Connecting to the Internet
This article is a basic overview to get you started. There are other articles here that cover certain details in more depth. You may also want to read:
- Installing a Small Office Network
- Internet Mail
- OSR5 PPP Setup
- IPFILTER Firewalls
- DSL and Cable Modem Security
- VPN’s and other remote access
- E-Smith Server and Gateway
Some common misunderstandings that are covered here:
- Email, web, ftp or whatever are all different, and each can be controlled or supplied independently of the other. This means that Jack in your office can have complete access to everything, Mary gets only email, and poor Bill gets nothing at all.
- You don’t necessarily need a static ip address even if you want to provide a web or ftp site.
- You don’t need Microsoft Exchange to use Outlook or Outlook Express. These work quite happily with any POP or IMAP server.
- You can have an internal email domain but host your web site elsewhere. That means that mail for yourcompany.com can come directly to your office, but that www.yourcompany.com is hosted somewhere else. Web and mail are two different things and can be separated.
- You don’t need (or even want) real ip addresses for each machine in your office.
Connectivity
The first thing is to get connected. Your choices range from dialup PPP to full T1s or even higher (assuming you had the money and the need), but the typical small office probably will be using DSL, Frame Relay or a partial T1. Cable access is also starting to be seen.
At the lower ends of connectivity (DSL and Cable), the provider almost almost always also deals in the home connectivity market and therefore will provide some Windows based software, and that software may also be capable of sharing multiple machines. I’m not going to preach here why you don’t want a business network relying on something like that; we’re just going to plunge ahead into better options. However, I will note that (as usual) you probably are going to have to deal with Windows-centric support folk.
When dealing with these providers, be sure they understand what you want are what they are providing and not providing. If you want a static IP address, be sure to say so, but also watch out that they don’t give you (and charge you for) real IP addresses for every machine you have. If you are going to use a computer as a router, you don’t need them to provide a router (though sometimes they will have to anyway just because it is part of their connection). The same is true for firewall, NAT or proxy software.
If you don’t understand all of this after reading this and the related articles, you probably should hire someone who does to deal with all of this. You can waste a lot of money- I’ve seen many $10,000-20,000 installations that could have been done for a tenth of the cost.
Your Internal Network
You want to isolate your internal network from the Internet. The internal machines will have access to the web, to email, to ftp or to whatever you want to give them access to, but the big bad world shouldn’t have access to them. Of course, there may be some machines or services that you do want the outside world to have access to, but your starting position should be everything isolated and closed off.
To achieve that isolation, the internal machines will use one of the private, unassigned network ranges, such as 10.x.x.x or 192.168.x.x or 172.16.x.x (if you don’t understand this, see Networking 101 ).The advantage of this is that such addresses are non-routable on the Internet, so are effectively invisible and unusable- even if you connected a machine with such an address directly to the Internet, it wouldn’t work, and that in itself is a large part of the isolation and protection we want. We give these invisible machines access through a gateway machine, a machine or router that has one address that is in our internal, private network, and one address that is real, and that real address is the connection to the internet. If we’re using a computer for that function, that computer will have two network cards unless your internet connection is dialup.
Static or Dynamic IP
Your internet address (the external, real address) can be constant, or it can be assigned by DHCP. The advantage to a static, unchanging ip address is just that: it doesn’t change. If you are providing access from the outside world to your network, that’s very helpful. However, it’s not absolutely necessary.
Most access to you isn’t done by ip numbers anyway, it’s done by name. Somebody points their web browser at www.yourcompany.com, not at 64.109.x.x or whatever. The actual ip address is looked up by DNS (Domain Name Service). When you registered yourcompany.com, somebody (probably your ISP) became responsible for providing that address to machines that need it.
If the address is static, the ISP just typed in that number once and then leaves it at that- your address never changes. However, if you have a dynamic address, it can and will change every now and then. Normally, you might keep the same address for days or even longer- the DHCP software generally is designed and configured to do that, but potentially you have the possibility of having your address change at any time. If you want “mycompany.com” to point to whatever address you have today, you need a Dynamic DNS Service to be the ones responsible for your address lookup, and you need to notify them (automatically, of course, through software) that your address has changed so that they can update their tables. There are all sorts of such services available, from free to not free; just search the Web for Dynamic DNS Service and you’ll find plenty to choose from.
Either way, you now have the ability to offer services (web, ftp, etc.) from your computers. The service could be on a computer that has a real ip address, or it could actually be inside your network on one of the machines with those invisible, private addresses. How is that possible? Special software sitting on the machine that does have the real address redirects packets inward to the private address. This is an inward or reverse proxy function- most routers have this capability also.
Firewall/Gateway/Router
This is what will provide the access and the NAT (Network Address Translation) that will let the internal machines work behind it. NAT is the software that translates an unroutable internal address into a real, usable external address.
If you want to be very compulsive and technical, most of us really use PAT (Port Address Translation) which is an overloaded NAT. Folks who worry about such distinctions think of NAT as providing a specific external address for each outgoing internal address. That wouldn’t necessarily mean that you would have just as many external addresses as internal, but it would mean that the number of concurrent uses would be limited by the number of external addresses. With PAT, one external address is used for all internal machinres- the software keeps track of what belongs to what by using different port numbers in the packets.
A firewall also limits what can come in to your machine from outside. The difficulty here is that you may actually want to provide some services: you may want to run a web site, or allow telnet or ftp access to your machine. That makes the firewall’s job more difficult: it’s fairly easy to just lock everything up so there is no access at all, but it’s much more difficult to let the good guys in while keeping the bad guys out.
As mentioned above, the services you provide could be located on the firewall machine, or on a machine inside your network. They could also be hosted on a machine outside the firewall- this is often called a DMZ (Demilitarized Zone). Basically you have an external network with real IP addresses and one of these is a gateway/firewall to your internal network. More complicated installations have multiple layers of firewalls.
You’ll also hear the term “proxy server”. Actually, NAT provides a proxy service; proxy just means that somebody else is representing you, and that’s just what NAT does. However, when people say “proxy server”, they usually mean something different, and they usually specifically mean a web browsing proxy server. The difference is this: with NAT, you don’t do anything special to browse the web- just use your browser with your default gateway pointing at the NAT machine and it works. However, if you have a web proxy server, you need to tell your browser that you are using it- that’s a setting you make that points your browser to the proxy (that may be done automatically by DHCP). Often, the proxy server is also a cache server- it will cache frequently accessed pages to improve performance. It may also offer filtering capabilities- the ability to restrict access to certain pages or perhaps to grant or deny access to certain users.
You don’t necessarily need a proxy server to deny services to certain
users. Often the NAT sofware has basic filtering capability, and you can also use software such as TCP Wrappers to control access.
Where is it?
That brings me to another area of confusion. People get confused about web sites, email and ftp. They want to host their web site externally, and get confused about email and how this all works. The clue to understanding your options is DNS.
Whenever any access is made by name, the actual ip address gets looked up in DNS. If you have a domain name, somebody, somewhere, is responsible for knowing the addresses associated with that name. You can find out who that somebody is by using “whois” or just with “dig”:
dig yourdomain.com any
The DNS keeps track of every host name you use (www.yourdomain.com, ftp.yourdomain.com) and also tracks one more very important address: the MX or Mail Exchange record. Each host name can point to a different address: www.yourdomain.com and ftp.yourdomain.com could be located thousands of miles apart, on totally different machines. The MX record can also be different. So, you might have your web site hosted by someone like Hostpro, your FTP site somewhere else, and an MX record pointing directly to a mail server at your place of business. You can also have multiple names pointing to the same place: I have pcunix.com and aplawrence.com but both domains go to the same places.
POP, IMAP, SMTP
SMTP means Simple Mail Transport Protocol- it’s how email moves across the Internet. Once email gets to your mail server, you’ll use POP or IMAP to get it to your Windows machine. Neither POP nor IMAP deliver mail or are used to send mail- they are only what moves the mail from the server to your machine. When you send mail from a Windows machine, you aren’t using POP or IMAP- you are talking to an SMTP server. That may, of course, be running on the same machine, but it could be different.
The major difference between POP and IMAP is that IMAP downloads only header information until you actually want to read the message. This is good for slow links: you don’t waste time downloading the body of a message you aren’t going to read.
Sendmail is what sends mail OUT. If you have a domain name, and have a SMTP server, you can have your MX (mail exchange) record pointed to your server. In that case, sendmail (or something like it) would handle incoming mail also.
If you don’t (or even if you do), you might have a multidrop POP mailbox somewhere. That’s a mailbox where all your mail gets collected. It’s called multidrop because you can have any number of names going to one place. In this case, you’d use something like “fetchmail” on your server to bring the mail down and distribute it.
See E-Smith Server and Gateway as an example of a mail server that can do these things.
What now?
You can build your own gateway and firewall using SCO or Linux- the links at the beginning of this article cover the specific details. You can also buy packaged solutions like the E-Smith server also referenced above. For small offices, you can use products like Multitech’s Routefinder or ProxyServer.
Or, you can go out and spend a ton of money on a high priced Cisco router, an NT server with Exchange, and a Pix firewall. After all, it’s your money, and if you want to waste it, that’s certainly your choice.
Please read this disclaimer
Copyright and reprint info
A.P. Lawrence provides SCO Unix and Linux consulting services http://www.pcunix.com