Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

RE: IE is just as safe as FireFox
From: "joe" <mvp () joeware net>
Date: Wed, 24 Nov 2004 19:47:11 -0500

problems. I think, 1-3 web servers (possibly clustered) for territorial 
subdivision and 3-5 in head office is enough for all tasks in corpotation 
which isn't listed in Forbes Top 500 :)

Most of the work I do and have done over the last 10 years has been for
companies in the global 50, most of the last 8 years has been for the global
5. Obviously for smaller companies, you will *generally* need fewer intranet
servers but it depends entirely on the business model and IT organization. 

Anyway, you can specify an unlimited amount of non-proxied servers in 
autoconfiguration script. More, you may modify autoconfig rules as 
frequently as needed, or even do it automatically.

Agreed. But if the idea is to protect your internal clients from your
intranet web servers, the proxy isn't doing much for you. Plus again,
someone can just configure their machine to not use the proxy as mentioned
previously. If the machines are available on the public intranet without
having to go through some firewall, you can't slap much of a guarantee on
things not reaching them except via your proxy. You mention setting up
routing ACL policies for HTTP traffic further down. This isn't something
that is reasonable to manage in a large organization and does nothing from
stopping people from selecting alternate ports. 

  joe

 

-----Original Message-----
From: Raoul Nakhmanson-Kulish [mailto:raoul () elforsoft com] 
Sent: Monday, November 22, 2004 4:43 AM
To: joe; full-disclosure () lists netsys com
Subject: Re: [Full-disclosure] IE is just as safe as FireFox

Hello, joe!

Autoconfig script may enumerate hosts which don't require a proxy. 
Usually there are a very few intranet servers in corporate network.
You should have prefixed "there are very few... " with one of two 
things 1. Relative to the internet...
2. In my experience...
I said "usually". What's a habit to pick on words? :(

I have been on several large corporate networks where there are 
hundreds or thousands of intranet web servers hosting tens of 
thousands of sites. Many large enterprise class companies are moving 
whole hog to web based apps internally (even email) and all available
content is on the internal web.
IMHO, right policy in this point should be reducing number of intranet
servers to minimally sensible value. This is a simple reason: the smaller
web server amount the easier administration and less security risks.
Clusters is solution of bottleneck problems. I think, 1-3 web servers
(possibly clustered) for territorial subdivision and 3-5 in head office is
enough for all tasks in corpotation which isn't listed in Forbes Top 500 :)

Anyway, you can specify an unlimited amount of non-proxied servers in
autoconfiguration script. More, you may modify autoconfig rules as
frequently as needed, or even do it automatically.

This is actually the area where IE is so strongly embedded due to its 
application interfaces and what MS has been building towards for so 
long with it.
Examples? Outlook Web Access works fine with Mozilla, Lotus iNotes too. 
Probably, some on-knee-assembled applications using a lot of dubious
ActiveXes will not work, but company-wide Firefox installation is a good
occasion to redesign them or switch to another product.

There are companies whose primary LOB applications internally are on 
IIS servers and can only be accessed with IE.
FF/Win32 supports SSPI since 1.0PR, and thus I don't expect big problems
with IIS.

I wouldn't really call that a worm. Worms work without interaction. 
They are self-propagating/replicating. Malware that spreads that 
requires user interaction would generally just be called a virus.
Any malware suited in Local Intranet zone is more dangerous than in
untrusted zone. Using browser without this "feature" is a good point anyway.

Furthermore, I would suggest you to deny any HTTP access to all LAN hosts
generally, of course, except known intranet servers. This "feature" doesn't
make sense at all and leads only to risks. A correctly configurated proxy
should do it.

--
Best regards,
Raoul Nakhmanson-Kulish
Elfor Soft Ltd.,
ERP Department
http://www.elforsoft.ru/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault