If you have a spare PC w/ two NIC cards you can use Untangle. Pretty awesome free package. http://www.untangle.com/Solutions/Package-Comparison-Matrix
internet-modem/router-untangle-switch/wap-computer
You might want to check out Untangle. They offer a packaged setup of Linux tools with an easy-to-use GUI / web management console. It offers the ability to create custom rules based on LDAP integration, captive portal, antivirus scanning, and even some malware protections. IIRC they offer heavily discounted pricing for edu.
pfSense is quite powerful. If you're not comfortable with its level of technical-ness on the setup, you might also want to look at Untangle. Not sure how well it scales, but it is definitely also able to do all you are asking for. They have an a la carte model where you only pay for the particular components you need.
Among other things, they offer a customizable captive portal, LDAP/AD integration, web filtering, and gateway antivirus.
You could consider using Untangle as your NGFW. It's a great piece of software, and they offer appliances; a 500-user appliance is $1999. You can build your own if you have a PC with multiple NICs. http://www.untangle.com
Definitely worth a look.
Don't know about VirtualBox, but I'd start with some of these:
http://www.sophos.com/en-us/support/utm-downloads.aspx
http://www.untangle.com/store/get-untangle/
And if you're resourceful you can get images for some other things like ASA and FortiGate...
Those four would be my recommendation for what to start playing with if you're new to firewalls.
Untangle is pretty neat, too, though for home I prefer pfSense.
My one gripe with pfSense, and maybe this is a problem with my setup, is that I could not get web filtering to work reliably with Squid and SquidGuard. Untangle has a wonderful "it just works" web filter (free version isn't as fine grained, but for most cases, it works fine).
Oh, and when you get it all set up, I would challenge you to build yourself an OpenVPN server so you can always connect your laptop or cell phone back to your own network for whenever you're at a coffee shop. Good little exercise in getting used to the firewall rules.
The best firewall is a separate appliance device, not some software that you run on Windows. Here is such an example: http://www.astaro.com/landingpages/en-worldwide-homeuse
Here is another one:
http://www.untangle.com/Download-Untangle
Check out Untangle for a firewall appliance. It's awesome! And free! AND enterprise worthy out of the box. There are paid services too, but the free apps do everything most small business/home users could want. I run it on my corporate network, as well as at home. Great, great software. VPN'ing has NEVER been so easy.
Here's my experience:
I use Untangle on a 3.4GHz P4 with 2GB RAM. It doesn't noticeably reduce throughput. 62 workstations & 7 servers. (3 bonded T1s).
There is AD Sync, but you have to pay for it: Directory Connector - $378 for 3 years @ 11-50 PCs
I use the Directory Connector; it's trivial to implement, you just run a script at login via Group Policy.
Take a look at Untangle http://www.untangle.com/Lite-Package
The linked Lite package is free and should provide basic web filtering capabilities to block content deemed inappropriate. There are paid versions that can provide AD integration if said network is Windows based.
The Lite version also has some basic reporting capabilities for accountability purposes.
If you had the spare hardware (requirements: 800 MHz processor, 512MB RAM, 20 GB HD, 2 NICs) Untangle is an amazing network control solution. Not to mention the easy VPN, filtering, and security options it has.
Edit: To expand on it, it acts as a router for your network, with uber-options. Limiting different computers, restricting computer to sites, emailing you statuses, dynamic DNS, and tons of other options. It's powerful enough for enterprise, but great for home use also. Many of the modules are absolutely free.
Read up on this http://www.untangle.com/shop/HTTPS-Inspector/
Facebook is basically doing a man-in-the-middle attack on everyone on their "free internet".
I am assuming the Free Basics Android app trusts a certificate from Facebook as a root CA, letting them sign for any site.
So yes, they can read banking information and any other information people access with their Free Basics Android app.
We use Untangle (which uses SpamAssassin). It is free and dead simple (entirely GUI driven). You can set it up as a transparent bridge and put it anywhere.
I only realized it because the message arrived literally instantly; otherwise I would have reasoned the same way you did.
For the phone instead (but it's handy for everything) I use, as I wrote in another post, http://www.untangle.com/shop/Ad-Blocker which does a good job in the free version. Of course it needs a dedicated computer, but the modest requirements make that easy.
I use OpenDNS for our public wifi, but that's for people's own devices, not ours. But I wouldn't consider using it as a web filter for our equipment. Local appliances are best for that purpose (but they are expensive).
Have you looked into any of the free solutions, like Untangle? They also have nonprofit pricing for their main stuff
It installs in either router mode, where you connect various networks to it, or in transparent bridge mode.
http://www.untangle.com/untangle-ng-firewall/resources/how-to-deploy
In firewall mode, it becomes your firewall and NATs traffic between the Internet and your LAN, and all that stuff.
In bridge mode, it's like a "smart network cable" that filters, controls, and logs traffic. Just like the firewall mode, but you'd normally sit this behind another firewall. Maybe one that doesn't do any fancy stuff. Like a Cisco ASA or the like.
Honestly, I'd use it as the main firewall unless you have a good reason not to. (Like an intricate, existing VPN network or something)
Make sense?
You can set it inline or use it as a router. Internet---Firewall---Untangle---DMZ----Guest is how ours is configured. Here is the handful of ways it can be configured (scroll to the bottom).
No problem, here you can use the free download. You will need an extra computer with two network ports, one for in and one for out. It may seem a little confusing at first, but once you figure it out, it is easy. It also has free things like virus blocker and ad blocker. YouTube Untangle and it will show you stuff for it too.
Good advice anyway :)
How did he overrun the MAC address blocking?
Torrents are difficult to block; normally you need a state-of-the-art firewall like Untangle, but of course these things are not really cheap (and you need some knowledge to run them).
Untangle - because it includes Snort, ClamAV, content filtering (for my kids), it's free, and it doesn't require me to do a whole heck of a lot of maintenance. Plus, I enjoy seeing the reports it emails me on detections.
http://www.untangle.com/store/u10-appliance.html
Amazing support, fast and open-source VPN, extremely powerful content filtering, I really can't recommend it enough.
I'd ask Comcast if they could set you up with a cable modem (not the modem/router combo), I'm sure you wouldn't be the first business that wants to run their own firewall. You really want your device to be internet-facing.
I would recommend an Untangle box if you need rackmount. Set up a server, using pretty much any hardware, and install http://www.untangle.com/
We recommend at least a Pentium 4 Processor (or a similar AMD processor), 80 GB hard drive, 2 network cards, and 1 GB of memory.
I would suggest looking at Untangle. It's some amazing software. I've never used pfSense, but I've used IPCop before, and Untangle blows it out of the water in every way. It's worth a look before you settle on pfSense, but do what is best for your company.
I maintain two untangle machines right now - one in my company's infrastructure, and the other in my own rack at home. Some of the best firewalling (and then ~~some~~ a ton) software I've ever used.
I'm using Untangle for all of what you're describing here. It has a powerful and feature-rich admin page, is easy to set up, and can be administered via CLI or web interface. You'll need a decent proc and a minimum of 2 GB of RAM to run it; it's an enterprise-level firewall appliance OS that runs on bare metal. I love it, it works really well. Best of all, it's free. There are additional paid application packages you can download (load balancing, branding, etc.) but I haven't found anything I've needed to buy yet.
It's a full-on OS/appliance all in one installer disc.
Because you have two young IT people and one seemingly has a specific job, I'm assuming that your servers are rarely patched, if at all.
What you're looking for is an intrusion detection and prevention system. I personally installed Untangle at work as it's part of our firewall package. There are tons of free, open-source IDPS projects out there where all you have to do is supply the hardware. The most popular aimed just at IDPS is Snort.
I'm assuming you're using Active Directory. Are the programs reverting upon logging out and logging back in, or just randomly?
Also, what antivirus solution are you using?
The RT311 is over 10 years old. It may not be able to keep up. Do you have an old PC (1GHz or better) that you can put Untangle or IPCop on? Just to give it a try.
Yeah, this. There's a Linux based firewall that I often hear recommended because it also allows for bandwidth monitoring and throttling by client. As I recall, it doesn't require much in the way of Linux chops. I haven't tried it out yet, and can't for the life of me remember what it's called.
Edit: Untangle is the name. And it's not Linux, but it is open source.
We just purchased Untangle a bit ago, running it in a VM to provide internet whitelisting for some departments and blacklisting for others; they let you block by category and have several ways of inspecting sites using HTTPS: ssl-stripping (requires installing a new CA on all PCs), SNI information, hostname/server certificate, server IP (can mix-and-match). They also have options to enforce safe search, enforce YouTube for Schools, etc.
They have a landing page specifically for schools: http://www.untangle.com/solutions/k12/
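The SNI method mentioned in the post above is the one that needs no CA on the clients: the filter reads the server name the browser sends in clear in the TLS ClientHello and matches it against a category list, without decrypting anything. This added example (mine, not Untangle's code or anything from the post) shows that mechanism: a bounds-checked ClientHello parser that pulls out the SNI host name, and a small category lookup that uses it. The `build_client_hello` helper, the `BLOCKED_CATEGORIES` map and the domain names are constructed for the example; a real filter would read records off the bridge interface and use its own category database.

```python
import struct
from typing import Optional


def build_client_hello(server_name: Optional[str]) -> bytes:
    """Build a minimal TLS 1.2 ClientHello record. This is constructed test
    input, not a capture; only the fields the parser walks are meaningful."""
    client_random = bytes(32)
    session_id = b""
    cipher_suites = b"\x13\x01\xc0\x2f"          # two arbitrary suite IDs
    compression = b"\x00"
    extensions = b""
    if server_name is not None:
        name = server_name.encode("ascii")
        # ServerNameList: one entry of name_type 0 (host_name)
        sni_list = b"\x00" + struct.pack("!H", len(name)) + name
        sni_body = struct.pack("!H", len(sni_list)) + sni_list
        extensions += struct.pack("!HH", 0x0000, len(sni_body)) + sni_body
    # an unrelated extension after SNI so the parser has to skip correctly
    extensions += struct.pack("!HH", 0x002b, 3) + b"\x02\x03\x03"
    body = (b"\x03\x03" + client_random
            + bytes([len(session_id)]) + session_id
            + struct.pack("!H", len(cipher_suites)) + cipher_suites
            + bytes([len(compression)]) + compression
            + struct.pack("!H", len(extensions)) + extensions)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record: bytes) -> Optional[str]:
    """Return the host_name carried in the SNI extension of a ClientHello,
    or None when the record is not a ClientHello or has no SNI. Every
    length is checked so truncated or garbage input returns None."""
    try:
        if len(record) < 5 or record[0] != 0x16:       # not a handshake record
            return None
        rec_len = struct.unpack("!H", record[3:5])[0]
        hs = record[5:5 + rec_len]
        if len(hs) < 4 or hs[0] != 0x01:               # not a ClientHello
            return None
        hs_len = int.from_bytes(hs[1:4], "big")
        body = hs[4:4 + hs_len]
        if len(body) < hs_len:
            return None
        pos = 2 + 32                                    # version + random
        pos += 1 + body[pos]                            # session_id
        pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher_suites
        pos += 1 + body[pos]                            # compression_methods
        if pos + 2 > len(body):
            return None                                 # no extensions block
        ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_len
        if end > len(body):
            return None
        while pos + 4 <= end:
            ext_type, elen = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            edata = body[pos:pos + elen]
            pos += elen
            if ext_type != 0x0000 or len(edata) != elen or elen < 2:
                continue
            list_len = struct.unpack("!H", edata[:2])[0]
            q = 2
            while q + 3 <= min(2 + list_len, len(edata)):
                name_type = edata[q]
                name_len = struct.unpack("!H", edata[q + 1:q + 3])[0]
                name = edata[q + 3:q + 3 + name_len]
                if name_type == 0 and len(name) == name_len:
                    return name.decode("ascii", errors="replace")
                q += 3 + name_len
        return None
    except (IndexError, struct.error):
        return None


# Constructed category map, standing in for a filter's category database.
# A domain matches itself and any subdomain.
BLOCKED_CATEGORIES = {
    "gambling.example": "gambling",
    "video.example.net": "streaming",
}


def classify_flow(record: bytes) -> str:
    """Decide what a bridge filtering by SNI alone would do with this
    ClientHello. With no SNI there is nothing to match, so the filter has
    to fall back to the server certificate or destination IP (the other
    methods the post lists); here that is reported rather than decided."""
    sni = extract_sni(record)
    if sni is None:
        return "no-sni: fall back to certificate or IP"
    labels = sni.lower().split(".")
    for i in range(len(labels)):
        cat = BLOCKED_CATEGORIES.get(".".join(labels[i:]))
        if cat:
            return f"block:{cat}"
    return "allow"
```

The fall-back path is the important caveat: clients that omit SNI, or that encrypt it (ECH), leave this method with nothing to match, which is why the post's mix-and-match of SNI, certificate and IP matters in practice.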
They pretty much all do. We use TightVNC. It's more for backup if Remote Assist isn't working, since the "remote control" aspects of it aren't nearly as smooth. But we have viewed people's screens with it before - looking for a bandwidth hog we found someone who was watching GILF porn - he had found a site the firewall wasn't blocking.
As far as cheap monitoring, it's tough because you have to have all the web traffic go through there one way or the other. The only thing I can think of off hand would be to repurpose a server and make it an Untangle box. I know they have a web filter in the free version, but I'm not sure if it is feature rich enough for you. The nice thing is, it's a fairly easy setup if you want to test it.
I'm in a similar position and definitely not an expert who should be answering, but I have been looking into Untangle myself. They have self-hosting/free options: http://www.untangle.com/shop/NG-Firewall-Free/ Might be worth looking into before biting the budget bullet.
Also I think OpenDNS has a self-hosting option for non-profits.
I am in a similar industry working for a business of similar size.
Untangle provides free basic web filtering and reporting; there is also a more robust paid option as well as many other features such as anti-virus, bandwidth control, phish blocker, etc.
I have an Untangle box (a midrange PC with 2 NICs) at each location set up as a transparent gateway. I have to administer each one individually, but there isn't much to do; occasionally I might have to whitelist a site that was blocked.
If you've got an extra machine around you can install Untangle on it. Untangle is a multi-appliance suite, but what you're looking for is the application filter. The app filter will allow you to block torrents, video games, IM, etc. There is a licensed version and a free version; I used the free version for a long time when we had the same issue happen. Untangle can also send you reports and you can see what IPs are doing what. Then look at your DHCP server or whatever is handling DHCP for logs to see what computer the traffic originates from, even when it's being blocked.
You'll need to figure out how this will sit in your network either as a router or as a transparent bridge. I personally set it up as a router so that I could create a DMZ between my core router and the rest of the network for added security.
Link: http://www.untangle.com/
Alternatively, and this is good to do regardless, you should be blocking all ports that are not required for your network. This includes blocking them from the LAN side. A lot of people make the mistake of setting firewalls LAN -> Any. By only allowing standard ports like 80, 443, 21, 25, 110 etc. you can also eliminate the use of protocols and applications that shouldn't be run on your network. You'd be surprised what your users are doing with personal devices you are not aware of and how much those devices are eating up your bandwidth and causing overhead.
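To make the LAN -> Any point concrete, here is an added example (mine, not from the post or from Untangle) of a first-match rule evaluator with an implicit default deny, run over a handful of constructed flows. `LAN_TO_ANY` is the shortcut the post warns about; `EGRESS_ALLOWLIST` is built from the ports the post names (80, 443, 21, 25, 110), with port 53 for DNS as my own addition. The flow records are made up for the example, not taken from any log, and the zone names and rule fields are this example's own model rather than any product's rule syntax.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class Rule:
    src_zone: str               # "lan", "wan" or "any"
    dst_zone: str               # "lan", "wan" or "any"
    proto: Optional[str]        # "tcp", "udp" or None for either
    dports: Optional[Set[int]]  # destination ports, None for any port
    action: str                 # "allow" or "deny"


@dataclass(frozen=True)
class Flow:
    src_zone: str
    dst_zone: str
    proto: str
    dport: int
    note: str                   # what the constructed flow represents


def evaluate(rules: List[Rule], flow: Flow) -> str:
    """First matching rule wins; a flow that matches nothing hits the
    implicit default deny, which is what makes an allowlist an allowlist."""
    for r in rules:
        if r.src_zone not in ("any", flow.src_zone):
            continue
        if r.dst_zone not in ("any", flow.dst_zone):
            continue
        if r.proto is not None and r.proto != flow.proto:
            continue
        if r.dports is not None and flow.dport not in r.dports:
            continue
        return r.action
    return "deny"


# The shortcut the post warns about: anything from the LAN may go anywhere.
LAN_TO_ANY = [Rule("lan", "any", None, None, "allow")]

# Egress allowlist from the ports the post names (80, 443, 21, 25, 110).
# Port 53 for DNS is my addition; a real network adds what it actually needs.
EGRESS_ALLOWLIST = [
    Rule("lan", "wan", "tcp", {80, 443, 21, 25, 110}, "allow"),
    Rule("lan", "wan", "udp", {53}, "allow"),
    Rule("lan", "wan", "tcp", {53}, "allow"),
    # nothing else is listed, so every other LAN-originated flow is denied
]

# Constructed sample flows, not taken from any real log.
SAMPLE_FLOWS = [
    Flow("lan", "wan", "tcp", 443, "browser to a web site"),
    Flow("lan", "wan", "udp", 53, "DNS lookup"),
    Flow("lan", "wan", "tcp", 25, "mail server relaying outbound"),
    Flow("lan", "wan", "tcp", 6881, "BitTorrent peer connection"),
    Flow("lan", "wan", "tcp", 3389, "RDP from a personal laptop to outside"),
    Flow("lan", "wan", "udp", 1194, "personal VPN client on a staff laptop"),
    Flow("wan", "lan", "tcp", 3389, "unsolicited inbound RDP attempt"),
]


def summarize(rules: List[Rule], flows: List[Flow]) -> Dict[str, int]:
    """Count allow/deny decisions for a rule set over a list of flows."""
    counts = {"allow": 0, "deny": 0}
    for f in flows:
        counts[evaluate(rules, f)] += 1
    return counts


def newly_blocked(flows: List[Flow]) -> List[str]:
    """Flows the LAN -> Any rule let through that the allowlist stops;
    this is the traffic the post says you would be surprised to find."""
    return [f.note for f in flows
            if evaluate(LAN_TO_ANY, f) == "allow"
            and evaluate(EGRESS_ALLOWLIST, f) == "deny"]


if __name__ == "__main__":
    print("LAN -> Any:", summarize(LAN_TO_ANY, SAMPLE_FLOWS))
    print("allowlist: ", summarize(EGRESS_ALLOWLIST, SAMPLE_FLOWS))
    for note in newly_blocked(SAMPLE_FLOWS):
        print("now blocked:", note)
```

Note that the inbound RDP flow is denied under both rule sets; the inbound side is rarely the problem. What the allowlist changes is the outbound side, and the flows it stops are exactly the ones a LAN -> Any rule never logs because they were never a policy violation.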
I use Untangle on an old computer http://www.untangle.com/shop/Ad-Blocker which among its free features has ad blocking. The problem is that analysis of SSL traffic is paid-only, so for example every Google service bypasses the block. On the plus side, the worst ads aren't over SSL, so it works well anyway... it adds complexity to the network, but in the end everyone at home appreciates the ad blocking, and even if so far it hasn't been needed, nobody complains about an antivirus check before a file has been downloaded.
If you can put your BT business hub in bridge mode, I would suggest looking into rolling your own router. Untangle makes it pretty easy to do this.
Would you post your Ubuntu PC's routing table and OpenVPN configuration?
I agree, go with either the Barracuda or GFI for an email archiver. As for the firewall, if you are only looking for one that does the standard stuff.. but you need a friendly interface (which leads me to believe you have no one on site who is familiar with running a firewall):
1) The PAs are really simple to use but have a lot of vulnerabilities and the prices start to add up really quick on licenses.
2) SonicWall would be a BETTER choice: very simple, easy interface and fewer vulnerabilities.
3) Next you may want to look at
a) pfSense: very easy and free, still fewer vulnerabilities than the PAs
b) Untangle (http://www.untangle.com)
c) WatchGuard Firebox
Truthfully, with the amount of firewalls I have deployed and/or manage, I would stay away from the PA altogether..
Sorry for the formatting, doing this on my smartphone while in the air (go JetBlue WiFi)
Check out Untangle NG Firewall. Since you're on a budget, you can use an old PC with a couple NICs in it and the free edition/package. Gives you detailed reports of who went where and how much data they (and the network as a whole) used.
Here's part of one of our client's weekly reports (this particular one is 98 pages of charts/graphs/data): http://i.imgur.com/JFa67eW.png
Install takes about 10 mins, and is totally guided. Definitely worth checking out.
Nice that you have a Mitel phone on the network. I assume that the FreePBX server is the controller for it. Any issues that way? I have quite a few of those phones here at the office and remote, but we use their controller.
Also, look into adding a firewall somewhere for all of those devices. I didn't see one in your VMs, but I suggest Untangle. We use it here as a transparent one on our own hardware and it rocks. Free too.
I put Untangle behind my router and the spam filtering is fantastic. The paid version is even better. Creates quarantines, and lets users manage them.
Also, it's on premises. :)
If your server is in-house, throw Untangle in front of it. Works great, learns well, and has white/black lists. The Lite/free version is basically SpamAssassin, and the paid version is Commtouch. Both work great.
Huge fan of Untangle. Amazing control over what goes in and out of the network, and who can access what. Great reporting, and I've found the support to be great. It runs on their appliances or on anything that will run Debian Linux (which it's based on). You can also get the right mix of applications or subscriptions you want. I've worked with ASAs, SonicWalls, WatchGuards, and of course home/SMB units like Netgear 318/338s. Untangle is by far my favorite. I'd be happy to address any particular uses or challenges you're needing or looking to solve if you'd like.
pfSense is great but I'd also take a look at setting up an Untangle box. It will also give you VPN, Web Filtering, Spam/Phishing/Virus/Intrusion/Application control and a captive portal if you want. All available in their free version. Just need a desktop-grade box with a few GB of RAM and two NICs.
> Introducing Untangle 10.0 - Know More about Your Network Traffic than the NSA
Question, I see the free version doesn't work with HTTPS - can you work around that by decrypting traffic with a corporate cert, filtering and re-encrypting?
Nobody for Untangle? They have two versions, the paid (based on Commtouch) and free (based on SpamAssassin). Super easy to set up as a transparent device, and excellent catch rates. Plus automatic quarantines for users to find any false positives.
> I kind of thought it'd be a requirement for a school to have some sort of proxy/filter?
It is. Well, at least in my state it is. Not sure about anywhere else.
[EDIT] OP, if you guys are operating without a filter, you might want to take a look at ClearOS Community Edition or Untangle. Though, I personally recommend ClearOS.
The only thing off the top of my head that I know could do it would be a software appliance like Untangle. Unfortunately, the app in UT that you would need is not available in the free version, so you would have to pay.
I'm sure there are other programs out there that will do what you need, but I don't personally know of them.
We're replacing our Watchguard unit with another Watchguard. Mostly because the software included is actually pretty decent compared to totally web-based solutions/interfaces. We're doing UTM functions, and while our current model requires a standalone, separate server for this functionality, the new one we're going with does not. (Which was one of my requirements. I think it's ridiculous to buy a UTM device that doesn't do UTM onboard)
That being said, for a 50-person shop, check out Untangle. We use 2 Untangle boxes in conjunction with our Watchguard box because the reporting and such for each application/function we run on it is 10x better, and their configuration is super easy. They have paid and unpaid versions. The paid model comes with support. One thing I really like about Untangle is that I can build it on just about any hardware I've got, and it's free if you don't need the support. (We don't use the paid version, just the "Lite" version). You can also make as many internal or DMZ ports as your PC/server can handle with added NICs.
Our new setup will be a Watchguard firewall, with NO UTM functionality or subscriptions, and 1 Untangle box sitting behind that to handle Web/Virus/Spam filtering, etc.
Thankfully I've not been hit by this attack. I was hit about 3 years ago. Since then I've built and installed an Untangle firewall to block malicious traffic. It's a free Linux distro that can run as a hardware firewall. But this type of exploit does require one to be online to use.
Check out Untangle Firewall. It's got LOADS of features, is free, installs on any normal server hardware, and is very stable. I run that here in my NOC and at home, it's a great firewall OS.
There are both community (free) and commercial (paid) versions. I run community edition in both locations, since it gives us everything we need without having to buy upgrade packages.
I have set up quite a few networks with Untangle; it is very easy to use and the community is helpful. Best of all, the community (free) edition will do everything you need, and for a very reasonable amount it can do significantly more.
I have not had any experience throwing a wireless card into it so I would recommend an access point for that. It's scalable and reliable, I haven't had any issues. PM me if you have any questions. I'll be glad to help.
If you've got an old(ish) workstation and a spare NIC (or 2) lying around, give Untangle a go.
We had SonicWALLs at our 3 locations when I started, and I moved all sites to Untangle boxes and have loved every minute of it. The newest box I had it installed on was a Precision 340 (purchased in 2003) at our HQ protecting 40 users and about 1-2,000 messages/day through the spam/AV/phish modules.
They have appliances that you can pick up from them or from resellers also.
Haven't looked into the specs of it too deeply, but couldn't you get away with just a vanilla box dual-NICed? Just checked the specs and a 1-50 user Untangle box needs a P4 with 1 gig of RAM. I have like 3 of those sitting decommissioned under my feet right now. Specs for Untangle: http://www.untangle.com/build-your-own-untangle-server
You might look into Untangle.
I think the free version does everything that you need, but it's been a while since I've used it.
As long as you're installing a gateway, you should try to get a caching proxy built in. I'm not sure if the free version of Untangle handles that or not.
It's a GREAT GUI. Untangle.com, you can just download the ISO. Best guess is about 450MB. Let me grab a screencap... This one is of my corporate installation. Some of the appliances don't fit in the capture, just pretend they're there.
Just noticed imgur is misbehaving, if that link doesn't work let me know and I'll host somewhere else until MrGrimm fixes things.
Just some stats:
It scans about 200-250k sessions a day. Running on dual PIII Xeons at 1.4GHz, 36.6GB RAID 0, 2GB of RAM. Plenty of horsepower for the ~150 devices on our smallish network. Current uptime is 99 days, but that's because I had to do some work in the server room a few months ago that necessitated powering it off.
I feel like I bring this company up every day. Untangle makes a great networking appliance and they have a free version where you can add Kaspersky for like 10 bucks a month. Check it out.
Enterprise versions are not too expensive from what I remember.
I'm a big fan of Untangle. A P4 with 512MB of RAM can do an Untangle firewall for 20+ users, but it must be a dedicated machine. Sometimes you can go to a local computer shop and pick up an old P3 or P4 for under $100 with no OS on it.
Check out Untangle. You can block categories of websites, flag them but not block them, do this for some users or all users, enforce safe searching on sites like Google, and so on. It also does a lot of other awesome firewall-type stuff. If memory serves correctly, you can create a blacklist of keywords that you can flag as well. Even if you can't track keyword searching altogether, you will be able to tell who's trying to access restricted websites or restricted categories of websites.
Edit: I think it's ethical if it's a specific class of restricted content, and someone isn't reading all other unrestricted content. In this case, your boss isn't poring over everything someone is doing, they just want to know when someone is doing something wrong. This seems kosher to me. Consider this a network "camera" if you will, not significantly different than one you might have to enforce policies and protect assets in the real world. People passing around porn at work can get companies in a lot of trouble.
If you have the capability of adding a proxy or similar to the network, check out the Lite package by Untangle. We use the premium package, but the free Lite software is pretty great too. Outstanding software, IMO.
My boss recently came up with this idea at a managers' meeting, too, and I'm looking for something similar. I have an Untangle that's tracking the hits to non-work-related web sites (and there are a bunch), but, like you, I've been told to see what they're doing, too.
I hate being that guy, too, but you gotta do what you gotta do. If you do end up finding something, please do make sure you post here.
Why not Untangle? It is surprisingly good in "free" flavour and if paid for can do everything the big boys do for less. You can also run multiple Untangle boxes for a single function: e.g. a SPAM filter only. I've never used it as a full UTM but have deployed it (free version) many times in front of a mail server and as a web filter. So far it has been rock-solid and super easy to work with.
Wait a second. I just realized you guys are missing something here: I absolutely detest advertising. To the point of it being a minor pathology. Maybe I should do an AMA.
I detest it to the point where I actively work to eliminate it from my life. Sometimes, the effort and time spent is significantly greater than what would be spent simply watching the ad, but it's the principle.
I hate advertising so much that I have stopped watching broadcast TV of any kind. I have stopped going to the movies. I have no way of watching TV in my house, other than Netflix. I never listen to the radio, and I pay for ad-free versions of podcasts. I will scissor ads out of the magazines I want to keep. I have no credit cards because I hate getting junk mail.
If I could trade "never having to deal with another Internet ad, ever" with "not having access to Google", I would. In a heartbeat. Fortunately, Adblock and Untangle exist.
In short, I have done everything reasonable, and quite a bit that's UNreasonable, to excise all advertising from my life. This is my perspective. Since it's working for me and my family, I'd say it's a valid perspective.
Maybe consider a UTM (unified threat management) distro? One that is easy to configure and has tons of features is Untangle. There is also one called Endian. There are plenty of others you can mess around with that are a little "lighter" than Untangle; some examples would be m0n0wall, pfSense, and IPCop. Running these will not only allow you to configure DHCP but will also integrate things like virus protection, malware protection, spam filters, ad blockers, etc...
I don't think their free editions come with automatic scanning, so actually having the employees open up the programs and clean out everything may be a bit of a hassle.
Have you considered putting an Untangle web-router in? Edit: The software for Untangle is free and can be installed on most systems.
I use an Untangle firewall on a dedicated box scrounged together from spare parts I had lying around. It takes some networking know-how, but it has the advantage of being exceptionally difficult to bypass by tech-savvy teens. It's all GUI, so no need to worry about mucking about in the command line like a bunch of other Linux-based firewall solutions. Another benefit is the fact that Untangle is free, except for the cost of a box to run it on.
Untangle can be configured to send daily, weekly, or monthly reports in a PDF to your email address. The report breaks down what machines went where, as well as tons of other info. It can block sites based on a constantly updated rule set (such as pornography, proxies, violence, gaming, etc.) as well as sites added manually.
Not the easiest method to be sure, but it is powerful, flexible, and free if you have a spare PC lying about. Probably overkill for your situation, but I figured I'd give my two cents.
Another option, if you want to skip adding another box to your network, is to use the parental controls feature on the Macs in your house. All the machines can be managed locally by going from box to box, or you can manage the machines from a single "parent" computer. Here is a great article on setting up parental controls on the account you want monitored. Since these controls are local to the machine, they can be bypassed, depending on how tech savvy the user is. Still, parental controls may be more on-track for what you need.
There are also parental controls for iOS, but they don't really get as granular as just displaying sites visited. For those devices you're still stuck with putting a firewall box on your network.