KFSensor Enterprise Edition Administration

KFSensor Enterprise Edition enables multiple KFSensor installations across an organization to be managed effectively and efficiently from a single user administration interface.

Additional benefits
  • View events from every sensor in the administrator console
  • Reconfigure each sensor remotely
  • Collate log information in a central database in real time
  • Automatic updates of each sensor's signature rule base
  • Alerts can be sent from administration machine or sensor machine
  • All communication between installations is secured

In the Enterprise Edition there are two types of KFSensor installations:
  • KFSensor Enterprise Sensor
    This has all the functionality of KFSensor Professional, with the additional ability to be controlled by remote KFSensor Enterprise Administrators.
  • KFSensor Enterprise Administrator
    This has all the functionality of KFSensor Professional, with the additional ability to control multiple KFSensor Enterprise Sensors as well as its own local sensor. An Administrator installation also includes the ability to collate logs from, and distribute updates to, remote Sensor installations.

The set-up procedure is the same for both types. The installation type is determined by the registration key used to activate the installation.

Deployment Options

There are two ways of deploying KFSensor Enterprise:

Basic Mode

In Basic Mode the Administrator console queries the sensor whenever the user wants to see the events on a remote sensor. This mode is simpler to configure but does not enable the more advanced features.

Full Enterprise Mode

In the Full Enterprise Mode events from each sensor are inserted into a central database and copies of each sensor's event log files are additionally made on the Administration installation. This is done automatically by a background service on the Administration machine.

The Full Enterprise Mode provides these benefits:
  • Improved performance
    The Administration console has faster local access to each sensor's events.
  • Central store of events
    Making a central copy of all events from each Sensor means there is less need to make regular backups of the Sensor machines' disk drives. Storing all events in a central database allows the Reports module to analyze all the activity on the entire network. In addition to the standard reports, which cover activity across the entire network, there are a number of Enterprise Edition-only reports that compare sensors and identify attackers that target more than one sensor.
  • Easier signature rule base management
    Simply update the signatures on the Administration machine and have them deployed to each sensor automatically and securely.
  • Central alerts
    Each Sensor can be configured to send alerts, for example by email. In the Full Enterprise Mode there is the option of sending the alerts from the Administration machine instead of the Sensor machine. Handling the sending of alerts from all sensors in one location makes configuration easier. It also gets around common problems, such as a Sensor located in a DMZ not having access to the internal SMTP server to send an email alert.
  • Runs in the background
    These benefits are provided by a system service, so it works without the need for a user to be logged on.

Additional requirements

Configuring Full Enterprise Mode is straightforward, but the following points should be considered before implementation. It is easy to switch between Full and Basic Mode if you change your mind after deployment.
  • Database server required
    A SQL database is required. KFSensor works with many different database servers, but support is only guaranteed for MS SQL Server and MySQL. It is usual to run the database service on the same machine on which KFSensor Administrator is installed.
  • Reliable Administration machine
    In Full Enterprise Mode the Administration installation is constantly collating new events from each of the Sensor installations, so ideally the machine should always be running and secure from unauthorized access. Your personal workstation may therefore be unsuitable for this purpose if there are a large number of sensors or heavy traffic. It is always possible to have two Administration installations: one for the collation of events and the database, and another simply for the administration console.