
Top 5 Reasons why you should be Monitoring Internet Traffic


The perimeter of most networks is a busy place, from the constant bandwidth battles with resource-hungry applications to the security threats posed by malware such as ransomware. Gone are the days of SNMP graphs for monitoring the internet user; today’s IT professionals need the detail provided by deep packet inspection technologies and firewall logs. Monitoring internet traffic is vital for keeping a network running securely and efficiently.

Deep packet inspection once had a reputation as an expensive and difficult-to-use technology, as most solutions were appliance based and required specific skill sets to use. However, there are many low-cost and easy-to-use products available now. All you need to do is set up a SPAN port or install a TAP and you will gain visibility of what is happening on your Internet connection.

Recently, we asked our customers what their top use cases were for internet traffic analysis. Interestingly, the results returned a number of operational and security use cases. Here, we just take a look at the top 5.

1. Look for unexpected traffic on specific ports

There are two primary TCP ports used for internet browsing: TCP port 80 for non-encrypted communications and TCP port 443 for encrypted sessions. However, many applications can use these ports, such as Skype, Dropbox and BitTorrent. In today’s world, you cannot assume that all activity on port 80 or 443 is web page browsing.

Many of our customers want reports which look for all outbound traffic on port 80/443 but where the traffic type isn’t HTTP/HTTPS. They are struggling with flow tools as they were never designed as a web usage tracker. Monitoring tools which look at packet payloads and identify what applications are riding on ports 80 or 443 are a more accurate solution. This is the most common security use case we hear about when it comes to monitoring internet traffic.
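The report described above can be sketched as follows. This is an added example, not NetFort or LANGuardian code: it assumes a capture tool has already handed over the first client-to-server payload bytes of each session as a dict (the field names are hypothetical), and it recognises only HTTP/1.x request lines and TLS ClientHello records.

```python
import re

# HTTP/1.x request line: METHOD SP target SP HTTP/1.0 or HTTP/1.1
HTTP_REQUEST = re.compile(
    rb"^(GET|POST|HEAD|PUT|DELETE|OPTIONS|PATCH|CONNECT|TRACE) \S+ HTTP/1\.[01]\r\n")

EXPECTED = {80: "http", 443: "tls"}  # protocol each port is assumed to carry


def classify_payload(payload: bytes) -> str:
    """Label the first client-to-server bytes of a TCP session."""
    if HTTP_REQUEST.match(payload):
        return "http"
    # TLS record header: content type 0x16 (handshake), version 0x03 0x00-0x04,
    # two length bytes, then handshake type 0x01 (ClientHello).
    if (len(payload) >= 6 and payload[0] == 0x16 and payload[1] == 0x03
            and payload[2] <= 0x04 and payload[5] == 0x01):
        return "tls"
    return "other"


def unexpected_flows(flows):
    """Return (src, dst, dport, seen) for port 80/443 flows carrying another protocol."""
    hits = []
    for f in flows:
        want = EXPECTED.get(f["dport"])
        if want is None:
            continue  # not a web port, out of scope for this report
        seen = classify_payload(f["payload"])
        if seen != want:
            hits.append((f["src"], f["dst"], f["dport"], seen))
    return hits


# Constructed sample: first payload bytes of five outbound sessions.
SAMPLE_FLOWS = [
    {"src": "10.0.0.5", "dst": "203.0.113.10", "dport": 80,
     "payload": b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n"},
    {"src": "10.0.0.6", "dst": "203.0.113.20", "dport": 443,
     "payload": bytes.fromhex("160301020001000001fc0303")},
    {"src": "10.0.0.7", "dst": "198.51.100.7", "dport": 80,
     "payload": b"\x13BitTorrent protocol" + bytes(8)},
    {"src": "10.0.0.8", "dst": "198.51.100.8", "dport": 443,
     "payload": b"SSH-2.0-OpenSSH_9.6\r\n"},
    {"src": "10.0.0.9", "dst": "198.51.100.9", "dport": 443,
     "payload": b"GET / HTTP/1.1\r\nHost: example.org\r\n\r\n"},
]

if __name__ == "__main__":
    for hit in unexpected_flows(SAMPLE_FLOWS):
        print(hit)
```

Cleartext HTTP on port 443 is reported as well, because the check compares the observed protocol with the one expected for that port.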


2. Identify traffic which generated a large number of connections through firewalls

Almost all firewalls in use today are of a stateful variety. A stateful firewall is a network firewall that tracks the operating state and characteristics of network connections traversing it. The firewall is configured to distinguish legitimate packets for different types of connections. Only packets matching a known active connection are allowed to pass through the firewall. More recent firewalls are also application aware so that they can understand what applications are generating connections and apply filters based on this.

Our customers are reporting that in extreme cases their firewalls start dropping connections if there is a large increase in outbound or inbound connections. A typical example is the BitTorrent application, which can generate hundreds of connections simultaneously. Make sure your monitoring tool has a means of tracking the number of network connections on a per client basis. When monitoring internet traffic, tools that look at traffic volumes alone will not spot the problems. You need tools which can report on the number of connections on a per user or IP address basis.
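To show why volume alone misses this, the added example below (not NetFort or LANGuardian code) computes the peak number of simultaneously open connections per client from connection records. The record layout, the sample data and the threshold of 100 are assumptions made for the illustration.

```python
from collections import defaultdict


def peak_concurrent(records):
    """Return {client: peak number of simultaneously open connections}."""
    events = defaultdict(list)
    for client, start, end, _nbytes in records:
        events[client].append((start, 1))   # connection opened
        events[client].append((end, -1))    # connection closed
    peaks = {}
    for client, evs in events.items():
        # Tuples sort by time, then delta: at equal timestamps closes (-1) come
        # before opens (+1), so back-to-back connections do not overlap.
        evs.sort()
        open_now = peak = 0
        for _, delta in evs:
            open_now += delta
            peak = max(peak, open_now)
        peaks[client] = peak
    return peaks


def bytes_per_client(records):
    """Return {client: total bytes}, the view a volume-only tool would give."""
    totals = defaultdict(int)
    for client, _start, _end, nbytes in records:
        totals[client] += nbytes
    return dict(totals)


def flag_clients(records, max_open):
    """Clients whose peak concurrent connection count exceeds max_open."""
    return sorted(c for c, p in peak_concurrent(records).items() if p > max_open)


# Constructed sample records: (client, start_s, end_s, bytes).
SAMPLE = (
    [("10.0.1.20", 0, 600, 5_000_000_000)]                      # one large transfer
    + [("10.0.1.33", t, t + 120, 2_000) for t in range(300)]    # many small sessions
    + [("10.0.1.40", 0, 10, 50_000), ("10.0.1.40", 10, 20, 50_000)]
)
MAX_OPEN = 100  # assumed threshold; set it from the firewall's connection limits

if __name__ == "__main__":
    print(bytes_per_client(SAMPLE))
    print(peak_concurrent(SAMPLE))
    print(flag_clients(SAMPLE, MAX_OPEN))
```

In the sample, 10.0.1.20 tops the byte ranking with a single connection, while 10.0.1.33 moves very little data but is the only client flagged.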


3. Understand who is misusing/abusing the Internet at remote locations

Bandwidth capacity to remote networks is still an issue for most network managers. When links get busy, you can’t keep increasing the capacity. Once you do so, bandwidth hungry applications will chew up the new bandwidth. It may also be a very expensive option, so getting visibility as to what is happening on these links is vital.

One of the most common causes of WAN issues is excessive internet traffic. Sometimes this is accidental, such as a user copying hundreds of HD images onto a Dropbox folder; sometimes it is more deliberate, like using the workplace network to download movies. If you experience concerns about remote networks or with the WAN links to them, you should start by monitoring internet traffic. Our video at the end of this blog post explains what to do.

4. Report on proxied web activity on a per user basis

Proxy servers were once implemented to speed up access to popular sites. In theory, they would cache popular webpages, which cut down on bandwidth use. This has become more complicated as most content is now dynamic, such as Facebook news feeds, so proxy servers are now mostly used for their site blocking capabilities.

While proxy servers may be good at caching and filtering, they were never designed as a user web reporting tool. Flow based monitoring tools will not work either, as they will either report clients connecting to a proxy or the proxy connecting to external websites. Stitching this information together is a complicated process.

Packet capture applications solve this problem as they look inside HTTP headers to extract information like client, proxy and website. This is why they are popular when it comes to reporting on proxied web activity on a per user basis.
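A minimal version of that header extraction, as an added example rather than NetFort or LANGuardian code. It assumes cleartext HTTP/1.x requests captured on the internet side of the proxy, and a proxy configured to add the X-Forwarded-For and Via headers; the function names and sample requests are constructed for the illustration.

```python
from collections import defaultdict


def parse_request(raw: bytes):
    """Return (client, proxy, website) for one proxied HTTP/1.x request, or None."""
    lines = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1").split("\r\n")
    if len(lines[0].split(" ")) != 3:
        return None  # not an HTTP request line
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    xff, host = headers.get("x-forwarded-for"), headers.get("host")
    if not xff or not host:
        return None  # assumption not met: proxy did not add X-Forwarded-For
    # The proxy appends the address it saw; earlier entries are client-supplied
    # and can be forged, so only the last one is used.
    client = xff.split(",")[-1].strip()
    # Via: "<protocol-version> <received-by> [comment]", one entry per proxy.
    via = headers.get("via", "").split(",")[-1].split()
    proxy = via[1] if len(via) >= 2 else "unknown"
    name, _, port = host.rpartition(":")
    site = (name if name and port.isdigit() else host).lower()  # drop ":port"
    return client, proxy, site


def sites_per_client(requests):
    """Build {client: sorted list of websites} from captured requests."""
    report = defaultdict(set)
    for raw in requests:
        parsed = parse_request(raw)
        if parsed:
            report[parsed[0]].add(parsed[2])
    return {client: sorted(sites) for client, sites in report.items()}


# Constructed sample: requests as seen between the proxy and the internet.
SAMPLE_REQUESTS = [
    b"GET /feed HTTP/1.1\r\nHost: www.example.com\r\n"
    b"X-Forwarded-For: 10.0.2.15\r\nVia: 1.1 proxy01.example.net\r\n\r\n",
    b"GET /video HTTP/1.1\r\nHost: media.example.org:8080\r\n"
    b"X-Forwarded-For: 192.0.2.99, 10.0.2.15\r\nVia: 1.1 proxy01.example.net\r\n\r\n",
    b"GET / HTTP/1.1\r\nHost: www.example.com\r\n"
    b"X-Forwarded-For: 10.0.2.31\r\nVia: 1.1 proxy01.example.net\r\n\r\n",
]

if __name__ == "__main__":
    print(sites_per_client(SAMPLE_REQUESTS))
```

HTTPS sessions tunnelled through the proxy with CONNECT are encrypted end to end, so these headers are not visible for them in a capture.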

5. Reports that can tell if users are streaming content like movies or games

The internet is a wonderful place, but it is also full of distractions; from watching live events to checking out recent movies or spending hours playing online games. While we all need our releases from everyday life, too much streaming can overload computer networks.

I recently worked with a client who had major issues at a remote site. Users there were reporting that access to business applications was slow. They logged onto their LANGuardian application and found that a number of users at the remote site were streaming live soccer to their PCs, which overloaded the WAN connection.

How to monitor Internet activity using a SPAN port

About NetFort

NetFort provides network traffic and security monitoring software for virtual and physical networks. NetFort’s flagship product, LANGuardian, is unique in the marketplace thanks to its powerful deep-packet inspection technology that can be downloaded and deployed on standard physical or virtual hardware to provide comprehensive visibility in minutes. Organizations worldwide depend on LANGuardian solutions from monitoring user activity to file activity monitoring, web activity monitoring, network security monitoring, bandwidth troubleshooting, wire data analytics, network forensics to packet capture.
