Transparent Internet Bandwidth / Usage monitoring (Linux Networking forums, Linux Forums category)
I am interested in creating an internet bandwidth monitoring system for non-profit organizations. These organizations range from 10 to 200 users. The system would only be in place for a week at a time; it is not a long-term solution. It is my understanding that to do this I would need a device that sits between the internet and my firewall (or a device that is my firewall). I thought that a decent Linux box with two Ethernet cards would be well suited to this, but I do not know its impact on a number of issues:

1. Would this computer interfere with routing to internal devices (both those with dedicated IP addresses and those using NAT)?
2. Would the computer be able to take the load of so much traffic in addition to monitoring?
3. What software should I use?
4. Is there a simpler, reasonably priced, hardware solution?
5. Is it an unbelievable security risk to place a box unprotected on the WAN side of my firewall? Can I place a secondary firewall on the other side?

Thanks in advance.
On Fri, 25 Apr 2008 10:35:47 -0700, Sam wrote:

> I am interested in creating an internet bandwidth monitoring system for
> non-profit organizations. These organizations range from 10 to 200
> users. The system would only be in place for a week at a time, it is not
> a long term solution.
[..]
> 3. What software should I use?

Google for "iptables monitor bandwidth"...

-- 
Regards/mvh Joachim Mæland

If everything seems under control, you're just not going fast enough.
-Mario Andretti
On Apr 26, 6:06 am, Joachim Mæland <jm-n...@profine.net> wrote:

> On Fri, 25 Apr 2008 10:35:47 -0700, Sam wrote:
> > I am interested in creating an internet bandwidth monitoring system for
> > non-profit organizations. These organizations range from 10 to 200
> > users. The system would only be in place for a week at a time, it is not
> > a long term solution.
> [..]
> > 3. What software should I use?
>
> Google for "iptables monitor bandwidth"...
>
> --
> Regards/mvh Joachim Mæland
>
> If everything seems under control, you're just not going fast enough.
> -Mario Andretti

I had come across iptables, which seems to do what I want. Most of the sites that mention it, however, cite it as a way to monitor personal bandwidth, not organization-wide bandwidth. While clearly it would work for that purpose, my concern is routing and security. Any thoughts on those topics?
On Sat, 26 Apr 2008 21:00:19 -0700, Sam wrote:

> I had come across iptables, which seems to do what I want. Most of the
> sites that mention it, however, cite it as a way to monitor personal
> bandwidth, not organization-wide bandwidth. While clearly it would
> work for that purpose, my concern is routing and security. Any thoughts
> on those topics?

This article shows how to set up counters on a host/subnet basis:
http://www.linux.com/articles/50649

1. Adding an iptables-enabled bridge/router between your current firewall and WAN will surely not pose additional security risks to your LAN. This setup, however, is not able to separate traffic on a subnet/host basis (in your LAN).

2. Adding an iptables-enabled bridge/router between your current firewall and LAN subnets/hosts does not pose additional security risks to your LAN, unless you make it reachable from the WAN side of the firewall.

3. I can't see why adding custom chains for differential monitoring to an existing iptables-enabled firewall would have security implications. Heck; iptables is the Linux firewall, and has been, almost since dinosaurs walked the earth.

Reading counters from the bridge/firewall might disclose sensitive information about your LAN and traffic patterns, but there's nothing to suggest that a cracker can read those counters without owning the bridge/firewall/router in the first place.

-- 
Regards/mvh Joachim Mæland

If everything seems under control, you're just not going fast enough.
-Mario Andretti
On Apr 27, 2:29 am, Joachim Mæland <jm-n...@profine.net> wrote:

> On Sat, 26 Apr 2008 21:00:19 -0700, Sam wrote:
> > I had come across iptables, which seems to do what I want. Most of the
> > sites that mention it, however, cite it as a way to monitor personal
> > bandwidth, not organization-wide bandwidth. While clearly it would
> > work for that purpose, my concern is routing and security. Any thoughts
> > on those topics?
>
> This article shows how to set up counters on a host/subnet basis:
> http://www.linux.com/articles/50649
>
> 1. Adding an iptables-enabled bridge/router between your current firewall
> and WAN will surely not pose additional security risks to your LAN. This
> setup, however, is not able to separate traffic on a subnet/host basis (in
> your LAN).
>
> 2. Adding an iptables-enabled bridge/router between your current firewall
> and LAN subnets/hosts does not pose additional security risks to your
> LAN, unless you make it reachable from the WAN side of the firewall.
>
> 3. I can't see why adding custom chains for differential monitoring to an
> existing iptables-enabled firewall would have security implications.
> Heck; iptables is the Linux firewall, and has been, almost since
> dinosaurs walked the earth.
>
> Reading counters from the bridge/firewall might disclose sensitive
> information about your LAN and traffic patterns, but there's nothing to
> suggest that a cracker can read those counters without owning the bridge/
> firewall/router in the first place.
>
> --
> Regards/mvh Joachim Mæland
>
> If everything seems under control, you're just not going fast enough.
> -Mario Andretti

How would routing work? Could computers with dedicated external IPs still use those IPs inside of the iptables box?
On Sun, 27 Apr 2008 14:07:52 -0700, Sam wrote:

> How would routing work?

Unless building a bridge or running on the firewall itself: not very easy to implement, and will normally require NAT.

> Could computers with dedicated external IPs still use those IPs inside
> of the iptables box?

Yes, if you build a bridge (and possibly manipulate MAC addresses on the bridge). That would be my preferred solution, if I had to stay away from modifying the chains on the firewall.

Sorry to say, your questions suggest a necessity for some heavy-duty networking, firewall and bridge-building reading... This is a good start:
http://tldp.org/HOWTO/HOWTO-INDEX/ne...html#NETBRIDGE

BTW: Recent distributions do NOT require patching or compiling for bridging to work. Just search your package repository for bridge or bridge-utils and install what you need.

-- 
Regards/mvh Joachim Mæland

If everything seems under control, you're just not going fast enough.
-Mario Andretti