
An external firewall proxy service?


Ok, this is weird. Until recently I've always had my own firewall, but I'm finding that some of the people I support (think parents) have managed, even with NAT and Windows Firewall, to continue to get infected and reinfected every couple of weeks.

At work I have a $25k firewall to prevent my 500 users from being pwned. My problem is how do I protect this rather wild user with a compulsion to click any flashing button?

I was thinking: perhaps there is someone with, say, a Palo Alto or a SonicWall or an equally awesome and enthusiastic firewall who will rent out SOCKS access to this user on a monthly basis. Or is there another incredibly cheap solution short of taking her machine away? And no, a tablet isn't a solution for her; she has some things that simply must be done on a PC on a monthly basis. I thought about it. I'm still thinking about it, but no...

Any ideas or recommendations? When Google doesn't seem to pop any ideas, it's really surprising.



Firewalls don't prevent machines getting infected; what does is stopping them clicking on malicious links and running or opening software they shouldn't. The only way a firewall would protect them is to have it drop all traffic in and out.

The only way you could outsource a firewall would be to have the router set up a VPN to a server which is then running the firewall; the router forces all traffic to the server and so through the firewall.

I'd say get them a decent AV and spyware app and train them not to click stuff.


User awareness training is only going to go so far, and you can take the Boris approach and tell them "Don't click shit" till you're blue in the face, but it sounds more like you need to segment and secure the LAN, possibly even putting said person (and this might be overkill) in her own VLAN for internet access with proxy access. Using a proxy, you can scan all incoming files, and if the user is forced to connect to the internet through said proxy, you decide what files make it to end users and what you can filter (like .exe's, zips, etc.) before they make it to workstations. At my previous job, we used a combination of VLANs and a Squid proxy to segment departments, and each user had their own internet sign-on. This helped make it easier to control traffic, protected internal departments unrelated to one another and prevented the spreading of infections from one department to others. There are also some filtering things you can put in place, and you can make ban lists of well-known sites you want to keep them off of; since this is work, sites like, say, MySpace and Facebook can be nixed, YouTube, etc.

You should have everything that enters your network, though, scanned before it reaches an end user; same for email servers. Not sure of the software involved to do the work, that's up to your work to decide, but also things like Snort rules, ingress and egress filtering, ACLs and limiting what sites workers can reach help stop infections. If it's BYOD, well, then you're shit out of luck, since they are plugging in something possibly infected from home onto your LAN, or even carrying thumb drives of their fav music, which could have infections on them. We saw a lot of that at work, and IT and Procurement went as far as disabling all USB ports on all workstations for certain departments, such as customer service; they couldn't use their CD drives or USB ports, all disabled or removed, since they worked and booted into a limited desktop with access to a file share and programs only related to their work, such as email and phone call software and Microsoft Office.

9 times out of 10, it comes down to budget constraints and corporate asking you to be inventive in how you keep twats from infecting the network, and they almost never want to invest in dev work to come up with solutions to test, so much of it ends up being put on the IT tech in charge to come up with something out of the norm for a solution.

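As an added example (not code from the thread, nor from Squid), here is the kind of per-download decision the proxy described in the post above makes, written in Python; the URLs, function names and sample responses are constructed for this illustration. It also shows why filtering on the URL extension alone is weak: a renamed executable only gets caught by looking at the Content-Type and the first bytes of the body.

```python
# Added example, not code from the thread: a download filter of the kind the
# Squid-proxy setup above performs, deciding per HTTP response whether a file
# may reach a workstation. It checks the URL extension, the Content-Type, and
# the first bytes of the body (magic numbers), because the extension alone is
# trivially defeated by renaming the file. All sample data is constructed.
from os.path import splitext
from urllib.parse import urlparse

BLOCKED_EXTENSIONS = {".exe", ".scr", ".msi", ".zip"}
BLOCKED_MIME_TYPES = {"application/x-msdownload", "application/x-msi", "application/zip"}
# Magic numbers: "MZ" starts PE executables, "PK\x03\x04" starts ZIP archives.
MAGIC_NUMBERS = {b"MZ": "exe", b"PK\x03\x04": "zip"}


def decide(url, content_type, body_head):
    """Return ("deny", reason) or ("allow", None) for one response.

    body_head is the first few bytes of the response body; a filter that only
    sees the URL cannot make the third check, which is the one that catches a
    renamed executable served with a misleading Content-Type.
    """
    ext = splitext(urlparse(url).path)[1].lower()
    if ext in BLOCKED_EXTENSIONS:
        return "deny", f"extension {ext}"
    mime = content_type.split(";")[0].strip().lower()
    if mime in BLOCKED_MIME_TYPES:
        return "deny", f"content-type {mime}"
    for magic, kind in MAGIC_NUMBERS.items():
        if body_head.startswith(magic):
            return "deny", f"magic bytes ({kind})"
    return "allow", None


# Constructed sample responses: (url, Content-Type header, first body bytes).
SAMPLES = [
    ("http://example.invalid/setup.exe", "application/octet-stream", b"MZ\x90\x00\x03"),
    ("http://example.invalid/report.pdf", "application/pdf", b"%PDF-1.4\n"),
    # Executable renamed to .jpg with a lying Content-Type: only the magic check catches it.
    ("http://example.invalid/photo.jpg", "image/jpeg", b"MZ\x90\x00\x03"),
    # No extension in the URL at all; the Content-Type check catches it.
    ("http://example.invalid/download?id=42", "application/x-msdownload; charset=binary", b"\x00\x00"),
]


def filter_samples(samples=SAMPLES):
    """Map each sample URL to the filter's (verdict, reason) decision."""
    return {url: decide(url, ctype, head) for url, ctype, head in samples}


if __name__ == "__main__":
    for url, (verdict, reason) in filter_samples().items():
        print(f"{verdict:5} {url}" + (f"  ({reason})" if reason else ""))
```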
