monitor network usage

Posted on 2005-03-11
Medium Priority
Last Modified: 2010-04-11
Greetings. I am an IT Specialist for a bank and my bank's auditors want us to be able to monitor network usage (i.e. who accesses what on our hard drives on our file servers [or similar]). We currently have no group policies (which we should). We have a "public" share on our file server which anyone w/ a PC at work can access and we have a private folder set up for each employee. VLANs would be difficult to implement because in our branch office people often wear different hats throughout the day. We would also like to monitor internet usage. Maybe my best bet would be to implement group policies.

With a Cisco PIX firewall, can you monitor and block internet usage based on IP/URL? If so, this would solve my internet usage issues.

Thanks for any help.

Question by:hptechnician
Assisted Solution

tmehmet earned 600 total points
ID: 13520969
You should be able to apply logging to the files and directories on your file servers. Within the local security policy for the server, there is an audit policy; within that you can log various kinds of access and events for both success and failure.

This may well fill up your logs so you need to keep an eye on it.

Your best bet for monitoring internet usage is to use a proxy server. It can not only make it much easier to control internet usage, it can provide a level of detail for activity beyond what the PIX can do. Also, if you try to log too much on the firewall, it will impact performance and may actually hurt internet access performance.

Re group policies, these are fine but I'm not sure if they will help your logging and monitoring requirements. It is used to control the 'environment' rather than monitor user activity.

Accepted Solution

Rich Rumble earned 400 total points
ID: 13521284
Turning on event logging on a Windows box is a very good idea. If people are connecting through your PIX or VPN, those logs are also valuable to have.
Here are some monitoring tools that may suit your needs:
http://www.ntop.org/overview.html (measures bandwidth usage by protocol) (Windows version here http://www.openxtra.co.uk/products/ntop-xtra.php )
http://www.kiwisyslog.com/ (log monitoring for your network gear and Windows logs; also see snare and others here http://www.kiwisyslog.com/links.htm )
http://www.snort.org/ (network intrusion detection)
http://www.microsoft.com/technet/prodtechnol/windows2000serv/maintain/monitor/03w2kadb.mspx (turn on event logging on M$)

A PIX has no way of blocking based on usage; you either allow or deny connections via a PIX.

Expert Comment

ID: 13521932
Auditors care more about data.
Concentrate less on traffic, more on controlling and tracking access to data, resulting in logs they can read.

Assisted Solution

tmehmet earned 600 total points
ID: 13522125
Consider taking logs offline (in near real time if possible). That way, if an attacker tries to cover their tracks, they modify local logs only, and if differences appear between local and remote, you know there's a problem. If you have a lot of servers, you'll probably do this anyway and use some sort of log correlation to keep an eye on things.

Also consider a file integrity checker; you can then mark files and directories for alerting when changes are made on 'critical' files. It's another level of auditing that can help immensely with forensics and investigations.

Combined with daily backups (allowing ability to track changes) of files and the suggestions/comments above, you can get a very good solution that will easily meet and exceed your auditor requirements.
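
The local-versus-remote log comparison suggested in the comment above, sketched as an added example (it is not code from this thread). It assumes each record starts with a unique numeric id followed by `|`; the record layout, host name and sample records are constructed for illustration.

```python
import hashlib

def digest(record):
    """SHA-256 of one record, so the two copies can be compared cheaply."""
    return hashlib.sha256(record.encode("utf-8")).hexdigest()

def index(lines):
    """Map record id -> digest. Assumed layout: '<id>|<rest of record>'."""
    out = {}
    for line in lines:
        line = line.rstrip("\n")
        if not line:
            continue
        rec_id, _, _ = line.partition("|")
        out[int(rec_id)] = digest(line)
    return out

def compare(local_lines, remote_lines):
    """Report where the server's own log disagrees with the forwarded copy."""
    local, remote = index(local_lines), index(remote_lines)
    return {
        # Forwarded earlier but no longer on the server: record was removed.
        "deleted_locally": sorted(i for i in remote if i not in local),
        # Same id, different content: record was edited after forwarding.
        "altered_locally": sorted(
            i for i in remote if i in local and local[i] != remote[i]),
        # Only on the server: may simply not have been forwarded yet.
        "not_yet_forwarded": sorted(i for i in local if i not in remote),
    }

# Constructed sample: copy held on the separate log host.
REMOTE_COPY = [
    r"101|2005-03-11 09:02:11|FILESRV1|jsmith|READ|D:\Public\rates.xls",
    r"102|2005-03-11 09:05:40|FILESRV1|adoe|DELETE|D:\Private\jsmith\notes.doc",
    r"103|2005-03-11 09:06:02|FILESRV1|adoe|WRITE|D:\Public\rates.xls",
    r"104|2005-03-11 09:10:17|FILESRV1|mlee|READ|D:\Public\forms.pdf",
]
# Constructed sample: the server's own log after someone edited it.
LOCAL_COPY = [
    r"101|2005-03-11 09:02:11|FILESRV1|jsmith|READ|D:\Public\rates.xls",
    r"103|2005-03-11 09:06:02|FILESRV1|jsmith|WRITE|D:\Public\rates.xls",
    r"104|2005-03-11 09:10:17|FILESRV1|mlee|READ|D:\Public\forms.pdf",
    r"105|2005-03-11 09:12:30|FILESRV1|mlee|READ|D:\Public\rates.xls",
]

if __name__ == "__main__":
    print(compare(LOCAL_COPY, REMOTE_COPY))
```

Only the first two categories indicate tampering; records in `not_yet_forwarded` become a concern if they are still missing from the log host after the forwarding delay has passed.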

Question has a verified solution.