
Reading: Ensure basic Internet connectivity

LO3: Test Security and Internet Access

Inside this reading:

Internet Connection Models
Basic Firewall and Proxy Features
Types of ISP accounts
Summary

1710_reading.doc 1
© State of New South Wales, Department of Education and Training 2006

Internet Connection Models


Many businesses require an Internet connection as part of the standard
network facilities required to operate effectively. Email, ordering supplies,
electronic banking and Web research facilities are all now common business
activities.

However, connecting your local business network to the Internet is not
without risk. The Internet in the 21st Century is a place of hackers and
viruses. Visible Internet hosts may receive thousands of hacking attempts
each day as part of the ‘normal’ network traffic brought in by an Internet
connection.

So what are the issues that should be considered in the design, installation
and management of an Internet connection?

There is a range of Internet connection types available, each with its own
costs and benefits. Every type of Internet connection will require an Internet
Service Provider (ISP). An ISP is a network that you connect to, which
in turn has another connection to other parts of the Internet. This is why the
Internet is often referred to as ‘The Web’, a maze of interconnecting
networks, each network paying for access to the other networks.

Internet Connection Hardware/Software


To connect a LAN to the Internet, a number of additional pieces of hardware
and software are required. The type of network connection will determine
the actual equipment used, but the following is required as a minimum:
• IP LAN segment
• Valid IP address range
• Gateway
• WAN link

More complicated LAN Internet connections may require further
equipment, but the above items will provide a ‘standard’ level of Internet
connectivity.

IP LAN Segment.

For Internet connectivity, the local LAN segment must run as an IP network
segment. Each machine must have an IP address. DHCP may be
implemented to assist in the management of IP address allocation to
computer hosts. DNS would also be present to allow client computers to use
domain names to access resources instead of the numerical IP address.

Valid IP address range


IP addresses must be unique on a network – in other words, no two devices
can have the same IP address. When connecting an entire LAN segment to
the Internet, the organisation’s IP addressing scheme must be revised. For
all of the computers on the LAN segment to be visible on the Internet, all
must have valid IP addresses. To achieve this, an entire IP network (or
subnet) range of addresses must be leased.

Most businesses do not go to the expense of leasing a new set of IP
addresses to allow their computers to access the Internet. Normally, only one
valid IP address is required for the local network to have access to the
Internet and the ISP would supply this address. This means that only a
single host system would be visible on the Internet.

The valid IP address would then be given to the router gateway that
connects the LAN to the Internet. It is this device that provides the Network
Address Translation (NAT) service to computers on the LAN. NAT allows
the local network segment to use private IP addresses, which are hidden
from the internet. The local network’s IP addresses are then replaced by the
one valid IP address (public) when the network traffic goes through the
gateway to the Internet.

Gateway
A gateway is simply a device that links two different networks together. In
the context of the IP network behaviour, the gateway has a special role. It is
the device where any network traffic is sent that is addressed to a non-local
host (one that is on a different IP network). The gateway device provides a
link between the local LAN segment and the ISP’s network. Gateways,
often implemented as routers, come in many forms. Common types of
gateways are ADSL routers, Ethernet routers, Dialup routers and PC-based
routers just to name a few.

The gateway must have network interfaces that match the WAN connection
media to the ISP as well as the LAN connection media to the local network.
So the purchase of an appropriate gateway is specific to the inter-network
situation.

WAN Link

Normally the ISP that the local LAN connects to is physically remote from
it. As a result, a Wide Area Network (WAN) link is required to join the
networks. While standard dialup telephone lines provide this link for many
home computers, higher speed ISDN and ADSL broadband connections are
popular where available. While ADSL is quite common in metropolitan
areas, ISDN still has a role for small businesses in many areas of NSW
where ADSL is not available. Large businesses will use even higher speed
links often implemented as a T1 connection. As with most capacity related
services, it all comes down to cost.

Internet Connection Topologies


The term topology is related to the layout of the network. In the examples
below the topologies are not meant to represent the physical layout in a
particular office environment, but rather the network connections that exist
between network components, where the device names given refer to their
functions. In many cases, especially on the ISP side, a single piece of
hardware may provide multiple routing interfaces instead of having racks of
individual routers.

The most common types of Internet connection topologies are listed below.

Basic Internet Gateway with Leased IP address range.

A basic IP based LAN with an Internet gateway connecting it to an ISP is a
simple network. Here the client’s gateway router is connected to the ISP’s
router through an ADSL or ISDN segment. This network segment will
normally hold a small two-IP-address subnet of public IP addresses, one
address for each router ADSL/ISDN interface.

Figure 1: Diagram of basic internet gateway

In this example the local LAN administrator has arranged for both an ISP
connection as well as a leased IP address range. Normally this will take the
form of a subnet of an existing network range managed by the ISP. The
domain of the local network would normally be registered and the DNS
server linked to the parent DNS. The HTTP Servers on the client network
could host a public company web site and a public email service. Because
the client network is fully integrated in the Internet, they could use video
streaming, voice over IP and all other Internet available facilities. The
public IP addresses of the client network’s Gateway Router, DNS and Web-
related servers would be static (fixed).

Basic Internet Gateway with NAT Server.

An Internet connection using Network Address Translation (NAT) is a
common type of network used by business. This type of network is used
where the client network requires only limited Internet access such as
browsing.

All of the client computers linked to the gateway router running NAT will
have a private, non-routable IP address. The NAT router substitutes its own
public IP address in place of the private IP address of the internal network,
every time a packet goes out from the client’s network to the Internet.

This will make these machines invisible to the Internet. As a result Internet
based services such as Email and the client’s HTTP site must be hosted on
the ISP’s servers, instead of being located within the client network. The
client network will not normally have a domain name for their network as it
only consists of one public IP address – that held by the ADSL interface of
the gateway router.

Figure 2: Diagram of internet gateway with NAT server

This type of network minimises exposure to hacking attempts, as the client’s
internal network is invisible to the Internet. However, it still allows for
viruses to enter via email messages and downloaded files. The public IP
addresses of the client network’s Gateway Router may be allocated as either
dynamic or static.
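
The following is an added example, not part of the original reading, that models the translation table of a NAT gateway to show why LAN hosts can reach the Internet while unsolicited inbound traffic finds no host to reach. It assumes port translation and per-remote-endpoint matching, which the reading does not describe, and every address in it is constructed.

```python
class NatGateway:
    """Many-to-one NAT with port translation; flows start from the LAN only."""

    def __init__(self, public_ip, first_port=40000):
        self.public_ip = public_ip
        self.next_port = first_port
        self.out = {}   # (lan_ip, lan_port, remote_ip, remote_port) -> public port
        self.back = {}  # (public port, remote_ip, remote_port) -> (lan_ip, lan_port)

    def outbound(self, src_ip, src_port, dst_ip, dst_port):
        """Replace the private source with the public address and record the flow."""
        key = (src_ip, src_port, dst_ip, dst_port)
        if key not in self.out:
            self.out[key] = self.next_port
            self.back[(self.next_port, dst_ip, dst_port)] = (src_ip, src_port)
            self.next_port += 1
        return (self.public_ip, self.out[key], dst_ip, dst_port)

    def inbound(self, src_ip, src_port, dst_ip, dst_port):
        """Translate a reply back to its LAN host, or return None (discarded)."""
        if dst_ip != self.public_ip:
            return None
        target = self.back.get((dst_port, src_ip, src_port))
        if target is None:
            return None  # no LAN host opened this flow, so nothing to deliver to
        return (src_ip, src_port, *target)


def demo():
    gw = NatGateway("198.51.100.1")  # constructed public address
    # Two LAN hosts use the same source port towards the same web server.
    a = gw.outbound("192.168.1.10", 51000, "203.0.113.80", 80)
    b = gw.outbound("192.168.1.11", 51000, "203.0.113.80", 80)
    # The server's reply to the first host is translated back.
    reply = gw.inbound("203.0.113.80", 80, "198.51.100.1", a[1])
    # A different remote host sending to the same public port is not.
    unsolicited = gw.inbound("203.0.113.99", 4444, "198.51.100.1", a[1])
    # Neither is traffic to a port no LAN host ever used.
    scan = gw.inbound("203.0.113.99", 4444, "198.51.100.1", 80)
    return a, b, reply, unsolicited, scan


if __name__ == "__main__":
    for result in demo():
        print(result)
```

The same table explains why services such as email and the HTTP site cannot be hosted behind this gateway: no entry exists until a LAN host sends traffic out.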

Basic Internet Gateway with DMZ.


This type of network connection is a combination of the previous two. Here
the client network leases a small public IP subnet, will have its own domain
name, web sites, and email servers, while their local LAN segment is
protected by the NAT router at a lower level. This model is normally used
by businesses that require full Internet capabilities as well as the security of
isolating their internal network segment.

Figure 3: Diagram of internet gateway with DMZ

The De-Militarized Zone (DMZ) refers to a section of the network that has
full Internet access but is partially protected by a firewall. Firewalls are
discussed in the next section.

It is also possible to link other networks to any existing router in the client
network. This would be achieved by providing the existing routers with an
additional WAN interface leading to the other network. The public IP
addresses of the client network DMZ’s Gateway Router, DNS and Web-
related servers would be static (fixed).


Basic Firewall and Proxy Features

Firewalls
A firewall refers to a type of service that may be hosted on a variety of
devices. Gateway routers can have firewalls, computers can have firewalls
and dedicated firewall devices are also available. Importantly, a firewall
protecting a network segment has two network interfaces. One network
interface is connected to the unrestricted Internet and the other provides
filtered network traffic for the internal client network.

A firewall examines all traffic wanting to enter the internal network. The
network traffic is compared to a set of selection rules and if the traffic does
not meet the requirements, it is discarded. For example, a client Internet site
may only want to allow incoming packets addressed to the HTTP server
203.34.200.150 using port 80. If that rule is set up in the firewall, all packets
trying to pass the firewall that do not match that rule are discarded.

The reason that a network segment protected by a firewall is often referred
to as a DMZ is that the firewall provides a degree of protection, while still
allowing some amount of Internet traffic. The local network is not,
however, totally protected. Remember, the only way to be totally protected
from the Internet is to disconnect your network from it!

When configuring a firewall, examine the types of services you want to
provide to the Internet from the computers that hold visible public IP
addresses. They may include services such as Email, HTTP, HTTPS, FTP,
terminal services, etc. Each of these services will be available on a specific
IP address and will send its traffic through a specific port number. The IP
address will be the IP address of the computer hosting the service. The port
number can be found from the software supplier of that service. Some port
numbers are standard. HTTP traffic for example needs port 80 to be
available. By matching your incoming traffic filter to your services you can
secure your network.
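
The following is an added example, not part of the original reading, that builds an inbound allow list from a service inventory, discards everything else, and checks the rules against what the public hosts really listen on. Only the web server address 203.34.200.150 and port 80 come from the reading; the mail server, the FTP listener and all function names are hypothetical.

```python
import ipaddress
from typing import NamedTuple


class Rule(NamedTuple):
    service: str
    dst: ipaddress.IPv4Address
    proto: str
    port: int


def build_rules(services):
    """One inbound allow rule per published service (name, ip, proto, port)."""
    return [Rule(n, ipaddress.IPv4Address(ip), p, port) for n, ip, p, port in services]


def filter_inbound(rules, dst_ip, proto, dst_port):
    """First matching rule accepts; everything else is discarded (default deny)."""
    dst = ipaddress.IPv4Address(dst_ip)
    for r in rules:
        if (r.dst, r.proto, r.port) == (dst, proto, dst_port):
            return "ACCEPT", r.service
    return "DROP", None


def audit(rules, listening):
    """Compare the rule set with sockets that really listen on the public hosts.

    Returns (stale, unreachable): rules that open a port nothing listens on,
    and listening sockets that no rule admits.
    """
    allowed = {(str(r.dst), r.proto, r.port) for r in rules}
    live = set(listening)
    return sorted(allowed - live), sorted(live - allowed)


# Constructed inventory: the second entry is a hypothetical mail server.
SERVICES = [
    ("http", "203.34.200.150", "tcp", 80),
    ("smtp", "203.34.200.151", "tcp", 25),
]
# Constructed listener survey: FTP was left running but is not published.
LISTENING = [
    ("203.34.200.150", "tcp", 80),
    ("203.34.200.150", "tcp", 21),
]

if __name__ == "__main__":
    rules = build_rules(SERVICES)
    for pkt in [("203.34.200.150", "tcp", 80), ("203.34.200.150", "tcp", 21),
                ("203.34.200.150", "udp", 80), ("203.34.200.152", "tcp", 80)]:
        print(pkt, filter_inbound(rules, *pkt))
    print(audit(rules, LISTENING))
```

A stale rule is an opening with nothing behind it today and should be removed; an unreachable listener is a service that is running without having been deliberately published.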


Figure 4: Diagram showing best locations for firewall

If you are trying to protect the network from denial of service (DOS)
attacks, then the firewall must be as close to the Internet source as possible.
Some ISPs can provide (at a cost) basic firewall filtering of traffic before it
enters your network. If incoming traffic has to ‘bounce’ around the client
network before being filtered at the destination computer (as many personal
firewall products do), then it has already degraded your network service.
This type of DOS attack is most effective against slow devices, such as
routers and their WAN links.

Proxy Servers
Proxy servers are used as a traffic minimisation device. A proxy server is
used as an intermediary. It takes requests for Internet data from a client
computer, gets the data from the Internet site and keeps a local copy of that
data for itself. The next time that data is requested, it will provide its local
copy of the data instead of accessing the data from the original Internet site.
This reduces Internet traffic in an environment where many users require
access to the same data. By themselves, they do not provide any security,
but can save large amounts of network traffic. Remember most ISP
connections (especially ADSL and other broadband options) are charged by
traffic volume.

Types of ISP accounts


There are many types of ISP accounts or plans available today. Tomorrow,
there will be others. It is a constantly changing marketplace, with many
similarities to the marketing of mobile phones.

There are a number of features that need to be considered when selecting the
best type of account for a client. Most ISP plans are based on a recurring
monthly fee. The amount charged will depend upon the:
• connection type and speed,
• traffic and time allowances,
• number of IP addresses,
• value added services such as Email hosting or Web hosting.

Connection Type and Speed

One of the main determining factors of the monthly cost of an ISP
connection relates to the network type and its speed. Different fee structures
are used for Dialup plans, ADSL, ISDN or satellite. ADSL and ISDN will
have a range of plans depending upon the different network speeds
available.

When deciding on a type of network connection to use, check the following:

• Availability: Not all network types are available at all locations.
• Installation costs: ADSL, ISDN and Satellite plans will all have
  additional installation costs.
• Reliability: Some of these connections are more reliable than others.
  ADSL for example may have some level of unavailability each day.

Traffic/Time allowances
The other main determining factor is the ISP’s allowance of network traffic
or network time for your monthly fee. Many ISPs will differ in the amount
of traffic or time the connection is allowed to use each month. Some ISP
connections, such as ADSL are only interested in traffic volume, as ADSL
is a permanently connected digital service. Dial-up ISP accounts mainly
record time usage. ISDN ISP packages may record both time usage and
network traffic.

Some ISPs charge additional monthly fees when the estimated traffic
volume or time limits are exceeded. This can be very expensive! Others
simply reduce the network speed for the balance of the month. This is a
safer approach that is often referred to as an unlimited account.

Dial-up and ISDN accounts may have a duration of connection restriction
with a set time limit before being forcibly disconnected with a minimum
time before you can reconnect. Such a restriction may be unsuitable for
businesses and a premium business account may need to be used.

Number of IP addresses

ISPs will normally provide one public IP address per connection by default.
This IP address will be held by the computer’s dialup adapter, in the case of
a modem connection, and by the router if a network shares the connection.
As shown in the Internet Connection Models described previously, one address
may or may not suit the client’s needs.

Additional IP addresses cost more. So examine the type of Internet
connection that is required by the client carefully.

Value Added Services


There will be additional costs for email, Web hosting, traffic filtering or
domain hosting services that the client network may require. Once again,
evaluate the client’s requirements.

Summary
This learning pack has covered the basic methods of connecting a network
to the Internet. There are many different ways in which to approach the
implementation of Internet access from a local area network. However, the
main goal of any system upgrade is that it meets the needs of the client. It is
clear that the area of Internet connectivity will continually change as new
technologies are released.
