Internet Content Filtering

Jay_2

I have a small office network setup with the main DHCP, DNS server also sharing the internet for all 25 users (the internet needs to be restricted from the network users at certain times of the day).

So here is the current setup:

Network Users --- Switch --- Server--- ADSL Router

I can't change the above in this case, as the owner of the business said that he wished to keep the DC as the network share.

Now I need to add in a content filtering solution that blocks the site but also, if possible, creates a report telling me what system requested access to the site (IP will do, need to integrate with the AD).

e.g.

Network Users --- Switch --- Server --- Content Filter --- ADSL Router

Now, if this is possible, what would you suggest?

If the IP report was produced, would it not just tell me that the server IP was requesting the site?

Would it be best to buy a new router with this feature? (If so, what router? I have been looking at a Cisco PIX 501.)
 
Barracuda Networks' Web Content Filter recently got good reviews on scmagazine... you might want to check it out.
 
How about putting in Clark Connect as a replacement for your router. I put one in at a client with approx. 60 users recently. I did it specifically for content filtering purposes & ease of use for the local admin, and my client is very pleased with it.

As for Cisco, PIX is awesome. I am a CCNA and I have PIX deployed in several clients. If you do not have knowledge of Cisco equipment, I'd look elsewhere. It can be a bit overwhelming to a noobie. :)
 
Or a squid proxy.
 
Problem with that is that you will lose the server as the DHCP/DC if you put a router in between the server and network. If you put it in between the server and internet, you would lose the by-client monitoring. He really needs something that runs on his current DC.

You might want to check out:
http://www.surfcontrol.com/Default.aspx?id=396&mid=53
http://www.iss.net/products/Proventia_Web_Filter/product_main_page.html

I have yet to use either, but they look decent and are meant to run on Server 2k/2k3.
 
A router does not have to be a DHCP server. You can still run DHCP off the Windows box, and have a firewall/router only device.

Please don't buy a PIX. If you are going Cisco, at least buy an ASA 5505 for about the same price.

SurfControl is buggy, doesn't work well, and is way overpriced.

If you want Active Directory integration, you should be looking at ISA 2006. It's the only product that integrates with AD. You could then use a third-party add-on to give you content filtering.

The cheapest thing to do would be to implement Squid and DansGuardian on an old machine and use it as a proxy. It may not have all of the features you want, but the price is right.
 
Wow Grentz, there is so much wrong with your statements that I do not even know where to start. :rolleyes: Who said anything about placing a CC box between the network & the server? That would be a real silly thing to do. Go back and re-read what I typed. It would replace his existing router. How exactly do you figure that you lose monitoring with the setup I proposed? I'm doing it right now using that setup.

Surf Control is an utter joke. Way too expensive for what you get...and you don't get much. I'd agree with what MorfiusX said -- entirely too buggy. I've been through 3 different client evals with SurfControl in the last year, and we couldn't use it at any of the sites due to the bugs and poor performance. Perhaps you should actually TRY the product before you recommend something.

Jay_Oasis, if you really demand AD integration, ISA is the only real way to go. From a cost/benefit standpoint (IMHO), ISA is like killing a fly with a sledgehammer for the size of environment you have. If you are using SBS, ISA comes with it, but I do not suggest running your file/print services and ISA on the same box. The CC solution I proposed would give you the requirement that you asked for in your question -- a full report (viewable/printable from a web browser) that shows a listing of the IP addresses in your facility and what web sites were blocked. PM me if you want to see a sample of what this looks like. I'd be happy to send you a screen capture.
 
At my office we use a ClarkConnect box that acts as a proxy/filter (Squid and DansGuardian) and it has worked great for years. I don't believe that it will give you detailed reports or AD integration though (we don't have the need currently).

I have been looking at the filters from Barracuda since I would like to eventually have more control and better reporting options as well. From what I've read and heard they are top notch products.
 
Sorry, early morning read, I thought you meant on the network side. I said I have never used those solutions, just saw they had decent reviews online. I never said I recommended it from personal use.
 
You could take a look at Websense.

The only experience I've had with it was the frustration of getting it to work right on a spanned port off an Alcatel switch. Many headaches on that. *shudder* But that was over 3 years ago and I'm sure newer versions since then

But the company I work for uses it and has it locked down pretty hard. Can't even hit Webmail links. :(
 
Websense is a really powerful filtering option, but the price may be a bit prohibitive for such a small integration. You usually need to renew licenses every year, plus you need a machine to run this on (added cost for all licensing).

Personally I would use some form of IPCop, Clark Connect, etc - and make some DHCP reservations for IPs (to track users better) and use Squid with DansGuardian or some other form of squid content control.

As far as using a PIX, if you are not at all familiar with Cisco CLI, then I wouldn't rush into getting into the PIX/ASA world. As mentioned before, go with the ASA option if you do decide to go this route - many more features for about the same price. The Cisco solution would work well with Websense, since they have an option to send all HTTP/HTTPS traffic to the Websense box, and it integrates with Active Directory really well.

So basically, how big of a budget do you have to work with? That is the biggest question here. If money is not really an object, hit the PIX/ASA and Websense option, they work excellent together (I was the administrator at my last job of that setup, for around 1,500+ users). Otherwise, the Linux solutions mentioned are really powerful for their price, but won't have everything you are looking for.
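
The per-client report asked for at the top of the thread, sketched as an added example that is not from any poster: it reads Squid's native `access.log` format, keeps the requests Squid itself refused (`TCP_DENIED`), and labels each client IP from a DHCP reservation table. The log lines, addresses and workstation names are constructed, and it assumes the proxy sees each workstation's own address rather than a single NAT address.

```python
from collections import Counter, defaultdict
from urllib.parse import urlsplit

# Constructed sample in Squid's native access.log layout:
# time elapsed client action/status bytes method URL ident hierarchy/peer type
SAMPLE_LOG = """\
1161345600.123    12 192.168.1.21 TCP_DENIED/403 1450 GET http://games.example/play - NONE/- text/html
1161345601.456   230 192.168.1.22 TCP_MISS/200 5120 GET http://intranet.example/ - DIRECT/10.0.0.5 text/html
1161345602.789     8 192.168.1.21 TCP_DENIED/403 1450 CONNECT webmail.example:443 - NONE/- -
1161345603.000    10 192.168.1.30 TCP_DENIED/403 1450 GET http://games.example/scores - NONE/- text/html
truncated line
"""

# Hypothetical DHCP reservations (IP -> workstation name), constructed for the example.
RESERVATIONS = {"192.168.1.21": "RECEPTION-PC", "192.168.1.22": "ACCOUNTS-PC"}

def host_of(method, url):
    """CONNECT lines log host:port; every other method logs a full URL."""
    if method == "CONNECT":
        return url.rsplit(":", 1)[0]
    return urlsplit(url).hostname or url

def denied_by_client(log_text, reservations):
    """Return {client label: Counter({blocked host: hits})} for denied requests."""
    report = defaultdict(Counter)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 7:                      # skip truncated or damaged lines
            continue
        client, action, method, url = fields[2], fields[3], fields[5], fields[6]
        if not action.startswith("TCP_DENIED"):
            continue
        label = reservations.get(client, client + " (no reservation)")
        report[label][host_of(method, url)] += 1
    return report

def distinct_clients(log_text):
    """Client IPs seen in the log; a single entry means the proxy only sees one upstream box."""
    return {f[2] for f in map(str.split, log_text.splitlines()) if len(f) >= 7}

if __name__ == "__main__":
    for who, sites in sorted(denied_by_client(SAMPLE_LOG, RESERVATIONS).items()):
        for site, hits in sites.most_common():
            print(f"{who:30} {site:25} {hits}")
```

If `distinct_clients` returns only the server's address, the proxy is sitting behind that server's internet sharing and the report cannot separate workstations.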
 