Are any of the users on my network using online file sharing services i.e. dropbox, usendit?

  • 1
  • Question
  • Updated 7 years ago
  • Answered
Photo of Aisling Brennan

Aisling Brennan, Official Rep

  • 393 Posts
  • 8 Reply Likes

Posted 8 years ago

  • 1
Photo of Darragh Delaney

Darragh Delaney, Employee

  • 58 Posts
  • 5 Reply Likes
Recently the support team here at NetFort found that the use of online file hosting services is increasing significantly on computer networks. In a lot of cases the networks would host sensitive data. A file hosting service or online file storage provider is an Internet hosting service specifically designed to host static content, typically large files that are not web pages. Typically they allow HTTP and FTP access. These hosting sites are used for many purposes but most common ones are:

1. Users transferring large files externally. In most networks they would be blocked from sending large files via email
2. Users downloading large files like video. Some file hosting sites have auto resume options if downloads get cut off for whatever reason.
3. Users accessing personal data like photos, music and video hosted online.

For the purposes of this blog entry I am going to look at two very popular services which operate in slightly different ways.

1. YouSendIt -
2. Dropbox -

YouSendIt provides a number of services starting off with a free one which allows users to send up to 100MB files up to a pay option which allows users to send unlimited file sizes. It works by getting the sender to enter the recipients' e-mail addresses, attach the file and send it; the recipients receive an e-mail notification with a URL that lets them download the file. It defaults to using encryption via HTTPS.

Dropbox usually involves the installation of client software. There are a total of 10 clients, including versions for Microsoft Windows, Mac OS X, and Linux (official and unofficial), as well as versions for mobile devices, such as Android, Windows Phone 7, iPhone, iPad and BlackBerry, and a web-based client for when no local client is installed. Dropbox offers a free service with 2GB of storage up to their Pro 100 service which offers 100GB of online storage.
Users drag and drop files into specific folders on their systems and these folders synchronise automatically with the Dropbox service. Data is transferred over secure HTTPS connections.

There are two main types of folder available, private and public. The private folders are only accessible by the Dropbox user who uploaded them. Any files or folders created within the public folders are accessible by anyone with the correct link. On Windows the Dropbox data is contained within a ‘My Dropbox’ folder as shown in the image below. The ‘tick box’ associated with each folder signifies that each folder is in synch with its online version.

So what’s the problem?
While these services are very useful both for sending large files, providing a location when your contacts can download your files and provides for online backup of important data they introduce serious security holes into your network and can result in massive bandwidth consumption on your Internet gateways.

From a security point of view users may be sending sensitive data to online folders or directly to contacts or in a worse case situation they place sensitive data within publicly accessible folders. The traffic will just appear as regular web (HTTPS) traffic on the network and most firewalls will be oblivious to the actual content. We have even heard reports of users using their own mobile broadband connections to get data off the network and onto the file sharing sites. This circumvents any filtering which may have been put in place on the corporate firewall or proxy.

These applications can result in massive amounts of data been sent in/out on Internet gateways. A new user to the services can suddenly synch 2GB of data resulting in serious congestion for other users sharing the same network. This becomes even more of a problem if the end users are on the far side of an expensive WAN (wide are connection) link.

Recently Dropbox has been accused of lying to its end users about its privacy and security practices so one would question if it’s the right place for sensitive data to be hosted.

If it’s encrypted then I cannot monitor users, right?

While it is true that full analysis cannot be done with encrypted traffic unless some sort of inline device is used to capture the encryption keys and re-establish the connections you can detect and monitor the activity with the right sort of monitoring tools. There is three types of data that you need to focus on:

1. Website usage analysis. Both direct and proxy based
2. Traffic analysis of all traffic in/out Internet gateway
3. File share traffic between clients and the local file share servers.

To get this data there are also a number of options from enabling auditing on servers to installing agents on clients and servers. However the method I would recommend is to deploy a traffic analysis tool capable of DPI (deep packet inspection) and monitor the Internet gateway(s) and traffic to/from the main file-share servers. To explain this more let’s look at the following network diagram.

The network manager wants to check if users are accessing online file hosting sites and also wants to monitor what files\folders users are accessing on the local network. To meet the requirements a traffic analysis system is deployed (LANGuardian) which is capable of performing DPI and user activity analysis. The core switch is configured to mirror (sometimes referred to as SPAN) traffic on the file server and firewall connections. This allows us to pick up on any user traffic going to/from these services. If they had a proxy server in use I would also monitor this connection.

What sort of reports would I need to run?
For the purposes of this article I am going to use the LANGuardian reports to check for file hosting site activity. You can apply the same principles to other monitoring solutions.

Check website activity
Within the LANGuardian I select Modules\Web\Top Websites from the reporting menu on the left hand side of the GUI. I enter Dropbox as the website and run it for either a current or historical time period. You can also check for multiple sites buy using a search filter like dropbox|yousendit|fileden

The results show that there is Dropbox activity on my network

The next question I want to answer is what sort of data volumes was associated with this activity. To do this I select the report Bandwidth\IP\Traffic Distribution from the left hand reporting menu as users have direct Internet access on my network. For proxy based users it’s much easier by selecting Modules\Web\Top Proxy Clients and use the filters to focus on the client(s) in question. In my case I want to focus on

The report output shows HTTPS traffic and drilling down on this (clicking on blue text) shows that its is associated with the Dropbox service.

Drilldown results

The next question to answer is to see if we can try and figure out what files were uploaded to Dropbox. As its an encrypted protocol we cannot get this information from the connections going between the client and the Dropbox service but we can look at the activity between the client and our file sharing servers at the time the user was accessing the Dropbox service. To do this we select Modules\Windows File Shares\Advanced Reports\Top Clients :: By Volume and use the report filters to focus on the client in question. The output of the report shows traffic volumes associated with file share traffic and drilling down reveals what files were associated with this. In my case I find the traffic was associated with two large MP3 files

While I cannot say for certain that these were the files uploaded to Dropbox it does give me an idea as to what was going on. With Active Directory integration enabled on the LANGuardian I could also get the username associated with this activity.

• As I mentioned at the start of this article use of these file sharing sites is on the increase.
• If users are allowed to access these sites they present a serious security hole for sensitive data
• If you do block access don’t assume users cannot access them. They may use external proxies or anonymizers. We also heard of users using mobile broadband to access the sites.
• If you don’t have something in place already plan to get a traffic analysis system in place at the core of your network to monitor the file servers and internet gateways
• The network protocols may be encrypted between the sites and the online service but you can still pick up the traffic with a decent traffic analysis system
• The network protocols between the clients and the file shares may not be encrypted so you will get a good idea as to what is going on by performing DPI on this data.
Photo of IT-help


  • 52 Posts
  • 2 Reply Likes
The LANGuardian intrusion detection system can identify signatures associated with Dropbox and give you detailed information on the hosts involved such as this one:
ET POLICY Offsite File Backup in Use

It can tell you if users on your network are storing and synchronizing files on Dropbox. You can drill down from a summary report to details of individual users, folders, and file names. You can also see how much bandwidth is being consumed by Dropbox traffic.