There's only one way to find out if the acceptable-use policies you've implemented are doing any good: Monitor what your users do. And if you want to enforce the policies, you'll need to block unauthorized Internet and intranet access.
We looked at seven products designed to monitor and block user access to Web sites, Internet file archives, newsgroups and other Internet resources. Beyond monitoring and blocking, the products also generate usage reports that can help you with capacity planning. In our tests, a beta version of SessionWall-3 Release 3.0 from AbirNet scored the highest, earning our Blue Ribbon Award, and Little Brother Pro 3.0 from Kansmen placed a close second. Both products feature comprehensive monitoring and reporting capabilities. SessionWall-3's in-depth blocking ability gave it a slight edge over LittleBrother Pro. SessionWall-3 does more than just monitor your Internet connection, it also detects denial- of-service attacks, including Ping of Death and WinNuke; intrusion attempts such as File Transfer Protocol (FTP) server attacks and attempts to read Web server directories; viruses attached to e-mail messages, Java applets and ActiveX components; and protocol abuse. SurfWatch Professional Edition 2.0 from SurfWatch Software and WebSense for Windows NT 3.1 from NetPartners Internet Solutions also offer comprehensive reporting and monitoring functions but trail the front-runners in other areas. SurfWatch lost points for subpar installation, inadequate documentation and its clunky interface; WebSense's score was hurt most by poor documentation. The other three products we tested - WizGuard Proxy Server 1.0 from WizGuard, SOS Pro 1.5 from Sterling Strategic Solutions and NNPro for Networks 2.0 from NetNanny Software International - have a lot of ground to cover before we would recommend any of them for a corporate network. WizGuard Proxy Server has limited features, and SOS Pro and NNPro for Networks are suitable only for very small networks because of their inherent architectures.Architecture strategies
The seven products we tested tackle monitoring and blocking three different ways. Those that use a packet analyzer configuration run on a computer attached to a network. But rather than having network requests pass through them, packet analyzers capture and analyze packets as they pass by on the network. Leading scorers SessionWall-3 and LittleBrother Pro operate this way. In a packet analyzer configuration, if a packet contains an unauthorized request such as a banned Web site, the program immediately replies to the packet's originator with a protocol exchange that terminates the transaction, effectively blocking the request. There are a couple downsides to this method. First, the packet analyzers can only "see" the network segment to which they are attached, requiring that a packet analyzer be placed on all segments of the network. In a switched network, packet analyzers must be placed on what is called the diagnostic or promiscuous mode port so all traffic can be seen. If the switch doesn't have such a port, the packet analyzer must be placed on the gateway machine. Second, the packet analyzers' platform must be powerful enough to process the captured network traffic at a high enough rate so transactions aren't missed. That said, even if one or two packets are missed, it's highly probable that a packet analyzer will detect and control the vast majority of transactions because most IP exchanges, such as browser and FTP requests, involve multiple exchanges. In a relay configuration, the second approach to monitoring, software sits between managed clients and the resources they are trying to access and operates like a simple proxy server or an add-in filter for dedicated proxy products. WebSense and WizGuard Proxy Server are proxy servers, although they're not what we'd call industrial-strength. SurfWatch integrates with proxy products such as Microsoft's Proxy Server, acting as an add-in filter. Deploying a relay architecture requires you to modify the proxy address settings of client browsers, which you can do with automatic configuration scripts or software distribution tools included in desktop management suites (NW, Aug. 17, page 33). It is vitally important that you reconfigure existing proxy servers so they won't accept requests directly from browsers, but instead allow connections only from the relay software. This action ensures that requests only flow from the browser to the relay software to the proxy server. A potential problem with relay configuration is that the process of accepting requests from clients, examining the requests, logging them and then passing the permitted requests to the Internet takes time and computing power. Processing overhead can significantly slow down user response. The third approach to monitoring requires modifying the client operating system or applications. SOS Pro and NNPro are based on such client-side modifications. It's the most basic architecture used for monitoring and blocking, but it's also the least satisfactory. Rollout costs are significant, and support overhead is high. And because the monitoring and blocking system works inside client software, there is the potential for a whole range of bugs and unpredictable interactions to cause problems. SOS Pro and NNPro require a mapped drive to a PC acting as the management system for a group of controlled users. That setup creates another weakness for these architectures - if you delete the mapping, management no longer works. For corporate IT purposes, relay and packet analyzer configurations are the most practical.Nuts and bolts
Beyond the way these products integrate with the network is the issue of how they actually monitor and block access. Once the software has fielded a request for a URL, for example, the URL must be compared to a list of sites. The request can be tracked or tracked and blocked. Given the increasing number of Web sites on the Internet, determining which sites should be blocked is not something you want to take on alone. SurfWatch supplies a database of URLs that are updated daily. SurfWatch will warn you if filters are more than 30 days old. SessionWall-3 uses a similar scheme (minus the out-of-date warning) that is available by subscription. You update SessionWall-3 and SurfWatch databases from their management interfaces but, unfortunately, neither automates the process. WebSense and LittleBrother Pro incorporate a database updating system as part of their management interfaces, and both can do it automatically. NNPro's URL database can be downloaded from its Web site through a browser and is updated twice monthly. Neither WizGuard Proxy Server nor SOS Pro offers a predefined list of URLs to be blocked. All the products with predefined databases allow you to customize their lists, but we found that locating inappropriate sites the vendors didn't include was a challenge. One way to identify unacceptable URLs is through independent ratings. SessionWall-3 and SOS Pro support blocking based on RSACi ratings created by the Recreational Software Advisory Council. However, because the RSACi rating scheme is used by only a small percentage of Web sites, its value is limited. Scanning for keywords in the URL and examining content are two other ways products identify undesirable sites, and they are methods that SessionWall-3, SurfWatch, SOS Pro and NNPro support. LittleBrother Pro performs only URL scanning, and WizGuard Proxy Server scans for pornography. However, while keyword scanning can help detect suspect words, it can't distinguish between inappropriate and legitimate sites, leading to overblocking. The technique may also block a page of results from search engines, even though the page contains links to permissible sites. You should make sure that all search engines you use are exempt from blocking.Managing the managers
How you configure and manage the product is a vital ease-of-use issue. WizGuard Proxy Server and SurfWatch provide only a Web management interface; NNPro, SessionWall-3, LittleBrother Pro and SOS Pro have only a management console. Only WebSense offers a console application and a Web management interface. We were surprised that not all products offer a Web management interface, and the interfaces in those that do were unsophisticated. This is an area in which all the vendors need to do some work. Like administration, reporting features vary widely among the seven products. SessionWall-3, LittleBrother Pro, SurfWatch and WebSense offer excellent reporting, whereas NNPro and WizGuard Proxy Server only display raw log data, with no analysis features. At the bottom of the scale is SOS Pro, which reports only the browsing activities of users running its bundled but primitive Web browser. With the exception of NetNanny's NNPro, installing these products was fairly straightforward. NetNanny supplied a beta version that was poorly documented, but once we involved a technical support engineer, installation proceeded more smoothly. Although you may balk at yet another network management tool, monitoring and blocking are services you really should consider. Even if you never look at the logs, telling users that you can see exactly where they go encourages them to obey your acceptable-use policies. RELATED LINKSGibbs can be contacted at mgibbs@gibbs.com; his Web site is at gibbs.com.
Enterprise Monitoring and Blocking: How Sequel Technologies Net Access Manager can help solve your monitoring woes. Network World, 10/5/98
NetBoy suite earns praise in net monitoring market:
Creating acceptable-use policies:
SeNTry eases net watching:
Eye on 'Net users:
The Recreational Software Advisory Council's Internet rating systems
Network World Fusion Focus on Windows NT, 8/11/98.
Network World, 7/6/98
Network World, 6/1/98
When intranet users begin indiscriminately surfing the World Wide Web, you'll want a tool for monitoring their Internet usage. Network World, 5/25/98
