Combine networking monitoring and firewall protection

As a long-time network consultant, I've seen my share of network monitoring software and my share of firewall software. But I must confess that I had never seen a product that combined the capabilities of both products until I ran into SessionWall by AbirNet. SessionWall is unique: You can't easily categorize it or compare it with other products in the market.

What does SessionWall do? In the simplest terms, SessionWall is a session-level TCP/IP firewall, a network activity monitor and reporter, and a guardian of business behavior. Let's start with the firewall aspect because the concept of a session-level firewall is relatively new.

SessionWall as a Firewall
Most firewalls operate at the packet level to permit or prohibit traffic on the basis of traffic type (Telnet, FTP, HTTP, etc.) and the IP addresses of the systems that want to initiate or receive the traffic. For example, using a traditional firewall, you can block all FTP traffic or block FTP traffic to or from particular IP addresses. A typical firewall can block this traffic because you position it between your internal network and your external network (as Figure 1 shows). Therefore, it can see and control all traffic coming into and out of your network.

SessionWall, however, sits anywhere within your internal network (as you see in Figure 2). This flexibility makes SessionWall incredibly easy to deploy: You install SessionWall on a PC in your Ethernet, Token-Ring, or Fiber Distributed Data Interface (FDDI) network, and you're finished. But you're probably wondering how SessionWall can block traffic if it's not positioned between your internal and external network. This capability is one of SessionWall's most interesting aspects because it stops traffic by sending TCP/IP disconnect messages to each end of a session when someone attempts a protected operation.

Say that you want to Telnet to IBM's AS/400 in Rochester via the Internet, but the administrator has configured SessionWall to deny Telnet traffic. Because SessionWall monitors all TCP/IP activity on your network, it sees you initiating a Telnet request. Immediately, SessionWall spoofs a message to you from the Rochester AS/400 that disconnects the session and also spoofs a message to Rochester from you that disconnects the session. You end up going nowhere. This session-level implementation is different from a traditional firewall, which would have simply denied the Telnet session from leaving the internal network in the first place.

You configure SessionWall like a traditional firewall, however. To block traffic, you must define blockers for each type of traffic (e.g., Telnet, FTP, HTTP). A blocker can block all traffic, regardless of the IP addresses involved, or block traffic for specific clients or hosts. So you can, for example, deny all FTP traffic, regardless of origin or destination. Or you can let Joe in accounting cruise the Web and deny everyone else Web access. Similarly, you can prevent everyone from visiting the www.newjobs.com site. SessionWall offers a fair amount of flexibility in configuring blockers; you can implement any reasonable set of rules.

SessionWall has one limitation as a firewall: Its placement inside the network limits what SessionWall can see on the network to the traffic flowing over the network segment where you have SessionWall installed. If you have a routed or switched Ethernet network, you must be careful where you install SessionWall. If you install it on a switched or routed client segment, it will be able to see and control the traffic for only that segment, and not the overall network. With a little careful planning, you can often avoid this problem: Simply install SessionWall on the same segment where your Internet router resides.

SessionWall as a Monitor
As I noted, I've had plenty of experience with network monitors. Most of them operate at a low level in the network and can, at best, decode which network protocol is in use (e.g., IP, IPX, or NetBEUI) and which network service is involved (e.g., Telnet for IP, NetWare Core Protocol--NCP--for IPX, or Server Messenger Block--SMB--for NetBEUI). In general, traditional network monitors don't try to make sense of the data: They simply display it in hexidecimal or display format, and you must interpret it.

SessionWall, however, takes the concept of monitoring to a higher level. In addition to detecting IP traffic and determining what service the system is using, SessionWall gathers all the separate network-level packets and reassembles them to give you the complete picture of what is going on. Using SessionWall, you can see the entire content of people's POP3 and SMTP email messages, you can see the content of Web pages they visited (not including graphics), and more.

Now stop and think about what I just said. That's right: Using SessionWall, you can actually read other people's email and see what Web pages they are visiting. Look at Screen 1: SessionWall shows the content of an email message that I mailed to myself while being monitored. The ability to monitor traffic this way is amazing, powerful, but very dangerous. The ability to reconstruct messages and Web pages is the key to how SessionWall can be a business guardian, but putting this capability in the hands of mere mortals like you and I is downright scary.

Let's think about this dark side. Using SessionWall, you can read email from your boss and co-workers and find out all the office dirt. You can access important business and personnel information generated by management. You can even find out who has a bondage fetish, who is addicted to soap operas, and who is looking for a new job via the Web. In short, you get to see all kinds of information that you don't morally, and often legally, have a right to access.

AbirNet obviously knows this dark side of the product, and the company has put warning capabilities into SessionWall to soothe the ruffled feathers monitoring can cause. When you run the product, it displays several warnings, including, "Please note that improper use of these capabilities on a public network may violate a state or federal law," and "By pressing 'Continue,' you are certifying that you are authorized by the owner of your network to use this product and that you will not use it for any unauthorized, improper, or illegal purposes." These warnings let you know from the get-go that you are skating on dangerous legal or moral ice.

In addition to the startup warning, SessionWall can automatically send all systems an email message warning users that you are monitoring them. This message struck me as an inherently sane thing to do: Monitoring people's activity with their knowledge is clearly more palatable than watching them without their knowledge. In many states, you are required to provide this notification, so please get some legal advice before you start wholesale monitoring.

Finally, you can configure SessionWall to disregard certain types of traffic. For example, you can tell SessionWall to watch your Web traffic but ignore your email traffic. This capability lets you establish policies that inform users that you can monitor certain types of traffic at any time but other types of traffic are off limits. Because the industry has a history of email-driven lawsuits, this capability is important.

Now, let's move out of this moral morass and look briefly at another aspect of SessionWall's monitoring capability: the ability to generate usage reports. Because SessionWall keeps track of detailed information, it can produce a variety of reports on network usage. You can see usage by server, by client, by protocol, and more; Screen 2 shows the report selection screen. Once you select a report, you can see the results on screen or in hard copy.

SessionWall's report information is invaluable to any network administrator. A network administrator can use this information to identify potential problem clients or bottlenecked servers. This capability to provide real and valuable data about network utilization certainly overshadows SessionWall's Big Brother specter. Furthermore, the content of the traffic doesn't appear in the report, so the reports are unlikely to upset people (although Web site names appear, so people visiting inappropriate Web sites must still beware.)

SessionWall as a Business Guardian
The final capability of SessionWall lets you establish and monitor acceptable conduct business practices in your network and monitor adherence to those practices. One obvious example is defining a policy that prohibits users from accessing adult-oriented sites. You can then configure SessionWall to monitor for that kind of traffic (based on Web page keywords) and alert you when a violation occurs. You might want to establish policies for email that prohibit use of words such as guarantee or preliminary in business correspondence. Again, SessionWall can monitor email traffic and alert you when a violation occurs.

As a business guardian, SessionWall doesn't prevent this type of traffic from occurring; it merely notifies you so that you can take appropriate action based on your local human resource policies. So you can't, for example, use this capability to block access to all X-rated sites; SessionWall will permit the access but will alert you that it is going on. Configuring SessionWall to be a guardian is similar to setting up SessionWall to be a firewall. In this case, though, you set up events to watch for. You can define events for all traffic or for traffic to or from certain stations.

For example, let's say that you work at a candy factory and you want to prevent your employees from visiting any Web sites about dentistry. First, you access SessionWall's Events menu. Then, in the WWW log row, you can configure the clients to watch for, the servers to watch for, the type of activity to monitor, the action to take, and when this policy is in effect. By default, events apply to all clients and all servers all day and night, so this configuration will accomplish your goal.

To implement your policy, left-click on the Type entry in the WWW row and choose Edit Item from the drop-down menu that appears. Then in the event description, choose the Body string match option, and enter some key words for SessionWall to watch for in Web page content. As Screen 3 shows, you could look for words such as dentist and dental. Whenever SessionWall sees a Web page go by with that content, it will move to the action phase.

You configure the action through the Events menu by left-clicking on the Action entry and choosing the Edit Item option. You can have SessionWall take a number of actions when this event occurs: It can send an alert message to your display, it can send you an email message, or it can fax you; or you can configure it to take a customized action. When you receive notification, you can look at your monitor logs, see who has violated your business policy, and take appropriate action in person.

SessionWall: Good or Evil?
When most people see SessionWall for the first time, they are amazed and alarmed at the information that it collects and displays. Seeing someone's email or Web visit through SessionWall is a very sobering experience. However, the reality is that network analysts and network administrators have had this capability for years. Network monitor software (e.g., Novell's LANalyzer, Cinco's NetXRay, and Microsoft's Systems Management Server--SMS) gives you access to the same information; it just doesn't put it together in such a nice, easy-to-read format. So in many ways, SessionWall is just taking a dirty little networking secret out of the closet for everyone to see.

I would hate to see SessionWall not considered or not implemented because people perceive it as a Big Brother product. Other network monitor products are just as intrusive. If you would consider implementing SMS but not SessionWall, I challenge you to rethink your logic.

More important, after you get over the emotional issues of seeing other people's traffic, you see the extremely useful capabilities that SessionWall offers. SessionWall is an easy-to-use firewall. It may not be as comprehensive as a traditional firewall, but running SessionWall is better than having no firewall at all. Even if you have a firewall, implementing SessionWall may make sense for the monitoring, reporting, and business guardian capabilities it offers. These capabilities are well worth the price of admission.

So my advice is simple. Rant and rave about the Big Brother aspects of SessionWall for a few minutes, and get those feelings out of your system. Then look at the warning and alerting features it supports to soften the blow of network monitoring (features, by the way, that you don't find in traditional network monitors). After that, look at the core capabilities the product offers. I think you'll find that SessionWall is more good than bad.

SessionWall-3
Contact: AbirNet * 817-251-7000 or 800-245-1688
Web: http://www.abirnet.com
Price: Starts at $995 (supports 125 concurrent sessions)
System Requirements: Windows 95, Windows NT 3.51, or Windows NT 4.0