Friday, October 31, 2008

Network Lab: VoIP

VoIP

VoIP, or Voice over IP to give it its full name, is telephony carried over an IP network, usually the public Internet. A conventional telephone has a wired connection to a local telephone exchange, and a circuit is switched across the public telephone network for the duration of the call. With VoIP the speech is digitised and sent as a stream of IP packets (the call set-up is signalled separately from the audio, which normally travels over UDP), so the 'connection' crosses the Internet like any other IP traffic.

VoIP can be used just like a conventional telephone service: it can connect to other VoIP phones, to conventional phones on the PSTN, or POTS (Plain Old Telephone Service), and to mobiles, as shown below. VoIP telephones can be physical phones that look just like conventional telephones, or they can be 'soft' phones that run as software on a PC. A PC used in this way requires a sound card with speakers and a microphone, which can take the form of a headset or a VoIP handset connected either to the sound card or via USB.

VoIP Connectivity

One huge benefit of VoIP is that some calls cost nothing. These are normally calls within the same network, i.e., to another user of the same VoIP service as the originator, with charges incurred when a call crosses to another network such as the PSTN or a mobile network. Charges may also be incurred for calls from one VoIP provider to another. Typically providers offer bundles of call minutes for a monthly fee, in much the same way as fixed-fee mobile phone contracts.

Although VoIP has been around for a few years in products such as NetMeeting or MSN, where the remote user had to be running the same application as the caller, there are still differences between providers' implementations that can result in incompatibilities between services. The IETF (Internet Engineering Task Force) has developed a standard for VoIP signalling called SIP (Session Initiation Protocol), which is becoming the accepted protocol for Internet telephony.

VoIP Providers

SIP-based providers:

Non SIP Providers:
  • Skype

    Skype is an extremely popular VoIP service that uses a proprietary protocol built around P2P technology.

VoIP Hardware

VoIP is an extremely versatile application. It can be used via an application on a PC, through a VoIP phone, or even through a conventional telephone connected either to a SIP-enabled router or to an Analogue Telephone Adapter (ATA). Some routers provide an RJ11 socket so that a conventional phone can be plugged directly into the router, although an adapter may be needed if the telephone has a standard 'BT' or RJ12 plug. Some of these hardware options are shown in the diagram below.

If you are a Skype user it is possible to obtain phones and routers that are compatible with the Skype service.

VoIP Software

Some VoIP providers supply their own software (Skype especially, as its protocol is proprietary), but one application that is often recommended for SIP services is X-Lite.

X-Lite can look complicated to set up at first because of the number of options, but in reality only two areas need configuring: the Network and SIP Proxy settings. The following screenshots show these areas and the settings required. The screenshots are for a Sipgate account.

X-Lite Network Setup

Most of the settings on this page can be left at default with just the Firewall IP address being set. Note, this will need to be set to the IP address of the local Network gateway, not the address shown here:

X-Lite SIP Proxy Setup

This screen should reflect the settings required to connect to the VoIP provider. Again, the details shown are for a Sipgate account. The appropriate information will need to be entered for the VoIP provider being used.

VoIP and Firewalls

NAT and software firewalls can disrupt VoIP because of the number of ports some software requires. The simple NAT found on most domestic routers does not usually cause much trouble, but stricter security may require some incoming ports to be forwarded to the PC running the software. In extreme cases it may be necessary to place the PC as the DMZ host; the risk of doing this should not be underestimated, as every service listening on that PC becomes reachable from the Internet. If a software firewall is installed on the PC, rules may also need to be added to allow the VoIP traffic.

The Skype client picks a random port for its communication when it is installed, and this port may need to be forwarded through any firewalls. X-Lite, on the other hand, uses a number of ports: UDP 5060 for SIP signalling, plus UDP 8000 for RTP and UDP 8001 for RTCP, the protocols that carry the audio and video across the network. Again, these may need to be forwarded through any firewalls or NAT devices that are installed. Further ports above 8001 may also be required, as each additional media stream takes another RTP/RTCP port pair.

Additionally, if a STUN (Simple Traversal of UDP Through NAT) server is used, the ports for that service may need to be allowed as well: normally UDP and TCP port 3478, although some providers such as Sipgate run their STUN server on UDP port 10000. The purpose of a STUN server is to let a STUN-aware client discover the public address and port that the NAT device in front of it has allocated, as well as the type of NAT in use, so that the client can advertise a reachable address in its SIP and RTP signalling.
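The STUN exchange just described, as an added example that is not from the original article or from any VoIP vendor's code: the client's Binding Request, a server Binding Response carrying a MAPPED-ADDRESS attribute, and the client-side parse that recovers the public address and port the NAT allocated. It follows the classic RFC 3489 framing (a 16-byte transaction ID, no magic cookie), which is what a client of the period such as X-Lite would send. The address 203.0.113.7 and port 32001 in the offline demo are constructed values; query_stun_server() is only there for a live check against a server of your choosing and is not needed for the demo.

```python
"""STUN (RFC 3489 'classic' STUN) Binding Request/Response, built and parsed
offline.  Added example; not part of the original article."""
import os
import socket
import struct

BINDING_REQUEST = 0x0001
BINDING_RESPONSE = 0x0101
ATTR_MAPPED_ADDRESS = 0x0001
FAMILY_IPV4 = 0x01


def build_binding_request(transaction_id=None):
    """Client side.  Header is type, length, then a 128-bit transaction ID.
    Returns (packet, tid); keep tid to match the reply against."""
    tid = transaction_id if transaction_id is not None else os.urandom(16)
    if len(tid) != 16:
        raise ValueError("classic STUN transaction ID is 16 bytes")
    return struct.pack("!HH", BINDING_REQUEST, 0) + tid, tid


def build_binding_response(transaction_id, mapped_ip, mapped_port):
    """Server side.  Echoes the tid and reports the source address:port it saw,
    i.e. the NAT's public mapping, in a MAPPED-ADDRESS attribute."""
    value = struct.pack("!BBH4s", 0, FAMILY_IPV4, mapped_port, socket.inet_aton(mapped_ip))
    attr = struct.pack("!HH", ATTR_MAPPED_ADDRESS, len(value)) + value
    return struct.pack("!HH", BINDING_RESPONSE, len(attr)) + transaction_id + attr


def parse_binding_response(packet, expected_tid):
    """Client side.  Checks type, tid and lengths, then walks the attributes
    and returns (ip, port) from MAPPED-ADDRESS."""
    if len(packet) < 20:
        raise ValueError("packet shorter than STUN header")
    msg_type, msg_len = struct.unpack("!HH", packet[:4])
    tid = packet[4:20]
    if msg_type != BINDING_RESPONSE:
        raise ValueError("not a Binding Response: 0x%04x" % msg_type)
    if tid != expected_tid:
        raise ValueError("transaction ID mismatch (spoofed or stale reply)")
    body = packet[20:20 + msg_len]
    if len(body) != msg_len:
        raise ValueError("truncated STUN body")
    offset = 0
    while offset + 4 <= len(body):
        attr_type, attr_len = struct.unpack("!HH", body[offset:offset + 4])
        value = body[offset + 4:offset + 4 + attr_len]
        if len(value) != attr_len:
            raise ValueError("truncated attribute")
        if attr_type == ATTR_MAPPED_ADDRESS:
            _, family, port, raw_ip = struct.unpack("!BBH4s", value[:8])
            if family != FAMILY_IPV4:
                raise ValueError("unexpected address family 0x%02x" % family)
            return socket.inet_ntoa(raw_ip), port
        offset += 4 + attr_len
    raise ValueError("no MAPPED-ADDRESS in response")


def classify_mapping(local_port, mapped_port):
    """Did the NAT keep the client's port (easy case for SIP/RTP) or rewrite it?"""
    return "port preserved" if local_port == mapped_port else "port translated"


def query_stun_server(server, port=3478, timeout=2.0):
    """Live query against a real server (needs network).  Returns
    ((public_ip, public_port), local_port)."""
    request, tid = build_binding_request()
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.bind(("0.0.0.0", 0))
        sock.sendto(request, (server, port))
        data, _ = sock.recvfrom(2048)
        return parse_binding_response(data, tid), sock.getsockname()[1]


def demo():
    """Offline round trip: request, constructed server reply, parse."""
    request, tid = build_binding_request(bytes(range(16)))
    assert len(request) == 20
    reply = build_binding_response(tid, "203.0.113.7", 32001)  # constructed reply
    return parse_binding_response(reply, tid)
```

The transaction ID check matters: a client that accepts any Binding Response will happily take a spoofed mapping and advertise an attacker-chosen address in its SIP headers, so the reply is tied to the request before anything in it is trusted.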

Further Reading

Network Lab: Connecting an Xbox to Your Cable Connection

Connecting an Xbox to Your Cable Connection

Microsoft's Xbox is an awesome games console in its own right, but hook it up to your network via its built-in network interface and you too can have fun beating up or shooting folks from anywhere, or maybe just out-braking them into the Goddards hairpin at Donnington. All from the comfort of your own home :-)

Ordinarily, a subscription to Microsoft's XBox-Live service is required for on-line gaming with the XBox, but it is possible to use third party systems such as XBConnect and Gamespy, both of which require another PC to be on the same network as the XBox which then, in effect, becomes a proxy for the XBox.

The Physical Connection

But enough of frivolities. Before we can do any of the above your Xbox needs to be connected to either your Cable Modem or your network. The network interface on the Xbox is a conventional DTE 10BaseT interface, so it can be connected to your broadband network in the same manner as any PC. In other words, a straight CAT5 cable is normally all that is required, although if you are connecting directly to a NIC on a PC then a cross-over cable will be necessary. The following diagrams show scenarios where either a straight cable or a cross-over cable is needed.

Scenarios where a straight cable is required to connect an Xbox include connecting direct to external Cable Modems, connecting to Routers and connecting to Hubs:

Xbox Console

Scenarios where a cross-over cable is required include connecting to some Set Top Boxes (this is usually indicated near the connector on the STB) and where a PC is used as a gateway machine and no hub or switch is used in the network:

Xbox Console

It is also possible to use a wireless connection with an Xbox through an Ethernet-to-802.11b bridge such as the SMC SMC2670W Ethernet/Wireless Adapter or the Linksys WET11. This lets the Xbox join your existing wireless network without needing any driver on the console itself.

MAC Addressing

If your Xbox is connected directly to a Cable Modem or STB, the Cable Modem or STB needs to know the MAC address of the Xbox. The MAC address of a device is a 12-digit hexadecimal number that is unique to each Ethernet device, and NTL configure their cable modems and STBs to talk only to devices whose MAC addresses are known. With a Cable Modem the modem will talk to a maximum of two MAC addresses, whereas with an STB the maximum is five.

With an external modem, all that is needed to connect an Xbox is to switch off the modem and the PC, remove the RJ45 cable from the PC and connect it to the Xbox. Once done, switch on the Cable Modem and wait for it to synchronise with the head-end. Finally, switch the Xbox on and, assuming your Xbox Live set-up is for DHCP, it will obtain an IP address from NTL.

For an STB, you need to configure the MAC address of the XBox via the 'start.ntl' URL, where the MAC can be registered as a device.

It is also possible to clone the MAC address of an existing cable-connected device via the Xbox Live set-up, which allows the Xbox to be used without switching off modems or adding MAC addresses to the STB. Note that two devices cannot share one MAC address on the same segment, so the original device must stay disconnected while the Xbox is using its address.

Note: If your XBox resides on your LAN, behind a router or Gateway PC, then the MAC address issues discussed above are irrelevant!

IP Addressing

More often than not your XBox will just need to use DHCP in order to get an address (this is most important when connecting direct to a Cable Modem or STB) but in the instance where a DHCP server is not available, it is possible to set a fixed IP Address via the Xbox Live set-up. This address must be compatible with your existing IP Network addressing and the XBox's default gateway needs to be set as your network's gateway address.

For example, consider a network with a couple of PCs behind a Linksys router. By default, the Linksys router will have an address of 192.168.1.1, and the PCs, if using DHCP, will have 192.168.1.100 and 192.168.1.101 respectively. In this scenario the Xbox would get an address via DHCP, but if you decided to fix its address, it would also need an address on the 192.168.1.x network and its default gateway would be 192.168.1.1. When setting the address on the Xbox, be aware of existing addresses on the network and avoid any address in the DHCP range. For the Linksys in our example, this means addresses 192.168.1.100 to 192.168.1.149, inclusive.

Some XBox Links

Network Lab: Netgear ME102 Wireless Access Point

Netgear ME102 Wireless Access Point

Netgear's ME102 802.11b Access Point is a fairly innocuous piece of kit: a small Netgear-blue slab with a couple of small LEDs on the top to show that power is on and that the wireless service is available. It also has a pair of small antennas. The rear of the unit has sockets for power, an Ethernet connection and a USB port for access to the AP's management console.

Basic Setup of the ME102

The ME102 acts as a MAC-level bridge. What this means is that it does not have any concept of TCP/IP or any applications running over TCP/IP so when connected to a network, any devices that connect via wireless can communicate directly with that network, assuming the TCP/IP settings are correct. If there is a DHCP server on the network then any wireless clients will be able to get an IP address from that server, via the ME102. Because of this, the only set-up required for the ME102 to work is to plug in the power supply and connect the ethernet connection to the network using a straight RJ45 cable (supplied with the unit). In order to manage or monitor the ME102, however, it is necessary to use the supplied management software. Two versions are supplied, one that connects via USB to the console and one that can be used across the local network.

Accessing the ME102 USB Management Console

Before considering managing the AP, the necessary connections need to be made. The following diagram shows the ME102 in a typical network where it has a connection to the router/switch via Ethernet and a connection via USB to one of the networked PCs. Note that the USB connection does not have to be permanently connected for the ME102 to function, nor does it need to be on a separate PC.

ME102 Management

The simplest method of accessing the ME102 console is to connect a PC via the USB port. Windows will recognise the ME102 as a new device and install the necessary drivers. Once that is completed, the USBManager software needs to be installed. On running, the Manager displays a panel showing both the AP's and the management utility's version numbers. Two buttons are available, Configure and Exit. Clicking Configure shows the AP USB Management screen, General Configuration.

USB Manager - General

Here, we specify our ESSID (Extended Service Set ID), which is similar in concept to the Workgroup name used in Microsoft Networking and defines the ID that wireless clients should use when negotiating a connection. In addition, it is possible to specify a channel that the clients will use.

USB Manager - IP Setting

In order to use the SNMP Manager, the AP requires an IP address that matches the network it is connected to. By default, the ME102 has an IP address of 192.168.0.5, which could be an issue if this address is already in use on your LAN! Here we show a modified address.

USB Manager - Encryption

Wireless networking can be a great convenience but it does have some security issues. Wired Equivalent Privacy (WEP), whilst far from perfect (its keystream reuse is well known and tools exist that recover the key from captured traffic), offers some protection from casual wardrivers, and the ME102 offers both 64- and 128-bit WEP key modes. When WEP is enabled, a number of keys need to be defined. Each is a string of hexadecimal bytes, either 5 or 13 of them depending on whether 64- or 128-bit encryption is chosen; the remaining 24 bits of the advertised key length are the per-packet IV, not secret key. Using 64-bit keys makes life easier as the keys are shorter, but it also makes the encryption that much easier to break. 128-bit keys are longer, so harder to configure on the clients. The ME102 can hold up to four keys but will default to the one specified. Wireless clients will need the same key set in order to connect to the AP.

The fact that the keys are hexadecimal means that each character can be either a digit between 0 and 9 or a letter between A and F, so 0A 0B 0C 0D 0E is a valid 64-bit key, as is 12 34 56 78 90. A valid 128-bit key could be 00 01 02 03 04 05 06 07 08 09 0A 0B 0C or DE AD BE EF FE ED DE AF BE EF DE AD ED. Whatever keys are used (and these are only examples, not recommended for general use) they will need to be configured in every client in order to get a connection. Note, however, that by default the ME102 is set to both Open System AND Shared Key, so if only WEP clients should be able to connect, the Authentication Type needs to be set to Shared Key only. Be aware that Shared Key authentication sends a plaintext challenge and its WEP-encrypted response over the air, which hands anyone listening a keystream sample, so it does not make the encryption itself any stronger.
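Because WEP keys are easy to get wrong (an odd number of digits, a stray letter outside A-F, a 64-bit key typed where 128-bit was selected), here is an added Python check, not part of the original article or any Netgear software, that normalises the spaced, colon-separated or bare hex forms, verifies the byte count matches one of the two ME102 modes, and reports how much of the advertised length is actual secret key. The ascii_key_to_hex() helper assumes the client treats a 5- or 13-character 'ASCII' key as its raw bytes, which is how most clients of the period behaved; check your own client before relying on it.

```python
"""WEP key entry checks for an 802.11b AP such as the ME102.  Added example;
not from the article or Netgear."""
import re

# Secret key bytes per mode; the advertised size adds the 24-bit per-packet IV.
WEP_MODES = {5: "64-bit", 13: "128-bit"}
IV_BITS = 24


def normalise_wep_key(text):
    """Accept '0A 0B 0C 0D 0E', '0a:0b:0c:0d:0e' or '0A0B0C0D0E'; return bare
    upper-case hex, or raise ValueError explaining what is wrong."""
    hexstr = re.sub(r"[\s:\-]", "", text).upper()
    if not re.fullmatch(r"[0-9A-F]*", hexstr):
        bad = sorted(set(re.sub(r"[0-9A-F]", "", hexstr)))
        raise ValueError("hex digits only (0-9, A-F); found %s" % "".join(bad))
    if len(hexstr) % 2:
        raise ValueError("odd number of hex digits (%d); keys are whole bytes" % len(hexstr))
    nbytes = len(hexstr) // 2
    if nbytes not in WEP_MODES:
        raise ValueError("need 5 bytes (10 digits) for 64-bit or 13 bytes (26 digits) "
                         "for 128-bit; got %d bytes" % nbytes)
    return hexstr


def describe_wep_key(text):
    """Which mode the key fits and how much of the advertised length is secret."""
    key = normalise_wep_key(text)
    nbytes = len(key) // 2
    return {"hex": key, "mode": WEP_MODES[nbytes],
            "secret_bits": 8 * nbytes, "advertised_bits": 8 * nbytes + IV_BITS}


def ascii_key_to_hex(text):
    """Assumption: the client uses an 'ASCII' key's raw bytes (5 or 13 chars)."""
    raw = text.encode("ascii")
    if len(raw) not in WEP_MODES:
        raise ValueError("ASCII key must be 5 or 13 characters, got %d" % len(raw))
    return raw.hex().upper()


def check_key_set(keys, default_index):
    """The AP holds up to four keys in slots 1-4 and transmits with the default
    slot.  It runs in one mode, so every slot must hold the same key size.
    Returns (normalised keys, mode)."""
    if not 1 <= default_index <= len(keys) <= 4:
        raise ValueError("1-4 keys, and the default slot must be one of them")
    modes = {describe_wep_key(k)["mode"] for k in keys}
    if len(modes) > 1:
        raise ValueError("mixed key sizes: %s" % ", ".join(sorted(modes)))
    return [normalise_wep_key(k) for k in keys], modes.pop()
```

The reported secret_bits (40 or 104) is the number that matters when judging the two modes; the 64/128 figures on the box include the IV that is sent in the clear with every packet.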

USB Manager- Operational Setting

The operational settings of the ME102 can largely be left at default; the one change you should make is to set a new password for the AP.

Accessing the ME102 SNMP Management Console

The alternative method of managing the ME102 is to use the supplied SNMP management Utility. The SNMP utility basically has the same configuration options as the USB version except that it has set up options for MAC address locking and can also display statistics.

The SNMP utility is required to be installed on a Windows PC connected to the LAN. When the SNMP utility is run, it scans the network looking for ME102 APs. Once found, the AP will be displayed in a window:

ME102 SNMP Manager Login Screen

Simply select the AP to manage and click login. Enter the password when prompted and the general configuration screen will now be displayed. As this does not differ from the USB management utility the following sections will concentrate on the MAC 'locking' and statistics offerings.

Limiting Connections by MAC Address

An additional security option on the ME102 is to allow only known MAC addresses to connect via the wireless link. The MAC address is the unique 12-digit hexadecimal number burnt into every network interface card, and is often called the hardware address. To find this address for a particular card, use either ipconfig or winipcfg, depending on your version of Windows, or ifconfig if using Un*x. Once you have the MAC address(es), create a text file on the management PC and enter them, one per line. Save the file, then from within the SNMP manager load this text file. The MAC addresses will appear as shown below. Bear in mind that MAC addresses travel in the clear over the air and most wireless cards can be set to any address you like, so this is a filter against casual connections rather than a substitute for encryption.

ME102 SNMP Manager- Authorized MAC

To enable these MAC addresses, click on Download to AP and also do not forget to click on Apply!

Statistics

For what it is worth, the SNMP Manager can also display some usage statistics that show the number of packets received on both the ethernet and wireless interfaces:

Me102 SNMP Manager - Statistics

Connecting a Wireless Client

In theory, it should be possible to connect any 802.11b compatible device via the ME102, and this would include devices from manufacturers like Linksys, D-Link and many others. Most of these cards are based on the PRISM specification, and can use the same drivers. Windows installations may be a little less forgiving, however, and you should install the appropriate drivers as supplied with the card. Linux users should consult Jean Tourrilhes's website for info on their wireless NIC. This is an excellent resource, IMHO.

Once a wireless connection is established, then conventional TCP/IP networking takes over. In other words you need a TCP/IP address, a default gateway and some sort of DNS functionality.


Network Lab: The Linksys BEFSR41 Etherfast Cable/DSL Router

The Linksys BEFSR41 Etherfast Cable/DSL Router

'Instant Broadband' is what it says on the tin, and it does exactly that. The BEFSR41 is a small blue/grey device, just slightly larger than a video cassette. The rear of the unit has a number of RJ45 sockets that offer a single WAN connection and 4 LAN connections. The front of the unit shows link and activity LEDs for each interface.

The Linksys router is also available in a single or 8-port LAN version.

Connecting to Cable Modem

Connecting the router to the modem is as simple as connecting a straight RJ45 cable between the WAN port of the router and the Cable Modem. By default the router is set to get its WAN IP address from a DHCP server, and this works very well with the NTL servers. One issue that may arise if you replace an existing PC with the Linksys is that the Cable Modem will retain the MAC address of the original NIC, and it can be troublesome to get the modem to see the Linksys as a new device. Two options are available:

  1. Power off your CM and after powering back on, allow it to re-sync with the head-end before switching on the Router. Note it may be necessary to leave the modem off for 4 hours so that your dhcp lease expires, or,
  2. Configure the Linksys to have the same MAC address as your CM connected PC NIC has. This is known as MAC spoofing or, in Linksys speak, cloning.

Connecting to LAN

By default, the Linksys will have a LAN IP address of 192.168.1.1 and a netmask of 255.255.255.0. This means that unless a PC connected to it is set to get an IP address via DHCP, it will need setting up with an address on the 192.168.1.0 subnet. Be aware, however, that this address must not be 192.168.1.1, nor must it be in the range 192.168.1.100 to 192.168.1.149, as this is the default DHCP scope configured on the router. You also cannot use 0 or 255 as the last number, as those are the network and broadcast addresses.

Again, a straight RJ45 cable is all that is needed to connect a PC to the Linksys. Four ports are available for the LAN side, although five physically exist. The fifth is actually an uplink port for connecting a hub or switch to the router. Note that use of the uplink port means that port 1 is not available, so in effect you have a 3-port switch in this scenario.

Theoretically, your Linksys-connected network may look like the following diagram, which shows two PCs connected to a CM via a Linksys router. Note that both PCs have obtained their IP address from the Linksys, which in turn has got its WAN address from the NTL DHCP server.

Linksys Router Network

In the scenario where you have more than four machines that you want to connect to the Internet, then you will need to attach further network devices to the Linksys so that the physical limit of the router can be extended. Typically, this is achieved by attaching a hub or switch to the uplink port of the router using a straight RJ45 cable. Alternatively, you could connect a hub/switch to one of the other router ports using a cross-over cable, but there would not be any real gain in doing this.

PCs connected to the additional hub/switch can still use the dhcp service on the Linksys, and will still be part of the 192.168.1.0 subnet. No configuration changes are needed on the router for this to work correctly. The following diagram shows how it works in practice:

Router With Hub

Integrating with your existing Network

As previously discussed, by default the BEFSR41 is designed to allow up to four PCs to connect to a Cable Modem or ADSL connection, where the WAN IP address is obtained by dhcp, and the IP addresses for the LAN clients are delivered by the router's own dhcp server range between 192.168.1.100 to 192.168.1.149. If you are moving from an existing gateway system for instance, your IP addresses may not work very well with the default settings of the router. Of course, if the PCs you already have networked are already getting their IP address via dhcp, then it should be just a matter of connecting them to the router and obtaining a new address. Note that you may need to release the old address before attempting to get an address from the router.

Changing the Default Configuration

WARNING. Changing the default settings on your Linksys can reduce the effectiveness of the security offered by the router, and in some instances stop it working all together!

MAC Cloning

Perhaps the first thing you will want to do is to clone the MAC address of the NIC that the Cable Modem has been talking to all this time. The MAC, or hardware, address of a particular network device, be it a NIC or a router, is unique and consists of six bytes, written as twelve hexadecimal digits. The CM 'learns' this MAC address from the device attached to it, i.e., a NIC in a PC, and will only talk to that MAC address until it is reset and has 'forgotten' the original MAC.

Note that it is no longer necessary to clone MAC addresses. If you change from a PC or another router to a Linksys (or any other router) then all you should need to do is power-cycle your cable modem, then power up your new device. I have left the MAC address details in, just in case you decide to do it anyway:-)

  1. Finding the MAC address that the CM 'learns'

    The easiest way of doing this is by using whatever facility your currently connected device has for displaying its NIC's MAC address. Make sure the device is connected to the CM service and can reach Internet services. Run whatever utility your system has for showing the MAC address and make a note of it.

    • Win9X

      Use the command winipcfg by selecting Run from the Start Menu. A window will be shown that looks like this:

      Output from Start/Run/winipcfg

      In Microsoft parlance, the MAC address is displayed as the Adapter Address, but is the same thing.

    • WinNT/2000

      With Windows NT/2000 you need to open a command window and type the command ipconfig /all. Note that the following output is truncated to show the relevant MAC address information, which Microsoft now call the Physical Address.

      C:\>ipconfig /all

      Ethernet adapter Local Area Connection 5:

      Connection-specific DNS Suffix . : nigs.net
      Description . . . . . . . . . . . : Linksys EtherFast 10/100 PC Card
      Physical Address. . . . . . . . . : 00-E0-98-21-25-4C
      DHCP Enabled. . . . . . . . . . . : Yes
      Autoconfiguration Enabled . . . . : Yes

    • Linux

      At your shell prompt type ifconfig, which will result in output that will look very similar to that shown in the following screen dump, which shows the output from a two NIC Linux machine where eth0 is attached to an NTL Cable Modem and eth1 is attached to the internal network. Here the MAC address of the NIC is displayed as the HWaddr. This example also shows that it is important to get the correct address, or in other words, the address of the NIC attached to the Cable Modem.

      Output from ifconfig

  2. Setting up a PC to access the Linksys Manager

    In an ideal world, you do not need to access the Linksys Manager in order to get it operational, but password issues aside, in order to clone your MAC address you have to. Simply connect a PC to one of the LAN ports of the router, and assuming the PC can lease an address, run a web browser set to use a LAN connection and connect to site http://192.168.1.1. A successful connection will result in you being asked for the Linksys Manager password. The default settings for this are Username = nothing, Password = admin. CHANGE THIS PASSWORD!

    Once connected you will be faced with the general setup interface of the Linksys. For NTL, ensure that 'Obtain an IP automatically' is selected in the WAN Connection Type section, as shown below. There is no requirement to enter either the Host Name or Domain Name.

    Default Linksys Manager Page

  3. Setting the MAC address

    The MAC Clone option is accessed via the Advanced configuration option of the Linksys Manager. Click on the Advanced tab, then click on the MAC Addr. Clone tab.

    Replace the shown MAC address with the address you got from your original NIC, click Apply, and that should be it. Once you return to the Manager, select the Setup tab and check the WAN MAC address is displayed correctly.

    In my experience with the Linksys, using our internal e-smith provided dhcp server, the Linksys never needs a reboot in order to make changes such as MAC changes, but with a Cable Modem, I would suggest you power off the Linksys after making this change, just in case.
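Step 1 above, and the ME102 whitelist file earlier on this page, both come down to pulling a hardware address out of tool output and getting its format right. Here is an added Python helper (not from the article, Linksys or Netgear) that parses the 'Physical Address' lines of ipconfig /all and the 'HWaddr' lines of the old ifconfig layout, normalises hyphen, colon and bare forms, rejects values that cannot be a NIC's own unicast address, and writes the one-per-line whitelist file. The two sample outputs are constructed for the example, modelled on the layouts shown above, and do not describe any real host.

```python
"""Find, normalise and whitelist MAC addresses.  Added example; the sample
tool outputs below are constructed, modelled on the article's ipconfig/ifconfig
layouts, and do not belong to any real host."""
import re

# Constructed ipconfig /all excerpt (Windows NT/2000 layout).
IPCONFIG_SAMPLE = """\
Windows 2000 IP Configuration

Ethernet adapter Local Area Connection 5:

        Connection-specific DNS Suffix  . : example.net
        Description . . . . . . . . . . . : Linksys EtherFast 10/100 PC Card
        Physical Address. . . . . . . . . : 00-E0-98-21-25-4C
        DHCP Enabled. . . . . . . . . . . : Yes
"""

# Constructed ifconfig excerpt (old net-tools layout, two NICs: eth0 to the
# cable modem, eth1 to the LAN).
IFCONFIG_SAMPLE = """\
eth0      Link encap:Ethernet  HWaddr 00:50:BA:11:22:33
          inet addr:10.1.2.3  Bcast:10.1.2.255  Mask:255.255.255.0
eth1      Link encap:Ethernet  HWaddr 00:50:BA:44:55:66
          inet addr:192.168.1.1  Bcast:192.168.1.255  Mask:255.255.255.0
"""

_HEX12 = re.compile(r"^[0-9A-F]{12}$")


def normalise_mac(text):
    """Accept 00-E0-98-21-25-4C, 00:e0:98:21:25:4c or 00E09821254C; return the
    colon-separated upper-case form, or raise ValueError."""
    digits = re.sub(r"[\s:\-.]", "", text).upper()
    if not _HEX12.match(digits):
        raise ValueError("a MAC address is exactly 12 hexadecimal digits: %r" % text)
    if int(digits[:2], 16) & 0x01:
        # I/G bit set: a group (multicast/broadcast) address, never a station's own.
        raise ValueError("group address cannot be a station MAC: %r" % text)
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def is_locally_administered(mac):
    """U/L bit set: assigned by software (cloned, spoofed or a virtual NIC)
    rather than burnt in by the manufacturer."""
    return bool(int(normalise_mac(mac)[:2], 16) & 0x02)


def parse_ipconfig(text):
    """Map each adapter name in `ipconfig /all` output to its Physical Address."""
    found, adapter = {}, None
    for line in text.splitlines():
        m = re.match(r"^(?:Ethernet|Wireless LAN|PPP) adapter (.+?):\s*$", line)
        if m:
            adapter = m.group(1)
            continue
        m = re.match(r"^\s*Physical Address[ .]*:\s*([0-9A-Fa-f\-:]{17})\s*$", line)
        if m and adapter:
            found[adapter] = normalise_mac(m.group(1))
    return found


def parse_ifconfig(text):
    """Map each interface in old-style `ifconfig` output to its HWaddr."""
    pattern = re.compile(r"^(\S+)\s+Link encap:Ethernet\s+HWaddr\s+([0-9A-Fa-f:]{17})")
    found = {}
    for line in text.splitlines():
        m = pattern.match(line)
        if m:
            found[m.group(1)] = normalise_mac(m.group(2))
    return found


def build_whitelist(macs):
    """One address per line, de-duplicated, as the ME102 SNMP manager loads it."""
    return "\n".join(sorted({normalise_mac(m) for m in macs})) + "\n"


def is_authorised(mac, whitelist_text):
    """The decision the AP makes: is this station's address in the loaded list?"""
    allowed = {normalise_mac(l) for l in whitelist_text.splitlines() if l.strip()}
    return normalise_mac(mac) in allowed
```

For the cable-modem case the address to clone is the one on the interface facing the modem (eth0 in the constructed ifconfig output), not the LAN side; is_locally_administered() is a quick way to spot that an address you are about to copy is itself already a cloned or software-set one.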

Changing the Default 192.168.1.0 Network

Set the LAN address of the Linksys by entering the IP address and Subnet Mask on the main setup screen.

Changing the network number from the Linksys default is only really necessary if you are connecting an existing LAN to it and that LAN does not use DHCP, or you just want to be different. It is important to be aware, however, that the Linksys will only support a maximum of 253 devices, or more specifically 253 IP addresses, attached to it, because the shortest netmask it accepts is 255.255.255.0. If you are using a 10.0.0.0 network with a mask of 255.0.0.0, then a reconfiguration of the LAN machines will be necessary. Of course, that reconfiguration is quite simple if DHCP is used, where a release and renew of the IP lease is all that is required.

Note that any change in the Linksys LAN address will also change the Linksys DHCP address, so again a release and renew are necessary to get dhcp machines to get an address on the new network.

Of course, any machines with manually assigned address will need a manual change to use the new network!

Advanced Configuration

All of these options are available on the Advanced menu.

Port Filtering

Linksys routers, much like many other LAN-sharing options, by default allow all traffic from LAN to WAN. Port Filtering allows particular IP addresses or ports to be blocked so that particular Internet applications will not work. For instance, if you decide that you do not want anyone on your LAN using IRC, you can filter port 6667 and the Linksys will block that traffic. Note, however, that you cannot tie a filter to one address and one port together: add an address to the Filter IP Range and ALL of its Internet activity is blocked; set a port to be blocked and every LAN machine is denied access to that port.

The following screen shot shows filtering set up to block the Microsoft Networking ports. This has no effect on clients connected to the router connecting to each other, but does prevent unwanted connections that could be made outside.

Linksys Filtering Screen

Note also, that this screen also contains the settings for remote access, UPnP, and so on. I would recommend the settings shown for most installations, although this example does show IPSec pass-thru' enabled to allow VPN traffic out via the Internet. Enabling this would only be necessary if required, i.e, if you access work from home.

Forwarding

Forwarding, or Port Forwarding to give it its proper name, sets the Linksys firewall rules to allow connections from the WAN, i.e., the Internet, to machines on the internal LAN. This could be anything from a web server to an SSH daemon, as long as you know the ports required to support the service.

The screenshot below shows port 80 (http) forwarded to an internal machine with IP address 192.168.3.99, which is running an Apache Web Server. Note that the protocol is set to TCP only, and that no UPnP forwarding or port triggering is necessary.

Linksys Port Forward

Any clients wishing to connect to the web server must connect to the external IP address of the router, and not the LAN address of the web server. It is also possible to forward your own domain's www address to your NTL assigned address, or you can use one of the many dynamic DNS services, such as dyndns.org.

DMZ Host

Having a DMZ host takes away what can be a chore: setting up the individual ports you want forwarded for the applications discussed earlier. Making a device the DMZ host causes the Linksys to pass every unsolicited inbound connection that does not match a forwarding rule to that host, so every service listening on it becomes reachable from the Internet. Whilst this can be useful for applications such as Microsoft's NetMeeting, it also exposes services such as FTP, Web and File and Print Sharing, which you may or may not want to advertise, and I would recommend using the DMZ facility only as a last resort.

Another security issue with the DMZ facility of the Linksys, is that the DMZ host remains as part of the internal LAN, in the same way as machines with forwarded ports, and can make connections to the other machines on the network. If your DMZ host is compromised, your whole internal network could be as well.

As in the case with a host advertising ports via the forwarding facility of the Linksys, do not make your DMZ host an address that is in the range of the Linksys DHCP service. Use an address such as 192.168.1.20, or 192.168.1.30 instead.
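Choosing a fixed address comes up three times on this page: the Xbox earlier, a PC on the Linksys LAN, and now the DMZ host. Here is an added Python check, not from the article or from Linksys, that encodes the rules in one place: the address must sit on the router's subnet, must not be the router, the network or the broadcast address, must not fall in the DHCP scope, and must not already be in use. The defaults match the BEFSR41 factory values quoted above (192.168.1.1/24, DHCP 192.168.1.100 to .149), and usable_client_addresses() gives the 253 client addresses a /24 leaves after the router; the in_use addresses in the test are constructed.

```python
"""Static-address sanity check for a home LAN behind a NAT router.  Added
example; defaults reproduce the BEFSR41 factory values quoted in the article."""
import ipaddress


def lan_network(router_ip="192.168.1.1", netmask="255.255.255.0"):
    """The subnet the router's LAN address lives on (strict=False keeps host bits)."""
    return ipaddress.ip_network("%s/%s" % (router_ip, netmask), strict=False)


def dhcp_scope(start="192.168.1.100", count=50):
    """Inclusive (first, last) of the router's DHCP pool: .100 to .149 by default."""
    first = ipaddress.ip_address(start)
    return first, first + (count - 1)


def usable_client_addresses(router_ip="192.168.1.1", netmask="255.255.255.0"):
    """Addresses left for clients: all addresses minus network, broadcast and router."""
    return lan_network(router_ip, netmask).num_addresses - 3


def check_static_address(candidate, router_ip="192.168.1.1", netmask="255.255.255.0",
                         dhcp_start="192.168.1.100", dhcp_count=50, in_use=()):
    """Return a list of reasons the address is unsuitable; an empty list means it is fine."""
    addr = ipaddress.ip_address(candidate)
    net = lan_network(router_ip, netmask)
    router = ipaddress.ip_address(router_ip)
    lo, hi = dhcp_scope(dhcp_start, dhcp_count)
    problems = []
    if addr not in net:
        problems.append("not on the LAN subnet %s" % net)
        return problems                     # further checks are meaningless off-subnet
    if addr == net.network_address or addr == net.broadcast_address:
        problems.append("network/broadcast address (last octet 0 or 255 on a /24)")
    if addr == router:
        problems.append("that is the router's own address")
    if lo <= addr <= hi:
        problems.append("inside the DHCP scope %s-%s; the router may lease it to someone else"
                        % (lo, hi))
    if addr in {ipaddress.ip_address(a) for a in in_use}:
        problems.append("already assigned to another device")
    return problems


def suggest_static_address(router_ip="192.168.1.1", netmask="255.255.255.0",
                           dhcp_start="192.168.1.100", dhcp_count=50, in_use=()):
    """First host address that passes every check, or None if the subnet is full."""
    for host in lan_network(router_ip, netmask).hosts():
        if not check_static_address(str(host), router_ip, netmask,
                                    dhcp_start, dhcp_count, in_use):
            return str(host)
    return None


def static_config(candidate, router_ip="192.168.1.1", netmask="255.255.255.0", **kw):
    """What to type into the Xbox Live or PC network settings once the address checks out."""
    problems = check_static_address(candidate, router_ip, netmask, **kw)
    if problems:
        raise ValueError("; ".join(problems))
    return {"ip": candidate, "netmask": netmask, "gateway": router_ip}
```

Pass the router's real LAN address and scope if you have changed them from the defaults; the check is only as good as the scope you tell it about.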

Security Considerations

The Linksys router does a very good job of providing a protected connection to the Internet. Once changes are made to the router's default configuration, however, it is important to remember that whilst NAT is a very good way of stopping direct connections to your LAN machines, it only protects you at the TCP/IP level. Applications such as HTTP or telnet can be exploited, and your NAT device will quite happily pass that exploit traffic. As far as it is concerned, if traffic on port 80 is allowed, it can pass. It has no interest in the content of that traffic, merely in making sure that the connection from A to B is allowed according to its NAT and forwarding tables.

For example, I decide to run a web server on a Linux machine that I have configured as the DMZ host on a router. Unbeknownst to me, this Linux machine also has a Telnet daemon running, so when the Linksys configuration sets the Linux machine as the DMZ host, it also exposes its Telnet port. Stupid idiot that I am, my root password is blank, so if anyone scans my NTL address for accessible ports, telnet is sitting there, wide open and with no password. As far as the Linksys is concerned, the telnet traffic is allowed; it does not know that I neglected to set a password on the host, so it allows a connection from anywhere to the DMZ host. As the DMZ host is still on my internal network, anyone with access to it can now start looking for other machines on the network, or even start messing with the Linksys configuration itself. Again, the Linksys would not be able to tell that the connection it has allowed to the DMZ host is actually about to set up a filter that blocks access to port 80!
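To make the difference between port forwarding and the DMZ host concrete, here is an added Python model (not Linksys firmware, and not from the article) of the three rule types described in the Advanced Configuration sections above: outbound filters by port or by LAN address, inbound port forwards, and a DMZ host that receives everything unmatched. It is run over a constructed pair of LAN hosts, one of them the Linux box from the story with a web server and an unintended telnet daemon, and reports which services each configuration exposes to the WAN. It models only the reachability decision; as the text says, the router does not look at what is inside an allowed connection.

```python
"""Reachability model of a consumer NAT router's three rule types: outbound
filters, inbound port forwards, and a DMZ host.  Added example; it mimics the
behaviour the article describes, not Linksys firmware."""


class HomeRouter:
    def __init__(self):
        self.filter_ports = set()     # ports no LAN host may reach on the WAN
        self.filter_ips = set()       # LAN addresses denied all WAN access
        self.forwards = {}            # (proto, wan_port) -> LAN host
        self.dmz_host = None          # receives every unsolicited inbound packet

    # --- configuration, mirroring the Advanced tab ---------------------------
    def block_port(self, port):
        self.filter_ports.add(port)

    def block_lan_host(self, ip):
        self.filter_ips.add(ip)

    def forward(self, proto, port, host):
        self.forwards[(proto.lower(), port)] = host

    def set_dmz(self, host):
        self.dmz_host = host

    # --- decisions -----------------------------------------------------------
    def allow_outbound(self, src_ip, dst_port):
        """LAN -> WAN: allowed unless the port, or the whole source host, is filtered."""
        if src_ip in self.filter_ips:
            return False
        return dst_port not in self.filter_ports

    def route_inbound(self, proto, dst_port):
        """WAN -> LAN: the host that receives an unsolicited packet, or None (dropped).
        A forward wins over the DMZ host; anything else goes to the DMZ host if set."""
        target = self.forwards.get((proto.lower(), dst_port))
        if target is not None:
            return target
        return self.dmz_host

    def exposed_services(self, listeners):
        """listeners: {host: {(proto, port), ...}} of what each LAN host actually
        has listening.  Returns what a scanner on the WAN would find on each host."""
        exposed = {host: set() for host in listeners}
        for host, services in listeners.items():
            for proto, port in services:
                if self.route_inbound(proto, port) == host:
                    exposed[host].add((proto, port))
        return exposed


# Constructed LAN: a Linux box with a web server, a forgotten telnet daemon and
# Samba, plus a second machine with SSH.  Addresses are outside the DHCP scope.
LISTENERS = {
    "192.168.1.20": {("tcp", 80), ("tcp", 23), ("tcp", 139)},
    "192.168.1.30": {("tcp", 22)},
}


def forwarding_only():
    """The article's port-forward screenshot: TCP 80 only, to the web server."""
    r = HomeRouter()
    r.forward("tcp", 80, "192.168.1.20")
    return r.exposed_services(LISTENERS)


def dmz_instead():
    """The story in the text: same box as DMZ host, telnet comes along for free."""
    r = HomeRouter()
    r.set_dmz("192.168.1.20")
    return r.exposed_services(LISTENERS)


def netbios_filtered():
    """The filter screenshot's intent: stop Microsoft Networking leaving the LAN.
    Returns the outbound verdicts for port 80 and port 445 from one host."""
    r = HomeRouter()
    for p in (135, 137, 138, 139, 445):
        r.block_port(p)
    return [r.allow_outbound("192.168.1.20", p) for p in (80, 445)]
```

Note that the forward is keyed by protocol as well as port, matching the 'TCP only' setting in the screenshot: with both a forward and a DMZ host configured, UDP 80 would still land on the DMZ host.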

It is fairly obvious that port forwarding has a distinct advantage over the DMZ function, as it prevents accidentally leaking services. It is important to remember, though, that opening a single port, for HTTP say, as opposed to the whole lot, is not the end of the story. Exploits against running services are probably the main method of gaining access to other systems, so it is important that any service you run is run in such a way as to prevent accidental system access. It is also recommended that you install a software firewall, such as ZoneAlarm or Tiny Personal Firewall, or at the least an intrusion detection program such as BlackIce, on the host you are forwarding to. For Linux hosts, I would recommend running your chains or tables as if the host were connected directly to the Internet, especially if you place it as the DMZ host. Of course, this is all irrelevant once your system is compromised, but prevention is better than cure, IMO.

  • Ensure your OS is patched

    There is nothing more embarrassing than getting hit by an attack that could have been prevented by applying a patch that was released two years ago. This does not necessarily mean that you should apply patches as soon as they are released, however, as some patches may introduce new problems as well as fixing old ones! Consult the support websites and forums for your system to establish which patches are actually required, as opposed to applying everything there is.

  • Ensure the service is patched

    The same applies as above. Also consider whether there are any settings that can be set, or even utilities that can be employed, that can prevent unwanted access into your network. For instance, with SSH, you could configure it so that only known host keys can connect, or with Microsoft's IIS use IISLock to disable unwanted services within IIS itself.

  • Employ Firewall or IDS

    On the face of it, a waste of effort, as in order to run your service you have to open the ports for the service in the firewall anyway! There are also tools available that will disable software firewalls, possibly making them doubly superfluous. Some firewalls can still be useful, however, if they are able to block unwanted access going out of your host to other hosts on your network. If you have to use a DMZ host (such as for NetMeeting), then ensure that only the ports for the application are opened, and not all.

    With your other LAN hosts, use a different software firewall from that used on the DMZ host as well. Note, however, that there is little protection you can apply to the Linksys to prevent tampering once your service host is compromised, apart from ensuring your password is suitably strong.

  • Employ Up to Date AntiVirus

    If you use an MS host for port forwarding or DMZ host, AV software will prevent Trojans being installed that could be used against your other LAN hosts. Also use AV on your other MS machines.
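A defender's check for the 'leaked Telnet daemon' scenario above, added here as an example and not code from the original post: it parses Linux's /proc/net/tcp and reports every listening socket that is bound to a non-loopback address and is not on your list of intended ports, i.e. everything that would become reachable the moment the host is made the DMZ host or forwarded to. The /proc/net/tcp excerpt is constructed, and the set of intended ports is an assumption.

```python
import ipaddress
import socket

# Constructed /proc/net/tcp excerpt (not captured from a real host): a Telnet
# daemon and a web server listening on all interfaces, an SMTP daemon bound to
# loopback only, and one established HTTP session.  State 0A means LISTEN.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0017 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1001 1 0000000000000000 100 0 0 10 0
   1: 00000000:0050 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1002 1 0000000000000000 100 0 0 10 0
   2: 0100007F:0019 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1003 1 0000000000000000 100 0 0 10 0
   3: 0A00A8C0:0050 0B00A8C0:C350 01 00000000:00000000 00:00000000 00000000     0        0 1004 1 0000000000000000 100 0 0 10 0
"""

TCP_LISTEN = 0x0A  # socket state code used in /proc/net/tcp


def decode_addr(hex_addr):
    """Turn '0100007F:0017' into (IPv4Address('127.0.0.1'), 23).

    The kernel prints the address as a 32-bit hex word in host byte order, so
    ntohl() gives the right value on both little- and big-endian machines
    (the constructed sample above is what a little-endian host prints).
    """
    ip_hex, port_hex = hex_addr.split(":")
    ip = ipaddress.IPv4Address(socket.ntohl(int(ip_hex, 16)))
    return ip, int(port_hex, 16)


def listening_sockets(proc_net_tcp_text):
    """Return [(bind_address, port), ...] for every socket in LISTEN state."""
    listeners = []
    for line in proc_net_tcp_text.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) < 4:
            continue
        if int(fields[3], 16) == TCP_LISTEN:
            listeners.append(decode_addr(fields[1]))
    return listeners


def exposed_services(proc_net_tcp_text, intended_ports):
    """Listeners the outside world could reach once this host is the DMZ
    host: anything not bound to loopback whose port you did not mean to
    publish.  Returns [(address_string, port), ...]."""
    exposed = []
    for ip, port in listening_sockets(proc_net_tcp_text):
        if ip.is_loopback:
            continue  # only reachable from the host itself
        if port not in intended_ports:
            exposed.append((str(ip), port))
    return exposed


def audit_this_host(intended_ports):
    """Run the same check against the live kernel table (Linux only)."""
    with open("/proc/net/tcp") as f:
        return exposed_services(f.read(), intended_ports)


if __name__ == "__main__":
    # With only port 80 intended, the Telnet listener on 0.0.0.0:23 is
    # flagged; the loopback-only SMTP daemon is not.
    for addr, port in exposed_services(SAMPLE_PROC_NET_TCP, {80}):
        print(f"unintended listener {addr}:{port} - close it before using DMZ host")
```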

Network Lab: Sygate Single NIC Gateway

Sygate Single NIC Gateway

Sygate Technologies produce an Internet Gateway product called Sygate that fits quite nicely with NTL's CM service in the instance where you do not want a dedicated PC Gateway or a Hardware Router. Built in to Sygate is the ability to implement an Internet Router/NAT service using software running on a Windows 95, 98 or NT 2000 PC containing a single Network Card. Sygate does this with the use of a 'virtual' NIC. The real NIC is set up as your CM facing interface and obtains its IP address via the normal Windows DHCP mechanism. The 'virtual' NIC runs on an IP range that is completely different from the IP network allocated by NTL, thus enabling an additional network to run on the same physical 'network' as your PC -> CM connection. The local machines are set with the 'virtual' IP address of the Sygate server as their default gateway.

Obtaining and Installing Sygate

Sygate is a nice 5MB download from http://www.sygate.com as sygate.exe, which, when run, produces a folder containing the Sygate Home Network program, which actually installs the Sygate server. The installation prompts for either a server or client installation, and server is required if you want this machine to provide Internet access. Once installed, Sygate can be configured to provide single NIC capability, DHCP services for your LAN, connection filtering and an add-on firewall function.

Sygate Configuration

After installation and a reboot, Sygate requires licensing information to be entered prior to running. The license key for the 30-day trial version is H1001001 and no other info is required in order to run the trial.

The routing engine of Sygate runs as a background process, and in order to see whether your Internet link is up, or to configure you need to run the Sygate Manager. The default manager screen is shown below:

Sygate Manager

Configuration is performed from the options available from the Advanced button on the main manager screen. Note that the Firewall, Access Rules and Permissions do not require any configuration by default for simple Internet Sharing.

Sygate Manager Advanced Configuration
For Configuring the Network Operation of Sygate

Firewall
For access to the Sygate Firewall add-on

Access Rules
For adding access rules for various applications

Activity Log
Er, the activity log!

Permissions
Allow or disallow connection to specified hosts.

Configuring Sygate to provide gateway services to your LAN is simply a case of telling Sygate which interface you are going to use for your Internet Connection, and whether you want to use a single NIC connection. Enable this, and then add the internal IP address that you wish your gateway to have. Note that in the screen dump below, the IP address shown underneath the selected NIC would normally be the address as supplied by NTL's DHCP server. The address shown in the example is one obtained by the Sygate PC NIC from our internal DHCP server, rather than NTL's. Operation, however, is identical.

When Single NIC is enabled, Sygate automatically sets the Gateway IP to 192.168.0.1, and this should be the address set as the client's default gateway.

Sygate Network Configuration

As can be seen from above, the configuration of Sygate is quite straightforward, with the options quite clearly labelled. For instance, if you want to run a DHCP server internally, enable it here. Sygate will automatically assign a range of IP addresses, but you can define your own from the options available from the Advanced button. Note that your DHCP range should be from the same IP subnet as your Sygate server is configured to be on, i.e., if the Sygate Gateway IP is 192.168.0.1, then your DHCP range will need to be within the address range for that subnet, e.g., from 192.168.0.2 to 192.168.0.254 if using the whole range.

Client Configuration

With DHCP enabled on Sygate, your client PCs need to be set to get their address automatically. If DNS is disabled within the TCP settings of the client, then the client should also discover its DNS server as well as its default gateway. Applications on the client PC need to be set up as tho' they have a direct connection to the Internet - remember that Sygate only provides NAT facilities, it does not provide proxy services, tho' some applications may need Access Rules defined in order for them to function correctly.

If no DHCP service is configured in Sygate, then client PCs require their TCP/IP settings to be set manually using a unique address from your network. The Gateway and DNS servers should be set to the Gateway address as defined in Sygate, e.g., 192.168.0.1 if using the default address allocated by Sygate. Again, client applications will need to be set as tho' they are connected direct to the Internet.

There is the facility with Sygate to create Client Configuration disks, but in reality, all this does is set the IP address of the client and it is not really needed.

Conclusion

Sygate is an excellent way to share an Internet Connection without needing to buy additional hardware. The machine used for this trial was a Compaq Deskpro P133 with 16MB of RAM, with a single 3COM NIC, and performance was surprisingly good. Note, however, Sygate is not free. Its smallest license costs $40, but this only supports three client PCs. More clients mean more cost, with there being a point at the 10 user level where a hardware router such as a Linksys is better VFM. Sygate also does not offer any firewalling capabilities beyond NAT, tho' there is a free Firewall add-on available.


Network Lab: Using e-smith Internet Gateway on the NTL Cable Modem Service

Using e-smith Internet Gateway on the NTL Cable Modem Service

An excellent system for sharing your Cable Modem connection on your LAN is the e-smith Server and Gateway offering from e-smith, inc. Based on a very trimmed distribution of RedHat Linux, e-smith offers an extremely effective means of using your Cable connection to the maximum.

Despite the fact that e-smith runs a light version of RedHat, it still provides numerous services to your LAN as well as providing gateway services to the Internet. At its most basic, e-smith is a Linux Router offering NAT and firewalling (as of Version 4.1) services, but with its ability to also operate as the Proxy, Mail, DNS and FTP server for your LAN connected machines it can also provide both Intranet and Internet Web servers, each with CGI, PHP and SSL support. In addition, Virtual Domains and Information Bays can also be set up, resulting in an extremely flexible and powerful Internet system.

Perhaps the most outstanding feature of e-smith is its administration utilities. The majority of the configuration for the system is performed from a web browser running on the internal network, and nearly all administration tasks can be done from it, with the important configuration available from a text-based configuration tool. You therefore do not need an extensive knowledge of Linux in order to use it, although some knowledge can be useful.

Obtaining and Installing E-Smith

The e-smith distribution is available for free download from the e-smith website, and it is only available as an iso image, so you will need to be able to write this image to a CD. Once you have your e-smith CD, you can either boot your intended machine directly from the CD-ROM, or you can create a boot disk on floppy by using the included rawrite utility in the dosutils directory. Further details on the installation of e-smith are also on the e-smith downloads page.

It is important to note two things when considering e-smith. The first is that installing e-smith will wipe the hard disk of the target machine, so make sure there is no data on the disk that you want, and the second is that e-smith has only partial support for some hardware, so check the compatibility list to make sure you can use it.

Installation Considerations For NTL Cable Modem Service

During the installation process for e-smith you will be asked a couple of questions regarding your IP address settings, your hostname and your domain.

As regards the IP address allocation, you should enable your external facing interface to use the DHCP client with the (send ethernet address as client id) option selected. I find this option works 100% of the time. It is entirely optional to enable DHCP for the internal LAN, I choose not to, but you may prefer to do so. If you do, remember to set your LAN PCs to contact a DHCP server for their address, which they will get from your e-smith server.

As far as your hostname and domain settings are concerned, I would recommend setting the hostname as your NTL account name and the domain to ntlworld.com. My own set-up reflects the fact that I have my own domain registered and if you also have your own domain, then I would set your e-smith domain to be that instead as one consequence of specifying ntlworld.com as your domain is that www.ntlworld.com will resolve to your e-smith server. To some this may be an improvement, but to others it could be a major issue. If this is an issue you can bypass the e-smith proxy for this host within the setup of your browser.

During the configuration after installation, e-smith will also ask if you are using a Dynamic DNS facility, and I can thoroughly recommend the services available from Dyndns. In practice this enables me to advertise my public facing web service as http://nigs.homeip.net, rather than my currently assigned hostname from NTL. The e-smith setup for Dyndns requires your Dyndns username and password so that your dynamic hostname is updated automatically by the e-smith server in the event that your NTL assigned IP address changes for some reason.

Something else to consider is your Cable Modem's association with the MAC address of the Network Adapter connected to it. If you go thru' the process of installing an e-smith machine from scratch to replace an existing system attached to the Cable Modem, i.e., a different PC and different Network card, then you may need to reset your Modem so that the existing NIC's MAC address is deleted and the modem can re-learn your new MAC address. A method of avoiding the re-setting of the modem involves editing one of the e-smith template files so that your NIC has the same MAC address as the original NIC connected to the modem.

On the subject of NICs, it is important to know that e-smith only supports PCI network adapters, and you will need two of them.

Editing NIC config to avoid CM re-boot

e-smith uses templates in order to build the necessary system files; these templates take the configuration set in the manager and apply it to the correct file. On a conventional RedHat system, the network configuration files are held in the /etc/sysconfig/network-scripts directory. e-smith also has its network files in this directory, but they are derived from the data contained in the template files located in /etc/e-smith/templates/etc/sysconfig/network-scripts. For each NIC, there is an ifcfg-ethX directory within here that e-smith uses to create the ifcfg files in the normal directory. Two files exist in each of these directories, template-begin and template-end. In order to 'spoof' the MAC address of the NIC that the Cable Modem thinks you have, you need to add the line:

MACADDR=00DEADBEEF00

(where 00DEADBEEF00 is the 12-digit MAC address of your original NIC - see 'Finding Your IP Address', elsewhere)

to the template-begin file in the relevant directory, so e-smith uses this to set the hardware address of the original NIC.

Of course, you can avoid doing this by pin-resetting your modem.
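The template edit just described, as an added example that is not e-smith's own tooling: the function validates the MAC address, then adds or replaces the MACADDR= line in the template-begin fragment for the named interface, under the template directory given above. It does not run whatever e-smith command regenerates the ifcfg file from the templates, since the page does not name one; the dry run at the bottom works in a throw-away copy of the tree rather than /etc.

```python
import os
import re
import tempfile

# Directory layout described above: one sub-directory per interface holding
# the template-begin / template-end fragments that e-smith concatenates.
TEMPLATE_ROOT = "/etc/e-smith/templates/etc/sysconfig/network-scripts"


def normalise_mac(mac):
    """Accept '00:de:ad:be:ef:00', '00-DE-AD-BE-EF-00' or '00DEADBEEF00' and
    return the 12 upper-case hex digits the MACADDR= line wants.
    Raises ValueError for anything that is not a 48-bit address."""
    digits = re.sub(r"[:\-\s]", "", mac).upper()
    if not re.fullmatch(r"[0-9A-F]{12}", digits):
        raise ValueError(f"not a 12-hex-digit MAC address: {mac!r}")
    return digits


def is_valid_mac(mac):
    """True if normalise_mac() would accept the value."""
    try:
        normalise_mac(mac)
        return True
    except ValueError:
        return False


def fragment_path(iface, template_root=TEMPLATE_ROOT):
    return os.path.join(template_root, f"ifcfg-{iface}", "template-begin")


def set_template_macaddr(iface, mac, template_root=TEMPLATE_ROOT):
    """Write MACADDR=<mac> into the interface's template-begin fragment,
    dropping any MACADDR line already there so the fragment never carries
    two.  Returns the path written."""
    digits = normalise_mac(mac)
    path = fragment_path(iface, template_root)
    lines = []
    if os.path.exists(path):
        with open(path) as f:
            lines = f.read().splitlines()
    lines = [l for l in lines if not l.startswith("MACADDR=")]
    lines.append(f"MACADDR={digits}")
    os.makedirs(os.path.dirname(path), exist_ok=True)
    tmp = path + ".tmp"
    with open(tmp, "w") as f:
        f.write("\n".join(lines) + "\n")
    os.replace(tmp, path)  # atomic swap: no half-written fragment left behind
    return path


def read_template_macaddr(iface, template_root=TEMPLATE_ROOT):
    """Return the MAC currently set in the fragment, or None if there is none."""
    path = fragment_path(iface, template_root)
    if not os.path.exists(path):
        return None
    with open(path) as f:
        for line in f:
            if line.startswith("MACADDR="):
                return line.strip()[len("MACADDR="):]
    return None


def demo_in_scratch(mac, iface="eth0"):
    """Exercise the edit in a throw-away copy of the tree: set one address,
    then replace it.  Returns (mac now in fragment, number of MACADDR lines)."""
    with tempfile.TemporaryDirectory() as scratch:
        set_template_macaddr(iface, "11:22:33:44:55:66", scratch)  # constructed
        set_template_macaddr(iface, mac, scratch)
        with open(fragment_path(iface, scratch)) as f:
            text = f.read()
        return read_template_macaddr(iface, scratch), text.count("MACADDR=")


if __name__ == "__main__":
    print(demo_in_scratch("00:de:ad:be:ef:00"))  # ('00DEADBEEF00', 1)
```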

Setting up e-smith initial configuration

After you have booted the system for installation, e-smith will guide you through the necessary steps to transfer the files from CD to the hard disk. Once complete, the system will reboot and automatically display the configuration screens. The default main menu of the console administrator is shown below, however, the first time e-smith is run, it bypasses this screen and allows you to set your configuration.

e-smith main menu

The e-smith admin console.

Use the arrow keys to select an option, then press return

As can be seen, most of the options are self explanatory

e-smith status page

The display available when 1 is selected in the main menu

Basic e-smith configuration, such as Network settings, domain name, etc., can be done by selecting option 2 from the main menu. It is possible to check your config, without the danger of inadvertently changing the config, by selecting item 3.

e-smith config screen 1

The Review Config screen covers a couple of screens' worth of information, so it is necessary to page up and down thru' it to see all the settings.

At the top is shown the ethernet adapter assignment for the system. It just so happens that both my adapters are the same type, but you may use different ones without problems (assuming they are supported by e-smith). Notice also that my assignment shows as being 'swapped'. By default, e-smith assumes eth1 is connected to the Internet, but gives the option to change this to eth0, as this is my CM facing interface.

The external network settings are shown below. Here, I have specified my system as being a dedicated gateway and server, which gives the most flexibility, and also told e-smith to use the DHCP client to get the IP address. Just below this are the details of the Dyndns service used. The username and password for this service are also shown here, but I have chosen to not let you see that!

e-smith config screen 2

Paging down to see the rest of the configuration reveals the internal Network settings. Note that I have the internal DHCP facility turned off, but you may prefer to enable it.

Below this are the details for your domain and hostname. I use my own domain and have the hostname of e-smith set to gatekeeper. I do not use an external proxy as NTL's transparent proxy will trap traffic heading for Port 80 anyway. To avoid the NTL cache specify an external, public, proxy to use and ensure it runs on any other port rather than 80. I also choose to send status reports to e-smith, hence reports is set to on.

Console mode refers to the behaviour of e-smith when you logon as admin. In auto mode the main menu is displayed automatically.

This is as much configuration that is possible from the admin console. For further configuration, you need to use the e-smith manager from a web browser.

Once configured, reboot your system and, all being well, it will connect to NTL's network, via the modem.

A word about passwords

By default the administrator account has no password, and you will need to specify one. The username is admin and you need to set the password up to be fiendishly difficult for someone else to guess, as this password also allows root access to the system. I recommend you create a password containing a combination of upper and lower case letters and numbers. For example, take the words drum and bass, then join them together and change some characters to uppercase or numbers or add some punctuation, thus 'drum and bass' becomes Drum&B4ss. Your e-smith system will only recognise the first 8 characters of the password, so the password will end up being truncated to Drum&B4s. Note, this is only an example, I do not recommend you actually use this password!

An alternative method of generating a password is to select a suitably long song title and take the first letter of each word in the title. For example, 'The Far Out Son of a Lung', by the Future Sound of London, results in the letters tfosoal, which we can change to be something like TF0$oa1. Again, I do not recommend you use this example for your own password, but hopefully, you get the idea.

Configuration using e-smith manager

To access the e-smith manager, open a web browser on one of your LAN machines and enter the URL of your server, e.g., http://gatekeeper.nigs.net:980/. You will be prompted for the admin username and password, and entering them correctly will produce the index page for the manager interface:

e-smith manager front page 1

Windows 2000 and ICS

Windows 2000 and ICS

Microsoft made a huge number of changes to their Desktop systems with the advent of Windows 2000, not the least of them being in the networking department. Still not perfect by any means, but a major step forward from the Win9x days, IMHO. One important improvement that Win2k has over Win9x is that you no longer have to reboot the PC when you change the IP address, but the improvements made to ICS over Win98SE/ME are astounding compared to that small feat! Essentially, if you install two Network Adapters in a Windows 2000 machine, Windows will allow one of them to be used for sharing its network connection, with the other adapter then being pre-set to connect to a private network. Easy.

System Requirements

An Internet service on a gateway machine can be processor intensive, depending on both the gateway and client users' Internet usage. This is probably more of an issue on a Windows machine than a Linux machine, due to the fact that you need to have the Windows environment up in order to use the sharing capabilities, whereas with Linux this is not normally necessary. As Windows requires Windows to be running (!), there is a great temptation to use the ICS machine as a workstation as well, but this can cause serious performance issues when clients want to use the ICS machine's services. At minimum, I recommend at least a 300MHz system with at least 128MB of RAM. If, for whatever reason, you need to use the ICS machine as a workstation as well, then I'd suggest doubling both of those.

Like most Internet Gateways, a Windows 2000 machine requires that it has two ethernet adapters installed, at least one of which must have a 10BaseT interface and connect to the Cable Modem using a straight RJ45 cable. The other adapter should connect to your internal network by whatever method is used by the private LAN, be it RJ45, Thin/Thicknet or whatever. The information contained here uses 10BaseT connectivity throughout. Like ALL gateways, it must also be switched on in order for any LAN clients to be able to contact the outside world. If you do not want this situation then the only alternative is to purchase an all-in-one Gateway/Router/Firewall such as a Linksys or SMC Barricade (see the page on routers;-)).

As far as TCP/IP settings for the ICS machine are concerned, the CM attached NIC should have its address and DNS server set to be obtained automatically. The other NIC will be set, by ICS, to 192.168.0.1, so there is no need to configure anything for this. Note tho' that if you already have an address configured on NIC2 then this will be overridden when the other NIC is enabled as shared.

Clients that wish to use the ICS server need to have their TCP/IP properties set to automatic also. ICS will enable both a DHCP and a DNS service that the clients use to obtain their address, gateway and DNS server. Logically, the setup will look like that depicted in the following diagram:

Win2K Network Diagram

Enabling Sharing

As previously stated, adding two NICs to a Windows 2000 machine adds the facility for one of them to be a shared device that other machines on a private network can also use. Consider a Windows 2000 machine that contains two Local Area connections, shown as 5 and 7 in the following screen dump. Connection 5 is connected to the Local LAN and 7 is connected to the Cable Modem, which is the interface on which sharing will be enabled.

Network Places

Selecting the properties for Connection 7 reveals the adapter and protocol settings. All protocols except TCP/IP should be unticked on this interface, as shown below. Notice that two tabs are available in the Properties. The Sharing tab is added automatically by Windows when two network interfaces are present.

Win2K TCP/IP Properties

The properties for TCP/IP need to be set for DHCP (i.e., 'Obtain an IP address automatically' is ticked). In addition, DNS server addresses will also need to be set as automatic. This ensures that your ICS machine will get its IP settings from NTL's DHCP server.

Win2k TCP/IP Properties

Selecting the Sharing tab reveals a single option - Enable Internet Connection Sharing for this connection.

Win2K NIC Share Properties

When ICS is enabled, Windows prompts a warning about changing the local LAN IP address to 192.168.0.1. Confirm that you want sharing enabled on the interface, and setup is complete!

Win2K Address Warning

The TCP/IP properties for the local LAN are reset to those shown below. No changes should be made to these properties, lest ICS be disrupted.

Win2K ICS Client TCP/IP Properties

Client TCP/IP Setup

Enabling ICS automatically sets your network to use 192.168.0.0 as its network number. The hosts on your network must also use this network number as part of their IP address, with the host part being a number between 2 and 254 (1 cannot be used as the ICS machine already has that address!). ICS does provide a DHCP server, so the simplest method for getting the client PCs to connect is to set them for automatic address and DNS servers. This will result in the client PCs having both default gateway and DNS server as 192.168.0.1.

In some instances, DHCP does not work particularly well with ICS and it may be necessary to configure the client machines manually. In this case, the client needs to have the following settings:

  1. IP address is specified as 192.168.0.101 with a mask of 255.255.255.0
  2. The Gateway Address is set to 192.168.0.1
  3. DNS Servers are set to 194.168.4.100 and 194.168.8.100 (these are NTL's DNS servers)

Subsequent machines added to the Network will also require identical settings, bar the assigned IP Address which will require the final digit to be unique. For example, addresses 192.168.0.102, 192.168.0.150 and 192.168.0.200 are all valid addresses that can be used. I would avoid using addresses in the range 192.168.0.2 to 192.168.0.100 in order to avoid any address conflicts in the event the Windows DHCP server allocates an IP address that has already been set manually on a different machine.
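The addressing rules for Sygate's DHCP range (under Sygate Network Configuration, above) and for manually configured ICS clients (this section), as an added example that is not part of the original page: one check verifies that a DHCP pool lies inside the gateway's subnet and excludes the gateway, the other that a static client address is on that subnet, is not the gateway, network or broadcast address, and does not fall inside the DHCP pool, which is the conflict the paragraph above warns about. The addresses are the page's own 192.168.0.0/24 examples; the pool boundaries passed in are assumptions.

```python
import ipaddress


def subnet_of(gateway, mask):
    """The subnet the gateway lives on: 192.168.0.0/24 for 192.168.0.1 / 255.255.255.0."""
    return ipaddress.IPv4Network(f"{gateway}/{mask}", strict=False)


def check_dhcp_pool(gateway, mask, pool_start, pool_end):
    """Problems with a DHCP range handed out by the gateway (Sygate or ICS).
    Returns a list of human-readable strings; empty means the pool is sound."""
    net = subnet_of(gateway, mask)
    gw, lo, hi = (ipaddress.IPv4Address(a) for a in (gateway, pool_start, pool_end))
    problems = []
    if lo > hi:
        problems.append("pool start is above pool end")
    for name, addr in (("pool start", lo), ("pool end", hi)):
        if addr not in net:
            problems.append(f"{name} {addr} is outside {net}")
        elif addr in (net.network_address, net.broadcast_address):
            problems.append(f"{name} {addr} is the network or broadcast address")
    if lo <= gw <= hi:
        problems.append(f"pool includes the gateway address {gw}")
    return problems


def check_static_client(ip, mask, gateway, pool_start=None, pool_end=None):
    """Problems with a manually configured client address on the gateway's LAN.
    pool_start/pool_end, if given, are the range the gateway's DHCP server
    also hands out; a static address inside it can be allocated twice."""
    net = subnet_of(gateway, mask)
    host, gw = ipaddress.IPv4Address(ip), ipaddress.IPv4Address(gateway)
    problems = []
    if host not in net:
        problems.append(f"{host} is not on the gateway's subnet {net}")
    elif host in (net.network_address, net.broadcast_address):
        problems.append(f"{host} is the network or broadcast address")
    if host == gw:
        problems.append(f"{host} is already used by the gateway")
    if pool_start and pool_end:
        lo, hi = ipaddress.IPv4Address(pool_start), ipaddress.IPv4Address(pool_end)
        if lo <= host <= hi:
            problems.append(f"{host} lies inside the DHCP pool {lo}-{hi} and may be handed out twice")
    return problems


if __name__ == "__main__":
    GW, MASK = "192.168.0.1", "255.255.255.0"
    # Assumed pool the gateway's DHCP server uses; statics go above it.
    POOL = ("192.168.0.2", "192.168.0.100")
    print("pool:", check_dhcp_pool(GW, MASK, *POOL) or "ok")
    for client in ("192.168.0.101", "192.168.0.50", "192.168.1.5", "192.168.0.1"):
        print(client, check_static_client(client, MASK, GW, *POOL) or "ok")
```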

