Rollout: eTelemetry's Metron

Metron tracks down network slackers and miscreants and does so out-of-band, so users are unaware that Big Brother is watching.

September 28, 2006

6 Min Read
Network Computing logo

Ever since high-speed internet access became ubiquitous, managers have worried that otherwise dedicated employees would fritter away their days shopping and reading Dilbert cartoons. Although there are several ways to track each person's Internet usage based on IP address, only eTelemetry's Metron appliance can identify the user without forcing that person to authenticate at the gateway.

Metron tracks down network miscreants, and does its job out of band, so users aren't aware that Big Brother is watching. Proxy servers, virus strippers, firewalls and content filters, such as those from SurfControl and Websense, monitor Internet usage and sit in the data path between your users and the Internet. Metron, by contrast, examines Internet traffic from a switch port you've configured to mirror the data flowing on the port connected to the inside of your firewall.Metron is also the only product we've seen that can track not just how much traffic a user generates but also the length of time he spent surfing the Web or exchanging instant messages. And it can send you an e-mail if one of your users exceeds a set threshold.

Metron's $34,995 list price covers two server appliances: the 2U, Opteron-powered Metron, which examines and classifies Internet traffic, and the 1U Locate appliance, which collects information about networked users and computers. Each appliance has two Ethernet connections. One port links to your network for access to its Web interface, and the second port "sniffs" network traffic. To match IP addresses to actual user names, Locate monitors user authentication traffic going to and from your Active Directory domain controller(s) or other LDAP servers. When Locate sees a logon or logoff from a workstation to the directory server, it records the user ID and IP address. The appliance also polls your network switches every 30 minutes to correlate stations' MAC and IP addresses and to track systems to switch ports.

MeTron vs. The CompetitionClick to enlarge in another window

Locate The Loafers

When we tested Locate, we could see which users were logging into systems by MAC or IP address. The appliance also found and disabled the switch port connected to any offending user--a handy feature when our IDS started beeping like crazy. Metron's Web interface displayed bandwidth-utilization graphs for our users by department, as long as the department information was found in Active Directory. We also could drill down to see the biggest bandwidth users and most popular external sites.Although network-management applications like CiscoWorks and Foundry Networks' IronView can track a MAC or IP address to a switch port, Locate trumps this. Network-management tools collect all their data from your routers and switches, so they can tell you where a machine is, but not who's logged in. They also don't keep much historical data, so you can view only the current mapping between a user or MAC address and switch port. With Locate, you can set a "time slice" and view historical data. On networks with short DHCP lease times, this could be the only way to figure out who was "sharing" Snakes on a Plane when the query comes in from the MPAA.

ETelemetry's patented, passive approach to data collection is intriguing. Metron sees the user's login packets as they go to the domain controller, and links the user ID to the source IP address of the packet. Even if your users don't log in to Active Directory, Metron can still track those users, based on information from multiple sources, including SMTP traffic, to determine who's logged into any IP address. E-mail messages, after all, includes both e-mail and IP addresses.

Rough Edges

ETelemetry is a new company and this debut offering has some kinks. Pricing is the biggest hurdle. Barracuda Networks' Web Filter 810, for example, costs $10,000 less, can strip spyware and viruses from user downloads and can handle 200 Mbps of Internet traffic. Metron can only classify a 45-Mbps stream.

Metron and Locate also need some fit-and-finish work. Setting the initial IP address with little buttons on the front panel is bad enough, but there's no Web interface for changing it. Similarly, you can upload a .CSV file with the data for a new switch you're adding to the network, but the only way to edit the data to change the SNMP community strings, for instance, is to upload a new file to replace all the existing data. If you saved the file you initially uploaded you could edit it, but there's no way to even download the existing file.ETelemetry's reliance on port mirroring to see authentication and Internet traffic means Metron and Locate are most suitable for networks where this kind of traffic is concentrated. If you have multiple domain controllers connected to different switches, you'll need to dedicate a $6,000 Locate collection node to each switch. The vendor is also planning to release an agent that will run on each domain controller and report back to Locate.

Similarly, if you have multiple internal connections to your firewall, you'll need to have them all run through a single switch that can mirror the data flows from all those links to a single point where Metron can see it, or run multiple streams through an expensive multiport tap.

Is Monitoring Enough?

The real question we have about eTelemetry Metron is how many enterprises really want an unobtrusive Internet usage monitor. Why not block access to nonbusiness-related sites, using a content filter working with a proxy server or firewall? If you just want to gauge the problem's severity, products such as Marshall's Security Reporting Center can produce a wider range of reports than Metron can. Content filters and some firewalls also classify the sites your users visit. They can report that Joe in finance was among your Top 10 Internet users last week, and that he visited gambling and travel sites.

However, these other solutions can only link network traffic to users if you force them to authenticate a second time at the firewall or proxy server to get access to the Internet. Since Metron learns which IP addresses are associated with each user through Locate, it's transparent to your users. That will cut helpdesk calls from those who can't or won't enter their user ID and password again. nHoward Marks is an NWC contributing editor and founder and chief scientist at Networks Are Our Lives, a network design and consulting firm in Hoboken, N.J. Write to him at [email protected].

Stay informed! Sign up to get expert advice and insight delivered direct to your inbox

You May Also Like

More Insights