They have an old cisco pix firewall , but need a simple/free method for the protection of <36 mac computers in a training class environment. The have zero budget for additonal hardware or software so , I suggested the Fortinet "forticlient" ; http://www.forticlient.com/
This post will show you how you can setup the forticlient for AV and webfiltering. It's available for windows/macosx & a few phone Os
1st the version of forticlient running on macosx 10.8.x and 10.9.x
Okay let's start with AV, once you start the client & after the installation you need to update the AV definitions. This takes approx 2-10mins depending on internet access. And yes you need internet access to get the updates.
The system will indicate if it's updated;
Now, here's the fun part, you will need the administrator account. You can tell the forticlient when to scan for automatic scan and you have a few options such as full scan or custom. Most will opt for full scanning. Without the end-user having administrator access, he/she will not be able to make changes or to disable the client.
Optional, you can set the level of logging and download the logs under the preferences;
Now webfiltering. It too is simple to configured but has a lot more to configure.
You must defined categories that you can allow or disable access. These categories will use the fortiguard services inspection and reputation database and based on the website Categorization , you will be allow or disallow based on the setting in the forticlient
NOTE: Within each major category are sub-category that you can control;
Example; Adult/Mature Content has 15 sub-categories
To allow/block/warn/monitor you need to click the "category name" and set the action.
example, the passing of a pornographic websites
Now if we left the category "porn" set to block, and tried to go to a porn site, we would get a block message.
Note1: in a school environment you will most likely block everything and then add the categories for education
Note2: if you fill the site is catagorized into a wrong setting, you can submit a request to fortinet for a review by clicking the "click here" tab. Here they will allow you submit the url for review ( rarely does a site get categorized wrongly imho )
Here's my final block/allowance by categories for this particular school;
Note the client has an exclusion list, so you can list urls or wildcards to allow for certain site to be allowed or block regardless of the main category selection.
Example we will allow porntube.com
not: But beaware , a site like a pornsite for example , has numerous hyperlinks. So just allow http://www.porntube.com , will still now display the full graphic/text of the page. Each other text/graphic hyperlink could be in a different category.
So now you have a free & easy AV/Webfiltering for MACOSX.
A few key points to remember;
- it's free, so what you pay is what you get ( it's really not a bad solution btw )
- it can take a considerable amount of time 4-8 mins to modify each client webcategory ( I don't think a simple up a upload configuration file method). So if you had maybe 50+ desktop/laptops, this would not be an ideal solution to managed. Everytime you want to make a change, you would have to touch X amount of machines
- ideally you want a simple AV/Webfiltering inspection firewall or proxy like a fortigate or pfsense for example
- Using a centralize firewall , will allow you to provide full protection without the need to make adjustments per client machine
note: If you need to administrate the client and need to run updates or install applications, remember to disable the forticlient. If you have a hard lock-down webfilter, you will most likely block simple things like updates. This will require the administrator login
Restart the client or reboot the machine to re-enable the protection :)
And lastly, another free solution for MACosx and AV protection is the opensource ClamAVx
It's just as good or better, but on protects for AntiVirus. This is a great solution if you have some existing webfiltering device ( i.e HTTP/HTTPs proxy ) and need to add AV protection.
The forticlient is great for a few home machines, and for protection for your kid's computer. Or at your company lobby/cyber-cafe as a guest machine access. In this case you might allow access to webmail or a limited set of sites.
Freelance Network/Security Engineer Providing security solutions using Fortinet hardware.
kfelix -----a----t---- socpuppets ---dot---com
=( @ @ )=