Chapter 26

Adding Internet Access

The Internet has undergone remarkable growth over the last several years. That growth has been fueled both by individual users and by a rush of businesses, schools, and other groups connecting their internal LANs and WANs to the Internet. In this chapter you learn how to connect your own network to the Internet; how to configure your existing network servers and clients to use Internet services; how to publish information to the Internet from your servers, and how to secure your network to protect it from intrusions while doing all of the above.

Defining Internet

The Internet is just that: a large network which interconnects many smaller networks into a seamless whole. Originally developed by the U.S. Department of Defense, the Internet started by connecting internal networks at a few universities and think tanks, then gradually expanded. As other regional networks formed, like the New England Area Regional Network (NEARnet) and the Southeastern Universities Research Association Network (SURAnet), they joined the Internet. Commercial companies began to connect, drawn by the promise of easy access to information resources and the simplicity of joining LANs in different geographic regions.

Getting Internet Service

The metaphor of the Internet as an "information superhighway" has perhaps been overused, but it's accurate in some respects. If you build a house, you must make sure it's connected somehow to a street so that you can drive to and from your garage or carport. Likewise, the first step in connecting your network to the Internet is to find a way to move your packets between your LAN and the Internet itself.

Finding an Internet Service Provider

In all cases, you'll deal with an Internet service provider, or ISP, to get a connection. ISPs come in all shapes and sizes, from large national providers like UUnet, AT&T, and MCI, to regional providers like Mindspring (in the southeastern U.S.) and iQuest in the U.S. Midwest, to local providers like AIRnet (serving small communities in northern Alabama) and Washington D.C.'s Digital Express.

Before you choose an ISP, it's important to think about your needs. Here are some factors to consider when selecting a provider:

Choosing the Right Connection Method

After you've found an ISP to carry your traffic, you still need a physical data path to move that traffic back and forth. There is a variety of communications methods and speeds for connecting your network to the Internet; which one is right for you depends on your needs and your budget.

In this section, you'll learn about some different connection methods and gain an understanding of each method's benefits and drawbacks, as well as some sample costs.

There are usually two separate costs involved in getting an Internet connection: the fee you pay to the Internet service provider (ISP) you choose, and the fee you pay your local phone company for the leased or dialup line that you use to reach the ISP.

Dialups

Dialup connections use an ordinary analog modem (usually at v.34 or v.32bis speeds) and an ordinary analog phone line to connect your network to your ISP. There are two types of dialup connections: on-demand and dedicated. As the names imply, an on-demand connection is only active when your network is generating or receiving Internet traffic, while a dedicated connection is always active.

Using dialup equipment offers some attractive benefits:

Of course, dialup connections have some drawbacks, too:

If you want more detailed information on connecting modems to your network, see chapter 25, "Adding Network Modems."

Connecting a Dialup Line to Your Network

There are two approaches to connecting your LAN to the Internet over a dialup connection. The first involves connecting one or more modems directly to your network. Just as some laser printers include an Ethernet port which allows them to be connected to the network, some modems or modem/router combinations can be connected directly to your network and shared. When a machine on your network requests a connection to an outside host, the modem connects to your ISP and begins routing packets.

The second, and very similar, approach is to mount a modem on one of your network servers and use the server itself to route IP packets destined for the Internet over the modem. This option is discussed in the section "Adding Internet Capability to Your Servers" later in the chapter.

Leased Lines

Leased line connections get their name from the fact that you lease an actual physical wire (or part of a larger-capacity channel, like an optical fiber) from the local telephone company to carry your traffic. This line is reserved for your use, and it carries your packets to your ISP.

In the U.S. telephone system, a single pair of copper wires can carry 56 Kbps. 1.544 Mbps connections (often called a T1 connection, after AT&T's internal code for a 1.544 Mbps line) are made up of 24 pairs of 56 Kbps lines. A DS3 or T3 line runs at a blistering 45 Mbps and is made up of multiple T1s.

Leased lines offer between 56 Kbps and 1.544 Mbps of bandwidth. Fractional leased lines offer smaller increments of bandwidth at a lower cost, but the leased line charges are usually the same. A hybrid line, like AT&T's Switched-56[tm] service, offers the capacity of a leased line on an as-needed, dialup basis. However, these services are fairly expensive, especially when compared to ISDN.

Leased lines offer some unique benefits due to the nature of their physical setup:

Of course, this speed and flexibility don't come without some additional difficulties:

Connecting a Leased Line to Your Network

The leased line requires special hardware, called a channel service unit (CSU) or data service unit (DSU) on each end to connect your existing network to your ISP's facilities. This hardware converts the digital signals from your LAN to analog signals suitable for transmission across the line. This hardware may be combined with a bridge or router to facilitate adding a connection to your existing network. Some manufacturers offer interface cards that fit standard EISA or PCI slots and put data directly onto the computer's bus; these cards can provide a simple way to get connected, especially if you're already doing IP routing on your server itself.

When your local phone company installs your leased line, you'll have a new jack, different from the familiar RJ-11 jack used with standard phones. The exact style of jack depends on the line type and the phone company. You'll use this jack to connect your CSU/DSU to the line.

If you're using a CSU/DSU built into a router, then you'll need to configure the router as part of your network; if you're using a card in your server, you'll need to configure the card using the manufacturer-supplied software, plus you'll need to tell the server how to route TCP/IP packets (see the section "Adding Internet Capability to Your Servers" later in this chapter).

If you need to know more about using bridges and routers in your network, see chapter 14, "Repeaters and Bridges," and chapter 15, "Routers."

ISDN

The Integrated Subscriber Digital Network, or ISDN, provides up to 128 Kbps over a single inexpensive copper pair. Each basic ISDN line (called a BRI line, for "basic rate interface") provides two 64 Kbps B channels (used for data or voice) and one 16 Kbps D channel (used for control and signaling). The B channels can be bonded to provide 128 Kbps of data bandwidth, or they can be used independently to carry voice or data.

If you need more bandwidth, you can get multiple ISDN lines and multiplex them together, all the way up to a primary rate interface (PRI) line: 12 B channels and one D channel, for a total capacity of 768 Kbps.

To find out if ISDN is available in your area, call the National ISDN hotline at 1-800-992-ISDN. They'll ask for your address and phone number, then search your phone company's database to see whether service is available in your area.

The number of installed ISDN lines has been soaring in many regions. Here are some of the reasons why:

• ISDN call setup times are fast, around 0.5 seconds to go off-hook, "dial," and make a connection. With the right routing software, you can use a less-expensive on-demand ISDN connection from your ISP and only bring the connection up when incoming or outgoing traffic requires it.

• ISDN connections are more than twice as fast as dialups for less than twice the cost. For example, unmetered ISDN in BellSouth's service area costs about $70 per month, versus about $32 per month for a business phone line, but the ISDN line provides two channels that can be used as two 64 Kbps data channels, one 128 Kbps data channel, two voice channels, or one voice and one data channel.

As with leased lines and pure dialup connections, though, ISDN carries some negatives with it as well:

Connecting an ISDN Line to Your Network

ISDN connections require special hardware to link your network and the ISDN network. When the phone company installer brings your ISDN line to the point you specify, you'll have yet another kind of wall jack, called a U interface. Most ISDN devices, however, require a different kind of connection, an S/T interface. To bridge the gap between these interfaces, ISDN lines use a terminating device called an NT-1, which electrically terminates the ISDN line and converts the U interface into an S/T interface.

You have two options for actually connecting the ISDN line to your network:

Some ISDN TAs (usually the standalone, modem-style ones) include a built-in NT-1; that's a valuable feature, because an NT-1 can cost as much as $200. Conversely, some "super" NT-1s (for example, Motorola's BitSurfr Pro) include not only the NT-1, but standard phone jacks for connecting analog devices and even RS-232 ports! If you're connecting your server to your ISDN device, you may be able to use the RS-232 port on such an NT-1 and avoid a TA altogether.

If you want to combine your two B channels into one 128 Kbps virtual channel (known as Bandwidth On Demand, or BONDing), be sure that your selected TA or TA-router supports this feature.

Frame Relay, SONET, and ATM

If you read industry publications like Information Week or InfoWorld, you'll see a lot of discussion of "supernetworks." These include Frame Relay, Synchronous Optical Network (SONET), and Asynchronous Transfer Mode (ATM) networks.

These three network types offer stunning bandwidth, ranging from a few Mbps all the way up to 1 to 2 gigabits/second. As you'd expect, they're quite expensive and are usually used to tie together corporate LANs into a wide-area corporate network instead of connecting to the Internet. However, as with most other technologies, increasing adoption is driving prices down, and some companies are starting to use these networks internally.

There are ISPs out there who can provide these types of exotic services, so if you need the bandwidth, and don't mind spending the money, you can get connected!

Adding Internet Capability to Your Servers

After you have an ISP to carry your traffic, and a physical connection between you and your ISP to do the actual work, the next step is to configure your network servers to speak the Internet's protocols.

The Internet's transmission protocol is TCP/IP, the Transmission Control Protocol/Internet Protocol. Although your internal network may be using NetBEUI or IPX/SPX, you'll have to make your servers and clients able to speak TCP/IP to exchange data with other Internet hosts.

Besides the transmission protocol, there are several service protocols in common use; these protocols define how two computers can exchange mail, files, and Web pages over the Internet. Your clients and servers need to have the right software to make them compliant with these protocols as well; otherwise, they won't be able to communicate with the Internet.

Before You Get Started

Before you start making configuration changes to your servers, you need to ensure that all your Internet plumbing and wiring is in order. It's a good idea to set up a single client system, connected to your ISP via whatever connection method you've chosen, and test out your ISP's configuration with your clients. The sections that follow discuss some issues to be aware of.

Network Addressing

TCP/IP addresses are expressed as four numbers, each between 0 and 255, separated by periods. For example, 129.135.1.1 is the address of Intergraph's corporate World Wide Web server. Network addresses are unique across the entire Internet; for example, only one machine can have the address 129.135.253.14.

If you're not already running TCP/IP on your internal network, then you face the task of assigning individual TCP/IP addresses to each machine that will be visible to the Internet. Your ISP helps you by assigning you a set of addresses for your network's use. These addresses are reserved for your use in the database of the Internet Network Information Center (InterNIC), so no one else can use them. However, you're responsible for assigning one address to each machine and making sure that there aren't any duplicates.

This can be a difficult job, especially if you have a lot of machines. Fortunately, there's an Internet protocol that can help: the Dynamic Host Configuration Protocol, or DHCP. DHCP provides a way for a not-yet-configured network node to ask a central server what its configuration parameters should be. MacTCP, Microsoft TCP/32 for Windows 3.11, Windows 95, Windows NT Workstation, and Windows NT Server all support DHCP, as do many UNIX versions.
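The bookkeeping described above (every address well-formed, inside the block the ISP assigned, not the network or broadcast address, not the gateway, and never used twice) is exactly what a DHCP server's pool logic enforces for you, and what you must enforce by hand for static assignments. The following is an added example, not code from the book; the address block, gateway and host table are constructed values (192.0.2.0/27 is a documentation range, not Intergraph's or anyone's real block).

```python
"""Validate a planned static TCP/IP address assignment for a small LAN.

Added example: the ISP block, mask, gateway and host table below are
constructed values, not addresses taken from the chapter.
"""
import ipaddress
from collections import Counter

# Constructed assumptions: a /27 block assigned by the ISP, with the router
# (default gateway) taking the first usable address.
ISP_BLOCK = ipaddress.ip_network("192.0.2.0/27")
GATEWAY = ipaddress.ip_address("192.0.2.1")

# Constructed host table: hostname -> dotted quad as an administrator might type it.
PLANNED_HOSTS = {
    "fileserver": "192.0.2.10",
    "mailhost":   "192.0.2.11",
    "pc-alice":   "192.0.2.12",
    "pc-bob":     "192.0.2.12",     # duplicate of pc-alice
    "printer":    "192.0.2.256",    # octet out of range
    "pc-carol":   "192.0.2.40",     # outside the /27 block
    "oldrouter":  "192.0.2.1",      # collides with the gateway
}


def parse_dotted_quad(text):
    """Return an IPv4Address, or None if `text` is not four octets in 0..255."""
    parts = text.strip().split(".")
    if len(parts) != 4:
        return None
    octets = []
    for part in parts:
        if not part.isdigit():
            return None
        value = int(part)
        if value > 255:
            return None
        octets.append(value)
    return ipaddress.IPv4Address(".".join(str(o) for o in octets))


def check_plan(hosts, block, gateway):
    """Return a list of (hostname, problem) tuples; an empty list means the plan is clean."""
    problems = []
    parsed = {}
    for name, text in hosts.items():
        addr = parse_dotted_quad(text)
        if addr is None:
            problems.append((name, f"malformed address {text!r}"))
            continue
        parsed[name] = addr
        if addr not in block:
            problems.append((name, f"{addr} is outside the ISP block {block}"))
        elif addr in (block.network_address, block.broadcast_address):
            problems.append((name, f"{addr} is the network or broadcast address"))
        if addr == gateway:
            problems.append((name, f"{addr} collides with the default gateway"))
    # Two hosts with the same address will fight over ARP and break each other.
    counts = Counter(parsed.values())
    for name, addr in parsed.items():
        if counts[addr] > 1:
            problems.append((name, f"{addr} is assigned to more than one host"))
    if gateway not in block:
        problems.append(("gateway", f"{gateway} is not inside {block}"))
    return problems


if __name__ == "__main__":
    for host, problem in check_plan(PLANNED_HOSTS, ISP_BLOCK, GATEWAY):
        print(f"{host:12s} {problem}")
```

Running the block lists five problems for the constructed table: the malformed printer address, pc-carol outside the block, oldrouter colliding with the gateway, and both pc-alice and pc-bob sharing one address. The same checks apply to a client's manual entries in the IP Address, Subnet Mask and Default Gateway fields later in this chapter.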

Network Names

Each TCP/IP address also has a name associated with it; for Intergraph's WWW server, the name which matches the address above is www.intergraph.com. Your ISP will register a domain name for you with the InterNIC; this name is unique to your organization and identifies your machines and the type of organization they belong to. Table 26.1 shows some of the top-level domains on the Internet.

Table 26.1 Top-level domains serve to group Internet hosts by the organization that owns them

Top-Level Domain    Meaning
.com                Commercial: companies and corporations
.net                Network: ISPs, network service providers, and so on
.edu                Educational: colleges, universities, elementary schools, and so on
.org                Organizational: non-profit groups or organizations; non-corporate entities
Country code        Geographic: entries in these domains are grouped by country; for example, .ca for Canada and .uk for the United Kingdom

There are other top-level domains; for example, each country in the world has its own domain, like .uk or .fr. Each top-level domain is further subdivided, so that motorola.com, kraft.com, inria.fr (a French research institute), and mit.edu are all assigned blocks of TCP/IP addresses for their own use.

.com is mostly used in the U.S. Because the Internet is global, the InterNIC is trying to encourage U.S. users to register by geographic domain instead of by organization, as net sites in other countries have been doing for years. These U.S. sites fall into the .us domain. For example, the city of Austin, Texas has a domain name of ci.austin.tx.us.

Mapping Names to Addresses

Computers don't care how they're addressed, but humans like easy-to-read names, like www.intergraph.com, not hard-to-remember numbers like 129.135.1.1. To simplify things for us humans, the Domain Name Service, or DNS, matches computer names to TCP/IP addresses. The Internet's DNS system provides a tree of DNS servers; each top-level domain has a master server, as does each second-level domain (like microsoft.com).

Your network's second-level domain will need access to a DNS server. Your ISP will probably give you the address of one of their DNS servers for your use; however, if you're connecting more than a few machines, you may want to run your own local DNS server to allow name resolution within your network. You might also want to maintain your own master server for your domain so that you have easy control over host names and address-to-name mappings.
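What actually travels between a client and a DNS server when a name is resolved is a small binary message defined in RFC 1035. The following added example (not code from the book) builds an A-record query for a name, assembles the reply a server would return, and decodes it, including the label-compression pointers real servers use. The name www.example.com and the 192.0.2.x addresses are constructed, and nothing is sent on the network; the response is built locally so the exchange can be studied offline. The two checks the parser performs, that the transaction ID matches the query and that the response flag is set, are the minimum a resolver does before trusting an answer.

```python
"""Build a DNS A query and decode a response, byte for byte (RFC 1035 wire format).

Added example; the name and addresses are constructed and no packet is sent.
"""
import random
import struct


def encode_name(name):
    """Encode 'www.example.com' as length-prefixed labels ending in a zero byte."""
    out = bytearray()
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError(f"bad label {label!r}")
        out.append(len(raw))
        out += raw
    out.append(0)
    return bytes(out)


def build_query(name, txid):
    """12-byte header (RD set, one question) followed by the question section."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def decode_name(msg, offset):
    """Decode a possibly compressed name; return (name, offset just past it)."""
    labels = []
    end = None          # where parsing resumes after the first pointer
    hops = 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                       # compression pointer
            if end is None:
                end = offset + 2
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            hops += 1
            if hops > 32:                               # refuse pointer loops
                raise ValueError("compression pointer loop")
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (end if end is not None else offset)


def parse_response(msg, expected_txid):
    """Return [(owner name, ttl, dotted quad)] for the A records in the answer section."""
    txid, flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if txid != expected_txid:
        raise ValueError("transaction id mismatch: answer does not belong to our query")
    if flags & 0x8000 == 0:
        raise ValueError("message is a query, not a response")
    if flags & 0x000F != 0:
        raise ValueError(f"server returned RCODE {flags & 0xF}")
    offset = 12
    for _ in range(qdcount):                            # skip the echoed question(s)
        _, offset = decode_name(msg, offset)
        offset += 4                                     # QTYPE + QCLASS
    answers = []
    for _ in range(ancount):
        name, offset = decode_name(msg, offset)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rclass == 1 and rdlen == 4:   # A record, IN class
            answers.append((name, ttl, ".".join(str(b) for b in rdata)))
    return answers


def constructed_response(query, addresses, ttl=3600):
    """Assemble the reply a server would send: same txid, QR/RD/RA flags, the
    question echoed, then one A record per address whose owner name is a
    compression pointer (0xC00C) back to the name in the question."""
    txid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(addresses), 0, 0)
    rrs = b""
    for addr in addresses:
        rdata = bytes(int(o) for o in addr.split("."))
        rrs += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + rdata
    return header + query[12:] + rrs


def resolve_offline(name, addresses):
    """Round trip through both sides of the exchange without touching the network."""
    txid = random.randrange(0, 0x10000)
    query = build_query(name, txid)
    return parse_response(constructed_response(query, addresses), txid)


if __name__ == "__main__":
    for owner, ttl, ip in resolve_offline("www.example.com", ["192.0.2.10", "192.0.2.11"]):
        print(f"{owner} {ttl} A {ip}")
```

The query and the matching response each start with the same 16-bit transaction ID, which is why `parse_response` refuses an answer whose ID does not match: an answer that was not solicited by this query is discarded rather than cached.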

Microsoft offers a protocol called the Windows Internet Name Service, or WINS, which provides a DNS-like service for mapping NetBEUI names to TCP/IP addresses. When WINS is enabled, clients use broadcast name queries, plus the local LMHOSTS file, to map names to IP addresses. You may or may not run this on your network, depending on how many NetBEUI machines you have and whether you have to interoperate with other client types.

Gateways versus Routers

One distinction that we've glossed over so far has to do with how clients on your network reach the Internet. Before you see how to configure your server for TCP/IP, you should understand the distinction. There are two basic methods for providing Internet access to an existing network.

The first method is the easiest to understand: plunk down a router somewhere on your network, connect your Internet connection to it, and let it handle moving packets around. (Of course, the router might just be a routing process running on your server instead of a physical box.) This approach requires that every client that wants access to the service be configured to speak TCP/IP, so it can be quite labor-intensive. However, it doesn't impose any additional load on the server, and it may generate less network load than the second solution.

The second method involves using gateways. Gateways are programs (or hardware devices) that convert between different protocols on a network. For example, the Columbia AppleTalk Package (CAP) is a gateway that allows UNIX servers speaking TCP/IP to handle AppleTalk packets. By installing a TCP/IP gateway on your non-TCP/IP server, you move the workload away from the client and onto the server.

Most gateways depend on tunneling or encapsulation in some way or another. Both are schemes for wrapping a "foreign" packet, like TCP/IP, in a "native" network packet. As far as the client and server are concerned, a TCP/IP packet encapsulated in an IPX packet is just another IPX packet, until it gets to the gateway, which strips off the IPX header and framing data, decodes the TCP/IP packet, and sends it to the correct destination.
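To make the encapsulation idea concrete, the following added example (not code from the book, and not the framing of any named gateway product) wraps a small IPv4 packet inside a 30-byte IPX header and then performs the gateway's side: it recognizes the frame as tunneled traffic, strips the IPX framing, and validates the inner IPv4 header before reading the destination. The IPX socket number used to mark tunneled frames, the node numbers and the IP addresses are all constructed values. The validation steps matter because the gateway is the one point where a malformed inner packet would otherwise be turned loose on the Internet side.

```python
"""Encapsulate an IPv4 packet in an IPX frame and have a 'gateway' unwrap it.

Added example of the tunneling idea; the tunnel socket number, node numbers
and addresses are constructed, and real gateway products define their own framing.
"""
import struct

IPX_HEADER_LEN = 30
TUNNEL_SOCKET = 0x9999          # constructed: IPX socket that marks "IP inside"
IPX_FORMAT = "!HHBB4s6sH4s6sH"  # csum, length, transport control, type, dst net/node/socket, src net/node/socket


def _pack_addr(dotted):
    return bytes(int(o) for o in dotted.split("."))


def _unpack_addr(raw):
    return ".".join(str(b) for b in raw)


def ipv4_checksum(header):
    """Ones-complement sum of the 16-bit words of an IPv4 header (RFC 791).
    Over a header with a correct checksum field the result is 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_packet(src, dst, payload, proto=17, ttl=64):
    """Minimal 20-byte IPv4 header with a correct checksum, followed by the payload."""
    total_len = 20 + len(payload)
    head = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0, ttl, proto, 0,
                       _pack_addr(src), _pack_addr(dst))
    csum = ipv4_checksum(head)
    return head[:10] + struct.pack("!H", csum) + head[12:] + payload


def ipx_encapsulate(ip_packet, dst_node, src_node, network=b"\x00\x00\x00\x01"):
    """Client side: wrap the IP packet in an IPX header addressed to the gateway's node."""
    length = IPX_HEADER_LEN + len(ip_packet)
    header = struct.pack(IPX_FORMAT,
                         0xFFFF, length, 0, 4,          # no IPX checksum, length, 0 hops, type 4 (PEP)
                         network, dst_node, TUNNEL_SOCKET,
                         network, src_node, TUNNEL_SOCKET)
    return header + ip_packet


def gateway_decapsulate(frame):
    """Gateway side: strip the IPX framing, validate the inner IPv4 header and
    return (src, dst, payload). Raises ValueError on anything malformed."""
    if len(frame) < IPX_HEADER_LEN:
        raise ValueError("short IPX frame")
    _csum, length, _hops, _ptype, _dnet, _dnode, dsock, *_ = struct.unpack(
        IPX_FORMAT, frame[:IPX_HEADER_LEN])
    if dsock != TUNNEL_SOCKET:
        raise ValueError("not a tunnel frame; belongs to the native IPX stack")
    if length != len(frame):
        raise ValueError("IPX length field disagrees with frame size")
    ip = frame[IPX_HEADER_LEN:]
    if len(ip) < 20 or ip[0] >> 4 != 4:
        raise ValueError("inner packet is not IPv4")
    ihl = (ip[0] & 0x0F) * 4
    if ihl < 20 or len(ip) < ihl:
        raise ValueError("bad IPv4 header length")
    if ipv4_checksum(ip[:ihl]) != 0:
        raise ValueError("IPv4 header checksum failed")
    total_len = struct.unpack("!H", ip[2:4])[0]
    if total_len < ihl or total_len > len(ip):
        raise ValueError("IPv4 total length inconsistent with frame")
    src, dst = _unpack_addr(ip[12:16]), _unpack_addr(ip[16:20])
    return src, dst, ip[ihl:total_len]


if __name__ == "__main__":
    # Constructed node numbers for a client and the gateway.
    client_node, gateway_node = b"\x00\x00\x0c\x44\x55\x66", b"\x00\x00\x0c\x11\x22\x33"
    pkt = build_ipv4_packet("192.0.2.12", "198.51.100.7", b"hello")
    frame = ipx_encapsulate(pkt, gateway_node, client_node)
    print(len(frame), "byte IPX frame ->", gateway_decapsulate(frame))
```

On the wire the client's stack sees only an IPX frame with an ordinary destination node and socket; the gateway keys on the socket number to decide which frames carry IP, and everything it will forward onto the Internet has had its header checksum and length fields verified first.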

Which solution is right for you? Well, that depends on your network needs and wants. The add-a-router solution is easy to understand and easy to implement, and it scales well for handling heavy traffic loads. The downside: it can require a lot of work to configure each individual client. Using a gateway means more work for whoever maintains the gateway server, as well as more load on the server, but clients won't have to fiddle with their network configurations.

Adding TCP/IP Support to Your Server

Adding TCP/IP software (usually called a TCP/IP stack) to your server is relatively straightforward. In fact, TCP/IP connectivity has become so important in today's computing environment that, depending on the vendor, your operating system may have come to you with TCP/IP preconfigured and ready to run.

Adding TCP/IP to a Netware Server

Novell Netware servers speak Novell's IPX/SPX protocol. This is fine, until you want to connect to the Internet! The simplest solution to mixing TCP/IP and IPX is to run a gateway that converts between the two.

If the gateway is implemented as a Netware Loadable Module (NLM), it can run on an existing server or a dedicated server; if it's a standalone system, similar in concept to a router, it will connect to the network at some other point.

In either case, each client machine will need Internet client software which can send out TCP/IP packets encapsulated in IPX packets. Most gateway vendors include a DLL which provides the Winsock interface for applications but emits encapsulated packets instead of pure TCP/IP. It's the gateway's job to take the encapsulated IPX packets, unencapsulate them, and send the resulting TCP/IP packet to the correct destination.

Firefox, Novell, Internet Junction, Internetware, and Performance Technology all offer suitable gateway packages.

Adding TCP/IP to Windows NT Server

Unlike Windows 3.x, Windows NT was designed by Microsoft to offer solid, fast TCP/IP support as part of the system's core networking tools. The NT Server installation process offers you a choice of whether to install TCP/IP as a supported protocol; if you said yes, you can skip over the rest of this section.

If you're still here, let's take a look at how you can install and configure TCP/IP on your Windows NT Server. Follow these steps:

Most of these steps require that you have Administrator privileges on the machine you're configuring.

1. To open the Network control panel, go to the Program Manager, double-click the Control Panels icon, and double-click the Network control panel.

2. Scroll through the Installed Network Software list. If you see an entry for TCP/IP Protocol, then TCP/IP is installed, and you're done with these steps. If you don't see TCP/IP Protocol listed, go to the next step.

3. Click Add Software, then pull down the Network Software combo list and choose TCP/IP Protocol and Related Components. Click OK.

4. The Windows NT TCP/IP Installation Options dialog appears (as shown in fig. 26.1). If you're using DHCP on your network, make sure to check the Enable Automatic DHCP Configuration checkbox. Click Continue. Windows NT installs the software; it may prompt you for the floppy or CD with the Windows NT network drivers.

Figure 26.1 Use the Windows NT TCP/IP Installation Options dialog box to configure your TCP/IP installation.

If you want to, you can also host a DHCP server under Windows NT Server. To configure DHCP, use the DHCPADMN program, found in the Windows NT system directory. DHCPADMN allows you to set the TCP/IP configuration parameters for individual clients on your network, including the following:

When an individual machine is set to use DHCP, it can still override the settings from the DHCP server, but this isn't a very good idea. In general, networks that use DHCP should avoid mixing in manual configurations. Microsoft's TCP/IP stacks for its operating system usually prevent users from changing routing or gateway information when DHCP is in use.

UNIX Servers

UNIX servers are popular for Internet use because almost every UNIX variety includes a full range of TCP/IP capabilities, including packet routing, name resolution using DNS, and route tracing. Most manufacturers include software for all the major protocols, including DNS, FTP, SMTP mail, POP mail, and NNTP news, preinstalled on the system disk.

In addition, there's a huge number of third-party Internet packages for UNIX machines; many, like NCSA's Mosaic and HTTP software, are free, with source code included or available.

Many UNIX manufacturers, including Sun and Silicon Graphics, offer specially configured Internet server bundles, made up of a UNIX workstation with preloaded software and authoring tools.

The chances are excellent that your UNIX servers already have TCP/IP installed and running; in fact, the whole reason why you have UNIX servers on your network may be because of their TCP/IP support! To configure a particular flavor of UNIX, please refer to your system documentation; a comprehensive guide for all the varieties is much too long to present here.

Adding Internet Capability to Your Clients

Adding the necessary capability to your servers is a critical first step; having done that, you'll want to configure your client machines so they can access the services you've made available via your servers.

This section explains how to configure your clients to use TCP/IP, and how to add Internet client software for browsing Web pages, transferring files with FTP, and connecting to remote computers with telnet.

Adding a Client TCP/IP Stack

Before you can configure your network clients to access Internet services, you have to make sure that they speak the Internet's lingua franca, TCP/IP. This section shows you how to install and configure TCP/IP stacks on your network clients to prepare them for use on the Internet.

Binding connects a piece of hardware, like a modem or Ethernet card, to a protocol stack. Your network adapter understands how to speak TCP/IP after the adapter and stack are bound together.

Windows NT Workstation

Windows NT includes a fast 32-bit TCP/IP driver as part of the base OS; however, it may not be installed and configured during the default installation. These instructions are for Windows NT Workstation 3.51, but the procedure for Windows NT Server is almost identical.

Most of the steps here require that you have Administrator privileges on the machine you're configuring.

How To Tell if TCP/IP Is Installed

Here's how to tell if TCP/IP is installed on your Windows NT client:

1. Open the Network control panel; to do so, go to the Program Manager, double-click the Control Panels icon, and double-click the Network control panel.

2. Scroll through the Installed Network Software list. If you see an entry for TCP/IP Protocol, then TCP/IP is installed.

Installing TCP/IP

To install or reinstall TCP/IP for Windows NT, follow these steps:

1. In the Network control panel, click Add Software, then pull down the Network Software combo list and choose TCP/IP Protocol and Related Components. Click OK.

2. The Windows NT TCP/IP Installation Options dialog appears as shown in figure 26.2. If you're using DHCP on your network, make sure to check the Enable Automatic DHCP Configuration checkbox. Click Continue. Windows NT installs the software; it may prompt you for the floppy or CD with the Windows NT network drivers.

Figure 26.2 Use the Windows NT TCP/IP Installation Options dialog box to configure your TCP/IP installation.

Configuring TCP/IP

The Windows NT TCP/IP configuration dialog box is very similar to the dialog boxes for Windows 3.11 and Windows 95. If you're using DHCP on your network, you shouldn't manually configure the clients, because any settings you change on the clients will override the settings from the DHCP server.

Now that the software is installed, you must tell your network adapter to support TCP/IP in addition to its other protocols and configure TCP/IP itself. Here's what to do:

1. Open the Network control panel and select TCP/IP Protocol from the Installed Network Software list. Select the network card you want to use with TCP/IP from the Network Adapter combo box. TCP/IP is now bound to the network adapter as a supported protocol.

2. Still in the Network control panel, click Configure. The TCP/IP Configuration dialog box, shown in figure 26.3, appears.

Figure 26.3 Use the TCP/IP Configuration dialog box to tell Windows NT about the gateways, routers, and addresses you want to use for communicating via TCP/IP.

3. If you're using DHCP on your network, check Enable Automatic DHCP Configuration and skip the rest of these steps.

4. If not, enter the TCP/IP address and the subnet mask you want to use for this client machine into the IP Address and Subnet Mask fields.

5. Enter the IP address of the gateway for this machine in the Default Gateway field. If you're using the Windows Internet Name Service (WINS), also fill in the Primary and Secondary WINS Server fields.

6. Click the DNS button. The DNS Configuration dialog box, shown in figure 26.4, appears. The Host Name field will reflect whatever the computer's NetBEUI name is; leave it alone. Put the domain name that this machine lives in into the Domain Name field.

Figure 26.4 Use the DNS Configuration dialog box to tell Windows NT about the DNS servers you want to use for name resolution.

7. For each DNS server you want Windows NT to use, type its address into the leftmost field in the Domain Name Service Search Order group, then click Add to add it to the list on the right. Do this for each server you want to use.

8. You can also tell Windows NT to search the DNS servers for particular domains first; this helps you by letting you set the default domain to search for names with no domain specified. Add domains in the Domain Search Suffix Order group by typing the domain into the field on the left, then click Add.

9. In both groups, you can reorder entries in the right-hand lists by selecting the entry you want to move and using the Up and Down arrow buttons.

10. When you've entered all the DNS servers and search orders, click OK to save your changes.

Depending on the changes you've made, Windows NT may require that you restart the machine before it can access TCP/IP services. If you need a restart, a dialog box appears asking your permission before restarting.

Windows 95

When Microsoft built Windows 95, they copied many of Windows NT's most successful features, including the 32-bit TCP/IP stack, which is built right into Windows 95. Depending on your machine's configuration, though, you may need to activate and configure the TCP/IP stack, because it's not automatically installed by default.

How To Tell if TCP/IP Is Installed

Here's how to tell if Windows 95's TCP/IP is already installed and bound to one of your network adapters:

1. Open the Network control panel by opening the Start menu, choosing Settings, Control Panel, and double-clicking the Network icon.

2. If you see TCP/IP listed in the list titled The Following Network Components Are Installed, it's installed. The entry shown indicates which network adapter the protocol's bound to. See figure 26.5 for an example.

Figure 26.5 The Network tabbed dialog box shows whether TCP/IP is installed; in this case, it's bound to the Windows 95 Dialup Adapter, as it would be if you want to install TCP/IP for use over a modem.

Installing TCP/IP

If the steps shown previously indicate that TCP/IP isn't installed, you'll need to install it. To install TCP/IP, follow these instructions:

1. Open the Network tabbed dialog box. Click the Add button, select Protocol, and click Add. When the Select Network Protocol dialog box appears, select Microsoft from the Manufacturers list, select TCP/IP from the Network Protocols list, and click OK.

2. In the Network tabbed dialog box, look at The Following Network Components Are Installed list, which indicates which networking hardware and software you have installed. Your network adapter card should appear in the list; click its name and then click Properties.

3. Click the Bindings tab in the Network Adapter Properties sheet. A list appears which contains all the network protocols that your adapter can speak. Depending on your network, you may see entries for IPX/SPX, NetBEUI, or other network protocols; leave them alone. Make sure that the box next to TCP/IP in the list is checked, then click OK.

Configuring TCP/IP

Now that the TCP/IP stack is correctly installed and bound, you'll need to configure it so that it will work on your network. To configure Windows 95's TCP/IP stack, follow these steps:

1. Open the Network tabbed dialog box, select your TCP/IP-to-network adapter binding, and then click Properties.

2. The TCP/IP Properties sheet, shown in figure 26.6, appears. Click the IP Address tab. If you're using DHCP on your network, check the Obtain an IP Address Automatically check box and skip the rest of these steps.

Figure 26.6 Use the TCP/IP Properties sheet to tell Windows 95 about the gateways, routers, and addresses you want to use for communicating via TCP/IP.

3. If not, enter the TCP/IP address and subnet mask you want to use for this client machine into the IP Address and Subnet Mask fields.

4. Click the Gateways tab. Enter the IP address of the gateway for this machine in the Default Gateway field.

5. If you want this client to use the Windows Internet Name Service (WINS) for resolving the IP addresses of some machines, click the WINS Configuration tab and fill in the Primary and Secondary WINS Server fields with the addresses of your primary and secondary WINS servers.

6. Click the DNS Configuration tab. If you want this client to use DNS for name resolution, make sure the Enable DNS radio button is selected. The Host field will reflect whatever the computer's NetBEUI name is; leave it alone. Put the domain name that this machine lives in into the Domain field.

7. For each DNS server you want Windows 95 to use, type its address into the topmost field in the DNS Server Search Order group, then click Add to add it to the list below. Do this for each server you want to use.

8. You can also tell Windows 95 to search the DNS servers for particular domains first; this helps you by letting you set the default domain to search for names with no domain specified. Add domains in the Domain Search Suffix Order group by typing the domain into the top field, then clicking Add.

9. When you've entered all the DNS servers and search orders, click OK to save your changes.

Depending on the changes you've made here, Windows 95 may or may not require that you restart the machine before it can access TCP/IP services. If you need a restart, a dialog box appears asking your permission before restarting.

Windows for Workgroups

Configuring TCP/IP services for Windows for Workgroups (WfW) is widely regarded as a black art. Until 1992, Microsoft didn't provide a standard for writing TCP/IP stacks for Windows, so every vendor wrote their own. The predictable result: applications from one vendor wouldn't run on another vendor's stack.

The Winsock standard, introduced in 1992, was an effort to set out a standard set of features that all TCP/IP stacks could support. Today, it's quite rare to find any TCP/IP applications that don't support the Winsock specification.

How To Tell if TCP/IP Is Installed

To determine whether Microsoft TCP/32 is already installed on your client, follow these steps:

1. In the Windows Program Manager, open the Network program group and double-click the Network Setup icon.

2. In the Network Setup dialog box, choose the Drivers button to display the Network Drivers dialog box. When the Network Drivers dialog appears, it will list the installed network adapters on your computer; each adapter will show the protocols bound to it. If Microsoft TCP/32 appears below your network adapter, then it's already been installed.

Installing TCP/IP

If the previous steps indicate that Microsoft TCP/32 isn't installed, don't panic; just follow the steps shown here to install it.

To complete the installation, you'll need Microsoft's "Microsoft TCP/IP-32 for Windows for Workgroups 3.11" disk; Windows NT and Windows 95 provide the TCP/IP drivers as part of the installation, but WfW 3.11 doesn't.

1. Open the Network Setup dialog box by double-clicking the Network Setup icon in the Network program group.

2. Click Drivers, then select your network adapter, then click Add Protocol. In the Add Network Protocol dialog box, select Unlisted Or Updated Protocol (it should be the first item), and click OK.

If you've been using any other vendor's TCP/IP stack, Microsoft recommends that you uninstall it by using the Remove button in the Network Drivers dialog before installing Microsoft TCP/32.

3. In the Install Driver dialog box, specify the drive and path to the Microsoft TCP/IP-32 for Windows for Workgroups 3.11 disk, then click OK. Windows shows another dialog box listing the protocols on the disk; select Microsoft TCP/IP 32 and click OK. Finally, Windows will install the TCP/IP files onto your disk. When installation finishes, the Network Drivers dialog box will return.

Configuring TCP/IP

Now that TCP/IP-32 is installed, it's time to configure it to work with your network. To do so, follow these steps:

1. Open the Network Setup dialog box by double-clicking the Network Setup icon in the Network program group; click Drivers, then select Microsoft TCP/IP-32 3.11 from the driver list and click the Setup button. The Microsoft TCP/IP Configuration dialog box appears, as shown in figure 26.7.

Figure 26.7 Use the Microsoft TCP/IP Configuration dialog box to tell Windows about the gateways, routers, and addresses you want to use for communicating via TCP/IP.

2. Select your network adapter from the Adapter pull-down list.

3. If you're using DHCP on your network, check Enable Automatic DHCP Configuration and skip the rest of these steps.

4. If not, enter the TCP/IP address, subnet mask, and default gateway you want to use for this client machine into the IP Address, Subnet Mask, and Default Gateway fields.

5. If you're using the Windows Internet Name Service (WINS), check the Query WINS for Windows Name Resolution checkbox and fill in the Primary and Secondary WINS Server fields with the addresses of your network or subnet's WINS servers.

6. If you want WfW to use DNS for host name resolution, click the DNS button. The DNS Configuration dialog appears. The Host Name field reflects whatever the computer's NetBEUI name is; leave it alone. Put the domain name that this machine lives in into the Domain Name field.

7. For each DNS server you want WfW to use, type its address into the leftmost field in the Domain Name Service Search Order group, then click Add to add it to the list on the right. Do this for each server you want to use.

8. You can also tell WfW to search the DNS servers for particular domains first; this helps you by letting you set the default domain to search for names with no domain specified. Add domains in the Domain Search Suffix Order group by typing the domain into the left-hand field, then click Add.

9. In both groups, you can reorder entries in the right-hand lists by selecting the entry you want to move and using the Up and Down arrow buttons.

10. When you've entered all the DNS servers and search orders, click OK to save your changes.

After you've finished configuring Microsoft TCP/IP-32, you'll have to restart the computer for the changes to take effect.
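Both the Windows 95 and the Windows for Workgroups procedures above ask you to type an address, a subnet mask, a default gateway, DNS server addresses, and a domain into separate fields, and neither dialog box checks that the values agree with one another. The script below is an added example, not part of the book or of either Microsoft product: it applies the consistency rules a network administrator would check by hand (the gateway must sit on the client's own subnet, DNS entries must be addresses rather than names, the domain must be a well-formed DNS name). All addresses in it are constructed sample values from the documentation ranges; the function name and its error messages are this example's own.

```python
import ipaddress
import re

# Hypothetical helper (not from the book): sanity-check the values that go into the
# IP Address, Subnet Mask, Default Gateway, DNS Server and Domain fields.
LABEL_RE = re.compile(r"^[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def check_tcpip_settings(ip, mask, gateway, dns_servers, domain, use_dhcp=False):
    """Return a list of problems found; an empty list means the settings are consistent."""
    problems = []
    if use_dhcp:
        # With DHCP the server supplies address, mask, gateway and DNS; nothing to check here.
        return problems
    try:
        iface = ipaddress.IPv4Interface(f"{ip}/{mask}")   # accepts a dotted-quad mask
    except ValueError as exc:
        return [f"invalid IP address or subnet mask: {exc}"]
    net = iface.network
    if net.prefixlen < 31 and iface.ip in (net.network_address, net.broadcast_address):
        problems.append(f"{iface.ip} is the network or broadcast address of {net}; pick a host address")
    try:
        gw = ipaddress.IPv4Address(gateway)
    except ValueError:
        problems.append(f"default gateway {gateway!r} is not a valid IPv4 address")
    else:
        if gw not in net:
            problems.append(f"default gateway {gw} is not on the local subnet {net}; the client cannot reach it")
        elif gw == iface.ip:
            problems.append("default gateway is the client's own address")
    if not dns_servers:
        problems.append("no DNS servers listed; host names will not resolve")
    for server in dns_servers:
        try:
            ipaddress.IPv4Address(server)
        except ValueError:
            problems.append(f"DNS server entry {server!r} is not an IPv4 address (the field takes addresses, not names)")
    if not domain or not all(LABEL_RE.match(label) for label in domain.split(".")):
        problems.append(f"domain {domain!r} is not a valid DNS domain name")
    return problems


if __name__ == "__main__":
    # Constructed sample values (RFC 5737 documentation ranges), not taken from the book.
    good = check_tcpip_settings("192.0.2.10", "255.255.255.0", "192.0.2.1",
                                ["192.0.2.53", "198.51.100.53"], "lab.example")
    bad = check_tcpip_settings("192.0.2.10", "255.255.255.0", "198.51.100.1",
                               ["ns.example"], "lab.example")
    print("good settings:", good or "no problems found")
    print("bad settings:", *bad, sep="\n  ")
```

A gateway outside the client's subnet is the classic symptom behind "I can reach machines on my LAN but nothing on the Internet", which is why the check singles it out.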

Adding WWW Browsers

Many companies connect to the Internet just for access to the World Wide Web (WWW) and its wealth of information and reference sources. To access the WWW, you'll need a browser—the software tool that you use to view Web pages and communicate with Web servers.

Netscape Navigator and NCSA Mosaic are both freely available on the Internet, but their use by companies is restricted. Please make sure that you comply with the provisions of their licenses and purchase copies as appropriate for your use.

Installing NCSA's Mosaic

The National Center for Supercomputing Applications (NCSA) invented the original Mosaic, the first graphical WWW browser. Although Spyglass now owns the commercial rights to both the Mosaic name and the code itself, NCSA has continued to develop new features and put them into public releases of its Windows version of Mosaic.

NCSA Mosaic for Windows 2.0, the latest version, is available via anonymous FTP to ftp.ncsa.uiuc.edu in the directory /Mosaic/Windows. There are separate subdirectories for Windows 3.1, Windows 95, and Windows NT. Note that there's no Win16 version; you must be running Win32s, Windows 95, or Windows NT to run Mosaic.

Windows Mosaic is packaged as a self-extracting EXE file; after you've retrieved the file, running the EXE file will produce a set of installation files. Run SETUP.EXE and Mosaic will be installed.

To facilitate installing Mosaic on all your client machines, you may want to create a central directory on one of your file servers so that users can connect to the server and install Mosaic themselves.

For more information on using Mosaic, see Que's Special Edition Using the World Wide Web with Mosaic (ISBN 0-7897-0250-9).

Installing Microsoft's Internet Explorer

Microsoft is among the companies that chose to license Spyglass Mosaic (the commercial version of NCSA's tool) rather than writing their own from scratch. To differentiate Internet Explorer from other Spyglass Mosaic versions, Microsoft has made it fully exploit the features of Windows 95, including support for long file names, shortcuts, and the Windows 95 user interface.

Internet Explorer is part of Microsoft's Plus! pack for Windows 95; to install it, all you have to do is insert the Plus! CD in your CD-ROM drive and click the Internet Jumpstart icon. The setup installer will place Internet Explorer onto your machine.

Note that Internet Explorer doesn't work with Windows 3.1, Windows for Workgroups, or Windows NT.

For complete details on installing and using Internet Explorer, see Que's 10 Minute Guide to Microsoft Internet Explorer (ISBN 0-7897-0628-8).

Installing Netscape's Navigator

Netscape, a startup founded by several former NCSA programmers and the founder of Silicon Graphics, has one of the hottest software packages on the market right now: Netscape Navigator. Navigator offers a wealth of WWW, mail, news, and FTP features, all wrapped in a slick, multithreaded package that takes full advantage of Windows NT and Windows 95.

The latest version, Navigator 2.0, offers a host of new features—including a built-in scripting language, multiple "frames" on a single page, and a nicely integrated e-mail package.

Navigator is available via anonymous FTP from ftp.netscape.com in /NETSCAPE/WINDOWS. Unlike Internet Explorer and Mosaic, there is a 16-bit version of Navigator; the file names are N16E122.EXE for 16-bit versions and N32E122.EXE for 32-bit software.

Navigator's packaged as a self-extracting .EXE file; after you've retrieved the file, running the .EXE file produces a set of installation files. Run SETUP.EXE and Navigator is installed.

Adding Other Internet Applications

Of course, there's a lot more to the Internet than just the World Wide Web; Internet e-mail, file transfer (using the File Transfer Protocol, or FTP), and remote login services (which use the telnet protocol) offer a lot more reasons to get wired. This section discusses installing and using telnet and FTP clients.

For Winsock users, The Consummate Winsock Applications List, available from http://cwsapps.texas.net, is an invaluable source of information. Mac users should visit the TidBITS page at http://www.tidbits.com for Mac-specific information.

OS/2, Windows 95, and Windows NT all include FTP and telnet clients, but they don't offer much beyond bare-bones functionality. For example, the Windows NT/Windows 95 FTP client is a command-line interface indistinguishable from its UNIX predecessors. Fortunately, because the Winsock standard defines how applications should access the network, it's very easy to change between clients. Let's see what else is out there!

FTP Clients

The basic purpose of an FTP client is to allow you to transfer files back and forth over the Internet. That may sound simple, but then so did the DOS command line.

If your FTP needs are occasional, you might be able to get by with the stock command-line FTP client—provided you don't mind learning FTP's command syntax. A better bet might be to use one of the excellent graphical FTP clients that exist for various platforms. Here are some features to look for when choosing an FTP client:

Telnet Clients

If you want to log into other computers across the Internet, you'll be using the telnet protocol. Like FTP, telnet sounds simpler than it really is; although the built-in Windows telnet client offers a bare-bones solution, it lacks several essential features that you'll quickly come to miss.

Here are some features you should look for when choosing a telnet client:

Integrated Packages

Integrated packages that combine FTP, telnet, e-mail, and other functions (including WWW browsers, in some cases) have become increasingly popular. Why? They typically offer a consistent user interface, and the components work well together. For example, clicking a WWW URL in a mail message might launch an integrated suite's browser.

Some suites, like Apple's Internet Connection or Netscape's Personal Edition, are really bundles of individual programs, combined with dialup SLIP or PPP modules to provide dialup access.

Most suites depend on Winsock, which is fine if you're running on an OS that includes Winsock support. On Novell networks, you can use a product like Novell's LANWorks 5.0, which provides a Winsock-over-IPX layer that allows the suite to function normally.

Most integrated packages are commercial, like Wollongong's Emissary, InterCon's TCP/Connect II, or CompuServe/Spry's Internet In A Box package. However, there are a few shareware suites, like WinQVT.

Use the guidelines listed previously for choosing FTP and telnet clients to evaluate which integrated package is right for you. In addition, if you're buying a suite that includes e-mail or WWW browsing capability, make sure that what is included will suit your needs.

Publishing Information on the Internet

In many cases—perhaps yours—the driving force behind getting connected to the Internet isn't the desire to access information but the desire to publish it. Many traditional media outlets have discovered that the Internet offers a wealth of opportunity, and even small companies can maintain a visible, viable, and valuable presence on the Internet at a fraction of the cost of conventional advertising.

Depending on how your network is configured, you may not be able to publish information to the entire Internet (for example, if your network is firewalled)—but you can still publish via FTP and WWW services for internal use!

HTTP Servers

HTTP is the HyperText Transfer Protocol—the engine behind the WWW. By running an HTTP server on one of your machines, and making it visible on the Internet, you can open up a combination storefront, showroom, and technical support center to the 15-million-plus Internet users who can access the WWW.

In general, the current crop of WWW servers for Macintosh, UNIX, and Windows NT are all fairly similar: they serve WWW pages and can process interactive forms submitted by the client. Most offer address-level access controls and user/password authentication, so you can restrict access to material on your servers. Here's a short list of questions to ask to help find the right server package for your needs:

FTP Servers

Before there was a WWW, FTP provided a useful way to move files between computers on the Internet. The large FTP archives of Windows and Macintosh software at the University of Michigan, Washington University in St. Louis, and elsewhere remain among the leading net sites, just because they're so useful.

You can easily set up an FTP server for internal or external use. FTP service is a nice complement to the WWW; sometimes, users just want to download a file, like a patch or a demo version of a program, and FTP does just fine for that.

You might wonder why you should bother with FTP when other file transfer tools, like UNIX NFS or Windows shared network drives, offer a standard interface that looks like the rest of the OS. Here's a one-word summary: interoperability. Clients using FTP can pull files from your site using anything from America Online to a Cray supercomputer, and everything in between. In addition, you can easily host an FTP server on anything from an old 386 running Linux to a fancy Silicon Graphics web server.

Most net archives, including those offered by major companies and universities, offer anonymous access—anyone can log in and fetch files (most sites prevent anonymous users from uploading files, for obvious security reasons). Many sites also provide non-anonymous access; these sites require that you have a username and password to use them, just like logging in via telnet.

The considerations from the previous section apply here, too; you need to decide how many servers you need and whether you want to use one of the many excellent freeware or shareware servers (like Peter Lewis' FTPd for the Mac, or Alun Jones' program of the same name for Windows) or buy commercially-supported servers.

A Word about Security

The Internet is large, international, and uncontrolled. These attributes have helped it blossom into the valuable resource that it is today, but they also introduce a degree of risk for organizations that connect their own networks to it.

Firewalls and Proxies

A firewall does just what its name implies: it separates "dangerous" things from things which need protection. For example, there's a firewall between the engine of your car and the passenger compartment. There may also be a firewall between your network and the Internet. Network firewalls serve two purposes: they keep unwanted traffic from reaching into your network, and they restrict the hosts and services that users on your network can connect to on the Internet.

Firewalls can be implemented in a number of ways. Many routers offer configuration options which let you make the router discard certain traffic, whether inbound or outbound; this blocking effectively prevents users from connecting to nonstandard ports or to ports for services that you want to control access to. Several manufacturers make standalone firewalls which connect between your Internet connection and your network router. Finally, some software packages, like SurfWatch, allow you to restrict WWW browsing by users on your network.

Firewalls are typically not visible at the individual user level; the network administrators usually maintain them, and they can control which machines can "pierce" the firewall on an address-by-address basis.
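The two purposes just described (keeping unwanted inbound traffic out, while letting your own users reach the Internet) come down to an ordered list of rules that the router or firewall box applies to each connection attempt. The program below is an added example, not code from the book or from any router or firewall vendor: it models such a rule list for a constructed LAN in which WWW and FTP service are concentrated on two designated hosts and every other inbound attempt is rejected, the arrangement recommended in "Configuring for Security" later in this chapter. The network, host addresses, rule fields and function names are all assumptions of this example; it decides on new connection attempts only and assumes that replies to allowed attempts are let through.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed example network (RFC 5737 documentation addresses), not from the book.
INTERNAL_NET = ipaddress.ip_network("192.0.2.0/24")
WWW_HOST = ipaddress.ip_address("192.0.2.10")   # the one machine that publishes Web pages
FTP_HOST = ipaddress.ip_address("192.0.2.11")   # the one machine that offers FTP


@dataclass(frozen=True)
class Rule:
    action: str                      # "allow" or "deny"
    direction: str                   # "in" (Internet -> LAN) or "out" (LAN -> Internet)
    proto: Optional[str] = None      # "tcp", "udp", or None for any protocol
    dst_host: Optional[ipaddress.IPv4Address] = None   # None matches any destination
    dst_port: Optional[int] = None   # None matches any port


@dataclass(frozen=True)
class Connection:
    """A new connection attempt crossing the firewall (simplification: replies to an
    allowed attempt are assumed to pass; only the opening packet is judged here)."""
    src: str
    dst: str
    proto: str
    dst_port: int


# Hypothetical policy: first matching rule wins.
POLICY = [
    Rule("allow", "out"),                        # users may open connections outward
    Rule("allow", "in", "tcp", WWW_HOST, 80),    # WWW reaches only the designated server
    Rule("allow", "in", "tcp", FTP_HOST, 21),    # FTP control channel only to the FTP server
    Rule("deny", "in"),                          # every other inbound attempt is rejected
]


def direction_of(conn):
    src_inside = ipaddress.ip_address(conn.src) in INTERNAL_NET
    dst_inside = ipaddress.ip_address(conn.dst) in INTERNAL_NET
    if src_inside and not dst_inside:
        return "out"
    if dst_inside and not src_inside:
        return "in"
    return "local"   # traffic that never crosses the firewall


def matches(rule, conn, direction):
    return (rule.direction == direction
            and (rule.proto is None or rule.proto == conn.proto)
            and (rule.dst_host is None or rule.dst_host == ipaddress.ip_address(conn.dst))
            and (rule.dst_port is None or rule.dst_port == conn.dst_port))


def evaluate(conn, policy=POLICY):
    """Return "allow" or "deny"; anything no rule mentions is denied."""
    direction = direction_of(conn)
    for rule in policy:
        if matches(rule, conn, direction):
            return rule.action
    return "deny"


def exposed_services(policy=POLICY):
    """(host, port) pairs the outside world may reach: the list an administrator
    should review when auditing the firewall."""
    return sorted((str(r.dst_host) if r.dst_host is not None else "any",
                   str(r.dst_port) if r.dst_port is not None else "any")
                  for r in policy if r.action == "allow" and r.direction == "in")


if __name__ == "__main__":
    samples = [   # constructed connection attempts
        Connection("203.0.113.5", "192.0.2.10", "tcp", 80),     # WWW to the Web server
        Connection("203.0.113.5", "192.0.2.50", "tcp", 23),     # telnet to a workstation
        Connection("203.0.113.5", "192.0.2.10", "tcp", 8080),   # nonstandard port on the Web server
        Connection("192.0.2.50", "198.51.100.7", "tcp", 80),    # a user browsing outward
    ]
    for c in samples:
        print(f"{c.src:>14} -> {c.dst}:{c.dst_port:<5} {evaluate(c)}")
    print("exposed from the Internet:", exposed_services())
```

The last rule is what makes the policy "default deny" for inbound traffic; a telnet attempt to a workstation and a probe of a nonstandard port on the Web server both fall through to it.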

If you already know what a proxy shareholder or a proxy holder is, then you understand proxy servers—all they do is accept client requests for services and forward them, if necessary, to a server which can answer them. In a typical proxy installation, all clients in a network point to one proxy server, which is the only machine permitted to make connections which pass through the firewall.

Almost all proxy servers, like those from Netscape and CERN, cache WWW pages. If multiple users request the same page, the page only has to be fetched over the Internet once, until it expires or changes.

Proxy servers are very useful for sites whose Internet connection is slow, because proxy caching reduces the total number of requests sent out to the Net. Proxying can also provide useful anonymity for your users; some companies are very sensitive to competitive pressures and don't want to leave a clear trail of what pages their researchers or marketing employees have been visiting. If your ISP provides a proxy server, it's probably worth using it.
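To make the caching behaviour concrete: the proxy answers a second request for a page from its own copy as long as that copy is still fresh, and goes back out to the Net only once the copy has expired. The following is an added illustration written for this chapter, not code from Netscape's, CERN's or any other proxy; the origin server, the 300-second lifetime, the clock and the class names are all constructed for the example.

```python
from dataclasses import dataclass


@dataclass
class CachedPage:
    body: bytes
    fetched_at: float
    max_age: float        # seconds the copy may be served from cache (from the origin's headers)


class CachingProxy:
    """Constructed model of a caching WWW proxy, not any real product's code.
    fetch_origin(url) stands in for the trip over the Internet and returns
    (body, max_age_seconds); clock() returns the current time in seconds."""

    def __init__(self, fetch_origin, clock):
        self._fetch_origin = fetch_origin
        self._clock = clock
        self._cache = {}
        self.origin_requests = 0      # how many times we actually went out to the Net

    def get(self, url):
        now = self._clock()
        entry = self._cache.get(url)
        if entry is not None and now - entry.fetched_at < entry.max_age:
            return entry.body, "HIT"          # fresh copy: no Internet traffic at all
        body, max_age = self._fetch_origin(url)
        self.origin_requests += 1
        self._cache[url] = CachedPage(body, now, max_age)
        return body, "MISS" if entry is None else "EXPIRED"


class FakeClock:
    """Lets the example move time forward without waiting."""
    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


def constructed_origin(url):
    # Constructed origin server: every page may be cached for 300 seconds.
    return (f"<html>page for {url}</html>".encode(), 300.0)


def demo():
    """Three users ask for the same page, then one more asks after it has expired.
    Returns the cache status of each request and the number of trips to the origin."""
    clock = FakeClock()
    proxy = CachingProxy(constructed_origin, clock)
    url = "http://www.example/index.html"
    statuses = [proxy.get(url)[1] for _ in range(3)]
    clock.advance(301)
    statuses.append(proxy.get(url)[1])
    return statuses, proxy.origin_requests


if __name__ == "__main__":
    print(demo())   # (['MISS', 'HIT', 'HIT', 'EXPIRED'], 2)
```

Four requests cost two fetches over the Internet link, and the origin server only ever sees the proxy's address, which is the anonymity benefit mentioned above.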

Security and Software

If you follow any of the major media, you've probably noticed a variety of reported security problems and vulnerabilities on the Internet. By design, the Internet is an open, collaborative network, with little security designed in. Many vendors have attempted—with varying degrees of success—to layer security on top of Internet standards.

As of this writing, the Internet Engineering Task Force (IETF) has introduced a new version of TCP/IP, IPv6, that includes powerful features for verifying the authenticity of connections and protecting data from snoopers by encrypting it at the IP level. IPv6 can interoperate with "classic" TCP/IP, but if you're about to buy equipment or software, make sure to find out whether your vendor plans to support IPv6. The new features are well worth it!

Careful use of firewalling can greatly reduce the risk of an intruder breaking into your internal network from the Internet. Many corporations and universities have their firewalls set to disallow telnet connections to internal hosts from the outside world.

If you're running only machines whose operating systems don't support remote logins, like Windows and the Macintosh OS, don't assume that you have no worries; an attacker can still steal or damage files or data on these types of machines.

Most successful attacks which originate from the Internet are executed by hackers who steal, guess, or eavesdrop on passwords and access numbers—meaning that the best way to protect your machines is to carefully educate your users and administrators.

A complete discussion of security and the Internet could fill a book this size—and it has! If you're even halfway interested in security, take the small amount of time to read Bellovin and Cheswick's book (see "Summary" later in this chapter for a full citation) or another equally good one. The investment of time you make to learn about security risks on the Internet will be repaid many times over in both increased security and peace of mind.

Viruses

If you don't already have a policy for making sure that new software coming onto your computers is scanned for viruses, and that all machines get regular scans, now is an excellent time to start!

Not many PC viruses have been widely spread by the Internet; most often, virus infections come from infected files passed directly from user to user. However, there's only one effective way to protect your machines, and that's to protect them. Be sure that you obtain, and use, a good antivirus tool. Make it a habit—not just a policy—to use it on software you download from the Internet.

For more information on viruses, antivirus software, and protecting your computers from viral infection, see chapter 19, "Antivirus Technology."

Configuring for Security

Here are some recommendations for configuring your network and services for increased security and safety. This list is only a starting point; make sure to think carefully about your needs and liabilities when setting access and security policies.

• Use a firewall if at all possible. Many routers support firewall-type blocking and filtering, and the Bellovin and Cheswick book listed in the "Summary" section later in this chapter includes source code for a powerful UNIX firewall.

• If you don't install a firewall, program your routers to reject incoming connections on nonstandard ports. You should also consider blocking telnet, FTP, and WWW connections to most machines on your network; instead, concentrate those facilities on one or two machines outside the main subnets.

• Depending on your network type, you may also want to configure blocking of non-TCP/IP services, like IPX and AppleTalk packets, which can be carried as encapsulated TCP/IP packets. For example, if you're on a Novell network you should ensure that your servers won't be visible to other Novell nets elsewhere on the Internet.

• Consider whether you can use a network gateway to connect your NetBEUI or IPX network to the Internet. By doing so, you avoid installing TCP/IP stacks on each individual client, which makes it much harder for an intruder to do any damage.

• If you offer an FTP server reachable from the outside Internet, consider turning off the ability for anonymous users to upload files. This protects you against having your site used as a drop-box for illegal or questionable material.

• Make sure to use whatever logging features are built into your operating system. Make a habit of scanning the logs (automatically or by eyeball) to look for suspicious activity.
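"Scanning the logs automatically" can be as simple as a short script run against yesterday's log file. The one below is an added example, not part of the book or of any particular server's software: it reads a handful of constructed, syslog-style lines (the format is invented for this example; real ftpd and telnetd messages differ) and raises two of the flags the list above is concerned with, a burst of failed logins from one source and an upload attempt by an anonymous FTP user. The thresholds, regular expression and function names are this example's own choices.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log in a simple syslog-like format (not real ftpd/telnetd output).
SAMPLE_LOG = """\
1996-03-04 09:12:01 gw ftpd: FAILED LOGIN from 203.0.113.5 user=jsmith
1996-03-04 09:12:03 gw ftpd: FAILED LOGIN from 203.0.113.5 user=root
1996-03-04 09:12:04 gw ftpd: FAILED LOGIN from 203.0.113.5 user=admin
1996-03-04 09:12:06 gw ftpd: FAILED LOGIN from 203.0.113.5 user=guest
1996-03-04 09:12:08 gw ftpd: FAILED LOGIN from 203.0.113.5 user=ftp
1996-03-04 09:15:22 gw ftpd: LOGIN from 192.0.2.50 user=mjones
1996-03-04 09:16:40 gw ftpd: LOGIN from 198.51.100.20 user=anonymous
1996-03-04 09:16:55 gw ftpd: STOR /incoming/upload.bin from 198.51.100.20 user=anonymous
1996-03-04 11:02:10 gw telnetd: FAILED LOGIN from 192.0.2.77 user=mjones
1996-03-04 13:45:00 gw telnetd: FAILED LOGIN from 192.0.2.77 user=mjones
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<service>\w+): "
    r"(?P<event>FAILED LOGIN|LOGIN|STOR \S+) from (?P<src>[\d.]+) user=(?P<user>\S+)$")

FAIL_THRESHOLD = 5                    # this many failures from one source...
FAIL_WINDOW = timedelta(minutes=5)    # ...within this much time is suspicious


def parse(log_text):
    """Turn log lines into dicts; lines that don't fit the format are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            event = m.groupdict()
            event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%d %H:%M:%S")
            events.append(event)
    return events


def find_suspicious(events, threshold=FAIL_THRESHOLD, window=FAIL_WINDOW):
    """Return human-readable findings: anonymous uploads and failed-login bursts."""
    findings = []
    failures = defaultdict(list)
    for e in events:
        if e["event"] == "FAILED LOGIN":
            failures[e["src"]].append(e["ts"])
        elif e["event"].startswith("STOR") and e["user"] == "anonymous":
            findings.append(f"anonymous upload attempt from {e['src']}: {e['event']}")
    for src, times in failures.items():
        times.sort()
        # Sliding window: flag the source if `threshold` failures fall inside `window`.
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                findings.append(f"{threshold} failed logins from {src} within {window}")
                break
    return findings


if __name__ == "__main__":
    for finding in find_suspicious(parse(SAMPLE_LOG)):
        print("SUSPICIOUS:", finding)
```

The two slow failures from 192.0.2.77 are left alone, since a user mistyping a password twice in a day is normal; the five attempts in seven seconds from 203.0.113.5 are not.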

Summary

As you've seen throughout this chapter, adding Internet access to your existing LAN or WAN isn't that hard. You do need to think ahead to decide what connection methods best suit your needs, and you'll find that extra time invested in security planning will pay off in peace of mind and increased security. Now that you understand what to do to bring Internet access to your network, you may find the following references helpful for providing more detail:

• For more information on bridges and routers, see chapters 14, 15, and 16 in part IV, "Connections."

• Setting up your network for outgoing Internet access is similar in many ways to what you have to do to allow incoming access for remote and telecommuting users. See chapter 27, "Adding Remote Network Access (Telecommuting)," for additional details on adding and configuring remote access hardware and software.

• For more information on how to protect your networked computers from viruses, see chapter 19, "Antivirus Technology."

If you're looking for Internet client or server software for Windows 3.x, Windows 95, or Windows NT, drop by Forrest Stroud's Consummate Winsock Applications List at http://cwsapps.texas.net.