Small office dilemma - "the firewall" - suggestions?

pete_c

Guru
S - Small office of say less than 30 folks.  Restrict access per machine or per user on Windows 7 workstation to 1-2 websites only. No access to anything else.
O - Hardware - Netgear WNR2000 - new desktops running Windows 7
A - Netgear WNR2000 - allows functionality of blacklisting / whitelisting websites but it appears that I cannot do much granular stuff with it.
P - Make suggestions; implement using Netgear or PFSense?
 
Quandary
 
The issue here is to restrict certain employees to only utilizing 3-4 websites; restricting any wandering to other sites.  Budget consideration: most inexpensive means possible, with the least maintenance and support.
 
I have seen a per-workstation kludge of making adjustments to default settings relating to hosts files, browsers, et al.
 
Over the last year I have become familiar with the PFSense firewall.  That said, I can do this easily with PFSense and I do not see a way to do this with the Netgear WNR2000.  The workstation methodology appears to be a bit of a kludge.
 
Any suggestions?
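For readers wondering what "doing this with pfSense" actually looks like at the packet-filter level, here is an added example (not part of this thread or pfSense's own documentation) of a pf ruleset that lets one restricted workstation reach only a short list of sites and nothing else. The interface name, addresses and site names are placeholders; in the pfSense GUI the same thing is a Host(s) alias holding the FQDNs plus one pass rule and one block rule on the LAN interface.

```pf
# Added example, not from the thread: "deny everything except a few sites" for one LAN host.
# Assumptions (all placeholders): LAN interface em1, LAN subnet 192.168.1.0/24,
# firewall LAN address 192.168.1.1, restricted workstation 192.168.1.50.
lan_if     = "em1"
restricted = "192.168.1.50"
fw_lan     = "192.168.1.1"

# Hostnames in a pf table are resolved to addresses when the ruleset is loaded
# (pfctl -f /etc/pf.conf). pfSense re-resolves FQDN aliases on a timer, so a site
# that moves to a new address keeps working there; plain pf needs a reload.
table <allowed_sites> { www.example.com, portal.example.net }

# Default for the restricted host: drop and log everything it tries to send out.
block in log on $lan_if from $restricted to any

# DNS only to the firewall's own resolver. Allowing port 53 to "any" would let
# the user resolve, and tunnel over, anything they like.
pass in quick on $lan_if proto { tcp udp } from $restricted to $fw_lan port 53

# HTTP/HTTPS only to the allow-listed addresses; last-match semantics are
# overridden by "quick", so these win over the block above for matching traffic.
pass in quick on $lan_if proto tcp from $restricted to <allowed_sites> port { 80 443 }
```

Two caveats a practitioner will hit with this approach. First, the rule matches addresses, not the hostname the user typed: a site hosted on a shared CDN address lets the user reach any other site on that address, and a site that answers from several addresses or rotates them will intermittently break until the alias re-resolves. Second, if hostname-level control matters (for example only one of several sites behind one address), a filtering web proxy on the firewall, which pfSense offers as packages, is the tool for that job rather than firewall rules alone.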
 
I recently went with Pfsense at my house as I was getting poor performance from my "high-end" consumer router (oxymoron). I also wanted more security and the ability to blacklist certain types of sites for my family. So far so good so that is what I would recommend but I'm still really a Pfsense novice; mainly because it has just worked and I haven't had to play with it.
 
Thank-you dgage.
 
Personally I like what I have seen using PFSense now for a few months and comparing it to the embedded in a box type firewall.  I have used/using DD-WRT.  I always liked it.
 
This morning the concern (conversation) has taken on a new twist of sorts dealing with the "addiction" or "right" of using the computer for personal communications on social web sites et al versus being a productive employee sticking to defined "job description".   The PDA phone (office rules) is put in the employees room / section of the office to dissuade texting.
 
It's difficult in a small office environment. 
 
I think it comes down to how much maintenance you want to do, and what sort of hardware you want to set up.  I've seen a couple of options...  1) is of course things like a DD-WRT router and/or PFSense - if you want to run that many machines; or you can run a proxy/firewall...
 
If I wanted to keep things stupidly simple, I'd consider a UTM - in my house I'm using a Netgear UTM5 right now - I'm not paying for all the subscription stuff, but if I were, it has all sorts of malware and email blocking inbound and outbound as well as website filtering - all built into the one little box.
 
Another option I was turned onto not too long ago - is using Kerio software on a small dedicated box as an all-in-one.  I removed it at one of my clients who wasn't properly licensed in favor of doing things a different way with Cisco routers and VPN - but it wasn't a bad option at all - very easy to use and very flexible.  I had it virtualized, but the local Kerio consultant recommended getting a custom one of these boxes: http://www.mitxpc.com/proddetail.asp?prod=EKIAD2500DL&cat=209
Not a bad little machine - would be good for HA too - has serial ports, Dual NICs, etc
 
Thank-you Work2Play.
 
She has been doing IT in her business mostly when necessary or per function. 
 
The business is at a juncture now relating to having to utilize (mandate) online web services for data entry and multitasking employee(s).
 
I've used DD-WRT and recently made the transition to pfSense - and it was at just the right time! I've used a lot of features of DD-WRT and in the back of my mind was always the threat of the hardware failing and then worrying about finding another router that supported the features I wanted, such as VLANs, and having to manually configure it all over again. I sure wasn't planning on keeping a duplicate router as a spare around, so not long ago I started looking at other options. As it goes... my router failed right as I was making the transition - a slow death, of course. pfSense gives me the granular controls I want along with integrating my OpenVPN endpoint. To make sure I never have to worry about hardware issues I've virtualized it. But even if you do need to swap out hardware it's just a matter of assigning the NICs.
 
Hi pete_c,
 
Have you had a look at Mikrotik's RouterOS? They sell appliances as well. I'm looking at this as an option to segment up my network when I actually get to move into my house. However, a few guys at work are using it, and from what I've seen the power to price ratio is amazing.
 
I'm assuming there is a reseller in the US somewhere.
 
Jori
 
Work2Play said:
If I wanted to keep things stupidly simple, I'd consider a UTM - in my house I'm using a Netgear UTM5 right now - I'm not paying for all the subscription stuff
 
JOOC why did you buy one of the UTM models if you weren't going to use those features?
 
Color me confused.
 
pete_c said:
S - Small office of say less than 30 folks.  Restrict access per machine or per user on Windows 7 workstation to 1-2 websites only. No access to anything else.
 
The issue here is to restrict certain employees to only utilizing 3-4 websites; restricting any wondering to any other sites.  Budget consideration; most inexpensive means possible
 
Any suggestions?
 
Given that it is a business environment I would suggest that you not buy too cheaply.
 
What is the budget for hardware? Do you have a budget for an annual subscription?
 
Thank-you folks,
 
No real IT budget; whatever worked was basically purchased from wherever.  There is a yearly sub for the office management software.
 
pete_c said:
Thank-you folks,
 
No real IT budget; whatever worked was basically purchased from wherever.  There is a yearly sub for the office management software.
 
Hey Pete,
 
A "traditional" firewall for the most part prevents outsiders from "breaking in". However, it doesn't do a thing about insiders downloading some file that is dangerous. That is where UTM comes in - UTM stands for "Unified Threat Management".
 
It is a set of features that are "added" to a traditional firewall type of device - these features encompass Anti-Virus, Anti-Spam, Anti-Malware, Content Filtering, Intrusion Prevention and more. These features help protect the insiders from doing foolish things and visiting places that the boss has decided are off limits.
 
Because the "bad guys" are forever thinking up new ways to do bad things, the makers of these devices have to constantly update their database of how to combat the bad guys' latest inventions. So to keep your device loaded with the latest information, the makers use a subscription model where you pay a recurring fee and your device gets automatically updated.
 
The fee is often a significant fraction of the original cost of the hardware.
 
For example:
 
http://www.firewalls.com/firewall/sonicwall-firewall/sonicwall-tz?p=h
 
You can check the prices of the hardware and the recurring fees. For instance their entry level device costs (in round numbers) $300 and an annual subscription is $200.
 
I think it is money well spent if it keeps your network up and running - downtime has costs too.
 
Jozza said:
Hi pete_c,
 
Have you had a look at Mikrotik's RouterOS? They sell appliances as well. I'm looking at this as an option to segment up my network when I actually get to move into my house. However, a few guys at work are using it, and from what I've seen the power to price ratio is amazing.
 
I'm assuming there is a reseller in the US somewhere.
 
Jori
If you don't mind the learning curve, the RouterBoards are pretty cost effective and very powerful.  The features you can get in a 5-port gigabit box are amazing, such as VPN server, site-to-site VPNs, custom DHCP, DNS server, filtering/firewall, etc. - but it's a HUGE learning curve - there are no hints in the UI - it's barebones access to raw functionality and you need to know enough about what you're doing.  Pete I'm sure could handle it just fine - but it's not for the faint of heart.  I've used them for a couple of clients, and I'm looking at a VOIP project that'll use about 20 of them to get remote VOIP phones on-network that don't have VPN functionality built in (reusing old hardware).
 
Frederick C. Wilt said:
JOOC why did you buy one of the UTM models if you weren't going to use those features?
 
Color me confused.
When I made the transition, it was abrupt because I was transitioning off a company-owned Cisco router that had a permanent VPN into the office and supported my VOIP extension at home, as well as other things I needed.  It was quick and easy to put this UTM in and it supported VPN into the house, multiple VLANs and some other features I needed.  Since then, my needs have changed again - and I'm actually kinda back to needing a Cisco router again to be a member of my new company's DMVPN but haven't gotten around to that just yet.  My own network is the last of my priorities.
 
I don't know if I specifically found it mentioned... Do you need to restrict access on all computers, or only certain ones?
 
Yup; it's restricting all internet web site access except for 2-3 websites, starting initially on one computer in the office. 
 
I can do this with PFSense. 
 
I cannot though do it with the Netgear that is utilized there today.
 
I did write to the PFsense folks regarding an if-then scenario of a primary build and setup, then a sub to their support services.  They did respond that they do offer subs for maintenance and support.
 
Thank you guys for your suggestions. 
 