If you were trying to monitor your employees...
whatthehell
Member Posts: 920
in Off-Topic
Hi All,
If you were trying to monitor your employee's internet traffic, what would you use?
Hardware? Software?
What in particular and why?
What do you think would be weaknesses in monitoring or possibly filtering the traffic too?
As always, thanks for any and all replies and good luck!
2017 Goals:
[ ] Security + [ ] 74-409 [ ] CEH
Future Goals:
TBD
Comments
tiersten Member Posts: 4,505
Is this a homework assignment?
Any software proxy will do what you want. Install a proxy to handle each protocol that you want your users to be able to use e.g. HTTP and SMTP. Block all other traffic at the firewall.
Weaknesses would be users circumventing it by bouncing off another proxy out on the internet. SSL encrypted connections etc...
oo_snoopy Member Posts: 124
Well if you really didn't care and just wanted to check up on them most firewalls will tell you what pages are being viewed, or you can just mirror all of the internet traffic headers to a linux box and run tcpdump. Then Perl scrub that and get a list of IPs and websites.
The downside is that VPN's and proxies will skirt this, but isn't that just as bad as going to a website you shouldn't have been?
But if you really wanted to stop that, you could install an IPS and lock down all unauthorized proxies and secure forms of communications.
I used to run the internet.
coffeeking Member Posts: 305
BlueCoat/Websense....expensive ones but work great...very granular.
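The "mirror the headers to a Linux box, run tcpdump, then scrub it into a list of IPs and websites" step described above, as an added example that is not part of the original post. Python stands in for the poster's Perl. The sample capture text is constructed here to look like `tcpdump -nn -A` output from a mirror port; the regexes, function names and hostnames are assumptions for the example.

```python
import re
from collections import defaultdict

# Matches the packet header line that tcpdump -nn prints, e.g.
#   10:15:01.000001 IP 10.0.0.5.51234 > 93.184.216.34.80: Flags [P.], ...
HDR = re.compile(
    r"^\d{2}:\d{2}:\d{2}\.\d+ IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+):"
)
# HTTP Host header as it appears in the ASCII payload dump (tcpdump -A)
HOST = re.compile(r"^Host:\s*(\S+)", re.IGNORECASE)

# Constructed sample of tcpdump -nn -A output from a mirror port (not real capture data).
SAMPLE = """\
10:15:01.000001 IP 10.0.0.5.51234 > 93.184.216.34.80: Flags [P.], seq 1:80, ack 1, win 502, length 79
GET / HTTP/1.1
Host: example.com
User-Agent: curl/7.64.1

10:15:02.000001 IP 10.0.0.5.51235 > 203.0.113.10.80: Flags [P.], seq 1:60, ack 1, win 502, length 59
GET /index.html HTTP/1.1
Host: intranet.corp.example

10:15:03.000001 IP 10.0.0.7.40000 > 198.51.100.20.443: Flags [S], seq 0, win 64240, length 0
10:15:04.000001 IP 10.0.0.5.51236 > 93.184.216.34.80: Flags [P.], seq 1:80, ack 1, win 502, length 79
GET /about HTTP/1.1
Host: example.com
"""


def scrub(text):
    """Return {client_ip: {(dst_ip, dst_port): set(hostnames)}} from tcpdump text."""
    visits = defaultdict(lambda: defaultdict(set))
    current = None  # (src, dst, dport) of the packet whose payload we are reading
    for line in text.splitlines():
        m = HDR.match(line)
        if m:
            src, _sport, dst, dport = m.groups()
            current = (src, dst, int(dport))
            # Record the destination even when no Host header follows (TLS, SYN-only flows).
            _ = visits[src][(dst, int(dport))]
            continue
        if current is None:
            continue
        h = HOST.match(line)
        if h:
            src, dst, dport = current
            visits[src][(dst, dport)].add(h.group(1).lower())
    return visits


def report(visits):
    """Flatten to sorted rows: (client, dst_ip, dst_port, 'host1,host2' or '-')."""
    rows = []
    for src in sorted(visits):
        for (dst, port), names in sorted(visits[src].items()):
            rows.append((src, dst, port, ",".join(sorted(names)) or "-"))
    return rows


if __name__ == "__main__":
    for row in report(scrub(SAMPLE)):
        print("%-10s -> %-15s :%-4d %s" % row)
```

The "-" in the last column is the gap the poster mentions in the next sentence: for the TLS flow to port 443 the capture yields only an IP address, because the hostname is inside the encrypted payload.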
whatthehell Member Posts: 920
Thanks for responses.
No, no homework assignment and not trying to be shady.
Just at current job, heard rumors that they have implemented some granular network monitoring and/or filtering, and trying to figure out what they might have in place. I figure, they most likely will do their research and go with the industry standard, which sounds like Websense I guess?
Either way, thanks for the posts!
2017 Goals:
[ ] Security + [ ] 74-409 [ ] CEH
Future Goals:
TBD
evanderburg Member Posts: 229
We use the Barracuda web filter. It sits in between the firewall/IDS and the core switches. You can run it in audit only mode or blocking mode.
"You can never know everything and part of what you know is always wrong. Perhaps even the most important part. A portion of wisdom lies in knowing that. A portion of courage lies in going on anyway." - Lan, Winter's Heart by Robert Jordan
malcybood Member Posts: 900
There are also software as a service (SaaS) managed services companies which do this all for you these days. Much like outsourcing your LAN/WAN management.
You would have a proxy redirector / cache such as squid in your HQ site that redirects all internet requests to "the cloud". The IE browser options would be set to point to the proxy redirector first, which forwards to the web security SaaS company's cloud for content/virus scanning. It can also be used to virus / content scan external email.
Two companies that do this are messagelabs and scansafe but I'm sure you could find some more with a little googling. There are some limitations I suppose, like outsourcing anything, but this is an area I'd expect to see grow rapidly. You can get pretty granular reports through a customer portal as part of the service also and I think you can use LDAP with it to link it to your corp directory structure.
HeroPsycho Inactive Imported Users Posts: 1,940
tiersten wrote: »Weaknesses would be users circumventing it by bouncing off another proxy out on the internet. SSL encrypted connections etc...
Microsoft's ISA Server with ClearTunnel could thwart that actually.
Collective Software | ClearTunnel
Good luck to all!
rwwest7 Member Posts: 300
whatthehell wrote: »Thanks for responses.
No, no homework assignment and not trying to be shady.
Just at current job, heard rumors that they have implemented some granular network monitoring and/or filtering, and trying to figure out what they might have in place. I figure, they most likely will do their research and go with the industry standard, which sounds like Websense I guess?
Either way, thanks for the posts!
WanBoy67 Member Posts: 225
No sorry, humans are too random. I want robots with web-updatable BIOSes for my employees. My firewall will have 1 rule...
Yes we can, yes we can...
tiersten Member Posts: 4,505
HeroPsycho wrote: »Microsoft's ISA Server with ClearTunnel could thwart that actually.
Collective Software | ClearTunnel
Neat. I always wondered if anybody would make something that'd reencrypt. I wouldn't use SSL anywhere that used that software tho
HeroPsycho Inactive Imported Users Posts: 1,940
tiersten wrote: »Neat. I always wondered if anybody would make something that'd reencrypt. I wouldn't use SSL anywhere that used that software tho
Smart man!
But in all honesty, that is the problem now. People are using SSL encrypted tunnels to bypass filtering that is essential to business security. If you have an AV web filter, how is the web filter supposed to filter the malware out of an SSL encrypted connection unless the SSL traffic is decrypted?
I understand the privacy concerns, but businesses are going to have to increasingly do this for their own protection.
Good luck to all!
tiersten Member Posts: 4,505
HeroPsycho wrote: »But in all honesty, that is the problem now. People are using SSL encrypted tunnels to bypass filtering that is essential to business security. If you have an AV web filter, how is the web filter supposed to filter the malware out of an SSL encrypted connection unless the SSL traffic is decrypted?
I understand the privacy concerns, but businesses are going to have to increasingly do this for their own protection.
I've seen people try to use SSH to tunnel out via the SSL port number. They'd have a server somewhere that would be listening on port 443.
Forsaken_GA Member Posts: 4,024
tiersten wrote: »I've seen people try to use SSH to tunnel out via the SSL port number. They'd have a server somewhere that would be listening on port 443.
Which is child's play. I can also get away with this for mail protocol secure ports. This is actually how I defeat the vast majority of filtering I've ever run into, I simply forward all my traffic over SSH. This is also why I'm not afraid to use public wireless networks.
Sadly, I've yet to meet a network admin that can prevent me from bypassing their security measures short of locking down all access to the outside world except port 80, and making absolutely sure that all packets going through port 80 are indeed http
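The check the two posts above converge on, "make absolutely sure that what goes through port 80 is indeed HTTP" and, by the same logic, that what goes through 443 is TLS rather than an SSH banner, written as an added example that is not part of the original thread. It classifies a flow from the first bytes the client sends and reports flows whose protocol does not match the port's policy. The flow records are constructed sample data, and `EXPECTED`, `identify` and `mismatches` are names assumed for this example.

```python
HTTP_METHODS = {b"GET", b"POST", b"HEAD", b"PUT", b"DELETE", b"OPTIONS", b"CONNECT", b"PATCH"}

# Application protocol the policy expects on each permitted outbound port (assumed policy).
EXPECTED = {80: {"http"}, 443: {"tls"}, 22: {"ssh"}}


def identify(payload: bytes) -> str:
    """Classify a flow by the first bytes the client sends."""
    if payload.startswith(b"SSH-"):
        return "ssh"  # SSH version banner (RFC 4253) is sent in the clear
    if len(payload) >= 3 and payload[0] == 0x16 and payload[1] == 0x03 and payload[2] <= 0x04:
        return "tls"  # TLS record header: content type handshake, protocol version 3.x
    if payload.split(b" ", 1)[0] in HTTP_METHODS:
        return "http"
    return "unknown"


def mismatches(flows):
    """Return (src, dst, dport, observed_proto) for flows not matching the port's expected protocol."""
    out = []
    for f in flows:
        proto = identify(f["payload"])
        allowed = EXPECTED.get(f["dport"])
        if allowed is not None and proto not in allowed:
            out.append((f["src"], f["dst"], f["dport"], proto))
    return out


# Constructed flow records (first client payload bytes only); not real captures.
FLOWS = [
    {"src": "10.0.0.5", "dst": "93.184.216.34", "dport": 443,
     "payload": b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03"},  # TLS ClientHello start
    {"src": "10.0.0.5", "dst": "203.0.113.10", "dport": 80,
     "payload": b"GET / HTTP/1.1\r\nHost: intranet.corp.example\r\n"},
    {"src": "10.0.0.9", "dst": "198.51.100.20", "dport": 443,
     "payload": b"SSH-2.0-OpenSSH_8.9\r\n"},  # SSH banner on the HTTPS port
    {"src": "10.0.0.9", "dst": "198.51.100.21", "dport": 80,
     "payload": b"\x00\x00\x00\x1c\x0a\x14\x01\x02"},  # binary, not HTTP, on port 80
]

if __name__ == "__main__":
    for src, dst, dport, proto in mismatches(FLOWS):
        print(f"{src} -> {dst}:{dport} carries {proto}, not the expected protocol")
```

This only catches a bare SSH banner on 443. An SSH session wrapped inside real TLS looks like any other HTTPS connection to this check, which is exactly why HeroPsycho's earlier post argues that filtering has to decrypt the SSL traffic to see what is inside.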
tiersten Member Posts: 4,505
Forsaken_GA wrote: »Sadly, I've yet to meet a network admin that can prevent me from bypassing their security measures short of locking down all access to the outside world except port 80, and making absolutely sure that all packets going through port 80 are indeed http
We lock down everything on the workstations as well so actually installing any software to bypass the network protection is going to be harder. We don't allow non company equipment to connect to the network either.
Forsaken_GA Member Posts: 4,024
tiersten wrote: »We lock down everything on the workstations as well so actually installing any software to bypass the network protection is going to be harder. We don't allow non company equipment to connect to the network either.
I can usually get around that as well. Most every job I've worked for that I've been forced to run a Windows workstation at doesn't bother to lock down their CMOS. So I can boot off a CD. It's a simple task to boot a disk that will let me change the local Administrator password so that I can install whatever software I want, or I can simply boot a live CD and run what I want.
I've also seen folks get around the non-company equipment policies by simply using a commercial grade linksys router to spoof their desktop's MAC address, and then they plug their laptop and desktop into that. In each of these cases the only real defense is the vigilance of other humans who notice that someone's not doing what they're supposed to be doing. Users are crafty bastards, and where there's a will, there's a way.
Fortunately, I currently work in an environment where management understands we're a bunch of smart folks and that these kinds of safeguards would be counter-productive, in addition to futile (the futile part is mainly in that we have to use SSH to get our jobs done, so it can't be limited in any way, which pretty much means any security measures are out the window from the word go). They let us run whatever OS we want on our boxes, and don't really care if we hook our own gear up. They also let it be known that jobs are at risk if the work isn't getting done, and any abuse of company resources will not be tolerated. Other than the reception of a few DMCA letters because someone was being a little too blatant in their torrenting, it's worked out pretty well.
However, I think the *only* reason that works well is because we're a pretty small company in terms of employees, so we all know each other. When someone does something to cause issues, it gets noticed, and they know they better fess up, or someone's going to toss them under the bus.
jibbajabba Member Posts: 4,317
We use "Common Sense"
My own knowledge base made public: http://open902.com
tiersten Member Posts: 4,505
Forsaken_GA wrote: »I can usually get around that as well. Most every job I've worked for that I've been forced to run a Windows workstation at doesn't bother to lock down their CMOS. So I can boot off a CD.
Forsaken_GA wrote: »I've also seen folks get around the non-company equipment policies by simply using a commercial grade linksys router to spoof their desktop's MAC address, and then they plug their laptop and desktop into that.
Forsaken_GA wrote: »Fortunately, I currently work in an environment where management understands we're a bunch of smart folks and that these kinds of safeguards would be counter-productive, in addition to futile (the futile part is mainly in that we have to use SSH to get our jobs done, so it can't be limited in any way, which pretty much means any security measures are out the window from the word go).
As we process/store financial data and there is an online banking facility, we have very specific security guidelines we have to follow and get regular audits.
Forsaken_GA wrote: »They let us run whatever OS we want on our boxes, and don't really care if we hook our own gear up.
Forsaken_GA Member Posts: 4,024
tiersten wrote: »I work in a bank and there is a very small list of allowable applications that the users are allowed to run and access. Most users don't even have access to the general internet but only a limited subset of essential work sites.
That's the difference right there, you work in an environment where protection of data is essential, not just for good business reasons, but for good legal reasons as well. I've never worked in such an environment, so never had to deal with folks who are motivated to make sure I'm playing by the rules. I'd also like to think that I'd have the good sense to not even try, since I'd know that getting caught would be instant termination. Might as well just quit instead.
Forsaken_GA Member Posts: 4,024
tiersten wrote: »As we process/store financial data and there is an online banking facility, we have very specific security guidelines we have to follow and get regular audits.
Ah, PCI compliance. Yeah, I know exactly what you guys have to go through, one of our colo clients recently had to go through compliance certification, so we had to make a few changes in our datacenter procedure in order to accommodate them.
gojericho0 Member Posts: 1,059
Anybody here use Websense's content gateway to deal with encryption tunnels to bypass proxies and for dealing with web 2.0 content?
gojericho0 Member Posts: 1,059
tiersten wrote: »We've got 802.1x and Cisco NAC running. If we caught anybody tampering with the network or computers they'd be dismissed on the spot and promptly escorted out of the building.
Tiersten,
It's been a little while, but at my old organization we used the NAC appliance as opposed to the framework which I assume you are running with .1x.
With the appliance, automatic remediation (which was one of the big selling points) and reporting was pretty terrible. The other problem I had with it is the only way to stop the appliance from shutting down the switchport for a device like a printer that couldn't conform with your policy was to exempt it by MAC address, which of course could easily be spoofed.
tiersten Member Posts: 4,505
gojericho0 wrote: »Tiersten,
It's been a little while, but at my old organization we used the NAC appliance as opposed to the framework which I assume you are running with .1x.
With the appliance, automatic remediation (which was one of the big selling points) and reporting was pretty terrible. The other problem I had with it is the only way to stop the appliance from shutting down the switchport for a device like a printer that couldn't conform with your policy was to exempt it by MAC address, which of course could easily be spoofed.
We had to whitelist the MAC addresses of printers. All the network printers are in public areas however with a large amount of foot traffic so if anybody was messing with the printers they'd be discovered pretty quickly. Nobody actually prints directly to a network printer however so we did put them on another VLAN.
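The weak spot both posters describe is a NAC MAC-address exemption that anything can borrow. Besides the physical-visibility and separate-VLAN compensations tiersten mentions, a defender can cross-check the exempted MACs against what the network actually sees them doing. The following is an added example, not code from the thread or from Cisco NAC: it takes a constructed whitelist (the switch port each printer should live on and the DHCP vendor class string it normally sends) and constructed observations of the kind a switch MAC table and DHCP snooping log would provide, and flags an exempted MAC that shows up on the wrong port, sends a workstation-style DHCP vendor class, or appears on two ports at once. `WHITELIST`, `OBSERVED`, the port names and the vendor class strings are sample values assumed for the example.

```python
from collections import defaultdict

# Constructed whitelist: printers exempted from NAC by MAC address, with the switch
# port they are supposed to be on and the DHCP vendor class they normally send.
WHITELIST = {
    "00:1e:0b:aa:bb:01": {"port": "sw1 Gi1/0/12", "vendor_class": "Hewlett-Packard JetDirect"},
    "00:1e:0b:aa:bb:02": {"port": "sw1 Gi1/0/13", "vendor_class": "Hewlett-Packard JetDirect"},
}

# Constructed observations, e.g. joined from the switch MAC table and DHCP snooping logs.
# The third record is an exempted printer MAC that has moved ports and now sends a
# Windows DHCP vendor class ("MSFT 5.0"); the fourth is an ordinary workstation.
OBSERVED = [
    {"mac": "00:1e:0b:aa:bb:01", "port": "sw1 Gi1/0/12", "vendor_class": "Hewlett-Packard JetDirect"},
    {"mac": "00:1e:0b:aa:bb:02", "port": "sw1 Gi1/0/13", "vendor_class": "Hewlett-Packard JetDirect"},
    {"mac": "00:1e:0b:aa:bb:02", "port": "sw2 Gi1/0/7", "vendor_class": "MSFT 5.0"},
    {"mac": "00:50:56:12:34:56", "port": "sw2 Gi1/0/8", "vendor_class": "MSFT 5.0"},
]


def audit(whitelist, observed):
    """Return (mac, finding, detail) for whitelisted MACs that behave unlike the device they exempt."""
    findings = []
    ports_seen = defaultdict(set)
    for rec in observed:
        mac = rec["mac"].lower()
        expected = whitelist.get(mac)
        if expected is None:
            continue  # not exempted; NAC evaluates it normally
        ports_seen[mac].add(rec["port"])
        if rec["port"] != expected["port"]:
            findings.append((mac, "unexpected-port", rec["port"]))
        if rec["vendor_class"] != expected["vendor_class"]:
            findings.append((mac, "vendor-class-mismatch", rec["vendor_class"]))
    # An exempted MAC live on two ports means two devices are claiming the same address.
    for mac, ports in ports_seen.items():
        if len(ports) > 1:
            findings.append((mac, "multiple-ports", ",".join(sorted(ports))))
    return findings


if __name__ == "__main__":
    for mac, finding, detail in audit(WHITELIST, OBSERVED):
        print(f"{mac}: {finding} ({detail})")
```

The check is only as good as the inventory behind it, so the whitelist has to carry the expected port and fingerprint, not just the address; a bare MAC list gives this audit nothing to compare against.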
gojericho0 Member Posts: 1,059
That's basically what we had to do as well. Cisco did buy something called NAC profiler that was supposed to ease some of the deployment but felt we wouldn't get too much bang for our buck.
As far as the compliance goes, I think a lot of the companies that were supposed to work with Cisco decided they'd be better off making their own solutions.
Do you use CSA as well? That I feel is my favorite security application Cisco has ever bought/produced due to the granularity to secure just about everything from network to application and the fact it is all behavioral based and doesn't run on signatures.
JosefinaS Member Posts: 1
We are running Mac OS in the office, so we have ActyMac DutyWatch installed. It takes screenshots, records every keystroke, stores internet and application usage history and so on. I'm satisfied with the results - I think it has to be done, because not everyone understands that at work you should work.
HeroPsycho Inactive Imported Users Posts: 1,940
gojericho0 wrote: »Do you use CSA as well? That I feel is my favorite security application Cisco has ever bought/produced due to the granularity to secure just about everything from network to application and the fact it is all behavioral based and doesn't run on signatures.
I tried deploying CSA 3 times with a slew of Cisco and Northrop Grumman engineers hell bent on selling it to my employer at the time. Either memory leaked or denied what should have been allowed every time.
Hopefully it has improved since then (that was 4 years ago).
Good luck to all!
UnixGeek Member Posts: 151
I run Untangle on a VM, and tunnel Internet traffic through it, so the topology is:
Client -> Untangle VM -> pfSense VM -> ISP's router
pfSense performs all of the essentials (firewall, NAT & VPN), so this way Untangle is configured as a transparent bridge that can be bypassed with a few clicks if any problems come up.
NinjaBoy Member Posts: 968
We use Microsoft ISA & the Sophos WS1000 web appliance (Sophos Web Security).
-Ken
gojericho0 Member Posts: 1,059
HeroPsycho wrote: »I tried deploying CSA 3 times with a slew of Cisco and Northrop Grumman engineers hell bent on selling it to my employer at the time. Either memory leaked or denied what should have been allowed every time.
Hopefully it has improved since then (that was 4 years ago).
We really had no major issues with it concerning bugs. We just had to make sure it was in test mode for about 3 months to get a good baseline of what type of behavior was legit in our environment.