Deploying KFSensor

There are many different ways of deploying and configuring KFSensor. How this is done depends on the security goals and the type of network that you wish to protect.

KFSensor should not be used in isolation as the only form of security, but should be deployed alongside other security mechanisms to provide security in depth as part of a well defined security policy. This section explains some of the factors in determining how and where to set up KFSensor.

Security goals

  • Detecting attacks
    The primary purpose of KFSensor is to detect and report attacks made on the machine on which it is installed.
  • Mitigating or blunting an attack
    By emulating vulnerable services KFSensor can divert the attention, confuse and waste the time of a potential hacker. Sometimes a hacker can be scared off, if they become aware they have been communicating with an IDS, such as KFSensor.
  • Incidence Response
    The event logs produced by KFSensor provide a rich audit trail, describing the who, when and how of an attack.
  • Research
    By exposing KFSensor directly to the Internet, that is without firewall protection, a large number of attacks will inevitably be generated and detected. This can provide you with valuable research material on the types and frequency of attacks experienced by production services.

Placement of KFSensor

A typical corporate network that is connected to the Internet is comprised of a number of different zones, protected and separated by firewalls. Each zone offers a different level of access to and protection from the Internet and other zones in the network.
  • Direct Internet connection

    A machine with a direct connection to the Internet is exposed to every malevolent hacker and worm on the Internet. As such it will have a large number of random and planned attacks directed at it. As such attacks are to be expected the value of deploying KFSensor is mainly limited to research purposes, as there is little if any other form of security to prevent attacks.

    This is the case for a stand alone home PC.

  • Demilitarized zone (DMZ)

    A DMZ is often set up to isolate an organization's public Internet servers such as web or mail servers. This zone is protected from the Internet via a firewall, but is kept separate from the internal network. The idea behind this is that the public Internet servers are at most risk of attack and should a system be compromised then the systems in the DMZ are isolated from the internal network and therefore any exploits are contained within the DMZ.

    Deploying KFSensor on a stand alone machine belonging to the DMZ is an excellent way of detecting problems outside the firewall and attacks launched from compromised servers within the DMZ.

    For example, a web server application vulnerable to a Unicode attack can be compromised by a carefully constructed HTTP request, which the firewall will not prevent. Once the web server is compromised a hacker could install a root kit, or trojan and use it as a base to launch unhindered attacks on other machines in the DMZ. KFSensor will quickly detect such attacks.

  • Internal network

    The internal network comprises the work stations and internal servers of the corporate environment. These machines are likely to be the least protected and contain the most sensitive corporate data. A firewall is typically deployed to provide the maximum isolation of the internal network from the Internet.

    There are many ways in which the internal network can be compromised, such as by a mis-configured firewall rule, or a virus attached to an email.

    One of the most common and dangerous ways in which a corporate's internal network can be compromised is by a malevolent employee. Such inside jobs are one of the hardest threats to protect against and to detect with other forms of security.

    KFSensor is especially effective when deployed on the internal network. All attacks detected are likely to be serious and the event logging makes it easy to determine the source of an attack within the internal network.

    KFSensor does not need to be deployed on a stand alone machine within the internal network, any Windows workstation can be used. KFSensor uses very little memory and CPU resources and therefore will not impact on a work station user's other tasks.
    This enables you to deploy an extensive intrusion detection system at no additional hardware cost.

  • Detection zone
    A separate zone can be set-up for the sole purpose of detecting attacks. This zone can be set up by configuration of firewall rules and Network Address Translation (NATS) to provide a zone with no legitimate use, but with a high likelihood of exposure to intruders searching for vulnerable systems.

Network Firewall configuration

A network firewall will typically be configured to block external access to all but a few named services on the local network it is protecting.

Such a firewall will need to be configured to allow external access to the machine KFSensor is running on. A balance needs to be made between allowing full access to the KFSensor machine which may result in too many events being detected and too restrictive a configuration which will reduce the effectiveness of KFSensor.

One approach is to begin by configuring the firewall to allow external access to all ports on the KFSensor machine and then adding rules to turn off specific ports that generate excessive traffic.

Default firewall configurations often block ICMP traffic which is used to ping a remote machine. Hackers often try to ping machines on a network as a prelude to further investigation. Therefore consider allowing ICMP traffic through to the KFSensor machine.

Consideration also needs to be given on whether a network firewall should allow the KFSensor machine to make external connections, or whether it should only be allowed to respond to connections from other machines.

In certain circumstances KFSensor may attempt to make connections to other machines. It does this in order to improve the level of deception. For example when simulating an open proxy to a remote SMTP server, KFSensor may connect to the real remote SMTP server in order to grab its banner in order to convince an attacker that they have gained remote access. These external connections may be enabled or disabled and are described later in this manual.

Blocking external connections by the KFSensor machine will therefore reduce the quality of deception in certain circumstances, but may be desirable in the interests of ensuring a higher level of security.

Server lock-down

One of the most important parts of securing your network is to lock-down or harden servers and work stations.
This involves shutting down any services that are not needed. For example there is rarely any need for a work station to run a web server or an SMTP server, but these are often installed and left running.

KFSensor can be configured to monitor ports used by well known services and will report an error if these services are left running.

Personal firewalls are designed to block traffic to the machine on which they are running.
It is not necessary to use a personal firewall on a KFSensor machine that has been properly locked down.

For more information on the local machine configuration see the KFSensor Administration Guide later in this manual.

Next: Types of attacks

KFSensor On-Line Manual Contents