Is proxy still needed after Internet segregation?

We are segregating users' PCs that could access the Internet from
the Production/servers network.

With this segregation in place, is it still essential to have a proxy
for the users' PCs that access the Internet?  The PCs have AV installed.

The argument is that if the users' PCs are infected, we can just wipe
them out & reclone, & there's no sensitive data stored on them.

Next, if the PCs are used for email access, should they be
segregated from the servers' network, or should they be part of
the users' network that could access the Internet (other than
MS Exchange, for which we use O365 in the cloud)?  I've seen that email
is possibly the top vector of malware, sometimes accounting
for more than 80% of malware (including malicious PDFs &
phishing links/attachments in them), so my view is that email has
a higher risk than Internet access.
sunhux Asked:

sunhux (Author) Commented:
My personal view is it is still good to have a proxy for those PCs
that access the Internet even if the PCs don't hold sensitive data,
but ransomware/malware disruptions can result in loss of
productivity or downtime to the 'low-priority' PCs.
0
btan (Exec Consultant) Commented:
1. For the proxy's existence, I do see there is still good use, depending on your company policy. If you need to oversee the surfing activity and still hold a certain amount of oversight over the places visited, you should have that as a forward proxy. Also, to have a simple list of authorised IP address ranges enforced w/o a firewall going into the Internet, the proxy still comes in handy.

Note that it depends on the "level" of segregation on the user machines - for a clean cut-off, it is a different machine issued to the user, i.e. one for Internet and one for intranet. Two separate machines. Otherwise, using the same machine and still surfing the Internet, the risk remains high and you had better have the proxy fronting the first or earlier checks before allowing traffic to go into the machine host.

2. For the email exchange aspect, I deem they are still in the DMZ, not much different even if you have a separation of Internet and intranet. You still need the mail relay to get to the external network. Phishing email is the residual and email is a necessity. You have to accept this risk.

What you can do is enforce anti-spoof, anti-spam etc. checks at the mail relay before letting the email come through, and make use of Exchange rules to tag all external senders (not your colleagues) for greater vigilance. Conduct awareness training and also consider running a phishing campaign to keep users aware of the risk of email - never click on or open suspicious or unsolicited email. Delete and report phished email as req.
0

sunhux (Author) Commented:
One extra question:
What are some free proxies out there that could do blacklisting (& possibly greylisting)
as well as auto-block by known malicious sources (eg: get updates from SpamHaus,
AlienVault, bad reputation sites & known sources of malware)?
0
sunhux (Author) Commented:
Ideally the free proxies could also stop users from downloading executables or
specified file types.  No plan to go for commercial ones like Bluecoat.
0
btan (Exec Consultant) Commented:
Better to have a new question to solicit instances of the proxy. Actually, you may even want to consider a cloud proxy in Azure.
0
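
The filtering asked about in the posts above (blacklisting, greylisting and stopping executable downloads at a forward proxy), sketched as an added example that was not posted by either participant and is not taken from any particular proxy product. The list contents, the `decide` function and the reading of greylisting as "allow but log" are assumptions, and the sketch assumes the proxy can see the URL, the `Content-Type` header and the first bytes of the response.

```python
from urllib.parse import urlsplit

# Constructed sample data; a real deployment would refresh these from a reputation feed.
BLOCKLIST = {"malware-feed.example", "bad-reputation.example"}
GREYLIST = {"filesharing.example"}          # assumption: allowed, but logged for review
BLOCKED_EXTENSIONS = {".exe", ".msi", ".scr", ".dll"}
BLOCKED_TYPES = {"application/x-msdownload", "application/x-dosexec"}
EXECUTABLE_MAGIC = (b"MZ", b"\x7fELF")      # PE and ELF file headers


def host_matches(host, entries):
    """True if host equals a listed domain or is a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in entries)


def decide(url, content_type="", body_prefix=b""):
    """Return (action, reason) for one proxied response."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    if host_matches(host, BLOCKLIST):
        return ("block", "host on blocklist")
    path = parts.path.lower()
    if any(path.endswith(ext) for ext in BLOCKED_EXTENSIONS):
        return ("block", "blocked file extension")
    if content_type.split(";")[0].strip().lower() in BLOCKED_TYPES:
        return ("block", "blocked content type")
    # URL and header are chosen by the remote server, so also check the leading bytes.
    if body_prefix.startswith(EXECUTABLE_MAGIC):
        return ("block", "executable file header")
    if host_matches(host, GREYLIST):
        return ("allow-and-log", "host on greylist")
    return ("allow", "no rule matched")
```

The header check catches an executable served under a harmless name and content type, which extension-only rules miss.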