Sunday, May 04, 2008

The Cheap Thrill of Using Enterprise Security Tools to Monitor Your Kid's Surfing Habits

One of the nice things about working for a security vendor is being able to run cool products on your home network (like when I brought a Cisco 7120 home!). And given the complexity of my home network (4-5 routing/forwarding devices, 2-3 switches, and 10-20 hosts up at any given time) it's not as much overkill as you might think.

The image below shows a 5-day view of my network events using LCE.

The 2nd row is the "firewall" category, which primarily consists of syslogs from my two Cisco 851s. The events drop off 2-3 days ago when I disabled the ACLs and forgot to turn them back on.


The last row is "web", where you'll see a spike during the last day.

What happened is I finally got squid up and running for my son so he could use the Linux box in his room. Yeah, normally a bad idea, but probably not relevant if you have security tools that cost as much as a midsize car watching your network.

If I drill down on the "web" events I find that they are all from squid logs (access.log) which I'm monitoring with an LCE client.

Most of the denies were to so I went into the whitelist and added that, which should flatten that plot.

Drilling down on the cache hits, I can see many of the thumbnails for one of the game sites I let him go to are being cached:

1209917543.808 7 TCP_HIT/200 19581 GET - NONE/- image/jpeg
1209917543.870 52 TCP_HIT/200 12089 GET - NONE/- image/jpeg
1209917543.871 4 TCP_HIT/200 15471 GET - NONE/- image/jpeg

And one of the misses shows the sort of games my 9-year-old likes to play.

1209906995.596 154086 TCP_MISS/503 1420 GET - DIRECT/ text/html
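As an added example (not code from the original post, and not LCE's own logic), here is a small Python parser for Squid's native access.log format that does the same drill-down by hand: tally hits, misses and denies, count which hosts the denies go to (the ones you'd consider whitelisting), add up bytes served from cache, and flag slow 5xx misses like the 154-second TCP_MISS/503 above. The log lines it runs on are constructed for this example; the hosts, client IP and origin IP are made up.

```python
"""Drill down on Squid native access.log lines the way the post does by hand.

Added example, not code from the original post or from LCE. The sample log
lines below are constructed for this example; hosts and IPs are made up.
"""
from collections import Counter
from urllib.parse import urlparse

# Squid native access.log fields (space separated):
# time elapsed_ms client result_code/status bytes method url ident hierarchy/peer content_type
SAMPLE_LOG = """\
1209917543.808 7 192.168.1.50 TCP_HIT/200 19581 GET http://games.example.com/thumbs/1.jpg - NONE/- image/jpeg
1209917543.870 52 192.168.1.50 TCP_HIT/200 12089 GET http://games.example.com/thumbs/2.jpg - NONE/- image/jpeg
1209917543.871 4 192.168.1.50 TCP_HIT/200 15471 GET http://games.example.com/thumbs/3.jpg - NONE/- image/jpeg
1209906995.596 154086 192.168.1.50 TCP_MISS/503 1420 GET http://games.example.com/play/race.swf - DIRECT/203.0.113.7 text/html
1209917600.123 0 192.168.1.50 TCP_DENIED/403 1430 GET http://cdn.example.net/static/app.js - NONE/- text/html
1209917601.456 0 192.168.1.50 TCP_DENIED/403 1430 GET http://cdn.example.net/static/style.css - NONE/- text/html
1209917602.789 0 192.168.1.50 TCP_DENIED/403 1430 CONNECT tracker.example.org:443 - NONE/- -
"""


def host_of(url):
    """Extract the destination host; CONNECT requests log host:port with no scheme."""
    if "://" in url:
        return urlparse(url).hostname or ""
    return url.split(":", 1)[0]


def parse_line(line):
    """Parse one native-format line into a dict, or return None for junk lines."""
    fields = line.split()
    if len(fields) < 10:
        return None
    code, _, status = fields[3].partition("/")
    try:
        return {
            "time": float(fields[0]),
            "elapsed_ms": int(fields[1]),
            "client": fields[2],
            "code": code,            # TCP_HIT, TCP_MISS, TCP_DENIED, ...
            "status": int(status),   # HTTP status the client received
            "bytes": int(fields[4]),
            "method": fields[5],
            "url": fields[6],
            "host": host_of(fields[6]),
            "peer": fields[8],       # NONE/- for hits and denies, DIRECT/<ip> for origin fetches
            "type": fields[9],
        }
    except ValueError:
        return None


def summarize(log_text, slow_ms=30000):
    """Tally result codes, denied hosts, cached bytes and slow server errors."""
    entries = [e for e in map(parse_line, log_text.splitlines()) if e]
    by_code = Counter(e["code"] for e in entries)
    # Hosts behind TCP_DENIED: the top entries are the whitelist candidates worth a look.
    denied_hosts = Counter(e["host"] for e in entries if e["code"] == "TCP_DENIED")
    # Any *_HIT variant (TCP_HIT, TCP_MEM_HIT, TCP_IMS_HIT, ...) was served from cache.
    cached_bytes = sum(e["bytes"] for e in entries if e["code"].endswith("HIT"))
    # A 5xx that took this long usually means the origin timed out, not a policy block.
    slow_errors = [e["url"] for e in entries
                   if e["status"] >= 500 and e["elapsed_ms"] >= slow_ms]
    return {
        "by_code": by_code,
        "denied_hosts": denied_hosts,
        "cached_bytes": cached_bytes,
        "slow_errors": slow_errors,
    }


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    for code, n in sorted(report["by_code"].items()):
        print(f"{code:12s} {n}")
    print("top denied host:", report["denied_hosts"].most_common(1))
    print("bytes served from cache:", report["cached_bytes"])
    print("slow server errors:", report["slow_errors"])
```

Run it against a real access.log by replacing SAMPLE_LOG with the file contents; the one format detail that trips people up is that CONNECT requests log a bare host:port rather than a URL, which is why host_of handles both forms.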

