Scott Fowler


Best Way to Let Users Access Potentially Dangerous Sites?

A few of the users at our firm are sometimes required to do investigative work that takes them to web sites of ill repute. Currently our Palo Alto firewall is doing an excellent job of blocking these websites and their potentially dangerous content. However, we'd like to find a way to access such sites without exposing our internal network. I'm looking for suggestions as to what would be the most efficient way to accomplish this for users on Windows 7 workstations that are working from our internal network. Would it require the use of a DMZ or is there perhaps another way?

A little bit about our environment: 4 ESXi Hosts, Virtual Servers and Physical Servers (all running versions of Windows Server from 2003 to 2012), Windows 7 Workstations, HP Procurve Switches, everything behind a Palo Alto PA-500 firewall.

Thanks in advance for any suggestions!
Will Szymkowski

Remove any filters that these users have. Basically a power user who can go to any site they wish. That would be your easiest approach without compromising other users' access.

Will.
It really depends on budget, supportability, time and risk appetite.

The *most* secure way would be for each of those users to have a physically separate machine connected to a different VLAN in a "dmz" or separate zone of the PAN, etc. But there is a certain amount of cost to this and added complexity to your network.

On the flip side, an easy change that reduces risk while not requiring as much change would be for that select group of A.D. users, change the URL action on the "bad" categories from Block to Continue. This will remind them every time they hit a bad site yet not obstruct their daily job tasks. While using the Continue action, if they visit a website which tries to call out to a malware URL, this would most likely still be blocked as the extra call will not readily be able to handle the "Continue" requirement of your URL filtering profile.
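
Added example, not part of the thread or any poster's code: one way to audit the Continue approach described in the reply above, by separating sites a user acknowledged from requests that received the Continue page but were never acknowledged (typically background calls made by a page). The five-column log layout, the user and host names, and the `block-continue` / `continue` action strings are assumptions for this sketch; map them to the fields of your own URL filtering log export.

```python
import csv
import io
from collections import defaultdict

# Constructed sample of a simplified URL filtering log export.
# Assumed columns: time, user, url, category, action.
SAMPLE_LOG = """\
2024-05-01 09:00:01,corp\\jdoe,badsite.example/,questionable,block-continue
2024-05-01 09:00:09,corp\\jdoe,badsite.example/,questionable,continue
2024-05-01 09:00:10,corp\\jdoe,cdn-drop.example/a.js,malware,block-continue
2024-05-01 09:05:00,corp\\asmith,forum.example/,hacking,block-continue
2024-05-01 09:05:04,corp\\asmith,forum.example/,hacking,continue
2024-05-01 09:05:05,corp\\asmith,beacon.example/p,malware,block-continue
2024-05-01 09:05:06,corp\\asmith,beacon.example/p,malware,block-continue
"""

def host_of(url):
    """Host part of a scheme-less URL as it appears in the log."""
    return url.split("/", 1)[0].lower()

def review_continue_activity(log_text):
    """Return (acknowledged, unacknowledged), both keyed by user.

    acknowledged:   {user: {host: category}}  user clicked Continue
    unacknowledged: {user: {host: hits}}      Continue page served, never accepted
    """
    prompted = defaultdict(lambda: defaultdict(int))
    acknowledged = defaultdict(dict)
    for row in csv.reader(io.StringIO(log_text)):
        if len(row) != 5:
            continue  # skip blank or malformed lines
        _ts, user, url, category, action = row
        host = host_of(url)
        if action == "block-continue":   # response page presented
            prompted[user][host] += 1
        elif action == "continue":       # user accepted the warning
            acknowledged[user][host] = category
    unacknowledged = {}
    for user, hosts in prompted.items():
        accepted = acknowledged.get(user, {})
        missing = {h: n for h, n in hosts.items() if h not in accepted}
        if missing:
            unacknowledged[user] = missing
    return dict(acknowledged), unacknowledged

if __name__ == "__main__":
    for label, result in zip(("acknowledged", "unacknowledged"),
                             review_continue_activity(SAMPLE_LOG)):
        print(label, result)
```

Hosts in the unacknowledged set that follow shortly after an acknowledged visit are the ones worth reviewing first, since they show what the visited page tried to load on its own.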
ASKER CERTIFIED SOLUTION
asavener
