Associating internet activity with MAC addresses
Tracking web activity is nothing new. For many years, IT managers have tried to get some sort of visibility at the network edge so that they can see what is happening. One of the main drivers for this is the need to keep the network secure. As internet usage constantly grows, malicious, phishing, scamming, and fraudulent sites are also evolving.
While some firewalls and proxy servers include reporting capabilities, most are not up to the job. These systems were designed to block or control access and reporting was just added on at a later date. Server log files do not always have the answer, either. They are meant to provide server administrators with data about the behavior of the server, not what users are doing on the internet.
Some vendors are pitching flow-type tools to address the problem. The idea is that you get flow records from the edge of your network so you can see what IP address is connecting to what. However, as with server logs, NetFlow isn’t a web usage tracker. The main reason for this is that it does not look at HTTP headers, where a lot of the important information is stored.
Track MAC addresses on your network
One of the best data sources for web tracking is packet capture. You can enable packet capturing with SPAN/mirror ports, packet brokers, TAPs, or by using promiscuous mode on virtual platforms. The trick is to pull the relevant information and discard the rest so you don’t end up storing massive packet captures.
Relevant information includes things like MAC address, source IP, destination IP, time, website, URI, and username. You only see the big picture when you have all of these variables in front of you.
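As an added illustration of that extraction step (example code, not from the original article or any vendor's product), the Python below builds a constructed Ethernet/IPv4/TCP/HTTP frame, keeps only the fields listed above and drops everything else, including payloads that carry no HTTP request line. The MAC, IP, host and URI values are made up.

```python
import struct
from datetime import datetime, timezone

def build_frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport, payload):
    """Constructed Ethernet/IPv4/TCP frame used as sample input (checksums left zero, never sent)."""
    eth = bytes.fromhex(dst_mac.replace(":", "")) + bytes.fromhex(src_mac.replace(":", "")) + b"\x08\x00"
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload), 0, 0, 64, 6, 0,
                     bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split("."))))
    return eth + ip + tcp + payload

def extract_record(frame, ts):
    """Return the MAC/IP/time/host/URI record for an HTTP request frame, or None to discard it."""
    if frame[12:14] != b"\x08\x00":          # only IPv4 over Ethernet
        return None
    # The source MAC is the last layer-2 hop's address, so the SPAN/mirror session must sit on
    # the clients' own segment to record device MACs rather than a router's.
    src_mac = ":".join(f"{b:02x}" for b in frame[6:12])
    ihl = (frame[14] & 0x0F) * 4
    if frame[14 + 9] != 6:                    # protocol field: TCP only
        return None
    src_ip = ".".join(map(str, frame[14 + 12:14 + 16]))
    dst_ip = ".".join(map(str, frame[14 + 16:14 + 20]))
    tcp_start = 14 + ihl
    data_off = (frame[tcp_start + 12] >> 4) * 4
    payload = frame[tcp_start + data_off:]
    try:
        request_line, *headers = payload.decode("ascii").split("\r\n")
        method, uri, version = request_line.split(" ")
    except ValueError:                        # binary or non-request payload: nothing worth storing
        return None
    if not version.startswith("HTTP/"):
        return None
    host = next((h.split(":", 1)[1].strip() for h in headers if h.lower().startswith("host:")), "")
    return {"time": ts.isoformat(), "mac": src_mac, "src_ip": src_ip,
            "dst_ip": dst_ip, "method": method, "host": host, "uri": uri}

def records_from_capture(frames, ts):
    """Reduce a list of frames to the compact records; everything else is dropped."""
    return [r for r in (extract_record(f, ts) for f in frames) if r]

# Constructed sample: one HTTP request and one non-HTTP payload from the same device.
SAMPLE_TS = datetime(2016, 4, 12, 9, 30, tzinfo=timezone.utc)
SAMPLE_FRAMES = [
    build_frame("02:1a:2b:3c:4d:5e", "02:00:00:00:00:01", "10.20.30.40", "93.184.216.34", 51234, 80,
                b"GET /departures?terminal=2 HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: x\r\n\r\n"),
    build_frame("02:1a:2b:3c:4d:5e", "02:00:00:00:00:01", "10.20.30.40", "93.184.216.34", 51235, 443,
                b"\x16\x03\x01\x00\x05hello"),
]
```

Run against the sample, only the first frame survives as a record; the second carries no HTTP request line and is discarded rather than stored.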
Why track internet activity?
- Root out the source of ransomware and other security threats. Track it down to specific users, IP addresses, or MAC addresses.
- Maintain logs so that you can respond to third-party requests. Finding the source of Bittorrent use would be a common requirement on open networks.
- Find out why your internet connection is slow. Employees streaming movies is a frequent cause.
- Out-of-band network forensics for troubleshooting or identifying odd network traffic.
Real-life use case
Consider this example: The end user is a large airport in Europe. Their basic requirement and use case is tracking web activity, keeping a historical record of it for a period of one year. And, because most of the users are just passing through—thousands of wireless users every hour—the only way to uniquely identify each user or device is by MAC address.
With a solution that includes an HTTP decoder, they can capture and analyze wire data off a SPAN or mirror port to track proxy or non-proxy traffic by IP or MAC address. They can also drill down to URI level when they need to investigate an incident.
The MAC address variable is an important one when it comes to tracking devices on your network. Most networks use DHCP servers so you cannot rely on tracking activity based on IP addresses only. MAC addresses are unique per device so they will give you a reliable audit trail as to what is happening on your network.