HP Sygate Security Agent 4.
Copyright Information. Copyright © 2003-2005 by Sygate Technologies, Inc. All rights reserved. No part of this document may be reproduced or transmitted in any form or by any means, electronic, mechanical, or otherwise, without prior written permission of Sygate Technologies, Inc. Information in this document is subject to change without notice and does not constitute any commitment on the part of Sygate Technologies, Inc.
Table of Contents
Preface: Related Documentation; Intended Audience; Technical Support
Working With Rules: Rule Summary field; Hosts Tab (All addresses; MAC addresses)
Monitoring and Logging: System Log Parameters and Description; Description and Data Fields for the System Log; Enabling and Clearing Logs; Back Tracing Logged Events; Saving Logs
Configuring the Agent's Settings (E-Mail Notification): To:; Cc:; Subject:; SMTP Server Address:
List of Tables: Table 1. Menus; Table 2. System Tray Icon Colors; Table 3. System Tray Icon Appearance; Tables 4 through 12
List of Figures: Figure 1. Main Console; Figure 2. Traffic History Graph; Figure 3. Security Log
Preface This document, the HP Sygate Security Agent User Guide, describes how to distribute, install, and use the HP Sygate Standalone Agent (the Agent). For late-breaking news about known problems with this release, refer to the Readme.txt file that is included with this software. Related Documentation • HP Sygate Security Agent User Guide (online Help)—The online Help is a subset of information in this document. Click Start|All Programs|Sygate|HP Sygate Security Agent.
Technical Support. HP provides a variety of service and support programs. To contact HP: 1. Go to the www.hp.com/support web site. 2. From the drop-down menu, select the country and language and click the double arrow. 3. On the Support & Drivers page, under Or Select a product category, click Desktops & Workstations. 4. Click Thin Clients and then the specific product. Note: You can also click the Contact HP link for additional contact and resource links.
Chapter 1. Overview of the Agent The HP Sygate Security Agent (the Agent) is security software that is installed on embedded devices, such as ATMs and thin clients, that run the Windows XP Embedded operating system. Once installed, the Agent provides a customizable firewall that protects the device from intrusion and misuse, whether malicious or unintentional.
When you install the Policy Editor, the default policy file is automatically installed with it. When you open the Policy Editor, the default policy file's advanced rules and options appear. To open the Policy Editor: • On the image-building system, click Start|All Programs|Sygate|HP Sygate Policy Editor. For more information on using the Policy Editor: • On the image-building system, click Start|All Programs|Sygate|Policy Editor Help.
Chapter 2. Getting Around This chapter describes the tools that you use in getting around in the Agent. Starting the Agent The Agent is designed to start automatically when you turn on your device, protecting you immediately. To configure your Agent or review logs of potential attacks on your Agent, you open the Agent first. You can open the Agent in two ways: • System tray icon—Double-click the icon on the right side of the taskbar, or right-click it and click HP Sygate Security Agent.
Figure 1. Main Console The Agent interface is resizable, so you can view it as a full-screen or part-screen image. Menus and Toolbar Buttons The top of the screen displays a standard menu and toolbar. The toolbar buttons can be used to quickly access logs, view the Help file, or test your system. Traffic History Graphs Below the toolbar are the Traffic History graphs. The Traffic History graphs produce a real-time picture of the last two minutes of your traffic history.
Figure 2. Traffic History Graph The Traffic History graphs are broken into three sections. On the left side of the graphs section are the Incoming and Outgoing Traffic History graphs. These provide a visual assessment of the current traffic that is entering and leaving your device through a network interface. This includes traffic that is allowed and traffic that is blocked.
since they are often crucial to the operation of your device, you most likely want to allow them. To change the display of application names, either click the View menu or right-click the Running Applications field and select the desired view. You can stop an application or service from running by right-clicking the application in the Running Applications field and clicking Terminate.
Table 1. Menus. File menu choices: • Close—Closes the Agent main console. • Exit Sygate Agent—Exits the Agent, effectively turning off security on your machine. • Block All—Blocks all network traffic on your machine. If you use this command but then want to unblock the traffic, click the system tray icon on the taskbar and click Normal. • Normal—Blocks only the traffic that your rules select. This is the default configuration, and is a prudent choice. • Logs—Opens the Logs.
Table 1. Menus (continued). Menu choices: • Connection Details—Provides further information on the type of connection being made by each application accessing the network adapter, as well as the protocol, local and remote ports and IP addresses being used, the application path, and more. • Hide Windows Services—Toggles the display of Windows Services in the Running Applications field.
Table 2. System Tray Icon Colors. If the color of the arrow is RED, traffic is being blocked by the Agent. If it is BLUE, traffic is flowing uninterrupted by the Agent. If it is GRAY, no traffic is flowing in that direction. The following table illustrates the different appearances that the system tray icon may have, and what they mean. Table 3. System Tray Icon Appearance. • The Agent is in Alert Mode.
Table 3. System Tray Icon Appearance (continued). • Both incoming and outgoing traffic are blocked. • There is no incoming traffic; outgoing traffic is blocked. • Incoming traffic is flowing uninterrupted; outgoing traffic is blocked. • No traffic is flowing in either direction. • Both incoming and outgoing traffic flow uninterrupted; the Agent is disabled. What Does the Flashing System Tray Icon Mean? The system tray icon sometimes flashes on and off.
Table 4. System Tray Icon Menu. • HP Sygate Security Agent: Opens the Agent's main console. • Block All: Blocks all network traffic. • Normal: Applies your preconfigured list of advanced rules. • Logs: Opens the Agent logs. • Options...: Opens the Options dialog box, where you can configure the settings for the Agent. • Advanced Rules: Opens the Advanced Rules dialog box, where you can write specific rules for allowing or blocking network access.
3. Enter your new password in the New Password and Confirm New Password fields. Note: You can disable password protection by leaving the New Password field empty and confirming that in the Confirm New Password field. Without a password, anyone with access to the device can exit the Agent or change its rules, so set one on any device that other people can reach. 4. To have the Agent prompt you for a password before exiting the Agent, on the General tab, click Ask password while exiting. 5. Click OK to confirm or click Cancel to discard your changes.
Chapter 3. Testing Your System’s Vulnerability This chapter describes ways to test the vulnerability of your system to outside threats by scanning your system. The test is available directly from Sygate using an online connection. Scanning Your System Assessing your vulnerability to an attack is one of the most important steps that you can take to ensure that your device is protected from possible intruders.
o UDP Scan o ICMP Scan 4. Click Scan Now. A brief document of frequently asked questions about Sygate Online Services is also available from the main scan page. Click Scan FAQ at the bottom left side of the screen. Types of Scans. On the Sygate Technologies web site, you can choose from one of the following types of scans. Quick Scans. The Quick Scan is a brief, general scan that encompasses several scanning processes.
and proxies for users connecting to the web site through such a device. The scan takes about 10 minutes and should be logged in the Security Log as a port scan from Sygate. ICMP Scans. When an ICMP scan has completed scanning a user's device, it displays a page with the results of the scan. If a user is running the Agent, all scans are blocked.
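The online scan above runs from Sygate's web site. The same check can be made from any second host on your own network, which is useful when the device has no Internet access. The following TCP connect scanner is an added example, not code from the Agent or from Sygate's scan service; it classifies each port as open (a listener answered), closed (the host sent a reset) or filtered (no answer before the timeout, which is what a firewall that silently drops the packet looks like). The listener it starts on localhost is a constructed stand-in for a service on the device under test.

```python
"""TCP connect scan that classifies each port the way a firewall test does.

Added example, not part of the Sygate Agent or its online scan service.
"""
import socket
import threading


def classify_port(host, port, timeout=1.0):
    """Return "open", "closed", "filtered" or "unreachable" for host:port.

    open        - the three-way handshake completed, so a listener answered.
    closed      - the host answered with a TCP RST (reported as ECONNREFUSED),
                  so the port is reachable but nothing listens on it.
    filtered    - nothing came back before the timeout. A firewall that silently
                  drops the SYN, as the Agent does for blocked traffic, looks like this.
    unreachable - the local stack could not even route to the host.
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "closed"
    except (socket.timeout, TimeoutError):
        return "filtered"
    except OSError:
        return "unreachable"
    finally:
        s.close()


def scan(host, ports, timeout=1.0):
    """Scan a list of ports and return {port: state}."""
    return {port: classify_port(host, port, timeout) for port in ports}


def start_listener():
    """Constructed stand-in for a service on the device under test.

    Listens on an ephemeral localhost port and accepts connections in a
    background thread so that the scanner sees one "open" port.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
                conn.close()
            except OSError:
                return

    threading.Thread(target=serve, daemon=True).start()
    return srv, port


def free_port():
    """Pick a localhost port with no listener so that the scanner sees "closed"."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    srv, open_port = start_listener()
    try:
        for port, state in scan("127.0.0.1", [open_port, free_port()]).items():
            print(f"port {port}: {state}")
    finally:
        srv.close()
```

Run the scanner from a separate machine against the device's real network address, not from the device itself: loopback traffic never crosses the network interface the Agent filters, so a localhost scan only tells you which services are listening, not which ones the firewall exposes. A port that reports open from the second host but has no allow rule means the Agent is not running or is in a state other than Normal.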
Chapter 4. Working With Rules This chapter describes how to protect your system by creating security rules for applications that you have running on your system. About Rules A firewall is hardware, software, or a combination of both that is used to prevent unauthorized Internet users from accessing a private network. All information entering or leaving the network must pass through the firewall, which examines the information packets and blocks those that do not meet the security criteria.
To set up an advanced rule: 1. On the Tools menu, click Advanced Rules. The Advanced Rules dialog box opens. 2. Click Add. The Advanced Rule Settings dialog box opens with the General tab displayed. 3. Enter a name for the rule in the Rule Description text box, and click Block this traffic or Allow this traffic. 4. Click the Applications tab, and either click the check box for the application you want to allow or block, or click the Browse button to locate it. 5.
Rules are applied in the order they are listed, and the first rule that matches the traffic decides; later rules are not consulted for that traffic. For example, if a rule that blocks all traffic is listed first, followed by a rule that allows all traffic, the Agent blocks all traffic at all times. 7. To enable a rule on the Agent, make sure the check mark appears in the Description column. General Tab. The General tab is used to provide a name for the rule you are creating, as well as the effect that the rule will have (allowing or blocking traffic).
Apply Rule to Network Interface: Specifies which network interface card this rule will apply to. If you have multiple network cards, select one from the list box, or select All network interface cards to apply the rule to every card. Apply this rule during Screensaver Mode: Activates the rule even if your device's screensaver is on (if applicable). o On—The rule will be activated only when the screensaver is on.
All addresses: Applies the rule to all addresses. MAC addresses: Applies the rule to the MAC address of the traffic. IP Address(es): Applies the rule to the IP address or address range of the traffic. Subnet: Applies the rule to the subnet address and subnet mask of the traffic. Rule Summary field: Provides a summary of the rule's functionality.
Protocol: Specifies a protocol for the rule. All Protocols: Applies to all protocols on all ports, for both incoming and outgoing traffic. TCP: Displays two more list boxes in which you can specify which ports (remote and/or local) the rule should affect. You can type the port numbers or select the port type from the list boxes for both local and remote ports. If you do not enter or select a port number, the rule affects all ports.
all ports will be affected by the rule. If you enter a port number for the local port entry but not for the remote port entry, the rule affects the local port you entered for ALL remote ports. Then select which traffic direction the rule should affect. ICMP: Displays a list of ICMP types. Select the types of ICMP that you wish to allow or block by placing a check next to them. Then select which traffic direction the rule should affect.
Enable Scheduling: Enables the scheduling feature. During the period below: Applies the rule only during the specified time period. Excluding the period below: Applies the rule only outside the specified time period. Beginning At: Specifies the time that the schedule begins, including a month, day, hours, and minutes. You can also leave the default settings, which apply the schedule all day, every day, all year.
Applications Tab. You can specify the applications that an advanced rule affects. The Applications tab lists every application that has accessed your network connection. Display selected applications only: Displays only the applications that you have selected to be controlled by this rule. Applications: Lists the traffic coming in and out of all ports and protocols.
Browse: Opens the Open dialog box so you can search for applications that are not displayed in the table. Rule Summary field: Provides a description of the rule and the traffic it will affect on your system.
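The ordering behaviour described at the start of this chapter (the first matching rule wins, so a Block All rule above an Allow All rule blocks everything) and the port semantics of the Ports and Protocols tab (an empty port field means all ports on that side) are easy to get wrong when a policy grows. The following evaluator is an added example, not the Agent's own code: it models the fields of the General, Hosts, Ports and Protocols, Scheduling (only as the enabled flag) and Applications tabs and walks the list top to bottom. The rule names, application paths, addresses and the default action for traffic that matches no rule are assumptions made for the example.

```python
"""First-match evaluation of advanced rules.

Added example, not the Agent's own code. The default action for traffic that
matches no rule is a parameter here; the Agent's actual default is not modelled.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple


@dataclass
class Packet:
    app: str            # path of the application that sent or received the traffic
    remote_ip: str
    protocol: str       # "tcp", "udp" or "icmp"
    direction: str      # "in" or "out"
    local_port: Optional[int] = None
    remote_port: Optional[int] = None


@dataclass
class Rule:
    name: str
    action: str                              # "allow" or "block"
    enabled: bool = True                     # the check mark in the Description column
    apps: Optional[Set[str]] = None          # None: any application
    hosts: Optional[List[str]] = None        # None: all addresses; else IPs and/or subnets
    protocol: str = "all"                    # "all", "tcp", "udp" or "icmp"
    local_ports: Optional[Set[int]] = None   # None: all local ports
    remote_ports: Optional[Set[int]] = None  # None: all remote ports
    direction: str = "both"                  # "in", "out" or "both"

    def matches(self, pkt: Packet) -> bool:
        if not self.enabled:
            return False
        if self.apps is not None and pkt.app not in self.apps:
            return False
        if self.hosts is not None:
            addr = ipaddress.ip_address(pkt.remote_ip)
            # a bare IP becomes a /32 network, a CIDR string the whole subnet
            if not any(addr in ipaddress.ip_network(h, strict=False) for h in self.hosts):
                return False
        if self.protocol != "all" and pkt.protocol != self.protocol:
            return False
        if self.direction != "both" and pkt.direction != self.direction:
            return False
        if self.protocol in ("tcp", "udp"):
            # an empty port field means "all ports" on that side, so a rule with a
            # local port and no remote port covers that local port for ALL remote ports
            if self.local_ports is not None and pkt.local_port not in self.local_ports:
                return False
            if self.remote_ports is not None and pkt.remote_port not in self.remote_ports:
                return False
        return True


def evaluate(rules: List[Rule], pkt: Packet, default: str = "allow") -> Tuple[str, str]:
    """Walk the list top to bottom; the first enabled rule that matches decides."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action, rule.name
    return default, "(no rule matched)"


BLOCK_ALL = Rule("Block all traffic", "block")
ALLOW_ALL = Rule("Allow all traffic", "allow")
# Hypothetical rule: inbound Remote Desktop only from a management subnet
ALLOW_RDP = Rule("Allow RDP from mgmt", "allow", hosts=["10.0.0.0/24"],
                 protocol="tcp", local_ports={3389}, direction="in")

# Constructed traffic samples
WEB_OUT = Packet("C:\\Program Files\\Internet Explorer\\iexplore.exe",
                 "203.0.113.10", "tcp", "out", local_port=49152, remote_port=80)
RDP_FROM_MGMT = Packet("C:\\WINDOWS\\system32\\svchost.exe",
                       "10.0.0.7", "tcp", "in", local_port=3389, remote_port=51000)
RDP_FROM_ELSEWHERE = Packet("C:\\WINDOWS\\system32\\svchost.exe",
                            "198.51.100.5", "tcp", "in", local_port=3389, remote_port=51000)

if __name__ == "__main__":
    print(evaluate([BLOCK_ALL, ALLOW_ALL], WEB_OUT))  # block: the block rule is listed first
    print(evaluate([ALLOW_ALL, BLOCK_ALL], WEB_OUT))  # allow: same two rules, reversed
    print(evaluate([ALLOW_RDP, BLOCK_ALL], RDP_FROM_MGMT))
    print(evaluate([ALLOW_RDP, BLOCK_ALL], RDP_FROM_ELSEWHERE))
```

The usual way to keep such a list safe is to put the narrow allow rules first and a single broad block rule last; a disabled rule (check mark cleared) is skipped entirely, so clearing the check on the final block rule silently falls through to the default.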
Chapter 5. Monitoring and Logging This chapter describes how you can monitor your system by using the logs that are present in the Agent. It begins with an overview of logs, their types, and the tasks you can do with logs, such as back tracing logged events. The Agent’s logs are an important method for tracking your device’s activity and interaction with other devices and networks.
Viewing Logs. To view logs on the Agent: 1. Do one of the following: o Click Tools|Logs. o On the toolbar, click the drop-down arrow next to the Logs icon. Note: Click the Logs icon to display the most recently viewed log. 2. Click one of the following log types: Security Log, Traffic Log, Packet Log, or System Log. Each log opens the Log Viewer dialog box.
Table 5. Security Log Icons: Critical attack; Major attack; Minor attack; Information. Security Log Parameters and Description. The columns for logged events are: Table 6.
Table 6. Security Log Parameters and Description. MAC. Application Name: Name of the application associated with the attack. User Name: User or computer client that sent or received the traffic. Domain: Domain of the user. Security: Security level for the Agent, set to either Block All or Normal.
Icons for the Traffic Log. When you open a Traffic Log, icons are displayed at the left side of the first column. They are graphical representations of the kind of traffic logged on each line and provide an easy way to scan the Traffic Log. The Traffic Log includes information about incoming and outgoing traffic. Table 7.
Table 8.
Packet Log. The Packet Log captures every packet of data that enters or leaves a port on your device. The Packet Log is disabled by default in the Agent because of its potentially large size. You must enable the Packet Log first. Icons for the Packet Log. There is only one icon displayed in the Packet Log. It indicates the capturing of raw data packets. Table 9.
Packet Decode and Packet Dump for the Packet Log. Below the Log Viewer are two additional data fields that provide further detail regarding the selected event. In the Packet Log, these fields are labeled Packet Decode, which provides data on the type of packet logged, and Packet Dump, which records the actual data packet.
Description and Data Fields for the System Log. Below the rows of logged events are the Description and Data fields. When you click on an event row, the entire row is highlighted. A description of the event, such as "Install WsProcessSensor successful....," appears in the Description field. Enabling and Clearing Logs. The Security, Traffic, and System Logs are enabled by default. You must enable the Packet Log before you can view its contents.
Back Tracing Logged Events. Back tracing enables you to pinpoint the source of data from a logged event. Like retracing a criminal's path at a crime scene, back tracing shows the exact steps that incoming traffic has made before reaching your device and being logged by the Agent. Back tracing is the process of following a data packet backwards, discovering which routers the data took to reach your device.
The Trace route field provides details, such as the IP address, on each hop made by the data packet that was logged by the Agent. A hop is a transition point, usually a router, that a packet of information travels through as it makes its way from one computer to another on a public network, such as the Internet. 4. To view detailed information on each hop, click the WhoIs>> button.
To stop an active response: 1. On the main console, click Tools|Logs|Security. 2. Select the row for the application or service you want to unblock. Blocked traffic is shown as Blocked in the Action column. 3. On the Action menu, click Stop Active Response to unblock the selected source, or click Stop All Active Response to unblock all blocked traffic. 4. When the Active Response dialog box appears, click OK.
Chapter 6. Configuring the Agent’s Settings You can set and import security options for the Agent, including e-mail notification of attacks, customizable pop-up messages, heartbeat settings, log file configuration, file sharing options, computer control settings, and advanced security measures such as Smart DHCP and Anti-MAC spoofing. To configure the Agent: 1. Do one of the following: • On the Tools menu, click Options. • Right-click the system tray icon and click Options.
Automatically load HP Sygate Agent service at startup: Automatically launches the Agent at startup. Block Network Neighborhood traffic while in screensaver mode: Automatically sets your security level to Block All when your device's screensaver is activated. As soon as the device is used again, the security level returns to the previously assigned level. Hide all notification messages: Causes the Agent to not display any notification messages.
Hide application popup: Hides the dialog box that appears when you open an application that has been modified since you first installed it. For example, if Internet Explorer 5.0 was installed on the device and then you install Internet Explorer 6.0, the device treats Internet Explorer 6.0 as a new application with no associated rule to allow it. You can use the dialog box to allow or block the modified application. The pop-up message appears for 15 seconds, by default.
Network Interface: Specifies the network you want to access. Allow to browse Network Neighborhood files and printer(s): Enables you to browse other computers, devices, and printers on the selected network. This allows you to access other files on your network. If you disable this, you cannot copy files from network locations. Allow others to share my files and printer(s): Allows other users of the selected network to browse your device.
analyzes network packets and compares them with both known attacks and known patterns of attack, and then blocks those attacks. One of the key capabilities of the Intrusion Prevention System is its ability to perform deep packet inspection. By default, this option is enabled on the Agent. Enable port scan detection: Detects when someone is scanning your ports, and notifies you.
Automatically block attacker's IP address for... second(s): Blocks all communication from a source host once an attack has been detected. For instance, if the Agent detects a DoS attack originating from a certain IP address, the Agent blocks all traffic from that IP for the duration specified in the seconds field. By default, this option is enabled in the Agent.
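Port scan detection and the automatic block above work together: a detection event places the source address on a block list, and the entry expires after the configured number of seconds (or earlier, when you choose Stop Active Response in the Security Log). The following model is an added example, not the Agent's detection engine; the scan threshold (distinct ports per source within a time window), the window length and the block duration are assumptions, and the traffic it processes is constructed inline.

```python
"""Port-scan detection with a timed Active Response block.

Added example, not the Agent's detection engine. Thresholds are assumptions:
a source that touches scan_threshold distinct ports within scan_window seconds
is treated as a scanner and all of its traffic is dropped for block_seconds.
"""
from collections import defaultdict, deque


class ActiveResponse:
    def __init__(self, scan_threshold=10, scan_window=5.0, block_seconds=600):
        self.scan_threshold = scan_threshold
        self.scan_window = scan_window
        self.block_seconds = block_seconds
        self.blocked = {}                  # source IP -> time the block expires
        self.recent = defaultdict(deque)   # source IP -> (time, port) seen in the window

    def is_blocked(self, ip, now):
        expires = self.blocked.get(ip)
        if expires is None:
            return False
        if now >= expires:                 # the "for ... seconds" period has elapsed
            del self.blocked[ip]
            return False
        return True

    def stop_active_response(self, ip):
        """Action|Stop Active Response for one source in the Security Log."""
        self.blocked.pop(ip, None)

    def stop_all_active_response(self):
        """Action|Stop All Active Response."""
        self.blocked.clear()

    def inspect(self, now, src_ip, dst_port):
        """Return "blocked", "scan-detected" or "allowed" for one inbound packet."""
        if self.is_blocked(src_ip, now):
            return "blocked"
        window = self.recent[src_ip]
        window.append((now, dst_port))
        while window and now - window[0][0] > self.scan_window:
            window.popleft()               # forget touches older than the window
        # count distinct ports, so a client hammering one service is not a scan
        if len({port for _, port in window}) >= self.scan_threshold:
            self.blocked[src_ip] = now + self.block_seconds
            window.clear()
            return "scan-detected"
        return "allowed"


def run_demo():
    """Constructed traffic: one host sweeps ports 20-39 while another browses port 80."""
    ar = ActiveResponse(scan_threshold=10, scan_window=5.0, block_seconds=600)
    results = []
    now = 100.0
    for port in range(20, 40):
        results.append(ar.inspect(now, "198.51.100.7", port))   # the scanner
        results.append(ar.inspect(now, "192.0.2.9", 80))        # legitimate client
        now += 0.1
    return ar, results


if __name__ == "__main__":
    ar, results = run_demo()
    print("scanner :", results[0::2])
    print("client  :", results[1::2])
    print("still blocked a minute later:", ar.is_blocked("198.51.100.7", 160.0))
```

Note what the block list does and does not buy you: it stops further probes from that one address for the configured period, but a scanner that rotates source addresses, or an attacker who spoofs the address of a host you depend on, can turn the feature into a denial of service against legitimate peers. Keep the duration short enough that an accidental block of a management host clears itself, and use Stop Active Response when it does not.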
Automatically allow all known DLLs: Automatically allows DLL modules that are commonly loaded by the network application. Disabling this feature causes the engine to prompt for permission on all new DLLs that are loaded, and may cause very frequent prompting when using a complex network application, such as an Internet browser. By default, this option is enabled in the Agent.
rule specifically allowing access to that server. By default, this option is disabled on the Agent. Anti-Application Hijacking: Causes the Agent to check for malicious applications that work by injecting DLLs and Windows hooks into Windows applications, and to block those malicious applications when found. By default, this option is disabled on the Agent. Allow Token Ring Traffic: Allows Agents connecting through a token ring adapter to access the corporate network.
The first three options set the frequency of the message. Do Not Notify: Disables the e-mail notification option. Notify Immediately: Sends an e-mail message immediately following an attack on your device. After Every . . . Minutes: Sends an e-mail message at regular intervals following an attack, the intervals specified in the After Every ... Minute(s) dial. From: Specifies an e-mail address for the person sending the message.
Cc: Specifies an e-mail address to send a courtesy copy of each e-mail message. Subject: Describes the subject of the e-mail message. SMTP Server Address: Specifies your SMTP server address. My E-Mail Server Requires Authentication: Specifies whether your e-mail server requires authentication. Authentication Server Address: Specifies the address of the authentication server.
Enable ... Log: Enables the Security, Traffic, System, and Packet Logs. The Packet Log is not enabled by default. Maximum log file size is ... KB: Specifies the maximum size for the log file in kilobytes. The default setting is either 512 KB or 1024 KB. Save log file for the past ... days: For the log you want to configure, specifies the number of days to save the log. Clear Logs: Clears the selected log.
Glossary A access point: A network connection that allows a computer or user to connect to an enterprise network. Virtual Private Networks (VPNs), wireless communications, and Remote Access Service (RAS) dial-up connections are examples of access points. See also end point, wireless access point (wireless AP). Active Response: The ability to automatically block the IP address of a known intruder for a specific amount of time.
antivirus: Software and technology that is used to detect malicious computer applications, prevent them from infecting a system, and clean files or applications that are infected with computer viruses. Sygate software works together with, but does not include, antivirus software.
C client: A device or program that uses shared resources from another computer, called a server. In the context of the Agent, client refers to a Sygate Security Agent running on a device that reports to a server. computers: A personal computer, laptop, or workstation on which users perform work. In an enterprise environment, computers are connected together over a network.
DLL fingerprint: A 128-bit number that is generated by performing an MD5 hash of an entire DLL file, so that each distinct DLL has its own fingerprint in practice. The MD5 hash or fingerprint of each DLL is stored on the Sygate Security Agent and forwarded to the Sygate Management Server. If the DLL is changed in any way, the DLL fingerprint changes. Note that MD5 is no longer collision resistant: two different files can be deliberately constructed with the same MD5 value, so the fingerprint reliably detects accidental or opportunistic modification but is not a guarantee against a purpose-built substitute. See also DLL, DLL authentication, MD5 hash. domain: A group of computers that are part of a network and share a common directory database.
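The fingerprint check the glossary describes, as an added example rather than the Agent's own code: hash the whole file, compare it with the stored value, and report whether the DLL is unchanged, modified, or not yet known (the case in which the Agent would prompt, unless "Automatically allow all known DLLs" covers it). The allow list is a plain dictionary standing in for the fingerprints the Agent stores, and the DLL is a constructed file, not a real Windows module.

```python
"""DLL fingerprinting by MD5 of the whole file, as the glossary describes.

Added example, not the Agent's code. The allow list ({path: fingerprint}) is an
assumption standing in for the fingerprints the Agent stores and forwards.
"""
import hashlib
import os
import tempfile


def dll_fingerprint(path, chunk_size=1 << 20):
    """MD5 of the entire file, read in chunks so large DLLs are not loaded whole."""
    digest = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def check_dll(path, known):
    """Compare a DLL on disk with its stored fingerprint.

    Returns "allowed" (unchanged), "modified" (fingerprint differs) or
    "unknown" (no stored fingerprint, which is where the Agent would prompt).
    """
    fingerprint = dll_fingerprint(path)
    if path not in known:
        return "unknown"
    return "allowed" if known[path] == fingerprint else "modified"


def run_demo():
    """Constructed DLL stand-ins: one file is fingerprinted and then patched in place."""
    workdir = tempfile.mkdtemp()
    dll = os.path.join(workdir, "example.dll")
    other = os.path.join(workdir, "other.dll")
    with open(dll, "wb") as f:
        f.write(b"MZ" + b"\x00" * 62 + b"constructed DLL body")
    with open(other, "wb") as f:
        f.write(b"MZ" + b"\x00" * 62 + b"another constructed DLL")
    known = {dll: dll_fingerprint(dll)}       # the stored fingerprint
    before = check_dll(dll, known)
    with open(dll, "r+b") as f:               # change a single byte at offset 64
        f.seek(64)
        f.write(b"C")
    after = check_dll(dll, known)
    return before, after, check_dll(other, known)


if __name__ == "__main__":
    print(run_demo())   # ("allowed", "modified", "unknown")
```

A one-byte change is enough to produce a different digest, which is the property the Agent relies on; the caveat in the glossary entry still applies, since a deliberately crafted pair of files sharing an MD5 value would pass this check. Any fingerprint scheme designed today would use SHA-256 for the same purpose.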
F filtering logs: Viewing selected information from logged information. For example, a filter can be set up so that you can view only blocked traffic, critical information, or logged events occurring during the past day. See also logs. firewall: Hardware, software, or a combination of both that is used to prevent unauthorized Internet users from accessing a private network.
icon: A small visual image displayed on a computer screen to represent an application, a command, an object, or to indicate status. On the Sygate Management Server, icons show when Agents are online and represent groups, users, and computers. Icons shown on screens in Sygate software are also used to display status. For example, in the Sygate Secure Agent interface, blinking blue lights indicate incoming and outgoing traffic. IDS: See Intrusion Detection System (IDS).
Intrusion Prevention System (IPS): A device or software that prevents intruders from accessing systems by blocking malicious or suspicious activity. This is in contrast to an Intrusion Detection System (IDS), which only detects and notifies. The Sygate Security Agent is both an IDS and an IPS product, because it combines IDS signatures with firewall functionality and so can block an attack as well as detect it. See also Intrusion Detection System (IDS).
logs: Files that store information generated by an application, service, or operating system. The information is used to track the operations performed. Sygate Secure Enterprise provides extensive logging capabilities that track events such as security violations, changes to security policies, network traffic, client connections, and administrator activities.
O OS Fingerprint Masquerading: An option that keeps programs from identifying the operating system of a computer running the Agent. When OS Fingerprint Masquerading is enabled, the Agent alters the TCP/IP packet characteristics that fingerprinting tools compare against their database of known network stacks, so the operating system cannot be reliably determined from the device's traffic. outbound traffic: Traffic that was initiated from the local computer. See also inbound traffic. P packet: A unit of data sent over a network.
Profile Serial Number: A number that the Policy Editor automatically generates every time an Agent's security policy changes. A system administrator can check the serial number on the Help|About menu of the Agent to verify that an Agent is running an up-to-date security policy. protocol driver blocking: A security measure that blocks malicious applications from using their own protocol driver to exit the network surreptitiously.
signature library: A set of IDS signatures. Sygate provides a library of known signatures in the System Library, which can be kept up-to-date by downloading the latest version from the Sygate Technologies web site to your Sygate Management Server. Administrators can also specify new attack signatures of their own choosing in custom libraries. See also System Library. silent mode: The ability to hide the Sygate Security Agent user interface from the end user.
spoofing: A technique used by an intruder to gain unauthorized access to a computer system or network by forging network identifiers, such as the source IP address of a trusted host. IP spoofing is a common method for intruders to gain unauthorized network access to a computer system or network. Stealth Mode Browsing: An option that detects all HTTP traffic on port 80 from a web browser and removes information such as the browser name and version, the operating system, and the referring web page. Because it works on clear-text HTTP on port 80, it does not affect HTTPS traffic or HTTP sent on other ports.
System Library: A Sygate library containing preconfigured IDS signatures to help detect and prevent known attacks. System administrators can use the System Library or create custom IDS signatures to be included in custom IDS signature libraries on the Sygate Management Server. The System Library is shown using a blue icon in the interface. Sygate periodically posts an updated System Library for download on the Sygate web site. See also custom library, signature library.
User Datagram Protocol (UDP): A transport-layer protocol that uses the Internet Protocol (IP) to send datagram messages from one computer to another. UDP does not guarantee delivery, does not retransmit lost datagrams, and does not provide sequencing or duplicate protection for the packets.