Suggested Enterprise Web Proxy

cnfuzzd Member Posts: 208
Hello all

We need to replace an aging ISA server. It is used as a web proxy with Cyblock web filter. What products have people had success with and enjoy using?

Thanks!

John
__________________________________________

Work In Progress: BSCI, Sharepoint

Comments

  • AlexNguyen Member Posts: 358
    We're using Blue Coat's ProxySG: Blue Coat – ProxySG
    Knowledge has no value if it is not shared.
    Knowledge can cure ignorance, but intelligence cannot cure stupidity.
  • Chivalry1 Member Posts: 569
    Enterprise: If you asked me 10 years ago I would have told you BlueCoat without blinking. But Cisco IronPort Web security appliance to date is the best. It's pricey but is VERY effective.

    Medium Enterprise: Ok....don't scorn me....But Microsoft Forefront Threat Management Gateway 2010 is really good. I have really enjoyed managing with the FASTVue Reporting (3rd Party). Pricing is not bad and easy to administer. I know...I know....it's not a dedicated appliance, but everything does not require a piece of hardware.

    Small Business: Well I am old school.....so a SUSE Enterprise Linux installed with Squid Proxy and Calamari for reporting. And yes WCCP is supported by Squid. Administration will be challenging if you have not administered Linux before.
    "The recipe for perpetual ignorance is: be satisfied with your opinions and
    content with your knowledge. " Elbert Hubbard (1856 - 1915)
  • networkjutsu Member Posts: 275
    Previous employer: Uses BlueCoat
    Soon to be previous employer: Uses WebSense
  • nosoup4u Member Posts: 365
    We previously used Websense but now we use TMG.
  • sieff Member Posts: 276
    Cisco IronPort.
    "The heights by great men reached and kept were not attained by sudden flight, but they, while their companions slept were toiling upward in the night." from the poem: The Ladder of St. Augustine, Henry Wadsworth Longfellow
  • Coolhandluke Member Posts: 118
    Used to use ISA (dual servers) then upgraded both to TMG.
    The web filtering was getting pricey so we switched one of the servers to Smoothwall. Very capable software for what it does but some of the features are ..... limited.
    [CCENT]->[CCNA]->[CCNP-ROUTE]->[CCNP SWITCH]->[CCNP-TSHOOT]
  • Chivalry1 Member Posts: 569
    networkjutsu wrote: »
    Previous employer: Uses BlueCoat
    Soon to be previous employer: Uses WebSense

    I detest websense....It is such a bad product!! I would rather install a system with ZoneAlarm Home Edition to protect my enterprise. :)
    "The recipe for perpetual ignorance is: be satisfied with your opinions and
    content with your knowledge. " Elbert Hubbard (1856 - 1915)
  • TBRAYS Member Posts: 267
    We use McAfee Web Gateway, previous employer used Websense which was horrible.
    Bachelors of Science in Technical Management - Devry University
    Masters of Information Systems Management with Enterprise Information Security - Walden University
    Masters of Science in Information Assurance - Western Governors University
    Masters of Science Cyber Security/Digital Forensics - University of South Florida
  • kj0 Member Posts: 767
    At the Branch we use ISA on '03* (95% of branches currently) and on the branches that have just been upgraded to '08 we are running Squid. And at the Head Office we run Bluecoat which also has the Branches going through it.

    *Let me mention that there are 1400+ Branches in the state, so they are in the process of being upgraded
    2017 Goals: VCP6-DCV | VCIX
    Blog: https://readysetvirtual.wordpress.com
  • FloOz Member Posts: 1,614
    We use Proxy Pro Networks at my job. Haven't had any issues with it thus far.
  • networkjutsu Member Posts: 275
    Chivalry1 wrote: »
    I detest websense....It is such a bad product!! I would rather install a system with ZoneAlarm Home Edition to protect my enterprise. :)

    Hah! I can bypass both of them. I guess they weren't configured properly? :)
  • it_consultant Member Posts: 1,903
    I used to use the proxy built into WatchGuard, now we use the proxy built into Palo Alto. Both work great as far as I can tell. It is still technically a proxy even though the traffic is only "proxied" inside the appliance instead of to a completely separate server or filter. I don't think it is necessary anymore to have a completely separate web filter appliance.
  • RTmarc Member Posts: 1,082
    The Palo Alto - and all UTMs - are good as long as you are doing cut-and-dry filtering across categories. When you start getting into exceptions and variations of access across your user base it starts to get ugly. We examined the notion of using that option in our PA but abandoned it after comparing our current ruleset with what we would have to do to match it on the PA.

    All of that being said, the Cisco IronPort is the best that I've worked with. Extremely easy to set up and manage, excellent technical support, and is an all-around great product. The biggest weakness that I found with it is that troubleshooting can be a challenge at times because all of the raw packet information is not presented in the GUI. You can still find everything you need to know but it will require you to SSH into the WSA on occasion to view the raw logs. So, it's a matter of convenience versus capability. It can do it, just not in the most convenient way occasionally; for what that's worth. I thought the out-of-the-box alerting was a bit weak but that was a non-issue for us since we had all logs going to our SIEM and used it for alerting; e.g., "malware was blocked for user on website."

    I think of Blue Coat as I do Blackberry. At one point they were the leader of the pack. Unfortunately for them, they rested on their laurels and let the competition pass them up and beat them at their own game. I think they are a better solution than a module in a UTM firewall (assuming you need more than a straight category-based blocking scheme) but most of their competition is superior in nearly every way.

    If you have a UTM firewall I would look at the built-in capabilities of that box first. Evaluate them to see if they can fulfill your requirements with regards to filtering, exceptions, and inclusions. If not, look at the IronPort first, McAfee Web Gateway second, and then WebSense (assuming they don't price themselves out of the running). As a last resort, I'd look at Blue Coat.
  • cnfuzzd Member Posts: 208
    Thanks for the responses everyone.

    I am still in a bit of a pickle. We have a perfectly fine Cisco ASA 5510 that is working perfectly. We have a horribly configured physical server running ISA 2006 and Cyblock. Our MSP is suggesting we replace the Cisco with a Sonicwall NSA 3500. I am a little hesitant about the Sonicwall (never really enjoyed working with them, but it was the entry level products that someone else had configured), but I am suspecting that the quotes that come back from Blue Coat, Websense, and Cisco will all be higher than the Sonicwall itself. We will probably end up going with the Sonicwall. With only 400 users, I am not sure that we are ready for the "bigger" solutions.

    John
    __________________________________________

    Work In Progress: BSCI, Sharepoint
  • it_consultant Member Posts: 1,903
    We have two Cisco IronPort appliances with 3 year support and they were about $12 grand. We bought all the higher end reporting and clustering licenses as well so the price inflated a bit. The IronPort line is not that expensive compared to other solutions. I wouldn't go replacing your Cisco with a Sonicwall. If you are hell bent on getting rid of Cisco (an emotion I can relate to) I would look at the popular firewall providers like Juniper, Checkpoint, and Palo Alto - which is what I use.

    The IronPorts were for email, not web filtering.