Listening to a recent interview with the esteemed Evgeny Kaspersky on RussiaToday, in which he said that soon most of his company's employees will not have access to the Internet, I recalled the practice of many companies that completely separate the internal network from the Internet and provide Internet access only from separate dedicated computers, and decided to set out my thoughts on this aspect of information security.
The practice of completely separating the local network from Internet access is entirely sound and, according to many IT specialists, is the only 100% way to protect corporate data. However, besides the high cost of implementing it, this method has another very significant drawback: the inconvenience of using the Internet. The lack of comfortable Internet access causes not only direct losses in the form of reduced employee performance, but also indirect ones, such as reduced employee loyalty and lower prestige of the job, which in turn raise the company's costs.
A typical scheme for such a network is:
This scheme completely separates the workplaces from the Internet, so even if a Trojan lands on an employee's computer, it will not be able to transfer the stolen information to the Internet. A network built according to this scheme also prevents an employee from leaking confidential information via the Internet without authorization.
And yet, for all its security, this scheme has a significant drawback: a lack of flexibility and comfortable work, since only two states are possible: either the employee has no Internet access at all, or he works on a separate machine.
To solve these problems and let the employee work fully, there is an interesting solution in the form of application virtualization, a technology Microsoft calls App-V.
Microsoft Application Virtualization (App-V) makes programs available on user computers without installing them directly on those computers. It relies on a process called application virtualization, which lets each application run in its own autonomous virtual environment on the client computer. Virtualized applications are isolated from each other, which avoids conflicts between applications, while they can still interact with the client computer.
This is done as follows: in the DMZ we install a terminal server to which we allow Internet traffic, configure the Internet browser as a virtual application, and prohibit clipboard redirection and the use of local resources via RDP. Also in the DMZ we configure Remote Desktop Gateway and allow access to it via HTTPS from the company's network.
Approximate scheme:

So, what we have in the end:
Users of the company, isolated from the Internet by the internal network, open the internal web page of the RDG service on which the Internet browser is published, or launch the RDP file.
After authentication, if the user has sufficient rights, he launches a browser whose operation is indistinguishable to him from a browser running on his local machine. In reality, the browser runs on the terminal server: it can only display information on the monitor and receive commands from the keyboard and mouse, and has no access to other resources of the user's computer or of the local network. Thus, with quite comfortable work, we get a browser with Internet access that is completely isolated from the computer and from the internal network.
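The server-side part of this setup, as an added example that is not part of the original post: it publishes the browser as a RemoteApp on the DMZ session collection, switches off the RDP redirections the post says must be prohibited (clipboard, drives, printers, ports, Plug and Play devices), and then checks that the session host's policy keys enforce the same prohibitions regardless of what a client-side .rdp file requests. The collection, broker and session host names are assumptions; run it on the RD Connection Broker as an RDS administrator.

```powershell
# Added example, not code from the original post. Assumed names below.
Import-Module RemoteDesktop

$Collection  = 'IsolatedBrowser'        # assumed session collection name
$Broker      = 'rdcb01.dmz.example'     # assumed RD Connection Broker
$SessionHost = 'rdsh01.dmz.example'     # assumed RD Session Host in the DMZ

# 1. Publish only the browser, so users never get a full desktop on the DMZ host.
New-RDRemoteApp -CollectionName $Collection `
    -DisplayName 'Internet Browser' `
    -FilePath 'C:\Program Files\Internet Explorer\iexplore.exe' `
    -Alias 'isolated-browser' `
    -ConnectionBroker $Broker

# 2. Block every client resource redirection at the collection level:
#    no clipboard, drives, COM/LPT ports, PnP devices, smart cards or printers.
Set-RDSessionCollectionConfiguration -CollectionName $Collection `
    -ClientDeviceRedirectionOptions None `
    -ClientPrinterRedirected $false `
    -ConnectionBroker $Broker

# 3. Defense in depth: enforce the same prohibitions on the session host itself
#    through the Terminal Services policy keys (the registry form of the
#    "Do not allow ... redirection" Group Policy settings), so they apply to
#    every session on that host, not only to sessions created via the collection.
$PolicyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
$PolicyValues = 'fDisableClip',     # clipboard
                'fDisableCdm',      # drives
                'fDisableCpm',      # printers
                'fDisableLPT',      # LPT ports
                'fDisableCcm',      # COM ports
                'fDisablePNPRedir'  # Plug and Play devices

Invoke-Command -ComputerName $SessionHost -ScriptBlock {
    param($Path, $Names)
    New-Item -Path $Path -Force | Out-Null
    foreach ($Name in $Names) {
        Set-ItemProperty -Path $Path -Name $Name -Value 1 -Type DWord
    }
} -ArgumentList $PolicyPath, $PolicyValues

# 4. Verify: every value must read 1; any other value is a gap to close.
$Check = Invoke-Command -ComputerName $SessionHost -ScriptBlock {
    param($Path, $Names)
    Get-ItemProperty -Path $Path | Select-Object -Property $Names
} -ArgumentList $PolicyPath, $PolicyValues
$Check | Format-List
```

The RD Gateway itself is configured separately; the checks above only cover the session host that runs the published browser.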
References for the article:
Application virtualization
Remote Desktop Gateway

Yours,
Servilon Team