Small office firewall

Jaybk26

Jan 28, 2014
Hey everyone,

I've been asked to find a good firewall for a small office (20-30 employees) but I don't have much experience with them. It needs to be able to block classes of websites (i.e. no pornography), and keep everything a little safer.

I'm presently looking at the SonicWall TZ215, but noticed that in order to block entire classes of websites I'd have to purchase a subscription to their Content Filtering Service. This might be doable, but we'd prefer something that wouldn't require a recurring subscription.

So my main two questions are:

1. Has anyone had any experience with the TZ 215 and their Content Filtering Service? Would that be an intelligent choice for my needs?

2. Does anyone know of a firewall that can block classes of websites without requiring a recurring subscription?

Thanks in advance for your time and advice!
 
Solution
The last time I did this with free lists I was using a squid proxy. This is a list of those
http://www.squidguard.org/blacklists.html

You would have to find similar black lists designed to run on your platform. Some of these are simple files and can be converted with small scripts from one form to another.

OpenDNS runs on many consumer-grade routers. The lowest subscription for OpenDNS uses their filter categories with little ability to make changes, but it is very cheap.

I never use OpenDNS because all you have to do to defeat it is change the DNS in your PC to 8.8.8.8 or any of the other public DNS servers. If you attempt to force use of only OpenDNS by blocking port 53, then they just use a different port or key in host entries or...
This is the huge problem with content filters. You have to pay the poor guys who have to surf porn all day long to make the lists :)

There are a couple of open source lists you should be able to load into the SonicWall manually, but what you are paying for is the ease and convenience when you buy subscription lists. FortiGate is also a good one to look at for content filtering. Of course the best one I have ever found is Blue Coat, but their subscriptions are outrageous. You can try out the Blue Coat filter lists by loading a PC product designed to protect families called K9 that is free and uses the exact same filter list.

This is a tough problem but the way filter lists are normally sold to management in a US based company is to look at the costs of a hostile workplace lawsuit. It only takes a couple to pay for the filter lists for many years.

You also need to look at how you bypass these systems and outmaneuver the "smart" guys who do things like use other DNS servers or the hosts file to bypass OpenDNS, or use a proxy or VPN server to block the filter lists. Blue Coat calls these sites "proxy avoidance" as a group.

You can also block the guys that try to use OpenVPN to open a session to their house after you block all the public VPN sites. OpenVPN does not follow the standards for the SSL traffic it is trying to spoof, so many firewalls can now detect this with deep packet inspection. There are VPN clients though that are not detectable because they really run SSL, and a private proxy running over HTTPS is also not detectable.

The other one you of course want to block is BitTorrent. Mostly this is to prevent the cease and desist letters you get from the RIAA, but many people download lots of porn with this too. You only want to leave open the common ports and then set the firewall to inspect the traffic to ensure it is not a VPN. Many firewalls can detect BitTorrent over SSL much like they can detect OpenVPN.
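The post above says the free squidGuard lists are simple files that a small script can convert to whatever your platform takes. Here is one such script, as an added example for this thread (it is not squidGuard's own tooling or the poster's code). It reads a squidGuard-style `domains` file (one host or domain per line, `#` comments), normalises and validates the entries, drops entries already covered by a parent domain, and emits the same list in three formats that the respective tools accept: dnsmasq `address=` lines, unbound `local-zone ... always_nxdomain` lines, and a Squid `dstdomain` ACL file. The input below is a constructed sample; the output file names are assumptions.

```python
"""Convert a squidGuard-style blacklist 'domains' file into block lists for
dnsmasq, unbound and a Squid dstdomain ACL.

Added example for this thread, not squidGuard's or the poster's code.
The input is a constructed sample in squidGuard's one-entry-per-line format.
"""
import re

# One DNS label: 1-63 chars of [a-z0-9-], not starting or ending with '-'.
_LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")

# Constructed sample input (squidGuard 'domains' format). It deliberately
# contains a comment, mixed case, a leading dot, a subdomain of a listed
# parent, a malformed line and a duplicate.
SAMPLE_SQUIDGUARD_DOMAINS = """\
# constructed sample: squidGuard 'domains' file, one host/domain per line
example-adult.test
www.example-adult.test
.Tracker.example.test
cdn.tracker.example.test
Bad Entry.test
example-adult.test
"""


def is_valid_domain(name: str) -> bool:
    """Accept only syntactically valid names with at least two labels."""
    labels = name.split(".")
    return len(labels) >= 2 and all(_LABEL.match(lbl) for lbl in labels)


def normalise(lines):
    """Yield (domain, ok) pairs: lower-cased, comment-stripped, deduplicated."""
    seen = set()
    for raw in lines:
        entry = raw.split("#", 1)[0].strip().lower().strip(".")
        if not entry:
            continue                      # blank or comment-only line
        if not is_valid_domain(entry):
            yield entry, False            # report what we could not parse
            continue
        if entry in seen:
            continue                      # exact duplicate
        seen.add(entry)
        yield entry, True


def collapse(domains):
    """Drop entries covered by a parent entry in the same list.

    Resolver- and proxy-level blocks match the whole subtree, so listing
    'www.x.test' next to 'x.test' is redundant. A bare TLD is never treated
    as a parent, so 'x.test' is not collapsed into 'test'.
    """
    keep = set(domains)
    result = []
    for dom in keep:
        parts = dom.split(".")
        parents = (".".join(parts[i:]) for i in range(1, len(parts) - 1))
        if any(p in keep for p in parents):
            continue
        result.append(dom)
    return sorted(result)


def convert(text: str) -> dict:
    """Return the cleaned domain list plus the three rendered block lists."""
    good, rejected = [], []
    for entry, ok in normalise(text.splitlines()):
        (good if ok else rejected).append(entry)
    domains = collapse(good)
    return {
        "domains": domains,
        "rejected": rejected,
        # dnsmasq: address=/domain/0.0.0.0 sinkholes the domain and subdomains
        "dnsmasq": "\n".join(f"address=/{d}/0.0.0.0" for d in domains) + "\n",
        # unbound: local-zone with always_nxdomain returns NXDOMAIN for the zone
        "unbound": "\n".join(f'local-zone: "{d}" always_nxdomain' for d in domains) + "\n",
        # squid dstdomain ACL file: a leading dot matches the domain and subdomains
        "squid": "\n".join(f".{d}" for d in domains) + "\n",
    }


if __name__ == "__main__":
    out = convert(SAMPLE_SQUIDGUARD_DOMAINS)
    # Assumed output file names; point them at your own config directory.
    for fmt, fname in (("dnsmasq", "blocked.dnsmasq.conf"),
                       ("unbound", "blocked.unbound.conf"),
                       ("squid", "blocked_domains.acl")):
        with open(fname, "w") as fh:
            fh.write(out[fmt])
    print(f"{len(out['domains'])} domains written; rejected: {out['rejected']}")
```

For Squid the generated file is used with an ACL such as `acl blocked dstdomain "/etc/squid/blocked_domains.acl"` followed by `http_access deny blocked`. Keep the `rejected` list in the output: a category file with hundreds of thousands of lines will usually contain a few malformed entries, and silently dropping them is how a block list ends up weaker than you think it is.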
 


I'm new to the configuration phase of content filters. What is OpenDNS run on? Would it run from the firewall? Or would I need a server?
 
Thanks for the well phrased, useful advice. I'm fine with a little more work. Do you happen to have a list of those open source content filters, and maybe a link or two on how to set it up? I apologize for my inexperience, I'm a little out of my league.

 
I never use OpenDNS because all you have to do to defeat it is change the DNS in your PC to 8.8.8.8 or any of the other public DNS servers. If you attempt to force use of only OpenDNS by blocking port 53, then they just use a different port or key in host entries or access machines via IP address only.
OpenDNS only stops the people who are too lazy to try to bypass it. It is easy and cheap to run though, so many people still use it.
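The bypasses the poster lists (pointing a PC at 8.8.8.8, moving DNS to a different port once 53 is blocked) do leave a trace in the firewall's connection log, and the one thing a DNS-based filter cannot afford is clients talking to resolvers other than the office one. Here is a small detector over such a log, as an added example for this thread (not the poster's code, and not tied to any particular firewall). It assumes a simple `key=value` connection log, an office resolver at 10.0.1.2 that is the only sanctioned DNS destination, and a set of well-known public resolver addresses (Google Public DNS and OpenDNS); the log lines are constructed.

```python
"""Flag LAN hosts that route DNS around the office resolver.

Added example for this thread, not the poster's code. It assumes a
key=value connection log of the general kind firewalls emit; the format,
the resolver addresses and the sample lines are all constructed here.
"""
import re
from collections import defaultdict

# Assumed office resolver(s): the only place LAN clients should send DNS.
APPROVED_RESOLVERS = {"10.0.1.2"}
# Well-known public resolvers (Google Public DNS, OpenDNS). A client talking
# to these on any port is trying to use them directly.
KNOWN_PUBLIC_RESOLVERS = {"8.8.8.8", "8.8.4.4", "208.67.222.222", "208.67.220.220"}
DNS_PORT = 53
DOT_PORT = 853   # DNS over TLS: encrypted DNS that skips the office resolver entirely

# Constructed sample log. Line 1 is normal, line 2 is ordinary HTTPS, lines
# 3-4 are a host using Google DNS on port 53 and then on another port after
# 53 was blocked, line 5 is DNS over TLS, line 6 is the office resolver
# itself forwarding upstream to OpenDNS (must not be flagged).
SAMPLE_LOG = """\
2014-01-28T09:15:02 proto=udp src=10.0.1.23 sport=51234 dst=10.0.1.2 dport=53 action=allow
2014-01-28T09:15:03 proto=tcp src=10.0.1.23 sport=51240 dst=198.51.100.7 dport=443 action=allow
2014-01-28T09:16:10 proto=udp src=10.0.1.45 sport=40011 dst=8.8.8.8 dport=53 action=allow
2014-01-28T09:16:11 proto=tcp src=10.0.1.45 sport=40012 dst=8.8.8.8 dport=5353 action=drop
2014-01-28T09:17:30 proto=tcp src=10.0.1.77 sport=33001 dst=203.0.113.5 dport=853 action=allow
2014-01-28T09:18:00 proto=udp src=10.0.1.2 sport=39000 dst=208.67.222.222 dport=53 action=allow
"""

_KV = re.compile(r"(\w+)=(\S+)")


def parse_line(line: str):
    """Parse '<timestamp> k=v k=v ...' into a dict, or None if fields are missing."""
    ts, _, rest = line.partition(" ")
    fields = dict(_KV.findall(rest))
    if not {"src", "dst", "dport", "proto"} <= set(fields):
        return None
    fields["ts"] = ts
    fields["dport"] = int(fields["dport"])
    return fields


def classify(rec: dict):
    """Return a reason string if the record looks like a DNS bypass, else None."""
    if rec["src"] in APPROVED_RESOLVERS:
        return None                      # the resolver forwarding upstream is expected
    dst, port = rec["dst"], rec["dport"]
    if port == DOT_PORT:
        return "dns_over_tls"
    if port == DNS_PORT and dst not in APPROVED_RESOLVERS:
        return "external_dns"
    if dst in KNOWN_PUBLIC_RESOLVERS:
        return "public_resolver_other_port"
    return None


def find_bypass(log_text: str):
    """Scan the log and return one finding per suspicious connection.

    Dropped connections are reported too: the block worked, but the attempt
    tells you which host to go and talk to.
    """
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        reason = classify(rec)
        if reason:
            findings.append({"ts": rec["ts"], "src": rec["src"], "dst": rec["dst"],
                             "dport": rec["dport"], "action": rec.get("action"),
                             "reason": reason})
    return findings


def hosts_by_reason(findings):
    """Collapse findings into {client: [reasons]} for a quick daily report."""
    summary = defaultdict(set)
    for f in findings:
        summary[f["src"]].add(f["reason"])
    return {host: sorted(reasons) for host, reasons in summary.items()}


if __name__ == "__main__":
    results = find_bypass(SAMPLE_LOG)
    for f in results:
        print(f"{f['ts']} {f['src']} -> {f['dst']}:{f['dport']} ({f['action']}): {f['reason']}")
    print(hosts_by_reason(results))
```

This only catches the bypasses that cross the firewall as DNS. Hosts-file entries and browsing by IP address, the other two tricks the poster mentions, generate no DNS at all, which is why a DNS-only filter is a weak place to stop; those need the URL or destination checked at a proxy or by the firewall itself.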

 
Solution
We've used a number of the Sonicwall TZ firewalls for several small businesses, and have a couple currently running the Content Filtering services as well. One in particular is a TZ 215 unit at our library running content filtering for the public computers. I can tell you it is very effective and very easy. You can set up multiple content filtering policies and apply them to groups of computers, single computers, or entire network ranges.

The only other thing that I have played around with some that can do content filtering is a pfSense box. This requires installing the specialized linux distribution on a computer system and setting it up either as your gateway or as a transparent filter device on the outside of your network. The problem here is again it requires manually managing lists of blocked and allowed sites. I think this can be simplified by subscribing to providers that have pre-made and managed lists available that can be plugged into the pfSense box, but I don't know of any that are free.

Given all the additional benefits you get with the pre-built Sonicwall devices, including gateway antivirus, support, multi-LAN, VLAN, and multi-WAN options, it just makes sense to spend the money on a Sonicwall for most businesses. Much less of a hassle. And if content filtering is a must for the business needs, then the subscription cost per year is well worth it for the simplicity.
 
