HP Compaq t5710, User Manual

Page 1: ...HP Sygate Security Agent 4 0 User Guide Documentation Build 1004 Published May 1 2005 ...

Page 2: ... own patents or pending patent applications trademarks copyrights and other intellectual property rights covering the subject matter of this document Furnishing of this documentation does not in any way grant you a license to any patents trademarks copyrights or other intellectual property of Sygate Technologies Inc Sygate Sygate Secure Enterprise and the Sygate S Logo are registered trademarks or...

Page 3: ...he System Tray Icon 8 What the System Tray Icon Tells You 8 What Does the Flashing System Tray Icon Mean 10 The System Tray Icon Menu 10 Enabling Password Protection 11 Chapter 3 Testing Your System s Vulnerability 13 Scanning Your System 13 Types of Scans 14 Quick Scans 14 Stealth Scans 14 Trojan Scans 14 TCP Scans 14 UDP Scans 14 ICMP Scans 15 Chapter 4 Working With Rules 17 About Rules 17 Using...

Page 4: ...Tab 25 Display selected applications only 25 Applications 25 Select All 25 Clear All 25 Browse 26 Rule Summary field 26 Chapter 5 Monitoring and Logging 27 Types of Logs 27 Viewing Logs 28 Security Log 28 Icons for the Security Log 28 Security Log Parameters and Description 29 Description and Data Fields for the Security Log 30 Traffic Log 30 Icons for the Traffic Log 31 Traffic Log Parameters and...

Page 5: ...nter s 42 Allow others to share my files and printer s 42 Security Tab 42 Enable Intrusion Prevention System 42 Enable port scan detection 43 Enable driver level protection 43 Enable stealth mode browsing 43 Enable DoS detection 43 Block Universal Plug and Play Traffic 43 Automatically block attacker s IP address for second s 44 Block all traffic while the service is not loaded 44 Allow initial tr...

Page 6: ...er Address 48 My E Mail Server Requires Authentication 48 Authentication Server Address 48 User Name Password 48 Test E Mail Notification 48 Log Tab 48 Enable Log 49 Maximum log file size is KB 49 Save log file for the past days 49 Clear Logs 49 Glossary 51 Index 65 vi ...

Page 7: ...Tray Icon Menu 11 Table 5 Security Log Icons 29 Table 6 Security Log Parameters and Description 29 Table 7 Traffic Log Icons 31 Table 8 Traffic Log Parameters and Description 31 Table 9 Packet Log Icons 33 Table 10 Packet Log Parameters and Description 33 Table 11 System Log Icons 34 Table 12 System Log Parameters and Description 34 vii ...

Page 8: ...HP Sygate Security Agent User Guide List of Figures Figure 1 Main Console 4 Figure 2 Traffic History Graph 5 Figure 3 Security Log 30 viii ...

Page 9: ...p may not have been included with the Agent HP Sygate Policy Editor User Guide online Help Describes how to modify a security policy for the HP Sygate Security Agent using the HP Sygate Policy Editor You can access the User Guide after you install the Policy Editor On the Start menu click All Programs Sygate Policy Editor Help Intended Audience This documentation is written for system administrato...

Page 10: ...hp com support web site 2 From the drop down menu select the country and language and click the double arrow 3 On the Support Drivers page under Or Select a product category click Desktops Workstations 4 Click Thin Clients and then the specific product Note You can also click the Contact HP link for additional contact and resources links x ...

Page 11: ...ugh your network connection The Agent uses security settings to detect and identify common attacks send e mail messages after an attack display customizable pop up messages and accomplish other related security tasks Modifying the Security Policy The security policy that the Agent uses to protect the embedded device is stored in the policy file You can modify the policy file adding new rules and c...

Page 12: ...en you open the Policy Editor the default policy file s advanced rules and options appear To open the Policy Editor On the image building system click Start All Programs Sygate HP Sygate Policy Editor For more information on using the Policy Editor On the image building system click Start All Programs Sygate Policy Editor Help 2 ...

Page 13: ...ick it and click HP Sygate Security Agent Start menu Click Start All Programs Sygate HP Sygate Security Agent Any method opens the main console or the main screen that is the control center for the Agent Option Alert You can only open the Agent if you have logged on using an Administrator account Users with a User account only see the system tray icon on the taskbar although the Agent is still pro...

Page 14: ...and toolbar The toolbar buttons can be used to quickly access logs view the Help file or test your system Traffic History Graphs Below the toolbar are the Traffic History graphs The Traffic History graphs produce a real time picture of the last two minutes of your traffic history The graphs reload new information every second providing instant data as measured in bytes about your incoming and outg...

Page 15: ... network traffic that is sent to every device in a particular subnet and thus is not directed specifically to your device If you do not want to see this traffic you can remove it from this graphical view by clicking Hide Broadcast Traffic You will then only see unicast traffic in this graph which is traffic that directed specifically to your device To redisplay broadcast traffic click to clear Hid...

Page 16: ...s field on the main console It provides a real time update of your Agent s communication status The Message Console is by default hidden To show or hide the Message Console 1 Below the Running Applications field click Show Message Console The Message Console appears 2 To hide the Message Console from view click Hide Message Console The Message Console collapses so that only the Show Message Consol...

Page 17: ...led for the Agent Automatically Start Service Not enabled for the Agent Test Your System Security Opens the Sygate Technologies scan site so you can test the effectiveness of the Agent Disable Enable Sygate Security Agent Disables and reenables the Agent The Agent is running but not protecting your system while it is disabled View The View menu gives users the option to alter the display of softwa...

Page 18: ...ion profiles access the logs test your Agent using the Sygate Technologies web site or view the Help file Using the System Tray Icon Once installed the Agent displays a small icon in your system tray located on the right hand side of your taskbar which you can double click to open the Agent or right click to see a menu of commands The icon consists of two arrows that represent system traffic the u...

Page 19: ... Agent is in Alert Mode This means that an attempted attack against your device has been recorded in your Security Log To make the icon stop flashing double click the icon The Security Log will open displaying a new log entry The Agent is in Block All mode Incoming traffic is flowing uninterrupted there is no outgoing traffic Both incoming and outgoing traffic are flowing uninterrupted There is no...

Page 20: ...rt mode which is caused by an attack recorded in the Security Log When you point your mouse over the flashing icon a tooltip appears above the icon describing the type of attack The icon stops flashing after one minute For users with an Administrator account you can also stop the icon from flashing by opening the Security Log The System Tray Icon Menu You can easily configure basic aspects of the ...

Page 21: ...gate Security Agent Disables and reenables the Agent The Agent is running but not protecting your system while it is disabled Help Topics Opens the online Help system About Opens the About dialog box providing information on your version of the Agent Exit Sygate Agent Stops the Agent from running You need to restart the Agent to protect your system Enabling Password Protection You can set your Age...

Page 22: ...ou can disable password protection by making no entry in the New Password field and confirming that in the Confirm New Password field 4 To have the Agent prompt you for a password before exiting the Agent on the General tab click Ask password while exiting 5 Click OK to confirm or click Cancel to discard your changes 12 ...

Page 23: ...an more effectively set the various options on your Agent to protect your device from attack To scan your system 1 Do one of the following o On the toolbar click the Security Test button o On the Tools menu click Test Your System Security o In your Internet browser window open the Sygate Technologies web page http scan sygate com directly 2 On the web page click Scan Now The Sygate Online Services...

Page 24: ... complete and is most likely not recorded in the Security Log Trojan Scans The Trojan scan feature scans all of your device s 65 535 ports for active Trojan horse programs that you or someone else may have inadvertently downloaded The Trojan scan takes about 10 minutes to complete A list of common Trojans is available on the web site TCP Scans The TCP scan examines the 1 024 ports that are mainly ...

Page 25: ...ough such a device The scan takes about 10 minutes and should be logged in the Security Log as a port scan from Sygate ICMP Scans When an ICMP scan has completed scanning a user s device it displays a page with the results of the scan If a user is running the Agent all scans are blocked 15 ...

Page 26: ...HP Sygate Security Agent User Guide 16 ...

Page 27: ... Each rule specifies the conditions and characteristics such as the time of day type of traffic and port number that must exist for the rule to take effect as well as the effect the rule has For example a security rule may state that Port 80 is allowed The Agent supports advanced rules which exhibit complex relationships between applications IP addresses and services For example an advanced rule m...

Page 28: ...nd either click the check box for the application you want to allow or block or click the Browse button to locate it 5 To create a rule with the default settings click OK Or to change these settings on the other tabs including General Hosts Ports and Protocols Scheduling and Applications These five tabs on the Advanced Rule Settings dialog box provide additional settings for traffic for each rule ...

Page 29: ...ral Tab The General tab is used to provide a name for the rule you are creating as well as the effect that the rule will have allowing or blocking traffic Rule Description Functions as the name of the rule and it should indicate qualities of the rule For instance Rule1 may not be a very good name for a rule but Block After 1 AM would be Block this traffic Denies traffic specified by the rule from ...

Page 30: ...l be activated only when the screensaver is on Enable this if you want to block all traffic and all ports while you device is idle o Off This rule will be activated only if the screensaver is off and all other conditions are satisfied o Both On and Off This rule is unaffected by the screensaver Record this traffic in Packet Log Records traffic affected by this rule in the Packet Log Rule Summary f...

Page 31: ...he IP address or address range of the traffic Subnet Applies rule to the subnet address and subnet mask of the traffic Rule Summary field Provides a summary of the rule s functionality Ports and Protocols Tab The Ports and Protocols tab provides an area to specify which ports and protocols if any should be affected by the traffic specified in the rule 21 ...

Page 32: ...st boxes for the both local and remote ports If you do not enter or select a port number then all ports will be affected by the rule If you enter a port number for the local port entry but not for the remote port entry then the local port you entered and ALL remote ports will be affected by the rule Then select which traffic direction should be affected by the rule UDP Displays two port list boxes...

Page 33: ...select which traffic direction should be affected by the rule IP Type Displays a list of IP protocol types displayed on the lower half of the Ports and Protocols tab Traffic Direction Specifies the traffic direction either Incoming Outgoing or Both Rule Summary field Provides a description of the rule and what traffic it affects on your system Scheduling Tab The Scheduling tab provides a way for y...

Page 34: ...heduling to take place outside of a certain time period Beginning At Specifies the time that the scheduling begins including a month day hours and minutes You can also leave the default settings which apply the schedule all day every day all year Duration If you have specified a beginning time specifies how long the rule will be in effect Rule Summary field Provides a summary of the rule s functio...

Page 35: ...n Display selected applications only Displays only the applications that you have selected to be controlled by this rule Applications Lists the traffic coming in and out of all ports and protocols To select an application to be affected by this rule click the box next to its name under the FileName column Select All Selects all applications in the table Clear All Clears all applications in the tab...

Page 36: ...ent User Guide Browse Opens the Open dialog box so you can search for applications that are not displayed in the table Rule Summary field Provides a description of the rule and what traffic it will affect on your system 26 ...

Page 37: ...icularly useful in detecting potentially threatening activity such as port scanning that is aimed at your device They also help you troubleshoot connectivity problems or possible network attacks The Agent s logs can also do back tracing which enables you to use ICMP to determine all the hops between your device and an intruder on another computer Types of Logs On the Agent you can view four types ...

Page 38: ... dialog box click the View menu and click either Local View the default setting or Source View Depending on whether you choose the local view or source view you can view various options which vary between each log 4 In the View menu click a different log name if you wish 5 Click Refresh or press F5 to update the log that you are viewing 6 Click File Exit to close the log Security Log The Security ...

Page 39: ...nd therefore are already present they are considered outgoing Still other attacks are unknown in direction they include Active Response or application executable changed Protocol Type of protocol UDP TCP and ICMP Remote Host Name of the remote computer only appears in Local View this is the default Remote MAC MAC address of the remote device If outside the subnet it is the MAC address of the route...

Page 40: ...ccurrences Number of occurrences of the attack method Begin Time Time the attack began End Time Time the attack ended Description and Data Fields for the Security Log Below the rows of logged events are the Description and Data fields When you click an event row the entire row is highlighted A description of the event such as Somebody is scanning your device with 13 attempts appears in the Descrip...

Page 41: ... events are Table 8 Traffic Log Parameters and Description Name of Parameter Description Time The exact date and time that the event was logged Action Action taken by the Agent Blocked or Allowed Severity The severity of the traffic set to 10 Direction Direction that the traffic was traveling in incoming or outgoing Protocol Type of protocol UDP TCP and ICMP Remote Host Name of the remote computer...

Page 42: ...nd ICMP code used on the destination computer only appears in Source View Application Name Name of the application associated with the attack User Login name of the user Domain Domain of the user Security Security level for the Agent set to either Block All or Normal Location The Location Office Home VPN etc that was in effect at the time of the attack Occurrences Number of packets each piece of t...

Page 43: ...ppears in Local View this is the default Remote Port Port on the remote host that sent received the traffic only appears in Local View this is the default Local Host IP Address of the local computer only appears in Local View this is the default Local Port Port used on the Agent device for this packet only appears in Local View this is the default Source Host Name of the source computer only appea...

Page 44: ...troubleshooting the Agent Icons for the System Log When you open the System Log icons are displayed at the left side of the first column These are graphical representations of the kind of event logged on each line and they provide an easy way to scan the System Log for possible system errors Table 11 System Log Icons Icon Description Error Warning Information System Log Parameters and Description ...

Page 45: ...ck Options 2 Click the Log tab 3 Click the appropriate log check box to enable it 4 Click the appropriate Maximum Log File Size is field and enter a size in kilobytes of the maximum size for the log file 256 KB is the default setting 5 Click OK To set the number of days to save the log 1 On the Tools menu click Options 2 Click the Log tab 3 Click the appropriate log check box to enable it 4 Click ...

Page 46: ...ering which routers the data took to reach your device In the case of a Security Log entry you can trace a data packet used in an attack attempt Each router that a data packet passes through has an IP address which is provided in the Trace Route field You can back trace a logged event in the Security Traffic and System logs To back trace a logged event 1 Open the log file and click an event so tha...

Page 47: ...g Ctrl C to copy the information into the Clipboard It is not advisable to contact persons listed in the Detail information panel unless you are experiencing a high number of security logs in which the attacks originate from one particular IP address 6 Click OK to return to the Log Viewer dialog box Saving Logs The contents of the logs can be saved to different locations You may want to do this to...

Page 48: ... for the application or service you want to unblock Blocked traffic is specified as Blocked in the Action column 3 On the Action menu click Stop Active Response to block the selected application or click Stop All Active Response if you want to unblock all blocked traffic 4 When the Active Response dialog box appears click OK 38 ...

Page 49: ...e of the following On the Tools menu click Options Right click the system tray icon and click Options In any log on the File menu click Options The Options dialog box consists of the following tabs o General tab o Network Neighborhood tab o Security tab o E Mail Notification tab o Log tab 2 On any tab click OK to apply all changes that you have made in the Options dialog box General Tab The broade...

Page 50: ...ity level returns to the previously assigned level Hide all notification messages Causes the Agent to not display any notification messages It also disables the Beep before notify Hide blocking notification and Hide application popup check boxes By default this option is not checked Beep before notify Allows audio announcement first before system tray notification messages appear Hide blocking not...

Page 51: ... seconds by default Click Yes to allow the application click No to block it If you do not respond to the message within 15 seconds the Agent blocks the application from accessing the device Set Password Opens the Password dialog box so that you can set password protection This prohibits other users to access your Agent and possibly change your settings If enabled password protection prompts you to...

Page 52: ...nter s Allows other users of the selected network to browse your device Security Tab The Security tab offers a way to enable and disable some of the more complex security options You should test settings made here before propagating them to other devices to make certain that they work as you intend Enable Intrusion Prevention System Provides you with alerts when another user attempts to compromise...

Page 53: ...abled on the Agent Enable stealth mode browsing Stealth mode describes a computer that is hidden from web servers while on a network A computer on the Internet for instance if in stealth mode cannot be detected by port scans or communication attempts such as ping By default this option is disabled on the Agent Enable DoS detection Causes the Agent to check incoming traffic for known Denial of Serv...

Page 54: ...n Allows the Agent to determine which DLLs are used by which trusted applications and to store that information The Agent then blocks applications that are using DLLs that are not associated with a trusted application or DLLs that are associated with a trusted application and that have changed Note that this may take place if you download a patch to an application that modifies that application s ...

Page 55: ...will call Computers A and B A hacker can send a data packet that causes Computer A to drop the communication Then pretending to be Computer A the hacker can communicate with Computer B thus hijacking a communication session and attempting to attack Computer B Anti IP spoofing foils most IP spoofing attempts by randomizing the sequence numbers of each communication packet preventing a hacker from a...

Page 56: ...ication will be allowed All other DNS packets will be dropped If you disable this feature please note that you will need to manually allow DNS name resolution by creating an advanced rule that allows UDP traffic for remote port 53 By default this option is enabled in the Agent Enable smart DHCP Allows only outgoing DHCP requests and incoming DHCP replies and only for network cards that allow DHCP ...

Page 57: ...device After Every Minutes Sends an e mail message at regular intervals following an attack the intervals specified in the After Every Minute s dial From Specifies an e mail address for the person sending the message This can be your personal e mail address or another e mail address To Specifies a recipient email address This can be an administrator s email address or your email address if you are...

Page 58: ...Specifies the address of the authentication server User Name Password Specifies your username and password for the authentication server in the appropriate fields Test E Mail Notification Sends a test message to the e mail address that you specified in the To and Subject fields Log Tab The Log tab provides a central location to manage the logs for the Agent You can determine the standard log size ...

Page 59: ...og is not enabled by default Maximum log file size is KB Specifies the maximum size for the log file in kilobytes The default setting is either 512 KB or 1024 KB Save log file for the past days For the log you want to configure specifies the number of days to save the log Clear Logs Clears the selected log 49 ...

Page 60: ...HP Sygate Security Agent User Guide 50 ...

Page 61: ...twork adapter Advanced rule A rule that can be added on an Agent to enforce a security policy Advanced Rules can exhibit complex relationships between applications IP addresses and services See also firewall rule simple rule Agent A device running HP Sygate Security Agent software is also called an Agent device Anti IP Spoofing An advanced setting that prevents an intruder from taking advantage of...

Page 62: ...cation is changed in any way the application fingerprint changes See also application authentication authentication The process by which a system identifies an individual or a computer to make sure that the user or computer is who they claim to be authorization The process of granting or denying access to a specific network resource or domain based on the user s identity B backtrace A way of using...

Page 63: ...the Agent to check for incoming traffic using known Denial of Service DoS techniques DES See Data Encryption Standard DES destination IP address The IP address of the computer that is receiving packets of information destination port The port of the computer that is receiving packets of information DHCP See Dynamic Host Configuration Protocol DHCP directory server Software that manages users accou...

Page 64: ...pending on the rule set the protocol driver is allowed blocked or a pop up message displays See also protocol driver blocking Dynamic Host Configuration Protocol DHCP A TCP IP protocol that provides dynamic configuration of host IP addresses and enables individual computers on an IP network to extract configuration parameters from a DHCP server DHCP lets a system administrator supervise and distri...

Page 65: ...wall rule may state Port 80 is allowed G groups All users and computers on an enterprise network are organized into groups with similar security needs and settings Computer and Users Groups are created and maintained by a system administrator on the Sygate Management Server A group cannot be edited unless it is locked or checked out first making it so only one administrator can make changes to it ...

Page 66: ... a Sygate Management Server This file defines aspects of server administration including the default log server port numbers administrator console timeout encrypted web console communication and console access Other initialization files are SetAid ini for Agent installation settings and AutoLocation method and SyLink xml specifying Agent administrative details such as client vs server control and ...

Page 67: ...n access Because the intruder appears to be someone else if a reply is sent it goes to the spoofed address not the intruder s address See also Anti IP Spoofing IPS See Intrusion Prevention System IPS L LDAP See Lightweight Directory Access Protocol LDAP library See signature library System Library custom library Lightweight Directory Access Protocol LDAP A standard directory access protocol for se...

Page 68: ... packet See also Anti MAC Spoofing multicast Sending a message simultaneously to more than one destination on a network See also broadcast unicast N NetBIOS protection An option on the Management Server that blocks all communication from computers located outside a client s local subnet range NetBIOS traffic is blocked on UDP ports 88 137 and 138 and TCP ports 135 139 445 and 1026 See also subnet ...

Page 69: ... numbered from 0 to 65535 Ports 0 to 1024 are reserved for use by certain privileged services See also Authentication port local port remote port source port port scan A method that hackers use to determine which computer s ports are open to communication It is done by sending messages to computer ports to locate points of vulnerability Although it can be a precursor to an intrusion attempt port s...

Page 70: ...of the applications is also displayed S Schedule An Advanced Rule that allows for triggering an event at certain times of the day security alerts A sound or notification indicating that the Agent has detected an attack against the client computer security policy A combination of all the security rules and settings that have been applied to a specific group to protect an enterprise s computing inte...

Page 71: ...ds to allow for an incoming DHCP response If a Sygate Security Agent does not send a DHCP request to a DHCP server then Smart DHCP does not allow the packet Smart DHCP does not block packets It simply allows the packet if a DHCP request was made Any other DHCP blocking or allowing is done by the normal security rule set See also Dynamic Host Configuration Protocol DHCP Smart DNS Allows a Domain Na...

Page 72: ... subnet mask subnet mask A value that allows a network to be subdivided and provides for more complex address assignments The subnet mask format is nnn nnn nnn nnn such as 255 255 255 0 sweeping The process that Sygate uses to eliminate old log files on the database See also logs Sygate Security Agent Software component that enforces rule based security on devices whether remote or behind a corpor...

Page 73: ... it is sent to the correct destination trigger An event that causes a rule to take effect When creating rules you can assign specific triggers which cause Agents to react in a specific way and actions which specify what to do when the trigger takes place For example you can block all traffic originating from a certain IP address or block traffic during certain hours of the day Triggers can be link...

Page 74: ...ranted access to the network See also enforcement virtual private network VPN vulnerability scan An attempt to use security attacks to detect security weaknesses in a computer The Sygate Security Agent includes a Test button that assesses an Agent s vulnerability to attack It requires a public IP address See also port scan W WINS Short for Windows Internet Naming Service a system that determines t...

Page 75: ...ication tab 46 G General tab advanced rules 19 options 39 H Hosts tab 20 L Log tab 48 logs Active Response stopping 37 back tracing 36 clearing 35 defined 27 enabling 35 exporting 37 maximum size 48 Packet Log 33 Security Log 28 System Log 34 Traffic Log 30 viewing 28 M menu commands 6 N Network Neighborhood tab 41 O options creating 39 defined 1 39 P password protection enabling 11 39 Policy Edit...

Page 76: ... 13 17 39 S scanning your system 13 Scheduling tab 23 security options creating 39 defined 1 39 security policies creating 1 defined 1 Security tab 42 settings advanced rules 17 options 39 starting the Agent 3 system tray icon menu commands 8 starting the Agent 3 T testing your system 13 toolbar 6 66 ...