Internal Clients Only
Dial Access
This class of site either has an IP Network with clients and possibly some hosts, or is preparing
to install one, but in either case has no intention of providing services to the outside world.
Access to the Internet is by way of a Demand-Dial PPP connection, so that the costs of a leased
line, DSU and dedicated router are avoided.
There may be Internet-style services available internally, but the desire is to spend no time
worrying about prying eyes on the outside.
For this site, Network Safety has a real solution.
- If you have no existing IP Network, fetch and read RFC 1597, which sets aside blocks of
addresses for private networks that are never routed on the Internet. You will wish to use one of
the sixteen Class B Networks it reserves (172.16.0.0 through 172.31.0.0). Network Safety has a
short summary version of the document available for you. If
you purchase hardware or services from us, we will help select and subnet a network for you.
- Contact several local Internet Service Providers in your area and select one that you feel
will be responsive to your needs.
- If you purchase one of our Dial Firewall NAT devices, request the smallest allocation that your
ISP can provide; a single IP Address is all the DialNAT needs. All of your clients will share that
one address for everything that they do. The RFC 1597 addresses you use internally are never
seen on the outside.
- Install our Firewall NAT, configuring the external interface to the IP Address given to you by
your ISP, and configuring the internal interface IP Address to an address from the IP Network
you are using for your clients.
- Configure your clients (via BOOTP or DHCP, we hope) to use the NAT's internal interface address
as the default gateway for your internal network. In this way, any request that needs to go "out"
will do so by way of the NAT, while traffic between two internal machines never touches it. A
brief discussion of IP Routing is provided to help you understand the "default gateway" concept.
This is how your network appears in this configuration. Our DialNAT
connects you to your Internet Services Provider when your users attempt to use the Internet.
You may order your DialNAT with an internal modem, or add an external modem of your choice
for the dial line, or use our new ISDN interface. The DialNAT establishes the connection when
needed and lets your internal clients reach the Internet, while turning aside all service requests
from the outside.
The "Private Net" LAN segment is within your facility. This segment is your world, with your
internal clients and hosts.
To the outside world, you appear to have a single IP Address: the IP Address of the DialNAT's
PPP Interface.
How Does This Work?
Your world's workstations and hosts each have a unique IP Address that is used in communication
with others. When a client application wishes to connect to a server, it performs the following
steps:
- creates a "socket" for its use in the connection-to-be,
- puts its own IP Address into the "source IP Address" field of the socket structure,
- picks a number in the range 1024 through 65535 that it is not already using,
- puts this number in the "source Port Number" field of the structure,
- places the server's IP Address in the "destination IP Address" part of the structure,
- puts the service's Port Number in the "destination Port Number" part, and
- opens the connection to the server.
In TCP and UDP, the two transport protocols that carry nearly all IP traffic, a connection is
identified by the unique combination of the four numbers we just saw put into the socket structure
(together with the protocol itself, TCP or UDP). These were:
- Source IP Address (the address of the computer sending the message),
- Source Port Number (for a client, usually 1024 or above),
- Destination IP Address (the address of the computer to receive the message), and
- Destination Port Number (any port from 1 through 65535; well-known services such as FTP,
telnet and HTTP sit below 1024).
Each end now has a "socket" that may be used to communicate with the other end. The name was
chosen to help us visualize its nature. Imagine an old-time telephone switchboard, with
thousands of sockets and a bunch of patch cables. Each socket corresponded to a destination, and
by plugging the correct cable into the correct socket, you could have two-way communication with
that destination.
If the client and server are both on your private LAN, the communication happens directly between
the two participants. If the server is not on your LAN, the client sends the connect request to the
NAT instead. The request is still addressed to the ultimate server, but the message goes to the
NAT because it is your network's default gateway to the outside.
The DialNAT Magic
As the message passes through the DialNAT, the source IP Address is saved and replaced with
the IP Address of the DialNAT's PPP interface. Because the client's source port may already be in
use by another client behind that same address, the DialNAT saves the original one and replaces it
with a freshly-allocated port from the DialNAT's own pool. Thus the outside world sees a different
IP Address and (probably) a different port number than the client application used.
The opposite occurs on a response. The original IP Address and port are restored to the destination
part of the message header before the message is sent to the client device. The DialNAT maintains
a context block for each active connection, and no message from the outside is permitted in unless
it completely matches that connection's characteristics: the four numbers described above. A
packet that matches no context block, such as a connection attempt from outside aimed at a port on
the DialNAT itself, has nowhere to go and is discarded.
The end result is that the Internet sees a single IP Address at your site. You may have hundreds
of devices that access the Internet, but nobody will know that but you.
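The translation just described can be modelled in a few dozen lines. The following is an added
illustration written for this page, not the DialNAT's own software: it keeps one context block per
connection, hands out a fresh external port on the way out (so two clients that happen to pick the
same source port do not collide), restores the client's address and port on the way back, and drops
anything from outside that does not match all four numbers of an existing context block. The
addresses 203.0.113.5 (the PPP interface), 172.16.1.x (RFC 1597 clients) and 198.51.100.7 (a remote
server) are constructed for the example, and the port pool bounds are arbitrary assumptions.

```python
"""Toy model of the DialNAT translation table (added example, not product code):
one external address, a context block per connection, fresh external ports on
the way out, and a strict four-number match on the way back in."""
from collections import namedtuple

# Constructed packet header holding only the fields the NAT looks at.
Packet = namedtuple("Packet", "proto src_ip src_port dst_ip dst_port")


class DialNat:
    def __init__(self, external_ip, pool_start=40000, pool_end=65535):
        self.external_ip = external_ip                  # address of the PPP interface
        self._free = list(range(pool_start, pool_end + 1))  # assumed port pool
        # Context blocks, indexed in both directions so each lookup is one dict hit.
        self._out = {}  # (proto, src_ip, src_port, dst_ip, dst_port) -> ext_port
        self._in = {}   # (proto, server_ip, server_port, ext_port) -> (client_ip, client_port)

    def outbound(self, pkt):
        """Rewrite a client packet heading for the Internet and record its context."""
        key = (pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        ext_port = self._out.get(key)
        if ext_port is None:
            if not self._free:
                raise RuntimeError("port pool exhausted")
            ext_port = self._free.pop(0)  # always a fresh port, never the client's own
            self._out[key] = ext_port
            self._in[(pkt.proto, pkt.dst_ip, pkt.dst_port, ext_port)] = (pkt.src_ip, pkt.src_port)
        return pkt._replace(src_ip=self.external_ip, src_port=ext_port)

    def inbound(self, pkt):
        """Rewrite a packet arriving from the Internet, or return None to drop it."""
        if pkt.dst_ip != self.external_ip:
            return None
        ctx = self._in.get((pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_port))
        if ctx is None:
            return None  # no context block: unsolicited, turned aside
        client_ip, client_port = ctx
        return pkt._replace(dst_ip=client_ip, dst_port=client_port)

    def active_connections(self):
        return len(self._out)


def demo():
    """Two clients picking the same source port, one reply, two rejected probes."""
    nat = DialNat("203.0.113.5")
    a = Packet("tcp", "172.16.1.10", 1500, "198.51.100.7", 80)
    b = Packet("tcp", "172.16.1.11", 1500, "198.51.100.7", 80)  # same source port as a
    a_out, b_out = nat.outbound(a), nat.outbound(b)
    reply_to_b = Packet("tcp", "198.51.100.7", 80, nat.external_ip, b_out.src_port)
    telnet_probe = Packet("tcp", "192.0.2.99", 3333, nat.external_ip, 23)
    wrong_source = Packet("tcp", "192.0.2.99", 80, nat.external_ip, a_out.src_port)
    back = nat.inbound(reply_to_b)
    return {
        "a_ext": (a_out.src_ip, a_out.src_port),
        "b_ext": (b_out.src_ip, b_out.src_port),
        "b_reply_delivered_to": (back.dst_ip, back.dst_port) if back else None,
        "probe_dropped": nat.inbound(telnet_probe) is None,
        "wrong_source_dropped": nat.inbound(wrong_source) is None,
        "contexts": nat.active_connections(),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The two probes at the end are the point of the "context block" rule: a bare connection attempt to
port 23 matches nothing, and a packet with the right external port but the wrong source address
matches nothing either, so both are dropped without the client ever seeing them.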
Special Support
Some services carry an IP Address or Port Number inside the application data itself, not only in
the packet headers, so translating the headers alone is not enough: the address the remote side
reads out of the data is a private one it cannot reach. We have already built in support for the
two most common of these services:
- FTP - the File Transfer Protocol, whose PORT command tells the server where to open the data
connection, and
- RealAudio - the wonderful new audio delivery mechanism.
As we find others, and if they seem destined for greatness, we will try to add support.
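To see why FTP needs the extra support, here is an added example (again written for this page, not
the DialNAT's own code) of what the helper for FTP's active mode has to do. The client's PORT
command names the client's own private address and a port it is listening on; the helper rewrites
that to the PPP interface address and a port from its pool, and remembers the mapping so that when
the server later opens the data connection to that external port, the connection can be let in and
steered to the client. The external address 203.0.113.5, the client 172.16.1.10 and the pool start
of 50000 are constructed assumptions.

```python
"""FTP PORT rewriting for active-mode transfers (added example, not product code).
The PORT argument is h1,h2,h3,h4,p1,p2: the four address octets, then the
port as high byte and low byte."""
import re

PORT_RE = re.compile(r"^PORT (\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\r?\n?$")


def parse_port(line):
    """Return (ip, port) from an FTP PORT command line, or None if it is not one."""
    m = PORT_RE.match(line)
    if m is None:
        return None
    fields = [int(x) for x in m.groups()]
    if any(x > 255 for x in fields):
        return None  # malformed: every field is one byte
    return ".".join(str(x) for x in fields[:4]), fields[4] * 256 + fields[5]


def format_port(ip, port):
    """Build a PORT command line for the given address and port."""
    return "PORT %s,%d,%d\r\n" % (ip.replace(".", ","), port // 256, port % 256)


class FtpPortHelper:
    def __init__(self, external_ip, pool_start=50000):
        self.external_ip = external_ip
        self._next = pool_start              # assumed pool of external data ports
        self._expected = {}                  # ext_port -> (client_ip, client_port)

    def rewrite_command(self, line, client_ip):
        """Rewrite one control-channel line sent by client_ip. None means drop it."""
        parsed = parse_port(line)
        if parsed is None:
            return line                      # not a PORT command: pass through untouched
        ip, port = parsed
        if ip != client_ip:
            return None                      # client asked the server to connect somewhere else
        ext_port = self._next
        self._next += 1
        self._expected[ext_port] = (ip, port)
        return format_port(self.external_ip, ext_port)

    def accept_data_connection(self, ext_port):
        """Server has connected to ext_port: return the client target, once, or None."""
        return self._expected.pop(ext_port, None)


if __name__ == "__main__":
    helper = FtpPortHelper("203.0.113.5")
    print(helper.rewrite_command("PORT 172,16,1,10,7,209\r\n", "172.16.1.10").strip())
    print(helper.accept_data_connection(50000))
```

The check that the embedded address equals the address the command actually came from matters:
without it a client could ask a remote server to open a connection to some other internal machine,
which is exactly the sort of inbound traffic the DialNAT exists to turn aside.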
This page was last modified on 30 September, 1995.
This information is proprietary to Network Safety. Network
Safety, WebElite, DialNAT and NetNAT are trademarks of Network Safety.
For information on our products and services,
please contact our sales department.
This page was prepared using WebElite, our professional editor for the Web.