fortunately it is someone elses corporate network (whoever and wherever)
and besides theres nothing special in here.....
Von:
Robin Wood <dninja (at) gmail (dot) com [email concealed]>
An:
info (at) hitcon (dot) de [email concealed]
Kopie:
security-basics (at) securityfocus (dot) com [email concealed]
Datum:
06.07.2009 21:50
Betreff:
Re: web browsing in production environment - a journey through comfort
and security
2009/7/6 <info (at) hitcon (dot) de [email concealed]>:
>
>
>
> today we have a environment which is arranged as follows:
>
> - a windows 2003 domain
> - a citrix terminal server farm ( 6 servers, 120 employees )
> - a astaro firewall appliance ( with web security - it uses its own
proxy
> service (astaro engineered) and anti virus modules - clam & avira )
> - a squid proxy server (3.x) (it does authentication against domino
ldap)
> with trend micro web security suite and squidguard for some url
filtering
> (mainly pron) - the blacklists are updated once a day
>
> * web browsing is only possible via the citrix sessions of the users (
no
> local access from desktop or from somewhere else). unfortunately we need
to
> use internet explorer (7) because most of the sites, which users reach
work
> only with IE :-(
> ( i already tried to migrate firefox without success )
>
> * we limit the active content of websites via microsoft group policies.
> only websites which are registered as trusted sites in group policies
can
> show its active content ( java, active x, javascript etc)
>
> * we have a chain of proxy servers. (see list of environment).
>
> so if a user start its internet explorer in it's citrix session, the IE
> passes its way through the proxy servers:
>
> 1. checks if the website is a trusted site in group policy or not and
> starts active content or not
>
> 2. squid proxy server (located in demilitarised zone) -> authentication
> against LDAP (and logs all requests with username, ip, etc.)
>
> 3. Checks SquidGuard if website is on blacklist
>
> 4. passes traffic to trend micro web security suite ( anti virus engine
for
> http(s) and ftp )
>
> 5. passes the traffic to the astaro (which is the parent proxy) which
uses
> its own scanners (clam and avira)
>
I don't know an answer to your question but I would suggest that
putting out this much information about your corporate network is not
a good idea.
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL
certificate. We look at how SSL works, how it benefits your company and
how your customers can tell if a site is secure. You will find out how to
test, purchase, install and use a thawte Digital Certificate on your
Apache web server. Throughout, best practices for set-up are highlighted
to help you ensure efficient ongoing management of your encryption keys
and digital certificates.
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL certificate. We look at how SSL works, how it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates.
and besides theres nothing special in here.....
Von:
Robin Wood <dninja (at) gmail (dot) com [email concealed]>
An:
info (at) hitcon (dot) de [email concealed]
Kopie:
security-basics (at) securityfocus (dot) com [email concealed]
Datum:
06.07.2009 21:50
Betreff:
Re: web browsing in production environment - a journey through comfort
and security
2009/7/6 <info (at) hitcon (dot) de [email concealed]>:
>
>
>
> today we have a environment which is arranged as follows:
>
> - a windows 2003 domain
> - a citrix terminal server farm ( 6 servers, 120 employees )
> - a astaro firewall appliance ( with web security - it uses its own
proxy
> service (astaro engineered) and anti virus modules - clam & avira )
> - a squid proxy server (3.x) (it does authentication against domino
ldap)
> with trend micro web security suite and squidguard for some url
filtering
> (mainly pron) - the blacklists are updated once a day
>
> * web browsing is only possible via the citrix sessions of the users (
no
> local access from desktop or from somewhere else). unfortunately we need
to
> use internet explorer (7) because most of the sites, which users reach
work
> only with IE :-(
> ( i already tried to migrate firefox without success )
>
> * we limit the active content of websites via microsoft group policies.
> only websites which are registered as trusted sites in group policies
can
> show its active content ( java, active x, javascript etc)
>
> * we have a chain of proxy servers. (see list of environment).
>
> so if a user start its internet explorer in it's citrix session, the IE
> passes its way through the proxy servers:
>
> 1. checks if the website is a trusted site in group policy or not and
> starts active content or not
>
> 2. squid proxy server (located in demilitarised zone) -> authentication
> against LDAP (and logs all requests with username, ip, etc.)
>
> 3. Checks SquidGuard if website is on blacklist
>
> 4. passes traffic to trend micro web security suite ( anti virus engine
for
> http(s) and ftp )
>
> 5. passes the traffic to the astaro (which is the parent proxy) which
uses
> its own scanners (clam and avira)
>
I don't know an answer to your question but I would suggest that
putting out this much information about your corporate network is not
a good idea.
Robin
------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL
certificate. We look at how SSL works, how it benefits your company and
how your customers can tell if a site is secure. You will find out how to
test, purchase, install and use a thawte Digital Certificate on your
Apache web server. Throughout, best practices for set-up are highlighted
to help you ensure efficient ongoing management of your encryption keys
and digital certificates.
http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442
f727d1
------------------------------------------------------------------------
HITCON AG
Maik Linnemann
GartenstraÃ?e 208
48143 Münster
+49 (251) 2801-205 (Phone)
+49 (251) 2801-280 (Fax)
+49 (170) 6364-205 (Mobil)
mailto:info (at) hitcon (dot) de [email concealed]
http://www.hitcon.de
Mitglieder des Vorstandes: Helmut Holtstiege, Tobias Helling
Vorsitzender des Aufsichtsrats: Hans-Hermann Schumacher
Sitz der Gesellschaft: Münster
Registergericht: Amtsgericht Münster, HRB 5177
member of http://www.grouplink.de
·
------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL certificate. We look at how SSL works, how it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates.
http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442
f727d1
------------------------------------------------------------------------
[ reply ]