1. Powerful Analysis Function
Q.1-1 Do you disclose the data format recorded by PacketBlackHole? (I want to access the data I need directly.)
A.1-1 Yes. The recorded packet data (pkt files) can be read by any tool, because it is written in the standard libpcap format. The analyzed data is stored in a MySQL database, so it can also be viewed by anyone with basic SQL knowledge.
Q.1-2 I want to record e-mail that is encrypted with PGP.
A.1-2 PacketBlackHole does not decrypt PGP. However, since PGP mail is recorded as it is, you can read the logged mail if you have the private key and the passphrase.
Q.1-3 Can IRC and ICQ be viewed online?
A.1-3 Yes. IRC (chat) sessions are found in the "TCP Session Record" window by selecting the item 'traffic other than mail or Web' AND 'Port No.' '6667'. Japanese characters appear garbled because the character encoding differs. ICQ (a system for chatting and file transfer among online contacts) is found with 'udp port 4000' in the "grep" field of the "Index Search" window, or by searching for "ICQ" in the "Intrusion Detection and Attack Detection" window. IPMessenger is found with 'udp port 2425' in the 'grep' field of the "Index Search" window.
Q.1-4 Can we search the telnet log?
A.1-4 Yes. As described above, search the "TCP Session Record" window for traffic other than Web and mail at port No. 23. Telnet is protocol-analyzed, and the details can be viewed via D->Detail. (Applications on TCP/IP correspond to port numbers: ftp 21, http (WWW) 80 and https 443, respectively.)
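The searches above key on well-known port numbers inside the libpcap records described in A.1-1. As an added illustration, not code from the PacketBlackHole product, here is a minimal libpcap reader in Python that labels each Ethernet/IPv4 frame by the ports this FAQ quotes (TCP 21/23/80/443/6667, UDP 4000/2425) and counts frames per application. The sample capture is constructed inside the code, and the port-to-application mapping is only a heuristic, since any port can carry any protocol.

```python
import struct
# Port-to-application table quoted in this FAQ (TCP unless noted); a heuristic only.
TCP_APPS = {21: "ftp", 23: "telnet", 80: "http", 443: "https", 6667: "irc"}
UDP_APPS = {4000: "icq", 2425: "ipmessenger"}
MAGIC = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}   # pcap magic -> byte order

def iter_pcap(data):
    """Yield (timestamp, frame) for each record of a libpcap file held in memory."""
    end = MAGIC.get(data[:4])
    if end is None:
        raise ValueError("not a libpcap file")
    off = 24                                   # skip the 24-byte global header
    while off + 16 <= len(data):
        sec, usec, incl, _orig = struct.unpack(end + "IIII", data[off:off + 16])
        off += 16
        yield sec + usec / 1e6, data[off:off + incl]
        off += incl

def classify_frame(frame):
    """Label one Ethernet/IPv4 frame by the port tables above, else return None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None                            # not IPv4 (or truncated)
    ihl = (frame[14] & 0x0F) * 4               # IPv4 header length in bytes
    proto, l4 = frame[23], frame[14 + ihl:]
    if len(l4) < 4:
        return None                            # no room for the port fields
    sport, dport = struct.unpack("!HH", l4[:4])
    table = TCP_APPS if proto == 6 else UDP_APPS if proto == 17 else {}
    return table.get(dport) or table.get(sport)

def count_apps(data):
    """Count labelled frames per application, as a port-based session search does."""
    counts = {}
    for _ts, frame in iter_pcap(data):
        app = classify_frame(frame)
        if app:
            counts[app] = counts.get(app, 0) + 1
    return counts

# Constructed sample capture (not real traffic); MACs and checksums are left zero.
def _frame(proto, sport, dport):
    l4 = struct.pack("!HH", sport, dport) + (b"\x00" * 16 if proto == 6 else b"\x00\x08\x00\x00")
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0, b"\xc0\xa8\x00\x0a", b"\xc0\xa8\x00\x14")
    return b"\x00" * 12 + b"\x08\x00" + ip + l4          # EtherType 0x0800 = IPv4
def _pcap(frames):
    recs = [struct.pack("<IIII", 1000 + i, 0, len(f), len(f)) + f for i, f in enumerate(frames)]
    return struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1) + b"".join(recs)
SAMPLE_PCAP = _pcap([_frame(6, 40001, 23), _frame(6, 23, 40001), _frame(17, 4000, 4000),
                     _frame(17, 2425, 2425), _frame(6, 40002, 6667), _frame(6, 40003, 8080)])
```

Run `count_apps(SAMPLE_PCAP)` to get the per-application counts; the frame to port 8080 is deliberately unlabelled, showing what a port-only search misses.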
2. Privacy
Q.2-1 Is it possible to protect the mail of board members from the system administrator?
A.2-1 Yes, there is a private mail function. Mail of the specified mail addresses is protected: the subject, body, attached files and destination address are hidden, but the administrator can still see that mail traffic occurred for those addresses.
Q.2-2 Do you have a good way to protect the privacy of employees?
A.2-2 The private mail function is recommended. If a user declares a mail as private by putting a specific string such as "private" in its subject, the title, body and attached files are hidden. The administrator can still detect the traffic of private mails.
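As an added example (not the product's own code), the following Python shows the kind of log record a private mail policy like the one in A.2-2 produces: a message whose subject contains the marker "private" keeps its traffic facts (sender, recipients, date, size) in the log while the subject, body and attachment names are hidden. The sample messages are constructed in the code, and the record field names are assumptions.

```python
import email
from email import policy
from email.message import EmailMessage

PRIVATE_MARKER = "private"   # string a user puts in Subject to declare a private mail

def private_mail_record(raw_bytes):
    """Return the log record kept for one captured message (hypothetical field layout).

    Traffic facts (from, to, date, size) are always kept so the administrator can
    still see that mail was exchanged; if the Subject contains PRIVATE_MARKER
    (case-insensitive), the subject, body text and attachment names are hidden.
    """
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    subject = str(msg.get("Subject", ""))
    body = msg.get_body(preferencelist=("plain",))
    record = {
        "from": str(msg.get("From", "")),
        "to": [str(h) for h in msg.get_all("To", []) + msg.get_all("Cc", [])],
        "date": str(msg.get("Date", "")),
        "size": len(raw_bytes),
        "private": PRIVATE_MARKER in subject.lower(),
        "subject": subject,
        "body": body.get_content() if body else "",
        "attachments": [p.get_filename() for p in msg.iter_attachments()],
    }
    if record["private"]:
        for key in ("subject", "body", "attachments"):
            record[key] = "<hidden>"     # content withheld from the administrator's view
    return record

# Constructed sample messages (not real mail); both carry one small attachment.
def _sample(subject):
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "alice@example.com", "bob@example.com", subject
    m["Date"] = "Mon, 03 Feb 2003 10:00:00 +0900"
    m.set_content("Body text that would appear in the log.")
    m.add_attachment(b"\x00\x01", maintype="application", subtype="octet-stream",
                     filename="notes.bin")
    return bytes(m)

PRIVATE_MSG = _sample("PRIVATE: salary review")
PLAIN_MSG = _sample("Weekly status")
```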
3. Stealth technology
Q.3-1 Explain the stealth technology that PacketBlackHole has.
A.3-1 PacketBlackHole cannot be detected by any host other than the predefined detecting terminals (hosts), because it does not respond to "ping" or to port scans. This means that users with malicious intent cannot use PacketBlackHole as a stepping stone, nor can they alter its system logs or packet data. The stealth function is stronger when the administrative port and the packet capture port are separate ports with different network addresses; however, a single port with one address can also serve as both the administrative port and the capture port.
4. Intrusion detection and tracing
Q.4-1 Is PacketBlackHole itself protected against buffer overflow when it detects attacks that cause an intentional buffer overflow?
A.4-1 Yes. PacketBlackHole's processing program is written in a language that protects against buffer overflow. PacketBlackHole can detect buffer overflow attacks on ordinary servers, but it will not be attacked by them itself.
Q.4-2 Is it possible to trace the person who is viewing a specific site?
A.4-2 Yes. PacketBlackHole identifies the person from the overall data: MAC address, IP address, content of communication, mails sent or received, server account name, computer name and so on.
Q.4-3 Explain how to use the optional virus check function and how effective it is.
A.4-3 The virus check function works on decoded HTTP, SMTP, POP3 and FTP traffic. It also works on part of WinMX and IMAP4 traffic. PacketBlackHole can send editable warning notices to the sender and receiver of the virus and to the administrator. Because the details of the virus are known, the function can also be used by providers to offer a virus check service.
5. Easy installation and easy operation
Q.5-1 Explain the set-up conditions and what changes are needed to existing facilities.
A.5-1 The purpose of introducing PacketBlackHole differs from company to company: some companies already plan to introduce detection and recording machines, and some do not. In general, PacketBlackHole protects network security, improves work efficiency and helps manage facilities and resources. PacketBlackHole is a support machine for monitoring. It is fully compatible with your existing network, since the captured data can be viewed with a web browser such as Internet Explorer. All you have to do is add the dedicated hardware to the network. 24-hour monitoring by network administrators is not necessary, since PacketBlackHole records all traffic logs, and altering the recorded data is not easy because of its stealth function.
Q.5-2 What is the upgrade service?
A.5-2 With an active license, the software can be upgraded from the upgrade site or by CD-ROM for one year after purchase. In the case of a hardware failure, parts are replaced.
Q.5-3 The optional repeater hub is for Fast Ethernet and can only connect to 100Base-TX, isn't it?
A.5-3 There are three kinds of hubs. A repeater hub sends all data from a terminal to every terminal. A switching hub analyzes the data sent from a terminal, detects the destination address and sends it only to that address. A dual speed hub automatically recognizes the speed of the data and responds at that speed; it supports both transmission speeds. PacketBlackHole needs the optional repeater hub when the line speed is 100Base-T; if the line is 10Base-T, it needs a 10Base-T repeater hub.
Q.5-4 Do I have to use the optional repeater hub?
A.5-4 It is best if you use it. We use the optional repeater hub when tuning PacketBlackHole. You can use the port mirror function of a switching hub instead, but depending on the device's performance it may not be able to copy all of the data.
Q.5-5 Why can't a dual speed hub be used?
A.5-5 If the communication is between 10Base-TX and 10Base-TX, PacketBlackHole cannot get the data.
Q.5-6 What is the concrete setup of PacketBlackHole at the gateway of a LAN connection? Do I need to stop the network?
A.5-6 PacketBlackHole is best placed between the router and the firewall. You do not need to stop them. The operation is just like adding one more hub stage.
6. Other questions
Q.6-1 What is the OS of PacketBlackHole?
A.6-1 PacketBlackHole 3.0 is based on Linux, specialized for packet acquisition.
Q.6-2 What does PacketBlackHole do when the disk fills up with data?
A.6-2 It erases the oldest data from the disk first.
Q.6-3 What is the administrative network card?
A.6-3 It is desirable that the interface used by the administrative computer is separated from the data acquisition interface. When it is, PacketBlackHole does not record the traffic of the administrative computer accessing PacketBlackHole; that access is, however, still recorded in the log data.
Q.6-4 Can I install the PacketBlackHole software on a Windows drive?
A.6-4 No. If you do, it will not work properly.
Q.6-5 Do you have authentication methods other than a password for Web access to PacketBlackHole?
A.6-5 There are Web authentication, IP address authentication and MAC address authentication.
Q.6-6 Can the data travel through the network as usual if PacketBlackHole goes down?
A.6-6 Yes. The hub keeps working, so the data keeps flowing.
Q.6-7 PacketBlackHole can trace the person who views a Web site. How do you identify the person?
A.6-7 By MAC address, IP address, the messages he sent and received, the login name on the server, and the name of the computer he uses.
Q.6-8 How long does it take to retrieve the captured data?
A.6-8 By actual measurement, extracting from 33 GB of data takes about 20 seconds for e-mail and about 50 seconds for Web. With the index search function it is faster.
Q.6-9 Is the log data compressed?
A.6-9 No, it is not.
Q.6-10 Can I analyze the stored data and make graphs?
A.6-10 PacketBlackHole has a report function: for example, how many accesses were made to each URL, which user sent the most e-mail, and so on. You can analyze the data and make graphs with software such as Excel.
Q.6-11 How many e-mails can PacketBlackHole record?
A.6-11 The standard models PBH-FR1/FT1 can record about 3,000,000 e-mails a day, and the PBH-FE2 can record about 5,600,000 e-mails a day.
Q.6-12 Tell me about UPS.
A.6-12 A UPS (Uninterruptible Power Supply) can be connected to PacketBlackHole; use one made by APC. It can shut PacketBlackHole down automatically when a blackout starts. Use WOL (Wake On LAN) when power is restored; the UPS cannot switch PBH on automatically.
Q.6-13 Tell me about the tape drive.
A.6-13 There is an optional external tape device (LTO) that records PacketBlackHole's data. We do not recommend any other device. We also do not recommend DAT devices, because they are too slow.
Q.6-14 Tell me more details about the tape drive.
A.6-14 The tape drive is the PacketBlackHole T200, which is not an auto-changer. The tape drive backs up only the collected data. After data has disappeared from the hard disk, the backup can be restored from the tape drive; PacketBlackHole deletes old files from the hard disk to make room for the data restored from tape. Meanwhile, data collection and analysis continue, and backup to the tape drive is taken automatically all the time.
Q.6-15 Tell me about RAID.
A.6-15 RAID can store backup data outside PacketBlackHole. When connected through the SCSI board, it works as external storage.
Q.6-16 Where is PacketBlackHole installed when there is a firewall in the network?
A.6-16 To capture accesses from the inside, place it inside the firewall.
Q.6-17 How many sets of PacketBlackHole have been sold?
A.6-17 198 sets of PacketBlackHole were sold in Japan from June 2001 to February 2003.
Q.6-18 Can the acquired data be downloaded?
A.6-18 The data can be downloaded via the network from the window. It can also be done with a general-purpose download tool.
Q.6-19 What can be used as search tools?
A.6-19 General protocol analyzers, binary editors, and some text editors can be used.
Q.6-20 How do I scan the host names?
A.6-20 In the < System Configuration - Edit Host Name > window, enter the IP address of the DNS server and the IP address range (for example, from 192.168.0.1 to 192.168.0.254), then press Submit. Scanning the names takes time, sometimes 15 minutes and other times 30 minutes. Please use the control port when there are both a capture port and a control port.
Q.6-21 Is PacketBlackHole data effective as evidence?
A.6-21 Since it is raw data, it is the most scientifically admissible form of evidence. There is no judicial precedent yet.
Q.6-22 Please tell me about the support system.
A.6-22 We provide send-back repair and software support, available 9:00-18:00 on weekdays.
Q.6-23 What is the significance of introducing PacketBlackHole?
A.6-23 For many people, life without a network is unthinkable. People who live in ordinary society also live in the network society. Injustice exists in the network society just as it does in ordinary society. It is urgent that a security maker build a healthy network environment, rather than leaving it to the peace-keeping organizations of our country.