
Monitoring Internet using firewall


Murugs

Technical User
Jun 24, 2002
549
US
I am being asked to monitor the internet usage of several people in my company. I have no idea how to incorporate this. We have a T1 line connected to a firewall and a router, and a win2k server running as PDC with nearly 18-20 clients, including 98 and xp machines. W2k runs DHCP.
How do I monitor particular machines and their internet browsing habits? I have never meddled with my PIX firewall as I am a little hesitant to, since I am not fully aware of it.
Is it something to do in the firewall? I see a tab called monitoring in the PIX firewall section. Could someone guide me through some steps of how to go about this?

regards
MP
 
What you need is a protocol analyzer, it will give you the information you need.
 
If possible could you throw more light on this.

regards
MP
 
Guys..Pardon my ignorance on the subject here.
I really do not know what ethereal is..Is it an option in PIX or should I need to install any software..If yes where should I do?
 
Check it out, it is a packet sniffer so you can see all the traffic flowing through your network. It is really good and it is free; however, you need a lot of time to go through all the information in order to determine what traffic and which machines are consuming your bandwidth. A good protocol analyzer will give you that information and more right away. If you want to learn more about protocol analyzers I'd suggest you search for "protocol analyzer" on any search engine. Remember, google is your friend.
 
Ethereal will be next to no use if you are on a switched network, as there will be no traffic on your port for you to sniff. I also doubt that anyone has the time to go through ethereal logs to monitor a user's internet (http) access.

Having said that, ethereal is a good free network sniffer, it's just not suited to this application.
 
>Ethereal will be next to no use if you are on a switched network, as there will be no traffic on your port for you to sniff

If it's a manageable switch and supports span/mirroring then ethereal will work fine. If not, then you will need a hub. Because of the amount of capture, I would only use ethereal when troubleshooting, and filter the addresses/ports I want to see.
 
Some update here. The tech support for our pix firewall sent me an email stating that I should use something called Kiwi Syslog Daemon and point the Pix Firewall logs to the kiwi syslog daemon, and to analyze the log I should buy a program called Nettracker.

I have installed kiwi syslog, but how do I point the logs to it? Also, are there any freeware like nettracker?

Any suggestions..
I need to pay the support guys some big money to come and look over. ..I am trying to figure out what I can do, else I am going to call them.
Thanks
MP
 
You install kiwi on any machine and it will be your syslog server, then you need to configure the following commands on the PIX:

logging trap <level>
logging host inside <kiwi-ip>
logging on

where level could be from 0 to 7, and level 7 logs the most information. That's it, you should be set...
 
You can import the syslogs into something like excel and write macros to pattern match and count stats if you're really keen to keep costs down. But then you get into a case of whether the man hours involved in figuring that out are worth it, or whether it's more cost effective to get something like nettracker.

I'd be interested in any free syslog analysers too
 
Here are a few references to free Pix log analyzers:

Pixlog - Pixie - FWlogwatch - Logrep -
Some are no longer supported so be sure to read all the site information. All are free. Personally I've only used commercial products like WebTrends Firewall Analyzer. If you're good with Perl you can probably write something that suits your specific needs as well. Good luck.
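As an added illustration of the "write something yourself" route suggested in the posts above (the PIX logging commands, the Excel pattern-matching idea, and the Perl remark), here is a small Python script, not from anyone in this thread, that does the counting the thread is after. It reads the lines Kiwi would write after the PIX is pointed at it, picks out the "Built outbound TCP connection" messages (PIX message IDs 302013 and the older 302001), and totals, per inside host, how many connections went to web ports and to which addresses. The log lines below are constructed samples shaped like those messages with documentation-range addresses; the Kiwi date/facility prefix is an assumption about its file format, and nothing here depends on it. Note what the firewall log can and cannot tell you: you get inside IP to destination IP and port, not the URLs visited; for hostnames and pages you need a proxy or a sniffer.

```python
import re
from collections import defaultdict

# Constructed sample of a Kiwi-style log file (assumed prefix: date, time,
# facility.severity, sender), each followed by a PIX message in the shape of
# %PIX-6-302013 (new format, real and mapped addresses) or the older
# %PIX-6-302001. All hosts and addresses are invented.
SAMPLE_LOG = """\
2003-05-12 09:14:02 Local4.Info 192.168.1.1 %PIX-6-302013: Built outbound TCP connection 1001 for outside:203.0.113.5/80 (203.0.113.5/80) to inside:192.168.1.10/1057 (198.51.100.2/1057)
2003-05-12 09:14:05 Local4.Info 192.168.1.1 %PIX-6-302013: Built outbound TCP connection 1002 for outside:203.0.113.5/80 (203.0.113.5/80) to inside:192.168.1.10/1058 (198.51.100.2/1058)
2003-05-12 09:14:07 Local4.Info 192.168.1.1 %PIX-6-302013: Built outbound TCP connection 1003 for outside:203.0.113.9/443 (203.0.113.9/443) to inside:192.168.1.22/1100 (198.51.100.2/1100)
2003-05-12 09:14:09 Local4.Info 192.168.1.1 %PIX-6-302001: Built outbound TCP connection 1004 for faddr 203.0.113.7/80 gaddr 198.51.100.2/1101 laddr 192.168.1.22/1101
2003-05-12 09:14:11 Local4.Info 192.168.1.1 %PIX-6-302014: Teardown TCP connection 1001 for outside:203.0.113.5/80 to inside:192.168.1.10/1057 duration 0:00:09 bytes 4120 TCP FINs
2003-05-12 09:14:12 Local4.Info 192.168.1.1 %PIX-6-302013: Built inbound TCP connection 1005 for outside:203.0.113.50/34000 (203.0.113.50/34000) to inside:192.168.1.5/25 (198.51.100.2/25)
2003-05-12 09:14:15 Local4.Info 192.168.1.1 %PIX-6-302013: Built outbound TCP connection 1006 for outside:203.0.113.20/25 (203.0.113.20/25) to inside:192.168.1.10/1059 (198.51.100.2/1059)
"""

# 302013: "for <iface>:<real ip>/<port> (<mapped>) to <iface>:<real ip>/<port> (<mapped>)"
BUILT_NEW = re.compile(
    r"%PIX-\d-302013: Built (?P<dir>inbound|outbound) TCP connection \d+ "
    r"for (?P<a_if>\w+):(?P<a_ip>[\d.]+)/(?P<a_port>\d+) \([\d.]+/\d+\) "
    r"to (?P<b_if>\w+):(?P<b_ip>[\d.]+)/(?P<b_port>\d+) \([\d.]+/\d+\)"
)
# 302001 (older PIX): "for faddr <foreign> gaddr <global/NAT> laddr <local>"
BUILT_OLD = re.compile(
    r"%PIX-\d-302001: Built (?P<dir>inbound|outbound) TCP connection \d+ "
    r"for faddr (?P<f_ip>[\d.]+)/(?P<f_port>\d+) gaddr [\d.]+/\d+ "
    r"laddr (?P<l_ip>[\d.]+)/(?P<l_port>\d+)"
)


def parse_built(line):
    """Return (inside_ip, dest_ip, dest_port) for an outbound TCP 'Built'
    message; None for teardowns, inbound connections and other message IDs."""
    m = BUILT_NEW.search(line)
    if m:
        if m.group("dir") != "outbound":
            return None
        # For an outbound 302013 the "for" side is the outside host and the
        # "to" side is the inside host that opened the connection.
        return m.group("b_ip"), m.group("a_ip"), int(m.group("a_port"))
    m = BUILT_OLD.search(line)
    if m and m.group("dir") == "outbound":
        return m.group("l_ip"), m.group("f_ip"), int(m.group("f_port"))
    return None


def summarize(lines, web_ports=(80, 443)):
    """Per inside host: count of outbound connections to web_ports and the
    set of destination IPs. Non-web ports (e.g. SMTP) are left out."""
    stats = defaultdict(lambda: {"connections": 0, "destinations": set()})
    for line in lines:
        parsed = parse_built(line)
        if parsed is None:
            continue
        inside_ip, dest_ip, dest_port = parsed
        if dest_port not in web_ports:
            continue
        stats[inside_ip]["connections"] += 1
        stats[inside_ip]["destinations"].add(dest_ip)
    return dict(stats)


def top_talkers(stats):
    """Inside hosts ordered by web connection count, highest first."""
    return sorted(stats.items(), key=lambda kv: (-kv[1]["connections"], kv[0]))


if __name__ == "__main__":
    # Replace SAMPLE_LOG.splitlines() with open("pix.log") to run on a real file.
    report = summarize(SAMPLE_LOG.splitlines())
    for host, entry in top_talkers(report):
        print(f"{host:15} {entry['connections']:4d} web connections to "
              f"{len(entry['destinations'])} destination(s): "
              + ", ".join(sorted(entry["destinations"])))
```

Only the "Built" messages are counted, so the "Teardown" lines (which carry byte counts and durations) are ignored here; extending the parser to 302014 would give per-host bandwidth as well. A logging trap level of 6 is enough for these connection messages.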
 
I like using websense. It certainly is not free and can be pricey, but the reports it generates, the blocking you can do, ease of installation, and the amount of other features make it worth it imho.

 

We use Surfcontrol .. again, not cheap but not expensive either. Same type of product as websense and is a complete package for monitoring internet usage. Provides you with some fancy graphs - shows you what sites users have visited, you can block sites, block certain files from being downloaded etc.

Ethereal is great if you know what you're looking for when it's running and you know how to use it properly. If you're only after a monitor then Websense or Surfcontrol will be the best bet - especially if management want to know what's going on.

~ Remember - Nothing is Fool Proof to a Talented Fool ~
 
You could skip all of that. What I have done is set up a Squid HTTP Proxy on Red Hat, and only allow HTTP access to the Internet via that, and then change everybody's proxy settings in Internet Explorer (can be done with policies so the users would not notice and change). I then use Webalizer (in Webmin) to view the logs; you get nice little graphs and lists, just like upper management like :)

Just another angle.

Simon
 