Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17


Web Filtering

Posted on 2014-03-31
Medium Priority
Last Modified: 2014-09-08
Hi All,

I wondered if people could offer some advice and maybe some ideas on what others are doing.

We currently have got Barracuda Web Security Gateways for Internet Filtering, and they are used in Inline Transparent mode.

They work well, but the issue I have is that because they sit online on the LAN they only filter LAN traffic, they don't capture anything that is on a DMZ or WiFi DMZ>

Does anyone have any ideas or experience of a better way to deploy this to capture all networks that are going out to the internet, or other systems they have used that can do this.

Thanks in advance.

Question by:essexboy80
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
LVL 64

Expert Comment

ID: 39968985
actually the proxy ideally is to ensure the perimeter filter is checked as well, example of placement can be of such is as below. For smaller scale, there may be single DMZ only and for some even have IDS exterior of (EXT) FW.


The WIFI DMZ is largely also within the EXT-DMZ for guest or contractor access. So ideally the proxy is to guard at perimeter of critical segment exit and entry point. Assuming the segment are segregated based on division, department or agencies etc from the overall organisation. The strategy is not to have many "holes" that serves as exit or entry else visibility of threats (data leakage or malware incursion or malpractice etc) can be easily lost or overlooked. Ideally there is a central monitoring SOC to gather all security log to act as another oversight ..

Back to the inline, I see if as a need to just that you may want to review in the time of proxy failure or outage or denial of service or misconfiguration, is it a fail secure (deny all) or fail open (let all through) approach. I will go for former as security professional but business calling will tend to go for latter which is more common. Keeping business running is critical especially if the segment design is all being congregated to single point of exit / entry.

Therefore HA for proxy, FW or even IPS are consideration when choosing the appropriate solution. Most now simplify the approach with UTM or NGFW that embrace such security capabilities as a All in One. The next caveat is then the performance for such convenience per se.

We will always need to seek a balance btw security and performance. There is need for the profiling of the normal before the filtering and restriction of the rules really get effective with minimal false positive. For proxy, the key is the category to block as baseline e.g. social n/w, anonymiser, p2p sites, cloud service hosting file shares, poronography sites, code sharing site, web email etc. It has to align to your organisation security policy and standard - get the security team involved and not the infrastructure folks. Sometimes microsite blocking may be needed e.g. allow fackbook but not sharing of photo feature etc...

There are technology provider to fulfill the capability but to tailor to your need, only you will know the environment best and have higher mgmt and user requirement considered.

Just some few cents

Author Comment

ID: 40226323
Thanks very much
LVL 64

Accepted Solution

btan earned 2000 total points
ID: 40226434
Appreciate it, actually the focus will be to identify the egress and ingress points and then having the proxy in place to perform the necessary filtering or monitoring. It is tough to check all the "windows" and "doors" if the thief can just come in from all of them - having to restrict or channel all such attempts to only one or two public facing "windows" or "doors" will have a more concerted and consistent scheme to monitoring and be your ultimate enforcement pt.

But as mentioned, let not neglect those that can hide thru the authorised channel and means such as use of external portable devices and those allowed thru the legit protocol and port due to exposed services. So in all no 100% proxy coverage for "all" network traffic as some will required internal and external dmz bouncer to oversee - have a layered and fluency in the monitoring.

Featured Post

Are You Ready for GDPR?

With the GDPR deadline set for May 25, 2018, many organizations are ill-prepared due to uncertainty about the criteria for compliance. According to a recent WatchGuard survey, a staggering 37% of respondents don't even know if their organization needs to comply with GDPR. Do you?

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Cybersecurity has become the buzzword of recent years and years to come. The inventions of cloud infrastructure and the Internet of Things has made us question our online safety. Let us explore how cloud- enabled cybersecurity can help us with our b…
Envision that you are chipping away at another e-business site with a team of pundit developers and designers. Everything seems, by all accounts, to be going easily.
If you're a developer or IT admin, you’re probably tasked with managing multiple websites, servers, applications, and levels of security on a daily basis. While this can be extremely time consuming, it can also be frustrating when systems aren't wor…
We’ve all felt that sense of false security before—locking down external access to a database or component and feeling like we’ve done all we need to do to secure company data. But that feeling is fleeting. Attacks these days can happen in many w…

715 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question