
Small business internet usage monitoring & multiple connections

Discussion in 'Networking (Hardware & Software)' started by a60wattfish, 2006/01/24.

  1. 2006/01/24
    a60wattfish

    a60wattfish Inactive Thread Starter

    Joined:
    2004/09/06
    Messages:
    22
    Likes Received:
    0
    We have 2 buildings (let's call them A and B).
    Building A is the main building and has about 25 users and the main Windows 2003 SBS server.
    Building B has about 10 clients.
    Each building has a 3Com SuperStack 3 Switch 3250 which are then joined together with a 1Gbps fibre optic connection.
    Building A has a 2Mbps ADSL internet connection.
    The internet connection is connected to the network via a Draytek Vigor 2600, which has been set up as the default gateway.
    The Windows server acts as the DHCP & DNS server.
    Several users connect to our network via a VPN connection to the Draytek router, so that they can check their emails from home via Outlook.
    I also VPN into the network to use a remote desktop with the server.
    The majority of the clients are desktop computers running Windows XP Pro SP2, although there is 1 laptop which is still using Windows 2000.
    Everything is on the same subnet and domain.

    This setup works fine as it is, but gives me no control of what everybody is downloading or the amount of bandwidth they are taking up. I want to be able to monitor the amount of internet bandwidth taken up by each client on the network, and control how much is available to everyone. If possible I would also like to be able to monitor the sites people are visiting on the internet and block certain ports.


    Due to some regulations that our company has to follow, we are installing a backup 512Kbps ADSL connection in building B. If building A blows up we will relocate as many users as possible into building B and will increase the ADSL connection to 2 Mbps. I have purchased a 3Com OfficeConnect ADSL router for use with this connection.
    It would be a shame to have this internet connection going to waste, with nobody using it, so if possible I would also like to be able to put this connection to use. I have considered adding this to the clients as another gateway, so if the main connection goes down they automatically start using this one. How effective this would be, I don’t know.



    I have had a quick look around and I think something by SonicWALL will provide all of these features.
    An alternative, cheaper and more flexible solution would be setting up a Linux proxy server running on one of the many old boxes lying around. I had tried SmoothWall a year or so ago, but from what I remember I couldn’t monitor the amount of bandwidth being used by each client.


    We are only a small company and this whole thing isn’t absolutely urgent, so if it costs much more than about £500 it probably won’t happen. I’m almost certain that we aren’t the first small business wanting to do this sort of thing on the cheap.



    Any pointers, hints, tips or guidance in general would be greatly appreciated.

    Thanks in advance



    A60wattfish
     
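    The per-client bandwidth accounting the original post asks for can be done from the access log of a Linux proxy such as the SmoothWall box mentioned above. The script below is an added example, not code from the thread or from any of the products discussed; it assumes Squid-style native access.log lines (timestamp, elapsed ms, client IP, result/status, bytes, method, URL, ...) and uses constructed sample lines and the thread's 2 Mbps link figure.

```python
"""Per-client bandwidth accounting from Squid-style proxy access logs.
The log text below is constructed sample data, not from any real network."""
from collections import defaultdict
from urllib.parse import urlsplit

SAMPLE_LOG = """\
1138100000.101    245 192.168.1.23 TCP_MISS/200 153420 GET http://www.example.com/big.zip - DIRECT/203.0.113.10 application/zip
1138100001.412     12 192.168.1.23 TCP_HIT/200 2048 GET http://www.example.com/index.html - NONE/- text/html
1138100002.009    830 192.168.1.40 TCP_MISS/200 98304 GET http://video.example.net/clip.wmv - DIRECT/203.0.113.20 video/x-ms-wmv
1138100003.550     40 192.168.1.55 TCP_MISS/403 512 GET http://blocked.example.org/ - DIRECT/203.0.113.30 text/html
1138100004.100     15 192.168.1.40 TCP_DENIED/403 0 CONNECT chat.example.com:6667 - NONE/- -
malformed line that should be skipped
"""

def parse_line(line):
    """Return (client_ip, bytes, host) for one native-format log line, or None."""
    fields = line.split()
    if len(fields) < 7:
        return None
    try:
        size = int(fields[4])
    except ValueError:
        return None
    url = fields[6]
    # CONNECT requests are logged as "host:port" with no scheme; handle both forms.
    host = urlsplit(url).hostname if "://" in url else url.split(":")[0]
    return fields[2], size, host

def usage_by_client(log_text):
    """Aggregate bytes transferred and distinct hosts visited per client IP."""
    totals = defaultdict(lambda: {"bytes": 0, "hosts": set()})
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip lines that do not match the expected layout
        client, size, host = parsed
        totals[client]["bytes"] += size
        totals[client]["hosts"].add(host)
    return totals

def top_talkers(totals, link_bps=2_000_000, window_s=5):
    """Rank clients by bytes; link_bps is the 2 Mbps ADSL line from the thread,
    window_s the span of the sample, so the last field is % of link capacity used."""
    capacity_bytes = link_bps * window_s / 8
    ranked = sorted(totals.items(), key=lambda kv: kv[1]["bytes"], reverse=True)
    return [(ip, d["bytes"], round(d["bytes"] / capacity_bytes * 100, 1)) for ip, d in ranked]

if __name__ == "__main__":
    for ip, nbytes, pct in top_talkers(usage_by_client(SAMPLE_LOG)):
        print(f"{ip:15} {nbytes:>8} bytes  {pct:5.1f}% of link  hosts seen: {len(usage_by_client(SAMPLE_LOG)[ip]['hosts'])}")
```

The same aggregation run over a day's log, grouped by host instead of client, gives the "which sites are people visiting" view the post also asks for.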
  2. 2006/01/24
    ReggieB

    ReggieB Inactive Alumni

    Joined:
    2004/05/12
    Messages:
    2,786
    Likes Received:
    2
    I'd go for a hardware firewall like those produced by SonicWall and Watchguard. Getting one that will accurately control each individual's access for £500 would be tight. But you should be able to get one that at least logs everyone's activity. To be honest with that budget, the problem isn't the hardware, but rather the number of user licenses. Most decent sub £500 firewalls come with only a 10 user license. Adding the additional licenses to cover all your users will probably double the cost. We use a netasq firewall as these come with no user restrictions, but are probably outside your budget.

    The other option is to go for one of the cheaper firewalls that come in at around £150. DLINK and 3Com do units around this price. Look for firewalls that give you stateful inspection and VPN. These units won't give you the user by user control, but will probably give you fairly detailed logs (you may have to set up SNMP logging to get the level of detail you are looking for). However, this level of firewall is better than relying on NAT on the router to protect you - not recommended in my opinion.

    Putting both routers as gateways will not achieve what you want. The system isn't clever enough to try the next option in the routing table if the first fails. The best bet is to use DHCP on your network, and then reconfigure DHCP to redefine the gateway if the first fails. This will require users to IPCONFIG /RENEW to get the updated path, but that isn't too much hassle.

    The other option if you are more worried about the connection going down rather than the router, is to use a static route from the default gateway to the router with the working internet connection. Alternatively, set up static routes on your server and use it as your default gateway. To change which router is used by your users - simply change the static routes on the server.
     


  4. 2006/01/24
    Paul Westhead

    Paul Westhead Inactive

    Joined:
    2006/01/24
    Messages:
    39
    Likes Received:
    0
    If memory serves correctly, doesn't SBS come with ISA? If so, ISA will do what you want. The particular thing that you are trying to do is called bandwidth shaping: you can permit certain IPs an allotted amount of bandwidth, although be warned that ISA is a complete nuisance to set up if you don't know what you are doing. I would suggest setting it up on a test computer and getting it running first off :)
     
  5. 2006/01/26
    ReggieB

    ReggieB Inactive Alumni

    Joined:
    2004/05/12
    Messages:
    2,786
    Likes Received:
    2
    ISA is an option, but bear in mind that the server running ISA needs to be on the edge of your physical network - it must be the connection between your network and the internet. To achieve this the server will need to be dual homed (two network cards).

    For your set up, you would need two ISA servers - one on each ADSL connection (unless you want to run a dedicated line from the remote ADSL into the outside of the ISA server - which with two buildings, I think is likely to be impractical).

    I think two ISA servers will take you over budget. If you go the firewall software on a PC option something like Smoothwall would be a better option on your budget.
     
  6. 2006/02/22
    a60wattfish

    a60wattfish Inactive Thread Starter

    Joined:
    2004/09/06
    Messages:
    22
    Likes Received:
    0
    Thanks for all of the replies and sorry for taking so long to reply. I hadn't forgotten about this thread, but as usual work got in the way of things.

    I have had a look and I think ISA will be possible on our server, although I am a bit wary of having our main server being the first port of call for the internet connection.
    In addition I don't think installing another ISA server would be an option, as we have Windows 2003 SBS as our main server's operating system, whose license limits you to one server per network. This isn't too much of a problem, as using our additional internet connection is more of a nicety than a necessity.


    Since I wrote my original message management have become more interested in scanning our internet connections. This has meant I should be able to spend a lot more (a couple of thousand), if required, but now I have the added requirement of actively scanning what users are visiting for viruses and spyware.
    I have been looking through the solutions provided by Watchguard and they look like the sort of thing I'm looking for. In particular the Firebox X Core series has caught my attention. The x500 looks very nice, and appears as though it will also cover a few additional security features which we are interested in. Namely the spam filter (currently done through an external company) and desktop virus guard (our current subscription with McAfee is coming up for renewal).


    As always, your replies are greatly appreciated.


    Thanks



    a60wattfish
     
  7. 2006/02/22
    Paul Westhead

    Paul Westhead Inactive

    Joined:
    2006/01/24
    Messages:
    39
    Likes Received:
    0
  8. 2006/02/28
    a60wattfish

    a60wattfish Inactive Thread Starter

    Joined:
    2004/09/06
    Messages:
    22
    Likes Received:
    0
    Thanks Paul, I'll have a look into that. Could you give a rough guess as to the sort of price range I would be looking at for one of your systems, with the details I have mentioned in previous messages in this thread?

    Thanks


    a60wattfish
     
  9. 2006/03/09
    ReggieB

    ReggieB Inactive Alumni

    Joined:
    2004/05/12
    Messages:
    2,786
    Likes Received:
    2
    I'm glad you're looking at the hardware firewall option - I am sure it is the best option.

    Watchguard is definitely worth a look. I've got a pair of SOHOs managing a VPN connection to a couple of small branches. Logging on these small units is disappointing though. However, the large X series should give you much better logging - more in line with what you are after.

    SonicWall also make excellent firewalls in the same price bracket and are well worth a look at. Our main firewall is a Netasq F50 which I have to say I like a lot. However, it is a little quirky (and French!!!).

    I think you may be missing a trick here. If you scan for viruses at the gateway, with the same AV software you use to scan at the desktop you're not achieving a lot. However, if your gateway scanner runs different AV software to that on the desktop, you've greatly reduced the chance of a virus slipping past as if the gateway sweep misses it, there is a chance the desktop search will catch it.
     
    Last edited: 2006/03/09
  10. 2006/03/09
    a60wattfish

    a60wattfish Inactive Thread Starter

    Joined:
    2004/09/06
    Messages:
    22
    Likes Received:
    0
    I've actually spent the last couple of days doing some solid research into UTM devices.
    There has been another slight change in the requirements. If possible we want to be able to scan emails for spam using the device. This is already done by an external company, and we don't have any complaints but doing it in house will be a lot cheaper.

    After much comparing I think it has come down to one of two different devices.
    My choices are the SonicWALL TZ 170 and the ZyWALL 35 UTM.
    They both seem to cover all of my requirements nicely and both are more or less the same price to purchase and run.
    That said, it looks as though ViewPoint for the SonicWALL provides extremely detailed reports on each individual's internet usage and the spyware filter seems a lot better than the ZyWALL's.
    However, looking through the manual of the ZyWALL the configuration of the device seems a lot more complete and the ZyWALL can do proper email spam filtering (which will be a nice bonus) and is also ready for using multiple WAN connections.

    The SonicWALL appears to be capable of using multiple WAN connections and can do spam filtering, but it'll cost an additional ~ £300 to upgrade the OS from standard to enhanced. The spam filtering also doesn't appear to be anywhere near as powerful as the ZyWALL.


    There is one small thing bugging me, and that is VPN. As I said before, several users VPN into the network to check their emails and do various other bits and bobs, and I VPN in sometimes to do a remote desktop to the server. I read somewhere that the ZyWALL uses standard VPN protocols, so I should be able to connect to that without a problem, but I'm not so sure about the SonicWALL. I also don't know whether you need a license to VPN in to the network with either device.

    Thanks for that tip, I never thought of it like that. We have now sorted out what AV software we are going to use so this is no longer a problem.



    Thanks again ReggieB


    a60wattfish
     
  11. 2006/03/24
    a60wattfish

    a60wattfish Inactive Thread Starter

    Joined:
    2004/09/06
    Messages:
    22
    Likes Received:
    0
    For anyone interested I have got a SonicWALL TZ 170 on trial. I've managed to get it all set up and more or less everything is working without a problem. I just need to work out how we are going to handle VPNing.
     
