Connecting a LAN to the Internet

Reading: Ensure basic Internet connectivity

Inside this reading:

Internet Connection Models

Basic Firewall and Proxy Features

Types of ISP accounts

Summary

Internet Connection Models

Many businesses require an Internet connection as part of the standard network facilities required to operate effectively. Email, ordering supplies, electronic banking and Web research facilities are all now common business activities.

However, connecting your local business network to the Internet is not without risk. The Internet in the 21st Century is a place of hackers and viruses. Visible Internet hosts may receive thousands of hacking attempts each day as part of the ‘normal’ network traffic brought in by an Internet connection.

So what are the issues that should be considered in the design, installation and management of an Internet connection?

There is a range of Internet connection types available, each with its own costs and benefits. Every type of Internet connection will require an Internet Service Provider (ISP). An ISP is a network that you connect to, which in turn has another connection to other parts of the Internet. This is why the Internet is often referred to as ‘The Web’, a maze of interconnecting networks, each network paying for access to the other networks.

Internet Connection Hardware/Software

To connect a LAN to the Internet, a number of additional pieces of hardware and software are required. The type of network connection will determine the actual equipment used, but the following is required as a minimum:

  • IP LAN segment
  • Valid IP address range
  • Gateway
  • WAN link

More complicated LAN Internet connections may require further equipment, but the above items will provide a ‘standard’ level of Internet connectivity.

IP LAN Segment

For Internet connectivity, the local LAN segment must run as an IP network segment. Each machine must have an IP address. DHCP may be implemented to assist in the management of IP address allocation to computer hosts. DNS would also be present to allow client computers to use domain names to access resources instead of the numerical IP address.

Valid IP address range

IP addresses must be unique on a network – in other words, no two devices can have the same IP address. When connecting an entire LAN segment to the Internet, the organisation’s IP addressing scheme must be revised. For all of the computers on the LAN segment to be visible on the Internet, all must have valid IP addresses. To achieve this, an entire IP network (or subnet) range of addresses must be leased.

Most businesses do not go to the expense of leasing a new set of IP addresses to allow their computers to access the Internet. Normally, only one valid IP address is required for the local network to have access to the Internet, and the ISP would supply this address. This means that only a single host system would be visible on the Internet.

The valid IP address would then be given to the router gateway that connects the LAN to the Internet. It is this device that provides the Network Address Translation (NAT) service to computers on the LAN. NAT allows the local network segment to use private IP addresses, which are hidden from the internet. The local network’s IP addresses are then replaced by the one valid IP address (public) when the network traffic goes through the gateway to the Internet.

Gateway

A gateway is simply a device that links two different networks together. In IP networking the gateway has a special role: it is the device to which any network traffic addressed to a non-local host (one that is on a different IP network) is sent. The gateway device provides a link between the local LAN segment and the ISP’s network. Gateways, often implemented as routers, come in many forms. Common types of gateways are ADSL routers, Ethernet routers, Dialup routers and PC-based routers, just to name a few.

The gateway must have network interfaces that match the WAN connection media to the ISP as well as the LAN connection media to the local network. So the purchase of an appropriate gateway is specific to the inter-network situation.

WAN Link

Normally the ISP that the local LAN connects to is physically remote from it. As a result, a Wide Area Network (WAN) link is required to join the networks. While standard dialup telephone lines provide this link for many home computers, higher speed ISDN and ADSL broadband connections are popular where available. While ADSL is quite common in metropolitan areas, ISDN still has a role for small businesses in many areas of NSW where ADSL is not available. Large businesses will use even higher speed links often implemented as a T1 connection. As with most capacity related services, it all comes down to cost.

Internet Connection Topologies

The term topology is related to the layout of the network. In the examples below the topologies are not meant to represent the physical layout in a particular office environment, but rather the network connections that exist between network components, where the device names given refer to their functions. In many cases, especially on the ISP side, a single piece of hardware may provide multiple routing interfaces instead of having racks of individual routers.

The most common types of Internet connection topologies are listed below.

Basic Internet Gateway with Leased IP address range

A basic IP based LAN with an Internet gateway connecting it to an ISP is a simple network. Here the client’s gateway router is connected to the ISP’s router through an ADSL or ISDN segment. This network segment will normally hold a small two-IP-address subnet of public IP addresses, one address for each router ADSL/ISDN interface.

Figure 1: Diagram of basic internet gateway

In this example the local LAN administrator has arranged for both an ISP connection as well as a leased IP address range. Normally this will take the form of a subnet of an existing network range managed by the ISP. The domain of the local network would normally be registered and the DNS server linked to the parent DNS. The HTTP Servers on the client network could host a public company web site and a public email service. Because the client network is fully integrated in the Internet, they could use video streaming, voice over IP and all other Internet available facilities. The public IP addresses of the client network’s Gateway Router, DNS and Web-related servers would be static (fixed).

Basic Internet Gateway with NAT Server

An Internet connection using Network Address Translation (NAT) is a common type of network used by business. This type of network is used where the client network requires only limited Internet access such as browsing.

All of the client computers linked to the gateway router running NAT will have a private, non-routable IP address. The NAT router substitutes its own public IP address in place of the private IP address of the internal network, every time a packet goes out from the client’s network to the Internet.

This will make these machines invisible to the Internet. As a result Internet based services such as Email and the client’s HTTP site must be hosted on the ISP’s servers, instead of being located within the client network. The client network will not normally have a domain name for their network as it only consists of one public IP address – that held by the ADSL interface of the gateway router.
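The behaviour described above, simulated as an added example (not code from the reading): outbound packets leave with the router's single public address, replies are mapped back through a translation table, and unsolicited inbound packets that match no table entry are dropped. The example adds the port mapping a real NAT router keeps so that several LAN hosts can share one address; all addresses are constructed.

```python
# NAT gateway simulation: an added example, not code from the reading.
# It shows why LAN hosts behind the NAT router are invisible from the Internet:
# outbound packets leave with the router's single public address, replies are
# mapped back through the translation table, and unsolicited inbound packets
# that match no table entry are dropped.

PUBLIC_IP = "203.0.113.10"  # constructed address of the router's ADSL interface

class NatRouter:
    def __init__(self, public_ip, first_port=40000):
        self.public_ip = public_ip
        self.next_port = first_port
        self.by_public_port = {}   # public port -> (private ip, private port)
        self.by_private = {}       # (private ip, private port) -> public port

    def outbound(self, src_ip, src_port, dst_ip, dst_port):
        """LAN -> Internet: return the packet as the Internet sees it."""
        key = (src_ip, src_port)
        if key not in self.by_private:          # new flow: allocate a public port
            self.by_private[key] = self.next_port
            self.by_public_port[self.next_port] = key
            self.next_port += 1
        return (self.public_ip, self.by_private[key], dst_ip, dst_port)

    def inbound(self, src_ip, src_port, dst_ip, dst_port):
        """Internet -> LAN: return the translated packet, or None if dropped."""
        if dst_ip != self.public_ip:            # private addresses are unreachable
            return None
        if dst_port not in self.by_public_port: # no LAN host asked for this
            return None
        priv_ip, priv_port = self.by_public_port[dst_port]
        return (src_ip, src_port, priv_ip, priv_port)

def demo():
    """Constructed traffic: one web request and its reply, then two unsolicited probes."""
    nat = NatRouter(PUBLIC_IP)
    out = nat.outbound("192.168.1.20", 51000, "198.51.100.5", 80)
    reply = nat.inbound("198.51.100.5", 80, PUBLIC_IP, out[1])
    probe_public = nat.inbound("198.51.100.9", 4444, PUBLIC_IP, 80)
    probe_private = nat.inbound("198.51.100.9", 4444, "192.168.1.20", 80)
    return {"outbound": out, "reply": reply,
            "probe_public": probe_public, "probe_private": probe_private}

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value if value else 'dropped'}")
```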

Figure 2: Diagram of internet gateway with NAT server

This type of network minimises exposure to hacking attempts, as the client’s internal network is invisible to the Internet. However, it still allows for viruses to enter via email messages and downloaded files. The public IP addresses of the client network’s Gateway Router may be allocated as either dynamic or static.

Basic Internet Gateway with DMZ

This type of network connection is a combination of the previous two. Here the client network leases a small public IP subnet, will have its own domain name, web sites, and email servers, while their local LAN segment is protected by the NAT router at a lower level. This model is normally used by businesses that require full Internet capabilities as well as the security of isolating their internal network segment.

Figure 3: Diagram of internet gateway with DMZ

The De-Militarized Zone (DMZ) refers to a section of the network that has full Internet access but is partially protected by a firewall. Firewalls are discussed in the next section.

It is also possible to link other networks to any existing router in the client network. This would be achieved by providing the existing routers with an additional WAN interface leading to the other network. The public IP addresses of the client network DMZ’s Gateway Router, DNS and Web-related servers would be static (fixed).

Basic Firewall and Proxy Features

Firewalls

A firewall refers to a type of service that may be hosted on a variety of devices. Gateway routers can have firewalls, computers can have firewalls and dedicated firewall devices are also available. Importantly, a firewall protecting a network segment has two network interfaces. One network interface is connected to the unrestricted Internet and the other provides filtered network traffic for the internal client network.

A firewall examines all traffic wanting to enter the internal network. The network traffic is compared to a set of selection rules and, if the traffic does not meet the requirements, it is discarded. For example, a client Internet site may only want to allow incoming packets addressed to the HTTP server 203.34.200.150 using port 80. If that rule is set up in the firewall, all packets trying to pass the firewall that do not match that rule are discarded.

The reason that a network segment protected by a firewall is often referred to as a DMZ is that the firewall provides a degree of protection, while still allowing some amount of Internet traffic. The local network is not, however, totally protected. Remember, the only way to be totally protected from the Internet is to disconnect your network from it!

When configuring a firewall, examine the types of services you want to provide to the Internet from the computers that hold visible public IP addresses. They may include services such as Email, HTTP, HTTPS, FTP, terminal services, etc. Each of these services will be available on a specific IP address and will send its traffic through a specific port number. The IP address will be the IP address of the computer hosting the service. The port number can be found from the software supplier of that service. Some port numbers are standard; HTTP traffic, for example, needs port 80 to be available. By matching your incoming traffic filter to your services you limit what the Internet can reach to the services you intend to offer.
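The default-deny filter described in the last two paragraphs, as an added example (not code from the reading): allow rules are generated from an inventory of the services the network publishes, so a packet is admitted only if it matches one of them. The HTTP server 203.34.200.150 is the reading's own example; the mail host 203.34.200.151 and the Internet source 198.51.100.7 are constructed.

```python
# Default-deny packet filter: an added example, not code from the reading.
# Allow rules are generated from the inventory of services the network publishes,
# so traffic to anything else is discarded, as in the reading's port-80 example.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Packet:
    src: str    # source IP address
    dst: str    # destination IP address
    proto: str  # "tcp" or "udp"
    dport: int  # destination port

@dataclass(frozen=True)
class Rule:
    dst_net: str  # destination host or network in CIDR notation
    proto: str
    dport: int

    def matches(self, pkt: Packet) -> bool:
        return (ip_address(pkt.dst) in ip_network(self.dst_net)
                and pkt.proto == self.proto and pkt.dport == self.dport)

def rules_from_services(inventory):
    """Build allow rules from {host: [(proto, port), ...]}; nothing else is permitted."""
    return [Rule(f"{host}/32", proto, port)
            for host, svcs in inventory.items() for proto, port in svcs]

def filter_packet(rules, pkt):
    """Return 'accept' if any allow rule matches, else 'drop' (default deny)."""
    return "accept" if any(r.matches(pkt) for r in rules) else "drop"

# Published services: the reading's HTTP server plus a constructed mail host.
SERVICES = {"203.34.200.150": [("tcp", 80), ("tcp", 443)],
            "203.34.200.151": [("tcp", 25)]}
RULES = rules_from_services(SERVICES)

# Constructed sample traffic; 198.51.100.7 stands in for an Internet host.
SAMPLE = [
    Packet("198.51.100.7", "203.34.200.150", "tcp", 80),  # web request: accept
    Packet("198.51.100.7", "203.34.200.150", "tcp", 23),  # telnet to web server: drop
    Packet("198.51.100.7", "203.34.200.151", "tcp", 25),  # mail to mail host: accept
    Packet("198.51.100.7", "203.34.200.151", "tcp", 80),  # HTTP to mail host: drop
    Packet("198.51.100.7", "203.34.200.150", "udp", 80),  # wrong protocol: drop
]

def run(rules=RULES, packets=SAMPLE):
    """Verdict for each sample packet, in order."""
    return [filter_packet(rules, p) for p in packets]
```

Because the filter is stateless, reply traffic to connections the LAN opened would need a separate rule or connection tracking, which the reading does not cover.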

Figure 4: Diagram showing best locations for firewall

If you are trying to protect the network from denial of service (DoS) attacks, then the firewall must be as close to the Internet source as possible. Some ISPs can provide (at a cost) basic firewall filtering of traffic before it enters your network. If incoming traffic has to ‘bounce’ around the client network before being filtered at the destination computer (as many personal firewall products do), then it has already degraded your network service. This type of DoS attack is most effective against slow devices, such as routers and their WAN links.

Proxy Servers

Proxy servers are used as a traffic minimisation device. A proxy server is used as an intermediary. It takes requests for Internet data from a client computer, gets the data from the Internet site and keeps a local copy of that data for itself. The next time that data is requested, it will provide its local copy of the data instead of accessing the data from the original Internet site. This reduces Internet traffic in an environment where many users require access to the same data. By themselves, they do not provide any security, but can save large amounts of network traffic. Remember most ISP connections (especially ADSL and other broadband options) are charged by traffic volume.

Types of ISP accounts

There are many types of ISP accounts or plans available today. Tomorrow, there will be others. It is a constantly changing marketplace, with many similarities to the marketing of mobile phones.

There are a number of features that need to be considered when selecting the best type of account for a client. Most ISP plans are based on a recurring monthly fee. The amount charged will depend upon the:

  • connection type and speed,
  • traffic and time allowances,
  • number of IP addresses,
  • value added services such as Email hosting or Web hosting.

Connection Type and Speed

One of the main determining factors of the monthly cost of an ISP connection relates to the network type and its speed. Different fee structures are used for Dialup plans, ADSL, ISDN or satellite. ADSL and ISDN will have a range of plans depending upon the different network speeds available.

When deciding on a type of network connection to use, check the following:

  • Availability: Not all network types are available at all locations.
  • Installation costs: ADSL, ISDN and Satellite plans will all have additional installation costs.
  • Reliability: Some of these connections are more reliable than others. ADSL for example may have some level of unavailability each day.

Traffic/Time allowances

The other main determining factor is the ISP’s allowance of network traffic or network time for your monthly fee. Many ISPs will differ in the amount of traffic or time the connection is allowed to use each month. Some ISP connections, such as ADSL, are charged on traffic volume only, as ADSL is a permanently connected digital service. Dial-up ISP accounts mainly record time usage. ISDN ISP packages may record both time usage and network traffic.

Some ISPs charge additional monthly fees when the estimated traffic volume or time limits are exceeded. This can be very expensive! Others simply reduce the network speed for the balance of the month. This is a safer approach that is often referred to as an unlimited account.

Dial-up and ISDN accounts may restrict the duration of a connection: after a set time limit the session is forcibly disconnected, and a minimum time must pass before you can reconnect. Such a restriction may be unsuitable for businesses, and a premium business account may need to be used.

Number of IP addresses

ISPs will normally provide one public IP address per connection by default. This IP address will be held by the computer’s dialup adapter in the case of a modem connection, and by the router if a network shares the connection. As shown in the Internet Connection Models previously, one address may or may not suit the client’s needs.

Additional IP addresses cost more. So examine the type of Internet connection that is required by the client carefully.

Value Added Services

There will be additional costs for email, Web hosting, traffic filtering or domain hosting services that the client network may require. Once again, evaluate the client’s requirements.

Summary

This learning pack has covered the basic methods of connecting a network to the Internet. There are many different ways in which to approach the implementation of Internet access from a local area network. However, the main goal of any system upgrade is that it meets the needs of the client. It is clear that the area of Internet connectivity will continually change as new technologies are released.

© State of New South Wales, Department of Education and Training 2006