Suggested Enterprise Web Proxy

Hello all

We need to replace an aging ISA server. It is used as a web proxy with Cyblock web filter. What products have people had success with and enjoy using?

Thanks!

John

Find more posts tagged with

Free for TechExams community: Cybersecurity salary guide

Compare cert salaries and plan your next career move

Button

Comments

AlexNguyen

We're using Blue Coat's ProxySG: Blue Coat – ProxySG

Chivalry1

Enterprise: If you asked me 10 years ago I would have told you BlueCoat without blinking. But Cisco IronPort Web security appliance to date is the best. Its pricey but is VERY effective.

Medium Enterprise: Ok....dont scorn me....But Microsoft Forefront Threat Management Gateway 2010 is really good. I have really enjoyed managing with the FASTVue Reporting (3rd Party). Pricing is not bad and easy to administrator. I know...I know....its not a dedicated appliance, but everything does not require a piece of hardware.

Small Business: Well I am old school.....so a SUSE Enterprise Linux installed with Squid Proxy and Calamari for reporting. And yes WCCP is supported by Squid. Administration will be a challenging if you have not administrated linux before.

networkjutsu

Previous employer: Uses BlueCoat
Soon to be previous employer: Uses WebSense

nosoup4u

We previously used websense but now we use TMG.

sieff

Cisco IronPort.

Coolhandluke

Used to use ISA (dual servers) then upgraded both to TMG.
The web filtering was getting pricey so we switched one of the servers to smoothwall. Very capable software for what it does but some of the features are ..... limited.

Chivalry1

networkjutsu wrote: »

Previous employer: Uses BlueCoat
Soon to be previous employer: Uses WebSense

I detest websense....It is such a bad product!! I would rather install a system with ZoneAlarm Home Edition to protect my enterprise.

TBRAYS

We use McAfee Web Gateway, previous employer used Websense which was horrible

kj0

At the Branch we use ISA on '03
[*] (95% of branches currently) and on the branches that have just been upgraded to '08 we are running Squid. And at the Head Office we run Bluecoat which also has the Branches going through it..

[*]Let me mention that there are 1400+ Branches in the state, so they are in the process of being upgraded

FloOz

We use Proxy Pro Networks at my job. Havn't had any issues with it thus far

networkjutsu

Chivalry1 wrote: »

I detest websense....It is such a bad product!! I would rather install a system with ZoneAlarm Home Edition to protect my enterprise.

Hah! I can bypass both of them. I guess they weren't configured properly?

it_consultant

I used to use the proxy built into watchguard, now we use the proxy built into palo alto. Both work great as far as I can tell. It is still technically a proxy even though the traffic is only "proxied" inside the appliance instead of to a completely separate server or filter. I don't think it is necessary anymore to have a completely separate web filter appliance.

RTmarc

The Palo Alto - and all UTMs - are good as long as you are doing cut-and-dry filtering across categories. When you start getting into exceptions and variations of access across your user base it starts to get ugly. We examined the notion of using that option in our PA but abandoned it after comparing our current ruleset with what we would have to do to match it on the PA.

All of that being said, the Cisco IronPort is the best that I've worked with. Extremely easy to setup and manage, excellent technical support, and is an all-around great product. The biggest weakness that I found with it is that troubleshooting can be of a challenge at time because all of the raw packet information is not presented in the GUI. You can still find everything you need to know but it will require you to SSH into the WSA on occasion to view the raw logs. So, it's a matter of convenience versus capability. It can do it, just not in the most convenient way occasionally; for what that's worth. I thought the out-of-the-box alerting was a bit weak but that was a non-issue for us since we had all logs going to our SIEM and used it for alerting; e.g., "malware was blocked for user on website."

I think of Blue Coat as I do Blackberry. At one point they were the leader of the pack. Unfortunately for them, they rested on their laurels and let the competition pass them up and beat them at their own game. I think they are a better solution than a module in a UTM firewall (assuming you need more than a straight category-based blocking scheme) but most of their competition is superior in nearly every way.

If you have a UTM firewall I would look at the built-in capabilities of that box first. Evaluate them to see if they can fulfill your requirements with regards to filtering, exceptions, and inclusions. If not, look at the IronPort first, McAfee Web Gateway second, and then WebSense (assuming they don't price themselves out of the running). As a last resort, I'd look at Blue Coat.

cnfuzzd

Thanks for the responses everyone.

I am still in a bit of a pickle. We have a perfectly fine Cisco ASA 5510 that is working perfectly. We have a horribly configured physical server running ISA 2006 and Cyblock. Our MSP is suggesting we replace the Cisco with a Sonicwall NSA 3500. I am a little hesitant about the Sonicwall (never really enjoyed working with them, but it was the entry level products that someone else had configured), but I am suspecting that the quotes that come back from Blue Coat, Websense, and Cisco will all be higher than the Sonicwall itself. We will probably end up going with the Sonicwall. With only 400 users, I am not sure that we are ready for the "bigger" solutions.

John

it_consultant

We have two Cisco IronPort appliances with 3 year support and they were about $12 grand. We bought all the higher end reporting and clustering licenses as well so the price inflated a bit. The ironport line is not that expensive compared to other solutions. I wouldn't go replacing your Cisco with a Sonicwall. If you are hell bent on getting rid of Cisco (an emotion I can relate too) I would look at the popular firewall providers like Juniper, Checkpoint, and Palo Alto - which is what I use.

The ironports were for email, not web filtering.