This graphic shows a network that shares an Internet connection through ICS (Internet Connection Sharing). The ICS machine acts as a NAT gateway for the other machines and allows them to reach the Internet.
In this case, the ICS machine has two network adapters. The first is connected to the Internet, and could be a modem, router or any other WAN device. This adapter will be configured to get its address through DHCP. The second adapter is a standard Ethernet interface and is used to connect the machine to the internal LAN. This adapter will be configured to use a static address. This is needed because the other machines on the LAN refer to the ICS machine by its IP address whenever they perform name resolution.
The other machines on the LAN will also be configured to get their IP addresses through DHCP, but with one difference: you will need to manually override the DNS settings of these machines and enter the address of the ICS machine. In the example above the two client machines, "x" and "y", have dynamic IP addresses but will use 192.168.0.1 as their DNS server. At this point you can install TreeWalk (BIND-PE) onto the ICS machine. After the installation, reboot the machine and then be sure to reboot any client machines. After this, you'll be able to surf the Internet from either the ICS or the client machines, but the name resolution for the entire LAN will be performed by TreeWalk (BIND-PE) on the ICS computer.
The advantage of this type of configuration is that there will be less traffic on the LAN, because all the DNS work is carried out by a single machine. The DNS cache will have more hits, since every request from the other LAN computers is cached by the central DNS and then returned to any machine requesting the same address or host. Image and text from the creators of TreeWalk.
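The following is an added example, not code from TreeWalk, BIND or the authors of these pages: a toy model of the central cache just described, in which one caching resolver on the ICS host answers every LAN client and only cache misses travel to the ISP's DNS server. The names, addresses and TTLs are constructed, and the clock is injectable so that TTL expiry can be simulated without waiting.

```python
"""Toy model of a central caching resolver on the ICS host (added example, not
TreeWalk/BIND code). The upstream table, names, addresses and TTLs are constructed."""
import time

# Constructed stand-in for the ISP's DNS server: name -> (address, TTL in seconds)
UPSTREAM = {
    "www.example.com.": ("93.184.216.34", 300),
    "mail.example.com.": ("192.0.2.25", 60),
}


class CachingResolver:
    """One cache shared by all LAN clients; a miss costs one upstream query."""

    def __init__(self, upstream, clock=time.monotonic):
        self.upstream = upstream
        self.clock = clock            # injectable so TTL expiry can be simulated
        self.cache = {}               # qname -> (address, absolute expiry time)
        self.upstream_queries = 0
        self.hits = {}                # client -> answers served from the cache

    @staticmethod
    def canonical(name):
        """Case-insensitive, always with the trailing dot, so x and y share entries."""
        return name.strip().lower().rstrip(".") + "."

    def resolve(self, client, name):
        """Return (address, source); source is 'cache', 'upstream' or 'nxdomain'."""
        qname = self.canonical(name)
        now = self.clock()
        entry = self.cache.get(qname)
        if entry is not None and entry[1] > now:
            self.hits[client] = self.hits.get(client, 0) + 1
            return entry[0], "cache"
        if entry is not None:
            del self.cache[qname]     # expired: never hand out an answer past its TTL
        self.upstream_queries += 1
        answer = self.upstream.get(qname)
        if answer is None:
            return None, "nxdomain"   # negative answers are not cached in this toy
        address, ttl = answer
        self.cache[qname] = (address, now + ttl)
        return address, "upstream"


def run_scenario():
    """Clients x and y (the two machines in the diagram) look up the same names.
    Returns the source of each answer in order and the upstream query count."""
    fake_now = [0.0]
    r = CachingResolver(UPSTREAM, clock=lambda: fake_now[0])
    sources = []
    sources.append(r.resolve("x", "www.example.com")[1])    # miss  -> upstream
    sources.append(r.resolve("y", "WWW.EXAMPLE.COM")[1])    # y reuses x's answer -> cache
    sources.append(r.resolve("y", "mail.example.com")[1])   # miss  -> upstream
    fake_now[0] = 301.0                                      # past the 300 s TTL of www
    sources.append(r.resolve("x", "www.example.com")[1])    # expired -> upstream again
    return sources, r.upstream_queries


if __name__ == "__main__":
    print(run_scenario())
```

Two clients asking for the same name cost one upstream query instead of two, which is the traffic saving the paragraph describes; the expiry check is the part worth keeping even in a toy, since a cache that serves records past their TTL hands stale or withdrawn addresses to every machine on the LAN.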
TreeWalk (BIND-PE) includes some fun-to-use tools, like the Check Config Tool, in addition to hyper-driving your browsers. This is similar to NetInfo, the command-line tool offered as a free download on the Free Ware page at the BIND-PE and ICS site.
More documentation and configuration examples are available from the TreeWalk web site.
These pages are intended as a guide to assist those who are integrating TreeWalk (BIND-PE) into a similar LAN. The computer running the ICS/TreeWalk (BIND-PE) combination is the HOST here, and networked machines are referred to as the CLIENTS. The next pages depict File and Printer Sharing using NetBIOS over TCP/IP (or NetBT) in addition to Internet Connection Sharing and IPSec, for a fully functional, secure network.
The LAN is operated in stealth mode through packet filtering and firewall software installed on the HOST, and uses a software firewall installed on each CLIENT. The CLIENT firewalls are mostly used for outbound connection monitoring. All logging is done with CHX-I, but more on that later!
Any questions regarding all other TreeWalk (BIND-PE) configurations should be asked through the newsgroup at grc.com, hosted by Steve Gibson (the Gibson Research Corporation). Be on your best behavior when you visit Steve's place! He also has many excellent pages at his grc.com website.
This is the HOST ICS NIC for the HOST computer.
Text added to this image by the author states: This Network Adapter carries the ICS load for the local network on the computer which has TreeWalk (BIND-PE) installed. Referred to in these pages as the HOST computer for the LAN.
Here, the Internet Protocol (TCP/IP) check box must have a check mark in it. If the other two check boxes are checked, you will be sharing Files and Printers over the Internet, and this is not recommended! You may optionally check the box at the bottom of the sheet to show an icon in the taskbar whenever you are connected to the Internet. Click the Properties button to proceed to the next step.
This Properties Sheet also displays a tab named the General tab. This can be somewhat confusing as there is also a General tab on the previous sheet. This one shows the default settings installed by TreeWalk (BIND-PE). The top radio button, Obtain an IP address automatically, is selected; in this configuration it lets DHCP automate the TCP/IP configuration of this adapter.
The fourth and last radio button is also selected by the TreeWalk (BIND-PE) installation. It shows two text boxes: the first contains the IP address of the local DNS server, which is now the TreeWalk (BIND-PE) local host, and the second lists, as the Alternate, what was previously placed there as the Preferred (or Primary) DNS server for your ISP. So 127.0.0.1, the Preferred DNS server, is the address of your Local Host, which is the TreeWalk (BIND-PE)/ICS computer.
The box below it shows the ISP's DNS server as the Alternate DNS server. In this case, it is 24.69.255.196, which is also the DHCP connection for the local ISP here, and which used to be in the Preferred DNS server box.
It is important to note that if you attempt to alter the 127.0.0.1 address, Windows will not let you re-enter it, as it is reserved as the loopback address. If you do try to change this and you get the error message, you must stop the TreeWalk (BIND-PE) service, uninstall TreeWalk (BIND-PE) and reboot your computer. Then you will need to re-install TreeWalk (BIND-PE) and reboot again to reinstate 127.0.0.1 as the Preferred DNS server. Hint: don't mess with it! Note: If you are running TreeWalk (BIND-PE) on a CLIENT computer in your LAN, then you should list 192.168.0.1 as an Alternate DNS server in its Ethernet Adapter's TCP/IP Properties sheet. CLIENT machines normally require only one NIC for inclusion in an ICS LAN.
The tab shown here lists DHCP Enabled only, as the ISP here uses it. Some folks may need to manually insert static addressing. In the Default gateways box is your local ISP's Gateway address. Here, it is the 24.78.204.1 address.
The DNS tab of the HOST ICS NIC shows the DNS server addresses, in order of use. Note the check mark beside Register this connection's addresses in DNS. You will find here that TreeWalk (BIND-PE) mimics the Preferred and Alternate DNS servers that were listed on the Internet Protocol (TCP/IP) Properties Sheet. As on that sheet, it is important to note that if an attempt to alter the 127.0.0.1 address is made, Windows will not let you re-enter it, because the system has reserved it as the loopback address. Again, if you do try to change this and you receive the error message, you must stop the TreeWalk (BIND-PE) service, uninstall TreeWalk (BIND-PE) and reboot your computer.
After that, you will need to re-install TreeWalk (BIND-PE) and reboot again to reinstate 127.0.0.1 as the Preferred DNS server. This advice will never be repeated in these pages again, so you must remember this important note! You may also include alternate DNS servers on this tab, but add them to the bottom of the list. To the right of this text box are two arrow buttons for re-arranging the listed addresses. Be careful not to select the first entry of 127.0.0.1 for editing or for removal. So don't forget that you may manually alter the other NICs on your network, but this one is best left to TreeWalk (BIND-PE)! Sheesh! That sounds like a warning!
This tab has several other settings and text boxes that are left at the defaults Windows 2000 Pro installed during setup. Unless you require changing them, leave these settings and their accompanying boxes alone too!
On the WINS tab, the Enable NetBIOS over TCP/IP radio button is manually disabled by selecting the "Disable" button. When you make the changes from the default settings you will be notified that there is no WINS address entered. Ignore this and move on.
For all intents and purposes here, this tab is moot. IPSec is not used directly; it is accessed via CHX-I Packet Filters, which is used for its excellent GUI and logging capabilities. More on that later. Click OK to return to the previous sheet for HOST ICS NIC Properties.
Upon returning to HOST ICS NIC Properties from the previous sheet, choose the Sharing tab and confirm that there's a check mark in place here. If you need to add one, then you may have to wait a short time for Windows 2000 to complete the assignment when we're done with this sheet. Select the Settings button and move along.
Some care should be taken to provide only those network Applications and Services that you need. This shows those that are check marked for this system, which are Internet Explorer on the Applications tab, and FTP Server, Internet Mail Server (SMTP) and Post-office Protocol Version 3 (POP3) for the Services tab. If you don't need them, then don't enable them.
You're all done with this Network Interface Card's settings. Click OK until you return to the Network and Dial-up Connections applet window. You may have to wait while Windows 2000 Professional assigns these setting changes. Simply place your mouse over the applet and wait until the hourglass goes away and feel free to reboot if prompted!
This is the HOST LAN NIC for the HOST computer.
The text placed within this graphic states: This network adapter carries the NetBIOS over TCP/IP (NetBT), which is necessary for File and Printer Sharing over the LAN, and Internet Connection Sharing (ICS) from the HOST ICS NIC.
With the second Ethernet Adapter that is required for the TreeWalk (BIND-PE) and ICS computer, these three settings will need to be checked and in place for the network to function as intended here. You may optionally check the Show icon in taskbar when connected box. Click the Properties button and proceed.
This is where the HOST LAN NIC adapter differs from the last one and more closely resembles a CLIENT computer's interface settings. Two of these text boxes can be left empty, and the adapter must be pointed at the server adapter on the TreeWalk (BIND-PE) and ICS machine, the HOST ICS NIC in this scenario. Alternate DNS servers and Default gateways are not required for this particular setup, but may be required for other systems.
The Use the following IP address button must be enabled to display the IP address of 192.168.0.1 and a Subnet mask of 255.255.255.0 but the Default gateway should be left empty. The Use the following DNS server addresses button must also be enabled, to indicate the Preferred DNS server address of 127.0.0.1, the Local Host address.
Note: If you are running TreeWalk (BIND-PE) on a CLIENT computer in your LAN, then you will have 192.168.0.1 as the Preferred DNS server in its Ethernet Adapter's TCP/IP Properties sheet. CLIENT machines require only one interface for inclusion in an ICS network.
Choose the Advanced button to proceed.
The IP addresses text box shows the lone IP address listed as 192.168.0.1 and also gives 255.255.255.0 for the Subnet mask. The Interface metric value is 1 here.
This tab should have these settings in place: The DNS server addresses, in order of use should read 127.0.0.1, the button for Append primary and connection specific DNS suffixes should be enabled, and the Register this connection's addresses in DNS should have a check mark entered.
On the WINS tab, the Enable NetBIOS over TCP/IP radio button is manually enabled and other settings are turned off.
This system does not use a hosts file, an LMHOSTS file or WINS, and works fine without them. Browsing speed is at its fastest this way according to test results. But if you must use any of them, you may not notice the impact. Testing will tell!
When you make the changes from the default settings you will be notified that there is no WINS address entered. Ignore this by selecting the appropriate button and move along!
Again, IPSec is not used directly here but is accessed via CHX-I Packet Filter, which is used for its excellent snap-in and logging capabilities, though through the HOST ICS NIC. However, there'll be more on that later. Click OK to return to the previous sheet for the HOST LAN NIC Properties.
If this box is checked, you've screwed up - uncheck the lone box and go back to the start of these tutorial instruction pages and review your work thus far!
There should be no Internet Connection Sharing enabled for any of the local adapters.
The only card that should have it enabled is the HOST ICS NIC. If the Settings button is greyed out, as it should be, then you're all done with this adapter's settings too. Click OK until you return to the Network and Dial-up Connections applet window.
You may have to wait while Windows 2000 Professional assigns these setting changes. Simply place your mouse over the applet and wait until the hourglass goes away. Feel free to reboot if prompted. Then, it's on to the CLIENT computers' configurations!
This represents the LAN adapter for each CLIENT computer, as shown in the Network and Dial-up Connections Applet.
Just like it is on the General tab of the HOST LAN NIC on the TreeWalk (BIND-PE) and ICS computer, these three settings will need to be checked and in place for the network to function as intended here. You may optionally check the Show icon in taskbar when connected box. Click the Properties button and carry on - it's getting easier now!
The Obtain an IP address automatically button must be enabled here, for all CLIENT boxes. The Use the following DNS server addresses button must also be enabled, to indicate the Preferred DNS server address of 192.168.0.1 which is the address for the HOST LAN NIC. It may be best to leave the Alternate DNS server text box empty too, if you don't absolutely need any entries there! We'll expand on that later. Read the image descriptor file for a bit more info there or choose the Advanced button to proceed.
On all CLIENT computers in this LAN, the IP Settings Tab is set to use DHCP Enabled in the IP address text box. The Interface metric value is 1, as shown here.
This tab should have these settings in place for all CLIENT LAN NICs: the DNS server addresses, in order of use, should read 192.168.0.1; the button for Append primary and connection specific DNS suffixes should be enabled; the box beside Append parent suffixes of the primary DNS suffix should be checked; and Register this connection's addresses in DNS should have a check mark entered there as well.
On the WINS tab, the Enable NetBIOS over TCP/IP radio button is manually enabled and other settings are turned off. This system does not use a hosts file, an LMHOSTS file or WINS, and works fine without them. Browsing speed is at its fastest this way according to test results. But if you must use any of them, you may not notice the impact.
When you make the changes from the default settings you will be notified that there is no WINS address entered. Ignore this by selecting the appropriate button and move along!
Again, IPSec is not used directly here but is accessed via CHX-I Packet Filters through the HOST ICS NIC. And yes, there will still be more on that later. But let's go to the next page to see what's in IPSec's properties anyhow.
IPSec (or IPSEC) is excellent, but difficult to set rules for and what you see is what you get for a GUI (Graphical User Interface) and that's another reason why CHX-I is used here. Okay, okay - more on that later!
Click the OK buttons to return to CLIENT LAN NIC Properties and then you're almost done setting up your first CLIENT to use TreeWalk (BIND-PE)! Finally, click OK until you return to the Network and Dial-up Connections Applet window. You may have to wait while Windows 2000 Professional assigns these setting changes. Simply place your mouse over the applet and wait until the hourglass goes away. Feel free to reboot if prompted.
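Both the ICS overview at the top of these pages and the HOST and CLIENT walk-throughs just completed describe one addressing plan: File and Printer Sharing unbound and NetBT disabled on the Internet adapter, ICS enabled on that adapter only, a static 192.168.0.1/255.255.255.0 with no gateway on the HOST LAN NIC, 127.0.0.1 as the preferred DNS server on both HOST adapters, and DHCP plus 192.168.0.1 as the preferred DNS server on every CLIENT. The following is an added example, not part of the tutorial: a small checker that compares adapter records against that plan. The records are constructed by hand from the addresses shown on these pages (a real checker would read them from the system), and the `role`, `netbt` and `ics` field names are this example's own.

```python
"""Conformance check for the HOST and CLIENT adapter settings described above.
Added example, not part of the tutorial; adapter records are constructed by hand."""
from ipaddress import ip_address, ip_network

LAN = ip_network("192.168.0.0/24")
HOST_LAN_IP = ip_address("192.168.0.1")
LOOPBACK = ip_address("127.0.0.1")


def check_adapter(a):
    """Return the list of deviations from the tutorial for one adapter record."""
    p, n = [], a["name"]
    dns = [ip_address(d) for d in a["dns"]]
    if a["role"] == "host_ics":                      # the adapter facing the Internet
        if a["file_print_sharing"]:
            p.append(f"{n}: File and Printer Sharing is bound to the Internet adapter")
        if a["netbt"]:
            p.append(f"{n}: NetBIOS over TCP/IP should be disabled on the Internet adapter")
        if not a["ics"]:
            p.append(f"{n}: Internet Connection Sharing must be enabled on the HOST ICS NIC")
        if not dns or dns[0] != LOOPBACK:
            p.append(f"{n}: preferred DNS server must be 127.0.0.1 (TreeWalk on this host)")
    elif a["role"] == "host_lan":                    # the adapter facing the LAN
        if a["ics"]:
            p.append(f"{n}: Internet Connection Sharing must not be enabled on the LAN adapter")
        if a["dhcp"] or a["ip"] is None or ip_address(a["ip"]) != HOST_LAN_IP:
            p.append(f"{n}: LAN adapter must use the static address 192.168.0.1")
        if a["mask"] != str(LAN.netmask):
            p.append(f"{n}: subnet mask must be 255.255.255.0")
        if a["gateway"]:
            p.append(f"{n}: default gateway on the LAN adapter should be left empty")
        if not a["netbt"]:
            p.append(f"{n}: NetBIOS over TCP/IP must be enabled for File and Printer Sharing")
        if not dns or dns[0] != LOOPBACK:
            p.append(f"{n}: preferred DNS server must be 127.0.0.1 (TreeWalk on this host)")
    elif a["role"] == "client":
        if a["ics"]:
            p.append(f"{n}: Internet Connection Sharing must not be enabled on a CLIENT")
        if not a["dhcp"]:
            p.append(f"{n}: CLIENT must obtain its IP address automatically")
        if not dns or dns[0] != HOST_LAN_IP:
            p.append(f"{n}: CLIENT preferred DNS server must be 192.168.0.1 (the HOST LAN NIC)")
        if any(d not in LAN for d in dns[1:]):
            p.append(f"{n}: an alternate DNS server outside the LAN would bypass the central cache")
        if not a["netbt"]:
            p.append(f"{n}: NetBIOS over TCP/IP must be enabled for File and Printer Sharing")
    return p


def check_lan(adapters):
    """Check every adapter plus the one LAN-wide rule: exactly one adapter shares the connection."""
    problems = [m for a in adapters for m in check_adapter(a)]
    sharing = [a["name"] for a in adapters if a["ics"]]
    if len(sharing) != 1:
        problems.append(f"exactly one adapter should run Internet Connection Sharing, found {sharing}")
    return problems


def adapter(name, role, **kw):
    """Build a constructed adapter record with the tutorial's usual defaults."""
    base = {"dhcp": True, "ip": None, "mask": None, "gateway": None, "dns": [],
            "file_print_sharing": False, "netbt": True, "ics": False}
    base.update(kw)
    return {"name": name, "role": role, **base}


# Constructed records mirroring the settings shown on the pages above
GOOD_LAN = [
    adapter("HOST ICS NIC", "host_ics", gateway="24.78.204.1", netbt=False, ics=True,
            dns=["127.0.0.1", "24.69.255.196"]),
    adapter("HOST LAN NIC", "host_lan", dhcp=False, ip="192.168.0.1", mask="255.255.255.0",
            dns=["127.0.0.1"]),
    adapter("CLIENT x", "client", dns=["192.168.0.1"]),
    adapter("CLIENT y", "client", dns=["192.168.0.1"]),
]

# The same LAN with three of the mistakes the pages warn about
BAD_LAN = [
    adapter("HOST ICS NIC", "host_ics", gateway="24.78.204.1", netbt=False, ics=True,
            file_print_sharing=True, dns=["127.0.0.1", "24.69.255.196"]),
    adapter("HOST LAN NIC", "host_lan", dhcp=False, ip="192.168.0.1", mask="255.255.255.0",
            ics=True, dns=["127.0.0.1"]),
    adapter("CLIENT x", "client", dns=["24.69.255.196"]),
]

if __name__ == "__main__":
    print("good:", check_lan(GOOD_LAN))
    for problem in check_lan(BAD_LAN):
        print("bad: ", problem)
```

The alternate-DNS check on the CLIENTs is the one caveat worth calling out: a CLIENT whose alternate server is the ISP's resolver will quietly fall back to it whenever TreeWalk is slow to answer, so its lookups leave the LAN unlogged and uncached, which is why the pages suggest leaving that box empty.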
All browsers should have settings similar to those on the empty properties sheet from Internet Explorer 6 SP1 shown here. Right-click your IE desktop icon, choose Properties, then the Connections tab, and finally LAN Settings, to check this sheet. This setup does not use any proxies, does not Automatically detect settings and does not Use automatic configuration script. Replicate these settings for all browsers in your LAN. After this, we're ready to take on some firewalls! Yee Haw (elation)!
This section and the next three images quickly address CLIENT software firewall installations of Zone Alarm. The HOST's CHX-I Packet Filter and Kerio Firewall combination works so well that firewalls are not even required on the local computers.
Because some folks like to use them here for outbound connection monitoring, the following considerations should be noted first, before a more adaptable HOST security scenario is discussed in more detail. Kerio's firewall is used on all machines in this LAN, without any hint of problems, and is reviewed next.
Regrettably, extensive testing proved that the excellent Zone Alarm firewall would just not play well with ICS. It also caused problems with TreeWalk (BIND-PE), so a more suitable replacement was needed. Several options were considered, and CHX-I and Kerio's firewall were the inevitable choice. As cumbersome as ZA proved to be, it is still an excellent Personal Firewall, just not in this environment. The (next) CHX-I/Kerio arrangement works incredibly well here, so for all general purposes this is deemed the best and simplest solution. Future testing may involve the use of the CHX-I Firewall, in place of Kerio, with the CHX-I Packet Filter.
The first image displays that all permissions are given for TreeWalk (BIND-PE), and presents the GUI (Graphical User Interface) used for version 2.x. Local and Internet access is granted for both the Allow connect and Allow server columns for the named.exe program. Because the application is so highly trusted, you may even place a check mark in the Pass Lock option! There are two more Zone Alarm images on this page to be discussed.
The second image reflects that both Local and Internet Security sliders are set to Low, and the Block local servers and Block Internet servers check boxes are unchecked. This is the only way that Zone Alarm would work with the TreeWalk (BIND-PE)/ICS combination. The result was that many ports remained in a "Closed" state, but were visible to the Internet. This proved to be the case with the newer 3.x version as well, as shown below.
The final picture on this page mimics the preceding image of the Zone Alarm CLIENT Security Settings, but for the version 3.x GUI (Graphical User Interface). Internet Zone Security and Trusted Zone Security levels were required to be set to Low for this firewall to work properly with TreeWalk (BIND-PE) and ICS here too.
Now we can progress towards the heart of this network's security, the HOST's packet filter and firewall combination, which was chosen because it integrates flawlessly with TreeWalk (BIND-PE) and everything else on this LAN. Even if TreeWalk (BIND-PE) is not used, your network will be invisible to other computers on the Internet. This is proven through extensive port scanning that is documented on the site where, at the time of this writing, there are links to two recently added pages of scanner documentation, with more to follow.
Shown here is the About screen for the HOST computer's installation of the Kerio Personal Firewall Engine Version 2.1.4 and the systray icon menu for KPF2. The version 2.1.5 release is virtually the same firewall with some important bug fixes, and is the version in use at the time of this edit.
Choosing Administration from the icon's right-click menu will take you to the Kerio Personal Firewall Administration sheet which first displays the Firewall Tab, as depicted on the next page.
KPF2 was integrated into this system because it uses Stateful Packet Inspection, has good logging capabilities and offers excellent flexibility for this particular setup.
Selecting Administration from the systray icon's right-click menu invokes the Firewall tab of the Kerio Personal Firewall sheets. There should be a check mark in the box beside Firewall Enabled, and the slider should be in the center position so that Ask Me First is displayed. Click the Advanced button to go straight to the Firewall Configuration sheet, but first we're going to have a look at the Miscellaneous tab (next).
The first three of the four check boxes should be marked. Enabling the third box will keep you informed of any bug-fixes or patches that may be required later.
The Firewall Configuration Files buttons are for saving or loading exactly those types of files. Very convenient!
Return to the Firewall tab from here and select the Advanced button to get to the Firewall Configuration tab sheet. We're done with this one now!
The default install of KPF2 required additional rules for TreeWalk (BIND-PE). They are moved to the top of the rule set listed here, and described on the following pages. You may need to customize your own rules.
This is where you would Add, Insert, Edit, and Delete rules that you may need to write for your system. The Local Host (or localhost) rule is highlighted and the Edit button is clicked to deploy a typical Filter rule sheet, as shown next.
This rule was moved to the top of the Filter Rule list after creation. Click OK to process the rule.
The existing DNS rule, installed by default by Kerio, was modified with these changes and positioned at the top of the list, under the LocalHost rule in this case. Click OK to process any rule.
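The two pages above move the Local Host rule and the modified DNS rule to the top of the list because a personal firewall like KPF2 takes the first rule that matches a packet. The following is an added example, not Kerio's code or the author's rule set: a first-match evaluator over a constructed rule list, plus a check that reports any rule that can never fire because an earlier rule already covers everything it would match. The rule names, ports and addresses are this example's own (the page does not show the contents of the Local Host or DNS rules), and a packet that matches nothing falls through to the "Ask Me First" default the Firewall tab sets.

```python
"""First-match evaluation of an ordered personal-firewall rule list, in the style of
the KPF2 Filter Rules above. Added example; rules, addresses and packets are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

ANY_NET = ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                       # "permit" or "deny"
    proto: str = "any"                # "any", "tcp" or "udp"
    direction: str = "any"            # "any", "in" or "out"
    local_port: Optional[int] = None  # None matches every local port
    remote: object = ANY_NET          # ip_network the remote address must fall in
    remote_port: Optional[int] = None

    def matches(self, pkt):
        return ((self.proto == "any" or self.proto == pkt["proto"])
                and (self.direction == "any" or self.direction == pkt["direction"])
                and (self.local_port is None or self.local_port == pkt["local_port"])
                and ip_address(pkt["remote"]) in self.remote
                and (self.remote_port is None or self.remote_port == pkt["remote_port"]))

    def covers(self, other):
        """True if every packet 'other' could match would already match this rule."""
        return ((self.proto == "any" or self.proto == other.proto)
                and (self.direction == "any" or self.direction == other.direction)
                and (self.local_port is None or self.local_port == other.local_port)
                and self.remote.supernet_of(other.remote)
                and (self.remote_port is None or self.remote_port == other.remote_port))


def evaluate(rules, pkt, default="ask"):
    """Walk the list top to bottom; the first matching rule decides."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action, rule.name
    return default, None              # no rule matched: KPF2's Ask Me First slider position


def shadowed_rules(rules):
    """Pairs (shadowed, by) for rules that an earlier rule makes unreachable."""
    found = []
    for j, later in enumerate(rules):
        for earlier in rules[:j]:
            if earlier.covers(later):
                found.append((later.name, earlier.name))
                break
    return found


# Constructed rule list; the first two stand in for the page's Local Host and DNS rules
RULES = [
    Rule("Local Host", "permit", remote=ip_network("127.0.0.1/32")),
    Rule("DNS (TreeWalk named.exe)", "permit", proto="udp", local_port=53),
    Rule("LAN file sharing", "permit", proto="tcp", direction="in", local_port=139,
         remote=ip_network("192.168.0.0/24")),
    Rule("Block NetBT from Internet", "deny", proto="tcp", direction="in", local_port=139),
]

# Same rules with the LAN permit placed below the broad deny: it can never fire
MISORDERED = [RULES[0], RULES[1], RULES[3], RULES[2]]

# Constructed packets as the firewall would see them on the HOST
CLIENT_LOOKUP = {"proto": "udp", "direction": "in", "local_port": 53,
                 "remote": "192.168.0.5", "remote_port": 1025}
LAN_SHARE = {"proto": "tcp", "direction": "in", "local_port": 139,
             "remote": "192.168.0.5", "remote_port": 1026}
WAN_SHARE = {"proto": "tcp", "direction": "in", "local_port": 139,
             "remote": "203.0.113.9", "remote_port": 40000}
WAN_WEB = {"proto": "tcp", "direction": "in", "local_port": 80,
           "remote": "203.0.113.9", "remote_port": 40001}

if __name__ == "__main__":
    for pkt in (CLIENT_LOOKUP, LAN_SHARE, WAN_SHARE, WAN_WEB):
        print(evaluate(RULES, pkt))
    print("shadowed:", shadowed_rules(MISORDERED))
```

Running `shadowed_rules` over a rule set after every edit catches the silent failure the page is guarding against when it says the rules were "positioned at the top of the list": a rule that is correct in itself but sits below a broader one is simply dead.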
This tab is of paramount interest! No modifications were needed here to allow complete LAN functionality for this system, but you can easily add an extra layer of security to it by dedicating static addresses for each machine. This is done in both the firewall application and in the TCP/IP Properties sheet for each unit in the network. You can click Apply and proceed to the Miscellaneous tab after making any changes you need or want to make at this time.
This tab also is of great interest. There must be a check mark in the Is Running on Internet Gateway check box. This setting is vital but reduces 'Stealth' capabilities so that some ports show as Closed, which is acceptable. However, CHX-I re-instates stealth, which will be demonstrated here later. Remember to click Apply to save any changes and then open the last tab, the Application's MD5 tab.
Now, even if you only use Kerio for your system's protection, you will be okay, if you practice Safe Computing!
The last tab simply lists all programs that connect through KPF2. There's only one more thing to check out in Kerio, then it's onward to CHX-I, which will really button the security up tight.
Make sure to check the box at the top for Check MD5 Signature to enable this excellent feature.
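What the Check MD5 Signature option buys you is shown by the following added example, which is not Kerio's code: a program is identified by the hash of its executable recorded when it was first allowed, so a binary that is later replaced or patched no longer matches its entry and is treated as a new, unknown program rather than inheriting the old permission. MD5 is used because that is what KPF2 checks; a modern tool would use SHA-256. The file name `named.exe` in the demo stands in for the TreeWalk binary the Zone Alarm pages mention, and its contents are constructed.

```python
"""Application fingerprinting as in KPF2's Check MD5 Signature option (added example,
not Kerio's code). The executable written by demo() is a constructed stand-in."""
import hashlib
import os
import tempfile


def fingerprint(path):
    """Hash the whole file in chunks. MD5 matches what KPF2 did; use SHA-256 today."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


class ApplicationTable:
    """Program path -> fingerprint recorded when the program was first permitted."""

    def __init__(self):
        self.entries = {}

    def learn(self, path):
        self.entries[os.path.abspath(path)] = fingerprint(path)

    def verify(self, path):
        """'unknown' (never seen: ask the user), 'ok' (unchanged) or
        'changed' (hash mismatch: do not reuse the old permission, ask again)."""
        key = os.path.abspath(path)
        if key not in self.entries:
            return "unknown"
        return "ok" if fingerprint(path) == self.entries[key] else "changed"


def demo():
    """Learn, verify, then alter a constructed stand-in for named.exe; returns the verdicts."""
    verdicts = []
    with tempfile.TemporaryDirectory() as d:
        exe = os.path.join(d, "named.exe")
        with open(exe, "wb") as f:                     # constructed, not a real PE file
            f.write(b"MZ" + b"\x00" * 62 + b"constructed stand-in for the TreeWalk binary")
        table = ApplicationTable()
        verdicts.append(table.verify(exe))             # 'unknown': first contact, ask
        table.learn(exe)                               # user said Permit; remember the hash
        verdicts.append(table.verify(exe))             # 'ok': same bytes on disk
        with open(exe, "ab") as f:
            f.write(b"\x90\x90")                       # file on disk is no longer the one allowed
        verdicts.append(table.verify(exe))             # 'changed': permission must not carry over
    return verdicts


if __name__ == "__main__":
    print(demo())
```

The check has to run every time the program opens a connection, not only at install time, because the whole point is to notice that the bytes behind a trusted name have changed since the permission was granted.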
A double-click of the systray icon invokes this excellent utility, which also gives access to logs etc. This concludes the Kerio pages here, so next is a favorite part of the TreeWalk (BIND-PE) and ICS setup (next to TreeWalk (BIND-PE) of course): CHX-I Packet Filters. Finally!
Just like it says: CHX-I. No Compromise. Just Security. Boy, they sure got that right!
NOTE: The filters offered for download from this site are to be used as examples only and must be customized if implemented.
October, 2003: The newest release from IDRCI (Internet Development Research Center) does, indeed, look very good. The new CHX-I Packet Filter (version 2.6) works as well as ever with Kerio Personal Firewall (version 2.1.5) and with the downloadable filter set offered on the CHX-I Packet Filter and Internet Connection Sharing page of the site. With both products running simultaneously, and with both logging away very happily, their coexistence with ICS (Internet Connection Sharing) will give you excellent security for your file and printer sharing network. With the Kerio firewall turned off, CHX-I Packet Filter v2.6 still returns a 100% stealth report from several of the popular online scanners. Those results will be shared shortly. Meanwhile, use the October 2, 2003 link to the right of this page (under CHX-I UPDATES) and grab yourself a copy! Don't forget to register with IDRCI to support them in their cause. CHX-I Packet Filter is still FREE for home use.
Corporate usage of CHX-I products is limited to a 30 day evaluation period. CHX-I products are free for personal use but require registration for future updates and access to the online support area.
It is suggested to acquire all available files from the site, and to study their excellent documentation. These files are available through the link provided for the CHX-I Downloads Page.
Please browse the site and register in support of the great job they're doing at IDRCI. The software is free for home users, and they have an excellent support team.
After installing CHX-I, the CHX-I Packet Filter Management.msc was accessible through the Program file group and a desktop icon. You can download this example Filter Set. This .zip file is 1,136 bytes in size.
This filter set was developed in concert with a few modifications from the IDRCI Dev Team and some experimentation with sample sets that were obtained from them. It was not integrated here until the set was assessed by the CHX-I technicians who then gave the confirmation to proceed.
Port scanning and testing on this system resulted in one additional security filter to block access to a few Trojan exploits, just in case. Another filter was devised to test the system's vulnerabilities in a Peer-To-Peer Network. These filter rules and the customized TreeWalk (BIND-PE) filter are included in the ZIP file contents and are further illustrated on the next three pages.
The TreeWalk (BIND-PE) Properties sheet depicted here displays the Filter Properties tab. Continue to the next filter shown on the next page.
The ***DENY TROJANS Properties sheet illustrated here displays the Filter Properties tab. This rule requires updating and is only an example. The third and final sample on the next page is interesting to note, attesting to the security of this system.
Please realize here that this filter is entirely of the author's own design. The CHX-I staff or anyone else has not had anything to do with this particular TEST filter, nor has any other person advised on how to write it. The writer chose this testbed solely for the purpose of checking the security of this system in a risk environment. And it worked!
No one is condoning the use of this filter by distributing it, but it is included in the filter set for anyone who may feel the need to qualify these claims of what this security package can do when properly configured. The filter may be easily disabled by right-clicking the filter's description in the GUI (Graphical User Interface) so that it may be retained for reference purposes only. Alternatively, it can be deleted in similar fashion.
This image is from Steve Gibson's Domain Name System Benchmark and Research Utility. Dubbed DNSRU, this excellent freeware tool provides benchmarks for the name cache installed by TreeWalk (BIND-PE). Generally, it is used in concert with nstest.exe, a similarly-purposed and fine batch tool created by the TreeWalk (BIND-PE) crew. The nstest creation is available from the TreeWalk (BIND-PE) site.
CLIENT benchmarks are available that closely replicate the 127.0.0.1 results above. If you are using CHX-I Packet Filter(s), you will require a similar filter to the one shown on the Typical DNSRU Filter page. Similarly, for DNSRU to bypass the Kerio Firewall you will need a filter rule like the one shown on the KPF - DNSRU Filter Rule page.
This cool tool is still in a beta stage at the time of this writing. A copy of it is generally available through the GRC.com newsgroups, which Steve Gibson also generously provides at news.grc.com. A BIG THANKS to him for allowing the use of his newsgroups and the vast array of essential tools that he provides.
One example of six separate port scans is shown here. All scans directed against this system reported similar results:
Five other popular on-line port scanners all reported this system as 100% stealth. The LAN has also been rigorously scanned from remote locations and is invisible to the Internet.
The above image shows the result of a Basic Port Scan from dslreports.com and it states: Conclusion - Final Score: 0; ** best result (I got no reaction at all from this IP).
Results were emailed back to the tester. For more extensive data, see the Scan Results page.
A typical DNSRU Properties sheet for the CHX-I Packet Filter depicted here displays the Filter Properties tab. You will need the proper address.
This DNSRU Filter Rule allows the operation of Steve Gibson's DNS Research Utility to bypass the Kerio Personal Firewall. Click OK to process the rule if Kerio hasn't done this for you already, and you're done. This is the final page of this series.