Penetration Testing
auditing web/mail proxies Dec 05 2011 09:21AM
cribbar (crib bar hotmail co uk) (3 replies)
Re: auditing web/mail proxies Dec 13 2011 05:06PM
White Hat (whitehat237 gmail com)
Is the main threat internal, or external?

If it's internal, a few questions I would ask are:

Do they allow egress ICMP?
Do they allow egress SSH?
Do they allow egress DNS?

If they do allow these protocols out then an insider can probably
bypass the proxy with tools like icmptx, nstx, ssh tunneling, etc.

Do they control what browser clients use?
Does the proxy transparently redirect outbound http requests, or does
it rely on browser configuration?
Do they block sites like portable apps to prevent an insider from
using firefox portable which can be run without admin rights?

Is HTTPS allowed out un-proxied? This opens up use of external https
proxies which can be used to access content that should be blocked
according to proxy policy.

Does the proxy intercept and re-issue certs?
I would argue that the added security provided by this is negated by
breaking the chain of trust with verified sites and the real CA.

In my experience, end users simply don't verify every cert, from every
site every time, they just simply click accept.

Hope this helps.

On Mon, Dec 5, 2011 at 4:21 AM, cribbar <crib.bar (at) hotmail.co (dot) uk [email concealed]> wrote:
>
> Hey all,
>
> Has anyone ever audited a proxy during a pen test/IT audit or as an audit on
> itself? If so, do you have a scope of what kind of checks you reviewed, or a
> checklist? The proxy software in question is Websense, which addresses both
> email filtering and web filtering. Any tools that can automate the
> process would be most welcome. Look forward to your responses; I couldn't find too
> many resources on proxy auditing.
>
> Kind Regards
> Cb
> --
> View this message in context: http://old.nabble.com/auditing-web-mail-proxies-tp32916010p32916010.html
> Sent from the Penetration Testing mailing list archive at Nabble.com.
>
>
> ------------------------------------------------------------------------
> This list is sponsored by: Information Assurance Certification Review Board
>
> Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT and CEPT certs require a full practical examination in order to become certified.
>
> http://www.iacertification.org
> ------------------------------------------------------------------------
>
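As an added example (not code from this thread or from any tool mentioned in it), the egress questions White Hat raises above can be turned into a small repeatable check that an auditor or the proxy's own administrators can run from an internal workstation: does a direct TCP connection to an outside SSH or HTTPS port complete, and does a hand-built DNS query sent straight to an outside resolver get an answer? A "yes" on any of these means the proxy policy can be side-stepped for that protocol and the finding should go into the report. The probe addresses below are constructed placeholders from the 203.0.113.0/24 documentation range and must be replaced with hosts that really sit outside the proxy's control; the ICMP check is left out because it needs raw-socket privileges.

```python
#!/usr/bin/env python3
"""Egress policy probe for a proxy audit.

Checks whether an internal host can reach the outside directly, bypassing
the web proxy, over protocols that are easy to tunnel through. Added
example; not a tool from the mailing-list thread.
"""
import random
import socket
import struct

# Constructed probe list: (label, host, port). 203.0.113.0/24 is a
# documentation range, so these will simply fail unless replaced with
# real hosts outside the proxy's control.
DEFAULT_TCP_PROBES = [
    ("ssh-direct", "203.0.113.10", 22),
    ("https-direct", "203.0.113.10", 443),
]
DEFAULT_RESOLVER = "203.0.113.53"  # placeholder external resolver


def probe_tcp(host: str, port: int, timeout: float = 3.0) -> bool:
    """Return True if a direct TCP connection to host:port completes.

    A True result against an outside host on 22 or 443 means the proxy
    can be bypassed for that protocol (SSH tunnel, external HTTPS proxy).
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def build_dns_query(name: str, qtype: int = 1) -> bytes:
    """Build a minimal RFC 1035 query datagram (default QTYPE A, class IN)."""
    txid = random.randint(0, 0xFFFF)
    # flags 0x0100: recursion desired; 1 question, no answer/authority/additional
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.strip(".").split(".")
    ) + b"\x00"
    question = qname + struct.pack("!HH", qtype, 1)
    return header + question


def probe_dns(resolver: str, port: int = 53, name: str = "example.com",
              timeout: float = 3.0) -> bool:
    """Send a DNS query directly to `resolver`; True if a matching reply arrives.

    A True result against an external resolver means UDP/53 egress is open
    and the proxy can be bypassed with DNS tunnelling tools.
    """
    query = build_dns_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.sendto(query, (resolver, port))
            data, _ = sock.recvfrom(512)
        except OSError:  # timeout or ICMP port-unreachable
            return False
    # Accept only a reply that echoes our transaction id.
    return len(data) >= 12 and data[:2] == query[:2]


def audit_egress(tcp_probes=DEFAULT_TCP_PROBES,
                 resolver=DEFAULT_RESOLVER) -> dict:
    """Run every probe and return {check_label: bypass_possible}."""
    findings = {label: probe_tcp(host, port) for label, host, port in tcp_probes}
    findings["dns-direct"] = probe_dns(resolver)
    return findings


if __name__ == "__main__":
    for check, bypass in audit_egress().items():
        print(f"{check:14s} {'BYPASS POSSIBLE' if bypass else 'blocked'}")
```

Run it from a workstation that is subject to the proxy policy, not from the proxy or firewall itself; every line reporting BYPASS POSSIBLE corresponds to one of the "do they allow egress ...?" questions being answered "yes".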


Re: auditing web/mail proxies Dec 11 2011 12:54AM
Brian Quick (brian e quick1 gmail com) (1 replies)
Re: auditing web/mail proxies Dec 12 2011 07:38AM
A. Ramos (aramosf gmail com)
Re: auditing web/mail proxies Dec 06 2011 07:36AM
Anders Thulin (anders thulin sentor se) (2 replies)
Re: auditing web/mail proxies Dec 06 2011 07:42PM
Justin Rogosky (jrogosky gmail com)
Re: auditing web/mail proxies Dec 06 2011 09:54AM
Dion Stempfley (dtsonline verizon net)
Copyright 2010, SecurityFocus