Chapter 21

How Intranet Monitoring Software Works


In the last chapter, we saw how network administrators can block intranet users from visiting objectionable sites on the intranet using server software. But in many cases, intranet administrators want to do much more than simply block users from visiting objectionable sites. They may also want to track the overall usage of the Internet from inside the intranet, and be able to see in exquisite detail exactly how the Internet is being used: for example, to see the times of the greatest access, or which departments and subnets make the greatest use of the Internet. And they may want to track not only how people on the intranet are accessing the Internet, but also how they are using the intranet itself.

All that, and a lot more, can be done using intranet monitoring software. This is software that sits on a server, and monitors all traffic between the Internet and the intranet. It can also monitor all traffic on the intranet itself.

The software works by examining every IP packet coming into and going out of the intranet. It looks at both the IP header and the data itself. The intranet administrator decides what kind of traffic to track. For example, access to intranet and Internet Web servers, FTP (File Transfer Protocol) usage, access to newsgroups, use of e-mail, and Telnet could all be tracked using this software. The monitoring software can then log all that traffic in extraordinary detail. It can track the destination address as well as the originating address, the amount of data transferred, the time of day, and many other pieces of data. All that data is automatically put into a database that intranet administrators can use to create reports of just about any type.

This information can help intranet administrators in many ways. It can help them know when new bandwidth needs to be ordered or new servers need to be installed. And it can also tell them if inappropriate sites are often visited.

Some monitoring software goes beyond merely tracking usage, and allows administrators to set access rules for the entire corporation or for individual departments. For example, it will allow network administrators to lock out certain sites from the entire corporation, such as those that have pornographic material on them. And it can let them decide on a department-by-department basis what kind of Internet access should be allowed.

While this type of software is certainly helpful to intranet administrators, some intranet users may be leery of it. They may think that it has a "Big Brother" feel to it, that intranet administrators are violating their privacy, or watching in detail how they use their computers. While that is a possibility, when used correctly the software is there to help make sure that the network is functioning at top efficiency, not to snoop into other people's lives.

How Intranet Monitoring Software Works

Server software is available to allow for extensive monitoring of how intranet users access the Internet. Administrators may find it useful to know, in general, what kinds of sites are being visited, and may even want to track what sites individual users are visiting. It is possible to do much more detailed analysis as well, including how much individual users access the Internet, what hours are most heavily trafficked, and much more. The software can also customize how people are allowed to access the Internet and/or the intranet. All outgoing and incoming traffic must pass through the monitoring machine.

  1. The software uses packet filtering, much like filtering routers (see Chapter 13). Both look at the data in the header of every IP packet coming in and going out of the intranet, and every packet traveling across the intranet. However, they differ significantly: filtering routers make decisions about passing or dropping packets, while monitoring software simply lets the packets pass through and tracks information about them. Data such as the sender and destination address, the size of the packet, the type of Internet service involved (such as the Web or FTP), and the time of day are captured to a database.
  2. While all packets must pass through the server, the software does not necessarily put information about every packet into the database. For example, information about HTTP packets (World Wide Web), file transfer protocol packets (FTP), e-mail packets (SMTP), newsgroup packets (NNTP), and Telnet packets might be tracked, while streaming audio packets might be ignored.
  3. Software included with the server program allows network administrators to view and analyze intranet and Internet traffic to a remarkable degree. It can show the total amount of network traffic by the day and the hour, for example, and show in any hour which Internet sites were being accessed and how much data was being transferred. It can even show what sites individual users on the intranet were visiting, and the most popular sites visited in graph form.
  4. Some software goes beyond analysis, and allows intranet administrators to change the kind of Internet access allowed to intranet users, based on traffic, usage, and other factors. For example, an intranet administrator could allow only certain departments access to some Internet resources.
  5. The software could also allow intranet administrators to ban certain sites from being visited by the entire intranet. For example, if there are pornographic sites that analysis has shown intranet users are visiting, the administrator could set rules that would ban anyone from visiting those sites. The packet filtering software would then not allow in any packets from those sites.
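
Steps 1 through 3 can be sketched in a few lines of Python. This is an added example, not code from the book or from any monitoring product: it reads the IPv4 and TCP headers of each packet, logs only the tracked services to a database, passes every packet on, and produces an hour-by-service report. The port-to-service mapping, the table layout, the function names, and the sample packets (including port 7070 standing in for an untracked streaming service) are all assumptions made for the illustration.

```python
import socket
import sqlite3
import struct

# Tracked services by TCP port (assumed mapping); streaming audio is left out, so it is never logged.
TRACKED = {80: "HTTP", 21: "FTP", 25: "SMTP", 119: "NNTP", 23: "Telnet"}

def build_packet(src, dst, sport, dport, payload_len):
    """Build a minimal IPv4+TCP packet (constructed sample, checksums zeroed)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + payload_len, 0, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x18, 8192, 0, 0)
    return ip + tcp + bytes(payload_len)

def parse_header(pkt):
    """Return (src, dst, size, service), or None if untracked or malformed."""
    ihl = (pkt[0] & 0x0F) * 4 if pkt else 0  # header length field is in 32-bit words
    if ihl < 20 or len(pkt) < ihl + 4 or pkt[0] >> 4 != 4 or pkt[9] != 6:
        return None  # not a well-formed IPv4 packet carrying TCP
    size = struct.unpack("!H", pkt[2:4])[0]
    sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
    service = TRACKED.get(dport) or TRACKED.get(sport)  # request or reply side
    if service is None:
        return None
    return socket.inet_ntoa(pkt[12:16]), socket.inet_ntoa(pkt[16:20]), size, service

def monitor(captured):
    """Log tracked packets to a database; every packet is passed on, none dropped."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE traffic (hour INT, src TEXT, dst TEXT, bytes INT, service TEXT)")
    passed = 0
    for hour, pkt in captured:
        record = parse_header(pkt)
        if record:
            db.execute("INSERT INTO traffic VALUES (?, ?, ?, ?, ?)", (hour, *record))
        passed += 1  # unlike a filtering router, the monitor forwards everything
    return db, passed

def report(db):
    """Traffic per hour and service: (hour, service, packets, total bytes)."""
    return db.execute("SELECT hour, service, COUNT(*), SUM(bytes) FROM traffic "
                      "GROUP BY hour, service ORDER BY hour, service").fetchall()

# Constructed capture: (hour of day, raw packet), private and documentation-range addresses.
SAMPLE = [(9, build_packet("10.1.2.15", "203.0.113.10", 40000, 80, 100)),
          (9, build_packet("203.0.113.10", "10.1.2.15", 80, 40000, 1400)),
          (9, build_packet("10.1.3.7", "198.51.100.5", 40001, 21, 60)),
          (14, build_packet("10.1.2.15", "198.51.100.25", 40002, 25, 500)),
          (14, build_packet("10.1.3.7", "203.0.113.99", 40003, 7070, 1000))]  # untracked
```

Calling `monitor(SAMPLE)` and then `report(db)` on the returned database gives one row per hour and service; the port 7070 packet is counted as passed but leaves no row in the table.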