KFSensor consists of two separate applications; a sensor server which runs in the background and the monitor which provides the user interface. In KFSensor professional edition both the sensor and the monitor run on the same machine ensuring that communication between the two is easy and secure.
In the Enterprise edition the sensor and monitors can be on different machines and the communication between them passes over the network. In addition Enterprise edition includes a third application, the collator service. This communicates with each sensor to make copy of the events on the Administration machine.
A KFSensor Sensor installation acts as a server, accepting incoming connections and requests for from the Administration monitor and the collator service. This may seem counter intuitive as the typical design would have the sensor act as the client contacting an administration server. However, there is a very good reason for KFSensor design. KFSensor are often placed in an organizations DMZ segment of the network. Firewall rules allow incoming connections to servers in the DMZ, but prevent out going connects, especially into the internal network, when the Administration installation is usually kept.
In order to counter these risks KFSensor Enterprise uses its own secure communication protocol.
Standard secure communications protocols, such as SSL, address some but not all of the requirements needed for KFSensor Enterprise.The KFSensor secure protocol ensures the following security goals are met:
By using the highest standard of encryption and validation algorithms available and using the strictest protocol negotiations KFSensor is designed to ensure maximum security.
KFSensor Enterprise relies on public/private key encryption to ensure its authentication.
Each KFSensor installation has its own unique public/private key pair. The public keys are shared between the installations,
but the private key remains on its own installation.
This ensures that if a KFSensor installation is compromised then the security of the other installations remains intact.
Applications such as secure web servers rely on the publication of public certificates that are signed by a trusted certification authority.
This enables users to verify a server's certificate with a trusted third party.For KFSensor this infrastructure is undesirable for the following reasons:
Only the KFSensor administrator is responsible for creating, issuing and managing their own unique keys.
Fortunately we have made this process as easy as possible and this is explained in the next section KFSensor Enterprise Configuration.