Looking for a Firewall for a Small Business

Hello all,

I've got a friend who owns a small business. He's got some employees that like to surf the web a bit too much and wants to limit their access to only a few sites. However, each employee needs to access different sites, so the typical parental control feature doesn't work so well. I've been trying to find him a firewall solution that will allow him to specify rules specific to IP addresses (similar to ACLs in a PIX I guess...), but all the router/VPN/firewall appliances I've looked at (such as Linksys, D-Link, etc) seem to want to do URL/domain limiting on a network-wide basis rather than based on IP. Short of me creating a custom Linux firewall solution, does anyone know of a product that would meet his needs? He doesn't need VPN, so finding something without the VPN option would be great.

Bryan

m0n0wall or pfSense would both do the trick.

DevilsPGD

WatchGuard and SnapGear have FW appliance solutions for small business. You can set all the IP rules you want. Linksys and D-link are NAT routers and are not FW appliances.

You can go to the sites, check product spec sheets and call the vendors; you can even get a refurbished used one at a low price with full warranty and support.

Mr. Arnold

I'd add Bering Leaf uCLibc to the list, which has the advantage that it's superbly supported.

Jim Ford

Hi, I am a fan of m0n0wall and sometimes of pfSense, but in this scenario they are the wrong solution. Both have no possibility of building groups of IPs, so you have to build a complete rule for every allowed IP and user. A PIX 515 could do the job, but can't handle static entries in the DHCP server. One possible solution could be a proxy (Squid) with authentication and ACLs.

bye Christoph

Christoph Hanle

DevilsPGD wrote:

While they would work by defining the IP addresses of the blocked sites/domains, and if I am not mistaken, you could set a static DHCP so that each DHCP client would retain the same address each time, then assign these clients to an alias group, then make sure that alias/group cannot get to specific IP addresses by using appropriate rules. Not ideal, but it would work. Time consuming, though. Check into IPCop or Smoothwall, and look for a mod to go with one of those that may handle such a job. I am a big fan of m0n0wall, but I don't know if it is the 100% best solution for this unless you want a lot of time-consuming tasks to take up. I am going to look around just for the heck of it now; you have my interest piqued.

AwPhuch

Bryan,

Whilst the technical solutions offered appear to be adequate, your friend should really think about having a security policy that does not allow personal web surfing and enforces audit and accountability. That way rather than having his employees spending all day attempting to bypass the security measures to access the sites that they want to access, they have the very real threat of disciplinary action or dismissal if they fail to abide by the rules. By all means, install one of the solutions suggested but without a suitable IT security policy that is understood and agreed to by all his staff it would be largely pointless.

Bogwitch

Christoph,

I like this idea... my corporati

Bryan

Hi Bryan,

You may wish to investigate the Cisco Product Advisor as well as the Cisco Solution Designer.
Sincerely,

Brad Reese

www.BradReese.Com

Bogwitch wrote:

Gotta give Bogwitch credit where credit is due. 100% right. Employees need to be made aware of the acceptable uses for the internet, of the fallout if they fail to abide by them, and (required by law in some areas) of the fact that they are being watched. So, by following this branch, perhaps you could look into a simple proxy server/firewall/router combo. Again, you could look to something like IPCop (with a couple of add-ons) or a relative to sit silently between your internal network and the modem. The key in my opinion is to keep the cost low with high gains, so if you are partial to using name-brand appliances, by all means go with what you are comfortable with. I like seeing otherwise useless old P2 boxes have a second chance at life ;-) Block certain sites etc. for the network as a whole, but enable the logging feature so that the information is kept on file. Go a step further and throw in a simple SNMP logging utility on one of your less-used servers (if any). If (when) you find a violation, just present the offending employee with the information, and that is usually sufficient to put a halt to it without getting management involved needlessly. If the employees are aware that they are being watched, sometimes that is more effective than implementing a high-maintenance technical solution.

AwPhuch

You start getting too complicated with this and you'll be the one there supporting it, count on it.

Mr. Arnold

m0n0wall would make you work for it, pfSense could be tricked into doing the job using aliases...

DevilsPGD

Your problem is that you're not looking at firewalls (Linksys, D-Link); you're looking at NAT routers that also provide some fancy features, but they're not firewalls.

Most "Firewall" appliances have services you can purchase to specify what category of content your employees can view - as an example, WatchGuard has some 40 categories that you can block. In most medical centers we block about 35 categories for "users" and 30 for managers.

Between using DHCP reservations to keep managers' PCs at a known location, and making an HTTP block the most restricted by default, we've managed to get productivity back to where it should be (almost like not having internet access, except to approved sites).

Not only does a WatchGuard (a firewall appliance) let you control, very nicely, where they can go, it can block POP3, web mail, IM, Chat, Proxy jumping, etc... all while allowing your users to browse to approved sites...

Leythos

I use Squid in "transparent mode", which means that the proxy is invisible to the users. Not too difficult to configure.

God Rudy

But the real issue is getting a quality configuration that permits users to access the internet while blocking undesired content categories - like blocking "Shopping" or "Sports" or "Web Mail" sites - how does your solution provide that?

Leythos

Hi, it can be done with a standard Squid in non-transparent mode with user authentication. You have to create the users, you have to create groups of users and you have to create a list of allowed sites per group. Then you have to bring it together with ACLs. If this is done, changes and additions are easy to manage, but with a big handicap: Squid needs a restart after a change. Unlike some others in this thread, I am talking about whitelisting and not about blacklisting; this means only allowing single sites, not allowing all and only blocking certain sites or types of sites. bye Christoph

Christoph Hanle
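A minimal whitelist-only squid.conf for the scheme Christoph describes (users, groups of users, one allowed-site list per group, tied together with ACLs). This is an added example, not configuration posted by anyone in the thread; the helper path, file names, group names, usernames and domains are assumptions chosen for illustration.

```conf
# squid.conf: whitelist-only forward proxy with per-group allowed sites.
# Added example for this thread; every path and name below is an assumption.
# Users are created with:  htpasswd -c /etc/squid/passwd alice
# (the helper is basic_ncsa_auth in Squid 3.2 and later, ncsa_auth in older
#  releases; check where your distribution installs it).
auth_param basic program /usr/lib/squid/basic_ncsa_auth /etc/squid/passwd
auth_param basic children 5
auth_param basic realm Company web proxy
auth_param basic credentialsttl 2 hours

# Group membership: one username per line in each file (constructed sample).
#   /etc/squid/groups/orders.txt     -> alice, bob
#   /etc/squid/groups/accounting.txt -> carol
acl authenticated    proxy_auth REQUIRED
acl orders_users     proxy_auth "/etc/squid/groups/orders.txt"
acl accounting_users proxy_auth "/etc/squid/groups/accounting.txt"

# Allowed sites per group: one domain per line; a leading dot matches the
# domain and all of its subdomains (constructed sample).
#   /etc/squid/sites/orders.txt     -> .supplier-portal.example
#   /etc/squid/sites/accounting.txt -> .bank.example
#                                      .payroll.example
acl orders_sites     dstdomain "/etc/squid/sites/orders.txt"
acl accounting_sites dstdomain "/etc/squid/sites/accounting.txt"

acl Safe_ports port 80 443
acl SSL_ports  port 443
acl CONNECT    method CONNECT

# Order matters: Squid stops at the first http_access line that matches.
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny !authenticated          # unauthenticated -> 407 challenge
http_access allow orders_users orders_sites
http_access allow accounting_users accounting_sites
http_access deny all                     # anything not whitelisted is refused

http_port 3128
# Browsers must be pointed at this proxy (manually, by policy or via WPAD),
# and the perimeter firewall should block direct outbound 80/443 from the LAN
# so that the proxy cannot simply be bypassed.
```

Each `http_access allow` line is the AND of the ACLs named on it: a request passes only when the authenticated user appears in that group's file and the destination host matches that group's site list, so a user in `orders` cannot reach `.bank.example` even though it is whitelisted for `accounting`. Adding a user or site means editing the list files and running `squid -k reconfigure` so Squid rereads them.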

One option is to simply fire them for abusing company resources, and review the URL list after the fact.

DevilsPGD

Yeah, that works - fire someone without any proof or idea that they are doing it :)

Leythos

In my case they only need access to one site on the web to do their work. All other sites can be blocked.

Bryan

This sounds exactly like what I'm wanting to do. I'll give it a go. Can you point me in the direction of one or two tutorials on how to configure Squid in this manner?

Bryan
