

Need a method of switching between intranet and internet for zero client users

Posted on 2013-12-20
Medium Priority
Last Modified: 2013-12-26
We are moving to a VDI solution with zero clients and Nutanix servers with VMware. We are going with a default-deny policy on our intranet in which we will only allow a whitelist of URLs outbound to the trusted business partners we deal with.
When we implement that, it will break internet browsing, so we would have another VLAN or security zone that is less restrictive to be used by everyone for internet browsing.

My question is how do I achieve this without putting in two zero clients and having two VMs for every user?

This is probably simple but I am brain frozen....
Question by:rand1964

Expert Comment

by:Rich Rumble
ID: 39733564
Perhaps you should use a proxy: have a browser like Firefox set up to use the proxy for the internet, and use IE to browse the local intranet and other white-listed sites. The proxy can also, depending on the solution, use an anti-virus to scan all data going to/from the internet.

Author Comment

ID: 39733705
Wouldn't that require allowing the uncontrolled internet onto the restricted intranet?

The requirement is that the internal network NEVER allows traffic except to those on the whitelist...no exceptions.

Does this proxy solution still allow total firewalling of internet browsing from the intranet? Can the user still get the VM infected from their browsing of the proxied internet?

Author Comment

ID: 39733716
Maybe it would help if I tried to clarify a bit more what we are trying to do.

Our main network is being locked down tight; one of the things we are using is deny all outbound traffic except to trusted URLs. The reason we are taking this approach is because we are constantly being hit by malicious phishing attacks that, when opened, go out to a rogue URL and pull down keystroke loggers and rootkits.
We are having to take this approach because the perpetrators are relentless and have unlimited funds and manpower.  So, our main network will remain locked down.

Now, in our line of work, researching things using Google and the like is a must. So our people must have the ability to access Google and the search results that come up. Being locked down to only trusted URLs makes search engine results useless because the URLs that are returned from a search will not be reachable.

That is why we need a separate network that allows access to the internet, but the VM in the restricted network must NEVER be exposed to the unfiltered internet.

I am trying to figure out a way to do this using zero clients...there must be a way to set this up so that a user can "toggle" from the restricted network to the unfiltered internet.

Maybe the only answer is for each user to have two computers, one for the restricted and one for the unrestricted?

Expert Comment

ID: 39733753
Using proxies is an old-school method and I no longer recommend it. You need a good Next Generation Firewall such as Palo Alto Networks. They are the pioneers in the next generation firewall concept. The point is their firewall is a true layer 7 firewall that filters traffic based on Content-ID, App-ID, and User-ID. This firewall will give you the most flexibility in terms of filtering. URL and category based filtering is good, but not enough to protect your network. You basically need a traffic cop to monitor, analyze, and filter traffic going through any ports you allow open. For example: the most common being ports 80 and 443; when using URL filtering you allow select URLs to pass through either of these ports.

URL filtering is not enough because you can have malicious content even on allowed/white-listed websites that may redirect traffic. Therefore, you need to make sure the appliance checks for malware/viruses. Also, the firewall needs to be able to actively identify the content and selectively block portions of the site. Now there are some really good proxies out there that are very capable of doing this. One I've used in the past called Webwasher, formerly by Secure Computing, now McAfee, was a very good product with very granular filtering abilities. However, it still lacked the ability to filter application traffic, which in today's Web 2.0/3.0 world is more common. Most popular sites these days use apps that traverse your firewall over a variety of different ports, which creates huge problems for firewall administrators and companies. The point is that application filtering becomes an important part of allowing or denying components from a website. For example: you may want certain users to have access to Facebook, but not give them the ability to transfer files, chat, or play Facebook games. This is what App-ID filtering allows you to do. You selectively enable access to Gmail, Yahoo Mail, etc., but deny the ability to use chat, upload/download files, and/or restrict other application features.

So again, a Palo Alto Networks firewall will give you a single point where all inbound/outbound traffic will traverse no matter how you segment your traffic using multiple internal networks with routers, VLANs, and subnets. Instead you can filter using user IDs and AD groups, etc., which is also used by proxies. With a Palo Alto Networks firewall you won't use proxy settings since it's your default gateway. So you can selectively filter content by IP, subnet, group, or user ID.

Note other vendors have jumped on the Next-Gen Firewall bandwagon, so there are other vendors. My personal choice and what we use internally is Palo Alto Networks.

Author Comment

ID: 39733763
That's a great summary of URL whitelisting capabilities, and we do use PA. But the network internet access is not negotiable. THERE WILL BE NO ACCESS TO ANY URLS OTHER THAN THOSE WE DO BUSINESS WITH for the primary network.

Internet browsing will require a separate method...there will be no free browsing from the primary network.

I am just trying to figure out if I can setup something that doesn't require buying two clients for each user and having a separate VM for browsing.

Expert Comment

by:Rich Rumble
ID: 39733795
I'm not familiar with a zero client, but it sounds like a virtual or thin client. Thanks for the clarification also. I'm not a fan of NGFWs or UTM systems. It sounds to me like the most you want is clipboard access to/from a host that the users can use to interact with the internet, but it doesn't touch their locked-down machine other than the video portion.
A jump box is what you're after: RDP/Terminal Services/Citrix from the locked-down machine to the more external-facing machine. I use two screens on my computer; the main computer is in a DMZ and has no access to the internet. The other screen I use as my RDP desktop for the machine outside the DMZ. My firewall only allows established connections from the DMZ to that other IP. The only data I get from the RDP session is video of the other host, and I can copy to or from in the clipboard.
That should save you some money over NGFW/UTM, not to mention much less administration.

Author Comment

ID: 39740920
who makes a "jump box"?

Accepted Solution

Rich Rumble earned 2000 total points
ID: 39740978
You do :) Think of it like using VNC or RDP to "remote control" another PC. You have your locked-down network, with only outbound permissions to a Terminal Server or Citrix server. That terminal server/Citrix server is controlled by the locked-down hosts. You see what it sees, and control it from the locked-down host. To get something to/from that remote host you use the clipboard; copy and paste is about all you can do. The remote host can't do anything to the locked-down host.
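The accepted answer amounts to a three-zone policy: the locked-down zone may open connections only to the partner whitelist and to the jump host on the display-protocol port, the jump host may browse the internet, and nothing may be initiated from the jump host back into the locked-down zone, with reply packets accepted only for connections already allowed (the "established" rule). Below is an added example, not the poster's or the answerer's configuration, that models that policy as a small stateful filter in Python and runs it over constructed sample flows. The zone addresses (RFC 1918 and RFC 5737 documentation ranges), the partner whitelist, and the use of RDP on 3389/tcp are assumptions; in a real deployment the equivalent rules go into the perimeter firewall (the thread mentions Palo Alto), and the port would be that of whatever display protocol the zero clients use.

```python
"""Three-zone jump-box policy (added example, not from the thread).

  * VDI zone: restricted desktops; may reach the partner whitelist and the
    jump host on the RDP port, nothing else.
  * Jump host: DMZ terminal server; may browse the internet, may never
    initiate a connection into the VDI zone.
  * Replies are accepted only for connections this filter already allowed.
All addresses, ports and partners below are assumptions for illustration.
"""
import ipaddress
from dataclasses import dataclass

VDI_ZONE = ipaddress.ip_network("10.10.0.0/24")   # assumed restricted zone
JUMP_HOST = ipaddress.ip_address("192.0.2.10")    # assumed DMZ jump host
RDP_PORT = 3389                                   # RDP, as in the answer
PARTNER_WHITELIST = {                             # assumed trusted partners
    (ipaddress.ip_address("198.51.100.20"), 443),
    (ipaddress.ip_address("198.51.100.21"), 443),
}
INTERNET_PORTS = {80, 443}                        # what the jump host may browse


@dataclass(frozen=True)
class Flow:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"
    new: bool = True   # True for a connection's first packet (TCP SYN)


class ZoneFirewall:
    """Default-deny, stateful: new connections go through the zone rules,
    later packets are allowed only if their 5-tuple (or its reverse) was
    recorded when the connection was accepted."""

    def __init__(self):
        self._established = set()   # 5-tuples of accepted new connections

    @staticmethod
    def _allow_new(f):
        src, dst = ipaddress.ip_address(f.src), ipaddress.ip_address(f.dst)
        if f.proto != "tcp":
            return False
        if src in VDI_ZONE:
            if dst == JUMP_HOST and f.dport == RDP_PORT:
                return True                  # display session to the jump box
            return (dst, f.dport) in PARTNER_WHITELIST
        if src == JUMP_HOST:
            if dst in VDI_ZONE:              # never from the jump host inward
                return False
            return f.dport in INTERNET_PORTS
        return False                         # anything else: default deny

    def evaluate(self, f):
        key = (f.src, f.sport, f.dst, f.dport, f.proto)
        reverse = (f.dst, f.dport, f.src, f.sport, f.proto)
        if not f.new:
            # Reply or mid-stream packet: only for a tracked connection.
            tracked = key in self._established or reverse in self._established
            return "allow" if tracked else "deny"
        if self._allow_new(f):
            self._established.add(key)
            return "allow"
        return "deny"


# Constructed sample flows, evaluated in order so the reply follows its SYN.
SAMPLE_FLOWS = [
    ("vdi_to_jump_rdp", Flow("10.10.0.5", 50001, "192.0.2.10", 3389)),
    ("jump_rdp_reply", Flow("192.0.2.10", 3389, "10.10.0.5", 50001, new=False)),
    ("vdi_to_partner", Flow("10.10.0.5", 50002, "198.51.100.20", 443)),
    ("vdi_to_search_engine", Flow("10.10.0.5", 50003, "203.0.113.80", 443)),
    ("jump_to_internet", Flow("192.0.2.10", 40001, "203.0.113.80", 443)),
    ("jump_initiates_to_vdi", Flow("192.0.2.10", 40002, "10.10.0.5", 445)),
    ("unsolicited_reply_to_vdi", Flow("192.0.2.10", 3389, "10.10.0.9", 50009, new=False)),
]


def run_samples():
    """Evaluate the sample flows through one filter; returns name -> verdict."""
    fw = ZoneFirewall()
    return {name: fw.evaluate(flow) for name, flow in SAMPLE_FLOWS}


if __name__ == "__main__":
    for name, verdict in run_samples().items():
        print(f"{name:28s} {verdict}")
```

The search-engine flow from the restricted zone is denied while the same destination is allowed from the jump host, which is exactly the split the question asks for. The channel a network filter does not see is the one the answer names: clipboard copy and paste inside the RDP session. Treat it as the residual risk, disable drive, printer and device redirection on the terminal server, and decide deliberately whether the clipboard needs to work in both directions.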

Author Closing Comment

ID: 39740995
Thanks! This is what I was looking for...now to see if I can get the funding for this.

