HP COMPAQ T5730, COMPAQ T5710, COMPAQ T5700 User Manual

HP Sygate Security Agent 4.0
User Guide
Documentation Build 1004
Published: May 1, 2005
Copyright Information
Copyright© 2003-2005 by Sygate Technologies, Inc. All rights reserved.
No part of this document may be reproduced or transmitted in any form or by any means, electronic, mechanical, or otherwise, without prior written permission of Sygate Technologies, Inc. Information in this document is subject to change without notice and does not constitute any commitment on the part of Sygate Technologies, Inc. Sygate Technologies, Inc. may own patents or pending patent applications, trademarks, copyrights, and other intellectual property rights covering the subject matter of this document. Furnishing of this documentation does not in any way grant you a license to any patents, trademarks, copyrights, or other intellectual property of Sygate Technologies, Inc.
Sygate, Sygate Secure Enterprise, and the Sygate ‘S’ Logo are registered trademarks or trademarks of Sygate Technologies, Inc. Microsoft and Windows are registered trademarks of Microsoft Corporation.
All other companies and product names referenced herein may be trademarks or registered trademarks of their respective holders.

Table of Contents

Preface
  Related Documentation
  Intended Audience
  Technical Support
Chapter 1. Overview of the Agent
  Modifying the Security Policy
    Using the Policy Editor
Chapter 2. Getting Around
  Starting the Agent
  Navigating the Main Console
    Menus and Toolbar Buttons
    Traffic History Graphs
      Broadcast Traffic
    Running Applications Field
    Message Console
    Status Bar
  Using the Menus and the Toolbar
    Toolbar Buttons
  Using the System Tray Icon
    What the System Tray Icon Tells You
    What Does the Flashing System Tray Icon Mean?
    The System Tray Icon Menu
  Enabling Password Protection
Chapter 3. Testing Your System’s Vulnerability
  Scanning Your System
  Types of Scans
    Quick Scans
    Stealth Scans
    Trojan Scans
    TCP Scans
    UDP Scans
    ICMP Scans
Chapter 4. Working With Rules
  About Rules
  Using Rules to Protect Your System
  Setting Up Advanced Rules
  General Tab
    Rule Description
    Block this traffic
    Allow this traffic
    Apply Rule to Network Interface
    Apply this rule during Screensaver Mode
    Record this traffic in “Packet Log”
    Rule Summary field
  Hosts Tab
    All addresses
    MAC addresses
    IP Address(es)
    Subnet
    Rule Summary field
  Ports and Protocols Tab
    Protocol
      All Protocols
      TCP
      UDP
      ICMP
      IP Type
    Traffic Direction
    Rule Summary field
  Scheduling Tab
    Enable Scheduling
      During the period below
      Excluding the period below
    Beginning At
    Duration
    Rule Summary field
  Applications Tab
    Display selected applications only
    Applications
    Select All
    Clear All
    Browse
    Rule Summary field
Chapter 5. Monitoring and Logging
  Types of Logs
  Viewing Logs
  Security Log
    Icons for the Security Log
    Security Log Parameters and Description
    Description and Data Fields for the Security Log
  Traffic Log
    Icons for the Traffic Log
    Traffic Log Parameters and Description
    Description and Data Fields for the Traffic Log
  Packet Log
    Icons for the Packet Log
    Packet Log Parameters and Description
    Packet Decode and Packet Dump for the Packet Log
  System Log
    Icons for the System Log
    System Log Parameters and Description
    Description and Data Fields for the System Log
  Enabling and Clearing Logs
  Back Tracing Logged Events
  Saving Logs
  Stopping an Active Response
Chapter 6. Configuring the Agent’s Settings
  General Tab
    Automatically load HP Sygate Agent service at startup
    Block Network Neighborhood traffic while in screensaver mode
    Hide all notification messages
    Beep before notify
    Hide blocking notification
    Hide application popup
    Set Password
    Ask password while exiting
  Network Neighborhood Tab
    Network Interface
    Allow to browse Network Neighborhood files and printer(s)
    Allow others to share my files and printer(s)
  Security Tab
    Enable Intrusion Prevention System
    Enable port scan detection
    Enable driver level protection
    Enable stealth mode browsing
    Enable DoS detection
    Block Universal Plug and Play Traffic
    Automatically block attacker’s IP address for... second(s)
    Block all traffic while the service is not loaded
      Allow initial traffic
    Enable DLL authentication
    Reset all fingerprints for all applications
      Automatically allow all known DLLs
    Enable anti-MAC spoofing
    Enable anti-IP spoofing
    Enable OS fingerprint masquerading
    NetBIOS protection
    Anti-Application Hijacking
    Allow Token Ring Traffic
    Enable smart DNS
    Enable smart DHCP
    Enable smart WINS
  E-Mail Notification Tab
    Do Not Notify
    Notify Immediately
    After Every . . . Minutes
      From:
      To:
      Cc:
      Subject:
      SMTP Server Address:
    My E-Mail Server Requires Authentication
      Authentication Server Address:
      User Name/Password:
    Test E-Mail Notification
  Log Tab
    Enable ... Log
    Maximum log file size is ... KB
    Save log file for the past ... days
    Clear Logs
Glossary
Index

List of Tables

Table 1. Menus
Table 2. System Tray Icon Colors
Table 3. System Tray Icon Appearance
Table 4. System Tray Icon Menu
Table 5. Security Log Icons
Table 6. Security Log Parameters and Description
Table 7. Traffic Log Icons
Table 8. Traffic Log Parameters and Description
Table 9. Packet Log Icons
Table 10. Packet Log Parameters and Description
Table 11. System Log Icons
Table 12. System Log Parameters and Description

List of Figures

Figure 1. Main Console
Figure 2. Traffic History Graph
Figure 3. Security Log

Preface

This document, the HP Sygate Security Agent User Guide, describes how to distribute, install, and use the HP Sygate Standalone Agent (the Agent).
For late-breaking news about known problems with this release, refer to the Readme.txt file that is included with this software.

Related Documentation

HP Sygate Security Agent User Guide (online Help)—The online Help is a subset of the information in this document. Click Start|All Programs|Sygate|HP Sygate Security Agent. The Agent starts and displays the user interface. You can then choose Help|Help topics... from the menu bar, click the Help button, or press F1. However, the Help may not have been included with the Agent.
HP Sygate Policy Editor User Guide (online Help)—Describes how to modify a security policy for the HP Sygate Security Agent using the HP Sygate Policy Editor. You can access the User Guide after you install the Policy Editor. On the Start menu, click All Programs|Sygate|Policy Editor Help.

Intended Audience

This documentation is written for system administrators and end users of the Agent software.
This documentation assumes that the user is familiar with the basic functioning of Windows operating systems and standard Windows items, such as buttons, menus, toolbars, windows, and so forth. Furthermore, this guide assumes that the user has an Internet connection, whether through a local area network, DSL connection, dial-up modem, wireless access point, or other connection method.

Technical Support

HP provides a variety of service and support programs.
To contact HP:
1. Go to the www.hp.com/support web site.
2. From the drop-down menu, select the country and language and click the double arrow.
3. On the Support & Drivers page, under Or Select a product category, click Desktops & Workstations.
4. Click Thin Clients and then the specific product.
Note: You can also click the Contact HP link for additional contact and resource links.
Chapter 1. Overview of the Agent
The HP Sygate Security Agent (the Agent) is security software that is installed on embedded devices, such as ATMs and thin clients, that run the Windows XP Embedded operating system. Once installed, the Agent provides a customizable firewall that protects the device from intrusion and misuse, whether malicious or unintentional. It detects and identifies known Trojans, port scans, and other common attacks and, in response, selectively allows or blocks traffic by networking service, application, port, and component.
The Agent uses a customizable security policy, made up of security rules and security settings, to protect an individual device from network traffic that can cause harm. The Agent uses security rules to decide whether an incoming or outgoing connection made by an application or service is allowed or blocked on your network connection. The Agent uses security settings to detect and identify common attacks, send e-mail messages after an attack, display customizable pop-up messages, and accomplish other related security tasks.

Modifying the Security Policy

The security policy that the Agent uses to protect the embedded device is stored in the policy file. You can modify the policy file, adding new rules and changing security settings.
If you are a system administrator, you can modify the security policy on your system and then deploy the settings in the policy file to each device where the Agent immediately applies them. To modify the security policy, you use the Policy Editor.
Using the Policy Editor
The Policy Editor is a separate tool from the Agent that you install on a separate system.
To install the Policy Editor:
1. From the Sygate FTP site, download the Policy Editor installer package, PolicyEditorInstaller.exe, to the image-building system.
2. Follow the instructions when prompted for your agreement to the license agreement, location of the software on your hard drive, and so on.
When you install Policy Editor, the default policy file is automatically installed with it. When you open the Policy Editor, the default policy file’s advanced rules and options appear.
To open the Policy Editor:
On the image-building system, click Start|All Programs|Sygate|HP Sygate Policy Editor.
For more information on using the Policy Editor:
On the image-building system, click Start|All Programs|Sygate|Policy Editor Help.
Chapter 2. Getting Around
This chapter describes the tools that you use in getting around in the Agent.

Starting the Agent

The Agent is designed to start automatically when you turn on your device, protecting you immediately. To configure your Agent or review logs of potential attacks on your Agent, you open the Agent first.
You can open the Agent in two ways:
System tray icon—Double-click the icon on the right side of the taskbar, or right-click it and click HP Sygate Security Agent.
Start menu—Click Start|All Programs|Sygate|HP Sygate Security Agent.
Either method opens the main console, the main screen that is the control center for the Agent.
Option Alert: You can only open the Agent if you have logged on using an Administrator account. Users with a User account only see the system tray icon on the taskbar, although the Agent is still protecting the device.

Navigating the Main Console

Once you open the Agent, you see the main console. The main console provides real-time network traffic updates, online status, and links to logs, Help files, and access to various rules and options.
Figure 1. Main Console
The Agent interface is resizable, so you can view it as a full-screen or part-screen image.
Menus and Toolbar Buttons
The top of the screen displays a standard menu and toolbar. The toolbar buttons can be used to quickly access logs, view the Help file, or test your system.
Traffic History Graphs
Below the toolbar are the Traffic History graphs.
The Traffic History graphs produce a real-time picture of the last two minutes of your traffic history. The graphs reload new information every second, providing instant data, as measured in bytes, about your incoming and outgoing network traffic.
Figure 2. Traffic History Graph
The Traffic History graphs are broken into three sections. On the left side of the graphs section are the Incoming and Outgoing Traffic History graphs. These provide a visual assessment of the current traffic that is entering and leaving your device through a network interface. This includes traffic that is allowed and traffic that is blocked. The green lines and bars indicate traffic that is allowed to pass through, and the red coloring indicates traffic that is being blocked by the Agent.
Additionally, the Attack History graph on the right side of the console provides information on attempted attacks against your machine.
Broadcast Traffic
Broadcast traffic is network traffic that is sent to every device in a particular subnet, and thus is not directed specifically to your device. If you do not want to see this traffic, you can remove it from this graphical view by clicking Hide Broadcast Traffic. You will then only see “unicast” traffic in this graph, which is traffic that is directed specifically to your device. To redisplay broadcast traffic, click to clear Hide Broadcast Traffic.
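To make the broadcast/unicast distinction concrete, the following is an added example in Python; it is not code from this manual or from Sygate. It classifies IPv4 destination addresses the way a Hide Broadcast Traffic toggle has to, then filters a constructed list of traffic records. The local subnet 192.168.1.0/24, the function names and the sample addresses are all assumed values. It goes a little beyond the text in two ways: it reports multicast separately, because multicast is neither broadcast nor addressed to a single host, and it handles /31 and /32 links, which have no directed broadcast address at all.

```python
import ipaddress

# Constructed example: the device's own subnet, as the Agent would learn it
# from the network interface. Assumed value, not from the original manual.
LOCAL_NET = "192.168.1.0/24"

LIMITED_BROADCAST = ipaddress.IPv4Address("255.255.255.255")


def classify_destination(dst, local_net=LOCAL_NET):
    """Classify an IPv4 destination as 'broadcast', 'multicast' or 'unicast'.

    'broadcast' covers both the limited broadcast 255.255.255.255 (used by
    DHCP discovery, for example) and the directed broadcast of the local
    subnet (192.168.1.255 for a /24), which NetBIOS name queries and similar
    LAN chatter use. Multicast (224.0.0.0/4) is reported separately because
    it is not broadcast, even though it is also not addressed to one host.
    """
    addr = ipaddress.IPv4Address(dst)
    net = ipaddress.IPv4Network(local_net, strict=False)
    if addr == LIMITED_BROADCAST:
        return "broadcast"
    # On /31 point-to-point links (RFC 3021) and /32 hosts there is no
    # directed broadcast address; without this guard the highest address
    # in the block would be misreported as broadcast.
    if net.prefixlen <= 30 and addr == net.broadcast_address:
        return "broadcast"
    if addr.is_multicast:
        return "multicast"
    return "unicast"


def filter_traffic(records, hide_broadcast):
    """Mimic the Hide Broadcast Traffic toggle over (destination, bytes) records.

    Returns the records that would still be drawn, each tagged with its class.
    """
    shown = []
    for dst, nbytes in records:
        kind = classify_destination(dst)
        if hide_broadcast and kind == "broadcast":
            continue
        shown.append((dst, nbytes, kind))
    return shown


# Constructed sample of outgoing packets; not captured data.
SAMPLE_TRAFFIC = [
    ("192.168.1.37", 1200),      # unicast to a LAN peer
    ("192.168.1.255", 92),       # directed broadcast (e.g. NetBIOS name query)
    ("255.255.255.255", 342),    # limited broadcast (e.g. DHCP discover)
    ("224.0.0.251", 80),         # multicast (mDNS); kept when hiding broadcast
    ("10.0.0.5", 520),           # unicast to a host off the local subnet
]

if __name__ == "__main__":
    for dst, nbytes, kind in filter_traffic(SAMPLE_TRAFFIC, hide_broadcast=True):
        print(f"{dst:<16} {nbytes:>5} bytes  {kind}")
```

When triaging a firewall's traffic view, the useful point is that hiding broadcast does not hide multicast: SSDP, mDNS and similar discovery protocols still appear as "unicast-like" lines unless the tool classifies 224.0.0.0/4 on its own.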
Running Applications Field
The Running Applications field provides a list of all applications and system services that are currently running on your system.
An application icon displays a small blue dot in its lower left-hand or right-hand corner to indicate that the application is receiving (left-hand) or sending (right-hand) traffic.
You can hide the display of system services by clicking Hide Windows Services above the Running Applications field. There are a number of services running at any given time, and since they are often crucial to the operation of your device, you most likely want to allow them.
To change the display of application names, either click the View menu or right-click the Running Applications field and select the desired view.
You can stop an application or service from running by right-clicking the application in the Running Applications field and clicking Terminate.
Message Console
The Message Console of the Agent is located below the Running Applications field on the main console. It provides a real-time update of your Agent’s communication status.
The Message Console is, by default, hidden.
To show or hide the Message Console:
1. Below the Running Applications field, click Show Message Console. The Message Console appears.
2. To hide the Message Console from view, click Hide Message Console.
The Message Console collapses so that only the Show Message Console button is apparent.
Status Bar
The Status Bar, located along the bottom of the Agent main console, provides the user with the current location profile information.

Using the Menus and the Toolbar

The top of the Agent screen displays a standard menu with the following options: File, Security, Tools, View, and Help.
Table 1. Menus
Menu	Menu choices
File
Close—Closes the Agent main console.
Exit Sygate Agent—Exits the Agent, effectively turning off security on your machine.
Security
Block All—Blocks all network traffic on your machine. If you use this command but then want to unblock the traffic, click the system tray icon on the taskbar and click Normal.
Normal—Blocks only selective traffic. This is the default configuration, and is a prudent choice.
Tools
Logs—Opens the Logs.
Options—Opens the Options dialog box, which contains many security options, including email alerts, Network Neighborhood browsing rights, and log file configuration.
Advanced Rules—Opens the Advanced Rules dialog box, where you can set very specific rules for implementing security on your Agent.
Update Signature—Not enabled for the Agent.
Automatically Start Service—Not enabled for the Agent.
Test Your System Security—Opens the Sygate Technologies scan site so you can test the effectiveness of the Agent.
Disable/Enable Sygate Security Agent—Disables and reenables the Agent. The Agent is running but not protecting your system while it is disabled.
View
The View menu gives users the option to alter the display of software programs in the Running Applications field:
Large Icons—Displays 32x32 icons in the field. Each icon represents a software application or a system service.
Small Icons—Displays 16x16 icons.
Both the large and small icon displays provide the full name of the application below the icon itself, and the icons are displayed in a “corkboard” fashion.
List—Provides small icon representations, with the icons displayed in a standard list.
Applications Details—Provides not only a list of all running applications, but also useful information on the version number and location path of each application.
Connection Details—Provides further information on the type of connection being made by each application accessing the network adapter, as well as the protocol, local and remote ports and IP addresses being used, the application path, and more.
Hide Windows Services—Toggles the display of Windows Services in the Running Applications field.
Hide Broadcast Traffic—Toggles the display of broadcast traffic in the Running Applications field.
Help
Help Topics...—Opens the Agent online Help files.
About—Opens the About screen.
Toolbar Buttons
The buttons located below the menu provide shortcuts that can be used to quickly block all applications, change your application profiles, access the logs, test your Agent using the Sygate Technologies web site, or view the Help file.
Using the System Tray Icon
Once installed, the Agent displays a small icon in your system tray (located on the right-hand side of your taskbar), which you can double-click to open the Agent or right-click to see a menu of commands.
The icon consists of two arrows that represent system traffic: the upward-pointing arrow is outgoing traffic; the downward-pointing arrow is incoming traffic.
These arrows give you a real-time update of your device’s traffic flow. You might not see a constant icon appearance for more than a few seconds, especially if you frequently use the Internet or your network connection.
What the System Tray Icon Tells You
The colors of the arrows are always changing (as is the traffic flow on your device). For most users, it should be sufficient to remember the following points about the colors of the icon.
Table 2. System Tray Icon Colors
If the color of the arrow is...	...then...
RED	...traffic is being blocked by the Agent.
BLUE	...traffic is flowing uninterrupted by the Agent.
GRAY	...no traffic is flowing in that direction.
The following table illustrates the different appearances that the system tray icon may have, and what they mean.
Table 3. System Tray Icon Appearance
Icon Description
The Agent is in Alert Mode. This means that an attempted attack against your device has been recorded in your Security Log. To make the icon stop flashing, double-click the icon. The Security Log will open, displaying a new log entry.
The Agent is in Block All mode.
Incoming traffic is flowing uninterrupted; there is no outgoing traffic.
Both incoming and outgoing traffic are flowing uninterrupted.
There is no incoming traffic; outgoing traffic is flowing uninterrupted.
Incoming traffic is blocked; outgoing traffic is flowing uninterrupted.
Incoming traffic is blocked; there is no outgoing traffic.
Both incoming and outgoing traffic are blocked.
There is no incoming traffic; outgoing traffic is blocked.
Incoming traffic is flowing uninterrupted; outgoing traffic is blocked.
No traffic is flowing in either direction.
Both incoming and outgoing traffic flows uninterrupted; the Agent is disabled.
What Does the Flashing System Tray Icon Mean?
The system tray icon sometimes flashes on and off. This means that the Agent is in Alert mode, which is caused by an attack recorded in the Security Log. When you point your mouse at the flashing icon, a tooltip appears above the icon describing the type of attack. The icon stops flashing after one minute. If you have an Administrator account, you can also stop the icon from flashing by opening the Security Log.
The System Tray Icon Menu
You can easily configure basic aspects of the Agent without even opening the main console. By right-clicking the system tray icon, you can change your security level, view Help or log files, or disable the Agent. You can roll your mouse over the system tray icon to see your current security level.
The system tray icon includes the following right-click commands.
Table 4. System Tray Icon Menu
Menu Option	Description
HP Sygate Security Agent	Opens the Agent’s main console.
Block All	Blocks all network traffic.
Normal	Provides your preconfigured list of advanced rules and applies them.
Logs	Opens the Agent logs.
Options...	Opens the Options dialog box, where you can configure the settings for the Agent.
Advanced Rules	Opens the Advanced Rules dialog box, where you can write specific rules for allowing or blocking network access.
Disable/Enable Sygate Security Agent	Disables and reenables the Agent. The Agent is running but not protecting your system while it is disabled.
Help Topics...	Opens the online Help system.
About...	Opens the About dialog box, providing information on your version of the Agent.
Exit Sygate Agent	Stops the Agent from running. You need to restart the Agent to protect your system.

Enabling Password Protection

You can set your Agent to require a password prior to making any security changes, and to require a password before exiting the Agent.
To enable password protection:
1. Click the Tools|Options|General tab.
2. Click the Set Password... button at the bottom right of the dialog box. The Password dialog box appears.
3. Enter your new password in the New Password and Confirm New Password fields.
Note: You can disable password protection by making no entry in the New Password field and confirming that in the Confirm New Password field.
4. To have the Agent prompt you for a password before exiting the Agent, on the General tab, click Ask password while exiting.
5. Click OK to confirm or click Cancel to discard your changes.
Chapter 3. Testing Your System’s Vulnerability
This chapter describes ways to test the vulnerability of your system to outside threats by scanning your system. The test is available directly from Sygate using an online connection.

Scanning Your System

Assessing your vulnerability to an attack is one of the most important steps that you can take to ensure that your device is protected from possible intruders. With what you learn from this battery of tests, you can more effectively set the various options on your Agent to protect your device from attack.
To scan your system:
1. Do one of the following:
o On the toolbar, click the Security Test button.
o On the Tools menu, click Test Your System Security.
o In your Internet browser window, open the Sygate Technologies web page (http://scan.sygate.com) directly.
2. On the web page, click Scan Now. The Sygate Online Services scanner scans your computer and attempts to determine your IP address, operating system, web browser, and other information about your system.
3. For a specific type of scan, click one of the following web pages:
o Quick Scan
o Stealth Scan
o Trojan Scan
o TCP Scan