http://kb.deerfield.com/index.cfm?a=1146&k=1&CFID=738181&CFTOKEN=45233400

Securing your WinGate installation against an Internet based attack

There has been increasing publicity concerning unauthorized use of proxies and firewalls to perform illicit activities that may then be attributed to the firewall's owner. A number of these instances have involved the use of WinGate. This page informs you of the issues and of how to defend your systems against abuse.

--- Why should I do anything? ---

Unfortunately there are people who spend a great deal of time looking for ways to bypass the security measures ISPs use to thwart spammers (people who send large volumes of unsolicited mail to large numbers of email addresses). One way to bypass ISP security is to appear to be a valid ISP client. This can be done through proxy software, such as WinGate, if it is not securely configured. You need to ensure that your proxy server is secure from unauthorized use.

--- How do I do it? ---

There are two main ways to secure access:

1. Logically, by rule. This involves setting up rules as to who may or may not do certain things in WinGate.
2. Physically, by binding a service to a specific interface. This makes the service unavailable from any other interface. By binding a service to your LAN adapter, you can easily block all access from the Internet.

You may also choose a mixture of these two methods, depending on your requirements for access.

Example: A small LAN using WinGate Lite or the free version for net access, not running any servers that need to be accessed from the Internet. This is by far the most common scenario.

Option 1

If all the services are using the default security arrangement as installed, then perform the following steps.

1. Open GateKeeper and log into WinGate as Administrator.
2. Double click on Policies, and double click on "Default Policies".
3. Select the right "Users can access services".
4. There will be one recipient there - "Everyone". Double click on this recipient.
5. Select the Location tab.
6. Select "Specify locations from where this recipient has rights".
7. Add the following IP addresses under Included locations: 127.0.0.1, and the first three numbers of your WinGate machine's network card address followed by .* - for example, if your network card has IP address 192.168.0.1, then you would add 192.168.0.*. If you have more than one network card in the WinGate machine, then add an entry for each one that will be requiring access to WinGate.
8. Hit OK, and remember to save changes.

Now only your LAN users can access any service in WinGate. If some of your services are using their own rules rather than the global ones, you can perform this action for each recipient in those service-specific rules.

Alternative method using option 2

Because the Lite version of WinGate cannot bind a service to more than one interface (WinGate 2.1 Pro can do it), in order to use option 2, binding services, you need to create a separate service for each interface you need to bind to. The minimum is 2 - the localhost interface, which is used for your second free user license, and the interface of your WinGate machine's LAN card. For each LAN card in your machine you need to create another service and bind it to that LAN card's IP address.

To bind a service to an interface, do the following:

1. Open GateKeeper and log into WinGate as Administrator.
2. Double click on "Services" in the right hand pane.
3. Double click on the service you want to modify.
4. The "General" tab you see in front of you has an option on it - "Bind to specific interface". Enable this option, and type in the address of the interface you are binding to. The interface address is the IP address of a LAN card in your WinGate machine, or 127.0.0.1 for the free user (localhost).

Note - You cannot change the binding of the Remote Control Service in WinGate Lite.

What if I am running a server behind WinGate that requires public access?

We recommend that you do not run Telnet or SOCKS servers with public access. If you do, you will want to restrict what requests the server will perform. You could require users of these services to be authenticated if they connect from the Internet. This will ensure no unauthorized use. Otherwise you can specify where a user can connect to, or at what times. For WWW, if say you are running a WWW server behind WinGate, you can stipulate that Internet users can only connect to your internal WWW server, while internal users can connect out.

--- General techniques and hints ---

The first question is "Do I really need to allow access to this service from the Internet, and why?". Basically the reasons to require access from the Internet are relatively few. You may be running mail, WWW or other servers on your LAN that require access from the Internet. You may require field staff to telnet into your Unix server from the field. You may have a requirement for some secure inter-office communication. If none of these apply, you need to seriously question why you would allow access from the Internet to a service.

There are ways and means to specify different access rights depending on where a user accesses WinGate from. You can either create duplicate services bound to the different interfaces with different policies per service, or you can do it with a single service with location based policies.

E.g. a POP3 service using service specific rules. Create two recipients called "Everyone" - the first one is restricted by location, and must connect from your LAN. The second can connect from anywhere, but is restricted by request - say, only allow connections to certain servers or ports.
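The following is an added illustration, not WinGate code, modelling the recipient rules described above (the "Everyone" recipient limited to 127.0.0.1 and 192.168.0.*, and the two-recipient POP3 service) so you can see how a connection is evaluated. The wildcard semantics (a trailing * octet matches anything) and the idea that any matching recipient grants access are assumptions for this model.

```python
from dataclasses import dataclass
from typing import Optional

def location_matches(pattern: str, client_ip: str) -> bool:
    """Match a WinGate-style location entry such as '127.0.0.1' or
    '192.168.0.*'. A '*' octet matches any value (assumed semantics)."""
    pat, ip = pattern.split("."), client_ip.split(".")
    if len(pat) != 4 or len(ip) != 4:
        return False
    return all(p == "*" or p == o for p, o in zip(pat, ip))

@dataclass
class Recipient:
    """One recipient on a right. None means 'no restriction' for that field."""
    name: str
    locations: Optional[list] = None   # Included locations, e.g. ["127.0.0.1", "192.168.0.*"]
    allowed_ports: Optional[set] = None  # Restriction by request: permitted destination ports

    def permits(self, client_ip: str, dest_port: int) -> bool:
        if self.locations is not None and not any(
                location_matches(p, client_ip) for p in self.locations):
            return False  # connecting from outside the listed locations
        if self.allowed_ports is not None and dest_port not in self.allowed_ports:
            return False  # request not permitted for this recipient
        return True

def service_allows(recipients, client_ip: str, dest_port: int) -> bool:
    """Access is granted if any recipient on the service permits the request."""
    return any(r.permits(client_ip, dest_port) for r in recipients)

# Constructed example 1: the default "Everyone" recipient after Option 1 above.
DEFAULT_POLICY = [Recipient("Everyone", locations=["127.0.0.1", "192.168.0.*"])]

# Constructed example 2: the POP3 service with two "Everyone" recipients.
POP3_RULES = [
    Recipient("Everyone (LAN)", locations=["127.0.0.1", "192.168.0.*"]),
    Recipient("Everyone (Internet)", locations=None, allowed_ports={110}),
]

if __name__ == "__main__":
    for rules, ip, port in [(DEFAULT_POLICY, "203.0.113.5", 25),
                            (POP3_RULES, "203.0.113.5", 25),
                            (POP3_RULES, "203.0.113.5", 110),
                            (POP3_RULES, "192.168.0.42", 25)]:
        print(ip, port, "allowed" if service_allows(rules, ip, port) else "denied")
```

The Internet address 203.0.113.5 is denied relaying to port 25 under both rule sets, but may reach port 110 through the POP3 service, while a LAN host keeps unrestricted access.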