Product and Features

  1. What is Session-Auditor?
  2. What is the advantage of Session-Auditor compared with other products?
  3. What is the advantage of network based audit against host based audit?
  4. How does Session-Auditor work?
  5. I have deployed intrusion detection systems and sniffers, do I still need Session-Auditor?
  6. How about the performance of Session-Auditor?
  7. Generally speaking, how long a period of network traffic can SA's built-in storage hold?
  8. How to guarantee the high performance of SA?
  9. Does SA support any database?
  10. Does SA support user defined report?
  11. Does SA support key word search?
  12. Does SA support privilege separation of administrator?
  13. Does SA support policy customization in order to record specific sessions only?
  14. Besides monitoring, does SA have any access control capabilities?
  15. Does SA support all functions of RDP protocol transparently?
  16. Does SA support all functions of SSH transparently?
  17. How to guarantee the completeness of audit records without any loss of packet?
  18. How to guarantee the integrity of recorded data?
  19. Does SA support online upgrade?
  20. How does the management client work, B/S or C/S?
  21. Why choose C/S, not B/S?

Deployment

  1. How to deploy Session-Auditor?
  2. Do I have to install agents on the hosts?
  3. Does SA work in SPAN model?
  4. Does Session-Auditor have BYPASS feature?
  5. Does Session Auditor Sensor support VLAN-TRUNK?

Q: What is Session-Auditor?

A: Session-Auditor (SA) is a security audit product by BMST that provides monitoring, recording, control, replay and search of network sessions. The protocols it supports include Windows Remote Desktop (RDP), SSH, TELNET, RLOGIN, Oracle, MS SQL, and other remote maintenance protocols.

Q: What is the advantage of Session-Auditor compared with other products?

A: SA supports transparent audit, both recording and replay, of encrypted protocols such as RDP and SSH. That is the unique value of SA.

Q: What is the advantage of network based audit against host based audit?

A: The recorded data are collected directly from the network, so there is little opportunity for them to be tampered with or modified deliberately, unlike host-based audit systems, which collect log files from hosts that might already be compromised. Additionally, SA requires no agents on the hosts, so its impact on the hosts is minimized. Another clear advantage of SA is its simple implementation and high flexibility.

Q: How does Session-Auditor work?

A: SA has a 3-tier architecture: SAC (console), SAD (data center) and SAS (sensor). One SAC can connect to and control multiple SADs, and one SAD can connect to multiple SASs. One SAS can monitor and record sessions from multiple servers. Recorded data are transferred from the SAS to the SAD, where they can be searched and analyzed according to commands from the SAC. The SAC is the command center of the whole audit system.

Q: I have deployed intrusion detection systems and sniffers, do I still need Session-Auditor?

A: Yes, you do. Intrusion detection systems (IDS) and sniffers only work for non-encrypted protocols, while SA supports recording, replay and control of both encrypted and non-encrypted protocols. Furthermore, unlike an IDS, SA does not record only intrusion activity; it records all activity, legitimate and illegitimate, completely. That is the right direction for internal control and audit systems.

Q: How about the performance of Session-Auditor?

A: SA comes in multiple models, supporting network bandwidths from 400 Mbps to Gigabit Ethernet.

Q: Generally speaking, how long a period of network traffic can SA's built-in storage hold?

A: Even the low-end models of the SA series have more than 1TB of storage capacity. For a subnet of about 100 servers, 1TB can accommodate up to 3 months of operation data. Additionally, SA supports data dumping, i.e. the stored data can be dumped to other storage media.

Q: How to guarantee the high performance of SA?

A: SA uses a 3-tier architecture. The bottom tier, i.e. the SAS, is dedicated hardware used only for collecting and forwarding data packets, so it has little impact on network performance. The SAS works at layer 2. The SAD is responsible for the computationally intensive protocol analysis, but it works off-line, so it does not affect network performance either.

Q: Does SA support any database?

A: At this moment, SA supports Oracle, Sybase and MS SQL Server.

Q: Does SA support user defined report?

A: SA supports flexible report customization, with a data interface for custom development in the field.

Q: Does SA support key word search?

A: Yes, SA supports regular expression and keyword search.

Q: Does SA support privilege separation of administrator?

A: Yes. Administrators can be granted backup, viewing and management privileges separately.

Q: Does SA support policy customization in order to record specific sessions only?

A: Yes. Administrators can define network objects and flexible audit policies based on them.
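To show what "network objects plus an audit policy" amounts to in practice, here is an added Python example; it is not SA's own configuration format or code, and the addresses, object names, rule names and port assignments are constructed. It models named IP groups and an ordered, first-match rule list that decides whether a new session should be recorded.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, FrozenSet, List, Optional, Tuple

# Well-known ports of the maintenance protocols the FAQ lists (assumed defaults).
PROTOCOL_PORTS = {"rdp": 3389, "ssh": 22, "telnet": 23, "rlogin": 513,
                  "oracle": 1521, "mssql": 1433}


@dataclass(frozen=True)
class NetworkObject:
    """A named group of IP networks, e.g. 'db_servers'."""
    name: str
    cidrs: Tuple[str, ...]

    def contains(self, addr: str) -> bool:
        a = ip_address(addr)
        return any(a in ip_network(c) for c in self.cidrs)


@dataclass(frozen=True)
class AuditRule:
    """One first-match rule: which sessions between two network objects to record."""
    name: str
    src: str                    # NetworkObject name or "any"
    dst: str                    # NetworkObject name or "any"
    protocols: FrozenSet[str]   # keys of PROTOCOL_PORTS; empty = any destination port
    action: str                 # "record" or "ignore"


class AuditPolicy:
    """Ordered rule list evaluated for each new session; the first match wins."""

    def __init__(self, objects: List[NetworkObject], rules: List[AuditRule],
                 default: str = "ignore"):
        self.objects: Dict[str, NetworkObject] = {o.name: o for o in objects}
        self.rules = rules
        self.default = default

    def _matches(self, obj_name: str, addr: str) -> bool:
        if obj_name == "any":
            return True
        return self.objects[obj_name].contains(addr)

    def decide(self, src_ip: str, dst_ip: str, dst_port: int) -> Tuple[str, Optional[str]]:
        """Return (action, rule_name); rule_name is None when the default applies."""
        for rule in self.rules:
            if not self._matches(rule.src, src_ip) or not self._matches(rule.dst, dst_ip):
                continue
            if rule.protocols and dst_port not in {PROTOCOL_PORTS[p] for p in rule.protocols}:
                continue
            return rule.action, rule.name
        return self.default, None


# Constructed sample policy (hypothetical addresses, not taken from the product).
SAMPLE_POLICY = AuditPolicy(
    objects=[
        NetworkObject("db_servers", ("10.0.20.0/24",)),
        NetworkObject("admin_workstations", ("10.0.1.0/24",)),
    ],
    rules=[
        # Database sessions from the admin subnet are recorded.
        AuditRule("admin-to-db", "admin_workstations", "db_servers",
                  frozenset({"oracle", "mssql"}), "record"),
        # Remote maintenance of the DB servers from anywhere is recorded.
        AuditRule("remote-maint-to-db", "any", "db_servers",
                  frozenset({"ssh", "rdp"}), "record"),
    ],
    default="ignore",
)


if __name__ == "__main__":
    for flow in [("10.0.1.7", "10.0.20.4", 1521), ("192.168.5.5", "10.0.20.4", 3389),
                 ("192.168.5.5", "10.0.20.4", 80)]:
        print(flow, "->", SAMPLE_POLICY.decide(*flow))
```

Because evaluation is first-match, rule order is part of the policy: a broad "ignore" placed before a narrow "record" silently disables the recording, so a review of such a policy should read the rules top to bottom exactly as `decide` does.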

Q: Besides monitoring, does SA have any access control capabilities?

A: Yes. SA has a built-in firewall with access control capabilities, so administrators can manage and control sessions according to security policy without additional firewalls. This saves money and reduces network delay and latency.

Q: Does SA support all functions of RDP protocol transparently?

A: Yes. SA supports Remote Desktop Protocol for all OS versions (Windows 2000/XP/2003/R2) and all functions (including audio, file system, clipboard, redirection of local hard disks, etc.).

Q: Does SA support all functions of SSH transparently?

A: Yes. SA supports all versions of the SSH protocol (SSH1/SSH2) and all SSH functions (including sftp, scp, port forwarding and X11 forwarding). SA also supports SSH data transmission in compression mode.

Q: How to guarantee the completeness of audit records without any loss of packet?

A: Completeness of the recorded data is guaranteed in SA from the following two aspects:

  a. The SAS works in-line as a transparent proxy, so it is impossible for any packet to bypass the SAS or be dropped. With sniffer-like products, the loss of a single packet might cause the audit of the whole session to fail.
  b. The SAS is designed only to collect and forward packets. The complicated protocol analysis and audit are left to the SAD, which works off-line and does not impact network performance at all.
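To make concrete why a single lost packet is fatal to sniffer-based audit (the first point above), here is an added Python example; it is not part of this FAQ or of SA. It reconstructs one direction of a TCP stream from captured (sequence number, payload length) pairs and reports every byte range that was never seen. A passive sniffer is not a TCP endpoint, so a hole it observes can never be filled by asking for a retransmission; the initial sequence number and both captures below are constructed.

```python
from typing import Iterable, List, Tuple

Segment = Tuple[int, int]   # (TCP sequence number, payload length) as captured


def find_gaps(isn: int, segments: Iterable[Segment]) -> List[Tuple[int, int]]:
    """Return the byte ranges [start, end) of one stream direction that were never
    captured, given the initial sequence number and the captured segments.
    Out-of-order and retransmitted (duplicate) segments are tolerated.
    Assumption for brevity: the 32-bit sequence number does not wrap around."""
    intervals = sorted((seq, seq + length) for seq, length in segments if length > 0)
    gaps = []
    covered_up_to = isn
    for start, end in intervals:
        if start > covered_up_to:          # a hole before this segment
            gaps.append((covered_up_to, start))
        covered_up_to = max(covered_up_to, end)
    return gaps


def audit_status(isn: int, segments: Iterable[Segment]) -> Tuple[str, int]:
    """Classify the capture as "complete" or "incomplete" and count the missing bytes.
    An incomplete capture of an encrypted or stateful session usually cannot be
    decoded past the first hole, which is why a sniffer-side audit fails entirely."""
    gaps = find_gaps(isn, segments)
    missing = sum(end - start for start, end in gaps)
    return ("complete" if not gaps else "incomplete"), missing


# Constructed captures; sequence numbers start at the constructed ISN of 1000.
ISN = 1000
# A sniffer on a mirror port missed the segment carrying bytes 1200..1300.
SNIFFER_CAPTURE = [(1000, 100), (1100, 100), (1300, 100), (1400, 50)]
# An in-line sensor forwards every packet: the stream arrives out of order and one
# segment is retransmitted, but every byte of 1000..1450 is covered.
INLINE_CAPTURE = [(1000, 100), (1200, 100), (1100, 100), (1100, 100), (1300, 150)]


if __name__ == "__main__":
    print("sniffer:", audit_status(ISN, SNIFFER_CAPTURE), find_gaps(ISN, SNIFFER_CAPTURE))
    print("in-line:", audit_status(ISN, INLINE_CAPTURE), find_gaps(ISN, INLINE_CAPTURE))
```

Running the block labels the sniffer capture incomplete with 100 bytes missing in the range 1200..1300 and the in-line capture complete. The same check is useful as a sanity test on any exported session recording before it is relied on as evidence: a recording with gaps should be flagged rather than silently replayed.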

Q: How to guarantee the integrity of recorded data?

A: SAD uses RAID to store recorded data.

Q: Does SA support online upgrade?

A: Yes.

Q: How does the management client work, B/S or C/S?

A: The management console is C/S, i.e. a special-purpose GUI client. Browsers are not supported.

Q: Why choose C/S, not B/S?

A: The advantage of B/S is the convenience it gives users: connection from anywhere with an ordinary browser. However, SA serves a very specific purpose and administrators usually connect in a fixed way. Moreover, most of the recorded audit data is confidential. So SA uses dedicated GUI clients.

Q: How to deploy Session-Auditor?

A: The simplest scenario is that the SAS is connected in-line between the servers and the terminals, while the management ports of the SAS, SAD and SAC are configured into a single VLAN. In most cases, the topology of the target network need not be changed at all.

Q: Do I have to install agents on the hosts?

A: SA is a network-based audit product and does not require installing agents on the hosts. This helps lower implementation and operating costs.

Q: Does SA work in SPAN mode?

A: No, SA supports in-line bridge mode only.

Q: Does Session-Auditor have BYPASS feature?

A: Yes. SA supports BYPASS at the hardware level, i.e. whenever the SAS fails or suffers any other kind of outage, its two network interfaces are connected directly to guarantee business continuity.

Q: Does SA Sensor (SAS) support VLAN-TRUNK?

A: Yes.
