Re: Suggest firewall for Win98se+ICS(dialup)+NAV

From: Biff (baabvyourheadoutayourass@hotmail.com)
Date: 08/18/02




 Joseph V. Morris responds
>
> Let me confirm that I understand what you're talking about here. As I
> understand it, you're planning on using an old Win98SE box as an ICS
> gateway for a peer-to-peer LAN with two workstations behind it? You don't
> identify the two workstations' OS(s), I note. You are then proposing to
> use some sort of software firewall, e.g., SPF, as a network gateway
> installed on the old Win 98 SE box. Alternatively, perhaps BID. Whatever
> software firewall you select should be capable of at least using an
> authorized username and password (STRONG password) in order to ensure that
> some random individual doesn't simply go over to the gateway box and
> either disable the firewall or otherwise change its settings. There are
> to be NO internet-enabled applications (and preferably no other
> applications of any kind) on the gateway machine. There should be NO web
> server, mail server, news server, or FTP server running on the Win 98 SE
> box -- not now, not ever. If this is correct, then, yes, you've basically
> not only just established a crude hardware NAT router, but (perhaps more
> to the point) a hardware firewall appliance.

You've basically described my setup with a few minor differences. I downloaded
the free version of 98lite and have taken 98se down to the lowest level that
98lite will allow, i.e. no IE and no OE, messenger or any other app on a clean
install that would use the internet. File and print sharing is (of course)
disabled. I run two firewalls ZA+ and AtGuard, both password protected. ZA+
handles inbound from the internet and outbound from the gateway box. I use
AtGuard to handle all inbound from the LAN because it is a rules-based FW
and I can control what gets out from the LAN. The only two apps that have
internet access are my AV and AT, and I'm not sure if I even need those.

I have four other machines behind the gateway, two 98se boxes, one WinXP Pro
and one W2k. The W2k serves as a file and print server and is the only machine
that has file and print sharing enabled. Once again on that box I have two
firewalls installed for the same reasons mentioned above. I have configured ZAP
so that it cannot receive inbound from the gateway box and I have also set the
gateway box to not take inbound from the file and print server. I also have
internet access turned off in ZAP on that box as well and of course there is
STRONG password protection set for the machines that access it and in the
firewalls also. That machine and the XP box are logged on as user and not
admin. Once again the only two apps allowed out are my AV and AT progs and
whenever I have to update them I have to change ZAP and AtGuard in both that
box and the gateway to allow internet access. When I'm done I have to change it
all back.

On the remaining machines I use ZAP and since I'm on dialup I have a prog
called Remote Disconnection Utility so I can turn off the internet when I'm done
with it. To access the gateway and the file and print server I have a four way
KVM switch hooked up with the machine I use. I've been doing it this way for
about a year now with no problems. Do you see any security problems or mistakes
with that? I've always been curious to know what someone else might think.

Thanks

Biff


