Windows IT Pro is the authoritative and independent resource for Windows NT, Windows 2000, Windows 2003, and Windows XP. Features a collection of resources and magazines for Windows IT professionals.
  
  


December 1998

Poor Man's Firewall



A cheap trick to keep intruders off your systems

You can never be too careful about Internet security. The number of sophisticated hacking tools available on the Internet these days is amazing (and sometimes frightening). For the most part, using these tools doesn't require much expertise in protocols and operating systems (OSs). This situation contrasts with the hacking environment of the late 1970s and early 1980s, when hackers needed a deep understanding of an OS to compromise it. Then, hackers wrote their own tools. Today, a 12-year-old can find the source code or executables for NewTear (Bonk), Teardrop, GetAdmin, and other Windows NT-based hacking tools and use those tools to wreak havoc on NT servers.

Because of this reality, viewing the Internet with a bit of trepidation is healthy for businesses, especially businesses that are considering plugging their corporate network in to it. When your company connects to the Internet, you must decide how to secure your network from intruders.

Most companies use a firewall, a device that sits between your internal network and the Internet and monitors communications between the two. A properly configured commercial firewall package is the best solution most organizations can choose to secure their network's Internet connection. When I consult with clients who want to connect their networks to the Internet, I always recommend a firewall first.

However, commercial firewalls cost more than some companies can justify spending. If you can't justify paying for a full-blown firewall, you can use Microsoft's Routing and Remote Access Service (RRAS, formerly Steelhead) to make your network more secure than it would be if it had no security mechanism in place. (For more information about RRAS, see "Related Articles in Windows NT Magazine.")

The Mantra of Internet Security
The most important principle to keep in mind when you consider Internet security is that you must minimize unsolicited inbound connections. Repeat "Minimize unsolicited inbound connections" to yourself daily; this phrase needs to be your mantra. You must allow some inbound connections, such as incoming email or responses to your users' Web page requests. But you want to keep out every other connection.

If you use an NT server as an Internet router, you can use RRAS as a packet filter for your internal network to keep out unwanted connections. Packet filtering is a basic firewall capability that lets you control which packets pass through your network interfaces. Packet filtering limits access to your NICs to packets with certain characteristics. RRAS lets you configure filters to allow or deny packets entry to your network based on the packets' source IP address or network, target IP address or network, protocol, or source or destination port. You can combine these criteria to tightly control what type of traffic passes through your router.

As an example, I'll build a set of rules that let internal users browse external Web sites but that restrict external users from browsing internal Web sites. To do this, I need to let users send Web site requests to external servers and let those servers' responses into my network. For my example, I'll use a nonroutable 10.x.x.x network as my internal network, as Figure 1 depicts, and I'll assume that all other IP addresses are external.
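The rule set described above, modelled as a stateless packet filter; this is an added example, not code or configuration from the original article, and it is not RRAS syntax. The `Packet` and `Rule` types, the unprivileged-port range assumed for clients, and the 203.0.113.x sample addresses are assumptions made for the illustration.

```python
import ipaddress
from dataclasses import dataclass

INTERNAL = ipaddress.ip_network("10.0.0.0/8")  # the article's internal network
ANY = ipaddress.ip_network("0.0.0.0/0")
HTTP = range(80, 81)
CLIENT_PORTS = range(1024, 65536)  # assumption: browsers use unprivileged ports

@dataclass(frozen=True)
class Packet:
    direction: str  # "out" leaves the internal network, "in" enters it
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

@dataclass(frozen=True)
class Rule:
    direction: str
    proto: str
    src_net: ipaddress.IPv4Network
    sports: range
    dst_net: ipaddress.IPv4Network
    dports: range

    def matches(self, p: Packet) -> bool:
        return (p.direction == self.direction and p.proto == self.proto
                and ipaddress.ip_address(p.src) in self.src_net
                and p.sport in self.sports
                and ipaddress.ip_address(p.dst) in self.dst_net
                and p.dport in self.dports)

# Constructed allow-list: a packet that matches no rule is dropped.
RULES = [
    Rule("out", "tcp", INTERNAL, CLIENT_PORTS, ANY, HTTP),  # Web requests
    Rule("in", "tcp", ANY, HTTP, INTERNAL, CLIENT_PORTS),   # Web responses
]

def verdict(p: Packet) -> str:
    """Stateless decision: only this packet's own header fields are used."""
    return "allow" if any(r.matches(p) for r in RULES) else "drop"

# Constructed sample traffic, not captured from a real network.
SAMPLES = [
    Packet("out", "tcp", "10.1.2.3", 40000, "203.0.113.10", 80),  # request
    Packet("in", "tcp", "203.0.113.10", 80, "10.1.2.3", 40000),   # response
    Packet("in", "tcp", "203.0.113.50", 41000, "10.0.0.5", 80),   # to internal Web server
    Packet("in", "tcp", "203.0.113.50", 80, "10.0.0.5", 139),     # to internal service port
]
```

Because the filter keeps no connection state, the inbound rule is pinned to client-side destination ports as well as source port 80, so a packet addressed to an internal service port is dropped whatever source port it carries.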

Installing RRAS
Before you install RRAS, you must set up an NT server as an Internet router. This process is complex. For a good walk-through of the process, see Mark Minasi, "Steelhead Swims into the Mainstream," August 1997. The only difference between the router setup in my example and the router setup in the Minasi article is the computers' Internet connection. The Minasi article discusses setting up an NT machine to route Internet traffic via a dial-up modem. The router in my example is a PC with two NICs. One NIC connects to the internal network, and the other connects directly to an Internet Web server.

After you set up an NT server to route your Internet traffic, you're ready to install RRAS on your system. If you don't already have Service Pack 3 (SP3) installed, install it. Then, download the RRAS installation executable MPRI386 (for Intel CPUs) or MPRALPHA (for Alphas) from http://www.microsoft.com/communications. Run the installation routine, and when RRAS Setup prompts you to select components to install, select the LAN routing option, as Screen 1 shows.

After you install RRAS, launch the Routing and RAS Admin program from the Start menu. Select Programs, Administrative Tools, then Start Router. Starting Routing and RAS Admin enables RRAS functionality on your system. To configure RRAS to start automatically in the future, select Control Panel, Services; double-click the Routing and Remote Access service; and select the Automatic option button.

 Windows IT Pro is a Division of Penton Media Inc.
 Copyright © 2009 Penton Media, Inc., All rights reserved.