Summary: NATS, proxy servers, firewalls

Post by David Rothma » Fri, 08 Oct 1999 04:00:00



I've posted some specific SOHO network and cable modem sharing
questions during the past 10 days.  I received many informative
responses and culled (with a little editing to make things flow better)
the most helpful and relevant (to me) parts into a reasonably cohesive
help file.  I thought others might find it useful, so here is a first
draft.  My thanks to all the people who answered my queries, and in
particular to George Marengo, John Navas, Eric Gisin, and Jeffrey
Rogers.

Please send any corrections, additions or flames my way.  There are no
guarantees everything in here is 100% accurate.

My original problem was how to SECURELY network 3 PCs (with full
print/file sharing between the machines) running Win98 SE and share a
cable modem (using 2 NICs in my gateway machine and 1 IP address from
my ISP).

The discussion that followed was a primer in NATS, Proxy Servers &
firewalls.

NAT or a proxy server allows you to share an IP address between
multiple machines.  This does not necessarily imply any security.  If
your gateway device is using NAT or a proxy, it does not imply that
the gateway is any more secure than it would be if those services were
not running. It does usually mean that the network behind it is harder
to get to or attack, but even that is not always true.

As I said above, NAT and proxy do not necessarily do anything for your
security.  The two real competing firewall technologies are packet
filtering and proxies.

NATS:

In general, NATs are easier to set up and use than Proxy Servers
because you simply install them on the computer that is directly
connected to the cable modem.  Proxy Servers generally require
settings for each client computer.

All the PC NAT products do address/port mapping, and keep state
information that prevents incoming connections. This provides the same
protection as stateful packet filtering.

A NAT product should replace the TCP/IP stack on the PPP/NIC adapter
with its own IP stack. That would protect the gateway machine.
Product documentation should indicate this; however, many products dumb
it down for newbies.

NAT makes the machines _behind_ the server machine more secure
essentially because you use IP addresses that are reserved for use on
internal networks.

PROXY SERVERS:

Proxy Servers are used where you want tighter control of what the
client machines are allowed to do, or when you have many client
machines. The proxy lightens the load on the cable modem, assuming
that the clients tend to want to see the same content. With a NAT,
every request requires a retrieval through the cable modem.

FIREWALLS:

When building a firewall gateway, you are often looking to address two
problems.  (1) mapping your network into a limited number of public
addresses; and (2) providing security.

NAT addresses the first problem, and is generally used when you are
using a packet filtering firewall to provide the security.  Combined,
they solve both of the problems.

Proxy Servers can be used to solve both of the problems by themselves.

Most commercial gateway firewall products these days are a combination
of all of these. Proxy Servers can be highly secure, and let you look
into the application data of the packets, so you can do things like
rewrite mail headers, block URLs, etc.  However, they can be somewhat
limiting because writing an intelligent, secure proxy for every
protocol/application is more than anyone can handle.  Most firewalls
then use either packet filtering and NAT or packet filtering and a
generic proxy to cover the areas where they do not have a good proxy
written. Packet filtering/NAT also tends to have less overhead than
Proxy Servers.

SOME SPECIFIC PRODUCTS:

SyGate is a NAT; WinProxy is a proxy server.  SyShield, Conseal and AtGuard
are all personal firewalls.

ICS is a NAT program. It used to be called NAT 1000 and the company
was purchased by Microsoft.

SyShield, Conseal, and AtGuard are all PC firewall products.  They are
designed to increase the security of one host by adding a packet
filter.  But, since these are designed as PC or host firewalls, they
do not address problem number 1, how to share an IP address.

WinProxy is a proxy, but not a firewall.  It can relay connections,
but it does nothing to improve the security of the box it is installed
on. It solves problem number 1, but not problem number 2.

SyGate/SyShield looks like the only product mentioned that is actually
designed to do what you want: solve problems 1 and 2.  Any number of
commercial firewall products do this (Checkpoint FW-1, Axent Raptor,
NA Gauntlet, etc.), but they are really designed to protect larger
networks, and are priced accordingly.  SyGate was designed to work in
conjunction with SyShield.  SyGate does the NAT and protects *clients*
on the internal network, but SyShield is the required component for
protecting the actual dual-homed server.

You might be able to use some combination of the PC firewall products
and WinProxy to accomplish the same thing.  Basically, use the PC
firewall to protect the box you have the proxy on, and use the proxy
to give your LAN access to the Internet.

But, basically, the two machines that are just on your inside network
should be safe to have file and print sharing on as long as your
gateway is secure.  Having file and print sharing turned on on the
gateway is probably a risk, but probably an acceptable one, provided
you have some sort of packet filter protecting it from connections
from machines other than the two on the inside network.

CONCLUSION:

There is no issue that I'm aware of, from a security perspective,
where you'd preferentially choose a NAT instead of a proxy or
vice-versa. A proxy allows you, the administrator, more control over
what is or isn't allowed onto your client computers, while a NAT
typically offers easier set up.

To some extent, NATs and proxy servers act as firewalls, but that is
only true for the machines behind the NAT or proxy server. It does not
in any way protect the machine running the NAT/proxy.

With that said, there _are_ products which combine the functions of a
NAT or proxy (or both!) and a firewall. SyGate, for instance, offers
some sort of firewall protection for the computer running SyGate.

A HOME GROWN SOLUTION:

Install and bind NetBEUI for File and Printer Sharing on both
computers.

In Windows 9x Control Panel -> Network:

1.  Make sure that both TCP/IP and NetBEUI are installed.  (There is
usually no need for IPX/SPX.  Unless you are running Novell you can
usually remove it.)

2.  If you want local networking, make sure that both Client for
Microsoft Networks, as well as File and Printer Sharing for Microsoft
Networks are installed.

3.  Double click on "TCP/IP -> [your network adapter]" and then
Bindings. Make sure that both Client for Microsoft Networks, and File
and Printer Sharing for Microsoft Networks, are UNchecked.  (Click No
if you get a dialog box warning you about no bindings.)

4.  Double click on "NetBEUI -> [your network adapter]" and then
Bindings. Make sure that both Client for Microsoft Networks, and File
and Printer Sharing for Microsoft Networks, are Checked.

This will ensure that your computer uses TCP/IP only for access to the
Internet, and that all local networking will use only NetBEUI.  Since
NetBEUI is not a routable protocol, none of your local traffic will go
out over the Internet, and nobody on the Internet will be able to
access your local network services.

For the typical casual user of the Internet, this is probably
sufficient. More serious users should consider a firewall.  This is
because there are other ways that you can be attacked; e.g., a trojan
that gets installed like a virus; denial of service attack; IP
spoofing; etc.

--
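As an added illustration of the post's central distinction, that a NAT's state table shields the machines behind it while the gateway's own IP stack stays exposed unless a packet filter sits in front of it, here is a small Python model written for this summary; it is not code from SyGate, SyShield or any other product named, and the addresses, ports and interface names are constructed.

```python
"""Toy model of a dual-homed NAT gateway, with and without a host packet
filter. Constructed example for this thread; not code from any product.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

PUBLIC_IP = "203.0.113.7"        # assumed ISP-assigned address (documentation range)
LAN_PREFIX = "192.168.1."        # assumed private LAN behind the gateway
GATEWAY_LAN_IP = "192.168.1.1"   # assumed inside address of the dual-homed gateway


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


# (lan_ip, lan_port, remote_ip, remote_port, proto)
FlowRow = Tuple[str, int, str, int, str]


@dataclass
class NatGateway:
    host_filter: bool = False    # True models a SyShield-style filter on the gateway itself
    next_port: int = 40000       # first public port handed out for outbound flows
    table: Dict[int, FlowRow] = field(default_factory=dict)   # public_port -> flow
    log: List[str] = field(default_factory=list)

    def outbound(self, pkt: Packet) -> Packet:
        """LAN -> Internet: allocate (or reuse) a public port and record the flow."""
        flow: FlowRow = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port, pkt.proto)
        for pub_port, row in self.table.items():
            if row == flow:
                break
        else:
            pub_port = self.next_port
            self.next_port += 1
            self.table[pub_port] = flow
        self.log.append(f"SNAT {pkt.src_ip}:{pkt.src_port} -> {PUBLIC_IP}:{pub_port}")
        return Packet(PUBLIC_IP, pub_port, pkt.dst_ip, pkt.dst_port, pkt.proto)

    def inbound(self, pkt: Packet, iface: str) -> str:
        """Packet arriving on the gateway's 'wan' or 'lan' interface.

        Returns 'lan:<ip>:<port>' (translated and forwarded to a LAN host),
        'gateway' (handed to the gateway's own IP stack) or 'drop'.
        """
        if iface == "wan":
            row = self.table.get(pkt.dst_port)
            # Only a reply from the very endpoint the LAN host contacted is translated.
            if row and row[2:] == (pkt.src_ip, pkt.src_port, pkt.proto):
                self.log.append(f"DNAT {PUBLIC_IP}:{pkt.dst_port} -> {row[0]}:{row[1]}")
                return f"lan:{row[0]}:{row[1]}"
        # No matching state: a plain NAT has nothing to translate, so the packet
        # reaches the gateway's own stack. This is the exposure the summary warns about.
        if not self.host_filter:
            self.log.append(f"DELIVER {pkt.src_ip}:{pkt.src_port} -> gateway:{pkt.dst_port}")
            return "gateway"
        # Host filter: accept traffic to the gateway only from the inside interface
        # and only from LAN addresses (a LAN source seen on the WAN side is spoofed).
        if iface == "lan" and pkt.src_ip.startswith(LAN_PREFIX):
            self.log.append(f"ACCEPT lan {pkt.src_ip}:{pkt.src_port} -> gateway:{pkt.dst_port}")
            return "gateway"
        self.log.append(f"DROP {iface} {pkt.src_ip}:{pkt.src_port} -> gateway:{pkt.dst_port}")
        return "drop"


def demo() -> Dict[str, str]:
    """Run the same five arrivals through a bare NAT and a NAT plus host filter."""
    results: Dict[str, str] = {}
    for filtered in (False, True):
        gw = NatGateway(host_filter=filtered)
        tag = "filtered" if filtered else "bare"
        # A LAN client opens a web connection; the reply must come back through the NAT.
        out = gw.outbound(Packet("192.168.1.10", 1025, "198.51.100.20", 80))
        results[f"{tag} reply"] = gw.inbound(
            Packet("198.51.100.20", 80, PUBLIC_IP, out.src_port), "wan")
        # Unsolicited connection from the Internet to the gateway's file sharing port.
        results[f"{tag} wan->139"] = gw.inbound(
            Packet("198.51.100.99", 6000, PUBLIC_IP, 139), "wan")
        # Unsolicited packet from a third party aimed at the mapped port.
        results[f"{tag} stray->mapped"] = gw.inbound(
            Packet("198.51.100.99", 80, PUBLIC_IP, out.src_port), "wan")
        # A LAN machine using the gateway's shares from the inside interface.
        results[f"{tag} lan->139"] = gw.inbound(
            Packet("192.168.1.11", 1030, GATEWAY_LAN_IP, 139), "lan")
        # A packet on the WAN side claiming a LAN source address (spoofed).
        results[f"{tag} spoofed->139"] = gw.inbound(
            Packet("192.168.1.11", 1031, PUBLIC_IP, 139), "wan")
    return results


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:24} {verdict}")
```

In both runs only the matched reply crosses into the LAN; every other arrival lands on the gateway's own stack with the bare NAT and is dropped once the host filter is present, except the LAN machine reaching the gateway's shares from the inside.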

Summary: NATS, proxy servers, firewalls

Post by Sean Shann » Sat, 09 Oct 1999 04:00:00


You have mentioned 'WinProxy' multiple times in your article, but have
not specified which WinProxy.

I cannot speak for WinProxy by Lan-Projekt, but I can speak for
WinProxy by Ositis Software.

WinProxy by Ositis Software is indeed a proxy as well as a firewall.

WinProxy v3.0 by Ositis Software is a classic proxy, transparent
proxy, or a NAT, as well as a firewall.

Sean Shannon
Ositis Software
Support Engineer
www.WinProxy.com

On Thu, 07 Oct 1999 11:45:07 GMT, "David Rothman"


Summary: NATS, proxy servers, firewalls

Post by George Maren » Sat, 09 Oct 1999 04:00:00




>You have mentioned 'WinProxy' multiple times in your article, but have
>not specified which WinProxy,

>I cannot speak for WinProxy by Lan-Projekt, but I can speak for
>WinProxy by Ositis Software.  

>WinProxy by Ositis Software is indead a proxy as well as a firewall.  

>WinProxy v3.0 by Ositis Software is a classic proxy, transparent
>proxy, or a NAT, as well as a firewall.

>Sean Shannon
>Ositis Software
>Support Engineer
>www.WinProxy.com

Well Sean, maybe I just missed seeing it on your employer's website,
or maybe I just don't understand how proxies work...

I understand that a proxy will protect computers that are located
on the LAN *behind* the proxy server, if for no other reason than that
you use reserved private IPs for your internal LAN. However,
does WinProxy act as a firewall to protect the computer that it's
running on?

IOW, can you set up rules to allow or disallow inbound/outbound
connections based on IP and packet type, including connections
directly to the WinProxy server computer? Does it include
logging functionality?

It seems to me that the ability to allow or disallow connections on
any selected port is the bare minimum needed to call something
a firewall.

Summary: NATS, proxy servers, firewalls

Post by Sean Shann » Sat, 09 Oct 1999 04:00:00


First of all, I would like to apologize for accidentally posting my
message twice.

WinProxy v2.1 did not fully protect the computer that WinProxy was
installed on due to the fact that it solely resided in the Application
layer.

With WinProxy v3.0, it resides just above the Physical layer, thus, it
is now capable of blocking ports that get opened by the Operating
System itself.

Firewall

WinProxy offers a built-in firewall that protects all of the computers
on the local network. The firewall ensures users don't have unwanted
intruders invading their system or bombarding them with multiple
requests that result in "denial of service" attacks. To accommodate a
wide variety of user requirements, WinProxy offers five levels of
built-in security that can be customized to the users' needs. It also
includes preconfigured firewall settings for accommodating applications
such as NetMeeting, MSN and AOL that are troublesome for other proxies
or NATs.

    High: Provides the highest available security. Maximum security
    from hacker attacks. Outgoing connections are limited to enabled
    WinProxy protocols. All UDP ports are closed. Applications using
    UDP must go through the proxy.

    Medium-High: Provides a high level of security, including maximum
    security against hacker attacks. Outgoing TCP/IP connections are
    permitted, except for file sharing. All UDP ports are closed.
    Applications using UDP must go through the proxy.

    Medium (DEFAULT): Medium security is recommended for most users.
    In addition to protecting against most hacker attacks, the medium
    setting allows outgoing TCP/IP connections, except file sharing.
    Incoming and outgoing UDP ports, except file sharing, are open.

    Medium-Low: This security level is the best choice for use with
    games. It protects against most hacker attacks, but allows outgoing
    TCP/IP connections, except file sharing. Incoming and outgoing UDP
    ports, except file sharing, are open.

    Low: This setting is not generally recommended, but is available
    for use with games where the medium-low setting does not work.
    Everything is permitted through the firewall, with limited
    protection against hacker attacks.

    WinProxy has been configured to accommodate the special needs of
    online *. Games that WinProxy currently supports are shown at the
    bottom of the Firewall settings screen. Advanced users have the
    option of customizing the firewall to accommodate specific
    applications.

Yes, there is a built-in logging feature that will allow you to view
the live logging locally or remotely (within the LAN), or you can opt
to log directly to a file.






Summary: NATS, proxy servers, firewalls

Post by Mike Rembis » Sat, 09 Oct 1999 04:00:00


A very interesting and informative post.  We need more of this type of post
in the newsgroup.  I have a question though;  I tried following the
'quickie' setup at the end of the post.  I use SyGate + SyShield.  I found
that I could no longer communicate from the second computer to the Internet
when I followed step 3 and removed the Client for Microsoft Networks.  My
main computer with SyGate could communicate with the Internet and both
computers could communicate with each other on the LAN using NetBEUI but the
computer on the LAN could not communicate with the computer that runs
SyGate.  As soon as I rebound both TCP>{network cards}  to Client for
Microsoft Networks, it began working again.  Does SyGate need to use this
binding or did I screw up somewhere?  Or did I completely misunderstand?
Thank you for any advice...

--
Regards
Mike Rembisz

WebTek                         Direct:     336-727-1958
1800 Silas Creek Pky.          Corporate:  336-727-1997
Winston Salem, NC              Fax:        336-727-1998
www.sci-tek.com                Email:      m...@sci-tek.com
Visit the Emerald Mall         www.emeraldmall.com

David Rothman <droth...@optonline.net> wrote in message

news:7J%K3.7807$GV2.12195928@news.optonline.net...
|
|
| I've posted some specific SOHO network and cable modem sharing
| questions during the past 10 days.  I received many informative
| responses and culled (with a little editing to make things flow better)
| the most helpful and relevant (to me) parts into a reasonably cohesive
| help file.  I thought others might find it useful, so here is a first
| draft.  My thanks to all the people who answered my queries, and in
| particular to George Marengo, John Navas, Eric Gisin, and Jeffrey
| Rogers.
|
| Please send any corrections, additions or flames my way.  There are no
| guarantees everything in here is 100% accurate.
|
|
| My original problem was how to SECURELY network 3 pc's (with full
| print/file sharing between the machines) running Win98 se and share a
| cable modem (using 2 nics in my gateway machine and 1 ip address from
| my isp).
|
| The discussion that followed was a primer in NATS, Proxy Servers &
| firewalls.
|
| >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
|
|
| NAT or a proxy server allows you to share an IP address among
| multiple machines.  This does not necessarily imply any security.  If
| your gateway device is using NAT or a proxy, it does not imply that
| the gateway is any more secure than it would be if those services were
| not running. It does usually mean that the network behind it is harder to
| get to or attack, but even that is not always true.
|
| As I said above, NAT and proxies do not necessarily do anything for your
| security.  The two real competing firewall technologies are packet
| filtering and proxies.
|
|
| NATS:
|
| In general, NATs are easier to set up and use than proxy servers
| because you simply install the NAT on the computer that is directly
| connected to the cable modem.  Proxy servers generally require
| settings on each client computer.
|
| All the PC NAT products do address/port mapping, and keep state
| information that prevents incoming connections. This provides the same
| protection as stateful packet filtering.
|
| A NAT product should replace the TCP/IP stack on the PPP/NIC adapter
| with its own IP stack. That would protect the gateway machine.
| Product documentation should indicate this; however, many products dumb
| it down for newbies.
|
| NAT makes the machines _behind_ the server machine more secure
| essentially because you use IP addresses that are reserved for use on
| internal networks.
|
|
| PROXY SERVERS:
|
| Proxy Servers are used where you want tighter control of what the
| client machines are allowed to do, or when you have many client
| machines. The proxy lightens the load on the cable modem, assuming
| that the clients tend to want to see the same content. With a NAT,
| every request requires a retrieval through the cable modem.
|
|
| FIREWALLS:
|
| When building a firewall gateway, you are often looking to address two
| problems.  (1) mapping your network into a limited number of public
| addresses; and (2) providing security.
|
| NAT addresses the first problem, and is generally used when you are
| using a packet filtering firewall to provide the security.  Combined,
| they solve both of the problems.
|
| Proxy Servers can be used to solve both of the problems by themselves.
|
| Most commercial gateway firewall products these days are a combination
| of all of these. Proxy servers can be highly secure, and let you look
| into the application data of the packets, so you can do things like
| rewrite mail headers, block URLs, etc.  However, they can be somewhat
| limiting, because writing an intelligent, secure proxy for every
| protocol/application is more than anyone can handle.  Most firewalls
| then use either packet filtering and NAT, or packet filtering and a
| generic proxy, to cover the areas where they do not have a good proxy
| written. Packet filtering/NAT also tends to have less overhead than
| proxy servers.
|
|
| SOME SPECIFIC PRODUCTS:
|
| Sygate is a NAT, Winproxy is a proxy server.  Syshield, Conseal and AtGuard
| are all personal firewalls.
|
| ICS is a NAT program. It used to be called NAT 1000 and the company
| was purchased by Microsoft.
|
| SyShield, Conseal, and AtGuard are all PC firewall products.  They are
| designed to increase the security of one host by adding a packet
| filter.  But, since these are designed as PC or host firewalls, they
| do not address problem number 1, how to share an IP address.
|
| WinProxy is a proxy, but not a firewall.  It can relay connections,
| but it does nothing to improve the security of the box it is installed
| on. It solves problem number 1, but not problem number 2.
|
| SyGate/Syshield looks like the only product mentioned that is actually
| designed to do what you want. Solve problem 1 and 2.  Any number of
| commercial firewall products do this, Checkpoint FW-1, Axent Raptor,
| NA Gauntlet, etc., but they are really designed to protect larger
| networks, and are priced accordingly.  SyGate was designed to work in
| conjunction with SyShield.  SyGate does the NAT and protects *clients*
| on the internal network, but SyShield is the required component for
| protecting the actual dual-homed server.
|
| You might be able to use some combination of the PC firewall products
| and WinProxy to accomplish the same thing.  Basically, use the PC
| firewall to protect the box you have the proxy on, and use the proxy
| to give your LAN access to the Internet.
|
| But, basically, the two machines that are just on your inside network
| should be safe to have file and print sharing on as long as your
| gateway is secure.  Having file and print sharing turned on on the
| gateway is probably a risk, but probably an acceptable one, provided
| you have some sort of packet filter protecting it from connections
| from machines other than the two on the inside network.
|
|
| CONCLUSION:
|
| There is no issue that I'm aware of, from a security perspective,
| where you'd preferentially choose a NAT instead of a proxy or
| vice-versa. A proxy allows you, the administrator, more control over
| what is or isn't allowed onto your client computers, while a NAT
| typically offers easier set up.
|
| To some extent, NATs and proxy servers act as firewalls, but that is
| only true for the machines behind the NAT or proxy server. It does not
| in any way protect the machine running the NAT/proxy.
|
| With that said, there _are_ products which combine the functions of a
| NAT or proxy (or both!) and a firewall. Sygate, for instance, offers
| some sort of firewall protection for the computer running Sygate.
|
|
| A HOME GROWN SOLUTION:
|
| Install and bind NetBEUI for File and Printer Sharing on both
| computers.
|
| In Windows 9x Control Panel -> Network:
|
| 1.  Make sure that both TCP/IP and NetBEUI are installed.  (There is
| usually no need for IPX/SPX.  Unless you are running Novell you can
| usually remove it.)
|
| 2.  If you want local networking, make sure that both Client for
| Microsoft Networks, as well as File and Printer Sharing for Microsoft
| Networks are installed.
|
| 3.  Double click on "TCP/IP -> [your network adapter]" and then
| Bindings. Make sure that both Client for Microsoft Networks, and File
| and Printer Sharing for Microsoft Networks, are UNchecked.  (Click No
| if you get a dialog box warning you about no bindings.)
|
| 4.  Double click on "NetBEUI -> [your network adapter]" and then
| Bindings. Make sure that both Client for Microsoft Networks, and File
| and Printer Sharing for Microsoft Networks, are Checked.
|
| This will ensure that your computer uses TCP/IP only for access to the
| Internet, and that all local networking will use only NetBEUI.  Since
| NetBEUI is not a routable protocol, none of your local traffic will go
| out over the Internet, and nobody on the Internet will be able to
| access your local network services.
|
| For the typical casual user of the Internet, this is probably
| sufficient. More serious users should consider a firewall.  This is
| because there are other ways that you can be attacked; e.g., a trojan
| that gets installed like a virus; denial of service attack; IP
| spoofing; etc.
|

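The summary quoted above makes two claims that are worth seeing side by side: a PC NAT keeps a state table that lets only replies to LAN-initiated connections back in (the same protection as stateful packet filtering), and that this does nothing for the gateway machine itself, which is why the "home grown solution" unbinds File and Printer Sharing from TCP/IP and why SyShield is needed to protect the dual-homed box. The following is an added example written for this thread; it is not code from the original post or from SyGate, WinProxy or ICS. It models a single-public-address NAT with a connection table and the gateway's own TCP/IP stack; the addresses, ports and the `gateway_services`/`host_filter` knobs are constructed for the demonstration (RFC 5737 documentation ranges, RFC 1918 for the LAN).

```python
"""Toy NAT gateway with a state table, plus a model of the gateway's own
stack so the 'NAT does not protect the gateway' caveat is visible.
Added example; not code from the post or from any product it names."""
from dataclasses import dataclass
from itertools import count
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class NatGateway:
    def __init__(self, public_ip: str, lan_prefix: str = "192.168.1.",
                 gateway_services: Optional[Dict[int, str]] = None,
                 host_filter: bool = False) -> None:
        self.public_ip = public_ip
        self.lan_prefix = lan_prefix
        # Ports the gateway's own TCP/IP stack listens on, e.g. 139 when
        # File and Printer Sharing is still bound to TCP/IP on the gateway.
        self.gateway_services = dict(gateway_services or {})
        # A host packet filter on the gateway (SyShield's role): refuse
        # anything that is not part of a tracked flow.
        self.host_filter = host_filter
        # (private ip, private port, remote ip, remote port) -> public port
        self._out: Dict[Tuple[str, int, str, int], int] = {}
        # (public port, remote ip, remote port) -> (private ip, private port)
        self._in: Dict[Tuple[int, str, int], Tuple[str, int]] = {}
        self._next_port = count(40000)

    def outbound(self, pkt: Packet) -> Packet:
        """LAN -> Internet: rewrite the private source to the public address
        and record the flow so that only its replies can come back."""
        if not pkt.src.startswith(self.lan_prefix):
            raise ValueError("outbound packets must come from the LAN")
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        pub_port = self._out.get(key)
        if pub_port is None:
            pub_port = next(self._next_port)
            self._out[key] = pub_port
            self._in[(pub_port, pkt.dst, pkt.dport)] = (pkt.src, pkt.sport)
        return Packet(self.public_ip, pub_port, pkt.dst, pkt.dport)

    def inbound(self, pkt: Packet) -> Tuple[str, Optional[Packet]]:
        """Internet -> gateway: a verdict and, for tracked replies, the
        de-translated packet that is forwarded to the LAN host."""
        if pkt.dst != self.public_ip:
            # RFC 1918 addresses are not routed on the Internet, so a packet
            # aimed straight at 192.168.x.x never reaches the gateway at all.
            return ("DROP unroutable", None)
        flow = self._in.get((pkt.dport, pkt.src, pkt.sport))
        if flow is not None:
            priv_ip, priv_port = flow
            return ("FORWARD", Packet(pkt.src, pkt.sport, priv_ip, priv_port))
        # Not a reply to anything the LAN started. The LAN is safe, but the
        # packet is still delivered to the gateway's own stack.
        if self.host_filter:
            return ("DROP host-filter", None)
        if pkt.dport in self.gateway_services:
            return ("GATEWAY ACCEPT " + self.gateway_services[pkt.dport], None)
        return ("GATEWAY RST", None)


def demo() -> Dict[str, str]:
    """Run the thread's scenarios on constructed traffic; return verdicts."""
    client, web, attacker, public = ("192.168.1.10", "198.51.100.20",
                                     "198.51.100.99", "203.0.113.5")
    exposed = NatGateway(public, gateway_services={139: "netbios-ssn"})
    results: Dict[str, str] = {}
    # 1. A LAN client fetches a web page; its source becomes the public IP.
    out = exposed.outbound(Packet(client, 1025, web, 80))
    results["outbound"] = f"{out.src}:{out.sport}->{out.dst}:{out.dport}"
    # 2. The server's reply matches the state table and is forwarded.
    verdict, fwd = exposed.inbound(Packet(web, 80, public, out.sport))
    results["reply"] = f"{verdict} {fwd.dst}:{fwd.dport}"
    # 3. Same public port from a different host: state includes the peer,
    #    so guessing the port number does not get an attacker into the LAN.
    results["forged_reply"] = exposed.inbound(Packet(attacker, 80, public, out.sport))[0]
    # 4. A packet addressed to the private address never arrives.
    results["direct_to_lan"] = exposed.inbound(Packet(attacker, 4444, client, 139))[0]
    # 5. The caveat: NetBIOS still bound to TCP/IP on the gateway means the
    #    gateway itself answers on 139 even though the LAN is hidden.
    results["gateway_139_bound"] = exposed.inbound(Packet(attacker, 4445, public, 139))[0]
    # 6. The summary's fix: unbind File and Printer Sharing from TCP/IP
    #    (NetBEUI only on the LAN), so nothing listens on 139 over IP.
    unbound = NatGateway(public, gateway_services={})
    results["gateway_139_unbound"] = unbound.inbound(Packet(attacker, 4445, public, 139))[0]
    # 7. The other fix: a host packet filter on the gateway (SyShield).
    filtered = NatGateway(public, gateway_services={139: "netbios-ssn"}, host_filter=True)
    results["gateway_139_filtered"] = filtered.inbound(Packet(attacker, 4445, public, 139))[0]
    return results


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:22} {verdict}")
```

Scenarios 5 to 7 are the point of the thread: the same probe against port 139 is answered, refused, or silently dropped depending only on what the gateway machine itself is doing, and the NAT table plays no part in any of them. Scenario 3 shows why the state entry must include the remote address and port, not just the public port number.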
Summary: NATS, proxy servers, firewalls

Post by George Maren » Sun, 10 Oct 1999 04:00:00




> First of all, I would like to apologize for accidentally posting my
> message twice.

> WinProxy v2.1 did not fully protect the computer that WinProxy was
> installed on due to the fact that it solely resided in the Application
> layer.

>With WinProxy v3.0, it resides just above the Physical layer, thus, it
>is now capable of blocking ports that get opened by the Operating
>System itself.

>Firewall
>WinProxy offers a built-in firewall that protects all of the
>computers on the local network.

Sean, thank you for clarifying the new abilities in WinProxy v3.0.
I suggest that you bring it to the attention of whomever is handling
the web site because it's not at all clear that it really does
firewalling duties other than what any other proxy can handle.

Summary: NATS, proxy servers, firewalls

Post by RobertGraham.co » Sun, 10 Oct 1999 04:00:00


That's a pretty good write up. Some additions:

I've heard a lot of nice stuff about a package
called "winroute", which is a pretty good NAT. You
might want to list that.

Also, BlackICE Defender (from Network ICE, see .sig
below) fits under your firewall category, but really
belongs in a new category "intrusion detection
system". It analyzes the traffic, even that allowed
through the firewall, proxied, or translated. Much
like how anti-virus scans the hard disk, Defender
scans the network traffic. You might want to check
the list of 300 intrusions it detects at
http://www.networkice.com/advice/intrusions

--

Robert Graham

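The distinction drawn above, a firewall decides per packet while an intrusion detection system looks for patterns across traffic including the packets the firewall or NAT already let through, is easy to show with a small detector. The following is an added example for this thread; it is not code from Network ICE or BlackICE Defender, and the window, threshold and sample capture are my own constructions (RFC 5737 addresses). It flags a port sweep against the gateway's public address regardless of each packet's filter verdict.

```python
"""Traffic-inspection detector: one source touching many distinct ports
inside a time window. Added example; not code from any product named in
the thread. Thresholds and sample traffic are constructed."""
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Deque, Dict, List, Set, Tuple


@dataclass(frozen=True)
class Record:
    ts: float       # seconds since start of capture
    src: str        # remote source address
    dport: int      # port probed on the gateway's public address
    allowed: bool   # the packet filter's verdict: True means it got through


class PortSweepDetector:
    """Alerts when one source touches `threshold` distinct ports within
    `window` seconds, whatever the filter decided about each packet."""

    def __init__(self, window: float = 10.0, threshold: int = 5) -> None:
        self.window = window
        self.threshold = threshold
        self._recent: Dict[str, Deque[Tuple[float, int]]] = defaultdict(deque)
        self._alerted: Set[str] = set()
        self.alerts: List[str] = []

    def feed(self, rec: Record) -> None:
        q = self._recent[rec.src]
        q.append((rec.ts, rec.dport))
        # Slide the window: forget probes older than `window` seconds.
        while q and rec.ts - q[0][0] > self.window:
            q.popleft()
        ports = {p for _, p in q}
        if len(ports) >= self.threshold and rec.src not in self._alerted:
            self._alerted.add(rec.src)
            self.alerts.append(
                f"port sweep from {rec.src}: {sorted(ports)} within {self.window:.0f}s")


def sample_capture() -> List[Record]:
    """Constructed traffic; the addresses are documentation ranges."""
    scanner, slow, web = "198.51.100.99", "198.51.100.77", "198.51.100.20"
    recs: List[Record] = []
    # A fast sweep. The filter drops most of it but lets 80 through, so the
    # filter's own drop log shows only part of the picture.
    for i, port in enumerate([21, 23, 25, 80, 139, 443]):
        recs.append(Record(ts=float(i), src=scanner, dport=port, allowed=(port == 80)))
    # Replies from a web server, all on one tracked port: never a sweep.
    for i in range(8):
        recs.append(Record(ts=float(i), src=web, dport=40000, allowed=True))
    # A slow sweep, one port per minute, stays under the window. This is
    # the detector's blind spot, not evidence that the traffic is benign.
    for i, port in enumerate([21, 23, 25, 80, 139, 443]):
        recs.append(Record(ts=60.0 * i, src=slow, dport=port, allowed=False))
    return sorted(recs, key=lambda r: r.ts)


def run(recs: List[Record]) -> List[str]:
    det = PortSweepDetector()
    for rec in recs:
        det.feed(rec)
    return det.alerts


if __name__ == "__main__":
    for alert in run(sample_capture()):
        print(alert)
```

The detector fires on the fast sweep after its fifth distinct port and stays silent on the slow one, which is the usual trade-off between window size and false positives; a real product carries many such checks, each with its own signature or threshold.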

Summary: NATS, proxy servers, firewalls

Post by Keith Ledbette » Mon, 11 Oct 1999 04:00:00


Mike,

  isn't SyShield a "subset" of SyGate?  I thought that if you're running
SyGate in its "extended protection" mode, you've already got all of the
benefits of running SyShield.

Keith



> I use SyGate + SyShield.


firewalls, proxy servers & NATS

Over the past few weeks, I've posted a few questions re: wanting to network 3
PCs (with full print/file sharing) and share a cable modem (using 2 NICs
and 1 IP address from my ISP) and the security issues involved.

I'm still not clear on some things and have some questions:

I understand a hardware solution (a router) is more secure than a software
solution:

1. Why is this so, or is the evidence solely anecdotal?

2. What software is typically needed to run in conjunction with a router
(say the umax ugate)?  In terms of security, do you still need to wrestle
with the NAT/proxy server decision, or does the router physically take care
of all that?

If you choose to go the software route:

1. Sygate, Conseal, AtGuard, Winproxy, etc. ... I assume these are all either
NATs or proxy servers.  Given I am looking for security from the shared CM,
but sharing ability on the local net, is there an advantage (ease of use,
robustness, comprehensiveness, ???) of a NAT vs a proxy server for use as a
firewall?  When would someone choose one over the other (assuming one
doesn't need a proxy server just for speed in reloading pages)?

2. How does or doesn't ICS tie in with all this?   Can I assume that the
programs listed above handle the CM sharing and print/file sharing and I
won't have to deal with ICS?

3. Has anyone been corrupted/violated when using only software protection,
and what did you learn from the episode?

thanks in advance for any help, dave
