ICS Security

Other versions of this page are also available for the following:

Windows Mobile: Not Supported
Windows Embedded CE: Supported

8/28/2008

If a default gateway has been instructed to assign addresses within the AutoIP range, a client may not be able to detect and synchronize with the gateway properly if that client also has addresses in the AutoIP range.

This occurs if the client requests to keep an address it already has and if that request is successful, the client does not update the default gateway information. As a result, the client cannot locate the default gateway to reach an external network. This is most likely to occur if a client is powered on before the gateway device is powered on.

To avoid this issue, the gateway must be powered on before any client on the private network is powered up. Alternatively, a separate subnet address, such as the default address 192.168.x.x, must be configured so that the gateway does not assign addresses within the AutoIP range.

Internet Connection Sharing (ICS) allows multiple devices on a private or internal network to have access to a larger public or external network, typically the Internet. For more information about ICS, network address translation (NAT), Domain Name System (DNS) Proxy, Dynamic Host Configuration Protocol (DHCP) allocation and firewall, see the appropriate section of your documentation. Enabling ICS poses the risk that clients on the internal network now have connectivity to the external, more hostile, network.

Best Practices

Enable a firewall on your network device

For enterprise environments, Microsoft recommends a network firewall with intrusion protection, such as Microsoft Internet Security and Acceleration (ISA) Server. For more information, visit this Microsoft Web site.

For information about configuring the IP firewall to properly manage traffic destined for the internal network, see IP Firewall Reference.

Verify that services are only exposed on the appropriate interfaces

Services should be exposed only on the interface for which they are configured. A service may be a security risk if it assumes that only one public interface exists: if multiple interfaces exist, by default the service may be exposed on all of them, including the external one.
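The following audit illustrates the exposure problem described above. It is an added example, not code from the Windows Embedded CE documentation: it takes a constructed interface table and a constructed list of listening sockets, and reports any service that became reachable on the public interface only because it was bound to the wildcard address rather than to the interface it was configured for.

```python
import ipaddress

# Constructed sample: interfaces on an ICS gateway. The names, addresses and
# "role" labels are assumptions for this example; the page defines no such table.
INTERFACES = {
    "external": {"addr": "203.0.113.10", "role": "public"},
    "internal": {"addr": "192.168.0.1", "role": "private"},
}

# Constructed sample: sockets a device might be listening on (bind address, port, service).
LISTENERS = [
    ("0.0.0.0", 80, "web-admin"),          # wildcard bind: reachable on every interface
    ("192.168.0.1", 53, "dns-proxy"),      # bound only to the private side
    ("203.0.113.10", 22, "remote-shell"),  # explicitly bound to the public side
    ("127.0.0.1", 9000, "debug"),          # loopback only, reachable on no interface
]

WILDCARD = ipaddress.ip_address("0.0.0.0")


def exposed_interfaces(bind_addr, interfaces):
    """Return the interface names on which a socket bound to bind_addr is reachable.
    A wildcard bind is reachable on every interface, a specific bind only on the
    interface that owns that address, and a loopback bind on none."""
    addr = ipaddress.ip_address(bind_addr)
    if addr == WILDCARD:
        return sorted(interfaces)
    if addr.is_loopback:
        return []
    return sorted(name for name, i in interfaces.items()
                  if ipaddress.ip_address(i["addr"]) == addr)


def audit_exposure(listeners, interfaces):
    """Flag listeners that reach a public interface through a wildcard bind,
    i.e. services exposed externally without having been configured for it.
    Returns a list of (service, port, [public interface names])."""
    findings = []
    for bind_addr, port, service in listeners:
        reachable = exposed_interfaces(bind_addr, interfaces)
        public = [n for n in reachable if interfaces[n]["role"] == "public"]
        if public and ipaddress.ip_address(bind_addr) == WILDCARD:
            findings.append((service, port, public))
    return findings


if __name__ == "__main__":
    for service, port, ifaces in audit_exposure(LISTENERS, INTERFACES):
        print(f"{service}:{port} is reachable on public interface(s) {ifaces} via a wildcard bind")
```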

Use the gateway logger to record messages of potential attacks

The gateway logger exposes functions that the firewall, autodial, and PPPoE modules can call into during system events. The gateway logger automatically writes all autodial and PPPoE-related events to the log. The firewall alerts the logger about each packet that it receives. The logger scans these packets and tries to determine if an attack, such as a port scan, has been initiated against the device. In the case of an attack, the logger records a message in the log file. For more information, see Gateway Logging.

Default Registry Settings

You should be aware of the registry settings that impact security. In the registry settings documentation you will find a Security Note for those values with security implications.

For ICS registry information, see ICS Registry Settings.

Ports

The following table shows the ports that ICS uses. For details, see ICS Registry Settings.

Port number      Registry value
Defined by OEM   InternalPort
Defined by OEM   Port
3000             ReservedPortsEnd
1025             ReservedPortsStart

Additionally, to detect DHCP requests from clients on the network, the DHCP allocator monitors UDP port 67 of the local-area interface of the gateway device.

See Also

Concepts

Network Address Translation

Other Resources

Internet Connection Sharing
Enhancing the Security of a Device