Personal Firewalls Tests: Sygate
By Seán Boran
April 23, 2001 - This article is part of a series of tests on Personal
Firewalls/Intrusion Detection Systems. Refer to [1]
for an introduction to Personal Firewalls, risks, tips on "hardening" your
Windows even without a firewall, a feature comparison and a summary of analyses.
This report focuses on the Sygate Personal Firewall.
April 23, 2001: This report was extensively updated after
tests of the new, vastly improved Version 4.
Security Effectiveness Tests
Key criteria in choosing a personal firewall are:
- Effectiveness of security protection: penetration, Trojans, controlling leaks, denial of
service.
- Effectiveness of intrusion detection: few false positives, alerting of dangerous
attacks.
- Effectiveness of reaction: discovering identity of attacker, blocking attacks, ease of
use.
- User interface: ease of use, instructiveness, simplicity, quality of online help. Can
rules be easily added/removed/checked? Does the interface suit the way you use your
PC? Do you understand the questions the software asks and what it is doing?
- Price: how much are you willing to pay initially, and each year for support/updates?
How did we test firewall/intrusion detection effectiveness?
- Ping and accessing shares to and from the test host.
- A powerful, well-known "remote control" Trojan (Netbus
Pro v2.1) [3] was installed on the system on a
nonstandard port (to make detection more difficult), the Netbus
server started and attempts made to connect from a remote system.
- An nmap [2] scan was run, to check that
incoming ports were effectively blocked. With no firewall installed, the test PC (NT4 SP5)
presented nmap the following (nmap -sT -P0 -O IP_ADDR):
Port State Service
7/tcp open echo
9/tcp open discard
13/tcp open daytime
17/tcp open qotd
19/tcp open chargen
135/tcp open loc-srv
139/tcp open netbios-ssn
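As an added illustration (not part of the original article, and not nmap's own code), the Python script below parses an nmap port table of the kind shown above and compares two scans, so the "no open ports" outcome of the firewall test can be checked mechanically rather than by eye. The "before" table is the one listed above; the "Interesting ports" header line, the host name and address, and the empty "after" table are constructed assumptions about what nmap 2.x prints.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed sample: the port table the article lists for the unprotected
# NT4 SP5 test host. The "Interesting ports" header, host name and address
# are assumptions, not copied from the article.
SCAN_NO_FIREWALL = """\
Interesting ports on testpc (192.0.2.10):
Port       State       Service
7/tcp      open        echo
9/tcp      open        discard
13/tcp     open        daytime
17/tcp     open        qotd
19/tcp     open        chargen
135/tcp    open        loc-srv
139/tcp    open        netbios-ssn
"""

# Constructed sample: the same scan with the firewall active, where the
# article reports that nmap found no open ports (empty table assumed).
SCAN_WITH_FIREWALL = """\
Interesting ports on testpc (192.0.2.10):
Port       State       Service
"""

PORT_LINE = re.compile(r"^\s*(\d+)/(tcp|udp)\s+(\w+)\s+(\S+)")
PortKey = Tuple[int, str]


def parse_ports(scan_text: str) -> Dict[PortKey, Tuple[str, str]]:
    """Parse the nmap port table into {(port, proto): (state, service)}.
    Header and blank lines are skipped because they do not start with a number."""
    ports: Dict[PortKey, Tuple[str, str]] = {}
    for line in scan_text.splitlines():
        m = PORT_LINE.match(line)
        if m:
            port, proto, state, service = m.groups()
            ports[(int(port), proto)] = (state.lower(), service)
    return ports


def open_ports(scan_text: str) -> Set[PortKey]:
    """Only 'open' counts as exposed; 'filtered' and 'closed' lines are excluded."""
    return {key for key, (state, _) in parse_ports(scan_text).items() if state == "open"}


def firewall_diff(before: str, after: str) -> Tuple[List[PortKey], List[PortKey], List[PortKey]]:
    """Compare two scans: (ports now blocked, ports still open, ports newly open)."""
    b, a = open_ports(before), open_ports(after)
    return sorted(b - a), sorted(b & a), sorted(a - b)


def exposure_report(before: str, after: str) -> str:
    """Human-readable summary; the verdict fails if anything is still reachable."""
    blocked, still_open, newly_open = firewall_diff(before, after)

    def fmt(keys: List[PortKey]) -> str:
        return ", ".join(f"{port}/{proto}" for port, proto in keys) or "none"

    verdict = "PASS: no open ports" if not (still_open or newly_open) else "FAIL: host still exposed"
    return "\n".join([
        f"blocked by firewall: {fmt(blocked)}",
        f"still open: {fmt(still_open)}",
        f"newly open: {fmt(newly_open)}",
        f"RESULT {verdict}",
    ])


if __name__ == "__main__":
    print(exposure_report(SCAN_NO_FIREWALL, SCAN_WITH_FIREWALL))
```

Run it with the two captured tables (here the constructed ones) and the report lists the seven services that the firewall hid; a "still open" or "newly open" entry, or a scan run after a configuration change, is the thing worth looking for in practice.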
Sygate Personal Firewall
We start off with an excerpt from the Sygate Personal Firewall Website [4]:
Sygate Personal Firewall protects your Windows-based PCs and servers with five
customizable security-level settings providing multiple security layers to your Internet
connected computer. Sygate Personal Firewall allows or denies every incoming or outgoing
Internet packet based on your security-level settings (ports, protocols, IP address,
time-of-day, application). It can also link Internet access privileges with specific
application programs and allow or block applications from accessing the Internet.
Features
The Sygate Firewall costs $39.95, or $45.95 including 1 year of updates. It is
free for personal use. We originally tested V2.1 (build 468) on NT4 SP5; we have since also
tested the newer V4.0 (build 460) on Win2k.
- Supports Windows 95/98/ME and NT4 or 2000.
- Interactive Learning Mode: Prompts the user if any unauthorized applications are trying
to access the Internet.
- Installation is easy.
- Email notification of alerts.
- Trusted addresses and ranges may also be added per application.
- Applications: applications which try to access the network are added to the trusted or
blocked list, according to the answer the user gives when prompted.
- Security Schedule: All internet traffic can be blocked at certain times (e.g. at night)
or when the screen saver is enabled.
- The configuration can be password protected.
- Centralized management [5]: The Sygate
Enterprise Network allows centralised (remote) management via a tool that consists of an
SQL backend (Oracle, MS-SQL, Microsoft Data Engine etc.), an NT service and a Java-based
interface to the management service. The admin can define "provisions" (i.e.
policies) for every PF user or for groups of users. These policies can be pushed to the
clients quickly because the PF polls the management service often, letting it know it is
alive. If there are updates, it can instruct the PF to apply the new policies.
- Other tests:
- Leaking information outbound over standard ports: all protocols remain blocked by
the filter engine until the application detection module allows them, i.e. the user must
approve an application's use of network ports.
- Masquerading as a trusted or standard program: replacing a trusted program with a trojan
was detected by Sygate, even with the exact same name and path. It is unknown whether a
cryptographic hash or weaker mechanisms such as size or CRC are used to identify
applications.
- Granting Access during logon: unknown application traffic is blocked during logon.
Security Effectiveness
- Outgoing ping and access to shares was allowed, incoming blocked.
- The Netbus server could be started without an alert, however when an attempt was made to
remotely connect to the Netbus server (to simulate an attacker taking remote control),
Sygate prompted the user to accept or deny the connection, citing the application
executable path, port and source IP address. A "details" window even allows
viewing of the IP packet details! The user must decide if the Netbus server is allowed to
connect to the network (Yes or No) and can optionally "remember the answer", in
which case an appropriate permanent firewall rule is created.
The procedure is quite good, except that it would be useful if Sygate recognised actual
trojans and remote control programs such as Netbus and warned the user of the risks of such
programs. The non-expert user might be tempted to say "Yes" if the alert message
is not understandable.
Successive subsequent attempts to connect to Netbus were blocked, even though I didn't ask
Sygate to remember the "No" I selected. This means that Sygate denies access for
the current login session, which may be useful.
- An nmap scan identified no open ports and was not able to detect the OS version. When
scanned for open ports, Sygate silently logs attempts to connect to non-active ports and
flashes the Tray Icon red. When nmap tries to connect to active network ports, the
standard alert box (described in the Netbus test above) pops up. Unfortunately there is no
way for the user to block all packets from the attacker; an alert will pop up for each
active port.
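To make the application-control behaviour described in the feature list and in the Netbus test concrete, here is an added Python model, written for this page and not Sygate's own code, of a firewall that identifies programs by a cryptographic hash of the executable image, creates a permanent rule only when the user chooses to remember an answer, and otherwise denies a refused connection for the rest of the login session. The executable images, paths, addresses and the Netbus port are constructed placeholders (the article does not give the nonstandard port), and whether Sygate itself hashes the image is, as noted above, not known from the tests; the point of the model is that a same-name, same-path, same-size replacement is still seen as a different program.

```python
import hashlib
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set, Tuple


def fingerprint(image: bytes) -> str:
    """Identify an executable by a cryptographic hash of its bytes rather than by
    name, path or size, so a replaced binary is treated as a different program."""
    return hashlib.sha256(image).hexdigest()


@dataclass(frozen=True)
class Connection:
    app_path: str      # path the OS reports for the process image
    image: bytes       # contents of that image (constructed bytes in the demo)
    port: int          # local port on the PC
    remote_ip: str
    inbound: bool      # True for a connection arriving from the network


RuleKey = Tuple[str, int, bool]                          # (fingerprint, port, inbound)
Prompt = Callable[[Connection, str], Tuple[bool, bool]]  # alert box -> (allow, remember)


@dataclass
class AppFirewall:
    approved: Dict[str, str] = field(default_factory=dict)     # path -> fingerprint when last approved
    rules: Dict[RuleKey, bool] = field(default_factory=dict)   # answers the user asked to remember
    session_denied: Set[RuleKey] = field(default_factory=set)  # "No" answers not remembered

    def new_session(self) -> None:
        """Session-scoped denials do not survive a logoff/logon."""
        self.session_denied.clear()

    def decide(self, conn: Connection, prompt: Prompt) -> str:
        fp = fingerprint(conn.image)
        key: RuleKey = (fp, conn.port, conn.inbound)
        if key in self.rules:                  # permanent rule from "remember the answer"
            return "allow" if self.rules[key] else "deny"
        if key in self.session_denied:         # refused earlier this session: no new prompt
            return "deny"
        earlier = self.approved.get(conn.app_path)
        if earlier is None:
            reason = "unknown application"
        elif earlier != fp:
            reason = "executable changed since it was approved"
        else:
            reason = "approved before, but the answer was not remembered"
        allow, remember = prompt(conn, reason)
        if allow:
            self.approved[conn.app_path] = fp
        if remember:
            self.rules[key] = allow
        elif not allow:
            self.session_denied.add(key)
        return "allow" if allow else "deny"


# Constructed images, paths and addresses for the demo; no real programs involved.
BROWSER_IMAGE = b"BROWSER-EXE-v1.0 " + b"\x00" * 40
TROJAN_IMAGE = b"TROJAN-EXE-v1.0  " + b"\x00" * 40    # deliberately the same length
NETBUS_IMAGE = b"NBSVR-EXE-v2.1"
NETBUS_PORT = 20034  # placeholder: the article does not give the nonstandard port used

BROWSER = Connection(r"C:\Program Files\Browser\browser.exe", BROWSER_IMAGE, 1041, "192.0.2.50", False)
MASQUERADE = Connection(BROWSER.app_path, TROJAN_IMAGE, 1041, "192.0.2.50", False)
NETBUS = Connection(r"C:\Temp\nbsvr.exe", NETBUS_IMAGE, NETBUS_PORT, "198.51.100.7", True)


def run_demo() -> Dict[str, str]:
    """Replay the article's scenarios; returns {step: decision} plus the prompts shown."""
    seen: List[str] = []

    def ask(answer: Tuple[bool, bool]) -> Prompt:
        def prompt(conn: Connection, reason: str) -> Tuple[bool, bool]:
            seen.append(reason)
            return answer
        return prompt

    fw, out = AppFirewall(), {}
    out["browser, Yes+remember"] = fw.decide(BROWSER, ask((True, True)))
    out["browser again (no prompt)"] = fw.decide(BROWSER, ask((True, False)))
    out["trojan at same path+size"] = fw.decide(MASQUERADE, ask((False, False)))
    out["netbus inbound, No"] = fw.decide(NETBUS, ask((False, False)))
    out["netbus retry, same session"] = fw.decide(NETBUS, ask((True, False)))  # no prompt reaches the user
    fw.new_session()
    out["netbus retry, new session"] = fw.decide(NETBUS, ask((False, False)))
    out["prompts shown"] = "; ".join(seen)
    return out


if __name__ == "__main__":
    for step, decision in run_demo().items():
        print(f"{step}: {decision}")
```

Keying rules on the fingerprint rather than the path is what makes the masquerade case prompt again: the replacement inherits nothing from the approved browser, and the prompt text can say why, which is the kind of warning the article asks for in the Netbus discussion.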
Advantages
- Useful for beginners, advanced users and corporate users.
- Corporate options: see management tools.
- Comprehensive logging: security, system, traffic, packet logs.
- Security Schedule: All internet traffic can be blocked at certain times (e.g. at night)
or when the screen saver is enabled.
- The 'running applications' window shows what applications are using which ports to
communicate with local or remote systems.
Disadvantages
- Logging: configuration changes are not noted in the system log.
- GUI: main window not resizable.
- Protection
- There is no way to specify rules that apply to all applications, for example deny all
outgoing RealAudio or allow all outgoing SSH (no matter which SSH program is used).
- Trusted addresses cannot be configured for all applications at once; this must be done on a
per-application basis.
- Alert dialog:
- It should offer options to either block all traffic from this address or trust all traffic
from this address.
- During an attack, the tray icon flashes red. It would be useful if the hint displayed
when the mouse hovers over the tray icon changed from "Sygate Personal Firewall"
to something like "Alert info: system being scanned by IP XXXX" (and the level
of the alert would also be indicated).
- During an attack, if the user double clicks on the tray icon, the firewall configuration
screen is shown, but with no obvious way for the user to block the attacker or get more
details. He/she has to know to go hunting in the logs->security log or logs->traffic
log.
- The security log window is quite good: it allows a traceroute and "whois" to
be run on attack sources. However, it would also be useful to have an option to block all
packets from this source. The same applies to the traffic log.
- One reader wrote in to say that on Win98, Sygate can slow down Internet
performance considerably.
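The disadvantages above come back repeatedly to one gap: the firewall logs each probe and raises one alert per active port, but offers no way to block the scanning address as a whole. As an added example, not Sygate's code and not its log format, the Python below aggregates blocked and allowed connection attempts per source address from a security log, flags sources that probe several distinct ports within a short window, and turns each into a single block-everything rule. The log format, addresses and timestamps are constructed for the demonstration; the threshold and window are assumptions to tune.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Iterator, List

# Constructed sample security-log lines in an invented format (not Sygate's):
# "<date> <time> <action> <proto> <src ip>:<src port> -> <dst ip>:<dst port>".
# 10.0.0.5 probes the seven ports from the article within a few seconds,
# 10.0.0.9 makes two ordinary connections, 10.0.0.7 probes slowly over minutes.
SAMPLE_LOG = """\
2001-04-23 10:15:01 blocked tcp 10.0.0.5:4021 -> 192.0.2.10:7
2001-04-23 10:15:01 blocked tcp 10.0.0.5:4022 -> 192.0.2.10:9
2001-04-23 10:15:02 blocked tcp 10.0.0.5:4023 -> 192.0.2.10:13
2001-04-23 10:15:02 blocked tcp 10.0.0.5:4024 -> 192.0.2.10:17
2001-04-23 10:15:03 blocked tcp 10.0.0.5:4025 -> 192.0.2.10:19
2001-04-23 10:15:03 blocked tcp 10.0.0.5:4026 -> 192.0.2.10:135
2001-04-23 10:15:04 blocked tcp 10.0.0.5:4027 -> 192.0.2.10:139
2001-04-23 10:15:30 allowed tcp 10.0.0.9:1045 -> 192.0.2.10:139
2001-04-23 10:16:10 blocked tcp 10.0.0.9:1046 -> 192.0.2.10:135
2001-04-23 10:20:00 blocked tcp 10.0.0.7:3001 -> 192.0.2.10:21
2001-04-23 10:22:00 blocked tcp 10.0.0.7:3002 -> 192.0.2.10:23
2001-04-23 10:24:00 blocked tcp 10.0.0.7:3003 -> 192.0.2.10:25
2001-04-23 10:26:00 blocked tcp 10.0.0.7:3004 -> 192.0.2.10:80
2001-04-23 10:28:00 blocked tcp 10.0.0.7:3005 -> 192.0.2.10:110
"""

LINE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (blocked|allowed) (tcp|udp) "
    r"([\d.]+):(\d+) -> ([\d.]+):(\d+)$"
)


@dataclass(frozen=True)
class Event:
    ts: datetime
    action: str
    proto: str
    src: str
    dport: int


def parse_log(text: str) -> Iterator[Event]:
    """Yield one Event per well-formed line; lines in another format are skipped."""
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        ts, action, proto, src, _sport, _dst, dport = m.groups()
        yield Event(datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), action, proto, src, int(dport))


def scan_sources(text: str, threshold: int = 5,
                 window: timedelta = timedelta(seconds=60)) -> Dict[str, List[int]]:
    """Sources that touched at least `threshold` distinct ports within any `window`.
    Both blocked and allowed attempts count, since a scan hits active ports too.
    Returns {source ip: sorted list of every port that source probed}."""
    by_src: Dict[str, List[Event]] = defaultdict(list)
    for ev in parse_log(text):
        by_src[ev.src].append(ev)
    flagged: Dict[str, List[int]] = {}
    for src, events in by_src.items():
        events.sort(key=lambda e: e.ts)
        for i, ev in enumerate(events):
            recent = {e.dport for e in events[: i + 1] if ev.ts - e.ts <= window}
            if len(recent) >= threshold:
                flagged[src] = sorted({e.dport for e in events})
                break
    return flagged


def block_rules(flagged: Dict[str, List[int]]) -> List[str]:
    """One 'block everything from this address' rule per scanner: the single
    action the article wishes the alert dialog and log windows offered."""
    return [f"block all from {src}" for src in sorted(flagged)]


if __name__ == "__main__":
    hits = scan_sources(SAMPLE_LOG)
    for src, ports in hits.items():
        print(f"{src} probed ports {ports}")
    print("\n".join(block_rules(hits)))
```

With the defaults only the fast scanner is flagged; widening the window and lowering the threshold also catches the slow one, at the price of more false positives from hosts that legitimately talk to several services, which is the trade-off behind the "few false positives" criterion earlier in the article.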
Summary
Sygate version 4 is a comprehensive personal firewall, vastly improved over the previous
v2 (which was rough around the edges). It is one of the best firewalls tested so far.
References
[1] Personal Firewalls/Intrusion Detection Systems (the base reference
for this article).
pf_main20001023.html
[2] Nmap
http://www.insecure.org/nmap
[3] Netbus Pro: remote control program often used as an attack tool to
control remote PCs.
http://netbus.nu/
[4] Sygate Technologies
http://www.sygate.com/products/shield_ov.htm
[5] Sygate Enterprise Network
http://www.sygate.com/products/sms_ov.htm
About the Author
Seán Boran (sean at boran.com) is an IT security
consultant based in Switzerland and the author of the online IT Security Cookbook.
Change history [Doc id: 524 pf_sygate20001112.html]
22.Nov.00 Price: It's free for personal use.
08.Jan'01 Update
www.boran.com/security/sp/changelog/pf_sygate20001112_08jan2001.html
22.Jan'01 Update:
www.boran.com/security/sp/changelog/pf_sygate20001112_26jan2001.html
23.Apr'01 Complete rewrite after release of Version 4.
www.boran.com/security/sp/changelog/pf_sygate20001112_26jan2001.html
30.Apr'01 Minor fix (apps are recognised by MD5 hash)
17.Aug'01 Speed problems feedback.