Reply: Re: web browsing in production environment - a journey through comfort and security



fortunately it is someone else's corporate network (whoever and wherever)
and besides there's nothing special in here.....



From: Robin Wood <dninja@xxxxxxxxx>
To: info@xxxxxxxxx
Cc: security-basics@xxxxxxxxxxxxxxxxx
Date: 06.07.2009 21:50
Subject: Re: web browsing in production environment - a journey through comfort and security



2009/7/6 <info@xxxxxxxxx>:



today we have an environment which is arranged as follows:

- a windows 2003 domain
- a citrix terminal server farm ( 6 servers, 120 employees )
- an astaro firewall appliance ( with web security - it uses its own proxy service (astaro engineered) and anti virus modules - clam & avira )
- a squid proxy server (3.x) (it does authentication against domino ldap) with trend micro web security suite and squidguard for some url filtering (mainly pron) - the blacklists are updated once a day

* web browsing is only possible via the citrix sessions of the users ( no local access from desktop or from somewhere else). unfortunately we need to use internet explorer (7) because most of the sites which users reach work only with IE :-(
( i already tried to migrate firefox without success )

* we limit the active content of websites via microsoft group policies. only websites which are registered as trusted sites in group policies can show their active content ( java, active x, javascript etc)

* we have a chain of proxy servers. (see list of environment).

so if a user starts its internet explorer in its citrix session, the IE passes its way through the proxy servers:

1. checks if the website is a trusted site in group policy or not and starts active content or not

2. squid proxy server (located in demilitarised zone) -> authentication against LDAP (and logs all requests with username, ip, etc.)

3. Checks SquidGuard if website is on blacklist

4. passes traffic to trend micro web security suite ( anti virus engine for http(s) and ftp )

5. passes the traffic to the astaro (which is the parent proxy) which uses its own scanners (clam and avira)


I don't know an answer to your question but I would suggest that
putting out this much information about your corporate network is not
a good idea.

Robin

HITCON AG
Maik Linnemann
Gartenstraße 208
48143 Münster
+49 (251) 2801-205 (Phone)
+49 (251) 2801-280 (Fax)
+49 (170) 6364-205 (Mobile)
mailto:info@xxxxxxxxx
http://www.hitcon.de

Members of the Executive Board: Helmut Holtstiege, Tobias Helling
Chairman of the Supervisory Board: Hans-Hermann Schumacher

Registered office: Münster
Court of registration: Amtsgericht Münster, HRB 5177

member of http://www.grouplink.de
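
Steps 2 to 5 of the proxy chain described in the quoted original post, sketched as a Squid 3.x configuration. This is an added example, not configuration from the poster's network; every host name, address, path and the base DN below is a placeholder.

```conf
# squid.conf sketch (added example; all names, paths and addresses are assumed)

# Step 2: Basic authentication against an LDAP directory.
# Helper location, base DN and LDAP host are placeholders.
auth_param basic program /usr/lib/squid3/squid_ldap_auth -b "o=example" -f "(uid=%s)" -h ldap.example.internal
auth_param basic children 10
auth_param basic realm Web proxy
auth_param basic credentialsttl 1 hour

# Only the terminal server farm may reach the proxy, and only when authenticated.
acl citrix_farm src 192.0.2.0/27          # constructed address range
acl authenticated proxy_auth REQUIRED
http_access allow citrix_farm authenticated
http_access deny all

# Step 2 (logging): time, client IP, user name, method, URL, status, reply size.
logformat audit %tl %>a %un %rm %ru %Hs %<st
access_log /var/log/squid3/access.log audit

# Step 3: every request URL is checked by SquidGuard before it is fetched.
url_rewrite_program /usr/bin/squidGuard -c /etc/squid/squidGuard.conf
url_rewrite_children 10

# Step 4: hand all traffic to the anti virus gateway as parent proxy.
# Step 5 (forwarding on to the firewall's own proxy) is configured on that
# gateway as its upstream proxy, not in Squid.
cache_peer avgateway.example.internal parent 8080 0 no-query default

# Never fetch directly from the origin: if the parent is down, requests fail
# instead of silently bypassing the scanners further up the chain.
never_direct allow all
```

The `never_direct allow all` line is what makes the later scanning stages mandatory rather than best-effort.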