MobileIron Exchange 2003 Kerberos Integration


MobileIron Sentry and Exchange 2003 Kerberos integration is not officially supported, but in my experience it works smoothly using the same steps as for the Exchange 2007 integration. In my opinion it is even easier, because you can skip the steps required to enable Kerberos authentication in IIS for the ActiveSync web service.

In the MobileIron Exchange 2003 Kerberos integration project I worked on recently, I used the following guide to walk me through the process, and I would like to thank the site owner for it: http://www.chaseoriginal.com/techcell/technotes/authentication-using-kerberos-constrained-delegation/

I really cannot add anything to Benjamin Chase's guide regarding the Kerberos preparation steps, but as far as the Exchange preparation steps are concerned, I can say that you don't need to change anything in IIS and it will work. It seems that in Exchange 2003, IIS automatically allows the Kerberos protocol to authenticate the user if the Kerberos account used is correctly configured.

Anyway, I should add that integrating MobileIron Sentry with Exchange 2003 has one big disadvantage: you have no attachment control at all, no matter which device you are using, iOS or Android. Unfortunately this option is only available starting with Exchange 2007 SP3. From the security point of view, attachment control is a must-have feature for Mobile Device Management software, because it lets you prevent confidential data leaving the company, at least when the employee is using documents attached to the email (if the data is in the email body, you need to consider other Data Loss Prevention solutions).

In conclusion, if you encounter a MobileIron Exchange 2003 Kerberos integration requirement in your daily job or in a project, even though Exchange 2003 is very old, you can use the link mentioned above together with my notes about IIS from this article, and everything will work.

For any question regarding MobileIron Exchange 2003 Kerberos integration or any other settings you need, don't hesitate to write a comment.


McAfee Webgateway – Security Review

McAfee Webgateway – Introduction

McAfee Webgateway is an enterprise proxy solution combined with an anti-malware gateway, providing secure access to the Internet and also filtering unproductive web traffic for employees.

From the operational point of view, McAfee Webgateway is aimed at technical personnel. The user interface is easy to use, but the multitude of options for the web policy can be a challenge at the beginning. I used this solution as a customer for 3 years, and I won't lie to you and say it was easy when I started. After a couple of months of using it and a lot of "trial and error" configurations (I always prefer to learn by myself), I started to understand the full potential of this solution.

McAfee Webgateway – Features

If you use any kind of enterprise proxy solution (Bluecoat, Websense, etc.) you will probably know what this kind of product can do. Basically, all products meant to protect Internet access have similar features, but if you are the kind of network admin who likes to go deep into the configuration and wants the means to fully control the web traffic, then McAfee Webgateway is your friend. I will try to briefly point out the main features of the solution, but if you want more details, don't hesitate to ask here and I will answer as fast as I can.

– it has full integration with Active Directory; the device is actually joined to the domain and acts as a computer, with access to the domain objects, which provides full identity awareness

– if direct access to the Domain Controllers is forbidden by security regulations, don't worry: you can use a special software package that relays the information about users to the gateway

– it has its own clustering solution based on VRRP, in an active-active configuration; you can add as many gateways as you need, because the license permits this

– a nice thing about McAfee Webgateway is its licensing model, which is based on the number of users, not on the number of gateways or of devices in the company; you can add as many gateways as you need to your cluster without paying extra, and servers are not counted in the license

– there is LDAP integration for authentication in the web GUI, and it has custom access profiles (each object has a permission tab, allowing a very granular security profile)

– for Internet access you can use multiple authentication methods, such as NTLM, Kerberos and LDAP

– the gateway can be deployed in explicit proxy mode or in transparent mode, with some combinations of the two, of course

– the policy is based on rule sets, which are basically collections of rules grouped by their purpose; each rule set has its own matching criteria, so the parsing engine will not evaluate the rules inside it if those criteria are not met, which saves hardware resources

– each rule has its own match criteria, which can combine a lot of functions such as destination URL, time and date, client IP, web category and many, many others (and when I say many, I mean it); you will probably never use 90% of the functions, but they are there in case you want them

– something really powerful about the rule matching criteria is the ability to use logical operators (AND / OR) and to group them with "(" and ")", obtaining an advanced logical matching expression

– the anti-malware rule set has two antivirus engines (McAfee and Avira) and also a behavioral engine meant to detect suspicious active content (JavaScript, ActiveX, Flash); starting with version 7.4, which is still a controlled release at this moment, McAfee Webgateway has full integration with the McAfee Advanced Threat Detection solution, so any suspicious executable that passes the gateway will be sent to this sandboxing device for deep analysis

– the error pages are fully customizable; you can add whatever HTML code you want, and JavaScript as well

– reporting is done using the Webreporter solution, which is included in the license, or using the Content Security Reporter, a module of ePolicy Orchestrator, which is also included
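To make the rule-set behaviour from the policy items above concrete, here is a small model I wrote for this review (it is not McAfee Webgateway code): a rule set's own criteria gate the rules inside it, so those rules are never evaluated when the gate fails, and each rule's criteria nest AND/OR groups over match functions such as client IP, destination URL, web category and time of day. The function names, the policy and the requests are constructed for the example.

```python
import fnmatch
import ipaddress
from datetime import time

# Leaf match functions (names are assumptions, not the product's); each maps a request and an argument to a bool.
FUNCS = {
    "always": lambda req, _: True,
    "url_matches": lambda req, pat: fnmatch.fnmatch(req["url"], pat),
    "client_in": lambda req, net: ipaddress.ip_address(req["client_ip"]) in ipaddress.ip_network(net),
    "category_is": lambda req, cat: req["category"] == cat,
    "time_between": lambda req, r: time.fromisoformat(r[0]) <= req["time"] <= time.fromisoformat(r[1]),
}

def evaluate(criteria, req, trace):
    """Evaluate ("and", [...]) / ("or", [...]) / (func, arg) trees; short-circuits; trace logs the leaves that ran."""
    op, arg = criteria
    if op == "and":
        return all(evaluate(c, req, trace) for c in arg)
    if op == "or":
        return any(evaluate(c, req, trace) for c in arg)
    trace.append(op)
    return FUNCS[op](req, arg)

def apply_policy(rule_sets, req):
    """Skip rule sets whose own criteria fail (their rules never run); the first matching rule decides."""
    trace = []
    for rs in rule_sets:
        if not evaluate(rs["criteria"], req, trace):
            trace.append("skip:" + rs["name"])
            continue
        for name, crit, action in rs["rules"]:
            if evaluate(crit, req, trace):
                return action, name, trace
    return "allow", "default", trace

# Constructed sample policy: a guest VLAN rule set, office-hours restrictions and a malware block.
POLICY = [
    {"name": "Guest VLAN", "criteria": ("client_in", "10.200.0.0/16"), "rules": [
        ("Guests: allow business only", ("category_is", "Business"), "allow"),
        ("Guests: block the rest", ("always", None), "block")]},
    {"name": "Office hours", "criteria": ("time_between", ("09:00", "18:00")), "rules": [
        ("Block streaming in office hours", ("or", [("category_is", "Streaming Media"),
                                                    ("url_matches", "*.video.example/*")]), "block")]},
    {"name": "Malware protection", "criteria": ("always", None), "rules": [
        ("Block malicious sites", ("category_is", "Malicious Sites"), "block")]},
]

def check(client_ip, url, category, hhmm):
    req = {"client_ip": client_ip, "url": url, "category": category, "time": time.fromisoformat(hhmm)}
    return apply_policy(POLICY, req)
```

The returned trace shows which leaf functions actually ran, so you can see that the guest rules are skipped entirely for an office client and that the OR group stops at its first true branch.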

As a final conclusion, McAfee Webgateway is a very powerful solution that empowers the security officer or the network administrator to enforce whatever combination of security policy requirements is needed at the Internet access gateway.

For more information you can visit the McAfee website here.


QualysGuard Enterprise Suite

QualysGuard – Introduction

QualysGuard is a product of Qualys. It covers many aspects of the IT security workflow in an enterprise, such as Asset Management, Vulnerability Scanning, Web Application Scanning and Policy Compliance.

The solution is cloud-based, but you can install an appliance on premises to scan internal networks as well, not only public IPs. The main concern of customers is the security of their data, because everything is stored in the cloud, the appliance being only a relay for the internal networks. To address this concern, QualysGuard is configured in such a way that all the data is encrypted using a combination of an encryption key and the password of your main administrative account (named "Manager" in the console).

QualysGuard Vulnerability Management

This is the main module, where you define the targets (Assets), the scanning options, the remediation actions, the reports, the authentication and so on. Basically, from this module you can define everything you need in order to generate reports about your network security status.

QualysGuard Assets

The Assets tab lets you define your "targets" in the company network. The targets can be Internet domains (like prohelpdesk.ro), IPs or IP ranges. There is also a type of scan called "discovery scan" that helps discover all the assets on specified network segments or Internet domains. These scans create a "Map", which is in fact a kind of active report containing all the assets discovered, with a drop-down menu to take actions on them, such as creating Asset Groups.

QualysGuard Search Lists

After defining the assets, the next step is to define some filters, which are called "Search Lists" here. These lists act as filters for other actions; for example, you can define a list of specific vulnerabilities or a list of critical vulnerabilities and start a vulnerability scan only for those.

QualysGuard Options Profile

Before starting the actual scan, it is recommended to define a scanning profile (Options Profile in the console), because in this wizard you can set up all the parameters required for scanning (port range, performance, authentication, vulnerabilities to scan for and many other settings).

QualysGuard Scan

Having defined the targets and how to scan them, it's time to start the scan. In the scan wizard you can define parameters such as the targets (specific asset groups) and the scanning profile. The scan can take a lot of time, depending on what you selected in the scanning profile.

QualysGuard Reports

The reporting tab lets the customer define specific scheduled reports to be sent or run (Remediation Reports, Patch Reports, Compliance Reports and so on). Note that for the email option there is a limit of 5MB per report PDF file. There are pre-defined report templates for the most commonly used reports, but you can also define your own templates.

QualysGuard Remediation

The product has its own internal ticketing system that keeps track of the issues found in the customer's environment. There are some integrations with third-party ticketing systems (BMC, for example), but QualysGuard also has a public API that can be used to integrate it with any software you may have.

QualysGuard Policy Compliance

This module is probably a very nice-to-have for security officers because, after creating the policies your company must comply with, you just run some reports and see exactly what is not compliant with your standards. There is a nice feature to build a policy from a device that you consider compliant; with some fine tuning you get a very nice and easy-to-use Compliance Policy. Of course, it is also possible to build the policy from scratch, but what's the point of reinventing the wheel?
For international standards (like PCI) there are built-in policies.

Conclusions

To summarize, the solution is very good, and I would recommend it to any company that wants to know what is happening in its IT environment and wants an easier life with audits.

For any details don’t hesitate to ask me here and I will try to answer as fast as I can.

For more information you can always check the Qualys site of course.


Next Generation Firewall from McAfee

McAfee Next Generation Firewall – Introduction

McAfee Next Generation Firewall is in fact the product of the company Stonesoft, which was acquired by McAfee in 2013. At this moment the product is not yet integrated with the other McAfee products (version 5.7 is currently the latest one). This summer version 5.8 will be released, and a couple of steps will be taken on the road to the "Security Connected" concept McAfee promotes.

I had the opportunity this week to participate in a technical workshop where the main features and strengths of the McAfee Next Generation Firewall were presented. I want to thank Provision Software Division for the invitation to this workshop.

After installing an instance of the McAfee Next Generation Firewall in my lab environment, I could start the tests and explore the user interface.

Here is my review of this product, with some key points that I think deserve a mention.

McAfee Next Generation Firewall – PROs
  • the active-active clustering technique is patented (it's called the "dispatch" technique) and Stonesoft was the clustering solution vendor for Checkpoint back in the 90's (until 2001, when Stonesoft started creating their own firewall solution); they say it's the only true active-active firewall clustering solution on the market at this moment; the clustering limit is 16 members in an active-active configuration
  • the cluster nodes can run different software versions, allowing a transition period in which the new version can be tested while the old version is still available if something goes wrong
  • the Multilink Technology used for balancing the Internet connections (assuming, for example, that you have 2 Internet Service Providers) can easily replace BGP, which requires you to have an AS number
  • the standard deployment contains 2 NGFW machines (McAfee appliances or physical/virtual machines), 1 SMC (Security Management Console, installed on a Windows/Linux machine) and 1 Logger (installed on a Windows/Linux machine; it can be the same machine as the SMC)
  • in a distributed deployment the SMC can be installed only in the main site and connected to all the gateways through an SSL channel over the Internet (there are special built-in NAT rules for this mode)
  • it supports firewall virtualization, but the virtual instance lacks the antivirus and antispam capabilities
  • the logs are sent to the main logger, but secondary loggers can be defined as fail-over or as backup for the main logger; it accepts syslog from other vendors
  • in the logger there is a very nice feature named "Analyze" that takes a snapshot of the logs based on a time frame and other filters (for example all the logs for a specific destination IP) and creates a visual map of the traffic (requires Java on the management workstation); however, it has a limit of only 100,000 logs, so the filters must be set very carefully
  • the IPS module is integrated, but it can also be installed on a separate machine using the same installation DVD (or ISO file in case of a VMware deployment); the IPS has very powerful (patented) protection against Advanced Evasion Techniques, which are used by most attacks
  • a nice feature available for free in the McAfee Next Generation Firewall is a basic Load Balancer that, combined with 2 ISPs using the Multilink Technology, offers high availability for the company's web services
  • for identity awareness this product uses an agent that needs to be installed in the internal network and has access to the Domain Controller's security events; in the next version, the integration with ePO will allow it to read extended workstation information using the McAfee Agent installed on the endpoint
McAfee Next Generation Firewall – CONs
  • there is no SSL VPN module yet (it will be available for free in version 5.8, which will be released this summer)
  • there is no "standalone" appliance, because the management is not yet integrated with the firewall (it will be available in the 5.8 release)

A very nice tool to test your IPS is Evader.
More information can be found on the McAfee website.
