If you've ever used the Internet, it's a good bet that you've used the Domain Name
System, or DNS, even without realizing it. DNS is a protocol within the set of standards
for how computers exchange data on the Internet and on many private networks, known
as the TCP/IP protocol suite. Its basic job is to turn a user-friendly domain name like
"howstuffworks.com" into an Internet Protocol (IP) address like 70.42.251.42 that
computers use to identify each other on the network. It's like your computer's GPS for
the Internet.
Computers and other network devices on the Internet use an IP address to route your
request to the site you're trying to reach. This is similar to dialing a phone number to
connect to the person you're trying to call. Thanks to DNS, though, you don't have to
keep your own address book of IP addresses. Instead, you just connect through a domain
name server, also called a DNS server or name server, which manages a massive
database that maps domain names to IP addresses.
Whether you're accessing a Web site or sending e-mail, your computer uses a DNS server to look up the domain name you're trying to access. The proper term for this process is DNS name resolution, and you would say that the DNS server resolves the domain name to the IP address. For example, when you enter "http://www.howstuffworks.com" in your browser, part of the network connection includes resolving the domain name "howstuffworks.com" into an IP address, like 70.42.251.42, for HowStuffWorks' Web servers.
Without DNS servers, the Internet would shut down very quickly. But how does your
computer know what DNS server to use? Typically, when you connect to your home
network, Internet service provider (ISP) or WiFi network, the modem or router that
assigns your computer's network address also sends some important network
configuration information to your computer or mobile device. That configuration includes one or more DNS servers that the device should use when translating DNS names to IP addresses.
So far, you've read about some important DNS basics. The rest of this article dives
deeper into domain name servers and name resolution. It even includes an introduction
to managing your own DNS server. Let's start by looking at how IP addresses are
structured and how that's important to the name resolution process.
There are billions of IP addresses currently in use, and most machines have a
human-readable name as well.
DNS servers (cumulatively) are processing billions of requests across the Internet
at any given time.
Millions of people are adding and changing domain names and IP addresses each
day.
With so much to handle, DNS servers rely on network efficiency and Internet protocols.
Part of the IP's effectiveness is that each machine on a network has a unique IP address
in both the IPV4 and IPV6 standards managed by the Internet Assigned Numbers
Authority (IANA). Here are some ways to recognize an IP address:
An IP address in the IPV4 standard has four numbers separated by three decimal points, as in: 70.74.251.42
An IP address in the IPV6 standard has eight hexadecimal numbers (base-16)
separated by colons, as in 2001:0cb8:85a3:0000:0000:8a2e:0370:7334. Because
IPV6 is still a very new standard, we'll concentrate on the more common IPV4 for
this article.
Each number in an IPV4 address is called an "octet" because it's the base-10 equivalent of an 8-digit base-2 (binary) number used in routing network traffic. For example, the octet written as 42 stands for 00101010. Each digit in the binary number is the placeholder for a certain power of two from 2^0 to 2^7, reading from right to left. That means that in 00101010, you have one each of 2^1, 2^3 and 2^5. So, to get the base-10 equivalent, just add 2^1 + 2^3 + 2^5 = 2 + 8 + 32 = 42. For more about how IP addresses are constructed, see our article "What is an IP address?"
There are only 256 possibilities for the value of each octet: the numbers 0 through 255.
Certain addresses and ranges are designated by the IANA as reserved IP
addresses, which means they have a specific job in IP. For example, the IP address
127.0.0.1 is reserved to identify the computer you're currently using. So, talking to
127.0.0.1 is just talking to yourself!
Where does your computer's IP address come from? If we're talking about your desktop
or laptop computer, it probably comes from a Dynamic Host Configuration Protocol
(DHCP) server on your network. The job of a DHCP server is to make sure your computer
has the IP address and other network configuration it needs whenever you're online.
Because this is "dynamic," the IP address for your computer will probably change from
time to time, such as when you shut down your computer for a few days. As the user,
you'll probably never notice all this taking place. See the sidebar on this page for hints
on where to find the IP address assigned to your computer or mobile device.
Web servers and other computers that need a consistent point of contact use static IP
addresses. This means that the same IP address is always assigned to that system's
network interface when it's online. To make sure that interface always gets the same IP
address, IP associates the address with the Media Access Control (MAC) address for that
network interface. Every network interface, both wired and wireless, has a unique MAC
address embedded in it by the manufacturer.
Windows -- Though you can click through the user interface to find your network
interface settings, one quick way to find your IP address is to open the Command
Prompt application from Accessories and enter this command: ipconfig
Mac -- Open your System Preferences, click Network, be sure your current network
connection (with the green dot beside it) is selected, click Advanced, and click the
TCP/IP tab.
Linux or UNIX -- If you don't already have a command prompt, open a terminal application, such as XTERM or iTerm. At the command prompt, enter this command: ifconfig
Smartphones using WiFi -- Look at your phone's network settings. This will vary depending on the phone and the version of its operating system.
Note that if you're on a home or small local network, your address will probably be in the
form 192.168.x.x, 172.16.x.x or 10.x.x.x (where x is a number between 0 and 255).
These are reserved addresses used on each local network, and a router on that network
then connects you to the Internet.
For more information on IP addresses, see the IANA, operated by the Internet Corporation
for Assigned Names and Numbers (ICANN). Now, though, let's look at the other side of
the DNS equation: domain names.
Domain Names
If we had to remember the IP addresses of all our favorite Web sites, we'd probably go
nuts! Human beings are just not that good at remembering strings of numbers. We are
good at remembering words, however, and that is where domain names come in. You
probably have hundreds of domain names stored in your head, such as:
US, UK, RU and other two-letter country codes -- each is assigned to a domain
name authority in the respective country
In a domain name, each word and dot combination you add before a top-level domain
indicates a level in the domain structure. Each level refers to a server or a group of
servers that manage that domain level. For example, "howstuffworks" in our domain
name is a second-level domain off the COM top-level domain. An organization may have
a hierarchy of sub-domains further organizing its Internet presence, like "bbc.co.uk"
which is the BBC's domain under CO, an additional level created by the domain name
authority responsible for the UK country code.
The left-most word in the domain name, such as www or mail, is a host name. It specifies
the name of a specific machine (with a specific IP address) in a domain, typically
dedicated to a specific purpose. A given domain can potentially contain millions of host
names as long as they're all unique to that domain.
Because all of the names in a given domain need to be unique, there has to be some way to control the list and make sure no duplicates arise. That's where registrars come in. A registrar is an authority that can assign domain names directly under one or more top-level domains and register them with InterNIC, a service of ICANN, which enforces uniqueness of domain names across the Internet. Each domain registration becomes part of a central domain registration database known as the whois database. Network Solutions, Inc. (NSI) was one of the first registrars, and today companies like GoDaddy.com offer domain registration in addition to many other Web site and domain management services. [source: InterNIC]
What's in a name? For your domain, the name could make a difference in whether people remember or want to visit your Web site.
Later, when we look at how to create a domain name, we'll see that part of registering a
domain requires identifying one or more name servers (DNS servers) that have the
authority to resolve the host names and sub-domains in that domain. Typically, you
would do this through a hosting service, which has its own DNS servers. Next, we'll look
at how these DNS servers manage your domain, and how DNS servers across the
Internet work together to ensure traffic is routed properly between IP addresses.
Because managing DNS seems like such a big job, most people tend to leave it to the IT
professionals. However, by learning a little bit about how DNS works and how DNS
servers are distributed across the Internet, you can manage DNS with confidence. The
first thing to know is what the purpose of a DNS server is on the network where it
resides. A DNS server will have one of the following as its primary task:
Maintain a small database of domain names and IP addresses most often used on
its own network, and delegate name resolution for all other names to other DNS
servers on the Internet.
Pair IP addresses with all hosts and sub-domains for which that DNS server has
authority.
DNS servers that perform the first task are normally managed by your Internet service
provider (ISP). As mentioned earlier, the ISP's DNS server is part of the network
configuration you get from DHCP as soon as you go online. These servers reside in your
ISP's data centers, and they handle requests as follows:
If it has the domain name and IP address in its database, it resolves the name
itself.
If it doesn't have the domain name and IP address in its database, it contacts
another DNS server on the Internet. It may have to do this multiple times.
If it has to contact another DNS server, it caches the lookup results for a limited
time so it can quickly resolve subsequent requests to the same domain name.
If it has no luck finding the domain name after a reasonable search, it returns an
error indicating that the name is invalid or doesn't exist.
The second category of DNS servers mentioned above is typically associated with Web,
mail and other Internet domain hosting services. Though some hardcore IT gurus set up
and manage their own DNS servers, hosting services have made DNS management
much easier for the less technical audience. A DNS server that manages a specific
domain is called the start of authority (SOA) for that domain. Over time, the results from
looking up hosts at the SOA will propagate to other DNS servers, which in turn propagate
to other DNS servers, and so on across the Internet.
This propagation is a result of each DNS server caching the lookup result for a limited
time, known as its Time To Live (TTL), ranging from a few minutes to a few days. People
managing a DNS server can configure its TTL, so TTL values will vary across the Internet.
So, each time you look up "www.howstuffworks.com," it's possible that the DNS server
for your ISP will find the lookup results "70.42.251.42" in its own cache if you or someone
else using that server looked for it before within the server's TTL.
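The resolver behaviour described above (answer from cache while the TTL holds, otherwise ask another server, and report an error when nobody knows the name), as an added Python model that is not part of the original article. The authoritative data and TTLs are constructed; a clock value is passed in so the TTL expiry is reproducible.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Constructed stand-in for "another DNS server on the Internet": name -> (address, TTL seconds).
# The addresses are the ones quoted in the article; the TTL values are assumed.
UPSTREAM: Dict[str, Tuple[str, int]] = {
    "www.howstuffworks.com": ("70.42.251.42", 300),
    "mail.howstuffworks.com": ("209.170.137.42", 3600),
}


class NameNotFound(Exception):
    """Raised when no server could resolve the name (the article's 'invalid or doesn't exist')."""


@dataclass
class CacheEntry:
    address: str
    expires_at: float  # absolute time; the entry is valid while now < expires_at


@dataclass
class CachingResolver:
    """An ISP-style resolver: serve from cache within the TTL, otherwise contact upstream."""
    upstream: Dict[str, Tuple[str, int]]
    cache: Dict[str, CacheEntry] = field(default_factory=dict)
    upstream_queries: int = 0  # how often another server had to be contacted

    @staticmethod
    def _key(name: str) -> str:
        # DNS names are case-insensitive; a trailing dot marks a fully qualified name.
        return name.rstrip(".").lower()

    def resolve(self, name: str, now: float) -> Tuple[str, str]:
        """Return (address, source) where source is 'cache' or 'upstream'."""
        key = self._key(name)
        entry = self.cache.get(key)
        if entry is not None and now < entry.expires_at:
            return entry.address, "cache"
        if entry is not None:
            del self.cache[key]  # TTL elapsed: the cached answer may no longer be true
        self.upstream_queries += 1
        if key not in self.upstream:
            raise NameNotFound(key)
        address, ttl = self.upstream[key]
        self.cache[key] = CacheEntry(address, now + ttl)
        return address, "upstream"

    def remaining_ttl(self, name: str, now: float) -> Optional[float]:
        """Seconds this resolver will keep serving the cached answer, or None if not cached."""
        entry = self.cache.get(self._key(name))
        if entry is None or now >= entry.expires_at:
            return None
        return entry.expires_at - now


def propagation_demo() -> Tuple[str, str, str]:
    """Why a changed record 'propagates' slowly: the old answer is served until the TTL runs out.

    Returns the answers seen at t=0 (first lookup), t=200 (after the authoritative
    change, still inside the 300 s TTL) and t=300 (TTL expired, fetched again).
    """
    authoritative = dict(UPSTREAM)
    resolver = CachingResolver(authoritative)
    first, _ = resolver.resolve("www.howstuffworks.com", now=0)
    # The domain owner moves the site; the authoritative server now gives a new address.
    authoritative["www.howstuffworks.com"] = ("203.0.113.10", 300)  # constructed address
    stale, _ = resolver.resolve("WWW.howstuffworks.com.", now=200)   # still from cache
    fresh, _ = resolver.resolve("www.howstuffworks.com", now=300)    # re-fetched upstream
    return first, stale, fresh
```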
This great web of DNS servers includes the root name servers, which start at the top of the domain hierarchy for a given top-level domain. There are hundreds of root name servers to choose from for each top-level domain. Though DNS lookups don't have to start at a root name server, they can contact a root name server as a last resort to help track down the SOA for a domain.
Domain name servers connect to each other across the Internet and cache lookup information to make name resolution more efficient.
Now that you know how DNS servers are interconnected to improve the name resolution process, let's look at how you can configure a DNS server to be the authority for your domain.
Use the Whois database to find a unique domain name that isn't yet registered.
There are several sites that offer free Whois database searches, such as Network
Solutions. If the search comes up empty, you know the domain name is available.
Register the domain name with a registrar. There are a lot of registrars to choose
from, and some offer special prices for registering the COM, NET, and ORG versions
of a domain at the same time, for registering for two or more years, or for hosting
the domain with the same company.
If you're hosting the domain at a different company than your registrar, configure
the registrar to point your domain name to the correct host name or IP address for
your hosting company (see information below about A records).
Using the DNS servers from your registrar or hosting company means that you have a
parked domain. This means that someone else owns the computer hardware for the DNS
servers, and your domain is just part of that company's larger DNS configuration.
Alternatively, if you're passionate about hosting your own DNS, you can set up your own
server, either as a physical or virtual machine. Whichever DNS setup you decide on, that
DNS server (or group of servers) becomes the SOA for your domain, as described earlier.
Whether your SOA is somewhere else or on your own system, you can extend and modify
your DNS settings to add sub-domains, redirect e-mail and control other services. This
information is kept in a zone file on the DNS server [source: GoDaddy.com]. If you're
running your own server, you'll probably need to manually edit the zone file in a text
editor. Many registrars today have a Web interface you can use to manage DNS for your
domain. Each new configuration you add is called a record, and the following are the
most common types of records you can configure for your DNS server:
Host (A) -- This is the basic mapping of IP address to host name, the essential
component for any domain name.
Canonical Name (CNAME) -- This is an alias for your domain. Anyone accessing that
alias will be automatically directed to the server indicated in the A record.
Mail Exchanger (MX) -- This maps e-mail traffic to a specific server. It could indicate
another host name or an IP address. For example, people who use Google for the
e-mail for their domain will create an MX record that points to ghs.google.com.
Name Server (NS) -- This contains the name server information for the zone. If you
configure this, your server will let other DNS servers know that yours is the
ultimate authority (SOA) for your domain when caching lookup information on your
domain from other DNS servers around the world.
Start of Authority (SOA) -- This is one larger record at the beginning of every zone
file with the primary name server for the zone and some other information. If your
registrar or hosting company is running your DNS server, you won't need to
manage this. If you're managing your own DNS, Microsoft's support information
has a helpful article on the structure of a DNS SOA Record.
The following is an example of what a zone file might look like for those who are editing
it directly in a text editor. Note that the center column (second item on each line)
includes a record type from those listed above. When you see an "@" in the left column,
it means that the record applies in all cases not otherwise specified:
@ NS auth-ns1.howstuffworks.com
@ NS auth-ns2.howstuffworks.com
@ MX 10 mail
mail A 209.170.137.42
vip1 A 216.183.103.150
www CNAME vip1
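An added Python parser for the zone-file format shown above (not code from the article or from any registrar). It reads the article's own six records, expands "@" and relative names against an assumed origin of howstuffworks.com, follows the www CNAME to the vip1 A record, and resolves the MX target to its address; CNAME loops and names mixing CNAME with other records are rejected rather than followed.

```python
from collections import defaultdict
from typing import Dict, List, Tuple

# The zone text is the article's sample; the origin (zone apex) name is assumed.
ORIGIN = "howstuffworks.com"
ZONE_TEXT = """\
@ NS auth-ns1.howstuffworks.com
@ NS auth-ns2.howstuffworks.com
@ MX 10 mail
mail A 209.170.137.42
vip1 A 216.183.103.150
www CNAME vip1
"""

SUPPORTED = {"A", "NS", "MX", "CNAME"}
Record = Tuple[str, str]  # (type, data), e.g. ("MX", "10 mail")
Zone = Dict[str, List[Record]]


def qualify(name: str, origin: str) -> str:
    """Expand '@' and relative labels (the left column) into fully qualified names.

    Standard zone files mark absolute names with a trailing dot; the article's sample
    omits it, so a name that already ends in the origin is treated as absolute.
    """
    if name == "@":
        return origin
    name = name.rstrip(".").lower()
    if name == origin or name.endswith("." + origin):
        return name
    return f"{name}.{origin}"


def parse_zone(text: str, origin: str) -> Zone:
    """Read 'name type data' lines into a name -> records table."""
    zone: Zone = defaultdict(list)
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split(";", 1)[0].strip()  # ';' begins a comment in zone files
        if not line:
            continue
        fields = line.split()
        if len(fields) < 3:
            raise ValueError(f"line {lineno}: expected at least name, type and data")
        name, rtype, data = fields[0], fields[1].upper(), " ".join(fields[2:])
        if rtype not in SUPPORTED:
            raise ValueError(f"line {lineno}: unsupported record type {rtype}")
        if rtype == "MX" and (len(fields) != 4 or not fields[2].isdigit()):
            raise ValueError(f"line {lineno}: MX needs a numeric priority and a host")
        zone[qualify(name, origin)].append((rtype, data))
    return dict(zone)


def lookup(zone: Zone, name: str, rtype: str, origin: str, max_chain: int = 8) -> List[str]:
    """Return the data of all `rtype` records at `name`, following CNAME aliases.

    A name that has a CNAME may carry no other records, and alias chains that loop
    or run too long are reported instead of being followed forever.
    """
    fqdn = qualify(name, origin)
    visited: List[str] = []
    for _ in range(max_chain):
        records = zone.get(fqdn, [])
        aliases = [data for rt, data in records if rt == "CNAME"]
        if not aliases or rtype == "CNAME":
            return [data for rt, data in records if rt == rtype]
        if len(records) > 1:
            raise ValueError(f"{fqdn}: CNAME may not coexist with other records")
        if fqdn in visited:
            raise ValueError(f"CNAME loop through {fqdn}")
        visited.append(fqdn)
        fqdn = qualify(aliases[0], origin)
    raise ValueError(f"CNAME chain from {qualify(name, origin)} exceeds {max_chain} hops")


def mail_servers(zone: Zone, origin: str) -> List[Tuple[int, str, List[str]]]:
    """Resolve the apex MX records to (priority, host, addresses), lowest priority first."""
    servers = []
    for data in lookup(zone, "@", "MX", origin):
        priority, host = data.split()
        servers.append((int(priority), qualify(host, origin), lookup(zone, host, "A", origin)))
    return sorted(servers)
```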
Typical users will probably get the most use out of MX and CNAME records. MX
records allow you to point your mail services somewhere other than your hosting
company if you choose to use something like Google Apps for your domain. The CNAME
records let you point host names for your domain to various other locations. This could
include setting google.example.com to redirect to google.com, or setting up a dedicated
game server with its own IP address and pointing it to something like
gameserver.example.com. HowStuffWorks' parent company, Discovery, does this:
dsc.discovery.com is the main Web site, science.discovery.com is The Science Channel
Web site, and so on.
Throughout this article, you've read about the role of domain name servers, how DNS
maps domain names to IP addresses and how to choose your domain name and
configure it to work within the distributed system of DNS servers around the world.
What is an IP address?
IPv4 uses 32 binary bits to create a single unique address on the network. An IPv4
address is expressed by four numbers separated by dots. Each number is the
decimal (base-10) representation for an eight-digit binary (base-2) number, also
called an octet. For example: 216.27.61.137
IPv6 uses 128 binary bits to create a single unique address on the network. An IPv6
address is expressed by eight groups of hexadecimal (base-16) numbers separated
by colons, as in 2001:cdba:0000:0000:0000:0000:3257:9652. Groups of numbers
that contain all zeros are often omitted to save space, leaving a colon separator to
mark the gap (as in 2001:cdba::3257:9652).
At the dawn of IPv4 addressing, the Internet was not the large commercial sensation it is
today, and most networks were private and closed off from other networks around the
world. When the Internet exploded, having only 32 bits to identify a unique Internet
address caused people to panic that we'd run out of IP addresses. Under IPv4, there are 2^32 possible combinations, which offers just under 4.3 billion unique addresses. IPv6 raised that to a panic-relieving 2^128 possible addresses. Later, we'll take a closer look at how to understand your computer's IPv4 or IPv6 addresses.
How does your computer get its IP address? An IP address can be either dynamic or
static. A static address is one that you configure yourself by editing your computer's
network settings. This type of address is rare, and it can create network issues if you use
it without a good understanding of TCP/IP. Dynamic addresses are the most common.
They're assigned by the Dynamic Host Configuration Protocol (DHCP), a service running
on the network. DHCP typically runs on network hardware such as routers or dedicated
DHCP servers.
Dynamic IP addresses are issued using a leasing system, meaning that the IP address is only active for a limited time. If the lease expires, the computer will automatically request a new lease. Sometimes, this means the computer will get a new IP address, too, especially if the computer was unplugged from the network between leases. This process is usually transparent to the user unless the computer warns about an IP address conflict on the network (two computers with the same IP address). An address conflict is rare, and today's technology typically fixes the problem automatically.
In Microsoft Windows, you can enter ipconfig in the command prompt app to view your computer's current IP address configuration.
Next, let's take a closer look at the important parts of an IP address and the special roles
of certain addresses.
IP Classes
Earlier, you read that IPv4 addresses represent four eight-digit binary numbers. That
means that each number could be 00000000 to 11111111 in binary, or 0 to 255 in
decimal (base-10). In other words, 0.0.0.0 to 255.255.255.255. However, some numbers
in that range are reserved for specific purposes on TCP/IP networks. These reservations
are recognized by the authority on TCP/IP addressing, the Internet Assigned Numbers
Authority (IANA). Four specific reservations include the following:
0.0.0.0 -- This represents the default network, which is the abstract concept of just
being connected to a TCP/IP network.
255.255.255.255 -- This address is reserved for network broadcasts, or messages
that should go to all computers on the network.
127.0.0.1 -- This is called the loopback address, meaning your computer's way of
identifying itself, whether or not it has an assigned IP address.
169.254.0.1 to 169.254.255.254 -- This is the Automatic Private IP Addressing (APIPA) range of addresses assigned automatically when a computer is unsuccessful in getting an address from a DHCP server.
The other IP address reservations are for subnet classes. A subnet is a smaller network of
computers connected to a larger network through a router. The subnet can have its own
address system so computers on the same subnet can communicate quickly without
sending data across the larger network. A router on a TCP/IP network, including the
Internet, is configured to recognize one or more subnets and route network traffic
appropriately. The following are the IP addresses reserved for subnets:
10.0.0.0 to 10.255.255.255 -- This falls within the Class A address range of 1.0.0.0
to 127.0.0.0, in which the first bit is 0.
172.16.0.0 to 172.31.255.255 -- This falls within the Class B address range of
128.0.0.0 to 191.255.0.0, in which the first two bits are 10.
192.168.0.0 to 192.168.255.255 -- This falls within the Class C range of 192.0.0.0
through 223.255.255.0, in which the first three bits are 110.
Multicast (formerly called Class D) -- The first four bits in the address are 1110,
with addresses ranging from 224.0.0.0 to 239.255.255.255.
Reserved for future/experimental use (formerly called Class E) -- addresses
240.0.0.0 to 254.255.255.254.
The first three (within Classes A, B and C) are those most used in creating subnets. Later,
we'll see how a subnet uses these addresses. The IANA has outlined specific uses for
multicast addresses within Internet Engineering Task Force (IETF) document RFC 5771.
However, it hasn't designated a purpose or future plan for Class E addresses since it
reserved the block in its 1989 document RFC 1112. Before IPv6, the Internet was filled
with debate about whether the IANA should release Class E for general use.
Discover -- The computer sends out a broadcast message on the network, hoping
to discover a DHCP service provider.
Offer -- Each DHCP provider hears the message, recognizes the unique hardware
address of the computer, and sends a message back offering its services to that
computer.
Request -- The computer selects a DHCP provider from its offerings and then sends
a request to that provider asking for an IP address assignment.
Acknowledge -- The targeted DHCP provider acknowledges the request and issues
an IP address to the computer that doesn't match any other IP addresses currently
active on the network.
Next, let's see how subnets work and find out who has those non-reserved IP addresses
out on the Internet.
IP address: 192.168.1.102
Subnet mask: 255.255.255.0
Twenty-four bits (three octets) reserved for network identity
Eight bits (one octet) reserved for nodes
Subnet identity based on subnet mask (first address): 192.168.1.0
The reserved broadcast address for the subnet (last address): 192.168.1.255
Example addresses on the same network: 192.168.1.1, 192.168.1.103
Example addresses not on the same network: 192.168.2.1, 192.168.2.103
Besides reserving IP addresses, the IANA is also responsible for assigning blocks of IP
addresses to certain entities, usually commercial or government organizations. Your
Internet service provider (ISP) may be one of these entities, or it may be part of a larger
block under the control of one of those entities. In order for you to connect to the
Internet, your ISP will assign you one of these addresses. You can see a full list of IANA
assignments and reservations for IPv4 addresses here.
If you only connect one computer to the Internet, that computer can use the address
from your ISP. Many homes today, though, use routers to share a single Internet
connection between multiple computers. Wireless routers have become especially
popular in recent years, avoiding the need to run network cables between rooms.
If you use a router to share an Internet connection, the router gets the IP address issued
directly from the ISP. Then, it creates and manages a subnet for all the computers
connected to that router. If your computer's address falls into one of the reserved subnet
ranges listed earlier, you're going through a router rather than connecting directly to the
Internet.
IP addresses on a subnet have two parts: network and node. The network part identifies
the subnet itself. The node, also called the host, is an individual piece of computer
equipment connected to the network and requiring a unique address. Each computer
knows how to separate the two parts of the IP address by using a subnet mask. A subnet
mask looks somewhat like an IP address, but it's actually just a filter used to determine
which part of an IP address designates the network and node.
A subnet mask consists of a series of 1 bits followed by a series of 0 bits. The 1 bits
indicate those that should mask the network bits in the IP address, revealing only those
that identify a unique node on that network. In the IPv4 standard, the most commonly
used subnet masks have complete octets of 1s and 0s as follows:
People who set up large networks determine what subnet mask works best based on the
number of desired subnets or nodes. For more subnets, use more bits for the network;
for more nodes per subnet, use more bits for the nodes. This may mean using nonstandard mask values. For instance, if you want to use 10 bits for networks and 22 for
nodes, your subnet mask value would require using 11000000 in the second octet,
resulting in a subnet mask value of 255.192.0.0.
Another important thing to note about IP addresses in a subnet is that the first and last
addresses are reserved. The first address identifies the subnet itself, and the last address
identifies the broadcast address for systems on that subnet.
See the How DHCP assigns Addresses on the previous page for a look at how all
this information comes together to form your IP address.
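The octet arithmetic, the 192.168.1.102 / 255.255.255.0 sidebar, the nonstandard 255.192.0.0 mask and the reserved private ranges from the sections above, worked through in one added Python example (not code from the article). It packs a dotted quad into a 32-bit integer, checks that a mask is a run of ones followed by zeros, derives the subnet and broadcast addresses, and classifies an address by its leading bits; the strict parser rejects leading zeros and out-of-range octets.

```python
from typing import Dict, List, Tuple


def octet_to_bits(octet: int) -> str:
    """Write one octet as eight binary digits: 42 -> '00101010'."""
    if not 0 <= octet <= 255:
        raise ValueError(f"octet out of range: {octet}")
    return format(octet, "08b")


def bits_to_octet(bits: str) -> int:
    """Add up the powers of two (2^0 .. 2^7, right to left) marked by 1 digits."""
    if len(bits) != 8 or set(bits) - {"0", "1"}:
        raise ValueError(f"not an 8-digit binary string: {bits!r}")
    return sum(2 ** i for i, digit in enumerate(reversed(bits)) if digit == "1")


def parse_ipv4(text: str) -> int:
    """Check a dotted quad strictly and pack its four octets into one 32-bit integer."""
    parts = text.split(".")
    if len(parts) != 4:
        raise ValueError(f"expected four octets: {text!r}")
    value = 0
    for part in parts:
        if not part.isdigit() or (len(part) > 1 and part[0] == "0"):
            raise ValueError(f"bad octet {part!r} in {text!r}")  # rejects '', '+1', '010'
        octet = int(part)
        if octet > 255:
            raise ValueError(f"octet {octet} exceeds 255 in {text!r}")
        value = (value << 8) | octet
    return value


def format_ipv4(value: int) -> str:
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def mask_from_bits(network_bits: int) -> int:
    """Build a mask of `network_bits` ones followed by zeros; 10 gives 255.192.0.0."""
    if not 0 <= network_bits <= 32:
        raise ValueError("network bits must be between 0 and 32")
    return (0xFFFFFFFF << (32 - network_bits)) & 0xFFFFFFFF


def prefix_length(mask: int) -> int:
    """Count the leading ones, rejecting masks whose ones and zeros are interleaved."""
    ones = bin(mask).count("1")
    if mask != mask_from_bits(ones):
        raise ValueError(f"non-contiguous subnet mask {format_ipv4(mask)}")
    return ones


def subnet_info(ip: str, mask: str) -> Dict[str, object]:
    """Split an address into its network and node parts, as the article's sidebar does."""
    addr, m = parse_ipv4(ip), parse_ipv4(mask)
    bits = prefix_length(m)
    network = addr & m                       # first address: identifies the subnet
    broadcast = network | (~m & 0xFFFFFFFF)  # last address: broadcast for the subnet
    return {
        "network": format_ipv4(network),
        "broadcast": format_ipv4(broadcast),
        "network_bits": bits,
        "host_bits": 32 - bits,
        "usable_hosts": max(0, (1 << (32 - bits)) - 2),
    }


def same_subnet(a: str, b: str, mask: str) -> bool:
    m = parse_ipv4(mask)
    return (parse_ipv4(a) & m) == (parse_ipv4(b) & m)


# The three reserved private ranges from the article, written as network/mask pairs.
PRIVATE_RANGES: List[Tuple[str, str]] = [
    ("10.0.0.0", "255.0.0.0"),
    ("172.16.0.0", "255.240.0.0"),
    ("192.168.0.0", "255.255.0.0"),
]


def is_private(ip: str) -> bool:
    """True if the address sits behind a router in one of the reserved subnet ranges."""
    return any(same_subnet(ip, net, mask) for net, mask in PRIVATE_RANGES)


def address_class(ip: str) -> str:
    """Classify by the leading bits of the first octet (A: 0, B: 10, C: 110, D: 1110, else E)."""
    first_bits = octet_to_bits(parse_ipv4(ip) >> 24)
    for name, pattern in (("A", "0"), ("B", "10"), ("C", "110"), ("D", "1110")):
        if first_bits.startswith(pattern):
            return name
    return "E"
```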
Network Address Translation helps improve security by reusing IP addresses. The NAT router translates traffic coming into and leaving the private network.
If you are reading this article, you are most likely connected to the Internet and viewing
it at the HowStuffWorks Web site. There's a very good chance that you are using
Network Address Translation (NAT) right now.
The Internet has grown larger than anyone ever imagined it could be. Although the exact
size is unknown, the current estimate is that there are about 100 million hosts and more
than 350 million users actively on the Internet. That is more than the entire population of
the United States! In fact, the rate of growth has been such that the Internet is
effectively doubling in size each year.
So what does the size of the Internet have to do with NAT? Everything! For a computer to
communicate with other computers and Web servers on the Internet, it must have an IP
address. An IP address (IP stands for Internet Protocol) is a unique 32-bit number that
identifies the location of your computer on a network. Basically, it works like your street
address -- as a way to find out exactly where you are and deliver information to you.
When IP addressing first came out, everyone thought that there were plenty of addresses
to cover any need. Theoretically, you could have 4,294,967,296 unique addresses (2^32).
The actual number of available addresses is smaller (somewhere between 3.2 and 3.3
billion) because of the way that the addresses are separated into classes, and because
some addresses are set aside for multicasting, testing or other special uses.
With the explosion of the Internet and the increase in home networks and business
networks, the number of available IP addresses is simply not enough. The obvious
solution is to redesign the address format to allow for more possible addresses. This is
being developed (called IPv6), but will take several years to implement because it
requires modification of the entire infrastructure of the Internet.
This is where NAT (RFC 1631) comes to the rescue. Network Address Translation allows a
single device, such as a router, to act as an agent between the Internet (or "public
network") and a local (or "private") network. This means that only a single, unique IP
address is required to represent an entire group of computers.
But the shortage of IP addresses is only one reason to use NAT. In this article, you will
learn more about how NAT can benefit you. But first, let's take a closer look at NAT and
exactly what it can do...
Dynamic NAT -- Maps an unregistered IP address to a registered IP address from a group of registered IP addresses.
Overloading -- A form of dynamic NAT that maps multiple unregistered IP addresses to a single registered IP address by using different ports. This is also known as PAT (Port Address Translation), single address NAT or port-level multiplexed NAT.
IP address (213.18.123.100), but with a
different port number assignment.
The internal network is usually a LAN (Local Area Network), commonly referred to as
the stub domain. A stub domain is a LAN that uses IP addresses internally. Most of the
network traffic in a stub domain is local, so it doesn't travel outside the internal network.
A stub domain can include both registered and unregistered IP addresses. Of course, any
computers that use unregistered IP addresses must use Network Address Translation to
communicate with the rest of the world.
In the next section we'll look at the different ways NAT can be configured.
NAT Configuration
NAT can be configured in various ways. In the example below, the NAT router is
configured to translate unregistered (inside, local) IP addresses, that reside on the
private (inside) network, to registered IP addresses. This happens whenever a device on
the inside with an unregistered address needs to communicate with the public (outside)
network.
When a computer on the stub domain that has an inside local address wants to
communicate outside the network, the packet goes to one of the NAT routers.
The NAT router checks the routing table to see if it has an entry for the destination
address. If it does, the NAT router then translates the packet and creates an entry
for it in the address translation table. If the destination address is not in the routing
table, the packet is dropped.
Using an inside global address, the router sends the packet on to its destination.
A computer on the public network sends a packet to the private network. The
source address on the packet is an outside global address. The destination address
is an inside global address.
The NAT router looks at the address translation table and determines that the
destination address is in there, mapped to a computer on the stub domain.
The NAT router translates the inside global address of the packet to the inside local
address, and sends it to the destination computer.
IP addresses have different designations based on whether they are on the private network (stub domain) or on the public network (Internet), and whether the traffic is incoming or outgoing.
NAT overloading utilizes a feature of the TCP/IP protocol stack, multiplexing, that allows a
computer to maintain several concurrent connections with a remote computer (or
computers) using different TCP or UDP ports. An IP packet has a header that contains the
following information:
Source address - The IP address of the originating computer.
Source port - The TCP or UDP port number assigned by the originating computer for this
packet.
Destination address - The IP address of the receiving computer.
Destination port - The TCP or UDP port number that the originating computer is asking
the receiving computer to open.
The addresses specify the two machines at each end, while the port numbers ensure that
the connection between the two computers has a unique identifier. The combination of
these four numbers defines a single TCP/IP connection. Each port number uses 16 bits,
which means that there are a possible 65,536 (2^16) values. Realistically, since different
manufacturers map the ports in slightly different ways, you can expect to have about
4,000 ports available.
1. An internal network (stub domain) has been set up with IP addresses that were not
specifically allocated to that company by IANA (Internet Assigned Numbers
Authority), the global authority that hands out IP addresses. These addresses
should be considered non-routable since they are not unique.
2. The company sets up a NAT-enabled router. The router has a range of unique IP
addresses given to the company by IANA.
3. A computer on the stub domain attempts to connect to a computer outside the
network, such as a Web server.
4. The router receives the packet from the computer on the stub domain.
5. The router saves the computer's non-routable IP address to an address
translation table. The router replaces the sending computer's non-routable IP
address with the first available IP address out of the range of unique IP addresses.
The translation table now has a mapping of the computer's non-routable IP address
matched with one of the unique IP addresses.
6. When a packet comes back from the destination computer, the router checks the
destination address on the packet. It then looks in the address translation table to
see which computer on the stub domain the packet belongs to. It changes the
destination address to the one saved in the address translation table and sends it
to that computer. If it doesn't find a match in the table, it drops the packet.
7. The computer receives the packet from the router. The process repeats as long as
the computer is communicating with the external system.
1. An internal network (stub domain) has been set up with non-routable IP addresses
that were not specifically allocated to that company by IANA.
2. The company sets up a NAT-enabled router. The router has a unique IP address
given to the company by IANA.
3. A computer on the stub domain attempts to connect to a computer outside the
network, such as a Web server.
4. The router receives the packet from the computer on the stub domain.
5. The router saves the computer's non-routable IP address and port number to an
address translation table. The router replaces the sending computer's non-routable
IP address with the router's IP address. The router replaces the sending computer's
source port with the port number that matches where the router saved the sending
computer's address information in the address translation table. The translation
table now has a mapping of the computer's non-routable IP address and port
number along with the router's IP address.
6. When a packet comes back from the destination computer, the router checks the
destination port on the packet. It then looks in the address translation table to see
which computer on the stub domain the packet belongs to. It changes the
destination address and destination port to the ones saved in the address
translation table and sends it to that computer.
7. The computer receives the packet from the router. The process repeats as long as
the computer is communicating with the external system.
Since the NAT router now has the computer's source address and source port
saved to the address translation table, it will continue to use that same port
number for the duration of the connection. A timer is reset each time the router
accesses an entry in the table. If the entry is not accessed again before the timer
expires, the entry is removed from the table.
In the next section we'll look at the organization of stub domains.
Stub Domains
Look below to see how the computers on a stub domain might appear to external
networks.
Source computer   IP address      Computer port   NAT router IP address   NAT router assigned port number
A                 192.168.32.10   400             215.37.32.203           1
B                 192.168.32.13   50              215.37.32.203           2
C                 192.168.32.15   3750            215.37.32.203           3
D                 192.168.32.18   206             215.37.32.203           4
As you can see, the NAT router stores the IP address and port number of each computer.
It then replaces the IP address with its own registered IP address and the port number
corresponding to the location, in the table, of the entry for that packet's source
computer. So any external network sees the NAT router's IP address and the port number
assigned by the router as the source-computer information on each packet.
You can still have some computers on the stub domain that use dedicated IP addresses.
You can create an access list of IP addresses that tells the router which computers on the
network require NAT. All other IP addresses will pass through untranslated.
The number of simultaneous translations that a router will support is determined
mainly by the amount of DRAM (Dynamic Random Access Memory) it has. But since a
typical entry in the address-translation table only takes about 160 bytes, a router with 4
MB of DRAM could theoretically process 26,214 simultaneous translations, which is more
than enough for most applications.
IANA has set aside specific ranges of IP addresses for use as non-routable, internal
network addresses. These addresses are considered unregistered (for more information
check out RFC 1918: Address Allocation for Private Internets, which defines these
address ranges). No company or agency can claim ownership of unregistered addresses
or use them on public computers. Routers are designed to discard (instead of forward)
unregistered addresses. What this means is that a packet from a computer with an
unregistered address could reach a registered destination computer, but the reply would
be discarded by the first router it came to.
There is a range for each of the three classes of IP addresses used for networking (as
defined in RFC 1918):
Class A - 10.0.0.0 through 10.255.255.255
Class B - 172.16.0.0 through 172.31.255.255
Class C - 192.168.0.0 through 192.168.255.255
Although each range is in a different class, you are not required to use any particular
range for your internal network. It is a good practice, though, because it greatly
diminishes the chance of an IP address conflict.
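The three checks that follow from this passage and from the access-list paragraph above
(which addresses are unregistered, which inside addresses a NAT router should translate,
and why a reply to an unregistered address is discarded by the first public router) can be
written down directly. This is an added example, not code from the article; the access-list
network and the sample addresses it is run against are constructed, and the ranges are
the ones RFC 1918 defines.

```python
import ipaddress

# The three RFC 1918 private ranges, one per address class.
PRIVATE_RANGES = {
    "class A": ipaddress.ip_network("10.0.0.0/8"),       # 10.0.0.0 - 10.255.255.255
    "class B": ipaddress.ip_network("172.16.0.0/12"),    # 172.16.0.0 - 172.31.255.255
    "class C": ipaddress.ip_network("192.168.0.0/16"),   # 192.168.0.0 - 192.168.255.255
}


def private_range_of(addr: str):
    """Return which RFC 1918 range an address falls in, or None if it is registered space."""
    ip = ipaddress.ip_address(addr)
    for name, net in PRIVATE_RANGES.items():
        if ip in net:
            return name
    return None


def needs_translation(src: str, access_list) -> bool:
    """The router's access list: only inside addresses that match a listed network
    are translated; every other address passes through untranslated."""
    ip = ipaddress.ip_address(src)
    return any(ip in ipaddress.ip_network(net) for net in access_list)


def public_router_forwards(src: str, dst: str) -> bool:
    """What a router on the public Internet does with a packet: it forwards it only
    if the destination is registered (routable) space. The source address does not
    stop the packet here, which is why the request in the text gets out."""
    return private_range_of(dst) is None


def round_trip(inside: str, outside: str):
    """Trace the scenario in the text: the request from an unregistered address
    leaves, but the reply addressed back to it is dropped by the first public router.
    Returns (request_forwarded, reply_forwarded)."""
    request_forwarded = public_router_forwards(inside, outside)
    reply_forwarded = public_router_forwards(outside, inside)
    return request_forwarded, reply_forwarded


if __name__ == "__main__":
    # Constructed sample: the stub-domain network used elsewhere on this page.
    acl = ["192.168.32.0/24"]
    for addr in ("192.168.32.10", "172.31.255.254", "172.32.0.1", "215.37.32.203"):
        print(addr, private_range_of(addr), "NAT" if needs_translation(addr, acl) else "pass")
    print(round_trip("192.168.32.10", "70.42.251.42"))
```

Note that 172.32.0.1 is deliberately included: it sits just outside the class B range, a
boundary that a hand-written check on the second octet alone often gets wrong. Many
edge routers today also drop packets whose source address is unregistered (ingress
filtering), which is stricter than the behaviour the text describes; the example models
only what the text says.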
In specific circumstances, Static NAT, also called inbound mapping, allows external
devices to initiate connections to computers on the stub domain. For instance, if you
wish to go from an inside global address to a specific inside local address that is assigned
to your Web server, Static NAT would enable the connection.
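The translation table that the NAT overloading steps, the stub-domain listing and the
Static NAT paragraph all describe can be modelled in a few dozen lines. The following is
an added example written for this page, not code from the article or from any router
vendor: it assigns router ports 1, 2, 3, ... in table order as the listing does, rewrites
outbound and inbound packets, drops inbound packets that match no entry, expires idle
entries on a timer, and honours a static inbound mapping. The router address
215.37.32.203 and the computer addresses come from the page; the timeout value, the
Web server address and the destination address 70.42.251.42 used in the demo are
assumptions.

```python
from dataclasses import dataclass, field

# Inside global address of the NAT router, taken from the page's stub-domain listing.
ROUTER_IP = "215.37.32.203"
# Idle time after which an entry is removed (assumed value; the page only says a timer exists).
ENTRY_TIMEOUT = 300.0


@dataclass
class Entry:
    inside_ip: str      # non-routable (inside local) address of the stub-domain computer
    inside_port: int    # the source port that computer used
    last_used: float    # time of the last packet that touched this entry


@dataclass
class NatRouter:
    router_ip: str = ROUTER_IP
    timeout: float = ENTRY_TIMEOUT
    # Dynamic table for NAT overloading: port assigned by the router -> Entry.
    table: dict = field(default_factory=dict)
    # Static NAT (inbound mapping): router port -> (inside local address, inside port).
    static: dict = field(default_factory=dict)
    next_port: int = 1  # the page's listing assigns ports 1, 2, 3, ... in table order

    def expire(self, now: float) -> None:
        """Remove entries whose inactivity timer has run out."""
        stale = [p for p, e in self.table.items() if now - e.last_used > self.timeout]
        for p in stale:
            del self.table[p]

    def _assigned_port(self, inside_ip: str, inside_port: int):
        for port, e in self.table.items():
            if (e.inside_ip, e.inside_port) == (inside_ip, inside_port):
                return port
        return None

    def outbound(self, src_ip, src_port, dst_ip, dst_port, now):
        """Rewrite a packet leaving the stub domain.
        Returns the (src_ip, src_port, dst_ip, dst_port) the public network sees."""
        self.expire(now)
        port = self._assigned_port(src_ip, src_port)
        if port is None:                        # first packet of this connection
            while self.next_port in self.static:  # never hand out a statically mapped port
                self.next_port += 1
            port = self.next_port
            self.next_port += 1
            self.table[port] = Entry(src_ip, src_port, now)
        self.table[port].last_used = now        # reset the timer
        return (self.router_ip, port, dst_ip, dst_port)

    def inbound(self, src_ip, src_port, dst_ip, dst_port, now):
        """Rewrite a packet arriving from the public network.
        Returns the translated tuple, or None when the packet is dropped because no
        table entry (static or dynamic) matches its destination."""
        self.expire(now)
        if dst_ip != self.router_ip:
            return None
        if dst_port in self.static:             # inbound mapping, e.g. to the Web server
            inside_ip, inside_port = self.static[dst_port]
            return (src_ip, src_port, inside_ip, inside_port)
        entry = self.table.get(dst_port)
        if entry is None:
            return None                         # no mapping: drop
        entry.last_used = now
        return (src_ip, src_port, entry.inside_ip, entry.inside_port)


if __name__ == "__main__":
    # Constructed demo: the four computers from the page's listing talk to one
    # outside Web server; the router's port 80 is statically mapped to an inside server.
    nat = NatRouter(static={80: ("192.168.32.2", 80)})
    for t, (ip, port) in enumerate([("192.168.32.10", 400), ("192.168.32.13", 50),
                                    ("192.168.32.15", 3750), ("192.168.32.18", 206)]):
        print(ip, port, "->", nat.outbound(ip, port, "70.42.251.42", 80, float(t)))
    print("reply to port 1:", nat.inbound("70.42.251.42", 80, ROUTER_IP, 1, 5.0))
    print("reply to port 9:", nat.inbound("70.42.251.42", 80, ROUTER_IP, 9, 5.0))
```

The `inbound` path is the part worth reading from a security standpoint: an unsolicited
packet from outside reaches an inside computer only through a static mapping or a still
live entry that an inside computer created, which is the side effect of NAT that the text
later calls a benefit for network administration.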
Some NAT routers provide for extensive filtering and traffic logging. Filtering allows your
company to control what type of sites employees visit on the Web, preventing them from
viewing questionable material. You can use traffic logging to create a log file of what
sites are visited and generate various reports from it.
NAT is sometimes confused with proxy servers, but there are definite differences
between them. NAT is transparent to the source and to destination computers. Neither
one realizes that it is dealing with a third device. But a proxy server is not transparent.
The source computer knows that it is making a request to the proxy server and must be
configured to do so. The destination computer thinks that the proxy server IS the source
computer, and deals with it directly. Also, proxy servers usually work at layer 4
(transport) of the OSI Reference Model or higher, while NAT is a layer 3 (network)
protocol. Working at a higher layer makes proxy servers slower than NAT devices in most
cases.
A real benefit of NAT is apparent in network
administration. For example, you can move your
Web server or FTP server to another host computer
without having to worry about broken links. Simply
change the inbound mapping at the router to reflect
the new host. You can also make changes to your
internal network easily, because the only external
IP address either belongs to the router or comes
from a pool of global addresses.
NAT and DHCP (dynamic host configuration protocol) are a natural fit. You can choose a
range of unregistered IP addresses for your stub domain and have the DHCP server dole
them out as necessary. It also makes it much easier to scale up your network as your
needs grow. You don't have to request more IP addresses from IANA. Instead, you can just
increase the range of available IP addresses configured in DHCP to immediately have
room for additional computers on your network.
NAT operates at the Network layer (layer 3) of the OSI Reference Model -- this is the
layer that routers work at.
Multi-homing
As businesses rely more and more on the Internet, having multiple points of connection
to the Internet is fast becoming an integral part of their network strategy. Multiple
connections, known as multi-homing, reduce the chance of a potentially catastrophic
shutdown if one of the connections should fail.
In addition to maintaining a reliable connection, multi-homing allows a company to
perform load-balancing by lowering the number of computers connecting to the
Internet through any single connection. Distributing the load through multiple
connections optimizes the performance and can significantly decrease wait times.
Multi-homed networks are often connected to several different ISPs (Internet Service
Providers). Each ISP assigns an IP address (or range of IP addresses) to the company.
Routers use BGP (Border Gateway Protocol), a part of the TCP/IP protocol suite, to route
between networks using different protocols. In a multi-homed network, the router utilizes
IBGP (Internal Border Gateway Protocol) on the stub domain side, and EBGP (External
Border Gateway Protocol) to communicate with other routers.
Multi-homing really makes a difference if one of the connections to an ISP fails. As soon
as the router assigned to connect to that ISP determines that the connection is down, it
will reroute all data through one of the other routers.
NAT can be used to facilitate scalable routing for multi-homed, multi-provider
connectivity.
One of the greatest things about the Internet is that nobody really owns it. It is a global
collection of networks, both big and small. These networks connect together in many
different ways to form the single entity that we know as the Internet. In fact, the very
name comes from this idea of interconnected networks.
Since its beginning in 1969, the Internet has grown from four host computer systems to
tens of millions. However, just because nobody owns the Internet, it doesn't mean it is
not monitored and maintained in different ways. The Internet Society, a non-profit group
established in 1992, oversees the formation of the policies and protocols that define how
we use and interact with the Internet.
In this article, you will learn about the basic underlying structure of the Internet. You will
learn about domain name servers, network access points and backbones. But first you
will learn about how your computer connects to others.
network. Instead, there are several high-level networks connecting to each other through
Network Access Points or NAPs.
The Function of an Internet Router
All of these networks rely on NAPs, backbones and routers to talk to each other. What is
incredible about this process is that a message can leave one computer and travel
halfway across the world through several different networks and arrive at another
computer in a fraction of a second!
The routers determine where to send information from one computer to another.
Routers are specialized computers that send your messages and those of every other
Internet user speeding to their destinations along thousands of pathways. A router has
two separate, but related, jobs:
It ensures that information doesn't go where it's not needed. This is crucial for
keeping large volumes of data from clogging the connections of "innocent
bystanders."
It makes sure that information does make it to the intended destination.
In performing these two jobs, a router is extremely useful in dealing with two separate
computer networks. It joins the two networks, passing information from one to the other.
It also protects the networks from one another, preventing the traffic on one from
unnecessarily spilling over to the other. Regardless of how many networks are attached,
the basic operation and function of the router remains the same. Since the Internet is
one huge network made up of tens of thousands of smaller networks, its use of routers is
an absolute necessity. For more information, read How Routers Work.
Internet Backbone
The National Science Foundation (NSF) created the first high-speed backbone in
1987. Called NSFNET, it was a T1 line that connected 170 smaller networks together
and operated at 1.544 Mbps (million bits per second). IBM, MCI and Merit worked with
NSF to create the backbone and developed a T3 (45 Mbps) backbone the following year.
Backbones are typically fiber optic trunk lines. The trunk line has multiple fiber optic
cables combined together to increase the capacity. Fiber optic cables are designated OC
for optical carrier, such as OC-3, OC-12 or OC-48. An OC-3 line is capable of transmitting
155 Mbps while an OC-48 can transmit 2,488 Mbps (2.488 Gbps). Compare that to a
typical 56K modem transmitting 56,000 bps and you see just how fast a modern backbone
is.
Today there are many companies that operate their own high-capacity backbones, and
all of them interconnect at various NAPs around the world. In this way, everyone on the
Internet, no matter where they are and what company they use, is able to talk to
everyone else on the planet. The entire Internet is a gigantic, sprawling agreement
between companies to intercommunicate freely.
that a computer belongs to. Host (sometimes referred to as Node) identifies the actual
computer on the network. The Host section always contains the last octet. There are five
IP classes plus certain special addresses. You can learn more about IP classes at What is
an IP address?.
HowStuffWorks
Yahoo
Microsoft
Every name in the .COM top-level domain must be unique. The left-most word, like www,
is the host name. It specifies the name of a specific machine (with a specific IP address)
in a domain. A given domain can, potentially, contain millions of host names as long as
they are all unique within that domain.
DNS servers accept requests from programs and other name servers to convert domain
names into IP addresses. When a request comes in, the DNS server can do one of four
things with it:
1. It can answer the request with an IP address because it already knows the IP
address for the requested domain.
2. It can contact another DNS server and try to find the IP address for the name
requested. It may have to do this multiple times.
3. It can say, "I don't know the IP address for the domain you requested, but here's
the IP address for a DNS server that knows more than I do."
4. It can return an error message because the requested domain name is invalid or
does not exist.
A DNS Example
Let's say that you type the URL www.howstuffworks.com into your browser. The browser
contacts a DNS server to get the IP address. A DNS server would start its search for an IP
address by contacting one of the root DNS servers. The root servers know the IP
addresses for all of the DNS servers that handle the top-level domains (.COM, .NET,
.ORG, etc.). Your DNS server would ask the root for www.howstuffworks.com, and the root
would say, "I don't know the IP address for www.howstuffworks.com, but here's the IP
address for the .COM DNS server."
Your name server then sends a query to the .COM DNS server asking it if it knows the IP
address for www.howstuffworks.com. The DNS server for the COM domain knows the IP
addresses for the name servers handling the www.howstuffworks.com domain, so it
returns those.
Your name server then contacts the DNS server for www.howstuffworks.com and asks if it
knows the IP address for www.howstuffworks.com. It actually does, so it returns the IP
address to your DNS server, which returns it to the browser, which can then contact the
server for www.howstuffworks.com to get a Web page.
One of the keys to making this work is redundancy. There are multiple DNS servers at
every level, so that if one fails, there are others to handle the requests. The other key is
caching. Once a DNS server resolves a request, it caches the IP address it receives. Once
it has made a request to a root DNS server for any .COM domain, it knows the IP address
for a DNS server handling the .COM domain, so it doesn't have to bug the root DNS
servers again for that information. DNS servers can do this for every request, and this
caching helps to keep things from bogging down.
Even though it is totally invisible, DNS servers handle billions of requests every day and
they are essential to the Internet's smooth functioning. The fact that this distributed
database works so well and so invisibly day in and day out is a testimony to the design.
Be sure to read How Domain Name Servers Work for more information on DNS.
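The resolution walk just described (root, then .COM, then the domain's own name server)
together with the four possible replies listed before the example and the caching that
makes the second lookup cheaper, as an added example that is not code from the article.
The name-server data is constructed: the server names, the example.com records and
the address 192.0.2.10 are assumptions, while 70.42.251.42 for www.howstuffworks.com
is the address the page uses. Real resolvers speak the DNS wire protocol to real servers;
this simulation only models the decision logic.

```python
# Constructed name-server data: each simulated server knows which servers handle the
# zones beneath it ("ns") and which host addresses it is authoritative for ("a").
SERVERS = {
    "root":   {"ns": {"com": "com-ns"}, "a": {}},
    "com-ns": {"ns": {"howstuffworks.com": "hsw-ns", "example.com": "ex-ns"}, "a": {}},
    "hsw-ns": {"ns": {}, "a": {"www.howstuffworks.com": "70.42.251.42"}},
    "ex-ns":  {"ns": {}, "a": {"www.example.com": "192.0.2.10"}},
}


def suffixes(name: str):
    """All zones a name could belong to, most specific first:
    'www.howstuffworks.com' -> ['www.howstuffworks.com', 'howstuffworks.com', 'com']."""
    labels = name.split(".")
    return [".".join(labels[i:]) for i in range(len(labels))]


def query(server: str, name: str):
    """One server's reply: the things the text says a DNS server can do with a request."""
    data = SERVERS[server]
    if name in data["a"]:
        return ("ANSWER", data["a"][name])                 # it already knows the address
    for zone in suffixes(name):
        if zone in data["ns"]:
            return ("REFERRAL", zone, data["ns"][zone])    # "here's a server that knows more"
    return ("ERROR", None)                                 # the name does not exist here


class Resolver:
    """Your DNS server: walks referrals and caches both answers and learned name servers."""

    def __init__(self):
        self.addr_cache = {}   # name -> address
        self.ns_cache = {}     # zone -> server known to handle that zone

    def resolve(self, name: str):
        """Return (address, servers_asked); the list shows which servers were contacted."""
        if name in self.addr_cache:
            return self.addr_cache[name], []           # answered from cache, nobody asked
        # Start at the closest name server already known, so the root is not bothered
        # again for a .COM name once the .COM server's address has been learned.
        server = "root"
        for zone in suffixes(name):
            if zone in self.ns_cache:
                server = self.ns_cache[zone]
                break
        asked = []
        for _ in range(10):                             # guard against referral loops
            asked.append(server)
            reply = query(server, name)
            if reply[0] == "ANSWER":
                self.addr_cache[name] = reply[1]
                return reply[1], asked
            if reply[0] == "ERROR":
                return None, asked
            _, zone, server = reply                     # follow the referral
            self.ns_cache[zone] = server
        return None, asked


if __name__ == "__main__":
    r = Resolver()
    for n in ("www.howstuffworks.com", "www.howstuffworks.com", "www.example.com", "nosuch.com"):
        print(n, "->", r.resolve(n))
```

Running it shows the redundancy and caching points of the text in miniature: the first
lookup touches three servers, the repeat touches none, and a different .COM name skips
the root because the .COM server is already cached.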
the ISP every time you dial in. That IP address is unique for your session -- it may be
different the next time you dial in. This way, an ISP only needs one IP address for each
modem it supports, rather than one for each customer.
Keeping the Messages Moving
When you send e-mail to a friend on the other side of the country, how does the
message know to end up on your friend's computer, rather than on one of the millions of
other computers in the world? Much of the work to get a message from one computer to
another is done by routers, because they're the crucial devices that let messages flow
between networks, rather than within networks.
Let's look at what a very simple router might do. Imagine a small company that makes
animated 3-D graphics for local television stations. There are 10 employees of the
company, each with a computer. Four of the employees are animators, while the rest are
in sales, accounting and management. The animators will need to send lots of very large
files back and forth to one another as they work on projects. To do this, they'll use a
network.
When one animator sends a file to another, the very large file will use up most of the
network's capacity, making the network run very slowly for other users. One of the
reasons that a single intensive user can affect the entire network stems from the way
that Ethernet works. Each information packet sent from a computer is seen by all the
other computers on the local network. Each computer then examines the packet and
decides whether it was meant for its address. This keeps the basic plan of the network
simple, but has performance consequences as the size of the network or level of network
activity increases. To keep the animators' work from interfering with that of the folks in
the front office, the company sets up two separate networks, one for the animators and
one for the rest of the company. A router links the two networks and connects both
networks to the Internet.
Directing Traffic
The router is the only device that sees every message sent by any computer on either of
the company's networks. When the animator in our example sends a huge file to another
animator, the router looks at the recipient's address and keeps the traffic on the
animator's network. When an animator, on the other hand, sends a message to the
bookkeeper asking about an expense-account check, then the router sees the recipient's
address and forwards the message between the two networks.
One of the tools a router uses to decide where a packet should go is a configuration
table. A configuration table is a collection of information, including:
A configuration table can be as simple as a half-dozen lines in the smallest routers, but
can grow to massive size and complexity in the very large routers that handle the bulk of
Internet messages.
A router, then, has two separate but related jobs:
The router ensures that information doesn't go where it's not needed. This is
crucial for keeping large volumes of data from clogging the connections of
"innocent bystanders."
The router makes sure that information does make it to the intended destination.
In performing these two jobs, a router is extremely useful in dealing with two separate
computer networks. It joins the two networks, passing information from one to the other
and, in some cases, performing translations of various protocols between the two
networks. It also protects the networks from one another, preventing the traffic on one
from unnecessarily spilling over to the other. As the number of networks attached to one
another grows, the configuration table for handling traffic among them grows, and the
processing power of the router is increased. Regardless of how many networks are
attached, though, the basic operation and function of the router remains the same. Since
the Internet is one huge network made up of tens of thousands of smaller networks, its
use of routers is an absolute
necessity.
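The decision the text describes, keeping an animator-to-animator file on the animators'
network but forwarding a message to the bookkeeper, is a table lookup on the destination
address. Below is an added example, not code from the article: a configuration table with
one entry per network plus a default entry for the Internet, and a longest-prefix lookup of
the kind real routers perform. The two company networks (192.168.1.0/24 and
192.168.2.0/24), the interface names and the sample packets are constructed.

```python
import ipaddress

# Constructed configuration table for the two-network company in the text.
# Each entry says which connection leads to a group of addresses; the last entry is
# the default route, used for anything the more specific entries do not cover.
CONFIG_TABLE = [
    ("192.168.1.0/24", "animators"),
    ("192.168.2.0/24", "front-office"),
    ("0.0.0.0/0", "internet"),
]


def lookup(address: str) -> str:
    """Longest-prefix match: the most specific table entry containing the address wins,
    so the default route is chosen only when no company network matches."""
    ip = ipaddress.ip_address(address)
    best = None
    for prefix, connection in CONFIG_TABLE:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, connection)
    return best[1]


def route(src: str, dst: str):
    """What the router does with one packet: ('keep', net) when both ends sit on the same
    network, otherwise ('forward', net) naming the connection the packet leaves on."""
    arrived_on = lookup(src)
    leaves_on = lookup(dst)
    if arrived_on == leaves_on:
        return ("keep", leaves_on)
    return ("forward", leaves_on)


def summarize(packets):
    """Count decisions over a batch of (src, dst) pairs; useful to see how much traffic
    never needs to cross the router at all."""
    counts = {}
    for src, dst in packets:
        action, net = route(src, dst)
        counts[(action, net)] = counts.get((action, net), 0) + 1
    return counts


if __name__ == "__main__":
    # Constructed sample traffic: a big file between animators, a note to the
    # bookkeeper, and a Web request leaving the company.
    sample = [("192.168.1.10", "192.168.1.20")] * 50 + \
             [("192.168.1.10", "192.168.2.5"), ("192.168.2.5", "70.42.251.42")]
    for src, dst in sample[-3:]:
        print(src, "->", dst, route(src, dst))
    print(summarize(sample))
```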
Transmitting Packets
When you make a telephone call to someone on the other side of the country, the
telephone system establishes a stable circuit between your telephone and the telephone
you're calling. The circuit might involve a half dozen or more steps through copper
cables, switches, fiber optics, microwaves and satellites, but those steps are established
and remain constant for the duration of the call. This circuit approach means that the
quality of the line between you and the person you're calling is consistent throughout the
call, but a problem with any portion of the circuit -- maybe a tree falls across one of the
lines used, or there's a power problem with a switch -- brings your call to an early and
abrupt end. When you send an e-mail message with an attachment to the other side of
the country, a very different process is used.
Internet data, whether in the form of a Web page, a downloaded file or an e-mail
message, travels over a system known as a packet-switching network. In this system,
the data in a message or file is broken up into packages about 1,500 bytes long. Each of
these packages gets a wrapper that includes information on the sender's address, the
receiver's address, the package's place in the entire message, and how the receiving
computer can be sure that the package arrived intact. Each data package, called a
packet, is then sent off to its destination via the best available route -- a route that
might be taken by all the other packets in the message or by none of the other packets
in the message. This might seem very complicated compared to the circuit approach
used by the telephone system, but in a network designed for data there are two huge
advantages to the packet-switching plan.
The network can balance the load across various pieces of equipment on a
millisecond-by-millisecond basis.
If there is a problem with one piece of equipment in the network while a message
is being transferred, packets can be routed around the problem, ensuring the
delivery of the entire message.
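The wrapper the text describes (sender, receiver, the packet's place in the message, and a
way for the receiver to confirm the packet arrived intact), together with out-of-order
arrival and reassembly, as an added example that is not code from the article. The
packet size of 1,500 bytes is the figure the text gives; the checksum choice (CRC-32), the
host names and the sample message are assumptions.

```python
import random
import zlib

PACKET_SIZE = 1500   # bytes of data per packet, the figure the text gives


def packetize(message: bytes, sender: str, receiver: str):
    """Break a message into packets, each wrapped with the header fields the text lists."""
    chunks = [message[i:i + PACKET_SIZE] for i in range(0, len(message), PACKET_SIZE)] or [b""]
    return [
        {
            "src": sender,
            "dst": receiver,
            "seq": i,                    # the packet's place in the whole message
            "total": len(chunks),        # how many packets make up the message
            "crc": zlib.crc32(chunk),    # lets the receiver check the packet arrived intact
            "data": chunk,
        }
        for i, chunk in enumerate(chunks)
    ]


def send_over_network(packets, seed=0):
    """Model independent routing: each packet may take its own route, so they arrive
    in whatever order the routes deliver them (a seeded shuffle keeps runs repeatable)."""
    arrived = list(packets)
    random.Random(seed).shuffle(arrived)
    return arrived


def reassemble(packets):
    """Rebuild the message from packets in any order.
    Returns (message, None) on success, or (None, reason) when a packet is corrupted or
    missing, which is what a receiver reports in order to get the packet resent."""
    if not packets:
        return None, "no packets"
    total = packets[0]["total"]
    by_seq = {}
    for p in packets:
        if zlib.crc32(p["data"]) != p["crc"]:
            return None, f"packet {p['seq']} corrupted"
        by_seq[p["seq"]] = p["data"]
    missing = [i for i in range(total) if i not in by_seq]
    if missing:
        return None, f"missing packets {missing}"
    return b"".join(by_seq[i] for i in range(total)), None


if __name__ == "__main__":
    # Constructed sample: a 5,120-byte message, which needs four packets.
    msg = bytes(range(256)) * 20
    pkts = packetize(msg, "office-in-florida", "friend-across-country")
    print([p["seq"] for p in send_over_network(pkts)])            # arrival order
    print(reassemble(send_over_network(pkts)) == (msg, None))     # True
    print(reassemble(pkts[:2] + pkts[3:]))                        # one packet lost
```

The CRC detects accidental damage in transit, which is all the text asks of it; it is not a
protection against deliberate modification, which needs a keyed check such as a MAC.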
If you have enabled Internet connection sharing between two Windows 98-based
computers, you're using one of the computers (the computer with the Internet
connection) as a simple router. In this instance, the router does so little -- simply
looking at data to see whether it's intended for one computer or the other -- that it
can operate in the background of the system without significantly affecting the
other programs you might be running.
Slightly larger routers, the sort used to connect a small office network to the
Internet, will do a bit more. These routers frequently enforce rules concerning
security for the office network (trying to secure the network from certain attacks).
They handle enough traffic that they're generally stand-alone devices rather than
software running on a server.
The largest routers, those used to handle data at the major traffic points on the
Internet, handle millions of data packets every second and work to configure the
network most efficiently. These routers are large stand-alone systems that have far
more in common with supercomputers than with your office server.
Joe Smith 123 Maple Street Smalltown, FL 45678
The address has several pieces, each of which helps the people in the postal service
move the letter along to your house. The ZIP code can speed the process up; but even
without the ZIP code, the card will get to your house as long as your friend includes your
state, city and street address. You can think of this address as a logical address
because it describes a way someone can get a message to you. This logical address is
connected to a physical address that you generally only see when you're buying or
selling a piece of property. The survey plot of the land and house, with latitude, longitude
or section bearings, gives the legal description, or address, of the property.
Logical Addresses
Every piece of equipment that connects to a network, whether an office network or the
Internet, has a physical address. This is an address that's unique to the piece of
equipment that's actually attached to the network cable. For example, if your desktop
computer has a network interface card (NIC) in it, the NIC has a physical address
permanently stored in a special memory location. This physical address, which is also
called the MAC address (for Media Access Control) has two parts, each 3 bytes long. The
first 3 bytes identify the company that made the NIC. The second 3 bytes are the serial
number of the NIC itself.
The interesting thing is that your computer can have several logical addresses at the
same time. Of course, you're used to having several "logical addresses" bring messages
to one physical address. Your mailing address, telephone number (or numbers) and home
e-mail address all work to bring messages to you when you're in your house. They are
simply used for different types of messages -- different networks, so to speak.
Logical addresses for computer networks work in exactly the same way. You may be
using the addressing schemes, or protocols, from several different types of networks
simultaneously. If you're connected to the Internet (and if you're reading this, you
probably are), then you have an address that's part of the TCP/IP network protocol. If you
also have a small network set up to exchange files between several family computers,
then you may also be using the Microsoft NetBEUI protocol. If you connect to your
company's network from home, then your computer may have an address that follows
Novell's IPX/SPX protocol. All of these can coexist on your computer. Since the driver
software that allows your computer to communicate with each network uses resources
like memory and CPU time, you don't want to load protocols you won't need, but there's
no problem with having all the protocols your work requires running at the same time.
On the next page, you'll learn how to find your computer's MAC address.
MAC Addresses
The chances are very good that you'll never see the MAC address for any of your
equipment because the software that helps your computer communicate with a network
takes care of matching the MAC address to a logical address. The logical address is what
the network uses to pass information along to your computer.
If you'd like to see the MAC address and logical address used by the Internet Protocol (IP)
for your Windows computer, you can run a small program that Microsoft provides. Go to
the "Start" menu, click on "Run," and in the window that appears, type WINIPCFG
(IPCONFIG/ALL for Windows 2000/XP). When the gray window appears, click on "More
Info" and you'll get this sort of information:
Windows 98 IP Configuration:
Host Name: NAMEHOWSTUFFWORKS
DNS Servers: 208.153.64.20
 208.153.0.5
Node Type: Broadcast
NetBIOS Scope ID:
IP Routing Enabled: Yes
WINS Proxy Enabled: No
NetBIOS Resolution Uses DNS: No
Ethernet adapter:
Description: PPP Adapter
Physical Address: 44-45-53-54-12-34
DHCP Enabled: Yes
IP Address: 227.78.86.288
Subnet Mask: 255.255.255.0
Default Gateway: 227.78.86.288
DHCP Server: 255.255.255.255
Primary WINS Server:
Secondary WINS Server:
Lease Obtained: 01 01 80 12:00:00 AM
Lease Expires: 01 01 80 12:00:00 AM
There's a lot of information here that will vary depending on exactly how your connection
to the Internet is established, but the physical address is the MAC address of the adapter
queried by the program. The IP address is the logical address assigned to your
connection by your ISP or network administrator. You'll see the addresses of other
servers, including the DNS servers that keep track of all the names of Internet sites (so
you can type "www.howstuffworks.com" rather than "216.27.61.189") and the gateway
server that you connect to in order to reach the Internet. When you've finished looking at
the information, click OK. (Note: For security reasons, some of the information about this
connection to the Internet has been changed. You should be very careful about giving
your computer's information to other people -- with your address and the right tools, an
unscrupulous person could, in some circumstances, gain access to your personal
information and control your system through a "Trojan Horse" program.)
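To show what the listing above actually contains, here is an added example (not code
from the article) that parses that output into fields, splits the physical address into the
two 3-byte parts described in the MAC address section (the maker's part and the serial
part), and checks each IP-valued field for a syntactically valid IPv4 address. The sample
text is the page's own listing, which the author says was altered before publication; the
check flags exactly the altered values, since 288 is not a valid octet.

```python
import ipaddress

# The configuration listing from the text, embedded as sample input.
SAMPLE = """\
Windows 98 IP Configuration:
Host Name: NAMEHOWSTUFFWORKS
DNS Servers: 208.153.64.20
 208.153.0.5
Node Type: Broadcast
NetBIOS Scope ID:
IP Routing Enabled: Yes
WINS Proxy Enabled: No
NetBIOS Resolution Uses DNS: No
Ethernet adapter:
Description: PPP Adapter
Physical Address: 44-45-53-54-12-34
DHCP Enabled: Yes
IP Address: 227.78.86.288
Subnet Mask: 255.255.255.0
Default Gateway: 227.78.86.288
DHCP Server: 255.255.255.255
Primary WINS Server:
Secondary WINS Server:
Lease Obtained: 01 01 80 12:00:00 AM
Lease Expires: 01 01 80 12:00:00 AM
"""

# Fields whose values should be IPv4 addresses.
IP_FIELDS = ("DNS Servers", "IP Address", "Subnet Mask", "Default Gateway", "DHCP Server")


def parse_config(text: str) -> dict:
    """Turn 'Name: value' lines into {name: [values]}. A line starting with whitespace
    continues the previous field, which is how the second DNS server is listed."""
    fields, last = {}, None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if raw[0].isspace() and last is not None:
            fields[last].append(raw.strip())
            continue
        name, _, value = raw.partition(":")     # split at the first colon only
        last = name.strip()
        fields[last] = [value.strip()] if value.strip() else []
    return fields


def split_mac(mac: str):
    """Split a MAC address into the 3-byte manufacturer part and the 3-byte serial part."""
    parts = mac.split("-")
    if len(parts) != 6:
        raise ValueError(f"not a 6-byte MAC address: {mac}")
    return "-".join(parts[:3]), "-".join(parts[3:])


def invalid_ip_fields(fields: dict) -> list:
    """Names of IP-valued fields that do not hold a syntactically valid IPv4 address."""
    bad = []
    for name in IP_FIELDS:
        for value in fields.get(name, []):
            try:
                ipaddress.IPv4Address(value)
            except ValueError:
                bad.append(name)
    return bad


if __name__ == "__main__":
    cfg = parse_config(SAMPLE)
    print("manufacturer / serial:", split_mac(cfg["Physical Address"][0]))
    print("DNS servers:", cfg["DNS Servers"])
    print("fields with invalid addresses:", invalid_ip_fields(cfg))
```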
In a modern network, every e-mail message is broken up into small pieces. The pieces
are sent individually and reassembled when they're received at their final destination.
Because the individual pieces of information are called packets and each packet can be
sent along a different path, like a train going through a set of switches, this kind of
network is called a packet-switched network. It means that you don't have to build a
dedicated network between you and your friend on the other side of the country. Your
e-mail flows over any one of thousands of different routes to get from one computer to the
other.
Depending on the time of day and day of the week, some parts of the huge public
packet-switched network may be busier than others. When this happens, the routers that
make up this system will communicate with one another so that traffic not bound for the
crowded area can be sent by less congested network routes. This lets the network
function at full capacity without excessively burdening already-busy areas. You can see,
though, how Denial of Service attacks (described in the next section), in which people
send millions and millions of messages to a particular server, will affect that server and
the routers forwarding messages to it. As the messages pile up and pieces of the network
become congested, more and more routers send out the message that they're busy, and
the entire network with all its users can be affected.
Tracing a Message
If you're using a Microsoft Windows-based system, you can see just how many routers are
involved in your Internet traffic by using a program you have on your computer. The
program is called Traceroute, and that describes what it does -- it traces the route that a
packet of information takes to get from your computer to another computer connected
to the Internet. To run this program, click on the "MS-DOS Prompt" icon on the "Start"
menu. Then, at the "C:\WINDOWS>" prompt, type "tracert www.howstuffworks.com". When
I did this from my office in Florida, the results looked like this:
The first number shows how many routers are between your computer and the router
shown. In this instance, there were a total of 14 routers involved in the process (number
15 is the Howstuffworks.com Web server). The next three numbers show how long it
takes a packet of information to move from your computer to the router shown and back
again. Next, in this example, starting with step six, comes the "name" of the router or
server. This is something that helps people looking at the list but is of no importance to
the routers and computers as they move traffic along the Internet. Finally, you see the
Internet Protocol (IP) address of each computer or router. The final picture of this trace
route shows that there were 14 routers between the Web server and me and that it took,
on average, a little more than 2.5 seconds for information to get from my computer to
the server and back again.
You can use Traceroute to see how many routers are between you and any other
computer you can name or know the IP address for. It can be interesting to see how
many steps are required to get to computers outside your nation. Since I live in the
United States, I decided to see how many routers were between my computer and the
Web server for the British Broadcasting Corporation. At the C:\WINDOWS> prompt, I
typed tracert www.bbc.com. The result was this:
You can see that it took only one more step to reach a Web server on the other side of the
Atlantic Ocean than it did to reach a server two states away!
On the next page, we'll go into detail about Denial of Service attacks.
With a firewall in place, the landscape is much different. A company will place a firewall
at every connection to the Internet (for example, at every T1 line coming into the
company). The firewall can implement security rules. For example, one of the security
rules inside the company might be:
Out of the 500 computers inside this company, only one of them is permitted to receive
public FTP traffic. Allow FTP connections only to that one computer and prevent them on
all others.
A company can set up rules like this for FTP servers, Web servers, Telnet servers and so
on. In addition, the company can control how employees connect to Web sites, whether
files are allowed to leave the company over the network and so on. A firewall gives a
company tremendous control over how people use the network.
Firewalls use one or more of three methods to control traffic flowing in and out of the
network:
Packet filtering - Packets (small chunks of data) are analyzed against a set of
filters. Packets that make it through the filters are sent to the requesting system
and all others are discarded.
Proxy service - Information from the Internet is retrieved by the firewall and then
sent to the requesting system and vice versa.
Stateful inspection - A newer method that doesn't examine the contents of each
packet but instead compares certain key parts of the packet to a database of
trusted information. Information traveling from inside the firewall to the outside is
monitored for specific defining characteristics, then incoming information is
compared to these characteristics. If the comparison yields a reasonable match,
the information is allowed through. Otherwise it is discarded.
Firewall Configuration
Firewalls are customizable. This means that you can add or remove filters based on
several conditions. Some of these are:
IP addresses - Each machine on the Internet is assigned a unique address called an IP
address. IP addresses are 32-bit numbers, normally expressed as four "octets" in a
"dotted decimal number." A typical IP address looks like this: 216.27.61.137. For
example, if a certain IP address outside the company is reading too many files from a
server, the firewall can block all traffic to or from that IP address.
Domain names - Because it is hard to remember the string of numbers that make up an
IP address, and because IP addresses sometimes need to change, all servers on the
Internet also have human-readable names, called domain names. For example, it is
easier for most of us to remember www.howstuffworks.com than it is to remember
216.27.61.137. A company might block all access to certain domain names, or allow
access only to specific domain names.
Protocols - The protocol is the pre-defined way that someone who wants to use a service
talks with that service. The "someone" could be a person, but more often it is a computer
program like a Web browser. Protocols are often text, and simply describe how the client
and server will have their conversation. The "http" at the start of a Web address names
the Web's protocol. Some common protocols that you can set firewall filters for include:
IP (Internet Protocol) - the main delivery system for information over the Internet
TCP (Transmission Control Protocol) - used to break apart and rebuild information
that travels over the Internet
HTTP (Hyper Text Transfer Protocol) - used for Web pages
FTP (File Transfer Protocol) - used to download and upload files
UDP (User Datagram Protocol) - used for information that requires no response,
such as streaming audio and video
ICMP (Internet Control Message Protocol) - used by a router to exchange control and error
information with other routers
SMTP (Simple Mail Transfer Protocol) - used to send text-based information (e-mail)
SNMP (Simple Network Management Protocol) - used to collect system information
from a remote computer
Telnet - used to perform commands on a remote computer
A company might set up only one or two machines to handle a specific protocol and ban
that protocol on all other machines.
Ports - Any server machine makes its services available to the Internet using numbered
ports, one for each service that is available on the server (see How Web Servers Work for
details). For example, if a server machine is running a Web (HTTP) server and an FTP
server, the Web server would typically be available on port 80, and the FTP server would
be available on port 21. A company might block port 21 access on all machines but one
inside the company.
Specific words and phrases - This can be anything. The firewall will sniff (search
through) each packet of information for an exact match of the text listed in the filter. For
example, you could instruct the firewall to block any packet with the word "X-rated" in it.
The key here is that it has to be an exact match. The "X-rated" filter would not catch "X
rated" (no hyphen). But you can include as many words, phrases and variations of them
as you need.
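To make the filter conditions above concrete, here is an added Python example (not code from the original article) of a small default-deny packet filter that applies an IP block list, a domain block list, a protocol/port allow list and the exact-match phrase filter; the 10.0.0.0/24 company network, the single permitted FTP host, the outside addresses and the blocked domain are all constructed for the example.

```python
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional

# Constructed sample network: the company's machines are assumed to live in
# 10.0.0.0/24, and only one of them may receive public FTP, as in the rule in the text.
FTP_SERVER = "10.0.0.5"                      # the single permitted public FTP host
WEB_SERVER = "10.0.0.80"                     # the company Web server
BLOCKED_SOURCE_IPS = {"198.51.100.23"}       # an outside host reading too many files
BLOCKED_DOMAINS = {"banned.example"}         # a domain the company chooses to block
BLOCKED_PHRASES = ("X-rated",)               # exact-match content filter from the text


@dataclass
class Packet:
    src_ip: str
    dst_ip: str
    protocol: str                  # "TCP", "UDP" or "ICMP"
    dst_port: Optional[int]        # None for protocols without ports (ICMP)
    domain: Optional[str] = None   # destination domain name, when the firewall knows it
    payload: str = ""              # packet contents, searched by the phrase filter


def decide(pkt: Packet) -> tuple[str, str]:
    """Return (verdict, reason) for one inbound packet.

    Block filters run first, then an explicit allow list; anything matching
    neither is dropped, which is the "block everything, then select what to
    allow" rule of thumb the article describes.
    """
    if pkt.src_ip in BLOCKED_SOURCE_IPS:
        return "DROP", "source IP is on the block list"
    if pkt.domain is not None and pkt.domain in BLOCKED_DOMAINS:
        return "DROP", "destination domain is blocked"
    for phrase in BLOCKED_PHRASES:
        # Exact substring match only: "X rated" (no hyphen) slips past this filter.
        if phrase in pkt.payload:
            return "DROP", f"content filter matched {phrase!r}"

    if pkt.protocol == "TCP" and pkt.dst_port == 21:
        if pkt.dst_ip == FTP_SERVER:
            return "ACCEPT", "public FTP to the one designated FTP host"
        return "DROP", "FTP is permitted only to the designated FTP host"
    if pkt.protocol == "TCP" and pkt.dst_port == 80 and pkt.dst_ip == WEB_SERVER:
        return "ACCEPT", "HTTP to the company Web server"
    return "DROP", "no allow rule matches (default deny)"


def filter_packets(packets: list[Packet]) -> list[tuple[Packet, str, str]]:
    """Apply decide() to a batch and return (packet, verdict, reason) triples."""
    return [(p, *decide(p)) for p in packets]


if __name__ == "__main__":
    # Constructed sample traffic from an outside host, 203.0.113.9.
    sample = [
        Packet("203.0.113.9", FTP_SERVER, "TCP", 21),
        Packet("203.0.113.9", "10.0.0.6", "TCP", 21),
        Packet("198.51.100.23", WEB_SERVER, "TCP", 80),
        Packet("203.0.113.9", WEB_SERVER, "TCP", 80, payload="GET /X-rated.html"),
        Packet("203.0.113.9", WEB_SERVER, "TCP", 80, payload="GET /X rated.html"),
        Packet("203.0.113.9", "10.0.0.7", "ICMP", None),
    ]
    for pkt, verdict, reason in filter_packets(sample):
        print(f"{verdict:6} {pkt.protocol:4} {pkt.src_ip} -> {pkt.dst_ip}:{pkt.dst_port}  ({reason})")
```

Note that the fifth sample packet is accepted: the phrase filter only matches text exactly, so the rule set, not the content filter, decides its fate.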
Some operating systems come with a firewall built in. Otherwise, a software firewall can
be installed on the computer in your home that has an Internet connection. This
computer is considered a gateway because it provides the only point of access between
your home network and the Internet.
With a hardware firewall, the firewall unit itself is normally the gateway. A good example
is the Linksys Cable/DSL router. It has a built-in Ethernet card and hub. Computers in
your home network connect to the router, which in turn is connected to either a cable or
DSL modem. You configure the router via a Web-based interface that you reach through
the browser on your computer. You can then set any filters or additional information.
Hardware firewalls are incredibly secure and not very expensive. Home versions that
include a router, firewall and Ethernet hub for broadband connections can be found for
well under $100.
Remote login - When someone is able to connect to your computer and control it
in some form. This can range from being able to view or access your files to
actually running programs on your computer.
Application backdoors - Some programs have special features that allow for
remote access. Others contain bugs that provide a backdoor, or hidden access,
that provides some level of control of the program.
SMTP session hijacking - SMTP is the most common method of sending e-mail
over the Internet. By gaining access to a list of e-mail addresses, a person can
send unsolicited junk e-mail (spam) to thousands of users. This is done quite often
by redirecting the e-mail through the SMTP server of an unsuspecting host, making
the actual sender of the spam difficult to trace.
Operating system bugs - Like applications, some operating systems have
backdoors. Others provide remote access with insufficient security controls or have
bugs that an experienced hacker can take advantage of.
Denial of service - You have probably heard this phrase used in news reports on
the attacks on major Web sites. This type of attack is nearly impossible to counter.
What happens is that the hacker sends a request to the server to connect to it.
When the server responds with an acknowledgement and tries to establish a
session, it cannot find the system that made the request. By inundating a server
with these unanswerable session requests, a hacker causes the server to slow to a
crawl or eventually crash.
E-mail bombs - An e-mail bomb is usually a personal attack. Someone sends you
the same e-mail hundreds or thousands of times until your e-mail system cannot
accept any more messages.
Macros - To simplify complicated procedures, many applications allow you to
create a script of commands that the application can run. This script is known as a
macro. Hackers have taken advantage of this to create their own macros that,
depending on the application, can destroy your data or crash your computer.
Viruses - Probably the most well-known threat is computer viruses. A virus is a
small program that can copy itself to other computers. This way it can spread
quickly from one system to the next. Viruses range from harmless messages to
erasing all of your data.
Spam - Typically harmless but always annoying, spam is the electronic equivalent
of junk mail. Spam can be dangerous though. Quite often it contains links to Web
sites. Be careful of clicking on these because you may accidentally accept a cookie
that provides a backdoor to your computer.
Redirect bombs - Hackers can use ICMP to change (redirect) the path information
takes by sending it to a different router. This is one of the ways that a denial of
service attack is set up.
Source routing - In most cases, the path a packet travels over the Internet (or
any other network) is determined by the routers along that path. But the source
providing the packet can arbitrarily specify the route that the packet should travel.
Hackers sometimes take advantage of this to make information appear to come
from a trusted source or even from inside the network! Most firewall products
disable source routing by default.
Some of the items in the list above are hard, if not impossible, to filter using a firewall.
While some firewalls offer virus protection, it is worth the investment to install anti-virus
software on each computer. And, even though it is annoying, some spam is going to get
through your firewall as long as you accept e-mail.
The level of security you establish will determine how many of these threats can be
stopped by your firewall. The highest level of security would be to simply block
everything. Obviously that defeats the purpose of having an Internet connection. But a
common rule of thumb is to block everything, then begin to select what types of traffic
you will allow. You can also restrict traffic that travels through the firewall so that only
certain types of information, such as e-mail, can get through. This is a good rule for
businesses that have an experienced network administrator that understands what the
needs are and knows exactly what traffic to allow through. For most of us, it is probably
better to work with the defaults provided by the firewall developer unless there is a
specific reason to change it.
One of the best things about a firewall from a security standpoint is that it stops anyone
on the outside from logging onto a computer in your private network. While this is a big
deal for businesses, most home networks will probably not be threatened in this manner.
Still, putting a firewall in place provides some peace of mind.
Web site
Online business
FTP download and upload area
In cases like this, you may want to create a DMZ (Demilitarized Zone). Although this
sounds pretty serious, it really is just an area that is outside the firewall. Think of DMZ as
the front yard of your house. It belongs to you and you may put some things there, but
you would put anything valuable inside the house where it can be properly secured.
Setting up a DMZ is very easy. If you have multiple computers, you can choose to simply
place one of the computers between the Internet connection and the firewall. Most of the
software firewalls available will allow you to designate a directory on the gateway
computer as a DMZ.
Once you have a firewall in place, you should test it. A great way to do this is to go to
www.grc.com and try their free Shields Up! security test. You will get immediate
feedback on just how secure your system is!
What is a packet?
It turns out that everything you do on the Internet involves packets. For example, every
Web page that you receive comes as a series of packets, and every e-mail you send
leaves as a series of packets. Networks that ship data around in small packets are called
packet switched networks.
On the Internet, the network breaks an e-mail message into parts of a certain size in
bytes. These are the packets. Each packet carries the information that will help it get to
its destination -- the sender's IP address, the intended receiver's IP address, something
that tells the network how many packets this e-mail message has been broken into and
the number of this particular packet. The packets carry the data in the protocols that the
Internet uses: Transmission Control Protocol/Internet Protocol (TCP/IP). Each packet
contains part of the body of your message. A typical packet contains perhaps 1,000 or
1,500 bytes.
Each packet is then sent off to its destination by the best available route -- a route that
might be taken by all the other packets in the message or by none of the other packets
in the message. This makes the network more efficient. First, the network can balance
the load across various pieces of equipment on a millisecond-by-millisecond basis.
Second, if there is a problem with one piece of equipment in the network while a
message is being transferred, packets can be routed around the problem, ensuring the
delivery of the entire message.
Depending on the type of network, packets may be referred to by another name:
frame
block
cell
segment
Length of packet (some networks have fixed-length packets, while others rely on
the header to contain this information)
Synchronization (a few bits that help the packet match up to the network)
Packet number (which packet this is in a sequence of packets)
Protocol (on networks that carry multiple types of information, the protocol defines
what type of packet is being transmitted: e-mail, Web page, streaming video)
Destination address (where the packet is going)
Originating address (where the packet came from)
Payload - Also called the body or data of a packet. This is the actual data that the
packet is delivering to the destination. If a packet is fixed-length, then the payload may
be padded with blank information to make it the right size.
Trailer - The trailer, sometimes called the footer, typically contains a couple of bits that
tell the receiving device that it has reached the end of the packet. It may also have some
type of error checking. The most common error checking used in packets is Cyclic
Redundancy Check (CRC). CRC is pretty neat. Here is how it works in certain computer
networks: It takes the sum of all the 1s in the payload and adds them together. The
result is stored as a hexadecimal value in the trailer. The receiving device adds up the 1s
in the payload and compares the result to the value stored in the trailer. If the values
match, the packet is good. But if the values do not match, the receiving device sends a
request to the originating device to resend the packet.
As an example, let's look at how an e-mail message might get broken into packets. Let's
say that you send an e-mail to a friend. The e-mail is about 3,500 bits (3.5 kilobits) in
size. The network you send it over uses fixed-length packets of 1,024 bits (1 kilobit). The
header of each packet is 96 bits long and the trailer is 32 bits long, leaving 896 bits for
the payload. To break the 3,500 bits of message into packets, you will need four packets
(divide 3,500 by 896). Three packets will contain 896 bits of payload and the fourth will
have 812 bits. Here is what one of the four packets would contain:
Each packet's header will contain the proper protocols, the originating address (the IP
address of your computer), the destination address (the IP address of the computer
where you are sending the e-mail) and the packet number (1, 2, 3 or 4 since there are 4
packets). Routers in the network will look at the destination address in the header and
compare it to their lookup table to find out where to send the packet. Once the packet
arrives at its destination, your friend's computer will strip the header and trailer off each
packet and reassemble the e-mail based on the numbered sequence of the packets.
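The four-packet example just described, carried through as an added Python example (not code from the original article): it splits a constructed 3,500-bit e-mail into 1,024-bit packets with the 96-bit header and 32-bit trailer from the text, stores the count of 1 bits in the trailer as the article describes the check, and shows the receiver reordering packets and flagging a corrupted one for resending. The IP addresses are constructed, and the last function goes beyond the text to show a corruption that a count-based check cannot detect.

```python
from __future__ import annotations
from dataclasses import dataclass, replace

# Sizes from the text: fixed 1,024-bit packets with a 96-bit header and a 32-bit
# trailer, leaving 896 bits of payload per packet.
PACKET_BITS = 1024
HEADER_BITS = 96
TRAILER_BITS = 32
PAYLOAD_BITS = PACKET_BITS - HEADER_BITS - TRAILER_BITS   # 896

# Constructed sample e-mail of exactly 3,500 bits, as a string of '0'/'1' characters.
EMAIL_BITS = "1011001" * 500


@dataclass
class Packet:
    header: dict      # the header fields the article lists: protocol, addresses, number, length
    payload: str      # exactly PAYLOAD_BITS characters; the last packet is padded with '0'
    trailer: int      # integrity value: the count of 1 bits in the unpadded payload


def split_message(bits: str, src_ip: str, dst_ip: str) -> list[Packet]:
    """Break a message into numbered fixed-length packets (4 for a 3,500-bit e-mail)."""
    chunks = [bits[i:i + PAYLOAD_BITS] for i in range(0, len(bits), PAYLOAD_BITS)]
    packets = []
    for number, chunk in enumerate(chunks, start=1):
        header = {"protocol": "TCP/IP", "src": src_ip, "dst": dst_ip,
                  "number": number, "total": len(chunks), "length": len(chunk)}
        padded = chunk.ljust(PAYLOAD_BITS, "0")       # keep every packet the same size
        packets.append(Packet(header, padded, chunk.count("1")))
    return packets


def check_packet(pkt: Packet) -> bool:
    """The receiver recounts the 1 bits and compares with the value in the trailer."""
    data = pkt.payload[:pkt.header["length"]]
    return data.count("1") == pkt.trailer


def reassemble(packets: list[Packet]) -> tuple[str, list[int]]:
    """Return (message, packet numbers to resend). The message stays empty while any packet is bad."""
    to_resend = [p.header["number"] for p in packets if not check_packet(p)]
    if to_resend:
        return "", to_resend
    ordered = sorted(packets, key=lambda p: p.header["number"])   # packets may arrive out of order
    message = "".join(p.payload[:p.header["length"]] for p in ordered)
    return message, []


def flip_bits(pkt: Packet, positions: list[int]) -> Packet:
    """Simulate corruption in transit by inverting the payload bits at the given positions."""
    bits = list(pkt.payload)
    for pos in positions:
        bits[pos] = "1" if bits[pos] == "0" else "0"
    return replace(pkt, payload="".join(bits))


def undetectable_pair(pkt: Packet) -> tuple[int, int]:
    """Positions of one '0' and one '1' in the payload: flipping both leaves the
    count of 1s unchanged, so the count-based check described in the text cannot
    notice that corruption (a polynomial CRC is designed to catch such errors)."""
    data = pkt.payload[:pkt.header["length"]]
    return data.index("0"), data.index("1")


if __name__ == "__main__":
    packets = split_message(EMAIL_BITS, "192.0.2.10", "192.0.2.20")
    print([p.header["length"] for p in packets])            # [896, 896, 896, 812]
    print(reassemble(packets)[0] == EMAIL_BITS)              # True
    damaged = [flip_bits(packets[1], [5])] + packets[:1] + packets[2:]
    print(reassemble(damaged))                               # ('', [2])
```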
When the World Wide Web emerged for widespread public use in the early 1990s, it
transmitted data -- text, photos and more -- via phone lines. You used a modem attached
to a computer, dialed a local "access number," and then you were free to surf the
Internet. You may have had to pay an Internet service provider, but the transmission
method was basically just a phone call. In the years following, Internet access via DSL
and cable lines made the fast transmission of large amounts of data possible, meaning
the Internet had huge data capacity. In short, we're now using the Internet to make
phone calls, where we used to use phone calls to get on the Internet.
This technology is called Voice over Internet Protocol technology, or VoIP. Simply
put, voices are transmitted as data via the Internet. An extension of VoIP is called IP
trunking, in which multiple users with the same Internet connection -- several workers
in the same office for example -- use VoIP to send and receive data, both Internet and
voice. VoIP and IP trunking are big business. It's a new communications framework, slowly
replacing the old phone company infrastructure. Also called "unified communications," IP
trunking will be a $17 billion business in just a few years [source: Viscusi]. It's a good
time to learn what the new standard in telephony will be, as well as the specifics on how,
exactly, a computer network turns voices into data, then back to voices, to create a
seamless phone call.
What is IP Trunking?
IP trunking is large-scale, corporate, industrial or institutional use of VoIP. An entire
organization hooks into the data world at large via one connection; that connection is
then split among all the parties' phones and computers. While VoIP is used in millions of
homes, IP trunking is almost exclusively used by businesses because they're the ones
that have a need for multiple telephone lines and many telephony services (call waiting,
voice mail systems, call forwarding, etc.), which are also carried via certain IP trunking
services.
At their core, IP trunking and VoIP are voice on data lines. That means that voices travel over
the Internet as bits of data, not "voices" or electrical impulses as they do on a traditional,
land-based telephone line.
In addition to large data capacity methods like DSL and cable Internet, one of the ways IP
trunking can handle multiple phone calls -- as well as Internet data usage coming from
multiple places on a forked communications network in one building -- is via cloud
computing. This means that the power of multiple computers all comes together to
create a virtual, ad hoc "supercomputer" that, by creating a vast capacity to do so,
handles the needs of the network, whatever those needs may be at any given moment.
This extends to the IP trunking service provider. Its "cloud" of computers and networks
powers your call. So the IP trunking consumer doesn't have to necessarily have a
superfast computer or even a large computing network to make sure its calls and its data
go through. Cloud computing replaces traditional telephony's line-to-line switching
methods.
IP Trunking Benefits
There are many benefits to adopting IP trunking to use for your company's or institution's
multiple phone lines. Are you an organization that does a lot of work or research online?
Then adopting IP trunking is a logical step to take. The main reason is that it combines
your data/Internet network and your phone network. That could potentially save your
company hundreds of dollars a month on maintenance fees because the phone and
Internet system are now the same system. It could also save you money on employment
costs (so long as your existing IT guy or gal knows how to use an IP trunking system).
Cheaper communications is one of the best things IP trunking has going for it. Many
Internet service providers are also phone service providers, and they're the ones offering
IP trunking. Since they run all channels of communication, these companies are
empowered to offer "bundling" discounts, reducing your communication rates even
further.
One of the main reasons consumer-level VoIP has taken off is because of its flat-fee
pricing structure. Services like Vonage charge a single rate for unlimited phone calls,
local and long distance included. Because VoIP and IP trunking convert voices to data,
you're not technically using the phone lines to make long distance calls -- you're just
transmitting data. As far as bandwidth is concerned, your phone call is the same as an e-mail. In short, long-distance charges drop to as low as 2 cents per call, and then just a
single monthly fee for each of your IP trunk users, about $20 to $30 per trunk [source:
Bandwidth.com]. Another bonus is that because it's a system based on remote data
transfer anyway, you can even have users at multiple locations use the same trunk. You
don't have to pay for multiple IP trunking servers.
But what if you don't think IP trunking is established enough to use for your primary
communication needs? Well, it's always a good idea to have a backup. IP trunking is easy
enough to use, and with the equipment you already have around in the office (phones,
computers), it can be used to provide network redundancy. If landlines ever go down,
but the Internet is still up, it can help you out. Because it's not phone-based in a DSL, T1
or cable setup, you can simply enable VoIP-based calling, resuming communications
productivity immediately.
One big problem with VoIP and IP trunking is the relative lack of security. It's not yet as
secure as a landline. Landlines provide direct, physical connections of voice to voice.
VoIP calls are data traveling by wire and through the air. So potentially, they can be
hacked into or accessed by someone -- either from within your own IP trunking network,
or outside of it. In the early days of widespread cell phone usage, it was common to
overhear other people's phone calls.
And even where it is available, services, bandwidth capacity and voice quality vary. So,
research different providers before you sign up for anything.
Using North Carolina State University's computer lab once meant reserving a PC and
then going to the lab at the available time -- possibly the middle of the night -- to work
on it. That's no longer true, thanks to virtual computing. [source: North Carolina State
University]
Today, students and faculty can reserve and log in to the NCSU Virtual Computing
Laboratory anytime, anywhere from their own PCs or laptops. What's more, this remote-access system lets users choose the software they need, including industrial strength
computer-assisted design (CAD) and engineering programs that take more memory than
they have on their own systems. At the same time, professors can build customized
software images in minutes for students to access anywhere.
Virtual computing makes one computer act and perform like many computers. Through
virtual computing providers, users can download and use more than one operating
system and perform a multitude of functions at the same time through a single mouse
click and receive all the benefits of additional programs and hardware without having to
purchase or install them on their own computer. Executives can check their company e-mail on the road, students can take classes from home and managers can keep up with
documents stored on internal servers from anywhere in the world.
Virtual computing is increasing possibilities and performance in the world of information
technology (IT): increased storage space, more software applications, performance and
troubleshooting solutions, as well as data backup. In this article, we'll cover what virtual
computing is, who performs the virtual services, the system requirements and the
benefits and challenges to the user.
Memory
Software
Allocation and reassignment of input/output and other processes
Data backup
Automated problem solving and troubleshooting
Tools for monitoring and managing systems
Users can access software applications for a single computer or an entire network
because of the ability to select only what you need when you need it. They also can save
or back up data and text documents to a virtual server (thus freeing space on individual
computers) and reallocate or assign different processes to the virtual environment. This
enables computers to operate at optimal speeds.
Virtual computing initially began as a method of borrowing space or storage for
computer systems, but it's since grown significantly, offering data and software
applications, as well as operating and utility systems. The corporate environment most
commonly uses it, where IT system managers run multiple applications on several
servers.
VIRTUALLY SURFING
While there are many reasons for using virtual computing services, some people have
gotten creative in their reasoning. Because all applications run remotely, some users log
in to the Internet to do all their surfing through a virtual computer. This enables them to
access files without worrying about hidden pages sabotaging their system. The added
benefit is that they can surf and electronically communicate without worrying about
infected files.
Sun: Sun Management installs, upgrades, configures and assigns software applications
without interrupting operations. Sun does allow users to convert back to a previous
configuration.
Although the above providers offer similar services, the system specifications vary per
provider. This chart details the specific offerings.
System Requirements
Before you purchase and download virtual PC applications, you need to ensure that your
computer meets the system requirements. Every computer system has a limited amount
of resources. A reduction in available memory and storage occurs once those resources
are used. While the system requirements to download virtual applications are dependent
on the provider and the package, we'll provide the minimal requirements for Microsoft
Windows and Mac users as an example:
Microsoft's Virtual PC application -- Microsoft Virtual PC 2007 -- requires a 400 MHz
Pentium-compatible processor (1.0 GHz or faster) and 20 megabytes of disk space. The
virtual application runs on the following Windows operating systems:
Windows Vista Business
Windows Vista Enterprise
Windows Vista Ultimate
Windows XP Professional
Windows XP Tablet PC Edition
Other systems, like Windows 98, Windows 2000, or Windows ME can handle virtual
computing, but they require more memory to do so.
Mac users can access virtual computing through Virtual PC for Mac Version 7. They'll
need a 700 MHz native PowerPC G3, G4 or G5 processor, 3 GB of free hard drive space
and 512 MB of RAM. Virtual PC for Mac will run on Mac OS X Version 10.2.8, 10.3, 10.4.1
and later versions.
Virtual files are easy to back up. Entire virtual machines can be stored on one or two
small files, making copying an easy and fast process.
Virtual Computing Disadvantages and the Future
While virtual computing does enable servers to perform more tasks and run more
applications, it can also be time consuming and laborious for some IT staff. Even though
the applications are remote, managers must still track and monitor files, applications,
data and storage. Virtual computing can increase their workload because now they have
more places to track.
Security and firewall issues must also be monitored and addressed to prevent the loss or
theft of data in a virtual or remote environment. Transfer of information and the need for
physical computers and servers to interact remotely must also be monitored continually.
It's a balancing act, but for many organizations, virtual computing doesn't cut costs or
the need for IT staff.
Other cost issues include what virtual providers should charge for each use of software
application. Because virtual computing allows one computer to run many applications at
the same time, the computer could be running several different applications of the same
software simultaneously. There have been concerns regarding paying repeatedly for the
same software. To address that issue, providers are exploring a meter process, which
would provide users a specific amount of uses and charge them for any overages.
Virtual computing has been in existence for years. Only recently has its application
become more popular in the corporate IT world. In the technology world, however, new
developments and explorations continue to produce faster, more integrated technologies
than before.
IBM introduced the concept of grid computing. Grid computing joins the monumental
power of all of IBM's data centers worldwide (forming a grid) and makes it available to
customers. Unlike traditional virtual computing, grid computing offers consumers
unlimited use. The government, aerospace industry, science, higher education facilities
and the military are all currently using grid computing. For more information on grid
computing, read the white paper, "Grid Explained."
Consider also virtual computers, where files aren't stored on a hard drive, but are
remotely accessed through cyberspace on any computer where you can log in to the
Internet. This concept is currently available to computer users for Internet and e-mail
access. Virtual computers will expand that capability and allow users access to all of
their files and applications from any computer. Traditional microcomputers with large,
external hard drives won't be necessary. Users will not need to carry laptops or
removable storage devices like CDs from one computer to another.
Clients would be able to access their applications and data from anywhere at any
time. They could access the cloud computing system using any computer linked to
the Internet. Data wouldn't be confined to a hard drive on one user's computer or
even a corporation's internal network.
It could bring hardware costs down. Cloud computing systems would reduce the
need for advanced hardware on the client side. You wouldn't need to buy the
fastest computer with the most memory, because the cloud system would take
care of those needs for you. Instead, you could buy an inexpensive computer
terminal. The terminal could include a monitor, input devices like a keyboard and
mouse and just enough processing power to run the middleware necessary to
connect to the cloud system. You wouldn't need a large hard drive because you'd
store all your information on a remote computer.
Corporations that rely on computers have to make sure they have the right
software in place to achieve goals. Cloud computing systems give these
organizations company-wide access to computer applications. The companies don't
have to buy a set of software or software licenses for every employee. Instead, the
company could pay a metered fee to a cloud computing company.
Servers and digital storage devices take up space. Some companies rent physical
space to store servers and databases because they don't have it available on site.
Cloud computing gives these companies the option of storing data on someone
else's hardware, removing the need for physical space on the front end.
Corporations might save money on IT support. Streamlined hardware would, in
theory, have fewer problems than a network of heterogeneous machines and
operating systems.
If the cloud computing system's back end is a grid computing system, then the
client could take advantage of the entire network's processing power. Often,
scientists and researchers work with calculations so complex that it would take
years for individual computers to complete them. On a grid computing system, the
client could send the calculation to the cloud for processing. The cloud system
would tap into the processing power of all available computers on the back end,
significantly speeding up the calculation.
While the benefits of cloud computing seem convincing, are there any potential
problems? Find out in the next section.
Privacy is another matter. If a client can log in from any location to access data and
applications, it's possible the client's privacy could be compromised. Cloud computing
companies will need to find ways to protect client privacy. One way is to use
authentication techniques such as user names and passwords. Another is to employ an
authorization format -- each user can access only the data and applications relevant to
his or her job.
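The two controls named above, authenticating a user and then letting that user reach only the data relevant to his or her job, can be shown together in a small deny-by-default access layer for a multi-user storage service. This is an added example, not code from the original article; the user names, passwords, resource names and PBKDF2 parameters are constructed for illustration.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field

# Constructed example: authentication (salted, iterated password hash) plus
# authorization (per-user allow-list) for a hypothetical cloud file store.
PBKDF2_ITERATIONS = 600_000  # work factor; OWASP currently recommends 600k for SHA-256


@dataclass
class User:
    name: str
    salt: bytes
    pw_hash: bytes
    # Authorization data: the only resources this user may read.
    allowed: frozenset = field(default_factory=frozenset)


def make_user(name, password, allowed):
    """Store a salted PBKDF2 hash, never the password itself."""
    salt = os.urandom(16)
    pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return User(name, salt, pw_hash, frozenset(allowed))


def authenticate(users, name, password):
    """Return the User on a valid name/password pair, otherwise None."""
    user = users.get(name)
    if user is None:
        # Do the same work for an unknown name so timing does not reveal valid names.
        hashlib.pbkdf2_hmac("sha256", password.encode(), b"\x00" * 16, PBKDF2_ITERATIONS)
        return None
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), user.salt, PBKDF2_ITERATIONS)
    # Constant-time comparison so hash bytes cannot be inferred from timing.
    return user if hmac.compare_digest(candidate, user.pw_hash) else None


def authorize(user, resource):
    """Deny by default: access requires an authenticated user AND an explicit grant."""
    return user is not None and resource in user.allowed


def read_resource(users, store, name, password, resource):
    """Authenticate, then authorize; a failure of either yields the same answer."""
    user = authenticate(users, name, password)
    if not authorize(user, resource):
        return None
    return store[resource]


# Constructed sample data for the hypothetical store.
STORE = {"hr/payroll.csv": "payroll (constructed)", "eng/design.doc": "design (constructed)"}
USERS = {
    "alice": make_user("alice", "correct horse", {"hr/payroll.csv"}),
    "bob": make_user("bob", "battery staple", {"eng/design.doc"}),
}
```

Note that a wrong password, an unknown user and a valid user asking for someone else's file all get the same refusal, so the response leaks nothing about which check failed.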
Some questions regarding cloud computing are more philosophical. Does the user or
company subscribing to the cloud computing service own the data? Does the cloud
computing system, which provides the actual storage space, own it? Is it possible for a
cloud computing company to deny a client access to that client's data? Several
companies, law firms and universities are debating these and other questions about the
nature of cloud computing.
How will cloud computing affect other industries? There's a growing concern in the IT
industry about how cloud computing could impact the business of computer
maintenance and repair. If companies switch to using streamlined computer systems,
they'll have fewer IT needs. Some industry experts believe that the need for IT jobs will
migrate to the back end of the cloud computing system.
Another area of research in the computer science community is autonomic computing.
An autonomic computing system is self-managing, which means the system monitors
itself and takes measures to prevent or repair problems. Currently, autonomic computing
is mostly theoretical. But, if autonomic computing becomes a reality, it could eliminate
the need for many IT maintenance jobs.