TUCoPS :: Windows Net Apps :: secure~1.txt

How to secure your WinGate installation from abuse

Internet security and WinGate

There has been an increasing amount of press and publicity concerning
unauthorized use of proxies and firewalls to perform illicit activities
which are then attributed to the owner of the proxy. A number of these
incidents have involved WinGate: a WinGate service that is reachable from
the Internet and still uses the default policy will relay connections for
anyone, and the relayed traffic carries the WinGate machine's own address.
This page tells users what the issues are and how they can defend their
systems against abuse.

Why should I do anything?

There are unfortunately people out there who spend a great deal of time
looking for ways to bypass the security measures ISPs increasingly use to
thwart spammers - people who send large volumes of unsolicited mail to
large numbers of email addresses. One way to bypass ISP controls on
outbound mail is to appear to be a valid ISP client. An open proxy such as
an insecurely configured WinGate lets an outsider do exactly that: the
spam leaves your connection, from your IP address, and looks like it came
from you.

So, in general, to stop people doing things that will be attributed to
you - which could result in your account being shut down - you should
ensure that your proxy server installation is secure from unauthorized
use.

How do I do it?

There are a number of methods of securing WinGate, which should not take
you longer than a couple of minutes to implement.

There are two main ways to secure access.

  1.Logically, by rule. This involves setting up rules as to who may or
    may not do certain things in WinGate, for example restricting a
    service to clients connecting from your LAN addresses.

  2.Physically. By binding a service to a specific interface (see
    below), that service is simply not available from any other
    interface, so by binding a service to your LAN adapter you can
    easily block all access from the Internet. Note that this only
    helps when your Internet connection arrives on a different
    interface (such as a dial-up adapter) from the one your LAN uses.

You may also choose a mixture of these two methods, depending on your
requirements for access. Here are some examples of some typical ways of
securing your access.

Example: A small LAN using WinGate Lite or the free version for net
access, not running any servers that need to be accessed from the
Internet.

This is by far the most common scenario.

Option 1

If all the services are using the default security arrangement as installed, then
perform the following steps.

  1.Open GateKeeper and log into WinGate as Administrator.
  2.Double click on Policies, then double click on "Default Policies".
  3.Select the right named "Users can access services".
  4.There will be one recipient listed - "Everyone". Double click on this
    recipient.
  5.Select the Location tab.
  6.Select "Specify locations from where this recipient has rights".
  7.Under Included locations add 127.0.0.1 (localhost) and the network of
    each LAN card in the WinGate machine, written as the first three
    numbers of the card's IP address followed by .* - for example, if
    the card has IP address 192.168.0.1, add 192.168.0.*. If the WinGate
    machine has more than one network card, add an entry for each one
    whose network will need access to WinGate. Do not add the address
    of the dial-up or other Internet-facing interface, or you will have
    re-opened the proxy to the Internet.
  8.Hit OK, and remember to save changes.

Now only your LAN users (and the WinGate machine itself, via 127.0.0.1)
can access any service in WinGate. If some of your services use their
own rules rather than the global ones, perform the same steps for each
recipient in those service-specific rules. To check the result, try
using a WinGate service from a host outside your LAN; the request should
be refused.

Alternative method using option 2.

Because the Lite version of WinGate cannot bind a service to more than
one interface (WinGate 2.1 Pro can), using option 2 means creating a
separate copy of each service for every interface you need to bind to.
The minimum is two: the localhost interface (127.0.0.1), which is used
for your second free user license, and the interface of your WinGate
machine's LAN card. For each additional LAN card in your machine, create
another copy of the service and bind it to that LAN card's IP address.

To bind a service to an interface do the following:

  1.Open GateKeeper and log into WinGate as Administrator.
  2.Double click on "Services" in the right hand pane.
  3.Double click on the service you want to modify.
  4.On the "General" tab, enable the option "Bind to specific
    interface" and type in the address of the interface you are binding
    to. The interface address is the IP address of a LAN card in your
    WinGate machine, or 127.0.0.1 for the free user (localhost). Never
    bind a service to the address of your Internet-facing interface
    unless you intend it to be reachable from the Internet.

Note - You cannot change the binding of the Remote Control Service in
WinGate Lite, so it must be protected by rule (option 1) instead.
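To make concrete what binding a service to an interface does, here is an added Python demonstration (not WinGate's code; WinGate is configured through the GateKeeper GUI). It starts a throwaway TCP listener bound either to all interfaces (0.0.0.0, the equivalent of leaving "Bind to specific interface" unticked) or to 127.0.0.1 only, and then probes it from two local addresses. It assumes a Linux-style loopback where the whole 127.0.0.0/8 block is local, so 127.0.0.2 can stand in for a "second interface" without a real LAN card.

```python
import socket

# Added example, not WinGate code. Assumes a Linux-style loopback where all
# of 127.0.0.0/8 is local, so 127.0.0.2 plays the part of a second interface.


def start_listener(bind_addr: str) -> socket.socket:
    """Listen on an OS-chosen port, bound to bind_addr.

    "0.0.0.0"   = every interface (the option left unticked)
    "127.0.0.1" = localhost only (the binding used for the free user)
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((bind_addr, 0))
    srv.listen(5)
    return srv


def can_connect(host: str, port: int, timeout: float = 1.0) -> bool:
    """Return True if a TCP handshake to host:port completes."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # ConnectionRefusedError, timeout, no route, ...
        return False


def reachability(bind_addr: str, probe_addrs) -> dict:
    """Start a listener bound to bind_addr and report, for each address in
    probe_addrs, whether a client can reach the service at that address."""
    srv = start_listener(bind_addr)
    port = srv.getsockname()[1]
    try:
        return {addr: can_connect(addr, port) for addr in probe_addrs}
    finally:
        srv.close()


if __name__ == "__main__":
    probes = ["127.0.0.1", "127.0.0.2"]
    for bind_addr in ("0.0.0.0", "127.0.0.1"):
        print(f"bound to {bind_addr:9s}: {reachability(bind_addr, probes)}")
```

The service bound to 0.0.0.0 answers on every address the machine has; the one bound to 127.0.0.1 is refused on 127.0.0.2, which is exactly the effect you want for a service that must not be reachable on the Internet-facing interface.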

What if I am running a server behind WinGate that requires
public access?

We recommend that you do not run Telnet or SOCKS services with public
access, since both can relay a connection to any host and port an
outsider asks for. If you must, restrict what requests the service will
perform. You can require users of these services to authenticate when
they connect from the Internet, so that only known accounts can use
them; otherwise you can restrict where a user may connect to, or at what
times.

For WWW, if say you are running a WWW server behind WinGate, you can
stipulate that internet users can only connect to your internal WWW
server, and internal users can connect out.

General techniques and hints.

The first question is "Do I really need to allow access to this service
from the Internet, and why?". The reasons to require access from the
Internet are relatively few.

  1.You may be running mail, WWW or other servers on your LAN that
     require access from the internet.
  2.You may require field staff to telnet into your Unix server from the field.
  3.You may have a requirement for some secure inter-office
     communication.

If none of these apply, you need to seriously question why you would allow
access from the internet to a service.

There are ways and means to specify different access rights depending on
where a user accesses WinGate from. You can either create duplicate
services bound to the different interfaces with different policies per
service, or you can do it with a single service, with location based
policies.

E.g. a POP3 service using service-specific rules. Create two recipients,
both called Everyone. The first is restricted by location and must
connect from your LAN; it may make any request. The second can connect
from anywhere, but is restricted by request - say, only allowed to
connect to your own mail server on the POP3 port, so that outsiders
cannot use the service to reach other servers.
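The following added Python model (not WinGate's code; WinGate has no scripting interface described on this page) shows how the two rule sets discussed above evaluate: the location-restricted "Everyone" recipient from the Option 1 steps, and the POP3 service with one recipient restricted by location and one restricted by request. It translates WinGate's "192.168.0.*" location notation into a network prefix and then decides each request. All addresses and host names are constructed: 192.168.0.0/24 is the LAN, 203.0.113.0/24 (TEST-NET-3) stands in for the Internet, and the recipient names with "(LAN)" and "(Internet)" suffixes are this example's own labels.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Tuple

# Added example, not WinGate code. Models recipient rules so you can check
# who is allowed to do what before (or after) setting them in GateKeeper.


def location_to_network(pattern: str) -> ipaddress.IPv4Network:
    """Translate a WinGate-style location into an IPv4 network.

    "127.0.0.1"   -> 127.0.0.1/32   (exact host)
    "192.168.0.*" -> 192.168.0.0/24 (trailing octet wildcarded)
    "10.*.*.*"    -> 10.0.0.0/8
    Only trailing wildcards are accepted (the form used in the text);
    anything else raises ValueError rather than silently matching more.
    """
    parts = pattern.split(".")
    if len(parts) != 4:
        raise ValueError(f"bad location pattern: {pattern!r}")
    fixed = []
    for i, octet in enumerate(parts):
        if octet == "*":
            if any(rest != "*" for rest in parts[i:]):
                raise ValueError(f"wildcard must be trailing: {pattern!r}")
            break
        if not octet.isdigit() or int(octet) > 255:
            raise ValueError(f"bad octet in pattern: {pattern!r}")
        fixed.append(octet)
    address = ".".join(fixed + ["0"] * (4 - len(fixed)))
    return ipaddress.IPv4Network(f"{address}/{8 * len(fixed)}")


@dataclass
class Recipient:
    """One entry in a service's 'Users can access services' right."""
    name: str
    # Included locations; an empty list means "from anywhere".
    locations: List[ipaddress.IPv4Network] = field(default_factory=list)
    # Request restriction as (destination host, port) pairs;
    # an empty list means "any request".
    allowed_requests: List[Tuple[str, int]] = field(default_factory=list)


@dataclass
class Request:
    source_ip: str
    dest_host: str
    dest_port: int


def recipient_permits(r: Recipient, req: Request) -> bool:
    """True if both the location and the request restriction pass."""
    src = ipaddress.IPv4Address(req.source_ip)
    if r.locations and not any(src in net for net in r.locations):
        return False
    if r.allowed_requests and (req.dest_host, req.dest_port) not in r.allowed_requests:
        return False
    return True


def is_allowed(recipients: List[Recipient], req: Request) -> bool:
    """A request is allowed if any recipient on the right permits it."""
    return any(recipient_permits(r, req) for r in recipients)


LAN = [location_to_network("127.0.0.1"), location_to_network("192.168.0.*")]

# Scenario 1 (Option 1 steps): the default "Everyone" recipient, now
# restricted to localhost and the LAN. No request restriction needed.
LAN_ONLY = [Recipient("Everyone", locations=LAN)]

# Scenario 2 (POP3 service): two recipients. The first must come from the
# LAN and may do anything; the second may come from anywhere but may only
# reach the internal mail server (constructed name) on the POP3 port.
POP3_RULES = [
    Recipient("Everyone (LAN)", locations=LAN),
    Recipient("Everyone (Internet)", allowed_requests=[("mail.lan.example", 110)]),
]

if __name__ == "__main__":
    checks = [
        ("LAN host, any request", LAN_ONLY, Request("192.168.0.23", "mx.example.net", 25)),
        ("Internet host relaying mail", LAN_ONLY, Request("203.0.113.7", "mx.example.net", 25)),
        ("Internet host fetching own mail", POP3_RULES, Request("203.0.113.7", "mail.lan.example", 110)),
        ("Internet host reaching 3rd-party POP3", POP3_RULES, Request("203.0.113.7", "pop.somewhere.example", 110)),
    ]
    for label, rules, req in checks:
        print(f"{label:40s} -> {'allowed' if is_allowed(rules, req) else 'DENIED'}")
```

The deny cases are the ones that matter: with LAN_ONLY an Internet host cannot relay mail through the proxy at all, and with POP3_RULES it can only reach the one server you intended, not arbitrary POP3 servers through your address.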

More help is at hand.

The help documentation that comes with WinGate has more information on
security, and you can always find help in the users forum and the
support list.


