Technology Integration Services by BrainWave Consulting Company, LLC - Because Good Technology Means Better Business


Network Basics


Last updated: 22 October 2006 ; Supplements this Knowledgebase Article.

Providing Internet Connectivity Through A Shared Connection

These days, there are many homes with more than one computer, and most of these computer users are going to want all of their machines to share their Internet connectivity.  If you are one of these users, then following the guidelines below will enable you to configure a Windows-based (or predominantly Windows-based) network and share the Internet connection. This document focuses on connectivity via Hubs or Switches, as opposed to using cross-over cables between two systems.

Choosing Your Internet Gateway

When deploying an Internet gateway for a Windows-based network, you have at least the following options:
Gateway Category      Product Examples
NAT software          ICS, RRAS, WinRoute Pro
Proxy software        MSProxy, WinGate, WinProxy, AnalogX, Squid
Broadband Router      LinkSys, SMC, Netgear, D-Link
OS-based Firewall     ISA, CheckPoint, Raptor
Hardware Appliance    Nokia, Netscreen, Bivio, Pix, SonicWall, WatchGuard
Open Source FW        Linux/IPChains, Linux/IPTables, OpenBSD/PF

This list is loosely in order of increasing flexibility.  There are some exceptions as you will see in the rest of the document. Your choice of firewall or gateway equipment will depend on a wide variety of criteria, including cost, space, power consumption and configuration complexity.

Your basic consumer-level router/firewall appliance (generally referred to as a Broadband Router) will allow you to share one IP address from your ISP among up to 254 internal IP addresses of your choosing.

For most home users, this is more than adequate. However, if your ISP provides you with 2 or more external IPs, then these low-end appliances typically don't allow you to use any of the extra IP addresses.

Higher-end devices from Netscreen, SonicWall, WatchGuard and others, allow you to share any number of external IP addresses among any number of internal hosts. This can also be accomplished with some of the higher-end software products such as WinRoute, or any Linux/BSD solution.  These products also differ from the broadband routers in that they can regulate outbound traffic as well as inbound traffic, reducing the need to run a desktop firewall on each machine that resides behind the primary network firewall.

Routers, Hubs, Switches

Each of these devices plays a particular role in the formation of networks.

HUBS and SWITCHES allow systems to speak to each other and form a local area network. The difference between a hub and a switch is that all systems connected to a hub must share the bandwidth of the hub, and can see traffic destined for all systems on that hub. On the other hand, a switch provides dedicated bandwidth to each system and allows them to see only the traffic that is destined for them.  Think of a Hub as a walkie-talkie, and a Switch as a telephone.

A ROUTER is used to provide connectivity between two separate networks -- a common example being the connectivity between a LAN and the Internet.

A BRIDGE is a device that allows you to extend one network to encompass other systems that would normally be considered a separate network. As an example, most broadband (Cable/DSL) modems extend the ISP's network into your house -- until you stick a router/firewall between the modem and your LAN. Another example of a BRIDGE would be Wireless Access Points.

  •  HUB/SWITCH: Connects machines together to form a LAN.

  •  ROUTER: Connects two different networks together.

  •  BRIDGE: Allows two networks to act as a single network.

  •  BROUTER: Combines BRIDGE and ROUTER functionality.

IP Addressing Considerations

This subject is addressed at length here.

Internet Connectivity

Network Address Translation (NAT) will allow you to share one or more ISP-provided IP addresses for all of your systems to connect to the Internet (or another network). This can be done with hardware or software, as appropriate.

According to RFC 1918, the following addresses are available for private networks:

  •  192.168.#.#

  •  172.16.#.# - 172.31.#.#

  •  10.#.#.#

And here is the equipment you will need to get started:

  •  Two or more computers

  •  Network Cards for each system (wired or wireless)

  •  Extra Network Card for gateway system (unless using Router or Firewall Appliance)

  •  One Hub or Switch (or Router w/integrated switch)

  •  CAT5 (or better) for each wired system

  •  Extra CAT5 for connecting gateway device to ISP

  •  Wireless Access Point (optional)

The diagrams below represent the most popular configurations for connecting a LAN to the Internet. In Diagram 1, the LAN is an extension of the ISP's network (bridged) and uses IP addresses provided by the ISP.  In Diagrams 2, 3 and 4, the local network is using the 172.30.50.x range of addresses.  Finally, Diagram 5 outlines a site-to-site VPN between two offices.

 

LAN to Internet Connectivity via Hub and Cross-over CAT5 Cable

This configuration is not too common anymore as it relies on the ISP to provide multiple addresses via DHCP. It also puts your network right on the ISP's network, along with everyone else who is configured similarly. This is very unsafe, unless every machine on your network is locked down with a personal firewall. Generally, this is the least desirable configuration.

[Diagram #1: LAN to Internet Connectivity via Hub and Cross-over CAT5 Cable]

 

LAN to Internet Connectivity via NAT, Proxy or Firewall Software

This configuration is very common, and not very expensive as there are plenty of free NAT and Proxy products available.  Also, ICS is provided with Windows 98SE and higher. This option is great if you just want to get a number of machines online to surf and get email, but not as flexible if you want to host any services or games from your network (unless you go with Linux/BSD).  As a reminder, NAT does provide a layer of security for your network, but it is NOT a firewall.

The primary exception to this is WinRoute Pro, which rivals the higher end devices -- and enterprise firewall software firewalls in general -- in terms of flexibility and features, while costing far less than those other products. 

This category of Internet connectivity options also includes Linux and BSD-based firewalls which can be obtained for free. There are a number of Linux distributions that are firewall-only, such as IPCop, SmoothWall and Coyote Linux...

One drawback common to all the products in this diagram is that the machine sharing the connection must always be running.

[Diagram #2: LAN to Internet Connectivity via NAT, Proxy or Firewall Software]

 

LAN to Internet Connectivity via Firewall Appliance or Broadband Router

This configuration is becoming increasingly common as broadband routers and higher-end firewall appliances come down in price.  Among the many benefits of these products are a small footprint, low power consumption, more extensive firewall protection, and the ability to host services from your LAN.

Be sure that any broadband router you consider has actual firewall features and not just NAT.

The higher-end firewall appliances also support VPNs (Virtual Private Networks).  Their flexibility is exceeded only by the Open Source firewall products, but the size and power requirements of a PC running one of those can often offset its lower cost.  The appliances are great for small to medium offices.

[Diagram #3: LAN to Internet Connectivity via Firewall Appliance or Broadband Router]

 

LAN to Internet Connectivity with Active Directory Domains

This configuration is almost identical to those of #2 and #3, but with special emphasis on the DNS settings for an Active Directory domain. It is imperative that the server and clients in such a configuration be set up to point to the Active Directory server for DNS, and that the server be configured to use the ISP's DNS via forwarders (if at all).

[Diagram #4: LAN to Internet Connectivity with Active Directory Domains]

 

Site-To-Site VPN Connectivity between two Offices

This configuration is not a typical Internet Connectivity diagram. Instead, it shows how you might connect two small offices together with a VPN, rather than using a dedicated leased line.

Look for a separate VPN document shortly...

[Diagram #5: Site-To-Site VPN Connectivity between two Offices]

 

 

Basic Security

The need for security on the Internet is not always understood or accepted. As such, it is addressed here in greater detail.

If you have a Windows machine as the gateway or router, be sure that you unbind NetBIOS from the external-facing NIC (the NIC that is connected to your broadband modem, not the NIC which has an internal IP address).

In Windows 2000 and later, this setting is on the WINS tab under "Advanced TCP/IP" properties: select "Disable NetBIOS over TCP/IP".

Windows 2003, with Service Pack 1, provides additional tools such as the Security Configuration Wizard (SCW).

MULTIPLE PROTOCOLS

For the most part, the fewer protocols you install on your systems, the less exposure you will have to certain network configuration issues. There are a few instances, however, where installing an additional protocol can be useful.

Without some sort of NAT or Proxy between you and your ISP, your network is readily exposed to any of your neighbors who have a similar configuration (which will be many of them).

If you connect multiple machines to your ISP via a hub or a switch, but without a firewall/router, then you should consider installing a second protocol on your systems (e.g. IPX or NETBEUI) and then disable all file-sharing capabilities over TCP/IP.

In addition to disabling NetBIOS over TCP/IP, all Internet traffic to or from the following IP ports should be blocked with a personal firewall:

TCP/UDP 135, 137-139, 445

All in all, it is still better to deploy a network router/firewall and go with a TCP/IP-only network.

PERSONAL FIREWALLS

Make use of Personal and/or Network firewalls, and be sure to configure Auditing and File/Share level permissions for all your resources.

Most broadband routers have firewalls that will only protect you from unknown inbound traffic. They won't, however, alert you to, or protect you from, spyware or other apps that you've downloaded and knowingly or unwittingly installed. So, if you're not using a high-end firewall that can regulate traffic in both directions, it is advisable to install a personal firewall on your system(s).

Antivirus protection is a very important part of network security, and bears mentioning here, particularly since worms and trojans can be spread more quickly through a network than by stand-alone systems.

VPNs & REMOTE ACCESS

If you (or anyone else) need to have connectivity to your network from a remote location, you should consider the use of a VPN, rather than opening up your systems directly to the Internet. The easier you make it for someone to connect remotely, the easier it is for folks with port scanners and too much idle time on their hands.

AUDITING & LOGGING

Auditing is a very important part of security, and should not be overlooked, even on a stand-alone, home system.

If your router software/hardware supports it, set up a syslog server and process the messages from your router or firewall. It doesn't make any sense to collect the information if you're not looking at it and taking appropriate action.

Also, use strong passwords and change them frequently. Once every 45 days is reasonable. Don't use the same passwords on your network that you use on websites.

Periodically scan your own network with security tools to ensure that everything you want to have protected is still being protected adequately. If you decide to use external parties to probe your network, be sure that you use reputable organizations. Otherwise, they could use what they learn to cause you grief later.
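As an added example of "processing the messages" from a syslog server (this is not code from the original article), the script below parses firewall log lines and reports on the NetBIOS/SMB ports that the MULTIPLE PROTOCOLS section says should be blocked: which Internet sources are probing them, whether any such probe was accepted (a rule gap), and whether any LAN host is trying to reach those ports on the Internet. The log lines are constructed for this example in the iptables LOG-target style mentioned in the gateway table; the interface names eth0/eth1, the FW-DROP/FW-ACCEPT prefixes and the addresses are assumptions.

```python
import re
from collections import Counter

# Ports the article says to block at the Internet boundary: TCP/UDP 135,
# 137-139 and 445 (RPC endpoint mapper, NetBIOS name/datagram/session, SMB).
NETBIOS_SMB_PORTS = {135, 137, 138, 139, 445}

# Constructed sample syslog lines in the iptables LOG-target style
# (assumption: the gateway forwards its firewall log to a syslog server
# that stores lines like these). Addresses are documentation ranges;
# eth0 is the WAN side and eth1 the LAN side.
SAMPLE_LOG = """\
Oct 22 10:01:02 gw kernel: FW-DROP IN=eth0 OUT= SRC=198.51.100.23 DST=203.0.113.10 PROTO=TCP SPT=4321 DPT=445
Oct 22 10:01:03 gw kernel: FW-DROP IN=eth0 OUT= SRC=198.51.100.23 DST=203.0.113.10 PROTO=TCP SPT=4322 DPT=139
Oct 22 10:01:09 gw kernel: FW-DROP IN=eth0 OUT= SRC=198.51.100.77 DST=203.0.113.10 PROTO=UDP SPT=137 DPT=137
Oct 22 10:02:15 gw kernel: FW-ACCEPT IN=eth0 OUT=eth1 SRC=198.51.100.5 DST=172.30.50.11 PROTO=TCP SPT=50000 DPT=3389
Oct 22 10:02:40 gw kernel: FW-ACCEPT IN=eth0 OUT=eth1 SRC=198.51.100.90 DST=172.30.50.11 PROTO=TCP SPT=50001 DPT=135
Oct 22 10:03:44 gw kernel: FW-DROP IN=eth1 OUT=eth0 SRC=172.30.50.12 DST=198.51.100.200 PROTO=TCP SPT=1045 DPT=445
Oct 22 10:04:01 gw kernel: FW-ACCEPT IN=eth1 OUT=eth0 SRC=172.30.50.12 DST=198.51.100.200 PROTO=TCP SPT=1046 DPT=80
this line is not a firewall record and is skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) kernel: "
    r"(?P<action>FW-(?:DROP|ACCEPT)) IN=(?P<in_if>\S*) OUT=(?P<out_if>\S*) "
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>TCP|UDP) "
    r"SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+)$"
)


def parse_line(line):
    """Return a dict for one firewall record, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["spt"] = int(rec["spt"])
    rec["dpt"] = int(rec["dpt"])
    return rec


def analyze(log_text, wan_if="eth0"):
    """Summarise NetBIOS/SMB activity seen at the gateway.

    Returns a dict with:
      inbound_probes:   Counter of Internet sources that hit the blocked ports
      rule_gaps:        inbound hits on those ports that were ACCEPTED
      outbound_sharing: LAN hosts trying to reach those ports on the Internet
                        (typical of worms or misconfigured file sharing)
    """
    inbound_probes = Counter()
    rule_gaps = []
    outbound_sharing = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["dpt"] not in NETBIOS_SMB_PORTS:
            continue
        if rec["in_if"] == wan_if:
            inbound_probes[rec["src"]] += 1
            if rec["action"] != "FW-DROP":
                rule_gaps.append((rec["src"], rec["dst"], rec["proto"], rec["dpt"]))
        elif rec["out_if"] == wan_if:
            outbound_sharing.append((rec["src"], rec["dst"], rec["proto"], rec["dpt"]))
    return {
        "inbound_probes": inbound_probes,
        "rule_gaps": rule_gaps,
        "outbound_sharing": outbound_sharing,
    }


def report(result):
    """Render the analysis as the kind of summary a daily log review would read."""
    lines = ["Inbound probes of NetBIOS/SMB ports (dropped or not), by source:"]
    for src, n in result["inbound_probes"].most_common():
        lines.append(f"  {src:<16} {n}")
    lines.append(f"Accepted inbound hits on blocked ports (rule gaps): {len(result['rule_gaps'])}")
    for src, dst, proto, dpt in result["rule_gaps"]:
        lines.append(f"  {src} -> {dst} {proto}/{dpt}")
    lines.append(f"LAN hosts reaching out to NetBIOS/SMB on the Internet: {len(result['outbound_sharing'])}")
    for src, dst, proto, dpt in result["outbound_sharing"]:
        lines.append(f"  {src} -> {dst} {proto}/{dpt}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(analyze(SAMPLE_LOG)))
```

Pointing `analyze()` at a real syslog file is a matter of reading the file into `log_text`; the regular expression is the only part tied to the assumed log format and is what you would adapt for a different router's syntax. The accepted inbound hit on port 135 in the sample is the case worth acting on first, since it means the filtering rules do not match what the article recommends.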

The DMZ (Demilitarized Zone)

On a properly designed enterprise network, you will often find a DMZ in place. The purpose of a DMZ is to segment the network between heavily accessed, public boxes, and sensitive internal systems. Web, FTP, and Mail servers are commonly found in a DMZ, while Database and Middleware servers remain in the safety of the internal network.

A DMZ is generally separated from the Internal network using a firewall. You can use separate, discrete firewalls for each protected segment, or just use different interfaces on a single firewall. Both methods have their PROs and CONs.  Smaller environments are more apt to use a single firewall with multiple interfaces, than are larger organizations.

Most broadband routers/firewalls have a DMZ feature which allows you to place a single host completely outside the protection of the firewall. This is done for compatibility with games or other apps that might not be appreciative of the router's NAT functionality. This is very different from an enterprise-level DMZ, in that (with the router) there is absolutely no protection for the host in question.

Hosting Network Apps Through Firewalls

You'll also want to familiarize yourself with the ports of various applications and services, such that you can provide those services to machines running on your network behind NAT or firewalls.

Generally speaking, systems behind a NAT can initiate connections to services on other systems with public IPs, but they cannot receive service requests from the Internet without the use of Port Mapping or Port Forwarding. The more robust broadband routers and firewalls use a technique called Port Forwarding to allow a TCP or UDP port on your Public IP to be directed to a specific machine inside your network. This facilitates running an FTP or Web server behind a NAT, for example.

Essentially, port forwarding works as follows: You tell the firewall to accept traffic from specific ports on the external IP address, and pass it through to the same port number of a specific internal IP address.

Here's an example for allowing Remote Desktop (or Terminal Services) traffic into your network:

64.x.x.x:3389 mapped to 172.30.50.11:3389

If you have an application that you want to map to multiple clients on your LAN, you will need to map multiple external ports to internal ones.

64.x.x.x:3389 mapped to 172.30.50.11:3389
64.x.x.x:3390 mapped to 172.30.50.12:3389
64.x.x.x:3391 mapped to 172.30.50.13:3389
64.x.x.x:3392 mapped to 172.30.50.14:3389

The application in question must support choosing a port from the client side, or this won't work. Also, this type of functionality generally requires that you use static IP addresses or reserved DHCP addresses.
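The port-forwarding behaviour described above, as an added example that is not part of the original article: a model of a broadband router's forwarding table that builds the four-client Remote Desktop mapping, translates inbound packets the way the router would, drops anything with no mapping, refuses to map the same external port twice, and checks (using the RFC 1918 ranges from the Internet Connectivity section) that targets are LAN addresses and that the WAN address is not one. The public address 203.0.113.10 is a constructed documentation address standing in for the article's 64.x.x.x; the class and function names are this example's own.

```python
import ipaddress

# RFC 1918 private ranges, as listed in the Internet Connectivity section.
RFC1918_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def is_rfc1918(addr):
    """True if addr falls in a private range (so it is not routable on the Internet)."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918_NETWORKS)


class PortForwarder:
    """A model of a broadband router's port-forwarding table.

    Keys are (protocol, external port); values are (internal IP, internal port).
    A real router applies the same rule to packets arriving on the WAN
    interface and rewrites the destination before routing into the LAN.
    """

    def __init__(self, public_ip):
        if is_rfc1918(public_ip):
            raise ValueError(f"{public_ip} is private; the WAN side needs the ISP-provided IP")
        self.public_ip = public_ip
        self.table = {}

    def add(self, proto, external_port, internal_ip, internal_port=None):
        """Map public_ip:external_port to internal_ip:internal_port (same port by default)."""
        proto = proto.upper()
        if proto not in ("TCP", "UDP"):
            raise ValueError("port forwarding applies to TCP or UDP")
        if not 1 <= external_port <= 65535:
            raise ValueError("port out of range")
        if not is_rfc1918(internal_ip):
            raise ValueError(f"{internal_ip} is not an RFC 1918 address; targets must be LAN hosts")
        key = (proto, external_port)
        if key in self.table:
            # One external port can only go to one host, which is why the
            # article maps four different external ports for four RDP clients.
            raise ValueError(f"{proto}/{external_port} is already mapped to {self.table[key]}")
        self.table[key] = (internal_ip, external_port if internal_port is None else internal_port)

    def translate(self, proto, dst_ip, dst_port):
        """Destination of an inbound packet after NAT, or None if it is dropped.

        A port with no mapping has no LAN recipient: the 'cannot receive
        service requests' case described above.
        """
        if dst_ip != self.public_ip:
            return None
        return self.table.get((proto.upper(), dst_port))


def rdp_to_four_clients(public_ip="203.0.113.10"):
    """The article's Remote Desktop example: four external ports, one per LAN host.

    203.0.113.10 is a constructed documentation address standing in for the
    article's 64.x.x.x; the LAN hosts are the article's 172.30.50.11-14.
    """
    fw = PortForwarder(public_ip)
    for external_port, host in zip(range(3389, 3393), range(11, 15)):
        fw.add("tcp", external_port, f"172.30.50.{host}", 3389)
    return fw


if __name__ == "__main__":
    fw = rdp_to_four_clients()
    for port in (3389, 3390, 3393):
        print(f"TCP {fw.public_ip}:{port} -> {fw.translate('tcp', fw.public_ip, port)}")
```

The `translate()` result for port 3393 is `None`, which is the behaviour you want from a router: anything not explicitly forwarded has nowhere to go inside the LAN. The duplicate-mapping check is the reason a second RDP client needs its own external port, and the RFC 1918 check catches the common mistake of typing the public address where the LAN host belongs.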


IDENTIFYING PORTS

You will need to identify which ports are needed for each application that you wish to support. For most common services, a Google search (or the vendor of the application) will produce a fast answer.

Or, if you're feeling especially brave, you can open up all ports and log the traffic that is generated by the application.  Generally, this is NOT advisable, as it only takes a few moments of exposure for your system to be compromised.

Getting Your Own Domain

In order to set yourself up with a permanent name on the Internet, and facilitate email and web hosting, you can obtain your very own domain name.

Verisign is probably the most popular registrar (having purchased NetworkSolutions) but they are hardly the best in terms of service or price. Here are some other registrars which make it simple and easy to get a domain name, along with other hosting services, for a very good price:

Determine Your ISP-Provided IP Address

Use the following website to determine what your external IP address is at any time:

If you have a dynamic ISP-provided address, yet you wish to have an easy way to reach your systems from a remote network, you should make use of one of the many dynamic IP naming services:

Copyright (c) 1996-2007, BrainWave Consulting Company, LLC
All Rights Reserved
This site was last modified on August 12, 2007 at 08:00 PM