He@tSeeker Pro™

The Distributed Intranet Firewall


1. The Intranet Problem

A large number of companies are connecting their networks to the Internet, looking for better integration with their clients and other commercial partners, all in the context of a growing global economy. Statistics show that this process is irreversible - the Internet continues to profoundly impact commercial and business applications. A presence on the Internet (and using it correctly) can give a company a very important competitive advantage.

However, when they begin to offer Internet access to their employees, the majority of companies face two potential problems. First is the risk that a direct connection to the Internet can represent to the security of the company’s information. If the company has access to the Internet, the Internet also has access to the company, unless the necessary precautions are taken.

Second is the problem of employee productivity. Since the Internet represents a seemingly endless information archive with many different subjects, it is easy to imagine that some of its services (WWW, IRC-Chat, FTP, Newsgroups, etc.) might be used by the employees for purposes incompatible with the company’s objective and mission.

2. Traditional Firewalls

"Firewalls" were developed to resolve the problems of internal network security and access control to Internet services. Firewalls are aptly named, for they resemble the structures that prevent fire from spreading from one environment to another. Generally, firewalls are server-based applications that monitor and control the traffic between two networks.

Traditional gateway firewall products were specifically developed to protect networks from external intrusions over the public Internet. The main goal of these products is to control access to your private network by external sources. Since their introduction, traditional firewalls have been widely viewed as the "Holy Grail" for network security.

Today, that view is changing. Users are beginning to realize that firewalls are only part of the total security solution, not the entire solution itself.

According to recent security surveys by the Computer Security Institute/FBI and Ernst & Young (1997), nearly 50% of all network intrusions come from INSIDE. Protecting the "front door" of an organization with a traditional firewall does not secure a network from internally based attacks – dial-up access, Trojan Horse type programs, or disgruntled employees. Traditional firewalls act like a security guard at the main entrance; they control only the main door protecting the network – leaving backdoors, windows and emergency doors and other entrance points unguarded and open. These are "points of least resistance" within a network that make easy targets for hackers and other intruders.

In addition, the firewall market is rapidly becoming commoditized. It is dominated by 4 major players, and further consolidation is ongoing (Source: Frost & Sullivan research report, "US Network Security Markets" 1997). Given the size of the traditional firewall installed base – 344,000 units deployed – and the maturity of the existing firewall market (Frost & Sullivan, "US Network Security Markets"), this represents a significant new opportunity. The supply channel also is ready for the next security solution to sell to existing firewall customers.

If we examine the recognized elements of security and the functionality of traditional firewalls, we see that firewalls don’t provide a complete solution to any of the security elements, as shown in the following table:

Security Elements / Traditional Firewalls

Authentication

As traditional firewalls are the middle point between the Internet and the private network, they are based on IP addresses. They use IP addresses to authenticate machines; therefore, they cannot authenticate the user. But the world is based on people. It is necessary to authenticate both the machine and the user.

Access Control

Granularity: As in the building analogy, the guard at the entrance cannot know what floor a visitor is going to, whom they are visiting, or what kind of message they are leaving.
Internal Network: Traditional firewalls are designed to control external access only. They lack the ability to protect Intranet servers against internal threats to Local Area Networks (LANs).

Privacy

Some traditional firewalls implement Virtual Private Networks (VPNs), but they only guarantee privacy between the two firewalls; they cannot guarantee privacy between the initial and the end point of communication because they are in the middle of the communication.

Integrity

Some traditional firewalls implement integrity when they implement VPNs, but as above, they only guarantee integrity between the two firewalls. They cannot guarantee integrity between the initial and the end point of communication.

Auditing

Traditional firewalls cannot provide auditing reports, track statistics, or graph data based on user, group or department utilization, because they are based on IP addresses, not on the network’s user identification.

Non-Repudiation

Traditional firewalls cannot guarantee non-repudiation because they are based on IP addresses, not on users.

Performance

The more granularity they try to provide, the more serious the performance problems firewalls suffer; they can become a bottleneck for the network. Firewall performance affects every single user on the network.

 

3. The Distributed Firewall Architecture Concept

Based on the problems outlined above, the concept was developed whereby a "machine" functions as a server for some services and a client of others, so that every microcomputer is a client and a server at the same time. Applying the recognized military principle that a defence is only as strong as its weakest link, it makes sense to protect the vulnerable inner portion of the network. Since networks are made of servers and stations, this means protecting stations as well as servers. This is the Distributed Firewall Architecture (DFA), designed to place security as close as possible to every object requiring protection.

Another part of the DFA is that security solutions must be tied to the operating system(s). The closer the security solution sits to the kernel of the operating system, the stronger the security. Beyond that, attachment to the operating system ensures that the security is transparent and simple for the end user and the environment. DFA allows legacy systems to continue working the way they always have. This approach is also good for administrators because it lets them implement Intranet security without modifying the environment and/or end-user applications.

One of the strongest concepts of DFA is that users are separate from IP addresses. This provides the granularity needed to implement more sophisticated security measures. The technology is user-based, not IP address-based. Regardless of the IP address assigned to a user at any given time, he or she will be the same person, and needs to be authenticated as a person, not as an IP address.

The protection in the DFA model is based on the Seven Security Elements: Authentication, Access Control, Privacy, Integrity, Non-Repudiation, Auditing, and Enterprise Management. The DFA was created to accept the standards of and use each of the seven security elements. These seven elements combined in an integrated product will solve security problems in the future. Today, some products are available that solve one, two, or sometimes three of these elements, but no single product covers all seven elements. And most of these products don’t support all the main operating system platforms.

4. The Seven Security Elements

 

5. He@tSeeker Pro™

Protecting against internal threats requires a radical new approach to firewall security. That’s why Fortress Technologies created NetFortress He@tSeeker Pro – an Intranet firewall that can be distributed and centrally managed to bring the implementation of security policy down to the individual desktop.

He@tSeeker Pro™ is a security, administration, and auditing software product, based on the Distributed Firewall Architecture (DFA). The main goal in the design of He@tSeeker Pro™ is the extension of network security from the point where the security of traditional firewalls ends.

Installed on a company’s workstations and servers to complement the security offered by traditional firewalls, He@tSeeker Pro™ allows access to Internet resources to be secure and productive, according to well-defined standards.

He@tSeeker Pro™ can be customized for a variety of projects and applications, such as user authentication, cryptography, ATM machines as an electronic commerce solution on the Internet, Extranets, home banking, election projects, electronic kiosk, among others.

He@tSeeker Pro™ monitors other applications that request services from the Windows Socket API (WINSOCK), intercepting these service requests and enabling or disabling access to the requested service’s program. Any program that has access to TCP/IP services based on WINSOCK can be monitored by He@tSeeker Pro™.

He@tSeeker Pro™ analyzes each data packet that a monitored application hands to the system-installed WINSOCK. In this way it can determine whether the packet requested by the logged-on user complies with the company's security policy. If the request does not comply, the user receives the standard message from the application in use, informing the user that the service was denied or that the requested resource (service or host) is unavailable. He@tSeeker Pro™ can also be configured to display its own message notifying the user of any service denial.

To provide the needed security granularity, He@tSeeker Pro™ uses two "fences." The first is at the IP level: this fence protects against attacks at the network layer. The second is at the TCP layer. Using both, He@tSeeker Pro™ provides the granularity needed to control the applications.

Whether resource usage is permitted or not, He@tSeeker Pro™ can register the access attempt in the station log file, saving the user’s name, date, time and the workstation used. This file can be exported to the server, allowing the auditor or super user to conduct professional network usage auditing covering all workstations.

Understanding WINSOCK

To gain a better understanding of He@tSeeker Pro™, the following briefly describes the WINSOCK.DLL, what it does and how it works.

In order for a client application, such as a browser, an FTP client, an IRC chat client or any other client program, to access the services of a server application using TCP/IP as the transport, a connection must be established between the two applications.

The WINSOCK API is a library of routines that allows a client application to establish these connections and to access services such as name resolution, IP address handling, etc. It is an API (Application Program Interface) that allows client applications developed for the Windows environment (Windows 3.x, Windows 95 or Windows NT) to use TCP/IP services to communicate with server applications.

WINSOCK defines a standard followed by programmers who develop applications for the Windows environment. The WINSOCK is a DLL (Dynamic Link Library), executable code loaded and unloaded by Windows applications dynamically as necessary.

WINSOCK is based on the SOCKS library, created in Berkeley for the UNIX environment.

As an example, suppose a Windows application (Windows 3.1, Windows 95 or Windows NT) wants to use TCP/IP services to reach the Internet (through a modem, with dial-up access) or a corporate intranet (over the network cable, using Ethernet).

In any case, the application uses WINSOCK.DLL functions, located "between" the application and the workstation TCP/IP stack, to open a connection (socket) with the desired service and to transmit and receive data using TCP/IP.

For example, the browsers Netscape Navigator and Microsoft Internet Explorer, CuteFTP (an FTP client) and mIRC (an IRC chat client) are Windows applications that use the WINSOCK API to access TCP/IP services.

He@tSeeker Pro™ guarantees total access protection to Internet / Intranet services by staying between the application and WINSOCK.DLL.

In a 32-bit environment such as Windows NT, He@tSeeker Pro™ uses WSOCK32.DLL to protect 32-bit applications. WSOCK32.DLL has the same functionality as WINSOCK.DLL.

When the application tries to connect to a server to obtain any service through WINSOCK API calls, He@tSeeker Pro™ intercepts the request and checks it against the access rules defined by the administrator, and allows or blocks the access accordingly. The application is not able to access WINSOCK.DLL without being monitored and registered by the He@tSeeker Pro™ log.

Supported operating systems and Compatibility

He@tSeeker Pro™ is a Windows application, with 16-bit (Windows 3.1 or Windows 3.11) and 32-bit (Windows 95 and Windows NT) versions. In all cases, He@tSeeker Pro™ requires that a Winsock 1.1 API compliant networking package is installed. He@tSeeker Pro™ is compatible with the standard definition of WINSOCK 1.0 and with HTTP and FTP proxies.

Minimum hardware requirements

The minimum hardware requirements to install He@tSeeker Pro™ are basically the same as those for the operating system in use. The hardware recommended for installing He@tSeeker Pro™ with good performance is:

Processor: Pentium

RAM memory: 4 MB for Windows 3.x; 16 MB for Windows 95; 32 MB for Windows NT

Disk space for He@tSeeker Pro™: 3 MB for installation. Additional disk space is required for LOG and configuration files.

Drive: 3 ½ inch diskette or CD-ROM

 

He@tSeeker Pro™ Main Sub-Systems

CFINET – Access Control Sub-System for 16-bit

CFINET32 – Access Control Sub-System for 32-bit

CFIWS32 – Access Control Sub-System for 32-bit

CFIHK32 – Access Control Sub-System for 32-bit

CFIHKMS – Access Control Sub-System for 32-bit

CFIITF*.DLL – Authentication and Users and Groups Network Database Access

CFIADMIN – Enterprise Security System Manager

CFIAUDIT – Auditing Sub-System

CFICRT32.DLL – Cryptography Sub-System

Environment Changes

To correctly install and activate He@tSeeker Pro™, some changes are made in the Windows environment during the installation process. The changes are based on the options chosen during installation and are dependent on the operating system where He@tSeeker Pro™ is being installed.

Windows NT

Windows 95

Windows 3.x

No other component of the Windows system is changed by He@tSeeker Pro™, and only the directory indicated during installation is used by He@tSeeker Pro™.

The deinstallation process restores the environment the way it was before installation.

6. He@tSeeker Pro™ Main Features

6.1. Access control to Internet resources

    He@tSeeker Pro™ controls access to Internet services such as WWW, FTP, USENET Newsgroups, IRC-Chat, etc., based on TCP/IP or other protocols. Generic applications that run on specific TCP ports can also be controlled. He@tSeeker Pro™ restricts access for specific users or groups of users, based on the server host, IP address and domain name. For each service, He@tSeeker Pro™ defines up to four different levels of control: access allowed for all users without auditing; access blocked with auditing; access allowed for some users or groups; and access denied to all users or groups.

    He@tSeeker Pro™ is a software application that monitors and controls access to basic TCP/IP resources. It is used as a corporate Internet and intranet security solution. It is a workstation-based solution that complements the firewall, which is a server-based solution.

    He@tSeeker Pro™ uses a technology known as WINSOCK and TCP/IP trapping. When an application tries to connect to a remote Host to obtain an Internet service through calls to the WINSOCK, He@tSeeker Pro™ intercepts the request and verifies, based on defined rules, if it will permit or block the access.

    When ICMP (ping) or certain special TCP/IP ports are attacked, He@tSeeker Pro™ uses its TCP/IP trapping technology to detect the attack, defend against it and drop it.

    He@tSeeker Pro™ must be installed in every workstation where local access control to the Internet is desired. He@tSeeker Pro™ does not replace a traditional firewall. Traditional firewalls are designed to protect servers, not network workstations, and they are unable to protect workstations that access the Internet through a modem. He@tSeeker Pro™ complements traditional firewalls in providing network security.

    6.2. Authentication

    He@tSeeker Pro™ uses a proprietary user database and automatically imports user authentication information used by the operating system. So, when installed on a NetWare environment, He@tSeeker Pro™ is able to read data from the Bindery (NetWare 3.x) or NDS (NetWare 4.x). He@tSeeker Pro™ can also access Windows 95 user information (user.pwl) and Windows NT account information (SAM).

    He@tSeeker Pro™ imports users’ information from the NetWare (Bindery and NDS), Windows 95 and Windows NT operating system automatically. This is done by installing the required DLL for each of these environments. He@tSeeker Pro™ can also be integrated with specific applications or other access control systems (e.g. Banyan Vines).

    To authenticate and give real security to users of Windows 95 and Windows 3.x systems, it is necessary to install Access Control Systems in the station so the authentication process will be trustworthy. He@tSeeker Pro™ can be easily integrated with all the access control systems available today.

    User identification and verification

    He@tSeeker Pro™ uses the resources of the operating system to identify and validate an active user, the groups to which the user is linked, and the user's access rights on the network. Thus the active user is recognized immediately and his or her access rights on the Internet or Intranet are loaded automatically. The system communicates directly with the network identification provider, through a system loaded during installation. The system utilizes its own DLLs to access the user database used by the main operating system, such as Novell Netware (Bindery and NDS), LAN Manager, Windows NT, Windows 95.

    6.3. Auditing, usage statistics and graphs

    One of the main features of the He@tSeeker Pro™ system is monitoring and consolidating Internet and Intranet usage. The auditing module is the tool that collects data from the He@tSeeker Pro™ firewall and stores it in a database. The Auditing tool enables network access and Internet and Intranet usage to be analyzed through spreadsheets, graphs or data. This data can be exported for analysis by other software.

    Another feature of the He@tSeeker Pro™ is the collection of information through the system log. Since this log is not available to regular users, it guarantees data security. The auditing module of the He@tSeeker Pro™ system is available only to Super Users and Auditors.

    He@tSeeker Pro™ offers a variety of report formats and statistical graphs of TCP/IP service usage, with executive information. Examples include: most frequently accessed hosts, most frequent user, and most used workstation. The auditing graphs can be configured by workstation, user, date, time or day of the week.

    All He@tSeeker Pro™ components use the auditing sub-system, which is composed of the following sub-systems:

    - Logging Events

    - Log Analysis, Statistics and Graphs Generation

    - Monitoring and Alarms

    The monitoring, event logging and alarm processes are started when the Windows operating system boots.

    The administrator can configure the information logged in the Management system of He@tSeeker Pro™. Services (HTTP, FTP, E-mail, etc.), as well as specific hosts, can be selected for, or excluded from, registration.

    The events registered in the log file vary depending on the type of service used. For some services, such as HTTP, FTP, Gopher, E-mail, etc., He@tSeeker Pro™ can identify what kind of information is being transmitted or requested. For example, with the FTP service, every type of access can be logged, such as CD, DOWNLOAD, UPLOAD, MD, RD, etc.

    The log file is in a proprietary format for the purpose of security and performance. It can be seen only by the He@tSeeker Pro™ Auditing sub-system. Nevertheless, it allows for the export of the log to the ASCII, DBF, DIF and HTML file formats.

    The spreadsheet fields are as follows:

    #: the entry number in the log file.

    Date: the date on which the event occurred.

    Time: the time at which the event occurred.

    User: the name of the user accessing the service.

    Station: the name of the workstation where the event was registered.

    Activity: the type of registered event.

    Violation: security violation attempts. Incorrect passwords, unauthorized directory access, etc. are considered security violation attempts.

    Instance: under Windows, many processes (programs) run at the same time; the instance identifies which process generated the event.

    Object: the object (Host, IP, Service, folder, directory, file, etc.) that instigated the event.

    The information presented on the spreadsheet is refreshed every 15 seconds, or whenever the user presses the left mouse button.

    The He@tSeeker Pro™ Auditing program registers some information related to attached files in the e-mail messages, such as filename, size and date.

    The auditing module allows the Auditor or Super User to apply restrictions to the log being inspected, to obtain a partial view. For example, to view only one user's records, or only the records within a given time interval, auditing supplies the Configure Restrictions option, which affects the entire log file.

    Three versions of the log file are available:

    Spreadsheet: View the current selected log as a spreadsheet format. View all the events that happened during a certain time period. This function can be configured through restrictions.

    Graphs: Evaluating data in graph format is easier to understand than data displayed in raw numbers. He@tSeeker Pro™ makes several activity evaluations available in graph format, including 2D-Bar, 2D-Column, 2D-Total, 3D-Bar, 3D-Column and 3D-Pie.

    Statistics: This option provides viewing of the consolidated data in a spreadsheet format. He@tSeeker Pro™ enables the generation of several types of statistical analysis.

    Graphs and statistics can be viewed by frequency and time. Frequency is the number of times something occurs – e-mail is sent; a Host or URL is accessed; or a specific service is used. Time is the amount of time used to send e-mail, access a Host or URL or use a service.

    The Administrator or Auditor is able to generate several kinds of statistics and graphs, including:

    - Percentage of use of the equipment by host;

    - Percentage of use of the equipment by service (HTTP, FTP, Chat, E-mail, etc.);

    - Percentage of use of services per user;

    - Percentage of use of services per station;

    - Percentage of use of hosts per user;

    - Percentage of use of hosts per station;

    - E-mail messages sent;

    - E-mail messages received;

    - Number of accesses to hosts and services.
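    The statistics listed above are derived from the log spreadsheet fields described earlier in this section. The following Python script is an added example and is not code from the original document or from the product: it builds a few constructed log records in that field layout, computes the percentage of use of services per user and the number of accesses per host and per service, lists the entries flagged as violations, and writes the ASCII (comma-separated) export. The record values, the function names and the decision to count denied attempts as accesses (the log registers attempts whether or not they were permitted) are assumptions of the example.

```python
import csv
import io
from collections import Counter, defaultdict
from typing import Dict, List, Tuple

# Column layout of the auditing spreadsheet described in the text.
FIELDS = ["#", "Date", "Time", "User", "Station", "Activity", "Violation", "Instance", "Object"]

def _rec(n, date, time, user, station, activity, obj, violation="", instance=1):
    """Build one spreadsheet row as a dict keyed by FIELDS."""
    return dict(zip(FIELDS, [n, date, time, user, station, activity, violation, instance, obj]))

# Constructed log records (made up for this example). Activity holds the
# service that was used, Object the host that was accessed or attempted.
CONSTRUCTED_LOG = [
    _rec(1, "1997-11-03", "09:01:12", "alice", "WS01", "HTTP", "www.example.com"),
    _rec(2, "1997-11-03", "09:02:40", "alice", "WS01", "HTTP", "www.example.com"),
    _rec(3, "1997-11-03", "09:15:03", "alice", "WS01", "FTP", "ftp.example.com", instance=2),
    _rec(4, "1997-11-03", "10:30:55", "alice", "WS01", "HTTP", "news.example.org"),
    _rec(5, "1997-11-03", "11:05:19", "bob", "WS02", "IRC", "irc.example.net", violation="access denied"),
    _rec(6, "1997-11-03", "11:07:02", "bob", "WS02", "HTTP", "www.example.com"),
]

def service_share_per_user(records: List[dict]) -> Dict[str, Dict[str, float]]:
    """Percentage of use of services per user. Every logged attempt counts,
    allowed or denied, because the log registers both kinds."""
    counts: Dict[str, Counter] = defaultdict(Counter)
    for r in records:
        counts[r["User"]][r["Activity"]] += 1
    return {user: {svc: round(100.0 * n / sum(c.values()), 1) for svc, n in c.items()}
            for user, c in counts.items()}

def access_counts(records: List[dict]) -> Tuple[Counter, Counter]:
    """Number of accesses to hosts and to services (two frequency tables)."""
    hosts = Counter(r["Object"] for r in records)
    services = Counter(r["Activity"] for r in records)
    return hosts, services

def violations(records: List[dict]) -> List[dict]:
    """Entries flagged in the Violation column, for the auditor's review."""
    return [r for r in records if r["Violation"]]

def export_ascii(records: List[dict]) -> str:
    """ASCII (comma-separated) export of the spreadsheet, header row first."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=FIELDS, lineterminator="\n")
    writer.writeheader()
    writer.writerows(records)
    return buf.getvalue()

if __name__ == "__main__":
    for user, shares in service_share_per_user(CONSTRUCTED_LOG).items():
        print(user, shares)
    hosts, services = access_counts(CONSTRUCTED_LOG)
    print(hosts.most_common(1), services.most_common(1))
    print(export_ascii(CONSTRUCTED_LOG))
```

    The same records can be regrouped by Station instead of User to obtain the per-station percentages, and by Object to obtain the per-host figures; only the grouping key changes.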

    6.4. Enterprise Security Management

    He@tSeeker Pro™ installation uses InstallShield™, so the process is simple, fast and secure. Its configuration and management is accomplished centrally from the Administration program. In this program, the administrator implements a series of rules compatible with the established security policy for Internet service use, specifying the hosts and services that must be globally permitted or blocked. Also, the administrator may implement special configurations for specific groups or users.

    The Administration program interface is simple and user-friendly. It is formed by a main window (work area) divided in two smaller windows. The "object tree" in the left window lists the different types of He@tSeeker Pro™ objects (Groups, Hosts, Users), separated by classes. The right window provides a description of the selected object and other important information about the object.

    6.4.1. He@tSeeker Pro™ object classes

    He@tSeeker Pro™ is a Windows application that utilizes the "object oriented" concept. Many of the elements represented in the work area are treated by the program as independent objects, having specific characteristics derived from an object class. For example, the "Group" class has objects created to represent groups of users and the "Users" class has objects that represent individual users.

    He@tSeeker Pro™ uses three types of objects:

    Hosts and services class: The objects in this class represent any Internet resource that can be accessed through an IP address; for example, hosts, routers, networks, etc. A Host object can be created to represent a Web server on the Internet (WWW), so the administrator can configure how the system will treat access attempts and the users and groups linked to this server.

    Users class: These objects represent users. This class contains all the users registered in the system. He@tSeeker Pro™ automatically imports all user information from the operating system (Windows NT, NetWare, etc.) to create its own user database.

    Users group class: The Users group class includes all the user groups registered in the system. Both the users linked to the group and the hosts and services linked directly to the group can be viewed.

    He@tSeeker Pro™ also has an object above all the classes described above, representing the Internet or the corporate Intranet. This object is represented by the planet earth icon; it is called the Internet/Intranet object.

7. Specific Functionality of He@tSeeker Pro™

7.1. Authentication

7.1.1. Automatically imports users and user groups from Novell NetWare server version 3.x by accessing the bindery

7.1.2. Automatically imports users and user groups from Novell NetWare server version 4.x by accessing the NDS

7.1.3. Automatically imports users and user groups from Microsoft Windows NT Server version 4 by accessing the System Account Information - SAM

7.1.4. Automatically imports users from Microsoft Windows 95 (standalone installation)

7.1.5. Every time you run the administration program, it checks whether the network user database has changed. If so, it shows the administrator a message and allows him to resynchronize the He@tSeeker Pro™ database with the network: deleting users and groups that were removed, inserting users and groups newly created on the network, and reorganizing users that were moved from one group to another. Everything is done automatically.

7.2. Access Control

7.2.1. By Time

7.2.1.1. Allows you to define individually the periods of time during which USERS can or cannot access the Internet.

7.2.1.2. Allows you to define individually the periods of time during which SERVICES such as FTP, HTTP, CHAT, etc. can be used.

7.2.1.3. Allows you to define individually the periods of time during which HOSTS can be accessed.

7.2.1.4. Allows you to define individually the periods of time during which IP addresses can be accessed.

7.2.2. Philosophy

Two types of security philosophy can be defined:

-- Closed: everything not defined is protected; and

-- Open: everything is open until you establish a rule.

The closed philosophy is the default. He@tSeeker Pro™ intercepts the communication between the browser and WINSOCK.DLL, obtaining information about the service (HTTP), the host and its IP address. With this information, He@tSeeker Pro™ checks whether any blocking rule or access permission is defined for this specific URL and user. The verification proceeds as follows:

Host: He@tSeeker Pro™ first checks whether a restriction relating to this host is registered for this user. If one exists, it checks whether the restriction applies to all services (Total block) or only to specific services. If the requested service is restricted, the request is aborted immediately. If the host or service is registered without restriction, the request is sent to the server.

Services: If the host is not registered, He@tSeeker Pro™ checks whether the requested service is registered in the system's general configuration. If it is registered with restrictions, the request is aborted; if it is registered without restrictions, the request is permitted.

Philosophy: If neither the host nor the service is registered, the adopted access philosophy decides. If it is open, the request is sent to the server; if it is closed, the request is aborted. NOTE: Even under the closed philosophy, access to services registered in He@tSeeker Pro™ is permitted unless access is explicitly blocked for those services.
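The three verification steps above (host, then service, then philosophy) form an ordered decision procedure. The following Python script is an added example, not code from the original document or from the product: it models that order with a small rule structure and shows that a service registered without restriction is still permitted under the closed philosophy, exactly as the NOTE states. The rule layout, the function and class names, and the sample rules are assumptions of the example; hosts are matched literally here, and no wildcard masks are applied.

```python
from dataclasses import dataclass, field
from typing import Dict, Set, Tuple

@dataclass
class HostRule:
    """Restriction registered for one user on one host."""
    total_block: bool = False                                 # "Total block": all services denied
    blocked_services: Set[str] = field(default_factory=set)   # only these services denied

@dataclass
class Policy:
    closed: bool = True                                       # closed philosophy is the default
    # user -> host name -> rule (assumed layout; hosts matched literally in this example)
    host_rules: Dict[str, Dict[str, HostRule]] = field(default_factory=dict)
    # service name -> True if registered with restrictions, False if registered without
    service_rules: Dict[str, bool] = field(default_factory=dict)

def decide(policy: Policy, user: str, host: str, service: str) -> Tuple[bool, str]:
    """Apply the three verification steps in order; return (allowed, reason)."""
    # Step 1: Host. A restriction registered for this user and host is checked first.
    rule = policy.host_rules.get(user, {}).get(host)
    if rule is not None:
        if rule.total_block:
            return False, "host: total block"
        if service in rule.blocked_services:
            return False, "host: service %s blocked" % service
        return True, "host: registered without restriction for this service"
    # Step 2: Services. Host not registered, so consult the general service configuration.
    if service in policy.service_rules:
        if policy.service_rules[service]:
            return False, "service: %s restricted" % service
        # Registered without restriction: permitted even under the closed philosophy.
        return True, "service: %s registered without restriction" % service
    # Step 3: Philosophy. Neither host nor service is registered.
    if policy.closed:
        return False, "philosophy: closed, nothing undefined is allowed"
    return True, "philosophy: open"

def sample_policy() -> Policy:
    """Constructed rule set for the demonstration (not a real configuration)."""
    return Policy(
        closed=True,
        host_rules={"alice": {"chat.example.net": HostRule(total_block=True),
                              "ftp.example.com": HostRule(blocked_services={"FTP"})}},
        service_rules={"HTTP": False, "IRC": True},
    )

if __name__ == "__main__":
    p = sample_policy()
    for who, host, svc in [("alice", "chat.example.net", "HTTP"),
                           ("alice", "ftp.example.com", "HTTP"),
                           ("bob", "www.example.com", "HTTP"),
                           ("bob", "www.example.com", "TELNET")]:
        print(who, host, svc, decide(p, who, host, svc))
```

The order matters: a host rule registered without restriction for the requested service permits the request before the general service configuration or the philosophy is consulted, so an administrator reviewing a surprising "allowed" decision should check the per-user host rules first.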

7.2.2. Protects IP address without name. When this option is on, if He@tSeeker Pro™ cannot resolve an IP address during access to a given host, it will not allow the access. This option is disabled by default, which means that access is allowed to hosts whose IP addresses He@tSeeker Pro™ cannot resolve. In installations where a higher level of security is necessary, this option must be enabled; access to hosts whose addresses cannot be resolved will then be blocked.

7.2.3. Uses SOCKS Proxy Server; mark this option to configure He@tSeeker Pro™ when a Proxy Server is being used. He@tSeeker Pro™ supports the use of a Proxy Server in HTTP and FTP services, when executed inside the browser.

7.2.4. Enables Browser Security (Windows 95 clients only). With this option the administrator can disable the download of cookies, Java applets and ActiveX controls, and protect the workstation against malicious JavaScript code.

7.2.5. Enables Attack Protection at the IP Level (Windows 95 clients only). The Windows operating system is vulnerable to a series of attacks when the NBT (NetBIOS over TCP/IP) service is used. He@tSeeker Pro™ can disable the TCP/UDP network services related to NetBIOS, to prevent a hacker from launching a "denial of service" attack.

      1. Blocks Ports that are subject to attack:
      2. -- FTP

        -- Telnet

        -- Netbios Name

        -- Netbios Session

        -- Netbios Datagram

        -- TCP/IP service port blocking at the network layer

        7.2.7 ICMP Attacks: Some or all ICMP packets can be disabled, eliminating the possibility that the workstation can be attacked by Ping of Death and other ICMP-related attacks (for Windows 95 clients only). He@tSeeker Pro™ stops ICMP attacks like Ping-O-Death, Supersonic Ping, Ping Flooding, Route deterring, SYN flooding, and DNS denial of service attacks.

      3. Also blocks Win 95 Dial Up Networking (DUN) connections and ICMP through PPP.
7.2.9 Services

      1. A service is identified by a name, which usually represents the protocol used (FTP, TELNET, HTTP, etc.), and by the number of the port on which the service is reached on the server (21 for FTP, 23 for TELNET, 80 for HTTP, etc.). He@tSeeker Pro™ allows you to control any service you want, from number 1 through 65365.
      2. Deny Access: He@tSeeker Pro™ controls outgoing and incoming traffic on the workstation separately for each service, through its bi-directional control. If the Outgoing check box is marked, outgoing traffic is protected, that is, denied; if the Incoming check box is marked, incoming traffic is protected. On workstations that are only clients (that do not run services), you can block just the outgoing traffic for a specific service by marking the Outgoing check box. On computers that run services (e.g. a Windows NT host running the IIS Web Server), access to the service can be blocked through the Incoming check box, which makes the service inaccessible to all other workstations.

7.2.10 Hosts

      1. He@tSeeker Pro™ allows you to control any host you want, by name or by IP address.
         1. Name: Identifies the host on the Internet, according to the DNS (Domain Name Server), for example www.ion.fortresstech.com. The name field accepts wild card masks (* and ?) to represent all hosts that belong to the same domain. For example, to register and configure access to all hosts in the ".gov." domain (hosts belonging to the government), just register a host with the name "*.gov.*". The domain name is always converted internally to an IP address by the WINSOCK functions, which is why a host can be identified either by name or by IP address.
         2. IP Address: In this field you enter the host IP address, for example 200.240.30.49. This number does not need to be supplied if you already have the host name. A host can also be represented by putting the wild card mask (*) in place of one or more octets, so that a single entry covers a whole address range. Entire subnets, up to whole class A, B or C networks, can thus be defined as one host.
         3. Host verification: this function looks up a host by its name or IP address and returns the real identification reported by the host itself. When the host is found, He@tSeeker Pro™ suggests a name, which you can use as the host name to obtain the best results. For example, for the www.ion.fortresstech.com host, He@tSeeker Pro™ resolved the IP 207.120.127.90 and the name ion.fortresstech.com, and suggested the name ion.fortresstech.com for its protection.
      2. Control Access of Directories and Files: He@tSeeker Pro™ allows you to specify a path to a specific directory or file. For example, you can block or allow access to a specific directory or to a specific HTML page on a WWW server, protecting access to an Intranet directory.
      3. Deny Access: He@tSeeker Pro™ controls outbound and inbound traffic on the workstation separately for each host, through its bi-directional control. If the Outgoing check box is marked, outgoing traffic is protected, that is, denied; if the Incoming check box is marked, incoming traffic is protected.
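As an added example (not part of the He@tSeeker Pro™ datasheet and not the product's own code), the following Python model shows how the wild card host masks and the bi-directional host and service rules described above decide whether a connection is denied. The rule table, the sample hosts and addresses, and the convention that a pattern beginning with a digit is an IP mask are all assumptions of this example.

```python
from fnmatch import fnmatchcase

# Constructed model of He@tSeeker Pro's bi-directional host and service
# rules (added example, not the product's own code). Patterns starting
# with a digit are treated as IP wildcard masks; anything else is a DNS
# name pattern. Both conventions are assumptions for this example.

def host_matches(pattern: str, name: str, ip: str) -> bool:
    """Match a rule's host field against a connection's name and address."""
    if pattern[:1].isdigit():
        # IP mask such as "200.240.30.*": one entry covers the whole class C
        return fnmatchcase(ip, pattern)
    # Names are compared as fully qualified names with a trailing dot, so
    # the page's "*.gov.*" matches "www.nasa.gov." but not "notgov.com.".
    fqdn = name.lower().rstrip(".") + "."
    return fnmatchcase(fqdn, pattern.lower())

# Constructed sample rule table: a host rule matches by name or IP mask,
# a service rule by port number; each blocks the checked directions.
RULES = [
    {"host": "*.gov.*",      "outgoing": True,  "incoming": False},
    {"host": "200.240.30.*", "outgoing": True,  "incoming": True},
    {"service": 23,          "outgoing": True,  "incoming": True},   # Telnet
    {"service": 80,          "outgoing": False, "incoming": True},   # IIS host
]

def is_denied(rules, direction: str, name: str = "", ip: str = "", port: int = 0) -> bool:
    """True if any rule denies `direction` ("outgoing"/"incoming") for this connection."""
    if direction not in ("outgoing", "incoming"):
        raise ValueError(direction)
    for rule in rules:
        if not rule[direction]:
            continue  # rule does not cover this direction
        if "host" in rule and host_matches(rule["host"], name, ip):
            return True
        if "service" in rule and rule["service"] == port:
            return True
    return False

if __name__ == "__main__":
    # Outgoing HTTP to a .gov host is denied by the host rule ...
    print(is_denied(RULES, "outgoing", name="www.nasa.gov", ip="1.2.3.4", port=80))   # True
    # ... while outgoing HTTP to any other host is allowed (port 80 is only blocked inbound)
    print(is_denied(RULES, "outgoing", name="www.example.com", ip="1.2.3.4", port=80))  # False
```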
7.3 Auditing

7.3.1. Registers the commands inside the host. This option registers all executed commands, such as application execution, directory change, etc., inside of the host in the log file.

7.3.2. Registers beginning and end of access to non-specified services. This option registers the beginning and the end of access to any service in the log file, even if this service is not registered in the system.

7.3.3. Registers the beginning and the end of access of the Services in the log file, indicating the accessed services.

7.3.4 Registers the beginning and the end of access to the Hosts in the log file, indicating the accessed hosts or IP addresses.

7.3.5 Sends E-Mail to Admin on violation. This option allows you to configure the IP address of the Mail Server that He@tSeeker Pro™ should use to send security denial of service alerts to the Administrator by e-mail. Use the Manage Administrator Mail List to select the users with administrator status who will receive these alerts.

7.3.6 Monitoring and consolidating Internet / Intranet usage. The Auditing tool allows analysis of network access and Internet / Intranet usage through spreadsheets, graphs or raw data. This data can be exported for analysis by other software.

7.3.7 Collection of information through the system log. This guarantees data security, as the log is not available to regular users. The auditing sub-system of He@tSeeker Pro™ is available only to Super Users.

7.3.8 He@tSeeker Pro™ has a variety of reports and statistical graphs of TCP/IP service usage, with executive information such as the most frequently accessed hosts, the most frequent user or the most used workstation. The auditing graphs can be configured by workstation, by user, by time and in general.

7.3.9 The log file is in a proprietary format for security and performance. Nevertheless, it can be exported to standard formats (ASCII, DBF, DIF and HTML) for use with other tools.

7.3.10 Spreadsheet fields (see Section 5.3).

7.3.11 The information presented in the spreadsheet is refreshed every 15 seconds, or whenever the user presses the left mouse button.

7.3.12 The auditing module allows you to apply restrictions to the log being inspected, so that you see a partial view. For this purpose, auditing supplies the Configure Restrictions option, which affects the entire log file. You build the restriction you want by selecting the setup fields, shown from left to right, and applying an AND or an OR operator after each condition by selecting the corresponding button.

7.3.13 Three views of the log file: Spreadsheet, Graphs and Statistics.

7.3.14 He@tSeeker Pro™ makes several activity evaluations available in graph format, which can be presented in many ways. The graph options are 2D-Bar, 2D-Column, 2D-Total, 3D-Bar, 3D-Column and 3D-Pie.

7.3.15 Graphs and statistics can be viewed by frequency and by time.

7.3.16 The Administrator is able to generate several kinds of statistics and graphs, such as:

        -- % of use of the equipment by host;
        -- % of use of the equipment by service (HTTP, FTP, Chat, E-mail, etc.);
        -- % of use of services per user;
        -- % of use of services per station;
        -- % of use of hosts per user;
        -- % of use of hosts per station;
        -- e-mails sent;
        -- e-mails received;
        -- number of accesses to hosts and services.

7.3.17 He@tSeeker Pro™ is able to export the log to five different log formats: HTML, ASCII, DIF, DBF and its own proprietary format.

7.3.18 He@tSeeker Pro™ allows you to merge the logs of different workstations, generating a consolidated log file that shows all of the registered activity by date and time. When you work with consolidated log files you see a more general picture of network usage, with more global statistics and graphs.
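The Configure Restrictions chain (a condition followed by AND or OR, read from left to right) and the "% of use" statistics above, modelled in Python as an added example that is not the product's own auditing code or log format. The log records, their field names and the strictly left-to-right evaluation of the AND/OR chain are assumptions of this example.

```python
import operator

# Constructed log records standing in for entries of He@tSeeker Pro's
# proprietary log (added example; the field names are assumptions).
LOG = [
    {"user": "alice", "station": "WS01", "host": "www.nasa.gov",    "service": 80, "denied": True},
    {"user": "bob",   "station": "WS02", "host": "ftp.example.com", "service": 21, "denied": False},
    {"user": "alice", "station": "WS01", "host": "ftp.example.com", "service": 21, "denied": False},
    {"user": "carol", "station": "WS03", "host": "www.example.com", "service": 80, "denied": False},
]

OPS = {"=": operator.eq, "<>": operator.ne}

def restrict(log, conditions):
    """Filter `log` with a chain of (field, op, value, connector) tuples.

    As in the Configure Restrictions dialog, an AND or OR follows each
    condition; this example evaluates the chain strictly left to right
    (an assumption, since the page states no precedence), so the chain
    A OR B AND C is read as (A OR B) AND C. The last connector is ignored.
    """
    def keep(row):
        result, connector = None, None
        for field, op, value, next_connector in conditions:
            term = OPS[op](row[field], value)
            if result is None:
                result = term            # first condition starts the chain
            elif connector == "AND":
                result = result and term
            else:                        # "OR"
                result = result or term
            connector = next_connector
        return True if result is None else result   # no conditions: whole log
    return [row for row in log if keep(row)]

def usage_by(rows, field):
    """Percentage of logged accesses per value of `field` (the '% of use' graphs)."""
    counts = {}
    for row in rows:
        counts[row[field]] = counts.get(row[field], 0) + 1
    total = sum(counts.values())
    if not total:
        return {}
    return {key: round(100.0 * n / total, 1) for key, n in counts.items()}
```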
7.4 Ease of Use and Transparency

7.4.1 Simple installation using InstallShield Technology

7.4.2 Allows you to install from a single point.

7.4.3 Silent client installation.

7.4.4 Automatic client upgrade.

7.4.5 Show denial of service message. This option shows a "violation notification" message to the user when he or she attempts to access a site or service that is blocked. If this check box is unmarked, the user instead receives an error message from the application being used (for example, Netscape) when trying to access something not permitted.

7.5. Management

7.5.1 Administrator Authentication through password. If this option is enabled, it requires a password to allow access to the Administration, Auditing and Uninstallation programs. The default is disabled.

7.5.2 Three objects to be managed (Users, Groups of Users and Hosts).

7.5.3 Time profiles can be used to specify time restrictions on access to Internet / Intranet services.

7.5.4 GUI interface.

7.5.5 Synchronize. Synchronizes the users and groups information displayed by He@tSeeker Pro™ with the user authentication method in use. He@tSeeker Pro™ reads and displays the users and groups database immediately after it is loaded. For example, if a user is removed from the operating system's user database after He@tSeeker Pro™ has loaded, the administrator can use the Synchronize command to delete that user's relationships to hosts and services.

7.5.6 Enable/Disable He@tSeeker Pro™. This is a useful tool for checking whether the software is enabled or disabled. The option is useful for network tests, when the absence of He@tSeeker Pro™ can be simulated without the need to uninstall the product.

7.5.7 Uses DNS. This option allows He@tSeeker Pro™ to use the Domain Name Server (DNS) to resolve host names. It is enabled by default and should be disabled only if the workstation uses a Proxy Server to access the Internet and does not have a DNS Server configured.

7.5.8 Host verification. This function looks up a host by its name or IP address and returns the real identification reported by the host itself. When the host is found, He@tSeeker Pro™ suggests a name, which you can use as the host name to obtain the best results. For example, for the www.xyz.everysite.com host, He@tSeeker Pro™ resolved the IP 207.120.127.90 and the name xyz.everysite.com, and suggested the name xyz.everysite.com for its protection.

2.9.98

He@tSeeker is a trademark of Fortress Technologies, Inc.
© 1998 Fortress Technologies Inc. All rights reserved.

©1998 NetVersant Technologies. All rights reserved.
For further information, please call
(800) 274-6065 or e-mail NetVersant.