Internet Connection Sharing Security
If a default gateway has been instructed to assign addresses within the AutoIP range, a client that already has an address in the AutoIP range may not be able to detect and synchronize with the gateway properly. This occurs when the client requests to keep the address it already has: if that request succeeds, the client does not update its default gateway information. As a result, the client cannot locate the default gateway to reach an external network. This is most likely to occur if a client is powered on before the gateway device is powered on. To avoid this issue, the gateway must be powered on before any client on the private network is powered on. Alternatively, a separate subnet address, such as the default address 192.168.x.x, must be configured.
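The stuck-client condition described above can be spotted from recorded client settings. The following is an added example, not part of the original documentation; it assumes the AutoIP range is 169.254.0.0/16 (RFC 3927), and the function names, status strings and sample hosts are hypothetical.

```python
import ipaddress

# AutoIP (APIPA / IPv4 link-local) range per RFC 3927; an assumption, not stated on the page.
AUTOIP_NET = ipaddress.ip_network("169.254.0.0/16")


def diagnose(address, netmask, gateway):
    """Classify one client's IPv4 configuration.

    address and netmask are dotted-quad strings; gateway is a string or None.
    Returns a status string (the names are hypothetical).
    """
    iface = ipaddress.ip_interface(f"{address}/{netmask}")
    in_autoip = iface.ip in AUTOIP_NET

    if gateway is None:
        # The failure described above: the client kept its AutoIP address
        # and never recorded a default gateway, so it cannot leave the LAN.
        return "autoip-no-gateway" if in_autoip else "no-gateway"

    gw = ipaddress.ip_address(gateway)
    if gw not in iface.network:
        # A gateway outside the client's own subnet is not reachable on-link.
        return "gateway-off-subnet"
    return "autoip-ok" if in_autoip else "ok"


def audit(clients):
    """Return {name: status} for every client whose status is not healthy."""
    healthy = {"ok", "autoip-ok"}
    report = {}
    for name, (address, netmask, gateway) in clients.items():
        status = diagnose(address, netmask, gateway)
        if status not in healthy:
            report[name] = status
    return report


# Constructed sample inventory (not real hosts).
SAMPLE_CLIENTS = {
    "kiosk-1": ("169.254.17.4", "255.255.0.0", None),            # booted before gateway
    "kiosk-2": ("169.254.80.9", "255.255.0.0", "169.254.0.1"),   # synchronized with gateway
    "kiosk-3": ("192.168.0.23", "255.255.255.0", "192.168.0.1"),  # separate subnet
    "kiosk-4": ("192.168.0.24", "255.255.255.0", "169.254.0.1"),  # stale gateway entry
}

if __name__ == "__main__":
    for name, status in audit(SAMPLE_CLIENTS).items():
        print(f"{name}: {status}")
```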
Internet Connection Sharing (ICS) allows multiple devices on a private or internal network to have access to a larger public or external network, typically the Internet. For more information about ICS and its components, network address translation (NAT), Domain Name System (DNS) Proxy, Dynamic Host Configuration Protocol (DHCP) allocation and firewall, see the appropriate section of your documentation. Enabling ICS poses the risk that clients on the internal network now have connectivity to the external, more hostile, network.
Best Practices
Enable a firewall on your network device
For enterprise environments, Microsoft recommends a network firewall with intrusion protection, such as Microsoft Internet Security and Acceleration (ISA) Server. For more information, visit this Microsoft Web site.
For information about configuring the IP firewall to properly manage traffic destined for the internal network, see IP Firewall Reference.
Default Registry Settings
You should be aware of the registry settings that impact security. In the registry settings documentation you will find a Security Note for those values with security implications.
For ICS registry information, see Internet Connection Sharing Registry Settings.
Ports
The following table shows the ports that ICS uses. For details, see Internet Connection Sharing Registry Settings.
Port number | Registry values |
---|---|
Defined by OEM | InternalPort |
Defined by OEM | Port |
3000 | ReservedPortsEnd |
1025 | ReservedPortsStart |
See Also
Network Address Translation | Internet Connection Sharing Overview
Last updated on Thursday, April 08, 2004
© 1992-2003 Microsoft Corporation. All rights reserved.