RE: ISAserver.org - Review of SurfControl Web Filter 5.0 for ISA Server 2004
- From: "Thomas W Shinder" <tshinder@xxxxxxxxxxx>
- To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
- Date: Thu, 17 Mar 2005 16:24:14 -0600
Hi Ara,
Not sure if I understand the question.
Tom
www.isaserver.org/shinder
Tom and Deb Shinder's Configuring ISA Server 2004
http://tinyurl.com/3xqb7
MVP -- ISA Firewalls
-----Original Message-----
From: Ara [mailto:ara@xxxxxxxxxxxxx]
Sent: Thursday, March 17, 2005 11:59 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: ISAserver.org - Review of SurfControl Web Filter 5.0 for
ISA Server 2004
http://www.ISAserver.org
Hi tom,
Let me see, looks like I learnt new things today. First of all we don't need to
set people's machine to go through isa port 8080 and automatically detect
settings will do it while firewall client is enabled. If so, will it get
filtered and also use the cache?
Thank you
________________________________________
From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx]
Sent: Thursday, March 17, 2005 7:51 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: ISAserver.org - Review of SurfControl Web Filter 5.0 for
ISA Server 2004
http://www.ISAserver.org
Hi Ara,
If you are using the Firewall client, then the name of the application is sent
to the ISA firewall, in addition to the user name and machine name. So, you can
identify users who are subverting policy. because these application names will
be accessing Web resources.
If they disable the Firewall client, and are configured as SecureNAT clients
only, then if the rule requires authentication, and you have disabled all be
integrated auth, then the connection will fail.
That leaves them with the option to configure their browsers as Web proxy
clients. They can use IE (which they should) and use autodetect, or they can
fiddle with their off-label browsers and configure them as Web proxy clients.
Is there a network use or security policy in place? Its very hard to secure a
business if there is none, and you're forced to play "Internet security police"
when that's not your official job title and you don't get back up from the
management.
HTH,
Tom
www.isaserver.org/shinder
Tom and Deb Shinder's Configuring ISA Server 2004
http://tinyurl.com/3xqb7
MVP -- ISA Firewalls
________________________________________
From: Ara [mailto:ara@xxxxxxxxxxxxx]
Sent: Thursday, March 17, 2005 9:41 AM
To: [ISAserver.org Discussion List]
Subject: RE: ISAserver.org - Review of SurfControl Web Filter 5.0 for ISA
Server 2004
Hi Tom,
Yes it is more political problem than technical. But I don't have a proof on my
hand. As an example, if I use surf control real time monitor, I can see where
people go with IE and even generate logs. But when they use fire fox, that
doesn't show up on monitor or logs which is pretty crazy
Anyway thank you for suggestions
________________________________________
From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx]
Sent: Thu 3/17/2005 3:59 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: ISAserver.org - Review of SurfControl Web Filter 5.0 for
ISA Server 2004
http://www.ISAserver.org
Hi Ara,
It sounds like you might have behavior issues with your users. Several problems
I see here:
* They are not use IE. I don't consider the alternate browsers more secure and
in fact, probably in the next few months they'll be much more of a security
risk than IE
* They are disabling the proxy configuration to subvert network use and
security policy
* They are willing to endanger the network and business to such an extent that
they will rename executable files to subvert security policy and the viability
and profitability of the business
If I had these problems, I'd worry more about which law enforcement wing to
report these uses to, since I could choose from local, State or Federal.
HTH<
Tom
www.isaserver.org/shinder
Tom and Deb Shinder's Configuring ISA Server 2004
http://tinyurl.com/3xqb7
MVP -- ISA Firewalls
________________________________________
From: Ara [mailto:ara@xxxxxxxxxxxxx]
Sent: Thursday, March 17, 2005 12:53 AM
To: [ISAserver.org Discussion List]
Subject: RE: ISAserver.org - Review of SurfControl Web Filter 5.0 for ISA
Server 2004
Hi Tom,
What about if the user is smart enough changing the executable name to
something else? what about for safari, opera, Netscape, mozilla???
looks like my only option is removing firewall client and pushing proxy
settings through group policy. Also following one of my last post, I had to run
the firewall service under local system account instead of network service due
to some incompability with 3rd party tools. Do you think that might be a
problem too?
Regards
________________________________________
From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx]
Sent: Wed 3/16/2005 7:42 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: ISAserver.org - Review of SurfControl Web Filter 5.0 for
ISA Server 2004
http://www.ISAserver.org
Hi Ara,
Good question. None that I can think of, because the hosts have to be
configured as Web proxy clients for it to work. You can't use authentication to
control this, because the Firewall client can authenticate too. I suppose you
could disable=1 for the Firefox executable. That will cause the Firewall client
to bypass connections from Firefox and then then when authentication is
enforced, then they must be Web proxy clients since SecureNAT clients can't
auth.
That should work.
Tom
www.isaserver.org/shinder
Tom and Deb Shinder's Configuring ISA Server 2004
http://tinyurl.com/3xqb7
MVP -- ISA Firewalls
-----Original Message-----
From: Ara [mailto:ara@xxxxxxxxxxxxx]
Sent: Wednesday, March 16, 2005 7:51 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: ISAserver.org - Review of SurfControl Web Filter 5.0 for
ISA Server 2004
http://www.ISAserver.org
Hi Tom,
Is there any way to stop those firewall clients' users bypassing the web filter
using fire fox?
Thank you
________________________________________
From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx]
Sent: Wednesday, March 16, 2005 6:35 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: ISAserver.org - Review of SurfControl Web Filter 5.0 for
ISA Server 2004
http://www.ISAserver.org
Hi Dan,
Yeah, its a real problem. The HTTP redirector would work for anonymous
connections in 2000, but the auth model changed (for the better) for 2004, but
the filter guys didn't get wind of it or something, so now if you allow users
to disable their Web proxy config, they can still auth via FWC and get by the
Web filter, even though the Web proxy filter is still bound to the HTTP
protocol.
Supposed to be fixed soon, though.
Tom
www.isaserver.org/shinder
Tom and Deb Shinder's Configuring ISA Server 2004
http://tinyurl.com/3xqb7
MVP -- ISA Firewalls
------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Other Internet Software Marketing Sites:
World of Windows Networking: http://www.windowsnetworking.com
Leading Network Software Directory: http://www.serverfiles.com
No.1 Exchange Server Resource Site: http://www.msexchange.org
Windows Security Resource Site: http://www.windowsecurity.com/
Network Security Library: http://www.secinf.net/
Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
ara@xxxxxxxxxxxxx
To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist
Report abuse to listadmin@xxxxxxxxxxxxx
------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Other Internet Software Marketing Sites:
World of Windows Networking: http://www.windowsnetworking.com
Leading Network Software Directory: http://www.serverfiles.com
No.1 Exchange Server Resource Site: http://www.msexchange.org
Windows Security Resource Site: http://www.windowsecurity.com/
Network Security Library: http://www.secinf.net/
Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
ara@xxxxxxxxxxxxx
To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist
Report abuse to listadmin@xxxxxxxxxxxxx
------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Other Internet Software Marketing Sites:
World of Windows Networking: http://www.windowsnetworking.com
Leading Network Software Directory: http://www.serverfiles.com
No.1 Exchange Server Resource Site: http://www.msexchange.org
Windows Security Resource Site: http://www.windowsecurity.com/
Network Security Library: http://www.secinf.net/
Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
tshinder@xxxxxxxxxxxxxxxxxx
To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist
Report abuse to listadmin@xxxxxxxxxxxxx
Other related posts:
