Firewall/Configuration

We have an NT/SBS network using local IP addressing (10.0.0.?) and a Pipeline 75 ISDN router with built-in firewall giving us 24-hour internet access.
In spite of using NAT and having the firewall supposedly not allowing inbound WWW traffic, it appears we acquired CODE RED.  I d/l the patch and the symptoms of infection went away.
We don't have any need for anyone to come in to our system from outside (no OWA, no web hosting, etc).
Does anyone have experience in configuring the firewall on this router?  Can you make some suggestions for keeping people out while not hindering people from getting out?
slink9Asked:
 
SysExpertCommented:
http://www.cert.org/tech_tips/home_networks.html Firewall and security for home and offices
Test firewall ports and port blocking http://grc.com/

I hope this helps !
 
geoffrynCommented:
Have you done a scan of your network from the outside?  Is HTTP open?  Does the Proxy part of SBS actually have a real address on it or is the Ascend doing NAT?
 
SysExpertCommented:
Do you need to run IIS?  If not, turn it off, along with any other unused services.
First rule of Microsoft, disable ALL unused services !!
The default installs so much unused junk !!

I hope this helps !
 
slink9Author Commented:
The Pipeline is doing the NAT.  The local addresses are 10.0.0.? handled by SBS.
I have never done much on security (which could be why we ended up with this thing in the first place) since I thought there was no way in because of the config of the network.  I guess I know differently now.
Can you post some links that provide beginner guidance on scanning from the outside, what ports to check, etc?
 
slink9Author Commented:
We have an intranet which uses IIS.  I have SQL Server enabled and plan to eventually use it, but we have a dual P2/400 with 512 meg in it so performance is not an issue.  I will try that site and report back.
 
slink9Author Commented:
Okay.  Port 80 is open according to that web site.
I can't find out how to close it using either the SCM Connect Manager software or the Pipeline Console.  Who would happen to know how to close it on a Pipeline 50 or 75?
 
geoffrynCommented:
This tells you how to turn the port mapping on, you should be able to disable it the same way.

https://support.lucent.com/cgi-bin/gx.cgi/GUIDGX-{6949ce8f-d22f-11d2-a303-00c04f72f8ac}/Product/pipe75/General/Technical_Notes/plco0032.html
 
slink9Author Commented:
It didn't load.  Can you post a synopsis?
 
slink9Author Commented:
I found something about enabling port 80.  It didn't say anything about inbound versus outbound.  I am about ready to call in the pros on this one just to get it done.
 
geoffrynCommented:
Telnet or Console into the Ascend.  Then:

Configure Static Mappings for a Web Server

Go to the following menus and make the selections indicated below:
Main Edit Menu
Ethernet
NAT...
Static Mappings
Static Map 02
Valid = Yes
Dst Port # = 80  (enter the port number based on what traffic you want to allow through. Port 80 is World Wide Web access)
Protocol = TCP  (possibly UDP or TCP, depending on port #)
Loc Port # = 80  (same as the Dst port)
Loc Address = 192.168.100.102/24  (IP address of the web server on the private network)

You should be able to delete the static mapping for port 80 in the static mappings.

 
slink9Author Commented:
That is the same info I had found.  There is nothing there enabling it.  It's apparently enabled by default.  I thought I could leave it as NO and put in Port 80 to disable it.  That didn't go, either.  Next suggestion ...
 
slink9Author Commented:
What I had found was at http://www.stic.net/TECH/ISDN/lucentPipelineAdvancedNAT.html.  It is the same, right?
 
geoffrynCommented:
How could it forward to your web server without an entry?  How would it know which IP to forward to?  Any chance you could send me the ip at geoffryn@qwest.net?
 
slink9Author Commented:
I had rather not send the IP address.  We have had enough problems so far.  I have passed this on to one of our local computer techs.  Maybe he can figure out how to fix it.  The interesting thing is that TELNET, pop3 and some other functions have been turned off.  I wish I knew how they got turned off.  Maybe I could turn off incoming HTTP also.
 
geoffrynCommented:
By default if you are using NAT, there should be no services allowed inbound.  Someone had to configure this. Did you set up the Ascend?
 
slink9Author Commented:
My tech contact finally showed me the right setting.  It is one or two levels up above the settings I was already looking at.  That is a setting that I believe I made under the tutelage of one of the Ascend techs.  I will make the change tomorrow morning and see if it works.  If so, I will request a points split on this question.  That only leaves me with 25 points, but more will be coming soon.
 
slink9Author Commented:
Actually the tech showed me the same link.  He doesn't know how to fix this either.  I was thinking that I could use the redirect (which is not set up now) to send it to a non-existent port, but grc.com still says that I have port 80 open.  Any more ideas?
 
geoffrynCommented:
Is it redirecting to your IIS server?  Where is it going?
 
slink9Author Commented:
It is automatically redirecting to the IIS server when the ip address is entered in a web browser.  It was when I had nothing in the redirect section and the 10.0.0 address of the server in the Def Server spot.
I don't know if it is still doing that but the web site tells me that port 80 is open.  I can't visit that ip address because it is the source IP address.  I will try that from home if I can remember to.
 
geoffrynCommented:
A decent port scanner should be able to tell you if the port is open on IIS or Apache or some hardware based HTTP server.
 
slink9Author Commented:
Hardware or software?  If software can you give me a link?  I had found some shareware before I got called away to do something else.  I will take a look again and see what I can find.
 
geoffrynCommented:
Software is fine.  I like SuperScanner.  You can find it at www.foundstone.com
 
slink9Author Commented:
I saw FoundScan but that is a service that they offer for a fee.  I am trying to find something which is either freeware, shareware, or that I can purchase for a one-time fee.  I downloaded a program called Port Detective but it won't connect to their servers, therefore it won't run.  Any other suggestions?
 
SysExpertCommented:
Here's one that's free.


 SNORT:
 http://www.w2knews.com/rd/rd.cfm?id=052101TB-SNORT


I hope this helps !
 
SysExpertCommented:
Also

Linux Security software:  Nmap also has an NT version !!

 - nmap (www.insecure.org/nmap ) lets you scan for vulnerabilities on a network. Also get nmapfe (X front end for nmap)

I  hope this helps !
 
geoffrynCommented:
 
slink9Author Commented:
I was unable to find an NT version of NMap.  Do you have a direct link to it?
 
slink9Author Commented:
I like SuperScan also.  I scanned our local server IP address and it verified that port 80 is open.  It doesn't matter that it is open if our router won't let anyone reach it, though.  I am going to try to get in from home this weekend.  I also came across the docs for the Pipeline so I will look through them this weekend if I can and try to find out how to turn off that port.  Thanks.
 
SysExpertCommented:
Sorry- You have to compile it yourself for win32 !!

see :

http://www.insecure.org/nmap/nmap_portability.html

I'll keep on looking !
 
SysExpertCommented:
Here we go,
http://www.gfi.com/languard/lantools-ps.htm
http://www.jpsoft.dk/uk/freeware.html  Local port scanner and other nice utilities

That should help you !
 
andyalderCommented:
Bear in mind that lots of these routers have IIS imbedded within them for management so the router can get infected with Code Red II and then infect the internal hosts without any forwarding setup to internal hosts.

 www.nwfusion.com/news/2001/0808codereddsl.html
 
andyalderCommented:
If you telnet to it on port 80 and press return a couple of times you might get an error message telling you what OS/webserver combination is listening to that port, or http://www.netcraft.com/sslwhats/ can tell you if you enter <IP address>:80 .
 
slink9Author Commented:
No imbedded IIS.  I have a good program for looking at the ports, but still haven't found a way to stop port 80 at the router.  I looked over the docs this weekend and didn't see any helpful suggestions.  The question still remains - how do I close port 80 at the router?  I want outgoing but no incoming.  Is other software required?  Does anyone out there have an "in" with Lucent who can find this out?
 
slink9Author Commented:
I finally found it.  It was a rather easy fix.
In the User's Guide there is a section called SETTING UP PIPELINE SECURITY.  Imagine that.
grc.com now reports all ports as stealth.  I changed

Ethernet > Answer Profile
Profile Reqd = Yes

Outgoing does not appear to be affected while there should be no incoming capabilities.  I still won't give the IP address because that is just a challenge to get around this security.  Thanks for the help.

I am going to request a points split between Sysexpert and geoffryn.
0
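
A way to repeat the outside check this thread relies on (the open / closed / stealth result from grc.com, and andyalder's suggestion of seeing what answers on port 80), as an added example that is not part of any post here. The function names and the 127.0.0.1 sample target are assumptions; point it at your own router's public address from a host outside the LAN.

```python
import socket

def read_server_header(sock):
    """Send a minimal HEAD request and return the Server header value, if any."""
    sock.sendall(b"HEAD / HTTP/1.0\r\n\r\n")
    data = b""
    while b"\r\n\r\n" not in data and len(data) < 8192:
        chunk = sock.recv(1024)
        if not chunk:
            break
        data += chunk
    for line in data.split(b"\r\n")[1:]:       # skip the status line
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"server":
            return value.strip().decode("latin-1")
    return None

def probe_tcp(host, port=80, timeout=3.0):
    """Return (state, server): state is 'open', 'closed' or 'stealth'."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        try:
            sock.connect((host, port))
        except ConnectionRefusedError:
            return "closed", None   # a RST came back: reachable, nothing listening
        except socket.timeout:
            return "stealth", None  # no reply at all: the packet was silently dropped
        try:
            return "open", read_server_header(sock)
        except OSError:
            return "open", None     # connected, but no usable HTTP reply
    finally:
        sock.close()

if __name__ == "__main__":
    # Constructed sample target; replace with your own public address and
    # run from outside the LAN (the thread notes it cannot be tested from inside).
    TARGET = "127.0.0.1"
    state, server = probe_tcp(TARGET, 80)
    print(f"{TARGET}:80 is {state}; Server header: {server}")
```

An "open" result with an IIS Server header means the router is still passing inbound HTTP to the internal server; "stealth" matches what grc.com reported after the Answer Profile change.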
 
modderCommented:
Hi slink,

I've reduced the points to 50 but I think you know how it works so I won't post the whole manual here...... happy point-splitting.... :-)

modder
Community Support Admin
 
slink9Author Commented:
Look for points split entry, geoffryn
Question has a verified solution.
