This chapter covers some of the more important elements of getting your LAN connected to the Internet. As you may recall from Chapter 11, "Wide Area Networks," using the Internet as a wide area network (WAN) to connect two or more LANs together is a cost-effective way of linking separate LANs together. If you have offices around the country and you want the LAN users to share e-mail and other applications, connecting each office to a local Internet provider and using the Internet as a WAN is more cost-effective than paying a phone company for a cross-country data circuit. This chapter discusses some of the hardware and software associated with establishing Internet access and some of the issues that surround connecting a LAN to a network of millions of computers, which is exactly what the Internet is.
In its early years, the only way you could get access to the Net was through a university or government agency, or possibly a research organization. There were virtually no businesses on the Net, and the only dial-up users were those dialing into the universities or government networks to access a computer that was connected to the Net. All through the 1970s and early 1980s, the Net was very small in terms of the actual number of users. When companies like UUNet and PSI began building Internet network systems that could be connected to the existing Net, the first commercial access to the Net began. Even just a few years ago, in the early 1990s, the applications and types of connections used to access the Net were very limited. A user with dial-in access, for instance, would be accessing the Net through a shell account, which is entirely text based; no graphical access existed for Internet services.
Since that time, the Net has grown exponentially with millions of users all around the world. We have yet to witness the potential growth of the Internet. At least half of all U.S. business organizations have not provided dial-up business accounts for their employees or connected their LANs to the Net, and many individuals who will have personal dial-up accounts have yet to join in.
This incredible growth has spawned thousands of Internet providers. The big players that have joined or are planning to join the ISP ranks include AT&T, MCI, and some of the Bell companies. Even a few of the larger cable systems, such as Jones Communications and TCI, are implementing cable TV connections to the Internet that promise to deliver higher speed access than is possible with a modem over phone company lines, although this type of service is still largely underdeveloped at this time. Aside from the major players like the PSIs and UUNets, there are so-called online services, such as America Online and CompuServe, that offer not only Internet access but also fancy bulletin board systems to provide information content. You may have seen advertisements for one of these online services in which a "user" is talking about all the things he or she can do with this service and concludes, "I even have access to the Internet." These companies are offering a dial-in connection to their customized networks, which in turn have a connection to the Internet; you are not necessarily connecting to the Internet when you dial into their service.
In addition to the big ISPs and the online providers, there are numerous small ISPs that have come out of the woodwork; these are sometimes called "mom-and-pop shops." Five years ago a provider could buy a 56Kbps digital circuit to a large ISP, such as UUNet, hook some modems together, and set up shop. For the most part, we have seen that this kind of ISP is disappearing because of either serious competition from larger, less expensive ISPs or the lack of service they offer. Most mom-and-pop shops either get smaller and collapse because of these larger providers or, if they survive and grow, typically are bought out by the larger ISPs.
This section discusses the factors to consider when selecting Internet access providers. My first suggestion may disappoint you: If the providers offer freebies, such as hats, stickers, or any other neat paraphernalia when you sign up, find another service provider.
If you are simply looking for dial-up modem service, you have many options from which to choose. There are hundreds of choices that adequately satisfy dial-up service requirements. This route provides an acceptable method of connection to the Internet if you are connecting just a few computers that will do little more than browse the Web and send some e-mail.
If, on the other hand, you have many users who will browse, send e-mail, share documents consistently by e-mail, and perhaps host your company's Web site, you will need to connect your LAN to the Internet. For this type of connectivity, your options are greatly reduced. Most of the large ISPs (not the "online" providers but actual ISPs) have some sort of dedicated LAN to Internet service. UUNet is one of the largest ISPs that specialize in dedicated LAN-to-Internet access. PSI is another large ISP with dedicated access services. Numerous regional providers are also stepping up to the plate. Many of these providers offer dedicated connections to the Net but may require more than just a dedicated "pipe." You may want support from the provider in configuring your network for Internet access or assistance with e-mail and Web page support. This will narrow the field of providers even further. If you are just getting a "pipe" to the Net, you may be responsible for setting up your own news, e-mail, and Web servers. I cover these issues later in this chapter; now let's look at Internet connections.
Before considering the type of Internet connection for your network, you first must decide what kind of service you will provide to your users. I already have mentioned the idea of connecting a LAN to the Internet rather than just utilizing modems. Now let's consider in more detail some of the pros and cons associated with the different types of Internet services and the application of those services as they relate to your organization's needs. What follows is a general description of different types of Internet services, what they provide, and how they may fit into your plans for Internet access.
Dial-up analog service is for users who have modems connected to their computers. A dial-in user can access the Internet in two ways. Both of these methods use a modem to allow the computer to speak over the telephone lines. The modem takes the bits (the 1s and 0s that the computer "speaks") and turns them into sounds that can be sent over the telephone lines. These sounds are sometimes heard, depending on the modem, as a series of squeals and beeps when you first dial into the ISP's modems. The fastest speed at which a user can access the Internet with a modem is 28,800 bps. Slightly faster speeds may be achieved, but basically this is the maximum speed that the analog telephone lines can support. If you use modems to connect to the Internet, you will have to maintain a modem on each computer or set up a communications server to support a pool of modems that the users can access over the LAN. The modem pool is considered by some (myself included) to be more of a hassle than it's worth, particularly with the speedier and consolidated direct LAN-to-Internet services available from most ISPs.
The first of these modem connection methods is generally called a shell account. A shell account is accessed with a terminal software package, such as Windows Terminal, Procomm, or PC Anywhere. A user dials into the ISP's modems and, after he or she is connected, logs into a computer that is directly connected to the Internet in the ISP's facility. This computer, called a server, has its own unique Internet address. The user uses the server's Internet applications, such as e-mail or Telnet, to get around on the Internet. The shell method is the way users originally accessed the Internet through modems.
The main drawback to this type of connection is that there are no graphics associated with it. A user browsing the Web from a shell account will be using a program, such as Lynx, that allows the user to read the text on the Web but without graphics. The advantage to this account is that the user can access many applications and programs located on the server that take up too much space or are too expensive to be stored on an individual's computer. Many Internet "power" users and novices alike use shell accounts as a method of Internet access.
Recently, there has been an explosion of SLIP and PPP accounts to access the Internet. These types of accounts have led directly to the widespread use of the Internet by thousands of users who otherwise might not have ventured onto the information superhighway. Like a shell account, a PPP or SLIP user dials into the ISP to connect to the Internet. Unlike the shell account, however, the SLIP/PPP user connects to the ISP with a SLIP or PPP software package, such as a Winsock, Chameleon, or Netscape dialer, and gets an Internet address assigned directly to his or her computer. Then he or she can use the e-mail, Telnet, and Web browser applications located on the computer to communicate or search for information. Because the computer is directly connected to the Internet with its own address, the user can browse the Web in graphical mode. In most cases, users will get an Internet address assigned dynamically each time they connect to the ISP. This means nothing in terms of the functionality. For example, a user's e-mail address always will be the same, but the numerical address of the computer will be different each time he or she dials in. Most ISPs elect to dynamically assign addresses to dial-up customers from predefined pools of addresses for easier management.
The phone companies' recent development of ISDN (Integrated Services Digital Network) has brought the capability to dial a digital call into an affordable price range. ISDN is an all-digital service. This means that the binary 1s and 0s that computers speak can be directly transmitted over the phone lines without having to change them into sounds as a modem does. The result is much faster transmission speeds, and that means faster connections to Internet sites. The minimum speed of an ISDN phone call is 56Kbps. With just an ISDN Basic Rate Interface (BRI), users can reach dial speeds up to 128Kbps. This type of speed brings a much more functional and practical access to the Internet than even the fastest modem.
ISDN allows the user to search out and retrieve information two to four times faster than an analog modem. The ISDN service allows the user's computer to transmit a totally digital signal all the way through the phone company's network to the ISP. A modem, on the other hand, is extremely inefficient, and as a result, modem transmission speeds are limited. Obviously, the ISP must have ISDN network connections to support this type of service. Users can place ISDN calls with the help of a device called a terminal adapter (TA). Think of the TA as a modem for digital computer calls. This is not accurate technically because there is no modulating of the computer's digital "talk" into sounds, but the TA is attached to the computer in the same way as a modem. Subscribers use dial-up software that allows them to dial a PPP or SLIP connection over the ISDN line. This account also will get an address assigned when dialing in.
The LAN-to-Internet connections come in two versions; both use a router to connect the LAN to the ISP and require a TCP/IP software package on each computer to access the Internet. This software is different than the software used to dial into the Internet with a TA or modem. The LAN TCP/IP software allows the computer to "talk" over the LAN through the router to the ISP and out to the Internet (see Figures 12.1 and 12.2).
Figure 12.1: LAN dial-up and direct connections to the Internet.
Figure 12.2: Individual dial-up and single desktop connections to the Internet.
With a dedicated LAN connection, the router's connection to the Internet is "nailed up" or dedicated, meaning a path or circuit over the telephone company's network to the ISP is established 24 hours a day, seven days a week. This is an ideal connection for users who host their own Web page servers. Typically, the ISP will provide some support with mail and news servers, allowing users access to their servers. The LAN is available all the time on the Internet. This type of connection is best suited to mid- and large-size LANs with 25 or more users. The speeds of dedicated LAN connections range from 56Kbps to 45Mbps or higher, the average being the T-1 dedicated phone company service that operates at 1.5Mbps. The types of dedicated connections supported will depend on the local telephone company and the ISP.
The other option is the dial-up circuit to the Internet. In this scenario, the circuit to the Internet is dialed up whenever one of the computers issues a connect request to the Internet, such as opening the Web browser and connecting to a site or sending out some e-mail. The router brings up the connection to the Internet when needed and then drops it when there is no traffic to the Internet. ISDN is the most common method of dialing up a LAN-to-Internet connection in high-population areas. In the Midwest, 56K or T-1 is more common than ISDN. This type of service is ideal for small LANs in which there is sporadic use of the Internet. This is not a good connection method, however, if you are planning to serve a Web site, because the connection is typically dialed from the LAN to the ISP in one direction only. The connection would not be initiated through the ISP when a user on the Internet tries to access the home page.
Certain systems must be placed to support your LAN-to-Internet connection. I will assume first that there already is a LAN installed in your facility. Before you begin, ask several providers about the pricing structures of their service options. Make sure you choose a provider that has a point of presence (POP) local to your facility. Because the telephone company charges for your dedicated circuit likely will be based on mileage (the distance from your facility to the ISP over the phone lines), you don't want a provider who is across the state; you will be paying for both the telephone company lines and the connection charge to the ISP.
Note: The acronym POP is used for both Point of Presence and Post Office Protocol. Be careful not to get them confused. It's a little easier now that Post Office Protocol has been upgraded to version 3; now it's usually called POP3.
Some ISPs will bundle the telephone company circuit charge into their billing so you only pay the ISP, but there is a charge for this service. Some ISPs also charge for the amount of data that the site receives (and in some cases transmits) across the circuit. An average price for a T-1 connection to an ISP is about $1,500 per month plus phone company charges. There are ISPs that will charge for data packet transmissions in addition to this fee, up to $6,000 a month. In my opinion, this is excessive and potentially could make budgeting your Internet connection difficult, because your data packet transmission levels typically go up and down depending on what the users are doing on the Net. If a user is just Web browsing for a few days and then begins to download large files from the Net, your usage of the circuit goes up. One month you could get a $1,500 bill from the ISP, and the next month you could get a $3,500 bill.
Another planning consideration is how to set up the network to accommodate the Internet service. It's likely you will be given a group or block of TCP/IP addresses that you must assign to each workstation and server that will access the Internet.
The address block looks something like this:
192.188.199.0
192.188.199.0 is the network block, and within this block you have 254 individual addresses to assign to each computer. Each class of IP address has the numbers 1 through 256 (1 and 256 are typically reserved for specific machines). Therefore, if you see an IP address number higher than 255, it's probably incorrect.
You have a list of computers with addresses that look like this:
Jim's computer: 192.188.199.1
Bob's computer: 192.188.199.2
Marcia's computer: 192.188.199.3
These addresses are 32 bits long and are divided into 4 groups of 8 bits. Each byte (eight bits) has a value between 1 and 256. You may see addresses that look like this:
12.1.1.2 or 221.221.23.1
You will not see addresses that look like this:
322.198.620.8 or 914.2.832.1
Each computer on the Internet must have a unique address. No two computers on the Internet anywhere in the world can have the same address. The addressing of Internet computers is set up into network blocks. These blocks are then assigned to ISPs, government agencies, large corporations, and ultimately smaller companies and organizations through ISPs or the government. There are three types of address blocks: Class A, Class B, and Class C. The biggest difference is the size of the blocks, that is, the number of individual addresses in each block. A Class A block, for instance, has over 16 million individual addresses. The kinds of organizations that can get a Class A block are limited to governments, the really big ISPs (for example, PSI, UUNet), and groups with more clout than the rest of us. If you want to hear unbridled laughter, tell your ISP you need a Class A address block; all the Class A addresses are already assigned. Class A addresses start with a first byte value of 1 and run up to 127. An example of a Class A network block would be the following:
22.0.0.0
The first byte (22) is the network number, and the other three bytes are for individual computer addresses. The individual addresses available would then be assigned as follows:
22.0.0.1, then 22.0.0.2, and so on
Class B addresses start at 128.0.0.0 and run up to 191.0.0.0, so a Class B network block would look like this:
131.11.0.0
Note that the first and second byte now make up the network number and the remaining two bytes are for individual computer addresses, such as the following:
131.11.0.1 or 131.11.0.2
A Class B address has more than 65,000 individual addresses in it. Class B addresses are rare; not as rare as a Class A, but if you ask your ISP for a Class B you will still get a chuckle. At this point, no Class As, and very few Class Bs, are left.
The last type of address block is the Class C. More than likely you will get this type of network block for your LAN. Class C addresses start at 192 and run through 223. An example of a Class C network address would be the following:
192.188.199.0
Notice that the first three bytes now make up the network block with only 254 addresses available for the individual computers. There are still a fair number of Class C addresses, but they are being assigned at a rapid rate to ISPs. The address blocks are assigned to everyone by the Network Information Center (NIC). Every address block on the Internet is registered with the NIC. Don't bother applying to the NIC for your own address block; the assignment of network addresses occurs in groups of blocks rather than individual network numbers. The NIC is sort of a wholesale distributor of addresses.
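The addressing rules just described (four one-byte groups, Class A first byte 1 through 127, Class B 128 through 191, Class C 192 through 223, with the all-zeros and all-ones host numbers reserved) are easy to encode, and doing so gives you a quick check on any address list an ISP hands you. The following is an added example written for this chapter, not code from the book or from any vendor. It treats each byte as holding one of 256 values, 0 through 255, so any group above 255 is rejected, which is the rule of thumb the chapter gives. The addresses it runs on are the chapter's own examples plus a few constructed invalid ones.

```python
"""Classful IPv4 address checks (added example, not from the chapter)."""
from dataclasses import dataclass

# class letter -> (lowest first byte, highest first byte, bytes used for the network number)
CLASS_RANGES = {"A": (1, 127, 1), "B": (128, 191, 2), "C": (192, 223, 3)}


def parse_ipv4(text):
    """Return the four byte values of a dotted-quad address, or raise ValueError."""
    parts = text.strip().split(".")
    if len(parts) != 4:
        raise ValueError(f"{text!r}: expected four dotted groups")
    octets = []
    for part in parts:
        if not part.isdigit():
            raise ValueError(f"{text!r}: {part!r} is not a number")
        value = int(part)
        if value > 255:
            raise ValueError(f"{text!r}: {value} does not fit in one byte (max 255)")
        octets.append(value)
    return tuple(octets)


def is_valid_ipv4(text):
    """True when text is a well-formed dotted-quad address."""
    try:
        parse_ipv4(text)
        return True
    except ValueError:
        return False


def dotted(octets):
    return ".".join(str(o) for o in octets)


@dataclass(frozen=True)
class ClassfulBlock:
    ip_class: str      # "A", "B" or "C"
    network: str       # network number with zero host bytes, e.g. 192.188.199.0
    first_host: str    # lowest assignable computer address
    last_host: str     # highest assignable computer address
    host_count: int    # number of assignable computer addresses


def classify(text):
    """Work out which class an address belongs to and the block it sits in."""
    octets = parse_ipv4(text)
    for ip_class, (low, high, net_bytes) in CLASS_RANGES.items():
        if low <= octets[0] <= high:
            break
    else:
        raise ValueError(f"{text!r}: first byte {octets[0]} is outside Classes A to C")
    host_bytes = 4 - net_bytes
    network = octets[:net_bytes] + (0,) * host_bytes
    # The all-zeros host part names the network itself and the all-ones host
    # part is reserved, so two of the 2**(8*host_bytes) host numbers are unusable.
    host_count = 2 ** (8 * host_bytes) - 2
    first_host = octets[:net_bytes] + (0,) * (host_bytes - 1) + (1,)
    last_host = octets[:net_bytes] + (255,) * (host_bytes - 1) + (254,)
    return ClassfulBlock(ip_class, dotted(network), dotted(first_host),
                         dotted(last_host), host_count)


def same_block(addr_a, addr_b):
    """True when two addresses fall in the same classful network block."""
    return classify(addr_a).network == classify(addr_b).network


if __name__ == "__main__":
    for sample in ["192.188.199.0", "22.0.0.0", "131.11.0.0", "12.1.1.2", "221.221.23.1"]:
        print(sample, classify(sample))
    for bad in ["322.198.620.8", "914.2.832.1", "10.1.1"]:  # constructed invalid inputs
        print(bad, "valid" if is_valid_ipv4(bad) else "rejected")
```

Running it shows the chapter's numbers fall out of the arithmetic: a Class A block has 16,777,214 assignable addresses, a Class B 65,534, and a Class C 254. The same_block check is the one to run over a workstation list before you hand it to the router; a computer numbered outside the block the ISP gave you will not be reachable from the Net.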
You will get your addresses from an ISP when you sign up for service. You must use the addresses assigned by the ISP. If you change providers, new addresses will be issued, and computers will have to be renumbered.
Back in the olden days of the Net (you know, the 1970s and 1980s), before the explosion of users and ISPs, you could actually apply for and receive your very own address block. Some organizations are still using these addresses today. They are Class A and Class B networks and, in some cases, Class C addresses that start with 192. The number of TCP/IP addresses seemed to be unlimited, so the NIC assigned them freely. Now, however, there is a real crunch for addresses, and they are assigned only after careful review of how they will be utilized. There is currently a plan to unleash the Next Generation IP addressing scheme. This addressing will have to be in addition to, not a replacement of, existing addresses if it is going to be practical. There are no new TCP/IP addresses in use commercially at this writing.
Although individual users or clients don't need to have static IP addresses because they can be shared, Internet hosts must have a permanent address assigned. That address is what tells Internet users where to find the host. Just a few years ago, there were fewer than 10,000 Internet hosts. Now, with every company, organization, and even some individuals gobbling up hosts at a rate of hundreds of thousands per month (see Figure 12.3), the Internet community will breathe a lot easier when a new system is put into place.
Figure 12.3: This timeline illustrates the rapid growth of Internet hosts.
To complete your Internet connectivity, you will need specific router hardware and TCP/IP software. There is a vast array of routers available, including those from Bay Networks, Cisco, Ascend, and 3Com, just some of the major router manufacturers. Basically, all routers perform the same functions, but there are specific features that your ISP may look for or that your WAN circuit will require, such as dial-up ISDN on demand. Make sure you size a router appropriately for your network. If you have 75 users in your LAN and a T-1 to your Internet provider, a Cisco 7000 router is definitely overkill; a Cisco 2500 might be a better choice. If you have a small office with 10 users and want a dial-up LAN service, an Ascend Pipeline 50 would be a good solution.
The TCP/IP software is another important piece. If you will be responsible for the administration of your Internet (TCP/IP) LAN configuration, a good reference book on the nuts and bolts of TCP/IP is essential. O'Reilly publishes TCP/IP, which is generally considered the book on TCP/IP. (It also is referred to as the "crab book" because there is a big crab on the cover. I have no idea why there is a crab on the cover, nor do any of my associates, but we have all read it and agree that it's the best around.)
You will need a router to connect your LAN to the ISP via an ISDN line or some other direct connection. Of course, you can always connect your LAN to an ISP using merely a modem, but your bandwidth is limited to 28.8Kbps. Some ISPs will rent you the equipment you need for the connection. This is a good way to minimize your initial startup costs, and you will not have to worry about configuring the router or maintaining it. The router provides the LAN-to-WAN link. You will, for instance, have your Ethernet LAN connected through the router to a T-1 circuit that goes over to the ISP. This router must be capable of routing the TCP/IP protocol. You will find this feature listed as IP routing in the technical specifications for the router.
There are dozens of routers that will satisfy the connection to the ISP. The biggest name is Cisco, which has been making some of the finest routers for more than a decade. Its affordable 2500 series can provide suitable basic TCP/IP connectivity from a single LAN to an ISP for about $3,000. Cisco also has more flexible routers at the intermediate level: the 3000 and 4000 series, which are modular chassis platforms that allow you to add different LAN interface cards in the same router (such as Token Ring and Ethernet) as well as connect multiple WANs together. If your facility is going to connect to one of your remote offices and to the Internet, you will have two WANs at your facility, and a Cisco 4000 might be a good choice. Cisco also makes the Cadillac (actually the tractor-trailer) of routers with its 7000 series. This router is the kind of system that your ISP (or your ISP's ISP) uses to connect to other ISPs on the Net; you do not need a Cisco 7000 for the scenarios discussed here. You cannot go wrong with a Cisco. Any ISP worth a hill of beans will be familiar with them.
Cisco routers are by no means the only choice for connecting your LAN to the Internet, however; 3Com routers are another option. 3Com has some low-cost routers, such as the 224 and the 227 series, that are roughly the equivalent of the Cisco 2500 series. 3Com also has modular chassis systems, called NetBuilder II, which provide multiple LAN and WAN interfaces. Pricing for these systems is fairly comparable to the Cisco systems.
Ascend is another router manufacturer with a reputation for Internet connectivity. Ascend's claim to fame has been primarily in the dial-up access for ISDN and modem users more so than dedicated LAN connections; however, the Ascend Pipeline 50 is a low-cost (about $1,400) IP and IPX router that can be used with some dedicated ISDN applications and is ideal for dial-up LAN connections to the Internet. Ascend also has a new product, the Pipeline 130, that provides IP and IPX routing over T-1 WANs. This product costs about $2,000, making it a very inexpensive router for T-1 Internet access. However, the Pipeline 130 is new, and no real feedback on its performance is available.
There are other routers that can provide Internet access as well. Bay Networks, Wellfleet, and Proteon are all routers that have been used to provide TCP/IP routing, although they do not have the widespread recognition that the previously mentioned routers have. There are probably still other systems available from companies outside the United States that are just not as well known here. Basically any system that can route TCP/IP can be used for Internet access.
You need TCP/IP software for all the computers that will be accessing the Internet. There are many packages from which to choose. Many LAN operating systems, such as NetWare and Windows NT, have either inherent or add-on TCP/IP support. You can also purchase TCP/IP software packages such as NetManage's Chameleon, FTP Software's PC/TCP, or Wollongong's Pathway IP software. These packages run under Windows and provide TCP/IP applications such as e-mail and Telnet over the LAN. Macintosh computers have software such as MacTCP that provides the TCP/IP-over-LAN functionality. These software packages allow TCP/IP to "talk" over Ethernet, Token Ring, FDDI, or whatever LAN you have. You must be sure that the package you select is designed to run over your particular network, because the workstations are probably already running a protocol such as NetWare's IPX. You will have to set up the network interface (NIC) cards with different frame types to allow your LAN operating system protocols and the TCP/IP protocols to coexist on the same NIC. Refer to your LAN operating system and the NIC card specifications for more detail.
The servers will require somewhat more sophisticated software than the workstations. A server's function is twofold: It must connect to other services on the Internet and allow incoming connections to access files, such as Web pages. The service in TCP/IP that accepts these incoming connections is called a daemon (pronounced demon), or sometimes just the server portion of the TCP/IP software. If you are going to set up a mail server for the Internet, you must have POP (Post Office Protocol) and SMTP (Simple Mail Transfer Protocol) to route incoming and outgoing mail. The same is true for a Web server: you must have the HTTPd (Hypertext Transfer Protocol daemon) running to serve your Web pages to other users.
If you are running a UNIX system as your Internet server, these services are probably part of the operating system and can be configured for your network specifically by editing the parameters of each server application. A UNIX server is the most common platform used on the Internet to offer these services. Sun Microsystems makes a UNIX Internet server called Netra that has all of the Internet services preinstalled; you simply enter the addresses you get from your ISP and information about the users on your LAN for e-mail accounts. If you would rather use another platform for your mail and news, many LAN operating systems such as NetWare or NT now come with Internet server components that you can add to your existing network to provide SMTP and Web services. SMTP, news, POP, Web, and all other TCP/IP-based Internet applications are built on the TCP/IP protocol standard, so any TCP/IP-compliant server software you select will be functional for Internet services. To work on the Internet, you must have a TCP/IP-based server component. Figure 12.4 shows a possible "shopping list."
Figure 12.4: An Internet server software connectivity shopping list.
After you have decided on a provider and chosen the type of service necessary for your network, the provider should be able to assist you in getting the WAN circuit ordered. This should not be a major issue for the provider; if it is, I would have serious reservations regarding the ISP's experience level. The WAN circuit must be connected to the router and configured with the appropriate information to support your LAN and the connection to the ISP. Your computers must be loaded with TCP/IP software and configured with the correct information, such as addresses and domain names. When all this is configured correctly and the WAN is connected to the LAN, you should be able to access the Internet and other Internet users should have access to your site.
This sounds too easy, right? Well, in most cases there is in fact a fair amount of tweaking and fine-tuning to sort out bugs, find the addresses that were entered incorrectly, and troubleshoot the WAN circuit that doesn't seem to work. This is all fairly typical for a job that involves getting so many pieces together. Depending on the provider you choose, you may very well be responsible for a great deal of this headache. Even if the WAN circuit and the router are provided by the ISP, you likely will have to support the LAN yourself.
The provider should issue the addresses you need and give you information on the domain name server for those addresses. A domain name server is the service that advertises your organization's name and addresses to the rest of the Net; your_business.com or your_group.org are examples of domain names. TCP/IP speaks in numbers, which are the addresses we discussed earlier. Domain name servers associate names with numbers so you can browse to www.netscape.com instead of 192.188.199.5. You can register your own domain name through your ISP. This will give you a your_business.com address so your business can have its own Web and e-mail names.
Before you have your WAN circuit installed, your router up and running, and all the servers and workstations set up correctly to access the Internet, you should consider the implications of connecting the network to the rest of the world. Security is a big topic of conversation around the Internet, and with good reason. The TCP/IP protocols and all the associated applications are well studied by thousands of users. Consequently, thousands of people are intimately familiar with how the TCP/IP protocols work and how to manipulate them. Most of these users are honest networking and programming types. A small portion of the Internet population, however, is not so honest, and if this group finds an opportunity to dig around in your network, these users will take it. So let's look at the problem of Internet security.
"Firewall" is the latest buzzword in the networking community. It is almost as worn out as "interactive multimedia." Firewalls are hardware devices like routers that keep the bad guys out of your network. Generally, the actual threat and the appropriate security precautions for networks are largely misunderstood, and so the firewall frenzy abounds. The idea of a firewall is that you can filter out specific addresses or protocols so that they cannot be used to gain access to your network. The firewall can be configured to allow only specific source and destination addresses access to and from your network. Another function prevents an intruder from borrowing an address from your TCP/IP network (called "spoofing") and then using it to gain access to your network servers while looking like a local computer in your network.
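The two filtering functions just described, admitting only specific source and destination addresses and protocols, and refusing packets that arrive from the Internet side while claiming an address inside your own block, are simple to state as an ordered rule list. What follows is an added example written for this chapter, not code from the book or from any router vendor; it simulates a first-match packet filter over a handful of constructed packets. The inside network is the chapter's 192.188.199.0 Class C; the interface names, the Web server at 192.188.199.5, the mail server at 192.188.199.6, the outside address 10.1.2.3, and the rule layout are all assumptions made for the example.

```python
"""First-match address/protocol filter with an anti-spoofing rule (added example)."""
from collections import namedtuple
from ipaddress import ip_address, ip_network, IPv4Network

INSIDE = ip_network("192.188.199.0/24")  # the whole Class C block the ISP assigned
ANY = "any"

Rule = namedtuple("Rule", "action interface protocol source destination comment")
Packet = namedtuple("Packet", "interface protocol source destination")

# Rules are checked top to bottom; the first rule that matches decides.
# "outside" is the WAN side facing the ISP, "inside" the LAN side.
RULES = [
    Rule("deny", "outside", ANY, INSIDE, ANY,
         "anti-spoofing: an inside address never legitimately arrives from the Internet"),
    Rule("allow", "outside", "tcp/80", ANY, ip_address("192.188.199.5"),
         "public Web server (assumed address)"),
    Rule("allow", "outside", "tcp/25", ANY, ip_address("192.188.199.6"),
         "SMTP to the mail server (assumed address)"),
    Rule("allow", "inside", ANY, INSIDE, ANY,
         "inside computers may open connections outward"),
    Rule("deny", ANY, ANY, ANY, ANY, "default: drop everything not listed above"),
]


def matches(pattern, value):
    """ANY matches anything; a network matches addresses inside it; else exact match."""
    if pattern == ANY:
        return True
    if isinstance(pattern, IPv4Network):
        return value in pattern
    return value == pattern


def filter_packet(packet, rules=RULES):
    """Return (action, index of the deciding rule) for one packet."""
    for index, rule in enumerate(rules):
        if (matches(rule.interface, packet.interface)
                and matches(rule.protocol, packet.protocol)
                and matches(rule.source, packet.source)
                and matches(rule.destination, packet.destination)):
            return rule.action, index
    return "deny", -1  # not reachable while a default rule is present


def make_packet(interface, protocol, source, destination):
    return Packet(interface, protocol, ip_address(source), ip_address(destination))


if __name__ == "__main__":
    # Constructed traffic: 10.1.2.3 stands in for some computer out on the Internet.
    samples = [
        make_packet("outside", "tcp/80", "10.1.2.3", "192.188.199.5"),       # Web request
        make_packet("outside", "tcp/25", "10.1.2.3", "192.188.199.6"),       # incoming mail
        make_packet("outside", "tcp/23", "10.1.2.3", "192.188.199.6"),       # Telnet to mail server
        make_packet("outside", "tcp/23", "192.188.199.2", "192.188.199.6"),  # outside packet with an inside source
        make_packet("inside", "tcp/80", "192.188.199.2", "10.1.2.3"),        # user browsing outward
    ]
    for pkt in samples:
        action, idx = filter_packet(pkt)
        print(f"{action:5} rule {idx}: {pkt.source} -> {pkt.destination} "
              f"{pkt.protocol} ({RULES[idx].comment})")
```

The order matters: the anti-spoofing rule sits first so that a packet arriving on the outside interface with an inside source address is dropped before any "allow" rule can admit it, and the final catch-all means anything you forgot to list is refused rather than let through. A filter this simple is stateless, so the replies to your users' outbound connections need their own treatment (a rule for established traffic, or a router that tracks connections); that is one of the details to settle with the ISP before the circuit goes live.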
Numerous important U.S. government-controlled networks have been reachable over the Internet and have never had a firewall router installed. That is because the decision rests on something a good security administrator has to know: the relationship between the sensitivity of the data and the degree of exposure that data is given.
The need to classify and protect data basically comes in two forms: data so important to your organization that its compromise would be disastrous, and data that is perhaps important but whose unauthorized disclosure would not be the end of the world. Within government agencies there are additional levels of classification, but these two categories will suffice for our purposes. The bottom line is this: if the data falls into the really important category, don't put it on the Internet, regardless of what the firewall specs promise.
If you have a Novell server on your LAN that stores customers' credit card numbers, don't load TCP/IP on it and use that server as a Web server. A server that speaks no TCP/IP has no Internet address, so as far as the Internet is concerned it does not exist, and that removes the direct route an attacker would otherwise take; the probability of a break-in drops enormously. An attacker can still compromise a TCP/IP host on the same LAN, attempt to spoof a NetWare address from it, and go after the Novell server from inside, but if you configure your servers and routers carefully you close those openings further and reduce the chance of a successful break-in.
If you contend that the data on your system is of global or life-threatening importance, don't even put the server on the same LAN as the TCP/IP systems. Even then you must maintain the strictest security configurations and procedures. The Internet itself is not the real issue; the integrity of your users and your administrative and security skills are what count.
In many cases, the routers and UNIX servers you purchase, coupled with the security features inherent in a good LAN operating system, will be more than adequate to secure your LAN while still providing reasonable access to authorized users, without a $25,000 firewall that is not a cure-all for security in any case. There are people who will argue this point ad infinitum and tear this argument to shreds; they are probably people who have read a lot of the hype in the trade magazines or who are trying to sell you a firewall.
In fairness to some of the better firewall systems, a few provide encryption, transforming the data you send over the Internet into what looks like a scrambled mess of characters instead of a coherent data stream. At the receiving end, the system decrypts the data so the server and the user can read it. This feature can be had from software packages that cost much less than a firewall router, so protecting your systems comes down to education, awareness of what is already available, and segmenting and classifying your data accordingly.
M&J's connection to the Internet was a difficult decision, the major factor being the lack of connectivity at the Raleigh office. The Philadelphia and Washington, DC offices had been connected by an ISDN line for some time. The question was, should the Raleigh office be connected to the WAN through a direct connection, a dedicated ISDN line for example, or should it connect to the intranet through the Internet? The firm already had determined that it wanted Internet access for all its employees, for the communications and research benefits.
The decision was finally made to connect the LAN in the Raleigh office to Washington by an ISDN line. In turn, the Philadelphia office set up an ISDN line to the Internet. The reason for this was mostly cost. Even though the ISDN connections were moderately expensive, they were a less expensive alternative than connecting both offices to the Internet, mainly because the Philadelphia connection would then need at least a fractional T-1 to handle the incoming traffic from the Raleigh office as well as the outgoing traffic from the other two offices. Security also was a factor in the decision. With this method, M&J could keep the intranet behind its firewall, making it more difficult to break into. With the other alternative, the Web server would have had to be reachable from the Internet.
The SGAA's choice was much easier. The SGAA knew it needed a big pipe to the Internet because all of its users would be connecting via that route. It also needed a fast connection so the staff could comb the Internet for information and resources for members. The SGAA decided on a T-1 because the technology had been proven and because it seemed to provide the right level of connectivity to give its 300 users a fast interface to the SGAA's intranet.
As you have seen in this chapter, the issues surrounding Internet access are many, and some require careful consideration to implement with a minimum of problems while providing all the functionality the Internet has to offer. A merger of Internet, video, voice, LAN, and groupware systems is occurring that is a challenge to providers and consumers alike.
Users are beginning to see the emergence of systems integrators as ISPs. A systems integrator is an organization that provides the engineering expertise to make discrete systems work together. Many customers are finding that they may have one of the finest ISPs available to provide access for their LANs, but if there is a problem getting NetWare and TCP/IP running together, the ISP will say, "Sorry; we don't do windows." Getting a LAN connected to the Internet means a variety of different protocols and services that must come together in just the right way to be functional. Just getting a comprehensive view of the networking capabilities you currently have and what you will need to add to get your LAN on the Internet is a formidable task.
A good systems integrator first provides consultation and insight into your options and then helps you decide on hardware or software appropriate for your environment. Most systems integrators resell equipment and software, but a good one is vendor independent, meaning it will give you information and solutions and recommend systems that fit your needs rather than its product line. There are still only a few systems integrators in the ISP business, but that is changing slowly. It is difficult to find a company with experience in installing many diverse systems and getting them to work together; there must be a very adept core of engineers at its heart. You will know a good systems integrator by its list of projects and clients, many of which should be outside of or unrelated to the Internet business. You want an integrator who has done more than connect people to the Net. Ask for references from the integrator's client list whom you can contact to verify that the integrator is in fact a source for resolving problems and designing solutions for customers.
You certainly do not need a systems integrator to connect your LAN to the Net or even as your ISP, but you may find the additional depth of expertise invaluable. The process of getting your LAN on the Internet is much more involved than establishing a dial-up account. The distinguishing criteria in finding a good provider should be networking experience and service reputation, more so than cost. If you are looking for reliable service for your organization and support for your LAN systems, expect to pay a little more for it. As with many purchases, you can almost always eliminate the highest and lowest bids and find a good provider (maybe even a systems integrator) somewhere in the middle.
The diversity of phone company services and new products available can be overwhelming, and having the knowledge base of a competent consultant can save you money and time. There are many kinds of services and products that may be appropriate for your network, especially if you are integrating dial-in access to your LAN for telecommuters or linking several LANs and providing Internet connectivity at the same time. Often these capabilities can be combined and delivered with a single system instead of two or three different systems. A systems integrator will know how to get the most out of networking systems to help you meet your objectives.
This chapter discussed the issues involved in connecting your WAN or LAN to the Internet. We talked about the different types of connections and the equipment you need to create the connection. However, by far the most important decision you will make in this area is the people or companies you will get to assist you. Whether it is an ISP, a systems integrator, or both, you will need some help getting on the Internet. Your decision as to who will get you there probably will make your experience either very simple or incredibly frustrating and time-consuming. In my experience, the best intranet investment you can make is in a competent consultant who can help get your company connected.