[unisog] WindowsUpdate hole (was MS04-007/011 scanner)
wnelto at net.wm.edu
Wed May 5 20:57:40 GMT 2004
This is the approach we're taking. It's all "in development", but it
seems to work. Here's how we're allowing people to get Windows Update...
DHCP hands out a lease with a gateway that points to a Linux box router.
The router allows DNS queries to pass through to our campus DNS server.
This way, when you contact "www.google.com", the name resolves to the
correct Google IP address.
The router redirects all web traffic to the local Squid process. Squid
is configured to run transparently, so it analyzes everything "inline".
It doesn't cache anything. An external program (SquidGuard) works with
Squid to scrape the incoming requests, and redirect any
non-windows-update traffic to a local webpage.
This approach works, since Squid/SquidGuard filters based on the HTTP
request hostname rather than the IP address, or even DNS hostname. For
the moment, we're allowing traffic to *.microsoft.com and *.akamai.com.
We'll experiment with these later.
One other gotcha... Once Windows Update gets going, it starts using
HTTPS rather than HTTP. Unfortunately, HTTPS also encrypts the
hostname, so SquidGuard can't figure it out. We're allowing the router
to pass all HTTPS traffic uninterrupted.
I realize this is somewhat dense. Let me know if you have any questions,
Information Technology - Network Engineering
College of William & Mary
On May 5, 2004, at 11:35 AM, Tom Laermans wrote:
> If you want to have proxying for all your workstations without even
> touching the clients it can be done with transparent proxying, squid
> supports this.
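The hostname-based filtering described in the post (SquidGuard scraping each request and sending everything that is not Windows Update to a local page) can be illustrated with a small Squid redirector helper. The following is an added example, not code from the post or from SquidGuard: it implements the plain-text redirector protocol Squid has used for its redirect_program / url_rewrite_program helpers (one request per line as "URL client_ip/fqdn ident method", answered with a replacement URL or an empty line), allows only *.microsoft.com and *.akamai.com, and sends anything else to a block page. The block-page host quarantine.example.edu is a placeholder, and the exact helper line format is assumed from Squid's documentation rather than taken from the post.

```python
#!/usr/bin/env python3
"""Hostname-allowlist redirector for a transparent Squid quarantine.

Squid starts this helper and feeds it one line per request:
    URL client_ip/fqdn ident method
The helper answers with a replacement URL ("302:<block page>" here)
or an empty line, which means "pass the request through unchanged".
Example code; the line format above is assumed from Squid's helper docs.
"""
import sys
from urllib.parse import urlsplit

# Domains a quarantined host may reach (suffix match, as in the post).
ALLOWED_DOMAINS = ("microsoft.com", "akamai.com")

# Placeholder for the local explanation page; not a real host.
BLOCK_PAGE = "http://quarantine.example.edu/blocked.html"


def host_allowed(hostname, allowed=ALLOWED_DOMAINS):
    """True if hostname is an allowed domain or a subdomain of one.

    The suffix match is anchored on a dot, so 'notmicrosoft.com'
    does not match 'microsoft.com'. A trailing dot (FQDN form) and
    mixed case are normalised away first.
    """
    if not hostname:
        return False
    h = hostname.lower().rstrip(".")
    return any(h == d or h.endswith("." + d) for d in allowed)


def decide(request_line):
    """Return the helper's reply for one Squid request line."""
    fields = request_line.split()
    if not fields:
        return ""
    url = fields[0]
    # hostname is None for a malformed URL or a bare "host:port"
    # (the form Squid uses for CONNECT); those are not passed through.
    host = urlsplit(url).hostname
    # Pass allowed hosts untouched, and never redirect requests for the
    # block page itself, which would otherwise create a redirect loop.
    if host_allowed(host) or host == urlsplit(BLOCK_PAGE).hostname:
        return ""
    # Everything else is sent to the local explanation page.
    return "302:" + BLOCK_PAGE


def main():
    # Squid blocks on each answer, so flush after every line.
    for line in sys.stdin:
        sys.stdout.write(decide(line) + "\n")
        sys.stdout.flush()


if __name__ == "__main__":
    main()
```

Note that in transparent mode Squid reconstructs the URL from the client's Host header, so the hostname this helper sees is whatever the client sent, not the address it connected to; the post's router rule that only forwards web traffic into Squid and passes HTTPS untouched is what keeps the rest of the picture consistent.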