
I am managing a network in a condominium. Right now, I am looking for a method of logging the users' activities without using a user login system. We introduced this login system not long ago, but people hate it. Some people have problems with Internet TV: their boxes don't have any I/O for a captive portal. Some people want to use the Internet on more than one machine simultaneously.

So I was thinking of removing the login system, yet according to my country's law, if there is illegal activity from my building, I must be able to present evidence that the illegal activity came from a particular room in the condominium.

In the case of someone doing illegal activities, what can I do here in order to identify the user without creating a user account? I know this may sound contradictory, but I am just a rookie in networking. Is something like this possible, or am I asking for the impossible?

[edit] Sorry that I was too brief the first time.

Karl
  • Wait... how would you have users using your system without a login? Are you talking about something like a café with anonymous web access? – Bart Silverstrim Jun 12 '11 at 11:47
  • No, we are talking about a program on the server gateway that can manage networking. We can filter out P2P, etc. in our network without having users log in. – Karl Jun 13 '11 at 03:03
  • Are you in an environment where you CAN'T log them in, like a café or other anonymous web access? – Bart Silverstrim Jun 13 '11 at 11:20
  • We CAN create user accounts for the users to log in. Yes, we can do that. I am the admin. But the thing is, so far, people hate logging in. We have only had this login system for a week now. There are several problems: people who have Internet TV have problems with the captive portal (they don't have I/O input on their device), and some people want to use more than one device (currently we allow one account per machine, and the owner of the building wants it this way). So I am asking here: is there a way around this? – Karl Jun 13 '11 at 16:43
  • And my environment is a condominium. – Karl Jun 13 '11 at 16:55
  • I have edited the post to clarify things. – Karl Jun 13 '11 at 17:02
  • Your only real option is to log based on physical interfaces. You have a drop running to a particular interface on your switch, you know who owns that drop, you know who to make accountable for traffic entering and exiting that interface. – Michael Lowman Jun 13 '11 at 17:04
  • Michael - you should post that as an answer – Ziplin Jun 13 '11 at 17:11
  • A drop running to a particular interface on my switch? What do you mean by the "drop"? Do you mean the MAC address and IP that are stored on the switch? – Karl Jun 14 '11 at 06:27

2 Answers

Your only real option is to log based on physical interfaces. You have a drop running to a particular interface on your switch, you know who owns that drop, you know who to make accountable for traffic entering and exiting that interface.

In a normal setup, you'll have one or more Ethernet lines running to each condo. The end of these, where the user plugs in, is usually referred to as a "drop". To implement this solution, a managed switch or high-end router is needed. A managed switch allows the administrator to log in via a command line or web interface and make configuration changes. Such switches have many options for logging and feature support, although using them requires some degree of technical expertise. The Cisco Catalyst family is a good example.

When I wrote that comment, I assumed you wanted logging of all traffic at Layer 3, corresponding to which IP addresses were accessed by which computers on which ports. If instead you want Layer 7 logging, you have a few more options.

Logging at Layer 7, the application layer, involves logging a specific protocol. This is only really feasible for HTTP. HTTP traffic can be logged by configuring Squid as a transparent proxy: you must modify routing tables on your main gateway (the host between your network and the internet) to redirect HTTP traffic from the condos to a separate Squid machine. Squid can then log the traffic (and process it, if desired) before sending it back to the gateway. You must configure the gateway to allow all traffic from the Squid machine to go directly to the Internet.

This transparent proxy solution may end up being rather resource-intensive; hence the use of a separate machine for your proxy. Squid must interpret and process all HTTP data being sent and received through the condos' computers.

The networking setup can also be a little tricky. It's important to evaluate your requirements and to create a maintainable system.

Michael Lowman

The first thing you would want to do is to break out each condo into its own subnet. This will be the quickest way to easily identify what traffic is coming from what condo. You will then want to set up some proxy to log / filter traffic. Squid is the first one that comes to mind.

HostBits
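Both answers stop at "log the traffic"; the step the law in the question actually needs is turning a client address in that log back into a unit. As an added example (my own code, not from either answer or from Squid), the script below does that in the two ways the answers describe: first by per-unit subnet (HostBits), and, for clients on a flat shared segment, by chaining the DHCP lease (IP to MAC), the managed switch's MAC table (MAC to port) and the drop ownership list (port to unit) that Michael Lowman's answer relies on. The subnet plan, port owners, MAC-table excerpt, lease records and Squid native-format access.log lines are all constructed sample data; real input would come from `show mac address-table`, the DHCP server's lease file and /var/log/squid/access.log.

```python
import ipaddress
import re
from datetime import datetime, timezone

# All data below is constructed for this example.
# HostBits' approach: one subnet per condo, so the address itself names the unit.
UNIT_SUBNETS = {ipaddress.ip_network("10.10.1.0/24"): "Unit 101",
                ipaddress.ip_network("10.10.2.0/24"): "Unit 102"}
# Michael Lowman's approach: each drop ends on a known switch port with a known owner.
PORT_OWNER = {"Gi1/0/1": "Unit 101", "Gi1/0/2": "Unit 102"}
# Excerpt in the style of Cisco IOS `show mac address-table` (constructed).
MAC_TABLE = """\
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    0011.2233.4455    DYNAMIC     Gi1/0/1
  10    66aa.bbcc.ddee    DYNAMIC     Gi1/0/2
"""
# IP -> MAC as recorded by the gateway's DHCP server on a flat 10.10.0.0/24 segment.
DHCP_LEASES = {"10.10.0.23": "00:11:22:33:44:55", "10.10.0.77": "66:AA:BB:CC:DD:EE"}
# Squid native access.log lines (constructed); fields are
# time elapsed client code/status bytes method URL ident hierarchy/peer type
SQUID_LOG = """\
1307980800.123    245 10.10.1.15 TCP_MISS/200 5123 GET http://example.com/index.html - DIRECT/93.184.216.34 text/html
1307980801.456     12 10.10.0.23 TCP_MISS/200 812 GET http://example.net/ - DIRECT/93.184.216.35 text/html
1307980802.789     90 192.0.2.9 TCP_DENIED/403 300 GET http://example.org/ - NONE/- text/html
"""

MAC_ROW = re.compile(r"^\s*\d+\s+([0-9a-fA-F.]{14})\s+\S+\s+(\S+)\s*$")


def normalize_mac(mac):
    """Turn 0011.2233.4455, 00-11-22-33-44-55 or 00:11:... into 00:11:22:33:44:55."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError("not a MAC address: %r" % mac)
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def parse_mac_table(text):
    """Map normalized MAC -> switch port from `show mac address-table` output."""
    table = {}
    for line in text.splitlines():
        m = MAC_ROW.match(line)
        if m:
            table[normalize_mac(m.group(1))] = m.group(2)
    return table


def parse_squid_line(line):
    """Split one native-format Squid access.log line into a dict."""
    f = line.split()
    if len(f) < 10:
        raise ValueError("short Squid log line: %r" % line)
    when = datetime.fromtimestamp(float(f[0]), tz=timezone.utc)
    return {"time": when.strftime("%Y-%m-%dT%H:%M:%SZ"), "client": f[2],
            "status": f[3], "bytes": int(f[4]), "method": f[5], "url": f[6]}


def attribute(client_ip, mac_ports, subnets=UNIT_SUBNETS,
              leases=DHCP_LEASES, port_owner=PORT_OWNER):
    """Return (unit, how) for a client IP, or ("unknown", None) if no chain matches."""
    addr = ipaddress.ip_address(client_ip)
    for net, unit in subnets.items():          # 1. per-unit subnet
        if addr in net:
            return unit, "subnet %s" % net
    mac = leases.get(client_ip)                # 2. IP -> MAC -> port -> owner
    if mac is not None:
        port = mac_ports.get(normalize_mac(mac))
        if port in port_owner:
            return port_owner[port], "switch-port %s" % port
    return "unknown", None


def build_report(log_text, mac_table_text=MAC_TABLE):
    """Attribute every log line to a unit; returns a list of dicts."""
    mac_ports = parse_mac_table(mac_table_text)
    report = []
    for line in log_text.splitlines():
        if line.strip():
            rec = parse_squid_line(line)
            rec["unit"], rec["how"] = attribute(rec["client"], mac_ports)
            report.append(rec)
    return report


if __name__ == "__main__":
    for r in build_report(SQUID_LOG):
        print("%(time)s %(client)-12s -> %(unit)-8s (%(how)s) %(method)s %(url)s" % r)
```

Two caveats for anyone using this as evidence. The MAC table and the lease file are snapshots that change as tenants' devices come and go, so they have to be captured and timestamped on a schedule (or via a syslog/DHCP hook) and the lookup done against the snapshot that covers the log line's time, not against today's table. And of the two chains, only the switch port is something the tenant cannot forge: an IP or a MAC can be chosen freely by whoever plugs into the drop, whereas the port a drop terminates on is fixed by the wiring, which is exactly why the first answer calls it the only real option.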