SonicWall support services set to expire... should I move to Ubiquiti Routers?

JaredBusch

@coliver said:

Is there any value in web filtering? Or is that using technology to solve an HR problem?

The productivity part aside, yes it is using technology to solve a managerial issue.

But there is nothing wrong with that. That is the POINT of technology used properly. The problem is the cost versus the benefit now is really falling away.

scottalanmiller

@coliver said:

Is there any value in web filtering? Or is that using technology to solve an HR problem?

As long as HR is directly it and it is not an IT initiative on there own, I see nothing wrong there. Now why HR feels that web filtering is effective and worth spending money on is the question. Web filtering, even at the biggest enterprises, never blocked me from doing things. It just made me less productive.

A Former User

@scottalanmiller said:

Ubiquiti is very good, but does not do web filtering. If you need that I would either get it externally to your firewall (this is what a web proxy is for) or move to something like Sophos.

DNS is better than a proxy these days. Proxies break to many things. Use http://www.nxfilter.org/p2/ for DNS filtering. It's free. Run it on a linux VM and you can even do Zone Transfers from your AD DNS so AD will still work fine with clients pulling off of it.

A Former User

@scottalanmiller said:

@coliver said:

Is there any value in web filtering? Or is that using technology to solve an HR problem?

As long as HR is directly it and it is not an IT initiative on there own

Even with just IT if it's used to block spyware, malware etc its still good.

Dashrender

@scottalanmiller said:

I think outside of the enterprise, web filtering is mostly going away. And even there it is becoming minimized. It is becoming more and more expensive while doing less and less.

yeah I was wondering if this was the case.

Dashrender

@JaredBusch said:

Web filtering via a web proxy is really dead anyway. The world is moving to SSL and you cannot get in that anyway without setting up a more intrusive man in the middle style proxy on your network.

I would love to recommend DNS based filtering, but the only quality service I am aware of it Umbrella by OpenDNS. Unfortunately it is very expensive.

Yep, I'm fully aware but general web filtering should still prevent a lot of nasty things (I would think) because you still have to know the name/IP of the host you are trying to connect to.

scottalanmiller

@Dashrender said:

@JaredBusch said:

Web filtering via a web proxy is really dead anyway. The world is moving to SSL and you cannot get in that anyway without setting up a more intrusive man in the middle style proxy on your network.

I would love to recommend DNS based filtering, but the only quality service I am aware of it Umbrella by OpenDNS. Unfortunately it is very expensive.

Yep, I'm fully aware but general web filtering should still prevent a lot of nasty things (I would think) because you still have to know the name/IP of the host you are trying to connect to.

Yes, but that is so easy to work around. I wonder how many people are actually blocked compared to how many appear to be blocked?

Dashrender

Considering over 50% of my employees can't find google if it's not their homepage, it's a pretty good block. Those that can find google without either it being the homepage, or having a shortcut - I'm not worried about those people because they typically aren't the ones finding themselves infected with crap.

Another thing I was able to accomplish last year - I removed local admin from 90% of my users, so perhaps the whole spyware/crap ware thing is less of concern now.

A Former User

@Dashrender said:

Another thing I was able to accomplish last year - I removed local admin from 90% of my users, so perhaps the whole spyware/crap ware thing is less of concern now.

You can stll get spyware, malware and viruses in limited accounts. heck cryptolocker and crypto wall both are designed to run with admin permissions.

JaredBusch

@Dashrender said:

Considering over 50% of my employees can't find google if it's not their homepage, it's a pretty good block. Those that can find google without either it being the homepage, or having a shortcut - I'm not worried about those people because they typically aren't the ones finding themselves infected with crap.

Another thing I was able to accomplish last year - I removed local admin from 90% of my users, so perhaps the whole spyware/crap ware thing is less of concern now.

The malware can be hosted on an SSL site just as easily as anything else. This defeats the web proxy right there.

Google returns SSL search results for most things if it is available also.

JaredBusch

@Dashrender said:

Yep, I'm fully aware but general web filtering should still prevent a lot of nasty things (I would think) because you still have to know the name/IP of the host you are trying to connect to.

Knowing the name/ip would be DNS filtering not web proxy filtering.

Dashrender

@thecreativeone91 said:

@Dashrender said:

Another thing I was able to accomplish last year - I removed local admin from 90% of my users, so perhaps the whole spyware/crap ware thing is less of concern now.

You can stll get spyware, malware and viruses in limited accounts. heck cryptolocker and crypto wall both are designed to run with admin permissions.

lol, yeah I know, but at the same time, a web filter probably isn't going to save me from those either as they morph and shift so frequently the filters can't keep up.

Dashrender

@JaredBusch said:

@Dashrender said:

Yep, I'm fully aware but general web filtering should still prevent a lot of nasty things (I would think) because you still have to know the name/IP of the host you are trying to connect to.

Knowing the name/ip would be DNS filtering not web proxy filtering.

I'm not the one who mentioned Proxy Filtering... I only said web filters.
That said, the Sonic Wall is my only device (other than a switch) between the users and the internet. I'm not sure if it's doing true proxying or not? I don know that non SSL traffic was being scanned for viruii, another part of the packaged purchased 3 years ago..

Sounding like i should just forget about any protections at that level and Ubiquiti routers should be fine for me.

A Former User

@Dashrender said:

I'm not the one who mentioned Proxy Filtering... I only said web filters.
That said, the Sonic Wall is my only device (other than a switch) between the users and the internet. I'm not sure if it's doing true proxying or not? I don know that non SSL traffic was being scanned for viruii, another part of the packaged purchased 3 years ago..

Sounds like a transparent proxy most likely. You can do SSL filtering with proxies by decrypting it and using an SSL cert on your proxy but it is not recommended in most cases, you'll be decrypting bank information and everything else on your proxy like that.

A Former User

@Dashrender said:

lol, yeah I know, but at the same time, a web filter probably isn't going to save me from those either as they morph and shift so frequently the filters can't keep up.

No one solution will prevent them. But a network level DNS filter or firewall to stop Malware, spyware etc can be an important part of the solution.

Dashrender

@thecreativeone91 said:

@Dashrender said:

I'm not the one who mentioned Proxy Filtering... I only said web filters.
That said, the Sonic Wall is my only device (other than a switch) between the users and the internet. I'm not sure if it's doing true proxying or not? I don know that non SSL traffic was being scanned for viruii, another part of the packaged purchased 3 years ago..

Sounds like a transparent proxy most likely. You can do SSL filtering with proxies by decrypting it and using an SSL cert on your proxy but it is not recommended in most cases, you'll be decrypting bank information and everything else on your proxy like that.

I'm personally not against that, this is my company network, our policy states that anything you do on it can be monitored by the company... don't read more into that than is there

Dashrender

@thecreativeone91 said:

@Dashrender said:

lol, yeah I know, but at the same time, a web filter probably isn't going to save me from those either as they morph and shift so frequently the filters can't keep up.

No one solution will prevent them. But a network level DNS filter or firewall to stop Malware, spyware etc can be an important part of the solution.

If NXfilter is priced better than that other option, OpenDNS, it might be doable. But as Scott mentioned, who's driving it, and is the cost really worth the provided value.

Currently I'm driving (that is, IT is driving it) to help keep our network safer. The price of the features with SonicWall weren't outrageous. But my current box is EOL. I can pay to keep the current thing active for a few more years, or upgrade to the current model... if I'm upgrading I might as well move to something we all agree is something better, less troublesome. And well perhaps the Gateway transparent proxying and AV scanning might not have been worth it... until we live without it for a while again I can't really say.

A Former User

@Dashrender said:

If NXfilter is priced better than that other option, OpenDNS, it might be doable. But as Scott mentioned, who's driving it, and is the cost really worth the provided value.

It's free for the non-hosted option.

scottalanmiller

I'm thinking about firing one up in a VM that I put on Pertino. Would be awesome to have a simple way to appear as being from the US rather than Spain.

Dashrender

@scottalanmiller said:

I'm thinking about firing one up in a VM that I put on Pertino. Would be awesome to have a simple way to appear as being from the US rather than Spain.

I'm sorry..one what?