How can I use a Cisco 5505 to monitor website usage by staff members?

How can I use a Cisco ASA 5505 to log outside IPs (ie. websites) visited by staff members?

My goal is to create logs as needed of a staff member's website usage.

I have spent considerable time looking through the configuartion options and manuel; it is beyond me where to start. Any advice where to start would be great. Thank in advance.

I'm not sure the firewall is the best way to monitor website usage.  But the way to do it with the firewall would be to enable logging in the fire wall and send the messages to a syslog server.  Then you will need another piece of software to analyze the log messages on the syslog server to get your reporting on what computer went to what web sites.  You may also have to have your domain report to the syslog server what user logged on to the workstation at what time to match user IDs to the web sites visited.

There may  be a better solution using a product designed to monitor and protect website usage like a websense http://www.websense.com/content/WebSecurityOverview.aspx appliance.  I haven't used websense but understand it provides both protection and logging

Dave

lol, this is one of the easiest things to do on the Cisco ASA.

But how about NOT being an overcontrolling network admin?  That is my advice on "where to start".

I'd use [ OpenDNS ] for this.  They give reports that are easy to read if you set up a free account.  Read their privacy policy and terms of service to make sure it fits with your agency.  And you can take the further step of filtering the content if you need to.

Hey Rog,

Long time no see.

Since some of us ARE overcontrolling network administrators, could you outline the methodology to which you alluded? 

I'm finally going to get my hands on some 5505's next month, for an organization that's large enough and plagued with enough problems to justify a few weeks of heightened vigilance.

-ENO

Like ENO, I too am an "over-controlling" network administrator.  Our org used to allow free reign for our users and they would call and complain that the applications they were running were slow.  We had users streaming music and video on multiple machines.  Since I've controlled where they go, people can actually accomplish work without having to worry about bandwidth. 

It's just one button in the ASDM to turn it on and another to send to a logging server.  I've just change to an IOS base firewall and too lazy to pull the ASA out of the closet.

Rog,

I plead ignorance if this is the easiest thing to do. Please do provide some more detail where such settings are on the Cisco ASA 5505 device manager.

Thanks for considering my question.

Thanks Dave, I'll note Websense as an option. Chris, thanks for suggesting OpenDNS. I resonate with Glamontagne, helping staff get work done is my goal here.

The non-profit I work for has been pretty casual to-date with our user's surfing time; and it isn't paying off.

for me, I use IPCOP as proxy server.  I'm too I think I'm over control, but it's is far better than having to fix 100s of computers for virus/spyware/popup problem.  I limit the ability to download (doc, exe, zip), do web filter, blacklist.  and also let them know that all internet vist will be log, what happen under their login will be their responsibility.  There is also a statement to obtain the username request form that they have to sign said those log can be use as part of employee review.   Too much abuse/non work related can be use for termination.  x-rate stuff is a NO NO.   if found, usually will be ground for termination.  So, am I over control???   I will do what ever it take to protect my network and prevent bad thing from happening. it's far better than the alternative.