I had never heard of Purewire until today. There are a couple of demos about their web security service available here. They offer the same protection strategy as something like McAfee’s Web Gateway (Webwasher) but probably with less management overhead. In my experience, Webwasher was only a good fit for a large shop with the resources to fiddle with it all the time. With Purewire, Barracuda may be able to offer state-of-the-art web filtering to customers of all sizes with a “turn-key” implementation and management.

There are many, many alternatives for a web security service, but none with the marketing footprint of Barracuda, so this should be good.

via Securosis

Apparently they are doing this using SSL inspection (outbound SSL proxy) as opposed to using application signatures. Outbound SSL proxies introduce a new range of hassles. It would be better if they could detect the application (ahem) and block it that way:

The new filtering engine of Astaro’s version 7.4 also allows users to filter and control secure web traffic (HTTPS). With inferior web security solutions, users can circumvent the security policy simply by accessing sites over HTTPS, which encrypts the session between the client browser and the target destination. Astaro’s version 7.4 intercepts encrypted HTTPS traffic and examines the content for malware, stops spyware infections, and controls what types of sites can be accessed.

In addition to (instead of?) of blocking Ultrasurf at the network level, one could control such applications at the desktop level. Sophos does this with panache. Using a whitelisting program like Bit9 or Lumension also turns this into a non-issue. If there are other ways to solve this problem, let me know.

Or you can donate a datapoint to crowdsourcing effort Herdictweb:

Herdict Web aggregates reports of inaccessible sites, allowing users to compare data to see if inaccessibility is a shared problem. By crowdsourcing data from around the world, we can document accessibility for any web site, anywhere.

What’s cool about Herdict is it can be used to see which sites are being blocked by which countries or ISPs.

Ultrasurf uses “140300000101″ for SSL ehlo messages. If you can block this signature with the your firewall you can block ultrasurf. To do this follow these steps:

1. Create a custom object in Firewall/Application Object section. Lets say the name of the object is “Ultra”
2. Application object type must be “Custom object”
3. Match Type must be “Exact Match”
4. Input Representation must be “Hexadecimal”
5. Then add Content “140300000101″

Then go to Object Policy/Application Firewall Policy Settings:

1. Policy name: write whatever you want
2. Policy type “Custom Policy”
3. Adress Source “Any”, Destionation “Any”
4. Service Source “Any”, Destionation “Any”
5. Exclusion Adrsss “None”
6. Application Object “Ultra Object” **Select the object which you write in the first section
7. Action “Reset/Drop”
8. Users/Group Included “All”, Excluded “None”
9. Schedule “Always On”
10. Enable loging “Check”
11. Redundancy Filters “Use Global settings checked”
12. Connection Side “Client Side”
13. Direction “Basic” Both

Dont forget to enable the Application Firewall feature. This is a bit easier to do on a Palo Alto firewall since the application is already identified natively by the box, you just have to block it in one of your threat profile policies.

Most (all?) filters can report on such activity after the fact, but many don’t have the real-time alerting feature that this customer felt was so valuable.

This is an example of using feature vectors rather than feature matrices to compare products. Comparing a single most important feature across products is simple, fast and minimizes distraction by features that aren’t relevant to the problem at hand.

K9 Web Protection – Free Internet Filtering and Parental Controls Software

For the AD Agent, it is currently has only been released for Active Directory environments with 2200 users or less.

This company looks like they have combined Vericept-like analysis with URL filtering in a single solution, but instead of merely logging everything, they actually block based on content. Not sure how well it works yet.

flashform

UPDATE: The thing doesn’t work right now, so never mind.

To improve this number, the paper suggests the following:

• browser vendors follow Mozilla’s lead and implement an auto-update mechanism that checks for updates each time the browser is used
• consumers implement URL filtering to reduce odds of visiting an infected website
• implement a “best by” dating system for software similar to what consumers are familiar with when they shop for groceries. This is supposed to increase awareness of the risk of outdated browsers and motivate users to update.
• someone implement an authentic, open repository of plugin version information that can be queried by vendors to make sure browser plugins are updated regularly

I don’t like the “best by” idea. A little red notice that states “145 days expired, 3 patches missed” isn’t much different from the existing software update schemes. Trying to raise awareness for the sake of awareness is futile. Outdated software alone doesn’t cause loss and discomfort like spoiled produce does so consumers won’t be motivated to pay attention to the “best by” date.