Before we discuss the services and devices that are used to connect LANs and WANs to the Internet, we will first have a look at why we need such services. As you know, corporate LANs and WANs use private address ranges, and the Internet uses public address ranges. This means that every IP address on the Internet is unique, while the addresses used in corporate networks are reused many times over. For example, the private class A network 10.0.0.0 can be used at both company A and company B, while both their networks need to be connected to the Internet.
In this context, there are two main types of connections: routed and translated. In a routed network, every IP address must be unique. If, in the example above, both company A and company B had a routed connection to the Internet, their internal addresses would be advertised on the Internet, resulting in conflicting duplicate IP addresses. To avoid this, companies could register public addresses and use them for their internal hosts. However, this would be very expensive, and there are simply not enough available public IP addresses to make every corporate LAN/WAN part of the same WAN (the Internet). The solution to this is a translated connection, which can be accomplished by using Network Address Translation (NAT).
Network Address Translation (NAT)
Network Address Translation (NAT) is used to translate public IP addresses to private and vice versa and is typically configured on access routers and firewalls that connect home and office networks to the Internet. These networks use IP addresses from the private address ranges and therefore cannot have a routed connection to the Internet. NAT translates network addresses, thus it operates at the Network layer (Layer 3) of the OSI model.
A common type of NAT is dynamic NAT, in which case the router maintains a list of internal addresses and a list of external addresses that are dynamically mapped to each other. When a client from an internal network communicates with a web server on the Internet, the NAT router changes the source IP address in the header of the IP packet. The source address is changed from the internal client's IP address to the public IP address of the router's external interface. For the web server, the packets appear to be coming from the NAT router, hence that is where it sends the replies with the requested data. The NAT router in turn forwards the replies to the client that initially made the request.
With static NAT, the router is configured with an address table. This table contains static entries that map public addresses to local addresses. Static NAT entries are typically used when a web or mail server resides on the internal LAN. The clients and servers on each side of the router are not aware of the translation process and do not require any additional software. A NAT router is typically also a DHCP server and DNS proxy for its internal clients. Besides using NAT on routers connected to the Internet, NAT is also used in corporate WANs when multiple LANs use the same IP subnet. NAT offers some security as well, because only a single public IP address needs to be visible to external hosts, while the internal network addressing scheme can remain hidden.
Instead of using a list of internal and external addresses, a single external address can be used by changing the source port, which is essentially part of the complete address known as a socket (the combination of an IP address and a port number). This is also known as Port Address Translation (PAT).
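The PAT behaviour described above, as an added example that is not part of the original page: a minimal translation table that rewrites the source socket of outbound packets to the router's single public address, maps replies back to the originating internal client, and drops inbound packets for which no translation entry exists (which is the "hidden internal addressing" property mentioned earlier). All addresses are constructed sample values.

```python
# Added example (not from the original page): a minimal Port Address
# Translation (PAT) table. Addresses are constructed sample values from
# private (RFC 1918) and documentation (RFC 5737) ranges.
from dataclasses import dataclass, replace
from typing import Dict, Optional, Tuple

PUBLIC_IP = "203.0.113.1"   # constructed: the router's external interface


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class PatRouter:
    """Rewrite outbound source sockets to (PUBLIC_IP, allocated port) and
    map replies back; inbound packets without a table entry are dropped."""

    def __init__(self, first_port: int = 1024) -> None:
        self.next_port = first_port
        # (internal_ip, internal_port) -> external port
        self.out_table: Dict[Tuple[str, int], int] = {}
        # external port -> (internal_ip, internal_port)
        self.in_table: Dict[int, Tuple[str, int]] = {}

    def outbound(self, pkt: Packet) -> Packet:
        """Translate a packet leaving the LAN; allocate a port on first use."""
        key = (pkt.src_ip, pkt.src_port)
        if key not in self.out_table:
            ext_port = self.next_port
            self.next_port += 1
            self.out_table[key] = ext_port
            self.in_table[ext_port] = key
        return replace(pkt, src_ip=PUBLIC_IP, src_port=self.out_table[key])

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Translate a packet arriving from the Internet, or drop it (None)
        when it is not a reply to a translated outbound packet."""
        entry = self.in_table.get(pkt.dst_port) if pkt.dst_ip == PUBLIC_IP else None
        if entry is None:
            return None
        int_ip, int_port = entry
        return replace(pkt, dst_ip=int_ip, dst_port=int_port)
```

Two internal clients that happen to use the same source port receive different external ports, which is what lets one public address serve the whole LAN.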
A firewall is a hardware device or software application on a computer that protects private networks from unauthorized external intruders. A firewall filters both inbound and outbound traffic by checking whether it meets certain criteria. The most common firewall operates at the Network layer and is known as a packet filter. The criteria for blocking or forwarding packets are typically source and destination addresses and the TCP/UDP port numbers. For example, you can configure a packet filter, also known as an access control list, on a router that connects to the Internet to allow port 25 for inbound and outbound SMTP traffic but deny port 110 to block POP3 traffic. Because packet filtering firewalls inspect only the header of packets, they have little impact on network performance. Most operating systems and routers include packet filter options, which makes packet filters inexpensive to implement.
The following network diagram shows a simple firewall setup. All outbound and inbound traffic must be authorized by the firewall before it can pass. The firewall can be a dedicated hardware device with two network interfaces, or a computer with two NICs running firewall software. The latter is also known as a multi-homed firewall.
The higher in the OSI model a firewall operates, the more advanced criteria it can use. Application layer firewalls are able to inspect traffic all the way up to layer 7 of the OSI model. This means they do not only inspect the header of a packet, but also the data payload, allowing you to set criteria for applications without allowing or denying them entirely. Another type of firewall is the circuit-level firewall, which operates at the Transport layer of the OSI model. This firewall checks whether the TCP and UDP messages used to establish a connection meet certain criteria. Once a connection is established (i.e. the TCP handshake completed successfully), traffic can pass the firewall without further checking. A newer and more advanced type of firewall, the stateful firewall, can use more advanced criteria than a simple packet filter, and it is aware of the state of connections. For example, if an internal client initiates an HTTP connection to a web server on the Internet, and the firewall blocks inbound HTTP traffic, it will still allow the HTTP reply to the client, as the firewall 'knows' it is part of an established session.
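The access list from the packet filter paragraph (allow TCP/25, deny TCP/110) combined with the stateful rule just described, as an added example that is not part of the original page: inbound HTTP to internal hosts is denied, but the reply to an HTTP session opened from the inside is admitted because the firewall remembers the session. The internal prefix and all addresses are constructed sample values.

```python
# Added example (not from the original page): a small stateful packet
# filter. Rules and addresses are constructed for illustration.
from typing import Set, Tuple

INTERNAL_PREFIX = "10.0.0."   # constructed: the private LAN behind the firewall

# A flow is identified by (src_ip, src_port, dst_ip, dst_port)
Flow = Tuple[str, int, str, int]


class StatefulFilter:
    def __init__(self) -> None:
        self.established: Set[Flow] = set()   # sessions opened through the firewall

    @staticmethod
    def is_internal(ip: str) -> bool:
        return ip.startswith(INTERNAL_PREFIX)

    def check(self, src_ip: str, src_port: int, dst_ip: str, dst_port: int) -> str:
        """Return 'allow' or 'deny' for one TCP packet header."""
        flow: Flow = (src_ip, src_port, dst_ip, dst_port)
        reverse: Flow = (dst_ip, dst_port, src_ip, src_port)

        # Stateful rule: a reply belonging to a session we already let
        # through is allowed regardless of the static rules below.
        if reverse in self.established:
            return "allow"

        # Static access list: POP3 denied in both directions.
        if src_port == 110 or dst_port == 110:
            return "deny"

        # Static access list: SMTP allowed inbound and outbound; remember it.
        if dst_port == 25:
            self.established.add(flow)
            return "allow"

        # HTTP: only sessions opened by an internal client towards an
        # external server are allowed; unsolicited inbound HTTP is denied.
        if dst_port == 80:
            if self.is_internal(src_ip) and not self.is_internal(dst_ip):
                self.established.add(flow)
                return "allow"
            return "deny"

        # Default policy: deny anything not explicitly allowed.
        return "deny"
```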
The next network diagram shows a firewall configuration with a demilitarized zone (DMZ). The hosts in the DMZ are typically web servers, e-mail servers, and the like, and are accessible to both internal and external users. This allows users on the Internet to access the servers without accessing the organization's internal network. Although the servers in the DMZ can be accessed only through the firewall, the rules for the DMZ are less strict than for the internal network, and the servers are reachable from the Internet; they should therefore be locked down and hardened.
Another common firewall configuration that creates a DMZ is the screened firewall shown in the following network diagram. This setup involves two firewalls of which the screening host is often a simple packet filter and the screened host a more advanced firewall. This is a more complicated and more expensive setup but can have a great impact on performance and security. The packet filter blocks the majority of invalid traffic and provides access to the servers in the DMZ, alleviating the workload for the screened firewall.
The word "proxy" can be defined as something or someone that impersonates some other thing or someone else. Or simply put: "something that acts on behalf of another". In the context relevant here, a proxy can be many things, the most common being the web proxy server. A proxy server is placed between the internal network and the Internet as depicted in the diagram below:
When a client from the internal network connects to an external resource and requests data, the proxy server pretends to be the client, retrieves the requested data, and passes it on to the client. This offers some level of protection because only the external public IP address of the proxy server is known on the external network. The main difference with NAT is that a proxy is asked to act on behalf of a client and makes the actual request to the web server itself. With NAT, the web server is merely fooled by changing the addressing information of packets. Additionally, NAT is transparent, which means the client doesn't know anything about the translation. To use a proxy server, however, the client application, such as a web browser, must support it.
Most proxy servers offer some sort of caching. For example, if the proxy server in the previous diagram is a web caching proxy, the proxy server could first check whether the data an internal client requests has previously been requested by another client. If that is the case, the proxy server would retrieve the data from its own hard disk instead of using the external connection. This can reduce traffic on expensive and relatively slow Internet connections. Following are the most common types of proxies:
HTTP Proxy - besides providing an anonymous appearance on the web and acting as an intermediate for clients, it also caches web content requested by clients.
DNS Proxy - caches DNS lookups initiated by clients. When an internal client needs to know the IP address for a domain name, e.g. www.techexams.net, it will send the request to the DNS Proxy (e.g. a NAT router), which will forward it to a DNS server on the Internet or retrieve the information from its cache if the address has been requested previously.
WINS Proxy - works similarly to a DNS Proxy, except that it forwards NetBIOS name lookups to a WINS server in a different subnet; it is used only in Microsoft networks.
SOCKS Proxy - SOCKS is a protocol that works with TCP/IP (hence also with HTTP, FTP, POP3, SMTP, NNTP, etc.), and provides secure and transparent communication between a client and a proxy server.
An HTTP Proxy is often used in combination with a SOCKS proxy. The HTTP Proxy handles requests for web pages, and the SOCKS proxy all other TCP/IP traffic, such as SMTP, POP3, and Telnet. Many companies today use proxy servers, and virtually every ISP provides one to its subscribers. There are also many public proxy servers available. These are intended for anonymous surfing rather than for improving speed through caching.
Internet Connection Sharing (ICS) allows multiple computers to share a single Internet connection and is included in several Windows versions. ICS is especially suitable for small home and small office networks. For example, in a small company with five employees who need regular access to the Internet, ICS would allow you to configure one client with a dial-up, cable or DSL connection, enable ICS, and share the connection between all five employees.
The computer with the shared Internet connection must have at least two network interfaces: the shared public interface that is connected to the Internet, and a private interface that is connected to the internal network. The computer with ICS enabled performs NAT, and acts as a DHCP server and DNS proxy for the other internal clients. This is at the same time a disadvantage of ICS, as there may already be a DHCP server in the LAN. Only IP addresses from the private IP Class C network 192.168.0.0 can be assigned to hosts in the internal network when using ICS. In Windows, ICS can be enabled on the Advanced tab of the Properties of the interface that connects to the Internet.
The technology of interconnecting web clients and servers, HTTP and HTML, is also suitable for use in networks with a less public nature than the Internet. The first use is an Intranet, which is a small private piece of 'Internet' that is accessible only to users within the organization. It is a very suitable medium to keep employees up to date with information about both the organization and its systems. Typical examples of information you can find on an Intranet are employee directories, emergency evacuation procedures, internal job vacancies, employee of the month articles, and other more or less useful information. Additionally, the Intranet can be used to keep employees informed about security related information, such as virus alerts, incident response policies, and acceptable use policies.
In its most basic form, an Intranet is a web server running a website or web application and is accessible only to users with a web browser in the company’s LAN or WAN. The more advanced implementations of an Intranet often use separate servers for backend operations, such as database servers. Protecting the servers that make up the Intranet is no different from protecting the rest of the internal network; they should not be accessible to anyone outside the company. Authentication of Intranet users should preferably occur automatically by using a single sign-on system. This means that the same user credentials used to access the file servers, email, and shared printers, should be used to authenticate the user. A typical example of this is a Microsoft Windows domain with IIS as the web server.
An Extranet is similar to an Intranet, but is accessible to two or more parties. When two companies or partners need to communicate and collaborate a lot, they may benefit from connecting their networks together. Instead of creating a direct connection, which would be objectionable from a security perspective, they create a network that is accessible from both companies' networks. Firewalls at the entry points ensure the extranet serves as a buffer between the two companies, and prevent direct access between their networks while allowing them to collaborate and share information in a secure manner. The companies can create this network themselves, but can also introduce a third party to host and manage the extranet.
POTS / PSTN
POTS (Plain Old Telephone Service) and PSTN (Public Switched Telephone Network) refer to the standard telephone network. It is a circuit-switched network designed for analog transmission of 'voice' over copper wires. By using a modem, a computer can use the telephone line for transferring digital information. This dial-up connection has long been the most widely used method to connect to the Internet, but has been replaced by faster methods such as DSL and cable Internet where those became available. A dial-up modem connection offers relatively slow transfer rates of up to 56Kbps, in reality even less. Apart from the low transfer rates, there are several other disadvantages to using dial-up connections. Dial-up connections are established when needed, usually on demand. In other words, a dial-up connection is not permanent. It can take up to several minutes for a modem to establish a connection with a remote modem. Customers are charged per minute or second for dial-up connections, so unless it is used sporadically, it is usually less expensive to lease a permanent connection. Although dial-up Internet connections are still common, amongst mobile users with notebooks for example, they are mostly being replaced with high-speed broadband and wireless connections.
xDSL (Digital Subscriber Line)
DSL uses the standard copper telephone wires, often already installed in offices and homes, to provide a high-speed digital Internet connection. There are different types of DSL, of which Asynchronous Digital Subscriber Line (ADSL) is the most widely installed. ADSL allows the telephone wires to be used for the analog POTS system and digital data transfer simultaneously. The download speed for ADSL connections is much faster than the upload speed, which corresponds to the needs of most of the typical Internet users. Another type of DSL is Symmetric DSL (SDSL), which cannot share the physical medium with standard telephone communication and has a download speed equal to the upload speed. DSL connections are not available everywhere because of the distance limitations and incompatible POTS systems.
The actual transfer speed varies a lot per type of DSL connection, and depends heavily on the distance between the user and the provider's Central Office (CO). The CO is the location at which customers' lines from a particular area are terminated and connected to a DSL Access Multiplexer (DSLAM). The DSLAMs are in turn connected to the telco/ISP's backbone to provide access to the Internet and other telephone services. This is usually a high-speed ATM connection. The maximum distance of an ADSL connection to the CO is 18,000 feet (5,460 meters). This is the limit for most other types of DSL as well. The download speeds generally range from 1.544 Mbps to 8.448 Mbps depending on the distance to the CO. The upload speed usually ranges between 64 and 640 Kbps.
The ISP that offers the DSL service usually provides a DSL transceiver, commonly referred to as a DSL modem. This small box usually allows an Ethernet UTP or a USB connection directly to a PC, or to a hub, router, or switch to provide Internet access to an entire network. The DSL transceiver can also be integrated in a router or switch. In addition to providing Internet access to homes and offices, DSL can also be suitable for VPN connections between offices or for home workers remotely accessing the corporate network.
Broadband Cable (Cable modem)
The cable that has become so popular for receiving TV broadcasts turns out to be very suitable for an Internet connection as well. TV channels only take up 6 MHz each, which usually leaves several hundred MHz available. This additional space on the cable allows for a permanent high-speed Internet connection. Information from the Internet travels through the cable as a single TV channel of 6 MHz. Upstream information requires just 2 MHz. Theoretically this allows for download speeds of 5 Mbps, but in reality it usually ranges from 384Kbps to 1.5Mbps. The transmission speeds do not depend on the distance of the connection, but since the medium is shared with other customers, they can vary a lot depending on how many users are connected in your area.
Just as with DSL, cable Internet requires a special transceiver at the customer's premises. This cable modem translates the analog signal to digital information and vice versa. Together with the Cable Modem Termination System (CMTS) on the provider's end, it allows the cable to be used to receive and send information on frequencies not used by TV channels. Just like the DSLAM for DSL connections, the CMTS interconnects the customers' cable connections to a single high-capacity Internet connection.
The incoming 75 ohm coaxial cable connects with an F-Type connector to the cable modem, which in turn provides one or more LAN interfaces, usually Ethernet or USB. These connect directly to a client, or to a device such as a hub, switch, or wireless access router, to allow additional internal clients or entire networks to use the same connection. The cable modem is also equipped with connections for TV and radio, for example.
Using satellites for Internet access may seem a bit futuristic, but in rural areas where DSL and cable Internet services are not available, satellite Internet access can be a very good alternative to standard dial-up connections. The download speed is typically around 500Kbps and the upload speed around 50Kbps, but this can vary per provider. Satellite Internet requires a dish of about the same size as those used for satellite TV reception. The customer's dish communicates with the satellite, which in turn communicates with a large dish at the provider. IP multicasting, compression, and acceleration technology are implemented throughout the entire circuit to squeeze the most out of the connection.
Wireless Internet access is particularly useful for mobile users. With handheld devices becoming more advanced and increasingly popular, most of the major mobile telcos started offering wireless Internet access in several ways. This includes deploying WiFi hotspots in populated areas and locations such as airports and hotels. Organizations can use the same method to offer wireless access to the corporate network for mobile employees and indirectly provide them access to the Internet. Technologies such as GPRS and UMTS allow smartphones and other handhelds with Internet capabilities to access the Internet using the existing cell phone network.