Wireless networks based on the IEEE 802.11 stndard have several options for
security. Obviously, you do not want to put up a wireless network and have your
neighbor able to share your printers and network connections.
There are several mechanisms for security in these networks:
Each network is configured to have a unique identifier (Severance_Home in the
above example) so that it is possible for multiple access points and multiple
wireless networks to operate in the same area independently. Client computers
can disover and associate with the desired wireless network.
- Each network can have a password. However, the 802.11 standard did not
specify how passwords were to work, so each vendor developed their own
password mechanism. With the password capability enabled, you may find that
you have to stick with a single vendor's wireless networking equipment.
- The packets can also be encrypted so that it is not possible for an
evesdropper to "sniff" the network traffic and find the contents
of the packets. There are differing levels of encryption, with a 56-bit
encryption and a 128-bit encryption key. While the 128-bit keys are much
harder to crack than the 56-bit keys, for home use either should be
sufficient.
- Some base stations can be configured so that they will only talk to
certain wireless cards. Each wireless network card (like Ethernet) has a
unique 48-bit serial number installed by the manufacturer. As the owner of
the base station, you can simply enter the serial numbers of the wireless
NICs that you are willing to support. In some ways, this approach is better
than a password because it is vendor neutral. But not all base stations
support this facility.
In this configuration screen for the Apple Airport Base Station, the wireless
portion of the sample network is configured not to use the password and
encryption so as to maximize the interoperability with different vendor's
equipment.
Running an Ad Hoc Network
So far, we have covered the layout of a wireless network using an access point.
It is possible to have a network without an access point. This is called an Ad.
Hoc. network. In this type of network, the wireless cards work together to
essentially operate so the computers "appear" to be connected using an
Ethernet hub. Files and printers can be shared, but additional work must be done
if you want to share an Internet connection.
While the majority of the wireless network cards are built for portable
computers, it is also possible to use wireless networking to connect a desktop
computer to the network. In most cases using wireless with a desktop computer,
the you install a vendor-provided adapter which allows a PCMCIA adapter to be
installed into a desktop computer and then you use a standard PCMCIA wireless
card. A few vendors have a separate wireless network adapter for the desktop
computer, but it is the exception.
If you want to share an Internet connection in an ad hoc. wireless network, you
must perform the network gateway function in one of the computers which has both
a wireless connection and a connection to the Internet. This workstation must be
powered on and run Internet connection sharing software such as Sygate, WinRoute,
or others. While this configuration can work well, most people find it well
worth the cost of purchasing a low-cost hardware access-point instead of using a
workstation as a gateway.
Wireless Networking Technology - An Overivew
There are two basic sources of wireless networking technology available in the
market today. The earliest commercial wireless network technology grew out of
specialized commercial applications such as inventory control in a large
department store or warehouse. Employees would walk around with a wireless wand
with a bar code reader effortlessly uploading instantaneous inventory
information. These wireless technologies typically used unregulated frequency
ranges used by wireless telephones (900Mhz).
Because the data rates for the typical application did not need to be very
high, relatively simple protocols were developed and used. Most of the
engineering focus was on keeping the power requirements very low for small
battery-powered hand-held units.
The more recent source of wireless network technology came from military
research which was converted to civilian purposes. Wireless data connections in
military applications had several goals: (1) relatively high data rates, (2)
reliability in the face of enemy attempts to jam signals, (3) the transmissions
should be difficult to monitor, and (4) it should be difficult even to detect
that a trasmission is occuring.
These requirements lead to a set of technolgies called "spread
spectrum" communications which operate at 2.4Ghz and 5Ghz. Instead of
picking particular frequency range and using high power levels to send as much
data as possible using that frequency, the spread spectrum approach takes a much
wider frequency band and sends the data using many different frequencies at
relatively low power. Further, based on agreement between the sender and
receiver, the frequencies can be changed several times per second in what would
appear to be a random pattern. The two most common approaches were called Frequency
Hopping and Direct Sequence.
In Frequency Hopping Spread Spectrum (FHSS), the bandwidth is divided into
channels (the 2.4Ghz range is divided into 79 channels in the US). Once a
wireless connection is established, the receiver and transmitter agree on one of
several frequency hopping patterns. Based on the current channel and a simple
mathematical calaulation, both the receiver and transmitter jump to the next
channel in the sequence at the same time. Unless you know the proper calculation
to make, an evesedropper would have a difficult time following the
communication.
While the original goal of changing frequencies was to evade detection (the
military obviously used far more than 79 channels), having multiple sequences
means that interference among different groups of receivers and transmitters is
reduced. As a mater of fact, it is possible to deploy a number of base stations
with overlapping coverage ares, and have a wireless network card associate
itself with the base station with the strongest signal. In this way, a network
of base stations operate much like a cellular telephone network, handing mobile
base stations off from one to the other.
In Direct Sequence Spread Spectrum (DSSS) the frequency range is divided into
fewer channels. Instead of transmisttion at high power and moving quickly from
one channel to another, the data is "spread out" oin a predefined
pattern with a power level so low that the signal appears to be background
noise. The only way to reconstruct the data was to know the subtle patterns in
the background noise. To make a simple analogy, it is like hearing an AM radio
station which is too far away. It all sounds like static, but there is enough of
a pattern to the static that you know that people are talking but you cannot
discern what they are saying. In DSS, the circuitry in the network cards knows
the exact pattern in the "static" and reconstructs the data. Again, a
feature that was originally designed to evade detection results in a wireless
network technology that is tolerant of interference from other sources such as a
wireless phone, microwave oven, or unlicensed equipment operating in the same
frequency range.
In the late 1990's, there was a great deal of debate as to which of the
technologies was superior with excellent arguments for all of the technologies.
But the debate was resolved (for now) as low-cost equipment from Lucent and
Apple came out using IEEE 802.11 DSSS technology. In order to be compatible with
the existing (and growing) installed user base, nearly all new wireless
networking products came out supporting the DSSS technology.
Another factor which caused DSSS to be more broadly accepted was the
throughput. Originally, both DSSS and FHSS operated at 1Mbps. Many people felt
that the minimum acceptible bandwidth was 10Mbps (as fast as Ethernet). It
turned out that it was easier to push DSSS technology to 11Mbps than the FHSS
technology because of the way the FCC set the rules for the use of the 2.4Ghz
unlicensed frequency range. The FHSS community pushed to have the FCC rules
relaxed to boost the performance of FHSS, but by the time it was resolved DSSS
had a strong foothold in the consumer market.
The FHSS approach still has a distinct advantage when there is a high density
of access points and mobile workstations. Even though the speed of an individual
FHSS connection is slower, if there are many simultaneous connections, FHSS will
make better overall use of the frequency.
Conclusion
Wireless networking is the ultimate expression of home networking. It frees you
from your "computer dungeon" and allows you to be productive in more
pleasant surroundings. The market for wireless equipment has settles down and a
wide range of interopreable products exist based on the IEEE 802.11 Direct
Sequence Spread Spectrum (DSS) technology. You can easily purchase a kit with
several network cards and an access point and build a nice wireless network as
an add-on to your existing network.
-------------------------------------------------------------------------------------------------------------------------------------------------------
Using Your Network
While the first thought when you install a network is typically to share an
Internet connection, there are a number of other ways you can use your network.
Once you get used to file and printer sharing, you will begin to wonder how you
got along without the network. In this chapter, we will cover the more common
uses of home networking and some less common uses of home networking:
- Printer Sharing
- File Sharing
- Multi-Player Video Gaming
- Virtual Private Networking (typically used to connect to a company network
from home or on the road)
In this chapter, we will focus on networking between Windows operating systems
because that is the large percentage of the installed user base. We address some
of the issues for non-Windows operating sections in a separate section.
Setting up computers to share printers and files
Before we can share the printers and files, we must make sure to install all of
the proper software. While some steps can be eliminated for some of your
computers, the simplest approach is to perform the following steps on all of the
computers in your network (except perhaps your NAT gateway).
First install the network components NetBEUI, Client for Microsoft
Networks and File and printer sharing for Microsoft Networks
using the network control panel. If they are not installed, use the Add
button and find them under the Microsoft sections for Protocols, Clients,
and Services respectively. During the installation, you may be
prompted for the operating system disks and have to reboot the computer.
- Next set the computer name and the workgroup. The workgroup should be the
same for all of the computers in your home. The computer name must be unique
for each computer.
- Under the third tab, set Share Level Control. This means that each
resource (printer or files) will be shared based on a unique password for
the resource. The other approach, User level access control, requires
an NT Domain - which is well beyond the scope of this book. Domain style
control of resources is very effective for larger organizations, but is
generally too cumbersome for home use.
- Next, back in the network control panel under File and Print Sharing,
check the box to indicate that you wish to share your files and printers.
This does not actually share your printers and files, it just makes sure
that the necessary software is loaded so that files and printers can be
shared.
- Also in the network control panel, change the setting for Primary
Network Logon change the setting to Client for Microsoft Networks.
This will cause a network login screen to come up after Windows is booted at
which point you enter an account, leave the password blank, and press OK.
If you press Cancel or Escape you will not be logged in and
Network Neighborhood may not work.
These steps should make your computer ready to share and use resources across
the network. The actual sharing and use of files is relatively simple compared
to the preparation steps above.
Just as a short note, the MacOS operating system is automatically
pre-configured to "do the right thing" in most cases. There is really
no analog for these steps on a MacOS system :).
Sharing a Printer
Once you have installed the proper software and configured your network login,
you can share printers or files. First, we will examine the steps necessary to
share the printer.
- First you set the printer up on one computer using a USB or Parallel
connection. Install all of the proper device drivers according to the
manufacturer's directions. Make sure that the printer works by printing a
test page.
To share the printer, go into Settings | Printers, then right-click
on the desired printer and bring up the Sharing dialog. Within the
sharing dialog, you give the printer a share name (usually the default is
sufficient) and optionally give the printer a password. In a home network
situation, it is pretty safe to share printers without using a password.
When the printer has been successfully shared, the printer icon is changed so
that a small hand is added to the icon. This way you can tell at a glance which
objects are shared and which objects are not shared. Once you have installed the
proper software and successfully logged into the network on the client computer,
the steps are so simple that they are almost intuitive.
Browse the Network Neighborhood. If you see the name of the server
computer, then you are in great shape. Otherwise, take a look at the tips
and tricks section for some more sophisticated diagnostics and approaches.
Click on the name of the computer. You should be shown all of the shares -
the icon will tell you if the share is a printer or a file system.
- When you click on the printer icon, you will be asked as to whether or not
you want to install the printer. If you say "yes", the printer
will be installed. Part of the printer installation installs the necessary
printer drivers over the network so you should not have to use the printer
driver disk.
Once this is complete, you should be able to print from the client system as if
the printer were locally attached.
Sharing Files
In general, unless you have special security concerns, it is a good idea to
share all the disk drives on all of the computers. You should assign a password
to the disk drive shares. You can use the same password for all of the shares
and just make sure that family members all know the password. This way if an
intruder is able to gain access to your LAN, then they will not be able to
access any data without the password.
There is great convenience to being able to access any file on the home
network from any other computer. Especially if you are running around doing
"technical support" or helping someone with their homework, needing a
file that is two floors away.
Again, the steps to share and mount a drive are very simple. First we start on
the computer which will be sharing out the actual drive or directory. Assuming
that you already have the proper file sharing software installed and configured
as described above, you simply navigate to the drive that you want to share,
right click on the drive or directory and select the Sharing option. Much
like the printer, you give the share a name (again the default is usually fine)
and a password. With file sharing, you should always use a password. Generally
you will want to choose the Full option to allow Read/Write unless you
have a specific unique situation. You will be prompted for the password a second
time to verify the password.
It is actually not necessary to do anything special on the system which is
going to read the data from the share. You simply navigate down through the
Network Neighborhood, through the computer and down to the drive. The first time
you enter a share you will need to know the password. But from that point
forward until you reboot, your computer will remember the password.
You can navigate the network drive just like a normal drive. You can open and
save files from the shared drive as if it were local. You may need to develop
the skill of jumping to the Network Neighborhood in the Save or Open dialogs,
but it does not take long before it is second nature.
In some situations, you might want to "mount" a network drive and give
it a permanent letter. Some software prefers to deal with a drive letter as
compared to navigating down through the network neighborhood. This is
accomplished by navigating to the drive through network neighborhood to the
shared disk. To map the drive, you right-click on the drive and select Map
Network Drive. The system brings up a dialog box where you can choose a free
drive letter and a check box indicating whether this mapping is just until the
system is rebooted or whether you want this drive mapping to happen each time
the system comes up.
Typically it is not necessary to map every drive on every computer to a logical
drive letter. It is so simple to navigate through the network neighborhood that
mapping a drive letter adds little value. Three examples when mapped network
drives can be handy are as follows:
- When you have a place where you store downloaded material that is
reusable. For example, you can download one copy of a web browser and
install it on several machines. This also can be true for plug-ins such as
Adobe Acrobat or RealPlayer.
- If you have an MP3 collection, instead of putting the media on every
computer, simply keep a single copy on the computer with the largest hard
disk which stays on all of the time and mount it on the other computers as a
pseudo-drive.
- If you want to schedule a backup to happen late at night you will need to
have a mapped disk drive to use for the backup.
After you have your network for a while you will certainly find other more
interesting uses for your network drives.
Network Backups
Backing up your computer is one of those things which very few people do well.
The hardware is expensive, the tapes are expensive, and it takes a long time to
run a backup.
With a network, however you can make very simple and convenient backups from
one disk to another. The best approach is to purchase a separate large (can be
slow) hard drive and install it in one of your computers and share the drive
cross the network. This drive can be used to back up all of the computers in the
home network. While it would be a good idea to back that disk drive up to tape
from time to time, at least with the disk (for about $100), you have two copies
of the data on all of the computers on your network.
Windows-98 has a basic scheduling capability built-into the operating system
so the backups can be run late at night in an automated fashion. There are two
basic ways to set up an automated backup:
- Create a batch file which simply does an XCOPY of the important
data from the local disk to a subdirectory on the network drive. You create
a batch file for each computer and schedule it to run late at night and you
have a simple backup solution. This approach has the advantage that the
backup data is readily browsable (i.e. you don't have to do a restore), but
the disadvantages are that there is no compression and there is no simple
way to keep some history over time.
- You can use the backup program provided by Windows-98 to do a more
rigorous backup and enforce a schedule of full dumps and incremental dumps.
While this is more complex and the data must be restored, it allows you to
have a view of your data over time.
A Network Printer
Some newer printers can be purchased with a network adapter built into the
printer. You can also purchase an external unit which connects a printer to the
network. Given the ease of using a computer to connect your printer to the
network, using a network attached printer is not commonly done in smaller
networks. There are two basic ways to connect a printer directly to the network.
- Purchase a printer (typically HP) with an Ethernet connection. The most
common product is called JetDirect. You simply connect the printer to
the network and install the JetDirect software on each of the client
workstations. Then each workstation can print directly to the network
printer.
- Purchase a separate unit which has a network connection and a printer
connection. The cost of these units is becoming increasingly affordable.
These units appear as servers in Network Neighborhood. Each port on
the unit appears as a virtual printer. Clicking on the port installs the
printer on the client system.
Having a network printer is very convenient if you do not want to leave a
computer on all the time and use several different computers around the house.
The key is to weigh the costs of a network attached printer to the benefits that
you see.
Sharing Files under NT
If you are installing an NT system, you must make several decisions during
installation which cannot be changed without reinstallation. So you should know
the ultimate configuration before you install NT. NT Server is designed to
operate in very large networks. When you manage a very large network you take a
very different view of server configuration. Techniques used for enterprise
networks generally are not ideal for small networks.
In the Microsoft vernacular, these two approaches are called Workgroup
networking and Domain networking. Domain-style networking is designed for
larger networks and centralizes much of the security configuration. Each user
has an account on a Primary Domain Controller - passwords and account
configuration are all stored on the domain controller computers. Workgroup-style
networking allows each workstation to have its own security configuration. In
the examples above, we were using workgroup style networking when we add a
specific password to each shared drive and printer. If we were using domain
style networking, we would have provided a list of users who were permitted to
access the resource and the domain controller would have authenticated the users
and given access to the resource.
Do use domain-style networking you must have an NT server, so all of the
examples in the book are shown for the more typical workgroup-style networking
which is typical in Windows non-server environments.
If you install an NT system and want it to interoperate well with your other
workgroup systems, you should install it as a Stand-Alone Server instead
of a Domain Controller. In the network control panel, you can install the
NetBEUI software and configure the system with a workgroup and system
name. Then the server can interoperate with the rest of the workgroup-style
network clients.
The only other difference in setting up an NT server is how you set up access
to the network drives. The simplest approach is to share drives without any
passwords - but that gives poor security. A safer approach is to create a user
account and password using the NT Server administration tools. Then the drivers
and printers can be shared by All Users. This way, any user with a valid
account and password can access the drives.
When mounting disks or printers from and NT server on a non-NT system such as
Windows-98, the account and password come from two different places. First, the
account is what you type into the initial Windows Networking login dialog
when the system comes up. When you attempt to access the share over the network,
you will be prompted for the password. To keep things simple, typically you
would assign the same password to both the NT account and the shared files and
printers on your non-NT systems.
In Windows-2000 and beyond, domain-style networking has been improved and
extended and is called Windows Directory Services. Like NT domains,
Directory Services centralizes much of the security configuration and is
somewhat complicated for home use.
Solving File Sharing Problems
One of the most frustrating problems is when you are sure that you have set up
network sharing properly but Network Neighborhood seems not to work. This
section shows some techniques which you might try to get this to work:
- Check basic network connectivity. The ping command is an excellent
tool if you know the IP addresses of the systems.
- Make sure that all of the proper software is installed and configured as
described above
- Make sure that you set the identity in the network control panel and set
the check boxes that indicate that you want to allow others to access your
printers and files. Make sure that your computers have the same workgroup
name and have different computer names.
- Make sure that Primary Network Logon is set to Client for Microsoft
Networks on all of the systems and the systems have been rebooted.
- Make sure that you are actually logging in (no password required) at the
Microsoft Networking login screen.
- Make sure that you actually have something shared. Computers which do not
share a drive or printer will not show up in the Network Neighborhood.
If you follow the steps above and the computer still does not appear in Network
Neighborhood, it is possible to access the computer without using Network
Neighborhood. Right click on the Network Neighborhood and launch Find
Computer. Type in the computer name of the other computer. If the computer
is functioning and connected to the network, you will be able to browse the
computer. If you can find the computer this way, you know that it is functioning
properly. If you can find and browse the computer, but it does not appear in
Network Neighborhood, the problem is usually related to the login process.
If the login process seems counterintuitive, it is because Windows is trying
to automatically handle the fact that there is a "local login" and a
"network login". Windows-98 is trying to automate and coordinate both
processes. If you end up with passwords that are causing problems, you can clear
out all accounts and password by removing all of the files with the suffix
"*.pwl" from the C:\WINDOWS subdirectory and reboot the
computers. Make sure to log in with an account name and blank password when
prompted for the Microsoft Network login. If during the log-in process, you are
prompted for a Windows Login (a smaller window), use the same account name with
a blank password.
File and Printer Sharing on Non-Windows Systems
This section provides some pointers as to where to get started and what to
expect which trying to do file and printer sharing with other operating systems.
- Apple computers have had excellent peer-to-peer networking for many years.
It is very easy to setup and use. There is software available for MacOS to
allow Apple computers to access files and printers on Microsoft Systems, but
it typically only supports PostScript printers. Windows NT Server has
services for Macintosh which allows Macintosh clients to connect to NT files
and printers. Macintosh Services for NT works with any Windows compatible
printer. With MacOSX, there is a set of tools UNIX tool called samba
which allow some interactions with Windows Operating systems.
- Unix systems such as FreeBSD and LinUX have a set of tools to provide file
space and shared printer space for both Apple and Windows client computers.
Because UNIX is a server operating system, its support for accessing shared
drives and printers on Windows is typically somewhat limited.
If you have set up your own LinUX system then you are probably sophisticated
enough to turn on file sharing without much more help.
Multi-Player Gaming
While video game consoles are still very popular with younger children,
increasingly adult game players are using personal computers for their gaming.
Personal computer performance can be upgraded much more readily than a dedicated
game console. PC games are faster, more graphically intensive, and can operate
trivially in a multi-player mode.
Games can be played across a local area network or across the Internet or a
combination of both. It turns out that multiplayer games actually use a very
small amount of network bandwidth so computers can quickly and easily exchange
the information even over relatively slow networks.
Depending on the age of the computer game, it may use one of two network
protocols to comunicate:
- Older games will tend to use the Novell IPX protocol.
- Newer games and games which run over the Internet will use the TCP/IP
protocol.
For games which use the TCP/IP protocol, there should be no additional setup
once the computers are set up to surf the web and use the Internet for other
applications. When using TCP/IP between the computers, you will typically have
to enter the domain name (gaming.msn.com) or IP address (192.168.1.10) of the
master game server.
If you are playing on your LAN, you have a good reason to use fixed IP
addresses rather than dynamically assigned IP addresses distributed via DHCP.
Generally, one system must act as a "master" system and the other
systems will connect to that system. Unless you using a server across the
Internet, you bring up one copy of the game as a master and then put the IP
address of the master system into each of the client systems which are running
the game.
IPX is not an Internet protocol so it only runs over the local area network but
it has two advantages that led early multi-player games to choose IPX.
- IPX ran well in a DOS (not Windows) environment. On early computers, it
took every bit of performance to run the game so many games ran only under
DOS.
- IPX did not take a great deal of memory or CPU resources
- IPX has a way to "discover" network resource (just like Network
Neighborhood). So you don't have to assign or know the network configuration
numbers to establish a connection between the master game and the client
games.
Some games support both protocols so you can use each for its best use.
When you are running games which use IPX in a Windows environment, you must
install the IPX protocol under Settings | Control Panel | Network Settings .
You can find the protocol under the Microsoft protocols. Once installed, IPX
needs no additional configuration.
You may encounter a strange situation when mixing different versions of IPX
across different operating systems. It turns out that because the basic Ethernet
protocol evolved over time, there are several "variants" of the
protocol. Most mainstream protocols such as TCP/IP or NetBEUI choose the
standard Ethernet protocol format. Novell actually supports more than one
variant of the underlying Ethernet protocol. Example variants of the Ethernet
protocol are: Ethernet II, 802.2, and 802.3. We won't delve into the (very
insteresting) history of how these variants occured. All you need to know is
that all of your IXP/Novell configurations must use the same underlying
format. So if you are mixing DOS and Windows, or mixing different versions of
the protocol, and you are having problems making connections, check the
underlying Ethernet format for each of the systems.
Virtual Private Networks
Virtual Private Networks (VPNs) are a way to decribe the act of creating a
"new" network using the underlying capabilities of an existing
network. One major application of VPN technology is to produce a corporate
Intranet using a number of connections to the public Internet rather than direct
connections using leased lines. There are obvious security concerns wihch must
be solved to keep folks on the Internet from having access to corporate servers
or data as it crosses the Internet. But two short high speed connections to the
Internet can cost far less than one long connection between two corporate
routers.
There are three basic concepts which allow a VPN to use the public Internet
to implement a VPN:
- Encapsulation
- Tunneling
- Encryption
In a traditional Intranet, locations are connected by a long-distance leased
line connected to routers at each location. When data needs to be transmitted
from one location to another, the data is simply copied from one local area
network, sent across the leased line, and then copied onto the local area
network at the destination. Because the leased line is dedicated, typically no
encryption is necessary.
In a VPN environment the process to move data from one location to another is
quite different. The routers are replaced by VPN-capable routers. When a packet
needs to be moved to the remote location, it is copied off the local area
network and encrypted. Then the data is placed in TCP/IP packets (encapsulation)
and sent across the Internet to the destination VPN router. At the destination,
the data is reassembled as necessary, then decrypted and copied onto the local
area network at the destination. This concept of encapsulating data in another
protocol and sending it across the net is called tunneling. In a way the
data is sent from the source to the destination through a "tunnel".
The net result is the same whether a VPN or Leased line is used to move the
data. There may be cost and performance differences between the two approaches.
Usually the VPN is less expensive, but sometimes, VPN gives better performance
than a leased line solution.
Using a VPN From A Single Computer
While this technology allows two geogprahically distributed local area networks
to appear to be connected, the more common scenario that you will use in daily
life as a business traveller or as a telecommuter is connecting a single
computer to the VPN so that you can access your corporate network in a secure
and convienent manner. This is usually done by running VPN software in your
computer. While there are a number of different technologies used to implement
VPN's, Microsoft included a basic VPN client in all of its operating systems
since Windows-95. Many VPN routers will support the Microsoft variant of VPN
because client software is readily available under Windows operating systems.
Once the VPN adapter is installed on your computer, al of the VPN processing is
done in software on your computer. The data is encrypted, encapsulated, and
broken into packets in software in your computer. Then the packets are sent to
the corporate VPN system across the Internet where they are decrypted and
reassembled, and copied onto the local area network on the destination LAN. This
allows you to operate as if you were directly connected to the corporate LAN,
reading E-Mail, acessing files, and other operations.
Security is paramount to all VPN operation. There is the obvious password and
account which gives you access to the VPN. Many companies add some type of
external randomly generated security keys from a vendor such as SecureID (www.securid.com).
These external security keys generate continuously changing random numbers. Each
user has their own SecureID which is generating the same number sequence as the
SecurID system is generating on the corporate LAN. You will only be granted
access if you can enter the number displayed on your SecurID and it matches the
number generated at the corporate LAN.
You can make use of your VPN, you must install and condifure the PN software for
your computer. If you are using the Microsoft VPN adapter, it is available as an
adapter in the network control panel. It makes sense that the VPN
software appears to be a "virtual" network card. The VPN adapter is
acting as a network card, accepting data packets and sending them to the VPN
gateway.
In addition to installing the software, you will also have to configurae a
few options for your particular VPN. Because VPN technology is evolving rapidly
and there are many different protocols, software suites, and configuration
options for each VPN, the best bet is to get help (or at least detailed
instructions) from your corporate IT department.
Once configured properly, VPN is very easy to use, securre, and cost
effective. While it is out of the scope of this book, you can set up your own
VPN using a combination of the VPN software in Windows-98 and the VPN server
software included in NT 4.0 and NT 2000. Building the remote end of a VPN using
Windows 2000 is actually quite straightforward.
Conclusion
In addition to Internet connection sharing, printer sharing and file sharing are
an important benefit of a home network. Using workgroup style networking under
Microsoft windows operating systems is realatively easy to configure and very
convenient to use.
------------------------------------------------------------------------------------------------------------------------------------------------------
Network Security for Your Home
One of the most commonly asked questions once your home network is connected to
the Internet is the level of security risk. Many people have sensitive
information such as their banking, stock portfolio, and other information stored
on their computer and are concerned about being "hacked" by someone
connecting in through the Internet.
Before we look into the issues and techniques to improve security in your
home network we should first take a short look at "why" we should
worry about security. There are three basic types of security threats to worry
about:
- There is some person or organization who is trying to break in and steal
something in particular from you. They may want your Swiss bank
account numbers or your business records or someone might have hired a
private investigator to get your E-Mail records. On the average, this is not
a typical situation and your problems are out of the scope of this chapter.
- There is some individual or group who breaks security as a hobby. In their
spare time, they look for unprotected systems, and (mostly for fun) they
break into those systems. Typically these people are not interested in the
typical home computer system unless you have a web or file server connected
via a high speed link. If you have a large, unprotected server, these folks
will quickly find your system and use your system to exchange vast amounts
of (typically illegally obtained) material through your system.
- There is an organized group who is breaking into systems as part of some
planned preparation for an attack. These individuals might even be related
to a government effort.
While this list seems very frightening at first, in reality, there is a very
small chance that anyone really cares about attacking you. If you are
Microsoft, the US Whitehouse, or some other high profile site, then you need
professional security staff who understand these issues in great detail. But if
you are the average Internet user then this chapter will cover most of the
security issues pertinent to you.
For the hundreds of millions of normal people, we must be vigilant, but in
general, we do not have to worry about protracted focused attacks on our
networks. In a sense, if you take normal precautions, the random hacker will
simply move on to the next home network. In home security, the first step is
simply to make sure that your doors and windows are locked when you are not
home. A lazy burglar will simply move on looking for a house which has doors
which are not locked.
The techniques that we will describe in this chapter include:
- Virus and worm protection
- Personal firewalls
- Network firewalls
Your security plan can be some combination of these techniques. We also will
look at the nature of security problems in an Internet environment.
Viruses and Worms
A "virus" is any type of malicious software which attempts to
replicate itself onto as many systems as possible. A simple virus is propagated
by user actions such as saving files or copying information to a floppy. A
"worm" is a type of virus that both infects a computer, and then tries
to actively propagate itself by using the network.
It is possible to get infected with a virus even if your computer is not
connected to the Internet. Your computer can be infected by inserting an
infected floppy disk or CD-ROM, or by installing some infected software. Once a
computer is infected, the virus may be passed on through files, floppy disks or
CD-ROM's that are written by that computer.
With the advent of the Internet and E-Mail attachment, the number of viruses
has blossomed with well over 50,000 different viruses with many variants of each
virus.
Just as an example, we can look at one particular worm-type virus called the QAZ.worm.
This virus affects the notepad application on Microsoft Windows systems.
It renames notepad.exe to note.exe and replaces notepad.exe
with the virus. The virus is automatically started when the system boots up and
it continuously scans your local area network for writable drives so that it can
place the virus on those systems as well. Also, while it is running, it sends a
packet to the IP address 202.106.185.107 every few minutes. While no one knows
the exact purpose of the packet, it is believed that the virus may allow the
creators of the virus to use it as a "back-door" to extract other
information from your system or make alterations to your system. Given the
nature of this virus, it is good that it does not propogate very quickly.
Fortunately, there are excellent tools for virus protection from an number of
software vendors. The safest approach is to install a virus protection package
on each of your computers. While some firewall packages offer virus protection
for incoming data, they do not protect from viruses which may be carried on
disks or other media. It is also very important to update your virus definitions
from time to time as new viruses come out.
There are a number of basic steps that you can take to reduce you chances of
getting a virus or worm:
- Run virus checking software and update the virus tables every 30-60 days.
- Simply delete E-Mail from folks that you do not know. Never open an
attachment that you were not expecting, regardless of how interesting the
subject line may be. E-Mail attachment viruses change so often that even
virus checking software has a hard time keeping up to date.
- Only download and install software from known and trusted sources.
Software should be downloaded from the vendor site or one of the larger
repository sites such as www.downloads.com.
While viruses and worms are an annoying aspect of exchanging information,
because so many computers have virus checking software, most viruses are quickly
eliminated and do not spread too far. And if people could resist clicking on
E-Mail attachments with silly titles there would be even fewer viruses to worry
about.
The leading providers of virus detection software such as www.mcafee.com
often have excellent on-line sites with extensive virus and worm information.
Firewalls
In a home networking situation, there are two types of "firewall"
technologies which are available for use. The basic purpose of a firewall to
look at all network traffic and make a decision as to whether or not the traffic
should be accepted or ignored. A normal gateway (or router) simply forwards data
based on the address of the data without looking at the contents of the data.
Firewalls were first deployed in business situations where attaching the
corporate network directly to the Internet would be a profound security risk.
The purpose of the firewall was to block all traffic except that traffic which
the business felt was appropriate. For example, many corporate firewalls block
all incoming traffic (from the Internet) except E-Mail traffic to one computer
on the corporate LAN.
Firewalls can also be used to block outgoing data as well. Many companies did
not want their employees having wide open access to the web from their desk. The
company would configure it so that only a certain group of employees were
allowed to browse Internet sites beyond the corporate intranet. As we begin to
connect homes to the Internet, we increasingly find that we need to adopt these
security techniques used in the business sector.
Personal Firewalls
For home use, a new technology has recently appeared called a personal
firewall. Instead of running on a gateway system, the personal firewall runs
on each computer that is connected to the network. A personal firewall can also
be used if there is only one computer connected via dial-up modem.
A personal firewall operates somewhat differently than a typical corporate
firewall. Because there are very few services running which need to respond to
incoming connections, a personal firewall usually shuts off all incoming access
except for file and printer sharing. Because it is running on your workstation,
it looks very closely at outgoing connections as each application is executed.
The personal firewall will prompt to make sure that you are willing to allow
this particular application to connect to the Internet. Once you approve each
application, the personal firewall will remember to allow that application to
make connections without your approval from that point forward.
This way, you can detect when applications are making network connections for
the first time. This will allow you to catch Trojan horse viruses which make
outgoing connections from your computer. You will also be notified when a
software package is registering you via the network or if your screensaver is
making network connections. This ability to be notified and approve outgoing
network connections is a unique aspect of a personal firewall.
Personal firewalls will also notice when another computer is sending you data
using an unexpected protocol. Again, because this is a workstation and not a
server, nearly all unsolicited network traffic can safely be ignored.
When you first install a personal firewall, you will find that it is very
talkative, as it learns the applications which use the network. But very
quickly, the personal firewall has seen everything once and you are alerted to
any new activity and given the chance to approve it. After the first few weeks,
do not be so quick to approve new activity unless you are using some new
application such as a media player, online game, or chat program.
The examples in this section used a very popular personal firewall called ZoneAlarm
which is available at no charge for personal use available from www.zonelabs.com.
There are a number of other popular personal firewall packages that you may want
to choose from.
Network Terminology - What is a Port?
Before you move into the detailed configuration of your home network with
respect to security, there are a few more network terms which we need to cover
so you can understand all of the configuration issues.
Earlier in the book, we learned that each computer has an IP address such as
192.168.1.10. For each address, we can have any number of connections. We
glossed over the concept of ports at the time, but now as we begin to
consider security, you will have to understand the notion of ports. By
controlling access to various ports, we can limit what intruders are capable of
doing.
The IP address, port, and connection values work together in a hierarchy as
follows:
- The IP address is used to identify all of the data destined for that
particular computer. IP addresses are 32-bit numbers and are generally shown
in "dotted" form such as 192.168.1.10.
- Within the IP address, each packet of data is destined for a particular
port. The port is used to select which application the data is destined for.
A computer can be used for file transfer, web surfing, E-Mail, file sharing,
media playing, and many other purposes. Each of these uses is done on a
separate port. Port numbers are small integer numbers. For example, E-Mail (smtp)
is sent across port 25, while web traffic (http) is sent across port 80.
Many number of the ports below 512 are reserved for existing well known
applications.
- Within each port, there is a connection for the particular
"instance" of an application. If you both a Netscape and Internet
Explorer browser open, they will both be using the http (Hypertext Transport
Protocol) port but each browser will be using a different connection within
the port.
The Mail Application Protocol
In addition to a port number, each application also has a "protocol"
which operates on the ports. Examples of protocols include Simple Mail
Transfer Protocol (SMTP) which operates on port 25 and the Hypertext
Transport Protocol (HTTP) which operates on port 80. The protocol determines
the "rules of the road" when communicating across a particular port.
You can find documents which describe many of the different application
protocols at the web site for the Internet Engineering Task Force (www.ietf.org).
You are looking for documents called Requests for Comments (RFCs). For
example the mail transfer protocol is described in RFC-2821 (originally
published as RFC-821).
Here is an excerpt from RFC-821 to give you a sense of how this type of
document reads:
The first step in the procedure is the MAIL command. The
<reverse-path> contains the source mailbox.
MAIL <SP> FROM:<reverse-path> <CRLF>
This command tells the SMTP-receiver that a new mail
transaction is starting and to reset all its state tables and
buffers, including any recipients or mail data. It gives the
reverse-path which can be used to report errors. If accepted,
the receiver-SMTP returns a 250 OK reply.
These protocols are intended to allow applications to communicate with one
another so that data can be exchanged. Having a standard for an application
level protocol allows electronic mail software from thousands of different
vendors to interoperate. In network terms, the program which is initiating the
connection is called the client and the program which is receiving the
connection is called the server.
We "Hack" a Mail Server
It is possible to replace the mail sending program (client) with a client
program intent on causing damage or some other form of annoyance. In this
example, we can actually use the commonly available Windows telnet
program to connect to port 25 and interact using the SMTP protocol. When you
open a connection to port 25 instead of the normal telnet application port, the
interaction is quite different and completely governed by the SMTP protocol.
When the connection is first made, instead of seeing the standard login page
which is typical of telnet, we are greeted by a "welcome to sendmail"
message with some version information. Having read the standard for mail
interaction (RFC-821), we realize the first step in sending a message is to send
the MAIL FROM line. We type in the message as described in the
specification, and get the specified response (a 250 OK message) indicating that
our command was in the proper format. We could easily continue and enter all of
the commands required by RFC-821 and cause an E-Mail to be sent.
Now at this point, you should be thinking that this is a good way to forge
E-Mail. Obviously, there is no check to see if the E-Mail address is truly
valid. We could have forged "president@whitehouse.gov" or
"bill@microsoft.com" without any problem. The bad news is that you
would be exactly right in terms of how easily you can forge E-Mail. But the good
news is that this is the "oldest trick in the book" - so while this
mail system was "trusting" the from address, it records a great deal
of other information about the session to allow you to be tracked down quite
easily if you use this approach to forge mail.
But given how easily addresses can be forged, you should never completely
trust the from address in an E-Mail message. You should never send an
E-Mail reply to any message from "the system administrator" or
"your bank" with any personal or sensitive information such as your
password or account numbers. That is another one of the oldest tricks in the
book.
Errors in Application Protocols
Not all security problems are misuses of the standard features in an application
protocol. Sometimes there are flaws in the implementation of the
"receiver" program (also called the server). A client program with
malicious intent can take advantages of the flaws in the server programs to
break security. These flaws fall into two categories:
- Actual bugs in the programs. A programmer writing the server program
forgot to check something in their code and some very specific sequence of
interactions causes the program to grant some type of inappropriate access.
- The programmer left a back-door into the program. A back-door is an
undocumented feature which allows the original programmer or perhaps
technical support staff to do some special action on the server. Most
typically, the original purpose of a back-door is testing rather than
malicious intent. However, there are many examples where back-door features
were left in software even after it was distributed for production.
Both bugs and back-door problems are generally fixed with new releases or
patches from the original vendor of the software. These security holes depend on
the version of the software and the operating system. This is a good reason to
keep your operating system and software up-to-date.
The classic example of this type of security problem is the Internet Worm.
While the term "worm" is a generic term in security, there is one
particular worm that is so significant that we call it "The Internet
Worm".
The Internet Worm was developed by a graduate student in Computer Science at
Cornell named Robert Morris Jr. in November of 1988. While there are many
conflicting accounts of how and why the worm was released, it ultimately
infected many of the computers on the Internet and made them crash or run very
slowly for about 3 days. Even though what Robert Morris Jr. did was wrong, it
made it very clear that security and vigilance was a necessary part of having a
large shared network of computers.
The worm itself was very simple because it took advantage of several very
well known flaws in the implementations of mail servers and several other
applications. The flaws had been known for many years, but back in 1988 those
who were aware of the problems felt a sense of responsibility not to exploit
those problems. The Internet Worm simply demonstrated that we had to write safe
and secure software and when there was a known problem, we had to fix it quickly
and effectively.
There is an organization called the Computer Emergency Response Team
(CERT) which was founded in 1988 which is charged by the government to monitor
network and software security issues and insure that the integrity of the
network is maintained. Generally, CERT is viewed as the highest authority in
security matters which affect the Internet . You can visit the CERT web site at www.cert.org.
Network Configuration
There are a number of steps which can be taken to improve your network security
which do not require the purchase of additional software. The configurations
which you can do depend on the operating system which you are using.
The most common way to share files and printers between computers running
Microsoft operating systems is NetBEUI (Netbios Extended User Interface). this
protocol is designed to work well in networks will a relatively small number of
computers. It is possible to send NetBEUI packets natively on your local area
network as well as to send those packets encapsulated in the TCP/IP protocol.
NetBEUI packets cannot pass across the Internet but TCP/IP packets can cross the
Internet. On your local area network you can use either protocol.
One simple way to protect people on the Internet from trying to access your
shared files and printers is to disable the connection between TCP/IP and
NetBEUI. This is done in Windows-98 under Start | Settings | Control Panel |
Network. Then make sure to remove any bindings between NetBEUI and your
dialup adapter.
Then you will alter the settings on both of your TCP/IP components as well. For
both the dial-up and LAN TCP/IP, find the tab labeled Bindings and
uncheck all of the file and printer sharing bindings. You may get a pop-up box
complaining about the lack of bindings but it can be ignored. You must remove
these bindings for all of the other computers on your local area network as
well. Once all of the computers have been rebooted, you can share files and
printers across the LAN, but they will not be accessible from the Internet. If
you have problems browsing the network, you should recheck these values on all
of the computers on the network. As new cards are installed or there are major
changes to the network components, these values may have been automatically
reset.
Because Windows NT 4.0 Server is designed to operate directly connected as an
Internet server, it has basic firewall capabilities built right into the
operating system as a way to protect the system from intruders. To access the
configuration screen, from the NT 4.0 network control panel, you access TCP/IP
Properties | Advanced | Enable Security | Configure. From this screen, you
can selectively permit or deny the various ports for the various protocols. The
configuration shown is a very "trusting" configuration for a server
connected to a local area network. For a web server, you might want to shut down
all access except via port 80 TCP to allow the http (web server) protocol to be
accepted.
Gateway Firewalls
If you are running Network Address Translation (NAT) for you home network,
then you already have a modicum of firewall protection. Because NAT maintains a
table of network connections created as each outbound connection is made,
incoming data is generally not forwarded. Some NAT gateways have the capability
of routing a single incoming port to one computer. This is typically used to
route port 80 (http) to your home web server. While this is not a true firewall,
it provides a significant level of security. If your NAT gateway is a hardware
system, then it will probably not need any additional protection.
If you are running a software NAT gateway you may want to take some additional
steps to secure that system. One thing that you will learn is that sometimes the
best security requires additional hardware. One of the most important things to
do to secure a software NAT gateway is to run it on a separate box. Given that
the network translation is not a significant performance load, you can typically
use an older computer with no performance problems. One key is to make sure that
the gateway system is not running any file sharing software. The configuration
shown above has a stand alone NAT gateway which only has the minimal software
installed on it, which allows port 80 (http) to be passed through to the home
web server. It would be nice to also run the web server on a separate system
using a server-class operating system configured to ignore all IP traffic except
for port 80. It is also possible to run a personal firewall on the web server.
Because the web server is behind the gateway, you can use file and printer
sharing between the web server and the other PC's in your home.
TODO: Linksys Hardware Configuration Example
You can also purchase a dedicated firewall router unit which has firewall
capabilities in addition to network address translation. As the gateway
technology is improved (both hardware and software), one should expect to see
vendors adding more firewall technology to their gateways, to the point where it
will be hard to find a distinction between an gateway, firewall, and even virus
protection.
Conclusion
You can run your home network for many years without any real security incidents
without taking any special precautions. Users who want an increased level of
security can install virus scanning software and a personal firewall at a very
low cost. Both of these tools are very simple to install and use and provide
nearly all of the security necessary for most installations.
When you install a dedicated server with a permanent IP address, your
security concerns are increased. A dedicated server with free disk space and a
high speed connection is a valuable asset to the "less principled"
elements on the Internet. By breaking into your server, they gain access to
resources and can use your server to attack other computer systems while
protecting their identity.
If you have a dedicated server, the simplest approach is to install a
hardware gateway/firewall which can suppress all the network ports except for
the approved ports. You should run an operating system such as Windows NT
Server, Windows 2000, Mac OS X, LinUX, or other flavor of UNIX on the dedicated
server. These operating systems have much better capabilities for protecting
themselves while performing their functions.
------------------------------------------------------------------------------------------------------------------------------------------------------
Content Filtering
The web has a wide range of material ranging from educational and informative to
vulgar and disgusting. People have a number of different motivations as to why
they might desire to limit the ability of the users of their network to view
particular content.
- The connection is in a public place.
- A computer is being used by children.
It is important to note that the idea of filtering Internet content is the
subject of heated debate both within and outside the legal system. This section
will completely ignore these legal issues and focus on the technology used to do
the filtering and how it might be deployed in a home network.
It is also very important to note that like Internet security, there is
really no Internet filtering approach which cannot be ultimately defeated. There
is the well-worn joke about the parent who purchases filtering software and
hands it to their 13-year-old child and tells them to install and configure the
software.
A large corporation can have strong content filtering, but it requires very
powerful and complex software as well as a team of highly trained individuals
who essentially act as investigators in regards to possible violations. It is
not likely that you will have the time or talent in a home network situation to
accomplish that level of control.
So as we look for solutions for the home network, we look for solutions which
give the best "bang for the buck". The good news is that content
filtering can help, especially for children who have not yet become technically
savvy in terms of reconfiguring computer environments or have decided to make it
their hobby to defeat the content filtering. During our testing, it was
surprisingly simple to defeat some of the content filtering software which we
tested. You should do some research and read some reviews before picking any
content filtering solution. A good source for reviews of hardware and software
is www.zdnet.com.
Interacting with your children
So, all in all, while content filtering can be a good part of your home network,
do not depend on it completely. Maintaining an open dialog with children,
setting guidelines, and in a sense treating their network access as though there
was no content filtering is a good approach.
Here are a few guidelines that you probably should agree to:
- You should discuss what your children are doing with the Internet - tell
them to show you what they are doing.
- Children cannot use the Internet in a locked room - you have the right to
walk in and peer over their shoulder once in a while. If you walk in and the
child is busily shutting down windows, then you should know why.
- Interactive activities such as E-Mail and chat should be carefully
monitored. The safest sapproach is to simply block them altogether until you
feel the child has adequate maturity or go with a filtered Internet Service
Provider such as America OnLine.
- Children should never reveal their identity in any way. They should not
even reveal any aspects of their identity. They might think that telling
someone the state that they live in or their age is harmless, but someone
intent on discovering infomation on a fellow chat-room participant can make
good use of any shred of truthful infomation.
- Explain to the children why there are rules and what you are concerned at
a level that they will understand.
Hopefully as you set rules for Internet access and then maintain an active
dialog with your children about the Internet, it will fit in with the overall
pattern of interacting with your children. As the child matures and has better
judgement, the rules should be changed to reflect the increased maturity.
Techniques for filtering Internet content
For home use there are four basic approaches which are used. We will discuss
each of these in turn.
- Purchase your Internet Service from a provider who provides filtered
content.
- Connect the home network to the Internet through a Proxy gateway and run
filtering software on the proxy system.
- Use the Microsoft built-in capabilities for filtering.
- Install standalone filter software on each of the computers for which
filtering is desired. This allows you to separately configure different
computers with different access levels.
Filtered Internet Service Providers
By purchasing service from a filtered Internet Service Provider, the
configuration is not stored on our computers and as such is harder to defeat. In
a way, your connection is not to the "real" Internet, but to an
Intranet which ultimately terminates at the Internet Service provider. The
Internet Service Provider operates some number of firewall systems which allow
you to view Internet content based on the configuration of each firewall. The
ISP has trained staff who monitor and configure the firewalls in terms of
possible new content.
This approach operates much like a corporate Intranet and is very difficult
to defeat. The ISP can monitor and control every E-Mail, every word in a chat
room, every search in a search engine, and every web page which is accessed.
The shortcoming to this approach is that for it to be undefeatable it must
use a dial-up connection. In a cable modem or DSL connection, it is still
possible to do filtering, but it is much more like the stand-alone approach
described below.
There is quite a range of filtered ISP's but most have a very small market
share. Some configure their filters based on broad catgories and others filter
based on the values of some group. You should look closely at any possible
filtered ISP to understand the way that they are making their choices. One site
which has a good list of family-friendly resources including filtered ISPs is
www.smartparent.com.
America Online is both the most popular ISP and provides excellent filtering
services as well. America Online allows each account to have several screen
names. Each screen name can be granted a different level of access ranging from
Kids Only (12 and under), Young Teen (13-15), and Mature Teen(16-17). A parent
can set their child's screen name appropriately, and only give the child the
password to their screen name. One advantage of AOL is that E-Mail and Chat
rooms are carefully configured and monitored in addition to the basic web
content.
The major shortcoming in this appraoch is that it works best over a dial-up
connection. A further weakness in this approach is the fact that a technically
savvy user can simply disconnect from the filtered ISP and reconnect using a
free or low cost ISP other than the filtered ISP.
Access through a Proxy
You can perform your own filtering by using a software proxy solution which
filters all access to the Internet from your own home. A good product in this
area is WinProxy (www.winproxy.com). WinProxy is a bit challenging to set up,
but properly configured solves many of the problems of home networking including
content filtering.
When you use a proxy solution, you can use a dedicated computer or one of the
other computers in the home. It is important to remember that when someone has
physical access to the Proxy system they can defeat any security or filtering
policies enforced by the proxy system. While you can take steps to enhance
security by using a server quaility operating system such as NT Server, you
should never assume that any measure is unbreakable.
Built-In Filtering Capabilities
From Windows-98 and later, Microsoft has significant filtering capabilities
built into the operating system and the browser. There is a Content tab
under Internet Options. Some of the stand-alone filtering capabilities
described below actually provide user-friendly interfaces to these configuration
features.
If you enable the content advisor, the default ratings will be very
conservative. You will have to place a password on the content advisor so that
only you will be able to alter the settings. The default ratings for content are
controlled by a third party non-profit company called the Internet Content
Rating Association (www.rsac.org). This company provides ways for sites to
become rated.
The problem with the content advisor is that it operates based on actively
rating sites. In the default configuration it will not allow you to view sites
that have not been rated. It turns out that very few sites have actually been
rated. There is an option under the General tab which allows users to
view "unrated sites" but that opens up browsing to millions of sites
which are not rated but "unsavory".
Another built-in feature is the support of PICS (Platform Independent Content
Specification). PICS is a standard which has been proposed as a way of labelling
content. You can read more about PICS at http://www.w3.org/PICS/. The
unfortunate shortcoming of the PICS approach is that it also requires active
rating of content.
Both the Internet Content Advisor and its PICS capability allow for new files
of rating information to be downloaded to update the configuration.
But both of these approaches unfortunately depend on the voluntary rating of
sites which causes a "chicken-and-egg" problem. Because neither
provides an adequate solution, no users ever turn the feature on and leave it
on. Since no users use the features, the web site providers can safely ignore
any ratings for their site. Because the sites will not rate themselves, we need
third-party rating services who typically charge for their rating services.
Stand-alone filter software
Other than using AOL as your ISP, stand-alone content filters provided by third
party providers are the most common content filtering solution. Popular examples
of this software are NetNanny (www.netnanny.com), CyberSitter (www.solidoak.com),
and Internet Guard Dog (www.mcafee.com). Not all local filtering software has
the same level of quality and security. You should do a small amount of research
by reading some magazine reviews before selecting your particular product. You
should not expect to find good freeware for this particular problem. Part of the
problem is that the service which updates the access list is more important than
the software itself. Some of the products even have annual fees to maintain your
access to the rating service.
The content filtering software is installed on each local workstation and
configured separately. The parent configures the content categories which are
viewable at that particular workstation and sets a password on the software to
lock the configuration.
Once configured, the software watches all accesses to the Internet both
through browsers and other means. Consulting its local configuration file, it
approves or disproves each site and acts accordingly. Some software informs the
user that the site is prohibited and other software quietly redirects the user
to a "safe" site.
The implementation of the software can be as simple as a local web proxy
server or as complex as to monitor the contents of non-web connections.
Conclusion
There are many solutions to providing some form of filtered content for your
family. America Online is an excellent solution in a pure dial-up environment
with its Parental Controls. For a parent who is not very technically savvy
(footnote: of course if you have read this far in the book you have become
technically savvy so this does not apply to you) using America Online is a good
approach if you are concerned with content filtering.
Local filtering solutions such as CyberSitter are probably the best solution
for a multi-computer home network because they work regardless of your ISP.
Local filtering can be used over dialup, DSL, and cable modem and will not
impact the overall performance of your connection. Make sure to read reviews of
this type of software because of it is poorly implemented and can easily be
defeated.
But the overall point which is most important is that no matter how hard you
try, a willfull 13 year-old child who is computer savvy will break through any
filtering that you can install. You cannot use content filtering to
"solve" a problem with a child who is out of hand. At the point where
the child has decided to wage a war on their content filtering software, it will
be over surprisingly quickly. At that point the only choice is to remove
physical access to the computer.
But the good news is that you can install filtering software on a computer
for pre-teens and expect that they won't stumble on unsavory sites in their
random surfing of the Internet. But even with filtering software, you still need
to make sure to educate your children on the proper use of the Internet and then
maintain communication with them as they use the Internet.
------------------------------------------------------------------------------------------------------------------------------------------------------
Home Internet Choices
Sharing an Internet connection is one of the main motivations of building a
home network. Typically when a single computer is connected to the Internet,
there are long periods while the connection is idle. This pattern of heavy use
and idle periods means that four or five computers can use a single Internet
connection and all five computers seem to have sole use of the connection. But
before we show how to share an internet connection we first will review the
myriad of connection options available for your home Internet connection.
Generally, which choice you have will depend on where you live. The list of
available options includes:
- Analog Telephone Modem
- ISDN Networking
- Cable Modem
- DSL - Digital Subscriber Loop
- Fixed Wireless
- Satellite
- Cellular phone based services
Each of these choices gives you a different price and performance value. If you
are lucky and have a choice of different technologies, this chapter will help
you gain some understanding of these technologies so that you can make the best
choice.
If you are in a hurry, and just want to know which service to choose, feel free
to skip to the conclusion of this chapter, we won't be offended. But if there is
a little telecommunications engineer inside of you waiting to get out, read on.
Analog Modem
In the beginnings of home networking in the 1970's there were no data
connections into the home. So the solution was to find a way that telephones
could be used to transfer data. The solution to this problem is a Modem (short
for modulator-demodulator). The idea was to turn data (0's and 1's) into sound,
send the sound through a telephone connection and convert the sound back to data
at the far end.
To better understand how the analog modems work, we can examine an early
modem.
Picture of an Early Modem (010)
When a modem initial connects and the speaker is turned on, you hear a series
of tones. These tones are used so that the calling modems can determine the type
of of the receiving modem. Each tone is sent for a few seconds and the receiving
modem responds to its particular tone and a connection is established. Most
modern modems can communicate with a wide range of older modems. It can take
nearly a minute until the sending modem "guesses" the right tone of an
older receiving modem.
This works well, but telephones have limited fidelity when it comes to the
quality of sound which is transmitted from one phone to the other. Because
phones are intended to portray human voice, they are limited to a frequency
range of 3000 Hz. This is why modems are limited to 2400 baud. Using
sophisticated digital signal processing, we can send up to 56000 bits per second
through this audio channel. Unfortunately, achieving this maximum rate depends
on a very clean telephone line and good connection.
Figure of POTS (020)
Even with these limitations, standard telephone modems are by far the most
common Internet connection from homes. The nominal cost for a phone line is
$16.00 and the cost of Internet service is about $20.00 for a total cost of
$36.00 per month.
ISDN
Plain old telephone service (POTS) dates back to the origins of the telephone
at the beginning of the twentieth century. In the 1970's (Rich check this one),
the telephone companies began to design the new "telephone service" to
replace plain old telephone service. This new service was called
"Integrated Services Digital Network" or ISDN. Instead of sending
sound, ISDN deals with data. The basic ISDN service provided two 64kbit data
channels and one 16kbit signaling channel. Each of the data channels could carry
a digitized phone conversation.
The ISDN connection essentially extended the functionality of the telephone
company switching equipment into the home. Each of the data channels can either
carry a phone conversation or a data connection. To carry a phone conversation,
the sound was digitized by special "packet telephones" which were to
be installed in the customer's homes. The architecture of ISDN envisioned a
wider range of digital telephony "gadgets" - but unfortunately, that
never really came to pass. Some people would claim that ISDN was priced too high
while others might feel that in 1980, we did not yet possess enough technology
to develop and manufacture packet telephones at a reasonable price. Regardless
of the reasons, ISDN was not readily available until the mid-1990's and by then,
the Internet revolution had occurred when data connections were "packet
oriented" rather than "connection oriented".
In many locations, because of limitations of ADSL or Cable Modems, ISDN is
the only option to go faster than a telephone modem without resorting to
wireless. Even thought ISDN is somewhat past the peak of its technology curve,
there are two basic solutions to use ISDN in a home network.
- An ISDN modem communicates with the computer throught a serial port
or as a built-in card - in this case, the ISDN modem operates much the same
as a normal modem. Windows-98 has built-in support for ISDN modems.
- The ISDN line can also be connected to an ISDN router which is
stand-alone unit. A typical ISDN router will have a connection for the ISDN
phone line, two POTS connections, and several Ethernet ports.
Most ISDN modems and ISDN routers have connections to support standard telephone
equipment. Each if the 64Kb connections is assigned a telephone number - by
plugging in a standard telephone equipment.
When you pick up an analog phone and dial another phone, the ISDN modem or
router actually is generating the dial-tone that you hear in the handset. As you
press keys, the router interprets the tones and once you have dialed the phone
number it requests a connection over the 16Kb control channel. When the
connection is established, the router is notified on the control channel and
digitized sound begins to flow over one of the 64Kb channels. The ISDN router
converts the sounds to and from digital form and acts as a bridge between the
analog handset and the digital connection to the telephone company. When calling
from an ISDN connected phone, you can dial any other phone. If the
destination phone is connected via a POTS connection, the phone company makes
the necessary conversions between analog and digital.
Picture of the ISDN router and analog phone
When you have an ISDN modem or router in your home, many of the functions
that were formerly done in the telephone company central office are actually
done in your ISDN equipment. This allows significant flexibility in several
ways.
When the ISDN router or ISDN modem is used for data, at least one of the 64Kb
connections is dialed to your Internet Service Provider (who also has an ISDN
connection). This connection is a direct digital connection which yeilds an
error-free 64Kbs. Generally, the PPP (Point-to-Point) protocols operates over
this connection. PPP handes both the initial authentication and the data
transfer over the link.
There are two ways to get up to 128Kb/sec on your Internet connection.
- Using Bonding, when the connection is made, both lines are dialed
at the same time and "bonded" to form a 128Kb/sec connection. A
simple way to thing of this is to imaging that every other bit is sent down
the other conection and then the bits are re-interleaved at the other end.
The resulting stream is 128Kb/sec through the modem
- With Multi-Link PPP, both connections are dialed separately (they
can even dial different ISPs) and as data packets arrive, one is sent down
one channel and the next is sent down the other channel. During busy use,
like during a file transfer this also will yield 128Kb/sec.
While bonding might seem like the ideal aproach, it is used less often than
multi-link PPP for the following reasons:
- Internet service providers prefer that you only make the second connection
when your traffic exceds a predetermined threshold and then drop the second
connection when your traffic drops. This way they do not have to have two
lines for every single customer. So some ISPs simply do not allow bonding.
- With Multi-Link PPP, the second connection can be dropped if needed. This
happens when you pick up an analog phone connected to the router and make a
call or when there is an incoming call. This works quite nicely because the
ISDN equipment can communicate with the phone company using the 16Kb channel
without disturbing the data being transferred over the two 64Kb connections.
As a matter of fact, you could dial a call and get a busy signal, and hang
up the phone without ever affecting the data flowing on a 64Kb channel.
Bonding is typically used when ISDN is used for a full-time connection, rather
than an on-demand dial-up situation.
With one ISDN connection into your home, you get the following:
- Two phone numbers which can be used with standard analog telephone
equipment
- A data connection which operates at either 64Kb or 128KB/sec (typically
based on traffic usage)
- An internet connection which connects in about 3 seconds (depending on
your ISP) so it feels like it is always on
- Multilink capabilities so that when you want to use the phone, your data
connection just slows down a little bit
Some people order ISDN and use it as their only phone connection. The only
limitation to this approach is that when the ISDN router loses power, you cannot
make analog telephone calls. So if you are considering an ISDN as your sole
connection to the phone company make sure to keep it on an uninterruptable power
supply which can operate the unit for several days. Another approach is to have
one standard phone line and a second ISDN line. While this is somewhat costly,
you end up with three phone numbers in your home and the POTS line is powered by
the phone company.
One of the primary downsides of using ISDN is the cost. An ISDN line may cost
about $50 per month (they are more expensive than POTS). In addition, your
Internet Service Provider may charge a premium to allow you to use ISDN - it is
typical to pay $30 or more to an ISP for unlimited ISDN service. This takes the
overall cost to use ISDN to nearly $80.00 per month.
TODO: SPIDS and Ordering and Synchronous (always transmistting zeros)
Cable Modem
In the mid 1990's, cable television companies began to experiment with and
deploy networking solutions based on the CATV connections into many urban and
suburban homes. Unlike POTS and ISDN, cable modems were developed from the
ground up to do packet-oriented data networking. The basic idea was to dedicate
one or more television channels to data networking.
A cable modem connection is permanently on - the service includes your
internet connection, so no fees are necessary for the ISP. Often you can
purchase a service which wil allow you to have a web or file server permanently
connected to the net in your home. It is the closest thing to having a
connection which functions like a local area network which is connected via a
high-speed link.
While this seems simple and clever, there are a number of challenges which
must be faced to use CATV for data networking. The first challenge is the fact
that cable television distribution had always been designed to be a broadcast
from an origination point (called the "head-end") to the subscribers.
In order to keep from running thosands of individual cable connections from each
house to the head-end, the cable system is designed as a multi-level tree.
Between the head-end and the subscriber, the signal is split several times. Each
time it is split, the signal is cleaned-up, adjusted and amplified. A cable
company needed to spend signiifcant effort making sure that their amplifiers
were properly adjusted to insure that each subscriber had a high-quality signal.
While this seems complex enough, using this structure to implement two-way
high-speed data communications is very challenging. The first task is to convert
the cable plant to be a two-way system. In a two-way system, the amplifiers must
take a subset of the channels coming back from the subscriber's homes and
pass that channel back up the tree. At a minimum, this requires the replacement
of all the amplifiers in the cable television system. Furthermore, it is
necessary to make sure that the cable system is very carefully adjusted and
monitored. A bad signal or badly tuned amplifier in a one-way system may affect
as few as ten homes. On the other hand, when there is a bad signal in the uplink
channel, it corrupts the channel as it is propogated up the cable system.
Once the cable plant has been upgraded to allow one or more television
channels to be two-way, there is still the detail as to how we move network data
across television channels. At its most basic, a cable modem is indeed a
"modem" - that is that the data is converted from digital to analog
(in this case video rather than audio) before being transmitted over an analog
medium. In a way, the cable modem in your home is a small "television
station". Once the basic conversion from digital to analog has handles, we
also must arbitrate between the different cable modems so that only one cable
modem transmits at any given moment. If two cable modems transmit at the same
time, their signals would collide and no data would be transmitted. The
collision might even produce noise on other channels on the cable - so two cable
modems transmitting at the same time could cause your neighbor to see a bad
signal while watching their soccer game.
This arbitration is resolved using a protocol called "token bus".
No station is allowed to transmit until it has been told that it has permission
- the permission is the "token" - if you have the token, you can
transmit, otherwise you must hold onto your data and remain silent. The network
insures that the token will be fairly passed around, so that even under heavy
load from several modems, each modem will have an opportunity to transmit many
times per second.
All this technical detail, is not meant to scare you from using cable modems
- a well-built and well-maintained two-way cable system provides extremely high
reliability. But the idea is to give you some idea as to the significant
engineering which goes making a cable modem work. And perhaps when the technical
support person from the cable company fixes your connection, you can tell them
an extra-special special "thank you".
You should feel fortunate if cable modems are in your area. They provide high
speed, always-on service for somewhere between $30 and $50. If you consider the
cost of an ISP and a second phone line, a cable modem provides a much better
experience at about the same cost.
ADSL - Asynchronous Digital Subscriber Loop
ADSL is a telephone company technology - it was designed much more recently than
ISDN and designed to operate in a world which assumes the Internet, demands high
speed, and assumes that the data connection is always on. Like cable modems,
ADSL was designed to operate on wiring which is already connected to your house.
In the case of ADSL, this wiring is the existing telephone connection. Unlike
the cable system, your telephone connection is a dedicated pair of copper wires
which run from your home back to the telephone company - these wires terminate
in a building called the "central office".
By running all of the wires all the way back to the central office, the
telephone company can deploy new services to your home simply by changing the
equipment which your wires are plugged into (and changing how much you are
billed each month). In the above example, homes A and B have POTS, while C has
ISDN, and D has ADSL. Of course, C and D need special equipment to make use of
their advanced services.
While having a direct connection from your home to the phone office is a
seeming advantage when deploying network services, making ADSL work has taken a
significant amount of effort because of the limitations of a long, unshielded
pair of copper wires when used for data communications. The copper wiring
installed in most of the country to support POTS is effectively long speaker
wire. An analog telephone is basically a microphone and a speaker.
As we move data across these copper wires, as the speeds increase, the wires
become radio antennae. The signals begin to "leak out" of the wires -
this has two bad side effects - with too much leakage, a high frequency signal
which is sent through the wires does not come out the other end because it has
all leaked out. The second problem is where all this leakage goes after it leaks
out of the wires. It end up in all of the other nearby wires causing
interference.
The speed at which data can be transmitted using telephone-style copper pairs
of wires depends on two factors: (1) the quality of the wiring and (2) the
length of the wires. As such ADSL is not available in every single home in an
area - and the farther away from the central office one gets, the slower the
maximum data rate that you will get. That is why you must provide your precise
street address when ordering ADSL - they are computing the distance and looking
up how your home is wired to the central office.
Distance (feet) Maximum Speed (upstream+downstream)
18000 1.544 Mbps
9000 6.1 Mbps
Generally, to be conservative, most ADSL installations will operate at 768Kbps
(about 1/2 of 1.54 Mbps) downstream and somewhere between 128-384Kbps upstream.
It is not generally practical to get ADSL if you are farther than 18000 feet
from the central office without adding apmplifiers. And it is difficult to add
the amplifiers because they must be installed in a way that no segment is
greater than 18000 feet.
Even if your neighborhood has brand new wiring and is less than a mile from
the central office, not all central offices have the apropriate equipment
installed in the central office. But hopefully over time (much like ISDN) as
demand (and revenue) for ADSL increases, it will be more widely available.
One of the slickest engineering achievements in ADSL is the fact that a
single copper pair can both be used as POTS line and as an ADSL line at
the same time. This is done using different frequencies for the POTS signal and
the ADSL signal. The POTS signal is sound and operates at below 5Khz. The ADSL
data is modulated so that it starts well above the voice signals. Both signals
are combined onto the wire and at the receiving end, a simple analog filter (an
inductor and a capacitor) is used to separate the signals.
Another advantage of ADSL over ISDN is the fact that ADSL is always on -
because ADSL is oriented towards Internet-style traffic and not continuous
synchronous data (like ISDN), if you are not sending or receiving any data using
ADSL, no data is being forwarded. In a sense, this makes ADSL, less resource
intensive for the phone company than ISDN. In most cases, your ADSL service
includes the Internet connectivity, so there is no need to pay an extra $20 per
month for Internet service.
In most locations, ADSL services ranges from $30 to $60 depending of
competition and the options that you choose.
Fixed Wireless
Fixed high speed wireless solutions are available is a small number of
communities. These services typically are using the 2.4Ghz or 5.4Ghz
frequencies. These frequencies are unlicensed, but equipment operating in these
frequencies must follow certain power rules and tolerate interference from other
equipment operating in the same frequency. These solutions can provide from 0.5
- 20Mb/sec connectivity at a cost comparable to DSL or cable modem.
It will take some time to see if fixed wireless expands beyond its core
markets of:
- Suburban areas with a high density of hi-tech workers
- Rural areas with moderate population density which are not suitable for
Cable Television.
Ultimately, fixed wireless may be viable as a long-term direct competitor to
cable modem and DSL. Wireless has the advantage that it has fewer legal barriers
than DSL or cable based solutions but it will be a challenge for it to scale in
terms of bandwidth in highly populated areas. If you have access to fixed
wireless in your community, you should take a close look at it.
Satellite
Satellite based services come in two forms:
- One-way with telephone company return
- Two-way satellite service
With the first option, the data coming to your home comes in through the
satellite dish at high speed. The data that you send to the network si carried
over a telephone or other land-based technology. This solution improves
performance on web surfing and downloads, but does not allow you to have any
type of server in your home and does not improve the performance of any type of
upload of information.
The two-way satellite based services are problemtic but coming up on the
horizon. These services have extremely large up-front costs (see how much the
last rocket lanugh sold for on ebay!). Once two-way satelite is well-deployed,
they will be a true competitor for DSL and cable modems if they can be cost
effectively deployed. These systems have the potential for nearly universal
geographic coverage and should be a boon to rural environments.
Cellular Services
Cellular services fall into two basic categoories:
- Analog-style connection oriented access
- CDPD - Cellular Digital Packet Data
It has been possible to use a cellular telephone to make a "call" and
transfer data similar to an analog modem. Initially this was limited to 2400bps,
but with improving technology and digital phones, the speeds are approaching
56kbps. The cost of using this type of service is usually based on the minutes
of used charged at the cellular rate in your cellular plan. There may be a
monthly charge to allow data services in some pricing plans. This approach has
very complete coverage, but it is not really practical when compared to a
standard telephone line for home use.
A more exciting cellular technology is Cellular Digital Packet Data (CDPD).
In CDPD, data is transmitted as packets in unused channels in the cellular
telephone spectrum. Because CDPD is packet based, it can tolerate increased
latency and moderate data loss. This allows the cellular network to give
"best effort" delivery of data, knowing that if some data is lost,
higher level network protocols will be able to retransmit or otherwise recover
from the lost data.
Ultimately by providing "best effort" delivery, CDPD should be able
to provide higher bandwidth at a lower cost. However most CDPD service coverage
is concentrated in the major metropolitan areas. There are efforts (especially
in Japan and Finland) to significantly increase the performance of this type of
access. Once the bandwidth increases, this service may become a strong overall
competitor to the cable, DSL, satellite, and fixed wireless solutions. Because
CDPD is tied to the cellular infrastructure, its deployment will tend to be in
moderately dense population areas and along well-travelled highways. But as the
cellular telephone usage increases in general, more infrastructure capable of
delivering CDPD services will be deployed.
Conclusion
Your Internet connection choices range from the mundane to the exotic. It
would be nice if everything were simple and all these technologies were
available to every consumer. In the short run, you simply need to assess which
technologies are avialable for your home and pick the best one for your needs.
The "classic" choices are a standard telephone line, DSL
connection, or a cable modem. Fixed Wireless and two-way satellite are a more
exotic but very intriguing solution. ISDN is a good choice if the cost is
relatively low. One way cable may be a good fit in some situations - it is a
reasonable compromise if the price is competitive - especially in rural areas.
A good place to research internet service choices is the web site www.isp.com.
Another good source of information is to talk to your neighbors and others who
have tried the various services.
Now that we have data into our home, we will explore how to distribute it
around the home.
------------------------------------------------------------------------------------------------------------------------------------------------------
Basic Networking Technology
In this chapter, we will familiarize you with some basic TCP/IP networking
terminology, technology, and tools. While knowing the material in this chapter
won't automatically qualify you for a new career in network suystem
administration, you will bemuch closer to your new career. If you would like to
learn much more about this topic, see the excellent O'Reilly book by Craig Hunt
titled TCP/IP Network Administration.
You may find that this chapter is a bit daunting when it delves into binary
numbers, but we recommend that you read it once from end to end to get a sense
of the issues. As we actually build home networks later in the book, we will be
referring back to this information. Some of the harder concepts in this chapter
will make much more sense when viewed in the context of a real example.
To Do
- Command table at the end of the chapter
- Make sure to add a troubleshooting tutorial someewhere (ping big packets)
- Check on the .0 convention - is this prohibited - or just avoided like the
plague?
Starting with the Numbers
The Internet runs a networking protocol called "Internet Protocol"
which is usually referred to as "IP". This protocol allows millions of
computers to interoperate in a standard way using the large global Internet. For
this to work, each computer connected directly to the Internet must have a
unique number, much like your telephone has a telephone number. Not only must
the numbers be unique, but the numbers must indicate "where" the
computer is connected to the network.
Telephone numbers are a good analogy - for example, consider the following
telephone number:
+ 41-22-76-74101
For those of you, not familiar with international phone numbers, the
"41" indicates that this phone number is in Switzerland. The
"22" indicates that the phone number is in the city of Geneva. Now
imagine if you wanted to call that number from 517-694-0981 (517 = Michigan 694
= Holt, Michigan). When the local phone company in Holt, MI sees the
international call, all it must do is look at the prefix of the number to know
that this call is destined for Switzerland. But in Holt, Michigan, there is no
need to understand the city code. As the telephone connection is set up, at some
point it gets close enough to look beyond at the country code and look at the
city code. And once in the city, the remaining numbers are used to find the area
within the city and then the precise telephone location.
This concept that the farther that you are from a destination, the less
detail you know is a very important one in IP and the Internet. About this
point, you are probably thinking, "I have been on the Internet for years
now and I never even knew that my computer had a unique number!". That
would be because the numbers are assigned automatically for most dial-up
connections. About the only time you might encounter the numbers would be when
you were connected at work. And even then, if the numbers needed changing, a
mystical creature called the "network adminstrator" would appear from
the mist, change your numbers, and disappear back into the mist telling you
never to change those numbers or some untold fate would befall you.
But as you become the network administrator for your home, you will need to
know these numbers and know them well. But by the end of this chapter, you might
actually think that the job of a network administrator might just be a little
fun. Of course it is all fun until your family starts paging you when the
connection is not working.... But I digress.
IP Addresses
Each computer which is directly connected to the Internet is assigned a unique
address which includes information about where the computer is connected to the
Internet. The addresses are 32-bit numbers which are generally displayed in the
following form:
35.8.2.41
where each of the four numbers represents an 8-bit value from 0-255.
Connecting a Local Area Network to the Internet
While most of you have your home connection through a modem, it is simpler to
learn about IP addresses in a local area network (LAN) configuration. Once we
understand the configuration on a LAN, we will examine how the PPP/modem
connection is configured.
The IP protocol was designed to connect all the computers on a particular LAN
segment to the Internet by attaching a single piece of equipment to the network.
This equipment is called a "gateway" or "router", because it
acts as a gateway between the computers on the local network and the Internet.
Its purpose is to intelligently "route" data between the LAN and the
Internet.
For a workstation to be properly configured to use the TCP/IP protocol to
connect to the Internet it must be aware of the following information:
- The workstation's own IP address
- The IP address of the gateway to the rest of the Internet
- The set of IP addresses which are are on the LAN (i.e. data to these
systems does not have to pass through the gateway)
- The IP addres of the Domain Name Server (DNS). This system maintains a
list of human-readible domain names (www.ford.com) and the mapping of those
names to IP addresses. This allows us to refer to a computer with an name
that is easier to use. It also allows the owner of a system like
www.ford.com to move the system, changing the IP address of the system while
maintaining the same domain name.
To look at an example, we will use the utility winipcfg which is
available under Windows-95/98. At the end of this chapter, there is a table
showing the commands to use for other operating systems to perform the network
diagnostic functions throughout this chapter. Looking at the output for winipcfg,
we quickly can pick out the workstation's IP address, the gateway address, and
the Domain Name Server (DNS) address. The only field which is less-than-obvious
is the Subnet Mask.
The Subnet Mask is used to answer the question as to which IP
addresses are connected to the local area network and which addresses are
connected to the Internet on the other side of the gateway. It would have been
much simpler if the display looked like:
LAN Attached Addresses:
192.168.1.*
Using a wild-card would let us know that address which match the first three
numbers are local, and any address where the first three numbers do not match
must be on the other side of the gateway. In actuality, this is exactly
what a subnet mask of 255.255.255.0 indicates. When the first three
numbers match, the workstation is local, when they do not match, the packets
must be routed through the gateway.
The following table gives some example subnet mask values and their impact:
Mask Value Local addresses
255.255.255.0 When the first three numbers match
255.255.0.0 When the first two numbers match
255.0.0.0 When the first number matches
255.255.255.248 See below
You might actually make it quite a ways before you encountered a more complex
subnet mask value such as 255.255.255.248, but this netmask is common when using
a cable modem. It allows a total of 6 address on the local network. To
understand this subnet mask value, we must delve a little deeper. And in the
process we will learn why it is called "subnet mask" in the first
place.
We mentioned above that IP adresses were 32-bit numbers commonly displayed in
the "dotted" format (192.168.1.20) where each of the numbers
represented eight bits was in the range of 0-255. The following table shows some
numbers and their corresponding bit patterns:
Number Bit Patterns
255 11111111
254 11111110
252 11111100
248 11111000
240 11110000
224 11100000
192 11000000
128 10000000
So a netmask of 255.255.224.0 would look as follows in bits:
11111111 11111111 11100000 00000000
The general pattern is that starting at the left, there is some number of one
bits followed by the remainder of the bits being zero. The above might be called
a "19-bit subnet mask" because the top 19 bits are ones followed by 13
bits of zero.
Subnet masks are used to compare the destination comptuter's IP address with our
IP address. We only compare the positions where there are ones in the netmask.
Here are some address comparisons with a netmask of 255.255.0.0:
Address After Netmask
Source 192.168.1.20 192.168.0.0
Destination 35.8.2.41 35.8.0.0
--> This is an Internet address and must
be sent through the gateway
Source 192.168.1.20 192.168.0.0
Destination 192.168.200.7 192.168.0.0
--> These is a local address and does not
need to use a gateway
In addition to detemining which addresses are local and which addresses must
be accessed through the gateway, the subnet mask also implicitly defines the
maximum number of computers which can have unique IP addresses on a single local
network. In an earlier example:
IP Address: 192.168.1.20
Subnet Mask: 255.255.255.0
The local area network can have addresses in the range of 0-255. The
".255" (all ones) address should never be used because it is a
"broadcast address", and one of the addresses should be used for the
gateway address (typically the ".1" address) so there are 253 possible
workstation IP addresses for this network segment. The following is a table with
netmasks and network sizes:
Netmasks Network Size
255.255.255.248 6 addresses
255.255.255.240 14 addresses
255.255.255.0 253 addresses
255.255.0.0 253*255 addresses
255.0.0.0 253*255*255 addresses
This may all seem much more complex than necessary, but if you are comfortable
in base-2, it is not too hard to understand. There are a number of "subnet
address calculators" on the Internet in the case that you encounter a
subnet such as 255.255.255.248. Here is a common example worked out in complete
detail:
The netmask indicates which addresses are on the local network by indicating
which bits must not change and which bits are allowed to change. Given that the
top 29 bits of the netmask are ones, the only bits which can change and have the
address still remain on the local network are the last three bits. Your ISP will
give you the netmask value and at least one address on "your" network.
This address might be the gateway address, a workstation address or both. But
given any one address on the LAN, we can calculate the range of addresses which
are local to the LAN. After converting the known address to base-2, we simply
set the bottom three bits to all to zero to find the "lowest address"
on the LAN and then set the bottom three bits all to one to find the
"highest address" on the LAN. Remember that the "highest"
address should never be used because it is broadcast address. As a result the
range of addresses on this LAN is 163.21.44.184 - 163.21.44.190.
So, in our simple network example, we can label all of the elements in our
network. In this example, the domain name server (DNS) address and the gateway
are the same, but this does not have to be the case. The DNS server can be an
address on the local network, or an address connected to the Internet. In this
case, the gateway is acting as the DNS server in addition to being the
gateway/router.
Having the gateway and DNS address the same is very common on home networks
because both hardware and software gateways support both services. On a
corporate LAN, these two numbers would almost certainly be different.
Managing IP Addresses
Now that we have an understanding of the three main addresses used to configure
a workstation and place it both on the local area network and the Internet, it
is time to take a look at how we manage these IP addresses. There are three
basic ways that IP addresses are managed:
- Automatically using Point-to-Point Protocol (PPP) - When a single computer
(or home gateway) dials up an Internet Service Provider (ISP), part of the
dial-up process assigns your connection an address from their network. Each
time you dial-up, you may get a completely different address.
- Manually - In a home network where multiple computers will be connected to
the Internet, you can write all the addresses down in a simple text document
or spreadsheet. You must enter the IP address and other onfiguration
manually on every system connected in the house.
- Automatically using the Dynamic Host Configuration protocol (DHCP) - This
requires a system on the local area network to be configured to serve
addresses. Each system on the network (other than the DHCP server) is
configured to request their address while it is booting up and starting
TCP/IP.
You can access the screen shown above for both your dialup
"adapter" as well as the "Ethernet adapter". Windows will
generally warn you strongly against using anything other than dynamic addresses
on any dial-up adapter because PPP will override and of your fixed settings. On
the LAN adapters however, you can choose a static address or a dynamic address
via DHCP. But you should only chose dynamic if you know that there is a DHCP
server avaialable.
DHCP Configuration
There are four typical ways to use a DHCP server:
- You use a home gateway unit such as an Apple Airport, 3Com LanModem, or
LinkSys unit. These units generally will perform DHCP, DNS, gateway routing,
and Network Address Translation (see next chapter).
- You use a software gateway such as WinRoute or Sygate. These
programs generally perform the same functionality as the hardware units
described above.
- You have a cable modem or DSL with an Ethernet connection. Your ISP runs a
DHCP server and will provide you with your configuration information on
startup.
- You run a Windows-2000 server or Linux server where you have explicitly
configured a DHCP server.
In any event, if you have a DHCP server, then the management of the IP addresses
on the workstations attached to your network is quite simple. They all are set
to obtain their addresses dynamically and the rest is up to the DHCP server.
When these computers boot up, they send out a special broadcast packet
(Reverse Address Resolution Protocol or RARP) on the LAN which effectively asks
the question, "What is my address information?". If there is a DHCP
server running, the server responds with the proper IP address, netmask,
gateway, and DNS server. These values are set for the workstation and used until
the workstation is rebooted.
When the DHCP server gives a workstation an IP address, it is called a
"lease" because the address is only good for a limited time which can
range from hours to days. If you look at the output of the Windows utility winipcfg,
you can see the address of the DHCP server which was used to configure this
workstation and the expiration time on the "lease" for this
configuration.
It is the workstation's responsiblity to "renew" their lease on the
IP address sometime before the lease expires. If the lease is not renewed by the
expiration time, the address is placed back into a pool of addresses to be given
to the next computer which makes a request for an IP address. One advantage of
this approach is that if a computer is rebooted before the lease expires, it
will be given the same address by the DHCP server.
You can force the workstation to release its IP address lease using the Release
button on winipcfg and you can renew the lease using the Renew
button. It is not necessary to release the address before you renew it.
Releasing and renewing your address is a good way to test that your DHCP server
is actually working properly. If the DHCP server is not present and there is no
response to the RARP request, you may get a garbage address when DHCP
times out.
When a computer goes to sleep under Windows-98 and wakes back up, it
re-obtains its IP address and network configuration using DHCP protocol. If the
lease has not expired, it is given the same addres that it had before it went to
sleep.
DHCP is very convienent because it allows any computer to be connected to the
LAN without requiring any specific configuration. For example, a portable
computer configured to use DHCP can be seamlessly moved between your office
network and your home network. The DHCP server on each network provides the
workstation with the right information it needs for each of the different
networking environments.
It is possible for a network to handle both static and dynamic addresses at
the same time. Because DHCP gives out addresses in a particular range, you can
reserve a portion of your subnet for static addresses and another portion of the
subnet for DHCP configured addresses. This way, you have the best of both worlds
- you can assign fixed addresses to your home gateways and your servers, while
using dynamic addreses for the user workstations and any portable computers that
you might use.
In looking at the winipcfg output, we have covered nearly all of the
fields in the screen. The fields in the top half of the output (Node Type,
NetBIOS Scope, WINS Proxy, and NetBIOS Resolution) are all related to file
sharing over the LAN and will not be covered here. The Adapter Address is
the "serial number" of the LAN card. We will examine these
"adapter addresses" next.
Ethernet Addresses
The Internet Protocol (IP) can operate across a wide range of local area
networks including: Ethernet, Token-Ring, Fiber Distributed Data Interface (FDDI),
Asynchronous Transfer Mode (ATM), and others. By far the most common local area
network technology we will see in the home is the Ethernet network. So in this
book, we will ignore all other LAN technologies and focus on Ethernet.
In the winipcfg output, we can see the adapter address for an
Ethernet connection, this number is the serial number of the Ethernet card in
the system. These Ethernet card serial numbers are 48-bit numbers with the top
24 bits used to indicate a manufacturer identifier. The bottom 24 bits are the
serial number of the card within the particular manufacturer. These addresses
are typcally written as a series of six hexadecimal numbers:
00-A0-24-A6-B4-4B
These Eithernet addresses are used to move data across the local area network.
Each packet must have a source and destination address to move across the
network. An address of FF-FF-FF-FF-FF-FF (all ones) is used as a
broadcast address, meaning that the packet is received by all of the
workstations on the local area network.
The Internet Protocol (IP) and Ethernet work together. IP is used to move
data acoss many different types of media, whereas Ethernet is used to move the
IP data across a single local area network. For every workstation on Ethernet
using IP, there is both an Ethernet address and an IP address. Each computer
must maintain a table of the mapping from the IP addresses to Ethernet
addresses. This table is called the ARP-table because the protocol used
to discover new IP address is is called the Address Resolution Protocol
(ARP). When a workstation wants to communicate with an IP address across the
Ethernet, it sends out an Ethernet broadcast ARP request. Sincle all of the
workstations on the LAN receive the ARP, they each check to see if they match
the desired IP address - if so, they reply and the originating workstation
updates their ARP table.
Once an entry is in the ARP table, when your workstations wants to send a
packet to an IP address, it knows the correct Ethernet address to use. On most
systems, there is a command to interact with your workstation's ARP table called
arp. In Windows systems, simply type te command arp -a in a
command window to dump the contents of the ARP table.
Point-to-Point Protocol Connections
PPP connections are both very simple and somewhat complex at the same time.
Because PPP is so well integrated into Windows and Macintosh operating systems,
all we really need to know is a phone number, account and password and the rest
is magic. This section looks a little deeper into how PPP operates in terms of
its network configuration.
When PPP dials the modem, for the first few seconds, there is a bunch of
housekeeping which must be done. First the connection must be authenticated.
Once the authentication is done, the ISP tells your workstation which address
values your workstation is to use.
When we look at the winipcfg output for the PPP Adapter once
the connection is up, we can examine the settings which your ISP has assigned to
your workstation. The IP address and subnet mask are addresses which make sense
on the ISP's local area network. These values are only used for this particular
dial-up session.
The Adapter Address is not really an Ethernet address in this case -
it is just a way for Windows to keep track of multiple network connections.
Looking at these particular values, addresses with a 35.*.*.* value will be
sent out on the "local network" while other addresses will be sent to
the gateway address.
How IP Works
While you will probably never run a nationwide IP backbone, it can sometimes
help to understand how packets move across the country and around the world. A
simple tool to send a single packet across the IP network is called ping.
This can be used to test basic connectivity between two systems.
C:\WINDOWS>ping 137.138.28.228
Pinging 137.138.28.228 with 32 bytes of data:
Reply from 137.138.28.228: bytes=32 time=280ms TTL=115
Reply from 137.138.28.228: bytes=32 time=310ms TTL=115
Request timed out.
Reply from 137.138.28.228: bytes=32 time=279ms TTL=115
Ping statistics for 137.138.28.228:
Packets: Sent = 4, Received = 3, Lost = 1 (25% loss),
Approximate round trip times in milli-seconds:
Minimum = 279ms, Maximum = 310ms, Average = 217ms
C:\WINDOWS>
For each packet, ping tracks the round-trip time, and reports the Time to
Live (TTL) value which we will examine more closely in a moment.
If we expand the "Internet cloud" a bit, we see the Internet made up
as a series of network routers connected using various media ranging from leased
telephone connections to dedicated fiber optic connections. Each packet finds a
path from the source to the destination depending on the performance of each
connection and the load on each of the routers. Two packets sent one right after
another may take completely different routes through the network although this
is not typical.
We can see the route a packet actually takes through the network using the tracert
command:
C:\WINDOWS>tracert 137.138.28.228
Tracing route to webr.cern.ch [137.138.28.228]
over a maximum of 30 hops:
1 2 ms 1 ms 1 ms COMPAQ_5630 [192.168.1.1]
2 152 ms 157 ms 144 ms ppp-gw-9-188.net.msu.edu [35.9.9.188]
3 162 ms 153 ms 176 ms cc-rtr-ve10.net.msu.edu [35.9.10.1]
4 159 ms 157 ms 151 ms g2-0-0.msu4.mich.net [35.9.82.98]
5 154 ms 155 ms 152 ms atm1-0x18.michnet8.mich.net [198.108.23.30]
6 154 ms 155 ms 154 ms s2-0-3c0x10.mtu.mich.net [198.108.23.237]
7 165 ms 170 ms 161 ms abilene-clev.mich.net [192.122.183.10]
8 169 ms 169 ms 169 ms ipls-clev.abilene.ucaid.edu [198.32.8.25]
9 316 ms 204 ms 229 ms cern-abilene.cern.ch [192.65.184.190]
10 335 ms 288 ms 300 ms cernh9-pos100.cern.ch [192.65.184.34]
11 * 320 ms 343 ms cgate2.cern.ch [192.65.185.1]
12 290 ms 291 ms 283 ms cgate1-dmz.cern.ch [192.65.184.65]
13 355 ms 373 ms 284 ms b513-b-rca86-1-gb0.cern.ch [128.141.211.1]
14 327 ms 319 ms 305 ms b513-c-rca86-1-bb1.cern.ch [194.12.131.6]
15 327 ms 319 ms 287 ms webr.cern.ch [137.138.28.228]
Trace complete.
C:\WINDOWS>
From this output, you can see that there are a total of 15 hops from the source
to the destination.
Finding the path through the Internet works by placing special values in the Time-To-Live
(TTL) field. The TTL field is normally set to 128 in every packet. Each time a
packet crosses a router or is delayed for a second inside of a router, this
number is decreased by one. Once the TTL value goes to zero, the packet is not
forwarded any further and an error message is sent back to the sending host. The
original purpose of this field is to keep data from being forwarded forever when
there is no path from the source to the destination.
To learn the path, tracert first sends out a packet with a TTL of one,
and then gets the error message returned after the first hop. Then a packet is
sent out with a TTL of two, and the error message is returned. This pattern
continues until tracert has effectively found the path from the source to
the destination.
This command can be quite useful in debugging network connectivity - if a
packet is getting part of the way from the source to the destination, a ping
or other command will simply fail. The tracert command will show how far
the packet is getting before it gets lost. This command also allows you to track
the packet as it passes through any of your local gateways and onto the
Internet.
Transmission Control Protocol (TCP)
In each of the above examples, we see packets which were lost. This is a
critical aspect of the design of the IP protocol. Part of the reason that the
Internet has effectively scaled to millions of hosts is the fact that IP allows
packets to be lost. When a system sends a packet across the Internet, the
Internet does not guarantee its delivery. Packets can be lost for any number of
reasons: A link is too busy, a router is rebooted, the routing path is changed
at just the wrong moment, or a leased line has a failure. If any of these
happen, the Internet simply loses the packets and expects that the source and
destination computers to cope with the loss.
However, usually we want to move data across the Internet and know that it
actually arrived in one piece. Reliable delivery of data from a source to a
destination is accomplished by the Trasnmission Control Protocol (TCP).
TCP operates on top of IP and adds value to the IP protocol. Typically when we
don't want to get into detail, we refer to TCP and IP together as TCP/IP.
The TCP protocol is very complex and robust, but its overall operation is
quite simple. When one host sends data to another over TCP, the source host
retains the data in its memory until it has received a positive acknowlegement
from the destination system. If no acknowledgement has been received after a
period of time, the data is re-sent. If the data has been resent too many times,
the connection is terminated.
In addition to buffering and resending data, TCP also make sure data arrives
in order. This is done by storing any out of order information on the the
destination system until all the data has arrived. Then the data is put back
into order and sent to the application.
When a web browser retrieves data using the Hypertext Transport Protocol
(HTTP) or File Transfer protocol (FTP), the data is actually sent across the
network using TCP and IP. FTP and HTTP are examples of application level
protocols which make use of the TCP reliable connections.
A good analogy for IP is the postal system. You can place a bunch of letters
in the mailbox addressed to the same location. Some time later, the letters are
delivered at the destination in any order with one or more of the letters
getting lost (once in a great while). TCP is much more like the telephone system
- you make a connection and it just works smoothly until you are done. Sound
goes in and comes out in the same order. Nothing is lost (not counting cell
phones), and about the only thing that goes wrong is that the connection is
terminated if there is a problem.
A View from a Gateway
So far, we have concentrated on the view from a workstation in terms of how to
get our data to destination hosts on the Internet. Now we will take a brief look
at a gateway (also called a router).
A gateway is a system which has more than one network connection and can forward
data among their network connections. The simplest case is a gateway with two
connections. Each connection has an IP address which makes sense on the local
area network to which it is connected and is properly configured with a netmask
and a gateway for that network.
The gateway must know which subnets are available on which interface. The
table which contains this information is called the route table. This
table can be dumped using the netstat command under Windows:
C:\WINDOWS>netstat -rn
Active Routes:
Network Address Netmask Gateway Address Interface Metric
0.0.0.0 0.0.0.0 35.9.9.188 35.9.9.188 1 (1)
35.0.0.0 255.0.0.0 35.9.9.188 35.9.9.188 1 (2)
35.9.9.188 255.255.255.255 127.0.0.1 127.0.0.1 1 (3)
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1 (4)
192.168.1.0 255.255.255.0 192.168.1.1 192.168.1.1 2 (5)
192.168.1.1 255.255.255.255 127.0.0.1 127.0.0.1 1 (6)
This table looks somewhat daunting, but with all the knowlege that we now have
in this chapter, we can work our way through it. When a packet arrives on any
network interface, the table is read from the bottom to the top. Each packet is
destined for one of three interfaces: the dial-up modem connection (35.9.9.188),
the local area network connection (192.168.1.1), or the gateway itself
(127.0.0.1). The network address and netmask are used to see if the destination
address matches this particular "row" in the table. If there is a
match between the destination address and the network address after the netmask
is applied to both, then the packet is send out the specified interface.
Working from the bottom to the top the rows have the following meaning:
- Row 6 means that if the destination matches 192.168.1.1 exactly, the
packet is destined for this computer (the gateway)
- Row 5 means that any packets with a destination address of the form
192.168.1.* are to be sent out to the local area network using the Ethernet
interface.
- Row 4 says that any address 127.*.*.* is local to this computer.
- Row 3 says that if the destination is 35.9.9.188, then it is destined for
this computer. Remember that this computer has two network interfaces.
- Row 2 says that any address of the form 35.*.*.* is sent out the PPP
connection.
- Row 1 says that if none of the other rows have matched the destination
address (for example if the destination was 62.145.22.33), send the packet
out the PPP connection.
Several rows were removed from the table to keep it simple. When you print this
table out on your computer, you may find some rows with network addresses
starting with 224 or network addresses containing 255. The 224 addresses are for
multicast traffic and the 255 addresses are for IP broadcast traffic.
This table is easily extended for gateways with more than two interfaces.
Essentially the table lists all of the subnets which are to be sent to which
interface, and then in the first row indicates where to send packets which don't
match any of the rules.
Conclusion
You can go quite a long way in home networking without having to know every
concept presented in this chapter. But it does help when diagnosing a problem to
be able to read the outputs of the tools which allow you to explore the network
configuration.
The Internet is successful in a large part due to the clever design of the
TCP and IP protocols.
- Each computer needs a very small amount of information to connect to the
network.
- The IP protocol does not have to guarantee reliability for data. This
allows the Internet to move data quickly and cheaply using a "best
effort" model.
- The TCP protocol adds sequencing and retransmission on top of IP so that
data can be moved reliably between applications.
Once your computer network is properly setup, it will run with little or no
maintenance and you will begin to forget that you ever needed the information in
this chapter. Most of the routine aspects of network configuration can be
completely automated with the proper hardware or software. But when things break
down, that is when you will come back to this chapter and read it very
carefully.
------------------------------------------------------------------------------------------------------------------------------------------------------
Wiring Your Home
Now we will explore putting together the basic hardware necessary to make a
network throughout your home. We will start with the most basic connection -
twisted pair Ethernet. In later chapters, we will explore more exotic
technologies such as wireless or phone-line networking.
Ethernet networking is generally the least expensive, fastest, and least
trouble free connection if you can run the wires to the locations where you want
to use your computers. Even if you have support for wireless computing in your
home, you will probably still use Ethernet for a few of the computers in your
home.
TODO: This is what I wanted to say in this chapter, but somehow it seems
to be missing something. perhaps it is too much or too little detail here and
there. - Chuck
Ethernet Cabling and Network Hardware
There
are two basic forms of Ethernet cabling - Coax cable and twisted pair. Since the
mid-1990's, the industry has gone completely to the twisted pair approach. The
original Ethernet design from the 1960's consisted of a single cable which was
connected along the back of each computer. The cable looked like the typical
cable used for cable television today. When a computer sent data out to the
network, all of the computers "saw" all of the data going across the
network. Much like a two lane road, there were "traffic rules" about
when you could "jump on" to the network and when you had to wait to
let traffic pass by.
While this approach was simple and allowed a single long cable to be fed
along the back of many computers, simplifying wiring costs, it did not work very
well when one person disconnected the cable, effectively removing half of the
computers from the network.
Twisted pair wiring and network hubs solved the problems of Coax cable Ethernet.
In twisted pair, the computers are wired in a star configuration. Each computer
had a dedicated connection back to the hub and when one computer was
disconnected or had a problem, the rest of the network was unaffected. But
because Ethernet was well established and the protocols which used Ethernet
depended heavily on a broadcast medium, inside the hubs all of the ports were
electrically connected together. One many hubs with activity lights, all of the
lights seem to blink at the same time. This is because the traffic is being sent
out on all of the ports at the same time. This means that a 10Mb/sec hub can
only move 10Mb/sec total regardless of the number of computers connected to the
hub. Hubs are still widely used in many low-traffic situations such as a home or
small office when there are less than 10 computer systems connected to a
network.
The next major step in the evolution of network equipment was the switch.
Because the Ethernet protocol assigns a unique network address to each network
card, it was possible for a switch to automatically "learn" which
computer systems were located on which ports. When a switch first comes up, it
acts like a hub, copying all incoming data to all the ports at the same time.
But as the data is transmitted, the switch looks at the source address of each
packet of data and makes a note which port it received the data. When a packet
arrives for that workstation, the switch only copies the data to the proper
port. Once a switch has identified which workstation(s) are on which port, the
data is only copied to the appropriate port. This means that a 10Mb/sec switch
with 8 ports is capable of up to four simultaneous data transfers at the same
time for a total of 40Mb/sec overall. Some traffic (such as ARP packets -
described previously) are special broadcast packets which are copied to all the
connections of a switch. Switches work very well in networks from 5-250
computers because much more aggregate traffic can be moved through a switch.
Switches are generally reasonably priced and have very good performance. In very
large networks, their primary limitation has to do with how they handle
broadcast traffic.
Switches have an added advantage in that most switches allow you to mix and
match between different speed Ethernet equipment. The most common application of
this is to use a combination of 10Mb/sec and 100Mb/sec Ethernet equipment in the
home. Because switches are making dynamic connections for each packet, two
100Mb/sec computers can be moving data at 100Mb/sec, while two 10Mb/sec
computers move data at the slower rate. A switch can even slow down the data,
allowing data to be transparently moved between a 100Mb/sec computer and a
10Mb/sec computer.
In a home network environment a switch is generally preferable unless the
cost gets too high. The price of an 8-port switch is pretty reasonable, but
16-port switches become more expensive because their typical application is in a
business environment.
Network Design
It is
possible to connect a number of hubs and switches together to form your network.
This can allow you some flexibility in wiring. For example, you can run one wire
to a room, and using a hub within the room you can conect several computers to
your home network. Using multiple hubs is called cascading. Cascading is
made much simpler when your hub has an uplink port. Most of the ports on
your hub are wired in the standard manner to connect to a workstation. One some
hubs, one of the ports is wired both as a normal port and as an uplink port. You
cannot plug a cable into both the uplink port and the corresponding workstation
port at the same time. The five port hub pictured here can either function as a
hub for five workstations or as a hub for four workstations with an uplink.
This diagram shows three four port hubs properly connected together with the
maximum number of workstations attached to each hub. The top hub (root) has two
workstations connected and uses two of its workstation ports up provide uplink
connections for the lower hubs. Its uplink connection is not used. The two lower
hubs, each have three workstations connected and their uplink port connects to
the top hub. The workstation port port associated with the uplink port is not
connected to anything.
When cascading hubs together, you cannot connect beyond three levels from the
"root" hub to the end hub. The previous figure shows a two-level
cascade. While this seems to be a somewhat limiting factor, with three levels of
24-port hubs, you can have over 10,000 computers. Also, switches do not have any
"cascading" limitation like hubs. Because of this, you can think of
any port on a switch as at "level zero" in terms of cascading.
In a hub, the only difference between a normal port and an uplink port
is simply which signals are routed to which connectors in the cable. So
"port 1" and the uplink port are the same port with slightly different
wiring configurations. As a matter of fact, if you do not have an uplink port,
you can use a normal port on the hub to make the uplink connection, but the
cable must be a special cross-over cable or a cross-over adapter must be
used. But most seasoned network professionals tend to avoid cross-over cables
like the plague. The problem happens when your identical looking cross-over
cable ends up in a box with a bunch of normal cables. For this reason, many
cross-over cables are made out of red cable or specially marked in some other
way.
The most common use of a cross-over cable is to create a network with exactly
two computers and no hub. You cannot use a normal straight-through cable to
connect two computers directly to each other. A crossover cable allows a direct
connection. This is typically done when two people want to create a temporary
network for the purpose of playing multi-person video games. You can also
purchase cross-over adapters which connect two normal cables together to produce
a cross-over cable. That way you never have to purchase any of the (dreaded)
cross-over cables.
Cable Length
Because of the underlying protocol used to control the traffic on an Ethernet
network, it is necessary to limit the overall "distance" covered by a
single Ethernet network consisting of hubs. No network should be more than 70
meters in "diameter". To compute the diameter of the network simply
add up the individual lengths of the cables which data would have to pass
through as it moves between the two "farthest away" workstations. In a
simple network with one root hub, this simply means that no cable run can be
greater than 70 meters. In the two level cascaded diagram you would have to add
four cable lengths together and keep the total distance under 70 meters. Luckily
in most homes, this is not much of a concern because the size of the home limits
the overall cable length. If for some reason, you need to go beyond 70 meters,
similar to the cascading rules, each time you encounter a switch, you can set
the "accumulated distance" back to zero.
The actual rules for building Ethernet networks are complex and when
completely describe take up a book with hundreds of pages. In this book, we
distill those rules into "rules-of-thumb" which should be sufficient
to build a reliable home network. To design a large network for a business with
hundreds of workstations, you should consult a book such as XXX-XXX-XXXX.
Building Twisted Pair Ethernet Cables
For your fist few Ethernet cables you should buy good quality cables so you know
that your cables are not causing technical problems. However, you should not be
afraid of building your own cables once you gain some experience. And in the
next section, we will talk about completely wiring your home - having the
ability to build a cable is an important skill when wiring your home.
Building a cable
is easier and cheaper than you think. First you will need some supplies and
equipment.
- You can purchase Category-5 cable and crimp-on cable ends from many home
improvement stores, electrical supply stores, or via mail-order.
- The tool to crimp on the cable ends is relatively inexpensive and will
cost around $10-$15 to purchase.
You may want to check the author's website (www.homenetworkguys.com) for
some links to where you can purchase tools and supplies for wiring.
The following are the basic steps to install a crimp-on end to a Category-5
cable:
- Cut the cable to the proper length.
- Gently score the outer sheath to remove about 3/4 of an inch of the outer
sheath.
- Untwist the exposed wires.
- The goal of the next step is to arrange the wires from left to right in
the proper order and very flat so they can be inserted into the crimp-on
cable end. The order from left to right is orange-white, orange,
green-white, blue, blue-white, green, brown-white, and brown. There are
two different "standard" wire orders called EIA-568A and EIA-568B.
This parcicular order EIA-568B which is somewhat more common. the ordering
youchose does not really matter as long as you use the same approach on both
ends of the cable. While this order may seem strange, it makes some
sense to think of it from the center out, where the blue-white/blue pair are
the center. As you place the wires in order keep them very flat and very
tightly packed so they can easily slide into the crimp-on connector.
- Once you have them in the right order, held very tightly, trim the exposed
wired to 1/2 of an inch. Without letting go of the wire, slide the crimp-on
connector on so the wires so that the connectors are facing you, the cable
is pointed upwards, and the orange-white wire is to your left.
- Press the wires firmly into the connector, making sure that the wires stay
in the proper order. The connectors are designed so that it properly aligns
the wires as long as the wrier are in the proper order.
- Once the wires are pressed into place, you should take a final look to
make sure that everything is in order. The cable sheath should be inserted
approximately 1/4 inch into the connector. The connectors are designed so
that you can lok at them from every angle to make sure the wires have been
inserted properly.
- Once the final inspection is complete, Simply insert the connector into
the crimeper and crimp the connector. most crimpers have an automatic stop
so you cannot overcrimp the connector.
- Again, you shold examine the connector closely to make sure that the wires
are properly lined up.
Once you have assembled both ends of the cable, you should test the cable in a
known configuration to make sure that it works properly. A very simple test is
to replace a known cable with your new cable and make sure that everything
continues to work.
Cable testers range in cost from $50 to several thousand dollars. For a home
network you can get by with the lowest price cable tester. The low pricer
testers simply test that the poper wires are connected to the right pins. The
more expensive testers can certify a cable as capable of handling data up to a
certain speed.
If you would like a more polished look for your cables, you can purchase
"plug boots" for each end of your cable. You slide the boot onto the
cable before you terminate the connector. Once the connector is attached, the
boot is slid over the connector and held in place with a small drop of glue.
This way your cables can look exactly the same as the cables you purchase in a
store.
Once you gain confidence building Cat-5 cables, it actually is fun and not
too difficult. If you take your time you will probably find that your very first
cable will work.
Wiring A Wall Jack
Once you have built confidence in your cable-building ability, you may want to
wire all or part of your home. The simplest approach is to run long cables
throughout your home to some common location and plug thecables into a hub. You
pull the cable between the locations and terminate the ends with the standard
male crimp-on connectors.
At some point, you may want a more polished appearance with some type of
Cat-5 wall jack. Then you can run a short cable from the wall jack to the
computer. To be even more "professional", you may want to run all the
cables to a central location in a patch panel and then run patch cables from the
patch panel to the hub or switch.
The only additional skill beyond wiring cables that is needed is the ability
to string write through your home and the ability to wire Cat-5 jacks. like
building cables, wiring jacks is relatively simple once you know the basics.
- Jacks are somewhat more expensive than cable ends. You can easily spend $5
or more for each jack. Fewer stores stock jacks so you may have to order
them mail order or shop around a bit. One nice solution is a modular jack
system where you can put different combinations of jacks into standard
openings in wall plates. Levitron (www.levitron.com) is one of the leading
vendors for modular jack systems.
- You will also need a punch-down tool to push the wires into the jacks. If
you will be terminating more than five jacks it would be a good idea to
purchase a spring loaded punch down tool with a automatic cutting blade for
about $50.00.
There are actually two different types of punch-down systems. The older system
is a "66-type" was used for phone systems and Category-3 wiring. The
newr system used for Category-5 wiring is the "110-type". Most likely
you will not encounter anything other than the 110 type equipment.
Most types of
wall jacks will actually have a color coding so you know which wires from the
Category-5 bundles are to go to which terminal. The steps to wire a jack as
shown above are as follows:
- Carefully score the outer jacket of the cable and remove about 1.5 inches
of the outer sheath.
- Figure out where each pair must be terminated in the jack. Untwist a pair
of wires, place each wire in the terminal and punch the wire down. If you
have an automatic cutter, it will automatically trim off the excess wire at
the same time. You want to maintain the twists in the wire as much as
possible, untwisting only in the last 1/4 inch if possible. Also make sure
that the wries are placed so that the sheath will be properly crimped into
any type of strain relief. In the figure above, all of the wires have been
punched down but not yet trimmed so that you can see the detail.
- Continue to punch down the remaining wires, keeping the wires twisted as
long as possible.
- Trim off any extra wire if you did not use a punch down tool with a
cutter.
- Install any strain releif as necessary.
- Install the jack in the wall.
Like any other component cabling that you build, your newly wired wall jack must
be tested as well. You can use the cable tester with a cable that is known to be
good plugged into your jack. Since all of the cables, wall jacks, and connectors
are wired "straight-through", you can test them at any point and in
any combination using the same tester.
Working with Category-5 Cable
In this section, we discuss what you may want to do when wiring your home to
provide a complete home network. We won't cover cutting holes in your walls,
installing outlet boxes, or fishing wires through walls. What we will cover is
the basics of pulling data wire and some general rules which you should follow
as you string wire throughout your house.
In many ways, ategory-5 cable is pretty rugged and you do not have to treat
it with kid gloves. But here are a few basc rules to follow as you run wire
throughout your house:
- Category-5 cable is designed to be pulled through relatively long conduit
so it has pretty good tensile strength. You can pull pretty hard without
damaging it. However depending on why you have to pull hard, you may be
damaging the cable.
- Category-5 cable does not to be bent around very tight corners. A good
rule of thumb is to keep a 6-8 inch radius on all cable bends. Generally if
you bend the cable to agressively it will tend to fail at the higher bit
rates such as 100Mb/sec. Sometimes while you are pulling the cable, it will
get tangled in a knot. If you pull too hard, you can end up crimping the
cable which can cause problems.
- You should not use a standard staple gun to attach Category-5 cable to
your walls and studs. A staple gun can also squeeze the cable too tight and
cause problems. A better approach is to use a special cable stapler or to
use a hammer and wrie staples. But with the hammer you must make sure that
the staple only "gently" touches the wire. Another approach is to
use a nylon wire-tie around the wire and then stapling the "tail
end" of the wire tie.
- You will want to avoid cable television wiring, power wiring, flouresent
lights as much as possible. You mill not be able to avoid these sources of
interference completely - but whenever possible, have your data cable simply
cross these sources at a 90-degree angle so as to minimize the interference.
- When you purchase your cable, consider purchasing cable in a
"self-feed" box or on a spool. You may have purchase somewhat more
than you need, but the convienence of being able to feed your cable without
tangling is very helpful. Usually you have to purchase 1000 feet of cable to
get a spool or pull box. But by purchasing extra cable, you can leave plenty
of exceess cable on each end of your cable pull without feeling too bad.
These rules can be summed up in a single basic idea: Category-5 cable is
happiest when you treat it gently during installation. For that reason, you need
to take our time working thr cable through and around your walls, plumbing, and
furniture. It is often quite helpful to have a helper who can make sure that the
cable does not get tangled as it is fed out.
Wiring a Home Under Construction
It is much simpler to wire a new home while ist is being constructed. You can
have a home with flexible data and entertainment network capibilities in every
room.
Some builders are even providing home wiring as an option in many new homes.
Home data wiring is often done by companies who specialize in home security,
home theater, and whole house audio. A rough estimate for a professionally
installed home data network is about $150.00 per network connection.
Some professional installers will suggest "structured home wiring".
Most structured wiring consists of some combination of Category-5 cables and
coax cable. The Category-5 cable can be used for data, telephone, security,
low-voltage power, and home automation. The coax can be used for Cable
television and satellite television. Either technology could be used for
whole-house audio or video. A typical structured home wiring solution consists
of two Catgory-5 cables and two RG6 Coax Cables. Some wiring even includes two
fiber optic cables as well. the key idea is to install the wiring once and then
upgrade the equipment in the basement and the equipment in each all outlet as
your needs change.
If you are considering structured wiring, the biggest concern is the cost of
the equipment to connect to the cables, both now and in the future.
An approach
that we prefer is to emulate the approach used in most commercial buildings.
Commercial installations prefer conduit for wiring because it offers the
ultimate in long-term flexibility. Conduit also allows you to build only the
capabilities that you need and no more. You can install a low-cost cabling
solution now, use it for ten years. Then when some new technology becomes
available and is inexpensive, you can remove your first solution and put in the
new technology using the same condut.
Depending on a number of factors, a conduit solution may actually be
significantly cheaper than a structured wiring solution even if it is installed
by a professional. There is a very effective flexible plastic conduit that is
very easy to install. Professional electricians laughingly call this "smurf-conduit"
because of its blue color. But it has a number of signifcant advantages over
wire installed directly in the walls.
When installing cable or conduit in a new home, there are a number of
important things to keep track of:
- Make sure to contact a building inspector. In most localities, the local
building inspector treats phone, entertainment, and data networking as
low-voltage and so the electrical inspector will not need to inspect the
actual wiring. However whenever you are drilling holes through floors and
installing equipment in the walls, there may be codes that you have to
follow. For example in some locations you must "fire-caulk" any
opening between floors.
- You will need to coordinate with your builder. If you install conduit, the
the actual CATV and telephone installation mat be done much later.
As you plan where to put outlet boxes and conduit runs, try to think about
future applications. Some of the locations that you might not think of right
away include:
- Above the kitchen cabinets - remote speakers, cable TV, or even a smart
refrigerator.
- In a master bathroom
- Inside closets - a closet might be a good place to put a shared printer
- Inside cabinets
And make sure that each time you have a data jack that there is power nearby.
While low voltage power solutions seem promising, most standard equipment will
need standard household power for quite a qhile. Once you have set out to
install conduit, you should use conduit for all of your connections (telephone
and CATV). This gives you ultimate flexibility for future deployment as your
wiring needs change over time.
Conclusion
In this chapter, we have examined a number of different possibilities for wiring
a home. Building cables and installing wiring for data network is not
technically challenging once you get the hang of it. By following a few simple
rules, you should be able to design and build a full-featured home network.
------------------------------------------------------------------------------------------------------------------------------------------------------
Phone Line and Power Line Networking
If your home is already built, and you don't feel like climbing around in the
attic, cutting holes in your walls, and fishing wires through walls, you may
find it more practical to use the existing wiring in your home to build your
home network.
You can do data networking over your existing phone lines or over the power
lines in your home. These protocols share the existing wiring in your home and
coexist peacefully with the current uses of your wiring.
Using One Wire for Two Purposes
Both of these protocols can share the physical wiring by adding a
"modulated" signal on the existing wiring. By modulating data at a
relatively high frequency (Mhz) the data signals "pass right by" the
normal signals on the wires. Power signals operate at 60Hz and voice telephony
operates from 0-6000Hz (the range of human hearing). The data signals are at
such a high frequency that they are not anywhere near a frequency that you would
notice in the form of a hum or other form of interference.
While this may seem daunting, it happens all of the time in Cable Television.
One cable with carries over 100 channels of information. Each channel is
modulated to use a different frequency range on the cable and so they do not
interfere with one another. Your television simply must tune to the right
frequency to extract the desired signal.
Phone line and power-line wiring use the same approach. When sending data,
they modulate it up to a high frequency and send it across the cable. The
receiving network cards are tuned to the frequency so they get the signal. At
the same time, your telephone responds to a much lower frequency so the
high-frequency data passes right by. Similarly in power line networking, your
hairdryer is "tuned" to 60Hz and so the high frequency data is
completely ignored by the hair dryer.
Now of course, there are very significant technical details to make these
protocols work reliably under a wide range of network conditions and wiring
configurations. It has taken many years of research into both technologies to
arrive at well-engineered standards which work reliably.
Early on, there were a number of competing "standards" for this
type of technology, forcing you to purchase all of your equipment from one
vendor. Thankfully in recent years, most of the vendors have chosen to conform
to standards which makes the equipment from different vendors interoperable.
Standards are very critical to networking equipment because they protect your
investment over time. A standard means that if you purchase your network cards
from one vendor and a home gateway from another vendor they will work together.
Installing Telephone Line Networking Technology
The physical topology for telephone wiring is to take single pair of wires and
run to each wall outlet. At some point, the wires are all connected together.
There is no "hub" for the wires, they are physically connected
together on a terminal block or the wires are twisted together. In some homes,
the wires simply run from one plug to the next through the walls. In other
homes, the wires are all run back to a central location and connected. The home
wiring is also phycically connected to the wire which runs to the telephone
company.
This approach makes it quite easy to add another phone extension or wire a new
jack. It is also why you can hear a conversation when you pick up any phone. On
the other hand, if you have two phone numbers for your home, they will be wired
on separate pairs. Most phone jacks are wired with at least four wires (two
pairs) and are capable of supporting two phone numbers in one jack if wired
properly. Because phone line networking depends on the wires being phyiscally
connected, all of your phone line network equipment should connect to "line
1" or "line 2". Unless you do something special, you will be
using "line 1" for your phone line networking. If, for some strange
reason, you have a reason to use two separate phone lines for phone line
networking, you will need some sort of hardware or software gateway to make them
appear as a single network.
To use the phone line for data networking, you must install a network adapter
which supports the phone-line protocols such as the Intel AnyPoint Home
Network Card. These cards install in the exact same manner as an Ethernet
card, but their connector is a telephone line connector. Some of the adapters
will connect to your computer using a USB port and others will be built-in PCI
cards. You use a standard telephone cable to connect the adapter to the
telephone outlet.
If you want to use a phone and computer at the same location, you can use a
simple phone-line jack doubler. Some of the phone line network equipment
provides a "loop through" telephone jack so you don't have to run a
wire all the way back to the phone jack at the wall to connect the telephone,
modem, or fax machine.
You will install the proper device drivers for the network equipment
following the manufacturer instructions. Once the computers are rebooted, you
should have basic network connectivity between the computers with the ability to
share files and printers. At this point, there is absolutely no relationship
between your phones and your computers. It is like you have a basic two-station
Ethernet network - except for the fact that you did not have to run any new
wires.
Sharing an Internet connection in a phone line networking environment is not
really that different from sharing an Internet eonnection in a standard Ethernet
environment, you have several options:
- Have one computer act as the Internet gateway. You install a phone line
network card and either an Ethernet card or modem (depending on your
Internet service). Then you can run a software network gateway such as
Sygate (www.sygate.com), WinRoute (www.winroute.com), Windows Internet
Connection Sharing (ICS), or other products. The software will manage
forwarding packets between your phone line network and the Internet. Some
phone line connectivity kits will include connection sharing software and
instructions for its setup.
- You can purchase a bridge to connect your phone line network to your
Ethernet network and connect any number of Internet connection sharing
solutions (hardware or software) to the Ethernet portion of your network.
If you are sharing a connection using a modem, the connection may seem a bit
strange at first. You will actually have to make two connections to the phone
jack. One for the phone line networking and another for the modem.
Phone Line Networking Technology
Phone line networking has become increasingly sphisticated over time. Most
vendors comply to a standard called the HomePNA (Home Phone Line Architecture -
www.homepna.org) specification. This specification is also an approved
international recommendation G.989.1 (Phoneline Networking Transceivers -
Foundation) . There are HomePNA compliant products from a number of vendors,
ranging from network cards, to print servers to home gateways. There are two
versions of HomePNA - Version 1.0 which runs at 1Mbps and Version 2.0 which runs
at 10Mbps. The Version 2.0 equipment is upwards compatible with the earlier
equipment.
HomePNA choses a frequency that is high enough that it does not interfere
with the frequencies used by Digital Subscriber Loop (DSL) Internet service. It
is possible for standard telephone service (POTS), DSL, and HomePNA to coexist
on the same wiring without interference.
The HomePNA protocol essentially is an Ethernet-style protocol with
adaptations to the physical, electrical, and modulation requirements necessary
to operate on telephone lines. There are several advantages to this approach.
First, many higher level network protocols, TCP/IP, Microsoft File and Print
Sharing, and Novell Netware, all are highly adapted to operate well in an
Ethernet environment. Because of Ethernet's beginnings as a single wire ptorocol,
Ethernet protocols are well adapted for the phone line wiring environment. A
second advantage to using the Ethernet protocol as the basis for HomePNA is that
it is possible to develop a bridge which transparently converts from one
physical media (phone line) to another physical media (10BaseT - or twisted pair
Ethernet).
One of the flaws of early phone-line networking was that it was difficult to
use a mix of standard Ethernet equipment and phone line networking equipment.
Now vendors have developed a relatively inexpensive bridge which has a HomePNA
port and an Ethernet port on the back. These bridge units tie the two networks
together to make them appear as a single network. With this bridge, you can use
Ethernet (even 100Mb/sec Ethernet) in your "main computer room" and
connect the rest of the house using phone line networking. This way you can have
the best of both worlds.
The advantages of phone line networking include:
- Uses existing wiring in your home for data while allowing you to continue
using the telephone
- Cabling is very inexpensive and readily available
The disadvantages and limitations of phone line networking include:
- The network adapters are more expensive - on the order of $100 as compared
to an inexpensive Ethernet adapter for less than $10. However as phone line
networking catches on, and the manufacturing volumes go up, it is quite
reasonable to expect that phone line networking adapters will drop in price.
- You will have to purchase extra equipment to bridge between any standard
Ethernet and your phone line networking equipment.
- The total phone wire wire length in your home needs to be less than 1000
feet. For most homes less than 10,000 square feet this is not a problem.
- The protocol can support up to 50 computers - again for most homes, this
is not a problem.
It is important to note that the HomePNA protocol was designed to solve the
problem of home networking and as such, may not work well in a small to medium
sized business environment.
With the standardization of the phone-line network protocols, and the strong
support from a wide range of vendors, phone line networking is a good bet for
exsiting homes which you do not want to rewire. But make sure that you look
closely at what it will take to share your Internet connection or interoperate
with an existing Ethernet network.
Power Line Networking
The adoption rate for power line networking is not as rapid as phone line
networking. While the basic idea of modulating the data at a high frequency is
the same, power line networking faces several challenges:
- The voltages and amperages present at a wall plug are much higher so the
physical equipment to connect to the power lines must be more rugged than
for telephone lines.
- While the basic frequency of AC current is 50-60Hz, equipment such as
flourescent light fixtures and microwave ovens cause a wide range of higher
frequencies to be present in the power line, potentially causing
interference with the data transmissions.
While these are interesting challenges, they have been solved in the current
generation of power line based network equipment. Like phone line networking
there is an industry association which is promoting a standardized approach to
power line technology across multiple vendors. You can get a good overview of
the standards and products for power line networking at the HomePlug Powerline
Alliance (www.homeplug.com) page.
The primary advantages of power line networking are:
- There are a lot or power outlets in the typical home
- Everywhere there is a data outlet, you have power (and vice vesa :) )
- If you imagine some ultimate "future home" where data networking
is simply assumed for every single gadget in the home, a single connector
which includes both power and data is preferable to having to run two
completely different types of wires to every location.
- Some locations such as a warehouse or other commercial space may have very
little phone or network wiring.
So while power line has not made a great impact in the home network arena to
date, it has some very attractive features and shows great potential.
Conclusion
Both phone line and power line networking have the benefit of allowing you to
build a network with no "new wires". The cost of the network adapters
for these "more exotic" technologies will be somewhat higher than a
"tried and true" Ethernet solution. But the cost will be far
lower than the cost of hiring a carpenter to cut holes in your walls for
Ethernet.
Phone line networking is becoming a relatively mature market with the release
of HomePNA 2.0 with the accompanying support from the hardware vendors. By
adding a HomePNA to Ethernet bridge, you can create a nicely integrated home
network using both technologies where appropriate.
Power line networking has some definite advantages over phone line
networking, but power line networking has had a much slower acceptance in the
market place. However, there may be some applications for which power line
networking is the only practical solution.
If your network connection is via DSL or a Cable modem, you may have a very
simple option available to you. Some services will allow you to purchase
additional IP addresses to your home for a small increase in your overall
monthly fee (about $5.00 per address). They may be able to give you up to some
small number (say 4) total addresses for your home.
Given that we will only get one IP address from our Internet Service Provider,
we will have to assign IP addresses to the other computers in the network. We
will add special hardware and/or software to make these computers
"seem" to be directly connected, their addresses are not truly global
IP addresses.
To gain an understanding of how NAT works, we first must delve a little more
deeply into the TCP/IP protocol. While we think of connections as being between
two computers, each with an IP address, in actuality there can be many
connections between pairs of computers. Each connection is identified by the IP
Address, port number, and connection number. The port number
is a way that different applications communicate with the proper peer
application on a remote system. For example web traffic moves over port 80 while
E-mail is moved across port 25. For this NAT discussion, we will ignore the port
number and concentrate on the IP address and the connection number.
When NAT is used, we assign local addresses to our computers on our internal
LAN. Those computers don't actually "know" that they are not connected
to the Internet. The are configured with an IP address, subnet mask, and gateway
address that makes sense on the local area network. When they make a connection
to an address such as 184.21.99.17 that is not on their LAN, they simply forward
the packet to the gateway address. Normally, the gateway simply copies the
packet to the other connection and off it goes across the Internet. However when
NAT is used, the packets which come into the gateway are routed to the NAT
software.
Another way to access the Internet when you are using non-routed network
addresses is to use a World-Wide-Web proxy server. Using a proxy server only
allows access to the world-wide web across the gateway. The proxy protocol is
built-into most browsers as an option. There must be a computer with an Internet
connection which is running the web proxy server software. Each client on the
local network must be configured to use the proxy server and told which server
(on the local network) to use for which protocols.
Once a client is configured to use a proxy, instead of directly connecting to a
destination computer (www.ford.com), it sends a request to the "proxy"
server which includes the entire URL which is being requested (http://www.ford.com/cars).
When the proxy software sees this request, it makes the connection to
www.ford.com, and retrieves the document using the standard Hypertext Transport
Protocol (HTTP). When the data has been retrieved, the proxy system forwards a
copy of the data to the originating workstation. This pattern is done repeatedly
for every URL or file transfer performed by the browser.
If we click on the Advanced button, we can configure the DHCP server and
domain name server for the system. We can set the range of DHCP addresses which
we will provide to clients. By limiting this range somewhat, we can also have
static addresses on the LAN outside the range of 20-50. These static addresses
can still use the gateway to connect to the Internet. We can also specify a
Domain Name Server (always a numeric address). In the case of a dialup
connection, this will be generally set as part of the PPP initialization.
However if your Internet connection is a cable modem or other technology, you
may have to hand-enter an address for the DNS server.
The typical base station operates as a gateway between a wired Ethernet and the
wireless network. Because the IEEE 802.11 is based on Ethernet (also known as
IEEE 802.3), it is possible for the base station to transparently bridge packets
between the Ethernet and wireless portions of the network. Some base stations
are also capable of running a complete Network Address Translation (NAT)
engine providing and mapping dynamic addresses for the wireless workstations and
allowing the wireless network to share a single IP address on the wired network.
As with any NAT implpementation, most standard Internet applications (such as
web browsing) work fine while printer and file sharing can be problematic at
times.
In this screen, we are configuring how the gateway connects to the rest of the
network. Because this home already has a home Internet gateway (192.168.1.1)
which is running NAT and DHCP for the home, we simply point the Airport at that
gateway for Internet connectivity. These values are very important because they
are used as part of the values configured for the wireless workstations via DHCP.
The wireless workstations need to know the DNS, gateway, and network mask values
for the rest of the network.