Over the past week, I have worked with a number of people who wanted to know if their Internet filter was working. There are the obvious things to do, like trying to access blocked websites yourself. However, in today's world a lot of other applications use the standard web ports 80 (HTTP) and 443 (HTTPS), so trying to test for all of this activity becomes a time-consuming task.
The list of applications and services which are Internet or cloud-based is growing by the day. I find it a struggle sometimes trying to keep up with what's the latest file sharing service or what's the new way to stream music and video from the Internet. For this post, I am going to look at ways you can monitor unusual activity on your Internet gateway.
Your proxy or filtering system may be able to provide you with some reporting, but my experience is that most of these systems are good at filtering and providing proxy services but poor at reporting. I regularly come across networks where the network manager has to grant access to certain sites for some users but block them for others.
As an analogy, your Internet filter is like security personnel outside a venue. They will do a good job blocking people with no tickets or who don't adhere to the dress code. However, some will always sneak through, and this is where a security camera can complement the job of the security personnel. The footage can be watched in real time, or reviewed after the event if a certain incident needs to be investigated. A network monitoring system can be seen as cameras watching over what is going on, so that everything keeps running efficiently. I am not talking big brother here, more the practice of watching out for anomalies which may cause bigger problems.
My advice to anyone wanting to keep a close eye on what is happening on an Internet connection is to implement some sort of monitoring solution. Ideally, you need to monitor all connections going to and from the Internet and perform deep packet inspection (DPI) on network packets. DPI will help to identify applications like BitTorrent and music streaming services which use the standard web ports.
It is relatively easy to get monitoring in place. You just need to identify where your firewall, proxy or Internet gateway device connects to your local network. If you are unsure where to start, I looked at ways of discovering your network core in a previous post. Once you find the network switch where these devices connect, you need to set up port mirroring. Port mirroring allows you to take a copy of the Internet traffic without impacting performance.
There are many tools and applications available which can look at this network data, from free applications like Wireshark to systems which offer a single-pane-of-glass view into all Internet activity. Whatever system you choose, make sure it can do most of the following:
- Provide reporting on the top clients and users based on traffic volumes.
- Has the ability to look inside proxy traffic so that you can see what sites users are accessing via your proxy servers.
- Allows you to create reports which look at the total volume of data coming into and out of your network.
- Includes DPI features so that you can detect applications like BitTorrent, file sharing and music streaming services. DPI systems will also help to detect zombies (compromised hosts under remote control) on your network.
- Includes a search facility so that you can search for specific words within website names like share, upload, download, box.
A lot of the free tools won't have many of these features. However, using something like Wireshark and the following steps, you can check for specific activity on your Internet connection.
- Install a packet capture application on a laptop.
- Close down all applications and services on this laptop which may use Internet connectivity.
- Start capturing packets and access the service that you want to check for. If it's a file sharing or music streaming service you may need to install a client to test the service.
- Watch the connections appearing in your packet capture application. You will be looking for external IP addresses associated with the service.
- Look up the IP addresses via an Internet search engine to find the full address range they belong to. You should end up with something like 192.168.0.0/16, which is referred to as a subnet. Many services use multiple subnets, so watch for this in the search results.
- Close down all applications on your laptop except for the packet capturing application.
- Move your laptop to the core network switch and plug into the port where mirroring is setup.
- Filter the traffic based on the IP subnet(s) you found earlier. If you get results, then other users on your network may be running the applications in question and your Internet filter is not working as expected.
- If you want to check for BitTorrent activity, watch out for connections where both the source and destination port (TCP or UDP) numbers are high. This is not easy to do, and I would always recommend getting a proper system which can do DPI for detecting this activity.
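The steps above boil down to two checks on the mirrored traffic: match destination addresses against the subnets you looked up, and flag flows where both ports are high. The following script is an added example, not code from the original post or from NetFort; it works on flow records exported from a capture tool (timestamp, source IP and port, destination IP and port, protocol). The sample flows, the internal 10.0.0.x hosts and the "service" subnets are constructed placeholders in documentation address ranges, and the port threshold of 1024 is an assumption standing in for the post's "high port" rule.

```python
"""Check exported flow records against known service subnets and a high-port heuristic."""
import ipaddress
from collections import Counter

# Constructed sample flows (not a real capture). Columns:
# timestamp, source IP, source port, destination IP, destination port, protocol.
SAMPLE_FLOWS = """\
2024-01-01T09:00:01 10.0.0.15 52344 203.0.113.10 443 TCP
2024-01-01T09:00:02 10.0.0.15 52345 203.0.113.11 443 TCP
2024-01-01T09:00:03 10.0.0.22 51001 198.51.100.7 80 TCP
2024-01-01T09:00:04 10.0.0.31 61234 192.0.2.200 51413 UDP
2024-01-01T09:00:05 10.0.0.31 61234 192.0.2.201 6881 TCP
2024-01-01T09:00:06 10.0.0.40 49152 198.51.100.9 443 TCP
"""

# Placeholder subnets standing in for the ranges you found by looking up the
# service's addresses. Replace with the real ranges from your own look-up.
SERVICE_SUBNETS = {
    "example-streaming": ["203.0.113.0/24"],
    "example-filesharing": ["192.0.2.0/24"],
}


def parse_flows(text):
    """Turn whitespace-separated flow lines into dicts; malformed lines are skipped."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue
        ts, src, sport, dst, dport, proto = parts
        flows.append({"ts": ts, "src": src, "sport": int(sport),
                      "dst": dst, "dport": int(dport), "proto": proto})
    return flows


def match_subnets(flows, subnets):
    """For each service, count how many flows each internal host sent to its subnets.

    Returns {service: {source_ip: flow_count}}; a host appearing here is a user
    reaching the service despite the filter.
    """
    nets = {svc: [ipaddress.ip_network(s) for s in ranges]
            for svc, ranges in subnets.items()}
    hits = {svc: Counter() for svc in subnets}
    for flow in flows:
        dst = ipaddress.ip_address(flow["dst"])
        for svc, ranges in nets.items():
            if any(dst in net for net in ranges):
                hits[svc][flow["src"]] += 1
    return {svc: dict(counter) for svc, counter in hits.items()}


def high_port_flows(flows, threshold=1024):
    """Heuristic from the post: both source and destination port above the
    well-known range. Assumed threshold of 1024; expect false positives, which
    is why the post recommends DPI for a reliable answer."""
    return [f for f in flows
            if f["sport"] > threshold and f["dport"] > threshold]


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    for svc, hosts in match_subnets(flows, SERVICE_SUBNETS).items():
        print(f"{svc}: {hosts or 'no hosts seen'}")
    for f in high_port_flows(flows):
        print(f"high-port {f['proto']} flow: {f['src']}:{f['sport']} -> "
              f"{f['dst']}:{f['dport']}")
```

Run against the sample, the script reports that 10.0.0.15 reached the streaming subnet twice and 10.0.0.31 reached the file-sharing subnet twice; the two 10.0.0.31 flows are also the only ones flagged by the high-port heuristic. The flows to 198.51.100.x match nothing and are left alone, which is the point of filtering on the subnets you looked up rather than eyeballing every connection.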
Darragh Delaney is head of technical services at NetFort Technologies. As Director of Technical Services and Customer Support, he interacts on a daily basis with NetFort customers and is responsible for the delivery of a high quality technical and customer support service.
This story, "How Do I Know if My Internet Filter is Working?" was originally published by Computerworld.