Today's focus: Protecting one LAN from another
I have worked with several firewalls and have not seen one that is focused on protecting one LAN from another LAN. The caveat is that both LANs would need access to the Internet via some additional firewall located on another segment. The firewalls I have worked with assume that you will access the Internet via the existing WAN port on the firewall. If you don't want to do this, that is, you want to push them toward another firewall to go on the Internet, it fails. I realize you can do this with a router and two LAN ports, but I am interested in the doorknob twists and reporting. I was wondering if anyone is deploying this kind of scenario and what product(s) they might be using. -- Chip Gerald
By Ron Nutter - What you are asking to do is becoming more and more common.
You have to protect from hackers from inside your network as well as outside of your network. Novell has shown this as one way to use their Border Manager firewall product for several years.
The main thing that you need to do is to turn off NAT (Network Address Translation) on the firewall servicing a LAN to LAN segment on your network and let it act as the router that it essentially is.
Once you have NAT turned off, make sure that each side of the network can talk to the other. This part has to be working right or when you go to the next step, which involves putting filters in place to allow only the traffic through that you want on a particular segment.
Doing packet filtering, where you only allow the traffic in and out that you want, is an area to proceed carefully in.
I cannot stress strongly enough that if you don't know how to use a protocol analyzer now, spend the time before trying to do packet filtering with a firewall. For standard applications such as SMTP, WWW, etc., you won't need an analyzer to help you set up the filters as a general rule. Where it will come in handy is when you have special applications from companies such as banks that are using different port numbers or use port numbers that can shift.
As to specific product recommendations, talk to the individual vendors themselves to see if they can operate in that environment. You should be able to use vendors such as Cisco, Nortel and Novell to mention just a few of the possibilities that are available.
You can expect to find a wide variety when it comes to reporting. Some vendors will give you a text file that you will have to sift through, where others may be able to talk to a syslog server where you can have a little more control over how the output is formatted.
Ron Nutter is a Master Certified Novell Engineer and Microsoft Certified Systems Engineer in the Lexington, Ky. area. Send questions to mailto:helpdesk@networkref.com.
NW Digital Grease Monkey 10/16/02 Copyright Network World, Inc., 2002
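The answer above describes the three pieces of a LAN-to-LAN firewall: route between the segments without NAT, allow only the traffic you want with a default-deny filter, and get reporting you can feed to a syslog server. The following is an added illustration, not code from the column or from any of the vendors it names: a toy stateless filter in Python with a default-deny allow-list between two constructed segments (192.168.10.0/24 and 192.168.20.0/24), evaluated over constructed packets, that emits one syslog-style line per decision. Packet fields, rule names and the key=value log format are all assumptions chosen for the example.

```python
"""Toy LAN-to-LAN packet filter: no NAT, default deny, allow-list, syslog-style reporting.
Added example; segments, hosts and rules below are constructed, not taken from any product."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

LAN_A = ipaddress.ip_network("192.168.10.0/24")   # constructed segment A (clients)
LAN_B = ipaddress.ip_network("192.168.20.0/24")   # constructed segment B (servers)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str     # "tcp" or "udp"
    dport: int     # destination port


@dataclass(frozen=True)
class Rule:
    name: str
    src_net: ipaddress.IPv4Network
    dst_net: ipaddress.IPv4Network
    proto: str
    dports: frozenset   # allowed destination ports

    def matches(self, p: Packet) -> bool:
        return (ipaddress.ip_address(p.src) in self.src_net
                and ipaddress.ip_address(p.dst) in self.dst_net
                and p.proto == self.proto
                and p.dport in self.dports)


# Allow-list for the segment boundary: LAN A may reach the mail relay (SMTP) and any
# web server on LAN B. Nothing else crosses in either direction (default deny).
RULES: List[Rule] = [
    Rule("a-to-b-smtp", LAN_A, ipaddress.ip_network("192.168.20.25/32"), "tcp", frozenset({25})),
    Rule("a-to-b-web", LAN_A, LAN_B, "tcp", frozenset({80, 443})),
]


def decide(p: Packet, rules: List[Rule] = RULES) -> Optional[str]:
    """Return the name of the first matching allow rule, or None for default deny."""
    for r in rules:
        if r.matches(p):
            return r.name
    return None


def syslog_line(p: Packet, verdict: Optional[str]) -> str:
    """Format one decision as a key=value line a syslog server can sort and filter on."""
    action = "ALLOW" if verdict else "DENY"
    rule = verdict or "default-deny"
    return (f"lan2lan-fw: action={action} rule={rule} "
            f"src={p.src} dst={p.dst} proto={p.proto} dport={p.dport}")


def filter_packets(packets: List[Packet]) -> Tuple[int, int, List[str]]:
    """Evaluate each packet; return (allowed count, denied count, log lines)."""
    allowed = denied = 0
    lines = []
    for p in packets:
        verdict = decide(p)
        if verdict:
            allowed += 1
        else:
            denied += 1
        lines.append(syslog_line(p, verdict))
    return allowed, denied, lines


# Constructed traffic sample crossing the A/B boundary.
SAMPLE_PACKETS = [
    Packet("192.168.10.5", "192.168.20.25", "tcp", 25),    # mail to the relay: allowed
    Packet("192.168.10.7", "192.168.20.80", "tcp", 443),   # HTTPS to a web server: allowed
    Packet("192.168.10.9", "192.168.20.50", "tcp", 445),   # SMB across segments: denied
    Packet("192.168.20.3", "192.168.10.5", "tcp", 80),     # B-to-A not in the allow-list: denied
    Packet("192.168.10.5", "192.168.20.25", "udp", 53),    # DNS to the relay: denied
]

if __name__ == "__main__":
    allowed, denied, log = filter_packets(SAMPLE_PACKETS)
    print("\n".join(log))
    print(f"allowed={allowed} denied={denied}")
```

The denied lines are the ones worth watching in the syslog output: a steady stream of one host probing ports across the boundary is exactly the "inside" activity the answer says a LAN-to-LAN firewall exists to catch.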
Windows XP Voice/Video Conferencing
I've always thought one of the neatest things you could do with an Internet connected computer is voice and video conferencing. The idea of using the Internet as a medium to connect to anybody in the world to have a voice/video conversation seemed to be the height of coolness. For the price of a local telephone call to my ISP, I could circumvent the traditional long distance telephone network and carry on real-time live voice/video calls!
Windows XP takes voice and video conversations to the next level by leveraging two different technologies. You can use the old Microsoft voice/video conferencing stand-by, which is NetMeeting, or you can use the new kid on the block - the MSN Messenger. These two voice/video technologies work in different ways and have slightly different capabilities.
NetMeeting is installed on Windows XP, although you won't see it in the Start menu. You have to search the hard disk to find the conf.exe file and double click that file to get it started. NetMeeting uses a collection of networking protocols known as "H.323". The H.323 protocol "suite" allows you to do all sorts of things, including voice/video communication, instant messaging, file transfer, and application sharing.
The MSN messenger allows you to do the same things you can do with NetMeeting, but it uses a different set of protocols. The primary networking protocol is the Session Initiation Protocol (SIP). Although the MSN Messenger supports the same features as NetMeeting, the MSN Messenger does even more things, such as advanced noise cancellation (which prevents echoes from your speakers) and something called "presence awareness" so that you can find other users easily and make calls to them.
Both NetMeeting and the MSN Messenger work great if both the caller and the callee are directly connected to the Internet. When I say "directly connected" I mean that both computers are connected to their ISPs via a modem or network interface and both computers have a "public" IP address that is accessible to any computer on the Internet. When both computers are directly connected to the Internet, voice/video and data conversations are almost a no-brainer.
You'll run into problems if you want to have voice/video conversations when computers are behind a "NAT" device. Most DSL "routers" are NAT devices. The Windows XP Internet Connection Service (ICS) is also a NAT device. Most standalone firewalls used to protect home and business networks are also NAT devices. In order to use the MSN Messenger and NetMeeting behind a NAT device, you need something called an "Application Layer Gateway (ALG)". For the MSN Messenger, you need a SIP ALG, for NetMeeting you need an H.323 ALG.
There aren't too many places you'll find an H.323 ALG. Microsoft's premiere firewall, Internet Security and Acceleration Server (ISA Server) includes a high quality H.323 ALG. Setting it up can be a complex affair but once you get it going it works great! We describe how to set it up in our ISA Server book "Configuring ISA Server: Creating Firewalls with Windows 2000". Many residential gateway manufacturers, like DLink, are now including software that will allow you to use the MSN Messenger to make voice/video calls to other users. You can also use the Windows XP ICS as your residential gateway and it will handle MSN Messenger voice/video conversations for computers on the network behind it.
The sad thing is almost no one I know takes advantage of these technologies! Every time I suggest that we save some money by using NetMeeting, the other person invariably says "why don't we just use the telephone". Arrgh! The telephone is going to cost us long distance charges! NetMeeting would be free. Maybe this is why the video phone never took hold? But even if the other guy doesn't want to be on video, we could still use just the voice capabilities.
Follow up on Windows XP Voice/Video Conferencing
There's a good number of you who have made the voice/video communications plunge! It was nice to hear so many of you are using the Internet to keep in touch with friends and family. Unfortunately, we heard from an even larger number of people who found voice/video technologies included with Windows XP too complicated and confusing to figure out! Firewalls and NAT routers just made it impossible for most of you to get voice/video services working. I want to thank those of you who suggested the Yahoo Instant Messenger. It turns out the Yahoo Instant Messenger is a lot easier to get working from behind a firewall. If you're going crazy trying to get NetMeeting and the Windows Instant Messenger working, then you should try the Yahoo Instant Messenger and see how that works for you. [Oct 22]
WinXPnews Oct 15, 2002 (Vol. 2, 41 - Issue 47) Copyright Sunbelt Software Distribution, Inc. 1996-2002.
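The column explains that NetMeeting and MSN Messenger break behind NAT unless the gateway has an H.323 or SIP Application Layer Gateway, but not why. The reason is that SIP (and H.323) carry the caller's IP address and media port inside the signalling payload, which a plain NAT device never looks at: only the IP header gets rewritten, so the callee is told to send voice back to an unroutable private address. The following added example, not code from the column or from any Microsoft or D-Link product, builds a constructed SIP INVITE from a client at a private address (192.168.1.10) and shows what a SIP ALG does to it: rewrite the private address in the Via/Contact headers and the SDP o=/c= lines, map the RTP port in the m= line to the port the NAT allocated, and recompute Content-Length because the body changed size. The public address 203.0.113.7, the port mapping and the header values are all constructed.

```python
"""Why NAT breaks SIP calls and what a SIP ALG does. Added example with constructed
addresses and a constructed INVITE; not the ALG of any real firewall or gateway."""
import re
from typing import Dict

PRIVATE_IP = "192.168.1.10"   # constructed: the Messenger client behind the NAT device
PUBLIC_IP = "203.0.113.7"     # constructed: the NAT device's public address


def build_invite(client_ip: str, media_port: int) -> str:
    """Construct a SIP INVITE as a client sends it: its own address sits in Via, Contact
    and the SDP body, so the IP header is not the only place the address appears."""
    sdp_lines = [
        "v=0",
        f"o=alice 2890844526 2890844526 IN IP4 {client_ip}",
        "s=-",
        f"c=IN IP4 {client_ip}",            # where the callee should send RTP media
        "t=0 0",
        f"m=audio {media_port} RTP/AVP 0",  # and on which port
    ]
    body = "\r\n".join(sdp_lines) + "\r\n"
    headers = [
        "INVITE sip:bob@example.net SIP/2.0",
        f"Via: SIP/2.0/UDP {client_ip}:5060;branch=z9hG4bK776asdhds",
        "From: <sip:alice@example.net>;tag=1928301774",
        "To: <sip:bob@example.net>",
        "Call-ID: a84b4c76e66710@alice-pc",
        "CSeq: 314159 INVITE",
        f"Contact: <sip:alice@{client_ip}:5060>",
        "Content-Type: application/sdp",
        f"Content-Length: {len(body.encode())}",
    ]
    return "\r\n".join(headers) + "\r\n\r\n" + body


SIP_INVITE = build_invite(PRIVATE_IP, 49170)   # constructed message leaving the client


def payload_carries(msg: str, ip: str) -> bool:
    """True when the address is still inside the SIP/SDP payload. A plain NAT leaves it
    there, which is why the far end replies to an unroutable private address."""
    return ip in msg


def sip_alg(msg: str, private_ip: str, public_ip: str, port_map: Dict[int, int]) -> str:
    """Rewrite the payload the way a SIP ALG on the NAT device does."""
    headers, body = msg.split("\r\n\r\n", 1)
    new_headers = []
    for line in headers.split("\r\n"):
        if line.startswith(("Via:", "Contact:")):
            line = line.replace(private_ip, public_ip)
        new_headers.append(line)
    new_body_lines = []
    for line in body.split("\r\n"):
        if line.startswith(("o=", "c=")):
            line = line.replace(private_ip, public_ip)
        m = re.match(r"^m=(\w+) (\d+) (.*)$", line)
        if m and int(m.group(2)) in port_map:
            # The NAT allocated a public port for the RTP stream; advertise that one.
            line = f"m={m.group(1)} {port_map[int(m.group(2))]} {m.group(3)}"
        new_body_lines.append(line)
    new_body = "\r\n".join(new_body_lines)
    # The body length changed, so Content-Length must be recomputed or the message is corrupt.
    new_headers = [f"Content-Length: {len(new_body.encode())}" if h.startswith("Content-Length:") else h
                   for h in new_headers]
    return "\r\n".join(new_headers) + "\r\n\r\n" + new_body


def content_length_ok(msg: str) -> bool:
    """Check that the declared Content-Length matches the actual body size."""
    headers, body = msg.split("\r\n\r\n", 1)
    declared = int(re.search(r"Content-Length: (\d+)", headers).group(1))
    return declared == len(body.encode())


if __name__ == "__main__":
    print(SIP_INVITE)
    print(sip_alg(SIP_INVITE, PRIVATE_IP, PUBLIC_IP, {49170: 30000}))
```

Two things the example makes visible that the column only alludes to: the ALG has to understand the protocol (headers, SDP syntax, Content-Length), which is why so few gateways shipped one, and the RTP port mapping in the m= line is a pinhole the NAT must open and later close, which is the state a firewall has to track for the call to work at all.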
Instant Access to your Desktop Icons
Are you the sort of computer user who likes to have 10 windows open at the same time? Browser windows seem to pop up out of nowhere and then there's the email program, the word-processing program, the media player and more. The problem with running all these programs at the same time is you often have to minimize everything to get to an icon on your desktop. Then you lose the order of your windows! What if you could get two-click access to those desktop icons without minimizing a single window? Check this out:
- Right click on an empty area of the Taskbar, point to Toolbars and click Desktop.
- You'll see a new toolbar called Desktop. On that toolbar you'll see a list of all the icons you have on your desktop. Just click one of the icons and it opens the file or application.
It doesn't get much easier than that!
WinXPnews Oct 15, 2002 (Vol. 2, 41 - Issue 47) Copyright Sunbelt Software Distribution, Inc. 1996-2002.
© Copyright 2002 Eric Hartwell. Last update: 11/4/2002; 5:45:30 PM.
This theme is based on the SoundWaves (blue) Manila theme.
"Data! data! data!" he cried impatiently. "I can't make bricks without clay."
— Sherlock Holmes to Dr. Watson in "The Adventure of the Copper Beeches" by Arthur Conan Doyle.
"I like deadlines," cartoonist Scott Adams once said. "I especially like the whooshing sound they make as they fly by."
"There is nothing like that feeling of spending days and days banging your head against a wall trying to solve a programming problem then suddenly finding that one tiny obscure and seemingly unrelated piece of the puzzle that unlocks the solution. Oh yeah!"
- Chris Maunder, CodeProject Newsletter 28 Jan 2002
"Management at eSnipe, which is me, is also feeling the pain of the 2002 bear market. So rather than pout about it, I bought some stuff on eBay that I really didn't need, but made me feel better."
- Tom Campbell, president of eSnipe