Penetration Testing mailing list archives

Re: auditing web/mail proxies


From: White Hat <whitehat237 () gmail com>
Date: Tue, 13 Dec 2011 12:06:17 -0500

Is the main threat internal, or external?

If it's internal, a few questions I would ask are:

Do they allow egress ICMP?
Do they allow egress SSH?
Do they allow egress DNS?

If they do allow these protocols out, then an insider can probably
bypass the proxy with tools like icmptx, nstx, SSH tunneling, etc.

Do they control what browser clients use?
Does the proxy transparently redirect outbound http requests, or does
it rely on browser configuration?
Do they block sites like PortableApps to prevent an insider from
using Firefox Portable, which can be run without admin rights?

Is HTTPS allowed out un-proxied? This opens up the use of external HTTPS
proxies, which can be used to access content that should be blocked
according to proxy policy.

Does the proxy intercept and re-issue certs?
I would argue that the security added by this is negated by
breaking the chain of trust with verified sites and the real CA.

In my experience, end users simply don't verify every cert from every
site every time; they just click accept.

Hope this helps.

On Mon, Dec 5, 2011 at 4:21 AM, cribbar <crib.bar () hotmail co uk> wrote:

Hey all,

Has anyone ever audited a proxy during a pen test/IT audit, or as an audit in
itself? If so, do you have a scope of what kind of checks you reviewed, or a
checklist? The proxy software in question is Websense, which addresses both
email filtering and web filtering. Any tools that can automate the
process are most welcome. Look forward to your responses – I couldn't find too
many resources on proxy auditing.

Kind Regards
Cb
--
View this message in context: http://old.nabble.com/auditing-web-mail-proxies-tp32916010p32916010.html
Sent from the Penetration Testing mailing list archive at Nabble.com.
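White Hat's egress questions (ICMP, SSH and DNS out, HTTPS leaving un-proxied) can be checked against firewall logs rather than by asking. The script below is an added example and not code from either poster; the log format, the proxy and resolver addresses, and the sample lines are all constructed assumptions.

```python
import ipaddress
from collections import Counter

# Host roles are constructed assumptions for this example, not from the thread.
INTERNAL = ipaddress.ip_network("10.0.0.0/8")
PROXY_HOSTS = {"10.0.0.5"}   # the only host expected to reach 80/443 directly
RESOLVERS = {"10.0.0.53"}    # the only hosts expected to send DNS outbound

def classify(src, dst, proto, dport):
    """Label an allowed outbound flow with the audit question it fails,
    or return None when it fits the egress policy."""
    if ipaddress.ip_address(dst) in INTERNAL:
        return None                   # internal traffic: out of scope
    if proto == "icmp":
        return "egress-icmp"          # icmptx-style tunnel possible
    if proto == "tcp" and dport == 22:
        return "egress-ssh"           # SSH tunnelling possible
    if dport == 53 and src not in RESOLVERS:
        return "egress-dns"           # nstx-style tunnel from a workstation
    if proto == "tcp" and dport in (80, 443) and src not in PROXY_HOSTS:
        return "unproxied-web"        # external HTTPS proxies reachable directly
    return None

def audit(lines):
    """Count allowed outbound flows per finding label; denied flows are ignored.
    Each line is assumed to be: <time> <src> <dst> <proto> <dport> <action>."""
    findings = Counter()
    for line in lines:
        _time, src, dst, proto, dport, action = line.split()
        if action != "ALLOW":
            continue
        port = int(dport) if dport.isdigit() else 0   # ICMP logs "-" as the port
        label = classify(src, dst, proto, port)
        if label:
            findings[label] += 1
    return findings

# Constructed firewall log lines using documentation-range external addresses.
SAMPLE_LOG = [
    "12:00:01 10.0.0.5 198.51.100.10 tcp 443 ALLOW",   # proxy itself: fine
    "12:00:02 10.0.1.20 198.51.100.10 tcp 443 ALLOW",  # workstation bypasses proxy
    "12:00:03 10.0.1.21 192.0.2.53 udp 53 ALLOW",      # workstation talks DNS out
    "12:00:04 10.0.0.53 192.0.2.53 udp 53 ALLOW",      # resolver: fine
    "12:00:05 10.0.1.22 203.0.113.9 tcp 22 ALLOW",     # SSH out of the network
    "12:00:06 10.0.1.23 203.0.113.9 icmp - ALLOW",     # ICMP out of the network
    "12:00:07 10.0.1.24 203.0.113.9 tcp 22 DENY",      # blocked: not a finding
    "12:00:08 10.0.1.25 10.0.0.5 tcp 8080 ALLOW",      # to the proxy: fine
]
```

Each non-zero counter from `audit(SAMPLE_LOG)` is one of the checklist questions answered "yes" by the logs, which is the evidence an auditor wants before writing up the proxy as bypassable.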


------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board

Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT 
and CEPT certs require a full practical examination in order to become certified.

http://www.iacertification.org
------------------------------------------------------------------------

