Security Basics mailing list archives

RE: Wireless hotspot login pages


From: "Kavesh Moodley" <Kavesh.Moodley () hss health nsw gov au>
Date: Sun, 30 May 2010 14:37:15 +1000


I know there are a lot of caveats; however, I think Mozilla Browser will
be configurable and you may be able to get around the GPO settings by
having users use this for when you want to use WIFI. Not 100% on this,
so I apologise in advance if I am wrong.

However, this does pose the possibility that users will now be able to
bypass what restrictions you have put in place once they know they can
untick the proxy settings there.
I think a more secure solution for this would be a HIPS client or
Client/Host firewall that restricts access to only your CAG.

Regards,
Kavesh

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
On Behalf Of Paul Johnston
Sent: Friday, 28 May 2010 5:42 PM
To: security-basics () securityfocus com
Subject: Wireless hotspot login pages

Hi,

I have a client who restricts their mobile workers' browsers so they can
only access a single site - the client's Citrix Access Gateway. They
don't want users directly browsing the Internet out of the office -
because of both malware and AUP concerns. They enforce this by setting
the proxy to the corporate proxy (only accessible in the office), having
a proxy exclusion for the CAG, and preventing users editing the
settings.

This all works fine for use on home broadband (wired/wireless) and 3G.

However, it falls down for Wireless Hotspots. Many of these have a
browser-based login page. The proxy configuration prevents access to the
login page, stopping the hot spot being used at all.

This must be a problem a lot of people have hit. How do you allow access
to Hot spot login pages, but not web pages in general?

Any suggestions much appreciated,

Paul

-- 
Pentest - When a tick in the box is not enough

Paul Johnston - IT Security Consultant / Tiger SST
Pentest Limited - ISO 9001 (cert 16055) / ISO 27001 (cert 558982)

Office: +44 (0) 161 233 0100
Mobile: +44 (0) 7817 219 072

Email policy: http://www.pentest.co.uk/legal.shtml#emailpolicy
Registered Number: 4217114 England & Wales
Registered Office: 26a The Downs, Altrincham, Cheshire, WA14 2PU, UK



