SNS Journal (September 2013)
A monthly review of best practices & security insights to help you get the most from your McAfee products
IN THIS ISSUE
Product Focus: McAfee Web Gateway SSL Scanner
This month, Web Gateway team members Jen Hulting, Darin Shock, and Steve Goers break down this powerful feature into a set of tools that can benefit every Web Gateway Administrator.
The McAfee Web Gateway SSL Scanner is a complex feature set that frequently raises questions such as “Do I need it?”, “How do I use it?”, “What if I don't want to do SSL inspection?”, and “Where do I put the rule set?”
The bottom line is if Web Gateway needs to do anything other than pass along HTTPS requests, then you will need some tools to properly handle different aspects of the HTTPS connection. Below, we break down the components of the Web Gateway SSL Scanner to help you better understand why you would use them.
The following are examples of use cases where SSL Scanner tools are required:
Breaking down the SSL Scanner into tools
The SSL Scanner is not a single function, but a “toolbox” that contains components for interacting with and filtering HTTPS traffic.
Note that the default SSL Scanner rule included in Web Gateway’s Rule Set Library has every component enabled. This is not a requirement, and you may choose to use only the components you need. Likely, you’ll just have to make a few minor rule set criteria modifications.
In addition, it is simple to apply the SSL Scanner to specific clients or categories. In fact, when rolling this out, McAfee recommends that you initially limit tests to particular client IP addresses rather than globally introducing it to all connections.
The SSL Scanner Tools
Rule Set Criteria Examples
For more Web Gateway rule set examples that outline the rules and rule placement needed to implement combinations of the SSL Scanner tools, visit the McAfee Community.
Client considerations for SSL Scanner
Regardless of deployment method, when a client workstation makes an HTTPS request, it expects a certificate to be presented as part of the response. Additionally, the client expects:
The first requirement can easily be met by pushing out Web Gateway’s CA to clients (via Group Policy) or by importing a trusted CA (such as an internal Microsoft CA) to Web Gateway.
See the FAQs below for information about importing a Microsoft CA. The second requirement is usually met without issue for explicit (direct) proxy clients. For transparent clients, however, either Server Name Indication (SNI) or certificate verification with a fixed host name rule can be used. For more information, see the Best Practices Guide.
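The two client expectations described above (an issuing CA the workstation already trusts, and a certificate whose name covers the host the client actually asked for) can be modelled as a small check. The following is an added example and not Web Gateway or McAfee code: the certificate dicts, issuer names, hostnames and the 203.0.113.10 address are constructed, issuer trust is reduced to a set of issuer names standing in for the trust store a Group Policy push populates, and the name matching follows the RFC 6125 rules browsers apply to SAN and CN entries. It also models the transparent case referred to in the FAQs below, under the assumption that with no SNI available the gateway can only name the destination IP, so a client that asked for a hostname sees a name-mismatch warning rather than a block page.

```python
"""Model of the two checks a client applies to the certificate it is shown.

Added illustration, not McAfee or Web Gateway code. A certificate is a plain
dict shaped like ssl.SSLSocket.getpeercert() output; issuer trust is modelled
as a set of issuer names (standing in for the trust store a GPO populates), and
name matching follows the RFC 6125 rules browsers apply to SAN/CN entries.
"""
import ipaddress

# Constructed sample data; none of these names belong to a real deployment.
TRUSTED_ISSUERS = {"CN=Example Corp Web Gateway CA"}   # CA pushed to clients via GPO

# Certificate the gateway issues for an explicit-proxy client that asked for
# www.example.test by name, signed by the CA that was distributed to clients.
CERT_OK = {
    "issuer": "CN=Example Corp Web Gateway CA",
    "subject": "CN=www.example.test",
    "subjectAltName": (("DNS", "www.example.test"), ("DNS", "*.example.test")),
}

# Same certificate, but signed by a CA that was never distributed to clients.
CERT_UNTRUSTED = dict(CERT_OK, issuer="CN=Undistributed Test CA")

# Assumed transparent deployment without SNI: the gateway only knows the
# destination IP, so the issued certificate can only name that IP.
CERT_IP_ONLY = {
    "issuer": "CN=Example Corp Web Gateway CA",
    "subject": "CN=203.0.113.10",
    "subjectAltName": (("IP Address", "203.0.113.10"),),
}


def dns_pattern_matches(pattern: str, host: str) -> bool:
    """RFC 6125 matching: case-insensitive; '*' may only stand for the whole
    leftmost label and must leave at least two fixed labels to its right."""
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels = pattern.split(".")
    h_labels = host.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or "*" in pattern[1:]:
        return False                     # partial or nested wildcards rejected
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def names_in(cert: dict):
    """Names a client compares against: SAN entries, falling back to the
    subject CN only when the certificate carries no SAN at all."""
    dns, ips = [], []
    for kind, value in cert.get("subjectAltName", ()):
        if kind == "DNS":
            dns.append(value)
        elif kind == "IP Address":
            ips.append(value)
    if not dns and not ips and cert.get("subject", "").startswith("CN="):
        dns.append(cert["subject"][3:])
    return dns, ips


def name_matches(cert: dict, requested_host: str) -> bool:
    """True if the host the client asked for is covered by the certificate."""
    dns, ips = names_in(cert)
    try:
        wanted_ip = ipaddress.ip_address(requested_host)
    except ValueError:
        wanted_ip = None
    if wanted_ip is not None:            # literal IP: only IP SANs count
        return any(ipaddress.ip_address(v) == wanted_ip for v in ips)
    return any(dns_pattern_matches(p, requested_host) for p in dns)


def client_outcome(cert: dict, requested_host: str, trusted_issuers) -> str:
    """What the browser does with the gateway's certificate: accept it, or
    show a warning, with the reason for the warning."""
    if cert.get("issuer") not in trusted_issuers:
        return "warning: untrusted issuer"
    if not name_matches(cert, requested_host):
        return "warning: name mismatch"
    return "ok"


if __name__ == "__main__":
    for cert, host in ((CERT_OK, "shop.example.test"),
                       (CERT_UNTRUSTED, "www.example.test"),
                       (CERT_IP_ONLY, "mail.example.test")):
        print(f"{host:22s} -> {client_outcome(cert, host, TRUSTED_ISSUERS)}")
```

The first case passes because the wildcard entry covers one extra leftmost label; the second fails on issuer trust before the name is even examined, which is the situation a missing CA push produces; the third fails on the name even though the CA is trusted, which is why transparent deployments need SNI or a fixed host name rule to issue a certificate the client will accept.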
Ask the Experts: Web Gateway SSL Scanner FAQs
I want to use Web Gateway’s Root CA on my end users’ browsers – where can I download it?
McAfee strongly recommends that you generate a new CA on Web Gateway to ensure yours is unique. You can find specific information on this in chapter 10 of the Web Gateway Product Guide, in the section that addresses SSL Scanning. To download the CA to push out to clients, open the Web Gateway UI, navigate to ‘Policy’, then the ‘Settings’ tab, select ‘Engines’, then ‘SSL Client Context with CA’. Click to select the appropriate setting container, then click the button to export the Certificate Authority.
How do I import my organization's Microsoft Certificate Authority onto my Web Gateway appliance?
If you prefer to use a trusted Microsoft CA over the provided Web Gateway CA, see KnowledgeBase article KB75037 - How to create and import a Microsoft Subordinate Certificate Authority (Sub CA) for MWG7, for instructions on importing your organization’s Microsoft CA to your Web Gateway appliance.
Can I use a web server cert? What about a public CA?
No. A server certificate does not have the ability to sign certificates for arbitrary hosts. A server certificate is tied to a single host. Because Web Gateway must issue and sign certificates for a variety of hosts, you need a CA. A public CA cannot be used, because most customers are not able to get a CA certificate from public providers (Thawte, Verisign, GoDaddy, etc.). If you do receive a certificate from one of these providers, it is a ‘web server’ certificate, not a ‘Certificate Authority’ certificate.
Can I configure Web Gateway to perform content inspection and not certificate verification - or vice versa?
Performing certificate verification without content inspection is fine, and still provides strong protection against phishing. While it is possible to perform content inspection without certificate verification, McAfee strongly warns against this due to security concerns. In either case, the SSL Client Context with CA event must be set (usually done in the Handle CONNECT Call rule set). For information about how the rule set would look, see https://community.mcafee.com/docs/DOC-5212.
What if I do not want to use any element of the SSL Scanner? Can I still block HTTPS traffic?
Web Gateway can still block hosts; however, users will not see a block page. Instead, they will see a browser warning. In transparent deployments, user authentication will not function, and you must block/allow based on IP address, not hostname.
I would like to apply URL path filtering, but just for a specific site. How can I do this?
You can configure the elements as though they would affect all sites. Then, at the top level SSL Scanner rule set, apply criteria to match only the specific host. In a transparent configuration, you must match on the IP.
Do applications like Citrix or WebEx work with the SSL Scanner?
No. Citrix- and WebEx-type software does not work with the SSL Scanner, because the SSL Scanner allows Web Gateway to scan HTTP traffic that is inside an SSL tunnel. While both Citrix and WebEx use SSL tunnels to connect, the data inside is not HTTP data, but each company’s respective protocol. As such, these connections must be bypassed from all elements of SSL Scanning. Take a look at this article for an example of using McAfee Subscribed Lists to whitelist/blacklist these types of connections.
Cyberfacts: Android Malware Affects Users Globally
Over the past few years, the Android mobile platform has grown exponentially, which, as Daniela Ramirez points out in her recent blog, “Variety of Android Threats Extends Around the World,” means that there is an increase in developers creating not only new innovative applications, but malicious ones as well. These threats are affecting users across the globe. Some of the threats include:
More information on threats posed to Android mobile platforms can be found on the McAfee website.
Security Insight: McAfee Releases Second Quarter Threats Report
McAfee Labs researchers have analyzed the threats of the second quarter of 2013 and have reported that the global cybercriminal community pursued four primary strategies to extract currency and confidential information from their victims. Their tactics included:
Each of these trends targets very different victims with distinct attack tactics, but each carries its own dangers for both individuals and enterprises. In addition to these attacks on consumers and enterprises, the cybercriminal and hacktivist communities also launched significant attacks on the Bitcoin infrastructure and a broad range of targets in the Middle East, reflecting the ongoing conflict in that region.
An executive summary of the report can be found here, and the full report can be accessed here.
MS Patch Update: September Release
Microsoft released 13 patches addressing 47 individual vulnerabilities. Four patches are rated Critical and the remainder are Important. This month’s patches are as follows:
The four critical patches are worth highlighting:
Aggregate coverage (combining host- and network-based countermeasures) is 36 out of 47, including coverage for MS13-069, MS13-070, and MS13-068. Related vulnerabilities are covered by the following McAfee endpoint security software and NSP (McAfee IPS):
Additional research is being performed by McAfee Labs, and coverage may improve as additional results become available. You can find details on the McAfee Threat Center.
Releases, Patches, and Hotfixes
PD24657 – EMM Secure Container 2.3.10 (Android)
KB79177 – EMM C2DM Service Interruption Patch
PD24642 – Endpoint Encryption for Files and Folders 4.2
PD24664 – SiteAdvisor Enterprise 3.5 Patch 2
KB73044 – McAfee Get Clean 1.0
PD24661 – Endpoint Encryption for PC 7.0 Patch 2
McAfee FOCUS’13, October 1-3, Las Vegas
FOCUS’13 features over 70 targeted, highly technical sessions in ten tracks — Comprehensive Malware Protection; Data Center; Endpoint Security; McAfee Labs; Mobile Safety; Network Security; Public Sector; Situational Awareness; Security Connected; and Web/Cloud Security for Business. To see more details, go to http://www.mcafeefocus.com/focus2013/BreakoutSessions.aspx.
Upcoming McAfee Analyst Webinars
The Security Impact of Employee-Deployed Cloud Applications
Wednesday, September 18, 11:00-12:00pm PDT - Register
Join McAfee and Frost & Sullivan as they discuss enabling employee access to cloud applications while protecting data, maintaining network application control, and achieving compliance.
Seven Benefits of Managing Mobile Devices as Another Endpoint
Tuesday, October 8, 11:00-12:00pm PDT - Register
Join McAfee and Forrester Research as they discuss best practices in architecting a safe working environment for enterprise mobile users that is simplified, scalable, and affordable.
Recent Releases and Announcements
McAfee Stinger 12.0 Now Available
McAfee Stinger is a standalone utility used to detect and remove specific viruses. Stinger 12.0 optimizes scanning, enhances the user interface and experience, and scans and remediates an infected computer in approximately fifteen minutes. This tool is not a substitute for full anti-virus protection, but a specialized tool to assist administrators and users when dealing with infected systems. Stinger utilizes next-generation scan technology, including rootkit scanning and scan performance optimizations. To obtain Stinger, go to http://stinger.mcafee.com.
McAfee Get Clean 1.0 Now Available
McAfee GetClean is now available free of charge to all Enterprise customers. GetClean is a McAfee Labs initiative that collects known good files from customers to avoid false positives in the field. Instead of submitting entire COE images, customers can run McAfee GetClean on their Windows COE gold master image files or known clean software repositories. The tool takes a couple of clicks to run, and simplifies the submission process. It sends only those files which are unknown to McAfee Global Threat Intelligence File Reputation, thus eliminating redundant files being submitted and saving network bandwidth. Customers can review the files being submitted prior to the submission to McAfee. For full details, view KnowledgeBase Article KB73044. Customers who have a valid Gold Support or Platinum Support Grant Number can download GetClean from the McAfee Downloads site.
Aug 28 - Seven Myths of Advanced Malware — Myth #2: Sandboxing Blocks Malware
Sandboxing is a great offline discovery tool that isolates unknown or suspicious files in a virtual environment where they can be examined in greater detail; however, most sandboxes only analyze a copy of the file, while the original file is sent on its way to the target endpoint.
Aug 26 - Game Theory And Training
The Ultimate Hacking: Human course was developed by McAfee/Foundstone as a primer for organizations on how to identify, prevent, and secure themselves from the human element of hacking. This intense, two-day course covers all forms of social engineering and how to incorporate the tools and techniques into a security awareness program.
Aug 21 - Bitcoin Headlines Attract Malware Developers
Bitcoin issues have been front-page news in recent months, especially after its surprising April exchange rate. In this blog, Senior Threat Researcher Francois Paget examines these issues more closely.
Aug 2 - Java Back Door Acts as Bot
The current threat landscape is often driven by web-based malware and exploit kits that are regularly updated with newly found vulnerabilities. Recently, we received an interesting malware binary, a JAR package that opens a back door for an attacker to execute commands and acts as a bot after infection.
End of Life Announcements
Aug 29 - GTI Proxy (Added support for ePO 4.6)
Aug 30 - McAfee Endpoint Protection for Mac AND VirusScan for Mac 9.0 (formerly Virex); Security for Microsoft SharePoint 2.0 (formerly PortalShield)
Oct 15 - NW Threat Response Traffic Filter, Sig. Service, Sig. Studio (all versions)
Oct 23 - EMM 10.0.x and 10.1.x
Oct 31 - Endpoint Encryption for Files and Folders 3.1.x
Nov 26 - Database Activity Monitoring / McAfee Virtual Patching for Databases 4.2.1
Nov 26 - Vulnerability Manager for Databases 4.2.1
Dec 31 - ePolicy Orchestrator (ePO 4.5); Web Gateway 7.1.x; Webwasher 6.9.x; ePO Deep Command 1.0; Application Control 5.1.x; Change Control 5.1.x; Embedded Control 5.1.x; Change Reconciliation 6.0 and older
Feb 17 - Database Activity Monitoring / McAfee Virtual Patching for Databases 4.3.0; Vulnerability Manager for Databases 4.3.0
Mar 28 - Management for Optimized Virtual Environments 2.6 (MOVE)
Mar 31 - Endpoint Encryption for Files and Folders 3.2.0 – 3.2.7; Endpoint Encryption for PCs 6.1.x, 6.2.x, 5.2.0 – 5.2.5; EE for Mac 1.1.x, 6.2.x; Security for Microsoft Exchange 7.0.1, 7.0.2 (formerly GroupShield for MS Exchange)
Apr 30 - Cloud Identity Manager 3.5.1 and older
Jun 7 - McAfee Device Control 9.1
Jun 15 - VirusScan Enterprise for Linux (LinuxShield) 1.6
Jun 30 - Security for Lotus Domino on Linux (MSDL) 7.5 and 7.5.1
Aug 10 - SmartFilter 4.2.x
Aug 30 - Total Protection for Internet Gateways
Oct 15 - Network Threat Response Software 3.x
See the Product End of Life web page for more details.
Places to Go
McAfee Community Forums
McAfee Labs Security Advisories (subscription page)
McAfee Labs AudioParasitics Podcasts
McAfee Product Downloads, Free Security Trials & Tools
Product End of Life
DAT Release Notes
Submit a Virus or Malware Sample
McAfee Stinger Virus Removal Tool
McAfee Free Tools
McAfee Security Connected Reference Architecture
Coming in October
Product Focus: ePolicy Orchestrator
ePolicy Orchestrator is the most advanced, extensible and scalable centralized security management software in the industry. Next month, experts will discuss new features of and migration to ePO 5.0 as well as competing repository population methods.
Tell us what you think about the McAfee SNS Journal. What products or topics do you want to hear about? Visit us at https://community.mcafee.com/community/business/support/sns, or email us at email@example.com.
To unsubscribe from the SNS Journal, click here. To unsubscribe from SNS, click here. For technical support, go to mysupport.mcafee.com. (Platinum Support Customers - contact your SAM for high severity issues. For other technical issues, call your Product Specialist Team or go to platinum.mcafee.com). McAfee Community: https://community.mcafee.com.
McAfee, Inc. | 2821 Mission College Blvd. | Santa Clara, CA | 95054 | 888.847.8766 | www.mcafee.com © 2013. McAfee, Inc. All rights reserved.