Are there ways to monitor Internet Policy with VPN/ISP solutions?

Rick Smith rick_smith at securecomputing.com
Thu Jul 15 17:45:15 EDT 1999


At 10:57 AM 7/14/99 EDT, Brent Jarvis wrote:

>I am very fresh to this technology and have been doing some preliminary
>investigation on implementing a VPN solution using a tunnel between an ISP
>and our company.

It's not clear what you mean by this -- it sounds as if you're encrypting a
phone line from your company to the phone company central office. The phone
call can still be tapped as it travels from the phone company to the party
being called. Well, substitute 'Internet' for 'phone' and 'ISP' for 'phone
company.'

> One concern I have is, if we lose the ability to monitor employee
>activity on the WEB, then it will be difficult to enforce our policy. What
>techniques are there to retain the ability to monitor WEB activity and what
>are the costs.

The only way to monitor employee activity is if all employee traffic passes
through some control point in your network. This is why many companies have
only one (or a few) centralized point of presence on the Internet. You
install a firewall/VPN/monitoring suite at your point of presence, and use
the monitoring capabilities to detect and possibly enforce your policy.

Note that you can't enforce a policy if everyone uses desktop modems to
access the Internet, or if you have dozens of branch offices and each one
communicates directly to the Internet.

>I prefer not to link back into our company before going to the
>Internet.

I guess that means you have numerous branch offices that link directly to
the Internet. One way to enforce policy at numerous sites is to install
firewalls with Web filtering at each site. It's expensive, though.

> Also are there others on the list that have opted to not monitor WEB
>activity and if so did this decision come back to bite you later.

It's hard to predict which choice will cause the most trouble long-term.
You can add Web filtering later if you need to. Much of it depends on
cultural aspects of your organization and community. Meanwhile try to
establish a way to keep logs (periodically if not continuously) of Web
usage and visually examine them for signs of possible trouble. Sometimes
you can enforce your policy simply by letting people know that you can
monitor their behavior and will inform them of misuse.

Rick.
smith at securecomputing.com
