SSi Service Strategies Inc.

Traffic Analysis


Network Traffic Analysis Review

Sessionwall Goes for Network Traffic Content

REVIEW

CA Security's SessionWall-3 Version 4.0: powerful network traffic analysis that handles session-specific monitoring and blocking operations (review reprinted from Network Week)

By David Cartwright

Content management is gaining greater recognition as something one ought to do with one's network. Traditional firewalls handle the basic access side of things, but such devices are not capable of filtering on a session-by-session basis. CA's Sessionwall is intended to complement the traditional firewall by handling network traffic analysis and session-specific monitoring and blocking operations.

The package has been around for some time now, and the good news is that the new release looks just like its predecessors. There are three panes to the main screen: at the bottom is a list of all the devices the system has spotted on the network, with a summary of the traffic seen going to and from each device. Above this, on the left of the screen, is the session list, which can be summarized by traffic type (HTTP, FTP, Telnet, etc.) or by client/server machine. On the right is a pane whose contents vary depending on which item is selected in the left-hand pane.

The system is basically a powerful network traffic analyzer with the ability to block any or all traffic streams. Everything is context-sensitive, which means that rather than just watching the packets fly past, the system can intelligently figure out what is going on. Much of the functionality is pretty simple (for example, in a Telnet session, the system works out that the text the user typed after a 'login:' prompt is their username, and indexes the session by that username), but it makes for excellent readability: you can order the data so that the parts you want are easy to see, without being swamped by the parts you want to keep but are not interested in just now.

For each session, the package breaks down the individual client/server interactions in the right-hand pane. So, for an FTP session, you get a series of blocks labeled 'Client->Server', 'Server->Client', and so on, from which you can deduce the entire progression of the session. For Web sessions the right-hand pane contains a graphic-less thumbnail of the page accessed - if desired, you can click a button and have the page retrieved from the server, so you can see what naughty pictures were downloaded.

Although the Sessionwall server runs as a passive firewall (i.e. packets don't actually have to pass through it to get into or out of the LAN), it can block connections by issuing the correct tear-down instructions to the IP data streams. After all, a TCP RST is just as effective as a traditional firewall refusing to pass a packet.

Anyone who has used FireWall-1 will find the action definition screen (used to define how streams are handled) hauntingly familiar. For each type of session (there are loads of built-in ones, and you can define your own), you tell the system what to do - which could be anything from completely ignoring the session to blocking it entirely.
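To make the session-oriented view described above concrete, here is a small added example (written for this page, not CA's or SessionWall's code) that groups packets into client/server sessions, labels each segment 'Client->Server' or 'Server->Client', indexes a Telnet session by the text typed after the 'login:' prompt, and applies a per-service action table in the spirit of the action definition screen. The packet records, port-to-service mapping and action table are all constructed assumptions.

```python
"""Toy session summarizer modelled on the review's description of SessionWall.
Example code for this page; the packets and tables below are constructed."""
from collections import defaultdict

# Constructed packet records: (src_ip, src_port, dst_ip, dst_port, payload)
PACKETS = [
    ("10.0.0.5", 40001, "10.0.0.9", 23, b""),
    ("10.0.0.9", 23, "10.0.0.5", 40001, b"login: "),
    ("10.0.0.5", 40001, "10.0.0.9", 23, b"alice\r\n"),
    ("10.0.0.9", 23, "10.0.0.5", 40001, b"Password: "),
    ("10.0.0.5", 40001, "10.0.0.9", 23, b"hunter2\r\n"),
    ("10.0.0.5", 40002, "192.0.2.10", 80, b"GET /index.html HTTP/1.0\r\n\r\n"),
    ("192.0.2.10", 80, "10.0.0.5", 40002, b"HTTP/1.0 200 OK\r\n\r\n<html>..."),
    ("10.0.0.5", 40003, "192.0.2.20", 21, b"USER anonymous\r\n"),
]

# Assumed service classification by well-known server port
SERVICE_BY_PORT = {21: "FTP", 23: "Telnet", 80: "HTTP"}

# Assumed per-service action table: anything from ignoring to blocking a session
ACTIONS = {"HTTP": "log", "FTP": "log", "Telnet": "block", "other": "ignore"}


def session_key(src, sport, dst, dport):
    """Canonical (client_ip, client_port, server_ip, server_port) key.
    The side with the lower (well-known) port is treated as the server."""
    if dport < sport:
        return (src, sport, dst, dport)
    return (dst, dport, src, sport)


def build_sessions(packets):
    """Group packets by session and label each one with its direction."""
    sessions = defaultdict(list)
    for src, sport, dst, dport, payload in packets:
        key = session_key(src, sport, dst, dport)
        direction = "Client->Server" if (src, sport) == key[:2] else "Server->Client"
        sessions[key].append((direction, payload))
    return sessions


def telnet_username(blocks):
    """Return the first non-empty client text sent after a server 'login:' prompt."""
    prompt_seen = False
    for direction, payload in blocks:
        if direction == "Server->Client" and b"login:" in payload.lower():
            prompt_seen = True
        elif prompt_seen and direction == "Client->Server" and payload.strip():
            return payload.decode("ascii", "replace").strip()
    return None


def summarize(packets):
    """One summary record per session: endpoints, service, indexed user,
    the ordered list of direction blocks, and the action the table assigns."""
    summary = []
    for (cip, cport, sip, sport), blocks in build_sessions(packets).items():
        service = SERVICE_BY_PORT.get(sport, "other")
        summary.append({
            "client": cip,
            "server": sip,
            "service": service,
            "user": telnet_username(blocks) if service == "Telnet" else None,
            "blocks": [direction for direction, _ in blocks],
            "action": ACTIONS.get(service, ACTIONS["other"]),
        })
    return summary


if __name__ == "__main__":
    for record in summarize(PACKETS):
        print(record)
```

The direction blocks correspond to the 'Client->Server' / 'Server->Client' breakdown shown in the right-hand pane; the action column is what a rule set like the one on the action definition screen would decide for each session type.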

Also built into the system is a URL directory, which can be used in conjunction with the rather sneaky 'pointless surfing' session category to prevent people from wasting too much of the company's time playing with the Web.

Sessionwall has established itself as an excellent content monitor for network traffic analysis, and release 4.0 brings some new features (identification of NT and RAS usernames, and the ability to program Cisco routers' security-related parameters) to the party without impacting the usability that has traditionally made it attractive. As well as being a useful content firewall in its own right, it is also a handy verification tool you can sit alongside a traditional firewall. For example, if Sessionwall spots a session that shouldn't have got through the firewall, perhaps because a new method of attack has been discovered, you can take action to fix the firewall before any of your peers even suspect there's a problem with that make of device.

The package is easy to install. We ran it on a Dell PowerEdge 1300 server with twin 350MHz Pentium II CPUs and 128MB RAM (it wasn't at all happy on the 64MB P133 that we'd previously run its predecessors on) and installation was simply a case of running the installer, then typing in a serial number. If you choose to run Sessionwall as an NT service, there is no need to install NDIS network card drivers manually.

We threw a variety of traffic at the device and it happily figured out what was going on, both with permissible sessions (Web, FTP, etc) and with rogue traffic (pings of death and SYN flood attacks, for instance).
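The two kinds of rogue traffic named above are the sort of thing a passive monitor can recognise from packet headers alone. The following is an added example written for this page (not SessionWall's detection logic) showing one simple detector for each: a sliding-window count of bare SYNs per destination for SYN floods, and a check for ICMP fragment trains whose reassembled size would exceed the IP maximum for pings of death. The packet records, field names, window and threshold are all assumptions.

```python
"""Two header-level detectors for the rogue traffic the review mentions.
Example code for this page; packet records and thresholds are constructed."""
from collections import defaultdict

SYN, ACK = 0x02, 0x10          # TCP flag bits
MAX_IP_DATAGRAM = 65535        # largest legal reassembled IP datagram


def detect_syn_flood(packets, window=1.0, threshold=50):
    """Return destinations that receive more than `threshold` bare SYNs
    (SYN set, ACK clear) within any `window`-second span."""
    syns = defaultdict(list)   # dst -> list of timestamps
    for p in packets:
        if p["proto"] == "tcp" and p["flags"] & SYN and not p["flags"] & ACK:
            syns[p["dst"]].append(p["ts"])
    alerts = []
    for dst, times in syns.items():
        times.sort()
        lo = 0
        for hi in range(len(times)):
            while times[hi] - times[lo] > window:
                lo += 1            # slide the window forward
            if hi - lo + 1 > threshold:
                alerts.append(dst)
                break
    return alerts


def detect_ping_of_death(packets, max_len=MAX_IP_DATAGRAM):
    """Return (src, dst, ip_id) fragment trains whose highest fragment end
    (offset in bytes + fragment length) exceeds the maximum datagram size."""
    extent = defaultdict(int)  # (src, dst, ip_id) -> highest byte offset seen
    alerts = []
    for p in packets:
        if p["proto"] != "icmp":
            continue
        key = (p["src"], p["dst"], p["ip_id"])
        extent[key] = max(extent[key], p["frag_offset"] + p["length"])
        if extent[key] > max_len and key not in alerts:
            alerts.append(key)
    return alerts


def constructed_sample():
    """Constructed traffic: one SYN flood, one normal handshake, one oversize
    ICMP fragment train and one ordinary 64-byte ping."""
    pkts = []
    for i in range(60):                       # 60 bare SYNs inside 0.3 s
        pkts.append({"ts": i * 0.005, "src": f"203.0.113.{i % 250 + 1}",
                     "dst": "10.0.0.9", "proto": "tcp", "flags": SYN})
    pkts.append({"ts": 5.00, "src": "10.0.0.5", "dst": "10.0.0.8",
                 "proto": "tcp", "flags": SYN})
    pkts.append({"ts": 5.01, "src": "10.0.0.8", "dst": "10.0.0.5",
                 "proto": "tcp", "flags": SYN | ACK})
    for off in range(0, 65536, 1480):         # fragments reassembling past 64 KiB
        pkts.append({"ts": 6.0, "src": "203.0.113.7", "dst": "10.0.0.9",
                     "proto": "icmp", "ip_id": 4242, "frag_offset": off,
                     "length": 1480})
    pkts.append({"ts": 7.0, "src": "10.0.0.5", "dst": "10.0.0.9", "proto": "icmp",
                 "ip_id": 7, "frag_offset": 0, "length": 64})
    return pkts


if __name__ == "__main__":
    sample = constructed_sample()
    print("SYN flood targets:", detect_syn_flood(sample))
    print("Oversize ICMP trains:", detect_ping_of_death(sample))
```

Both detectors work purely from headers, which is what lets a device that sits beside the wire rather than inline still spot this traffic; the threshold and window values would need tuning for a real network's baseline.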

SessionWall-3

Pros:

- Summarizes sessions comprehensively but readably
- Can tear down unwanted connections, despite not being an intrusive network device

Cons:

- Package is getting more resource-hungry with each revision

Sessionwall has been renamed eTrust Intrusion Detection and is now considered part of the eTrust suite of eBusiness security products. To learn more about eTrust Audit and its components and features, please visit our web site dedicated to eTrust.


Service Strategies Inc.

2392 Mount Vernon Rd

Dunwoody, GA 30338-3092

678-441-0020   800-662-1615

assist@ssimail.com
Copyright © 1998-2002 Service Strategies Inc. All rights reserved.
Revised: November 20, 2003.