
Firewall advice?


Novexx (Technical User), Nov 8, 2003
We have recently had our peer-to-peer network moved onto a Windows Server 2003, and in my misconception I understood that I would be able to monitor and block, if required, users' internet activity.
I now understand that Server 2003 is not capable of this and have been advised that the best solution is a managed hardware firewall.
If this is the case, what sort of solution would I require to monitor/log users internet activity & block as required?

My reason for wanting this ability is to try & curb idle web surfing in company time & to avoid putting our network in a vulnerable position because users are viewing not so clever/safe nonsense on the web.

Thanks in advance.
 
Well, if you are trying to do it on the cheap I would look at this:




RoadKi11

"This apparent fear reaction is typical, rather than try to solve technical problems technically, policy solutions are often chosen." - Fred Cohen
 
The Smoothwall firewall is a linux distro that loads on an old PC with 2 nics and makes a very good firewall and also provides proxy services. Web based gui so you don't need to know anything about linux. Very Easy and Effective. And free.

From what I've seen a plain firewall doesn't log activity. Sounds like you need a proxy for more control and easier filtering.


--
The stagehand's axiom: "Never lift what you can drag, never drag what you can roll, never roll what you can leave."
 
To be honest, I would prefer some sort of hardware with a Windows interface, something that can be plugged between switch and router, out of sight and managed from anywhere on the network with the correct access.

I could no doubt dig up an old PC and fit a couple of gigabit NICs. My doubts here are that I know nothing about Linux, I don't want a bottleneck (?), and I don't want the possibility of the "old PC" failing and stopping all non-local network traffic.

Any ideas?
 
I'd second the idea of Smoothwall despite your doubts that you know nothing about Linux. I knew very little about Linux when I first used Smoothwall, but you don't really need to anyway; it's all administered via a web GUI. Very easy to set up and maintain. If you don't want to run it on an old PC then use a new/newer one.

Or if you have money you could use Microsoft's ISA product.

Paul
MCSE 2003
MCSA 2003
MCITP Enterprise Administrator

If there are no stupid questions, then what kind of questions do stupid people ask? Do they get smart just in time to ask questions?
Scott Adams
 
"I would prefer some sort of hardware with a Windows interface, something that can be plugged between switch and router, out of sight and managed from anywhere on the network with the correct access."

I've had excellent results with WatchGuard. They have a variety of products to match your budget/needs. Most have a web interface. We use a Firebox that allows us to have an internal network and a public network for our visitors. It also allows us to set up a VPN, too.



James P. Cottingham
-----------------------------------------
I'm number 1,229!
 
We use the FortiGate-60B by Fortinet. It includes network level and content level security as needed, including: firewall, IPSec and SSL VPN, intrusion prevention, antivirus, web filtering, and antispam. It has a web interface. We've used the FortiGate-60 series for 6 years now and have never had any problems.

Cheers.
 
I have to agree with the SmoothWall option. I run multiple ones at home, at work, friends' houses, business networks and so on. Like they stated earlier, you can run it on basically whatever hardware you want. I generally stick with Mini ATX motherboards from the PIII era. They are generally found in many HP or Compaq systems (the ASUS TUW-LA being an example of a perfect motherboard), you can get them on eBay very cheaply, and you have a vast array of cases you can install it in.
You also have the option of buying used Nokia firewalls that already have the hardware needed and are in many cases rack mountable. And no prior Linux knowledge is necessary.
 
Thank you all for your replies, it will take a bit of looking around & a better understanding of this stuff before I do anything on this - cheers.

Is there anywhere on the web that you would advise I look for some sort of "beginner's guide" to Server 2003? The server is installed, up and running, thanks to our local IT company, but I would really like to become more familiar and confident with the basics myself. I am still having some trouble getting my head out of the peer-to-peer way of thinking; any suggestions welcome.

Thanks all.
 
Just go to your local Barnes & Noble or Books-A-Million and they will have plenty of books that will provide you with a basic understanding and more of Server 2003 and networking.
 
A beginner's guide will not do you much good; it is like saying "I need a beginner's guide to brain surgery".

Bit daunting even as you pick up the book, but Mark Minasi's Mastering Windows Server 2003 by Sybex is fairly easy to understand and deals with real-world server info, unlike Microsoft Press books or the clones thereof. You will find beginner's guides, but they are not in depth enough to get you out of trouble.


........................................
Chernobyl disaster..a must see pictorial
 
I would advise you to do the same. However, don't purchase anything from Microsoft Press, since those publications are very brief and poorly written. I don't have a book in particular in mind, but spend a few hours in the store reading through a few to see what suits you best.

Furthermore, you expressed that you want control over users' internet activities. Again, SmoothWall is very good at that if you install a DansGuardian addon. You will however need to know how to edit files with vi or vim, so this might not be an option for you. This is however what I run for the network I manage at work and it works incredibly well.

Another option however that is all point-and-click would be Untangle. This is a self contained Linux OS with a large collection of Open Source software (and again, no Linux knowledge required) that you run on a designated machine that you have collecting dust somewhere. I have not used it since I use SmoothWall/Dansguardian, but it sure looks very slick. It is absolutely worth looking into.
 
Hi zaccaz,

We have 20 - 23 users on 20 clients and host our own mail server.

You can set various alert levels and can have the alerts and logs generated to a .csv file and emailed to you. You can also create different profiles - per client or server - to restrict or allow Internet access. For example, I had to create a profile for two clients to permit access to eBay bidding because eBay requires a .dll file to be dropped on the client in order to bid and I had all .dll files blocked.

You can block different file extensions for email, Internet, etc.

We don't use the antispam filter as we already had XWall installed when we got the Fortigate and XWall was/is much more robust.

Cheers.
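As an added illustration, not code from this thread or from any vendor product: a small Python model of the per-client profile logic described in the post above (a default profile that blocks .dll downloads, an exception profile for the two eBay bidders, and decisions written out as CSV rows like the emailed logs). Client addresses, profile names and URLs are constructed for the example.

```python
import csv
import io
from urllib.parse import urlparse

# Constructed profiles: each blocks a set of file extensions and may name
# hosts for which the extension block is lifted (the eBay bidding case).
PROFILES = {
    "default": {"blocked_ext": {".dll", ".exe", ".scr"}, "host_exceptions": set()},
    "ebay-bidders": {"blocked_ext": {".dll", ".exe", ".scr"}, "host_exceptions": {"ebay.com"}},
}
# Constructed client-to-profile mapping (documentation-range addresses).
CLIENT_PROFILE = {"192.0.2.10": "ebay-bidders", "192.0.2.11": "ebay-bidders"}


def host_matches(host, allowed):
    """True if host equals an allowed domain or is a subdomain of it.
    Comparing on a dot boundary stops 'notebay.com' matching 'ebay.com'."""
    host = host.lower()
    return any(host == a or host.endswith("." + a) for a in allowed)


def decide(client_ip, url):
    """Return (action, profile, extension) for one request.
    Unknown clients fall back to the default (most restrictive) profile."""
    profile_name = CLIENT_PROFILE.get(client_ip, "default")
    prof = PROFILES[profile_name]
    parsed = urlparse(url)
    # Extension is taken from the path only, so a query string such as
    # ?name=a.txt cannot disguise a .dll download; case is normalised.
    filename = parsed.path.rsplit("/", 1)[-1].lower()
    ext = filename[filename.rfind("."):] if "." in filename else ""
    blocked = ext in prof["blocked_ext"]
    excepted = host_matches(parsed.hostname or "", prof["host_exceptions"])
    if blocked and not excepted:
        return "BLOCK", profile_name, ext
    return "ALLOW", profile_name, ext


def log_decisions(requests):
    """Evaluate (client_ip, url) pairs and return CSV text, one row each,
    in the shape an admin might have mailed to themselves for review."""
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(["client", "profile", "action", "ext", "url"])
    for client_ip, url in requests:
        action, profile_name, ext = decide(client_ip, url)
        writer.writerow([client_ip, profile_name, action, ext, url])
    return buf.getvalue()
```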
 