From: dcdave (dcdaveatt.net)
Date: Wed Jun 27 2001 - 12:26:03 CDT

    Sounds like a good argument for an IDS...
    HIDS can be configured to do string monitoring on the logs, and NIDS can
    watch the network traffic, BOTH going and coming, if placed in the right
    places (seems like some folk forget this feature). With 5k users, you will
    need several to cover the volume, reporting to a central console, just as
    you likely have more than one machine proxying....
    dcdave
    ----- Original Message -----
    From: "Steven Sporen" <sporensecnet.co.za>
    To: <focus-mssecurityfocus.com>
    Sent: Tuesday, June 26, 2001 3:37 PM
    Subject: Detecting internal users abusing the internet. MS-PROXY

    > Hi,
    >
    > I have a situation where we have a large client who has about 5000
    > employees on their private network. All these users use MS Proxy through
    > an internal cache network to exit onto the Internet. I was hoping someone
    > could give some sensible advice regarding the monitoring and use of MS
    > Proxy. Is it possible to detect if an internal user is for example port
    > scanning site on the internet? Are there good tools for processing the
    > log files of MS Proxy? Any other constructive comments would be
    > appreciated!
    >
    > Thanks
    > Steven
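
The log-side check discussed in this thread, as an added example that is not part of either message: it flags a client that reaches many distinct ports on one destination within a short window. The comma-separated layout, field order, thresholds and function names are assumptions for illustration, not MS Proxy's native log format.

```python
import csv
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: time, client IP, destination host, destination port.
# This layout is an assumption for the example, not MS Proxy's native format.
SAMPLE_LOG = """\
2001-06-26 15:00:01,10.1.4.22,www.example.com,80
2001-06-26 15:00:05,10.1.7.9,host.example.net,21
2001-06-26 15:00:06,10.1.7.9,host.example.net,22
2001-06-26 15:00:07,10.1.7.9,host.example.net,23
2001-06-26 15:00:08,10.1.7.9,host.example.net,25
2001-06-26 15:00:09,10.1.7.9,host.example.net,110
2001-06-26 09:00:00,10.1.3.5,host.example.net,21
2001-06-26 10:00:00,10.1.3.5,host.example.net,22
2001-06-26 11:00:00,10.1.3.5,host.example.net,23
2001-06-26 12:00:00,10.1.3.5,host.example.net,25
2001-06-26 13:00:00,10.1.3.5,host.example.net,80
truncated line
""".splitlines()

def parse(lines):
    """Yield (time, client, dest, port); skip rows that do not parse."""
    for row in csv.reader(lines):
        try:
            ts, client, dest, port = (f.strip() for f in row)
            when = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
            yield when, client, dest.lower(), int(port)
        except ValueError:
            continue  # wrong field count, bad timestamp or bad port

def find_port_scanners(lines, min_ports=5, window_seconds=60):
    """Return {(client, dest): most distinct ports seen inside one window}."""
    window = timedelta(seconds=window_seconds)
    events = defaultdict(list)
    for when, client, dest, port in sorted(parse(lines)):
        events[(client, dest)].append((when, port))
    flagged = {}
    for key, hits in events.items():
        start = best = 0
        for end in range(len(hits)):
            while hits[end][0] - hits[start][0] > window:
                start += 1  # drop requests older than the window
            best = max(best, len({p for _, p in hits[start:end + 1]}))
        if best >= min_ports:
            flagged[key] = best
    return flagged

if __name__ == "__main__":
    print(find_port_scanners(SAMPLE_LOG))
```

Widening `window_seconds` also catches the slow client in the sample, at the cost of more false positives from ordinary browsing.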