Best internet filter practices for interconnected offices.

Posted on 2014-08-29
Last Modified: 2016-02-25
I have a two-office account that is interconnected (hub / spoke model) with all internet traffic leaving one site (firewall). I've been asked to deploy an internet content filter to better manage internet abuse during work hours and protect from malicious sites.

What is the best practice here, and what application or appliance does anyone recommend? I would prefer to be able to manage the level of internet access by user account in the AD with the solution.
Question by:jo80ge121
    LVL 60

    Expert Comment

    It will be best for all site traffic (interconnected via WAN) to exit through a single internet gateway (all still behind your organisation's main perimeter FW), and that is where the proxy content filtering takes place. You can consider locking down the browser proxy (via GPO, I assume) so that clients resolve and go via the proxy before going out to the internet, giving a single enforcement point and monitoring.

    MS Forefront TMG or Bluecoat (or even Squid) are common ones, unless you already have some sort of NG FW or UTM as your perimeter FW - you may even want to explore whether the existing FW can already be extended with such a content filter module via an upgrade (likely with a h/w change to ensure optimal performance). I even understand some load balancers / application delivery controllers have such filtering capability as well - can explore.

    Gartner has listed out candidates for web security gateways, which can be a helpful reference for the buying decision.

    Considerations for such a proxy should include deployment flexibility for the below. One sharing from Trend Micro:
    • Forward Proxy
    • Transparent Bridge
    • Transparent Bridge for High Availability
    • WCCP
    • ICAP
    • Reverse Proxy
    • Simple Transparency

    Also some good pointers from a FW perspective:

    For inter-server communications involving external servers, only allow access to service ports your internal servers must use to operate correctly, and only allow your internal servers access to these services. If you operate your own mail servers, make certain that only these servers establish outbound SMTP connections.

    If you operate an HTTP proxy, or a proxy system that performs some form of web URL or content filtering, only allow outbound connections through your firewall from the proxy(ies).

    Overall, for defence in depth - consider a single (main site or interconnected sub-site) exit enforcement filter, agent-based (or proxy lock-down) controls to force traffic to the enforcement point, and an appliance to serve as the proxy (be it the FW upgrade or one behind the FW).
    LVL 22

    Assisted Solution

    by:Dirk Kotte
    I would suggest taking a look at Sophos UTM.
    It is a Next Generation Firewall, but you can use it as proxy-only without replacing your current FW.
    It is available as a virtual appliance and you can get a demo key simply.
    The "webfilter" is able to authenticate against AD & LDAP / and others, and can use different rules depending on subnet / group membership / and so on.

    Author Comment

    Thank you.  I'm reviewing the information and downloading Sophos UTM trial.  I'll get back to you both.
    LVL 60

    Expert Comment

    On the same note, you can check out the below, but do note VM performance, especially if you enable many s/w modules on the UTM and the like - have the vendor advise (frankly) on the limits. There may already be an impact if AV scan, web filter, FW, IPS etc. (or all) are turned on, even for an appliance ...

    Bluecoat SWG Virtual Appliance
    Websense
    Barracuda

    It is also best to consider SSL decryption too, so that your organization can control online content normally hidden by SSL. This can include content found in social-media platforms, web-based email, and search engines. As an admin, you can further specify the domains and URL categories (mandated by security policy) for which SSL-encrypted traffic will be decrypted and scanned for malware, and web policy enforced.
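An added example, not code from the thread, from Sophos or from any of the vendors named above: the caveat that goes with SSL decryption is that every client must trust the CA the proxy uses to re-sign server certificates, otherwise users get certificate warnings and non-browser applications simply fail. The PowerShell below installs that CA on one test client and then opens a CONNECT tunnel through the proxy to check whether the certificate the client is actually handed was re-signed by the inspection CA. The proxy address, the CA file path and the CA thumbprint are assumed placeholders.

```powershell
# Added example (not code from the thread or any vendor). Assumed values below.
# In production, distribute the CA with GPO: Computer Configuration > Policies >
# Windows Settings > Security Settings > Public Key Policies > Trusted Root
# Certification Authorities. Run this in an elevated PowerShell on a test client.

$ProxyHost    = 'proxy.corp.example'                          # assumed
$ProxyPort    = 8080                                          # assumed
$CaFile       = 'C:\Deploy\proxy-inspection-ca.cer'           # assumed: CA cert exported from the proxy
$CaThumbprint = '0000000000000000000000000000000000000000'    # assumed: replace with the real thumbprint

function Install-InspectionCa {
    param([string]$Path)
    # Machine Trusted Root store: covers IE/Edge/Chrome, .NET and WinHTTP clients.
    # Firefox keeps its own store unless security.enterprise_roots.enabled is set.
    Import-Certificate -FilePath $Path -CertStoreLocation 'Cert:\LocalMachine\Root'
}

function Get-TlsChainViaProxy {
    param([string]$TargetHost, [string]$ProxyHost, [int]$ProxyPort)
    $tcp = New-Object System.Net.Sockets.TcpClient($ProxyHost, $ProxyPort)
    $net = $tcp.GetStream()
    # Ask the proxy for a tunnel. Read its reply one byte at a time: a buffered
    # reader would swallow the first TLS bytes that follow the blank line.
    $req = [Text.Encoding]::ASCII.GetBytes("CONNECT ${TargetHost}:443 HTTP/1.1`r`nHost: ${TargetHost}:443`r`n`r`n")
    $net.Write($req, 0, $req.Length)
    $hdr = New-Object System.Collections.Generic.List[byte]
    do {
        $b = $net.ReadByte()
        if ($b -lt 0) { throw 'proxy closed the connection during CONNECT' }
        $hdr.Add([byte]$b)
        $n = $hdr.Count
        $done = ($n -ge 4 -and $hdr[$n-4] -eq 13 -and $hdr[$n-3] -eq 10 -and $hdr[$n-2] -eq 13 -and $hdr[$n-1] -eq 10)
    } until ($done)
    $reply = [Text.Encoding]::ASCII.GetString($hdr.ToArray())
    if ($reply -notmatch '^HTTP/1\.[01] 200') { throw "proxy refused CONNECT: $($reply.Split("`n")[0].Trim())" }

    # Record what the handshake presents. Copy the fields out inside the callback;
    # the chain object is not ours to keep once the callback returns.
    $script:seenChain  = @()
    $script:seenErrors = $null
    $cb = [Net.Security.RemoteCertificateValidationCallback]{
        param($sender, $cert, $chain, $errors)
        $script:seenErrors = $errors
        $script:seenChain  = @($chain.ChainElements | ForEach-Object {
            [pscustomobject]@{ Subject = $_.Certificate.Subject; Thumbprint = $_.Certificate.Thumbprint } })
        return $true   # we only want to look; trust is evaluated by the caller
    }
    $ssl = New-Object System.Net.Security.SslStream($net, $false, $cb)
    try { $ssl.AuthenticateAsClient($TargetHost) } finally { $ssl.Dispose(); $tcp.Close() }
    [pscustomobject]@{ Chain = $script:seenChain; Errors = $script:seenErrors }
}

function Test-TlsInspection {
    param([string]$TargetHost = 'www.example.com')
    $r = Get-TlsChainViaProxy -TargetHost $TargetHost -ProxyHost $ProxyHost -ProxyPort $ProxyPort
    [pscustomobject]@{
        Target      = $TargetHost
        Leaf        = $r.Chain[0].Subject
        Issuer      = if ($r.Chain.Count -gt 1) { $r.Chain[1].Subject } else { '(self-signed)' }
        # True when the proxy re-signed the certificate with the inspection CA
        Inspected   = [bool]($r.Chain | Where-Object Thumbprint -eq $CaThumbprint)
        # True only once the CA is in this client's trusted store
        TrustedHere = ($r.Errors -eq [Net.Security.SslPolicyErrors]::None)
    }
}

Install-InspectionCa -Path $CaFile
Test-TlsInspection -TargetHost 'www.example.com'
```

Run it once before and once after the CA is deployed: a site in a category the policy decrypts should report Inspected as true both times and TrustedHere only after the import, while a domain you have excluded from decryption (banking, for example) should report Inspected as false with the real issuer shown. Keep the CA's private key on the proxy only; anyone holding it can impersonate any site to your clients.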

    Author Comment

    dkotte, hold my hand on this question please.  

    On a virtual setup, how do I set up the virtual UTM on my network so that my PCs talk to it for the web filter module without replacing my firewall?

    I have a dual-NIC Hyper-V setup (as stated in the install doc); I just need to know how to place this in my current network at the physical layer to take advantage of the features. I have a Network+ certification, just to give you an idea of my networking level & lingo :)
    LVL 60

    Expert Comment

    Pardon me for the interjection; maybe this may be useful (for info):

    Using a Sophos UTM in Hyper-V
    Using a Sophos UTM in VirtualBox
    ..others in the Sophos forum (a good means to find past experience)

    "It *is* possible to install and use Sophos UTM with a single physical NIC. For a Proxy/VPN only setup this is completely sufficient but don't expect the initial setup wizard to work properly (just cancel it)."
    ...and the steps suggested there.
    LVL 22

    Accepted Solution

    - You install the webfilter as a proxy, like a standard virtual PC or server, on your LAN or within the DMZ.
    - Configure the proxy settings for your clients within the AD (or locally for testing).
    - Prohibit direct internet HTTP access for your clients within the firewall.
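The three steps of the accepted answer, together with the "proxy lock-down via GPO" and "only allow outbound from the proxy" points in the first expert comment, as an added example that is not part of the thread and not Sophos code. It is PowerShell for one domain-joined Windows client: it writes the same registry values the GPO settings write (so you can test on one machine, then push the policy), adds an endpoint firewall rule that refuses direct 80/443 to the internet, and checks the result. The proxy name, IP, port and bypass list are assumed placeholders; the perimeter-firewall half of step 3 depends on your firewall and is not shown.

```powershell
# Added example (not code from the thread or from Sophos). Assumed values below.
# Run elevated on a test client. The registry values are the ones written by:
#   Computer Configuration > Administrative Templates > Windows Components >
#   Internet Explorer > "Make proxy settings per-machine (rather than per-user)"
#   User Configuration > Administrative Templates > Windows Components >
#   Internet Explorer > "Prevent changing proxy settings"
# so once verified here, set them centrally with GPO instead of by script.

$ProxyServer = 'proxy.corp.example:8080'   # assumed: the UTM web filter listening address
$ProxyIp     = '10.0.0.10'                 # assumed: its IP (firewall rules need an address)
$ProxyPort   = 8080                        # assumed
$Bypass      = '<local>;*.corp.example'    # assumed: internal names go direct

function Set-MachineProxy {
    param([string]$Server, [string]$Override)
    # Step 2: proxy settings for clients. Make them machine-wide so a user cannot keep
    # a per-user override, then write the machine WinINET values IE/Edge/Chrome read.
    $pol = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings'
    New-Item -Path $pol -Force | Out-Null
    Set-ItemProperty -Path $pol -Name ProxySettingsPerUser -Type DWord -Value 0
    $ie = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings'
    Set-ItemProperty -Path $ie -Name ProxyEnable   -Type DWord  -Value 1
    Set-ItemProperty -Path $ie -Name ProxyServer   -Type String -Value $Server
    Set-ItemProperty -Path $ie -Name ProxyOverride -Type String -Value $Override
    # Lock the Connections tab for this user ("Prevent changing proxy settings").
    $lock = 'HKCU:\SOFTWARE\Policies\Microsoft\Internet Explorer\Control Panel'
    New-Item -Path $lock -Force | Out-Null
    Set-ItemProperty -Path $lock -Name Proxy -Type DWord -Value 1
    # Services and WinHTTP clients (Windows Update, for one) do not read WinINET
    # settings; give them the same proxy.
    netsh winhttp set proxy proxy-server="$Server" bypass-list="$Override" | Out-Null
}

function Set-DirectWebEgressBlock {
    param([string]$ProxyAddress, [int]$ProxyPort)
    # Step 3, endpoint side: even if someone clears the proxy, direct 80/443 to the
    # internet from this host is refused. The same deny belongs on the perimeter FW,
    # which should allow 80/443 out only from the proxy's address.
    # 'Internet' is the firewall's NLA-derived keyword for non-intranet addresses;
    # check that intranet web servers on routed subnets are not caught by it.
    New-NetFirewallRule -DisplayName 'Allow web via proxy' -Direction Outbound -Action Allow `
        -Protocol TCP -RemoteAddress $ProxyAddress -RemotePort $ProxyPort -Profile Domain | Out-Null
    New-NetFirewallRule -DisplayName 'Block direct web egress' -Direction Outbound -Action Block `
        -Protocol TCP -RemoteAddress Internet -RemotePort 80,443 -Profile Domain | Out-Null
}

function Test-ProxyEnforcement {
    param([string]$ProxyUrl, [string]$TargetHost = 'www.example.com')
    # Through the proxy we expect an HTTP status; a raw TCP connect to the outside,
    # which ignores any proxy setting, should fail.
    try   { $via = (Invoke-WebRequest -Uri "http://$TargetHost/" -Proxy $ProxyUrl -UseBasicParsing -TimeoutSec 15).StatusCode }
    catch { $via = "failed: $($_.Exception.Message)" }
    $direct = (Test-NetConnection -ComputerName $TargetHost -Port 443 -WarningAction SilentlyContinue).TcpTestSucceeded
    [pscustomobject]@{
        ViaProxy     = $via
        DirectTcp443 = $direct
        Enforced     = (($via -eq 200) -and -not $direct)
    }
}

Set-MachineProxy -Server $ProxyServer -Override $Bypass
Set-DirectWebEgressBlock -ProxyAddress $ProxyIp -ProxyPort $ProxyPort
Test-ProxyEnforcement -ProxyUrl "http://$ProxyServer"
```

If the web filter authenticates users against AD (the per-user policy asked for in the question), add -ProxyUseDefaultCredentials to the Invoke-WebRequest call so the check runs as the logged-on user. The endpoint rule is a second layer, not a substitute for the perimeter rule: a laptop off the domain profile, or a user with local admin, can remove it, which the perimeter firewall does not care about.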
    LVL 10

    Expert Comment

    What is your budget? This can be done for anything from $0 to $100000.

    Author Comment

    Thank you everyone for putting me on the right path.
