5

I currently work in a manufacturing company with round about 5000 computers and 6000 employees.

We use a lot of web based line of business applications (all internal, non over the Internet) in order to keep the production running, developed by the internal Applications department. Although from the functional aspect they run quite well, their adoption of new releases of the browser stack is very, very slow.

In order to run the programs, they require Internet Explorer as well as the Java plug in. Any new release of any of these two requires them intense testing. Before they confirm, we can’t roll out anything new.

From the security perspective, the current stack is far too old. Right now, we are allowed to install Internet Explorer 8 as well as Java 1.6 U30 (about 9 months old).

Since neither I nor our CISO were able to change these procedures (they got full support for this from the CEO), we would like to implement a “Green” and a “Red” browser.

The idea is to cut of Internet Explorer and the IE Java plugin from the Internet (using rules on the local firewall, the central firewall and/or the central proxy) and installing Google Chrome. Internet Explorer would then be the “Green” browser for anything internal and Chrome the “Red” one for Internet Access.

As Chrome would be used solely used for Internet Access, updating it with a new version and plug ins wouldn’t need any testing from the Application department. This way, we would always have the newest version with the best protection.

Of course, this would require some extra work from our side (Version checks, deployment jobs etc.) but I think the extra benefit for security would outweigh this extra work.

Would this be considered a good solution, or would we open new security issues with it?

Tex Hex
  • 181
  • 5
  • Not a security issue, but a usability one: Are there any Internet-hosted applications which are needed to support the business? Often times, business applications are written with IE in mind and support for Chrome or others may be buggy. If you limit your users to an alternative browser for Internet access, you may be crippling some of their applications. – Iszi Aug 09 '12 at 17:39
  • Good point. Yes, there are but these are mostly customer portals that work fine in any browser. None of them is used by more than 5-10 people. At least, all portals we know of (we give them higher QoS on the GAN lines) are working fine in Firefox we use for testing so this shouldn't be a problem. – Tex Hex Aug 09 '12 at 17:42
  • I strongly suggest you put those through thorough testing in your alternate browsers. Also, make sure you're considering things like your shipping, banking, payroll, and employee benefits providers. – Iszi Aug 09 '12 at 17:43
  • 2
    As a side note, yes if you develop a small scale business application then you can only really support a finite number of browsers - but only choosing to support a browser which is very closely tied to a specific OS version (as in the case of MSIE) is not a good strategy. – symcbean Aug 10 '12 at 11:30
  • @symcbean: Couldn't agree more, but this department is by far not "small" - 35 engineers, 60 application server, 8 database server ;). – Tex Hex Aug 10 '12 at 17:01

2 Answers2

5

Theoretical security is a world of absolutes, but the world we live in is made of compromise. You have to find a good balance between strong security and usability. Your approach pretty much hits the nail on the head.

What you're essentially doing is separation of duties. You have an insecure browser, which is unsuitable for web browsing, but must be used for a particular business purpose. As such, you're creating a second role (filled by Chrome) and separating the duties they have to perform.

The only suggestion I'd give, if it's possible, is to skip the firewall configuration and just unplug the box from the network entirely.

Polynomial
  • 133,763
  • 43
  • 302
  • 380
  • Thank you! But could please explain what you mean with *unplug the box from the network*? I don't get it right now. – Tex Hex Aug 10 '12 at 08:54
  • If the app doesn't require network resources, disconnect the machine that is running IE from the network completely. – Polynomial Aug 10 '12 at 08:56
  • Ah, I see. Well, this procedure would be applied to all our 5k clients, not just one or two. If the proposal is OK, we will change all out client machines. – Tex Hex Aug 10 '12 at 08:58
  • Sounds good to me. – Polynomial Aug 10 '12 at 08:59
  • If not unplug from the network completely, unplug from the Internet at least - if possible. – Iszi Aug 11 '12 at 04:24
  • Both answers are good, and if possible I would mark both as answer. Since I can't do this, I will mark this question as answer because Polynomial was 6 minutes earlier than @D.W. – Tex Hex Sep 08 '12 at 11:46
2

Yes, I think this is an excellent, pragmatic choice. I like the way you think!

One suggestion: you can make the "green" browser (the IE8 in a VM) a site-specific browser, so it is configured to connect only to your internal site. There are multiple ways to do it, but one way to do it is to set up firewall rules in the VM which prevent any network connection to the outside Internet. (Alternatively, it may also be possible to enforce this by configuring the IE browser in the VM.) I think this is a good idea, because it avoids a risk where users accidentally use the "IE8 in a VM" to browse external web sites.

D.W.
  • 98,860
  • 33
  • 271
  • 588
  • Thanks, good to hear :). But does your answer mean that we can do it right only be forcing IE to a VM? We currently plan to not rollout any VM solution, we would reconfigure the firewall and the IE/Chrom config on all machines that are in use (~ 5,000 of them). – Tex Hex Aug 10 '12 at 09:00
  • @TeXHeX - Ahh, my mistake, sorry! I missed that you were not planning to run IE8 in a VM. Yes, this still seems reasonable to me, assuming you have a way to ensure people don't use the IE8 browser for connecting to external web sites. – D.W. Aug 10 '12 at 15:50