Security Basics mailing list archives

Reply: RE: web browsing in production environment - a journey through comfort and security


From: info () hitcon de
Date: Thu, 9 Jul 2009 14:35:34 +0200

Besides that, what would happen in the worst case if we decide to set the group policy settings to default, which means that active content on untrusted websites is allowed?

I spoke to many other IT administrators, and nearly none of them have a strict policy like ours. They all have anti-virus gateways/proxies and that's it. But am I right that mostly none of the anti-virus proxies detect browser exploits? Could we rely for our security on such proxy servers instead of cutting off active content?

cheers




From:
Marc Rivero López <mriverolopez () gmail com>
To:
<info () hitcon de>, <security-basics () securityfocus com>
Date:
06.07.2009 22:03
Subject:
RE: web browsing in production environment - a journey through comfort and security



 
You have it very well staged, even though there are vulnerabilities in the structure. For example, a misconfigured LDAP server is susceptible to LDAP injection. And what about turning off the Group Policies? I would say no. You must have a security policy and stick to it. You must make clear to users that it is important. Also, if you are always the latest in terms of upgrades, I do not think you will have problems. Also look at any solution of the End Point Security type.

Marc Rivero López
http://www.seifreed.wordpress.com

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On behalf of info () hitcon de
Sent: Monday, 06 July 2009 13:45
To: security-basics () securityfocus com
Subject: web browsing in production environment - a journey through comfort and security



Dear list,

Actually, I am racking my brain about web browsing in a production environment, the risks, and the most comfortable way for users to browse the internet. There are several ways to get the most security, but it always conflicts with comfort. I would like to show our situation and explain where problems occur or users lose convenience.

Today we have an environment which is arranged as follows:

- a Windows 2003 domain
- a Citrix terminal server farm (6 servers, 120 employees)
- an Astaro firewall appliance (with web security - it uses its own proxy service (Astaro engineered) and anti-virus modules - Clam & Avira)
- a Squid proxy server (3.x) (it does authentication against Domino LDAP) with Trend Micro Web Security Suite and SquidGuard for some URL filtering (mainly porn) - the blacklists are updated once a day

* Web browsing is only possible via the users' Citrix sessions (no local access from the desktop or from anywhere else). Unfortunately we need to use Internet Explorer (7) because most of the sites which users reach work only with IE :-( (I already tried to migrate to Firefox without success.)

* We limit the active content of websites via Microsoft Group Policies. Only websites which are registered as trusted sites in Group Policy can show their active content (Java, ActiveX, JavaScript etc.).

* We have a chain of proxy servers (see the list of the environment).

So if a user starts Internet Explorer in their Citrix session, IE passes its way through the proxy servers:

1. checks if the website is a trusted site in Group Policy or not and starts active content or not

2. Squid proxy server (located in the demilitarised zone) -> authentication against LDAP (and logs all requests with username, IP, etc.)

3. SquidGuard checks if the website is on the blacklist

4. passes traffic to Trend Micro Web Security Suite (anti-virus engine for HTTP(S) and FTP)

5. passes the traffic to the Astaro (which is the parent proxy), which uses its own scanners (Clam and Avira)


The main problem for the employees with that procedure is the Group Policy configuration. Users want to surf the internet like they do at home (they don't know anything about browser exploits or other security risks), and the IT staff needs to make it as comfortable as possible and as secure as possible.....
Right now the employees need to get in touch with management to request that a site be set to trusted, and management gets in contact with the IT staff. OK, that's just half of the truth: we engineered a database in which the request for a trusted site can be filled in, and which gives all reviewed sites to the group policies, but only from allowed persons. But it sticks to this: the employees need to request a site....... The employees are peeved and always ask why the hell this is needed...

Another problem: if a website calls another domain (or IP address) in its code, the site is just half functional (because the other domain or IP isn't registered in trusted sites)..... some frames, etc. won't work (bling bling active, you know what I mean?).

All that causes the employees to feel blue and bug management as often as possible.

Questions:

- What would happen in the worst case if we turn off the group policies, set the Internet Explorer settings to default, and someone runs into a browser exploit?
- Are there different kinds of browser exploits to which we should be more attentive?
- I know most of the exploits try to implant viruses on the host; we have 3 anti-virus engines, how high could the impact be?
- The firewall is configured with restrictive egress filtering - a backdoor to the outside shouldn't be able to reach the internet. Are there tricks used (for example going through the proxy), and are the backdoors intelligent enough?
- How do you guys rate the situation (relating to turning off group policy)?
- How do you guys handle web browsing within the production network?
- I thought that anti-virus proxies handle viruses / virus code in HTTP/FTP traffic but never detect exploits; is that true?
- Do we increase the risk immoderately if we switch off group policies?
- Maybe there is an appliance for detecting malicious code in active content?

Sorry for that many questions and so much text, but it's a sensitive topic in which I guess a lot of people are interested..... I am thankful for any hint or thoughts from you on this.

cheers,

Maik


HITCON AG
Maik Linnemann
Gartenstraße 208
48143 Münster
+49 (251) 2801-205 (Phone)
+49 (251) 2801-280 (Fax)
+49 (170) 6364-205 (Mobil)
mailto:info () hitcon de
http://www.hitcon.de

Members of the Board: Helmut Holtstiege, Tobias Helling
Chairman of the Supervisory Board: Hans-Hermann Schumacher

Registered office: Münster
Register court: Amtsgericht Münster, HRB 5177

member of http://www.grouplink.de
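The original message says the Squid proxy (step 2) logs every request with username and IP, and one of the questions asks whether a backdoor could get out by going through the proxy despite egress filtering. As an added example, not code from the thread or from any of the products it names, here is a small Python script that reads Squid's native access.log format and flags user/client/host combinations whose requests recur at a near-constant interval, the kind of regular check-in a proxy-aware implant leaves behind in exactly the log the poster already keeps. The log lines, host names, user names and thresholds (five requests, coefficient of variation 0.1) are constructed for the example.

```python
"""Beacon-style periodicity check over Squid native access.log lines.

Squid's native log format is:
    timestamp elapsed client action/code size method URL user hierarchy/from type
The lines in SAMPLE_LOG, the hosts, users and the thresholds are constructed
for this example; they are not from the mailing-list thread.
"""
import statistics
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample: "maik" browses normally, "bob" POSTs to the same host
# every 60 seconds, which is the pattern we want to surface.
SAMPLE_LOG = """\
1247000000.100 45 10.1.2.3 TCP_MISS/200 1200 GET http://intranet.example/home maik DIRECT/10.0.0.5 text/html
1247000000.200 33 10.1.2.3 TCP_HIT/200 8000 GET http://intranet.example/logo.png maik NONE/- image/png
1247000005.000 120 10.1.2.4 TCP_MISS/200 512 POST http://203.0.113.10/gate.php bob DIRECT/203.0.113.10 text/plain
1247000065.010 118 10.1.2.4 TCP_MISS/200 512 POST http://203.0.113.10/gate.php bob DIRECT/203.0.113.10 text/plain
1247000125.020 121 10.1.2.4 TCP_MISS/200 512 POST http://203.0.113.10/gate.php bob DIRECT/203.0.113.10 text/plain
1247000185.030 119 10.1.2.4 TCP_MISS/200 512 POST http://203.0.113.10/gate.php bob DIRECT/203.0.113.10 text/plain
1247000245.000 120 10.1.2.4 TCP_MISS/200 512 POST http://203.0.113.10/gate.php bob DIRECT/203.0.113.10 text/plain
1247000300.000 50 10.1.2.3 TCP_MISS/200 3000 GET http://news.example/ maik DIRECT/10.0.0.6 text/html
1247000900.000 50 10.1.2.3 TCP_MISS/200 3100 GET http://news.example/a maik DIRECT/10.0.0.6 text/html
1247002500.000 50 10.1.2.3 TCP_MISS/200 3200 GET http://news.example/b maik DIRECT/10.0.0.6 text/html
1247002600.000 50 10.1.2.3 TCP_MISS/200 3200 GET http://news.example/c maik DIRECT/10.0.0.6 text/html
1247002700.000 50 10.1.2.3 TCP_MISS/200 3200 GET http://news.example/d maik DIRECT/10.0.0.6 text/html
"""


def parse_squid_line(line):
    """Split one native-format line into the fields we need, or None if malformed."""
    parts = line.split()
    if len(parts) < 10:
        return None
    method, url = parts[5], parts[6]
    if method == "CONNECT":
        # CONNECT lines carry host:port rather than a full URL.
        host = url.rsplit(":", 1)[0]
    else:
        host = urlsplit(url).hostname
    if not host:
        return None
    return {
        "ts": float(parts[0]),   # request time, seconds since the epoch
        "client": parts[2],      # client IP (here: the Citrix server)
        "method": method,
        "host": host,
        "user": parts[7],        # proxy-authenticated user, "-" if none
    }


def find_beacons(lines, min_requests=5, max_cv=0.1):
    """Return (user, client, host) series whose inter-request gaps are nearly constant.

    A series needs at least `min_requests` hits; it is reported when the
    coefficient of variation (stdev / mean) of the gaps is at most `max_cv`.
    """
    series = defaultdict(list)
    for line in lines:
        rec = parse_squid_line(line)
        if rec is not None:
            series[(rec["user"], rec["client"], rec["host"])].append(rec["ts"])

    hits = []
    for (user, client, host), stamps in series.items():
        if len(stamps) < min_requests:
            continue
        stamps.sort()
        gaps = [later - earlier for earlier, later in zip(stamps, stamps[1:])]
        mean_gap = statistics.mean(gaps)
        if mean_gap <= 0:
            continue
        cv = statistics.pstdev(gaps) / mean_gap
        if cv <= max_cv:
            hits.append({
                "user": user, "client": client, "host": host,
                "requests": len(stamps),
                "mean_interval": mean_gap, "cv": cv,
            })
    hits.sort(key=lambda h: h["cv"])
    return hits


if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_LOG.splitlines()):
        print("{user}@{client} -> {host}: {requests} requests, "
              "every {mean_interval:.1f}s (cv={cv:.4f})".format(**hit))
```

The check only works because step 2 records the authenticated user; without it the Citrix farm's shared client IPs would blur every user's traffic together. Real check-ins usually add jitter, so treat `max_cv` as a tuning knob and combine the result with the SquidGuard and anti-virus verdicts rather than acting on periodicity alone.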


------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL certificate. We look at how SSL works, how it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates.

http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
------------------------------------------------------------------------

