Penetration Testing mailing list archives
Re: auditing web/mail proxies
From: White Hat <whitehat237 () gmail com>
Date: Tue, 13 Dec 2011 12:06:17 -0500
Is the main threat internal, or external? If it's internal, a few questions I would ask are:

Do they allow egress ICMP? Do they allow egress SSH? Do they allow egress DNS? If they do allow these protocols out, then an insider can probably bypass the proxy with tools like icmptx, nstx, SSH tunneling, etc.

Do they control what browser clients use? Does the proxy transparently redirect outbound HTTP requests, or does it rely on browser configuration? Do they block sites like PortableApps to prevent an insider from using Firefox Portable, which can be run without admin rights?

Is HTTPS allowed out un-proxied? This opens up the use of external HTTPS proxies, which can be used to access content that should be blocked according to proxy policy.

Does the proxy intercept and re-issue certs? I would argue that the security added by this is negated by breaking the chain of trust with verified sites and the real CA. In my experience, end users simply don't verify every cert, from every site, every time; they simply click accept.

Hope this helps.

On Mon, Dec 5, 2011 at 4:21 AM, cribbar <crib.bar () hotmail co uk> wrote:
Hey all,

Has anyone ever audited a proxy during a pen test/IT audit, or as an audit in itself? If so, do you have a scope of what kind of checks you reviewed, or a checklist? The proxy software in question is Websense, which addresses both email filtering and web filtering. Any tools that can automate the process are most welcome.

Look forward to your responses. I couldn't find too many resources on proxy auditing.

Kind Regards
Cb

------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board
Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT and CEPT certs require a full practical examination in order to become certified.
http://www.iacertification.org
------------------------------------------------------------------------
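The egress questions in the reply above (direct SSH, direct DNS, direct HTTPS, and whether a proxy is re-issuing certificates) can be turned into a small probe script. The following is an added example written for this archive page, not code posted by either participant or part of Websense. Target addresses are TEST-NET placeholders and the expected-issuer set is an assumption; substitute endpoints and issuers your rules of engagement and an out-of-band check give you. ICMP tunnelling is deliberately left out because a raw ICMP socket needs root.

```python
"""Egress-control probes for a web-proxy audit (added example, not from the thread).

Each probe answers one question from the reply above: can a client on the
audited segment reach the Internet on SSH, DNS or HTTPS without the proxy,
and if it can reach an HTTPS endpoint, who issued the certificate it sees?
"""
import random
import socket
import ssl
import struct

# Hypothetical external targets (assumption: replace with authorised endpoints).
TARGET_SSH = ("203.0.113.10", 22)     # TEST-NET-3 documentation address
TARGET_DNS = ("203.0.113.53", 53)
TARGET_HTTPS = ("example.com", 443)

# Issuer organisations you expect for TARGET_HTTPS (assumption: fill in from a
# check made outside the audited network).  Any other issuer means the proxy,
# or something else on-path, is re-issuing certificates.
EXPECTED_ISSUERS = {"DigiCert Inc"}


def probe_tcp(host, port, timeout=3.0):
    """True if a plain TCP handshake to host:port completes with no proxy set."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def build_dns_query(name, qtype=1):
    """Minimal RFC 1035 A query in wire format; returns (transaction id, bytes)."""
    txid = random.randint(0, 0xFFFF)
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, one question
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.split(".")) + b"\x00"
    return txid, header + qname + struct.pack(">HH", qtype, 1)


def probe_dns(host, port=53, timeout=3.0, name="example.com"):
    """True if an arbitrary external resolver answers UDP/53 (nstx/iodine path)."""
    txid, query = build_dns_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(query, (host, port))
            data, _ = s.recvfrom(512)
        except OSError:
            return False
    return len(data) >= 12 and struct.unpack(">H", data[:2])[0] == txid


def issuer_org(cert):
    """organizationName of the issuer from ssl.getpeercert()'s dict, or None."""
    for rdn in cert.get("issuer", ()):
        for key, value in rdn:
            if key == "organizationName":
                return value
    return None


def fetch_tls_issuer(host, port=443, timeout=3.0):
    """Connect directly over TLS with normal verification.

    Returns (None, None) if no TLS endpoint answers, (False, None) if a chain is
    presented that this host does not trust (typical of a re-signing proxy whose
    CA is not installed), and (True, issuer) if the chain verifies, in which
    case the issuer shows whether the origin's CA or an interception CA signed it.
    """
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return True, issuer_org(tls.getpeercert())
    except ssl.SSLCertVerificationError:
        return False, None
    except OSError:
        return None, None


def assess(results):
    """Map probe results to findings.  Keys: ssh_direct, dns_direct,
    https_direct, https_verified (bools) and https_issuer (str or None)."""
    findings = []
    if results.get("ssh_direct"):
        findings.append("TCP/22 egress open: SSH tunnelling bypasses the proxy")
    if results.get("dns_direct"):
        findings.append("UDP/53 egress open to arbitrary resolvers: DNS tunnelling possible")
    if results.get("https_direct"):
        issuer = results.get("https_issuer")
        if not results.get("https_verified"):
            findings.append("TCP/443: certificate chain not trusted by this host; "
                            "a proxy is probably re-issuing certificates")
        elif issuer not in EXPECTED_ISSUERS:
            findings.append(f"TCP/443: certificate issued by {issuer!r} rather than "
                            "the expected CA; proxy re-issues certificates")
        else:
            findings.append("TCP/443: direct egress with the origin's own certificate; "
                            "external HTTPS proxies are reachable un-proxied")
    return findings


def run_all():
    """Run every probe from the audited client and return the results dict."""
    verified, issuer = fetch_tls_issuer(*TARGET_HTTPS)
    return {
        "ssh_direct": probe_tcp(*TARGET_SSH),
        "dns_direct": probe_dns(*TARGET_DNS),
        "https_direct": verified is not None,
        "https_verified": bool(verified),
        "https_issuer": issuer,
    }


if __name__ == "__main__":
    for finding in assess(run_all()):
        print("-", finding)
```

Run it from a workstation on the segment being audited with no proxy configured in the environment or browser; a transparent proxy will still answer the TCP/443 connect, which is exactly why the issuer check is needed to tell "un-proxied" from "intercepted".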
Current thread:
- auditing web/mail proxies cribbar (Dec 05)
- Re: auditing web/mail proxies Anders Thulin (Dec 05)
- Re: auditing web/mail proxies Dion Stempfley (Dec 10)
- Re: auditing web/mail proxies Justin Rogosky (Dec 10)
- Re: auditing web/mail proxies Brian Quick (Dec 10)
- Re: auditing web/mail proxies A. Ramos (Dec 12)
- Re: auditing web/mail proxies White Hat (Dec 16)