Re: Perhaps off-topic WinGate Proxy
Rodney van den Oever (roever nse.simac.nl)
Fri, 27 Nov 1998 23:10:56 +0100
- Next message: David Kennedy CISSP: "Re: 3COM Security Advisory"
- Previous message: Joseph S D Yao: "Re: more junior level FireWall lists?"
- In reply to: Don Tuer: "more junior level FireWall lists?"
>Does anyone have information on security risks posed by WinGate. Are
>there any special precautions that should be taken on the machine that
>is the WinGate server?
>
>Any information would be appreciated.
>
>Thanks,
>Dave Olsen
1. Only run it on a machine with two interfaces so you can isolate your internal LAN and create a DMZ.
2. Make sure you bind the proxies only to the internal interface, e.g. 192.168.1.1. Don't use the default '0.0.0.0', because this allows anyone from the outside to connect to the telnet proxy or use the http-proxy with the HTTP CONNECT option like:
# telnet wingate 80
CONNECT intranet.domain.com:23 HTTP/1.0 <cr>
<cr>
3. Only install the options you really need and delete unnecessary proxies afterwards. You probably need the DNS-, SMTP-, WWW (HTTP/FTP)- and maybe NNTP-proxy. Activate web-caching to save some bandwidth.
4. Always use a separate exterior router and apply filters to it. Don't allow anyone to set up connections to the WinGate proxy apart from E-mail (SMTP). Make sure the router-platform you choose understands 'established' sessions, like a Livingston (Lucent) or Cisco router.
5. If possible, use an internal router to also limit connections from the WinGate server to your internal systems, e.g. only allow SMTP to/from the internal mailserver, only allow outgoing HTTP. Allow DNS (UDP/TCP 53) between the WinGate server and your internal mailserver.
-- Rodney van den Oever / 0x06 3547CA1 / PGP Key ID 0x0A6CCE53
And Jesus said unto them, 'And whom do you say that I am?' And they replied, 'You are the eschatological manifestation of the kerygma of our being, the ontological foundation of the context of our very selfhood revealed.' And Jesus said, 'What?' (source unknown).
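One way to verify point 2 of the message above on the proxy host, added here as an example and not part of the original post: parse `netstat -an` output and flag every listener that is bound to 0.0.0.0 or to an address outside the internal LAN. The sample output, the 192.168.1.0/24 network and the "SMTP only from outside" policy are assumptions constructed for the illustration.

```python
import ipaddress

# Constructed sample of Windows `netstat -an` output (not from the original post).
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:23             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    192.168.1.1:1080       0.0.0.0:0              LISTENING
  TCP    203.0.113.10:25        0.0.0.0:0              LISTENING
  TCP    192.168.1.1:80         192.168.1.57:1042      ESTABLISHED
  UDP    0.0.0.0:53             *:*
"""

INTERNAL_NET = ipaddress.ip_network("192.168.1.0/24")  # assumed internal LAN
ALLOWED_EXTERNAL_PORTS = {25}  # assumed policy: only SMTP may face the outside


def parse_listeners(netstat_text):
    """Yield (proto, ip, port) for listening TCP sockets and bound UDP sockets."""
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0] not in ("TCP", "UDP"):
            continue  # header, blank line or other protocol
        proto, local = fields[0], fields[1]
        if proto == "TCP" and (len(fields) < 4 or fields[3] != "LISTENING"):
            continue  # established or closing connection, not a listener
        host, _, port = local.rpartition(":")
        try:
            yield proto, ipaddress.ip_address(host.strip("[]")), int(port)
        except ValueError:
            continue  # address form this parser does not understand


def audit(netstat_text):
    """Return (proto, address, port, reason) for each listener exposed beyond the LAN."""
    findings = []
    for proto, ip, port in parse_listeners(netstat_text):
        if port in ALLOWED_EXTERNAL_PORTS:
            continue
        if ip.is_unspecified:  # 0.0.0.0 or ::, i.e. every interface
            findings.append((proto, str(ip), port, "bound to all interfaces"))
        elif ip not in INTERNAL_NET and not ip.is_loopback:
            findings.append((proto, str(ip), port, "bound to non-internal address"))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_NETSTAT):
        print("%s %s:%d  %s" % finding)
```
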
This archive was generated by hypermail 2.0b3 on Sat Jul 17 1999 - 07:12:04 CDT