EZLAN.NET
Copyright © 2001-2008

Hardware and Software Specifications, Examples, Links, and other info. are valid at the publishing time. In case it become invalid use the Internet Search.

1st Published, Dec. 2004

Over 9,000,000 Hits Site Wide in 2007

 

 

 

 

Cable/DSL Routers - NAT, Open Ports, DMZ, SPI.

If your are familiar with sharing Internet connection, and the use of a Cable/DSL Router you can skip the following three links, otherwise please read first the content of the following three links.

There are few ways to share Internet (The three pages bellow were written by me ages ago. You might ignore the prices, and the Brand recommendations, but the principles are still the same).

Link to:  Basic Options for Internet Connection Sharing.

Link to:  Hubs, routers, switches, DSL, LANs, WANs...?

Link to:  Diagram of  Broadband Internet Connection with Cable/DSL Router.

 I would suggest to every one with Broadband Internet Connection (Cable or DSL) to use a Cable/DSL Router even if you do not have a Network and you are using only one computer connected to the Internet.      

You can find Wired Entry Level Cable/DSL Router (2005) on sale for less than $15.  This small expense gets you a Hardware firewall that would be the foundation of Protecting your computer system.

Cable/DSL Routers main function is to provide Network Address Translation (NAT). It is necessary to provide NAT when you share one Internet connection between few computers so that each computer will send, and receive the Internet information that belongs to it.

A by product of this NAT is simple but effective Firewall.

NAT is implemented in a way that each computer can get only the info that was requested from inside of the LAN. As a result "rouge" info. from the Internet can not get in (since it was not requested). The NAT Firewall just blocks en-mass every thing that tries to come in none requested.

In these days many people use the Internet for variety of applications like: Home Web/Mail Server, Remote Control of other computers over the Internet, Online Games, etc.

Many of these applications work through ports that are closed by the Routers, and software Firewall.  If you are using such applications you need to set the Router to work correctly with the Ports rules.  The general terms used for this is Port Opening or Port Forwarding.

So what do you do if you want a system that can answer request coming independently in from the Internet?

DMZ , or the "Shut Gun" approach. Each Cable/DSL Router allows you to put one computer on the DMZ (De Militarized Zone), i.e. no military no one is protecting you.  Under this setting one of your Network computers is out in front of the Firewall, thus all the ports are Opened. Be careful while being on the DMZ the computer and its content is exposed to the Internet

Port Opening - A more common and secure approach is to open Individual  Ports that are used by your Internet capable applications.


E.g. In a case you want to keep an ftp server, to let your friends download files via the Internet, you open the ftp ports and info can come in through this port regardless of the NAT (e.g. for ftp you open port 20 and 21).

Port Range - Most Routers let you define a range of ports to be kept open (e.g. 5000-6000).

Port Triggering - Some applications connect to the Internet by using port X expecting an answer through port Y. Port Triggering makes sure that port Y is available to receive the answer.

The way to open a port depends on the Router, and or Firewall program. Each manufacture  has his own  "Shticks" to go about it. Each one has his way of organizing the Menus. You  have to read the Manual in order to know how to do it

 The term that it is referred to could be Port Mapping, Port Opening, etc. In a Virtual Server. 


List of ports that are associated with various applications can be found here:

Link to: Special Applications - Port List.

This Site has Port Opening instructions for many Cable/DSL Routers.

Link to: PortForward.com

More Recent Cable/DSL Router are also capable to Inspect the Internet traffic, it call Statefull Packets Inspection (SPI).  SPI actually examinations the Network Outbound/Inbound Packets, thus can make a content decision.

The following is an Example of the SPI help file on my Router (SMC Barricade).

Allow all to pass except those match the specified rules
Deny all to pass except those match the specified rules
You can specify 8 rules for each directions: inbound or outbound. For each rule, you can define the following:
Source IP address
Source port address
Destination IP address
Destination port address
Protocol: TCP or UDP or both.
For source or destination IP address, you can define a single IP address (4.3.2.1) or a range of IP addresses (4.3.2.1-4.3.2.254). An empty implies all IP addresses.

Each rule can be enabled or disabled individually.

A more elaborate SPI , might help businesses to control their employs “recreational” surfing, or can help parents to better protect their kids.

VPN.

Many of the old Routers actually interfere with the VPN.

More recent Routers are VPN through. I.e. they allow the VPN traffic to go through but do not participate in the process of the VPN.

Few Routers (D-Link & Linksys has few models) are actually VPN End Point. I.e. they do in Hardware the Server part of the VPN.  If you are a serious VPN user you look into one of the VPN End Point Routers.

About UPnP you can read here: Universal Plug n' Play.

More about protection here:

Basic Protection for Broadband Internet Installation.

Internet infestation

Copyright © 2001-2008 EZLAN.NET.  All Rights Reserved.
 Home