Solved

Need a method of switching between intranet and internet for zero client users

Posted on 2013-12-20
Last Modified: 2013-12-26
We are moving to a VDI solution with zero clients and Nutanix servers with VMware. We are going with a default deny policy on our intranet in which we will only allow a whitelist of URLs outbound to the trusted business partners we deal with.
When we implement that, it will break internet browsing, so we would have another VLAN or security zone that is less restrictive to be used by everyone for internet browsing.

My question is how do I achieve this without putting in two zero clients and having two VMs for every user?

This is probably simple, but I am brain frozen...
Question by:rand1964

Expert Comment

by:Rich Rumble
ID: 39733564
Perhaps you should use a proxy: have a browser like Firefox set up to use the proxy for the internet, and use IE to browse the local intranet and other whitelisted sites. The proxy can also, depending on the solution, use an anti-virus to scan all data going to/from the internet.
-rich

Author Comment

by:rand1964
ID: 39733705
Wouldn't that require allowing the uncontrolled internet onto the restricted intranet?

The requirement is that the internal network NEVER allows traffic except to those on the whitelist...no exceptions.

Does this proxy solution still allow total firewalling of internet browsing from the intranet? Can the user still get the VM infected from their browsing of the proxied internet?

Author Comment

by:rand1964
ID: 39733716
Maybe it would help if I tried to clarify a bit more what we are trying to do.

Our main network is being locked down tight; one of the things we are doing is denying all outbound traffic except to trusted URLs. The reason we are taking this approach is that we are constantly being hit by malicious phishing attacks that, when opened, go out to a rogue URL and pull down keystroke loggers and rootkits.
We are having to take this approach because the perpetrators are relentless and have unlimited funds and manpower. So, our main network will remain locked down.

Now, in our line of work, researching things using Google and the like is a must. So our people must have the ability to access Google and the search results that come up. Being locked down to only trusted URLs makes search engine results useless because the URLs returned from a search will not be reachable.

That is why we need a separate network that allows access to the internet, but the VM in the restricted network must NEVER be exposed to the unfiltered internet.

I am trying to figure out a way to do this using zero clients...there must be a way to set this up so that a user can "toggle" from the restricted network to the unfiltered internet.

Maybe the only answer is for each user to have two computers, one for the restricted and one for the unrestricted?
LVL 8

Expert Comment

by:gsmartin
ID: 39733753
Using proxies is an old-school method and I no longer recommend it. You need a good next-generation firewall such as Palo Alto Networks. They are the pioneers of the next-generation firewall concept. The point is their firewall is a true layer 7 firewall that filters traffic based on Content-ID, App-ID, and User-ID. This firewall will give you the most flexibility in terms of filtering. URL and category based filtering is good, but not enough to protect your network. You basically need a traffic cop to monitor, analyze, and filter traffic going through any ports you allow open. For example: the most common being ports 80 and 443; when using URL filtering you allow select URLs to pass through either of these ports.

URL filtering is not enough because you can have malicious content even on allowed/whitelisted websites that may redirect traffic. Therefore, you need to make sure the appliance checks for malware/viruses. Also, the firewall needs to be able to actively identify the content and selectively block portions of the site. Now there are some really good proxies out there that are very capable of doing this. One I've used in the past, called Webwasher, formerly by Secure Computing and now McAfee, was a very good product with very granular filtering abilities. However, it still lacked the ability to filter application traffic, which in today's Web 2.0/3.0 world is more common. Most popular sites these days use apps that traverse your firewall over a variety of different ports, which creates huge problems for firewall administrators and companies. The point is application filtering becomes an important part of allowing or denying components from a website. For example: you may want certain users to have access to Facebook, but not give them the ability to transfer files, chat, or play Facebook games. This is what App-ID filtering allows you to do. You can selectively enable access to Gmail, Yahoo Mail, etc., but deny the ability to use chat, upload/download files, and/or restrict other application features.

So again, a Palo Alto Networks firewall will give you a single point where all inbound/outbound traffic will traverse no matter how you segment your traffic using multiple internal networks with routers, VLANs, and subnets. Instead you can filter using user IDs and AD groups, etc., which is also used by proxies. With a Palo Alto Networks firewall you won't use proxy settings since it's your default gateway. So you can selectively filter content by IP, subnet, group, or user ID.

Note other vendors have jumped on the next-gen firewall bandwagon, so there are other options. My personal choice and what we use internally is Palo Alto Networks.

Author Comment

by:rand1964
ID: 39733763
That's a great summary of URL whitelisting capabilities, and we do use PA. But the network internet access is not negotiable. THERE WILL BE NO ACCESS TO ANY URLS OTHER THAN THOSE WE DO BUSINESS WITH for the primary network.

Internet browsing will require a separate method...there will be no free browsing from the primary network.

I am just trying to figure out if I can set up something that doesn't require buying two clients for each user and having a separate VM for browsing.
LVL 38

Expert Comment

by:Rich Rumble
ID: 39733795
I'm not familiar with a zero client, but it sounds like a virtual or thin client. Thanks for the clarification also. I'm not a fan of NGFWs or UTM systems. It sounds to me like the most you want is clipboard access to/from a host that the users can use to interact with the internet, but it doesn't touch their locked-down machine other than the video portion.
A jump box is what you're after: RDP/Terminal Services/Citrix from the locked-down machine to the more external-facing machine. I use two screens on my computer; the main computer is in a DMZ and has no access to the internet. The other screen I use as my RDP desktop for the machine outside the DMZ. My firewall only allows established connections from the DMZ to that other IP. The only data I get from the RDP session is video of the other host, and I can copy to or from it in the clipboard.
That should save you some money over NGFW/UTM, not to mention much less administration.
-rich

Author Comment

by:rand1964
ID: 39740920
Who makes a "jump box"?
LVL 38

Accepted Solution

by:Rich Rumble (earned 500 total points)
ID: 39740978
You do :) Think of it like using VNC or RDP to "remote control" another PC. You have your locked-down network, with only outbound permissions to a Terminal Server or Citrix server. That terminal server/Citrix server is controlled by the locked-down hosts. You see what it sees, and control it from the locked-down host. To get something to/from that remote host you use the clipboard; copy and paste is about all you can do. The remote host can't do anything to the locked-down host.
http://blog.industrialdefender.com/?p=612
-rich

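The jump-box design described in the two Rich Rumble comments above (a locked-down zone whose only way toward the internet is an RDP/Citrix session to a host in a less restrictive zone, with the firewall allowing only that connection plus its established replies) is easy to state and easy to get subtly wrong, so here is an added example that is not code from the thread or from any of its participants. It models the zone policy as an ordered rule list, then renders the same rules as an nftables forward chain. Every address, zone name, port and partner endpoint below is an assumption chosen for illustration; the partner entries stand in for the URL whitelist, which at L3/L4 can only be expressed as IP ranges and ports (the URL-level matching itself is the job of the layer 7 firewall mentioned earlier in the thread).

```python
# Added example (not the answerer's code): ordered zone policy for the jump-box
# design, plus the same policy rendered as an nftables forward chain.
# All addresses, zones, ports and partner endpoints are assumptions.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

RESTRICTED = ip_network("10.10.0.0/16")      # assumed: locked-down VDI desktop VMs
BROWSING = ip_network("192.168.100.0/24")    # assumed: less restrictive browsing zone
JUMP_HOST = ip_address("192.168.100.10")     # assumed: terminal server living in BROWSING
RDP_PORT = 3389
# assumed partner endpoints at L3/L4; URL-level whitelisting is the L7 firewall's job
PARTNERS = {
    ip_network("203.0.113.0/24"): {443},
    ip_network("198.51.100.7/32"): {443, 8443},
}
PRIVATE = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16")]


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    new: bool = True  # False: packet of a connection the firewall already accepted


def decide(flow: Flow) -> str:
    """Ordered evaluation of the zone policy; the first matching rule wins."""
    src, dst = ip_address(flow.src), ip_address(flow.dst)
    if not flow.new:                       # 1. replies to accepted connections
        return "ACCEPT"
    if dst in RESTRICTED and src not in RESTRICTED:
        return "DROP"                      # 2. nothing ever initiates into the restricted zone
    if src in RESTRICTED:
        if dst in RESTRICTED:
            return "ACCEPT"                # intra-zone traffic never crosses this firewall
        if dst == JUMP_HOST and flow.dport == RDP_PORT:
            return "ACCEPT"                # 3. the one path toward the internet: RDP to the jump host
        for net, ports in PARTNERS.items():
            if dst in net and flow.dport in ports:
                return "ACCEPT"            # 4. whitelisted partner endpoints on their ports only
        return "DROP"                      # 5. default deny for everything else outbound
    if src in BROWSING:
        if any(dst in net for net in PRIVATE):
            return "DROP"                  # 6. browsing zone reaches the internet, not internal ranges
        return "ACCEPT"
    return "DROP"                          # 7. unknown zone: dropped


def render_nftables() -> str:
    """Render the same ordered policy as an nftables forward chain."""
    partner_rules = "\n".join(
        f"        ip saddr {RESTRICTED} ip daddr {net} tcp dport {{ {', '.join(map(str, sorted(ports)))} }} accept"
        for net, ports in PARTNERS.items()
    )
    private = ", ".join(map(str, PRIVATE))
    return f"""table inet zones {{
    chain forward {{
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        ip saddr != {RESTRICTED} ip daddr {RESTRICTED} drop
        ip saddr {RESTRICTED} ip daddr {JUMP_HOST} tcp dport {RDP_PORT} accept
{partner_rules}
        ip saddr {RESTRICTED} drop
        ip saddr {BROWSING} ip daddr {{ {private} }} drop
        ip saddr {BROWSING} accept
    }}
}}
"""


if __name__ == "__main__":
    for f in (Flow("10.10.4.20", "192.168.100.10", 3389),   # desktop -> jump host: ACCEPT
              Flow("10.10.4.20", "93.184.216.34", 443),     # desktop -> internet: DROP
              Flow("192.168.100.10", "10.10.4.20", 3389)):  # jump host -> desktop: DROP
        print(f, "->", decide(f))
    print(render_nftables())
```

Two things the model makes explicit that the prose only implies: rule 2 sits before the jump-host rule, so a compromised browsing host can never open a connection back into the restricted zone even on the RDP port, and rule 5 drops outbound DNS from the restricted zone along with everything else, so name resolution for the partner whitelist has to come from a resolver inside that zone (an assumption of this example, not something the thread specifies). The rendered ruleset is illustrative output; load it only after reviewing it against your own addressing.
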
Author Closing Comment

by:rand1964
ID: 39740995
Thanks! This is what I was looking for...now to see if I can get the funding for this