An Internet gateway is a device that connects internal private networks to the outside world via the Internet. It translates and converts messages from one protocol to another. The Internet gateway also protects the internal private network from harm: it sits at the battle front, protecting important data and information from attack, whether by email, viruses or worms, or hackers. An Internet gateway can also provide proxy services, which reduce network costs by caching Internet pages. Without Internet gateways, you would not be able to send emails, look at web pages or use any web services.
This unit (ICAS5192A) will give you the knowledge and skills to implement and manage security on an operational system. You will learn how to do the following:
- confirm client requirements and network equipment
- review security issues relating to Internet connectivity
- install and configure a gateway
- configure and test node to use gateway.
The topics for this unit are as follows:
2. Review security issues
3. Install and configure gateway products and equipment
4. Configure and test node
1. Confirm client requirements and network equipment
In this topic you will learn how to confirm and validate client requirements, determine the scope of Internet services with reference to the client requirements, and finally, identify and verify the gateway equipment specification and product availability.
Activity 1.1 Confirming client’s requirements
A friend wants you to make a recommendation on what can be done to allow easy access to the Internet from both of the family’s home computers. Read up on Microsoft’s Home and Small Office Network Topologies at http://search.technet.microsoft.com/search/default.aspx?siteId=1&tab=0&query=network+topologies and determine the appropriate options for your friend. Set out the considerations you make for the various requirements that your friend may have.
Consider under what circumstances you would recommend the following solutions:
- residential gateway
- using a host computer with ICS (Internet connection sharing)
- using a host computer with another Internet sharing program
- individual dial-up connections for each computer.
- operating systems used
- connection method to the Internet (broadband, dial-up, wireless broadband)
- common times of use
- location of computers to each other
- phone and network connections.
Table 3: Considerations and recommendations

Activity 1.2 Examining high-end enterprise appliances
To gain an insight into the variety of devices available for larger business and enterprise situations, have a look at the following demonstration from Cisco about their ASA (adaptive security appliance) product range at http://www.cisco.com/cdc_content_elements/flash/asa/flash.html (Cisco ASA demo)
This demo requires Macromedia Software Flash to be installed and will take approximately seven minutes for the Introduction section to download on a dial-up connection. It will take longer if other downloads are also being processed. If the demo is unavailable you might try http://www.cisco.com/go/asa for more information.
A: From the demonstration, you can see that products such as the Cisco ASA range have a multipurpose capability that allows them to be deployed as a solution to many different needs in an organisation. A key feature for enterprise use is the central control of remote devices and automatic product updates.
Similar products are available from McAfee and Symantec, to name a few. Virtually all network infrastructure manufacturers will have a range of products to perform gateway functions of some level. Some examples are:
http://www.mcafee.com/au/products/mcafee/antivirus/internet_gateway/ws_appliances_3000.htm (McAfee – Webshield 3000 Series Appliances)
http://www.mcafee.com/us/products/tools/demos/ws_appliance/ws_appliance.asp (Macromedia Flash demo)
http://www.symantec.com/enterprise/products/allproducts.jsp (Symantec – Gateway Security 5400 Series. Click on the Symantec Gateway Security 5400 Series link.)
Activity 1.3 Validating client requirements
This scenario applies to Activity 3 and Activity 4. Read the scenario and answer the questions that follow.
Compstat is an SME that provides market research to over 100 clients Australia-wide. Compstat’s head office is located in Perth and has three remote offices located in Sydney, Melbourne and Brisbane. Currently, remote sites are connected to the head office via ISDN links. They are looking to upgrade their network to utilise new applications that have improved data-gathering methods. Currently, market research participants fill in a paper-based form that is then transferred into electronic format by data entry personnel. Compstat wants to change this paper-based system to a computer-based system that utilises web technologies. This will allow the collection and storage of research data in one step instead of many, saving time and money.
Q: Are the client’s requirements valid? Can they be fulfilled? Refer to the following document: Client Requirements - Sample Validating Client Requirements (23 KB 2821_reading1.xls)
Compstat wants to be able to provide a computer kiosk system where the participant completes the questionnaire online in a remote area like a shopping centre. They want to use wireless broadband technologies to connect the kiosk computers to the Compstat web servers anywhere and anytime wireless broadband access is available. This environment will need to be safe and secure.
A: Yes, the client’s requirements are valid. They can be filled using a range of multiple mobile technologies.
Activity 1.4 Scope of Internet services required
Q: To practise determining the scope of Internet services required, refer back to the scenario in Activity 3 and fill in the document Client Requirements - Sample Scope of Internet Services (1.21 MB 2821_reading2.xls)
A: The level of detail in this tool is still incomplete? As I learn about other existing and new technologies, I still need to modify the tool in order to effectively record a client’s requirements for an Internet gateway.
Activity 1.5 Identify suitable components
Make a comparison of the specifications of the following products and identify what Internet gateway services they are suitable for.
Download the product specification sheets, datasheets and/or user guides or manuals for these products:
Home and small business components
- TP-Link – TL-460 multifunction router http://www.tp-link.com/. Click on the Cable/DSL Routers image then click on the TL-460 image.
- MSI – Residential Gateway http://www.msicomputer.com.au/. Search for RG54GS and select the appropriate result link.
- Billion – BiPAC 5200 ADSL2+ Modem/Router http://www.billion.com/product/adsl.htm. Click on the BiPAC 5200 image.
Enterprise components
- Cisco – ASA http://www.cisco.com/go/asa. Scroll down to related documents and click Datasheets. Click on the ASA Platform and Module datasheet link, then download the PDF or read the web page.
- Symantec – Gateway Security 5400 Series http://www.symantec.com/enterprise/products/allproducts.jsp Click on the Symantec Gateway Security 5400 Series link.
A: Comparing these devices, I see that the specifications concerning what can be done from an Internet gateway or router point of view are very similar across the board from home and small business up to enterprise level. However, the data speeds and the few additional processing functions of the enterprise appliances set them apart. The additional capacity of some enterprise appliances to actively detect worms and viruses and other threats makes these devices come at a price and may not be justifiable to a home or small business client.
2. Review security issues
In this topic you will learn how to assess security features of Internet gateways with reference to architecture and the security plan and review security measures with the Internet service provider with reference to firewalls and other measures. You will also learn how to brief users on the security plan with reference to Internet use and hazard possibilities.
Activity 2.1 Assess Internet security for home or organisation
Examine the security features of an Internet connection you have access to by researching and answering the following questions:
- What do you use to share Internet access at your home or business?
- Is there a network administrator or ‘computer person’ that you can ask some information from at work?
- What services are provided from your side of the Internet link?
- Are there open ports for special programs?
You might also find the following sites helpful in making your decision:
http://www.cert.org/tech_tips/home_networks.html (CERT – Home Network Security)
http://www.webcamsoft.com/en/faq/firewall.html (Configure for DMZ servers)
http://www.haxial.com/faq/routerconfig (Port forwarding examples)
http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_configuration_guide_chapter09186a00801162eb.html (Configuring PIX firewall)
http://www.portforward.com/help/porttrigger.htm (Explanation of ports, NAT and port forwarding)
http://www.portforward.com/help.htm (Basic help and definitions)
http://www.irchelp.org/irchelp/security/fwfaq.html (Firewall FAQ)
- MS Windows system on a dial-up connection with a software firewall
- Internet connection sharing (ICS) through a dial-up connection with firewalls on every system
- broadband connection with a router with NAT enabled
- broadband modem connected to one system with a software firewall and ICS running
- broadband connection with NAT router and firewall device routed through a server providing DNS and anti-virus checking of the network traffic.
Check for information about the security arrangements provided by your ISP. Look for FAQs, information pages, connection details and similar pages in order to find out what security measures are in place at the ISP premises that could potentially affect you or your client.
- What does your ISP do for you?
- Do they provide virus scanning of emails?
- Are any ports blocked at their premises such as port 25 or others? Do they explain why they have done this?
- Do they provide static IP addresses?
A: Were you able to find the information? Some ISPs don’t advertise the fact that they block anything. You can determine if your ISP blocks port 25 by running the Telnet program and trying to connect to another ISP’s email server using port 25. For example in Windows you would do the following:
- Click on Start - Run, type cmd into the command area (or command on Windows 95, 98 or ME) and click OK.
- In the command window, type telnet mail.dodo.com.au 25 and press Enter.
An unsuccessful connection will time out and show something like the following:

A successful connection will show something like the following:

The images above show that access is possible to the mail server mail.bigpond.com.au but not to the mail server at mail.dodo.com.au.
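The same port 25 check can be scripted so that a timeout, a refusal and a real SMTP greeting are told apart. The following is an added example, not part of the original unit; the function names `probe_smtp` and `interpret` are assumptions made for illustration, and the mail server names are supplied on the command line.

```python
import socket
import sys


def probe_smtp(host, port=25, timeout=10.0):
    """Try a TCP connection and read the SMTP greeting.

    Returns (status, banner) where status is one of:
      reachable         connected and the server greeted with a 220 line
      connected-no-220  connected, but no greeting or a non-220 greeting arrived
      refused           the connection was actively refused (TCP reset)
      timed-out         no answer at all, which is how a silent port block looks
      dns-failure       the host name did not resolve
      error             any other network error
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as conn:
            try:
                banner = conn.recv(512).decode("ascii", "replace").strip()
            except OSError:              # read timeout or reset after connecting
                banner = ""
    except socket.gaierror:
        return "dns-failure", ""
    except ConnectionRefusedError:
        return "refused", ""
    except socket.timeout:
        return "timed-out", ""
    except OSError:
        return "error", ""
    status = "reachable" if banner.startswith("220") else "connected-no-220"
    return status, banner


def interpret(own_isp_status, other_isp_status):
    """Read two results the way the activity does: own ISP's server vs another ISP's."""
    if other_isp_status == "reachable":
        return "outbound port 25 is not blocked"
    if own_isp_status == "reachable" and other_isp_status in ("timed-out", "refused"):
        # One failing server may simply be down, so repeat with a second external server.
        return "outbound port 25 to other providers appears blocked"
    return "inconclusive: check DNS, the local firewall and the connection itself"


if __name__ == "__main__":
    # Usage: python smtp_check.py <own-isp-mail-server> <other-isp-mail-server>
    if len(sys.argv) != 3:
        sys.exit("usage: smtp_check.py OWN_ISP_MAIL_SERVER OTHER_ISP_MAIL_SERVER")
    own, other = (probe_smtp(name) for name in sys.argv[1:3])
    print("own ISP:  ", own)
    print("other ISP:", other)
    print(interpret(own[0], other[0]))
```

The banner that comes back names the server that actually answered, which is worth comparing with the host you asked for.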
Bigpond definitely blocks port 25, but you have to search for the information. Try the following to get the information: http://www.bigpond.com/ Type block ports into Search Bigpond and read the article on ‘Why does Bigpond manage the use of port 25’.
Activity 2.3 Notifying users of Internet security measures
What is the best way to get the information across? You will provide different formats for the security measures depending on your method of deployment of the information. Have a look at the following sites and see the range of information you may need to be providing:
- Search Google for technology acceptable-use policy within Australia.
- Security policies – guides and examples http://www.infosyssec.org/infosyssec/security/secpol1.htm (Information security portal for information system security professionals.) Note that many links do not work so keep trying different ones.
- Site security policy development: http://www.windowsecurity.com/whitepaper/info/policy/AusCERT.html (Window Security site)
- Computer and information security policy: http://www.windowsecurity.com/whitepaper/info/policy/hk_polic.html (Window Security site)
For the different methods listed in the Reading notes, describe how you may get this information across.
These methods were:
- induction packages for employees
- seminars
- emails
- log-on notices
- messages of the day
- default home page.
A: There could be various answers here. Some will be more effective than others depending on the audience as well as the content. Here are a few ideas:
Table: Methods of delivery and information formats
3. Install and configure gateway products and equipment
Activity 3.1 Terminology used to set configuration of devices
Q: The following link is for a manufacturer of a proprietary Internet phone system. Their software requires routers or firewalls to be configured to allow the service to be accessed from the Internet on their client’s computers. The feature that allows this is often called port forwarding.
- Click on the link provided below and scroll down to the bottom of the page where you will find links for a variety of routers and firewalls.
- Click on each of these links in turn (use the Back button in between) and assess the differences in terminology and the logical grouping of services in the various menu systems used in these routers and firewalls.
- Specifically, identify the port forwarding references and create a table with the alternative naming, description and grouping for each of the router and firewall products and devices listed.
Table: Devices and terminology

Activity 3.2 Exploring Linux gateways
Q: Research some of the Linux gateway solutions shown in the Reading notes. Click on each of the links and investigate the features and licensing for the various products offered. Produce a table with a basic summary of your findings.
- http://www.simonzone.com (SimonZone Guarddog)
- http://www.coyotelinux.com (Vortech Consulting Coyote Linux)
- http://www.clarkconnect.com (Point Clark Networks’ ClarkConnect)
- http://www.coyotelinux.com (Vortech Consulting Wolverine Linux)
GuardDog requires a working Linux installation before it can be used, so a working knowledge of Linux is required in order to install and configure the Internet gateway.
The other solutions are installed on dedicated systems. Coyote Linux is the least resource hungry and may be installed on an otherwise-disused computer system with two network cards.
Both Clark Connect and Wolverine Linux will benefit from a more powerful system, depending on the final level of performance required by the Internet gateway. So a system with a small hard drive and memory may be suitable without purchasing new equipment specifically for the Internet gateway to be set up on.
Activity 3.3 Enterprise appliances
Q: Research some of the enterprise appliances available from the following manufacturers. Find information on the firewall and VPN throughput and the maximum number of connections.
- Cisco Systems: http://www.cisco.com – search for “Adaptive Security Appliances Models Comparison” and follow the resulting links to locate detailed specifications on an ASA product.

- Symantec Systems: http://www.symantec.com – search for "Symantec Security Appliances Comparison Chart" and follow the resulting links to locate detailed specifications on an appliance product and get the actual comparison chart from the resources list at the bottom of the page.

Activity 3.4 Plan and execute tests
Q: Download and open the Test Plan – Sample Workbook and try the test links while your Internet connection is open. Test Plan - Sample Workbook (19 KB Test Plan_Sample Workbook.xls)
- Practise filling in the workbook as you perform the tests.
- Do all the tests work?
- What other tests would be helpful in this test tool?
- saving the sample test plan with a new file name
- changing the date heading to reflect the date when you performed the tests
- filling in either Pass or Fail in the results column under the date you just entered.
Most connections to the Internet should allow all of these tests to succeed.
Additional tests that would extend the usefulness of the test tool include
- trial downloading of various file types – ZIP, EXE, COM
- trial using of different communications programs – MSN Messenger, ICQ, SSH, Telnet, BitTorrent.
4. Configure and test node
In this topic you will learn how to assign nodes to a specific gateway, determine the connection type and configure with reference to network architecture and ensure node software and/or hardware is configured.
Activity 4.1 Determine the IP configuration method
In order to determine how the IP configuration is obtained on a Microsoft Windows XP system we first have to log in as an unrestricted or administrative level user.
Once you have logged in:
- go to Start - Control Panel
- from the control panel list, open the Network Connections option. This will open a window with a Dial-up section and/or a LAN or High-Speed Internet section.
Note: If control panel displays in Category View, you will have an additional step of opening the Internet and Network Connections option before opening the Network Connections option.
Part 1 – Dynamic IP settings
Most dial-up connections are configured as dynamically-allocated IP addresses, so if you have a Dial-up section with a connection present
- right-click on a connection and select Properties from the pop-up menu
- select the Networking tab from the dialog then open the Internet Protocol (TCP/IP) by selecting it from the list and clicking on the Properties button.
In most cases this Properties dialog will show that the options Obtain an IP address automatically and Obtain DNS server address automatically are selected.
Important: Leave these settings as they are by clicking the Cancel buttons until the Network Connections list is displayed again!
A: In Part 1 you should have moved through and displayed the TCP/IP Properties dialog for a Dial-up connection and obtained a dialog similar to the following:
The IP address configuration can be statically (or manually) allocated.
- If you have a connection in the LAN or High-Speed Internet section, then right-click on a connection and select Properties from the pop-up menu.
- Select the Networking tab from the dialog then open the Internet Protocol (TCP/IP) by selecting it from the list and clicking on the Properties button.
In many cases, this Properties dialog will show that the options Obtain an IP address automatically and Obtain DNS server address automatically are selected.
Change the selected options to the following:
- Use the following IP address and use the following DNS server addresses. Notice that the IP address fields become available to take the static IP address information including the IP address, Sub-network mask, default gateway address and the Preferred DNS server address.
Important: Leave these settings as they are by clicking the Cancel buttons until the Network Connections list is displayed again!
A: In Part 2 you should have moved through and displayed the TCP/IP Properties dialog for a LAN or High Speed Internet connection. By selecting the options Use the following IP address and Use the following DNS server addresses, you should have obtained a dialog similar to the following:

In order to determine the current values being used by the system, a command line tool is available.
Open a command prompt window by doing the following:
- Start, Run, type cmd in the Open field and click on the OK button. This brings up a black command prompt window.
- at the flashing prompt, type ipconfig /all and the current values will all be displayed.
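The `ipconfig /all` listing can also be checked automatically against the gateway a node was assigned to. The following is an added example, not part of the original unit: it parses a constructed sample in the Windows XP output layout and reports the addressing method and any gateway mismatch. The names `parse_ipconfig` and `check_adapter`, the sample values and the expected gateway 192.168.1.1 are assumptions.

```python
import ipaddress
import re

# Constructed sample in the Windows XP `ipconfig /all` layout (not from a real host).
SAMPLE = """\
Windows IP Configuration

        Host Name . . . . . . . . . . . . : KIOSK-01

Ethernet adapter Local Area Connection:

        Dhcp Enabled. . . . . . . . . . . : Yes
        IP Address. . . . . . . . . . . . : 192.168.1.101
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.1.1
        DHCP Server . . . . . . . . . . . : 192.168.1.1
        DNS Servers . . . . . . . . . . . : 192.168.1.1
                                            203.0.113.53

Ethernet adapter Local Area Connection 2:

        Dhcp Enabled. . . . . . . . . . . : No
        IP Address. . . . . . . . . . . . : 192.168.1.50
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.2.1
        DNS Servers . . . . . . . . . . . : 192.168.1.1
"""

# "Field name . . . . : value"; the dot leader always ends in " :" before the value.
KEY_LINE = re.compile(r"^\s+([A-Za-z][^:]*?)[ .]+:\s*(.*)$")


def parse_ipconfig(text):
    """Return {section header: {field: [values]}} from `ipconfig /all` output."""
    sections, current, last = {}, None, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():            # unindented line starts a new section
            current, last = sections.setdefault(line.rstrip(": "), {}), None
        elif current is not None and (m := KEY_LINE.match(line)):
            last = m.group(1)
            current[last] = [m.group(2)] if m.group(2) else []
        elif current is not None and last:   # continuation, e.g. a second DNS server
            current[last].append(line.strip())
    return sections


def check_adapter(fields, expected_gateway):
    """Compare one adapter's settings with the gateway the node was assigned to."""
    method = "dhcp" if fields.get("Dhcp Enabled") == ["Yes"] else "static"
    problems = []
    ip, mask = fields.get("IP Address"), fields.get("Subnet Mask")
    gateway = fields.get("Default Gateway")
    if not (ip and mask):
        return method, ["no IPv4 address configured"]
    network = ipaddress.ip_network(f"{ip[0]}/{mask[0]}", strict=False)
    if not gateway:
        problems.append("no default gateway set")
    else:
        if ipaddress.ip_address(gateway[0]) not in network:
            problems.append(f"gateway {gateway[0]} is outside {network}")
        if gateway[0] != expected_gateway:
            problems.append(f"gateway {gateway[0]} is not the assigned {expected_gateway}")
    return method, problems


if __name__ == "__main__":
    for name, fields in parse_ipconfig(SAMPLE).items():
        if name.startswith("Ethernet adapter"):
            print(name, check_adapter(fields, expected_gateway="192.168.1.1"))
```

Later Windows versions label the address field IPv4 Address and append (Preferred) to the value, so adjust the field names before running the parser on their output.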

Activity 4.2 Configuring Internet Explorer to use a proxy server
Internet Explorer is integrated into the Windows operating system to the degree that you do not need to open Internet Explorer to set parameters. To set the proxy server settings for Internet Explorer on a Microsoft Windows XP system you should
- log in as an Unrestricted or Administrative level user
- go to Start then Control Panel
- from the Control Panel list, open Internet Options and select the Connections tab.
Note: If Control Panel displays in Category View, you will have an additional step of opening the Internet and Network Connections option before opening Internet Options.
This will open a dialog with a Dial-up and Virtual Private Network settings section and a Local Area Network (LAN) settings section. For this activity you can choose an available Dial-up setting and click on the Settings button or click on the LAN Settings button. The difference between the two dialogs is that the Dial-up dialog includes fields for the User name and Password for the connection.
To activate the use of a proxy server
- click on the check box under Proxy server beside the instruction Use a proxy server for this connection
- this activates the fields that allow you to enter the IP Address and the Port number for the HTTP proxy server
- you can also activate the option to bypass the proxy server for local addresses by clicking on the Advanced button. You can configure different server addresses and ports for the different protocols displayed.
Important: Leave these settings as they are by clicking the Cancel buttons until the Control Panel is displayed again.
A: There are a number of different ways to open the proxy settings dialogs. Each connection can be configured with a different set of parameters. Most DHCP servers cannot be used to supply this information to a DHCP client. You should have obtained a dialog for the proxy settings similar to the following:
Activity 4.3 Testing completed node capabilities
The testing tool that you created in order to test the operation of the gateway can be used in the testing of each node as well. Download and open
- Test Plan - Sample Workbook (20 KB 2824_reading01.xls)
Practise filling in the workbook as you perform the tests.
- Do all the tests work?
- What other tests would be helpful in this test tool?
- saving the Sample Test Plan with a new file name
- changing the date heading to reflect the date on which you perform the tests
- filling in either Pass or Fail in the results column under the date you just entered.
Additional tests that would extend the usefulness of the test tool include
- trial downloading various file types – ZIP, EXE, COM
- trial using different communications programs – MSN Messenger, ICQ, SSH, Telnet, BitTorrent.