6. If you are running a Proxy server
A proxy server is one method for sharing your Internet connection. The pros and cons of this method are described here. There are many different vendors of proxy software, but perhaps the most well-known is Qbik’s WinGate.
The 2.x versions of WinGate are infamous for the security problems that they can cause. The problem is not that the program is bad, but that it is easily misconfigured.
The 3.x versions of WinGate use a different technology that makes them function more like a NAT-based router, and can be more secure than the 2.x versions. The 3.x Home version uses only the newer NAT-like method, and can’t be misconfigured. But the 3.x Standard and Pro versions also allow the user to use the older, pure proxy-based method, which can be misconfigured like the 2.x version.
The following “how-to” information applies primarily to WinGate 2.x and the 3.x Standard and Pro versions. But the precautions are applicable to any proxy server that requires you to set your Internet applications (web browser, email, etc.) to use a proxy, and should work for the newer 4.x and 5.x versions of WinGate:
Point 1: Don’t enable any more proxy services than necessary
Web browsing requires only an HTTP or WWW service. Once you have an HTTP service successfully running, you can use the WinGate help files to enable more services. Unless you have fairly sophisticated needs you probably won’t need to enable anything beyond the following services (in addition to the HTTP/WWW service you’ve already enabled):
- POP3 Proxy service – For incoming email.
- SMTP mapping service – For outgoing email.
- NNTP mapping service – For newsgroup access.
- RealAudio Proxy service – If you use this service.
- VDOLive Proxy service – If you use this service.
Installation of the following services is not recommended unless you know what you are doing.
Improper configuration of these services can open your system (and your ISP’s network) to unauthorized users, cause problems for your ISP, or both! The services with a high capability of damage are indicated with a .
- FTP Proxy service – Needed if you run an FTP server to transfer files between your computer and Web site, or maybe if you are using some FTP client programs.
(Note! You don’t need to enable this service to FTP files to your computer using your Web browser.) If you do enable this service, don’t allow anonymous FTP unless you really need to!
- Telnet Proxy service – allows connection to another computer to run programs and access files.
This service also allows users to Telnet to your computer. However, you need to be running a Telnet service on your computer and Windows 95/98 does not provide one. If you do enable this service, require anyone Telnetting into your computer to have their own password!
- DNS service – Needed only if you want to run a DNS server on your LAN. WinGate recommends that you install a DNS server for any of four reasons:
1) You want to use SOCKS4 to access FTP or Gopher or HTTPS URLs in a browser.
2) You want to run some other SOCKS4 capable software.
3) You have a large LAN and you want name resolution for the machines on your LAN.
4) You want to be able to refer to ‘wingate’ in your client setup.
I recommend not installing this service.
- DHCP service – This service automatically assigns IP addresses to machines on your network. You must have a separate LAN, i.e. two NICs in the machine connected to the cable modem, and you must properly configure this service.
If you don’t follow the two musts above, expect to hear from your ISP, either before or after they disconnect you for interfering with the DHCP servers that they use to run their network!
The basic rule of keeping things as simple as possible will serve you well and keep your network protected.
Point 2: Control where the Proxy can be accessed from
To take care of point two, follow the “Option 1” directions on the WinGate security page. What this will do is set WinGate so that it only allows service to requests from computers that are on the local (192.168.0.*) subnet.
If you don’t secure your site, unknown users will be able to access your proxy server for HTTP/WWW service. Although you might not think this level of service would be harmful, remember that lots of different things (Javascript, Java applets, multimedia files) can be transferred using the HTTP protocol. Even if this does no harm, do you really want your proxy server to be serving users you don’t even know, coming from who knows where?
Point 3: Shut it off when you’re not using it.
WinGate defaults to starting up every time you boot your machine. It runs as a service, not a program, so you won’t see it in the Windows Task bar or even in the “Close Program” dialog box. The latest version (2.1d as of this writing) puts up a Pop-Up when it starts, but earlier versions don’t announce they’ve started.
If you don’t want WinGate to start when you boot your system, create a Windows shortcut to the “Stop WinGate Engine” icon that you’ll find in the
C:\Windows\Start Menu\Programs\Wingate 2.1 folder and move it to the
C:\Windows\Start Menu\Programs\StartUp folder.
If you’ve done this properly, you’ll see a “WinGate Stopped” dialog box pop up when you boot the system. You can then start WinGate when you want to via the “Start WinGate Engine” icon in the Start Menu (contained in the Programs\Wingate 2.1 folder).
If you’re comfortable editing the Windows Registry, you can delete the “WinGate Service” key in the registry branch:
My Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
NOTE! Improperly editing the Registry can leave your computer inoperable!
You may want to export that branch of the registry before you delete the key. That way, you’ll be able to restore the WinGate auto-start key to the Registry by just double clicking on the exported file.
Point 4: Set up and Check the logs.
When you installed WinGate you let it install a logging service. The logs are located at:
C:\Program Files\Wingate\Logs
If you have properly secured your site, then when you read the logs (Notepad or Wordpad work fine) you should see service requests only from IP addresses or computer names that are in your network. If you see entries from any other addresses, then unknown people are accessing your proxy server. You should shut off the offending service or just shut down WinGate until you can correct the problem.
If you’ve followed the process I’ve outlined, you really won’t need to check your logs, since your site is properly secured. But if you enable more services, it’s a good idea to check the logs occasionally to make sure no unauthorized people are accessing your system.
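The log check from Point 4, using the 192.168.0.* rule from Point 2, as an added example (not part of the original article and not WinGate code). The line layout, the computer names and the sample lines are assumptions constructed for illustration; adjust the pattern to match what your own log files contain.

```python
import ipaddress
import re
from collections import Counter

# Local subnet from Point 2, plus loopback for requests made on the proxy host itself.
ALLOWED_NETS = [ipaddress.ip_network(n) for n in ("192.168.0.0/24", "127.0.0.0/8")]
ALLOWED_NAMES = {"den-pc", "kitchen-pc"}  # hypothetical LAN computer names; list your own
# ASSUMED line layout (not WinGate's documented format): date time client service request...
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*(.*)$")

def is_local(client):
    """True if the client field is an allowed address or a known LAN name."""
    try:
        addr = ipaddress.ip_address(client)
    except ValueError:
        return client.lower() in ALLOWED_NAMES  # not an IP: treat it as a name
    return any(addr in net for net in ALLOWED_NETS)

def audit(lines):
    """Return (outsiders, unparsed): a Counter of (client, service) requests from
    non-local clients, and the lines that did not match the assumed layout."""
    outsiders, unparsed = Counter(), []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            unparsed.append(line)
        elif not is_local(m.group(3)):
            outsiders[(m.group(3), m.group(4))] += 1
    return outsiders, unparsed

# Constructed sample lines; 203.0.113.x and 198.51.100.x are documentation ranges.
SAMPLE = """\
01/15/99 20:14:02 192.168.0.2 WWW GET http://example.com/
01/15/99 20:14:09 den-pc POP3 USER alice
01/15/99 23:51:40 203.0.113.77 WWW GET http://example.org/
01/15/99 23:51:44 203.0.113.77 WWW GET http://example.org/a.gif
01/16/99 02:03:11 198.51.100.9 Telnet connect
01/16/99 02:03:12 192.168.1.5 WWW GET http://example.net/
garbled
"""

if __name__ == "__main__":
    hits, bad = audit(SAMPLE.splitlines())
    for (client, service), n in hits.most_common():
        print(f"OUTSIDE  {client:<15} {service:<8} {n} request(s)")
    print(f"{len(bad)} line(s) did not parse; read those by hand")
```

Note that 192.168.1.5 is reported even though it is a private address: only the 192.168.0.* subnet is treated as local, matching the access rule from Point 2.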