Different Approaches to Unified Threat Management

Posted on 2007-09-30
Last Modified: 2013-12-04
This is enough to make your head swim. I have a network of about 150 users. Windows 2003 Servers.
We run Trend Micro Client Security for SMB. Even with Trend running, several users get hit with rootkits and the like. I know it is because they go places on the internet that they shouldn't be going to. I obviously need some kind of Web Filter or, in a broader sense, some type of Unified Threat Management.

 In researching this topic it appears as though there are three basic topologies for doing this:
1) A security appliance
2) Turn the Windows Servers in to Proxy Servers
3) Set up a standalone PC as a Proxy server
Am I completely off base here?

Assuming I am close, I am struggling with the approach to take. I like the security appliances because they offload everything to the security appliance and don't utilize the servers in any way. I don't like the security appliances because they are proprietary and expensive. If one goes down it would be a real pain to get fixed rapidly, and the internet would be down for the duration of the fix.

I don't like using the server as a proxy server, just from the standpoint that the less you have your server do, the better off you are. One less thing to go wrong.

I like the idea of using a standalone PC as a Proxy Server for several reasons. It still eliminates any burden on the server. If it does go down you stand a good chance of fixing it fast and reasonably (especially if you make an image backup of it). There are a couple of drawbacks. The major one seems to be that the UTM Proxy Server software from most vendors will only run on Windows Servers. This makes the price of a Security Appliance a lot more reasonable.

Does anyone have any input on the approach to take? My head is swimming with all the different vendors and their different approaches. I have read several of the threads here and everyone seems to recommend a different vendor. Isn't there a web page you can go to to get an overall rating of the different vendors?

Any input would be greatly appreciated. Thanks!
Question by: jimbecher
    LVL 51

    Accepted Solution

I'd collect an old i386 from the trash corner, install a simple linux with squid, force all browsers to use that squid as proxy, and ready you go ...
(well, the configuration of the blacklist checked by squid will be a challenge, depending on your browser users' skills:)
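The accepted answer is the whole design in one sentence: a Squid box, a blacklist, and browsers forced through it. The script below is an added example (not from the thread or from the Squid project) of what that blacklist and the matching `squid.conf` fragment look like, plus a small POSIX-shell checker that emulates Squid's `dstdomain` matching so you can test blacklist entries before reloading the proxy. The domains, the 192.168.1.0/24 subnet, the port, and the `$WORK` directory are constructed for illustration; the `/etc/squid/` paths are Squid's usual defaults and may differ on your distribution.

```shell
#!/bin/sh
# Added example, not from the original post: writes a constructed Squid
# dstdomain blacklist and a minimal squid.conf fragment into a scratch
# directory, and provides is_blocked() to check hosts against the list
# offline. All names, addresses and paths below are assumptions.

WORK="${TMPDIR:-/tmp}/squid-blocklist-demo"
mkdir -p "$WORK"

# Constructed blacklist in Squid's dstdomain file format:
#   ".domain.tld"      matches domain.tld AND every subdomain of it
#   "host.domain.tld"  (no leading dot) matches that exact host only
# Blank lines and '#' comments are ignored.
cat > "$WORK/blocked_domains.txt" <<'EOF'
# constructed sample entries
.badsite.example
.warez.example
tracker.example.net
EOF

# Minimal squid.conf fragment. Squid evaluates http_access lines in order
# and stops at the first match, so the deny for the blacklist must come
# BEFORE the allow for the LAN, or the blacklist never fires.
cat > "$WORK/squid.conf" <<'EOF'
http_port 3128
acl localnet src 192.168.1.0/24
acl blocked dstdomain "/etc/squid/blocked_domains.txt"
http_access deny blocked
http_access allow localnet
http_access deny all
EOF

# is_blocked HOST FILE
# Returns 0 if Squid's dstdomain rules in FILE would match HOST, else 1.
# Matching is case-insensitive, as in Squid.
is_blocked() {
    host=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    while IFS= read -r entry; do
        case "$entry" in ''|'#'*) continue ;; esac
        entry=$(printf '%s' "$entry" | tr 'A-Z' 'a-z')
        case "$entry" in
            .*)
                # leading dot: the domain itself or any subdomain of it
                [ "$host" = "${entry#.}" ] && return 0
                case "$host" in *"$entry") return 0 ;; esac
                ;;
            *)
                # no leading dot: exact host match only
                [ "$host" = "$entry" ] && return 0
                ;;
        esac
    done < "$2"
    return 1
}

# Stand-alone demo run: report a few constructed hosts.
for h in www.badsite.example tracker.example.net www.tracker.example.net goodsite.example; do
    if is_blocked "$h" "$WORK/blocked_domains.txt"; then
        echo "$h: blocked"
    else
        echo "$h: allowed"
    fi
done
```

Two things the script cannot do for you: after copying the files into place, run `squid -k parse` (and then `squid -k reconfigure`) so Squid validates the ACL file itself, and make sure the firewall drops direct outbound 80/443 from the client subnet; "forcing all browsers" through the proxy only holds if the proxy is the only way out.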
    LVL 52

    Assisted Solution

First: No one "gets hit" with rootkits. If it could come that far, your administration has to be held responsible for it. If you have such massive infections, then it's time to rethink your whole strategy.
    Some loose thoughts for the future:
    -teach your users
    -use user rights
    -keep applications and OS updated (patch management)
    -block access to personal startup areas (autostart/registry)
    -think about restricting internet access to business matters only

    less simple
    -use indirect internet access like from a terminal server or kde (linux) session
    -use content filtering (mimesweeper clearswift/ finjan web appliance)
    -apply software restriction policies (via GPOs)

From your current situation I would first do an analysis of "what went wrong", because something definitely went wrong. Alongside, you should take your time to build a security policy, and I mean it: make a plan about what you want people to be able to do (functionality), what that implies (risks) and how to react (prevention/countermeasures/emergency behavior). Afterwards, you might think about high-tech solutions, and whether those would really be appropriate.
    If people have direct internet access (no proxy) then there has to be a reason for that, what is it?
    Imagine someone hacking your machines and committing cybercrime. The police might come and take away all your servers - no working for days - that was it ;)
