Question

  Asked: May 3 2007   2:49 PM GMT
  Asked by: TheVyrys


I need your input



Howdy folks,

I have the following set up:

2 Domain Controllers - Win2k3 Standard
1 member server with Exchange 2003 Standard
100 XP Pro workstations
T1 connection

Currently I use a SonicWall Pro 200 firewall, Symantec Corporate Edition 10 AntiVirus, and Symantec Mail Security for Exchange.

Everything works fine.

I need to be able to control internet access a little better than just with group policy proxy settings and such, and also monitor internet usage.

It was suggested that I use Microsoft ISA server 2006 and I can purchase it through a non-profit agreement for about $60.
I have never used it or seen it used and hoped you would offer your experiences/knowledge about the product.

My questions:
1. Will it provide internet access control on a per user basis?
2. Can I allow only certain websites, or block certain websites?
3. Would this replace my Sonicwall firewall, or just add to it? (I would love to cancel the support agreement)
4. Does the remote user connection feature work well/reliable?
5. Is a user's internet surfing speed affected by going through ISA server? This is VERY important to us.
6. Do the logs provide detailed history of internet activity?
7. Is there any SPAM, Antivirus, spyware/malware protection built in to this product?
8. Finally, are there any general or specific "gotchas" or "pain in the butts" to watch out for with this product?

Feel free to offer other product suggestions if this one is not recommended.

Thanks...and hopefully that's not too many questions


Answer Wiki




In general, I like (and resell) the SonicWall products - although I work on all sorts of other stuff.

My question to you is with 10 users, why do you need such fine-grained control? Among other things, the SonicWall products provide reports on who (IP) has gone to what web sites - if you need evidence to change behavior.

Just my $.02 worth,

Bob


Discuss This Answer



tmac24  |   May 3 2007  9:15PM GMT

I currently use an ISA 2004. We have a much larger environment (1600 workstations, 1000 staff, 3500 students). The ISA server can control access for users or groups. However, there is no gateway anti-virus or spam filter. It does not affect our connection speeds. It gives great reports on internet usage and protocol usage, by IP and user name. If you can get the ISA server that cheap, you may also want to look into something like Webwasher. It’s software based and will run on the same machine as the ISA (it’s basically a plugin). It will do anti-virus at the gateway, spam filter, content filter, reporting, and SSL filtering (monitors proxy sites and blocks them). It is modular, so you can purchase only what you think you need. So far it was one of the better products I have seen.

http://www.securecomputing.com/index.cfm?skey=22

 

tbitner  |   May 7 2007  11:14AM GMT

We have ISA 06 in our company (300 employees) and it’s set up by our Sys Admin, but I’ll tell you what I know.

1. Yes, it can tie into Active Directory users and groups.
2. Yes, we block websites such as MySpace and YouTube.
3. Ours sits on a public DMZ behind our Juniper firewall, although the ISA is a firewall in itself.
4. Don’t know.
5. Probably a slight improvement in speed since ISA caches requests.
6. Don’t know.
7. See other reply.
8. It seems challenging since our Sr. Sys Admin is frequently tinkering with it. I know there are books to teach you ISA though.

- Our remote VPN users who terminate on the Juniper don’t seem to get filtered through the ISA even though their browser is configured for it. This may be something wrong on our end.

- We had to install ISA client software on computers that used “complex protocols” (Microsoft term) to access the internet, such as FTP, telnet, SSH.

- Sometimes traffic destined for the internet is difficult to trace, because it could either go directly through the firewall or the ISA depending on the protocol.

Another filtering program is Websense, which I set up for a previous company exactly the same size and technology as yours (except PIX firewall environment).

You install the software on a server on the LAN and configure the firewalls to intercept HTTP traffic and ask Websense if it’s allowed or denied. I didn’t notice any performance decrease and I thought it was very easy to use and set up. It doesn’t work for home VPN users though.

Reporting also ties into Active Directory so you can filter on any user/group, category, etc. It’s strictly web filtering and I think it was costing us $5000/yr for 250 users.

On a side note, a great appliance for SPAM/VIRUS/SPYWARE filtering is from Barracuda Networks (www.barracudanetworks.com). We also used this instead of Symantec Spam/AV Filter on our Exchange server. The great thing about it was that it sat in front of all the servers and prevented their resources being sucked up by processing junk. It also eliminates viruses from having the chance to even touch a server and then being scanned by the local AV scanner, possibly exploiting a Symantec AV flaw.

 

TedRizzi  |   May 9 2007  11:21AM GMT

I use CA’s Secure Content Manager to provide the services that you’re looking for.
It does anti-spam, spyware and virus protection, website blocking, and reporting. It can do detailed logging for both SMTP and HTTP protocols.
I use it as a proxy server for HTTP and FTP, and filter all incoming email through it for spam and virus protection.

 

DavidLevine  |   Sep 26 2007  4:07PM GMT

You can certainly use ISA Server as a solution. I am not all that familiar with it so I can’t really speak to what it will do out of the box, but I know that there are a bunch of plugins for ISA that will do content filtering… SurfControl, Marshall, etc. They all have products that plug in to ISA. Since you already have an investment in SonicWall you might want to look at them also. They certainly offer content filtering solutions baked into their firewalls. (We use a similar product from St Bernard - a filtering appliance called iPrism, which has been fantastic for us.)

You could also probably set up a Squid proxy on a white box and use some open source content filtering… that’s an option…

There is also free software (especially if you are a non-profit) from BlueCoat systems. It is called K-9. I have used it for very small projects before and it is a good option.

Hopefully you find some of this useful…

Best,

David

 

Gwenz  |   Nov 9 2007  6:03PM GMT

The ISA server would give you the per user control and ability to block. I would use group policy though, instead of assigning usage control on a per user basis. ISA does not come with any built in anti-virus software.

I’m curious, are you using any system management tools? You have an ideal configuration for Essentials 2007, including adding an ISA server.

Check out: http://www.microsoft.com/sce

Gwen
http://myitforum.com/cs2/blogs/gzierdt/default.aspx

 

Buddyfarr  |   Feb 21 2008  3:45PM GMT

We use ISA and have had a lot of issues with it. One product we are looking into is Secure Computing’s Webwasher appliance. It will do all the web filtering on a username basis, AV, malware, and also will do SSL filtering. It actually unencrypts the SSL, finds out where it is going, and filters it out if it is not allowed. If it is allowed, it re-encrypts it and passes it along.