:: Welcome to Undernet's #Userguide - About Us
Home Networking -
Written by Valcor
Fixing Insecure Proxies
Special thanks to the documents team for their
assistance, and ideas in furthering the document.
January 19th, 2004
- Home Networking
- Proxy and NAT Servers
- Securing your proxy/NAT server
- Undernet and Proxy Servers
- Useful sites
With the introduction of broadband internet in many homes, home networking has become very common throughout the world. With this growth has also come the growth of the number of computers in the home. With multiple computers now entering the home, many people start considering home networking to allow everybody access to the internet. With the requirement of giving everybody access to the internet, comes the requirement to install certain software on your 'main' computer. Hopefully this document will give you a guide into how to make that main computer a little more secure than just installing the default software, with the default settings.
- Home Networking
Home networking has become very simple now with the common installation of network cards (NICs) into many PCs, and the cost of networking equipment such as hubs has decreased. But connecting to the internet with the default settings of Windows (or any operating system) can be a security risk, and not only cause problems for you, but for those that fall prey to attacks from your PC when somebody sees it as an open toy Here are a couple of ideas you may want to think about when setting up your home network.
- Does the main computer need to have file and printer sharing enabled?
- Do your computers have the latest security updates from the provider?
- Do I have an up to date virus scanner?
- Am I using a good firewall?
Just answering those questions can get you on a good start to home networking. The next step is how to allow your home network to get to the internet. There are two main/common ways in which access can be gained. The first is via a Proxy Server, the other is via a NAT server/firewall. Both are discussed below.
Please note that Undernet does not endorse or favor any software or hardware used while connected to its servers. The following is provided solely to help users of Undernet IRC.
Go to Top
Proxy and NAT Servers
A Proxy Server is normally software that works on the main computer connected to the internet. It acts as a redirector for your traffic. It takes your requests for things like websites, goes and gets those web pages, then returns you the data. This is equivalent to having a middmiddle man to do your work. Here is a simple scenario...You're at home, watching TV, you feel hungry, but you don't want to get up...you call your kid brother to get you some food. He runs off, gets your food, and comes back (if you're lucky). In this case, your kid brother was acting like a proxy server. You asked him for something, he went and got it, and gave you the results (food).
There are many different types of proxy servers available on the internet. Some are free, some are free for a certain number of users, and others may cost a little bit of money. Your needs, and the money you want to spend, will determine which software/hardware you use. Below are a few examples of proxy servers.
WinGate, is a very common windows based proxy server, and a demo can be downloaded for free at www.wingate.com. The full home version starts at about $35 (US) for 3 users. Wingate, unfortunately, is one of the easier proxy servers to miss-configure, so I'll cover making it a little more secure a little later.
Proxy+ is a small, fairly easy to configure, is reliable, and it's free
Proxy+ for up to 3 users. The developerís website can be found at http://www.proxyplus.cz/. Configuring it is fairly simple, and only needs a few tweaks in some places to make certain options work, but it is very reliable.
AnalogX Proxy is another small, but fairly common proxy server, although it doesn't support some options, setup is a matter of clicking a few buttons. The program can be found at http://www.analogx.com
Microsoft Proxy is a designed as a business related proxy server, but it is occasionally used in the home. Setup is moderately easy, but there are costs involved, and certain server requirements exist.
Squid is a UNIX based proxy server and can be found at http://www.squid-cache.org/. Squid is free, open source software, and downloadable from many sites. Configuration may take a little bit of extra knowledge of the UNIX operating system, but there are many "how to", documents, and guides on the internet. Squid is not Windows compatible.
Sygate is a Windows based NAT server, which can be located at http://www.sygate.com/. There is a small charge involved to use it, and depending on the number of users, this can increase.
Another Windows solution is Winroute by Kerio. Winroute can be found at http://www.winroute.com and there is a fee depending on the number of users. It has a simple to use setup system, making it easy to use.
I've only covered a few proxy servers, but there are many about, and your personal preference will always be an ultimate decider in which you plan on using.
Network Address Translation (or NAT) is often used to make transparent proxies (in which the end user doesn't require much configuration for use). It is often used in UNIX type operating systems (such as Linux, or FreeBSD), but is also incorporated into some modem DSL/Cable routers including those provided by Linksys. NAT works slightly different than a proxy server, but the outcome is still the same. NAT takes your address from inside the network, adds an extra address (that of the server), and sends the request on. When the request gets back to the server, it strips its own address, and returns the data back to the computer that made the request. NAT servers can often be configured using software that comes on the operating system, for example IPChains, or IPTables.
Go to Top
Securing your Proxy/NAT server
Securing your home network is one of the most important things to do to protect your computer and its data. Undernet now takes actions against poorly configured proxy servers by banning the host on connection. This is done because a poorly configured system can allow others to use your computer for criminal acts such as denial of service (DoS) attacks without your knowledge, miss configured computers can allow criminals disrupt networks like Undernet or flood websites. More details about Undernet's policies on unsecured systems can be found at http://www.undernet.org/proxyscan.php. This site also has a few links on securing proxy servers.
The first step to making your proxy server secure is reading the manual. It is often packed with information on how to make things better and safer for your network. Below are instructions for few of the common proxy servers.ini basic setup:
1. Open Gatekeeper and log into Wingate as Administrator.
2. Double click on Policies, and double click on "Default Policies".
3. Select the right "Users can access services".
4. There will be one recipient there - "Everyone". Double click on this recipient.
5. Select the Location tab.
6. Select "Specify locations from where this recipient has rights".
7. Add the following IP addresses under Included locations: 127.0.0.1, and the first three numbers of your Wingate machine's network card followed by a .*
For example if your network card has IP address 192.168.0.1, then you would add 192.168.0.*. If you have more than one network card in the Wingate machine then add an entry for each one that will be requiring access to Wingate.
8. Hit OK, and remember to save changes.
Now only your LAN users can access any service in Wingate. This should stop users from outside being able to use your proxy server for harm.
Load up your browser, and go to http://:4400, for example http://192.168.0.1:4400 if your computer was setup to be IP 192.168.0.1. This will load the administratorís interface. Under the security options is a section called "list of insecure interfaces". Under this option, put the connection to the Internet. This should stop any connections to the server from the outside.
Make sure you specify in the IP address, the IP address of your internal network card. This should stop connections from outside your network.
Methods of enforcing Squid security can be found at http://www..squid-cache.org/Doc/FAQ/FAQ-10.html#ss10.2.
NAT is fairly easy to stop other users from abusing it. Instead of defining a forward all rule, just define a rule that only forwards your internal network, and drops all forwarding requests from outside sources. A guide on setting up NAT/Masq can be found at http://www.tldp.org/HOWTO/IP-Masquerade-HOWTO/index.html and is setup in a way that forwarding only occurs on your home network.
Go to Top
Home networks are as much susceptible to attacks as the networks of the government and business. Home networks are often targeted because the ability to turn collections of unsecured computers into a single attack from a single host. Don't become an unknowing accomplice to a criminal act! Installing a firewall will help further your security for proxy servers, and your home network in general by blocking unauthorized access to your network. Most firewalls can also let you know when someone is trying to connect to your computer and document break-in attempts. I'm only briefly mentioning on the topic of firewalls as there is another document on the Documents website about this subject. There are many different types of firewalls, again ranging in cost, and functionality. A couple of firewalls to consider are:
For those running Linux, or Unix type Operating systems...you should try checking out iptables or ipchains.
(Documents on using can be found on both the sites listed)
Go to Top
Undernet and Proxy Servers
Due to recent abuse caused by the use of 'open proxies', Undernet now runs a proxy scanner when you first connect to a server to detect insecure setups. As soon as a insecure proxy server is detected, it is immediately disconnected, and given a network wide ban (G:Line). If you are connected, and ever get disconnected with this message You can visit the Undernet's proxy scan webpage at: http://www.undernet.org/proxyscan.php or email the staff on firstname.lastname@example.org where volunteers will try to assist you.
Go to Top
Here are a few sites that may be useful in your quest to securing your home network.
Go to Top
Internet has now become a great part of our lives, even if we don't realize it. Using the internet at home is also becoming more and more important for everyday life. Making sure you're secure is important to protect you, your information, and other people from the effects of a bad setup. Reading the manual is a good start to securing things, but taking those extra steps make all the difference, from clicking a couple of extra buttons, to typing an extra line in your configuration.
The documents project site (www.user-com.undernet.org//documents) has a wealth of information, and the various help channels are manned by knowledgeable people who will do their best to assist you man the various help channels... If you have any comments/additions/corrections or suggestions for new documents or FAQs, you are encouraged to email email@example.com with your suggestions.
Go to Top
© 2004 Undernet User Committee FV04
This page was last updated January 19th, 2004
Return to main Documents Project page
1994 - 2012 - Copyright notice and contacts. Please read our Acceptable use policy There are currently 17104 online