Internet Connection Sharing Security

If a default gateway has been instructed to assign addresses within the AutoIP range, a client that also has an address in the AutoIP range may not be able to detect and synchronize with the gateway properly. This occurs when the client requests to keep an address it already has: if that request is successful, the client does not update the default gateway information. As a result, the client cannot locate the default gateway to reach an external network. This is most likely to occur if a client is powered on before the gateway device is powered on. To avoid this issue, the gateway must be powered on before any client on the private network is powered on. Alternatively, a separate subnet address, such as the default address 192.168.x.x, must be configured.
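The following check is an added example, not part of the original documentation. It flags clients that hold an AutoIP address without a default gateway while the gateway's pool overlaps the AutoIP range (169.254.0.0/16 per RFC 3927). The function names, status strings, and sample client records are constructed for illustration.

```python
import ipaddress
from typing import Optional

# AutoIP (IPv4 link-local) range, RFC 3927.
AUTOIP_NET = ipaddress.ip_network("169.254.0.0/16")

def pool_overlaps_autoip(dhcp_pool: str) -> bool:
    """True if the gateway's DHCP allocation pool overlaps the AutoIP range."""
    return ipaddress.ip_network(dhcp_pool, strict=False).overlaps(AUTOIP_NET)

def audit_client(address: str, gateway: Optional[str], dhcp_pool: str) -> str:
    """Classify one client's IPv4 configuration (hypothetical status names)."""
    if ipaddress.ip_address(address) not in AUTOIP_NET:
        return "ok"                  # separate subnet, e.g. 192.168.x.x
    if not pool_overlaps_autoip(dhcp_pool):
        return "autoip-fallback"     # self-assigned; no lease from the pool
    if not gateway or gateway == "0.0.0.0":
        return "stranded"            # kept its address, gateway never updated
    return "ok"

def audit(clients, dhcp_pool: str) -> dict:
    """Map each client name to its status for the given gateway pool."""
    return {c["name"]: audit_client(c["address"], c["gateway"], dhcp_pool)
            for c in clients}

# Constructed sample inventory (not real hosts).
CLIENTS = [
    {"name": "client-a", "address": "169.254.10.7", "gateway": None},
    {"name": "client-b", "address": "169.254.10.8", "gateway": "169.254.0.1"},
    {"name": "client-c", "address": "192.168.0.12", "gateway": "192.168.0.1"},
]

if __name__ == "__main__":
    for pool in ("169.254.0.0/16", "192.168.0.0/24"):
        print(pool, audit(CLIENTS, pool))
```

A "stranded" result corresponds to the client that was powered on before the gateway; renewing its lease after the gateway is up, or moving the pool to a separate subnet, clears it.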

Internet Connection Sharing (ICS) allows multiple devices on a private or internal network to have access to a larger public or external network, typically the Internet. For more information about ICS and its components (network address translation (NAT), Domain Name System (DNS) Proxy, Dynamic Host Configuration Protocol (DHCP) allocation, and firewall), see the appropriate section of your documentation. Enabling ICS poses the risk that clients on the internal network now have connectivity to the external, more hostile, network.

Best Practices

Enable a firewall on your network device

For enterprise environments, Microsoft recommends a network firewall with intrusion protection, such as Microsoft Internet Security and Acceleration (ISA) Server. For more information, visit this Microsoft Web site.

For information about configuring the IP firewall to properly manage traffic destined for the internal network, see IP Firewall Reference.

Default Registry Settings

You should be aware of the registry settings that impact security. In the registry settings documentation, values with security implications are marked with a Security Note.

For ICS registry information, see Internet Connection Sharing Registry Settings.

Ports

The following table shows the ports that ICS uses. For details, see Internet Connection Sharing Registry Settings.

Port number       Registry values
Defined by OEM    InternalPort
Defined by OEM    Port
3000              ReservedPortsEnd
1025              ReservedPortsStart

See Also

Network Address Translation | Internet Connection Sharing Overview

 Last updated on Thursday, April 08, 2004

© 1992-2003 Microsoft Corporation. All rights reserved.