Recommendations on an HTTP Web Security service/appliance

exchange keys

We currently block out HTTP requests on IE7 through an administrative template/gpo. However, you can still ping external websites and if someone decides to download a different web browser other than IE7, then the user bypasses the gpo restriction.

I was looking for a few services/appliances but I am not really liking them, such as St. Bernard iPrism, Websense, MXLogic (recently acquired by McAfee)...

I guess I could use OpenDNS, but I really just want to have a dedicated point where it looks like this:

User's PC -> HTTP request -> Proxy/Web service/appliance filters request -> Internet.


Thank you.
 
I suppose the simplest way of doing things if you already have a firewall is to restrict all http/ssl requests to all user computers and only allow traffic from the proxy to go through. This should pretty much do what you need.
 
at your perimeter firewall, block all direct outbound traffic apart from just the protocols you want just your proxy server to be able to access. then find a proxy that supports inspection of http traffic and block all user agent strings apart from the ones you want to permit. microsoft isa acting as a proxy supports this feature, for example. then, configure your browser to point at the proxy, and then lock down the browser configuration so it cannot be changed by users. oh, and prevent users from downloading and installing their own software too.
 
I would heavily recommend BlueCoat. It is a bit pricey but has some great features. And how do you feel about using a proxy pac? Also which firewall technology do you use?
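Since the reply above raises a proxy PAC file, here is an added example of one (not from any poster, and not a vendor's file) that matches the flow the original post drew: intranet destinations go DIRECT, everything else is handed to a single filtering proxy. The proxy host and port, the internal domain suffixes and the private address ranges are assumed values for illustration. It uses plain string and regex operations rather than the browser-provided PAC helpers (dnsDomainIs, isInNet) so the same file also runs under Node for checking.

```javascript
// Added example PAC file. Values below are assumptions, not from the thread.
var FILTERING_PROXY = "PROXY webfilter.corp.example:3128";       // assumed proxy
var INTERNAL_SUFFIXES = [".corp.example", ".intranet.example"];   // assumed intranet zones
var INTERNAL_NETS = [/^10\./, /^192\.168\./, /^172\.(1[6-9]|2[0-9]|3[01])\./];

// True when the destination host is on the internal network: a bare internal
// name, a name under one of the intranet suffixes, or an RFC 1918 address.
function hostIsInternal(host) {
  host = String(host).toLowerCase();
  if (host === "localhost" || host === "127.0.0.1") return true;
  for (var i = 0; i < INTERNAL_SUFFIXES.length; i++) {
    var s = INTERNAL_SUFFIXES[i];
    // Match "wiki.corp.example" and the zone apex "corp.example" itself,
    // but not "evilcorp.example" (suffix comparison keeps the leading dot).
    if (host === s.slice(1) || host.slice(-s.length) === s) return true;
  }
  for (var j = 0; j < INTERNAL_NETS.length; j++) {
    if (INTERNAL_NETS[j].test(host)) return true;
  }
  return false;
}

// Browsers call this for every request. Only one proxy entry is returned for
// external hosts, deliberately without a "; DIRECT" fallback, so a proxy outage
// fails closed instead of letting the browser go straight out.
function FindProxyForURL(url, host) {
  if (hostIsInternal(host)) return "DIRECT";
  return FILTERING_PROXY;
}
```

A PAC file only steers a cooperative browser; a portable browser or one whose settings the user can change will ignore it, which is exactly why the earlier replies pair it with a perimeter rule that lets only the proxy itself reach the Internet. The PAC handles convenience and the fail-closed default; the firewall rule is the control.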
 
I think we're using a Cisco ASA5510 Series, but that's handling a lot of things already (I think), so I don't think I want to add content/web filtering to it.

I am looking at SafeSquid. I think a web proxy solution might work but I'm thinking there might be easy ways to circumvent the security.
 
having re-read the post, i am a little confused on what it is you're trying to achieve? are you saying you only want people to be able to use internet explorer 7 to access the internet? and that you don't want people to be able to download another browser, tinker with the proxy settings to allow them directly out?

if so, then definitely get a logging proxy server on the internal network, and definitely block all direct outbound access. the users then have two choices, use the proxy server with its logging and potentially restrictive internet access, or have no internet access. your users, to be quite frank, should not even have the ability to change the configuration of the browser, nor download and install their own software anyway.

this all needs to be backed up by an acceptable use policy and an internet access and email policy, which is underwritten by the senior management, hr, legal, and if necessary - team leaders and other middle management throughout the business. users should be warned at least once a day (or even every time they open their browser if you wanted to be really pedantic) that their online activities are being monitored.

finally, all employees need to sign up to the policy, maybe even on an annual basis if it is reviewed on a semi-regular basis.
 
Do the specific work stations need internet at all or no?


this all needs to be backed up by an acceptable use policy and an internet access and email policy, which is underwritten by the senior management, hr, legal, and if necessary - team leaders and other middle management throughout the business. users should be warned at least once a day (or even every time they open their browser if you wanted to be really pedantic) that their online activities are being monitored.

...What?
 
you've never worked in an environment where a user's activity within systems is logged and monitored? particularly internet access? the typical 'get out' for end users is 'oh i didn't know there was a policy surrounding the use of x resource'...so, if you enforce the policy regularly via a mechanism such as a captive portal, people cannot use that 'excuse'. assuming this is in the workplace, people need to wake the hell up and realise that the company network and its assets are not there for their own personal consumption. try dealing with law enforcement because some dumbass is looking at kiddy porn, or performing fraudulent credit card transactions from your network, etc. it's not much fun.
 
you've never worked in an environment where a user's activity within systems is logged and monitored? particularly internet access? the typical 'get out' for end users is 'oh i didn't know there was a policy surrounding the use of x resource'...so, if you enforce the policy regularly via a mechanism such as a captive portal, people cannot use that 'excuse'. assuming this is in the workplace, people need to wake the hell up and realise that the company network and its assets are not there for their own personal consumption. try dealing with law enforcement because some dumbass is looking at kiddy porn, or performing fraudulent credit card transactions from your network, etc. it's not much fun.


I take it you have been there?

We have a policy in our employee handbook on it, not much is watched though, not as much as I'd like.
 
yep, we're trying to clamp down as much as possible. politics keeps getting in the way though.
 
having re-read the post, i am a little confused on what it is you're trying to achieve? are you saying you only want people to be able to use internet explorer 7 to access the internet? and that you don't want people to be able to download another browser, tinker with the proxy settings to allow them directly out?

Sorry for the misunderstanding. Our users VPN/RDP into a data center that is hosting VMWare VDI (View). In that virtual environment, I do not want the end-users to have Internet access for web browsing, except for allowed/approved websites that are needed for certain functions (i.e. intranet, external ftp site from clients, etc.). I still need them to be able to install local apps though when necessary. However, there is a "user policy" that appears at the beginning of the Windows logon as a disclaimer that enforces the restriction on installing apps without IT approval.

if so, then definitely get a logging proxy server on the internal network, and definitely block all direct outbound access. the users then have two choices, use the proxy server with its logging and potentially restrictive internet access, or have no internet access. your users, to be quite frank, should not even have the ability to change the configuration of the browser, nor download and install their own software anyway.

I am thinking of getting a web content proxy like suggested, however I still think this can be circumvented. I used to work for a company that would block/monitor Internet activity through Websense. We would be allowed "quota time" to browse the Internet. However, this only really applied if you were using IE on their machines. If you used a portable app of another web browser (or even a local installation of Opera), you could bypass this. Kind of cheesy. Same could be said about "https" allowed traffic since you could download a proxy like "psion" or "tor" and bypass this as well. Same with Citrix.

So, I guess (from what I learned), I want to block other savvy users from doing what I used to do when I was working at that place.

So, anymore recommendations? BlueCoat seems cool, but yeah, pricey. Websense might be intriguing though, if configured correctly.
 
if the only thing that has internet access is the proxy, then that would mean your users would have to come up with some way to circumvent the perimeter firewall itself...which, if you have the firewall configured correctly, should not be easy for them to do. you're running an asa, so from inside to outside is permitted by default...lock that down with an appropriate acl quick smart, if you haven't already.
 