Monitor your network content
A content-monitoring system needs to be tailored to the number of workstations in your enterprise. If you are considering its use, the Internet connection and its capacity must also be taken into account. In most cases, content-monitoring systems are behind the firewall where it is easy to view all packets coming in and going out. The hub or switched port should be capable of mirroring all packets to a monitor port or to a mirror. A fast processor and a lot of RAM are optimal for capturing and reporting network traffic. Another important feature is a NIC with promiscuous mode operation for viewing all packets on the network. Use 100-Mbps cards in different locations so in the event the monitoring device gets loaded with packets from a hub or switch it can handle them instead of dropping them.
Once you have the optimal hardware installed, your system needs to filter network communications. Use words or phrases placed in subject type dictionaries. General words like games, news, sports, etc., will cause filtering of captured network traffic according to an algorithm, which looks for words and phrases found in the body of each message. If a message is flagged through the use of a filter, the monitoring software will perform an action. The only problem with this system is that some words will have various meanings and can be misinterpreted by the monitoring tool. While trying to preserve a modicum of employee privacy, be aware that knowledgeable employees can sometimes "fool" a content-monitoring system by using jargon that is easily misinterpreted by the monitoring system. There are some content-monitoring systems that use proprietary linguistic and mathematical analyses to monitor communications that fall outside of words and phrases collected in subject matter dictionaries. You might be able to add keywords but not edit or delete default dictionaries. For those systems that do allow editing, it can become time consuming and tedious to overhaul the entire dictionary.
Multiple site accesses from one URL request are often reported and extraneous material is often downloaded with a page. Cookies and banner advertisements are recorded as site accesses. Some systems allow you to compress duplicate hits to one site access strictly for reporting. Be aware that messages with overlapping content or categories will be reported in all matching categories so duplication will be present. Your hits may be inflated in some categories. Discerning the true number takes some time to decipher. Check out the latest content-monitoring systems and decide which one will give you the most for your money with the least amount of fine-tuning.
Barrie Sosinsky (firstname.lastname@example.org)is president of consulting company Sosinsky and Associates (Medfield MA). He has written extensively on a variety of computer topics. His company specializes in custom software (database and Web related), training and technical documentation.
Did you like this tip? Let us know via e-mail.
Dig deeper on Network Security Monitoring and Analysis