Juniper to log user browsing habits
I'm the network admin for a network of about 100 or so PCs. We have a Juniper SSG 140 for our firewall and DHCP server. I want to log employee browsing habits but Juniper does not seem to make it very easy - all I see are Syslog options and I got a syslog server running but it only shows IP addresses - not very helpful. Is there a way I can have something readable, such as username xyz went to this website at this time? Even the websites show just the IP addresses. I can't believe that equipment this expensive (the Juniper) doesn't have some solution that doesn't require me to write my own software to provide reverse DNS for every entry. I'd rather not reinvent the wheel if someone knows where I can get one.
Your best bet is to set up a proxy server to collect and possibly block internet access; unfortunately, most firewalls don't include that type of functionality.
If you know Linux the open source Squid proxy along with Sarg to analyze Squid logs is a good solution and really you'd only need an old workstation to run the software.
Otherwise you are pretty much stuck buying an expensive filtering app/appliance like Bluecoat or Surf Control.
Hmm.. The Juniper replaced our previous proxy server which was a Linux server with 7 NICs and Shorewall which ran very well and never had problems but couldn't handle the VLAN tags we needed for our WAN connections, which in addition to its VPN functionality is why we went with Juniper.
Sounds like another proprietary appliance locking us into their method of doing things - every time I turn around it's $1,500 for this and $1,500 for that on that thing. Something like $1,500 a year just to keep its anti-virus and Deep Inspection stuff working and updating properly.
If nothing else I might have to put a proxy in place between the Juniper and the LAN but that's sure adding another layer of complexity to the whole thing.
Oy. I wonder if Cisco would have been a better option.
Where I work, though it's all Mac, we use SonicWall. Seems to work well, you can block pages based on categories or custom preferences. Also, we have static IPs, a little more work, but easier to keep track of. Then you know who is with each machine, and you simply just create an admin account in the background, turn the login options so all they see are a line for username and password, they don't even have to know there is a separate account on the machine. On ours we are able to actually see what someone is doing.
I work for a school, but for example, one of my bosses in IT saw something on a student machine, froze the computer at a specific screen where the person was, then called the teacher. But on something like that you can actually browse the machine as though you are on it. So you could go to their IE or Firefox and look at browsing history there. Maybe that would be something to look at.
Bad thing about Cisco now is there are some reports that there's actually counterfeit Cisco equipment floating around, so if that's the case and you get one of those boxes, who knows what you are getting.
Also, something that may help, is we use imaging, so every year if we wanted to, we could actually make a master image that we could then load to each machine in the office. Same login and password, nice because if you have a crash, 15-20 minutes, you are back up and running again. Just everything gets done by computer name and IP address through our inventory. We can see which static IP is having probs. Nice on that end too, because if someone calls you and says their machine is having issues, grab it remotely by static IP, possibly fix what's wrong and you're set.
Nah, you would have had the same problems with a Cisco. When you get into an enterprise-grade firewall like a Cisco or Juniper, they are fairly specialized as to what they do (although they continue to add features); you lose some versatility but gain much more thorough packet inspection vs. an "all in one" type of device.
Give Squid a shot, I think you'll like it. Also, I'd imagine the Juniper has a protocol to allow traffic of a specified type, like port 80 and 443, to be automatically forwarded to the proxy; for Cisco devices it is called WCCP. This will eliminate the hassle of manually configuring a proxy on each workstation. It is an extremely useful feature and works well for my clients who use proxy servers.
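Added example, not part of the thread: a minimal Python sketch of the "who went where, and when" report the question asks for, built from Squid's default native `access.log` format (the kind of summary Sarg produces). The log lines, user name and addresses are constructed; the user field is only populated when Squid authenticates clients, so for traffic redirected transparently the report falls back to the client IP.

```python
from collections import defaultdict
from datetime import datetime, timezone
from urllib.parse import urlsplit

# Constructed sample in Squid's native access.log layout:
# time elapsed client action/code bytes method URL user hierarchy/peer type
SAMPLE_LOG = """\
1200000000.123    210 192.168.1.23 TCP_MISS/200 5120 GET http://www.example.com/index.html jsmith DIRECT/198.51.100.7 text/html
1200000042.500   1843 192.168.1.23 TCP_MISS/200 9301 CONNECT mail.example.org:443 jsmith DIRECT/203.0.113.10 -
1200000100.000     12 192.168.1.57 TCP_HIT/200 740 GET http://www.example.com/logo.png - NONE/- image/png
this line is truncated
"""

def parse_line(line):
    """Return (utc_time, client_ip, user_or_None, site), or None if malformed."""
    fields = line.split()
    if len(fields) < 10:
        return None
    try:
        when = datetime.fromtimestamp(float(fields[0]), tz=timezone.utc)
    except ValueError:
        return None
    client, method, url, user = fields[2], fields[5], fields[6], fields[7]
    if method == "CONNECT":
        # HTTPS through a proxy is logged as host:port only; no path is visible.
        site = url.rsplit(":", 1)[0]
    else:
        site = urlsplit(url).hostname or url
    return when, client, (None if user == "-" else user), site

def summarize(log_text):
    """Map each user (or client IP when no user was logged) to (time, site) visits."""
    visits = defaultdict(list)
    for line in log_text.splitlines():
        record = parse_line(line)
        if record is None:
            continue  # skip truncated or corrupt lines instead of aborting the report
        when, client, user, site = record
        visits[user or client].append((when.strftime("%Y-%m-%d %H:%M:%S"), site))
    return dict(visits)

if __name__ == "__main__":
    for who, entries in summarize(SAMPLE_LOG).items():
        for stamp, site in entries:
            print(f"{stamp} UTC  {who:15}  {site}")
```

When the report falls back to client IPs, mapping them to people still depends on stable addressing, such as DHCP reservations or the static IPs mentioned earlier in the thread.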