Dr. Tom Shinder’s Blog

All Blogs  »  Dr. Tom Shinder's Blog  »  Archive: February 2008

More Free Security Tools — the Malicious Software Removal Tools

I’ve been hot on free security tools lately, as I’ve had the chance to work with a lot of small and midsized businesses. Non-enterprise businesses don’t have the big budget for the expensive security tools that the big boys have. They’re more cost sensitive but are still aware that security is a key factor in making IT part of the profit center and not a loss center. Any free or low-cost security tool goes a long way toward securing these firms.

One such tool is the Microsoft Malicious Software Removal Tool or MSRT. The MSRT scans your computer for existing malware and removes that malware. The MSRT looks for the most common malware seen out in the wild, so it’s not a comprehensive anti-malware solution. However, it is still very useful to run on machines on a regular basis. There are two ways to run the MSRT — manually by downloading the tool, or automatically as it’s delivered to your computer through Windows Update each month. If you run it through Windows Update, you have to give it permission to run the first time, but it will run automatically on subsequent downloads.

When you download the tool and run it manually, the first page shows a link to the list of malware the tool detects, as seen in the figure below.

You then can choose a scan type:

I’ll choose a quick scan here, since I don’t want to wait for hours for the full scan to complete. However, if you have a new system that hasn’t been running any anti-malware software, you might want to consider a full scan.

The quick scan checks the most common places where malware hides, based on the malware that the MSRT is configured to find.

When the MSRT finishes, you will hopefully see a clean result like the one shown below. If it does find malware, it will let you know about it and remove it for you.

Learn more about the MSRT and download it at: http://www.microsoft.com/security/malwareremove/de...t.mspx

HTH,

Tom

Thomas W Shinder, M.D.
Site: http://www.isaserver.org/
Blog: http://blogs.isaserver.org/shinder/
GET THE NEW BOOK! Go to http://tinyurl.com/2gpoo8
Email: tshinder@isaserver.org
MVP — Microsoft Firewalls (ISA)

Use System Center Essentials to Help Monitor and Secure Your Midsized Business Network

You might have heard of Microsoft System Center Operations Manager (SCOM). It’s the latest version of what used to be called Microsoft Operations Manager (MOM). MOM was an enterprise-ready network monitoring system with an enterprise-grade price. That’s great for enterprises, but what about the mid-sized business that wants to get a leg up on monitoring and securing its network?

Let me introduce you to Microsoft System Center Essentials. System Center Essentials has a subset of the capabilities you get with SCOM, but it’s an important subset. Using System Center Essentials, you can get a unified view of your network infrastructure, and its integration with the free Windows Server Update Services (WSUS) helps ensure that all the computers on your network are updated with the latest security updates.

With System Center Essentials you get:

  • A single console to manage your servers, clients, hardware and software configuration. From this console, you also have access to comprehensive reports regarding the security configuration of the systems on your network. There are over 30 reports that you can run to get a closer look at the current security and configuration status of your network. Reports include information on hardware and software inventory, issues in capacity planning, and update status.
  • System Center Essentials will alert you when important events take place on your network. You don’t have to go out and look for the information on each computer. Instead, that information comes to you. System Center Essentials will email you with an alert if something out of spec is taking place, so you can act on the issue before it becomes a bigger problem. The agents installed on the network devices will give you information on performance and also provide you insight into any issues with your network topology, including devices such as routers and wireless access points.
  • Network management is traditionally difficult to set up and maintain. Not so with System Center Essentials. The setup wizard walks you through the process of configuring the system and deploying the agents on your networked computers. After that, you can choose to use the out-of-the-box settings, or drill down and configure the alerts that you’re especially interested in. You also configure how you want Windows Update to work and define schedules that work best for your business. After setup is complete, you can sit back and wait for things to happen. You can also run reports to see which machines are updated or have security issues, right out of the box.

I’ve been using System Center Essentials for quite a while now with my small and medium-sized networks and I can tell you that it works a treat! It’s almost a “set it and forget it” operation. I know when problems are happening or about to happen, and I can take action before a small issue turns into a disaster recovery problem.

For more information on System Center Essentials, check out: http://www.microsoft.com/systemcenter/essentials/d...t.mspx

HTH,

Tom


Microsoft Baseline Security Analyzer 2.1 Beta 2 Support for Vista

I get a lot of questions about how to cost-effectively analyze the current security state of a network. There are many realms to consider when it comes to assessing security, but one of the most important is host security, and one of the most important tasks for maintaining host security is making sure you have the latest security updates installed on all of your computers. A tool that can help you make this assessment is the Microsoft Baseline Security Analyzer (MBSA). The MBSA can also perform a basic security assessment of the configuration of your computers.

The Microsoft Baseline Security Analyzer 2.x is an easy-to-use tool that helps small and medium businesses determine their security state in accordance with Microsoft security recommendations and offers specific remediation guidance. Improve your security management process by using MBSA to detect common security misconfigurations and missing security updates on your computer systems.

Built on the Windows Update Agent and Microsoft Update infrastructure, MBSA ensures consistency with other Microsoft management products including Microsoft Update (MU), Windows Server Update Services (WSUS), Systems Management Server (SMS) and Microsoft Operations Manager (MOM). Used by many leading third-party security vendors including Tivoli, Patchlink and Citadel, MBSA on average scans over 3 million computers each week. Join the thousands of users that depend on MBSA for analyzing their security state.

Download the MBSA at: http://www.microsoft.com/downloads/details.aspx?Fa...ang=en

For more information about MBSA, check out: http://www.microsoft.com/technet/security/tools/mb...e.mspx

I’ve included a short history of the MBSA v2 so that you know how it’s been updated since version 1.x:

MBSA 2.0 needed for Update Services compatibility: Users of Windows Server Update Services should update their MBSA to version 2.0 for compatibility.

New features found in MBSA 2.0:

  • Severity ratings
  • Locally and remotely scan for Office XP or later security updates
  • Added guidance for locating updates and necessary actions
  • CVE-IDs for supported updates
  • Improved help content
  • Windows Server Update Services compatibility
  • Automatic Microsoft Update registration and agent update
  • Support for detection of updates on 64-bit Windows and Windows XP Embedded

What is MBSA 2.0.1?

MBSA 2.0.1 is an update to MBSA 2.0 to enable compatibility with the new Windows Update (WU) offline scan file. (For information on the new scan file, see http://support.microsoft.com/kb/926464.) This fix enables MBSA to download and read the new file format.

In order to run offline scans, MBSA 2.0 must have the scan file on the scanning machine. MBSA 2.0 automatically downloads this file if the scanning machine has Internet access. If not, the file must be downloaded and installed manually. MBSA 2.0.1 behaves in the same manner, except that it uses the new scan file.

MBSA 2.1 Beta 2 supports the following scenarios:

  • Installing on Windows 2000 SP4 through Windows Vista
  • Security update scans:
      • Local online scans on Windows 2000 SP4 through Windows Vista
      • Local offline scans on Windows 2000 SP4 through Windows Vista
      • Remote offline scans against Windows 2000 SP4 through Windows Vista
      • Remote online scans against Windows 2000 SP4 through Windows Server 2003
  • Local and remote VA scans against Windows 2000 SP4 through Windows Vista (32-bit and 64-bit)

HTH,

Tom


Where to Start? Try the Microsoft Security Assessment Tool

A few of you have emailed me about where to start with security. That’s a great question, because computer and network security is a very large field, and coming up with a single starting point for any particular network is a difficult task. Since each network is different, just where should you start your efforts to improve security? One way to get a great start is to use the Microsoft Security Assessment Tool (MSAT).

The Microsoft Security Assessment Tool is a free tool designed to help you assess weaknesses in your current IT security environment, reveal a prioritized list of issues, and help provide specific guidance to minimize those risks. MSAT is an easy, cost-effective way to begin strengthening the security of your network. You can begin the process by taking a snapshot of your current security state, and then use the MSAT on a regular basis to monitor your infrastructure’s ability to respond to security threats.

The MSAT includes over 200 questions covering infrastructure, applications, operations, and people. The questions, answers, and recommendations are derived from commonly accepted best practices, standards such as ISO 17799 and NIST-800.x, as well as recommendations and prescriptive guidance from the Microsoft Trustworthy Computing Group (http://www.microsoft.com/mscorp/twc/default.mspx) and other external security sources.

The assessment is designed to identify the business risk of your organization and the security measures deployed to mitigate that risk. The questions have been developed to provide a high-level security risk assessment of the technology, processes, and people that support your business.

Beginning with a series of questions about your company’s business model, the tool builds a Business Risk Profile (BRP), measuring your company’s risk of doing business due to the industry and business model defined by the BRP. A second series of questions is posed to compile a listing of the security measures your company has deployed over time.

These two security measures form layers of defense, providing greater protection against security risk and specific vulnerabilities. Each layer contributes to a combined strategy for defense-in-depth. This sum is referred to as the Defense-in-Depth Index (DiDI). The BRP and DiDI are then compared to measure risk distribution across the Areas of Analysis (AoAs)—infrastructure, applications, operations, and people.

Risk management recommendations are suggested for your environment by taking into consideration existing technology deployment, current security posture, and defense-in-depth strategies. Suggestions are designed to move you along a path toward recognized best practices.

This assessment—including the questions, measures, and recommendations—is designed for midsize organizations that have between 50 and 1,500 desktops in their environment. It is meant to broadly cover areas of potential risk across your environment, rather than provide an in-depth analysis of particular technologies or processes.

As a result, the tool cannot measure the effectiveness of the security measures employed. This report should be used as a preliminary guide to help you develop a baseline to focus on specific areas that require more rigorous attention. From the guidance provided by MSAT and security activities implemented, you can run the tool as often as you would like to gain further knowledge on your progress against an established baseline MSAT report.

I recommend that you run the tool and discover what areas need to be addressed first. If network management and security are not your area of expertise, then I highly recommend that you find a partner who does have this specialization and work with that partner on putting together a plan to improve your overall security posture.

You can download the MSAT at http://www.microsoft.com/downloads/details.aspx?Fa...ang=en

HTH,

Tom


Don’t Forget Datastream Security

When thinking about security, it’s common to categorize the areas you’ll be focusing on, to make things a bit easier to manage. In general, I tend to categorize my security efforts in the following ways:

  • Edge Security — Inbound and outbound access control to and from the Internet
  • Network security — securing the network from data loss and corruption while it’s on the wire
  • Datastream security — securing the information within the datastream from loss or corruption
  • Host security — Securing the host operating system from attack, including things such as update management and security configuration of the operating system and applications and services running on the host
  • Data security — securing the actual on-disk data from loss or corruption
  • Application security — were the operating system and the applications developed with security in mind? Was a secure application development procedure, such as the Security Development Lifecycle (http://msdn.microsoft.com/msdnmag/issues/05/11/SDL...t.aspx), used to create the application?
  • People security — Has the user base been trained on secure computing practices?

While this schema is similar to what most security administrators use to organize their efforts, there is one area that I mentioned that is often left out of the mix — the Datastream security category.

What is Datastream security? It’s the attempt to secure the information moving through the datastream, whether it be between client and server or server to server. It’s the attempt to protect the data moving over the wire from being lost, stolen, intercepted, changed or corrupted. Datastream security is also aimed at protecting the rest of the network from contents of the datastream that might be malicious.

Datastream security really consists of two parts: datastream privacy and datastream security. I tend to break out privacy from security to make things more clear. That isn’t to say that privacy isn’t a big part of security, but privacy isn’t the entire story.

What are examples of datastream privacy? Consider the mail protocols SMTP, POP3 and IMAP4. Each of these protocols is unencrypted, which means that anyone with a network sniffer can intercept and read the contents of SMTP, POP3 and IMAP4 communications. In order to make the contents of these protocols private, you need to encrypt them. This is done in Windows environments using SSL/TLS, via the SMTPS, POP3S and IMAP4S protocols.

However, we’re not secure yet. Just because we’ve encrypted the data doesn’t make it secure. Worms, viruses, trojans and all sorts of malware can be traveling inside those encrypted communications. To solve this problem, we need to use something that will provide datastream security. The datastream security solution will clean the contents of the datastream itself, removing the malware and other undesirable content.

Microsoft has two primary products aimed at protecting the datastream — Forefront Security for Exchange and Forefront Security for SharePoint. Both of these products are able to block malware from entering your network over the mail or Web channels used to connect to Exchange and SharePoint. Not only do they block malware, but they can also be used for content inspection, so that spam and other unwanted mail can’t get into or leave your Exchange Server, or, in the case of SharePoint, to ensure that undesirable or illicit content can’t make its way into your SharePoint libraries.

For more information on Forefront Security for Exchange, check out: http://www.microsoft.com/forefront/serversecurity/...t.mspx

For more information on Forefront Security for SharePoint, check out: http://www.microsoft.com/forefront/sharepoint/en/u...t.aspx

HTH,

Tom


Remember the Microsoft Intelligent Application Gateway (IAG) for Secure Remote Access

In all of the conversations about remote access security last week, I completely forgot about one of the best security products Microsoft has in its stable — the Intelligent Application Gateway (or IAG). The IAG is an SSL VPN gateway that is based on the Whale SSL VPN solution that Microsoft purchased a couple of years ago. Microsoft took the Whale product and made some improvements before releasing it as the IAG.

As you might know, an SSL VPN means many things to many people. To a network purist, a true SSL VPN is a solution that allows network layer connectivity to a corporate network over the Internet, in the same way that PPTP or L2TP/IPsec allows connections. An example of this would be the Microsoft SSTP protocol. However, to other people, an SSL VPN is a portal that allows users access to applications by clicking on the application link. These applications might be Web applications, or they might be client/server applications, such as Outlook MAPI or Outlook RPC/HTTP.

What got me to thinking about the IAG was a question someone asked about how to enable client certificate authentication with the RPC/HTTP Outlook client. He was concerned that anyone with an Outlook 2003 or 2007 client would be able to try to connect over RPC/HTTP. So, in order to solve this problem, he wanted some kind of client certificate authentication solution.

Unfortunately, due to a limitation in the Outlook 2003/2007 client, there’s no way the client will support client certificate authentication, which is a real shame, because you want something a bit more secure than just password authentication before allowing access to a key corporate resource like email. You might even think “come on! I can have User Certificate authentication with my little ActiveSync enabled phone. What’s up with Outlook?”

Good point. Unfortunately, there’s no fix on the way for the Outlook problem. However, you can solve it by using an IAG. IAG does support client certificate authentication to identify trusted hosts. The user connects to the IAG first and authenticates with his User Certificate. Once authenticated, the Outlook client can then connect to the Exchange Server through the SSL tunnel. In fact, you don’t even need to use RPC/HTTP when connecting through the IAG, since the MAPI connections will move over the SSL tunnel created when the user connected to the IAG’s SSL VPN gateway! Now, that’s sweet :)

The IAG can do plenty more things. For a comprehensive review of SSL VPNs and the IAG, check out my article series on ISAserver.org at http://isaserver.org/tutorials/Microsoft-Intellige...1.html

For other information about the IAG, check out: http://www.microsoft.com/forefront/edgesecurity/ia...t.mspx

HTH,

Tom


Enabling Network Support for Windows Server Core in VMware Workstation

You might remember a few days ago that I wrote about possible security issues with Server Core. As a reminder, Windows Server 2008 has an installation option called Server Core. When you install Server Core, the installer installs only a small subset of binaries required for the core operating system to work. There’s no Explorer shell (interface), no GUI tools for management (at least not for local management) and just about everything has to be done from the command line.

I’ve done plenty of virtual labs and watched plenty of demos of the Server Core offering, but I have to admit that I’ve never tried to deploy it myself. So, in the interest of fairness, and for accuracy of assessment, I decided to install Server Core in VMware. While I won’t go into the details of my experience with Server Core (yet), I can tell you that it’s not nearly as egregious as I thought. It’s even sort of fun, which is saying something coming from me, as I usually abhor CLI management as slow, inefficient and error prone.

Anyhow, back to my installation experience in VMware Workstation. The installation completed fine, but then I ran an ipconfig to see if I got an IP address from my DHCP server and found that there were no interfaces. ACK! What happened? I realized that I needed to install the VMware tools to get the VMware NIC driver working. How do I do that in a non-GUI environment?

Well, it turns out that Server Core isn’t entirely non-GUI, and that you can run setup files for at least some applications within Server Core. In order to get the NIC driver installed in Server Core, do the following:

  1. Install using the VMware profile for Vista.
  2. Once installation is complete, you’ll see after running ipconfig that you have no network interface. Shut down the server (using the shutdown command) and change the settings of the CD-ROM used by the VM. Use the option to mount the CD as an ISO image. Select c:\program files\vmware\vmware workstation\windows.iso (this is the virtual CD image that contains the installation files for the VMware tools).
  3. Reboot into Server Core, navigate to the CD drive letter and run the dir command. You’ll see the setup.exe file on the CD drive. Type setup.exe and press ENTER to run the tools installation process.
  4. Once the tools are installed you will be asked to restart the computer. Click OK to restart the computer. Log on and run ipconfig to confirm that you now have a network interface. From there, use netsh to configure IP addressing information for the NIC.
  5. Be aware that if you install the video drivers during the installation of the VMware tools, your video resolution will be 640×480. You can fix this by downloading a tool like nircmd, which allows you to change the display settings from the command line. Another option is to uncheck the video drivers in the VMware tools setup. In this case, during the VMware tools setup, choose the Custom installation option and configure it to not install the video drivers.

HTH,

Tom


Making the Network Edge More Crunchy — The Mobile Device Security Challenge

There’s an active debate in the Microsoft security community regarding edge security. The debate goes something like this: in the past, there was the concept of the “hard crunchy” edge, where a firewall is in place to block all inbound connections to the corporate network. The only way to get to information stored on the corporate network was to actually be directly plugged into the network. This “hard crunchy” perimeter protected the network from all the bad things out on the Internet. Or so the thinking went at the time; it didn’t consider the fact that outbound connections from the internal network could easily introduce exploits as well.

The new model, actively promoted by Microsoft, is that the “hard crunchy” perimeter (edge) no longer exists. Instead, we have a “soft chewy” perimeter that allows all sorts of connections to the corporate network. These connections are from home workers, road warriors, partners, consultants and an entire host of other remote access users. So, because of all of the “holes” we need to make on our edge security devices to allow these connections, the edge should no longer be seen as “hard” and “crunchy”.

There’s no doubt that mobile workers are making the edge more porous. And perhaps the most important devices we have to worry about are handheld mobile devices. Smart phones, PDA phones and other pocket computers are the fastest growing device type that makes remote connections to data on the corporate network. It’s your job to make sure that you can secure those connections.

To secure my networks against these types of devices, I have to take two major areas of security into account:

  • Edge Security
  • Host (or device) Security

For edge security, you need to make sure that only devices that are approved for corporate use are allowed to connect to the corporate network. The edge device should be able to perform both authentication (so that no anonymous connections from these devices hit internal servers) and authorization (so that even if a user successfully authenticates, he must be authorized to access the server and data before the connection is allowed to go through).

In addition to authentication and authorization, you need to make sure that the contents of the datastream are private and secure. You can use SSL technology between the mobile device and the edge security device to ensure privacy. In order to make the connection secure, you need to make sure that no exploits (such as exploit commands and code, as well as malware) can get past the edge security device.

For the edge security solution, you should consider an application layer inspection firewall, such as an ISA Firewall. The ISA Firewall is able to inspect the contents of SSL connections by performing SSL termination and initiation. The ISA Firewall can also inspect the HTTP datastream to make sure that no illegal commands are sent past the ISA Firewall, or to make sure that only known good HTTP commands and code are sent past the ISA Firewall.

As you can see, while the edge isn’t the rock wall that it used to be, by enforcing authentication, authorization and application layer inspection road blocks, you go a long way toward making that edge a lot crunchier than the supposed “soft and chewy” edge that some might advocate.

Now for the device side. I think the best selection for mobile devices is Windows Mobile 6. The Windows Mobile 6 devices need to be controlled so that in the event that those devices are lost or stolen, no valuable private information is lost. This is critical — thousands of handheld computing devices are lost or stolen each year, many of them with private, valuable corporate information that could put the company’s bottom line at risk.

This is where Windows Mobile 6 and Exchange Server 2007 come into play. With this mobile device client/server combination, you get the following security features:

  • You can set policy so that all information contained on storage cards is encrypted and cannot be read on any other device
  • The administrator can wipe the device once he discovers that it’s lost or stolen
  • The user can wipe the device himself, through an OWA-based self-service portal, so that he doesn’t even need to inform IT that the device was stolen and needs to be wiped.
  • You can set policy for attachment size limits
  • You can set policy to allow or disallow attachment downloads
  • You can enable Windows Rights Management on documents stored on the device in order to prevent them from being printed, copied, forwarded or even read by unauthorized individuals
  • You can set policy that enables or disables access to UNC path folder shares and SharePoint library files
  • You can set policy for password complexity and password reuse — which protects the stolen device from being used without a log-in PIN

In addition, you can pair up the security capabilities of Windows Mobile 6 with the ISA Firewall’s authentication and authorization scheme by requiring user certificate authentication. This prevents unauthorized devices (which don’t allow centralized security policy management the way Windows Mobile 6 does) from connecting to your network and its corporate resources.

So, while the edge isn’t quite as hard and crunchy as it might have been in the 1990s, you can still make it plenty hard for mobile device users by combining the strengths of an application layer inspection edge device like an ISA Firewall and the device-specific security provided by a combined Windows Mobile 6 and Exchange 2007 solution.

For an excellent article that gives detailed coverage of the Windows Mobile 6 and Exchange Server 2007 combination, check out: http://www.microsoft.com/technet/technetmag/issues...loc=en

HTH,

Tom


TCP 443 The Universal Firewall Port? Not!

Most network security administrators will by default not allow outbound VPN connections from their networks to other networks. This makes good sense, since once an outbound VPN connection is established from your network to another network, you immediately expose any security issues on that network to your network. You have no idea what they’ve done on the other side of the VPN connection to secure their network, so it’s wise to block outbound VPN connections.

So what’s this have to do with the concept of the “Universal Firewall Port”? TCP 443 is often referred to as the Universal Firewall Port because almost all firewalls allow outbound access to TCP port 443 to any location and any content. This is somewhat black humor, since they refer to TCP 443 as the Universal Firewall Port because they feel helpless about controlling what moves over the encrypted SSL channel. Regardless of whether you’re using a stateful packet inspection firewall or a Web proxy based firewall, you’re not going to be able to see the contents of that SSL communication (maybe — read on).

Now, what does VPN and the Universal Firewall Port have in common? The new Microsoft VPN protocol, the Secure Socket Tunneling Protocol or SSTP. SSTP is essentially PPP/SSL, which means that you no longer have to worry about firewalls that block outbound PPTP or L2TP/IPSec connections. Since all firewalls and Web proxies allow outbound SSL (TCP 443), SSTP will work in just about any environment.

This might make you believe that you’re helpless at blocking SSTP VPN connections, since the Universal Firewall Port TCP 443 is almost always open outbound. You might think that you’ll no longer be able to control outbound VPN connections because the SSL session cannot be inspected. Hence, the sense of helplessness.

Fortunately, the fact is that TCP 443 is not a Universal Firewall Port. True, if you’re using a simple stateful packet inspection only firewall, you’re out of luck, but you’ve been out of luck for quite some time. However, many proxy based firewalls and dedicated Web proxies are able to look at the information in the HTTP header and block connections based on that header information. This is true for SSTP.

If you check out the RRAS Team Blog, you’ll see that there is a value in the HTTP CONNECT header that you can configure your firewall to block (SSTP_VERSION:*). By configuring your Firewall (such as an ISA Firewall) to block connections that include SSTP_VERSION:* in the CONNECT header, you can block the SSTP connection. So much for the myth of the Universal Firewall Port.
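To make the CONNECT-header rule concrete, here is an added example in Python (not code from the post, the RRAS Team Blog or any firewall product) of the check a Web proxy would apply to an outbound CONNECT request, assuming the request arrives as a raw HTTP request head and that the SSTP client marks it with the SSTP_VERSION header the post describes; the sample requests are constructed.

```python
"""Web-proxy rule for blocking SSTP over the HTTP CONNECT method.

Added illustration: a proxy that sees the client's CONNECT request can
deny the tunnel when the request carries an SSTP_VERSION header, the
marker the post says the SSTP client includes. The sample requests
below are constructed, not captured traffic.
"""
from typing import Dict, NamedTuple, Tuple


class Decision(NamedTuple):
    allow: bool
    reason: str


def parse_request_head(raw: bytes) -> Tuple[str, Dict[str, str]]:
    """Split an HTTP request head into (request line, headers).

    Header names are upper-cased so SSTP_VERSION, sstp_version and
    Sstp_Version all compare equal; values are stripped. Parsing stops
    at the blank line that ends the head, so a body is never inspected.
    """
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    request_line = lines[0]
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().upper()] = value.strip()
    return request_line, headers


def proxy_decision(raw: bytes) -> Decision:
    """Apply the block rule: deny CONNECT requests that carry SSTP_VERSION.

    The rule only applies to CONNECT (proxied SSL) traffic. An SSTP client
    that bypasses the proxy never sends this request, which is exactly the
    packet-filter-only case the post calls "out of luck".
    """
    request_line, headers = parse_request_head(raw)
    method = request_line.split(" ", 1)[0].upper()
    if method != "CONNECT":
        return Decision(True, "not a CONNECT request; rule not applicable")
    if "SSTP_VERSION" in headers:
        return Decision(False, "SSTP tunnel attempt, SSTP_VERSION: %s"
                        % headers["SSTP_VERSION"])
    return Decision(True, "ordinary SSL CONNECT, no SSTP marker")


# Constructed sample requests, as a proxy would receive them.
BROWSER_CONNECT = (
    b"CONNECT www.example.com:443 HTTP/1.1\r\n"
    b"Host: www.example.com:443\r\n"
    b"User-Agent: Mozilla/5.0\r\n"
    b"\r\n"
)
SSTP_CONNECT = (
    b"CONNECT vpn.example.com:443 HTTP/1.1\r\n"
    b"Host: vpn.example.com:443\r\n"
    b"SSTP_VERSION: 1.0\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n"
)


if __name__ == "__main__":
    for label, req in (("browser", BROWSER_CONNECT), ("sstp", SSTP_CONNECT)):
        d = proxy_decision(req)
        print("%-8s %s  (%s)" % (label, "ALLOW" if d.allow else "DENY", d.reason))
```

Tying the header check to a proxy log line (source host, destination, verdict) gives you the audit trail for who attempted an SSTP tunnel, which the packet-filter-only setup cannot provide.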

But, SSTP isn’t the only issue. What about Web content that’s downloaded over an SSL connection? CONNECT header control isn’t going to allow you to control access to that content. Same is true for anonymous Web proxies. So are we helpless and has the Universal Firewall Port gained some credibility?

No. There are solutions that allow firewalls and Web proxies to inspect the contents of SSL encrypted sessions. These devices are able to do this by performing “outbound SSL bridging” where the clients terminate their SSL session with the firewall and the firewall impersonates the destination Web site. The firewall essentially acts as a Good Guy in the Middle (GGITM) to make sure that users aren’t downloading exploits and malware into your network over an encrypted SSL tunnel.

ISA Firewalls with Collective Software’s ClearTunnel (www.collectivesoftware.com) and Blue Coat Web proxies are the two most common devices used to perform this kind of SSL content inspection. Devices like these prove that there is no “Universal Firewall Port” — unless, that is, you choose to leave the SSL hole in your network open by failing to deploy such a solution.

HTH,

Tom

