Ask Slashdot: Low-Cost Tools To Track Employees' Web Use?
First time accepted submitter red-nz writes "I come from New Zealand where new anti-piracy laws have come into effect that prosecute the owner of the internet connection for copyright violations. This is now a major issue for businesses, as they of course don't want to be liable for employee infringements. We have some good firewalls that are capable of doing basic filtering by 'category,' e.g. P2P sites, etc., but ideally would love to find a low-cost or even better Open Source alternative to expensive reporting tools (such as WebMarshal or Websense) that is capable of reporting on individual employees' usage with friendly reports (i.e. don't just show the URLs of the 3000 items their browser requested that day). It may be too much to ask but if the software could also show how long they spent on each site, it would be fantastic. Anyone got any winners out there they can share?"
A simple encrypted proxy or VPN over port 80 to home.
Do not look at laser with remaining good eye.
You don't even have to plug them in - just point them at each desk and make sure they have a little blinking red LED. Remind everyone in cubicleland to welcome their security-cam-wielding pointy-haired overlords.
First, condolences on those new laws.
I can’t recommend any software. I will say this kind of stuff sounds like the kind of stuff you pay through the nose for. I doubt any open source projects would form up to build such a tool (but always possible.. some people are unusual).
My first thought when putting myself in the shoes you describe, would be to transfer the liability. I guess it depends on how much money we are talking about when a copyright violation occurs. If you get sued, can you then sue the employee who did the infringing to recoup your losses? Can you put this in a contract? If so this is the approach I would take... and just do enough monitoring to link violation to violator.
Disclaimer: I’m a programmer, not a business manager and certainly not a lawyer.
Use squid and a squid log analyzer.
Since when did Ask Slashdot become a Google proxy? Sheesh.
Trolling is a art,
title says it all
Block everything except port 80 and 443.
If anyone needs any other port, demand a written request.
Love many, trust a few, do harm to none.
I would install a proxy server. I used for many years WinGate from QBIK (an Australian company) and was very happy with the options and logging they offered: http://www.wingate.com/qbik/index.php
Anyone who requires internet access gets a wireless broadband card in their name that they can expense. Now they are the owner of the connection and you are off the hook.
IANAL especially not in New Zealand
"A person is smart. People are dumb, panicky dangerous animals and you know it." - K
Just talk to the top ten users, if they have no explicit reason for consuming so much data. If they can't explain it, search their computer; if they have done something wrong, fire them and make sure everybody in the office knows why.
Business shouldn't do blacklisting. They should do whitelisting (everything is forbidden, you only allow specifics).
That is the only way to have a somewhat working control system (and even that is not perfect).
Block everything. Allow what needs to be allowed.
morcego
You should probably worry more about people using P2P protocols than just browsing the web. A web proxy is probably not the best tool to reduce your business's risk in that situation. I would wager that there is a substantially higher risk of being "caught" using P2P software to share copyrighted content, than browsing websites that have content for download.
Regardless, if there is a substantial financial risk to the business from copyright violations, it should be easy to justify spending money on something. Barracuda has a decent web filter - but again, they may not be what you need.
Every time you post an article on Slashdot, I kill a server. Think of the servers!
Check out the zScaler proxy. Lots of good benefits, including what you need. I use it for all my employees and love it, especially the reporting and fine-grained control.
A year spent in artificial intelligence is enough to make one believe in God.
So in New Zealand if somebody steals my car and uses it to rob a bank I will be arrested for robbing a bank?
"A person is smart. People are dumb, panicky dangerous animals and you know it." - K
If the employer also becomes a private ISP, and every employee is charged 1NZD per month for internet access at their workstation (taken straight from the paycheck, after everybody gets a 12NZD/year raise), then they own and are liable for the internet connection at their desk, not the company.
1st: in order to reduce the size of your reports (and also security risks), implement MVPS's custom hosts file (winhelp2002.mvps.org/hosts.htm)
2nd: use IPCop or pfSense, as they work OK and do the trick
Tell all of your users to use a VPN and don't be party to stupid laws pushed on your country by Hollywood.
ntop (http://www.ntop.org) should be able to do more or less what you want, but you might have to tweak a few things. However, it would also help you get a better handle on all your network usage in general, so I'd look into it anyway if I were in your situation.
You should be asking about low cost politicians.
Seven puppies were harmed during the making of this post.
Squid works well as a transparent proxy; when used in conjunction with a log parser, it might be just what you're looking for.
lots of the tools and FW's are based on linux and open source
we use one called xangati. it's an appliance that tracks the amount of everyone's data use. there are alerts that trigger if you use too much data in a specified time
I've used several URL tracking systems. None of them were entirely open source, but there are some available. The real costs come in with the URL database. These databases are compiled and maintained by real people. There are some community driven databases that are free to use, Untangle has one, but they will not be as complete or consistent.
I honestly am unsure of pricing but I believe it's fairly inexpensive. We use Kerio Control and are migrating to the 3110 appliance.
http://www.kerio.com/control
It does all kind of neat reporting.
We also use Cymphonix traffic shaping devices that have insane detail on reporting but I believe they're very expensive.
http://cymphonix.com/
No sig for you. YOU GET NO SIG!
Business shouldn't do blacklisting. They should do whitelisting (everything is forbidden, you only allow specifics).
That presumes two things. 1) that the overhead of whitelisting is not prohibitive and 2) That your users have rather specific and unchanging needs. Speaking for our business, the overhead of whitelisting would be incredibly burdensome. We deal with many vendors and have to research topics all the time. There is no reasonable way to know in advance exactly which websites we will need to visit. Furthermore it requires a significant investment of time which could be better spent elsewhere.
The best alternative is to block specific problem websites (Facebook, Twitter, etc for example) and only allow access to those via a whitelist. Keep logs of network access in case further problems arise. If someone is found to be ignoring company policies you can warn them or fire them and make an example out of them. You can solve 99% of the problem with quite a lot less work.
Why should I care about someone else's content? It's their job to monitor and enforce, not mine.
I use a transparent Squid proxy. Traffic is redirected using IP Filter on a FreeBSD system. I could use PF (or IPFW) however just not enough time in the day to "fix" something that just ain't broke at the moment.
www.untangle.com. It's free and runs on any Intel chip
I don't know of any software, my Big Brother on the other hand....
First of all you shouldn't seek a technical solution (alone) for a communication / policy problem. Talk to the employees and establish a reasonable policy.
Beyond that, check out if GFI WebMonitor is right for you.
(disclosure: I work for GFI Software, not on that product though.)
Remember to track how much this tracking is costing you so that you have numbers to point to when you complain about it. You also need to sanitize the URLs for personal information since a lot of personal information gets passed through them. You could get sued, possibly face criminal charges, for gathering too much data.
All rites reversed 2010
Please can somebody tell me how to tell Skype traffic from other p2p traffic?
Is Skype allowed in your workplace? Did you already see how much noise (on the network) Skype makes? I did and it's driving me nuts...
DansGuardian with a proxy like squid should give you a basic websense-alike system - but even with all ports closed at the firewall except 80 and 443, bittorrent will likely still get through.
If you're truly worried about litigation, it seems like you could find a little money to deal with the issue. Take a look at Palo Alto Networks firewalls, especially the up and coming low-end model the PA-200.
Untangle firewall. It has usage reports based on IP. I work at a library and can monitor everything every user/employee does and get a report daily. http://www.untangle.com/
I don't know what I'm doing for my job, and I would like you to do my research for me. Preferably your solution should be "open source", although I don't really know what that means, I just don't want to pay for it.
What's wrong with minimizing the financial impact of regulatory compliance?
More Twoson than Cupertino
Apply directly to your authoritarian face, submitter.
what if the company simply instituted an internet policy explicitly forbidding the use of company internet for piracy?
Most people that are problem users in a typical company are not going to know how to set up a VPN, or SSH tunnel, or even a simple proxy. Standard solutions should work fine for the most part. After you set up your content filter and firewall, just track the data usage as was said previously. Being proactive will do FAR more than simply relying on a software or hardware package which is in all likelihood easily beat by the employees with the know-how. The employees without the know-how will be stopped by nearly any decent filter (the company I work for uses Cymtec which seems to work pretty well).
Some people prefer Untangle, but I have found that for Business usage, Endian Firewall is way better. Lots more options and stuff to play with. http://www.endian.com/ will provide you with: Transparent HTTP/DNS/FTP/SMTP/SIP proxying, NTOP, IPSEC, OpenVPN, multiple zones for network security and way more.
I've set up several squid proxies for companies that claimed to want to keep track of employees' web surfing. The log files are pretty extensive and there are several 3rd party utilities out there that can provide reports that even managers can read. Most of the time. Going through the reports is a lot of work and usually the Achilles heel of this sort of project in my experience.
A couple of things...
1. Set your border router to accept connections from the Squid box and your Exchange (or email) servers only.
2. Check for MAC addresses mapping to the same IP address. (Most employees don't understand how to spoof a MAC address but lots of them can change their IP address.)
3. Fire the first person to be caught and make sure everyone in the company knows about it.
If you set a Policy that mandates firing and don't do it then word will get out. If you don't bother to check the reports then word will get out. None of the companies that paid me exorbitant sums of money to set this sort of thing up ever fired anyone and all of them stopped bothering to check the reports after a few weeks. I think mostly because the managers were the ones doing most of the abuse and, after all, we can't fire *them*!.
No one ever had to evacuate a city because the solar panels broke!
SquidProxy and DansGuardian. The first an authenticated proxy, the second a content manager/proxy. You can blacklist and whitelist sites in addition to those DansGuardian already has.
Is to get the law repealed.
If business owners are on the hook for the behavior of their employees, they should get together and get this law repealed. If enough do, it sounds like a slam-dunk to me. The reason why it hasn't already been done is that probably too many business owners don't know that they're on the hook.
--
BMO
As a previous poster suggested, about the only shoestring option that you have (and able to withstand legal scrutiny) is whitelisting. The downside is that it's a morale killer and you have to answer regularly to accusations of playing the morality police.
As you stand a chance of experiencing legal penalties, your leadership should belly up for a proper tool. My personal pick through my years of managing this function is Websense Web Security. It's not as expensive as you might think, especially for what it brings to the table. Their pricing fits nicely for nearly any size of organization. I currently manage a 5000 seat deployment, and I couldn't be happier with the job it does for me, or the minimal amount of care and feeding that the system requires.
-SS
How on earth could any software determine that? You may open a tab for a dozen sites. You can load a page of text, once, and spend an hour reading it with no further fetches. You could have a stock ticker/ weather stats/million other things running in a small window, getting data every few seconds.
Basically, unless you look over their shoulder, you can't know how much of their attention was on a site for how long.
Classic mission creep: start with monitoring illegal downloads, end up checking on how the staff spend each minute at work, just because you can. Think how intrusive this is and how much it would be resented.
Set up your firewall to redirect all outgoing port 80, 8080, etc packets to the proxy (running squid), then use calamaris to analyze the logs (or roll your own analysis). Squid can also block urls based on regular expression matching.
The real "Libtards" are the Libertarians!
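A roll-your-own pass over Squid's native access.log, as suggested above (added example, not part of the original comments). It keeps only host names, so query strings never reach the report, and the minutes column is an estimate from gaps between requests, not a measure of attention; `IDLE_GAP`, `MIN_VISIT` and the sample log lines are assumptions constructed for illustration.

```python
# Added example: per-user, per-site summary from Squid's native access.log.
from collections import defaultdict
from urllib.parse import urlsplit

IDLE_GAP = 300   # assumption: requests more than 5 minutes apart start a new visit
MIN_VISIT = 30   # assumption: seconds credited to a visit consisting of one request

# Constructed sample lines in Squid's native log format:
# time elapsed client action/code bytes method URL ident hierarchy/peer type
SAMPLE_LOG = """\
1318500000.100    120 192.168.1.10 TCP_MISS/200 5120 GET http://news.example.com/story?id=7&user=alice@example.com alice DIRECT/203.0.113.5 text/html
1318500060.500     80 192.168.1.10 TCP_MISS/200 2048 GET http://news.example.com/img/a.png alice DIRECT/203.0.113.5 image/png
1318500200.000     95 192.168.1.10 TCP_HIT/200 1024 GET http://news.example.com/story?id=8 alice NONE/- text/html
1318503000.000    300 192.168.1.10 TCP_MISS/200 4096 GET http://news.example.com/ alice DIRECT/203.0.113.5 text/html
1318500010.000   9000 192.168.1.11 TCP_MISS/200 900000 CONNECT files.example.net:443 - DIRECT/198.51.100.9 -
1318500020.000     50 192.168.1.11 TCP_DENIED/403 1500 GET http://blocked.example.org/ - NONE/- text/html
this line is garbage and must be skipped
"""


def parse_line(line):
    """Return (ts, user, site, bytes, denied), or None for a malformed line."""
    f = line.split()
    if len(f) < 10:
        return None
    try:
        ts, size = float(f[0]), int(f[4])
    except ValueError:
        return None
    method, url, ident = f[5], f[6], f[7]
    if method == "CONNECT":
        site = url.rsplit(":", 1)[0]          # CONNECT logs host:port, no path
    else:
        site = urlsplit(url).hostname or ""   # path and query string are dropped
    if not site:
        return None
    user = ident if ident != "-" else f[2]    # fall back to client IP if no auth
    return ts, user, site.lower(), size, f[3].startswith("TCP_DENIED")


def summarise(log_text, idle_gap=IDLE_GAP):
    """Requests, bytes, denials and estimated visit seconds per (user, site)."""
    hits = defaultdict(list)
    stats = defaultdict(lambda: {"requests": 0, "bytes": 0, "denied": 0, "seconds": 0})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ts, user, site, size, denied = rec
        s = stats[(user, site)]
        s["requests"] += 1
        s["bytes"] += size
        s["denied"] += denied
        if not denied:
            hits[(user, site)].append(ts)
    for key, stamps in hits.items():
        stamps.sort()
        start = prev = stamps[0]
        total = 0.0
        for ts in stamps[1:]:
            if ts - prev > idle_gap:          # long silence: close the visit
                total += max(prev - start, MIN_VISIT)
                start = ts
            prev = ts
        total += max(prev - start, MIN_VISIT)
        stats[key]["seconds"] = int(round(total))
    return dict(stats)


def report(stats):
    """One line per (user, site), largest transfer first."""
    rows = sorted(stats.items(), key=lambda kv: -kv[1]["bytes"])
    return [f"{u:<14} {site:<22} {s['requests']:>4} req {s['bytes']:>8} B "
            f"{s['seconds'] // 60:>3} min  denied={s['denied']}"
            for (u, site), s in rows]


if __name__ == "__main__":
    print("\n".join(report(summarise(SAMPLE_LOG))))
```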
Dear Slashdot. I'm an arrogant asshole who ridicules anyone who asks for even the slightest bit of help. Additionally I have almost negligible social skills and use Anonymous Coward to hide my sociopathic hostility to others.
Sounds like your current solution - "category" based filtering at the border combined with a strong company policy - is already more than adequate to cover most potential liability to the company.
The rest of your question sounds like you're using this legislation as an excuse to implement some downright draconian and invasive "productivity enforcement" measures that have nothing to do with the stated problem.
Just pirate one of the commercial spyware tools.
Slashdot social media options: AIM, ICQ, Yahoo, Jabber and Mobile Text. Why no MySpace?
Give each employee fifty dollars a month and let them arrange their own internet connections.
http://www.untangle.com/ Is a great, free tool to help block, track, and limit web browsing activities. Based off of Debian I think.
Hire and continue to employ people you trust. If you don't trust them to be responsible with their internet usage, why are you paying them? The only thing web monitoring will do is let them know that you don't trust them, and give them permission to act in an untrustworthy manner.
or else!
I cannot imagine a bigger waste of HR, IT, or management's time to go chasing around data regarding their employees' web usage.
If you hired intelligent, effective management you wouldn't need to go policing your employees after the fact.
Instead of asking; How can we find out which of our employees isn't working and then make them pay, how about finding out which of our employees is no longer being challenged or effective in their job and how can we help them.
You aren't their parents you're their employer, it's your job to help them succeed, and if you cannot then refill the position.
Will do everything you need.....
You might look at Untangle.com for Untangle Lite version. Basic reporting and VERY lite filtering for free, paid versions with more features also available. Relatively simple interface.
Let me Google that for you. http://tinyurl.com/3r4m3t3
pfSense has a very easy to use Squid module, which along with the LightSquid proxy report module will do the job. Easy and no cost
Both of these have pretty colors that management will like.
Competition Good, Monopoly Bad.
Interestingly, you probably have to choose between two different liabilities. On one hand, that new law seems to mandate that you take proper actions to protect your network against illegal use. On the other hand, any broad surveillance of your employees is probably illegal regarding work laws, and if you engage in that, you might be liable for criminal activities (check in your own country, that differs wildly, but it is not uncommon that even when using your equipment, your employees have a right to privacy). Choose your evil.
you are. Fight the man, not the people.
-fellow upside-downian from across the other side of the puddle
We use Websense, but I have no idea how much it costs. Websense categorizes websites based on URL and you can block individual categories. You can also block protocols individually. You can also just log and not block. Very flexible. The database of categories is updated daily. You can customize what they categorize as much as you want. If you submit a request for global recategorization, it usually gets done within an hour. This goes out to the public database. This is common when you launch a website that used to be a parked domain. You make sure Websense has it categorized correctly rather than as "parked domain" because that one is usually blocked.
Now the problem with website categorization is that 90% of the internet is not categorized by Websense. Then there is the increasing problem of sites serving content from multiple URLs or IPs. SSL is only blockable if you explicitly put the IP in. URLs are parsed with regex, so you get some false positives sometimes.
You probably don't need to block sites as much as you need to block protocols. It does that too. You can also track bandwidth usage, etc. There is full AD integration and you can define different blocking policies based on group membership, etc.
You can do whitelist only with it if you want.
After writing all of that it sounds expensive. I don't know how much it costs. You can probably use Websense Express depending on your needs and number of employees.
With Ultrasurf it is possible to bypass the proxy and the visits are not logged..
http://ultrasurf.us/
So then you'll have to start disallowing all the Ultrasurf binaries in your policy..
"I'm required to stop copyright violations, so how can I best spy on my employees' surfing habits and see how much time they spend on each website?"
First: You are not required to monitor what your employees download at all. Under NZ law it is not illegal to watch copyrighted material via direct download (youtube etc.) You only need to worry about p2p applications. These are easy to spot as they *upload* to lots of different ip addresses at the same time. If someone has 500 open ports and a Gigabit/second outgoing bandwidth, go talk to him!
Second: People tend to leave their browsers on all day with 10 different tabs open, so even if you could view the time spent on different sites, that info would be meaningless.
Third: Spying on your employees' surfing habits can piss them off, and is likely not worth it, for the same reasons why people don't work better if you mount "security" cameras behind their backs.
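The fan-out heuristic described above, run over flow records (added example, not part of the original comment). The record layout, the thresholds and the sample flows are assumptions constructed for illustration; real records would come from whatever flow collector or firewall export is in use.

```python
# Added example: flag internal hosts that upload to many distinct remote IPs
# inside one time window, the pattern the comment above attributes to P2P.
from collections import defaultdict

WINDOW = 300             # assumption: 5-minute buckets
MIN_PEERS = 20           # assumption: distinct remote IPs receiving data per bucket
MIN_UPLOAD = 5_000_000   # assumption: bytes sent outward per bucket


def make_sample_flows():
    """Constructed records: (ts, local_ip, remote_ip, remote_port, bytes_out, bytes_in)."""
    flows = []
    # 10.0.0.23 sends data to 40 different peers on high ports within one window
    for i in range(40):
        flows.append((1000 + i * 5, "10.0.0.23", f"198.51.100.{i + 1}",
                      40000 + i, 400_000, 20_000))
    # 10.0.0.7 browses: many remote hosts, but nearly everything is download
    for i in range(30):
        flows.append((1000 + i * 8, "10.0.0.7", f"203.0.113.{i + 1}",
                      443, 3_000, 250_000))
    # 10.0.0.50 runs a backup: heavy upload, but to a single server
    flows.append((1100, "10.0.0.50", "192.0.2.10", 443, 80_000_000, 100_000))
    # 10.0.0.23 in a later window, quiet
    flows.append((2000, "10.0.0.23", "192.0.2.80", 443, 2_000, 50_000))
    return flows


def find_fanout_uploaders(flows, window=WINDOW, min_peers=MIN_PEERS,
                          min_upload=MIN_UPLOAD):
    """Return one finding per (host, window) that meets both thresholds."""
    buckets = defaultdict(lambda: {"peers": set(), "bytes_out": 0})
    for ts, local, remote, _port, out_b, in_b in flows:
        if out_b <= in_b:
            continue                      # download-dominant flow: not an upload
        b = buckets[(local, int(ts // window) * window)]
        b["peers"].add(remote)
        b["bytes_out"] += out_b
    findings = []
    for (local, start), b in sorted(buckets.items()):
        # Both conditions are required: a backup has volume without fan-out,
        # browsing has fan-out without upload volume.
        if len(b["peers"]) >= min_peers and b["bytes_out"] >= min_upload:
            findings.append({"host": local, "window_start": start,
                             "peers": len(b["peers"]), "bytes_out": b["bytes_out"]})
    return findings


if __name__ == "__main__":
    for f in find_fanout_uploaders(make_sample_flows()):
        print(f"{f['host']} sent {f['bytes_out']} bytes to {f['peers']} "
              f"remote IPs in the window starting at t={f['window_start']}")
```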
..Squid?
http://www.squid-cache.org/
How does this work in Hotels, Motels, B&Bs? The ones that offer internet access. Or are we going to find that visiting NZ means going offline for the trip?
I've been to NZ, so I know that internet access at such locations is patchy at best, but it could get a lot worse.
RogerWilco the Adventurous Janitor
be google
DNA is the ultimate spaghetti code.
WORK TIME is for WORK RELATED ACTIVITY.
P2P is for your HOME CONNECTION in your OWN TIME.
I think it would be entirely justifiable for a firm to enforce a zero tolerance policy, with a no-quarter instant dismissal policy for ANY AND ALL violations!
Operation Guillotine is in effect.
Limit the bandwidth of your employees. There is no need for a huge bandwidth if they are only viewing text sites, but downloading stuff becomes impossible.
The winning move would have been to fight tooth and nail to prevent this idiotic legislation from being passed in the first place. I mean really, it says what? "Let's punish whoever we can get our hands on, for someone else's crime."
Although I am from the US, I tend to agree with many of the criticisms saying that we are responsible as a group for our own loss of freedom. People didn't speak up when they should have. Now they suffer. That's the way it works.
There's no 100% safe method to provide an internet connection for employees and prevent abuse. So if these ridiculous laws persist, you will need to transfer ownership of each employee's internet connection to said employee. Ask your lawyers how to accomplish that ...
"I love my job, but I hate talking to people like you" (Freddie Mercury)
Seems to me that asking this question here is like going on a vegetarian's blog and asking what's the best cheap knife to butcher a cow with...
Find out what requirements you need to follow so that you won't be held liable for what an employee downloads on your connection.
IANAL, but I would assume that you won't be held liable if some rogue employee hacks to bypass your security measures to prevent p2p downloads. There will likely be certain requirements that must be met before you are held liable for what an employee does.
"Next time you purchase an election, make sure you don't elect morons who slap stupid laws up without thinking about their undesired consequences."
--OR--
"This is what you wanted, so this is what you're getting. You wanted business-friendly government, and now you have it. PAY UP."
I wouldn't offer them a cheap solution at all. In fact, I'd offer them the most expensive solution you can find.
One day I feel I'm ahead of the wheel / the next it's rolling over me / I can get back on / I can get back on
What about Untangle? There is a free version and that's what we are using at work; works great.
Here is what I found in researching a solution for a community college. Most are way out of range on the price scale, but some are quite attractive.
Companies and Products to provide solutions for "employee monitoring":
Spector CNE - $130 per seat
Interguard SONAR - $45000
IMonitor EAM Pro - $6500 for 500 PCs (20% discount for edu)
Work Examiner Standard - around $25 per seat
OS Monitor (Asia) - 200 users: $900 Basic Version, $1800 full version
OfficeShield - $20 per seat at 100
Pearl Echo Suite - $?? Microsoft Gold Partner
NetVizor - 100 seats $1355 / 250 seats $2545
I object to power without constructive purpose. --Spock
http://www.untangle.com/
Untangle is a software appliance that manages every aspect of network control from content security to web caching, remote access to policy enforcement, all from one simple, drag & drop command center.
Free and easy. Just provide your own hardware...
FRANKLIN and JOHNSON approach the CEO. ...well it's a hell of a lot cheaper than what we're paying now.
Franklin & Johnson: SIR!
CEO: I didn't ask for you
Franklin: We're finished with the employee internet usage analysis
Johnson: It's not pretty.
CEO: What's not pretty? What is this about, I'm trying to print an e-mail here.
Johnson: Sir, Franklin here has some bad news about employee productivity.
Franklin: Yes, Sir.
Johnson: Tell him, Franklin.
Franklin: It's about Reddit.
CEO: Ahaha, reddit. I'm on that site now. Those clowns.
(Johnson and Franklin look at each other)
CEO: Did you know that companies still use Windows 98??
(Johnson and Franklin look at each other)
CEO: Well, did you, Johnson?
Johnson: Actually I did know that.
CEO: Bullshit, you didn't know shit. Did you know about this Franklin?
Franklin (hedging): Uh, I suspected as much.
CEO: Bullshit, Franklin, you didn't suspect shit. This is going to change everything.
(Johnson and Franklin look at each other).
CEO: Do you have any idea what a Windows 98 license costs?
Franklin tries to change the subject: Sir, about this report.
CEO:
Johnson: Franklin has something he wants to tell you.
CEO: it comes with Wordpad. We could finally put an end to this openoffice versus microsoft office bullshit you guys are always on my ass about. Now there's a standard I could get behind.
Johnson (meekly): I, uh.
CEO (dreamily). Anyway, guys, I'm going to need you to look into this and get back to me a cost/benefit analysis by next week. I want you to consider a full desktop cycle, where we source all new development machines with windows 98 class hardware, that shit must be like $50 a pop now.
Johnson gulps.
CEO: Now what was it you had to tell me Franklin?
Franklin: About the employee Internet usage, Sir.
CEO: Right! You have my full attention. What are these schmucks wasting all their time on.
Franklin: well, to look at the numbers here, it would seem to be reddit.
CEO: you keep reddit out of this.
Franklin (boldly): Sir, in an 8-hour workday, the average employee spends 9.5 hours on Reddit.
CEO reflects: Yeah, that's about right. If we're just talking about catching up on the front page and top comments.
Franklin, deliberately: Sir, I said, in an eight-hour workday, an employee spends an average of 9.5 hours on Reddit.
CEO: right...
Franklin: That's not even possible.
CEO: I'm surprised it's not more. A lot of people eat lunch at their desks.
Franklin: The eight hours includes lunch.
CEO: Franklin, I'm not going to get into an argument over work hours with you, we are an industry-leading shop. Besides, maybe not everyone is a redditor, the average could really be higher.
Franklin: that doesn't make any sense. anyway, my recommendation is to block this site.
CEO: what site.
Franklin: Reddit, sir.
CEO: What about reddit?
Franklin: We should block reddit, sir.
CEO: I don't understand what you're saying.
Johnson: He's saying we should block reddit, Sir.
CEO, aghast: Are you two out of your mind??
Johnson: according to our analysis, productivity would increase by 278% within thirty-five minutes..
CEO reflects. Seething anger: "productivity"? "Pro-duc-tivity"
Franklin: People would get work done.
CEO, bitter. Work? What do you think this place is, a fucking shit shoveling plant? We have customers. Let me tell you schmucks how to run a business. You increase prices, and you cut costs.
Franklin and Johnson are bewildered.
CEO: You want to increase prices, I got my sales team working on doubling it. You want to cut costs, well, you know what -- fuck that windows 98 report. I've just made my decision. Within 2 weeks I want a windows 98 on every desk in this office.
Franklin and Johnson look down in dejected failure.
CEO: Yeah, bitches. That's called leadership. Reddit just saved this company at least $100,000 over the next couple years. Now get out of my sight. Go on, go go go go there's a kitten with ice cream over it. You want to block that? Fucking animals. (mutters) want to run a Nazi concentration camp.
CEO scrolls and chuckles.
[exeunt Franklin and Johnson]
Untangle firewall has good web proxy, and protocol control. You can filter by type etc... Easy to use. Transparent bridge setup if you already have a firewall. Can block all common proxy sites, and you can install the firewall module and turn off people's ability to go out on a VPN unless they come from specific IPs. It can also do Ad Blocking, Spyware Blocking, Virus Blocking, IPS, IDS, get OpenSource system. I use it at home and work, and it is Free as in beer if you bring your own hardware. http://www.untangle.com/
Kosh: "Understanding is a 3 edged sword, your side, their side, the Truth."
i think that the best solution out there is UNTANGLE. you can install it on pretty cheap hardware as a transparent bridge and you have very granular control over every aspect of the internet. it uses a module system, you only have to decide which modules to deploy, and it takes care of the rest.
you can track each user and generate automatic reports that are e-mailed to you.
whitelist functionality supported, and it has a pretty good free content filter (of which p2p is one category), and if you pay for the subscription you get a really great filter.
antivirus also helps a little, might be cheaper to pay for Kaspersky on the firewall and just use cheap/free antivirus on each machine (or just lock down all of the ports, but that usually causes a lot more bitching).
The web cache helps a ton for bandwidth use! it has almost halved our bandwidth use at home because my wife and i generally read all of the same web-pages.
check it out here: http://www.untangle.com/
What would cost more, censorware acceptable to the government, or a small server hosted in the Philippines?
Hire somebody to infiltrate the lobbyists for those laws offices. Have them download your company's stuff which you do not license to them and report it. Do the same for any politician that voted this law into office.
Custom electronics and digital signage for your business: www.evcircuits.com
We’ve been using a URL/Web Policy enforcement tool from Cymtec. It’s called Sentry and it blocks Websites by Category as well using McAfee’s Smart Filter Software for automated updates. Easy executive reporting on users and violations. Ability to enforce policy and drop packets at the application layer as well. Under $4K annually so it’s cheaper than getting this from our ISP.
http://www.cymtec.com/products/cymtec-sentry/multi-office/
Ask Slashdot: Low-Cost Tools To Track Country Population' Web Use?
With love from China (Iran/...) !
Cymphonix boxes are buggy, I've been working around problems with ours for too long, we're switching to Barracuda soon.
Untangle is probably what you want
www.untangle.com
I know I know where do i get off actually answering the questions asked.
While this won't track URL's, we use Argus for tracking bandwidth/host usage.
It's got a nice client interface to insert data into MySQL, damn near real-time, I can pull accurate reports within 30 seconds. Unfortunately the MySQL feature is kinda new & there's no really good web interfaces.
Not really an out of the box solution either, but it's free & if you're familiar with MySQL and web development, you can make a nice reporting interface fairly easily. I whipped one up with jQuery and flot for charting over a weekend, and tied it into our inventory database. It'll show network utilization grouped by the local source, with a count for bytes sent/recv for each remote host. But it's layer 2-4 only, so no URL's are reported.
One of these days I might release my web interface for Argus, but the code needs cleanup and commenting so eh...I wouldn't expect it any time soon.
http://www.qosient.com/argus/
What disciplinary actions do you take, and why?
here's my advice:
maybe you shouldn't be such a fucking tool, asking for advice on how to spy on your own employees, in order to more efficiently rat them out to Die Polizei. Slashdot, why are you helping this dickbag??
Is to get the law repealed.
If business owners are on the hook for the behavior of their employees, they should get together and get this law repealed. If enough do, it sounds like a slam-dunk to me. The reason why it hasn't already been done is that probably too many business owners don't know that they're on the hook.
That's certainly how it would be resolved in the U.S.A.
"Who controls the past controls the future. Who controls the present controls the past." -- George Orwell
Add your list of unapproved sites to your hosts files, then chmod 644 /etc/hosts
Just Google for the lists of sites and add them like this
127.0.0.1 bing.com
127.0.0.1 slashdot.org
I use a combination of ZeroShell for routing, and Untangle for monitoring and filtering.
Untangle comes with modules, about half of which are free and open source, and the other half commercial. :/ (This is easy enough to block, ironically using Untangle itself, to filter its two ad URLs... But the point still remains)
This past year things have been going a bit downhill for the free version, namely two critical modules were made paid-only, and a webfilter-lite made to replace it.
They also now stick ads on your adblocker pages if you don't have at least one paid module
Most of the Untangle paid modules are more for a corporate setting, while the home usage options were free. The main downside I see to the paid modules are they are all monthly/yearly costs. Not a single "Pay for it and forget about it" option.
That said, I dropped all the paid modules and am running the free version both at home and work.
At home it's nice for the http/email stream virus scanning, which it sends RST packets if it detects anything to keep the infection from even reaching the PCs.
At work we use it for filtering, unfortunately for a similar reason.
It also has some nice reports too, and a separate interface so you can grant managers access to the reports but not the controls/settings.
You can run it as a router or as a transparent bridge in case you can't make changes to your network setup. Just pop it between the edge router and your switch.
I hate having to filter like this personally, but it's being demanded from the top, and not exactly the battle I want to give up my job over, so there it is.
No computer in a place I worked can VPN or tunnel by any known means in or out, except for two designated terminal servers, which can't initiate sessions, and which users can't access from the inside. Remote shell sessions, blocked. SSH, blocked. Even telnet, IM, chat, POP and IMAP are blocked. Pretty much the only thing possible is straight web surfing, and a lot of sites and content types (like video) are blocked. And it's not all just by port but by traffic and content analysis.
Yes, it's all obscenely expensive, IDS (with signature subscriptions), routers, firewalls and several other servers with expensive software involved just for that. The only thing cheap was GPO to block things like installing software or any ActiveX components.
It makes me wonder how big the IT industry lobby was in getting this law passed.
If someone has named an employee as selling your trade secrets that's a legitimate reason to spy on that employee. But it's not legitimate to spy on everyone because you have a bad apple in the bunch.
If your boss gets a harebrained idea like that you should first attempt to talk them off the ledge, and if that fails hand in your resignation. You don't want that on your conscience for the rest of your life and a company with that kind of oppressive corporate culture is not likely to be a good place to work in the short run or to succeed in the long run.
What she really needs to do is talk to her insurance agent and get coverage that protects the company when it gets sued. She should also hire a lawyer to sit with you and someone from operations and come up with an employee handbook that burdens the company's business with as few additional costs as possible while still allowing the company to fire employees that cause more trouble than they are worth. Once a decent cost estimate for all this is available she needs to adjust her prices 5%-20% to account for the new costs imposed by the law; other businesses in the same sector will be under the same pressure as well. She should make sure that she lists the reason for the price increases in the announcement.
She should also join some kind of business lobbying coalition. Many countries have "Chamber of Commerce" type lobbying groups which will give your Senators and Representatives and their families free vacations to Bali and the like if they "play ball". This should make sure the really dumb laws mostly just hurt poor people.
eSoft provides some awesome solutions and reporting for website usage and employee tracking, including free virtual appliances (website blocking by category is extra).
www.esoft.com
I'm sure you could do something interesting with www.untangle.com. With the webfiltering options... It's kind of designed for this stuff...
I use Untangle and OpenDNS. Works for me.
The OP is asking for information on employees that has little to do with stopping copyright violations.
Also, a simple Google search would turn up plenty of commercial content filters out there that will do exactly what he asks.
I've never used it myself, but I'm pretty sure Untangle can do that sort of stuff. http://www.untangle.com/
Just use OpenDNS and put blocks on all related categories. Done.
Or, you could just force group policy via active directory to not allow removal of browsing history, though this won't stop other browsers (assuming you let them install anything) nor P2P programs (which OpenDNS can't stop once installed, but can stop from downloading).
Of course, if you have wifi, good luck, cause you'll need router level logging or an appliance.
I personally think you should just hire an extra person per employee to stand behind them as they work. Though, I'm not sure even that would satisfy the draconian New Zealand government.
I8-D
red-nz ... I have a winner for you. Have you researched EdgeWave? They have a self-contained appliance called the "iPrism" that will give you a report just like you are asking with time of surfing duration. It is called Web Hourly Statistics. www.edgewave.com
We have some good firewalls that are capable of doing basic filtering by 'category,' e.g. P2P sites,
Sounds like he's using one of those awful fucking hellspawned Watchguard boxes. The P2P filter blocks harmless P2P news sites and forums while allowing torrents and other P2P programs to operate unhindered. Block "Downloads" for extra fun, then your employees won't be able to browse public domain clip art sites and your IT guys won't be able to access Sourceforge.
"When information is power, privacy is freedom" - Jah-Wren Ryel
are you running there ? .. There are very few positions in most businesses where Internet access is required to perform your job.. This is why I have always thought that web based apps and cloud computing are going to cause more problems than it solves.. Now you have to play babysitter. If you can't trust employees to do the right thing with access it's best that they not have it at all.
waiting for ad.doubleclick.net
When your browser opens a connection to a web site, it creates a client-side socket and makes the request over that connection. The web server services that request, sends a reply, and then can opt to close the connection or wait for more data from the client (persistent connection). Not all web sites (services) use persistent connections and not all operating systems/web browsers keep the client side socket open for "more data".
Think of it this way: It's not like making a phone call where both ends are established and a magic counter begins running. The technology was never engineered to do that. It's more like tying a message to a brick and throwing it over a wall and then waiting for another brick to come back with a reply attached. You really have no method to tell for sure if the website you were connecting to actually threw the brick back. You have no method to tell if the attached reply wasn't intercepted on its way over the wall.
The best you can hope for is a timestamp from your border gateway showing the egress connection. You can extrapolate how long a person _may_ have been on a site by looking at the duration their machine was opening connections to it.
Join the Slashcott! Feb 10 thru Feb 17!
The easiest way to deal with this is to prevent users from installing P2P software. Unless your users are doing application testing (and that should be first done from the IT department), then having them setup with a set of applications with no permissions to add more (and I believe you can block them from installing apps in personal directories, though I am not a windows specialist and cannot give you instructions on how to do that), you're preventing 95% of people from using P2P.
Of course, that assumes that you're going to have IT do a program install check on each of the machines, and that none of your employees use software requiring admin permissions to run properly.
After that, just use one of the other suggested methods of bandwidth usage reporting and talk to those users. If you can find no valid reason for the bandwidth use, have IT inspect their machines. If you find fault, act upon it.
Also before doing that, make sure every employee has been clearly informed of the usage policy of the network at your company. In said policy, outline the consequences of breaching the rules established in said policy. And leave a clause that allows for random spot-check of any computer at the discretion of either IT or any superiors.
If you have all users in the same location, you could use Blue Coat Enterprise Reporter. If you have mobile users, you could use the Blue Coat ThreatPulse service which is a SaaS solution.
If New Zealand is dumb enough to pass such an asinine law then you need to get another job. It seems like governments are getting dumber and dumber. What a bunch of a-holes. Looks like the content industry has made some big donations to your elected representatives.
http://www.untangle.com
I've been using this software to control my home, business and remote networks for over five years now. It is not perfect, but the price is right and it will accomplish what you need, plus much more. I can't recommend it highly enough.
IDK about you guys but I'd be insulted if someone wanted to track my web usage. Nowhere I've ever worked (Yahoo!, Raptr, etc.) has monitored or restricted our Internet access, and I'd simply not tolerate it if they tried. Are most geeks here similar or is tracking seen as acceptable?
pfSense 2.0 is a FreeBSD Firewall/router that can do Layer 7 filtering for P2P protocols. You can also easily install packages for squid and squidguard to transparently proxy web connections and block undesirable sites and/or content. You can use its own user manager or Radius to require the users to login to use the internet, etc.
It can do dial-in, VPN server and client, load balancing and uses the pf packet filter from OpenBSD.
The software costs nothing and is easily maintained and installed.
http://www.pfsense.org/
Most people think of it as something to monitor outside traffic coming in, but it can also be used to monitor inside traffic going out.
Seriously, the place was locked down tight. I had to get a rule change in a firewall approved through channels just to get two internal servers to talk to each other.
Use privoxy for webproxy. It is mainly aimed at removing ads but it acts great to capture traffic data depending on the level of debug you set. Use splunk on the data to do your reporting.
privoxy also does black/white listing and is very comprehensive in what you can allow or restrict. Plus I got this done in my organization and it almost completely removed malicious code from running via websites. It appears that the majority of the webhacks are coming from the ads rather than the main site itself. So privoxy took care of it. Works great. Decided not to pursue websense with privoxy doing the job.
to be honest, the best possible outcome, is that every business in AU and NZ does nothing, and when they all get sued/charged, then the courts and the legislature will deal with their own mess, instead of passing it on to you, like they tried to do with this law.
The 3-strikes law covers P2P traffic only. Adding web traffic reporting isn't going to do anything to help you.
Now if you are being asked to do web traffic reporting then sit down with management and work out what they want, why and who is going to be responsible for reviewing traffic (hint - this should be HR not IT). Doing this should give you enough information to justify some expenditure, even if it is just a new server/VM for Squid.
What if they bring in a half-dozen dvds of mp3s from home and copy them to the computer? It is still a copyright violation. Have a policy about DRM on people's machines and scan for these files on their hard drives. There is probably software that makes this easy.
Set up NTLM browser authentication if you're a Windows shop (warning this can break some non-authenticating apps, but it will save you from having to track down who held what IP when on the DHCP server). Then use a combination of cut, sort, uniq with count to print out stats. Awk, Perl or Python if you're more gangsta. Similar to here: http://dvas0004.wordpress.com/tag/squid/
It's not nearly as pretty as what WebSense or Bluecoat Reporter will print out, but with a little tweaking and perhaps importing into Excel you can create bar graphs. If you're just looking for copyright offenders, this should be pretty easy. The general crap HR often wants 'time spent on the web' is very hard to gauge with even the expensive tools, since leaving a tab with a weather.com open will look like you've surfed it 10,000 times.
Honestly, I just use CLI tools to analyze logs, no pretty graphics but keep in mind they do math and print out stats on things like bytes used. You can always paste it into a doc or pdf and spruce it up with graphs.
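Added example (not part of any comment here, and not code from Squid or the linked blog): a Python version of the log crunching described in the comments above on connection timestamps and on Squid logs with authenticated usernames. It assumes Squid's native access.log field order; the sample lines, hostnames, usernames and the 300-second idle gap are constructed for illustration.

```python
import statistics
from collections import defaultdict
from urllib.parse import urlsplit

IDLE_GAP = 300  # assumption: more than 5 minutes of silence ends a visit


def constructed_log():
    """Constructed sample lines in Squid's native access.log layout:
    time elapsed client action/code bytes method URL user hierarchy type"""
    row = "{:.3f} 120 10.0.0.{} {}/200 {} {} {} {} HIER_DIRECT/203.0.113.9 text/html"
    lines = []
    # alice: a weather tab left open, auto-refreshing every 60 s for an hour
    for i in range(61):
        lines.append(row.format(1317000000 + 60 * i, 5, "TCP_MISS", 2048, "GET",
                                "http://weather.example/radar", "alice"))
    # bob: two short visits to the same site, about 40 minutes apart
    for t in (0, 20, 95, 2400, 2410, 2500):
        lines.append(row.format(1317000000 + t, 6, "TCP_MISS", 8192, "GET",
                                "http://docs.example/page?id=%d" % t, "bob"))
    # bob: an HTTPS tunnel, logged as CONNECT host:port with no path
    lines.append(row.format(1317000050, 6, "TCP_TUNNEL", 40000, "CONNECT",
                            "mail.example:443", "bob"))
    lines.append("truncated line")  # damaged entry, must be skipped
    return lines


def parse_line(line):
    """Return (user, host, timestamp, bytes), or None for unusable lines."""
    f = line.split()
    if len(f) < 10:
        return None
    try:
        ts, size = float(f[0]), int(f[4])
    except ValueError:
        return None
    method, url, user = f[5], f[6], f[7]
    if method == "CONNECT":
        host = url.rsplit(":", 1)[0]
    else:
        host = urlsplit(url).hostname or ""
    if not host:
        return None
    if user == "-":
        user = f[2]  # no authenticated name: fall back to the client IP
    return user, host.lower(), ts, size


def usage_report(lines, idle_gap=IDLE_GAP):
    """Per (user, host): request count, bytes, visits and estimated seconds."""
    hits = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            user, host, ts, size = rec
            hits[(user, host)].append((ts, size))
    report = {}
    for key, recs in hits.items():
        recs.sort()
        times = [t for t, _ in recs]
        gaps = [b - a for a, b in zip(times, times[1:])]
        # Gaps longer than idle_gap separate visits and contribute no time.
        active = sum(g for g in gaps if g <= idle_gap)
        visits = 1 + sum(1 for g in gaps if g > idle_gap)
        # Near-constant spacing over many requests suggests a timer, not a person.
        timer = bool(len(gaps) >= 10 and statistics.mean(gaps) > 0
                     and statistics.pstdev(gaps) < 0.05 * statistics.mean(gaps))
        report[key] = {"requests": len(recs),
                       "bytes": sum(s for _, s in recs),
                       "visits": visits,
                       "est_seconds": round(active),
                       "likely_auto_refresh": timer}
    return report


if __name__ == "__main__":
    for (user, host), row in sorted(usage_report(constructed_log()).items()):
        print(user, host, row)
```

The `est_seconds` figure is only the span over which a machine kept opening connections to a host, so the auto-refresh flag marks rows where that span says little about what the person was doing.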
http://sourceforge.net/projects/ttracker/
Basically, it does nothing but track the titlebars of every window that's open, and which one is in focus at any given time. And since every browser lists the URL in the title bar, it works like magic.
And it writes everything to a simple CSV file, so you can analyze it any way you choose. But it also has some nifty reporting screens, if you really care.
If you're only interested in web access, there's something else that you can do. Look into ".pac" files on windows. Basically, think a javascript file that gets run every time any URL is accessed by anything in all of windows. As in "return null" will make everything die, and "return slashdot.org" will make every URL return the slashdot homepage. You can easily write a five-line jscript file to log everything to a file through the FSO.
Seriously, if you have to ask this question, you are not ready for the real life fact of what it will cost you from a time and support perspective. I, along with another engineer, manage web filtering for a company of ~1200 employees. Though we have many duties in our roles, we both spend significant amounts of time ongoing on web filtering activities from exceptions to the reports on user behavior (and this is using high-end web filtering gear like BlueCoat and Palo Alto). It is simply not worth your time to use technology to replace what your management should be doing. Knowing of this new anti-piracy rule, you should use this as an opportunity to discuss the situation with all of your team-leads/supervisors/managers and make them aware. Have them make their teams aware. Let them know that there are two outcomes -- extremely restrictive web filtering or an honesty system. I think with appropriate communication you'll find the honesty system works quite well.
Amusingly enough, the new law has one ironic effect. Before, infringement notices to ISPs generally got passed on to the offending user with a don't-be-bad note. The new law has a provision that the ISP has the right to charge for the time this takes them to research. In most cases this now means the ISP, upon receiving the infringement notice, turns around and invoices the complainant $25 before going any further (and as the complainants are usually mostly automated scripts, it mostly seems to end there). Ironically enough, at least in the short term, it probably means *less* punters getting infringement notices, and more costs to the "rights holders" for pursuing the process. In some ways a bit of a Pyrrhic victory.
Yes, I think this could well be a pyrrhic victory for the copyright trolls and extortion racketeers. Far from being a bad law this could well turn out to be a rather good one, whether intentional or not. Anything that costs these creeps money will discourage them from 'blanket bombing' everyone on the internet with threatening legal letters. Anyone with a genuine complaint will not fear a small charge for proceeding with it.
And as far as the OP goes I would suggest hiring good people, then trusting them. A competent manager should easily be able to spot folk stepping out of line and they can be dealt with individually as necessary. It is BAD policy, period, to show your staff you don't trust them. As I understand it only P2P comes under this NZ legislation so presumably a capable admin should be able to block the necessaries without any interference in people's work or freedoms, thus showing the authorities that they have taken all reasonable precautions. All these 'blanket' regulations ever do is penalise the innocent so they get really pissed off and their work suffers, and cause just enough inconvenience to the guilty that they spend even less of their time working for you. They are an appalling way to run a business, or a country.
The Snare/Epilog open source agents will get you part of the way there; they'll handle the log forwarding side for you. They're coded over the ditch in Oz.
Kiwi syslog might be another step in the process; locally made and supported in NZ; it'll manage the collection side of things, but not the analysis.
From there... sorry - I only have commercial stuff to suggest for the analysis side, so I'll let others bring up some options.
[Disclaimer: I'm a snare developer, so take comments in that context]
It occurs to me that 'copyright spammer' is maybe a better description of these people than 'troll', as their business model is identical to that of those pond-life - send threatening letter to everyone on the planet with a computer, on the calculated basis that enough of them will be sufficiently frightened to pay up without question for the spammer to profit. I suspect a charge of $25 a pop for sending spam emails would slow that business down a bit! Any way of making that work, anyone?
What's how long they have webpages open got to do with piracy?
Some people say it's overrated, but give it a try. It's also open source! Careful though because it can make you think about things.
Astaro is a commercial package - but low cost - free for home use. It has most of the reporting you identified together with fairly good protocol filtering above and beyond the simple firewall.
Run everyone through a proxy. At the end of every week, print out the name of every user and every site they have visited. Display the printout in the lunch room.
Benefits:
1) Accountability. Nobody's going to visit LesbianMidgetAmputeeFisting.com if they know everyone in the office will know about it.
2) Information Sharing: People will learn of other (hopefully work related) sites and tools, and will know with whom to discuss them.
3) Reduced bandwidth. Nobody wants to be accused of wasting time at work, so people will naturally reduce their casual web browsing.
Total cost of implementation: A few reams of paper and a few minutes a week.
We tried this in an office of 50 people who were fed up with a content filtering firewall that thwarted legitimate work. First week's results were a little off-colour (we kinda forgot to remind people we were doing it) but subsequently almost every bit of web browsing was work-related, relevant and minimal. Facebook use at work all but vanished. However, staff didn't feel they were being treated like children by a machine controlling where they surfed.
Do you or your partner snore? - Visit www.snoring.com.au
If your only concern is Internet browsing, using a proxy such as squid will do. From your firewall, either block http request or redirect it to your squid proxy, it's up to you. With regards to the reporting tool that you require, check out squint - it seems it can accommodate your requirement:
http://www.ledge.co.za/software/squint/index.php
There is also a good MySQL based squid logger which is MySAR:
http://www.productionmonkeys.net/guides/squid/mysar
I am using both logging tools in my environment and they both work great.
hth
I use a cool little app called rescue time that runs in the background and reports everything I'm doing to their web server, which can then give me an idea of how much time I spent on productive programs/sites (note though that it just reports time, an employee who does 2 hours of work in the morning then slacks off until the clock says 5 might still be 4x as productive as someone who just creates work to look busy)
It does url's and reporting really well though and does have a spy on my employees mode as long as you control the terminals, just be careful on the interpretation of the productivity stats
I've got an idea: Since the sum total of ideas expressed on Slashdot comments have probably already been expressed elsewhere, and are available on Google, it's probably superfluous to post comments on Slashdot.
Also, since all of the articles posted on Slashdot are (obviously) available elsewhere on the Web, and hence, also via Google, it would make sense to also not post articles on /., being redundant.
In fact, to the logical geek mind, the thing that would make the most sense is for slashdot.org to simply be turned into a DNS redirect for google.com.
Why didn't anyone think of that before? In fact, I think CmdrTaco did indeed realize that the very existence of Slashdot is futile in the face of Google, and voluntarily stepped down for that reason.
I'm not a lawyer, but I play one on the Internet. Blog
Testra spread their evil to NZ as well by buying up things over there. The last time I dealt with their spawn over there it was a two month process to change a single MX record in DNS so that a client could reliably get their email. That's two months in almost the same timezone with multiple communications per day!
squid proxy server with authentication can really help here. You can then pull reports of usage and track individual users' usage.
If you are using an NT domain at work squid integrates quite well with those nowadays. Webalyser is just one tool that is available to track usage.
I had a craphead boss at one job who spent a relentless amount of time trying to track what everyone did. Now mind you even us IT guys never really abused the net access but he was bound and determined to see every single thing we did.
I finally got fed up with his silly antics and I would change my mac address every morning. Next I would fire up a ssh tunnel through 443 to an outside host.
One day he asked me why I never showed up on the usage reports, I told him I have no interest in the internet so I never really use it.
Shameless plug: why not record their sessions? use https://sourceforge.net/projects/rautor triggered on application use.
It's called "group with other similarly affected people, and work for revoking that stupid law".
http://www.snort.org/
You could hire some security guards to monitor what each employee is doing with your computers.
One security guard per staff member sounds about right.
Of course, you will also need security guards to monitor the security guards and make sure they are doing their jobs right....
Shouldn't be an issue, as I believe there's a worldwide unemployment problem right now and big governments are getting bigger.
Sarg - Squid Analysis Report Generator is a tool that allows you to view "where" your users are going to on the Internet.
http://sarg.sourceforge.net/sarg.php
What the fuck, New Zealand? Sieg heil, you nazi bastards.
why not just hire better employees so you dont even have to worry about it
amongst a sea of losers?
This is a question I am asked weekly as an IT consultant, let me explain the fastest, most effective way to gain insight into your network- completely free.
In order to do this efficiently, you need to focus on flow technology within your routers. Your current hardware is currently capable of this, it just needs to be turned on within the configuration. If you already have flow exporting enabled, you can now use a netflow analyzer to see everything happening on your routers and switches.
Download a free netflow analyzer at http://www.plixer.com/products/netflow-sflow/scrutinizer-netflow-sflow.php
Once installed you will be able to filter and report on exactly what you are looking for. I can't walk you through the product, but I'm pretty sure it comes with a free setup by their support staff.
I have written a few great scripts that can and will track what an employee is doing. Or a great one that tracks what window is open on their screen and for how long, so that way you can tell if they are working and if so how long they are spending on work vs. personal web surfing. Also you can buy signal jammers on the cheap to block cell phone usage in your office, good tool to keep them on their PC and their hands off their cell phones. I just caught our CEO playing a game on his cell though... so can't stop that, but at least they can't get out to the net. Scripts can also be set up to kill (close) webpages that open on an end user's PC... so say you want to stop a person from going to a site that Websense thinks is okay, like www.bing.com, you can make it so when they go to that site it just automatically closes the browser. My scripts are open source... free for all... but updates to them cost $10 per update.
Thank you to everyone who answered the question instead of imposing their ethical beliefs that were completely irrelevant. This has been informative!
You should lobby your MP (New Zealand was a democracy last time I checked) and ask them to reverse this police-state law.
I hope this software could help. It is screen monitoring software that monitors which application, document, or website is actively being used and how long a person spends on that particular website. It is good monitoring software, and it is not intrusive in a way that can invade employee privacy. This software could also help employees stay focused and motivated in the long run at work. http://www.timedoctor.com/blog/2011/04/14/compare-screen-monitoring-software