More than likely, you have one of the following four types of Internet access (the rest of this hour refers to them as methods 1 through 4):
Figure 19.1 Method 1: A workstation dialing up to a typical Internet service provider.
Figure 19.2 Method 2: A firewall or proxy server located on your network that's connected to the ISP.
Figure 19.3 Method 3: A router connecting a network directly to an ISP, and therefore directly to the Internet (this method is becoming rare because of security concerns).
Figure 19.4 Method 4: A typical demilitarized zone (DMZ) setup, which allows permissive access to public-access servers.
It's important to identify what type of connection you have. How do you find out? Well, method 1 is pretty easy: if you use Windows dialup networking to connect to the Internet, you usually hear a modem dial and you see the dialup networking dialog box before you connect (see Figure 19.5). A dialup connection makes you a connection unto yourself, and you're actually classified as a method 3 (a direct connection to your ISP with no firewall). In other words, unless your workstation acts as a router (Windows 95 cannot, and Windows NT must be configured to do so), nobody else on your network can avail themselves of your Internet connection. (If you do decide to use NT as a cheap router to your ISP, remember that your connection is classified as method 3: you do not have a firewall protecting your network. Beware!)
Figure 19.5 The dialup networking dialog box.
In general, the first steps for troubleshooting this method of Internet connectivity are pretty easy: you either make the connection or you don't! In most cases, being down is due to the ISP's equipment or the telephone company. (Having problems after you connect? See "Here I Ping Again," later in this chapter.)
In contrast, if you use methods 2 through 4, you don't usually do anything more than log in to your workstation; the local area network is used as the on-ramp.
Method 2 is one of the more common configurations, particularly if your ISP hosts your Web pages (that is, it runs a server that your Web pages live on, so you don't need to run your own Web server). This is a particularly easy way to do things for a small-to-medium-sized shop; you only need a wide-area connection (dialup or leased) from the firewall or proxy to your ISP.
Method 3 is somewhat unusual. It implies either that the user doesn't care about security (possible, I suppose) or that security is taken care of in the ISP's shop. Although there are still some folks in the United States who don't lock their doors, their numbers are dwindling; so, too, are those who don't have their own firewall.
Method 4 tends to be the norm for most larger shops. What does the presence of an intermediate network, or demilitarized zone (DMZ), mean? Machines that don't have to be locked down as tightly as the production network can be placed on the outside network and made available to outside Internet users. The fact that they're in front of the firewall or on the side of the firewall means that they're treated separately from the production network.
If a public machine is on the side of the firewall (point B in Figure 19.4), it means that you need outside users to reach the server, but you also want those users to be restricted in some way. Instead of having to harden many servers individually, you just configure the firewall to allow only certain traffic. For example, you might allow FTP sessions from the outside world to reach the FTP server at point B but deny everything else inbound from the outside.
When a server is in front of the firewall, it means that the firewall is not protecting the server at all; the server has to fend for itself and must be hardened accordingly. Sometimes this is done because the firewall would impede the function of the server. For example, because a proxy server requires a proxy client, it would be impractical to put machines meant for public access in a side DMZ behind a proxy. In that case, a front DMZ means that Internet traffic can reach the public-access machines without being hindered by the proxy server.
An outside DMZ is cool, because you can walk up to the hub that it's on and monitor your traffic, and check or use intrusion detection software to see whether unwanted folks are probing your network. More importantly for our purposes, you can hook a network analyzer or a regular old Windows 95 laptop to it and troubleshoot unhindered by possible firewall restrictions (refer to point A in Figure 19.4).
Even if you have a proxy server that will not pass ping packets, traceroutes, or DNS lookups, you can plug into your DMZ segment and troubleshoot your little heart out, because you're bypassing the firewall. Remember that while it's plugged in there, the laptop is just as exposed to the Internet as the DMZ servers are, so don't leave it on that segment longer than you need to.
Once you've identified your firewall type, it's really important, before trouble strikes, to try the troubleshooting techniques presented in this hour so that you know what works and what doesn't work during a normal period.
If you don't figure out what's normal for your shop, how will you know when it's broken? In other words, if you have a proxy server that doesn't allow ping, you're never going to be able to ping, so attempting to ping during an outage will gain you no knowledge. However, if you know that ping typically does work through your firewall, then during an outage, if you're not able to ping through your firewall, you might suspect that either the firewall is down or the link (Ethernet or leased line) to your provider's router is down. You can then investigate appropriately.
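The baselining advice above, as an added example rather than code from the book: a small Python script that records which probes normally succeed through your firewall or proxy, then during an outage re-runs them and names the first hop, from the workstation outward, that stopped answering. Probes that never worked in the baseline (say, ping blocked by the proxy) are ignored, for exactly the reason given above. The addresses and host names in it are hypothetical placeholders; substitute your own.

```python
"""Baseline-and-compare reachability probe (added example, not from the book).

Usage:  python probe.py baseline   # run on a normal day, writes baseline.json
        python probe.py            # run during an outage, compares and diagnoses
"""
import json
import platform
import socket
import subprocess
import sys
from typing import Dict, List, Optional, Tuple

# Hops from the workstation outward.  Hypothetical addresses: substitute your own.
# Order matters: the first hop that stops answering localizes the fault.
PATH: List[Tuple[str, str]] = [
    ("lan_gateway", "192.168.1.1"),       # inside interface of your firewall/router
    ("firewall_outside", "203.0.113.2"),  # firewall's ISP-facing interface
    ("isp_router", "203.0.113.1"),        # far end of the Ethernet or leased line
    ("internet_host", "198.51.100.10"),   # some public host you normally reach
]

# What a failure at each hop usually points to, given that the hops before it answered.
HINTS: Dict[str, str] = {
    "lan_gateway": "workstation NIC, cable, hub or the LAN segment itself",
    "firewall_outside": "firewall down, or its outside interface",
    "isp_router": "the Ethernet or leased line to the provider's router",
    "internet_host": "beyond the provider's router; call the ISP",
}

# Application-level probes, checked only once every ping hop has answered.
APP_CHECKS = ["dns:www.example.com", "tcp:internet_host:80"]


def ping(host: str, timeout_s: int = 2) -> bool:
    """One ICMP echo via the OS ping command (needs no raw-socket privilege)."""
    count_flag = "-n" if platform.system() == "Windows" else "-c"
    try:
        proc = subprocess.run(["ping", count_flag, "1", host],
                              capture_output=True, timeout=timeout_s + 3)
        return proc.returncode == 0
    except (subprocess.TimeoutExpired, FileNotFoundError):
        return False


def tcp_connect(host: str, port: int, timeout_s: float = 2.0) -> bool:
    """TCP handshake to host:port; useful when a proxy blocks ping but passes the service."""
    try:
        with socket.create_connection((host, port), timeout=timeout_s):
            return True
    except OSError:
        return False


def dns_lookup(name: str) -> bool:
    """True if the resolver answers for name (any address will do)."""
    try:
        socket.gethostbyname(name)
        return True
    except OSError:
        return False


def run_checks() -> Dict[str, bool]:
    """Run every probe once and return {check_name: succeeded}."""
    results = {"ping:" + label: ping(host) for label, host in PATH}
    results["dns:www.example.com"] = dns_lookup("www.example.com")
    results["tcp:internet_host:80"] = tcp_connect(PATH[-1][1], 80)
    return results


def diagnose(baseline: Dict[str, bool], current: Dict[str, bool]) -> Tuple[Optional[str], str]:
    """Return (first check that regressed against the baseline, hint).

    A check that already failed in the baseline is skipped: its failing again
    during an outage tells you nothing about where the outage is.
    """
    for label, _host in PATH:
        key = "ping:" + label
        if not baseline.get(key, False):
            continue                      # never worked here; no information
        if not current.get(key, False):
            return key, HINTS[label]
    for key in APP_CHECKS:
        if baseline.get(key, False) and not current.get(key, False):
            return key, ("every hop still answers ping; suspect the service, "
                         "DNS or the proxy rather than the link")
    return None, "no regression against the baseline"


if __name__ == "__main__":
    current = run_checks()
    if len(sys.argv) > 1 and sys.argv[1] == "baseline":
        with open("baseline.json", "w") as f:
            json.dump(current, f, indent=2)
        print("baseline saved:", current)
    else:
        with open("baseline.json") as f:
            baseline = json.load(f)
        print(diagnose(baseline, current))
```

Take the baseline from the same workstation and the same network segment you will troubleshoot from; a baseline recorded from the DMZ hub (point A in Figure 19.4) is not valid for a machine behind the proxy, because the set of probes that "normally work" differs between the two.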