How KFSensor Enterprise Works

KFSensor consists of two separate applications: a sensor server, which runs in the background, and the monitor, which provides the user interface. In the KFSensor Professional edition both the sensor and the monitor run on the same machine, ensuring that communication between the two is easy and secure.

In the Enterprise edition the sensor and monitor can be on different machines, and the communication between them passes over the network. In addition, the Enterprise edition includes a third application, the collator service. This communicates with each sensor to make a copy of the events on the Administration machine.

A KFSensor sensor installation acts as a server, accepting incoming connections and requests from the Administration monitor and the collator service. This may seem counter-intuitive, as the typical design would have the sensor act as a client contacting an administration server. However, there is a very good reason for the KFSensor design. KFSensor sensors are often placed in an organization's DMZ segment of the network. Firewall rules allow incoming connections to servers in the DMZ, but prevent outgoing connections, especially into the internal network, where the Administration installation is usually kept.

Security Risks

As with any network enabled application there are a number of security risks which must be addressed. These include the possibilities that:
  • An attacker may be able to view the events sent from the sensor to the monitor.
  • An attacker may gain administrative control of a remote sensor.
  • An attacker may be able to edit the event information to remove evidence of an attack or to insert bogus events.
  • An attacker may be able to identify or fingerprint the KFSensor traffic.

A secure solution

In order to counter these risks KFSensor Enterprise uses its own secure communication protocol.

Standard secure communications protocols, such as SSL, address some but not all of the requirements needed for KFSensor Enterprise.

The KFSensor secure protocol ensures the following security goals are met:
  • Secrecy
    All data transferred is encrypted with the AES algorithm using a random 256-bit key.
  • Authentication
    KFSensor uses 3072-bit RSA public/private keys to ensure that the sensor and the monitor are authenticated to each other.
  • Validation
    All encrypted data is signed using the SHA1 algorithm.
  • Fingerprinting
    Protocols such as SSL contain standard header information which can be easily decoded, even if the message they contain is secure. This makes it easy to fingerprint SSL traffic. Every message sent using the KFSensor protocol contains additional random data of a random length. The entire message is put through an additional randomization process to ensure that both the message headers and the message itself are unique.

By using the highest standard of encryption and validation algorithms available and the strictest protocol negotiations, KFSensor is designed to ensure maximum security.
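As an added illustration, and not KFSensor's own code (its wire format is not published here), the Go sketch below shows the building blocks the goals above describe: a random-length random pad in front of each event, AES-256-GCM encryption under a shared 256-bit key, and an RSA-3072 signature over the ciphertext that the receiver checks against a public key installed locally for the expected peer. It assumes the shared key has already been agreed out of band, and it uses SHA-256 with PSS for the signature rather than the SHA1 the page mentions; the sample event in the usage is constructed.

```go
package main

import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
)

// newGCM builds AES-256-GCM; the array type fixes the 32-byte key AES-256 needs.
func newGCM(key *[32]byte) cipher.AEAD {
	block, _ := aes.NewCipher(key[:]) // cannot fail: key length is always 32
	aead, _ := cipher.NewGCM(block)   // cannot fail for an AES block cipher
	return aead
}

// Seal prepends 1..255 random bytes (count random, stored in the first byte) so
// identical events never give identical ciphertext lengths, encrypts under the
// shared key, then signs the ciphertext with the sender's RSA-3072 private key.
func Seal(key *[32]byte, priv *rsa.PrivateKey, msg []byte) (ct, sig []byte, err error) {
	aead := newGCM(key)
	nonce := make([]byte, aead.NonceSize())
	rand.Read(nonce) // crypto/rand.Read does not fail (documented since Go 1.24)
	padded := make([]byte, 256)
	rand.Read(padded) // random filler; padded[0] also selects the pad length
	padded = padded[:1+int(padded[0])%255+1]
	padded[0] = byte(len(padded) - 1)
	ct = aead.Seal(nonce, nonce, append(padded, msg...), nil)
	digest := sha256.Sum256(ct)
	sig, err = rsa.SignPSS(rand.Reader, priv, crypto.SHA256, digest[:], nil)
	return ct, sig, err
}

// Open checks the signature with the public key installed locally for the
// expected peer before decrypting, so forged or edited events are rejected.
func Open(key *[32]byte, peer *rsa.PublicKey, ct, sig []byte) ([]byte, error) {
	aead, digest := newGCM(key), sha256.Sum256(ct)
	ns := aead.NonceSize()
	if len(ct) < ns || rsa.VerifyPSS(peer, crypto.SHA256, digest[:], sig, nil) != nil {
		return nil, errors.New("truncated or unauthenticated message")
	}
	pt, err := aead.Open(nil, ct[:ns], ct[ns:], nil)
	if err != nil || len(pt) == 0 || 1+int(pt[0]) > len(pt) {
		return nil, errors.New("decryption or padding check failed")
	}
	return pt[1+int(pt[0]):], nil
}
```

Because the signature is checked before decryption, an edited event, a truncated message, or one signed by an installation whose public key was never installed locally is rejected without touching the plaintext.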

Authentication management

KFSensor Enterprise relies on public/private key encryption for authentication.

Each KFSensor installation has its own unique public/private key pair. The public keys are shared between the installations, but each private key remains on its own installation. This ensures that if a KFSensor installation is compromised, the security of the other installations remains intact.

Why KFSensor does not use a certification authority

Applications such as secure web servers rely on the publication of public certificates that are signed by a trusted certification authority.

This enables users to verify a server's certificate with a trusted third party.

For KFSensor this infrastructure is undesirable for the following reasons:
  • KFSensor trusts no one, not even other KFSensor installations.
  • KFSensor should be independent of an organization's security infrastructure.
  • Unlike protocols such as SSL, KFSensor never passes a copy of a public key over the network. Each public key needs to be installed on each machine that wishes to use it.

Only the KFSensor administrator is responsible for creating, issuing and managing their own unique keys.

Fortunately we have made this process as easy as possible; it is explained in the next section, KFSensor Enterprise Configuration.
