
Peeping tools

Nine tools that can snoop on your employees.


The Web. The 'Net. Cyberspace. Whatever you call it, your employees and co-workers are going online to find stuff - some useful, some inappropriate. So how is a network manager supposed to keep on top of such things?



The range of solutions is as varied as the Web itself, so we decided to present a roundup of nine products that fall into three categories: products that look for files stored across your network; products that monitor where your employees are surfing; and products that dig a little deeper into the monitoring process.

We begin with products that make sure "bad" files (pornography, games, MP3 files and those nasty Napsterites) don't get stored in places they aren't supposed to.

What have we here?

FileScreen 2000, by W. Quinn Associates, works with Microsoft Windows NT and Windows 2000. It also uses the Microsoft Management Console and Microsoft Data Access. Not only can it search the drives and shares across your domains, but it also aims to prevent users from storing files that you deem inappropriate.

The program must be installed on every Windows server or workstation that you want to protect. But you can install the software remotely to any machine in the domain, making the task manageable. The replication features ensure that each installation uses the same set of policies and filters. It works in two ways: Each client agent monitors file activity in real time as items are saved, moved or renamed. The central management console also lets you scan any drive that you can map to.

The overhead associated with this method is very small. In fact, the documentation states that the overhead "is so small that it is not measurable." That's a pretty bold statement, but rest assured that disk throughput didn't suffer once FileScreen 2000 was installed and running.

Out of the box, FileScreen 2000 has almost 20 predefined screening groups. These groups are categorized by common types of files, such as graphics (either 2-D image files or 3-D game files), audio files and Office files. The screening groups are referenced by policies that determine what action to take when it finds a "bad" file. Policies can be configured individually or by workgroup. Additionally, filters can be employed within the policy to skip a particular storage area.

When the program finds an infraction, the incident is logged on a database and stored for a configurable period of time. Reports can be generated to summarize infractions and show problem spots. You can then select all of the results and delete them in a single click.

Administrators can be notified via a pop-up window on the management console or by e-mail. The program can also make an entry in a server's event log or send an SNMP trap. Each policy can have its own set of actions. By default, the user is notified of an infraction with a pop-up dialog box. But if the policy is set to only observe and record, an administrator may choose to not inform the employee of his or her transgression and only save the evidence. Your policies may vary.

Built into the console is a monitor that lists the infractions that have been logged. You can run a query that refines this list down to a particular policy violation or to a user or group. The results can also be printed or saved. A very nice ergonomic feature is a zoom feature that adjusts the font size to suit the situation.

However, FileScreen 2000 isn't quite a magic bullet. Some of your savvy users can find ways around the restrictions. The sole criterion FileScreen 2000 uses is the name of the file, including the extension. A sneaky user could store all of their .jpg files as .jp_, for example, and not trip any of the policies. But FileScreen 2000 is smart enough not to allow renaming back to the offending name. So a cagey user would be able to disguise files, but it would be difficult to use them.

FileScreen 2000 could be a far more useful program if the reporting features were more flexible. While there are several handy reports available out of the box, most administrators would welcome additional reports on more topics or the ability to create your own without an add-on reporting tool. While not a drawback, these functions could be a nice enhancement in future revisions.

Looking for Quakers

Our next file seeker is AntiGame Plus by DVD Software. AntiGame Plus was initially designed to find games that might be lying around on various PCs and servers across the network. However, it can also be used as a nifty clean-up utility.

You can use AntiGame Plus interactively or in a silent mode that runs without the user's knowledge.

Out of the box, AntiGame Plus Version 5.0 can detect 10,850 games. The program doesn't rely on file names, as that would be an easy way to defeat detection. Instead, it looks for matches in file size and a signature of the file, which works like a checksum. If the file size and signature match AntiGame's database, the program declares a detection. This scheme isn't foolproof, but it achieves reasonable content scanning and retains a decent level of performance. It falls short with games that have multiple patches to the executables. For example, it didn't detect an installation of Quake II that had an added enhancement pack. This changed the signature of the executable, which made it look different than the original game.
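The two screening methods described above each leave a gap: a name-only check (FileScreen 2000) misses a renamed .jp_ file, and a size-plus-checksum match (AntiGame Plus) misses a patched executable. The following added example, which is not code from either product, reproduces both checks on constructed sample files and shows content sniffing by leading bytes as the complement to the name-only check; the magic-byte table and the one-entry game database are assumptions for the demonstration.

```python
"""Name-only screening, content sniffing and size-plus-checksum signatures,
shown side by side on constructed files to make each method's blind spot visible.
Example code added for illustration; not code from FileScreen 2000 or AntiGame Plus.
"""
import zlib
from dataclasses import dataclass
from typing import Optional

# Name-only policy in the FileScreen 2000 style: only the extension is consulted.
BLOCKED_EXTENSIONS = {".jpg", ".jpeg", ".gif", ".mp3"}

# Leading bytes that identify the content types the policy cares about (assumed table).
MAGIC = {
    b"\xff\xd8\xff": "jpeg",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
    b"ID3": "mp3",
    b"MZ": "exe",
}
BLOCKED_CONTENT = {"jpeg", "gif", "mp3"}


def extension_of(name: str) -> str:
    dot = name.rfind(".")
    return name[dot:].lower() if dot >= 0 else ""


def sniff(data: bytes) -> str:
    """Classify a file by what it starts with rather than what it is called."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return "unknown"


def screen_by_name(name: str) -> bool:
    """True if a name-only policy would flag the file."""
    return extension_of(name) in BLOCKED_EXTENSIONS


def screen_by_content(name: str, data: bytes) -> bool:
    """True if the file is flagged by its name or by its actual content."""
    return screen_by_name(name) or sniff(data) in BLOCKED_CONTENT


# Size-plus-checksum signature in the AntiGame Plus style. CRC32 stands in for
# whatever digest the product uses; the matching logic is what matters here.
@dataclass(frozen=True)
class Signature:
    size: int
    crc: int


def signature_of(data: bytes) -> Signature:
    return Signature(len(data), zlib.crc32(data) & 0xFFFFFFFF)


# Constructed stand-in for a known game executable and its database entry.
KNOWN_GAME = b"MZ" + b"\x90" * 62 + b"constructed-game-sample"
GAME_DB = {signature_of(KNOWN_GAME): "constructed game"}


def match_signature(data: bytes) -> Optional[str]:
    """Name of the matching database entry when size and checksum both agree."""
    return GAME_DB.get(signature_of(data))


def demo() -> dict:
    jpeg = b"\xff\xd8\xff\xe0" + b"\x00" * 32       # constructed JPEG header
    patched = KNOWN_GAME + b"\x00enhancement-pack"  # same game after a patch
    return {
        "photo.jpg by name": screen_by_name("photo.jpg"),
        "photo.jp_ by name": screen_by_name("photo.jp_"),
        "photo.jp_ by content": screen_by_content("photo.jp_", jpeg),
        "original game": match_signature(KNOWN_GAME),
        "patched game": match_signature(patched),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```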

With each new release, AntiGame adds more games to the list, in addition to delivering them as updates through a subscription service. Game lists are updated two to four times each year, and the administrator can connect to a DVD server through the Internet to update the database. The server will either confirm an up-to-date database or download a newer version.

A bonus to AntiGame Plus is its ability to find and remove anything that you can define. Remember those electronic Christmas cards that float around each December? You can create a customized entry to seek out and destroy these pesky vermin. A companion utility creates secondary databases that can also be used for scanning. It's fairly easy to create a new definition and associate other files to delete.

By default, AntiGame scans only executable files (those with .exe or .com file extensions). You can also scan all files to catch Dynamic Link Libraries or other file types. In addition, AntiGame can scan archives, such as .zip files, which could catch a Napster installation.

Another nice feature of AntiGame Plus is its deployment - it doesn't have to be installed on the machines it scans. This lends itself to being launched from logon scripts, such as those in NetWare or NT. AntiGame's silent mode won't show up on the user's screen, nor will it appear as an icon on the desktop or system tray. However, if the user has authority to launch the task list under NT, it will show up as a process. The only real clue that might tip off the user is the droning of the hard drive for the duration of the scan. Because the scan is taking place on the user's workstation, reports have to be saved to a location the employee has access to.

DVD Software recommends running "scan and log" first. Once games are confirmed, you can change it to actually delete the offending files.

Finding the players

The next product is GameWarden by Wards Creek Software. GameWarden specializes in tracking gameplay across your network, terminating or preventing it where appropriate. A client is loaded on each machine that you want to track. The client then communicates with a server to report information and check the gameplay policies.

Loading the client can be done through any logon script or similar mechanism. Once running, GameWarden is silent and difficult to detect. It reports activity to the server and checks to see what actions it needs to take.

GameWarden can configure policies based on user name, time of day or even length of game play. For example, if you want to allow some game playing, you can set a time limit. When that limit has been reached, the game play will be flagged as "excessive." The user can then be notified, or the game can be automatically terminated. In either case, the event is logged for review by the administrator.

Currently, GameWarden cannot accept new games defined by a local administrator. Updates can only come from the authors of GameWarden because they use hard-coding instead of a database. So if someone were to bring in the latest gaming craze, chances are GameWarden wouldn't detect it, unless their updates were frequent and timely - and GameWarden hasn't been updated in close to a year.

Another thing to note is that GameWarden is blind without its client. If your users discover you're using GameWarden and understand how it works, they can prevent the client from loading. If so, their gameplay would go totally undetected.

GameWarden does have some decent reporting functions. It makes it easy to see who has been playing listed games and for how long. Popular games and popular times of day are other reports available. A nice enhancement would be for GameWarden to determine if the users in your company were playing multiuser games against each other or against Internet opponents.

The underlying functionality of GameWarden is quite sound. But without timely updates its use is limited. The local administrator either needs to be given the capability to add new game definitions, or game updates to GameWarden need to be released more frequently.

Surfing sheriffs

Our next category of products looks at where users are Web surfing and what services they are using at those sites. At a minimum, they provide the telltale signs of who's been where. In some cases they can even prevent unauthorized or unproductive use.

First up is SuperScout, by surfControl. SuperScout runs on NT servers and workstations. SuperScout tracks what sites users are surfing to, tracks the types of traffic they are generating and can block users from sites deemed inappropriate.

SuperScout pulls user names from NT domains and Novell Directory Services trees and matches them to users' workstations. The administrator can create subnets or domains to aid in tracking sites and users. If more group definitions are needed, you can create user groups separate from those found in your network structure. This gives you the granularity you may need if you have overlapping groups of users or groups who have been granted exceptions. Security and blocking are handled with a rules-based engine. The administrator can set up a hierarchy of allow-or-deny rules that scrutinize who can go where and when, and who to notify if a rule is breached.

SuperScout is optimized to help get a handle on your staff's Web surfing. But it can easily be adapted to look at virtually any TCP/IP service. For example, it's easy to create a rule to allow Web surfing to a particular site but disallow FTP access. If a user tries to FTP to that site, it will be blocked by surfControl.

A subscription service is also available from surfControl to automatically classify and update sites and the categories they fall into. This lets surfControl worry about what is an adult site and what isn't. Just create a rule to block the category and be done with it. surfControl staff look at the sites to categorize them. For example, a medical site containing the word "breast" would probably not be considered a "vulgar" site. If you still want some control over site categorization, you can create more categories.

Also, the Web4Business list helps categorize businesses by industry. For example, you could allow free browsing to other businesses within your industry, but block access to other types of sites.

Notification of infractions can be accomplished using Simple Mail Transfer Protocol mail. There are seven variables that can be inserted into the message body to give the administrator a quick idea of what the problem is. For example, you could have an antiporn rule that would send an e-mail that says "at [time, username] accessed porn at [site] from [workstation]."

SuperScout doesn't have a Web interface, nor can it show statistics in real time. But the powerful reporting tool makes up for it. Many predefined reports can help you see how the network is being used, and for what purpose. Some reports are tabular, such as a list of all the sites accessed; others are graphical, such as the top 10 sites visited according to frequency.

The reporting engine is also very flexible in creating custom reports. Whether it's by time, by group of users, by site or another category, within a few mouse clicks an informative report is just around the corner.

Making WebSense

Our next surf snooper is WebSense for Microsoft Proxy Server, by WebSense. WebSense is a plug-in for Microsoft Proxy Server that enhances its functionality by restricting and/or reporting the traffic passed by the Microsoft Proxy Server.

WebSense maintains a categorized database which is periodically updated. While it contains a vast number of sites (well into the thousands), administrators can add their own sites or categories.

When defining categories, there are the mundane permit and block options. WebSense also has built in two other options: "defer to AfterWork" and "defer to AfterWork/continue."

A category listed as "defer to AfterWork" will inform the employee that the site is restricted, but it grants the option of postponing viewing. If the employee agrees, the program connects him or her to the AfterWork.com site, where the URL can be stored and retrieved at a later time. AfterWork.com, a portal site launched by WebSense, has individual logons where a user can store and organize any number of URLs. The site is available for free and doesn't have to be used in conjunction with WebSense, making it easy for an employee to access stored URLs from http://home.

The "continue" option warns the user that the site is restricted but will let him or her continue viewing the site for work-related purposes. In addition, there is an administrator-specified timeout for how long the employee can continue to view the site before it's blocked. A good example would be weather-related sites - you don't want your users browsing there all of the time, but letting them quickly scan a forecast wouldn't hurt.

WebSense also categorizes sites via keyword scanning in the URLs. It would be possible to leave a category unblocked but use the keywords to catch exceptions. For example, you might be willing to let your employees browse government sites, but you don't want them going to the Internal Revenue Service site to download tax forms. You can simply add a blocking keyword of "IRS" to the government category. You would need to be careful if a word like "sex" was included in certain URLs, such as "Middlesexnews.com."

These category definitions can then be used to create policies. A policy simply states a time interval and days of the week that a particular category is in force. There can be multiple definitions active in any policy. For example, it is easy to allow browsing to sports sites over the lunch hour, but block them during normal work hours.

These policies are tied to workstations that use the proxy server. The administrator can tie a policy to an NT domain defined group or to an individual user. Workstations or entire networks can also be set up to use specific policies. Finally, a default policy is in place for objects that don't fit any of these groups.
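The policy model just described (categories in force by time of day and day of week, policies bound to users, NT groups, workstations or networks, and a default for everything else) is easier to reason about in code. The block below is an added example, not WebSense code; the users, groups, addresses and the "sports at lunch" policy are constructed, and the precedence order user > group > workstation > network > default is an assumption.

```python
"""Policy selection and time-window evaluation modelled on the WebSense
description above. Example code added for illustration; not WebSense's own.
"""
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network
from typing import FrozenSet, Tuple

WEEKDAYS = frozenset(range(5))      # Monday = 0 ... Friday = 4
EVERY_DAY = frozenset(range(7))


@dataclass(frozen=True)
class Rule:
    category: str       # "*" matches any category
    days: FrozenSet[int]
    start_hour: int     # inclusive
    end_hour: int       # exclusive
    action: str         # permit, block, defer (to AfterWork) or continue

    def applies(self, category: str, when: datetime) -> bool:
        return (self.category in ("*", category)
                and when.weekday() in self.days
                and self.start_hour <= when.hour < self.end_hour)


# A policy is an ordered rule list; the first matching rule wins and a
# category no rule mentions is permitted. All entries are constructed.
POLICIES = {
    "office": [
        Rule("sports", WEEKDAYS, 12, 13, "permit"),     # lunch hour
        Rule("sports", WEEKDAYS, 8, 18, "block"),       # rest of the working day
        Rule("weather", EVERY_DAY, 0, 24, "continue"),  # quick look, then timed out
        Rule("shopping", WEEKDAYS, 8, 18, "defer"),     # park it on AfterWork
    ],
    "kiosk": [Rule("*", EVERY_DAY, 0, 24, "block")],
    "unrestricted": [],
}
DEFAULT_POLICY = "office"

# Bindings, most specific first: user, NT group, workstation, network (assumed order).
USER_POLICY = {"alice": "unrestricted"}
GROUP_POLICY = {"Marketing": "office"}
WORKSTATION_POLICY = {"10.0.1.15": "kiosk"}
NETWORK_POLICY = [(ip_network("10.0.0.0/16"), "office")]


def select_policy(user: str, groups: FrozenSet[str], workstation: str) -> str:
    """Pick the policy bound to the most specific object the request belongs to."""
    if user in USER_POLICY:
        return USER_POLICY[user]
    for group in groups:
        if group in GROUP_POLICY:
            return GROUP_POLICY[group]
    if workstation in WORKSTATION_POLICY:
        return WORKSTATION_POLICY[workstation]
    addr = ip_address(workstation)
    for network, name in NETWORK_POLICY:
        if addr in network:
            return name
    return DEFAULT_POLICY


def evaluate(policy: str, category: str, when: datetime) -> str:
    """Action for one category under one policy; first matching rule wins."""
    for rule in POLICIES[policy]:
        if rule.applies(category, when):
            return rule.action
    return "permit"


def decide(user: str, groups: FrozenSet[str], workstation: str,
           category: str, when: datetime) -> Tuple[str, str]:
    """(policy name, action) for a browsing request routed through the proxy."""
    policy = select_policy(user, groups, workstation)
    return policy, evaluate(policy, category, when)


if __name__ == "__main__":
    lunch = datetime(2000, 5, 29, 12, 30)    # a Monday, constructed timestamp
    print(decide("bob", frozenset({"Marketing"}), "10.0.1.20", "sports", lunch))
```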

The WebSense Reporter (a separate application that works with other WebSense programs) comes with a large number of predefined reports and graphs. Some are detail-oriented, while others summarize events. If information about a particular user's browsing habits is needed, it's easy to specify the user and the date range to produce a history of where they've been. Other noteworthy reports are top sites and categories, times and bytes transferred, and reports for uncategorized or unknown sites.

Overall, WebSense is a powerful and easy-to-use package. It extends the capabilities of the Microsoft Proxy Server and provides some useful reports.

Watching the traffic

The last two products in this category are by Elron Software. Internet Manager watches traffic moving across a specific segment on your network, presumably the segment nearest to your Internet connection. Message Inspector watches e-mail and news traffic as well as FTP and telnet, and pays special attention to content.

Internet Manager is able to log or block traffic based on policies created by the administrator. These policies can be based on any combination of user name or group, workstation address and time of day. Currently, Internet Manager can tie into an NT domain to query user names. There is also an agent that can be installed on user workstations to mandate that browsing will occur with an authenticated connection. In other words, if this mandate is set, it defeats the anonymous browsing that is otherwise possible by simply bypassing the logon prompts on a Windows 95 machine. But Internet Manager will work fine without this agent.

Internet Manager takes a slightly different approach to managing sites. It doesn't use preconfigured site lists, but relies totally on dictionaries containing inappropriate words or phrases. The list is categorized into each dictionary, such as one for sexual content, one for sports, one for gambling and so on.

Internet Manager not only scans the URL, but also any Common Gateway Interface (CGI) parameters included. It can be configured to automatically block sites that contain words and phrases found in its dictionaries. It will then send a notification to the administrator about the action it has taken. Also, the administrator is free to interactively block or unblock sites that scroll across the real-time monitor screen.

In addition, four different dictionaries can be identified to provide special on-screen notifications by having the activity highlighted in a particular color and possibly playing a .wav file to go with it. This makes it very easy to see from across the room when a particular dictionary has caught an infraction.

An interesting caveat to the dictionary approach: As we were trying to trigger rules in the stocks dictionary, we were amazed to see www.etrade.com flagged as a sexual content site, and immediately blocked. After further review, the solution became obvious: E*trade uses "xxx" as empty values in its CGI calls. You guessed it: "xxx" is a phrase in the sexual content dictionary. A quick "unblock" of E*trade fixed the problem. But this shows that you have to be careful about what you put into your dictionaries. Of course, if your climate is more temperate, Internet Manager could have been configured to simply warn the administrator of this condition and not automatically block the site.
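Both the "Middlesexnews.com" warning in the WebSense section and the E*trade "xxx" incident above come from the same mechanism: keyword dictionaries matched against URLs and their CGI parameters. The added example below (not code from Internet Manager or WebSense) reproduces both false positives with a naive substring scan, then shows the two remedies an administrator has, whole-token matching and an explicit unblock list; the dictionaries, URLs and unblock list are constructed for the demonstration.

```python
"""Dictionary-based URL screening: substring versus whole-token matching, plus
an unblock list for reviewed sites. Example code added for illustration.
"""
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed dictionaries in the Internet Manager style: category -> trigger words.
DICTIONARIES = {
    "sexual": {"sex", "xxx", "porn"},
    "stocks": {"quote", "stock", "trade"},
    "government": {"irs"},
}

# Hosts the administrator has reviewed and unblocked, as with E*trade in the text.
UNBLOCKED_HOSTS = {"www.etrade.com"}


def _split(url: str):
    return urlsplit(url if "://" in url else "http://" + url)


def naive_hits(url: str) -> dict:
    """Substring scan of the whole URL: the behaviour that flags middlesexnews.com."""
    lowered = url.lower()
    hits = {}
    for category, words in DICTIONARIES.items():
        found = sorted(w for w in words if w in lowered)
        if found:
            hits[category] = found
    return hits


def tokens_of(url: str) -> list:
    """Break host, path and CGI parameters into whole tokens. Query values are
    kept as their own tokens so a parameter such as acct=xxx stays visible."""
    parts = _split(url)
    pieces = re.split(r"[^a-z0-9]+", parts.netloc.lower())
    pieces += re.split(r"[^a-z0-9]+", parts.path.lower())
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        pieces += [key.lower(), value.lower()]
    return [p for p in pieces if p]


def token_hits(url: str) -> dict:
    """Whole-token matching: 'sex' no longer fires inside 'middlesexnews', but a
    CGI value that is exactly 'xxx' still does, as it did for E*trade."""
    toks = set(tokens_of(url))
    return {c: sorted(words & toks) for c, words in DICTIONARIES.items() if words & toks}


def decide(url: str, blocking: set) -> tuple:
    """(action, hits): 'allow' for unblocked hosts, 'block' when a blocking
    dictionary fires, 'warn' when only a notify-only dictionary fires."""
    hits = token_hits(url)
    if _split(url).netloc.lower() in UNBLOCKED_HOSTS:
        return "allow", hits
    if any(category in blocking for category in hits):
        return "block", hits
    return ("warn" if hits else "allow"), hits


if __name__ == "__main__":
    for sample in ("www.middlesexnews.com",
                   "www.etrade.com/cgi-bin/quote?symbol=xxx&acct=xxx"):
        print(sample, naive_hits(sample), token_hits(sample), decide(sample, {"sexual"}))
```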

Internet Manager has its own Web server and provides a Web interface to do remote administration and reporting. It's a very nice interface, which rivals the real-time monitor in functionality. In fact, the only function that the Web interface does not seem to have is the scrolling site list. The one drawback is that Internet Manager won't use any existing Web server that is on the machine. It wants to serve up its own HTML, so you need to take care that any other Web server ignores the Internet Manager port.

The reporting features of Internet Manager are also impressive. Reports can be broken out by user, site, time of day, protocol (for example, HTTP, FTP or telnet) or the dictionary that caught the infraction. Graphs of popular sites, most frequently used dictionaries and others are also available. Perhaps as a future enhancement, Internet Manager will be able to generate these reports on a scheduled basis and mail them. Currently, they are generated on demand through the Web interface, where they can be printed.

Internet Manager is an effective and easy-to-use tool. Once you get into the mindset of using dictionaries instead of site lists, it becomes easy to create policies to effectively screen unwanted content.

Looking at e-mail

The next product is Elron's Message Inspector. Primarily a tool to scan e-mail and news messages, it can also watch FTP sessions. Depending on how Message Inspector is used on your network, it can simply generate reports, or take a very active role in managing content. If it can see the network traffic nearest your Internet connection, it can effectively monitor all SMTP and news messages coming into your company. However, if Message Inspector is given two network interfaces and configured to forward messages, it becomes much more powerful, as we'll detail below.

Message Inspector is configured through a Java-enabled browser. But if you elect to install the client locally on your machine, it will install a Java Virtual Machine for you to run without a browser. The upside is that the local administration and the Web administration are identical. However, the interface isn't as glamorous as you have come to expect from traditional Windows-specific program interfaces. This doesn't mean that the functionality isn't there - it just isn't as pretty.

Message Inspector, like Internet Manager, relies on dictionaries. These basically list keywords that can be used to identify inappropriate message traffic. One of the predefined categories is "confidential." This category can be used to hold project code words, trademark names or other information. Message Inspector can then be set to watch for these words and phrases to make sure no one is leaking information. Of course, Message Inspector can watch for the standard fare of sexually explicit words, sports, gambling or drug terms, and so forth. These filters are used in conjunction with time of day, addresses and user names to create policies.

Once it's found the offending words, Message Inspector can log the event, redirect it, reject it, notify the administrator or send it. But if you configured it with two interface cards, Message Inspector can do much more. The program can still pass and log messages, but it also now can block or redirect messages. The messages could first be sent to an administrator for approval, then delivered as normal later.

Message Inspector can also block certain file types. If you have no use for .jpg or .gif files at your company, it's easy to create a policy that looks for message attachments with those extensions, news messages with those contents or even FTP sessions.

One very attractive feature of Message Inspector is its spam filter. Message Inspector has a predefined filter list that can catch most of the spam traffic out there. The administrator can decide to delete the messages entirely, or the subject lines can be prefixed with the word "spam," for example. Because some employees may have a use for certain spam messages, this feature gives the administrator flexibility to warn without deleting these types of messages. Furthermore, you could attach a warning that says "Danger! Virus potential!" to .vbs files, which were used in the recent LoveLetter virus attacks.
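A mail-policy pass in the style just described, as an added example that is not Message Inspector's own code: a message is parsed, its subject is prefixed with "spam" when a filter phrase matches, and a .vbs attachment earns the "Danger! Virus potential!" warning rather than causing the message to be dropped. The spam phrases, the warning policy and the sample message are constructed.

```python
"""Subject tagging for spam and risky attachments, using the standard email
package. Example code added for illustration; not from Message Inspector.
"""
from email import message_from_string, policy
from email.message import EmailMessage
from typing import List

SPAM_PHRASES = {"make money fast", "act now"}   # constructed filter list
WARN_EXTENSIONS = (".vbs",)
WARNING = "Danger! Virus potential!"


def build_sample(subject: str, body: str, attachment: str = "") -> str:
    """Construct a test message as raw RFC 822 text (constructed sample data)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.test"
    msg["To"] = "user@example.test"
    msg["Subject"] = subject
    msg.set_content(body)
    if attachment:
        msg.add_attachment(b"MsgBox \"constructed\"", maintype="application",
                           subtype="octet-stream", filename=attachment)
    return msg.as_string()


def is_spam(msg: EmailMessage) -> bool:
    """Phrase match over subject and plain-text body, as a spam filter list would."""
    text = str(msg["Subject"] or "").lower()
    body = msg.get_body(preferencelist=("plain",))
    if body is not None:
        text += " " + body.get_content().lower()
    return any(phrase in text for phrase in SPAM_PHRASES)


def risky_attachments(msg: EmailMessage) -> List[str]:
    """Attachment names whose extension is on the warning list."""
    names = [p.get_filename() or "" for p in msg.iter_attachments()]
    return [n for n in names if n.lower().endswith(WARN_EXTENSIONS)]


def apply_policy(raw: str) -> EmailMessage:
    """Parse the message and rewrite its Subject with the tags the policy calls for.
    Nothing is deleted: the administrator chose to warn rather than drop."""
    msg = message_from_string(raw, policy=policy.default)
    tags = []
    if is_spam(msg):
        tags.append("spam")
    if risky_attachments(msg):
        tags.append(WARNING)
    if tags:
        original = str(msg["Subject"] or "")
        del msg["Subject"]
        msg["Subject"] = " ".join(f"[{t}]" for t in tags) + " " + original
    return msg


if __name__ == "__main__":
    sample = build_sample("Check this out", "Act now and open the attached file.",
                          "greeting.txt.vbs")
    print(apply_policy(sample)["Subject"])
```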

Message Inspector also has nice reporting features. It can report on broken policies, times of day, particular addresses and particular users. Graphs can also be generated and archived.

One minor drawback is that Message Inspector has no real-time monitor. Reports can be generated quickly, but if there's one thing administrators like, it's up-to-date information.

Checking the wire

The last category contains products that dig a little deeper. After using them for a while, one gets the sense that they were made by folks who have spent a lot of time in wiring closets sniffing packets.

The first product in this category is LittleBrother Pro, by LittleBrother Software. As the name implies, it's always watching. LittleBrother Pro installs very quickly on any Windows platform, either as a single stand-alone installation, or in a client/server setup where the data is collected and stored on one machine and management and reporting take place on another. The single-machine configuration is recommended during the installation. A version of the Apache Web server is included if the machine doesn't have a Web server to run LittleBrother Pro's Web interface.

As with most products of this type, it must be installed at the appropriate place on your network to see and capture the relevant data - presumably as close to your Internet connection as possible. In addition to TCP/IP, LittleBrother Pro can also be configured to monitor IPX and AppleTalk protocols. And, while the default setup monitors all traffic, LittleBrother Pro can be set to only watch Web traffic.

Out of the box, LittleBrother Pro watches and listens. It also has many useful reports available. For example, it can generate reports or display in real time your "top talker" - the user and workstation generating the most traffic. In addition, that information can be broken down into which sites he or she is trying to visit, and what services are employed (telnet, FTP or Web protocols). To complement this, there is also a "top sites" report that shows the company's favorite hangout and who is frequenting it. This information can be detailed according to time connected or data transferred.

LittleBrother Pro also rates the sites and services into four basic groups: neutral, productive, unproductive and not rated. Not rated is self-explanatory, but usually involves protocols or sites that LittleBrother Pro has no knowledge of, such as your local servers. The other three ratings are somewhat subjective, depending on your business. For example, out of the box, an attempt to browse www.weather.com would log an unproductive hit in LittleBrother Pro's databases.

There are numerous site categories defined in LittleBrother Pro's databases. A few examples are business, computing and science, all rated productive; politics, humor and entertainment, all rated unproductive; and education, health and law, all rated neutral. Within these categories are hundreds of predefined sites. As the administrator, you are free to change the ratings of these groupings. For example, if you are an investment firm, you may wish to change "money/investment" from its default unproductive status to productive.

As new sites are discovered, LittleBrother Pro can be configured to either notify the administrator, or attempt to automatically categorize the site and report its efforts.

LittleBrother Pro can also be thrust into the role of traffic cop. Although not active out of the box, several optional rules can prevent access to various sites and services. A good example is the "block sports" rule that prevents all traffic to sites grouped in the unproductive sports category. There are also rules to block services, such as chat or telnet, instead of the sites to which they are connecting. The rules can act on individual users or groups of users and can be set to be active in one-hour increments.

Multiplayer game traffic also doesn't get by LittleBrother Pro. It recognizes traffic from popular network games and rates this type of traffic as unproductive. Using the real-time monitor, it's easy to see how much bandwidth is being used not only by games, but by streaming media applications, too. For example, it could look for well-known Napster ports, or look for connections to the main Napster servers. The real-time monitor is a very handy tool that can be used to keep tabs on your high-traffic users or popular sites. It updates itself every few seconds.

The administrator is free to create customized rules, user groups, site categories, reports and ratings. In addition, most of the settings are customizable, although the default categories cannot have their original contents changed or be deleted. However, LittleBrother Pro can be configured to receive updates to the categories on a regular basis.

Finally, Little Brother's Web interface is very easy to navigate. The interface is password-protected, just like the desktop application. It is mainly a reporting tool, however. If you need to make any changes to the behavior of LittleBrother Pro, you need to fire up the desktop client.

Extreme traffic cop

Our final product is TrafficMax by IntelliMax Systems, which runs on any Windows platform. It makes the administrator add the services manually, but the install is still a 5-minute exercise. As with most products of this type, TrafficMax can only report on what it sees. The more segments you need to watch, the more places you'll need to deploy part of TrafficMax.

TrafficMax deploys across the network using agents, as opposed to a complete and separate install at various spots. Each agent collects the same information and enforces the same policies. But the agents can all be controlled and managed from a central administration console, which by default is the first installed machine.

If you like to have as much information as you can squeeze onto a screen, TrafficMax will be your best friend. There are a plethora of graphs available, each updated in real time. Various graphs target specific layers, such as packet details and types, Ethernet details, TCP/User Datagram Protocol (UDP) statistics, and so forth. Charts are also available detailing specific values. Each can be generated according to traffic, access time and so on. The available graphs have details that are available with a double-click of the mouse. Each of these informative displays is printable.

In addition, reports can be scheduled to run on daily, weekly or customized intervals. The results can be stored or sent out via e-mail. The file formats include HTML, comma-separated value or .bmp and .jpg.

TrafficMax can also be configured to watch for threshold values when collecting these statistics. For example, finding a duplicate IP address may be a source of concern, such as a misconfiguration or a potential spoofer. TrafficMax can send an SNMP trap, alert the administrator with a page, send e-mail and even create entries in the NT event logs. TrafficMax also has the ability to block connections to sites and resources deemed inappropriate. It also employs the use of categorizing sites into groups. As with most products, the groups and categories defined by IntelliMax cannot be modified. But they can be updated automatically at specific intervals, manually, or not at all. Of course, you are free to create your own groupings and categories, even referencing those created by IntelliMax.

Blocking policies can be created using these groupings, individual sites or network ranges. The action can be to block or simply log the event. Specific ports or services can be named, and policies can also be set for certain times of the day. Another interesting feature is the ability to block based on the direction of traffic. For example, you may wish to block inbound requests but allow outbound requests. However, one drawback is that you cannot create a policy that will follow a user from workstation to workstation.

TrafficMax puts a lot of information at your fingertips. In fact, if you open up all the windows that are available, you could easily suffer from information overload. Luckily, the screens are very configurable. Since TrafficMax goes to the trouble of creating HTML files and Web-friendly graphics, it would be nice to see them create a Web interface, at least for reporting.


Berkley is the LAN Support Supervisor at Computing Services for the University of Kansas. He can be reached at berkley@ukans.edu




Copyright, 1994-2006 Network World, Inc. All rights reserved.