Penetration Testing
auditing web/mail proxies Dec 05 2011 09:21AM
cribbar (crib bar hotmail co uk) (3 replies)
Re: auditing web/mail proxies Dec 13 2011 05:06PM
White Hat (whitehat237 gmail com)
Re: auditing web/mail proxies Dec 11 2011 12:54AM
Brian Quick (brian e quick1 gmail com) (1 replies)
Re: auditing web/mail proxies Dec 12 2011 07:38AM
A. Ramos (aramosf gmail com)
Re: auditing web/mail proxies Dec 06 2011 07:36AM
Anders Thulin (anders thulin sentor se) (2 replies)
On 2011-12-05 10:21, cribbar wrote:

> Has anyone ever audited a proxy during a pen test/IT audit or as an audit on
> itself? If so do you have a scope of what kind of checks you reviewed, or a
> checklist?

An audit is intended to answer the question: does the examined system work
according to the rules and regulations it should follow? The next question is,
obviously, are there any such rules?

That should be answered by the organization owning or otherwise managing
the proxy: what rules should be followed? These will typically relate to the
management of the proxy: how is access controlled, how are changes implemented,
how are logs and backups handled, and so on. (Tests of proper function -- quality
testing -- are usually not regarded as part of an audit. That's more akin to
penetration testing.) The rules need not be expressed for the proxy specifically,
they could be part of an IS or IT policy, applying to all IS or IT systems in
the organization. And in some special cases, they might even take the form of
local or national law.

For an audit, your job includes defining the system you are auditing (the word
'system' is used in a fairly general sense here -- it needn't be just a network 'box',
but an entire proxy support and management -- don't forget helpdesk!), identifying
the rules that are relevant to that system, and then verifying that they are indeed being

If there are no relevant rules, an audit cannot be done. If the system cannot
be strictly defined (in the sense of whether some entity is part of the system or not),
there will be difficulties later. Additionally, if there are rules, but they cannot be
audited (quite often because they are imprecise), the only thing is to identify the
problem, and suggest a remedy for the next audit.

There *are* usually best practice suggestions, which, in the absence of other
requirements, could (barely) be used. But again, the system definition decides:
are you looking at a proxy box only, or a component in a network, at a system
that must be managed over its lifetime, alone or in relation to other information systems
of which it is considered a part?

'Muscular audits' ... deciding on your own what the rules are (or should be) is a
possible way, technically, but it's so far from the accepted definition of an audit that
I don't consider it practical.

Anders Thulin anders.thulin (at) sentor (dot) se 070-757 36 10 / Intl. +46 70 757 36 10


Re: auditing web/mail proxies Dec 06 2011 07:42PM
Justin Rogosky (jrogosky gmail com)
Re: auditing web/mail proxies Dec 06 2011 09:54AM
Dion Stempfley (dtsonline verizon net)