The basis of good security is to have security in depth.
KFSensor complements other types of security, without replacing them.
Used as part of a comprehensive security policy KFSensor adds an additional layer of protection to
detect security breaches that may not be picked up by other means.
There are some similarities between the way KFSensor and firewalls work. Both monitor ports to detect
unauthorized connections. However, their purpose is very different.
A firewall aims to prevent access to most ports by blocking connections according to
a rule base. A hacker attacking a network protected by a firewall will be prevented from even identifying the services
that are running.
KFSensor however, welcomes connections and sends a back a response. A hacker will thus be misinformed about the services that are running.
Anti-Virus software uses a signature database to identify known viruses, trojans and worms, known collectively as malware.
It does this by examining a hard disk or the contents of email attachments.
KFSensor detects the actions malware perform. For example a new installation of a Code Red worm immediately begins
to scan other machines on the same network to detect vulnerabilities it can exploit.
These actions are detected and reported immediately by KFSensor. Another advantage of KFSensor is that it is just as effective
at detecting new viruses that have not yet been added to the anti-virus signature database by anti-virus software vendors.
NIDS perform the same role as KFSensor, using a different technique. They monitor traffic on the network looking for known attack patterns within the data being transferred. Because they rely on the same signature database techniques as anti-virus software they suffer the same problems with new attack patterns. They also suffer from the problems of wrongly identifying legitimate traffic as suspicious. Often the false positives can overwhelm the reporting of genuine attacks.
KFSensor also contains a signature database to identify know attacks, but it is not dependent on this to detect an attack. Because of the low incidence of false positive reporting by KFSensor, it can draw attention to actual attacks that enables interpreting attacks to be more productive.
Next: Deploying KFSensor