11 Replies. Latest reply: Dec 6, 2012 12:07 PM by bragot

    hardening webwasher

    Ahmed Eissa

      Hey all

      Please i need urgent help

       

      I need to know the hardening standards for Webwasher.

      Could u please help meeeeeee ??????????????

        • 1. Re: hardening webwasher
          asabban

          Hi Ahmed,

           

          I don't think that we already have a document that describes hardening, but I want to mention some ideas for hardening:

           

          - Use multiple NICs and associate services with them. You do have more than one NIC in your Appliance, so you should use them. I would specify separate NICs for the Proxy Traffic and for internal traffic, such as Cluster Communication and GUI accesses. In each "Port" field in the MWG configuration you can change the Port (for example "9090") to IP:Port (for example "192.168.0.1:9090"). Doing so, you can ensure that end-users are not able to access the Admin interface, even from a network perspective, by choosing a NIC that is only accessible for your Admin users.

           

          - The same should apply to the SSH service running on the MWG. By default it binds to any available IP address. Since we do not want to play around with the SSH configuration file, I would recommend using the Network Protection feature to restrict port 22 accesses. Doing so will prevent the majority of users from even seeing a Logon prompt on port 22, which is good for security.

           

          By default there are no further services running on the appliance. Just to be really sure you can use a Firewall or the Web Gateway Network Protection to block all accesses but those pointing to your proxy port, at least for the NIC pointing to your users.

           

          Doing so should give you a better feeling. I hope it helps to get started.

           

          Best,

          Andre
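
The binding advice in the reply above can be checked on any Linux host by auditing which listeners are reachable on the user-facing address. This is an added example, not part of the original post and not McAfee code; the `ss` output is constructed, and the user-facing IP 10.1.1.5 and the admin GUI port 8443 are assumptions (192.168.0.1 and 9090 are the reply's own example values).

```python
import ipaddress

# Constructed sample of `ss -H -ltn` output (not captured from a real appliance).
# Assumed layout: 192.168.0.1 = admin NIC, 10.1.1.5 = user-facing NIC,
# 9090 = proxy port, 8443 = hypothetical admin GUI port.
SAMPLE_SS = """\
LISTEN 0 128 10.1.1.5:9090 0.0.0.0:*
LISTEN 0 128 192.168.0.1:8443 0.0.0.0:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 127.0.0.1:8000 0.0.0.0:*
LISTEN 0 128 [::]:22 [::]:*
"""

def parse_listeners(ss_output):
    """Yield (host, port) for each LISTEN line of `ss -H -ltn` output."""
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        # Local address is the 4th column; split on the last ':' so IPv6 works.
        host, _, port = fields[3].rpartition(":")
        # Drop IPv6 brackets and any %interface suffix.
        yield host.strip("[]").split("%")[0], int(port)

def is_wildcard(host):
    """True for '*', 0.0.0.0 and ::, i.e. a bind to every address."""
    return host == "*" or ipaddress.ip_address(host).is_unspecified

def exposed_to_users(ss_output, user_ip, allowed_ports):
    """Return listeners reachable on user_ip whose port is not allowed.

    Wildcard binds count as reachable (conservative: an IPv6 wildcard is
    flagged too). Only bind scope is checked, not packet filtering.
    """
    findings = []
    for host, port in parse_listeners(ss_output):
        reachable = is_wildcard(host) or host == user_ip
        if reachable and port not in allowed_ports:
            findings.append((host, port))
    return findings

if __name__ == "__main__":
    for host, port in exposed_to_users(SAMPLE_SS, "10.1.1.5", {9090}):
        print(f"listener {host}:{port} is reachable from the user network")
```

A listener flagged here may still be blocked by a firewall or the Network Protection feature; the script reports bind scope only, so treat a finding as a prompt to confirm the filter rule exists.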

          • 2. Re: hardening webwasher
            Ahmed Eissa

            You talked about two things:

             

            - Connecting through SSH

            - Availability through more NIC cards

              I think it is done by default in our enterprise. Are there more specific guidelines, like Cisco hardening ....

            I think a big enterprise like McAfee should have hardening standards.... Do you agree with me?

            Thanks for your post, I really do appreciate it.

            • 3. Re: hardening webwasher
              asabban

              Hello Ahmed,

               

              I think basically you have some company-related guidelines to ensure that the "normal user" is kept away from everything that may be critical, such as SSH. I think this has already been done in this case, which is good.

               

              I agree that having a document that gives more hints on this topic and/or defines a standard "lock down" policy would be very helpful to customers. Unfortunately we currently don't have one, and it is not up to me to decide if this should/can be done or not. I would recommend filing your request as an FMR, to have it officially recorded. To do so, please describe your wish/requirement on

               

              https://secure.mcafee.com/apps/downloads/products/products-enhancement-request.aspx?region=us

               

              Best regards,

              Andre

              • 4. Re: hardening webwasher
                productivityenhancer

                The network protection "feature" broke our setup with WCCP, so we had to be creative in how we were going to protect the appliances. You can modify hosts.allow and hosts.deny to restrict SSH access, change the HTTPS connector interface to localhost, and then tunnel your SSH connection to your mgmt port listening on localhost.

                • 5. Re: hardening webwasher
                  Jon Scholten

                  The issue with network protection and wccp should be addressed in 7.1.6 (Currently in beta). To productivityenhancer, did you already have a case open for that issue? If so let me know the SR #.

                   

                  ~Jon

                  • 6. Re: hardening webwasher
                    michael_schneider

                    Hardening snippet from an internal document. Use at your own risk and without warranty.

                     

                    Michael

                    • 7. Re: hardening webwasher
                      productivityenhancer

                      Hey Jon, we had a ticket opened for it and you were the engineer who assisted us after looking back on it! Thanks again!

                      • 8. Re: hardening webwasher
                        Ahmed Eissa

                        @Jon

                        I opened a ticket today with a product enhancement request ......

                        Could you please give me a link or attach the file so it can be easily viewed?

                        • 9. Re: hardening webwasher
                          michael_schneider

                          Hi Ahmed,

                           

                          A request for what exactly? Did you review the document I attached three posts above? Is this what you are looking for?

                           

                          Thanks,

                          Michael
