Looking for something to monitor a user's web-browsing, in-line auditing preferred

Cerulean ([H]F Junkie, joined Jul 27, 2006, 9,476 messages)
Greetings,

We have two Barracuda Web Filters, but at the moment they're not working and have to get Barracuda to do something special with them. This will take some time, so this isn't an option.

Right now we have a user with a dedicated VDI, and we need to monitor and audit this user's HTTP browsing history. Due to circumstances, since the beginning of this year, everyone has access to Google Chrome, Mozilla Firefox, Internet Explorer 10 (native with Windows 8), and Internet Explorer 8 (ThinApp). I did some research on this user's active VDI C:\Users profile and, using the "Date accessed" column, found that this user is always using Private Browsing Mode in Mozilla Firefox. We need to monitor the HTTP traffic history transparently and secretly.

Is there any freeware/open-source Linux distribution (or Windows program) specifically for this, where we could assign a static IP to this user's VDI and point the default gateway at the monitor as a man-in-the-middle/in-line audit? Surely there is...
 
Squid is frequently recommended around here. Stick a server w/ it inline to your outbound link or use an extra port from your Squid server and SPAN (if your switching supports this) the port to the extra Squid server port so it can pick up all the HTTP requests the user makes.

A few other things:

  • Use DHCP reservations, as a clever user will spot the static assignment and look.
  • I always detested this practice but found the pros outweigh the cons: block all outbound network traffic by default and selectively open ports up as they are needed by the servers, and require a proxy for the user to go outbound via web. The reason for this is I can get by webfilters all day long by just passing all of my HTTP/HTTPS traffic over an SSH tunnel, which I can set up using ANY open outbound port that I find w/ a port scanner.
  • Look for a better long-term solution (i.e. Websense).
  • Use a GPO and prevent users from modifying proxy settings. Granted, this won't be very effective w/ Firefox, however, unless there is a business case you really should be restricting software.
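As an added illustration of what the Squid approach above actually yields (this is not code from the thread or from the Squid project), the script below summarises one client's browsing history from Squid's native access.log. It assumes Squid's default "squid" log format (timestamp, elapsed ms, client IP, code/status, bytes, method, URL, ident, hierarchy/peer, content type), an access.log written with a directive such as `access_log /var/log/squid/access.log squid`, and a hypothetical audited VDI at 10.1.1.50; the log lines themselves are constructed for the example. It also makes the two caveats concrete: the proxy records the request whether or not the browser is in private mode, and for HTTPS a plain (non-bumping) proxy only ever sees the CONNECT host:port, never the URL path.

```python
"""Summarise one client's browsing history from Squid's native access.log.

Added illustration for the thread, not code from Squid or the original post.
Assumes the default "squid" log format, one request per line:
  timestamp.ms elapsed client code/status bytes method URL ident hierarchy/peer type
"""
from datetime import datetime, timezone
from urllib.parse import urlsplit

# Constructed sample lines in Squid's native format. 10.1.1.50 is the
# hypothetical VDI being audited; 10.1.1.51 is another user who must be excluded.
SAMPLE_LOG = """\
1388534400.123    250 10.1.1.50 TCP_MISS/200 5123 GET http://example.com/index.html - HIER_DIRECT/93.184.216.34 text/html
1388534401.456   1200 10.1.1.50 TCP_TUNNEL/200 8845 CONNECT mail.example.org:443 - HIER_DIRECT/198.51.100.7 -
1388534402.789     30 10.1.1.51 TCP_MISS/200 2000 GET http://other.example/ - HIER_DIRECT/203.0.113.9 text/html
1388534403.001     15 10.1.1.50 TCP_DENIED/403 1500 GET http://blocked.example/x - HIER_NONE/- text/html
"""


def parse_squid_line(line):
    """Return a dict for one access.log line, or None if it does not parse."""
    fields = line.split()
    if len(fields) < 10:
        return None
    ts, _elapsed, client, code_status, _size, method, url = fields[:7]
    https = method == "CONNECT"
    if https:
        # A CONNECT request exposes only host:port. Everything inside the
        # TLS tunnel (path, query, headers) is invisible to a plain proxy.
        host = url.rsplit(":", 1)[0]
    else:
        host = urlsplit(url).hostname
    return {
        "time": datetime.fromtimestamp(float(ts), tz=timezone.utc),
        "client": client,
        "status": code_status,   # e.g. TCP_MISS/200, TCP_DENIED/403
        "method": method,
        "host": host,
        "url": None if https else url,
        "https": https,
    }


def history_for_client(log_text, client_ip):
    """All requests made by one client IP, in log order.

    The proxy sees the request regardless of the browser's private mode,
    which only suppresses the local history on the client.
    """
    out = []
    for line in log_text.splitlines():
        rec = parse_squid_line(line)
        if rec and rec["client"] == client_ip:
            out.append(rec)
    return out


def format_history(records):
    """Render records as a human-readable audit listing."""
    lines = []
    for r in records:
        stamp = r["time"].strftime("%Y-%m-%d %H:%M:%S UTC")
        target = r["url"] if r["url"] else f"{r['host']} (HTTPS tunnel, path not visible)"
        lines.append(f"{stamp}  {r['status']:<15} {r['method']:<7} {target}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_history(history_for_client(SAMPLE_LOG, "10.1.1.50")))
```

For the in-line (default gateway) placement described above, the matching Squid side is an intercept listener (`http_port 3128 intercept`) plus a redirect rule on the box for port 80; port 443 traffic still only shows up as CONNECT/host entries unless you add TLS interception, which is a much bigger decision than a temporary HR request warrants.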
 
This is only a temporary solution I'm looking for, for 1-2 users that HR has requested to be monitored, not for 500+ users (we will use two Barracuda Web Filter 310s for this).
 
Those Barracuda bastards... LOL. Too bad, we had lots of good stuff working with them when they were inline. HTTPS filtering and all.

Not to derail this too far off, but what are they NOT doing?
 
Not to derail this too far off, but what are they NOT doing?
I don't know and it's not my business. I don't like these kinds of assignments.

We're going to try to do syslog of HTTP traffic from the core Cisco router/firewall + Splunk.
 