Web Filtering

Hi All,

I wondered if people could offer some advice and maybe some ideas on what others are doing.

We currently have got Barracuda Web Security Gateways for Internet Filtering, and they are used in Inline Transparent mode.

They work well, but the issue I have is that because they sit online on the LAN they only filter LAN traffic, they don't capture anything that is on a DMZ or WiFi DMZ>

Does anyone have any ideas or experience of a better way to deploy this to capture all networks that are going out to the internet, or other systems they have used that can do this.

Thanks in advance.

Paul
LVL 1
essexboy80Asked:
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

x
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

btanExec ConsultantCommented:
actually the proxy ideally is to ensure the perimeter filter is checked as well, example of placement can be of such is as below. For smaller scale, there may be single DMZ only and for some even have IDS exterior of (EXT) FW.

(EXT)FW<>IPS<>Proxy<>EXT-DMZ<> (INT)FW<>INT-DMZ<>IPS<>Proxy<>INTRANET

The WIFI DMZ is largely also within the EXT-DMZ for guest or contractor access. So ideally the proxy is to guard at perimeter of critical segment exit and entry point. Assuming the segment are segregated based on division, department or agencies etc from the overall organisation. The strategy is not to have many "holes" that serves as exit or entry else visibility of threats (data leakage or malware incursion or malpractice etc) can be easily lost or overlooked. Ideally there is a central monitoring SOC to gather all security log to act as another oversight ..

Back to the inline, I see if as a need to just that you may want to review in the time of proxy failure or outage or denial of service or misconfiguration, is it a fail secure (deny all) or fail open (let all through) approach. I will go for former as security professional but business calling will tend to go for latter which is more common. Keeping business running is critical especially if the segment design is all being congregated to single point of exit / entry.

Therefore HA for proxy, FW or even IPS are consideration when choosing the appropriate solution. Most now simplify the approach with UTM or NGFW that embrace such security capabilities as a All in One. The next caveat is then the performance for such convenience per se.

We will always need to seek a balance btw security and performance. There is need for the profiling of the normal before the filtering and restriction of the rules really get effective with minimal false positive. For proxy, the key is the category to block as baseline e.g. social n/w, anonymiser, p2p sites, cloud service hosting file shares, poronography sites, code sharing site, web email etc. It has to align to your organisation security policy and standard - get the security team involved and not the infrastructure folks. Sometimes microsite blocking may be needed e.g. allow fackbook but not sharing of photo feature etc...

There are technology provider to fulfill the capability but to tailor to your need, only you will know the environment best and have higher mgmt and user requirement considered.

Just some few cents
0
essexboy80Author Commented:
Thanks very much
0
btanExec ConsultantCommented:
Appreciate it, actually the focus will be to identify the egress and ingress points and then having the proxy in place to perform the necessary filtering or monitoring. It is tough to check all the "windows" and "doors" if the thief can just come in from all of them - having to restrict or channel all such attempts to only one or two public facing "windows" or "doors" will have a more concerted and consistent scheme to monitoring and be your ultimate enforcement pt.

But as mentioned, let not neglect those that can hide thru the authorised channel and means such as use of external portable devices and those allowed thru the legit protocol and port due to exposed services. So in all no 100% proxy coverage for "all" network traffic as some will required internal and external dmz bouncer to oversee - have a layered and fluency in the monitoring.
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Software Firewalls

From novice to tech pro — start learning today.