

margioa
Premium
join:2007-04-06
Nicaragua

1 edit

SMB Content Filter

Good day all,

I need to deploy a CF system (appliance) in a small business network. I was thinking of SonicWall but the smallest unit is over 1K. Any other recommendation?

Thanks

Edit: maybe I can consider ZyXEL?

H_T_R_N
Premium
join:2011-12-06
Valencia, PA
kudos:1
Reviews:
·voip.ms
said by margioa:

Good day all,

I need to deploy a CF system (appliance) in a small business network. I was thinking of SonicWall but the smallest unit is over 1K. Any other recommendation?

Thanks

Edit: maybe I can consider ZyXEL?

Unused box and IPCop. Much less than $1k

HarryH3
Premium
join:2005-02-21
kudos:3
Reviews:
·Suddenlink
reply to margioa
I have a Watchguard XTM-25W set up at a doctor's office. It can be configured to block pretty much anything, but there is an annual subscription fee to keep the Web Blocker, Anti-virus, Spam-Blocker and Intrusion Prevention databases continually updated. You can find them online for around $400 (which includes the first year subscription). The annual sub costs around $300 but you get a discount if you pay for 3 years.

It also does Site-to-site VPN, Mobile VPN, Active Directory integration and a slew of other things.

The staff there was not happy when we blocked access to anything not work related. Now they have to actually work all day instead of reading Facebook, etc.

You can read more here: »www.watchguard.com/products/xtm-···view.asp


XCOM
digitalnUll
Premium
join:2002-06-10
Spring, TX
Reviews:
·ObiVoice
·flowroute
·Comcast
reply to margioa
If you are doing it for a customer I would deploy something you can get support with.
As mentioned, Watchguard is good and ZyXel as well.
Another one to consider is pfsense. While it is open source, you can get premium support.
--
[nUll@dcypher ~]$


Anav
Sarcastic Llama? Naw, Just Acerbic
Premium
join:2001-07-16
Dartmouth, NS
kudos:5
reply to margioa
Just in case you have not looked at using OPEN DNS, they provide a free personal service and a business class service to do what you wish by pointing all traffic to their DNS servers. Check it out before purchasing an appliance.


margioa
Premium
join:2007-04-06
Nicaragua
Reviews:
·deltathree
said by Anav:

Just in case you have not looked at using OPEN DNS, they provide a free personal service and a business class service to do what you wish by pointing all traffic to their DNS servers. Check it out before purchasing an appliance.

Thanks Anav, but with OpenDNS you are not able to block specific devices within your network "directly". Umbrella Insights solutions works with Active Directory and Umbrella Everywhere works with Umbrella Roaming client which has to be installed on all workstations in order to apply specific policy to any device thru this app.


margioa
Premium
join:2007-04-06
Nicaragua
Reviews:
·deltathree
reply to HarryH3
said by HarryH3:

I have a Watchguard XTM-25W set up at a doctor's office.

said by XCOM:

As mentioned, Watchguard is good and ZyXel as well

I agree, both appliances seem good solutions.

Any other members' thoughts, if any?

Thanks


Brano
I hate Vogons
Premium,MVM
join:2002-06-25
Burlington, ON
kudos:11
Reviews:
·TekSavvy DSL
·Bell Fibe
reply to XCOM
said by XCOM:

As mentioned, Watchguard is good and ZyXel as well.

One big difference, Watchguard can content filter HTTPS (encrypted) traffic, ZyXel can not!

If you need CF this is important. Little bit smarter user will try to bypass your HTTP CF by using HTTPS.


XCOM
digitalnUll
Premium
join:2002-06-10
Spring, TX
Reviews:
·ObiVoice
·flowroute
·Comcast
said by Brano:

said by XCOM:

As mentioned, Watchguard is good and ZyXel as well.

One big difference, Watchguard can content filter HTTPS (encrypted) traffic, ZyXel can not!

If you need CF this is important. Little bit smarter user will try to bypass your HTTP CF by using HTTPS.

I am sure both have their differences, pros, and cons. I am not saying one is better than the other, just pointing out that both are good.
--
[nUll@dcypher ~]$

HELLFIRE
Premium
join:2009-11-25
kudos:19
reply to margioa
What kind of budget are you limiting yourself to, and what kind of technical expertise level are you expecting?

Pretty much any appliance on the market today will have a recurring subscription fee, on top of the price of the
hardware itself, to keep the filter up to date -- just the nature of the business as with any other anti-anything
signatures.

Untangle Lite is an option under the free / DIY category, if you need more control you can look into the higher
subscription level packages. Vyatta and Astaro, I think, also fall under these categories.

My 00000010bits

Regards


margioa
Premium
join:2007-04-06
Nicaragua
Reviews:
·deltathree

1 edit
reply to Brano
said by Brano:

One big difference, Watchguard can content filter HTTPS (encrypted) traffic, ZyXel can not!

Yes that is correct. Last time I implemented a ZyXEL edit: ZyWall USG 300 (~ 2 years ago) they had this issue. I thought by now they had improved that. Thanks
--
Efforts and courage are not enough without purpose and direction.


margioa
Premium
join:2007-04-06
Nicaragua
Reviews:
·deltathree

1 edit
reply to HELLFIRE
said by HELLFIRE:

What kind of budget are you limiting yourself to...

Vyatta and Astaro, I think, also fall under these categories...

Max. budget in HW is $ 800.00

Will check Vyatta and Astaro units - thanks

edit: and yes, business is willing to pay the CFS recurring subscription fee.
--
Efforts and courage are not enough without purpose and direction.

breto

join:2013-03-12
Lake Zurich, IL
reply to margioa
DNS Redirector is another option, it updates nightly but there is no subscription fee, you just pay once for the software license and run it locally on your own server. Since it's inside the firewall you can get logs of which client went where, or got blocked where, and provide a password to temporarily unblock the filter (for yourself or VIPs in the company) on just that workstation or device (phone/tablet/etc)


Anav
Sarcastic Llama? Naw, Just Acerbic
Premium
join:2001-07-16
Dartmouth, NS
kudos:5
reply to margioa
Take a look at the new CISCO small business class router it may be a very suitable solution. ISA570
»www.cisco.com/en/US/prod/collate···997.html


margioa
Premium
join:2007-04-06
Nicaragua
Reviews:
·deltathree
reply to breto
breto & Anav

Thanks for your replies.

Based on the budget - I selected Untangle Standard last week. Sonicwall, WG, and Astaro (Sophos) were out of budget.
--
Efforts and courage are not enough without purpose and direction.


mackey
Premium
join:2007-08-20
kudos:13
reply to Brano
said by Brano:

One big difference, Watchguard can content filter HTTPS (encrypted) traffic

Do you know how it performs this MitM attack on HTTPS? Do you need to install a special SSL certificate on every computer?

/M


Anav
Sarcastic Llama? Naw, Just Acerbic
Premium
join:2001-07-16
Dartmouth, NS
kudos:5
reply to margioa
Which Untangle Standard appliance did you buy U10??


Brano
I hate Vogons
Premium,MVM
join:2002-06-25
Burlington, ON
kudos:11
Reviews:
·TekSavvy DSL
·Bell Fibe
reply to mackey
said by mackey:

said by Brano:

One big difference, Watchguard can content filter HTTPS (encrypted) traffic

Do you know how it performs this MitM attack on HTTPS? Do you need to install a special SSL certificate on every computer?

Yes, you need to create (or export from appliance) your own CA cert that you will import into user's browser. That's pretty much the only feasible way to inspect https these days.
»www.watchguard.com/help/docs/wsm···t_c.html

Untangle does it by IP address and SNI only »wiki.untangle.com/index.php/Web_···_Details


margioa
Premium
join:2007-04-06
Nicaragua
Reviews:
·deltathree
reply to Anav
said by Anav:

Which Untangle Standard appliance did you buy U10??

Actually, it was decided to acquire the "software standard package" (10-50 pcs) and use/re-activate an old rack-mount server
--
Efforts and courage are not enough without purpose and direction.

H_T_R_N
Premium
join:2011-12-06
Valencia, PA
kudos:1
Reviews:
·voip.ms
said by margioa:

said by Anav:

Which Untangle Standard appliance did you buy U10??

Actually, it was decided to acquire the "software standard package" (10-50 pcs) and use/re-activate an old rack-mount server

Curious, why not just use something like IPCop or the like? I get the buying something with a warranty and all but if you're reusing old hardware anyway, why spend 800 a year on a software license?