Tuesday, November 28, 2006

Ok so I get told to be the porno police by my boss. That's cool. It's already my job, and I already have a system that I understand to check for it. Basically I've got a content filter that emails me when someone attempts to access a blocked site. One block I ignore, but if I get 10 in a row from the same IP address, I check out what they're trying to get to and then take appropriate action.

Now, to find out who is actually trying to get to the "banned" material, I have to match up the IP to the machine that had that IP at the time of the block. That's in one log. After that I have to match up who was logged into that machine at the time of the block. That's in another log. It's a bit of a bear, but considering I've had to investigate this type of thing maybe ten times in 3 years, it's no biggie.
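The two-log lookup described above, written out as an added example that is not part of the original post: flag IPs that trip the "N in a row" rule, then resolve each flagged IP to the machine that held the DHCP lease at the time of the last block, and that machine to the user who was logged on then. The log formats, hostnames, users and timestamps are constructed for the example.

```python
from datetime import datetime

# Constructed sample logs (not from the post): "timestamp key value", one event per line.
FILTER_ALERTS = """\
2006-11-28T09:00:01 10.1.1.23 blocked.example
2006-11-28T09:00:05 10.1.1.23 blocked.example
2006-11-28T09:00:09 10.1.1.40 other.example
2006-11-28T09:00:12 10.1.1.23 blocked.example
2006-11-28T09:00:15 10.1.1.23 blocked.example
2006-11-28T09:00:18 10.1.1.23 blocked.example"""
DHCP_LEASES = """\
2006-11-28T08:30:00 10.1.1.23 ws-lab-07
2006-11-28T08:45:00 10.1.1.40 ws-lab-12
2006-11-28T09:30:00 10.1.1.23 ws-lab-09"""
LOGINS = """\
2006-11-28T08:20:00 ws-lab-07 alice
2006-11-28T08:50:00 ws-lab-07 bob
2006-11-28T08:55:00 ws-lab-12 carol"""

def parse(text):
    """Turn a log into (datetime, key, value) tuples."""
    return [(datetime.fromisoformat(ts), k, v)
            for ts, k, v in (line.split() for line in text.splitlines())]

def flag_ips(alerts, threshold=10):
    """IPs that produced `threshold` consecutive block alerts (the post uses 10 in a row)."""
    flagged, run_ip, run_len = set(), None, 0
    for _, ip, _ in alerts:
        run_len = run_len + 1 if ip == run_ip else 1
        run_ip = ip
        if run_len >= threshold:
            flagged.add(ip)
    return flagged

def latest_before(rows, key, when):
    """Value of the most recent record for `key` stamped at or before `when`.
    Used for both lookups: which host held the IP, and who last logged on to that host."""
    hits = [(ts, v) for ts, k, v in rows if k == key and ts <= when]
    return max(hits)[1] if hits else None

def attribute(alerts, leases, logins, threshold=10):
    """Map each flagged IP to (host, user) as of that IP's last block alert."""
    result = {}
    for ip in flag_ips(alerts, threshold):
        when = max(ts for ts, i, _ in alerts if i == ip)
        host = latest_before(leases, ip, when)
        user = latest_before(logins, host, when) if host else None
        result[ip] = (host, user)
    return result
```

With `threshold=3` (only to keep the sample short) the flagged IP 10.1.1.23 resolves to host ws-lab-07 and user bob; the lease that started after the block and the earlier login on the same host are correctly ignored, which is exactly where a naive "grep the IP" lookup goes wrong.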

Now my boss had the bright idea to order me to make user level blockage reports for all staff on a monthly basis. I tell him I think that I can do that, but it will probably cost him some money. I get to fiddling around inside the Sonic Wall Pro 300 content filter and see that while it won't take LDAP authentication directly from my LDAP server, it does have the capability of doing RADIUS lookups.

"AHA!" says I, and a couple of hours later I have a working RADIUS test server that passes the auth request off to my LDAP server and returns to my content filter a yes/no on the user/pass entered. I know this because my content filter has a RADIUS test thingee in its RADIUS config. Just plug a u/p in and it tests it and says it works. I can also see my RADIUS and LDAP logs that show a successful transaction in both services. "Hunky dory gee whiz," I think, "I can do this thing for free." All it requires is one entry of the u/p when a user fires up his/her browser. This tells the Sonic Wall who's browsing and what username to log it under. Basically I've got usernames and IPs in my logs now.

So far so good. Now it's time to set the reporting end up. Sonic Wall makes reporting software called Viewpoint. It just so happens that buying the Pro 300 gave us free access to Viewpoint. Viewpoint is basically a glorified front-end to a syslogd service. It parses logs and generates reports on things like "Web Usage" and "Blocks Per User". Blammo! Exactly what I'm looking for. I d/l the latest version of the (Windows only) program, install it, and follow the directions for configuring my Sonic Wall to talk to the Viewpoint server. (Basically this is just setting up one syslogd to talk to another).

I triple check everything to make sure all is good, back up my Sonic Wall's config, and turn that shit on. BOOM GOES THE DYNAMITE! All hell breaks loose and the network slows to a crawl. No problem, I think to myself, login to the Sonic Wall and turn that shit off. So I pop in the content filter's IP to login... timeout. I try to get on the web, no problem. I try to get to a blocked site, blocked. I check the Viewpoint server. It was connected to the Sonic Wall at first, but now it's not. I portscan the firewall. 443 is open but I can't get a connection via https. 80 is open but I can't get a connection via http.

Finally, I physically walk down to the content filter, and its activity meter is pegged. I hook up a laptop and fire up Ethereal. The thing is spewing syslogd data so fast that its poor processor can't keep up and other services aren't fielding requests. I go check my system requirements for my user load to ensure that I read what I thought I read. I read what I thought I read and this box should be able to handle a network about 10 times the size of mine with reporting on.

Ok, says I, I can't get in via the web but there has to be a command line interface or at the very least some sort of emergency serial interface that I can login with on a Mac. No nada nunca. Sonic Wall's official "fix" of this problem is to do a firmware reset, !but! not only does this screw my configuration back to zero, but also it uses a "dual-bios" trick to rewrite my firmware back to what shipped from the factory so that my "backup" is basically useless. In the time it takes to get all the settings needed to get the firmware back to where it needs to be, I can just reconfigure the box from scratch...* of course intarwebs access is down the whole time I'm doing this unless I reconfigure my whole network to ignore the content filter (which all other machines see as their gateway router).

So to sum up -- Fuck You Sonic Wall. I'm buying another Barracuda filter.

/and don't get me started about having to pay for security firmware updates. Features I can see, but when you have a bug in your product that allows me to be attacked, that update should be free./

*Not true, you just have to have a Windows machine to restore the mofo. Still getting another cuda.

1 comment:

Anonymous said...

Oh McSey, Be STILL my heart when you go all computer jargon on me!
It's soooooooo darling it gives me the chills!
I wrote today too! Cause I beat Nethack!!!! (there's a dork calling a nerd a geek, huh?)
Hope you are well.
Atz.