
Firewall Suggestions?


TechCarnivore (Technical User), Apr 13, 2006
Hi Gang,
I would like a few suggestions as security isn't really my focus, though that's going to change...

I have around 150 PCs on our LAN running over a 6MB DSL connection. Being that these PCs are accessed by school children, I need to protect them and ourselves from
- Viruses/Spam
- Offensive or Problematic Web Content (Porn, Myspace Etc.)
- Application Protection (IM, P2P/Torrent/File Sharing)

I'd like an appliance, because it would probably be more challenging to manage individual licenses.

I know of products like Astaro, Cymphonix, and Cisco PIX, but am unsure of the differences.
Suggestions please...
 
You don't mention what your network is based around, but I assume it's MS server technology.

I've used MS ISA server (coupled with Surf Control) to solve a similar problem.

It allows different levels of protection (based on login or AD group membership). If things go wrong, you also have logging and reporting to trace who did what, when, where and with whom!

It did work quite well, but I accept that it isn't the cheapest option.

Take Care

Matt
If at first you don't succeed, skydiving is not for you.
 
You are correct, it is a Microsoft-based server/client environment: Server 2003 and Windows XP clients.
I thought of ISA, but was unsure how ISA compared to appliance based technology. Price isn't our greatest concern. Care to share your experiences with ISA?
 
I've had good success with SonicWall devices (specifically the TZ170). The main problem with them is that they are expensive and don't come with everything you are looking for built in (content filtering is extra, as is managed virus scanning). It very quickly can get hugely expensive, but they are pretty reliable.
 
We used ISA 2003 in an edge firewall and locked it down so that NO Anonymous outbound traffic was allowed (even DNS requests were logged by IP and AD username). We only allowed OB traffic on port 80 and 443 (and DNS) after it had been authorised (i.e. the username is a member of the "Internet Allowed" AD group).

We had to make special firewall rules for AV updates etc.

Our web filtering used SurfControl running off the same box as ISA. Obviously, we used the SC ISA plugin, which integrates tightly with ISA. SC blocks URLs and protocols etc. (as do most web filters) on a category basis and produces a bunch of reports for management; we used it to ban users who had transgressed the rules. We applied a strict whitelist of sites (so we didn't have to deal with proxies), although a blacklist is entirely possible (I believe that SC updates its categories regularly and the categories include proxies).

I can't remember much more than that; it was 2 years ago and in my previous job! But if you have specific questions I can offer some limited advice!

Take Care

Matt
If at first you don't succeed, skydiving is not for you.
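To make the ISA policy Matt describes concrete (deny anonymous outbound, allow only 80/443 and DNS for members of the "Internet Allowed" AD group, a special rule for AV updates, a strict site whitelist, and every request logged by IP and username), here is an added model of that decision logic written for this thread; it is not ISA's own code or configuration, and the host names, IPs and usernames are constructed for the example.

```python
# Added example: a model of the ISA edge-firewall policy described in the post.
# Group name is from the post; hosts, IPs and usernames are constructed.
from dataclasses import dataclass
from typing import List, Optional

INTERNET_GROUP = "Internet Allowed"   # AD group that authorises web access
ALLOWED_PORTS = {80, 443}             # HTTP/HTTPS only, after authentication
DNS_PORT = 53                         # DNS allowed, but still logged per user
SITE_WHITELIST = {"www.example-school.org", "update.example-av.com"}  # constructed
AV_UPDATE_HOSTS = {"update.example-av.com"}  # "special firewall rules for AV updates"

@dataclass
class Request:
    src_ip: str
    username: Optional[str]   # None means no AD identity was presented (anonymous)
    groups: frozenset         # AD group memberships of the authenticated user
    dst_host: str
    dst_port: int

def evaluate(req: Request, log: List[str]) -> bool:
    """Return True if the outbound request is allowed; always write an audit line."""
    decision, reason = False, "default deny"
    if req.username is None:
        reason = "anonymous outbound denied"          # no anonymous traffic at all
    elif req.dst_port == DNS_PORT:
        decision, reason = True, "DNS allowed for authenticated user"
    elif req.dst_host in AV_UPDATE_HOSTS and req.dst_port in ALLOWED_PORTS:
        decision, reason = True, "AV update rule"    # exception, no group needed
    elif INTERNET_GROUP not in req.groups:
        reason = f"user not in '{INTERNET_GROUP}'"
    elif req.dst_port not in ALLOWED_PORTS:
        reason = f"port {req.dst_port} not permitted"
    elif req.dst_host not in SITE_WHITELIST:
        reason = "host not on whitelist"             # strict whitelist, not blacklist
    else:
        decision, reason = True, "whitelisted site"
    # Every request, allowed or denied, is logged with source IP and AD username.
    log.append(f"{req.src_ip} {req.username or '-'} {req.dst_host}:{req.dst_port} "
               f"{'ALLOW' if decision else 'DENY'} ({reason})")
    return decision
```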
 
I can tell you what NOT to use: Symantec Firewalls ... our biggest mistake. We've been fighting with them for 6 months; we're now at the point where we've told them we are buying new firewalls and they can take theirs back and stick them someplace uncomfortable. Thankfully I think they've decided the firewall business isn't for them and have passed everything on to Juniper, but just in case you see a cheap used one someplace, just keep on walking.

Cheers
Rob

The answer is always "PEBKAC!"
 
I've worked in a school setting before and found WatchGuard all-in-one appliances very easy to use and easy to set up. With certain add-ons (a bit more cost involved, but not much) they can do web-based protection and virus protection, and act as persistent VPN tunnels... Take a look at a WatchGuard Firebox before you make a decision.

Dave
 
We have used ISA and WatchGuard. I like the ISA, but I found that the WatchGuard felt a little bit like it was cobbled together. We switched from the WatchGuard, after 5 years, and went with a Fortinet. I have been very happy with this box. It was designed as a unified firewall protector from the beginning. It can do web content filtering and virus scanning, and do all of the normal firewall rules. It even does some IPS. It can allow for SSL VPNs for authorized users.

We have found it to be a very easy-to-use but highly functional unit.

Dan
 
Have you considered network segregation, in case one of these 150 PCs stores personal data? You don't want to be the IT person named in a data breach.
Is this a middle school or high school? There are certain proxy services that allow users to bypass your security to view websites, which is something else you might want to consider when designing your solution.
If $$ is no issue, I suggest looking at IronPort for content filtering.

Have you contacted any vendors yet? Most of the time they will present a full solution with a Visio diagram, and you can shop on the open market for the items.
 
For segregation purposes, you might like to consider a multi-homed firewall with a content filtering appliance on a DMZ. Something like a Cisco PIX515E with 3 NICs would provide sufficient interfaces and then maybe you could look at something like Secure Computing's Webwasher product for content filtering.

Size-wise, the WW250 fits the size of site you're discussing and isn't *too* expensive. We've just installed one and found it to be impressive on malware/virus detection.

If you want any more info, please let me know.
 
check out
not strictly a firewall, but will cover just about everything you want. I know several places which route their internet connection through a bloxx appliance then through a firewall appliance. Seems to work pretty well.

------------------------------------------------------
Matt
Life is all shadows and dust.
Live it up with women and wine while you can
 