Sharing an Internet Connection Through Software
You don't have to invest in a dedicated router or residential gateway to share a single Internet connection and simultaneously protect your network. Using Internet Connection Sharing, you can turn a single computer with an active Internet connection into the functional equivalent of a router. The connected computer acts as the ICS host and shares its Internet connection. All other computers on the network route their Internet traffic through the ICS host computer.

ICS is most effective with high-speed (cable or DSL) connections, although it works acceptably with dial-up Internet connections. To share a broadband connection, the ICS host computer must have separate network adapters for the Internet connection and the LAN connection. The single biggest drawback of ICS, of course, is that the shared connection is available only if the ICS host computer is turned on.

Although ICS is included as a feature in Windows 98 Second Edition, Windows Me, and Windows 2000, we strongly recommend that you use a computer running Windows XP (Home Edition or Professional) as your ICS host. The security and usability features of this version of ICS are head and shoulders above those found in earlier versions of Windows. Most notably, the Internet Connection Firewall, found only in Windows XP, is tightly integrated with ICS and adds a measure of security that is unmatched in earlier versions.

NOTE
--------------------------------------------------------------------------------

The Network Setup Wizard, which runs from CD or floppy disk to set up ICS on client computers, does not work with Windows 95 or Windows 3.1. If computers running either of these operating systems are present on your network, you must configure the networking components manually to take advantage of an ICS host.
Do not use ICS on any network that includes a Windows 2000 Server (or Windows .NET Server) domain controller or any other computers running a DNS server, DHCP server, or Internet gateway. In addition, if any computers on the network are configured with static IP addresses, you may need to reconfigure them to be in the private address range that is automatically assigned by ICS.

Using ICS does not expose your computer to any security risks different from those that you should be concerned about on a computer that is directly connected to the Internet. If you're using the original release of Windows XP, however, be certain you install the security patches referred to in two Microsoft Security Bulletins: MS01-054, "Invalid Universal Plug and Play Request can Disrupt System Operation" (http://www.microsoft.com/technet/security/bulletin/MS01-054.asp) and MS01-059, "Unchecked Buffer in Universal Plug and Play can Lead to System Compromise" (http://www.microsoft.com/technet/security/bulletin/MS01-059.asp). These patches, which are also included in Windows XP Service Pack 1, fix serious security holes that could allow an attacker to exploit a weakness in the Universal Plug and Play service and shut down your computer or install a Trojan horse program. Note that any client machines that were set up on ICS by using this early release of Windows XP will also need to be patched; see the referenced bulletins for access to those patches.


Tightening Security on a Router
Adding a router to your network isn't a panacea. Simple NAT and packet-filtering capabilities can provide a baseline level of security for your network, but don't underestimate the resourcefulness and tenacity of outside attackers. A determined intruder who figures out that you're using a specific type of router can craft an attack against the router and may succeed if you aren't thorough in your preparation. To increase the security of the network, follow these tips:

Set a strong password for the router. Out of the box, every router uses a simple default password, and you can bet that every one of those default passwords is on a list that would-be attackers try right away.
Disable remote administration capabilities. Many routers allow you to connect to the router's configuration utility from inside your local network or from the outside. To block a major avenue of attack, disable the capability to manage the router from the Internet.
Configure how the router responds to unsolicited outside traffic. If you're running a server inside your network, forwarding specific ports to the IP address of the computer running the server software, you need to allow outside access to the computer. But you should disable all other unsolicited outside traffic. In particular, if you can configure the router to discard Internet Control Message Protocol (ICMP) packets from the Internet, you should do so. This step prevents outsiders from "pinging" your network and determining that the IP address exists. It also prevents an entire class of attacks that use malformed ICMP packets to cause havoc to the network.
Enable firewall or antivirus features, if available. Some routers integrate with specific antivirus and personal firewall programs. Linksys routers, for instance, work with the ZoneAlarm Pro personal firewall and Trend Micro's PC-Cillin antivirus software. Using this capability, you can enforce a security policy that allows Internet access through the router only to computers that are running either or both of these programs. Figure 15-6 shows the configuration options for this feature on an 8-port Linksys router. (Note that in this example the software does not run on the router itself, only on the client computers. Hardware firewalls that include built-in antivirus software are available, but they typically cost far more than a router intended for use on a home or small business network.)

Figure 15-6. Some routers for home networks, like this Linksys model, allow you to enforce security policies requiring antivirus or personal firewall software.
Carefully configure advanced firewall options. Every router is different. Depending on the specific capabilities of your router, you may be able to block specific incoming ports or block access to particular ports by time of day. The latter capability can be especially useful if you want to prevent kids from browsing the Web after 10:00 PM, for instance.
CAUTION
--------------------------------------------------------------------------------

Many routers include an option to place one or more computers on the local network in a DMZ—an acronym from the military term demilitarized zone. Putting a computer in this zone bypasses the router, giving it direct access to the Internet. Using this option may be the only way to make some types of connections, such as those used in multiplayer games. Just be aware that bypassing the router also gives outsiders unfiltered access to the computer in the DMZ. If you must use this option, we recommend enabling it only when you need it, and removing the local computer from the DMZ when it's no longer required.


Configuring a Router or Residential Gateway
Connecting a router to your network isn't a particularly difficult task. First plug your cable or DSL modem into the WAN port on the router; then plug the hub or switch that connects computers on your local network into the LAN port on the router. (If your router includes an integrated hub or switch, you can plug computers on your network directly into the LAN ports on the router.)

Most routers include a configuration utility, typically accessed through a Web-based interface. With the popular Linksys BEFSR41 and BEFSR81 routers, for instance, you load the configuration page shown in Figure 15-5 by typing the URL http://192.168.1.1 and entering the default password, admin.


Figure 15-5. Most routers, like this Linksys model, use a Web-based configuration utility.
The first step is to establish your Internet connection. If you normally acquire an IP address automatically through DHCP, choose this option for your router. Depending on your ISP, you might need to supply a fixed IP address, enter the addresses of DNS servers, or both. You might also have to perform additional steps, such as setting up a PPP Over Ethernet (PPPoE) logon for the router or changing the MAC (media access control) address of your router so that it matches the MAC address of your primary computer.

Troubleshooting
--------------------------------------------------------------------------------

You can't connect to the configuration page for your router

When setting up a router, you need to supply its IP address, typically by typing it into the Address bar of Internet Explorer. If your computer and the router have IP addresses on different subnets, you'll be unable to connect. Your computer should acquire an IP address automatically from the DHCP server on the router. This option will fail if the router's DHCP capabilities have been previously disabled, or if another DHCP server is running elsewhere on the network. Try any of these strategies to solve the problem:

Disconnect all other computers from the network, leaving only the LAN connection for your computer and the WAN connection enabled. Make sure your computer is set to acquire an IP address automatically and try again.
Operate the router's reset switch to apply the default settings. This should enable the DHCP capabilities again.
If all else fails, assign a temporary static IP address to your computer. Make sure this address is on the same subnet as the router, and specify the router's IP address as the gateway. For instance, if the router's address is 192.168.1.1, assign your computer the address 192.168.1.2, with a subnet mask of 255.255.255.0 and a gateway of 192.168.1.1.
Next set up the router's internal DHCP server. When this feature is enabled, the router responds to requests for an IP address from computers on your local network. You can typically specify a range of private IP addresses. Depending on the router, you may be able to map specific IP addresses to specific MAC addresses so that each computer on your network always receives the same IP address when connecting to the network.

Finally, close the configuration utility and configure each computer on the network to acquire an IP address automatically. (For computers running Windows XP, you should use the Network Setup Wizard for this task.) After confirming that the router is doing its job, you can set up advanced features, such as packet filtering and port forwarding.

INSIDEOUT
--------------------------------------------------------------------------------

Bypass ISP restrictions on servers

Some routers allow you to create virtual servers inside your network, passing specific ports through the router to a designated IP address. This capability can be a useful (but potentially dangerous) way to get around the blocks that many Internet service providers place on Web and FTP servers. You might want to run a personal Web server on which you can share photos with other family members, but access from the outside will fail if your ISP blocks port 80, the standard port used by Web servers. The solution is to configure the Web server to use a port that isn't blocked, such as 8080, and then use the router's port-forwarding features to pass all outside traffic on port 8080 directly to the IP address of the computer running the Web server. Anyone making a connection to the server will need to specify the public IP address of the router, followed by a colon and the port number. If you choose this option, be certain that you update the Web server software regularly with the latest security patches. And don't try to use this "under the radar" capability for a high-volume Web site unless you're prepared for a confrontation with your ISP.
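The inbound policy described in the router-hardening tips (drop unsolicited traffic and ICMP, forward only the ports you have mapped, and the DMZ caution) together with the virtual server on port 8080 from this sidebar, modeled as an added example; this is not code from the book or from any router vendor, and every address, port and packet in it is a constructed sample value.

```python
"""Added example, not from the book or any router vendor: a small model of
the inbound policy a NAT router applies. Ports mapped to a virtual server
(here 8080 -> an internal Web server) are forwarded, replies to connections
a LAN host opened are let back in, ICMP from the Internet is discarded,
everything else unsolicited is dropped, and a DMZ host, if one is set,
receives all of that leftover traffic. Addresses and ports are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp", "udp" or "icmp"
    src: str     # remote (Internet) address
    sport: int   # remote port (0 for icmp)
    dport: int   # port on the router's public address


class Router:
    def __init__(self, public_ip, port_forwards, drop_icmp=True, dmz_host=None):
        self.public_ip = public_ip
        # (proto, public port) -> (LAN address, LAN port): the "virtual servers"
        self.port_forwards = dict(port_forwards)
        self.drop_icmp = drop_icmp
        self.dmz_host = dmz_host
        # NAT table: (proto, remote ip, remote port, public port) -> (LAN ip, LAN port)
        self.sessions = {}

    def outbound(self, proto, remote_ip, remote_port, nat_port, lan_ip, lan_port):
        """Record a connection a LAN host opened; NAT rewrote its source to nat_port."""
        self.sessions[(proto, remote_ip, remote_port, nat_port)] = (lan_ip, lan_port)

    def virtual_server_url(self, public_port):
        """What an outside user must type: public address, a colon, the port."""
        return f"http://{self.public_ip}:{public_port}/"

    def inbound(self, pkt):
        """Decide what happens to a packet arriving on the WAN side.
        Returns ("forward", lan_ip, lan_port), ("drop", reason) or ("answer", reason)."""
        if pkt.proto == "icmp":
            # Discarding ICMP stops outsiders from pinging the address to learn it exists.
            if self.drop_icmp:
                return ("drop", "icmp discarded")
            return ("answer", "router replies itself")
        reply_to = self.sessions.get((pkt.proto, pkt.src, pkt.sport, pkt.dport))
        if reply_to is not None:
            # Only the exact remote host and port the LAN talked to gets back in.
            return ("forward",) + reply_to
        forward_to = self.port_forwards.get((pkt.proto, pkt.dport))
        if forward_to is not None:
            return ("forward",) + forward_to
        if self.dmz_host is not None:
            # DMZ: the router steps aside and passes everything unsolicited through.
            return ("forward", self.dmz_host, pkt.dport)
        return ("drop", "unsolicited")


if __name__ == "__main__":
    r = Router("203.0.113.5", {("tcp", 8080): ("192.168.1.10", 8080)})
    print(r.virtual_server_url(8080))
    print(r.inbound(Packet("tcp", "198.51.100.7", 51000, 8080)))
    print(r.inbound(Packet("tcp", "198.51.100.7", 51000, 80)))
    print(r.inbound(Packet("icmp", "198.51.100.7", 0, 0)))
```

With a DMZ host configured, the same model shows that every unsolicited packet that would otherwise be dropped now reaches that computer unfiltered, which is the reason for the caution in the previous section.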


Sharing an Internet Connection Through Hardware
The single most effective way to protect your local network from outside intruders is to place a barrier between the Internet and your LAN. Although businesses can justify sinking thousands of dollars into sophisticated hardware firewalls, you can protect your home or small business network for a fraction of that amount by installing a simple hardware router (sometimes referred to as a residential gateway). This piece of hardware sits between your network and your Internet connection (usually an external DSL or cable modem, although you can also use a conventional modem in this configuration). To the outside world, this gateway device looks like just another computer, although it's considerably more secure because it does not have any running programs or disk storage that can be attacked. Because it's always on, any computer can access the Internet at any time through the gateway device.

NOTE
--------------------------------------------------------------------------------

What's the difference between a router and a residential gateway? Very little, at least for today. A router is designed primarily for computer networks; its role is to sit at the edge of the network and serve as the secure interface between a local network and the rest of the world. Most products currently sold as residential gateways are nothing more than routers aimed at home users. Someday, residential gateways may take on more ambitious assignments and live up to their high-falutin' name by integrating video, telephony, and home control systems with PC-based home networks. For now, though, you can consider the terms essentially interchangeable.
Routers and residential gateways typically use NAT to assign private IP addresses to computers on your network, although you can also assign static IP addresses that are within the IANA-approved private IP address ranges.

INSIDEOUT
--------------------------------------------------------------------------------

Mix and match IP addresses

By default, most routers have DHCP enabled, allowing the router to dynamically assign IP addresses to computers on your network. This removes some of the hassles of administering a network, but it also creates problems if you want to allow certain ports to pass through the router and be sent directly to a specific local computer. If you power down the local computer for a few days, it may acquire a new address the next time it's turned on. To work around this problem, you can assign static IP addresses to one or more computers on your network. Be sure the addresses are in the same range and on the same subnet as those assigned dynamically by your router, and be sure to exclude the fixed addresses from the list used by the router's DHCP server.
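The rules from the troubleshooting sidebar earlier on this page (a static address must be on the router's subnet, with the router as gateway), from this sidebar (fixed addresses kept out of the DHCP pool) and the IANA private-range requirement mentioned above, turned into a check as an added example; this is not code from the book, and the addresses are constructed samples in the style of the book's 192.168.1.x network.

```python
"""Added example, not from the book: check a static IP assignment against the
router's LAN settings. Same subnet as the router, not the router's own address,
in an IANA private range, and outside the router's DHCP pool. All addresses
are constructed sample values."""
import ipaddress


def check_static_assignment(router_ip, subnet_mask, dhcp_start, dhcp_end, host_ip):
    """Return a list of problems with giving host_ip a fixed address; [] means OK."""
    problems = []
    lan = ipaddress.ip_network(f"{router_ip}/{subnet_mask}", strict=False)
    gateway = ipaddress.ip_address(router_ip)
    host = ipaddress.ip_address(host_ip)
    pool_lo = ipaddress.ip_address(dhcp_start)
    pool_hi = ipaddress.ip_address(dhcp_end)

    if not host.is_private:
        problems.append(f"{host} is not in an IANA private range")
    if host not in lan:
        # Different subnet: the PC will never reach the router's configuration page.
        problems.append(f"{host} is not on the router's subnet {lan}")
    elif host in (lan.network_address, lan.broadcast_address):
        problems.append(f"{host} is the network or broadcast address of {lan}")
    if host == gateway:
        problems.append(f"{host} is the router's own address")
    if pool_lo <= host <= pool_hi:
        # Would collide with an address the router may hand out dynamically.
        problems.append(f"{host} lies inside the DHCP pool {pool_lo}-{pool_hi}")
    return problems


def first_free_static(router_ip, subnet_mask, dhcp_start, dhcp_end, in_use=()):
    """Lowest usable address outside the DHCP pool that is neither the gateway
    nor already in use; None if the pool covers the whole subnet."""
    lan = ipaddress.ip_network(f"{router_ip}/{subnet_mask}", strict=False)
    taken = {ipaddress.ip_address(a) for a in in_use}
    taken.add(ipaddress.ip_address(router_ip))
    pool_lo = ipaddress.ip_address(dhcp_start)
    pool_hi = ipaddress.ip_address(dhcp_end)
    for candidate in lan.hosts():
        if candidate in taken or pool_lo <= candidate <= pool_hi:
            continue
        return str(candidate)
    return None


if __name__ == "__main__":
    # Router at 192.168.1.1/24 handing out 192.168.1.100-192.168.1.149 (constructed).
    args = ("192.168.1.1", "255.255.255.0", "192.168.1.100", "192.168.1.149")
    for candidate in ("192.168.1.2", "192.168.1.120", "192.168.2.5", "8.8.8.8"):
        print(candidate, check_static_assignment(*args, candidate) or "OK")
    print("suggested:", first_free_static(*args))
```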

Despite what you may read in some advertising literature, a router is not the same as a firewall. A basic router is designed to do exactly what its name implies: route packets between networks. An increasing number of routers sold for use in home and small business networks incorporate features typically found in firewalls, such as packet filtering, port blocking, and NAT. By making the individual computers on your network essentially invisible to the outside world, the router accomplishes one of the key tasks of a firewall; but your network will be much more secure if you combine this hardware solution with a software firewall. (See Blocking Attacks with a Firewall, for more details on the additional layers of protection you can expect.)

Why Your Router Should Be UPnP-Compatible
--------------------------------------------------------------------------------

When you go shopping for a router or residential gateway, you'll encounter a wide variety of options, from simple one-port routers to pricey devices that incorporate software firewalls and virtual private network (VPN) technology. For any router that you intend to use with computers running Windows XP, we recommend that you study the specifications carefully and make certain it supports the Universal Plug and Play (UPnP) standard. The first generation of UPnP routers (including firmware upgrades to add UPnP support to older routers) hit the streets in early 2002. Many hardware makers have been deliberately cautious about introducing this capability, especially after the announcement of a serious security problem with UPnP in the initial release of Windows XP. Linksys (http://www.linksys.com) and D-Link (http://www.dlink.com) were among the first companies to release UPnP-compatible routers. By the time you read this, other manufacturers will no doubt have followed suit.

A router that supports UPnP can offer a variety of features designed to streamline administrative tasks. With UPnP, for instance, other computers on the network can automatically sense that the router is available and configure their Internet connections without any effort on your part. Administrators can also use UPnP features to configure and manage the router without having to remember specific IP addresses or load custom software.

The most important benefit of UPnP, however, is its support for NAT traversal. With a router or residential gateway that doesn't support UPnP, the use of private addresses makes it impossible for communications programs like Remote Assistance to establish a connection. Likewise, the use of NAT makes it impossible for Windows Messenger users to communicate using audio or video features. With UPnP, the router understands how to work seamlessly with private network addresses and can maintain these connections properly.

If you have an older router that doesn't work properly with these types of applications, you may want to replace it with a newer, UPnP-compatible device. Before you go to that trouble, though, be sure to check with the hardware manufacturer. You may be pleasantly surprised to find that UPnP features are available with a simple firmware upgrade.


Adding a Direct Internet Connection to Your LAN
Safely sharing an Internet connection requires at least a slight investment in extra hardware. Routers and residential gateways cost more than simple network hubs or switches. The less expensive Internet Connection Sharing option requires that you install a second Ethernet adapter on the computer that will serve as the ICS host. Windows users with a broadband connection and a very tight budget might be tempted to cut corners by plugging a cable or DSL modem directly into the network hub or switch. In this configuration, every user acquires an IP address directly from the ISP and uses the same Ethernet adapter to communicate over the Internet and across the local network.

Without additional precautions, this configuration is horrendously insecure. An intruder who breaks in to any computer on the network has access to the entire network. In Windows XP, the Network Setup Wizard first delivers a warning message (shown in Figure 15-4, earlier in this chapter) and then enables the Internet Connection Firewall. This solution eliminates the threat of outside attack; unfortunately, it also blocks communication with other computers on your LAN. If you insist on using this configuration, you should employ one of the following options to protect yourself:

Disable ICF and install a third-party firewall. (You'll find a list of firewall programs in "Choosing a Third-Party Personal Firewall".) Unlike the bare-bones ICF, a full-featured firewall product typically allows you to define security zones. Configured properly, the firewall should allow you to freely exchange data among computers on the local network while blocking all unsolicited inbound traffic on the Internet connection.
Disable file and printer sharing on the TCP/IP protocol for each computer on your network and instead enable sharing over the NetBEUI or IPX/SPX protocol. (This procedure is documented fully in Protocols and Other Software Components.) By using a protocol other than TCP/IP for local network traffic, you can leave ICF enabled, keeping your Internet connection protected while still sharing files and other resources.


Adding Firewall Protection
After disabling file and printer sharing services, your next responsibility is to install a personal firewall to block unsolicited inbound traffic on the Internet connection. In Windows 2000, you must use a third-party product for this task because the operating system doesn't include any firewall features. In Windows XP, you can use a third-party product, but you remain perfectly secure with the help of the built-in ICF. We explain the ins and outs of firewalls in Blocking Attacks with a Firewall, so we won't repeat those details here. In this section, we focus instead on how to work around some of the occasionally confusing choices that the Windows XP Network Setup Wizard offers when you add an Internet connection to your LAN.

To start the wizard, open the Network Connections folder and choose File, Network Setup Wizard. After you click through its two introductory screens, the wizard displays the dialog box shown in Figure 15-2. The first two options assume that you're sharing an Internet connection over your network using either a hardware router or a computer running Internet Connection Sharing software. As we explain later in this chapter, this is indeed the safest and simplest way to add Internet access to a LAN.


Figure 15-2. If your computer is connected directly to the Internet and a LAN, choose the Other option.
If your computer has both a direct physical connection to the Internet and a LAN connection, choose the Other option and click Next. In the Other Internet Connection Methods dialog box, shown in Figure 15-3, select the top choice, This Computer Connects To The Internet Directly Or Through An Internet Hub, and click Next to continue.


Figure 15-3. If other network users are not accessing the Internet through your computer, choose the top option from this list.
The wizard next presents a list of available network connections, making its best guess as to which one represents the connection to the Internet. Confirm that the Internet connection is selected (in the example shown here, we've made identification easier by giving each network connection a descriptive name) and click Next to continue.


Before completing its task, the wizard displays the dire warning shown in Figure 15-4.


Figure 15-4. If your Internet connection is firewalled and you're confident that no other network computers have Internet access, you can proceed despite this warning.
Although the warning is generally accurate, you may safely disregard it and continue if you meet either or both of the following conditions:

You are certain that no other computer on your network has an active Internet connection or that all other Internet connections are protected by a firewall.
You have disabled the TCP/IP protocol on your LAN connection and are using a non-routable protocol such as IPX/SPX or NetBEUI.
If there is any chance that another computer on your network can connect to the Internet without the protection of a firewall, you run the risk that an intruder can break in to that computer and then access resources on your computer using your TCP/IP-based LAN connection. If you're confident this can't happen, click Next and finish the wizard. After prompting you for the computer and workgroup names, the wizard enables the ICF on the Internet connection but leaves the network connection open so that you can share resources across your local network.


Configuring a Broadband Connection
With broadband connections, the task of preventing anonymous intruders from browsing shared folders and other resources on your LAN is trickier. In this configuration, you have two Ethernet adapters—one providing connectivity to your LAN, the other connecting you to the Internet. Windows automatically enables file and printer sharing on all Ethernet connections, and even the Network Setup Wizard in Windows XP does not disable sharing. Thus, your first priority should be to shut down this service on the Internet connection, while leaving it in place on the LAN connection. To do so, follow these steps:

Open the Network Connections folder (Windows XP) or the Network And Dial-Up Connections folder (Windows 2000). You should see at least two Local Area Connection icons.
Right-click the icon for your Internet connection and choose Properties from the shortcut menu.
INSIDEOUT
--------------------------------------------------------------------------------

Tell your connections apart

When you have two or more network connections, how can you tell which is which? Windows isn't much help—it applies the generic label Local Area Connection for each one, tacking a number onto the end of the name for the second and subsequent connections. If the network adapter and the IP address don't give you enough information, try this easy shortcut: Right-click one icon and choose Disable from the shortcut menu. Leaving the other icon enabled, try to connect to a Web page. If you see an error message in your browser window, you know that the disabled icon belongs to your Internet connection and the other one goes with your local network. If the page appears, the roles are reversed. Armed with this information, right-click each icon in turn and choose Rename; then enter a descriptive label for each one so that you won't have to go through this rigmarole the next time you visit the Network Connections folder!

On the General tab, clear the check box to the left of File And Printer Sharing For Microsoft Networks.

Click OK to save your changes.
