ICAS5192A/03 Install and configure gateway products and ...



Install and configure gateway products and equipment

Overview


You should already know about confirming client requirements and network equipment and reviewing security issues. This resource will help you to install and configure gateway products and equipment within an information technology environment.

In this topic you will learn how to:

• identify and select installation and configuration options

• install and configure gateway products as required by technical guidelines

• plan and execute tests with reference to client requirements and network impact

• analyse error reports and make changes as required.

This topic contains:

• reading notes

• activities

• references

• topic quiz.

As you work through the reading notes you will be directed to activities that will help you practise what you are learning. The topic also includes references to aid further learning and a topic quiz to check your understanding.


Reading notes


Identify configuration options

You will have a range of configuration options to choose from depending on the Internet gateway solution your client has decided on. Each option must be selected to satisfy the client's requirements. Some options only become apparent as the installation progresses, so they must be documented during the installation rather than afterwards. Where possible, screen captures of the configuration utilities make the documentation clearer and give you a record to check against later.

We’ll look at a few Internet gateway solutions here and their options. The solutions covered are

• Windows and Internet connection sharing (ICS)

• residential gateway devices

• Linux gateways

• appliances from Cisco and Symantec.

We will start with a discussion of the importance of anti-virus and anti-malware products to the overall solution.

Anti-virus and anti-malware

All computer systems on the local network (including an ICS host system) must also have anti-virus and anti-malware software installed and active to maintain the maximum possible security level. Some suitable products include

• AVG anti-virus: GriSoft

• F-Prot anti-virus: Frisk – Software International

• Adaware anti-malware: Lavasoft

• Spybot – Search and destroy – anti-malware: Spybot

There are of course many more products. Your client may have current products in use, or you can suggest others from your experience.

Note: Remember that a "free" product may only be free for private use. Sometimes these products can also be used for educational and non-commercial purposes. You must check the licensing of any product to ensure that the licence terms are not breached when it is used in a client's solution.

Internet connection sharing

ICS is the facility Microsoft Windows workstations use to let more than one computer connect to the Internet over a single Internet link. It has been included in the Windows product range since Windows 98 SE (second edition) and so is available in the following Microsoft operating systems:

• Windows 98 SE

• Windows ME (Millennium edition)

• Windows 2000 Professional and Server

• Windows XP Home and Professional

• Windows 2003 Server family.

ICS basically uses one computer workstation as the Internet connection provider for a home or small business network. This computer is still fully functional as a workstation. The ICS system provides network address translation (NAT) for the other workstations on the network.

The ICS host computer needs to be able to access the Internet through either a dial-up or broadband connection and have a network connection to the local network of computers. A dial-up connection can be through an RS-232 serial or a universal serial bus (USB) port with either an analogue or ISDN modem. A broadband connection may be through either a USB or a network port. In the case of a network connection, two network cards are preferred in the ICS host system.

For best security in the ICS solution, a firewall program should be installed and enabled on the ICS host computer, as it is the one that directly presents itself to the Internet. The Windows Internet Connection Firewall or the Windows Firewall of Windows XP with Service Pack 2 or Windows 2003 Server family is sufficient. Take a look at the following for more information:

• Microsoft Windows Internet Connection Firewall

• Microsoft Windows Firewall

Some people prefer to use a separate firewall product such as the offerings from the following sources:

• Zone Labs Zone Alarm

• GriSoft AVG Firewall

• Symantec Norton Personal Firewall

Note: If the ICS host operating system is Windows 98 SE, Windows ME or Windows 2000, then a separate software firewall is required since Microsoft does not provide a firewall for these operating systems.

Installing and activating the ICS drivers and protocols on the ICS host assigns the LAN network card the private IP address 192.168.0.1. This is a requirement of ICS: if the address is changed to suit an existing network, ICS is deactivated. Some older networking equipment used 192.168.0.1 as its default address, so conflicts may occur and such equipment will need its IP address changed.

To access the Internet through ICS, the other computers and devices on the local network use IP addresses in the range 192.168.0.2 to 192.168.0.254 with a network mask of 255.255.255.0. They set their default gateway to the ICS host (192.168.0.1) and either set their DNS servers manually to match the ICS host's settings or point DNS at 192.168.0.1, since the ICS host also acts as a DNS proxy. These settings may alternatively be handed out to workstations by a Dynamic Host Configuration Protocol (DHCP) server on the network; ICS itself includes a small DHCP allocator that does this for the 192.168.0.x range.

In order to determine these DNS addresses on the ICS host

• connect to the Internet

• start a command prompt:

o Start, Run

o type cmd into the Open dialog (or command on Windows 98 SE and ME)

o click on OK

• in the command prompt window, type ipconfig /all

• towards the bottom of the listing you should be able to find a line with DNS servers and an IP address similar to the following:

Figure 1: Partial output from the ipconfig /all command showing the DNS Servers line with the ISP's DNS server IP address

The DNS server IP address listed should be used for the other workstations in the local network. Note that there may be more than one DNS server. If the ISP ever changes addresses for these servers, then all workstations need to be updated to reflect the change, possibly via the DHCP server. See Figure 1.

Note: Windows server products also include the Routing and Remote Access service (RRAS). This is the preferred alternative to ICS when a business needs multiple connections to remote sites, not just to the Internet. RRAS provides NAT, static routes, multiple simultaneous connections and dial-in connections.

Routing and Remote Access also allows the server's LAN IP address to be set to any address that matches an existing network's configuration, which ICS does not.

ICS and Routing and Remote Access cannot be enabled together on the same server.

Figure 2: A home or small business LAN utilising Windows Internet connection sharing as the Internet gateway. Three workstations connect through a hub to the ICS host; all LAN IP addresses are in the 192.168.0.x network, all workstations have the same DNS information, and all non-ICS workstations use the default gateway 192.168.0.1, which is the mandatory setting for ICS.

Activity 1

To practise, complete Activity 1 – Research ICS, in the Activities section of the Topic menu.

Residential gateway devices

Most residential gateway devices are made specifically for broadband. Some have a built-in ADSL modem, while others need a separate ADSL modem or router with an Ethernet port in order to reach the Internet. In the latter case the ADSL device should be left as close to unconfigured as possible (in practice, bridge mode) so that the residential gateway provides the NAT, firewall and other services. If both devices are configured to filter traffic, both must be kept up to date and you must understand which rules are applied where.

The built-in facilities of these devices differ between manufacturers. All tend to provide NAT and port forwarding; some add basic firewall rules, parental-control URL blocking, stateful packet inspection (SPI), virtual private networking (VPN) and voice over IP (VoIP). SPI tracks the state of each connection so that only replies to traffic the LAN initiated are admitted from the Internet; it is a packet-level mechanism, not application-level filtering, so it does not inspect the content of the sessions it allows.

Note: These devices sit at the final hop onto the Internet link and so only need a throughput equal to the maximum Internet connection speed, which for the home market is generally between 1.5 megabits per second (Mbps) and 24 Mbps.

Don’t misinterpret the throughput of an integrated switch (or hub) as the throughput measurement. These devices are NOT meant for the high-speed interconnection of LANs to segregate networks within an enterprise or large organisation.

Some routers can be used as residential gateways as well. In particular, a few of these routers have a serial port that allows a dial-up connection to be used as a backup if the broadband link fails. These devices are also useful in areas without broadband access, such as country and rural areas, since the serial dial-up device may be used as the default Internet connection. Devices with this capability include

• D-Link DI-804HV VPN Router

• NetGear ProSafe VPN Firewall FVS328

• Open Networks Open524R

Residential gateways generally come with a web interface to allow configuration. The web interface often defaults to an IP address of 192.168.1.254, and you will need to adjust a computer on the network to be able to use an address on the same network (192.168.1.1 to 192.168.1.253) in order to access the web interface.

If you decide to modify the LAN IP address of the device, then you will need to use this new IP address in your browser to administer the device in future.

A common factory-default username and password is admin and admin, and every vendor's defaults are widely known, so an unchanged password gives anyone who can reach the web interface full control of the gateway. It is in your client's and your own best interest to change it to a strong password during installation. Also check whether the device allows administration from the Internet (WAN) side and disable it unless the client has a specific need for it; the web interface should be reachable only from the LAN.

Devices from the same manufacturer tend to have similar interfaces and use similar terminology. The interface and terminology used varies widely from one manufacturer to another.

Figure 3: A home or small business LAN utilising a residential gateway device as the Internet gateway. All LAN IP addresses are in the 192.168.1.x network; all workstations have the same DNS information and the same default gateway of 192.168.1.254, which is a common factory setting for residential gateway devices.

The residential gateway shown in Figure 3 has a common, factory-default LAN IP address of 192.168.1.254. If the residential gateway is configured to provide DHCP services, the LAN IP addresses, DNS and default gateway addresses may be provided dynamically to the workstations. Alternatively, these settings may be set manually with all the LAN IP addresses in the 192.168.1.x network range, with all workstations having the same DNS information and the same default gateway being the residential gateway’s 192.168.1.254 IP address.

Activity 2

To practise working with different terminologies used by different manufacturers, complete Activity 2 – Terminology used to set configuration of devices, in the Activities section of the Topic menu.

Linux gateways

Linux has been presented as an alternative to replace many previous systems with basically free software. Linux has the reputation of being more stable, secure and less prone to malicious attack. With the inclusion of two network cards in a system for broadband, or a dial-up device and network card for dial-up Internet access, a Linux system can become an Internet gateway.

It is possible to use a standard Linux distribution as an Internet gateway. The packet filtering and NAT features required are built into the Linux kernel and are controlled by command-line tools, most recently iptables. While this works, it is not desirable for a hand-built system: every change to the firewall must be entered manually into the start-up configuration and must be free of typing errors. Configuring a basic safe system takes in the order of 100 to 200 commands, each of which needs to be correct and verified to be working.
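To make the iptables commands referred to above concrete, and to show what the NAT, port-forwarding and stateful-inspection features listed for residential gateways look like when written by hand, here is a minimal gateway ruleset as an added example. It is not part of this resource or of any of the products named in it. The interface names (eth0 to the Internet, eth1 to the LAN), the LAN subnet 192.168.1.0/24 and the choice of SSH (22) and a web console (443) as the gateway's own administration ports are assumptions; adjust them to the client's network. Setting IPT and SYSCTL to echo prints the commands instead of applying them, which is how the ruleset can be reviewed before it is installed on a live box.

```shell
#!/bin/sh
# Added example (not from the original resource): a minimal Linux Internet
# gateway ruleset built from iptables commands. Assumptions: eth0 faces the
# Internet, eth1 faces the LAN, the LAN is 192.168.1.0/24, and the gateway's
# own admin services (SSH on 22, web console on 443) must be LAN-only.
# IPT and SYSCTL default to the real tools; set both to "echo" for a dry run.
IPT="${IPT:-iptables}"
SYSCTL="${SYSCTL:-sysctl}"
WAN_IF="${WAN_IF:-eth0}"
LAN_IF="${LAN_IF:-eth1}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"

flush_rules() {
    # Start from a clean slate so re-running the script gives the same result.
    "$IPT" -F
    "$IPT" -t nat -F
    "$IPT" -X
}

set_default_policies() {
    # Deny by default: only traffic explicitly accepted below gets through.
    "$IPT" -P INPUT DROP
    "$IPT" -P FORWARD DROP
    "$IPT" -P OUTPUT ACCEPT
}

gateway_rules() {
    # The gateway itself: loopback, and replies to connections it started.
    "$IPT" -A INPUT -i lo -j ACCEPT
    "$IPT" -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Anti-spoofing: a packet with a LAN source address never legitimately
    # arrives on the WAN side, whether addressed to the gateway or forwarded.
    "$IPT" -A INPUT -i "$WAN_IF" -s "$LAN_NET" -j DROP
    "$IPT" -A FORWARD -i "$WAN_IF" -s "$LAN_NET" -j DROP
    # Administration from the LAN only; no rule accepts these ports on WAN_IF.
    "$IPT" -A INPUT -i "$LAN_IF" -s "$LAN_NET" -p tcp --dport 22 -j ACCEPT
    "$IPT" -A INPUT -i "$LAN_IF" -s "$LAN_NET" -p tcp --dport 443 -j ACCEPT
    # DNS and DHCP requests from LAN hosts, if the gateway provides those
    # services (DHCP discovery comes from 0.0.0.0, so no source match on 67).
    "$IPT" -A INPUT -i "$LAN_IF" -s "$LAN_NET" -p udp --dport 53 -j ACCEPT
    "$IPT" -A INPUT -i "$LAN_IF" -p udp --dport 67 -j ACCEPT
    # Stateful forwarding: LAN hosts open connections outward; from the
    # Internet only packets belonging to those connections are let back in.
    "$IPT" -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -j ACCEPT
    "$IPT" -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT
    # NAT: rewrite the LAN source address to the WAN address on the way out.
    "$IPT" -t nat -A POSTROUTING -o "$WAN_IF" -s "$LAN_NET" -j MASQUERADE
}

# forward_port PROTO PORT LAN_HOST: expose one LAN service to the Internet.
# The DNAT rewrites the destination; a matching FORWARD rule is still needed
# because the FORWARD policy is DROP and the connection is NEW, not a reply.
forward_port() {
    proto="$1"; port="$2"; host="$3"
    "$IPT" -t nat -A PREROUTING -i "$WAN_IF" -p "$proto" --dport "$port" \
        -j DNAT --to-destination "$host:$port"
    "$IPT" -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -p "$proto" -d "$host" \
        --dport "$port" -m state --state NEW -j ACCEPT
}

enable_forwarding() {
    # The kernel must route between the two cards, or the NAT rules are never hit.
    "$SYSCTL" -w net.ipv4.ip_forward=1
}

apply_gateway() {
    flush_rules
    set_default_policies
    gateway_rules
    enable_forwarding
}

# "sh gateway.sh dry-run" prints the commands; "sh gateway.sh apply" (as root)
# installs them. With no argument the functions are only defined.
case "${1:-}" in
    dry-run) IPT=echo; SYSCTL=echo; apply_gateway ;;
    apply)   apply_gateway ;;
esac
```

Two points a reviewer should check in the dry-run output: that nothing accepts the administration ports on the WAN interface, and that the only rule admitting Internet-originated traffic into the LAN is the ESTABLISHED,RELATED match (plus any port forward deliberately added with forward_port). Those two properties are what the residential gateway's SPI and "remote administration" settings control behind their web interface.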

The preferred configuration method is to use a graphical user interface (GUI) front end or a web interface remote console similar to that of a residential gateway device. These applications will construct and save the required commands and will often have a basic configuration set to ensure a reasonably safe default configuration. Such configuration tools generally provide more thorough and less error-prone firewall configurations than manually applying commands.

Searching for Linux firewall configuration GUI in a search engine to find this type of software may produce the following links:

• SimonZone Guarddog: free firewall configuration utility with a full default safe configuration. Designed for the KDE (K Desktop Environment). Also check out the other software available here to help configure an Internet gateway and server, such as Guidedog, Guidance and Watchdog (version 2.4.0 updated 17 December 2004).

• FS-Security Firestarter: free, open-source firewall configuration utility with a full default safe configuration. Requires Gnome to be installed but also works under KDE (version 1.0.3 updated 28 January 2005).

• Webmin: a free, open-source browser-based configuration utility that can configure just about anything on Linux systems remotely. This includes the Linux firewall and the Shorewall firewall. Everything starts at the default or currently installed options, so for the initial setup of a firewall there is a lot of work to do to ensure a safe configuration, but the commands are created and saved, which avoids typing errors creating an insecure configuration (version 1.270 updated 5 April 2006).

Note: If you searched for just Linux firewall, you will also get pages that use the ipchains command or even the ipfwadm command. These are old commands used with pre-2.4.0 Linux kernels, so while the topics of discussion on these pages are often relevant, the actual commands are not.

For a home or small business network, an old computer with two network cards may have sufficient capacity to become an Internet gateway. A complete Linux firewall distribution can fit on a CD-ROM or even a floppy disk, such as

• Vortech Consulting Coyote Linux: a free floppy disk-based personal firewall. It fits onto one floppy disk and runs without a hard drive in the machine. The firewall can be administered through a web interface using any browser. The initial configuration requires either a functioning Linux or Windows system (version 2.24 updated 5 May 2005). The floppy version is no longer under development but is still available for download and use without support. It has been replaced by a small hard drive installation version (3.x), which is still free for personal and educational use (version 3.00.47 updated 14 April 2006).

• Linux Embedded Appliance Firewall (LEAF): a free, open-source project with a very versatile router/firewall Linux distribution. Unfortunately, the initial setup is difficult. The project bears watching for enhancements to simplify the installation process and update the documentation (version 2.4.1 updated 23 April 2006).

• FREESCO: a free, open-source floppy disk-based router with advanced firewall capabilities. It fits onto one floppy disk and runs without a hard drive in the machine. Installation to a small hard drive is also possible. It can also run from a CD, but configuration changes then require writing a new CD each time. See the How-to list to add extra functionality to the base system. The drawback is that there is no GUI to configure the installation (version 0.3.5 updated 1 April 2006).

There are many dedicated gateway products available commercially that use Linux as the foundation operating system. These include

• Point Clark Networks' ClarkConnect: ClarkConnect provides a free-to-home-user version and charges a fee for update services on two commercial versions. The products are open source, so you can update them independently.

• Vortech Consulting Wolverine Linux: a fully-featured firewall installed from a CD to a dedicated PC system. The firewall can be administered through a web interface using any browser. The initial configuration from the CD takes only a few minutes to a small hard drive (...