Welcome to the Proxy Update, your source of news and information on Proxies and their role in network security.

Wednesday, February 24, 2010

Web Gateway Deployment Methodologies - Explicit Deployment

In today’s complex network architectures, sometimes it seems there are limitless ways to deploy networking equipment. While that may be the case for some networking gear, in actuality there are probably only a few proven deployment methodologies for web gateways that are effective and provide complete security. In this article, we’ll talk about the four most common types of web gateway deployments. Sometimes referred to as forward proxies, these devices are used to secure web access for an organization’s internal end-users. The commonly used deployment scenarios for web gateways are: inline proxy, explicit proxy, transparent proxy, and SPAN port. Each one of these deployments has its advantages and disadvantages, and we’ll discuss these as we explain each methodology over the next few days. Yesterday we looked at Inline deployments; today, we'll examine Explicit deployments.


Explicit Deployment


Explicit Deployment is fairly common when a web gateway is deployed in a larger network and the design of the network requires that there be no single point of failure. Explicit deployment allows the web gateway to be located anywhere on the network that is accessible by all end-users, as long as the device itself has access to the internet. (See Figure 2) Explicit deployment is done through the use of an explicit proxy definition in the web browser. To make this kind of deployment easier, an administrator can use PAC or WPAD files to distribute the setup information for the explicit proxy to the end-users' browsers.

When using explicit deployment it is extremely important to have your firewall properly configured to prevent users from bypassing the proxy. The firewall needs to be configured to allow only the proxy to talk through the firewall using HTTP and HTTPS. All other hosts/IP addresses should be denied. In addition, all other ports need to be locked down to prevent end-users from setting up their own proxy internally that tries to go out to the internet via HTTP on a port other than the commonly used ones (80 and 443).
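As an added illustration (not from the original post) of the PAC distribution mentioned above, here is a PAC file for an explicit deployment: internal destinations go direct, everything else goes to one of two gateways for redundancy, and there is deliberately no DIRECT fallback to the internet, so the PAC complements the firewall rules rather than offering a bypass when the gateways are down. The gateway names and the corp.example domain are assumptions.

```javascript
// Added example PAC file for an explicit web gateway deployment.
// gateway1/gateway2.corp.example, port 8080 and the corp.example
// domain are assumed values, not taken from the post.

// Private IPv4 ranges (RFC 1918) stay on the LAN and never hit the gateway.
// A browser PAC could use the built-in isInNet()/dnsResolve() instead;
// those helpers only exist inside a browser, so this file carries its own.
function isPrivateIPv4(host) {
  var m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) return false;
  var a = +m[1], b = +m[2];
  return a === 10 ||
         (a === 172 && b >= 16 && b <= 31) ||
         (a === 192 && b === 168);
}

function FindProxyForURL(url, host) {
  host = host.toLowerCase();
  // Single-label names (like the browser's isPlainHostName()), localhost,
  // private addresses and the internal domain are reached directly.
  if (host.indexOf(".") === -1 || host === "localhost" ||
      isPrivateIPv4(host) || /\.corp\.example$/.test(host)) {
    return "DIRECT";
  }
  // Everything else goes through the gateway. Listing two proxies gives the
  // browser automatic failover, which is the redundancy explicit mode makes
  // easy. There is intentionally no trailing "; DIRECT": if both gateways
  // are down the browser fails closed instead of bypassing the gateway
  // (and the firewall should block that bypass anyway).
  return "PROXY gateway1.corp.example:8080; PROXY gateway2.corp.example:8080";
}
```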

Explicit Mode Advantages

The main advantages of deploying a web gateway in explicit mode include narrowing the amount of traffic processed by the web gateway (you can limit traffic to only HTTP-based traffic) and the ability to more easily implement redundancy for web gateways in your environment. Explicit mode deployment in an environment without an existing web gateway is also less disruptive to the network, as the web gateway can be placed anywhere in the network that is accessible by all end-users and from which the web gateway can reach the firewall to the internet.

Explicit Mode Disadvantages

The disadvantage of explicit mode deployment is typically the IT administrative overhead, as each end-user's system needs a configuration change in order to work properly. While there is some reduction in this overhead with PAC and WPAD, any misconfigured end-user system will result in a helpdesk call and require a sysadmin to rectify the situation for the end-user. Explicit mode deployment also relies heavily on a properly configured network and firewall. Any hole in the network or firewall can be exploited by a knowledgeable end-user to bypass the web gateway, as discussed earlier.

Tomorrow we'll look at Transparent deployments.
