Performance analysis of a privileged user auditing system

Dr. Sonkoly Balázs
Department of Telecommunications and Media Informatics

In most countries, privileged access to important servers, remote desktops and network equipment is now regulated by law. The most basic of these rules require that the commands and applications run by system administrators be audited and recorded. The recordings can serve as evidence in case of data theft.

There are many appliances on the market that can capture the relevant network traffic, but a plain copy of the packets is not usable by humans, so the traffic has to be processed and transformed. Application firewalls can do this work if they are prepared to analyze the protocols most commonly used for system administration. In case of an investigation we also have to be able to replay and search the recordings.

Most appliances provide this functionality, so beyond the extra features, performance plays an important role when choosing between them. Many parties find it useful to know how many parallel connections an appliance can handle. For customers this is essential for scaling their auditing infrastructure to their requirements. For developers it serves as feedback on how new features affect overall performance.

The Balabit Shell Control Box (SCB) is able to record connections, replay them like a video and alert in real time. The SCB is based on the Zorp application firewall, which preprocesses the network traffic for the appliance.

In my thesis I design and implement an infrastructure that is able to measure the performance of the SCB when different functions are enabled.
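The measurement the abstract describes (how many parallel administrative sessions an auditing proxy can serve, and how the latency changes as features are switched on) reduces to a load generator that opens N sessions at once through the proxy and records per-session outcome and latency. The following is an added illustration of that harness, written for this page and not taken from the thesis, the SCB or Zorp. Everything in it is constructed so it runs offline: a local echo server stands in for the audited server, and a trivial in-process TCP relay stands in for the appliance. The host, port and function names are the example's own assumptions; to measure a real appliance you would point run_parallel() at its listener instead of the relay and repeat the run with each audited feature enabled.

```python
"""Concurrency benchmark for a session-auditing proxy (added example).

Illustrative code written for this page; not part of the thesis and not the
SCB's or Zorp's own tooling. Everything is constructed so that it runs
offline: a local echo server stands in for the audited server and a tiny
in-process TCP relay stands in for the auditing appliance.
"""
import asyncio
import os
import time


async def _pipe(reader, writer):
    """Copy bytes until EOF, then close the destination so the peer sees EOF."""
    try:
        while chunk := await reader.read(65536):
            writer.write(chunk)
            await writer.drain()
    finally:
        writer.close()


async def start_echo_server(host="127.0.0.1"):
    """Constructed stand-in for the audited server: echoes everything back."""
    server = await asyncio.start_server(_pipe, host, 0)
    return server, server.sockets[0].getsockname()[1]


async def start_forwarder(target_port, host="127.0.0.1"):
    """Constructed stand-in for the auditing proxy: a plain TCP relay.

    A real appliance parses the protocol and records the session at this
    point; that extra work is exactly what the benchmark is meant to expose.
    """
    async def handle(client_reader, client_writer):
        target_reader, target_writer = await asyncio.open_connection(host, target_port)
        await asyncio.gather(_pipe(client_reader, target_writer),
                             _pipe(target_reader, client_writer))
    server = await asyncio.start_server(handle, host, 0)
    return server, server.sockets[0].getsockname()[1]


async def _session(host, port, payload, timeout):
    """One audited session: connect, send the payload, expect it echoed back."""
    t0 = time.perf_counter()
    ok = False
    try:
        reader, writer = await asyncio.wait_for(asyncio.open_connection(host, port), timeout)
        try:
            writer.write(payload)
            await writer.drain()
            echoed = await asyncio.wait_for(reader.readexactly(len(payload)), timeout)
            ok = echoed == payload
        finally:
            writer.close()
    except (OSError, asyncio.TimeoutError, asyncio.IncompleteReadError):
        pass  # refused, reset or stalled session counts as a failure
    return ok, time.perf_counter() - t0


def _pct_ms(sorted_latencies, p):
    """Nearest-rank percentile of a sorted list of seconds, in milliseconds."""
    if not sorted_latencies:
        return None
    idx = round(p * (len(sorted_latencies) - 1))
    return sorted_latencies[idx] * 1000.0


async def run_parallel(host, port, sessions, payload_size=4096, timeout=5.0):
    """Open `sessions` connections at once; report how many completed and how fast."""
    payload = os.urandom(payload_size)  # constructed traffic, not a real protocol
    results = await asyncio.gather(*(_session(host, port, payload, timeout)
                                     for _ in range(sessions)))
    latencies = sorted(lat for ok, lat in results if ok)
    return {
        "requested": sessions,
        "succeeded": len(latencies),
        "p50_ms": _pct_ms(latencies, 0.5),
        "p95_ms": _pct_ms(latencies, 0.95),
    }


def benchmark(sessions=32, payload_size=4096):
    """Bring up the constructed target and relay, run one load level, tear down."""
    async def _run():
        echo, echo_port = await start_echo_server()
        relay, relay_port = await start_forwarder(echo_port)
        try:
            return await run_parallel("127.0.0.1", relay_port, sessions, payload_size)
        finally:
            relay.close()
            echo.close()
            try:
                await asyncio.wait_for(
                    asyncio.gather(relay.wait_closed(), echo.wait_closed()), 5)
            except asyncio.TimeoutError:
                pass  # a lingering handler must not mask the measurement
    return asyncio.run(_run())


if __name__ == "__main__":
    # Ramp the level of parallelism; the first level with failures or a
    # sharp p95 jump is the capacity figure the abstract asks for.
    for n in (8, 32, 64):
        print(n, benchmark(sessions=n))
```

The same ramp, run once per feature configuration of the appliance, gives the per-feature cost the abstract wants as developer feedback; keeping the success count separate from the latency percentiles matters because an overloaded proxy typically degrades by dropping or stalling sessions long before the median latency moves.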


