Security Basics mailing list archives

web browsing in production environment - a journey through comfort and security


From: info () hitcon de
Date: Mon, 6 Jul 2009 13:44:34 +0200



Dear list,

Actually, I am racking my brain about web browsing in a production environment:
the risks, and the most comfortable way for users to browse the internet.
There are several ways to get the most security, but it always conflicts with
comfort.
I would like to present our situation and explain where problems occur or
users lose convenience.

Today we have an environment which is arranged as follows:

- a Windows 2003 domain
- a Citrix terminal server farm (6 servers, 120 employees)
- an Astaro firewall appliance (with web security; it uses its own proxy
service (Astaro engineered) and anti-virus modules: Clam & Avira)
- a Squid proxy server (3.x) (it does authentication against Domino LDAP)
with Trend Micro Web Security Suite and SquidGuard for some URL filtering
(mainly pron); the blacklists are updated once a day

* Web browsing is only possible via the Citrix sessions of the users (no
local access from the desktop or from anywhere else). Unfortunately we need to
use Internet Explorer (7) because most of the sites which users reach work
only with IE :-(
(I already tried to migrate to Firefox, without success.)

* We limit the active content of websites via Microsoft group policies.
Only websites which are registered as trusted sites in group policies can
show their active content (Java, ActiveX, JavaScript etc.).

* We have a chain of proxy servers (see the list of the environment).

So if a user starts Internet Explorer in their Citrix session, IE
passes its way through the proxy servers:

1. checks if the website is a trusted site in group policy or not and
starts active content or not

2. Squid proxy server (located in the demilitarised zone) -> authentication
against LDAP (and logs all requests with username, IP, etc.)

3. SquidGuard checks if the website is on the blacklist

4. passes traffic to Trend Micro Web Security Suite (anti-virus engine for
HTTP(S) and FTP)

5. passes the traffic to the Astaro (which is the parent proxy), which uses
its own scanners (Clam and Avira)


The main problem for the employees with that procedure is the group policy
configuration. Users want to surf the internet like they are at home (they
don't know anything about browser exploits or other security risks), and the
IT staff needs to make it as comfortable as possible and as secure as
possible...
Right now the employees need to get in touch with the management to request
a site to be set to trusted, and the management gets in contact with the IT
staff. OK, it's just half of the truth: we engineered a database in which
the request for a trusted site can be filled in and which gives all reviewed
sites to the group policies, but only from allowed persons; but it
sticks to it, the employees need to request a site... The employees are
peeved and always ask why the hell this is needed...

Another problem: if a website calls another domain (or IP address) in its
code, the site is just half functional (because the other domain or IP isn't
registered in trusted sites)... some frames, etc. won't work (bling bling
active, you know what I mean?).

All that causes the employees to feel blue and to bug the management as
often as possible.

Questions:

- What would happen in the worst case if we turn off the group policies, set
the Internet Explorer settings to default, and someone runs into a browser
exploit?
- Are there different kinds of browser exploits on which we should be more
attentive?
- I know most of the exploits try to implant viruses on the host; we have 3
anti-virus engines, how high could the impact be?
- The firewall is configured with restrictive egress filtering; a backdoor
to the outside shouldn't be able to reach the internet. Are there tricks
used (for example going through the proxy), and are the backdoors intelligent
enough?
- How do you guys rate the situation (relating to turning off group policy)?
- How do you guys handle web browsing within the production network?
- I thought that anti-virus proxies handle viruses / virus code in HTTP/FTP
traffic but never detect exploits; is that true?
- Do we increase the risk immoderately if we switch off group policies?
- Maybe there is an appliance for detecting malicious code in active
content?

Sorry for that many questions and so much text, but it's a sensitive topic in
which I guess a lot of people are interested... I am thankful for any hint or
thoughts from you on this.

cheers,

Maik


HITCON AG
Maik Linnemann
Gartenstraße 208
48143 Münster
+49 (251) 2801-205 (Phone)
+49 (251) 2801-280 (Fax)
+49 (170) 6364-205 (Mobile)
mailto:info () hitcon de
http://www.hitcon.de

Members of the board of management: Helmut Holtstiege, Tobias Helling
Chairman of the supervisory board: Hans-Hermann Schumacher

Registered office: Münster
Register court: Amtsgericht Münster, HRB 5177

member of http://www.grouplink.de
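Added example, not part of the original post: the egress-filtering and "go through the proxy" questions above can be worked from the Squid logs the post says already record username and IP. The script below parses constructed Squid native access.log lines (hosts, users and addresses are made up; 203.0.113.7 is a documentation address) and flags three things a proxy administrator can look for without any extra appliance: CONNECT tunnels to ports other than 443, destinations given as raw IP addresses, and one client hitting one host at a near-constant interval.

```python
import re
import statistics
from collections import defaultdict
from urllib.parse import urlsplit

# Squid native access.log layout, one request per line:
# time elapsed client action/code size method url user hierarchy/peer content-type
FIELDS = ["ts", "elapsed", "client", "action", "size", "method", "url", "user", "hier", "ctype"]
IPV4 = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")
# Constructed sample, not real traffic: 10.1.2.x stand in for Citrix servers, "maik" for an
# LDAP-authenticated user, 203.0.113.7 is a documentation address.
SAMPLE_LOG = """\
1246881874.001 120 10.1.2.3 TCP_MISS/200 5120 GET http://www.example.com/index.html maik DEFAULT_PARENT/192.0.2.10 text/html
1246881875.002 80 10.1.2.3 TCP_MISS/200 812 GET http://cdn.example.net/lib.js maik DEFAULT_PARENT/192.0.2.10 application/x-javascript
1246882000.004 300 10.1.2.4 TCP_MISS/200 640 CONNECT 203.0.113.7:8443 maik DEFAULT_PARENT/192.0.2.10 -
1246882060.005 290 10.1.2.4 TCP_MISS/200 640 CONNECT 203.0.113.7:8443 maik DEFAULT_PARENT/192.0.2.10 -
1246882120.006 310 10.1.2.4 TCP_MISS/200 640 CONNECT 203.0.113.7:8443 maik DEFAULT_PARENT/192.0.2.10 -
"""

def parse(text):
    """Split log lines into dicts; malformed lines are skipped rather than guessed at."""
    rows = [line.split() for line in text.splitlines()]
    return [dict(zip(FIELDS, p)) for p in rows if len(p) == len(FIELDS)]

def destination(rec):
    """(host, port) of a request: CONNECT carries host:port, other methods a full URL."""
    if rec["method"] == "CONNECT":
        host, _, port = rec["url"].rpartition(":")
        return host, int(port)
    u = urlsplit(rec["url"])
    return u.hostname or "", u.port or (443 if u.scheme == "https" else 80)

def find_suspicious(records, min_hits=3, jitter=0.1):
    """Three checks over parsed proxy records; returns sorted (rule, detail) pairs."""
    findings, series = set(), defaultdict(list)
    for r in records:
        host, port = destination(r)
        who = f"{r['user']}@{r['client']}"
        if r["method"] == "CONNECT" and port != 443:  # tunnel to a non-TLS port
            findings.add(("connect-nonstandard-port", f"{who} -> {host}:{port}"))
        if IPV4.match(host):  # browsers normally resolve names, not literal addresses
            findings.add(("raw-ip-destination", f"{who} -> {host}"))
        series[(who, host)].append(float(r["ts"]))
    for (who, host), stamps in series.items():  # beaconing: near-constant interval
        if len(stamps) < min_hits:
            continue
        gaps = [b - a for a, b in zip(sorted(stamps), sorted(stamps)[1:])]
        if statistics.pstdev(gaps) <= jitter * statistics.mean(gaps):
            findings.add(("beacon-like-interval", f"{who} -> {host} every ~{statistics.mean(gaps):.0f}s"))
    return sorted(findings)
```

Run it against a real access.log by replacing SAMPLE_LOG with the file contents; the username column only carries a name when the Squid authentication described in the post is in place, which is what lets a finding be tied to a person and a Citrix server.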