
The internet is a tricky world to do business in – nothing new here. I would like to make a case for WASHing everything that passes through your DMZ environment. WASH is also the abbreviation for Web Application Security in a Holistic way. You like this one? In Dutch: een wasstraat (a car wash).

No, really. Security is very important in the DMZ. The DMZ is typically the area of interest for washing application functionality and washing data transfers. Most of us already do this for email and internet traffic. And of course the firewall covers our basic security needs. But there are still many holes!

First hole: SSL websites.
Very few proxy servers are able to "wash" SSL-secured websites, and HTTPS use is growing. I suspect it will not take long for malicious websites to abuse this hole too. I came across a solution called Clearswift Cleartunnel that extends the common ISA server with an SSL proxy. Hopefully Microsoft will put this feature into their ForeFront ISA 2008 version by default.

Second hole: XML messages
Open standards are promoted, and XML is the major spin-off. So we protect HTTP and a lot of other web protocols, but XML is allowed through blindly. What are we doing?!?! XML meta information is very, very useful for hacking purposes. We should mask our internal resources more carefully. Read this hacking example. So watch out for web services applications that live in the DMZ zone. These are commonly the applications that talk the XML protocol. As a solution I propose to accept only applications that are designed according to the WS-Security protocol principles. Otherwise look for an XML firewall solution. Examples are: ForumSystems Xwall (also available as an ISA add-on), Cisco ACE XML Gateway, Vordel and Layer7.
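To make concrete what an XML firewall in front of a DMZ web service actually does, here is an added example written for this post; it is not code from the original post nor from any of the products named above. The Python inspector below applies a gateway policy to an incoming SOAP request: it rejects oversized messages, any DTD or entity declaration (the place where external entities and entity-expansion tricks live), malformed or excessively nested XML, anything that is not a SOAP envelope, and anything without a WS-Security header carrying an unexpired Timestamp and a Signature element. The namespace URIs are the standard SOAP 1.1, WS-Security 1.0 and XML Signature ones; the size and depth limits, the sample messages and the gateway clock values are constructed for this example, and cryptographic verification of the signature is assumed to happen at the endpoint behind the gateway.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# Standard namespace URIs: SOAP 1.1, WS-Security 1.0 (secext / utility), XML Signature
SOAP_ENV = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
DSIG = "http://www.w3.org/2000/09/xmldsig#"

# Gateway policy limits: hypothetical values chosen for this example
MAX_BYTES = 64 * 1024
MAX_DEPTH = 32


def _depth(root):
    """Deepest nesting level of the element tree (the root counts as 1)."""
    deepest, stack = 0, [(root, 1)]
    while stack:
        elem, level = stack.pop()
        deepest = max(deepest, level)
        stack.extend((child, level + 1) for child in elem)
    return deepest


def inspect_message(raw: bytes, now: datetime):
    """Decide whether a SOAP request may pass the gateway; returns (accepted, reason).

    Order of checks: size, DTD/entity declarations (a conservative byte-level
    check done before any parsing), well-formedness, nesting depth, SOAP
    envelope, then a WS-Security header with an unexpired Timestamp and a
    Signature element. Verifying that signature is left to the endpoint.
    """
    if len(raw) > MAX_BYTES:
        return False, "message exceeds size limit"
    lowered = raw.lower()
    if b"<!doctype" in lowered or b"<!entity" in lowered:
        return False, "DTD or entity declaration not allowed"
    try:
        root = ET.fromstring(raw)
    except ET.ParseError as exc:
        return False, f"malformed XML: {exc}"
    if _depth(root) > MAX_DEPTH:
        return False, "nesting too deep"
    if root.tag != f"{{{SOAP_ENV}}}Envelope":
        return False, "not a SOAP envelope"
    security = root.find(f"{{{SOAP_ENV}}}Header/{{{WSSE}}}Security")
    if security is None:
        return False, "missing WS-Security header"
    expires = security.find(f"{{{WSU}}}Timestamp/{{{WSU}}}Expires")
    if expires is None or not expires.text:
        return False, "missing Timestamp/Expires"
    try:
        exp = datetime.strptime(expires.text.strip(), "%Y-%m-%dT%H:%M:%SZ")
    except ValueError:
        return False, "unparseable Expires"
    if exp.replace(tzinfo=timezone.utc) <= now:
        return False, "Timestamp expired"
    if security.find(f"{{{DSIG}}}Signature") is None:
        return False, "message not signed"
    return True, "accepted"


# Constructed sample traffic (not captured from any real system)
SIGNED = b"""<?xml version="1.0"?>
<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"
 xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
 xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
 xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
 <s:Header><wsse:Security>
  <wsu:Timestamp><wsu:Created>2008-05-01T10:00:00Z</wsu:Created>
   <wsu:Expires>2008-05-01T10:05:00Z</wsu:Expires></wsu:Timestamp>
  <ds:Signature><ds:SignatureValue>c2lnbmF0dXJl</ds:SignatureValue></ds:Signature>
 </wsse:Security></s:Header>
 <s:Body><getOrder xmlns="urn:example:orders"><id>42</id></getOrder></s:Body>
</s:Envelope>"""

WITH_DTD = b"""<?xml version="1.0"?>
<!DOCTYPE Envelope [ <!ENTITY greeting "hello"> ]>
<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body>&greeting;</s:Body></s:Envelope>"""

UNSIGNED = b"""<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">
<s:Header/><s:Body><getOrder xmlns="urn:example:orders"><id>42</id></getOrder></s:Body></s:Envelope>"""

# Constructed gateway clocks: one inside the Timestamp window, one after it
NOW_IN_WINDOW = datetime(2008, 5, 1, 10, 1, tzinfo=timezone.utc)
NOW_TOO_LATE = datetime(2008, 5, 1, 10, 10, tzinfo=timezone.utc)

if __name__ == "__main__":
    for name, msg in (("signed", SIGNED), ("with_dtd", WITH_DTD), ("unsigned", UNSIGNED)):
        print(name, inspect_message(msg, NOW_IN_WINDOW))
    print("signed, late", inspect_message(SIGNED, NOW_TOO_LATE))
```

The DTD check runs on the raw bytes before the parser sees anything, which is the important ordering: once a parser has expanded entities it is too late to refuse them. The checks that follow enforce what the post calls designing by the WS-Security principles, namely that a message arriving at the DMZ boundary has to announce a validity window and carry a signature before the gateway is even willing to hand it to the application behind it.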

Third hole: encrypted email messages
Email has become synonymous with spam (90-95% of it, in truth). No wonder that email encryption is growing in popularity. Again, scanning these encrypted email messages is not an out-of-the-box activity. Ideally you already have a mail security gateway supporting the common standards PGP (OpenPGP too), S/MIME and webmail. Some secure email gateways even support PDF mail. If you wish to be as flexible as possible you should support all common encryption technologies, I think. Multi-functional solutions to consider are the Exedra IQ suite, PGP Universal Gateway or the Utimaco Safeguard Mailgateway.

Fourth hole: FTP
Ancient technology. That is what FTP is. The HTTP protocol is much easier to scale, load balance and secure. So my advice is to move to HTTP as fast as you can. Windows SharePoint Services is free to use on a Windows Server. So why not use it?

Want more answers? Do you know of more holes to explore? Please post a reply.

- Paul
