Really not sure if this is the place to be asking this, but here goes...
Our company has grown exponentially in the last year. As such, our internet connection needs some serious managing and limiting to not only ban facebook and other stupification sites, but also to limit the bandwidth that is dedicated to certain services like youtube.
Setting up new firmware and limits on every single one of our routers is, naturally, out of the question, and I would now like to know if there is some kind of hardware device that would offer me this functionality (both limiting and throttling the bandwidth to and from certain resources) without fail. I would install this device between our ISP's line and our building switch, in order to control the entire company's bandwidth allocation.
Googling revealed nothing useful, except some software solutions which are inadequate for our situation.
Update:
We are in one building. The building has two entry point connections on the ground floor, which connect to the building switch. That is, we have two synchronous (up = down) ADSL connections, one for each floor basically. This switch then branches out and connects to each of the two current floors we own (that is, to each of the several routers on each floor). 99% of the company works on Macs (I know...), and those Macs are connected wirelessly to the aforementioned routers. The WANs themselves are not interconnected in any way other than the fact that they all go back to the same building switch eventually.
I had originally thought about flashing every router with new firmware and then putting some serious limiting on those, but not only is that not very safe for the routers, it is also tedious - especially if I need to change a condition later on. This would require me to run around again and deal with each one. What I'm basically aiming for here is a single device able to both limit the bandwidth to some sites (i.e. limit Youtube to 100kb/s) and block others completely (facebook), preferably by subnet (for example, 192.168.3.x would have only bandwidth throttling, while 192.168.2.x would have a complete blockade on facebook). If you could just point to such a device if it exists, we will pay up to $5,000 for it; this is how important it is to us to do this instantly and hassle-free for an indefinite amount of time.
Update 2:
Info on current routers: Right now we use Linksys WRT54GL for our routers. There are 5 in total, three on the ground floor and two on the first floor.
Update 3:
We are in a rented building. The building has a master rack to which I have no access, and must hunt down the network admin of the building. We are a part of a university campus, and we occupied 50% of a building, for now. The structure is as follows - there is a floor rack on the ground floor, into which our internet connection is plugged. From there, we branch it out to VoIP and internet access for users, in the following manner: the ground floor gets one channel, which makes a total of 3 of those SOHO routers. The ground floor rack is connected to the main building rack, which in turn spreads this connection out among the first floor rooms, of which each has its own router. So, basically, I have no control over or access to the main building rack.
Bart suggested we replace those SOHOs. What would be the optimal setup? Should I just get one strong access point for each floor? How is this usually done, what kind of hardware/software combo would you suggest? I am open to everything, even completely restructuring the entire company network if need be. I would like to learn how to do this properly from the get-go.
What kind of routers are you using? It sounds like you're just using SOHO type routers? You might want to look at getting better routers and switches with management built in and monitorable through SNMP.
That said, I'd also put in a proxy server that can log activity and block certain traffic. Proxying can help some of your speed woes; blocking can limit others.
Upgraded routers can also handle traffic shaping and limiting, as well as QoS. If you must do it on the "cheap", you could start using a Linux box (there are several turnkey solutions) to do the traffic monitoring and shaping. Install, configure, set it as the gateway for everyone's system to route through. An inexpensive box can also do the proxying work for you, and you could have options for VPN access.
We ran a SquidGuard box for a while to filter and proxy traffic. Turned out it was also pretty good at helping track down certain malware on the network when we filtered for certain broadcasts that were scattering through the routing tables from a particular (infected) client. It was also great for getting browsing activity reports.
Just make sure any filtering or whatnot is allowed in your policies and employees are made aware of network monitoring. Sometimes it's the law, other times it's just a nice courtesy to your users to be reminded they're using company resources, not personal resources.
A Linux gateway, complete with iptables and the netem kernel module, will do the trick for you. However, there would be quite a bit of configuration work involved, so essentially you would be exchanging money for time. Plus, this will require somebody with halfway decent Linux skills; it's definitely not something for a newbie to try.
Here's a situation update a couple months after. Many thanks to @Bart Silverstrim for suggesting this approach.
We made a new Linux magic box, a PC gateway running CentOS x64. This machine serves as the router for the entire network. We equipped it with a high-end Intel NIC, and used that to distribute our LAN company-wide. This enabled the following setup:
Now when the company grows again, all I have to do is clone the AP configuration, set up the device's IP and add it to the huntgroups on the gateway, and the network has been extended. What's more, I have a full overview of network stats, website visits, bandwidth usage, packet classification and more.
The whole thing cost us a week of planning, and around 5000€ total.
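Putting the iptables-plus-tc approach from the answer above and the gateway described in this follow-up into concrete form, as an added example that is not from any poster in this thread: a policy script for such a Linux gateway. It assumes the LAN-facing interface is eth1, that the YouTube and Facebook address ranges are kept in ipsets named youtube and facebook by a separate job, and that the question's "100kb/s" means 100 kbit/s.

```shell
#!/bin/sh
# Added example (not from the thread): policy for a Linux gateway sitting between
# the ISP line and the building switch, built on iptables + tc HTB.
# Assumptions: eth1 faces the LAN; ipsets "youtube" and "facebook" hold the
# destination ranges (maintained by a separate job); "100kb/s" read as 100 kbit/s.
LAN_IF="${LAN_IF:-eth1}"        # interface toward the building switch
LINK_RATE="${LINK_RATE:-8mbit}" # total downstream rate to shape under (assumed)
YT_RATE="${YT_RATE:-100kbit}"   # cap for video traffic to the throttled floor
DRY_RUN="${DRY_RUN:-0}"         # DRY_RUN=1 prints commands instead of running them

run() { if [ "$DRY_RUN" = "1" ]; then echo "$*"; else "$@"; fi; }

# Shaping egress on the LAN interface shapes what the clients download.
shape_download() {
  run tc qdisc del dev "$LAN_IF" root 2>/dev/null || true
  run tc qdisc add dev "$LAN_IF" root handle 1: htb default 10
  run tc class add dev "$LAN_IF" parent 1: classid 1:1 htb rate "$LINK_RATE"
  run tc class add dev "$LAN_IF" parent 1:1 classid 1:10 htb rate "$LINK_RATE"
  run tc class add dev "$LAN_IF" parent 1:1 classid 1:20 htb rate "$YT_RATE" ceil "$YT_RATE"
  # Packets carrying firewall mark 20 are steered into the 100 kbit/s class.
  run tc filter add dev "$LAN_IF" parent 1: protocol ip prio 1 handle 20 fw flowid 1:20
}

# Floor 192.168.3.0/24: throttle only, by marking replies coming from YouTube addresses.
mark_youtube() {
  run iptables -t mangle -A FORWARD -m set --match-set youtube src \
      -d 192.168.3.0/24 -j MARK --set-mark 20
}

# Floor 192.168.2.0/24: hard block. REJECT so browsers fail fast instead of hanging.
block_facebook() {
  run iptables -A FORWARD -s 192.168.2.0/24 -m set --match-set facebook dst \
      -j REJECT --reject-with icmp-admin-prohibited
}

apply_policy() { shape_download; mark_youtube; block_facebook; }

# Run as root: "sh gateway-policy.sh apply"; preview with DRY_RUN=1 first.
if [ "${1:-}" = "apply" ]; then apply_policy; fi
```

Re-running the script is safe because the root qdisc is replaced each time; the iptables rules, however, are appended, so flush the FORWARD chains before reapplying.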
A little bit more information would be helpful, like: are there multiple locations? Are they VPN'd? WAN'd? If each location has a separate public access, then there's really no way around accomplishing anything that doesn't require going to each site.
But, if you have some extra Windows Server boxes (a Linux box would also work if you're so inclined), you can always set up a RAS as your gateway and do some throttling that way. I think it even plays into group policy. As for content filtering, you can always use a proxy (either set up through your router or individual machines) that is set up to block inappropriate/non-work related sites. There are free and paid sites, but you usually get what you pay for. Let us know a little more about your setup. ;)
We have been assessing the PacketLogic device from Procera Networks and it's been going very well.
With an expanding company like yours, it sounds like a proper proxy / content filtering system is the best long-term solution. The capex can look high, but the cost of ownership is very low for a good solution; the IT team has better things to do than read logs and be the Internet police.
I'm a big fan of BlueCoat proxy servers; they include the services you require and more. You can have bandwidth limits based on the content class. For example, we limit online video streaming web sites to 2Mbps to avoid contention during sporting events. Another example is blocking all social networking websites: the BlueCoat proxy appliance downloads web-site category definitions nightly to have up-to-date rules, and the day-to-day maintenance required by the IT team is minimal.