Re: Internet sharing in Windows 2000

From: Q (Q@nospam.net)
Date: 03/01/03


From: "Q" <Q@nospam.net>
Date: Sat, 1 Mar 2003 12:18:51 -0500


"Fernando Ronci" <fernandoronci@hotmail.com> wrote in message
news:OvgiX5$3CHA.2300@TK2MSFTNGP11.phx.gbl...
> Hi,
>
> I need to install a Windows 2000 server as an internet gateway. My
> question is:
> Are Windows 2000's native mechanisms for Internet Sharing secure enough to
> protect internal workstations from outsiders or should I install a third
> party firewall product? If the latter, what product is recommended?
>
Hi,

The NAT functionality of w2k server is more than adequate for small networks
in terms of functionality. However, NAT (or Internet Sharing) should be
treated as a "routing" function rather than a security one.
W2K has built-in packet filtering at several layers (either via IPSEC
policies or via the RRAS administrative interface).
Correctly configured, the packet filtering should offer the necessary
security for a) the w2k NAT box and b) the network behind it (although the
flexibility of the w2k pf is rather limited and there are no log
facilities). This "necessary security" refers to protecting the fw box and
the network behind it from direct external attacks. All other aspects of
your network security should be dealt with using third party applications:
IDS, AV, Distributed Firewalls, sound policies and user education, etc.

If you want an alternative for w2k packet filtering to complement your NAT,
then I'd suggest you have a look at chx
(http://www.idrci.net/doc/manual/index.html)

Cheers,

Q.


