mikhael

Cloud-based web filter/proxy - can it be done? What is the best software to use?

Hi there
We are an MSP and cloud host. We would like to buy (or use) a web filter that we can provision in the cloud and offer to our clients to use it as a web proxy (if that’s the best way, perhaps) and be able to filter out objectionable content (with a warning issued to the end-user and the attempt logged and later reported upon to management).
The way I see it…
INTERNET  <----> cloud web filter/proxy <-----> client’s browsers forced to use the proxy
Importantly, the filter needs to be in the cloud (with a public IP) and NOT in the clients’ premises.
Ideally I would like to use an existing supported solution - either open source or paid, rather than roll-your-own from a Linux distro. I was thinking Untangle, SquidGuard, SafeSquid. Don't know if they can do it, or others.
Any ideas?
Thanks
Michael
Raghav

Hi,

Amending your list above -

You can use Symantec Messagelabs, McAfee's Web Protection Software suite (WPS) and CCProxy too.

Hope this helps.

Best Regards
Raghav.
arnold

Usually, a cloud-based solution would provide the updates (signatures/rules) to a locally installed proxy at the clients' offices.

Actually hosting the proxy in the cloud will become impractical because effectively you will be responsible for double the traffic.
You receive the request; note most sites these days use secure (https), such that if yours were to work, it will be functioning equivalent to a "man in the middle attack". In general, for https your proxy in the cloud will be a pass-through.
For the unsecure, after receiving the request, it will relay the query and receive the web page (let's say 10k); it then transmits this 10k to the client. Note this 20k is merely the description of the page; the client will then generate requests for each object in the page (js, css, images, etc.). That would require a significant bandwidth in the cloud for that setup to merely pass through filter.

The bandwidth consumption could grow in geometric proportion to the number of clients.
mikhael

ASKER

Thanks Raghav. The Messagelabs and McAfee's solutions will not do. We want to host the proxy/filter server ourselves - as in we would like to be in opposition to these two!  :)
However, ccProxy might work. Looking at the webpages for ccProxy suggests that it needs to be resident in the LAN - as the gateway. Maybe it can work in the cloud with just public IP addresses. Do you know? Have you used it this way?

And Arnold, thank you also for your response. As we are an ISP and cloud provider we have our own infrastructure in a few data centres, and we have rather sizeable (5Gbps plus) and cost-effective links to the net. At this stage I am not too concerned with bandwidth costs, but you are right, it might become significant at some point. Regarding https and "man in the middle", it is fairly straightforward to give the proxy a legitimate FQDN and purchase an SSL certificate for it. That should not be a problem.

I should have drawn my "diagram" like this:-

INTERNET  <----> cloud web filter/proxy <-----> clients' on-premises router/gateway <----> client’s browsers forced to use the cloud proxy

Other suggestions are certainly welcome folks!
Cheers
Michael
arnold

It depends on how you define your customer; you might be combining a proxy with what accelerator engines such as Akamai do.

Deploying a black box to the customer LAN that consults for the rules/signature/sites in the cloud is....

Even with a certificate, your proxy will not be able to enforce secure sites, since your proxy will not be able to view the content. To manage restriction you would need to block entire sites (https), since the way it works, the proxy merely provides a mode to establish a connection through it to the destination.
The only way to filter secure sites is by requiring the individuals to effectively use a portal (browser within a browser): they submit their requests in plain text, and your browser in the browser proxies the request, making you the client that requests the referenced site and returning the data to the user.......
Similar to the anonymizer, and others....
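
An added illustration of the point in the post above (not part of the thread and not any product's code): a forward proxy's filter decision, showing that a plain-HTTP request exposes the full URL while an HTTPS `CONNECT` tunnel exposes only host and port, so path-level rules cannot be evaluated. The hostnames, the policy tables and the `ALLOW-UNINSPECTED` label are constructed for this example.

```python
from urllib.parse import urlsplit

# Constructed policy: one host blocked outright, one host with a path rule.
BLOCKED_HOSTS = {"blocked.example"}
BLOCKED_PATH_PREFIXES = {"mixed.example": ["/adult/"]}


def visible_fields(request_line):
    """Return (scheme, host, path) as a forward proxy sees them.

    For CONNECT the path is None: everything after the tunnel is set up
    is encrypted between the browser and the destination site.
    """
    method, target, _version = request_line.split()
    if method.upper() == "CONNECT":
        host, _, _port = target.rpartition(":")
        return "https", host.lower(), None
    parts = urlsplit(target)  # plain HTTP via a proxy uses an absolute URL
    return parts.scheme, (parts.hostname or "").lower(), parts.path or "/"


def decide(request_line):
    """Apply the policy using only what the proxy can actually see."""
    _scheme, host, path = visible_fields(request_line)
    if host in BLOCKED_HOSTS:
        return "BLOCK"  # whole-site block works for HTTP and HTTPS alike
    prefixes = BLOCKED_PATH_PREFIXES.get(host, [])
    if path is None:
        # HTTPS tunnel: a path rule exists for this host but cannot be
        # checked, so the choice is block the whole site or let it pass.
        return "ALLOW-UNINSPECTED" if prefixes else "ALLOW"
    if any(path.startswith(p) for p in prefixes):
        return "BLOCK"
    return "ALLOW"


# Constructed sample request lines as a browser would send them to a proxy.
SAMPLE_REQUESTS = [
    "GET http://mixed.example/adult/page.html HTTP/1.1",
    "GET http://mixed.example/news/ HTTP/1.1",
    "CONNECT mixed.example:443 HTTP/1.1",
    "CONNECT blocked.example:443 HTTP/1.1",
]

if __name__ == "__main__":
    for line in SAMPLE_REQUESTS:
        print(f"{decide(line):18} {line}")
```

The `ALLOW-UNINSPECTED` results are the ones worth logging and reporting separately, since they mark requests where the policy wanted to look deeper than the tunnel allows.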
mikhael

ASKER

Thanks again Arnold.
Not sure what you mean by "deploying a black box to the customer LAN that consults for the rules/signature/sites in the cloud is..."
Yes, it is like a black box solution (SaaS), but my plan is to make it multi-tenanted - 1 black box for many separate clients. Perhaps I should have made that clearer.
Re HTTPS, you might be right. But I am not that worried about HTTPS traffic. Nearly all of the "blocked" traffic will probably be HTTP (except perhaps social media); although I realise that's changing. Also re HTTPS, I have had some experience with Untangle, which only looks at the URLs anyway - not necessarily the content - even though it calls itself a web content filter (refer https://www.untangle.com/shop/web-filter/ )
Any other packages that might work?
Cheers
Michael
ASKER CERTIFIED SOLUTION
arnold
mikhael

ASKER

Thanks very much Arnold. What all this does is confirm for me that a single multi-tenanted solution is going to be impractical. I think I will pursue the idea of a small blackbox on each client's network. Many thanks for your input.