
7.2 Building an enterprise network

Up to now, private IP addresses have been mentioned only in passing, mainly to point out that they exist, how to recognize them, and what their limitations are. In an enterprise network it is infeasible to give every user a separate direct connection to the Internet. The normal arrangement is to channel every user's traffic to a single gateway, and only the gateway has a direct connection to the Internet.

The term gateway is generic. It simply means the device that is connected to both the internal network and the Internet. This can be either a computer or a stand-alone device. Both proxies and routers can function as a gateway: a proxy takes the form of software running on a computer, whereas a router is a stand-alone device. A router is preferable to a proxy in almost every respect apart from cost.

7.2.1 Routers

If you have inherited a network running a proxy server that is experiencing performance problems, or on which users are finding it difficult to run certain applications, then you should consider replacing the proxy server with a router.


A router is generally a piece of hardware. It performs minimal processing of each packet, so it can operate at speeds far exceeding those of a proxy server. It also steers packets in the right direction instead of blindly sending them to the next router up the chain. Furthermore, its presence is much more transparent to clients, and it has much higher resilience.

If you look at the rear panel of a router, you will see several LAN ports, one port marked WAN, a power lead, and possibly a serial connection. To wire one up, you connect the WAN port to the cable provided by your ISP. Each LAN port can be connected to a computer or to a hub. You need to obtain the following information from your ISP:

- What fixed IP address to use, or whether to obtain one via DHCP
- The IP address of the default gateway
- What subnet mask to use
- The primary and secondary DNS servers

Each computer behind the router must then be given a private IP address, with its default gateway set to the router's LAN address. Most routers will also relay DNS queries, so the router's LAN address can usually be used as the DNS server as well; otherwise enter the ISP's DNS addresses directly.

7.2.2 Firewalls

A good analogy for a firewall is a switchboard operator for a company. If an unsolicited salesperson rings, chances are the operator will not put the call through; however, if an employee makes an outgoing call to the salesperson, the operator will not block the call. Calls made from employees within the company go through the switchboard, so the caller ID that appears on the recipient's phone will be that of the switchboard rather than the direct line.

A firewall performs this function, only at very high speeds, either in software or in hardware. It is possible to buy stand-alone firewalls, but every modern router will contain some sort of firewall (sometimes referred to as packet filtering). A firewall can also come in the guise of software on the host itself.

In Administrative Tools → Services, you will see the Internet Connection Firewall (ICF) service, the host firewall built into Windows XP. You can press Start to enable this service. This will suffice to protect a single computer from the ravages of the Internet. If your local gateway already runs a firewall, the host firewall is less important, but note that the gateway only inspects traffic crossing it; a host firewall still protects the machine from other hosts on the same LAN.


Proxies

Proxies should only be considered when there is no budget for network hardware, or when only two or three computers require an Internet connection. Proxies will slow down your Internet connection considerably.

First, if you expect to have multiple users sharing an Internet connection, you will need something more than a dial-up connection. ISDN would be the minimum, with DSL being the preferred option. You will have already created your LAN, with one computer equipped with a DSL modem of some description. This computer runs the proxy server software.

All other computers on the network have to use this computer as a via point to request Web pages and so forth. This means that every Internet-connecting program needs to know the IP address of the proxy. In Internet Explorer, this is set from Tools → Internet Options → Connections → LAN Settings → Use a proxy server.

Proxies come in two flavors: application proxies and circuit-level proxies. Application proxies normally accept only one protocol, such as HTTP. Circuit-level proxies relay any TCP application protocol (and, with SOCKS version 5, UDP as well) without understanding it. The most popular circuit-level proxy protocol is SOCKS; a popular HTTP proxy is WinGate (www.wingate.com).

Some applications will only work with an HTTP proxy, others only with SOCKS. It is generally a case of determining which applications you need to use and choosing a proxy server to suit.

The SOCKS protocol (version 5) is defined in RFC 1928. In order to use a SOCKS proxy, the client must first negotiate an authentication method. This consists of a short initial exchange (a 3-byte client greeting when one method is offered, answered by a 2-byte server choice), followed by a subnegotiation specific to the chosen method (for example, username/password authentication as defined in RFC 1929). Once the method negotiation is complete, the client sends a request (10 bytes for an IPv4 destination) carrying the command, destination IP address, and port; the server answers with a reply of the same layout, containing a status code in place of the command and the address and port it bound on the client's behalf. For a TCP CONNECT, the proxied data then flows through the same connection with no further framing; only in UDP ASSOCIATE mode is each datagram prefixed with a 10-byte header giving its destination, with responses tagged the same way.
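The exchange described above, as an added example that is not part of the original text: it builds and parses the RFC 1928 greeting, method choice, IPv4 request/reply, and the UDP-mode header, and runs a CONNECT handshake against an in-memory proxy that enforces a simple destination ruleset. The proxy, the ruleset, and all addresses (from the RFC 5737 documentation ranges) are constructed for illustration; nothing is sent over the network.

```python
"""SOCKS5 (RFC 1928) message framing with a simulated CONNECT handshake.

Added example: the proxy here is an in-memory function, not a real server,
and the addresses and ruleset are constructed for illustration.
"""
import socket
import struct

SOCKS_VERSION = 0x05
METHOD_NO_AUTH = 0x00
METHOD_USERPASS = 0x02          # subnegotiation for this method is defined in RFC 1929
METHOD_NONE_ACCEPTABLE = 0xFF
CMD_CONNECT = 0x01
ATYP_IPV4 = 0x01
REP_SUCCEEDED = 0x00
REP_NOT_ALLOWED = 0x02          # "connection not allowed by ruleset"
REP_CMD_NOT_SUPPORTED = 0x07


def build_greeting(methods):
    """Client greeting: VER | NMETHODS | METHODS. Three bytes when one method is offered."""
    return struct.pack("!BB", SOCKS_VERSION, len(methods)) + bytes(methods)


def parse_greeting(data):
    """Return the list of methods the client offered, rejecting malformed greetings."""
    if len(data) < 2:
        raise ValueError("truncated greeting")
    ver, nmethods = struct.unpack("!BB", data[:2])
    if ver != SOCKS_VERSION or len(data) != 2 + nmethods:
        raise ValueError("malformed SOCKS5 greeting")
    return list(data[2:])


def build_method_choice(method):
    """Server answer to the greeting: VER | METHOD (0xFF = no acceptable method)."""
    return struct.pack("!BB", SOCKS_VERSION, method)


def build_request(cmd, dst_ip, dst_port):
    """Request: VER | CMD | RSV | ATYP | DST.ADDR | DST.PORT, 10 bytes for an IPv4 address.

    The reply uses the identical layout with REP in place of CMD and BND.* in place of DST.*.
    """
    return (struct.pack("!BBBB", SOCKS_VERSION, cmd, 0x00, ATYP_IPV4)
            + socket.inet_aton(dst_ip)
            + struct.pack("!H", dst_port))


def parse_request(data):
    """Decode a 10-byte IPv4 request or reply into (cmd_or_rep, ip, port)."""
    if len(data) != 10:
        raise ValueError("only IPv4 (ATYP=1) messages are handled here")
    ver, cmd, rsv, atyp = struct.unpack("!BBBB", data[:4])
    if ver != SOCKS_VERSION or rsv != 0x00 or atyp != ATYP_IPV4:
        raise ValueError("malformed SOCKS5 request/reply")
    return cmd, socket.inet_ntoa(data[4:8]), struct.unpack("!H", data[8:10])[0]


def build_udp_header(dst_ip, dst_port, frag=0):
    """Per-datagram header used only after UDP ASSOCIATE: RSV(2) | FRAG | ATYP | DST.ADDR | DST.PORT.

    This is the 10-byte prefix that precedes each relayed UDP payload; a TCP CONNECT
    stream carries no such prefix once the reply has been received.
    """
    return (struct.pack("!HBB", 0x0000, frag, ATYP_IPV4)
            + socket.inet_aton(dst_ip)
            + struct.pack("!H", dst_port))


def simulate_connect(dst_ip, dst_port, allowed, client_methods=(METHOD_NO_AUTH,)):
    """Run the handshake against an in-memory proxy that permits only destinations in `allowed`.

    Returns the REP code the client would see, or None if method negotiation fails.
    """
    # Client -> proxy: offer authentication methods.
    greeting = build_greeting(list(client_methods))
    # Proxy -> client: pick one (this toy proxy accepts only "no authentication").
    offered = parse_greeting(greeting)
    chosen = METHOD_NO_AUTH if METHOD_NO_AUTH in offered else METHOD_NONE_ACCEPTABLE
    choice = build_method_choice(chosen)
    if choice[1] == METHOD_NONE_ACCEPTABLE:
        return None  # RFC 1928: the client must close the connection here
    # Client -> proxy: CONNECT to the real destination.
    request = build_request(CMD_CONNECT, dst_ip, dst_port)
    cmd, ip, port = parse_request(request)
    if cmd != CMD_CONNECT:
        rep = REP_CMD_NOT_SUPPORTED
    elif (ip, port) not in allowed:
        rep = REP_NOT_ALLOWED
    else:
        rep = REP_SUCCEEDED
    # Proxy -> client: the reply carries the proxy-side socket it bound (constructed values).
    reply = build_request(rep, "203.0.113.5", 40001)
    rep_code, _bnd_ip, _bnd_port = parse_request(reply)
    return rep_code


if __name__ == "__main__":
    rules = {("198.51.100.7", 80)}
    print("CONNECT 198.51.100.7:80 ->", simulate_connect("198.51.100.7", 80, rules))
    print("CONNECT 198.51.100.7:22 ->", simulate_connect("198.51.100.7", 22, rules))
```

The ruleset check is where a real SOCKS proxy becomes a policy enforcement point: because the client states its destination in the request, the proxy can refuse it (REP 0x02) before any outbound connection is made, which is something a plain NAT router cannot do without inspecting the packet.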

Network address translators

Any gateway that routes packets between private and public addresses performs some sort of network address translation, or NAT. For simplicity's sake, any device that implements NAT will also be referred to as a NAT. A NAT rewrites the IP header of packets leaving the network with a new, public IP address. When the response packet returns, the NAT remembers which computer originally issued the request and rewrites the IP header with the appropriate private IP address.


A proxy server, although the HTTP requests it forwards do emanate from a different IP address than the original source, is not considered to implement NAT. This is because its input differs from its output in more ways than just the IP address. More specifically, a proxy server expects a header in the data sent to it to indicate the destination host and port. True NAT devices do not require this identification. When configuring a computer to use a NAT, it is only necessary to change the gateway and DNS settings (under TCP/IP settings) to allow all applications to communicate transparently through the NAT. With a proxy, there is no such global setting, and each application has to be configured independently.

NAT is commonly associated with Cisco, whose early products implemented it, and is documented in RFC 1631 (an informational RFC, later superseded by RFC 3022) rather than being a formal Internet standard. Several different translations can be performed on network addresses, which can be used to provide more flexible gateways to the Internet. Not all gateway devices support the full range of NAT operations.

Static NAT is where every private IP address has its own corresponding public IP address. This means that each computer is distinguishable from the outside world, yet not necessarily accessible.

Dynamic NAT is where every private IP address is mapped to a unique public IP address, although not always the same one every time.

Overloading is the most common form of NAT (sometimes called port address translation, or PAT). It maps every private IP address to a single public IP address, but differentiates the connections by giving each one a different source port on that public address (multiplexing).

Overlapping is used when two LANs that use the same (overlapping) private address range are joined together. Every private IP on one network is mapped to a unique address on the second network, and vice versa, so that hosts on each side see the other side through non-conflicting addresses. Overlapping can be done by using static or dynamic NAT. The latter is a more complex undertaking.

When there is a mixture of public and private IP addresses on the stub domain (a private LAN), the NAT will not perform any translation on public IP addresses, but the packets still pass through the device.

As mentioned previously, a NAT needs to store information about what packets it has sent out, so that it can deliver the replies appropriately. In dynamic NAT, an IP address mapping cannot change midway through a TCP connection. Therefore, a NAT also needs to store which TCP connection is mapped to each address and port. Because a computer can theoretically maintain a connection on each of its roughly 65,000 ports, a network of 100 computers could maintain over 6 million concurrent sessions.


The number of clients a router can process should be stated by the manufacturer; however, as a rough estimate, every entry in the NAT translation table is about 160 bytes long, so a router with 2 MB of RAM devoted to the table could hold about 13,000 sessions, which is more than enough for any office network.

A device that implements NAT will probably also include some sort of packet filtering and logging to complement it. After all, what is the point of providing the ultimate network if the users spend all of their time browsing pornographic Web sites (unless of course you're in that industry)? Filtering can block various destination addresses, port numbers, and so forth. Logging will record packets entering and leaving the router, but not the internal nonroutable traffic. On large networks, a packet analyzer will have difficulty recording the activities of 100 users who all decide to ghost their machines at once.

Note: Ghost is a product developed by Symantec that can replicate hard disks over a network http://www.symantec.com/ghost/ .

Despite its complexity, NAT also eases system administration. If a published server goes down and you can't get physical access to it, you can use the remote-access facility that comes as standard on most routers to change the inbound mapping to point to the IP address of a server that you do have access to, and the problem is solved, for Internet clients anyway.
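An added example, not taken from the original text, of the NAT overloading (port address translation) and session tracking described above, together with a static inbound mapping of the kind used to publish a server. Two inside hosts happen to pick the same source port, a reply is matched back to its originator, an unsolicited inbound probe with no table entry is dropped (the "switchboard" behaviour), a packet from a public source on the stub domain passes through untranslated, and the 160-byte-per-entry figure gives a table-size estimate. All addresses are constructed (RFC 1918 192.168.1.0/24 inside, RFC 5737 documentation ranges outside), the per-entry size is the rough figure quoted above, and no packets are actually sent.

```python
"""Port address translation (NAT overloading) with a session table and a static inbound mapping.

Added example with constructed addresses; nothing is transmitted on a real network.
"""
import ipaddress
from dataclasses import dataclass, replace

# RFC 1918 ranges: the private addresses that must be translated to reach the Internet.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_private(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in PRIVATE_NETS)


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


class PortAddressTranslator:
    """One public address shared by many inside hosts, multiplexed on source port."""

    ENTRY_BYTES = 160  # rough per-session cost used in the text's capacity estimate (an assumption)

    def __init__(self, public_ip, first_port=49152, last_port=65535):
        self.public_ip = public_ip
        self.last_port = last_port
        self.next_port = first_port
        self.outbound = {}  # (proto, src_ip, src_port, dst_ip, dst_port) -> public port
        self.inbound = {}   # (proto, public port, remote_ip, remote_port) -> (src_ip, src_port)
        self.static = {}    # (proto, public port) -> (inside_ip, inside_port), e.g. a published server
        self.dropped = 0

    def _allocate_port(self):
        if self.next_port > self.last_port:
            raise RuntimeError("translation table full")
        port, self.next_port = self.next_port, self.next_port + 1
        return port

    def add_static_mapping(self, public_port, inside_ip, inside_port, proto="tcp"):
        """Publish an inside server: anything arriving on public_port is forwarded, solicited or not."""
        self.static[(proto, public_port)] = (inside_ip, inside_port)

    def translate_outbound(self, pkt):
        """Rewrite a packet leaving the LAN; create a session entry on first sight of the 5-tuple."""
        if not is_private(pkt.src_ip):
            return pkt  # a public source on the stub domain passes through untranslated
        key = (pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        port = self.outbound.get(key)
        if port is None:
            port = self._allocate_port()
            self.outbound[key] = port
            self.inbound[(pkt.proto, port, pkt.dst_ip, pkt.dst_port)] = (pkt.src_ip, pkt.src_port)
        return replace(pkt, src_ip=self.public_ip, src_port=port)

    def translate_inbound(self, pkt):
        """Rewrite a packet arriving from the Internet, or drop it if nothing inside asked for it."""
        static = self.static.get((pkt.proto, pkt.dst_port))
        if static is not None:
            return replace(pkt, dst_ip=static[0], dst_port=static[1])
        inside = self.inbound.get((pkt.proto, pkt.dst_port, pkt.src_ip, pkt.src_port))
        if inside is None:
            self.dropped += 1  # the stateful "switchboard" refuses unsolicited calls
            return None
        return replace(pkt, dst_ip=inside[0], dst_port=inside[1])

    def table_bytes(self):
        return len(self.outbound) * self.ENTRY_BYTES


def demo():
    """Two inside hosts on the same source port, one reply, one unsolicited probe, one published server."""
    nat = PortAddressTranslator("203.0.113.5")
    nat.add_static_mapping(443, "192.168.1.20", 443)
    out_a = nat.translate_outbound(Packet("192.168.1.10", 51000, "198.51.100.7", 80))
    out_b = nat.translate_outbound(Packet("192.168.1.11", 51000, "198.51.100.7", 80))
    reply_a = nat.translate_inbound(Packet("198.51.100.7", 80, "203.0.113.5", out_a.src_port))
    probe = nat.translate_inbound(Packet("198.51.100.9", 4444, "203.0.113.5", 50000))
    published = nat.translate_inbound(Packet("198.51.100.9", 4444, "203.0.113.5", 443))
    return nat, out_a, out_b, reply_a, probe, published


if __name__ == "__main__":
    nat, out_a, out_b, reply_a, probe, published = demo()
    for item in (out_a, out_b, reply_a, probe, published):
        print(item)
    print("dropped:", nat.dropped, "table bytes:", nat.table_bytes())
```

Note that the inbound lookup is keyed on the remote address and port as well as the public port, so a reply is only accepted from the endpoint the inside host contacted; this is the strict (endpoint-dependent) behaviour. Many consumer routers are more permissive and accept any packet to an allocated public port, which is what makes some peer-to-peer hole-punching work but also widens what an outside host can reach.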

In order to provide a backup Internet connection, you will require a second router. This router ensures that outgoing traffic to the backup ISP will be appropriately mapped. Provided both routers are interconnected, when one ISP fails the other router will take all of the traffic, and will do so without any human intervention. This type of arrangement is known as a multihomed network. It is made possible by the ways routers interoperate: they use an interior gateway protocol (IGP, such as RIP or OSPF) to exchange routes with each other inside the organization, and an exterior gateway protocol, in practice the Border Gateway Protocol (BGP), to exchange routes with the ISPs' routers. Bear in mind that sessions already translated to the failed ISP's public address will break when the switch happens, because the backup ISP does not route that address; only new connections fail over cleanly unless you hold your own provider-independent address space and announce it via BGP through both ISPs.

A piece of NAT software named Sygate is freely available, but hardware implementations are recommended.