> What I don't understand is why are people attempting to
> add additional firewall protection on top of Sygate? What is
> Sygate lacking that encourages this?

Here's my understanding, which I think is accurate but I don't
guarantee it:

Sygate is not a firewall. It's a NAT -- a Network Address Translator
that fools the clients into thinking they're directly connected to
the net. That's its primary functionality. It shares a single
connection (modem, DSL, cable, whatever) among several systems.

I believe a NAT like Sygate provides quite a bit of protection for
the clients, since their IP addresses are not visible to the outside
world. E.g. nobody can ping directly to one of my Sygate clients
because they literally can't see that address.

However, Sygate provides very little protection to the Sygate server.
Some people running Sygate in its "enhanced security" mode claim
their ports (as tested by grc.com and similar sites) are totally
"stealthed" and invisible to attack. I don't know how they do that,
because my system, running Sygate with enhanced security, was wide
open until I made the changes recommended on grc.com. "Wide open" in
this case meant that ANY outsider could read ANY file on my disks --
grc.com listed my directory to prove it. I'm not certain but I think
they might be able to CHANGE files too.

Think that might be a problem?

Furthermore, if a hacker finds a way into your Sygate server system,
the clients are no longer protected -- because he can worm his way
through your LAN to any system connected to the server.

Those simple kinds of security issues can be addressed with a few
simple changes to your networking. But they don't protect you from
active attack by hackers. Even if you close all your ports as
grc.com describes, you may still be susceptible to other attacks like
DoS (denial of service) and other problems.

Also, Sygate & similar products provide NO protection against attacks
from "inside" -- Trojans that try to "phone home" to send the
mothership your credit card numbers, bank account numbers, etc.

A good and properly configured firewall will detect, block, and warn
you of attacks from outside. Most of them also detect and block
unauthorized action from inside. With a properly configured firewall
you are nearly invulnerable to attack.

The trick is the "properly configured" part. Configuring a firewall
can be a real headache. It's an ongoing job as you add new apps,
etc, that need to be granted permission. Some of them (e.g.
BlackIce) are pretty automated and figure things out "intelligently"
on their own. But this often results in false alarms because the
"intelligent" agent isn't as intelligent as you'd like.

It's a shame that millions of people have to worry about this and
expend countless hours and $$ to protect themselves from a bunch of
destructive, thieving sociopaths. But that's life on the Net.
Gary
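
The NAT-versus-firewall distinction in the message above, as an added example that is not part of the original post and is not Sygate's code: a toy model of a NAT gateway's translation table. The class and function names, the documentation-range IP addresses, the use of port 139 as the gateway's file-sharing listener, and the rule that a reply must come from the mapped remote endpoint are all assumptions made for illustration.

```python
"""Toy NAT gateway model (constructed example; all names and addresses are hypothetical)."""
from dataclasses import dataclass, field


@dataclass
class NatGateway:
    public_ip: str
    # Ports where the gateway machine itself runs a service (assumed: 139 = file sharing).
    own_listeners: set = field(default_factory=set)
    # public port -> (client ip, client port, remote ip, remote port)
    table: dict = field(default_factory=dict)
    next_port: int = 40000

    def outbound(self, client_ip, client_port, remote_ip, remote_port):
        """NAT has no policy: any client program may connect out, and a mapping is recorded."""
        pub = self.next_port
        self.next_port += 1
        self.table[pub] = (client_ip, client_port, remote_ip, remote_port)
        return (self.public_ip, pub)

    def inbound(self, remote_ip, remote_port, dst_port):
        """Classify a packet arriving on the public interface."""
        m = self.table.get(dst_port)
        if m and m[2:] == (remote_ip, remote_port):
            return f"forwarded to {m[0]}:{m[1]}"      # reply to a client-initiated flow
        if dst_port in self.own_listeners:
            return "delivered to gateway service"      # NAT does not shield the server itself
        return "dropped: no mapping"                   # clients are unreachable unsolicited


def demo():
    gw = NatGateway("203.0.113.5", own_listeners={139})
    out = {}
    # 1. Unsolicited probe aimed at a client: there is no mapping to translate it through.
    out["probe_client"] = gw.inbound("198.51.100.9", 4444, 40000)
    # 2. The same outsider probes the gateway's own file-sharing port.
    out["probe_gateway"] = gw.inbound("198.51.100.9", 4444, 139)
    # 3. Any program on a client, wanted or not, connects out; the reply is let back in.
    src = gw.outbound("192.168.0.2", 1055, "198.51.100.9", 80)
    out["reply"] = gw.inbound("198.51.100.9", 80, src[1])
    return out


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:14} -> {verdict}")
```

Cases 2 and 3 are the gaps a host firewall on the gateway closes: filtering inbound traffic to the server's own listeners and applying per-application rules to outbound connections.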