Securing your network

Why should I do anything?

A small number of people take pleasure in breaching the security of networks. Some do this for fun, some for espionage (eg getting client lists), sabotage (deleting files) or advertising (eg spamming).

Hackers may get unauthorised access to your network. More importantly, they may be able to access other networks while appearing to be you. This could lead to you being blamed for the hacking. If this is serious, your ISP could close your account. One of the ways people can do this is using a proxy server such as WinGate.

How do I secure my network?

There are a number of methods of securing WinGate. These are simple to impliment and will take only a couple of minutes. There are two main ways to secure access.

Logically By setting up rules specifying who may or may not do certain things in WinGate. This method is more configurable.

Physically By binding a service to a specific interface, the service is simply not available from any other interface. E.g. by binding a service to your LAN adapter, you can easily prevent all access from the Internet. This method is faster and simpler.

You may also choose a mixture of these two methods, depending on your requirements for access. Here are some examples of some typical ways of securing your access.

Example

A small LAN using WinGate Lite or free version for net access, not running any servers that need to be accessed from the internet. This is by far the most common scenario.

Option 1

If all the services are using the default security arrangement as installed, then perform the following steps:

1. Open GateKeeper and log into WinGate as Administrator.

2. Double click on double click on "System Policies"

3. Select the right "Users can access services"

4. There will be one recipient there - "Everyone". Double click on this recipient.

5. Select the Location tab.

6. Select "Specify locations from where this recipient has rights"

7. Add the following IP addresses under Included locations: 127.0.0.1, and the first three number groups of your WinGate machine's network card followed by a .* - for example if your network card has IP address 192.168.0.1, then you would add 192.168.0.*. If you have more than one network card in the WinGate machine then add an entry for each card that requires access to WinGate.

8. Hit OK, and remember to save changes.

Now only your LAN users can access any service in WinGate. If some of your services are using their own rules rather than the global ones, you can perform this action for each recipient in those service-specific rules.

Option 2

The Lite version of WinGate cannot bind a service to more than one interface (WinGate 2.1 Pro can do it). In order to use option 2, binding services, then you need to create a separate service for each interface to which you need to bind. Minimum is 2 - the localhost interface, which is used for your second free user license, and the interface of your WinGate machine LAN card. For each LAN card in your machine, you need to create another service and bind it to that LAN card IP address.

To bind a service to an interface, do the following:

1. Open GateKeeper and log into WinGate as Administrator.

2. Double click on "Services" in the right hand pane.

3. Double click on the service you want to modify.

4. On the "Bindings" tab you see an option - "Specify interfaces connections will be accepted on" - enable this option

5. Ensure the Bound list contains only the interfaces you are binding to. Double click interfaces to move them between lists. Included interfaces should be your LAN card and 127.0.0.1 (localhost).

6. Click OK

Note - You cannot change the binding in the Remote Control Service in WinGate Lite.

What if I am running a server behind WinGate that requires public access?

We recommend that you do not run the Telnet proxy or SOCKS servers with public access. If you do, you will want to restrict what requests the server can perform. You could require users of these services to be authenticated if they connect from the Internet. This will prevent unauthorized use. Alternatively, you can specify where a user can connect to, or at what times.

For WWW, if say you are running a public WWW server behind WinGate, you can stipulate that Internet users can only connect to your public WWW server, and internal users can connect out.

General techniques and hints.

This first question is "Do I really need to allow access to this service from the Internet, and why?”. There are few situations where access from the Internet is required.

Situation	Recommendations / Suggestions
You may be running mail, WWW or other server on your LAN that requires access from the internet.	Have separate internal and external WWW proxies. Limit the external requests to the Non-proxy method. With mail servers, restrict the servers accessible with POP3, and limit the locations from where the SMTP server can be used.
You may require field staff to telnet into your Unix server from the field.	Require authentication with the Java client, or enter rules that only allow access from a known IP number, or limit the server that can be connected to.
You may have a requirement for some secure inter-office communication.	As above.

If none of these situations apply, you need to question why you would allow access from the internet to a service.

There are methods of specify different access rights depending on where a user accesses WinGate from. You can either create duplicate services bound to the different interfaces with different policies per service, or you can do it with a single service with location based policies.

E.g. POP3 service using service specific rules. Create two ‘everyone’ recipients - the first one is restricted by location, and must connect from your LAN. The second can connect from anywhere, but is restricted by request - say only allow connections to certain servers or ports.

Tips:

When securing your network, start with full restriction and add the required access. Don’t start with full access and add the required restrictions.

Full security can be as simple as always requiring Authentication. The logon client is served in a browser when required and it is simpler to require its use than to setup complex rules.

Most networks will only need to bind to localhost and the LAN card. This prevents all external access.

It is best to have a simple set of access regulations. Complex sets are harder to maintain or test.

A service may need special restrictions depending on the incoming interface. Adding a service for each interface (they can be on the same port) is often the simplest way to achieve this. You can then structure policies per interface, and have a descriptive name for the service. For instance: WWW (non-proxy) – external, WWW proxy – internal.

The most vulnerable services are SOCKS and Telnet. Ensure these are only available from your LAN.

It is very unlikely you will ever bind to a dialer profile.