URL Filtering - Where to implement it
So today was very interesting. In my role, I manage our firewalls (Palo Alto) and we have URL filtering enabled on them. It's been this way for a long time. Today, a user had an issue with a website being filtered, but it turned out not to be by our firewall. The server team just recently deployed a new version of AV and enabled URL filtering on the clients. Long story short, it started a mini war between the two Directors of each area. I can't lie, it was a little fun to watch. What added to it was that the category that was blocked was not a category that we block on the firewall.
The argument from my Director (network) was, we force users to connect to VPN (full tunnel), so even if they are remote, their internet traffic is going through the firewall. The server side's argument was, they feel the extra protection is good, and for those occasions where someone doesn't connect to VPN (maybe account locked, or expired password, or a disabled service somehow), those machines are no longer protected by the firewall, but will be with AV.
While I see both sides and think extra protection is good, this could lead to some issues/inconveniences. For example, if a certain blocked site has a legitimate business purpose, it will need to be unblocked from both sides.
So my question to TE is: who was right, and how would you implement it?
If it was my decision, I probably wouldn't do url filtering on either AV or firewall. I'd probably opt for a proxy, like Cisco Web Security or <add other vendor here>
Comments
You can always add extra layers on the endpoint like HIPS, more AVs, a DLP client, etc. It gets messy to manage though and does slow things down. Is it necessary to have URL filtering somewhere other than the border? I'm not sure. I don't think so, but I'm curious to see what everyone thinks.
Now, the AV filtering is good as a backup to catch anything that passes those 2 devices above. Once it has been identified it has to be sent to the firewall guys so they can change the firewall policies and update them with the new URL that needs to be filtered. Once that has been done it will no longer be filtered at the AV. This is the best approach in my opinion. A layered defense and not a war between where it should be blocked. Ultimately you would want to block as much as possible at your perimeter, not after.
I think this sums it up exactly. "A layered defense and not a war". Couldn't say it any better.
I think the big problem is their AV filtering rules didn't match the firewall rules, which needs to happen first. I think that caused a misunderstanding, where my director feels that if both are enabled, theirs will activate first. Unfortunately, this argument happened in a room, so I decided not to address it until tomorrow.
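The mismatch described in this comment (the endpoint agent blocking a category the firewall does not) is cheap to catch before a user hits it, if the two block lists are reconciled from their config exports instead of compared by memory. The following is an added example and is not code from the thread or from either vendor; the category names, the vendor-to-vendor category mapping and the hostnames are all constructed. It also checks the point raised in the original post, that a site with a legitimate business purpose has to be unblocked on both layers or the user is still blocked somewhere:

```python
"""Reconcile the URL categories blocked on the firewall with those blocked by
the endpoint AV agent, and check that an approved business exception is
allowed on BOTH layers.

Added example, not from the thread. Category names, the cross-vendor mapping
and the hostnames are constructed for illustration."""
from dataclasses import dataclass, field

# Constructed: categories blocked on the firewall, in its own taxonomy.
FIREWALL_BLOCKED = {"gambling", "adult", "malware", "phishing", "hacking"}

# Constructed: categories blocked by the endpoint agent, in its vendor's
# taxonomy. "Weblogs" is the kind of extra category that starts the argument.
ENDPOINT_BLOCKED = {"Gambling/Betting", "Adult Content", "Malicious Sites",
                    "Phishing", "Hacking/Cracking", "Weblogs", "Streaming Media"}

# Constructed mapping from endpoint names to firewall names. Vendors do not
# share a taxonomy, so anything missing here is reported, never ignored.
ENDPOINT_TO_FIREWALL = {
    "Gambling/Betting": "gambling",
    "Adult Content": "adult",
    "Malicious Sites": "malware",
    "Phishing": "phishing",
    "Hacking/Cracking": "hacking",
    "Weblogs": "blogs",
}

# Constructed: hosts with an approved business justification, and the
# allow-lists currently configured on each layer.
EXCEPTIONS = {"vendor-portal.example", "Stats.Example"}
FIREWALL_ALLOW = {"vendor-portal.example", "stats.example"}
ENDPOINT_ALLOW = {"stats.example"}


@dataclass
class Report:
    only_firewall: set = field(default_factory=set)    # blocked at the border only
    only_endpoint: set = field(default_factory=set)    # blocked by the agent only
    unmapped_endpoint: set = field(default_factory=set)  # no firewall equivalent
    exceptions_missing: dict = field(default_factory=dict)  # host -> layers still blocking

    def consistent(self):
        return not (self.only_firewall or self.only_endpoint
                    or self.unmapped_endpoint or self.exceptions_missing)


def normalise_endpoint(categories):
    """Translate endpoint category names into the firewall's taxonomy."""
    mapped, unmapped = set(), set()
    for name in categories:
        target = ENDPOINT_TO_FIREWALL.get(name)
        if target:
            mapped.add(target)
        else:
            unmapped.add(name)
    return mapped, unmapped


def reconcile(fw_blocked, ep_blocked, fw_allow, ep_allow, exceptions):
    ep_norm, unmapped = normalise_endpoint(ep_blocked)
    report = Report(
        only_firewall=set(fw_blocked) - ep_norm,
        only_endpoint=ep_norm - set(fw_blocked),
        unmapped_endpoint=unmapped,
    )
    fw_allow = {h.lower() for h in fw_allow}   # hostnames are case-insensitive
    ep_allow = {h.lower() for h in ep_allow}
    for host in sorted(h.lower() for h in exceptions):
        # An exception only works if every filtering layer honours it.
        missing = [layer for layer, allow in (("firewall", fw_allow), ("endpoint", ep_allow))
                   if host not in allow]
        if missing:
            report.exceptions_missing[host] = missing
    return report


def run_sample():
    return reconcile(FIREWALL_BLOCKED, ENDPOINT_BLOCKED,
                     FIREWALL_ALLOW, ENDPOINT_ALLOW, EXCEPTIONS)


if __name__ == "__main__":
    r = run_sample()
    print("blocked on firewall only:", sorted(r.only_firewall))
    print("blocked on endpoint only:", sorted(r.only_endpoint))
    print("endpoint categories with no firewall equivalent:", sorted(r.unmapped_endpoint))
    for host, layers in r.exceptions_missing.items():
        print(f"exception {host} still blocked on: {', '.join(layers)}")
    print("policies consistent:", r.consistent())
```

On the constructed sample the report shows "blogs" blocked by the endpoint only, "Streaming Media" with no firewall equivalent at all, and vendor-portal.example still blocked by the endpoint even though the firewall exception exists, which is exactly the ticket the original poster got.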
We're an MSP and sell our clients web security at the DNS level (Cisco Umbrella). We set all DNS forwarders to OpenDNS DNS servers and there is a lightweight client that we install on client workstations that gives always on dns filtering. It's very easy to manage, intuitive, and just works. I think it's the best solution for SMBs... which is most of our client base.
We've had bad experiences with URL filtering not blocking URLs when it should at the firewall level (Cisco Firepower) because of "bugs" so we are trying to move all of our clients off of that at the moment.
I'd say so! I've also looked at Umbrella, pretty cool product. It was out of budget though.
- Firewall URL filtering is URL filtering "lite." They rarely have the ability to make dynamic decisions based on the content of the page when they don't know the URL reputation. It's URL filtering lite for a reason. If you look at MIERCOM tests with firewalls vs dedicated web content servers, you can see how much a firewall gets spanked hard in comparison
- DLP integration on a firewall sucks. Same with AV for the most part
- Most stuff on the interwebs is getting encrypted. You can push more security to the endpoint but trying to decrypt everything at the firewall will make it cry. PAN doesn't have a dedicated chipset for decryption like A10, F5, Firepower (not active in Firepower yet tho - full disclosure), etc. I did a recent episode of The Network Collective on this subject: Episode 4
Blog: www.network-node.com
Umbrella is awesome and it has some awesome points over dedicated web content servers, i.e. being able to use analytics to determine how new a domain is, tracking IPs to see if other malicious domains were recently registered to the same IP, tracking malicious behavior over time, etc. It also doesn't do certain things a dedicated proxy can do (i.e. DLP integration). Cool stuff tho.
Blog: www.network-node.com
Security is a priority, we had Websense in the past, but to save costs, we went with firewall url filtering.
I know what you mean. Although, I've been lucky and haven't had any problems with performance from decryption. Palo's new appliances are supposed to have even better decryption performance. I haven't looked much at them yet though.
I'm behind on the Network Collective episodes, but yours is on my list. I want to watch that EIGRP one too.
Agreed that URL filtering on a traditional firewall is light, but nextgen (I hate this term) 'firewalls' have good capabilities. I find Palo Alto's firewall (really IPS/IDS) URL filtering to be top notch.
DLP is another topic and yes it shouldn't be on the firewalls for sure
Blog: www.network-node.com
What I like about Palo Alto is that it's the closest to a one device do it all. Fits the purpose where I work because it's an open environment by nature and we don't really block things other than malware infected websites...
For my company it serves the purpose. For a larger company, I'd do things different.
So let's say you get an unknown site or it's misclassified by the first initial look on a web content gateway; it doesn't stop there: it usually looks at the nature of the content and tries to dynamically make a disposition based on the different elements on the page (as well as blocking certain elements of the page). So let's say you allow blogs but block gambling and someone surfs to a page that features a blog about gambling. With a firewall URL filter, that blog might be categorized as "unknown" or "blog" and that's that. With a web content gateway, it could dynamically make the assessment that it's most likely gambling-oriented regardless of the original designation of being a blog and take action based on that. It's much more powerful than "URL Filtering Lite".
Blog: www.network-node.com
I just checked a hacking site I know of and it shows as a "blog." It's a site that's been around for about 20 years now and details phone phreaking, social engineering and hacking. Meanwhile, my blog, which is less than 2 years old, shows as "Computers and Technology" (not a blog), which means if you were blocking blogs, I could get right on by.
Blog: www.network-node.com
Not to beat up on poor PAN since I was trying to make a point on dedicated web appliances vs trying to fit it all in one box but someone did post this in the INE's CCIE Security chat yesterday:
Also... I've never heard of Forcepoint but I kind of want to learn more about it after reading the NSS Labs report...
Blog: www.network-node.com
ForcePoint is formerly Websense.
Blog: www.network-node.com
I've seen their URL filtering improve over the past few months, so now when you request a re-classification, they scan it and respond quickly, but yeah, they can be liberal about classifying blogs. They've been good with re-classifying phishing websites though.
We also have automated block lists (reputation based) in place from places like AlienVault, blocklist.ed, etc. Heaps of them, and they block so much and they're too quick to update. I've seen the number of incidents (malware and breaches) where I work drop drastically after implementing those feeds. It filters out most malware C2 and compromised sites. It's a life saver if you have BYOD on a public network.
I think they're consolidating those feeds in one plan in PAN-OS 8 (haven't used it yet): https://live.paloaltonetworks.com/t5/PAN-OS-8-0-Articles/PAN-OS-8-0-IP-Block-List-Feeds/ta-p/129616
Blog: www.network-node.com
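For the reputation feeds and the PAN-OS 8 IP block list feeds mentioned in the last comment, the part that is easy to get wrong is what ends up in the list the firewall fetches. The following is an added example, not code from the thread, from Palo Alto Networks or from any feed vendor. It parses two constructed feed bodies (a plain list with comments and junk, and an assumed "#"-delimited reputation format that is not any specific vendor's), drops entries that would block internal or reserved address space, collapses duplicates and overlapping subnets, and emits the plain text an IP-type External Dynamic List expects: one address, range or CIDR per line. The risk threshold is an assumption as well:

```python
"""Turn raw threat-intel feeds into a PAN-OS External Dynamic List (EDL) of
type IP: plain text, one address, range or CIDR per line, fetched by the
firewall over HTTP(S) on a schedule.

Added example, not from the thread or from any vendor. Both feed bodies
below are constructed samples; the '#'-delimited reputation format and the
MIN_RISK threshold are assumptions.

Why validate at all: a feed that slips in 0.0.0.0/0, an RFC 1918 address or
a hostname will either block your own network or never load on the firewall,
and you want to know which before the list is published."""
import ipaddress

# Constructed sample of a plain list feed (comments, duplicates, junk included).
PLAIN_FEED = """\
# compromised hosts - constructed sample
198.51.100.23
203.0.113.0/24
203.0.113.0/24
203.0.113.45
10.0.0.5          ; internal, must never reach the block list
0.0.0.0
not-an-ip.example
2001:db8::1
"""

# Constructed sample of a reputation feed, assumed format: ip#reliability#risk#activity
REPUTATION_FEED = """\
198.51.100.77#8#9#Malware Domain
198.51.100.78#3#2#Scanning Host
192.0.2.10#10#10#C&C
"""

MIN_RISK = 5  # assumed threshold: only high-risk reputation entries are blocked

# Ranges a perimeter block list must never contain, whatever a feed says.
NEVER_BLOCK = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "255.255.255.255/32",
    "::/128", "::1/128", "fe80::/10", "fc00::/7",
)]


def parse_plain(text):
    """Yield candidate entries from a plain feed, stripping '#' and ';' comments."""
    for raw in text.splitlines():
        entry = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if entry:
            yield entry


def parse_reputation(text, min_risk=MIN_RISK):
    """Yield addresses from the '#'-delimited feed whose risk >= min_risk."""
    for raw in text.splitlines():
        parts = raw.strip().split("#")
        if len(parts) < 3:
            continue
        try:
            risk = int(parts[2])
        except ValueError:
            continue
        if risk >= min_risk:
            yield parts[0].strip()


def to_network(entry):
    """Parse an address or CIDR into an ip_network, or None if unparseable."""
    try:
        return ipaddress.ip_network(entry, strict=False)
    except ValueError:
        return None


def is_blockable(net):
    """False if the entry touches a reserved/internal range. overlaps() also
    catches an over-broad entry such as 0.0.0.0/0 that would block everything."""
    return not any(net.overlaps(reserved) for reserved in NEVER_BLOCK)


def fmt(net):
    """EDL line: bare address for host entries, CIDR notation otherwise."""
    return str(net.network_address) if net.prefixlen == net.max_prefixlen else str(net)


def build_edl(entries):
    """Return (edl_lines, rejected): validated, deduplicated, collapsed lines
    plus a list of (entry, reason) for everything that was dropped."""
    accepted, rejected = set(), []
    for entry in entries:
        net = to_network(entry)
        if net is None:
            rejected.append((entry, "unparseable"))
        elif not is_blockable(net):
            rejected.append((entry, "reserved or internal range"))
        else:
            accepted.add(net)
    lines = []
    for version in (4, 6):  # collapse_addresses merges one address family at a time
        nets = [n for n in accepted if n.version == version]
        lines.extend(fmt(n) for n in ipaddress.collapse_addresses(nets))
    return lines, rejected


def build_sample():
    entries = list(parse_plain(PLAIN_FEED)) + list(parse_reputation(REPUTATION_FEED))
    return build_edl(entries)


if __name__ == "__main__":
    lines, rejected = build_sample()
    print("\n".join(lines))  # this is the file the firewall fetches
    for entry, reason in rejected:
        print(f"# dropped {entry}: {reason}")
```

On the constructed sample the published list is five lines: the /24 absorbs its duplicate and the host inside it, the low-risk reputation entry never makes it in, and the internal address, 0.0.0.0 and the hostname are reported as dropped rather than silently lost. Serve the output from a web server the firewall can reach and point the EDL object at it; the deny rule that references the list then updates on the refresh interval without a commit.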