Internal Clients Only
Dedicated Line
This class of site either has an IP Network with clients and possibly some hosts, or is preparing
to install one, but in either case has no intention of
providing services to the outside world. There may be Internet-style services available internally,
but the desire is to spend no time thinking about security from prying eyes on the outside. For this
site, the steps to an Internet connection are straightforward.
- If you have no existing IP Network, fetch and read RFC 1597 about Network Addresses. You
will wish to use one of the Class B Networks from this document. Network Safety has a
short summary version of the document available for you. If
you purchase hardware or services from us, we will help select and subnet a network for you.
- Contact several local Internet Service Providers in your area and select one that you feel
will be responsive to your needs.
- If you purchase one of our Firewall NAT devices, request the
smallest subnet that your ISP can provide. All of your clients will be sharing a single IP Address
for everything that they do. The actual RFC 1597 addresses that you are using will be hidden.
- Install our Firewall NAT, configuring the external interface to the IP Address given to you by
your ISP, and configuring the internal interface IP Address to an address from the IP Network
you are using for your clients.
- Configure your clients (via bootp or DHCP, we hope) to use the NAT as the default gateway
for your internal network. In this way, any request that needs to go "out" will do so by way of
the NAT.
This is how your network appears in this configuration. A router (and modem or DSU)
connects you to your Internet Services Provider. You may wish to lease this router from your
ISP for convenience. The NAT will be your security, so there's not much router setup required.
The LAN that is shared by the router and your NAT is "public." You must assume that someone
with ill intent can reach this LAN. Host computers must never be placed on a public LAN like this.
The NAT is our NetNAT. Its job is to let your internal clients access the Internet, while turning
aside all service requests from the outside.
The "Private Net" LAN segment is within your facility. This segment is your world, with your
internal clients and hosts.
To the outside world, you appear to have a single IP Address: the IP Address of the NAT's
Ethernet port on the public segment.
If your Internet Service Provider uses RFC 1490 compliant Frame Relay for a dedicated link,
you can eliminate the extra router and LAN hardware, and use our NetNAT for the connection.
We offer Frame Relay adapters in two versions, one with a 56K speed limit and one with a T-1
speed limit. Both feature built-in CSU/DSU, with a smart T-1 CSU on the T-1 model.
To the outside world, you appear to have a single IP Address: the IP Address of the NAT
on the Frame Relay link.
How Does This Work?
Your world's workstations and hosts each have a unique IP Address that is used in communication
with others. When a client application wishes to connect to a server, it performs the following
steps:
- creates a "socket" for its use in the connection-to-be,
- puts its IP Address into the "source IP Address" fields of the socket structure,
- makes up a number in the range 1024 through 65534,
- puts this number in the "source Port Number" fields of the structure,
- places the server's IP Address in the "destination" part of the structure,
- puts the service's Port Number in the "destination Port Number" part, and
- opens the connection to the server.
In TCP and UDP, the primary IP protocols in use, a connection is defined by the unique combination
of the four numbers we just saw put into the socket structure. These were:
- Source IP Address (the address of the computer sending the message),
- Source Port Number (for a client, usually 1024 or above),
- Destination IP Address (the address of the computer to receive the message), and
- Destination Port Number (for a server this can be anything below 65,535)
Each end now has a "socket" that may be used to communicate with the other end. People called
it a "socket" to help us visualize its nature. Imagine an old-time telephone switchboard, with
thousands of sockets and a bunch of patch cables. Each socket corresponded to a destination, and
by plugging the correct cable into the correct socket, you could have two-way communication with
that destination.
If the client and server are on your private LAN, the communication happens directly between the
two participants. If the server is not on your LAN, the client will send the connect request to the
NAT instead. The request is still addressed to the ultimate server, but the message goes to the
NAT as your network's default gateway to the outside.
The NetNAT Magic
As the message passes through the NetNAT, the source IP Address is saved and replaced with
the IP Address of the NetNAT's PPP interface. Because the source port may already be in use
by another client, the NetNAT saves the original one and replaces it with a freshly-allocated one
from the NetNAT's pool. Thus, the outside world sees a different IP Address and (probably) a
different port number than were used by the client application.
The opposite occurs on a response. The original IP Address and port are restored to the destination
part of the message header before the message is sent to the client device. The NetNAT maintains
a context block for each active connection. No message from the outside is permitted in unless
it completely matches the characteristics of the connection: the four numbers described above.
The end result is that the Internet sees a single IP Address at your site. You may have thousands
of devices that access the Internet, but nobody will know that but you.
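The translation described in the two sections above (the four-number connection identity, the saved-and-replaced source address and port, the per-connection context block, and the rejection of unmatched inbound messages), modelled as an added example that is not Network Safety's NetNAT code. The addresses, the port pool start and the Packet/NetNatModel names are constructed for illustration.

```python
# Added example (not NetNAT's code): a minimal stateful NAT model.
# Addresses, ports and the pool start are constructed sample values.
from dataclasses import dataclass
from itertools import count


@dataclass(frozen=True)
class Packet:
    """The four numbers that define a TCP/UDP connection."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class NetNatModel:
    """One public address; a context block per active connection."""

    def __init__(self, public_ip, pool_start=40000):
        self.public_ip = public_ip
        self._pool = count(pool_start)   # freshly-allocated outside ports
        # context blocks, keyed by the four-tuple a reply will carry
        self._contexts = {}

    def outbound(self, pkt):
        """Save the client's IP/port, replace them with the NAT's own."""
        nat_port = next(self._pool)      # avoids clashes between clients
        reply_key = (pkt.dst_ip, pkt.dst_port, self.public_ip, nat_port)
        self._contexts[reply_key] = (pkt.src_ip, pkt.src_port)
        return Packet(self.public_ip, nat_port, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt):
        """Restore the original destination, or turn the message aside.

        Returns None when no context block matches all four numbers,
        which is what happens to unsolicited service requests."""
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        ctx = self._contexts.get(key)
        if ctx is None:
            return None
        client_ip, client_port = ctx
        return Packet(pkt.src_ip, pkt.src_port, client_ip, client_port)
```

Two internal clients may pick the same source port (1025 here); the model gives each its own outside port, and a reply to any port without a context block is dropped.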
Special Support
There is always a chance that, by changing the IP Address and/or Port Number, you will no
longer be able to use certain services. We have already built in support for the two most
common of these services:
- FTP - the File Transfer Protocol, and
- RealAudio - the wonderful new audio delivery mechanism.
As we find others, and if they seem destined for greatness, we will try to add support.
This page was last modified on 30 September, 1995.
This information is proprietary to Network Safety. Network
Safety, WebElite, DialNAT and NetNAT are trademarks of Network Safety.