Network Security software –

Sygate Personal Firewall 5.0 (SPF)

Lab Tutorial

SPF Introduction

Sygate Personal Firewall offers strong protection against intrusion attempts by hackers, script kiddies, and crackers. It combines bi-directional intrusion detection, vulnerability assessment, and extensive logging and forensics capabilities.

·  Protects against Trojans, spyware, worms and other known & unknown threats

·  Prevents unauthorized or malicious applications from bypassing the firewall

·  Enables even inexperienced users to easily customize and fine-tune security policies

·  Provides best of breed evidence logs for intrusion analysis

·  Easiest-to-use PC firewall and still free for personal/home use

Download and Installation

SPF 5.0 is free for download and personal/home use. You can download it at http://soho.sygate.com/products/shield_ov.htm. (You’ll be redirected to download.com)

As with any other Windows application, installation is straightforward. Double-click the downloaded file, spf.exe, to start the installer. The steps you will go through are shown below.

After restarting your computer, the SPF icon appears in the system tray.

Uninstallation is also simple. Select Uninstall Sygate Personal Firewall from the program menu and answer "Yes" in the dialog box that follows. You need to restart your computer to fully remove it.

Features of SPF

Main Console

The main console of Sygate Personal Firewall provides constant, real-time updates on your computer's network traffic, application status, and security level. From the main console, you can navigate to anywhere else within the firewall.

Traffic History Graphs

The most noticeable feature of Sygate Personal Firewall is the set of Traffic History graphs that are located below the toolbar on the main console.

The Traffic History graphs produce a real time picture of the last two minutes of your traffic history. The graphs reload new information every second, providing instant data, as measured in bytes, regarding your incoming and outgoing network traffic. Additionally, the Attack History graph on the right side of the console provides information on attempted attacks against your machine.

Hide Broadcast Traffic: Below the Traffic History graphs are two checkboxes. The Hide Broadcast Traffic checkbox, if checked, will prevent broadcast traffic from being displayed in the Traffic History graphs. This will minimize the appearance of traffic by limiting the display to unicast traffic only.

Running Applications List

The Running Applications list, which is located below the traffic flow graphs, displays all applications and services that are currently accessing (or attempting to access) your network connection. The status of the applications is also displayed:

The icons in the Running Applications list mean the following:

·  A normal icon: the application has a status of "Allow" and is accessing your network connection.

·  A yellow question mark over the icon: the application has a status of "Ask" and is accessing your network connection.

·  A red circle and cross mark over the icon: the application is being blocked.

·  Small blue dots over the lower-left or lower-right corner of the icon: the application is receiving (left dot) or sending (right dot) traffic through your network connection.

You can change the size of the icons and the information displayed within the Running Applications field by right-clicking within the field and selecting the desired view from the list of options provided. Alternately, you can open the view menu at the top of the main console, and select the desired view from the list provided.

Logs

Understanding Logs

In Sygate Personal Firewall, a log is a record of information attempting to enter or exit your computer through your network connection. There are four separate logs that monitor different aspects of your network connection.

Logs are an important method for tracking your computer's activity and its interaction with other computers and networks. They are particularly useful in detecting potentially threatening activity, such as port scanning, that is aimed at your computer.

To view the different logs available in Sygate Personal Firewall, click on the Logs icon on the toolbar at the top of the main screen.

Click the Logs icon to view the Security Log, or click the down arrow next to it and select the log type you want.

There are four different log types in Sygate Personal Firewall: System Log, Security Log, Traffic Log, and Packet Log.

System Log

The System Log records all operational changes, such as the starting and stopping of services, detection of network applications, software configuration modifications, and software execution errors. The System Log is especially useful for troubleshooting Sygate Personal Firewall.

Traffic Log

The Traffic Log records every packet of information that enters or leaves a port on your computer, as a one-line entry per packet.

Packet Log

The Packet Log captures every packet of data that enters or leaves a port on your computer, including the packet's contents rather than only a summary line. Because of the size it grows to, the Packet Log is disabled by default in Sygate Personal Firewall.

To enable the Packet Log, open the Options window by selecting Options... from the Tools menu. Click on the Log File tab and click the check box next to the text Enable Packet Log. Then click Apply.

Security Log

The Security Log records potentially threatening activity directed at your computer, such as port scanning or denial of service attacks. The Security Log is probably the most important log file in Sygate Personal Firewall.
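As an added illustration, not part of the original tutorial and not Sygate's own code, the following Python script shows the kind of check a Security Log is meant to support: flagging a source that touches many distinct ports in a short time. The log lines are constructed for the example and use an assumed layout (date, time, action, remote IP, local port, protocol), not Sygate's real log format; the 60-second window and the threshold of 10 distinct ports are also assumptions.

```python
"""Flag port scans in a block log: one source hitting many distinct ports in a short window."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample records: "<date> <time> <action> <remote-ip> <local-port> <proto>".
# This layout is an assumption made for the example, not Sygate's actual log format.
SAMPLE_LOG = """\
2003-05-12 22:01:03 Blocked 198.51.100.7 21 TCP
2003-05-12 22:01:04 Blocked 198.51.100.7 22 TCP
2003-05-12 22:01:05 Blocked 198.51.100.7 23 TCP
2003-05-12 22:01:06 Blocked 198.51.100.7 25 TCP
2003-05-12 22:01:08 Blocked 198.51.100.7 53 UDP
2003-05-12 22:01:09 Blocked 198.51.100.7 80 TCP
2003-05-12 22:01:11 Blocked 198.51.100.7 110 TCP
2003-05-12 22:01:12 Blocked 198.51.100.7 135 TCP
2003-05-12 22:01:14 Blocked 198.51.100.7 139 TCP
2003-05-12 22:01:15 Blocked 198.51.100.7 143 TCP
2003-05-12 22:01:17 Blocked 198.51.100.7 443 TCP
2003-05-12 22:01:18 Blocked 198.51.100.7 445 TCP
2003-05-12 22:02:40 Blocked 192.0.2.9 80 TCP
2003-05-12 22:02:41 Blocked 192.0.2.9 80 TCP
2003-05-12 22:02:43 Blocked 192.0.2.9 80 TCP
2003-05-12 22:05:10 Blocked 203.0.113.4 22 TCP
"""


def parse_log(text):
    """Turn the constructed log text into a list of record dictionaries."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        date, clock, action, src, port, proto = line.split()
        records.append({
            "time": datetime.strptime(f"{date} {clock}", "%Y-%m-%d %H:%M:%S"),
            "action": action,
            "src": src,
            "port": int(port),
            "proto": proto,
        })
    return records


def find_port_scans(records, min_ports=10, window=timedelta(seconds=60)):
    """Return {source_ip: details} for every source that touched at least
    `min_ports` distinct local ports within some span of length `window`.
    A sliding window with a per-port Counter means repeated hits on one port
    (retries to port 80, say) never count as a scan."""
    by_src = defaultdict(list)
    for rec in records:
        by_src[rec["src"]].append(rec)

    alerts = {}
    for src, events in by_src.items():
        events.sort(key=lambda r: r["time"])
        ports_in_window = Counter()
        start = 0
        for ev in events:
            ports_in_window[ev["port"]] += 1
            # Expire events that are now older than the window.
            while ev["time"] - events[start]["time"] > window:
                old = events[start]["port"]
                ports_in_window[old] -= 1
                if ports_in_window[old] == 0:
                    del ports_in_window[old]
                start += 1
            if len(ports_in_window) >= min_ports:
                info = alerts.setdefault(src, {
                    "first_seen": events[start]["time"],
                    "last_seen": ev["time"],
                    "ports": set(),
                })
                info["last_seen"] = ev["time"]
                info["ports"].update(ports_in_window)

    return {src: {**info, "ports": sorted(info["ports"])} for src, info in alerts.items()}


if __name__ == "__main__":
    for src, info in find_port_scans(parse_log(SAMPLE_LOG)).items():
        print(f"port scan from {src}: {len(info['ports'])} ports between "
              f"{info['first_seen']:%H:%M:%S} and {info['last_seen']:%H:%M:%S}")
```

Running the script reports 198.51.100.7 (12 ports in 15 seconds) and stays silent about 192.0.2.9, whose three hits all go to port 80. Tuning the window and threshold is what separates a real scan from a chatty but harmless peer.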

Back Tracing Attack Attempts and Displaying Hop Information

From the Security Log file, click on the event you want to back trace so that the entire row is highlighted.

·  Either right-click the row and select Back Trace from the pop-up window, or click the Action menu and select Back Trace.

·  Sygate Personal Firewall will back trace the event. The Back Trace Information window opens, displaying a traceroute log of the hops between your computer and the source address.

·  To view detailed information on the originating IP address, click the Whois> button at the bottom of the Back Trace Information window. A drop-down panel appears, displaying registration details for the owner of the IP address from which the security event originated.

·  Click the Whois< button again to hide the information.

Note: Back Tracing is also available from the Traffic Log and the Packet Log. Keep in mind that a source address in a scan can be spoofed or belong to a NAT gateway, so the whois result identifies the network that owns the address, not necessarily the person behind the attempt.

Setup Traffic Control Rules – Rule Configuration

To create a rule, you must first specify the kind of traffic that the rule should affect. There are several characteristics of traffic, each of which you can use to describe the traffic you want to control. The Advanced Rule Settings window has five tabs where you specify these characteristics: General, Hosts, Ports and Protocols, Scheduling, and Applications.

Adding Rules

When you create an advanced rule, first decide what effect you want the rule to have. Do you want to block all traffic when your screensaver is on? Would you like to allow all traffic from a particular source? Do you want to block UDP packets from a web site?

For example, suppose you want to block all traffic to and from the IP range 172.16.*.* through 172.31.*.* (the private 172.16.0.0/12 block) on TCP port 22 (SSH), and apply the rule every day from 10 PM until 8 AM the next morning.

To begin, open the Tools menu at the top of the main console, and select Advanced Rules. The Advanced Rules window will open.

Click the Add button. The Advanced Rule Settings window opens. In General tab, you can name the rule.

In the Hosts tab, you specify the IP range of the remote hosts that the rule applies to.

In the Ports and Protocols tab, you specify which protocols and ports the rule restricts. In this case, we block all TCP traffic on remote port 22.

In the Scheduling tab, you set when the rule is active. We apply it every day from 10 PM until 8 AM the next morning.

In the Applications tab, if you do not select any application, the rule applies to all applications.

Once you finish the configuration, click "OK" to return to the Advanced Rules dialog box. The rule you just created is listed there, and a brief summary appears when you hover the mouse over it.
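To make the rule's semantics concrete, here is an added Python example that models the rule built above and evaluates packets against it. This is illustration code, not Sygate's rule engine: the packet dictionary layout, the first-match-wins evaluation, and the helper names are assumptions. It shows two points worth checking on any such rule: that 172.16.*.* through 172.31.*.* is exactly 172.16.0.0/12, and that a 10 PM to 8 AM window crosses midnight and must be matched accordingly.

```python
"""Model the tutorial's advanced rule (block TCP/22 to or from 172.16/12 overnight)
and check packets against it. Added example, not Sygate code."""
from datetime import datetime, time
from ipaddress import ip_address, ip_network

# 172.16.*.* through 172.31.*.* is exactly the RFC 1918 block 172.16.0.0/12.
PRIVATE_172 = ip_network("172.16.0.0/12")

BLOCK_SSH_AT_NIGHT = {
    "name": "Block SSH to/from 172.16/12 overnight",   # General tab
    "action": "block",
    "remote_hosts": [PRIVATE_172],                     # Hosts tab
    "protocol": "tcp",                                 # Ports and Protocols tab
    "remote_ports": {22},
    "start": time(22, 0),                              # Scheduling tab: 22:00 ...
    "end": time(8, 0),                                 # ... until 08:00 next morning
    "applications": None,                              # Applications tab: None = all
}


def in_schedule(now, start, end):
    """True when `now` (a datetime.time) lies inside [start, end).
    A window whose end is earlier than its start (22:00 to 08:00) wraps past midnight."""
    if start <= end:
        return start <= now < end
    return now >= start or now < end


def rule_matches(rule, pkt):
    """pkt is an assumed dict: remote_ip, remote_port, protocol, app, when (datetime)."""
    if rule["protocol"] != "any" and pkt["protocol"] != rule["protocol"]:
        return False
    if rule["remote_ports"] and pkt["remote_port"] not in rule["remote_ports"]:
        return False
    addr = ip_address(pkt["remote_ip"])
    if rule["remote_hosts"] and not any(addr in net for net in rule["remote_hosts"]):
        return False
    if rule["applications"] and pkt["app"] not in rule["applications"]:
        return False
    return in_schedule(pkt["when"].time(), rule["start"], rule["end"])


def decide(rules, pkt, default="allow"):
    """First matching rule wins; otherwise fall through to the default action."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule["action"]
    return default


def ssh_packet(remote_ip, hour, minute, protocol="tcp", port=22, app="ssh.exe"):
    """Build a constructed packet record at the given clock time on a fixed date."""
    return {
        "remote_ip": remote_ip,
        "remote_port": port,
        "protocol": protocol,
        "app": app,
        "when": datetime(2003, 5, 12, hour, minute),
    }


if __name__ == "__main__":
    rules = [BLOCK_SSH_AT_NIGHT]
    for ip, hh, mm in [("172.20.1.5", 23, 30), ("172.20.1.5", 12, 0), ("172.32.0.1", 23, 30)]:
        print(f"{ip}:22 at {hh:02d}:{mm:02d} -> {decide(rules, ssh_packet(ip, hh, mm))}")
```

The boundary cases are the ones to verify after saving a rule in the firewall itself: 172.31.255.255 is inside the range while 172.32.0.1 is not, 22:00 is blocked while 08:00 is allowed again, and UDP to port 22 is untouched because the rule names TCP only.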

Scan Your Computer to Test for Vulnerabilities

(an online service provided by Sygate)

SOS Vulnerability Assessment

Assessing your vulnerability to attack and testing your firewall are some of the most important things you can do to ensure that you are protected from possible intruders.

Click the Test button located on the main console of Sygate Personal Firewall, or select Test Your System Security from the Tools menu.

The Sygate® Technologies web page (http://scan.sygatetech.com/) will load, and the Sygate® Online Services scanner will scan your computer and attempt to determine your IP address, operating system, and web browser.

Six Different Scans

There are six different scans available through Sygate® Online Services, listed along the left side of the main scan page. To view a brief description of the scan, click the name once. The description will load on the right side of the screen.

To Scan

To utilize a scan, click on the name of the scan and then click the Scan Now button.

A brief document of frequently asked questions about Sygate® Online Services can also be accessed from the main scan page by clicking the link labeled Scan FAQ at the bottom left of the screen.

Quick scan

Quickscan is a brief, general scan that encompasses several scan processes. The Quickscan feature usually takes 40 seconds or less to accurately scan your computer’s ports, protocols, services, and possible Trojans. Quickscan will be recorded in Sygate Personal Firewall's Security Log.

Stealth scan

Stealth scan scans your computer using specialized stealthing techniques, which mimic portions of legitimate computer communication in order to detect the presence of a computer. The Stealth scan takes about 40 seconds to complete, and will most likely not be recorded in the Security log.

Trojan scan

The Trojan scan feature scans all of your computer’s 65,535 ports for active Trojan horse programs that you or someone else may have inadvertently downloaded onto your computer. The Trojan scan takes about 10 minutes to complete. A list of common Trojans is available on the Web site.

TCP scan

The TCP scan examines the 1,024 well-known ports (0 through 1023), which are mainly reserved for standard TCP services, to see whether any of them accept connections. An open port means a service on your computer is reachable from the Internet, and any weakness in that service is then exposed to attackers.

SOS TCP scan will scan devices such as routers and proxies for users connecting to the Web site through such a device. The scan takes roughly 20 minutes to complete and is logged by Sygate Personal Firewall as a scan event in the Security log.
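To see what the TCP scan measures, here is an added Python example, not Sygate's scanner, that performs a TCP connect scan and separates the three answers a firewall tester cares about: open (the handshake completes), closed (the host answers with a reset) and filtered (no answer, which is what a firewall dropping packets looks like from outside). It starts a throwaway listener on the loopback address so it runs offline; the host, port list and timeout are assumptions for the example. Only scan hosts you are authorized to test.

```python
"""TCP connect scan that tells open, closed and filtered ports apart.
Added example, not Sygate's scanner; a loopback listener makes it self-contained."""
import socket
import threading


def classify_port(host, port, timeout=0.5):
    """Return "open", "closed" or "filtered" for one TCP port.
    open     - handshake completed: a service is listening
    closed   - RST came back: host reachable, nothing listening
    filtered - no reply within the timeout: the SYN was dropped, which is
               what a firewall in stealth mode looks like from the outside"""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "closed"
    except socket.timeout:
        return "filtered"
    except OSError:
        # Host/network unreachable and similar errors; treated as filtered here.
        return "filtered"
    finally:
        s.close()


def scan(host, ports, timeout=0.5):
    """Scan each port in turn and return {port: state}."""
    return {port: classify_port(host, port, timeout) for port in ports}


def summarize(results):
    """Count ports per state, the way a scan report is usually read."""
    summary = {"open": 0, "closed": 0, "filtered": 0}
    for state in results.values():
        summary[state] += 1
    return summary


def start_loopback_listener():
    """Bind a throwaway TCP service on 127.0.0.1 so there is an open port to find.
    Returns (server_socket, port); close the socket to stop the listener."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:  # server socket was closed
                return
            conn.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv, port


def unused_loopback_port():
    """Ask the OS for a free port and release it, so it is closed when scanned."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


def self_test_loopback():
    """Scan one listening and one closed loopback port; return their states."""
    srv, open_port = start_loopback_listener()
    closed_port = unused_loopback_port()
    try:
        results = scan("127.0.0.1", [open_port, closed_port])
    finally:
        srv.close()
    return results[open_port], results[closed_port]


if __name__ == "__main__":
    srv, open_port = start_loopback_listener()
    closed_port = unused_loopback_port()
    results = scan("127.0.0.1", [open_port, closed_port])
    srv.close()
    for port, state in results.items():
        print(f"127.0.0.1:{port} {state}")
    print(summarize(results))
```

Against a machine behind a working firewall, a scan of ports 1 through 1023 should come back entirely "filtered": no service answers and no reset is sent. A mix of "closed" answers shows the host is reachable and the firewall is not dropping packets, even if nothing is listening.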

UDP scan

The UDP scan uses various methods and protocols to probe for open ports utilizing UDP. SOS UDP scan will scan devices such as routers and proxies for users connecting to the Web site through such a device. The scan takes about 10 minutes and should be logged in the Security log as a portscan from Sygate®.

ICMP scan

Scan Results

When an SOS scan has finished scanning a user's computer, it displays a page with the results of the scan. If the user is running Sygate Personal Firewall, all scans should be blocked.