
Internet security solutions must tackle browser-based threats


By Reid Nilson, Senior Systems Engineer, Acrodex Integrated Network and Security Solutions


Enforcing corporate web traffic security policies is not just about controlling the websites your users visit. In fact, these days, many of the new threat vectors seen on the Internet are targeted at the web browser.

A web security appliance that controls user browsing activities can help increase productivity, and it can also defend against threats targeting browsers, which would otherwise leave your enterprise vulnerable. This article covers a few of the high points of the Cisco Ironport web security appliance.

The Cisco Ironport “S” series of Web Security Appliances is designed to apply company policies to web traffic. The “S” series has a number of advanced features that allow deep visibility into web traffic to ensure that company policies are accurately applied.

Ironport uses the traditional method of categorizing URLs into a large number of groups, which allows policies to be applied based on the category of the URL. However, due to the changing nature of the Internet, it is impossible to categorize all URLs, so Ironport can also use the Cisco Senderbase network to categorize URLs based on traffic collected from around the globe. The Senderbase network first appeared on the Ironport Email Security Appliances, where it assigns a reputation value to an email source, allowing an administrator to control what email is allowed or dropped. The corresponding value assigned to a URL is called the Web Reputation Score, or WBRS.

The WBRS is a value from -10 to 10 and protects against URL-based malware, which is becoming more prevalent. By default, a score of -10 to -6 is blocked right away, as this score indicates that the site is more likely to contain malware. An example may be a site whose address is a typo of a popular site.

Traffic for a site with a score of -5.9 to 5.9 is scanned by the Ironport Dynamic Vectoring and Streaming (DVS) engine, which inspects web traffic from both the client and the server for anomalies. DVS can inspect the user agent for suspicious activity, which may indicate that the client is infected with malware, in addition to scanning with the Webroot, McAfee and Sophos anti-malware utilities to ensure that the client is not compromised.

Scores of 6.0 to 10 are allowed with no scanning.  These scores indicate a trusted web site with an established reputation which is very unlikely to be hosting malware.
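The default score bands described above, written out as an added example (this is not Cisco's or the author's code). The function and parameter names, the rounding to one decimal place, and the treatment of a missing score as "scan" are assumptions of this sketch, and the hosts and scores are constructed.

```python
from collections import Counter
from decimal import Decimal, ROUND_HALF_UP

# Default bands as stated in the article:
#   -10 .. -6   block
#   -5.9 .. 5.9 scan with DVS
#   6.0 .. 10   allow without scanning
BLOCK_MAX = Decimal("-6.0")
ALLOW_MIN = Decimal("6.0")

def wbrs_action(score, block_max=BLOCK_MAX, allow_min=ALLOW_MIN):
    """Map a Web Reputation Score to 'block', 'scan' or 'allow'."""
    if score is None:
        # Assumption of this example: a URL with no reputation is scanned.
        return "scan"
    # The bands are written to one decimal place, so normalise first;
    # Decimal avoids float surprises right at the -6 / 6.0 boundaries.
    s = Decimal(str(score)).quantize(Decimal("0.1"), rounding=ROUND_HALF_UP)
    if not Decimal("-10") <= s <= Decimal("10"):
        raise ValueError(f"WBRS out of range: {score!r}")
    if s <= block_max:
        return "block"
    if s >= allow_min:
        return "allow"
    return "scan"

# Constructed (host, score) pairs, not real reputation data.
SAMPLE = [
    ("typo-of-popular-site.example", -7.2),
    ("ad-network.example", -6.0),
    ("borderline.example", -5.9),
    ("free-downloads.example", -4.5),
    ("new-blog.example", 0.4),
    ("well-known-vendor.example", 8.1),
    ("unscored.example", None),
]

def summarise(requests, **bands):
    """Count how many requests fall into each action under the given bands."""
    return Counter(wbrs_action(score, **bands) for _, score in requests)

if __name__ == "__main__":
    print("default bands:   ", dict(summarise(SAMPLE)))
    # Moving the block threshold from -6 to -3 shows what a stricter policy would drop.
    print("block at <= -3.0:", dict(summarise(SAMPLE, block_max=Decimal("-3.0"))))
```

Running the same request sample through a candidate threshold before changing the policy shows how many sites move from "scan" to "block".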

Besides URL categorization and web reputation filtering, the Ironport has another feature called Application Visibility & Control (AV&C). A large number of popular websites have useful business functions but also include applications that may not be approved. An example of this is Facebook, which can help a business establish a social media presence but also has games like Farmville that can impact productivity. AV&C can be configured to allow basic access to Facebook but block access to games and other embedded applications that may contradict company policies.

What about encryption? If the traffic from the client to a server is encrypted, then the Ironport can’t see the traffic and cannot apply the policies. There is a solution for this as well: a trusted certificate can be installed on the Ironport, which will be presented to the client during the TLS handshake. Once the connection is set up, the Ironport will decrypt traffic from the client, inspect it and then re-encrypt the traffic with the destination server’s public key to ensure that the traffic is secured when crossing the Internet. This method ensures that the clients are following company policy and that their traffic is secure across the Internet.

The Ironport security appliances allow for granular control of web traffic, giving you the flexibility, for example, to allow some social media to promote your business while blocking time-consuming games. In addition to the flexible control, you can reduce the attack surface and defend against browser-based threats.

Have a question about corporate web security? Get in touch with our Integrated Network Security and Solutions group (INSS) by calling 1-800-456-2667.
