
Sygate Personal Firewall Pro User Guide

Contents

1. [Screenshot of the main console: Running Applications panel with the Hide Windows Services and Hide Broadcast Traffic options; Security Status: Normal.]
The Personal Firewall interface is resizable, so you can view it as a full screen or a part screen.
Menus and Toolbar. The top of the screen displays a standard menu.
Toolbar Buttons. The buttons located below the menu items can be used to quickly access logs, view the Help file, or access the Applications List.
Traffic History Graphs. One of the most noticeable features of the Personal Firewall is the set of Traffic History graphs located below the toolbar on the main console. The Traffic History graphs produce a real-time picture of the last two minutes of your traffic history. The graphs reload new information every second, providing instant data, measured in bytes, about your incoming and outgoing network traffic. The Traffic History graphs are broken into three sections. On the left side of the graphs section are the Incoming and Outgoing Traffic History graphs. These provide a visual assessment of the current traffic that is entering and leaving your computer through a network interface. This include
2. [Screenshot of the application configuration dialog for Internet Explorer (C:\Program Files\Internet Explorer\IEXPLORE.EXE): Application Restrictions; Trusted IPs for the Application (for example 10.0.0.1, 192.168.0.1-192.168.0.76); Remote Server Ports (for example 80, 1450, 1024-1209), Act as Client, TCP/UDP; Local Ports (for example 80, 1450, 1024-1209), Act as Server, TCP/UDP; Allow ICMP traffic; Allow during Screensaver Mode; Enable Scheduling (During the period below / Excluding the period below; Beginning At: Month, Day, Hour, Minutes; Duration: Days, Hours, Minutes).]
4. Make sure that the correct application is selected in the Name of Application list box.
5. Decide if the application should be allowed network access during Screensaver Mode. Click Allow during Screensaver Mode to allow it; click again to clear this choice and thus block the selected application during Screensaver Mode.
6. Enter trusted IPs or IP ranges in the Trusted IPs for the Application text box. You must enter a valid IP address range. The following IP address ranges are not valid choices: 0.0.0.0, [illegible], 127.X.X.X.
7. Enter the ports or ranges of ports that can be utilized by this application.
8. Click OK if you want the application restrictions to be in effect at all times. If you wish to set a time limit or schedule specific periods when the restrictions wil
3. Setting a Password. To set a password for the Personal Firewall, open the Tools > Options > General tab. Click the Set Password button at the bottom right of the dialog box. The Password dialog box appears, with Old Password, New Password, and Confirm New Password fields. Leaving the New Password field and the Confirm New Password field blank will disable password protection. Enter your new password in the New Password field and repeat it in the Confirm New Password field. Click OK to confirm or click Cancel to discard your changes. From then on this tab will show that password protection has been enabled.
[Password Protection group box: Password Protection Enabled; Set Password button; "Enabling password protection can protect your security settings from being changed by others, either mistakenly or maliciously"; Ask password while exiting checkbox.]
Entering Your Password. Once you have set a password, the Personal Firewall prompts you for that password whenever you double-click the System Tray icon to access your security settings. You can also choose to have the Personal Firewall prompt you for a password before exiting the Personal Firewall, by clicking Ask password while exiting in the Password Protection dialog box. The Password dialog box that prompts you for your password ("Please enter your password") is the same in either case. Enter your password and click OK to acces
4. [Hosts tab of the Advanced Rule Settings dialog: Remote Host; Apply this rule to: All addresses, MAC address, IP Address(es), Subnet; Rule Summary: "This rule will block both incoming and outgoing traffic from/to all hosts on all ports and protocols. This rule will be applied to all network interface cards."]
To block or allow traffic for a specified source:
1. Click the Advanced Rules Hosts tab.
2. Select the way in which you want to identify the traffic source. Click All Addresses if you are planning on blocking traffic from all sources for this rule.
3. Click MAC Address and type the corresponding address or address range.
4. Click IP Addresses and type the corresponding address or address range.
5. Click Subnet and type the corresponding subnet IP address and subnet mask.
The Rule Summary field at the bottom of the General tab provides a summary of the rule's functionality. Click OK to set the rule, or click on another tab to further specify rule conditions and properties.
Advanced Rules: Specify Ports and Protocols. The Ports and Protocols tab provides an area to specify which ports and protocols, if any, the rule applies to. [Advanced Rule Settings dialog tabs: General, Hosts, Ports and Protocols, Scheduling, Applications; Apply this rule to: Protocol, Traffic Direction; Rule Summary.] This rule
5. • Viewing the Security Log
• Viewing the Traffic Log
• Viewing the Packet Log
• Viewing the System Log
• Back Tracing Logged Events
Understanding Logs. Personal Firewall logs are some of the key sources of information on how your Personal Firewall interacts with the network. With logs you can tell when you have been blocked from the network and, to some extent, why. You can also troubleshoot connectivity problems or possible network attacks. In the Personal Firewall, a log is a record of information attempting to enter or exit your computer through your network connection. There are four separate logs that monitor different aspects of your network connection. Logs are an important method for tracking your computer's activity and interaction with other computers and computer networks. They are particularly useful in detecting potentially threatening activity, such as port scanning, that is aimed at your computer. To view the different logs available in the Personal Firewall, click the Logs icon on the toolbar at the top of the main screen. Click the Logs button to view the log that you most recently viewed, or click the down arrow and select a log type. There are four different logs in the Personal Firewall:
• Security Log
• Traffic Log
• Packet Log
• System Log
Another important capability of the Personal Firewall is Back Tracing, which enables you to use ICMP t
6. will be converted to uppercase automatically.
Receiving and Installing the Software: Registration for Sygate Personal Firewall Pro. [Registration dialog: "Thank you for installing Sygate Personal Firewall Pro. You have 18 day(s) remaining in your trial period. When this trial period expires you will need to purchase a license key by clicking the Buy PRO button below." Registration Information: "In order to register your product successfully, all fields are required and you must be connected to the Internet." Fields: Name, Company, Position/Title, Phone Number, E-mail, Serial Number, Registration Code. Note: "Your license key will be sent in the confirmation email after you make your purchase. For support or to see our privacy policy please visit www.sygate.com."]
Uninstalling the Software. If you need to uninstall the software:
1. Click the Start Menu on your task bar.
2. Click Settings > Control Panel > Add/Remove Programs.
3. Click Sygate Personal Firewall Pro 5.5.
4. Click Remove. Windows guides you through the process.
You can also remove Sygate Personal Firewall Pro from the Start menu:
1. Click the Start Menu on your task bar.
2. Click Sygate Personal Firewall > UnInstall Sygate Personal Firewall Pro.
Chapter 2: Test Your System's Vulnerability. This chapter describes ways to test the vulnerability o
7. The UDP scan will scan ports on your computer that are connected to devices such as routers and proxies, for users connecting to the Web site through such a device. The scan takes about 10 minutes and should be logged in the Security Log as a port scan from Sygate.
Performing an ICMP Scan. When an ICMP scan has completed scanning a user's computer, it displays a page with the results of the scan. If a user is running the Personal Firewall, all scans are blocked.
Chapter 3: Am I Under Attack? Help! The System Tray Icon is Flashing. If the system tray icon is flashing, the Personal Firewall is in Alert Mode because:
• An attack has been recorded on your computer in the Security Log, OR
• You are missing a file or an application that is required by your System Administrator before you can log into the network. If a file or an application is missing, a message is probably displayed that lists the missing files or applications that you need to install before you can proceed.
To assess the status of the attack:
• Double-click the System Tray Icon. If the reason for the flashing is an attack, the Security Log is automatically displayed. Otherwise, the icon stops flashing.
The system tray icon can tell you many other things, as described in Shortcut to the Software: the System Tray Icon.
8. information appear. The Remote information always represents the attempted attacker, whereas the Local information always represents your local system. Your system is always considered the Local system.
• If you select Source View from the View list, then Remote Host, Remote MAC, Remote Port/ICMP Type and Local Host, Local MAC, Local Port/ICMP Type information no longer appear. Instead, Source Host, Source MAC, Source Port/ICMP Type and Destination Host, Destination MAC and Destination Port/ICMP Type appear.
• If someone sends a message or attacks your system, then the originator's IP address, MAC address and port/ICMP type are listed in the Source Host, Source MAC and Source Port/ICMP columns, whereas your IP number, MAC address and your port are listed in the Destination Host, Destination MAC and Destination Port/ICMP Code columns, because you are the recipient.
• If you send a message or attack someone else's system, then your IP address, MAC address and port/ICMP code are listed in the Source Host, Source MAC and Source Port/ICMP Code columns, whereas the recipient's IP number, MAC address and port/ICMP type are listed in the Destination Host, Destination MAC and Destination Port/ICMP Code sections.
3. Click a different log name if you wish to view a different log.
4. Click Refresh or press F5 to update the log that you are viewing.
Icons for the Traffic Log. When you open a Traffic Log i
9. or by annoying the user by altering data. A virus is designed to replicate. Generally it is spread by infecting other files.
vulnerability scan: An attempt to use security attacks to detect security weaknesses in a computer. The Sygate Personal Firewall includes a Test button that assesses a Firewall's vulnerability to attack. It requires a public IP address. See also port scan.
W
wireless access point (wireless AP): A network connection that allows a computer or user to connect to an enterprise network without the use of a hardwired connection to the network. See also access point, end point.
worm: A type of computer virus that can replicate itself over a computer network and perform destructive tasks such as using up computer memory resources. Worms do not infect other files as viruses typically do; instead, worms make copies of themselves over and over, depleting system resources or hard drive space, or depleting bandwidth by spreading over shared network resources. See also virus.
10. while running an authorized application. It is designed to do something other than what it claims to, and frequently is destructive in its actions. The Sygate Personal Firewall automatically detects and terminates known Trojan horse applications before the Trojan horse attempts to communicate.
trusted application: An application that is allowed to run on a Sygate Personal Firewall. See also application authentication, Application Learning.
U
UDP: See User Datagram Protocol (UDP).
unicast: Sending a message to one specific computer. See also broadcast, multicast.
User Datagram Protocol (UDP): A communications protocol for the Internet network layer, transport layer and session layer that uses the Internet Protocol (IP) when sending a datagram (message) from one computer to another. UDP does not guarantee reliable communication or provide validated sequencing of the packets.
V
virtual private network (VPN): A secure network connection that interconnects different corporate network sites, allows remote users to connect to the enterprise network, and allows controlled access to different corporate networks. Although a VPN provides a secure tunnel for network traffic, it leaves the connection points open to attack.
virus: A program that is designed to spread from computer to computer on its own, potentially damaging the system software by corrupting or erasing data, using available memory
11. [illegible] ..... 9
Help! The System Tray Icon is Flashing ..... 9
Chapter 4: The Software ..... 11
Introduction ..... 11
Some Options May Not Show ..... 11
How Firewalls Work ..... 12
What Does the Software Do ..... 12
Personal Firewall Defaults: an Introduction ..... 12
Chapter 5: Getting Around ..... 13
Starting and Using the Software ..... 13
Password Protecting Your Security Settings ..... 14
Setting a Password ..... 14
Entering Your Password ..... 14
Disabling Password Protection ..... 15
Shortcut to the Software: the System Tray Icon ..... 15
Alert Mode: Flashing System Tray Icon ..... 16
[illegible] the System Tray Icon ..... 18
What the System Tray Icon Tells You ..... 19
Using the Main Console ..... 21
12. Firewall is usually set to start automatically when you turn on your computer, protecting you immediately. If you want to make changes in the configuration of your Personal Firewall, or if you want to review logs of potential attacks on your Personal Firewall, you bring up the application itself so that you can make changes. You have two main ways of opening the Personal Firewall application:
System Tray Icon. This way is easy to find: it is the icon that is on your system tray. Normally it looks like [icon], an appearance that indicates that all is well and that your system is transmitting traffic both to and from the network. To use the system tray icon, right-click on it and make choices from there. For more information on how to use the system tray icon, see Shortcut to the Personal Firewall: the System Tray Icon.
The Main Console. This is the control center for the Personal Firewall. From here you have access to all of the settings and rules for the Personal Firewall. To bring up the main console, choose Sygate Personal Firewall Pro from the Start menu. The main console appears. For more information on the main console, see Using the Main Console.
Password Protecting Your Security Settings. You can set your Personal Firewall to use a password prior to making any security changes and to require a password before shutting down the Personal Firewall.
13. List of Tables
Table 1: System Tray Icon [illegible] ..... 16
Table 2: System Tray Icon Menu ..... 18
Table 3: What the System Tray Icon Tells You ..... 19
Table 4: Running Applications [illegible] ..... 23
Table 5: Firewall Menus ..... 25
Table 6: Pop-up: Remember My Answer ..... 30
Table 7: Firewall Application Access [illegible] ..... [illegible]
Table 8: Personal Firewall Security Log Icons ..... 71
Table 9: Personal Firewall Security Log Parameters and Description ..... 71
Table 10: Viewing Personal Firewall Security Log Events by Date ..... 73
Table 11: Personal Firewall Traffic Log Icons ..... 76
Table 12: Personal Firewall Traffic Log Parameters and Description ..... 76
Table 13: Viewing Personal Firewall Traffic Log Events by Date ..... 78
Table 14: Personal Firewall Packet Log Icon ..... 81
Table 15: Personal Firewall Packet Log Parameters and Description ..... 81
Table 16: Viewing Personal Firewall Packet Log Events by Date ..... 83
Table 17: Icons for the Personal Firewall System Log ..... 84
Table 18: Personal Fi
14. Table 10: Viewing Personal Firewall Security Log Events by Date (Events / Displays)
Logs 3 Day: the events recorded over the last 3 days, including the current day.
Logs 1 Week: the events recorded over the past 7 days.
Logs 2 Week: the events recorded over the past 14 days.
Logs 1 Month: the events recorded over the last 30 days.
Logs Show All: all Security Log events.
3. The log displays the requested events.
Viewing the Traffic Log. Whenever your computer makes a connection through the network, this transaction is recorded in the Traffic Log. To view the Traffic Log on the Personal Firewall:
1. Click the down arrow near the Logs icon on the toolbar and then choose Traffic Log, OR click Tools > Logs > Traffic Log, OR right-click the Tool Bar icon and then click Logs > Traffic Log. You can also click the down arrow next to the Logs icon to choose a different log. The most recently viewed log appears by default, but you can choose any of the logs to view.
From the View list, select Local View (the default setting) or Source View. You can select how you view local and remote IP addresses, MAC addresses, or ports/ICMP types.
• If you select Local View from the View list, then Remote Host, Remote MAC, Remote Port/ICMP Type and Local Host, Local MAC, Local Port/ICMP Type
15. [illegible] this Guide ..... x
What's New for the Firewall ..... x
Related Documentation ..... xi
Intended Audience ..... xi
Technical Support ..... xi
Third-Party Product Support ..... xii
Chapter 1: Receiving and Installing the Software ..... 1
Receiving the Software ..... 1
Installing the Firewall Software ..... 1
Registering Sygate Personal Firewall Pro ..... 2
Uninstalling the Software ..... 3
Chapter 2: Test Your System's Vulnerability ..... 5
Using Sygate's Online Services ..... 5
Performing a Quick Scan ..... 6
Performing a Stealth Scan ..... 6
Performing a Trojan Scan ..... 6
Performing a TCP Scan ..... 6
Performing a UDP Scan ..... 6
Performing an ICMP Scan ..... 7
Chapter 3: Am I Under Attack?
16. [illegible] ..... 53
[illegible] Size ..... 53
[illegible] Days ..... 53
[illegible] Logs ..... 54
To Enable the Security Log ..... 54
To Enable the System Log ..... 54
To Enable the Traffic Log ..... 54
To Enable the Packet Log ..... 54
Chapter 8: Configuring Advanced Rules for Security ..... 55
Setting up Advanced Rules ..... 55
Overview of Creating Advanced Rules ..... 56
Advanced Rules: Provide a Name, Specify Allow or Block ..... 57
Advanced Rules: Specify a Source ..... 59
Advanced Rules: Specify Ports and Protocols ..... 60
All Protocols ..... 60
TCP ..... 60
UDP ..... 61
ICMP ..... 61
IP Type ..... 61
Advanced Rules: Define a Schedule ..... 62
Advanced Rules: Specifying Applications ..... 63
Appendix A: Monitoring Your System Logs
17. Right-click the Tool Bar icon and then click Logs. The most recently viewed log appears. You can also click the down arrow next to the Logs icon to choose a different log. The most recently viewed log appears by default, but you can choose any of the logs to view.
From the View list, select Local View (the default setting) or Source View. You can select how you view local and remote IP addresses or names. The following example is from the Security Log.
• If you select Local View from the View list, then Remote Host, Remote MAC, Local Host and Local MAC information appear. The Remote Host and Remote MAC always represent the IP address and MAC address of the attempted attacker, whereas the Local Host address and Local MAC always represent your IP address and your MAC address. Your system is always considered the Local system.
• If you select Source View from the View list, then Remote Host, Remote MAC, Local Host and Local MAC information no longer appear. Instead, Source Host, Source MAC, Destination Host and Destination MAC appear.
• If someone sends a message or attacks your system, then the originator's IP address and MAC address are listed in the Source Host and Source MAC columns, whereas your IP number and your MAC address are listed in the Destination Host and Destination MAC columns, because you are the recipient.
• If you send a message or attack someone else's system, then your IP address and MAC add
18. Then select which traffic, Incoming or Outgoing, should be affected by the rule.
ICMP. If you select ICMP as the protocol for your rule, you will be shown a list of ICMP types. Select the types of ICMP that you wish to allow or block by placing a check next to them. Then select the direction of traffic to be affected by the rule.
IP Type. Should you select IP Type from the list of protocols, you will see a list of IP protocol types displayed on the lower half of the Ports and Protocols tab. Then select the traffic direction from the pull-down list. Click OK. The Rule Summary at the bottom of the window provides a description of the rule and what traffic it will affect on your system.
Advanced Rules: Define a Schedule. Scheduling is a good way to create a rule that you want to take effect only during, or excluding, certain time periods. For instance, if you want to block all traffic after 10 PM, then you can create a schedule that will permit the rule to do so.
1. Open the Scheduling tab. Click Enable Scheduling.
[Scheduling tab of the Advanced Rule Settings dialog: Enable Scheduling; During the period below / Excluding the period below; Beginning At: Month (Every Month), Day (Everyday), Hour (00), Minutes (00); Duration: Minutes.] The Rule Summary reads: This rule will block both incoming and outgoing traffic from/to all hosts on all ports and prot
19. can write specific rules for allowing or blocking network access. For more information, see Setting up Advanced Rules.
Hide System Tray Icon: Removes the display of the System Tray icon for the Personal Firewall. The Personal Firewall is still running, but you no longer see the icon. To re-enable the icon, run the Personal Firewall and choose the option to show it: from the Start menu choose Sygate Personal Firewall, then from the Tools menu toggle Hide System Tray Icon to turn the choice back on.
Table 2: System Tray Icon Menu (continued). Option / What it will do for you:
Help Topics: Opens the online help system.
[option name illegible]: Opens the About window, providing information on your installation of the Personal Firewall.
[option name illegible]: Disables the Personal Firewall. (Option Alert: this option may appear dimmed or not at all. For further information, see Some Options May Not Show.)
Exit Sygate Personal Firewall.
You can roll your mouse over the System Tray Icon to see your current security level.
What the System Tray Icon Tells You. The table below illustrates the different appearances that the System Tray Icon may have and what they mean.
Table 3: What the System Tray Icon Tells You
[flashing icon]: The Personal Firewall is in Alert Mode. This means that an attempted attack against your computer has been recorded in your Security Log. To make the icon stop flashing, double-click on the icon. Th
20. fee-based. Sygate provides documentation support and accepts documentation feedback by email. Documentation feedback: documentation@sygate.com.
Third-Party Product Support. If you obtained this product from a hardware or software company other than Sygate Technologies directly, your software license, as well as all service and support, should be obtained through that vendor. Check the addendum provided with the package for service and support information.
Chapter 1: Receiving and Installing the Software. This chapter describes the various methods by which you may have received the Personal Firewall software, or which you may use to get another copy if your system administrator directs you to them. It also goes over the simple steps needed to install the software if it has not already been installed. It concludes with instructions on how to uninstall the Personal Firewall.
Receiving the Software. The Personal Firewall software can be distributed to you in a number of ways, one of which was used to get the software to your computer. You may need to take some action to go and get the software, or the software may already be installed.
Download from the Sygate site. You connect to the Sygate Technologies Web site to download this tool by going to smb.sygate.com. With this type of installation you may be prompted for your agreement to the license agreement, the location of the software on your hard drive, and so on, as described in
21. in the Personal Firewall. This feature blocks all communication from a source host once an attack has been detected. For instance, if the Firewall detects a DoS attack originating from a certain IP address, the Personal Firewall will block any and all traffic from that IP for the duration specified in the seconds field.
Block all traffic while the service is not loaded. By default this option is enabled in the Personal Firewall. This feature prevents any traffic from entering or leaving your computer during the seconds between the time that your machine turns on and the Personal Firewall is launched. This time frame is a small security hole that can allow unauthorized communication. Enabling this feature prevents possible Trojan horses or other unauthorized applications from communicating with other computers. This also takes effect if the Personal Firewall crashes or if the Personal Firewall is shut down.
Allow initial traffic. By default this option is enabled in the Personal Firewall. This option enables the initial traffic needed for basic network connectivity to take place. This includes initial DHCP and NetBIOS traffic, so that the Personal Firewall can obtain an IP address, for example.
Enable DLL authentication. By default this option is disabled in the Personal Firewall. DLL stands for dynamic link library, which is a list of functions or data used by Windows applications. M
22. indicate known attacks. If a match occurs, the attack is blocked. See also Fragmented Packets.
policy: See security policy.
port: A connection on a computer where devices that pass data to and from the computer are physically connected. Ports are numbered from 0 to 65535. Ports 0 to 1024 are reserved for use by certain privileged services. See also Authentication port, local port, remote port, source port.
port scan: A method that hackers use to determine which of your computer's ports are open to communication. It is done by sending messages to computer ports to locate points of vulnerability. Although it can be a precursor to an intrusion attempt, port scanning does not in itself provide access to a remote system. See also Portscan Checking.
Portscan Checking: An option on the Sygate Personal Firewall that monitors all incoming packets that are blocked by any security rule. If several different packets were blocked on different ports in a short period of time, a security log entry is generated. Portscan Checking does not block any packets; a security policy needs to be created to block traffic in the event that a port scan occurs.
priority: The order in which rules take effect. Rules with a higher priority (0 being highest, 15 being lowest) take effect before rules with lower priority. Advanced Rules by default have a priority of 5.
protocol driver blocking: A security measure that blocks malicious applications from using their own pr
23. [illegible] updates ..... 47
Enable anti-[illegible] spoofing ..... 47
Enable driver level protection ..... 47
Enable OS fingerprint masquerading ..... 47
Enable stealth mode browsing ..... 47
NetBIOS protection ..... 48
Enable DoS protection ..... 48
[illegible] Application [illegible] ..... 48
Block Universal Plug and Play (UPnP) Traffic ..... 48
Automatically block attacker's IP address for ... second(s) ..... 48
Block all traffic while the service is not loaded ..... 48
Allow initial traffic ..... 49
Enable DLL authentication ..... 49
Automatically allow all known DLLs ..... 49
Reset all fingerprints for all applications ..... 49
Smart Traffic Handling ..... 50
Enable smart DNS ..... 50
Enable smart DHCP ..... 50
Enable smart WINS ..... 50
Setting Up Email Notification of Security Events ..... 51
To Activate E-Mail Notifications ..... 51
Updating Your Security ..... 52
Logging Security Events
24. log.
4. Click Refresh or press F5 to update the log that you are viewing.
Icons for the Packet Log. There is only one icon displayed in the Packet Log. It indicates the capturing of raw data packets.
Table 14: Personal Firewall Packet Log Icon
[icon]: Full data packet captured.
Packet Log Parameters and Description. Each row represents a logged event, and the columns display information regarding the event. The columns are:
Table 15: Personal Firewall Packet Log Parameters and Description (Name of Parameter / Description)
Time: The exact date and time that the packet was logged.
Remote Host: Name of the remote computer (only appears in Local View, the default).
Remote Port: Port on the remote host that sent/received the traffic (only appears in Local View, the default).
Local Host: IP address of the local computer (only appears in Local View, the default).
Local Port: Port used on the Personal Firewall computer for this packet (only appears in Local View, the default).
Source Host: Name of the source computer (only appears in Source View).
Source Port: Port on the source host that sent/received the traffic (only appears in Source View).
Destination Host: IP address of the destination computer (only appears in Source View).
Destination Port: Port used on the destination computer for this packet (only appears in Source View).
permission. If a protocol driver attempts to access the network, you will see a pop-up message asking if you want to allow it.

Enable OS fingerprint masquerading

By default, this option is enabled on the Personal Firewall. This option keeps programs from detecting the operating system of a computer running the Personal Firewall software. When OS Fingerprint Masquerading is enabled, the Personal Firewall modifies TCP/IP packets so that it is not possible to determine its operating system. It is recommended that you enable this option along with Enable anti-IP spoofing.

Enable stealth mode browsing

By default, this option is disabled on the Personal Firewall. Stealth mode is a term used to describe a computer that is hidden from web servers while on a network. A computer on the Internet, for instance, if in stealth mode, cannot be detected by port scans or communication attempts such as ping.

NetBIOS protection

By default, this option is enabled on the Personal Firewall. This option blocks all communication from computers located outside the Personal Firewall's local subnet range. NetBIOS traffic is blocked on UDP ports 88, 137 and 138 and TCP ports 135, 139, 445 and 1026. Be aware that this can cause a problem with Outlook if connecting to an Exchange server that is on a different subnet. If that occurs, you should create an advanced rule specifically allowing access to that server. For furt
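The NetBIOS protection option described above, modelled as a packet check (an added example, not Sygate's code): it drops NetBIOS traffic arriving from outside the local subnet on the listed UDP and TCP ports, and shows how an advanced rule trusting one server (the Exchange case) overrides the block. The `Packet` fields, the subnet and the sample packets are constructed for this example.

```python
# Added example, not Sygate's code: a model of the NetBIOS protection option.
# Field names, the local subnet and the sample packets are constructed here.
import ipaddress
from dataclasses import dataclass

# Ports named in the NetBIOS protection description.
NETBIOS_PORTS = {
    "UDP": {88, 137, 138},
    "TCP": {135, 139, 445, 1026},
}


@dataclass(frozen=True)
class Packet:
    protocol: str          # "TCP" or "UDP"
    src_ip: str            # remote host the packet came from
    dst_port: int          # local port the packet is addressed to
    direction: str = "incoming"


def netbios_blocked(pkt, local_subnet, trusted_hosts=frozenset()):
    """Return True when NetBIOS protection would drop pkt.

    local_subnet  - the firewall host's own subnet, e.g. "10.0.20.0/24"
    trusted_hosts - IPs allowed by an advanced rule, which overrides the block
    """
    if pkt.direction != "incoming":
        return False
    ports = NETBIOS_PORTS.get(pkt.protocol.upper())
    if not ports or pkt.dst_port not in ports:
        return False          # not NetBIOS traffic: other rules decide
    src = ipaddress.ip_address(pkt.src_ip)
    if src in ipaddress.ip_network(local_subnet):
        return False          # same subnet: left alone
    if pkt.src_ip in trusted_hosts:
        return False          # advanced rule for that server wins
    return True


def audit(packets, local_subnet, trusted_hosts=frozenset()):
    """Summarise a batch: (number blocked, sorted list of blocked source IPs)."""
    blocked = [p.src_ip for p in packets
               if netbios_blocked(p, local_subnet, trusted_hosts)]
    return len(blocked), sorted(set(blocked))


# Constructed sample traffic as seen by a host on 10.0.20.0/24.
SAMPLE_PACKETS = [
    Packet("TCP", "10.0.20.7", 445),        # file sharing from own subnet: allowed
    Packet("TCP", "203.0.113.5", 445),      # SMB from outside: blocked
    Packet("UDP", "203.0.113.5", 137),      # name query from outside: blocked
    Packet("TCP", "198.51.100.20", 135),    # RPC from the Exchange server's subnet
    Packet("UDP", "203.0.113.5", 53),       # DNS: not covered by this option
    Packet("TCP", "203.0.113.9", 445, direction="outgoing"),  # outbound: not covered
]

if __name__ == "__main__":
    print(audit(SAMPLE_PACKETS, "10.0.20.0/24"))
    # Same traffic once an advanced rule trusts the Exchange server:
    print(audit(SAMPLE_PACKETS, "10.0.20.0/24", frozenset({"198.51.100.20"})))
```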
personal email address or another email address.
3. Enter a recipient email address in the To field. This can be an administrator's email address or your email address if you are accessing email remotely.
4. If you wish, you can send a courtesy copy of each email to a specified email address in the Cc field.
5. Enter a subject in the Subject field.
6. Enter your SMTP Server Address.
7. If your email server requires authentication, click My E-Mail Server Requires Authentication. Enter the address of the authentication server in the Authentication Server Address field.
8. Enter your username and password for the authentication server in the appropriate fields.
9. Click OK to save changes.

Updating Your Security

The Updates tab provides the capability of configuring your Firewall to check for

[Screenshot: Options window, Updates tab (tabs: General, Network Neighborhood, Security, E-Mail Notification, Log, Updates)]

Sygate Personal Firewall: Sygate Personal Firewall Pro can be configured to automatically notify you when a newer version is available, or you can manually check for newer versions by clicking the Check Now button. (Check box: Automatically check for new versions.)

Signature Updates: Sygate Personal Firewall Pro can be configured to automatically download and install new signature update files for you, or you can manually update the signature files by clicking the Update Now button. Automa
protect your system by making changes in the Firewall's configuration options. This is where the most complex security policies can be crafted.

How to Change Configuration Options

The Options selection of the Tools menu offers several settings for the Personal Firewall, including e-mail notification of attacks, screen saver mode, log file configuration and Network Neighborhood options. You can open the Options window either from the Tools menu at the top of the main console or by right-clicking the System Tray Icon and selecting Options from the menu that appears. The Options window consists of the following tabs:

• General tab (see Review of General Configuration Options)
• Network Neighborhood tab (see Sharing Files and Folders)
• Security tab (see Setting Detailed Security Options)
• E-Mail Notification tab (see Setting Up Email Notification of Security Events)
• Log tab (see Logging Security Events on Your System)
• Updates tab (see Updating Your Security)

The OK and Cancel buttons are located at the bottom of every tab in the Options window. The OK button applies any changes that you have made in the Options window and then closes the window. Clicking the Cancel button ignores any changes you may have made in the Options window and closes the window while retaining the previous settings.

Review of General Configuration Options

The broadest lev
user database with the directory server. See also Active Directory, Lightweight Directory Access Protocol (LDAP).

System Library: A Sygate library containing preconfigured IDS signatures to help detect and prevent known attacks. See also custom library, signature library.

system tray: The lower right section of the taskbar on the Windows desktop, which is used to display a clock and icons representing certain programs such as volume control, network connection status and antivirus software. The Sygate Personal Firewall icon can be displayed here.

T

Transmission Control Protocol/Internet Protocol (TCP/IP): Internet protocols that every Internet user and every Internet server uses to communicate and transfer data over networks. TCP packages the data into packets that get sent over the Internet and are reassembled at their destination. IP handles the addressing and routing of each data packet so that it is sent to the correct destination.

trigger: An event that causes a rule to take effect. When creating rules, you can assign specific triggers, which cause Firewalls to react in a specific way, and actions, which specify what to do when the trigger takes place. For example, you can block all traffic originating from a certain IP address, or block traffic during certain hours of the day. Triggers can be linked to specific applications, hosts, schedules and services.

Trojan (Trojan horse): An application that carries out an unauthorized function covertly
will block both incoming and outgoing traffic from/to all hosts on all ports and protocols. This rule will be applied to all network interface cards.

Select a protocol from the top list box:

All Protocols: As indicated, the ALL selection will affect all protocols on all ports for both incoming and outgoing traffic.

TCP: If you select TCP from the Protocol list box, you will be shown two more list boxes in which you can specify which ports, remote and/or local, should be affected by the rule. You can type the port numbers or select the port type from the list boxes for both local and remote ports.

60 Configuring Advanced Rules for Security

If you do not enter or select a port number, then all ports will be affected by the rule. If you enter a port number for the local port entry but not for the remote port entry, then the local port you entered and ALL remote ports will be affected by the rule. Then select which traffic, Incoming or Outgoing, should be affected by the rule.

UDP: If you select UDP from the list box, you will then see two port list boxes. You can type the port numbers or select the port type from the list boxes for both local and remote ports. If you do not enter or select a port number, then all ports will be affected by the rule. If you enter a port number for the local port entry but not for the remote port entry, then the local port you entered and ALL remote ports will be affected by the rule.
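The protocol and port semantics described above (ALL covers everything; an empty port entry means all ports; a local port without a remote port matches that local port against ALL remote ports; TCP and UDP rules carry a direction), modelled as a rule matcher. This is an added example, not Sygate's code; the `Rule` and `Packet` field names, the `ports()` helper and the sample rules are this example's own assumptions.

```python
# Added example, not Sygate's code: matching advanced-rule protocol/port
# fields against traffic. Field names and sample rules are assumptions.
from dataclasses import dataclass
from typing import FrozenSet, Optional


def ports(*values) -> FrozenSet[int]:
    """Build a port set from ints and 'lo-hi' range strings such as "1024-1209"."""
    out = set()
    for v in values:
        if isinstance(v, str) and "-" in v:
            lo, hi = (int(x) for x in v.split("-", 1))
            out.update(range(lo, hi + 1))
        else:
            out.add(int(v))
    return frozenset(out)


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                                     # "Allow" or "Block"
    protocol: str = "ALL"                           # "ALL", "TCP" or "UDP"
    local_ports: Optional[FrozenSet[int]] = None    # None = every local port
    remote_ports: Optional[FrozenSet[int]] = None   # None = every remote port
    direction: str = "both"                         # "incoming", "outgoing" or "both"


@dataclass(frozen=True)
class Packet:
    protocol: str
    local_port: int
    remote_port: int
    direction: str


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    """ALL covers every protocol, port and direction. For TCP/UDP an empty
    port entry means all ports, so a rule with only a local port set matches
    that local port against ALL remote ports."""
    if rule.protocol != "ALL" and rule.protocol != pkt.protocol:
        return False
    if rule.direction != "both" and rule.direction != pkt.direction:
        return False
    if rule.local_ports is not None and pkt.local_port not in rule.local_ports:
        return False
    if rule.remote_ports is not None and pkt.remote_port not in rule.remote_ports:
        return False
    return True


def evaluate(rules, pkt: Packet, application_default: str = "Allow"):
    """First matching advanced rule wins; the default stands in for the
    per-application decision that advanced rules override."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule.action, rule.name
    return application_default, None


# Constructed rule set: the DHCP allow rule from the troubleshooting section
# (UDP, remote and local ports 67 and 68) and a rule blocking inbound
# connections to a local web server (local port 80, remote port left empty).
EXAMPLE_RULES = [
    Rule("Allow DHCP", "Allow", "UDP", ports(67, 68), ports(67, 68)),
    Rule("Block inbound HTTP", "Block", "TCP", local_ports=ports(80),
         direction="incoming"),
]

if __name__ == "__main__":
    for pkt in (Packet("UDP", 68, 67, "incoming"),
                Packet("TCP", 80, 40000, "incoming"),
                Packet("TCP", 40000, 80, "outgoing")):
        print(pkt, "->", evaluate(EXAMPLE_RULES, pkt))
```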
with Microsoft SMS and other software distribution tools.

Related Documentation

This document describes how to use the Sygate Personal Firewall Pro and includes the following documentation:

• Online Help: This help file provides the same information as the printed documentation, which is available in PDF format from the Sygate web site at http://smb.sygate.com/support for easy printing.
• Sygate Personal Firewall Pro User Guide (this guide): Describes how to use Sygate Personal Firewall Pro (PDF format).

Intended Audience

This documentation has been written for end users of the Personal Firewall software. It assumes that the user is familiar with the basic functioning of Windows operating systems and standard Windows items such as buttons, menus, toolbars, windows, etc. Further, this guide assumes that the user has an Internet connection, whether through a local area network, DSL connection, dial-up modem, wireless access point or other connection method.

Technical Support

Sygate Technologies provides a wide variety of service and support programs. Contact Sygate through its web site, by email or by telephone.

Sygate web site: http://smb.sygate.com/support
Sygate Forums: http://forums.sygate.com/vb
Email Support: http://smb.sygate.com/support/forms/proreq_form.htm
Priority: http://smb.sygate.com/support/documents/pspf/priority.php
Telephone Support
you have set your NTS or PPPoE application to Allow under the Applications List.
• Create Advanced Rules to Allow incoming and outgoing traffic to and from all hosts, applying to <all NICs>, as follows:
  o UDP, remote and local ports 67 and 68 (one rule)
  o TCP, remote and local ports 67 and 68 (one rule)
• Create an Advanced Rule to trust the IP of your Internet Service Provider.
• Try disabling NetBIOS protection:
  o From the Main Menu, click Tools > Options > Security.
  o Be certain that NetBIOS Protection is disabled. The default for this setting is enabled.
• Try disabling driver level protection:
  o From the Main Menu, click Tools > Options > Security.
  o Be certain that Enable driver level protection is disabled. The default for this setting is enabled.
• Try disabling all security options:
  o From the Main Menu, click Tools > Options > Security.
  o Click to clear all options.

Should I Allow the win32 kernel core or ntkernel component? What about ICMP?

As a rule, if you are unsure about any application, you should not allow it to access the Internet. Only the applications that you specifically know about should be allowed. Under most circumstances, blocking the Windows kernel should not create a problem. However, some Internet Service Providers (ISPs) send you an ICMP message to verify that you are online. Blocking this message may cause them to turn off their interaction w
Chapter 4: The Software in Context

This chapter introduces you to what the Personal Firewall is and how the Personal Firewall works, putting it into context. It includes:

• Introduction
• Some Options May Not Show
• How Firewalls Work
• What Does the Personal Firewall Do
• Key Features
• Defaults: an Introduction

Introduction

The Personal Firewall is a security agent that is installed on workstations, servers and laptops in the network enterprise and on home and small business systems. Once installed, it provides a complex and customizable firewall. In addition, it can also provide intrusion detection and prevention, such as detecting and identifying known Trojans, port scans and other common attacks, and can selectively enable or block the use of various networking services, ports and components. As you saw in the previous chapter, something that you may want to do immediately is to test your system's vulnerability using Sygate's Web site. For further information on this, see Test Your System's Vulnerability. The Personal Firewall is designed to protect your computer from intrusion and misuse, whether malicious or unintentional.

Some Options May Not Show

This document, the Sygate Personal Firewall Pro User Guide, describes all options that the Personal Firewall supports, but some of the options it describes are only available with the Pro version of Sygate Personal Firewall. Options that are disabled may app
Firewall, no traffic is flowing in that direction.

Alert Mode: Flashing System Tray Icon

The System Tray Icon will sometimes flash on and off. This tells you that the Personal Firewall is in Alert Mode. Alert Mode occurs when the Personal Firewall records an attempted attack on your computer. To view the attack information:

• Double-click on the icon. The Security Log will open, displaying new log entries.

16 Getting Around

The icon will stop flashing after you double-click it and view the Security Log. Note that opening the Security Log through the main console will not cause the System Tray Icon to stop flashing.

[Screenshot: Log Viewer, Security Log (menus: File, Edit, View, Filter, Action, Help). Columns: Time, Security Type, Severity, Direction, Protocol, Remote Host. Entries dated 10/13/2003 include Trojan Horse events (Critical, Outgoing, Remote Host 0.0.0.0), Denial of Service events (Major, Remote Host 10.50.0.201) and an Executable File Change Denied event. The selected entry's description reads: "Trojan horse Back Orifice 2000 International detected in C:\WINDOWS\SYSTEM32\UMGR32.EXE proce"]
Firewall Packet Log Parameters and Description
Name of Parameter: Description
Direction: Direction that the traffic was traveling in (incoming or outgoing).
Action: Action taken by the Personal Firewall (Blocked or Allowed).
Application Name: Name of the application associated with the packet.

Packet Decode and Packet Dump for the Packet Log

Below the Log Viewer are two additional data fields that provide further detail regarding the selected event. In the Packet Log these fields are labeled Packet Decode, which provides data on the type of packet logged, and Packet Dump, which records the actual data packet.

Back Tracing Packet Log Events

1. From the Packet Log file, click on the event you want to back trace so that the entire row is highlighted.
2. Either right-click the row and select Back Trace from the pop-up window, or click the Action menu and select Back Trace.
3. The Personal Firewall traces the event information. The Back Trace Information window is displayed with a trace route log.
4. Click Detail at the bottom of the Back Trace Information window to view detailed information about the original IP address. A drop panel displays detailed information about the owner of the IP address from which the traffic event originated.
5. Click Detail again to hide the information.

For further information on Back Tracing, see Back Tracing.

82 Monitoring Your System Logs

Viewing the Packet Log Events by Date

To filt
Installing the Software.

Other Web download: You receive an e-mail message or other pointer to a location on the Web or a server on your Extranet where a zipped file exists. Run that file and it will unzip the Personal Firewall files and then run the Setup.exe program to install the Personal Firewall. With this type of installation you may be prompted for your agreement to the license agreement, the location of the software on your hard drive, and so on, as described in Installing the Software.

Installing the Firewall Software

To install the software:

1. Run Setup.exe. The Personal Firewall Setup window appears.
2. Click Next. The License Agreement dialog box appears. Scroll through the agreement to make sure that you agree with its terms.
3. Click I accept the license agreement if you agree, then click Next. The Destination Folder dialog box appears.
4. Click Next to accept the default location for the Personal Firewall files, or click Browse to select a different location. The Ready to Install the Application dialog box appears.
5. Click Next. If you are updating a previous installation, the Upgrade Installation dialog box appears.
6. If you want to keep the previous configuration, click Yes. Otherwise, click No. The Updating System window appears while the files are copied to your system, followed by the Finish window.
7. Click Finish. The Installer Information dialog box
Table Of Contents (page iii)

Menus and Toolbar .......... 21
Toolbar Buttons .......... 22
Traffic History Graphs .......... 22
Running Applications Field .......... 23
Message Console .......... 24
Status Bar .......... 24
Using the Menus and Toolbar .......... 25
Toolbar Buttons .......... 27
Understanding Pop-Up Messages .......... 27
Why Did I Get a Pop-Up Message? .......... 27
New Application Pop-Up .......... 27
Changed Application Pop-Up .......... 31
Trojan Horse Warning .......... 32
Why Did I Get a Security Notification? .......... 33
Blocked Application Notification .......... 33
Security Alert Notification .......... 33
Chapter 6: Setting Up Protection Based on Application .......... 35
How to Set Permissions by Application .......... 35
Advanced Application Configuration
Local Host address and Local MAC always represent your IP address and your MAC address. Your system is always considered the Local system.
  o If you select Source View from the View list, then Remote Host, Remote MAC, Local Host and Local MAC information no longer appear. Instead, Source Host, Source MAC, Destination Host and Destination MAC appear.
• If someone sends a message or attacks your system, then the originator's IP address and MAC address are listed in the Source Host and Source MAC columns, whereas your IP number and your MAC address are listed in the Destination Host and Destination MAC columns, because you are the recipient.
• If you send a message or attack someone else's system, then your IP address and MAC address are listed in the Source Host and Source MAC columns, whereas the recipient's IP number and MAC address are listed in the Destination Host and Destination MAC sections.
3. Click a different log name if you wish to view a different log.
4. Click Refresh or press F5 to update the log that you are viewing.

Icons for the Security Log

When you open a Security Log, icons are displayed at the left side of the first column. These are graphical representations of the kind of attack logged on each line, and they provide an easy way to scan the Security Log for possible system errors.

Table 8: Personal Firewall Security Log Icons
Icon: Description
[icon]: Severe attack
[icon]: Major attack
[icon]:
Minor attack
[icon]: Information

Personal Firewall Security Log Parameters and Description

The log is a data sheet where each row represents a logged event and the columns display information regarding the event. The columns are:

Table 9: Personal Firewall Security Log Parameters and Description
Name of Parameter: Description
Time: The exact date and time that the event was logged.
Security Type: Type of Security Alert, for example DoS attack, executable file, Ping of Death.
Severity: The severity of the attack: either Severe, Major, Minor or Information.
Direction: Direction that the traffic was traveling in: incoming, outgoing or unknown. Most attacks are incoming, that is, they originate in another computer. Other attacks, like Trojan horses, are programs that have been downloaded to your computer and therefore are already present; they are considered outgoing. Still other attacks are unknown in direction; they include Active Response or application executable changed.
Protocol: Type of protocol: UDP, TCP or ICMP.
Remote Host: Name of the remote computer (only appears in Local View; this is the default).
Remote MAC: MAC address of the remote computer (only appears in Local View; this is the default).

Table 9 (continued): Personal Firewall Security Log Parameters and Description
Name of Parameter: Description
Local Host: IP address of the local computer (only appears in Local Vie
Personal Firewall. The application/service name, version, status and path are provided in a simple screen. Like the Running Applications field, you can change the display view for the applications and services shown in the Applications List. To change the view, right-click anywhere in the Applications List, select View from the list of options, and then select the desired view. The different views are explained in the section covering the Main Console; for details, see Using the Main Console for the Personal Firewall.

To select an application or service for configuration, click on any of its attributes as shown in the Applications List. The application or service name must be highlighted before you can change or configure its status. See Setting up Advanced Rules for information on security settings options.

The buttons at the bottom of the Applications List screen provide the option to remove selected or all applications from the list. Once an application/service is removed from the Applications List, its status is erased. When that application/service attempts to connect to the network again, you will be notified through a new application pop-up message (see New Application Pop-up) and be asked to assign a new status to the application/service.

Applications

The applications listed below are those that have been checked by Sygate Personal Firewall Pro. You can change their
Running Applications field and click the desired status (Allow, Ask or Block) from the menu that appears.

Trojan Horse Warning

Hopefully you will never see a pop-up message like the following:

[Pop-up: Sygate Personal Firewall Pro, 10/14/2003 12:09:36. "C:\WINDOWS\system32\UMGR32.EXE, a Trojan horse application, has been detected on your computer. It has been blocked by Sygate Personal Firewall Pro."]

What Does This Mean?

This message indicates that the Personal Firewall has detected a known Trojan horse on your computer. It also explains that the Trojan horse has been blocked from accessing your network. This means that a Trojan horse is present on your system and has been activated. Either you tried to open the program identified as a Trojan horse, or it has been triggered by another program on your computer. It is possible that the Trojan was on your computer when you installed the Personal Firewall, or that you have recently downloaded it through a legitimate application such as a web browser. The Trojan tried to access your network connection and has been blocked by the Personal Firewall.

What Should I Do?

You should immediately notify your IT department. The Personal Firewall will block the Trojan from sending any information out of or into your computer, but it is still important to remove it from your system as soon as possible. The Personal Firewall will terminate the Trojan process automatically, but removal will require the assista
S: This feature allows Windows Internet Naming Service (WINS) replies only if they were requested. If the traffic was not requested, the WINS reply is blocked. The user can enable or disable this feature.
• Active Response Protection: Active response is a feature that automatically blocks all communication from a source host once an attack has been detected. For example, if the Personal Firewall detects a DoS attack originating from a certain IP address, the Personal Firewall will automatically block any and all traffic from that IP for the duration specified in the seconds field. The user can now stop a current active response session.
• Anti-Application Hijacking Protection: The Personal Firewall now protects against even more attacks, including exploits such as TooLeaky and others.

Preface

• Enhanced performance: The Personal Firewall is now faster and takes fewer system resources.
• Improved Logging Capabilities: The Personal Firewall adds new logging flexibility, including the option to disable all logs.
• Support for Windows Server 2003: The Personal Firewall is now supported on Windows Server 2003 for Small to Medium Businesses. For server deployments greater than 500 seats that need centralized management, Sygate Secure Enterprise is required.
• Improved Microsoft System Installer Support: The Personal Firewall is now packaged by default as a Microsoft System Installer (MSI) package to simplify deployment
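The Active Response behaviour described above (block every packet from a source host for the configured number of seconds after an attack is detected, with the user able to stop a session early), modelled as a small state machine. This is an added example, not Sygate's code; the class and event format, the timestamps and the IP addresses are constructed for it.

```python
# Added example, not Sygate's code: a model of Active Response. The event
# format, timestamps and addresses below are constructed for this example.


class ActiveResponse:
    """Tracks per-source-host block sessions with an expiry time."""

    def __init__(self, duration_s: int = 600):
        self.duration_s = duration_s        # the "seconds" field in the options
        self.blocked_until = {}             # source IP -> expiry time (seconds)

    def on_attack(self, src_ip: str, now: float) -> None:
        """Start (or restart) an active response session for src_ip."""
        self.blocked_until[src_ip] = now + self.duration_s

    def stop(self, src_ip: str) -> bool:
        """Manual stop of a current session; True if one was running."""
        return self.blocked_until.pop(src_ip, None) is not None

    def is_blocked(self, src_ip: str, now: float) -> bool:
        """True while a session for src_ip is active; expired sessions are dropped."""
        expiry = self.blocked_until.get(src_ip)
        if expiry is None:
            return False
        if now >= expiry:
            del self.blocked_until[src_ip]  # duration elapsed: traffic flows again
            return False
        return True


def replay(events, duration_s: int = 600):
    """events: (time_s, src_ip, kind) with kind 'attack', 'packet' or 'user_stop'.
    Returns (time_s, src_ip, 'blocked'|'allowed') for every 'packet' event."""
    ar = ActiveResponse(duration_s)
    decisions = []
    for t, ip, kind in events:
        if kind == "attack":
            ar.on_attack(ip, t)
        elif kind == "user_stop":
            ar.stop(ip)
        elif kind == "packet":
            verdict = "blocked" if ar.is_blocked(ip, t) else "allowed"
            decisions.append((t, ip, verdict))
    return decisions


# Constructed timeline (seconds) with a 600-second active response duration.
SAMPLE_EVENTS = [
    (0, "203.0.113.9", "attack"),         # DoS detected from this host
    (5, "203.0.113.9", "packet"),         # blocked: session active
    (5, "198.51.100.4", "packet"),        # allowed: a different host
    (300, "203.0.113.9", "packet"),       # still blocked
    (650, "203.0.113.9", "packet"),       # allowed: 600 s have elapsed
    (700, "198.51.100.4", "attack"),      # new detection, new session
    (710, "198.51.100.4", "user_stop"),   # the user stops the session early
    (720, "198.51.100.4", "packet"),      # allowed again
]

if __name__ == "__main__":
    for decision in replay(SAMPLE_EVENTS):
        print(decision)
```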
Security

This chapter describes how to configure advanced security rules for the Personal Firewall. It goes through the various steps in creating an advanced rule that the Personal Firewall provides through its user interface, including:

• Setting up Advanced Rules
• Overview of Creating Advanced Rules
• Advanced Rules: Provide a Name, Specify Allow or Block
• Advanced Rules: Specify a Source
• Advanced Rules: Specify Ports and Protocols
• Advanced Rules: Define a Schedule
• Advanced Rules: Specifying Applications

Setting up Advanced Rules

The Personal Firewall offers users the unique option to configure advanced rules that can override the rules automatically created by the firewall during normal user-firewall interaction. You may not realize it, but every time you allow or deny access to an application, you are creating a rule for that application. If you use Advanced Configuration to specify application access rights such as scheduling and port rights, you are specifying parameters for the selected application and thus creating an application rule. However, these rules are application specific, so that if you create a schedule for an application, the schedule applies only to that application. Advanced rules, on the other hand, are rules that you can create directly that affect all applications. If you create an advanced rule that blocks all traffic between 10 PM and 8 AM, the rule will ove
access status, remove them from the list, or configure the advanced settings of each application.

[Screenshot: Application List with columns File Name, Version, Access and Path, listing Internet Explorer, LAPLINK Core Component, MAC Bridge Driver, NDIS User mode driver, Norton AntiVirus, Windows Explorer (C:\WINDOWS\explorer.exe) and Windows Update, each with Access set to Allow]

Advanced Application Configuration

You can configure advanced security settings for each application on your application list by setting certain restrictions on which IP addresses and ports an application can utilize. Only users who have a firm grasp of computer ports and application protocols should use the advanced configuration options, lest unintended results occur.

To Set Advanced Configuration

1. Open the Applications List by clicking on the Applications icon on the Personal Firewall main console, or by right-clicking the System Tray Icon and selecting Applications from the list of choices.
2. Click the Advanced button at the bottom left corner of the Applications List screen.

36 Setting Up Protection Based on Application

3. The Advanced Application Configuration window opens.

[Screenshot: Advanced Application Configuration window, Name of Application
appears, telling you that you must restart your computer to begin using the Personal Firewall.
8. Click Yes to reboot your system and begin using the Personal Firewall, or click No if you plan to restart manually later.

Registering Sygate Personal Firewall Pro

To register Sygate Personal Firewall Pro, select one of the following options:

Option 1: Click Register Later and you will get a FREE, fully functional 30-day trial period for Sygate Personal Firewall Pro to determine if this product meets your needs.

Option 2: If you have already purchased a license key from the Sygate Online Store and would like to register the software for your computer now, please fill out ALL fields given on the registration screen (use N/A for those that do not apply) and click Register Now. You must be connected to the Internet to complete the registration process.

Note: All characters entered into Serial Number and Registration Code will be converted to uppercase automatically. The license key might contain look-alike characters, such as the letter I in uppercase and the number 1, or the letter O in uppercase and the number 0.

Option 3: If you do not have a license and would like to purchase Sygate Personal Firewall Pro now, click Buy Pro and you will be taken to the Sygate Online Store, where you can purchase and obtain a license key(s).
ased Intrusion Detection system that operates on every computer on which the Firewall is installed. In addition, Sygate's Intrusion Detection works in conjunction with Sygate's Intrusion Prevention (SIP). As soon as a known attack is detected, it can be automatically blocked by one or several of Sygate's Intrusion Detection and Prevention systems, also commonly referred to as Intrusion Prevention Systems (IPS). Sygate supports the following Intrusion Detection and Prevention systems:

Port Scan Intrusion Detection and Prevention: Sygate's Port Scan Intrusion Detection and Prevention system detects port scans. Although a port scan can be a precursor to an intrusion attempt, it does not in itself allow access to a remote system. Whenever a port scan is detected, the Port Scan Intrusion Detection and Prevention system does not automatically block ports. Port Scan Detection is automatically enabled.

Trojan Intrusion Detection and Prevention: Sygate's Trojan Intrusion Detection and Prevention system automatically terminates known Trojan horse programs before the Trojan horse attempts to communicate.

Signature-Based Intrusion Detection and Prevention: Sygate's Signature-Based Intrusion Detection and Prevention system identifies known attacks by using a technique called pattern matching. For example, Sygate's pattern matching Intrusion Detection and Prevention system can watch web servers and can be programmed to look for the string "phf" in "GET /cgi-bin/phf" a
atically launch the Personal Firewall at start-up.

Screensaver Mode: Enabling the Screensaver Mode option automatically sets your security level to Block All when your computer's screensaver is activated. As soon as the computer is used again, the security level will return to the previously assigned level.

Hide Notification Messages: You can enable or disable the system tray notification messages by clicking here. Additionally, you may select to allow audio announcement of the notification window.

Password Protection: Enabling Password Protection will protect your settings from being changed by another user. Password Protection will prompt you to enter your password every time you access the Personal Firewall main console. For details, see Password Protecting Your Security Settings.

Sharing Files and Folders

The Network Neighborhood tab provides multiple interface support and network browsing rights configuration. The Network Neighborhood tab is made up of three sections: Network Interface, Network Neighborhood Settings and Description.

[Screenshot: Options window, Network Neighborhood tab. Network Interface: MAC Bridge Miniport (10.0.20.84). Network Neighborhood Settings: "Allow to browse Network Neighborhood files and printer(s)", "Allow others to share my files and printer(s)". Description: "Network Neighborhood has been comple"]
ce the difference and ask you if you want to allow it. If you have not made any changes to the service or application, such as an upgrade, then you will want to block these applications from running and alert your system administrator. See Understanding Pop-Up Messages for details on pop-up messages.

Message Console

The Message Console of the Personal Firewall is located below the Running Applications field on the main console. It provides a real-time update of server/client communication, including profile downloads, Profile Serial Numbers and server connection status.

10/10/2003 12:17:00 New Option Settings is applied
10/10/2003 12:47:38 New Option Settings is applied
10/10/2003 12:51:06 New Option Settings is applied

The Message Console is by default hidden from view. To view the Message Console, click Show Message Console below the Running Applications field on the main console. The Message Console will appear. To hide the Message Console from view, click Hide Message Console. The Message Console will collapse so that only the Show Message Console button is apparent.

Status Bar

The Status Bar, located along the bottom of the Personal Firewall main console, provides the user with the current location profile information.

Security Status: Normal

Using the Menus and Toolbar

The top of the Personal Firewall screen displays a
ck ended.
Rule Name: The rule that determined the passing or blockage of this traffic.

Description and Data Fields for the Traffic Log
Below the rows of logged events are the Description and Data fields. When you click an event row, the entire row is highlighted. A description of the event is displayed in the Description field.

Back Tracing Traffic Events for the Traffic Log
1. From the Traffic Log file, click on the event you want to back trace so that the entire row is highlighted.
2. Either right-click the row and select Back Trace from the pop-up window, or click the Action menu and select Back Trace.
3. The Personal Firewall traces the event information. The Back Trace Information window is displayed with a trace route log.
4. Click Detail at the bottom of the Back Trace Information window to view detailed information about the original IP address. A drop panel displays detailed information about the owner of the IP address from which the traffic event originated.
5. Click Detail again to hide the information.
For further information on Back Tracing, see Back Tracing.

Viewing the Traffic Log Events by Date
To filter the log events by date:
1. Click the View menu in the Log Viewer window.
2. Select which events you want to view from the list.

Table 13: Viewing Personal Firewall Traffic Log Events by Date
Events / Displays
1 Day Logs: the events recorded on the current
cons are displayed at the left side of the first column. They are graphical representations of the kind of traffic logged on each line and provide an easy way to scan the Traffic Log. The Traffic Log includes information about incoming and outgoing traffic.

Table 11: Personal Firewall Traffic Log Icons (icons not reproduced)
- Incoming traffic passed through the Personal Firewall
- Incoming traffic blocked by the Personal Firewall
- Outgoing traffic passed through the Personal Firewall
- Outgoing traffic blocked by the Personal Firewall
- Traffic direction unknown, passed through the Personal Firewall
- Traffic direction unknown, blocked by the Personal Firewall

Personal Firewall Traffic Log Parameters and Description
Each row represents a logged event, and each column displays information about the event.

Table 12: Personal Firewall Traffic Log Parameters and Description
Name of Parameter / Description
Time: The exact date and time that the event was logged.
Action: Action taken by the Personal Firewall: Blocked, Asked, or Allowed.
Severity: The severity of the attack, either Severe, Major, Minor, or Information.
Direction: Direction that the traffic was traveling in, incoming or outgoing.
Protocol: Type of protocol: UDP, TCP, and ICMP.
Remote Host: Name of the remote computer (only appears in Local View; this is the default).
Remote MAC: MAC address of the remote computer (only appears in Local View; this is
cuted. See also application authentication, application fingerprint, DLL, DLL fingerprint.

DLL fingerprint: A 128-bit number that is generated by performing an MD5 hash of an entire DLL packet. It is unique for each DLL. The MD5 hash, or fingerprint, of each DLL is stored on the Sygate Personal Firewall. If the DLL is changed in any way, the DLL fingerprint changes. See also DLL, DLL authentication, MD5 hash.

domain: A group of computers that are part of a network and share a common directory database. Each domain has a unique name and is organized in levels that are administered as a unit using common rules.

domain name: The name by which a group of computers is known to the network. Most organizations have a unique name on the Internet that allows individuals, groups, and other organizations to communicate with them. See also domain.

DoS attack: See Denial of Service (DoS).

driver-level protection: A Sygate software feature that blocks protocol drivers from gaining access to the network unless a user gives permission. If a protocol driver attempts to gain access to the network through a client running the Sygate Personal Firewall, then, depending on the rule set, the protocol driver is allowed, blocked, or a pop-up message displays. See also protocol driver blocking.

Dynamic Host Configuration Protocol (DHCP): A TCP/IP protocol that provides dynamic configuration of host IP addresses and enables individual computers on an IP network to extract config
d

SYGATE
Sygate Personal Firewall Pro User Guide, Version 5.5

Copyright Information
Copyright 2003 by Sygate Technologies, Inc. All rights reserved. No part of this document may be reproduced or transmitted in any form or by any means, electronic, mechanical, or otherwise, without prior written permission of Sygate Technologies, Inc. Information in this document is subject to change without notice and does not constitute any commitment on the part of Sygate Technologies, Inc. Sygate Technologies, Inc. may own patents or pending patent applications, trademarks, copyrights, and other intellectual property rights covering the subject matter of this document. Furnishing of this documentation does not in any way grant you a license to any patents, trademarks, copyrights, or other intellectual property of Sygate Technologies, Inc.

Sygate, Sygate Secure Enterprise, and the Sygate S Logo are registered trademarks or trademarks of Sygate Technologies, Inc. Microsoft and Windows are registered trademarks of Microsoft Corporation. All other companies and product names referenced herein may be trademarks or registered trademarks of their respective holders.

Documentation Version: Online SPFPro2519 HSPFPr055 7; Printed PS PFPr055 7

Table of Contents
Preface ix
Preface to Help for Sygate Personal Firewall Pro ix
Getting ... ix
day.
2 Day Logs: the events recorded over the past 2 days.
3 Day Logs: the events recorded over the last 3 days, including the current day.
1 Week Logs: the events recorded over the past 7 days.

Monitoring Your System Logs

Table 13: Viewing Personal Firewall Traffic Log Events by Date (continued)
Events / Displays
2 Week Logs: the events recorded over the past 14 days.
1 Month Logs: the events recorded over the last 30 days.
Show All Logs: all Traffic Log events.

3. The log automatically displays the requested events.

Viewing the Packet Log
The Packet Log captures every packet of data that enters or leaves a port on your computer. The Packet Log is disabled by default in the Personal Firewall because of its potentially large size. To enable the Packet Log, open the Options window by selecting Options from the Tools menu. Click on the Log tab and click the check box next to the text Enable Packet Log. Then click Apply. If you do not have an Options window, the Packet Log is not available for your Personal Firewall.

Viewing the Packet Log
To view the Packet Log on the Personal Firewall:
1. Click the down arrow near the Logs icon on the toolbar and then choose Packet Log, OR click Tools > Logs > Packet Log, OR right-click the Tool Bar icon and then click Logs > Packet Log. You can also click the down arrow next to the Logs icon to choose a
ddress can be modified to any interval from 1 to 65,000 seconds.

adapter: See network adapter.

Advanced Rule: A rule that can be added on Sygate Personal Firewall to enforce a security policy. Advanced Rules can exhibit complex relationships between applications, IP addresses, and services. See also firewall rule, Simple Rule.

Agent: A computer running Sygate Security Agent software is also called an Agent computer. An Agent can be client-controlled or server-controlled. See also client, Client Control, Server Control, Sygate Security Agent, Sygate Personal Firewall.

Anti-IP Spoofing: An advanced setting that prevents an intruder from taking advantage of the ability to forge, or spoof, an individual's IP address. See also IP Spoofing.

Anti-MAC Spoofing: An advanced setting that prevents an intruder from taking advantage of the ability to forge, or spoof, the MAC address of an individual's computer. Anti-MAC Spoofing allows incoming and outgoing ARP traffic only if an ARP request was made to that specific host. It blocks all other unexpected ARP traffic and logs it in the security log. See also Smart ARP, MAC address, MAC Spoofing.

antivirus: Software and technology that is used to detect malicious computer applications, prevent them from infecting a system, and clean files or applications that are infected with computer viruses. Sygate software works together with, but does not include, anti
different log. The most recently viewed log appears by default, but you can choose any of the logs to view.
2. From the View list, select Local View (the default setting) or Source View. You can select how you view local and remote IP addresses or ports.
   - If you select Local View from the View list, then Remote Host, Remote Port, Local Host, and Local Port information appear. The Remote Host and Remote Port always represent the IP address and port of the attempted attacker, whereas the Local Host address and Local Port always represent your IP address and your port. Your system is always considered the Local system.
   - If you select Source View from the View list, then Remote Host, Remote Port, Local Host, and Local Port information no longer appear. Instead, Source Host, Source Port, Destination Host, and Destination Port appear.
     - If someone sends a message or attacks your system, then the originator's IP address and port are listed in the Source Host and Source Port columns, whereas your IP number and your port are listed in the Destination Host and Destination Port, because you are the recipient.
     - If you send a message or attack someone else's system, then your IP address and port are listed in the Source Host and Source Port columns, whereas the recipient's IP number and port are listed in the Destination Host and Destination Port sections.
3. Click a different log name if you wish to view a different
e. If you believe that you have triggered this application, it would be safe to click Yes. You have the option to tell the Personal Firewall to remember your answer in the future. If you click Remember my answer and do not ask me again for this application, the Personal Firewall will remember your choice and will act accordingly the next time this application tries to access your network connection.

If you have tried to open an application such as a web browser, or a program that uses another application to access the Internet, such as a media streaming program, and you feel comfortable granting this application access to your network connection, then you can click Yes. The application will then be able to access your network. You can change the status of the application at any time, either in the Running Applications field or in the Applications List.

However, if a pop-up message is unexpected and you can't see any reason why the listed application should try to access your network connection, click No and click Remember my answer. This will assign the application the status of Block, so that it will be automatically blocked from your network connection any time it tries to gain access. You can change the status of the application at any time, either in the Running Applications field or in the Applications List. You should also run a virus scan to make sure that you have not inadvertently downloaded a virus or a Trojan horse that could
e (DoS): A network-based attack that is characterized by an explicit attempt by an intruder to prevent legitimate users of a service from using that service. See also Denial of Service Checking.

Denial of Service Checking: An advanced setting that instructs the Sygate Personal Firewall to check for incoming traffic using known Denial of Service (DoS) techniques.

DES: See Data Encryption Standard (DES).

destination IP address: The IP address of the computer that is receiving packets of information.

destination port: The port of the computer that is receiving packets of information.

DHCP: See Dynamic Host Configuration Protocol (DHCP).

directory server: Software that manages users' accounts and network permissions. Active Directory is an example of a directory server accessed using Lightweight Directory Access Protocol (LDAP). See also Active Directory, Lightweight Directory Access Protocol (LDAP).

DLL: Dynamic link library; a list of functions or data used by Windows applications. Most DLLs have a file extension of .dll, .ocx, .exe, .drv, or .fon.

DLL authentication: The ability to validate shared or application-specific dynamic link libraries (DLLs) and ensure the integrity of applications. The Sygate Personal Firewall can be instructed to allow or block known DLLs. An added level of protection can also be enabled to block DLLs from being dynamically allowed when an application is exe
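The DLL fingerprint and DLL authentication entries describe a whole-file MD5 hash compared against a stored value, with a modified DLL no longer matching. The following is an added illustration in Python, not Sygate's code: the baseline mapping, the three decisions and the block_unknown switch are assumptions made for the example.

```python
"""DLL fingerprinting and a DLL authentication decision, modelled on the
glossary entries. Added example, not Sygate's code: the baseline mapping,
the three decisions and the block_unknown switch are assumptions."""
import hashlib
from typing import Dict

ALLOW, BLOCK, ASK = "Allow", "Block", "Ask"


def dll_fingerprint(dll_bytes: bytes) -> str:
    """128-bit MD5 fingerprint of an entire DLL image, as 32 hex characters.

    MD5 is what the glossary specifies; it is no longer collision resistant,
    so a present-day implementation would use SHA-256 for the same purpose.
    """
    return hashlib.md5(dll_bytes).hexdigest()


def authenticate_dll(dll_bytes: bytes, baseline: Dict[str, str],
                     block_unknown: bool = False) -> str:
    """Return ALLOW, BLOCK or ASK for a DLL an application wants to load.

    baseline maps fingerprint -> ALLOW or BLOCK for DLLs already answered
    for. A DLL changed in any way has a different fingerprint, so it is
    treated as unknown even when its file name is unchanged.
    """
    decision = baseline.get(dll_fingerprint(dll_bytes))
    if decision in (ALLOW, BLOCK):
        return decision
    # Unknown DLL: prompt the user, or block it outright when the added
    # protection against DLLs being dynamically allowed is enabled.
    return BLOCK if block_unknown else ASK


# Constructed sample images (a real check would hash open(path, "rb").read()).
GOOD_DLL = b"MZ" + b"\x00" * 62 + b"PE\x00\x00" + b"constructed image v1"
TAMPERED_DLL = GOOD_DLL[:-1] + b"2"   # a single trailing byte changed


def demo() -> tuple:
    """Known-good DLL is allowed; the tampered copy is unknown, so it is
    asked about, or blocked when block_unknown is set."""
    baseline = {dll_fingerprint(GOOD_DLL): ALLOW}
    return (authenticate_dll(GOOD_DLL, baseline),
            authenticate_dll(TAMPERED_DLL, baseline),
            authenticate_dll(TAMPERED_DLL, baseline, block_unknown=True))


if __name__ == "__main__":
    print(dll_fingerprint(GOOD_DLL), dll_fingerprint(TAMPERED_DLL))
    print(demo())
```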
e 65
(entry unreadable) 66
Exporting Logs 67
Viewing Logs 68
Viewing the Security Log 70
Viewing the Security Log 70
Icons for the Security Log 71
Personal Firewall Security Log Parameters and Description 71
Description and Data Fields for the Security Log 72
Back Tracing Hack Attempts for the Security Log 72
Filtering the Log Events by Severity in the Security Log 73
Filtering the Log Events by Date in the Security Log 73
Viewing the Traffic Log 75
Viewing the Traffic Log 75
Icons for the Traffic Log 76
Personal Firewall Traffic Log Parameters and Description 76
Description and Data Fields for the Traffic Log 78
Back Tracing Traffic Events for the Traffic Log 78
Viewing the Traffic Log Events by Date 78
Viewing the Packet Log 80
Viewing the Packet Log 80
Icons for the Packet Log 81
Firewall Packet Log Parameters and Descripti
e Security Log will open, displaying a new log entry.

Table 3: What the System Tray Icon Tells You (icons not reproduced)
- The Personal Firewall is in Allow All mode.
- The Personal Firewall is in Block All mode.
- Incoming traffic is flowing uninterrupted; there is no outgoing traffic.
- Both incoming and outgoing traffic are flowing uninterrupted.
- There is no incoming traffic; outgoing traffic is flowing uninterrupted.
- Incoming traffic is blocked; outgoing traffic is flowing uninterrupted.
- Incoming traffic is blocked; there is no outgoing traffic.
- Both incoming and outgoing traffic are blocked.
- There is no incoming traffic; outgoing traffic is blocked.
- Incoming traffic is flowing uninterrupted; outgoing traffic is blocked.
- No traffic is flowing in either direction.

Getting Around
Using the Main Console
The Main Console for the Personal Firewall is available from your Start menu: click Start > Programs > Sygate Personal Firewall Pro > Sygate Personal Firewall Pro. The main console appears. You can also bring up the main console by clicking the System Tray Icon, as shown in the previous section.

The Personal Firewall interface is simple and intuitive. The main console provides real-time network traffic updates, online status, and links to logs, help files, and the Applications List.

[Main console window: title "Sygate Personal Firewall Pro"; menu bar File, Security, Tools, View, Help
e not recently upgraded the application and see no reason why this message should appear, this could be an instance of a Trojan horse trying to access your network.

Detail
Clicking the Detail button expands the pop-up box, providing further details on the connection the application is attempting to establish. Information such as the file name, version, and path are provided. Look at these items to make sure that they match the description of the application that you normally use. The details section should also indicate the location to which the file was attempting to connect: either local, meaning that it was trying to connect to your computer, or remote, meaning that the application was attempting to connect to an outside destination. Additionally, the local and remote port numbers and IP addresses should be provided.

What Should I Do?
If you have recently upgraded the application mentioned on the pop-up message, it is probably safe to click Yes and allow the application network access. However, if you do not think that you have recently upgraded the listed application, you should click No and run an antivirus software program or, if you are at work, contact your IT department.

I Changed My Mind
What if you change your mind about an application after you have allowed it or blocked it? Simply go to the main console of the Personal Firewall, right-click on the application's icon in the
e problematic or dangerous to your computer.
3. Ask: The Personal Firewall asks whether incoming and outgoing traffic is allowed to access your computer or an organization's network resources. When you run the Firewall, it initially asks you whether to permit your applications to access network resources. Optionally, it remembers your responses so that you do not have to tell it again, for example, that you plan to use Internet Explorer or Netscape Navigator.

By using firewall rules, the Personal Firewall can systematically Allow, Block, or Ask about what action to take on incoming traffic from specific IP addresses and ports. The configuration of those rules with other security settings provides a security agent that protects your computer.

Personal Firewall Defaults: an Introduction
The Personal Firewall comes with default security policy settings. As a security agent, those settings are designed to be relatively secure out of the box. However, the user can customize the default settings and default rules extensively. For a more detailed summary, see Defaults: A Summary of Rules and Settings.

Chapter 5: Getting Around
This chapter presents an overview of the tools that you use in getting around in the Personal Firewall. It includes:
- Starting and Using the Software
- Logging In and Logging Out
- Shortcut to the Software: the System Tray Icon
- Using the Main Console

Starting and Using the Software
The Personal
e simultaneously to more than one destination on a network. See also broadcast, unicast.

N

NetBIOS protection: A feature on the Sygate Personal Firewall that blocks all communication from computers located outside the client's local subnet range. NetBIOS traffic is blocked on UDP ports 88, 137, and 138 and TCP ports 135, 139, 445, and 1026. See also subnet.

network adapter: A device that connects a computer to a network.

network interface card (NIC): A device that is installed in a computer that provides the ability to communicate with other connected devices on the network.

ntoskrnl.exe: NT Kernel & System, a standard Windows service that initializes the kernel and drivers needed during a session.

O

OS Fingerprint Masquerading: A feature that keeps programs from detecting the operating system of a computer running the Sygate Personal Firewall software. When OS Fingerprint Masquerading is enabled, the Firewall modifies TCP/IP packets so it is not possible to determine its operating system.

outbound traffic: Traffic that was initiated from the local computer. See also inbound traffic.

Glossary

P

packet: A unit of data sent over a network. It is accompanied by a packet header that includes information such as the message length, priority, checksum, and the source and destination address. When packets are sent over a network protected by Sygate Personal Firewall, each packet is evaluated for specific patterns that
ear dimmed or may not appear at all on your computer. The following note appears next to those options:

Option Alert: This option may appear dimmed or not at all. For further information, see Some Options May Not Show.

How Firewalls Work
A firewall is hardware, software, or a combination of both that is used to prevent unauthorized Internet users from accessing a private network. All information entering or leaving the network must pass through the firewall, which examines the information packets and blocks those that do not meet the security criteria. Sygate Personal Firewall Pro starts with extensive firewall capabilities and then enhances those capabilities with additional ones.

What Does the Software Do?
The Personal Firewall protects an individual computer from network traffic that can cause harm to that computer. It does this in a variety of ways, which can be summarized into three categories of firewall rules:
1. Allow: The Personal Firewall allows some traffic to flow. This is usually traffic that is known to be safe, usually because you have defined it, application by application, to be safe. Examples of traffic normally classified as safe include Outlook, Internet Explorer, Netscape Navigator, Outlook Express, and other common networking and communications software.
2. Block: The Personal Firewall blocks some traffic. This is usually traffic that is known to b
east critical.

signature: A rule that defines how to identify an intrusion. Sygate's Intrusion Detection System identifies known attacks by pattern matching against rules, or signatures, stored in the System Library or a custom library. See also signature library, System Library.

signature library: A set of IDS signatures. Sygate provides a library of known signatures in the System Library, which can be kept up to date by downloading the latest version from the Sygate Technologies web site to your Sygate Personal Firewall Pro. See also System Library.

Smart ARP: An advanced security setting for Sygate Personal Firewall that allows Address Resolution Protocol (ARP) requests only if the machine that sent the incoming packet is recognized within the enterprise's network address space. If the incoming network request is not recognized as being within the enterprise's network address space, the request is blocked.

Smart DHCP: Allows a DHCP client to receive an IP address from a DHCP server while protecting against DHCP attacks from the network. Sygate Personal Firewall software allows an incoming DHCP response for five seconds if that system is awaiting a response from a DHCP request. If no DHCP request was made by the Firewall system, Smart DHCP does not allow the packet. Note that Smart DHCP does not block any packets; blocking is done by the normal security rule set. See also Dynamic Host Configuration Protocol (DHCP).
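The Anti-MAC Spoofing entry (under A) and the Smart DHCP entry here describe the same stateful idea: a reply is accepted only when this host sent the matching request, and anything else is unexpected. The following added illustration in Python, not Sygate's code, models both decisions; the packet dictionaries, the decision strings, the consumption of a pending ARP entry after one reply, the handling of ARP requests for this host's own address, and the log line format are assumptions, while the five-second window is the figure the Smart DHCP entry gives.

```python
"""Stateful ARP and DHCP reply filtering, modelled on the Anti-MAC Spoofing
and Smart DHCP glossary entries. Added example, not Sygate's code: the packet
dictionaries, decision strings, one-reply consumption of a pending ARP entry,
the own-address ARP request case and the log format are assumptions."""
from typing import Dict, List, Optional, Set

DHCP_WINDOW_SECONDS = 5.0   # the window the Smart DHCP entry gives


def arp(op: str, sender_ip: str, sender_mac: str, target_ip: str) -> Dict[str, str]:
    return {"proto": "arp", "op": op, "sender_ip": sender_ip,
            "sender_mac": sender_mac, "target_ip": target_ip}


def dhcp(op: str, server_ip: str = "") -> Dict[str, str]:
    return {"proto": "dhcp", "op": op, "server_ip": server_ip}


class StatefulReplyFilter:
    """Accepts ARP and DHCP replies only when this host asked for them."""

    def __init__(self, my_ip: str) -> None:
        self.my_ip = my_ip
        self.pending_arp: Set[str] = set()              # IPs we sent an ARP request to
        self.dhcp_request_time: Optional[float] = None  # when our last DHCP request left
        self.security_log: List[str] = []

    def outbound(self, pkt: Dict[str, str], now: float) -> str:
        """Record what we asked for; the outbound packet itself is allowed."""
        if pkt["proto"] == "arp" and pkt["op"] == "request":
            self.pending_arp.add(pkt["target_ip"])
        elif pkt["proto"] == "dhcp" and pkt["op"] in ("discover", "request"):
            self.dhcp_request_time = now
        return "allow"

    def inbound(self, pkt: Dict[str, str], now: float) -> str:
        if pkt["proto"] == "arp":
            return self._arp_in(pkt, now)
        if pkt["proto"] == "dhcp":
            return self._dhcp_in(pkt, now)
        return "allow"   # other protocols are left to the normal rule set

    def _arp_in(self, pkt: Dict[str, str], now: float) -> str:
        # A reply is expected only from a host we sent a request to. The entry
        # is consumed, so a second (replayed or gratuitous) reply is unexpected.
        if pkt["op"] == "reply" and pkt["sender_ip"] in self.pending_arp:
            self.pending_arp.discard(pkt["sender_ip"])
            return "allow"
        # Requests for our own address are answered so peers can still reach
        # us (assumption; the glossary entry does not spell this case out).
        if pkt["op"] == "request" and pkt["target_ip"] == self.my_ip:
            return "allow"
        self.security_log.append(
            f"t={now:g} ARP {pkt['op']} from {pkt['sender_ip']} "
            f"({pkt['sender_mac']}) blocked: unexpected ARP traffic")
        return "block"

    def _dhcp_in(self, pkt: Dict[str, str], now: float) -> str:
        # Smart DHCP: a response counts only inside the window after our request.
        if (self.dhcp_request_time is not None
                and 0 <= now - self.dhcp_request_time <= DHCP_WINDOW_SECONDS
                and pkt["op"] in ("offer", "ack")):
            return "allow"
        self.security_log.append(
            f"t={now:g} DHCP {pkt['op']} from {pkt['server_ip']} not allowed: "
            f"no outstanding DHCP request")
        # Smart DHCP does not itself block; the normal rule set decides the packet.
        return "not allowed"


def demo() -> List[str]:
    """Constructed packet sequence; returns the decision for each packet."""
    f = StatefulReplyFilter("10.0.0.5")
    gw_mac, odd_mac = "00-11-22-33-44-01", "00-11-22-33-44-ff"
    return [
        f.outbound(arp("request", "10.0.0.5", "00-11-22-33-44-05", "10.0.0.1"), 0.0),
        f.inbound(arp("reply", "10.0.0.1", gw_mac, "10.0.0.5"), 0.1),    # solicited
        f.inbound(arp("reply", "10.0.0.1", odd_mac, "10.0.0.5"), 0.2),   # repeat reply
        f.inbound(arp("reply", "10.0.0.9", odd_mac, "10.0.0.5"), 1.0),   # unsolicited
        f.inbound(arp("request", "10.0.0.7", odd_mac, "10.0.0.5"), 1.5), # asks for us
        f.outbound(dhcp("discover"), 10.0),
        f.inbound(dhcp("offer", "10.0.0.2"), 13.0),   # inside the 5 s window
        f.inbound(dhcp("offer", "10.0.0.2"), 16.0),   # window expired
    ]


if __name__ == "__main__":
    print(demo())
```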
ed, as shown in the following illustration.

[Pop-up window: Sygate Personal Firewall Pro]
10/23/2003 16:33:40 Internet Explorer (IEXPLORE.EXE) is trying to connect to www.google.com [216.239.57.99] using remote port 80 (HTTP - World Wide Web).
Do you want to allow this program to access the network?
[ ] Remember my answer, and do not ask me again for this application.
[Yes] [No] [Detail <<]
Detailed information of Internet Explorer (IEXPLORE.EXE) and the connection it is trying to establish:
File Version: 6.00.2600.0000 (xpclient.010817-1148)
File Description: Internet Explorer (IEXPLORE.EXE)
File Path: C:\Program Files\Internet Explorer\IEXPLORE.EXE
Process ID: 0xB70 (Heximal) 2928 (Decimal)
Connection origin: local initiated
Protocol: TCP
Local Address: 10.50.2.43
Local Port: 1526
Remote Name: www.google.com
Remote Address: 216.239.57.99
Remote Port: 80 (HTTP - World Wide Web)
Ethernet packet details:
Ethernet II (Packet Length: 76)
Destination: 00-02-b3-5f-a2-da
Source: 00-e0-29-24-5b-42
Type: IP (0x0800)
Internet Protocol Version 4

What Should I Do?
This kind of message is common when you first start using the Personal Firewall. In this particular example, Internet Explorer is trying to access the www.google.com web site at the remote port 80. Most servers use port 80 to send and receive information on the Internet, so this isn't anything unusual.
el of configuration options for protecting your Personal Firewall appears on the General tab. This tab provides access to options for the basic running of the Personal Firewall.

[Options window, General tab (tabs: General, Network Neighborhood, Security, E-Mail Notification, Log, Updates). Sygate Personal Firewall Pro Service: "Hide Sygate Personal Firewall Pro System Tray Icon"; "Automatically load Sygate Personal Firewall Pro service at startup". Screensaver Mode: "Block Network Neighborhood traffic while in screensaver mode". Notification: "Hide notification messages". Password Protection: "Password Protection Disabled", Set Password button, with the note "Enable password protection can protect your security setting being changed by others either mistakenly or maliciously".]

Two buttons appear at the bottom of the Options window and can be accessed from each tab:
- Clicking the OK button applies any changes that you have made in the Options window and then closes the window.
- Clicking the Cancel button ignores any changes you may have made in the Options window and closes the window while retaining the previous settings.

System Tray Icon
Checking this box will hide the System Tray Icon from view or, if it is hidden, will show the System Tray Icon. For details on the System Tray icon, see Shortcut to the Software: the System Tray Icon.

Setting Up Protection by Configuration Changes

Sygate Personal Firewall Service
Click this box to autom
er the log events by date:
1. Click the View menu in the Log Viewer window.
2. Select which events you want to view from the list.

Table 16: Viewing Personal Firewall Packet Log Events by Date
Events / Displays
1 Day Logs: the events recorded on the current day.
2 Day Logs: the events recorded over the past 2 days.
3 Day Logs: the events recorded over the last 3 days, including the current day.
1 Week Logs: the events recorded over the past 7 days.
2 Week Logs: the events recorded over the past 14 days.
1 Month Logs: the events recorded over the last 30 days.
Show All Logs: all Packet Log events.

3. The log automatically displays the requested events.

Viewing the System Log
The System Log records all operational changes, such as the starting and stopping of services, detection of network applications, software configuration modifications, and software execution errors. The System Log is especially useful for troubleshooting the Personal Firewall.

Viewing the System Log
To view the System Log on the Personal Firewall:
- Click the down arrow near the Logs icon on the toolbar, then choose System Log, OR click Tools > Logs > System Log, OR right-click the Tool Bar icon and then click Logs > System Log. You can also click the down arrow next to the Logs icon to choose a different log. The most recently viewed log appears by default, but you can choose any of the
es. The notification pictured below indicates that the Personal Firewall has logged an attack.

[Notification window: "Port Scan attack is logged. Traffic from IP address 192.168.0.3 is blocked from 10/10/2003 15:37:58 to 10/10/2003 15:47:58." with a "Do not show this window again" check box]

If you do not want to see these notifications, you can either click Do not show this window again or you can disable these messages altogether in the Options window under the General tab.

Chapter 6: Setting Up Protection Based on Application
This chapter describes the various ways in which you can protect your system using the Personal Firewall, beginning with the individual applications that you have running on your system. You can set the permission status of an application, and you can change it later on. See below for setting an application's status, and see Reviewing and Changing the Permission Status of an Application for information on changing it later on.

How to Set Permissions by Application
To set the permissions (Allow, Block, Ask) for your applications one by one, you approach through the Applications List. You can access the Applications List by clicking the Applications icon on the toolbar or by selecting Applications under the Tools menu. The Applications List shows all applications and services that have asked you for permission to access your network connection since the installation of the
es can be set up to verify that clients attempting access are running antivirus software, patches, and hot fixes, as well as checking specified registry key values, then update the client's system and files automatically if they are out of date. Formerly called Host Integrity Restoration. This is a feature of Sygate Secure Enterprise.

Host Integrity Restoration: See Host Integrity Remediation.

ICMP: See Internet Control Message Protocol (ICMP).

icon: A small visual image displayed on a computer screen to represent an application, a command, an object, or to indicate status. Icons shown on screens in Sygate software are also used to display status. For example, in the Sygate Personal Firewall interface, blinking blue lights indicate incoming and outgoing traffic.

IDS: See Intrusion Detection System (IDS).

inbound traffic: Traffic that was initiated from a remote computer. See also outbound traffic.

Internet Control Message Protocol (ICMP): An Internet protocol, defined in RFC 792, that is primarily for reporting errors in TCP/IP messages and exchanging limited status and control information.

Internet Information Services (IIS): Web services software from Microsoft that is the Hypertext Transport Protocol (HTTP) server for the Microsoft Windows platform.

Intrusion Detection System (IDS): A device or software that detects and notifies a user or enterprise of unauthorized or anomalous acce
f your system to outside threats. The test is available directly from Sygate via an online connection.

Using Sygate's Online Services
Assessing your vulnerability to an attack is one of the most important steps that you can take to ensure that your system is protected from possible intruders. With what you learn from this battery of tests, you can more effectively set the various options on your Personal Firewall to protect your system from attack.

Click the Security Test button located on the main console of the Personal Firewall, or select Test Your Firewall from the Tools menu. The Sygate Technologies Web page (http://scan.sygate.com) displays. If you then choose Scan Now, the Sygate Online Services scanner scans your computer and attempts to determine your IP address, operating system, Web browser, and other information about your system. You can then choose one of the more focused scans. To find out more about each one, click the name of the scan.
- Quick Scan
- Stealth Scan
- Trojan Scan
- TCP Scan
- UDP Scan
- ICMP Scan

To scan your system, click the name of the scan and then click Scan Now. A brief document of frequently asked questions about Sygate Online Services is also available from the main scan page. Click Scan FAQ at the bottom left side of the screen.

Performing a Quick Scan
Quick Scan is a brief, general scan that encompasses several sca
Table 12: Personal Firewall Traffic Log Parameters and Description (continued)
Name of Parameter / Description
the default).
Remote Port / ICMP Type: Port and ICMP type on the remote computer (only appears in Local View; this is the default).
Local Host: IP address of the local computer (only appears in Local View; this is the default).
Local MAC: MAC address of the local computer (only appears in Local View; this is the default).
Local Port / ICMP Code: Port and ICMP code used on the Personal Firewall computer (only appears in Local View; this is the default).
Source Host: Name of the source computer (only appears in Source View).
Source MAC: MAC address of the source computer (only appears in Source View).
Source Port / ICMP Type: Port and ICMP type on the source computer (only appears in Source View).
Destination Host: IP address of the destination computer (only appears in Source View).
Destination MAC: MAC address of the destination computer (only appears in Source View).
Destination Port / ICMP Code: Port and ICMP code used on the destination computer (only appears in Source View).
Application Name: Name of the application associated with the attack.
User: Login name of the user.
Domain: Domain of the user.
Location: The Location (Office, Home, VPN, etc.) that was in effect at the time of the attack.
Occurrences: Number of occurrences of the attack method.
Begin Time: The time the attack began.
End Time: Time that the atta
grade.
3. Your computer has received a data packet that is not associated with any particular application.
4. The Personal Firewall has detected a Trojan horse on your computer.

New Application Pop-up

You may occasionally see the following pop-up message on your computer screen:

Sygate Personal Firewall Pro
10/23/2003 16:33:40: Internet Explorer (IEXPLORE.EXE) is trying to connect to www.google.com [216.239.57.99] using remote port 80 (HTTP - World Wide Web).
Do you want to allow this program to access the network?
[ ] Remember my answer, and do not ask me again.

What Does This Mean?

The information on the pop-up tells you that the Internet Explorer application is trying to access your network connection. Internet Explorer is trying to load www.google.com, which has an IP address of 216.239.39.99. The server that powers that site is using server port 80.

This pop-up appeared because Internet Explorer has been opened, either directly by you, indirectly by you, or by another application. You might have tried to open Internet Explorer. If so, either this is the first time that you have done so since you installed the Personal Firewall, or you have assigned Internet Explorer a status of Ask, meaning that every time Internet Explorer tries to access your network connection the Personal Firewall will ask you to grant it access; for more information on status, see Reviewing and Changi
the Firewall and VPN are both working:
1. Be sure that you have set the VPN client and all of its components to Allow under the Applications List.
2. Be sure that CheckPoint SecuRemote's firewall has not been enabled. If it has, you will need to take the following steps:
   - Uninstall both the Firewall and the CheckPoint VPN client.
   - Reinstall the Firewall.
   - Reinstall the CheckPoint VPN client software, specifying to install it without the CheckPoint firewall.
3. Check your Traffic Logs to see if anything is being blocked when you try to use the VPN. If it is, create an Advanced Rule to allow those ports or applications.
4. Try creating an Advanced Rule to trust all traffic for the IP of your VPN server.
5. Try disabling driver-level protection:
   - From the Main Menu, click Tools > Options > Security.
   - Be certain that Enable driver-level protection is disabled. The default for this setting is enabled.
6. Try disabling all security options:
   - From the Main Menu, click Tools > Options > Security.
   - Click to clear all options.

What should I do if experiencing a slow or non-existent connection after installing the Personal Firewall?

Here is the recommended procedure. Take the following steps in order, and stop taking steps when your connection is working properly.
1. Be sure that you set your browser to Allow under the Applications List.
2. For DSL connections, be sure that
the attacks originate from one particular IP address.

Appendix B: More About Default Values

This appendix provides a summary listing of the Personal Firewall default settings.

Defaults: A Summary of Rules and Settings

This table provides a summary of rules and settings for the Personal Firewall.

Default Rules and Settings for the Personal Firewall

The following rules and settings apply:
- VPNs enabled: VPNs are enabled.
- IDS is enabled: IDS is enabled immediately, and a new IDS library can be downloaded to the Personal Firewall by using the Update function.
- Ask before application use: Ask for user permission before permitting an application to use the network, and log that decision.
- Security: Normal: The menu shows File, then Security, with the choices Normal, Allow All, and Block All. Normal is the default choice.
- Popup messages enabled.
- Allow ping reply.
- Allow traceroute.
- Browse Network Neighborhood enabled.
- Disable Network Neighborhood sharing: Block access to any files on the end user's computer.
- Screensaver: Ignore status.
- Windows Kernel: Ask before permitting access.
- Block broadcast traffic: Block all multicast and broadcast traffic, and do not log it.
- Block all other traffic: Block all remaining network traffic, and log it. This is the final rule to be implemented and catches everything that has not otherwise been covered.
the following type of access status:
- Allow: An application with a status of Allow is permitted to have access to network connections. Under the Allow status, an application or service can be configured so that it can only access the network if using a certain port or during certain hours.
- Ask: When a new application attempts to access your network connection while you are under the default security setting (Normal), the Personal Firewall displays a pop-up window to ask if you want to allow the application to have access to the network, because the application has a default access status of Ask. If you have not allowed or blocked an application, the Personal Firewall prompts you every time it tries to gain access to the network or modem.
- Block: An application with a status of Block is denied access to the network.

You have several choices when the application pop-up message is displayed, as shown in the following table.

Table 7: Firewall Application Access Status

If you click | If you check the Remember my answer box | Your Personal Firewall will
Yes | No | Ask you if you want to allow the application
No | No | Block the application this time, and in the future ask you if you want to allow the application

If you select:
- Yes, and tell the Personal Firewall to remember your answer, you are no longer prompted. This application is allowed to have access to the network u
her information, see Setting up Advanced Rules.

Enable DoS protection

By default, this option is enabled on the Personal Firewall. This option causes the Personal Firewall to check incoming traffic for known Denial of Service (DoS) attack patterns. DoS attacks are characterized by an explicit attempt by an intruder to prevent legitimate users of a service from using that service.

Anti-Application Hijacking

By default, this option is enabled on the Personal Firewall. This option causes the Personal Firewall to check for malicious applications that work by interjecting DLLs and Windows hooks into Windows applications, and to block those malicious applications when found.

Block Universal Plug and Play (UPnP) Traffic

By default, this option is enabled in the Personal Firewall. This option causes the Personal Firewall to look for and block UPnP traffic, to counter the vulnerabilities that are introduced by this operating system feature. The first vulnerability could enable an attacker to gain complete control over an affected system, while the second vulnerability could enable an attacker to either prevent an affected system from providing useful service or utilize multiple users' systems in a distributed denial of service attack against a single target. Users can disable this feature when using applications that require the UPnP protocol to operate.

Automatically block attacker's IP address for [ ] second(s)

By default, this option is enabled
whether or not a computer can gain access to a network. For example, a firewall rule may state "Port 80 is allowed."

Fragmented Packets
A packet that is broken into smaller pieces to send the packet more efficiently through an organization's network or the Internet. When Allow Fragmented Packets is enabled, the Firewall automatically allows the fragmented packets. See also: packet.

H

hijack
A type of attack where an intruder takes control of an existing communication session between a server and a legitimate user who has connected and authenticated with the server. The intruder can monitor the session passively, recording the transfer of sensitive information such as passwords and code. Another type of hijacking involves an active attack, done by forcing the user offline with a Denial of Service attack and taking over the session. The intruder begins acting like the user, executing commands and sending information to the server.

Host Integrity
The ability to define, enforce, and restore the security of clients in order to secure enterprise networks and data. Host Integrity rules can be set up to verify that clients attempting network access are running antivirus software, patches and hot fixes, and other application criteria. This is a feature of Sygate Secure Enterprise. See also: Sygate Enforcer.

Host Integrity Remediation
A feature that allows an automatic system update if needed. Working together with the Sygate Enforcer, Host Integrity rul
field and enter a size in kilobytes of the maximum size for the log file.
2. Click OK.

To Set Log Days
1. Click the appropriate Save Log File for the Past field for the log you want to configure.
2. Enter a number of days.
3. Click OK.

To Clear the Log
To clear a log from the Log File tab, click Clear Logs for the log you want to clear.

To Enable the Security Log
1. Click Enable Security Log to enable this choice.
2. Select a maximum file size (512 Kb is the default setting).
3. Enter a number of days for which the Personal Firewall should save the log file entries.
4. Click OK.

To Enable the System Log
1. Click Enable System Log to enable this choice.
2. Select a maximum file size (512 Kb is the default setting).
3. Enter a number of days for which the Personal Firewall should save the log file entries.
4. Click OK.

To Enable the Traffic Log
1. Click Enable Traffic Log to enable this choice.
2. Select a maximum file size (512 Kb is the default setting).
3. Enter a number of days for which the Personal Firewall should save the log file entries.
4. Click OK.

To Enable the Packet Log
1. Click Enable Full Packet Logging to enable this choice.
2. Select a maximum file size (1024 Kb is the default setting).
3. Enter a number of days for which the Personal Firewall should save the log file entries.
4. Click OK.

Chapter 8: Configuring Advanced Rules for
ine ... 36
To Set Advanced Configuration ... 36
To Enable Scheduling ... 38
Reviewing and Changing the Permission Status of an Application ... 38
What is Access Status ... 38
To Change the Status of an Application ... 40
Chapter 7: Setting Up Protection by Configuration Changes ... 41
How to Change Configuration Options ... 41
Review of General Configuration Options ... 42
System Tray Icon ... 42
Sygate Personal Firewall Service ... 43
Screensaver Mode ... 43
Hide Notification Messages ... 43
Password Protection ... 43
Sharing Files and Folders ... 44
Network Neighborhood ... 44
Setting Detailed Security Options ... 45
Enable Intrusion Detection System ... 45
Enable Anti-MAC Spoofing ... 46
Enable Port Scan Detection
infect your computer files.

Table 6: Pop-up Remember My Answer
Check Remember my answer box | Status Assigned
 | Ask

I Changed My Mind

What if you change your mind about an application after you have allowed it or blocked it? Simply go to the main console of the Personal Firewall, right-click on the application's icon in the Running Applications field, and click the desired status (Allow, Ask, or Block) from the menu that appears.

Changed Application Pop-up

Occasionally you might see a pop-up such as the one pictured below:

Sygate Personal Firewall Pro
10/13/2003 12:39:51: Microsoft Telnet Client has changed since the last time you used it. This could happen if you have updated it recently. Click Detail to see more information.
Do you want to allow it to access the network?

What Does This Mean?

The application listed on the pop-up message is trying to access your network connection. Although the Personal Firewall recognizes the name of the application, something about the application has changed since the last time the Personal Firewall encountered it. This could be because you have upgraded the product recently. The Personal Firewall uses an MD5 checksum to determine the legitimacy of an application. An upgraded version might not pass the checksum test, since a new build or new version of the application is likely to have a different checksum value. On the other hand, if you hav
ion service or operating system. The information is used to track the operations performed.

lsass.exe
A Local Security Authority Service Executable and Server DLL on the Windows operating system. It is a Windows security mechanism used to verify user logins.

M

MAC address
A vendor hardware address that identifies computers, servers, routers, or other network devices. See also: Anti-MAC Spoofing.

MAC Spoofing
Intruders use a technique called MAC (media access control) spoofing to hack into a victim's computer by using the MAC address of another computer to send an ARP (Address Resolution Protocol) response packet to the victim, even though the victim did not send an ARP request. The victim host renews its internal ARP table using the malicious ARP response packet. See also: Anti-MAC Spoofing.

mapisp32.exe
Microsoft Windows Messaging Subsystem Spooler; allows mail applications to use a standard Messaging Application Program Interface (MAPI) to access messages, addresses, and transport services.

MD5 hash
A one-way function that produces a unique 128-bit value. MD5 hashing transforms information and produces a value that cannot be changed back into its original form. This method is used for encrypted authentication, for example verifying passwords or authenticating applications.

mstask.exe
The Task Scheduler engine used by the Windows operating system.

multicast
Sending a messag
with your computer. If this happens, enable ICMP using the Advanced Rule editor:
1. From the Main Menu, click Tools > Advanced Rules. You may have to click OK on a warning message before entering the Editor.
2. Click Add. This will bring up a new rule template.
3. Give the rule a name, such as Allow ICMP, and then click Allow this traffic.
4. Click the Ports and Protocols tab and select ICMP from the dialog box. You will get another list of options from which to choose.
5. Click Echo Reply (0) and Echo Request (8).
6. Click OK to exit this rule.
7. Click OK to exit the Advanced Rule editor.

Glossary

A

access point
A network connection that allows a computer or user to connect to an enterprise network. Virtual Private Networks (VPNs), wireless communications, and Remote Access Service (RAS) dial-up connections are examples of access points. See also: end point, wireless access point (wireless AP).

Active Directory
A Microsoft Windows directory service that maintains information about objects connected to a network, on a server called the Microsoft Windows 2000 Active Directory server. Active Directory makes it so network users can log on once to use resources for which they have been granted access anywhere on the network. See also: directory server, LDAP.

Active Response
The ability to automatically block the IP address of a known intruder for a specific amount of time. The amount of time that the Sygate Personal Firewall blocks the IP a
will be in effect, see To Enable Scheduling below.

To Enable Scheduling

You can also set times for which the advanced configurations take effect. This scheduling lets you set up the application restrictions to be in effect either during a specific time period or excluding a specific time period, using the list boxes on this screen.
1. Click Enable Scheduling, below the Ports section on the Advanced Application Configuration screen.
2. Click either During the period below or Excluding the period below.
3. Select a Beginning Month, Day, Hour, and Minutes from the appropriate list boxes.
4. Enter a duration in units of Days, Hours, and/or Minutes.
5. Click OK to set scheduling restrictions.

Reviewing and Changing the Permission Status of an Application

Depending on the type of control that the Personal Firewall is under, you may or may not be able to change an application's access status.
- What is access status?
- How do I change an application's access status?

What is Access Status?

Access Status is a set of rules that governs how many rights an application has in terms of having access to your network connection or modem. Depending on what status is assigned to an application or service, and how much configuration you apply to it, an application can either gain access to your network any time, under certain conditions, with your permission, or be blocked from gaining access to the network altogether. The Personal Firewall provides t
logs to view.

Icons for the System Log

When you open the System Log, icons are displayed at the left side of the first column. These are graphical representations of the kind of event logged on each line, and they provide an easy way to scan the System Log for possible system errors.

Table 17: Icons for the Personal Firewall System Log
Icon | Description
[icon] | Error
[icon] | Information

Personal Firewall System Log Parameters and Description

The Event Log is a data sheet where each row represents a logged event and the columns display information regarding the event. The columns are:

Table 18: Personal Firewall System Log Parameters and Description
Name of Parameter | Description
Time | The date and time that the event has been logged
 | The type of event represents an Error, Warning, or Information. An Error log indicates a problem with the source, a Warning log indicates a potential problem, and an Information log provides information about an event involving the Personal Firewall.
ID | The ID assigned to the event by the Personal Firewall
Summary | Summary description of the event

Description and Data Fields for the System Log

Below the rows of logged events are the Description and Data fields. When you click on an event row, the entire row is highlighted. A description of the event, such as "Install WsProcessSensor successful", appears in the Description field.

Viewing the System L
[Applications tab screenshot: a table of applications listed by file name, version, size, and path (for example the LAPLINK Core component under c:\program files\laplink gold), with Select All and Clear All buttons]

Rule Summary: This rule will block both incoming and outgoing traffic from/to all hosts on all ports and protocols. This rule will be applied to all network interface cards. The rule will take effect every day at 12:00 AM and last for 1 hour.

1. To select an application to be affected by this rule, click the box next to its name under the FileName column. You can select all applications in the table by clicking the Select All button. To browse for applications that are not displayed in the table, click Browse and select the application from its directory.
2. You can choose to display only the applications that you have selected to be controlled by this rule by clicking Display selected applications only.

The Rule Summary at the bottom of the window provides a description of the rule and what traffic it will affect on your system.

Appendix A: Monitoring Your System Logs

This appendix describes how you can monitor your system by using the logs that are present in the Personal Firewall. It begins with an overview of logs, describes how to export logs, and then describes each log, concluding with a section on back-tracing logged events. The following topics are included:
- Understanding Logs
- Exporting Logs
- Viewing Logs
Multiple IP addresses assigned to a single NIC ... 92
What should I do if I am having trouble with Network Shares ... 92
Firewall Protection Against Attacks, Viruses, Trojans ... 94
Does the Firewall protect against viruses and Trojans ... 94
After updating one of my applications the Firewall shows a major attack. Do I have a Trojan ... 94
Does the Firewall do Stateful Packet Inspection ... 94
Firewall and Internet Connection Sharing, VPNs, and Networking ... 95
Is the Personal Firewall compatible with Microsoft's Internet Connection Sharing (ICS) ... 95
How do I configure the Personal Firewall to work with ICS ... 95
When the Test button is clicked the Personal Firewall starts the Internet Connection Wizard. Why? ... 96
How do I set up the Personal Firewall to work with my CheckPoint VPN client ... 96
What should I do if experiencing a slow or non-existent connection after installing the Personal Firewall ... 97
Should I Allow the win32 kernel core or ntkernel component? What about ICMP? ... 98
Glossary ... 99
m, and the program is automatically terminated. The Personal Firewall specifies the location of the Trojans, but does not delete them from your computer.

After updating one of my applications, the Firewall shows a major attack. Do I have a Trojan?

Upgrading any program will change the MD5 checksum, a value that the Personal Firewall uses to verify the integrity of each application on your computer. When the Personal Firewall sees that the executable for an application has been changed, it logs this in the Security Log with a severity of Major. If you have updated the software yourself, then there is probably no Trojan attached to it. However, if you have not updated the software and you receive this message, you should block the application and install a virus scanner using the latest signatures to remove this Trojan.

Does the Firewall do Stateful Packet Inspection?

Yes, the Personal Firewall does Stateful Packet Inspection on every Remote TCP connection. The Personal Firewall also uses an algorithm to check Remote UDP and DHCP traffic to make sure that the communication is secure.

Firewall and Internet Connection Sharing, VPNs, and Networking

The usual questions that come up in this area include:

Is the Personal Firewall compatible with Microsoft's Internet Connection Sharing (ICS)?

Yes, it is.

How do I configure the Personal Firewall to work with ICS?

To configure the Pers
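As an added illustration (not Sygate's code) of the checksum-bound access status behind the Changed Application pop-up and the Major security log entry described above, the following Python model keeps, per executable, the user's Yes/No and "Remember my answer" decision together with the MD5 digest of the binary that was approved; the path and the binary images in the comments and test are constructed.

```python
import hashlib
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Hypothetical model of the Applications List (added illustration, not
# Sygate's code): per executable path the firewall keeps the access status
# the user chose and the MD5 checksum of the binary at the time it was chosen.


@dataclass
class AppEntry:
    status: str   # "Allow", "Ask" or "Block"
    md5: str      # hex digest of the executable when the status was set


@dataclass
class ApplicationList:
    entries: Dict[str, AppEntry] = field(default_factory=dict)
    # (path, severity, message) records, mirroring the Security Log
    security_log: List[Tuple[str, str, str]] = field(default_factory=list)

    @staticmethod
    def checksum(image: bytes) -> str:
        return hashlib.md5(image).hexdigest()

    def on_network_access(self, path: str, image: bytes) -> str:
        """Decide what happens when an executable tries to use the network.

        Returns "allow", "block", "prompt-new" (New Application pop-up),
        "prompt-ask" (status Ask, so the user is asked every time) or
        "prompt-changed" (Changed Application pop-up, also logged as a
        Major event because the executable no longer matches its checksum).
        """
        entry = self.entries.get(path)
        if entry is None:
            return "prompt-new"
        if entry.md5 != self.checksum(image):
            self.security_log.append((path, "Major", "executable changed"))
            return "prompt-changed"
        if entry.status == "Allow":
            return "allow"
        if entry.status == "Block":
            return "block"
        return "prompt-ask"

    def answer_popup(self, path: str, image: bytes,
                     clicked_yes: bool, remember: bool) -> str:
        """Apply the Yes/No plus "Remember my answer" table and return the
        resulting status: Allow or Block when remembered, otherwise Ask."""
        if remember:
            status = "Allow" if clicked_yes else "Block"
        else:
            status = "Ask"
        # The status is always bound to the checksum seen at decision time,
        # so a later upgrade of the binary produces the Changed Application
        # pop-up instead of silently inheriting the old decision.
        self.entries[path] = AppEntry(status, self.checksum(image))
        return status
```

MD5 is no longer collision resistant, so a check like this catches an unexpected replacement of a binary but is not a substitute for verifying a code signature.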
Smart DNS
Allows a Domain Name Server (DNS) client to resolve a domain name from a DNS server while providing protection against DNS attacks from the network. This option blocks all Domain Name Server (DNS) traffic except outgoing DNS requests and the corresponding reply. If the client computer sends out a DNS request and another computer responds within five seconds, the communication is allowed. All other DNS packets are dropped. Smart DNS does not block any packets; blocking is done by the normal security rule set.

Smart WINS
Allows Windows Internet Naming Service (WINS) requests only if they were solicited. If the traffic was not requested, the WINS reply is blocked.

sniffing
The process of actively capturing datagram and packet information from a selected network. Sniffing acquires all network traffic, regardless of where the packets are addressed.

source IP address
The IP address from which the traffic originated. See also: IP address.

source port
The port number on which the traffic originated. See also: port.

spoofing
A technique used by an intruder to gain unauthorized network access to a computer system or network by forging known network credentials. IP spoofing is a common method for intruders to gain unauthorized network access to a computer system or network.

Stealth Mode Browsing
An option that detects all HTTP traffic on port 80 from a web browser and removes information such as the browser name and version, the operating sys
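An added example (not Sygate's code) of the Smart DNS and Smart WINS behaviour described above, written as a stateful filter in Python. The packet records are constructed, and keying replies on the server address plus the transaction ID is my own tightening; the guide states only the five-second window for DNS and solicited-only for WINS.

```python
from dataclasses import dataclass
from typing import Dict, Tuple

# Hypothetical stateful filter modelling Smart DNS and Smart WINS (added
# illustration, not Sygate's code).  Matching a reply on server address and
# transaction ID is an assumption; the guide only gives the 5 s DNS window.

DNS_PORT = 53
WINS_PORT = 137            # NetBIOS name service
DNS_REPLY_WINDOW = 5.0     # seconds a DNS reply may trail its request


@dataclass(frozen=True)
class Packet:
    t: float            # seconds since capture start
    direction: str      # "out" = sent by this host, "in" = received
    proto: str          # "udp" or "tcp"
    remote_ip: str      # the name server (or whoever is talking to us)
    remote_port: int
    txid: int           # DNS / NetBIOS name-service transaction ID


class SmartNameFilter:
    def __init__(self, smart_dns: bool = True, smart_wins: bool = True) -> None:
        self.smart_dns = smart_dns
        self.smart_wins = smart_wins
        # outstanding requests: (service port, server ip, txid) -> time sent
        self.pending: Dict[Tuple[int, str, int], float] = {}

    def _covered(self, p: Packet) -> bool:
        """True when one of the Smart options owns this packet."""
        return (p.remote_port == DNS_PORT and self.smart_dns) or \
               (p.remote_port == WINS_PORT and self.smart_wins)

    def decide(self, p: Packet) -> str:
        """Return "allow", "drop", or "pass".

        "pass" means the packet is not name-service traffic handled here,
        so the ordinary security rule set decides what happens to it.
        """
        if not self._covered(p):
            return "pass"
        key = (p.remote_port, p.remote_ip, p.txid)
        if p.direction == "out":
            self.pending[key] = p.t          # remember the outgoing request
            return "allow"
        # Inbound: only a reply to something we asked for may come through.
        sent = self.pending.pop(key, None)   # each request is answered once
        if sent is None:
            return "drop"                    # unsolicited reply or inbound query
        if p.remote_port == DNS_PORT and p.t - sent > DNS_REPLY_WINDOW:
            return "drop"                    # reply arrived after the window
        return "allow"
```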
n a fixed-size buffer. Buffer overflow attacks occur when an intruder is able to send data in excess of a fixed-size application buffer and the application does not check to ensure this doesn't happen. By overflowing a buffer with executable code, an intruder can cause an application to perform unexpected and often malicious actions using the same privileges the application has been granted.

C

client
A computer or program that uses shared resources from another computer, called a server.

computers
A personal computer, laptop, or workstation where users perform their work. In an enterprise environment, computers are connected together over a network.

D

Data Encryption Standard (DES)
An algorithm for protecting data using private encryption keys. DES-CBC is the Cipher Block Chaining (CBC) mode of DES, a stronger form of encryption which applies an exclusive OR to each block of data with the previous block and then encrypts the data using the DES encryption key. 3DES, or Triple DES, is the strongest form of encryption, where each data block is encrypted three times with different keys. See also: encryption.

demilitarized zone (DMZ)
A security measure used by a company that can host Internet services and has devices accessible to the Internet; the DMZ is an area between the Internet and the internal network that prevents unauthorized access to the internal corporate network using a firewall or gateway.

Denial of Servic
n use as many sections as necessary to specify the conditions and characteristics (time of day, type of traffic, port number) that will cause the rule to take effect, as well as the effect the rule will have. The more information and characteristics that you enter in the Advanced Rule Settings dialog box, the more specific the rule will be. Note that each tab that contains specified information contributes to the functioning of a rule.

Advanced Rules: Provide a Name, Specify Allow or Block

The General tab is used to provide a name for the rule you are creating, as well as the effect that the rule will have: allowing or blocking traffic.

[Advanced Rule Settings dialog with tabs General, Hosts, Ports and Protocols, Scheduling, and Applications. The General tab shows: Rule Description; Action (Block this traffic / Allow this traffic); Advanced Settings: Apply Rule to Network Interface (All network interface cards), Apply this rule during Screensaver Mode (Both on and off), Record this traffic in Packet Log; Rule Summary: "This rule will block both incoming and outgoing traffic from/to all hosts on all ports and protocols. This rule will be applied to all network interface cards."]

1. First, enter a rule description. This will also function as the name of the rule, and it should indicate qualities of the rule. For instance, Rule1 may not be a very good name for a rule, but Block After 10 PM would be, assuming the
n window is displayed. Information appears regarding the backtracing of the IP addresses that the log event data visited before arriving at your computer's front door.

[Back Trace Information dialog: a Trace Route table with Hop, Time (ms), and IP address columns, one row per router hop, and a Whois button]

The Trace Route field provides details on each hop made by the data packet that was logged by the Personal Firewall. A hop is a transition point, usually a router, that a packet of information travels through as it makes its way from one computer to another on a public network such as the Internet.

[Diagram: Hacker's Computer, then Hop 6, Hop 5, Hop 4, Hop 3, Hop 2, Hop 1 (routers on the public network), then Your Computer]

Backtracing is the process of following a data packet backwards, discovering which routers the data took in order to reach your computer. In the case of a Security Log entry, you can trace a data packet used in an attack attempt. Each router that a data packet passes through has an IP address, which is provided in the Trace Route field.

WhoIs

Clicking the WhoIs button prompts the Personal Firewall to pull up detailed information on each hop logged in the Trace Route field. The information is displayed in a drop-down Detail Inf
nce of your IT department.

Why Did I Get a Security Notification?

Security notifications are designed to let you know the status of your security. You will see a security notification for one of two reasons:
- Blocked Application Notification: An application that has been launched from your machine has been blocked in accordance with rules that you have set.
- Security Alert Notification: There has been an attack launched against your machine, and this notification will either simply inform you of the situation or provide instructions on how to deal with it.

Blocked Application Notification

You may see notification messages above your system tray icon from time to time. They indicate that your system has blocked traffic that you have specified as not trusted. Please note that if you are operating under Block All mode, you will see these messages quite often. On the other hand, if you are operating in Allow All mode, you won't see any notifications at all.

Application Internet Explorer has been blocked. File name is IEXPLORE.EXE.
[ ] Do not show this window again

If these notifications start annoying you, you can either click Do not show this window again, or you can disable these messages altogether in the Options window under the General tab.

Security Alert Notification

You may see notification messages above your system tray icon from time to time. There are two types of notification messag
ness of the Personal Firewall.

Table 5: Firewall Menus

Menu | Menu choices
View | The View menu gives users the option to alter the display of software programs in the Running Applications field. These programs are applications that are currently accessing or attempting to access the network connection.
- Large Icons: Displays 32x32 icons in the field. Each icon represents a software application or a system service.
- Small Icons: Displays 16x16 icons. Both the large and small icon displays provide the full name of the application below the icon itself, and the icons are displayed in a corkboard fashion.
- List: Provides small icon representations, with the icons displayed in a standard list.
- Applications Details: Provides not only a list of all running applications but also useful information on the version number and location (path) of each application.
- Connection Details: Provides further information on the type of connection being made by each application accessing the network adapter, as well as the protocol, local and remote ports and IP addresses being used, the application path, and more.
- Hide Windows Services: Toggles the display of Windows Services in the Running Applications field.
- Hide Broadcast Traffic: Toggles the display of broadcast traffic in the Running Applications field.
- Managed Personal Firewall: Links to the Sygate Technologie
ng the Permission Status of an Application.

What if you did not directly try to open Internet Explorer? Perhaps you clicked on a link to a web site in an email. In such a case, it is probably safe to click Yes and allow Internet Explorer to access the network.

What if you didn't open any program or click on any link, and a program suddenly tries to access your network connection? Again, there could be a number of different reasons. However, if you haven't opened any programs that use the application listed on the pop-up message, or can't see any reason why that application should try to access your network connection, it is always safest to click No. This might indicate the presence of a Trojan horse on your computer, something that needs to be checked immediately.

Detail

Clicking the Detail button expands the pop-up box, providing further details on the connection the application is attempting to establish. Information such as the file name, version, and path are provided. Look at these items to make sure that they match the description of the application that you normally use. The details section should also indicate the location to which the file was attempting to connect: either local, meaning that it was trying to connect to your computer, or remote, meaning that the application was attempting to connect to an outside destination. Additionally, the local and remote port numbers and IP addresses should be provid
94. nning processes. It usually takes 20 seconds or less to accurately scan your computer's ports, protocols, services and possible Trojans. The results are recorded in the Personal Firewall's Security log.
Performing a Stealth Scan. The Stealth scan scans your computer using specialized stealthing techniques, which mimic portions of legitimate computer communication to detect the presence of a computer. The Stealth scan takes about 20 seconds to complete and is most likely not recorded in the Security log.
Performing a Trojan Scan. The Trojan scan feature scans all of your computer's 65,535 ports for active Trojan horse programs that you or someone else may have inadvertently downloaded. The Trojan scan takes about 10 minutes to complete. A list of common Trojans is available on the Web site.
Performing a TCP Scan. The TCP scan examines the 1,024 ports that are mainly reserved for TCP services, such as instant messaging services, to see if these ports are open to communication. Open ports can indicate a dangerous security hole that can be exploited by malicious hackers. It scans ports on your computer that are connected to devices such as routers and proxies, for users connecting to the Web site through such a device. The scan takes about 20 minutes to complete and is logged by the Personal Firewall as a scan event in the Security log.
Performing a UDP Scan. The UDP scan uses various methods and protocols to probe for open ports utilizing UDP
95. ntil you change its access status. The application now has a status of Allow.
Yes, but you do not elect to have the Personal Firewall remember your answer: every time this application attempts to gain access to the network, you are asked whether the application is to be allowed or denied access. This application now has a status of Ask.
No, and you tell the Personal Firewall to remember your answer: you are no longer prompted. This application is systematically denied access to the network unless you change its access status. This application now has a status of Block.
No, but you do not elect to have the Personal Firewall remember your answer: every time this application attempts to gain access to the network, you are asked whether the application is to be allowed or denied access. This application now has a status of Ask.
If you change your mind about the access status of an application, you can change its status from the Applications List.
To Change the Status of an Application
1. Open the Applications List.
2. Click on the File Name of the appropriate application until the row is highlighted.
3. Right-click on the highlighted row.
4. Click the appropriate access status (Allow, Ask or Block) from the list.
5. Click OK to close the Applications List.
Chapter 7 Setting Up Protection by Configuration Changes. This chapter provides details how to
96. o determine all the hops between your computer and an intruder on another computer.
Exporting Logs. Logs can be exported and saved in different locations. You may want to do this to save space, but it is more likely that you do this to import them into a tool such as Microsoft Excel. Logs are an excellent tool for analyzing the traffic and the security incidents on your computer.
1. To export a log file, open the log in the Log Viewer.
2. Open the File menu and select Export.
3. In the Save As window, select the location for the log file. We recommend giving it an appropriate name incorporating the date and type of log file (Security, Traffic, etc.).
4. Click Save.
Viewing Logs. You can view the following types of logs for the Personal Firewall:
Security: The Security log for the Personal Firewall records DoS attacks, port scans, executable file alterations, Trojan horse attacks and host integrity.
Traffic: The Traffic log for the Personal Firewall is a record of Personal Firewall network traffic.
Packet: The Packet log for the Personal Firewall captures data packets for the Personal Firewall network traffic.
System: The System log for the Personal Firewall only deals with the operation of the Personal Firewall.
To view logs on the Personal Firewall: click the Logs icon on the toolbar, OR click Tools > Logs, OR
97. o if I am having trouble with Network Shares? In order to share files and printers or to access mapped drives with the Personal Firewall, you must allow this feature for your inside NIC. To do this:
1. From the Main Menu click Tools > Options > Network Neighborhood.
2. Enable both network settings for your inside NIC by clicking Allow to browse Network Neighborhood files and printer(s) and by clicking Allow others to share my files and printer(s).
3. From the Main Menu click Tools > Options > Security.
4. Be certain that Enable driver level protection and NetBIOS Protection are disabled. The default for these settings is enabled.
5. From the Main Menu click Tools > Applications, or click the Applications button.
6. Set the following applications to Allow in the Running Applications list: mpstv, kernel, ntoskrnl, svchost, NetBeui. Also possibly set these applications to Allow: tcpsvcs, nwlnkipx.sys, ndisuio.sys, ssdpsrv.
Firewall Protection Against Attacks, Viruses, Trojans. The usual questions that come up in this area include:
Does the Firewall protect against viruses and Trojans? The Personal Firewall does not check for viruses, but it works well with virus scanning software. Programs that access the network are checked for Trojans. If one is found, network access is blocked to that Trojan progra
98. ocols. This rule will be applied to all network interface cards. The rule will take effect every day at 12:00 AM and last for 1 hour.
2. Decide if you want the schedule to take place during a certain time period or outside of a certain time period. Click either During or Excluding.
3. Select a month, day and beginning time from the list boxes, or leave the default settings, which will apply the rule schedule to all day, every day, all year.
4. If you have a beginning time, enter a duration for the rule's effect.
5. The Rule Summary field at the bottom of the General tab provides a summary of the rule's functionality. Click OK to set the rule, or click on another tab to further specify rule conditions and properties.
Advanced Rules: Specifying Applications. You can specify applications that will be affected by advanced rules. The Applications tab provides a list of all applications that have accessed your network connection.
[Screenshot: Advanced Rule Settings dialog, Applications tab (tabs: General, Hosts, Ports and Protocols, Scheduling, Applications), with a "Display selected applications only" check box and a list of applications by File Name, Version and Path, including Norton Antivirus, Windows Explorer, Internet Explorer and Windows Update]
99. og Events by Date
1. To filter the log events by date, click the View menu in the Log Viewer window.
2. Select which events you would like to view from the list.
Table 19 Viewing Personal Firewall System Log Events by Date (Events / Displays)
1 Day: Logs the events recorded on the current day.
2 Day: Logs the events recorded over the past 2 days.
3 Day: Logs the events recorded over the last 3 days, including the current day.
1 Week: Logs the events recorded over the past 7 days.
2 Week: Logs the events recorded over the past 14 days.
1 Month: Logs the events recorded over the last 30 days.
Show All: Logs all System Log events.
3. The log automatically displays the requested events.
Back Tracing Logged Events on the Personal Firewall. Back tracing enables you to pinpoint the source of data from a logged event. Like retracing a criminal's path at a crime scene, back tracing shows the exact steps that incoming traffic has made before reaching your computer and being logged by the Personal Firewall. The option to back trace a log event is available in both the Security and Traffic logs.
To Backtrace a Log Event
1. In an open log file, click on an event until it is highlighted.
2. Right-click on the highlighted event. A pop-up window prompts you to BackTrace.
3. Click on the BackTrace option. The Personal Firewall begins back tracing the event. The BackTrace Informatio
100. on see 81
Packet Decode and Packet Dump for the Packet Log 82
Back Tracing Packet Log Events 82
Viewing the Packet Log Events by Date 83
Viewing the System Log 84
Viewing the System Log 84
Icons for the System Log 84
Personal Firewall System Log Parameters and Description 84
Description and Data Fields for the System Log 85
Viewing the System Log Events by Date 85
Back Tracing Logged Events on the Personal Firewall 86
To Backtrace a Log Event 86
[illegible entry] 87
Appendix B More About Default Values 89
Defaults: A Summary of Rules and Settings 89
Default Rules and Settings for the Personal Firewall 89
Appendix C Troubleshooting Sygate Personal Firewall Pro 91
Firewall Configuration, Usage and Software Expiration 92
Can I continue using the product after the end of the upgrade protection period? 92
Will the Firewall work on a computer that has mu
101. onal Firewall to work with ICS, all operating systems should be set as follows:
1. From the Main Menu click Tools > Applications, or click the Applications button.
2. Set the following applications to Allow in the Running Applications list: Kernel, LSA Shell, Generic Host Process, Application Layer Gateway Service (for Windows XP), NDIS User mode I/O Driver.
Based on the particular operating system in use, set the following applications to Allow:
For Windows 98/ME: ICSHAREP.VXD, ICSMGR.EXE, NDIS, NetBeui, IPX (if used), Kernel.
For Windows 2000: LSASS.EXE, TCP/IP, NDIS, NetBeui, IPX (if used), Kernel.
For Windows XP: LSASS.EXE, ALG.EXE, NDIS, Kernel.
When the Test button is clicked, the Personal Firewall starts the Internet Connection Wizard. Why? The Firewall service uses the Windows System Account for access. Because each user account in Windows can have different settings, sometimes the Windows System Account does not have the same Internet Explorer settings. In this case you must manually set up the Internet Connection Wizard after clicking on one of the Firewall's built-in links.
How do I set up the Personal Firewall to work with my CheckPoint VPN client software? To allow CheckPoint's VPN client to work with the Personal Firewall, take the following steps in order. Stop taking steps when t
102. ormation panel. Please note that the information displayed does not guarantee that you have discovered who the hacker actually is. The final hop's IP address lists the owner of the router that the hackers connected through, and not necessarily the hackers themselves.
[Screenshot: Back Trace Information window with a trace route table (Hop, Time, IP address) of eight hops starting at 10.0.0.190, and a Whois panel giving the detail information of 10.0.0.190: IANA-RESERVED-5, Internet Assigned Numbers Authority, Information Sciences Institute, University of Southern California, 4676 Admiralty Way, Suite 330, Marina del Rey, CA 90292-6695; Netname RESERVED-10; Netblock 10.0.0.0 - 10.255.255.255; Coordinator]
You can cut and paste the information in the Detail information field by pressing Control-C to copy the information to the Windows clipboard and then pasting it (Control-V) into an e-mail message, for example to your system administrator, asking about a particular site that connects to your computer. Please note that the information provided in the Detail Information panel should be used responsibly. It is not advisable to contact persons listed in the Detail Information field unless you are experiencing a high number of security logs, in which t
103. ost, if not all, Windows applications use DLLs to run, and each application uses specific DLLs. Often several applications will access the same DLL. However, some hackers try to disguise malicious code or applications as DLLs and use them to hack computers. Most DLLs have a file extension of .dll, .exe, .drv or .fon. Enabling DLL authentication means that you allow the Personal Firewall to determine which DLLs are used by which trusted applications and to store that information. The Personal Firewall then blocks applications that are using DLLs that are not associated with a trusted application, or DLLs that are associated with a trusted application and that have changed. Note that this may take place if you download a patch to an application that modifies that application's DLL, in which case you are prompted to approve or reject using this changed DLL. Because this option can interfere with the functioning of Windows applications, it is recommended that only users who have a firm understanding of Windows and DLLs enable this feature.
Automatically allow all known DLLs. By default this option is enabled in the Personal Firewall. This option will automatically allow DLL modules that are commonly loaded by the network application without prompting the user. Disabling this feature will cause the engine to prompt for permission on all new DLLs that are loaded and may cause very frequent prompting when using a complex network application such a
104. otocol driver to exit the network surreptitiously.
R
registration code: An alphanumeric value that must be specified during the installation of the Sygate Personal Firewall Pro.
remote IP address: The IP address of the computer to which information is being transmitted.
remote port: A port on another computer attempting to transmit information over a network connection.
restoration: See Host Integrity remediation.
rule: See Advanced Rule, firewall rule, Simple Rule.
Running Applications list: Located below the traffic flow graphs, a list of all applications and services that are currently accessing or attempting to access a Firewall's network connection. The status of the applications is also displayed.
S
Schedule: An Advanced Rule that allows for triggering an event at certain times of the day.
security alerts: A sound or notification indicating that the Sygate Personal Firewall has detected an attack against the client computer.
server: A computer on a network that manages network resources for one or more clients.
service: A network port, a UDP port, an IP protocol type or an ICMP type.
services.exe: Services and Controller application, a standard controller that manages many Windows services.
severity: A mechanism for the Sygate Personal Firewall logging system that indicates how critical an event is. Severity ranges from 0 to 15, where 0 is the most critical and 15 is l
105. pendix C Troubleshooting Sygate Personal Firewall Pro. This section is designed to help you to understand some of the areas that are sometimes causes of confusion. It includes questions and answers on:
Firewall Configuration, Usage and Software Expiration
Firewall Protection Against Attacks, Viruses, Trojans
Firewall and Internet Connection Sharing, VPNs and Networking
For the most up-to-date information, go to the Sygate Forums: http://forums.sygate.com/vb/forumdisplay.php?s=&forumid=35
Firewall Configuration, Usage and Software Expiration. The usual questions that come up in this area include:
Can I continue using the product after the end of the upgrade protection period? As with most software, the Personal Firewall will never stop functioning once it has been registered. Purchasing the Upgrade Option gives you free updates and upgrades for a year, which includes updates to the Intrusion Detection signatures and upgrades to the Personal Firewall software.
Will the Firewall work on a computer that has multiple IP addresses assigned to a single NIC? The Personal Firewall cannot detect your network card if you are running Windows NT 4.0, Windows 2000 or Windows XP AND if you have multiple IP addresses assigned to one or more of the network adapters. You will need to remove the other IP address if you want to run the Personal Firewall software.
What should I d
106. quire information or gain access. Because the intruder appears to be someone else, if a reply is sent it goes to the spoofed address, not the intruder's address. See also Anti-IP Spoofing.
IPS: See Intrusion Prevention System (IPS).
L
LDAP: See Lightweight Directory Access Protocol (LDAP).
library: See signature library, System Library, custom library.
Lightweight Directory Access Protocol (LDAP): A standard directory access protocol for searching and updating information directories containing, for example, email addresses, phone numbers, and computer names and addresses. LDAP is the primary protocol used to access directory servers such as Active Directory. See also Active Directory, directory server.
local IP address: From the perspective of the Firewall, the IP address of the computer the user is working on. See also IP address.
local port: From the perspective of the Sygate Personal Firewall, the port on the computer being used for this connection. See also port.
Log Dampener: An option that causes the Sygate Personal Firewall to log only one event if multiple similar events happen in a relatively short time frame. This protects the Firewall from being inundated by hundreds or thousands of events happening at the same time in a DoS attack. For example, if a thousand packets are received in one second, the Firewall logs that the event happened a thousand times. See also logs.
logs: Files that store information generated by an applicat
107. rewall System Log Parameters and Description 85
Viewing Personal Firewall System Log Events by Date 85
Preface. This chapter introduces the Sygate Personal Firewall Pro. It provides:
What's New
Related Documentation
Intended Audience
Technical Support
Preface to Help for Sygate Personal Firewall Pro. This manual aids you in the installation and use of the Sygate Personal Firewall Pro (the Personal Firewall).
Getting Help. Select Start > Programs > Sygate Personal Firewall > Sygate Personal Firewall Pro. The Personal Firewall starts and displays the user interface. You can then choose Help > Help topics from the menu bar, click the Help button, or press F1 (Help). The online help system appears. It provides all the information needed to use the Personal Firewall. All information in this help system is also available in the 5.5 Sygate Personal Firewall Pro User Guide in Adobe's PDF format for easy printing. You can download the Sygate Personal Firewall Pro User Guide from the Sygate Technologies web site at http://smb.sygate.com.
What's in this Guide. This document, the Sygate Personal Firewall Pro User Guide, describes how to install and use the Firewall software. For late-breaking news about known problems with this release, refer to the Readme.txt file that is included with this software. Wha
108. rewall traces the event information. The Back Trace Information window is displayed with a trace route log.
3. To view detailed information on the original IP address, click the Whois >> button at the bottom of the Back Trace Information window. A drop panel appears displaying detailed information about the owner of the IP address from which the security event originated.
4. Click the Whois << button again to hide the information.
For further information on Back Tracing, see Back Tracing.
Filtering the Log Events by Severity in the Security Log
1. In the Security log you can filter the events that you are viewing by the severity level of the attack.
2. In the Log Viewer, open the Filter menu.
3. Select Severity. The Severity window appears.
4. Place check marks in each box next to the severity level(s) that you want to view. You have the following options: Critical, Major, Minor, Information. You can view more than one type of event at once. The Log Viewer is automatically reloaded.
Filtering the Log Events by Date in the Security Log. To filter the log events by date:
1. Click the Filter menu in the Log Viewer window.
2. Select which events you want to view from the list.
Table 10 Viewing Personal Firewall Security Log Events by Date (Events / Displays)
1 Day: Logs the events recorded on the current day.
2 Day: Logs the events recorded over the past 2 days
109. rity Enhancement.
[Screenshot: Security tab options: Enable Intrusion Detection System; Enable anti-MAC spoofing; Enable portscan detection; Enable anti-IP spoofing; Enable driver level protection; Enable OS fingerprint masquerading; Enable stealth mode browsing; NetBIOS Protection; Enable DoS detection; Block Universal Plug and Play traffic; Automatically block attacker's IP address for [ ] second(s); Block all traffic while the service is not loaded; Enable DLL authentication; Reset all fingerprints for all applications; Automatically allow all known DLLs; Smart Traffic Handling: Enable smart DNS, Enable smart DHCP, Enable smart WINS]
Enable Intrusion Detection System. By default this option is enabled in the Personal Firewall. This feature provides you with alerts when another user attempts to compromise your system. Intrusion detection on the Firewall actually enables a combination of both an intrusion detection system (IDS) and an intrusion prevention system (IPS). The end result is a system that analyzes network packets, compares them with both known attacks and known patterns of attack, and then blocks those attacks. One of the key capabilities of the Intrusion Prevention System is its capability to do deep packet inspection. More details appear here.
About Sygate's Intrusion Detection and Prevention System. Sygate's Intrusion Detection (SID) detects inappropriate and incorrect activity. It is a host-b
110. rmissions that you allow it: whether it can access your Internet connection, whether it can access that connection without asking you first, or whether it is blocked from accessing the Internet or network altogether. You can change the status of applications from the Running Applications field by right-clicking on an application's icon and selecting the desired status.
Table 4 Running Applications Field (Status / Description)
Allow: Icon appears normal with no marks.
Ask: Icon appears with a small yellow question mark.
Block: Icon appears with a red circle and cross-out mark.
Additionally, application icons will display a small blue dot on the lower left-hand or right-hand corner to indicate whether the application is receiving (left-hand) or sending (right-hand) traffic. You can hide the display of system services by clicking Hide Windows Services above the Running Applications field. There are a number of services running at any given time, and since they are often crucial to the operation of your computer, you most likely want to allow them. You will see pop-ups that ask you if you want to allow these services to run. It is generally fine to allow them, and you can allow them permanently without worry. The Personal Firewall will block the services or applications if anything within the application's executable file changes. For instance, if you download a Trojan horse or an email virus that affects a service or application, the Personal Firewall will noti
111. rride all other schedules and configurations that have been set for each application. Rules in the Advanced Rules window will apply to all applications unless they are specifically tied to an individual application.
Overview of Creating Advanced Rules. When you create an Advanced Rule, first decide what effect you want the rule to have. Do you want to block all traffic when your screensaver is on? Would you like to allow all traffic from a particular source? Do you want to block UDP packets from a web site?
1. To begin, open the Tools menu at the top of the main console and click Advanced Rules. The Advanced Rules dialog box will open with an informational warning about their priority. Once you have created rules, they will appear in the main list.
[Screenshot: Advanced Rules dialog box with its Description column]
2. Click Add. The Advanced Rule Settings dialog box opens at the General tab.
3. Enter a descriptive name for your rule on this tab and then specify the conditions for it on the other tabs. To create a rule you must first specify the kind of traffic and the conditions that must exist for the rule to take effect. There are five different sections within the Advanced Rule Settings dialog box where you can specify the characteristics of the traffic: General, Hosts, Ports and Protocols, Scheduling and Applications. You ca
112. rule had some sort of function that did block traffic after 10 PM.
2. Second, decide the main action of the rule: do you want to block traffic or allow traffic?
3. Next, choose which network interface card this rule will apply to. If you have multiple network cards, select one from the list box, or select All network interface cards to apply the rule to every card.
4. Decide if this rule will be influenced by the activation of your computer's screensaver, if applicable:
On: The rule will be activated only when the screensaver is on. This is a great feature if you want to block all traffic and all ports while your computer is idle.
Off: This rule will be activated only if the screen saver is off and all other conditions are satisfied.
Both On and Off: This rule is unaffected by the screensaver.
5. Click Record this traffic in Packet Log if you want traffic affected by this rule to be entered in the Packet Log.
6. The Rule Summary field at the bottom of the General tab provides a summary of the rule's functionality. Click OK to set the rule, or click on another tab to further specify rule conditions and properties.
Advanced Rules: Specify a Source. The Hosts tab is where you can specify the source IP address, MAC address or Subnet range of traffic that you want to block or allow.
[Screenshot: Advanced Rule Settings dialog, Hosts tab]
113. s Web site to show the corporate version of the Firewall, Sygate Security Agent.
Easy Internet Sharing: Links to the Sygate Technologies Web site to show Sygate's Home Networking product line.
Register: Brings up a registration screen so that you can register your copy of the Firewall.
Help Topics: Opens the Personal Firewall online help files.
About: Opens the About screen.
Toolbar Buttons. The buttons located below the menu provide shortcuts that can be used to quickly block all applications, change your application profiles, access the logs, test your Personal Firewall using the Sygate Technologies Web site, or view the Help file.
[Screenshot: Sygate Personal Firewall Pro menu bar (File, Security, Tools, View, Help) and toolbar buttons (Block All, Applications, Logs, Security Test, Help)]
Understanding Pop-Up Messages. This section goes over the range of Personal Firewall pop-up messages that may appear, including security notifications and warning messages, and describes how the Personal Firewall responds to potential problems.
Why Did I Get a Pop-Up Message? An application-related pop-up message will occur for one of the following reasons:
1. An application that the Personal Firewall has never seen before, or that has been assigned the status of Ask, is trying to access your network connection.
2. An application that normally accesses your network connection has changed, possibly because of a product up
114. s an Internet browser.
Reset all fingerprints for all applications. By default this option is enabled in the Personal Firewall. If you want to erase all application fingerprints, click this button. It clears the Personal Firewall's memory of all application fingerprints. The result is that each time you use an application that uses the network, you are prompted through a pop-up message to Allow or Block that application's activity.
Smart Traffic Handling
Enable smart DNS. By default this option is enabled in the Personal Firewall. Smart DNS is a feature that blocks all DNS traffic except for outgoing DNS requests and the corresponding reply. This means that if your computer sends out a DNS request and another computer responds within five seconds, the communication will be allowed. All other DNS packets will be dropped. If you disable this feature, please note that you will need to manually allow DNS name resolution by creating an advanced rule that allows UDP traffic for remote port 53.
Enable smart DHCP. By default this option is enabled in the Personal Firewall. Smart DHCP is a feature that allows only outgoing DHCP requests and incoming DHCP replies, and only for network cards that allow DHCP. Should you choose to disable this feature and need to use DHCP, you must create an advanced rule for UDP packets on remote ports 67 and 68.
Enable smart WINS. By default this op
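The smart DNS rule above is a small stateful filter: an outgoing request opens a five-second window in which the server's reply is accepted, and every other packet on UDP port 53 is dropped. The following is an added example that models that rule literally; it is not Sygate's code, and keying the pending request on (server IP, local port) and the sample trace are my assumptions, since the page does not say what the product matches on.

```python
# Added example (not Sygate's implementation) of the smart DNS policy:
# allow outgoing DNS requests, allow only the matching reply within
# five seconds, drop all other DNS packets.
from dataclasses import dataclass
from typing import Dict, List, Tuple

DNS_PORT = 53
REPLY_WINDOW_SECONDS = 5.0   # the five-second window the guide describes


@dataclass(frozen=True)
class Packet:
    t: float          # seconds since start (constructed timestamps)
    direction: str    # "out" (from this host) or "in" (to this host)
    proto: str        # "udp" or "tcp"
    remote_ip: str
    remote_port: int
    local_port: int


class SmartDns:
    """Stateful filter: a request is remembered until its reply arrives or ages out."""

    def __init__(self, window: float = REPLY_WINDOW_SECONDS) -> None:
        self.window = window
        # (remote_ip, local_port) -> time the request left this host.
        # Assumption: this pair is what identifies the expected reply.
        self.pending: Dict[Tuple[str, int], float] = {}

    @staticmethod
    def is_dns(p: Packet) -> bool:
        return p.proto == "udp" and DNS_PORT in (p.remote_port, p.local_port)

    def decide(self, p: Packet) -> Tuple[str, str]:
        """Return (verdict, reason); verdict is allow, drop, or pass for non-DNS."""
        if not self.is_dns(p):
            return "pass", "not DNS traffic; other rules decide"
        key = (p.remote_ip, p.local_port)
        if p.direction == "out" and p.remote_port == DNS_PORT:
            self.pending[key] = p.t
            return "allow", "outgoing DNS request"
        if p.direction == "in" and p.remote_port == DNS_PORT:
            sent = self.pending.get(key)
            if sent is not None and 0.0 <= p.t - sent <= self.window:
                del self.pending[key]          # one reply per request
                return "allow", "reply to a pending request"
            return "drop", "unsolicited or late DNS reply"
        # Anything else on port 53 (e.g. an inbound query to this host)
        return "drop", "DNS traffic this host did not initiate"


def run(packets: List[Packet]) -> List[str]:
    """Feed a trace through one SmartDns instance and return the verdicts."""
    f = SmartDns()
    return [f.decide(p)[0] for p in packets]


# Constructed sample trace using documentation address ranges, not real hosts.
SAMPLE = [
    Packet(0.0, "out", "udp", "192.0.2.53", 53, 40001),    # request
    Packet(0.2, "in",  "udp", "192.0.2.53", 53, 40001),    # its reply
    Packet(0.4, "in",  "udp", "192.0.2.53", 53, 40001),    # duplicate reply
    Packet(1.0, "out", "udp", "192.0.2.53", 53, 40002),    # second request
    Packet(2.0, "in",  "udp", "198.51.100.7", 53, 40003),  # never requested
    Packet(3.0, "in",  "udp", "203.0.113.9", 5555, 53),    # query to our port 53
    Packet(4.0, "out", "udp", "192.0.2.1", 123, 40004),    # NTP, not DNS
    Packet(7.0, "in",  "udp", "192.0.2.53", 53, 40002),    # reply 6 s late
]

if __name__ == "__main__":
    for p, verdict in zip(SAMPLE, run(SAMPLE)):
        print(f"{p.t:4.1f}s {p.direction:3} {p.remote_ip}:{p.remote_port} -> {verdict}")
```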
115. s an indicator of a CGI program attack. Each packet is evaluated for a specific pattern, such as a string in a single packet. If a match occurs, the attack is blocked.
Denial of Service Intrusion Detection and Prevention. Sygate's Denial of Service (DoS) Intrusion Detection and Prevention system identifies attacks in which users or organizations are deprived of the services or a resource that they would normally expect to have available. It identifies known attacks based on multiple packets, regardless of port number or type of Internet Protocol (IP), which is a limitation of signature-based Intrusion Detection and Prevention systems. Sygate's DoS Intrusion Detection and Prevention system is automatically enabled when you install the product.
Enable anti-MAC spoofing. By default this option is enabled on the Personal Firewall. Some hackers use MAC spoofing to attempt to hijack a communication session between two computers in order to hack one of the machines. MAC (media access control) addresses are hardware addresses that identify computers, servers, routers, etc. When Computer A wishes to communicate with Computer B, it may send an ARP (Address Resolution Protocol) packet to the computer. The anti-MAC spoofing feature allows incoming and outgoing ARP traffic only if an ARP request was made to that specific host. It blocks all other unexpected ARP traffic and logs it in the securi
116. s the Personal Firewall.
Disabling Password Protection. You can choose to disable password protection by making no entry in the New Password field and confirming that in the Confirm New Password field. The tab will show that password protection has been disabled.
[Screenshot: Password Protection tab reading "Password Protection Disabled", with the note that enabling password protection can protect your security settings from being changed by others, either mistakenly or maliciously, and a Set Password button]
Shortcut to the Software: the System Tray Icon. Once installed, the Personal Firewall displays a small icon in your system tray, located on the right end of your task bar, consisting of two arrows. The arrows represent system traffic: the upward-pointing arrow is outgoing traffic, the downward-pointing arrow is incoming traffic. These arrows give you a real-time update of your computer's traffic flow. You might not see a constant icon appearance for more than a few seconds, especially if you frequently use the Internet or your network connection. The colors of the arrows are always changing, as is the traffic flow on your computer. For most users it should be sufficient to remember the following points about the colors of the icon.
Table 1 System Tray Icon colors (If the color of the arrow is... / then...)
traffic is being blocked by the Personal Firewall
traffic is flowing uninterrupted by the Personal
117. ...s traffic that is allowed and traffic that is blocked. The green lines and bars indicate traffic that is allowed to pass through, and the red coloring indicates traffic that is being blocked by the Personal Firewall. Additionally, the Attack History graph on the right side of the console provides information on attempted attacks against your machine.

Broadcast Traffic. Broadcast traffic is network traffic that is sent to every computer in a particular subnet and thus is not directed specifically to your computer. If you do not want to see this traffic, you can remove it from this graphical view by choosing Hide Broadcast Traffic. You will then only see unicast traffic in this graph, which is traffic that is directed specifically to your computer.
• Click Hide Broadcast Traffic below the Traffic History graphs to make this traffic no longer appear in the Traffic History graphs.
• Click Hide Broadcast Traffic again to clear this setting, which causes broadcast traffic to appear.

Running Applications Field. The Running Applications Field provides a list of all applications and system services that are currently running on your system. The display of application names can be changed through the View menu or by right-clicking in the Running Applications field and selecting the desired view from the menu that appears. You can also view the status of the applications. An application's status refers to the pe...
118. ...[Screenshot residue from the Security Log: process id 2572; Description: Back Orifice 2000 International Version w/ low encryption, process has been terminated; current log file size 3 KB, maximum size 512 KB; Records; Filter: 1 day; Severity: Critical, Major, Minor, Infor...] For information on reading a Security Log, start with the ...

Using the System Tray Icon. You can easily configure basic aspects of the Personal Firewall without even opening the main console. By right-clicking on the System Tray Icon you can change your security level, view Help or log files, or even disable the Personal Firewall.

Table 2: System Tray Icon Menu (Option: What it will do for you)
Sygate Personal Firewall: Opens the Personal Firewall main console.
Block All: Blocks all network traffic.
Normal: Provides your pre-chosen list of security policies and applies them.
Allow All: Allows all network traffic. This setting should be used for troubleshooting only.
Applications: Opens the Applications List. For more on the Applications List, see Setting Up Protection Based on Application.
Logs: Opens the Firewall Logs. For more on Logs, start with Monitoring Your System Logs.
Options: Opens the Options dialog box, where you can make detailed choices about your security. For more information, see Setting Up Protection by Configuration Changes.
...: Opens the Advanced Rules dialog box, where you...
119. ...ss to a network or computer system. Sygate's IDS operates on every machine in an enterprise on which the Sygate Personal Firewall is installed, by analyzing network packets targeted at the network node and comparing them with signature database entries. An IDS helps identify attacks and probes by monitoring traffic for attack signatures that represent hostile activity. See also Intrusion Prevention System (IPS).

Intrusion Prevention System (IPS): A device or software used to prevent intruders from accessing systems, acting on malicious or suspicious activity. This is in contrast to an Intrusion Detection System (IDS), which merely detects and notifies. Sygate Personal Firewall is both an IDS and an IPS product, since the Firewall includes both IDS and firewall functionality, making it capable of not only detecting but also blocking an attack. See also Intrusion Detection System (IDS).

IP address: A 32-bit address used to identify a node on a network. Each node on the network must be assigned a unique address, in dotted decimal notation such as 125.132.42.7. See also local IP address, remote IP address.

IP fragmentation: A packet that has been split into two or more packets. The Sygate Personal Firewall supports IP fragmentation, the ability to receive or send incomplete packets over the network. See also packets, Fragmented Packets.

IP spoofing: IP spoofing is a process where an intruder uses an IP address of another computer to ac...
120. ...standard menu with the following options: File, Security, Tools, View and Help.

Table 5: Firewall Menus (Menu: Menu choices)
Close: Closes the Personal Firewall main console.
Exit Personal Firewall: Disables the Personal Firewall, effectively turning off security on your machine.
Block All: Blocks all network traffic on your machine.
Normal: Blocks only selective traffic. This is the default configuration and is a prudent choice.
Allow All: Permits all network traffic to flow on your machine. This is almost as non-secure as exiting the Personal Firewall and is not recommended. It should be used for troubleshooting only.
Applications: Opens the Applications List.
Logs: Opens the Logs.
Options: Opens the Options dialog box, which contains many security options, including email alerts, Network Neighborhood browsing rights and log file configuration.
Advanced Rules: Opens the Advanced Rules dialog box, where you can set very specific rules for the implementation of security on your Personal Firewall.
Update Signature: Updates intrusion prevention signatures.
Automatically Start Service: This toggle setting sets whether the Personal Firewall will be launched automatically when your machine is booted.
Hide System Tray Icon: This toggle setting hides the System Tray Icon from view. If it is checked, the icon is hidden.
Test Your Firewall: Opens the Sygate Technologies scan site, allowing you to test the effective...
121. ...t's New for the Firewall. This release of the Personal Firewall has a variety of new and enhanced features. Among them:
• Provides Deep Packet Inspection. The Personal Firewall provides further enhanced intrusion detection and prevention capabilities, including alerts when another user attempts to compromise your system. The end result is a system that analyzes network packets, compares them with known attacks and known behavioral patterns of attack, and then intelligently blocks the malicious attacks.
• Denial of Service (DoS) Protection. This enables the Personal Firewall to monitor and block incoming traffic with known Denial of Service (DoS) attack patterns. DoS attacks are characterized by an explicit attempt by an intruder to prevent legitimate users of a service from using that service, by flooding the service with illegitimate traffic. This feature can be enabled or disabled.
• Trojan Detection and Protection. Trojan protection is enhanced to identify, block and terminate the process of more types of Trojan attacks.
• Universal Plug and Play (UPnP) Protection. The Personal Firewall has a new option that protects computers from UPnP exploits. This feature can be enabled or disabled.
• Log Dampener Feature. The Personal Firewall adds new logging flexibility and performance enhancement features, including the option to selectively enable or disable the security logs, system logs, traffic logs and full packet logs.
• Smart WIN...
122. ...tely enabled. This computer will be able to browse and share any allocated resource within the network, such as files and printers. The settings in the Network Neighborhood section apply to the network displayed in the Network Interface list box.

Network Neighborhood Settings
1. Select the network from the Network Interface list box.
2. Decide if you wish to browse other computers on the network, and if you wish to allow other users on the selected network to browse your computer. Under the Network Neighborhood Settings section, select the appropriate check boxes:
   ○ Select the "Allow to browse Network Neighborhood files and printer(s)" option to browse other files and printers on the selected network. This allows you to access other files on your network. If you disable this, you cannot copy files from network locations.
   ○ Select "Allow others to share my files and printer(s)" to allow other users of the selected network to browse your files and printer(s).
3. Click OK.

Setting Detailed Security Options. The Security tab offers a way to enable and disable some of the more complex security options. As such, this tab provides both power and complexity. You should test settings made here before propagating them to other computers, to make certain that they work as you intend.
[Screenshot: Options dialog with the tabs General, Network Neighborhood, Security, E-Mail Notification, Log and Updates; Secu...]
123. ...tem and the reference web page. It will stop web sites from knowing which operating system and browser you are using. Stealth Mode Browsing may cause some web sites not to function properly, because it removes the browser signature (called the HTTP_USER_AGENT) from the HTTP request header and replaces it with a generic signature.

subnet: Portions of a TCP/IP network used to increase the bandwidth on the network by subdividing the network into portions or segments. All IP addresses within a subnet use the same first three sets of numbers, such as 192.168.1 in 192.168.1.180 and 192.168.1.170, indicating they are on the same network. A subnet is ... See also subnet mask.

subnet mask: A value that allows a network to be subdivided and provides for more complex address assignments. The subnet mask format is nnn.nnn.nnn.nnn, such as 255.255.255.0.

svchost.exe: Generic Host Process for Win32 Services, a generic host process for services that are run from dynamic link libraries (DLLs). It checks the services portion of the registry to create a list of services it needs to load. Multiple instances of svchost.exe may be running at the same time.

Sygate Endpoint Enforcement: The ability of the Sygate Security Agent to execute Host Integrity rules independent of the Sygate Enforcer. The Agent can take an action if the Host Integrity rules fail: block access to the enterprise network by switching to a quaran...
124. ...ress are listed in the Source Host and Source MAC columns, whereas the recipient's IP number and MAC address are listed in the Destination Host and Destination MAC sections.
7. Click a different log name if you wish to view a different log.
8. Click Refresh or press F5 to update the log that you are viewing.

Viewing the Security Log. The Security Log records potentially threatening activity directed towards your computer, such as port scanning or denial of service attacks. The Security Log is probably the most important log file in the Personal Firewall.

Viewing the Security Log. To view the Security Log on the Personal Firewall:
1. Click the down arrow near the Logs icon on the toolbar and then choose Security Log, OR click Tools > Logs > Security Log, OR right-click the Tool Bar icon and then click Logs > Security Log. You can also click the down arrow next to the Logs icon to choose a different log. The most recently viewed log appears by default, but you can choose any of the logs to view.
2. From the View list, select Local View (the default setting) or Source View. You can select how you view local and remote IP addresses or names.
   ○ If you select Local View from the View list, then Remote Host, Remote MAC, Local Host and Local MAC information appear. The Remote Host and Remote MAC always represent the IP address and MAC address of the attempted attacker, whereas...
125. ...thout the enterprise management features. See also Sygate Security Agent.

Sygate Secure Enterprise: A software suite that includes the Sygate Management Server, one or more Sygate Security Agents, the Sygate Event Logger and, optionally, one or more Sygate Enforcers. It protects wireless, VPN and wireless-connected laptops, workstations and servers with firewall, intrusion detection and policy enforcement. See also Sygate Security Agent, Sygate Enforcer, Sygate Event Logger, Sygate Management Server.

Sygate Security Agent: Software component that enforces rule-based security on devices, whether remote or behind a corporate firewall, using security policies defined on the Sygate Management Server. Also referred to as the Agent in Sygate documentation. The Agent must be installed on every device before it can connect to the enterprise network. The Agent can detect, identify and block known Trojans and Denial of Service attacks, and also protects against new or unknown attacks by blocking applications and traffic that violate a defined set of security policies. Port scans are also detected and logged to alert users and system administrators of potential attacks while maintaining system security.

synchronization: Refers to automatically keeping directory servers up to date with the user database, including synchronizing between LDAP, Active Directory and NT Domain. System administrators can specify how often to synchronize the...
126. ...tically check for signature updates and download.
• New versions: Automatically check for, download and install new versions of Sygate Personal Firewall Pro. Note that you can also do this manually from the same screen: click Check Now.
• Signature Updates: Automatically check for, download and install new Intrusion Detection signatures. Note that you can also do this manually from the Main Menu: click Tools > Update Signature.

Logging Security Events on Your System. The Log File tab provides a central location to manage the logs for the Personal Firewall. You can determine the standard log size for each log, as well as specify how many days of entries are recorded in each log. For more information on logs and how they work, see Monitoring Your System Logs. You can also toggle whether or not logs are kept for each type of log.
[Screenshot: Options dialog, Log tab, with the check boxes Enable Security Log, Enable System Log, Enable Traffic Log and Enable Full Packet Logging. For each log there is a "Maximum log file size is ... KB" field, a "Save log file for the past ..." field (30 is shown for the Security Log) and a Clear Logs button.]

To Set Log Size
1. Click the appropriate Maximum Log File Size f...
127. ...tine location and then initiate the appropriate restorative action.

Sygate Enforcer: A software component that allows only remote and wireless clients running the Sygate Security Agent and complying with Host Integrity rules to gain access to the enterprise network. Sygate Enforcers can secure various places on the network, to protect entry through a VPN server or wireless LAN and to safeguard servers. When a client attempts to access the enterprise network, the Enforcer requests the unique ID assigned to the Agent to verify that it is a legitimate client. The policy of the particular client is verified and Host Integrity rules are checked before allowing access to the network. If a client does not satisfy the Enforcer's qualifications and a rule fails, the Enforcer can monitor and log certain events, block certain users if the Host Integrity rules fail, display a popup message, or quarantine the computer in a restricted area until the software is updated.

Sygate Management Server: A centralized point of control over all Sygate Security Agents that enables network administrators to define and distribute security policies, collect logs and maintain the integrity of the corporate network. Also referred to as the Management Server in Sygate documentation. See also Sygate Security Agent.

Sygate Personal Firewall: A host-based firewall whereby the users define their own security policies, including many of the capabilities of Sygate Security Agent but wi...
128. ...tion is disabled in the Personal Firewall. It allows Windows Internet Naming Service (WINS) requests only if they were solicited. If the traffic was not requested, the WINS reply is blocked.

Setting Up Email Notification of Security Events. The E-Mail Notification tab provides you with the option to automatically notify a specified recipient via email of any attacks against your computer.
[Screenshot: Options dialog, E-Mail Notification tab. Frequency options: Do Not Notify, Notify Immediately, After Every ... Minute(s). Fields shown: From; To (itsecurity@yourcompany.com); Cc (psmith@yourcompany.com); Subject (Security alert); SMTP Server Address (10.0.3.12); "My E-Mail Server Requires Authentication" with Authentication Server Address (10.0.3.20), User Name (psmith) and a masked Password; and a Test E-Mail Notification button.]

To Activate E-Mail Notification
1. First, select the frequency of notification. You have three choices. Selecting Do Not Notify will disable the email notification option. Select Notify Immediately to have an email sent immediately following an attack on your computer. Alternately, you can select to have an email sent at regular intervals following an attack by selecting the After Every X Minute(s) dial.
2. Enter an email address in the From address field. This can be your...
129. ...ty log.

Enable port scan detection. By default this option is enabled on the Personal Firewall. Port scanning is a popular method that hackers use to determine which of your computer's ports are open to communication. Ports are dynamically blocked by the Personal Firewall and are therefore protected from hacking attempts. This feature detects if someone is scanning your ports and notifies you. If disabled, the Personal Firewall does not detect scans or notify you of them, but still protects your ports from hacking attempts.

Enable anti-IP spoofing. By default this option is disabled on the Personal Firewall. IP spoofing is a process used by hackers to hijack a communication session between two computers, which we will call Computers A and B. A hacker can send a data packet that causes Computer A to drop the communication. Then, pretending to be Computer A, the hacker can communicate with Computer B, thus hijacking a communication session and attempting to attack Computer B. Anti-IP spoofing foils most IP spoofing attempts by randomizing the sequence numbers of each communication packet, preventing a hacker from anticipating a packet and intercepting it. It is recommended that you enable this option along with Enable OS fingerprint masquerading.

Enable driver-level protection. By default this option is already enabled on the Personal Firewall. This feature, when enabled, blocks protocol drivers from accessing the network unless the user gives...
130. ...uration parameters from a DHCP server. DHCP lets a system administrator supervise and distribute IP addresses from a central point in the network.

E
encryption: The use of an algorithm to convert typically sensitive data into a form that is unreadable except by authorized users. See also Communications Channel Encryption.
endpoint: Any network device that connects to the enterprise network and runs network-based applications. Network devices can include laptops, desktop computers, servers and PDAs. See also access point.

F
filtering logs: Viewing selected information from logged information. For example, a filter can be set up so that you can view only blocked traffic, critical information, or logged events occurring during the past day. See also logs.
firewall: Hardware, software, or a combination of both that is used to prevent unauthorized Internet users from accessing a private network. All information entering or leaving the network must pass through the firewall, which examines the information packets and blocks those which do not meet the security criteria. The Sygate Personal Firewall Allows, Blocks or Asks whether incoming traffic is allowed to access an organization's network or resources. By using firewall rules, the Firewall can systematically allow, block and ask incoming traffic from specific IP addresses and ports. See also firewall rule.
firewall rule: A stipulation that helps to determine whet...
131. ...virus software. See also virus.
application authentication: Authenticating an application that is running on the network by taking the entire binary of the application, computing an MD5 hash of it, and comparing it with the application fingerprint stored on Sygate Personal Firewall. If the application was changed, it may not be authenticated, depending on the rules the Firewall is using. See also application control, application fingerprint, DLL authentication, MD5 hash.
application control: Applications, and which versions of a particular application, can either be allowed or disallowed via security policies.
application fingerprint: A 128-bit number that is generated by performing an MD5 hash of an entire application packet. It is unique for each application. If the application is changed in any way, the application fingerprint changes.
authorization: The process of granting or denying access to a specific network resource or domain based on the user's identity.

B
backtrace: A way of using ICMP to determine all the hops between your computer and an intruder on another computer. See also Internet Control Message Protocol (ICMP).
broadcast: Sending a packet to everybody on the network. See also multicast, unicast.
buffer overflow: Applications set aside areas of memory, or buffers, for use as storage, frequently setting aside a finite amount of memory for a buffer. A buffer overflow exists when an application attempts to store more data than can fit i...
132. ...w (this is the default).
Local MAC: MAC address of the local computer (only appears in Local View; this is the default).
Source Host: Name of the source computer (only appears in Source View).
Source MAC: MAC address of the source computer (only appears in Source View).
Destination Host: IP address of the destination computer (only appears in Source View).
Destination MAC: MAC address of the destination computer (only appears in Source View).
Application Name: Name of the application associated with the attack.
User Name: The User or Computer (client) that sent or received the traffic.
Domain: Domain of the user.
Location: The Location (Office, Home, VPN, etc.) that was in effect at the time of the attack.
Occurrences: Number of occurrences of the attack method.
Begin Time: The time the attack began.
End Time: Time that the attack ended.

Description and Data Fields for the Security Log. Below the rows of logged events are the Description and Data fields. When you click on an event row, the entire row is highlighted. A description of the event, such as "Somebody is scanning your computer with 13 attempts", appears in the Description field.

Back Tracing Hack Attempts for the Security Log
1. From the Traffic Log file, click on the event you want to back trace so that the entire row is highlighted.
2. Either right-click the row and select Back Trace from the pop-up window, or click the Action menu and select Back Trace. The Personal Fi...
