Sygate Pro or Jetico & CHX-I (Snort)

Discussion in 'other firewalls' started by Syncman9, Jun 17, 2005.

Thread Status:
Not open for further replies.
  1. Syncman9

    Syncman9 Registered Member

    Joined:
    Jul 28, 2004
    Posts:
    113
    Location:
    UK
    Sygate Pro or Jetico & CHX-I (Snort & SnortSam)

    Hi All,

    I've recently been giving Sygate Pro a tryout after a friend suggested I try it. However, previously I've been using Jetico with CHX-I.

    I'm trying to decide whether to pay for Sygate Pro, or to revert back to Jetico. It's not about the money, it's purely a case of which is better and more secure.

    Cheers,

    Sync.
     
    Last edited: Jun 17, 2005
  2. Dave-54321

    Dave-54321 Guest

    As a former Sygate user of 3+ years, I would have recommended Sygate over a year ago. However, now I would strongly recommend Jetico for the simple fact that Sygate has had no signs of "development" over the last year or so, with the exception of a beta version that has long been overdue.

    Sygate needs to get their priorities straight; and apparently home users are at the bottom of their list. They seem to be only focussing on Enterprise customers. Lack of "development" is what turned me away from Sygate.

    Jetico seems to have a new release every 2 to 6 weeks, and already shows a lot of dedication and I see a bright future for JPF as soon as they start cleaning up some of the "minor, yet annoying" bugs. Jetico is still free at this point in time and would be very worthy of being an excellent paid version when it becomes more stable.

    I would NOT recommend spending money on something that you've got to sit back and wonder if it is still in development or if it has been dropped. Save your money. If you're satisfied with Sygate, use the free version until they at least show some sign of development. As far as I'm concerned, the main purpose in paying for software is to aid in the future costs of development. And if there are no signs of development or has been for quite some time now...... well, I'm sure you get the picture.


    - Dave
     
  3. DRI

    DRI Guest

    Just curious, why would you want to use Jetico and CHX-I in tandem? They both use SPI, even though Jetico doesn't do Pseudo ICMP SPI. (Not yet anyways!) That is double filtering at the packet level. Which can be problematic under a heavy load. It is better to use an app filter fw like Alertwall: http://www.sharewareplaza.com/AlertWall-Personal-Firewall-download_14231.html

    Or ZA with inet filter turned off.

    Cheers
    DRI
     
  4. Syncman9

    Syncman9 Registered Member

    I didn't use CHX-I for SPI, it was connected up to Snort via SnortSam to provide IDS/IPS.

    Besides my router (DG834) provides SPI.
     
  5. DRI

    DRI Guest

    OK, you didn't mention anything about SnortSam in your previous message. The title is, 'Sygate Pro or Jetico & CHX-I (Snort)'. Which can be run on any firewall. I thought the purpose of your posting was for better security? Unless you were looking for some kind of application filter that CHX-I doesn't provide..

    DRI
     
  6. Syncman9

    Syncman9 Registered Member

    I already use Process Guard to provide application filtering.

    My question is which is the better of two, from a firewall perspective, which one will provide a better IDS/IPS Solution.

    Sorry if my original post was confusing.
     
  7. Arup

    Arup Guest

    Sygate is excellent if you don't have proxy or transparent proxy, the upgradable IDS signature combined with truly unique protection features like Anti Spoofing, stealth browsing etc makes it a good deal, the cons are that it is heavily due for an update and I am worried how committed Sygate is in bringing that up, their updates are far and less frequent than others and till date, they are yet to address the proxy issue.
     
  8. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    7,780
    I think I would choose Jetico over Sygate. In my experience, I have seen Sygate appear to allow packets in to listening ports whether they were ok'd or not. I ran CHX behind Sygate and saw those packets go through to the CHX logs. This shouldn't be happening, and people at the Sygate forum don't seem to care either.

    Why pay for something when there is something else just as good for free?
     
  9. Dave-54321

    Dave-54321 Guest

    Buying a router (with NAT & SPI) for $30 to $50 will completely ease the stress caused by trying to secure a PC with software firewalls and so on. Then you don't have to worry about CPU and such, or certain applications clashing with other applications and causing conflicts.

    You'd be quite surprised by the "peace of mind" a decent router can provide for you, not to mention the boost in system performance. That's my tip of the day; and everyday for that matter.

    I switched over to Linux a few months ago and completely dropped Windows, speaking of "peace of mind" regarding viruses and such. I was completely blown away with the installation, hardware detection, and everything else for that matter. I can't believe just how intelligent Linux OS's really are compared to Windows. It's like comparing a Cadillac Escalade to a go-kart.

    By the way, just in case anyone is curious, it was SuSE Linux Professional 9.3 that made the switch an amazing experience, not to mention a great learning experience as well.

    Best of luck!
     
  10. Syncman9

    Syncman9 Registered Member

    Hi Dave,

    I already do have a router, a Netgear DG834, I think I may have mentioned it briefly in one of my earlier posts.

    Routers normally only block ports, or allow ports but they lack the ability to tailor the rules for a specific application. In addition many routers have a default rule of allowing all outbound traffic.
     
  11. halcyon

    halcyon Registered Member

    Joined:
    May 14, 2003
    Posts:
    373
    I agree with Syncman9.

    However, if one has a proper hardware SPI firewall with plenty of configuration opportunities and CPU power, then what is the point of a CHX-I type packet filter?

    CHX-I, afaik, does not allow for application-specific filtering, or does it?

    I think an application filter with a hardware SPI filter can be really good combination, if one likes such a setup.

    If you see some added benefits in running app filter + CHX-I type packet software filter + hardware SPI router/firewall, then please explain that to the rest of us mere mortals.

    Syncman, if you want application-specific rules, I think Jetico might be more up your alley.

    However, be noted that at least one user has reported the latest Jetico build fully crashing his system (repeatable). I had the crash problem with an earlier build of Jetico and could not resolve it, so I gave up on Jetico (also, it was _really_ complicated to set up, even if one understands something about routing and firewalls).


    best regards,
    halcyon
     
  12. Syncman9

    Syncman9 Registered Member

    Hi All,

    I used CHX-I with SnortSam to provide IPS/IDS Protection, something which Sygate also has built in. I use Process Guard to control which applications are allowed to run.

    I don't use CHX-I for any other purpose, I had disabled all the SPI sections, as my router already performed that role.

    I'm fast coming to the conclusion that there isn't much of a choice between them, it's down to personal preference.
     
  13. Jazzie1

    Jazzie1 Registered Member

    Joined:
    Dec 5, 2003
    Posts:
    174
    Hi all!

    halcyon-

    Unless on a DMZ, your router protects you from inbound SPI connections. I agree with you to some extent about having to run some sort of app filter+router combo, to provide an ok layer of security. But, having an SPI software firewall has a lot of benefits over just normal packet filter firewalls, by keeping track of connection states. Even outbound is important. Stateful packet inspection firewalls are more secure than basic packet filtering firewalls. Because stateful packet inspection digs deeper into the packet header information to determine the connection state between endpoints, it is better equipped to guard against unwanted or unauthorized access. Believe it or not, there are a lot of security experts that are against app filtering. Because, it gives the illusion of protecting one's system based on a holy OS. If you look at all firewalls, they ALL have weaknesses and some strengths. I myself, only like to control the bandwidth on my system (what calls out/home). That is why I use ZAP with everything turned off, except app filtering with component control. Not worried about the so called 'leak tests', that the majority seem to be playing the 'cat and mouse game' over....I like CHX-I because it boasts nothing but providing strong SPI. Nothing more, nothing less...

    Regards
    Jazzie
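
The difference described in the post above between a header-only packet filter and one that tracks connection state, as an added example that is not part of the original thread. The class and function names are hypothetical, the packets are constructed, and the addresses come from the documentation ranges.

```python
from collections import namedtuple

Packet = namedtuple("Packet", "direction local lport remote rport flags")

def stateless_allow(pkt):
    """Header-only rules: all outbound; inbound only if ACK or RST is set."""
    return pkt.direction == "out" or bool(pkt.flags & {"ACK", "RST"})

class StatefulFilter:
    """Minimal TCP connection tracker keyed on the 4-tuple (a simplification:
    real trackers also check sequence numbers, timeouts and half-closed states)."""
    def __init__(self):
        self.table = {}

    def allow(self, pkt):
        key = (pkt.local, pkt.lport, pkt.remote, pkt.rport)
        state = self.table.get(key)
        if pkt.direction == "out" and pkt.flags == {"SYN"}:
            self.table[key] = "SYN_SENT"      # new outbound connection
            return True
        if state is None:
            return False                      # no tracked connection: drop
        if state == "SYN_SENT" and pkt.direction == "in":
            if pkt.flags == {"SYN", "ACK"}:
                self.table[key] = "ESTABLISHED"
            elif "RST" not in pkt.flags:
                return False                  # not a valid answer to our SYN
        if pkt.flags & {"FIN", "RST"}:
            del self.table[key]               # tear down on close or reset
        return True

# Constructed trace: one normal web connection, then three packets that
# belong to no connection the host ever opened.
HOST, WEB, STRANGER = "192.0.2.10", "198.51.100.5", "203.0.113.9"
TRACE = [
    Packet("out", HOST, 50000, WEB, 80, frozenset({"SYN"})),
    Packet("in", HOST, 50000, WEB, 80, frozenset({"SYN", "ACK"})),
    Packet("out", HOST, 50000, WEB, 80, frozenset({"ACK"})),
    Packet("in", HOST, 50000, WEB, 80, frozenset({"ACK", "PSH"})),
    Packet("in", HOST, 50001, STRANGER, 80, frozenset({"ACK"})),
    Packet("in", HOST, 50002, STRANGER, 80, frozenset({"SYN", "ACK"})),
    Packet("out", HOST, 50003, STRANGER, 443, frozenset({"ACK", "PSH"})),
]

def compare(trace):
    """Return (stateless verdict, stateful verdict) for each packet in order."""
    spi = StatefulFilter()
    return [(stateless_allow(p), spi.allow(p)) for p in trace]

if __name__ == "__main__":
    for pkt, (sl, sf) in zip(TRACE, compare(TRACE)):
        print(pkt.direction, pkt.remote, sorted(pkt.flags), "stateless:", sl, "stateful:", sf)
```

The last three packets carry perfectly well-formed headers, so the header-only rules pass them; the tracker drops them because no matching connection exists, inbound or outbound.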
     
  14. Syncman9

    Syncman9 Registered Member

    But SPI isn't everything, it only stops malformed packets, packets with incorrect header information etc. etc.

    Application filter again is only half the battle, since it doesn't stop buffer overflows or exploits of that nature.

    An accurate set of rules provided per application locks down an application to certain ports, or IP addresses etc.

    I guess a setup depends on an individual, but I consider mine pretty tight, probably a little OTT to be honest.
     
  15. Jazzie1

    Jazzie1 Registered Member

    No it's not, but it is securer than normal packet filter firewalls. CHX-I is one of the best implementations of SPI in a software fw, that I have utilized. (Besides Check Point FW-1) Extremely light and powerful. And yes, it is always up to individual!

    That is why I use ZAP to manage bandwidth and what calls out. Not worried on what ports my trusted programs use. Because, if you had some sort of malware on your system, it can circumvent any type firewall... Depending on the malware! :)

    Regards
    Jazzie
     
  16. Syncman9

    Syncman9 Registered Member

    Very true, which raises the question do I need a software firewall, wouldn't a good app manager do the job? since I have a SPI, NAT Firewall on my router. I use Process Guard, it could be argued that would be enough.

    However even with SPI & NAT some types of packets will still get through, which leads on to IDS/IPS.

    I used to use Kerio and the IDS feature within that was always logging something or other when I was using P2P applications, but neither Sygate Pro or my previous setup of CHX-I with SnortSam logged anything but malformed pings. Maybe the IDS feature in Kerio doesn't work properly.
     
  17. controlmind

    controlmind Registered Member

    Joined:
    Jun 18, 2005
    Posts:
    19
    Location:
    USA
    I have been using Sygate Personal Firewall Pro for a while and it has successfully run and passed online firewall tests on my computer :) . It updates once every 2 weeks or so. Slow updates but good protection ;) .

    controlmind
     
  18. Dave-54321

    Dave-54321 Guest

    Syncman9,

    I have come to the conclusion that you are far too paranoid (for your own good) to even take the time to enjoy the Internet. You seem to be the type of person that will never be 100% satisfied with your security setup. Keep it simple!

    Besides... unless you are running a banking server...



    and then there was MasterCard... LOL
     
  19. DRI

    DRI Guest

    This seems to be the fate of most people that frequent here. (not putting anyone down for it) I have been guilty of this once or twice myself. :) But like you say Dave, not being satisfied with one's security set-up is an ongoing cat and mouse game as Jazzie1 stated. You can try one and feel somewhat comfortable with it, then you find some kind of drawback with it. Either a memory hog, or a feature missing that another has. Or, it doesn't seem to pass some sort of "leak test". So on and so forth.. I also keep it simple, because of the fact that ALL software fw's can be bypassed one way or another, realistically. So then you come down to your common sense and safe hex... If you hang out in the underground, are you safe with any set-up? If you read an occasional e-mail or two and surf security sites all day are you in any kind of danger from malware or an intrusion attempt??

    Cheers
    DRI
     
  20. Kerodo

    Kerodo Registered Member

    I have to agree with you there.. I think for the majority of people here, this is or has become a hobby of sorts, at least it has in my case.. I can't speak for anyone else, but I suspect that for most they experiment with security software mostly because they enjoy doing so. Of course, someone is bound to disagree... :)
     
  21. Syncman9

    Syncman9 Registered Member

    Hi All,

    Dave you’re probably right to some degree, but I’m one of those people who enjoy playing with security software.
    Although I’m sure some of it would be related to level of paranoia gained from looking around all these security sites on a fairly regular basis.

    I comment on a lot of forums and I’ve seen all the problems that result from peeps with poor security and I guess I’ve probably taken it a bit far. However it’s also a hobby for me as well.

    There is no truly safe setup, things can always be bypassed and it’s an ever changing playing field but I’d like to think that I have a setup which is pretty secure and thus will hopefully limit my chances of getting any problems.
     
  22. halcyon

    halcyon Registered Member

    I think you misread me.

    A proper router with a thoroughly implemented SPI firewall will protect the computer from inbound and outbound network attempts, just as well as CHX-I (assuming equal level/accuracy of SPI implementation) OR even better.

    That was my point.

    In fact, I'd argue that a separate hardware SPI firewall would be even safer than CHX-I (assuming equal performance and level of SPI implementation on both), because router is a self-contained "secure" application running zone (inside the router OS), whereas a PC workstation is an insecure/open application execution zone (inside Windows environment).

    Now, do not mistake this for me being critical (or somehow not liking CHX-I). On the contrary, I think it's great.

    I'm just trying to simplify things for those who may be stacking one thing on top of another without necessarily benefiting from it.


    Hence, an application filter + a SPI firewall (whether software on the workstation or hardware inside a separate router) should be enough for most of those, who don't need application specific port/address filtering and prevention of most leak tests.

    Best regards,
    halcyon

    PS I think the "being scared" criticism is also correct to some point. Still, this is a hobby just as any other. Also, I'd like to point out that if there was a single "install and forget it" type security application for firewalling/IDS/application net access control that "just worked" (TM), never failed, never crashed, never congested network bandwidth or required one to write a lot of filters, etc... I'd buy it in an instant and never look back. But such a beast does not exist and probably never will.
     
  23. Jazzie1

    Jazzie1 Registered Member

    No not mis-read, your SPI router (any type) does not filter SPI outbound. Only inbound! That is the message I was trying to convey to you. (attempts, inbound and outbound is a different story........)

    That is again your opinion...Routers can be circumvented as well.

    Like I said earlier in my previous post(s), a software SPI firewall, filters traffic better and is securer than a normal packet filtering firewall.

    That is what most people say or do! Playing the Merry-go-round of installing a new firewall every other day, like changing underwear, because they are displeased with its features/performance. Leak tests are only marketing techniques/ways of showing holes in the OS itself! Under a good aimed hack, all of them would fail. I understand that if it is your hobby, then why not! But, when does it end? Or begin?

    Not trying to force-feed CHX-I down anyone's throat either, It is a good packet filtering firewall, which I tip my hat to......................

    Regards
    Jazzie
     
    Last edited: Jun 19, 2005
  24. Syncman9

    Syncman9 Registered Member

    It's very true but your joe average person probably isn't really in line to be hacked by someone with that level of knowledge or ability. They are more likely to suffer from a virus/trojan or worm.

    As halcyon already mentioned, there is no one single solution which fits all, or otherwise like halcyon, I'd have bought it.

    As for where you begin or end, that I guess depends on the individual concerned.
     
  25. Jazzie1

    Jazzie1 Registered Member

    That is strictly your opinion, which then, goes beyond the scope of a firewall!

    Never detested that. I agree with that to some degree and extent.

    I wasn't referring to myself, I was referring to the constant search for the 'holy grail of firewalls' when it doesn't exist! By, 'Where does IT end? Or Begin?'


    Regards
    Jazzie
     