Is proxy still needed after Internet segregation?

sunhux
We are segregating users' PCs that could access the Internet from the
Production/servers network.

With this segregation in place, is it still essential to have a proxy
for the users' PCs that access the Internet? The PCs have AV installed.

The argument is that if the users' PCs are infected, we can just wipe
them out & reclone, & there's no sensitive data stored on them.

Next, if the PCs are used for email access, should they be
segregated from the servers' network or should they be part of
the users' network that could access the Internet (other than
MS Exchange, for which we use O365 in the cloud)? I've seen that email
is possibly the top vector of malware, sometimes accounting
for more than 80% of malware (including malicious PDFs &
phishing links/attachments in them), so my view is that email has
a higher risk than Internet access.

Author

Commented:
My personal view is that it is still good to have a proxy for those PCs
that access the Internet even if the PCs don't hold sensitive data,
but ransomware/malware disruptions can result in loss of
productivity or downtime to the 'low-priority' PCs.
Exec Consultant
Distinguished Expert 2018
Commented:
1. For the proxy's existence, I do see there is still good use depending on your company policy. If you need the surfing activity to still have a certain amount of oversight of the places visited, you should have that as a forward proxy. Also, to have a simple list of authorised IP address ranges enforced w/o a firewall going to the Internet, the proxy still comes in handy.

Note that it depends on the "level" of segregation of the user machines - for a clean cut-off, a different machine is issued to the user, i.e. one for Internet and one for intranet. Two separate machines. Otherwise, using the same machine and still surfing the Internet, the risk remains high and you had better have the proxy fronting the first or earlier checks before allowing traffic into the machine host.


2. For the email exchange aspect, I deem they are still in the DMZ, not much different even if you have a separation of Internet and intranet. You still need the mail relay to get to the external network. Phishing email is the residual and email is a necessity. You have to accept this risk.

What you can do is enforce anti-spoof, anti-spam etc. checks at the mail relay before letting the email come through, and make use of Exchange rules to tag all external senders (not your colleagues) for greater vigilance. Conduct awareness training and consider also running a phishing campaign to keep users aware of the risk of email - never click on or open suspicious or unsolicited email. Delete and report phished email as req.
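
An added illustration of the relay-side checks suggested in the comment above (not part of the original thread, and not Exchange's own rule engine): a message that arrives from the Internet is tagged as external, and one that arrives from the Internet while claiming an internal From: domain is held as a likely spoof. The domain `example.com`, the tag text and the sample messages are constructed assumptions; a production relay would also act on SPF/DKIM/DMARC results rather than the From: header alone.

```python
from email import message_from_string, policy
from email.utils import parseaddr

INTERNAL_DOMAINS = {"example.com"}  # assumption: the organisation's own mail domain
TAG = "[EXTERNAL] "                 # assumption: subject prefix shown to users


def sender_domain(msg):
    """Lower-cased domain of the From: address ('' if it cannot be parsed)."""
    _, addr = parseaddr(str(msg.get("From", "")))
    return addr.rpartition("@")[2].lower()


def relay_verdict(raw, arrived_from_internet):
    """Decide what the relay does with one message.

    Returns (action, message) where action is 'quarantine' (internal From:
    domain seen on the Internet-facing side), 'deliver-tagged' (external
    sender, subject prefixed once) or 'deliver' (internal mail, untouched).
    """
    msg = message_from_string(raw, policy=policy.default)
    claims_internal = sender_domain(msg) in INTERNAL_DOMAINS
    if arrived_from_internet and claims_internal:
        return "quarantine", msg
    if arrived_from_internet:
        subject = str(msg.get("Subject", ""))
        if not subject.startswith(TAG):      # do not stack tags on replies
            del msg["Subject"]
            msg["Subject"] = TAG + subject
        return "deliver-tagged", msg
    return "deliver", msg


# Constructed sample messages
EXTERNAL = "From: Alice <alice@partner.test>\nSubject: Invoice\n\nSee attached.\n"
SPOOFED = "From: IT Helpdesk <helpdesk@example.com>\nSubject: Reset now\n\nClick.\n"
INTERNAL = "From: Bob <bob@example.com>\nSubject: Lunch\n\nNoon?\n"

if __name__ == "__main__":
    for raw, outside in ((EXTERNAL, True), (SPOOFED, True), (INTERNAL, False)):
        action, msg = relay_verdict(raw, outside)
        print(action, "|", msg["Subject"])
```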

Author

Commented:
One extra question:
What are some free proxies out there that could do blacklisting (& possibly greylisting)
as well as auto-block by known malicious sources (e.g. get updates from SpamHaus,
AlienVault, bad reputation sites & known sources of malware)?

Author

Commented:
Ideally the free proxies could also stop users from downloading executables or
specified file types. No plan to go for commercial ones like Bluecoat.
btan
Exec Consultant
Distinguished Expert 2018

Commented:
Better to have a new question to solicit instances of the proxy. Actually, you may even want to consider a cloud proxy in Azure.
