Elron's IM required both Web Inspector and Message Inspector to fulfill the minimum requirements of this review. Web Inspector monitors HTTP and telnet traffic, and Message Inspector monitors FTP, POP3, SMTP and NNTP. Like SurfControl's SuperScout, IM excelled at reporting monitored traffic, but it could not touch eSniff 1100's ease of installation and configuration. Also like SuperScout and Pearl Echo, IM not only monitors network activity but also applies filters to block identified, inappropriate content. We focused on the monitoring activity.

Preplanning an IM installation with Web Inspector and Message Inspector requires a lot more thought than simply plugging in an eSniff 1100. In addition to the number of monitored users, both the speed of the Internet connection and the choice of server hardware are paramount concerns.

For a 1,000-user site with a 1.54-Mbps Internet connection, Elron recommends dedicating to IM Web Inspector a 500-MHz Pentium III system with 256 MB of RAM and a 1-GB hard disk running Windows NT 4 Server or Workstation or Windows 2000. For Message Inspector, a 500-MHz Pentium III with 128 MB of RAM running Windows NT 4 would suffice. Both machines require TCP/IP configurations using static IP addresses that include DNS and WINS (Windows Internet Name Service) servers.

Web Inspector and Message Inspector support Ethernet, 10/100 Ethernet and Fast Ethernet NICs capable of promiscuous mode. Gigabit Ethernet NICs are not supported. Using Web Inspector and Message Inspector in our test bed required two servers, one dedicated to each. Both products were connected to a switch in "Monitor Only" (pass-through) mode, allowing for passive monitoring.

Web Inspector

Web Inspector monitors traffic and reports usage by workstation name using DNS and WINS. If workstations are shared among users, you have the option to track and report usage based on Windows NT domain users and groups. Web Inspector also offers a feature unique among the products reviewed: It can require authentication to access the Internet when configured in pass-through mode.

Web Inspector's installation wizard checked for TCP/IP connectivity, DNS configuration and adequate disk space. Once it found the environment to be hospitable, 72 MB of data were installed. And, like Pearl Echo, Web Inspector installed an MSDE database server (run-time version of SQL Server) and created an ODBC (Open Database Connectivity) connection to the database.

Web Inspector, like eSniff 1100 and Pearl Echo, provides its own Web server for management. Before rebooting the test server, we turned off Microsoft Internet Information Server (IIS) 4.0 so as not to conflict with Web Inspector services. As an alternative, we could adjust Web Inspector's Web server port from the default (Port 80).

Although the installation completed without error, we were blindsided after accessing the Web Inspector's real-time monitor to configure workstation management. After entering the IP address for the subnet and the subnet mask, we found that the real-time monitor was not picking up any traffic from the Fast Ethernet card attached to our mirror port. A call to support quickly pinpointed the problem: Web Inspector's installation bound services to the Gigabit Ethernet NIC rather than the Fast Ethernet NIC without giving us the option to choose--even though the product does not support gigabit NICs.

We disabled the gigabit card and ran a utility (multi.exe) to bind Web Inspector to the Fast Ethernet card. The real-time monitor then began to pick up network traffic.

The real-time monitor displays Internet activity from identified workstations by origin and destination and acts as a management tool, enabling us to start and stop services, configure licensing, manage monitored workstations, and administer users and groups. We could also set up groups for reporting purposes and add entries to subject-matter dictionaries used to classify Web sites. Web Inspector, unlike eSniff 1100, lets users view and edit default entries used by its SmartList technology, which classifies URLs and verifies the classification by the content of the page.

Web Inspector's reporting capabilities were second to those of SurfControl's SuperScout but beat those of eSniff 1100 and Pearl Echo. We could access a table of users, workstations and sites, and drill down to the details of each to edit directory information or view more detailed reports, including a complete history of the Web sites accessed sorted by subject matter, date and time. Web Inspector, like SuperScout, can also generate the cost of surfing broken down by user, site or subject matter, such as "sexually explicit." An administrator can set a "SurfTime" cost based on Internet access rates broken down by the minute. Network-utilization breakout graphs also provide a big picture of network usage by protocol -- a very cool feature.

If default reports don't provide enough information, Web Inspector provides an interface to customize your own. We set the beginning date and time and defined the period for reporting to see how well Web Inspector monitored HTTP traffic for each client under test. Web Inspector captured 99.9 percent of the traffic generated and classified test pages along the same lines as eSniff 1100.

IM Message Inspector

IM requires that a second piece of software, Message Inspector, run on a separate server to monitor e-mail and FTP, NNTP, POP3 and SMTP traffic. We look forward to Elron's packaging Web Inspector and Message Inspector together later this year.

Message Inspector installs in two parts: server and client. Elron recommends separate servers, but the Silicon Graphics SGI 1450 box we used for testing had plenty of beef for both. Like Web Inspector, Message Inspector includes a default MSDE database for monitored traffic and installs a Web server (ComServer) to administer the software using the client code. During the installation, we identified the test-bed e-mail domain so Message Inspector would automatically add users as it found them.

The Message Inspector client that administers the system sports a snappy Java2 run-time environment. The Java interface provides an MDI (multiple document interface) with graphical components to administer the server and manage the monitoring activity. When Message Inspector examines FTP transmissions and mail messages, it passes the message through rules that are prioritized and ranked by an administrator. Each rule has defined conditions that specify actions to be taken if a message meets these conditions. Conditions can include editable filters designed to recognize content by specified words or phrases. For example, a filter named "confidential" may include the names of specific enterprise patents.

By default, no rule is set to control network traffic: Messages are allowed through and are tracked in the database. We maintained this configuration and added rules to capture and monitor FTP and NNTP. For FTP, we also needed to adjust a registry entry on the local machine running the Message Inspector. Once our configuration was set, Message Inspector began to capture and report on e-mail and FTP traffic moving on the test domain. All messages could be reviewed by origin, destination, subject line and the conditions that triggered the rule. However, we were taken aback to find that, unlike other products under review, Message Inspector does not capture the full text of the message; full text can be captured only when Message Inspector is used in "Monitor and Control," or pass-through mode, where suspect traffic can be redirected to a mail store. We believe that when Message Inspector identifies a message that could put the enterprise at risk, it should save the full message for follow-up action.

IM Web Inspector 5.1.3, IM Message Inspector 3.0.3. Available: Now. Elron Software, (800) 993-6000; fax (781) 993-6001. www.elronsoftware.com