Solved

Firewall/Configuration

Posted on 2001-08-09
221 Views
Last Modified: 2013-12-19
We have an NT/SBS network using local IP addressing (10.0.0.?) and a Pipeline 75 ISDN router with built-in firewall giving us 24-hour internet access.
In spite of using NAT and having the firewall supposedly not allowing inbound WWW traffic, it appears we acquired CODE RED.  I d/l the patch and the symptoms of infection went away.
We don't have any need for anyone to come in to our system from outside (no OWA, no web hosting, etc).
Does anyone have experience in configuring the firewall on this router?  Can you make some suggestions for keeping people out while not hindering people from getting out?
0
Question by: slink9

36 Comments
 
Expert Comment by geoffryn (LVL 11)
Have you done a scan of your network from the outside?  Is HTTP open?  Does the Proxy part of SBS actually have a real address on it or is the Ascend doing NAT?
0
 
Expert Comment by SysExpert (LVL 63)
Do you need to run IIS, if not turn it off, along with any other unused services.
First rule of Microsoft, disable ALL unused services !!
The default installs so much unused junk !!

I hope this helps !
0
 
Author Comment by slink9 (LVL 23)
The Pipeline is doing the NAT.  The local addresses are 10.0.0.? handled by SBS.
I have never done much on security (which could be why we ended up with this thing in the first place) since I thought there was no way in because of the config of the network.  I guess I know differently now.
Can you post some links that provide beginner guidance on scanning from the outside, what ports to check, etc?
0
 
Accepted Solution by SysExpert (LVL 63, earned 50 total points)
http://www.cert.org/tech_tips/home_networks.html  Firewall and security for home and offices
Test firewall ports and port blocking: http://grc.com/

I hope this helps !
0
 
Author Comment by slink9 (LVL 23)
We have an intranet which uses IIS.  I have SQL Server enabled and plan to eventually use it, but we have a dual P2/400 with 512 meg in it so performance is not an issue.  I will try that site and report back.
0
 
Author Comment by slink9 (LVL 23)
Okay.  Port 80 is open according to that web site.
I can't find out how to close it using either the SCM Connect Manager software or the Pipeline Console.  Who would happen to know how to close it on a Pipeline 50 or 75?
0
 
Expert Comment by geoffryn (LVL 11)
This tells you how to turn the port mapping on; you should be able to disable it the same way.

https://support.lucent.com/cgi-bin/gx.cgi/GUIDGX-{6949ce8f-d22f-11d2-a303-00c04f72f8ac}/Product/pipe75/General/Technical_Notes/plco0032.html
0
 
Author Comment by slink9 (LVL 23)
It didn't load.  Can you post a synopsis?
0
 
Author Comment by slink9 (LVL 23)
I found something about enabling port 80.  It didn't say anything about inbound versus outbound.  I am about ready to call in the pros on this one just to get it done.
0
 
Expert Comment by geoffryn (LVL 11)
Telnet or Console into the Ascend.  Then.

Configure Static Mappings for a Web Server

Go to the following menus and make the selections indicated below:
Main Edit Menu
Ethernet
NAT...
Static Mappings
Static Map 02
Valid = Yes
Dst Port # = 80  (enter the port number based on what traffic you want to allow through. Port 80 is World Wide Web access)
Protocol = TCP  (possibly UDP or TCP, depending on port #)
Loc Port # = 80  (same as the Dst port)
Loc Address = 192.168.100.102/24  (IP address of the web server on the private network)

You should be able to delete the static mapping for port 80 in the static mappings.

0
 
Author Comment by slink9 (LVL 23)
That is the same info I had found.  There is nothing there enabling it.  It's apparently enabled by default.  I thought I could leave it as NO and put in Port 80 to disable it.  That didn't go, either.  Next suggestion ...
0
 
Author Comment by slink9 (LVL 23)
What I had found was at http://www.stic.net/TECH/ISDN/lucentPipelineAdvancedNAT.html.  It is the same, right?
0
 
Expert Comment by geoffryn (LVL 11)
How could it forward to your web server without an entry?  How would it know which IP to forward to?  Any chance you could send me the IP at geoffryn@qwest.net?
0
 
Author Comment by slink9 (LVL 23)
I had rather not send the IP address.  We have had enough problems so far.  I have passed this on to one of our local computer techs.  Maybe he can figure out how to fix it.  The interesting thing is that TELNET, POP3 and some other functions have been turned off.  I wish I knew how they got turned off.  Maybe I could turn off incoming HTTP also.
0
 
Expert Comment by geoffryn (LVL 11)
By default if you are using NAT, there should be no services allowed inbound.  Someone had to configure this. Did you set up the Ascend?
0
 
Author Comment by slink9 (LVL 23)
My tech contact finally showed me the right setting.  It is one or two levels up above the settings I was already looking at.  That is a setting that I believe I made under the tutelage of one of the Ascend techs.  I will make the change tomorrow morning and see if it works.  If so, I will request a points split on this question.  That only leaves me with 25 points, but more will be coming soon.
0
 
Author Comment by slink9 (LVL 23)
Actually the tech showed me the same link.  He doesn't know how to fix this either.  I was thinking that I could use the redirect (which is not set up now) to send it to a non-existent port, but grc.com still says that I have port 80 open.  Any more ideas?
0
 
Expert Comment by geoffryn (LVL 11)
Is it redirecting to your IIS server?  Where is it going?
0
 
Author Comment by slink9 (LVL 23)
It is automatically redirecting to the IIS server when the ip address is entered in a web browser.  It was when I had nothing in the redirect section and the 10.0.0 address of the server in the Def Server spot.
I don't know if it is still doing that but the web site tells me that port 80 is open.  I can't visit that ip address because it is the source IP address.  I will try that from home if I can remember to.
0
 
Expert Comment by geoffryn (LVL 11)
A decent port scanner should be able to tell you if the port is open on IIS or Apache or some hardware based HTTP server.
0
 
Author Comment by slink9 (LVL 23)
Hardware or software?  If software can you give me a link?  I had found some shareware before I got called away to do something else.  I will take a look again and see what I can find.
0
 
Expert Comment by geoffryn (LVL 11)
Software is fine.  I like SuperScanner.  You can find it at www.foundstone.com
0
 
Author Comment by slink9 (LVL 23)
I saw FoundScan but that is a service that they offer for a fee.  I am trying to find something which is either freeware, shareware, or that I can purchase for a one-time fee.  I downloaded a program called Port Detective but it won't connect to their servers, therefore it won't run.  Any other suggestions?
0
 
Expert Comment by SysExpert (LVL 63)
Here's one that's free.

SNORT:
http://www.w2knews.com/rd/rd.cfm?id=052101TB-SNORT

I hope this helps !
0
 
Expert Comment by SysExpert (LVL 63)
Also

Linux security software: Nmap also has an NT version !!

 - nmap (www.insecure.org/nmap) lets you scan for vulnerabilities on a network. Also get nmapfe (X front end for nmap)

I hope this helps !
0
 
Expert Comment by geoffryn (LVL 11)
0
 
Author Comment by slink9 (LVL 23)
I was unable to find an NT version of Nmap.  Do you have a direct link to it?
0
 
Author Comment by slink9 (LVL 23)
I like SuperScan also.  I scanned our local server IP address and it verified that port 80 is open.  It doesn't matter that it is open if our router won't let anyone reach it, though.  I am going to try to get in from home this weekend.  I also came across the docs for the Pipeline so I will look through them this weekend if I can and try to find out how to turn off that port.  Thanks.
0
 
Expert Comment by SysExpert (LVL 63)
Sorry- You have to compile it yourself for win32 !!

see :

http://www.insecure.org/nmap/nmap_portability.html

I'll keep on looking !
0
 
Expert Comment by SysExpert (LVL 63)
Here we go,
http://www.gfi.com/languard/lantools-ps.htm
http://www.jpsoft.dk/uk/freeware.html  Local port scanner and other nice utilities

That should help you !
0
 
Expert Comment by andyalder (LVL 55)
Bear in mind that lots of these routers have IIS embedded within them for management, so the router can get infected with Code Red II and then infect the internal hosts without any forwarding setup to internal hosts.

www.nwfusion.com/news/2001/0808codereddsl.html
0
 
Expert Comment by andyalder (LVL 55)
If you telnet to it on port 80 and press return a couple of times you might get an error message telling you what OS/webserver combination is listening to that port, or http://www.netcraft.com/sslwhats/ can tell you if you enter <IP address>:80 .
0
 
Author Comment by slink9 (LVL 23)
No embedded IIS.  I have a good program for looking at the ports, but still haven't found a way to stop port 80 at the router.  I looked over the docs this weekend and didn't see any helpful suggestions.  The question still remains - how do I close port 80 at the router?  I want outgoing but no incoming.  Is other software required?  Does anyone out there have an "in" with Lucent who can find this out?
0
 
Author Comment by slink9 (LVL 23)
I finally found it.  It was a rather easy fix.
In the User's Guide there is a section called SETTING UP PIPELINE SECURITY.  Imagine that.
grc.com now reports all ports as stealth.  I changed

Ethernet > Answer Profile
Profile Reqd = Yes

Outgoing does not appear to be affected while there should be no incoming capabilities.  I still won't give the IP address because that is just a challenge to get around this security.  Thanks for the help.

I am going to request a points split between Sysexpert and geoffryn.
0
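The thread turns on three states an outside check can report for port 80: open (the router forwards to IIS), closed (the router answers but nothing listens) and what grc.com calls "stealth" (no answer at all, which is the state slink9 reached after setting Profile Reqd = Yes). It also uses andyalder's trick of talking HTTP to the port to learn which server answers. The script below, an added example that is not code from this thread or from Lucent, performs both checks from one place so an admin can verify a change like the one above against their own public address. It assumes nothing about the network: for the runnable demo it starts a throwaway local HTTP server on 127.0.0.1 with a constructed "Microsoft-IIS/4.0" banner and picks a second local port that is known to be closed.

```python
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

CONNECT_TIMEOUT = 3.0  # seconds; a silent (stealth) port costs this long per probe


def check_port(host, port, timeout=CONNECT_TIMEOUT):
    """Classify one TCP port the way an outside scanner (or grc.com) would.

    'open'        handshake completed: something is listening or being forwarded
    'closed'      the host answered with RST: reachable, but nothing on that port
    'filtered'    no answer before the timeout: what grc.com reports as 'stealth'
    'unreachable' the probe could not even be sent (no route, DNS failure, ...)
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "closed"
    except socket.timeout:
        return "filtered"
    except OSError:
        return "unreachable"


def parse_server_header(raw):
    """Return the Server: header value from an HTTP response head, falling back
    to the status line when the server does not identify itself."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "server":
            return value.strip()
    return lines[0] if lines and lines[0] else None


def http_banner(host, port, timeout=CONNECT_TIMEOUT):
    """Send a minimal HEAD request (the scripted form of 'telnet to port 80 and
    press return') and report which server answers. None if the port is not open."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(b"HEAD / HTTP/1.0\r\nHost: %s\r\n\r\n" % host.encode())
            data = b""
            while b"\r\n\r\n" not in data:
                chunk = s.recv(1024)
                if not chunk:
                    break
                data += chunk
    except OSError:
        return None
    return parse_server_header(data.decode("latin-1", "replace"))


class _DemoHandler(BaseHTTPRequestHandler):
    """Stand-in for the forwarded IIS box; the banner is constructed for the demo."""
    server_version = "Microsoft-IIS/4.0"
    sys_version = ""

    def do_HEAD(self):
        self.send_response(200)
        self.end_headers()

    def log_message(self, *args):
        pass  # keep the demo quiet


def start_demo_server():
    """Listen on an ephemeral loopback port; returns (server, port)."""
    srv = HTTPServer(("127.0.0.1", 0), _DemoHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


def free_closed_port():
    """Reserve then release a loopback port so a probe to it is refused (RST)."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def demo():
    """Run the three checks against constructed local targets and return the results."""
    srv, open_port = start_demo_server()
    closed_port = free_closed_port()
    results = {
        "open": check_port("127.0.0.1", open_port),
        "banner": http_banner("127.0.0.1", open_port),
        "closed": check_port("127.0.0.1", closed_port),
    }
    srv.shutdown()
    srv.server_close()
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

To use it for real, call check_port and http_banner with the router's public address from a host outside the network (as slink9 planned to do from home); a result of "filtered" on port 80 is the state the Answer Profile change produced, while "open" plus an IIS banner means the forward is still live.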
 
Expert Comment by modder (LVL 3)
Hi slink,

I've reduced the points to 50 but I think you know how it works so I won't post the whole manual here...... happy point-splitting.... :-)

modder
Community Support Admin
0
 
Author Comment by slink9 (LVL 23)
Look for points split entry, geoffryn
0
