Right now we have about a 25-30 PC network, connected to the internet with a run-of-the-mill SonicWall Firewall/Router device. There isn't much filtering / blocking other than outgoing SMTP (for viruses etc.). I recall reading that at some point a network/company reaches critical mass and needs to send things through a web proxy/gateway... but not why!
My guess is maybe for content filtering (don't visit porn sites, etc.) and/or virus stuff (so they don't download virus infected files), but do we need a dedicated device for that? Why won't things like Cisco ASAs do the job? What other reasons would we have for doing that? How might I determine if/when we need to move to a web proxy?
Currently we have no plans of monitoring/limiting web access and each desktop has antivirus installed.
An outbound proxy server can provide more than one benefit to your network:
The answer to the question "when do we need to move to a web proxy" is generally answered by "when you need one of the above functions".
You need Content Caching when you're sending "a lot" of traffic through your internet connection. Perhaps the connection is slow, or perhaps you're getting overage charges that you'd like to avoid.
As for the other functions, you need a proxy when you want to perform that function. There are generally other ways to accomplish those functions as well, yes, but a proxy is usually the "easiest".
Myself, I installed a Web Proxy to provide a local cache. We had a setup with about 40 users. I used a dedicated Linux Server with a Squid proxy on it so I cannot talk of the Barracuda web filter. I set up our gateway to enable transparent proxying so nobody would see the difference. With time, some limited filtering was added (some known bad sites) and I moved our DNS forwarding to OpenDNS to reduce the risk of people ending up on phishing sites. As for you, we never looked at limiting people's access to the internet.
The benefits I got from adding a local cache were:
My understanding is that the basic Barracuda Web Filter is really there to prevent people from surfing inappropriate content or using IM. The larger versions seem to include caching. From my experience I would not set up a web filter without caching because I would feel I do not get any kind of return on investment by just filtering people's connections.
I've heard similar a number of times and in my experience it doesn't work. Education of users is the way.
Included in my duties is maintaining an office network of ~50 computers and we don't have a proxy solution in place. What I do though is to immediately firewall someone off if they are causing problems. Then go and talk to them and explain why I have done it.
This might seem a little harsh but it works wonders, they soon realize what they can and can't do and generally users don't do the same thing twice.
Note that I probably have 1 incident a month where I have to firewall someone off and they will generally be allowed back on as soon as I have finished speaking to them.
At my current job we use a filter as a result of people watching streaming video on and off their lunch breaks. We have a rotating lunch schedule, so as group1 is off for lunch, group2 is still working. This was killing our bandwidth to the outside world; as a result, we purchased a Barracuda Web Filter. It works just fine; our need was to open up expensive bandwidth.
It also helped clean up some spyware/general internet crap throughout our network, which was a nice bonus.
Perhaps the document you were reading was talking about a web-cache instead of just a proxy/gateway? A cache is a proxy that stores frequently visited pages and delivers them to your clients instead of making a request across your WAN link every time someone on your network requests something.
On one network with ~100 users, I tend to see that about 25-30% of the requests are served from the cache. Of course, this only amounts to about an 8-12% savings in bandwidth, because stuff that is frequently re-used tends to be smaller files.
If you have limited bandwidth, caching does help speed things up a bit.
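The gap between requests served from cache and bandwidth actually saved, described in the answer above, can be measured from a proxy's own logs. The following is an added example, not part of the original answer: it assumes Squid's native `access.log` format, the log lines are constructed sample data, and the function names are illustrative.

```python
# Added example: request hit ratio vs. byte hit ratio from a Squid access.log.
# SAMPLE_LOG is constructed data in Squid's native log format:
#   time elapsed client result/status bytes method URL ident hierarchy type
SAMPLE_LOG = """\
1700000001.101      3 192.168.1.21 TCP_MEM_HIT/200 1840 GET http://static.example/logo.png - HIER_NONE/- image/png
1700000002.250    412 192.168.1.21 TCP_MISS/200 48210 GET http://news.example/index.html - HIER_DIRECT/203.0.113.10 text/html
1700000003.007      5 192.168.1.34 TCP_HIT/200 2300 GET http://static.example/site.css - HIER_NONE/- text/css
1700000004.880   9031 192.168.1.34 TCP_MISS/200 512000 GET http://video.example/clip.mp4 - HIER_DIRECT/203.0.113.20 video/mp4
1700000005.412  60210 192.168.1.40 TCP_TUNNEL/200 230500 CONNECT mail.example:443 - HIER_DIRECT/203.0.113.30 -
1700000006.300     48 192.168.1.21 TCP_REFRESH_UNMODIFIED/200 960 GET http://static.example/app.js - HIER_DIRECT/203.0.113.10 application/javascript
1700000007.120    733 192.168.1.52 TCP_MISS/200 75400 GET http://docs.example/manual.pdf - HIER_DIRECT/203.0.113.40 application/pdf
1700000008.555   1890 192.168.1.52 TCP_MISS/200 120000 GET http://files.example/update.bin - HIER_DIRECT/203.0.113.50 application/octet-stream
1700000009.000 truncated
1700000010.640    150 192.168.1.40 TCP_MISS/200 8790 GET http://news.example/feed.xml - HIER_DIRECT/203.0.113.10 text/xml
"""


def is_cache_hit(result_code):
    """True when Squid answered from its cache (including revalidated objects)."""
    return "HIT" in result_code or result_code == "TCP_REFRESH_UNMODIFIED"


def cache_ratios(log_text):
    """Return request and byte hit ratios; unparsable lines are counted, not fatal."""
    stats = {"requests": 0, "hits": 0, "total_bytes": 0, "hit_bytes": 0, "skipped": 0}
    for line in log_text.splitlines():
        fields = line.split()
        if not fields:
            continue
        if len(fields) < 7 or not fields[4].isdigit():
            stats["skipped"] += 1  # truncated or corrupt entry
            continue
        result_code = fields[3].split("/")[0]  # e.g. "TCP_MISS" from "TCP_MISS/200"
        size = int(fields[4])                  # bytes delivered to the client
        stats["requests"] += 1
        stats["total_bytes"] += size
        if is_cache_hit(result_code):
            stats["hits"] += 1
            stats["hit_bytes"] += size
    stats["request_hit_ratio"] = stats["hits"] / stats["requests"] if stats["requests"] else 0.0
    stats["byte_hit_ratio"] = stats["hit_bytes"] / stats["total_bytes"] if stats["total_bytes"] else 0.0
    return stats


if __name__ == "__main__":
    s = cache_ratios(SAMPLE_LOG)
    print(f"requests from cache: {s['request_hit_ratio']:.1%}")
    print(f"bytes from cache:    {s['byte_hit_ratio']:.1%}")
```

`CONNECT` tunnels (HTTPS) are counted in the totals but can never be hits, so a network with mostly encrypted traffic will show a lower byte hit ratio than the figures quoted above.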
When a company reaches a certain size, your legal department will force you to start censoring web access due to sexual harassment risks. A proxy makes this easier to implement.
Basically anything that a woman wants it to be is sexual harassment in the US. With the custom of laying out offices so that everyone can see everyone else's monitor, this creates a huge risk.
Just because there's obviously nothing wrong with it or no way a reasonable person could be offended doesn't mean it isn't sexual harassment.
How large a company depends on the industry, where in the world you are, and how many women are working there. Usually a company can withstand one incident before a crackdown. The company's role is to show that they're doing something about it, it doesn't matter that it is impossible to prevent.
I would set up a proxy from day one, this way you can restrict non-IT people more heavily than IT people, and make it less likely that the company will force something extremely restrictive on everyone.
And you NEED the logging if you're running a serious business.