From: Bronek Kozicki (brokRUBIKON.PL)
Date: Thu Apr 05 2001 - 04:32:38 CDT

    > I am looking for a way to bind services to only
    > specific IP numbers on multihomed NT machines (NT4 and 2000).
    >
    > The idea is to have two interfaces on the NT box, one for administration
    > purposes and one for production.

    You have a good idea, keep reading.

    First - you may (and in most situations - should) unbind NetBIOS from the
    front-end interface:
    - in WinNT4 go to Network, Bindings, all adapters, unbind WINS Client from
    the front-end adapter
    - in Win2K go to Network Properties, select the front-end adapter, uncheck
    Client for MSNet, uncheck Sharing for MSNet, select TCP/IP Properties,
    Advanced, WINS, disable NetBIOS over TCP/IP.

    Most other services will bind to ports on all adapters available at the time
    of their startup. IMHO the best way to block them from accepting connections
    is to use TCP/IP filtering:
    - WinNT4: go to Network, Protocols, TCP/IP Properties, Advanced, check Enable
    Security and configure;
    - Win2K: Network Properties, select the front-end adapter, TCP/IP Properties,
    Advanced, Options, TCP/IP filtering properties.

    When configuring TCP/IP filtering keep in mind: it does not allow you to
    disable ICMP (IP protocol 1 is always allowed, even if not listed) and the
    filtering does not understand the direction of TCP traffic (which makes
    configuring FTP data connections problematic). That is, you should configure
    the server to accept only requests on selected ports on the front-end
    interface, according to the services you want to serve "to all" (like TCP 80
    etc.). If you want to receive DNS answers on the front-end you should allow
    UDP 53. On the back-end there's (usually) no reason to block any traffic, so
    you may just permit all UDP/TCP ports on this adapter.

    You may also want to use some kind of Personal Firewall (like
    http://www.tinysoftware.com/pwall.php ) to "enable" specific
    programs/services to bind to specific ports. But I do not think it should be
    used on production systems.

    Also, it's always good to have a firewall between the front-end interface and
    the world, as well as some network IDS/sniffer. Do not use the same network
    device (hub, switch) to serve connections on the back-end and front-end
    adapters.

    Hope this helps, regards

    B.
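As an added example (not from the original post or its author), a small Python audit helper that models the advice above: it parses `netstat -an` style output to find services bound on every adapter, then computes what each adapter would still expose under a per-adapter TCP/IP filter with an allow-list on the front-end and permit-all on the back-end. The addresses, ports and netstat lines are constructed for illustration, not captured from any host.

```python
import re

# Constructed sample in Windows `netstat -an` layout (not captured output).
SAMPLE_NETSTAT = """
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    192.0.2.10:139         0.0.0.0:0              LISTENING
  TCP    10.0.0.10:3389         0.0.0.0:0              LISTENING
  TCP    192.0.2.10:80          203.0.113.5:41522      ESTABLISHED
  UDP    0.0.0.0:53             *:*
  UDP    0.0.0.0:161            *:*
"""

FRONT_END = "192.0.2.10"  # constructed front-end (production) address
BACK_END = "10.0.0.10"    # constructed back-end (administration) address
# TCP/IP filter per adapter: allowed (proto, port) pairs, or None = permit all.
POLICY = {FRONT_END: {("TCP", 80), ("UDP", 53)}, BACK_END: None}
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+\S+(?:\s+(\w+))?\s*$")


def parse_netstat(text):
    """Return (proto, addr, port) for TCP sockets in LISTENING and all UDP sockets."""
    listeners = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        proto, addr, port, state = m.groups()
        if proto == "TCP" and state != "LISTENING":
            continue  # established or closing connections are not listeners
        listeners.append((proto, addr, int(port)))
    return listeners


def wildcard_listeners(listeners):
    """Sockets bound to 0.0.0.0, i.e. reachable through every adapter."""
    return sorted((p, port) for p, a, port in listeners if a == "0.0.0.0")


def reachable_on(adapter, listeners, policy):
    """(proto, port) pairs still reachable on `adapter` after its filter applies.
    ICMP is outside the model: TCP/IP filtering cannot block IP protocol 1."""
    allowed = policy[adapter]
    return sorted((p, port) for p, a, port in listeners
                  if a in ("0.0.0.0", adapter)
                  and (allowed is None or (p, port) in allowed))


if __name__ == "__main__":
    ls = parse_netstat(SAMPLE_NETSTAT)
    for adapter in POLICY:
        print(adapter, "exposes", reachable_on(adapter, ls, POLICY))
```

Passing a policy of `None` for the front-end adapter shows the unfiltered exposure (RPC 135, NetBIOS 139 and SNMP 161 reachable from the production side), which is the state the allow-list is meant to prevent.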