Clarity, please

Scott C. Best sbest at best.com
Thu Jun 21 17:25:31 EDT 2001


Stephen:

	Hello! Having just finished setting up a firewall
for my home LAN on an @Home cable-modem network, and having 
just config'd it to handle my wife's IPSec connectivity back
to her offices, I thought I'd write. What an intro. :)

	Your question seems to be blurring the distinction
between a VPN and a firewall, so I thought I'd un-blur that
a bit in my answer. Not that it is a critical distinction,
but it is an important detail, and network security is all
about details.
	First off, the first thing your cable-modem should
see when it enters your home is the "external interface"
of a firewall. The simplest of firewalls will have two
interfaces: this one facing the external Internet, and another
one looking internally (the "internal interface"). It is to 
that internal interface you should connect the uplink of your 
ethernet hub, and then to that hub all of your PCs, an 802.11 
access point, or even another hub.
	So far so good. For most home LANs, though, you need
one more thing: the ability to share the single IP address
that @Home gives you with the 5 or 6 (10 or 12?) devices in
your home that you want to be able to access the Internet.
In Windows parlance, this is called "Internet Connection
Sharing" or ICS; in the networking world it's known as Network
Address Translation or many-to-one NAT; in the Linux world 
it's known as IP-Masquerading.

	When a box does both of these things, it's typically
called a firewall/router. LinkSys and others of the $200 box
vendors call them Cable/DSL routers. Same thing. Once you
have one set up, your home network will be an order of
magnitude more secure than it was...at the cost of some lost
convenience. That is, "normal" Internet applications like
web-browsing and email will work fine. But troublesome apps,
like FTP, VPNs, or even Napster may require some special
hand-holding. Reason is pretty simple: a device on your LAN
acting as a server is awaiting incoming connections, and
your firewall's job is (at a very high level) to block such
things. Also, as convenient as NAT is, it comes at a price
of flexibility as well: some applications will require special
port-forwarding rules to become operational again.

	Speaking of VPNs, let me completely gloss over what
they accomplish technically, and describe instead what they 
are commonly used for: to connect people at home with the 
corporate LAN back at work. So the company installs the VPN 
server, and the worker-bees take home laptops with VPN clients 
installed on them. They connect the laptop into the home LAN, 
fire up the VPN client, and connect securely back with the 
corporate HQ. Well, they connect "securely enough" for checking 
email, using meeting-maker, accessing databases, and other
LAN-based services.
	Me, I've no need for VPNs as much as I have need for
secure remote access. Different animal. For what I need to do, 
SSH (think telnet with encrypted content and cryptographically 
strong authentication) is more than fine, especially in that
an SSH connection can be used as a "secure tunnel" for other
remote-control applications like VNC.

	Sounds complicated. :) It's fairly manageable, though, 
with the right piece of hardware, a receptive audience for 
tech-support questions, and a motivated owner. That being said,
I'd suggest you have a look here:

	http://LEAF.sourceforge.net

	I help out on the developer staff of that project.
Its aim is to turn an old x86 computer with two NICs into
a firewall/router suitable for all of the above. Most 
versions of LEAF boot from a single 1.4MB floppy, so you
don't even need a hard-drive in that old doorstop of a PC.
Terribly useful, and a very newbie-friendly mailing list.
If you're trying to do something fancy with your home LAN,
odds are someone on our list has done it before, a few dozen
times.

	Hope this helps!

cheers,
Scott
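As an added illustration of the NAT point in the message above (not code from the message or from the LEAF project): a small Python model of many-to-one NAT on a two-interface firewall/router. Outbound flows from LAN hosts are rewritten to the single external address, replies are mapped back, and an unsolicited inbound connection to a LAN server is dropped until a port-forwarding rule exists. All addresses and ports are constructed sample values from documentation ranges.

```python
# Toy model of many-to-one NAT (IP masquerading) on a two-interface firewall/router.
# Added illustration only; not LEAF code. Addresses are constructed documentation-range values.
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

@dataclass
class MasqRouter:
    external_ip: str                                  # the single address the cable provider assigns
    forwards: dict = field(default_factory=dict)      # ext_port -> (lan_ip, lan_port): static rules
    _out: dict = field(default_factory=dict)          # (lan_ip, lan_port) -> ext_port: live flows
    _in: dict = field(default_factory=dict)           # ext_port -> (lan_ip, lan_port): reverse map
    _next_port: int = 40000                           # next free external port to hand out

    def outbound(self, pkt):
        """LAN -> Internet: replace the private source with the shared external address."""
        key = (pkt.src_ip, pkt.src_port)
        if key not in self._out:                      # first packet of a new flow: allocate a port
            self._out[key] = self._next_port
            self._in[self._next_port] = key
            self._next_port += 1
        return Packet(self.external_ip, self._out[key], pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt):
        """Internet -> LAN: deliver only replies to LAN-initiated flows or forwarded ports."""
        if pkt.dst_ip != self.external_ip:
            return None
        target = self._in.get(pkt.dst_port) or self.forwards.get(pkt.dst_port)
        if target is None:
            return None                               # unsolicited connection: dropped
        return Packet(pkt.src_ip, pkt.src_port, *target)

def demo():
    r = MasqRouter("203.0.113.10")
    # Web browsing from a LAN PC: the request is masqueraded and the reply is mapped back.
    req = r.outbound(Packet("192.168.1.20", 51000, "198.51.100.5", 80))
    reply = r.inbound(Packet("198.51.100.5", 80, "203.0.113.10", req.src_port))
    # A host on the Internet tries to reach a VNC server on the LAN: no rule, so it is dropped.
    blocked = r.inbound(Packet("198.51.100.9", 33000, "203.0.113.10", 5900))
    # With a port-forwarding rule in place, the same packet is handed to the LAN host.
    r.forwards[5900] = ("192.168.1.30", 5900)
    allowed = r.inbound(Packet("198.51.100.9", 33000, "203.0.113.10", 5900))
    return req, reply, blocked, allowed
```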


On Thu, 21 Jun 2001, Stephen Chowning wrote:

> I am (sooner or later) going to hook a (mostly Mac, one PC) small lan to
> a cable modem internet connection. I have looked at various hardware
> solutions (cable/dsl routers) available for under $200. And at software
> solutions such as IPNetRouter for under $100. IPNetRouter claims to do
> all that a hardware device does for less money. As the hardware devices
> are not that much more $, I don't feel that this is a major issue. I
> would like to implement VPN also, so I would like to know which option
> hardware vs. software is the better solution especially as it pertains
> to implementing VPN, but also in a more general sense, i.e. ease of
> setup/use, security, etc. From reading the posts to this newsgroup, I
> suspect that the main difference will be what my cable co. allows or
> disallows as far as encrypted packets.
> 
> On another note, does anyone feel like explaining how the software
> solution protects the non-gateway machines on the lan? I believe that I
> understand how the hardware works, having an upstream and a downstream
> connection. But my simple, small lan has an ethernet hub with all
> devices plugged into it. Would the gateway machine need two ethernet
> cards, one designated as "upstream", the other "downstream" plugged into
> the hub?
> 
> Thanks,
> Steve


VPN is sponsored by SecurityFocus.com