New direction needed

We're looking at an all-in-one type of solution that will take care of things like spyware defense, web monitoring, bandwidth monitoring, etc.  I've been looking at Websense Enterprise 5.1.  We have 115 users in 3 locations and we're only going to get bigger over the next few years.  Currently, we have PestPatrol in place for anti-spyware... I frankly hate it. Our vendor suggested it and it's been nothing but a pain from day one, so I want to get rid of it.  We have Astaro Linux v5 for firewalls at all 3 locations, but it's one of those systems, in my opinion, that is too much hands on for us... too much manual upkeep.  Our IT department is not equipped to babysit it.

I need varying opinions and ideas on where you think we should be looking.  If Websense is not what we need, then please feel free to throw in any suggestions.  

Thanks in advance!

> .. that is too much hands on
*Security is not a product, security is a process*
If you don't get used to that, you'd better look for someone who knows that and can manage your systems.

That said, we can focus on your question.
Your question is a bit vague, could you please tell us what exactly you want to protect?
On your Linux boxes you won't have a spyware or any other malware problem, usually. The webserver is most likely also not running on your Astaro. So please give a bit more information "where" you need to protect "what".

Websense is an expensive proposition, and it was designed to work in concert with specific firewalls, and you need multiple servers. It was not really designed for dispersed application if each site has their own Internet connection.

Fortinet has won several awards as best in class for the all-in-one products.

Symantec Gateway appliances would be my second choice

My personal preferred solution would include multiple best of breed products so that you don't have any one failure bring you down completely. My solution would be Cisco PIX Firewall at each location, VPNs connecting the sites together, iPrism appliance at each location for content filtering, Ironmail spam control appliance, and Trend Micro corp edition AV, and a desktop agent like Cisco SA on every desktop.

Agreed with lrmoore on Fortinet products, especially its FortiGate line of products. You may wish to look at the FortiGate 60, 100, 200 range of products, which should fit in your network. It's cost-effective and rich in features (AV, IDS/IPS, Firewall, VPN...etc). Once installed, it can be fully automated to update itself with the latest AV definitions and attack definitions.

We had a few of these boxes deployed locally and remotely to our branch/remote offices. It's also easy to manage with a low learning curve for IT Professionals to manage it.

As for the Symantec Gateway appliances, we had evaluated the product and our findings indicate that it's 'no match' for the FortiGate products in terms of performance and cost-effectiveness.

Employing the 'Defence-in-Depth' methodology would be a good idea as illustrated by lrmoore. However, from your question, my assumption is that your IT Dept is not well-versed in handling sophisticated products. Therefore, Webroot Spy Sweeper Enterprise would be a good choice for centrally-administering the enterprise anti-spyware solution.

That's all I can say with the limited input that was provided...;-)
[Note: all comments are in my humble opinion only, based on evaluation on the products and implementation.]

epuente (Author) commented:
Let me clarify a few items... When I made the comment about having to "babysit" the Linux firewall, it's not because we aren't capable of maintaining it, however with 2 IT people for 115 users, we are compelled to find something that we can have run smoothly, with minimal upkeep, after initial set up and deployment.  I certainly understand the importance of maintaining a secure network.

The last 2 comments are what I am looking for in regards to alternatives.  I do apologize for being vague in my description.

But, let me "paint" the picture a little more... 2000 network... We are set to connect the remote offices via P2P (with redundancy).  We currently have Trend Micro as an AV solution at all sites. The main office hosts a Citrix farm.  The remotes maintain their own internet connection.  I want to be able to monitor and report on the internet usage at each location.

I appreciate everyone's opinions...It certainly clears things up better.

hmm, sounds like we can buy products to make us feel secure, I'm learning too ...

agree with you ahoffmann-- technical solutions do present only the illusion of security to protect us from human ingenuity..
At least we can state that we are practicing due diligence by taking prudent precautions to protect ourselves against known enemies. It's the ones that we don't know about today that will harm us in the end tomorrow...

to complete my last comment: didn't say that such products are useless, just that there seem to be some to give a "secure feeling"
everyone has to decide h..self if this feeling is sufficient

epuente (Author) commented:
Very good observations on all points... There will always be those who want to take someone down just for the thrill of it.  The key is to keep pace with them by maintaining strong security initiatives.

Any further input on my additional information?

Since you already have the licenses and some expertise with Trend Micro products, that is a plus in itself.
I still like the PIX at each location. Using the web GUI you can monitor bandwidth utilization at each site, but you need something else to monitor internet activity. I still suggest using something like the iPrism appliance or a proxy server to give you that reporting capability. Does each site have a Windows server? You can install ISA 2004 in proxy mode and get all the reporting and usage information you could ever want - from a central location.
Main things we need to take care of:
 - Everything starts with Policies and procedures. Security is nothing but a technical implementation that helps to enforce policies, and the procedures required to handle compliance checking and violation actions
 - basic firewall capabilities, NAT, stateful packet inspection, deep packet inspection
 - VPN capabilities for site-site and/or remote users
 - Anti-spyware - PestPatrol and SpySweeper Enterprise are about the only two products to date that have an enterprise version of the software
 - Anti-virus - you already have a major investment in one of the best products
 - Intrusion detection - be careful what you ask for. How do you want it to report? You have to really babysit these for a good while until all the false-positives are taken care of.. most are signature based. Look for something to supplement with anomaly based "0 day" protection (Cisco agent on every server/PC is one example). Intrusion Detection has really been taking a beating in the industry. Intrusion Prevention is the new buzzword..
 - Patch management to keep up with all the latest patches. Managing that so that all your PCs don't go out and try to download SP2 (all 250+MB) all at the same time using AutoUpdate...
 - Anti Spam - What kind of email system do you use? Are there anti spam plugins that you use/can use?
 - Wireless - Use it? Don't use it? If you don't use it, how do you know if someone brings in their own? If you do use it, how do you handle intrusion detection of the airwaves?

Bottom line - if you want one product that you can (as Ron Popeil would say) "set it and forget it", as much as it pains me to say this - then I would still highly recommend the Fortinet line... or the Symantec Gateway products.

If security is a major issue, or if you have to comply with government directives (SOX, HIPAA, GLB, etc), then look for best of breed point products.
