tiersten wrote: » Weaknesses would be users circumventing it by bouncing off another proxy out on the internet. SSL encrypted connections etc...
whatthehell wrote: » Thanks for responses. No, no homework assignment and not trying to be shady. Just at my current job, heard rumors that they have implemented some granular network monitoring and/or filtering, and trying to figure out what they might have in place. I figure they most likely will do their research and go with the industry standard, which sounds like Websense I guess? Either way, thanks for the posts!
HeroPsycho wrote: » Microsoft's ISA Server with ClearTunnel could thwart that actually. Collective Software | ClearTunnel
tiersten wrote: » Neat. I always wondered if anybody would make something that'd re-encrypt. I wouldn't use SSL anywhere that used that software though.
HeroPsycho wrote: » But in all honesty, that is the problem now. People are using SSL encrypted tunnels to bypass filtering that is essential to business security. If you have an AV web filter, how is the web filter supposed to filter the malware out of an SSL encrypted connection unless the SSL traffic is decrypted? I understand the privacy concerns, but businesses are going to have to increasingly do this for their own protection.
tiersten wrote: » I've seen people try to use SSH to tunnel out via the SSL port number. They'd have a server somewhere that would be listening on port 443.
Forsaken_GA wrote: » Sadly, I've yet to meet a network admin that can prevent me from bypassing their security measures short of locking down all access to the outside world except port 80, and making absolutely sure that all packets going through port 80 are indeed HTTP.
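The last two posts describe the same gap from both sides: a port-only filter lets an SSH server listening on 443 pass as "SSL", and the only real fix is checking that what crosses a port is the protocol the port implies. The following is an added example of that check, not code from any poster in this thread. It classifies the first client-to-server bytes of a TCP stream as TLS, SSH, or HTTP and reports flows whose observed protocol does not match the destination port; the flow tuples, addresses and byte strings are constructed for illustration.

```python
# Added example (not from the thread): protocol-mismatch check for
# egress traffic. Given the first bytes a client sends on a connection,
# decide whether the payload looks like TLS, SSH, or plain HTTP, and
# flag flows whose destination port does not match the protocol
# actually spoken (e.g. an SSH banner on TCP/443).

HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ",
                b"OPTIONS ", b"CONNECT ", b"TRACE ", b"PATCH ")

# Protocol a port-only filter assumes for each well-known port.
EXPECTED = {80: "http", 443: "tls", 22: "ssh"}


def classify_payload(first_bytes: bytes) -> str:
    """Classify the first client-to-server bytes of a TCP stream."""
    # TLS record: content type 0x16 (handshake), version major 0x03,
    # 2-byte record length, then handshake type 0x01 (ClientHello).
    if (len(first_bytes) >= 6 and first_bytes[0] == 0x16
            and first_bytes[1] == 0x03 and first_bytes[5] == 0x01):
        return "tls"
    # SSH identification string (RFC 4253): "SSH-protoversion-software".
    if first_bytes.startswith(b"SSH-"):
        return "ssh"
    # Plain HTTP request line starts with a method and a space.
    if first_bytes.startswith(HTTP_METHODS):
        return "http"
    return "unknown"


def find_mismatches(flows):
    """Return (src, dst_port, observed) for flows whose observed protocol
    differs from what the destination port implies. Unknown payloads on a
    well-known port are reported too: a tunnel with a non-standard
    handshake is exactly what a port-only filter misses."""
    findings = []
    for src, dst_port, first_bytes in flows:
        observed = classify_payload(first_bytes)
        expected = EXPECTED.get(dst_port)
        if expected is not None and observed != expected:
            findings.append((src, dst_port, observed))
    return findings


# Constructed sample flows: (client address, destination port, first bytes).
SAMPLE_FLOWS = [
    # Genuine TLS ClientHello record header on 443.
    ("10.0.0.5", 443, bytes.fromhex("160301004001000030") + b"\x03\x03" + bytes(32)),
    # Ordinary HTTP request on 80.
    ("10.0.0.7", 80, b"GET / HTTP/1.1\r\nHost: intranet.example\r\n\r\n"),
    # SSH server banner arriving on 443: the case tiersten describes.
    ("10.0.0.9", 443, b"SSH-2.0-OpenSSH_7.4\r\n"),
    # Binary payload on 80 that is not an HTTP request at all.
    ("10.0.0.11", 80, b"\x00\x00\x00\x0c\x06\x00\x00\x00"),
]

if __name__ == "__main__":
    for src, port, proto in find_mismatches(SAMPLE_FLOWS):
        print(f"{src} -> tcp/{port}: expected {EXPECTED[port]}, saw {proto}")
```

In practice this logic sits in a proxy or an IDS rule on the egress path, where the first segment of each flow is already visible; the check is cheap because only a handful of bytes are inspected, and it catches the port-443 SSH listener without needing to decrypt anything.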
tiersten wrote: » We lock down everything on the workstations as well so actually installing any software to bypass the network protection is going to be harder. We don't allow non company equipment to connect to the network either.
Forsaken_GA wrote: » I can usually get around that as well. Almost every job I've worked for where I've been forced to run a Windows workstation doesn't bother to lock down their CMOS. So I can boot off a CD.
Forsaken_GA wrote: » I've also seen folks get around the non-company equipment policies by simply using a commercial grade Linksys router to spoof their desktop's MAC address, and then they plug their laptop and desktop into that.
Forsaken_GA wrote: » Fortunately, I currently work in an environment where management understands we're a bunch of smart folks and that these kinds of safeguards would be counter-productive, in addition to futile (the futile part is mainly in that we have to use SSH to get our jobs done, so it can't be limited in any way, which pretty much means any security measures are out the window from the word go).
Forsaken_GA wrote: » They let us run whatever OS we want on our boxes, and don't really care if we hook our own gear up.
tiersten wrote: » I work in a bank and there is a very small list of allowable applications that the users are allowed to run and access. Most users don't even have access to the general internet but only a limited subset of essential work sites.
As we process/store financial data and there is an online banking facility, we have very specific security guidelines we have to follow and get regular audits.
tiersten wrote: » We've got 802.1x and Cisco NAC running. If we caught anybody tampering with the network or computers they'd be dismissed on the spot and promptly escorted out of the building.
gojericho0 wrote: » Tiersten, it's been a little while, but at my old organization we used the NAC appliance as opposed to the framework, which I assume you are running with .1x. With the appliance, automatic remediation (which was one of the big selling points) and reporting was pretty terrible. The other problem I had with it is the only way to stop the appliance from shutting down the switchport for a device like a printer that couldn't conform with your policy was to exempt it by MAC address, which of course could easily be spoofed.
gojericho0 wrote: » Do you use CSA as well? That, I feel, is my favorite security application Cisco has ever bought/produced, due to the granularity to secure just about everything from network to application and the fact it is all behavioral based and doesn't run on signatures.
HeroPsycho wrote: » I tried deploying CSA 3 times with a slew of Cisco and Northrop Grumman engineers hell bent on selling it to my employer at the time. Either memory leaked or denied what should have been allowed every time. Hopefully it has improved since then (that was 4 years ago).