
This is the static archive of the Massassi Forums. The forums are closed indefinitely. Thanks for all the memories!

You can also download Super Old Archived Message Boards from when Massassi first started.

"View" counts are as of the day the forums were archived, and will no longer increase.

So server people, I have a question.
2010-04-27, 9:18 AM #1
This isn't really a worry, I'm just curious about it, is it possible for a network administrator to see every specific website visited by specific computers in a network?

While I do go on the internet during work hours, I don't think it's a problem because there is a certain lag between my desk work and the printers I oversee. There are times where I'm out of jobs to prepare while the printers are fed and printing. On the other hand, I have coworkers (shipping and handling, for example) who neglect their work and allow for things to pile up while they're shopping and browsing online.

I'm curious how in-depth a network administrator can go on a specific computer basis.
Was cheated out of lions by happydud
Was cheated out of marriage by sugarless
2010-04-27, 9:25 AM #2
Yeah, there are packages to track everything. They either reside on your gateway machine or sit on the wire looking at traffic. They can track it back to individual IPs or MAC addresses. Are you looking for software like this or are you trying to avoid being tracked?
2010-04-27, 9:38 AM #3
I don't really care about being tracked, if they had a problem with the way I operate, they would have told me a long time ago. I've not changed my habits in five years. I think it's fair that I just quickly look things up or refresh my emails when I'm out of work or am waiting on a 2gb file to open in Illustrator. Otherwise I'd just be fiddling thumbs anyways.

So I'm not really looking at blocking or tracking, I was just wondering how far they could go. I would imagine they cannot read someone's gmails and what not, since that would be a breach of privacy.
Was cheated out of lions by happydud
Was cheated out of marriage by sugarless
2010-04-27, 9:56 AM #4
They can't typically read your gmails because it goes over SSL. They can see the frequency which you access gmail, though. They can read anything that's not over SSL, technically. I don't know what the laws about that are, but when I was in the AF (>10 years ago), we could, in real time, see that employees were actively viewing porn while at work. We couldn't do anything about it because the laws back then weren't clear. But just because they can't prosecute you for something doesn't mean there's not a network operator dude sitting there looking at what you're looking at.
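An added example, not part of the thread or any poster's code: what a forward proxy on the gateway records for plain HTTP versus SSL, which is the distinction the post above draws. The log lines are constructed in Squid's native access.log layout, and the hosts, addresses and the function name `visibility_by_client` are assumptions made for illustration.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample in Squid's native access.log layout:
# time elapsed_ms client action/status bytes method target ident peer type
SAMPLE_LOG = """\
1272377880.101    120 10.0.0.15 TCP_MISS/200 4512 GET http://shop.example/cart?item=42 - DIRECT/192.0.2.10 text/html
1272377885.456  60012 10.0.0.15 TCP_MISS/200 83211 CONNECT mail.example:443 - DIRECT/192.0.2.20 -
1272378190.002  45100 10.0.0.15 TCP_MISS/200 20144 CONNECT mail.example:443 - DIRECT/192.0.2.20 -
1272378200.900     95 10.0.0.22 TCP_MISS/200 1830 GET http://news.example/story/7 - DIRECT/192.0.2.30 text/html
"""


def visibility_by_client(log_text):
    """Summarise, per client IP, what the proxy log exposes.

    Plain HTTP requests carry the full URL (path and query string).
    SSL sessions appear only as CONNECT host:port tunnels, so the log
    holds the destination host, how often it was contacted and how many
    bytes moved, but nothing about the pages or messages inside.
    """
    report = defaultdict(lambda: {"cleartext_urls": [], "tls_hosts": {}})
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 7:
            continue  # skip blank or truncated lines
        _ts, _elapsed, client, _action, size, method, target = fields[:7]
        entry = report[client]
        if method == "CONNECT":
            # target is "host:port"; the tunnel payload is opaque to the proxy
            host = target.rsplit(":", 1)[0]
            stats = entry["tls_hosts"].setdefault(
                host, {"connections": 0, "bytes": 0}
            )
            stats["connections"] += 1
            stats["bytes"] += int(size)
        elif urlsplit(target).scheme == "http":
            entry["cleartext_urls"].append(target)
    return dict(report)


if __name__ == "__main__":
    for client, seen in sorted(visibility_by_client(SAMPLE_LOG).items()):
        print(client)
        for url in seen["cleartext_urls"]:
            print("  full URL visible:", url)
        for host, stats in seen["tls_hosts"].items():
            print("  host only:", host, stats)
```
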
2010-04-27, 10:06 AM #5
That makes sense. Thanks for the info, Brian, it answers something I've been curious about for a while. I'm not too worried about it. I figure in 5 years they would have told me if my casual browsing caused a problem. Besides I've got nothing to hide. I have better things to do than check porn at work and I don't recall ever sending a professionally inappropriate email.
Was cheated out of lions by happydud
Was cheated out of marriage by sugarless
2010-04-27, 11:14 AM #6
o i think i've gotten more than a few unprofessional emails from you while you were working, le Jep.
2010-04-27, 11:17 AM #7
/blush
Attachment: 23827/woman_blushing_1248166c.jpg (43,711 bytes)
Was cheated out of lions by happydud
Was cheated out of marriage by sugarless
2010-04-27, 12:08 PM #8
She doesn't look like she's blushing.

She looks like she's frightened, like she just saw a nude old man doing yoga in the park, or just watched someone get run over by a car after attempting to flee from an earthquake.
2010-04-27, 12:15 PM #9
or she just farted and would rather not taste it
"Honey, you got real ugly."
2010-04-27, 12:29 PM #10
or she just farted and wanted to taste it
Was cheated out of lions by happydud
Was cheated out of marriage by sugarless
2010-04-27, 1:19 PM #11
touché
"Honey, you got real ugly."
2010-04-27, 2:15 PM #12
My company seems to let me do what I like on the basis that I'm never the one holding up projects and they really don't want to lose me. However I know for a fact that nobody monitors traffic, we just have a crappy content blocker and that's about it.
Detty. Professional Expert.
Flickr Twitter
2010-04-27, 2:44 PM #13
I'm probably in the same situation, Detty. It just remains unsaid. While I do not think I'm one of a kind and impossible to replace, I believe it would be their loss to lose me.

I cannot say for certain whether our traffic is being monitored or not. We have no specific blockers, and while I've gotten of certain spot checks in the past and certain rumors, I've not seen any specific evidence that we are monitored. If we are, kudos to them, because it's fair that they keep tabs on our activity.
Was cheated out of lions by happydud
Was cheated out of marriage by sugarless
2010-04-27, 2:48 PM #14
You can easily be monitored without knowing about it. And like Brian said, pretty much anything that's not encrypted before it's sent out can be monitored. So standard web pages, IM conversations, etc. are all fair game.

:tinfoil:
2010-04-27, 3:26 PM #15
Much of what I do on a day to day basis is monitoring traffic to workstations within our enterprise. With over 135,000 nodes reporting to the system I manage I can define policies that will alert a reviewer without the end user being any the wiser.

These policies can be as vague as "Opens web browser - record 2 minutes of video before and 2 minutes after the browser closes" or much more specific as they are in my case. The primary reason we don't do broad policies like that is the sheer volume of storage such collections would consume. It's cost prohibitive.

However, to say that I can't read a user's gmail is ignorant. Quite the contrary, we do have policies in place to capture all webmail traffic. The majority of those alerts are discarded with little more than a cursory glance, but if I wanted to and had I the manpower, I could read every email sent across my network regardless of its source or destination.

Looking at specific browsing habits is easy anyways depending on the type of end point security your company employs. Regardless of search history, all of that data can be forensically recovered either through existing "index.dat" files, or through carved files in deleted space.

Take a look at products like SureView and EnCase for Enterprise to get an idea of the type of systems I'm talking about.

Edit: The SureView product is produced by Raytheon (formerly Oakley Labs before the acquisition) NOT the product called SureViewSystems.
-=I'm the wang of this here site, and it's HUGE! So just imagine how big I am.=-
1337Yectiwan
The OSC Empire
10 of 14 -- 27 Lives On
2010-04-27, 3:32 PM #16
Well obviously anything that has special software installed on the client machine won't have a problem with SSL traffic. I would imagine that not all companies spend the dough to do that though.
2010-04-27, 3:39 PM #17
Originally posted by Yecti:

However, to say that I can't read a user's gmail is ignorant. Quite the contrary, we do have policies in place to capture all webmail traffic. The majority of those alerts are discarded with little more than a cursory glance, but if I wanted to and had I the manpower, I could read every email sent across my network regardless of its source or destination.


Uh, what? Is the software you're using monitoring browsers on the client side, or do you mean you're capturing SSL-encrypted webmail as it moves through the network? Because if you mean the latter, I call BS.
2010-04-27, 4:31 PM #18
That would only work for users that aren't using Gmail with SSL. Does Gmail use SSL by default these days? I know there is an option to enforce it. Same thing with other providers or any other website... if the content is transferred with SSL (not just authentication) then there is no way you're viewing it.
Bassoon, n. A brazen instrument into which a fool blows out his brains.
2010-04-27, 4:33 PM #19
I am pretty sure GMail defaults to SSL nowadays.
2010-04-27, 6:00 PM #20
Well knowing all this, I gotta say if they've been monitoring me, then they clearly don't have a problem with what I do (likely on the logical basis that my work is always done and done well and never held up by this). I've used gmail, gchat, and mibbit, often leaving them up and connected all day for days at a time in a tab that I'd visit from time to time.
Was cheated out of lions by happydud
Was cheated out of marriage by sugarless
2010-04-27, 6:10 PM #21
There have been a few studies on internet usage in office jobs. Most of them find that people who are allowed to use the internet in a reasonable fashion for non-work related things (IM, e-mail, shopping) are more productive.
Bassoon, n. A brazen instrument into which a fool blows out his brains.
2010-04-27, 6:16 PM #22
It's somewhat logical in my case, I find it keeps me more alert if I keep my brain active by doing some form of reading. Fiddling my thumbs causes me to get severely bored and make lame mistakes.
Was cheated out of lions by happydud
Was cheated out of marriage by sugarless
2010-04-27, 7:31 PM #23
Both CM and Emon missed the part where I said the software captures video. We don't have to decrypt anything. We just watch you read your own email. :P

Edit: Also, the client does run locally on each workstation; it reports directly to a master node which outputs the events.
-=I'm the wang of this here site, and it's HUGE! So just imagine how big I am.=-
1337Yectiwan
The OSC Empire
10 of 14 -- 27 Lives On
2010-04-27, 7:34 PM #24
You didn't say that was how you did it. "capture all webmail traffic" is kind of ambiguous, since video is not webmail traffic
Bassoon, n. A brazen instrument into which a fool blows out his brains.
2010-04-27, 8:10 PM #25
Yeah, no matter what way I read Yecti's post I read it as packet sniffing, not screen grabbing.
2010-04-27, 8:51 PM #26
At work we have:
- All network traffic is logged, so they say. Of course they can't log SSL (or if they do, they can forge certs without the browsers detecting it).
- A whitelist is used and sites not on it are blocked with a "website not yet rated" message.
- A blacklist is used and sites on it are blocked with a RED FONT.
- Social networking (Twitter and Facebook) brings up a warning page reminding users to watch what they say about the company and work, but you can click through.
- I assume the three above are provided by some standard filtering package.
- Firefox is a permitted application. IE8 is not; we all run IE7. Chrome is not but my group has special permission to use it, so I do.
- IT can either log on to your computer via remote desktop or they can use a VNC-like app and take direct control under your user account at any time without warning.
- We run XP SP3 and McAfee, but oddly were not affected last week. IT must be doing something right I guess.
- We have internal IM provided by Office Communicator stuff. All logged, it claims.
- We run as limited users and can install whatever we want as long as it doesn't need admin privileges (I assume the honor system is used to keep unapproved apps off computers, plus IT can uninstall stuff if they catch you). You can ask IT to install something needing admin... I had someone install the IE Dev Toolbar for me. It wasn't nearly as useful as I thought it would be, bleh.

I tend to limit my browsing to my Google Reader feeds over SSL. I star anything that looks even vaguely NWS for later (and star downloads too for home, of course), rest of the stuff I'll just click through.

The only real "bad" thing I've done with the computer is I ripped out WinZip because it was annoying me (couldn't open a zip file I needed to open) and dropped in 7-zip which worked 100x better instantly. WinZip's uninstaller was broken so I couldn't save the license key when it uninstalled. Oops. Erm I'm sure that's not a problem.

2010-04-27, 9:05 PM #27
Originally posted by Jon`C:
Yeah, no matter what way I read Yecti's post I read it as packet sniffing, not screen grabbing.


I goes none of those ways were "carefully"?

Originally posted by Yecti:
These policies can be as vague as "Opens web browser - record 2 minutes of video before and 2 minutes after the browser closes"
2010-04-27, 10:43 PM #28
Originally posted by Obi_Kwiet:
I goes none of those ways were "carefully"?


i goes none of those ways were hurr

Originally posted by Yecti:
Much of what I do on a day to day basis is monitoring traffic to workstations within our enterprise..

However, to say that I can't read a user's gmail is ignorant. Quite the contrary, we do have policies in place to capture all webmail traffic. The majority of those alerts are discarded with little more than a cursory glance, but if I wanted to and had I the manpower, I could read every email sent across my network regardless of its source or destination.
2010-04-28, 1:53 PM #29
Obi_Kwiet clearly has yet to master the temporal nature of conversation.
Detty. Professional Expert.
Flickr Twitter
2010-04-28, 3:10 PM #30
Originally posted by Yecti:
Much of what I do on a day to day basis is monitoring traffic to workstations within our enterprise.. With over 135,000 nodes reporting to the system I manage I can define policies that will alert a reviewer without the end user being any the wiser.

These policies can be as vague as "Opens web browser - record 2 minutes of video before and 2 minutes after the browser closes" or much more specific as they are in my case. The primary reason we don't do broad policies like that is the sheer volume of storage such collections would consume. It's cost prohibitive.

However, to say that I can't read a user's gmail is ignorant. Quite the contrary, we do have policies in place to capture all webmail traffic. The majority of those alerts are discarded with little more than a cursory glance, but if I wanted to and had I the manpower, I could read every email sent across my network regardless of its source or destination.

Looking at specific browsing habits is easy anyways depending on the type of end point security your company employs. Regardless of search history, all of that data can be forensically recovered either through existing "index.dat" files, or through carved files in deleted space.

Take a look at products like SureView and EnCase for Enterprise to get an idea of the type of systems I'm talking about.

Edit: The SureView product is produced by Raytheon (formerly Oakley Labs before the acquisition) NOT the product called SureViewSystems.


Weird how it's right there in the quote above. The tool is capable of a lot more than that, but given the question the example was given as such. Shame none of you can read.

Also

Originally posted by Jon`C:
i goes none of those ways were hurr


Traffic != Packets.
-=I'm the wang of this here site, and it's HUGE! So just imagine how big I am.=-
1337Yectiwan
The OSC Empire
10 of 14 -- 27 Lives On
2010-04-28, 3:19 PM #31
To network administrators that weren't trained by Geek Squad, traffic implies packets or frames.
Bassoon, n. A brazen instrument into which a fool blows out his brains.
2010-04-28, 3:23 PM #32
Originally posted by Yecti:
Traffic != Packets.


Yeah man, I can read TRAFFIC.

I may not know where they're driving, where they came from or why they're drivin' there, but I can take a picture of their dashboard. Hell yeah, man. My tie's cutting off the blood to my brain.
2010-04-28, 3:25 PM #33
You're both retarded. :suicide:
-=I'm the wang of this here site, and it's HUGE! So just imagine how big I am.=-
1337Yectiwan
The OSC Empire
10 of 14 -- 27 Lives On
2010-04-28, 3:33 PM #34
yep. the main symptom of mental retardation is the correct use of standard terms in standard ways.
2010-04-28, 3:46 PM #35
As much as I hate to, I'm going to have to side with JonC and Emon on this one -- we've all been talking about network traffic, sniffing, etc., you bring up a post where you also talk about traffic. Your video quote there implies you can indeed use video if you want, but that you aren't because you don't do broad policies like that. It would have been clearer if you started off with something like...

"We can look at everything because we actually record movies of what the user is doing."
2010-04-28, 6:34 PM #36
Originally posted by Brian:
As much as I hate to, I'm going to have to side with JonC and Emon on this one -- we've all been talking about network traffic, sniffing, etc., you bring up a post where you also talk about traffic. Your video quote there implies you can indeed use video if you want, but that you aren't because you don't do broad policies like that. It would have been clearer if you started off with something like...

"We can look at everything because we actually record movies of what the user is doing."


Video was only brought up as a specific example pointing out the folly of believing that just because gmail and other webmail providers encrypt data through SSL that it's impregnable and secure from your employer.

The scope of the system I administer isn't limited to video. However I'll agree that you could easily misunderstand. It doesn't change that traffic refers to all data transferred on a network. I wasn't talking about encapsulated packets. Had I been, I would have specifically mentioned packet sniffing and analysis.
-=I'm the wang of this here site, and it's HUGE! So just imagine how big I am.=-
1337Yectiwan
The OSC Empire
10 of 14 -- 27 Lives On
2010-04-28, 6:54 PM #37
If there's client side software, shouldn't it be possible to access the information after it's been decrypted?
2010-04-28, 8:19 PM #38
Yes AFAIK filters can be put in place. Most likely most of the stuff employers would want to know if their employees are doing would most likely be done over normal HTTP though, too much trouble for too little payoff.

Besides you could just stick a server in the middle (like a man-in-the-middle attack) and NOT make it look like you're tricking your employees into believing their traffic is secure*. That could result in a lawsuit since it would log data you have every reasonable expectation of being secure. Only way I think it could be acceptable at all is if it is clearly outlined to all employees. When I started work at Large Corporation I got the essentials about the IT policy from my coworkers in unorganized form, but no formal guidelines were at any point given to me.

* - These attacks disrupt the SSL connection since they would require the server to decrypt and recrypt the traffic to log it, resulting in cert errors which the browser would present to the user with nice scary warnings.

2010-04-28, 8:29 PM #39
Yecti - Spector?
2010-04-29, 8:45 AM #40
Originally posted by Aglar:
Yecti - Spector?


We're actually implementing Spector this week. Hooray honeypots in the DMZ.
-=I'm the wang of this here site, and it's HUGE! So just imagine how big I am.=-
1337Yectiwan
The OSC Empire
10 of 14 -- 27 Lives On