Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium


Web Filtering

Posted on 2014-03-31
Medium Priority
Last Modified: 2014-09-08
Hi All,

I wondered if people could offer some advice and maybe some ideas on what others are doing.

We currently have got Barracuda Web Security Gateways for Internet Filtering, and they are used in Inline Transparent mode.

They work well, but the issue I have is that because they sit online on the LAN they only filter LAN traffic, they don't capture anything that is on a DMZ or WiFi DMZ>

Does anyone have any ideas or experience of a better way to deploy this to capture all networks that are going out to the internet, or other systems they have used that can do this.

Thanks in advance.

Question by:essexboy80
  • 2
LVL 65

Expert Comment

ID: 39968985
actually the proxy ideally is to ensure the perimeter filter is checked as well, example of placement can be of such is as below. For smaller scale, there may be single DMZ only and for some even have IDS exterior of (EXT) FW.


The WIFI DMZ is largely also within the EXT-DMZ for guest or contractor access. So ideally the proxy is to guard at perimeter of critical segment exit and entry point. Assuming the segment are segregated based on division, department or agencies etc from the overall organisation. The strategy is not to have many "holes" that serves as exit or entry else visibility of threats (data leakage or malware incursion or malpractice etc) can be easily lost or overlooked. Ideally there is a central monitoring SOC to gather all security log to act as another oversight ..

Back to the inline, I see if as a need to just that you may want to review in the time of proxy failure or outage or denial of service or misconfiguration, is it a fail secure (deny all) or fail open (let all through) approach. I will go for former as security professional but business calling will tend to go for latter which is more common. Keeping business running is critical especially if the segment design is all being congregated to single point of exit / entry.

Therefore HA for proxy, FW or even IPS are consideration when choosing the appropriate solution. Most now simplify the approach with UTM or NGFW that embrace such security capabilities as a All in One. The next caveat is then the performance for such convenience per se.

We will always need to seek a balance btw security and performance. There is need for the profiling of the normal before the filtering and restriction of the rules really get effective with minimal false positive. For proxy, the key is the category to block as baseline e.g. social n/w, anonymiser, p2p sites, cloud service hosting file shares, poronography sites, code sharing site, web email etc. It has to align to your organisation security policy and standard - get the security team involved and not the infrastructure folks. Sometimes microsite blocking may be needed e.g. allow fackbook but not sharing of photo feature etc...

There are technology provider to fulfill the capability but to tailor to your need, only you will know the environment best and have higher mgmt and user requirement considered.

Just some few cents

Author Comment

ID: 40226323
Thanks very much
LVL 65

Accepted Solution

btan earned 2000 total points
ID: 40226434
Appreciate it, actually the focus will be to identify the egress and ingress points and then having the proxy in place to perform the necessary filtering or monitoring. It is tough to check all the "windows" and "doors" if the thief can just come in from all of them - having to restrict or channel all such attempts to only one or two public facing "windows" or "doors" will have a more concerted and consistent scheme to monitoring and be your ultimate enforcement pt.

But as mentioned, let not neglect those that can hide thru the authorised channel and means such as use of external portable devices and those allowed thru the legit protocol and port due to exposed services. So in all no 100% proxy coverage for "all" network traffic as some will required internal and external dmz bouncer to oversee - have a layered and fluency in the monitoring.

Featured Post

Managing Security Policy in a Changing Environment

The enterprise network environment is evolving rapidly as companies extend their physical data centers to embrace cloud computing and software-defined networking. This new reality means that the challenge of managing the security policy is much more dynamic and complex.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

In this article, WatchGuard's Director of Security Strategy and Research Teri Radichel, takes a look at insider threats, the risk they can pose to your organization, and the best ways to defend against them.
How to fix a SonicWall Gateway Anti-Virus firewall blocking automatic updates to apps like Windows, Adobe, Symantec, etc.
If you're a developer or IT admin, you’re probably tasked with managing multiple websites, servers, applications, and levels of security on a daily basis. While this can be extremely time consuming, it can also be frustrating when systems aren't wor…
When cloud platforms entered the scene, users and companies jumped on board to take advantage of the many benefits, like the ability to work and connect with company information from various locations. What many didn't foresee was the increased risk…
Suggested Courses

581 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question