Looking for the best web filter appliance

[sc302 Veteran]

I know that this is a bit of a loaded question being that most only have dealt with maybe one appliance.  I have dealt with a few appliances.  I am really looking for the few that have multiple appliance experience with them.  I was a barracuda reseller in a past life so I am pretty familiar with the caveats of that product (slow interface), heavy memory load on custom block/accept rules.  Good appliance but could be better (esp being that they use supermicro boxes with crappy sata drives). 

[Packet1009]

had a look at http://www.checkpoint.ca/products/secure-web-gateway-appliance/ ?

[+BudMan MVC]

Why not just do the filtering in the cloud = no appliance at the site. Just point your clients to proxy at one of the major clusters in your area. Have lots of experience with this sort of product from websense, I thought bluecoat was going that direction as well.

Unless you home run your internet back to one location, which isn't very cost effective for that sort of traffic - you put in cheap internet access at your locations. Then do you content filtering so your users are surfing porn in the cloud. Filter the outbound traffic so they can only talk to the proxy networks from the company providing the service, and there you go done deal.

You just manage your rules via a web gui, etc.

Appliances are so yesterday ;)

Whats an added benefit to this type of solution is you can filter your users work machines, be it they are at your location their home or starbucks if you so desire. The update of bad sites in specific categories are real time pretty much - so if new bad site is found, you don't have to worry when your appliance has called home and updated its database, etc.

[sc302 Veteran]

As long as it works like the websense appliance/software will look at it. 

[ndoggfromhell]

BudMan has a great point about doing it in the cloud.  Personally I've had great luck with Sophos.  They bought up Astaro last year and we recently upgraded to the next step up piece of hardware.  The content filtering and reporting are truly exceptional.  We also use "dyndns" to add another layer of filtering just incase.  Sometime the "uncategorized" sites get past the UTM, but usually they get caught in by DynDNS.  Depending on the size of your organization, you might be able to use the free version on a piece of hardware or Virtual machine you already have laying around. 

[LittleNeutrino Veteran]

i have had the best experience in the past using a Sonic wall with Websense.

[sc302 Veteran]

def not free, too big at 500 users.  I am wondering where the breakpoint is at the cost of a appliance vs cost of cloud is where it would make more sense to go one way or the other (usually there is a financial cross point, one going up and the other going down). 

 

I have a sonicwall with the add on filtering now as well as a microsoft proxy server.  I have a cisco 5512 ips ngf sitting on my desk waiting for me to configure.  I need to get content filtering in order before I can replace the old sonicwall. 

[Haggis Veteran]

I use OpenDNS for in the house :)

[sc302 Veteran]

I use OpenDNS for in the house :)

:no:

[+BudMan MVC]

So I have managed the cloud websense stuff for quite a few customers, sizes were smallest 10k users to over 30k on the biggest one. We are looking to use it in house here in NA so only about 900 users, as we are finally breaking out internet to the different locations vs home run back to DC proxy, etc. Cost is pretty cheap for 900 users I can tell you, but not all that involved that project since its internal IT, which is not my dept. Just brought in because of experience with websense, etc.

But happy to answer any questions you might have on what the cloud version can and can not do for you, etc. I personally like it! Unless your in mainland china the performance is pretty good.. We had some issues with that location - the latency in and out of the china firewall just made it not very good, even with their cluster location in Hong Kong or Singapore - had to put in a local instance in that case.

We had some issues with Brazil location, but they were pointing to USA cluster vs the one in Sao Paulo - once they changed to point to that one then performance was fine ;)

[duddit2]

I've used cyberoam and fortigate appliances and both are more than capable, but the cloud filtering has the advantage of allowing you to manage multiple sites from one location. I have in the past had a client that had multiple sites and all were connected via the same ISP that allowed collocating the UTM, so we simply routed all traffic from the lesser capable edge devices at the sites to the one gateway (Cyberoam UTM at the ISP) and all rules were handled there.

 

A big benefit of this approach as well is unauthorised inbound traffic doesn't get to clog up your pipe before its told its not allowed, while allowing a simplified set of web access/proxy/application rules all in one place with central reporting.

 

Never used the cloud services as mentioned by others, but f Budman says they're capable then they're capable! :)