
Hey guys,

So... my IT Manager wants us to look into changing our VLANs so that HTTP traffic is not allowed, using the local web browser for intranet only. His idea is to have all clients using a terminal server for web browsing, where the terminal servers would allow HTTP access. Right now, my initial concerns for this are:

  • Usability: This would make web browsing much more problematic. What about media access? WebEx meetings?
  • Client applications: Skype/Outlook I believe use ports 80/443; I believe other clients may use these ports, but I'd have to verify the different applications used in our environment.

Has anyone had such a request before? And if so, was there a better way of going about this? I don't know of any companies my friends work with that do this. We're not in a hyperconverged setup, nor do we have strict control of client devices where images are the norm and can be pre-configured / updated. If you need more details, please let me know.

Thanks

Why not filter the crap out of http/https? There are lots of things that use http/https, and that is where deep inspection comes into play and where things like web filters come in.

Know where your threats are sourced from, and blocking those sources/categories is required. Filter it well enough and very few threats will make it through; filter it too much and you will have issues. It could be pass-thru, it could be AD-integrated with less secure, more secure, and most secure groupings (or anywhere in between, and as many in between as you would like).

You can block all except for x sites for http/https at your firewall level; this could be internal or external... the downside to external is that it is by IP address, not by site/DNS name. Even if you use a hostname it will usually only resolve to 1 IP address and create a rule for that 1 IP.

Otherwise tomcoleman is on the right path.

How big of a company is this? So the devices are BYOD (bring your own device)? When you say you do not have control of the images?

Do you have enough licenses for term services to let all your users use term access at the same time, and do you have enough horsepower to run such a setup?

I would suggest you look more to content filtering. Websense, now Forcepoint: https://www.forcepoint.com/

You can do on-prem or in-the-cloud filtering.. Or Zscaler https://www.zscaler.com, or you could just get a UTM that does web filtering: FortiGate, Sophos, SonicWall, Barracuda, etc. etc.. You could roll your own with squid and squidGuard, etc. etc..

As to using a specific term connection to access the net - yeah no, not a good approach at all..

Your best approach would prob be to get a UTM that meets your needs and budget.. What speed of internet do you have, how many users?

On 2/2/2018 at 11:20 AM, BudMan said:

How big of a company is this? So the devices are BYOD (bring your own device)? When you say you do not have control of the images?

Do you have enough licenses for term services to let all your users use term access at the same time, and do you have enough horsepower to run such a setup?

I would suggest you look more to content filtering. Websense, now Forcepoint: https://www.forcepoint.com/

You can do on-prem or in-the-cloud filtering.. Or Zscaler https://www.zscaler.com, or you could just get a UTM that does web filtering: FortiGate, Sophos, SonicWall, Barracuda, etc. etc.. You could roll your own with squid and squidGuard, etc. etc..

As to using a specific term connection to access the net - yeah no, not a good approach at all..

Your best approach would prob be to get a UTM that meets your needs and budget.. What speed of internet do you have, how many users?

  • Globally, close to 300 users. I mostly manage Houston and Vegas, which are collectively maybe 160-170 users. Canada and UK are about 50 users each.
  • It's not BYOD, but there isn't any real standardization to make it easier for us (e.g. pushing an image to a group of PCs is not doable).
  • Licenses are a great point which I can bring up. Regarding performance, I believe it'd run like ass for them given we have 2 PowerEdge R730s as our production hosts, with an R710 for backup/development. I can give you specs when I get back to the office, but short answer: no, I don't believe they have the horsepower for that many users, coupled with everything we're running right now.
  • Internet speeds: 100/100 Mbps fiber, 50/10 Mbps copper backup line.

Currently, we're doing content filtering through an HA pair of SonicWall NSA 4500s that need to be replaced. They're EOL and we're actually looking for replacements for Houston and Toronto. My manager seems intent on us determining how feasible this is, despite our protests about it. I've also personally never heard of this really being done like this.

 

On 2/1/2018 at 11:10 AM, sc302 said:

Why not filter the crap out of http/https? There are lots of things that use http/https, and that is where deep inspection comes into play and where things like web filters come in.

Know where your threats are sourced from, and blocking those sources/categories is required. Filter it well enough and very few threats will make it through; filter it too much and you will have issues. It could be pass-thru, it could be AD-integrated with less secure, more secure, and most secure groupings (or anywhere in between, and as many in between as you would like).

You can block all except for x sites for http/https at your firewall level; this could be internal or external... the downside to external is that it is by IP address, not by site/DNS name. Even if you use a hostname it will usually only resolve to 1 IP address and create a rule for that 1 IP.

Otherwise tomcoleman is on the right path.

Yes, we do have content filtering; my manager is just looking to have this as an "added layer". I'm a bit confused about tomcoleman's comment, though; is he saying to install Hyper-V on their local PC? Or server side, published through RemoteApp? Either way, I see this segregation becoming a real problem if users are to copy hyperlinks and paste them into their RemoteApp browser. Maybe I'm misunderstanding though?

3 hours ago, dead.cell said:

I've also personally never heard of this really being done like this.

It isn't - I have been in the biz for 30 years. For a few of those all I did was manage content filtering.. No, only letting a term session out to the internet is not how it would be done or should be done. Nobody is doing that..

As to using it as an extra layer - again, never seen it.. You're throwing more money at the problem - now you have to have all the lic and power to let your users term over to something to get to the net, and then go through content filtering still.. Makes zero sense.

If I were you, where any extra money should be going is standardization of the hardware users use and the image deployed on it..

8 hours ago, dead.cell said:

Yes, we do have content filtering; my manager is just looking to have this as an "added layer". I'm a bit confused about tomcoleman's comment, though; is he saying to install Hyper-V on their local PC? Or server side, published through RemoteApp? Either way, I see this segregation becoming a real problem if users are to copy hyperlinks and paste them into their RemoteApp browser. Maybe I'm misunderstanding though?

You would be pushing it through RemoteApp. You can disable the clipboard so that they can't copy in the RD session, but that really is ineffective and will create turmoil, causing your solution to be removed.

The above isn't really a good solution in your scenario. You should be using a good web filter and have strict rules, with the ability to have a manager elevate if needed. A good web filter will prevent typosquatting/URL hijacking. You should also have a good spam solution to do the same; it goes hand in hand.

You want to really protect yourself: have images of every computer and have those images updated regularly with a retention period of a week. Have shadow copy enabled on your servers, and have the shadow copy update 3-4 times a day. Do not allow anyone to do anything from the servers directly unless they absolutely have to. Have service accounts, lots of them if needed. Follow best practices and you will be OK; get lazy and you will have issues.

Pay attention to web filter updates; don't just apply and walk away. Look to see if there are added categories or added ways to block things, see if there is a business need to have those things, and if there is no business need then block them if they aren't already preselected. It is easier to relax security a little if it becomes a nuisance than it is to fix a network outbreak.

3 hours ago, sc302 said:

You would be pushing it through RemoteApp. You can disable the clipboard so that they can't copy in the RD session, but that really is ineffective and will create turmoil, causing your solution to be removed.

The above isn't really a good solution in your scenario. You should be using a good web filter and have strict rules, with the ability to have a manager elevate if needed. A good web filter will prevent typosquatting/URL hijacking. You should also have a good spam solution to do the same; it goes hand in hand.

You want to really protect yourself: have images of every computer and have those images updated regularly with a retention period of a week. Have shadow copy enabled on your servers, and have the shadow copy update 3-4 times a day. Do not allow anyone to do anything from the servers directly unless they absolutely have to. Have service accounts, lots of them if needed. Follow best practices and you will be OK; get lazy and you will have issues.

Pay attention to web filter updates; don't just apply and walk away. Look to see if there are added categories or added ways to block things, see if there is a business need to have those things, and if there is no business need then block them if they aren't already preselected. It is easier to relax security a little if it becomes a nuisance than it is to fix a network outbreak.

Thanks @sc302 and @BudMan for the feedback.

  • Do you use additional web filtering tools on top of your content filtering? (e.g. typosquatting, as you mentioned) I know we've got redirects like ad.doubleclick blocked, for instance.
  • Spam solutions: I take it you're talking about email? We've discussed possibly routing our Microsoft 365 through a hosted service for better filtering (SonicWall offers this). I don't know if that's just going to add additional delay in general correspondence, though. We already have Microsoft Advanced Threat Protection set up, along with some other rules I've applied to prevent domain spoofing from external.

Typosquatting is built into my web filter. The SonicWall filter may not be good enough; I haven't used that in many years so I don't know its current capabilities. When a user clicks on it, the service checks to see if it is good and then sends the user there if it is good. It helps prevent a bit of issues. As far as mail goes, a hosted anti-spam solution would work if you aren't happy with your current one.
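An added example, not code from this thread or from any of the posters, putting two of the points above into a small Python script: sc302's earlier note that a firewall rule built from a hostname lookup pins one resolved IP address while a web filter decides on the hostname the client actually asked for, and the lookalike-domain (typosquatting) check a web filter adds on top of a plain allowlist. Every domain, address and DNS answer in it is constructed. Two assumptions are worth naming: the allowlist uses the leading-dot subdomain convention of a proxy "dstdomain" ACL, and the "registered domain" is simply the last two labels, which ignores public suffixes such as co.uk.

```python
"""Hostname-based filtering decisions versus an IP-pinned firewall rule.

Added illustration for the thread above; not anyone's production policy.
All domains, addresses and DNS data below are constructed test values.
"""
from typing import Dict, List, Optional

# Constructed allowlist in proxy dstdomain style (assumption): a leading dot
# matches the domain and all of its subdomains; no leading dot matches only
# that exact host.
ALLOWED_DOMAINS = [".example.com", ".webex.com", "intranet.example.local"]

# Constructed list of legitimate domains; a hostname that is one or two edits
# away from one of these is treated as a probable typosquat and denied.
PROTECTED_DOMAINS = ["example.com", "microsoft.com", "paypal.com"]

# Constructed DNS answers (TEST-NET-3 addresses) for a host that legitimately
# resolves to more than one address.
FAKE_DNS: Dict[str, List[str]] = {
    "cdn.example.com": ["203.0.113.10", "203.0.113.11"],
}


def dstdomain_match(host: str, pattern: str) -> bool:
    """Match one hostname against one dstdomain-style allowlist pattern."""
    host = host.lower().rstrip(".")
    pattern = pattern.lower()
    if pattern.startswith("."):
        return host == pattern[1:] or host.endswith(pattern)
    return host == pattern


def host_allowed(host: str, allowlist: List[str] = ALLOWED_DOMAINS) -> bool:
    """True when any allowlist pattern matches the requested hostname."""
    return any(dstdomain_match(host, p) for p in allowlist)


def levenshtein(a: str, b: str) -> int:
    """Edit distance; enough to catch one- or two-character lookalikes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def registered_domain(host: str) -> str:
    """Last two labels of the hostname (assumption: ignores co.uk-style suffixes)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def typosquat_of(host: str, protected: List[str] = PROTECTED_DOMAINS,
                 max_distance: int = 2) -> Optional[str]:
    """Return the protected domain this host closely resembles, else None.

    An exact match (distance 0) is the real site, not a typosquat.
    """
    reg = registered_domain(host)
    for legit in protected:
        d = levenshtein(reg, legit)
        if 0 < d <= max_distance:
            return legit
    return None


def decide(host: str) -> str:
    """Web-filter style verdict keyed on the hostname the client requested."""
    lookalike = typosquat_of(host)
    if lookalike is not None:
        return f"deny (lookalike of {lookalike})"
    if host_allowed(host):
        return "allow"
    return "deny (not in allowlist)"


def firewall_rule_from_lookup(hostname: str) -> List[str]:
    """Emulate a firewall that turns a hostname rule into a single IP at rule
    creation time by keeping only the first DNS answer it received."""
    return FAKE_DNS[hostname][:1]


def firewall_permits(dst_ip: str, rule_ips: List[str]) -> bool:
    """The firewall only sees the destination address, never the hostname."""
    return dst_ip in rule_ips


if __name__ == "__main__":
    for h in ["www.example.com", "meetings.webex.com", "intranet.example.local",
              "mail.intranet.example.local", "examp1e.com", "micros0ft.com",
              "evil.test"]:
        print(f"{h:28} -> {decide(h)}")
    rule = firewall_rule_from_lookup("cdn.example.com")
    for ip in FAKE_DNS["cdn.example.com"]:
        verdict = "permits" if firewall_permits(ip, rule) else "blocks"
        print(f"cdn.example.com via {ip}: IP-pinned firewall rule {verdict}")
```

Run as-is and the second loop shows the problem sc302 described: the rule created from the first answer lets the first address through and blocks the second, even though both belong to the same allowed hostname, whereas `decide()` never looks at addresses at all. The `mail.intranet.example.local` case shows why the leading dot in an allowlist entry matters when you expect subdomains to be covered.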
