2266 Views 11 Replies Latest reply: Dec 6, 2012 12:07 PM by bragot
Ahmed Eissa Apprentice 53 posts since
Nov 14, 2011

Nov 15, 2011 4:45 AM

hardening webwasher

Hey all,

Please, I need urgent help.

I need to know the hardening standards for Webwasher.

Could you please help me?

  • asabban McAfee SME 1,357 posts since
    Nov 3, 2009
    1. Nov 15, 2011 6:42 AM (in response to Ahmed Eissa)
    Re: hardening webwasher

    Hi Ahmed,

     

    I don't think that we already have a document that describes hardening, but I want to mention some ideas for hardening:

    - Use multiple NICs and associate services with them. You do have more than one NIC in your appliance, so you should use them. I would specify separate NICs for the proxy traffic and for internal traffic, such as cluster communication and GUI access. In each "Port" field in the MWG configuration you can change the port (for example "9090") to IP:Port (for example "192.168.0.1:9090"). Doing so, you can ensure that end users are not able to access the admin interface, even from a network perspective, by choosing a NIC that is only accessible to your admin users.

    - The same should apply to the SSH service running on the MWG. By default it binds to any available IP address. Since we do not want to play around with the SSH configuration file, I would recommend using the Network Protection feature to restrict access to port 22. Doing so will prevent the majority of users from even seeing a logon prompt on port 22, which is good for security.

     

    By default there are no further services running on the appliance. Just to be really sure you can use a Firewall or the Web Gateway Network Protection to block all accesses but those pointing to your proxy port, at least for the NIC pointing to your users.

     

    Doing so should give you a better feeling. I hope it helps to get started.

     

    Best,

    Andre

  • asabban McAfee SME 1,357 posts since
    Nov 3, 2009
    3. Nov 16, 2011 7:39 AM (in response to Ahmed Eissa)
    Re: hardening webwasher

    Hello Ahmed,

     

    I think basically you have some company-related guidelines to ensure you keep the "normal user" away from everything that may be critical, such as SSH. I think this has already been done in this case, which is good.

    I agree that having a document that gives more hints on this topic and/or defines a standard "lock down" policy would be very helpful to customers. Unfortunately, we currently don't have one, and it is not up to me to decide if this should/can be done or not. I would recommend filing your request as an FMR, to have it officially recorded. To do so, please describe your wish/requirement on

    https://secure.mcafee.com/apps/downloads/products/products-enhancement-request.aspx?region=us

     

    Best regards,

    Andre

  • productivityenhancer Apprentice 64 posts since
    Mar 17, 2011
    4. Nov 16, 2011 2:35 PM (in response to asabban)
    Re: hardening webwasher

    The network protection "feature" broke our setup with WCCP, so we had to be creative in how we were going to protect the appliances.  You can modify the hosts.allow and hosts.deny to restrict SSH access, change the https connector interface to localhost and then tunnel your ssh connection to your mgmt port listening on the localhost.
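
A check for the bindings discussed in the replies above (SSH and the admin GUI reachable only on the management NIC or on localhost), added here as an example and not taken from any poster or from McAfee. The management address, the port numbers and the sample `ss -tlnH` lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not McAfee code. Assumed values: MGMT_IP, ADMIN_PORTS, PROXY_PORTS.
MGMT_IP="${MGMT_IP:-192.168.0.1}"       # management NIC address (assumed)
ADMIN_PORTS="${ADMIN_PORTS:-22 4712}"   # SSH plus a placeholder GUI port
PROXY_PORTS="${PROXY_PORTS:-9090}"      # proxy port offered to end users (assumed)

# Reads `ss -tlnH` style lines on stdin, prints findings, returns 1 on any FAIL.
audit_listeners() {
    awk -v mgmt="$MGMT_IP" -v admin="$ADMIN_PORTS" -v proxy="$PROXY_PORTS" '
    BEGIN {
        n = split(admin, a, " "); for (i = 1; i <= n; i++) is_admin[a[i]] = 1
        n = split(proxy, p, " "); for (i = 1; i <= n; i++) is_proxy[p[i]] = 1
    }
    $1 == "LISTEN" && match($4, /:[0-9]+$/) {
        addr = substr($4, 1, RSTART - 1)      # local address, may be [v6] or *
        port = substr($4, RSTART + 1)
        gsub(/^\[|\]$/, "", addr)             # [::] -> ::
        sub(/%.*$/, "", addr)                 # drop interface scope such as %lo
        loopback = (addr == "127.0.0.1" || addr == "::1")
        if (port in is_admin) {
            # Admin services may bind only to the management NIC or localhost.
            if (addr != mgmt && !loopback) {
                print "FAIL admin port " port " listens on " addr; fails++
            }
        } else if (!(port in is_proxy) && !loopback) {
            # No other services are expected on the appliance.
            print "WARN unexpected listener " addr ":" port
        }
    }
    END { exit (fails > 0) }'
}

# Constructed sample input in `ss -tlnH` column order (not captured from a real box).
sample_listeners() {
    cat <<'EOF'
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 192.168.0.1:4712 0.0.0.0:*
LISTEN 0 128 198.51.100.5:9090 0.0.0.0:*
LISTEN 0 128 [::]:4712 [::]:*
LISTEN 0 50 127.0.0.1:4711 0.0.0.0:*
LISTEN 0 5 198.51.100.5:8080 0.0.0.0:*
EOF
}

# Live use on a Linux host:  ss -tlnH | audit_listeners
```

A wildcard bind (`0.0.0.0`, `*` or `[::]`) on an admin port is reported as FAIL even when a firewall rule currently hides it, since the rule and the bind can drift apart independently.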

  • Jon Scholten McAfee SME 856 posts since
    Nov 3, 2009
    5. Nov 16, 2011 7:03 PM (in response to productivityenhancer)
    Re: hardening webwasher

    The issue with network protection and wccp should be addressed in 7.1.6 (Currently in beta). To productivityenhancer, did you already have a case open for that issue? If so let me know the SR #.

     

    ~Jon

  • michael_schneider McAfee SME 424 posts since
    Nov 14, 2009
    6. Nov 17, 2011 6:10 AM (in response to Jon Scholten)
    Re: hardening webwasher

    Hardening snippet from an internal document. Use at your own risk and without warranty.

     

    Michael

    Attachments:

    --
    CISSP
    Sr. Product Manager Web Security
    Network Security BU

    **no personal messages please, unless requested**
  • productivityenhancer Apprentice 64 posts since
    Mar 17, 2011
    7. Nov 17, 2011 12:57 PM (in response to Jon Scholten)
    Re: hardening webwasher

    Hey Jon, we had a ticket opened for it and you were the engineer who assisted us after looking back on it! Thanks again!

  • michael_schneider McAfee SME 424 posts since
    Nov 14, 2009
    9. Nov 21, 2011 3:37 AM (in response to Ahmed Eissa)
    Re: hardening webwasher

    Hi Ahmed,

     

    A request for what exactly? Did you review the document I attached three posts above? Is this what you are looking for?

    Thanks,

    Michael


    --
    CISSP
    Sr. Product Manager Web Security
    Network Security BU

    **no personal messages please, unless requested**