Machines with multiple interfaces are probably used
as "gateways" to the Internet, running proxy servers, routing,
SOCKS, NATs, or Microsoft's Internet Connection Sharing (ICS).
Such machines accept incoming traffic, process/translate it,
then send it out to the Internet.
Defender will monitor/firewall all incoming traffic,
even if it is destined to go back out again.
This is a philosophical question: do you ship a product more
secure, but which causes some things to break? Most vendors
choose to ship their products in a completely insecure manner,
which reduces support calls when customers install them.
Network ICE has chosen a middle ground: the firewall is set
to "Cautious", which means that most things still work and
security is very good. On the other hand, security isn't perfect,
and some things (like gateways) will break. To improve security
(and break more things), customers can bump the firewall up
to "Paranoid". To make gateways work, choose one of the
options below.
- Trust
-
Configure the firewall to accept all traffic from the
machines behind the gateway. See knowledge base article
q000051 for more information.
- Disable monitoring on one NIC
-
You can disable all monitoring/firewalling on a NIC
completely. This may be a good choice for internal NICs.
See knowledge base article
q000023 for more information.
There are many gateway technologies. Here are some known issues
with some of them.
- Microsoft "Internet Connection Sharing (ICS)"
-
See knowledge base article
q000010 for more information.
- SOCKS server
-
SOCKS is frequently misconfigured so that people on the
Internet can attack other machines on the Internet
through the gateway (making it appear as if the
attacks come from the SOCKS machine). To block this, raise
the firewall on the machine running SOCKS to "Nervous",
or block port 1080. Either way, the SOCKS port is then
refused to all machines except those in the Trust list.
- proxy
-
The two methods above should allow proxies to work.
- routing
-
Routing is the only one of these technologies where
each machine is assigned an Internet-visible address.
All the other techniques assign "private" addresses,
making those machines much more difficult to reach from
the Internet. Installing Defender on the router creates a
firewall that protects all the hosts behind it. Again,
one of the techniques above should be used to allow
internal machines to access the Internet.
- NAT (Network Address Translation)
-
See knowledge base article
q000045 for more information.
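To show how the settings above interact on a gateway, here is a small Python model of the rules this article describes: the Trust list, disabling monitoring on one NIC, and closing the SOCKS port 1080 to hosts that are not trusted. This is an added example, not Network ICE's code, and it assumes simplified semantics: the interface names (lan0, dialup0), the sample packets, the list of published ports, and the treatment of "Cautious" as accept-by-default and "Nervous" as block-by-default are all constructed for the illustration, since the page does not spell out the product's exact per-level behaviour. It also adds one check the article does not mention: trust is only honoured for packets that arrive on the internal NIC, so an Internet host that spoofs a private source address gains nothing.

```python
"""Model of a dual-homed gateway's firewall rules: Trust list, per-NIC
monitoring off, and the SOCKS port 1080 block. Illustrative only."""
from dataclasses import dataclass
import ipaddress
from typing import FrozenSet, List, Tuple


@dataclass(frozen=True)
class Packet:
    ingress_if: str   # NIC the packet arrived on ("lan0"/"dialup0" are constructed names)
    src: str          # source IPv4 address as text
    dst_port: int     # destination TCP port on the gateway


@dataclass(frozen=True)
class GatewayPolicy:
    # Networks behind the gateway whose hosts are accepted outright (the "Trust" option).
    trusted_nets: Tuple[ipaddress.IPv4Network, ...]
    # NICs those trusted networks are actually attached to. Trust is honoured only for
    # packets arriving here, so a spoofed 192.168.x.x source from the Internet stays
    # untrusted. This anti-spoofing check is added by this example, not described in the text.
    internal_ifs: FrozenSet[str]
    # NICs with monitoring/firewalling disabled completely ("Disable monitoring on one NIC").
    unmonitored_ifs: FrozenSet[str]
    # Ports refused to untrusted sources; 1080 is the SOCKS port named in the text.
    blocked_ports: FrozenSet[int]
    # Services the gateway deliberately publishes to the Internet (assumed, e.g. a web server).
    allowed_ports: FrozenSet[int]
    # Verdict for inbound traffic no rule covers. Assumption: "Cautious" = accept,
    # "Nervous" = block, approximating "most things still work" vs. the stricter level.
    inbound_default: str

    def decide(self, pkt: Packet) -> Tuple[str, str]:
        """Return (verdict, reason). Order matters: the Trust check runs before the
        port block, which is what keeps SOCKS usable for internal hosts while
        port 1080 is closed to the Internet."""
        if pkt.ingress_if in self.unmonitored_ifs:
            return ("accept", "monitoring disabled on NIC " + pkt.ingress_if)
        src = ipaddress.ip_address(pkt.src)
        if pkt.ingress_if in self.internal_ifs and any(src in net for net in self.trusted_nets):
            return ("accept", "trusted internal host")
        if pkt.dst_port in self.blocked_ports:
            return ("block", "port %d closed to untrusted sources" % pkt.dst_port)
        if pkt.dst_port in self.allowed_ports:
            return ("accept", "published service")
        return (self.inbound_default, "firewall level default")


def socks_gateway_policy(level: str = "Cautious", block_socks: bool = True,
                         unmonitored: Tuple[str, ...] = ()) -> GatewayPolicy:
    """Constructed policy for a SOCKS gateway: lan0 faces 192.168.0.0/24, dialup0
    faces the Internet, only port 80 is published. block_socks=False reproduces the
    open-relay misconfiguration the text warns about."""
    if level not in ("Cautious", "Nervous", "Paranoid"):
        raise ValueError("unknown firewall level: " + level)
    return GatewayPolicy(
        trusted_nets=(ipaddress.ip_network("192.168.0.0/24"),),
        internal_ifs=frozenset({"lan0"}),
        unmonitored_ifs=frozenset(unmonitored),
        blocked_ports=frozenset({1080}) if block_socks else frozenset(),
        allowed_ports=frozenset({80}),
        inbound_default="accept" if level == "Cautious" else "block",
    )


# Constructed sample traffic: the legitimate cases and the abuse cases discussed above.
SAMPLE_PACKETS = [
    Packet("lan0", "192.168.0.10", 1080),     # internal host using the SOCKS proxy
    Packet("dialup0", "203.0.113.7", 1080),   # Internet host trying to relay through SOCKS
    Packet("dialup0", "192.168.0.10", 1080),  # Internet host spoofing an internal address
    Packet("dialup0", "203.0.113.7", 80),     # Internet host reaching the published web server
    Packet("dialup0", "203.0.113.7", 139),    # Internet host probing NetBIOS on the gateway
]


def evaluate(policy: GatewayPolicy, packets: List[Packet]) -> List[str]:
    """Verdict for each packet, in order."""
    return [policy.decide(p)[0] for p in packets]


def relay_open_to_internet(policy: GatewayPolicy, external_if: str = "dialup0") -> bool:
    """True if an arbitrary Internet host can reach the SOCKS port, i.e. the
    open-relay misconfiguration is still present under this policy."""
    probe = Packet(external_if, "198.51.100.1", 1080)  # constructed untrusted source
    return policy.decide(probe)[0] == "accept"


if __name__ == "__main__":
    policy = socks_gateway_policy()
    for pkt in SAMPLE_PACKETS:
        verdict, reason = policy.decide(pkt)
        print("%-8s %-14s %5d -> %-6s (%s)" % (pkt.ingress_if, pkt.src, pkt.dst_port, verdict, reason))
    print("relay open at Cautious with 1080 unblocked:",
          relay_open_to_internet(socks_gateway_policy(block_socks=False)))
```

Running the model shows why the article offers two fixes for SOCKS: at the (modelled) "Cautious" level an unblocked port 1080 is reachable from any Internet address, while either blocking the port or raising the level closes it, and in both cases hosts on the Trust list that arrive on the internal NIC keep their access. Note also that disabling monitoring on the internal NIC only affects traffic arriving on that NIC; packets from the Internet carrying a forged internal address still hit the firewall.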