Content filter query... what's the best?

[cajuntank]

I am in charge of a K-12 network for over 1600 nodes. I am looking to replace our outdated, yet still somewhat working, Cisco Content/Cache Engine with Websense 5.X.

I have a Sonicwall 5060 Pro series appliance that will have content filtering (premium package) included, but I don't think this will be as in depth as I want it to be. So I am looking and investigating dedicated appliances that do content filtering & protocol shaping. I'll let my Sonicwall do the IPS, Anti-X, Firewall functions, and maybe content filterng as a failover should this "new" appliance fail.

I have talked to a salesperson and asked about some product and inquired about Barracuda's box. He said it was a good box, but mentioned that I'd be happy with a box from Cymphonix. He said in his opinion it had more functionality and was 50% better than the Barracuda.

I will do a demo of the box, but I would like to know what some other people are using and what they like or dislike about their solution?

TIA

 

[brianinms]

I have seen a Barracuda box in action and seems to work well. However, I am a huge fan of Websense.

 

[cajuntank]

I know Websense is good stuff, I've played with ver.5.x and 6.x...but I need to do something up to date and I don't think we're going to be able to afford the "cadilac" of content filters. I will be looking at the Barracuda box in my decision making...does the "proxy avoidance" work well? Our biggest issues are proxy avoidance (kids always find the best proxy sites to bypass our filtering) for http and https, and radio over the internet.
I'll also be looking at a Blue Coat and St. Bernard iPrism solution as well.
Anyone using any of these appliances?

 

[brianinms]

Yes the barracuda works pretty well with proxy avoidance. Another suggestion and a free one at that is to use OpenDns as your forwarders for your internal DNS. They actually let you have a management account to monitor DNS requests and you can block as well.

 

[vanka25]

We have a Barracuda 310 and it does a pretty good job of web filtering. There are a couple of things to keep in mind though.

1) As of right now there is no https filtering. This means that if the kids get a secure proxy the Cudda will not filter. They are working on a fix though and firmware version 3.3 (currently in beta) does add this functionality. I personally would never run beta firmware on a device that has the ability to cripple all of the company's internet access if it goes down; so I don't know how good of a job it does.

2) If you use terminal services, the Cudda will report all user activity as the first user that logs on. This is because the Cudda keeps track of user logins (not log-offs) and ties the login name to the IP address of the computer. Since it doesn't keep track of log-offs, it doesn't know when a user has changed. I believe they are working on a solution to have all http requests send login information and track users with that. But this too, I believe, is only in the beta firmware.

Over all though we're happy with the device and the control it gives us.

 

[cajuntank]

I have been told about the OpenDNS before, sounds like I need to look into that. Currently I do not have the ability to use them since I am on a network in where my ISP is my state department of education (with there setup, I could only get dns from them, mail from them, etc...). This will change here shortly in about another 2 months and I'll be directly, and free to do whatever I want, to AT&T, without my state department's involvement.

I had mentioned demo'ing the Cymphonix, iPrism, and Blue Coat SG appliances; anyone out there using one of these boxes?

 

[brianinms]

I don't have any experience with the rest. Could I be so bold to ask if you are in MS or LA?

 

[cajuntank]

MS...Lowndes County...
Brian, where are you at in MS?

 

[brianinms]

Hattiesburg. I use to work for BCI and now work for another Cisco Gold Partner.

 

[cajuntank]

We have done a lot of business here lately with BCI on some cabling projects; however, they have been coming out from AL since we're closer to AL than Jackson.

Does your company do a lot with the schools in MS?

 

[brianinms]

Yes, we are completing 4 of the Cisco 21S initiative project schools. Additionally I have worked with others in their transition to AT&T's MPLS due to my extensive experience. Im not here to sell anything but you can send me an email at my username here at gmail.com if you need anything.

 

[cajuntank]

Sounds good. Thanks.

 

[cajuntank]

Just as an update, looks like we'll be going with the Cymphonix appliance. The iPrism only did filtering and I need something to do protocol shaping as well. Getting the iPrism would have necessitated another appliance to do shaping, so $$$$ for both.

The Blue Coat offered additional hardware functionality that I didn't specifically need and was $$$$$.

The Cymphonix offered exactly what I was looking for and seems to be working pretty good right now. We are still doing tweaking, but I don't know of any filter you'll put in and not have to tweak a little to get it set where you need it to be for 1600 nodes. It had a very good price point as well, $$.

Thanks for everyones comments and if there is someone else using a Cymphonix appliance, I'd like to get some further insight/comments on their deployment.