WinGate security configuration

Preliminary note: if you have suggestions or questions, please email them to me at alan@ajw.com. As I get questions (and time) I'll add them to this document.

author: Alan Jay Weiner (alan@ajw.com)

This document describes WinGate security: disabling proxy access from the Internet, preventing unauthorized outside access to a WinGate server, and preventing an unauthorized user from "bouncing" off that machine to cause problems elsewhere.


It is imperative that your WinGate setup be secure!

Because of problems with outside users abusing insecure proxy servers to cause trouble on MediaOne's and other people's servers, MediaOne will shut off service to anyone running an insecure proxy server!


WinGate is a "proxy server" - it allows a single machine, connected to the Internet, to act on behalf of other machines on a local LAN. This allows all the LAN machines access to the Internet, albeit slightly slower and in a somewhat controlled fashion.

For more information about WinGate, see http://www.deerfield.com or http://www.wingate.net

Another document discussing WinGate security is at http://www.wingate.net/secure-wingate.htm. It discusses this same information, but also covers using "rules-based" security.


The problem:

Just as other machines on the LAN can connect to the WinGate server, so can machines out on the Internet. Whether that is desirable depends on the service. If you're running a web or mail server, outside machines must be able to connect to it. Services such as telnet or SOCKS, on the other hand, should not be reachable without restriction: both let someone connect to the WinGate machine and then connect from that machine to a third one, where a low-life can create havoc that is traced back to you.
Recently, MediaOne was "K-lined" from Undernet. Undernet is one of the IRC (Internet Relay Chat) networks: a group of servers that let IRC users (running IRC client software) chat in real time, like a party line. There are a number of other IRC networks too. (Some channels are free-for-alls, others are moderated; many are sexually oriented, but there are channels on many other topics as well.) K-lining a user (or ISP) prevents that user (or anyone using that ISP) from connecting to the Undernet servers.
IRC servers will K-line a user for flooding the IRC servers (sending a tremendous amount of data) or for some other form of intentional mischief. If the individual user can't be identified, the IRC network will simply K-line the entire ISP's domain, so no one from that ISP can connect to its servers.


WinGate's security holes:

Two services provided by WinGate are especially prone to abuse by unauthorized users. Several other services are less troublesome, but should also be protected from outside use.

Telnet (port 23) allows connecting to the WinGate machine and from there to any other machine. The WinGate telnet proxy has no authentication built in: anyone who is allowed to connect gets full use of it.

SOCKS (port 1080) is a protocol that lets client software reach the Internet through a proxy acting on its behalf (WinGate's SOCKS proxy fills that role). A "SOCKS-ified" program connects to WinGate and asks it to open a connection to some destination; WinGate then relays data in both directions as if the program's own machine were on the Internet. This is quite useful inside the LAN, but dangerous if the SOCKS proxy can be reached from the Internet: anyone who can connect to port 1080 can have WinGate open a connection anywhere, and the destination sees only your address.

This scenario happened to me - I just happened to notice a spurious connection from a machine in Canada - it was "relaying" off my SOCKS proxy and the user was causing flooding problems on Undernet. I was fortunate in that I happened to notice it, and was able to both contact Undernet (and explain what happened) and reconfigure my WinGate so that it couldn't happen again.
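The relay described above is exactly what a SOCKS4 client does: it sends the proxy a CONNECT request naming a destination address and port, and the proxy answers with a one-byte result code. The following is an added example (not WinGate's own code and not from this page's author) that builds and decodes those messages and uses them to test, from a machine outside your LAN, whether your own proxy will relay for strangers. The proxy address, the 192.0.2.10 destination and port 6667 are assumptions chosen for illustration.

```python
"""SOCKS4 open-relay check (added example, not part of WinGate).

A SOCKS4 CONNECT request is: VN=4, CD=1, DSTPORT (2 bytes, network
order), DSTIP (4 bytes), USERID (ASCII), NUL.  The reply is 8 bytes:
VN=0, CD (result code), DSTPORT, DSTIP.  If the proxy answers 0x5A
("granted") for an arbitrary destination, it is an open relay.
"""
import socket
import struct

SOCKS4_VERSION = 4
CMD_CONNECT = 1
REPLY_GRANTED = 0x5A         # 90: request granted
REPLY_REJECTED = 0x5B        # 91: request rejected or failed
REPLY_NO_IDENTD = 0x5C       # 92: proxy could not reach client's identd
REPLY_IDENT_MISMATCH = 0x5D  # 93: identd reported a different user


def build_socks4_connect(dest_ip, dest_port, userid=""):
    """Encode a SOCKS4 CONNECT request for dest_ip:dest_port."""
    header = struct.pack("!BBH4s", SOCKS4_VERSION, CMD_CONNECT,
                         dest_port, socket.inet_aton(dest_ip))
    return header + userid.encode("ascii") + b"\x00"


def parse_socks4_reply(data):
    """Decode the 8-byte SOCKS4 reply; returns (code, port, ip)."""
    if len(data) < 8:
        raise ValueError("short SOCKS4 reply")
    vn, code, port, ip = struct.unpack("!BBH4s", data[:8])
    if vn != 0:
        raise ValueError("not a SOCKS4 reply (VN=%d)" % vn)
    return code, port, socket.inet_ntoa(ip)


def relay_verdict(code):
    """Turn a reply code into a verdict string."""
    if code == REPLY_GRANTED:
        return "OPEN RELAY: proxy connected to the destination for us"
    if code in (REPLY_REJECTED, REPLY_NO_IDENTD, REPLY_IDENT_MISMATCH):
        return "refused (code 0x%02X)" % code
    return "unexpected code 0x%02X" % code


def check_open_socks4(proxy_host, proxy_port=1080,
                      dest_ip="192.0.2.10", dest_port=6667, timeout=10):
    """Ask the proxy to CONNECT to an assumed third-party destination.

    Returns True only if the proxy grants the request, i.e. it will
    relay for anyone who can reach port 1080.  A connection refused at
    the proxy itself (disabled or bound to the LAN only) returns False.
    """
    try:
        with socket.create_connection((proxy_host, proxy_port), timeout) as s:
            s.sendall(build_socks4_connect(dest_ip, dest_port, "check"))
            code, _, _ = parse_socks4_reply(s.recv(8))
    except (OSError, ValueError):
        return False
    return code == REPLY_GRANTED


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    print(host, "relays SOCKS4 for outsiders:", check_open_socks4(host))
```

Run it from a machine that is not on your LAN (a friend's account elsewhere), giving your cable-modem address as the argument. After binding SOCKS to the LAN card as described below, the connection to port 1080 should fail and the verdict should be False.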

You should also protect the following services:

NNTP (port 119) (newsgroup proxy): letting outsiders post through your proxy lets them post messages to MediaOne's private newsgroups (express.*), and any message they post appears to come from you.

SMTP (port 25) could be used to relay mail, letting spammers send through your machine while pretending to be you and/or using MediaOne's mail server. If you're running your own mail server, you'll need to allow access to port 25; make sure that server is secure and does not relay mail from unknown users.


Configuring WinGate services:

Each service may be individually configured: enabled, disabled, restricted by network interface or by user, and so on.
WinGate is configured with Gatekeeper, its control program. To get to the service settings:

First, log into Gatekeeper. You will see a two-pane window.
[screenshot: Gatekeeper's main window]

Either double-click the "services" entry, or click the plus-sign to its left. Gatekeeper will display all the services.
[screenshot: Gatekeeper's main window with the services list open]

After configuring the services, click the diskette icon to save that configuration. Until you save, the changes aren't in effect.


Disabling a WinGate service:

Since I had no need of telnet, I simply disabled it. This prevents its use from inside or outside the LAN.

Telnet's configuration screen has a checkbox labeled "Accept connections on port". [screenshot: telnet service configuration screen]

To disable telnet entirely, simply uncheck that box, then select OK. On the main Gatekeeper screen, the service will be marked with a white X in a red circle to indicate that it's entirely disabled.


Binding a service to a network card:

When a service is bound to a network card, WinGate listens for that service only on that card's IP address, so only machines on that segment of the LAN can use it; connections arriving on any other interface are refused. Since the WinGate machine has (or should have!) two network interfaces, one for the LAN and the other for the cablemodem, binding a service to the LAN-connected card prevents its use from the Internet. This relies on the LAN address being unreachable from outside; a private address such as 192.168.0.1 is not routed across the Internet. This is what I did for SOCKS.

SOCKS' configuration screen has a "bind to specific interface" checkbox with an address box next to it. [screenshot: SOCKS service configuration screen]

To bind the SOCKS service to the local LAN, check the "bind to specific interface" box and enter the WinGate machine's LAN IP address in the box to its right (here I've entered 192.168.0.1). Do the same for any other service you keep enabled but don't want reachable from the Internet, such as NNTP or (if you're not running a mail server) SMTP. Afterwards, check the result on the WinGate machine with "netstat -an": each proxy port should show as LISTENING on the LAN address only, never on 0.0.0.0 or on the cablemodem address.

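The check just mentioned can be automated. What follows is an added example (not part of WinGate or Gatekeeper, and not from this page's author) that reads "netstat -an" output from the WinGate machine and reports, for each of the four ports this page warns about, whether it is disabled, bound to the LAN only, or exposed to the Internet. The sample netstat output is constructed for the example; 192.168.0.1 as the LAN address and 198.51.100.5 as the cablemodem address are assumptions.

```python
"""Audit WinGate proxy ports from `netstat -an` output.

Added example, not part of WinGate.  Feed audit_listeners() the text
printed by `netstat -an` on the WinGate machine.  A proxy port that is
LISTENING on 0.0.0.0 (all interfaces) or on the cable-modem address is
reachable from the Internet; one LISTENING only on the LAN address is
bound correctly; one with no listener is disabled.
"""
import re

# The services this page singles out, keyed by their TCP port.
PROXY_PORTS = {23: "telnet", 25: "SMTP", 119: "NNTP", 1080: "SOCKS"}

# Constructed sample in the format Windows `netstat -an` prints.
# 192.168.0.1 = assumed LAN card, 198.51.100.5 = assumed cable-modem
# address.  Port 80 is a web server, which is supposed to be public.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:23             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    192.168.0.1:1080       0.0.0.0:0              LISTENING
  TCP    198.51.100.5:119       0.0.0.0:0              LISTENING
  TCP    192.168.0.1:1080       192.168.0.7:1033       ESTABLISHED
  UDP    192.168.0.1:1081       *:*
"""

# Match only TCP sockets in LISTENING state; capture address and port.
LISTEN_RE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING\s*$")


def parse_listeners(netstat_output):
    """Return [(ip, port), ...] for every TCP socket in LISTENING state."""
    listeners = []
    for line in netstat_output.splitlines():
        m = LISTEN_RE.match(line)
        if m:
            listeners.append((m.group(1), int(m.group(2))))
    return listeners


def audit_listeners(netstat_output, lan_ip, external_ip):
    """Classify each proxy port as 'disabled', 'lan-only' or 'exposed'."""
    bound = {}
    for ip, port in parse_listeners(netstat_output):
        if port in PROXY_PORTS:
            bound.setdefault(port, set()).add(ip)
    report = {}
    for port, name in PROXY_PORTS.items():
        ips = bound.get(port, set())
        if not ips:
            report[name] = "disabled"
        elif ips <= {lan_ip}:
            report[name] = "lan-only"
        else:
            # 0.0.0.0, the external address, or any address we don't
            # recognise as the LAN card: treat as reachable from outside.
            report[name] = "exposed"
    return report


def exposed_services(report):
    """Names of services that still need disabling or binding."""
    return sorted(name for name, state in report.items() if state == "exposed")


if __name__ == "__main__":
    import sys
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_NETSTAT
    result = audit_listeners(text, "192.168.0.1", "198.51.100.5")
    for name in sorted(result):
        print("%-6s %s" % (name, result[name]))
    print("still exposed:", ", ".join(exposed_services(result)) or "none")
```

With the sample output the script reports telnet exposed (listening on all interfaces), NNTP exposed (listening on the cablemodem address), SOCKS lan-only and SMTP disabled. Pipe real output in with "netstat -an | python audit.py" and substitute your own addresses.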


Several folks have emailed with questions:

What is the security issue with telnet and SOCKS? Do you think it might be specific to Windows, or to any operating system?

Both telnet and SOCKS allow connecting one machine to another, then making a connection from that machine to a third. Usually it's to do real work, but it makes the first machine appear to be the second; an Evil Entity becomes anonymous, or worse, becomes you. When the guy from Canada had connected to my machine and then to Undernet, the Undernet folks thought that I was the one causing the problems. When I went on-line to them and told an IRC operator what was happening, the first question was "why are you flooding our servers?" The only IP address they could get was my machine's.

WinGate allows users to log in to it before using it; I haven't worked with that end of things because I've got the 'lite' version (just an administrator and a guest account). And logging in is a nuisance... :)

These services can be a problem on any operating system, although WinGate defaults to a more open configuration than it should, and it has the telnet proxy built in with no password protection on it. So unless you're validating users by some means (WinGate passwords, restriction to specific IP addresses or interfaces, etc.), it's easy for anyone to abuse it.

Is there any reason why simply deleting the telnet service isn't recommended? (It's easy enough to recreate it.)

No problem. You can simply delete it and recreate it if you ever want it; like disabling, deleting it leaves nothing listening on port 23.




Send email to me at: alan@ajw.com
Copyright 1997 Alan Jay Weiner