
Web Filtering

Posted on 2014-03-31
Last Modified: 2014-09-08
Hi All,

I wondered if people could offer some advice and maybe some ideas on what others are doing.

We currently have got Barracuda Web Security Gateways for Internet Filtering, and they are used in Inline Transparent mode.

They work well, but the issue I have is that because they sit online on the LAN they only filter LAN traffic; they don't capture anything that is on a DMZ or WiFi DMZ.

Does anyone have any ideas or experience of a better way to deploy this to capture all networks that are going out to the internet, or other systems they have used that can do this?

Thanks in advance.

Paul
Question by:essexboy80
LVL 65

Expert Comment

by:btan
ID: 39968985
Actually, the proxy ideally is to ensure the perimeter filter is checked as well; an example of placement is as below. For smaller scale, there may be a single DMZ only, and some even have an IDS exterior of the (EXT) FW.

(EXT)FW<>IPS<>Proxy<>EXT-DMZ<> (INT)FW<>INT-DMZ<>IPS<>Proxy<>INTRANET

The WIFI DMZ is largely also within the EXT-DMZ for guest or contractor access. So ideally the proxy is to guard at the perimeter of critical segment exit and entry points, assuming the segments are segregated based on division, department or agencies etc. from the overall organisation. The strategy is not to have many "holes" that serve as exit or entry, else visibility of threats (data leakage or malware incursion or malpractice etc.) can be easily lost or overlooked. Ideally there is a central monitoring SOC to gather all security logs to act as another oversight.

Back to the inline, I see it as a need to just that you may want to review in the time of proxy failure or outage or denial of service or misconfiguration, is it a fail secure (deny all) or fail open (let all through) approach. I will go for the former as a security professional, but business calling will tend to go for the latter, which is more common. Keeping business running is critical, especially if the segment design is all being congregated to a single point of exit / entry.

Therefore HA for proxy, FW or even IPS are considerations when choosing the appropriate solution. Most now simplify the approach with UTM or NGFW that embrace such security capabilities as an All in One. The next caveat is then the performance for such convenience per se.

We will always need to seek a balance btw security and performance. There is a need for the profiling of the normal before the filtering and restriction of the rules really get effective with minimal false positives. For proxy, the key is the category to block as baseline e.g. social n/w, anonymiser, p2p sites, cloud service hosting file shares, pornography sites, code sharing sites, web email etc. It has to align to your organisation's security policy and standard - get the security team involved and not the infrastructure folks. Sometimes microsite blocking may be needed e.g. allow Facebook but not the sharing of photo feature etc.

There are technology providers to fulfill the capability, but to tailor to your need, only you will know the environment best and have higher mgmt and user requirements considered.

Just some few cents
LVL 1

Author Comment

by:essexboy80
ID: 40226323
Thanks very much
LVL 65

Accepted Solution

by:
btan earned 2000 total points
ID: 40226434
Appreciate it. Actually, the focus will be to identify the egress and ingress points and then have the proxy in place to perform the necessary filtering or monitoring. It is tough to check all the "windows" and "doors" if the thief can just come in from all of them - having to restrict or channel all such attempts to only one or two public facing "windows" or "doors" will have a more concerted and consistent scheme for monitoring and be your ultimate enforcement pt.

But as mentioned, let's not neglect those that can hide thru the authorised channel and means such as use of external portable devices and those allowed thru the legit protocol and port due to exposed services. So in all, no 100% proxy coverage for "all" network traffic as some will require internal and external dmz bouncers to oversee - have a layered and fluency in the monitoring.
0
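
As an added example (not part of the original thread), the egress-coverage point in the accepted answer and the fail secure versus fail open question from the earlier comment can both be checked on a model of the network. The two topologies, the node names and the function names below are constructed for illustration and are not the asker's actual wiring.

```python
from collections import deque

def reachable(links, start, blocked=frozenset()):
    """Nodes reachable from `start` over undirected links without entering `blocked`."""
    adj = {}
    for a, b in links:
        adj.setdefault(a, set()).add(b)
        adj.setdefault(b, set()).add(a)
    seen, queue = {start}, deque([start])
    while queue:
        for nxt in adj.get(queue.popleft(), ()):
            if nxt not in seen and nxt not in blocked:
                seen.add(nxt)
                queue.append(nxt)
    return seen

def unfiltered_segments(links, segments, filters, internet="INTERNET"):
    """Segments with at least one path to the internet that avoids every filter."""
    open_paths = reachable(links, internet, blocked=frozenset(filters))
    return sorted(set(segments) & open_paths)

def failure_impact(links, segments, filters, failed, fail_open, internet="INTERNET"):
    """Effect of one filter failing.
    fail open:   it forwards without inspecting -> segments left unfiltered.
    fail closed: it drops everything            -> segments cut off from the internet."""
    if fail_open:
        return unfiltered_segments(links, segments, set(filters) - {failed}, internet)
    still_up = reachable(links, internet, blocked=frozenset({failed}))
    return sorted(set(segments) - still_up)

SEGMENTS = ["LAN", "DMZ", "WIFI-DMZ"]
FILTERS = {"PROXY"}
# Constructed topology A: proxy inline on the LAN leg only, as in the question.
LAN_ONLY = [("LAN", "PROXY"), ("PROXY", "FW"), ("DMZ", "FW"),
            ("WIFI-DMZ", "FW"), ("FW", "INTERNET")]
# Constructed topology B: every segment channelled through one filtered egress.
SINGLE_EGRESS = [("LAN", "FW"), ("DMZ", "FW"), ("WIFI-DMZ", "FW"),
                 ("FW", "PROXY"), ("PROXY", "INTERNET")]

if __name__ == "__main__":
    for name, links in (("LAN-only", LAN_ONLY), ("single egress", SINGLE_EGRESS)):
        print(name, "unfiltered:", unfiltered_segments(links, SEGMENTS, FILTERS))
        print(name, "proxy fails open:",
              failure_impact(links, SEGMENTS, FILTERS, "PROXY", fail_open=True))
        print(name, "proxy fails closed:",
              failure_impact(links, SEGMENTS, FILTERS, "PROXY", fail_open=False))
```

Moving the proxy to the single egress closes the DMZ and WiFi DMZ gap, but the same model shows why HA matters there: a proxy failure then affects every segment, either as lost filtering or as lost connectivity.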


Question has a verified solution.
