Qbik Helpsys

Port Security

The ENS driver allows you to create filters that can be used to control connections to and from WinGate through the ENS firewall. Each filter can be configured to allow, deny, or redirect traffic. These security filters can be based on a number of factors found in each connection:

  1. Connection types

    The ENS driver defines 5 different types of connection that can be received on WinGate network interfaces. The type is determined by a number of factors: the WinGate network interface the connection was received on, the WinGate usage classification of that interface, and the details of the packet itself. When configuring a port security filter, you must choose which connection type the filter applies to.

    Read more about ENS connection types

  2. Protocol and Application port

    Each filter can be configured to filter traffic based on the protocol being used (TCP or UDP) and the port specified in the packet. Within each filter, you can select either a single port or a range of ports that will be filtered.

Port Security tab

The Port Security tab found in the Extended Network Driver properties of the WinGate Management console, shows all the port security filters that have been created for a particular connection type (as explained above).

You can add, edit, or remove port security filters for each connection type from this configuration as required.

Note

When you bind a WinGate network service to an interface/port combination that the firewall would normally block, WinGate offers to create a filter (a hole) in the firewall for you; we recommend accepting, so that the hole is tied to the service rather than added by hand. When you unbind or delete the service, the hole is closed again automatically by the firewall.

To create a port security filter:

  1. Open the WinGate Management console.
  2. Navigate to Control Panel > Extended Networking and open the Extended Network Driver properties.
  3. Select the Port Security tab. From the Connection type drop down menu, select the connection type you wish to create a filter for.
  4. From the Protocol menu, select whether this will be for TCP or UDP connections.
  5. Click the Add button to open the Port Range Configuration.
  6. In the Port range specification section, enter a description for this filter that will easily identify its purpose.
  7. Select the ENS connection type that will be affected by the security filter. This will already be selected for you when you chose the connection type on the Port Security configuration in step 3.
  8. Select the appropriate protocol (either TCP or UDP) that this filter will cover. Again this will automatically be set from the choice you selected in step 4.
  9. Specify the port (or port range) that this filter applies to.
  10. Under the Action section, select the action to take when a packet arrives on this port. You can choose: Allow, Drop, or Redirect Packet to IP address (for example a Web server running behind WinGate).
  11. Click OK. The newly created filter should now appear in the ENS Port Security configuration screen.

Options

Use SYN cookies

With SYN cookies, WinGate validates the TCP three-way handshake before a connection is allowed through to the port: the SYN-ACK it sends carries a value that the remote host must echo in its final ACK, so the connection is only accepted once a valid ACK comes back from that host. Forged SYN packets, which are the basis of a SYN flood attack, therefore have much less chance of getting past WinGate's defences.

This option is not ticked by default, to allow for maximum application session compatibility, and should only be enabled by administrators who are familiar with TCP session mechanics.
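To make the mechanism concrete, here is an added example (not WinGate code, and not a description of how ENS implements the option): a toy TCP listener that answers each SYN with a SYN-cookie initial sequence number instead of allocating a half-open entry, and accepts a connection only when the final ACK carries a valid cookie. The cookie layout, the MSS table, the secret and the addresses are all constructed for the demonstration; the scheme follows the classic Bernstein/Linux layout (time counter, MSS index, keyed hash) but is simplified.

```python
import hashlib
import hmac
import time

# Secret used to key the cookie hash; a real stack rotates it. (Constructed value.)
SECRET = b"demo-secret-rotate-me"

# Cookie layout in the 32-bit initial sequence number:
#   top 8 bits  : time counter t (units of 64 s), so old cookies expire
#   next 3 bits : index into MSS_TABLE (the one SYN option worth remembering)
#   low 21 bits : keyed hash of the 4-tuple and t, so cookies cannot be forged
MSS_TABLE = (536, 1024, 1220, 1440, 1460)


def _mac21(saddr, sport, daddr, dport, t):
    msg = f"{saddr}:{sport}>{daddr}:{dport}|{t}".encode()
    digest = hmac.new(SECRET, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:4], "big") & 0x1FFFFF


def make_cookie(saddr, sport, daddr, dport, mss, now=None):
    """Initial sequence number to put in the SYN-ACK. Nothing is stored."""
    t = int((time.time() if now is None else now) // 64) & 0xFF
    mss_idx = 0
    for i, m in enumerate(MSS_TABLE):
        if m <= mss:
            mss_idx = i
    return (t << 24) | (mss_idx << 21) | _mac21(saddr, sport, daddr, dport, t)


def check_cookie(saddr, sport, daddr, dport, ack, now=None, max_age=2):
    """Validate the final ACK of the handshake. Returns the MSS, or None."""
    cookie = (ack - 1) & 0xFFFFFFFF            # the client ACKs ISN + 1
    t = cookie >> 24
    t_now = int((time.time() if now is None else now) // 64) & 0xFF
    if (t_now - t) & 0xFF > max_age:
        return None                            # stale cookie (or from the future)
    if (cookie & 0x1FFFFF) != _mac21(saddr, sport, daddr, dport, t):
        return None                            # hash mismatch: forged or guessed
    return MSS_TABLE[(cookie >> 21) & 0x7]


class CookieListener:
    """Toy server side: SYN -> SYN-ACK(cookie); ACK -> accept only if valid."""

    def __init__(self, addr, port):
        self.addr, self.port = addr, port
        self.established = []                  # state exists only after a valid ACK

    def on_syn(self, saddr, sport, mss, now=None):
        # No half-open entry is created: the ISN in the reply *is* the state.
        return make_cookie(saddr, sport, self.addr, self.port, mss, now)

    def on_ack(self, saddr, sport, ack, now=None):
        mss = check_cookie(saddr, sport, self.addr, self.port, ack, now)
        if mss is None:
            return False                       # silently dropped, as a firewall would
        self.established.append((saddr, sport, mss))
        return True


def demo(now=1_000_000.0):
    srv = CookieListener("203.0.113.10", 80)   # constructed RFC 5737 addresses
    # 1. A legitimate client completes the handshake.
    isn = srv.on_syn("198.51.100.7", 40001, 1460, now)
    legit = srv.on_ack("198.51.100.7", 40001, (isn + 1) & 0xFFFFFFFF, now)
    # 2. A SYN flood: 10 000 spoofed SYNs leave no half-open state behind.
    for i in range(10_000):
        srv.on_syn(f"10.0.{i // 256}.{i % 256}", 1024 + i, 1460, now)
    # 3. An attacker guesses an ACK number without seeing the SYN-ACK.
    forged = srv.on_ack("198.51.100.8", 40002, 0x12345678, now)
    # 4. A valid cookie replayed hours later is rejected (time counter moved on).
    stale = srv.on_ack("198.51.100.7", 40001, (isn + 1) & 0xFFFFFFFF, now + 4 * 3600)
    return {"legit": legit, "forged": forged, "stale": stale,
            "state_entries": len(srv.established)}


if __name__ == "__main__":
    print(demo())
```

The point for an administrator is the last value returned by demo(): after a legitimate connection and ten thousand spoofed SYNs, exactly one state entry exists. The price, and the reason the option is off by default, is that SYN options other than MSS are not remembered, which some applications notice.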

Notify on access

With this option ticked, each access to the specified port range is recorded in the WinGate NAT log, found at Control Panel > Logging in the WinGate Management console.

Cloak connection failures

This option is ticked by default. When a would-be attacker port-scans the WinGate server looking for vulnerable ports, WinGate hides the status of ports on which nothing is listening (see the Note below), so that the scanner cannot tell a closed port from a filtered one and overlooks it.

Note

When a port (or range of ports) is open, WinGate will allow any packets on that port to be further processed by the TCP/IP protocol stack, which will then pass it on to the operating system or application if everything is correct. Even if nothing is listening on that port, the operating system will normally respond to a connection request with a TCP RST packet (connection refused).

If the operating system responds with a TCP RST packet and you have Cloak connection failures selected, then WinGate will intercept the TCP RST packet and discard it.

This means that if you open up a range of ports but no application (e.g. a web or mail server) is listening, there will be NO response at all, as opposed to the operating system explicitly telling the client via the TCP RST packet that nothing is listening. Port scanners will not see or hear anything from that port.

If something is listening, however, you will be able to connect to it, since that port range is open. Cloaking therefore hides only the absence of a service: a port with a listener still answers the scanner's SYN with a SYN-ACK exactly as it would without cloaking.
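A way to verify the behaviour described in this note from outside the WinGate host, as an added example that is not part of the WinGate documentation or product: a small connect scanner that classifies each port as open, closed (a TCP RST came back) or filtered (no reply at all), which is the same three-way distinction port scanners draw. The target host and port list are placeholders; run it from a machine on the Internet side against the WinGate server's external address. The self_check() function exercises the open and closed cases on loopback so the classifier can be tested offline.

```python
import socket
import sys


def probe_tcp_port(host, port, timeout=2.0):
    """Classify one TCP port the way a connect scanner does.

    'open'      handshake completed: a service is listening behind the filter
    'closed'    TCP RST received (connection refused): the filter lets the
                packet through, nothing listens, and the RST was not cloaked
    'filtered'  no reply before the timeout: the packet was dropped, or the
                RST from the operating system was intercepted (cloaked)
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "closed"
    except socket.timeout:
        return "filtered"
    except OSError as exc:                     # e.g. network unreachable
        return f"error:{exc.errno}"
    finally:
        s.close()


def scan_ports(host, ports, timeout=2.0):
    """Probe each port in turn and return {port: state}."""
    return {p: probe_tcp_port(host, p, timeout) for p in ports}


def self_check():
    """Offline sanity check on loopback: a port with a listener must read
    'open', and the same port after the listener is closed must read
    'closed', because the operating system answers the SYN with RST.
    'filtered' cannot be produced on loopback; observe it against the
    WinGate host from outside."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))            # port 0: the OS picks a free port
    listener.listen(1)
    port = listener.getsockname()[1]
    while_listening = probe_tcp_port("127.0.0.1", port, 1.0)
    listener.close()
    after_close = probe_tcp_port("127.0.0.1", port, 1.0)
    return while_listening, after_close


if __name__ == "__main__":
    # Placeholder target: pass the WinGate server's external address as argv[1].
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    for port, state in scan_ports(target, [25, 80, 443, 8080]).items():
        print(f"{target}:{port}\t{state}")
```

Against a port range that a filter has opened but to which no service is bound, the scanner should report "filtered" while Cloak connection failures is ticked and "closed" when it is not; a port with a bound service reports "open" in both cases, which is the caveat above in observable form.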

Use default timeouts

Use the standard default timeout values; these generally never need to be altered. Setting packets to never time out is considered dangerous and is not recommended, since entries for abandoned sessions would then never be cleaned up.
