Lesson 4: Auditing Internet Access
To ensure that the Internet acceptable use policy is followed in an organization, you can enable Proxy Server 2.0 auditing to track all Internet access performed by the Proxy Server. Auditing enables an administrator to review the Internet resources that are accessed from the private network and ensure that only authorized resources are accessed. If unauthorized access is performed, the logs provide evidence and allow the administrator to implement restrictions to block further access.
After this lesson, you will be able to
- Develop an auditing strategy for tracking Internet access by private network users
Estimated lesson time: 30 minutes
Designing Proxy Server Auditing
Proxy Server 2.0 enables logging of actions performed by the Web Proxy, WinSock Proxy, and Socks Proxy services. The log data allows an administrator to review all Internet access. Unless logging is enabled, there's no way to ensure that the Proxy Server is properly configured and that employees are obeying Internet acceptable use policy.
By default, audit logs are written text files stored in the systemroot\system32\MSPlogs folder, where systemroot is the folder where Windows 2000 is installed. Proxy Server maintains the following logs for auditing Internet access:
- Web Proxy log (W3yymmdd.log). Audits all access performed by the Web Proxy service
- WinSock Proxy log (Wsyymmdd.log). Audits all access performed by the WinSock Proxy service
- Socks Proxy log (Spyymmdd.log). Audits all access performed by the Socks Proxy service
NOTE
Depending on the amount of logging, you can choose to create new log files every day, week, or month. The interval that you select will be based on the amount of data being logged and the amount of disk space available for storing the log files.
You can configure logging to use either regular logging or verbose logging. Verbose logging provides the most detail but requires more disk resources due to the additional information that's logged. Each of the three logs uses the same fields. Table 15.8 shows the data that's logged by the Proxy Server services when either regular logging or verbose logging is enabled.
Table 15.8 Fields Included in Proxy Server Logging
| Field Name | Regular Logging | Verbose Logging |
|---|---|---|
| Authentication Status (ClientAuthenticate) | X | |
| Bytes Received (BytesRecvd) | X | |
| Bytes Sent (BytesSent) | X | |
| Client Agent (ClientAgent) | X | |
| Client Computer Name (ClientIP) | X | X |
| Client Platform (ClientPlatform) | X | |
| Client User Name (ClientUserName) | X | X |
| Destination Address (DestHostIP) | X | |
| Destination Name (DestHost) | X | X |
| Destination Port (DestHostPort) | X | X |
| Log Date (LogTime) | X | X |
| Log Time (LogTime) | X | X |
| Object MIME (MimeType) | X | |
| Object Name (Uri) | X | X |
| Object Source (ObjectSource) | X | X |
| Operation (Operation) | X | |
| Processing Time (ProcessingTime) | X | |
| Protocol Name (Protocol) | X | X |
| Proxy Name (ServerName) | X | |
| Referring Server Name (ReferredServer) | X | |
| Result Code (ResultCode) | X | X |
| Service Name (Service) | X | X |
| Transport (Transport) | X |
Alternatively, you can log the proxy services to an Open Database Connectivity (ODBC)-compliant database such as a Microsoft SQL server. The advantage of using SQL Server is its improved search and management capabilities to review the logged data. The disadvantage is that ODBC logging uses more processor time than text-based logging. Before you implement ODBC logging you must determine whether the Proxy Server has any resource issues related to the processor.
NOTE
Proxy Server 2.0 includes SQL scripts for creating the SQL database tables required to store the Proxy Server logs.
Whatever method you choose for auditing, you must ensure that review of the logs is included in the Proxy Server administrator's regular actions. Unless the logs are reviewed, there's no way to ensure that the Proxy Server is functioning as expected. If you use ODBC logging, the database product provides query mechanisms to find data related to a specific user or protocol. If you use text logging, consider purchasing a third-party product, such as Seagate Crystal Reports, that provides reporting options for text-based log files.
Making the Decision
Table 15.9 outlines the design decisions that you face when implementing logging of Internet access.
Table 15.9 Designing Proxy Server Logging
| To | Do the Following |
|---|---|
| Examine Internet usage from the private network | Enable logging at the Proxy Server for the proxy services enabled on your network. |
| Conserve disk space related to logging at the Proxy Server | Implement regular logging rather than verbose logging. Use a daily interval for logging and move the older log files to other computers. Use ODBC logging and configure the logging to take place at a remote server. |
| Ensure that all information of a proxied session can be analyzed | Enable verbose logging to record more details about the proxied sessions. Configure the Proxy Server to stop all services if the log files are full. |
Applying the Decision
Wide World Importers must enable logging of the Web Proxy and WinSock Proxy services to meet the objective of logging all Internet usage. They will log to an ODBC data source such as SQL Server to facilitate the viewing of the logs. This allows the Proxy administrator to query for specific information within the log files, such as the protocol or user that requested the service, and to produce better reports of Internet usage.
To record the greatest amount of information, configure the Proxy Server to use verbose logging. Verbose logging records additional fields, such as Authentication data and the amount of data transmitted by the session.
Lesson Summary
Implementing a proxy service isn't enough to maintain security when private network users connect to the Internet. You must perform regular auditing of Internet usage to ensure that existing policies are being followed. Auditing will reveal the first indications of whether the Internet acceptable use policy needs updating. Auditing allows an administrator to secure the network by analyzing existing traffic patterns.
EAN: 2147483647
Pages: 172