Forefront TMG Beta 3: URL Filtering – Building a Reputation Service is not a simple task

As you may know, the URL Filtering in Forefront TMG Beta 3 relies on a reputation service, the Microsoft Reputation Service (MRS). Microsoft says its URL filtering is special, and lists a few arguments for that.

What I want to mention below is an interesting situation: one where the same source says it's so and, at the same time, says it's not so.
Say we take a web site and look at it. Can the Microsoft Reputation Service (MRS) make a difference to what we notice?
Please keep in mind that Forefront TMG is still in Beta, so let's look at what's below now and revisit it when it reaches RTM.


For example, take the en.securitylab.ru web site; say I go to http://en.securitylab.ru/:

[Screenshot: tmg_url_f_dom1_1]
[Screenshot: tmg_url_f_dom1_log_1]

So what's so "interesting" about this domain?
It's interesting because it's "split" into parts (sub-directories). For example, a part dedicated to security advisories, a part dedicated to a vulnerability database, and so on:

[Screenshot: tmg_url_f_dom1_2]
[Screenshot: tmg_url_f_dom1_3]

As we can see from the above, they do not use sub-domains for that; rather they use "paths", sub-directories.
While the paths pictured above may be in "harmony" with the general URL category Technical Information, one path may not be:

[Screenshot: tmg_url_f_dom1_4]

Indeed, it's still technical information, a great resource for certain security professionals, but this "path" of this domain is as technical as milw0rm.com is:

[Screenshot: tmg_url_f_dom2]

How is that?
Take a look yourself: one URL from en.securitylab.ru and one URL from milw0rm.com (ignore what it says is there):

[Screenshot: tmg_url_f_dom1_url_5]
[Screenshot: tmg_url_f_dom1_log_5]

[Screenshot: tmg_url_f_dom2_url_1]
[Screenshot: tmg_url_f_dom2_log_1]

So, as can be seen: same domain, different paths; two different domains; different domains with a similar path (sub-directory); different web pages on different domains under a similar path; the same information on those web pages, information that (wrongly) used can put your network at risk (it may do what they say it does, or not ;) ). One URL goes into Technical Information and the other into Hacking/Computer Crime. Who's wrong and who's right?


Putting the entire en.securitylab.ru web site into the Hacking/Computer Crime category may be wrong.
Having the /poc path of the en.securitylab.ru web site in the Technical Information category may also be wrong, while milw0rm.com (and its /exploits path) is kept in the Hacking/Computer Crime category.
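To make the point concrete, here is an added example (not part of the original post, and not Microsoft's code or the MRS rule format) of a small path-aware categorizer in Python: domain-level rules plus path-prefix overrides, so a site such as en.securitylab.ru can stay in Technical Information while its /poc path is treated like milw0rm.com/exploits. The rule structure, the hypothetical `categorize` function and the default category name are assumptions for illustration.

```python
from urllib.parse import urlsplit

# Constructed sample policy. The hosts, paths and category names are the ones
# discussed in the post; the rule layout itself is an assumption, not MRS's format.
DOMAIN_RULES = {
    "en.securitylab.ru": "Technical Information",
    "milw0rm.com": "Hacking/Computer Crime",
}
# (host, path prefix) -> category; more specific than a domain rule.
PATH_RULES = {
    ("en.securitylab.ru", "/poc"): "Hacking/Computer Crime",
}
DEFAULT_CATEGORY = "Uncategorized"  # assumed name for "no rule matched"


def normalize(url):
    """Return (host, path): host lower-cased, path without a trailing slash."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").lower().rstrip(".")
    path = parts.path or "/"
    if len(path) > 1:
        path = path.rstrip("/")
    return host, path


def categorize(url):
    """Path override wins over the domain rule; longest matching prefix wins."""
    host, path = normalize(url)
    best = None
    for (rule_host, prefix), category in PATH_RULES.items():
        if rule_host != host:
            continue
        # Segment-aligned match: /poc covers /poc and /poc/x, not /pocket.
        if path == prefix or path.startswith(prefix + "/"):
            if best is None or len(prefix) > len(best[0]):
                best = (prefix, category)
    if best is not None:
        return best[1]
    # Domain rule: exact host first, then parent domains
    # (so www.milw0rm.com falls under the milw0rm.com rule).
    labels = host.split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in DOMAIN_RULES:
            return DOMAIN_RULES[candidate]
    return DEFAULT_CATEGORY
```

Whether /poc should be Technical Information or Hacking/Computer Crime is a policy decision; the point of the code is that a categorizer that only keys on the domain cannot express that decision at all.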

Can the cloud make a difference?

We will have to wait and see.
