October 01, 1997 12:00 AM

SessionWall-3

Windows IT Pro
InstantDoc ID #229
Combines network monitoring and firewall protection

As a long-time network consultant, I've seen my share of network monitoring software and my share of firewall software. But I must confess that I had never seen a product that combined the capabilities of both until I ran into SessionWall by AbirNet. SessionWall is unique: You can't easily categorize it or compare it with other products on the market.

What does SessionWall do? In the simplest terms, SessionWall is a session-level TCP/IP firewall, a network activity monitor and reporter, and a guardian of business behavior. Let's start with the firewall aspect because the concept of a session-level firewall is relatively new.

SessionWall as a Firewall
Most firewalls operate at the packet level: They permit or deny traffic on the basis of the service (Telnet, FTP, HTTP, and so on) and the IP addresses of the systems that initiate or receive it. For example, with a traditional firewall you can block all FTP traffic or block FTP traffic to or from particular IP addresses. A traditional firewall can enforce such rules because you place it in line between your internal network and the external network (as Figure 1 shows), so every packet entering or leaving your network must pass through it.

SessionWall, however, sits anywhere on your internal network where it can see the traffic of interest (as you see in Figure 2). This flexibility makes SessionWall incredibly easy to deploy: You install SessionWall on a PC in your Ethernet, Token-Ring, or Fiber Distributed Data Interface (FDDI) network, and you're finished. But you're probably wondering how SessionWall can block traffic if it's not positioned between your internal and external network. This capability is one of SessionWall's most interesting aspects: Instead of dropping packets, it tears a session down by sending a forged TCP reset (RST) to each end of the session as soon as it sees someone attempt a prohibited operation.

Say that you want to Telnet to IBM's AS/400 in Rochester via the Internet, but the administrator has configured SessionWall to deny Telnet traffic. Because SessionWall monitors all TCP/IP activity on your network, it sees you initiating a Telnet request. Immediately, SessionWall spoofs a reset to you that appears to come from the Rochester AS/400, which disconnects the session on your end, and spoofs a reset to Rochester that appears to come from you, which disconnects the session on the AS/400's end. You end up going nowhere. This session-level implementation is different from a traditional firewall, which would simply have dropped the Telnet connection request before it left the internal network. Because SessionWall reacts to traffic it has observed rather than standing in its path, the first packets of the session have already left your network; the block works only if SessionWall's resets reach both hosts (with sequence numbers the hosts will accept) before the session makes progress, which is why SessionWall must see every packet of the session (see the placement limitation below).

You configure SessionWall much as you would a traditional firewall, however. To block traffic, you define blockers for each type of traffic (e.g., Telnet, FTP, HTTP). A blocker can block all traffic of that type, regardless of the IP addresses involved, or block traffic for specific clients or hosts. So you can, for example, deny all FTP traffic, regardless of origin or destination. Or you can let Joe in accounting cruise the Web and deny everyone else Web access. Similarly, you can prevent everyone from visiting the www.newjobs.com site. SessionWall offers a fair amount of flexibility in configuring blockers; you can implement any reasonable set of rules.
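To make the two preceding ideas concrete (a list of blockers evaluated against an observed session, and the pair of spoofed disconnects that enforce a deny), here is an added example in Python. It is not code from the article or from AbirNet's product; it is a minimal model of the mechanism. The rule list, the addresses (documentation ranges standing in for the client PCs, the AS/400 and www.newjobs.com, which the model matches by IP rather than by name) and the observed Telnet connection request are all constructed. The reset segments it builds are real 20-byte TCP headers with a valid checksum and sequence numbers chosen to fall inside each end's receive window, which is what an injected RST needs in order to be accepted.

```python
"""Session-level blocking as the article describes it: match an observed
segment against blocker rules and, on a deny, forge a TCP RST for each end."""
import socket
import struct
from dataclasses import dataclass
from typing import Optional

TCP_FIN, TCP_SYN, TCP_RST, TCP_ACK = 0x01, 0x02, 0x04, 0x10
SERVICE_PORTS = {"telnet": 23, "ftp": 21, "http": 80}  # well-known ports


@dataclass(frozen=True)
class Segment:
    """Fields of an observed client->server segment that the blocker needs."""
    src: str           # client IP
    dst: str           # server IP
    sport: int
    dport: int
    seq: int
    ack: int
    flags: int
    payload_len: int = 0


@dataclass(frozen=True)
class Blocker:
    """One rule: a service plus optional client/host restriction (None = any)."""
    service: str
    action: str = "deny"
    client: Optional[str] = None
    host: Optional[str] = None


def matches(rule, seg):
    return (SERVICE_PORTS[rule.service] == seg.dport
            and rule.client in (None, seg.src)
            and rule.host in (None, seg.dst))


def decide(blockers, seg):
    """First matching blocker wins; traffic no blocker mentions is allowed."""
    for rule in blockers:
        if matches(rule, seg):
            return rule.action
    return "allow"


def tcp_checksum(src, dst, tcp):
    """Standard TCP checksum over the IPv4 pseudo-header plus the segment."""
    pseudo = socket.inet_aton(src) + socket.inet_aton(dst) + struct.pack("!BBH", 0, 6, len(tcp))
    data = pseudo + tcp
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def checksum_ok(src, dst, tcp):
    """Recomputing over a header that already carries its checksum yields 0."""
    return tcp_checksum(src, dst, tcp) == 0


def build_rst(src, dst, sport, dport, seq, ack):
    """A RST|ACK header with no options and the checksum filled in."""
    hdr = struct.pack("!HHIIBBHHH", sport, dport, seq & 0xFFFFFFFF, ack & 0xFFFFFFFF,
                      5 << 4, TCP_RST | TCP_ACK, 0, 0, 0)
    return hdr[:16] + struct.pack("!H", tcp_checksum(src, dst, hdr)) + hdr[18:]


def parse_tcp(hdr):
    sport, dport, seq, ack, _, flags, _, csum, _ = struct.unpack("!HHIIBBHHH", hdr[:20])
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack, "flags": flags, "csum": csum}


def forged_resets(seg):
    """Return (rst_to_client, rst_to_server), each in-window for the observed segment.

    The server expects the client's next byte at seq + payload (+1 per SYN/FIN),
    so a RST "from the client" uses that value. The client expects the server's
    next byte at the ACK it just sent, or anything acknowledging its SYN while
    it is still in SYN-SENT (ack field meaningless, so use seq 0 there)."""
    consumed = seg.payload_len + bool(seg.flags & TCP_SYN) + bool(seg.flags & TCP_FIN)
    client_next = seg.seq + consumed
    server_next = seg.ack if seg.flags & TCP_ACK else 0
    rst_to_client = build_rst(seg.dst, seg.src, seg.dport, seg.sport, server_next, client_next)
    rst_to_server = build_rst(seg.src, seg.dst, seg.sport, seg.dport, client_next, seg.ack)
    return rst_to_client, rst_to_server


def handle(blockers, seg):
    """What the monitor does with one observed segment: resets on deny, else nothing."""
    return forged_resets(seg) if decide(blockers, seg) == "deny" else None


# Constructed policy and addresses (documentation ranges), mirroring the article's examples.
JOE = "10.0.0.7"
NEWJOBS = "203.0.113.9"        # stands in for www.newjobs.com; name lookup is assumed done
RULES = [
    Blocker("ftp"),                              # deny all FTP, any client, any host
    Blocker("http", host=NEWJOBS),               # nobody visits www.newjobs.com
    Blocker("http", action="allow", client=JOE), # Joe in accounting may browse
    Blocker("http"),                             # everyone else may not
    Blocker("telnet"),                           # the AS/400 scenario
]
# Constructed observation: a PC sends a SYN to port 23 on the (hypothetical) AS/400.
TELNET_SYN = Segment("10.0.0.5", "192.0.2.10", 34567, 23, seq=1000, ack=0, flags=TCP_SYN)

if __name__ == "__main__":
    resets = handle(RULES, TELNET_SYN)
    for label, rst in zip(("to client", "to server"), resets):
        print(label, parse_tcp(rst))
```

The model evaluates blockers in order with first match winning, which is how "allow Joe, deny everyone else" has to be expressed; putting the www.newjobs.com deny ahead of Joe's allow keeps him off that site too. Injecting these headers onto the wire (raw sockets, driver support) is outside the example.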

SessionWall has one limitation as a firewall: Because it sits inside the network rather than in line, it can see and control only the traffic that flows over the segment on which you install it. If you have a routed or switched Ethernet network, you must be careful where you install SessionWall. If you install it on a switched or routed client segment, it will see and control the traffic for only that segment, not the overall network. With a little careful planning, you can usually avoid this problem: Simply install SessionWall on the same segment where your Internet router resides, so that every session to or from the Internet crosses the segment SessionWall watches (on a switch, that means a port that receives a copy of the router port's traffic, if the switch can provide one).

SessionWall as a Monitor
As I noted, I've had plenty of experience with network monitors. Most of them operate at a low level in the network and can, at best, decode which network protocol is in use (e.g., IP, IPX, or NetBEUI) and which network service is involved (e.g., Telnet for IP, NetWare Core Protocol--NCP--for IPX, or Server Message Block--SMB--for NetBEUI). In general, traditional network monitors don't try to make sense of the data: They simply display it in hexadecimal or ASCII, and you must interpret it.

SessionWall, however, takes the concept of monitoring to a higher level. In addition to detecting IP traffic and determining which service is in use, SessionWall gathers the separate network-level packets of a session and reassembles them into the application-level conversation, giving you the complete picture of what is going on. Using SessionWall, you can see the entire content of people's POP3 and SMTP email messages, you can see the content of Web pages they visited (not including graphics), and more.
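The reassembly step is what separates this kind of monitor from a packet decoder, so here is an added example (not code from the article or from SessionWall) of the two pieces involved: putting one direction of a TCP session back together from segments that arrived out of order, retransmitted and overlapping, and then pulling the message out of the SMTP client stream that results. The capture is constructed inline: a client sending one message to itself, much like the author's test in Screen 1, with the segment boundaries and arrival order chosen to exercise the reassembly logic. Only the client-to-server direction is modeled; a real tool tracks both directions and the three-way handshake as well.

```python
"""Reassembling one direction of a TCP session from out-of-order segments and
extracting the SMTP message it carries, as SessionWall-style content monitoring does."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    seq: int        # sequence number of the first payload byte
    payload: bytes


def reassemble(isn, segments):
    """Return the contiguous byte stream that starts at isn + 1 (the first data
    byte after the SYN). Out-of-order arrival is handled by sorting, pure
    retransmissions are skipped, overlaps are trimmed, and the stream stops at
    the first hole because nothing after a gap can be trusted yet."""
    next_seq = isn + 1
    out = bytearray()
    for seg in sorted(segments, key=lambda s: s.seq):
        if seg.seq + len(seg.payload) <= next_seq:
            continue                          # already have every byte of this one
        if seg.seq > next_seq:
            break                             # hole: a segment is still missing
        out += seg.payload[next_seq - seg.seq:]   # drop the overlapping prefix
        next_seq = seg.seq + len(seg.payload)
    return bytes(out)


def extract_smtp_message(client_stream):
    """Walk the client's SMTP commands; return (envelope, headers, body) of the
    message sent after DATA. The message ends at a line holding a single dot,
    and a leading dot on any message line is transmission stuffing to remove."""
    lines = client_stream.split(b"\r\n")
    envelope = {"from": None, "to": []}
    message = None
    i = 0
    while i < len(lines):
        cmd = lines[i]
        if cmd.upper().startswith(b"MAIL FROM:"):
            envelope["from"] = cmd[10:].strip()
        elif cmd.upper().startswith(b"RCPT TO:"):
            envelope["to"].append(cmd[8:].strip())
        elif cmd.upper() == b"DATA":
            j, msg = i + 1, []
            while j < len(lines) and lines[j] != b".":
                line = lines[j]
                msg.append(line[1:] if line.startswith(b".") else line)
                j += 1
            message = b"\r\n".join(msg)
            i = j                             # continue after the terminating dot
        i += 1
    if message is None:
        return envelope, {}, b""
    head, _, body = message.partition(b"\r\n\r\n")
    headers = {}
    for h in head.split(b"\r\n"):
        name, _, value = h.partition(b":")
        headers[name.strip().decode()] = value.strip().decode()
    return envelope, headers, body


# Constructed client->server stream for one self-addressed message.
ISN = 5000
CLIENT_STREAM = (
    b"EHLO pc.example.com\r\n"
    b"MAIL FROM:<john@example.com>\r\n"
    b"RCPT TO:<john@example.com>\r\n"
    b"DATA\r\n"
    b"From: john@example.com\r\n"
    b"To: john@example.com\r\n"
    b"Subject: SessionWall test\r\n"
    b"\r\n"
    b"Can you read this?\r\n"
    b"..and a line that starts with a dot\r\n"
    b".\r\n"
    b"QUIT\r\n"
)


def constructed_capture():
    """Segments as a monitor might see them: one arrives early, one is
    retransmitted, and a fifth segment overlaps two of the others."""
    cuts = [0, 40, 90, 150, len(CLIENT_STREAM)]
    segs = [Segment(ISN + 1 + a, CLIENT_STREAM[a:b]) for a, b in zip(cuts, cuts[1:])]
    return [segs[0], segs[2], segs[1], segs[1], segs[3], Segment(ISN + 1 + 80, CLIENT_STREAM[80:100])]


if __name__ == "__main__":
    stream = reassemble(ISN, constructed_capture())
    envelope, headers, body = extract_smtp_message(stream)
    print(envelope, headers, body.decode(), sep="\n")
```

Note that the stream is rebuilt from sequence numbers, not arrival order, and that a missing segment truncates the output rather than splicing unrelated bytes together; a monitor that ignores either point will show you messages that were never sent.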

Now stop and think about what I just said. That's right: Using SessionWall, you can actually read other people's email and see what Web pages they are visiting. Look at Screen 1: SessionWall shows the content of an email message that I mailed to myself while being monitored. The ability to monitor traffic this way is amazing and powerful, but very dangerous. The ability to reconstruct messages and Web pages is the key to how SessionWall can be a business guardian, but putting this capability in the hands of mere mortals like you and me is downright scary.

Let's think about this dark side. Using SessionWall, you can read email from your boss and co-workers and find out all the office dirt. You can access important business and personnel information generated by management. You can even find out who has a bondage fetish, who is addicted to soap operas, and who is looking for a new job via the Web. In short, you get to see all kinds of information that you don't morally, and often legally, have a right to access.

AbirNet obviously knows this dark side of the product, and the company has put warning capabilities into SessionWall to soothe the ruffled feathers monitoring can cause. When you run the product, it displays several warnings, including, "Please note that improper use of these capabilities on a public network may violate a state or federal law," and "By pressing 'Continue,' you are certifying that you are authorized by the owner of your network to use this product and that you will not use it for any unauthorized, improper, or illegal purposes." These warnings let you know from the get-go that you are skating on dangerous legal or moral ice.

Comments
  • murad naser
    Mar 03, 2004

    Can we have more than one interface on the SessionWall server to monitor and spoof more than one network segment, and can we use SPAN on Cisco switches to monitor more than one segment and send TCP reset messages?

  • Sseseven
    May 08, 2001

    I cannot accept the argument that network technicians need the ability to view these communications as a reason for using SessionWall. By the same reasoning, telephone technicians would be granted full license to listen to and reveal voice communications. In fact, this ability now takes a court order. Where employees know that email is routinely inspected, the productivity expected from the use of this technology does not appear. Instead, employees use paper or meetings to continue to exchange sensitive but not secret materials.

  • This article is very good
    May 03, 2001

    I have read "SessionWall-3"; I want the email address of the author to contact him for more information about the products.
    Thank you very much.

  • Gerry M. Allen
    Aug 10, 1999

    I read with interest John Enck’s October 1997 review of SessionWall-3. The conclusions about perusing email and other communications trouble me. I cannot accept the argument that network technicians need the ability to view these communications as a reason for using SessionWall. By the same reasoning, telephone technicians would be granted full license to listen to and reveal voice communications. In fact, this ability now takes a court order.
    Where employees know that email is routinely inspected, the productivity expected from the use of this technology does not appear. Instead, employees use paper or meetings to continue to exchange sensitive but not secret materials. A general feeling of mistrust between employer and employee is furthered, and employees see the IS staff as an enabler of spying.
    Products that treat employers as divine and employees as sinful encourage further division between them. Competent management detects inappropriate behavior by managing, not by abdicating that task to software. My company chooses not to inspect the content of employees’ email or spy on their Internet activities. Instead, we focus our limited resources on being better than the competition—quite successfully, I might add.

    --Gerry M. Allen
