Proxy Servers

wickedy · 2 Aug 2006 at 11:03

Lo.

I'm after some assitance in identifying makes and models of hardware proxy servers. Someone has suggested a Blue Coat unit but I haven't been able to locate any other manufacturers that make hardware units.

Basically, one would be used to sit in our technology room (so pref. 19" rackmount unit) to perform content filtering on our new broadband conection.

Any assistance would be most welcome.

Thanks!

bigredshark · 2 Aug 2006 at 11:16

There are a few hardware units out there but they generally have extra capabilities beyond a proxy server, my preference as a proxy server would still be a 1U server running squid, providing you have someone who can administer it...

wickedy · 2 Aug 2006 at 11:20

Erm. No. Probably not.

Just after something that we requires the minimum of setup really.

Either way, can you suggest any manufacturers>

bigredshark · 2 Aug 2006 at 11:34

Well, you have a couple options, first up, do you need the proxy or are you just looking for filtering of web traffic.

If it's just filteringthen you're best with some form of netscreen, probably a 25 or 208 would suit most offices, it has good filtering capability and is also possibly the best firewall about.

If you want a proxy appliance then you could look at the following:

IronPort S300 - Capable but expensive...
Astaro Security Gateway 220 - Really superb appliance that does a lot
Bloxx CF100 - possibly closest to what you want, never used it though...

Bluecoat make a product called webfilter but it has to run on another of their appliances, like the AV200, which does antivirus too. so it works out expensive. They've made a good rep for themselves of late though

personally I'd get the netscreen or an Astaro box, hope that helps, any questions...gofor it!

wickedy · 2 Aug 2006 at 11:51

Well, I need to set up a small (6 max PCs) network at work for the sole purpose of providing a "Internet Cafe" style setup. It has to be a wired network.

Now, I hold my hands up and freely admit I know nowt about networking hardware. I've been reliably informed that, once I get the cable broadband sorted out, and wired into our Technology Room, I will need:

- a firewall; connected to
- a proxy server; connected to
- a network switch, which will in turn be connected to our computers via our in-house hardwired trunking.

I believe I need a proxy server to perform the content filtering - to block access to sites deemed unsuitable for viewing at work (i.e. those that contain racist, homophobic, sexist, defamatory, offensive, illegal or otherwise inappropriate material).

So far, I'm considering either a Cisco PIX 501 or Juniper NetScreen 5GT for the firewall. I've had the Blue Coat Proxy SG200 suggested for the Proxy Server and I'll find a suitable unmanaged (I think that's what I need) switch after I've got the other bits finallised.

Now, not knowing a huge amount (nothing) about what a proxy server can do, I don't exactly know what I should be looking for. Am I correct in stating the proxy servers can also provide anonymous internet browsing??

Also, where does antivirus scanning come into the equation?

Ta for the assitance. Please jot down anything you think may be of use!

bigredshark · 2 Aug 2006 at 12:04

In that scenario the firewall and proxy/web filter can easily be the same box, I believe the netscreen might have ability to do it even. The astaro box I mentioned is a good enough firewall that it could do both as well.

To be honest the setup you're talking about is very expensive for 6 machines, given what you've now said, I'd go for a netscreen 5GT and use surfcontrol on it. this does web filtering and is as good as any proxy appliance. surcontrol runs on a seperate machine (may as well be the cheapest 1u dell you can find).

more info here..

http://www.surfcontrol.com/Default.aspx?id=885&mnuid=1.1.9.1

and no, it can't do anonymous web browsing in this scenario, thats a idffernet use of proxy.

Only other thing I'd say is don't get the PIX, it's capable but a config nightmare (and thats coming from me, i have a CCNP)

Phemo · 2 Aug 2006 at 12:17

A NetScreen 5GT is a good idea. It can do SurfControl content filtering and it also supports WebSense on an external box. This would cover your content filtering needs but obviously it won't cache - depends how important caching is to you really? If you're not bothered about caching then definitely just a firewall is all you'd need. You can pick up a standard 5GT for under £300 (I think - I got my 5GT ADSL Wireless for free

).

Also, to clarify - Blue Coat's content filtering is SmartFilter which would need to be installed on an SG box. The AVs are just for antivirus scanning and they also need an SG to function.

Edit: NetScreen can also do content filtering from an internal database but this requires a Juniper license to do so. No idea how much this costs but if you did get a NetScreen it comes with 30 day eval licenses for optional extras such as Antispam, URL Filtering, Antivirus and Deep Inspection so you'd be able to try the Integrated URL Filtering out first.

img · 2 Aug 2006 at 12:56

we run a finjan unit

Finjan.com

provides surfcontrol, antispyware, antivirus etc depending what you get

Suggest you take a look. If you find you get something through it and can prove it they will give you money back or soemthing they are that confident.

#Chri5# · 2 Aug 2006 at 13:05

Have a look at the SonicWall TZ170 - that's a decent firewall which can also run content filtering. There's also a gateway anti-virus / intrusion protection option which can stop spyware and selected traffic types (for instance P2P).

If you want 1U rack solution, the Pro 2040 fits that bill but it's a bit overkill for 6 users.

wickedy · 2 Aug 2006 at 13:39

Phemo said:
Edit: NetScreen can also do content filtering from an internal database but this requires a Juniper license to do so. No idea how much this costs but if you did get a NetScreen it comes with 30 day eval licenses for optional extras such as Antispam, URL Filtering, Antivirus and Deep Inspection so you'd be able to try the Integrated URL Filtering out first.

Ah....

So, if I were to purchase the NS 5GT, I wouldn't necessarily need a proxy server for content filtering as the 5GT could do all that you've listed once I purcased the required license(s)...?

So a proxy server is basically designed for larger installations?

bigredshark · 2 Aug 2006 at 15:08

wickedy said:
Ah....

So, if I were to purchase the NS 5GT, I wouldn't necessarily need a proxy server for content filtering as the 5GT could do all that you've listed once I purcased the required license(s)...?

So a proxy server is basically designed for larger installations?

Yes, exactly!

Do not get the sonicwall, they're rubbish compared to the netscreens, there's a reason all the corporates run netscreens or PIXs

wickedy · 2 Aug 2006 at 15:13

bigred, phemo, et al,

Thanks muchly.

I could be back with more questions later but this is more than enough to get me going.

Cheers chaps.

FordPrefect · 2 Aug 2006 at 15:18

With a 5GT if you order the right option you can also get trend virus filtering built in. That on top of websense will pretty much give you everything that you were looking for from the proxy server except for caching but for only 6 PCs its probably not worth it.

wickedy · 3 Aug 2006 at 15:47

I'm back, and almost as confused as before.

bigredshark said:
To be honest the setup you're talking about is very expensive for 6 machines, given what you've now said, I'd go for a netscreen 5GT and use surfcontrol on it. this does web filtering and is as good as any proxy appliance. surcontrol runs on a seperate machine (may as well be the cheapest 1u dell you can find).

more info here..

http://www.surfcontrol.com/Default.aspx?id=885&mnuid=1.1.9.1

I've had a look at the netscreen product specs and at the surcontrol site and i'm confused. The 5GT comes with surfcontrol on it (I think) or do I need to install surfcontrol onto a seperate machine (a 1U dell jobbie) which is connected to the 5GT?

edit: Hang on.... Surfcontrol comes with it bu needs to be installed on the seperate but connected unit. I don't need to buy it seperatly. Yes??!? :confused:

FordPrefect · 3 Aug 2006 at 16:04

wickedy said:
I'm back, and almost as confused as before.

I've had a look at the netscreen product specs and at the surcontrol site and i'm confused. The 5GT comes with surfcontrol on it (I think) or do I need to install surfcontrol onto a seperate machine (a 1U dell jobbie) which is connected to the 5GT?

edit: Hang on.... Surfcontrol comes with it bu needs to be installed on the seperate but connected unit. I don't need to buy it seperatly. Yes??!?

You will need to install surfcontrol on another machine, the netscreen will then query the machine with surfcontrol on it.

wickedy · 3 Aug 2006 at 16:23

bigredshark · 3 Aug 2006 at 17:08

i have a couple of NS5 GTs in members market as it happens, in case it helps.

also, yes, you need to install surfcontrol on another machien which it'll query

derfderfley · 3 Aug 2006 at 17:39

How about the "Netpilot" range of products from equiinet. It will do everything you want in one box.

One thing to note, with most solutions you will have pay year on year licence costs for URL filtering / anti-virus / anti-spam. Factor these costs into any decision you make.

Lummux · 3 Aug 2006 at 22:00

derfderfley said:
How about the "Netpilot" range of products from equiinet. It will do everything you want in one box.

One thing to note, with most solutions you will have pay year on year licence costs for URL filtering / anti-virus / anti-spam. Factor these costs into any decision you make.

yeah these are really good, we have three and i cant fault them.