If you can't get ADSL there are now plenty of other options. British Telecom's (BT's) prices for leased lines are slowly dropping, to a point where they may become more economical in some situations, especially in central London, where £1000 a month is enough to supply a 2Mb line. A few years ago you'd have paid not far short of that for a 64K link.
There are cable modems too, and flat rate telephone deals, including BT's SurfTime offerings, which some ISPs will allow you to combine with a network dial-up account. This will give you all the access you can eat at a fixed price, which, although probably still too much for some, compares very favourably with leased line prices.
So, whether you're a small company that wants to put internet access on every desk, or just someone with a couple of computers at home that you want to link together, connecting your whole network to the web is a much more realistic proposition than it's been in the past.
And while you've always been able to do just that with a dial-up connection, it's been something of a grey area for many ISPs. Now, however, with the ethernet variant of ADSL and other permanent connections, suppliers are falling over themselves to encourage you to connect all your systems.
However, as with so many things to do with the internet, there are lots of different ways you can do it, so we're going to look at some of them here, and explain the different decisions you'll need to make when you connect your network to the web.
What do you want to do?
Before you rush ahead and configure all your systems, you really need to sit down and work out what you're hoping to achieve when you connect all your computers.
Do you simply want to provide access to the web for all the systems? Or will people want video conferencing using tools like NetMeeting? What about running a virtual network, linking yours with a remote office, for example, or with home workers? Do you need to run your own servers, for services like web access and email, or will you rely on applications hosted at the ISP to cover those for you?
All these things will affect the way you set up your network, and what you will be able to do with it. Choosing the right offering from an ISP is essential if you want to get everything working in just the way you need, without exposing yourself to any unnecessary security risks.
Broadly speaking, there are three different ways that your computer network can be connected to the rest of the world: you can have a non-routed connection; a routed connection with Network Address Translation (NAT); or a routed connection without NAT.
A non-routed connection is, essentially, a single IP address assigned to you by your ISP, either permanently or dynamically, changing each time you connect. Ordinary dial-up internet is a non-routed connection, as are single-user ADSL solutions.
With a routed connection, the link, whether via modem, leased line, ADSL or wireless, is a conduit, along which traffic passes to and from all the systems on your network. Effectively, your network becomes a part of the network to which it's connected at the other end.
NAT allows systems on a network to be assigned addresses that aren't necessarily the ones by which they're accessed from the rest of the internet. For example, whichever computer in this office connects to the outside world, its address is translated on the way out, so to the other end they all appear to be the same system.
At the moment, the main reason NAT is being deployed with always-on connections is to conserve IP addresses - by using NAT, a number of systems can be given addresses in the private ranges.
NAT a lot of people know that!
One of the misconceptions about NAT is that it's some sort of firewall. It's not - or it doesn't have to be.
NAT translates one network address to another, but there are a number of different ways that can be done. When NAT is performing a 1:1 translation, it's just as if all the systems on the network are connected to the internet. The only difference is that all the traffic coming in and out is redirected through the NAT unit, which can perform other filtering, acting as a firewall if necessary.
Or it could monitor a group of web servers, for example, and direct web requests to a specific system, based on time of day, load or other factors.
However, when most people talk about NAT they really have in mind the set-up that you'll find, for example, on ADSL connections. Here the mapping is not so simple; it's a one to many translation. That means that multiple systems will appear to be connected from the same address. For example, take a look on IRC and you'll see that all the HomeChoice customers appear to be connected using the machine smtp.homechoice.co.uk.
With this kind of translation, there are certain things that you just can't do, at least, not without the assistance of the people operating the NAT system. You can't, for example, run a web server that internet users can access.
The web server usually listens on port 80, and as there's only one external address, only one of the potentially thousands of machines behind it can receive connections on that port. You could, of course, have port 81 on the NAT system forwarded to your computer, port 82 to a neighbour's, and so on. But that means including port numbers in URLs, which will confuse a lot of people.
In short, unless NAT is running in 1:1 mode, or you control the translation, there are many things you can't do. Anything that requires your PC to listen on a specific port won't be possible. This means, for example, that you can't make full use of some programs - DCC connections via IRC won't work, nor will some options in chat programs like NetMeeting or ICQ.
If you're concerned about these issues, ask ISPs whether the connection you are signing up for uses NAT. If it does, the chances are that you won't be able to do everything you want.
Protect and survive
One of the most irritating aspects of having a permanent web connection is vulnerability. When your computer is always online, there are people who will attempt to scan for vulnerabilities, and exploit the ones that they find. On a typical NAT connection, they're less likely to be able to find them, since many of the vulnerable ports on systems aren't available via the NAT router.
But don't ever assume that because there is some form of NAT, your computers are secure; if you're using 1:1 NAT, for instance, it may simply be passing all the traffic through to your systems, and that could include, for example, some of the currently popular attacks on FTP servers.
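To make the difference between the NAT modes concrete, here is an added simulation, written for this edit rather than taken from the article or from any router vendor, of a NAT unit running in 1:1 mode and in one-to-many mode. It covers the point made earlier that a server behind one-to-many NAT is unreachable unless port 81 or 82 is explicitly forwarded to it, and the point made just above that 1:1 NAT passes unsolicited inbound traffic (an FTP probe, say) straight through unless the NAT unit also filters. All addresses, hosts and port numbers are constructed sample values from the private and documentation ranges, and the class and function names are this example's own.

```python
"""Constructed NAT simulation: 1:1 NAT, one-to-many NAT, port forwarding
and an optional inbound filter. All addresses are sample values."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """Minimal header: just the four address fields that NAT rewrites."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


# Constructed sample addresses (RFC 1918 inside, documentation range outside).
PUBLIC_IP = "203.0.113.10"
PUBLIC_POOL = {"192.168.1.10": "203.0.113.11",   # inside -> outside, 1:1
               "192.168.1.11": "203.0.113.12"}


class OneToOneNAT:
    """1:1 (static) NAT: each inside host owns an outside address.
    Inbound traffic to a mapped address is passed straight through, so this
    mode is not a firewall unless the NAT unit also applies a filter."""

    def __init__(self, mapping, inbound_filter=None):
        self.out_map = dict(mapping)
        self.in_map = {pub: priv for priv, pub in mapping.items()}
        self.inbound_filter = inbound_filter   # callable(Packet) -> bool, or None

    def outbound(self, p):
        return Packet(self.out_map[p.src_ip], p.src_port, p.dst_ip, p.dst_port)

    def inbound(self, p):
        if p.dst_ip not in self.in_map:
            return None                          # not one of our addresses
        if self.inbound_filter and not self.inbound_filter(p):
            return None                          # filtered by the NAT unit
        return Packet(p.src_ip, p.src_port, self.in_map[p.dst_ip], p.dst_port)


class OneToManyNAT:
    """One-to-many NAT as found on typical ADSL routers: every inside host
    shares one public address. Outbound flows are given a fresh external port
    and recorded; inbound packets are delivered only if they answer a recorded
    flow or match an explicit port-forward rule (port 81 -> PC A, 82 -> PC B)."""

    def __init__(self, public_ip, forwards=None):
        self.public_ip = public_ip
        self.flows = {}                       # ext_port -> (in_ip, in_port, peer_ip, peer_port)
        self.forwards = dict(forwards or {})  # ext_port -> (in_ip, in_port)
        self.next_port = 40000                # first external port to hand out

    def outbound(self, p):
        ext_port = self.next_port
        self.next_port += 1
        self.flows[ext_port] = (p.src_ip, p.src_port, p.dst_ip, p.dst_port)
        return Packet(self.public_ip, ext_port, p.dst_ip, p.dst_port)

    def inbound(self, p):
        if p.dst_ip != self.public_ip:
            return None
        flow = self.flows.get(p.dst_port)
        if flow and (p.src_ip, p.src_port) == (flow[2], flow[3]):
            return Packet(p.src_ip, p.src_port, flow[0], flow[1])   # reply to our flow
        if p.dst_port in self.forwards:
            in_ip, in_port = self.forwards[p.dst_port]
            return Packet(p.src_ip, p.src_port, in_ip, in_port)     # explicit forward
        return None                           # unsolicited: nobody inside is reachable


def run_scenarios():
    """Exercise the behaviours discussed above; returns results keyed by name."""
    web = "198.51.100.5"       # constructed outside web server
    probe = "198.51.100.99"    # constructed outside host scanning us
    r = {}

    nat = OneToManyNAT(PUBLIC_IP)
    out = nat.outbound(Packet("192.168.1.10", 5000, web, 80))
    r["o2m_outbound"] = out                                    # rewritten to PUBLIC_IP:40000
    r["o2m_reply"] = nat.inbound(Packet(web, 80, PUBLIC_IP, out.src_port))
    r["o2m_unsolicited"] = nat.inbound(Packet(probe, 3333, PUBLIC_IP, 80))   # dropped

    fwd = OneToManyNAT(PUBLIC_IP, forwards={81: ("192.168.1.10", 80),
                                            82: ("192.168.1.11", 80)})
    r["fwd_81"] = fwd.inbound(Packet(probe, 3333, PUBLIC_IP, 81))   # reaches PC A
    r["fwd_82"] = fwd.inbound(Packet(probe, 3333, PUBLIC_IP, 82))   # reaches PC B
    r["fwd_80"] = fwd.inbound(Packet(probe, 3333, PUBLIC_IP, 80))   # still nobody

    plain = OneToOneNAT(PUBLIC_POOL)
    r["one2one_ftp"] = plain.inbound(Packet(probe, 3333, "203.0.113.11", 21))   # passed through
    filtered = OneToOneNAT(PUBLIC_POOL, inbound_filter=lambda p: p.dst_port != 21)
    r["one2one_ftp_filtered"] = filtered.inbound(Packet(probe, 3333, "203.0.113.11", 21))
    r["one2one_web"] = filtered.inbound(Packet(probe, 3333, "203.0.113.11", 80))
    return r


if __name__ == "__main__":
    for name, pkt in run_scenarios().items():
        print(f"{name:22} {pkt if pkt else 'dropped'}")
```

Run it directly and it prints which packets reach an inside host and which are dropped. The thing to notice is that the one-to-many table only admits replies to flows an inside machine started, or traffic matching an explicit forward, whereas 1:1 NAT delivers the unsolicited probe to port 21 unchanged unless the NAT unit is also told to filter it.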
Anyone connecting their network to the rest of the world should really be considering using some sort of firewall, either in the form of software or hardware.
If you're serious about security, then the best solution is a dedicated computer acting as a firewall. You can either buy one off the shelf, using systems such as the Sonicwall range, or configure a Linux or Unix box to do the job for you.
But remember that, while it may be tempting to go for the cheap option, pressing a spare PC into service - and you can see how to do some of it in the walkthroughs - anything with a complex operating system is itself potentially vulnerable.