Simplest Administration, Inexpensive UTM With Content Filtering (including HTTPS)

ElectroPulse

Hello all,

I volunteered at a school system in another country for a couple of years, and have periodically been providing support for them over the past two and a half years whenever something comes up that stumps them.

When I was there, I set up a (in my opinion) pretty great network (given the resources I had to work with). The problem now is that given that the positions there are pretty much volunteer-only (with a small stipend for survival), they are unable to get anyone in there with any kind of IT background/knowledge to support it ("what's a VLAN?" is a question I've gotten from the past couple of guys). I'm looking to try to simplify things at this point.

My initial thought is maybe to go with a Ubiquiti Security Gateway, a Ubiquiti switch, and a cloud key (since they're running Ubiquiti APs anyway). From what I recall of seeing the controller a few years back, it was a pretty simple setup. However, there is no content filtering (they've got a dorm full of students that access the internet there as well). I got pfSense set up with Squid to run a MitM type of thing that would filter HTTPS traffic, and it seemed to work pretty well. However, pfSense is a little overwhelming and easy to mess up for someone that doesn't have much of an IT background.

What would you suggest for a reliable, super-easy management system that either has a very low monthly cost (very, very low - when I was there, I practically had to write a paper on the benefits of purchasing X device that cost only $20 in order to get them to purchase it - it was pretty insane at times), or no subscription cost (so Untangle is out I believe - sounds like they don't have much in the way of free content filtering).

Thanks!
 
Sounds like your team can't afford a firewall-based content filtering system. I would recommend Meraki if your WAN and VPN side of things is simple, but it would be outside your price range, I'd imagine.
Have you considered instead using OpenDNS? It should be a reasonable subscription, and you can define domain-based content filters. You just need to have DHCP point clients at the OpenDNS servers (or DNS forwarders), and set some firewall rules to disallow other DNS servers.
 
OpenDNS would be great - I looked into it initially when I was working there, with the idea of blocking port 53 directed toward WAN. Seemed like it would be really easy to set up/manage (and a helluva lot easier than Squid ended up being). However, the pricing seemed too high at the time, and it wouldn't have allowed for different user groups and schedules within those user groups (if I recall correctly at least). The principal wants to be able to block Facebook campus-wide (with one or two computers whitelisted as it's the primary form of communication with potential hires) during school hours. I'll look a little into it later and see if they have any kind of non-profit pricing, and any kind of schedules/user groups possible.
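The policy described above (block a domain campus-wide during school hours, with one or two machines whitelisted) is what a DNS-layer filter has to decide for every query it receives. The following is an added example, not code from the thread or from OpenDNS: a small decision function with a label-aligned domain match, a school-hours schedule and a client allowlist. The blocked zone, the client addresses and the schedule are placeholder values chosen for the example.

```python
"""Added example (not from the thread): a DNS-layer school-hours filter.

Models what a DNS-based content filter decides for each query: block a
domain (and its subdomains) campus-wide during school hours, except for a
short allowlist of client addresses, and allow everything else.  All
names, addresses and times below are made up for the example.
"""
from datetime import datetime, time
from ipaddress import ip_address, ip_network

# Assumed policy values (placeholders, not from the thread).
BLOCKED_ZONES = ("facebook.com",)                    # blocked with all subdomains
ALLOWLISTED_CLIENTS = [ip_network("10.0.5.10/32"),   # hypothetical office PC
                       ip_network("10.0.5.11/32")]   # hypothetical recruiting PC
SCHOOL_DAYS = range(0, 5)                            # Monday..Friday
SCHOOL_START, SCHOOL_END = time(8, 0), time(15, 30)  # assumed school hours


def normalize(qname: str) -> str:
    """Lower-case and strip the trailing dot that DNS query names carry."""
    return qname.rstrip(".").lower()


def in_zone(qname: str, zone: str) -> bool:
    """True if qname is zone itself or a subdomain of zone.

    The match is label-aligned: 'notfacebook.com' and
    'facebook.com.evil.example' must not match 'facebook.com', which a plain
    endswith() on the raw string would get wrong.
    """
    q, z = normalize(qname), normalize(zone)
    return q == z or q.endswith("." + z)


def during_school_hours(now: datetime) -> bool:
    """Schedule check in the school's local time (naive datetime)."""
    return now.weekday() in SCHOOL_DAYS and SCHOOL_START <= now.time() < SCHOOL_END


def is_allowlisted(client_ip: str) -> bool:
    addr = ip_address(client_ip)
    return any(addr in net for net in ALLOWLISTED_CLIENTS)


def decide(client_ip: str, qname: str, now) -> str:
    """Return 'allow' or 'block' for one DNS query.

    `now` may be a datetime or an ISO-8601 string.  The query is blocked only
    when all three hold: the name is in a blocked zone, it is school hours,
    and the client is not on the allowlist.
    """
    if isinstance(now, str):
        now = datetime.fromisoformat(now)
    if not any(in_zone(qname, z) for z in BLOCKED_ZONES):
        return "allow"
    if not during_school_hours(now):
        return "allow"
    if is_allowlisted(client_ip):
        return "allow"
    return "block"


if __name__ == "__main__":
    school_time = "2024-03-05T10:00"   # a Tuesday at 10:00 (constructed)
    evening = "2024-03-05T19:00"
    for ip, name, when in [
        ("10.0.20.77", "www.facebook.com.", school_time),
        ("10.0.5.10", "www.facebook.com.", school_time),
        ("10.0.20.77", "www.facebook.com.", evening),
        ("10.0.20.77", "notfacebook.com.", school_time),
        ("10.0.20.77", "facebook.com.evil.example.", school_time),
    ]:
        print(f"{ip:12} {name:28} {when} -> {decide(ip, name, when)}")
```

In a real resolver a "block" result becomes an NXDOMAIN or a sinkhole address rather than the real answer, and the decision is only as good as the enforcement around it: clients must actually be handed this resolver by DHCP and the firewall must drop DNS to anything else, which is the same point the OpenDNS suggestion above makes. The label-aligned match in `in_zone` is the detail worth copying; a filter that only checks `endswith("facebook.com")` blocks `notfacebook.com` and lets `facebook.com.evil.example` through.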
 
In that case, Meraki is the easiest option and a reasonable price. It's priced for small business, but it's not a cheap solution. They have list pricing on their website, and for a non-profit there will be deep discounts, though.

Going outside of that, you will likely need to homebrew up a solution
 
Meraki is great if you can afford the yearly service payment. You can't avoid it - without it, Meraki will not work.
And it's not that cheap, unfortunately..

I personally use Untangle, but for HTTPS you'd have to have the paid version.
 
Meraki is good. I'd suggest either that or a Fortinet solution: firewall, APs and switches. Given the environment and the situation, I would go with a single-vendor solution regardless, as it will be easier to support long term. Even though it pains me to say it, I would also suggest not doing MitM unless you have local support that can troubleshoot any issues that may arise, and they will arise. I've implemented MitM on just about every enterprise firewall platform there is, and there are always issues. I would also ask: without competent local support, who is going to install and maintain the local certs? You will be much happier with a no-decryption-required solution.
 
Meraki is good. I'd suggest either that or a Fortinet solution: firewall, APs and switches. Given the environment and the situation, I would go with a single-vendor solution regardless, as it will be easier to support long term. Even though it pains me to say it, I would also suggest not doing MitM unless you have local support that can troubleshoot any issues that may arise, and they will arise. I've implemented MitM on just about every enterprise firewall platform there is, and there are always issues. I would also ask: without competent local support, who is going to install and maintain the local certs? You will be much happier with a no-decryption-required solution.

If this were US K-12 schools, filtering HTTPS traffic is basically a necessity these days. At the very least, implement something that supports SNI - HTTPS web searches for pornography and other web content can put the school in legal battles and other PR snafus.
 
I've been very happy with the Check Point 600 and now 700 series devices here at our businesses. The annual subscription updates I've been getting for about $150 per year (this does NOT include support and firmware updates). The 600 series are a bit older and slower. The new 700 series is a lot faster when using the GUI. Checkfirewalls also has a pretty darn good deal going right now on the 700 series where you get 3 years of support and updates included. The specific model will depend on the number of users behind it, though. The 700 series are small business models intended for fewer than 100 users. https://www.checkpoint.com/products/700-security-appliances/

Once you start getting into devices with all of these capabilities for larger numbers of users, you are really getting into the thousands of dollars to start and nearly as much in annual costs to keep them updated.

I had some issues with the Meraki (Cisco) devices a few years back. I've heard a lot of good things about Fortinet too, but when I looked, a comparable Fortinet solution was going to cost significantly more. I've had 3 of the Check Point 640 (with wireless) models for a few years and they have been very good. Actually just recently upgraded one to the 730 and like it a lot too. The built-in wireless (you can get them with or without) is convenient and works great too. You can configure up to 4 separate wireless networks with different restrictions. The older 600 series was piss poor with HTTPS, but the new 700 deals with that very well.

Any commercial solution like these is going to have a cost that is considerably more than any do-it-yourself solution, though. There are advantages, though - full support for one, and everything is integrated to work perfectly together right out of the box. Is there configuration needed? Yes, and there are far, far more options than a typical home-user firewall is going to give you. No matter what you get, advanced configurations like routing between subnets, different levels of permissions for different users, VPN configurations, etc. are never going to be as simple as plugging in and configuring a home-user Linksys router/firewall.
 
If this were US K-12 schools, filtering HTTPS traffic is basically a necessity these days. At the very least, implement something that supports SNI - HTTPS web searches for pornography and other web content can put the school in legal battles and other PR snafus.

No argument from me, but without technical staff to support the issues that will arise, or even to administer/distribute the local CA cert, best of luck with that plan.

The school has to decide if this is a priority, and if so, staff and build accordingly; if not, just get some PoS consumer firewall from Best Buy and call it a day. Anything in between will be security theater that costs more and leaves them just as open as the consumer firewall would. This inability to set a priority is the primary reason I got out of consulting and went back to enterprise security.

BTW, the Checkpoint devices are great if all you need is a single AP and you are okay with potentially leaving your firewall in an unsecured area to get better coverage. If either of those is not an option (and I can't imagine they would be in a school), then you would need to look elsewhere.

Let me add, in case it sounds like I'm being hard on CP: I am not. CP is what I cut my teeth on. I have a 2200 with upgraded RAM running at home alongside a Fortigate not 8 feet to my left. I do think CP needs to up their game when it comes to wireless, but aside from that I have few complaints.
 
On the Checkpoint you can always get the same models without the built-in APs. It's just a convenience to have everything in one interface for smaller deployments.

Aside from that, many schools also use software from Faronics. Usually Deep Freeze, but that only restores a machine. On our ambulance service machines we use WinSelect from Faronics to pretty much lock the machines down. Rather than disallow all sketchy websites using URL filtering, on those machines we just disallow ALL except a list of literally 4 websites that the employees are allowed to access from a company computer. That pretty much solves 95% of the problems. Yeah, I'm a network nazi, but I got tired of constantly fixing those machines, and on the ambulance service side of things there are also very strict HIPAA regulations, and by locking things down to the extreme we mitigate nearly everything right off the bat. :)

Personally, and I'm certain others would argue otherwise, I think there is zero need for internet access on classroom computers. Anything related to classwork that "might" be on the internet... just restrict the computers to the local network, done. I know, I know..... that is not the way anymore. Odds are half the stuff the schools need the computers for is content that the school cannot host or have locally - all cloud based, I'm sure. Everything everywhere that has any sort of CPU must be connected to the interwebs at all times!
 
If the list to block is fairly small, a decent firewall appliance should do the trick for things like no Facebook. Be aware that if the goal is to also block porn, you will quickly run into the mess of science/medical sites being blocked because they mention/have pictures of breasts, penises, balls, etc. Your workload could well become far more than you or they would like. (I was a Websense admin for an Environmental Regulatory agency. It's really amazing how many chemicals adversely impact sexual function or organs, and the number of websites that had to be exempted from the porn filters.)

You also need to talk them into creating a Computer Use Policy that outlines things like:
1. All computers are property of the school/district and are subject to examination at any time without notification.
2. List of improper uses, for example: porn, personal business, gambling etc.
3. Does the district allow use of USB flash drives?

Without a policy in place, even if you catch someone browsing porn during working hours on a school computer, taking legal/job action against them can be iffy at best.
 
Dead Parrot - Even a basic firewall appliance can't just simply block Facebook. Facebook is HTTP over SSL; the appliance will at least need to support SNI for HTTPS URL filtering.
 
Dead Parrot - Even a basic firewall appliance can't just simply block Facebook. Facebook is HTTP over SSL; the appliance will at least need to support SNI for HTTPS URL filtering.

Pretty sure if the goal is to allow Facebook or not, a simple outbound rule:
source - any, destination - facebook.com, service - any, action - deny would work. If the basic "I want to start the login process" packet never gets to Facebook, no SSL session happens. Now if the goal is to limit certain types of Facebook activity on a logged-in account, then yes, you need a device that can do inspection of encrypted packets.
 
Unless you're inspecting Facebook traffic as an application, it's not that simple. If your firewall isn't intercepting or looking for HTTPS traffic, it can't block your destination of Facebook.com (I'm not talking about decrypting the SSL traffic - if you aren't decrypting SSL, you still need to be able to see the hostname of facebook.com, which requires SNI). I'm saying this from the aspect of you suggesting it can be done on a basic firewall, which wasn't necessarily defined. Not trying to be nitpicky, but making sure we both understand, to help OP.
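The point argued in the last few posts (that a filter which does not decrypt TLS can still see which site a client is asking for, because the hostname sits in clear text in the ClientHello's server_name extension) is easy to verify on the wire. The following is an added example, not code from the thread or from any of the products mentioned: it constructs a minimal TLS ClientHello for a made-up client and parses the SNI back out the way an SNI-aware filter would, then matches it against a blocked zone. The hostnames and the single placeholder cipher suite are sample data for the example.

```python
"""Added example (not from the thread): reading the requested hostname out
of a TLS ClientHello without decrypting anything.

A filter that only sees IP addresses and ports cannot tell one HTTPS site
from another on a shared address, but the ClientHello carries the hostname
in clear text in the server_name (SNI) extension.  build_client_hello()
produces constructed sample input; extract_sni() is the parser.
"""
import os
import struct

TLS_HANDSHAKE = 0x16      # record content type
CLIENT_HELLO = 0x01       # handshake message type
EXT_SERVER_NAME = 0x0000  # SNI extension type


def build_client_hello(hostname: str) -> bytes:
    """Construct a TLS 1.2-style ClientHello record carrying one SNI entry.

    Only the framing the parser walks is realistic; the cipher suite list is a
    single placeholder.  This is constructed sample input, not a TLS client.
    """
    name = hostname.encode("ascii")
    server_name_list = b"\x00" + struct.pack("!H", len(name)) + name   # type 0 = host_name
    sni_data = struct.pack("!H", len(server_name_list)) + server_name_list
    extensions = struct.pack("!HH", EXT_SERVER_NAME, len(sni_data)) + sni_data

    body = b"\x03\x03"                             # client_version: TLS 1.2
    body += os.urandom(32)                         # random
    body += b"\x00"                                # empty session_id
    body += struct.pack("!H", 2) + b"\x13\x01"     # one placeholder cipher suite
    body += b"\x01\x00"                            # one compression method: null
    body += struct.pack("!H", len(extensions)) + extensions

    handshake = bytes([CLIENT_HELLO]) + struct.pack("!I", len(body))[1:] + body
    return struct.pack("!BHH", TLS_HANDSHAKE, 0x0301, len(handshake)) + handshake


def extract_sni(record: bytes):
    """Return the SNI host_name from a TLS ClientHello record, or None.

    Walks the fixed fields, then the variable-length vectors, then the
    extension list.  Every length is bounds-checked, so a truncated or
    malformed record yields None instead of raising.
    """
    try:
        content_type, _version, rec_len = struct.unpack("!BHH", record[:5])
        if content_type != TLS_HANDSHAKE or len(record) < 5 + rec_len:
            return None
        hs = record[5:5 + rec_len]
        if hs[0] != CLIENT_HELLO:
            return None
        pos = 4 + 2 + 32                               # handshake hdr, version, random
        pos += 1 + hs[pos]                             # session_id
        cs_len, = struct.unpack("!H", hs[pos:pos + 2]); pos += 2 + cs_len
        pos += 1 + hs[pos]                             # compression methods
        if pos >= len(hs):
            return None                                # no extensions present
        ext_total, = struct.unpack("!H", hs[pos:pos + 2]); pos += 2
        end = pos + ext_total
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack("!HH", hs[pos:pos + 4]); pos += 4
            data = hs[pos:pos + ext_len]; pos += ext_len
            if ext_type != EXT_SERVER_NAME:
                continue
            list_len, = struct.unpack("!H", data[:2])
            p = 2
            while p + 3 <= 2 + list_len:
                name_type = data[p]
                name_len, = struct.unpack("!H", data[p + 1:p + 3]); p += 3
                if name_type == 0:                     # host_name
                    return data[p:p + name_len].decode("ascii")
                p += name_len
        return None
    except (struct.error, IndexError, UnicodeDecodeError):
        return None


def blocked_by_sni(record: bytes, blocked_zone: str = "facebook.com") -> bool:
    """True if the ClientHello names blocked_zone or a subdomain of it."""
    host = extract_sni(record)
    if host is None:
        return False       # no SNI: an SNI-only filter cannot classify this flow
    host = host.lower().rstrip(".")
    return host == blocked_zone or host.endswith("." + blocked_zone)


if __name__ == "__main__":
    for h in ("www.facebook.com", "notfacebook.com", "example.org"):
        rec = build_client_hello(h)
        print(f"{h:20} sni={extract_sni(rec)!r:22} blocked={blocked_by_sni(rec)}")
```

This is exactly what "supports SNI" buys you in the posts above: the filter learns the hostname (enough to block a whole site) but not the URL path or anything inside the session, and it makes its decision on the client's first packet, before any certificate is exchanged. Two caveats a practitioner should keep in mind: the SNI value is whatever the client chose to send, and a ClientHello with no SNI at all (or a non-TLS flow on 443) gives an SNI-only filter nothing to match, so the default for that case has to be a deliberate policy decision rather than an accident.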
 
If you have fewer than 50 devices, Sophos has a free UTM solution. Otherwise, you're going to have to pay to play when it comes to content and application filtering. Checkpoint, Juniper, Sonicwall, Cisco Firepower, Meraki, Sophos, Fortigate, Palo Alto, and Untangle firewalls all require subscriptions of at least a few hundred dollars annually.
 
In the pay-to-play route, I'm going to throw WatchGuard into the mix, since that is what I have been mainly dealing with the past two years at work, both configuring and troubleshooting.

Their Application Control solution is pretty good, and the list of applications you can block is pretty large. Same with WebBlocker, which can use either WebSense (which is now Forcepoint/Raytheon) or another provider which escapes me at this time. Their prices are also not outrageous, especially for the throughput available on the models, and they have released a new product stack very recently, so their hardware isn't outdated. YouTube for Schools is also integrated (provided you have the account for it). If a lot of throughput isn't required, you can get their little T35 or T15 for not too much money.

You'd be looking at around:

WatchGuard Firebox T35 with 3-yr Basic Security Suite (WW) $1,505
WatchGuard Firebox T35 with 1-yr Basic Security Suite (WW) $945

WatchGuard Firebox T15 with 3-yr Basic Security Suite (WW) $730
WatchGuard Firebox T15 with 1-yr Basic Security Suite (WW) $460

from an authorized seller. Add ~$300 for the Wireless model.
 
If you want the lowest maintenance, OpenDNS. You don't have to put a certificate on every system, nor worry about it ever. You can build groups, but it is a PITA. It would be easier to build allow groups for the couple of people, or bypass codes.

Now, you probably still want a firewall. It's the blocking of HTTPS traffic that's the challenge and will cause headaches if there aren't any people to support it. OpenDNS all the way for that.
 
Easy-to-implement content filtering system.... It has to be WebTitan, IMO. It essentially offers the same as OpenDNS, but it is a lot cheaper. It's certainly worth a look.
 