Sequel Net Access Manager

Sequel Technology's Sequel Net Access Manager lets users create comprehensive policies that dictate how and when users can access Internet resources.

Michael P. Deignan

October 1, 1997


Keep an eye on your network activity

Managing your employees' access to Internet resources is time consuming. Your IS staff needs access to FTP so that they can download the latest and greatest drivers and patches from your vendors, but can you ensure that they also won't download photos from some x-rated Web site? Firewalls are typically not adequate for this task: They help protect your internal network from outside villains, but they often do not provide the internal protection and tracking that businesses want. But Sequel Technology's Sequel Net Access Manager can do the job.

You can use Sequel Net Access Manager to control access to the Internet from inside your company. This software lets you create comprehensive policies that dictate how and when your users can access Internet resources. You can create policies for individual users, for groups, or for the company. Within the policy framework, you can control Internet access several ways: by network protocol, time, site, and amount of traffic. Let's look at these options in more detail.

Maintaining Control
Managing access by network protocol means letting users access only specific Internet features. For instance, you can let a group of users access the Web but not use FTP or remote execution or access functions (e.g., rexec and Telnet). By adding an application protocol (such as FTP) to the software's configuration, you can enable or disable access to the protocol for individual users or groups. You can also enable access to the protocol only at certain times. Or you can prevent users from downloading certain file types (e.g., .bmp or .jpg files) by basing access permissions on file types.

Another way to restrict Internet access is to set access permissions to restrict the sites your users can connect to. For instance, you might want to let only members of your IS department access sites maintained by vendors whose equipment you use. An alternative is to allow access to all sites, except those you identify in your system's configuration. Unfortunately, you cannot mix and match these approaches. Implementing restrictions based on sites can be a big headache. Enabling access to only sites in your system's setup means you constantly have to add new sites your users need to access. Blocking sites is a better approach, but it requires that you monitor Internet activity and block any sites that users are abusing.

You can limit the amount of activity an individual user or group can generate. This feature--traffic quotas--lets you restrict the amount of information a user or group can pass through your Internet pipeline during any 24-hour period. For instance, you can assign the marketing group a higher traffic quota than the accounting group. Or you can assign individual users quota limits. When a user or groups of users exceed their traffic quota (measured in megabytes per day), the software logs a quota violation in the program's database.
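The four controls described in this section, sketched as an added example that is not code from Sequel or from the article. The `Policy` fields, the `evaluate` function, the hostnames and the request log are all hypothetical and constructed, and the sketch assumes a quota overrun is recorded rather than blocked, since the article only says it is logged.

```python
import os
from dataclasses import dataclass, field
from datetime import datetime

@dataclass
class Policy:
    """Hypothetical model of the four controls; not Sequel's own schema."""
    protocols: dict            # protocol -> (first_hour, last_hour_exclusive)
    site_mode: str             # "allow_only" or "block_listed"; cannot be mixed
    sites: set                 # hosts the site_mode applies to
    blocked_extensions: set = field(default_factory=set)
    quota_mb_per_day: float = 0.0   # 0 disables the quota
    def __post_init__(self):
        if self.site_mode not in ("allow_only", "block_listed"):
            raise ValueError("site_mode must be allow_only or block_listed")

def evaluate(policy, requests):
    """Return (exceptions, quota_violations) for one user's request log."""
    exceptions, used_mb = [], {}
    for ts, proto, host, path, mb in requests:
        when = datetime.fromisoformat(ts)
        window = policy.protocols.get(proto)
        listed = host.lower() in policy.sites
        if window is None:
            reason = "protocol not permitted"
        elif not (window[0] <= when.hour < window[1]):
            reason = "outside permitted hours"
        elif (policy.site_mode == "allow_only") != listed:  # unlisted or blocked host
            reason = "site not permitted"
        elif os.path.splitext(path)[1].lower() in policy.blocked_extensions:
            reason = "file type not permitted"
        else:
            used_mb[ts[:10]] = used_mb.get(ts[:10], 0.0) + mb  # per calendar day
            continue
        exceptions.append((ts, proto, host, reason))
    cap = policy.quota_mb_per_day  # assumption: an overrun is logged, not blocked
    return exceptions, [(d, t) for d, t in sorted(used_mb.items()) if cap and t > cap]

# Constructed sample policy and log: (timestamp, protocol, host, path, megabytes).
SAMPLE_POLICY = Policy({"http": (0, 24), "ftp": (8, 18)}, "block_listed",
                       {"blocked.example"}, {".jpg", ".bmp"}, 50.0)
SAMPLE_LOG = [
    ("1997-10-01T09:15:00", "ftp", "ftp.vendor.example", "/drivers/nic.zip", 30.0),
    ("1997-10-01T10:00:00", "http", "blocked.example", "/index.html", 1.0),
    ("1997-10-01T11:00:00", "http", "www.vendor.example", "/photo.jpg", 2.0),
    ("1997-10-01T20:30:00", "ftp", "ftp.vendor.example", "/patch.zip", 5.0),
    ("1997-10-01T21:00:00", "telnet", "host.example", "", 0.1),
    ("1997-10-01T22:00:00", "http", "www.vendor.example", "/big.zip", 25.0),
]
```

Calling `evaluate(SAMPLE_POLICY, SAMPLE_LOG)` returns the denied requests with their reasons and the days on which permitted traffic exceeded the quota, which correspond to the Exceptions and Quota Violations reports the review describes later.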

Costly Prerequisites
Installation of Sequel Net Access Manager is somewhat complicated. Before you can install the software, you must make sure your existing network infrastructure is set up properly. You must set up your Windows NT Server as an active, multi-homed router. In non-networkese, this means that your NT Server must have two operational Ethernet cards. One Ethernet card connects to your internal LAN; the other connects to the equipment you use for your Internet connection.

This configuration is necessary because the software must inspect and take action on all Internet-bound packets on your network. If your Internet gateway router were accessible from every machine on the network, packets from your users' machines would bypass the software entirely and go directly to the Internet router. In that case, the software couldn't take corrective action (i.e., block access to sites, limit bandwidth). By placing Sequel Net Access Manager on an NT server between your Internet router and the rest of your LAN, it can effectively intercept all Internet-related activity.

The software's multihoming requirement is perhaps the biggest obstacle to setting up the software. It can also be a serious problem because you must do a significant amount of work to reconfigure your network topology. Instead of setting up their NT server as a multihoming router, most companies have only a firewall machine between their LAN and their Internet telecommunications hardware and have the firewall plug into a port on a hub. This configuration effectively lets every machine on the internal network see the firewall so it can access the Internet. Reconfiguring the physical layout of the network might involve buying additional hardware.

Another prerequisite is that the software's host NT machine have Microsoft SQL Server 6.0 or later. During installation, Sequel Net Access Manager creates a database with several tables to store information about users and access statistics. If you don't already have SQL Server, this requirement can result in another substantial expense.

Getting It Going
You install Sequel Net Access Manager in three phases: You install the software on your NT server, add it to your system configuration, and configure it with your company's user access policies. Installing the software from a CD-ROM is painless. After running the installation program, the software prompts you for the components you want to install: the Client Administrator, the Filter and Sequel Naming Service, and the database. Because the database component can be CPU intensive, you might want to install it on a server other than your dedicated Sequel Net Access Manager server. You can install the Client Administrator program on any NT server. You can install the naming service on either server, but the vendor recommends that you install this component after installing all the other components, especially when you plan to use the software's dynamic user tracking features.

For instance, you can use one machine running SQL Server to house the database so that the database doesn't steal CPU cycles from your NT server. This option is useful if your network connection tends to be busy. You can then use another client computer to run the Client Administrator for administering your Sequel Net Access Manager settings. The final computer is the regular NT machine that acts as the outbound firewall--it runs the filtering and naming components of the Sequel product.

After you install the software, you must add the necessary device drivers--the Sequel Net Access Manager Filter--into your network bindings. From Control Panel, Network, Protocols, click Have Disk to specify the location of the Sequel Net Access Manager files. The final step in the network configuration requires you to know which of the two network cards in your Network, Bindings tab points to the segment of your network where your Internet router resides. You have to disable the Sequel Net Access Manager Filter from this interface card and leave it active for only the Ethernet card that points to the LAN segment where user computers reside.

Controlling Resources
When you complete the installation, you must either disable the software's filtering capability on the Ethernet card leading to your Internet connection, or immediately add all your users, groups, and computers to the Net Access Manager software. Unless you take one of these actions right away, nobody on your LAN can access resources on the Internet when the system hosting Sequel Net Access Manager comes up.

You establish policies for your company with the Client Administrator program. As you see in Screen 1, the Client Administrator program has an NT Explorer-like interface with a list of users and groups defined on the left side of the window and specific policies applicable to the user or group selected appearing on the right side. To monitor but not restrict Internet activity, from Tools, Corporate Defaults, select Allow Undefined Protocols and Enable Logging. These settings let you collect statistics on your users' activities without impeding their access to any sites.

To analyze users' activities, you must add the users to the software's database by clicking the Add User button on the Toolbar. In the dialog box, type the username, logon name, access level, and Sequel Net Access Manager group assignment. If you add a user to a group, you have to add the group first.

One major shortcoming in the software is its lack of communication with the NT security database. Although the software needs to maintain a separate database of users, Sequel Net Access Manager doesn't let you import a user and group listing from an existing NT domain into the software's database. Therefore, if you have a major NT installation with hundreds of users, you have to spend a great deal of time duplicating the user and group listings and keeping both databases up-to-date. Hooks into the NT security database, similar to SQL Server's Security Administrator, to automate some of these functions would be a nice enhancement to the software. The software has an import capability using a comma-separated file format that can save you a little time. To use the import function, use the AddUsers program in the Microsoft Windows NT Server Resource Kit to dump the database, massage the output, and feed it to the import routine.

Using the Policy tabs for each user and group, you can set individual access or group restrictions to Internet resources based on the site restrictions, quota restrictions, and application restrictions described earlier. This capability gives you an incredible amount of control over who can access your Internet pipeline and its programs.

You can also delegate the administration of groups so that one individual isn't responsible for all corporate users. To accommodate this delegation, Sequel Net Access Manager has four access levels to set for each user: None, Manager, Administrator, and System Administrator. Each access level has an increasing level of authority to administer different aspects of the software's operation. For example, you could assign a user Manager authority over the accounting group to let the user individually change the access permissions for the other people within the accounting group.

How Is It Working?
Sequel Net Access Manager would be incomplete without some method for analyzing your Internet activity to determine whether your policies are working or they need adjustment. To help you manage your Internet pipeline better, Sequel gives you six standard reports: Activity, Exceptions, Quota Violations, Profile, User Setup, and Corporate Setup.

The Activity Report lets you generate a detailed account of all user activity. You can create tables or charts to convey information such as site activity, user activity, and hourly traffic. You can tailor the report in many ways, including restricting information by date and sorting data in alphabetical order.

The Exceptions and Quota Violations reports can help you analyze who is being a bad citizen with your Internet pipeline. The Exceptions Report lists detailed rule violations (e.g., users attempting to use FTP when they do not have permission for that resource). The Quota Violations Report shows you who is hogging bandwidth and exceeding daily Internet data transfer limits.

For overall systems management, the Profile, User Setup, and Corporate Setup reports provide you with information about how your Sequel Net Access Manager installation is set up. The Profile Report summarizes permission profiles by user and group, the User Setup Report lists detailed information about each user, and the Corporate Setup Report shows all restriction information for the entire site.

Your Internet Controller
For any business concerned about employee Internet usage, Sequel Net Access Manager is a program you can't do without. The software's comprehensive ability to restrict access to specific Internet resources and monitor Internet use and its rich set of built-in reports make this software a real winner. If you've been holding off connecting your company to the Internet because you're afraid you'll lose employee productivity, wait no longer. Sequel Net Access Manager gives you the control you need to manage your network link.

Sequel Net Access Manager

Contact: Sequel Technology * 425-556-4000 or 800-973-7835
Web: http://www.sequeltech.com
Email: [email protected]
Price: Starts at $999 (for a server and five users)
System Requirements: Windows NT 3.51 or NT 4.0 and Microsoft SQL Server 6.0 or SQL Server 6.5
