Welcome to the Proxy Update, your source of news and information on Proxies and their role in network security.

Thursday, October 29, 2009

Cyber Security Awareness

The Open Systems Journal web site is highlighting Cyber Security Awareness this month, and Day 25 of their efforts focused on security through port 80 and 443, the ones used for web traffic.

As they remind us:

Port 80 and 443 are ports generally associated with the Internet. Port 443/HTTPS is the HTTP protocol over TLS/SSL. Port 80/HTTP is the World Wide Web. Let’s face it, port 80/443 are generally a given for being open on any type of filtering device allowing traffic outbound on your network. If web servers are being hosted, connections will be allowed inbound to those web servers. They are also two ports that pose a significant threat(s) to your network.

One reason for such a threat, is the very fact that we just mentioned: everyone generally associates it with the Internet and web traffic and its usually open. Sadly, it doesn’t get watched that closely. I have heard the statement many times its just people surfing the web and we ignore it cause there is too much traffic. The sad reality is that more often than not, the threat will come from people on your network surfing the web. The rise in browser based attacks is staggering to say the least.

For those that do want to watch it close, that poses a challenge as well. How do you filter? What do you filter? How do you do analysis on the traffic? Let me pose a example to you. I looked at a piece of malware about three years ago that used base64 encoded html comments, on a very benign web page, to pass commands. How do you detect that? Some software automatically defaults to port 80 if the primary port is available.

The above two threats applies to port 80 and 443 traffic. Now, let’s just focus on 443 for a minute. It’s encrypted traffic which means you can’t read it. So what do you do? Unless you have a proxy on your network where you can inspect the traffic at that point or run a host based IDS etc., your other network tools are blind to what is there.


Any serious IT admin concerned about security, should already have the aforementioned proxy in their network. It provides a way to make sure only true http traffic is passed through these ports (you can choose to block anything that's not actually http). And even if you don't do this (you'd be surprised how many applications you break if you do), at least you'll have a record of all the traffic going through port 80 and 443, for later audits. But seriously consider controlling more of the traffic through port 80 and 443. The proxy will definitely help you do this.

No comments: