RE: Wireless hotspot login pages




I know there is a lot of caveats, however, I think Mozilla Browser will
be configurable and you may be able to get around the GPO settings, by
having users use this for when you want to use WIFI. Not 100% on this,
so I apologise in advance if I was wrong.

However, this does pose the possibility that users will be now able to
bypass what restrictions you have put in place once they know they can
untick the proxy settings there.
I think a more secure solution for this would be a HIPS client or
Client/Host firewall that restricts access to only your CAG.

Regards,
Kavesh

-----Original Message-----
From: listbounce@xxxxxxxxxxxxxxxxx [mailto:listbounce@xxxxxxxxxxxxxxxxx]
On Behalf Of Paul Johnston
Sent: Friday, 28 May 2010 5:42 PM
To: security-basics@xxxxxxxxxxxxxxxxx
Subject: Wireless hotspot login pages

Hi,

I have a client who restricts their mobile workers' browsers so they can
only access a single site - the client's citrix access gateway. They
don't want users directly browsing the Internet out of the office -
because of both malware and AUP concerns. They enforce this by setting
the proxy to the corporate proxy (only accessible in the office), having
a proxy exclusion for the CAG, and preventing users editing the
settings.

This all works fine for use on home broadband (wired/wireless) and 3G.

However, it falls down for Wireless Hotspots. Many of these have a
browser-based login page. The proxy configuration prevents access to the
login page, stopping the hot spot being used at all.

This must be a problem a lot of people have hit. How do you allow access
to Hot spot login pages, but not web pages in general?

Any suggestions much appreciated,

Paul

--
Pentest - When a tick in the box is not enough

Paul Johnston - IT Security Consultant / Tiger SST
Pentest Limited - ISO 9001 (cert 16055) / ISO 27001 (cert 558982)

Office: +44 (0) 161 233 0100
Mobile: +44 (0) 7817 219 072

Email policy: http://www.pentest.co.uk/legal.shtml#emailpolicy
Registered Number: 4217114 England & Wales
Registered Office: 26a The Downs, Altrincham, Cheshire, WA14 2PU, UK

------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an
SSL certificate. We look at how SSL works, how it benefits your company
and how your customers can tell if a site is secure. You will find out
how to test, purchase, install and use a thawte Digital Certificate on
your Apache web server. Throughout, best practices for set-up are
highlighted to help you ensure efficient ongoing management of your
encryption keys and digital certificates.

http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442
f727d1
------------------------------------------------------------------------



This message is intended for the addressee named and may contain confidential information.
If you are not the intended recipient, please delete it and notify the sender.
Views expressed in this message are those of the individual sender, and are not necessarily
the views of NSW Health or any of its entities.

------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL certificate. We look at how SSL works, how it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates.

http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
------------------------------------------------------------------------



Relevant Pages

  • Re: 401 - Error from WebServer
    ... Yes I do use a proxy server...and 'Automatically detect settings' is already ... The following are checked in the LAN settings in IE (browser) ... > try uncheck 'Automatically detect settings' in you IE. ...
    (microsoft.public.inetserver.iis.security)
  • Re: silently authenticate to websense?
    ... > proxy (I don't have to set up any proxy server in my browser ... your browser settings means nothing. ... Knowing the rules to the game and knowing how to play it ...
    (comp.security.firewalls)
  • Re: Excluding Internal IPs from being proxied
    ... Then the browser is improperly interpeting the IP# to be a FQDN. ... FQDNs are sent to the proxy fist until they are resolved with DNS,...only ... > I have the same problem, but feel it MUST be down to the client IE settings,> not the SIA settings. ...
    (microsoft.public.isa)
  • RE: Publish to External FrontPage Server
    ... meaning Auto config, use proxy I am able to connect to the remote website. ... How can I make this work without having to disable the IE settings everytime ... Publish to External FrontPage Server ...
    (microsoft.public.isa)
  • Re: HTTP Error 403.6 - Forbidden: IP Address Rejected
    ... it was the proxy settings on the ... > You can also try to change the security settings for the Remote Web ... Open the IIS console ...
    (microsoft.public.windows.server.sbs)