Solved

Full config of a firewall - Win 2K home network

Posted on 2003-03-06
Last Modified: 2013-11-16
I have downloaded the CHX firewall and packet filtering application from their site (http://www.idrci.net), as suggested by several experts in other threads.

Now I have it, I just can't get it to do what I want.

Here's what I have:

 1 x Laptop (Win 2k Pro)
 2 x Desktop (Win 2k Pro)
 
 Speedtouch USB modem
 Lexmark Printer
 8 Port Switch

One of the desktops is set up to be a file/print share and gateway. The other is a SQL / MySQL database server.

Everything was working fine using Windows filesharing and internet connection sharing (Speedtouch USB ADSL via BT Openworld). Since I installed the firewall, I just can't get the browsers to work on other PCs, no matter what I seem to edit in the filters list. I did once manage to get the PCs to be able to browse the network.

QUESTION:
How do I configure CHX to allow web and internal network traffic (auto IP addresses from internet connection sharing) from the two other computers, but stop pretty much everything else?

Once this part is up and running with no problems, I want to be able to turn on certain ports for other applications, such as MySQL, VNC, RealPlayer, IIS (possibly) etc.

I have uninstalled the firewall for now, so don't mind using a different one, if the job can be done for the same price... ie. nothing.

Obviously, I need to put some protection on to the gateway, so for a fast response I have stacked on some points.

I would like specific instructions on how to do this, as networking, just ain't my thang.

Any help greatly appreciated.

PS. I have had to remove Linux from one of the PCs in requirement of a 3 PC Windows based testing platform. The firewall was working fine with Redhat, and I will eventually return to it, so please don't suggest Linux!!
Question by:SamEdney
10 Comments
 
LVL 1

Expert Comment

by:quarkx
ID: 8085506
Hi,

On the system running ICS, disable TCP/UDP stateful options on the Internal network interface(right click/properties/un-check the stateful boxes).

On the external interface, leave the stateful options active. You can now build your IP security policy as you need. Follow the instructions in the online manual for prohibitive rule sets.

If you are not at ease with networking and security in general - I'd suggest you try other applications(zone alarm, kerio, etc).

HTH,

Q.
0
 
LVL 1

Author Comment

by:SamEdney
ID: 8087054
Thanks QuarkX.

What will I actually be disabling though?

I need this network to be secure, and opening any ports that are not absolutely necessary may be a problem. The data contained on the SQL database is quite sensitive.

The system running ICS is the external interface, isn't it?

If not, let me know what you mean please.

ZoneAlarm is fine, but the pop up options are not the best way to make a network secure. It gets far too annoying checking what you have and haven't allowed.

It would be great to have an application that just had a few wizards.

1. Gateway machine for LAN
2. Webserver on the internet using XXX services
3. Internal LAN webserver
4. Workstation on Internal LAN
5. Workstation with direct (modem etc) connection

After this, if you could turn on additional ports such as RealAudio etc, it would be a cinch. Never mind. I guess complex jobs must be complex.
0
 
LVL 1

Accepted Solution

by:
quarkx earned 1800 total points
ID: 8087755
Hi,

The system running ICS has two network interfaces; one exposed to the Net and the other to the internal network.

The stateful options in CHX can be enabled per interface; so what I meant was to disable TCP/UDP stateful options on the Internal Network card (the UDP stateful option is what is blocking internal PCs).

Once this is done, you can build your security policy. For instance on the external interface:
a) Allow In TCP to ports > 1023
b) Allow TCP Ports = 80,443,etc
c) Allow UDP from DNS port 53 to ports >1023
d) Deny TCP SYN to ports >1023

Remember that Allow is prohibitive meaning that once an Allow or combination of Allows are used, everything else gets dropped.

HTH,

Q.
0
 
LVL 1

Expert Comment

by:quarkx
ID: 8087816
I forgot.....

Your weak point - and where you should concentrate the most - is the web /sql server. This will most likely be the point of an eventual successful attack. Achieving a solid IP security is quite trivial (using CHX or any other flexible packet filter), but protecting from payload attacks is not.

Ideally, the web server should reside on the DMZ, since you must depart from the premises that it will be vulnerable sooner or later.

You should deploy either a host based web application firewall on the web server or at the gateway. These creatures are quite expensive though... You can start with Microsoft's free tool (I think it's called UrlScan) then look into real application firewalls for enhanced security.

HTH,

Q.
0
 
LVL 1

Author Comment

by:SamEdney
ID: 8088124
I will only need to access the MySQL server internally, over the LAN, as we are writing Windows applications to access it.

Due to security issues with Microsoft SQL server and IIS, we won't be using either now anyway.

I will remove all the filters, and start from scratch again.

Thanks for this so far QuarkX. I will give this all a try when I get back home tonight, and get back to you asap with my results.
0
 
LVL 1

Author Comment

by:SamEdney
ID: 8088135
Also... what is DMZ?

Is there a good guide to the terminology used in firewalls anywhere I could read up on?

Thanks again.
0
 
LVL 1

Expert Comment

by:quarkx
ID: 8088219
DMZ is usually viewed as a physically and logically separate segment that serves as a hosting place for public services (web, mail, dns, etc).

In your case, if you add a third network card to your gateway box it would look like this:

Internet
|
|
WAN Nic
|
|
-----------DMZ Nic--------Web Server
|
|
LAN Nic

The idea is to protect the LAN from the DMZ servers, since we consider them hostile (in the event they get compromised).

As for a good guide to security terminology I'd recommend the extensive use of the Google encyclopedia. :-)

Q.
0
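To make the two pieces of advice above concrete, the following is an added example, not CHX code or anything quarkx posted: a small Python packet-filter model that encodes the four external-interface rules a) to d) from the accepted solution, plus the three-NIC layout from the DMZ reply (DMZ hosts may answer LAN browsers but never open connections into the LAN). The evaluation order is an assumption, chosen so that rule d) has an effect: deny rules are checked first, then allow rules, and anything unmatched is dropped, which is the "Allow is prohibitive" behaviour quarkx describes. Interface names (wan, lan, dmz), the zone field and the sample packets are all constructed for the example. Because the model is purely header-based, rule a) admits any non-SYN TCP segment to a high port and rule c) trusts a source port of 53, which is exactly why the stateful options on the external interface stay switched on in the real setup.

```python
"""Toy packet-filter policy evaluator (added example, not CHX code).

Assumed evaluation order: deny rules first, then allow rules, default deny.
Interface names, zones and sample packets are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Container, Dict, Optional

HIGH_PORTS = range(1024, 65536)  # the "> 1023" ports quarkx refers to


@dataclass(frozen=True)
class Packet:
    iface: str              # interface the packet arrives on: "wan", "lan" or "dmz"
    proto: str              # "tcp" or "udp"
    src_port: int
    dst_port: int
    syn: bool = False       # TCP SYN without ACK, i.e. a new connection attempt
    to_zone: str = "host"   # where it is heading: "host" (the gateway), "lan" or "dmz"


@dataclass(frozen=True)
class Rule:
    action: str                             # "allow" or "deny"
    iface: str
    proto: Optional[str] = None             # None means any protocol
    src_ports: Optional[Container[int]] = None
    dst_ports: Optional[Container[int]] = None
    syn: Optional[bool] = None              # None means SYN flag not inspected
    to_zone: Optional[str] = None
    why: str = ""

    def matches(self, p: Packet) -> bool:
        return (
            self.iface == p.iface
            and (self.proto is None or self.proto == p.proto)
            and (self.src_ports is None or p.src_port in self.src_ports)
            and (self.dst_ports is None or p.dst_port in self.dst_ports)
            and (self.syn is None or self.syn == p.syn)
            and (self.to_zone is None or self.to_zone == p.to_zone)
        )


POLICY = [
    # External (WAN) interface: rules a) to d) from the accepted solution.
    Rule("deny", "wan", "tcp", dst_ports=HIGH_PORTS, syn=True,
         why="d) no new inbound connections to ports > 1023"),
    Rule("allow", "wan", "tcp", dst_ports=HIGH_PORTS,
         why="a) replies to connections the LAN opened outbound"),
    Rule("allow", "wan", "tcp", dst_ports=frozenset({80, 443}),
         why="b) public web service"),
    Rule("allow", "wan", "udp", src_ports=frozenset({53}), dst_ports=HIGH_PORTS,
         why="c) DNS answers"),
    # Third NIC (DMZ): protect the LAN from a compromised DMZ host.
    Rule("deny", "dmz", syn=True, to_zone="lan",
         why="DMZ may never open connections into the LAN"),
    Rule("allow", "dmz", "tcp", src_ports=frozenset({80}), dst_ports=HIGH_PORTS,
         to_zone="lan", why="web replies to LAN browsers"),
    Rule("allow", "lan", "tcp", dst_ports=frozenset({80}), to_zone="dmz",
         why="LAN users may browse the DMZ web server"),
]


def evaluate(p: Packet) -> str:
    """Return 'allow' or 'deny': deny rules win, then allows, then default deny."""
    for action in ("deny", "allow"):
        for rule in POLICY:
            if rule.action == action and rule.matches(p):
                return action
    return "deny"


# Constructed sample traffic, one packet per situation worth checking.
SAMPLE: Dict[str, Packet] = {
    "wan_syn_to_1025":   Packet("wan", "tcp", 44000, 1025, syn=True),   # port probe
    "wan_reply_to_1025": Packet("wan", "tcp", 80, 1025),                # answer to our browsing
    "wan_syn_to_443":    Packet("wan", "tcp", 44001, 443, syn=True),    # visitor to web server
    "wan_syn_to_3306":   Packet("wan", "tcp", 44002, 3306, syn=True),   # MySQL from the Internet
    "wan_dns_answer":    Packet("wan", "udp", 53, 1030),
    "wan_udp_to_500":    Packet("wan", "udp", 53, 500),                 # source 53 but low dst port
    "wan_udp_other":     Packet("wan", "udp", 1234, 1030),
    "dmz_syn_to_lan_db": Packet("dmz", "tcp", 40000, 3306, syn=True, to_zone="lan"),
    "dmz_web_reply":     Packet("dmz", "tcp", 80, 1040, to_zone="lan"),
    "lan_to_dmz_web":    Packet("lan", "tcp", 1050, 80, syn=True, to_zone="dmz"),
}


def verdicts() -> Dict[str, str]:
    """Evaluate every sample packet against POLICY."""
    return {name: evaluate(p) for name, p in SAMPLE.items()}


if __name__ == "__main__":
    for name, verdict in verdicts().items():
        print(f"{name:20s} -> {verdict}")
```

Running the block prints one verdict per sample packet; the MySQL probe from the Internet and the DMZ-to-LAN connection attempt are both dropped by default, while the LAN's own browsing and DNS replies get through.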
 
LVL 1

Author Comment

by:SamEdney
ID: 8102035
Thanks QuarkX.

I can sleep easier knowing that my ports can not be probed.
0
