Notes from Secure Computing's Web Gateway Security Workshop

Web Gateway Security

Grant Murphy - Director, Web Gateway Security

Negative security model (known bad). The gateway must already know about every possible attack vector, which is not possible.

Reference: Metasploit, HD Moore, VoMM.

Positive security model. Intent and reputation model: something is allowed because of its known intent and reputation. Real world example: a credit score. If I have a history of defaults or late payments I get a lower credit score than someone who pays bills on time and in full.

TrustedSource. In the Web 1.0 world trust is implied by the user; the user assumes the content at the other end will not be malicious. In Web 2.0 trust cannot be assumed: there are many new vulnerabilities and attacks, most new web traffic is Web 2.0, and a lot of code is now executed in the browser (the endpoint).

Reputation enhanced URL filtering. What is the reputation of the site I am on? What is the nature (intent) of the content the site returns? Does this site download code (JavaScript, ActiveX, Java etc.) that is malicious?

Need an engine behind the URL filter to trap malicious code and clean or drop it before the content reaches the endpoint. Policy driven. Webwasher (proxy/web caching appliance) handles SSL traffic by decrypting and re-encrypting it in memory on the fly, blocking invalid certificates or sites based on policy. This raises privacy issues. The suggested policy is that only reputation-challenged sites using SSL are decrypted and scanned; well-reputed SSL sessions pass through untouched, which is what keeps the approach within EU privacy law.
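To make the contrast between the negative (known-bad) and the positive (reputation) model concrete, and to show the SSL inspection policy suggested above as executable logic, here is an added Python example. It is not Secure Computing's or Webwasher's code; the hostnames, reputation signals, weights and thresholds are all constructed for illustration, and a real TrustedSource feed would supply the evidence.

```python
"""Toy reputation-based web gateway policy (added example, not vendor code).

Models two ideas from the workshop notes:
  * a negative model (known-bad list) that only catches what it already knows, and
  * a positive/reputation model that scores a site from observable evidence and
    decides allow / scan / block from that score, including whether an SSL
    session is decrypted for inspection at all.
All hosts, signals, weights and thresholds below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Tuple
from urllib.parse import urlparse

# Negative model: a static list of known-bad hosts. Anything not on it passes.
KNOWN_BAD_HOSTS = {"malware.example", "storm-c2.example"}


def negative_model_verdict(url: str) -> str:
    host = urlparse(url).hostname or ""
    return "block" if host in KNOWN_BAD_HOSTS else "allow"


@dataclass(frozen=True)
class SiteEvidence:
    """Constructed reputation signals for one host (hypothetical feed)."""
    days_registered: int        # domain age in days
    malware_hits_30d: int       # malicious downloads seen from this host
    spam_reports_30d: int       # spam/phish reports naming this host
    hosts_dynamic_code: bool    # serves JavaScript/ActiveX/Java payloads


def reputation_score(ev: SiteEvidence) -> int:
    """Credit-score-style reputation: start neutral, earn trust with age,
    lose it with incidents. Clamped to 0..100; higher is more trustworthy."""
    score = 50
    score += min(ev.days_registered // 30, 40)   # up to +40 for a long-lived domain
    score -= 25 * ev.malware_hits_30d
    score -= 5 * ev.spam_reports_30d
    if ev.hosts_dynamic_code and ev.days_registered < 90:
        score -= 10                               # young domain pushing active content
    return max(0, min(100, score))


BLOCK_BELOW = 20   # reputation below this: drop the connection
SCAN_BELOW = 60    # reputation below this: inspect content (decrypt SSL if needed)


def gateway_decision(url: str, ev: SiteEvidence, cert_valid: bool = True) -> str:
    """Return 'block', 'scan', 'decrypt_and_scan' or 'allow' for one request.

    SSL traffic is only decrypted for reputation-challenged sites, so
    well-reputed HTTPS sessions stay private. Invalid certificates are
    blocked regardless of reputation.
    """
    parsed = urlparse(url)
    if parsed.scheme == "https" and not cert_valid:
        return "block"
    score = reputation_score(ev)
    if score < BLOCK_BELOW:
        return "block"
    if score < SCAN_BELOW:
        return "decrypt_and_scan" if parsed.scheme == "https" else "scan"
    return "allow"


# Constructed evidence for three hypothetical hosts.
EVIDENCE = {
    "bank.example":     SiteEvidence(3650, 0, 0, True),   # old, clean, serves JS
    "newblog.example":  SiteEvidence(20, 0, 2, True),     # young, a few spam reports
    "fresh-c2.example": SiteEvidence(3, 2, 1, True),      # days old, already dropping malware
}


def compare_models(url: str) -> Tuple[str, str]:
    """(negative-model verdict, reputation-model verdict) for one URL."""
    host = urlparse(url).hostname or ""
    return negative_model_verdict(url), gateway_decision(url, EVIDENCE[host])


if __name__ == "__main__":
    for u in ("https://bank.example/login",
              "https://newblog.example/",
              "http://fresh-c2.example/dl.exe"):
        print(u, compare_models(u))
```

The point of the last host is the one the speaker makes: a domain registered three days ago is not on any known-bad list yet, so the negative model allows it, while the reputation model blocks it on evidence alone. The middle host shows the privacy trade-off: its HTTPS session is decrypted for scanning only because its reputation is below the scan threshold.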

Example: Storm Bot
  • Over 1 million machines infected
  • Web based vector
  • Payload is a P2P botnet

Webwasher runs on CyberGuard Linux, locked down to Common Criteria recommendations.

Q4/2007 - Support for Novell eDirectory.

Q1/2008 - Webwasher 6.7 - Desktop Agent, NTLM for transparent authentication.
Desktop Agent - Allows enforcement of filter policy for remote users. Q1/2008.
Q4/2008 - Web Reporter 7.0 - combines Smart Reporter and Content Reporter. SmartFilter delegated administration. Instant Messaging integration. Protocol based filtering! Will have functionality similar to IMLogic.

Messaging Security

Brian Schwartzkopf, Systems Engineer Manager

  • Integrates with Active Directory
  • SPAM detection
  • Dynamic HOP count.
  • Pornographic image detection
  • Secure LDAP

2008 Roadmap

  • New Operating System Platform - Move away from Linux kernel to FreeBSD
  • TrustedSource integration
  • IPv6
  • Log standardization and real time reporting (Content Reporter)
  • New web based user interface
  • New end user quarantine - User can add/remove from white-list/blacklist
  • Sophos integration
  • Storage and archived search.
  • Gateway to user S/MIME support

Network Gateway Security (Sidewinder)

Jason Lamar, Director, Network Gateway Security

  • Most firewalls are built to control packet routing and expedite throughput. There is no intelligence around whether an inbound connection is wanted.
  • Sidewinder is a reputation based firewall with intelligent inspection of data traffic. It will inspect encrypted traffic (e.g. SSH) on the network and block/drop malicious traffic.
  • Inbound SSH proxy.

NOTE: Getting the idea that TrustedSource is a big deal for Secure Computing.

Author: Khürt Williams

A human who works in information security and enjoys photography, Formula 1 and craft ale. #nobridge