I assume you have a working local area network and that you know how to connect it to the internet using a router. Get WinRoute from Tiny Software. There is a 30-day free trial period, after which you can buy a licence for private use for as little as $30. It's well worth it. Install WinRoute on the gateway computer.
Please refer to Firewalls for an introduction on the firewall techniques mentioned in this page.
Remember that your gateway machine will have two 'interfaces'. One interface will be the network card that connects the gateway machine to the rest of your LAN; the other, the WAN interface, will connect the gateway to the internet, i.e. to your internet provider. This WAN interface can be a dial-up connection over a telephone modem, an ADSL connection, etc. It can also be a second network card connected to a cable modem.
WinRoute runs on Windows NT and Windows 98 and their relatives (95, ME, 2000, ...). Minimum requirements: if your machine can run Windows, it can run WinRoute with it. An early Pentium at 90-133 MHz with 32 MB RAM will do.
TCP/IP on the WAN interface (and Dial-up Networking, when applicable) will need to be configured according to your ISP's instructions. The LAN interface of the gateway is part of your network, and will be configured to match the addressing/subnetting of your local network.
The machine where the routing and firewall software runs is reachable from 'outside', from the internet. It should therefore be configured to make intrusion attempts difficult. Some points to consider are :
Once installed, WinRoute starts automatically when you boot into Windows. Open WinRoute Administration by right-clicking the WinRoute icon in the system tray. Check Help : 'Get it Up and Running' if you need any help configuring the network or setting up the router; it's all explained really well. Next, from the Settings menu, choose Interface Table and activate NAT (network address translation) on the WAN interface.
That's all there is to it. You're connected to the internet by means of a router, and the IP masquerading is an effective firewall against any incoming connection to the hosts on your LAN, provided the addresses on your LAN are not routable (private addresses): a packet from the internet cannot be addressed to such a host directly, and the gateway only forwards inbound packets that belong to a connection a LAN host opened. You may want to add some more firewall measures, but basically, you're set.
For more, select 'Advanced' from the Settings menu. You can configure additional NAT rules there, but in a simple home-network-to-internet situation this is not really necessary.
You can now configure the firewall further to add more security on top of the network address translation. The main purpose is to :
The Settings : Security menu offers a dialog window where you can set a few simple rules.
Under this heading, WinRoute lets you set rules for incoming and outgoing connections. This is your second line of defense, after the network address translation. Rules can be set on each interface separately, or be made to apply to all interfaces. Here is where you need to know what kind of communication your local network needs with the world outside, so that you can decide what to allow and what to prohibit.
Typically, a home network does not require any incoming connections, i.e. connections initiated by a system outside the LAN. So, on the WAN interface, regarding incoming connections, it's safe to say 'deny all'. Without this rule, the network behind the firewall is still protected by the network address translation, but the gateway itself has a public address that can be routed to, and any service listening on the gateway machine is exposed. Denying incoming connections on the WAN interface takes care of that.
WinRoute lets you indicate whether a TCP filtering rule should apply 'when establishing a connection' (i.e. to the initial SYN), 'for established connections', or both. To deny incoming connections, you set :
Incoming : Deny : TCP : Source = all addresses, all ports ; Destination = all addresses, all ports - when establishing a connection.
This prohibits TCP connections set up by a host outside your network, but allows incoming TCP packets on connections initiated by hosts on your network. Note that the rule covers TCP only: UDP has no connection setup, so anything the gateway or a LAN host should not receive over UDP needs its own deny rule.
An office or business may run services that need to be accessible from outside the firewall, typically a mail server, maybe a web server. In that case it's best to block everything except what needs to be open, and to be very specific about that. If you only expect incoming connections from certain addresses or address ranges, allow only those and deny all others. Allow connections only to the ports your services actually listen on.
The way to do this in WinRoute is with a list of rules. Rules are read top to bottom; the first rule that matches a packet is applied, and the rules lower down the list are not checked. You should therefore be careful about the order of the rules: a specific rule must come before the general rule it is an exception to. The last rule should be 'Deny packets from any host to any host', so that if no applicable 'permit' rule is found higher up the list, the packet is dropped.
To allow access to a web server inside the firewall, you'd allow all hosts access to <web server IP address>, port 80 (web servers typically listen on port 80). To allow your internet provider's mail server to deliver mail to your private mail server inside your firewall, allow <ISP mail server IP address> access to <your mail server IP address> on port 25. And so on. More examples can be found in WinRoute's help file. You may need to do port mapping as well (see further down).
For detailed security configuration, see Firewall Rules.
You may be reluctant to set rules on outgoing connections for fear of no longer being able to surf the net, send mail or play online games. However, denying unauthorized outgoing connections is the one measure in a packet filter that does anything against trojans, spyware and other programs that set up connections behind your back: the NAT and the incoming rules do nothing once such a program is already running inside the LAN.
The approach here is, again, to deny everything but make exceptions where you deem them necessary. One type of exception is to allow communication with a specific host or hosts (by IP address, group of addresses, IP range, etc.). This is for when you need to communicate with particular machines outside the firewall. If your network uses your ISP's web proxy to surf the web, all you need is a connection to that web proxy's address, typically port 8080, to have access to the web.
Usually, however, you'll just want to allow certain types of activity: web browsing, email, and so on. This is achieved by allowing outgoing connections to all hosts but only on a specific TCP port, namely the 'well-known port' of that service: e.g. web browsing = connect to a web server on port 80, FTP = port 21 for the control connection, etc. When you end the list with 'TCP : deny all hosts to all hosts', any outgoing connection to a port other than those you listed is denied. Two caveats. First, FTP is awkward: the control connection goes to port 21, but the data connection is either opened by the server from its port 20 back to the client (active mode), which is an incoming connection, or opened by the client to an arbitrary high port on the server (passive mode), which a port-21-only rule does not cover. Second, a rule by port cannot tell a browser from a trojan that also talks to port 80; port-based rules on outgoing traffic raise the bar, they don't remove it.
Rules by address and rules by port can be combined to specify things even further. You can for instance deny outgoing connections to 240.14.1.128 port 80 and, on the next line, allow all outgoing connections to port 80. This allows web browsing except to the web site at IP address 240.14.1.128 (an example address). You can thus block specific web sites without making web browsing impossible. The order matters: put the allow-all rule first and the deny for 240.14.1.128 is never reached.
Another example: if you use a mail client (Pegasus, Outlook Express, Eudora, ...), you'll probably have a mail account on your internet provider's mail server. With POP (Post Office Protocol), it is the mail client that connects to the provider's mail server, so this is clearly a communication you need to allow. Specify that any host on your network may connect to the IP address of your ISP's POP server on port 110. You can add multiple POP servers if the users on your network have email accounts with different providers. Sending mail goes through the ISP's SMTP server on port 25, so that needs an outgoing rule too.
As all packets will be matched against all rules until the firewall software finds a rule it can apply, it is important to
WinRoute lets you specify rules for incoming/outgoing connections per network interface. As we're primarily discussing access to the internet from a local area network, we've set the rules on the WAN interface of the gateway, governing the communication between the gateway machine and the internet. Setting rules on the LAN interface makes little sense in a case like this, except to control the communication between the gateway itself and the hosts on the LAN. Traffic between the LAN hosts themselves is not routed by WinRoute: hosts on the same subnet reach each other directly, without passing through the gateway, so the rules wouldn't apply anyway.
A router can also be used to connect subnets with each other. In that case it may be useful to specify rules per interface, so that a security policy for communication between the subnets can be implemented.
It is common to group machines that need to allow public access in their own subnet, apart from the private network. This is called the DMZ (Demilitarized Zone): a no man's land between the public internet and the private LAN. The machines in the DMZ can have routable addresses that are directly reachable from the internet, so there's no need for port mapping. The DMZ is reachable from your network through the router, with the firewall in between. From the outside, access to the DMZ does not imply access to the private subnet(s), where you can still use private addresses (to keep the NAT protection) and more restrictive rules for incoming and outgoing connections.
For each interface you can indicate that it only accepts connections from a given address, a predefined collection of addresses, an address range, a subnet, etc. For instance, you can set that the LAN interface only accepts communication from the IP addresses on your LAN (what else?), or that the WAN interface only allows communication from the address of your other office's gateway.
The point here is that you may have a number of public IP addresses for hosts on your network. In the packet filtering rules, these addresses will be allowed more than just any host on the internet. Address spoofing (IP spoofing) exploits that fact to get through the packet filter: the intruder's connection attempt is sent with a forged source address, preferably one the firewall trusts, such as one of your own public addresses.
However, if you specify on the WAN interface that packets carrying one of your own LAN or public addresses as source are not accepted (a genuine packet from one of your hosts can never arrive from the internet side), this trick won't work.
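To make the first-match behaviour of the rule list concrete, here is an added example (written for this page; it is not WinRoute code and does not come from Tiny Software) that models a WAN rule list like the one built up in the filtering section above, including the anti-spoofing restriction just described. The addresses are assumptions: 192.168.1.0/24 as the LAN, 198.51.100.77 as the gateway's public address, 198.51.100.10 as the ISP's POP server, and 203.0.113.0/24 for remote hosts; 240.14.1.128 is the page's own example of a site to block. The Packet and Rule types, the rule numbering and the sample traffic are all constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

# Assumed addresses (RFC 5737 documentation ranges), not values from the page;
# 240.14.1.128 is the page's own example of a site to block.
LAN = "192.168.1.0/24"
GATEWAY_PUBLIC = "198.51.100.77"
ISP_POP = "198.51.100.10"
BLOCKED_SITE = "240.14.1.128"


@dataclass(frozen=True)
class Packet:
    iface: str              # interface the packet is seen on: "WAN" or "LAN"
    direction: str          # "in" (arriving from outside) or "out"
    proto: str              # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    syn_only: bool = False  # TCP SYN without ACK = "when establishing a connection"


@dataclass(frozen=True)
class Rule:
    action: str                          # "allow" or "deny"
    direction: str                       # "in", "out" or "any"
    proto: str                           # "tcp", "udp" or "any"
    src: str                             # CIDR, single address, or "any"
    dst: str
    dport: Optional[int] = None          # None = all ports
    establishing: Optional[bool] = None  # True: SYN only, False: established only, None: both
    iface: str = "any"


def _addr_match(spec: str, addr: str) -> bool:
    return spec == "any" or ip_address(addr) in ip_network(spec, strict=False)


def matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.iface in ("any", pkt.iface)
            and rule.direction in ("any", pkt.direction)
            and rule.proto in ("any", pkt.proto)
            and _addr_match(rule.src, pkt.src)
            and _addr_match(rule.dst, pkt.dst)
            and (rule.dport is None or rule.dport == pkt.dport)
            and (rule.establishing is None or rule.establishing == pkt.syn_only))


def filter_packet(rules: List[Rule], pkt: Packet) -> Tuple[str, Optional[int]]:
    """Top-to-bottom, first match wins; returns (verdict, index of deciding rule).
    A packet matching nothing is let through (index None), which is exactly why
    the list has to end with an explicit deny-all."""
    for i, rule in enumerate(rules):
        if matches(rule, pkt):
            return rule.action, i
    return "allow", None


WAN_RULES: List[Rule] = [
    # 0: anti-spoofing: a packet arriving from the internet can never honestly
    #    carry one of our own LAN addresses as its source.
    Rule("deny", "in", "any", LAN, "any", iface="WAN"),
    # 1: the page's "Incoming : Deny : TCP ... when establishing a connection".
    Rule("deny", "in", "tcp", "any", "any", establishing=True, iface="WAN"),
    # 2: the site-specific deny must sit ABOVE the general port-80 allow.
    Rule("deny", "out", "tcp", "any", BLOCKED_SITE, dport=80, iface="WAN"),
    # 3: web browsing to anywhere else.
    Rule("allow", "out", "tcp", "any", "any", dport=80, iface="WAN"),
    # 4: POP mail, but only from the ISP's server.
    Rule("allow", "out", "tcp", "any", ISP_POP, dport=110, iface="WAN"),
    # 5: replies on connections our side opened (not SYN-only) must be let back
    #    in explicitly, or the closing deny-all would drop them.
    Rule("allow", "in", "tcp", "any", "any", establishing=False, iface="WAN"),
    # 6: closing catch-all.
    Rule("deny", "any", "any", "any", "any", iface="WAN"),
]


def sample_packets() -> Dict[str, Packet]:
    """Constructed traffic as seen on the WAN interface (after NAT, so outbound
    packets carry the gateway's public address)."""
    return {
        "inbound_syn_to_smtp": Packet("WAN", "in", "tcp", "203.0.113.5", 40000, GATEWAY_PUBLIC, 25, syn_only=True),
        "reply_from_web_server": Packet("WAN", "in", "tcp", "203.0.113.80", 80, GATEWAY_PUBLIC, 50000),
        "spoofed_lan_source": Packet("WAN", "in", "tcp", "192.168.1.20", 50000, GATEWAY_PUBLIC, 80),
        "web_browsing": Packet("WAN", "out", "tcp", GATEWAY_PUBLIC, 50001, "203.0.113.80", 80, syn_only=True),
        "blocked_site": Packet("WAN", "out", "tcp", GATEWAY_PUBLIC, 50002, BLOCKED_SITE, 80, syn_only=True),
        "pop_to_isp": Packet("WAN", "out", "tcp", GATEWAY_PUBLIC, 50003, ISP_POP, 110, syn_only=True),
        "unexpected_out_6667": Packet("WAN", "out", "tcp", GATEWAY_PUBLIC, 50004, "203.0.113.9", 6667, syn_only=True),
    }


def verdicts(rules: List[Rule] = WAN_RULES) -> Dict[str, Tuple[str, Optional[int]]]:
    return {name: filter_packet(rules, pkt) for name, pkt in sample_packets().items()}


def swapped_order() -> List[Rule]:
    """Same rules, but the general port-80 allow moved above the site-specific deny."""
    rules = list(WAN_RULES)
    rules[2], rules[3] = rules[3], rules[2]
    return rules


if __name__ == "__main__":
    for name, (verdict, idx) in verdicts().items():
        print(f"{name:24s} -> {verdict:5s} (rule {idx})")
    print("blocked site, allow above deny ->", filter_packet(swapped_order(), sample_packets()["blocked_site"]))
    print("port 6667 without closing deny ->", filter_packet(WAN_RULES[:-1], sample_packets()["unexpected_out_6667"]))
```

Run it and compare the verdict for the blocked site under swapped_order(), and the port-6667 packet with the closing deny-all removed: with the general allow above the specific deny the blocked site becomes reachable, and without the closing deny an unmatched packet is simply let through. The model is deliberately simple: it treats 'when establishing a connection' as 'TCP SYN without ACK' and keeps no connection state, whereas a real filter also has to track which connections are actually open.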
If a service on your network needs to be reachable by an incoming connection (mail server? distributed database? web server?), you have a problem. Even if you allow the incoming connections (see Filtering), a client outside the firewall cannot reach your web server, mail server, etc. if it runs on a machine with an unroutable address. The thing to do is to export the port the service listens on. Choose Port Mapping from the Settings menu and fill in the form: 'Listen to' (protocol), (port number); forward to (address of the machine where the service is running), (port number). Piece of cake.
It is usually safer to put the machine(s) with open ports in a separate LAN (a different IP range, a different subnet) that is reachable from the first LAN via the router. Port mapping is, in a way, like punching small holes in your firewall, so it's best that these holes lead into a separate network, away from e.g. your domain controller or your file server with confidential files. The subnet with the publicly accessible machines is often called the Demilitarized Zone (DMZ): reachable from both the internal network and the internet, but set up so that connections from the internet to the DMZ cannot be passed on to the internal network.
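The following added example (not WinRoute code, not from Tiny Software) models why masquerading alone stops unsolicited inbound connections and what a port mapping changes. It keeps a translation table keyed on the NAT port and the remote endpoint, as a NAT must, and consults a 'Listen to / forward to' table only for packets that match no existing flow. Assumed addresses: 198.51.100.77 for the gateway's WAN side, a LAN host at 192.168.1.20, a mail server at 192.168.2.10 in a separate DMZ subnet as the preceding paragraph recommends, and remote hosts in 203.0.113.0/24; all traffic is constructed.

```python
from dataclasses import dataclass, replace
from typing import Dict, Optional, Tuple

# Assumed addresses (RFC 5737 documentation ranges), not values from the page.
PUBLIC_IP = "198.51.100.77"   # the gateway's WAN address
LAN_HOST = "192.168.1.20"     # a workstation on the private LAN
DMZ_MAIL = "192.168.2.10"     # the mail server, on its own DMZ subnet


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


# Port mapping table, the "Listen to ... forward to ..." form:
#   (proto, port on the public address) -> (internal host, port)
PortMap = Dict[Tuple[str, int], Tuple[str, int]]
# Masquerading table, one entry per flow a LAN host opened:
#   (proto, NAT port, remote host, remote port) -> (LAN host, LAN port)
FlowTable = Dict[Tuple[str, int, str, int], Tuple[str, int]]


class Masquerade:
    def __init__(self, port_maps: Optional[PortMap] = None, first_port: int = 60000):
        self.port_maps: PortMap = dict(port_maps or {})
        self.flows: FlowTable = {}
        self.next_port = first_port

    def outbound(self, pkt: Packet) -> Packet:
        """LAN -> internet: rewrite the private source to the public address on a
        NAT port, remembering the remote endpoint so the reply can be undone."""
        for (proto, nat_port, rhost, rport), lan in self.flows.items():
            if (proto, rhost, rport) == (pkt.proto, pkt.dst, pkt.dport) and lan == (pkt.src, pkt.sport):
                return replace(pkt, src=PUBLIC_IP, sport=nat_port)  # flow already known
        nat_port = self.next_port
        self.next_port += 1
        self.flows[(pkt.proto, nat_port, pkt.dst, pkt.dport)] = (pkt.src, pkt.sport)
        return replace(pkt, src=PUBLIC_IP, sport=nat_port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """internet -> gateway: return the packet rewritten for the internal host,
        or None when nothing says where it should go (the packet is dropped)."""
        if pkt.dst != PUBLIC_IP:
            return None                                         # not addressed to us
        lan = self.flows.get((pkt.proto, pkt.dport, pkt.src, pkt.sport))
        if lan is not None:
            return replace(pkt, dst=lan[0], dport=lan[1])       # reply to a flow we opened
        mapped = self.port_maps.get((pkt.proto, pkt.dport))
        if mapped is not None:
            return replace(pkt, dst=mapped[0], dport=mapped[1])  # explicitly exported service
        return None            # unsolicited and unmapped: there is no hole to go through


def demo() -> Dict[str, Optional[Packet]]:
    """Constructed traffic: one outbound web request and its reply, then three
    unsolicited inbound attempts, one of them at the exported SMTP port."""
    nat = Masquerade(port_maps={("tcp", 25): (DMZ_MAIL, 25)})
    out = nat.outbound(Packet("tcp", LAN_HOST, 50000, "203.0.113.80", 80))
    return {
        "web_request_out": out,
        # the genuine reply comes from the same remote endpoint to the NAT port
        "web_reply_in": nat.inbound(Packet("tcp", "203.0.113.80", 80, PUBLIC_IP, out.sport)),
        # a third party guessing the NAT port does not match the flow entry
        "guessed_nat_port": nat.inbound(Packet("tcp", "203.0.113.5", 80, PUBLIC_IP, out.sport)),
        # an unsolicited connection to a port nobody exported
        "unsolicited_80": nat.inbound(Packet("tcp", "203.0.113.5", 40000, PUBLIC_IP, 80)),
        # the exported SMTP port is forwarded, but into the DMZ, not the LAN
        "mapped_smtp": nat.inbound(Packet("tcp", "203.0.113.5", 40001, PUBLIC_IP, 25)),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:18s} -> {'dropped' if result is None else result}")
```

The two drops in the demo are the point: an inbound packet that matches neither a flow a LAN host opened nor a port mapping has no internal destination and goes nowhere, which is the 'NAT protection' the page refers to. The mapping for port 25 is the hole punched through that, and it is pointed at the DMZ host rather than at a machine on the LAN. Real NAT implementations additionally age out flow entries and track TCP state; this model keeps entries forever for clarity.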
From the Settings menu you can additionally choose to run a web proxy server. This is not really necessary for security once NAT is set up, but it can reduce traffic through page caching and thus improve performance.
From the Settings menu you can also opt to run a DHCP server or a mail server. That falls beyond the scope of this paper, as it has nothing to do with firewalls. One thing to look into is the DNS forwarder: you may need to configure it to keep name resolution working for the hosts on your LAN.
Setting up all these rules can be rather complicated, since you don't want to allow anything that could give unwanted access to your computer or network, while you also don't want to deny anything you actually need.
Some personal firewalls therefore let you decide case by case. E.g. the first time you start Internet Explorer to surf the web, such a firewall asks 'Allow Internet Explorer to connect to the internet?' In this case you'll say yes, and you may indicate that it should always be allowed so there's no need to ask again; from then on, Internet Explorer can connect to the internet while other programs cannot (until you allow them). ZoneAlarm is such a firewall. Microsoft's built-in Windows Firewall also works this way.
This looks like a very good idea. Downside: they are not routers, so you cannot use them to connect a local network to the internet. They are meant to protect a single personal computer.
More importantly, what would you answer if the firewall asked 'Allow WinConnect to connect to the internet?' How would you know? Is WinConnect a perfectly legitimate program, maybe even one your Windows network or your mail program needs, which you definitely don't want to break? Or is it a trojan that just arrived, hidden in that interesting attachment you just opened, and is now trying to set up a connection to inform the outside world that it has arrived and is waiting to be used?
On the other hand, this type of firewall can be worth having if you know your system a bit, so that you can judge accurately what should and shouldn't be allowed for the things you usually do. And when you are playing with new software, it may be good to be notified if the program you've just downloaded and installed is trying to set up a connection while you thought it was just another screensaver. But then again, a well-configured firewall of the classic type (NAT and rules) should block such connection attempts anyway. So, again, from the top