SMS lets you configure rules that enable or disable DHCP, DNS and NetBIOS, OS masquerading, and the shunning of attackers. The process is simple. When we ran an NMAP probe against a client with OS masquerading enabled, for example, the software identified the system as a Red Hat Linux station, so an attacker would be tricked into trying Linux attacks against a Windows workstation. This feature will mislead script kiddies scanning for hosts, but it won't guarantee complete security.
The server software provides two methods for establishing trusted applications: manual input or client-learned. Every time a client with a learning-enabled policy launches a new Internet program, it reports the file name, version number and MD5 hash to the server. You can then add the appropriate applications to the trusted list. In test environments, new applications can be added to the approved application list automatically, or the management server can send you an e-mail when a user runs a previously undiscovered application.
Application discovery is important in the initial configuration and testing phases of deployment. We had one big complaint about the way the product accomplishes this. The server cannot dictate the MD5 hashes of an application's components (the DLLs it loads). Instead, these hashes are computed on the end node. Although this technique makes diverse environments easier to administer, it also means the firewall must be installed on clean systems. If you install the firewall on a system that's already compromised, the firewall won't catch the Trojan, because the compromised files simply become the learned baseline. You can, however, dictate and require the executable's hash to come from the server. In other words, you can require iexplore.exe to have a certain MD5 hash, but the system DLL hashes cannot be centrally defined. Integrated antivirus and intrusion-detection support should catch any stragglers.
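The distinction the review draws between client-learned hashes and a server-dictated executable hash is easy to show in code. The following is an added example, not Sygate's software or any of its APIs; the file contents, names and the `ManagementServer` model are constructed. It models a client reporting file name, version and MD5 hash for an executable and its DLLs, and shows three outcomes: a Trojanised executable being "learned" as trusted on an already-compromised host, the same file being blocked once the administrator dictates the executable's hash, and a tampered DLL slipping through because component hashes are only ever computed on the end node.

```python
import hashlib
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed stand-ins for the files a client would report (not real binaries).
CLEAN_IEXPLORE = b"MZ...iexplore.exe clean build 6.0"
TAMPERED_IEXPLORE = b"MZ...iexplore.exe with injected payload"   # hypothetical Trojanised copy
CLEAN_DLL = b"MZ...shell32.dll clean"
TAMPERED_DLL = b"MZ...shell32.dll patched"                         # hypothetical tampered DLL


def md5_hex(data: bytes) -> str:
    # The product reports MD5, as the review states. MD5 collisions are practical today,
    # so a modern design would use SHA-256 for an application allowlist.
    return hashlib.md5(data).hexdigest()


@dataclass
class ClientReport:
    """What a learning-enabled client sends: everything here is computed on the end node."""
    file_name: str
    version: str
    md5: str
    component_md5s: Dict[str, str]   # DLL name -> hash, also computed by the client


@dataclass
class TrustedApp:
    file_name: str
    version: str
    md5: str
    components: Dict[str, str] = field(default_factory=dict)


class ManagementServer:
    """Minimal model of the trusted-application list (constructed, not the vendor's server)."""

    def __init__(self, learning: bool):
        self.learning = learning
        self.trusted: Dict[str, TrustedApp] = {}
        self.dictated_exe_hashes: Dict[str, str] = {}   # executable name -> admin-required hash
        self.alerts: List[str] = []

    def dictate_exe_hash(self, file_name: str, md5: str) -> None:
        """Only executables can be pinned centrally; DLL hashes cannot."""
        self.dictated_exe_hashes[file_name] = md5

    def receive(self, report: ClientReport) -> str:
        """Return 'allowed', 'learned' or 'blocked' for one client report."""
        required: Optional[str] = self.dictated_exe_hashes.get(report.file_name)
        if required is not None:
            if report.md5 != required:
                self.alerts.append(f"{report.file_name}: executable hash mismatch")
                return "blocked"
            # Executable verified against the server-dictated value. Component hashes are
            # accepted as reported: the server has no independent source of truth for them.
            self.trusted[report.file_name] = TrustedApp(
                report.file_name, report.version, report.md5, dict(report.component_md5s))
            return "allowed"

        known = self.trusted.get(report.file_name)
        if known is None:
            if self.learning:
                # Learning mode trusts whatever the endpoint reports, clean or not.
                self.trusted[report.file_name] = TrustedApp(
                    report.file_name, report.version, report.md5, dict(report.component_md5s))
                return "learned"
            self.alerts.append(f"{report.file_name}: unknown application")
            return "blocked"
        if known.md5 != report.md5 or known.components != report.component_md5s:
            self.alerts.append(f"{report.file_name}: hash changed since baseline")
            return "blocked"
        return "allowed"


def report_for(exe_bytes: bytes, dll_bytes: bytes) -> ClientReport:
    """Build the report a client would send for iexplore.exe plus one DLL (constructed)."""
    return ClientReport("iexplore.exe", "6.0", md5_hex(exe_bytes),
                        {"shell32.dll": md5_hex(dll_bytes)})


def demo() -> Tuple[str, str, str]:
    # 1. Learning mode on an already-compromised host: the Trojanised copy becomes the baseline.
    learning = ManagementServer(learning=True)
    learned = learning.receive(report_for(TAMPERED_IEXPLORE, CLEAN_DLL))

    # 2. Server-dictated executable hash: the same Trojanised copy is blocked.
    strict = ManagementServer(learning=False)
    strict.dictate_exe_hash("iexplore.exe", md5_hex(CLEAN_IEXPLORE))
    blocked = strict.receive(report_for(TAMPERED_IEXPLORE, CLEAN_DLL))

    # 3. Clean executable but tampered DLL: allowed, because DLL hashes are never dictated.
    slipped = strict.receive(report_for(CLEAN_IEXPLORE, TAMPERED_DLL))
    return learned, blocked, slipped


if __name__ == "__main__":
    print(demo())   # ('learned', 'blocked', 'allowed')
```

The third outcome is the gap the review describes: because the server never holds a known-good hash for system DLLs, a client-side compromise of a component passes as long as the executable itself matches, which is why the product's antivirus and intrusion-detection layers are left to catch the stragglers.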
Sygate's is also the only product that lets you create multiple policies based on the user's location or tasks. For example, you can have one policy for local users, another for users connecting via VPN, and a third for wireless users. Policies can be selected by MAC (Media Access Control) address, IP address, network adapter, VPN adapter, application and time of day.
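Location-aware policy selection of the kind described above comes down to an ordered list of conditions evaluated against the client's current environment. The following is an added example, not Sygate's policy engine or configuration format; the policy names, the `ClientContext` fields and the sample rules are constructed. It shows first-match evaluation over adapter type, IP range and time of day, with a default policy as the last rule, and it treats the MAC address and IP address as weak evidence (both can be changed by whoever controls the host), so the example uses them only to choose a more restrictive policy, never a more permissive one.

```python
import ipaddress
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

# Policy names are constructed labels, not the product's own.
LOCAL_POLICY = "local-lan"
VPN_POLICY = "remote-vpn"
WIRELESS_POLICY = "wireless-restricted"
AFTER_HOURS_POLICY = "after-hours-lockdown"
DEFAULT_POLICY = "default-deny"


@dataclass
class ClientContext:
    """What the client knows about its current location (constructed fields)."""
    adapter: str          # e.g. "ethernet", "wireless", "vpn"
    ip: str
    mac: str
    hour: int             # local hour, 0-23


# A rule is (name, predicate). Rules are evaluated in order; the first match wins.
Rule = Tuple[str, Callable[[ClientContext], bool]]

CORPORATE_LAN = ipaddress.ip_network("10.10.0.0/16")     # constructed address range
# Constructed MAC prefix for the company's managed wireless cards. MAC and IP are
# self-reported by the host, so they are only used below to tighten policy, not loosen it.
MANAGED_WIFI_MAC_PREFIX = "00:11:22"


def is_after_hours(ctx: ClientContext) -> bool:
    return ctx.hour < 7 or ctx.hour >= 20


def on_corporate_lan(ctx: ClientContext) -> bool:
    return ctx.adapter == "ethernet" and ipaddress.ip_address(ctx.ip) in CORPORATE_LAN


RULES: List[Rule] = [
    # Time of day is checked first so it overrides location.
    (AFTER_HOURS_POLICY, is_after_hours),
    # Wireless gets the restricted policy regardless of MAC; a managed MAC prefix
    # does not relax it because the prefix is trivially spoofable.
    (WIRELESS_POLICY, lambda c: c.adapter == "wireless"),
    (VPN_POLICY, lambda c: c.adapter == "vpn"),
    (LOCAL_POLICY, on_corporate_lan),
    (DEFAULT_POLICY, lambda c: True),
]


def select_policy(ctx: ClientContext, rules: Optional[List[Rule]] = None) -> str:
    """Return the name of the first rule whose predicate matches the client context."""
    for name, predicate in (rules or RULES):
        if predicate(ctx):
            return name
    return DEFAULT_POLICY   # unreachable with the catch-all rule, kept for safety


def demo() -> Tuple[str, str, str, str, str]:
    lan = ClientContext("ethernet", "10.10.4.20", "aa:bb:cc:dd:ee:01", hour=10)
    vpn = ClientContext("vpn", "172.16.9.3", "aa:bb:cc:dd:ee:02", hour=10)
    wifi = ClientContext("wireless", "10.10.200.5", f"{MANAGED_WIFI_MAC_PREFIX}:00:00:01", hour=10)
    late = ClientContext("ethernet", "10.10.4.20", "aa:bb:cc:dd:ee:01", hour=23)
    # Ethernet adapter but an address outside the corporate range: falls to the default.
    foreign = ClientContext("ethernet", "192.168.1.7", "aa:bb:cc:dd:ee:03", hour=10)
    return tuple(select_policy(c) for c in (lan, vpn, wifi, late, foreign))


if __name__ == "__main__":
    print(demo())
```

Ordering is the design decision to get right: putting the time-of-day rule first means a LAN user at 23:00 gets the lockdown policy rather than the permissive local one, and the catch-all default at the end guarantees that an unrecognised location never silently inherits the most permissive policy.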
Sygate's report generation isn't as robust as ISS's: you can't drill very deeply into Sygate's graphs. Each rule can be assigned a severity on a scale from zero to 15. We created a rule specifying that running telnet.exe would produce a critical flag. After executing telnet on a client machine, we sorted the security log by severity, and our telnet violation appeared at the top. You can create line, bar and pie charts showing IPs, protocols, time, application or severity of attacks, but you can't take the reporting much further than that.