Solved

Full config of a firewall - Win 2K home network

Posted on 2003-03-06
186 Views
Last Modified: 2013-11-16
I have downloaded the CHX firewall and packet filtering application from their site (http://www.idrci.net), as suggested by several experts in other threads.

Now that I have it, I just can't get it to do what I want.

Here's what I have:

 1 x Laptop (Win 2k Pro)
 2 x Desktop (Win 2k Pro)
 
 Speedtouch USB modem
 Lexmark Printer
 8 Port Switch

One of the desktops is set up to be a file/print share and gateway. The other is a SQL / MySQL database server.

Everything was working fine using Windows filesharing and internet connection sharing (Speedtouch USB ADSL via BT Openworld). Since I installed the firewall, I just can't get the browsers to work on the other PCs, no matter what I seem to edit in the filters list. I did once manage to get the PCs to be able to browse the network.

QUESTION:
How do I configure CHX to allow web and internal network traffic (auto IP addresses from internet connection sharing) from the two other computers, but stop pretty much everything else?

Once this part is up and running with no problems, I want to be able to turn on certain ports for other applications, such as MySQL, VNC, RealPlayer, IIS (possibly) etc.

I have uninstalled the firewall for now, so I don't mind using a different one, if the job can be done for the same price... i.e. nothing.

Obviously, I need to put some protection on to the gateway, so for a fast response I have stacked on some points.

I would like specific instructions on how to do this, as networking just ain't my thang.

Any help greatly appreciated.

PS. I have had to remove Linux from one of the PCs as I need a 3-PC Windows-based testing platform. The firewall was working fine with Red Hat, and I will eventually return to it, so please don't suggest Linux!!
Question by:SamEdney
10 Comments
 

Expert Comment

by:quarkx
ID: 8085506
Hi,

On the system running ICS, disable TCP/UDP stateful options on the Internal network interface(right click/properties/un-check the stateful boxes).

On the external interface, leave the stateful options active. You can now build your IP security policy as you need. Follow the instructions in the online manual for prohibitive rule sets.

If you are not at ease with networking and security in general, I'd suggest you try other applications (ZoneAlarm, Kerio, etc.).

HTH,

Q.

Author Comment

by:SamEdney
ID: 8087054
Thanks QuarkX.

What will I actually be disabling though?

I need this network to be secure, and opening any ports that are not absolutely necessary may be a problem. The data contained in the SQL database is quite sensitive.

The system running ICS is the external interface, isn't it?

If not, let me know what you mean please.

ZoneAlarm is fine, but the pop-up options are not the best way to make a network secure. It gets far too annoying checking what you have and haven't allowed.

It would be great to have an application that just had a few wizards.

1. Gateway machine for LAN
2. Webserver on the internet using XXX services
3. Internal LAN webserver
4. Workstation on Internal LAN
5. Workstation with direct (modem etc) connection

After this, if you could turn on additional ports such as RealAudio etc., it would be a cinch. Never mind. I guess complex jobs must be complex.

Accepted Solution

by: quarkx (earned 1800 total points)
ID: 8087755
Hi,

The system running ICS has two network interfaces; one exposed to the Net and the other to the internal network.

The stateful options in CHX can be enabled per interface; so what I meant was to disable TCP/UDP stateful options on the Internal Network card. (the UDP stateful option is what is blocking internal PCs )

Once this is done, you can build your security policy. For instance, on the external interface:
a) Allow In TCP to ports > 1023
b) Allow TCP Ports = 80,443,etc
c) Allow UDP from DNS port 53 to ports >1023
d) Deny TCP SYN to ports >1023

Remember that Allow is prohibitive meaning that once an Allow or combination of Allows are used, everything else gets dropped.

HTH,

Q.
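The rule set in the answer above, run as a stateless first-match filter over some constructed inbound packets. This is an added example, not CHX's rule engine: the four rules are the ones quoted in the answer, but the evaluation semantics are assumptions, noted again in the code: rules (b) to (d) are taken as inbound like (a), "TCP SYN" is taken to mean a bare SYN with the ACK flag clear, the first matching rule decides, and rule (d) is checked before rule (a) because a first-match filter would otherwise admit unsolicited SYNs to high ports such as MySQL's 3306. The last sample packet, an ACK-only probe to a high port, is something rule (a) alone cannot tell from genuine return traffic; that is the gap the per-interface stateful option on the external NIC is there to close.

```python
"""Stateless first-match packet filter modelling the four external-interface
rules from the accepted answer.  Added example, not CHX code: the rule text is
from the post; the evaluation semantics are assumptions stated below."""
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp" or "udp"
    src_port: int
    dst_port: int
    syn: bool = False   # TCP SYN flag (ignored for udp)
    ack: bool = False   # TCP ACK flag (ignored for udp)


Rule = tuple[str, str, Callable[[Packet], bool]]   # (id, action, matcher)


def is_new_tcp_connection(p: Packet) -> bool:
    # Assumption: the post's "TCP SYN" means a bare SYN (SYN set, ACK clear),
    # the first packet of a connection; a SYN/ACK reply does not count.
    return p.proto == "tcp" and p.syn and not p.ack


# Inbound rules on the external (Internet-facing) interface, in check order.
# Assumption: rules (b)-(d) are inbound like (a).  Rule (d) is listed last in
# the post but is placed first here: in a first-match filter it must be seen
# before the broad rule (a), or unsolicited SYNs to MySQL (3306) or VNC (5900)
# would be admitted.
EXTERNAL_INBOUND: list[Rule] = [
    ("d", "deny",  lambda p: p.dst_port > 1023 and is_new_tcp_connection(p)),
    ("a", "allow", lambda p: p.proto == "tcp" and p.dst_port > 1023),
    ("b", "allow", lambda p: p.proto == "tcp" and p.dst_port in (80, 443)),
    ("c", "allow", lambda p: p.proto == "udp" and p.src_port == 53
                             and p.dst_port > 1023),
]

# The same rules in the order the post lists them, to show why order matters.
POSTED_ORDER: list[Rule] = [EXTERNAL_INBOUND[i] for i in (1, 2, 3, 0)]


def evaluate(p: Packet, rules: list[Rule] = EXTERNAL_INBOUND
             ) -> tuple[str, Optional[str]]:
    """First matching rule decides; with any Allow present the policy is
    'prohibitive' (the post's term): unmatched traffic is denied."""
    for rule_id, action, match in rules:
        if match(p):
            return action, rule_id
    return "deny", None


# Constructed sample traffic as seen arriving on the external interface.
SAMPLES = {
    # SYN/ACK reply from a web server to the ephemeral port NAT chose
    "https reply":   Packet("tcp", 443, 40001, syn=True, ack=True),
    # DNS answer to an outstanding query
    "dns reply":     Packet("udp", 53, 40002),
    # unsolicited connection attempts from the Internet
    "probe mysql":   Packet("tcp", 51234, 3306, syn=True),
    "probe vnc":     Packet("tcp", 51235, 5900, syn=True),
    "probe netbios": Packet("tcp", 51236, 139, syn=True),
    "probe udp 137": Packet("udp", 137, 137),
    # a connection to the web port is admitted by rule (b)
    "http request":  Packet("tcp", 51237, 80, syn=True),
    # an ACK-only probe to a high port: no state, so rule (a) lets it in.
    # This is what the per-interface stateful option is for.
    "ack scan":      Packet("tcp", 51238, 40003, ack=True),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:14s} -> {evaluate(pkt)}")
    print("probe mysql, rules in posted order ->",
          evaluate(SAMPLES["probe mysql"], POSTED_ORDER))
```

Running the file prints a verdict per sample; evaluate() returns both the verdict and the rule that produced it, so the ordering point can be checked directly: with POSTED_ORDER the MySQL probe is admitted by rule (a) before rule (d) is ever reached.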

Expert Comment

by:quarkx
ID: 8087816
I forgot.....

Your weak point, and where you should concentrate the most, is the web/SQL server. This will most likely be the point of an eventual successful attack. Achieving solid IP security is quite trivial (using CHX or any other flexible packet filter), but protecting against payload attacks is not.

Ideally, the web server should reside in the DMZ, since you must start from the premise that it will be vulnerable sooner or later.

You should deploy a host-based web application firewall, either on the web server or at the gateway. These creatures are quite expensive though... You can start with Microsoft's free tool (I think it's called UrlScan), then look into real application firewalls for enhanced security.

HTH,

Q.

Author Comment

by:SamEdney
ID: 8088124
I will only need to access the MySQL server internally, over the LAN, as we are writing Windows applications to access it.

Due to security issues with Microsoft SQL Server and IIS, we won't be using either now anyway.

I will remove all the filters, and start from scratch again.

Thanks for this so far QuarkX. I will give this all a try when I get back home tonight, and get back to you asap with my results.

Author Comment

by:SamEdney
ID: 8088135
Also... what is DMZ?

Is there a good guide to the terminology used in firewalls anywhere I could read up on?

Thanks again.

Expert Comment

by:quarkx
ID: 8088219
DMZ is usually viewed as a physically and logically separate segment that serves as a hosting place for public services (web, mail, dns,etc).

In your case, if you add a third network card to your gateway box it would look like this:

Internet
|
|
WAN Nic
|
|
-----------DMZ Nic--------Web Server
|
|
LAN Nic

The idea is to protect the LAN from the DMZ servers, since we consider them hostile (in the event they get compromised).

As for a good guide to security terminology I'd recommend the extensive use of the Google encyclopedia. :-)

Q.
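The three-NIC layout drawn above, expressed as a zone policy with a connection table. This is an added illustration, not part of the reply and not CHX behaviour. The address ranges (the ICS default 192.168.0.0/24 for the LAN with the gateway at 192.168.0.1, and 192.168.1.0/24 assumed for the DMZ), the policy matrix and the simple flow tracking are all assumptions. It shows the two properties the diagram is meant to deliver: the Internet reaches only the published web ports on the DMZ segment, and a compromised DMZ host cannot open anything towards the LAN, while LAN-initiated traffic to the DMZ still gets its replies back because the gateway remembers the flow.

```python
"""Zone policy for the three-NIC gateway (WAN / DMZ / LAN) with a connection
table.  Added example of the layout described above, not CHX code; the
addresses, the policy matrix and the state handling are assumptions."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumed addressing: ICS gives the LAN 192.168.0.0/24 (gateway 192.168.0.1),
# the DMZ gets its own private range, anything else is the Internet.
LAN = ip_network("192.168.0.0/24")
DMZ = ip_network("192.168.1.0/24")


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int
    syn: bool = False   # bare SYN = attempt to open a new TCP connection


def zone(addr: str) -> str:
    a = ip_address(addr)
    return "LAN" if a in LAN else "DMZ" if a in DMZ else "WAN"


# New connections each zone pair may open.  "*" means any service; an empty
# set means the pair may initiate nothing.  Replies need no row: the
# connection table admits them.  The DMZ->LAN row is the point of the design:
# a compromised web server must not be able to reach the SQL box.
POLICY: dict[tuple[str, str], set] = {
    ("LAN", "WAN"): {"*"},
    ("LAN", "DMZ"): {"*"},
    ("WAN", "DMZ"): {("tcp", 80), ("tcp", 443)},
    ("WAN", "LAN"): set(),
    ("DMZ", "LAN"): set(),
    ("DMZ", "WAN"): set(),
}


class Gateway:
    def __init__(self) -> None:
        self.connections: set[tuple] = set()

    def filter(self, p: Packet) -> str:
        key = (p.src, p.sport, p.dst, p.dport, p.proto)
        reverse = (p.dst, p.dport, p.src, p.sport, p.proto)
        # Stateful part: anything belonging to an admitted flow passes both ways.
        if key in self.connections or reverse in self.connections:
            return "allow (established)"
        # A TCP segment without SYN that matches no flow is a stray or a probe.
        if p.proto == "tcp" and not p.syn:
            return "deny (no matching connection)"
        src_zone, dst_zone = zone(p.src), zone(p.dst)
        if src_zone == dst_zone:
            return "allow (same segment, not routed)"
        allowed = POLICY.get((src_zone, dst_zone), set())
        if "*" in allowed or (p.proto, p.dport) in allowed:
            self.connections.add(key)
            return f"allow ({src_zone}->{dst_zone} {p.proto}/{p.dport})"
        return f"deny ({src_zone}->{dst_zone} {p.proto}/{p.dport})"


def run_scenario() -> dict[str, str]:
    """Constructed traffic through one gateway instance, evaluated in order."""
    gw = Gateway()
    web, sql, share, client, attacker = (
        "192.168.1.10", "192.168.0.20", "192.168.0.1", "192.168.0.5", "203.0.113.7")
    return {
        # a LAN workstation opens the DMZ web site; the reply rides on state
        "lan->dmz http":     gw.filter(Packet(client, web, "tcp", 40001, 80, syn=True)),
        "dmz->lan reply":    gw.filter(Packet(web, client, "tcp", 80, 40001)),
        # the Internet reaches the published port and nothing else in the DMZ
        "wan->dmz http":     gw.filter(Packet(attacker, web, "tcp", 51000, 80, syn=True)),
        "wan->dmz rdp":      gw.filter(Packet(attacker, web, "tcp", 51001, 3389, syn=True)),
        # a compromised web server tries for the MySQL box on the LAN
        "dmz->lan mysql":    gw.filter(Packet(web, sql, "tcp", 45000, 3306, syn=True)),
        # the Internet cannot reach the LAN file share at all
        "wan->lan smb":      gw.filter(Packet(attacker, share, "tcp", 51002, 445, syn=True)),
        # an ACK-only probe matches no flow, so the state check drops it
        "wan->lan ack scan": gw.filter(Packet(attacker, share, "tcp", 51003, 40003)),
    }


if __name__ == "__main__":
    for name, verdict in run_scenario().items():
        print(f"{name:18s} {verdict}")
```

The same ACK-only probe that a stateless high-port rule would admit is dropped here because no flow was ever recorded for it; that difference is the practical meaning of the per-interface stateful option discussed earlier in the thread.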

Author Comment

by:SamEdney
ID: 8102035
Thanks QuarkX.

I can sleep easier knowing that my ports can not be probed.