Securing Your WHS & Network - Part 5

Securing The Network - Chapter 2

This is Part 5 of Securing Your WHS & Network.

Part 5 looks at the threats and vulnerabilities associated with the local area network (LAN).  We provide an explanation of DHCP and NAT.  We explain how an Internet connection is shared by the other computers on the LAN.  We describe how to configure the network router to connect to the Internet Service Provider (ISP) by explaining the different types of WAN (wide area network) configurations.  We follow with an explanation of how the router is configured for the private network's address range, DHCP, and the static local IP address of the Windows Home Server.

Understanding DHCP

When a person using a computer wants to access a website, the computer needs an address to which the requested information can be returned for display.  This address is called an IP (Internet Protocol) address.  Every computer that connects to the Internet has a unique, publicly reachable IP address.

The Internet service provider, or ISP, has a fixed number of public IP addresses.  When a customer subscribes to Internet service, part of the monthly charge includes a fee for the IP address.  Subscribers that host their own websites or email systems require an IP address that does not change.  This type is called a static public IP address.  It is similar to the street address assigned by the post office to a home owner or business.  Subscribers who want a static IP address are charged a higher monthly fee.

Normally home and small businesses that subscribe for Internet service from their ISP are not assigned a static public IP address.  The ISP assigns an IP from their pool of addresses when a customer makes a connection to the Internet.  The IP address assigned to the subscriber is leased or borrowed from the ISP.  The lease can be set to expire and return to the available pool after a certain time period of inactivity.  The subscriber can lose their lease if there is a break in the Internet connection or the connection is idle. 

The method of leasing or assigning an IP address on demand is called Dynamic Host Configuration Protocol, or DHCP.  DHCP is an efficient way for an ISP to manage the assignment of public IP addresses to its subscribers.  The ISP has a server dedicated to the task of assigning the IP addresses.

In Part 3 we said that customers who subscribed to Internet service were originally assigned a static public IP address.  The Internet Engineering Task Force (IETF) realized that the maximum of 4.284 billion possible addresses would be quickly depleted if the assignment of static IP addresses continued.  DHCP evolved as a way to reuse IP addresses efficiently and avoid a shortage.

Each ISP is allocated a limited set of IP addresses, and its customer base is larger than that set.  DHCP permits the ISP to hand out IP addresses only when they are needed.

Let's say an ISP has 100 customers.  The ISP knows that the chance of all 100 customers needing an IP address at the same time is very low.  They have determined that they only need 95.  Since the ISP pays for the use of each IP address, it is in their best interest to keep their number of IP addresses to a minimum.  There is a well-established statistical model used by the telephone industry, based on the Poisson distribution, for estimating the probabilities of customer demand.  The result of this analysis is used to optimize the number of IP addresses that an ISP needs to meet demand.

General Network Threats

When a customer initially subscribes to Internet service from their ISP, they might have only one computer that they want to connect to the Internet.  In this case all that is needed is to connect the computer to the cable or DSL modem.  Many cable/DSL modems have a USB port for this reason, so it is not necessary to install a network card in the computer and connect it to the modem with a CAT-5 cable.

In this situation, the computer is connected directly to the Internet.  Usually the computer is turned on only when the user wants to use it.  The time while the computer is turned on poses the greatest risk, because there is nothing to block or prevent attacks on the computer.  It is possible for an unknown user to take advantage of known weaknesses in the computer's operating system to take control of the computer, read personal information, insert malicious software, or delete files stored on the hard drive.  This is why we strongly recommend that an anti-virus security suite that includes a personal firewall be used to recognize and thwart attacks on the computer.

As time goes by, this customer with only one computer goes out and buys another one and wants both computers connected to the Internet at the same time.  The customer could order another cable modem for the second computer, but the ISP charges separately for that second modem.  This scenario becomes too expensive to maintain.

What the customer really needs is a simple way to connect the computers together and use the same cable modem.  This is the purpose of a network where two or more computers need access to a shared resource.  In this case, the Internet connection is the shared resource.

There are two requirements for a network to connect to the Internet.  A router is needed, and each computer needs a network interface card.  Our customer is in luck because both computers have built-in network interfaces and the ISP has provided a router.  The customer uses a CAT-5 cable to connect the router to the cable modem.  Then a CAT-5 cable is strung to each computer.

The router and modem do not have to be two separate devices.  It is becoming more common that both are combined into one device.   The following two pictures show an ADSL modem combined with an Ethernet and wireless router that are commonly used in the US and UK, respectively.  Both modem/routers use a RJ-45 cable to connect to the ADSL connection jack provided by the telephone company.

Because the ADSL service uses the same telephone line for both voice and data, the high frequency signal used by ADSL must be filtered for voice and the voice frequency must be filtered for the ADSL connection.  Either individual filters are used for every telephone and the ADSL connection; or a splitter is installed to separate the voice and data signals.  Filtering or splitting depends on the country and telephone company. 

Understanding Network Address Translation

The router performs an important task to allow two or more computers to share an Internet connection.  This is called network address translation or NAT.  NAT works like the post office.  The job of the post office is to pick up and deliver mail.  It doesn't know who lives or works at the address but it knows where the mail box is located.  Each person at the address can put a letter in the mail box for delivery or take a letter that is addressed to them.  These people have no idea as to how the mail gets delivered but over time, the post office has gained their confidence. 

The router using NAT remembers, for each outgoing packet, which computer on the local network sent it and to whom it was sent.  The packet is then released for delivery.  When the reply returns, the router matches it to the computer that sent the original packet.  The following compares NAT with the post office.
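The bookkeeping described above, as an added example that is not code from the original article or from any router vendor: a small NAT table that records each outgoing flow, rewrites the source to the router's public address, and delivers an incoming packet only when it answers a flow a LAN host opened.  The public address 203.0.113.5 and the remote hosts 198.51.100.x are constructed (RFC 5737 documentation addresses); the LAN uses the article's 192.168.145.x range.  The two dropped cases at the end are the point for a defender: a computer behind NAT is not reachable by a packet nobody inside asked for, unlike the single computer plugged straight into the modem.

```python
"""Simulation of the NAT bookkeeping described in the article (constructed example)."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# A flow as the router records it: (LAN ip, LAN port, remote ip, remote port)
Flow = Tuple[str, int, str, int]


@dataclass
class NatRouter:
    public_ip: str
    next_port: int = 40000                                  # next public port to hand out
    by_flow: Dict[Flow, int] = field(default_factory=dict)  # flow -> public port
    by_port: Dict[int, Flow] = field(default_factory=dict)  # public port -> flow

    def outbound(self, lan_ip: str, lan_port: int,
                 remote_ip: str, remote_port: int) -> Tuple[str, int]:
        """A LAN host sends a packet: remember who sent it and to whom,
        then rewrite the source to (public address, allocated public port)."""
        flow = (lan_ip, lan_port, remote_ip, remote_port)
        if flow not in self.by_flow:            # first packet of this flow
            self.by_flow[flow] = self.next_port
            self.by_port[self.next_port] = flow
            self.next_port += 1
        return self.public_ip, self.by_flow[flow]

    def inbound(self, remote_ip: str, remote_port: int,
                public_port: int) -> Optional[Tuple[str, int]]:
        """A packet arrives from the Internet addressed to one of our public ports.
        Returns the LAN (ip, port) to deliver to, or None if the packet is dropped."""
        flow = self.by_port.get(public_port)
        if flow is None:
            return None  # nobody inside asked for this: unsolicited, dropped
        lan_ip, lan_port, expected_ip, expected_port = flow
        if (remote_ip, remote_port) != (expected_ip, expected_port):
            return None  # not from the host the LAN computer contacted: dropped
        return lan_ip, lan_port


if __name__ == "__main__":
    nat = NatRouter("203.0.113.5")
    # Two LAN computers open a connection to the same web server.
    print(nat.outbound("192.168.145.101", 51000, "198.51.100.10", 80))  # ('203.0.113.5', 40000)
    print(nat.outbound("192.168.145.102", 51000, "198.51.100.10", 80))  # ('203.0.113.5', 40001)
    # The web server's replies are routed back to the right computer.
    print(nat.inbound("198.51.100.10", 80, 40000))   # ('192.168.145.101', 51000)
    print(nat.inbound("198.51.100.10", 80, 40001))   # ('192.168.145.102', 51000)
    # A packet to a port nobody inside opened, and one from an unexpected host, are dropped.
    print(nat.inbound("198.51.100.10", 80, 40002))   # None
    print(nat.inbound("198.51.100.99", 80, 40000))   # None
```

Real routers also expire table entries that see no traffic for a while, much like the ISP lease described earlier; that timeout is omitted here to keep the mapping logic visible.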

 

Programming the Router - WAN Configuration

We now have a network, but it is not yet configured to share the Internet connection.  To do this the router is programmed using an Internet browser.  The default IP address of a router is usually 192.168.0.1 or 192.168.1.1, depending on manufacturer and model.  Type the address provided by the manufacturer into the browser.

A login dialog requires a password.  The default can be "password" or blank, depending on the manufacturer and model.  We strongly recommend that this password be changed to prevent unauthorized access to the private network.  Usually there is a wizard that helps set the router configuration.  We recommend running the wizard and, when it finishes, making some changes manually.

The public network or WAN (wide area network) settings are where the connection to the ISP is made.  The options below apply to the majority of residential Internet subscribers.  The ISP provides the information to enter into the router.  Follow their directions as to what needs to be entered.

For cable, the norm is:  Dynamic IP Address or DHCP.  Enter the primary and secondary DNS address.  These IP addresses are provided by the ISP.  Click the OK button to save the configuration.  The following screen shots are used to describe the router settings using a SonicWALL TZ-180 router.  These settings may be organized differently depending on the make and model of the router.

 

For DSL or FiOS choose PPPoE (point-to-point protocol over Ethernet).  Enter the user name, password, and the primary and secondary DNS addresses.  The account information and IP addresses are provided by the ISP.  Click the OK button to save the configuration.

 

If one or more static public IP addresses have been assigned, select Static IP Address.  You will have to determine which IP address to use for the router.  The public IP address must coincide with how the "A Record" for the domain name and IP address is registered in DNS.  The majority of routers used for home and small businesses can be configured with one public IP address.  Enter the IP address, subnet mask, ISP gateway address and the primary and secondary DNS addresses.  Click the OK button to save the configuration.

The ISP provides the customer with the information necessary to connect to the Internet.  Follow their directions as to what is needed to enter into the router. 

Configuring the Router - Private Network Address

Perhaps one of the most overlooked threats to a network is the private IP address range that is assigned to the network.  It is likely that the majority of home and small business networks use 192.168.0.xxx or 192.168.1.xxx and a subnet mask of 255.255.0.0.  This is because the majority of routers and switches come preconfigured with that address range.  It is only one of 65,536 addresses within the Class C range that can be used for your private network.

The IP address is a set of four groups of numbers, each of which can range from 0 to 255 (16² or 2⁸ values).  A Class C private IP address always begins with 192.168, and since the last two groups can each take 256 possible values, 16² × 16² = 16⁴ (or 2⁸ × 2⁸ = 2¹⁶), which yields 65,536 available IP addresses.  The reason for using 256 values per group is no doubt a carryover from the hexadecimal system used by mainframe computers.  Hexadecimal uses a base of 16 and was used to conserve storage.  It uses 0 through 9 and A through F to represent the 16 decimal numbers 0 through 15.  Therefore, FF hexadecimal represents 255 decimal.

The fourth group of the IP address is used to identify the device on the network.  This means that the third group of the IP address can be any number from 0 through 255.  We recommend that 0 (zero) and 1 not be used because they are so common, so choose a number between 2 and 255.  We also recommend using a subnet mask of 255.255.255.0 to restrict the local range of IP addresses to 256 possibilities.  Using a different Class C private IP address range makes it more difficult to break into the local network.

The configuration settings for the private IP address are usually found in the LAN (local area network) settings.  The following is an example of configuring the private network address to 192.168.145.xxx.

Configuring the Router - Assigning Private IP Addresses

When a LAN is created the administrator must determine how to assign the private IP addresses to the local computers.  Each computer and any device that is connected to the network are required to have a unique IP address assigned to it. 

There are two ways to assign an IP address to these devices.  One is the hard way.  This requires the administrator to type a unique IP address, subnet mask, gateway address, and the addresses of the primary and secondary DNS servers into each computer and device connected to the network.  The following is an example of the information that must be entered manually on a Vista computer.

This method assigns a static private IP address to the computer.  As computers and devices are added and removed from the network, the administrator must keep track of each IP address used.  If two network devices have the same IP address, they cannot communicate on the network. 

We recommend that only the router, switches, and servers, including the Windows Home Server, be assigned a static IP address.  For all other devices on the network, we recommend using the easy way to assign unique IP addresses to each computer.

Configuring the Router - DHCP Settings

The easy way to manage IP addresses is to use the DHCP capabilities of the router.  This is where a range of IP addresses is defined, the lease time is set, and the static IP address used for the WHS is configured.  As computers or other devices are added to or removed from the network, the router's DHCP server takes care of managing the private IP address assignments.  Often the range 100 to 199 is assigned to the IP address pool.  The ending portion of the IP addresses assigned to the router and the WHS can then be any number between 1 and 99.  We recommend that addresses ending in 1 to 29 be used as static IP addresses for network routers and switches, and that static IP addresses for servers range from 30 to 99.  The following is an example of automatically assigning an IP address to a Vista computer.

Obtaining IP addresses automatically is the default configuration for the network card.  This means that there is no additional effort required to alter the configuration of computers and other devices that are connected to the network.  The administrator enables the router's DHCP server, enters the starting and ending IP address range, and clicks the OK button to save the configuration.  The router now performs the task of assigning private IP addresses.  The following is an example of the DHCP server settings.

As stated earlier in this section we recommend that a static private IP address be assigned to the WHS.  Since it is a server, many devices depend on it for file access, remote access, and backup.  Rather than enter the IP address in the properties of the WHS' network card, the IP address is configured in the DHCP section of the router.  Every time the WHS is restarted the router's DHCP server identifies it by its MAC address and the router assigns the static IP address to the WHS.

The MAC (media access control) address is six pairs of hexadecimal digits that uniquely identify the network adapter.  To find the MAC address, open the properties for the WHS' network connection.  The MAC address is called "physical address" in the properties box.

To configure the static IP address for the WHS in the router's static DHCP section, type the computer name, the private static IP address, and the MAC of the network adapter's physical address.  Click the OK button to save the configuration.

The example below shows the physical address of the WHS entered in the MAC address field.  This process can be repeated for each network card in the WHS or for other servers.
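The private-range advice above (a non-default 192.168.x.0 network with a 255.255.255.0 mask) and the DHCP layout just described (1-29 for routers and switches, 30-99 for servers, 100-199 for the pool, with the WHS reserved by MAC address) as one added example.  This is not code from the original article, and routers do their own validation in their web interface; the code simply encodes the article's rules so a plan can be checked before it is typed in.  The network 192.168.145.0/24 is the article's example; the MAC addresses and host names are constructed.

```python
"""Address plan and static DHCP reservation checks for a home LAN (constructed example)."""
import ipaddress
import re
from typing import Dict, List, Optional, Tuple

# Private ranges per RFC 1918; any home LAN should sit inside one of these.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# The two ranges most routers ship with; the article recommends moving off them.
FACTORY_DEFAULTS = [ipaddress.ip_network(n) for n in ("192.168.0.0/24", "192.168.1.0/24")]
# Windows "physical address" form 00-1A-2B-3C-4D-5E, or the colon form.
MAC_PATTERN = re.compile(r"([0-9A-Fa-f]{2}[-:]){5}[0-9A-Fa-f]{2}")

# Last-octet ranges from the article.
INFRA_RANGE = (1, 29)     # routers and switches
SERVER_RANGE = (30, 99)   # servers, including the WHS
POOL_RANGE = (100, 199)   # handed out dynamically by the router's DHCP server


def check_lan_network(cidr: str) -> List[str]:
    """Return the article's objections to a proposed private network; empty list means OK."""
    net = ipaddress.ip_network(cidr, strict=True)
    problems: List[str] = []
    if net.version != 4:
        return [f"{net}: this plan covers IPv4 networks only"]
    if not any(net.subnet_of(p) for p in RFC1918):
        problems.append(f"{net} is not an RFC 1918 private range")
    if net.prefixlen != 24:
        problems.append(f"{net} uses a /{net.prefixlen} mask; use 255.255.255.0 (/24)")
    if any(net.overlaps(d) for d in FACTORY_DEFAULTS):
        problems.append(f"{net} is a factory-default range; pick a third octet from 2 to 255")
    return problems


def normalize_mac(mac: str) -> str:
    """Validate a MAC address and return it as uppercase hyphenated pairs."""
    if not MAC_PATTERN.fullmatch(mac):
        raise ValueError(f"malformed MAC address: {mac!r}")
    return "-".join(part.upper() for part in re.split(r"[-:]", mac))


class DhcpPlan:
    """The router's DHCP settings: one /24 network, a dynamic pool, and static reservations."""

    def __init__(self, cidr: str):
        self.net = ipaddress.ip_network(cidr, strict=True)
        if self.net.version != 4 or self.net.prefixlen != 24:
            raise ValueError(f"{self.net}: plan expects an IPv4 /24 network")
        self.reservations: Dict[str, Tuple[str, ipaddress.IPv4Address]] = {}  # MAC -> (name, ip)

    def pool(self) -> Tuple[ipaddress.IPv4Address, ipaddress.IPv4Address]:
        """Start and end address entered as the router's dynamic range."""
        return self.net[POOL_RANGE[0]], self.net[POOL_RANGE[1]]

    def reserve(self, name: str, ip: str, mac: str) -> None:
        """Pin a device to a static address, the way the router's static DHCP page does."""
        addr = ipaddress.ip_address(ip)
        mac = normalize_mac(mac)
        if addr not in self.net:
            raise ValueError(f"{addr} is outside {self.net}")
        last_octet = int(addr) - int(self.net.network_address)
        if not INFRA_RANGE[0] <= last_octet <= SERVER_RANGE[1]:
            raise ValueError(f"{addr}: static addresses must end in "
                             f"{INFRA_RANGE[0]}-{SERVER_RANGE[1]}, outside the DHCP pool")
        if mac in self.reservations:
            raise ValueError(f"{mac} is already reserved for {self.reservations[mac][0]}")
        if any(addr == existing for _, existing in self.reservations.values()):
            raise ValueError(f"{addr} is already reserved; duplicate IPs cannot communicate")
        self.reservations[mac] = (name, addr)

    def lookup(self, mac: str) -> Optional[ipaddress.IPv4Address]:
        """Address the DHCP server hands a booting device; None means 'take one from the pool'."""
        entry = self.reservations.get(normalize_mac(mac))
        return entry[1] if entry else None


if __name__ == "__main__":
    print(check_lan_network("192.168.1.0/24"))    # the factory default: flagged
    print(check_lan_network("192.168.145.0/24"))  # the article's choice: []
    plan = DhcpPlan("192.168.145.0/24")
    print(plan.pool())                            # (192.168.145.100, 192.168.145.199)
    plan.reserve("WHS", "192.168.145.50", "00-1A-2B-3C-4D-5E")   # constructed MAC
    print(plan.lookup("00:1a:2b:3c:4d:5e"))       # 192.168.145.50, whichever form the MAC is typed in
```

Keeping reservations outside the pool matters because the router will not hand a pooled address to a second device only if it is the DHCP server that owns that address; a static address typed into a server's own network card but also inside the pool is exactly how two devices end up with the same IP.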

 

If the router includes a wireless access point and wireless devices are going to connect to the network, the router must be configured to properly secure the wireless portion of the network.  We discussed in Part 2 how a wireless network works and its vulnerabilities.  In Part 6 we identify the threats that are associated with a wireless network and how to configure the router to secure the wireless portion of the local network.

Home Server Land's Recommendation:

We at Home Server Land make the following recommendations to enhance the security of your computers and local area network against general network threats.

  • The password to the network router should be changed from its default;
  • The private IP address range should be changed to any range other than 192.168.0.xxx or 192.168.1.xxx, and the subnet mask should be 255.255.255.0;
  • The Windows Home Server should be assigned a static private IP address and be defined in the router's DHCP configuration;
  • Configure the network router to manage IP addresses by using DHCP;
  • Configure all network interface cards to the default setting of obtaining IP addresses automatically; and
  • Single computers connected directly to the cable/DSL modem should use an anti-virus security suite that includes a personal firewall.

We have identified several threats and vulnerabilities related to the general network.  The security plan needs to be updated to address them.  We have developed the General Network Threats Risk Assessment to assist with the identification and methods that can reduce threats discussed in this section.  The Threat and Risk Assessment Worksheet can be used to document the threats that have been identified and used as a basis to manage them.  Both documents are attached at the end of this blog.

Summary

This concludes Part 5 of Securing Your WHS & Network.  We identified the risks and vulnerabilities that are associated with the network in general and that are perhaps overlooked.  We provided an explanation of DHCP and how it can be used to make the job of the administrator easier.  We explained how private IP addresses can be used to increase the overall security of the network.

In Part 6, we will continue with securing the network.  We will analyze and identify the threats and vulnerabilities of wired and wireless network topologies.

In the meantime, we invite your discussion in response to this blog.

Attachments

 

Continue to Part 6 - Wireless Network Topology Threats

  • Another great article thank you.

    Would it be a good idea for me to convert my entire home network onto IPv6?

    My Linksys business router does IPv4 and IPv6, but I am not sure if IPv6 will cause any problems with the WHS?

  • WHS in its current form supports only IPv4.  Could you explain your internal network environment?  Like, is your environment business only or mixed business and home?
