
Why Your Firewall Logs Don’t Actually Show What Employees Are Doing

If your IT team is pulling reports directly from your firewall logs and sending them to HR, there is something important you need to understand: those reports are almost certainly not showing you what you think they are.

This is not a criticism of your IT team. It is a structural problem that goes all the way back to how the internet was built. Understanding it explains why investigating employee web activity is so much harder than it looks, and why the tools you choose to do it matter enormously.

A Quick History Lesson That Changes Everything

In the early days of the internet, before the web browser as we know it existed, every service on the internet had its own dedicated channel. Each was clearly separated and easy to identify:

  • Web browsing used one channel
  • Email used another
  • File transfers used another
  • Remote access used another

If you monitored network traffic in those days, you knew exactly what kind of activity generated it. The separation was clean.

Then the browser arrived and transformed everything. As internet use exploded, there was an urgent push to secure web communications. A single encrypted channel became the universal standard. Suddenly the vast majority of all internet communication was flowing through one pipe.

That shift created the foundation of the problem we are dealing with today.

When Everything Moved Into One Channel

As web-based applications took off, they naturally adopted the same communication structure built for websites. Online banking, cloud storage, collaboration tools, and SaaS platforms all followed the same path. Why build something new when the existing infrastructure was already everywhere and already trusted?

The result is that today, a single channel carries an enormous mix of traffic: the websites your employees deliberately visit, the web applications your business relies on, and a long list of activity that has nothing to do with human behavior at all.

That last category is where the real problem lives.

The Traffic Nobody Talks About

Here is what is actually flowing through your network alongside your employees’ web activity, and what ends up recorded in your firewall logs:

  • Operating system and software updates. Microsoft checks for Windows updates. Adobe verifies software licenses. Your endpoint security platform downloads new threat definitions. Every one of those actions generates network connections that get logged alongside everything else.
  • Website trackers. Modern websites are embedded with dozens of third-party tracking scripts that continuously send usage data back to analytics platforms, advertising networks, and content delivery services. A single visit to a news website can silently generate hundreds of outbound connections in the background, none of which represent a deliberate action by your employee.
  • Application background activity. Cloud applications, collaboration platforms, and business software regularly check in with their servers for updates, license validation, and performance data. This happens automatically, continuously, and invisibly throughout the workday.

None of this traffic reflects what an employee chose to do. But it all shows up in the firewall log, recorded exactly the same way as an intentional website visit.

The core problem in plain terms:
Your firewall has no way to distinguish between a connection your employee deliberately made and a connection their computer made automatically in the background. It logs them all the same way. A raw firewall report treats them all the same way. And that means any analysis built on raw firewall data is working with fundamentally flawed information.

The Second Problem: How Firewalls Actually Log Web Activity

Even setting aside all of the background noise, there is a second fundamental issue with reading firewall logs directly.

Firewalls record network connections, not website visits. Those are not the same thing.

When one of your employees opens their browser and navigates to a single website, their computer may establish dozens or even hundreds of separate network connections to fully load that page. The text, images, stylesheets, fonts, and interactive elements of a modern website often come from multiple different servers and domain names. Each connection is logged individually.

So what HR sees when someone forwards them a raw firewall report is not a clean record showing that an employee visited ESPN. It is potentially 100 separate log entries with different domain names, different connection times, and different data volumes that together represent one single website visit. Without something to reconstruct those connections into a coherent browsing session, the data is essentially unreadable to anyone without deep technical expertise.

Asking a non-technical person in HR to draw conclusions from that is not just unhelpful. It creates a genuine liability risk. Disciplinary action taken on the basis of misread or misunderstood firewall data is exactly the kind of situation that leads to serious HR and legal complications.

Why Not Just Use a Screen Recording or Keystroke Tool?

It is a fair question. If the goal is to know what employees are doing online, why not use something that captures everything directly? Screen recordings and keystroke logging tools sound more thorough on the surface. And from a pure marketing standpoint, they often look impressive in a product demo.

The answer comes down to legal reality, and it is significant.

In U.S. case law, infrastructure logs, including firewall logs, are an accepted and well-established legal basis for businesses to monitor activity on company-owned networks and equipment. Employers have a recognized right to monitor how their infrastructure is being used, and properly generated firewall-based reports have consistently held up in workplace investigations, disciplinary proceedings, and litigation.

Screen capture and keystroke logging tools occupy very different legal territory. Depending on your state, your industry, and how those tools are deployed, using them can expose your organization to meaningful legal liability, including privacy-violation claims from employees. The requirements around disclosure and consent are considerably more complex, and any disciplinary action based on that type of monitoring is far more vulnerable to a legal challenge.

There is also a practical reality that rarely gets discussed openly: who is actually going to review the output? Consider what it means to capture screen recordings for an entire workforce. An hour of video per employee per day. Thousands of keystrokes to read through per person. The volume of data these tools produce is completely unmanageable at any realistic scale. They make for compelling product demonstrations. They do not make for workable investigation workflows.

The bottom line on alternative tools:
Firewall-based reporting done correctly gives HR exactly what they need: a clear, accurate, legally defensible record of what an employee did online, in a format anyone can read, generated in minutes rather than hours. The alternatives that appear to offer more actually deliver less, and at a substantially higher legal and operational cost.

Why This Takes More Than a Report Template

Solving the firewall noise problem is not a matter of formatting the log data differently or applying a filter. It requires sophisticated software that can do several things simultaneously:

  • Strip out all non-human background traffic before any analysis begins
  • Reconstruct individual user browsing sessions from potentially hundreds of separate connection records
  • Translate ambiguous technical domain names into recognizable website names that anyone can understand
  • Present the results in a format that a non-technical person in HR or management can read, interpret, and act on

This is precisely what Cyfin was built to do, and why it required a dedicated team of developers to build it. The problem it solves is genuinely complex, even if the output looks simple. That simplicity is the entire point.
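To make the connection-versus-visit distinction and the four requirements above concrete, here is an added example (not Cyfin's code or the post's own) that reads constructed firewall-style lines, drops hypothetical background-traffic patterns, collapses the remaining connections into per-user site visits separated by an assumed five-minute idle gap, and labels each visit with a friendly name. The log format, noise patterns, name map and idle gap are all assumptions made for the illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines (not a real firewall export); assumed columns: time user domain bytes
SAMPLE_LOG = """\
09:00:01 jdoe www.espn.com 48213
09:00:02 jdoe cdn.espn.com 310552
09:00:02 jdoe metrics.example-analytics.net 1203
09:00:03 jdoe fonts.example-cdn.com 22010
09:00:04 jdoe img.espn.com 77102
09:02:30 jdoe update.example-vendor.com 65536
09:45:10 jdoe webmail.example.org 15000
09:45:11 jdoe webmail.example.org 8000
09:52:00 jdoe www.espn.com 5120
10:00:00 jdoe www.espn.com 4096
"""

# Hypothetical patterns for non-human background traffic (updaters, trackers, font CDNs).
NOISE_PATTERNS = [re.compile(p) for p in (r"^update\.", r"analytics", r"tracker", r"^fonts\.")]
# Hypothetical mapping from a site to the name a non-technical reader will recognise.
FRIENDLY_NAMES = {"espn.com": "ESPN", "example.org": "Example Webmail"}
SESSION_GAP = timedelta(minutes=5)  # assumed idle gap that ends one browsing session

def is_noise(domain):
    """True for connections the computer made on its own, not the user."""
    return any(p.search(domain) for p in NOISE_PATTERNS)

def site_of(domain):
    # Simplification: the last two labels are the site (no public-suffix handling).
    return ".".join(domain.split(".")[-2:])

def reconstruct_sessions(log_text):
    """Return {user: [visit, ...]}: each visit collapses the many connections
    behind one site into a single record a non-technical reader can interpret."""
    visits = defaultdict(list)
    for line in log_text.splitlines():
        ts, user, domain, nbytes = line.split()
        if is_noise(domain):
            continue  # strip background traffic before any analysis
        t, site = datetime.strptime(ts, "%H:%M:%S"), site_of(domain)
        cur = visits[user][-1] if visits[user] else None
        if cur and cur["site"] == site and t - cur["end"] <= SESSION_GAP:
            cur["end"], cur["connections"], cur["bytes"] = t, cur["connections"] + 1, cur["bytes"] + int(nbytes)
        else:
            visits[user].append({"site": site, "name": FRIENDLY_NAMES.get(site, site),
                                 "start": t, "end": t, "connections": 1, "bytes": int(nbytes)})
    return dict(visits)
```

Running `reconstruct_sessions(SAMPLE_LOG)` turns ten raw entries into four readable visits, with the tracker, font and update connections removed before anything is counted.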

What This Means for HR and Management

If your organization is trying to investigate employee web activity using raw firewall reports, or any tool that has not specifically solved the noise and session reconstruction problem, you are working with data you cannot trust.

Reports that mix human activity with background noise will overstate what employees are actually doing online. Sessions that span dozens of log entries will be impossible to interpret without proper reconstruction. Any investigation built on that foundation, however well-intentioned, is built on information that will not hold up to scrutiny.

Accurate employee web investigations start with accurate data. Accurate data starts with understanding what firewall logs actually contain. And making that data usable for HR starts with a tool that was specifically designed for that purpose.

About Cyfin

Cyfin by Wavecrest Computing has been purpose-built for employee web use reporting and investigations since 1996. Our noise-filtering engine and session reconstruction technology transform raw firewall log data into clear, human-only reports that HR and management can read, understand, and act on independently, without needing IT to interpret the results.
https://www.wavecrest.net • 321-953-5351