VERBOSE network monitoring solution (everybody's experience is needed, please)

Posted on 2011-05-12
Medium Priority
Last Modified: 2013-12-06
Hello everybody,

I'm newly hired at a new company (hence a new network), and I've been assigned the task of implementing a very verbose monitoring system. The thing is, I don't have much experience in that field, and I don't know what to search for, because it's not an IDS or IPS:

1. We need a program/system to monitor a specific user's traffic: I want to know every URL he goes to, every system he logs in to; I even want to know if he pinged a specific IP!!

2. Same as "1", but for all our users.

3. We need a monitoring system to log everything going on on the network, of course based on IP/MAC/etc., source to destination, and time/date.

4. We need a program/system to be a centralized location to collect all our Windows client logs, Windows server logs and SQL Server logs, and display them in a more proper manner than the built-in Windows Event Viewer.

- We are in a Windows Server 2008 / Windows 7 environment.
- All our switches are Cisco 3560, so I can do port mirroring if needed.

I know I may sound insane, but please, I need everybody's experience. Thank you in advance :)
Question by:a77
LVL 17

Expert Comment

ID: 35748908
1) You are not into monitoring by definition. You will be more or less spying on users. Get some spyware, which is available on the market. In a simpler sense, NetFlow will tell you which IP is going where and using which protocol, proxy servers will give you a detailed log of which web sites the user(s) are visiting, and spyware will tell you what the user is typing on their m/c. :) :)
We cannot recommend spyware on EE.

2) Covered above.

3) You need to log everything???? HMMM.......... It's weird. Anyway, get a free syslog server (e.g. Kiwi Syslog Server) and enable syslogging on the networking devices. If you log "everything", in a few days you will be running out of space. Make sure you clean the logs frequently. People log ONLY what they need, so you should be consulting someone about what to log.

4) I have no idea; you have to wait for some Windows experts. I am not very familiar with Windows.

LVL 12

Accepted Solution

Craig Bowman earned 1000 total points
ID: 35748990
Sounds like you need an all-in-one keylogger to me. You have mentioned most of the things a good keylogger will do.

If you are in fact looking into monitoring the files captured by this type of logger, I would recommend software from http://www.relytec.com/. You can install it on a central machine and look through the logs of any machine it is put on via network share, FTP, etc.

Either way you go, that kind of solution is going to take up a lot of space when saving the data from that many people, and you might want to hire someone else just to sift through the data :)

Author Comment

ID: 35750190
surbabu, honestly, we got hacked 2 times from the internal network, so we are now in getting-crazy mode :)
So we are investigating now and we need to monitor any new attempts, but I think what I'm asking for is a traffic analyzer, like the way IDSs work: it reads all the traffic from a mirrored port and analyzes it.

cbowman92: I think we will use keyloggers on our main suspects, but I'm not comfortable with it; it sounds like a final solution if nothing else worked.

LVL 17

Assisted Solution

surbabu140977 earned 1000 total points
ID: 35752944
Got hacked internally?????? Analyzing traffic would be no help then. If someone is hacking from inside, you can hardly do anything. That's why a proper security plan with IDS/IPS should be there. There are no tools that will assist you in this.
You got hacked, that's fine, but how can you be sure that the guy(s) did not steal credentials to hack? No monitoring would help then.

1) Proper user authentication/authorization access needs to be done. (TACACS/RADIUS)
2) Put the spyware in to track who is doing what. (This is impractical for a large number of users.)
3) NetFlow will only tell you who accessed what.
4) Most internal hacks happen by exploiting social loopholes and insecure administration.
5) Implement domains and disable the external USB/DVD/CD so users won't be able to run executables.
6) Lastly, you should know which employees have the capabilities, so monitor them with spyware or cbowman's recommendation.
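The "NetFlow will tell you which IP is going where and using which protocol" point from the first expert comment, and item 3 above ("NetFlow will only tell you who accessed what"), as an added worked example that is not from either expert or from any product mentioned in the thread: a Python parser for the standard NetFlow v5 export datagram layout (the format the Cisco switches in the question can be made to export to a collector), run over constructed sample records rather than a real capture, that summarizes per-source destinations and byte counts. The addresses are assumed private/documentation ranges.

```python
import socket
import struct
from collections import defaultdict

# NetFlow v5: 24-byte header followed by `count` 48-byte flow records, big-endian.
HEADER_FMT = "!HHIIIIBBH"
RECORD_FMT = "!4s4s4sHHIIIIHHBBBBHHBBH"
HEADER_LEN = struct.calcsize(HEADER_FMT)   # 24
RECORD_LEN = struct.calcsize(RECORD_FMT)   # 48
PROTO = {1: "icmp", 6: "tcp", 17: "udp"}

def build_record(src, dst, sport, dport, proto, pkts, octets):
    """Constructed v5 record (sample data, not a capture). Field order follows RECORD_FMT."""
    return struct.pack(RECORD_FMT, socket.inet_aton(src), socket.inet_aton(dst),
                       b"\0\0\0\0", 1, 2, pkts, octets, 0, 0, sport, dport,
                       0, 0, proto, 0, 0, 0, 24, 24, 0)

def build_export(records):
    """Constructed v5 export datagram: header with version=5 and record count."""
    return struct.pack(HEADER_FMT, 5, len(records), 0, 0, 0, 0, 0, 0, 0) + b"".join(records)

# For ICMP flows, v5 exporters place type*256+code in the dst port field; 2048 = echo request (a ping).
SAMPLE_EXPORT = build_export([
    build_record("10.0.0.5", "198.51.100.10", 50000, 80, 6, 12, 4800),   # web request
    build_record("10.0.0.5", "10.0.0.1", 0, 2048, 1, 1, 84),             # ping to gateway
    build_record("10.0.0.7", "10.0.0.20", 51000, 3389, 6, 200, 65000),   # RDP session
])

def parse_netflow_v5(datagram):
    """Decode one export datagram into a list of flow dicts; rejects other versions and short data."""
    version, count = struct.unpack_from("!HH", datagram, 0)
    if version != 5:
        raise ValueError(f"unsupported NetFlow version {version}")
    if len(datagram) < HEADER_LEN + count * RECORD_LEN:
        raise ValueError("truncated export datagram")
    flows = []
    for i in range(count):
        f = struct.unpack_from(RECORD_FMT, datagram, HEADER_LEN + i * RECORD_LEN)
        flows.append({"src": socket.inet_ntoa(f[0]), "dst": socket.inet_ntoa(f[1]),
                      "sport": f[9], "dport": f[10], "proto": PROTO.get(f[13], str(f[13])),
                      "packets": f[5], "bytes": f[6]})
    return flows

def summarize_by_source(flows):
    """Per source host: the set of (dst, proto, dport) it talked to and total bytes sent."""
    summary = defaultdict(lambda: {"dests": set(), "bytes": 0})
    for fl in flows:
        summary[fl["src"]]["dests"].add((fl["dst"], fl["proto"], fl["dport"]))
        summary[fl["src"]]["bytes"] += fl["bytes"]
    return summary
```

This shows exactly what the experts mean by NetFlow's limits: it records who talked to whom, on which port and how much, but not URLs, logins or keystrokes; a real deployment would read the datagrams from a UDP socket on the collector port instead of SAMPLE_EXPORT.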



Author Comment

ID: 35753180
Well, it seems like NetFlow + a keylogger would be my best solution to monitor specific users.
Thank you guys, but one last question, cbowman: do you know if that "all-in-one keylogger" is detected by antivirus? If yes, do you know another one that's not?
Thank you surbabu ;)
