ESniff Noses Out Mischief Makers

June 25, 2001
By Sean Doherty

Before You Buy

When deciding on a content-monitoring system, you must take into account some peculiarities in scalability and reporting. Clearly, any solution you're considering must scale to the number of users or workstations you plan to monitor and the capacity of your Internet connection. Monitoring systems typically are installed at or near Internet connections or behind firewalls, where they can view all packets sent and received. The content-monitoring tool should be connected to a hub or a switched port capable of mirroring all packets to a mirror or monitor port.

Hardware for content-monitoring tools should be beefy enough to monitor, capture and report on all your network traffic. That means a fast processor and plenty of RAM (for large sites, the reporting function can be off-loaded to Microsoft SQL Server). The NIC must be capable of promiscuous-mode operation so it will view all packets on the network, and 100-Mbps cards should be placed in strategic locations. After all, if the monitoring device is flooded with packets from a hub or switch, it will drop packets without capturing them, becoming a sieve rather than a sentry.

Once the hardware is set, you need to play an old game: interpretation. Content-monitoring systems interpret and classify network communications using filters. Filters are collections of words or phrases placed in subject-matter dictionaries, such as games, pornography and sports. Captured network traffic passes through these filters, which analyze words and phrases found in the body of messages. Rules are triggered based on a mathematical algorithm linked to the number of suspect words or phrases found. When a message is flagged, the monitoring software performs an action -- for example, saving a copy of the message for review.

But here's the catch: Some words have several meanings. For example, rag as a noun means a cloth used for cleaning purposes or a newspaper or is a derogatory description of a person; as a verb, it could mean to complain. The definition becomes clear only when a word or phrase is placed in context. However, the English language has many illogical expressions that can appear vulgar or illiterate. The content-monitoring systems we tested all have their own answers to these problems, and you need to investigate the various approaches to create a comfortable balance between protecting the enterprise and guarding employees' privacy.

For example, eSniff uses proprietary linguistic and mathematical analysis to monitor and report on communications that fall outside of eBoundaries, words and phrases collected in subject-matter dictionaries. Although you can add keywords, you cannot view or edit the default eBoundaries. Elron Software Internet Manager and Pearl Software's Pearl Echo provide tools to view and edit the default dictionaries; however, tuning these systems to match acceptable-use policies may be time-consuming. Even then, multiple site accesses and overlapping rules can be misleading.

Content-monitoring systems often report multiple site accesses from one URL request made by a client. Peripheral matter downloaded with the page, such as banner advertisements and cookies, is also recorded as a site access. Pearl Echo includes a tool to compress these duplicate hits into one site access for reporting purposes. Beyond the multiple-access problem, rules can act in unison on captured traffic. For example, messages whose content overlaps several of eSniff's eBoundaries or categories are reported in every matching category. Many of the sites accessed in our tests overlapped games and shopping, doubling the number of hits we expected in those categories. Elron IM's rules are prioritized: when traffic triggers one rule, it does not trigger another.
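To make the filter mechanics of the last four paragraphs concrete, here is a toy content monitor written for this article (not code from eSniff, Elron IM or Pearl Echo): count-based dictionary rules with a trigger threshold, overlapping versus prioritized category reporting, and collapsing a page load's peripheral fetches into one site access. The dictionaries, threshold, priority order, sample message and request log are all constructed for the example.

```python
import re
from collections import Counter
from urllib.parse import urlparse

# Constructed subject-matter dictionaries (real products ship far larger lists).
# "multiplayer" is deliberately in two categories to show overlapping rules.
DICTIONARIES = {
    "games": {"quake", "frag", "highscore", "multiplayer"},
    "shopping": {"checkout", "cart", "discount", "multiplayer"},
    "sports": {"goal", "league", "playoffs"},
}
THRESHOLD = 2  # suspect words needed before a rule fires; a single hit may be a "rag"-style ambiguity
PRIORITY = ["games", "shopping", "sports"]  # rule order for first-match (prioritized) reporting
PERIPHERAL = re.compile(r"\.(gif|jpg|png|js|css)$|/ads?/", re.I)  # banner ads, images, scripts


def score(text):
    """Count dictionary hits per category in the message body."""
    words = Counter(re.findall(r"[a-z']+", text.lower()))
    return {cat: sum(words[w] for w in terms) for cat, terms in DICTIONARIES.items()}


def classify(text, prioritized=False):
    """Return the categories whose rule fires. prioritized=False reports every
    matching category (overlapping style); prioritized=True reports only the
    first firing rule in PRIORITY order (one rule suppresses the rest)."""
    scores = score(text)
    fired = [cat for cat in PRIORITY if scores[cat] >= THRESHOLD]
    return fired[:1] if prioritized else fired


def collapse_site_accesses(urls):
    """Drop peripheral fetches and count one site access per real page request."""
    pages = [urlparse(u) for u in urls if not PERIPHERAL.search(urlparse(u).path)]
    return Counter(p.hostname for p in pages)


# Constructed sample message and request log for the demonstration.
SAMPLE_MESSAGE = ("Join the multiplayer quake league tonight, then hit the "
                  "checkout for a discount on the multiplayer pack.")
SAMPLE_REQUESTS = [
    "http://games.example/home.html",     # the page the user asked for
    "http://games.example/img/logo.gif",  # peripheral: image
    "http://ads.example/banner.gif",      # peripheral: banner ad
    "http://games.example/ads/promo.js",  # peripheral: ad script
    "http://shop.example/cart.html",      # a second real page request
]

if __name__ == "__main__":
    print(score(SAMPLE_MESSAGE))                       # {'games': 3, 'shopping': 4, 'sports': 1}
    print(classify(SAMPLE_MESSAGE))                    # ['games', 'shopping']
    print(classify(SAMPLE_MESSAGE, prioritized=True))  # ['games']
    print(collapse_site_accesses(SAMPLE_REQUESTS))     # Counter({'games.example': 1, 'shop.example': 1})
```

Note that "sports" scores one hit from "league" but stays below the threshold, which is the trade-off the article describes: a higher threshold suppresses ambiguous single words at the cost of missing short messages.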
