Fixing Insecure Proxies

Introduction
With the introduction of broadband internet in many homes, home networking has become very common throughout the world. With this growth has also come the growth of the number of computers in the home. With multiple computers now entering the home, many people start considering home networking to allow everybody access to the internet. With the requirement of giving everybody access to the internet, comes the requirement to install certain software on your 'main' computer. Hopefully this document will give you a guide into how to make that main computer a little more secure than just installing the default software, with the default settings.

Home Networking
Home networking has become very simple now with the common installation of network cards (NICs) into many PCs, and the cost of networking equipment such as hubs has decreased. But connecting to the internet with the default settings of Windows (or any operating system) can be a security risk, and not only cause problems for you, but for those that fall prey to attacks from your PC when somebody sees it as an open toy Here are a couple of ideas you may want to think about when setting up your home network.


 * Does the main computer need to have file and printer sharing enabled?
 * Do your computers have the latest security updates from the provider?
 * Do I have an up to date virus scanner?
 * Am I using a good firewall?

Just answering those questions can get you on a good start to home networking. The next step is how to allow your home network to get to the internet. There are two main/common ways in which access can be gained. The first is via a Proxy Server, the other is via a NAT server/firewall. Both are discussed below.

Please note that DareNET does not endorse or favor any software or hardware used while connected to its servers. The following is provided solely to help users of DareNET.

Proxy
A Proxy Server is normally software that works on the main computer connected to the internet. It acts as a redirector for your traffic. It takes your requests for things like websites, goes and gets those web pages, then returns you the data. This is equivalent to having a middmiddle man to do your work. Here is a simple scenario...You're at home, watching TV, you feel hungry, but you don't want to get up...you call your kid brother to get you some food. He runs off, gets your food, and comes back (if you're lucky). In this case, your kid brother was acting like a proxy server. You asked him for something, he went and got it, and gave you the results (food).

There are many different types of proxy servers available on the internet. Some are free, some are free for a certain number of users, and others may cost a little bit of money. Your needs, and the money you want to spend, will determine which software/hardware you use. Below are a few examples of proxy servers.

WinGate
WinGate, is a very common windows based proxy server, and a demo can be downloaded for free at www.wingate.com. The full home version starts at about $35 (US) for 3 users. Wingate, unfortunately, is one of the easier proxy servers to miss-configure, so I'll cover making it a little more secure a little later.

Proxy+
Proxy+ is a small, fairly easy to configure, is reliable, and it's free Proxy+ for up to 3 users. The developer’s website can be found at http://www.proxyplus.cz/. Configuring it is fairly simple, and only needs a few tweaks in some places to make certain options work, but it is very reliable.

AnalogX
AnalogX Proxy is another small, but fairly common proxy server, although it doesn't support some options, setup is a matter of clicking a few buttons. The program can be found at http://www.analogx.com

Microsoft Proxy
Microsoft Proxy is a designed as a business related proxy server, but it is occasionally used in the home. Setup is moderately easy, but there are costs involved, and certain server requirements exist.

Squid
Squid is a UNIX based proxy server and can be found at http://www.squid-cache.org/. Squid is free, open source software, and downloadable from many sites. Configuration may take a little bit of extra knowledge of the UNIX operating system, but there are many "how to", documents, and guides on the internet. Squid is not Windows compatible.

Sygate
Sygate is a Windows based NAT server, which can be located at http://www.sygate.com/. There is a small charge involved to use it, and depending on the number of users, this can increase.

Winroute
Another Windows solution is Winroute by Kerio. Winroute can be found at http://www.winroute.com and there is a fee depending on the number of users. It has a simple to use setup system, making it easy to use.

I've only covered a few proxy servers, but there are many about, and your personal preference will always be an ultimate decider in which you plan on using.

NAT
Network Address Translation (or NAT) is often used to make transparent proxies (in which the end user doesn't require much configuration for use). It is often used in UNIX type operating systems (such as Linux, or FreeBSD), but is also incorporated into some modem DSL/Cable routers including those provided by Linksys. NAT works slightly different than a proxy server, but the outcome is still the same. NAT takes your address from inside the network, adds an extra address (that of the server), and sends the request on. When the request gets back to the server, it strips its own address, and returns the data back to the computer that made the request. NAT servers can often be configured using software that comes on the operating system, for example IPChains, or IPTables.

Securing your Proxy/NAT server
Securing your home network is one of the most important things to do to protect your computer and its data. DareNET now takes actions against poorly configured proxy servers by banning the host on connection. This is done because a poorly configured system can allow others to use your computer for criminal acts such as denial of service (DoS) attacks without your knowledge, miss configured computers can allow criminals disrupt networks like DareNET or flood websites.

The first step to making your proxy server secure is reading the manual. It is often packed with information on how to make things better and safer for your network. Below are instructions for few of the common proxy servers.ini basic setup:

Wingate
1. Open Gatekeeper and log into Wingate as Administrator.

2. Double click on Policies, and double click on "Default Policies".

3. Select the right "Users can access services".

4. There will be one recipient there - "Everyone". Double click on this recipient.

5. Select the Location tab.

6. Select "Specify locations from where this recipient has rights".

7. Add the following IP addresses under Included locations: 127.0.0.1, and the first three numbers of your Wingate machine's network card followed by a .* For example if your network card has IP address 192.168.0.1, then you would add 192.168.0.*. If you have more than one network card in the Wingate machine then add an entry for each one that will be requiring access to Wingate.

8. Hit OK, and remember to save changes.

Now only your LAN users can access any service in Wingate. This should stop users from outside being able to use your proxy server for harm.

Proxy+
Load up your browser, and go to http://:4400, for example http://192.168.0.1:4400 if your computer was setup to be IP 192.168.0.1. This will load the administrator’s interface. Under the security options is a section called "list of insecure interfaces". Under this option, put the connection to the Internet. This should stop any connections to the server from the outside.

AnalogX Proxy
Make sure you specify in the IP address, the IP address of your internal network card. This should stop connections from outside your network.

Squid
Methods of enforcing Squid security can be found at http://www..squid-cache.org/Doc/FAQ/FAQ-10.html#ss10.2.

NAT
NAT is fairly easy to stop other users from abusing it. Instead of defining a forward all rule, just define a rule that only forwards your internal network, and drops all forwarding requests from outside sources. A guide on setting up NAT/Masq can be found at http://www.tldp.org/HOWTO/IP-Masquerade-HOWTO/index.html and is setup in a way that forwarding only occurs on your home network.

Firewalls
Home networks are as much susceptible to attacks as the networks of the government and business. Home networks are often targeted because the ability to turn collections of unsecured computers into a single attack from a single host. Don't become an unknowing accomplice to a criminal act! Installing a firewall will help further your security for proxy servers, and your home network in general by blocking unauthorized access to your network. Most firewalls can also let you know when someone is trying to connect to your computer and document break-in attempts. I'm only briefly mentioning on the topic of firewalls as there is another document on the Documents website about this subject. There are many different types of firewalls, again ranging in cost, and functionality. A couple of firewalls to consider are:


 * Black Ice - This can be found at http://www.networkice.com
 * ZoneAlarm - This can be found at http://www.zonelabs.com
 * Shields Up! - This can be found at http://grc.com/su-firewalls.htm

For those running Linux, or Unix type Operating systems...you should try checking out iptables or ipchains.


 * iptables - http://www.netfilter.org
 * ipchains - http://netfilter.samba.org/ipchains/

(Documents on using can be found on both the sites listed)

DareNET and Proxy Servers
Due to recent abuse caused by the use of 'open proxies', DareNET now runs a proxy scanner when you first connect to a server to detect insecure setups. As soon as a insecure proxy server is detected, it is immediately disconnected, and given a network wide ban (G-line).

Useful Sites
Here are a few sites that may be useful in your quest to securing your home network.


 * http://www.wingate.com
 * http://www.cyberabuse.org
 * http://www.linuxdoc.org/HOWTO/
 * http://www.networkice.com
 * http://www.zonelabs.com
 * http://www.proxyplus.cz
 * http://grc.com/su-firewalls.htm
 * http://www.analogx.com
 * http://www.mcafee.com
 * http://www.symantec.com
 * http://www.antivirus.com
 * http://www.moosoft.com

Summary
Internet has now become a great part of our lives, even if we don't realize it. Using the internet at home is also becoming more and more important for everyday life. Making sure you're secure is important to protect you, your information, and other people from the effects of a bad setup. Reading the manual is a good start to securing things, but taking those extra steps make all the difference, from clicking a couple of extra buttons, to typing an extra line in your configuration.