KFSensor

 

KFSensor Enterprise Configuration

Basic Mode

There are three stages to setting up a KFSensor Enterprise network in Basic Mode.
  1. Installation
    The basic installation and configuration is the same as for the Professional Edition.
    Each installation will perform the role of either Sensor or Administrator. This is determined by the registration key.
    N.B. Sensor registration ids always start with a dollar '$' character.
  2. Create unique id and security keys
    Each KFSensor installation needs to be given a unique Sensor ID, which is used to identify by other installations.
    A unique public/private key is needed for each installation.
  3. Exchange key pairs
    In order for an Administrator to communicate with a Sensor both installations need to be configured to enable this.
    This is done by exchanging the public keys.

Full Enterprise Mode

To enable Full Enterprise Mode it is only necessary to configure the KFSensor Administrator installation.
There is a special dialog box in the Administrator console to make the configuration easy.

On the KFSensor Administrator installation select the Settings -> Full Enterprise Mode... menu.

  • Step 1 - Database Logging
    A requirement for Full Enterprise Mode is that database logging is enabled. This is explained in the Database Log section of the manual.
  • Step 2 - Collator Service
    The Collator is an application which runs without a user interface as a Windows system service.
    It provides the core functionality of the full enterprise mode. There is a button to enable an easy installation.
  • Step 3 - Enable Full Enterprise Mode
    The final stage is a matter of selecting which full enterprise features are required.
    It is best to accept the defaults initially as it is no problem to change these options later.
    For a full description see the Full Enterprise Mode dialog box manual page.

Step by step instructions

The following sections provide a details guide to the way to configure parts of a KFSensor Enterprise installation.
KFSensor Enterprise Sensor Local Key Configuration
  1. Install KFSensor as normal.
  2. After the Set Up Wizard has completed the Local Sensor Configuration dialog will be displayed.
  3. A message box will be displayed which will warn you that you need to change the default Sensor ID and change the local key. It is vital that this is done as the standard local key that is installed is common to all KFSensor installations.
  4. Change the Sensor ID to a unique string that will be used to identify the installation.
  5. Press the Create button to generate a new public/private key pair that will be unique for this installation. KFSensor uses multiple sources of random data to ensure the generated key is unique. This will take a number of seconds as the key generation algorithm is very processor intensive.
  6. Check the Enable remote admin check box to ensure that this KFSensor Enterprise Sensor will accept remote connections.
  7. If you want a remote KFSensor Enterprise Administrator to be able to reconfigure the local sensor then check the Allow remote configuration check box. If this in not checked the sensor will only allow a remote KFSensor Enterprise Administrator to view its events.
  8. If the machine contains multiple network addresses then you may wish to bind the sensor to only one of these addresses. In this case enter the IP address into the Address field.
  9. The port field contains the port number which the sensor will listen on for remote administration connections. The default KFSensor port is 9747. For additional security you should select your own port number.
  10. Press OK.
  11. KFSensor will then shut down and you will need to restart it from the start menu.
KFSensor Enterprise Administrator Local Key Configuration

Configuring a Administrator installation is almost exactly the same as that of the Sensor.
The only difference is that there is no need to select the Allow remote configuration check box.

Exchanging Keys

To enable a KFSensor Enterprise Administrator and Sensor to communicate it is necessary for each of them to have the other party's public key.

To do this you first need to export the public key from each installation.

  1. Select the Settings -> Local Sensor Configuration menu.
  2. Press the Export button
  3. Enter a password twice which is at least eight characters long.
  4. The password is used to encrypt the keys stored in the file to keep them secure.
  5. Enter the full path and file name of key file that will be created.
  6. Use the browse button to make selecting this file path easier.
  7. Press OK and then Cancel the Local Sensor Configuration dialog.

Once you have done this you will have to transfer the key files between the two KFSensor installations.
The key files only contain the public key and are encrypted with a 256 AES key. However it is worth ensuring that the transfer of these files is done in a secure manner and copies of these files are destroyed.

Installing the Administrator's public key on the Sensor
  1. In the KFSensor Enterprise Sensor installation select the Settings -> Remote Admin of Local Sensor menu item.
  2. This dialog lists all the Administrators that can connect to this sensor.
  3. Press the 'Add' button.
  4. Next press the 'Import' button of the 'Add Remote Admin' dialog.
  5. Select the file containing the Administrators public key and enter the correct password.
  6. After pressing 'OK' the public key will be checked and if valid the Administrator will appear in the list of Remote Admins.
  7. Press 'OK' to confirm your changes.
  8. You will then have to restart the local sensor for the changes to take effect.
Installing the Sensor's public key on the Administrator
  1. In the KFSensor Enterprise Administrator installation select the Settings -> Admin of Remote Sensors menu item.
  2. This dialog lists all the Sensors that this Administrator may connect to.
  3. Press the 'Add' button.
  4. Next press the 'Import' button of the 'Add Remote Sensor' dialog.
  5. Select the file containing the Administrators public key and enter the correct password.
  6. Enter the IP address and port number that this Sensor is using.
  7. If the key is accepted the remote sensor will appear in the list.
  8. After pressing the 'OK' button on the 'Admin of Remote Sensors' dialog the newly installed Sensor will appear in the ports view of the main monitor window.
Connecting to the remote Sensor from the Administrator
  1. Initially a remote sensor will appear as a grey icon in the tree.
    This is because the Administrator has not yet attempted to connect to the remote sensor.
  2. Select the Sensor in the tree and either press the connect button on the tool bar, or select the File -> Sensor Connection -> Connect menu item.
  3. If the remote sensor's icon turns green the connection is accepted and you will be able to view the events and reconfigure the remote sensor in the same way as you can with the local sensor.
  4. If the icon turns blue then the Administrator is unable to make a connection to the remote sensor.
    In this case check the remote sensor is running, the address on the remote sensor is correctly configured and that remote admin on the Sensor is enabled.
  5. If the icon turns red then a connection has been made but was rejected by the remote sensor.
    This is almost always due to the Sensor not being configured to accept the Administrator's public key.
  6. If the system clock on the Sensor differs from that on the Administrator then the number of seconds difference between the two will be displayed. It is important that all system clocks are set to the correct time to avoid confusion when analyzing events.
This procedure needs to be repeated for each Administrator and Sensor pair that you wish to configure.

Alternative key creation method

Instead of creating each public/private key pair on the machine on which they will be used, KFSensor provides an alternative method.

By selecting the Settings->Create Sensor Key File menu item a key file can be created that contains a new public and private key pair.

This key file can then be imported into the Local Sensor Configuration dialog of the KFSensor installation that it is intended for.

Using this method of key creation enables all the keys required to be created at the same time and makes the installation of a large number of KFSensor installations easier.

However this method does require careful administrative control, as each file produced contains a private key. Therefore care has to be made in ensuring the security of the key files.

Related Topics


KFSensor On-Line Manual Contents