Keep an eye on your network activity
Managing your employees' access to Internet resources is time consuming. Your IS staff needs FTP access so that they can download the latest and greatest drivers and patches from your vendors, but can you ensure that they won't also download photos from some x-rated Web site? Firewalls are typically not adequate for this task: They help protect your internal network from outside villains, but they often do not provide the control over outbound traffic, or the per-user tracking, that businesses want. Sequel Technology's Sequel Net Access Manager is built to do that job.
You can use Sequel Net Access Manager to control access to the Internet
from inside your company. This software lets you create comprehensive policies
that dictate how and when your users can access Internet resources. You can
create policies for individual users, for groups, or for the company. Within the
policy framework, you can control Internet access in several ways: by network
protocol, time of day, destination site, and amount of traffic. Let's look at these options in more detail.
Maintaining Control
Managing access by network protocol means letting users reach only specific Internet services. For instance, you can let a group of users browse the Web but not use FTP or the remote execution and remote access services (e.g., rexec and Telnet). By adding an application protocol (such as FTP) to the software's configuration, you can enable or disable access to that protocol for individual users or groups, or enable it only during certain hours. You can also prevent users from downloading certain file types (e.g., .bmp or .jpg files) by basing access permissions on file type. Keep in mind that a file-type rule can judge only by the name the file is served under, so a renamed or archived file slips past it; treat it as a convenience rather than a hard control.
Another way to restrict Internet access is to set access permissions that
restrict the sites your users can connect to. You can do this in one of two
ways. The first is an allow list: for instance, you might let members of your IS
department reach only the sites maintained by vendors whose equipment you use,
and nothing else. The alternative is a block list: allow access to all sites
except those you identify in your system's configuration. Unfortunately, you
cannot mix and match the two approaches. Site-based restrictions can be a big
headache either way. The allow list is default-deny, which is the safer posture,
but it means you constantly have to add new sites your users legitimately need.
Blocking sites is the more practical approach, but it is default-allow: it
catches only the sites you already know about, so you have to monitor Internet
activity and block sites as you find users abusing them.
You can limit the amount of traffic an individual user or group can
generate. This feature, traffic quotas, lets you restrict the amount of
data a user or group can pass through your Internet pipeline during any
24-hour period. For instance, you can assign the marketing group a higher
traffic quota than the accounting group, or you can assign quota limits to
individual users. When a user or group exceeds its traffic quota
(measured in megabytes per day), the software logs a quota violation in the
program's database.
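To make the policy model above concrete, here is a small policy evaluator in Python that implements the four controls the article describes (protocol, time of day, site, and a daily traffic quota) on top of user, group and company-level policies. This is an added example, not Sequel Net Access Manager's own code: the precedence rule (a user policy beats a group policy, which beats the company policy), the per-user quota accounting, the choice to deny as well as log a quota breach, and every host, user and policy value are assumptions made for the example.

```python
from collections import defaultdict, deque
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

MB = 1024 * 1024


@dataclass
class Policy:
    # protocol -> [(start_hour, end_hour)] windows; [] means any time; absent means denied
    protocols: Dict[str, List[Tuple[int, int]]] = field(default_factory=dict)
    allow_sites: Optional[List[str]] = None  # default-deny list, OR ...
    deny_sites: Optional[List[str]] = None   # ... default-allow list, never both
    blocked_extensions: List[str] = field(default_factory=list)
    quota_mb: Optional[float] = None  # traffic allowed in any rolling 24 hours

    def __post_init__(self):  # the article notes the two site modes cannot be mixed
        if self.allow_sites is not None and self.deny_sites is not None:
            raise ValueError("site allow list and block list cannot be combined")


@dataclass
class Request:
    user: str
    groups: List[str]
    protocol: str  # "http", "ftp", "telnet", ...
    host: str      # destination site
    path: str      # requested file, used for the file-type check
    when: datetime
    size_bytes: int


def _site_in(host: str, sites: List[str]) -> bool:
    return any(host.lower() == s or host.lower().endswith("." + s) for s in sites)


class AccessManager:
    def __init__(self, company: Policy, groups=None, users=None):
        self.company, self.groups, self.users = company, groups or {}, users or {}
        self.usage = defaultdict(deque)  # user -> (when, bytes); per-user accounting is assumed
        self.violations = []             # (user, when, bytes in the 24-hour window)

    def policy_for(self, req: Request) -> Policy:
        """Most specific policy wins: user, then first matching group, then company."""
        if req.user in self.users:
            return self.users[req.user]
        for g in req.groups:
            if g in self.groups:
                return self.groups[g]
        return self.company

    def _used_last_24h(self, user: str, now: datetime) -> int:
        q = self.usage[user]
        while q and q[0][0] < now - timedelta(hours=24):
            q.popleft()  # drop traffic that has aged out of the window
        return sum(b for _, b in q)

    def check(self, req: Request) -> Tuple[bool, str]:
        pol = self.policy_for(req)
        # 1. Protocol, and the hours during which it may be used.
        if req.protocol not in pol.protocols:
            return False, f"protocol {req.protocol} not permitted"
        windows = pol.protocols[req.protocol]
        if windows and not any(s <= req.when.hour < e for s, e in windows):
            return False, f"protocol {req.protocol} not permitted at {req.when:%H:%M}"
        # 2. Destination site, in whichever mode the policy uses.
        if pol.allow_sites is not None and not _site_in(req.host, pol.allow_sites):
            return False, f"site {req.host} not on allow list"
        if pol.deny_sites is not None and _site_in(req.host, pol.deny_sites):
            return False, f"site {req.host} is blocked"
        # 3. File type. This keys on the file name only, so a renamed file evades it.
        name = req.path.rsplit("/", 1)[-1]
        ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
        if ext in pol.blocked_extensions:
            return False, f".{ext} downloads blocked"
        # 4. Traffic quota over a rolling 24 hours; a breach is logged and denied.
        if pol.quota_mb is not None:
            total = self._used_last_24h(req.user, req.when) + req.size_bytes
            if total > pol.quota_mb * MB:
                self.violations.append((req.user, req.when, total))
                return False, "daily traffic quota exceeded"
        self.usage[req.user].append((req.when, req.size_bytes))
        return True, "allowed"


def run_demo() -> Tuple[AccessManager, List[Tuple[bool, str]]]:
    """Constructed policies and requests; returns the manager and one (allowed, reason) per request."""
    company = Policy(protocols={"http": []}, deny_sites=["example-adult.test"],
                     blocked_extensions=["bmp", "jpg"], quota_mb=50)
    is_dept = Policy(protocols={"http": [], "ftp": [(8, 18)], "telnet": [(8, 18)]},
                     allow_sites=["vendor.test", "nic-vendor.test"], quota_mb=500)
    mgr, t = AccessManager(company, groups={"IS": is_dept}), datetime(2024, 1, 15, 10, 0)
    reqs = [
        Request("alice", ["IS"], "ftp", "ftp.vendor.test", "/drivers/nic.zip", t, 5 * MB),
        Request("alice", ["IS"], "ftp", "ftp.vendor.test", "/drivers/nic.zip", t.replace(hour=22), 5 * MB),
        Request("alice", ["IS"], "http", "www.random.test", "/", t, 10_000),
        Request("bob", ["accounting"], "http", "www.example.test", "/gallery/photo.jpg", t, 10_000),
        Request("bob", ["accounting"], "http", "pics.example-adult.test", "/index.html", t, 10_000),
        Request("bob", ["accounting"], "http", "www.example.test", "/big1.zip", t, 30 * MB),
        Request("bob", ["accounting"], "http", "www.example.test", "/big2.zip", t + timedelta(hours=1), 30 * MB),
        Request("bob", ["accounting"], "http", "www.example.test", "/big3.zip", t + timedelta(hours=25), 30 * MB),
    ]
    return mgr, [mgr.check(r) for r in reqs]
```

Running run_demo() walks eight constructed requests through the rules: the IS user's FTP session to a vendor site is allowed at 10:00 and refused at 22:00, her Web request to a non-vendor site fails the allow list, the accounting user (who falls through to the company policy) is stopped by the .jpg rule and the block list, and his third 30 MB download is refused because it would push the rolling 24-hour total past 50 MB, while the same download a day later is allowed again once the earlier traffic has aged out of the window. The ordering of the checks is a design choice: the cheap, deterministic rules (protocol, site) run before the quota check so that a denied request never consumes quota.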
Costly Prerequisites
Installation of Sequel Net Access Manager is somewhat complicated. Before
you can install the software, you must make sure your existing network
infrastructure is set up properly. You must set up your Windows NT Server as an
active, multi-homed router. In non-networkese, this means that your NT Server
must have two operational Ethernet cards with IP forwarding enabled between
them. One Ethernet card connects to your internal LAN; the other connects to
the equipment you use for your Internet connection.
This configuration is necessary because the software must inspect, and take
action on, every Internet-bound packet on your network. If your Internet gateway
router were reachable directly from every machine on the network, packets from
your users' machines would bypass the software entirely and go straight to the
Internet router. In that case, the software couldn't take corrective action
(i.e., block access to sites or limit bandwidth). By placing Sequel Net Access
Manager on an NT server between your Internet router and the rest of your LAN,
you make it an inline choke point that intercepts all Internet-related traffic.
The check to make is simple: the router must sit on a segment that only the NT
server's outside card can reach, and every user workstation's default gateway
must point at the NT server's inside address.
The software's multi-homing requirement is perhaps the biggest obstacle to
setting up the software. It can also be a serious problem because you must do a
significant amount of work to reconfigure your network topology. Instead of
setting up an NT server as a multi-homed router, most companies have only a
firewall machine between their LAN and their Internet telecommunications
hardware, with the firewall plugged into a port on a hub. That configuration
lets every machine on the internal network see the firewall directly so it
can access the Internet. Reconfiguring the physical layout of the network to
put the NT server in the path might involve buying additional hardware.
Another prerequisite is that the software's host NT machine have Microsoft
SQL Server 6.0 or later. During installation, Sequel Net Access Manager creates
a database with several tables to store information about users and access
statistics. If you don't already have SQL Server, this requirement can result in
another substantial expense.
Getting It Going
You install Sequel Net Access Manager in three phases: You install the
software on your NT server, add it to your system configuration, and configure
it with your company's user access policies. Installing the software from a
CD-ROM is painless. After running the installation program, the software prompts
you for the components you want to install: the Client Administrator, the Filter
and Sequel Naming Service, and the database. Because the database component can
be CPU intensive, you might want to install it on a server other than your
dedicated Sequel Net Access Manager server. You can install the Client
Administrator program on any NT server. You can install the naming service on
either server, but the vendor recommends that you install this component after
installing all the other components, especially when you plan to use the
software's dynamic user tracking features.
For instance, you can use one machine running SQL Server to house the
database so that the database doesn't steal CPU cycles from your NT server. This
option is useful if your network connection tends to be busy. You can then use
another client computer to run the Client Administrator for administering your
Sequel Net Access Manager settings. The final computer is the regular NT machine
that acts as the outbound firewall--it runs the filtering and naming components
of the Sequel product.
After you install the software, you must add the necessary device
driver, the Sequel Net Access Manager Filter, to your network bindings. From
Control Panel, Network, Protocols, click Have Disk and specify the location of
the Sequel Net Access Manager files. The final step in the network configuration
requires you to know which of the two network cards on the Network, Bindings
tab faces the segment of your network where your Internet router resides.
You have to disable the Sequel Net Access Manager Filter on that interface
card and leave it active only on the Ethernet card that faces the LAN
segment where user computers reside. Because the two cards look alike in the
Bindings list, confirm which is which by the IP address assigned to each
before you disable the binding.