A cheap trick to keep intruders off your systems

You can never be too careful about Internet security. The number of sophisticated hacking tools available on the Internet these days is amazing (and sometimes frightening). For the most part, using these tools doesn't require much expertise in protocols and operating systems (OSs). This situation contrasts with the hacking environment of the late 1970s and early 1980s, when hackers needed a deep understanding of an OS to compromise it. Then, hackers wrote their own tools. Today, a 12-year-old can find the source code or executables for NewTear (Bonk), Teardrop, GetAdmin, and other Windows NT-based hacking tools and use those tools to wreak havoc on NT servers.

Because of this reality, viewing the Internet with a bit of trepidation is healthy for businesses, especially businesses that are considering plugging their corporate network into it. When your company connects to the Internet, you must decide how to secure your network from intruders.

Most companies use a firewall, a device that sits between your internal network and the Internet and monitors communications between the two. A properly configured commercial firewall package is the best solution most organizations can choose to secure their network's Internet connection. When I consult with clients who want to connect their networks to the Internet, I always recommend a firewall first.

However, commercial firewalls cost more than some companies can justify spending. If you can't justify paying for a full-blown firewall, you can use Microsoft's Routing and Remote Access Service (RRAS, formerly Steelhead) to make your network more secure than it would be if it had no security mechanism in place. (For more information about RRAS, see "Related Articles in Windows NT Magazine.")

The Mantra of Internet Security
The most important principle to keep in mind when you consider Internet security is that you must minimize unsolicited inbound connections. Repeat "Minimize unsolicited inbound connections" to yourself daily; this phrase needs to be your mantra. You must allow some inbound connections, such as incoming email or the responses to your users' Web page requests. But you want to keep out every other connection.

If you use an NT server as an Internet router, you can use RRAS as a packet filter for your internal network to keep out unwanted connections. Packet filtering is a basic firewall capability that lets you control which packets pass through your network interfaces. Packet filtering limits access to your NICs to packets with certain characteristics. RRAS lets you configure filters to allow or deny packets entry to your network based on the packets' source IP address or network, target IP address or network, protocol, or source or destination port. You can combine these criteria to tightly control what type of traffic passes through your router. Keep in mind that RRAS filters are static: the router judges each packet on its own header fields alone and keeps no record of the connection the packet belongs to, which is the main difference between this kind of filter and the dynamic packet filtering a full firewall provides.

As an example, I'll build a set of rules that lets internal users browse external Web sites but prevents external users from browsing internal Web sites. To do this, I need to let users send Web page requests to external servers and let those servers' responses back into my network. For my example, I'll use a nonroutable 10.x.x.x network as my internal network, as Figure 1 depicts, and I'll assume that all other IP addresses are external. (The 10.x.x.x block is reserved for private networks and isn't routed across the public Internet, so treat the addresses in the example as placeholders and substitute your own routable addresses when you build the real filter.)
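To see how this rule set behaves before committing it to a router, here is an added example (not code from the article or from RRAS itself) that models the static, "drop everything except the rules below" filter the article describes and runs the two Web-browsing rules over a handful of constructed packets. A filter field left at None stands for a field left blank in the RRAS dialog, which matches any value; the hosts 10.1.2.3 and 198.51.100.10, the rule names, and the sample packets are assumptions made up for the demonstration. The last sample packet shows the limitation of a filter with no connection state: anything sent from source port 80 looks like a Web reply and is admitted, whatever internal port it is aimed at.

```python
"""Model of an RRAS-style static packet filter (added example, not RRAS code)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Assumption: the article's internal network is 10.0.0.0/8 (Figure 1). A real
# deployment would use a routable block here.
INTERNAL = "10.0.0.0/8"


@dataclass(frozen=True)
class Packet:
    src: str                       # source IP address
    dst: str                       # destination IP address
    proto: str                     # "tcp", "udp" or "icmp"
    sport: Optional[int] = None    # source port (None for ICMP)
    dport: Optional[int] = None    # destination port (None for ICMP)


@dataclass(frozen=True)
class Rule:
    """One filter line. None means 'any', as a blank field does in RRAS."""
    name: str
    src_net: Optional[str] = None
    dst_net: Optional[str] = None
    proto: Optional[str] = None
    sport: Optional[int] = None
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        if self.src_net and ip_address(p.src) not in ip_network(self.src_net):
            return False
        if self.dst_net and ip_address(p.dst) not in ip_network(self.dst_net):
            return False
        if self.proto and self.proto != p.proto:
            return False
        if self.sport is not None and self.sport != p.sport:
            return False
        if self.dport is not None and self.dport != p.dport:
            return False
        return True


def filter_packet(rules, p: Packet):
    """'Drop all except listed below' semantics: the first matching rule admits
    the packet, no match drops it. Each packet is judged on its own headers;
    the filter remembers nothing about earlier packets."""
    for r in rules:
        if r.matches(p):
            return True, r.name
    return False, "default-drop"


# The article's rule set: internal hosts may open TCP 80 anywhere, and traffic
# from TCP source port 80 may come back in. The request's source port is left
# blank because browsers pick an ephemeral port (1024-65535).
ARTICLE_RULES = [
    Rule("allow-outbound-http", src_net=INTERNAL, proto="tcp", dport=80),
    Rule("allow-http-replies", dst_net=INTERNAL, proto="tcp", sport=80),
]

# Constructed traffic: 198.51.100.10 is a documentation address standing in for
# an external host, 10.1.2.3 for an internal workstation.
EXTERNAL_HOST = "198.51.100.10"
INTERNAL_HOST = "10.1.2.3"

SAMPLE_TRAFFIC = {
    "browser request": Packet(INTERNAL_HOST, EXTERNAL_HOST, "tcp", 1035, 80),
    "server reply": Packet(EXTERNAL_HOST, INTERNAL_HOST, "tcp", 80, 1035),
    "outsider to internal web": Packet(EXTERNAL_HOST, INTERNAL_HOST, "tcp", 2049, 80),
    "outsider dns probe": Packet(EXTERNAL_HOST, INTERNAL_HOST, "udp", 53, 53),
    # An attacker who sets the *source* port to 80 looks like a Web reply to a
    # static filter and reaches any internal TCP service, here port 8080.
    "spoofed-source-port probe": Packet(EXTERNAL_HOST, INTERNAL_HOST, "tcp", 80, 8080),
}


def evaluate_all(rules=ARTICLE_RULES, traffic=SAMPLE_TRAFFIC):
    """Return {label: (allowed, matching rule name)} for every sample packet."""
    return {label: filter_packet(rules, p) for label, p in traffic.items()}


if __name__ == "__main__":
    for label, (allowed, rule) in evaluate_all().items():
        print(f"{'PASS' if allowed else 'DROP':4} {label:28} ({rule})")
```

The first four packets behave as the article intends: the request and its reply pass, and the outsider's attempts to reach the internal Web server and a UDP service are dropped. The fifth passes too, and restricting the reply rule to destination ports above 1023 would not help, since 8080 already qualifies. That gap is inherent in a filter that cannot tie a reply to the request that caused it; it is the reason the mantra is "minimize" rather than "eliminate", and the reason a stateful firewall is still the first recommendation.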

Installing RRAS
Before you install RRAS, you must set up an NT server as an Internet router. This process is complex. For a good walk-through of the process, see Mark Minasi, "Steelhead Swims into the Mainstream," August 1997. The only difference between the router setup in my example and the router setup in the Minasi article is the computers' Internet connection. The Minasi article discusses setting up an NT machine to route Internet traffic via a dial-up modem. The router in my example is a PC with two NICs. One NIC connects to the internal network, and the other connects directly to an Internet Web server.

After you set up an NT server to route your Internet traffic, you're ready to install RRAS on your system. If you don't already have Service Pack 3 (SP3) installed, install it. Then, download the RRAS installation executable MPRI386 (for Intel CPUs) or MPRALPHA (for Alphas) from http://www.microsoft.com/communications. Run the installation routine, and when RRAS Setup prompts you to select components to install, select the LAN routing option, as Screen 1 shows.

After you install RRAS, launch the Routing and RAS Admin program from the Start menu. Select Programs, Administrative Tools, then Start Router. Starting Routing and RAS Admin enables RRAS functionality on your system. To configure RRAS to start automatically in the future, select Control Panel, Services; double-click the Routing and Remote Access service; and select the Automatic option button.


Reader Comments

Thanks for printing Douglas Toombs’ “Poor Man’s Firewall” (December 1998). However, I’m a bit confused: I thought that a packet from a host holding a 10.x.x.x address couldn’t be routed across the Internet. I can understand how to use Routing and Remote Access Service (RRAS) to filter outbound requests in the way the author describes, but I don’t understand how the packets find their way back to the firewall host if the return address is in the form 10.x.x.x. Unless RRAS uses some form of Network Address Translator (NAT), surely the process won’t work. If the example used a subnet of the 172.16.0.10 address range for the internal network, I could see it working.
--Clive Foster

You noticed something several people pointed out to me that I should have emphasized in the article. The 10.x.x.x network is nonroutable as far as the public Internet is concerned. The same Request for Comments (RFC) that mentions that fact also defines the 172.16.x.x range as a nonroutable block. My article presents a template to build a basic packet filter between two nonroutable networks: all you need to do is plug in your valid, routable addresses in the appropriate locations, and you will be all set.
--Douglas Toombs


Microsoft takes network security seriously, and for this reason we discourage the use of routing filters as the sole means of addressing network security. Although Windows NT RRAS filters provide a modicum of protection, they are not a substitute for a true firewall. Routing packet filters are intended to prevent packet forwarding to undesirable locations. This function is different from the function dynamic packet filters provide in true firewalls. Microsoft Proxy Server is a pragmatic and economical means to enhance network security, optimize network performance, and increase management control of Internet access. Proxy Server is the only Microsoft product you should use to ensure firewall-level security. To learn more about Proxy Server’s firewall capabilities and to get a trial copy, visit http://microsoft.com/proxy.
--The Windows NT Communications Team


I read the sidebar “Common-Sense Security Suggestions” in “Poor Man’s Firewall.” The author mentions a recent compromise to Microsoft FrontPage. I’ve searched the FrontPage Web site and Microsoft’s security bulletins but can find nothing. I’m concerned because I’m bringing an IIS 4.0 Web site online and plan to use FrontPage 98 to let departments edit and maintain the Web site. Do you have any information about this compromise that you can pass along?
--Stan George

The mainstream media and the security alerts from Microsoft have not addressed FrontPage extension exploits. However, the news that FrontPage server extensions running on an NT or UNIX server can leave open a number of vulnerabilities seems to be common knowledge among hackers. For example, I recently downloaded a scanning tool that specifically scans blocks of IP addresses for FrontPage server extensions (among other things). Depending on your security configuration, a significant problem is the readability of .pwd files on your FrontPage-enabled servers. If you’re familiar with FrontPage, you’re probably aware that these files store passwords for specific user accounts with assigned permissions on a FrontPage Web server. Apparently, if your security isn’t configured properly, anyone can read these files and decrypt them with the appropriate tools. I recommend you search old Usenet posts via Deja News for more information.
--Douglas Toombs


In “Common-Sense Security Suggestions” in “Poor Man’s Firewall,” the author mentions a recent compromise of the WinGate proxy server. However, the author doesn’t describe what that compromise is. Can you help me?
--Chris Falsone

For further information about WinGate vulnerabilities, check the CERT Web site at http://www.cert.org/vul_notes/VN-98.03.WinGate.html.
--Douglas Toombs


“Poor Man’s Firewall” includes a table of popular destination ports. Where can I get some information about what source ports I should use for Post Office Protocol 3 (POP3), Simple Mail Transfer Protocol (SMTP), Network News Transfer Protocol (NNTP), File Transfer Protocol (FTP), Internet Control Message Protocol (ICMP) ping requests, and so forth? The table’s footnote says that the source ports range between 1024 and 65,535. How do I configure source ports? For example, do I need to configure a specific port number for incoming SMTP mail, or can the source port be anything between 1024 and 65,535?
--Richard La Bella

For a comprehensive list of well-known ports, try RFC 1700 at ftp://ftp.isi.edu/in-notes/rfc1700.txt. For protocols that can have a source port anywhere from 1024 to 65,535, all you need to do is leave the source port information blank when defining a filter. In effect, this setting will ignore that criterion when applying the filter, allowing any value through. More robust firewall solutions such as Raptor (http://www.raptor.com) will let you specifically define a range of possible source ports.
--Douglas Toombs


I read Douglas Toombs' "Poor Man's Firewall" (December 1998). The article references Mark Minasi's "Steelhead Swims into the Mainstream" (August 1997), which states, "Each machine must have a separate and distinct, honest-to-goodness Internet address. Don't make up addresses, and don't use the non-routable addresses." However, "Poor Man's Firewall" references 10.x.x.x addresses.

I'm trying to set up RRAS for Web and email access on my network. I have a Windows NT server running DHCP with a scope of 192.168.1.x. The server has two NICs in it, one for my LAN and one plugged into my Digital Subscriber Line (DSL) router via a crossover cable. I can surf the Web from my NT server, but I can't get my LAN machines to go outside. I can ping the second NIC from my workstation, but I can't ping the router. Is my configuration doomed because I'm using 192.168.1.x addresses?

--Dudley Wells

Unfortunately, the configuration you've described won't work. Here's why: When your workstation tries to access a Web site (e.g., http://www.microsoft.com), it presents itself and says, "Hello, my address is 192.168.1.x, and I'd like you to give me a copy of your home page." Then, the Web server sends a copy of the home page to the address you've specified.

The problem results because the 192.168.x.x range is considered "nonroutable"; that is, no Internet routers will pass any traffic to those addresses whatsoever. So, even if the server running http://www.microsoft.com tries to send you its home page, the information won't get out onto the public Internet.

For this configuration, you need Microsoft Proxy Server. It will work well for your configuration, and (unlike other Microsoft products) it's not priced per user.

--Douglas Toombs


 
 
