Session Wall-3

Combine networking monitoring andfirewall protection

As a long-time network consultant, I've seen my share of network monitoring software and my share of firewall software. But I must confess that I had never seen a product that combined the capabilities of both products until I ran into SessionWall by AbirNet. SessionWall is unique: You can't easily categorize it or compare it with other products in the market.

What does SessionWall do? In the simplest terms, SessionWall is asession-level TCP/IP firewall, a network activity monitor and reporter, and aguardian of business behavior. Let's start with the firewall aspect because theconcept of a session-level firewall is relatively new.

SessionWall as a Firewall
Most firewalls operate at the packet level to permit or prohibit traffic onthe basis of traffic type (Telnet, FTP, HTTP, etc.) and the IP addresses of thesystems that want to initiate or receive the traffic. For example, using atraditional firewall, you can block all FTP traffic or block FTP traffic to orfrom particular IP addresses. A typical firewall can block this traffic becauseyou position it between your internal network and your external network (asFigure 1 shows). Therefore, it can see and control all traffic coming into andout of your network.

SessionWall, however, sits anywhere within your internal network (as yousee in Figure 2). This flexibility makes SessionWall incredibly easy to deploy:You install SessionWall on a PC in your Ethernet, Token-Ring, or FiberDistributed Data Interface (FDDI) network, and you're finished. But you'reprobably wondering how SessionWall can block traffic if it's not positionedbetween your internal and external network. This capability is one ofSessionWall's most interesting aspects because it stops traffic by sendingTCP/IP disconnect messages to each end of a session when someone attempts aprotected operation.

Say that you want to Telnet to IBM's AS/400 in Rochester via the Internet,but the administrator has configured SessionWall to deny Telnet traffic. BecauseSessionWall monitors all TCP/IP activity on your network, it sees you initiatinga Telnet request. Immediately, SessionWall spoofs a message to you from theRochester AS/400 that disconnects the session and also spoofs a message toRochester from you that disconnects the session. You end up goingnowhere. This session-level implementation is different from a traditionalfirewall, which would have simply denied the Telnet session from leaving theinternal network in the first place.

You configure SessionWall like a traditional firewall, however. To blocktraffic, you must define blockers for each type of traffic (e.g., Telnet, FTP,HTTP). A blocker can block all traffic, regardless of the IP addresses involved,or block traffic for specific clients or hosts. So you can, for example, denyall FTP traffic, regardless of origin or destination. Or you can let Joe inaccounting cruise the Web and deny everyone else Web access. Similarly, you canprevent everyone from visiting the www.newjobs.com site. SessionWall offers afair amount of flexibility in configuring blockers; you can implement anyreasonable set of rules.

SessionWall has one limitation as a firewall: Its placement inside thenetwork limits what SessionWall can see on the network to the traffic flowingover the network segment where you have SessionWall installed. If you have arouted or switched Ethernet network, you must be careful where you installSessionWall. If you install it on a switched or routed client segment, it willbe able to see and control the traffic for only that segment, and not theoverall network. With a little careful planning, you can often avoid thisproblem: Simply install SessionWall on the same segment where your Internetrouter resides.

SessionWall as a Monitor
As I noted, I've had plenty of experience with network monitors. Most ofthem operate at a low level in the network and can, at best, decode whichnetwork protocol is in use (e.g., IP, IPX, or NetBEUI) and which network serviceis involved (e.g., Telnet for IP, NetWare Core Protocol--NCP--for IPX, or ServerMessenger Block--SMB--for NetBEUI). In general, traditional network monitorsdon't try to make sense of the data: They simply display it in hexidecimal ordisplay format, and you must interpret it.

SessionWall, however, takes the concept of monitoring to a higher level. Inaddition to detecting IP traffic and determining what service the system isusing, SessionWall gathers all the separate network-level packets andreassembles them to give you the complete picture of what is going on. UsingSessionWall, you can see the entire content of people's POP3 and SMTP emailmessages, you can see the content of Web pages they visited (not includinggraphics), and more.

Now stop and think about what I just said. That's right: Using SessionWall,you can actually read other people's email and see what Web pages they arevisiting. Look at Screen 1: SessionWall shows the content of an email messagethat I mailed to myself while being monitored. The ability to monitor trafficthis way is amazing, powerful, but very dangerous. The ability to reconstructmessages and Web pages is the key to how SessionWall can be a business guardian,but putting this capability in the hands of mere mortals like you and I isdownright scary.

Let's think about this dark side. Using SessionWall, you can read emailfrom your boss and co-workers and find out all the office dirt. You can accessimportant business and personnel information generated by management. You caneven find out who has a bondage fetish, who is addicted to soap operas, and whois looking for a new job via the Web. In short, you get to see all kinds ofinformation that you don't morally, and often legally, have a right to access.

AbirNet obviously knows this dark side of the product, and the company hasput warning capabilities into SessionWall to soothe the ruffled feathersmonitoring can cause. When you run the product, it displays several warnings,including, "Please note that improper use of these capabilities on a publicnetwork may violate a state or federal law," and "By pressing'Continue,' you are certifying that you are authorized by the owner of yournetwork to use this product and that you will not use it for any unauthorized,improper, or illegal purposes." These warnings let you know from the get-gothat you are skating on dangerous legal or moral ice.

In addition to the startup warning, SessionWall can automatically send allsystems an email message warning users that you are monitoring them. Thismessage struck me as an inherently sane thing to do: Monitoring people'sactivity with their knowledge is clearly more palatable than watching themwithout their knowledge. In many states, you are required to providethis notification, so please get some legal advice before you start wholesalemonitoring.

Finally, you can configure SessionWall to disregard certain types oftraffic. For example, you can tell SessionWall to watch your Web traffic butignore your email traffic. This capability lets you establish policies thatinform users that you can monitor certain types of traffic at any time but othertypes of traffic are off limits. Because the industry has a history ofemail-driven lawsuits, this capability is important.

Now, let's move out of this moral morass and look briefly at another aspectof SessionWall's monitoring capability: the ability to generate usage reports.Because SessionWall keeps track of detailed information, it can produce avariety of reports on network usage. You can see usage by server, by client, byprotocol, and more; Screen 2 shows the report selection screen. Once you selecta report, you can see the results on screen or in hard copy.

SessionWall's report information is invaluable to any networkadministrator. A network administrator can use this information to identifypotential problem clients or bottlenecked servers. This capability to providereal and valuable data about network utilization certainly overshadowsSessionWall's Big Brother specter. Furthermore, the content of the trafficdoesn't appear in the report, so the reports are unlikely to upset people(although Web site names appear, so people visiting inappropriate Web sites muststill beware.)

SessionWall as a Business Guardian
The final capability of SessionWall lets you establish and monitor acceptableconduct business practices in your network and monitor adherence to thosepractices. One obvious example is defining a policy that prohibits users fromaccessing adult-oriented sites. You can then configure SessionWall to monitorfor that kind of traffic (based on Web page keywords) and alert you when aviolation occurs. You might want to establish policies for email that prohibituse of words such as guarantee or preliminary in businesscorrespondence. Again, SessionWall can monitor email traffic and alert you whena violation occurs.

As a business guardian, SessionWall doesn't prevent this type of trafficfrom occurring; it merely notifies you so that you can take appropriate actionbased on your local human resource policies. So you can't, for example, use thiscapability to block access to all X-rated sites; SessionWall will permit theaccess but will alert you that it is going on. Configuring SessionWall to be aguardian is similar to setting up SessionWall to be a firewall. In this case,though, you set up events to watch for. You can define events for alltraffic or for traffic to or from certain stations.

For example, let's say that you work at a candy factory and you want toprevent your employees from visiting any Web sites about dentistry. First, youaccess SessionWall's Events menu. Then, in the WWW log row, you can configurethe clients to watch for, the servers to watch for, the type of activity tomonitor, the action to take, and when this policy is in effect. By default,events apply to all clients and all servers all day and night, so thisconfiguration will accomplish your goal.

To implement your policy, left-click on the Type entry in the WWW row andchoose Edit Item from the drop-down menu that appears. Then in the eventdescription, choose the Body string match option, and enter some key words forSessionWall to watch for in Web page content. As Screen 3 shows, you could lookfor words such as dentist and dental. Whenever SessionWall seesa Web page go by with that content, it will move to the action phase.

You configure the action through the Events menu by left-clicking on theAction entry and choosing the Edit Item option. You can have SessionWall take anumber of actions when this event occurs: It can send an alert message to yourdisplay, it can send you an email message, or it can fax you; or you canconfigure it to take a customized action. When you receive notification, you canlook at your monitor logs, see who has violated your business policy, and takeappropriate action in person.

SessionWall: Good or Evil?
When most people see SessionWall for the first time, they are amazed andalarmed at the information that it collects and displays. Seeing someone's emailor Web visit through SessionWall is a very sobering experience. However, thereality is that network analysts and network administrators have had thiscapability for years. Network monitor software (e.g., Novell's LANalyzer,Cinco's NetXRay, and Microsoft's Systems Management Server--SMS) gives youaccess to the same information; it just doesn't put it together in such a nice,easy-to-read format. So in many ways, SessionWall is just taking a dirty littlenetworking secret out of the closet for everyone to see.

I would hate to see SessionWall not considered or not implemented becausepeople perceive it as a Big Brother product. Other network monitor products arejust as intrusive. If you would consider implementing SMS but not SessionWall, Ichallenge you to rethink your logic.

More important, after you get over the emotional issues of seeing otherpeople's traffic, you see the extremely useful capabilities that SessionWalloffers. SessionWall is an easy-to-use firewall. It may not be as comprehensiveas a traditional firewall, but running SessionWall is better than having nofirewall at all. Even if you have a firewall, implementing SessionWall may makesense for the monitoring, reporting, and business guardian capabilities itoffers. These capabilities are well worth the price of admission.

So my advice is simple. Rant and rave about the Big Brother aspects ofSessionWall for a few minutes, and get those feelings out of your system. Thenlook at the warning and alerting features it supports to soften the blow ofnetwork monitoring (features, by the way, that you don't find in traditionalnetwork monitors). After that, look at the core capabilities the product offers.I think you'll find that SessionWall is more good than bad.