Wireless networks based on the IEEE 802.11 stndard have several options for
security. Obviously, you do not want to put up a wireless network and have your
neighbor able to share your printers and network connections.
There are several mechanisms for security in these networks:
Each network is configured to have a unique identifier (Severance_Home in the
above example) so that it is possible for multiple access points and multiple
wireless networks to operate in the same area independently. Client computers
can disover and associate with the desired wireless network.
- Each network can have a password. However, the 802.11 standard did not
specify how passwords were to work, so each vendor developed their own
password mechanism. With the password capability enabled, you may find that
you have to stick with a single vendor's wireless networking equipment.
- The packets can also be encrypted so that it is not possible for an
evesdropper to "sniff" the network traffic and find the contents
of the packets. There are differing levels of encryption, with a 56-bit
encryption and a 128-bit encryption key. While the 128-bit keys are much
harder to crack than the 56-bit keys, for home use either should be
sufficient.
- Some base stations can be configured so that they will only talk to
certain wireless cards. Each wireless network card (like Ethernet) has a
unique 48-bit serial number installed by the manufacturer. As the owner of
the base station, you can simply enter the serial numbers of the wireless
NICs that you are willing to support. In some ways, this approach is better
than a password because it is vendor neutral. But not all base stations
support this facility.
In this configuration screen for the Apple Airport Base Station, the wireless
portion of the sample network is configured not to use the password and
encryption so as to maximize the interoperability with different vendor's
equipment.
Running an Ad Hoc Network
So far, we have covered the layout of a wireless network using an access point.
It is possible to have a network without an access point. This is called an Ad.
Hoc. network. In this type of network, the wireless cards work together to
essentially operate so the computers "appear" to be connected using an
Ethernet hub. Files and printers can be shared, but additional work must be done
if you want to share an Internet connection.
While the majority of the wireless network cards are built for portable
computers, it is also possible to use wireless networking to connect a desktop
computer to the network. In most cases using wireless with a desktop computer,
the you install a vendor-provided adapter which allows a PCMCIA adapter to be
installed into a desktop computer and then you use a standard PCMCIA wireless
card. A few vendors have a separate wireless network adapter for the desktop
computer, but it is the exception.
If you want to share an Internet connection in an ad hoc. wireless network, you
must perform the network gateway function in one of the computers which has both
a wireless connection and a connection to the Internet. This workstation must be
powered on and run Internet connection sharing software such as Sygate, WinRoute,
or others. While this configuration can work well, most people find it well
worth the cost of purchasing a low-cost hardware access-point instead of using a
workstation as a gateway.
Wireless Networking Technology - An Overivew
There are two basic sources of wireless networking technology available in the
market today. The earliest commercial wireless network technology grew out of
specialized commercial applications such as inventory control in a large
department store or warehouse. Employees would walk around with a wireless wand
with a bar code reader effortlessly uploading instantaneous inventory
information. These wireless technologies typically used unregulated frequency
ranges used by wireless telephones (900Mhz).
Because the data rates for the typical application did not need to be very
high, relatively simple protocols were developed and used. Most of the
engineering focus was on keeping the power requirements very low for small
battery-powered hand-held units.
The more recent source of wireless network technology came from military
research which was converted to civilian purposes. Wireless data connections in
military applications had several goals: (1) relatively high data rates, (2)
reliability in the face of enemy attempts to jam signals, (3) the transmissions
should be difficult to monitor, and (4) it should be difficult even to detect
that a trasmission is occuring.
These requirements lead to a set of technolgies called "spread
spectrum" communications which operate at 2.4Ghz and 5Ghz. Instead of
picking particular frequency range and using high power levels to send as much
data as possible using that frequency, the spread spectrum approach takes a much
wider frequency band and sends the data using many different frequencies at
relatively low power. Further, based on agreement between the sender and
receiver, the frequencies can be changed several times per second in what would
appear to be a random pattern. The two most common approaches were called Frequency
Hopping and Direct Sequence.
In Frequency Hopping Spread Spectrum (FHSS), the bandwidth is divided into
channels (the 2.4Ghz range is divided into 79 channels in the US). Once a
wireless connection is established, the receiver and transmitter agree on one of
several frequency hopping patterns. Based on the current channel and a simple
mathematical calaulation, both the receiver and transmitter jump to the next
channel in the sequence at the same time. Unless you know the proper calculation
to make, an evesedropper would have a difficult time following the
communication.
While the original goal of changing frequencies was to evade detection (the
military obviously used far more than 79 channels), having multiple sequences
means that interference among different groups of receivers and transmitters is
reduced. As a mater of fact, it is possible to deploy a number of base stations
with overlapping coverage ares, and have a wireless network card associate
itself with the base station with the strongest signal. In this way, a network
of base stations operate much like a cellular telephone network, handing mobile
base stations off from one to the other.
In Direct Sequence Spread Spectrum (DSSS) the frequency range is divided into
fewer channels. Instead of transmisttion at high power and moving quickly from
one channel to another, the data is "spread out" oin a predefined
pattern with a power level so low that the signal appears to be background
noise. The only way to reconstruct the data was to know the subtle patterns in
the background noise. To make a simple analogy, it is like hearing an AM radio
station which is too far away. It all sounds like static, but there is enough of
a pattern to the static that you know that people are talking but you cannot
discern what they are saying. In DSS, the circuitry in the network cards knows
the exact pattern in the "static" and reconstructs the data. Again, a
feature that was originally designed to evade detection results in a wireless
network technology that is tolerant of interference from other sources such as a
wireless phone, microwave oven, or unlicensed equipment operating in the same
frequency range.
In the late 1990's, there was a great deal of debate as to which of the
technologies was superior with excellent arguments for all of the technologies.
But the debate was resolved (for now) as low-cost equipment from Lucent and
Apple came out using IEEE 802.11 DSSS technology. In order to be compatible with
the existing (and growing) installed user base, nearly all new wireless
networking products came out supporting the DSSS technology.
Another factor which caused DSSS to be more broadly accepted was the
throughput. Originally, both DSSS and FHSS operated at 1Mbps. Many people felt
that the minimum acceptible bandwidth was 10Mbps (as fast as Ethernet). It
turned out that it was easier to push DSSS technology to 11Mbps than the FHSS
technology because of the way the FCC set the rules for the use of the 2.4Ghz
unlicensed frequency range. The FHSS community pushed to have the FCC rules
relaxed to boost the performance of FHSS, but by the time it was resolved DSSS
had a strong foothold in the consumer market.
The FHSS approach still has a distinct advantage when there is a high density
of access points and mobile workstations. Even though the speed of an individual
FHSS connection is slower, if there are many simultaneous connections, FHSS will
make better overall use of the frequency.
Conclusion
Wireless networking is the ultimate expression of home networking. It frees you
from your "computer dungeon" and allows you to be productive in more
pleasant surroundings. The market for wireless equipment has settles down and a
wide range of interopreable products exist based on the IEEE 802.11 Direct
Sequence Spread Spectrum (DSS) technology. You can easily purchase a kit with
several network cards and an access point and build a nice wireless network as
an add-on to your existing network.
-------------------------------------------------------------------------------------------------------------------------------------------------------
Using Your Network
While the first thought when you install a network is typically to share an
Internet connection, there are a number of other ways you can use your network.
Once you get used to file and printer sharing, you will begin to wonder how you
got along without the network. In this chapter, we will cover the more common
uses of home networking and some less common uses of home networking:
- Printer Sharing
- File Sharing
- Multi-Player Video Gaming
- Virtual Private Networking (typically used to connect to a company network
from home or on the road)
In this chapter, we will focus on networking between Windows operating systems
because that is the large percentage of the installed user base. We address some
of the issues for non-Windows operating sections in a separate section.
Setting up computers to share printers and files
Before we can share the printers and files, we must make sure to install all of
the proper software. While some steps can be eliminated for some of your
computers, the simplest approach is to perform the following steps on all of the
computers in your network (except perhaps your NAT gateway).
First install the network components NetBEUI, Client for Microsoft
Networks and File and printer sharing for Microsoft Networks
using the network control panel. If they are not installed, use the Add
button and find them under the Microsoft sections for Protocols, Clients,
and Services respectively. During the installation, you may be
prompted for the operating system disks and have to reboot the computer.
- Next set the computer name and the workgroup. The workgroup should be the
same for all of the computers in your home. The computer name must be unique
for each computer.
- Under the third tab, set Share Level Control. This means that each
resource (printer or files) will be shared based on a unique password for
the resource. The other approach, User level access control, requires
an NT Domain - which is well beyond the scope of this book. Domain style
control of resources is very effective for larger organizations, but is
generally too cumbersome for home use.
- Next, back in the network control panel under File and Print Sharing,
check the box to indicate that you wish to share your files and printers.
This does not actually share your printers and files, it just makes sure
that the necessary software is loaded so that files and printers can be
shared.
- Also in the network control panel, change the setting for Primary
Network Logon change the setting to Client for Microsoft Networks.
This will cause a network login screen to come up after Windows is booted at
which point you enter an account, leave the password blank, and press OK.
If you press Cancel or Escape you will not be logged in and
Network Neighborhood may not work.
These steps should make your computer ready to share and use resources across
the network. The actual sharing and use of files is relatively simple compared
to the preparation steps above.
Just as a short note, the MacOS operating system is automatically
pre-configured to "do the right thing" in most cases. There is really
no analog for these steps on a MacOS system :).
Sharing a Printer
Once you have installed the proper software and configured your network login,
you can share printers or files. First, we will examine the steps necessary to
share the printer.
- First you set the printer up on one computer using a USB or Parallel
connection. Install all of the proper device drivers according to the
manufacturer's directions. Make sure that the printer works by printing a
test page.
To share the printer, go into Settings | Printers, then right-click
on the desired printer and bring up the Sharing dialog. Within the
sharing dialog, you give the printer a share name (usually the default is
sufficient) and optionally give the printer a password. In a home network
situation, it is pretty safe to share printers without using a password.
When the printer has been successfully shared, the printer icon is changed so
that a small hand is added to the icon. This way you can tell at a glance which
objects are shared and which objects are not shared. Once you have installed the
proper software and successfully logged into the network on the client computer,
the steps are so simple that they are almost intuitive.
Browse the Network Neighborhood. If you see the name of the server
computer, then you are in great shape. Otherwise, take a look at the tips
and tricks section for some more sophisticated diagnostics and approaches.
Click on the name of the computer. You should be shown all of the shares -
the icon will tell you if the share is a printer or a file system.
- When you click on the printer icon, you will be asked as to whether or not
you want to install the printer. If you say "yes", the printer
will be installed. Part of the printer installation installs the necessary
printer drivers over the network so you should not have to use the printer
driver disk.
Once this is complete, you should be able to print from the client system as if
the printer were locally attached.
Sharing Files
In general, unless you have special security concerns, it is a good idea to
share all the disk drives on all of the computers. You should assign a password
to the disk drive shares. You can use the same password for all of the shares
and just make sure that family members all know the password. This way if an
intruder is able to gain access to your LAN, then they will not be able to
access any data without the password.
There is great convenience to being able to access any file on the home
network from any other computer. Especially if you are running around doing
"technical support" or helping someone with their homework, needing a
file that is two floors away.
Again, the steps to share and mount a drive are very simple. First we start on
the computer which will be sharing out the actual drive or directory. Assuming
that you already have the proper file sharing software installed and configured
as described above, you simply navigate to the drive that you want to share,
right click on the drive or directory and select the Sharing option. Much
like the printer, you give the share a name (again the default is usually fine)
and a password. With file sharing, you should always use a password. Generally
you will want to choose the Full option to allow Read/Write unless you
have a specific unique situation. You will be prompted for the password a second
time to verify the password.
It is actually not necessary to do anything special on the system which is
going to read the data from the share. You simply navigate down through the
Network Neighborhood, through the computer and down to the drive. The first time
you enter a share you will need to know the password. But from that point
forward until you reboot, your computer will remember the password.
You can navigate the network drive just like a normal drive. You can open and
save files from the shared drive as if it were local. You may need to develop
the skill of jumping to the Network Neighborhood in the Save or Open dialogs,
but it does not take long before it is second nature.
In some situations, you might want to "mount" a network drive and give
it a permanent letter. Some software prefers to deal with a drive letter as
compared to navigating down through the network neighborhood. This is
accomplished by navigating to the drive through network neighborhood to the
shared disk. To map the drive, you right-click on the drive and select Map
Network Drive. The system brings up a dialog box where you can choose a free
drive letter and a check box indicating whether this mapping is just until the
system is rebooted or whether you want this drive mapping to happen each time
the system comes up.
Typically it is not necessary to map every drive on every computer to a logical
drive letter. It is so simple to navigate through the network neighborhood that
mapping a drive letter adds little value. Three examples when mapped network
drives can be handy are as follows:
- When you have a place where you store downloaded material that is
reusable. For example, you can download one copy of a web browser and
install it on several machines. This also can be true for plug-ins such as
Adobe Acrobat or RealPlayer.
- If you have an MP3 collection, instead of putting the media on every
computer, simply keep a single copy on the computer with the largest hard
disk which stays on all of the time and mount it on the other computers as a
pseudo-drive.
- If you want to schedule a backup to happen late at night you will need to
have a mapped disk drive to use for the backup.
After you have your network for a while you will certainly find other more
interesting uses for your network drives.
Network Backups
Backing up your computer is one of those things which very few people do well.
The hardware is expensive, the tapes are expensive, and it takes a long time to
run a backup.
With a network, however you can make very simple and convenient backups from
one disk to another. The best approach is to purchase a separate large (can be
slow) hard drive and install it in one of your computers and share the drive
cross the network. This drive can be used to back up all of the computers in the
home network. While it would be a good idea to back that disk drive up to tape
from time to time, at least with the disk (for about $100), you have two copies
of the data on all of the computers on your network.
Windows-98 has a basic scheduling capability built-into the operating system
so the backups can be run late at night in an automated fashion. There are two
basic ways to set up an automated backup:
- Create a batch file which simply does an XCOPY of the important
data from the local disk to a subdirectory on the network drive. You create
a batch file for each computer and schedule it to run late at night and you
have a simple backup solution. This approach has the advantage that the
backup data is readily browsable (i.e. you don't have to do a restore), but
the disadvantages are that there is no compression and there is no simple
way to keep some history over time.
- You can use the backup program provided by Windows-98 to do a more
rigorous backup and enforce a schedule of full dumps and incremental dumps.
While this is more complex and the data must be restored, it allows you to
have a view of your data over time.
A Network Printer
Some newer printers can be purchased with a network adapter built into the
printer. You can also purchase an external unit which connects a printer to the
network. Given the ease of using a computer to connect your printer to the
network, using a network attached printer is not commonly done in smaller
networks. There are two basic ways to connect a printer directly to the network.
- Purchase a printer (typically HP) with an Ethernet connection. The most
common product is called JetDirect. You simply connect the printer to
the network and install the JetDirect software on each of the client
workstations. Then each workstation can print directly to the network
printer.
- Purchase a separate unit which has a network connection and a printer
connection. The cost of these units is becoming increasingly affordable.
These units appear as servers in Network Neighborhood. Each port on
the unit appears as a virtual printer. Clicking on the port installs the
printer on the client system.
Having a network printer is very convenient if you do not want to leave a
computer on all the time and use several different computers around the house.
The key is to weigh the costs of a network attached printer to the benefits that
you see.
Sharing Files under NT
If you are installing an NT system, you must make several decisions during
installation which cannot be changed without reinstallation. So you should know
the ultimate configuration before you install NT. NT Server is designed to
operate in very large networks. When you manage a very large network you take a
very different view of server configuration. Techniques used for enterprise
networks generally are not ideal for small networks.
In the Microsoft vernacular, these two approaches are called Workgroup
networking and Domain networking. Domain-style networking is designed for
larger networks and centralizes much of the security configuration. Each user
has an account on a Primary Domain Controller - passwords and account
configuration are all stored on the domain controller computers. Workgroup-style
networking allows each workstation to have its own security configuration. In
the examples above, we were using workgroup style networking when we add a
specific password to each shared drive and printer. If we were using domain
style networking, we would have provided a list of users who were permitted to
access the resource and the domain controller would have authenticated the users
and given access to the resource.
Do use domain-style networking you must have an NT server, so all of the
examples in the book are shown for the more typical workgroup-style networking
which is typical in Windows non-server environments.
If you install an NT system and want it to interoperate well with your other
workgroup systems, you should install it as a Stand-Alone Server instead
of a Domain Controller. In the network control panel, you can install the
NetBEUI software and configure the system with a workgroup and system
name. Then the server can interoperate with the rest of the workgroup-style
network clients.
The only other difference in setting up an NT server is how you set up access
to the network drives. The simplest approach is to share drives without any
passwords - but that gives poor security. A safer approach is to create a user
account and password using the NT Server administration tools. Then the drivers
and printers can be shared by All Users. This way, any user with a valid
account and password can access the drives.
When mounting disks or printers from and NT server on a non-NT system such as
Windows-98, the account and password come from two different places. First, the
account is what you type into the initial Windows Networking login dialog
when the system comes up. When you attempt to access the share over the network,
you will be prompted for the password. To keep things simple, typically you
would assign the same password to both the NT account and the shared files and
printers on your non-NT systems.
In Windows-2000 and beyond, domain-style networking has been improved and
extended and is called Windows Directory Services. Like NT domains,
Directory Services centralizes much of the security configuration and is
somewhat complicated for home use.
Solving File Sharing Problems
One of the most frustrating problems is when you are sure that you have set up
network sharing properly but Network Neighborhood seems not to work. This
section shows some techniques which you might try to get this to work:
- Check basic network connectivity. The ping command is an excellent
tool if you know the IP addresses of the systems.
- Make sure that all of the proper software is installed and configured as
described above
- Make sure that you set the identity in the network control panel and set
the check boxes that indicate that you want to allow others to access your
printers and files. Make sure that your computers have the same workgroup
name and have different computer names.
- Make sure that Primary Network Logon is set to Client for Microsoft
Networks on all of the systems and the systems have been rebooted.
- Make sure that you are actually logging in (no password required) at the
Microsoft Networking login screen.
- Make sure that you actually have something shared. Computers which do not
share a drive or printer will not show up in the Network Neighborhood.
If you follow the steps above and the computer still does not appear in Network
Neighborhood, it is possible to access the computer without using Network
Neighborhood. Right click on the Network Neighborhood and launch Find
Computer. Type in the computer name of the other computer. If the computer
is functioning and connected to the network, you will be able to browse the
computer. If you can find the computer this way, you know that it is functioning
properly. If you can find and browse the computer, but it does not appear in
Network Neighborhood, the problem is usually related to the login process.
If the login process seems counterintuitive, it is because Windows is trying
to automatically handle the fact that there is a "local login" and a
"network login". Windows-98 is trying to automate and coordinate both
processes. If you end up with passwords that are causing problems, you can clear
out all accounts and password by removing all of the files with the suffix
"*.pwl" from the C:\WINDOWS subdirectory and reboot the
computers. Make sure to log in with an account name and blank password when
prompted for the Microsoft Network login. If during the log-in process, you are
prompted for a Windows Login (a smaller window), use the same account name with
a blank password.
File and Printer Sharing on Non-Windows Systems
This section provides some pointers as to where to get started and what to
expect which trying to do file and printer sharing with other operating systems.
- Apple computers have had excellent peer-to-peer networking for many years.
It is very easy to setup and use. There is software available for MacOS to
allow Apple computers to access files and printers on Microsoft Systems, but
it typically only supports PostScript printers. Windows NT Server has
services for Macintosh which allows Macintosh clients to connect to NT files
and printers. Macintosh Services for NT works with any Windows compatible
printer. With MacOSX, there is a set of tools UNIX tool called samba
which allow some interactions with Windows Operating systems.
- Unix systems such as FreeBSD and LinUX have a set of tools to provide file
space and shared printer space for both Apple and Windows client computers.
Because UNIX is a server operating system, its support for accessing shared
drives and printers on Windows is typically somewhat limited.
If you have set up your own LinUX system then you are probably sophisticated
enough to turn on file sharing without much more help.
Multi-Player Gaming
While video game consoles are still very popular with younger children,
increasingly adult game players are using personal computers for their gaming.
Personal computer performance can be upgraded much more readily than a dedicated
game console. PC games are faster, more graphically intensive, and can operate
trivially in a multi-player mode.
Games can be played across a local area network or across the Internet or a
combination of both. It turns out that multiplayer games actually use a very
small amount of network bandwidth so computers can quickly and easily exchange
the information even over relatively slow networks.
Depending on the age of the computer game, it may use one of two network
protocols to comunicate:
- Older games will tend to use the Novell IPX protocol.
- Newer games and games which run over the Internet will use the TCP/IP
protocol.
For games which use the TCP/IP protocol, there should be no additional setup
once the computers are set up to surf the web and use the Internet for other
applications. When using TCP/IP between the computers, you will typically have
to enter the domain name (gaming.msn.com) or IP address (192.168.1.10) of the
master game server.
If you are playing on your LAN, you have a good reason to use fixed IP
addresses rather than dynamically assigned IP addresses distributed via DHCP.
Generally, one system must act as a "master" system and the other
systems will connect to that system. Unless you using a server across the
Internet, you bring up one copy of the game as a master and then put the IP
address of the master system into each of the client systems which are running
the game.
IPX is not an Internet protocol so it only runs over the local area network but
it has two advantages that led early multi-player games to choose IPX.
- IPX ran well in a DOS (not Windows) environment. On early computers, it
took every bit of performance to run the game so many games ran only under
DOS.
- IPX did not take a great deal of memory or CPU resources
- IPX has a way to "discover" network resource (just like Network
Neighborhood). So you don't have to assign or know the network configuration
numbers to establish a connection between the master game and the client
games.
Some games support both protocols so you can use each for its best use.
When you are running games which use IPX in a Windows environment, you must
install the IPX protocol under Settings | Control Panel | Network Settings .
You can find the protocol under the Microsoft protocols. Once installed, IPX
needs no additional configuration.
You may encounter a strange situation when mixing different versions of IPX
across different operating systems. It turns out that because the basic Ethernet
protocol evolved over time, there are several "variants" of the
protocol. Most mainstream protocols such as TCP/IP or NetBEUI choose the
standard Ethernet protocol format. Novell actually supports more than one
variant of the underlying Ethernet protocol. Example variants of the Ethernet
protocol are: Ethernet II, 802.2, and 802.3. We won't delve into the (very
insteresting) history of how these variants occured. All you need to know is
that all of your IXP/Novell configurations must use the same underlying
format. So if you are mixing DOS and Windows, or mixing different versions of
the protocol, and you are having problems making connections, check the
underlying Ethernet format for each of the systems.
Virtual Private Networks
Virtual Private Networks (VPNs) are a way to decribe the act of creating a
"new" network using the underlying capabilities of an existing
network. One major application of VPN technology is to produce a corporate
Intranet using a number of connections to the public Internet rather than direct
connections using leased lines. There are obvious security concerns wihch must
be solved to keep folks on the Internet from having access to corporate servers
or data as it crosses the Internet. But two short high speed connections to the
Internet can cost far less than one long connection between two corporate
routers.
There are three basic concepts which allow a VPN to use the public Internet
to implement a VPN:
- Encapsulation
- Tunneling
- Encryption
In a traditional Intranet, locations are connected by a long-distance leased
line connected to routers at each location. When data needs to be transmitted
from one location to another, the data is simply copied from one local area
network, sent across the leased line, and then copied onto the local area
network at the destination. Because the leased line is dedicated, typically no
encryption is necessary.
In a VPN environment the process to move data from one location to another is
quite different. The routers are replaced by VPN-capable routers. When a packet
needs to be moved to the remote location, it is copied off the local area
network and encrypted. Then the data is placed in TCP/IP packets (encapsulation)
and sent across the Internet to the destination VPN router. At the destination,
the data is reassembled as necessary, then decrypted and copied onto the local
area network at the destination. This concept of encapsulating data in another
protocol and sending it across the net is called tunneling. In a way the
data is sent from the source to the destination through a "tunnel".
The net result is the same whether a VPN or Leased line is used to move the
data. There may be cost and performance differences between the two approaches.
Usually the VPN is less expensive, but sometimes, VPN gives better performance
than a leased line solution.
Using a VPN From A Single Computer
While this technology allows two geogprahically distributed local area networks
to appear to be connected, the more common scenario that you will use in daily
life as a business traveller or as a telecommuter is connecting a single
computer to the VPN so that you can access your corporate network in a secure
and convienent manner. This is usually done by running VPN software in your
computer. While there are a number of different technologies used to implement
VPN's, Microsoft included a basic VPN client in all of its operating systems
since Windows-95. Many VPN routers will support the Microsoft variant of VPN
because client software is readily available under Windows operating systems.
Once the VPN adapter is installed on your computer, al of the VPN processing is
done in software on your computer. The data is encrypted, encapsulated, and
broken into packets in software in your computer. Then the packets are sent to
the corporate VPN system across the Internet where they are decrypted and
reassembled, and copied onto the local area network on the destination LAN. This
allows you to operate as if you were directly connected to the corporate LAN,
reading E-Mail, acessing files, and other operations.
Security is paramount to all VPN operation. There is the obvious password and
account which gives you access to the VPN. Many companies add some type of
external randomly generated security keys from a vendor such as SecureID (www.securid.com).
These external security keys generate continuously changing random numbers. Each
user has their own SecureID which is generating the same number sequence as the
SecurID system is generating on the corporate LAN. You will only be granted
access if you can enter the number displayed on your SecurID and it matches the
number generated at the corporate LAN.
You can make use of your VPN, you must install and condifure the PN software for
your computer. If you are using the Microsoft VPN adapter, it is available as an
adapter in the network control panel. It makes sense that the VPN
software appears to be a "virtual" network card. The VPN adapter is
acting as a network card, accepting data packets and sending them to the VPN
gateway.
In addition to installing the software, you will also have to configurae a
few options for your particular VPN. Because VPN technology is evolving rapidly
and there are many different protocols, software suites, and configuration
options for each VPN, the best bet is to get help (or at least detailed
instructions) from your corporate IT department.
Once configured properly, VPN is very easy to use, securre, and cost
effective. While it is out of the scope of this book, you can set up your own
VPN using a combination of the VPN software in Windows-98 and the VPN server
software included in NT 4.0 and NT 2000. Building the remote end of a VPN using
Windows 2000 is actually quite straightforward.
Conclusion
In addition to Internet connection sharing, printer sharing and file sharing are
an important benefit of a home network. Using workgroup style networking under
Microsoft windows operating systems is realatively easy to configure and very
convenient to use.
------------------------------------------------------------------------------------------------------------------------------------------------------
Network Security for Your Home
One of the most commonly asked questions once your home network is connected to
the Internet is the level of security risk. Many people have sensitive
information such as their banking, stock portfolio, and other information stored
on their computer and are concerned about being "hacked" by someone
connecting in through the Internet.
Before we look into the issues and techniques to improve security in your
home network we should first take a short look at "why" we should
worry about security. There are three basic types of security threats to worry
about:
- There is some person or organization who is trying to break in and steal
something in particular from you. They may want your Swiss bank
account numbers or your business records or someone might have hired a
private investigator to get your E-Mail records. On the average, this is not
a typical situation and your problems are out of the scope of this chapter.
- There is some individual or group who breaks security as a hobby. In their
spare time, they look for unprotected systems, and (mostly for fun) they
break into those systems. Typically these people are not interested in the
typical home computer system unless you have a web or file server connected
via a high speed link. If you have a large, unprotected server, these folks
will quickly find your system and use your system to exchange vast amounts
of (typically illegally obtained) material through your system.
- There is an organized group who is breaking into systems as part of some
planned preparation for an attack. These individuals might even be related
to a government effort.
While this list seems very frightening at first, in reality, there is a very
small chance that anyone really cares about attacking you. If you are
Microsoft, the US Whitehouse, or some other high profile site, then you need
professional security staff who understand these issues in great detail. But if
you are the average Internet user then this chapter will cover most of the
security issues pertinent to you.
For the hundreds of millions of normal people, we must be vigilant, but in
general, we do not have to worry about protracted focused attacks on our
networks. In a sense, if you take normal precautions, the random hacker will
simply move on to the next home network. In home security, the first step is
simply to make sure that your doors and windows are locked when you are not
home. A lazy burglar will simply move on looking for a house which has doors
which are not locked.
The techniques that we will describe in this chapter include:
- Virus and worm protection
- Personal firewalls
- Network firewalls
Your security plan can be some combination of these techniques. We also will
look at the nature of security problems in an Internet environment.
Viruses and Worms
A "virus" is any type of malicious software which attempts to
replicate itself onto as many systems as possible. A simple virus is propagated
by user actions such as saving files or copying information to a floppy. A
"worm" is a type of virus that both infects a computer, and then tries
to actively propagate itself by using the network.
It is possible to get infected with a virus even if your computer is not
connected to the Internet. Your computer can be infected by inserting an
infected floppy disk or CD-ROM, or by installing some infected software. Once a
computer is infected, the virus may be passed on through files, floppy disks or
CD-ROM's that are written by that computer.
With the advent of the Internet and E-Mail attachment, the number of viruses
has blossomed with well over 50,000 different viruses with many variants of each
virus.
Just as an example, we can look at one particular worm-type virus called the QAZ.worm.
This virus affects the notepad application on Microsoft Windows systems.
It renames notepad.exe to note.exe and replaces notepad.exe
with the virus. The virus is automatically started when the system boots up and
it continuously scans your local area network for writable drives so that it can
place the virus on those systems as well. Also, while it is running, it sends a
packet to the IP address 202.106.185.107 every few minutes. While no one knows
the exact purpose of the packet, it is believed that the virus may allow the
creators of the virus to use it as a "back-door" to extract other
information from your system or make alterations to your system. Given the
nature of this virus, it is good that it does not propogate very quickly.
Fortunately, there are excellent tools for virus protection from an number of
software vendors. The safest approach is to install a virus protection package
on each of your computers. While some firewall packages offer virus protection
for incoming data, they do not protect from viruses which may be carried on
disks or other media. It is also very important to update your virus definitions
from time to time as new viruses come out.
There are a number of basic steps that you can take to reduce you chances of
getting a virus or worm:
- Run virus checking software and update the virus tables every 30-60 days.
- Simply delete E-Mail from folks that you do not know. Never open an
attachment that you were not expecting, regardless of how interesting the
subject line may be. E-Mail attachment viruses change so often that even
virus checking software has a hard time keeping up to date.
- Only download and install software from known and trusted sources.
Software should be downloaded from the vendor site or one of the larger
repository sites such as www.downloads.com.
While viruses and worms are an annoying aspect of exchanging information,
because so many computers have virus checking software, most viruses are quickly
eliminated and do not spread too far. And if people could resist clicking on
E-Mail attachments with silly titles there would be even fewer viruses to worry
about.
The leading providers of virus detection software such as www.mcafee.com
often have excellent on-line sites with extensive virus and worm information.
Firewalls
In a home networking situation, there are two types of "firewall"
technologies which are available for use. The basic purpose of a firewall to
look at all network traffic and make a decision as to whether or not the traffic
should be accepted or ignored. A normal gateway (or router) simply forwards data
based on the address of the data without looking at the contents of the data.
Firewalls were first deployed in business situations where attaching the
corporate network directly to the Internet would be a profound security risk.
The purpose of the firewall was to block all traffic except that traffic which
the business felt was appropriate. For example, many corporate firewalls block
all incoming traffic (from the Internet) except E-Mail traffic to one computer
on the corporate LAN.
Firewalls can also be used to block outgoing data as well. Many companies did
not want their employees having wide open access to the web from their desk. The
company would configure it so that only a certain group of employees were
allowed to browse Internet sites beyond the corporate intranet. As we begin to
connect homes to the Internet, we increasingly find that we need to adopt these
security techniques used in the business sector.
Personal Firewalls
For home use, a new technology has recently appeared called a personal
firewall. Instead of running on a gateway system, the personal firewall runs
on each computer that is connected to the network. A personal firewall can also
be used if there is only one computer connected via dial-up modem.
A personal firewall operates somewhat differently than a typical corporate
firewall. Because there are very few services running which need to respond to
incoming connections, a personal firewall usually shuts off all incoming access
except for file and printer sharing. Because it is running on your workstation,
it looks very closely at outgoing connections as each application is executed.
The personal firewall will prompt to make sure that you are willing to allow
this particular application to connect to the Internet. Once you approve each
application, the personal firewall will remember to allow that application to
make connections without your approval from that point forward.
This way, you can detect when applications are making network connections for
the first time. This will allow you to catch Trojan horse viruses which make
outgoing connections from your computer. You will also be notified when a
software package is registering you via the network or if your screensaver is
making network connections. This ability to be notified and approve outgoing
network connections is a unique aspect of a personal firewall.
Personal firewalls will also notice when another computer is sending you data
using an unexpected protocol. Again, because this is a workstation and not a
server, nearly all unsolicited network traffic can safely be ignored.
When you first install a personal firewall, you will find that it is very
talkative, as it learns the applications which use the network. But very
quickly, the personal firewall has seen everything once and you are alerted to
any new activity and given the chance to approve it. After the first few weeks,
do not be so quick to approve new activity unless you are using some new
application such as a media player, online game, or chat program.
The examples in this section used a very popular personal firewall called ZoneAlarm
which is available at no charge for personal use available from www.zonelabs.com.
There are a number of other popular personal firewall packages that you may want
to choose from.
Network Terminology - What is a Port?
Before you move into the detailed configuration of your home network with
respect to security, there are a few more network terms which we need to cover
so you can understand all of the configuration issues.
Earlier in the book, we learned that each computer has an IP address such as
192.168.1.10. For each address, we can have any number of connections. We
glossed over the concept of ports at the time, but now as we begin to
consider security, you will have to understand the notion of ports. By
controlling access to various ports, we can limit what intruders are capable of
doing.
The IP address, port, and connection values work together in a hierarchy as
follows:
- The IP address is used to identify all of the data destined for that
particular computer. IP addresses are 32-bit numbers and are generally shown
in "dotted" form such as 192.168.1.10.
- Within the IP address, each packet of data is destined for a particular
port. The port is used to select which application the data is destined for.
A computer can be used for file transfer, web surfing, E-Mail, file sharing,
media playing, and many other purposes. Each of these uses is done on a
separate port. Port numbers are small integer numbers. For example, E-Mail (smtp)
is sent across port 25, while web traffic (http) is sent across port 80.
Many number of the ports below 512 are reserved for existing well known
applications.
- Within each port, there is a connection for the particular
"instance" of an application. If you both a Netscape and Internet
Explorer browser open, they will both be using the http (Hypertext Transport
Protocol) port but each browser will be using a different connection within
the port.
The Mail Application Protocol
In addition to a port number, each application also has a "protocol"
which operates on the ports. Examples of protocols include Simple Mail
Transfer Protocol (SMTP) which operates on port 25 and the Hypertext
Transport Protocol (HTTP) which operates on port 80. The protocol determines
the "rules of the road" when communicating across a particular port.
You can find documents which describe many of the different application
protocols at the web site for the Internet Engineering Task Force (www.ietf.org).
You are looking for documents called Requests for Comments (RFCs). For
example the mail transfer protocol is described in RFC-2821 (originally
published as RFC-821).
Here is an excerpt from RFC-821 to give you a sense of how this type of
document reads:
The first step in the procedure is the MAIL command. The
<reverse-path> contains the source mailbox.
MAIL <SP> FROM:<reverse-path> <CRLF>
This command tells the SMTP-receiver that a new mail
transaction is starting and to reset all its state tables and
buffers, including any recipients or mail data. It gives the
reverse-path which can be used to report errors. If accepted,
the receiver-SMTP returns a 250 OK reply.
These protocols are intended to allow applications to communicate with one
another so that data can be exchanged. Having a standard for an application
level protocol allows electronic mail software from thousands of different
vendors to interoperate. In network terms, the program which is initiating the
connection is called the client and the program which is receiving the
connection is called the server.
We "Hack" a Mail Server
It is possible to replace the mail sending program (client) with a client
program intent on causing damage or some other form of annoyance. In this
example, we can actually use the commonly available Windows telnet
program to connect to port 25 and interact using the SMTP protocol. When you
open a connection to port 25 instead of the normal telnet application port, the
interaction is quite different and completely governed by the SMTP protocol.
When the connection is first made, instead of seeing the standard login page
which is typical of telnet, we are greeted by a "welcome to sendmail"
message with some version information. Having read the standard for mail
interaction (RFC-821), we realize the first step in sending a message is to send
the MAIL FROM line. We type in the message as described in the
specification, and get the specified response (a 250 OK message) indicating that
our command was in the proper format. We could easily continue and enter all of
the commands required by RFC-821 and cause an E-Mail to be sent.
Now at this point, you should be thinking that this is a good way to forge
E-Mail. Obviously, there is no check to see if the E-Mail address is truly
valid. We could have forged "president@whitehouse.gov" or
"bill@microsoft.com" without any problem. The bad news is that you
would be exactly right in terms of how easily you can forge E-Mail. But the good
news is that this is the "oldest trick in the book" - so while this
mail system was "trusting" the from address, it records a great deal
of other information about the session to allow you to be tracked down quite
easily if you use this approach to forge mail.
But given how easily addresses can be forged, you should never completely
trust the from address in an E-Mail message. You should never send an
E-Mail reply to any message from "the system administrator" or
"your bank" with any personal or sensitive information such as your
password or account numbers. That is another one of the oldest tricks in the
book.
Errors in Application Protocols
Not all security problems are misuses of the standard features in an application
protocol. Sometimes there are flaws in the implementation of the
"receiver" program (also called the server). A client program with
malicious intent can take advantages of the flaws in the server programs to
break security. These flaws fall into two categories:
- Actual bugs in the programs. A programmer writing the server program
forgot to check something in their code and some very specific sequence of
interactions causes the program to grant some type of inappropriate access.
- The programmer left a back-door into the program. A back-door is an
undocumented feature which allows the original programmer or perhaps
technical support staff to do some special action on the server. Most
typically, the original purpose of a back-door is testing rather than
malicious intent. However, there are many examples where back-door features
were left in software even after it was distributed for production.
Both bugs and back-door problems are generally fixed with new releases or
patches from the original vendor of the software. These security holes depend on
the version of the software and the operating system. This is a good reason to
keep your operating system and software up-to-date.
The classic example of this type of security problem is the Internet Worm.
While the term "worm" is a generic term in security, there is one
particular worm that is so significant that we call it "The Internet
Worm".
The Internet Worm was developed by a graduate student in Computer Science at
Cornell named Robert Morris Jr. in November of 1988. While there are many
conflicting accounts of how and why the worm was released, it ultimately
infected many of the computers on the Internet and made them crash or run very
slowly for about 3 days. Even though what Robert Morris Jr. did was wrong, it
made it very clear that security and vigilance was a necessary part of having a
large shared network of computers.
The worm itself was very simple because it took advantage of several very
well known flaws in the implementations of mail servers and several other
applications. The flaws had been known for many years, but back in 1988 those
who were aware of the problems felt a sense of responsibility not to exploit
those problems. The Internet Worm simply demonstrated that we had to write safe
and secure software and when there was a known problem, we had to fix it quickly
and effectively.
There is an organization called the Computer Emergency Response Team
(CERT) which was founded in 1988 which is charged by the government to monitor
network and software security issues and insure that the integrity of the
network is maintained. Generally, CERT is viewed as the highest authority in
security matters which affect the Internet . You can visit the CERT web site at www.cert.org.
Network Configuration
There are a number of steps which can be taken to improve your network security
which do not require the purchase of additional software. The configurations
which you can do depend on the operating system which you are using.
The most common way to share files and printers between computers running
Microsoft operating systems is NetBEUI (Netbios Extended User Interface). this
protocol is designed to work well in networks will a relatively small number of
computers. It is possible to send NetBEUI packets natively on your local area
network as well as to send those packets encapsulated in the TCP/IP protocol.
NetBEUI packets cannot pass across the Internet but TCP/IP packets can cross the
Internet. On your local area network you can use either protocol.
One simple way to protect people on the Internet from trying to access your
shared files and printers is to disable the connection between TCP/IP and
NetBEUI. This is done in Windows-98 under Start | Settings | Control Panel |
Network. Then make sure to remove any bindings between NetBEUI and your
dialup adapter.
Then you will alter the settings on both of your TCP/IP components as well. For
both the dial-up and LAN TCP/IP, find the tab labeled Bindings and
uncheck all of the file and printer sharing bindings. You may get a pop-up box
complaining about the lack of bindings but it can be ignored. You must remove
these bindings for all of the other computers on your local area network as
well. Once all of the computers have been rebooted, you can share files and
printers across the LAN, but they will not be accessible from the Internet. If
you have problems browsing the network, you should recheck these values on all
of the computers on the network. As new cards are installed or there are major
changes to the network components, these values may have been automatically
reset.
Because Windows NT 4.0 Server is designed to operate directly connected as an
Internet server, it has basic firewall capabilities built right into the
operating system as a way to protect the system from intruders. To access the
configuration screen, from the NT 4.0 network control panel, you access TCP/IP
Properties | Advanced | Enable Security | Configure. From this screen, you
can selectively permit or deny the various ports for the various protocols. The
configuration shown is a very "trusting" configuration for a server
connected to a local area network. For a web server, you might want to shut down
all access except via port 80 TCP to allow the http (web server) protocol to be
accepted.
Gateway Firewalls
If you are running Network Address Translation (NAT) for you home network,
then you already have a modicum of firewall protection. Because NAT maintains a
table of network connections created as each outbound connection is made,
incoming data is generally not forwarded. Some NAT gateways have the capability
of routing a single incoming port to one computer. This is typically used to
route port 80 (http) to your home web server. While this is not a true firewall,
it provides a significant level of security. If your NAT gateway is a hardware
system, then it will probably not need any additional protection.
If you are running a software NAT gateway you may want to take some additional
steps to secure that system. One thing that you will learn is that sometimes the
best security requires additional hardware. One of the most important things to
do to secure a software NAT gateway is to run it on a separate box. Given that
the network translation is not a significant performance load, you can typically
use an older computer with no performance problems. One key is to make sure that
the gateway system is not running any file sharing software. The configuration
shown above has a stand alone NAT gateway which only has the minimal software
installed on it, which allows port 80 (http) to be passed through to the home
web server. It would be nice to also run the web server on a separate system
using a server-class operating system configured to ignore all IP traffic except
for port 80. It is also possible to run a personal firewall on the web server.
Because the web server is behind the gateway, you can use file and printer
sharing between the web server and the other PC's in your home.
TODO: Linksys Hardware Configuration Example
You can also purchase a dedicated firewall router unit which has firewall
capabilities in addition to network address translation. As the gateway
technology is improved (both hardware and software), one should expect to see
vendors adding more firewall technology to their gateways, to the point where it
will be hard to find a distinction between an gateway, firewall, and even virus
protection.
Conclusion
You can run your home network for many years without any real security incidents
without taking any special precautions. Users who want an increased level of
security can install virus scanning software and a personal firewall at a very
low cost. Both of these tools are very simple to install and use and provide
nearly all of the security necessary for most installations.
When you install a dedicated server with a permanent IP address, your
security concerns are increased. A dedicated server with free disk space and a
high speed connection is a valuable asset to the "less principled"
elements on the Internet. By breaking into your server, they gain access to
resources and can use your server to attack other computer systems while
protecting their identity.
If you have a dedicated server, the simplest approach is to install a
hardware gateway/firewall which can suppress all the network ports except for
the approved ports. You should run an operating system such as Windows NT
Server, Windows 2000, Mac OS X, LinUX, or other flavor of UNIX on the dedicated
server. These operating systems have much better capabilities for protecting
themselves while performing their functions.
------------------------------------------------------------------------------------------------------------------------------------------------------
Content Filtering
The web has a wide range of material ranging from educational and informative to
vulgar and disgusting. People have a number of different motivations as to why
they might desire to limit the ability of the users of their network to view
particular content.
- The connection is in a public place.
- A computer is being used by children.
It is important to note that the idea of filtering Internet content is the
subject of heated debate both within and outside the legal system. This section
will completely ignore these legal issues and focus on the technology used to do
the filtering and how it might be deployed in a home network.
It is also very important to note that like Internet security, there is
really no Internet filtering approach which cannot be ultimately defeated. There
is the well-worn joke about the parent who purchases filtering software and
hands it to their 13-year-old child and tells them to install and configure the
software.
A large corporation can have strong content filtering, but it requires very
powerful and complex software as well as a team of highly trained individuals
who essentially act as investigators in regards to possible violations. It is
not likely that you will have the time or talent in a home network situation to
accomplish that level of control.
So as we look for solutions for the home network, we look for solutions which
give the best "bang for the buck". The good news is that content
filtering can help, especially for children who have not yet become technically
savvy in terms of reconfiguring computer environments or have decided to make it
their hobby to defeat the content filtering. During our testing, it was
surprisingly simple to defeat some of the content filtering software which we
tested. You should do some research and read some reviews before picking any
content filtering solution. A good source for reviews of hardware and software
is www.zdnet.com.
Interacting with your children
So, all in all, while content filtering can be a good part of your home network,
do not depend on it completely. Maintaining an open dialog with children,
setting guidelines, and in a sense treating their network access as though there
was no content filtering is a good approach.
Here are a few guidelines that you probably should agree to:
- You should discuss what your children are doing with the Internet - tell
them to show you what they are doing.
- Children cannot use the Internet in a locked room - you have the right to
walk in and peer over their shoulder once in a while. If you walk in and the
child is busily shutting down windows, then you should know why.
- Interactive activities such as E-Mail and chat should be carefully
monitored. The safest sapproach is to simply block them altogether until you
feel the child has adequate maturity or go with a filtered Internet Service
Provider such as America OnLine.
- Children should never reveal their identity in any way. They should not
even reveal any aspects of their identity. They might think that telling
someone the state that they live in or their age is harmless, but someone
intent on discovering infomation on a fellow chat-room participant can make
good use of any shred of truthful infomation.
- Explain to the children why there are rules and what you are concerned at
a level that they will understand.
Hopefully as you set rules for Internet access and then maintain an active
dialog with your children about the Internet, it will fit in with the overall
pattern of interacting with your children. As the child matures and has better
judgement, the rules should be changed to reflect the increased maturity.
Techniques for filtering Internet content
For home use there are four basic approaches which are used. We will discuss
each of these in turn.
- Purchase your Internet Service from a provider who provides filtered
content.
- Connect the home network to the Internet through a Proxy gateway and run
filtering software on the proxy system.
- Use the Microsoft built-in capabilities for filtering.
- Install standalone filter software on each of the computers for which
filtering is desired. This allows you to separately configure different
computers with different access levels.
Filtered Internet Service Providers
By purchasing service from a filtered Internet Service Provider, the
configuration is not stored on our computers and as such is harder to defeat. In
a way, your connection is not to the "real" Internet, but to an
Intranet which ultimately terminates at the Internet Service provider. The
Internet Service Provider operates some number of firewall systems which allow
you to view Internet content based on the configuration of each firewall. The
ISP has trained staff who monitor and configure the firewalls in terms of
possible new content.
This approach operates much like a corporate Intranet and is very difficult
to defeat. The ISP can monitor and control every E-Mail, every word in a chat
room, every search in a search engine, and every web page which is accessed.
The shortcoming to this approach is that for it to be undefeatable it must
use a dial-up connection. In a cable modem or DSL connection, it is still
possible to do filtering, but it is much more like the stand-alone approach
described below.
There is quite a range of filtered ISP's but most have a very small market
share. Some configure their filters based on broad catgories and others filter
based on the values of some group. You should look closely at any possible
filtered ISP to understand the way that they are making their choices. One site
which has a good list of family-friendly resources including filtered ISPs is
www.smartparent.com.
America Online is both the most popular ISP and provides excellent filtering
services as well. America Online allows each account to have several screen
names. Each screen name can be granted a different level of access ranging from
Kids Only (12 and under), Young Teen (13-15), and Mature Teen(16-17). A parent
can set their child's screen name appropriately, and only give the child the
password to their screen name. One advantage of AOL is that E-Mail and Chat
rooms are carefully configured and monitored in addition to the basic web
content.
The major shortcoming in this appraoch is that it works best over a dial-up
connection. A further weakness in this approach is the fact that a technically
savvy user can simply disconnect from the filtered ISP and reconnect using a
free or low cost ISP other than the filtered ISP.
Access through a Proxy
You can perform your own filtering by using a software proxy solution which
filters all access to the Internet from your own home. A good product in this
area is WinProxy (www.winproxy.com). WinProxy is a bit challenging to set up,
but properly configured solves many of the problems of home networking including
content filtering.
When you use a proxy solution, you can use a dedicated computer or one of the
other computers in the home. It is important to remember that when someone has
physical access to the Proxy system they can defeat any security or filtering
policies enforced by the proxy system. While you can take steps to enhance
security by using a server quaility operating system such as NT Server, you
should never assume that any measure is unbreakable.
Built-In Filtering Capabilities
From Windows-98 and later, Microsoft has significant filtering capabilities
built into the operating system and the browser. There is a Content tab
under Internet Options. Some of the stand-alone filtering capabilities
described below actually provide user-friendly interfaces to these configuration
features.
If you enable the content advisor, the default ratings will be very
conservative. You will have to place a password on the content advisor so that
only you will be able to alter the settings. The default ratings for content are
controlled by a third party non-profit company called the Internet Content
Rating Association (www.rsac.org). This company provides ways for sites to
become rated.
The problem with the content advisor is that it operates based on actively
rating sites. In the default configuration it will not allow you to view sites
that have not been rated. It turns out that very few sites have actually been
rated. There is an option under the General tab which allows users to
view "unrated sites" but that opens up browsing to millions of sites
which are not rated but "unsavory".
Another built-in feature is the support of PICS (Platform Independent Content
Specification). PICS is a standard which has been proposed as a way of labelling
content. You can read more about PICS at http://www.w3.org/PICS/. The
unfortunate shortcoming of the PICS approach is that it also requires active
rating of content.
Both the Internet Content Advisor and its PICS capability allow for new files
of rating information to be downloaded to update the configuration.
But both of these approaches unfortunately depend on the voluntary rating of
sites which causes a "chicken-and-egg" problem. Because neither
provides an adequate solution, no users ever turn the feature on and leave it
on. Since no users use the features, the web site providers can safely ignore
any ratings for their site. Because the sites will not rate themselves, we need
third-party rating services who typically charge for their rating services.
Stand-alone filter software
Other than using AOL as your ISP, stand-alone content filters provided by third
party providers are the most common content filtering solution. Popular examples
of this software are NetNanny (www.netnanny.com), CyberSitter (www.solidoak.com),
and Internet Guard Dog (www.mcafee.com). Not all local filtering software has
the same level of quality and security. You should do a small amount of research
by reading some magazine reviews before selecting your particular product. You
should not expect to find good freeware for this particular problem. Part of the
problem is that the service which updates the access list is more important than
the software itself. Some of the products even have annual fees to maintain your
access to the rating service.
The content filtering software is installed on each local workstation and
configured separately. The parent configures the content categories which are
viewable at that particular workstation and sets a password on the software to
lock the configuration.
Once configured, the software watches all accesses to the Internet both
through browsers and other means. Consulting its local configuration file, it
approves or disproves each site and acts accordingly. Some software informs the
user that the site is prohibited and other software quietly redirects the user
to a "safe" site.
The implementation of the software can be as simple as a local web proxy
server or as complex as to monitor the contents of non-web connections.
Conclusion
There are many solutions to providing some form of filtered content for your
family. America Online is an excellent solution in a pure dial-up environment
with its Parental Controls. For a parent who is not very technically savvy
(footnote: of course if you have read this far in the book you have become
technically savvy so this does not apply to you) using America Online is a good
approach if you are concerned with content filtering.
Local filtering solutions such as CyberSitter are probably the best solution
for a multi-computer home network because they work regardless of your ISP.
Local filtering can be used over dialup, DSL, and cable modem and will not
impact the overall performance of your connection. Make sure to read reviews of
this type of software because of it is poorly implemented and can easily be
defeated.
But the overall point which is most important is that no matter how hard you
try, a willfull 13 year-old child who is computer savvy will break through any
filtering that you can install. You cannot use content filtering to
"solve" a problem with a child who is out of hand. At the point where
the child has decided to wage a war on their content filtering software, it will
be over surprisingly quickly. At that point the only choice is to remove
physical access to the computer.
But the good news is that you can install filtering software on a computer
for pre-teens and expect that they won't stumble on unsavory sites in their
random surfing of the Internet. But even with filtering software, you still need
to make sure to educate your children on the proper use of the Internet and then
maintain communication with them as they use the Internet.
------------------------------------------------------------------------------------------------------------------------------------------------------
Home Internet Choices
Sharing an Internet connection is one of the main motivations of building a
home network. Typically when a single computer is connected to the Internet,
there are long periods while the connection is idle. This pattern of heavy use
and idle periods means that four or five computers can use a single Internet
connection and all five computers seem to have sole use of the connection. But
before we show how to share an internet connection we first will review the
myriad of connection options available for your home Internet connection.
Generally, which choice you have will depend on where you live. The list of
available options includes:
- Analog Telephone Modem
- ISDN Networking
- Cable Modem
- DSL - Digital Subscriber Loop
- Fixed Wireless
- Satellite
- Cellular phone based services
Each of these choices gives you a different price and performance value. If you
are lucky and have a choice of different technologies, this chapter will help
you gain some understanding of these technologies so that you can make the best
choice.
If you are in a hurry, and just want to know which service to choose, feel free
to skip to the conclusion of this chapter, we won't be offended. But if there is
a little telecommunications engineer inside of you waiting to get out, read on.
Analog Modem
In the beginnings of home networking in the 1970's there were no data
connections into the home. So the solution was to find a way that telephones
could be used to transfer data. The solution to this problem is a Modem (short
for modulator-demodulator). The idea was to turn data (0's and 1's) into sound,
send the sound through a telephone connection and convert the sound back to data
at the far end.
To better understand how the analog modems work, we can examine an early
modem.
Picture of an Early Modem (010)
When a modem initial connects and the speaker is turned on, you hear a series
of tones. These tones are used so that the calling modems can determine the type
of of the receiving modem. Each tone is sent for a few seconds and the receiving
modem responds to its particular tone and a connection is established. Most
modern modems can communicate with a wide range of older modems. It can take
nearly a minute until the sending modem "guesses" the right tone of an
older receiving modem.
This works well, but telephones have limited fidelity when it comes to the
quality of sound which is transmitted from one phone to the other. Because
phones are intended to portray human voice, they are limited to a frequency
range of 3000 Hz. This is why modems are limited to 2400 baud. Using
sophisticated digital signal processing, we can send up to 56000 bits per second
through this audio channel. Unfortunately, achieving this maximum rate depends
on a very clean telephone line and good connection.
Figure of POTS (020)
Even with these limitations, standard telephone modems are by far the most
common Internet connection from homes. The nominal cost for a phone line is
$16.00 and the cost of Internet service is about $20.00 for a total cost of
$36.00 per month.
ISDN
Plain old telephone service (POTS) dates back to the origins of the telephone
at the beginning of the twentieth century. In the 1970's (Rich check this one),
the telephone companies began to design the new "telephone service" to
replace plain old telephone service. This new service was called
"Integrated Services Digital Network" or ISDN. Instead of sending
sound, ISDN deals with data. The basic ISDN service provided two 64kbit data
channels and one 16kbit signaling channel. Each of the data channels could carry
a digitized phone conversation.
The ISDN connection essentially extended the functionality of the telephone
company switching equipment into the home. Each of the data channels can either
carry a phone conversation or a data connection. To carry a phone conversation,
the sound was digitized by special "packet telephones" which were to
be installed in the customer's homes. The architecture of ISDN envisioned a
wider range of digital telephony "gadgets" - but unfortunately, that
never really came to pass. Some people would claim that ISDN was priced too high
while others might feel that in 1980, we did not yet possess enough technology
to develop and manufacture packet telephones at a reasonable price. Regardless
of the reasons, ISDN was not readily available until the mid-1990's and by then,
the Internet revolution had occurred when data connections were "packet
oriented" rather than "connection oriented".
In many locations, because of limitations of ADSL or Cable Modems, ISDN is
the only option to go faster than a telephone modem without resorting to
wireless. Even thought ISDN is somewhat past the peak of its technology curve,
there are two basic solutions to use ISDN in a home network.
- An ISDN modem communicates with the computer throught a serial port
or as a built-in card - in this case, the ISDN modem operates much the same
as a normal modem. Windows-98 has built-in support for ISDN modems.
- The ISDN line can also be connected to an ISDN router which is
stand-alone unit. A typical ISDN router will have a connection for the ISDN
phone line, two POTS connections, and several Ethernet ports.
Most ISDN modems and ISDN routers have connections to support standard telephone
equipment. Each if the 64Kb connections is assigned a telephone number - by
plugging in a standard telephone equipment.
When you pick up an analog phone and dial another phone, the ISDN modem or
router actually is generating the dial-tone that you hear in the handset. As you
press keys, the router interprets the tones and once you have dialed the phone
number it requests a connection over the 16Kb control channel. When the
connection is established, the router is notified on the control channel and
digitized sound begins to flow over one of the 64Kb channels. The ISDN router
converts the sounds to and from digital form and acts as a bridge between the
analog handset and the digital connection to the telephone company. When calling
from an ISDN connected phone, you can dial any other phone. If the
destination phone is connected via a POTS connection, the phone company makes
the necessary conversions between analog and digital.
Picture of the ISDN router and analog phone
When you have an ISDN modem or router in your home, many of the functions
that were formerly done in the telephone company central office are actually
done in your ISDN equipment. This allows significant flexibility in several
ways.
When the ISDN router or ISDN modem is used for data, at least one of the 64Kb
connections is dialed to your Internet Service Provider (who also has an ISDN
connection). This connection is a direct digital connection which yeilds an
error-free 64Kbs. Generally, the PPP (Point-to-Point) protocols operates over
this connection. PPP handes both the initial authentication and the data
transfer over the link.
There are two ways to get up to 128Kb/sec on your Internet connection.
- Using Bonding, when the connection is made, both lines are dialed
at the same time and "bonded" to form a 128Kb/sec connection. A
simple way to thing of this is to imaging that every other bit is sent down
the other conection and then the bits are re-interleaved at the other end.
The resulting stream is 128Kb/sec through the modem
- With Multi-Link PPP, both connections are dialed separately (they
can even dial different ISPs) and as data packets arrive, one is sent down
one channel and the next is sent down the other channel. During busy use,
like during a file transfer this also will yield 128Kb/sec.
While bonding might seem like the ideal aproach, it is used less often than
multi-link PPP for the following reasons:
- Internet service providers prefer that you only make the second connection
when your traffic exceds a predetermined threshold and then drop the second
connection when your traffic drops. This way they do not have to have two
lines for every single customer. So some ISPs simply do not allow bonding.
- With Multi-Link PPP, the second connection can be dropped if needed. This
happens when you pick up an analog phone connected to the router and make a
call or when there is an incoming call. This works quite nicely because the
ISDN equipment can communicate with the phone company using the 16Kb channel
without disturbing the data being transferred over the two 64Kb connections.
As a matter of fact, you could dial a call and get a busy signal, and hang
up the phone without ever affecting the data flowing on a 64Kb channel.
Bonding is typically used when ISDN is used for a full-time connection, rather
than an on-demand dial-up situation.
With one ISDN connection into your home, you get the following:
- Two phone numbers which can be used with standard analog telephone
equipment
- A data connection which operates at either 64Kb or 128KB/sec (typically
based on traffic usage)
- An internet connection which connects in about 3 seconds (depending on
your ISP) so it feels like it is always on
- Multilink capabilities so that when you want to use the phone, your data
connection just slows down a little bit
Some people order ISDN and use it as their only phone connection. The only
limitation to this approach is that when the ISDN router loses power, you cannot
make analog telephone calls. So if you are considering an ISDN as your sole
connection to the phone company make sure to keep it on an uninterruptable power
supply which can operate the unit for several days. Another approach is to have
one standard phone line and a second ISDN line. While this is somewhat costly,
you end up with three phone numbers in your home and the POTS line is powered by
the phone company.
One of the primary downsides of using ISDN is the cost. An ISDN line may cost
about $50 per month (they are more expensive than POTS). In addition, your
Internet Service Provider may charge a premium to allow you to use ISDN - it is
typical to pay $30 or more to an ISP for unlimited ISDN service. This takes the
overall cost to use ISDN to nearly $80.00 per month.
TODO: SPIDS and Ordering and Synchronous (always transmistting zeros)
Cable Modem
In the mid 1990's, cable television companies began to experiment with and
deploy networking solutions based on the CATV connections into many urban and
suburban homes. Unlike POTS and ISDN, cable modems were developed from the
ground up to do packet-oriented data networking. The basic idea was to dedicate
one or more television channels to data networking.
A cable modem connection is permanently on - the service includes your
internet connection, so no fees are necessary for the ISP. Often you can
purchase a service which wil allow you to have a web or file server permanently
connected to the net in your home. It is the closest thing to having a
connection which functions like a local area network which is connected via a
high-speed link.
While this seems simple and clever, there are a number of challenges which
must be faced to use CATV for data networking. The first challenge is the fact
that cable television distribution had always been designed to be a broadcast
from an origination point (called the "head-end") to the subscribers.
In order to keep from running thosands of individual cable connections from each
house to the head-end, the cable system is designed as a multi-level tree.
Between the head-end and the subscriber, the signal is split several times. Each
time it is split, the signal is cleaned-up, adjusted and amplified. A cable
company needed to spend signiifcant effort making sure that their amplifiers
were properly adjusted to insure that each subscriber had a high-quality signal.
While this seems complex enough, using this structure to implement two-way
high-speed data communications is very challenging. The first task is to convert
the cable plant to be a two-way system. In a two-way system, the amplifiers must
take a subset of the channels coming back from the subscriber's homes and
pass that channel back up the tree. At a minimum, this requires the replacement
of all the amplifiers in the cable television system. Furthermore, it is
necessary to make sure that the cable system is very carefully adjusted and
monitored. A bad signal or badly tuned amplifier in a one-way system may affect
as few as ten homes. On the other hand, when there is a bad signal in the uplink
channel, it corrupts the channel as it is propogated up the cable system.
Once the cable plant has been upgraded to allow one or more television
channels to be two-way, there is still the detail as to how we move network data
across television channels. At its most basic, a cable modem is indeed a
"modem" - that is that the data is converted from digital to analog
(in this case video rather than audio) before being transmitted over an analog
medium. In a way, the cable modem in your home is a small "television
station". Once the basic conversion from digital to analog has handles, we
also must arbitrate between the different cable modems so that only one cable
modem transmits at any given moment. If two cable modems transmit at the same
time, their signals would collide and no data would be transmitted. The
collision might even produce noise on other channels on the cable - so two cable
modems transmitting at the same time could cause your neighbor to see a bad
signal while watching their soccer game.
This arbitration is resolved using a protocol called "token bus".
No station is allowed to transmit until it has been told that it has permission
- the permission is the "token" - if you have the token, you can
transmit, otherwise you must hold onto your data and remain silent. The network
insures that the token will be fairly passed around, so that even under heavy
load from several modems, each modem will have an opportunity to transmit many
times per second.
All this technical detail, is not meant to scare you from using cable modems
- a well-built and well-maintained two-way cable system provides extremely high
reliability. But the idea is to give you some idea as to the significant
engineering which goes making a cable modem work. And perhaps when the technical
support person from the cable company fixes your connection, you can tell them
an extra-special special "thank you".
You should feel fortunate if cable modems are in your area. They provide high
speed, always-on service for somewhere between $30 and $50. If you consider the
cost of an ISP and a second phone line, a cable modem provides a much better
experience at about the same cost.
ADSL - Asynchronous Digital Subscriber Loop
ADSL is a telephone company technology - it was designed much more recently than
ISDN and designed to operate in a world which assumes the Internet, demands high
speed, and assumes that the data connection is always on. Like cable modems,
ADSL was designed to operate on wiring which is already connected to your house.
In the case of ADSL, this wiring is the existing telephone connection. Unlike
the cable system, your telephone connection is a dedicated pair of copper wires
which run from your home back to the telephone company - these wires terminate
in a building called the "central office".
By running all of the wires all the way back to the central office, the
telephone company can deploy new services to your home simply by changing the
equipment which your wires are plugged into (and changing how much you are
billed each month). In the above example, homes A and B have POTS, while C has
ISD
If your network connection is via DSL or a Cable modem, you may have a very
simple option available to you. Some services will allow you to purchase
additional IP addresses to your home for a small increase in your overall
monthly fee (about $5.00 per address). They may be able to give you up to some
small number (say 4) total addresses for your home.
Given that we will only get one IP address from our Internet Service Provider,
we will have to assign IP addresses to the other computers in the network. We
will add special hardware and/or software to make these computers
"seem" to be directly connected, their addresses are not truly global
IP addresses.
To gain an understanding of how NAT works, we first must delve a little more
deeply into the TCP/IP protocol. While we think of connections as being between
two computers, each with an IP address, in actuality there can be many
connections between pairs of computers. Each connection is identified by the IP
Address, port number, and connection number. The port number
is a way that different applications communicate with the proper peer
application on a remote system. For example web traffic moves over port 80 while
E-mail is moved across port 25. For this NAT discussion, we will ignore the port
number and concentrate on the IP address and the connection number.
When NAT is used, we assign local addresses to our computers on our internal
LAN. Those computers don't actually "know" that they are not connected
to the Internet. The are configured with an IP address, subnet mask, and gateway
address that makes sense on the local area network. When they make a connection
to an address such as 184.21.99.17 that is not on their LAN, they simply forward
the packet to the gateway address. Normally, the gateway simply copies the
packet to the other connection and off it goes across the Internet. However when
NAT is used, the packets which come into the gateway are routed to the NAT
software.
Another way to access the Internet when you are using non-routed network
addresses is to use a World-Wide-Web proxy server. Using a proxy server only
allows access to the world-wide web across the gateway. The proxy protocol is
built-into most browsers as an option. There must be a computer with an Internet
connection which is running the web proxy server software. Each client on the
local network must be configured to use the proxy server and told which server
(on the local network) to use for which protocols.
Once a client is configured to use a proxy, instead of directly connecting to a
destination computer (www.ford.com), it sends a request to the "proxy"
server which includes the entire URL which is being requested (http://www.ford.com/cars).
When the proxy software sees this request, it makes the connection to
www.ford.com, and retrieves the document using the standard Hypertext Transport
Protocol (HTTP). When the data has been retrieved, the proxy system forwards a
copy of the data to the originating workstation. This pattern is done repeatedly
for every URL or file transfer performed by the browser.
If we click on the Advanced button, we can configure the DHCP server and
domain name server for the system. We can set the range of DHCP addresses which
we will provide to clients. By limiting this range somewhat, we can also have
static addresses on the LAN outside the range of 20-50. These static addresses
can still use the gateway to connect to the Internet. We can also specify a
Domain Name Server (always a numeric address). In the case of a dialup
connection, this will be generally set as part of the PPP initialization.
However if your Internet connection is a cable modem or other technology, you
may have to hand-enter an address for the DNS server.
The typical base station operates as a gateway between a wired Ethernet and the
wireless network. Because the IEEE 802.11 is based on Ethernet (also known as
IEEE 802.3), it is possible for the base station to transparently bridge packets
between the Ethernet and wireless portions of the network. Some base stations
are also capable of running a complete Network Address Translation (NAT)
engine providing and mapping dynamic addresses for the wireless workstations and
allowing the wireless network to share a single IP address on the wired network.
As with any NAT implpementation, most standard Internet applications (such as
web browsing) work fine while printer and file sharing can be problematic at
times.
In this screen, we are configuring how the gateway connects to the rest of the
network. Because this home already has a home Internet gateway (192.168.1.1)
which is running NAT and DHCP for the home, we simply point the Airport at that
gateway for Internet connectivity. These values are very important because they
are used as part of the values configured for the wireless workstations via DHCP.
The wireless workstations need to know the DNS, gateway, and network mask values
for the rest of the network.