Should I ditch ISA 2004 and get a SonicWall?

Since I'm filtering at the application level, I know my internet access for my school is slower than it could be. I do run ISA Server with Websense for content filtering. I wonder if I should switch to a hardware-based solution. Will that still give me content filtering? Coming INTO our network from the internet - I can understand the need for a firewall. I just don't understand going OUT of our network. Currently, we have about 175 computers going out through a proxy server running ISA 2004 and Websense.

I'm also sick of that damn proxy client on each computer, 'cause it loses its settings, and the kids don't know how to configure it, so I have to go in and help them.

cameronbrandon

Content filtering comes in many flavors - there is website content filtering, then there is HTTP session filtering (removal of cookies, ActiveX, scripting, etc.), and then there is SMTP filtering - where you can remove attachments based on file type, size, bad headers, etc.

WatchGuard is my favorite firewall vendor and they provide WebBlocker for website content filtering - 14 categories that you can pick from, including start/end times for filtering. In addition you can have multiple HTTP rules and provide FULL filtering for the subnet the kids' machines are in, limited filtering for the teachers'/administrators' machines, and no filtering for the network staff's machines. I have 4 HTTP filters set up in most offices.

The SMTP filtering is what saves most users' butts. It can block attachments over XXX MB in size (but it applies to the email server, not users), can block any form of file based on its extension - so you don't have to allow executables into the email system - and even bad headers...

As for outbound, there is little you really need to allow, HTTP, HTTPS, DNS, PING, FTP (maybe), and a couple others...

With the Firebox you get inbound IPSec and PPTP session ability at the firewall itself - this means you can set up users in the firewall that can VPN (using Microsoft's PPTP tool) into the network and have any access you create rules for.

The HTTP Proxy services in the WG Firewall would not require any setup on the workstations anywhere in your system.

Don't forget to isolate the kids' machines' networks from the teachers'/administrators'; kids have a way of finding "things" that they don't need to find.

Leythos

Lately there are so many options for integrated security services solutions. The main areas are:

1- Firewalling
2- IDS/IPS
3- Antivirus
4- Antispam
5- IM Control/Spyware
6- Web Filtering
7- VPN & Remote Access

With ISA you will have partial solutions for most areas. For performance you may try load balancing multiple ISA servers, but that may not ease your load on desktop management. You need to lock down desktops with AD logon scripts anyway.

But if you want to leverage your current Websense license, check Websense integration partners. Websense can be integrated with a myriad of devices or it can run standalone depending on your config.

There are so many integrated security devices. I work with Fortinet. They do the job for a good budget. Cisco and Symantec also have solutions. I guess that SonicWall offers similar solutions.

If you already have a real firewall, you may move your proxying to a dedicated server. Something like a Bluecoat SG series box can cache, filter, and authenticate your outbound traffic. You may also deploy this solution in a transparent, non-intrusive way. This will cut down your support time too. On Bluecoat you may use your existing Websense license.

On the high end there are dedicated solutions for each security function, but that is more feasible for larger deployments.

cheers,

- y.

efes911
