Internet Identification
More than likely, you have one of the following types of Internet
access:
o Method 1: Workstation dialup connections only (see Figure 19.1).
Figure 19.1 A workstation dialing up to a typical Internet
service provider.
o Method 2: Firewall or proxy direct to ISP (see Figure
19.2).
Figure 19.2 A firewall or proxy server located on your network
that's connected to the ISP.
o Method 3: ISP router only, no firewall (see Figure 19.3).
Figure 19.3 A router connecting a network directly to an ISP
and therefore directly to the Internet (this method is becoming
rare due to security concerns).
o Method 4: Firewall or proxy, DMZ (demilitarized zone)
network to ISP router (see Figure 19.4).
Figure 19.4 A typical demilitarized zone setup allows for
"permissive" access to public access servers.
It's important to identify what type of connection you have. How do
you find out? Well, method 1 is pretty easy: if you use Windows dialup
networking to connect to the Internet, you usually hear a modem dial
and you see the dialup networking dialog box before you connect (see
Figure 19.5). A dialup connection makes you a "connection unto
yourself," and you're actually classified as a method 3 (a direct
connection to your ISP with no firewall). In other words, unless your
workstation acts as a router (Windows 95 cannot, and Windows NT must
be configured to do so), nobody else on your network can avail
themselves of your Internet connection. (If you do decide to use NT as
a cheap router to your ISP, remember that your connection is
classified as method 3: you do not have a firewall protecting your
network. Beware!)
Figure 19.5 The dialup networking dialog box.
In general, the first steps for troubleshooting this method of
Internet connectivity are pretty easy: you either make the connection
or you don't! In most cases, being "down" is due to the ISP's
equipment or the telephone company. (Having problems after you
connect? See "Here I Ping Again," later in this chapter.)
In contrast, if you use methods 2 through 4, you don't usually do
anything more than log in to your workstation; the local area network
is used as the onramp.
Method 2 is one of the more common configurations, particularly if
your ISP hosts your Web pages (that is, it runs a server that your Web
pages live on, without you needing to run your own Web server). This
is a particularly easy way to do things for a small-to-medium sized
shop; you only need a wide-area connection (dialup or leased) from the
firewall or proxy to your ISP.
Method 3 is sort of unusual. It implies that the user either doesn't
care about security (possible, I suppose) or that security is taken care
of in the ISP's shop. Although there are still some folks in the
United States who don't lock their doors, their numbers are dwindling;
so, too, are those who don't have their own firewall.
Method 4 tends to be the norm for most larger shops. What does the
presence of an intermediate network, or "demilitarized zone" (DMZ),
mean? Machines that don't have to be absolutely and totally secure
can be placed on the outside network and made available for
outside Internet users. The fact that they're "in front" of the
firewall or "on the side" of the firewall means that they're treated
separately from the production network.
______________________________________________________________
If an outside machine is "on the side" of the firewall, it means
that you need outside users to get to the server, but you also want
those users to be restricted in some way. Instead of having to
configure many servers, you just need to configure the firewall to
only allow certain traffic. For example, you might allow FTP
sessions from the outside world to get to the FTP server at point B
in Figure 19.4 but not allow anything else from the outside.
When a server is "in front" of the firewall, it means that the
firewall is not protecting the server at all. Sometimes this is
done because the firewall would impede the function of the server.
For example, because a proxy server requires a proxy client, it
would be impractical in this case to use a "side" DMZ for machines
meant for public access. In this case, a front DMZ would mean that
Internet traffic could reach public access machines without being
hindered by the proxy server.
______________________________________________________________
An outside DMZ is cool, because you can walk up to the hub that it's
on and monitor your traffic as well as check or use intruder detection
software to see if unwanted folks are probing your network. More
importantly for our purposes, you can hook a network analyzer or a
regular old Windows 95 laptop to it and troubleshoot unhindered by
possible firewall restrictions. (Refer to point A in Figure 19.4.)
______________________________________________________________
Even if you have a proxy server that will not pass ping packets,
traceroutes, or DNS lookups, you can plug into your DMZ segment and
troubleshoot your little heart out because you're bypassing the
firewall.
______________________________________________________________
Seven Years of Plenty...
Once you've identified your firewall type, it's really
important, before trouble strikes, to try the troubleshooting techniques
presented in this hour so that you can know what works and what
doesn't work during a "normal" period.
If you don't figure out what's normal for your shop, how will you know
when it's broken? In other words, if you have a proxy server that
doesn't allow ping, you're never going to be able to ping, so
attempting to ping during an outage will gain you no knowledge.
However, if you know that ping typically does work through your
firewall, then during an outage, if you're not able to ping through
your firewall, you might suspect that either the firewall is down or
that the link (Ethernet or leased line) to your provider's router is
down. You can then investigate appropriately.
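One way to capture what's "normal" and compare against it during an
outage is sketched below. This is an added example, not code from the
book; the host name, the baseline file name, and the choice of three
probes (ping, DNS, TCP port 80) are assumptions. It goes one step
beyond the text by also flagging a check that was blocked at baseline
but now passes, which is worth a look at the firewall rules.

```python
import json, socket, subprocess, sys

HOST = "example.com"             # assumption: an outside host you normally reach
BASELINE_FILE = "baseline.json"  # assumption: where the "normal" results are kept

def ping_ok(host):
    # One echo request; the exit status is a coarse reachable/unreachable signal.
    count = "-n" if sys.platform.startswith("win") else "-c"
    try:
        return subprocess.run(["ping", count, "1", host],
                              capture_output=True, timeout=10).returncode == 0
    except (OSError, subprocess.TimeoutExpired):
        return False

def dns_ok(host):
    try:
        socket.gethostbyname(host)
        return True
    except OSError:
        return False

def tcp_ok(host, port=80):
    try:
        with socket.create_connection((host, port), timeout=5):
            return True
    except OSError:
        return False

def run_probes(host=HOST):
    return {"ping": ping_ok(host), "dns": dns_ok(host), "tcp80": tcp_ok(host)}

def compare(baseline, current):
    """Judge each check against what was normal for this shop."""
    verdicts = {}
    for name, was_ok in baseline.items():
        now_ok = current.get(name, False)
        if was_ok and now_ok:
            verdicts[name] = "normal"
        elif was_ok:
            verdicts[name] = "regression"     # worked before: suspect firewall or ISP link
        elif now_ok:
            verdicts[name] = "policy-change"  # blocked before, passes now: review firewall rules
        else:
            verdicts[name] = "uninformative"  # never worked here, so failure tells you nothing
    return verdicts

if __name__ == "__main__":
    if sys.argv[1:] == ["save"]:              # run during a normal period
        with open(BASELINE_FILE, "w") as f:
            json.dump(run_probes(), f)
    else:                                     # run during an outage
        with open(BASELINE_FILE) as f:
            print(compare(json.load(f), run_probes()))
```

Run it once with the argument "save" while everything works, then
with no argument when trouble strikes.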