by Pavel Klushin, Israel CUGC Leader
Today, access to the Internet is a fundamental requirement in virtually any workplace environment. But, for enterprise IT, this presents a problem.
More than a million new malware threats are unleashed every single day. Firewalling, content scanning, virus scanners, intrusion detection, URL safe lists and regular software patching can help you mitigate the risk of attack. But, as new threats appear, it can take time before software manufacturers become aware they exist. So, you can never guarantee 100% protection.
Likewise search engines have the same problem detecting new malware, which means they cannot keep pace with the number of unsafe websites. And it’s only a matter of time before a member of staff visits a site that could potentially harm or spy on your enterprise IT infrastructure.
So, What’s the Solution?
If your corporate users are browsing the internet on a Citrix XenApp/XenDesktop environment, then you have three main options for implementing an isolated secure access to the Internet.
Option 1: Virtual Browsing via an Isolated Citrix Environment
To tighten up security, you create a separate XenApp/XenDesktop environment within a DMZ, which serves as a dedicated Internet browsing farm for access outside your internal network. That way, all external content is executed out of reach of your corporate network, so malicious code can’t run internally.
This solution offers numerous benefits, such as centralized management of your browsing security and a contained environment that isolates malware infections from your core business systems. It also gives you scope for stricter firewall rules, as you’ll need fewer open ports. And you may be able to limit browser functionality, as you no longer need certain features for running internal business applications.
Option 2: Browsing Capability at Individual Endpoints
Alternatively, you could implement a secure Internet browsing environment locally at each individual workstation. Provided users have access to a capable machine and network, this option is potentially the best in terms of performance. Also, if you properly segment your LAN, you may be able to contain malware infections to just a small part of your internal network, thereby avoiding wider infection across your data center.
On the other hand, this option decentralizes control of your security, making it harder and more time consuming to maintain—especially if your endpoints use different operating systems and technologies. It also increases the attack service, as there are more endpoints to protect in comparison with a centralized system.
Option 3: Dedicated Internet-only Workstations
This is potentially the most secure option, all the more so if these machines are physically separated from the rest of your LAN. But laying on separate machines purely for Internet access will necessitate both additional office space and additional costs.
Not only that, but it could also harm productivity. When staff need to browse the web, they’ll need to log onto a different machine each time and may also have to wait while someone else is using it.
How to use Citrix as an additional layer between your workstation and external Internet connection.
Each option clearly has its pros and cons, which you can read about in more detail in our comprehensive guide. But if you’re looking for a brief summary on the logistics of the Citrix browsing farm solution then the following are the main points you need to consider.
The challenges of isolating internet browsing from internal core data and apps:
- Establishing a secure browsing farm with optimal user experience, based on XenApp/ XenDesktop
- Browsing farm sizing
- Browsing farm hardening (both browser and server)
- Transparent user experience (retaining cookies, favorites, history etc.)
- Flash blocker for maximum performance and security (not always possible)
- Enabling file downloads and delivery
- Monitoring and optimization of corporate browsing activity
- Enabling anonymous corporate browsing to prevent user information leak
- SSO (Single Sign On) support
- Safe browsing of any website
- Compliance with local regulatory requirements
- Minimal effort required to implement the organization’s browsing policy
- As transparent/easy to use for the end user as possible
Citrix Secure Browsing Solution Brief
To set up a DMZ Citrix Internet browsing farm for browsing outside your corporate network, a number of corporate organizations realized that the ultimate way to defeat malware was to isolate web browsing. Consequently, these organizations built a separate XenApp/XenDesktop environment on their DMZ in order to access the Internet safely.
This way, all external content is executed outside the corporate network so that malicious code can’t run internally. The only traffic entering your network from the DMZ is screen updates, prints or clipboard items. The last two can be disabled or configured to lower the risk of harmful content which may harm internal desktops, cause data breaches of the desktop, internal applications, databases and sensitive data.
By isolating browsing traffic in a Citrix environment in the DMZ, you get the best of both worlds:
- A centralized environment is the easiest to secure and manage.
- Separation: Any malware infection can be contained to the DMZ, where your core business applications are not hosted. Read the full guide.