Saturday, September 27, 2008

WAF over SSL VPN?

Question: When is it a good idea to add a Web Application Firewall (WAF) to an existing SSL VPN connection? Is it even necessary at all?
Approximately 100 End-Users
Medium Security (No Cash Transactions)
Web Server IIS based
scalability


Answer:
The answer depends on your security requirements.

If you have an assessed requirement (e.g. PCI) to secure your applications with a front-end like a web application firewall (WAF), then you should have a web application firewall in front of your web applications.

In general, an SSL VPN adds the following features (when configured properly) for shops that require layer 7 web application firewalls:
1- All users accessing your web applications through the SSL VPN are authenticated when this is enforced. If authenticated users are considered trusted, then you do not need extra WAF protection.
2- SSL VPN systems can bring pre-authentication posture checks like malicious software scans. If you consider scanned, clean systems trusted, then you do not need a web application firewall.
3- Some SSL VPN systems come with integrated security features like content security, layer 7 security, protocol checks, firewalls etc. If the security level offered by the SSL VPN vendor is good enough for your web application security requirements, you do not need an additional WAF layer.

Let me know if you have any specific questions,
Regards,
- yinal ozkan

Web Filtering for ISP's, who would you recommend?

Question: I'm working on a regulation to allow the content regulator to issue website blocking requests to ISPs in ......... Blocking a few websites is not a problem, but blocking an entire category of websites (such as "pornography", for example) should be made possible as well.

The regulation will specify technical solutions (whether software or hardware based) that are acceptable and recognized as capable of complying with individual and blanket blocking requests. Most of the solutions I've found online are tailored towards enterprises managing employee access to websites; what I'm looking for, however, must be capable of handling access requests from all users of a given ISP. Given the fact that a single URL could have multiple IP addresses, the recommended solution should be robust enough to deal with such complexities.

What would you recommend? How was your experience with it? A brief summary would do just fine, there's no need to take a lot of your time in answering this question.


Answer: We have been deploying web filtering solutions for telcos for a while. In the telco world the requirements are different from the enterprise:
1- No authentication is required.
2- Performance and scalability are major decision criteria.
3- Pricing is important when the user base is over 100K.
4- URL categories must fit your requirements; when needed, you should be able to apply more than one filter database.
5- Management should not require an army of engineers.
6- Not too many pie charts are required for reporting.

http://mediaproducts.gartner.com/reprints/securecomputing/160130.html
is a good start for checking vendors.

Big enterprise appliance-based solutions usually have a custom ISP product.
Blue Coat, IronPort, Secure Computing (now McAfee), MI5 Networks and Optenet are commonly used at telcos.

I do work with Blue Coat appliances since they are stable, scalable and support third-party URL databases like Websense. But this combination can burn your budget. Blue Coat is in use at several states neighboring yours. Blue Coat also offers its own URL database:
http://www.bluecoat.com/

I have seen large ISP deployments with Optenet (the pricing options were good):
http://www.optenet.com/en-us/ispproducts.asp

Load balancing is a key issue. I am not sure how these ISPs are interconnected to the Internet backbone, but you will need to load balance the content filters. You can check F5, Cisco, Citrix, Radware etc. for L4-7 load balancing switches.

And a few recommendations: do not get ambitious; stay away from content AV. It does not scale at ISP level.
DNS poisoning and TCP resets are not very effective; go with the content gateway.
Because of your specific requirements, in-the-cloud services like Webroot and ScanSafe may not be the best option.
This is a commodity market; you have many alternatives like 8e6, Barracuda, Clearswift et al.

If you have a specific vendor or design question, please let me know,
Regards,
- yinal ozkan
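The answer above recommends a content gateway over DNS poisoning or TCP resets, and the question notes that one URL can sit behind several IP addresses. The following is an added example, not code from the original post or from any of the vendors named in it, showing the decision a layer 7 gateway can make from the request line itself: it extracts the destination host from a proxied GET or a CONNECT, suffix-matches it against more than one URL-category database (point 4 in the answer), applies both blanket category blocks and single-host blocks, and then shows the collateral damage that blocking by IP address would cause when a blocked site shares an address with an innocent one. Every hostname, category, IP address and request line is constructed for the example.

```python
"""Added example (not from the original post or any vendor product):
the block decision a layer-7 content gateway makes from the request
line instead of from destination IP addresses. All hostnames,
categories, IPs and request lines are constructed."""
from urllib.parse import urlsplit

# Two constructed URL-category databases; the gateway consults them in
# order so a second database can extend the first.
PRIMARY_DB = {
    "example-adult.test": "pornography",
    "casino.example": "gambling",
    "news.example": "news",
}
SECONDARY_DB = {
    "other-adult.test": "pornography",
}

# Constructed regulator requests: one blanket category and one single host.
BLOCKED_CATEGORIES = {"pornography"}
BLOCKED_HOSTS = {"single-site.example"}


def normalize_host(host):
    """Lower-case, strip a trailing dot and any :port suffix."""
    host = host.strip().lower().rstrip(".")
    if host.count(":") == 1:  # name:port; IPv6 literals are not handled here
        host = host.split(":", 1)[0]
    return host


def lookup_category(host, dbs):
    """Suffix match: www.a.example matches an entry for a.example, so a
    site cannot dodge a category entry by adding subdomains.
    Returns the first category found, or None."""
    labels = host.split(".")
    for i in range(len(labels) - 1):  # never match the bare TLD
        candidate = ".".join(labels[i:])
        for db in dbs:
            if candidate in db:
                return db[candidate]
    return None


def host_from_request_line(line):
    """Destination host from a proxy-style request line:
    'GET http://host/path HTTP/1.1' or 'CONNECT host:443 HTTP/1.1'."""
    method, target = line.split()[:2]
    if method == "CONNECT":
        return normalize_host(target)
    return normalize_host(urlsplit(target).netloc)


def decide(line, dbs=(PRIMARY_DB, SECONDARY_DB)):
    """Return (host, category, verdict); verdict is 'block' or 'allow'."""
    host = host_from_request_line(line)
    category = lookup_category(host, dbs)
    if host in BLOCKED_HOSTS or category in BLOCKED_CATEGORIES:
        return host, category, "block"
    return host, category, "allow"


def ip_block_collateral(ip_map, dbs=(PRIMARY_DB, SECONDARY_DB)):
    """Why blocking by IP is the wrong granularity: returns the hosts that
    should stay reachable but share an IP with a blocked host.
    ip_map maps hostname -> set of IPs (constructed DNS answers)."""
    blocked = {h for h in ip_map
               if h in BLOCKED_HOSTS or lookup_category(h, dbs) in BLOCKED_CATEGORIES}
    blocked_ips = set().union(*(ip_map[h] for h in blocked))
    return sorted(h for h in ip_map if h not in blocked and ip_map[h] & blocked_ips)


# Constructed gateway request lines.
SAMPLE_REQUESTS = [
    "GET http://www.example-adult.test/index.html HTTP/1.1",
    "CONNECT mirror.other-adult.test:443 HTTP/1.1",
    "GET http://casino.example/ HTTP/1.1",
    "GET http://Single-Site.Example./about HTTP/1.1",
    "GET http://news.example/today HTTP/1.1",
]

# Constructed DNS view: the blocked site round-robins over two IPs, and one
# of them is shared hosting that also serves an innocent news site.
SAMPLE_IPS = {
    "www.example-adult.test": {"192.0.2.10", "192.0.2.11"},
    "news.example": {"192.0.2.11"},
    "casino.example": {"198.51.100.5"},
}

if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        print(decide(req))
    print("collateral from IP blocking:", ip_block_collateral(SAMPLE_IPS))
```

The gateway sees the hostname on every request (in the absolute URL for plain HTTP, in the CONNECT target for HTTPS), so the multiple-IP and shared-IP cases from the question never reach the decision. The `ip_block_collateral` output is the list an IP-based or DNS-based scheme would wrongly block; in the constructed data that is the news site sharing 192.0.2.11.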

Friday, September 19, 2008

IT-GRC and GRCM tools revisited

The line between IT-GRC and old-world GRC is getting thinner every day, so I updated my list with the old-world GRC players. As you can tell, they all have IT-GRC solutions.

It is difficult to say which sets of tools are exactly for IT-GRC, or GRC Management (GRCM) or enterprise governance, risk and compliance (EGRC).

IT controls are everywhere when you check the four pillars of GRCM:
1- Audit management
2- Compliance management
3- Risk management
4- Policy management

Tools do not fix the governance problem, but they do help in shaping your project with fewer bodies (and probably in exchange for good hard cash).

The new era of tools has a better message than the previous "We fix your compliance problems" motto. We all knew that compliance was just another step toward achieving governance of information security. The new tools have better connections with legacy information security and risk management tools; they also come with several predefined policy frameworks like ISO 27001, COSO, COBIT, PCI etc.

Not there yet, but if you are interested, here is a good starting list of lists for googling and reading:

Governance, Risk and Compliance (GRC) Tools with IT Controls (IT-GRC)

Agiliance
http://www.agiliance.com/
Brabeion
http://www.brabeion.com/
Archer
http://www.archer-tech.com/solutions/index.html
Control Path
http://www.controlpath.com/solutions_advantage.php
Symantec (Control Compliance Suite)
http://eval.symantec.com/mktginfo/enterprise/fact_sheets/ent-datasheet_control_compliance_suite_05-2007.en-us.pdf
Compliance Spectrum -Spectra (Command Center)
http://www.compliancespectrum.com/
Modulo
http://www.modulo.com/
NetIQ VigilEnt Policy Center and other NetIQ tools
http://download.netiq.com/CMS/WHITEPAPER/NetIQ_CRM_Methodology_Feb_2007.pdf
eIQ Networks SecureVue
http://www.eiqnetworks.com/products/SecureVue.shtml
CA clarity (formerly NIKU)
http://www.niku.com/it-governance-47.html
IBM Tivoli Series
http://www-306.ibm.com/software/uk/itsolutions/governance/?ca=grm_Lnav&me=w
SAP
http://www.sap.com/solutions/grc/index.epx
Relational Security - RSAM
http://www.relsec.com/rsam_overview.htm
Iconium
http://www.iconium.co.uk/Solutions/overview.htm
Security Works - Visible Security
http://security-works.com/?page_id=27
Oracle (formerly Logical Apps and Oracle GRC Manager)
http://www.oracle.com/solutions/corporate_governance/governance-risk-compliance-manager.html
Proteus
http://www.infogov.co.uk/proteus_enterprise/index.php
Avedos
http://www.avedos.com/257-Home-EN.html
BWise
http://www.bwise.com/
Neupart
http://www.neupart.com/
Metric Stream
http://www.metricstream.com/
Nemea
http://www.nemea.us/
Favored Solutions
http://www.favoredsolutions.net/
Paisley
http://www.paisley.com/
OpenPages
http://www.openpages.com/Solutions/Technology_17.asp
Qumas
http://www.qumas.com/products/index.asp
IDS Scheer
http://www.ids-scheer.com/en/ARIS/ARIS_Solutions/Governance_Risk__Compliance_Management/88815.html
Axentis
http://www.axentis.com/axentis_solutions_5.aspx
Achiever
http://www.goachiever.com/ACHIEVERPLUS/aweb2.nsf
Methodware
http://www.methodware.com/products/oprisk/idx-oprisk.shtml
Protiviti
http://www.protiviti.com/portal/site/pro-us/menuitem.32f530ef9aa26f4acd230ef2f5ffbfa0/
Cura Software
http://www.curasoftware.com/pages/content.asp?SectionId=7&SubSectionID=48
Mega
http://www.mega.com/index.asp/l