SNS Journal - Focus on Web Gateway (September 2013)


SNS Journal (September 2013)

A monthly review of best practices & security insights to help you get the most from your McAfee products


IN THIS ISSUE

  • Product Focus: McAfee Web Gateway SSL Scanner
  • Ask the Experts: Web Gateway SSL Scanner FAQs
  • Cyberfacts: Android Malware Affects Users Globally
  • Security Insight: McAfee Releases Second Quarter Threats Report
  • MS Patch Update: September Release
  • Latest News/Resources
  • Places to Go
  • Coming in October


Product Focus: McAfee Web Gateway SSL Scanner
This month, Web Gateway team members Jen Hulting, Darin Shock, and Steve Goers break down this powerful feature into a set of tools that can benefit every Web Gateway Administrator.

The McAfee Web Gateway SSL Scanner is a complex feature set that frequently raises questions such as “Do I need it?”, “How do I use it?”, “What if I don't want to do SSL inspection?”, and “Where do I put the rule set?”

The bottom line is if Web Gateway needs to do anything other than pass along HTTPS requests, then you will need some tools to properly handle different aspects of the HTTPS connection. Below, we break down the components of the Web Gateway SSL Scanner to help you better understand why you would use them.

The following are examples of use cases where SSL Scanner tools are required:

  • Enabling end users to see Web Gateway block pages, rather than browser errors, when blocking HTTPS sites
  • Preventing browser certificate warnings for blocked HTTPS requests in transparent deployments
  • Preventing browser certificate warnings for authentication of HTTPS requests in transparent deployments
  • Restricting access based on the integrity of the destination web server certificate
  • Performing anti-malware scanning for HTTPS requests
  • Enforcing DLP for HTTPS requests
  • Filtering URL paths of HTTPS requests, such as allowing https://www.facebook.com but blocking https://www.facebook.com/chat


Breaking down the SSL Scanner into tools
The SSL Scanner is not a single function, but a “toolbox” that contains components for interacting with and filtering HTTPS traffic.

Note that the default SSL Scanner rule included in Web Gateway’s Rule Set Library has every component enabled. This is not a requirement, and you may choose to use only the components you need. Likely, you’ll just have to make a few minor rule set criteria modifications.

In addition, it is simple to apply the SSL Scanner to specific clients or categories. In fact, when rolling this out, McAfee recommends that you initially limit tests to particular client IP addresses rather than globally introducing it to all connections.

The SSL Scanner Tools

  • Handle CONNECT Request (Set SSL Client Context with Certificate Authority (CA))
    This component gives Web Gateway the ability to properly facilitate the SSL connection between the client and the application in the event Web Gateway must interact with the connection. Most administrators will want this enabled, especially if they want to display Web Gateway block pages when blocking HTTPS sites, authenticate transparent clients, or use any other SSL Scanner components.
  • Certificate Verification
    This component provides the ability to filter HTTPS requests based on aspects of the destination web server’s certificate. It can check for expired certificates, self-signed certificates, and other certificate criteria. This is critical protection against phishing, and is definitely a recommended component. Certificate verification is also related to transparent deployment, where Web Gateway only sees the IP address of the HTTPS request, not the hostname typed into the browser. In this situation, certificate verification is required to whitelist/blacklist based on hostname. Administrators may have also noticed browser warnings about common name mismatches. This is due to an IP address being present in the certificate’s common name. Certificate Verification gives the Web Gateway the ability to avoid those browser warnings by ‘fixing’ that hostname and providing a corrected certificate. Click here to see an example.
  • Content Inspection
    This component gives Web Gateway the ability to inspect and filter all traffic within an HTTPS connection. With Content Inspection, administrators can fully utilize features such as anti-malware, URL path filtering, Media Type filtering, and Data Leakage Prevention. It is important to note that Web Gateway is unable to perform most filtering of HTTPS traffic if Content Inspection is not enabled. Without it, Web Gateway can still prevent users from accessing particular hosts, but not much else. Here is an example of using Content Inspection to filter particular HTTPS paths.
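The Certificate Verification component above checks the destination server's certificate for expiry, self-signing, and a name that does not match what the client asked for (including the IP-address-as-common-name case that produces browser warnings in transparent deployments). The following Python script is an added example, not McAfee code and not how Web Gateway implements the component internally; it applies the same three checks to certificates in the dictionary form that Python's `ssl` module returns from `getpeercert()`, so the policy can be exercised offline. The two certificates and the `NOW` timestamp are constructed sample data.

```python
import ipaddress
import ssl


def _common_names(subject):
    """Pull every commonName value out of an ssl.getpeercert()-style subject tuple."""
    return [value for rdn in subject for (key, value) in rdn if key == "commonName"]


def _name_matches(pattern, hostname):
    """RFC 6125-style match: exact, or a single leftmost '*' label that never spans a dot."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern.startswith("*."):
        suffix = pattern[1:]  # e.g. ".example.com"
        prefix = hostname[: -len(suffix)] if hostname.endswith(suffix) else None
        return bool(prefix) and "." not in prefix
    return pattern == hostname


def verify_certificate(cert, requested_host, now):
    """Return the list of policy findings; an empty list means the certificate passes every check.

    cert: dict in the shape returned by ssl.SSLSocket.getpeercert()
    requested_host: the name the client typed (or, for transparent clients, the SNI value)
    now: current time as seconds since the epoch
    """
    findings = []
    if ssl.cert_time_to_seconds(cert["notAfter"]) < now:
        findings.append("expired")
    if ssl.cert_time_to_seconds(cert["notBefore"]) > now:
        findings.append("not-yet-valid")
    if cert["issuer"] == cert["subject"]:
        findings.append("self-signed")
    # Names the server claims: subjectAltName dNSName entries take precedence over the CN.
    names = [value for (kind, value) in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:
        names = _common_names(cert["subject"])
    for name in names:
        try:
            ipaddress.ip_address(name)
            findings.append("ip-in-name")  # the mismatch-warning case from transparent deployments
            break
        except ValueError:
            pass
    if not any(_name_matches(name, requested_host) for name in names):
        findings.append("hostname-mismatch")
    return findings


# Constructed sample data (not real certificates): a well-formed leaf certificate from an
# internal CA, and a self-signed, expired certificate whose only name is an IP address.
NOW = 1380000000  # 2013-09-24 UTC, inside GOOD_CERT's validity window

GOOD_CERT = {
    "subject": ((("countryName", "US"),), (("commonName", "www.example.com"),)),
    "issuer": ((("organizationName", "Example Trusted CA"),), (("commonName", "Example Issuing CA"),)),
    "subjectAltName": (("DNS", "www.example.com"), ("DNS", "*.example.com")),
    "notBefore": "Jan  1 00:00:00 2013 GMT",
    "notAfter": "Jan  1 00:00:00 2015 GMT",
}

BAD_CERT = {
    "subject": ((("commonName", "10.0.0.5"),),),
    "issuer": ((("commonName", "10.0.0.5"),),),
    "notBefore": "Jan  1 00:00:00 2011 GMT",
    "notAfter": "Jan  1 00:00:00 2012 GMT",
}

if __name__ == "__main__":
    for cert, host in ((GOOD_CERT, "www.example.com"), (BAD_CERT, "intranet.example.com")):
        result = verify_certificate(cert, host, NOW)
        print(host, "->", "allow" if not result else "block: " + ", ".join(result))
```

The wildcard rule deliberately refuses to match across a dot (`*.example.com` matches `mail.example.com` but not `a.b.example.com`), which is the behaviour browsers enforce and the one a gateway should mirror if it is to replace the browser's own warning with a block page.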


Rule Set Criteria Examples

For more Web Gateway rule set examples that outline the rules and rule placement needed to implement combinations of the SSL Scanner tools, visit the McAfee Community.

Client considerations for SSL Scanner
Regardless of deployment method, when a client workstation makes an HTTPS request, it expects a certificate to be presented as part of the response. Additionally, the client expects:

  • The certificate to come from a Trusted CA
  • The common name on the certificate to match the name typed in the client’s address bar

The first requirement can easily be met by pushing out Web Gateway’s CA to clients (via Group Policy) or by importing a trusted CA (such as an internal Microsoft CA) to Web Gateway.

See the FAQs below for information about importing a Microsoft CA. The second requirement is usually met with no issue for explicit (direct) proxy clients. However, for transparent clients, either Server Name Indication, or certificate verification with a fixed host name rule can be used. For more information, see the Best Practices Guide.
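In a transparent deployment the gateway sees only the destination IP address, and the Server Name Indication (SNI) extension of the client's TLS ClientHello is where the typed hostname can be recovered. The following Python script is an added example, not McAfee code and not Web Gateway's own implementation: it builds a minimal ClientHello carrying an SNI entry (constructed test input, not a capture) and parses the hostname back out, returning `None` for non-TLS data, truncated records, and hellos that carry no extensions. Because SNI is supplied by the client and is not authenticated, a hostname obtained this way should still be checked against the server certificate, which is the role of the Certificate Verification component described above.

```python
import struct


def build_client_hello(server_name):
    """Build a minimal TLS 1.2 ClientHello record (constructed test input, not a real capture).

    server_name=None yields a hello with no extensions block at all, as an old client might send.
    """
    body = (
        b"\x03\x03"             # client_version: TLS 1.2
        + b"\x00" * 32          # random (zeroed; irrelevant for parsing)
        + b"\x00"               # session_id length 0
        + b"\x00\x02\xc0\x2f"   # cipher_suites: one suite
        + b"\x01\x00"           # compression_methods: null only
    )
    if server_name is not None:
        name = server_name.encode("ascii")
        entry = struct.pack("!BH", 0, len(name)) + name          # name_type host_name(0)
        server_name_list = struct.pack("!H", len(entry)) + entry
        sni_ext = struct.pack("!HH", 0, len(server_name_list)) + server_name_list  # ext type 0
        body += struct.pack("!H", len(sni_ext)) + sni_ext
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello(1)
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # ContentType handshake


def extract_sni(data):
    """Return the host_name carried in the SNI extension of a ClientHello record, or None."""
    try:
        if data[0] != 0x16:
            return None                                  # not a TLS handshake record
        rec_len = struct.unpack("!H", data[3:5])[0]
        hs = data[5:5 + rec_len]
        if hs[0] != 0x01:
            return None                                  # handshake message is not a ClientHello
        hs_len = int.from_bytes(hs[1:4], "big")
        body = hs[4:4 + hs_len]
        if len(body) < hs_len:
            return None                                  # truncated record
        pos = 2 + 32                                     # skip client_version + random
        pos += 1 + body[pos]                             # skip session_id
        pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # skip cipher_suites
        pos += 1 + body[pos]                             # skip compression_methods
        if pos + 2 > len(body):
            return None                                  # no extensions block, so no SNI
        ext_end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= ext_end:
            ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
            ext_data = body[pos + 4:pos + 4 + ext_len]
            pos += 4 + ext_len
            if ext_type != 0:                            # 0 = server_name
                continue
            list_len = struct.unpack("!H", ext_data[:2])[0]
            q = 2
            while q + 3 <= 2 + list_len:
                name_type, name_len = struct.unpack("!BH", ext_data[q:q + 3])
                q += 3
                if name_type == 0:                       # host_name
                    return ext_data[q:q + name_len].decode("ascii")
                q += name_len
        return None
    except (IndexError, struct.error, UnicodeDecodeError):
        return None                                      # malformed input is treated as "no SNI"


if __name__ == "__main__":
    print(extract_sni(build_client_hello("www.example.com")))   # www.example.com
    print(extract_sni(build_client_hello(None)))                # None
```

A gateway that falls back to IP-based policy whenever `extract_sni` returns `None` keeps working for clients that do not send SNI, which is the situation the text describes when it says transparent clients may need a fixed host name rule instead.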


Ask the Experts: Web Gateway SSL Scanner FAQs

I want to use Web Gateway’s Root CA on my end users’ browsers – where can I download it?
McAfee strongly recommends that you generate a new CA on Web Gateway to ensure yours is unique. You can find specific information on this in chapter 10 of the Web Gateway Product Guide, in the section that addresses SSL Scanning. To download the CA to push out to clients, open the Web Gateway UI, navigate to ‘Policy’, then the ‘Settings’ tab, select ‘Engines’, then ‘SSL Client Context with CA’. Click to select the appropriate setting container, then click the button to export the Certificate Authority.

How do I import my organization's Microsoft Certificate Authority onto my Web Gateway appliance?
If you prefer to use a trusted Microsoft CA over the provided Web Gateway CA, see KnowledgeBase article KB75037, How to create and import a Microsoft Subordinate Certificate Authority (Sub CA) for MWG7, for instructions on importing your organization’s Microsoft CA to your Web Gateway appliance.

Can I use a web server cert? What about a public CA?
No. A server certificate does not have the ability to sign certificates for arbitrary hosts. A server certificate is tied to a single host. Because Web Gateway must issue and sign certificates for a variety of hosts, you need a CA. A public CA cannot be used, because most customers are not able to get a CA certificate from public providers (Thawte, Verisign, GoDaddy, etc.). If you do receive a certificate from one of these providers, it is a ‘web server’ certificate, not a ‘Certificate Authority’ certificate.

Can I configure Web Gateway to perform content inspection and not certificate verification - or vice versa?
It is no issue to perform certificate verification and not content inspection. This still provides strong protection against phishing. While it is possible to perform content inspection and not perform certificate verification, McAfee strongly warns against this due to security concerns. It is required that the SSL Client Context with CA event be set (usually done in the Handle CONNECT Call rule set). For information about how the rule set would look, see https://community.mcafee.com/docs/DOC-5212.

What if I do not want to use any element of the SSL Scanner? Can I still block HTTPS traffic?
Web Gateway can still block hosts; however, users will not see a block page. Instead, they will see a browser warning. In transparent deployments, user authentication will not function, and you must block/allow based on IP address, not hostname.

I would like to apply URL path filtering, but just for a specific site. How can I do this?
You can configure the elements as though they would affect all sites. Then, at the top level SSL Scanner rule set, apply criteria to match only the specific host. In a transparent configuration, you must match on the IP.

Do applications like Citrix or WebEx work with the SSL Scanner?
No. Citrix and WebEx type software does not work with the SSL Scanner because the SSL Scanner allows Web Gateway to scan HTTP traffic that is inside an SSL Tunnel. While both Citrix and WebEx use SSL Tunnels to connect, the data inside is not HTTP data, but each company’s respective protocol. As such, these connections must be bypassed from all elements of SSL Scanning. Take a look at this article for an example of using McAfee Subscribed Lists to whitelist/blacklist these types of connections.



Cyberfacts: Android Malware Affects Users Globally

Over the past few years, the Android mobile platform has grown exponentially, which, as Daniela Ramirez points out in her recent blog, “Variety of Android Threats Extends Around the World,” means that there is an increase in developers creating not only new innovative applications, but malicious ones as well. These threats are affecting users across the globe. Some of the threats include:

  • Obad – This is a complex mobile malware program that uses Bluetooth to infect other Android devices, accepts commands from the attacker and hides from the Device Administrator list
  • GinMaster – This mobile malware family is prevalent in China and appears in Trojanized applications where it steals sensitive information
  • Adware – These Trojans, such as FakeRun or AdwoLeaker, are widespread across the United States, India and Japan, and use dummy applications that advertise functionality but only display ads, thus making money for their creators
  • Premium-rate SMS Trojans – These Trojans, prevalent throughout the world, masquerade as wallpaper apps or battery saver apps, but are actually malware that sends SMS messages to premium-rate phone numbers that essentially steal users’ money.


More information on threats posed to Android mobile platforms can be found on the McAfee website.



Security Insight: McAfee Releases Second Quarter Threats Report

McAfee Labs researchers have analyzed the threats of the second quarter of 2013 and have reported that the global cybercriminal community pursued four primary strategies to extract currency and confidential information from their victims. Their tactics included:

  • Aggressive attacks on users of Android-based mobile devices
  • Significant expansion of malicious or infected websites to distribute malware
  • High-volume spam campaigns promoting bogus pharmaceutical drug offers
  • Extensive use of ransomware to extract currency from victims

Each of these trends targets very different victims with distinct attack tactics, but each carries its own dangers for both individuals and enterprises. In addition to these attacks on consumers and enterprises, the cybercriminal and hacktivist communities also launched significant attacks on the Bitcoin infrastructure and a broad range of targets in the Middle East, reflecting the ongoing conflict in that region.

An executive summary of the report can be found here, and the full report can be accessed here.



MS Patch Update: September Release

Microsoft released 13 patches addressing 47 individual vulnerabilities. Four patches are identified Critical and the remainder are Important. This month’s patches are as follows:

  • MS13-067 - Vulnerabilities in Microsoft SharePoint Server Could Allow Remote Code Execution (2834052)
  • MS13-068 - Vulnerability in Microsoft Outlook Could Allow Remote Code Execution (2756473)
  • MS13-069 - Cumulative Security Update for Internet Explorer (2870699)
  • MS13-070 - Vulnerability in OLE Could Allow Remote Code Execution (2876217)
  • MS13-071 - Vulnerability in Windows Theme File Could Allow Remote Code Execution (2864063)
  • MS13-072 - Vulnerabilities in Microsoft Office Could Allow Remote Code Execution (2845537)
  • MS13-073 - Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution (2858300)
  • MS13-074 - Vulnerabilities in Microsoft Access Could Allow Remote Code Execution (2848637)
  • MS13-075 - Vulnerability in Microsoft Office IME (Chinese) Could Allow Elevation of Privilege (2878687)
  • MS13-076 - Vulnerabilities in Kernel-Mode Drivers Could Allow Elevation of Privilege (2876315)
  • MS13-077 - Vulnerability in Windows Service Control Manager Could Allow Elevation of Privilege (2872339)
  • MS13-078 - Vulnerability in FrontPage Could Allow Information Disclosure (2825621)
  • MS13-079 - Vulnerability in Active Directory Could Allow Denial of Service (2853587)


The four critical patches are worth highlighting:

  • MS13-069 consists of patches for 10 critical memory corruption vulnerabilities found in all supported versions of Internet Explorer. This update fixes multiple remote code execution vulnerabilities. The likely attack vector for these vulnerabilities is a malicious webpage or possibly a spear-phishing email.
  • MS13-067 consists of patches for 10 critical vulnerabilities found in SharePoint 2003, 2007, 2010, and 2013, along with Office Web Apps 2010. This update fixes multiple elevations of privilege vulnerabilities that could allow an attacker to execute code in the environment of another SharePoint user. In certain situations where the default authentication mechanism has been changed, an attacker may be able to take control of the server.
  • MS13-068 is only for Outlook 2007 and 2010 email clients. This privately reported vulnerability can be used by an attacker to execute arbitrary code as the currently logged-in user. The exploit can be leveraged without a user’s interaction by creating a malicious S/MIME message to send to the potential targeted victim. Once the email is opened, the user’s system is compromised, allowing the attacker to run code as the user.
  • MS13-070 is a privately reported vulnerability in the OLE. This vulnerability could allow remote code execution if the user opens a file that contains an OLE object crafted to take advantage of this exploit. The most likely vector would be a Visio file, which can be viewed by the Explorer 'Preview' function.


Aggregate coverage (combining host- and network-based countermeasures) is 36 out of 47, including coverage for MS13-069, MS13-070, and MS13-068. Related vulnerabilities are covered by the following McAfee endpoint security software and NSP (McAfee IPS):

  • BOP (Buffer Overflow Protection w/ VSE)
  • HIPS
  • NSP
  • App Control


Additional research is being performed by McAfee Labs, and coverage may improve as additional results become available. You can find details on the McAfee Threat Center.



Latest News/Resources

Releases, Patches, and Hotfixes
PD24657 - EMM Secure Container 2.3.10 (Android)
KB79177 - EMM C2DM Service Interruption Patch
PD24642 - Endpoint Encryption for Files and Folders 4.2
PD24664 - SiteAdvisor Enterprise 3.5 Patch 2
KB73044 - McAfee Get Clean 1.0
PD24661 - Endpoint Encryption for PC 7.0 Patch 2

Upcoming Events
McAfee FOCUS’13, October 1-3, Las Vegas
FOCUS’13 features over 70 targeted, highly technical sessions in ten tracks — comprehensive Malware Protection; Data Center; Endpoint Security; McAfee Labs, Mobile Safety; Network Security; Public Sector; Situational Awareness; Security Connected; and Web/Cloud Security for Business. To see more details, go to http://www.mcafeefocus.com/focus2013/BreakoutSessions.aspx.

Upcoming McAfee Analyst Webinars
The Security Impact of Employee-Deployed Cloud Applications
Wednesday, September 18, 11:00-12:00pm PDT - Register
Join McAfee and Frost & Sullivan as they discuss enabling employee access to cloud applications while protecting data, maintaining network application control, and achieving compliance.

Seven Benefits of Managing Mobile Devices as Another Endpoint
Tuesday, October 8, 11:00-12:00pm PDT - Register
Join McAfee and Forrester Research as they discuss best practices in architecting a safe working environment for enterprise mobile users that is simplified, scalable, and affordable.

Recent Releases and Announcements
McAfee Stinger 12.0 Now Available
McAfee Stinger is a standalone utility used to detect and remove specific viruses. Stinger 12.0 optimizes scanning, enhances the user interface and experience and scans and remediates an infected computer in approximately fifteen minutes. This tool is not a substitute for full anti-virus protection, but a specialized tool to assist administrators and users when dealing with infected systems. Stinger utilizes next-generation scan technology, including rootkit scanning, and scans performance optimizations. To obtain Stinger, go to http://stinger.mcafee.com.

McAfee Get Clean 1.0 Now Available
McAfee GetClean is now available free of charge to all Enterprise customers. GetClean is a McAfee Labs initiative that collects known good files from customers to avoid false positives in the field. Instead of submitting entire COE images, customers can run McAfee GetClean on their Windows COE gold master image files or known clean software repositories. The tool takes a couple of clicks to run, and simplifies the submission process. It sends only those files which are unknown to McAfee Global Threat Intelligence File Reputation, thus eliminating redundant files being submitted and saving network bandwidth. Customers can review the files being submitted prior to the submission to McAfee. For full details, view KnowledgeBase Article KB73044. Customers who have a valid Gold Support or Platinum Support Grant Number can download GetClean from the McAfee Downloads site.

McAfee Blogs
Aug 28 - Seven Myths of Advanced Malware — Myth #2: Sandboxing Blocks Malware
Sandboxing is a great offline discovery tool that isolates unknown or suspicious files in a virtual environment where they can be examined in greater detail; however, most sandboxes only analyze a copy of the file, while the original file is sent on its way to the target endpoint.

Aug 26 - Game Theory And Training
The Ultimate Hacking: Human course, was developed by McAfee/Foundstone as a primer for organizations on how to identify, prevent, and secure themselves from the human element of hacking. This intense, two day course covers all forms of social engineering and how to incorporate the tools and techniques into a security awareness program.

Aug 21 - Bitcoin Headlines Attract Malware Developers
Bitcoin issues have been front-page news in recent months, especially after its surprising April exchange rate. In this blog, Senior Threat Researcher Francois Paget examines these issues more closely.

Aug 2 - Java Back Door Acts as Bot
The current threat landscape is often driven by web-based malware and exploit kits that are regularly updated with newly found vulnerabilities. Recently, we received an interesting malware binary–a JAR package that opens a back door for an attacker to execute commands and acts as a bot after infection.

End of Life Announcements
2013
Aug 29 - GTI Proxy (Added support for ePO 4.6)
Aug 30 - McAfee Endpoint Protection for Mac AND VirusScan for Mac 9.0 (formerly Virex); Security for Microsoft SharePoint 2.0 (formerly PortalShield)
Oct 15 - NW Threat Response Traffic Filter, Sig. Service, Sig. Studio (all versions)
Oct 23 - EMM 10.0.x and 10.1.x
Oct 31 - Endpoint Encryption for Files and Folders 3.1.x
Nov 26 - Database Activity Monitoring / McAfee Virtual Patching for Databases 4.2.1
Nov 26 - Vulnerability Manager for Databases 4.2.1
Dec 31 - ePolicy Orchestrator (ePO 4.5); Web Gateway 7.1.x; Webwasher 6.9.x; ePO Deep Command 1.0; Application Control 5.1.x; Change Control 5.1.x; Embedded Control 5.1.x; Change Reconciliation 6.0 and older

2014
Feb 17 - Database Activity Monitoring / McAfee Virtual Patching for Databases 4.3.0; Vulnerability Manager for Databases 4.3.0
Mar 28 - Management for Optimized Virtual Environments 2.6 (MOVE)
Mar 31 - Endpoint Encryption for Files and Folders 3.2.0 – 3.2.7; Endpoint Encryption for PCs 6.1.x, 6.2.x, 5.2.0 – 5.2.5; EE for Mac 1.1.x, 6.2.x; Security for Microsoft Exchange 7.0.1, 7.0.2 (formerly GroupShield for MS Exchange)
Apr 30 - Cloud Identity Manager 3.5.1 and older
Jun 7 - McAfee Device Control 9.1
Jun 15 - VirusScan Enterprise for Linux (LinuxShield) 1.6
Jun 30 - Security for Lotus Domino on Linux (MSDL) 7.5 and 7.5.1
Aug 10 - SmartFilter 4.2.x
Aug 30 - Total Protection for Internet Gateways
Oct 15 - Network Threat Response Software 3.x

See the Product End of Life web page for more details.


Places to Go

McAfee Community Forums
McAfee Labs Security Advisories (subscription page)
McAfee Labs AudioParasitics Podcasts
McAfee ServicePortal
McAfee Product Downloads, Free Security Trials & Tools
Product End of Life
DAT Release Notes
Submit a Virus or Malware Sample
McAfee Stinger Virus Removal Tool
McAfee Free Tools
McAfee Security Connected Reference Architecture



Coming in October

Product Focus: ePolicy Orchestrator
ePolicy Orchestrator is the most advanced, extensible and scalable centralized security management software in the industry. Next month, experts will discuss new features of and migration to ePO 5.0 as well as competing repository population methods.

Tell us what you think about the McAfee SNS Journal. What products or topics do you want to hear about? Visit us at https://community.mcafee.com/community/business/support/sns, or email us at sns@mcafee.com.


To unsubscribe from the SNS Journal, click here. To unsubscribe from SNS, click here. For technical support, go to mysupport.mcafee.com. (Platinum Support Customers - contact your SAM for high severity issues. For other technical issues, call your Product Specialist Team or go to platinum.mcafee.com). McAfee Community: https://community.mcafee.com.

McAfee, Inc. | 2821 Mission College Blvd. | Santa Clara, CA | 95054 | 888.847.8766 | www.mcafee.com  © 2013. McAfee, Inc. All rights reserved.
