Thursday, 10 February 2011

UAG Registry Keys

Found this TechNet section when looking for something else and it may be very useful to you.

Here are the registry keys used by UAG:
http://technet.microsoft.com/en-us/library/ee809087.aspx

The one that is of most use, especially when carrying out proofs of concept where "real" certificates are not being used:

HKEY_LOCAL_MACHINE\SOFTWARE\WhaleCom\e-Gap\Von\URLFilter\Comm\SSL


By default Forefront UAG validates both the certificate and the revocation list of each SSL backend server during the TLS handshake procedure. In the event where the certificate or the CRL are not valid, backend users are denied access to that given backend server. If a Forefront UAG administrator wishes to disable those validation tests, set the ValidateRwsCert and ValidateRwsCertCRL key values to 0, and then restart the IIS service on the Forefront UAG server.

As UAG checks certificates and CRLs, where IAG really didn't, this can be new to most people who have experience of IAG.
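A quick way to see whether a given UAG server has had these checks switched off, for example after a proof of concept, is to read the two values back. This is an added example, not code from TechNet or the original post; the function name is hypothetical, and it assumes a missing value means the default behaviour (validation on) described above.

```powershell
# Added example: report the state of the two UAG backend validation switches.
# Key path and value names are the ones quoted in the post above.
$UagSslKey = 'HKLM:\SOFTWARE\WhaleCom\e-Gap\Von\URLFilter\Comm\SSL'

function Get-UagBackendValidation {   # hypothetical helper name
    param(
        [string]   $KeyPath    = $UagSslKey,
        [string[]] $ValueNames = @('ValidateRwsCert', 'ValidateRwsCertCRL')
    )
    # The key will not exist on a machine without UAG; treat that as "not set".
    $key = Get-Item -LiteralPath $KeyPath -ErrorAction SilentlyContinue
    foreach ($name in $ValueNames) {
        $data = $null
        if ($key) { $data = $key.GetValue($name, $null) }

        if ($null -eq $data) {
            $state = 'NotSet'      # assumption: default applies, validation on
        } elseif ([int]$data -eq 0) {
            $state = 'Disabled'    # the setting the post describes for PoC use
        } else {
            $state = 'Enabled'
        }
        New-Object PSObject -Property @{ Name = $name; Data = $data; State = $state }
    }
}

$report = @(Get-UagBackendValidation)
$report | Select-Object Name, Data, State | Format-Table -AutoSize

# Flag any switch left at 0 so it is not carried over into a live portal.
$off = @($report | Where-Object { $_.State -eq 'Disabled' })
if ($off.Count -gt 0) {
    $names = ($off | ForEach-Object { $_.Name }) -join ', '
    Write-Warning "Backend validation switched off: $names"
}
```

If a value is changed back, the post's note about restarting the IIS service on the UAG server still applies.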

Friday, 1 October 2010

ActiveSync and email on iPhones (and other ActiveSync devices)

Recently I’ve been asked a lot about ActiveSync for iPhones, but I try to highlight the security implications for this.

I have spoken with a number of people who have ActiveSync running on their Exchange Servers, where they can access the server directly from the internet. I’m not a fan of having servers on the LAN available from the internet, but under the pressure to deploy the access this is often overlooked. Especially as the Microsoft IAG and UAG solutions will allow you to reverse proxy the ActiveSync connection, eliminating the need for a direct connection to the Exchange server.

Ensure the handset you have has a level of encryption on it, as the company can be subject to hefty fines from the ICO if personal data is not encrypted. Apple iPhones have AES 256-bit hardware encryption to protect the data at rest. The Nokia E-series that I have investigated have encryption on both device and storage memory.

Although this is protecting data at rest, ensure there is at least a password on the device, or there is no point having the encryption. Enforcing a password on the device, and comprehensive password policies, can be configured from the Exchange server.
 
What if the handset is stolen? There is the ability to remote wipe the mobile device, as well as enforce a wipe if there are too many failed attempts to log on to the device.
 
The only concern is a number of requests for this access on personal iPhones, which is a worry from a data leakage perspective. Although a number of places have said they will ensure password policies and reserve the right to remote wipe the device when it is required, then make their employees agree to this. Personally, I am not a fan of this and would rather be working with corporate devices, whereas as a business you have more “rights” to your hardware.
 
From a technical perspective, you will need to do the following:
  • Ensure ActiveSync is configured and running on the Exchange server, with the relevant password, encryption and wipe policies. Assign the access to the users who should be able to access it, taking care to remove access from everyone else (so they are unable to connect up unauthorised or personal mobile devices).
  • Configure an ActiveSync portal on IAG, or create a portal for ActiveSync on UAG.
  • Ensure all the Exchange server settings are entered correctly.
  • Apply a real SSL certificate to the portal, as some mobile devices will not allow you to accept a self-signed SSL certificate.
  • Publish the portal.
  • Test the ActiveSync by defining the server name, domain/username and password here: https://testexchangeconnectivity.com/
  • Expect it to fail on the OPTIONS section, but everything else should pass.
  • Configure your device to point to the newly created portal.
  • Allow the device to synchronise and enjoy emails on your mobile device!
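The first step above says to remove ActiveSync access from everyone who should not have it. The following added example (not part of the original post) shows one way to check that against an approved list. The function name, the user names and the policy name are hypothetical, and the sample rows are constructed to look like `Get-CASMailbox` output so the script runs without an Exchange server.

```powershell
# Added example: find mailboxes whose ActiveSync state does not match the approved list.
function Find-ActiveSyncException {   # hypothetical helper name
    param(
        [object[]] $Mailbox,    # rows with Name, ActiveSyncEnabled, ActiveSyncMailboxPolicy
        [string[]] $Approved    # users who are meant to have ActiveSync
    )
    foreach ($mb in $Mailbox) {
        $issue = $null
        if ($mb.ActiveSyncEnabled -and ($Approved -notcontains $mb.Name)) {
            $issue = 'Enabled but not on the approved list'
        } elseif ($mb.ActiveSyncEnabled -and -not $mb.ActiveSyncMailboxPolicy) {
            $issue = 'Approved but no mailbox policy explicitly assigned'
        }
        if ($issue) {
            New-Object PSObject -Property @{ Name = $mb.Name; Issue = $issue }
        }
    }
}

# Constructed sample data; on a live system this would come from
#   Get-CASMailbox -ResultSize Unlimited
# (in real output the policy is an object, not a plain string as here).
$sample = @(
    New-Object PSObject -Property @{ Name = 'alice'; ActiveSyncEnabled = $true;  ActiveSyncMailboxPolicy = 'Corporate Handsets' }
    New-Object PSObject -Property @{ Name = 'bob';   ActiveSyncEnabled = $true;  ActiveSyncMailboxPolicy = $null }
    New-Object PSObject -Property @{ Name = 'carol'; ActiveSyncEnabled = $true;  ActiveSyncMailboxPolicy = 'Corporate Handsets' }
    New-Object PSObject -Property @{ Name = 'dave';  ActiveSyncEnabled = $false; ActiveSyncMailboxPolicy = $null }
)
$approved = @('alice', 'bob')   # constructed allow-list

# Expected: bob (no policy assigned) and carol (enabled but not approved).
Find-ActiveSyncException -Mailbox $sample -Approved $approved |
    Select-Object Name, Issue | Format-Table -AutoSize
```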

 

Monday, 27 September 2010

Avira International Partner Summit, Germany - September 2010

I was fortunate enough to attend the 2nd Avira International Partner Summit, which was held in Germany last week.

There were partners from 35 different countries, so it was great to meet and chat with members of the extended Avira family.

Avira were a great host, not only offering information regarding growth and expansion of the previous year, new developments and structure changes, but also offering a listening ear with the issues and challenges faced by the various distributors and our reseller partners.

There were a number of useful workshops to allow us to voice our challenges in a commercial, marketing and technical environment, but also share ideas and solutions in these areas, and I was amazed at the parity despite the diverse audience.

There are many exciting things that will be announced and released from Avira in due course, and I will keep you up to date when I can!

Two Factor Authentication on GMail

An interesting article about Google protecting Google Apps, which includes GMail, with a one time password sent to your mobile phone:  http://www.scmagazineuk.com/google-adds-two-factor-authentication-to-gmail-via-sms-one-time-passwords/article/179266/

This technology has been available for a while, but this should create greater awareness of two factor authentication, and in turn make more companies realise this is required for their websites, services, applications and SaaS/Cloud offerings.

Vasco can provide two factor authentication to remote access solutions, such as traditional IPSEC VPNs as well as SSL-VPNs. Vasco can provide two factor authentication to a whole network, using uniquely generated one time passwords to log into Windows instead of traditional passwords. More importantly, Vasco can be used to protect web services and web applications. The one time passwords can be generated by hardware tokens, software tokens, tokens for mobile and smartphones, or even sent via SMS.

Cloud may be the next big thing as a delivery method, but what will you be using to secure it?

Is your anti-virus software doing its job?

AV-Comparatives (http://www.av-comparatives.org/) have been reviewing and comparing anti-virus software packages for a number of years. 

The latest reports are available from this section of their site: http://www.av-comparatives.org/comparativesreviews/main-tests

The comparisons between these products are independent and are based on the findings, which are reported.

I know people find it a big upheaval to change their anti-virus provider, especially in larger organisations, but the results offer a very compelling argument to switch to Avira!

Thursday, 1 July 2010

Are all UTM appliances the same? - Cyberoam

I'm a little biased, but I think the Cyberoam CR series UTM (Unified Threat Management) offering is head and shoulders above other UTM appliances on the market.

Some people will consider all UTMs the same, rather than looking at the components that make up the whole, or they consider it a point solution where only one or two features are used, rather than making the most of the whole solution.

Why do I consider the Cyberoam CR series a better solution? Well, here are some of my findings:
  • Identity based UTM, to allow rules to be applied to users, rather than IPs
  • A stateful firewall that supports high availability and IPv6
  • Gateway anti-virus and anti-spyware solution provided by Kaspersky
  • Real time anti-spam solution provided by Commtouch
  • IPSEC VPN that supports PPTP and L2TP, as well as a VPN client provided by GreenBow
  • SSL-VPN functionality on the appliance
  • Web content and application filtering, including IM filtering
  • IPS, including the ability to create your own signatures
  • Multi-link/Multiple WAN links supported on all the appliances, including USB 3G dongle support
The Cyberoam CR series solution is very cost effective and can go head-to-head with all the major UTM appliances, and in my opinion outshine them as well!

To help complement this solution, there is also the Cyberoam Centralised Console (CCC), which can manage multiple Cyberoam UTM appliances, as well as a software-based solution to offer Data Protection & Encryption, Device Management, Application Control and Asset Management.


Don't just take my word for it, organise an evaluation of one from e92plus

Wednesday, 30 June 2010

UAG - Activating your configuration

The first few times I used UAG, I wondered why it took so long to activate the configuration.  Even though the finish screen came up, the configuration would not always be live.

There is an easy way to check this by using the messages.  On the main UAG screen, click on "Messages" and select "Filter Messages...", then select "Informational messages".

So before, the finish button would appear after activation:

But if you have a look at the following screen, you can see it takes a bit longer before the activation is completed.