Solved

Looking for Firewall or UTM

Posted on 2007-11-26
212 Views
Last Modified: 2010-04-17
I have been at this for a while, researching and trying to figure out what is overkill and what is not enough. Here are my company's needs:

We have 20-25 users connecting to the internet, most are wired however some are wireless. The most important aspect of the firewall is the content filtering/URL blocking etc. I have found plenty of firewalls that do this, but it seems that there is always overkill or no group policies. I want to be able to set up group policies for the users. For example, Managers can have more access than our regular employees who will be more restricted. Also, it would be nice to have some sort of log to view which computer is accessing what.

I looked at Sonicwall and Watchguard, but they seemed to be too much or had too many subscription services for what I wanted. I wouldn't mind some virus scanning capabilities, but Sonicwall requires that you have McAfee installed on the client computers and frankly, I've had bad experience with the McAfee clients so I'd rather not go there.

From another question on EE, I checked out the ZyXEL ZyWALL 5 UTM appliance, but once again, it may be overkill for just 20-25 users. From what I could tell, it did not have group policies, but it at least had "excluded" IP addresses, which I could do.

Anyone have any suggestions on what would be a better appliance to look for? I would like it to have WiFi capabilities so I can cut down the appliances from 3 to 2 (currently I am running a Linksys router and a Netgear attached to it as an AP).
Question by:gfei

Accepted Solution by: SteveH_UK (earned 250 total points)
ID: 20353355
Have you considered a GnatBox appliance (www.gta.com)? They start off much cheaper than some of the others, but are very functional and compare well.

I speak as a certified GnatBox admin, but also as an admin of ISA Server 2006.

Assisted Solution by: SteveH_UK
ID: 20353362
However, policy restrictions were IP-based when I was last using a GnatBox, so I don't know if that is what you are looking for.

Assisted Solution by: SteveH_UK
ID: 20353371
See http://www.gta.com/products/gb250/ for a small-business version.
Author Comment by: gfei
ID: 20357350
Thank you for the info; I am checking it out now. You say policy restrictions are IP-based. I do assign static IPs on the computers. I was hoping for a solution that would allow me to assign IPs or MAC addresses to a group policy and then restrict them. Is that what you are referencing?

Assisted Solution by: SteveH_UK
ID: 20360608
No, none of these solutions work with Active Directory's group policy.

For these firewalls, you can assign computers (based on IP) to a set and then create firewall policy rules based on those computers.

I think there is also a client agent that allows user authentication, but I've never used it.  Of course, if you have user authentication then you can use user rules too!

Typical configurations would use DHCP to assign fixed IP addresses based on MACs, and then the firewall would assign rules based on these fixed IP address ranges.

Generally, firewalls work at Layer 3, which is IP, rather than Layer 2, which is Ethernet and is the layer at which MACs work.

If you only want to block access based on MACs, then you generally need additional support at the network switch/hub level.
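As an added illustration (not part of the thread, and not GnatBox or any vendor's configuration), the arrangement SteveH_UK describes: DHCP reservations pin MACs to fixed IPs, the firewall collects those IPs into sets, and per-group content rules are evaluated on the Layer 3 address. All MACs, addresses, group names and URL categories are constructed sample data; the mismatch check at the end shows what a Layer 3 rule cannot see on its own, which is why switch-level MAC controls come up in the answer.

```python
from ipaddress import ip_address, ip_network
from typing import Optional

# Step 1: DHCP reservations, MAC -> fixed IP (constructed sample data).
RESERVATIONS = {
    "00:11:22:33:44:01": "192.168.1.10",   # manager workstation
    "00:11:22:33:44:02": "192.168.1.11",   # manager laptop (wireless)
    "00:11:22:33:44:20": "192.168.1.50",   # standard employee
    "00:11:22:33:44:21": "192.168.1.51",   # standard employee
}

# Step 2: the firewall groups hosts by IP (single addresses or ranges),
# never by MAC, because it evaluates Layer 3 addresses.
GROUPS = {
    "managers": ["192.168.1.10", "192.168.1.11"],
    "staff": ["192.168.1.48/28"],          # .48-.63 pool reserved for staff
}

# Step 3: per-group content policy, as URL categories each group may reach.
POLICY = {
    "managers": {"work", "news", "social"},
    "staff": {"work"},
}

def group_for(ip: str) -> Optional[str]:
    """First IP set that contains the address, or None if it is in no set."""
    addr = ip_address(ip)
    for name, members in GROUPS.items():
        if any(addr in ip_network(m) for m in members):
            return name
    return None

def is_allowed(ip: str, category: str) -> bool:
    """Default deny: a host outside every IP set gets no category at all."""
    group = group_for(ip)
    return group is not None and category in POLICY[group]

def explain(ip: str, category: str) -> str:
    """Audit line that ties the Layer 3 decision back to the reserved MAC,
    which is the 'which computer is accessing what' view the asker wanted."""
    mac = next((m for m, a in RESERVATIONS.items() if a == ip), "unreserved")
    verdict = "ALLOW" if is_allowed(ip, category) else "DENY"
    return f"{verdict} src={ip} mac={mac} group={group_for(ip)} category={category}"

def reservation_mismatch(mac: str, observed_ip: str) -> bool:
    """True when a known MAC is seen (e.g. in DHCP or ARP logs) with an IP other
    than its reservation. The firewall would then place the host by the IP it
    actually uses, so this is the gap only a switch-level MAC control closes."""
    expected = RESERVATIONS.get(mac)
    return expected is not None and expected != observed_ip
```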

Author Comment by: gfei
ID: 20365846
Thank you for your responses. I am sorry I am not being too clear on this. My strong point in computers is certainly NOT in networking on this level.

I may have used "group policy" and made it sound like a Windows-based group policy. I am speaking more of a group policy in the OS of the firewall.

My Linksys BEFSX41 allows for groups created according to MAC address, and for these MAC addresses I can apply certain content filtering rules. It's not very customizable, but I've been able to block some of the more nuisance sites.

It seems that all the firewalls I have found that cost more money than the Linksys did do not have a group-creating ability for content filtering, or a decent way to make exceptions. For example, we have about 10 standard employees who will only be able to access work-related sites, while about 5 managers & bosses would be given a bit more leeway. It seems most of the firewalls I have found have a "one IP address" exception. I need to be able to customize this according to the different computers accessing the internet through the firewall. I am not clear if the GB-200 is capable of that. It seems that this point is one of the most vague things I have found when it comes to firewall research.

Thank you again for all your input so far.

Assisted Solution by: SteveH_UK
ID: 20368346
I'm pretty sure the GB-200 does not have this limitation. I've only used larger models myself. Contact them directly; they're generally really good on e-mail and they'll probably help you think through what you need to do, even if you don't end up buying from them.

They can also pre-create a firewall configuration for you.

The lower-end market, such as NetGear and LinkSys, doesn't offer much in the way of features, and so you've done well to make it do what you want. Enterprise firewalls don't work in quite the same way, but they do everything that you'll need.