Tracking Web Activity by MAC Address
Associating Internet activity with MAC addresses
Tracking web activity is nothing new. For many years IT managers have tried to get some visibility at the network edge so that they can see what is happening. One of the main drivers is the need to keep the network secure: as Internet usage keeps growing, malicious sites (phishing, scams and fraud) keep evolving with it.
While some firewalls and proxy servers include reporting capabilities, most are not up to the job. These systems were designed to block or control access, and reporting was added on later. Server log files do not always have the answer either: they are meant to give server administrators data about the behaviour of the server, not about what users are doing on the Internet.
Some vendors are pitching flow-type tools (NetFlow, IPFIX, etc.) to address the problem. The idea is that you collect flow records from the edge of your network so you can see which IP address is connecting to which. However, as with server logs, NetFlow is not a web usage tracker. A flow record tells you the endpoints, ports and byte counts, but it carries nothing from the HTTP layer, which is where the important information (Host header, URI, user name) lives.
One of the best data sources for web tracking is packet capture. You can capture packets with SPAN/mirror ports, packet brokers, TAPs, or by using promiscuous mode on virtual platforms. The trick is to extract the relevant fields from each packet and discard the rest, so you do not end up storing massive packet captures. Bear in mind that for HTTPS traffic only the server name is visible on the wire (in the TLS handshake, or in the CONNECT request when a proxy is used); the URI and headers are encrypted.
Relevant fields include the MAC address, source IP, destination IP, timestamp, website (the Host header), URI and user name. You only see the big picture when you can line all of these up for a single request.
Why track Internet activity?
- Root out the source of ransomware and other security threats, tracing them back to specific users, IP addresses or MAC addresses.
- Maintain logs so that you can respond to third-party requests. Finding the source of BitTorrent use is a common requirement on open networks.
- Find out why your Internet connection is slow. Employees watching HD movies is a frequent cause.
- Out-of-band network forensics for troubleshooting or identifying odd network traffic.
Customer Use Case
The end user is a very large airport in EMEA. The basic requirement is to track web activity and keep a historical record of it for one year. Because most users are just passing through (thousands of wireless users every hour!), the only way to uniquely identify each user or device is by MAC address.
Luckily for us, because the LANGuardian HTTP decoder captures and analyses wire data off a SPAN or mirror port, it can track proxy and non-proxy traffic by IP or MAC address. The customer can also drill down to URI level when they need to investigate an incident. For them LANGuardian is an ideal solution for tracking BYOD activity: there are no modifications to the network and no agents, clients or logs required.
The MAC address is an important variable when it comes to tracking devices on your network. Most networks assign addresses with DHCP, so the same IP address can belong to different devices at different times and cannot be relied on alone. A MAC address stays with the device across lease changes, so it gives you a far more reliable audit trail of what is happening on your network. Two caveats apply. A MAC address is only visible on the local Layer 2 segment: once traffic has passed through a router, the source MAC you see is the router's, so the capture point must sit on the client side of the routing boundary. And MAC addresses can be spoofed, and some mobile devices randomise their Wi-Fi MAC address, so treat the MAC as a strong identifier rather than a guaranteed one.
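To make the two points above concrete (reducing captured packets to the handful of fields listed earlier in the post, and then keying the audit trail on MAC rather than IP), here is an added Python example. It is not LANGuardian code or anything from the original post; the frames, MAC addresses, IP addresses (documentation ranges) and the "alice" proxy credential are all constructed for the demo, and the decoder handles only plain HTTP over Ethernet II / IPv4 / TCP, dropping anything else.

```python
import base64
import struct
from collections import defaultdict

ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6


def _mac(b):
    return ":".join(f"{x:02x}" for x in b)


def _ip(b):
    return ".".join(str(x) for x in b)


def _basic_user(value):
    """User name from a 'Basic <base64>' credential, or '' if absent or unparseable."""
    if not value or not value.lower().startswith(b"basic "):
        return ""
    try:
        decoded = base64.b64decode(value[6:].strip(), validate=True)
    except ValueError:  # binascii.Error is a ValueError
        return ""
    return decoded.split(b":", 1)[0].decode("utf-8", "replace")


def decode_http_request(ts, frame):
    """Reduce one Ethernet II / IPv4 / TCP frame to the fields worth keeping.
    Returns None for anything that is not the start of an HTTP request."""
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return None
    src_mac = _mac(frame[6:12])
    ihl = (frame[14] & 0x0F) * 4          # IPv4 header length in bytes
    if frame[23] != IPPROTO_TCP:
        return None
    src_ip, dst_ip = _ip(frame[26:30]), _ip(frame[30:34])
    tcp = 14 + ihl
    if len(frame) < tcp + 20:
        return None
    src_port, dst_port = struct.unpack("!HH", frame[tcp:tcp + 4])
    data_off = (frame[tcp + 12] >> 4) * 4  # TCP header length in bytes
    payload = frame[tcp + data_off:]
    request_line, sep, rest = payload.partition(b"\r\n")
    parts = request_line.split(b" ")
    if not sep or len(parts) != 3 or not parts[2].startswith(b"HTTP/"):
        return None                        # TLS, binary, or mid-stream data: discard
    headers = {}
    for line in rest.split(b"\r\n"):
        if not line:
            break
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    user = _basic_user(headers.get(b"proxy-authorization")) or _basic_user(headers.get(b"authorization"))
    return {"time": ts, "mac": src_mac, "src_ip": src_ip, "dst_ip": dst_ip, "dst_port": dst_port,
            "host": headers.get(b"host", b"").decode("ascii", "replace"),
            "uri": parts[1].decode("ascii", "replace"), "user": user}


def build_frame(src_mac, dst_mac, src_ip, dst_ip, dst_port, payload):
    """Constructed Ethernet II / IPv4 / TCP frame for the demo (checksums left at zero)."""
    eth = (bytes.fromhex(dst_mac.replace(":", "")) + bytes.fromhex(src_mac.replace(":", ""))
           + struct.pack("!H", ETHERTYPE_IPV4))
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, IPPROTO_TCP, 0,
                     bytes(int(o) for o in src_ip.split(".")), bytes(int(o) for o in dst_ip.split(".")))
    tcp = struct.pack("!HHIIBBHHH", 51000, dst_port, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    return eth + ip + tcp + payload


# Constructed sample "capture": device A changes IP after a DHCP lease change,
# and device B is later handed A's old address. Not a real capture.
GW = "00:11:22:33:44:55"
DEV_A = "aa:bb:cc:dd:ee:01"
DEV_B = "aa:bb:cc:dd:ee:02"
SAMPLE = [
    (100, build_frame(DEV_A, GW, "10.0.0.5", "192.0.2.10", 80,
                      b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n")),
    (101, build_frame(DEV_A, GW, "10.0.0.5", "192.0.2.10", 443, b"\x16\x03\x01\x00\x05hello")),
    (7300, build_frame(DEV_A, GW, "10.0.0.9", "10.0.0.1", 3128,
                       b"GET http://example.net/dl/file.iso HTTP/1.1\r\nHost: example.net\r\n"
                       b"Proxy-Authorization: Basic YWxpY2U6cw==\r\n\r\n")),
    (7400, build_frame(DEV_B, GW, "10.0.0.5", "198.51.100.20", 80,
                       b"GET /login HTTP/1.1\r\nHost: example.org\r\n\r\n")),
]


def audit_trail(samples, key):
    """Group decoded HTTP requests by 'mac' or 'src_ip'."""
    trail = defaultdict(list)
    for ts, frame in samples:
        rec = decode_http_request(ts, frame)
        if rec is not None:
            trail[rec[key]].append(rec)
    return dict(trail)


BY_MAC = audit_trail(SAMPLE, "mac")
BY_IP = audit_trail(SAMPLE, "src_ip")

if __name__ == "__main__":
    for mac, recs in BY_MAC.items():
        for r in recs:
            print(f"{r['time']:>6} {mac} {r['src_ip']:<9} {r['user'] or '-':<6} {r['host']}{r['uri']}")
    print("10.0.0.5 was used by", sorted({r["mac"] for r in BY_IP["10.0.0.5"]}))
```

Keyed on MAC, device A's two requests stay together even though its IP changed between them, while keyed on IP alone the address 10.0.0.5 mixes device A's first request with device B's later one. The TLS frame at t=101 is dropped because the decoder finds no HTTP request line, which is exactly why HTTPS activity shows up only as host names in this kind of data.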
Do you track web activity on your network? If so, what data sources do you use? Comments welcome.