June 30, 2004

Games and music downloads get 17 and 11 percent, respectively. These not only affect bandwidth consumption but also open up your company to security threats and bring down productivity. What can you do about it?

Internet connectivity is one of the most used and abused services in any organization. Though its usefulness has been extolled enough, it’s the abuse that most system administrators pull their hair out over. Most of them know that their users visit prohibited websites, download music and movies using P2P applications and chat online. Such activities not only cause network congestion and deprive other users of bandwidth, but also open connections to unknown resources on the Net that can bring in viruses and spam. So what can they do about it?

The solution is to control who is allowed to access what and when on the Internet. Unfortunately, it’s not a solution that you can implement once and then forget. You need to constantly monitor your Internet bandwidth and determine a few things: check whether your ISP is delivering the promised bandwidth, track how your users are using it, monitor the mechanisms you’ve put in place to control its usage and keep going back to your Internet-access policy to ensure that it’s implemented correctly.

If your situation changes, then you need to change your policy to reflect that. For instance, your situation may change if you need to implement a new application on your network that requires significant Internet bandwidth. Then you will need to change the policy to accommodate your solution, which could be to take away bandwidth from some other application or purchase more bandwidth.

Before choosing a tool to manage Internet access, you need to plan its deployment. For example, you need to determine which user or group needs or does not need access to particular sites or services (e-mail, Web, file transfer), which applications consume how much bandwidth and during what time of the day is the maximum traffic flow.

On the basis of this information, you need to create an acceptable Internet usage policy. The policy should clearly state:

  • The scope of Internet usage
  • The kind of Internet usage (business purposes, research and market intelligence) that’s encouraged
  • Users who are authorized to use the Internet
  • If the proxy server can be bypassed
  • Whether the organization has set up any kind of Internet access monitoring and content-filtering system
  • The measures that the organization could take if it finds an employee misusing the Internet. For example, some
    organizations state in their policy that they would publish on their intranet the list
    of banned sites along with the names of users who were found accessing them.

Remember that the clauses of the policy will be governed by your business’ objectives; there is no ‘one rule that fits all’. Some companies may use corporate IMs (Instant Messengers), while others may prohibit their use. Once the policy has been set, it is critical to communicate it to the

BE BIG BROTHER: Monitor bandwidth and Internet activity
Now that you have your policy in place, it is time to get your hands dirty and start implementing the monitoring and controlling measures. You can monitor everything from Web access, e-mail and websites providing audio/video streaming to e-commerce transactions and even VPN connectivity between your various offices.

To check that you are getting the right amount of bandwidth, monitor whether your ISP is delivering the promised bandwidth and look for internal bottlenecks, such as a misconfigured or overloaded proxy server.

Many tools are available for this. Some of the better-known ones are MRTG, PRTG, PRTG Pro and Ntop. MRTG (Multi-Router Traffic Grapher) is widely used by most ISPs and is available for Windows and Linux. PRTG (Paessler Router Traffic Grapher), a variant of MRTG, is a freeware Windows-based tool that lets you monitor only a single network port. Once PRTG is installed, you need to add a sensor for the network ports you want to monitor. A sensor is nothing but the IP address of the network card you want to monitor. You also need to ensure that SNMP is enabled on the machine you are monitoring, as PRTG uses it for polling and gathering data. The tool provides real-time graphs of the traffic moving in and out of the network port. It can create detailed HTML reports of the bandwidth on a daily, weekly or monthly basis. You should use it to monitor the network port of your Internet

PRTG Pro is PRTG’s commercial edition that lets you add as many sensors as you like.

PRTG captures raw packets from your Internet gateway and displays them in a detailed real-time graph. It even generates comprehensive HTML-based reports of them

Another powerful tool is Ntop. It can capture data that travels through your Internet gateway and provides a complete drill-down of the type of traffic that’s flowing, which protocols it is using and which users are consuming how much bandwidth. It can tell you which machine is using which application, which will help you determine who is using IMs and P2P applications (such as Kazaa) on your network and how many users are accessing the Web through HTTP. It will, however, not tell you the specific websites being visited by different users. For that you will need other tools. It has a built-in Web server, which allows you to see all its reports through a Web browser.

If you want to use Ntop, you can read on to find out how to do so. Else, you can skip to the next section titled Make Sense of Data. Ntop is available on many OSs; we show you how to run it on Linux.

Source: Internet Misuse Survey 2002 commissioned by Websense International
According to a survey, 23 percent of employees were dismissed because of Internet misuse

You need to place Ntop just before your proxy or Internet gateway so that it captures all the information before it moves out.
Now copy the source tarball from this month’s PCQEssential CD and unzip it to install it as shown below.

#cp ntop-3.0.tgz /
#cd /
#tar -zxvf ntop-3.0.tgz
#cd ntop-3.0
#make install

When Ntop is run on PCQLinux 2004, it asks for some files that it was unable to find in the /var/ntop folder. So, you need to create them manually by running the following commands from within /var/ntop.

#touch addressQueue
#touch dnsCache
#touch macPrefix
#touch ntop_pw
#touch prefsCache

Now, you need to give these files full rights by running the following.

#chmod 777 /var/ntop/*

Copy /etc/ntop.conf.sample to /etc/ntop.conf and run the following command.

#ntop -w 3000 -W 0

With this your Ntop server will be up and running.

It works on port 3000. To access its frontend, fire up a browser and enter the link http://127.0.0.1:3000. You can also access Ntop from any other machine with the external address of the Ntop machine and port 3000.

When you first start Ntop, you will find some links on the welcome page. Here, click on the Summary link to see graphs for network traffic, host traffic and network load.

There are some other links as well, such as IP Summary, All Protocols, Local IP and Admin. The first two links will give details about the protocols and the last will give you access to administer the Ntop server.


But to create proper reports, you need to know how often the data should be captured. For instance, Ntop can capture a huge amount of data, which can quickly fill up your entire hard drive. So, you may not need to constantly capture the data. Instead, define specific time periods for doing so. You could, for instance, configure it to run for a few minutes in the morning when all employees come in. Then you could run it for a few minutes every hour for the rest of the day and finally stop it after office hours.

An Ntop screenshot showing the total network traffic over time. This gives you an idea of which hosts on the network are most active and when

MAKE SENSE of DATA: Analyze the reports
Once the reports are made, you need to analyze them periodically to understand the usage patterns. For instance, you would find that the first thing all employees do in the morning is check their mail. Hence, you’ll find heavy Internet usage in the morning. However, if you notice that the usage is becoming heavy throughout the day then you would need to investigate further. For all you know, it might be heavy downloads such as movies or music or mass mailing that’s causing the load. If it’s genuine work that is happening, then you need to consider purchasing more bandwidth. The same logic applies to other applications as well, such as ERP applications over your WAN.

The type of reports you can get depends upon the tools you use. There are tools that specifically monitor the website traffic and generate reports based on them. Also, the type of reports you want depends on the analysis you require. You get reports on frequent Internet users, protocol traffic flow, most-frequently visited sites and the websites that consume more bandwidth. User-specific data includes the amount and type of data sent and received.

Create access rules to restrict unwanted Web content, using SurfControl

TAKE CONTROL: Control Internet access
Finally, you need to take action based on the reports generated. The action may include informal warnings, publishing lists of frequent abusers and using tools to control or limit access. There are tools available to control specific types of applications, such as chat clients, Kazaa and download accelerators. Also, there are tools that can perform multiple functions, such as controlling Web access and chat simultaneously. Then there are tools that can do application prioritization to help provide QoS (Quality of Service) to applications that really need it. Let’s talk about how to control these applications using various tools.

For blocking sites, you can use a tool called SurfControl that needs to be installed on a gateway machine (which in our case was Windows 2000 Advanced Server). You can buy SurfControl for Rs 99,000 for 50 users from
During installation, SurfControl will prompt you to select the network segment that you want to monitor and control. After installing it, install MSDE (Microsoft’s SQL Data Engine). SurfControl provides its own version of MSDE, which contains SurfControl’s rules database as well. The software uses an SQL database to store Web filters and policies.

A report by SurfControl showing the top 10 sites visited and users who spent maximum time online

Before you can filter Web content, you need to stop all the SurfControl services. Do so by right clicking on the SurfControl icon in the system tray. After this create a database in SQL server. For this, open ‘Create MSDE/SQL Database’ from Start>Programs>SurfControl Web Filter. This will launch a wizard that will create a database in SQL. First the wizard will ask you the name of the server on which you would like to create the database. Give the name of the SQL server and click on Next. Then you will be asked to set the type of authentication for accessing the database. Here you have two authentication options, one is ‘Use Trusted Authentication’ and the other is ‘SQL Authentication’. We used the first one to keep it simple; this authentication mode uses Windows username and password for database access. When you click on Next, you will get the remaining options. Select all the options and click on Next and then on Finish. With this your SurfControl is ready for use.

SurfControl has built-in standard and real-time monitoring tools, which will give you detailed reports showing which machine is hogging how much bandwidth. It also shows which machines are accessing which websites. Now to create rules for filtering specific Web content, go to Start>Programs>SurfControl Web Filter>Rules Administrator. This will open a window showing you a few pre-created sample rules for corporate environments. You have to check the Rules box and click on Commit from the menu bar to apply changes. These sample rules restrict adult, gambling, online video/audio and hacking content. Rules can be applied based on IP addresses, MAC addresses, machine names and domain users.

It also has a wizard that guides you in creating rules according to your organizational needs. To create new rules click on ‘Add Rule Wizard’ from the toolbar. The rules can be of three types: Allow, Deny and Threshold. By default it is set to Allow.

If you need a Deny or Threshold rule, then check the option you want and click on Next to continue. Once this is done, the wizard follows a step-by-step procedure and asks you to specify the objects you wish to add to the rule. These objects are: Who, Where, When and Notify objects. You will also be asked for the status of the rule, active or inactive, and where you want this rule to appear in the Rules Administrator. This is important as rules are processed in a top-down manner, so whether a rule is triggered depends on what rules are given above it in the list. If you want to change any of these rules then click on Next. This will take you to a dialog box where you can configure each object. Finally, a Finish screen will appear where you can check the details of the rule objects that you have created and click on Finish. After creating all the rules remember to click on Commit in the toolbar, so that the rules that you have created can be applied.

Control Bandwidth: With ISA Server 2000

An important measure in controlling Internet access is to limit the bandwidth usage. This is needed so that no single user can hog all the bandwidth by running something like a download accelerator.

You can use Microsoft’s ISA Server 2000 to limit the amount of bandwidth. We’ll demonstrate how you can do so. Installing the server is a simple wizard driven process, so we’ll not get into that. Once installed, go to Start>Programs to access the Management console. Then double click on the server icon located on the left side of the window. Next double click on Policy Elements and right click on Bandwidth Priorities. Then choose New>Bandwidth Priority from the menu and enter low, medium or high (depending on what you want) and give a description in the description box. After this you will find two text boxes for specifying outgoing and incoming value ranging from one to 200. Fill these text boxes with the value. A higher value means higher priority. Finally, click on OK to finish.

You can allocate and prioritize bandwidth for different applications using ISA Server 2000

Now, to create bandwidth rules, open ISA Server’s Management console. Double click on the server icon to expand its tree.

Right click on Bandwidth Rules and select New>Bandwidth Rule. This will run a wizard, asking you the name for the new rule. Give a suitable name and click on Next. The wizard will now ask you to select the protocols you want to prioritize. After this click on Next. Here you can choose the time when the priority should be activated. Keep it to Always and click on Next.

Now you need to set the client type, who will be accessing the bandwidth. This will throw up three options: Any request, Specific computers and Specific users and groups. The first is self-explanatory. In the second, you need to specify the IP addresses of the clients, while in the third option you need to specify the user names in your domain. Finally, click on Finish to complete the process.

Block P2P apps: With P2PWatchDog
P2P applications such as Kazaa are among the biggest bandwidth hogs. Unfortunately, the trouble with Kazaa is that it’s a very smart application. It can dynamically change the ports it uses to access the Internet, so even if you block one port, it will go to another. Therefore, you can’t block Kazaa through simple port blocking mechanisms. You’ll have to use specific tools for doing so.

You may not want to stop all the fun. P2PWatchDog lets you block P2P applications during specified hours

Here, we’ve used a commercial application called P2PWatchDog. This tool kills P2P connections on the network and is available for Windows and Linux. You can download a fully functional evaluation version from, or purchase it online for around $200.

To block P2P applications on Linux, you can use FTwall. It’s an IPtables-based Linux firewall to block traffic to/from client software such as Kazaa and KazaaLite. (Read Block Kazaa, page 40, PCQuest, November 2003 on using various software to block P2P applications on Linux.) You can download the software from

Block public IMs: With TerminatorX
Public IMs such as AOL, MSN, Yahoo and ICQ consume significant amounts of bandwidth. We used a utility called TerminatorX to block public IMs. It has two small programs that can run on any Windows client. One is a black list generator that creates black lists of messengers or P2P applications that you may want to block. And the other is a terminator program that runs in the background and terminates these applications.

To implement this solution, copy the software to a shared folder on a server and execute the terminator program on the clients from the server, using a login script. This will run an instance of the terminator program on the clients’ machines. Alternatively, applications such as SurfControl can also prevent IM usage.

TerminatorX has an extensive list of chat clients and chat rooms that you can block

Control spam
An anti-spam solution is a must today. Anti-spam on the server end is much more effective than on the client systems. Along with this, you also need to ensure that users are aware of certain guidelines that could reduce the rate of spam. Most people, while sending mail to many people simultaneously, tend to put all the e-mail IDs in the ‘To:’ field of the mail client. This exposes the e-mail IDs of all the people, making it easier for spammers to get access to them. Therefore, a better practice is to put all the recipients in the BCC field. Most e-mail clients offer some basic form of spam control, such as rules to block senders on different criteria. In Outlook Express, for instance, select the mail you think is spam and select the option ‘Block Sender’ from the message menu. On the commercial front, most anti-virus software vendors have now also introduced anti-spam software. These include companies such as TrendMicro and Symantec.

Capture packets: With Ethereal
Lastly, we would like to recommend one tool for most network administrators: a packet-capture utility. You’ll find both free and commercial variants here. We’ve been using a freely available tool for both Linux and Windows, called Ethereal.

While there are many client-side spam-control software, spam is best controlled at the mail-server end. Not only does it conserve bandwidth, but also improves employee productivity

Packet-capture utilities are a quick way of determining what’s happening on your network. They can tell you the source and destination of packets for a whole range of different protocols, be it TCP, UDP or IPX. Ideally, you should install one on a notebook and plug it into various segments of your network to determine the traffic flow. First, determine the traffic patterns under normal conditions to get an idea of your network’s behavior. Then run it on a regular basis to spot anomalies. We found it to be a great way to detect worm activity on our network. For instance, many worms tend to spread by throwing a lot of ARP (Address Resolution Protocol) requests on the network. An infected machine will, therefore, generate a huge number of ARP packets, which can easily be captured by a packet-capture utility. You can then determine which machine is the culprit and resolve the issue.
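
The baseline-then-compare check described above, as an added example that is not part of the original article: it parses raw Ethernet frames, counts ARP requests per sender and flags hosts far above the busiest host in a normal-conditions capture. The function names, the factor and floor thresholds and the sample frames are assumptions constructed for illustration; in practice the frames would come from a capture taken with your packet-capture utility.

```python
import struct
from collections import defaultdict

ETHERTYPE_ARP, ARP_REQUEST = 0x0806, 1

def build_arp_request(mac, sender_ip, target_ip):
    """Build a broadcast ARP request frame (used only to construct sample data)."""
    eth = b"\xff" * 6 + mac + struct.pack("!H", ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_REQUEST)
    return eth + arp + mac + bytes(sender_ip) + b"\x00" * 6 + bytes(target_ip)

def parse_arp_request(frame):
    """Return (sender_ip, target_ip) for an untagged IPv4 ARP request, else None."""
    if len(frame) < 42 or frame[12:14] != struct.pack("!H", ETHERTYPE_ARP):
        return None
    if struct.unpack("!HHBBH", frame[14:22]) != (1, 0x0800, 6, 4, ARP_REQUEST):
        return None
    dotted = lambda raw: ".".join(str(b) for b in raw)
    return dotted(frame[28:32]), dotted(frame[38:42])

def per_host(frames):
    """Map sender IP -> (ARP requests sent, distinct addresses asked for)."""
    targets = defaultdict(list)
    for frame in frames:
        parsed = parse_arp_request(frame)
        if parsed:
            targets[parsed[0]].append(parsed[1])
    return {ip: (len(t), len(set(t))) for ip, t in targets.items()}

def anomalies(baseline, current, factor=5, floor=20):
    """Hosts whose request count exceeds factor x the busiest baseline host."""
    limit = max(floor, factor * max((n for n, _ in baseline.values()), default=0))
    return sorted((ip, n, d) for ip, (n, d) in current.items() if n > limit)

def sample_capture(infected=False):
    """Constructed frames: three quiet hosts, optionally one host sweeping the subnet."""
    frames = []
    for host in (10, 11, 12):
        mac = bytes([0x02, 0, 0, 0, 0, host])
        for target in (1, 1, 20, 1):  # mostly the gateway, plus one peer
            frames.append(build_arp_request(mac, (192, 168, 1, host), (192, 168, 1, target)))
    if infected:
        mac = bytes([0x02, 0, 0, 0, 0, 77])
        for target in range(1, 201):  # one request per address, like a sweep
            frames.append(build_arp_request(mac, (192, 168, 1, 77), (192, 168, 1, target)))
    frames.append(b"\x00" * 60)  # non-ARP frame, ignored by the parser
    return frames

if __name__ == "__main__":
    base = per_host(sample_capture())
    for ip, n, d in anomalies(base, per_host(sample_capture(infected=True))):
        print(f"{ip}: {n} ARP requests for {d} distinct addresses")
```

The distinct-address count is reported alongside the volume because a host asking for hundreds of different addresses is a stronger sign of a sweep than one repeatedly asking for its gateway.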

By Anindya Roy, Sanjay Majumder and Sushil Oswal
