need suggestion for security appliance for small business

ThePiston

Senior member
Nov 14, 2004
861
0
76
We have a small (16-20 PC) medical office with a central MS 2003 Server. The server is just for our electronic medical records and does not serve as a proxy server.

I have AV installed on all PCs, but not anything special like a web security appliance can do.

I have read up on these appliances and it seems like the way to go for an easy install without a Linux central server. I know there are free services out there, but we do not run a Linux server.

I want to basically make sure none of my employees download anything inappropriate (on purpose or not) as well as blacklist URLs, scan emails and all traffic for threats, phishing, etc.

I guess I need some suggestions on an all-inclusive web security appliance that I can plug into the network easily and begin to filter everything. Reports would also be nice so I can see what everyone is up to.

Thanks
 

drebo

Diamond Member
Feb 24, 2006
7,034
1
81
My recommendation would be the Juniper SRX100H. They have unified threat management licenses available, as well, that include intrusion detection, antivirus, and web filtering. They're not cheap, but they work extremely well.

Alternatively, if you're only interested in web filtering, you could go for the Juniper SRX100B and use opendns forwarders on your win2k3 server. You could then restrict outbound DNS queries at the firewall to only be allowed from the server, thereby restricting users' access to only what you allow in your opendns config. We've implemented this for a number of customers and it seems to work extremely well.
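The DNS egress restriction described in the post above can be checked from firewall logs. The following is an added example, not part of the original post or any vendor's tooling: it audits flow records for DNS traffic that bypasses the internal server. The LAN range, the server address `192.168.1.10`, and the CSV log layout are assumptions; the two upstream addresses are the public OpenDNS resolvers.

```python
import csv
import io
from ipaddress import ip_address, ip_network

# Assumed for this example: LAN range, server address and log layout.
LAN = ip_network("192.168.1.0/24")
DNS_SERVER = ip_address("192.168.1.10")  # Windows server holding the forwarders
OPENDNS = {ip_address("208.67.222.222"), ip_address("208.67.220.220")}

# Constructed sample flow records: time,src,dst,proto,dport,action
SAMPLE_LOG = """\
09:00:01,192.168.1.10,208.67.222.222,udp,53,permit
09:00:02,192.168.1.23,192.168.1.10,udp,53,permit
09:00:05,192.168.1.23,8.8.8.8,udp,53,deny
09:01:10,192.168.1.31,8.8.4.4,tcp,53,permit
09:02:00,192.168.1.10,4.2.2.2,udp,53,permit
09:02:30,192.168.1.23,93.184.216.34,tcp,443,permit
"""

def classify(src, dst, dport, action):
    """Return a finding for one flow, or None if it needs no attention."""
    src, dst = ip_address(src), ip_address(dst)
    if int(dport) != 53 or dst in LAN:
        return None  # not DNS, or a client asking the internal server
    if src == DNS_SERVER:
        # The server should only forward to the filtering resolvers.
        return None if dst in OPENDNS else "unexpected-upstream"
    # Any other host querying external DNS is sidestepping the filter.
    return "bypass-allowed" if action == "permit" else "bypass-blocked"

def audit(log_text):
    """Return (time, src, dst, finding) for every flow worth reviewing."""
    findings = []
    for row in csv.reader(io.StringIO(log_text)):
        if len(row) != 6:
            continue  # skip blank or malformed lines
        time, src, dst, _proto, dport, action = row
        finding = classify(src, dst, dport, action)
        if finding:
            findings.append((time, src, dst, finding))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG):
        print(*finding)
```

A `bypass-allowed` finding means the firewall rule is missing or too broad; `bypass-blocked` means the rule works but a workstation has a hard-coded external resolver that should be cleaned up.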
 

ThePiston

Thanks. I want it all - antivirus, phishing, black lists, etc. I'd rather have all of that performed at the level of the router and not in each individual workstation. I have too many old machines that cannot be upgraded so this method is better. The H can do all of that?
 

drebo

Yes, depending on what throughput you want. You may need to go up to the SRX210HE. The SRX100H should be good up to 20mbps for full UTM. Faster than that, and you'll probably want to go to the SRX210HE.
 

Emulex

Diamond Member
Jan 28, 2001
9,759
1
71
pfsense has some options for their IDS (snort based) to use commercial rules to block emerging threats. the software also can do vpn (free) and load balancers (any number of connections) and works well in a virtualized environment (esxi).

Mail scanning is very cpu intensive if it's non-cloud based to filter out both virus and spam - you'd need a metric ton of cpu to do IPS and anti-spam and anti-virus on one appliance. A lot of the low end devices are not really that powerful - I see a lot of low end celeron 420's still (dell oem) - I suspect they use cloud-based signature matching to reduce load but that increases your dependency on their network.

cheap IPS? here's my idea - get symantec endpoint for smb and a simple router/firewall and use host-based IPS - it's far cheaper than the yearly costs of a host based IPS and it works better imo. you have these core2duo boxes at work doing nothing all day long but then you try to force all your traffic through 1 low end oem dell box and wonder why the i/o is so slow?

best of both worlds is host-based IPS from endpoint with an IPS that can do network access control to disconnect a machine that is infected to prevent spreading.

SEP + pfsense + some clamav/spamass = very high protection for very low cost - plus pfsense can load balance your dsl+cable modem to keep you online always.

pfsense can do snort ids with free sigs (older/lower quality) or you can pay snort for the best up to date sigs. if you throw 3GB of ram in a VM to pfsense (think esxi essentials) you will get a very very powerful router with vpn/ips - then rock a qmail/spamass/clamav rig or two for mail services.

I'm not sold on dedicated IPS - very expensive to keep the rules yearly and honestly the models you can afford have such weak hardware that 50 desktops can choke it - but host based IPS from SEP can do just as good of a job divvying up the load across 50 desktops that are doing squat.

Some food for thought.
 

ThePiston

I will look at pfsense, but I'm really not in the mood for building - more in the mood for plug and play. Something I can put in between internet and office LAN that will scan packets for threats and basically keep my staff from doing something stupid like downloading a virus or visiting a phishing page. The AV should be up to date as well as black-listed URLs. We only have one machine that uses Outlook so email scanning volume is no big deal. The other docs just use Gmail.
 

drebo

I gotta highly recommend against using any kind of linux/bsd based firewall. They're fine for playing around with at home, but I wouldn't go near one in a business setting. They're extremely high maintenance and if your amalgam of third-party programs stops working for whatever reason, there is no support...you're on your own.

Ask yourself how much downtime is worth: if the Internet is down, how much money/productivity do you lose? If the answer is greater than $0, a commercially available appliance is the only viable option.