Re: [K12OSN] Traffic monitoring

["Terrell Prude', Jr." <microman cmosnetworks com>]

We had the same problem for a while.  We came up with a cheaper 
idea--use our existing infrastructure to block those other types of 
traffic.  All you've got to do is do a little policy-based routing, the 
same basic type that you'd use to, say, block Code Red (our district 
does this).  Shuts it down COLD.  I'll assume you use cisco routers, 
since most people do, and the newer models, such as 2600's and 3600's 
(and up, of course) support this very nicely.  However, there is a 
little bit of a learning curve, and you must know TCP/IP pretty well 
(ports, IP headers, google for what to look for, etc.).  The learning 
curve's not horrible, but it's certainly there.

--TP

Chris Hobbs wrote:

> Hi All,
>
> I attended the California Educational Technology Professional 
> Association (CETPA) Annual Meeting/Convention last week, and now have 
> some new ideas for our district, but as always, I'm looking for free 
> solutions.
>
> One of the products I looked at (begrudgingly[1]) was a traffic 
> monitoring and reporting solution from LightSpeed Systems. Basically, 
> it monitors all traffic in/outbound, and reports on what it deems 
> inappropriate. This goes beyond web filtering, as it has the capacity 
> to look for inapppropriate content in instant messaging, e-mail (SMTP 
> as well as web), p2p file sharing, etc. It's big plus is ease of use 
> and nice reporting (anyone who has ever had to explain a squid log to 
> a superintendent or HR director can understand the importance of 
> this). If you're interested in seeing an example of the reporting, you 
> can check it out at <http://reports4.lightspeedsystems.com/>, assuming 
> you have IE since it requires it :( The price for the box and software 
> would be $10K, with another $2K annually for maintenance - not cheap.
>
> One feature that caught my ear was its ability to use Snort rules 
> natively, which means the next worm that comes around, you can easily 
> drop in a quick snort rule from your favorite mailing lists - pretty 
> slick.
>
> Of course, when I heard that, I immediately wondered if we couldn't 
> skip the middle-man and just use snort itself. It's been awhile since 
> I've played with it, so I installed the latest version this weekend at 
> home, and looked around.
>
> Sure enough, there is a short rule file called porn.rules. There are 
> also policy.rules for things like IM, though not content specific.
>
> ACID exists for reporting, though more involved reports might be 
> possible with other tools, such as Access or Crystal Reports, since 
> snort can log to a sql server.
>
> So in short, it looks doable. My question is whether anyone is already 
> doing so - snort is obviously designed to work as an intrusion 
> detection system, which explains its dearth of policy and porn rules. 
> Has anyone seen more complete lists of snort rules out there that 
> might be more appropriate for monitoring a school network?
>
> Thanks for the input!
>
> [1] I have no desire to be Big Brother. However, we have had incidnets 
> that demanded investigation. I'm sure there are many more that should 
> have been caught. While I have no desire to be the "network nazi", I 
> do belive the school network should be used for school activities. We 
> are nearing our current bandwidth limits, and I bet curtailing 
> inappropriate use would save us the cost of upgrading our pipe.