Sunday, September 13, 2009

ICAS5192A Configure an internet gateway

Unit contents

An internet gateway is a device that connects internal private networks to the outside world via the Internet. It translates and converts messages from one protocol to another. The Internet gateway is also there to protect the internal private network from harm. It is at the battle front, protecting important data and information from attack, whether that comes by email, from viruses or worms, or from hackers. An internet gateway can also provide proxy services, which reduce network costs by caching internet pages. Without internet gateways, you would not be able to send emails, look at web pages or use any web services.

This unit (ICAS5192A) will give you the knowledge and skills to implement and manage security on an operational system. You will learn how to do the following:

  • confirm client requirements and network equipment
  • review security issues relating to Internet connectivity
  • install and configure a gateway
  • configure and test a node to use the gateway.

Unit topics

The topics for this unit are as follows:

1. Confirm client requirements and network equipment

2. Review security issues

3. Install and configure gateway products and equipment

4. Configure and test node

1. Confirm client requirements and network equipment

In this topic you will learn how to confirm and validate client requirements, determine the scope of Internet services with reference to the client requirements, and finally, identify and verify the gateway equipment specification and product availability.

Activity 1.1 Confirming client’s requirements

A friend wants you to make a recommendation on what can be done to allow easy access to the Internet from both of the family’s home computers. Read up on Microsoft’s Home and Small Office Network Topologies at http://search.technet.microsoft.com/search/default.aspx?siteId=1&tab=0&query=network+topologies and determine the appropriate options for your friend. Set out the considerations you make for the various requirements that your friend may have.

Consider under what circumstances you would recommend the following solutions:
  • residential gateway
  • using a host computer with ICS (Internet connection sharing)
  • using a host computer with another Internet sharing program
  • individual dial-up connections for each computer.
A: Some of the requirements to consider include
  • operating systems used
  • connection method to the Internet (broadband, dial-up, wireless broadband)
  • common times of use
  • location of computers to each other
  • phone and network connections.
This can be best represented in a table.

Table 3: Considerations and recommendations

Of course, every situation is different. Some may require a greater investment in infrastructure in order to provide the services required. Also, there is no reason to prevent a residential gateway from being used with a dial-up connection, as long as the device has a serial port for a modem or ISDN terminal adapter, as various mainstream routers and the Open Networks (http://www.opennw.com/index.php) OPEN524R router do. These devices use the serial port as a backup WAN connection in place of a failed broadband link, but can be used without broadband at all for ISDN dial-up connections.

Activity 1.2 Examining high-end enterprise appliances

To gain an insight into the variety of devices available for larger business and enterprise situations, have a look at the following demonstration from Cisco about their ASA (adaptive security appliance) product range at http://www.cisco.com/cdc_content_elements/flash/asa/flash.html (Cisco ASA demo).

This demo requires Macromedia Flash software to be installed, and the Introduction section will take approximately seven minutes to download on a dial-up connection. It will take longer if other downloads are also being processed. If the demo is unavailable you might try http://www.cisco.com/go/asa for more information.

A: From the demonstration, you can see that products such as the Cisco ASA range have a multipurpose capability that allows them to be deployed as a solution to many different needs in an organisation. A key feature for enterprise use is the central control of remote devices and automatic product updates.

Similar products are available from McAfee and Symantec, to name a few. Virtually all network infrastructure manufacturers will have a range of products to perform gateway functions of some level. Some examples are http://www.mcafee.com/au/products/mcafee/antivirus/internet_gateway/ws_appliances_3000.htm (McAfee – Webshield 3000 Series Appliances)

http://www.mcafee.com/us/products/tools/demos/ws_appliance/ws_appliance.asp (Macromedia Flash demo)

http://www.symantec.com/enterprise/products/allproducts.jsp (Symantec – Gateway Security 5400 Series. Click on the Symantec Gateway Security 5400 Series link.)


Activity 1.3 Validating client requirements

This scenario applies to Activities 1.3 and 1.4. Read the scenario and answer the questions that follow.

Compstat is an SME that provides market research to over 100 clients Australia-wide. Compstat’s head office is located in Perth and has three remote offices located in Sydney, Melbourne and Brisbane. Currently, remote sites are connected to the head office via ISDN links. They are looking to upgrade their network to utilise new applications that have improved data-gathering methods. Currently, market research participants fill in a paper-based form that is then transferred into electronic format by data entry personnel. Compstat wants to change this paper-based system to a computer-based system that utilises web technologies. This will allow the collection and storage of research data in one step instead of many, saving time and money.

Compstat wants to be able to provide a computer kiosk system where the participant completes the questionnaire online in a remote area like a shopping centre. They want to use wireless broadband technologies to connect the kiosk computers to the Compstat web servers anywhere and anytime wireless broadband access is available. This environment will need to be safe and secure.

Q: Are the client’s requirements valid? Can they be fulfilled? Refer to the following document: Client Requirements - Sample Validating Client Requirements (23 KB 2821_reading1.xls)

A: Yes, the client’s requirements are valid. They can be fulfilled using a range of mobile technologies.


Activity 1.4 Scope of Internet services required

Q: To practise determining the scope of Internet services required, refer back to the scenario in Activity 1.3 and fill in the document Client Requirements - Sample Scope of Internet Services (1.21 MB 2821_reading2.xls).

A: The level of detail in this tool is still incomplete. As I learn about other existing and new technologies, I still need to modify the tool in order to effectively record a client’s requirements for an Internet gateway.


Activity 1.5 Identify suitable components

Make a comparison of the specifications of the following products and identify what Internet gateway services they are suitable for.

Download the product specification sheets, datasheets and/or user guides or manuals for these products:

Home and small business components

TP-Link – TL-460 multifunction router http://www.tp-link.com/. Click on the Cable/DSL Routers image then click on the TL-460 image.

MSI – Residential Gateway http://www.msicomputer.com.au/. Search for RG54GS and select the appropriate result link.

Billion – BiPAC 5200 ADSL2+ Modem/Router http://www.billion.com/product/adsl.htm. Click on the BiPAC 5200 image.

Enterprise components

Cisco – ASA http://www.cisco.com/go/asa. Scroll down to related documents and click Datasheets. Click on the ASA Platform and Module datasheet link, then download the PDF or read the web page.

Symantec – Gateway Security 5400 Series http://www.symantec.com/enterprise/products/allproducts.jsp Click on the Symantec Gateway Security 5400 Series link.

A: Comparing these devices, I see that the specifications concerning what can be done from an Internet gateway or router point of view are very similar across the board, from home and small business up to enterprise level. However, the data speeds and the few additional processing functions of the enterprise appliances set them apart. The additional capacity of some enterprise appliances to actively detect worms, viruses and other threats makes these devices come at a price that may not be justifiable to a home or small business client.

2. Review security issues

In this topic you will learn how to assess security features of Internet gateways with reference to architecture and the security plan and review security measures with the Internet service provider with reference to firewalls and other measures. You will also learn how to brief users on the security plan with reference to Internet use and hazard possibilities.

Activity 2.1 Assess Internet security for home or organisation

Examine the security features of an Internet connection you have access to by researching and answering the following questions:

  • What do you use to share Internet access at your home or business?
  • Is there a network administrator or ‘computer person’ at work whom you can ask for information?
  • What services are provided from your side of the Internet link?
  • Are there open ports for special programs?

You might also find the following sites helpful in making your decision:
http://www.cert.org/tech_tips/home_networks.html (CERT – Home Network Security)
http://www.webcamsoft.com/en/faq/firewall.html (Configure for DMZ servers)
http://www.haxial.com/faq/routerconfig (Port forwarding examples)
http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_configuration_guide_chapter09186a00801162eb.html (Configuring PIX firewall)
http://www.portforward.com/help/porttrigger.htm (Explanation of ports, NAT and port forwarding)
http://www.portforward.com/help.htm (Basic help and definitions)
http://www.irchelp.org/irchelp/security/fwfaq.html (Firewall FAQ)

A: Were you able to determine the aspects of your Internet security provision at home or work? There are many answers to the creation of Internet security. Perhaps you have one or parts of several of the following solutions:
  • MS Windows system on a dial-up connection with a software firewall
  • Internet connection sharing (ICS) through a dial-up connection with firewalls on every system
  • broadband connection with a router with NAT enabled
  • broadband modem connected to one system with a software firewall and ICS running
  • broadband connection with NAT router and firewall device routed through a server providing DNS and anti-virus checking of the network traffic.

Activity 2.2 Access ISP security information

Check for information about the security arrangements provided by your ISP. Look for FAQs, information pages, connection details and similar pages in order to find out what security measures are in place at the ISP premises that could potentially affect you or your client.

  • What does your ISP do for you?
  • Do they provide virus scanning of emails?
  • Are any ports blocked at their premises such as port 25 or others? Do they explain why they have done this?
  • Do they provide static IP addresses?

A: Were you able to find the information? Some ISPs don’t advertise the fact that they block anything. You can determine if your ISP blocks port 25 by running the Telnet program and trying to connect to another ISP’s email server on port 25. For example, in Windows you would do the following:

  • click on Start, then Run, type cmd into the Open field and click OK (or command on Windows 95, 98 or ME)
  • in the command window type telnet mail.dodo.com.au 25 and press Enter.

An unsuccessful connection will time out and show something like the following:

Figure: Telnet output showing that the mail.dodo.com.au mail server is not reachable using port 25 from this computer.

A successful connection will show something like the following:

Figure: Telnet output showing that a connection has been established with the mail.bigpond.com.au mail server on port 25.

The images above show that access is possible to the mail server mail.bigpond.com.au but not to the mail server at mail.dodo.com.au.

Bigpond definitely blocks port 25, but you have to search for the information. Try the following to find it: go to http://www.bigpond.com/, type block ports into Search Bigpond and read the article ‘Why does Bigpond manage the use of port 25’.
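The same port-25 check, written as a small Python script so that the outcome is classified (open, refused, filtered) rather than read off a Telnet screen. This is an added example, not part of the course notes: `local_smtp_stub` is a loopback stand-in so the classifier can be tried without network access, and the two server names in the usage block are the ones used in the text.

```python
"""The port-25 telnet check from Activity 2.2, done in code: connect to a
mail server's SMTP port, read the greeting and classify the outcome so
the result can be logged rather than read off the screen."""
import socket
import threading


def probe_port(host, port=25, timeout=5.0):
    """Return (state, banner). state is one of:
       'open'       - TCP connect succeeded; banner holds the SMTP greeting
       'refused'    - the host answered but nothing listens on that port
       'filtered'   - no answer before the timeout (what an ISP block looks like)
       'unresolved' - the host name did not resolve
       'error'      - any other socket failure (e.g. network unreachable)"""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            try:
                banner = s.recv(256).decode("ascii", "replace").strip()
            except socket.timeout:
                banner = ""          # connected, but the server stayed silent
            return "open", banner
    except ConnectionRefusedError:
        return "refused", ""
    except socket.timeout:
        return "filtered", ""
    except socket.gaierror:
        return "unresolved", ""
    except OSError:
        return "error", ""


def egress_blocked(results):
    """Given probes of several independent mail servers, report whether the
    ISP or gateway appears to block outbound port 25: every probe timing
    out. One 'open' result means the port is usable from here, and other
    failures are specific to that server rather than to the link."""
    states = [state for state, _ in results]
    return bool(states) and all(state == "filtered" for state in states)


def local_smtp_stub():
    """One-shot listener on 127.0.0.1 that sends an SMTP-style greeting, so
    the classifier can be exercised offline. Returns its port number."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        conn.sendall(b"220 stub.example ESMTP ready\r\n")
        conn.close()
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


if __name__ == "__main__":
    hosts = ("mail.dodo.com.au", "mail.bigpond.com.au")   # as used in the text
    results = [probe_port(h) for h in hosts]
    for host, (state, banner) in zip(hosts, results):
        print(f"{host}:25 -> {state} {banner}")
    print("outbound port 25 appears blocked here:", egress_blocked(results))
```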


Activity 2.3 Notifying users of Internet security measures

What is the best way to get the information across? You will present the security measures in different formats depending on how you deploy the information. To see the range of information you may need to provide, search Google for technology acceptable-use policy within Australia.

For the different methods listed in the Reading notes, describe how you may get this information across.

These methods were
  • induction packages for employees
  • seminars
  • emails
  • log-on notices
  • messages of the day
  • default home page.

Q: Write your answers below:

A: There could be various answers here. Some will be more effective than others depending on the audience as well as the content. Here are a few ideas:

Table: Methods of delivery and information formats

3. Install and configure gateway products and equipment

In this topic you will learn how to install and configure gateway products as required by technical guidelines, plan and execute tests, and analyse error reports and make changes to the gateway.

Activity 3.1 Terminology used to set configuration of devices

Q: The following link is for a manufacturer of a proprietary Internet phone system. Their software requires routers or firewalls to be configured to allow the service to be accessed from the Internet on their clients’ computers. The feature that allows this is often called port forwarding.

  • Click on the link provided below and scroll down to the bottom of the page where you will find links for a variety of routers and firewalls.
  • Click on each of these links in turn (use the Back button in between) and assess the differences in terminology and the logical grouping of services in the various menu systems used in these routers and firewalls.
  • Specifically, identify the port forwarding references and create a table with the alternative naming, description and grouping for each of the router and firewall products and devices listed.

A: The pages for the different routers and firewalls show various options for port forwarding to be configured, such as those shown in the next table.

Table: Devices and terminology


Activity 3.2 Exploring Linux gateways

Q: Research some of the Linux gateway solutions shown in the Reading notes. Click on each of the links and investigate the features and licensing for the various products offered. Produce a table with a basic summary of your findings.

A: Each of the products has differing requirements in both the knowledge needed to install them and the ongoing support given. Generally, if a payment and annual fee is required, then support will be more dependable. (You get what you pay for.) The free products are not necessarily inferior to the commercial offerings—often they only differ in the support offered.

Activity 3.3 Enterprise appliances

Q: Research some of the enterprise appliances available from the following manufacturers. Find information on the firewall and VPN throughput and the maximum number of connections.

  • Cisco Systems: http://www.cisco.com – search for “Adaptive Security Appliances Models Comparison” and follow the resulting links to locate detailed specifications on an ASA product.
Table: Cisco Adaptive Security Appliance – ASA 5510 specifications

  • Symantec Systems: http://www.symantec.com – search for "Symantec Security Appliances Comparison Chart" and follow the resulting links to locate detailed specifications on an appliance product and get the actual comparison chart from the resources list at the bottom of the page.
Table: Symantec Gateway Security – SGS 5420 specifications


Activity 3.4 Plan and execute tests

Q: Download and open the Test Plan – Sample Workbook and try the test links while your Internet connection is open. Test Plan - Sample Workbook (19 KB Test Plan_Sample Workbook.xls)

  • Practise filling in the workbook as you perform the tests.
  • Do all the tests work?
  • What other tests would be helpful in this test tool?

A: Practise filling in the workbook by:
  • saving the sample test plan with a new file name
  • changing the date heading to reflect the date when you performed the tests
  • filling in either Pass or Fail in the results column under the date you just entered
  • trialling the downloading of various file types – ZIP, EXE, COM
  • trialling the use of different communications programs – MSN Messenger, ICQ, SSH, Telnet, BitTorrent.

4. Configure and test node

In this topic you will learn how to assign nodes to a specific gateway, determine the connection type and configure with reference to network architecture and ensure node software and/or hardware is configured.

Activity 4.1 Determine the IP configuration method

In order to determine how the IP configuration is obtained on a Microsoft Windows XP system we first have to log in as an unrestricted or administrative level user.

Once you have logged in:

  • go to Start, then Control Panel
  • from the control panel list, open the Network Connections option. This will open a window with a Dial-up section and/or a LAN or High-Speed Internet section.

Note: If control panel displays in Category View, you will have an additional step of opening the Internet and Network Connections option before opening the Network Connections option.

Part 1 – Dynamic IP settings

Most dial-up connections are configured with dynamically allocated IP addresses, so if you have a Dial-up section with a connection present:

  • right-click on a connection and select Properties from the pop-up menu
  • select the Networking tab from the dialog, then open the Internet Protocol (TCP/IP) properties by selecting it from the list and clicking on the Properties button.

In most cases this Properties dialog will show that the options Obtain an IP address automatically and Obtain DNS server address automatically are selected.

Important: Leave these settings as they are by clicking the Cancel buttons until the Network Connections list is displayed again!

A: In Part 1 you should have moved through and displayed the TCP/IP Properties dialog for a Dial-up connection and obtained a dialog similar to the following:

Part 2 – Static IP settings

The IP address configuration can also be statically (or manually) allocated.

  • If you have a connection in the LAN or High-Speed Internet section, then right-click on a connection and select Properties from the pop-up menu.
  • Select the Networking tab from the dialog then open the Internet Protocol (TCP/IP) by selecting it from the list and clicking on the Properties button.

In many cases, this Properties dialog will show that the options Obtain an IP address automatically and Obtain DNS server address automatically are selected.

Change the selected options to the following:

  • Use the following IP address and Use the following DNS server addresses. Notice that the address fields become available to take the static IP address information: the IP address, subnet mask, default gateway address and preferred DNS server address.

Important: Leave these settings as they are by clicking the Cancel buttons until the Network Connections list is displayed again!

A: In Part 2 you should have moved through and displayed the TCP/IP Properties dialog for a LAN or High Speed Internet connection. By selecting the options Use the following IP address and Use the following DNS server addresses, you should have obtained a dialog similar to the following:


Part 3 - Current values

In order to determine the current values being used by the system, a command line tool is available.

Open a command prompt window by doing the following:

  • Start, Run, type cmd in the Open field and click on the OK button. This brings up a black command prompt window.
  • at the flashing prompt, type ipconfig /all and the current values will all be displayed.

A: In Part 3, the IP settings should be displayed in the command prompt window similar to the following:
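A parser for the output of ipconfig /all that answers the questions of Parts 1 and 2 from the text for each adapter: whether it uses DHCP, and whether a statically set default gateway actually lies inside the adapter's own subnet. This is an added example, not from the course notes; the sample output is constructed in the Windows XP layout and its names and addresses are made up.

```python
"""Parse the text that `ipconfig /all` prints (Windows XP layout) into a
per-adapter dictionary and answer Activity 4.1's two questions: is the
adapter DHCP-configured, and does a static default gateway actually sit
inside the adapter's own subnet."""
import ipaddress
import re

# Constructed sample in the XP-era layout; names and addresses are made up.
SAMPLE_IPCONFIG = """\
Windows IP Configuration
        Host Name . . . . . . . . . . . . : xp-node
Ethernet adapter Local Area Connection:
        Connection-specific DNS Suffix  . :
        Dhcp Enabled. . . . . . . . . . . : No
        IP Address. . . . . . . . . . . . : 192.168.1.10
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.2.1
        DNS Servers . . . . . . . . . . . : 192.168.1.1
                                            192.168.1.2

PPP adapter Dial-up Connection:
        Dhcp Enabled. . . . . . . . . . . : Yes
        IP Address. . . . . . . . . . . . : 10.20.30.40
        Subnet Mask . . . . . . . . . . . : 255.255.255.255
        Default Gateway . . . . . . . . . : 10.20.30.40
"""

# "Key . . . : value": key, at least one space or dot, then the FIRST colon
# (so colons inside values such as lease times are left alone).
KV_RE = re.compile(r"^\s+([A-Za-z][A-Za-z0-9 -]*?)[ .]+:\s?(.*)$")


def parse_ipconfig(text):
    """Return {adapter_header: {key: [values]}}. Indented lines with no key
    (the second DNS server) continue the previous key; host-wide settings
    above the first adapter header are skipped."""
    adapters, current, last_key = {}, None, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():
            if line.endswith(":"):            # "Ethernet adapter X:"
                current = adapters.setdefault(line[:-1], {})
                last_key = None
            continue
        if current is None:
            continue
        m = KV_RE.match(line)
        if m:
            last_key, value = m.group(1).strip(), m.group(2).strip()
            current.setdefault(last_key, [])
            if value:
                current[last_key].append(value)
        elif last_key:
            current[last_key].append(line.strip())
    return adapters


def uses_dhcp(adapter):
    """Part 1: True when the adapter reports 'Dhcp Enabled : Yes'."""
    return adapter.get("Dhcp Enabled", [])[:1] == ["Yes"]


def gateway_in_subnet(adapter):
    """Part 2 check for static settings: the gateway must lie inside the
    adapter's own subnet or nothing leaves the LAN. None if no gateway."""
    gateway = adapter.get("Default Gateway", [])
    if not gateway:
        return None
    iface = ipaddress.ip_interface(
        f"{adapter['IP Address'][0]}/{adapter['Subnet Mask'][0]}")
    return ipaddress.ip_address(gateway[0]) in iface.network
```

On a real node, feed the parser the captured output (for example `parse_ipconfig(open("ipconfig.txt").read())`) instead of the constructed sample.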

Activity 4.2 Configuring Internet Explorer to use a proxy server

Internet Explorer is integrated into the Windows operating system to the degree that you do not need to open Internet Explorer to set its parameters. To set the proxy server settings for Internet Explorer on a Microsoft Windows XP system you should:

  • log in as an Unrestricted or Administrative level user
  • go to Start then Control Panel
  • from the Control Panel list, open Internet Options and select the Connections tab.

Note: If Control Panel displays in Category View, you will have an additional step of opening the Internet and Network Connections option before opening Internet Options.

This will open a dialog with a Dial-up and Virtual Private Network settings section and a Local Area Network (LAN) settings section. For this activity you can either choose an available Dial-up setting and click on the Settings button, or click on the LAN Settings button. The only difference between the two dialogs is that the Dial-up one includes User name and Password fields for the connection.

To activate the use of a proxy server

  • click on the check box under Proxy server beside Use a proxy server for this connection
  • this activates the fields for entering the IP address and port number of the HTTP proxy server
  • you can also set the proxy server to be bypassed for local addresses by clicking on the Advanced button, where you can also configure different server addresses and ports for the different protocols displayed.

Important: Leave these settings as they are by clicking the Cancel buttons until the Control Panel is displayed again.

A: There are a number of different ways to open the proxy settings dialogs. Each connection can be configured with a different set of parameters. Most DHCP servers cannot be used to supply this information to a DHCP client. You should have obtained a dialog for the proxy settings similar to the following:
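Internet Options stores the values from this dialog in the registry under HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings as ProxyEnable, ProxyServer and ProxyOverride. The added example below (not from the course notes) parses those string formats and decides which proxy, if any, a given URL would go through; the matching rules used for the exceptions list are a simplification assumed here, not Internet Explorer's exact behaviour.

```python
"""Decide which proxy a URL will use from the Internet Options values in
Activity 4.2: proxy on/off, the proxy address(es) and the bypass list."""
import fnmatch
from urllib.parse import urlsplit


def parse_proxy_server(value):
    """ProxyServer is either 'host:port' (one proxy for every protocol) or,
    after the Advanced button, 'http=host:port;https=host:port;ftp=...'."""
    if "=" not in value:
        return {"*": value.strip()}
    table = {}
    for entry in value.split(";"):
        scheme, sep, hostport = entry.partition("=")
        if sep and hostport.strip():
            table[scheme.strip().lower()] = hostport.strip()
    return table


def parse_exceptions(value):
    """ProxyOverride is a ';'-separated list of patterns; '<local>' stands
    for 'Bypass proxy server for local addresses' (names without a dot)."""
    return [p.strip().lower() for p in value.split(";") if p.strip()]


def bypasses_proxy(host, exceptions):
    """Simplified matching (an assumption of this example): '<local>'
    matches dot-less names; other entries are shell-style wildcards such
    as '*.example.internal' or '192.168.*'."""
    host = host.lower()
    for pattern in exceptions:
        if pattern == "<local>":
            if "." not in host:
                return True
        elif fnmatch.fnmatchcase(host, pattern):
            return True
    return False


def proxy_for(url, proxy_enable, proxy_server, proxy_override):
    """Return the 'host:port' the request goes through, or None for a direct
    connection: proxy disabled, host on the bypass list, or no proxy set
    for that protocol. The last case is worth noticing: with per-protocol
    proxies, any protocol left blank silently goes direct."""
    if not proxy_enable:
        return None
    parts = urlsplit(url)
    if bypasses_proxy(parts.hostname or "", parse_exceptions(proxy_override)):
        return None
    table = parse_proxy_server(proxy_server)
    return table.get(parts.scheme.lower(), table.get("*"))


def direct_urls(urls, proxy_enable, proxy_server, proxy_override):
    """List the URLs that would reach the Internet without the proxy, i.e.
    traffic the gateway's proxy filtering and caching would never see."""
    return [u for u in urls
            if proxy_for(u, proxy_enable, proxy_server, proxy_override) is None]
```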


Activity 4.3 Testing completed node capabilities

The testing tool that you created in order to test the operation of the gateway can be used in the testing of each node as well. Download and open

Practise filling in the workbook as you perform the tests.

  • Do all the tests work?
  • What other tests would be helpful in this test tool?

A: Practise filling in the workbook by:
  • saving the Sample Test Plan with a new file name
  • changing the date heading to reflect the date on which you perform the tests
  • filling in either Pass or Fail in the results column under the date you just entered
  • trialling the downloading of various file types – ZIP, EXE, COM
  • trialling the use of different communications programs – MSN Messenger, ICQ, SSH, Telnet, BitTorrent.