KFSensor Features

KFSensor contains a wealth of sophisticated and essential security features, many of which cannot be found in competing products.

The key design philosophy was to make the product easy and quick to set up and use. The interface is totally GUI based and the pre-configured settings make it suitable for most corporate environments, without the need for extensive configuration.

KFSensor is available in three editions: Standard, Professional and Enterprise.
To compare which features are available in each edition view the Compare Edition page.

Advanced Features

Monitors every port
KFSensor Professional monitors attacks on every TCP and UDP port, as well as detecting ICMP or ping messages. It also monitors all network activity of native Windows server applications, allowing these to act as part of a honeypot configuration.
Remote administration
KFSensor Enterprise Edition contains the ability to manage and monitor multiple honeypot installations. Events from different sensors across the network are concatenated in real time allowing an immediate view of attacks as they happen.

KFSensor uses 3072 bit RSA public/private key authentication and 256 bit AES encryption to provide top-of-the-range security for communication between sensors.

IDS signature engine
KFSensor is the first product to combine the benefits of signature-based IDS with a honeypot system.
Its fast signature search engine has a minimal impact on system performance and can handle thousands of rules.
It is easy to update the rulebase with new rules from different sources and to create new rules directly from an event.

Service Emulation

KFSensor, the Windows honeypot server system, features a number of different types of emulation, both simple and complex. These can even be extended by the use of custom scripts.
Flexible configuration
KFSensor can emulate different services on multiple ports and on different host IP addresses. It is possible to run any emulation on any port.
Multiple scenarios
Different honeypot scenarios can be defined, containing different port and service configurations. It is easy and quick to switch between scenarios while the system is running.
Port listening
The most basic type of trap: it holds open a port, reads the data sent to it and records the event. Most useful in detecting worms.
Banner
More sophisticated than a port listener, the Banner is able to display either a service prompt or an error message. Although limited in its capabilities, the Banner has the advantage of being very easy to configure by a novice user.
Command console
Emulates the Windows command shell, otherwise known as a DOS box. A number of worms bind CMD.EXE to a listening TCP port.
HTTP
This is a fully working web server that correctly emulates Microsoft's IIS web server. It handles the more obscure aspects such as range requests and client side cache controls.
SMTP
The Simple Mail Transfer Protocol emulation is capable of acting as an open relay server, the perfect trap for hackers looking for a target to relay spam.
Windows networking / NetBIOS / SMB / CIFS
KFSensor can emulate all four of Microsoft's NetBIOS and SMB/CIFS services. Insecure file shares are among the most commonly exploited and potentially dangerous security vulnerabilities. KFSensor decodes NBT and SMB packets and logs them in a human readable format, and even enables worms to upload malicious code to a secure area for later analysis.
SOCKS
KFSensor supports the SOCKS 4/4A/5 protocols and can be configured with eight levels of emulation behaviour. SOCKS servers are frequently used to relay spam and to launch attacks on other servers. KFSensor contains advanced deception technology that allows spammers to believe their mail is getting through whilst secretly blocking mail from being relayed.
MS SQL Server
Supports both TCP and UDP SQL Server ports and can capture passwords used in intrusion attempts.
FTP
File Transfer Protocol emulation.
POP3
Post Office Protocol emulation.
Telnet
Telnet server emulation.
Terminal Server
Terminal Server is a Microsoft application that allows remote users to log on to a server.
VNC
VNC is a cross platform remote control application. The emulation allows hackers to attempt to log on, but rejects all passwords.
Relay
A Relay server is used to allow visitors to access a service running on another machine.
External
It is possible to write your own simulations in languages such as Perl or C. KFSensor is also compatible with scripts written for Honeyd.

Events

Sophisticated emulations of services are not in themselves enough to make a honeypot into a useful security tool. Detailed logging of all attacks is required and in this KFSensor excels.
Event details
All the network traffic that makes up a connection is concatenated into a single event, countering the problem of message fragmentation. As well as recording items such as the start and end time of an attack and the visitor's IP address and port, all the data transferred both to and from the honeypot is recorded.
Configurable display columns
The interactive event list can be configured from any combination of the thirty possible column types available.
View by port
KFSensor's Explorer-style interface includes a port tree structure that color codes ports depending on how recently they have been attacked. Selecting a port automatically filters the events to show only those targeted at that port.
View by visitor
The port view can be exchanged to a tree of visitors. This allows the events to be filtered to just show those events from a particular visitor.
Severity
Each event is assigned a severity. The severity allows more serious attacks to be identified by color coding, and different actions can be linked to different severities. For example, an email alert may only be sent for a high severity event.

Alerts

In order to inform you when an intrusion occurs KFSensor supports a number of different mechanisms to alert you. These can be configured to only activate when a specified severity is detected.
System tray alerts
KFSensor provides a visual alert by displaying an alarm icon in the system tray at the bottom right of the Windows desktop.
This flashes either yellow or red when an alert is detected.
Audio alerts
KFSensor can play a customizable alert sound when an event occurs.
EMail alerts
KFSensor can send alerts via email. There are two different formats of email alert message: short and long. The short format provides minimal information on an event and is suitable for sending to a portable device, while the long format provides much more detailed information and is suitable for a normal email client.
SysLog alerts
KFSensor can send alerts to a UNIX SysLog server.
Event log alerts
KFSensor can send alerts to the local machine's Event Log, enabling it to be detected by third party event monitoring software.
External application alerts
KFSensor provides the ability to invoke an external application to handle an alert event. This flexible feature can have many different uses, such as:
  1. Creating your own custom event log file
  2. Launching an immediate port scan on the IP address of a visitor to the honeypot
  3. Sending alerts to a third-party application
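To show how the severity model and the external application hook described above fit together, here is an added example handler (not KFSensor's own code). It assumes the administrator has configured KFSensor to call it with four arguments, severity, visitor IP, port and a description, and that severities are labelled low/medium/high; the real argument syntax and severity labels come from KFSensor's own alert configuration, not from this page.

```python
# Hypothetical handler for KFSensor's external application alert hook.
# Assumed invocation, set by the administrator in KFSensor (not from the page):
#   alert_handler.py <severity> <visitor_ip> <port> <description>
import sys
from datetime import datetime, timezone

# Assumed severity labels; the page only says each event carries a severity.
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3}

def parse_alert(argv):
    """Validate the hook's arguments before anything is written or run."""
    if len(argv) != 4:
        raise ValueError("expected: severity visitor_ip port description")
    severity, visitor, port, description = argv
    severity = severity.lower()
    if severity not in SEVERITY_RANK:
        raise ValueError("unknown severity: %r" % severity)
    port_num = int(port)
    if not 0 <= port_num <= 65535:
        raise ValueError("port out of range: %d" % port_num)
    return {"severity": severity, "visitor": visitor,
            "port": port_num, "description": description}

def should_escalate(record, threshold="high"):
    """The page's rule: act on an alert only at or above a chosen severity."""
    return SEVERITY_RANK[record["severity"]] >= SEVERITY_RANK[threshold]

def format_log_line(record):
    """One tab-separated line for a custom event log file."""
    stamp = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    # Visitor-supplied text must not be able to add fields or lines to the log.
    desc = record["description"].replace("\t", " ").replace("\n", " ")
    return "\t".join([stamp, record["severity"], record["visitor"],
                      str(record["port"]), desc])

def main(argv, log_path="kfsensor_custom.log"):
    record = parse_alert(argv)
    line = format_log_line(record)
    with open(log_path, "a", encoding="utf-8") as fh:
        fh.write(line + "\n")
    if should_escalate(record):
        # Stand-in for forwarding to a third-party tool such as a syslog client.
        sys.stderr.write("ESCALATE " + line + "\n")
    return 0

if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Every event is appended to the custom log, while only events at or above the threshold are forwarded, mirroring the severity-gated alert actions described on the page.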

Other Features

Denial Of Service (DOS) attack protection
KFSensor is equipped with several mechanisms to counter DOS attacks.
Scenario rules
It is possible for KFSensor to react differently depending on the IP address of a visitor. For example, rules can be defined which cause the server to ignore requests from certain sources or to increase the severity of an alert.
Database integration
KFSensor can optionally store events in an ODBC SQL based database. As well as improving the system's performance, this has the advantage that you can create your own custom reports using any database tool.
Export logs in multiple formats
Events can be exported to file in the following formats: XML, HTML, tab separated and CSV.
System service
KFSensor runs as a system service, allowing it to start before a user has logged on.
Secure configuration
KFSensor has been designed according to the least privilege principle. Unlike most other products, KFSensor does not need Admin or root privileges to function. By taking advantage of Windows' native security mechanisms, the host machine can be secured against any possible compromise of the KFSensor system.
High integrity version
KFSensor is available in a special high integrity version, which has the potentially most risky honeypot features compiled out. This makes it suitable for use in the most security sensitive areas of an organisation.
Extensive Documentation
Detailed help documentation is available for all aspects of the product, and there is a detailed guide on how to configure and get the best out of the product.

System Requirements

The efficient design of KFSensor allows it to run on even the most modest of machines, if not exposed to much traffic. However, its requirements will grow according to the amount of traffic it receives.
Minimum requirements
Suitable for use on an internal network.
  • Windows NT, Windows 2000, Windows XP, Windows 2003 Server
  • Processor 1 GHz
  • 30 MB hard disk space
  • 128 MB RAM
  • 1 LAN card
  • Western European language keyboard
Recommended requirements
Suitable for a system exposed to the Internet.
  • Windows NT, Windows 2000, Windows XP, Windows 2003 Server
  • Processor 1.5 GHz or greater
  • 500 MB hard disk space
  • 512 MB RAM
  • SQL Database, e.g. MS SQL Server, MySQL
  • 1 LAN card and/or direct internet connection
  • Western European language keyboard