Sequel Net Access Manager

Keep an eye on your network activity

Managing your employees access to Internet resources is time consuming. Your IS staff needs access to FTP so that they can download the latest and greatest drivers and patches from your vendors, but can you ensure that they also won't download photos from some x-rated Web site? Firewalls are typically not adequate for this task: They help protect your internal network from outside villains, but they often do not provide the internal protection and tracking that businesses want. But Sequel Technology's Sequel Net Access Manager can do the job.

You can use Sequel Net Access Manager to control access to the Internet from inside your company. This software lets you create comprehensive policies that dictate how and when your users can access Internet resources. You can create policies for individual users, for groups, or for the company. Within the policy framework, you can control Internet access several ways: by network protocol, time, site, and amount of traffic. Let's look at these options in more detail.

Maintaining Control
Managing access by network protocol means letting users access only specific Internet features. For instance, you can let a group of users access the Web but not use FTP or remote execution or access functions (e.g., rexec and Telnet). By adding an application protocol (such as FTP) to the software's configuration, you can enable or disable access to the protocol for individual users or groups. You can also enable access to the protocol only at certain times. Or you can prevent users from downloading certain file types (e.g., .bmp or .jpg files) by basing access permissions on file types.

Another way to restrict Internet access is to set access permissions to restrict the sites your users can connect to. For instance, you might want to let only members of your IS department access sites maintained by vendors whose equipment you use. An alternative is to allow access to all sites, except those you identify in your system's configuration. Unfortunately, you cannot mix and match these approaches. Implementing restrictions based on sites can be a big headache. Enabling access to only sites in your system's setup means you constantly have to add new sites your users need to access. Blocking sites is a better approach, but it requires that you monitor Internet activity and block any sites that users are abusing.

You can limit the amount of activity an individual user or group can generate. This feature--traffic quotas--lets you restrict the amount of information a user or group can pass through your Internet pipeline during any 24-hour period. For instance, you can assign the marketing group a higher traffic quota than the accounting group. Or you can assign individual users quota limits. When a user or groups of users exceed their traffic quota (measured in megabytes per day), the software logs a quota violation in the program's database.

Costly Prerequisites
Installation of Sequel Net Access Manager is somewhat complicated. Before you can install the software, you must make sure your existing network infrastructure is set up properly. You must set up your Windows NT Server as an active, multi-homed router. In non-networkese, this means that your NT Server must have two operational Ethernet cards. One Ethernet card connects to your internal LAN; the other connects to the equipment you use for your Internet connection.

This configuration is necessary because the software must inspect and take action on all Internet-bound packets on your network. If your Internet gateway router were accessible from every machine on the network, packets from your users' machines would bypass the software entirely and go directly to the Internet router. In that case, the software couldn't take corrective action (i.e., block access to sites, limit bandwidth). By placing Sequel Net Access Manager on an NT server between your Internet router and the rest of your LAN, it can effectively intercept all Internet-related activity.

The software's multihoming requirement is perhaps the biggest obstacle to setting up the software. It can also be a serious problem because you must do a significant amount of work to reconfigure your network topology. Instead of setting up their NT server as a multihoming router, most companies have only a firewall machine between their LAN and their Internet telecommunications hardware and have the firewall plug into a port on a hub. This configuration effectively lets every machine on the internal network see the firewall so it can access the Internet. Reconfiguring the physical layout of the network might involve buying additional hardware.

Another prerequisite is that the software's host NT machine have Microsoft SQL Server 6.0 or later. During installation, Sequel Net Access Manager creates a database with several tables to store information about users and access statistics. If you don't already have SQL Server, this requirement can result in another substantial expense.

Getting It Going
You install Sequel Net Access Manager in three phases: You install the software on your NT server, add it to your system configuration, and configure it with your company's user access policies. Installing the software from a CD-ROM is painless. After running the installation program, the software prompts you for the components you want to install: the Client Administrator, the Filter and Sequel Naming Service, and the database. Because the database component can be CPU intensive, you might want to install it on a server other than your dedicated Sequel Net Access Manager server. You can install the Client Administrator program on any NT server. You can install the naming service on either server, but the vendor recommends that you install this component after installing all the other components, especially when you plan to use the software's dynamic user tracking features.

For instance, you can use one machine running SQL Server to house the database so that the database doesn't steal CPU cycles from your NT server. This option is useful if your network connection tends to be busy. You can then use another client computer to run the Client Administrator for administering your Sequel Net Access Manager settings. The final computer is the regular NT machine that acts as the outbound firewall--it runs the filtering and naming components of the Sequel product.

After you install the software, you must add the necessary device drivers--the Sequel Net Access Manager Filter--into your network bindings. From Control Panel, Network, Protocols, click Have Disk to specify the location of the Sequel Net Access Manager files. The final step in the network configuration requires you to know which of the two network cards in your Network, Bindings tab points to the segment of your network where your Internet router resides. You have to disable the Sequel Net Access Manager Filter from this interface card and leave it active for only the Ethernet card that points to the LAN segment where user computers reside.

Controlling Resources
When you complete the installation, you must either disable the software's filtering capability on the Ethernet card leading to your Internet connection, or immediately add all your users, groups, and computers to the Net Access Manager software. Unless you take one of these actions right away, nobody on your LAN can access resources on the Internet when the system hosting Sequel Net Access Manager comes up.

You establish policies for your company with the Client Administrator program. As you see in Screen 1, the Client Administrator program has an NT Explorer-like interface with a list of users and groups defined on the left side of the window and specific policies applicable to the user or group selected appearing on the right side. To monitor but not restrict Internet activity, from Tools, Corporate Defaults, select Allow Undefined Protocols and Enable Logging. These settings let you collect statistics on your users' activities without impeding their access to any sites.

To analyze users' activities, you must add the users to the software's database by clicking the Add User button on the Toolbar. In the dialog box, type the username, logon name, access level, and Sequel Net Access Manager group assignment. If you add a user to a group, you have to add the group first.

One major shortcoming in the software is its lack of communication with the NT security database. Although the software needs to maintain a separate database of users, Sequel Net Access Manager doesn't let you import a user and group listing from an existing NT domain into the software's database. Therefore, if you have a major NT installation with hundreds of users, you have to spend a great deal of time duplicating the user and group listings and keeping both databases up-to-date. Hooks into the NT security database, similar to SQL Server's Security Administrator, to automate some of these functions would be a nice enhancement to the software. The software has an import capability using a comma-separated file format that can save you a little time. To use the import function, use the AddUsers program in the Microsoft Windows NT Server Resource Kit to dump the database, massage the output, and feed it to the import routine.

Using the Policy tabs for each user and group, you can set individual access or group restrictions to Internet resources based on the site restrictions, quota restrictions, and application restrictions described earlier. This capability gives you an incredible amount of control over who can access your Internet pipeline and its programs.

You can also delegate the administration of groups so that one individual isn't responsible for all corporate users. To accommodate this delegation, Sequel Net Access Manager has four access levels to set for each user: None, Manager, Administrator, and System Administrator. Each access level has an increasing level of authority to administer different aspects of the software's operation. For example, you could assign a user Manager authority over the accounting group to let the user individually change the access permissions for the other people within the accounting group.

How Is It Working?
Sequel Net Access Manager would be incomplete without some method for analyzing your Internet activity to determine whether your policies are working or they need adjustment. To help you manage your Internet pipeline better, Sequel gives you six standard reports: Activity, Exceptions, Quota Violations, Profile, User Setup, and Corporate Setup.

The Activity Report lets you generate a detailed account of all user activity. You can create tables or charts to convey information such as site activity, user activity, and hourly traffic. You can tailor the report in many ways, including restricting information by date and sorting data in alphabetical order.

The Exceptions and Quota Violations reports can help you analyze who is being a bad citizen with your Internet pipeline. The Exceptions Report lists detailed rule violations (e.g., users attempting to use FTP when they do not have permission for that resource). The Quota Violations Report shows you who is hogging bandwidth and exceeding daily Internet data transfer limits.

For overall systems management, the Profile, User Setup, and Corporate Setup reports provide you with information about how your Sequel Net Access Manager installation is set up. The Profile Report summarizes permission profiles by user and group, the User Setup Report lists detailed information about each user, and the Corporate Setup Report shows all restriction information for the entire site.

Your Internet Controller
For any business concerned about employee Internet usage, Sequel Net Access Manager is a program you can't do without. The software's comprehensive ability to restrict access to specific Internet resources and monitor Internet use and its rich set of built-in reports makes this software a real winner. If you've been holding off connecting your company to the Internet because you're afraid you'll lose employee productivity, wait no longer. Sequel Net Access Manager gives you the control you need to manage your network link.

Sequel Net Access Manager
Contact: Sequel Technology * 425-556-4000 or 800-973-7835
Email: [email protected]
Price: Starts at $999 (for a server and five users)
System Requirements: Windows NT 3.51 or NT 4.0 and Microsoft SQL Server 6.0 or SQL Server 6.5
TAGS: Security
Hide comments


  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.