Network Monitoring

Discussion in 'Mac OS X Server, Xserve, and Networking' started by 10661776, Aug 17, 2016.

  1. 10661776 macrumors newbie

    10661776

    Joined:
    Aug 16, 2016
    #1
    I have a home network consisting of the following devices, all using wifi.

    -Belkin AC1200 router
    -One retina MacBook Pro
    -One iMac
    -iPad
    -iPhone 6s
    -iPhone 5s
    -Xbox

    I would like to have better control and monitoring of my network, to determine data usage, security, and potential parental content monitoring.

    I have looked into a few different options such as Wireshark, Domotz, etc. but they seem complicated. Is there something that makes sense for a non IT person on a home network?
     
  2. Mikael H macrumors 6502

    Joined:
    Sep 3, 2014
    #2
    Sorry, but in my opinion the only tools that provide relevant data also take some knowledge to set up. Statistics and monitoring are very sensitive to crap in -> crap out style problems.
     
  3. Ajmaq macrumors newbie

    Ajmaq

    Joined:
    Aug 18, 2016
    Location:
    Gatineau
    #3
    Well ... do you want to get the values individually? For the data, you can see if your Internet provider gives you some option to see how much data you use per day. Security and parental... check the parental configuration of each device; otherwise, if you really want to control it all, you need to centralize everything with an MDM.
     
  4. 10661776 thread starter macrumors newbie

    10661776

    Joined:
    Aug 16, 2016
    #4
    Ideally it would be nice to have a dashboard that organizes all the information together, but that I guess doesn't exist yet. It seems that the home network people would be interested in this.

    By MDM you mean Master Data Management? My quick Google search of this leaves me with the impression that it is for very large networks. Are there no solutions for a small home network?
     
  5. Ajmaq macrumors newbie

    Ajmaq

    Joined:
    Aug 18, 2016
    Location:
    Gatineau
    #5
    Hi,

    MDM (Movile Device Management), well... it is like every device is connected and managed; you can set rules and add configurations for each device... (talking about Moviles), but I can see that this is something you can do at home: set up all the devices yourself (so you have like administrator rights on the devices) and from there you can apply the settings, configurations and parental controls that you need.
     
  6. 10661776 thread starter macrumors newbie

    10661776

    Joined:
    Aug 16, 2016
    #6
    I have searched this term "Movile" and have not determined what system has this. Can you give a company or software example?
     
  7. chrfr macrumors 603

    Joined:
    Jul 11, 2009
    #7
    I'm pretty sure that's a typo which was intended to be "mobiles". There's no mobile device management system called Movile.
    Your guess is correct: setting up mobile device management is a nontrivial job that isn't appropriate for a home user.
     
  8. Ajmaq macrumors newbie

    Ajmaq

    Joined:
    Aug 18, 2016
    Location:
    Gatineau
    #8
    OOPS! Sorry for the mistype. The software is expensive and, like chrfr said... isn't appropriate for a home user.
     
  9. hobowankenobi macrumors regular

    Joined:
    Aug 27, 2015
    Location:
    on the land line mr. smith.
    #9
    If you want MDM, check out Meraki. Free up to 100 devices last I checked.

    But, I don't think MDM is really what you need. For the parental stuff, hard to beat OpenDNS. Filters everything on every device on the network, as it gets filtered before it gets to the device. Really great when one considers guest devices....and how they are beyond your control. Easy to set up, nothing much to do once it is configured.

    Free personal version is good, and the paid subscription ($20 per year) is even better.

    Data usage and security is typically handled at the router level. Many better-than-consumer will give you this info. Consider Ubiquiti gear.

    A router that I would like to try—but have not yet—looks promising too, again to filter all devices on the network, plus other goodies like throttling bandwidth and content: Synology RT1900
     
  10. Les Kern macrumors 68040

    Les Kern

    Joined:
    Apr 26, 2002
    Location:
    Alabama
    #10
    Actually OpenDNS doesn't do deep packet inspection, and breaking through to get what you want takes seconds. I ran into this when I was tech director at a school district. After quite a lot of research I settled on Untangle's Composer. Problem is the box was 15 grand. For home use the only sure way is to have white lists or take away the internet altogether. Okay, that's not an option, so the other logical answer is to talk to your kids frankly about it and set expectations. Not telling anyone how to parent here, just offering the options.
    Meraki and something I am familiar with, JAMF, having set up hundreds of iPads with, will not give you any kind of monitoring. And it also works on white lists, the blacklists being full of holes.
    For general monitoring of things like bandwidth, I have had success with Netuse Traffic Monitor. I linked it to my last device before the cloud and, paired with my router, did a decent job. I have also used Wireshark and other similar software solutions, and they are not only complicated but incredibly time-consuming.
    I guess the bottom line here is that unless you are rolling in dough, you're basically screwed.
     
  11. 960design macrumors 68020

    Joined:
    Apr 17, 2012
    Location:
    Destin, FL
    #11
    My first thought was Wireshark. You fear it may be too complex. Well it certainly is fully featured, but you only need to use a small subset of its power. The 'dashboard' is there, but it is something that you will have to read up on and learn about.

    My second thought was pfSense. It is free if you have the computer to run as a firewall or just purchase one from them: https://store.pfsense.org/SG-2220/

    This should be able to do everything you need.

    @Les Kern, pfSense may also be something for you to look into. If you have the hardware (really doesn't require anything expensive, heck Newegg has 2 lan micros for less than $200), but that's why I went with the pfSense box, to support them and the price was about the same, with less work.
     
  12. hobowankenobi macrumors regular

    Joined:
    Aug 27, 2015
    Location:
    on the land line mr. smith.
    #12
    OK, crackable. You say seconds.....but for who? Average kids? A pretty good speed bump to the bad stuff for non-hacking users. Even just being able to set DNS manually is all one needs......but non-tech users + non-admin account on devices are easy, manageable ways to raise the bar.

    But it is still useful...depending on how savvy and determined the users are. Never said OpenDNS was perfect, but compared to nothing, or compared to enterprise grade filtering (which is too $$$ and too ??? for home use), it has real value.

    Sticking with perimeter filtering and control, one is left with a service like OpenDNS, or a router. Most consumers or prosumers will not be able to manage an advanced enterprise router. Assuming this is for a household, choices/feature sets like in this review seem more plausible.

    And Circle looks like a very real option too. The feature set is impressive.
     
  13. Les Kern macrumors 68040

    Les Kern

    Joined:
    Apr 26, 2002
    Location:
    Alabama
    #13
    I agree for the most part... It's good to note that the paid OpenDNS is a lot more powerful, but still, any kid let's say 14 or older who knows how computers work (and so many do now with my experience having to monitor thousands of those little rascals) can break OpenDNS pretty easily. That's the reality, and I think the original poster should know this is a more complicated issue than one might imagine.
    I have not seen the Circle yet, this is the first I have heard of it, and yes, it looks like it could be a winner. Will be looking forward to seeing the more serious reviews. I don't have to worry much any more as I retired from EDU (I'm not THAT old!) and my daughter is 21 now. Nice to keep up with the technology though. Thanks for the heads up.
    --- Post Merged, Aug 25, 2016 ---
    [QUOTE]@Les Kern, pfSense may also be something for you to look into. If you have the hardware (really doesn't require anything expensive, heck Newegg has 2 lan micros for less than $200), but that's why I went with the pfSense box, to support them and the price was about the same, with less work.[/QUOTE]

    Wow, it does packet inspection... at that price too. Looks great. At home I really don't have anything any more. If I get something like that it's for "playing". I have no filters as my daughter is all growed up now and I got out of the tech director game this past July.
     
  14. adam9c1 macrumors 65816

    adam9c1

    Joined:
    May 2, 2012
    Location:
    Chicagoland
    #14
    Please elaborate on how to circumvent OpenDNS?
     
  15. Les Kern macrumors 68040

    Les Kern

    Joined:
    Apr 26, 2002
    Location:
    Alabama
    #15
    First, kids have time, lots of time, and they are relentless. OpenDNS blocks proxies, but not all of them, so the game "whack-a-Mole" comes to mind. Proxies come and go in minutes, and it's impossible to keep up with them. Enterprising kids can even make their OWN proxy with little effort. There is Tor on a pen drive. Just reboot if that hole isn't plugged by the IT team. And when you have BYOD there is no local control. Plus, kids have phones. Too many holes man. But is it a solution? For some it certainly is. Just have to know that going in it isn't a perfect solution.
     
  16. satcomer macrumors 603

    satcomer

    Joined:
    Feb 19, 2008
    Location:
    The Finger Lakes Region
    #16
    All I know is changing the DNS settings in your router (password the router with a good router password) then kids won't have a clue!
     
  17. DJLC macrumors 6502a

    DJLC

    Joined:
    Jul 17, 2005
    Location:
    Mooresville, NC
    #17
    Re: MDM

    Check out http://screen.guide/. Made by the same company that does Mosyle Manager, which is the MDM I'm using at work this year for our student iPads. Very impressed.
     
  18. Eric M, Aug 31, 2016
    Last edited: Aug 31, 2016

    Eric M macrumors member

    Joined:
    Nov 18, 2009
    Location:
    UK
    #18
    Ok, since this is something that I've actually implemented I thought I'd share (I have a mixture of wired and wireless devices on my home network as well but that makes no difference). I used Virtual Appliance Sophos UTM (formerly Astaro) as my home router, firewall, AV transparent proxy and packet scanner all-in-one.

    Mine is currently set up as a VM on Dell T20 with a dedicated NC360 dual gigabit NIC and it works great. Before the move to T20, I used to run it on HP N40L Microserver with no issues whatsoever.
    This will run on any old PC with 4+ GB Ram as long as you supply 2 NICs.

    So the setup looks like this:

    ISP ROUTER (in modem mode) --> SOPHOS UTM --> HP ProCurve Switch (wired clients) --> Apple AirPort Extreme (wireless clients)

    Limitation: once you register for a Home licence, you can manage "only" 50 devices.
    Link to the software: https://www.sophos.com/en/products/free-tools/sophos-utm-home-edition.aspx
    Some more info: https://blogs.sophos.com/tag/sophos-utm-home-edition/
     
  19. hobowankenobi macrumors regular

    Joined:
    Aug 27, 2015
    Location:
    on the land line mr. smith.
    #19
    Thanks for sharing. Have watched this product, but never used it (....a fan of Sophos AV tools).

    How do you like it? Anything better or worse than expected?
     
  20. Michael Anthony macrumors regular

    Joined:
    Oct 18, 2012
    Location:
    Australia
    #20
    Your router should be able to measure data use, show what users are connected, block certain ports and software services, and measure data usage :)
     
  21. Altemose macrumors G3

    Altemose

    Joined:
    Mar 26, 2013
    Location:
    Elkton, Maryland
    #21
    Manually changing the DNS settings on a computer will override what the router settings are.

    Anyone with admin capability can change the DNS settings on their local machine/device. Simply setting OpenDNS on the router simply makes it the default that clients connected to the network use when they use DHCP to get an IP.
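
As an added example (not part of any post in this thread): a defender-side check for the situation post #21 describes, where a device with manually set DNS ignores the resolver handed out by the router. It scans firewall-style connection records for port 53 traffic going to anything other than the approved resolvers. The log format, LAN addresses and router IP are constructed assumptions; 208.67.222.222 and 208.67.220.220 are OpenDNS's public resolvers.

```python
import ipaddress
from collections import defaultdict

# Resolvers clients are expected to use: the router (assumed 192.168.1.1,
# forwarding to OpenDNS) and OpenDNS's public resolvers.
APPROVED = {ipaddress.ip_address(a) for a in
            ("192.168.1.1", "208.67.222.222", "208.67.220.220")}
DNS_PORT = 53

# Constructed sample records, one per line: "time src dst proto dport"
SAMPLE_LOG = """\
2016-08-31T19:02:11 192.168.1.23 192.168.1.1 udp 53
2016-08-31T19:02:12 192.168.1.23 93.184.216.34 tcp 443
2016-08-31T19:05:40 192.168.1.42 8.8.8.8 udp 53
2016-08-31T19:05:41 192.168.1.42 8.8.8.8 udp 53
2016-08-31T19:07:03 192.168.1.57 208.67.222.222 udp 53
2016-08-31T19:09:18 192.168.1.42 8.8.4.4 tcp 53
garbage line that should be skipped
"""

def parse(line):
    """Return (src, dst, proto, dport) or None for a malformed record."""
    parts = line.split()
    if len(parts) != 5:
        return None
    _, src, dst, proto, dport = parts
    try:
        return (ipaddress.ip_address(src), ipaddress.ip_address(dst),
                proto, int(dport))
    except ValueError:
        return None

def find_dns_bypass(log_text, approved=APPROVED):
    """Map each client to the unapproved resolvers it queried, with counts."""
    hits = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        src, dst, _proto, dport = rec
        if dport == DNS_PORT and dst not in approved:
            hits[str(src)][str(dst)] += 1
    return {src: dict(dsts) for src, dsts in hits.items()}

if __name__ == "__main__":
    for src, dsts in find_dns_bypass(SAMPLE_LOG).items():
        print(src, "->", dsts)
```

This only sees lookups sent directly on port 53; traffic carried through a proxy, as post #15 describes, never shows up as DNS. A firewall rule on the router that blocks or redirects outbound port 53 to the approved resolver closes the gap this check reports.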
     
  22. satcomer macrumors 603

    satcomer

    Joined:
    Feb 19, 2008
    Location:
    The Finger Lakes Region
    #22
    Yes but most kids don't go into a router!
     
  23. mildocjr macrumors 65816

    #23
    The problem you will be facing with finding such a program is that every free monitoring program I've seen logs packets, not streams of data. Understand that monitoring your network for an image means that you'll need about (example) 20 packets to get the entire image.

    As nice as it would be just to get the image, they want to make it difficult for Joe Blow to just capture the data in a way that he or she can understand.

    Wireshark is going to be your best bet outside of spending a couple of bucks (in the technology scale), but you'll need to understand how filtering works with regular expressions. You can capture the data, and even save files sent over your network. What you'll find out quickly once you've gotten this far is that the packets are then organized and saved in a raw format, so you'll end up having to guess the file type of an image, text, or movie file.

    You can set up a DNS server that everyone talks to before they hit the Internet and configure it to block specific websites, however, you'll find out that it's about as cumbersome for Joe Blows as Wireshark is. You'll need to know how to set up A, CNAME, and PTR records in order for it to work for you.

    Another alternative for you is to set up a proxy server in place of your DNS server, but keep in mind that it falls under the same vulnerability as a DNS server, all your kid has to do is point to an outside DNS server, it doesn't take much research for a kid trying to get to a site they love to figure out how to do this. So again your best bet is to learn how to use Wireshark. I will warn you, if you have many people in your family who watch Netflix or play online games, the capture file will be huge.

    Not really an easy way around this without having to learn a few things.
     
  24. Eric M macrumors member

    Joined:
    Nov 18, 2009
    Location:
    UK
    #24
    Right where to begin...
    The good:
    • Clean and smart interface
    • Menus and options easily accessible
    • Once configured, rock solid and very efficient (200Mbit/s line and with all the bells and whistles turned on, downloads average @20MB/s)
    • The ability to manage other Sophos products from the same console
    • Sophos UTM portal has a wealth of information on the product and the possible issues you can and will eventually encounter
    The bad:
    • Initial configuration took a while (2-3 hours) so not quite plug and play
    • The logic used by Sophos when creating firewall, NAT, masquerading rules is...well, let's just say here that it takes some getting used to. Coming over from the pfSense camp I expected something well, I don't know, different I guess...
    The ugly:
    • I lost access to the management portal once and for the life of me couldn't get it to reset. Ended up reverting back to the backup image I took the night before. That night I invented a number of new swear words... (to this day I don't remember exactly what I did to break it but I know for a fact that it was me breaking it by tinkering with various options and not the product itself).
    All in all, I like the product a lot. The fact that I can apply different filtering policies, block or allow certain websites (this is a blessing if you have kids) based on keywords, REGEX or pre-defined categories is very handy. Took a while to get used to the interface and the way various rules are created but once past that it was smooth sailing.
     
  25. hobowankenobi macrumors regular

    Joined:
    Aug 27, 2015
    Location:
    on the land line mr. smith.
    #25

    Good deal. Thanks for the review!

    Will continue to watch, and hope it continues to improve.
     
