[Last Call] Learn how to a build a cloud-first strategyRegister Now


Best internet filter practices for interconnected offices.

Posted on 2014-08-29
Medium Priority
Last Modified: 2016-02-25
I have a two office account that is interconnected (hub / spoke model) with all internet traffic leaving one site (firewall).  I've been asked to deploy a internet content filter to better manage internet abuse during work hours and protect from malicious sites.  

What is the best practice here and what application or appliance does anyone recommend?  I would prefer to be able to manage the level of internet access by user account in the AD with the solution.
Question by:jo80ge121
  • 3
  • 3
  • 2
  • +1
LVL 65

Expert Comment

ID: 40294122
Will be best all site traffic (interconnected via WAN) to exit through single internet gateway (all still behind your organisation main perimeter FW) and there is the proxy content filtering to take place. You can consider locking lockdown og the browser proxy (via GPO assume) to resolve and go via the proxy before into internet for single enforcement pt and monitoring.

MS Forefront TMG or Bluecoat (or even Squid) are common one unless you already have some sort of NG FW or UTM as your perimeter FW - you may even want to explore if the existing FW can already be added with such content filter module with upgrade (likely may have h/w change to ensure optimal performance). I even understand some Load balancer are application delivery controller that has such filtering capability as well - can explore.

Gartner has list out candidate for web security gateway which can be helpful reference in decision buying http://www.marketwatch.com/story/latest-gartner-magic-quadrant-for-secure-web-gateways-recognizes-websense-as-a-leader-for-fifth-time-2014-07-07

Consideration for such proxy should include deployment flexibility for below. One sharing from Trend Micro http://esupport.trendmicro.com/solution/en-us/1096980.aspx
 Forward Proxy
• Transparent Bridge
• Transparent Bridge for High Availability
• Reverse Proxy
• Simple Transparency

Also some good pointer from a FW perspective

For inter-server communications involving external servers, only allow access to service ports your internal servers must use to operate correctly, and only allow your internal servers access to these services. If you operate your own mail servers, make certain that only these servers establish outbound SMTP connections.

If you operate an HTTP proxy, or a proxy system that performs some form of web URL or content filtering, only allow outbound connections through your firewall from the proxy(ies).
Overall, for security defense depth - consider single (main site or interconnected sub site) exit enforcement filter, agent based (or proxy lock down) to force traffic to enforcement and appliance to serve as proxy (be it the FW upgrade or one behind the FW).
LVL 24

Assisted Solution

by:Dirk Kotte
Dirk Kotte earned 2000 total points
ID: 40294594
would suggest to take a look to sophos UTM.
It is a NextGeneration Firewall but you can use it a proxy-only without replacing your current FW.
It is available as virtual appliance and you can get demo key simple.
The "webfilter" is able to authenticate against AD 7 LDAP / and other can use different rules debend from subned / group membership / and so on

Author Comment

ID: 40294985
Thank you.  I'm reviewing the information and downloading Sophos UTM trial.  I'll get back to you both.
A Cyber Security RX to Protect Your Organization

Join us on December 13th for a webinar to learn how medical providers can defend against malware with a cyber security "Rx" that supports a healthy technology adoption plan for every healthcare organization.

LVL 65

Expert Comment

ID: 40294998
on the same note, you can check out below but do note VM performance especially if you enable many s/w module on UTM and like - have the vendor to advice (frankly) the limits. there may already impact if AV scan and web filter and FW and IPS etc (or all) turn on even for appliance ...

Bluecoat SWG Virtual Appliance - https://www.bluecoat.com/products/secure-web-gateway-virtual-appliance
Websense - http://www.websense.com/content/web-filter-features.aspx
Barracuda - https://www.barracuda.com/products/webfilter/features#section_11

also best to consider SSL decryption too so that your organizations can control online content normally hidden by SSL. This can include content found in social-media platforms, web-based email, and search engines. As an admin, you can further specify domains and URL categories (mandated by security policy) which SSL-encrypted traffic will be decrypted and scanned for malware and web policy enforced.

Author Comment

ID: 40295011
dkotte, hold my hand on this question please.  

On a virtual setup, how do I set up the virtual UTM on my network so that my pc's talk to it for the web filter module without replacing my firewall?  

I have a dual nic hyper-v setup (as stated in the install doc), just need to know how do I place this in my current network at a physical layer to take advantage of the features.  I have a network + certification just to give you a idea of my networking level & lingo :)
LVL 65

Expert Comment

ID: 40295028
pardon me for the interject, maybe this may be useful (for info)

Using a Sophos UTM in Hyper-v
Using a Sophos UTM in Virtual Box
..others in Sophos forum (good means to find past experience)
It *is* possible to install and use Sophos UTM with a single physical NIC. For a Proxy/VPN only setup this is completely sufficient but don't expect the initial setup wizard to work properly (just cancel it).
...and the steps suggested..
LVL 24

Accepted Solution

Dirk Kotte earned 2000 total points
ID: 40295681
- you install the webfilter as proxy like a standard virtual pc or server at your lan or within the dmz.
- configure the proxy-settings for your clients within the AD (or localy for testing).
- prohibit the direct internet-http-access for your clients within the firewall.
LVL 10

Expert Comment

ID: 40298326
What is your budget as this can be don from $0 to $100000

Author Comment

ID: 40306715
Thank you everyone for putting me on the right path.

Featured Post

Has Powershell sent you back into the Stone Age?

If managing Active Directory using Windows Powershell® is making you feel like you stepped back in time, you are not alone.  For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Considering today’s continual security threats, which affect Information technology networks and systems worldwide, it is very important to practice basic security awareness. A normal system user can secure himself or herself by following these simp…
High user turnover can cause old/redundant user data to consume valuable space. UserResourceCleanup was developed to address this by automatically deleting user folders when the user account is deleted.
With Secure Portal Encryption, the recipient is sent a link to their email address directing them to the email laundry delivery page. From there, the recipient will be required to enter a user name and password to enter the page. Once the recipient …
This video shows how to use Hyena, from SystemTools Software, to update 100 user accounts from an external text file. View in 1080p for best video quality.

830 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question