Last updated:
22 October 2006;
Supplements this
Knowledgebase Article.
Providing Internet Connectivity
Through A Shared Connection
These days, many homes have more than one computer, and most of these users will want all of their machines to share a single Internet connection. If you are one of them, the guidelines below will help you configure a Windows-based (or predominantly Windows-based) network and share the connection. This document focuses on connectivity via hubs or switches, as opposed to a cross-over cable between two systems.
Here is an overview of the issues covered in
this document:

When deploying an Internet gateway for a Windows-based network, you have at least the following options:
| Gateway Category | Product Examples |
| NAT software | ICS, RRAS, WinRoute Pro |
| Proxy software | MSProxy, WinGate, WinProxy, AnalogX, Squid |
| Broadband Router | LinkSys, SMC, Netgear, D-Link |
| OS-based Firewall | ISA, CheckPoint, Raptor |
| Hardware Appliance | Nokia, Netscreen, Bivio, Pix, SonicWall, WatchGuard |
| Open Source FW | Linux/IPChains, Linux/IPTables, OpenBSD/PF |
This list is loosely in order of increasing
flexibility. There are some exceptions as you will see in the rest of the
document. Your choice of firewall or gateway
equipment will depend on a wide variety of criteria, including cost,
space, power consumption and configuration complexity.
Your basic consumer-level router/firewall appliance (generally referred to as a Broadband Router) will allow you to share one IP address from your ISP among up to 254 internal IP addresses of your choosing (one /24 subnet). For most home users, this is more than adequate. However, if your ISP provides you with 2 or more external IPs, these low-end appliances typically don't let you use the extra addresses. Higher-end devices from Netscreen, SonicWall, WatchGuard and others allow you to share any number of external IP addresses among any number of internal hosts. This can also be accomplished with some of the higher-end software products such as WinRoute, or with any Linux/BSD solution. These products also differ from the broadband routers in that they can regulate outbound traffic as well as inbound traffic, reducing the need to run a desktop firewall on each machine that resides behind the primary network firewall.

Each of these devices plays a particular
role in the formation of networks.
HUBS and SWITCHES allow systems
to speak to each other and form a local area network. The difference
between a hub and a switch is that all systems connected to a hub must
share the bandwidth of the hub, and can see traffic destined for all
systems on that hub. On the other hand, a switch provides dedicated bandwidth to each
system and allows them to see only the traffic that is destined for
them. Think of a Hub as a walkie-talkie, and a Switch as a telephone.
A
ROUTER is used to provide connectivity between two
separate networks -- a common example being the connectivity between a
LAN and the Internet.
A BRIDGE is a device that allows you to extend
one network to encompass other systems that would normally be
considered a separate network. As an example, most broadband (Cable/DSL)
modems extend the ISP's network into your house -- until you stick a
router/firewall between the modem and your LAN. Another example of a
BRIDGE would be Wireless Access Points.
- HUB/SWITCH ........ Connects machines together to form a LAN.
- ROUTER ............ Connects two different networks together.
- BRIDGE ............ Allows two networks to act as a single network.
- BROUTER ........... Combines BRIDGE and ROUTER functionality.

This subject is addressed at length
here.

Network Address Translation (NAT) will allow all of your systems to share one or more ISP-provided IP addresses to connect to the Internet (or another network). This can be done with hardware or software, as appropriate.
According to RFC 1918, the following address blocks are set aside for private networks:
- 192.168.0.0/16 (192.168.0.0 - 192.168.255.255)
- 172.16.0.0/12 (172.16.0.0 - 172.31.255.255)
- 10.0.0.0/8 (10.0.0.0 - 10.255.255.255)
These addresses are not routed on the public Internet, which is why they are safe to use inside: nothing outside can address your machines directly, and the NAT device rewrites them to its public address on the way out.
And here is the equipment you will need to get started:
- Two or more computers
- Network cards for each system (wired or wireless)
- Extra network card for the gateway system (unless using a router or firewall appliance)
- One hub or switch (or router with integrated switch)
- CAT5 (or better) cable for each wired system
- Extra CAT5 cable for connecting the gateway device to the ISP
- Wireless access point (optional)
The diagrams below represent the most popular configurations for connecting a LAN to the Internet. In Diagram 1, the LAN is an extension of the ISP's network (bridged) and uses IP addresses provided by the ISP. In Diagrams 2, 3 and 4, the local network uses the 172.30.50.x range of private addresses (part of the 172.16.0.0/12 block above). Finally, Diagram 5 outlines a site-to-site VPN between two offices.

LAN to Internet Connectivity via Hub and Cross-over
CAT5 Cable
Diagram #1 below.
This configuration is not very common anymore, as it relies on the ISP to provide multiple addresses via DHCP. It also puts your machines directly on the ISP's network, alongside everyone else who is configured the same way, so any neighbor on that segment can reach your systems directly. This is very unsafe unless every machine on your network is locked down with a personal firewall. Generally, this is the least desirable configuration.


LAN to
Internet Connectivity via NAT, Proxy or Firewall Software
Diagram #2 below.
This configuration is very common and inexpensive, as there are plenty of free NAT and proxy products available; ICS is also included with Windows 98SE and later. This option is great if you just want to get a number of machines online to surf and get email, but it is less flexible if you want to host services or games from your network (unless you go with Linux/BSD). As a reminder, NAT does provide a layer of security: it hides your internal addresses and, by itself, has nowhere to deliver an unsolicited inbound packet. But it is NOT a firewall. It does not inspect or restrict what your machines send out, and it forwards anything you choose to map through it. The primary exception is WinRoute Pro, which rivals the higher-end devices (and enterprise firewall software in general) in terms of flexibility and features, while costing far less.
This category of Internet connectivity options also includes Linux and BSD-based firewalls, which can be obtained for free. There are a number of Linux distributions that are firewall-only, such as IPCop, SmoothWall and Coyote Linux. One drawback common to all the products in this diagram is that the machine sharing the connection must always be running.


LAN to Internet Connectivity via Firewall Appliance or
Broadband Router
Diagram #3 below.
This configuration is becoming increasingly common as broadband routers and higher-end firewall appliances come down in price. Among the many benefits of these products are a small footprint, low power consumption, more extensive firewall protection, and the ability to host services from your LAN. Be sure that any broadband router you consider has actual firewall features (stateful tracking of connections, outbound rules, logging) and not just NAT. The higher-end firewall appliances also support VPNs (Virtual Private Networks). Their flexibility is exceeded only by the open source firewall products, which run on a full PC whose size and power requirements can often offset their lower cost. Great for small to medium offices.


LAN to Internet Connectivity with Active Directory Domains
Diagram #4 below.
This configuration is almost identical to #2 and #3, but with special emphasis on the DNS settings for an Active Directory domain. It is imperative that the server and clients in such a configuration be set up to point to the Active Directory server for DNS, and that the server be configured to use the ISP's DNS via forwarders (if at all). Clients must not list the ISP's DNS servers directly: the SRV records that locate domain controllers exist only in the Active Directory zone, and a client that asks the ISP's resolver for them will fail to log on or join the domain.


Site-To-Site VPN
Connectivity
between two Offices
Diagram #5 below.
This configuration is not a typical Internet Connectivity
diagram. Instead, it shows how you might connect two small offices together with
a VPN, rather than using a dedicated leased line.
Look for a separate VPN document shortly...


The need for security on the Internet is not
always understood or accepted. As such, it is addressed
here in greater detail.
If you have a Windows machine as the gateway or router, be sure that you unbind NetBIOS from the external-facing NIC (the NIC that is connected to your broadband modem, not the NIC which has an internal IP address). In Windows 2000 and later, this is found on the WINS tab under the "Advanced TCP/IP" properties of that connection: select "Disable NetBIOS over TCP/IP". While you are in that adapter's properties, also clear "File and Printer Sharing for Microsoft Networks" and "Client for Microsoft Networks" so that neither is bound to the external NIC.
Windows Server 2003 with Service Pack 1 provides additional tools such as the Security Configuration Wizard (SCW).

MULTIPLE PROTOCOLS
For the most part, the fewer protocols you install on your systems, the less you expose yourself to certain network configuration issues. There are a few instances, however, where an extra protocol can be useful.
Without some sort of NAT or Proxy between you and your ISP, your network is readily exposed to any of your neighbors with a similar configuration (which will be many of them). If you connect multiple machines to your ISP via a hub or a switch, but without a firewall/router, then you should consider installing a second protocol on your systems (e.g. IPX or NetBEUI) for local file sharing and then disabling all file-sharing capabilities over TCP/IP. Neither of those protocols is carried across the Internet, which is exactly why they are safer for sharing in this setup.
In addition to disabling NetBIOS over TCP/IP, all Internet traffic to or from the following ports should be blocked with a personal firewall:
TCP/UDP 135, 137-139, 445
All in all, it is still better to deploy a network router/firewall and go with a TCP/IP-only network.

PERSONAL FIREWALLS
Make use of personal and/or network firewalls, and be sure to configure auditing and file/share-level permissions for all your resources.
Most broadband routers have firewalls that will only protect you from unsolicited inbound traffic. They won't, however, alert you to, or protect you from, spyware or other apps that you've downloaded and knowingly or unwittingly installed, since those connect outward from inside your network. So, if you're not using a high-end firewall that can regulate traffic in both directions, it is advisable to install a personal firewall on your system(s).
Antivirus protection is a very important part of network security, and bears mentioning here, particularly since worms and trojans can spread more quickly through a network than between stand-alone systems.

VPNs & REMOTE ACCESS
If you (or anyone else) need connectivity to your network from a remote location, you should consider using a VPN rather than opening up your systems directly to the Internet. The easier you make it for someone to connect remotely, the easier it is for anyone with a port scanner and too much idle time on their hands.

AUDITING & LOGGING
Auditing is a very important part of security and should not be overlooked, even on a stand-alone home system.
If your router software/hardware supports it, set up a syslog server and process the messages from your router or firewall. It doesn't make any sense to collect the information if you're not looking at it and taking appropriate action.
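As an added example of processing those messages rather than merely collecting them (this script is not from the original article and not part of any product named above): a small triage script for drop messages from a Linux/iptables gateway whose drop rules use `-j LOG --log-prefix "FW-DROP "`. The log sample is constructed for the example and uses the documentation address ranges; the FW-DROP prefix and the WAN interface name eth0 are assumptions, while the SRC= and DPT= field layout is that of the kernel's iptables LOG target. It summarises who is hitting which port, and separately flags sources probing the Windows file-sharing ports from the previous section and RFC 1918 sources that should never arrive from the ISP side.

```sh
#!/bin/sh
# Added example: triage of firewall drop messages collected on a syslog server.
# Constructed sample input (not real traffic); addresses are from the
# documentation ranges 198.51.100.0/24 and 203.0.113.0/24.
WAN="${WAN:-eth0}"   # assumed name of the interface facing the ISP

SAMPLE_LOG='Oct 22 20:15:01 gw kernel: FW-DROP IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.2 LEN=48 PROTO=TCP SPT=4321 DPT=445 SYN
Oct 22 20:15:02 gw kernel: FW-DROP IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.2 LEN=48 PROTO=TCP SPT=4322 DPT=139 SYN
Oct 22 20:15:03 gw kernel: FW-DROP IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.2 LEN=48 PROTO=TCP SPT=4323 DPT=445 SYN
Oct 22 20:15:04 gw kernel: FW-DROP IN=eth0 OUT= SRC=198.51.100.77 DST=198.51.100.2 LEN=48 PROTO=TCP SPT=1234 DPT=3389 SYN
Oct 22 20:15:05 gw kernel: FW-DROP IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.2 LEN=48 PROTO=TCP SPT=4324 DPT=445 SYN
Oct 22 20:15:06 gw dhclient: bound to 198.51.100.2 -- renewal in 1800 seconds.
Oct 22 20:15:07 gw kernel: FW-DROP IN=eth0 OUT= SRC=192.168.1.50 DST=198.51.100.2 LEN=60 PROTO=UDP SPT=137 DPT=137'

# Read log lines on stdin; print "count source dport" for every dropped
# packet, busiest source/port pair first.  Non-firewall lines are ignored.
drop_summary() {
    awk '
        /FW-DROP/ {
            src = ""; dpt = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/) src = substr($i, 5)
                if ($i ~ /^DPT=/) dpt = substr($i, 5)
            }
            if (src != "" && dpt != "") count[src " " dpt]++
        }
        END { for (k in count) print count[k], k }
    ' | sort -k1,1nr -k2,2 -k3,3n
}

# Sources worth a second look: anything probing the Windows file-sharing ports
# (135, 137-139, 445) and any RFC 1918 source address arriving on the WAN side,
# which is either spoofed or leaking from a neighbour and should never occur.
flag_sources() {
    awk -v wan="$WAN" '
        function rfc1918(ip) {
            return ip ~ /^10\./ || ip ~ /^192\.168\./ || ip ~ /^172\.(1[6-9]|2[0-9]|3[01])\./
        }
        /FW-DROP/ && $0 ~ ("IN=" wan " ") {
            src = ""; dpt = 0
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/) src = substr($i, 5)
                if ($i ~ /^DPT=/) dpt = substr($i, 5) + 0
            }
            if (src == "") next
            if (dpt == 135 || (dpt >= 137 && dpt <= 139) || dpt == 445) smb[src] = 1
            if (rfc1918(src)) bogon[src] = 1
        }
        END {
            for (s in smb)   print s, "netbios/smb probe"
            for (s in bogon) print s, "rfc1918 source on wan"
        }
    ' | sort
}

# Run directly, the script works on the embedded sample.  On a real syslog
# server you would feed it the collected file instead, e.g.
#   grep FW-DROP /var/log/messages | drop_summary
printf '%s\n' "$SAMPLE_LOG" | drop_summary
printf '%s\n' "$SAMPLE_LOG" | flag_sources
```

The two awk passes are kept separate on purpose: the summary is what you skim every day, while the flag list is the short set of addresses that justify action (a complaint to the ISP, a rule change, or a look at a neighbouring machine that is spraying NetBIOS traffic).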
Also, use strong passwords and change them frequently; once every 45 days is reasonable. Don't use the same passwords on your network that you use on websites.
Periodically scan your own network with security tools to ensure that everything you want protected is still protected adequately. If you decide to use external parties to probe your network, be sure to use reputable organizations; otherwise, they could use what they learn to cause you grief later.

On a properly designed enterprise
network, you will often find
a DMZ in place. The purpose of a DMZ is
to segment the network between heavily accessed, public boxes, and
sensitive internal systems. Web, FTP, and Mail servers are commonly found
in a DMZ, while Database and Middleware servers remain in the safety
of the internal network.
A DMZ is generally separated from the
Internal network using a firewall. You can use separate, discrete
firewalls for each protected segment, or just use different interfaces on
a single firewall. Both methods have their PROs and CONs. Smaller
environments are more apt to use a single firewall with multiple interfaces,
than are larger organizations.
Most broadband routers/firewalls have a "DMZ" feature which allows you to place a single host completely outside the protection of the firewall. This is done for compatibility with games or other apps that don't tolerate the router's NAT functionality. It is very different from an enterprise-level DMZ: the router simply forwards every unsolicited inbound packet to that one host, so there is absolutely no protection for the host in question.

You'll also
want to familiarize yourself with the ports of various applications and
services, such that you can provide those services to machines running on
your network behind NAT or firewalls.
Generally speaking, systems behind a NAT can initiate connections to services on other systems with public IPs, but they cannot receive connection requests without the use of Port Mapping or Port Forwarding. The more robust broadband routers and firewalls use a technique called Port Forwarding to direct a TCP or UDP port on your public IP to a specific machine inside your network. This makes it possible to run an FTP or Web server behind a NAT, for example.
Essentially, port forwarding works as follows: you tell the firewall to accept traffic to specific ports on the external IP address and pass it through to a port (usually, but not necessarily, the same number) on a specific internal IP address.
Here's an example for allowing Remote Desktop (or Terminal Services) traffic into your network:
64.x.x.x:3389 mapped to 172.30.50.11:3389
If you have an application that you want to map to multiple clients on your LAN, you will need to map multiple external ports to internal ones:
64.x.x.x:3389 mapped to 172.30.50.11:3389
64.x.x.x:3390 mapped to 172.30.50.12:3389
64.x.x.x:3391 mapped to 172.30.50.13:3389
64.x.x.x:3392 mapped to 172.30.50.14:3389
The application in question must support choosing a port from the client side (for Remote Desktop, mstsc /v:64.x.x.x:3390), or this won't work. Also, this type of functionality generally requires that you use static IP addresses or DHCP reservations for the internal hosts, since each forwarding rule points at a fixed address. Bear in mind the earlier advice on remote access: every port you forward is reachable by anyone who scans for it, so forward only what you must and prefer a VPN for administrative access such as Remote Desktop.
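To make the NAT-versus-firewall distinction and the port-forwarding table above concrete, here is an added example (not from the original article, and not any vendor's product) for the Linux/IPTables option listed in the gateway table. It assumes a Linux gateway with iptables, a WAN interface eth0 holding the ISP address, a LAN interface eth1 on 172.30.50.0/24, the four Remote Desktop mappings above, and a FW-DROP log prefix; the interface names, the outbound service list and the prefix are assumptions. The script prints the rules instead of applying them so you can review the ruleset before piping it to sh on the gateway.

```sh
#!/bin/sh
# Added example: iptables rule generator for a Linux gateway that shares one
# public address.  Interface names and the LAN subnet are assumptions; override
# them in the environment.  The script prints the commands rather than running
# them, so you can review the ruleset before piping it to sh on the gateway.
WAN="${WAN:-eth0}"                  # NIC connected to the broadband modem
LAN="${LAN:-eth1}"                  # NIC connected to the hub/switch
LANNET="${LANNET:-172.30.50.0/24}"  # private range used in the diagrams

# Port-forward table from the text: external port, internal host, internal port.
# External ports differ per host because RDP on every box listens on 3389.
FORWARDS='
3389 172.30.50.11 3389
3390 172.30.50.12 3389
3391 172.30.50.13 3389
3392 172.30.50.14 3389
'

# Address translation alone.  Inside hosts are hidden behind the public IP, but
# nothing here limits what they may send out or what may be mapped in: this is
# NAT, not a firewall.
nat_only_rules() {
    echo "iptables -t nat -A POSTROUTING -o $WAN -s $LANNET -j MASQUERADE"
}

# Stateful filtering on top of the translation: default-deny on the forwarding
# path and on the gateway itself, replies allowed, outbound limited to the
# services a surf-and-email LAN needs, and RFC 1918 sources from the ISP side
# dropped as spoofed, since they can never legitimately arrive from the Internet.
firewall_rules() {
    echo "iptables -P INPUT DROP"
    echo "iptables -P FORWARD DROP"
    echo "iptables -A INPUT -i lo -j ACCEPT"
    echo "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A INPUT -i $LAN -s $LANNET -j ACCEPT"
    for net in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16; do
        echo "iptables -A INPUT -i $WAN -s $net -j DROP"
        echo "iptables -A FORWARD -i $WAN -s $net -j DROP"
    done
    echo "iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"
    for svc in "udp 53" "tcp 53" "tcp 80" "tcp 443" "tcp 25" "tcp 110" "tcp 143"; do
        proto=${svc%% *}
        port=${svc##* }
        echo "iptables -A FORWARD -i $LAN -o $WAN -s $LANNET -p $proto --dport $port -j ACCEPT"
    done
}

# Port forwarding: rewrite the destination of an unsolicited inbound connection
# to the mapped internal host, then explicitly allow that NEW connection through
# the default-deny FORWARD chain.  Without the second rule the DNAT is useless.
port_forward_rules() {
    printf '%s\n' "$FORWARDS" | while read -r ext host int; do
        [ -n "$ext" ] || continue
        echo "iptables -t nat -A PREROUTING -i $WAN -p tcp --dport $ext -j DNAT --to-destination $host:$int"
        echo "iptables -A FORWARD -i $WAN -o $LAN -p tcp -d $host --dport $int -m state --state NEW -j ACCEPT"
    done
}

# Whatever reaches the end of a chain is logged before the DROP policy eats it;
# the FW-DROP prefix is what a syslog triage script can key on.
log_rules() {
    echo "iptables -A INPUT -j LOG --log-prefix \"FW-DROP \""
    echo "iptables -A FORWARD -j LOG --log-prefix \"FW-DROP \""
}

# Full ruleset: flush, filter, forward, translate, log, and only then route.
emit_ruleset() {
    echo "iptables -F"
    echo "iptables -t nat -F"
    firewall_rules
    port_forward_rules
    nat_only_rules
    log_rules
    echo "sysctl -w net.ipv4.ip_forward=1"
}

emit_ruleset
```

The point of splitting nat_only_rules from firewall_rules is the distinction the text draws: the MASQUERADE line alone is what a "NAT but no firewall" product gives you, and the outbound allow list plus the default-deny FORWARD policy is the part that makes it a firewall. Note that every forwarded RDP port is a NEW-connection hole punched through that policy, which is why the text recommends a VPN for remote administration.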
IDENTIFYING PORTS
You will need to identify which ports are needed for each
application that you wish to support. For most common services, a
google
search (or the vendor of the application) will produce a fast answer.
Or, if you're feeling especially brave, you can open up all ports and
log the traffic that is generated by the application. Generally, this
is NOT advisable, as it only takes a few moments of exposure for your system to
be compromised.

In order to set yourself up with a permanent name on the
Internet, and facilitate email and web hosting, you can obtain your very own
domain name.
Verisign is probably the most popular registrar (having
purchased NetworkSolutions) but they are hardly the best in terms of service
or price. Here are some other registrars which make it simple and easy to
get a domain name, along with other hosting services, for a very good price:

Use the following website to determine what your external
IP address is at any time:
If you have a dynamic ISP-provided address, yet you wish
to have an easy way to reach your systems from a remote network, you should
make use of one of the many dynamic IP naming services:


Related Knowledgebase Articles
