
If you were trying to monitor your employees...

whatthehell Member Posts: 920
Hi All,

If you were trying to monitor your employees' internet traffic, what would you use?
Hardware? Software?
What in particular and why?
What do you think would be weaknesses in monitoring or possibly filtering the traffic too?

As always, thanks for any and all replies and good luck!
2017 Goals:
[ ] Security + [ ] 74-409 [ ] CEH
Future Goals:
TBD

Comments

    tiersten Member Posts: 4,505
    Is this a homework assignment?

    Any software proxy will do what you want. Install a proxy to handle each protocol that you want your users to be able to use e.g. HTTP and SMTP. Block all other traffic at the firewall.

    Weaknesses would be users circumventing it by bouncing off another proxy out on the internet. SSL encrypted connections etc...
    Bert McGert Member Posts: 122
    Ya, reads a little suspect :)

    oo_snoopy Member Posts: 124
    Well, if you really didn't care and just wanted to check up on them, most firewalls will tell you what pages are being viewed, or you can just mirror all of the internet traffic headers to a Linux box and run TCP ****. Then Perl scrub that and get a list of IPs and websites.

    The downside is that VPNs and proxies will skirt this, but isn't that just as bad as going to a website you shouldn't have been?


    But if you really wanted to stop that, you could install an IPS and lock down all unauthorized proxies and secure forms of communications.
    I used to run the internet.
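The capture-and-scrub step described above, as an added example that is not code from the thread: in Python rather than Perl, it takes the first client payload bytes of each mirrored flow (what you would carve out of a tcpdump capture on the span port) and returns the website name. The flow records, IP addresses and hostnames below are constructed for the demo. It also shows the caveat the thread raises later about SSL: for HTTPS the content is encrypted, but the ClientHello still carries the site name in the SNI extension, so the list of websites survives without any decryption; a raw SSH tunnel on port 443 yields nothing.

```python
"""Pull the destination website out of mirrored traffic without decrypting it.

Added example, not from the thread. Input is the first client->server payload
of a flow; output is the HTTP Host header (plain HTTP) or the TLS SNI (HTTPS).
"""
import struct


def http_host(payload: bytes):
    """Return the Host header of an HTTP/1.x request, or None if this isn't one."""
    head = payload.partition(b"\r\n\r\n")[0]
    lines = head.split(b"\r\n")
    request_line = lines[0].split(b" ")
    if len(request_line) != 3 or not request_line[2].startswith(b"HTTP/1."):
        return None
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"host":
            return value.strip().decode("ascii", "replace")
    return None


def tls_sni(payload: bytes):
    """Return the server_name from a TLS ClientHello, or None.

    Layout: 5-byte record header, 4-byte handshake header, 2-byte version,
    32-byte random, session id, cipher suites, compression methods, then the
    extensions. SNI is extension type 0 (RFC 6066) and is sent in the clear.
    """
    if len(payload) < 9 or payload[0] != 0x16 or payload[5] != 0x01:
        return None  # not a handshake record, or not a ClientHello
    body = payload[9:9 + int.from_bytes(payload[6:9], "big")]
    try:
        pos = 2 + 32                                        # version + random
        pos += 1 + body[pos]                                # session id
        pos += 2 + struct.unpack_from("!H", body, pos)[0]   # cipher suites
        pos += 1 + body[pos]                                # compression methods
        if pos + 2 > len(body):
            return None                                     # no extensions
        ext_end = pos + 2 + struct.unpack_from("!H", body, pos)[0]
        pos += 2
        while pos + 4 <= ext_end:
            etype, elen = struct.unpack_from("!HH", body, pos)
            pos += 4
            if etype == 0:                                  # server_name
                q = pos + 2                                 # skip list length
                while q + 3 <= pos + elen:
                    ntype = body[q]
                    nlen = struct.unpack_from("!H", body, q + 1)[0]
                    if ntype == 0:                          # host_name entry
                        return body[q + 3:q + 3 + nlen].decode("ascii", "replace")
                    q += 3 + nlen
            pos += elen
    except (IndexError, struct.error):
        return None                                         # truncated/garbled
    return None


def destination_host(payload: bytes):
    """Best-effort website name for one flow, or None if neither HTTP nor TLS."""
    return http_host(payload) or tls_sni(payload)


def build_client_hello(server_name: str) -> bytes:
    """Constructed minimal ClientHello carrying an SNI extension (sample input only)."""
    name = server_name.encode()
    sni_entry = b"\x00" + struct.pack("!H", len(name)) + name
    sni_ext = (struct.pack("!HH", 0, len(sni_entry) + 2)
               + struct.pack("!H", len(sni_entry)) + sni_entry)
    body = (b"\x03\x03" + b"\x00" * 32          # version + random (zeros for the demo)
            + b"\x00"                            # empty session id
            + struct.pack("!H", 2) + b"\x13\x01" # one cipher suite
            + b"\x01\x00"                        # one compression method: null
            + struct.pack("!H", len(sni_ext)) + sni_ext)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


# Constructed sample flows: "src -> dst:port" mapped to the first client payload.
SAMPLE_FLOWS = {
    "10.0.0.5 -> 192.0.2.10:80": b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: demo\r\n\r\n",
    "10.0.0.5 -> 192.0.2.10:443": build_client_hello("www.example.com"),
    "10.0.0.7 -> 203.0.113.9:443": b"SSH-2.0-OpenSSH_8.9\r\n",   # SSH listening on 443
}


def report(flows=SAMPLE_FLOWS):
    """Map each flow to the website it went to (None when nothing is visible)."""
    return {flow: destination_host(payload) for flow, payload in flows.items()}


if __name__ == "__main__":
    for flow, host in report().items():
        print(flow, "->", host or "(no hostname: not HTTP/TLS, or tunnelled)")
```

Feed it the TCP payload of the first client packet of each flow from whatever pcap reader you use; everything after that packet is either already accounted for (HTTP) or ciphertext (TLS). The SSH flow on 443 is the "bouncing off another proxy" case from earlier in the thread: the website list shows a blank, which is itself the thing to go and look at.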
    coffeeking Member Posts: 305
    BlueCoat/Websense... expensive ones but work great... very granular.
    whatthehell Member Posts: 920
    Thanks for responses.

    No no homework assignment and not trying to be shady :)

    Just at current job, heard rumors that they have implemented some granular network monitoring and/or filtering, and trying to figure out what they might have in place. I figure, they most likely will do their research and go with the industry standard, which sounds like Websense I guess?

    Either way, thanks for the posts!
    evanderburg Member Posts: 229
    We use the Barracuda web filter. It sits in between the firewall/IDS and the core switches. You can run it in audit only mode or blocking mode.
    "You can never know everything and part of what you know is always wrong. Perhaps even the most important part. A portion of wisdom lies in knowing that. A portion of courage lies in going on anyway. " - Lan, Winter's Heart by Robert Jordan
    malcybood Member Posts: 900
    There are also software as a service (SaaS) managed services companies which do this all for you these days. Much like outsourcing your LAN/WAN management.

    You would have a proxy redirector / cache such as squid in your hq site that redirects all internet requests to "the cloud". The IE browser options would be set to point to the proxy redirector first which forwards to the web security saas company cloud for content/virus scanning. It can also be used to virus / content scan external email.

    Two companies that do this are MessageLabs and ScanSafe, but I'm sure you could find some more with a little Googling. There are some limitations I suppose, like outsourcing anything, but this is an area I'd expect to see grow rapidly. You can get pretty granular reports through a customer portal as part of the service also, and I think you can use LDAP with it to link it to your corp directory structure.
    HeroPsycho Inactive Imported Users Posts: 1,940
    tiersten wrote: »
    Weaknesses would be users circumventing it by bouncing off another proxy out on the internet. SSL encrypted connections etc...

    Microsoft's ISA Server with ClearTunnel could thwart that actually.

    Collective Software | ClearTunnel
    Good luck to all!
    RTmarc Member Posts: 1,082
    We use Cymphonix
    rwwest7 Member Posts: 300
    whatthehell wrote: »
    Thanks for responses.

    No no homework assignment and not trying to be shady :)

    Just at current job, heard rumors that they have implemented some granular network monitoring and/or filtering, and trying to figure out what they might have in place. I figure, they most likely will do their research and go with the industry standard, which sounds like Websense I guess?

    Either way, thanks for the posts!
    So are you trying to find ways around them monitoring you? Sounds shady to me.
    WanBoy67 Member Posts: 225
    No sorry, humans are too random. I want robots with web-updatable BIOSes for my employees. My firewall will have 1 rule...
    Yes we can, yes we can...
    tiersten Member Posts: 4,505
    HeroPsycho wrote: »
    Microsoft's ISA Server with ClearTunnel could thwart that actually.

    Collective Software | ClearTunnel
    Neat. I always wondered if anybody would make something that'd re-encrypt. I wouldn't use SSL anywhere that used that software though :)
    HeroPsycho Inactive Imported Users Posts: 1,940
    tiersten wrote: »
    Neat. I always wondered if anybody would make something that'd re-encrypt. I wouldn't use SSL anywhere that used that software though :)

    Smart man!

    But in all honesty, that is the problem now. People are using SSL encrypted tunnels to bypass filtering that is essential to business security. If you have an AV web filter, how is the web filter supposed to filter the malware out of an SSL encrypted connection unless the SSL traffic is decrypted?

    I understand the privacy concerns, but businesses are going to have to increasingly do this for their own protection.
    Good luck to all!
    tiersten Member Posts: 4,505
    HeroPsycho wrote: »
    But in all honesty, that is the problem now. People are using SSL encrypted tunnels to bypass filtering that is essential to business security. If you have an AV web filter, how is the web filter supposed to filter the malware out of an SSL encrypted connection unless the SSL traffic is decrypted?

    I understand the privacy concerns, but businesses are going to have to increasingly do this for their own protection.
    Yeah. The SSL problem is pretty big at the moment and this is the only viable solution I can think of. I'd just avoid going to sites like online banking whilst at work, that's all :)

    I've seen people try to use SSH to tunnel out via the SSL port number. They'd have a server somewhere that would be listening on port 443.
    Forsaken_GA Member Posts: 4,024
    tiersten wrote: »
    I've seen people try to use SSH to tunnel out via the SSL port number. They'd have a server somewhere that would be listening on port 443.

    Which is child's play. I can also get away with this for mail protocol secure ports. This is actually how I defeat the vast majority of filtering I've ever run into: I simply forward all my traffic over SSH. This is also why I'm not afraid to use public wireless networks.

    Sadly, I've yet to meet a network admin that can prevent me from bypassing their security measures short of locking down all access to the outside world except port 80, and making absolutely sure that all packets going through port 80 are indeed http
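The check described above, "making absolutely sure that all packets going through port 80 are indeed http", as an added example that is not code from the thread (and likewise for 443, where the SSH-on-443 trick from a few posts up lives): it classifies each outbound flow by the first bytes the client sent, the same thing a proxy or IPS looks at before letting the connection through, and flags any port whose traffic isn't the protocol the egress policy opened it for. The egress policy, the flow records and the addresses are constructed for the demo.

```python
"""Flag flows on the ports an egress firewall leaves open whose first bytes are
not the protocol that port is meant to carry (e.g. an SSH server on 443).

Added example, not from the thread. Only the first client->server payload of
each flow is examined, which is enough for the three protocols in play here.
"""
HTTP_METHODS = {b"GET", b"POST", b"HEAD", b"PUT", b"DELETE", b"OPTIONS", b"CONNECT", b"PATCH"}

# Assumed egress policy for the demo: only these ports are open, and only for this protocol.
EXPECTED = {80: "http", 443: "tls"}


def classify(first_bytes: bytes) -> str:
    """Name the application protocol from the first bytes the client sent."""
    if first_bytes.startswith(b"SSH-"):
        return "ssh"            # SSH identification string (RFC 4253), always in the clear
    if (len(first_bytes) >= 6 and first_bytes[0] == 0x16                 # handshake record
            and first_bytes[1:3] in (b"\x03\x00", b"\x03\x01", b"\x03\x02", b"\x03\x03")
            and first_bytes[5] == 0x01):                                  # ClientHello
        return "tls"
    request_line = first_bytes.split(b"\r\n", 1)[0].split(b" ")
    if (len(request_line) == 3 and request_line[0] in HTTP_METHODS
            and request_line[2].startswith(b"HTTP/1.")):
        return "http"
    return "unknown"


def find_mismatches(flows):
    """Return (src, dst, dport, seen_protocol, reason) for each flow violating EXPECTED."""
    alerts = []
    for src, dst, dport, first_bytes in flows:
        seen = classify(first_bytes)
        want = EXPECTED.get(dport)
        if want is None:
            alerts.append((src, dst, dport, seen, "port is not in the egress policy"))
        elif seen != want:
            alerts.append((src, dst, dport, seen, f"expected {want} on port {dport}"))
    return alerts


# Constructed sample flows: (src, dst, dst port, first client payload bytes).
SAMPLE_FLOWS = [
    ("10.0.0.5", "192.0.2.10", 80, b"GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    ("10.0.0.5", "192.0.2.10", 443, b"\x16\x03\x01\x00\xc0\x01\x00\x00\xbc\x03\x03" + b"\x00" * 32),
    ("10.0.0.7", "203.0.113.9", 443, b"SSH-2.0-OpenSSH_8.9\r\n"),          # ssh -p 443 to a personal box
    ("10.0.0.7", "203.0.113.9", 80, b"\x38\x01\x00\x00\x00\x00\x00\x00"),  # not HTTP at all
    ("10.0.0.9", "198.51.100.4", 22, b"SSH-2.0-PuTTY_Release_0.78\r\n"),   # firewall should have dropped it
]


if __name__ == "__main__":
    for alert in find_mismatches(SAMPLE_FLOWS):
        print("ALERT", *alert)
```

What this does not catch is the next move in the same thread: SSH wrapped in a real TLS session (or pushed through the proxy with an HTTP CONNECT), which passes the first-bytes check because the first bytes really are TLS or HTTP. At that point only a decrypting proxy of the ClearTunnel kind, or blocking the destination, gets you further.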
    tiersten Member Posts: 4,505
    Forsaken_GA wrote: »
    Sadly, I've yet to meet a network admin that can prevent me from bypassing their security measures short of locking down all access to the outside world except port 80, and making absolutely sure that all packets going through port 80 are indeed http
    Yeah. ClearTunnel would stop you from using non SSL traffic but you could still tunnel your connection over SSL instead of SSH. If it is a commercial/public service then you'd have to rely on your web filter to block it but that is easily circumvented if you've got your own server out there.

    We lock down everything on the workstations as well so actually installing any software to bypass the network protection is going to be harder. We don't allow non company equipment to connect to the network either.
    Forsaken_GA Member Posts: 4,024
    tiersten wrote: »
    We lock down everything on the workstations as well so actually installing any software to bypass the network protection is going to be harder. We don't allow non company equipment to connect to the network either.

    I can usually get around that as well. Most every job I've worked for that I've been forced to run a Windows workstation at, doesn't bother to lock down their CMOS. So I can boot off a CD. It's a simple task to boot a disk that will let me change the local Administrator password so that I can install whatever software I want, or I can simply boot a live CD and run what I want.

    I've also seen folks get around the non-company equipment policies by simply using a commercial grade Linksys router to spoof their desktop's MAC address, and then they plug their laptop and desktop into that. In each of these cases the only real defense is the vigilance of other humans who notice that someone's not doing what they're supposed to be doing. Users are crafty bastards, and where there's a will, there's a way.

    Fortunately, I currently work in an environment where management understands we're a bunch of smart folks and that these kinds of safeguards would be counter-productive, in addition to futile (the futile part is mainly in that we have to use SSH to get our jobs done, so it can't be limited in any way, which pretty much means any security measures are out the window from the word go). They let us run whatever OS we want on our boxes, and don't really care if we hook our own gear up. They also let it be known that jobs are at risk if the work isn't getting done, and any abuse of company resources will not be tolerated. Other than the reception of a few DMCA letters because someone was being a little too blatant in their torrenting, it's worked out pretty well.

    However, I think the *only* reason that works well is because we're a pretty small company in terms of employees, so we all know each other. When someone does something to cause issues, it gets noticed, and they know they better fess up, or someone's going to toss them under the bus.
    jibbajabba Member Posts: 4,317
    We use "Common Sense" :)
    My own knowledge base made public: http://open902.com :p
    tiersten Member Posts: 4,505
    Forsaken_GA wrote: »
    I can usually get around that as well. Most every job I've worked for that I've been forced to run a Windows workstation at, doesn't bother to lock down their CMOS. So I can boot off a CD.
    It is part of our build procedures that the BIOS password is set. The case of the workstation is locked and it's got a chain on it. We run Disknet to restrict access to removable devices and optical drives.
    Forsaken_GA wrote: »
    I've also seen folks get around the non-company equipment policies by simply using a commercial grade Linksys router to spoof their desktop's MAC address, and then they plug their laptop and desktop into that.
    We've got 802.1x and Cisco NAC running. If we caught anybody tampering with the network or computers they'd be dismissed on the spot and promptly escorted out of the building.
    Forsaken_GA wrote: »
    Fortunately, I currently work in an environment where management understands we're a bunch of smart folks and that these kinds of safeguards would be counter-productive, in addition to futile (the futile part is mainly in that we have to use SSH to get our jobs done, so it can't be limited in any way, which pretty much means any security measures are out the window from the word go).
    I work in a bank and there is a very small list of allowable applications that the users are allowed to run and access. Most users don't even have access to the general internet but only a limited subset of essential work sites.

    As we process/store financial data and there is an online banking facility, we have very specific security guidelines we have to follow and get regular audits.
    Forsaken_GA wrote: »
    They let us run whatever OS we want on our boxes, and don't really care if we hook our own gear up.
    If it isn't on the approved list then it's not getting installed.
    Forsaken_GA Member Posts: 4,024
    tiersten wrote: »
    I work in a bank and there is a very small list of allowable applications that the users are allowed to run and access. Most users don't even have access to the general internet but only a limited subset of essential work sites.

    That's the difference right there, you work in an environment where protection of data is essential, not just for good business reasons, but for good legal reasons as well. I've never worked in such an environment, so never had to deal with folks who are motivated to make sure I'm playing by the rules. I'd also like to think that I'd have the good sense to not even try, since I'd know that getting caught would be instant termination. Might as well just quit instead.
    Forsaken_GA Member Posts: 4,024
    tiersten wrote: »
    As we process/store financial data and there is an online banking facility, we have very specific security guidelines we have to follow and get regular audits.

    Ah, PCI compliance. Yeah, I know exactly what you guys have to go through; one of our colo clients recently had to go through compliance certification, so we had to make a few changes in our datacenter procedure in order to accommodate them.
    gojericho0 Member Posts: 1,059
    Anybody here use Websense's Content Gateway to deal with encryption tunnels to bypass proxies and for dealing with web 2.0 content?
    gojericho0 Member Posts: 1,059
    tiersten wrote: »
    We've got 802.1x and Cisco NAC running. If we caught anybody tampering with the network or computers they'd be dismissed on the spot and promptly escorted out of the building.

    Tiersten,

    It's been a little while, but at my old organization we used the NAC appliance as opposed to the framework, which I assume you are running with .1x.

    With the appliance, automatic remediation (which was one of the big selling points) and reporting was pretty terrible. The other problem I had with it is the only way to stop the appliance from shutting down the switchport for a device like a printer that couldn't conform with your policy was to exempt it by mac address which of course could easily be spoofed.
    tiersten Member Posts: 4,505
    gojericho0 wrote: »
    Tiersten,

    It's been a little while, but at my old organization we used the NAC appliance as opposed to the framework, which I assume you are running with .1x.

    With the appliance, automatic remediation (which was one of the big selling points) and reporting was pretty terrible. The other problem I had with it is the only way to stop the appliance from shutting down the switchport for a device like a printer that couldn't conform with your policy was to exempt it by mac address which of course could easily be spoofed.
    Hah. Yeah. The auto remediation feature is better now but still not as great as they advertise.

    We had to whitelist the MAC addresses of printers. All the network printers are in public areas however with a large amount of foot traffic so if anybody was messing with the printers they'd be discovered pretty quickly. Nobody actually prints directly to a network printer however so we did put them on another VLAN.
    gojericho0 Member Posts: 1,059
    That's basically what we had to do as well. Cisco did buy something called NAC Profiler that was supposed to ease some of the deployment, but we felt we wouldn't get too much bang for our buck.

    As far as the compliance goes, I think a lot of the companies that were supposed to work with Cisco decided they'd be better off making their own solutions.

    Do you use CSA as well? That, I feel, is my favorite security application Cisco has ever bought/produced, due to the granularity to secure just about everything from network to application and the fact it is all behavioral based and doesn't run on signatures.
    JosefinaS Member Posts: 1
    We are running Mac OS in the office, so we have ActyMac DutyWatch installed. It takes screenshots, records every keystrokes, stores internet and application usage history and so on. I'm satisfied with the results - I think, it has to be done, because not everyone understands that at work you should work.
    HeroPsycho Inactive Imported Users Posts: 1,940
    gojericho0 wrote: »
    Do you use CSA as well? That, I feel, is my favorite security application Cisco has ever bought/produced, due to the granularity to secure just about everything from network to application and the fact it is all behavioral based and doesn't run on signatures.

    I tried deploying CSA 3 times with a slew of Cisco and Northrop Grumman engineers hell bent on selling it to my employer at the time. Either memory leaked or denied what should have been allowed every time.

    Hopefully it has improved since then (that was 4 years ago).
    Good luck to all!
    UnixGeek Member Posts: 151
    I run Untangle on a VM, and tunnel Internet traffic through it, so the topology is:

    Client -> Untangle VM -> pfSense VM -> ISP's router

    pfSense performs all of the essentials (firewall, NAT & VPN), so this way Untangle is configured as a transparent bridge that can be bypassed with a few clicks if any problems come up.
    NinjaBoy Member Posts: 968
    We use Microsoft ISA & the Sophos WS1000 web appliance (Sophos Web Security).

    -Ken
    gojericho0 Member Posts: 1,059
    HeroPsycho wrote: »
    I tried deploying CSA 3 times with a slew of Cisco and Northrop Grumman engineers hell bent on selling it to my employer at the time. Either memory leaked or denied what should have been allowed every time.

    Hopefully it has improved since then (that was 4 years ago).

    We really had no major issues with it concerning bugs. We just had to make sure it was in test mode for about 3 months to get a good baseline of what type of behavior was legit in our environment.