Track Internet Usage

I need to find a better way to track the internet usage of our users.

non-profit organization, around 60 computers.

About a year ago, I had a proxy server setup which all our internet traffic went through - had some software called 602LAN SUITE installed, which had a lot of "extra" junk with it - but we owned a license and the logs it produced were great. I could pick a computer - pick a time frame, and within a minute have a nice report of all the sites and approx amount of time spent surfing the sites.

The down side was that it seem to slow our internet down - and occasionally just decide to stop working for about a minute then start working again. So anyway, because of some issues - the proxy server was removed and we were then just working through a firewall router box which did do some logging, but it was a pain - if I forgot to download the log, it was lost - then the format it was in was a pain - hard to sort, etc... anyway, just nightmare to get any sorts of logs.

So anyway, I'm now looking for a new solution which I hope to get some advice on. (hardware or software)

I need something that our internet traffic can go through - something with built-in firewall abilities is a plus. We need it to be able to log all the activities - and hopefully have a nice reporting system that we can use. We have also been looking at some software which loads on all our employees computers that will track all activities - but that just seemed like it was too much.... since for the most part we are very "friendly" when it comes to employees doing some non-work activities on their computers - as long as work gets done, nothing illegal, not too time consuming, and does not interfere with other employees - we tend to allow this.

Anyway, some suggestions - ideas - etc... would be great. Thanks.

Hello,

Do you have an acceptable use policy that your employees sign? See http://en.wikipedia.org/wiki/Acceptable_use_policy for some examples. An acceptable use policy and other policies will allow you to clearly inform your users as to appropriate activities and those that are less so. As well it would let them know the reality is they don't have the same privacy rights on work computers (depends on state law as well) as they do at home. The risks of the myriad of litigation are quite large and addressing them is quite important.

There are tons of solutions that would fit the bill for what you are trying to do but they will work or not depending on your current network setup and configuration. Performance wise the Unified Threat Management (unified/centralized security devices that are all in one security solutions such as Firewall, Proxy, IDS) are slower than separating out the boxes into distinct functions.

Another thing to think about it network segmentation. Are you locking down your network so that they cannot subvert your existing proxy solution. As well are users given administrative rights on their machine so they can install or change application or settings? Either way both of these can nullify your entire efforts.

I would check out a few affordable ones which I know well and can support, deploy and manage. All of these will be a fraction of the cost (lower TCO) of the big networking companies that I will not mention by name. As well I am suggesting commercially supported open source products because I assume you don't want to build your own solution with something like Ipcop/Smoothwall or Pfsense. If you really want you can buy those solutions as a hardware appliance or build it on a old server box. Let me know if you need any pointers and or help.

Endian (Build off of Ipcop and very cost effective)
http://www.endian.it/

Smoothwall
http://www.smoothwall.net/

Sonicwall (appliance only)
http://www.sonicwall.com/us/

Thanks,
Joseph

My Email & Contact Info

I find that in these situations, it's the managers and executives who go to the most interesting places.

Take two of my clients, for example -- one in City of Industry (right by Fry's) and one in Costa Mesa (right by the John Wayne airport). Both have managers with porn on their hard drives, and yet the company is making a big deal about their employees going to ebay? If I'm going to police others and have the ability to look at where they go, then perhaps they should have the right and look at where I and the executives are going, as well.

Several technical friends (engineers and IT types) work at large defense contractors. They (in theory) are blocked from going places, but they surf whereever they want, thanks to using solutions such as PuTTYing to their home boxes. The IT dept knows about this and doesn't do anything about it b/c and cost and inconvenience. The end result is that the non-techie ppl are the ones who can't check the sports page, surf ebay, etc.

If your users ever need a way to circumvent any of the filters, they're welcome to email me! I'm sure that we might figure out something that you haven't quite thought of!

Hey Rog,

You are right on that no security solution is perfect. Security would be easy if someone sold us "magic beans" solutions. A skilled hacker/cracker will find a way if they have motive, opportunity or means. However, layered processes, procedures and technologies are meant to reduce risks but can never claim to eliminate them.

This is exactly why I would suggest a layered approach of policy, proper process and technology. So in this case a proxy filtering solution would be good if its used along side a more locked down network (egress/ingress on many levels/layers), more locked down clients(least privileged), a AUP/user/HR training as to the risk and responsibilities of the (mis)muse of company owned technology.

Even a small reduction in the associated risks is far less than the complication and cost of litigation security breach or any other potential risk.

Thanks for you insight as I have seen much the same in my professional experience. On the flip side I have been places where it was so properly locked down that one couldn't so much as access the Internet or any other network for that matter for ANY reason. In some cases as weird as it sounds it is required.

Thanks man,
Joe

We use Squid and Dansguardian.

Thanks for the suggestions so far - out sick for the past few days, as soon as I catch up on everything else I will be looking into the suggestions here (so if anyone else has any suggestions, feel free to add them!)