Some Security Considerations

Overview

The security of your local system can be considerably enhanced simply by changing a few settings. The changes listed here affect only your external connections to the Internet, and won't affect the operation of your local network. More advanced security capabilities are discussed in Chapter three.

The Physical Setup

WinProxy, and the computer on which it's installed, should be the only physical connection to the Internet. The point is to force all traffic between your network and the Internet to pass through WinProxy, including traffic you don't even know about.

Beware of cable and DSL modems that connect to a hub rather than to a network card. We don't recommend this topology. With such a setup, no product, not even WinProxy, can fully protect your system. While the modem itself may provide some protection, you can't be sure: the protective capabilities of these modems vary widely. Besides, no modem provides the same protection as a firewall, and many provide none at all. This setup leaves your network wide open to attack from unauthorized persons outside your network.

We can't say it strongly enough: do not use cable and DSL modems that connect to a hub. Move the connection from the hub to the WinProxy computer. It's pretty easy to do. If you need assistance, we provide instructions on the tech support section of our website.

NOTE: The only difference between a network component that connects to a hub and one that connects to a network card is the connector's pin order. There are only two pin orders. To move your modem over, use a cross-over cable instead of a regular cable; that's all there is to it. If your WinProxy computer has only a single network card, then you'll need to add a second network card.

If you have more than one subnet behind your firewall, we recommend that you do not use the WinProxy machine to route between the subnets. Use a router or multi-homed NT machine behind the firewall to route between your subnets.

Network Designations and Drivers

The most important designation you'll make when installing WinProxy is the distinction between the internal and external network connections. The two are treated quite differently. If you inadvertently designate your Internet connection as internal rather than external, everybody on the Internet can enjoy the same access to your network as you do! Needless to say, this is not a desirable situation. Your Internet connection must be designated as an external connection. You can double-check to be sure you've done this at WinProxy\Settings\General\Internal IP.

You'll also want to check on the installation of the WinProxy Transparent Proxy drivers, which allow regulation of your external network connection at a system level instead of an application level. If for some reason these drivers don't load, you'll still have WinProxy's application-level firewall (one of the best around), but it's not as strong and inclusive as a system-level firewall.

Look under WinProxy\Help\About WinProxy. If the Transparent Proxy drivers are loaded, the version number will be reported. If they are not loaded, WinProxy reports that "Transparent Proxy and NAT are not loaded." The best thing to do at this point is to reinstall WinProxy (there's no need to uninstall first). When you reinstall, built-in WinProxy routines will help to fix any problems with the NAT drivers.

A setting within WinProxy accomplishes the same task. If you set your Client Access to "Classic Proxy" under WinProxy\Advanced Settings\Client Access Method, you'll disable the system-level firewall. With this setting, WinProxy 3.0 and above will be just the same as WinProxy 2.1 (including the excellent 2.1 application-level firewall), but without the new system-level firewall. If you set WinProxy to "Client Proxy only," you'll then see that "Transparent Proxy and NAT are disabled" under WinProxy\Help\About WinProxy.

NOTE: An application-level firewall takes care of its own doings on network connections, but cannot prevent other applications from opening their own ports and waiting for connections on your proxy machine. These other connections are not visible to the application-level firewall, and can be invisible to the user as well.

A system-level firewall can prevent other applications on your computer from opening and using ports, including the file- and printer-sharing ports that Windows otherwise opens.

WinProxy Program Settings

Establish the WinProxy firewall setting at Medium or higher (WinProxy\Advanced Settings\Firewall). Medium is the default setting. If you need custom settings, allowing for special apps or games, start with a medium or higher setting before you go to custom settings.

USER'S CHECKPOINT: As soon as you define a custom filter (or enable a pre-defined filter) under the firewall settings, the slider bar for the firewall disappears. It's replaced with a Custom Security description. It does make a difference where you start, though. If you've already defined some filters, examine the filter list. You'll see a system entry indicating the base Security setting, such as "High Security Level," or "Medium Security Level."

If you do set up your own filters on the WinProxy firewall, pay careful attention to the port ranges. WinProxy puts the lowest and highest possible numbers in those boxes before you start. If you're not careful, it's easy to forget to change that second number. Instead of opening a few ports, as you intend, you'll open tens of thousands! If more than one person has access to the filter settings, it's a good idea to look through them once in a while.

Do not set up or enable anything labeled "incoming" unless you're certain you need to do so. When enabling an incoming port, you're setting up a listening port on your external network connection. Anybody on the Internet can connect to that port whenever they want. The only reason to set up an incoming port is to purposely allow people on the Internet to reach a server behind your firewall.

SECURITY ALERT: Three protocols (HTTP, FTP and Mail) contain individual "incoming proxy" settings. Any mapped port configured as an incoming mapped port is likewise a potential security problem.
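The two filter mistakes described above (a port range whose upper bound was left at the default maximum, and an "incoming" rule that creates a listening port on the external connection) are easy to catch with a periodic review script. The following is an added example, not WinProxy's own code or file format: it parses a constructed, hypothetical text listing of filter rules and reports the rules that deserve a second look. The rule layout, the finding codes and the 100-port threshold are all assumptions made for this example.

```python
"""Audit a list of firewall filter rules for over-broad port ranges and
incoming (listening) rules. Added example with a constructed rule format;
it is not WinProxy's configuration format."""

from __future__ import annotations

from dataclasses import dataclass

MAX_PORT = 65535
# Rules that open more ports than this are flagged as suspiciously broad.
# The threshold is an assumption chosen for this example.
WIDE_RANGE_THRESHOLD = 100


@dataclass
class FilterRule:
    name: str
    direction: str   # "incoming" or "outgoing"
    protocol: str    # "tcp" or "udp"
    low_port: int
    high_port: int

    @property
    def width(self) -> int:
        """Number of ports the rule opens."""
        return self.high_port - self.low_port + 1


def parse_rules(text: str) -> list[FilterRule]:
    """Parse lines of the form 'name,direction,protocol,low-high' (or a
    single port). Blank lines and '#' comment lines are ignored."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, direction, proto, ports = [f.strip() for f in line.split(",")]
        low, _, high = ports.partition("-")
        low_port = int(low)
        high_port = int(high) if high else low_port
        if not (1 <= low_port <= high_port <= MAX_PORT):
            raise ValueError(f"{name}: bad port range {ports!r}")
        rules.append(FilterRule(name, direction.lower(), proto.lower(),
                                low_port, high_port))
    return rules


def audit(rules: list[FilterRule]) -> list[tuple[str, str]]:
    """Return (rule name, finding code) pairs.

    DEFAULT_UPPER_BOUND: the range still ends at 65535, the value the
                         dialog pre-fills, so the second box was probably
                         never edited.
    WIDE_RANGE:          the rule opens more than WIDE_RANGE_THRESHOLD ports.
    INCOMING:            the rule creates a listening port reachable from
                         the Internet; confirm it is really needed.
    """
    findings = []
    for r in rules:
        if r.high_port == MAX_PORT and r.low_port != MAX_PORT:
            findings.append((r.name, "DEFAULT_UPPER_BOUND"))
        if r.width > WIDE_RANGE_THRESHOLD:
            findings.append((r.name, "WIDE_RANGE"))
        if r.direction == "incoming":
            findings.append((r.name, "INCOMING"))
    return findings


# Constructed sample rule list (hypothetical names and ports).
SAMPLE_RULES = """
# name, direction, protocol, ports
game-voice,outgoing,udp,28960
quake,outgoing,udp,27660-65535
web-server,incoming,tcp,80
icq,outgoing,tcp,4000-4050
"""


if __name__ == "__main__":
    parsed = parse_rules(SAMPLE_RULES)
    for name, code in audit(parsed):
        rule = next(r for r in parsed if r.name == name)
        print(f"{name}: {code} ({rule.width} port(s), {rule.direction})")
```

Running the script on the sample flags the "quake" rule twice (it opens 37,876 ports because the upper bound was never changed) and the "web-server" rule once for being an incoming listener; the two narrow outgoing rules pass.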

Other Settings on the WinProxy Machine

You can have file and printer sharing enabled on the internal network connection, but do not do so on the external connection. WinProxy can prevent access on these ports when all other settings are correct, but just in case, you should disable file and printer sharing and the NetBEUI protocol on your external connection. To do so:

  • Look at the settings in Control Panel/Network. If you see a protocol line which shows NetBEUI -> Dial-Up Adapter (or NetBEUI with the network card connected to your cable modem), remove it. If you're using AOL as a provider, remove any protocol line showing NetBEUI -> AOL Adapter.
  • Highlight the entry TCP/IP -> Dial-Up Adapter (or TCP/IP -> AOL Adapter if using AOL as your provider). If you have a cable modem, highlight the entry for TCP/IP with the network card connected to your cable modem. Click Properties, and then choose the Bindings tab. Uncheck the box titled Client for Microsoft Networks. Uncheck the box File and Printer Sharing. When you click OK, Windows complains about the lack of bindings; when it politely asks if you want to choose one, choose No. Restart the computer for the changes to take effect.

If you're running NT on your WinProxy computer, make sure that "IP forwarding" is disabled. Just as with file and printer sharing, other WinProxy firewall settings will prevent access because of IP forwarding, but it's better to be safe in case it slips your mind while making configuration changes at a later date.

SECURITY ALERT: If you run browsers on the WinProxy machine, we recommend (a) setting them to run through the proxy, and (b) using the Classic Proxy method (configure the browser to use a proxy, and use the WinProxy internal IP address as the proxy address). Running a browser in other configurations could expose you to a known or future browser security problem. It's a good idea to set any Internet application on the WinProxy machine to use the Classic Proxy whenever possible.

Anti-Virus

If Anti-Virus scanning is important to you, make sure you don't have the "NAT Only" option selected under WinProxy\Advanced Settings\Client Access. The anti-virus scanner will work on HTTP, FTP and Mail files, but only when they are visible in the main ConnectionView screen.

Interested in the reason why? It's because Anti-Virus works only on connections that pass through the application level, i.e., Cproxy (Classic Proxy) and Tproxy (Transparent Proxy) connections, which are visible in the ConnectionView screen when it's up. NAT connections, by their very nature, don't pass through the application level. They're thus never visible in ConnectionView and won't be scanned.

Bottom line: if you can't see it, the Anti-Virus can't either, and it won't be scanned.

General Security

Use a non-routable network address for your local network. WinProxy will work with any network address as long as the internal/external addresses are on different networks. However, using a non-routable address for your local network adds extra security for free.

NOTE: IP addresses are routable across large and diverse networks; that's what makes the Internet work. There are some pre-defined IP address groups that Internet routers intentionally toss away instead of passing on. These groups work fine within a local network, but cannot be directly accessed across the Internet. Using addresses from one of these groups, such as 10.x.x.x or 192.168.x.x, is an easy way to give your local computers more security.
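Both rules in this section (internal and external connections on different networks; a non-routable range for the internal network) can be checked mechanically before you commit an address plan. The following is an added example, not part of the original guide and not WinProxy code. It uses Python's standard ipaddress module, and it goes slightly beyond the note above by including 172.16.0.0/12, the third private range from the same RFC 1918 that defines 10.0.0.0/8 and 192.168.0.0/16. The interface addresses in the sample are constructed.

```python
"""Check an internal/external address assignment against two rules:
the two connections must be on different networks, and the internal
network should use a non-routable (RFC 1918) range.
Added example; addresses below are constructed, not from a real site."""

import ipaddress

# RFC 1918 private ranges. The guide names 10.x.x.x and 192.168.x.x;
# 172.16.0.0/12 is the third range defined by the same RFC.
PRIVATE_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def is_non_routable(address: str) -> bool:
    """True if the address falls in one of the RFC 1918 private ranges."""
    ip = ipaddress.ip_address(address)
    return any(ip in net for net in PRIVATE_NETWORKS)


def check_assignment(internal_iface: str, external_iface: str) -> list:
    """Evaluate an address plan.

    Arguments are 'address/prefix' strings such as '192.168.1.1/24'.
    Returns a list of problem descriptions; an empty list means the
    plan satisfies both rules from the guide.
    """
    internal = ipaddress.ip_interface(internal_iface)
    external = ipaddress.ip_interface(external_iface)
    problems = []

    # Rule 1: internal and external must be on different networks.
    # overlaps() also catches the case where the two masks differ but
    # one network contains the other.
    if internal.network.overlaps(external.network):
        problems.append(
            f"internal network {internal.network} overlaps external "
            f"network {external.network}; the two must be different"
        )

    # Rule 2: the internal side should be a non-routable range, so that
    # Internet routers discard any packet aimed directly at a LAN host.
    if not is_non_routable(str(internal.ip)):
        problems.append(
            f"internal address {internal.ip} is routable; use a private "
            f"range such as 10.x.x.x or 192.168.x.x"
        )
    return problems


if __name__ == "__main__":
    # Constructed sample plans. 203.0.113.0/24 is a documentation-only
    # range standing in for an ISP-assigned external address.
    for internal, external in [
        ("192.168.1.1/24", "203.0.113.7/24"),   # good plan
        ("203.0.113.10/24", "203.0.113.7/24"),  # both rules violated
    ]:
        found = check_assignment(internal, external)
        print(f"{internal} / {external}: {'OK' if not found else found}")
```

The second sample plan produces two findings: the internal and external addresses share the 203.0.113.0/24 network, and the internal address is routable. The first plan passes cleanly.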

A Final Word on Security

Security is built into WinProxy and remains one of the most important objectives at Ositis Software. You'll notice throughout this guide that we offer many tips to enhance your network's security.
