Much of my time is spent researching data sheets and release notes to determine the capabilities of a product and you can learn a lot about the capabilities of the product by reading these documents. However, the most important thing I’ve learned is how to read a document in such a way that you can determine what the product does not support. The vendors of course never tell you what isn’t supported, they tell you what is supported.

This I have found is the most challenging task in product research and without the skill you can find yourself in a difficult position after the product is already sold into the promises have been made. I don’t think this something you can teach but it is something you learn over time after being burned. Who pays for these mistakes? It is certainly not the vendors and it’s not the customer, it is the person responsible for the implementation.

Recently after discussing with a new customer requirements for a the firewall VPN URL filtering IPS device [all in wonder box] I did a little research and came up with a solution utilizing a Cisco IOS ISR router. I had thought I had done all my research, but during deployment we ran into some real snags!

First issue: not enough flash to run SSL VPN at IPS concurrently.
Second issue: URL filtering not supported using C B A C- must use zone-based configuration.

In reading through the data sheets for this router I read nothing about the flash limitations on the router that is sold to support SSL VPN and IPS concurrently. A flash upgrade was obviously required but this could not be determined until we had already ran into the issue. For the second issue, I have no one to blame but myself for I just assumed that URL filtering was supported using Cisco’s original IOS firewall technology. Had I done just a little more research I would’ve found the document to talk about URL filtering and how it’s configured in a zone-based firewall deployment. Nowhere does it say that URL filtering is not available using CBAC.

Live and learn as they say. I won’t be making that mistake again but at the rate that technology changes I probably wouldn’t have the opportunity to make that mistake again. I’m sure a new one is on the horizon but I’ll be sure to read all the documents so that I can determine what they have not told me.

ISA Server 2006′nın yeni versiyonu olan TMG (Threat Management Gateway) 2010′un Beta 3 çıktı. Beta 3′ü aşağıdaki linkten indirip kurabilirsiniz. Beta 3 ile birlikte gelen en önemli yeniliklerden biri de URL filtering. Böylece kullanıcılarınızın istemediğiniz sitelere erişimlerini kontrol altında tutabileceksiniz. Aynı zamanda da çok detaylı bir şekilde raporlayabileceksiniz. URL filtering konusunda, TMG birçok firmanın veritabanlarını kullanıyor olacak. Bunlardan biri de BrightCloud. Beta 3′de aynı zamanda birçok yenilikte sizleri karşılıyor olacak. Bunlardan biri de Setup Preparation Tool. Bu özellik sayesinde TMG çok daha hızlı ve rahat bir şekilde kuruluyor olacak. Bununla birlikte TMG hem Windows Server 2008 hemde Windows Server 2008 R2′yi destekleyecek. Gene gelen yeni özelliklerden biri de sanırım birçok ISA Server yneticisini mutlu edecek olan arama ve gruplama özelliği. Böylece kurallarda aradığınızı çok rahat bir şekilde bulacaksınız. Son olarakta SSL VPN özelliği olan SSTP (Secure Socket Tunneling Protocol) bu beta ile birlikte TMG içinde yer alıyor.

http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=e05aecbc-d0eb-4e0f-a5db-8f236995bccd

Heute gibt es nach etwas längerer Zeit mal wieder etwas neues von mir.

Mich hat schon lange ein Problem beschäftigt, welches seitdem ich wieder auf Arbeit in der Praxisphase bin, wieder akkut wurde. Wir sitzen dort hinter einem Proxy namens Webwasher, der sich sehr restriktiv verhält. Zum einen sind so ziemlich alle Ports gesperrt (bis auf HTTP(80), HTTPS(443) und wie ich neulich herausgefunden habe lustigerweise auch FTP(20/21)) und zum anderen macht der Proxy auch noch Content Filtering, sowie URL-Filtering.

Das heißt, dass es eine sehr umfangreiche Liste an Webangeboten gibt die wir auf Arbeit nich abrufen können. Soll wahrscheinlich dazu dienen die Produktivität zu fördern, bewirkt aber bei mir oftmals das Gegenteil – besonders dann wenn ich gerade technische Informationen suche und dann auf die Seite nicht raufkomme weil sie als “Computer Crime / Hacking” klassifiziert ist.

Als ob das alles noch nicht hässlich genug wäre blockt der Proxy auch noch den Download von allem was Executable(EXE, DLL, …) ist, weil könnte ja Virus sein. Er geht dabei soweit dass er sogar Zip-Files rekursiv scannt und schaut ob da irgendwelche bösen Executables drinne sind. Für nen Entwickler, der mal eben ein Skript schreiben muss und dafür nicht den Windows Editor nehmen will extrem doof.

Nun habe ich vor Kurzem versucht bei mir zu Hause SSH aufzusetzen um wenigstens auf meinen Rechner zu Haus raufzukommen. Wie gesagt Ports sind kaum offen – was nimmt man also? Na klar Port 443 für HTTPS, weil kann eigtl nicht gescannt werden. Schade – kanns doch.

Genug geheult – kommen wir zu der Lösung (hoffentlich). Denn ich habe heute den Nachmittag damit verbracht mir auf meinem Webserver zu Hause

• bblocked als web-based Proxy
• ne webshell (ich weiß gruselig)
• und ein selbstgeschriebenes Skript um Downloaden zu können

raufzuhauen. Zu der Webshell ist zu sagen, dass ich morgen erstmal nochmal schauen werde ob die FTP auch filtern (ich nehme es an) und wenn nicht dann werd ich SSH darüber laufen lassen.

Das Skript macht nun folgendes: Es lädt Files runter, benennt sie um (so dass Webwasher sie nicht überprüft) und packt sie dann in ein Zip. Wer es haben will um es auf den eigenen Server zu packen: Hier ist es.

Es läuft allerdings ohne Modifikation nur auf Linuxkisten und setzt im htdocs-Ordner die Existenz eines Unterordner “files” voraus. Desweiteren muss LAMPP in “/opt/lampp” liegen.

Zum Schluss noch eine tolle Grafik von der Webseite des Webwashers:

 There is a company out there named Secure Computing.  They say they want to be “your trusted source for enterprise security”.  Yesterday I sat down with them to see if they could be our trusted source for K12 security.

 Secure Computing products are broken into solutions sets.  The solution set presented yesterday was based around their Web Gateway Security solution.

 Everything in their Web Gateway Security Solution seems to based around the product Webwasher.   Like most security products in the Web 1.0 world, Webwasher does URL fitering.  Their marketing says this “First reputation based URL Filter eliminating security exposure, limiting legal risks and productivity losses caused by in adverted or unauthorized employee access to inappropriate, malicious or distracting Web content.”

There is another module of Webwasher that addresses “Anti-Malware”.  They use this module to bring the Web 2.0 conversation into their marketing conversation.  From a marketing standpoint brilliant.

Other modules include AntiVirus, SSL Scanner, Content Reporter, Instant message and Peer-to-peer security and SecureCache.

Buying all of these modules together is not cheap or in my opinion smart.  Because their architecture is module based it allows you take a la carte approach and build the solution that works best for your school district as you go.

My next step is to get one of their appliance’s in my district and open the hood to see what it can do.