Security Basics mailing list archives
Antwort: Re: web browsing in production environment - a journey through comfort and security
From: info () hitcon de
Date: Tue, 7 Jul 2009 15:10:36 +0200
fortunately it is someone else's corporate network (whoever and wherever) and besides there's nothing special in here.....

From: Robin Wood <dninja () gmail com>
To: info () hitcon de
Cc: security-basics () securityfocus com
Date: 06.07.2009 21:50
Subject: Re: web browsing in production environment - a journey through comfort and security

2009/7/6 <info () hitcon de>:
> today we have an environment which is arranged as follows:
>
> - a windows 2003 domain
> - a citrix terminal server farm ( 6 servers, 120 employees )
> - an astaro firewall appliance ( with web security - it uses its own proxy service (astaro engineered) and anti virus modules - clam & avira )
> - a squid proxy server (3.x) (it does authentication against domino ldap) with trend micro web security suite and squidguard for some url filtering (mainly pron) - the blacklists are updated once a day
>
> * web browsing is only possible via the citrix sessions of the users ( no local access from desktop or from somewhere else). unfortunately we need to use internet explorer (7) because most of the sites, which users reach work only with IE :-( ( i already tried to migrate firefox without success )
> * we limit the active content of websites via microsoft group policies. only websites which are registered as trusted sites in group policies can show its active content ( java, active x, javascript etc)
> * we have a chain of proxy servers. (see list of environment). so if a user starts its internet explorer in its citrix session, the IE passes its way through the proxy servers:
>
> 1. checks if the website is a trusted site in group policy or not and starts active content or not
> 2. squid proxy server (located in demilitarised zone) -> authentication against LDAP (and logs all requests with username, ip, etc.)
> 3. Checks SquidGuard if website is on blacklist
> 4. passes traffic to trend micro web security suite ( anti virus engine for http(s) and ftp )
> 5. passes the traffic to the astaro (which is the parent proxy) which uses its own scanners (clam and avira)
I don't know an answer to your question but I would suggest that putting out this much information about your corporate network is not a good idea.

Robin

------------------------------------------------------------------------
HITCON AG
Maik Linnemann
Gartenstraße 208
48143 Münster
+49 (251) 2801-205 (Phone)
+49 (251) 2801-280 (Fax)
+49 (170) 6364-205 (Mobile)
mailto:info () hitcon de
http://www.hitcon.de

Members of the Executive Board: Helmut Holtstiege, Tobias Helling
Chairman of the Supervisory Board: Hans-Hermann Schumacher
Registered office: Münster
Court of registration: Amtsgericht Münster, HRB 5177
member of http://www.grouplink.de
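Steps 2, 3 and 5 of the proxy chain quoted in this message, sketched as a squid.conf fragment for Squid 3.0. This is an added example, not configuration from the poster's network: host names, the subnet, ports, file paths, the LDAP base DN and the search filter are constructed placeholders, and the parent peer stands for whichever scanning proxy comes next in the chain.

```conf
# Added example, not the poster's configuration.
# All hosts, ports, paths, subnets and LDAP values below are placeholders.

# Step 2: authenticate every user against the directory (Domino LDAP in the post).
# squid_ldap_auth is the Squid 3.0 helper name; its install path varies by distribution.
auth_param basic program /usr/lib/squid3/squid_ldap_auth -v 3 -h ldap.example.internal -b "o=Example" -f "(uid=%s)"
auth_param basic children 10
auth_param basic realm Web proxy
auth_param basic credentialsttl 1 hours

# Constructed subnet standing for the Citrix terminal servers.
acl citrix_farm src 10.0.10.0/24
acl authenticated proxy_auth REQUIRED

# Browsing is only possible from the terminal server farm, and only
# after a successful LDAP login. Everything else is refused.
http_access deny !citrix_farm
http_access allow authenticated
http_access deny all

# Step 2, logging: the built-in "squid" log format records the client IP
# and the authenticated user name for each request.
access_log /var/log/squid3/access.log squid

# Step 3: every URL is checked by squidGuard against its blacklists.
url_rewrite_program /usr/bin/squidGuard -c /etc/squid3/squidGuard.conf
url_rewrite_children 10

# Steps 4-5: forward all requests to the next scanning proxy in the chain.
cache_peer scanner.example.internal parent 8080 0 no-query default

# Fail closed: if the parent is unreachable, Squid must not fetch the
# page itself, otherwise traffic would skip the anti-virus scanners.
never_direct allow all
```

Without `never_direct allow all`, an outage of the parent proxy lets Squid fetch content directly and the downstream scanning in the chain is silently bypassed.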
Current thread:
- web browsing in production environment - a journey through comfort and security info (Jul 06)
- Re: web browsing in production environment - a journey through comfort and security Robin Wood (Jul 06)
- Antwort: Re: web browsing in production environment - a journey through comfort and security info (Jul 07)
- RE: web browsing in production environment - a journey through comfort and security Marc Rivero López (Jul 06)
- <Possible follow-ups>
- Re: web browsing in production environment - a journey through comfort and security stcroix111 (Jul 13)
- Re: web browsing in production environment - a journey through comfort and security evilwon12 (Jul 13)
- Re: web browsing in production environment - a journey through comfort and security Robin Wood (Jul 06)