We have had Smoothwall Network Guardian for nearly a year, and its renewal is coming up soon. (The recent renewal quote I had was £2000 for the next year).
So I'm currently looking into alternatives to see if I can get an easier system to use for better value, as a lot of Smoothwall's functionality we don't use. All I really need is group-based filtering and internet logging.
I'm aware the product has a great rating on EduGeek which is one of the reasons we bought it last year. It has been better at filtering than RM's SafetyNet system we used before it, but there are a few things I hate about it:
The interface is horrible, it should be task based not divided into confusing submenus. The most common tasks are not on the home page (ban site, un-ban site, reports).
The interface is slow, reports take ages to run - although this could be the server spec
Using NTLM login means that annoying login boxes pop up whenever an updater program runs (non-NTLM app), confusing users.
The aforementioned box then requires the domain\user syntax which confuses users even more.
Laptops which are plugged into the network and use wireless - Smoothwall sees as two devices and so uses two licenses - to be fair Smoothwall did increase our licenses for free when this happened.
I have been unsuccessful so far in getting it to work with guest access using Ruckus GuestPass. dual authentication, guest access etc
I'm also thinking about changing back to RM's system (which we get as part of the internet connection) then using a product like Securus or Policy Central to log violations. So students learn to use the internet responsibly.
So in summary:
Is there an alternative to Smoothwall that logs, and allows filtering by AD group? Or is Smoothwall the best system?
What does everyone think about going the other way and using Securus to counter student misuse of the net?
We installed the Sophos WSA1000 three years ago and it has been excellent. It integrates with AD and you can set it to filter by groups. Since we installed it we have not had any problems with Proxy sites as Sophos reads the code of the page and cleverly blocks them. The box also scans for virus/worms/trojans etc. The box also updates Sophos every hour with any site category changes that are made, these are then checked by Sophos employees to confirm the category change and if they agree then the update is sent to all Sophos boxes.
On the reporting side there are limitations, but you can set regular reports to be emailed out and we have set ours up to backup the logs daily. These are in the squid format and we use a squid reader to get the information we need.
When we have had a problem, Sophos have been excellent at solving the issue and keeping us informed as to what they are doing, most issues are corrected remotely, a remote access facility is built in to the box, so send Sophos a request, they ask you to turn on the remote access and once complete they turn off the connection, and ask you to check. The connection does time out as well.
The updates are automatic, just choose a time and then choose a different time for automatic restarts and you really can set it and forget it.
I have spoken to Sophos as we were planning to replace the box this year but after a chat with our supplier we decided that we would just extend the warranty, the extra speed of the new hardware didn't warrant the cost. But if we wanted to upgrade the hardware all that is needed is to run a backup and re import on to the new unit, job done.
Just to let you know I don't work for Sophos, it is just that the Sophos unit has been a godsend and solved far more problems than we ever thought it would.
Sorry to hear you're having a hard time with the Smoothwall kit. I must admit I don't have a Smoothie box as I no longer work in education, but when I trialled one back in March I was very pleased with it; after some great training from the Smoothwall team I was well away.
Suppose you may think that the costs are pretty large, but you get what you pay for. To be honest you cannot knock the kit and the software it runs on it, and even if it does have certain issues I am sure if you bring these to the attention of the support team they would happily get it fixed for you if at all possible.
You might have already done this anyway, but have you spoken to Tom of the forums and explained your issues to him? I am sure he would be able to get one of the Technical Team to contact you and get things sorted.
P.S. I'm not involved with Smoothwall in any way, but have had very long chats with the team and just thought I'd add my input, but get on to the team, who knows, might be able to get your problems sorted and even sort some kind of deal out
Try Squid and DansGuardian. AFAIK it's what Smoothwall is based on, it's free and you can also download free blacklists. You could also try Smoothwall Express but I don't think that does the filtering side
HCC, Very interesting post. We were / are considering taking another Smoothwall trial, but the key factors for us are exactly what you mention.
1) We need seamless authentication for domain computers, all browsers. Absolutely no login should be required for a domain PC
2) We need guest laptops, phones, ipods etc to be able to authenticate via a login box.
3) We need decent reporting
4) We need VPN access for Mac/PC that the teachers can set up themselves that we don't have to install certificates or anything for, i.e. they can use their integrated AD logins.
5) Support - Worried about being overseas what is the turnaround in support issues.
Can Smoothwall do all this?
(Tom, please feel free to contact me to discuss this)
First off, I hope you've raised these issues with someone in Tech here HCC. If not, we should have a look at them.
Often, slow interfaces are due to large volumes of reporting data. Sometimes a database rebuild can help this without bumping server hardware.
We are aware that our interface isn't great. There are changes afoot - notably Guardian will have a revamped interface in October, but the menu system which you find so irritating is slightly more ingrained (I won't go into the gory details of why it's set up like that.. suffice to say we aren't its biggest fans either) and won't be getting a full new look til early next year, but we are going more task based at the behest of customers like yourself.
Licensing wise - again, we know "counting IPs" isn't great, though there aren't many alternatives, we think we have found one. Watch this space. Though as you have found out, if you run into licensing issues, we are happy to resolve them in your favour.
Finally... everyone's favourite. Authentication. Yuck. It is a pain in the backside, but it isn't a Smoothie-specific pain. NTLM will only work with WinINet-based browsing - that's Microsoft for you. And there's not much else in the way of auth methods that are "seamless". However - we can now offer multiple auth methods on the same box, which might solve some of your issues. Additionally, we should (depends on your setup) be able to remove the need to type in the domain\ portion of the username.
@RabbieBurns - drop me a mail. Short answer is: you should be ok on all those fronts. Support should not be a problem, as our Sydney distributor is pretty spot on, and between our UK and US based internal support offices, we can usually get support to them pretty rapidly if they need it.
Tom, Thanks for the insight.
I have been a user of Smoothwall products for many years, but I would say yes to the OP's criticisms of SW.
I usually have to leave reports running overnight and the NTLM auth problem has always been with us.
The training we had at Stone was 'not ideal' at all and I do feel that this has stopped some of us using the product better.
Are there any podcasts/webinars/YouTube vids even! that go into demonstrating some of the product's facilities?
This may be a stupid question (brain not working well at the moment) but does the user have to log in to access the internet when using SW?
No, it integrates.
Policy based access control and user authentication are the keys to UTM security; based on authenticated user identity rather than assumed identity derived from a computer's IP address. Microsoft Active Directory®, Novell eDirectory™, LDAP and RADIUS authentication servers can be used to verify user identity, their group membership and hence determine the security policies to be applied.
@Rabbie - drop me a mail with any concerns you have and I'll put you in touch with the right folk.
@Salan - We hope to re-vamp our training to be more "bite size" and easy to deliver soon. I'll let Edugeekers know as soon as we manage that! If reports are taking overnight - we have issues there. Worth talking to support direct. I understand Stone's training wasn't ideal - it was their first go at it IIRC.
@36degrees - not a stupid question - the answer is "maybe" - how do you want it to work? You don't *have* to authenticate users, but if you want names in the reporting and different levels for different users, then you will need to. NTLM is the most common method of authentication. It generally works OK, but the more you deviate from Windows+IE, the less friendly it is! NTLM lets you authenticate without ever retyping a logon. There are a number of other authentication methods, but all ultimately involve entering a second logon (which in many many cases is the same as your first logon.. this is only limited by your network setup) - and some of these modes can save passwords etc.
Going back to the original question:
I take it, based on the replies so far, that edugeekers consider that Smoothwall is the best for filtering/logging.
I didn't mean to be negative to Smoothwall in my first post. I agree it's a good product, but it could be sooo much easier to use and maintain with a few tweaks. Glad to hear they are being worked on.
I have been in touch with support and they are usually very good - we have already had them purge the database to try and improve the speed, yet the speed problem remains. This is another reason I was seeking an alternative, as it looks like the server Smoothwall is on needs upgrading; which will eat further into my budget this year. So that leaves me with the option of renewing and upgrading the server or going back to the old system.
Are there any views on using Securus etc as a complement to RM's basic filtering? (I know Smoothwall and Securus do different jobs)
@HCC - No worries about being negative - if we don't get negative feedback it is hard to improve. Would welcome any detailed criticisms by email as well - particularly "stuff you do every day" which is hard.
If you could also let me know what server platform you're running on, and how many users you have, we can assess whether it should be sufficient. FWIW, we are releasing 3 sets of updates (Reporting, auth, Guardian) of which only reporting is out fully (make sure you are up to date), each of which will cause that component to use *less* resource than its predecessor, so you may find that in the coming months you get some "free" performance.
I would personally suggest that Securus + RM will leave you open to abuse in the anonymizer area.
Due to the management team being tighter than a duck's **** over here, we can only dream of commercial products such as Smoothwall. A free alternative that I can vouch for is a Squid/DansGuardian/Webmin install on Linux (I like Ubuntu). Can be a little fiddly to set up, but there are guides out there and if you choose to go this route I can probably help out (I did it fairly recently).
I have mine bound to the Windows domain, authenticating using NTLM on Active Directory users (not on groups), with various access level groups for staff, students, evil students, etc. Once it is set up, particularly with Webmin, it is dead easy to use and maintain. I certainly have no problems with the interface (non-Linux using technicians maintain the block lists and exceptions lists with no issues at all), and the reports just read from plaintext log files, so depending on what you report on can be dead quick or a little slow. Never had to leave it overnight though!
That said, if there was the remotest chance they would give me some money for stuff like that, I would look into Smoothwall - it may well be the case that a professional product with official support would be worth the investment!
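The Squid-format logs mentioned earlier in the thread (the Sophos log backups and the plaintext logs of the Squid/DansGuardian setup) can be turned into a per-user block report with a short script. This is an added example, not code from any poster or vendor; it assumes Squid's native access.log layout, and the sample lines, addresses and account names are constructed.

```python
from collections import Counter, defaultdict
from urllib.parse import urlsplit

# Constructed sample in Squid's native access.log layout:
# time elapsed client action/status bytes method URL user hierarchy/peer type
SAMPLE_LOG = r"""
1285920000.101     2 10.0.5.21 TCP_DENIED/407 1830 GET http://news.example.org/ - NONE/- text/html
1285920000.245   310 10.0.5.21 TCP_MISS/200 20481 GET http://news.example.org/ SCHOOL\jsmith DIRECT/192.0.2.10 text/html
1285920031.870     1 10.0.5.21 TCP_DENIED/403 1422 GET http://proxy.example.net/browse.php?u=abc SCHOOL\jsmith NONE/- text/html
1285920044.012     1 10.0.5.21 TCP_DENIED/403 1422 GET http://proxy.example.net/index.php SCHOOL\jsmith NONE/- text/html
1285920102.530     0 10.0.5.37 TCP_DENIED/403 1390 CONNECT games.example.com:443 SCHOOL\AKhan NONE/- -
1285920150.004     0 10.0.5.99 TCP_DENIED/403 1401 GET http://ads.example.com/banner.js - NONE/- text/html
1285920151.000 truncated line
"""

def parse_line(line):
    """Split one native-format line into the fields a filtering report needs."""
    f = line.split()
    if len(f) < 10:
        return None  # blank or truncated line
    action, _, status = f[3].partition("/")
    method, url, user = f[5], f[6], f[7]
    # CONNECT requests log "host:port" instead of a full URL.
    host = url.rsplit(":", 1)[0] if method == "CONNECT" else (urlsplit(url).hostname or url)
    # NTLM logins may be logged as DOMAIN\user; keep only the account name.
    return {"client": f[2], "action": action, "status": status,
            "host": host, "user": user.rsplit("\\", 1)[-1].lower()}

def blocked_by_user(lines):
    """Count filter blocks per user and site, ignoring proxy-auth challenges."""
    report = defaultdict(Counter)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["action"] != "TCP_DENIED":
            continue
        if rec["status"] == "407":
            continue  # auth handshake (e.g. NTLM challenge), not a policy block
        who = rec["user"] if rec["user"] != "-" else rec["client"]
        report[who][rec["host"]] += 1
    return report

if __name__ == "__main__":
    for who, sites in sorted(blocked_by_user(SAMPLE_LOG.splitlines()).items()):
        print(who, dict(sites))
```

Skipping the 407 lines matters with NTLM, because every authenticated session starts with denied challenge responses that would otherwise inflate the block counts.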
Throwing my hat in - I did extensive testing with a lot of vendors, as proxies/anonymizers were hammering my internet, and we needed something solid.
Smoothwall was by far the best we tested filtering wise - and I've still yet to come across anything that impressed me to that extent. The approachability and friendliness of the support teams is also great - and they constantly seem to be improving the product.
They're one of the few companies on here that gets their praises sung often - and that was happening long before they were a sponsor. They're popular for a reason...well, popular with us - less so with the students ;-)