Knowledgebase: WinGate
Ens - Port Security tab (overview)
Posted by Adrien de Croy (Import) on 30 January 2004 04:46 PM
The Port Security tab in the ENS configuration in WinGate is where you configure and customize how the WinGate Firewall handles application ports. While it may look like a simple matter of allowing or denying ports, there are a number of advanced features that give greater control over how traffic is handled through WinGate.

Default Action.

Settings under the Port Security tab apply to all network interfaces: for each interface/protocol (TCP/UDP) combination you can set a default action that applies to every packet on that interface which no explicit filter matches.

(To understand how WinGate treats interfaces and private versus external IP addresses, please click here.)

It is recommended that the defaults be kept, as these generally provide the safest approach to defending WinGate from network attacks.

Suggested Default Interface Actions
  • External - TCP/UDP Default Action - Deny
  • Internal - TCP/UDP Default Action - Allow

    The security filters included in the WinGate Port Security tab allow you to open or close ports depending on the applications that require access through WinGate, both to and from the Internet.

    These security filters work by:
    • Providing maximum protection from attacks originating from the Internet (by denying all LAN-bound packets arriving on the external interface).
    • Providing maximum flexibility for Internet users on your LAN (by allowing all Internet-bound packets from your LAN out).
    The security filters can be set by doing the following:
    1. Open the ENS properties in GateKeeper on the WinGate machine
    2. Open the Port Security tab.
    3. Click the Add button.

    In the Port Range Configuration:
    4. Select the type of connection that will be affected by the security filter (connections to/from, etc.), and the appropriate protocol (either TCP or UDP).
    5. Specify the port (or port range) that this filter applies to, and a description that will easily identify its purpose.
    6. Select the action to take when a packet uses this port: Allow, Drop, or redirect the packet to another IP address (for example, a web server running behind WinGate).
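    The following is an added example, not WinGate code, that models the evaluation order the steps above and the Default Action section describe: explicit port-range filters are consulted first, and a packet that matches none of them falls through to the per-interface/protocol default. The rule fields, the first-match ordering, the use of the interface name in place of the "connections to/from" selector, and all addresses are assumptions made for the illustration.

```python
"""Toy model of WinGate-style port security evaluation (constructed example).

Assumptions (not taken from WinGate): rules are matched in order, the first
match wins, and a rule is keyed by interface rather than by the GUI's
"connections to/from" selector. "Deny" (default action) and "Drop" (filter
action) both discard the packet.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Recommended defaults from the article: deny everything arriving on the
# external interface, allow everything leaving the internal (LAN) interface.
DEFAULT_ACTIONS = {
    ("external", "tcp"): "deny",
    ("external", "udp"): "deny",
    ("internal", "tcp"): "allow",
    ("internal", "udp"): "allow",
}


@dataclass
class PortRangeRule:
    """One entry added via the Port Security tab (hypothetical field names)."""
    interface: str                    # "external" or "internal"
    protocol: str                     # "tcp" or "udp"
    first_port: int
    last_port: int
    action: str                       # "allow", "drop" or "redirect"
    description: str
    redirect_to: Optional[str] = None  # target host, only for "redirect"

    def matches(self, interface: str, protocol: str, port: int) -> bool:
        return (self.interface == interface
                and self.protocol == protocol
                and self.first_port <= port <= self.last_port)

    def covers(self, other: "PortRangeRule") -> bool:
        """True if every packet matching `other` would match this rule first."""
        return (self.interface == other.interface
                and self.protocol == other.protocol
                and self.first_port <= other.first_port
                and self.last_port >= other.last_port)


def evaluate(rules: List[PortRangeRule], interface: str, protocol: str,
             dst_port: int) -> Tuple[str, Optional[str], str]:
    """Return (action, redirect_target, reason) for one packet.

    Explicit filters are checked in order and the first match wins; if none
    match, the interface/protocol default action applies.
    """
    for rule in rules:
        if rule.matches(interface, protocol, dst_port):
            return rule.action, rule.redirect_to, rule.description
    default = DEFAULT_ACTIONS[(interface, protocol)]
    return default, None, f"default action for {interface}/{protocol}"


def shadowed_rules(rules: List[PortRangeRule]) -> List[str]:
    """Sanity check: descriptions of rules that an earlier rule fully covers,
    so they can never be reached. Useful when reviewing a long filter list."""
    shadowed = []
    for i, later in enumerate(rules):
        if any(earlier.covers(later) for earlier in rules[:i]):
            shadowed.append(later.description)
    return shadowed


# Constructed rule set for the demonstration (addresses are RFC 1918 samples).
RULES = [
    PortRangeRule("external", "tcp", 80, 80, "redirect",
                  "Publish LAN web server", redirect_to="192.168.0.10"),
    PortRangeRule("internal", "tcp", 6667, 6669, "drop",
                  "Block IRC from the LAN"),
    PortRangeRule("internal", "tcp", 6668, 6668, "allow",
                  "Never reached: covered by the IRC block above"),
]

if __name__ == "__main__":
    for pkt in [("external", "tcp", 80), ("external", "tcp", 23),
                ("internal", "tcp", 6667), ("internal", "udp", 53)]:
        print(pkt, "->", evaluate(RULES, *pkt))
    print("shadowed:", shadowed_rules(RULES))
```

    Running the block shows port 80 from the Internet being redirected to the LAN web server, any other inbound port falling to the external deny default, and LAN traffic allowed except where an explicit drop filter overrides the internal default. The `shadowed_rules` check is the kind of review worth doing on a real filter list: a later, narrower rule hidden behind a broader one silently never applies.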

    In simple terms, the Use Syn cookies option allows WinGate to validate a TCP session before its packets are allowed to enter the port, by keeping track of valid ACK responses from a host on the Internet, so that bogus packets (as used in a network attack called a SYN flood) have less chance of penetrating WinGate's defences.
    This option is not ticked by default, to allow for maximum application session compatibility, and should only be enabled by administrators who are experienced with TCP session mechanisms.
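    As an added illustration of the mechanism the option relies on (this is not WinGate's implementation): a SYN cookie encodes the handshake details into the server's initial sequence number instead of holding a half-open connection in memory, so a flood of SYNs that never complete the handshake costs the server nothing to remember. The cookie layout (8 bits of time slot plus a 24-bit MAC), the 64-second slot length, the secret, and the sample addresses below are all assumptions made for the example.

```python
"""SYN-cookie handshake check, constructed example (not WinGate code).

Layout assumption: the server ISN is <8-bit time slot><24-bit HMAC tag>.
The tag binds the cookie to the 4-tuple, the client's ISN and the slot, so
only a client that really received the SYN-ACK can produce the matching ACK.
"""
import hashlib
import hmac

SECRET = b"constructed-demo-secret"  # real servers use a random, rotating key
SLOT_SECONDS = 64                     # assumed cookie time-slot length
MAX_SLOT_AGE = 2                      # accept cookies up to this many slots old


def _slot(now: int) -> int:
    """8-bit time slot derived from a wall-clock second count."""
    return (now // SLOT_SECONDS) & 0xFF


def _tag(src_ip: str, dst_ip: str, sport: int, dport: int,
         client_isn: int, slot: int) -> bytes:
    """24-bit HMAC tag over the handshake details and the time slot."""
    msg = f"{src_ip}|{dst_ip}|{sport}|{dport}|{client_isn}|{slot}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).digest()[:3]


def make_cookie(src_ip: str, dst_ip: str, sport: int, dport: int,
                client_isn: int, now: int) -> int:
    """Server ISN to place in the SYN-ACK; nothing needs to be stored."""
    slot = _slot(now)
    tag = int.from_bytes(_tag(src_ip, dst_ip, sport, dport, client_isn, slot),
                         "big")
    return (slot << 24) | tag


def check_ack(src_ip: str, dst_ip: str, sport: int, dport: int,
              seq: int, ack: int, now: int) -> bool:
    """Validate the third handshake packet.

    The client's ACK carries seq = client_isn + 1 and ack = cookie + 1.
    Recompute the cookie for the slot embedded in it and accept only if the
    tag matches and the slot is recent.
    """
    cookie = (ack - 1) & 0xFFFFFFFF
    client_isn = (seq - 1) & 0xFFFFFFFF
    slot = cookie >> 24
    age = (_slot(now) - slot) & 0xFF
    if age > MAX_SLOT_AGE:
        return False  # stale cookie, or a forged slot value
    expected = _tag(src_ip, dst_ip, sport, dport, client_isn, slot)
    presented = (cookie & 0xFFFFFF).to_bytes(3, "big")
    return hmac.compare_digest(expected, presented)


def simulate_handshake(now: int, forged: bool = False) -> bool:
    """Run one constructed handshake; `forged` sends an ACK the client could
    not have derived from a real SYN-ACK."""
    src, dst, sport, dport, client_isn = "198.51.100.7", "203.0.113.5", 40000, 80, 1000
    cookie = make_cookie(src, dst, sport, dport, client_isn, now)   # SYN -> SYN-ACK
    ack = cookie + 2 if forged else cookie + 1                       # client ACK
    return check_ack(src, dst, sport, dport, client_isn + 1, ack, now + 10)


if __name__ == "__main__":
    print("genuine handshake accepted:", simulate_handshake(100000))
    print("forged ACK accepted:", simulate_handshake(100000, forged=True))
```

    The compatibility caveat the article raises has a concrete cause in this design: everything the server knows about the connection has to fit in the 32-bit sequence number, so TCP options negotiated in the SYN (such as window scaling or selective acknowledgement) cannot be carried in a classic cookie and are lost unless the implementation encodes them separately.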

    Under Options
    • Use standard time out values is the default setting, and these values generally never need to be altered.
      Setting packets to never time out is considered dangerous and is not recommended.
    • If Notify when this range is accessed is ticked, accesses to the range are displayed in the Firewall tab in GateKeeper.
    • The Cloak connection failures option is ticked by default. In simple terms, when a would-be attacker scans the WinGate server to find vulnerable ports, WinGate disguises the port's status so that it is overlooked by the port scanner. For an explanation of port cloaking, please refer to the WinGate help file.