Management Wants Internet Filtering - Options?

rosco (Gawd; joined Jun 22, 2000; 722 messages)
Management first asked me to come up with a solution to enable whitelist only access for 5 or 6 employees. It now looks like that may evolve into whitelist only access for almost the whole company (about 50 users).

I believe that I will be able to let them know how difficult it will be to use a whitelist in this day and age and we'll probably end up with whitelist for those original employees and blacklist for the rest.

What would you recommend for this? We don't have a domain in place and the only server we have is for our LOB application that a third party manages.

I know about Websense but I'm scared to even get a quote for 50 users from them. So, I was thinking about using IPCop with a couple of proxy add-ons.

The last time I used a proxy was several years ago and it worked well but it seemed like a few sites do NOT like being routed through a proxy. Is that still an issue I would run into today?

Thanks in advance for the suggestions.
 
http://www.untangle.com/

You can use the free version, router (or bridge mode if you want it completely transparent). You can whitelist by IP address, and you don't need to use all the UTM features, just set up a small box for web filtering. And by whitelist by IP, I mean the IP of the computer on your LAN; you can just say pass all for this IP, basically.
 
> http://www.untangle.com/
>
> You can use the free version, router (or bridge mode if you want it completely transparent). You can whitelist by IP address, and you don't need to use all the UTM features, just set up a small box for web filtering. And by whitelist by IP, I mean the IP of the computer on your LAN; you can just say pass all for this IP, basically.

I'll 2nd this. Unless you can tell us what you're using for a router / firewall right now? Does it have any sort of content filtering built into it that you could utilize?
 
Multiple avenues to go down here.
Untangle or Astaro for free UTM on whitebox or virtual platforms.
Untangle, Astaro, Microsoft Forefront TMG for paid UTM on whitebox or virtual platforms.
Cymphonix, SonicWall for blackbox UTM.

I like Cymphonix and Forefront because they integrate into AD, so if you have one in place you can make the proxy an in-line proxy, forcing all traffic on the network through it and allowing you to make changes to the user's AD profile to change their level of access.
 
Do you have any budget for this? What's the projected growth of the company, in terms of extra people? Do you have laptops that roam between the internal LAN and cafes/airports/hotels/homes? I would be tempted to suggest using a cloud provider such as Webroot, et al. for this.
 
I just got to thinking: if they want a one-size-fits-all setup, OpenDNS would be an option.
 
Since you don't have AD to integrate into, I would say going with Untangle in bridge mode wouldn't be a bad idea. One of the nice bits about Untangle is that it filters without needing a proxy configured on the workstations, so less work for you to deploy and implement. If you had a domain and AD to work with, then I'd go with something with better AD integration so you could simply add a group or two and filter in that manner.
 
Thanks for all the input.

Can Untangle do a combined whitelist/blacklist setup? What I mean by whitelist is certain computers can ONLY access sites in the whitelist.
 
May want to look into Fortinet Web Filtering as well. You can snag their web filtering service for relatively cheap, depending on what your budget is.
 
Untangle is unable to have a whitelist for some computers and a blacklist for others unless you purchase the Policy Manager.

I'm actually not sure where to setup a whitelist at all in the open source package.

We do not have AD in place at this time.
 
We use Webroot; it's very good, and although it's best with AD, you don't actually need AD for Webroot to work.
 
Untangle for web filtering is really good. You can set up whitelists, I believe, but it's for all computers.
 
> http://www.untangle.com/
>
> You can use the free version, router (or bridge mode if you want it completely transparent). You can whitelist by IP address, and you don't need to use all the UTM features, just set up a small box for web filtering. And by whitelist by IP, I mean the IP of the computer on your LAN; you can just say pass all for this IP, basically.

I'll 3rd this one.


I'll second this one.
 
Another vote for Untangle. Even without the Policy Manager add-on and Directory Connector add-on, you should be able to create rules by IP address.

But for 50 users, it's time to pitch to management that, if they want control of the network and users, it's time to outgrow the home-grade peer-to-peer network and get AD in there.
 
> Another vote for Untangle. Even without the Policy Manager add-on and Directory Connector add-on, you should be able to create rules by IP address.
>
> But for 50 users, it's time to pitch to management that, if they want control of the network and users, it's time to outgrow the home-grade peer-to-peer network and get AD in there.

Yes, I would certainly have AD for an environment over 10-15 users.
 
Squid+DansGuardian.

If set up properly this is an awesome solution; if set up incorrectly this will be a HUGE headache. We just pulled a DansGuardian setup out of a client because it was so FUBAR.
 
Cymphonix Composers are pretty good. I've deployed about 40 of them. PITA to set up the first several times, though. Their support techs are pretty stellar, however. If you end up getting one, I recommend calling support straight off and getting a tutorial on the setup, or having them help you install it. A fantastic feature they have is copper passthrough on the Ethernet. If the device physically fails (even with no power), your traffic will continue to pass through it.
 
If you have a good content filtering solution, you may be able to avoid having to do whitelists. Ask the boss what their true desire is.
 
In past experience, I've used Websense with multiple content filters for different groups and a whitelist filter for another group. It worked very well, but you'll want to deploy it through group policy in an AD setup.

If you've just looked at a couple of retail prices online, don't use that as a good judgement of the actual cost of the software. I negotiated a great deal with our Dell rep which resulted in 3 years of service for a heavily discounted 1-year price.

You might want to look at your AV solution to do some of the whitelisting for the group that requires the most filtering. I've used Trend Micro Worry-Free Business Security to do some pretty basic filtering and I think it works extremely well. Doing a whitelist only web filter might seem a little daunting at first, but it isn't as bad as you think it is...
 
OpenDNS is great if everyone wants to live by the same rules.

Untangle is good if you want something different for each user or certain users and want reports.
 
> If set up properly this is an awesome solution; if set up incorrectly this will be a HUGE headache. We just pulled a DansGuardian setup out of a client because it was so FUBAR.

Not for newbs. Easy way to tell is if they use run level 5 :)
 
Squid+DansGuardian. I've got one box that's been running for a long while with no headaches. It was a pain to initially set up, but once I got past that it works great. I like it because it logs everything: time, IP of machine, requested site, etc. That way we have proof when one of our employees tries to get on onionbooty.com during work hours.
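The combined setup the original poster asked about (whitelist-only for a handful of machines, blacklist for the rest, no AD, selection by client IP) can be expressed directly in Squid's ACLs. This is an added, constructed squid.conf excerpt, not configuration from any post in this thread; the LAN range, the restricted-host range and the list file paths are assumptions.

```conf
# squid.conf excerpt (constructed example, not from any post in this thread)
# Assumptions: LAN is 192.168.1.0/24; the whitelist-only workstations are
# 192.168.1.10 through 192.168.1.15; domain lists live under /etc/squid/.

# Source-address groups: the few restricted PCs vs. everyone else on the LAN
acl restricted_hosts src 192.168.1.10-192.168.1.15
acl lan_hosts        src 192.168.1.0/24

# Destination lists, one domain per line; a leading dot (".example.com")
# also matches subdomains. Both files are assumed to exist.
acl allowed_sites dstdomain "/etc/squid/whitelist.txt"
acl blocked_sites dstdomain "/etc/squid/blacklist.txt"

# Only proxy the usual web ports; refuse CONNECT to anything but 443
acl Safe_ports port 80 443
acl SSL_ports  port 443
acl CONNECT    method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports

# Rules are evaluated top-down; ACLs on one line are ANDed.
# 1) Restricted PCs: whitelist-only. Allow the listed sites, then deny
#    everything else from those hosts before any later rule can permit it.
http_access allow restricted_hosts allowed_sites
http_access deny  restricted_hosts

# 2) Everyone else on the LAN: blacklist. Deny the listed sites, allow the rest.
http_access deny  lan_hosts blocked_sites
http_access allow lan_hosts

# Default deny: anything not from the LAN, or not matched above, is refused
http_access deny all

# Per-request log (timestamp, client IP, URL, ...) for the audit trail the
# post above describes
access_log /var/log/squid/access.log squid
```

Because the restricted hosts hit an explicit deny before the LAN-wide allow, a typo in the blacklist cannot accidentally widen their access; for HTTPS the dstdomain match is made against the hostname in the CONNECT request, so the lists cover both plain and TLS sites.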
 
My advice on the matter is to go with a paid service. All open source and free options might work well, but in any company, if it screws up it is your ass on the line first and then the software; with a paid package or appliance, not so much. AND they do the work for you: research threats and how to counter them, and well, the support is just nice to fall back on.

That said, I have few experiences, but I am personally happy with Cisco IronPort running cross-site for about 5k users. We used to have Websense and it gave me a major headache when it came to support or wanting something a little different than their advertised solution. Astaro is right there with Untangle for me; had it in a lab but have next to no informed opinion.
 