Re: Suggest firewall for Win98se+ICS(dialup)+NAV
From: Joseph V. Morris (jvmorris@erols.com) Date: 08/17/02
From: "Joseph V. Morris" <jvmorris@erols.com> Date: Sat, 17 Aug 2002 10:16:53 -0400
Diane,
"Diane" <diane.acap@mindspring.com> wrote in message
news:ajjq0o$odv$1@slb2.atl.mindspring.net...
. . . .
| 3) Attempting to determine what's practical for this type/size of setup.
| Many conflicting reviews, particularly about BID. . . .
A lot of people are writing outdated responses based on Steve Gibson's
animosity to earlier versions of BID (like, for example, the one _you_ are
currently using ;) ). BID 3.5 (or is it now called BIP?) from ISS is a
rather different beastie.
| . . . . Maybe I'm wrong, but I
| view my dedicated Win98se+ICS box as roughly in the same category as a
| hardware NAT router. . . .
Let me confirm that I understand what you're talking about here. As I
understand it, you're planning on using an old Win98SE box as an ICS
gateway for a peer-to-peer LAN with two workstations behind it? You don't
identify the two workstations' OS(s), I note. You are then proposing to
use some sort of software firewall, e.g., SPF, as a network gateway
installed on the old Win 98 SE box. Alternatively, perhaps BID. Whatever
software firewall you select should be capable of at least using an
authorized username and password (STRONG password) in order to ensure that
some random individual doesn't simply go over to the gateway box and
either disable the firewall or otherwise change its settings. There are
to be NO internet-enabled applications (and preferably no other
applications of any kind) on the gateway machine. There should be NO web
server, mail server, news server, or FTP server running on the Win 98 SE
box -- not now, not ever. If this is correct, then, yes, you've basically
not only just established a crude hardware NAT router, but (perhaps more
to the point) a hardware firewall appliance.
Furthermore, I assume you are using a simple hub to create the network.
As I assume you already know, you need to have the ICS _client_ software
installed and running on the two workstations.
If this is anywhere near correct, you have two things to consider -- ICS
and the peer-to-peer LAN itself. I think I've covered the ICS component
above. That leaves the LAN functionality to consider. First, you
obviously want to disable file and printer sharing (on the Win 98 SE
gateway box) through the Internet NIC/modem. That's a no-brainer.
However, I would also suggest that you _completely_ disable file and
printer sharing on the Win 98 SE gateway box; if it doesn't run any apps
whatsoever, then there's absolutely no reason why it should need to
'share' files or printers with the two workstations. However, you _may_
wish to maintain the capability to share files and printers between the
two 'client' workstations. If so, I would be extremely careful in how you
set up that sharing. Use strong password authentication and _only_ allow
the minimal privileges necessary. Depending on the workstations' OS(s), I
would further limit this 'sharing' to specific usernames and _only_ (the
other) workstation.
And, as mentioned in my earlier response, I would strongly recommend the
presence of some software firewall on the two client workstations. The
software firewall on the gateway machine provides no outbound application
control for anything originating from the two workstations. The biggest
threat you confront is some clueless user of one of the two workstations
installing (via floppy or download from the Internet) some truly dangerous
application. Then, the gateway firewall becomes largely meaningless. So,
on the client workstations, install some sort of PSF with
application-level control (at a minimum). Again, you want the capability
to LOCK down the firewalls on the two workstations to prevent some
clueless user from simply disabling the PSFs on the workstation(s) or
allowing some app that they've suddenly decided they simply can't live
without. This is THE DANGER. Again, the workstation PSFs should have
username and STRONG password authentication required to disable or
re-configure the PSF settings (and I'm doubtful that ZA (free) provides
this.)
| While it's far from perfect, I'm thinking that adding
| BID or Sygate along with NAV should give a reasonable level of security for
| a small LAN. Maybe I'll unplug the keyboard & mouse to keep the users away
| <g> I'm really wondering if this setup is as good/better/worse than other
| choices (like a hardware NAT router) after the switch from dial-up to cable
| is made. Of course the LAN workstations will have NAV too, but not planning
| anything else at this point.
At that point, you should be reasonably 'good to go'. You might also want
to install some log analyzers on whatever PSF you install on the gateway
machine; and AV and AT software would not be a bad idea (especially if you
configure it to update regularly, run memory-resident, and run
pre-scheduled full-system scans from time to time).
That's about all I can think of at the moment.
--
Regards,
Joseph V. Morris
jvmorris@erols.com
ICQ #29438199
This is a NEWSGROUP message; except for privacy reasons, please respond
therein; an e-mail COPY is always appreciated, of course.
Almost all electrons used in the creation of this message were recycled.
No electrons used in the production of this message were harmed or
mistreated in any manner.