While listening to a recent interview with the respected Eugene Kaspersky, in which he suggested that most of his company's employees will soon have no Internet access at their workstations, I was reminded that many companies completely separate their internal networks from the Internet and provide Internet access only from dedicated machines. That prompted me to share some thoughts on this aspect of information security.
The practice of completely isolating a corporate network from the Internet is a sound one; many IT professionals consider it the best way to protect corporate data. However, besides its high implementation cost, this approach has another very significant drawback: the Internet becomes cumbersome to use. The lack of convenient Internet access causes not only direct losses through reduced employee productivity but also indirect ones, such as lower employee loyalty and a less attractive workplace. The net result is higher costs for the company.
Such a network typically looks like this:
This scheme separates workstations from the Internet entirely. Even if a Trojan is installed on an employee's computer, it has no network path over which to send stolen information to the Internet. Such a network also makes it much harder for employees to distribute the company's confidential information without authorization (although, by itself, it does not stop data leaving on removable media).
For all its security, however, this scheme has a significant drawback: inflexibility and inconvenience. There are only two options: an employee either has no Internet access at all or has to use a separate machine.
Microsoft offers an interesting solution in the form of application virtualization, App-V, that can address these problems and let employees work effectively.
Microsoft Application Virtualization (App-V) makes programs available on users' computers without installing them directly on those computers. Each application runs in its own self-contained virtual environment on the client computer, isolated from the other applications. This avoids conflicts between applications while still allowing them to interact with the client computer.
This could be implemented as follows: set up a terminal server in the DMZ with access to the Internet, publish an Internet browser on it as a virtual application, and disable clipboard and local resource redirection (drives, printers, ports) over RDP. Then set up a Remote Desktop Gateway (RDG) in the DMZ and allow access to it over HTTPS from the company network only.
The approximate scheme:
As a result, internal network users remain isolated from the Internet; to browse, they open the gateway's internal RDG web page in their local browser or launch an RDP file.
Once a user has authenticated and has sufficient rights, he or she launches the browser, which behaves as if it were running on the local machine. In reality it runs on the terminal server: the user's computer only displays the screen output and sends keyboard and mouse input. The browser has no access to other resources on the user's computer or the local network. Thus we have achieved convenient Internet access while keeping the computer completely isolated. Note that the redirection restrictions must be enforced on the server side (through Group Policy on the terminal server or the gateway's authorization policies); settings in the user's own RDP file can simply be edited by the user.
Remote Desktop Gateway
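As an added example (not part of the original post or of any Microsoft documentation), the following PowerShell script shows the server-side enforcement of the scheme described above: disabling clipboard and local resource redirection on the terminal server through the registry values behind the corresponding Group Policy settings, auditing that they took effect, restricting inbound HTTPS on the RD Gateway to the corporate network, and generating a RemoteApp RDP file for the virtualized browser. The hostnames, subnet and RemoteApp alias are assumptions chosen for illustration.

```powershell
# Added example, not from the original post. Hostnames, subnet and alias are assumptions.
#Requires -RunAsAdministrator

$InternalSubnet = '10.10.0.0/16'          # assumed corporate LAN range
$GatewayFqdn    = 'rdg.dmz.example.com'   # assumed RD Gateway in the DMZ
$TerminalServer = 'ts01.dmz.example.com'  # assumed terminal server in the DMZ
$RemoteAppAlias = 'InternetBrowser'       # assumed RemoteApp alias of the App-V browser

# 1. Terminal server: deny clipboard and local resource redirection over RDP.
#    These DWORDs are what the Group Policy settings under
#    "Remote Desktop Session Host > Device and Resource Redirection" write.
$PolicyKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
$Redirection = @{
    fDisableClip     = 1   # Do not allow Clipboard redirection
    fDisableCdm      = 1   # Do not allow drive redirection
    fDisableCpm      = 1   # Do not allow client printer redirection
    fDisableLPT      = 1   # Do not allow LPT port redirection
    fDisableCcm      = 1   # Do not allow COM port redirection
    fDisablePNPRedir = 1   # Do not allow supported Plug and Play device redirection
}

function Set-RdpRedirectionPolicy {
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    foreach ($name in $Redirection.Keys) {
        Set-ItemProperty -Path $PolicyKey -Name $name -Value $Redirection[$name] -Type DWord
    }
}

# Audit: return the names of every redirection channel that is still permitted
# (an empty result means the server is locked down as intended).
function Get-OpenRdpRedirection {
    foreach ($name in $Redirection.Keys) {
        $value = (Get-ItemProperty -Path $PolicyKey -Name $name -ErrorAction SilentlyContinue).$name
        if ($value -ne 1) { $name }
    }
}

# 2. RD Gateway: accept HTTPS only from the internal network. Windows Firewall
#    lets explicit Block rules override Allow rules, so instead of adding a
#    blanket block we rely on the default inbound action being Block and add
#    a single Allow rule scoped to the corporate subnet.
function Set-GatewayFirewall {
    Set-NetFirewallProfile -Profile Domain, Private, Public -DefaultInboundAction Block
    New-NetFirewallRule -DisplayName 'RDG HTTPS from corporate LAN' `
        -Direction Inbound -Protocol TCP -LocalPort 443 `
        -RemoteAddress $InternalSubnet -Action Allow | Out-Null
}

# 3. RDP file handed to internal users: RemoteApp mode, always via the gateway,
#    all redirection off. This is a convenience only; the user can edit the
#    file, which is why step 1 enforces the same restrictions on the server.
function New-BrowserRdpFile {
    param([string]$Path = "$env:USERPROFILE\Desktop\$RemoteAppAlias.rdp")
    $lines = @(
        "full address:s:$TerminalServer"
        "gatewayhostname:s:$GatewayFqdn"
        'gatewayusagemethod:i:1'          # 1 = always connect through the RD Gateway
        'gatewaycredentialssource:i:0'    # 0 = prompt for password
        'remoteapplicationmode:i:1'       # RemoteApp window instead of a full desktop
        "remoteapplicationprogram:s:||$RemoteAppAlias"
        'redirectclipboard:i:0'
        'redirectdrives:i:0'
        'redirectprinters:i:0'
        'redirectcomports:i:0'
        'redirectsmartcards:i:0'
        'redirectposdevices:i:0'
        'drivestoredirect:s:'
        'devicestoredirect:s:'
    )
    Set-Content -Path $Path -Value $lines -Encoding Unicode
    return $Path
}

# Usage (run each part on the host it concerns):
#   Set-RdpRedirectionPolicy; Get-OpenRdpRedirection   # on the terminal server
#   Set-GatewayFirewall                                # on the RD Gateway
#   New-BrowserRdpFile                                 # file distributed to internal users
```

Run the audit function after a `gpupdate` or reboot as well as right after setting the values: a domain GPO that applies later can overwrite the local policy key, and the audit will show any channel that has been reopened. The firewall part assumes the RD Gateway has no other rule already allowing TCP 443 from arbitrary addresses; if one exists, disable it, since Windows Firewall allows a connection when any Allow rule matches.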
Sincerely, the Servilon Team