Best internet filter practices for interconnected offices.

I have a two-office account that is interconnected (hub / spoke model) with all internet traffic leaving one site (firewall). I've been asked to deploy an internet content filter to better manage internet abuse during work hours and protect from malicious sites.

What is the best practice here and what application or appliance does anyone recommend?  I would prefer to be able to manage the level of internet access by user account in the AD with the solution.
Joe G, IT personal, Asked:

btan, Exec Consultant, Commented:
It will be best for all site traffic (interconnected via WAN) to exit through a single internet gateway (all still behind your organisation's main perimeter FW), and that is where the proxy content filtering takes place. You can consider locking down the browser proxy (via GPO, I assume) so that clients resolve and go via the proxy before reaching the internet, for a single enforcement point and monitoring.

MS Forefront TMG or Bluecoat (or even Squid) are common ones, unless you already have some sort of NG FW or UTM as your perimeter FW - you may even want to explore whether the existing FW can have such a content filter module added with an upgrade (likely there may be a h/w change to ensure optimal performance). I even understand some load balancers are application delivery controllers that have such filtering capability as well - you can explore that.

Gartner has listed candidates for web security gateways, which can be a helpful reference in the buying decision: http://www.marketwatch.com/story/latest-gartner-magic-quadrant-for-secure-web-gateways-recognizes-websense-as-a-leader-for-fifth-time-2014-07-07

Considerations for such a proxy should include deployment flexibility across the modes below. One reference from Trend Micro: http://esupport.trendmicro.com/solution/en-us/1096980.aspx
• Forward Proxy
• Transparent Bridge
• Transparent Bridge for High Availability
• WCCP
• ICAP
• Reverse Proxy
• Simple Transparency

Also some good pointers from a FW perspective:
http://securityskeptic.typepad.com/the-security-skeptic/firewall-best-practices-egress-traffic-filtering.html

For inter-server communications involving external servers, only allow access to service ports your internal servers must use to operate correctly, and only allow your internal servers access to these services. If you operate your own mail servers, make certain that only these servers establish outbound SMTP connections.

If you operate an HTTP proxy, or a proxy system that performs some form of web URL or content filtering, only allow outbound connections through your firewall from the proxy(ies).

Overall, for security defense in depth, consider a single (main site or interconnected sub site) exit enforcement filter, agent based (or proxy lockdown) to force traffic to the enforcement point, and an appliance to serve as the proxy (be it the FW upgrade or one behind the FW).
0
Dirk Kotte, SE, Commented:
I would suggest taking a look at Sophos UTM.
It is a next-generation firewall, but you can use it as a proxy only, without replacing your current FW.
It is available as a virtual appliance and you can get a demo key easily.
The "webfilter" is able to authenticate against AD / LDAP and others, and can use different rules depending on subnet, group membership, and so on.
0
Joe G, IT personal, Author Commented:
Thank you.  I'm reviewing the information and downloading Sophos UTM trial.  I'll get back to you both.
0
btan, Exec Consultant, Commented:
On the same note, you can check out the products below, but do note VM performance, especially if you enable many s/w modules on a UTM and the like - have the vendor advise (frankly) on the limits. There may already be an impact if AV scan, web filter, FW, IPS etc. (or all) are turned on, even for an appliance ...

Bluecoat SWG Virtual Appliance - https://www.bluecoat.com/products/secure-web-gateway-virtual-appliance
Websense - http://www.websense.com/content/web-filter-features.aspx
Barracuda - https://www.barracuda.com/products/webfilter/features#section_11

It is also best to consider SSL decryption so that your organization can control online content normally hidden by SSL. This can include content found in social-media platforms, web-based email, and search engines. As an admin, you can further specify the domains and URL categories (mandated by security policy) for which SSL-encrypted traffic will be decrypted, scanned for malware, and have web policy enforced.
0
Joe G, IT personal, Author Commented:
dkotte, hold my hand on this question please.  

On a virtual setup, how do I set up the virtual UTM on my network so that my PCs talk to it for the web filter module without replacing my firewall?

I have a dual NIC Hyper-V setup (as stated in the install doc), just need to know how I place this in my current network at a physical layer to take advantage of the features. I have a Network+ certification, just to give you an idea of my networking level & lingo :)
0
btan, Exec Consultant, Commented:
Pardon me for interjecting; this may be useful (for info):

Using a Sophos UTM in Hyper-v
http://fastvue.co/sophos/blog/how-to-deploy-sophos-utm-on-hyper-v-in-7-simple-steps/
Using a Sophos UTM in Virtual Box
http://pynej.blogspot.sg/2013/07/using-sophos-utm-in-virtual-box.html
...and others in the Sophos forum (a good means to find past experience):
https://www.astaro.org/gateway-products/hardware-installation-up2date-licensing/44328-sophos-only-one-nic.html
It *is* possible to install and use Sophos UTM with a single physical NIC. For a Proxy/VPN only setup this is completely sufficient but don't expect the initial setup wizard to work properly (just cancel it).
...and the steps suggested..
https://www.astaro.org/gateway-products/essential-firewall-edition-free-business-use/44234-virtual-appliance-network-v9.html
0
Dirk Kotte, SE, Commented:
- You install the webfilter as a proxy, like a standard virtual PC or server, on your LAN or within the DMZ.
- Configure the proxy settings for your clients within the AD (or locally for testing).
- Prohibit direct internet HTTP access for your clients within the firewall.
0
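
The client-side half of the steps above (proxy settings pushed to clients from AD) is often delivered as a proxy auto-config (PAC) file. This is an added example, not code from anyone in this thread; the proxy host, DNS suffix and office subnets are assumed placeholders.

```javascript
// Added example (not from the thread). Every name and address is an assumed placeholder.
var PROXY = "PROXY webfilter.corp.example:8080"; // assumed filter proxy host:port
var INTERNAL_SUFFIXES = [".corp.example"];       // assumed AD DNS suffix
var INTERNAL_NETS = [
  ["10.1.0.0", 16],  // assumed hub office LAN
  ["10.2.0.0", 16],  // assumed spoke office LAN
  ["127.0.0.0", 8]   // loopback
];

// Dotted-quad string -> integer, or null when host is not a literal IPv4 address.
function ipv4ToInt(host) {
  var m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) return null;
  var n = 0;
  for (var i = 1; i <= 4; i++) {
    var octet = parseInt(m[i], 10);
    if (octet > 255) return null;
    n = n * 256 + octet;
  }
  return n;
}

function isInternal(host) {
  host = host.toLowerCase().replace(/\.$/, "");   // drop a trailing root dot
  var ip = ipv4ToInt(host);
  if (ip !== null) {
    for (var i = 0; i < INTERNAL_NETS.length; i++) {
      var base = ipv4ToInt(INTERNAL_NETS[i][0]);
      var size = Math.pow(2, 32 - INTERNAL_NETS[i][1]);
      if (ip >= base && ip < base + size) return true;
    }
    return false;                                 // any other literal IP is external
  }
  // Single-label intranet name; IPv6 literals (contain ":") are not treated as internal.
  if (host.indexOf(".") === -1 && host.indexOf(":") === -1) return true;
  for (var j = 0; j < INTERNAL_SUFFIXES.length; j++) {
    var s = INTERNAL_SUFFIXES[j];
    // Match on a label boundary so "evilcorp.example" is not treated as internal.
    if (host === s.slice(1) || host.slice(-s.length) === s) return true;
  }
  return false;
}

// Entry point the browser calls for every request.
function FindProxyForURL(url, host) {
  if (isInternal(host)) return "DIRECT";
  // No "; DIRECT" fallback: if the filter is unreachable, browsing fails closed.
  return PROXY;
}
```

A PAC file only tells the browser where to go; the firewall rule that blocks direct client HTTP access is what enforces the path.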

anupnellip Commented:
What is your budget? This can be done from $0 to $100000.
0
Joe G, IT personal, Author Commented:
Thank you everyone for putting me on the right path.
0
Question has a verified solution.
