Few companies would lay claim to being able to protect all end devices. So in a deperimeterised environment a holistic approach to web access is required, says Paul Simmonds
Browsing the web is a risky pastime. E-mails try to lure people to dodgy sites, and URLs are deliberately misspelt to snare the unsuspecting. Some end-users will inevitably stray to sites that are clearly inappropriate or have been hacked and crammed with malicious code.
IT managers need to provide end-users with a web browsing experience that protects them from inadvertently straying to inappropriate sites and also ensures that, wherever they browse, the data downloaded via their web browser is free from malicious content.
Although organisations work hard to maintain an environment where access to computing devices is governed and controlled by inherently secure protocols, the problem remains of how to control access to inherently untrusted environments such as the web.
In a deperimeterised environment, an untrusted website needs to have its trust level raised so that end-users are presented with browsing that is 100% free of malicious content, closing off this route to compromised PCs.
IT departments face three problems with end-users accessing the web. First, they must ensure that the sites end-users browse are in line with the stated (corporate, country, personal or home) policy on web browsing. Second, they have to ensure that what a web server delivers back to the end-user is free from malicious content. The third challenge is to protect all end devices, no matter where or how they are connected.
Most organisations admit to doing the first reasonably well, the second poorly, and the third rarely or never.
Existing approaches to controlling web access involve installing filtering products in a demilitarised zone (DMZ). But such products generally protect only those users inside the corporate intranet. The same level of filtering is rarely available for SME or home users. And where a corporate policy exists for remote end-users, it generally involves either leaving mobile staff unprotected or insisting that all web access requires end-users to run an authenticated VPN tunnel back into the corporate environment.
There are two separate problems to be solved here. First, an IT architecture is needed that allows operation in a deperimeterised environment. Second, user organisations need a way to provision a distributed filtering service.
To ensure users have 100% protection at all time, all web traffic, regardless of where the end device is connected, must be filtered. And crucially, once filtered, all protocols between the filter and the end device must be inherently secure.
Standard URL filtering can use a database look-up of known sites to support corporate-wide blocking of categories such as hate, criminal activities and racism. A wildcard capability to blacklist and whitelist similar domains, such as http://*.my-company.com, is also useful.
Filtering should provide intelligent handling and differentiation of port 80 tunnelling traffic, such as instant messaging, Limewire, Skype/VoIP, video and audio streaming. It is also important to be able to identify proxy sites that deliberately mask their URLs as well as those that accidentally mask or bypass URLs, such as the Google cache.
If end-users access the internet via an external service provider, then access points, or POPs, should be globally available with 24x7 support, ensuring that mobile deperimeterised workers have only a short hop to the nearest POP and from there directly to the internet. It is important that global POPs provide global load-balancing and resilience. This external service should offer a secure interface between the local web browser and the service, thus minimising upgrades or changes which are the responsibility of the service provider.
There is an issue when a remote worker needs to make an initial local connection, typically using a local hotspot or hotel. This issue is compounded by the plethora of web redirection methods for authentication and payment. There is a need for a standard method or protocol for web charging to provide a secure interface that can separately handle the authentication and payment necessary to grant access to the internet via a local connection.
Reporting facilities should be able to present the extent of internet use, not just by individuals, but also aggregated to departments and locations, with suitable safeguards on individual privacy. For instance, there should be facilities to anonymise usage so that service providers and IT managers can see usage (and abuse), but are unable to identify the individuals.
The reporting should also offer configurable data retention policies to meet business, industry, regulatory and country-specific requirements, and provide real-time reporting on filtered conditions.
Most of these filtering features are partially available in products today. But in a deperimeterised environment, internet filtering and reporting will need to run in a distributed environment. In other words, multiple, replicated internet filtering and reporting environments are needed to connect users to the local service or DMZ. Common filtering rules are applied and reporting is consolidated into a central report interface, irrespective of the actual hardware or the way the internet is accessed.
Challenges for the industry remain, such as defining a web page redirection standard that allows a minimal subset of protocol exchange for granting website access by password, token, certificate, pre-authentication or payment card. The industry also needs to agree a standard mechanism for secure proxy connectivity with credentials being passed.
Accelerating the use of inherently secure protocols for proxy connections, with the ability to use those protocols inside or outside the corporation, will let corporates provide a simpler, yet more secure and holistic approach to web access.
Web security basics
- Bar sites known to contain malicious code
- Scan files and other non-HTML code for viruses and malicious code
- Block password-protected files that prevent their contents being scanned
- Use heuristic detection tools to ensure all malicious code is detected.
Paul Simmonds is chief security officer at ICI and a contributor to the Jericho Forum
Comment on this article: email@example.com
This was first published in November 2006