RE: Making a W2K with Internet Connection Sharing secure

["Harold McMurtry" <h.mcmurtry () ergogroup com>]

I just recently set up internet connection sharing on a windows 2000
server similar to what you're asking to do. When I set up ICS windows
changed the IP address of that nic to something like 169.0.0.1. 
If you create a DHCP scope to assign all your clients addresses starting
at 169.0.0.2 ( or whatever your nic address is), that's the first step.
Second step is set the gateway to 169.0.0.1 in the scope (again this is
whatever the ip address is on your nic), finally, set either the dns
server to be the ISP dns server in your DHCP scope, or configure your
windows 2000 server to resolve dns queries for the clients and configure
the dhcp scope for the dns server to be your windows 2000 server address
169.0.0.1.
You'll get some protection here because your systems are being natted
but your windows 2000 server is open. You can remove two services from
the internet nic- file and print sharing and Microsoft client to
increase security somewhat. The last thing to do would be to start
filtering packets like someone previously pointed out.

Btw. I agree with the others that setting up a linux firewall is more
secure and easier in the long run to manage.
Harold


-----Original Message-----
From: dave [mailto:dave () REMOVETHIS netmedic net] 
Sent: Saturday, January 11, 2003 6:40 PM
To: mike () moorecomputing net; ssgill () gilltechnologies com;
security-basics () securityfocus com
Subject: RE: Making a W2K with Internet Connection Sharing secure

Sarbjit,


Actually you could use TCP/IP Filtering it is only turned on or off for
all
adapters, the settings per-adapter is unique to that adapter.

For more granular control you can download PktFilter from
http://www.hsc.fr/ressources/outils/index.html.en
You can thank Jean-Baptiste Marchand for that free tool it is fairly
easy to
set up and use.  

 

Dave Kleiman
dave () netmedic net
www.netmedic.net

 


-----Original Message-----
From: Mike Moore [mailto:mike () moorecomputing net] 
Sent: Thursday, January 09, 2003 22:04
To: ssgill () gilltechnologies com; security-basics () securityfocus com
Subject: RE: Making a W2K with Internet Connection Sharing secure

If you can come up with a very low end pc take a look at www.ipcop.org .
It's a free Linux firewall that is very good in my opinion. They have a
great mailing list for support. Then go here
http://www.ipcop.org/cgi-bin/twiki/view/IPCop/IPCopDGHowto for Dan's
Guardian a URL filtering application that works with IPCop. Then the W2K
server and all workstations are protected. Just a thought.

Mike

> -----Original Message-----
> From: Sarbjit Singh Gill [mailto:ssgill () starhub net sg] 
> Sent: Tuesday, January 07, 2003 10:06 PM
> To: security-basics () securityfocus com
> Subject: Making a W2K with Internet Connection Sharing secure
>
>
> Greetings,
>
> I am a part of a group of volunnteers who help with 
> teaching underprivileged kids in orphanages.
>
> we had some donation of softwares from Microsoft and 
> hardware from HP and DSL connectivity from a local 
> telco.
>
> The setup looks something like this :
> DSL modem connected to a multi homed Windows 2000 
> Server. The W2K box is then sharing the ADSL 
> connection via Internet Connection Sharing to the LAN 
> made up of 10-25 PC running W98,WME and W2K Pro.
>
> I need somekind of proxy/NAT/firewalling  and URL 
> filtering capabilities on the W2K. They have to be 
> free. We are sourcing for some netscreen stuff but do 
> not know when it will come in. 
>
> I can't use IP filtering in W2k as it affects all 
> adapters. The LAN PCs use the server as a DC for 
> policies and authentication. 
>
> Right now the W2K server is connected to the internet 
> with no security whatsoever.
>
> Thanks in advance.
>
> Gill
>
>
> Sarbjit Singh Gill
> ssgill () gilltechnologies com 
>
> Powered by Gee! - Wireless Access Anywhere

---
Outgoing mail is certified Virus Free.
Checked by AVG anti-virus system (http://www.grisoft.com).
Version: 6.0.438 / Virus Database: 246 - Release Date: 1/7/2003