
Wednesday, 17 June 2009

Filtering HTTP over SSL connections

Web traffic has long been one of the biggest sources of security issues, and URL filtering solutions exist to address it. A filtering solution screens an incoming web page and checks it against a set of rules and policies to determine whether access to the page is to be allowed or not.
Filtering solutions detect and block HTTP communication as per the web filtering policies, but because enterprises keep port 443 (HTTPS) open, the policy cannot be applied when a user visits secure (HTTPS) sites, as the content is encrypted.
Hence the primary circumvention method used to evade these carefully crafted web filtering policies is the use of HTTPS connections. HTTPS connections pose a serious threat because they give employees an easy way to get around the enterprise's Internet usage policy and conceal their activities.
Using a secure (HTTPS) proxy is the easiest way to exploit this. The user simply points his browser at the HTTPS proxy web site and asks the proxy to fetch the destination (blocked) site. The HTTPS proxy initiates its own request rather than passing the user's request through: it fetches the page on behalf of the user and responds as if it were the destination, so the user and the blocked site never interact directly. Because the proxy returns the content to the user inside the encrypted session, the gateway only sees SSL-encrypted traffic. A URL filtering solution cannot look inside the encrypted traffic to determine the real URL, which makes the filtering policies ineffective.
How does Cyberoam solve this problem?
Cyberoam's approach combines SSL certificate inspection with the filtering policies to control SSL traffic.
Cyberoam parses the SSL handshake (SSLv2, SSLv3 and TLS) and extracts the Common Name (CN) from the server certificate, then applies the control filters to that name. Based on the outcome of the filters, the user is either served the page or the connection is terminated. Because the appliance does not decrypt the session, the decision rests entirely on what the server presents in the clear during the handshake; the encrypted request and response themselves are never inspected, so the filter can block a known proxy site by its certificate name but cannot see which page is being fetched through it.
Apart from secure proxies, client-based proxies, HTTP proxies and open proxies are also used to evade filtering policies. Cyberoam filters the usage of these proxies with the help of its keyword and URL filtering techniques as well as Signature based detection technique.
Additionally, to control rogue employees, SSL traffic filtering can be applied to an individual user or group of users, a single URL, a group of URLs or an entire URL category.
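The handshake inspection described above, as an added example (not Cyberoam code): it parses a TLS record carrying a Certificate handshake message, walks the DER of the leaf certificate to the subject Common Name, and applies a block list to that name without ever decrypting the session. The block-list patterns, the example host names and the sample certificate (built inline with the same TLV helper, with a dummy key and signature that are never verified) are all assumptions made for this example.

```python
"""Extract the subject Common Name (CN) from a TLS Certificate handshake record and
apply a block/allow filter to it, acting only on the cleartext handshake.

Added example, not Cyberoam code. The DER walker covers only what is needed to reach
the subject Name; the sample certificate is constructed here and never verified."""
import re

OID_COMMON_NAME = b"\x55\x04\x03"                      # 2.5.4.3 id-at-commonName
OID_SHA256_RSA = b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"

# ---- minimal DER encode/decode (constructed for this example) ------------------
def der_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + der_len(len(body)) + body

def read_tlv(buf: bytes, pos: int):
    """Return (tag, value, position after this element) for the TLV at buf[pos]."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, pos = first, pos + 2
    else:
        n = first & 0x7F
        length, pos = int.from_bytes(buf[pos + 2:pos + 2 + n], "big"), pos + 2 + n
    return tag, buf[pos:pos + length], pos + length

def children(body: bytes):
    """Split a constructed element's content into [(tag, value), ...]."""
    out, pos = [], 0
    while pos < len(body):
        tag, value, pos = read_tlv(body, pos)
        out.append((tag, value))
    return out

def subject_cn(cert_der: bytes):
    """Certificate -> tbsCertificate -> subject -> first CN attribute, or None."""
    _, cert_body = children(cert_der)[0]               # outer SEQUENCE
    _, tbs = children(cert_body)[0]                    # tbsCertificate
    fields = children(tbs)
    if fields[0][0] == 0xA0:                           # optional [0] EXPLICIT version
        fields = fields[1:]
    subject = fields[4][1]     # serial, signature, issuer, validity, subject, ...
    for _, rdn in children(subject):                   # RDNSequence -> SET OF AttributeTypeAndValue
        for _, atv in children(rdn):
            (_, oid), (_, value) = children(atv)
            if oid == OID_COMMON_NAME:
                return value.decode("utf-8")
    return None

# ---- TLS record / handshake framing --------------------------------------------
def leaf_cert_from_record(record: bytes) -> bytes:
    """Pull the first (leaf) certificate out of a TLS Certificate handshake record."""
    if record[0] != 0x16:
        raise ValueError("not a handshake record")
    rec_len = int.from_bytes(record[3:5], "big")
    hs = record[5:5 + rec_len]
    if hs[0] != 0x0B:
        raise ValueError("not a Certificate message")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    certs = body[3:3 + int.from_bytes(body[0:3], "big")]
    return certs[3:3 + int.from_bytes(certs[0:3], "big")]

# ---- the filter: an assumed block list, not a Cyberoam policy -------------------
BLOCKED_CN_PATTERNS = [r"(^|\.)proxy\.example\.net$", r"(^|\.)anonymizer\.example$"]

def decide(cn) -> str:
    """'block' if the CN matches a blocked pattern, else 'allow'. No CN: fail closed (assumption)."""
    if cn is None:
        return "block"
    host = cn.lower()
    if host.startswith("*."):                          # judge wildcard certificates by their domain
        host = host[2:]
    return "block" if any(re.search(p, host) for p in BLOCKED_CN_PATTERNS) else "allow"

def filter_record(record: bytes) -> str:
    return decide(subject_cn(leaf_cert_from_record(record)))

# ---- constructed sample data ----------------------------------------------------
def der_name(cn: str) -> bytes:
    atv = tlv(0x30, tlv(0x06, OID_COMMON_NAME) + tlv(0x0C, cn.encode()))
    return tlv(0x30, tlv(0x31, atv))

def sample_certificate(cn: str) -> bytes:
    """X.509-shaped DER with a dummy key and signature: enough structure for the walker."""
    alg = tlv(0x30, tlv(0x06, OID_SHA256_RSA) + tlv(0x05, b""))
    validity = tlv(0x30, tlv(0x17, b"090601000000Z") + tlv(0x17, b"100601000000Z"))
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01") + alg
              + der_name("Example Issuer CA") + validity + der_name(cn) + tlv(0x30, b""))
    return tlv(0x30, tbs + alg + tlv(0x03, b"\x00"))

def sample_tls_record(cert_der: bytes) -> bytes:
    certs = len(cert_der).to_bytes(3, "big") + cert_der
    body = len(certs).to_bytes(3, "big") + certs
    hs = b"\x0b" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + len(hs).to_bytes(2, "big") + hs

if __name__ == "__main__":
    for host in ("www.proxy.example.net", "mail.example.com"):
        print(host, "->", filter_record(sample_tls_record(sample_certificate(host))))
```

The filter sees only the name the server chose to put in its certificate. A practitioner extending this would also read the subjectAltName extension (the names browsers actually validate) and treat a missing or generic CN as a reason to block rather than allow, as `decide` does here for the missing case.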

Windows NTLM Vs Cyberoam Clientless Single Sign On Authentication

Single Sign On (SSO) is the ability of a user to authenticate himself to a network one time, and thereafter to have access to all authorized network resources without additional authentication.
What is NTLM?

NTLM is a suite of authentication and session security protocols used in various Microsoft network protocol implementations. It is used throughout Microsoft's systems as an integrated single sign-on mechanism.

What is CTAS?

Cyberoam offers Clientless Single Sign On as the Cyberoam Transparent Authentication Suite (CTAS).

With Single Sign On authentication, the user is automatically logged on to Cyberoam when he logs on to Windows with his Windows username and password, eliminating the need for multiple logins and multiple usernames and passwords.

Clientless Single Sign On not only eliminates the need to remember multiple passwords (Windows and Cyberoam), it also eliminates the installation of SSO clients on each workstation. This delivers greater ease of use to end users and higher levels of security, in addition to lowering the operational costs involved in client installation.

NTLM vs CTAS

OS dependency
  NTLM: Yes. It can authenticate only systems running on the Windows platform.
  CTAS: No. It can authenticate domain users irrespective of the operating system on their computers; it works with Windows, Macintosh and Linux.

Applications supported
  NTLM: Only browser-based applications and Microsoft implementations of SMTP, POP3 and IMAP (all part of Exchange). The user has to authenticate for each application he wants to use.
  CTAS: All applications. Re-authentication is not required in order to access any application.

Processing load
  NTLM: System load increases, as each new session gets authenticated when a new browser instance is opened.
  CTAS: The user is authenticated just once and the agent polls the log-off information, so the system is not burdened with sending keep-alive messages to Cyberoam.

Monday, 15 June 2009

Why Firewall?

Firewalls are usually seen as a requirement if you are going to attach your network to other networks, especially the Internet. Unfortunately, some network administrators and managers do not understand the strengths a firewall can offer, resulting in poor product choice, deployment, configuration and management. Like any security technology, firewalls are only effective if the implementation is done properly and there is proper maintenance and response to security events.

Additionally, with the proper deployment of firewalls other security strategies are often much easier to integrate, such as VPNs and IDS systems. So what makes firewalls good, and what can you do to ensure they are used properly?

Perimeter
One of firewalls' weaknesses is also one of their strengths. Firewalls are typically deployed as a perimeter defence, usually intersecting network links that connect your network to others. If the firewall is properly deployed on all paths into your network, you can control what enters and leaves your network.

Of course, as with any form of perimeter defence, if an attack is launched from inside, firewalls are not too effective. However, this deployment on your network perimeter allows you to prevent certain kinds of data from entering your network, such as scans and probes, or even malicious attacks against services you run.

Similarly, it allows you to restrict outbound traffic. It would be nearly impossible to configure every workstation to disallow IRC, but blocking ports 6667-7000 (the most common IRC ports) is relatively easy on your perimeter firewalls.

While you can employ access control lists on servers internally, this still allows attackers to scan them, and possibly talk to the network portion of the OS on the server — making a number of attacks possible. This perimeter also allows you to deploy IDS systems much more easily, since "chokepoints" will have already been created, and you can monitor all data coming in or leaving.

VPN deployment also becomes easy. Instead of loading up VPN software on every desktop that might need it, you can simply employ VPN servers at those network access points, either as separate servers or directly on your firewall, which is becoming increasingly popular.

Concentrated Security
Controlling one, or even multiple firewalls is a much easier job than maintaining access control lists on numerous separate internal servers that are probably not all running the same operating system or services. With firewalls you can simply block all inbound mail access except for the official mail server. If someone forgets to disable email server software on a newly installed server, you do not need to worry about an external attacker connecting to it and exploiting any flaws.

Most modern firewall products are administered from a central console. You get an overall view of your network and can block or allow services as needed very quickly and efficiently.

With VPN-capable firewalls you can easily specify that access to certain networks must be done via encrypted tunnels, or otherwise blocked. With VPN software on each client, you would have more to worry about from misconfiguration or user interference, which can result in sensitive data being accidentally sent out unencrypted. If your firewall is set up to block all but a few specific outbound services, then no matter what a user does - even bringing in their own laptop - they will probably not be able to reach the blocked services. Enforcing this on each client machine instead of with firewalls is nearly impossible.

Enforcement of Security Policies
You may have a set of corporate guidelines for network usage that include such items as:

  1. Chat clients such as IRC, AIM, and Yahoo IM are strictly forbidden, as they can transfer files.
  2. Accessing external mail servers is forbidden (antivirus policy); only use the internal server to send or receive.
  3. Network games, such as Doom or Quake, are forbidden, except between 8 a.m. and 6 p.m. all weekdays for members of management.
  4. Websites such as playboy.com are forbidden for legal reasons.

Enforcing the first policy without a firewall would be possible, but difficult. In theory, if you managed to secure every single desktop machine and prevent users from installing software, it would be possible. Then you would need to prevent people from attaching "rogue" laptops and so forth to the internal LAN with software preinstalled. While possible, this is a Herculean task compared to configuring a dozen rules (or even a hundred rules) on your firewalls to prevent access to the ports and servers that IRC, AIM and the rest use.

The second policy would be very difficult to enforce without a firewall. You would need to do the above steps to prevent people from installing their own email software or using rogue machines such as laptops with it preinstalled. Moreover, any email software you do use (such as Outlook or Eudora) would need to be configured so that users could not modify any preferences, add new accounts and so on. This is not possible in almost all email clients.

The third policy is virtually impossible to enforce without a firewall. You would need to take the above steps to prevent any user except for management installing the software. One possibility would be to place the software on a network share and only make it available from 6 p.m. to 8 a.m., and on weekends to users of the management group. However, many network games would not function properly, and you would have to prevent the software from being copied off, etc.

Even with all this, the software may still continue to function after 8 a.m. if it is running on the client machine (or it might crash horribly). In any event, this is much easier to enforce with a firewall such as FW-1: enable user authentication, then define a policy that allows users of the management group access to the ports used by these games at the appropriate times.

Enforcing policy number four is basically impossible as well without a firewall. While some Web clients do allow you to list sites that are off limits, keeping the browsers on multiple workstations up to date would be a virtually impossible task. Compare that with configuring the firewall to force WWW access through an application-level.
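The rule-base reasoning behind the four policies above, as an added example (not from the article and not any product's configuration syntax): a first-match outbound rule set evaluated at the perimeter chokepoint, with the user's group supplied by firewall user authentication as the article suggests for policy three, and web access forced through an application-level proxy for policy four. The addresses, the group name "management", the AIM/Yahoo IM and game port numbers and the proxy address are assumptions; only the IRC range 6667-7000 comes from the article.

```python
"""A perimeter rule base that enforces the four example policies at the chokepoint,
first match wins. Added example: addresses, group name, rule layout and every port
range except the article's IRC range are assumptions for illustration."""
from dataclasses import dataclass
from datetime import datetime
from typing import Container, Optional

@dataclass(frozen=True)
class Flow:
    src: str            # source IP inside the perimeter
    src_group: str      # group of the authenticated user behind src (firewall user auth)
    proto: str          # "tcp" or "udp"
    dst: str            # destination IP outside the perimeter
    dport: int
    when: datetime

@dataclass(frozen=True)
class Rule:
    action: str                                  # "accept" or "drop"
    why: str
    proto: Optional[str] = None                  # None matches any
    dports: Optional[Container[int]] = None
    src: Optional[str] = None
    dst: Optional[str] = None
    group: Optional[str] = None
    hours: Optional[range] = None                # local hours during which the rule applies
    weekdays_only: bool = False

    def matches(self, f: Flow) -> bool:
        return all((
            self.proto is None or f.proto == self.proto,
            self.dports is None or f.dport in self.dports,
            self.src is None or f.src == self.src,
            self.dst is None or f.dst == self.dst,
            self.group is None or f.src_group == self.group,
            not self.weekdays_only or f.when.weekday() < 5,
            self.hours is None or f.when.hour in self.hours,
        ))

MAIL_SERVER = "192.0.2.25"               # assumed: the one official internal mail server
WEB_PROXY = "192.0.2.80"                 # assumed: the application-level web proxy
IRC_PORTS = range(6667, 7001)            # 6667-7000, the range the article names
CHAT_PORTS = {5190, 5050}                # assumed: AIM (5190) and Yahoo IM (5050) defaults
MAIL_PORTS = {25, 110, 143, 465, 587, 993, 995}
GAME_PORTS = range(26000, 27961)         # assumed: Quake-family server ports

OUTBOUND_POLICY = [
    Rule("drop", "1: IRC forbidden", proto="tcp", dports=IRC_PORTS),
    Rule("drop", "1: AIM/Yahoo IM forbidden", proto="tcp", dports=CHAT_PORTS),
    Rule("accept", "2: mail leaves only via the official server", proto="tcp", dports={25}, src=MAIL_SERVER),
    Rule("drop", "2: external mail servers forbidden", proto="tcp", dports=MAIL_PORTS),
    Rule("accept", "3: management, weekdays 08-18", proto="udp", dports=GAME_PORTS,
         group="management", hours=range(8, 18), weekdays_only=True),
    Rule("drop", "3: network games otherwise forbidden", proto="udp", dports=GAME_PORTS),
    Rule("accept", "4: web only through the filtering proxy", proto="tcp", dports={80, 443}, src=WEB_PROXY),
    Rule("drop", "4: direct web access bypasses the URL filter", proto="tcp", dports={80, 443}),
    Rule("drop", "default deny: anything not explicitly allowed"),
]

def evaluate(flow: Flow, policy=OUTBOUND_POLICY):
    """Walk the rule base top-down and return (action, reason) of the first match."""
    for rule in policy:
        if rule.matches(flow):
            return rule.action, rule.why
    raise ValueError("rule base must end with a catch-all")

def sample_decisions():
    """Constructed flows: Monday 15 June 2009 is a weekday, Saturday 13 June is not."""
    mon10, mon19 = datetime(2009, 6, 15, 10, 0), datetime(2009, 6, 15, 19, 0)
    sat10 = datetime(2009, 6, 13, 10, 0)
    flows = {
        "irc": Flow("10.0.0.5", "staff", "tcp", "198.51.100.7", 6667, mon10),
        "mail_from_server": Flow(MAIL_SERVER, "system", "tcp", "198.51.100.25", 25, mon10),
        "mail_from_desktop": Flow("10.0.0.5", "staff", "tcp", "198.51.100.25", 25, mon10),
        "quake_mgmt_mon10": Flow("10.0.0.9", "management", "udp", "198.51.100.9", 27960, mon10),
        "quake_mgmt_mon19": Flow("10.0.0.9", "management", "udp", "198.51.100.9", 27960, mon19),
        "quake_mgmt_sat10": Flow("10.0.0.9", "management", "udp", "198.51.100.9", 27960, sat10),
        "quake_staff_mon10": Flow("10.0.0.5", "staff", "udp", "198.51.100.9", 27960, mon10),
        "web_via_proxy": Flow(WEB_PROXY, "system", "tcp", "198.51.100.80", 443, mon10),
        "web_direct": Flow("10.0.0.5", "staff", "tcp", "198.51.100.80", 80, mon10),
        "ssh_direct": Flow("10.0.0.5", "staff", "tcp", "198.51.100.22", 22, mon10),
    }
    return {name: evaluate(f)[0] for name, f in flows.items()}

if __name__ == "__main__":
    for name, action in sample_decisions().items():
        print(f"{name:20} {action}")
```

Rule order carries the policy: the accept for the official mail server sits above the drop for mail ports, the time-bounded accept for management sits above the game-port drop, and the final catch-all turns everything the list does not name into a deny, which is what makes the rogue-laptop case in the article harmless.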

A Secure Network Is a Healthy Network
Generally speaking, any security implementation done in a network will help with its overall health. Cataloguing systems and software versions to decide what needs upgrading first, implementing automated software upgrade procedures, and so on all helps with the overall health of your network and its systems.

A network configuration that creates chokepoints for firewall deployment also means you can easily implement a DMZ, a zone with servers to handle inbound and outbound information with the public. These servers can typically run a hardened and stripped down OS and application software. A proxy email server, for example, only needs to be able to accept and send email. There is no need for user accounts, POP or IMAP services, or GroupWare software integration.

Usually the simpler a system is, the easier it is to secure, and hence the harder it is for an attacker to break into. Securing a messy network is almost impossible. You must find out what you have, which versions, where the servers are deployed, what network links exist, and so on.

Kurt Seifried.
Security Analyst & the author of the Linux Administrators Security Guide.

Friday, 5 June 2009

Cyberoam CR100ia - Comprehensive Network Security for Small and Remote

Cyberoam UTM

Cyberoam CR100ia is an identity-based security appliance that delivers real-time network protection against evolving Internet threats to small and medium enterprises (SMEs) through unique user based policies. CR100ia delivers comprehensive protection from malware, virus, spam, phishing, pharming and more. Its unique identity-based security protects users from internal threats that lead to data leakage. Cyberoam features include Stateful Inspection Firewall, VPN (SSL VPN & IPSec), Gateway Anti-Virus and Anti-Spyware, Gateway Anti-Spam, IPS, Content Filtering, Bandwidth Management, Multiple Link Management and can be centrally managed with Cyberoam Central Console.

Identity-based Security in UTM
Cyberoam attaches the user identity to security, taking enterprises a step ahead of conventional solutions that bind security to IP addresses. Cyberoam's identity-based security offers full business flexibility while ensuring complete security in any environment, including DHCP and Wi-Fi, by identifying individual users within the network, whether they are victims or attackers.

Features

Stateful Inspection Firewall (ICSA Labs Certified)
Description:
  • Powerful stateful and deep packet inspection
  • Fusion technology blends all the components of Cyberoam into a single firewall policy
  • Prevents DoS & flooding attacks from internal & external sources
  • Identity-based access control for applications like P2P, IM
  • Application layer protection
Benefits:
  • Provides the right balance of security, connectivity and productivity
  • Flexibility to set policies by user identity
  • High scalability

Virtual Private Network
Description:
  • Threat Free Tunneling
  • Industry standard: IPSec, L2TP, PPTP VPN
  • VPN High Availability for IPSec and L2TP connections
  • Dual VPNC Certifications - Basic and AES Interop
Benefits:
  • Safe and clean VPN traffic
  • Secure connectivity to branch offices and remote users
  • Low cost remote connectivity over the Internet
  • Effective failover management with defined connection priorities

Gateway Anti-Virus & Anti-Spyware
Description:
  • Scans HTTP, FTP, IMAP, POP3 and SMTP traffic
  • Detects and removes viruses, worms and Trojans
  • Access to quarantined mails for key executives
  • Instant user identification in case of HTTP threats
Benefits:
  • Complete protection of traffic over all protocols
  • High business flexibility
  • Protection of confidential information
  • Real-time security

Gateway Anti-Spam
Description:
  • Scans SMTP, POP3 and IMAP traffic for spam
  • Detects, tags and quarantines spam mail
  • Enforces black and white lists
  • Virus Outbreak Protection
  • Content-agnostic spam protection, including image spam, using Recurrent Pattern Detection (RPD) technology
Benefits:
  • Enhances productivity
  • High business flexibility
  • Protection from emerging threats
  • High scalability
  • Zero hour protection in case of virus outbreaks
  • Multi-language and multi-format spam detection

Intrusion Prevention System - IPS
Description:
  • Database of over 3000 signatures
  • Multi-policy capability with policies based on default & custom signatures, source and destination
  • Prevents intrusion attempts, DoS attacks, malicious code, backdoor activity and network-based blended threats
  • Blocks anonymous proxies with HTTP proxy signatures
  • Blocks “phone home” activities
Benefits:
  • Low false positives
  • Real-time security in dynamic environments like DHCP and Wi-Fi
  • Offers instant user identification in case of internal threats
  • Apply IPS policies on users

Content & Application Filtering
Description:
  • Automated web categorization engine blocks non-work sites based on millions of sites in over 82 categories
  • URL Filtering for HTTP & HTTPS protocols
  • Hierarchy, department, group, user-based filtering policies
  • Time-based access to pre-defined sites
  • Prevents downloads of streaming media, gaming, tickers, ads
  • Supports CIPA compliance for schools and libraries
Benefits:
  • Prevents exposure of network to external threats
  • Blocks access to restricted websites
  • Ensures regulatory compliance
  • Saves bandwidth and enhances productivity
  • Protects against legal liability
  • Ensures the safety and security of minors online
  • Enables schools to qualify for E-rate funding

Bandwidth Management
Description:
  • Committed and burstable bandwidth by hierarchy, departments, groups & users
Benefits:
  • Prevents bandwidth congestion
  • Prioritizes bandwidth for critical applications

Multiple Link Management
Description:
  • Security over multiple ISP links using a single appliance
  • Load balances traffic based on weighted round robin distribution
  • Link Failover automatically shifts traffic from a failed link to a working link
Benefits:
  • Easy to manage security over multiple links
  • Controls bandwidth congestion
  • Optimal use of low-cost links
  • Ensures business continuity

On-Appliance Reporting
Description:
  • Complete Reporting Suite available on the Appliance
  • Traffic discovery offers real-time reports
  • Reporting by username
Benefits:
  • Reduced TCO as no additional purchase required
  • Instant and complete visibility into patterns of usage
  • Instant identification of victims and attackers in internal network
Specification

Interfaces
10/100 Ethernet Ports: -
10/100/1000 GBE Ports: 6
Configurable Internal/DMZ/WAN Ports: Yes
Console Ports (RJ45): -
SFP (Mini GBIC) Ports: -
USB Ports: 2

System Performance*
Firewall throughput (Mbps): 1,000
New sessions/second: 10,000
Concurrent sessions: 400,000
168-bit Triple-DES/AES throughput (Mbps): 80/100
Antivirus throughput (Mbps): 200
IPS throughput (Mbps): 300
UTM throughput (Mbps): 160

Stateful Inspection Firewall
Multiple Zones security with separate levels of access rule enforcement for each zone: Yes
Rules based on the combination of User, Source & Destination Zone, IP address and Service: Yes
Actions include policy-based control for IPS, Content Filtering, Anti-Virus, Anti-Spam and Bandwidth Management: Yes
Access Scheduling: Yes
Policy-based Source & Destination NAT: Yes
H.323 NAT Traversal: Yes
802.1q VLAN Support: Yes
DoS & DDoS Attack prevention: Yes

Gateway Anti-Virus & Anti-Spyware
Virus, Worm, Trojan Detection & Removal: Yes
Spyware, Malware, Phishing protection: Yes
Automatic virus signature database update: Yes
Scans HTTP, FTP, SMTP, POP3, IMAP, VPN Tunnels: Yes
Customize individual user scanning: Yes
Self Service Quarantine area: Yes
Scan and deliver by file size: Yes
Block by file types: Yes

Gateway Anti-Spam
Real-time Blacklist (RBL), MIME header check: Yes
Filter based on message header, size, sender, recipient: Yes
Subject line tagging: Yes
IP address Black list/White list: Yes
Redirect spam mails to dedicated email address: Yes
Image-based spam filtering using RPD Technology: Yes
Zero hour Virus Outbreak Protection: Yes
Self Service Quarantine area: Yes

Intrusion Prevention System
Signatures: Default (3000+), Custom: Yes
IPS Policies: Multiple, Custom: Yes
User-based policy creation: Yes
Automatic real-time updates from CRProtect networks: Yes
Protocol Anomaly Detection: Yes
Block P2P applications, e.g. Skype: Yes
Block anonymous proxies, e.g. UltraSurf: Yes
Block “phone home” activities: Yes
Block keyloggers: Yes

Content & Application Filtering
Inbuilt Web Category Database: Yes
URL, keyword, File type block: Yes
Categories: Default (82+), Custom: Yes
Protocols supported: HTTP, HTTPS: Yes
Block Malware, Phishing, Pharming URLs: Yes
Custom block messages per category: Yes
Block Java Applets, Cookies, ActiveX: Yes
CIPA Compliant: Yes
Data leakage control via HTTP upload: Yes

Virtual Private Network - VPN
IPSec, L2TP, PPTP: Yes
Encryption - 3DES, DES, AES, Twofish, Blowfish, Serpent: Yes
Hash Algorithms - MD5, SHA-1: Yes
Authentication - Preshared key, Digital certificates: Yes
IPSec NAT Traversal: Yes
Dead peer detection and PFS support: Yes
Diffie-Hellman Groups - 1, 2, 5, 14, 15, 16: Yes
External Certificate Authority support: Yes
Export Road Warrior connection configuration: Yes
Domain name support for tunnel end points: Yes
VPN connection redundancy: Yes
Overlapping Network support: Yes
Hub & Spoke VPN support: Yes

SSL VPN
TCP & UDP Tunneling: Yes
Authentication - Active Directory, LDAP, RADIUS, Cyberoam: Yes
Multi-layered Client Authentication - Certificate, Username/Password: Yes
Network access - Split and Full tunneling: Yes
Browser-based (Portal) Access - Clientless access: Yes
Lightweight SSL VPN Tunneling Client: Yes
Granular access control to all the Enterprise Network resources: Yes
Administrative controls - Session timeout, Dead Peer Detection, Portal customization: Yes
User & Group policy enforcement: Yes

Bandwidth Management
Application and User Identity based Bandwidth Management: Yes
Guaranteed & Burstable bandwidth policy: Yes
Application & User Identity based Traffic Discovery
Multi-WAN bandwidth reporting

User Identity and Group Based Controls
Access time restriction: Yes
Time and Data Quota restriction: Yes
Schedule-based Committed and Burstable Bandwidth: Yes
Schedule-based P2P and IM Controls: Yes

Networking
Multiple Link Auto Failover: Yes
WRR-based Load balancing: Yes
Policy routing based on Application and User: Yes
DDNS/PPPoE Client: Yes
Support for HTTP Proxy: Yes
Dynamic Routing: RIP v1 & v2, OSPF, BGP, Multicast Forwarding: Yes
Parent Proxy support with FQDN: Yes

High Availability
Active-Active: Yes
Active-Passive with state synchronization: Yes
Stateful Failover: Yes
Alert on Appliance Status change: Yes

Administration & System Management
Web-based configuration wizard: Yes
Role-based administration: Yes
Multiple administrators and user levels: Yes
Upgrades & changes via Web UI: Yes
Multi-lingual support: Chinese, Hindi: Yes
Web UI (HTTPS): Yes
Command line interface (Serial, SSH, Telnet): Yes
SNMP (v1, v2c, v3): Yes
Cyberoam Central Console: Yes
Version Rollback: Yes
NTP Server Support: Yes

User Authentication
Local database: Yes
Windows Domain Control & Active Directory Integration: Yes
Automatic Windows Single Sign On: Yes
External LDAP/RADIUS database Integration: Yes
User/MAC Binding: Yes

Logging/Monitoring
Internal HDD: Yes
Graphical real-time and historical monitoring: Yes
Email notification of reports, viruses and attacks: Yes
Syslog support: Yes

On-Appliance Reporting
Intrusion events reports: Yes
Policy violations reports: Yes
Web Category reports (user, content type): Yes
Search Engine Keywords reporting: Yes
Data transfer reporting (By Host, Group & IP Address): Yes
Virus reporting by User and IP Address: Yes
Compliance Reports: 45+

VPN Client
IPSec compliant: Yes
Inter-operability with major IPSec VPN Gateways: Yes
Supported platforms: Windows 98, Me, NT4, 2000, XP, Vista: Yes
Import Connection configuration: Yes

Certification
ICSA Firewall - Corporate: Yes
VPNC - Basic and AES interoperability: Yes
Checkmark UTM Level 5 Certification: Yes

Compliance
CE: Yes
FCC: Yes

Dimensions
H x W x D (inches): 16.8 x 10.3 x 1.7
H x W x D (cm): 42.8 x 25.5 x 4.4
Weight: 5.3 kg (11.68 lbs)

Power
Input Voltage: 115-230 VAC
Consumption: 90 W
Total Heat Dissipation (BTU): 200

Environmental
Operating Temperature: 0 to 40 °C
Storage Temperature: -20 to 80 °C
Relative Humidity (non-condensing): 0 to 90%
Cooling System - Fans: 2