barracuda, Ironport, etc] supports WCCP v2, you can use your PacketShaper to hand off all port 80 requests to your web filter. In this setup, you usually do not need your web proxy in-line any more.

For this article I use the terms web cache, web proxy and web filter interchangeably — if you are using a good one it is all of those things.

Friday, December 12, 2008

Top 10 Coolest Hacking Moments in 2008

Network World's Jimmy Ray published the top 10 coolest hacking moments in 2008 today. The article is linked above, but here's some of the highlights:

D.N.S., Apple quietly recommends antivirus software for Macs, Drive-by attacks with Java, WPA cracked, Mac users get a dose of Windows hacks, Laptop Lojack!, and others make the list from Network World.

The one that struck this writer was of course the Drive-by attacks with Java. Mr. Ray goes on to say:

"JavaScript has been used to infect thousands of legitimate web pages to insert a trojan to visitors! Sound like a National Enquirer headline? No way! This attack method has been very successful and nearly transparent to users. This launches a new age in hacking."

This hack of course reiterates the need for web security. Every enterprise needs a secure web gateway in the form of a forward proxy supplying not only URL filtering, but antivirus filtering as well. Can your web security withstand a drive-by attack?

Wednesday, December 10, 2008

Firefox users targeted by rare piece of malware

Another drive-by (meaning the user gets infected just by visiting the website, no clicking or other user-initiated action is necessary to get infected) virus was detected recently targeting specifically users of Firefox.

Drive-by viruses are one of the key reasons we advocate the use of forward proxies in corporate environments to protect end-user PCs. Your forward proxy should block embedded URLs that point to malware and spyware sources. If your proxy can't recognize embedded URLs, you need to strongly consider upgrading to newer technology that does, as embedded URLs are the most common vector used today to spread viruses and malware via web pages.

In addition to blocking embedded URLs your proxy should also scan objects being downloaded from webpages for viruses using an effective anti-virus program. In today's malware ridden web environment, it pays to be safe.

Monday, December 8, 2008

New Facebook Virus

New threats from social networking sites emerge more frequently than ever, as indicated by the article linked above. With web pages hidden behind credentials, such as the virus above, it's even more important to make sure web pages are scanned for viruses in addition to any URL filtering your proxy may already use.

Wednesday, December 3, 2008

FBI warns of holiday cyber scams

Sure enough, as if in response to my post yesterday, Network World published an article talking about holiday cyber scams. From the article:

"With cyber Monday comes an FBI warning against spam containing malware and phishing attempts that appear to be greeting cards and ads for shopping bargains.

The goal is theft of money and personal information, according to Shawn Henry, the assistant director of the bureau’s cyber division.
E-mails attempt to lure victims to dummy e-commerce sites in hopes of gleaning credit card numbers and passwords, the FBI says. By mimicking legitimate sites, they lull unsuspecting shoppers into giving up the information as they make what they think are legitimate purchases."

Just another reminder to stay safe this holiday season.

Tuesday, December 2, 2008

Black Friday, Cyber Monday

With the holiday of Thanksgiving in the United States comes the inevitable day after, known as Black Friday, and the new phenomenon known as Cyber Monday afterwards. Both of these designated days refer of course to the pre-Christmas shopping splurge that occurs right after Thanksgiving.

While Black Friday has had notoriety for some time, Cyber Monday still remains relatively unknown, and may even morph into Cyber Friday or Cyber Week before it becomes truly established. Cyber Monday supposedly reflected when shoppers tired of brick and mortar shopping and turned to their computers the Monday after Black Friday to do their online shopping. According to eBay, shoppers have started their Cyber shopping even earlier than ever this year, starting the days before Thanksgiving when traffic on eBay was up significantly and remained high through Black Friday and Cyber Monday.

What does all of this have to do with the corporate or enterprise proxy? A large part of these purchases and online activity occurs from the corporate network. With the possibility of consumer dollars of course come the mischievous hackers going after personal identities, injecting malware and other undesirables onto the corporate network. Cyber Monday remains a good reminder that it's time to make sure we have a proxy installed for security, that the URL databases remain up to date, and that there's a real-time rating system to identify new sites that are a threat to enterprise security.