Beta
×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

Ask Slashdot: Low-Cost Tools To Track Employees' Web Use?

timothy posted about 3 years ago | from the possibly-hostile-answers-expected dept.

Piracy 384

First time accepted submitter red-nz writes "I come from New Zealand where new anti-piracy laws have come into effect that prosecute the owner of the internet connection for copyright violations. This is now a major issue for businesses, as they of course don't want to be liable for employee infringements. We have some good firewalls that are capable of doing basic filtering by 'category,' e.g. P2P sites, etc., but ideally would love to find a low-cost or even better Open Source alternative to expensive reporting tools (such as WebMarshal or Websense) that is capable of reporting on individual employees' usage with friendly reports (i.e. dont just show the URLs of the 3000 items their browser requested that day). It may be too much to ask but if the software could also show how long they spent on each site, it would be fantastic. Anyone got any winners out there they can share?"

cancel ×

384 comments

Sorry! There are no comments related to the filter you selected.

and it's thwarted with...... (4, Insightful)

Lumpy (12016) | about 3 years ago | (#37410306)

A simple encrypted proxy or VPN over port 80 to home.

Re:and it's thwarted with...... (4, Informative)

imemyself (757318) | about 3 years ago | (#37410332)

True - but then it would be the person at home (or who runs the proxy) who would appear to be sending the traffic. So it would not be the business's problem.

Re:and it's thwarted with...... (1, Insightful)

Anonymous Coward | about 3 years ago | (#37410586)

Would it be though? The law states the owner of the Internet connection. Not where it appears to be coming from. Presumably that still remains with the business.

Re:and it's thwarted with...... (1)

Spunkee (183938) | about 3 years ago | (#37410704)

Any ISP logs, etc. regarding the content accessed would show it to be accessed from the home's internet connection -- not the business's.

Re:and it's thwarted with...... (1)

jhoegl (638955) | about 3 years ago | (#37410808)

All of this can be easily thwarted by the following

GPO to lock down browser history options, script to pull browser history from system nightly, browser history viewer.

You see, edge hardware is effective, but browser history will tell all.

Re:and it's thwarted with...... (1)

Anrego (830717) | about 3 years ago | (#37410336)

True but pointless.

The reason someone torrents from work is to use their employers bandwidth, which is usually substantially more than they have at home.

If you are going to ultimately be transfering the data from your home connection.. why not just do it from home...

Re:and it's thwarted with...... (3, Insightful)

said213 (72685) | about 3 years ago | (#37410396)

"which is usually substantially more than they have at home."

I realize that this is not the case for everyone, but my home cable connection is at least one degree of magnitude greater than the bandwidth available at my place of employ. The reason someone torrents from work is because they can do it while hiding behind someone else's liability.

Re:and it's thwarted with...... (0)

Anrego (830717) | about 3 years ago | (#37410464)

The reason someone torrents from work is because they can do it while hiding behind someone else's liability.

Good point, although parent's VPN idea is still moot as that infringing traffic is now coming from the connection owned by the infringer.

Re:and it's thwarted with...... (1)

Anonymous Coward | about 3 years ago | (#37410524)

The reason someone torrents from work is because they can do it while hiding behind someone else's liability.

That doesn't sound very plausible. You're much more likely to be fired or otherwise suffer career damage for downloading at work than you are to be sued or whatever for downloading stuff at home. Would many people even believe that they're less likely to be individually identified in the event of a work dispute through using the work PC? I guess your employer might shield you but it sounds like a long shot if you're talking about actual legal action.

Re:and it's thwarted with...... (0)

Anonymous Coward | about 3 years ago | (#37410556)

The reason someone torrents from work is because they can do it while hiding behind someone else's liability.

That doesn't sound very plausible. You're much more likely to be fired or otherwise suffer career damage for downloading at work than you are to be sued or whatever for downloading stuff at home. Would many people even believe that they're less likely to be individually identified in the event of a work dispute through using the work PC? I guess your employer might shield you but it sounds like a long shot if you're talking about actual legal action.

Correction, your *employer* is much more likely to suffer damage. If the company is a typical mom-n-pop they have no means of telling who did what, so if the hammer does come down it would take a volunteered confession to actually fire someone over it.

Re:and it's thwarted with...... (4, Insightful)

Anonymous Coward | about 3 years ago | (#37410596)

uh, the "reason" someone torrents from work is because they are at work.
if they were at home, they'd torrent there.

maybe they'll lose their job and have lots of time to download stuff at home, but i'm sure they're not thinking "this is great i have so much more bandwidth here" nor are they thinking "this is great now no one will know who i really am because i'm hiding behind a corporate network"

they're thinking "damn i hate my job, i'm so bored, i'll download some stuff to pass the time"

Re:and it's thwarted with...... (1)

Lumpy (12016) | about 3 years ago | (#37410708)

Sorry but Cable internet at home is faster than the T3 we have here at work. most businesses dont have a T3 but instead have a T1 that most DSL can equate or beat.

Re:and it's thwarted with...... (0)

Anonymous Coward | about 3 years ago | (#37410828)

1996 called, they want their preconceptions about business internet connections back.

Re:and it's thwarted with...... (2)

RobertLTux (260313) | about 3 years ago | (#37410420)

which brings the point that unless your computers are very expensively locked down just about everything you could do is useless

you might be able to to something at the gateway but then again you will still have problems. i would say that this law has mandated the purchase of some very expensive hardware. Even if you find something cheap that would work you still could be tagged for not complying with the law due to "not having the required certified hardware".

Re:and it's thwarted with...... (0)

Anonymous Coward | about 3 years ago | (#37410618)

not if it is done correct. in my office, i block all traffic completely and only route it through my proxy that requires authentication. i have separate groups with different black-lists; and MIME type restrictions in place as well. it works very well for the most part (some things are problematic like activation, but i have a pass-thru list on the PIX firewall itself that allows it through.

as for proxy, i have it sitting on the mail server, on a sun system, using their web proxy server 4.

Re:and it's thwarted with...... (1)

sgt scrub (869860) | about 3 years ago | (#37410632)

Encrypted traffic over port 80 is easy to detect. A policy to block it and fire anyone using it wouldn't take very long to become a policy in an environment that wants to monitor all your web traffic.

Re:and it's thwarted with...... (1)

1u3hr (530656) | about 3 years ago | (#37410804)

Encrypted traffic over port 80 is easy to detect. A policy to block it and fire anyone using it

Yep. and you'd stop people wasting time accessing banks, email, etc.

And fire anynoe who clicks on a https link. Zero tolerance is the only way to keep the *AAs profits safe.

Re:and it's thwarted with...... (1)

grub (11606) | about 3 years ago | (#37410654)

A proxy can be configured to block everything but legitimate HTTP requests. It's not just "port 80 == allow out"

Re:and it's thwarted with...... (0)

bluefoxlucid (723572) | about 3 years ago | (#37410796)

except that the port 80 stuff is easily configured with a scramble key and HTTP RQ legitimacy, with transport, etc. TCP packet comes to server, it gets encoded--the whole description of what it is. Client connects to client-end SOCKS proxy server [Proxy Client], [Proxy Client] makes http request that says "HTTP GET /index.html?session=ENCODEDSHIT HTTP/1.1 blahblahblah html head body (p)ENCODED ENCRYPTED DATA(/p) img src=fubar.gif MORE DATA COMING CHECK FUBAR.GIF" and then it "HTTP GET /fubar.gif HTTP/1.1" "HTTP POST /otherlinx.php" and so on. HAVE FUN, SHIT HEAD.

Re:and it's thwarted with...... (1)

hansamurai (907719) | about 3 years ago | (#37410744)

I personally like socks over port 443, encrypted traffic on the expected encrypted port!

Re:and it's thwarted with...... (1)

pcardno (450934) | about 3 years ago | (#37410774)

And it immediately goes from being a relatively minor slap on the wrists disciplinary issue for accessing dodgy websites to being a gross misconduct instant dismissal issue for deliberately going out of your way to circumvent corporate policy.

Security cameras (1)

tomhudson (43916) | about 3 years ago | (#37410312)

You don't even have to plug them in - just point them at each desk and make sure they have a little blinking red LED. Remind everyone in cubicleland to welcome their security-cam-wielding pointy-haired overlords.

Re:Security cameras (0)

Jeng (926980) | about 3 years ago | (#37410326)

Too expensive to monitor and it is kinda hard to tell what website someone is on via a camera that is looking over their shoulder.

Re:Security cameras (1)

janeuner (815461) | about 3 years ago | (#37410364)

== Too expensive to monitor and it is kinda hard to tell what website someone is on via a camera that is looking over their shoulder. ==

Especially when they aren't plugged in. Reading is hard.

Also: http://www.amazon.com/SE-Dummy-Security-Camera-Flashing/dp/B000XBMP5E [amazon.com]

Re:Security cameras (1)

tomhudson (43916) | about 3 years ago | (#37410410)

I think you missed the "you don't even have to plug them in" part.

Combine that with simple logging thru a proxy server and you're done, because once people think a camera is keeping an eye on them all the time, they tend to not surf pr0n sites from work as much, so you have far fewer log files to go through in the end if there IS a problem.

Re:Security cameras (1)

Jeng (926980) | about 3 years ago | (#37410696)

Security Theater is not effective.

Example, I used to work in shipping at Dell, we had to walk though metal detectors to leave work everyday. We were also required to wear steel toe shoes, therefor the metal detectors always went off. People were stealing shit right and left because they knew that security was ineffective.

Re:Security cameras (0)

Anonymous Coward | about 3 years ago | (#37410434)

Whoooooosh!

Re:Security cameras (1)

RMingin (985478) | about 3 years ago | (#37410770)

Nobody said to watch them.

"Fear will keep the local systems in line..." - Tarkin

Ouch man, just ouch (0)

Anonymous Coward | about 3 years ago | (#37410316)

First, condolences on those new laws.

I can’t recommend any software. I will say this kind of stuff sounds like the kind of stuff you pay through the nose for. I doubt any open source projects would form up to build such a tool (but always possible.. some people are unusual).

My first thought when putting myself in the shoes you describe, would be to transfer the liability. I guess it depends on how much money we are talking about when a copyright violation occurs. If you get sued, can you then sue the employee who did the infringing to re-coup your loses? Can you put this in a contract? If so this is the approach I would take... and just do enough monitoring to link violation to violator.

Disclaimer: I’m a programmer, not a business manager and certainly not a lawyer.

Re:Ouch man, just ouch (1)

Anaerin (905998) | about 3 years ago | (#37410558)

As other people have mentioned, Squid in Transparent Proxy mode, and a IPTables forwarding of all port 80 traffic to the Squid box will allow you to both speed up access, and optionally block/monitor the sites people are going to (and/or block ads, replace images, all that kind of fun stuff). Some simple reporting with Regular Expressions and perl/php/lua/python/[insert your chosen web development language here] will enable you to see who is accessing what, and how often.

Re:Ouch man, just ouch (0)

Anonymous Coward | about 3 years ago | (#37410672)

Yes, you have exactly the answer. One way to implement is to remove access to the internet through your proxy for everyone. You can do this in various ways with different proxy server software. Ours is setup to work on group membership, so we'd remove everyone from the group. Have the users go to a URL that has them electronically sign a document (differing legality in different jurisdictions; may have to have a print copy sent in depending on location) that amends their employment agreement to transfer this liability and let's them know what infringement is, etc. Once they file the requisite electronic or paper document they are added back to the group. A real pain in the rear, but it seems like that's what your new laws set all the companies there up for. Certainly much cheaper to do than logging their site visits and auditing them weekly, monthly, etc.

squid (1)

grub (11606) | about 3 years ago | (#37410324)


Use squid and a squid log analyzer.

Since when did Ask Slashdot become a Google proxy? Sheesh.

Re:squid (1)

hedwards (940851) | about 3 years ago | (#37410384)

Since we started allowing bootloaders to post, duh.

Re:squid (1)

Kildjean (871084) | about 3 years ago | (#37410414)

Since the management is gone... =(

Re:squid (1)

nharmon (97591) | about 3 years ago | (#37410440)

I agree: Squid + SARG is the best free solution.

Re:squid (3, Informative)

jeffmeden (135043) | about 3 years ago | (#37410684)

Back many years ago when I had concerns like this, I used the ACID network monitor that allows for complete tracking of all activity. It doesn't do any blocking but it does make report generation of all network activity very simple. However, it sounds like the solution to go for is something like Squid doing transparent proxying with content filtering. Also, block any ports in AND out that arent used for HTTP (80 and 443) to completely nix the chance of P2P working in any reasonable way. But alas, if the submitter were after a good filter why should they care what the users are doing; they surely aren't doing it on any illicit sites (assuming the filtering rules are effective?)

Seems like this should be two questions: one is what free/open ruleset can be trusted (as there are many good free tools at hand to enforce the rules) and two what additional inspection should take place to all content that might not be blocked, to find employees that spend too much time doing stuff on the "edge" of permissibility?

Dear Slashdot (-1)

Anonymous Coward | about 3 years ago | (#37410334)

I don't know what I'm doing for my job, and I would like you to do my research for me. Preferably your solution should be "open source", although I don't really know what that means, I just don't want to pay for it.

Re:Dear Slashdot (1)

Applekid (993327) | about 3 years ago | (#37410644)

I don't know what I'm doing for my job, and I would like you to do my research for me. Preferably your solution should be "open source", although I don't really know what that means, I just don't want to pay for it.

What's wrong with minimizing the financial impact of regulatory compliance?

Re:Dear Slashdot (0)

Anonymous Coward | about 3 years ago | (#37410752)

Dear Slashdot. I'm an arrogant asshole who ridicules anyone who asks for even the slightest bit of help. Additionally I have almost negligible social skills and use Anonymous Coward to hide my sociopathic hostility to others.

Re:Dear Slashdot (0)

Anonymous Coward | about 3 years ago | (#37410820)

Let me Google that for you. http://tinyurl.com/3r4m3t3 [tinyurl.com]

Trojan (0)

Anonymous Coward | about 3 years ago | (#37410346)

title says it all

Firewall (1)

Krneki (1192201) | about 3 years ago | (#37410354)

Block everything except port 80 and 443.

If anyone needs any other port, demand a written request.

Re:Firewall (1)

Anrego (830717) | about 3 years ago | (#37410406)

I agree that would block most possibilities for infringement...

would just note that you do still have rapidshare and friends

Re:Firewall (0)

Anonymous Coward | about 3 years ago | (#37410444)

With port 80 and 443 all the filelockers are still excessable, brilliant.

Re:Firewall (1)

cheekyjohnson (1873388) | about 3 years ago | (#37410494)

Wouldn't stop them from torrenting, though.

Proxy (1)

griessh (2205486) | about 3 years ago | (#37410360)

I would install a proxy server. I used for many years wingate from QBIK (an austarlian company) and was very happy with the options and logging they offered: http://www.wingate.com/qbik/index.php [wingate.com]

Alternative (3, Interesting)

ArhcAngel (247594) | about 3 years ago | (#37410378)

Anyone who requires internet access gets a wireless broadband card in their name that they can expense. Now they are the owner of the connection and you are off the hook.
IANAL especially not in New Zealand

Re:Alternative (0)

Albanach (527650) | about 3 years ago | (#37410578)

And a lawyer is exactly who OP needs to talk to.

You need legal advice on what information you should track and collect if any. If you have logs that show infringement but you haven't taken action - because you missed it in amongst hundreds of thousands of other log lines - will your firm have increased liability?

You need legal advice before you can form a requirements specification. Then you can look for software, free or commercial, that meets those requirements.

accumulate the data usage (2)

drolli (522659) | about 3 years ago | (#37410398)

just talk to the top ten users, if they have no explicit reason for consuming so much data. If they cant explain it, search their computer, if they have done something wrong fire them and make sure everybody in the office knows why.

Re:accumulate the data usage (1)

jeffmeden (135043) | about 3 years ago | (#37410716)

just talk to the top ten users, if they have no explicit reason for consuming so much data. If they cant explain it, search their computer, if they have done something wrong fire them and make sure everybody in the office knows why.

This is novel and effective. Find the total use, divide by the number of users, and then seriously question anyone who uses more than 2 or 3 times the average. Unless *everyone* is torrenting, of course.

Wrong approach (2)

morcego (260031) | about 3 years ago | (#37410402)

Business shouldn't do blacklisting. They should do whitelisting (everything is forbidden, you only allow specifics).

That is the only way to have a somewhat working control system (and even that is not perfect).

Block everything. Allow what needs to be allowed.

Re:Wrong approach (3, Insightful)

ShakaUVM (157947) | about 3 years ago | (#37410516)

>>Block everything. Allow what needs to be allowed.

And then you'll have to hire 10 more IT guys just to deal with all the legitimate requests for unblocking that will come pouring in.

I used to work at a place like that. It eventually was just easier for them to give me the password to unblock sites myself, rather than pester them about it.

Whitelisting has too much overhead (2)

sjbe (173966) | about 3 years ago | (#37410532)

Business shouldn't do blacklisting. They should do whitelisting (everything is forbidden, you only allow specifics).

That presumes two things. 1) that the overhead of whitelisting is not prohibitive and 2) That your users have rather specific and unchanging needs. Speaking for our business, the overhead of whitelisting would be incredibly burdensome. We deal with many vendors and have to research topics all the time. There is no reasonable way to know in advance exactly which websites we will need to visit. Furthermore it requires a significant investment of time which could be better spend elsewhere.

The best alternative is to block specific problem websites (Facebook, Twitter, etc for example) and only allow access to those via a whitelist. Keep logs of network access in case further problems arise. If someone is found to be ignoring company policies you can warn them or fire them and make an example out of them. You can solve 99% of the problem with quite a lot less work.

Re:Wrong approach (1)

Jim_Maryland (718224) | about 3 years ago | (#37410562)

That's pretty much what my employer has done. Sites are categorized and when we attempt to visit a blocked site, we get a page with details of why the site isn't accessible and a link is included to make a request to change access. For some categories, we also get a link to override the block (have to login with our VPN IDs) or we get a link that basically says we acknowledge that we're visiting a site where caution needs to be used. I'm not sure what software is being used, but seems a reasonable approach for an employer to take to control bandwidth usage and site visits for non-business purposes.

Re:Wrong approach (0)

Anonymous Coward | about 3 years ago | (#37410584)

I've seen systems where they do this, and then have a system in place where anyone can bypass it by specifying their username/password (except for explicit blocks).

This way work doesn't get held up because some suppliers manual is not on the list.. or some programming reference site.. or whatever ... but there is still a record linking employee to site (with a quick little rational) that assumably gets reviewed at some point (or maybe is just held incase shit hits the fan).

Re:Wrong approach (1)

pnewhook (788591) | about 3 years ago | (#37410802)

No, you have to assume your employees are mostly professional and use the corporate web access to support their job. Only block and restrict when employees visit sites they shouldn't. Every employee shouldn't have to request each and every site they visit just because a couple of employees are too cheap or lazy to download from their home connection.

Rethink (1)

imemyself (757318) | about 3 years ago | (#37410408)

You should probably worry more about people using P2P protocols than just browsing the web. A web proxy is probably not the best tool to reduce your business's risk in that situation. I would wager that there is a substantially higher risk of being "caught" using P2P software to share copyrighted content, than browsing websites that have content for download.

Regardless, if there is a substantial financial risk to the business from copyright violations, it should be easy to justify spending money on something. Barracuda has a decent web filter - but again, they may not be what you need.

zScaler (3, Informative)

CrudPuppy (33870) | about 3 years ago | (#37410418)

Check out the zScaler proxy. Lots of good benefits, including what you need. I use it for all my employees and love it, especially the reporting and fine-grained control.

Car Analogy (1)

ArhcAngel (247594) | about 3 years ago | (#37410428)

So in New Zealand if somebody steals my car and uses it to rob a bank I will be arrested for robbing a bank?

Re:Car Analogy (1)

Larryish (1215510) | about 3 years ago | (#37410626)

Only if you are the driver.

Or a Maori, or an ab.

Change the employee agreement (2, Interesting)

White Flame (1074973) | about 3 years ago | (#37410430)

If the employer also becomes a private ISP, and every employee is charged 1NZD per month for internet access at their workstation (taken straight from the paycheck, after everybody gets a 12NZD/year raise), then they own and are liable for the internet connection at their desk, not the company.

Re:Change the employee agreement (4, Insightful)

MyLongNickName (822545) | about 3 years ago | (#37410628)

I am glad that you are a practicing lawyer in New Zealand and have educated us on this wonderful workaround. Could you please give us the contact information for your legal practice just in case someone in law enforcement questions the validity of your fine resolution to this problem? Because clearly your method trumps the employer-employee agency laws.

custom hosts + pfsense or ipcop (0)

Anonymous Coward | about 3 years ago | (#37410432)

1st: in order to reduce the size of your reports (and also security risks), implement MVPS's custom hosts file (winhelp2002.mvps.org/hosts.htm)
2nd: use IPCop or pfSense, as they work OK and do the trick

VPN (0)

Anonymous Coward | about 3 years ago | (#37410438)

Tell all of your users to use a VPN and don't be party to stupid laws pushed on your country by Hollywood.

ntop (4, Insightful)

bsDaemon (87307) | about 3 years ago | (#37410442)

ntop (http://www.ntop.org) should be able to do more or less what you want, but you might have to tweak a few things. However, it would also help you get a better handle on all your network usage in general, so I'd look into it anyway if I were in your situation.

Wrong business plan (3, Insightful)

Dunbal (464142) | about 3 years ago | (#37410452)

You should be asking about low cost politicians.

Cephalopod (1)

mojatt (704902) | about 3 years ago | (#37410456)

Squid [squid-cache.org] works well as a transparent proxy, when used in conjunction with a log parser [mrunix.net] , might be just what you're looking for.

xangati (1)

alen (225700) | about 3 years ago | (#37410472)

lots of the tools and FW's are based on linux and open source

we use one called xangati. it's an appliance that track's the amount of everyone's data use. there are alerts that trigger if you use too much data in a specified time

The URL databasae is what you end up paying for (1)

RatherBeAnonymous (1812866) | about 3 years ago | (#37410506)

I've used several URL tracking systems. None of them were entirely open source, but there are some available. The real costs come in with the URL database. These databases are complied and maintained by real people. There are some community driven databases that are free to use, Untangle [untangle.com] has one, but they will not be as complete or consistent.

Kerio Control (2)

LoudMusic (199347) | about 3 years ago | (#37410508)

I honestly am unsure of pricing but I believe it's fairly inexpensive. We use Kerio Control and are migrating to the 3110 appliance.

http://www.kerio.com/control [kerio.com]

It does all kind of neat reporting.

We also use Cymphonix traffic shaping devices that have insane detail on reporting but I believe they're very expensive.

http://cymphonix.com/ [cymphonix.com]

Re:Kerio Control (0)

Anonymous Coward | about 3 years ago | (#37410826)

Kerio control's pricing is on their website, and isn't too bad if you're really using all of the features, but if you're only using it for the web usage replying it's a little overpriced.

Very bad law (0)

Anonymous Coward | about 3 years ago | (#37410538)

Why should I care about someone elses' content? It's their job to monitor and enforce, not mine.

FreeBSD + IPF + Squid (1)

rbeef (990946) | about 3 years ago | (#37410546)

I use a transparent Squid proxy. Traffic is redirected using IP Fiter on a FreeBSD system. I could use PF (or IPFW) however just not enough time in the day to "fix" something that just aint broke at the moment.

entangled web appliance (0)

Anonymous Coward | about 3 years ago | (#37410552)

www.untangle.com. its free and runs on any Intel chip

Well... (0)

Anonymous Coward | about 3 years ago | (#37410568)

I don't know of any software, my Big Brother on the other hand....

GFI WebMonitor (0)

Anonymous Coward | about 3 years ago | (#37410582)

First of all you shouldn't seek a technical solution (alone) for a communication / policy problem. Talk to the employees and establish a resonable policy.

Beyond that, check out if GFI WebMonitor [gfi.com] is right for you.

(disclosure: I work for GFI Software, not on that product though.)

More than one kind of tracking (2)

Ceriel Nosforit (682174) | about 3 years ago | (#37410592)

Remember to track how much this tracking is costing you so that you have numbers to point to when you complain about it. You also need to sanitize the URLs for personal information since a lot of personal information gets passed through them. You could get sued, possibly face criminal charges, for gathering too much data.

And Skype??? (0)

Anonymous Coward | about 3 years ago | (#37410594)

Please can somebody tell me how tho tell skype traffic from other p2p traffic?

Is skype allowed in your workplace? Did you already saw how much noise (on the network) skype does? I did and it's driving me nuts...

DansGuardian (2)

HellKnite (266374) | about 3 years ago | (#37410616)

DansGuardian [dansguardian.org] with a proxy like squid should give you a basic websense-alike system - but even with all ports closed at the firewall except 80 and 443, bittorrent will likely still get through.

If you're truly worried about litigation, it seems like you could find a little money to deal with the issue. Take a look at Palo Alto Networks firewalls, especially the up and coming low-end model the PA-200.

Untangle (0)

Anonymous Coward | about 3 years ago | (#37410620)

Untagle firewall. It has usage reports based on IP. I work at a library and can monitor everything every user/employee does and get a report daily. http://www.untangle.com/

Simple method: shotgun (0)

Anonymous Coward | about 3 years ago | (#37410646)

Apply directly to your authoritarian face, submitter.

what about a company policy instead? (0)

Anonymous Coward | about 3 years ago | (#37410650)

what if the company simply instituted a internet policy explicitly forbidding the use of company internet for piracy?

Re:what about a company policy instead? (1)

mwvdlee (775178) | about 3 years ago | (#37410780)

Because the law states the owner is responsible, and laws don't care about right, wrong, justice or morality.

You all are assuming too much. (0)

Anonymous Coward | about 3 years ago | (#37410658)

Most people that are problem users in a typical company are not going to know how to set up a VPN, or SSH tunnel, or even a simple proxy. Standard solutions should work fine for the most part. After you set up your content filter and firewall, just track the data usage as was said previously. Being proactive will do FAR more than simply relying on a software or hardware package which is in all likelihood easily beat by the employees with the know-how. The employees without the know-how will be stopped by nearly any decent filter (the company I work for uses Cymtec which seems to work pretty well).

Get a UTM (1)

morgandelra (448341) | about 3 years ago | (#37410674)

Some people prefer Untangle, but I have found that for Business usage, Endian Firewall is way better. Lots more options and stuff to play with. http://www.endian.com/ [endian.com] will provide you with: Transparent HTTP/DNS/FTP/SMTP/SIP proxying, NTOP, IPSEC, OpenVPN, multiple zones for network security and way more.

Squid is your friend. (2)

SwedishChef (69313) | about 3 years ago | (#37410676)

I've set up several squid proxies for companies that claimed to want to keep track of employee's web surfing. The log files are pretty extensive and there are several 3rd party utilities out there that can provide reports that even managers can read. Most of the time. Going through the reports is a lot of work and usually the Achilles heel of this sort of project in my experience.

A couple of things...
1. Set your border router to accept connections from the Squid box and your Exchange (or email) servers only.
2. Check for MAC addresses mapping to the same IP address. (Most employees don't understand how to spoof a MAC address but lots of them can change their IP address.)
3. Fire the first person to be caught and make sure everyone in the company knows about it.

If you set a Policy that mandates firing and don't do it then word will get out. If you don't bother to check the reports then word will get out. None of the companies that paid me exorbitant sums of money to set this sort of thing up ever fired anyone and all of them stopped bothering to check the reports after a few weeks. I think mostly because the managers were the ones doing most of the abuse and, after all, we can't fire *them*!.

Two OSS tools (0)

Anonymous Coward | about 3 years ago | (#37410700)

SquidProxy and DansGaurdian. The first an authenticated proxy, the second a content manager/proxy. You can blacklist and whitelist sites in addition to those DansGaurdian already has.

The real solution (3, Informative)

bmo (77928) | about 3 years ago | (#37410706)

Is to get the law repealed.

If business owners are on the hook for the behavior of their employees, they should get together and get this law repealed. If enough do, it sounds like a slam-dunk to me. The reason why it hasn't already been done is that probably too many business owners don't know that they're on the hook.

--
BMO

Re:The real solution (1)

King_TJ (85913) | about 3 years ago | (#37410818)

Yep! I'd mod this comment up if I could. Not that I don't appreciate reading the comments to learn more about various proxy solutions out there -- but this is clearly a situation where the law itself is what's really unacceptable.

It's simply not a good law, any time it's designed to punish someone other than the perpetrator as the responsible party. I don't live in New Zealand, but if I did? I'd definitely question whether I wanted to even provide ANY internet access to my employees, if I ran a business there with this type of legislation in effect.

After all, no matter what barriers I construct, it's potentially possible that a crafty enough person would find a way around them to download copyrighted material and then I could lose my whole business over it. No thanks!

At risk of sounding like a shill... (1)

SecuritySimian (1150141) | about 3 years ago | (#37410712)

As a previous poster suggested, about the only shoestring option that you have (and able to withstand legal scrutiny) is whitelisting. The downside is that it's a morale killer and you have to answer regularly to accusations of playing the morality police.

As you stand a chance of experiencing legal penalties, your leadership should belly up for a proper tool. My personal pick through my years of managing this function is Websense Web Security. It's not as expensive as you might think, especially for what it brings to the table. Their pricing fits nicely for nearly any size of organization. I currently manage a 5000 seat deployment, and I couldn't be happier with the job it does for me, or the minimal amount of care and feeding that the system requires.

-SS

how long they spent on each site... (2)

1u3hr (530656) | about 3 years ago | (#37410734)

"show how long they spent on each site"?

How on earth could any software determine that? You may open a tab for a dozen sites . You can load a page of text, once, and spend an hour reading it with no further fetches. You could have a stock ticker/ weather stats/million other things running in a small window, gettign data every few seconds.

Basically, unless you look over their shoulder, you can't know how much of their attention was on a site for how long.

Classic mission creep: start with monitoring illegal downloads, end up checking on how the staff spend each minute at work, just because you can. Think how intrusive this is and how much it would be resented.

Squid as transparent proxy plus calamaris (2)

whoever57 (658626) | about 3 years ago | (#37410742)

Set up your firewall to redirect all outgoing port 80, 8080, etc packets to the proxy (running squid), then use calamaris to analyze the logs (or roll your own analysis). Squid can also block urls based or regular expression matching.

What is lacking in your current solution? (2)

nrozema (317031) | about 3 years ago | (#37410758)

Sounds like your current solution - "category" based filtering at the border combined with a strong company policy - is already more than adequate to cover most potential liability to the company.

The rest of your question sounds like you're using this legislation as an excuse to implement some downright draconian and invasive "productivity enforcement" measures that have nothing to do with the stated problem.

Irony? (1)

mwvdlee (775178) | about 3 years ago | (#37410766)

Just pirate one of the commercial spyware tools.

Transfer the liability to your employees (0)

Anonymous Coward | about 3 years ago | (#37410776)

Give each employee fifty dollars a month and let them arrange their own internet connections.

Untangle (1)

OneC0de (1851710) | about 3 years ago | (#37410786)

http://www.untangle.com/ [untangle.com] Is a great, free tool to help block, track, and limit web browsing activities. Based off of Debian I think.

Trust (1)

nilbog (732352) | about 3 years ago | (#37410794)

Hire and continue to employ people you trust. If you don't trust them to be responsible with their internet usage, why are you paying them? The only thing web monitoring will do is let them know that you don't trust them, and give them permission to act in an untrustworthy manner.

Massive waste of time (1)

nfc_Death (915751) | about 3 years ago | (#37410806)

I cannot imagine a bigger waste of HR, IT, or managements time to go chasing around data regarding their employees web usage.
If you hired intelligent, effective management you wouldn't need to go policing your employees after the fact.
Instead of asking; How can we find out which of our employees isn't working and then make them pay, how about finding out which of our employees is no longer being challenged or effective in their job and how can we help them.
You aren't their parents you're their employer, it's your job help them succeed, and if you cannot then refill the position.

Barracuda Web Filter (0)

Anonymous Coward | about 3 years ago | (#37410812)

Will do everything you need.....

Untangle Lite (0)

Anonymous Coward | about 3 years ago | (#37410816)

You might look at Untangle.com for Untangle Lite version. Basic reporting and VERY lite filtering for free, paid versions with more features also available. Relatively simple interface.

Load More Comments
Slashdot Login

Need an Account?

Forgot your password?

Submission Text Formatting Tips

We support a small subset of HTML, namely these tags:

  • b
  • i
  • p
  • br
  • a
  • ol
  • ul
  • li
  • dl
  • dt
  • dd
  • em
  • strong
  • tt
  • blockquote
  • div
  • quote
  • ecode

"ecode" can be used for code snippets, for example:

<ecode>    while(1) { do_something(); } </ecode>