Frequently asked questions

1. How many user sessions can be stored at once?

2. How does Fudo PAM support session archiving?

3. How to calculate storage space required for archiving sessions?

4. How can users hide their activities on servers which they access through Fudo PAM?

5. How to determine unauthorized access attempts to supervised servers?

6. Is it possible to hide the login screen when connecting over the RDP protocol?

7. Why is the users list in the connection’s properties incomplete?

8. Why is a user removed from the LDAP/AD server still present on the users list?

9. How frequently are users’ definitions synchronized with an LDAP/AD server?

10. I see * instead of the keystrokes in the session player. Is it possible to see the actual keyboard input?

11. Can I deactivate a session URL?

12. What should I do before returning a demonstration unit after testing?

AI session processing

13. How long does it take for the model to learn? How many sessions do I have to record to see results?

14. We have 20 accounts and 20 users in our company - how long will it take to see differences?

15. If I connect to different servers, does Fudo create a separate model for each of them?

16. If I give my login credentials to another person, will the AI detect that someone else has logged in and terminate the session?

17. Session status icon is yellow all the time - what does it mean?

18. Five users use the same account to establish connections - will the system be able to determine who logged in to the server and when?

19. How will the system determine that it wasn’t me if we all use the same commands?

20. Sessions are not analyzed, why is that?


1. How many user sessions can be stored at once?

The Fudo PAM F1000 series is delivered with 24 TB of raw hard drive space (15.9 TB usable), while the F3000 series appliances come with 96 TB of raw storage space (59.9 TB usable) dedicated to storing user sessions.

The size of a stored session is determined by the user’s activity. An hour of recorded connection takes on average:

  • RDP: 218 MB for an active user session (no activity generates almost no data). The actual session size depends on the screen resolution, color depth and user activity.
  • SSH: 41.5 MB for an active session.

Given these assumptions, the internal storage space enables recording of:

         RDP           SSH
F1000    28.6 years    150.2 years
F3000    112.8 years   592.5 years

Note

  • Disk usage figures include space taken up by the filesystem’s redundancy mechanism. The filesystem reserves a portion of available storage, which results in some of the storage space being reported as used on a newly initiated system.
  • Fudo PAM allows specifying how long session data should be stored, and automatically deletes session data once the time set by the retention parameter elapses.

2. How does Fudo PAM support session archiving?

All sessions are stored on Fudo PAM internal storage space. In addition, Fudo PAM allows exporting sessions in native format or as a video recording.


3. How to calculate storage space required for archiving sessions?

File sizes of sessions in native format are the same as in question 1. For a video recording, the file size depends on the codec and resolution settings.


4. How can users hide their activities on servers which they access through Fudo PAM?

For the SSH protocol, Fudo PAM supports the SCP channel and monitors all transferred files, including scripts. This allows auditing a given session and searching for malicious code embedded in software sent to the server.

Protecting other communication channels (e.g. a web browser or other applications) is a task for a different kind of solution. No solution similar to Fudo PAM is able to monitor such channels, so it is important that the system administrator configures the server properly.


5. How to determine unauthorized access attempts to supervised servers?

Unauthorized access attempts and DoS attack attempts can be identified by analyzing event log entries. Every entry with ERROR or WARNING severity should be closely examined. Login timeout errors can indicate a DoS attack attempt.
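
The triage described in this answer, as an added example that is not part of the Fudo PAM documentation: it keeps every ERROR or WARNING entry for review and flags sources that produce a burst of login timeouts. The log line format, the sample lines, and the window and threshold values are assumptions constructed for illustration; adapt the pattern to the format your event log export actually uses.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in an ASSUMED format:
# "<ISO timestamp> <SEVERITY> <source address> <message>"
SAMPLE_LOG = """\
2024-05-06T09:00:01 INFO 10.0.0.15 User alice authenticated
2024-05-06T09:00:07 WARNING 10.0.0.23 Authentication failed for user bob
2024-05-06T09:01:10 ERROR 192.0.2.44 Login timeout
2024-05-06T09:01:12 ERROR 192.0.2.44 Login timeout
2024-05-06T09:01:15 ERROR 192.0.2.44 Login timeout
2024-05-06T09:01:19 ERROR 192.0.2.44 Login timeout
2024-05-06T09:30:00 ERROR 10.0.0.31 Login timeout
"""

LINE_RE = re.compile(r"^(\S+) (\w+) (\S+) (.*)$")


def triage(log_text, window=timedelta(seconds=60), threshold=3):
    """Return (entries to review, sources with login-timeout bursts)."""
    review, timeouts = [], defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if not m:
            review.append(line)  # unparsed lines are reviewed, never dropped
            continue
        ts, severity, source, message = m.groups()
        if severity not in ("ERROR", "WARNING"):
            continue
        review.append(line)
        if "login timeout" in message.lower():
            timeouts[source].append(datetime.fromisoformat(ts))
    bursts = set()
    for source, stamps in timeouts.items():
        stamps.sort()
        # Sliding window: `threshold` consecutive timeouts inside `window`.
        for i in range(len(stamps) - threshold + 1):
            if stamps[i + threshold - 1] - stamps[i] <= window:
                bursts.add(source)
                break
    return review, sorted(bursts)


if __name__ == "__main__":
    review, bursts = triage(SAMPLE_LOG)
    print(f"{len(review)} entries to review; timeout bursts from: {bursts}")
```

A single timeout, such as the one from 10.0.0.31 in the sample, still lands in the review list but is not reported as a burst.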


6. Is it possible to hide the login screen when connecting over the RDP protocol?

Hiding the Fudo PAM login screen requires using the Enhanced RDP Security (TLS) + NLA security mode.


7. Why is the users list in the connection’s properties incomplete?

The users list in the connection’s properties does not contain users synchronized with the LDAP service. To assign a connection to an LDAP-synchronized user, define a group mapping in the LDAP synchronization properties or disable the synchronization option for the given user.


8. Why is a user removed from the LDAP/AD server still present on the users list?

Deleting a user object from an AD or an LDAP server requires performing the full synchronization to reflect those changes on Fudo PAM. The full synchronization process is triggered automatically once a day at 00:00, or can be triggered manually in the LDAP synchronization settings view.


9. How frequently are users’ definitions synchronized with an LDAP/AD server?

New user definitions and changes to existing objects are imported from the directory service every 5 minutes. The full synchronization process is triggered automatically once a day at 00:00.


10. I see * instead of the keystrokes in the session player. Is it possible to see the actual keyboard input?

Presenting keyboard input qualifies as a sensitive feature and is disabled by default. Displaying keystrokes in the session player requires consent from two superadmin users. Refer to the Sensitive features topic for details on enabling this functionality.


11. Can I deactivate a session URL?

An active session URL can be deactivated at any time. The URL revocation procedure is described in the Sessions sharing topic.


12. What should I do before returning a demonstration unit after testing?

After testing Fudo, you should delete all session and configuration data by resetting the configuration to default settings, and erase the flash drive with the encryption key.


13. How long does it take for the model to learn? How many sessions do I have to record to see results?

Models are trained as scheduled in the AI system settings.

  • For the SSH model, the minimum is 65 sessions (with at least 25 different commands) and 5 unique predictors (e.g. users). Optimal results require 300 sessions per predictor (e.g. user) and 10 unique predictors (e.g. users).
  • For the RDP model, the minimum is 5 hours of session recordings per predictor (e.g. user). Optimal results require 30 hours of session recordings and 10 unique predictors (e.g. users).

14. We have 20 accounts and 20 users in our company - how long will it take to see differences?

This depends solely on the availability of session data. If there is enough session information available to build models, you can expect the model to be trained the next day after the first predictor session is recorded.

  • For the SSH model, the minimum is 65 sessions (with at least 25 different commands) and 5 unique predictors (e.g. users). Optimal results require 300 sessions per predictor (e.g. user) and 10 unique predictors (e.g. users).
  • For the RDP model, the minimum is 5 hours of session recordings per predictor (e.g. user). Optimal results require 30 hours of session recordings and 10 unique predictors (e.g. users).

15. If I connect to different servers, does Fudo create a separate model for each of them?

Fudo creates and maintains one RDP and one SSH model for a single user.


16. If I give my login credentials to another person, will the AI detect that someone else has logged in and terminate the session?

Fudo PAM will detect that someone else has logged in and will set the session risk status to high, but it will not terminate the session.


17. Session status icon is yellow all the time - what does it mean?

Yellow color indicates that the model could not determine whether the session poses a threat or not. Under normal circumstances, these sessions should be considered as non-threatening. But if you suspect there has been a security incident, these sessions should be reviewed.


18. Five users use the same account to establish connections - will the system be able to determine who logged in to the server and when?

Users must have individual accounts created on Fudo PAM so that it can correctly determine whether an account’s security has been breached.


19. How will the system determine that it wasn’t me if we all use the same commands?

Every user runs the same commands differently. E.g. one user will execute ls -la and another will run ls -al. The combination of such subtle differences allows for determining whether the currently logged-in user matches the profile.


20. Sessions are not analyzed, why is that?

For a session to be analyzed, there must be a matching model available. The session also has to meet volumetric requirements - it must be long enough and carry enough information. Refer to AI sessions processing for more information.