Randy

asked on

Need a method of switching between intranet and internet for zero client users

We are moving to a VDI solution with zero clients and Nutanix Servers with VMware.  We are going with a default deny policy on our intranet in which we will only allow a whitelist of urls outbound to the trusted business partners we deal with.
When we implement that, it will break internet browsing so we would have another VLAN or security zone that is less restrictive to be used by everyone for internet browsing.

My question is how do I achieve this without putting two zero-clients and having 2 VM's for every user???

This is probably simple but I am brain frozen....
Rich Rumble

Perhaps you should use a proxy, have a browser like Firefox set up to use the proxy for internet, and use IE to browse the local intranet and other white-listed sites. The proxy can also, depending on the solution, use an Anti-virus to scan all data going to/from the internet.
-rich
Randy (ASKER)

Wouldn't that require allowing the uncontrolled internet onto the restricted intranet?

The requirement is that the internal network NEVER allows traffic except to those on the whitelist...no exceptions.

This proxy solution does it still allow total firewalling of internet browsing from intranet?  Can the user still get the VM infected from their browsing of the proxied internet?
Randy (ASKER)

Maybe it would help if I tried to clarify a bit more what we are trying to do.

Our main network is being locked down tight, one of the things we are using is deny all outward bound traffic except to trusted urls.  The reason we are taking this approach is because we are constantly being hit by malicious phishing attacks that when opened, they go out to a rogue url and pull down keystroke loggers and rootkits.
We are having to take this approach because the perpetrators are relentless and have unlimited funds and manpower.  So, our main network will remain locked down.

Now, in our line of work, researching things using Google and the like is a must.  So our people must have the ability to access Google and the search results that come up.  Being locked down to only trusted urls makes search engine results useless because the urls that are returned from a search will not be able to be gotten to.

That is why we need a separate network that allows access to the internet, but the VM in the restricted network must NEVER be exposed to the unfiltered internet.

I am trying to figure out a way to do this using zero clients...there must be a way to set this up so that a user can "toggle" from the restricted network to the unfiltered internet.

Maybe the only answer is for each user to have two computers, one for the restricted and one for the unrestricted?
Using proxies is an old school method and I no longer recommend it.  You need a good Next Generation Firewall such as Palo Alto Networks.  They are the pioneers in the next generation firewall concept.   The point is their firewall is a true layer 7 firewall that filters traffic based on Content-ID, App-ID, and User-ID.  This firewall will give you the most flexibility in terms of filtering.  URL and category based filtering is good, but not enough to protect your network.  You basically need a traffic cop to monitor, analyze, and filter traffic going through any ports you allow open.  For example: The most common being Port 80 and 443, when using URL filtering you allow select URLs to pass through either of these ports.  

URL filtering is not enough because you can have malicious content even on allowed/white listed websites that may redirect traffic.  Therefore, you need to make sure the appliance checks for Malware/Viruses.  Also, the firewall needs to be able to actively identify the content and selectively block portions of the site.  Now there are some really good proxies out there that are very capable at doing this.  One I've used in the past called Webwasher, formerly by Secure Computing, now McAfee, was a very good product with very granular filtering abilities.  However, it still lacked the ability to filter Application traffic, which in today's Web 2.0/3.0 world is more common.  Most popular sites these days use apps that traverse your firewall over a variety of different ports, which creates huge problems for Firewall administrators and companies.  The point is Application filtering becomes an important part of allowing or denying components from a website.  For example: You may want certain users to have access to Facebook, but not give them the ability to transfer files, chat, or play Facebook games.  This is what App-ID filtering allows you to do.  You selectively enable access to gmail, yahoo mail, etc..., but deny the ability to use chat, upload/download files, and/or restrict other application features.  

So again, Palo Alto Networks Firewall will give you a single point where all inbound/outbound traffic will traverse no matter how you segment your traffic using multiple internal networks with routers, VLANs, and subnets.  Instead you can filter using User IDs and AD groups, etc..., which is also used by proxies.  With Palo Alto Networks firewall you won't use proxy settings since it's your default gateway.  So you can selectively filter content by IP, Subnet, Group, or User ID.

Note other vendors have jumped on the Next-Gen Firewall bandwagon so there are other vendors.  My personal choice and what we use internally is Palo Alto Networks.
Randy (ASKER)

That's a great summary of url whitelisting capabilities, and we do use PA.  But the network internet access is not negotiable.  THERE WILL BE NO ACCESS TO ANY URLS OTHER THAN THOSE WE DO BUSINESS WITH for the primary network.

Internet browsing will require a separate method...there will be no free browsing from the primary network.

I am just trying to figure out if I can setup something that doesn't require buying two clients for each user and having a separate VM for browsing.
I'm not familiar with a zero client, but sounds like a virtual or thin client. Thanks for the clarification also. I'm not a fan of NGFWs or UTM systems. It sounds to me like the most you want is clipboard access to/from a host that the users can interact with the internet on, but it doesn't touch their locked down machine other than the video portion.
A jump box is what you're after, RDP/Terminal Services/Citrix from the locked down machine to the more external facing machine. I use 2 screens on my computer, the main computer is in a DMZ and has no access to the internet. The other screen I use as my RDP desktop for the machine outside the DMZ. My firewall only allows established connections from the DMZ to that other IP. The only data I get from the rdp session is video of the other host and I can copy to or from in the clipboard.
That should save you some money over NGFW/UTM, not to mention much less administration.
-rich
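The two designs discussed in this thread, the asker's default-deny egress policy with a partner whitelist and Rich's jump-box rule (RDP only, from the locked-down zone to one external-facing host), are small enough to model as an ordered rule set. The script below is an added illustration written for this page, not code from any participant; the subnet, jump-box address, partner names and log lines are all constructed, and a real deployment would express the same rules in the firewall or proxy itself. It evaluates a handful of constructed egress attempts from the restricted VMs and separates the ones the policy would allow from the ones it would deny, which is exactly the set a defender would want to review, since a VM reaching for an unlisted host after a phishing click is the pattern the asker describes.

```python
"""Model of a default-deny egress policy with a partner whitelist and a jump-box rule.

Added example for this thread, not code from the thread or from any vendor.
Every address, name and log line below is constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

RESTRICTED_NET = ip_network("10.10.0.0/24")   # assumed subnet of the locked-down VDI VMs
JUMP_BOX = ip_address("192.0.2.10")           # assumed browsing host in the less restrictive zone
JUMP_BOX_PORT = 3389                           # RDP, as in Rich's description

# Assumed business-partner names; these are the only web destinations the
# restricted zone may reach.  Subdomains of a listed name are also accepted.
PARTNER_WHITELIST = {"portal.partner-a.example", "api.partner-b.example"}


@dataclass
class Flow:
    src: str
    dst: str
    dport: int
    host: Optional[str] = None  # HTTP Host header / TLS SNI when the proxy saw one


def host_allowed(host: str) -> bool:
    """True for an exact whitelist match or a subdomain of a whitelisted name.

    The leading dot in the suffix check stops look-alikes such as
    'evil-partner-a.example' from matching 'partner-a.example'.
    """
    h = host.lower().rstrip(".")
    return any(h == w or h.endswith("." + w) for w in PARTNER_WHITELIST)


def decide(flow: Flow) -> str:
    """Return 'allow' or 'deny' for one egress attempt from the restricted zone."""
    src = ip_address(flow.src)
    dst = ip_address(flow.dst)
    if src not in RESTRICTED_NET:
        return "deny"  # this model only covers egress from the locked-down VMs
    # Rule 1: the jump box, and only on the RDP port.  Any other port to the
    # same host (file shares, for instance) falls through to the default deny.
    if dst == JUMP_BOX and flow.dport == JUMP_BOX_PORT:
        return "allow"
    # Rule 2: web traffic only when the destination name is on the partner list.
    # Traffic with no observable host name cannot be matched and is denied.
    if flow.dport in (80, 443) and flow.host and host_allowed(flow.host):
        return "allow"
    # Default deny: everything else, including the rogue download hosts that a
    # phishing payload would try to reach.
    return "deny"


# Constructed sample of egress attempts, one per line: src dst dport host ('-' if unknown)
SAMPLE_LOG = """\
10.10.0.15 203.0.113.5 443 portal.partner-a.example
10.10.0.15 192.0.2.10 3389 -
10.10.0.22 198.51.100.77 80 updates.rogue-cdn.example
10.10.0.22 192.0.2.10 445 -
10.10.0.30 203.0.113.9 443 files.api.partner-b.example
"""


def parse_line(line: str) -> Flow:
    src, dst, dport, host = line.split()
    return Flow(src, dst, int(dport), None if host == "-" else host)


def review_log(text: str) -> Tuple[List[Flow], List[Flow]]:
    """Split logged attempts into (allowed, denied); the denied list is the alert queue."""
    allowed: List[Flow] = []
    denied: List[Flow] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        flow = parse_line(line)
        (allowed if decide(flow) == "allow" else denied).append(flow)
    return allowed, denied


if __name__ == "__main__":
    ok, blocked = review_log(SAMPLE_LOG)
    for f in ok:
        print(f"allow  {f.src} -> {f.dst}:{f.dport} {f.host or ''}")
    for f in blocked:
        print(f"DENY   {f.src} -> {f.dst}:{f.dport} {f.host or ''}   <- review")
```

Of the five constructed attempts, the partner portal, the RDP session to the jump box and a subdomain of the second partner are allowed; the download from an unlisted host and the attempt to reach the jump box over a non-RDP port are denied and land in the review list. Keeping the jump-box rule pinned to a single destination and port is what preserves the asker's requirement: the only thing crossing from the restricted zone to the browsing host is the remote-display session.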
Randy (ASKER)

Who makes a "jump box"?
ASKER CERTIFIED SOLUTION
Rich Rumble

Randy (ASKER)

Thanks!  This is what I was looking for...now to see if I can get the funding for this