Looking for a Firewall for a Small Business

on 07.01.2007 18:32:48 by Bryan

Hello all,

I've got a friend who owns a small business. He's got some employees
that like to surf the web a bit too much and wants to limit their
access to only a few sites. However, each employee needs to access
different sites, so the typical parental control feature doesn't work
so well. I've been trying to find him a firewall solution that will
allow him to specify rules specific to IP addresses (similar to ACLs in
a PIX I guess...), but all the router/VPN/firewall appliances I've
looked at (such as Linksys, D-Link, etc) seem to want to do URL/domain
limiting on a network-wide basis rather than based on IP. Short of me
creating a custom Linux firewall solution, does anyone know of a
product that would meet his needs? He doesn't need VPN, so finding
something without the VPN option would be great.

Re: Looking for a Firewall for a Small Business

on 07.01.2007 19:06:48 by DevilsPGD

In message <1168191168.016503.24790@v33g2000cwv.googlegroups.com>
"Bryan" wrote:

>I've got a friend who owns a small business. He's got some employees
>that like to surf the web a bit too much and wants to limit their
>access to only a few sites. However, each employee needs to access
>different sites, so the typical parental control feature doesn't work
>so well. I've been trying to find him a firewall solution that will
>allow him to specify rules specific to IP addresses (similar to ACLs in
>a PIX I guess...), but all the router/VPN/firewall appliances I've
>looked at (such as Linksys, D-Link, etc) seem to want to do URL/domain
>limiting on a network-wide basis rather than based on IP. Short of me
>creating a custom Linux firewall solution, does anyone know of a
>product that would meet his needs? He doesn't need VPN, so finding
>something without the VPN option would be great.

m0n0wall or pfSense would both do the trick.

--
No user-serviceable parts

Re: Looking for a Firewall for a Small Business

on 07.01.2007 20:50:44 by "Mr. Arnold"

Bryan wrote:
> Hello all,
>
> I've got a friend who owns a small business. He's got some employees
> that like to surf the web a bit too much and wants to limit their
> access to only a few sites. However, each employee needs to access
> different sites, so the typical parental control feature doesn't work
> so well. I've been trying to find him a firewall solution that will
> allow him to specify rules specific to IP addresses (similar to ACLs in
> a PIX I guess...), but all the router/VPN/firewall appliances I've
> looked at (such as Linksys, D-Link, etc) seem to want to do URL/domain
> limiting on a network-wide basis rather than based on IP. Short of me
> creating a custom Linux firewall solution, does anyone know of a
> product that would meet his needs? He doesn't need VPN, so finding
> something without the VPN option would be great.
>

WatchGuard and SnapGear have FW appliance solutions for small business.
You can set all the IP rules you want. Linksys and D-link are NAT
routers and are not FW appliances.

http://www.cdw.com/shop/search/results.aspx?key=watchguard&sr=1&platform=all&x=30&y=9

http://www.watchguard.com/

SnapGear

http://www.securecomputing.com/index.cfm?skey=1485

You can go to the sites, check product spec sheets and call the vendors,
you can even get a refurbished used one at a low price with full
warranty and support.

Re: Looking for a Firewall for a Small Business

on 07.01.2007 20:54:30 by Jim Ford

DevilsPGD wrote:
> In message <1168191168.016503.24790@v33g2000cwv.googlegroups.com>
> "Bryan" wrote:
>
>> I've got a friend who owns a small business. He's got some employees
>> that like to surf the web a bit too much and wants to limit their
>> access to only a few sites. However, each employee needs to access
>> different sites, so the typical parental control feature doesn't work
>> so well. I've been trying to find him a firewall solution that will
>> allow him to specify rules specific to IP addresses (similar to ACLs in
>> a PIX I guess...), but all the router/VPN/firewall appliances I've
>> looked at (such as Linksys, D-Link, etc) seem to want to do URL/domain
>> limiting on a network-wide basis rather than based on IP. Short of me
>> creating a custom Linux firewall solution, does anyone know of a
>> product that would meet his needs? He doesn't need VPN, so finding
>> something without the VPN option would be great.
>
> m0n0wall or pfSense would both do the trick.
>

I'd add Bering Leaf uCLibc to the list, which has the advantage that
it's superbly supported.

Jim Ford

Re: Looking for a Firewall for a Small Business

on 07.01.2007 21:57:03 by Christoph Hanle

DevilsPGD wrote:
> In message <1168191168.016503.24790@v33g2000cwv.googlegroups.com>
> "Bryan" wrote:
>
>> I've got a friend who owns a small business. He's got some employees
>> that like to surf the web a bit too much and wants to limit their
>> access to only a few sites. However, each employee needs to access
>> different sites, [..]
>
> m0n0wall or pfSense would both do the trick.

Hi,
I am a fan of m0n0wall and sometimes of pfSense, but in this scenario,
they are a wrong solution. Both have no possibility of building groups
of IPs, so you have to build for every allowed IP and user a complete
rule. A PIX 515 could do the job, but can't handle static entries in the
DHCP-Server. One possible solution could be a Proxy (Squid) with
authentication and ACLs.

bye
Christoph

Re: Looking for a Firewall for a Small Business

on 07.01.2007 23:02:46 by AwPhuch

DevilsPGD wrote in
news:6ed2q25fb13mlp2ohhhmf7u98virl4l71r@4ax.com:

> In message <1168191168.016503.24790@v33g2000cwv.googlegroups.com>
> "Bryan" wrote:
>
>>I've got a friend who owns a small business. He's got some employees
>>that like to surf the web a bit too much and wants to limit their
>>access to only a few sites. However, each employee needs to access
>>different sites, so the typical parental control feature doesn't work
>>so well. I've been trying to find him a firewall solution that will
>>allow him to specify rules specific to IP addresses (similar to ACLs in
>>a PIX I guess...), but all the router/VPN/firewall appliances I've
>>looked at (such as Linksys, D-Link, etc) seem to want to do URL/domain
>>limiting on a network-wide basis rather than based on IP. Short of me
>>creating a custom Linux firewall solution, does anyone know of a
>>product that would meet his needs? He doesn't need VPN, so finding
>>something without the VPN option would be great.
>
> m0n0wall or pfSense would both do the trick.
>

While they would work by defining the IP address of the blocked sites/
domains, and if I am not mistaken, you could set a static DHCP so that
each DHCP client would retain the same address each time, then assign
these clients to an alias group. Then, make sure that alias/group cannot
get to specific IP addresses by using appropriate rules. Not ideal, but
it would work. Time-consuming though. Check into IPcop or Smoothwall, and
look for a mod to go with one of those that may handle such a job. I am a
big fan of m0n0wall, but I don't know if it is the 100% best solution for
this unless you want a lot of time-consuming tasks to take up.
I am going to look around just for the heck of it now, you have my
interest piqued.


--

Back to your bridge Troll! You have no powers here!

Re: Looking for a Firewall for a Small Business

on 07.01.2007 23:09:47 by Bogwitch

Bryan wrote:
> Hello all,
>
> I've got a friend who owns a small business. He's got some employees
> that like to surf the web a bit too much and wants to limit their
> access to only a few sites. However, each employee needs to access
> different sites, so the typical parental control feature doesn't work
> so well. I've been trying to find him a firewall solution that will
> allow him to specify rules specific to IP addresses (similar to ACLs in
> a PIX I guess...), but all the router/VPN/firewall appliances I've
> looked at (such as Linksys, D-Link, etc) seem to want to do URL/domain
> limiting on a network-wide basis rather than based on IP. Short of me
> creating a custom Linux firewall solution, does anyone know of a
> product that would meet his needs? He doesn't need VPN, so finding
> something without the VPN option would be great.
>
Bryan,

Whilst the technical solutions offered appear to be adequate, your
friend should really think about having a security policy that does not
allow personal web surfing and enforces audit and accountability. That
way rather than having his employees spending all day attempting to
bypass the security measures to access the sites that they want to
access, they have the very real threat of disciplinary action or
dismissal if they fail to abide by the rules. By all means, install one
of the solutions suggested but without a suitable IT security policy
that is understood and agreed to by all his staff it would be largely
pointless.

Bogwitch

Re: Looking for a Firewall for a Small Business

on 07.01.2007 23:56:18 by Bryan

Christoph,

I like this idea... my corporation uses a web proxy to keep employees
from accessing certain sites. This requires our web browsers to be
configured to use the proxy. If our browsers are not configured
correctly, we cannot access the web at all. Is this possible with
Squid? Would it be possible with Squid to allow certain users to
access certain sites and other users to access other sites?

On Jan 7, 1:57 pm, Christoph Hanle wrote:
> DevilsPGD wrote:
> > In message <1168191168.016503.24...@v33g2000cwv.googlegroups.com>
> > "Bryan" wrote:
>
> >> I've got a friend who owns a small business. He's got some employees
> >> that like to surf the web a bit too much and wants to limit their
> >> access to only a few sites. However, each employee needs to access
> >> different sites, [..]
>
> > m0n0wall or pfSense would both do the trick.
>
> Hi,
> I am a fan of m0n0wall and sometimes of pfSense, but in this scenario,
> they are a wrong solution. Both have no possibility of building groups
> of IPs, so you have to build for every allowed IP and user a complete
> rule. A PIX 515 could do the job, but can't handle static entries in the
> DHCP-Server. One possible solution could be a Proxy (Squid) with
> authentication and ACLs.
>
> bye
> Christoph

Re: Looking for a Firewall for a Small Business

on 08.01.2007 02:10:53 by Reese

Hi Bryan,

You may wish to investigate the Cisco Product Advisor:

http://tools.cisco.com/GCT/PCTPST/index.jsp

as well as the Cisco Solution Designer:

http://www.ciscowebtools.com/sa2/child/1.0/index.asp

Sincerely,

Brad Reese
http://www.BradReese.Com

Re: Looking for a Firewall for a Small Business

on 08.01.2007 02:12:44 by AwPhuch

Bogwitch wrote in news:Lceoh.47018
$Qa6.28547@newsfe6-gui.ntli.net:


> Bryan,
>
> Whilst the technical solutions offered appear to be adequate, your
> friend should really think about having a security policy that does not
> allow personal web surfing and enforces audit and accountability. That
> way rather than having his employees spending all day attempting to
> bypass the security measures to access the sites that they want to
> access, they have the very real threat of disciplinary action or
> dismissal if they fail to abide by the rules. By all means, install one
> of the solutions suggested but without a suitable IT security policy
> that is understood and agreed to by all his staff it would be largely
> pointless.
>
> Bogwitch
>

Gotta give Bogwitch credit where credit is due. 100% right. Employees
need to be made aware of the acceptable uses for the internet, and of the
fallout if they fail to abide by them, and (required by law in some
areas) of the fact they are being watched.
So, by following this branch, perhaps you could look into a simple proxy
server/ firewall/ router combo. Again, you could look to something like
IPcop (with a couple add-ons) or a relative to sit silently between your
internal network and the modem. The key in my opinion is to keep the cost
low with high gains, so if you are partial to using name brand
appliances, by all means go with what you are comfortable with. I like
seeing otherwise useless old P2 boxes have a second chance at life ;-)
Block certain sites etc for the network as a whole, but enable the
logging feature so that the information is kept on file. Go a step
further and throw in a simple SNMP logging utility on one of your less
used servers (if any). If (when) you find a violation, just present the
offending employee with the information, and that is usually sufficient
to put a halt to it without getting management involved needlessly. If
the employees are aware that they are being watched, sometimes that is
more effective than implementing a high maintenance technical solution.

--

Back to your bridge Troll! You have no powers here!

Re: Looking for a Firewall for a Small Business

on 08.01.2007 03:50:03 by "Mr. Arnold"

Bryan wrote:
> Christoph,
>
> I like this idea... my corporation uses a web proxy to keep employees
> from accessing certain sites. This requires our web browsers to be
> configured to use the proxy. If our browsers are not configured
> correctly, we cannot access the web at all. Is this possible with
> Squid? Would it be possible with Squid to allow certain users to
> access certain sites and other users to access other sites?
>

You start getting too complicated with this and you'll be the one there
supporting it, count on it.

Re: Looking for a Firewall for a Small Business

on 08.01.2007 09:32:31 by DevilsPGD

In message <45a15e98$0$27625$9b4e6d93@newsspool2.arcor-online.net>
Christoph Hanle wrote:

>I am a fan of m0n0wall and sometimes of pfSense, but in this scenario,
>they are a wrong solution. Both have no possibility of building groups
>of IPs, so you have to build for every allowed IP and user a complete
>rule. A PIX 515 could do the job, but can't handle static entries in the
>DHCP-Server. One possible solution could be a Proxy (Squid) with
>authentication and ACLs.

m0n0wall would make you work for it, pfSense could be tricked into doing
the job using aliases...

--
If I were still loyal to the Goa'uld, you would know it.
It would be immediately apparent as I would not hesitate to kill you where you sit.
-- Teal'c

Re: Looking for a Firewall for a Small Business

on 08.01.2007 12:12:48 by unknown

Post removed (X-No-Archive: yes)

Re: Looking for a Firewall for a Small Business

on 08.01.2007 16:10:35 by God Rudy

On Sun, 07 Jan 2007 14:56:18 -0800, Bryan wrote:

> Christoph,
>
> I like this idea... my corporation uses a web proxy to keep employees
> from accessing certain sites. This requires our web browsers to be
> configured to use the proxy. If our browsers are not configured
> correctly, we cannot access the web at all. Is this possible with
> Squid? Would it be possible with Squid to allow certain users to
> access certain sites and other users to access other sites?
>

I use squid in "transparent mode", that means that the proxy is
invisible to the users. Not too difficult to configure.

Re: Looking for a Firewall for a Small Business

on 08.01.2007 16:28:38 by unknown

Post removed (X-No-Archive: yes)

Re: Looking for a Firewall for a Small Business

on 08.01.2007 18:22:05 by Christoph Hanle

Bryan wrote:
> Christoph,
>
> I like this idea... my corporation uses a web proxy to keep employees
> from accessing certain sites. This requires our web browsers to be
> configured to use the proxy. If our browsers are not configured
> correctly, we cannot access the web at all. Is this possible with
> Squid? Would it be possible with Squid to allow certain users to
> access certain sites and other users to access other sites?
>

Hi,
It can be done with a standard squid in non-transparent mode with user
authentication. You have to create the user, you have to create groups
of users and you have to create a list of allowed sites per group. Then
you have to bring it together with ACLs. If this is done, changes and
additions are easy to manage, but with a big handicap: squid needs a
restart after a change.
Unlike some others in this thread, I am talking about whitelisting and
not about blacklisting, this means only allow single sites, but not
allow all and only block certain sites or type of sites.
bye
Christoph
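
The setup described in the post above, as an added example that is not part of Christoph's post or of Squid's own documentation: a `squid.conf` fragment for an explicit (non-transparent) proxy with Basic authentication, user groups, and a whitelist of sites per group. The group names, list-file paths and helper path are assumptions; the authentication helper's name and location differ between Squid versions and distributions.

```conf
# squid.conf fragment -- constructed example; names and paths are assumptions.

# Explicit proxy port. Browsers must be pointed at it; proxy authentication
# does not work when traffic is intercepted transparently.
http_port 3128

# Basic authentication against an htpasswd-style password file.
# Helper path/name is an assumption; check what your package installs.
auth_param basic program /usr/lib/squid/basic_ncsa_auth /etc/squid/passwd
auth_param basic realm Office web proxy
auth_param basic credentialsttl 2 hours

# Matches any request that carries valid credentials.
acl authenticated proxy_auth REQUIRED

# User groups: each file holds one user name per line (hypothetical files).
acl grp_accounting proxy_auth "/etc/squid/groups/accounting.users"
acl grp_shipping   proxy_auth "/etc/squid/groups/shipping.users"

# Allowed sites per group: one domain per line. A leading dot, e.g.
# ".example.com", also matches every subdomain (hypothetical files).
acl sites_accounting dstdomain "/etc/squid/sites/accounting.domains"
acl sites_shipping   dstdomain "/etc/squid/sites/shipping.domains"

# HTTPS goes through the proxy as CONNECT host:443, so dstdomain still
# applies to it. Refuse tunnels to any other port.
acl SSL_ports port 443
acl CONNECT method CONNECT
http_access deny CONNECT !SSL_ports

# Rules are evaluated top to bottom; the first matching line decides.
# 1. No valid login: answer with an authentication challenge.
http_access deny !authenticated

# 2. Whitelisting: a group reaches only the sites on its own list.
http_access allow grp_accounting sites_accounting
http_access allow grp_shipping   sites_shipping

# 3. Everything else is refused, including valid users asking for a site
#    that is not on their group's list.
http_access deny all
```

`squid -k parse` checks the file for syntax errors before it is put into service.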

Re: Looking for a Firewall for a Small Business

on 08.01.2007 22:04:26 by DevilsPGD

In message Leythos
wrote:

>In article ,
>rudy@mail.attic.ccc says...
>> On Sun, 07 Jan 2007 14:56:18 -0800, Bryan wrote:
>>
>> > Christoph,
>> >
>> > I like this idea... my corporation uses a web proxy to keep employees
>> > from accessing certain sites. This requires our web browsers to be
>> > configured to use the proxy. If our browsers are not configured
>> > correctly, we cannot access the web at all. Is this possible with
>> > Squid? Would it be possible with Squid to allow certain users to
>> > access certain sites and other users to access other sites?
>> >
>>
>> I use squid in "transparent mode", that means that the proxy is
>> invisible to the users. Not too difficult to configure.
>
>But the real issue is getting a quality configuration that permits users
>to access the internet while blocking undesired content categories -
>like blocking "Shopping" or "Sports" or "Web Mail" sites - how does your
>solution provide that?

One option is to simply fire them for abusing company resources, and
review the URL list after the fact.

--
His voice is to entertainment what the kazoo is to classical music

Re: Looking for a Firewall for a Small Business

on 08.01.2007 22:38:28 by unknown

Post removed (X-No-Archive: yes)

Re: Looking for a Firewall for a Small Business

on 09.01.2007 00:51:36 by Bryan

In my case they only need access to one site on the web to do their
work. All other sites can be blocked.

Bryan

On Jan 8, 8:28 am, Leythos wrote:
> In article ,
> r...@mail.attic.ccc says...
>
> > On Sun, 07 Jan 2007 14:56:18 -0800, Bryan wrote:
>
> > > Christoph,
>
> > > I like this idea... my corporation uses a web proxy to keep employees
> > > from accessing certain sites. This requires our web browsers to be
> > > configured to use the proxy. If our browsers are not configured
> > > correctly, we cannot access the web at all. Is this possible with
> > > Squid? Would it be possible with Squid to allow certain users to
> > > access certain sites and other users to access other sites?
>
> > I use squid in "transparent mode", that means that the proxy is
> > invisible to the users. Not too difficult to configure.
>
> But the real issue is getting a quality configuration that permits users
> to access the internet while blocking undesired content categories -
> like blocking "Shopping" or "Sports" or "Web Mail" sites - how does your
> solution provide that?
>
> --
>
> spam999f...@rrohio.com
> remove 999 in order to email me

Re: Looking for a Firewall for a Small Business

on 09.01.2007 00:54:01 by Bryan

On Jan 8, 10:22 am, Christoph Hanle wrote:
> Bryan wrote:
> > Christoph,
>
> > I like this idea... my corporation uses a web proxy to keep employees
> > from accessing certain sites. This requires our web browsers to be
> > configured to use the proxy. If our browsers are not configured
> > correctly, we cannot access the web at all. Is this possible with
> > Squid? Would it be possible with Squid to allow certain users to
> > access certain sites and other users to access other sites?
>
> Hi,
> It can be done with a standard squid in non-transparent mode with user
> authentication. You have to create the user, you have to create groups
> of users and you have to create a list of allowed sites per group. Then
> you have to bring it together with ACLs. If this is done, changes and
> additions are easy to manage, but with a big handicap: squid needs a
> restart after a change.
> Unlike some others in this thread, I am talking about whitelisting and
> not about blacklisting, this means only allow single sites, but not
> allow all and only block certain sites or type of sites.
> bye
> Christoph

This sounds exactly like what I'm wanting to do. I'll give it a go.
Can you point me in the direction of one or two tutorials on how to
configure Squid in this manner?

Re: Looking for a Firewall for a Small Business

on 09.01.2007 00:57:54 by unknown

Post removed (X-No-Archive: yes)

Re: Looking for a Firewall for a Small Business

on 10.01.2007 22:58:42 by Reese

Hi Bryan,

AmiWall

Reduce employee personal Internet usage during the working day.

Increase respect of your corporate Internet usage policy, provide open
and honest feedback such as WebMail use during work hours.

Plugs into an existing proxy or firewall such as Squid.

http://sourceforge.net/projects/amiwall/

Sincerely,

Brad Reese
Cisco Tools
http://www.bradreese.com/cisco-tools.htm

Re: Looking for a Firewall for a Small Business

on 11.01.2007 21:15:21 by daniel

Did you see the Check Point solution?
Today they have a firewall for small business, safe@. This firewall
has a web filtering service with categories... I have this firewall
installed at some customers and it works very well.
If you want more information you can access this URL:
http://www.sofaware.com/products.aspx?boneId=152&objId=26&nsId=143


Daniel

Bryan wrote:
> Hello all,
>
> I've got a friend who owns a small business. He's got some employees
> that like to surf the web a bit too much and wants to limit their
> access to only a few sites. However, each employee needs to access
> different sites, so the typical parental control feature doesn't work
> so well. I've been trying to find him a firewall solution that will
> allow him to specify rules specific to IP addresses (similar to ACLs in
> a PIX I guess...), but all the router/VPN/firewall appliances I've
> looked at (such as Linksys, D-Link, etc) seem to want to do URL/domain
> limiting on a network-wide basis rather than based on IP. Short of me
> creating a custom Linux firewall solution, does anyone know of a
> product that would meet his needs? He doesn't need VPN, so finding
> something without the VPN option would be great.

Re: Looking for a Firewall for a Small Business

on 13.01.2007 02:02:50 by Bryan

Daniel,

I looked into this and it looks very promising. Since the firewall has
antivirus and antispam capabilities, is it safe to not have antivirus
software on the machines behind it? Do the web filtering services
support white listing (block all sites, only allowing ones on a list)?

Thanks!

On Jan 11, 1:15 pm, "Daniel" wrote:
> Did you see the check point solution?
> Today they have a firewall for small business, safe@. this firewall
> have a webfiltering service with categories...I have this firewall
> installed at some customers and it's work very well.
> If want more information you can access this url:
> http://www.sofaware.com/products.aspx?boneId=152&objId=26&nsId=143
>
> Daniel
>
>
>
> Bryan wrote:
> > Hello all,
>
> > I've got a friend who owns a small business. He's got some employees
> > that like to surf the web a bit too much and wants to limit their
> > access to only a few sites. However, each employee needs to access
> > different sites, so the typical parental control feature doesn't work
> > so well. I've been trying to find him a firewall solution that will
> > allow him to specify rules specific to IP addresses (similar to ACLs in
> > a PIX I guess...), but all the router/VPN/firewall appliances I've
> > looked at (such as Linksys, D-Link, etc) seem to want to do URL/domain
> > limiting on a network-wide basis rather than based on IP. Short of me
> > creating a custom Linux firewall solution, does anyone know of a
> > product that would meet his needs? He doesn't need VPN, so finding
> > something without the VPN option would be great.

Re: Looking for a Firewall for a Small Business

on 14.01.2007 02:25:58 by "Mr. Arnold"

> is it safe to not have antivirus
> software on the machines behind it?

That would be very foolish with users that will stick a CD or diskette into
a drive that can have a virus, with it spreading to the machines on the
network. The FW and its AV that's protecting from Internet access will
most likely be nowhere to be found in a LAN situation.