Part 2 - TCP/IP, Routers/Firewalls, and Networking Hardware
NETWORKING FUNDAMENTALS - Part 2
There are VOLUMES of information about TCP/IP available on the Internet. My goal here is to give you what you'll need to set up a home network.
There's an introduction to TCP/IP, then I explain some of the hardware and software you'll need to do what you want safely on the Web. I'll also cover DHCP, and why I recommend using it.
In Part 3, I'll cover Sharing Resources on a Microsoft Network.
Networking behind the scenes :
When you browse to a web site like http://www.xboard.us/bbb, what really happens? First, your computer resolves the name using the Domain Name System (DNS) and finds out the IP Address is [XXX.XX.XXX.XX]. Once it finds the IP Address, it will know whether the server is local, or on a remote network. After it knows the address, and knows it's on an external network, it sends a message to the website's server asking for the home page. The Server sends a reply, and poof! The page appears in your browser!
Since your computer is exposed to the entire Internet, especially if you have DSL or Broadband, you should protect yourself with Hardware and Software Firewalls.
I'll cover all of that below, but I'll begin with an explanation of TCP/IP and IP Addressing.
Transmission Control Protocol/Internet Protocol (TCP/IP)
TCP/IP is a suite of protocols that allow communication between computers, and between networks. A Protocol is nothing more than a set of standards. You can think of it like a language. To communicate effectively, we need a common language or Protocol.
The primary part of TCP/IP I'll be focusing on is IP Addressing.
What's an IP Address?
I like to use an analogy I've seen used many other places. An IP Address is like a person's mailing address. The name, www.xboard.us/bbb is like the person or business name. The IP Address associated with that is like the Country/State/City/Street and House Number.
Take a look at your IP Address:
Windows 98/Me: Go to Start, Run, and type winipcfg. This brings up the IP Configuration window. You can see your IP Address, the Subnet Mask, and the Default Gateway. (You need to choose the right adapter.)
Windows 2000/XP: Go to Start, Run, and type cmd. This brings up a Command window. In the Command window, type ipconfig. You'll see the same information in text format.
Parts of an IP Address:
You'll notice that your IP Address is broken into 4 parts separated by periods, for example, 192.168.1.50. The parts are called Octets, and their values can range from 0 to 255 in each part.
How does the computer know which part is the Network (City/State, etc.) part, and which is the Host (house number) part? It uses the Subnet Mask to figure it out.
I'll keep the discussion very simple. There are different ways to divide the network and host portions up (Subnetting), but I'll stick to the scheme you should use on your home network (assuming you have your own router) here.
Here's the breakdown for your home network:
IP Address:    192.168.1.50
Subnet Mask:   255.255.255.0
Network part:  192.168.1   (the octets where the mask is 255)
Host part:     .50         (the octet where the mask is 0)
In this example, you're using a Class C Address Scheme.
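To show what the Subnet Mask is actually doing, here is an added example (my own illustration, not part of the original post) that splits an address into its Network and Host parts and decides, the way your PC does, whether a destination is local or has to go to the Default Gateway. It uses the post's own addresses and also works for masks other than 255.255.255.0.

```python
# Added example: how a host uses its Subnet Mask to split an IP Address into
# Network and Host parts, and to decide whether a destination is on the local
# network or must be handed to the Default Gateway (the Router).

def dotted_to_int(addr: str) -> int:
    """Convert a dotted-quad string such as '192.168.1.50' to a 32-bit integer."""
    octets = [int(o) for o in addr.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"bad IPv4 address: {addr}")   # each Octet is 0..255
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]

def int_to_dotted(n: int) -> str:
    """Inverse of dotted_to_int."""
    return ".".join(str((n >> shift) & 0xFF) for shift in (24, 16, 8, 0))

def split_address(addr: str, mask: str) -> tuple:
    """Return (network part, host part) of addr under the given Subnet Mask.
    Network part = addr AND mask; host part = addr AND NOT mask."""
    a, m = dotted_to_int(addr), dotted_to_int(mask)
    return int_to_dotted(a & m), int_to_dotted(a & ~m & 0xFFFFFFFF)

def next_hop(my_ip: str, mask: str, gateway: str, dest: str) -> str:
    """Where a packet to dest is sent first: directly to dest if it is on our
    own network, otherwise to the Default Gateway (the Router)."""
    m = dotted_to_int(mask)
    if dotted_to_int(my_ip) & m == dotted_to_int(dest) & m:
        return dest       # same Network part: deliver directly on the LAN
    return gateway        # different network: let the Router deal with it

if __name__ == "__main__":
    print(split_address("192.168.1.50", "255.255.255.0"))
    for dest in ("192.168.1.77", "184.108.40.206"):
        print(dest, "->", next_hop("192.168.1.50", "255.255.255.0", "192.168.1.1", dest))
```

With a 255.255.254.0 mask (a different subnetting scheme) the same code treats 192.168.0.20 and 192.168.1.50 as neighbours on one network.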
I strongly suggest you stick to the 192.168.1.x network unless you have a reason to change, and unless you know about Private Addressing. If you use Virtual Private Networking (VPN) to get into your business network, and your company uses a 192.168.1.x scheme, you may have to change your IP. I know of no other major reason to change it.
If you need VPN help, please post a message and I'll get you working!
Dynamic Host Configuration Protocol (DHCP)
How do you know what IP Addresses are assigned, what ones are legal for your network, and how to configure your DNS information? You don't have to if you let your Router handle it by enabling DHCP on the Router and on your Computers.
DHCP on the Router
Most home Routers have a web browser interface. Open your browser (Firefox, for example) and in the Address bar, type 192.168.1.1. (If this doesn't work, check your Default Gateway Address in your IP Configuration. That's the address to put into your browser.) Some kind of Router interface should open up. Look for a setting or tab that says DHCP. Make sure DHCP is enabled. You'll want to write down your DHCP Scope (that's the range of addresses that will be used for your PCs), and the DNS Servers.
DHCP on the PCs
Important! If you have configured your IP settings manually, you should write down all of these settings as they are, before making any changes. You may want to put them back temporarily if DHCP doesn't work.
Windows 98/Me: Right click on Network Neighborhood on your desktop, and select Properties from the menu that comes up. Under the Configuration tab, scroll down to TCP/IP -> Your Network Adapter (your adapter name will be here). Highlight TCP/IP for your Network Adapter and click on Properties. In the TCP/IP Properties window, click on the IP Address tab and make sure Obtain IP Address Automatically is selected.
Under the WINS Configuration tab, make sure Use DHCP for WINS Resolution is selected.
Under the Gateway tab, there should be no installed Gateways. If there are, highlight and remove them.
Under the DNS tab, remove any configured servers. You can leave your hostname, but all other fields should be blank.
Windows 2000/XP: Click on Start, Control Panel. In Control Panel, click on Network & Internet Connections, then on Network Connections. (2000, just right click My Network Places on your desktop, then select Properties).
Right Click on Local Area Connection and choose Properties. Make sure Obtain IP Address Automatically, and Obtain DNS Server Address Automatically are selected.
Click Advanced and make sure there are no Gateways.
Routing and Firewalls
Ok, you know your IP Address; you know what it means (kind of?), now what?
A Router is like a local post office. If you're sending a letter to someone in your own town, the letter does not have to be sent to another town's post office, so it stays local. If it bears an outside address, it has to be "routed" to a different post office, and it is sent out.
If you have only one computer and you connect directly to a Cable Modem, or DSL connection, your Internet Service Provider (ISP) has the Router.
If you have a LAN, you'll need a Router (it should be a Firewall/Router, but more on that later).
A Router has at least an Internal and External Port or Interface. Its only purpose is to take traffic from the Inside Port, and send it to the Outside Port if needed, and do the reverse for inbound traffic.
To illustrate, your computer's browser request goes to the Router (Default Gateway). The Router sends the request to Routers across the Internet until they get to the website's Server. Then the reverse happens to get the traffic back to you!
Out: 192.168.1.50 --> 192.168.1.1 --> Internet Routers --> 184.108.40.206
Back: 220.127.116.11 --> Internet Routers --> 192.168.1.1 --> 192.168.1.50
Everything's wonderful, right? Not really. There's a little problem with connecting to the Internet. There are many people scanning your computer for vulnerabilities and trying to attack you every day! How do you stop them? A Firewall, of course!
Firewalls basically permit traffic from Inside to Outside, but block traffic from Outside to Inside, unless it's been requested from Inside. It's kind of like a flapper valve, or a backflow preventer in a pipe, except that some traffic (the traffic requested from inside) is permitted back in.
For a Hardware Firewall, Inside means on your LAN, and Outside means on the Internet. For your PC, Inside means on your PC, and Outside means everything else. On both Hardware and Software Firewalls you should be able to permit traffic inbound when needed.
A Hardware Firewall, like this Linksys Firewall, or this Netgear VPN Passthrough Firewall will be all you need. (Get a VPN Passthrough capable Firewall if you VPN into work).
NAT vs. SPI?
Let's say you're shopping for a Firewall, and you see that the box says "Built-in NAT technology acts as a firewall to protect your internal network." WRONG! It makes me angry when manufacturers take advantage of the public's lack of knowledge like that. Notice the tricky wording "acts as a firewall". The average person will think they're well protected. It doesn't say it is a firewall!
Network Address Translation (NAT) (more accurately, Port Address Translation) is a normal procedure when you're using an internal network address scheme like the 192.168.1.0 Network so many home networks use. It is NOT designed to be a firewall. It can be overcome by sending fragmented packets, and may be spoofable.
Stateful Packet Inspection (SPI) on the other hand, was a technology developed for use in Firewalls. It keeps track of the "state" of communications between your PC and the outside world. It is much more difficult to break through an SPI Firewall than a NAT Router.
Bottom line, make sure you get a Firewall that does SPI!
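To make the "flapper valve" idea and the word "state" concrete, here is an added example (my own toy model, not part of the original post and not how any particular product is built) of a stateful filter: traffic from Inside (the 192.168.1.x LAN) is allowed out and remembered; traffic from Outside gets in only as a reply to a remembered flow, or through a port you deliberately opened. The packets are constructed samples; 203.0.113.9 is a made-up outside address.

```python
# Added example: a toy Stateful Packet Inspection (SPI) filter.
# Inside -> Outside packets are passed and remembered as flows; Outside -> Inside
# packets pass only if they are the reply to a remembered flow, or match an
# inbound permit the owner configured. Everything else from Outside is dropped.

LAN_PREFIX = "192.168.1."           # the home network used throughout this post

def inside(ip: str) -> bool:
    return ip.startswith(LAN_PREFIX)

class StatefulFirewall:
    def __init__(self, inbound_permits=()):
        # Remembered outbound flows: (lan_ip, lan_port, remote_ip, remote_port, proto)
        self.flows = set()
        # Ports deliberately opened from Outside: (proto, port), e.g. ("tcp", 80)
        self.permits = set(inbound_permits)

    def check(self, pkt: dict) -> str:
        src, sport, dst, dport, proto = (pkt["src"], pkt["sport"],
                                         pkt["dst"], pkt["dport"], pkt["proto"])
        if inside(src) and not inside(dst):
            self.flows.add((src, sport, dst, dport, proto))
            return "PASS"                       # Inside -> Outside: always allowed
        if not inside(src) and inside(dst):
            if (dst, dport, src, sport, proto) in self.flows:
                return "PASS"                   # the reply to something we asked for
            if (proto, dport) in self.permits:
                return "PASS"                   # a port the owner opened on purpose
            return "DROP"                       # unsolicited traffic from Outside
        return "PASS"                           # LAN-to-LAN never reaches the firewall

def run_sample() -> list:
    """Constructed sample traffic; returns one verdict per packet."""
    fw = StatefulFirewall(inbound_permits={("tcp", 80)})   # say, a home web server
    packets = [
        dict(src="192.168.1.50", sport=51000, dst="184.108.40.206", dport=80, proto="tcp"),
        dict(src="184.108.40.206", sport=80, dst="192.168.1.50", dport=51000, proto="tcp"),
        dict(src="203.0.113.9", sport=4444, dst="192.168.1.50", dport=139, proto="tcp"),
        dict(src="203.0.113.9", sport=4444, dst="192.168.1.50", dport=51000, proto="tcp"),
        dict(src="203.0.113.9", sport=4444, dst="192.168.1.50", dport=80, proto="tcp"),
    ]
    return [fw.check(p) for p in packets]

if __name__ == "__main__":
    print(run_sample())   # ['PASS', 'PASS', 'DROP', 'DROP', 'PASS']
```

The fourth packet is the interesting one: it aims at the port your PC used for its web request, but it comes from the wrong outside address, so the state table rejects it. A plain NAT box has no such table to consult; a real SPI firewall also tracks TCP flags and ages flows out, which this toy leaves out.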
Good news! There are some excellent Software Firewalls available for free! I'm listing two here, but there are more out there.
Windows XP Service Pack 2 Firewall - Microsoft has made some progress with the built in XP Firewall. This one's configurable, in that you can let some traffic through from the outside for home networking. It still doesn't warn you about unknown outbound traffic though! That means you won't know if a Trojan, Virus, or Spyware is trying to get out, nor will you be able to block it.
Zone Alarm - This version is free! They have pay versions, but the free one performs all the basic firewall functions you should need.
Sygate Personal Firewall - Another free version by a company that makes more powerful pay versions too.
To test your Hardware Firewall, scan it from outside with Steve Gibson's ShieldsUP! scanner. It's fast and will tell you exactly what ports are insecure on your Firewall.
To test your Software Firewall, download and run Steve Gibson's Leak Test. It simply simulates an application you haven't authorized trying to get to the Internet. You should get a warning that an application is trying to get to the Internet. You say no, and make sure the test program is blocked.
Other Networking Gear
Switches & Hubs:
If you buy any of the most popular home Firewalls, they have 4 to 8 Switch Ports built in. An in-depth discussion of the difference isn't needed here. Just know that a Switch is a little better in some ways than a Hub, although the performance difference will be negligible for the home.
If you need a Switch, you can find one like this Belkin 8-Port Switch.
Ethernet NICs, Routers, Switches, and Hubs use Category 5 (or 5e) cabling. Just get some Cat 5e patch cables and you're all set! Cat 5e will allow you to go to Gigabit Ethernet if you want.
Oh yeah, straight through, or crossover cables? It depends. For this discussion, we'll classify PCs and Routers as "smart" devices, and Switches and Hubs as "dumb" devices. Smart to Smart, or Dumb to Dumb, you need a crossover cable. Dumb to Smart or Smart to Dumb, you need a straight through.
PC to Switch Port on your Router/Firewall (Your Router's doing triple duty here, it's a Router, a Firewall, and a Switch, all in one!), you'll use a straight through cable. You usually only have to worry about finding a crossover cable if you want to go straight from PC to PC, or if you want to plug a Switch into another Switch (and even Switch to Switch, many have an Uplink Port or a Crossover Button alleviating the need for a crossover cable).
That concludes Part 2! I bet you thought it would never end!
Please let me know what you thought!
Coming up - Part 3 - Sharing Resources on a Microsoft Network