Sunday, February 14, 2010


Logging at the Gateway
The Internet functions as a “network of networks.” When a computer tries to make a connection to another computer, it first checks to see if the destination is on the same local network (subnetwork or subnet) as it is. If the destination is not on the same subnet, then the packet must be routed outside the network through what is commonly referred to as a “gateway.” The router that functions as the gateway is essentially the virtual in/out door from the organization’s network to the rest of the world. Many logging technologies are
then designed to capture and record all of the packets that enter and leave the
organization, or at least the header information that indicates the sender, recipient, and content of the message.
Gateway logging can be a useful tool in that it provides a central point of control for the network. However, it is difficult to accurately gauge how long an employee stares at a particular page, and if all that time (s)he is actually staring at that page or if (s)he has actually gone to lunch and returned later. Moreover, gateway logging can quite often be defeated by the use of encryption tools. A recent case involving the Scarfo family in the Philadelphia
organized crime scene was using PGP (a freely available encryption program) to code computer files which contained family business. Gateway logging (in this case, the gateway was the Internet service provider) did the FBI little good in identifying the contents of the messages, even though they had a search warrant. Another technology had to be used to get the information they desired, as is discussed below.
Sniffing at the Client
When gateway logging is not sufficient, another means of electronically monitoring connections is to monitor them at the source, or make a record at
the client’s machine. In the Scarfo case, the FBI did exactly that. They installed a keystroke logging program (whether it is hardware or software, and exactly how it got there, is still classified) on Scarfo’s computer. It recorded all of the keystrokes that he used, including the ones that made up his passphrase (a series of words used in PGP, much longer than a password). Once the FBI had
his passphrase, they could decode his messages and then had the evidence to
make the arrest.
Client sniffing programs are excellent at recording exactly what the user is doing with the computer at any given time. Many will not only record all of the keystrokes that the user makes, but also will calculate mouse movements and active windows, allowing the reconstruction of the entire computing session. Moreover, they capture undesirable activity that may not be directly network related, such as playing games and typing job application letters. However, these programs are not without their own faults. First of all, the manager must install the program on the user’s computer, which may not be as easy as it sounds, especially with laptop and other mobile computers. Second, the program must not be detectable (and thus able to be compromised) by the monitored employees. Third, the program must work on a variety of operating
systems, including different flavors of Windows, Unix, Linux, and Macintosh, in order to work with all computers. This is not a limitation of gateway logging, as network protocols such as TCP/IP tend to be device independent. Next, the manager has to actually get access to the data captured by the program. Finally, the manager must be able to sift through the mountains of generated data to determine whether or not there is any untoward activity, or enough of it to warrant further investigation. This all being said, there are products available which meet the above concerns to varying degrees, and the next section will discuss some of those products.

No comments:

Post a Comment