Solved

Web Filtering

Posted on 2014-03-31
3
445 Views
Last Modified: 2014-09-08
Hi All,

I wondered if people could offer some advice and maybe some ideas on what others are doing.

We currently have got Barracuda Web Security Gateways for Internet Filtering, and they are used in Inline Transparent mode.

They work well, but the issue I have is that because they sit online on the LAN they only filter LAN traffic, they don't capture anything that is on a DMZ or WiFi DMZ>

Does anyone have any ideas or experience of a better way to deploy this to capture all networks that are going out to the internet, or other systems they have used that can do this.

Thanks in advance.

Paul
0
Comment
Question by:essexboy80
  • 2
3 Comments
 
LVL 61

Expert Comment

by:btan
ID: 39968985
actually the proxy ideally is to ensure the perimeter filter is checked as well, example of placement can be of such is as below. For smaller scale, there may be single DMZ only and for some even have IDS exterior of (EXT) FW.

(EXT)FW<>IPS<>Proxy<>EXT-DMZ<> (INT)FW<>INT-DMZ<>IPS<>Proxy<>INTRANET

The WIFI DMZ is largely also within the EXT-DMZ for guest or contractor access. So ideally the proxy is to guard at perimeter of critical segment exit and entry point. Assuming the segment are segregated based on division, department or agencies etc from the overall organisation. The strategy is not to have many "holes" that serves as exit or entry else visibility of threats (data leakage or malware incursion or malpractice etc) can be easily lost or overlooked. Ideally there is a central monitoring SOC to gather all security log to act as another oversight ..

Back to the inline, I see if as a need to just that you may want to review in the time of proxy failure or outage or denial of service or misconfiguration, is it a fail secure (deny all) or fail open (let all through) approach. I will go for former as security professional but business calling will tend to go for latter which is more common. Keeping business running is critical especially if the segment design is all being congregated to single point of exit / entry.

Therefore HA for proxy, FW or even IPS are consideration when choosing the appropriate solution. Most now simplify the approach with UTM or NGFW that embrace such security capabilities as a All in One. The next caveat is then the performance for such convenience per se.

We will always need to seek a balance btw security and performance. There is need for the profiling of the normal before the filtering and restriction of the rules really get effective with minimal false positive. For proxy, the key is the category to block as baseline e.g. social n/w, anonymiser, p2p sites, cloud service hosting file shares, poronography sites, code sharing site, web email etc. It has to align to your organisation security policy and standard - get the security team involved and not the infrastructure folks. Sometimes microsite blocking may be needed e.g. allow fackbook but not sharing of photo feature etc...

There are technology provider to fulfill the capability but to tailor to your need, only you will know the environment best and have higher mgmt and user requirement considered.

Just some few cents
0
 
LVL 1

Author Comment

by:essexboy80
ID: 40226323
Thanks very much
0
 
LVL 61

Accepted Solution

by:
btan earned 500 total points
ID: 40226434
Appreciate it, actually the focus will be to identify the egress and ingress points and then having the proxy in place to perform the necessary filtering or monitoring. It is tough to check all the "windows" and "doors" if the thief can just come in from all of them - having to restrict or channel all such attempts to only one or two public facing "windows" or "doors" will have a more concerted and consistent scheme to monitoring and be your ultimate enforcement pt.

But as mentioned, let not neglect those that can hide thru the authorised channel and means such as use of external portable devices and those allowed thru the legit protocol and port due to exposed services. So in all no 100% proxy coverage for "all" network traffic as some will required internal and external dmz bouncer to oversee - have a layered and fluency in the monitoring.
0

Featured Post

What Security Threats Are You Missing?

Enhance your security with threat intelligence from the web. Get trending threat insights on hackers, exploits, and suspicious IP addresses delivered to your inbox with our free Cyber Daily.

Join & Write a Comment

The use of stolen credentials is a hot commodity this year allowing threat actors to move laterally within the network in order to avoid breach detection.
Envision that you are chipping away at another e-business site with a team of pundit developers and designers. Everything seems, by all accounts, to be going easily.
Illustrator's Shape Builder tool will let you combine shapes visually and interactively. This video shows the Mac version, but the tool works the same way in Windows. To follow along with this video, you can draw your own shapes or download the fileā€¦
When you create an app prototype with Adobe XD, you can insert system screens -- sharing or Control Center, for example -- with just a few clicks. This video shows you how. You can take the full course on Experts Exchange at http://bit.ly/XDcourse.

747 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

10 Experts available now in Live!

Get 1:1 Help Now