SNEAK PREVIEW
SurfControl SuperScout 3.0 Brought Down by Bugs

November 13, 2000

By Michael J. DeMaria

In the era of Napster, many companies and schools have implemented an acceptable-use policy for their networks with regard to Internet browsing. These policies dictate the rules as well as what is considered proper content for networks. A policy is difficult to enforce, however, if you can't determine who is breaking the rules. SurfControl's SuperScout 3.0 merges the capabilities of its SurfControl, SurfWatch and Little Brother packages, letting you monitor employees and categorize the sites they're visiting, as well as block sites, ports and file types. Unfortunately, my testing showed this product needs a round of bug fixes before it's ready for deployment on large networks.

SurfControl makes three arguments as to why filtering software is good for a business. For one, it helps deter unproductive Internet usage. Filtering software also helps a company better manage bandwidth--sites like Napster or RealVideo, for example, sap bandwidth. And finally there is workplace liability: A firm can be the target of a sexual harassment lawsuit if employees are accessing inappropriate materials. Monitoring software lets you easily identify policy-breakers.

A SuperScout server is essentially a giant, glorified packet sniffer that works at the port and URL layer. Information is logged to a Microsoft Access database, included with the product, or to another SQL database. For high-bandwidth networks, you'll want to use a separate Microsoft SQL 7 server because it works faster and more efficiently. One SuperScout server, however, may not be able to keep up with T3-level traffic. Given the product's lack of built-in load-balancing features, you may need to put a few SuperScout servers across strategically placed backbone links on your network and write data to a centralized, dedicated Microsoft SQL server.
As network packets arrive, the software examines the URL and determines what type of site is being accessed. The software also can communicate with a Microsoft Windows NT Server to determine which user is logged into the workstation. So instead of monitoring 192.168.1.174, you can see engineers\demaria, for example. Reports and filtering rules can be created for SuperScout groups of users as well, but each user can be a member of only one group.

Classified Information

Deep in the halls of SurfControl, people scour the Internet, classifying sites as computing, search engine, entertainment, adult and so on. SurfControl has a list of 1.4 million sites that the company claims is updated regularly. During my tests, about half the traffic captured was not in the database. And the demo license I received did not allow for category database updates. Although it's possible that the newest database will perform better, the Internet changes faster than humans can categorize it, so a large portion of site classifications will likely be missed. You also can set up keyword blocking, such as blocking all sites that contain xxx in their domain names.

The report-analysis aspect of the monitoring software is informative, when it works. You can generate reports showing bar graphs and pie charts on site categorization, protocols used (based on TCP port numbers), usage over time, top number of sites and users, and so on. But in my tests on a large network, I found this feature useless. I took a dual 600-MHz system with 1 GB of RAM, running SQL Server 7.0 under Windows NT 4.0 SP4, and attached it to the Syracuse University Internet connection overnight. It reported 17,656 hits. However, category lists, types of traffic (HTTP, FTP, telnet and so on) transmitted, top users and other reporting options recorded wrong numbers. For example, the reports said less than 2 MB of data was transferred overnight across the university network.
In response to my query, SurfControl tech support said there is a known problem with the program modules responsible for generating and displaying reports. On larger databases, they sometimes fail. The company plans a maintenance release this month to fix the problem.

The filtering and bandwidth-control features worked correctly. The procedure is simple: SuperScout runs every packet it comes across through a series of rules, similar to the way a firewall works. When a client tries to access a prohibited Web site, SuperScout sends a Web page to the client machine with faked headers, and then sends a TCP reset to both ends of the connection. The user should see only a denied access page.

You install the filtering server transparently, with no desktop configuration changes needed. It will also work with Microsoft Proxy Server. You can specify individual IPs, MAC (Media Access Control) addresses, subnets, NT domain objects or a custom combination of these to set up access rules. Support includes blocking individual sites, whole domains or even categories. You can also set it up so blocking is done at certain times. For example, you can have financial sites blocked for all users except the IS staff from 8 a.m. to 5 p.m.

The only problem is that there is no blocking guarantee, especially when dealing with heavy loads. SurfControl said a teaser page, or perhaps the first page of a site, might get through before the SuperScout server can respond. On my low-traffic network of less than 5 Mbps, I got a few teaser pages. It's likely that a high-traffic network would suffer a bit more.

The bandwidth-control mechanism lets you block content by port or by analyzing the URL. SuperScout lets you deny traffic from URLs ending with extensions such as .rm or .mp3. Note that this only looks at the URL, not the content. Renaming beachboys.mp3 to beachboys.jpg is a workaround.

E-Mail Notifications

The only form of reporting rule violations is by e-mail.
Each rule can be individually set to trigger an e-mail message. The e-mail can comprise the user's name, site accessed, category, time stamp and which rule was broken. If SuperScout catches the blocked site first, you get one e-mail message. If the remote site starts sending back content first, however, the user's browser may try to download other elements. Each of those connections will be blocked, and an individual e-mail message will be sent for each element. I got 16 e-mails after trying to visit two blocked sites. I would like to see a way to compile one big list of violations. You may need to write scripts and use procmail to make the data easier to digest.

There is no undo in the filtering program. While you need to click "commit changes" for any policy changes to take effect, if you make a mistake, the program is unforgiving. Likewise, there is no way to export or import the rule set.

With more beta testing, SuperScout could become quite useful. In small networks, manually checking the database for violators is possible, but until a bug release is out, the product isn't ready for the enterprise.

Michael J. DeMaria is a system administrator in Syracuse, N.Y. Send your comments on this article to him at demaria@nand.net.
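The review notes that the extension rule looks only at the URL, so a renamed file passes. The sketch below is an added example, not SuperScout code: it sets a URL-extension rule beside a check of the payload's leading bytes. The host names and byte samples are constructed, and the function names are hypothetical.

```python
import posixpath
from typing import Optional
from urllib.parse import urlsplit

BLOCKED_EXTENSIONS = {".rm", ".mp3"}      # extensions the review names
BLOCKED_MEDIA = {"realmedia", "mp3"}      # the same types, identified by content


def url_rule_blocks(url: str) -> bool:
    """URL-only rule: deny when the path ends in a listed extension."""
    ext = posixpath.splitext(urlsplit(url).path)[1].lower()
    return ext in BLOCKED_EXTENSIONS


def sniff_media(body: bytes) -> Optional[str]:
    """Identify the payload from its leading bytes, ignoring the URL."""
    if body.startswith(b".RMF"):
        return "realmedia"
    if body.startswith(b"ID3"):
        return "mp3"                       # MP3 carrying an ID3v2 tag
    if len(body) >= 2 and body[0] == 0xFF:
        b1 = body[1]
        # MPEG audio frame header: 11 sync bits, valid version, Layer III.
        if (b1 & 0xE0) == 0xE0 and (b1 & 0x18) != 0x08 and (b1 & 0x06) == 0x02:
            return "mp3"
    if body.startswith(b"\xff\xd8\xff"):
        return "jpeg"
    return None


def content_rule_blocks(body: bytes) -> bool:
    return sniff_media(body) in BLOCKED_MEDIA


# Constructed samples: (URL, first bytes of the response body).
SAMPLES = [
    ("http://media.example.test/beachboys.mp3", b"ID3\x03\x00\x00\x00\x00\x0f\x76"),
    ("http://media.example.test/beachboys.jpg", b"ID3\x03\x00\x00\x00\x00\x0f\x76"),  # renamed MP3
    ("http://media.example.test/raw.jpg", b"\xff\xfb\x90\x64\x00\x00"),   # untagged MP3
    ("http://media.example.test/photo.jpg", b"\xff\xd8\xff\xe0\x00\x10JFIF"),
    ("http://media.example.test/clip.rm", b".RMF\x00\x00\x00\x12"),
]


def compare(samples):
    """Return (url, blocked_by_url_rule, blocked_by_content_rule) per sample."""
    return [(u, url_rule_blocks(u), content_rule_blocks(b)) for u, b in samples]


if __name__ == "__main__":
    for url, by_url, by_content in compare(SAMPLES):
        print(f"{url:45} url_rule={by_url!s:5} content_rule={by_content}")
```

A content check needs the first bytes of the response, so it acts later than a URL rule and works best alongside one.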
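The per-element notification flood described under E-Mail Notifications can be collapsed into one row per user, site and rule with a short script. This is an added example, not part of the product or the article: the "Key: value" mail body layout, the rule names and the host names are assumptions, since the article lists the fields but not their format.

```python
from email import message_from_string
from urllib.parse import urlsplit


def make_note(user, url, category, stamp, rule):
    """Build one constructed notification; the body layout is an assumption."""
    return ("From: superscout@mail.example.test\nSubject: Rule violation\n\n"
            f"User: {user}\nSite: {url}\nCategory: {category}\n"
            f"Time: {stamp}\nRule: {rule}\n")


# Constructed inbox: one page visit per site, one mail per blocked element.
SAMPLE = [
    make_note(r"engineers\demaria", f"http://blocked-one.example.test{p}",
              "Adult", f"2000-11-01 09:14:0{i}", "Block adult sites")
    for i, p in enumerate(["/", "/logo.gif", "/ad.gif", "/nav.js", "/bg.jpg"])
] + [
    make_note(r"engineers\demaria", f"http://blocked-two.example.test{p}",
              "Entertainment", f"2000-11-01 09:20:1{i}", "Block entertainment 8-5")
    for i, p in enumerate(["/", "/banner.gif", "/style.css"])
]


def parse_note(raw):
    """Return the 'Key: value' body lines of one mail as a lowercase-keyed dict."""
    fields = {}
    for line in message_from_string(raw).get_payload().splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip().lower()] = value.strip()
    return fields


def digest(raw_messages):
    """Collapse per-element mails into one row per (user, host, rule)."""
    rows = {}
    for raw in raw_messages:
        f = parse_note(raw)
        if not {"user", "site", "time", "rule"} <= f.keys():
            continue                      # not a notification; ignore
        host = urlsplit(f["site"]).hostname or f["site"]
        row = rows.setdefault((f["user"], host, f["rule"]), {
            "category": f.get("category", ""), "hits": 0,
            "first": f["time"], "last": f["time"]})
        row["hits"] += 1
        row["first"] = min(row["first"], f["time"])   # ISO-style stamps sort as text
        row["last"] = max(row["last"], f["time"])
    return rows


if __name__ == "__main__":
    for (user, host, rule), row in digest(SAMPLE).items():
        print(user, host, rule, row["hits"], row["first"], row["last"])
```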