Welcome to the Proxy Update, your source of news and information on Proxies and their role in network security.

Thursday, April 30, 2009

Web Security - Desktop Tool

A recent blog post about the SPA Conference highlighted a tool that many IT administrators may find useful. It shows what happens when you visit a website: how much data actually passes between the site and your network, and how much data is retained between site visits.

Many IT administrators can probably discover this information themselves using their corporate proxy, but sometimes it's nice to be able to do this quickly and easily on their desktop. This tool sounds like it might just do the trick.

From the blog post:

[The] Paros proxy server with Firefox easily showed the web transactions when entering a simple URL (I won't disclose the URLs used in the demonstration, suffice to say that the sites were well-known). Using Paros, it is easy to see how much information is passed via cookies. Stopping cookies results in the same information being passed via URL (although this is more obvious since the data appears in some form in the address bar). In many cases the same data is passed to a number of websites regardless of whether the data is appropriate or useful to the receiving website.


For those of you interested, you can find more information on this tool at the Paros Proxy Server website. It's free of charge and written in Java. If you don't already use an enterprise web proxy for security, testing your site with Paros may jolt you into putting one in.
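The kind of check the quoted post describes can be automated once requests have been captured by an intercepting proxy. The sketch below is an added example, not code from the original post or from Paros; it assumes the capture has been reduced to URL and Cookie-header pairs, and every host name and value in it is constructed. It reports values that reach more than one site, whether they travel in a cookie or in the URL.

```python
from collections import defaultdict
from http.cookies import SimpleCookie
from urllib.parse import urlsplit, parse_qsl

# Constructed sample of proxy-captured requests (hosts and values are made up).
CAPTURED = [
    {"url": "http://shop.example/cart?item=42", "cookie": "uid=a1b2c3d4e5f6; lang=en"},
    {"url": "http://ads.example/pixel?uid=a1b2c3d4e5f6&ref=shop", "cookie": ""},
    {"url": "http://stats.example/hit?page=cart", "cookie": "visitor=a1b2c3d4e5f6"},
    {"url": "http://news.example/index?lang=en", "cookie": "session=zz99yy88xx77"},
]


def values_sent(request):
    """Yield (channel, name, value) for every cookie and query parameter."""
    cookies = SimpleCookie()
    cookies.load(request["cookie"])
    for name, morsel in cookies.items():
        yield "cookie", name, morsel.value
    for name, value in parse_qsl(urlsplit(request["url"]).query):
        yield "url", name, value


def shared_identifiers(requests, min_len=8):
    """Map each long value to where it was sent, if more than one host saw it."""
    seen = defaultdict(set)
    for request in requests:
        host = urlsplit(request["url"]).hostname
        for channel, name, value in values_sent(request):
            if len(value) >= min_len:  # skip short flags such as lang=en
                seen[value].add((host, channel, name))
    return {
        value: sorted(hits)
        for value, hits in seen.items()
        if len({host for host, _, _ in hits}) > 1
    }


if __name__ == "__main__":
    for value, hits in shared_identifiers(CAPTURED).items():
        print(value)
        for host, channel, name in hits:
            print(f"  {host:15} via {channel:6} as {name}")
```

The same value showing up under different parameter names on different hosts, as with `uid` and `visitor` here, is the pattern worth reviewing against your acceptable use and privacy policies.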

Tuesday, April 28, 2009

Cloud security guarantees?

Last week, Network World published an article on the type of security guarantees you can get from services in the cloud. Editor Tim Greene poses the question:

Cloud computing providers no doubt put forth a best effort to secure their infrastructure in order to protect their customers' data, but what kind of guarantees are there?

A widespread breach of customer data would cripple the reputation of a cloud provider and could set it up for legal action if the lost data had a financial impact on the customer or the customer’s customers.

...

It seems unlikely that cloud providers are ever going to offer service-level agreements against data loss or successful exploits because the task is just too impossible and the potential liabilities would be too enormous to take on.


And that's probably the main issue. Most enterprises are going to want an SLA, or a company that can be held accountable, if they use a cloud service and something goes wrong. So while cloud computing still has a lot of benefits that make it look attractive, there are still some serious issues that any enterprise will have to examine carefully before moving to a cloud model.

Friday, April 24, 2009

Acceptable Use Policy Reminder

Network World recently published an article about the recent hype over "March Madness" and the concern that streaming video from the event was going to overtake bandwidth on many corporate and enterprise networks. They titled the article "Streaming video - Much ado about very little?"

Network World had a quick solution to this problem, and it's a good reminder to all of us that there's a simple solution to Internet usage: the "Acceptable Use Policy". Having an acceptable use policy is a necessary first step to making sure end-users don't abuse privileges like access to the internet.

The second step is making that acceptable use policy visible to your end-users. Most proxies allow display of an "exception" page the first time an end-user tries to access the web. This page can show the acceptable use policy along with a click-through to get to the requested web page. In addition to having an exception page, it's probably also a good idea to send out a reminder to your end-users just before events like March Madness; it's a simple way to keep your end-users from using up all your bandwidth. Alternatively, of course, you can either just block access to streaming video, or use a more sophisticated proxy which has the capability of caching streaming video for you, also known as a CDN (content delivery network). Proxies like Blue Coat's ProxySG support this feature.

No matter which way you go, it's always nice to have a reminder that there's always a simple option to solve a problem.

Thursday, April 23, 2009

Boost your corporate security posture even if you don’t have any budget

It's no surprise to anyone right now that it's a tough economy out there. That translates to a tough economy for many IT budgets. With shrinking budgets, how does an IT administrator keep their network and applications secure? Network World tackled that topic this week with an article on boosting your corporate security even if you don't have the budget dollars to support it. How do they recommend you do this? Use the products you already have in your network. It's likely most companies aren't using products they own to their fullest potential. There are probably a lot of features you haven't played with on your existing network devices that may actually solve some of the problems you had originally planned on tackling.

Network World discussed some hidden security features in Cisco devices. But all devices probably have something of value you didn't know was already there. Web proxies are no exception. Blue Coat proxies, for example, are chock full of other features besides just web proxy capability. Were you planning a CDN project? Or an IM control project? How about a DLP project? The Blue Coat proxy already in your network might be able to get you all the way there, or at least part of the way there, towards solving another one of your security issues.

Wednesday, April 22, 2009

Can a cloud be more secure than a corporate data center?

We've talked on this blog recently about the move to cloud computing and some of the concerns around cloud computing, including security. Network World reported this week that the Jericho Forum believes that using a cloud can actually be more secure than running applications and databases out of corporate data centers.

The Jericho Forum has detailed definitions of what it means by cloud computing.
There are three scales by which it defines clouds: internal or external; proprietary or open; and with a security perimeter or not.

So it's not really an open and shut case of clouds being less or more secure. The real answer? It depends.

From Network World:

He says the safety of cloud computing has yet to be proven and likely requires work to reach acceptable levels. That will mean developing a secure architecture around which cloud computing infrastructure is built. One core building block will be creating data objects that include a definition of what type of security zone the data must stay.


So while the headline was provocative, it just goes to show there's still a lot to worry about with cloud computing. And security is just one aspect to consider when moving to a cloud architecture.

Tuesday, April 21, 2009

US Mulls Tougher Penalties For Criminal Use Of Proxy Servers

Many IT administrators already know that our end-users attempt to use anonymous proxy servers to bypass the organization's proxy web gateway. They do it either to hide their activities or to get around the organization's use policies on what's acceptable to visit on the web.

Now, there's even more incentive for IT administrators to make sure their end-users aren't using anonymous proxies to surf the web. Whether knowingly or unknowingly, if an end-user uses an anonymous proxy to commit a crime, they could find themselves behind bars for a longer time period.

From redorbit.com:

The U.S. Sentencing Commission is set to hold a crucial vote on Wednesday regarding new federal sentencing guidelines that would classify the use of proxy servers as an indication of “sophistication.” Those facing such charges would face prison sentences about 25 percent longer than those called for under current sentencing guidelines. Depending on the crime, convicted criminals now face years or even decades longer behind bars,


Digital rights advocates are against these longer convictions, claiming "new guidelines might lead to unreasonably harsh sentences for technology neophytes who were unaware they were using proxies, or were merely engaging in a practice often encouraged as a safer way of surfing the Web".

If the commission votes in favor of the amendment, the change would go into effect Nov. 1 unless Congress takes the exceptional step of blocking it before then.

One other important item redorbit.com noted:

Criminals often use legitimate proxies that are misconfigured. Universities, corporations and home users who own such proxies are often unaware their bandwidth is being sucked up by cybercriminals trying to cover up their tracks.


These are two good reminders to make sure our proxy servers block access to anonymous proxies, and to make sure our proxies are configured correctly.

Monday, April 20, 2009

RSA Conference kicks off on somber note

This week is the start of the RSA 2009 Conference in San Francisco. It's notable as one of the premier security tradeshows in the industry. Network World published an article today, stating it will feel smaller this year than in years past due to the current economy. As they state:

One telling sign of the times: RSA Conference is extending free passes worth more than $2,000 to 25 individuals described as "victims of corporate downsizing … who lost their jobs due to the economic environment."


If you're in the area, and you're interested in security, it's worth a visit to see the latest products. The show runs through Thursday at the Moscone Center in San Francisco.

Saturday, April 11, 2009

McAfee slaps brand on Secure Computing products

For those of you keeping up on the acquisition news, McAfee's recent purchase of Secure Computing has finally moved down to the product lines. Some Secure partners were sent notice of it this past week, and informed of the changes in naming of the Secure products. SearchITChannel blogged about these changes:

So, say goodbye to IronMail and hello to McAfee Email Gateway.

So long Webwasher; hey to McAfee Web Gateway.

Sayonara to Sidewinder and howdy to McAfee Firewall Enterprise.

...

Securify morphs into McAfee User Behavior Analysis. SnapGear is now McAfee UTM Firewall. Secure Web SmartFilter is now just McAfee SmartFilter.


SearchITChannel's writer seemed a little concerned that something was being lost in the renaming, and the new names do seem to lose Secure's identity. But maybe that's the point, as they're now McAfee.

Friday, April 10, 2009

Web Filter Appliance Adds Feature To Protect Against Proxy Abuse

School Guardian, an SME and education focused Web filter appliance, announced they have added a feature to help prevent proxy abuse, a significant problem in the K-12 market. We've talked about the use of anonymous proxies in previous posts here, and some of the solutions around it using features like real time rating of new websites/proxies. From The Journal:

School Guardian, in its latest version offers a feature known as SSL Interception, which helps to prevent students from using anonymous proxies such as Ultrasurf and Vtunnel.

These sites allow users to engage in online activities "anonymously," so that sites they visit and Web filters that monitor their activity will not know the Web address where the activity originates.

The current standard for blocking access to such sites is to use "SSL certificate checking," which confirms the validity of a site's electronic certificate. However, advances in Web security technology have sparked corresponding advances in methods to undermine such technology, and today site content can be encrypted against filters, and obtaining an electronic certificate is easier than ever.


While SSL Interception has long been a feature of Enterprise proxies, this is a nice enhancement for the K-12 market.

Thursday, April 9, 2009

The consequences of inadequate cloud security

We've talked about the move towards cloud computing in past blog articles, including concerns about lack of control of outages, and to a certain degree concerns around security. Network World brought up the security problem again this week in an article by Tim Greene. He accepts the premise that cloud computing can be beneficial to an organization's bottom line, but he states:

The downside is that businesses choosing to use cloud computing give up direct control of those corporate assets running in the cloud. Data and applications accessed through the cloud is in the cloud, not in a privately held corporate data center where the owner controls everything from the physical security to authentication and authorization to intrusion prevention to firewalling to virus protection.

The consequences of inadequate cloud security are great. The loss of corporate intellectual property is near the top of the list as is loss of corporate reputation should a breach result in public admission that sensitive personal data has been stolen.

For their part, cloud computing providers are aware of the risks and are making efforts to embrace security in a way that reassures their customers. Exactly what the standard should be for those efforts is evolving. So there is a lot to consider when developing strategies for how to use cloud computing and how to use it safely.


The question of whether to move to the cloud remains a tough one for IT administrators. Each will have to balance their needs for reduced costs with the amount of security and control they want to have.

Wednesday, April 8, 2009

How the Internet Got Its Rules

I came across this piece in the Op Ed section of the New York Times on the 40th anniversary of RFCs (Request for Comment). It's a delightful piece, authored by one of the early pioneers and a contributor to RFC 1. This intro should whet your appetite and convince you to read on by clicking the linked article from the title above.

When the R.F.C.’s were born, there wasn’t a World Wide Web. Even by the end of 1969, there was just a rudimentary network linking four computers at four research centers: the University of California, Los Angeles; the Stanford Research Institute; the University of California, Santa Barbara; and the University of Utah in Salt Lake City. The government financed the network and the hundred or fewer computer scientists who used it. It was such a small community that we all got to know one another.

Tuesday, April 7, 2009

Websense Launches New Appliance

Websense, a well-known vendor in the web filtering space, announced their first appliance this week, the V10000. Websense's URL filtering database has been available on a number of proxy servers, including Blue Coat's ProxySG, as well as in a standalone software package available for Windows and Unix platforms.

Some insight on why Websense chose to go the appliance route from Channel Insider:

Websense, which recently completed a rebranding of the company, is trying to turn perceptions that it’s simply a Web filtering company that denies access to gross amounts of content and Websites to a technology provider that protects users without totally impeding Web access. The V10000 moves the company in that direction by providing security that strips or blocks malicious content from popular social networking sites—such as Facebook or Twitter—without impeding access or functionality.

The appliance, powered by two quad-core Intel Xeon processors and 16GB of DDR2 memory, sits at the gateway and provides application-layer inspection of all Web, peer-to-peer and instant messaging traffic. The appliance provides integrated Web proxy and cache management, giving users the ability to monitor and inspect SSL-encrypted traffic. Appliance management is through a Web-based console that enables granular policy configuration and compliance reporting.


The question here is whether Websense is too late to the game with a market that already has plenty of appliances, even ones that already run Websense software. IT departments are always wary of a new product, so Websense's ability to succeed in a new market remains to be seen.

Thursday, April 2, 2009

Short-lived Web malware: Fading fad or future trend?

Security software vendor AVG Technologies announced that Web-based malware attacks are now so prevalent that attackers craft them to be "secretive, short-lived and fast-moving." This trend became more obvious this week with the Conficker virus, which tried to access domains that did not even exist, causing domain registrars to scramble to block registrations of 50,000+ domains. Using a more sophisticated Web delivery mechanism that is short-lived helps to reduce the likelihood of attackers getting caught by antivirus signatures or heuristic checks.

From Tech Target's article on the same topic:

One of the best ways to counter newly created sites containing malware is to use some sort of proxy or Web filter that denies new sites not yet scanned and classified under a certain category (i.e. business, investing, news, social networking, etc.). While this strategy will help prevent new websites from compromising systems, it doesn't do anything for compromised legitimate sites allowed by default. For those sites, the best option is to ensure the enterprise security products in place are configured to combat the entire Web threat landscape, namely via real-time analysis of sites prior to serving them to users.


We couldn't have said it better ourselves. Make sure you use a proxy and a web filter, make sure your anti-virus is up to date, and use some type of real-time rating system or block unknown categories!

Wednesday, April 1, 2009

15 Foolish High Tech Stories

Network World chose to honor April Fools Day with a story around 15 "foolish" stories that have occurred over the last year. Some interesting tidbits include the rise of fake security programs, going from 2,500 to close to 10,000 this year, and the rise in online scams that take advantage of the government's stimulus program.

Both of these are good reminders to keep an eye on corporate security and an eye on what your end-users are downloading from the internet into the corporate network. The secure web gateway remains the best defense against malicious intent.