Surf Control Alternatives?

[KFKAS]Death-Speak

Does anybody use a server-side tool to log/limit web access besides Surf Control?

I'm not really happy with our current Surf Control setup and I'm shopping for a cheaper alternative.

DS
 
We use a product called WebSense (http://www.websense.com/). I know it has its quirks, but seems to work well enough (and it integrates with our Cisco Pix firewall). I have no idea how much $$ it is.
 
I've just contacted WebSense about pricing. Do you guys run Websense Enterprise? Do you know what all solutions they offer?

My only real requirement is for it to be a server-side tool (no client installs, no appliances). Other than that, it could be a reporting only tool as well, blocking the websites isn't top priority, but tracking use/abuse is what I'm focusing on.

DS
 
We use Websense as well but it's been a pain keeping it working properly. Be it blocking everyone's access to the internet when it's not supposed to or losing connection with the PDC, there seems to be something wrong with it all the time. Though when it does decide to work, it works pretty nice. :p
 
We've been using Websense Enterprise for almost 2 years now. We don't have any major problems with it, and I suspect if you do have problems then you have a misconfiguration somewhere down the line.

We use the standard Websense Enterprise with the Premium Groups and the Client Policy Manager for remote roaming systems that are not part of our domain. We integrate it with PIX and also with our AD 2k3 domain. We actually just migrated from an NT4 domain to 2k3 and the Websense transition was pretty easy. It was fairly simple to mirror user policies from the NT4 domain over to the users on the 2k3 domain. We also use the Network Agent to collect bandwidth stats, block by protocol, etc.

The only two problems we have are pretty minor. One is that while using the Network Agent, you can see a small delay in browsing. It's about a half a second delay...not major, but the web surfing gurus in the office notice it. The other problem we had was getting remote PIX 501s to forward Websense lookup requests over our VPN tunnels. Once I figured out how to do it, I had to adjust the timeout values for the Websense server and switch the protocol over to UDP. TCP introduced too much latency for Websense to handle and the 501 was reporting the Websense server going into ALLOW mode just about every time it made a lookup request. ALLOW mode is a method of telling the PIX to permit all web traffic since it can't contact the Websense server; there is an opposite mode to deny all traffic until the server comes back online.

A minor annoyance (could be major, depending on your company) is that when using the Network Agent, all your logging data comes from the Network Agent alone. Lookups still work from the PIXen just fine, even if you're doing lookups from a remote network that doesn't have its traffic filtered by a Network Agent. However, when you pull a log of activity you'll only see the traffic the Network Agent sees in those logs. Unfortunately that means in our company, all our remote sites are not getting their traffic logged since we do not have a box running the Network Agent at those locations, and are using split tunneling to allow their web traffic to go out their own Internet connection instead of through the link at the corporate office. The blocking still works fine for those locations, we just can't see any data in the logs. But for us, knowing the blocking is working is enough.

When the PIXen get the ability to route all traffic through a VPN tunnel and back out the interface it came in on, we will most likely disable split-tunneling and pipe their Internet traffic through our WAN link instead of their local link. I never did like using split-tunneling anyways, but those remote locations were never supposed to have Internet access, only VPN access. Internet access was a result of management pushing too many of my buttons and fielding too many complaints.

Hope this post helped you. If I can answer any more questions, just let me know.
 
At my last tech job we used a Sonicwall internet appliance. It was one of the most reliable pieces of equipment we ever bought. They come in all sorts of sizes and configurations. Most can do web-filtering based on keyword, etc. We also subscribed to a database and could choose categories like "Adult" and block everything in that category database. Additionally, if you're ever considering VPN in the future, a lot of their middle and upper products have that feature integrated.
 
I've looked at websense, but it is too pricey for most of my clients. I've been setting up a combination of Squid, Privoxy, and Squint (creates the squid logs in HTML format) on Linux and it has worked really well. It's probably gotten a few people fired so far for looking at too much pr0n on the clock :p
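
An added example, not written by any poster in this thread and not part of Squid or Squint: a small per-client usage report over Squid's native access.log format, the kind of server-side tracking the original question asks about. The log lines are constructed samples, and the function names `host_of` and `summarize` are hypothetical.

```python
from collections import Counter, defaultdict
from urllib.parse import urlsplit

# Constructed sample lines in Squid's native access.log format:
# time elapsed client action/code bytes method URL ident hierarchy/peer type
SAMPLE_LOG = """\
1104537600.123    250 192.168.1.10 TCP_MISS/200 5120 GET http://www.example.com/index.html - DIRECT/192.0.2.10 text/html
1104537601.456     12 192.168.1.10 TCP_HIT/200 2048 GET http://www.example.com/logo.gif - NONE/- image/gif
1104537602.789      3 192.168.1.22 TCP_DENIED/403 1400 GET http://blocked.example.net/ - NONE/- text/html
1104537603.001    900 192.168.1.22 TCP_MISS/200 300000 CONNECT mail.example.org:443 - DIRECT/192.0.2.20 -
this line is truncated
"""

def host_of(method, url):
    """Return the destination host; CONNECT lines carry host:port, not a URL."""
    if method == "CONNECT":
        return url.rsplit(":", 1)[0].lower()
    return (urlsplit(url).hostname or url).lower()

def summarize(log_text):
    """Per-client totals: requests, bytes, denied count, and hits per host."""
    report = defaultdict(lambda: {"requests": 0, "bytes": 0, "denied": 0,
                                  "hosts": Counter()})
    skipped = 0
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 7 or "/" not in fields[3] or not fields[4].isdigit():
            skipped += 1  # malformed or truncated line: count it, keep going
            continue
        client, action, size, method, url = fields[2:7]
        entry = report[client]
        entry["requests"] += 1
        entry["bytes"] += int(size)
        if "DENIED" in action.split("/")[0]:
            entry["denied"] += 1  # request refused by a proxy access rule
        entry["hosts"][host_of(method, url)] += 1
    return dict(report), skipped

if __name__ == "__main__":
    report, skipped = summarize(SAMPLE_LOG)
    for client, e in sorted(report.items()):
        top = ", ".join(f"{h} ({n})" for h, n in e["hosts"].most_common(3))
        print(f"{client}: {e['requests']} req, {e['bytes']} bytes, "
              f"{e['denied']} denied; top: {top}")
    print(f"skipped {skipped} malformed line(s)")
```

For HTTPS traffic the proxy only logs the CONNECT host and port, so the report can name the destination but not the page visited.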
 
Lucis said:
I've looked at websense, but it is too pricey for most of my clients. I've been setting up a combination of Squid, Privoxy, and Squint (creates the squid logs in HTML format) on Linux and it has worked really well. It's probably gotten a few people fired so far for looking at too much pr0n on the clock :p

I use the same combo in an automatically installed version called clark connect.. www.clarkconnect.com and it works wonderfully. It will work well on a low-end system just so long as you use slightly speedy hard drives or load the box up with RAM... I'm running it on a 40g IDE drive at 5400 rpm and it's fine for us...

Lovely and free!
 
We just moved from surfcontrol to websense.

I'll tell ya what... websense gets reallll competitive when displacing their competition. My 3 year renewal came out less than SurfControl's...
 
dekard said:
Lovely and free!

Free for home users... hopefully anyone using it in the business environment is paying the small cost they ask of their user base.
 
I can't wait to use surfcontrol here at work (about 100 users). At another company I worked for, they used websense (about 4k users).
 
I'll have to look into some of the free options. We used to use surfcontrol, but it sucked (it didn't block half the time) and we didn't renew it after a couple of years. I know that my company will not spend the money for websense, but if I could accomplish it in Linux for free, I'm sure they would like that.
 