Firewall Wizards mailing list archives

Re: Perhaps off-topic WinGate Proxy


From: "Rodney van den Oever" <roever () nse simac nl>
Date: Fri, 27 Nov 1998 23:10:56 +0100

Does anyone have information on security risks posed by WinGate.  Are
there any special precautions that should be taken on the machine that
is the WinGate server?

Any information would be appreciated.

Thanks,
Dave Olsen

1. Only run it on a machine with two interfaces so you can isolate your internal LAN and create a DMZ.

2. Make sure you bind the proxies only to the internal interface, e.g. 192.168.1.1. Don't use the default '0.0.0.0', 
because this allows anyone from the outside to connect to the telnet proxy or use the http-proxy with the HTTP CONNECT 
option like:

# telnet wingate 80
CONNECT intranet.domain.com:23 HTTP/1.0 <cr>
<cr>

3. Only install the options you really need and delete unnecessary proxies afterwards. You probably need the DNS-, 
SMTP-, WWW (HTTP/FTP)- and maybe NNTP-proxy. Activate web-caching to save some bandwidth.

4. Always use a separate exterior router and apply filters to it. Don't allow anyone to set up connections to the 
WinGate proxy apart from E-mail (SMTP). Make sure the router-platform you choose understands 'established' sessions, 
like a Livingston (Lucent) or Cisco router.

5. If possible, use an internal router to also limit connections from the WinGate server to your internal systems, e.g. 
only allow SMTP to/from the internal mailserver, only allow outgoing HTTP. Allow DNS (UDP/TCP 53) between the WinGate 
server and your internal mailserver.

--
Rodney van den Oever / 0x06 3547CA1 / PGP Key ID 0x0A6CCE53
And Jesus said unto them, 'And whom do you say that I am?' And they
replied, 'You are the eschatological manifestation of the kerygma of our
being, the ontological foundation of the context of our very selfhood
revealed.' And Jesus said, 'What?' (source unknown).
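Added example, not part of the original post or of WinGate itself: a small Python audit that takes `netstat -an` output from the proxy host and flags the two problems points 2 and 3 above describe, a proxy bound to '0.0.0.0' (or to the external interface) and a proxy that is bound but not on the list of services you actually need. The interface addresses, the port-to-service table and the sample netstat output are constructed for the example; adjust them to your own machine.

```python
import re
from typing import List, Tuple

# Constructed addresses for this example: the WinGate host's internal LAN interface
# and its Internet-facing interface (RFC 5737 documentation range stands in for a public IP).
INTERNAL_IF = "192.168.1.1"
EXTERNAL_IF = "203.0.113.10"

# Ports the proxies in the post would listen on, mapped to a short service label.
SERVICES = {
    21: "ftp-proxy", 23: "telnet-proxy", 25: "smtp", 53: "dns",
    80: "http-proxy", 119: "nntp-proxy", 1080: "socks-proxy",
}

# Services the post says you probably need (DNS, SMTP, WWW). NNTP is only a "maybe",
# so it is left out here; add 119 if you really use the NNTP proxy.
NEEDED_PORTS = {25, 53, 80}

WILDCARDS = {"0.0.0.0", "*"}
LOCAL_RE = re.compile(r"^([\d.]+|\*):(\d+)$")   # IPv4 'addr:port' token

# Constructed Windows 'netstat -an' output for a badly configured proxy host.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:23             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    192.168.1.1:25         0.0.0.0:0              LISTENING
  TCP    192.168.1.1:119        0.0.0.0:0              LISTENING
  TCP    203.0.113.10:1080      0.0.0.0:0              LISTENING
  TCP    192.168.1.1:80         192.168.1.37:1034      ESTABLISHED
  UDP    192.168.1.1:53         *:*
"""

Finding = Tuple[str, str, int, str, List[str]]


def parse_listeners(netstat_text: str) -> List[Tuple[str, str, int]]:
    """Return (proto, local_addr, port) for every listening TCP socket and every bound UDP
    socket. Accepts Windows output (state LISTENING) and Unix output (state LISTEN)."""
    listeners = []
    for line in netstat_text.splitlines():
        tokens = line.split()
        if not tokens or tokens[0].upper() not in ("TCP", "UDP"):
            continue                      # headers, blank lines, non-socket lines
        proto = tokens[0].upper()
        # The first 'addr:port' token after the protocol is the local address; Unix netstat
        # puts queue counters in between, so search rather than index.
        local = next((m for m in (LOCAL_RE.match(t) for t in tokens[1:]) if m), None)
        if local is None:
            continue
        if proto == "TCP" and not any(t.upper().startswith("LISTEN") for t in tokens):
            continue                      # established/time-wait connections are not listeners
        listeners.append((proto, local.group(1), int(local.group(2))))
    return listeners


def audit_bindings(netstat_text: str, internal_if: str = INTERNAL_IF,
                   external_if: str = EXTERNAL_IF, needed=NEEDED_PORTS) -> List[Finding]:
    """Label every bound socket with the problems from points 2 and 3 of the post."""
    findings = []
    for proto, addr, port in parse_listeners(netstat_text):
        problems = []
        if addr in WILDCARDS:
            problems.append("bound-to-all-interfaces")     # point 2: reachable from outside
        elif addr == external_if:
            problems.append("bound-to-external-interface") # point 2: same exposure, explicit
        if port not in needed:
            problems.append("unneeded-service")            # point 3: delete unused proxies
        findings.append((proto, addr, port, SERVICES.get(port, "unknown"), problems))
    return findings


def exposed(findings: List[Finding]) -> List[Finding]:
    """Only the sockets that need attention."""
    return [f for f in findings if f[4]]


if __name__ == "__main__":
    for proto, addr, port, service, problems in audit_bindings(SAMPLE_NETSTAT):
        status = "OK" if not problems else ", ".join(problems)
        print(f"{proto} {addr}:{port:<5} {service:<13} {status}")
```

Run it on the real output of `netstat -an` from the proxy host (`audit_bindings(open("netstat.txt").read())`); a clean host shows every proxy bound to the internal address only, with no 'unneeded-service' entries. Sockets bound to 127.0.0.1 are reported as OK, since they are not reachable from either interface.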
