Help bring me up-to-date on network appliances for filtering

primesuspect Beepin n' Boopin Detroit, MI Icrontian
edited November 2009 in Science & Tech
I have a lead on a job for an old client, and I need to be brought up to date to make sure I recommend the right solution.

This is a network of <20 clients.

They want an internet access appliance such as a WatchGuard Firebox or a Barracuda web filter. Apparently there is a great deal of internet abuse at this company. Here is a bullet list of what they need to be able to do:
  • Filter out all but a specific set of websites to most client workstations
  • Very easily add/delete sites from the filter
  • Track web usage on clients (where did they go)

If you guys have advice and first-hand experience with any particular brand, I'd love to hear it. I don't think I'll have any trouble setting things up, but it's been a few years since I've been in the biz, and I want some more in-the-trenches opinions. Right now all I have to go on is the sales and marketing materials from each manufacturer.

Thanks!

Comments

  • jared College Station, TX Icrontian
    edited October 2009
    I'm interested to see what people recommend because I am going to be setting up something like this for my Dad's biz which is ~16 clients (nothing huge).

    But the internet abuse (myspace!) is getting out of hand!
  • Butters CA Icrontian
    edited October 2009
    SonicWALL NSA series (NSA 240 and up). Unified Threat Management: firewall, gateway AV, anti-spyware, anti-spam, content filtering, etc.

    I considered going with WatchGuard, but the NSA 2400 rocked my sox. SonicWALL support has been awesome. Though most of the UTM features are subscription based, basic functionality still kicks arse.

    I could give better detail with my experiences with the NSA2400 if needed.
  • primesuspect Beepin n' Boopin Detroit, MI Icrontian
    edited October 2009
    I'm pretty sure they're not gonna wanna go with something subscription-based.

    I have experience with Sonicwall stuff, but it's probably outdated. It definitely is rock-solid hardware, but the cost is pretty high.
  • jared College Station, TX Icrontian
    edited October 2009
    Yeah, that's the problem I had: finding a solution suitable for under 50 clients that isn't outrageously priced. :\
  • kryyst Ontario, Canada
    edited October 2009
    You can do all of that with OpenDNS. The free version will more or less get you there but the deluxe version will absolutely do what you want. No need for an appliance for any of that.
  • primesuspect Beepin n' Boopin Detroit, MI Icrontian
    edited October 2009
    Is it easy though? The bossman is not at all computer savvy.

    Also: isn't that just a blanket policy for the whole org though?

    The bossman wants specific computers to have different policies; some all-open, some blocking social networks, some blocking other stuff, etc.
  • Butters CA Icrontian
    edited October 2009
    You can probably pick up a TZ series. I have a TZ-190 at a branch location for VPN. A newer TZ-100 series can be had for around $200. I think it has basic internet content filtering without the yearly subscription for premium (Websense). It might fit the bill.
  • Butters CA Icrontian
    edited October 2009
    OpenDNS looks pretty good. I'm going to try it out.
  • kryyst Ontario, Canada
    edited October 2009
    primesuspect wrote:
    Is it easy though? The bossman is not at all computer savvy.

    Also: isn't that just a blanket policy for the whole org though?

    The bossman wants specific computers to have different policies; some all-open, some blocking social networks, some blocking other stuff, etc.

    First, it's ridiculously easy, and even if you are using other means I'd still suggest putting this in place (just the free version) as a catch-all filter. Their DNS servers are fast, and even their basic ad-filtering and other catch-alls work great.

    If you want more specific policy use then you'd need the deluxe version. I haven't fully delved into it enough to know if you can set up specific per-user policies. But at the very least you can create bypass passwords so users with that password can get through.

    Now depending on how picky your boss is this may not do all that he wants. But depending on how much he's wanting to pay there are sometimes compromises that need to be made.

    One thing is you can literally get the free version of OpenDNS up and running in about 15 minutes, nicely configured with a good blanket policy and tested in about 60 minutes, and that requires no hardware or software investment.

    1) Sign up for an account.
    2) Point your last-step external DNS settings at OpenDNS.
    2a) If you have a static IP, just create the network.
    2b) If you have a dynamic IP, you have to install some software so that OpenDNS gets updated to know which network you are coming from.
    3) Start turning on some rules.
    4) Start testing on various computers.

    It's that easy.
  • Kwitko Sheriff of Banning (Retired) By the thing near the stuff Icrontian
    edited October 2009
    OpenDNS has a pay version that is $5/user/year and allows you to set up different groups. The free version is an all-or-nothing affair.

    We use CensorNet at work. A 25 concurrent user license runs us $880/year. They do have a free open-source version but it's not maintained anymore.
  • primesuspect Beepin n' Boopin Detroit, MI Icrontian
    edited October 2009
    Nothing that requires maintenance: this is a client without an IT staff, and they'll probably never have an IT guy.

    I want something I can set up once and then not worry about again.
  • Kwitko Sheriff of Banning (Retired) By the thing near the stuff Icrontian
    edited October 2009
    I would go with OpenDNS pay version. At least that way they can get the granularity they need with a super-easy interface.
  • kryyst Ontario, Canada
    edited October 2009
    OpenDNS really sounds like what you want. Once you set up OpenDNS you never need to do maintenance on it. The only time you'd need to touch it is if you want to add/change the rules, and that takes all of about 15 minutes of training. It's dead simple. You won't get that kind of ease and flexibility out of any kind of appliance. Furthermore, the thing can't break. You don't have to worry about patches or anything.

    I don't want to say that it's bulletproof or foolproof or anything like that. But it's in the ball park.
  • primesuspect Beepin n' Boopin Detroit, MI Icrontian
    edited October 2009
    You can get a report of where people went?
  • Kwitko Sheriff of Banning (Retired) By the thing near the stuff Icrontian
    edited October 2009
    Well, the problem is that it's on the WAN side, so it's going to report all traffic, not on a per-machine basis. You'll need a program that reads router logs or a LAN side firewall in order to track where people are going. In that case, you can go with the CensorNet open source version. It even integrates with AD.
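    The per-machine reporting Kwitko describes, as an added example that is not part of the thread and not code from CCProxy, CensorNet or OpenDNS: a resolver-side (WAN) filter only ever sees the office's public IP, so "where did this workstation go" has to come from a device that sees the LAN address, such as a LAN-side proxy or firewall log. The access-log format, IPs and hostnames below are constructed for the example (not any vendor's real format); the script parses such a log, skips lines that don't fit the format, and produces an allowed-sites count and a list of refused sites per client.

```python
"""Per-client web usage report built from LAN-side proxy access logs.

Added example, not from the thread. The log format below is constructed
for this example; it is not CCProxy's or CensorNet's real format.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime
from urllib.parse import urlsplit

# Constructed sample: "<ISO timestamp> <client IP> <action> <method> <URL or host:port>"
SAMPLE_LOG = """\
2009-10-27T09:01:12 192.168.1.21 ALLOW GET http://www.cnn.com/
2009-10-27T09:01:15 192.168.1.21 ALLOW GET http://www.cnn.com/2009/WORLD/index.html
2009-10-27T09:02:40 192.168.1.22 DENY GET http://www.facebook.com/home.php
2009-10-27T09:02:44 192.168.1.22 DENY GET http://www.myspace.com/
2009-10-27T09:03:01 192.168.1.22 ALLOW GET http://intranet.example.local/timesheet
2009-10-27T09:05:30 192.168.1.21 DENY CONNECT www.facebook.com:443
this line is garbage and must be skipped
2009-10-27T10:15:00 192.168.1.23 ALLOW GET http://www.weather.com/
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\d{1,3}(?:\.\d{1,3}){3}) "
    r"(?P<action>ALLOW|DENY) (?P<method>[A-Z]+) (?P<target>\S+)$"
)


def target_host(method, target):
    """Extract the hostname: CONNECT targets are host:port, the rest are URLs."""
    if method == "CONNECT":
        return target.rsplit(":", 1)[0].lower()
    return (urlsplit(target).hostname or "").lower()


def parse_log(text):
    """Return one dict per well-formed line; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.fromisoformat(rec["ts"])
        rec["host"] = target_host(rec["method"], rec["target"])
        records.append(rec)
    return records


def usage_by_client(records):
    """client IP -> {host: request count}, counting allowed requests only."""
    report = defaultdict(Counter)
    for r in records:
        if r["action"] == "ALLOW":
            report[r["client"]][r["host"]] += 1
    return {client: dict(counts) for client, counts in report.items()}


def blocked_by_client(records):
    """client IP -> sorted list of distinct hosts the proxy refused."""
    blocked = defaultdict(set)
    for r in records:
        if r["action"] == "DENY":
            blocked[r["client"]].add(r["host"])
    return {client: sorted(hosts) for client, hosts in blocked.items()}


def print_report(text=SAMPLE_LOG):
    """Human-readable version of both reports, one line per client."""
    records = parse_log(text)
    for client, hosts in sorted(usage_by_client(records).items()):
        print(client, "visited:", hosts)
    for client, hosts in sorted(blocked_by_client(records).items()):
        print(client, "was blocked from:", hosts)


if __name__ == "__main__":
    print_report()
```

    The client column is what makes this report possible; an OpenDNS-style query log for the account would show the same lookups attributed to the office's single public IP, which is exactly the limitation Kwitko points out.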
  • QCH Ancient Guru Chicago Area - USA Icrontian
    edited October 2009
    Here's one of the reports on the domains viewed... and then how to block domains.

    [attachment: screenshot of the domains-viewed report]

    [attachment: screenshot of the block-domains screen]
  • primesuspect Beepin n' Boopin Detroit, MI Icrontian
    edited October 2009
    How granular is the blacklist? Can you say:

    Users A, B, and C can go to facebook, but not D or E

    Users A, C, D can go to cnn, but not B or E.

    etc.?
  • Kwitko Sheriff of Banning (Retired) By the thing near the stuff Icrontian
    edited October 2009
    Kwitko wrote:
    Well, the problem is that it's on the WAN side, so it's going to report all traffic, not on a per-machine basis. You'll need a program that reads router logs or a LAN side firewall in order to track where people are going. In that case, you can go with the CensorNet open source version. It even integrates with AD.
  • primesuspect Beepin n' Boopin Detroit, MI Icrontian
    edited October 2009
    So that means building a router, which I'm not doing.

    Which leads me back to:
    op wrote:
    Help bring me up-to-date on network appliances for filtering
  • mtrox Minnesota
    edited November 2009
    I have a client with the same specs. Got tired of seeing Facebook all day and didn't want to buy a SonicWALL. We went with CCProxy. Free proxy server you put on the server.

    Yes, you could control each user. We made three groups. You then assign machines to the group you want by MAC address. The main group can only get to 6 web sites.

    It works great, and once you set it up for him, he can adjust the groups by a txt file that controls each group.

    The only downside is that you have to point each workstation to a proxy server. Savvy users will get around that, so I prevented them from seeing that setting through Group Policy. For the Firefox users I prevented it by... I don't remember, but it can be done. My FF users can't get to the proxy server settings either.
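    The group-by-MAC policy mtrox describes, as an added example that is not part of the thread and not CCProxy's code or its configuration format: a handful of groups, each machine assigned to a group by MAC address, the main group restricted to a short list of sites, and the whole thing driven by small text files the owner can edit. The file layout, MACs and domains below are invented for the example; the `Policy.allowed()` call is the decision a proxy would make once per request.

```python
"""Per-machine web allow-list keyed by MAC address and driven by text files.

Added example, not CCProxy's code or its config format. File formats, MACs
and domains below are made up for illustration.
"""
import re

# Constructed "machines" file: MAC, then group name.  '#' starts a comment.
MACHINES_TXT = """\
00:1a:2b:3c:4d:01   main    # front desk
00-1A-2B-3C-4D-02   sales
001a2b3c4d03        boss
"""

# Constructed per-group files. mode=allow (the default) is an allow-list,
# mode=block is "everything except these", mode=open has no filtering.
GROUP_FILES = {
    "main": "cnn.com\nweather.com\nintranet.example.local\n",
    "sales": "mode=block\nfacebook.com\nmyspace.com\ntwitter.com\n",
    "boss": "mode=open\n",
}

DEFAULT_GROUP = "main"   # a MAC missing from the file gets the strictest group


def norm_mac(mac):
    """Canonicalise 00-1A-2B-.., 001a2b.. and 00:1a:2b:.. to lower-case colon form."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"bad MAC: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def norm_host(host):
    """Lower-case, strip a trailing dot and a :port (IPv6 literals not handled)."""
    return host.lower().rstrip(".").split(":", 1)[0]


def _lines(text):
    """Yield non-empty lines with comments removed."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            yield line


def parse_machines(text):
    """Return {canonical MAC: group name}."""
    table = {}
    for line in _lines(text):
        mac, group = line.split()
        table[norm_mac(mac)] = group
    return table


def parse_group(text):
    """Return (mode, set of domains) for one group file."""
    mode, domains = "allow", set()
    for line in _lines(text):
        if line.startswith("mode="):
            mode = line[len("mode="):].strip()
            if mode not in ("allow", "block", "open"):
                raise ValueError(f"unknown mode {mode!r}")
        else:
            domains.add(norm_host(line))
    return mode, domains


def host_matches(host, domains):
    """True if host is one of the listed domains or a subdomain of one."""
    host = norm_host(host)
    return any(host == d or host.endswith("." + d) for d in domains)


class Policy:
    def __init__(self, machines_txt=MACHINES_TXT, group_files=GROUP_FILES):
        self.machines = parse_machines(machines_txt)
        self.groups = {name: parse_group(txt) for name, txt in group_files.items()}

    def group_for(self, mac):
        return self.machines.get(norm_mac(mac), DEFAULT_GROUP)

    def allowed(self, mac, host):
        """The decision for one request (host from the URL or CONNECT target)."""
        mode, domains = self.groups[self.group_for(mac)]
        if mode == "open":
            return True
        if mode == "block":
            return not host_matches(host, domains)
        return host_matches(host, domains)      # allow-list: default deny


if __name__ == "__main__":
    policy = Policy()
    for mac, host in [("00:1a:2b:3c:4d:01", "www.cnn.com"),
                      ("00:1a:2b:3c:4d:01", "www.facebook.com"),
                      ("00-1A-2B-3C-4D-02", "www.facebook.com:443"),
                      ("001a2b3c4d03", "www.facebook.com"),
                      ("de:ad:be:ef:00:00", "www.weather.com")]:
        print(mac, host, "->", "ALLOW" if policy.allowed(mac, host) else "DENY")
```

    Two details matter in practice. Suffix matching is anchored on a dot, so `cnn.com` admits `www.cnn.com` but not `evilcnn.com`, and an unknown MAC falls into the strictest group rather than getting a free pass. Neither helps if the workstation can reach the internet without the proxy: as the post notes, users will remove the proxy setting, so the router also has to refuse direct outbound web traffic from the LAN and allow it only from the proxy host.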