Expanding Internet security into content monitoring
Sessionwall is more than just a cheap, powerful firewalling tool to monitor network data
flow, making it an excellent firewall backup. Its verification function is also invaluable.
Dave Cartwright
Traditional firewalls watch data packets as they flow into and out of
the network, admitting them or turning them away, as appropriate. While many firewalls
have more advanced filtering, there is still a gap in the armory - content monitoring.
One example is email. Imagine a message enters the network
from the Internet, and that an attachment to the message contains a virus. The message is
allowed through because the firewall has been told to allow incoming mail connections to
the mail server. Another example is Web site filtering - a firewall can be instructed to either permit
Web services or deny them, perhaps with a time-of-day factor to allow lunchtime surfing.
One step beyond
Sessionwall takes firewalling one step further by
monitoring the actual content of the data streams entering and leaving the network, and
acting on rules which the network manager can configure. The data streams are split into
sessions, so a user connecting to an FTP site, downloading
half a dozen files, then disconnecting, would count as a single session. Each session is
analyzed for validity and for unwanted items such as incoming viruses, or
perhaps company-confidential material being sent out to the Internet.
The filtering rules are defined via a graphical screen which
allows you to say who can do what, and when. The system can be told to ignore
run-of-the-mill packets, to log certain activities and to block sessions, if necessary. It
will also work with a URL list
to identify 'unprofitable' surfing, which means you do not have to block all Web access
just to prevent unnecessary Internet usage.
A major Sessionwall advantage is the way its screens are
laid out. Because all incoming data is split into sessions, it can be summarized by
server, client or type. The top left-hand panel of the GUI shows these sessions; when you
click on a session, its detail is shown in the right-hand pane. So for a Telnet session, for example, a
sequence of client-to-server and server-to-client communications is given in the
right-hand pane, enabling you to reconstruct the entire blow-by-blow sequence of events of
that session.
For an HTTP (Web) session, the right-hand pane shows a text-only
thumbnail of the page that was downloaded; you can click a button to have the full page
downloaded, if you want to monitor the content. One nice touch is that the system is
bright enough to deduce user names from sessions. It knows, for example, that the
client-to-server transmission after a log-in prompt in a Telnet session is the username
for that session, and this is the key it uses to index the session in the list. This aids
readability and helps you find the items you are interested in among the rest of the
sessions being monitored.
It also means you can set rules which block a particular
user's access, no matter which workstation he or she is using - something you cannot do
with a traditional firewall. One of the new features with this release of Sessionwall is
the ability to track Windows NT and Remote Access Server IDs; the other major development
is the ability to send configuration commands to Cisco routers, so that the latter can
help in the firewalling process.
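
The username deduction and per-user rule described above can be sketched as follows. This is an added example, not Sessionwall's own code: the session layout, the prompt pattern, the sample traffic and every function name are assumptions made for illustration.

```python
import re

# Telnet IAC (0xFF) sequences per RFC 854: subnegotiation, option commands,
# an escaped literal 0xFF, and other two-byte commands.
TELNET_CMD = re.compile(rb"\xff(?:\xfa.*?\xff\xf0|[\xfb-\xfe].|\xff|[^\xfa-\xff])", re.DOTALL)
LOGIN_PROMPT = re.compile(rb"(login|username):\s*$", re.IGNORECASE)  # assumed prompt text

def strip_telnet_negotiation(data: bytes) -> bytes:
    """Drop option negotiation so only the visible text remains."""
    return TELNET_CMD.sub(lambda m: b"\xff" if m.group() == b"\xff\xff" else b"", data)

def deduce_username(messages):
    """Return the first line the client sends after a login prompt, or None."""
    server_text, typed, prompted = b"", b"", False
    for direction, payload in messages:
        text = strip_telnet_negotiation(payload)
        if direction == "S" and not prompted:
            server_text += text
            prompted = bool(LOGIN_PROMPT.search(server_text))
        elif direction == "C" and prompted:   # server echoes are ignored
            typed += text
            if re.search(rb"[\r\n]", typed):
                name = re.split(rb"[\r\n]", typed)[0].decode("ascii", "replace")
                return name.strip() or None
    return None

def index_by_user(sessions):
    """Group client addresses under the user name deduced for each session."""
    index = {}
    for s in sessions:
        user = deduce_username(s["messages"]) or "(unknown)"
        index.setdefault(user, []).append(s["client"])
    return index

def blocked_clients(sessions, blocked_users):
    """Apply a per-user rule: list every workstation a blocked user logged in from."""
    index = index_by_user(sessions)
    return [c for user in sorted(blocked_users) for c in index.get(user, [])]

# Constructed sample sessions: "S" = server-to-client, "C" = client-to-server.
SESSIONS = [
    {"client": "10.0.0.5", "messages": [
        ("S", b"\xff\xfd\x18\xff\xfb\x01"), ("C", b"\xff\xfb\x18"),
        ("S", b"\r\nlogin: "), ("C", b"jsmith\r\n"), ("S", b"Password: ")]},
    {"client": "10.0.0.77", "messages": [     # character mode with server echo
        ("S", b"login: "), ("C", b"js"), ("S", b"js"), ("C", b"mith\r\x00")]},
    {"client": "10.0.0.9", "messages": [("S", b"Username: "), ("C", b"alice\r\n")]},
]
```

Calling `blocked_clients(SESSIONS, {"jsmith"})` returns both workstations the same user logged in from, which is the case an address-based packet filter cannot express.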
Sessionwall has a number of uses. Although it is marketed as
a firewalling tool, and it works fine in this role, it is also invaluable as a firewall
verification tool. The problem with network security, especially relating to Internet
connectivity, is that new methods of attack are devised all the time, and network managers
do not find out about them in a timely manner. By having a Sessionwall server inside the
firewall, you can monitor any unwanted traffic streams, enabling you to catch illicit
traffic that has somehow made it through the packet firewall and alerting you to the fact
that there is a new problem to deal with. It's also a useful test of your firewall
programming - Sessionwall can be used to double-check that you haven't unwittingly allowed
a traffic type through that should have been blocked.
Release 4.0 of Sessionwall maintains the usefulness of its
predecessors while adding a few new features. It is inexpensive yet powerful, and provides
useful information and blocking facilities for all sizes of network.