The UltraTech Zone

Integrating Life, Technology and Business with Andrew S. Baker...

Providing Internet Connectivity Through A Shared Connection

Last post 08-10-2006, 9:29 PM by Logik!. 0 replies.

    Providing Internet Connectivity Through A Shared Connection

    These days, there are many homes with more than one computer, and most of these computer users are going to want all of their machines to share their Internet connectivity.  If you are one of these users, then following the guidelines below will enable you to configure a Windows-based (or predominantly Windows-based) network and share the Internet connection. This document focuses on connectivity via Hubs or Switches, as opposed to using cross-over cables between two systems.



    Choosing Your Internet Gateway

    When deploying an Internet gateway for a Windows-based network, you have at least the following options:
    Gateway Category     Product Examples
    NAT software         ICS, RRAS, WinRoute Pro
    Proxy software       MSProxy, WinGate, WinProxy, AnalogX, Squid
    Broadband Router     LinkSys, SMC, Netgear, D-Link
    OS-based Firewall    ISA, CheckPoint, Raptor
    Hardware Appliance   Nokia, Netscreen, Bivio, Pix, SonicWall, WatchGuard
    Open Source FW       Linux/IPChains, Linux/IPTables, OpenBSD/PF

    This list is loosely in order of increasing flexibility.  There are some exceptions as you will see in the rest of the document. Your choice of firewall or gateway equipment will depend on a wide variety of criteria, including cost, space, power consumption and configuration complexity.

    Your basic consumer-level router/firewall appliance (generally referred to as a Broadband Router) will allow you to share one IP address from your ISP among up to 254 internal IP addresses of your choosing.

    For most home users, this is more than adequate. However, if your ISP provides you with 2 or more external IPs, then these low-end appliances typically don't allow you to use any of the extra IP addresses.

    Higher-end devices from Netscreen, SonicWall, WatchGuard and others allow you to share any number of external IP addresses among any number of internal hosts. This can also be accomplished with some of the higher-end software products such as WinRoute, or any Linux/BSD solution.  These products also differ from the broadband routers in that they can regulate outbound traffic as well as inbound traffic, reducing the need to run a desktop firewall on each machine that resides behind the primary network firewall.


    Routers, Hubs, Switches

    Each of these devices plays a particular role in the formation of networks.

    HUBS and SWITCHES allow systems to speak to each other and form a local area network. The difference between a hub and a switch is that all systems connected to a hub must share the bandwidth of the hub, and can see traffic destined for all systems on that hub. On the other hand, a switch provides dedicated bandwidth to each system and allows them to see only the traffic that is destined for them.  Think of a Hub as a walkie-talkie, and a Switch as a telephone.

    A ROUTER is used to provide connectivity between two separate networks -- a common example being the connectivity between a LAN and the Internet.

    A BRIDGE is a device that allows you to extend one network to encompass other systems that would normally be considered a separate network. As an example, most broadband (Cable/DSL) modems extend the ISP's network into your house -- until you stick a router/firewall between the modem and your LAN. Another example of a BRIDGE would be Wireless Access Points.

    •  HUB/SWITCH -- Connects machines together to form a LAN.
    •  ROUTER -- Connects two different networks together.
    •  BRIDGE -- Allows two networks to act as a single network.
    •  BROUTER -- Combines BRIDGE and ROUTER functionality.


    IP Addressing Considerations

    This subject is addressed at length here.


    Internet Connectivity

    Network Address Translation (NAT) will allow you to share one or more ISP-provided IP addresses for all of your systems to connect to the Internet (or another network). This can be done with hardware or software, as appropriate.

    According to RFC 1918, the following addresses are available for private networks:

    •  192.168.#.#
    •  172.16.#.# - 172.31.#.#
    •  10.#.#.#

    And here is the equipment you will need to get started:

    •  Two or more computers
    •  Network Cards for each system (wired or wireless)
    •  Extra Network Card for gateway system (unless using Router or Firewall Appliance)
    •  One Hub or Switch (or Router w/integrated switch)
    •  CAT5 (or better) for each wired system
    •  Extra CAT5 for connecting gateway device to ISP
    •  Wireless Access Point (optional)

    The diagrams below represent the most popular configurations for connecting a LAN to the Internet. In Diagram 1, the LAN is an extension of the ISP's network (bridged) and uses IP addresses provided by the ISP.  In Diagrams 2, 3 and 4, the local network is using the 172.30.50.x range of addresses.  Finally, Diagram 5 outlines a site-to-site VPN between two offices.


    LAN to Internet Connectivity via Hub and Cross-over CAT5 Cable

    Diagram #1 below.

    This configuration is not too common anymore as it relies on the ISP to provide multiple addresses via DHCP. It also puts your network right on the ISP's network, along with everyone else who is configured similarly. This is very unsafe, unless every machine on your network is locked down with a personal firewall. Generally, this is the least desirable configuration.

    [Diagram #1 -- LAN to Internet Connectivity via Hub and Cross-over CAT5 Cable]


    LAN to Internet Connectivity via NAT, Proxy or Firewall Software

    Diagram #2 below.

    This configuration is very common, and not very expensive as there are plenty of free NAT and Proxy products available.  Also, ICS is provided with Windows 98SE and higher. This option is great if you just want to get a number of machines online to surf and get email, but not as flexible if you want to host any services or games from your network (unless you go with Linux/BSD).  As a reminder, NAT does provide a layer of security for your network, but it is NOT a firewall.

    The primary exception to this is WinRoute Pro, which rivals the higher-end devices -- and enterprise firewall software in general -- in terms of flexibility and features, while costing far less than those other products.

    This category of Internet connectivity options also includes Linux and BSD-based firewalls which can be obtained for free. There are a number of Linux distributions that are firewall-only, such as IPCop, SmoothWall and Coyote Linux...

    One drawback common to all the products in this diagram is that the machine sharing the connection must always be running.

    [Diagram #2 -- LAN to Internet Connectivity via NAT, Proxy or Firewall Software]


    LAN to Internet Connectivity via Firewall Appliance or Broadband Router
    Diagram #3 below.

    This configuration is becoming increasingly common as broadband routers and higher-end firewall appliances come down in price.  Among the many benefits of these products are a small footprint, low power consumption, more extensive firewall protection, and the ability to host services from your LAN.

    Be sure that any broadband router you consider has actual firewall features and not just NAT.

    The higher-end firewall appliances also support VPN (Virtual Private Networks).  Their flexibility is only exceeded by the Open Source firewall products, but their size and power requirements can often offset their cost.  Great for small to medium offices.

    [Diagram #3 -- LAN to Internet Connectivity via Firewall Appliance or Broadband Router]


    LAN to Internet Connectivity with Active Directory Domains
    Diagram #4 below.

    This configuration is almost identical to those of #2 and #3, but with special emphasis on the DNS settings for an Active Directory domain. It is imperative that the server and clients in such a configuration be set up to point to the Active Directory server for DNS, and that the server be configured to use the ISP's DNS via forwarders (if at all).

    [Diagram #4 -- LAN to Internet Connectivity with Active Directory Domains]


    Site-To-Site VPN Connectivity between two Offices
    Diagram #5 below.

    This configuration is not a typical Internet Connectivity diagram. Instead, it shows how you might connect two small offices together with a VPN, rather than using a dedicated leased line.

    Look for a separate VPN document shortly...

    [Diagram #5 -- Site-To-Site VPN Connectivity between two Offices]


    Basic Security

    The need for security on the Internet is not always understood or accepted. As such, it is addressed here in greater detail.

    If you have a Windows machine as the gateway or router, be sure that you unbind NETBIOS from the external-facing NIC (the NIC that is connected to your broadband modem, not the NIC which has an internal IP address).

    In Windows 2000 and later, this setting is found on the WINS tab under "Advanced TCP/IP" properties: select "Disable NetBIOS over TCP/IP".

    Windows 2003, with Service Pack 1, provides additional tools such as the Security Configuration Wizard (SCW).


    MULTIPLE PROTOCOLS

    For the most part, the fewer protocols you install on your systems, the less you will expose yourself to certain network configuration issues. There are a few instances, however, where an additional protocol can be useful.

    Without some sort of NAT or Proxy between you and your ISP, your network is readily exposed to any of your neighbors who have a similar configuration (which will be many of them).

    If you connect multiple machines to your ISP via a hub or a switch, but without a firewall/router, then you should consider installing a second protocol on your systems (e.g. IPX or NETBEUI) and then disable all file-sharing capabilities over TCP/IP.

    In addition to disabling NetBIOS over TCP/IP, all Internet traffic to or from the following IP ports should be blocked with a personal firewall:

    TCP/UDP 135, 137-139, 445

    All in all, it is still better to deploy a network router/firewall and go with a TCP/IP-only network.


    PERSONAL FIREWALLS

    Make use of Personal and/or Network firewalls, and be sure to configure Auditing and File/Share level permissions for all your resources.

    Most broadband routers have firewalls that will only protect you from unknown inbound traffic. They won't, however, alert you to, or protect you from, spyware or other apps that you've downloaded and knowingly or unwittingly installed. So, if you're not using a high-end firewall that can regulate traffic in both directions, it is advisable to install a personal firewall on your system(s).

    Antivirus protection is a very important part of network security, and bears mentioning here, particularly since worms and trojans can be spread more quickly through a network than by stand-alone systems.



    VPNs & REMOTE ACCESS

    If you (or anyone else) need to have connectivity to your network from a remote location, you should consider the use of a VPN, rather than opening up your systems directly to the Internet. The easier you make it for someone to connect remotely, the easier it is for folks with port scanners and too much idle time on their hands.


    AUDITING & LOGGING

    Auditing is a very important part of security, and should not be overlooked, even on a stand-alone, home system.

    If your router software/hardware supports it, set up a syslog server and process the messages from your router or firewall. It doesn't make any sense for you to have the info if you're not looking at it and taking any appropriate action.

    Also, use strong passwords and change them frequently. Once every 45 days is reasonable. Don't use the same passwords on your network that you use on websites.

    Periodically scan your own network with security tools to ensure that everything you want to have protected is still being protected adequately. If you decide to use external parties to probe your network, be sure that you use reputable organizations. Otherwise, they could use what they learn to cause you grief later.
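The ports listed under MULTIPLE PROTOCOLS and the syslog advice above come together in a small log review: this added example (not from the original post) parses constructed, netfilter-LOG-style syslog lines from a Linux/IPTables gateway and flags inbound hits on the NetBIOS/SMB/RPC ports. The interface name `eth0` and the log format are assumptions; the addresses are documentation ranges, not real traffic.

```python
import re
from collections import Counter

# Ports the text says must be blocked at the perimeter (TCP and UDP).
BLOCKED_PORTS = {135, 137, 138, 139, 445}
EXTERNAL_IF = "eth0"  # assumed name of the ISP-facing interface

# Constructed sample in the netfilter LOG-target style as written to syslog.
# 64.0.0.1 stands in for the page's "64.x.x.x" public address.
SAMPLE_LOG = """\
Aug 10 21:29:01 gw kernel: IN=eth0 OUT= SRC=203.0.113.45 DST=64.0.0.1 PROTO=TCP SPT=4455 DPT=445
Aug 10 21:29:02 gw kernel: IN=eth0 OUT= SRC=203.0.113.45 DST=64.0.0.1 PROTO=TCP SPT=4456 DPT=139
Aug 10 21:29:05 gw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=64.0.0.1 PROTO=UDP SPT=137 DPT=137
Aug 10 21:29:09 gw kernel: IN=eth0 OUT= SRC=198.51.100.9 DST=64.0.0.1 PROTO=TCP SPT=51000 DPT=3389
Aug 10 21:29:12 gw kernel: IN=eth1 OUT= SRC=172.30.50.12 DST=172.30.50.11 PROTO=TCP SPT=1100 DPT=445
"""

FIELD_RE = re.compile(r"\b([A-Z]+)=(\S*)")


def parse_line(line):
    """Return the KEY=VALUE fields of one log line as a dict (empty if none)."""
    return dict(FIELD_RE.findall(line))


def netbios_hits(log_text):
    """Yield (src, proto, dport) for packets arriving on the external interface
    aimed at a blocked port. LAN-side traffic (eth1) is left alone: the point
    is Internet exposure, not internal file sharing."""
    for line in log_text.splitlines():
        f = parse_line(line)
        if f.get("IN") != EXTERNAL_IF:
            continue
        try:
            dport = int(f.get("DPT", ""))
        except ValueError:
            continue  # malformed or port-less line (e.g. ICMP)
        if dport in BLOCKED_PORTS:
            yield f.get("SRC", "?"), f.get("PROTO", "?"), dport


def summarize(log_text):
    """Count hits per source address so repeat probers stand out."""
    return Counter(src for src, _, _ in netbios_hits(log_text))


if __name__ == "__main__":
    for src, proto, dport in netbios_hits(SAMPLE_LOG):
        print(f"blocked-port probe: {src} -> {proto}/{dport}")
    print(summarize(SAMPLE_LOG))
```

Feed it the syslog file your router writes instead of `SAMPLE_LOG`; a source that shows up repeatedly across 137-139 and 445 is the pattern worth a closer look.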


    The DMZ (Demilitarized Zone)

    On a properly designed enterprise network, you will often find a DMZ in place. The purpose of a DMZ is to segment the network between heavily accessed, public boxes, and sensitive internal systems. Web, FTP, and Mail servers are commonly found in a DMZ, while Database and Middleware servers remain in the safety of the internal network.

    A DMZ is generally separated from the Internal network using a firewall. You can use separate, discrete firewalls for each protected segment, or just use different interfaces on a single firewall. Both methods have their PROs and CONs.  Smaller environments are more apt to use a single firewall with multiple interfaces, than are larger organizations.

    Most broadband routers/firewalls have a DMZ feature which allows you to place a single host completely outside the protection of the firewall. This is done for compatibility with games or other apps that might not be appreciative of the router's NAT functionality. This is very different from an enterprise-level DMZ, in that (with the router) there is absolutely no protection for the host in question.


    Hosting Network Apps Through Firewalls

    You'll also want to familiarize yourself with the ports of various applications and services, such that you can provide those services to machines running on your network behind NAT or firewalls.

    Generally speaking, systems behind a NAT can initiate connections to services on other systems with public IPs, but they cannot be the recipient of service requests without the use of Port Mapping or Port Forwarding. The more robust broadband routers and firewalls use a technique called Port Forwarding to allow a TCP or UDP port on your Public IP to be directed to a specific machine inside your network. This facilitates running an FTP or Web server behind a NAT, for example.

    Essentially, port forwarding works as follows: You tell the firewall to accept traffic from specific ports on the external IP address, and pass it through to the same port number of a specific internal IP address.

    Here's an example for allowing Remote Desktop (or Terminal Services) traffic into your network:

    64.x.x.x:3389 mapped to 172.30.50.11:3389

    If you have an application that you want to map to multiple clients on your LAN, you will need to map multiple external ports to internal ones.

    64.x.x.x:3389 mapped to 172.30.50.11:3389
    64.x.x.x:3390 mapped to 172.30.50.12:3389
    64.x.x.x:3391 mapped to 172.30.50.13:3389
    64.x.x.x:3392 mapped to 172.30.50.14:3389

    The application in question must support choosing a port from the client side, or this won't work. Also, this type of functionality generally requires that you use static IP addresses or reserved DHCP addresses.
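To make the port-forwarding mechanism (and the RFC 1918 rule from the Internet Connectivity section) concrete, here is an added example, not code from the original post: a small model of a NAT device's forwarding table using the four Remote Desktop mappings above. It checks that each internal target is an RFC 1918 address and that no external port is mapped twice, then translates inbound packets and the replies. `64.0.0.1` is an assumed stand-in for the page's `64.x.x.x`.

```python
import ipaddress

# The three RFC 1918 ranges listed in the text.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

PUBLIC_IP = "64.0.0.1"  # assumed stand-in for the ISP-assigned 64.x.x.x

# (external port, internal IP, internal port), as in the text above.
RULES = [
    (3389, "172.30.50.11", 3389),
    (3390, "172.30.50.12", 3389),
    (3391, "172.30.50.13", 3389),
    (3392, "172.30.50.14", 3389),
]


def is_rfc1918(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def build_table(rules):
    """Turn the rule list into a lookup table, refusing configurations that
    a real router would silently mangle: a non-private target, or the same
    external port pointed at two hosts (why the text steps 3390, 3391, ...)."""
    table = {}
    for ext_port, int_ip, int_port in rules:
        if not is_rfc1918(int_ip):
            raise ValueError(f"{int_ip} is not an RFC 1918 address")
        if ext_port in table:
            raise ValueError(f"external port {ext_port} already mapped")
        table[ext_port] = (int_ip, int_port)
    return table


def forward_inbound(table, public_ip, dst_ip, dst_port):
    """Rewrite an inbound packet's destination. None means no mapping exists,
    so NAT has nowhere to send it and the packet is dropped."""
    if dst_ip != public_ip:
        return None
    return table.get(dst_port)


def translate_reply(table, public_ip, src_ip, src_port):
    """Reverse translation for the server's reply back to the Internet."""
    for ext_port, target in table.items():
        if target == (src_ip, src_port):
            return public_ip, ext_port
    return None


if __name__ == "__main__":
    table = build_table(RULES)
    print(forward_inbound(table, PUBLIC_IP, PUBLIC_IP, 3390))  # 172.30.50.12:3389
    print(forward_inbound(table, PUBLIC_IP, PUBLIC_IP, 445))   # None: not mapped
```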


    IDENTIFYING PORTS

    You will need to identify which ports are needed for each application that you wish to support. For most common services, a Google search (or the vendor of the application) will produce a fast answer.

    Or, if you're feeling especially brave, you can open up all ports and log the traffic that is generated by the application.  Generally, this is NOT advisable, as it only takes a few moments of exposure for your system to be compromised.



    Getting Your Own Domain

    In order to set yourself up with a permanent name on the Internet, and facilitate email and web hosting, you can obtain your very own domain name.

    Verisign is probably the most popular registrar (having purchased NetworkSolutions) but they are hardly the best in terms of service or price. Here are some other registrars which make it simple and easy to get a domain name, along with other hosting services, for a very good price:



    Determine Your ISP-Provided IP Address

    Use the following website to determine what your external IP address is at any time:

    If you have a dynamic ISP-provided address, yet you wish to have an easy way to reach your systems from a remote network, you should make use of one of the many dynamic IP naming services:



    Other Security Resources



    Related Knowledgebase Articles


    ASB: http://XeeSM.com/AndrewBaker
    Providing Competitive Advantage through Effective IT Leadership

