EH-Net

Ethical Hacking Discussions and Related Certifications => Web Applications => Topic started by: alucian on May 04, 2010, 03:20:10 PM



Title: Web filtering
Post by: alucian on May 04, 2010, 03:20:10 PM
I would like to ask you what web/url filtering application/solution do you use/recommend? I know that there are more than one question here but I would like to hear different opinions.

Best regards,
L.


Title: Re: Web filtering
Post by: Ketchup on May 04, 2010, 03:31:38 PM
I have experience with ISA server.  The nicest thing about it is that it integrates with Active Directory seamlessly.   The Watchguard content blocker is also decent.   I haven't used these myself, but people swear by the Barracuda appliances. 


Title: Re: Web filtering
Post by: Dengar13 on May 04, 2010, 06:27:11 PM
We use Websense and it is a pretty decent product.  We block Skype traffic and sometimes legit traffic gets tagged as Skype which causes problems.  The support is a mixed bag.  For example, I live in the States and sometimes I will get a support team from Asia, which is a 12 hour difference making the communication tedious.  You may get lucky and get a more local team if you ask for it while opening the ticket.

I have heard Palo Alto has an appliance that I was interested in a few years ago and would be curious to see what other people's opinions are.

I used ISA in the past, but not for filtering web traffic.  It is a huge plus that it integrated with AD like Ketchup had mentioned.


Title: Re: Web filtering
Post by: pizza1337 on May 04, 2010, 06:50:30 PM
My school uses lightspeed systems TTC, http://www.lightspeedsystems.com/


Title: Re: Web filtering
Post by: inf3kt1d on May 06, 2010, 11:18:17 AM
I've had good experiences with Sonicwall.


Title: Re: Web filtering
Post by: bamed on May 06, 2010, 12:51:47 PM
I've always been a fan of Dansguardian (http://www.dansguardian.org).  The original developer of the OSS project has gone to work for Smoothwall (http://www.smoothwall.com) and they offer a really slick commercialized version of it now too.  But as long as you don't mind editing configs with vim/emacs and grepping through logs, then the FOSS version (http://www.smoothwall.org) is great.  The commercial version pretty much just gives you a nice GUI and advanced reporting.  The commercial version also does nice/easy LDAP integration, though that can also be done with the FOSS version, just not quite so easy to set up.


Title: Re: Web filtering
Post by: sil on May 06, 2010, 01:41:42 PM
> I would like to ask you what web/url filtering application/solution do you use/recommend? I know that there are more than one question here but I would like to hear different opinions.
>
> Best regards,
> L.

My comment is, it depends on the environment to be bluntly honest. Not all solutions work in all environments, so this question is likely going to get you a mixture of answers. Not all wrong, not all right. I could assume you want low-cost (Open Source models) but I don't like to assume. You could want an enterprise solution in which event, a solution like Dans Guardian is seriously lacking.

Where I work I recently replaced all of my FW-1's with a combination of Juniper's SRX and SSG's. The SRX's have the capability to work with Websense so we no longer needed Bluecoat. (Sayonara!) All works just fine however, I work at a SoHo/Mid-Sized corporate environment which works just fine for us.

On my managed security side of things (customers of ours), I mainly use Juniper SSG's most of the time, since the costs involved with deploying an SRX at a small company are almost always intolerable. For these setups it also depends on a few factors before decisions are made, and almost always, they're different. How much time I want to spend configuring and deploying something, how creative I want to be, what's the tolerance of the client: Do they want pretty "Warning you shouldn't be seeing this" pages or would they settle for customization (aka default ugliness (Dan's Guardian default page is ugly)). For logging (do they want pretty or am I the one looking at the logs (when I do I pass them through Splunk and OSSIM filtering))

Plenty of questions each unique to each location. If it is a small office, you can take a look at Untangle which does web-filtering as well (http://www.untangle.com/) if you don't want to go with Squid/Dans Guardian. If you want to do some creative-filtering with IPS/IDS/EPS (Extrusion Prevention System), you could cobble together a neat NSM using Squid, Sguil (http://nsmwiki.org/Main_Page), pads, etc.



Title: Re: Web filtering
Post by: MicroJay on May 06, 2010, 01:58:53 PM
Ahh...I went through this a couple years ago.  We had an Internet Web Security Suite (IWSS) by Trend Micro.  They stated it was a solid product...until...people were in Google searching anonymous proxy and clicking until they got through.  TM then stated it was not meant to be a true proxy server.
So - we had to switch to protect our network.  We switched to 8e6 (now M86 Security).  This product is solid.  Can't recommend it enough.  It works directly with AD.  It throws up 'blocked' pages on those that should not be viewed.  Also - it allows the user to click on a link to email the info if the page is needed for 'business' use.
If you would like more info on this, let me know and I can get more specific on the use of it (no finders fee - just truth!).


Title: Re: Web filtering
Post by: alucian on May 07, 2010, 09:28:11 AM
Thank you for the answers.
Actually I am doing research for a potential employer. The case is for a medium size company (500 employers, 3 locations) so I looked at commercial products, and my finalists are McAfee 500E, Symantec 8450 and M86. I am looking for the price of M86, but the others are around 2500$.
I saw that Cisco Iron Port does an excellent job, but the company in the case study is supposed to do business in the transport biz, so they will not spend 7500$ just for this (I suppose :) ).


Title: Re: Web filtering
Post by: MicroJay on May 07, 2010, 09:55:34 AM
CDW sells the M86 product.  You might want to contact them to see if there are any deals.  Plus - M86 does an eval unit as well just to make sure it works for your needs.


Title: Re: Web filtering
Post by: alucian on May 07, 2010, 10:33:41 AM
I think I'll go with M86, because it is very possible that they already have an AV solution from McAfee or Symantec, so they will only benefit from the combination of them.