On 20/03/2014 19:37, A Mohan Rao wrote:
Ok,
Actually I have 600 internet users and I have a 22 Mbps leased line.
I'm not giving any users full permission, but some users go out of
the way with lots of free proxy sites to download videos or movies;
that's why I need to watch that user's https and ftp traffic.
Consider what problems you are trying to solve:
* Some people are using excessive amounts of limited resources (bandwidth)
* Some people are using the network for purposes not related to their
work or studies
* Some people are using the network for undesirable or maybe even
illegal activities
What you need is called an AUP - Acceptable Use Policy. In that you define:
* What users are allowed and are not allowed to do
* That they consent to their use being monitored and logged
* What the consequences of failing to comply are
For example if this is a university environment, you can say that their
access may be suspended or withdrawn, and that they may also be subject
to the university disciplinary procedure, up to and including expulsion.
All users need to read (and preferably sign) this document. They can do
this as part of getting access, e.g. at enrollment time.
Then you monitor your users. There are a bunch of different tools for
this: my favourite is Netflow, which together with collection tools
(e.g. nfdump and nfsen) can quickly identify, say, the top 10 bandwidth
hogs on your network over a chosen time range, and then lets you drill
down into the detail of exactly what they were doing, in terms of the
network addresses and ports they were communicating with.
Another is Snort, which can identify suspicious activity like
virus-infected machines and bittorrent. (There are legitimate uses for
bittorrent of course - but your Netflow data will tell you how much they
were uploading or downloading, and you can investigate further.)
If this is an open computer lab, then maybe a bit of "shoulder surfing"
will do the trick.
Finally, you need to be able to associate traffic on an IP address with
an individual. If you can get users to log in to the network before they
use it, e.g. using a captive portal, or WPA Enterprise on wireless,
that's ideal. Or if they are logging into an Active Directory domain
that may give you the information you need. Using ARP and bridge
forwarding tables, you can identify an IP address down to which physical
port they are plugged into.
Ultimately this is an issue of behaviour and discipline, not technology.
A firewall can't decide what's acceptable or not. And as you've found
yourself, any technology blocks you put in place will be circumvented by
those clever enough, whilst inconveniencing the rest of your users.
Regards,
Brian.
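As an added example (not code from this thread, from Brian, or from the nfdump/nfsen projects), the script below does in a few dozen lines what Brian describes doing with Netflow and then ARP/bridge tables: it aggregates flow records into a top-N list of internal hosts by bytes downloaded and uploaded, drills into one host to show which remote addresses, protocols and ports the bytes went to, and finally resolves that host's IP to a MAC, a switch port and a logged-in user. All input is constructed inline: the flow records mimic the column layout of `nfdump -o csv` but are invented, the ARP lines follow the FreeBSD `arp -an` format, and the bridge-table and captive-portal session mappings (`BRIDGE_TABLE`, `PORTAL_SESSIONS`), the 10.0.0.0/8 "internal" range and all addresses and names are assumptions.

```python
"""Top-talker report, per-host drill-down, and IP -> MAC -> port -> user lookup.

Added example; all data below is constructed and hypothetical.
"""
import csv
import io
import ipaddress
import re
from collections import defaultdict

# Constructed flow records in the column layout of `nfdump -o csv` (subset).
FLOWS_CSV = """\
ts,src,dst,proto,sport,dport,bytes
2014-03-20 09:01:02,10.1.1.25,198.51.100.7,TCP,51234,443,2000000
2014-03-20 09:01:02,198.51.100.7,10.1.1.25,TCP,443,51234,450000000
2014-03-20 09:40:11,10.1.1.25,203.0.113.9,TCP,51300,443,1500000
2014-03-20 09:40:11,203.0.113.9,10.1.1.25,TCP,443,51300,300000000
2014-03-20 10:05:00,10.1.1.30,192.0.2.10,TCP,40000,21,20000
2014-03-20 10:05:30,192.0.2.10,10.1.1.30,TCP,20,40001,80000000
2014-03-20 10:12:45,10.1.1.31,198.51.100.20,TCP,50001,80,50000
2014-03-20 10:12:45,198.51.100.20,10.1.1.31,TCP,80,50001,3000000
2014-03-20 10:12:44,10.1.1.31,198.51.100.53,UDP,50002,53,500
"""

# Constructed `arp -an` output (FreeBSD/pfSense format) and hypothetical
# bridge-forwarding and captive-portal session tables.
ARP_OUTPUT = """\
? (10.1.1.25) at 00:11:22:33:44:55 on igb1 expires in 1190 seconds [ethernet]
? (10.1.1.30) at 00:11:22:33:44:66 on igb1 expires in 900 seconds [ethernet]
"""
BRIDGE_TABLE = {"00:11:22:33:44:55": "sw1 port 7", "00:11:22:33:44:66": "sw1 port 12"}
PORTAL_SESSIONS = {"00:11:22:33:44:55": "student0425"}

INTERNAL = ipaddress.ip_network("10.0.0.0/8")  # assumed campus address range


def parse_flows(text):
    """Parse the CSV into dicts with integer ports and byte counts."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for r in rows:
        r["sport"], r["dport"], r["bytes"] = int(r["sport"]), int(r["dport"]), int(r["bytes"])
    return rows


def is_internal(ip):
    return ipaddress.ip_address(ip) in INTERNAL


def top_talkers(flows, n=10):
    """Return [(ip, bytes_in, bytes_out)] for internal hosts, largest total first."""
    stats = defaultdict(lambda: [0, 0])  # ip -> [downloaded, uploaded]
    for f in flows:
        if is_internal(f["dst"]):
            stats[f["dst"]][0] += f["bytes"]
        if is_internal(f["src"]):
            stats[f["src"]][1] += f["bytes"]
    ranked = sorted(stats.items(), key=lambda kv: kv[1][0] + kv[1][1], reverse=True)
    return [(ip, b_in, b_out) for ip, (b_in, b_out) in ranked[:n]]


def drill_down(flows, host):
    """Return [(peer, proto, remote_port, bytes)] for one host, largest first.

    The remote port is the peer's port, so a client talking to a web proxy
    over 443 shows up as (proxy_ip, 'TCP', 443) in both directions.
    """
    peers = defaultdict(int)
    for f in flows:
        if f["src"] == host:
            peers[(f["dst"], f["proto"], f["dport"])] += f["bytes"]
        elif f["dst"] == host:
            peers[(f["src"], f["proto"], f["sport"])] += f["bytes"]
    return sorted(((p, pr, port, b) for (p, pr, port), b in peers.items()),
                  key=lambda t: t[3], reverse=True)


def parse_arp(text):
    """Map IP -> MAC from `arp -an` style lines."""
    return dict(re.findall(r"\((\S+)\) at ([0-9a-f:]{17})", text))


def locate_host(ip, arp, bridge, sessions):
    """Resolve IP -> MAC -> switch port -> logged-in user; None where unknown."""
    mac = arp.get(ip)
    return {"ip": ip, "mac": mac, "port": bridge.get(mac), "user": sessions.get(mac)}


if __name__ == "__main__":
    flows = parse_flows(FLOWS_CSV)
    arp = parse_arp(ARP_OUTPUT)
    for ip, b_in, b_out in top_talkers(flows):
        print(f"{ip:<12} down {b_in:>12,} B  up {b_out:>10,} B")
    worst = top_talkers(flows, 1)[0][0]
    print(f"\nDrill-down for {worst}:")
    for peer, proto, port, nbytes in drill_down(flows, worst):
        print(f"  {peer:<16} {proto}/{port:<5} {nbytes:>12,} B")
    print("\nWho is it?", locate_host(worst, arp, BRIDGE_TABLE, PORTAL_SESSIONS))
```

Run as-is it prints the three hosts ranked by traffic, the two HTTPS peers that account for almost all of the top host's volume, and the port and username that host resolves to; with real data you would feed it the output of `nfdump -o csv` over the time range of interest and the firewall's ARP table.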
_______________________________________________
List mailing list
https://lists.pfsense.org/mailman/listinfo/list