Web Traffic Auditing @ Ward Buildings

Discussions about Internet service providers (ISPs), the Meetinghouse Firewall, wired and wireless networking, usage, management, and support of Meetinghouse Internet
ccmichaelson-p40
New Member
Posts: 19
Joined: Wed Aug 20, 2008 9:29 am

Web Traffic Auditing @ Ward Buildings

Postby ccmichaelson-p40 » Thu Dec 04, 2008 3:43 pm

Background::
We have several ward buildings that are using the Cisco ASA routers locked down using the LDS restricted firewall setting/access. We are considering changing these ward buildings to the less restrictive mode (long story). I've search through all the forums and wasn't able to find the answer...

Question:
1) Is there a way to monitor web traffic at the ward building level (either by logging into a web page or having church HQ send a weekly/monthly report)?
2) If a problem arises, could I (Stake Technology Clerk) call global support and have them send me a list of websites visited?

In a nutshell, is there a way (without installation additional hardware/software) for me or a member of the Stake Presidency to audit traffic at a local building?

Thanks,
Cameron

techgy
Community Moderators
Posts: 3174
Joined: Sun Jan 13, 2008 6:48 pm
Location: California

Postby techgy » Thu Dec 04, 2008 8:40 pm

ccmichaelson wrote:Background::
We have several ward buildings that are using the Cisco ASA routers locked down using the LDS restricted firewall setting/access. We are considering changing these ward buildings to the less restrictive mode (long story). I've search through all the forums and wasn't able to find the answer...

Question:
1) Is there a way to monitor web traffic at the ward building level (either by logging into a web page or having church HQ send a weekly/monthly report)?
2) If a problem arises, could I (Stake Technology Clerk) call global support and have them send me a list of websites visited?

In a nutshell, is there a way (without installation additional hardware/software) for me or a member of the Stake Presidency to audit traffic at a local building?

Thanks,
Cameron


Cameron, to put it simply - NO. The GSD (global service desk) cannot provide you a report of the sites that have been visited and there's no easy way I know of to keep a copy locally.

You might be able to setup a proxy server and monitor the Internet from there, but my efforts in that regard resulted in problems between the proxy and the firewall. Someone else may have some ideas, but I do know you can't get it from HQ.

The computers should not be open to everyone to use without some supervision. If you're running a small family history room then you should have a FH consultant in the room when the computers are being used. If you're referring to the administrative computers in the clerk's office, then I'd expect access to those computers to be restricted to only those people who have keys to the clerk's office, which is usually limited.

ldsrussp
Member
Posts: 80
Joined: Wed Jul 16, 2008 4:34 pm

Postby ldsrussp » Tue Dec 09, 2008 8:08 am

I'll admit I have the same concerns. This is especially true in our Stake Center where the wireless was installed at the time of building construction and is managed/administered by Church headquarters so I can't even do mac filtering. I'm worried the password will get shared beyond where it should so being able to monitor what's going on would be nice.

User avatar
Mikerowaved
Community Moderators
Posts: 3131
Joined: Sun Dec 23, 2007 12:56 am
Location: Layton, UT

Postby Mikerowaved » Tue Dec 09, 2008 12:51 pm

If you are serious about network monitoring, seek out an IT specialist in your stake familiar with Wireshark (formerly called Ethereal), WinPCap, and man-in-the-middle promiscuous packet sniffing. You will need a spare PC (most PIII machines will work fine) running either Windows or (preferably) Linux with dual NICs. (You might consider searching your YM or YSA organizations for a qualified person. ;)) They should be able to set the filtering to provide a log of the information you're looking for.

Sorry, but there is no easy way to do it. There are a few ready-made software packages out there that might do what you want, but I have yet to find one that I like, or is as flexible (or affordable) as Wireshark, and all will require additional hardware (unless you only want to monitor wireless traffic).
So we can better help you, please edit your Profile to include your general location.

jmasters-p40
New Member
Posts: 13
Joined: Thu Feb 15, 2007 12:02 pm
Location: El Dorado Hills, Folsom Stk, California

Wireshark collects too much data

Postby jmasters-p40 » Fri Feb 06, 2009 3:10 am

You might want to consider using something OTHER than Wireshark. It collects TOO much data. You may want to consider instead setting up a localized proxy server or SOCKS or something to that effect that will keep local/logged copies of data requests and not keep info on every single packet like Wireshark does. And Wireshark is not easy to understand and is probably overkill, unless you need to look at packet contents or need to conduct network/security analysis. You can run into potentially problematic areas especially if you happen to have a member of a bishopric or stake presidency submit or receive web based email from the likes of yahoo (and its ilk). You 'll collect confidential information in those packets. (Yahoo has a secure login for getting into your account, but uses WIDE OPEN protocols for actually interfacing with webmail. I hate it, but Yahoo doesn't seem too interested in changing it... ATT uses Yahoo for webmail, fyi. And I suppose the NSA uses ATT... but I digress...)

Justin

User avatar
dtaylor26-p40
New Member
Posts: 16
Joined: Tue Apr 01, 2008 8:31 pm
Location: Ogden, Utah

Other network appliances?

Postby dtaylor26-p40 » Fri Feb 06, 2009 1:56 pm

If running wireless is an option, you might want to have the WAPs log the requests. I have seen that option in the Netgear WAPs I've installed, but I haven't used it. Most firewalls also have the ability to record the traffic, but I may be misleading you in this case- I haven't played around w/ the Church setup enough to know if that's possible. When I spoke with the GSD last week, I was told that aside from the website access, the rest of the firewall was fine to manage as I saw fit. I haven't read enough other posts to know if this conflicts w/ others, if it does, then I'm wrong.

Just some thoughts. My wife says most of mine usually aren't good ones, so take it for what it's worth. :)

techgy
Community Moderators
Posts: 3174
Joined: Sun Jan 13, 2008 6:48 pm
Location: California

Postby techgy » Fri Feb 06, 2009 2:18 pm

Logging of everything that goes through the network is bound to have an effect upon your response times. A better solution would be to try a product called "FreeProxy". It's free (as it's name implies). You would install it onto an extra PC and then redirect all network traffic to this proxy address.

It's purpose is to give you additional control over Internet access, but it also does a fairly good job of keeping a log of traffic. You can adjust it so it only logs files which exceed a specified size. You can experiment with this to get what you want.

jdlessley
Community Moderators
Posts: 6522
Joined: Sun Mar 16, 2008 11:30 pm
Location: USA, TX

Postby jdlessley » Fri Feb 06, 2009 10:07 pm

dtaylor26 wrote:Most firewalls also have the ability to record the traffic, but I may be misleading you in this case- I haven't played around w/ the Church setup enough to know if that's possible. When I spoke with the GSD last week, I was told that aside from the website access, the rest of the firewall was fine to manage as I saw fit.
Both the Cisco PIX 501 adaptive security appliance and the Cisco ASA 5505 adaptive security appliance, used by the Church and commonly referred to as firewalls, are managed by the Church. Access by local units is not possible since they are password protected and the passord(s) is (are) not given out. Therefore to manage any aspect of the appliance is impossible. You can indirectly manage some features by calling the GSD and requesting modifications. I guess you could ask to have the log file downloaded to a computer on the back side of the device and then access it that way.
JD Lessley
Have you tried finding your answer on the LDS.org Help Center page or the LDSTech wiki?

User avatar
Enigma1-p40
Church Employee
Church Employee
Posts: 41
Joined: Fri Jan 09, 2009 9:59 am
Location: Provo, Utah

Postby Enigma1-p40 » Wed Oct 14, 2009 10:57 am

russp wrote:I'll admit I have the same concerns. This is especially true in our Stake Center where the wireless was installed at the time of building construction and is managed/administered by Church headquarters so I can't even do mac filtering. I'm worried the password will get shared beyond where it should so being able to monitor what's going on would be nice.


If this happens Russ, get permission from your stake president and call us at the GSD and we can setup an alternate password for you. :)


Return to “Meetinghouse Internet”

Who is online

Users browsing this forum: No registered users and 1 guest