Author Archive

The internet is a tricky world for doing business in – nothing new here. I would like to make a statement for WASHing everything that passes your DMZ environment. WASH is also the abbreviation for Web Application Security in a Holistic way. You like this one? In Dutch: een wasstraat.

No, really. Security is very important in the DMZ. The DMZ is typically the area of interest for washing application functionality and washing data transfer. Most of us already do this for email and internet traffic. And of course the firewall delivers our basic security needs. But there are still many holes!

First hole: SSL websites.
Very few proxy servers are able to "wash" SSL-secured websites. And HTTPS use is growing. I suspect it will not take long for bad websites to abuse this hole too. I came across a solution called Clearswift Cleartunnel that extends the common ISA server with an SSL proxy. Hopefully Microsoft will put this feature into their ForeFront ISA 2008 version by default.

Second hole: XML messages
Open standards are promoted. XML is the major spin-off. So we protect HTTP and a lot of web protocols too, but XML is allowed through blindly. What are we doing?!?! XML meta information is very, very useful for hacking purposes. We should mask our internal resources more carefully. Read this hacking example. So watch out for web services applications that exist in the DMZ zone. These are commonly the applications that talk the XML protocol. As a solution I propose to accept only applications that are designed by the WS-Security protocol principles. Otherwise look out for an XML firewall solution. Examples are: ForumSystems Xwall (also available as an ISA add-on), Cisco ACE XML Gateway, Vordel and Layer7.
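To make the XML firewall idea concrete, here is an added illustration (not code from this post, nor from any of the products named above) of the kind of "wash" such a gateway applies to an inbound message before it reaches an internal web service: a size cap, refusing DOCTYPE declarations (where entity definitions live), a well-formedness parse, a check that the message type is one the service expects, a nesting limit, and re-serialisation from the parsed tree so that comments and processing instructions, which developers tend to fill with internal host names, never cross the boundary. The policy values (`ALLOWED_ROOTS`, `MAX_BYTES`, `MAX_DEPTH`) and the sample messages are assumptions constructed for the example.

```python
import xml.etree.ElementTree as ET

# Assumed gateway policy for the example: which message types the internal
# service expects, how large a message may be, and how deeply it may nest.
ALLOWED_ROOTS = {"order", "status"}
MAX_BYTES = 64 * 1024
MAX_DEPTH = 32


def wash_xml(raw: bytes) -> tuple[bool, str, bytes]:
    """Inspect one inbound XML message and return (accepted, reason, cleaned).

    Rejected messages come back with an empty body. Accepted ones are
    re-serialised from the parsed tree, which drops the XML declaration,
    comments and processing instructions, so internal notes or host names
    left in comments never reach the other side.
    """
    if len(raw) > MAX_BYTES:
        return False, "message exceeds size limit", b""

    # A DOCTYPE is where entity declarations live (internal and external),
    # so it is refused before the parser ever sees it.
    if b"<!DOCTYPE" in raw:
        return False, "DOCTYPE declarations are not accepted", b""

    try:
        # The default ElementTree TreeBuilder does not keep comments or PIs.
        root = ET.fromstring(raw)
    except ET.ParseError as exc:
        return False, f"not well-formed: {exc}", b""

    if root.tag not in ALLOWED_ROOTS:
        return False, f"unexpected message type <{root.tag}>", b""

    # Iterative depth check, so a deeply nested message cannot exhaust the
    # recursion limit of the check itself.
    stack = [(root, 1)]
    while stack:
        node, depth = stack.pop()
        if depth > MAX_DEPTH:
            return False, "nesting too deep", b""
        stack.extend((child, depth + 1) for child in node)

    return True, "ok", ET.tostring(root)


# Constructed sample messages for a stand-alone run.
SAMPLES = {
    "clean order": b'<?xml version="1.0"?><order><!-- built on srv01.corp.example -->'
                   b"<id>42</id></order>",
    "entity declaration": b'<!DOCTYPE order [<!ENTITY e "x">]><order>&e;</order>',
    "wrong root": b"<invoice><id>1</id></invoice>",
    "deep nesting": b"<order>" + b"<a>" * 40 + b"</a>" * 40 + b"</order>",
}

if __name__ == "__main__":
    for name, msg in SAMPLES.items():
        ok, reason, cleaned = wash_xml(msg)
        print(f"{name:20s} accepted={ok!s:5s} {reason} {cleaned!r}")
```

Running it shows the clean order passing with its comment gone, and the other three samples refused with a reason the gateway can log. A real XML firewall would add schema validation and WS-Security signature checks on top of this; the point here is that positive validation (only expected message types, only expected structure) is what closes the hole, not pattern matching on known-bad content.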

Third hole: encrypted email messages
Email is practically synonymous with spam (90-95% of it is). No wonder email encryption is growing in popularity. Again, scanning these email messages is not an out-of-the-box activity. Ideally you already have a mail security gateway supporting the common standards PGP (OpenPGP too), S/MIME and webmail. Some secure email gateways even support PDF mail. If you wish to be as flexible as possible you should support all common encryption technologies, I think. Multi-functional solutions to consider are Exedra IQ suite, PGP Universal Gateway or the Utimaco Safeguard Mailgateway.

Fourth hole: FTP
Ancient technology. That is what FTP is. HTTP is much easier to scale, load balance and secure. So my advice is to move to HTTP as fast as you can. Windows SharePoint Services is free to use on a Windows Server. So why not use it?

Want more answers? Do you know of more holes to explore? Please post a reaction.

- Paul


Home automation is big business at Hannover Cebit 2008. Homeplug AV is everywhere, next to Media Centers, wireless radios, IP phones, and all integrated. A NAS/RAID device at home is common too. All is shown in attractive real-world bedrooms and living rooms.
Microsoft shows a very, very big display on people-ready software – cool! A lot of Vista and SOA here. And of course ForeFront security is around too. It's the first time for me to play with IAG server. The Whale software is feature-rich and a true opponent for SSL/VPN suppliers.

I also noticed Microsoft Spider on the ForeFront ground. New? Yes, very! An agent-less compliance tool that delivers truly useful compliance reports, which SCOM auditing services do not. You can even create your own company template for industry- or company-specific rules. It is developed by Microsoft IT. No dates given yet.

Back to the living room. So everything is wirelessly distributed, stored and personally designed. But where does Windows Home Server fit in here? I couldn't discover it anywhere. This is a missed opportunity, I think. So I have to believe it will not be adopted at large, at least not in Europe. Vista, Media Center and XBOX 360s were commonly integrated by other vendors. Microsoft should make Windows Home Server the director platform of home automation. Microsoft: please plug Windows Home Server in on my continent too. Please?

- Paul



When I walked around at Cebit 2008 I was really surprised by the innovations of the German universities. This example captures your face and gives real-time feedback on your mood. It can do this for hundreds of faces. Look, I am surprised!!!


- Paul


Some people just cannot wait to make their Windows machine as personal as it gets. I surfed down a freeware tool that is able to do the job. Like in the old 95/98/XP days.

Screenshot seen at bink.nu

Download: Vista Boot Logo Generator


Encryption on the internet is hot. Have you ever tried any Google website with https://? Yes, you can. VPN communication is still the area of B2B or mobile-to-office communication. Companies like Cisco and Juniper have grown larger with it. I came across a few free VPN initiatives which I wish to share with you. Secure internet access via a public wifi is now an option for the public.

Also, you may want to extend your ISA proxy server with SSL offload / content scanning to secure your browsing community. The best add-in I know of is the SSL proxy web filter from Collective Software. You need to work with certificates, so have a PKI in place. So far I haven't heard of SSL websites with malicious content, but that will be a matter of time…

- Paul
