Web Security

This is the third article in this series covering Web Security. The first gave the arguments that may lead you to obtain some form of protection; the second discussed a more open approach. This article will concentrate on solutions available to businesses.

Corporate Solutions
There can be quite a steep learning curve in IT when you start out in a new topic, and Web Security is one area that is rarely approached in smaller businesses. Large businesses and corporations tend to be able to hire personnel with the required skills or at least some experience.
Unfortunately, each of the solutions discussed in these articles requires different IT skills, but an administrator worth his salt should be able to pick up any of them and run with it to the desired outcome.
Simply put, each solution falls into one or more of three categories:

  • In-Network based
  • Border
  • Cloud based

Additionally, a system may be a Managed/Semi-Managed third party system.
This article considers one small section of the above, an in-network appliance.
This classification covers solutions installed within the offices of the corporation, attached to the internal network just like any other server.
The two primary methods used depend on how much you want to spend and how much control you wish to have.

  • Appliance
  • Simple Proxy

An appliance is a device provided by a third party. You simply configure it to your network specifications, point users at it, and from day one it will apply a “default” policy; usually this is block everything or allow everything.
The appliance solution has the advantage that you do not require the skills needed to build solutions.
An appliance normally provides a reasonable configuration interface that allows you to define policies. Policies will be covered in another article later, but basically a policy defines who can do what.
Appliances often have the ability to hook into existing user control systems, like Active Directory or LDAP. Most appliances allow you to configure custom users that require a separate username and password in order to get specific web services. All will allow you to restrict access for all and for specific IP addresses. Many allow you to create custom groups, simplifying the policy management considerably.
This solution often includes a system that categorises sites to help the administrator block or allow classes of sites, such as pornography or social networking.
The main (possible) disadvantages of an appliance solution are:

  • Limited flexibility in configuration
  • Categorisation configuration must be downloaded regularly
  • Categorisation not updated very frequently
  • Anti-Malware not updated very frequently
  • Categorisation can be too limited
  • Failover or disaster recovery will require hot standby (additional cost)
  • Access to underlying system restricted by manufacturer
  • Ongoing license cost for categorisation lists and anti-malware components
  • Often entire device can only be leased/licensed, no purchasable devices
  • Multiple sites will often require separate configuration/device

I have seen several different installations and they do the job well within the restrictions above. You do end up with the occasional long exceptions list if the categories provided do not match your own thoughts on the issues. One man’s cheese is another man’s biscuit.
Another note is that some of those disadvantages can be positives; if there is limited configuration space for, say, exceptions you are less likely to be handing them out like candy, simplifying procedure and access rights.
To summarise, the main (possible) advantages to an appliance are:

  • Security Integration
  • Automated Categorisation
  • Simple Administration
  • Few expert skill requirements
  • Malware protection
  • Direct manufacturer support

All of the above (pros and cons) should be discussed with any provider before purchase. A corporation also needs to consider (as always) the support model it requires (international? 24/7? Same day fix? 4 hour fix? Automatic failover?), and an extended trial is essential. For the trial, do not consider any period less than 30 days or 4 weeks after initial configuration is complete. You simply won’t have enough time to evaluate the solution otherwise.

The next article will look toward Custom Proxy devices. Remember that if you have a comment on any of these articles just drop me a comment.

About harlekwinblog

"Thoughts of an idle mind." Information Security professional.

