Help me select a Hardware Firewall

[mitchelt]

We have a pretty basic office setup with 25 users...no active directory or anything, just a domain login.

I would like to get a new hardware firewall that allows me to set global restrictions on which web sites cannot be accessed and also be able to do restrictions based on specific users...not sure if that is via a MAC address or IP.

For example...the shipping guys have no need to go to YouTube, but the salesmen may need to go to YouTube to see a product demo. And no one needs access to Facebook.

I'm not too much of a network geek..so please keep the conversation level low.

Thanks!

Mitch

 

[cmetz]

mitchelt, odds are very high that the most cost-effective approach to this problem is going to be a PC running one of the free router/firewall software OS distributions. You might also be able to set it up with DD-WRT or OpenWRT on a SOHO-grade router, but at much lower convenience (harder to administer) and performance. If you've got a network of 25 PCs, odds are you can find somebody due for an upgrade and repurpose his old box as your firewall.

There are commercial "hardware firewall" devices that can do this, but they'll cost more.

 

[mitchelt]

cmetz, thanks for the info. We currently have the Sonicwall TZ170 and it works well...the only problem is it just does global restrictions. We would like to stick with a hardware solution.

Thanks!

 

[spidey07]

Fortinet has some nice offerings to do what you want user wise.

 

[drebo]

Juniper SRX100. Runs about $650 for the high-memory model which is exactly what you need. Then you can license web filtering.

The problem with per-user/per-IP/per-whatever filtering is that it really requires more advanced software than you're going to find in a cheap device. You can use a proxy like Squid, but that's high maintenance, expecially if you don't have a linux administrator.

 

[naimcohen]

would monowall not be upto the job? I have limited experience with it but it seems like it would be capable of doing it...

http://m0n0.ch/wall/

 

[Nothinman]

We have a pretty basic office setup with 25 users...no active directory or anything, just a domain login.

That doesn't make sense. Unless you've got an NT4 domain, you've got AD if you have domain accounts.

I would like to get a new hardware firewall that allows me to set global restrictions on which web sites cannot be accessed and also be able to do restrictions based on specific users...not sure if that is via a MAC address or IP.

For example...the shipping guys have no need to go to YouTube, but the salesmen may need to go to YouTube to see a product demo. And no one needs access to Facebook.

I'm not too much of a network geek..so please keep the conversation level low.

Thanks!

Mitch

Commercial solutions for this are usually priced outrageously, so your best bet really is a PC running a form of Linux with a proxy managed either by a web front end or manually. Have you looked at Untangle?

 

[Aarondeep]

Three free options i suggest you look into:
1. http://m0n0.ch/wall/
2. http://www.clearfoundation.com/
3. http://www.ipcop.org/

 

[brad310]

Im not sure how you would accomplish that task...what i would say is just create a written policy about what people are allowed to do, and get a web monitor. Then, if there's an issue, print out the logs. Done.

When ppl know they're being actively big brothered they'll cut the sh!t. however...if you have an AD domain, use a group policy. If you dont have group policy, you can list the blocked sites in the IE options since you have a small user base.

 

[Thor86]

Endian Community Firewall. Software is fully functional and free, just if you want corporate support is a paid service. They also offer hardware, but any low-end x86 hardware can be used for the free setup. Very easy setup, supports multiple vlans which can be your departmental segregation for web filtering.

 

[Cable God]

Juniper SRX100. Runs about $650 for the high-memory model which is exactly what you need. Then you can license web filtering.

The problem with per-user/per-IP/per-whatever filtering is that it really requires more advanced software than you're going to find in a cheap device. You can use a proxy like Squid, but that's high maintenance, expecially if you don't have a linux administrator.

I second this. Sounds like a great fit for a smaller Juniper SRX. It is a turn-key solution out of the box with some of the best support in the industry.