ICS Security (Windows Embedded CE 6.0)
1/6/2010
If a default gateway has been instructed to assign addresses within the AutoIP range, a client may not be able to detect and synchronize with the gateway properly if that client also has addresses in the AutoIP range.
This occurs when the client asks to keep an address it already holds; if that request succeeds, the client does not update its default gateway information. As a result, the client cannot locate the default gateway and so cannot reach an external network. This is most likely to occur if a client is powered on before the gateway device is powered on.
To avoid this issue, power on the gateway before powering on any client on the private network. Alternatively, configure a separate subnet address for the gateway to allocate from, such as the default address range 192.168.x.x.
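The two conditions described above can be checked from the gateway's allocation scope and from each client's address and gateway configuration. The following Python is an added example, not code from the Windows Embedded CE documentation; the interface table and client entries are constructed sample data, and the rule that a "stale" gateway shows up as a gateway outside the client's own subnet is an assumption used to illustrate the symptom.

```python
import ipaddress

# AutoIP (link-local) range, RFC 3927; a Windows client falls back to it when
# it obtains no DHCP lease.
AUTOIP_RANGE = ipaddress.ip_network("169.254.0.0/16")


def scope_overlaps_autoip(scope_cidr):
    """True when a gateway's address-allocation scope overlaps the AutoIP range."""
    return ipaddress.ip_network(scope_cidr, strict=False).overlaps(AUTOIP_RANGE)


def client_gateway_consistent(client_ip, prefix_len, gateway_ip):
    """True when the client's default gateway lies on the client's own subnet.

    Assumption for this example: a client that kept its old address without
    refreshing gateway information shows either no gateway at all or a gateway
    outside its subnet.
    """
    if gateway_ip is None:
        return False
    iface = ipaddress.ip_interface(f"{client_ip}/{prefix_len}")
    return ipaddress.ip_address(gateway_ip) in iface.network


def audit(scope_cidr, clients):
    """Return a list of findings for one gateway scope and a set of clients.

    clients: iterable of (name, ip, prefix_len, gateway_ip) tuples.
    """
    findings = []
    if scope_overlaps_autoip(scope_cidr):
        findings.append(
            f"gateway scope {scope_cidr} overlaps AutoIP {AUTOIP_RANGE}; "
            "allocate from a private subnet such as 192.168.0.0/24 instead"
        )
    for name, ip, prefix_len, gw in clients:
        if ipaddress.ip_address(ip) in AUTOIP_RANGE:
            findings.append(f"{name}: address {ip} is in the AutoIP range")
        if not client_gateway_consistent(ip, prefix_len, gw):
            findings.append(f"{name}: default gateway {gw} is not on subnet {ip}/{prefix_len}")
    return findings


# Constructed sample data: a gateway allocating from the AutoIP range, one client
# stuck with an AutoIP address and no gateway, and one correctly configured client.
SAMPLE_SCOPE = "169.254.0.0/16"
SAMPLE_CLIENTS = [
    ("cam1", "169.254.12.7", 16, None),
    ("hmi", "192.168.0.5", 24, "192.168.0.1"),
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_SCOPE, SAMPLE_CLIENTS):
        print(finding)
```

Running the block prints three findings for the sample data: the scope overlap, the AutoIP address on `cam1`, and the missing gateway on `cam1`; `hmi` produces none.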
Internet Connection Sharing (ICS) allows multiple devices on a private or internal network to have access to a larger public or external network, typically the Internet. For more information about ICS, network address translation (NAT), Domain Name System (DNS) Proxy, Dynamic Host Configuration Protocol (DHCP) allocation and firewall, see the appropriate section of your documentation. Enabling ICS poses the risk that clients on the internal network now have connectivity to the external, more hostile, network.
Best Practices
Enable a firewall on your network device
For enterprise environments, Microsoft recommends a network firewall with intrusion protection, such as Microsoft Internet Security and Acceleration (ISA) Server. For more information, visit this Microsoft Web site.
For information about configuring the IP firewall to properly manage traffic destined for the internal network, see IP Firewall Reference.
Verify that services are only exposed on the appropriate interfaces
Services should be exposed only on the interface for which they are configured. A service may be a security risk if it assumes that a single public interface exists: when multiple interfaces exist, by default the service may be exposed on all of them.
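The following Python is an added example, not code from the Windows Embedded CE documentation, showing the difference between binding a service to the wildcard address (which exposes it on every interface of a multi-homed gateway) and binding it to the address of the one interface it is meant to serve. The interface table, its addresses and roles, and the "dns-proxy" service are constructed for illustration; `bind_listener` uses the standard BSD socket calls and binds to loopback so it runs offline.

```python
import socket

# Constructed interface table for a two-homed ICS gateway (hypothetical addresses;
# 203.0.113.0/24 is a documentation range, not a real external network).
INTERFACES = {
    "LAN1": {"address": "192.168.0.1", "role": "internal"},
    "PPP1": {"address": "203.0.113.10", "role": "external"},
    "LO": {"address": "127.0.0.1", "role": "local"},
}


def exposed_interfaces(bind_address, interfaces=INTERFACES):
    """Return the names of the interfaces on which a socket bound to
    bind_address accepts traffic. The wildcard (0.0.0.0, INADDR_ANY)
    exposes the service on every interface."""
    if bind_address in ("", "0.0.0.0"):
        return sorted(interfaces)
    return sorted(
        name for name, info in interfaces.items() if info["address"] == bind_address
    )


def check_service(name, bind_address, allowed_roles, interfaces=INTERFACES):
    """Flag the interfaces a service is reachable on whose role is not allowed
    for that service (e.g. an internal-only service reachable externally)."""
    unexpected = [
        ifname
        for ifname in exposed_interfaces(bind_address, interfaces)
        if interfaces[ifname]["role"] not in allowed_roles
    ]
    return {"service": name, "bind": bind_address, "unexpected": unexpected}


def bind_listener(address, port=0):
    """Open a TCP listener on one specific address (port 0 = ephemeral) and
    return the address actually bound, so the caller can confirm the service
    did not silently end up on the wildcard."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        sock.bind((address, port))
        sock.listen(1)
        return sock.getsockname()[0]
    finally:
        sock.close()


if __name__ == "__main__":
    # A DNS proxy for the private network should serve internal and local
    # interfaces only; the wildcard bind leaks it onto the external link.
    print(check_service("dns-proxy", "0.0.0.0", {"internal", "local"}))
    print(check_service("dns-proxy", "192.168.0.1", {"internal", "local"}))
    print("bound to", bind_listener("127.0.0.1"))
```

The first `check_service` call reports `PPP1` as an unexpected exposure; the second, with the service bound to the internal interface's address, reports none.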
Use the gateway logger to record messages of potential attacks
The gateway logger exposes functions that the firewall, autodial, and PPPoE modules can call into during system events. The gateway logger automatically writes all autodial and PPPoE-related events to the log. The firewall alerts the logger about each packet that it receives. The logger scans these packets and tries to determine if an attack, such as a port scan, has been initiated against the device. In the case of an attack, the logger records a message in the log file. For more information, see Gateway Logging.
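As an added example (not code from the Windows Embedded CE gateway logger, whose internal heuristics the page does not describe), the following Python shows the kind of check a logger can apply to the packets the firewall hands it: count the distinct destination ports each source touches within a short time window and record a log message when that count crosses a threshold. The packet records, window, and threshold are constructed for illustration.

```python
from collections import defaultdict

# Constructed packet records handed to the logger: (timestamp_seconds, src_ip, dst_port).
# 203.0.113.5 probes six ports in one second; 192.168.0.7 is ordinary web traffic.
SAMPLE_PACKETS = [
    (0.0, "203.0.113.5", 21),
    (0.2, "203.0.113.5", 22),
    (0.4, "203.0.113.5", 23),
    (0.6, "203.0.113.5", 25),
    (0.8, "203.0.113.5", 80),
    (1.0, "203.0.113.5", 443),
    (0.5, "192.168.0.7", 80),
    (3.0, "192.168.0.7", 80),
    (7.0, "192.168.0.7", 443),
]


def detect_port_scans(packets, window=5.0, threshold=5):
    """Return one log message per source that touches at least `threshold`
    distinct destination ports within any `window`-second span.

    A sliding window over each source's packets, sorted by time, keeps the
    check linear in the number of packets per source.
    """
    by_src = defaultdict(list)
    for ts, src, port in sorted(packets):
        by_src[src].append((ts, port))

    messages = []
    for src, events in by_src.items():
        start = 0
        for end in range(len(events)):
            # Shrink the window from the left until it spans at most `window` seconds.
            while events[end][0] - events[start][0] > window:
                start += 1
            ports = {port for _, port in events[start:end + 1]}
            if len(ports) >= threshold:
                messages.append(
                    f"possible port scan from {src}: {len(ports)} distinct ports "
                    f"within {window:g}s (first at t={events[start][0]})"
                )
                break  # one message per source is enough for the log
    return messages


if __name__ == "__main__":
    for line in detect_port_scans(SAMPLE_PACKETS):
        print(line)
```

With the sample data the function logs a single message, for 203.0.113.5; the two-port browsing pattern from 192.168.0.7 stays below the threshold.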
Default Registry Settings
You should be aware of the registry settings that impact security. In the registry settings documentation you will find a Security Note for those values with security implications.
For ICS registry information, see ICS Registry Settings.
Ports
The following table shows the ports that ICS uses; for details, see ICS Registry Settings.
| Port number | Registry values |
|---|---|
| Defined by OEM | InternalPort |
| Defined by OEM | Port |
| 3000 | ReservedPortsEnd |
| 1025 | ReservedPortsStart |
Additionally, to detect DHCP requests from clients on the network, the DHCP allocator monitors UDP port 67 of the local-area interface of the gateway device.
See Also
Concepts
Other Resources
Internet Connection Sharing
Enhancing the Security of a Device