Internet Connectivity Introduction

Started by ganeshbala, Apr 07, 2008, 07:55 PM


ganeshbala

Internet Connectivity Introduction

In most organizations and networks today, Internet connectivity is no longer an additional option, but a necessity. Most organizations that have a networking environment need to provide their employees or users with some form of connectivity to the Internet.

E-mail and Web sites have evolved into being important mechanisms for a vast number of organizations. Internet connectivity or connections support a company's business in a number of ways. Company employees use the Internet for a number of reasons, including the following:

* Exchange e-mail with other employees at different branch offices, and with business partners and suppliers.
* Access the LAN when working from home.
* Find valuable information, or conduct research using the Web.
* Mobile users utilize the Internet to remotely access the LAN.
* The Internet also provides the means for other organizations to connect to the company to perform business transactions.

Understanding Routed Connections to the Internet

A routed connection to the Internet utilizes a routing device or router to pass traffic between the private network and the public network or Internet. A router essentially routes traffic to the Internet, and from the Internet.

Using routers to route traffic between the private network and Internet has the following features and characteristics:

* Enables full Internet access for all computers located on the private network.
* Enables all computers on the private network to access the Internet to provide services such as Domain Name System (DNS) to the Internet.

The different types of routers are:

* Hardware routers: These are dedicated routing devices whose sole purpose is to provide a routing capability for the organization. Hardware routers are ideal for providing Internet connections for the organization.
* Software routers: Software routers run as a service on a computer residing within the network. The requirements for a computer to run as a software router are:
  o A connection to the internal private network or LAN.
  o A connection to the public network or Internet.

  The Routing and Remote Access Service (RRAS) of Windows Server 2003 can be used to enable a computer to run as a software router. The computer running as a software router with the necessary connections is called a multi-homed network computer.

Before computers located on the LAN can use a routed connection to connect to the Internet, the following events have to occur:

* Obtain valid IP addresses from an Internet Service Provider (ISP). These addresses are in turn obtained from and managed by an approved authority.
* Assign these valid IP addresses to computers residing in the private network using either of the following methods:
  o Manually configure the necessary computers with IP addresses.
  o Use the Dynamic Host Configuration Protocol (DHCP) service to do this. Here, you will need to configure the IP addresses on the DHCP server which the DHCP server can then assign to DHCP clients.

A few advantages of using routed connections to connect the LAN to the Internet are summarized below:

* Setting up routed connections is easy because you typically only need a simple hardware implementation.
* Routed connections provide full Internet connections for all computers residing within the private network.
* Because the routers provide the Internet connections, these connections are maintained and upheld even when the other network servers are unavailable.
* All multimedia applications usually work with a routed connection. This is not always the case with translated connections to the Internet.
* Because a computer has a dedicated IP address for the Internet, it can be used for providing services such as Domain Name System (DNS) to the Internet.

The main disadvantages of using routed connections to connect the LAN to the Internet are listed here:

* A different IP address is needed for each computer within the private network that needs to access the Internet.
* Computers within the LAN can be accessed from the Internet, and from anywhere. This could lead to a number of security issues.

Understanding Translated Connections to the Internet

A translation service can be used to translate private internal network traffic to public traffic which can be routed on the Internet. When you use translation services, all computers on the LAN can connect to the Internet through a single public IP address. Also, the private network is not directly accessible by Internet users as is the case with routed connections.

The Network Address Translation (NAT) translation service can be used to translate internal addresses to public addresses which can be routed on the Internet.

The computer performing the role of the NAT server has the following requirements:

* One network adapter card configured with the internal private IP addresses connecting the internal private client computers.
* One network adapter configured with the public IP address which connects to the Internet.

Windows supports two implementations of the NAT service:

* Routing and Remote Access (RRAS): a full NAT implementation through Routing and Remote Access is the recommended approach. This NAT implementation offers all the NAT features. With NAT, all outgoing packets are forwarded to the NAT server. At the NAT server, the source address of these outgoing packets is modified, and the packets are then forwarded to the Internet. All incoming packets are transmitted to the NAT server. At the NAT server, the addresses of the packets are changed to internal IP addresses, and are then returned to the source which sent the packet. The information contained in the NAT Session Mapping table enables NAT to return responses to the correct client computer. NAT includes the Basic Firewall feature that only allows response traffic to be forwarded to the private network. With a full NAT implementation, the NAT server can be configured with any private IP address as its internal address. You can use multiple interfaces. The shared external interface can be configured with a single public address or with multiple public addresses. You can also disable the DNS proxy and DHCP server features if you have a DNS server and DHCP server configured within your environment. NAT is installed through the Routing And Remote Access console.

  The full NAT implementation is supported by:
  o Windows 2000 Server
  o Windows Server 2003
* Internet Connection Sharing (ICS): should be used for very small networks only. ICS can be considered a simplified basic version of NAT. Internet Connection Sharing (ICS) is a service integrated with Windows that provides Internet connectivity to hosts using an interface. ICS provides a single public IP address to connect to the Internet, a fixed address range for hosts, a DNS proxy for name resolution, and automatic IP addressing. ICS is also easy to configure. You can use ICS to connect the whole network to the Internet. Private IP addresses are hidden from the public network. Public external addresses are used over the public network. ICS includes the Internet Connection Firewall service for securing the internal private network. One of the main features of using ICS is that it is preconfigured. ICS automatically configures the internal address of the computer hosting the shared connection as 192.168.0.1. Internal clients are assigned addresses in the 192.168.0.0/24 address range. Internal clients exist on the identical physical subnet. All internal clients point to the ICS computer for DNS resolution. The shared external interface has a single public address. You can install ICS using Network And Dial-Up Connections.

  ICS is supported by:
  o Windows 98 Second Edition
  o Windows Me
  o Windows XP
  o Windows 2000 Professional

Using Virtual Private Networks (VPNs) for Internet Connectivity

Virtual private networks (VPNs) enable users to connect to a remote private network through the Internet. With a VPN, data is first encrypted and encapsulated before it is sent to the remote VPN server. When the VPN server obtains the data, it decrypts the packet so that it can be interpreted. VPNs are usually implemented to provide connectivity between two or multiple private networks or LANs, and to enable remote access users to connect to and access the network. Many companies supply their own VPN connections via the Internet. Through their ISPs, remote users running VPN client software are assured private access in a publicly shared environment. By using analog, ISDN, DSL, cable technology, dial and mobile IP, VPNs are implemented over extensive shared infrastructures. E-mail, database and office applications use these secure remote VPN connections.

A VPN gateway, also called a VPN router, is a connection point that connects two LANs which are connected by a nonsecure network such as the Internet. A VPN gateway connects to either a single VPN gateway, or to multiple VPN gateways to extend the LAN.

Tunneling is the terminology used to describe a method of using an internetwork infrastructure to transfer a payload. Tunneling is also known as the encapsulation and transmission of VPN data, or packets. The tunnel is the logical path or connection that encapsulated packets travel through the transit internetwork. The tunneling protocol encrypts the original frame so that its content cannot be interpreted. The encapsulation of VPN data traffic is known as tunneling.

With Internet-based VPNs, the remote client connects to the Internet and then utilizes VPN client software to establish a connection with the VPN server. All communications between the client and VPN server are encrypted and encapsulated into packets before being transmitted over the public Internet.

Windows Server 2003 has a VPN component included with Routing and Remote Access service (RRAS) of Windows Server 2003 that enables you to configure a Windows Server 2003 computer as a VPN server. You can use the VPN server to enable clients to remotely access the network. Because remote clients typically already have Internet connectivity, you can set up the VPN server to allow the Internet connections from these clients.

In addition to configuring an Internet-based VPN, you can also configure router-to-router VPNs if you want to connect two physically separated LANs. Router-to-router VPNs are also typically called demand-dial connections. This is due to the connection only being established when traffic needs to pass between the LANs. For a router-to-router VPN configuration to work, an Internet connection is needed for each separated LAN. Traffic is then encapsulated on the Internet to create the virtual connection between the two LAN locations.

Using demand-dial connections for small remote sites that only require intermittent VPN connectivity is ideal. Here, you can configure a demand-dial VPN with one-way initiation or with two-way initiation:

* One-way initiation; the client of one VPN server initiates the connection and the other VPN server is configured to accept the connection.
* Two-way initiation; clients of both VPN servers can initiate the connection and each VPN server is configured to accept the connection.

An alternative to using demand-dial connections is the utilization of a persistent connection to the Internet. Dedicated leased lines are classed as being persistent connections. This means that the connections are permanent connections, and remain open all the time. A VPN server set up to use persistent Internet connections can make the connection available to VPN clients.

A VPN tunneling protocol is required to create a VPN. The VPN tunneling protocol provides the tunnel which will be used to send private data as encrypted data over the Internet. The VPN tunneling protocols used to encapsulate data and manage VPN tunnels are:

* Point-to-Point Tunneling Protocol (PPTP): PPTP, an extension of Point-to-Point Protocol (PPP), encapsulates PPP frames into IP datagrams to transmit data over an IP internetwork. Windows Server 2003 includes PPTP version 2. To create and manage the tunnel, PPTP utilizes a TCP connection. A modified version of Generic Route Encapsulation (GRE) deals with data transfer by encapsulating PPP frames for tunneled data. The encapsulated tunnel data can be encrypted and/or compressed. However, PPTP encryption can only be utilized when the authentication protocol is EAP-TLS or MS-CHAP. This is due to PPTP using MPPE to encrypt VPN data in a PPTP VPN, and MPPE needing EAP-TLS or MS-CHAP generated encryption keys. With the Windows Server 2003 implementation of PPTP, both 40-bit encryption and 128-bit encryption are supported.
* Layer Two Transport Protocol (L2TP): L2TP encapsulates PPP frames, and sends encapsulated data over IP, frame relay, ATM and X.25 networks. With L2TP, the PPP and layer two end-points can exist on different devices. L2TP can also operate as a tunneling protocol over the Internet. L2TP uses UDP packets and a number of L2TP messages for tunnel maintenance. UDP is used to send L2TP encapsulated PPP frames as tunneled data. When L2TP is used with IPSec, the highest level of security is assured. This includes data confidentiality and integrity, data authentication, as well as replay protection. IPSec protects the packets of data and therefore provides security on nonsecure networks such as the Internet.

Remote access policies can be used to secure demand-dial connections. You can use a remote access policy to control whether or not a user is allowed to connect to the VPN server. Remote access policies contain conditions which you specify through the Routing and Remote Access management console. These conditions determine which users are allowed to connect to the remote access server. Remote access policies can also be used to specify which authentication protocol clients must utilize; specify which encryption methods clients must utilize; and to restrict user access based on user and group membership, and time of day.

Identifying Internet Connectivity Requirements

In order to implement an effective Internet connection strategy, there are a few factors that you need to consider and a few Internet connectivity requirements which you need to determine, including the following:

* When defining any Internet connection design or strategy, one of the foremost factors which needs to be determined is the amount or quantity of bandwidth needed for users to perform their necessary tasks. To determine the bandwidth needed by users, you have to determine the following:
  o The number of users which will most likely be accessing the Internet concurrently.
  o The applications which will be used by these users.
  o The tasks or functions which users will perform.

  The amount of bandwidth required affects the following:
  o Which ISP you need to utilize.
  o What costs need to be met.
* Determining when the organization's peak Internet bandwidth usage times are is another issue that needs to be determined. For instance, organizations that operate 24 hours a day would require more bandwidth than another organization running between 8am and 5pm. In addition, you have to remember to provide for non-Internet connection operations, such as off-site backups, that could require a large quantity of bandwidth as well.
* Another important requirement that needs to be determined when you define your Internet connectivity strategy is the number of users which will need Internet connections. This can be broken into a number of factors:
  o How many employees within the company who use computers connected to the private network need connections to the Internet.
  o How many of the Internet connections required would be concurrent connections.
  o How long users will need to be connected to the Internet.
* Determining the locations of computers that need Internet connectivity is also important. The location of computers has an impact on the following:
  o Where routers and other Internet connection devices should be placed.
  o Whether the router should be connected to the backbone network.
  o Whether Internet connection devices should be located within a single area.
* The next important factor pertains to the applications that users will run. Factors to include under this requirement are listed here:
  o The manner in which users will use Internet applications.
  o Determine the functions users will perform using Internet applications, and then attach bandwidth requirements to each of these functions.

Determining Bandwidth Requirements for Internet Connections

One of the key requirements for Internet connections is the availability of sufficient bandwidth for traffic using the Internet connections. Having sufficient hardware equipment and connections to the Internet means nothing if you have insufficient bandwidth.

When determining the bandwidth requirements for Internet connectivity, you have to remember to include the bandwidth requirements of your other services that use the organization's bandwidth.

The main elements that affect bandwidth for Internet connections are listed here:

* The type of e-mail sent. Different e-mail types have different bandwidth requirements.
* The type of traffic passing over the Internet connections. Remember too that an Ethernet 10 Mbps link usually only means that 10 Mbps of data will be able to be sent. This is because of factors such as collisions and noise.

Resolving the issues listed here should be included in the overall bandwidth requirement calculation for your Internet connections:

* Whether Dynamic Host Configuration Protocol (DHCP) associated traffic, or DNS associated traffic will be using the link. If yes, then it is recommended that you run both the DHCP service and the DNS service on the same server.
* Whether e-mail traffic will be using the link. E-mail is the common cause of available bandwidth being depleted.
* Whether Voice over IP (VoIP) will be utilizing the connection. VoIP creates additional traffic that in turn has bandwidth requirements.
* Whether operations such as Web browsing will be allowed with the Internet connections.

Database applications that transfer a large quantity of data, and some graphical-based applications also need sufficient bandwidth resources. Any additional services that could possibly be using the link should be provided for in terms of bandwidth.
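The NAT session mapping table and the Basic Firewall behaviour described in the translated-connections section are easier to see in a small simulation. The following Python block is an added example written for this page; it is not code from the original post and not the RRAS or ICS implementation. It models only the fields NAT rewrites or matches on, uses the 192.168.0.0/24 client range the post gives for ICS, and uses constructed addresses (198.51.100.1 for the NAT's public interface, hosts in 203.0.113.0/24 for the Internet side). The `demo()` traffic shows why two private clients that pick the same source port still receive their own replies, and why a packet that no client asked for is never forwarded inside.

```python
"""Simulation of a NAT session mapping table with a reply-only (Basic Firewall) rule.

Added example, not code from the original post or from Windows RRAS/ICS.
Constructed addresses: public interface 198.51.100.1, private clients in
192.168.0.0/24 (the range the post says ICS hands out), Internet hosts in
203.0.113.0/24.
"""
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Packet:
    """Minimal view of an IP packet: just the fields NAT rewrites or matches on."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


class NatServer:
    def __init__(self, public_ip, private_net="192.168.0.0/24", first_port=49152):
        self.public_ip = public_ip
        self.private_net = ipaddress.ip_network(private_net)
        self.next_port = first_port  # next free public port for a new session
        # Session mapping table:
        #   (proto, public_port) -> (private_ip, private_port, remote_ip, remote_port)
        self.sessions = {}
        # Reverse lookup so an existing flow keeps the public port it was given.
        self.reverse = {}
        self.dropped = []  # inbound packets the reply-only rule refused

    def outbound(self, pkt):
        """Rewrite a private client's packet so it leaves with the public address."""
        if ipaddress.ip_address(pkt.src_ip) not in self.private_net:
            raise ValueError(f"{pkt.src_ip} is not on the private network")
        flow = (pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        public_port = self.reverse.get(flow)
        if public_port is None:
            public_port = self.next_port
            self.next_port += 1
            self.sessions[(pkt.proto, public_port)] = flow[1:]
            self.reverse[flow] = public_port
        return Packet(self.public_ip, public_port, pkt.dst_ip, pkt.dst_port, pkt.proto)

    def inbound(self, pkt):
        """Map a packet arriving from the Internet back to the client that opened
        the session. Returns None (and records the drop) when no session matches;
        that is the Basic Firewall rule: only response traffic is forwarded inside."""
        if pkt.dst_ip != self.public_ip:
            self.dropped.append(pkt)
            return None
        entry = self.sessions.get((pkt.proto, pkt.dst_port))
        if entry is None:
            self.dropped.append(pkt)
            return None
        private_ip, private_port, remote_ip, remote_port = entry
        # A reply must come from the endpoint the client actually talked to.
        if (pkt.src_ip, pkt.src_port) != (remote_ip, remote_port):
            self.dropped.append(pkt)
            return None
        return Packet(pkt.src_ip, pkt.src_port, private_ip, private_port, pkt.proto)


def demo():
    """Constructed traffic: two clients reuse the same source port, replies must
    still reach the right one, and packets nobody asked for are dropped."""
    nat = NatServer(public_ip="198.51.100.1")
    web = ("203.0.113.10", 80)

    a_out = nat.outbound(Packet("192.168.0.10", 1025, *web))
    b_out = nat.outbound(Packet("192.168.0.11", 1025, *web))
    a_again = nat.outbound(Packet("192.168.0.10", 1025, *web))  # same flow, same port

    a_reply = nat.inbound(Packet(*web, "198.51.100.1", a_out.src_port))
    b_reply = nat.inbound(Packet(*web, "198.51.100.1", b_out.src_port))

    # No client opened a session on this public port, so there is nothing to map it to.
    unsolicited = nat.inbound(Packet("203.0.113.99", 4444, "198.51.100.1", 3389))
    # Right public port, but from a host the client never contacted.
    wrong_peer = nat.inbound(Packet("203.0.113.99", 80, "198.51.100.1", a_out.src_port))

    return {
        "a_out": a_out, "b_out": b_out, "a_again": a_again,
        "a_reply": a_reply, "b_reply": b_reply,
        "unsolicited": unsolicited, "wrong_peer": wrong_peer,
        "dropped": len(nat.dropped),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Running the block prints the rewritten outbound packets (both carrying the public address but different public ports), the two replies mapped back to 192.168.0.10 and 192.168.0.11 respectively, and `None` for the two packets the reply-only rule dropped. The table key is the public port rather than the client's own port precisely because several clients behind one public address can choose the same source port; that is the detail that lets a single public address serve the whole LAN, and also the reason an Internet host cannot reach a private client unless that client started the conversation.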

gsathish86

Hi Ganesh,

Wonderful article. Keep it up.
Rather than documenting the whole thing in a single document, split it into some basic introduction parts, which will have more keenness of understanding.

It's my small suggestion.

Regards,
Sathish.
Thanks & Regards,
Sathish Kumar

Every new beginning comes from some other beginning's end.