Thread: Wampserver behind ZoneAlarm Internet Security Suite

  1. #1
    enoza Guest

    Wampserver behind ZoneAlarm Internet Security Suite

    Hi,

    One of the PCs in our home WLAN is hosting a Wampserver 2.0 (Apache v.2.2.6 and PHP v.5.2.5). Changing to ZoneAlarm Internet Security Suite as the firewall for three of our PCs, the one with the webserver included, has resulted in facing some challenges!

    For the two 'ordinary' PCs no problems at all, but the one with the webserver has caused a lot of thinking and searching, without any solution so far.
    I have no experience with a webserver behind ZoneAlarm, so I hope someone can help me with the configuring of it.
    I have tried to search for the right solution, but haven't found a match so far.

    Thanks,

    Eno

    Operating System: Windows XP Home Edition
    Software Version: 7.0
    Product Name: ZoneAlarm Internet Security Suite

  2. #2
    Join Date: Dec 2005
    Posts: 9,056

    Re: Wampserver behind ZoneAlarm Internet Security Suite

    I have no experience with this either!

    OK.
    Is this just a server for your LAN or for the internet?
    For specific IPs of the web or LAN, or is this an open server to all on the internet?
    Is this just an HTTP server, or is this an email or an FTP server?
    Is the server placed in the DMZ of the hardware firewall or not?
    A router in front of the LAN or a commercial firewall in front of the LAN?
    Type of internet connection: DSL or cable?
    Sharing with the other PCs of your LAN or no sharing?
    Will the server allow connections to be made from PCs/servers on the internet?
    Have you implemented any Expert rules or made any changes as of yet? What are these changes?

    Oldsod.
    Best regards.
    oldsod

  3. #3
    enoza Guest

    Re: Wampserver behind ZoneAlarm Internet Security Suite

    Thanks,

    here are the answers to your questions:

    "Is this just a server for your lan or for the internet?"
    *For the Internet.

    "For specific IPs of the web or lan or is this an open server to all on the internet?"
    *Open server to all on the Internet.

    "Is this just a http server or is this an email or a ftp server?"
    *A http server, so far.

    "Is the server placed in the DMZ of the hardware firewall or not?"
    *Not.

    "A router in front of the lan or a commercial firewall in front of the lan?"
    *A router.

    "Type of internet connection- dsl or cable?"
    *dsl

    "Sharing with the other PC of your lan or no sharing?"
    *Sharing

    "Will the server allow connections to be made from PC/servers of the internet?"
    *Yes, will allow connections from the Internet.

    "Have you implemented any Expert rules or made any changes as of yet? What are these changes?"
    *No Expert rules for the time being. The Apache HTTP Server is given access to the trusted and the internet zones, and can act as a server both in the trusted and the internet zones.

  4. #4
    Join Date: Dec 2005
    Posts: 9,056

    Re: Wampserver behind ZoneAlarm Internet Security Suite

    Considering that all local PCs will share with the server, this does present some security issues.
    The PC with the server should have a statically assigned IP from the DHCP server (your router), and that PC's MAC should be locked in the router. This will make it easier for configuring than if these are dynamically assigned.
    This should be applied to the other PCs of the LAN as well.
    Since this is a server to the internet, the server PC must be allowed an open port to the internet; for one it will be port 80 (http) and perhaps even a few more (refer to the manual of the server software or to the kb). This open port must also be applied to the router itself and to the ZA (including any other necessary ports).
    If it is possible, in the router itself, to only allow the opened ports for the particular server PC involved, then this would be ideal.
    The router should now be allowed to reply to pings to allow incoming internet connections.

    The IPs of each of the sharing PC must be added to the Zones of the Firewall as Trusted (also forcing the need for statically assigned IPs).
    The server's IP must be also added as Trusted in the Zones of each of the participating PCs. This will allow for the sharing between themselves.

    The MAC of the router and the MACs of the PCs can be added in the Gateway option found inside the Expert rules of the firewall. This will help eliminate ARP spoofing and possible intruders.
    So will enabling the ARP protection option.

    Broadcast and multicast must be allowed for both the trusted and internet security zones.

    Usually only echo reply (icmp type 0) incoming and echo request (type 8) outgoing is needed for pings; Destination unreachable (icmp type 3) both incoming and outgoing for the internet address is unavailable message; and time exceeded incoming (type 11) is needed for tracert. This is all that is needed for a home user.
    However, for an internet server this does not work. For a server it must be expanded: echo reply for both incoming and outgoing and echo request for both incoming and outgoing, plus time exceeded for both incoming and outgoing. This will allow servers/PCs to contact the server by tracerts and pings.

    Allowing the required ICMP in the appropriate trusted and internet security zones should be sufficient for allowances of the ICMP.

    The server's ZA will basically allow open ports with just the server checks, but the open port can be allowed in the zones security - probably the http port (80) and any other which are involved.
    Or it can be refined in the expert of the firewall and still further refined in the expert of the program (found in the right click of the application and inside the options).

    Besides the local network and internet configuration, the dns must be added as trusted in the zones. Again this can be added to the application particular expert rules and to the expert of the firewall.

    I would suggest setting the alert and logging to maximum sensitivity and increasing the size of the retained logs, not only to see what is blocked and needs to be adjusted, but also for possible security breaches. Any loss of connection or blocked connections can be traced to the IP (source and destination), port (local and remote), direction of the connection and the protocol that is involved.

    There may now be some additional Windows components requiring trusted or internet server rights for the server/local connection to the server to function properly. This could include, but is not limited to, explorer.exe, rundll32.exe, winlogon.exe, userinit.exe, services.exe, lsass.exe, and of course svchost.exe (which should already have trusted server rights).

    Oldsod.
    Best regards.
    oldsod
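A defender-side follow-up to the logging advice in the post above, added here as an example; it is not code from the thread, from the poster, or from ZoneAlarm. It reads constructed sample log lines in a layout that is assumed to match ZoneAlarm's text log export (FWIN/FWOUT, date, time, source ip:port, destination ip:port, protocol with detail) and labels each blocked packet against the advice given above: blocked inbound traffic on the served port, blocked ICMP types that the "home" or "server" profile says should be allowed (0, 3, 8, 11 in the directions the post lists), and blocked traffic from a LAN peer that has not yet been added as Trusted. The log layout, the 192.168.1.0/24 LAN range, the `SAMPLE_LOG` addresses and the label names are all assumptions made for the example.

```python
"""Label blocked packets from a ZoneAlarm-style text log against the thread's advice."""
import re
from collections import Counter
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed sample lines (not captured from any real system). The column
# layout is an assumption modelled on ZoneAlarm's text log export:
#   <FWIN|FWOUT>,<date>,<time tz>,<src ip:port>,<dst ip:port>,<proto> (<detail>)
# FWIN = blocked inbound packet, FWOUT = blocked outbound packet.
SAMPLE_LOG = """\
FWIN,2008/01/10,14:02:11 +1:00 GMT,203.0.113.7:51234,192.168.1.10:80,TCP (flags:S)
FWIN,2008/01/10,14:02:15 +1:00 GMT,203.0.113.7:0,192.168.1.10:0,ICMP (type:8/subtype:0)
FWIN,2008/01/10,14:03:40 +1:00 GMT,198.51.100.22:40000,192.168.1.10:445,TCP (flags:S)
FWOUT,2008/01/10,14:04:02 +1:00 GMT,192.168.1.10:0,203.0.113.7:0,ICMP (type:0/subtype:0)
FWIN,2008/01/10,14:05:20 +1:00 GMT,192.168.1.12:137,192.168.1.10:137,UDP
FWOUT,2008/01/10,14:06:00 +1:00 GMT,192.168.1.10:0,198.51.100.22:0,ICMP (type:11/subtype:0)
FWIN,2008/01/10,14:07:33 +1:00 GMT,198.51.100.9:0,192.168.1.10:0,ICMP (type:13/subtype:0)
"""

# ICMP types the post says to allow, per profile and direction.
# 0 = echo reply, 3 = destination unreachable, 8 = echo request, 11 = time exceeded.
# The "server" profile is the home set expanded to both directions for 0, 8 and 11.
ICMP_POLICY = {
    "home":   {"in": {0, 3, 11},    "out": {3, 8}},
    "server": {"in": {0, 3, 8, 11}, "out": {0, 3, 8, 11}},
}

LINE_RE = re.compile(
    r"^(?P<dir>FWIN|FWOUT),(?P<date>[^,]+),(?P<time>[^,]+),"
    r"(?P<src>[^:,]+):(?P<sport>\d+),(?P<dst>[^:,]+):(?P<dport>\d+),"
    r"(?P<proto>[A-Z]+)(?: \((?P<detail>[^)]*)\))?$"
)


@dataclass(frozen=True)
class Event:
    direction: str          # "in" or "out"
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    icmp_type: Optional[int]


def parse_line(line: str) -> Optional[Event]:
    """Parse one blocked-packet line; return None for lines in another format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    icmp_type = None
    type_match = re.search(r"type:(\d+)", m.group("detail") or "")
    if m.group("proto") == "ICMP" and type_match:
        icmp_type = int(type_match.group(1))
    return Event(
        direction="in" if m.group("dir") == "FWIN" else "out",
        src=m.group("src"), sport=int(m.group("sport")),
        dst=m.group("dst"), dport=int(m.group("dport")),
        proto=m.group("proto"), icmp_type=icmp_type,
    )


def classify(ev: Event, profile: str, served_ports, lan) -> str:
    """Label a blocked packet with the follow-up the post's advice implies."""
    if ev.direction == "in" and ip_address(ev.src) in lan:
        return "lan_peer_not_trusted"       # sharing PC missing from the Trusted zone
    if ev.proto == "ICMP":
        if ev.icmp_type in ICMP_POLICY[profile][ev.direction]:
            return "icmp_rule_missing"      # type the chosen profile should allow
        return "expected_block"
    if ev.direction == "in" and ev.proto == "TCP" and ev.dport in served_ports:
        return "server_port_blocked"        # the http port is not yet open in ZA
    return "expected_block"


def summarise(log_text: str, profile: str = "server",
              served_ports=frozenset({80}), lan_cidr: str = "192.168.1.0/24"):
    """Return (Counter of labels, list of (label, Event)) for every parsed line."""
    lan = ip_network(lan_cidr)
    counts: Counter = Counter()
    findings = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        label = classify(ev, profile, served_ports, lan)
        counts[label] += 1
        findings.append((label, ev))
    return counts, findings


if __name__ == "__main__":
    for profile in ("home", "server"):
        counts, findings = summarise(SAMPLE_LOG, profile=profile)
        print(f"profile={profile}: {dict(counts)}")
        for label, ev in findings:
            if label != "expected_block":
                print(f"  {label:22} {ev.direction:3} {ev.src}:{ev.sport} -> "
                      f"{ev.dst}:{ev.dport} {ev.proto} icmp_type={ev.icmp_type}")
```

Running it with the "server" profile flags the blocked inbound port 80 connection, the three ICMP packets the server profile should permit, and the blocked NetBIOS packet from the LAN peer, while the inbound port 445 probe and the ICMP timestamp request stay labelled as expected blocks; switching to the "home" profile shows the same ICMP packets as correctly blocked, which is the difference the post draws between the two setups.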
