Sunday, May 04, 2008

The Cheap Thrill of Using Enterprise Security Tools to Monitor Your Kid's Surfing Habits

One of the nice things about working for a security vendor is being able to run cool products on your home network (like when I brought a Cisco 7120 home!). And given the complexity of my home network (4-5 routing/forwarding devices, 2-3 switches, and 10-20 hosts up at any given time) it's not as much overkill as you might think.

The image below shows a 5-day view of my network events using LCE.

The 2nd row is the "firewall" category, which primarily consists of syslogs from my two Cisco 851's. The events drop off 2-3 days ago when I disabled the ACLs and forgot to turn them back on.

Oops.



The last row is "web", where you'll see a spike during the last day.

What happened is I finally got squid up and running for my son so he could use the Linux box in his room. Yeah, normally a bad idea, but probably not relevant if you have security tools that cost as much as a midsize car watching your network.

If I drill down on the "web" events I find that they are all from squid logs (access.log), which I'm monitoring with an LCE client.



Most of the denies were to sb.google.com, so I went into the whitelist and added that, which should flatten that plot.

Drilling down on the cache hits, I can see many of the thumbnails for one of the game sites I let him go to are being cached:

1209917543.808 7 192.168.2.170 TCP_HIT/200 19581 GET http://media.y8.com/gfx/y8bartender1.jpg - NONE/- image/jpeg
1209917543.870 52 192.168.2.170 TCP_HIT/200 12089 GET http://media.y8.com/gfx/thumb_399.jpg - NONE/- image/jpeg
1209917543.871 4 192.168.2.170 TCP_HIT/200 15471 GET http://media.y8.com/gfx/y8family_restaurant.jpg - NONE/- image/jpeg

And one of the misses shows the sort of games my 9-year-old likes to play.

1209906995.596 154086 192.168.2.170 TCP_MISS/503 1420 GET http://y8.com/tags/Killing - DIRECT/y8.com text/html
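To turn access.log lines like these into the per-client hit/miss/deny breakdown the post is drilling into, here is a small parser for Squid's native log format. It is an added example, not the post's own tooling and nothing from LCE; the three TCP_HIT lines and the TCP_MISS line are the ones quoted above, while the TCP_DENIED line (and its sb.google.com path) is constructed to stand in for the denies the post mentions.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Squid native access.log layout (10 whitespace-separated fields):
# time elapsed_ms client code/status bytes method url ident hierarchy/peer type
SQUID_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<code>[A-Z_]+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+(?P<method>\S+)\s+"
    r"(?P<url>\S+)\s+(?P<ident>\S+)\s+(?P<hier>\S+)\s+(?P<ctype>\S+)$"
)

# Constructed sample: first four lines are from the post, the TCP_DENIED line is made up.
SAMPLE_LOG = """\
1209917543.808 7 192.168.2.170 TCP_HIT/200 19581 GET http://media.y8.com/gfx/y8bartender1.jpg - NONE/- image/jpeg
1209917543.870 52 192.168.2.170 TCP_HIT/200 12089 GET http://media.y8.com/gfx/thumb_399.jpg - NONE/- image/jpeg
1209917543.871 4 192.168.2.170 TCP_HIT/200 15471 GET http://media.y8.com/gfx/y8family_restaurant.jpg - NONE/- image/jpeg
1209906995.596 154086 192.168.2.170 TCP_MISS/503 1420 GET http://y8.com/tags/Killing - DIRECT/y8.com text/html
1209917600.100 1 192.168.2.170 TCP_DENIED/403 1400 GET http://sb.google.com/placeholder/path - NONE/- text/html
"""

def host_of(url):
    """Host part of a logged URL; CONNECT requests log bare host:port, not a URL."""
    if "://" in url:
        return urlsplit(url).hostname or ""
    return url.split(":", 1)[0]

def parse_line(line):
    """Return a dict of fields for one native-format line, or None if it does not match."""
    m = SQUID_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["host"] = host_of(rec["url"])
    return rec

def summarize(log_text):
    """Per client: count result codes, tally denied hosts, and list slow/failed (5xx) fetches."""
    by_client = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip lines that are not native-format entries
        c = by_client.setdefault(rec["client"],
                                 {"codes": Counter(), "denied_hosts": Counter(), "errors": []})
        c["codes"][rec["code"]] += 1
        if rec["code"] == "TCP_DENIED":
            c["denied_hosts"][rec["host"]] += 1  # candidates for whitelist review
        if rec["status"].startswith("5"):
            c["errors"].append((rec["host"], rec["url"], int(rec["elapsed"])))
    return by_client
```

The `denied_hosts` counter is what tells you which host is dominating the deny spike before you touch the whitelist, and the `errors` list surfaces entries like the 154-second 503 above that an aggregate plot would hide.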
