Solved

High internet usage, need logging software

Posted on 2010-09-02
Last Modified: 2013-11-16
Hi Guys,

I want to install the latest Microsoft Forefront Threat Management mainly for logging web traffic. We are having many data usage issues at the moment and I want it to restrict certain traffic from leaving my network from specific users.

1. Will forefront proxy log all traffic going out of my network and report the usage?
2. What other cheaper products are there available?
Question by:ReinerWentzel
LVL 51

Expert Comment

by:Keith Alabaster
ID: 33588324
It reports the usage by site and by user. It does not log duration - it can't, as it has no idea how long you have stayed on the site. For example, you could open a page at 9 AM, switch straight to another application, then return to that browser window at lunchtime. The duration would read as three hours but the reality would be a matter of seconds.

No idea about cheaper products - this is the ISA and Forefront zone.

Keith
0
 
LVL 2

Author Comment

by:ReinerWentzel
ID: 33588445
But will ISA log all other traffic going out, even torrents not using the browser? Or viruses?
0
 
LVL 4

Expert Comment

by:EshuunDara
ID: 33589863
ReinerWentzel: That depends. In many environments, users aren't allowed to reach the internet directly. In this instance, if your Forefront server was the only IP that was allowed to get to the internet, and it is configured for logging, then your answer is yes.
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 33590848
Let's be clear on a couple of things. ISA will log all traffic - it has to in order to meet the EAL4+ accreditation requirements. However, there are caveats. For example, an SSL connection between a client and an external server. ISA will log the fact that an SSL session has been created but it obviously cannot then identify what traffic has gone across that link session as it is encrypted within the SSL tunnel. Forefront TMG IS able to break out that traffic as it has a new function called HTTPS inspection (although this has legal implications if used that need to be carefully thought through).

ISA logs traffic based on source and destination and by protocol. If you have used an authentication method for users (as opposed to the All Users option) then it will report the credentials of the user who used the traffic as opposed to just reporting the IP address of the client.

You can purchase GFI Webmonitor to install over the top of ISA if you want really in-depth reporting. Not that cheap but is certainly the best ISA reporting tool I have found.

Bandwidth Splitter is the additional product if you really want to get 'down and dirty' and start controlling by bandwidth quotas and the like.

Keith
0
 
LVL 2

Author Comment

by:ReinerWentzel
ID: 33599183
Thx for the advice. I have a trial of ISA 2004 that I would like to try. My plan is this: (please note the network is a mess at the moment and has no structure - the company does not have money at the moment for proper infrastructure - I just want to solve the data issues first) we have Windows 2000 Server (I know, very old lol) used as a file server only (no DHCP). I want to install ISA 2004 in cache mode only, and then redirect all internet options under proxy to the ISA server. Will this work, and does this mean the ISA is the only server allowed out of the network? Sorry, I am still new to ISA.
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 33599227
No, it just means that internal clients and servers make a session between themselves and ISA and ISA uses its IP address as the source when heading out to the next hop which is likely your firewall/external router.
0
 
LVL 2

Author Comment

by:ReinerWentzel
ID: 33606439
Hi Keith, I will respond to that question shortly and award points. Sorry, just been very busy :-) OK, so let's say I install 2 network cards in my Server 2000 box, with one going to my internal network and the other to my external ADSL modem, and install ISA 2004 on the Windows 2000 box. I then enable DHCP on my 2000 box so that clients use the internal card's IP as the gateway. And then enable the proxy in the internet options of each client. Will all traffic in and out be logged so I can trace where my internet cap is going? I don't care about detailed reports, all I want is source, destination, protocol and usage?
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 33606453
OK - ISA 2004 will give you source/destination/protocol, no issue. Bear in mind that if you want source by username you need to ensure users are authenticated. Using an All Users criteria in a rule will result in source logging by IP address, not user name.

Usage will be reported by traffic passing through the interfaces, not by time spent on a site as that is pretty much impossible for ISA. It has no knowledge of whether a person spends 50 minutes reading a web page or 10 seconds reading it (as no other traffic passes through its interfaces).

Keith
0
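To illustrate the source/destination/protocol/usage breakdown discussed above, here is an added example (not part of the original thread, and not ISA's own tooling) that totals bytes from a proxy log exported in W3C extended format. The column names (`c-ip`, `cs-username`, `r-host`, `cs-protocol`, `sc-bytes`, `cs-bytes`), the `anonymous` marker for unauthenticated requests and the sample lines are assumptions; match them to the `#Fields:` line of your own log.

```python
from collections import defaultdict

# Constructed sample log (tab-separated W3C extended format). Column names
# are assumptions; they must match the #Fields line of the real log.
SAMPLE_LOG = "\n".join([
    "#Software: constructed sample",
    "#Fields: c-ip\tcs-username\tr-host\tcs-protocol\tsc-bytes\tcs-bytes",
    "192.168.0.21\tCORP\\alice\tupdates.example.com\thttp\t5242880\t812",
    "192.168.0.21\tCORP\\alice\tmail.example.net\thttps\t20480\t4096",
    "192.168.0.37\tanonymous\tcdn.example.org\thttp\t73400320\t1500",
    "192.168.0.37\t-\tcdn.example.org\thttp\t10485760\t900",
    "192.168.0.44\tCORP\\bob\tnews.example.com\thttp\t-\t-",
])

def parse_w3c(lines):
    """Yield one dict per record, keyed by the latest #Fields directive."""
    fields = None
    for line in lines:
        line = line.rstrip("\r\n")
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].strip().split("\t")
        elif line and not line.startswith("#") and fields:
            values = line.split("\t")
            if len(values) == len(fields):  # skip truncated records
                yield dict(zip(fields, values))

def to_int(value):
    """Byte counters may be '-' when nothing was transferred."""
    return int(value) if value.isdigit() else 0

def source_of(rec):
    """User name when the request was authenticated, else the client IP
    (what a rule applying to All Users leaves you with)."""
    user = rec.get("cs-username", "-")
    return rec["c-ip"] if user in ("-", "", "anonymous") else user

def usage_by(records, key):
    """Sum bytes in both directions per key, largest consumer first."""
    totals = defaultdict(int)
    for rec in records:
        totals[key(rec)] += to_int(rec.get("sc-bytes", "-")) + to_int(rec.get("cs-bytes", "-"))
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)

if __name__ == "__main__":
    records = list(parse_w3c(SAMPLE_LOG.splitlines()))
    for name, total in usage_by(records, source_of):
        print(f"{name:20} {total / 1048576:8.1f} MiB")
    for dest, total in usage_by(records, lambda r: (r["r-host"], r["cs-protocol"])):
        print(f"{dest[0]:24} {dest[1]:6} {total / 1048576:8.1f} MiB")
```

Traffic that bypasses the proxy never appears in this log, so the totals are only complete when all clients are forced through it.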
 
LVL 2

Author Comment

by:ReinerWentzel
ID: 33606522
Thx for the response. Just to finalise everything. I will need two network cards for my setup? One for external and one for internal? I will need to point all clients to my ISA as their gateway? How will I restrict only the ISA to have access to the external network?
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 33606662
I don't understand your final point. What do you mean restrict access to the ISA? Why would you want to do that?
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 33606667
Yes for the network cards though and the gateway.
0
 
LVL 2

Author Comment

by:ReinerWentzel
ID: 33606731
What I mean is: allow only my ISA to have internet access. So this forces all clients to have the ISA as their gateway and this is the only way they can have internet access? This forces all traffic to go through the ISA server. I don't want a client or traffic not going through ISA, as this will obviously then not be logged by ISA.
0
 
LVL 51

Accepted Solution

by:
Keith Alabaster earned 500 total points
ID: 33606814
OK - I think I get your drift.

Think about protocols as opposed to ports.
Create a new protocol on the ISA 2004 server (or any version over ISA 2000 really) - call it 'transparent http' or 'pure-tcp80' or something similar. This is an outbound tcp port 80 to port 80, no secondaries.

Create a new access rule and place it above your normal outbound http/https rule along the following lines:

Rule name:  Block tcp port 80
Action:     Deny
Protocol:   transparent http (or whatever you called it)
From:       Internal
To:         External
Users:      All users

This will block tcp port 80 traffic and effectively cover ANY internal device that tries to get to an external web server directly, as opposed to the same access that is operating with the web proxy settings in place. Remember this will affect ANY device so you may need to put other rules above for appliances etc. that cannot operate with a proxy. Down to you to work out the right sequencing/order etc. but you will get the point.

Anyway, if the ISA is the default gateway, the traffic would have to go through ISA anyway but the above is good best-practice.

Keith

Make sure you close any existing open browsers on the PC before testing on a client. A browser only looks at the proxy the first time the browser is opened on a session.




0
