polonus
port 80 scanning on the work floor
« on: November 15, 2006, 04:08:15 PM »
Hi malware fighters,

Protect your port 80


Whereas a good firewall protected against the majority of attacks
a couple of years ago, today a large part of attacks circumvents the firewall
or passes right through it. Content scanning of port 80 protects against
the majority of this kind of attack. A good firewall could ward off 95%
of all attacks; now 30% of malware vectors use a different way to infect.

Port 80, the main carrier port of all web traffic, is notorious in this
respect. Via the webmail interface an attack on the internal mail server
can be achieved. Inside a mail a web link can be sent, where a click-through
can lead to a lot of trouble.
A good firewall is a must, but actually we have gone back to day 1 again.
Today all sorts of applications carry a web interface. In the future all distributed
applications based on web services will use port 80. (Now you know why you
have a webshield installed.) Even p2p programs that are not supported by
firewall proxies have a fall-back to the web protocol.
Craig Hicks-Frazer, Managing Director of Blue Coat, measures that 50 to 70%
of all the traffic for his clients runs via port 80, and that percentage is
only increasing.

Checking web traffic for dangerous and undesired content is more difficult
than scanning incoming mail. Simple in-line scanning, where web content is
examined directly, does not offer a good solution. It means that the user
sits waiting for the next screen all the time. Using content scanning on demand
(DrWeb's hyperlink scanning) is better. But when things fail, one could even
get a time-out of the application. It is also difficult to apply on a larger
scale in commercial surroundings.

Caching appears to be the solution to these problems.
By saving all of the web cache (for all of the firm) and even loading this
pro-actively, the scanner can perform on an acceptable scale. Even better, the
web cache can enhance performance as a whole and lower the bandwidth. First the
cache is checked before new content is brought in; if that takes a while the user
is served up with a "patience page". According to Hicks-Frazer this was the reason
that users started clicking again and again, while the background system was busy
scanning, so it almost collapsed under the enormous load.

That is why Blue Coat, as a vendor of web cache and proxy system applications, is
now heavily into web content scanning. Their port 80 security appliances
mainly consist of a web cache together with a security engine that looks
after the implementation of set policies for URL and MIME type filtering, virus
scanning and bandwidth management.

Scanning and filtering is done via the Internet Content Adaptation Protocol
(ICAP) intertwined with content scanners. Supported here are applications like
WebWasher, Finjan SurfinGate, SmartFilter of Secure Computing, Websense,
Symantec CarrierScan Server and TrendMicro InterScan Server.
Setting policies for port 80 scanners is like setting management interfaces of
firewall systems. It looks like setting the rules for, let us say, Check Point
VPN-1/FireWall-1.

The protocols can be set per user or per group of users, the same as what
content can be approached, what content can be viewed and at what moment this
is allowed. So you can filter out abusive language, religious or fundamentalist
content, pr0n, but also sports and private stock; what could be allowed during
lunch hour could be a subject of debate. Then you could be free to do your
shopping, download your e-books etc. So people would not linger on eBay.
For this reason time-outs and content limits could be implemented.
 
From a security point of view filtering outgoing content is much more interesting.
So instant messaging may be allowed on the firm's Intranet but not on the
Internet. Sometimes only file-sharing is blocked, USB sharing is blocked,
and outgoing content is checked for certain terms to keep certain
documents or information from being leaked.

For the users everything should be as transparent as possible: first you get
a policy survey inside the browser, which you have to agree with before you
can go on the Internet. If you are in conflict with the policy you will get
a pop-up. Easiest is to block this, but it is better to use a form of social
engineering, seeing to it that applications of this sort are being counted,
and no one wants to be "top of the list". This works, the same as "all your
attempts are going to be logged". The management has to be shown only
general surveys, because full reports would take too much of their time.


polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!
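The ICAP exchange the post describes (the proxy hands fetched port 80 content to a scanner, which answers "unchanged" or hands back a replacement, with URL, MIME type and virus policy applied on the scanner side) as an added example; this is not code from the original post and not Blue Coat's or any listed vendor's software. It is a minimal RFC 3507 RESPMOD round trip in Python. The ICAP service URL, host names, policy lists, block page and sample HTTP messages are constructed assumptions; only the EICAR string is a real test signature.

```python
"""Minimal ICAP (RFC 3507) RESPMOD round trip: web proxy <-> content scanner.
Added example, not from the post and not vendor code. Service URL, hosts,
policy, block page and sample traffic are constructed; EICAR is a real test string."""

CRLF = b"\r\n"

# --- constructed policy (assumption, not any vendor's rule set) -----------
BLOCKED_MIME = {b"application/x-msdownload", b"application/octet-stream"}
BLOCKED_URL_WORDS = (b"gambling", b"warez")
SIGNATURES = (b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*",)

def chunk(body: bytes) -> bytes:
    """HTTP/1.1 chunked encoding of a complete body (one chunk + terminator)."""
    if not body:
        return b"0" + CRLF + CRLF
    return b"%x" % len(body) + CRLF + body + CRLF + b"0" + CRLF + CRLF

def dechunk(data: bytes) -> bytes:
    """Decode a chunked body, stopping at the zero-length chunk."""
    out, pos = bytearray(), 0
    while True:
        end = data.index(CRLF, pos)
        size = int(data[pos:end].split(b";")[0], 16)   # ignore chunk extensions
        pos = end + 2
        if size == 0:
            return bytes(out)
        out += data[pos:pos + size]
        pos += size + 2                                 # skip data and its CRLF

def header_value(hdr: bytes, name: bytes) -> bytes:
    """Case-insensitive lookup of one header in an HTTP header block."""
    for line in hdr.split(CRLF):
        key, _, value = line.partition(b":")
        if key.strip().lower() == name.lower():
            return value.strip()
    return b""

def request_url(req_hdr: bytes) -> bytes:
    """Rebuild http://host/path from the request line and Host header."""
    _, target, _ = req_hdr.split(CRLF, 1)[0].split(b" ", 2)
    return target if target.startswith(b"http://") else b"http://" + header_value(req_hdr, b"Host") + target

def build_respmod(req_hdr: bytes, res_hdr: bytes, body: bytes) -> bytes:
    """Proxy side: encapsulate origin request headers, response headers and body.
    Encapsulated offsets are byte offsets into the encapsulated part."""
    res_off, body_off = len(req_hdr), len(req_hdr) + len(res_hdr)
    icap_hdr = (b"RESPMOD icap://icap.example.net/respmod ICAP/1.0" + CRLF
                + b"Host: icap.example.net" + CRLF
                + b"Allow: 204" + CRLF            # scanner may answer 204 = leave as is
                + b"Encapsulated: req-hdr=0, res-hdr=%d, res-body=%d" % (res_off, body_off)
                + CRLF + CRLF)
    return icap_hdr + req_hdr + res_hdr + chunk(body)

def parse_icap(raw: bytes):
    """Split an ICAP message into start line, header dict and encapsulated sections."""
    head, _, enc = raw.partition(CRLF + CRLF)
    lines = head.split(CRLF)
    headers = {}
    for line in lines[1:]:
        key, _, value = line.partition(b":")
        headers[key.strip().lower()] = value.strip()
    sections = {}
    if b"encapsulated" in headers:
        entries = [e.strip().split(b"=") for e in headers[b"encapsulated"].split(b",")]
        for i, (name, off) in enumerate(entries):
            stop = int(entries[i + 1][1]) if i + 1 < len(entries) else len(enc)
            sections[name] = enc[int(off):stop]
    return lines[0], headers, sections

def encapsulate(status: bytes, res_hdr: bytes, body: bytes) -> bytes:
    """ICAP 200 reply carrying a (possibly replaced) HTTP response; ISTag is mandatory."""
    return (status + CRLF + b'ISTag: "demo-policy-1"' + CRLF
            + b"Encapsulated: res-hdr=0, res-body=%d" % len(res_hdr) + CRLF + CRLF
            + res_hdr + chunk(body))

def scan_respmod(raw: bytes) -> bytes:
    """Scanner side: apply URL, MIME and signature policy, answer 204 or 200."""
    start, headers, sec = parse_icap(raw)
    if not start.startswith(b"RESPMOD "):
        return b"ICAP/1.0 405 Method not allowed for service" + CRLF + CRLF
    req_hdr, res_hdr = sec.get(b"req-hdr", b""), sec.get(b"res-hdr", b"")
    body = dechunk(sec[b"res-body"]) if b"res-body" in sec else b""
    url = request_url(req_hdr).lower() if req_hdr else b""
    mime = header_value(res_hdr, b"Content-Type").split(b";")[0].strip().lower()
    reason = None
    if any(w in url for w in BLOCKED_URL_WORDS):
        reason = b"URL blocked by policy"
    elif mime in BLOCKED_MIME:
        reason = b"MIME type blocked by policy"
    elif any(sig in body for sig in SIGNATURES):
        reason = b"malware signature found"
    if reason is None:
        if b"204" in headers.get(b"allow", b""):
            return b"ICAP/1.0 204 No Content" + CRLF + CRLF
        return encapsulate(b"ICAP/1.0 200 OK", res_hdr, body)   # echo back unchanged
    page = b"<html><body>Blocked: " + reason + b"</body></html>"
    block_hdr = (b"HTTP/1.1 403 Forbidden" + CRLF + b"Content-Type: text/html" + CRLF
                 + b"Content-Length: %d" % len(page) + CRLF + CRLF)
    return encapsulate(b"ICAP/1.0 200 OK", block_hdr, page)

def proxy_fetch(req_hdr: bytes, res_hdr: bytes, body: bytes):
    """Full round trip; returns the (headers, body) the proxy will serve the user."""
    reply = scan_respmod(build_respmod(req_hdr, res_hdr, body))
    status, _, sec = parse_icap(reply)
    if status.startswith(b"ICAP/1.0 204"):
        return res_hdr, body                                  # original is clean
    return sec[b"res-hdr"], dechunk(sec[b"res-body"])        # scanner's replacement

# --- constructed sample traffic ------------------------------------------
REQ = b"GET /index.html HTTP/1.1" + CRLF + b"Host: www.example.com" + CRLF + CRLF
HTML = b"HTTP/1.1 200 OK" + CRLF + b"Content-Type: text/html" + CRLF + CRLF
EXE = b"HTTP/1.1 200 OK" + CRLF + b"Content-Type: application/x-msdownload" + CRLF + CRLF

if __name__ == "__main__":
    for label, rh, body in [("clean page", HTML, b"<html>hello</html>"),
                            ("exe download", EXE, b"MZ\x90\x00"),
                            ("eicar in html", HTML, SIGNATURES[0])]:
        hdr, served = proxy_fetch(REQ, rh, body)
        print(label, "->", hdr.split(CRLF)[0].decode(), served[:40])
```

The point the post makes about latency shows up in the shape of the exchange: the whole response body must reach the scanner before a verdict exists, which is why a proxy serves a "patience page" or a cached copy rather than streaming unscanned bytes to the browser. The scanner answers 204 only because the proxy advertised "Allow: 204"; without that header it has to echo the full content back, doubling the traffic on the proxy-to-scanner link.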