Distributed personal firewalls with centralized management

Personal firewalls are becoming more commonplace in enterprise networks, but once you roll them out to hundreds of desktops, managing them centrally and consistently becomes the real challenge. Sygate Technologies’ Sygate Enterprise Network is an admirable answer: a centrally managed, distributed personal firewall product that integrates with and scales to a network of almost any size.

Sygate Enterprise Network has three components: Sygate Management Server, an Administration console, and the distributed firewall clients. The Sygate Management Server service runs on Windows 2000 or Windows NT; the firewall clients run on Win2K, Windows Millennium Edition (Windows Me), NT, and Windows 9x. The service is the core of the product: it exchanges logging, alert, and configuration information with the firewalls on remote desktops. You access its Java-based Administration console through a Web browser.

Sygate Enterprise Network serves the console from Sygate’s own embedded Web server, which listens on any free port you define. Using this integrated mini–Web server avoids conflicts with, and dependence on, other Web servers and their underlying security risks. Bear in mind, though, that the embedded server is itself a listening service on the port you choose, and that I reached the console over a plain http:// URL, so restrict which hosts can reach that port rather than exposing it to the whole network.

You can define firewall rules for ports and applications and apply the rules to groups and individuals. For example, you can set a personal firewall to a learning mode. In that mode, the first time an application attempts network access, the firewall prompts the user about whether to allow it; the user’s answer becomes a rule that records whether the application is trusted. The product lacks a checksum feature that would verify that a trusted application hasn’t been modified. Because a rule is tied to the program rather than to the program’s contents, a Trojan horse that replaces or masquerades as a trusted executable inherits that executable’s outbound access and can establish two-way communication with an attacker.
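To make the missing checksum feature concrete, here is an added example (my own illustration, not Sygate’s code) of a learning-mode rule table in two variants. The path-only variant models the reviewed product: a rule applies to whatever binary currently sits at the trusted path. The hash-bound variant records a SHA-256 of the executable when the user answers the prompt and stops matching once the file on disk changes. The demo creates a throwaway file in a temporary directory as a stand-in for the trusted program, then overwrites it to simulate a Trojan horse replacing the binary; the file name mailer.exe and its contents are constructed for the example.

```python
import hashlib
import os
import tempfile

# Added example (not Sygate's code): a learning-mode rule table that can
# optionally bind each application rule to a SHA-256 of the executable.


def sha256_of_file(path):
    """Hash the executable in chunks so large binaries need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


class AppPolicy:
    """Outbound application rules keyed by executable path.

    bind_hash=False: the rule applies to whatever binary sits at the path
                     (how the reviewed product behaves).
    bind_hash=True:  the rule also records the binary's hash and stops
                     matching once the file on disk changes.
    """

    def __init__(self, bind_hash):
        self.bind_hash = bind_hash
        self.rules = {}  # path -> (allowed, sha256 hex digest or None)

    def learn(self, path, allowed):
        """Record the user's answer to the learning-mode prompt."""
        digest = sha256_of_file(path) if self.bind_hash else None
        self.rules[path] = (allowed, digest)

    def decide(self, path):
        """Return 'prompt' (no rule yet), 'allow' or 'block' for an outbound attempt."""
        rule = self.rules.get(path)
        if rule is None:
            return "prompt"
        allowed, digest = rule
        if digest is not None and sha256_of_file(path) != digest:
            # The executable changed after the user trusted it: treat it as untrusted.
            return "block"
        return "allow" if allowed else "block"


def demo_trojan_replacement():
    """Trust a binary under both policies, overwrite it in place (a stand-in for a
    Trojan horse replacing a trusted program), and compare the decisions.
    The executable path and contents are constructed; no real program is used."""
    path_only = AppPolicy(bind_hash=False)
    hash_bound = AppPolicy(bind_hash=True)
    with tempfile.TemporaryDirectory() as tmp:
        exe = os.path.join(tmp, "mailer.exe")  # hypothetical trusted application
        with open(exe, "wb") as f:
            f.write(b"MZ original mailer image")
        before = {"path_only": path_only.decide(exe), "hash_bound": hash_bound.decide(exe)}
        path_only.learn(exe, allowed=True)  # user answers "allow" at the prompt
        hash_bound.learn(exe, allowed=True)
        trusted = {"path_only": path_only.decide(exe), "hash_bound": hash_bound.decide(exe)}
        with open(exe, "wb") as f:  # the binary is swapped for a Trojan horse
            f.write(b"MZ trojan with reverse channel")
        swapped = {"path_only": path_only.decide(exe), "hash_bound": hash_bound.decide(exe)}
    return before, trusted, swapped


if __name__ == "__main__":
    print(demo_trojan_replacement())
```

The path-only policy keeps answering "allow" after the swap, which is exactly the gap the review describes; the hash-bound policy answers "block" and would force a fresh prompt or an administrator’s attention. A production implementation would also have to handle legitimate software updates, which change the hash and therefore require re-approval.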

Sygate Enterprise Network requires either the Microsoft Data Engine (MSDE) or a Microsoft SQL Server 7.0 back end. I used MSDE, which Sygate Technologies ships on the Sygate Enterprise Network CD-ROM. MSDE is a redistributable, reduced-capacity edition of the SQL Server database engine, and the product uses it to store personal firewall configurations and other data. A cool feature is that when multiple Sygate Management Servers on the network all use the same SQL database, you can manage those servers from a single instance of the Administration console.

Sygate Management Server setup creates a network share on the system, and clients connect to that share to install the personal firewall. Before setup copied the personal firewall files to the share on my test system, I used Notepad to edit the firewall configuration file, which resembles an .ini file. The product’s documentation defines each section in the file. Because every client installs with whatever policy that file contains, treat the share as sensitive: anyone who can write to it can change the policy that new clients pick up, so limit write access to the administrators who are supposed to maintain it.

After I installed the product, I opened the Java-based Administration console by pointing the browser at the Sygate Management Server’s machine name and port (http://adminserver:port). The interface has three sections: Admin, Provisioning, and Monitoring.

The Admin section let me control who can access each section of the Administration console, which makes it straightforward to separate duties. For example, I defined an account for myself and gave it total control over the product’s administration. I then defined an administrator account with access to Provisioning only (for configuring firewalls and managing users and groups), and another administrator account with access only to the Monitoring section.

You can also view logs from the Admin section. Sygate Enterprise Network’s logs are flat text files, and the console shows only basic statistics from them graphically. The Server log tracks Sygate Management Server activity, the HTTP Server log tracks access to the Web-based Administration console, and the UDP Server log tracks personal firewall status. However, Sygate Enterprise Network offers no tools for further analysis of this data. You can import the logs into another application for detailed analysis, but Sygate Technologies could improve the product by integrating a report-writer module into the log features.

You select the Server option in the Admin section to change Sygate Management Server parameters. Parameters include heartbeat, missed heartbeats before death, log file Time to Live (TTL), maximum number of alerts to keep, client thread number, and maximum client thread number. Heartbeats are status messages that each personal firewall sends to Sygate Management Server at regular intervals; a client that misses the configured number of consecutive heartbeats is declared dead. Sygate Management Server also uses heartbeats to notify personal firewalls of configuration changes. For example, if an administrator changes a particular system’s personal firewall settings, then at that system’s next heartbeat, Sygate Management Server instructs the personal firewall to load the new settings. Note the trade-off: a shorter heartbeat interval means faster policy delivery and faster detection of a dead client, at the cost of more status traffic and more server threads.
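The following is an added example (my own model, not Sygate’s code) of how the heartbeat, missed-heartbeats-before-death, and configuration-push parameters fit together on the server side. The client names, the 60-second interval, and the threshold of three missed heartbeats are constructed values; the review does not describe the product’s actual wire format or exact timing rules, so the "dead after N full intervals" arithmetic is an assumption.

```python
# Added example (not Sygate's code): a minimal server-side model of the
# heartbeat parameters. Interval and threshold values are constructed.


class HeartbeatMonitor:
    """Tracks when each personal firewall last reported and what to send it next."""

    def __init__(self, heartbeat_seconds, missed_before_death):
        self.heartbeat_seconds = heartbeat_seconds
        self.missed_before_death = missed_before_death
        self.last_seen = {}  # client -> timestamp (seconds) of last heartbeat
        self.pending = {}    # client -> settings waiting for the next heartbeat

    def stage_config(self, client, settings):
        """An administrator changed this client's settings; deliver on its next heartbeat."""
        self.pending.setdefault(client, {}).update(settings)

    def heartbeat(self, client, now):
        """The client reported in. Returns settings it must load now, or {} if none changed."""
        self.last_seen[client] = now
        return self.pending.pop(client, {})

    def missed(self, client, now):
        """Number of whole heartbeat intervals elapsed since the client last reported."""
        last = self.last_seen.get(client)
        if last is None:
            return None
        return int((now - last) // self.heartbeat_seconds)

    def status(self, client, now):
        """'unknown' if never seen, 'dead' once the missed-heartbeat threshold is reached."""
        missed = self.missed(client, now)
        if missed is None:
            return "unknown"
        return "dead" if missed >= self.missed_before_death else "alive"

    def dead_clients(self, now):
        """Clients the server would flag for the Monitoring section at this moment."""
        return sorted(c for c in self.last_seen if self.status(c, now) == "dead")


def demo():
    """Walk through one client's lifecycle with a 60-second heartbeat and death after
    three missed heartbeats (constructed values)."""
    mon = HeartbeatMonitor(heartbeat_seconds=60, missed_before_death=3)
    mon.heartbeat("desk-17", now=0)
    mon.heartbeat("desk-22", now=0)
    mon.stage_config("desk-17", {"security_level": "High"})  # admin edits desk-17
    results = {
        "unknown": mon.status("desk-99", now=0),
        "alive_at_179": mon.status("desk-17", now=179),
        "dead_at_180": mon.status("desk-17", now=180),
        "dead_list_at_180": mon.dead_clients(now=180),
    }
    # desk-17 finally reports in: it receives the staged settings exactly once.
    results["pushed"] = mon.heartbeat("desk-17", now=180)
    results["pushed_again"] = mon.heartbeat("desk-17", now=240)
    results["alive_after_report"] = mon.status("desk-17", now=240)
    results["dead_list_at_240"] = mon.dead_clients(now=240)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point of the model is the coupling between the two parameters: a client that never reports cannot receive a staged configuration, so a dead client in the Monitoring section is also a client still running its old policy.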

The Monitoring section of the Administration console offers onscreen displays of personal firewall traffic by user and makes up for some of the logging functions’ weaknesses. The Monitoring screen displays a list of usernames in the upper left pane, the selected user’s network traffic information in the upper middle pane, and the User List in the bottom left pane. An x beside a user’s name indicates that the UDP Server has logged alerts for that user. I selected user genghis_khan, as Figure 1 shows, and the upper middle pane displayed that user’s alerts. I clicked Report to generate the alert-origin pie graph that Figure 1 shows in the right-hand pane. You can also generate graphs for alert type, alert direction, and alert local point.
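Since the logs are flat text and the product ships no analysis tools, the practical route to the per-user, per-origin breakdowns that the Monitoring section draws is to parse the log yourself. The following added example (my own code, not Sygate’s) does that over a handful of constructed alert lines. The line format, field names (user, type, dir, origin, local), usernames, and addresses are all invented for the example; the product’s real UDP Server log format is not documented in the review, so only the regular expression would need changing to fit it. The parser tolerates lines that do not match, which real logs always contain.

```python
import re
from collections import Counter

# Added example (not Sygate's code). The log lines below are constructed; the
# real UDP Server log format is not shown in the review.
SAMPLE_UDP_LOG = """\
2001-03-14 02:17:05 user=genghis_khan type=PortScan dir=Incoming origin=10.1.5.20 local=TCP/139
2001-03-14 02:17:09 user=genghis_khan type=PortScan dir=Incoming origin=10.1.5.20 local=TCP/445
2001-03-14 02:31:44 user=genghis_khan type=BlockedApp dir=Outgoing origin=192.168.7.3 local=TCP/6667
2001-03-14 03:02:10 user=attila type=ICMP dir=Incoming origin=10.1.5.20 local=ICMP/8
server restarted, log rotated
2001-03-14 03:05:58 user=attila type=PortScan dir=Incoming origin=172.16.0.9 local=TCP/80
"""

# One alert per line: timestamp followed by key=value fields (assumed format).
ALERT_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"user=(?P<user>\S+) type=(?P<type>\S+) dir=(?P<dir>\S+) "
    r"origin=(?P<origin>\S+) local=(?P<local>\S+)$"
)


def parse_alerts(text):
    """Return (alerts, skipped): parsed alert dicts and the count of unparseable lines."""
    alerts, skipped = [], 0
    for line in text.splitlines():
        if not line.strip():
            continue
        match = ALERT_RE.match(line)
        if match is None:
            skipped += 1  # keep going; a log viewer must not die on one odd line
            continue
        alerts.append(match.groupdict())
    return alerts, skipped


def users_with_alerts(alerts):
    """The usernames that would carry an x in the Monitoring user list."""
    return sorted({a["user"] for a in alerts})


def count_by(alerts, field, user=None):
    """Counts behind a Report graph: field is 'origin', 'type', 'dir' or 'local';
    pass user= to restrict to one selected user."""
    selected = alerts if user is None else [a for a in alerts if a["user"] == user]
    return dict(Counter(a[field] for a in selected))


def top_origins(alerts, n=3):
    """Origins ranked by alert count, for spotting a noisy scanner across all users."""
    return Counter(a["origin"] for a in alerts).most_common(n)


if __name__ == "__main__":
    alerts, skipped = parse_alerts(SAMPLE_UDP_LOG)
    print(f"parsed {len(alerts)} alerts, skipped {skipped} lines")
    print("users:", users_with_alerts(alerts))
    print("genghis_khan by origin:", count_by(alerts, "origin", user="genghis_khan"))
    print("all alerts by direction:", count_by(alerts, "dir"))
    print("top origins:", top_origins(alerts))
```

Once the lines are structured this way, the same counters feed whatever report writer or spreadsheet you already use, which is the workaround the product currently forces on you.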

You control each personal firewall’s configuration from the Provisioning section of the Administration console. I had established a Lab Techs group in the Admin interface. Then, in Provisioning, I set the Lab Techs policy parameters at Group level, as Figure 2 shows, so that every member of the group receives the same policy settings. The product organizes firewall parameters into four groups: Security Level, Application Policy, Administrative Settings, and Email Notification Settings.

The Security Level parameters determine which ports to open for inbound access, which IP addresses to trust, and which types of Internet Control Message Protocol (ICMP) traffic to accept. Sygate Enterprise Network has four security levels. You can configure the Low, Medium, and High levels in the Provisioning interface according to your company’s policies. However, you can’t modify the Ultra High level, which blocks all incoming traffic.

Using Administrative Settings, I could set log format values, password protection requirements, and firewall startup procedures. I could also schedule the Ultra High security level to activate at specific times. With that schedule, a machine accepts no inbound connections after hours, when only users you explicitly authorize should be reaching it at all.
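To show how the four security levels and the after-hours schedule combine, here is an added example (my own model, not Sygate’s code) of an inbound-traffic decision. The configurable levels carry open ports, trusted networks, and accepted ICMP types; the Ultra High level is a fixed object with none of these and cannot be reconfigured, mirroring the restriction the review describes. The port numbers, the 10.0.0.0/8 trusted range, the 19:00 to 07:00 window, and the sample packets are constructed for the example, and the assumption that a trusted address bypasses the port list at the configurable levels is mine, not something the review states.

```python
import ipaddress
from datetime import datetime, time

# Added example (not Sygate's code): security levels plus a scheduled
# Ultra High window. All addresses, ports and times are constructed.


class SecurityLevel:
    """One configurable level: inbound ports to open, networks to trust, ICMP to accept."""

    def __init__(self, name, open_ports=(), trusted_nets=(), icmp_types=()):
        self.name = name
        self.open_ports = set(open_ports)  # (proto, port) pairs, e.g. ("tcp", 80)
        self.trusted_nets = [ipaddress.ip_network(n) for n in trusted_nets]
        self.icmp_types = set(icmp_types)

    def allows_inbound(self, pkt):
        """pkt: {'src': ip, 'proto': 'tcp'|'udp'|'icmp', 'dport': int, 'icmp_type': int}"""
        src = ipaddress.ip_address(pkt["src"])
        if any(src in net for net in self.trusted_nets):
            return True  # assumption: trusted hosts bypass the port list
        if pkt["proto"] == "icmp":
            return pkt.get("icmp_type") in self.icmp_types
        return (pkt["proto"], pkt.get("dport")) in self.open_ports


# Ultra High: nothing open, nothing trusted, no ICMP. Blocks every inbound packet.
ULTRA_HIGH = SecurityLevel("Ultra High")


class FirewallProfile:
    """Per-group policy: three editable levels, a fixed Ultra High, and a schedule."""

    def __init__(self, default_level="High"):
        self.levels = {name: SecurityLevel(name) for name in ("Low", "Medium", "High")}
        self.levels["Ultra High"] = ULTRA_HIGH
        self.default_level = default_level
        self.ultra_high_windows = []  # list of (start, end) datetime.time pairs

    def configure(self, name, **settings):
        """Edit Low, Medium or High. Ultra High is fixed, as in the reviewed product."""
        if name == "Ultra High":
            raise ValueError("Ultra High is fixed and cannot be modified")
        if name not in self.levels:
            raise ValueError(f"unknown security level {name!r}")
        self.levels[name] = SecurityLevel(name, **settings)

    def schedule_ultra_high(self, start, end):
        """Activate Ultra High daily between start and end (may wrap past midnight)."""
        self.ultra_high_windows.append((start, end))

    def effective_level(self, now):
        t = now.time()
        for start, end in self.ultra_high_windows:
            in_window = start <= t < end if start <= end else (t >= start or t < end)
            if in_window:
                return self.levels["Ultra High"]
        return self.levels[self.default_level]

    def allows_inbound(self, pkt, now):
        return self.effective_level(now).allows_inbound(pkt)


def lab_techs_profile():
    """Constructed policy for the Lab Techs group: High during the day, Ultra High 19:00-07:00."""
    profile = FirewallProfile(default_level="High")
    profile.configure("High", open_ports=[("tcp", 80)], trusted_nets=["10.0.0.0/8"],
                      icmp_types=[8])  # accept echo request only
    profile.schedule_ultra_high(time(19, 0), time(7, 0))
    return profile


if __name__ == "__main__":
    p = lab_techs_profile()
    day, night = datetime(2001, 3, 14, 10, 0), datetime(2001, 3, 14, 23, 0)
    web = {"src": "172.16.0.9", "proto": "tcp", "dport": 80}
    print("web by day:", p.allows_inbound(web, day), "| web at night:", p.allows_inbound(web, night))
```

The schedule only switches the level; it does not touch the Application Policy, so outbound decisions for trusted applications are unaffected by the after-hours window in this model.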

The Email Notification Settings let me define parameters that instruct Sygate Management Server to email security alert events as they occur. The Application Policy parameters govern which applications can access the network and whether the client or Sygate Management Server has control over those application definitions; if you let the client control them, the learning-mode prompts described earlier decide the policy, so central control is the safer choice for users who will click Allow on anything.

Help came in the form of two PDF files, one for the product’s administrator and one for the clients. I could also access online HTML-based Help from the Administration console. The documentation was helpful but lacked detail. For example, the online Help doesn’t describe what the logs track or what you might expect to see in them, although I did find that information in the PDF-based Help files. Neither set of Help files explained certain Provisioning parameters.

Overall, Sygate Enterprise Network is a good firewall and firewall management solution. The product is easy to set up and roll out, and the administrative interface is intuitive. The price of $60 per firewall, which includes unlimited Sygate Management Server installations, is affordable. The logging feature could use a more helpful interface for viewing and sorting important entries, and a checksum feature for detecting applications that have been tampered with would close the product’s most significant gap. However, the ability to manage at the individual firewall or group level is useful for meeting the needs of diverse groups of employees. If you’re looking for a scalable personal firewall solution at a great price, then Sygate Enterprise Network belongs on your shortlist.

Sygate Enterprise Network
Contact: Sygate Technologies • 510-742-2600
Web: http://www.sygate.com
Price: $60 per distributed personal firewall; includes unlimited Sygate Management Server installations
Decision Summary:
Pros: Centralized management; granular rule definitions; shared policy database; intuitive Web-based administration interface
Cons: Logging feature lacks analysis tools; documentation needs improvement; firewall can’t ensure that applications haven’t been modified