Security Basics mailing list archives
Antwort: RE: web browsing in production environment - a journey through comfort and security
From: info () hitcon de
Date: Thu, 9 Jul 2009 14:35:34 +0200
besides that, what would happen in worst case if we decide to set group policy settings to default, which means that active content in untrusted websites is allowed?

i spoke to many other it administrative persons, and nearly none of them have a strict policy like us. they all got anti virus gateways/proxies and that's it. but am i right that mostly none of the anti virus proxies detect browser exploits? could we rely our security on such proxy servers instead of cutting off active content?

cheers

From: Marc Rivero López <mriverolopez () gmail com>
To: <info () hitcon de>, <security-basics () securityfocus com>
Date: 06.07.2009 22:03
Subject: RE: web browsing in production environment - a journey through comfort and security

You have it very well staged. Even though there are vulnerabilities in the structure. For example, a misconfigured LDAP server is susceptible to LDAP injection.

And as for turning off the Group Policies, I would say no. You must have a security policy and stick to it. You must make clear to users that it is important.

Also, if you're always the last in terms of upgrades, I do not think you have problems. Also look at any solution of type End Point Security.

Marc Rivero López
http://www.seifreed.wordpress.com

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On behalf of info () hitcon de
Sent: Monday, 06 July 2009 13:45
To: security-basics () securityfocus com
Subject: web browsing in production environment - a journey through comfort and security

dear list,

actually i rack my brain about web browsing in a productive environment and the risks and the most comfortable way for users to browse the internet. there are several ways to get most security but it always faces the comfort. i would like to show up our situation and explain where problems occur or users lose convenience.
today we have an environment which is arranged as follows:

- a windows 2003 domain
- a citrix terminal server farm ( 6 servers, 120 employees )
- an astaro firewall appliance ( with web security - it uses its own proxy service (astaro engineered) and anti virus modules - clam & avira )
- a squid proxy server (3.x) (it does authentication against domino ldap) with trend micro web security suite and squidguard for some url filtering (mainly pron) - the blacklists are updated once a day

* web browsing is only possible via the citrix sessions of the users ( no local access from desktop or from somewhere else). unfortunately we need to use internet explorer (7) because most of the sites which users reach work only with IE :-( ( i already tried to migrate to firefox without success )
* we limit the active content of websites via microsoft group policies. only websites which are registered as trusted sites in group policies can show their active content ( java, active x, javascript etc)
* we have a chain of proxy servers (see list of environment).

so if a user starts internet explorer in their citrix session, the IE passes its way through the proxy servers:

1. checks if the website is a trusted site in group policy or not and starts active content or not
2. squid proxy server (located in demilitarised zone) -> authentication against LDAP (and logs all requests with username, ip, etc.)
3. checks SquidGuard if website is on blacklist
4. passes traffic to trend micro web security suite ( anti virus engine for http(s) and ftp )
5. passes the traffic to the astaro (which is the parent proxy) which uses its own scanners (clam and avira)

the main problem for the employees with that procedure is the group policy configuration. users want to ( they don't know anything about browser exploits or other security risks ) surf the internet like they are at home, and the it staff needs to make it as comfortable as possible and as secure as possible.....
right now the employees need to get in touch with the management to request a site to be set to trusted, and the management gets in contact with the it staff. ok, it's just half of the truth: we engineered a database in which the request for a trusted site can be filled in and which gives all reviewed sites to the group policies, but just from allowed persons. but it sticks to it, the employees need to request a site.......the employees are peeved and always ask why the hell this is needed...

another problem: if a website calls another domain (or ip address) in its code, the site is just half functional (because the other domain or ip isn't registered in trusted sites).....some frames, etc. won't work (bling bling active, you know what i mean?)

all that causes the employees to feel blue and to bug the management as often as possible.

questions:

- what would happen in worst case, if we turn off the group policies and set the internet explorer settings to default and someone runs into a browser exploit?
- are there different kinds of browser exploits on which we should be more attentive?
- i know most of the exploits try to implant viruses on the host, we have 3 anti virus engines, how high could be the impact?
- the firewall is configured with restrictive egress filtering - a backdoor to the outside shouldn't be able to reach the internet. are there tricks used ( for example go through the proxy ) and are the backdoors intelligent enough?
- how do you guys rate the situation ( relating to turning off group policy )?
- how do you guys handle web browsing within the productive network?
- i thought that anti virus proxies handle viruses / virus code in http/ftp traffic but never detect exploits, is that true?
- do we increase the risk management immoderate if we switch off group policies?
- maybe there is an appliance for detecting malicious code in active content?
sorry for that many questions and text, but it's a sensitive theme in which i guess a lot of persons are interested.....i am thankful for any hint or thoughts from you belonging to this.

cheers,
Maik

HITCON AG
Maik Linnemann
Gartenstraße 208
48143 Münster
+49 (251) 2801-205 (Phone)
+49 (251) 2801-280 (Fax)
+49 (170) 6364-205 (Mobile)
mailto:info () hitcon de
http://www.hitcon.de
Members of the Executive Board: Helmut Holtstiege, Tobias Helling
Chairman of the Supervisory Board: Hans-Hermann Schumacher
Registered office: Münster
Register court: Amtsgericht Münster, HRB 5177
member of http://www.grouplink.de
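The original post notes that a trusted site is only half functional when it pulls content from a domain or IP that is not itself on the trusted list. As an added example (not part of the thread), the sketch below audits proxy logs for exactly those dependencies so that a reviewer sees them before approving a site. It assumes Squid's native access.log fields with a quoted Referer appended through a custom logformat (`%{Referer}>h`), and that a listed domain also covers its subdomains; the log lines, user names and the trusted list are constructed.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample: Squid native access.log fields plus a quoted Referer.
# Assumption: a custom logformat appends "%{Referer}>h" to each entry.
SAMPLE_LOG = """\
1247142934.101 120 10.1.1.21 TCP_MISS/200 5120 GET http://portal.example.com/ user01 DIRECT/192.0.2.10 text/html "-"
1247142934.350 80 10.1.1.21 TCP_MISS/200 900 GET http://widgets.example.net/frame.js user01 DIRECT/192.0.2.20 application/x-javascript "http://portal.example.com/"
1247142934.410 40 10.1.1.21 TCP_HIT/200 700 GET http://static.example.com/logo.png user01 NONE/- image/png "http://portal.example.com/"
1247142990.007 95 10.1.1.22 TCP_MISS/200 4100 GET http://198.51.100.7/menu.swf user02 DIRECT/198.51.100.7 application/x-shockwave-flash "http://portal.example.com/start"
1247142991.220 60 10.1.1.22 TCP_MISS/200 900 GET http://widgets.example.net/frame.js user02 DIRECT/192.0.2.20 application/x-javascript "http://portal.example.com/start"
1247143000.500 70 10.1.1.22 TCP_MISS/200 300 GET http://ads.example.org/x.js user02 DIRECT/192.0.2.30 application/x-javascript "http://news.example.org/"
this line is truncated
"""

TRUSTED = {"example.com"}  # constructed stand-in for the reviewed trusted-sites list


def host_of(url):
    """Return the lowercase host of a URL, or of a bare host:port (CONNECT)."""
    if "://" not in url:
        url = "//" + url
    return (urlsplit(url).hostname or "").lower()


def is_trusted(host, trusted):
    """True for a listed domain or any subdomain of it (whole-label match)."""
    return any(host == d or host.endswith("." + d) for d in trusted)


def untrusted_dependencies(log_text, trusted):
    """Map trusted referring host -> {untrusted requested host: [users]}."""
    deps = defaultdict(lambda: defaultdict(set))
    for line in log_text.splitlines():
        head, sep, tail = line.partition(' "')
        fields = head.split()
        if not sep or len(fields) < 10:
            continue  # skip truncated or malformed entries
        source, target = host_of(tail.rstrip('"')), host_of(fields[6])
        if is_trusted(source, trusted) and target and not is_trusted(target, trusted):
            deps[source][target].add(fields[7])
    return {s: {t: sorted(u) for t, u in d.items()} for s, d in deps.items()}


if __name__ == "__main__":
    for site, hosts in untrusted_dependencies(SAMPLE_LOG, TRUSTED).items():
        for host, users in hosts.items():
            print(f"{site} pulls content from {host} (seen for {', '.join(users)})")
```

Requests made over HTTPS appear to the proxy only as CONNECT entries without a Referer, so this audit covers plain HTTP dependencies only.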
Current thread:
- web browsing in production environment - a journey through comfort and security info (Jul 06)
- Re: web browsing in production environment - a journey through comfort and security Robin Wood (Jul 06)
- RE: web browsing in production environment - a journey through comfort and security Marc Rivero López (Jul 06)
- Antwort: RE: web browsing in production environment - a journey through comfort and security info (Jul 09)
- Re: RE: web browsing in production environment - a journey through comfort and security Jeremy Bennett (Jul 13)
- Antwort: RE: web browsing in production environment - a journey through comfort and security info (Jul 09)
- <Possible follow-ups>
- Re: web browsing in production environment - a journey through comfort and security stcroix111 (Jul 13)
- Re: web browsing in production environment - a journey through comfort and security evilwon12 (Jul 13)