Web Traffic Auditing @ Ward Buildings
-
- New Member
- Posts: 19
- Joined: Wed Aug 20, 2008 10:29 am
Web Traffic Auditing @ Ward Buildings
Background::
We have several ward buildings that are using the Cisco ASA routers locked down using the LDS restricted firewall setting/access. We are considering changing these ward buildings to the less restrictive mode (long story). I've search through all the forums and wasn't able to find the answer...
Question:
1) Is there a way to monitor web traffic at the ward building level (either by logging into a web page or having church HQ send a weekly/monthly report)?
2) If a problem arises, could I (Stake Technology Clerk) call global support and have them send me a list of websites visited?
In a nutshell, is there a way (without installation additional hardware/software) for me or a member of the Stake Presidency to audit traffic at a local building?
Thanks,
Cameron
We have several ward buildings that are using the Cisco ASA routers locked down using the LDS restricted firewall setting/access. We are considering changing these ward buildings to the less restrictive mode (long story). I've search through all the forums and wasn't able to find the answer...
Question:
1) Is there a way to monitor web traffic at the ward building level (either by logging into a web page or having church HQ send a weekly/monthly report)?
2) If a problem arises, could I (Stake Technology Clerk) call global support and have them send me a list of websites visited?
In a nutshell, is there a way (without installation additional hardware/software) for me or a member of the Stake Presidency to audit traffic at a local building?
Thanks,
Cameron
-
- Community Moderators
- Posts: 3183
- Joined: Sun Jan 13, 2008 6:48 pm
- Location: California
ccmichaelson wrote:Background::
We have several ward buildings that are using the Cisco ASA routers locked down using the LDS restricted firewall setting/access. We are considering changing these ward buildings to the less restrictive mode (long story). I've search through all the forums and wasn't able to find the answer...
Question:
1) Is there a way to monitor web traffic at the ward building level (either by logging into a web page or having church HQ send a weekly/monthly report)?
2) If a problem arises, could I (Stake Technology Clerk) call global support and have them send me a list of websites visited?
In a nutshell, is there a way (without installation additional hardware/software) for me or a member of the Stake Presidency to audit traffic at a local building?
Thanks,
Cameron
Cameron, to put it simply - NO. The GSD (global service desk) cannot provide you a report of the sites that have been visited and there's no easy way I know of to keep a copy locally.
You might be able to setup a proxy server and monitor the Internet from there, but my efforts in that regard resulted in problems between the proxy and the firewall. Someone else may have some ideas, but I do know you can't get it from HQ.
The computers should not be open to everyone to use without some supervision. If you're running a small family history room then you should have a FH consultant in the room when the computers are being used. If you're referring to the administrative computers in the clerk's office, then I'd expect access to those computers to be restricted to only those people who have keys to the clerk's office, which is usually limited.
-
- Member
- Posts: 85
- Joined: Wed Jul 16, 2008 5:34 pm
I'll admit I have the same concerns. This is especially true in our Stake Center where the wireless was installed at the time of building construction and is managed/administered by Church headquarters so I can't even do mac filtering. I'm worried the password will get shared beyond where it should so being able to monitor what's going on would be nice.
- Mikerowaved
- Community Moderators
- Posts: 4734
- Joined: Sun Dec 23, 2007 12:56 am
- Location: Layton, UT
If you are serious about network monitoring, seek out an IT specialist in your stake familiar with Wireshark (formerly called Ethereal), WinPCap, and man-in-the-middle promiscuous packet sniffing. You will need a spare PC (most PIII machines will work fine) running either Windows or (preferably) Linux with dual NICs. (You might consider searching your YM or YSA organizations for a qualified person. ) They should be able to set the filtering to provide a log of the information you're looking for.
Sorry, but there is no easy way to do it. There are a few ready-made software packages out there that might do what you want, but I have yet to find one that I like, or is as flexible (or affordable) as Wireshark, and all will require additional hardware (unless you only want to monitor wireless traffic).
Sorry, but there is no easy way to do it. There are a few ready-made software packages out there that might do what you want, but I have yet to find one that I like, or is as flexible (or affordable) as Wireshark, and all will require additional hardware (unless you only want to monitor wireless traffic).
So we can better help you, please edit your Profile to include your general location.
-
- New Member
- Posts: 10
- Joined: Thu Feb 15, 2007 12:02 pm
- Location: El Dorado Hills, Folsom Stk, California
Wireshark collects too much data
You might want to consider using something OTHER than Wireshark. It collects TOO much data. You may want to consider instead setting up a localized proxy server or SOCKS or something to that effect that will keep local/logged copies of data requests and not keep info on every single packet like Wireshark does. And Wireshark is not easy to understand and is probably overkill, unless you need to look at packet contents or need to conduct network/security analysis. You can run into potentially problematic areas especially if you happen to have a member of a bishopric or stake presidency submit or receive web based email from the likes of yahoo (and its ilk). You 'll collect confidential information in those packets. (Yahoo has a secure login for getting into your account, but uses WIDE OPEN protocols for actually interfacing with webmail. I hate it, but Yahoo doesn't seem too interested in changing it... ATT uses Yahoo for webmail, fyi. And I suppose the NSA uses ATT... but I digress...)
Justin
Justin
- dtaylor26-p40
- New Member
- Posts: 16
- Joined: Tue Apr 01, 2008 9:31 pm
- Location: Ogden, Utah
Other network appliances?
If running wireless is an option, you might want to have the WAPs log the requests. I have seen that option in the Netgear WAPs I've installed, but I haven't used it. Most firewalls also have the ability to record the traffic, but I may be misleading you in this case- I haven't played around w/ the Church setup enough to know if that's possible. When I spoke with the GSD last week, I was told that aside from the website access, the rest of the firewall was fine to manage as I saw fit. I haven't read enough other posts to know if this conflicts w/ others, if it does, then I'm wrong.
Just some thoughts. My wife says most of mine usually aren't good ones, so take it for what it's worth.
Just some thoughts. My wife says most of mine usually aren't good ones, so take it for what it's worth.
-
- Community Moderators
- Posts: 3183
- Joined: Sun Jan 13, 2008 6:48 pm
- Location: California
Logging of everything that goes through the network is bound to have an effect upon your response times. A better solution would be to try a product called "FreeProxy". It's free (as it's name implies). You would install it onto an extra PC and then redirect all network traffic to this proxy address.
It's purpose is to give you additional control over Internet access, but it also does a fairly good job of keeping a log of traffic. You can adjust it so it only logs files which exceed a specified size. You can experiment with this to get what you want.
It's purpose is to give you additional control over Internet access, but it also does a fairly good job of keeping a log of traffic. You can adjust it so it only logs files which exceed a specified size. You can experiment with this to get what you want.
-
- Community Moderators
- Posts: 9858
- Joined: Mon Mar 17, 2008 12:30 am
- Location: USA, TX
Both the Cisco PIX 501 adaptive security appliance and the Cisco ASA 5505 adaptive security appliance, used by the Church and commonly referred to as firewalls, are managed by the Church. Access by local units is not possible since they are password protected and the passord(s) is (are) not given out. Therefore to manage any aspect of the appliance is impossible. You can indirectly manage some features by calling the GSD and requesting modifications. I guess you could ask to have the log file downloaded to a computer on the back side of the device and then access it that way.dtaylor26 wrote:Most firewalls also have the ability to record the traffic, but I may be misleading you in this case- I haven't played around w/ the Church setup enough to know if that's possible. When I spoke with the GSD last week, I was told that aside from the website access, the rest of the firewall was fine to manage as I saw fit.
JD Lessley
Have you tried finding your answer on the ChurchofJesusChrist.org Help Center or Tech Wiki?
Have you tried finding your answer on the ChurchofJesusChrist.org Help Center or Tech Wiki?
- Enigma1-p40
- New Member
- Posts: 41
- Joined: Fri Jan 09, 2009 9:59 am
- Location: Provo, Utah
If this happens Russ, get permission from your stake president and call us at the GSD and we can setup an alternate password for you.russp wrote:I'll admit I have the same concerns. This is especially true in our Stake Center where the wireless was installed at the time of building construction and is managed/administered by Church headquarters so I can't even do mac filtering. I'm worried the password will get shared beyond where it should so being able to monitor what's going on would be nice.