From: dcdave (dcdaveatt.net)
Date: Wed Jun 27 2001 - 12:26:03 CDT
Sounds like a good argument for an IDS...
HIDS can be configured to do string monitoring on the logs, and NIDS can
watch the network traffic, BOTH going and coming, if placed in the right
places (seems like some folk forget this feature). With 5k users, you will
need several to cover the volume, reporting to a central console, just as
you likely have more than one machine proxying....
----- Original Message -----
From: "Steven Sporen" <sporensecnet.co.za>
Sent: Tuesday, June 26, 2001 3:37 PM
Subject: Detecting internal users abusing the internet. MS-PROXY
> I have a situation where we have a large client who has about 5000
> employees on their private network. All these users use MS Proxy through
> an internal cache network to exit onto the Internet. I was hoping someone
> could give some sensible advice regarding the monitoring and use of MS Proxy. Is
> it possible to detect if an internal user is for example port scanning
> on the internet? Are there good tools for processing the log files of MS
> Proxy? Any other constructive comments would be appreciated!
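
The log-monitoring idea discussed in this thread, as an added example that is not part of either poster's message: a sliding-window check that flags internal clients requesting an unusual number of distinct host:port targets through the proxy. The four-field log layout, the function names, the 60-second window and the threshold of 10 are assumptions made for illustration; this is not MS Proxy's actual log format, and the sample lines are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def sample_log():
    """Constructed sample lines (not real proxy output) in an assumed layout:
    client_ip, timestamp, destination_host, destination_port"""
    lines = ["10.1.4.22, 2001-06-26 15:30:%02d, www.example.com, 80" % s
             for s in range(0, 50, 10)]          # ordinary browsing, one target
    lines += ["10.1.7.9, 2001-06-26 15:31:%02d, 192.0.2.10, %d" % (i, 20 + i)
              for i in range(30)]                # 30 different ports in 30 s
    lines.append("truncated or malformed line")  # must be skipped, not crash
    return lines

def parse(lines):
    """Yield (client, time, host, port) for each well-formed line."""
    for line in lines:
        parts = [p.strip() for p in line.split(",")]
        if len(parts) != 4 or not parts[3].isdigit():
            continue
        try:
            when = datetime.strptime(parts[1], "%Y-%m-%d %H:%M:%S")
        except ValueError:
            continue
        yield parts[0], when, parts[2], int(parts[3])

def find_scanners(lines, window=timedelta(seconds=60), threshold=10):
    """Return {client: peak count of distinct (host, port) targets seen
    inside any sliding window}, for clients at or above the threshold."""
    per_client = defaultdict(list)
    for client, when, host, port in parse(lines):
        per_client[client].append((when, (host, port)))
    flagged = {}
    for client, events in per_client.items():
        events.sort(key=lambda e: e[0])
        start, peak, in_window = 0, 0, defaultdict(int)
        for when, target in events:
            in_window[target] += 1
            while when - events[start][0] > window:   # expire old requests
                old = events[start][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            peak = max(peak, len(in_window))
        if peak >= threshold:
            flagged[client] = peak
    return flagged

if __name__ == "__main__":
    for client, peak in find_scanners(sample_log()).items():
        print(f"{client}: {peak} distinct host:port targets within 60 s")
```

Only requests that pass through the proxy and are written to its log can be seen this way; traffic that bypasses the proxy needs the network-side monitoring mentioned in the reply above.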