Different Approaches to Unified Threat Management

This is enough to make your head swim. I have a network of about 150 users. Windows 2003 Servers.
We run Trend Micro Client Security for SMB. Even with Trend running, several users get hit with rootkits and the like. I know it is because they go places on the internet that they shouldn't be going to. I obviously need some kind of Web Filter or, in a broader sense, some type of Unified Threat Management.

In researching this topic it appears as though there are three basic topologies for doing this:
1) A security appliance
2) Turn the Windows Servers into Proxy Servers
3) Set up a standalone PC as a Proxy Server
Am I completely off base here?

Assuming I am close, I am struggling with the approach to take. I like the security appliances because they offload everything to the security appliance and don't utilize the servers in any way. I don't like the security appliances because they are proprietary and expensive. If one goes down it would be a real pain to get fixed rapidly, and the internet would be down for the duration of the fix.

I don't like using the server as a proxy server, just from the standpoint that the less you have your server do, the better off you are. One less thing to go wrong.

I like the idea of using a standalone PC as a Proxy Server for several reasons. It still eliminates any burden on the server. If it does go down you stand a good chance of fixing it fast and reasonably (especially if you make an image backup of it). There are a couple of drawbacks. The major one seems to be that the UTM Proxy Server software from most vendors will only run on Windows Servers. This makes the price of a Security Appliance a lot more reasonable.

Does anyone have any input on the approach to take? My head is swimming with all the different vendors and their different approaches. I have read several of the threads here and everyone seems to recommend a different vendor. Isn't there a web page you can go to to get an overall rating of the different vendors?

Any input would be greatly appreciated. Thanks!
ahoffmann Commented:
I'd collect an old i386 from the trash corner, install a simple Linux with squid, force all browsers to use that squid as proxy, and ready you go ...
(well, the configuration of the blacklist checked by squid will be a challenge, depending on your browser users' skills :)
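As an added example (not ahoffmann's own configuration), here is the minimal squid setup the comment describes: a dstdomain blacklist file and the http_access rules that enforce it, with the deny placed before the allow because squid stops at the first matching rule. The LAN range 192.168.1.0/24, port 3128, the output directory and the .invalid sample domains are constructed placeholders.

```shell
#!/bin/sh
# Assumed values (placeholders): client LAN 192.168.1.0/24, squid on 3128,
# files written to $SQUID_DIR (defaults to ./squid-example, not /etc/squid).
SQUID_DIR="${SQUID_DIR:-./squid-example}"

write_blocklist() {
    # Constructed sample entries. A leading dot makes a dstdomain entry
    # match the domain itself and every subdomain beneath it.
    cat > "$SQUID_DIR/blocked_sites.txt" <<'EOF'
.example-malware.invalid
.example-warez.invalid
EOF
}

write_squid_conf() {
    cat > "$SQUID_DIR/squid.conf" <<EOF
http_port 3128
acl localnet src 192.168.1.0/24
acl blocked_sites dstdomain "$SQUID_DIR/blocked_sites.txt"
# Order matters: squid applies the first http_access line that matches,
# so the blacklist deny must precede the allow for the LAN.
http_access deny blocked_sites
http_access allow localnet
http_access deny all
# Keep an access log so blocked requests (TCP_DENIED) can be reviewed.
access_log $SQUID_DIR/access.log squid
EOF
}

# Write both files; prints the number of http_access rules as a sanity check.
build_config() {
    mkdir -p "$SQUID_DIR"
    write_blocklist
    write_squid_conf
    # Validate with squid itself when it is installed (optional step).
    if command -v squid >/dev/null 2>&1; then
        squid -k parse -f "$SQUID_DIR/squid.conf" || return 1
    fi
    grep -c '^http_access' "$SQUID_DIR/squid.conf"
}

# Offline check of whether a hostname would hit the blacklist, using the
# same suffix rule squid applies to leading-dot dstdomain entries.
is_blocked() {
    awk -v d="$1" '
        /^#/ || /^$/ { next }
        { e = $1
          if (substr(e, 1, 1) == ".") {
              if (d == substr(e, 2) || substr(d, length(d) - length(e) + 1) == e) found = 1
          } else if (d == e) found = 1 }
        END { exit found ? 0 : 1 }' "$SQUID_DIR/blocked_sites.txt"
}
```

Pointing the browsers at the proxy (and blocking direct outbound port 80/443 at the firewall so the proxy cannot be bypassed) is a separate step this block does not cover.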
McKnife Commented:
First: No one "gets hit" with rootkits. If it could come that far, your administration has to be held responsible for it. If you have such massive infections, then it's time to rethink your whole strategy.
Some loose thoughts for the future:
-teach your users
-use user rights
-keep applications and OS updated (patch management)
-block access to personal startup areas (autostart/registry)
-think about restricting internet access to business matters only

Less simple:
-use indirect internet access like from a terminal server or kde (linux) session
-use content filtering (mimesweeper clearswift/ finjan web appliance)
-apply software restriction policies (via GPOs)

From your current situation I would first do an analysis of "what went wrong", because something definitely went wrong. Alongside that you should take your time to build a security policy, and I mean it: make a plan about what you want people to be able to do (functionality), what that implies (risks) and how to react (prevention/countermeasures/emergency behavior). Afterwards, you might think about high-tech solutions - and whether those would really be appropriate.
If people have direct internet access (no proxy) then there has to be a reason for that, what is it?
Imagine someone hacking your machines and committing cybercrime. The police might come and take away all your servers - no working for days - that was it ;)