Looking for Firewall or UTM

I have been at this for a while, researching and trying to figure out what is overkill, what is not enough. Here are my company's needs:

We have 20-25 users connecting to the internet, most are wired however some are wireless. The most important aspect of the firewall is the content filtering/URL blocking etc. I have found plenty of firewalls that do this, but it seems that there is always overkill or no group policies. I want to be able to set up group policies for the users. For example, Managers can have more access than our regular employees who will be more restricted. Also, it would be nice to have some sort of log to view which computer is accessing what.

I looked at Sonicwall and Watchguard, but they seemed to be too much or had too many subscription services for what I wanted. I wouldn't mind some virus scanning capabilities, but Sonicwall requires that you have McAfee installed on the client computers and frankly, I've had bad experience with the McAfee clients so I'd rather not go there.

From another question on EE, I checked out the ZyXEL ZyWALL 5 UTM appliance, but once again, it may be overkill for just 20-25 users. From what I could tell, it did not have group policies, but it at least had "excluded" IP addresses, which I could do.

Anyone have any suggestions on what would be a better appliance to look for? I would like it to have WiFi capabilities so I can cut down the appliances from 3 to 2 (currently I am running a Linksys router and a Netgear attached to it as an AP).
SteveH_UK Commented:
Have you considered a GnatBox appliance (www.gta.com).  They start off much cheaper than some of the others, but are very functional and compare well.

I speak as a certified GnatBox admin, but also as an admin of ISA Server 2006.
SteveH_UK Commented:
However, policy restrictions were IP-based when I was last using a GnatBox, so I don't know if that is what you are looking for.
SteveH_UK Commented:
See http://www.gta.com/products/gb250/ for a small-business version.
gfei (Author) Commented:
Thank you for the info, I am checking it out now. You say policy restrictions are IP-based. I do assign static IPs on the computers. I was hoping for a solution that would allow me to assign IPs or MAC addresses to a group policy and then restrict them. Is that what you are referencing?
SteveH_UK Commented:
No, none of these solutions work with Active Directory's group policy.

For these firewalls, you can assign computers (based on IP) to a set and then create firewall policy rules based on those computers.

I think there is also a client agent that allows user authentication, but I've never used it.  Of course, if you have user authentication then you can use user rules too!

Typical configurations would use DHCP to assign fixed IP addresses based on MACs, and then the firewall would assign rules based on these fixed IP address ranges.

Generally, firewalls work at Layer 3, which is IP, rather than Layer 2, which is Ethernet and is the layer at which MACs work.

If you only want to block access based on MACs, then you generally need additional support at the network switch/hub level.
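The setup described in the comment above (DHCP reservations that pin each MAC to a fixed IP, with the firewall applying one rule per IP range) as an added example that is not part of the original thread or any vendor's tooling. The address blocks, host names, MACs and group names are constructed for illustration; the output uses ISC dhcpd `host` declarations.

```python
import ipaddress

# Assumed addressing plan (constructed): one contiguous block per policy group,
# so the firewall needs only one source-range rule per group.
GROUP_RANGES = {
    "managers": ipaddress.ip_network("192.168.10.32/28"),
    "staff": ipaddress.ip_network("192.168.10.64/27"),
}

# Constructed inventory: (hostname, MAC, policy group).
INVENTORY = [
    ("mgr-pc1", "00:11:22:33:44:01", "managers"),
    ("mgr-pc2", "00:11:22:33:44:02", "managers"),
    ("staff-pc1", "00:11:22:33:44:11", "staff"),
]

def build_reservations(inventory, ranges):
    """Assign each MAC the next free host address in its group's block."""
    pools = {g: iter(net.hosts()) for g, net in ranges.items()}
    seen, leases = set(), []
    for host, mac, group in inventory:
        mac = mac.lower()
        if mac in seen:
            raise ValueError(f"duplicate MAC {mac}")
        seen.add(mac)
        try:
            ip = next(pools[group])
        except StopIteration:
            raise ValueError(f"group {group} has no free addresses") from None
        leases.append((host, mac, ip, group))
    return leases

def dhcpd_conf(leases):
    """Render ISC dhcpd host declarations (MAC -> fixed IP)."""
    return "\n".join(
        f"host {h} {{ hardware ethernet {m}; fixed-address {ip}; }}"
        for h, m, ip, _ in leases)

def group_for(src_ip, ranges):
    """What a Layer 3 firewall rule can match on: the source IP only."""
    addr = ipaddress.ip_address(src_ip)
    for group, net in ranges.items():
        if addr in net:
            return group
    return "default-deny"  # addresses outside every block get the strictest policy

if __name__ == "__main__":
    print(dhcpd_conf(build_reservations(INVENTORY, GROUP_RANGES)))
    print(group_for("192.168.10.33", GROUP_RANGES))
```

Because the firewall only sees the source IP, a machine without a reservation should land in a range that maps to the most restrictive policy, which is what the `default-deny` fallback models.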
gfei (Author) Commented:
Thank you for your responses. I am sorry I am not being too clear on this. My strong point in computers is certainly NOT in networking on this level.

I may have used "group policy" and made it sound like a Windows-based group policy. I am speaking more of a group policy in the OS of the firewall.

My Linksys BEFSX41 allows for groups created according to MAC address. And for these MAC addresses, I can apply certain content filtering rules. It's not very customizable but I've been able to block some of the more nuisance sites.

It seems that all the firewalls I have found that cost more money than the Linksys did do not have a group-creating ability for content filtering. Or a decent way to make exceptions. For example, we have about 10 standard employees who will only be able to access work-related sites. While about 5 managers & bosses would be given a bit more leeway. It seems most of the firewalls I have found have a "one IP address" exception. I need to be able to customize this according to the different computers accessing the internet through the firewall. I am not clear if the GB-200 is capable of that. It seems that this point is one of the most vague things I have found when it comes to firewall research.

Thank you again for all your input so far.
SteveH_UK Commented:
I'm pretty sure the GB-200 does not have this limitation.  I've only used larger models myself.  Contact them directly, they're generally really good on e-mail and they'll probably help you think through what you need to do, even if you don't end up buying from them.

They can also pre-create a firewall configuration for you.

The lower-end market, such as NetGear and LinkSys, doesn't offer much in the way of features, and so you've done well to make it do what you want.  Enterprise firewalls don't work in quite the same way, but they do everything that you'll need.
Question has a verified solution.
