Transparent Internet Bandwidth / Usage monitoring

I am interested in created an internet bandwidth monitoring system for
non-profit organizations. These organizations range from 10 to 200
users. The system would only be in place for a week at a time, it is
not a long term solution.

It is my understanding that to do this I would need a device that sits
between the internet and my firewall (or a device that is my
firewall).

I thought that a decent linux box with two ethernet cards would be
well suited to this, but I do not know its impact on a number of
issues:

1. Would this computer interfere with routing to internal devices
(both those with dedicated IP addresses and those using NAT)?
2. Would the computer be able to take the load of so much traffic in
addition to monitoring?
3. What software should I use?
4. Is there a simpler, reasonably priced, hardware solution?
5. Is it an unbelievable security risk to place a box unprotected on
the WAN side of my firewall? Can I place a secondary firewall on the
other side?

Thanks in advance.

On Fri, 25 Apr 2008 10:35:47 -0700, Sam wrote:

> I am interested in created an internet bandwidth monitoring system for
> non-profit organizations. These organizations range from 10 to 200
> users. The system would only be in place for a week at a time, it is not
> a long term solution.
[..]
> 3. What software should I use?

Google for "iptables monitor bandwidth"...


--
Regards/mvh Joachim Mæland

If everything seems under control, you're just not going fast enough.
-Mario Andretti

On Apr 26, 6:06*am, Joachim Mæland <jm-n...@profine.net> wrote:
> On Fri, 25 Apr 2008 10:35:47 -0700, Sam wrote:
> > I am interested in created an internet bandwidth monitoring system for
> > non-profit organizations. These organizations range from 10 to 200
> > users. The system would only be in place for a week at a time, it is not
> > a long term solution.
> [..]
> > 3. What software should I use?
>
> Google for "iptables monitor bandwidth"...
>
> --
> Regards/mvh * * Joachim Mæland
>
> If everything seems under control, you're just not going fast enough.
> -Mario Andretti

I had come across iptables, which seems to do what I want. Most of the
sites that mention it, however, cite it as a way to monitor personal
bandwidth, not organizational wide bandwidth. While clearly it would
work for that purpose, my concern is routing and security. Any
thoughts on those topics?

On Sat, 26 Apr 2008 21:00:19 -0700, Sam wrote:

> I had come across iptables, which seems to do what I want. Most of the
> sites that mention it, however, cite it as a way to monitor personal
> bandwidth, not organizational wide bandwidth. While clearly it would
> work for that purpose, my concern is routing and security. Any thoughts
> on those topics?

This article shows how to set up counters on a host/subnet basis:
http://www.linux.com/articles/50649

1. Adding an iptables enabled bridge/router between your current firewall
and WAN will surely not pose additional security risks to your LAN. This
setup however is not able to separate traffic on a subnet/host basis, (in
your LAN).

2. Adding an iptables enabled bridge/router between your current firewall
and LAN subnets/hosts does not pose additional security risks to your
LAN, unless you make it reachable from the WAN side of the firewall.

3. I can't see why adding custom chains for differential monitoring to an
existing iptables enabled firewall would have security implications.
Heck; iptables is the Linux firewall, and has been, almost since
dinosaurs walked the earth.

Reading counters from the bridge/firewall might disclose sensitive
information about your LAN and traffic patterns, but there's nothing to
suggest that a cracker can read those counters, without owning the bridge/
firewall/router in the first place.


--
Regards/mvh Joachim Mæland

If everything seems under control, you're just not going fast enough.
-Mario Andretti

On Apr 27, 2:29*am, Joachim Mæland <jm-n...@profine.net> wrote:
> On Sat, 26 Apr 2008 21:00:19 -0700, Sam wrote:
> > I had come across iptables, which seems to do what I want. Most of the
> > sites that mention it, however, cite it as a way to monitor personal
> > bandwidth, not organizational wide bandwidth. While clearly it would
> > work for that purpose, my concern is routing and security. Any thoughts
> > on those topics?
>
> This article shows how to set up counters on a host/subnet basis:http://www.linux.com/articles/50649
>
> 1. Adding an iptables enabled bridge/router between your current firewall
> and WAN will surely not pose additional security risks to your LAN. This
> setup however is not able to separate traffic on a subnet/host basis, (in
> your LAN).
>
> 2. Adding an iptables enabled bridge/router between your current firewall
> and LAN subnets/hosts does not pose additional security risks to your
> LAN, unless you make it reachable from the WAN side of the firewall.
>
> 3. I can't see why adding custom chains for differential monitoring to an
> existing iptables enabled firewall would have security implications.
> Heck; iptables is the Linux firewall, and has been, almost since
> dinosaurs walked the earth.
>
> Reading counters from the bridge/firewall might disclose sensitive
> information about your LAN and traffic patterns, but there's nothing to
> suggest that a cracker can read those counters, without owning the bridge/
> firewall/router in the first place.
>
> --
> Regards/mvh * * Joachim Mæland
>
> If everything seems under control, you're just not going fast enough.
> -Mario Andretti

How would routing work? Could computers with dedicated external IPs
still use those IPs inside of the iptables box?