Monitor Network

[greatchap]

Hello Guys,

I have a small office (fewer than 10 employees) and I wish to monitor what my employees do. So I want a router which can log traffic and block sites. Can you suggest how to go about it or which router I can buy for that ?

I think a router can keep a very small log as its memory is limited. Can new routers keep log for a week or so ? If not, what should I do ?

Is there additional ways of monitoring employee's systems ? Though I am not keen on installing anything on their systems but if there is no option then can you recommend a good software for that.

Thank you,

Cheers,
GR

 

[diizzy]

You need some kind of http proxy for that, since you're asking how to do it I guess a linux/unix/-based solution is out of question. I'm not sure but the Zyxel USG models should have that capability but I'm not sure.
//Danne

 

[Red Squirrel]

May be too advanced but what I'd do is block outgoing http/https at the firewall for the main vlan, then setup another vlan that has a filter/proxy box on it. Perhaps squid. Not sure if it does filtering by default, but think it does. Then you have everyone's browser set to use that proxy. There may also be more advanced ways to make it more transparent. You could block sites by IP, then you don't need a proxy. Would need a way to quickly and easily do that though. Most commercial products like this you have to pay per seat, which is ridiculous, so I'd look at something free or something that you pay for it once.

 

[timta2]

Do they have cellular data access? If so, that might be a lost cause once they get wind of being watched.

 

[FLECOM]

a watchguard can do this

 

[greatchap]

Today's routers do have options like website blocking and logs. So why so much hassle ?

 

[dbwillis]

Untangle can monitor what web sites are heavy used ones, plus whos using in / out bandwith, its free as well

 

[/usr/home]

If you have a decent firewall/router you can even redirect traffic at the firewall to your internal proxy.

 

[RocketTech]

pfSense is a good choice, but will you be able to understand the logs? Besides monitoring your employees, can you give us a specific case you are trying to solve? General Paranoia isn't much of a use case.

 

[Riccochet]

Barracuda Web Filter

 

[greatchap]

Thanks for your replies guys. Let me tell you what I want so that scenario becomes a bit clearer.

I have a very small office with fewer than ten employees. I think at times when I am not around they can spend time surfing the net or doing something else.

I just want to keep a track on the websites they visit and block certain sites. This way they wont be able to visit blocked sites and I will also know what sites they are visiting at what date & time.

Since the no. of people in the office is less as the organization is small, I am not keep on spending money. Thus I thought a router which can block sites, record logs should be able to do the job. All the pcs run Windows XP or 7.

Please tell me how to go about it.

Thank You.

 

[RocketTech]

If you are trying to keep your employees from wasting time, forget about it. Employees have a long tradition and surprising amount of skill for wasting time. Technology will not replace a manager. If your goal is to block sites, pfSense is a good choice.
OpenDNS' service might be the easiest to implement and use; you can block categories such as entertainment, pr0n, what not. You need a solution that blocks by domain name- if you block by IP address, you won't block most popular sites since they have blocks of IP addresses.

 

[greatchap]

If you are trying to keep your employees from wasting time, forget about it. Employees have a long tradition and surprising amount of skill for wasting time. Technology will not replace a manager. If your goal is to block sites, pfSense is a good choice.
OpenDNS' service might be the easiest to implement and use; you can block categories such as entertainment, pr0n, what not. You need a solution that blocks by domain name- if you block by IP address, you won't block most popular sites since they have blocks of IP addresses.

Thanks for your reply.

I understand that technology won't replace a manager. But some steps such as a cctv or website blocking will bring about some change (in other words reduce wastage of time).

It looks like router is not up for the job. So should I install pfSense on all computers (1 option). Can you recommend me other software which are either free or cheap and can be installed on pcs.

 

[RocketTech]

Thanks for your reply.

I understand that technology won't replace a manager. But some steps such as a cctv or website blocking will bring about some change (in other words reduce wastage of time).

It looks like router is not up for the job. So should I install pfSense on all computers (1 option). Can you recommend me other software which are either free or cheap and can be installed on pcs.

I'd recommend you contact a professional familiar with what you want to accomplish. pfSense is a router distro, installed as an OS on suitable hardware.
My personal experience and philosophy are at odds with your management style; I'm afraid I won't be of much further help.

 

[/usr/home]

Redirect all TCP port 53 traffic to OpenDNS at the firewall and use OpenDNS to filter. I'm not sure if they log anything. Even if they did, you wouldn't even be able to differentiate which computer hit what site.

 

[schnell]

What is your budget?

We use cloud based Websense to filter the internet here. Simple install on all cleint machines that forces them through the Websense proxy no matter what browser they use. It is a system wide change so even if they try to use somthing like a portable firefox off a flash drive it is still filtered. Pretty neat It even filters machines no matter where they are in the world so laptop users are filtered even at home. Some people got pissed initially but in the end it is a company owned computer so we can't have you screwing it up at home with viruses because you needed to look at porn on a company computer. As soon as we asked what they were trying to look at they dropped it

All managers get an email every night at midnight with a breakdown of their underlings internet usage for the day.

 

[ChinaMan]

Squid proxy will do the trick. My three favorites are ClearOs with Web Proxy & Content Filter App, IPCop with Squdguard Addon, and Endian (formally IPCop).

 

[Tee]

Redirect all TCP port 53 traffic to OpenDNS at the firewall and use OpenDNS to filter. I'm not sure if they log anything. Even if they did, you wouldn't even be able to differentiate which computer hit what site.

They log stuff if you turn it on. The free version sucks for logs.

The paid version requires people to sign-in to a web browser with an email account and is track VIA account login.

 

[greatchap]

Thanks for your replies guys.

My budget is around $20 per system. It looks like I need to install a software which monitors,blocks and logs network traffic.

schnell: cloud based Websense sounds interesting but I dont know how much it will cost ?

Interguard has a software called Sonar and Web Filtering. Sonar is expensive but Web filtering in a program that monitors network and block sites etc. It costs $25 and has an integrated dashboard. It looks fine I guess. What do you guys say ?

 

[Jay_2]

We used to use webroot DWP, it was pretty good as it could protect and monitor company laptops even outside of the corp LAN

 

[DieTa]

I think it would be the easiest to install an IPCop as ChinaMan has recommended on a separate system and use it for filtering and logging. You can easily access the web interface and you should enable the Proxy transparent, so that all users HAVE TO use it. AddOns like Calamaris will generate a report for you which shows the sites your employees surf to. Let it run for a few days silent and without blocking anything, then you will get a good list of URLs to block.

I'm not sure how this in your country, but here in Germany you HAVE TO inform your employees that you log there traffic (and I think it's a good thing).

Also: I think that a free internet access motivates employees more than blocking it. While I understand that you as owner want a productive worker, I think a bit of freedom makes a workplace a better one - but that's just my opinion (and I'm saying that as Linux-Sysadmin who writes software to block URLs ^^).

 

[greatchap]

I think it would be the easiest to install an IPCop as ChinaMan has recommended on a separate system and use it for filtering and logging. You can easily access the web interface and you should enable the Proxy transparent, so that all users HAVE TO use it. AddOns like Calamaris will generate a report for you which shows the sites your employees surf to. Let it run for a few days silent and without blocking anything, then you will get a good list of URLs to block.

I'm not sure how this in your country, but here in Germany you HAVE TO inform your employees that you log there traffic (and I think it's a good thing).

Also: I think that a free internet access motivates employees more than blocking it. While I understand that you as owner want a productive worker, I think a bit of freedom makes a workplace a better one - but that's just my opinion (and I'm saying that as Linux-Sysadmin who writes software to block URLs ^^).

I appreciate your help. But because of lack of pc and technical know how, what you mentioned above is something that I want to try if other options fail.

I feel 2 solutions are viable. Either configure a router and enter a list of websites that I wish to block & log in a router. Or I install a software on all machines that will block/log websites and are not expensive.

I will let them know that they are being monitored. Thats okay.