
THE DATA STREAM FOR VISIONARIES OF THE CONVERGENCE ERA      
Inside the Digital Den  January 2000

Splitting the pipe fantastic
Hands-on: Securing and sharing a broadband connection
Maury Wright, Executive Editor

The burgeoning number of homes with high-speed, persistent connections to the Internet offers a prime example of the start of the convergence era. Today, the link mainly carries data and perhaps streaming audio. Tomorrow, everything from phone calls to video programming may flow through the same pipe. Users will need to share that broadband stream among end nodes as diverse as TVs and telephones. Today, however, many users are having their first experience with the security issues of a broadband Internet connection and the challenge of sharing that resource among two or more PCs.

At the moment, broadband choices essentially amount to xDSL or cable. ADSL (Asymmetrical Digital Subscriber Line), the predominant xDSL technology, overlays data on the same pair of wires that delivers POTS (plain old telephone system) phone service. Cable modems allow groups of homes to share, in a LAN-like fashion, a two-way data stream that flows in the spare frequency spectrum of TV cable systems.

It's no surprise that consumers want these services. Data rates generally provide an order-of-magnitude improvement over POTS dial-up, at 56 kbits/sec, or even ISDN (Integrated Services Digital Network), at 64 or 128 kbits/sec. For streaming audio and video, and even for serious research and downloads, you need broadband.

When I converted from ISDN to my cable modem, however, I found the persistent nature of the connection even more valuable than the extra speed. Regardless of whether you use dial-up or broadband, bottlenecks elsewhere on the Net often limit performance more than your local connection speed. But the always-on connection finally made my home office equal or superior to an office workstation. No lengthy dial-in sequence to check email. No compiling a list of tasks to accomplish "when I go online later." If I need the Net, I use it.

This persistence is proving to be a killer app even for consumers who don’t work at home. In fact, a persistent link increases overall Net usage. Why pick up a newspaper for movie listings when, thanks to an always-on Net connection, the computer can deliver the information more quickly, and even customize it for you? By increasing subscribers’ online time, persistent connections afford entrepreneurs more opportunities to make money via banner ads, direct sales, service offerings, and other e-business angles.

I believe broadband connections are a necessity for the continued growth of the Internet, and that the service providers offering these resources had best recognize and nourish the opportunity. Today, the order and installation process is far too difficult, and providers have earned their spotty reputation for reliable service. Providers seem more concerned with short-term revenue than long-term success. They should focus on customer satisfaction, rather than marketing hype, to grow the subscriber base. And in addition to simplified installation and reliability, they must help ensure that users can safely connect one or more systems to the pipe.

Watch your back

Today, the burden for safe use of an always-on broadband connection falls squarely on the user's shoulders. Service providers not only offer no real protection for your system, but also provide virtually no useful advice. Users should take the responsibility seriously, because such connections typically use a static IP address, and their always-on nature makes these computers susceptible to attack. Hackers can obtain IP addresses from email or news-group postings, or simply scan address ranges for vulnerable systems.

Strictly speaking, an IP address alone doesn't give a hacker carte blanche with a system. But standard Windows 9x systems have notoriously weak security. Even if you turn off file- and printer-sharing, as most service providers recommend, your PC could still be vulnerable. Cracking tools that are freely available on the Net can easily defeat Windows password protection. A hacker could erase an unprotected hard disk, steal financial data, or commandeer your machine to launch illegal activity.

Before even discussing firewall or connection-sharing products that can add security, let's discuss what every user of Windows 9x and the Net should know and do.

The Windows installation program errs on the side of installing more things than you need. The original install, plus subsequent installation or configuration of Internet software, can leave you with more network protocols and services than you need.

The install program typically adds TCP/IP, NetBEUI (NetBIOS Extended User Interface), and IPX (Internetwork Packet Exchange) protocols anytime it gets a chance. TCP/IP is required for Internet access, and experienced users can use it to create a PC LAN. NetBEUI underlies simple Windows networks, which are much easier to install than TCP/IP-based networks. IPX is an alternative protocol used in Netware LANs, but its only use in most small LANs is to enable some multiplayer games that run across a network. Now, the fact that the protocols are copied to disk isn't so bad, since most of us have disk space to burn these days. The install program, however, also creates bindings between network services such as NetBIOS-based Windows file- and printer-sharing, transport protocols such as TCP/IP and NetBEUI, and hardware such as Ethernet or dial-up communication cards.

By default, the program binds everything to everything. In doing so, it creates system overhead. With 450-MHz machines now commonplace, many users won't notice the overhead, but you can potentially enhance system performance by better managing the situation. More significantly, the all-to-all binding opens the door for hackers, because it binds the insecure NetBIOS services to TCP/IP, exposing the NetBIOS ports at that machine's IP address to the Internet. Few users need to enable NetBIOS over TCP/IP. NetBIOS over NetBEUI allows a simple Windows-based PC network to share files and printers. And TCP/IP is necessary for Internet access. But the two need not be mixed—especially when bound to an Ethernet card that persistently links to the Internet via an ADSL or cable modem. For detailed instructions on cleaning up your system, see sidebar, "Un-binding."

To perform a basic test of system security, either before or after straightening out the protocol and binding situation, Windows PC users can turn to Gibson Research (www.grc.com). Gibson's interactive security test, called ShieldsUP!, will probe your system for security holes.

IP talk

Once the machine hooked to the Net is secure, you can safely share the high-speed connection. You can use a standard Ethernet LAN, one of the new home LANs (phoneline and wireless flavors are available), or even a direct serial connection.

Now, let's talk about IP addresses. Theoretically, multiple machines can share an IP address, so long as they don't connect to the Internet simultaneously. In practice, this scheme creates ongoing problems. Some hubs and modems, upon initial connection with another network node, logically associate an IP address with the globally unique Ethernet MAC (Media Access Controller) address that's hardwired into each Ethernet node. Should you subsequently use a different Ethernet node with the same IP address, the hub and/or cable modem may reject the connection until it gets reset via a power cycle.

Some broadband providers will allow you to pay for two, three, or even more IP addresses. With multiple IP addresses, you can connect an ADSL or cable modem directly to a LAN via a hub along with multiple PCs in a peer-to-peer fashion. In this case, you need an IP address for each system that needs access to the Internet. Service providers like this concept, of course, because they generate revenue for providing nothing more than the added IP addresses.

You could also use either a dedicated router or a PC and operating system with routing capability. But a basic router still requires dedicated IP addresses for each system that lies behind the router.

LOCKDOWN (top): To secure a system with an always-on Internet connection, you must unbind the Client for Microsoft Networks, and file and printer sharing, from TCP/IP. FIGURE 1 (bottom): A NAT gateway hides multiple private IP addresses behind a single public IP address.
In most every instance, users are better off with a single gateway device that lets multiple PCs share a single IP address. This approach costs less. Plus, you only need to worry about security issues at the gateway machine.

So, you need a gateway—either a hardware device or software on a PC—with a globally unique public address that can connect to multiple PCs and hide their private IP addresses (Figure 1, above). Moreover, you need to transparently relay data packets through the gateway to the correct private address on the LAN. You need an address translator.

The network industry has developed two techniques for handling such translation tasks—proxy servers and NAT (Network Address Translation). Both can be combined with other network functions such as routers and security firewalls. But they differ in how they process data packets.

Simultaneous translation

NAT works at a very low level in the ISO (International Standards Organization) OSI (Open Systems Interconnection) seven-layer network model—essentially below the TCP/IP (layers 4 and 3) transport and network layers. A NAT engine intercepts traffic headed for the TCP/IP stack and, on the fly, modifies the address headers on inbound and outbound data packets. For example, the engine changes the source address on outbound packets from the requesting node's private IP address and port number to the gateway's public IP address and port number (see www.grc.com/su-ports.htm for a basic description of IP addresses and ports).

The engine maintains a table of outbound address requests. When an incoming packet arrives, the NAT engine checks the table to see which private destination address is awaiting that packet. The NAT Page (www.uq.net.au/~zzdmacka/the-nat-page/natinformation.html) offers more complex examples of NAT.

Conversely, proxy servers operate at the application layer (layer 7 in the network model) and are sometimes referred to as application-layer proxy servers. A proxy server uses two separate network connections to satisfy a transaction. In our example, the proxy server has a connection to a private-address node and a connection to the Internet. Say the node requests a web page. The proxy server responds to the node while concurrently performing an address translation and issuing the request for the web page through the Net connection. The proxy server then copies data packets from one network connection to the other. Proxy servers also regularly cache web pages locally.

In reality, the address-translation mechanism in both NAT- and proxy-server-based products is more complex than these simplified descriptions. As the Internet has evolved, applications such as tunneling, VPNs (Virtual Private Networks), and streaming audio and video have for various reasons placed packet addresses into the data payload. A good NAT or proxy product must be able to intercept those addresses as well, so make sure any product you deploy supports the specific applications you plan to use.

Alternatives

The combination of a NAT engine or proxy server with a router or gateway (either software or hardware) suits most SOHO (small office home office) installations. Windows NT and Linux can provide the same capabilities, but they may be beyond the technical reach—and in the case of Windows NT, the price range—of consumers. For enthusiasts, there's no better choice than Linux, because it's free. Linux documentation typically refers to NAT as IP Masquerading, but it's the same technology. An old 486-based system would be plenty powerful to serve as the NAT gateway under Linux. But the Linux approach isn't for the typical user, at least not today (see www.trylinuxsd.com for a fairly detailed account of configuring such a Linux system). Most SOHO applications will best be served by one of the new low-cost dedicated router/hub products, or by NAT or proxy-server software that runs under Windows 9x.

Ramp Networks has led the way in the dedicated router space, and a handful of companies now offer hardware router/firewall products with NAT for around $500. In the future, a hardware router or gateway could be an essential feature of the well-connected home, because the gateway may connect to your refrigerator, IP telephone, and TV, as well as your computer. We'll detail these low-cost routers for PC LANs in an upcoming issue, and down the road we'll follow the evolution of gateways that support home automation and telephony as well.

A software-based NAT or proxy-server package clearly provides the cheapest approach to sharing a broadband link. Arguably, today NAT is free. Microsoft has included basic NAT capability, which it calls Internet Connection Sharing, in Windows 98 SE (Second Edition). I haven't tested this, but if your systems already include Windows 98 SE, it's probably worth a shot. Given Microsoft's checkered security record, I would definitely head to Gibson's ShieldsUP! site to immediately test such an implementation. I've shied away from Windows 98 SE because of instability reports that appear unrelated to the Internet Connection Sharing feature, but as usual, the Microsoft implementation won't match the overall feature set of third-party sharing products.

NAT vs proxy

With a proxy server you have to install client software on each client machine plus the proxy server on the gateway machine. You also must configure each Internet application with the proxy-server settings. With NAT-based products, you only need to set the private IP address in the TCP/IP settings on the gateway machine. And even the installation on the gateway machine is simpler than with proxy installations.

Thus I believe that a NAT product is the best choice for most home LANs. Businesses may have to think harder. If a LAN of more than a few systems shares one connection, features such as web caching start to have a positive impact on overall performance. Moreover, proxy servers generally offer additional capabilities, such as managing and documenting users' Internet access, or blocking spam and banner ads.

WinGate from Deerfield.Com is perhaps the best-known proxy package. It's free for networks that include only the gateway machine and one client, but costs $39.95 for a three-user license and $69.95 for a six-user license.

I used WinGate to share an ISDN dial-up link several years ago and found the configuration task difficult and discouraging. Having said that, the software performed solidly once installed, and several new releases have undoubtedly simplified the installation. Still, I decided to look elsewhere when I sought to share my cable modem. Sybergen introduced me to NAT and SyGate. With SyGate, my most difficult, or at least time-consuming, task was opening the gateway computer and installing the second Ethernet adapter.

Any proxy or NAT software requires two separate hardware devices to share an Internet connection with a LAN: the connection to the Internet (typically a dedicated Ethernet link to your ADSL or cable modem) and the network interface (which could be Ethernet or perhaps some new home LAN product).

With plug-and-play and the PCI bus, installing the dual interfaces shouldn't be a struggle. I've read that it's a good idea to use a different brand of Ethernet card in each slot. Presumably Windows can confuse the two if they are identical short of their unique MAC identifiers. I've never experienced this problem, but I'd err on the side of caution.

Also remember my earlier warnings about Windows networking settings. When you add a network card, you may end up with extra protocols and bindings all over again. You won't need NetBIOS over TCP/IP for any adapter. I have TCP/IP bound to both Ethernet adapters in my gateway system, and NetBEUI is only bound to the adapter that connects my client systems.

Assuming the gateway machine is already capable of Internet access, or better yet connected as you perform the installation, SyGate finds the connection and truly performs a one-touch install in about a minute. The documentation provides explicit instructions on how to set the private IP addresses, both on the gateway machine and the client machines.

For my home office, SyGate seems to offer everything I need. It sells for $39.95 for a three-user license or $69.95 for a six-user license. You can use a blacklist to prohibit any network node from accessing certain web sites, or a whitelist to specify sites that are permissible. The program can log all client-system activity. Plus, SyGate supports most popular applications, including VPNs. I'm supposed to install a VPN direct to our corporate intranet shortly. Check our web site (www.commvergemag.com) for my report on whether SyGate supports VPNs as seamlessly as the company claims.

Safekeeping

Like most other Internet-sharing software, SyGate also claims to be a firewall, offering security protection to the machines behind the gateway. Generally, any product that does address translation protects client machines relatively well because the private IP addresses can't be accessed from the Internet. Moreover, as the software processes packets, it generally won't pass incoming packets unless the source address matches with the destination address of an outgoing request. SyGate lets you drop or increase the level of security, and you may need to lower your defenses for applications such as locally hosting a web server.
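The translation-table behaviour described in the NAT section, together with the "won't pass incoming packets unless they match an outgoing request" property above, as an added illustration (not code from the article or from any product it names; the gateway class, its method names and all addresses and ports are constructed sample values):

```python
"""Toy NAT engine. Outbound packets get their private (ip, port) source
rewritten to the gateway's public address and a gateway-chosen port; the
mapping is remembered so the matching reply can be sent back to the private
node, and inbound packets with no recorded request are dropped."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    payload: bytes = b""


class NatGateway:
    def __init__(self, public_ip: str, first_port: int = 40000):
        self.public_ip = public_ip
        self._next_port = first_port  # next free public port to hand out
        # (private_ip, private_port, remote_ip, remote_port) -> public_port
        self.outbound = {}
        # public_port -> (private_ip, private_port, remote_ip, remote_port)
        self.inbound = {}

    def translate_outbound(self, pkt: Packet) -> Packet:
        """Rewrite the source of a LAN packet to the gateway's public address."""
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        public_port = self.outbound.get(key)
        if public_port is None:  # first packet of this flow: allocate a port
            public_port = self._next_port
            self._next_port += 1
            self.outbound[key] = public_port
            self.inbound[public_port] = key
        return Packet(self.public_ip, public_port, pkt.dst_ip, pkt.dst_port, pkt.payload)

    def translate_inbound(self, pkt: Packet) -> Optional[Packet]:
        """Return the packet readdressed to the private node, or None to drop it."""
        entry = self.inbound.get(pkt.dst_port)
        if entry is None:
            return None  # nobody on the LAN asked for this: unsolicited, drop
        private_ip, private_port, remote_ip, remote_port = entry
        if (pkt.src_ip, pkt.src_port) != (remote_ip, remote_port):
            return None  # port is in use, but the sender is not the one we contacted
        return Packet(pkt.src_ip, pkt.src_port, private_ip, private_port, pkt.payload)


def demo():
    """Constructed exchange: a LAN node fetches a web page; an unrelated host
    then probes the NetBIOS session port (139) on the public address."""
    gw = NatGateway("203.0.113.5")  # constructed public address
    request = Packet("192.168.0.2", 1025, "198.51.100.10", 80, b"GET / HTTP/1.0\r\n")
    on_the_wire = gw.translate_outbound(request)
    reply = Packet("198.51.100.10", 80, "203.0.113.5", on_the_wire.src_port, b"HTTP/1.0 200 OK")
    delivered = gw.translate_inbound(reply)
    probe = Packet("198.51.100.99", 4444, "203.0.113.5", 139)
    dropped = gw.translate_inbound(probe)
    return on_the_wire, delivered, dropped


if __name__ == "__main__":
    for p in demo():
        print(p)
```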

Neither SyGate, nor Sybergen's Secure Desktop (formerly called SyShield), will automatically close the aforementioned Windows security holes in a gateway machine. At $29.95, Secure Desktop is billed as a more-capable, or at least more-configurable, firewall than the one in SyGate. It's meant to protect individual machines or notebook computers that may operate both inside and outside of a firewall at different times. I couldn't discern, however, that Secure Desktop added any benefit to my home-office LAN, other than the ability to detect and record any attempted hacks. For users that need to expose internal LAN resources safely and set more complex security scenarios, BlackICE Defender from Network ICE has a super reputation. It sells for $39.95, and you can use it to dictate which IP addresses are allowed behind the firewall.

While I'm happy with SyGate, I might consider other products were I to start over today. The latest release of a traditional proxy-based package called WinProxy, from Ositis, looks very attractive. It costs $59.95 for three users and $99.95 for five. WinProxy maintains all of the advantages of a proxy server, but the latest release adds NAT capability. I haven't tried it, but it appears to be very easy to install in a NAT configuration, yet much more configurable as your needs or skills allow. Deerfield claims its WinGate product will add such capabilities in a Q1 release. Avirt is another popular proxy package that's also being bundled with some home LAN products. And the NAT Page (www.uq.net.au/~zzdmacka/the-nat-page/nat_windows.html) includes a long list of NAT packages.

Welcome to Inside the Digital Den

In this space, we take a hands-on look at new technologies as they arise from the collision of computers, communications, and consumer electronics. In future issues, we'll test IP telephony, flat-panel displays, home theater and AV networks, and more.

By looking at these technologies from the user's perspective, we hope to reveal insights that you'll find valuable—whether you're an early adopter, a service provider, an equipment vendor, or any other player in the convergence market.


Un-binding

To disable NetBIOS over TCP/IP, perform the following steps.

Open the Windows Control Panel and double click on the Network icon. The Network window will appear with a list of network components (services, protocols, hardware adapters).

You may need to scroll down the list, but you need to locate every entry that starts with TCP/IP and includes a right arrow indicating a binding to the specific hardware in that entry.

For each such entry, highlight the entry with a single mouse click, then click on Properties, and you should see a TCP/IP Properties window. You will likely need to click on the Bindings tab.

To disable NetBIOS over TCP/IP, you must remove the check marks beside both the "Client for Microsoft Networks" and the "File and printer sharing for Microsoft Networks" entries.

Click OK, and you will get a message warning you that no bindings exist. Answer NO to indicate that you don't want to go back and create the bindings.

Remember to repeat the above process for each TCP/IP entry. Avoid the OK button in the main Network window until you have processed each TCP/IP entry.

After handling all entries, the OK button in the Network window will lead to a reboot.

After the system restarts, you need to make sure that NetBIOS over TCP/IP was fully eliminated. Once again open the Network window, select one of the TCP/IP entries, click on Properties, and then click on NetBIOS. You should see no check mark.

If, by chance, Windows didn't automatically remove this check mark, do so manually for each TCP/IP entry. Restart the computer once more, and your system should be secure for connection to a broadband link.

Copyright © 2000-2008 Cahners Business Information, A Division of Reed Elsevier, Inc.