
How Domain Name Servers Work


by Marshall Brain and Stephanie Crawford

If you've ever used the Internet, it's a good bet that you've used the Domain Name
System, or DNS, even without realizing it. DNS is a protocol within the set of standards
for how computers exchange data on the Internet and on many private networks, known
as the TCP/IP protocol suite. Its basic job is to turn a user-friendly domain name like
"howstuffworks.com" into an Internet Protocol (IP) address like 70.42.251.42 that
computers use to identify each other on the network. It's like your computer's GPS for
the Internet.
Computers and other network devices on the Internet use an IP address to route your
request to the site you're trying to reach. This is similar to dialing a phone number to
connect to the person you're trying to call. Thanks to DNS, though, you don't have to
keep your own address book of IP addresses. Instead, you just connect through a domain
name server, also called a DNS server or name server, which manages a massive
database that maps domain names to IP addresses.
Whether you're accessing a Web site or sending e-mail, your computer uses a DNS server
to look up the domain name you're trying to access. The proper term for this process is
DNS name resolution, and you would say that the DNS server resolves the domain name to
the IP address. For example, when you enter "http://www.howstuffworks.com" in your
browser, part of the network connection includes resolving the domain name
"howstuffworks.com" into an IP address, like 70.42.251.42, for HowStuffWorks' Web
servers.

When you enter a URL into your Web browser, your DNS server uses its resources to
resolve the name into the IP address for the appropriate Web server.

You can always bypass a DNS lookup by entering 70.42.251.42 directly in your browser
(give it a try). However, you're probably more likely to remember "howstuffworks.com"
when you want to return later. In addition, a Web site's IP address can change over
time, and some sites associate multiple IP addresses with a single domain name.

Without DNS servers, the Internet would shut down very quickly. But how does your
computer know what DNS server to use? Typically, when you connect to your home
network, Internet service provider (ISP) or WiFi network, the modem or router that
assigns your computer's network address also sends some important network
configuration information to your computer or mobile device. That configuration includes
one or more DNS servers that the device should use when translating DNS names to IP
addresses.
So far, you've read about some important DNS basics. The rest of this article dives
deeper into domain name servers and name resolution. It even includes an introduction
to managing your own DNS server. Let's start by looking at how IP addresses are
structured and how that's important to the name resolution process.

DNS Servers and IP Addresses


You just learned that the primary job of a domain name server, or DNS server, is to
resolve (translate) a domain name into an IP address. That sounds like a simple task, and
it would be, except for the following points:

There are billions of IP addresses currently in use, and most machines have a
human-readable name as well.
DNS servers (cumulatively) are processing billions of requests across the Internet
at any given time.
Millions of people are adding and changing domain names and IP addresses each
day.

With so much to handle, DNS servers rely on network efficiency and Internet protocols.
Part of the IP's effectiveness is that each machine on a network has a unique IP address
in both the IPV4 and IPV6 standards managed by the Internet Assigned Numbers
Authority (IANA). Here are some ways to recognize an IP address:

An IP address in the IPV4 standard has four numbers separated by three dots (decimal
points), as in: 70.74.251.42
An IP address in the IPV6 standard has eight hexadecimal numbers (base-16)
separated by colons, as in 2001:0cb8:85a3:0000:0000:8a2e:0370:7334. Because
IPV6 is still a very new standard, we'll concentrate on the more common IPV4 for
this article.
Each number in an IPV4 address is called an "octet" because it's the base-10
equivalent of an 8-digit base-2 (binary) number used in routing network traffic. For
example, the octet written as 42 stands for 00101010. Each digit in the binary
number is the placeholder for a certain power of two from 2^0 to 2^7, reading from
right to left. That means that in 00101010, you have one each of 2^1, 2^3 and 2^5.
So, to get the base-10 equivalent, just add 2^1 + 2^3 + 2^5 = 2 + 8 + 32 = 42. For
more about how IP addresses are constructed, see our article "What is an IP
address?"
There are only 256 possibilities for the value of each octet: the numbers 0
through 255.
Certain addresses and ranges are designated by the IANA as reserved IP
addresses, which means they have a specific job in IP. For example, the IP address
127.0.0.1 is reserved to identify the computer you're currently using. So, talking to
127.0.0.1 is just talking to yourself!

Where does your computer's IP address come from? If we're talking about your desktop
or laptop computer, it probably comes from a Dynamic Host Configuration Protocol
(DHCP) server on your network. The job of a DHCP server is to make sure your computer
has the IP address and other network configuration it needs whenever you're online.
Because this is "dynamic," the IP address for your computer will probably change from
time to time, such as when you shut down your computer for a few days. As the user,
you'll probably never notice all this taking place. See the sidebar on this page for hints
on where to find the IP address assigned to your computer or mobile device.
Web servers and other computers that need a consistent point of contact use static IP
addresses. This means that the same IP address is always assigned to that system's
network interface when it's online. To make sure that interface always gets the same IP
address, IP associates the address with the Media Access Control (MAC) address for that
network interface. Every network interface, both wired and wireless, has a unique MAC
address embedded in it by the manufacturer.

FINDING YOUR IP ADDRESS


The following are tips on how to find your computer's IP address. Note that the address
will change periodically unless you've chosen to use a static IP (rare for end-users):

Windows -- Though you can click through the user interface to find your network
interface settings, one quick way to find your IP address is to open the Command
Prompt application from Accessories and enter this command: ipconfig
Mac -- Open your System Preferences, click Network, be sure your current network
connection (with the green dot beside it) is selected, click Advanced, and click the
TCP/IP tab.
Linux or UNIX -- If you don't already have a command prompt, open a terminal
application, such as XTERM or iTerm. At the command prompt, enter this command:
ifconfig
Smartphones using WiFi -- Look at your phone's network settings. This will vary
depending on the phone and the version of its operating system.

Note that if you're on a home or small local network, your address will probably be in the
form 192.168.x.x, 172.16.x.x or 10.x.x.x (where x is a number between 0 and 255).
These are reserved addresses used on each local network, and a router on that network
then connects you to the Internet.
For more information on IP addresses, see the IANA, operated by the Internet Corporation
for Assigned Names and Numbers (ICANN). Now, though, let's look at the other side of
the DNS equation: domain names.

Domain Names
If we had to remember the IP addresses of all our favorite Web sites, we'd probably go
nuts! Human beings are just not that good at remembering strings of numbers. We are
good at remembering words, however, and that is where domain names come in. You
probably have hundreds of domain names stored in your head, such as:

howstuffworks.com -- our favorite domain name
google.com -- one of the most used domain names in the world
mit.edu -- a popular EDU name
bbc.co.uk -- a three-part domain name using the country code UK

You'll recognize domain names as having strings of characters separated by dots
(periods). The last word in a domain name represents a top-level domain. These top-level
domains are controlled by the IANA in what's called the Root Zone Database, which we'll
examine more closely later. The following are some common top-level domains:

COM -- commercial Web sites, though open to everyone
NET -- network Web sites, though open to everyone
ORG -- non-profit organization Web sites, though open to everyone
EDU -- restricted to schools and educational organizations
MIL -- restricted to the U.S. military
GOV -- restricted to the U.S. government
US, UK, RU and other two-letter country codes -- each is assigned to a domain
name authority in the respective country

In a domain name, each word and dot combination you add before a top-level domain
indicates a level in the domain structure. Each level refers to a server or a group of
servers that manage that domain level. For example, "howstuffworks" in our domain
name is a second-level domain off the COM top-level domain. An organization may have
a hierarchy of sub-domains further organizing its Internet presence, like "bbc.co.uk"
which is the BBC's domain under CO, an additional level created by the domain name
authority responsible for the UK country code.
The left-most word in the domain name, such as www or mail, is a host name. It specifies
the name of a specific machine (with a specific IP address) in a domain, typically
dedicated to a specific purpose. A given domain can potentially contain millions of host
names as long as they're all unique to that domain.
Because all of the names in a given domain need to be unique, there has to be some way
to control the list and make sure no duplicates arise. That's where registrars come in. A
registrar is an authority that can assign domain names directly under one or more
top-level domains and register them with InterNIC, a service of ICANN, which enforces
uniqueness of domain names across the Internet. Each domain registration becomes part
of a central domain registration database known as the whois database. Network
Solutions, Inc. (NSI) was one of the first registrars, and today companies like
GoDaddy.com offer domain registration in addition to many other Web site and domain
management services. [source: InterNIC]

What's in a name? For your domain, the name could make a difference in whether people
remember or want to visit your Web site.

Later, when we look at how to create a domain name, we'll see that part of registering a
domain requires identifying one or more name servers (DNS servers) that have the
authority to resolve the host names and sub-domains in that domain. Typically, you
would do this through a hosting service, which has its own DNS servers. Next, we'll look
at how these DNS servers manage your domain, and how DNS servers across the
Internet work together to ensure traffic is routed properly between IP addresses.

The Distributed System


Every domain has a domain name server handling its requests, and there is a person or
IT team maintaining the records in that DNS server's database. No other database on the
planet gets as many requests as DNS servers, and they handle all those queries while
also processing data updates from millions of people every day. That's one of the most
amazing parts of DNS -- it is completely distributed throughout the world on millions of
machines, managed by millions of people, and yet it behaves like a single, integrated
database!

Because managing DNS seems like such a big job, most people tend to leave it to the IT
professionals. However, by learning a little bit about how DNS works and how DNS
servers are distributed across the Internet, you can manage DNS with confidence. The
first thing to know is what the purpose of a DNS server is on the network where it
resides. A DNS server will have one of the following as its primary task:

Maintain a small database of domain names and IP addresses most often used on
its own network, and delegate name resolution for all other names to other DNS
servers on the Internet.
Pair IP addresses with all hosts and sub-domains for which that DNS server has
authority.

DNS servers that perform the first task are normally managed by your Internet service
provider (ISP). As mentioned earlier, the ISP's DNS server is part of the network
configuration you get from DHCP as soon as you go online. These servers reside in your
ISP's data centers, and they handle requests as follows:

If it has the domain name and IP address in its database, it resolves the name
itself.
If it doesn't have the domain name and IP address in its database, it contacts
another DNS server on the Internet. It may have to do this multiple times.
If it has to contact another DNS server, it caches the lookup results for a limited
time so it can quickly resolve subsequent requests to the same domain name.
If it has no luck finding the domain name after a reasonable search, it returns an
error indicating that the name is invalid or doesn't exist.

The second category of DNS servers mentioned above is typically associated with Web,
mail and other Internet domain hosting services. Though some hardcore IT gurus set up
and manage their own DNS servers, hosting services have made DNS management
much easier for the less technical audience. A DNS server that manages a specific
domain is called the start of authority (SOA) for that domain. Over time, the results from
looking up hosts at the SOA will propagate to other DNS servers, which in turn propagate
to other DNS servers, and so on across the Internet.
This propagation is a result of each DNS server caching the lookup result for a limited
time, known as its Time To Live (TTL), ranging from a few minutes to a few days. People
managing a DNS server can configure its TTL, so TTL values will vary across the Internet.
So, each time you look up "www.howstuffworks.com," it's possible that the DNS server
for your ISP will find the lookup results "70.42.251.42" in its own cache if you or someone
else using that server looked for it before within the server's TTL.
This great web of DNS servers includes the root name servers, which start at the top of
the domain hierarchy for a given top-level domain. There are hundreds of root name
servers to choose from for each top-level domain. Though DNS lookups don't have to start
at a root name server, they can contact a root name server as a last resort to help track
down the SOA for a domain.

Domain name servers connect to each other across the Internet and cache lookup
information to make name resolution more efficient.

Now that you know how DNS servers are interconnected to improve the name resolution
process, let's look at how you can configure a DNS server to be the authority for your
domain.
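As an added illustration of the lookup sequence and TTL caching described in this section (example code written for this edition, not part of the original article), here is a small Python model of an ISP-style resolver that walks from a root server through the TLD server to the domain's SOA, caches the answer, and serves it from cache only until the record's TTL runs out. The server addresses, delegations and TTLs are constructed for the example; only the HowStuffWorks names and addresses come from the article.

```python
import time
from typing import Dict, List, Optional, Tuple

Record = Tuple[str, str, int]            # (type, rdata, ttl in seconds)
Zone = Dict[str, List[Record]]           # owner name -> its records

# Constructed toy Internet, keyed by each server's (made-up) IP address.  The
# root refers "com." questions to the TLD server, which refers
# "howstuffworks.com." questions to that domain's authority (its SOA server).
# The authority zone omits its own apex NS records so a referral never points
# back at the server that issued it.
ROOT_IP = "192.0.2.1"
SERVERS: Dict[str, Zone] = {
    ROOT_IP: {
        "com.": [("NS", "a.gtld-servers.net.", 172800)],
        "a.gtld-servers.net.": [("A", "192.0.2.2", 172800)],           # glue
    },
    "192.0.2.2": {
        "howstuffworks.com.": [("NS", "auth-ns1.howstuffworks.com.", 172800)],
        "auth-ns1.howstuffworks.com.": [("A", "192.0.2.53", 172800)],  # glue
    },
    "192.0.2.53": {
        "www.howstuffworks.com.": [("A", "70.42.251.42", 300)],
        "mail.howstuffworks.com.": [("A", "209.170.137.42", 300)],
    },
}


def query_server(server_ip: str, qname: str, qtype: str):
    """One round trip: the server answers from its own data, refers the
    resolver to the closest delegation it knows about, or reports that
    the name does not exist."""
    zone = SERVERS[server_ip]
    for rtype, rdata, ttl in zone.get(qname, []):
        if rtype == qtype:
            return "ANSWER", (rdata, ttl)
    labels = qname.split(".")
    for i in range(1, len(labels)):               # walk up: www.x.com. -> x.com. -> com.
        parent = ".".join(labels[i:])
        for rtype, ns_name, _ttl in zone.get(parent, []):
            if rtype == "NS":
                glue = [r for t, r, _ in zone.get(ns_name, []) if t == "A"]
                return "REFERRAL", (ns_name, glue[0] if glue else None)
    return "NXDOMAIN", None


class CachingResolver:
    """The ISP-side resolver: answers from cache while the TTL holds,
    otherwise walks root -> TLD -> authority and caches what comes back."""

    def __init__(self) -> None:
        self.cache: Dict[Tuple[str, str], Tuple[str, float]] = {}  # key -> (rdata, expiry)

    def resolve(self, qname: str, qtype: str = "A", now: Optional[float] = None):
        """Returns (rdata, source, hops).  `now` is injectable so TTL expiry
        can be exercised without actually waiting."""
        now = time.time() if now is None else now
        key = (qname, qtype)
        cached = self.cache.get(key)
        if cached is not None and now < cached[1]:
            return cached[0], "cache", 0
        self.cache.pop(key, None)                 # expired or never seen
        server_ip, hops = ROOT_IP, 0
        while hops < 8:                           # bound the referral chain
            hops += 1
            status, payload = query_server(server_ip, qname, qtype)
            if status == "ANSWER":
                rdata, ttl = payload
                self.cache[key] = (rdata, now + ttl)
                return rdata, "network", hops
            if status == "REFERRAL" and payload[1] is not None:
                server_ip = payload[1]            # follow the glue address
                continue
            return None, "nxdomain", hops
        return None, "referral-loop", hops


if __name__ == "__main__":
    r = CachingResolver()
    for t in (1000, 1100, 1300):   # second query hits cache, third is past the 300 s TTL
        print(t, r.resolve("www.howstuffworks.com.", now=t))
    print(r.resolve("nosuch.howstuffworks.com.", now=1000))
```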

Creating a New Domain Name


When you want to create a new domain name, you need to do the following:

Use the Whois database to find a unique domain name that isn't yet registered.
There are several sites that offer free Whois database searches, such as Network
Solutions. If the search comes up empty, you know the domain name is available.
Register the domain name with a registrar. There are a lot of registrars to choose
from, and some offer special prices for registering the COM, NET, and ORG versions
of a domain at the same time, for registering for two or more years, or for hosting
the domain with the same company.
If you're hosting the domain at a different company than your registrar, configure
the registrar to point your domain name to the correct host name or IP address for
your hosting company (see information below about A records).

Using the DNS servers from your registrar or hosting company means that you have a
parked domain. This means that someone else owns the computer hardware for the DNS
servers, and your domain is just part of that company's larger DNS configuration.
Alternatively, if you're passionate about hosting your own DNS, you can set up your own
server, either as a physical or virtual machine. Whichever DNS setup you decide on, that
DNS server (or group of servers) becomes the SOA for your domain, as described earlier.
Whether your SOA is somewhere else or on your own system, you can extend and modify
your DNS settings to add sub-domains, redirect e-mail and control other services. This
information is kept in a zone file on the DNS server [source: GoDaddy.com]. If you're
running your own server, you'll probably need to manually edit the zone file in a text
editor. Many registrars today have a Web interface you can use to manage DNS for your
domain. Each new configuration you add is called a record, and the following are the
most common types of records you can configure for your DNS server:

Host (A) -- This is the basic mapping of IP address to host name, the essential
component for any domain name.
Canonical Name (CNAME) -- This is an alias for your domain. Anyone accessing that
alias will be automatically directed to the server indicated in the A record.
Mail Exchanger (MX) -- This maps e-mail traffic to a specific server. It could indicate
another host name or an IP address. For example, people who use Google for the
e-mail for their domain will create an MX record that points to ghs.google.com.
Name Server (NS) -- This contains the name server information for the zone. If you
configure this, your server will let other DNS servers know that yours is the
ultimate authority (SOA) for your domain when caching lookup information on your
domain from other DNS servers around the world.
Start of Authority (SOA) -- This is one larger record at the beginning of every zone
file with the primary name server for the zone and some other information. If your
registrar or hosting company is running your DNS server, you won't need to
manage this. If you're managing your own DNS, Microsoft's support information
has a helpful article on the structure of a DNS SOA Record.

The following is an example of what a zone file might look like for those who are editing
it directly in a text editor. Note that the center column (second item on each line)
includes a record type from those listed above. When you see an "@" in the left column,
it means that the record applies in all cases not otherwise specified:
@ NS auth-ns1.howstuffworks.com
@ NS auth-ns2.howstuffworks.com
@ MX 10 mail
mail A 209.170.137.42
vip1 A 216.183.103.150
www CNAME vip1
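To show how a DNS server actually uses a file like this one (added example code, not from the article or any hosting company's software), the Python below parses the zone above, expands "@" and relative names under the origin, validates each record type, follows the www CNAME to its A record and lists the MX hosts with their addresses. The zone text is a constructed copy of the example; the origin howstuffworks.com is assumed.

```python
import ipaddress
from typing import Dict, Tuple

ORIGIN = "howstuffworks.com"

# Constructed copy of the zone file shown above.
ZONE_TEXT = """\
@ NS auth-ns1.howstuffworks.com
@ NS auth-ns2.howstuffworks.com
@ MX 10 mail
mail A 209.170.137.42
vip1 A 216.183.103.150
www CNAME vip1
"""

Records = Dict[Tuple[str, str], list]   # (owner, type) -> list of rdata


def qualify(name: str, origin: str) -> str:
    """Expand '@' and relative names to full names under the zone's origin.
    A trailing dot marks an absolute name; the article's simplified format
    omits it, so a name that already ends in the origin is taken as absolute."""
    if name == "@":
        return origin
    if name.endswith("."):
        return name.rstrip(".")
    if name == origin or name.endswith("." + origin):
        return name
    return f"{name}.{origin}"


def parse_zone(text: str, origin: str) -> Records:
    """Parse 'owner TYPE rdata' lines (';' starts a comment), validating
    each record type so a typo fails here rather than at lookup time."""
    records: Records = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 3:
            raise ValueError(f"line {lineno}: expected 'owner TYPE rdata'")
        owner, rtype, rdata = qualify(parts[0], origin), parts[1].upper(), parts[2:]
        if rtype == "A":
            value = str(ipaddress.IPv4Address(rdata[0]))   # rejects bad dotted quads
        elif rtype in ("NS", "CNAME"):
            value = qualify(rdata[0], origin)
        elif rtype == "MX":
            if len(rdata) != 2:
                raise ValueError(f"line {lineno}: MX needs 'preference host'")
            value = (int(rdata[0]), qualify(rdata[1], origin))
        else:
            raise ValueError(f"line {lineno}: unsupported record type {rtype}")
        records.setdefault((owner, rtype), []).append(value)
    return records


def resolve_a(records: Records, name: str, max_chain: int = 8):
    """Follow CNAME aliases until an A record turns up, as a resolver does
    for 'www' here.  Returns (addresses, chain of names visited); an alias
    with no target yields an empty address list, and a loop raises."""
    chain = [name]
    for _ in range(max_chain):
        if (name, "A") in records:
            return records[(name, "A")], chain
        targets = records.get((name, "CNAME"))
        if not targets:
            return [], chain                      # dangling name
        name = targets[0]
        chain.append(name)
    raise ValueError(f"CNAME chain too long or looping: {' -> '.join(chain)}")


def mail_hosts(records: Records, domain: str):
    """MX targets for the domain in preference order, each with its A addresses."""
    mx = sorted(records.get((domain, "MX"), []))
    return [(pref, host, resolve_a(records, host)[0]) for pref, host in mx]


if __name__ == "__main__":
    zone = parse_zone(ZONE_TEXT, ORIGIN)
    print(resolve_a(zone, "www.howstuffworks.com"))
    print(mail_hosts(zone, ORIGIN))
```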

To increase visibility and prevent misdirected customers, many businesses create the
same second-level domain name under several top-level domains worldwide.

Typical users will probably get the most use out of MX and CNAME records. The MX
record allows you to point your mail services somewhere other than your hosting
company if you choose to use something like Google Apps for your domain. The CNAME
records let you point host names for your domain to various other locations. This could
include setting google.example.com to redirect to google.com, or setting up a dedicated
game server with its own IP address and pointing it to something like
gameserver.example.com. HowStuffWorks' parent company, Discovery, does this:
dsc.discovery.com is the main Web site, science.discovery.com is The Science Channel
Web site, and so on.

Throughout this article, you've read about the role of domain name servers, how DNS
maps domain names to IP addresses and how to choose your domain name and
configure it to work within the distributed system of DNS servers around the world.

What is an IP address?

by Stephanie Crawford and HowStuffWorks.com Contributors


Every machine on a network has a unique identifier. Just as you would address a letter to
send in the mail, computers use the unique identifier to send data to specific computers
on a network. Most networks today, including all computers on the Internet, use the
TCP/IP protocol as the standard for how to communicate on the network. In the TCP/IP
protocol, the unique identifier for a computer is called its IP address.
There are two standards for IP addresses: IP Version 4 (IPv4) and IP Version 6 (IPv6). All
computers with IP addresses have an IPv4 address, and many are starting to use the new
IPv6 address system as well. Here's what these two address types mean:

IPv4 uses 32 binary bits to create a single unique address on the network. An IPv4
address is expressed by four numbers separated by dots. Each number is the
decimal (base-10) representation for an eight-digit binary (base-2) number, also
called an octet. For example: 216.27.61.137
IPv6 uses 128 binary bits to create a single unique address on the network. An IPv6
address is expressed by eight groups of hexadecimal (base-16) numbers separated
by colons, as in 2001:cdba:0000:0000:0000:0000:3257:9652. Groups of numbers
that contain all zeros are often omitted to save space, leaving a colon separator to
mark the gap (as in 2001:cdba::3257:9652).

At the dawn of IPv4 addressing, the Internet was not the large commercial sensation it is
today, and most networks were private and closed off from other networks around the
world. When the Internet exploded, having only 32 bits to identify a unique Internet
address caused people to panic that we'd run out of IP addresses. Under IPv4, there are
2^32 possible combinations, which offers just under 4.3 billion unique addresses. IPv6
raised that to a panic-relieving 2^128 possible addresses. Later, we'll take a closer look at
how to understand your computer's IPv4 or IPv6 addresses.
How does your computer get its IP address? An IP address can be either dynamic or
static. A static address is one that you configure yourself by editing your computer's
network settings. This type of address is rare, and it can create network issues if you use
it without a good understanding of TCP/IP. Dynamic addresses are the most common.
They're assigned by the Dynamic Host Configuration Protocol (DHCP), a service running
on the network. DHCP typically runs on network hardware such as routers or dedicated
DHCP servers.

Dynamic IP addresses are issued using a leasing system, meaning that the IP address is
only active for a limited time. If the lease expires, the computer will automatically
request a new lease. Sometimes, this means the computer will get a new IP address, too,
especially if the computer was unplugged from the network between leases. This process
is usually transparent to the user unless the computer warns about an IP address conflict
on the network (two computers with the same IP address). An address conflict is rare, and
today's technology typically fixes the problem automatically.

In Microsoft Windows, you can enter ipconfig in the command prompt app to view your
computer's current IP address configuration.

Next, let's take a closer look at the important parts of an IP address and the special roles
of certain addresses.

IP Classes
Earlier, you read that IPv4 addresses represent four eight-digit binary numbers. That
means that each number could be 00000000 to 11111111 in binary, or 0 to 255 in
decimal (base-10). In other words, 0.0.0.0 to 255.255.255.255. However, some numbers
in that range are reserved for specific purposes on TCP/IP networks. These reservations
are recognized by the authority on TCP/IP addressing, the Internet Assigned Numbers
Authority (IANA). Four specific reservations include the following:

0.0.0.0 -- This represents the default network, which is the abstract concept of just
being connected to a TCP/IP network.
255.255.255.255 -- This address is reserved for network broadcasts, or messages
that should go to all computers on the network.
127.0.0.1 -- This is called the loopback address, meaning your computer's way of
identifying itself, whether or not it has an assigned IP address.
169.254.0.1 to 169.254.255.254 -- This is the Automatic Private IP Addressing
(APIPA) range of addresses, assigned automatically when a computer is unsuccessful
in getting an address from a DHCP server.

The other IP address reservations are for subnet classes. A subnet is a smaller network of
computers connected to a larger network through a router. The subnet can have its own
address system so computers on the same subnet can communicate quickly without
sending data across the larger network. A router on a TCP/IP network, including the
Internet, is configured to recognize one or more subnets and route network traffic
appropriately. The following are the IP addresses reserved for subnets:

10.0.0.0 to 10.255.255.255 -- This falls within the Class A address range of 1.0.0.0
to 127.0.0.0, in which the first bit is 0.
172.16.0.0 to 172.31.255.255 -- This falls within the Class B address range of
128.0.0.0 to 191.255.0.0, in which the first two bits are 10.
192.168.0.0 to 192.168.255.255 -- This falls within the Class C range of 192.0.0.0
through 223.255.255.0, in which the first three bits are 110.
Multicast (formerly called Class D) -- The first four bits in the address are 1110,
with addresses ranging from 224.0.0.0 to 239.255.255.255.
Reserved for future/experimental use (formerly called Class E) -- addresses
240.0.0.0 to 254.255.255.254.

The first three (within Classes A, B and C) are those most used in creating subnets. Later,
we'll see how a subnet uses these addresses. The IANA has outlined specific uses for
multicast addresses within Internet Engineering Task Force (IETF) document RFC 5771.
However, it hasn't designated a purpose or future plan for Class E addresses since it
reserved the block in its 1989 document RFC 1112. Before IPv6, the Internet was filled
with debate about whether the IANA should release Class E for general use.

HOW DHCP ASSIGNS ADDRESSES


When you add a computer to a network, that computer uses a four-step process to get an
IP address from DHCP:

Discover -- The computer sends out a broadcast message on the network, hoping
to discover a DHCP service provider.
Offer -- Each DHCP provider hears the message, recognizes the unique hardware
address of the computer, and sends a message back offering its services to that
computer.
Request -- The computer selects a DHCP provider from its offerings and then sends
a request to that provider asking for an IP address assignment.
Acknowledge -- The targeted DHCP provider acknowledges the request and issues
an IP address to the computer that doesn't match any other IP addresses currently
active on the network.

Next, let's see how subnets work and find out who has those non-reserved IP addresses
out on the Internet.

Internet Addresses and Subnets


The following is an example of a subnet IP address you might have on your computer at
home if you're using a router (wireless or wired) between your ISP connection and your
computer:

IP address: 192.168.1.102
Subnet mask: 255.255.255.0
Twenty-four bits (three octets) reserved for network identity
Eight bits (one octet) reserved for nodes
Subnet identity based on subnet mask (first address): 192.168.1.0
The reserved broadcast address for the subnet (last address): 192.168.1.255
Example addresses on the same network: 192.168.1.1, 192.168.1.103
Example addresses not on the same network: 192.168.2.1, 192.168.2.103

Besides reserving IP addresses, the IANA is also responsible for assigning blocks of IP
addresses to certain entities, usually commercial or government organizations. Your
Internet service provider (ISP) may be one of these entities, or it may be part of a larger
block under the control of one of those entities. In order for you to connect to the
Internet, your ISP will assign you one of these addresses. You can see a full list of IANA
assignments and reservations for IPv4 addresses here.
If you only connect one computer to the Internet, that computer can use the address
from your ISP. Many homes today, though, use routers to share a single Internet
connection between multiple computers. Wireless routers have become especially
popular in recent years, avoiding the need to run network cables between rooms.
If you use a router to share an Internet connection, the router gets the IP address issued
directly from the ISP. Then, it creates and manages a subnet for all the computers
connected to that router. If your computer's address falls into one of the reserved subnet
ranges listed earlier, you're going through a router rather than connecting directly to the
Internet.
IP addresses on a subnet have two parts: network and node. The network part identifies
the subnet itself. The node, also called the host, is an individual piece of computer
equipment connected to the network and requiring a unique address. Each computer
knows how to separate the two parts of the IP address by using a subnet mask. A subnet
mask looks somewhat like an IP address, but it's actually just a filter used to determine
which part of an IP address designates the network and node.
A subnet mask consists of a series of 1 bits followed by a series of 0 bits. The 1 bits
indicate those that should mask the network bits in the IP address, revealing only those
that identify a unique node on that network. In the IPv4 standard, the most commonly
used subnet masks have complete octets of 1s and 0s as follows:

255.0.0.0 = 11111111.00000000.00000000.00000000 = eight bits for networks,
24 bits for nodes
255.255.0.0 = 11111111.11111111.00000000.00000000 = 16 bits for networks,
16 bits for nodes
255.255.255.0 = 11111111.11111111.11111111.00000000 = 24 bits for
networks, eight bits for nodes

People who set up large networks determine what subnet mask works best based on the
number of desired subnets or nodes. For more subnets, use more bits for the network;
for more nodes per subnet, use more bits for the nodes. This may mean using non-standard
mask values. For instance, if you want to use 10 bits for networks and 22 for nodes, your
subnet mask value would require using 11000000 in the second octet, resulting in a
subnet mask value of 255.192.0.0.
Another important thing to note about IP addresses in a subnet is that the first and last
addresses are reserved. The first address identifies the subnet itself, and the last address
identifies the broadcast address for systems on that subnet.
See the "How DHCP Assigns Addresses" sidebar above for a look at how all this
information comes together to form your IP address.
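The Python below (an added example for this edition, not code from the article) carries the arithmetic of this section and of the earlier octet discussion through in working code: it turns a dotted quad into the 8-bit binary form shown for 42, builds a mask from a network-bit count (10 bits gives 255.192.0.0), rejects a mask whose 1 bits are not one run from the left, computes the network and broadcast addresses for the 192.168.1.102 example, checks whether two addresses share a subnet, classifies an address by its leading bits, and tests membership in the three reserved private ranges. The private-range masks are the standard ones implied by the ranges listed above.

```python
from typing import Dict, List

MASK32 = 0xFFFFFFFF


def parse_ipv4(text: str) -> int:
    """Dotted quad -> 32-bit integer, rejecting anything but four octets 0..255."""
    parts = text.split(".")
    if len(parts) != 4:
        raise ValueError(f"{text!r}: expected four octets")
    value = 0
    for part in parts:
        if not part.isdigit() or int(part) > 255:
            raise ValueError(f"{text!r}: octet {part!r} must be 0..255")
        value = (value << 8) | int(part)
    return value


def to_dotted(value: int) -> str:
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def octet_to_binary(octet: int) -> str:
    """42 -> '00101010': the bit positions are the powers of two 2^7 .. 2^0."""
    if not 0 <= octet <= 255:
        raise ValueError("an octet holds 0..255")
    return format(octet, "08b")


def to_binary(text: str) -> str:
    """Whole address in the dotted-binary form the article uses for masks."""
    value = parse_ipv4(text)
    return ".".join(octet_to_binary((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def mask_from_prefix(network_bits: int) -> str:
    """Network-bit count -> mask; 10 bits gives 255.192.0.0 as in the text."""
    if not 0 <= network_bits <= 32:
        raise ValueError("network bits must be 0..32")
    return to_dotted((MASK32 << (32 - network_bits)) & MASK32)


def prefix_from_mask(mask: str) -> int:
    """Mask -> network-bit count, rejecting masks whose 1 bits are not a
    single run from the left (255.0.255.0 is not a valid mask)."""
    value = parse_ipv4(mask)
    ones = bin(value).count("1")
    if value != (MASK32 << (32 - ones)) & MASK32:
        raise ValueError(f"{mask}: 1 bits must be contiguous from the left")
    return ones


def subnet_info(ip: str, mask: str) -> Dict[str, object]:
    """First (network) and last (broadcast) addresses plus host counts for an
    address/mask pair, like the 192.168.1.102 example above."""
    network_bits = prefix_from_mask(mask)
    address, m = parse_ipv4(ip), parse_ipv4(mask)
    network = address & m                       # 1 bits keep the network part
    broadcast = network | (~m & MASK32)         # all node bits set
    return {
        "network_bits": network_bits,
        "host_bits": 32 - network_bits,
        "network": to_dotted(network),
        "broadcast": to_dotted(broadcast),
        "usable_hosts": max(0, 2 ** (32 - network_bits) - 2),
    }


def same_subnet(a: str, b: str, mask: str) -> bool:
    m = parse_ipv4(mask)
    return parse_ipv4(a) & m == parse_ipv4(b) & m


def address_class(ip: str) -> str:
    """Classify by the leading bits of the first octet, per the IP Classes list."""
    first = parse_ipv4(ip) >> 24
    if first >> 7 == 0b0:
        return "A"
    if first >> 6 == 0b10:
        return "B"
    if first >> 5 == 0b110:
        return "C"
    if first >> 4 == 0b1110:
        return "D (multicast)"
    return "E (experimental)"


# The three reserved private ranges listed above, as network/mask pairs.
PRIVATE_RANGES: List[tuple] = [
    ("10.0.0.0", "255.0.0.0"),
    ("172.16.0.0", "255.240.0.0"),
    ("192.168.0.0", "255.255.0.0"),
]


def is_private(ip: str) -> bool:
    """True when the address is one a router hands out on a local network."""
    return any(same_subnet(ip, net, mask) for net, mask in PRIVATE_RANGES)


if __name__ == "__main__":
    print(to_binary("70.42.251.42"))
    print(subnet_info("192.168.1.102", "255.255.255.0"))
    print(mask_from_prefix(10), address_class("192.168.1.102"), is_private("192.168.1.102"))
```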

How Network Address Translation Works

by Jeff Tyson

Network Address Translation helps improve security by reusing IP addresses. The NAT
router translates traffic coming into and leaving the private network.

If you are reading this article, you are most likely connected to the Internet and viewing
it at the HowStuffWorks Web site. There's a very good chance that you are using
Network Address Translation (NAT) right now.
The Internet has grown larger than anyone ever imagined it could be. Although the exact
size is unknown, the current estimate is that there are about 100 million hosts and more
than 350 million users actively on the Internet. That is more than the entire population of
the United States! In fact, the rate of growth has been such that the Internet is
effectively doubling in size each year.
So what does the size of the Internet have to do with NAT? Everything! For a computer to
communicate with other computers and Web servers on the Internet, it must have an IP
address. An IP address (IP stands for Internet Protocol) is a unique 32-bit number that
identifies the location of your computer on a network. Basically, it works like your street
address -- as a way to find out exactly where you are and deliver information to you.
When IP addressing first came out, everyone thought that there were plenty of addresses
to cover any need. Theoretically, you could have 4,294,967,296 unique addresses (2^32).
The actual number of available addresses is smaller (somewhere between 3.2 and 3.3
billion) because of the way that the addresses are separated into classes, and because
some addresses are set aside for multicasting, testing or other special uses.
With the explosion of the Internet and the increase in home networks and business
networks, the number of available IP addresses is simply not enough. The obvious
solution is to redesign the address format to allow for more possible addresses. This is
being developed (called IPv6), but will take several years to implement because it
requires modification of the entire infrastructure of the Internet.
This is where NAT (RFC 1631) comes to the rescue. Network Address Translation allows a
single device, such as a router, to act as an agent between the Internet (or "public
network") and a local (or "private") network. This means that only a single, unique IP
address is required to represent an entire group of computers.

But the shortage of IP addresses is only one reason to use NAT. In this article, you will
learn more about how NAT can benefit you. But first, let's take a closer look at NAT and
exactly what it can do...


What Does NAT Do?


NAT is like the receptionist in a large office. Let's say you have left instructions with the
receptionist not to forward any calls to you unless you request it. Later on, you call a
potential client and leave a message for that client to call you back. You tell the
receptionist that you are expecting a call from this client and to put her through.
The client calls the main number to your office, which is the only number the client
knows. When the client tells the receptionist that she is looking for you, the receptionist
checks a lookup table that matches your name with your extension. The receptionist
knows that you requested this call, and therefore forwards the caller to your extension.
Developed by Cisco, Network Address Translation is used by a device (firewall, router or
computer) that sits between an internal network and the rest of the world. NAT has many
forms and can work in several ways:
Static NAT - Mapping an unregistered IP address to a registered IP address on a one-to-one
basis. Particularly useful when a device needs to be accessible from outside the network.
In static NAT, the computer with the IP address of 192.168.32.10 will always translate to
213.18.123.110.

Dynamic NAT - Maps an unregistered IP address to a registered IP address from a group of
registered IP addresses.
In dynamic NAT, the computer with the IP address 192.168.32.10 will translate to the first
available address in the range from 213.18.123.100 to 213.18.123.150.

Overloading - A form of dynamic NAT that maps multiple unregistered IP addresses to a
single registered IP address by using different ports. This is also known as PAT (Port
Address Translation), single address NAT or port-level multiplexed NAT.
In overloading, each computer on the private network is translated to the same IP address
(213.18.123.100), but with a different port number assignment.

Overlapping - When the IP addresses used on your internal network are registered IP
addresses in use on another network, the router must maintain a lookup table of these
addresses so that it can intercept them and replace them with registered unique IP
addresses. It is important to note that the NAT router must translate the "internal"
addresses to registered unique addresses as well as translate the "external" registered
addresses to addresses that are unique to the private network. This can be done either
through static NAT or by using DNS and implementing dynamic NAT.
The internal IP range (237.16.32.xx) is also a registered range used by another network.
Therefore, the router is translating the addresses to avoid a potential conflict with
another network. It will also translate the registered global IP addresses back to the
unregistered local IP addresses when information is sent to the internal network.

The internal network is usually a LAN (Local Area Network), commonly referred to as
the stub domain. A stub domain is a LAN that uses IP addresses internally. Most of the
network traffic in a stub domain is local, so it doesn't travel outside the internal network.
A stub domain can include both registered and unregistered IP addresses. Of course, any
computers that use unregistered IP addresses must use Network Address Translation to
communicate with the rest of the world.
In the next section we'll look at the different ways NAT can be configured.

NAT Configuration
NAT can be configured in various ways. In the example below, the NAT router is
configured to translate unregistered (inside, local) IP addresses, that reside on the
private (inside) network, to registered IP addresses. This happens whenever a device on
the inside with an unregistered address needs to communicate with the public (outside)
network.

An ISP assigns a range of IP addresses to your company. The assigned block of
addresses are registered, unique IP addresses and are called inside global
addresses. Unregistered, private IP addresses are split into two groups. One is a
small group (outside local addresses) that will be used by the NAT routers. The
other, much larger group, known as inside local addresses, will be used on the
stub domain. The outside local addresses are used to translate the unique IP
addresses, known as outside global addresses, of devices on the public
network.
Most computers on the stub domain communicate with each other using the inside
local addresses.
Some computers on the stub domain communicate a lot outside the network.
These computers have inside global addresses, which means that they do not
require translation.

When a computer on the stub domain that has an inside local address wants to
communicate outside the network, the packet goes to one of the NAT routers.
The NAT router checks the routing table to see if it has an entry for the destination
address. If it does, the NAT router then translates the packet and creates an entry
for it in the address translation table. If the destination address is not in the routing
table, the packet is dropped.
Using an inside global address, the router sends the packet on to its destination.
A computer on the public network sends a packet to the private network. The
source address on the packet is an outside global address. The destination address
is an inside global address.
The NAT router looks at the address translation table and determines that the
destination address is in there, mapped to a computer on the stub domain.
The NAT router translates the inside global address of the packet to the inside local
address, and sends it to the destination computer.

IP addresses have different designations based on whether they are on the private
network (stub domain) or on the public network (Internet), and whether the traffic is
incoming or outgoing.
NAT overloading utilizes a feature of the TCP/IP protocol stack, multiplexing, that allows a
computer to maintain several concurrent connections with a remote computer (or
computers) using different TCP or UDP ports. An IP packet has a header that contains the
following information:

Source Address - The IP address of the originating computer, such as 201.3.83.132
Source Port - The TCP or UDP port number assigned by the originating computer
for this packet, such as Port 1080
Destination Address - The IP address of the receiving computer, such as
145.51.18.223
Destination Port - The TCP or UDP port number that the originating computer is
asking the receiving computer to open, such as Port 3021

The addresses specify the two machines at each end, while the port numbers ensure that
the connection between the two computers has a unique identifier. The combination of
these four numbers defines a single TCP/IP connection. Each port number uses 16 bits,
which means that there are a possible 65,536 (2^16) values. Realistically, since different
manufacturers map the ports in slightly different ways, you can expect to have about
4,000 ports available.

Dynamic NAT and Overloading


Here's how dynamic NAT works:


An internal network (stub domain) has been set up with IP addresses that were not
specifically allocated to that company by IANA (Internet Assigned Numbers
Authority), the global authority that hands out IP addresses. These addresses
should be considered non-routable since they are not unique.
The company sets up a NAT-enabled router. The router has a range of unique IP
addresses given to the company by IANA.
A computer on the stub domain attempts to connect to a computer outside the
network, such as a Web server.
The router receives the packet from the computer on the stub domain.
The router saves the computer's non-routable IP address to an address
translation table. The router replaces the sending computer's non-routable IP
address with the first available IP address out of the range of unique IP addresses.
The translation table now has a mapping of the computer's non-routable IP address
matched with one of the unique IP addresses.
When a packet comes back from the destination computer, the router checks the
destination address on the packet. It then looks in the address translation table to
see which computer on the stub domain the packet belongs to. It changes the
destination address to the one saved in the address translation table and sends it
to that computer. If it doesn't find a match in the table, it drops the packet.
The computer receives the packet from the router. The process repeats as long as
the computer is communicating with the external system.

Here's how overloading works:

An internal network (stub domain) has been set up with non-routable IP addresses
that were not specifically allocated to that company by IANA.
The company sets up a NAT-enabled router. The router has a unique IP address
given to the company by IANA.
A computer on the stub domain attempts to connect to a computer outside the
network, such as a Web server.
The router receives the packet from the computer on the stub domain.
The router saves the computer's non-routable IP address and port number to an
address translation table. The router replaces the sending computer's non-routable
IP address with the router's IP address. The router replaces the sending computer's
source port with the port number that matches where the router saved the sending
computer's address information in the address translation table. The translation
table now has a mapping of the computer's non-routable IP address and port
number along with the router's IP address.
When a packet comes back from the destination computer, the router checks the
destination port on the packet. It then looks in the address translation table to see
which computer on the stub domain the packet belongs to. It changes the
destination address and destination port to the ones saved in the address
translation table and sends it to that computer.
The computer receives the packet from the router. The process repeats as long as
the computer is communicating with the external system.
Since the NAT router now has the computer's source address and source port
saved to the address translation table, it will continue to use that same port
number for the duration of the connection. A timer is reset each time the router
accesses an entry in the table. If the entry is not accessed again before the timer
expires, the entry is removed from the table.
In the next section we'll look at the organization of stub domains.

Stub Domains
Look below to see how the computers on a stub domain might appear to external
networks.
Source Computer A
IP Address: 192.168.32.10
Computer Port: 400
NAT Router IP Address: 215.37.32.203
NAT Router Assigned Port Number: 1
Source Computer B
IP Address: 192.168.32.13
Computer Port: 50
NAT Router IP Address: 215.37.32.203
NAT Router Assigned Port Number: 2

Source Computer C
IP Address: 192.168.32.15
Computer Port: 3750
NAT Router IP Address: 215.37.32.203
NAT Router Assigned Port Number: 3
Source Computer D
IP Address: 192.168.32.18
Computer Port: 206
NAT Router IP Address: 215.37.32.203
NAT Router Assigned Port Number: 4
As you can see, the NAT router stores the IP address and port number of each computer.
It then replaces the IP address with its own registered IP address and the port number
corresponding to the location, in the table, of the entry for that packet's source
computer. So any external network sees the NAT router's IP address and the port number
assigned by the router as the source-computer information on each packet.
You can still have some computers on the stub domain that use dedicated IP addresses.
You can create an access list of IP addresses that tells the router which computers on the
network require NAT. All other IP addresses will pass through untranslated.
The number of simultaneous translations that a router will support is determined
mainly by the amount of DRAM (Dynamic Random Access Memory) it has. But since a
typical entry in the address-translation table only takes about 160 bytes, a router with 4
MB of DRAM could theoretically process 26,214 simultaneous translations, which is more
than enough for most applications.
IANA has set aside specific ranges of IP addresses for use as non-routable, internal
network addresses. These addresses are considered unregistered (for more information
check out RFC 1918: Address Allocation for Private Internets, which defines these
address ranges). No company or agency can claim ownership of unregistered addresses
or use them on public computers. Routers are designed to discard (instead of forward)
unregistered addresses. What this means is that a packet from a computer with an
unregistered address could reach a registered destination computer, but the reply would
be discarded by the first router it came to.
There is a range for each of the three classes of IP addresses used for networking:

Range 1: Class A - 10.0.0.0 through 10.255.255.255
Range 2: Class B - 172.16.0.0 through 172.31.255.255
Range 3: Class C - 192.168.0.0 through 192.168.255.255

Although each range is in a different class, you are not required to use any particular
range for your internal network. It is a good practice, though, because it greatly
diminishes the chance of an IP address conflict.
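The overloading steps, the stub-domain table with Computers A to D, and the rule that only unregistered (RFC 1918) addresses are translated while other addresses pass through, as one added example that is not the article's own code: a small NAT router simulation with a port-keyed translation table, replies dropped when no entry matches, and the idle timer that removes stale entries. The idle timeout value and the injectable clock are constructed for the example; a real router keys its table on more than the port.

```python
# Added example, not the article's own code: a simulation of NAT overloading
# (PAT) using the stub-domain table from the text, plus the RFC 1918
# pass-through rule. The idle timeout and the injectable clock are constructed
# for the example; a real router keys its table on more than the port.
import ipaddress
import time

# The three non-routable ranges from RFC 1918.
PRIVATE_RANGES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def is_private(addr: str) -> bool:
    """True for an unregistered (RFC 1918) address, i.e. one that needs translation."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in PRIVATE_RANGES)


class OverloadingNat:
    """NAT router with a single registered address and a port-keyed translation table."""

    def __init__(self, public_ip: str, idle_timeout: float = 60.0, clock=time.monotonic):
        self.public_ip = public_ip
        self.idle_timeout = idle_timeout
        self.clock = clock  # injectable so expiry can be exercised without waiting
        # assigned port -> (inside local address, inside port, time last accessed)
        self.table: dict[int, tuple[str, int, float]] = {}
        self.next_port = 1  # the text numbers entries 1, 2, 3, ... by table position

    def _expire(self) -> None:
        """Drop entries whose idle timer has run out."""
        now = self.clock()
        for port, (_, _, seen) in list(self.table.items()):
            if now - seen > self.idle_timeout:
                del self.table[port]

    def outbound(self, src_ip: str, src_port: int) -> tuple[str, int]:
        """Translate a packet leaving the stub domain; returns the source the outside sees."""
        self._expire()
        if not is_private(src_ip):
            return src_ip, src_port  # registered (inside global) address: untranslated
        for pub_port, (ip, port, _) in self.table.items():
            if (ip, port) == (src_ip, src_port):
                self.table[pub_port] = (ip, port, self.clock())  # reset the timer
                return self.public_ip, pub_port
        pub_port = self.next_port
        self.next_port += 1
        self.table[pub_port] = (src_ip, src_port, self.clock())
        return self.public_ip, pub_port

    def inbound(self, dst_ip: str, dst_port: int):
        """Translate a reply from the Internet; None means the router drops it."""
        self._expire()
        if dst_ip != self.public_ip:
            return dst_ip, dst_port  # addressed to a dedicated registered host: pass through
        entry = self.table.get(dst_port)
        if entry is None:
            return None  # no mapping: nothing inside asked for this, so drop it
        ip, port, _ = entry
        self.table[dst_port] = (ip, port, self.clock())  # reset the timer
        return ip, port


def stub_domain_table() -> OverloadingNat:
    """Rebuild the four-computer table from the text (addresses and ports as given there)."""
    nat = OverloadingNat("215.37.32.203")
    for ip, port in [("192.168.32.10", 400), ("192.168.32.13", 50),
                     ("192.168.32.15", 3750), ("192.168.32.18", 206)]:
        nat.outbound(ip, port)
    return nat


if __name__ == "__main__":
    nat = stub_domain_table()
    for pub_port, (ip, port, _) in nat.table.items():
        print(f"{ip}:{port} -> {nat.public_ip}:{pub_port}")
    print("reply to port 2 goes to", nat.inbound("215.37.32.203", 2))
    print("reply to port 9 goes to", nat.inbound("215.37.32.203", 9))
```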


Security and Administration

Static NAT (inbound mapping) allows a computer on the stub domain to maintain a specific
address when communicating with devices outside the network.

Implementing dynamic NAT automatically creates a firewall between your internal network
and outside networks, or between your internal network and the Internet. NAT only allows
connections that originate inside the stub domain. Essentially, this means that a computer
on an external network cannot connect to your computer unless your computer has initiated
the contact. You can browse the Internet and connect to a site, and even download a file;
but somebody else cannot latch onto your IP address and use it to connect to a port on
your computer.

In specific circumstances, Static NAT, also called inbound mapping, allows external
devices to initiate connections to computers on the stub domain. For instance, if you
wish to go from an inside global address to a specific inside local address that is assigned
to your Web server, Static NAT would enable the connection.
Some NAT routers provide for extensive filtering and traffic logging. Filtering allows your
company to control what type of sites employees visit on the Web, preventing them from
viewing questionable material. You can use traffic logging to create a log file of what
sites are visited and generate various reports from it.
NAT is sometimes confused with proxy servers, but there are definite differences
between them. NAT is transparent to the source and to destination computers. Neither
one realizes that it is dealing with a third device. But a proxy server is not transparent.
The source computer knows that it is making a request to the proxy server and must be
configured to do so. The destination computer thinks that the proxy server IS the source
computer, and deals with it directly. Also, proxy servers usually work at layer 4
(transport) of the OSI Reference Model or higher, while NAT is a layer 3 (network)
protocol. Working at a higher layer makes proxy servers slower than NAT devices in most
cases.
A real benefit of NAT is apparent in network administration. For example, you can move
your Web server or FTP server to another host computer without having to worry about
broken links. Simply change the inbound mapping at the router to reflect the new host. You
can also make changes to your internal network easily, because the only external IP
address either belongs to the router or comes from a pool of global addresses.
NAT and DHCP (dynamic host configuration protocol) are a natural fit. You can choose a
range of unregistered IP addresses for your stub domain and have the DHCP server dole
them out as necessary. It also makes it much easier to scale up your network as your needs
grow. You don't have to request more IP addresses from IANA. Instead, you can just
increase the range of available IP addresses configured in DHCP to immediately have room
for additional computers on your network.
NAT operates at the Network layer (layer 3) of the OSI Reference Model -- this is the layer
that routers work at.


Multi-homing
As businesses rely more and more on the Internet, having multiple points of connection
to the Internet is fast becoming an integral part of their network strategy. Multiple
connections, known as multi-homing, reduce the chance of a potentially catastrophic
shutdown if one of the connections should fail.
In addition to maintaining a reliable connection, multi-homing allows a company to
perform load-balancing by lowering the number of computers connecting to the
Internet through any single connection. Distributing the load through multiple
connections optimizes the performance and can significantly decrease wait times.
Multi-homed networks are often connected to several different ISPs (Internet Service
Providers). Each ISP assigns an IP address (or range of IP addresses) to the company.
Routers use BGP (Border Gateway Protocol), a part of the TCP/IP protocol suite, to route
between networks using different protocols. In a multi-homed network, the router utilizes
IBGP (Internal Border Gateway Protocol) on the stub domain side, and EBGP (External
Border Gateway Protocol) to communicate with other routers.
Multi-homing really makes a difference if one of the connections to an ISP fails. As soon
as the router assigned to connect to that ISP determines that the connection is down, it
will reroute all data through one of the other routers.
NAT can be used to facilitate scalable routing for multi-homed, multi-provider
connectivity.


How Internet Infrastructure Works
by Jeff Tyson

One of the greatest things about the Internet is that nobody really owns it. It is a global
collection of networks, both big and small. These networks connect together in many
different ways to form the single entity that we know as the Internet. In fact, the very
name comes from this idea of interconnected networks.
Since its beginning in 1969, the Internet has grown from four host computer systems to
tens of millions. However, just because nobody owns the Internet, it doesn't mean it is
not monitored and maintained in different ways. The Internet Society, a non-profit group
established in 1992, oversees the formation of the policies and protocols that define how
we use and interact with the Internet.
In this article, you will learn about the basic underlying structure of the Internet. You will
learn about domain name servers, network access points and backbones. But first you
will learn about how your computer connects to others.

The Internet: Computer Network Hierarchy


Every computer that is connected to the Internet is part of a network, even the one in your
home. For example, you may use a modem and dial a local number to connect to an Internet
Service Provider (ISP). At work, you may be part of a local area network (LAN), but you most
likely still connect to the Internet using an ISP that your company has contracted with.
When you connect to your ISP, you become part of their network. The ISP may then connect
to a larger network and become part of their network. The Internet is simply a network of
networks.
When you connect to the Internet, your computer becomes part of a network.
Most large communications companies have their own dedicated backbones connecting
various regions. In each region, the company has a Point of Presence (POP). The POP is
a place for local users to access the company's network, often through a local phone
number or dedicated line. The amazing thing here is that there is no overall controlling
network. Instead, there are several high-level networks connecting to each other through
Network Access Points or NAPs.


Internet Network Example


Here's an example. Imagine that Company A is a large ISP. In each major city, Company
A has a POP. The POP in each city is a rack full of modems that the ISP's customers dial
into. Company A leases fiber optic lines from the phone company to connect the POPs
together (see, for example, this UUNET Data Center Connectivity Map).
Imagine that Company B is a corporate ISP. Company B builds large buildings in major
cities and corporations locate their Internet server machines in these buildings. Company
B is such a large company that it runs its own fiber optic lines between its buildings so
that they are all interconnected.
In this arrangement, all of Company A's customers can talk to each other, and all of
Company B's customers can talk to each other, but there is no way for Company A's
customers and Company B's customers to intercommunicate. Therefore, Company A and
Company B both agree to connect to NAPs in various cities, and traffic between the two
companies flows between the networks at the NAPs.
In the real Internet, dozens of large Internet providers interconnect at NAPs in various
cities, and trillions of bytes of data flow between the individual networks at these points.
The Internet is a collection of huge corporate networks that agree to all
intercommunicate with each other at the NAPs. In this way, every computer on the
Internet connects to every other.

The Function of an Internet Router
The routers determine where to send information from one computer to another.
All of these networks rely on NAPs, backbones and routers to talk to each other. What is
incredible about this process is that a message can leave one computer and travel halfway
across the world through several different networks and arrive at another computer in a
fraction of a second!
Routers are specialized computers that send your messages and those of every other
Internet user speeding to their destinations along thousands of pathways. A router has two
separate, but related, jobs:

It ensures that information doesn't go where it's not needed. This is crucial for
keeping large volumes of data from clogging the connections of "innocent
bystanders."
It makes sure that information does make it to the intended destination.

In performing these two jobs, a router is extremely useful in dealing with two separate
computer networks. It joins the two networks, passing information from one to the other.
It also protects the networks from one another, preventing the traffic on one from
unnecessarily spilling over to the other. Regardless of how many networks are attached,
the basic operation and function of the router remains the same. Since the Internet is
one huge network made up of tens of thousands of smaller networks, its use of routers is
an absolute necessity. For more information, read How Routers Work.


Internet Backbone
The National Science Foundation (NSF) created the first high-speed backbone in
1987. Called NSFNET, it was a T1 line that connected 170 smaller networks together
and operated at 1.544 Mbps (million bits per second). IBM, MCI and Merit worked with
NSF to create the backbone and developed a T3 (45 Mbps) backbone the following year.
Backbones are typically fiber optic trunk lines. The trunk line has multiple fiber optic
cables combined together to increase the capacity. Fiber optic cables are designated OC
for optical carrier, such as OC-3, OC-12 or OC-48. An OC-3 line is capable of transmitting
155 Mbps while an OC-48 can transmit 2,488 Mbps (2.488 Gbps). Compare that to a
typical 56K modem transmitting 56,000 bps and you see just how fast a modern backbone
is.
Today there are many companies that operate their own high-capacity backbones, and
all of them interconnect at various NAPs around the world. In this way, everyone on the
Internet, no matter where they are and what company they use, is able to talk to
everyone else on the planet. The entire Internet is a gigantic, sprawling agreement
between companies to intercommunicate freely.

Internet Protocol: IP Addresses


Every machine on the Internet has a unique identifying number, called an IP Address.
The IP stands for Internet Protocol, which is the language that computers use to
communicate over the Internet. A protocol is the pre-defined way that someone who
wants to use a service talks with that service. The "someone" could be a person, but
more often it is a computer program like a Web browser.
A typical IP address looks like this: 216.27.61.137.
To make it easier for us humans to remember, IP addresses are normally expressed in
decimal format as a dotted decimal number like the one above. But computers
communicate in binary form. Look at the same IP address in binary:
11011000.00011011.00111101.10001001.
The four numbers in an IP address are called octets, because they each have eight
positions when viewed in binary form. If you add all the positions together, you get 32,
which is why IP addresses are considered 32-bit numbers. Since each of the eight
positions can have two different states (1 or zero), the total number of possible
combinations per octet is 2^8 or 256. So each octet can contain any value between zero
and 255. Combine the four octets and you get 2^32 or a possible 4,294,967,296 unique
values!
Out of the almost 4.3 billion possible combinations, certain values are restricted from use
as typical IP addresses. For example, the IP address 0.0.0.0 is reserved for the default
network and the address 255.255.255.255 is used for broadcasts.
The octets serve a purpose other than simply separating the numbers. They are used to
create classes of IP addresses that can be assigned to a particular business, government
or other entity based on size and need. The octets are split into two sections: Net and
Host. The Net section always contains the first octet. It is used to identify the network
that a computer belongs to. Host (sometimes referred to as Node) identifies the actual
computer on the network. The Host section always contains the last octet. There are five
IP classes plus certain special addresses. You can learn more about IP classes at What is
an IP address?.


Internet Protocol: Domain Name System


When the Internet was in its infancy, it consisted of a small number of computers hooked
together with modems and telephone lines. You could only make connections by
providing the IP address of the computer you wanted to establish a link with. For
example, a typical IP address might be 216.27.22.162. This was fine when there were
only a few hosts out there, but it became unwieldy as more and more systems came
online.
The first solution to the problem was a simple text file maintained by the Network
Information Center that mapped names to IP addresses. Soon this text file became so
large it was too cumbersome to manage. In 1983, the University of Wisconsin created
the Domain Name System (DNS), which maps text names to IP addresses
automatically. This way you only need to remember www.howstuffworks.com, for
example, instead of HowStuffWorks.com's IP address.

URL: Uniform Resource Locator


When you use the Web or send an e-mail message, you use a domain name to do it. For
example, the Uniform Resource Locator (URL) "http://www.howstuffworks.com"
contains the domain name howstuffworks.com. So does this e-mail address:
example@howstuffworks.com. Every time you use a domain name, you use the
Internet's DNS servers to translate the human-readable domain name into the machine-readable IP address. Check out How Domain Name Servers Work for more in-depth
information on DNS.
Top-level domain names, also called first-level domain names, include .COM, .ORG,
.NET, .EDU and .GOV. Within every top-level domain there is a huge list of second-level
domains. For example, in the .COM first-level domain there is:

HowStuffWorks
Yahoo
Microsoft

Every name in the .COM top-level domain must be unique. The left-most word, like www,
is the host name. It specifies the name of a specific machine (with a specific IP address)
in a domain. A given domain can, potentially, contain millions of host names as long as
they are all unique within that domain.
DNS servers accept requests from programs and other name servers to convert domain
names into IP addresses. When a request comes in, the DNS server can do one of four
things with it:
1. It can answer the request with an IP address because it already knows the IP
address for the requested domain.
2. It can contact another DNS server and try to find the IP address for the name
requested. It may have to do this multiple times.
3. It can say, "I don't know the IP address for the domain you requested, but here's
the IP address for a DNS server that knows more than I do."
4. It can return an error message because the requested domain name is invalid or
does not exist.


A DNS Example
Let's say that you type the URL www.howstuffworks.com into your browser. The browser
contacts a DNS server to get the IP address. A DNS server would start its search for an IP
address by contacting one of the root DNS servers. The root servers know the IP
addresses for all of the DNS servers that handle the top-level domains (.COM, .NET,
.ORG, etc.). Your DNS server would ask the root for www.howstuffworks.com, and the root
would say, "I don't know the IP address for www.howstuffworks.com, but here's the IP
address for the .COM DNS server."
Your name server then sends a query to the .COM DNS server asking it if it knows the IP
address for www.howstuffworks.com. The DNS server for the COM domain knows the IP
addresses for the name servers handling the www.howstuffworks.com domain, so it
returns those.
Your name server then contacts the DNS server for www.howstuffworks.com and asks if it
knows the IP address for www.howstuffworks.com. It actually does, so it returns the IP
address to your DNS server, which returns it to the browser, which can then contact the
server for www.howstuffworks.com to get a Web page.
One of the keys to making this work is redundancy. There are multiple DNS servers at
every level, so that if one fails, there are others to handle the requests. The other key is
caching. Once a DNS server resolves a request, it caches the IP address it receives, for as
long as the time-to-live (TTL) attached to that record allows. Once it has made a request
to a root DNS server for any .COM domain, it knows the IP address for a DNS server handling
the .COM domain, so it doesn't have to bug the root DNS servers again for that information.
DNS servers can do this for every request, and this caching helps to keep things from
bogging down.
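The walk through root, .COM and the howstuffworks.com name server described above, together with the caching that follows it, as an added example in Python that is not part of the original article. The zone data, the three server addresses and the referral format are constructed stand-ins (RFC 5737 documentation addresses), not the real servers or records for howstuffworks.com:

```python
# Added example (not HowStuffWorks code): a toy iterative resolver that walks
# root -> TLD -> authoritative servers by following referrals, caches what it
# learns, and reports "does not exist" when no server is authoritative.
# All zone data and addresses below are constructed for the example
# (RFC 5737 documentation ranges), not real howstuffworks.com data.

from typing import Dict, List, Optional, Tuple

ROOT_IP = "192.0.2.1"   # stand-in for a root server
COM_IP = "192.0.2.2"    # stand-in for a .COM server
HSW_IP = "192.0.2.3"    # stand-in for the howstuffworks.com name server

# Each "server" holds the records it is authoritative for as (name, type, value).
# NS records delegate a zone to a server by name; the matching A record is the
# "glue" that lets the resolver actually reach that server.
ZONES: Dict[str, List[Tuple[str, str, str]]] = {
    ROOT_IP: [
        ("com.", "NS", "a.gtld.example."),
        ("a.gtld.example.", "A", COM_IP),
    ],
    COM_IP: [
        ("howstuffworks.com.", "NS", "ns1.howstuffworks.example."),
        ("ns1.howstuffworks.example.", "A", HSW_IP),
    ],
    HSW_IP: [
        ("howstuffworks.com.", "A", "203.0.113.10"),
        ("www.howstuffworks.com.", "A", "203.0.113.10"),
    ],
}

Reply = Tuple[str, Optional[str], Optional[str]]  # (kind, value, delegated zone)

def ask(server_ip: str, qname: str) -> Reply:
    """One query to one server. Mirrors the outcomes in the text:
    ("answer", ip, None)        - it knows the address
    ("referral", ns_ip, zone)   - "ask this server, it knows more than I do"
    ("nxdomain", None, None)    - the name does not exist here"""
    records = ZONES[server_ip]
    for name, rtype, value in records:
        if name == qname and rtype == "A":
            return ("answer", value, None)
    labels = qname.split(".")
    for i in range(1, len(labels)):              # most specific suffix first
        zone = ".".join(labels[i:])               # "howstuffworks.com.", "com.", ""
        for name, rtype, ns_name in records:
            if name == zone and rtype == "NS":
                glue = next(v for n, t, v in records if n == ns_name and t == "A")
                return ("referral", glue, zone)
    return ("nxdomain", None, None)

class Resolver:
    """The 'DNS server' your browser talks to: follows referrals and caches."""

    def __init__(self) -> None:
        self.answers: Dict[str, str] = {}      # name -> IP
        self.delegations: Dict[str, str] = {}  # zone -> server IP (skips the root next time)
        self.queries_sent = 0

    def _best_start(self, qname: str) -> str:
        labels = qname.split(".")
        for i in range(len(labels)):             # most specific cached zone first
            zone = ".".join(labels[i:])
            if zone in self.delegations:
                return self.delegations[zone]
        return ROOT_IP

    def resolve(self, qname: str, max_referrals: int = 8) -> Optional[str]:
        if qname in self.answers:                 # option 1: already known
            return self.answers[qname]
        server = self._best_start(qname)
        for _ in range(max_referrals):
            self.queries_sent += 1
            kind, value, zone = ask(server, qname)
            if kind == "answer":
                self.answers[qname] = value
                return value
            if kind == "nxdomain":                # option 4
                return None
            self.delegations[zone] = value        # option 3: remember the referral
            server = value                        # option 2: ask the next server
        raise RuntimeError("too many referrals for " + qname)

if __name__ == "__main__":
    r = Resolver()
    print(r.resolve("www.howstuffworks.com."), r.queries_sent)  # 3 queries: root, .COM, hsw
    print(r.resolve("howstuffworks.com."), r.queries_sent)      # 1 more: cached delegation
    print(r.resolve("nothing.net."), r.queries_sent)            # None: no .net delegation here
```

The first lookup costs three queries (root, .COM, the howstuffworks.com server); the second reuses the cached delegation and goes straight to the authoritative server; a name nobody is authoritative for comes back as None. The `max_referrals` bound is the one check a real resolver must not omit, since a misconfigured zone can refer a resolver around in a loop.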
Even though it is totally invisible, DNS servers handle billions of requests every day and
they are essential to the Internet's smooth functioning. The fact that this distributed
database works so well and so invisibly day in and day out is a testimony to the design.
Be sure to read How Domain Name Servers Work for more information on DNS.

Internet Servers and Clients


Internet servers make the Internet possible. Machines on the Internet act as servers, as
clients, or as both: the machines that provide services to other machines are servers, and
the machines that are used to connect to those services are clients. There are Web
servers, e-mail servers, FTP servers and so on serving the needs of Internet users all over
the world.
When you connect to www.howstuffworks.com to read a page, you are a user sitting at a
client's machine. You are accessing the HowStuffWorks Web server. The server machine
finds the page you requested and sends it to you. Clients that come to a server machine
do so with a specific intent, so clients direct their requests to a specific software server
running on the server machine. For example, if you are running a Web browser on your
machine, it will want to talk to the Web server on the server machine, not the e-mail
server.
A server has a static IP address that does not normally change. A home machine that is
dialing up through a modem, on the other hand, typically has an IP address assigned by
the ISP every time you dial in. That IP address is unique for your session -- it may be
different the next time you dial in. This way, an ISP only needs one IP address for each
modem it supports, rather than one for each customer.


Ports and HTTP


Any server machine makes its services available using numbered ports -- one for each
service that is available on the server. For example, if a server machine is running a Web
server and a file transfer protocol (FTP) server, the Web server would typically be
available on port 80, and the FTP server would be available on port 21. Clients connect to
a service at a specific IP address and on a specific port number.
Once a client has connected to a service on a particular port, it accesses the service
using a specific protocol. Protocols are often text and simply describe how the client and
server will have their conversation. Every Web server on the Internet conforms to the
hypertext transfer protocol (HTTP). You can learn more about Internet servers, ports
and protocols by reading How Web Servers Work.
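As an added example (not code from the article), here is a complete HTTP/1.0 exchange in Python showing both sides of the text conversation: a minimal server bound to a loopback port that the operating system picks, and a client that connects to that IP address and port, sends the text request, and parses the text reply. The server, the single page it serves and the port choice are constructed for the example.

```python
# Added example (not HowStuffWorks code): one HTTP/1.0 request and response on a
# loopback port, both sides written out. The server, its page and the port
# (0 = let the OS pick a free one) are constructed for the example.

import socket
import threading
from typing import Dict, Tuple

def serve_one(listener: socket.socket) -> None:
    """Accept one connection, parse the request line, answer, close."""
    conn, _ = listener.accept()
    with conn:
        data = b""
        while b"\r\n\r\n" not in data:        # headers end at a blank line
            chunk = conn.recv(4096)
            if not chunk:
                return
            data += chunk
        request_line = data.split(b"\r\n", 1)[0].decode("ascii", "replace")
        method, path, _version = request_line.split(" ", 2)
        if method == "GET" and path == "/":
            status, body = "200 OK", b"<html>hello</html>"
        else:
            status, body = "404 Not Found", b"not found"
        conn.sendall(
            (f"HTTP/1.0 {status}\r\nContent-Type: text/html\r\n"
             f"Content-Length: {len(body)}\r\n\r\n").encode("ascii") + body)

def http_get(host: str, port: int, path: str) -> Tuple[int, Dict[str, str], bytes]:
    """Client side: connect to host:port, send a text request, parse the reply."""
    with socket.create_connection((host, port), timeout=5) as s:
        s.sendall(f"GET {path} HTTP/1.0\r\nHost: {host}\r\n\r\n".encode("ascii"))
        raw = b""
        while True:                           # HTTP/1.0: server closes when done
            chunk = s.recv(4096)
            if not chunk:
                break
            raw += chunk
    head, body = raw.split(b"\r\n\r\n", 1)
    lines = head.decode("ascii", "replace").split("\r\n")
    status = int(lines[0].split(" ", 2)[1])   # "HTTP/1.0 200 OK" -> 200
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body

def exchange(path: str = "/") -> Tuple[int, bytes]:
    """Run server and client on one loopback port; return status and body."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))           # port 0: the OS assigns a free port
    listener.listen(1)
    port = listener.getsockname()[1]
    t = threading.Thread(target=serve_one, args=(listener,), daemon=True)
    t.start()
    status, headers, body = http_get("127.0.0.1", port, path)
    t.join(5)
    listener.close()
    assert int(headers["content-length"]) == len(body)   # body arrived intact
    return status, body

if __name__ == "__main__":
    print(exchange("/"))
    print(exchange("/missing"))
```

A real Web server would bind port 80, which needs privileges on Unix systems; port 0 lets the OS hand out a free high port so the example runs as an ordinary user. Everything that crosses the socket is readable text, which is why a packet capture of plain HTTP shows the whole conversation.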
Networks, routers, NAPs, ISPs, DNS and powerful servers all make the Internet possible. It
is truly amazing when you realize that all this information is sent around the world in a
matter of milliseconds! The components are extremely important in modern life -- without
them, there would be no Internet. And without the Internet, life would be very different
indeed for many of us.


How Routers Work


by Curt Franklin

The Internet is one of the 20th century's greatest communications developments. It
allows people around the world to send e-mail to one another in a matter of seconds, and
it lets you read, among other things, the articles on HowStuffWorks.com.
We're all used to seeing the various parts of the Internet that come into our homes and
offices -- the Web pages, e-mail messages and downloaded files that make the Internet a
dynamic and valuable medium. But none of these parts would ever make it to your
computer without a piece of the Internet that you've probably never seen. In fact, most
people have never stood "face to machine" with the technology most responsible for
allowing the Internet to exist at all: the router.

Keeping the Messages Moving
When you send e-mail to a friend on the other side of the country, how does the message
know to end up on your friend's computer, rather than on one of the millions of other
computers in the world? Much of the work to get a message from one computer to another is
done by routers, because they're the crucial devices that let messages flow between
networks, rather than within networks.
Let's look at what a very simple router might do. Imagine a small company that makes
animated 3-D graphics for local television stations. There are 10 employees of the
company, each with a computer. Four of the employees are animators, while the rest are in
sales, accounting and management. The animators will need to send lots of very large files
back and forth to one another as they work on projects. To do this, they'll use a network.
When one animator sends a file to another, the very large file will use up most of the
network's capacity, making the network run very slowly for other users. One of the
reasons that a single intensive user can affect the entire network stems from the way
that shared Ethernet works. On a hub-based (shared) Ethernet segment, each information
packet sent from a computer is seen by all the other computers on the local network. Each
computer then examines the packet and decides whether it was meant for its address. (A
modern Ethernet switch delivers each frame only to the port that owns the destination
address, so this flooding is a property of hubs and shared media rather than of switched
networks.) This keeps the basic plan of the network simple, but has performance
consequences as the size of the network or level of network activity increases. To keep the
animators' work from interfering with that of the folks in the front office, the company
sets up two separate networks, one for the animators and one for the rest of the company.
A router links the two networks and connects both networks to the Internet.


Directing Traffic
The router is the only device that sees every message sent by any computer on either of
the company's networks. When the animator in our example sends a huge file to another
animator, the router looks at the recipient's address and keeps the traffic on the
animator's network. When an animator, on the other hand, sends a message to the
bookkeeper asking about an expense-account check, then the router sees the recipient's
address and forwards the message between the two networks.
One of the tools a router uses to decide where a packet should go is a configuration
table. A configuration table is a collection of information, including:
- Information on which connections lead to particular groups of addresses
- Priorities for connections to be used
- Rules for handling both routine and special cases of traffic

A configuration table can be as simple as a half-dozen lines in the smallest routers, but
can grow to massive size and complexity in the very large routers that handle the bulk of
Internet messages.
A router, then, has two separate but related jobs:
- The router ensures that information doesn't go where it's not needed. This is crucial
  for keeping large volumes of data from clogging the connections of "innocent bystanders."
- The router makes sure that information does make it to the intended destination.

In performing these two jobs, a router is extremely useful in dealing with two separate
computer networks. It joins the two networks, passing information from one to the other
and, in some cases, performing translations of various protocols between the two
networks. It also protects the networks from one another, preventing the traffic on one
from unnecessarily spilling over to the other. As the number of networks attached to one
another grows, the configuration table for handling traffic among them grows, and the
processing power of the router is increased. Regardless of how many networks are
attached, though, the basic operation and function of the router remains the same. Since
the Internet is one huge network made up of tens of thousands of smaller networks, its
use of routers is an absolute necessity.

Transmitting Packets
When you make a telephone call to someone on the other side of the country, the telephone
system establishes a stable circuit between your telephone and the telephone you're
calling. The circuit might involve a half dozen or more steps through copper cables,
switches, fiber optics, microwaves and satellites, but those steps are established and
remain constant for the duration of the call. This circuit approach means that the quality
of the line between you and the person you're calling is consistent throughout the call,
but a problem with any portion of the circuit -- maybe a tree falls across one of the lines
used, or there's a power problem with a switch -- brings your call to an early and abrupt
end. When you send an e-mail message with an attachment to the other side of the country,
a very different process is used.
Internet data, whether in the form of a Web page, a downloaded file or an e-mail
message, travels over a system known as a packet-switching network. In this system,
the data in a message or file is broken up into packages about 1,500 bytes long. Each of
these packages gets a wrapper that includes information on the sender's address, the
receiver's address, the package's place in the entire message, and how the receiving
computer can be sure that the package arrived intact. Each data package, called a
packet, is then sent off to its destination via the best available route -- a route that
might be taken by all the other packets in the message or by none of the other packets
in the message. This might seem very complicated compared to the circuit approach
used by the telephone system, but in a network designed for data there are two huge
advantages to the packet-switching plan.

- The network can balance the load across various pieces of equipment on a
  millisecond-by-millisecond basis.
- If there is a problem with one piece of equipment in the network while a message is
  being transferred, packets can be routed around the problem, ensuring the delivery of
  the entire message.

The Path of a Packet


The routers that make up the main part of the Internet can reconfigure the paths that
packets take because they look at the information surrounding the data packet, and they
tell each other about line conditions, such as delays in receiving and sending data and
traffic on various pieces of the network. Not all routers do so many jobs, however.
Routers come in different sizes. For example:

- If you have enabled Internet connection sharing between two Windows 98-based
  computers, you're using one of the computers (the computer with the Internet
  connection) as a simple router. In this instance, the router does so little -- simply
  looking at data to see whether it's intended for one computer or the other -- that it
  can operate in the background of the system without significantly affecting the other
  programs you might be running.
- Slightly larger routers, the sort used to connect a small office network to the
  Internet, will do a bit more. These routers frequently enforce rules concerning security
  for the office network (trying to secure the network from certain attacks). They handle
  enough traffic that they're generally stand-alone devices rather than software running
  on a server.
- The largest routers, those used to handle data at the major traffic points on the
  Internet, handle millions of data packets every second and work to configure the
  network most efficiently. These routers are large stand-alone systems that have far more
  in common with supercomputers than with your office server.


Routing Packets: An Example


Let's take a look at a medium-sized router -- the router we use in the HowStuffWorks
office. In our case, the router only has two networks to worry about: The office network,
with about 50 computers and devices, and the Internet. The office network connects to
the router through an Ethernet connection, specifically a 100 base-T connection (100
base-T means that the connection is 100 megabits per second, and uses a twisted-pair
cable like an 8-wire version of the cable that connects your telephone to the wall jack).
There are two connections between the router and our ISP (Internet service provider).
One is a T-1 connection that supports 1.5 megabits per second. The other is an ISDN line
that supports 128 kilobits per second. The configuration table in the router tells it that all
out-bound packets are to use the T-1 line, unless it's unavailable for some reason
(perhaps a backhoe digs up the cable). If it can't be used, then outbound traffic goes on
the ISDN line. This way, the ISDN line is held as "insurance" against a problem with the
faster T-1 connection, and no action by a staff member is required to make the switch in
case of trouble. The router's configuration table knows what to do.
In addition to routing packets from one point to another, the HowStuffWorks router has
rules limiting how computers from outside the network can connect to computers inside
the network, how the HowStuffWorks network appears to the outside world, and other
security functions. While most companies also have a special piece of hardware or
software called a firewall to enforce security, the rules in a router's configuration table
are important to keeping a company's (or family's) network secure.
One of the crucial tasks for any router is knowing when a packet of information stays on
its local network. For this, it uses a mechanism called a subnet mask. The subnet mask
looks like an IP address and commonly reads "255.255.255.0" (written /24 in CIDR
notation). Each 1 bit in the mask marks a bit of the address that belongs to the network
part, so this mask tells the router that all messages with the sender and receiver having
an address sharing the first three groups of numbers are on the same network, and
shouldn't be sent out to another network. Here's an example: The computer at address
15.57.31.40 sends a request to the computer at 15.57.31.52. The router, which sees all the
packets, masks both addresses and finds that the first three groups match (15.57.31), so it
keeps the packet on the local network. (You'll learn more about how the addresses work in
the next section.)
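The subnet-mask test just described, plus the T-1/ISDN failover from the HowStuffWorks router above, as an added Python example that is not part of the article. It generalises the two-row table in the text to a small configuration table with longest-prefix matching and a per-link cost; the addresses, interface names, costs and the table itself are constructed:

```python
# Added example (not HowStuffWorks code): the subnet-mask test from the text plus
# a small configuration table with longest-prefix matching and a backup link,
# the way a router picks an outgoing connection. Addresses, interface names,
# costs and the table itself are constructed for the example.

import ipaddress
from typing import List, Optional, Set, Tuple

Route = Tuple[ipaddress.IPv4Network, str, int]   # (destination network, interface, cost)

def same_network(a: str, b: str, mask: str = "255.255.255.0") -> bool:
    """AND both addresses with the mask; equal results mean the same network."""
    m = int(ipaddress.IPv4Address(mask))
    return (int(ipaddress.IPv4Address(a)) & m) == (int(ipaddress.IPv4Address(b)) & m)

# 0.0.0.0/0 matches everything and is the "send it to the ISP" default; the
# ISDN row has a higher cost, so it is chosen only when the T-1 is down.
ROUTES: List[Route] = [
    (ipaddress.ip_network("15.57.31.0/24"), "eth0 (office LAN)", 0),
    (ipaddress.ip_network("0.0.0.0/0"), "t1 (ISP)", 10),
    (ipaddress.ip_network("0.0.0.0/0"), "isdn (ISP backup)", 100),
]

def next_hop(dst: str, down: Optional[Set[str]] = None,
             routes: List[Route] = ROUTES) -> Optional[str]:
    """Pick the interface for a destination: the most specific matching row wins
    (longest prefix); among equally specific rows the cheapest link that is
    still up wins. None means there is no usable route."""
    down = down or set()
    ip = ipaddress.ip_address(dst)
    candidates = [(net.prefixlen, -cost, iface)
                  for net, iface, cost in routes
                  if ip in net and iface not in down]
    if not candidates:
        return None
    _, _, iface = max(candidates)          # longest prefix, then lowest cost
    return iface

def forward(src: str, dst: str, down: Optional[Set[str]] = None) -> str:
    """The decision for one packet, in the terms used in the text."""
    if same_network(src, dst):
        return "stay on local network"
    hop = next_hop(dst, down)
    return "no route, drop" if hop is None else "forward via " + hop

if __name__ == "__main__":
    print(forward("15.57.31.40", "15.57.31.52"))                    # stays local
    print(forward("15.57.31.40", "203.0.113.10"))                   # T-1
    print(forward("15.57.31.40", "203.0.113.10", down={"t1 (ISP)"}))  # ISDN takes over
```

The "backhoe digs up the cable" case in the text is the `down` set: marking the T-1 unavailable makes the same lookup return the ISDN interface with no operator action, and marking both down yields no route at all, which is the condition a router reports as unreachable.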
Between the time these words left the Howstuffworks.com server and the time they
showed up on your monitor, they passed through several routers (it's impossible to know
ahead of time exactly how many "several" might be) that helped them along the way. It's
very similar to the process that gets a postal letter from your mailbox to the mailbox of a
friend, with routers taking the place of the mail sorters and handlers along the way.

Knowing Where to Send Data


Routers are one of several types of devices that make up the "plumbing" of a computer
network. Hubs, switches and routers all take signals from computers or networks and
pass them along to other computers and networks, but a router is the only one of these
devices that examines each bundle of data as it passes and makes a decision about
exactly where it should go. To make these decisions, routers must first know about two
kinds of information: addresses and network structure.
When a friend mails a birthday card to be delivered to you at your house, he probably
uses an address that looks something like this:

    Joe Smith
    123 Maple Street
    Smalltown, FL 45678

The address has several pieces, each of which helps the people in the postal service
move the letter along to your house. The ZIP code can speed the process up; but even
without the ZIP code, the card will get to your house as long as your friend includes your
state, city and street address. You can think of this address as a logical address
because it describes a way someone can get a message to you. This logical address is
connected to a physical address that you generally only see when you're buying or
selling a piece of property. The survey plot of the land and house, with latitude, longitude
or section bearings, gives the legal description, or address, of the property.

Logical Addresses
Every piece of equipment that connects to a network, whether an office network or the
Internet, has a physical address. This is an address that's unique to the piece of
equipment that's actually attached to the network cable. For example, if your desktop
computer has a network interface card (NIC) in it, the NIC has a physical address
stored in a special memory location by its manufacturer. This physical address, which is
also called the MAC address (for Media Access Control), has two parts, each 3 bytes long.
The first 3 bytes identify the company that made the NIC (the organizationally unique
identifier, or OUI). The second 3 bytes are the serial number of the NIC itself. Most
operating systems and drivers let the burned-in value be overridden in software, so a MAC
address identifies hardware only by convention and should not be treated as proof of who
is on the wire.
The interesting thing is that your computer can have several logical addresses at the
same time. Of course, you're used to having several "logical addresses" bring messages
to one physical address. Your mailing address, telephone number (or numbers) and home
e-mail address all work to bring messages to you when you're in your house. They are
simply used for different types of messages -- different networks, so to speak.
Logical addresses for computer networks work in exactly the same way. You may be
using the addressing schemes, or protocols, from several different types of networks
simultaneously. If you're connected to the Internet (and if you're reading this, you
probably are), then you have an address that's part of the TCP/IP network protocol. If you
also have a small network set up to exchange files between several family computers,
then you may also be using the Microsoft NetBEUI protocol. If you connect to your
company's network from home, then your computer may have an address that follows
Novell's IPX/SPX protocol. All of these can coexist on your computer. Since the driver
software that allows your computer to communicate with each network uses resources
like memory and CPU time, you don't want to load protocols you won't need, but there's
no problem with having all the protocols your work requires running at the same time.
On the next page, you'll learn how to find your computer's MAC address.

MAC Addresses
The chances are very good that you'll never see the MAC address for any of your
equipment because the software that helps your computer communicate with a network
takes care of matching the MAC address to a logical address. The logical address is what
the network uses to pass information along to your computer.
If you'd like to see the MAC address and logical address used by the Internet Protocol (IP)
for your Windows computer, you can run a small program that Microsoft provides. Go to
the "Start" menu, click on "Run," and in the window that appears, type WINIPCFG
(IPCONFIG /ALL at a command prompt for Windows 2000/XP). When the gray window appears,
click on "More Info" and you'll get this sort of information:

    Windows 98 IP Configuration:
    Host Name: NAMEHOWSTUFFWORKS
    DNS Servers: 208.153.64.20
                 208.153.0.5
    Node Type: Broadcast
    NetBIOS Scope ID:
    IP Routing Enabled: Yes
    WINS Proxy Enabled: No
    NetBIOS Resolution Uses DNS: No
    Ethernet adapter:
    Description: PPP Adapter
    Physical Address: 44-45-53-54-12-34
    DHCP Enabled: Yes
    IP Address: 227.78.86.288
    Subnet Mask: 255.255.255.0
    Default Gateway: 227.78.86.288
    DHCP Server: 255.255.255.255
    Primary WINS Server:
    Secondary WINS Server:
    Lease Obtained: 01 01 80 12:00:00 AM
    Lease Expires: 01 01 80 12:00:00 AM
There's a lot of information here that will vary depending on exactly how your connection
to the Internet is established, but the physical address is the MAC address of the adapter
queried by the program. The IP address is the logical address assigned to your
connection by your ISP or network administrator. You'll see the addresses of other
servers, including the DNS servers that keep track of all the names of Internet sites (so
you can type "www.howstuffworks.com" rather than "216.27.61.189") and the gateway
server that you connect to in order to reach the Internet. When you've finished looking at
the information, click OK. (Note: For security reasons, some of the information about this
connection to the Internet has been changed, which is why the IP address shown is not
even a valid one. You should be very careful about giving your computer's information to
other people -- with your address and the right tools, an unscrupulous person could, in
some circumstances, gain access to your personal information and control your system
through a "Trojan Horse" program.)

Understanding the Protocols


The first and most basic job of the router is to know where to send information addressed
to your computer. Just as the mail handler on the other side of the country knows enough
to keep a birthday card coming toward you without knowing where your house is, most
of the routers that forward an e-mail message to you don't know your computer's MAC
address, but they know enough to keep the message flowing.
Routers are programmed to understand the most common network protocols. That
means they know the format of the addresses, how many bytes are in the basic package
of data sent out over the network, and how to make sure all the packages reach their
destination and get reassembled. For the routers that are part of the Internet's main
"backbone," this means looking at, and moving on, millions of information packages
every second. And simply moving the package along to its destination isn't all that a
router will do. It's just as important, in today's computerized world, that they keep the
message flowing by the best possible route.

In a modern network, every e-mail message is broken up into small pieces. The pieces
are sent individually and reassembled when they're received at their final destination.
Because the individual pieces of information are called packets and each packet can be
sent along a different path, like a train going through a set of switches, this kind of
network is called a packet-switched network. It means that you don't have to build a
dedicated network between you and your friend on the other side of the country. Your
e-mail flows over any one of thousands of different routes to get from one computer to the
other.
Depending on the time of day and day of the week, some parts of the huge public
packet-switched network may be busier than others. When this happens, the routers that
make up this system will communicate with one another so that traffic not bound for the
crowded area can be sent by less congested network routes. This lets the network
function at full capacity without excessively burdening already-busy areas. You can see,
though, how Denial of Service attacks (described in the next section), in which people
send millions and millions of messages to a particular server, will affect that server and
the routers forwarding messages to it. As the messages pile up and pieces of the network
become congested, more and more routers send out the message that they're busy, and the
entire network with all its users can be affected.

Tracing a Message
If you're using a Microsoft Windows-based system, you can see just how many routers are
involved in your Internet traffic by using a program you have on your computer. The
program is called Traceroute, and that describes what it does -- it traces the route that a
packet of information takes to get from your computer to another computer connected to
the Internet. To run this program, click on the "MS-DOS Prompt" icon on the "Start" menu.
Then, at the "C:\WINDOWS>" prompt, type "tracert www.howstuffworks.com". When I did this
from my office in Florida, the results looked like this:
The first number shows how many routers are between your computer and the router
shown. In this instance, there were a total of 14 routers involved in the process (number
15 is the Howstuffworks.com Web server). The next three numbers show how long it
takes a packet of information to move from your computer to the router shown and back
again. Next, in this example, starting with step six, comes the "name" of the router or
server. This is something that helps people looking at the list but is of no importance to
the routers and computers as they move traffic along the Internet. Finally, you see the
Internet Protocol (IP) address of each computer or router. The final picture of this trace
route shows that there were 14 routers between the Web server and me and that it took,
on average, a little more than 2.5 seconds for information to get from my computer to
the server and back again.
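The mechanism tracert relies on, as an added Python simulation that is not part of the article: every IP packet carries a time-to-live (TTL) that each router decrements, and a router that decrements it to zero discards the packet and sends a "time exceeded" message back, revealing its own address, so probes with TTL 1, 2, 3 and so on expose the routers in order. The path, its addresses (documentation ranges) and delays are constructed; the fourth router is set to stay silent, which shows up as "*" the way a non-responding hop does in real output:

```python
# Added example (not HowStuffWorks code): a simulation of the TTL mechanism
# that traceroute uses. The path, addresses (RFC 5737 ranges), delays and the
# one silent router are all constructed for the example.

from typing import List, Optional, Tuple

Hop = Tuple[str, float, bool]   # (address, one-way delay in ms, answers probes?)

PATH: List[Hop] = [
    ("192.0.2.1", 1.0, True),         # office router
    ("192.0.2.9", 8.0, True),         # ISP edge
    ("198.51.100.1", 14.0, True),     # ISP core
    ("198.51.100.77", 30.0, False),   # peering router that drops expired probes silently
    ("203.0.113.10", 42.0, True),     # the Web server being traced to
]

Probe = Tuple[str, Optional[str], Optional[float]]   # (outcome, responder, rtt in ms)

def send_probe(ttl: int, path: List[Hop] = PATH) -> Probe:
    """Forward one probe hop by hop until its TTL expires or it arrives."""
    for hop, (addr, delay, answers) in enumerate(path, start=1):
        ttl -= 1                                      # each router decrements TTL
        if ttl == 0:
            if hop == len(path):
                return ("reached", addr, 2 * delay)         # destination replied
            if not answers:
                return ("timeout", None, None)              # dropped, no message sent
            return ("time_exceeded", addr, 2 * delay)       # ICMP Time Exceeded
    return ("reached", path[-1][0], 2 * path[-1][1])       # TTL never hit zero

def traceroute(path: List[Hop] = PATH,
               max_hops: int = 30) -> List[Tuple[int, Optional[str], Optional[float]]]:
    """Send probes with TTL 1, 2, 3, ... and record who answered each one."""
    hops = []
    for ttl in range(1, max_hops + 1):
        outcome, addr, rtt = send_probe(ttl, path)
        hops.append((ttl, addr, rtt))
        if outcome == "reached":                      # destination answered: done
            break
    return hops

def format_hops(hops: List[Tuple[int, Optional[str], Optional[float]]]) -> List[str]:
    """Render like tracert: hop number, round-trip time, address."""
    return [f"{n:3d}  {'*':>8}  Request timed out." if addr is None
            else f"{n:3d}  {rtt:5.1f} ms  {addr}"
            for n, addr, rtt in hops]

if __name__ == "__main__":
    print("\n".join(format_hops(traceroute())))
```

Two practical points fall out of the simulation: a silent hop does not stop the trace, because the next probe has a larger TTL and expires one router further on; and `max_hops` is the bound that keeps the trace from running forever when the destination never answers at all.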

You can use Traceroute to see how many routers are between you and any other
computer you can name or know the IP address for. It can be interesting to see how
many steps are required to get to computers outside your nation. Since I live in the
United States, I decided to see how many routers were between my computer and the
Web server for the British Broadcasting Corporation. At the C:\WINDOWS> prompt, I
typed tracert www.bbc.com. The result was this:

You can see that it took only one more step to reach a Web server on the other side of
the Atlantic Ocean than it did to reach a server two states away!
On the next page, we'll go into detail about Denial of Service attacks.

Denial of Service Attacks


In the first quarter of 2000, there were several attacks on very popular Web sites. Most of
these were "Denial of Service" attacks -- attacks that served to prevent regular readers
and customers of the sites from getting a response to their requests. How did someone
manage to do this? They did it by flooding the servers, and their attached routers, with
requests for information at a rate far too great for the system to handle.
Routers can be given rules in the configuration table that won't allow millions of requests
from the same sending address. If too many requests from one address are received in a
short period of time, the router simply discards them without forwarding. The people
responsible for the attacks knew this, so they illicitly planted programs on many different
computers. These programs, when triggered, began sending thousands of requests a
minute to one or more Web sites. The programs "spoofed" the IP address of the sender,
placing a different false IP address on each packet so that the routers' security rules,
which key on the source address, wouldn't be triggered.
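The per-source rule described above, and the reason spoofing defeats it, as an added Python example that is not part of the article. The limiter forwards at most a fixed number of packets per source address per time window; it is run over two constructed floods of the same size and rate, one honestly marked from a single host and one carrying a different forged source on every packet. The limit, window, addresses and packet streams are all made up:

```python
# Added example (not HowStuffWorks code): the per-source rule the text describes,
# run over two constructed floods. One flood reuses a single source address and
# is throttled; the other forges a fresh source on every packet and passes
# untouched, which is why the attackers spoofed. Limit, window, addresses and
# the packet streams are all made up for the example.

from collections import deque
from typing import Deque, Dict, Iterable, List, Tuple

Packet = Tuple[float, str]   # (arrival time in seconds, claimed source IP)

class PerSourceLimiter:
    """Forward at most `limit` packets per `window` seconds from each source,
    using a sliding window of recent arrival times per source address."""

    def __init__(self, limit: int, window: float) -> None:
        self.limit = limit
        self.window = window
        self.seen: Dict[str, Deque[float]] = {}   # one entry per distinct source

    def allow(self, t: float, src: str) -> bool:
        q = self.seen.setdefault(src, deque())
        while q and t - q[0] >= self.window:       # forget arrivals older than the window
            q.popleft()
        if len(q) >= self.limit:
            return False                           # over the limit: discard
        q.append(t)
        return True

def run(packets: Iterable[Packet], limiter: PerSourceLimiter) -> Tuple[int, int]:
    """Return (forwarded, dropped) counts for a packet stream."""
    forwarded = dropped = 0
    for t, src in packets:
        if limiter.allow(t, src):
            forwarded += 1
        else:
            dropped += 1
    return forwarded, dropped

def single_source_flood(n: int, rate_per_sec: float) -> List[Packet]:
    """n packets, evenly spaced, all honestly marked from one host."""
    return [(i / rate_per_sec, "198.51.100.7") for i in range(n)]

def spoofed_flood(n: int, rate_per_sec: float) -> List[Packet]:
    """Same rate, but every packet carries a different forged source address."""
    return [(i / rate_per_sec, f"203.0.{(i >> 8) & 255}.{i & 255}") for i in range(n)]

if __name__ == "__main__":
    print(run(single_source_flood(1000, 1000.0), PerSourceLimiter(100, 1.0)))  # (100, 900)
    print(run(spoofed_flood(1000, 1000.0), PerSourceLimiter(100, 1.0)))        # (1000, 0)
```

The spoofed flood also exposes a second weakness of the rule: the limiter keeps state for every source it has seen, so a thousand forged addresses cost it a thousand table entries. A device that keys its defences on an attacker-controlled field, the source address, is both bypassable and exhaustible, which is why defences against spoofed floods have to live elsewhere (for example at the network where the packets originate, where the true source range is known).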
When the packet floods were triggered, millions of requests for information began to hit
the targeted Web sites. While the servers were being heavily taxed by the requests, the
real impact was to the routers just "upstream" from the servers. Suddenly these routers,
which were robust but of a size appropriate for normal traffic, were getting the levels of
requests normally associated with Internet backbone routers. They couldn't handle the
massive number of packets, and began discarding packets and sending status messages
to other routers stating that the connection was full. As these messages cascaded
through the routers leading to attacked servers, all paths to the servers were clogged,
legitimate traffic couldn't get through the logjam, and the attackers' goals were
accomplished.
Web content providers and router companies have placed new rules designed to prevent
such an attack in the configuration tables, and the companies and universities whose
computers were used to launch the attacks have worked to prevent their systems being
used maliciously. One such measure is for a network to drop outgoing packets whose source
address does not belong to it, so that spoofed packets never leave the network they
originate from. Whether their defenses, or the new attacks designed by criminals, will
prevail remains to be seen.


Backbone of the Internet


In order to handle all the users of even a large private network, millions and millions of
traffic packets must be sent at the same time. Some of the largest routers are made by
Cisco Systems, Inc., a company that specializes in networking hardware. Cisco's Gigabit
Switch Router 12000 series of routers is the sort of equipment that is used on the
backbone of the Internet. These routers use the same sort of design as some of the most
powerful supercomputers in the world, a design that ties many different processors
together with a series of extremely fast switches. The 12000 series uses 200-MHz MIPS
R5000 processors, the same type of processor used in the workstations that generate
much of the computer animation and special effects used in movies. The largest model
in the 12000 series, the 12016, uses a series of switches that can handle up to 320
billion bits of information per second and, when fully loaded with boards, move as
many as 60 million packets of data every second. Beyond the computing power of
the processors, these routers can handle so much information because they are very
highly specialized. Relieved of the burden of displaying 3-D graphics and waiting for
mouse input, modern processors and software can cope with amazing amounts of
information.
Even with the computing power available in a very large router, how does it know which
of the many possibilities for outbound connection a particular packet should take? The
answer lies back in the configuration table. The router will scan the destination address
and match that IP address against rules in the configuration table. The rules will say that
packets in a particular group of addresses (a group that may be large or small,
depending on precisely where the router is) should go in a specific direction. Next the
router will check the performance of the primary connection in that direction against
another set of rules. If the performance of the connection is good enough, the packet is
sent, and the next packet handled. If the connection is not performing up to expected
parameters, then an alternate is chosen and checked. Finally, a connection will be found
with the best performance at a given moment, and the packet will be sent on its way. All
of this happens in a tiny fraction of a second, and this activity goes on millions of times a
second, around the world, 24 hours every day.
Knowing where and how to send a message is the most important job of a router. Some
simple routers do this and nothing more. Other routers add additional functions to the
jobs they perform. Rules about where messages from inside a company may be sent and
from which companies messages are accepted can be applied to some routers. Others
may have rules that help minimize the damage from "denial of service" attacks. The one
constant is that modern networks, including the Internet, could not exist without the
router.


How Firewalls Work


by Jeff Tyson

If you have been using the Internet for any length of time, and especially if you work at a
larger company and browse the Web while you are at work, you have probably heard the
term firewall used. For example, you often hear people in companies say things like, "I
can't use that site because they won't let it through the firewall."

Firewalls have helped protect computers in large companies for years. Now, they're a
critical component of home networks, as well.

If you have a fast Internet connection into your home (either a DSL connection or a cable
modem), you may have found yourself hearing about firewalls for your home network as
well. It turns out that a small home network has many of the same security issues that a
large corporate network does. You can use a firewall to protect your home network and
family from offensive Web sites and potential hackers.
Basically, a firewall is a barrier to keep destructive forces away from your property. In
fact, that's why it's called a firewall. Its job is similar to a physical firewall that keeps a
fire from spreading from one area to the next. As you read through this article, you will
learn more about firewalls, how they work and what kinds of threats they can protect you
from.

What Firewall Software Does


A firewall is simply a program or hardware device that filters the information coming
through the Internet connection into your private network or computer system. If an
incoming packet of information is flagged by the filters, it is not allowed through.
If you have read the article How Web Servers Work, then you know a good bit about how
data moves on the Internet, and you can easily see how a firewall helps protect
computers inside a large company. Let's say that you work at a company with 500
employees. The company will therefore have hundreds of computers that all have
network cards connecting them together. In addition, the company will have one or more
connections to the Internet through something like T1 or T3 lines. Without a firewall in
place, all of those hundreds of computers are directly accessible to anyone on the
Internet. A person who knows what he or she is doing can probe those computers, try to
make FTP connections to them, try to make telnet connections to them and so on. If one
employee makes a mistake and leaves a security hole, hackers can get to the machine
and exploit the hole.

With a firewall in place, the landscape is much different. A company will place a firewall
at every connection to the Internet (for example, at every T1 line coming into the
company). The firewall can implement security rules. For example, one of the security
rules inside the company might be:
Out of the 500 computers inside this company, only one of them is permitted to receive
public FTP traffic. Allow FTP connections only to that one computer and prevent them on
all others.

A company can set up rules like this for FTP servers, Web servers, Telnet servers and so
on. In addition, the company can control how employees connect to Web sites, whether
files are allowed to leave the company over the network and so on. A firewall gives a
company tremendous control over how people use the network.
Firewalls use one or more of three methods to control traffic flowing in and out of the
network:

Packet filtering - Packets (small chunks of data) are analyzed one at a time against a set of filters on their header fields, such as source and destination address, protocol and port. Packets that make it through the filters are sent on to the requesting system and all others are discarded.
Proxy service - Information from the Internet is retrieved by the firewall on behalf of the requesting system and then sent to it, and vice versa; the inside machine never talks to the outside host directly.
Stateful inspection - A newer method that doesn't examine the full contents of each packet but instead keeps track of the connections it has seen. When information travels from inside the firewall to the outside, the firewall records the connection's defining characteristics (addresses, ports, protocol) in a state table, and incoming information is then compared to that table. If a packet belongs to a connection that was opened from inside, it is allowed through. Otherwise it is discarded, unless a rule explicitly permits it.
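To make the difference between the first and third methods concrete, here is a small simulation of a packet filter and a stateful inspection firewall handling the same traffic. It is an added example, not code from the original article; the addresses (10.0.0.0/24 as the company LAN, 10.0.0.5 as the one public FTP server, 198.51.100.10 and 203.0.113.9 as outside hosts) and the rules are assumptions chosen for the demonstration.

```python
"""Packet filtering versus stateful inspection, simulated on constructed packets.
Added example, not from the original article. All addresses and rules are assumed."""
from dataclasses import dataclass

INSIDE_PREFIX = "10.0.0."     # assumed company LAN
FTP_SERVER = "10.0.0.5"       # the one host allowed to receive public FTP


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"
    syn: bool = False          # TCP SYN flag: set on the first packet of a new connection


def is_inside(ip: str) -> bool:
    return ip.startswith(INSIDE_PREFIX)


def stateless_filter(pkt: Packet) -> bool:
    """Packet filtering: every packet is judged on its own header fields.
    Because the filter has no memory, the only way to let replies to inside
    clients back in is to open the whole range of client ports, which also
    lets an outsider connect to anything listening on those ports."""
    if is_inside(pkt.src):
        return True                                    # all outbound traffic
    if pkt.proto == "tcp" and pkt.dst == FTP_SERVER and pkt.dport == 21:
        return True                                    # public FTP, one host only
    if pkt.proto == "tcp" and pkt.dport >= 1024:
        return True                                    # hoped to be replies to inside clients
    return False                                       # default deny


class StatefulFirewall:
    """Stateful inspection: remember connections opened from inside and admit
    only packets that belong to one of them (or match an explicit allow rule)."""

    def __init__(self) -> None:
        self.connections: set[tuple] = set()           # 5-tuples seen leaving the network

    def filter(self, pkt: Packet) -> bool:
        forward = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reverse = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if is_inside(pkt.src) and not is_inside(pkt.dst):
            self.connections.add(forward)              # outbound: record the connection
            return True
        if reverse in self.connections:
            return True                                # reply to a known outbound connection
        if pkt.proto == "tcp" and pkt.syn and pkt.dst == FTP_SERVER and pkt.dport == 21:
            self.connections.add(forward)              # the one permitted inbound service
            return True
        return False                                   # unsolicited inbound: drop


def run_scenario() -> dict:
    """Constructed traffic: an inside client browsing out, the reply coming back,
    a scanner probing a client port from outside, and FTP to two inside hosts.
    Each value is (stateless verdict, stateful verdict), True meaning 'allow'."""
    traffic = [
        ("client_out", Packet("10.0.0.7", 51000, "198.51.100.10", 80, syn=True)),
        ("reply_in",   Packet("198.51.100.10", 80, "10.0.0.7", 51000)),
        ("probe_in",   Packet("203.0.113.9", 4444, "10.0.0.7", 3389, syn=True)),  # unsolicited RDP probe
        ("ftp_ok",     Packet("203.0.113.9", 4445, FTP_SERVER, 21, syn=True)),
        ("ftp_other",  Packet("203.0.113.9", 4446, "10.0.0.8", 21, syn=True)),
    ]
    fw = StatefulFirewall()
    return {name: (stateless_filter(pkt), fw.filter(pkt)) for name, pkt in traffic}


if __name__ == "__main__":
    for name, (stateless, stateful) in run_scenario().items():
        print(f"{name:11s} stateless={'allow' if stateless else 'drop':5s} "
              f"stateful={'allow' if stateful else 'drop'}")
```

The probe of port 3389 is the line that differs: the stateless filter has to leave high ports open so replies can come back at all, while the stateful firewall admits only packets that match a connection it saw leave.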

Firewall Configuration
Firewalls are customizable. This means that you can add or remove filters based on
several conditions. Some of these are:
IP addresses - Each machine on the Internet is assigned a unique address called an IP
address. IP addresses are 32-bit numbers, normally expressed as four "octets" in a
"dotted decimal number." A typical IP address looks like this: 216.27.61.137. For
example, if a certain IP address outside the company is reading too many files from a
server, the firewall can block all traffic to or from that IP address.
Domain names - Because it is hard to remember the string of numbers that make up an IP address, and because IP addresses sometimes need to change, all servers on the Internet also have human-readable names, called domain names. For example, it is easier for most of us to remember www.howstuffworks.com than it is to remember 216.27.61.137. A company might block all access to certain domain names, or allow access only to specific domain names.
Protocols - The protocol is the pre-defined way that someone who wants to use a service talks with that service. The "someone" could be a person, but more often it is a computer program like a Web browser. Protocols are often text, and simply describe how the client and server will have their conversation. The "http" at the start of a Web address names the Web's protocol. Some common protocols that you can set firewall filters for include:

IP (Internet Protocol) - the main delivery system for information over the Internet
TCP (Transmission Control Protocol) - used to break information into packets, deliver them reliably and rebuild them in order at the other end
HTTP (Hyper Text Transfer Protocol) - used for Web pages
FTP (File Transfer Protocol) - used to download and upload files
UDP (User Datagram Protocol) - used for information that needs no acknowledgment or retransmission, such as streaming audio and video
ICMP (Internet Control Message Protocol) - used by hosts and routers to report errors and exchange diagnostic messages (ping is the familiar example)
SMTP (Simple Mail Transfer Protocol) - used to send e-mail
SNMP (Simple Network Management Protocol) - used to collect system information from a remote computer
Telnet - used to perform commands on a remote computer

A company might set up only one or two machines to handle a specific protocol and ban
that protocol on all other machines.
Ports - Any server machine makes its services available to the Internet using numbered
ports, one for each service that is available on the server (see How Web Servers Work for
details). For example, if a server machine is running a Web (HTTP) server and an FTP
server, the Web server would typically be available on port 80, and the FTP server would
be available on port 21. A company might block port 21 access on all machines but one
inside the company.
Specific words and phrases - This can be anything. The firewall will sniff (search through) each packet of information for an exact match of the text listed in the filter. For example, you could instruct the firewall to block any packet with the word "X-rated" in it. The key here is that it has to be an exact match. The "X-rated" filter would not catch "X rated" (no hyphen), and because each packet is checked on its own, a phrase split across two packets slips past as well. You can include as many words, phrases and variations of them as you need, but treat this kind of filter as a convenience rather than a security control.
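The exact-match behaviour described above, and the two ways it is commonly evaded, as an added example (not from the original article; the packet payloads are constructed):

```python
"""Word-and-phrase filtering, per packet and per reassembled stream.
Added example, not from the original article; the packets below are constructed."""
import re

BANNED = ["X-rated"]


def per_packet_filter(packets: list[str], banned: list[str] = BANNED) -> list[int]:
    """The article's filter: inspect each packet on its own and return the
    indexes of packets that contain a banned phrase verbatim."""
    return [i for i, payload in enumerate(packets)
            if any(word in payload for word in banned)]


def normalize(text: str) -> str:
    """Fold case and collapse runs of punctuation/whitespace so that
    'X rated', 'x_rated' and 'X - rated' all compare equal to 'x rated'."""
    return re.sub(r"[\W_]+", " ", text).strip().lower()


def stream_filter(packets: list[str], banned: list[str] = BANNED) -> bool:
    """Reassemble the stream before matching: the only way to catch a phrase
    that a sender (deliberately or not) splits across a packet boundary."""
    stream = normalize("".join(packets))
    return any(normalize(word) in stream for word in banned)


def demo() -> dict:
    """Three constructed streams; each value is (per-packet hits, stream verdict)."""
    exact   = ["this page is X-rated"]
    variant = ["this page is X rated"]            # no hyphen: exact match misses it
    split   = ["this page is X-ra", "ted"]        # phrase straddles two packets
    return {
        "exact":   (per_packet_filter(exact),   stream_filter(exact)),
        "variant": (per_packet_filter(variant), stream_filter(variant)),
        "split":   (per_packet_filter(split),   stream_filter(split)),
    }


if __name__ == "__main__":
    for name, (hits, caught) in demo().items():
        print(f"{name:8s} per-packet hits={hits} stream filter caught={caught}")
```

Even the reassembling version only raises the bar: encoding, compression or encryption of the payload defeats it entirely, which is why keyword filters belong to content policy, not to the security boundary.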
Some operating systems come with a firewall built in. Otherwise, a software firewall can
be installed on the computer in your home that has an Internet connection. This
computer is considered a gateway because it provides the only point of access between
your home network and the Internet.
With a hardware firewall, the firewall unit itself is normally the gateway. A good example
is the Linksys Cable/DSL router. It has a built-in Ethernet card and hub. Computers in
your home network connect to the router, which in turn is connected to either a cable or
DSL modem. You configure the router via a Web-based interface that you reach through
the browser on your computer. You can then set any filters or additional information.
Hardware firewalls are reasonably secure for home use and not very expensive. Home versions that include a router, firewall and Ethernet hub for broadband connections can be found for well under $100.

Why Firewall Security?


There are many creative ways that unscrupulous people use to access or abuse
unprotected computers:

Remote login - When someone is able to connect to your computer and control it
in some form. This can range from being able to view or access your files to
actually running programs on your computer.
Application backdoors - Some programs have special features that allow for
remote access. Others contain bugs that provide a backdoor, or hidden access,
that provides some level of control of the program.
SMTP session hijacking - SMTP is the most common method of sending e-mail
over the Internet. By gaining access to a list of e-mail addresses, a person can
send unsolicited junk e-mail (spam) to thousands of users. This is done quite often
by redirecting the e-mail through the SMTP server of an unsuspecting host, making
the actual sender of the spam difficult to trace.

Operating system bugs - Like applications, some operating systems have
backdoors. Others provide remote access with insufficient security controls or have
bugs that an experienced hacker can take advantage of.

Denial of service - You have probably heard this phrase used in news reports on the attacks on major Web sites. This type of attack is hard to counter at the target alone. In its classic form, the SYN flood, the hacker sends the server request after request to open a connection, each carrying a forged source address. The server answers every one with an acknowledgement and waits for the final reply that would establish the session, but that reply never comes, because the system the request claims to be from never asked. By inundating a server with these unanswerable session requests, a hacker fills its table of half-open connections, so the server slows to a crawl, turns away legitimate users or eventually crashes.
E-mail bombs - An e-mail bomb is usually a personal attack. Someone sends you
the same e-mail hundreds or thousands of times until your e-mail system cannot
accept any more messages.
Macros - To simplify complicated procedures, many applications allow you to
create a script of commands that the application can run. This script is known as a
macro. Hackers have taken advantage of this to create their own macros that,
depending on the application, can destroy your data or crash your computer.
Viruses - Probably the most well-known threat is computer viruses. A virus is a
small program that can copy itself to other computers. This way it can spread
quickly from one system to the next. Viruses range from harmless messages to
erasing all of your data.
Spam - Typically harmless but always annoying, spam is the electronic equivalent of junk mail. Spam can be dangerous though. Quite often it contains links to Web sites. Be careful of clicking on these, because the site behind the link may try to exploit your browser or trick you into installing software that gives an attacker a backdoor to your computer.
Redirect bombs - Hackers can use ICMP to change (redirect) the path information
takes by sending it to a different router. This is one of the ways that a denial of
service attack is set up.
Source routing - In most cases, the path a packet travels over the Internet (or
any other network) is determined by the routers along that path. But the source
providing the packet can arbitrarily specify the route that the packet should travel.
Hackers sometimes take advantage of this to make information appear to come
from a trusted source or even from inside the network! Most firewall products
disable source routing by default.
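The denial-of-service attack described in the list above, the SYN flood, as an added example that is not part of the original article: a listener with a fixed backlog is flooded with connection requests from forged addresses, and the same flood is sent to a listener that uses SYN cookies instead of storing state. The cookie scheme here is a simplified one built on an HMAC, not the exact one any operating system uses, and all addresses are constructed.

```python
"""SYN flood against a backlog-limited listener versus a SYN-cookie listener.
Added example, not from the original article. The cookie construction is a
simplified illustration (HMAC of peer address and a coarse time value), and
the addresses are constructed."""
import hashlib
import hmac
import random


class BacklogListener:
    """Classic TCP listener: every SYN reserves a slot until the handshake
    completes. Those slots are the resource a SYN flood exhausts."""

    def __init__(self, backlog: int) -> None:
        self.backlog = backlog
        self.half_open: dict[tuple[str, int], int] = {}   # (src, sport) -> our initial sequence number
        self.established: set[tuple[str, int]] = set()

    def on_syn(self, src: str, sport: int) -> bool:
        """True if a SYN-ACK was sent (slot reserved); False if the SYN was dropped."""
        if len(self.half_open) >= self.backlog:
            return False
        self.half_open[(src, sport)] = random.getrandbits(32)
        return True

    def on_ack(self, src: str, sport: int, ack: int) -> bool:
        """Final ACK of the handshake: valid only if it acknowledges the ISN we sent."""
        isn = self.half_open.get((src, sport))
        if isn is None or ack != ((isn + 1) & 0xFFFFFFFF):
            return False
        del self.half_open[(src, sport)]
        self.established.add((src, sport))
        return True


class SynCookieListener:
    """Keeps no per-SYN state. The ISN is a keyed hash of the peer's address and
    a coarse time value; a correct final ACK proves the peer really received our
    SYN-ACK. Forged sources never send that ACK, so they cost us nothing."""

    def __init__(self, secret: bytes) -> None:
        self.secret = secret                                # assumed to be rotated regularly
        self.established: set[tuple[str, int]] = set()

    def cookie(self, src: str, sport: int, epoch: int) -> int:
        msg = f"{src}:{sport}:{epoch}".encode()
        return int.from_bytes(hmac.new(self.secret, msg, hashlib.sha256).digest()[:4], "big")

    def on_syn(self, src: str, sport: int, epoch: int) -> int:
        return self.cookie(src, sport, epoch)               # sent as the ISN; nothing is stored

    def on_ack(self, src: str, sport: int, ack: int, epoch: int) -> bool:
        for e in (epoch, epoch - 1):                        # tolerate a slow but honest client
            if ack == ((self.cookie(src, sport, e) + 1) & 0xFFFFFFFF):
                self.established.add((src, sport))
                return True
        return False


def simulate(flood_size: int = 1000, backlog: int = 128) -> dict:
    """Flood both listeners with SYNs from forged, unreachable sources (constructed
    addresses in 203.0.113.0/24), then check whether one honest client at
    192.0.2.50 can still complete a handshake."""
    rng = random.Random(7)
    spoofed = [(f"203.0.113.{rng.randrange(1, 255)}", rng.randrange(1024, 65535))
               for _ in range(flood_size)]

    classic = BacklogListener(backlog)
    for src, sport in spoofed:
        classic.on_syn(src, sport)                          # SYN-ACKs go to hosts that never answer
    client_ok = classic.on_syn("192.0.2.50", 40000)
    if client_ok:                                           # only possible if a slot was free
        isn = classic.half_open[("192.0.2.50", 40000)]
        client_ok = classic.on_ack("192.0.2.50", 40000, (isn + 1) & 0xFFFFFFFF)

    cookies = SynCookieListener(secret=b"rotate-me-regularly")
    for src, sport in spoofed:
        cookies.on_syn(src, sport, epoch=1)                 # nothing stored, so nothing fills up
    isn = cookies.on_syn("192.0.2.50", 40000, epoch=1)
    cookie_ok = cookies.on_ack("192.0.2.50", 40000, (isn + 1) & 0xFFFFFFFF, epoch=1)
    forged_ok = cookies.on_ack("203.0.113.7", 5555, 12345, epoch=1)   # ACK that never saw a SYN-ACK

    return {"half_open_after_flood": len(classic.half_open),
            "classic_client_connected": client_ok,
            "cookie_client_connected": cookie_ok,
            "forged_ack_accepted": forged_ok}


if __name__ == "__main__":
    for key, value in simulate().items():
        print(f"{key}: {value}")
```

A firewall in front of the server can help by rate-limiting SYNs per source or completing the handshake on the server's behalf, but a flood that fills the upstream link is beyond anything the target itself can do, which is the sense in which the article calls the attack hard to counter.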

Some of the items in the list above are hard, if not impossible, to filter using a firewall.
While some firewalls offer virus protection, it is worth the investment to install anti-virus
software on each computer. And, even though it is annoying, some spam is going to get
through your firewall as long as you accept e-mail.
The level of security you establish will determine how many of these threats can be
stopped by your firewall. The highest level of security would be to simply block
everything. Obviously that defeats the purpose of having an Internet connection. But a
common rule of thumb is to block everything, then begin to select what types of traffic
you will allow. You can also restrict traffic that travels through the firewall so that only
certain types of information, such as e-mail, can get through. This is a good rule for
businesses that have an experienced network administrator that understands what the
needs are and knows exactly what traffic to allow through. For most of us, it is probably
better to work with the defaults provided by the firewall developer unless there is a
specific reason to change it.
One of the best things about a firewall from a security standpoint is that it stops anyone on the outside from logging onto a computer in your private network. While this matters most for businesses, home networks are probed by automated scanners too, so the protection is worth having there as well. Putting a firewall in place provides some peace of mind.


Proxy Servers and DMZ


A function that is often combined with a firewall is a proxy server. The proxy server is
used to access Web pages by the other computers. When another computer requests a
Web page, it is retrieved by the proxy server and then sent to the requesting computer.
The net effect of this action is that the remote computer hosting the Web page never
comes into direct contact with anything on your home network, other than the proxy
server.
Proxy servers can also make your Internet access work more efficiently. If you access a
page on a Web site, it is cached (stored) on the proxy server. This means that the next
time you go back to that page, it normally doesn't have to load again from the Web site.
Instead it loads instantaneously from the proxy server.
There are times that you may want remote users to have access to items on your
network. Some examples are:

Web site
Online business
FTP download and upload area

In cases like this, you may want to create a DMZ (Demilitarized Zone). Although this sounds pretty serious, it really is just a separate network segment that sits between the Internet and your private network, with the firewall filtering traffic on both sides of it. Think of DMZ as the front yard of your house. It belongs to you and you may put some things there, but you would put anything valuable inside the house where it can be properly secured. The point of the arrangement is containment: the public servers in the DMZ can be reached from the Internet, but if one of them is broken into, the firewall still stands between it and the machines inside.
Setting up a DMZ on a home router is very easy, though the home version is cruder. If you have multiple computers, you can designate one of them as the router's "DMZ host," and the router then forwards all unsolicited inbound traffic to that machine. That host is effectively exposed to the Internet, so it must be kept patched and must hold nothing you would not want an outsider to reach.
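The containment a DMZ is meant to provide can be written down as a zone policy. The following is an added example, not from the original article; the three zones, their address ranges (192.0.2.0/24 for the DMZ, 10.0.0.0/24 for the LAN), the Web server's address 192.0.2.10 and the permitted ports are all assumptions.

```python
"""Zone-based firewall policy with a DMZ. Added example, not from the original
article; zones, addresses and allowed ports are assumed for the demonstration."""
import ipaddress

ZONES = {
    "dmz": ipaddress.ip_network("192.0.2.0/24"),   # public-facing servers
    "lan": ipaddress.ip_network("10.0.0.0/24"),    # the private network
}
ALLOW_ALL = "any"

# (from_zone, to_zone) -> set of allowed destination ports, or "any".
# Any pair that is not listed is denied: default deny in both directions.
POLICY = {
    ("outside", "dmz"): {80, 443},        # the public reaches the Web server, nothing else
    ("lan", "outside"): ALLOW_ALL,        # staff browse out
    ("lan", "dmz"): {22, 80, 443},        # staff administer and test the Web server
    ("dmz", "outside"): {53, 80, 443},    # DNS and package updates from the DMZ
    # ("dmz", "lan") is deliberately absent: a compromised DMZ host gets nothing inside.
    # ("outside", "lan") is absent too: no unsolicited traffic reaches the LAN.
}


def zone_of(ip: str) -> str:
    """Map an address to its zone; anything outside the known ranges is the Internet."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "outside"


def permitted(src: str, dst: str, dport: int) -> bool:
    rule = POLICY.get((zone_of(src), zone_of(dst)))
    if rule is None:
        return False
    return rule == ALLOW_ALL or dport in rule


def demo() -> dict:
    """Constructed flows, including the pivot a compromised Web server would attempt."""
    return {
        "public_to_web":     permitted("203.0.113.9", "192.0.2.10", 443),
        "public_to_web_ssh": permitted("203.0.113.9", "192.0.2.10", 22),
        "public_to_lan":     permitted("203.0.113.9", "10.0.0.7", 445),
        "web_to_lan_db":     permitted("192.0.2.10", "10.0.0.20", 3306),   # hacked DMZ box reaching inside
        "lan_to_web_ssh":    permitted("10.0.0.7", "192.0.2.10", 22),
        "lan_to_internet":   permitted("10.0.0.7", "198.51.100.10", 80),
    }


if __name__ == "__main__":
    for flow, allowed in demo().items():
        print(f"{flow:18s} {'allow' if allowed else 'deny'}")
```

The line worth checking in any real DMZ is "web_to_lan_db": if the public server needs a database, put the database in the DMZ too or open exactly one port to exactly one inside host, never a blanket rule from the DMZ inward.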
Once you have a firewall in place, you should test it. A great way to do this is to go to
www.grc.com and try their free Shields Up! security test. You will get immediate
feedback on just how secure your system is!


What is a packet?
It turns out that everything you do on the Internet involves packets. For example, every
Web page that you receive comes as a series of packets, and every e-mail you send
leaves as a series of packets. Networks that ship data around in small packets are called
packet switched networks.
On the Internet, the network breaks an e-mail message into parts of a certain size in
bytes. These are the packets. Each packet carries the information that will help it get to
its destination -- the sender's IP address, the intended receiver's IP address, something
that tells the network how many packets this e-mail message has been broken into and
the number of this particular packet. The packets carry the data in the protocols that the
Internet uses: Transmission Control Protocol/Internet Protocol (TCP/IP). Each packet
contains part of the body of your message. A typical packet contains perhaps 1,000 or
1,500 bytes.
Each packet is then sent off to its destination by the best available route -- a route that
might be taken by all the other packets in the message or by none of the other packets
in the message. This makes the network more efficient. First, the network can balance
the load across various pieces of equipment on a millisecond-by-millisecond basis.
Second, if there is a problem with one piece of equipment in the network while a
message is being transferred, packets can be routed around the problem, ensuring the
delivery of the entire message.
Depending on the type of network, packets may be referred to by another name:

frame
block
cell
segment

Next, learn about the parts of packets and an example of how packets are applied.

(Figure: network packet structure)

Most network packets are split into three parts:
Header - The header contains instructions about the data carried by the packet. These instructions may include:

Length of packet (some networks have fixed-length packets, while others rely on the header to contain this information)
Synchronization (a few bits that help the packet match up to the network)
Packet number (which packet this is in a sequence of packets)
Protocol (on networks that carry multiple types of information, the protocol defines what type of packet is being transmitted: e-mail, Web page, streaming video)
Destination address (where the packet is going)
Originating address (where the packet came from)

Payload - Also called the body or data of a packet. This is the actual data that the
packet is delivering to the destination. If a packet is fixed-length, then the payload may
be padded with blank information to make it the right size.
Trailer - The trailer, sometimes called the footer, typically contains a couple of bits that tell the receiving device that it has reached the end of the packet. It may also have some type of error checking. The most common error checking used in packets is Cyclic Redundancy Check (CRC). CRC is pretty neat. Here is roughly how it works: the sender treats the bits of the payload as one long binary number and divides it by a fixed, agreed-upon value (the generator); the remainder of that division is stored in the trailer. The receiving device performs the same division on the payload it received and compares its remainder to the value stored in the trailer. If the values match, the packet is good. But if the values do not match, the packet is discarded, and a reliable protocol such as TCP then has the originating device resend it.
As an example, let's look at how an e-mail message might get broken into packets. Let's
say that you send an e-mail to a friend. The e-mail is about 3,500 bits (3.5 kilobits) in
size. The network you send it over uses fixed-length packets of 1,024 bits (1 kilobit). The
header of each packet is 96 bits long and the trailer is 32 bits long, leaving 896 bits for
the payload. To break the 3,500 bits of message into packets, you will need four packets
(divide 3,500 by 896). Three packets will contain 896 bits of payload and the fourth will
have 812 bits. Here is what one of the four packets would contain:
Each packet's header will contain the proper protocols, the originating address (the IP
address of your computer), the destination address (the IP address of the computer
where you are sending the e-mail) and the packet number (1, 2, 3 or 4 since there are 4
packets). Routers in the network will look at the destination address in the header and
compare it to their lookup table to find out where to send the packet. Once the packet
arrives at its destination, your friend's computer will strip the header and trailer off each
packet and reassemble the e-mail based on the numbered sequence of the packets.
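The packetizing walkthrough above, carried out in code, as an added example that is not from the original article. It uses the article's sizes (1,024-bit packets, 96-bit header, 32-bit trailer, 896-bit payload) and a constructed 3,500-bit message of pseudo-random bits; the header layout (8-bit protocol, two 32-bit IPv4 addresses, 4-bit packet number, 4-bit packet count, 16-bit payload length), the choice of CRC-32 for the trailer and the addresses are assumptions made for the demonstration.

```python
"""Split a message into fixed-length packets and reassemble it, with a CRC in
each trailer. Added example, not from the original article. Header layout,
CRC-32 and addresses are assumptions; the message is constructed."""
import ipaddress
import random
import zlib

PACKET_BITS, HEADER_BITS, TRAILER_BITS = 1024, 96, 32
PAYLOAD_BITS = PACKET_BITS - HEADER_BITS - TRAILER_BITS     # 896


def bits(value: int, width: int) -> str:
    return format(value, f"0{width}b")


def make_header(proto: int, src: str, dst: str, seq: int, total: int, payload_len: int) -> str:
    return (bits(proto, 8)
            + bits(int(ipaddress.IPv4Address(src)), 32)
            + bits(int(ipaddress.IPv4Address(dst)), 32)
            + bits(seq, 4) + bits(total, 4)                  # 4 bits each: at most 15 packets
            + bits(payload_len, 16))                         # real bits before padding


def parse_header(h: str) -> dict:
    return {"proto": int(h[0:8], 2),
            "src": str(ipaddress.IPv4Address(int(h[8:40], 2))),
            "dst": str(ipaddress.IPv4Address(int(h[40:72], 2))),
            "seq": int(h[72:76], 2), "total": int(h[76:80], 2),
            "payload_len": int(h[80:96], 2)}


def crc(payload: str) -> int:
    """CRC-32 over the padded payload (896 bits = 112 bytes)."""
    return zlib.crc32(int(payload, 2).to_bytes(PAYLOAD_BITS // 8, "big")) & 0xFFFFFFFF


def packetize(message: str, src: str, dst: str, proto: int = 1) -> list[str]:
    chunks = [message[i:i + PAYLOAD_BITS] for i in range(0, len(message), PAYLOAD_BITS)]
    packets = []
    for seq, chunk in enumerate(chunks, start=1):
        payload = chunk.ljust(PAYLOAD_BITS, "0")              # pad the last packet to fixed length
        packets.append(make_header(proto, src, dst, seq, len(chunks), len(chunk))
                       + payload + bits(crc(payload), 32))
    return packets


def reassemble(packets: list[str]) -> str:
    """Strip header and trailer, verify each CRC, and put the payloads back in
    order regardless of the order in which the packets arrived."""
    parts, total = {}, 0
    for p in packets:
        if len(p) != PACKET_BITS:
            raise ValueError("wrong packet length")
        hdr = parse_header(p[:HEADER_BITS])
        payload = p[HEADER_BITS:HEADER_BITS + PAYLOAD_BITS]
        trailer = int(p[HEADER_BITS + PAYLOAD_BITS:], 2)
        if crc(payload) != trailer:
            raise ValueError(f"packet {hdr['seq']} failed its CRC; ask the sender to resend it")
        parts[hdr["seq"]] = payload[:hdr["payload_len"]]   # drop the padding
        total = hdr["total"]
    if set(parts) != set(range(1, total + 1)):
        raise ValueError("message incomplete: missing packet(s)")
    return "".join(parts[i] for i in range(1, total + 1))


def sample_message(nbits: int = 3500, seed: int = 1) -> str:
    """A constructed 3,500-bit 'e-mail' of pseudo-random bits."""
    rng = random.Random(seed)
    return "".join(rng.choice("01") for _ in range(nbits))


def flip_bit(packet: str, pos: int) -> str:
    return packet[:pos] + ("1" if packet[pos] == "0" else "0") + packet[pos + 1:]


def corruption_detected(packets: list[str], packet_index: int, pos: int) -> bool:
    """Flip one bit in one packet in transit and report whether the receiver notices."""
    damaged = list(packets)
    damaged[packet_index] = flip_bit(damaged[packet_index], pos)
    try:
        reassemble(damaged)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    pkts = packetize(sample_message(), "10.0.0.7", "198.51.100.10")
    print(len(pkts), "packets;", [parse_header(p[:96])["payload_len"] for p in pkts], "payload bits")
    print("round trip ok:", reassemble(pkts[::-1]) == sample_message())
    print("flipped bit caught:", corruption_detected(pkts, 1, 300))
```

Note what the CRC does and does not give you: it reliably catches accidental corruption, but anyone who can alter the payload can recompute the trailer too, so integrity against a deliberate attacker needs a keyed check (a MAC), not a CRC.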


How IP Trunking Works


by Brian Boone

When the World Wide Web emerged for widespread public use in the early 1990s, it
transmitted data -- text, photos and more -- via phone lines. You used a modem attached
to a computer, dialed a local "access number," and then you were free to surf the
Internet. You may have had to pay an Internet service provider, but the transmission
method was basically just a phone call. In the years following, Internet access via DSL
and cable lines made the fast transmission of large amounts of data possible, meaning
the Internet had huge data capacity. In short, we're now using the Internet to make
phone calls, where we used to use phone calls to get on the Internet.
This technology is called Voice over Internet Protocol technology, or VoIP. Simply
put, voices are transmitted as data via the Internet. An extension of VoIP is called IP
trunking, in which multiple users with the same Internet connection -- several workers
in the same office for example -- use VoIP to send and receive data, both Internet and
voice. VoIP and IP trunking are big business. It's a new communications framework, slowly
replacing the old phone company infrastructure. Also called "unified communications," IP
trunking will be a $17 billion business in just a few years [source: Viscusi]. It's a good
time to learn what the new standard in telephony will be, as well as the specifics on how,
exactly, a computer network turns voices into data, then back to voices, to create a
seamless phone call.

What is IP Trunking?
IP trunking is large-scale, corporate, industrial or institutional use of VoIP. An entire
organization hooks into the data world at large via one connection; that connection is
then split among all the parties' phones and computers. While VoIP is used in millions of
homes, IP trunking is almost exclusively used by businesses because they're the ones
that have a need for multiple telephone lines and many telephony services (call waiting,
voice mail systems, call forwarding, etc.), which are also carried via certain IP trunking
services.
At its core, IP trunking and VoIP are voice on data lines. That means that voices travel over the Internet as bits of data, not as the continuous electrical signal carried by a traditional, land-based telephone line.
In addition to large data capacity methods like DSL and cable Internet, one of the ways IP trunking can handle multiple phone calls -- as well as Internet data usage coming from multiple places on a forked communications network in one building -- is that much of the work is done in the provider's own network, in what is now called cloud computing. Pools of servers at the IP trunking service provider handle call setup, switching and routing, so the provider's "cloud" of computers and networks powers your call. The IP trunking consumer doesn't necessarily have to have a superfast computer or even a large computing network to make sure its calls and its data go through. The provider's infrastructure replaces traditional telephony's line-to-line switching methods.

So now you know what IP trunking is and how it's possible to send a phone call out into the ether of the Internet. Read on to find out exactly how your voice turns into a "data packet," and how it's sent through a series of tubes to its destination. And also get an answer to this question: How can the same data networks send your e-mails at the same time in the same place?


How Your Voice Travels Over the Internet


Here's how IP trunking makes a phone call happen (without you even knowing you're
using advanced technology).
The trunking service run through your service provider is a circuit that connects
switches (your system, the receiving party's system) to each other. Because it's using
high-volume means of data transmission, such as cable or DSL, it can support multiple
calls at the same time (which makes it great for an office).
The same VoIP trunk or network is used to connect multiple users, even remote ones, into the computer/phone framework. The office's own call-switching system, the private branch exchange (PBX), now runs as software and routes everyone's calls over the data network. First, you speak into the phone as you normally would. The VoIP software, on your computer (via a phone/computer card or headset) or inside the phone itself, then digitizes your voice and packs it into Internet Protocol (IP) packets, which essentially means that it's "data." The PBX then addresses and directs those packets to the other party's PBX or phone via its IP address. The packets are sent into the Internet via your service provider's IP network to reach their destination. There, the data is converted back into a voice.
All of this happens instantaneously and alongside packets of Internet/WWW data (e-mails, photos, videos) traveling through the same channels at the same time. This is possible because a phone call is not a "phone call" to the trunking system -- it's data, and a single call takes up only a modest slice of bandwidth.

HOLD THE PHONE


Since VoIP and IP trunking are computer-based programs to make calls, it makes sense
that the interface for making phone calls is computer based, meaning an application
window on your computer screen. You can plug a microphone/headphone apparatus into
your computer's audio jack to make the calls. This is called a soft phone because you
are using software to make calls.
Option No. 2: a USB phone. They look an awful lot like "real," or traditional, telephone handsets. Available even in cordless models, USB phones simply plug into your computer's USB port, much like a mouse or keyboard. One costs about the same as a
landline phone, anywhere from $10 to $100.
Another option for the device you'll use to make the actual calls is a hard phone. It
looks like a phone (or a cordless phone base), but it actually houses a very small
computer -- it bypasses the need for a PC entirely. It plugs into an Ethernet port on your
Internet router, hooking your phone calls right into the Web. Cost? $100 and up.
A variation on the hard phone is a Wi-Fi phone. This is a good one to use if your
computer network uses wireless, Wi-Fi technology to connect to the Internet. Rather than
connecting via cords plugged into the Ethernet, the Wi-Fi phone communicates wirelessly
with the Internet through a wireless access point. Like a hard phone, it bypasses the need
for a PC because it does all of its own "computing" to turn your voice to data and then
put that data out into the stream. Cost? $100 to $200.


IP Trunking Benefits
There are many benefits to adopting IP trunking to use for your company's or institution's
multiple phone lines. Are you an organization that does a lot of work or research online?
Then adopting IP trunking is a logical step to take. The main reason is that it combines
your data/Internet network and your phone network. That could potentially save your
company hundreds of dollars a month on maintenance fees because the phone and
Internet system are now the same system. It could also save you money on employment
costs (so long as your existing IT guy or gal knows how to use an IP trunking system).
Cheaper communications is one of the best things IP trunking has going for it. Many
Internet service providers are also phone service providers, and they're the ones offering
IP trunking. Since they run all channels of communication, these companies are
empowered to offer "bundling" discounts, reducing your communication rates even
further.
One of the main reasons consumer-level VoIP has taken off is because of its flat-fee
pricing structure. Services like Vonage charge a single rate for unlimited phone calls,
local and long distance included. Because VoIP and IP trunking convert voices to data,
you're not technically using the phone lines to make long distance calls -- you're just
transmitting data. As far as bandwidth is concerned, your phone call is the same as an e-mail. In short, long-distance charges drop to as low as 2 cents per call, and then just a
single monthly fee for each of your IP trunk users, about $20 to $30 per trunk [source:
Bandwidth.com]. Another bonus is that because it's a system based on remote data
transfer anyway, you can even have users at multiple locations use the same trunk. You
don't have to pay for multiple IP trunking servers.
But what if you don't think IP trunking is established enough to use for your primary communication needs? Well, it's always a good idea to have a backup. IP trunking is easy enough to use, and with the equipment you already have around in the office (phones, computers), it can be used to provide network redundancy. If landlines ever go down, but the Internet is still up, it can help you out. Because VoIP calls ride on your DSL, T1 or cable Internet connection rather than on the voice network, you can simply enable VoIP-based calling, resuming communications productivity immediately.

More IP Trunking Tips


VoIP has quietly been gaining ground as a new communications system for about 10 years
in the form of services like Skype and Vonage. It's available in most large- and mid-sized
American cities because it piggybacks on T1 and DSL service lines, which are nearly
universal in population centers. (Verizon alone has programs in 350 cities [source:
Verizon.com].) But even though it potentially frees a business from landlines and can
connect multiple, remote users into the same outgoing network, it's not actually available
everywhere just yet.
When you research IP trunking, keep an eye out for SIP trunking. This is IP trunking that uses the Session Initiation Protocol (SIP) to set up, manage and tear down calls, and it is what most providers actually sell. The signaling that SIP carries is what makes advanced telephony services possible on the trunk, such as voice mail, directory assistance, and 900-number blocking -- all important business needs.

One big problem with VoIP and IP trunking is the relative lack of security. It's not yet as secure as a landline. Landlines provide direct, physical connections of voice to voice. VoIP calls are data traveling by wire and through the air. So potentially, they can be intercepted or broken into by someone -- either from within your own IP trunking network, or outside of it, much as in the early days of widespread cell phone usage, when it was common to overhear other people's phone calls. Ask a provider whether it encrypts call setup (SIP over TLS) and the audio itself (SRTP); unencrypted VoIP can be captured and replayed by anyone on the path.
And even where it is available, services, bandwidth capacity and voice quality vary. So,
research different providers before you sign up for anything.

How Virtual Computing Works


by Patti McKenna

Using North Carolina State University's computer lab once meant reserving a PC and
then going to the lab at the available time -- possibly the middle of the night -- to work
on it. That's no longer true, thanks to virtual computing. [source: North Carolina State
University]
Today, students and faculty can reserve and log in to the NCSU Virtual Computing
Laboratory anytime, anywhere from their own PCs or laptops. What's more, this remote-access system lets users choose the software they need, including industrial strength
computer-assisted design (CAD) and engineering programs that take more memory than
they have on their own systems. At the same time, professors can build customized
software images in minutes for students to access anywhere.
Virtual computing makes one computer act and perform like many computers. Through
virtual computing providers, users can download and use more than one operating
system and perform a multitude of functions at the same time through a single mouse
click and receive all the benefits of additional programs and hardware without having to
purchase or install them on their own computer. Executives can check their company e-mail on the road, students can take classes from home and managers can keep up with
documents stored on internal servers from anywhere in the world.
Virtual computing is increasing possibilities and performance in the world of information
technology (IT): increased storage space, more software applications, performance and
troubleshooting solutions, as well as data backup. In this article, we'll cover what virtual
computing is, who performs the virtual services, the system requirements and the
benefits and challenges to the user.

What is Virtual Computing?


Virtual computing allows computer users remote access to software applications and processes when they need it. Users gain access via the Internet through a wireless or network server. For a fee, users can boost their computers' capabilities, size, performance, processes and/or software applications whenever they need it. This real-time technology offers:

Operating and utility systems
Storage
Memory
Software
Allocation and reassignment of input/output and other processes
Data backup
Automated problem solving and troubleshooting
Tools for monitoring and managing systems

Users can access software applications for a single computer or an entire network
because of the ability to select only what you need when you need it. They also can save
or back up data and text documents to a virtual server (thus freeing space on individual
computers) and reallocate or assign different processes to the virtual environment. This
enables computers to operate at optimal speeds.
Virtual computing initially began as a method of borrowing space or storage for
computer systems, but it's since grown significantly, offering data and software
applications, as well as operating and utility systems. The corporate environment most
commonly uses it, where IT system managers run multiple applications on several
servers.

VIRTUALLY SURFING
While there are many reasons for using virtual computing services, some people have
gotten creative in their reasoning. Because all applications run remotely, some users log
in to the Internet to do all their surfing through a virtual computer. This enables them to
access files without worrying about hidden pages sabotaging their system. The added
benefit is that they can surf and electronically communicate without worrying about
infected files.

Virtual Computing Requirements


Virtual Computing Providers
The number of virtual providers is growing steadily. In this section, we'll cover four of the
major providers of virtual computing and the services they provide.
Hewlett-Packard (HP): HP assists its customers with problem solving and
troubleshooting, management of electronic systems and allocating storage as needed,
including tracking and managing online and offline storage. HP offers hardware and
software applications and solutions to its virtual customers, giving them customer
support through HP OpenView Service Desk. Security and prevention of data loss are also
included.
IBM: IBM offers management tools in system security, storage, performance, availability,
operations and configuration. Each of these areas includes software, hardware, utilities,
protection, and diagnoses and repairs of faulty software and applications.
Microsoft: Through its Windows Operating System, Microsoft provides hardware and
software storage operations, management, upgrades and monitoring.

Sun: Sun Management installs, upgrades, configures and assigns software applications
without interrupting operations. Sun does allow users to convert back to a previous
configuration.
Although the above providers offer similar services, the system specifications vary per
provider. This chart details the specific offerings.
System Requirements
Before you purchase and download virtual PC applications, you need to ensure that your
computer meets the system requirements. Every computer system has a limited amount
of resources. A reduction in available memory and storage occurs once those resources
are used. While the system requirements to download virtual applications are dependent
on the provider and the package, we'll provide the minimal requirements for Microsoft
Windows and Mac users as an example:
Microsoft's Virtual PC application -- Microsoft Virtual PC 2007 -- requires a 400 MHz
Pentium-compatible processor (1.0 GHz or faster recommended) and 20 megabytes of disk space. The
virtual application runs on the following Windows operating systems:

Windows Vista Business
Windows Vista Enterprise
Windows Vista Ultimate
Windows XP Professional
Windows XP Tablet PC Edition

Other systems, like Windows 98, Windows 2000, or Windows ME can handle virtual
computing, but they require more memory to do so.
Mac users can access virtual computing through Virtual PC for Mac Version 7. They'll
need a 700 MHz native PowerPC G3, G4 or G5 processor, 3 GB of free hard drive space
and 512 MB of RAM. Virtual PC for Mac will run on Mac OS X Version 10.2.8, 10.3, 10.4.1
and later versions.

Virtual Computing Advantages


The benefits of virtual computing vary depending on the user. The main benefits cited by
providers and users are explained in this section.
You can achieve faster system speeds due to freeing up the system, memory and
storage. Virtual computing provides increased efficiency by allocating a computer's
processes to a virtual environment, making the computer available for other processes
and applications.
Hackensack (N.J.) University Medical Center uses virtual computing to give medical and
administrative staff online access to the software of their choice from whichever
computer they're near, including patients' bedsides. The medical center provides on-demand access to 40 medical and business applications from more than 1,000 terminals,
using a solution from Citrix Systems.
The medical center has saved $1.3 million on maintenance, upgrades and help desk
calls, according to Benjamin Bordonaro, director of information technology. At the same
time, having immediate access to patients' records in their rooms allows nurses to record
medications as they're given and doctors to chart orders on the spot during rounds.
[source: Citrix]
It's also flexible. You have the ability to use software when you need it without having to
install, configure and store it on the computer. In addition, technical support is available
electronically or by telephone at any time.
Automated troubleshooting, diagnosing and repairing of hardware and software are
available as needed. Virtual computing programs automatically review your computer's
speed and efficiency and reallocate processes or repair programs as needed.
You have the flexibility to change platforms and servers at will. Virtual computing users
can run more than one operating system on one PC at the same time. For instance,
through virtual computing, you can run Windows on a Mac computer. Effectively, your
computer has the capability of becoming many computers.
There's a reduction in cooling and power costs, as well. Virtual computing eliminates the
need to operate multiple computers and servers, which saves energy.

Virtual files are easy to back up. Entire virtual machines can be stored on one or two
small files, making copying an easy and fast process.

Virtual Computing Disadvantages and the Future

While virtual computing does enable servers to perform more tasks and run more
applications, it can also be time consuming and laborious for some IT staff. Even though
the applications are remote, managers must still track and monitor files, applications,
data and storage. Virtual computing can increase their workload because now they have
more places to track.
Security and firewall issues must also be monitored and addressed to prevent the loss or
theft of data in a virtual or remote environment. Transfer of information and the need for
physical computers and servers to interact remotely must also be monitored continually.
It's a balancing act, but for many organizations, virtual computing doesn't cut costs or
the need for IT staff.
Other cost issues include what virtual providers should charge for each use of software
application. Because virtual computing allows one computer to run many applications at
the same time, the computer could be running several different applications of the same
software simultaneously. There have been concerns regarding paying repeatedly for the
same software. To address that issue, providers are exploring a meter process, which
would provide users a specific amount of uses and charge them for any overages.

The Future of Virtual Computing

Virtual computing has been in existence for years. Only recently has its application
become more popular in the corporate IT world. In the technology world, however, new
developments and explorations continue to produce faster, more integrated technologies
than before.
IBM introduced the concept of grid computing. Grid computing joins the monumental
power of all of IBM's data centers worldwide (forming a grid) and makes it available to
customers. Unlike traditional virtual computing, grid computing offers consumers
unlimited use. The government, aerospace industry, science, higher education facilities
and the military are all currently using grid computing. For more information on grid
computing, read the white paper, "Grid Explained."
Consider also virtual computers, where files aren't stored on a hard drive, but are
remotely accessed through cyberspace on any computer where you can log in to the
Internet. This concept is currently available to computer users for Internet and e-mail
access. Virtual computers will expand that capability and allow users access to all of
their files and applications from any computer. Traditional microcomputers with large,
external hard drives won't be necessary. Users will not need to carry laptops or
removable storage devices like CDs from one computer to another.


How Cloud Computing Works


by Jonathan Strickland

Let's say you're an executive at a large corporation. Your particular responsibilities
include making sure that all of your employees have the right hardware and software
they need to do their jobs. Buying computers for everyone isn't enough -- you also have
to purchase software or software licenses to give employees the tools they require.
Whenever you have a new hire, you have to buy more software or make sure your current
software license allows another user. It's so stressful that you find it difficult to go to
sleep on your huge pile of money every night.
Soon, there may be an alternative for
executives like you. Instead of
installing a suite of software for each
computer, you'd only have to load
one application. That application would allow workers to log into a Web-based service
which hosts all the programs the user would need for his or her job. Remote machines
owned by another company would run everything from e-mail to word processing to
complex data analysis programs. It's called cloud computing, and it could change the
entire computer industry.
In a cloud computing system, there's a significant workload shift. Local computers no
longer have to do all the heavy lifting when it comes to running applications. The
network of computers that make up the cloud handles them instead. Hardware and
software demands on the user's side decrease. The only thing the user's computer needs
to be able to run is the cloud computing system's interface software, which can be as
simple as a Web browser, and the cloud's network takes care of the rest.
There's a good chance you've already used some form of cloud computing. If you have
an e-mail account with a Web-based e-mail service like Hotmail, Yahoo! Mail or Gmail,
then you've had some experience with cloud computing. Instead of running an e-mail
program on your computer, you log in to a Web e-mail account remotely. The software
and storage for your account doesn't exist on your computer -- it's on the service's
computer cloud.
What makes up a cloud computing system? Find out in the next section.


Cloud Computing Architecture


When talking about a cloud computing system, it's helpful to divide it into two sections:
the front end and the back end. They connect to each other through a network, usually
the Internet. The front end is the side the computer user, or client, sees. The back end is
the "cloud" section of the system.
The front end includes the client's computer (or computer network) and the application
required to access the cloud computing system. Not all cloud computing systems have
the same user interface. Services like Web-based e-mail programs leverage existing Web
browsers like Internet Explorer or Firefox. Other systems have unique applications that
provide network access to clients.
On the back end of the system are the various computers, servers and data storage
systems that create the "cloud" of computing services. In theory, a cloud computing
system could include practically any computer program you can imagine, from data
processing to video games. Usually, each application will have its own dedicated server.
A central server administers the system, monitoring traffic and client demands to ensure
everything runs smoothly. It follows a set of rules called protocols and uses a special kind
of software called middleware. Middleware allows networked computers to
communicate with each other. Most of the time, servers don't run at full capacity. That
means there's unused processing power going to waste. It's possible to fool a physical
server into thinking it's actually multiple servers, each running with its own independent
operating system. The technique is called server virtualization. By maximizing the output
of individual servers, server virtualization reduces the need for more physical machines.
If a cloud computing company has a lot of clients, there's likely to be a high demand for
a lot of storage space. Some companies require hundreds of digital storage devices.
A cloud computing system needs at least twice the number of storage devices it would
otherwise require to keep all its clients' information stored. That's because these devices, like all
computers, occasionally break down. A cloud computing system must make a copy of all
its clients' information and store it on other devices. The copies enable the central server
to access backup machines to retrieve data that otherwise would be unreachable.
Making copies of data as a backup is called redundancy.
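As an added illustration (not code from the article), here is a small Python model of the redundancy rule just described: a central server keeps two copies of every client block on distinct devices, checks each copy against a stored checksum before trusting it, and re-creates copies lost when a device fails. The device names, block ids and contents are constructed sample data.

```python
import hashlib
from dataclasses import dataclass, field

REPLICAS = 2  # the article's rule: every client block lives on at least two devices


@dataclass
class Device:  # one back-end storage device (constructed model, not a vendor's design)
    name: str
    online: bool = True
    blocks: dict = field(default_factory=dict)  # block_id -> raw bytes


def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class ReplicatedStore:
    """Central server: writes each block to REPLICAS distinct devices, verifies a
    copy's checksum before trusting it, and restores lost copies after a failure."""
    def __init__(self, devices):
        self.devices = {d.name: d for d in devices}
        self.placement = {}  # block_id -> names of the devices holding a copy
        self.checksums = {}  # block_id -> sha256 of the original bytes

    def _healthy(self):
        return [d for d in self.devices.values() if d.online]

    def put(self, block_id: str, data: bytes) -> None:
        # Least-loaded placement over distinct devices, so two copies never share one.
        targets = sorted(self._healthy(), key=lambda d: len(d.blocks))[:REPLICAS]
        if len(targets) < REPLICAS:
            raise IOError("not enough online devices to meet the replica count")
        for d in targets:
            d.blocks[block_id] = data
        self.placement[block_id] = [d.name for d in targets]
        self.checksums[block_id] = digest(data)

    def get(self, block_id: str) -> bytes:
        # Skip copies on failed devices and copies whose checksum no longer matches.
        for name in self.placement[block_id]:
            d = self.devices[name]
            copy = d.blocks.get(block_id)
            if d.online and copy is not None and digest(copy) == self.checksums[block_id]:
                return copy
        raise IOError(f"no intact copy of {block_id} is reachable")

    def repair(self) -> int:
        """Re-replicate every block that fell below REPLICAS; returns how many were fixed."""
        fixed = 0
        for block_id, names in self.placement.items():
            live = [n for n in names if self.devices[n].online]
            if len(live) >= REPLICAS:
                continue
            data = self.get(block_id)  # raises if every copy is gone: redundancy has limits
            spares = [d for d in self._healthy() if d.name not in live]
            for d in sorted(spares, key=lambda d: len(d.blocks))[:REPLICAS - len(live)]:
                d.blocks[block_id] = data
                live.append(d.name)
            self.placement[block_id] = live
            fixed += 1
        return fixed
```

The checksum step matters as much as the second copy: a replica that still answers but has been silently corrupted is no better than one on a dead device.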
What are some of the applications of cloud computing? Keep reading to find out.

Cloud Computing Applications


The applications of cloud computing are practically limitless. With the right middleware,
a cloud computing system could execute all the programs a normal computer could run.
Potentially, everything from generic word processing software to customized computer
programs designed for a specific company could work on a cloud computing system.
Why would anyone want to rely on another computer system to run programs and store
data? Here are just a few reasons:

Clients would be able to access their applications and data from anywhere at any
time. They could access the cloud computing system using any computer linked to
the Internet. Data wouldn't be confined to a hard drive on one user's computer or
even a corporation's internal network.
It could bring hardware costs down. Cloud computing systems would reduce the
need for advanced hardware on the client side. You wouldn't need to buy the
fastest computer with the most memory, because the cloud system would take
care of those needs for you. Instead, you could buy an inexpensive computer
terminal. The terminal could include a monitor, input devices like a keyboard and
mouse and just enough processing power to run the middleware necessary to
connect to the cloud system. You wouldn't need a large hard drive because you'd
store all your information on a remote computer.
Corporations that rely on computers have to make sure they have the right
software in place to achieve goals. Cloud computing systems give these
organizations company-wide access to computer applications. The companies don't
have to buy a set of software or software licenses for every employee. Instead, the
company could pay a metered fee to a cloud computing company.
Servers and digital storage devices take up space. Some companies rent physical
space to store servers and databases because they don't have it available on site.
Cloud computing gives these companies the option of storing data on someone
else's hardware, removing the need for physical space on the front end.
Corporations might save money on IT support. Streamlined hardware would, in
theory, have fewer problems than a network of heterogeneous machines and
operating systems.
If the cloud computing system's back end is a grid computing system, then the
client could take advantage of the entire network's processing power. Often,
scientists and researchers work with calculations so complex that it would take
years for individual computers to complete them. On a grid computing system, the
client could send the calculation to the cloud for processing. The cloud system
would tap into the processing power of all available computers on the back end,
significantly speeding up the calculation.

While the benefits of cloud computing seem convincing, are there any potential
problems? Find out in the next section.

Cloud Computing Concerns


PRIVATE EYES ARE WATCHING YOU
There are a few standard hacker tricks that could cause cloud computing companies
major headaches. One of those is called key logging. A key logging program records
keystrokes. If a hacker manages to load a key logging program on a victim's
computer, he or she can study the keystrokes to discover user names and passwords. Of
course, if the user's computer is just a streamlined terminal, it might be impossible to
install the program in the first place.
Perhaps the biggest concerns about cloud computing are security and privacy. The idea
of handing over important data to another company worries some people. Corporate
executives might hesitate to take advantage of a cloud computing system because they
can't keep their company's information under lock and key.
The counterargument to this position is that the companies offering cloud computing
services live and die by their reputations. It benefits these companies to have reliable
security measures in place. Otherwise, the service would lose all its clients. It's in their
interest to employ the most advanced techniques to protect their clients' data.

Privacy is another matter. If a client can log in from any location to access data and
applications, it's possible the client's privacy could be compromised. Cloud computing
companies will need to find ways to protect client privacy. One way is to use
authentication techniques such as user names and passwords. Another is to employ an
authorization format -- each user can access only the data and applications relevant to
his or her job.
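Added example, not from the article: a small Python model of that two-step check, authentication by salted password hash followed by authorization against a per-job table of the applications and data each job may reach. The user names, passwords, job titles and entitlement table are constructed, and the iteration count is an assumption to tune for real hardware.

```python
import hashlib
import hmac
import os

PBKDF2_ROUNDS = 100_000  # assumed work factor for the password hash


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def make_user(name: str, password: str, job: str) -> dict:
    """Store only a salted hash, never the password itself."""
    salt = os.urandom(16)
    return {"name": name, "salt": salt, "hash": hash_password(password, salt), "job": job}


# Constructed "authorization format": the applications and data each job may reach.
ENTITLEMENTS = {
    "nurse": {"apps": {"charting", "medication-admin"}, "data": {"patient-records"}},
    "billing": {"apps": {"invoicing"}, "data": {"patient-records", "accounts"}},
}


def authenticate(users: dict, name: str, password: str):
    user = users.get(name)
    if user is None:
        # Burn the same hashing cost so response time does not reveal which names exist.
        hash_password(password, b"\x00" * 16)
        return None
    candidate = hash_password(password, user["salt"])
    return user if hmac.compare_digest(candidate, user["hash"]) else None


def authorize(user: dict, kind: str, resource: str) -> bool:
    # Default-deny: an unknown job or an unlisted resource gets nothing.
    return resource in ENTITLEMENTS.get(user["job"], {}).get(kind, set())


def request(users: dict, name: str, password: str, kind: str, resource: str) -> str:
    """The two-step check the article describes: who are you, then what may you reach."""
    user = authenticate(users, name, password)
    if user is None:
        return "denied: authentication failed"
    if not authorize(user, kind, resource):
        return f"denied: {user['job']} may not use {kind} {resource}"
    return f"granted: {kind} {resource}"
```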
Some questions regarding cloud computing are more philosophical. Does the user or
company subscribing to the cloud computing service own the data? Does the cloud
computing system, which provides the actual storage space, own it? Is it possible for a
cloud computing company to deny a client access to that client's data? Several
companies, law firms and universities are debating these and other questions about the
nature of cloud computing.
How will cloud computing affect other industries? There's a growing concern in the IT
industry about how cloud computing could impact the business of computer
maintenance and repair. If companies switch to using streamlined computer systems,
they'll have fewer IT needs. Some industry experts believe that the need for IT jobs will
migrate to the back end of the cloud computing system.
Another area of research in the computer science community is autonomic computing.
An autonomic computing system is self-managing, which means the system monitors
itself and takes measures to prevent or repair problems. Currently, autonomic computing
is mostly theoretical. But, if autonomic computing becomes a reality, it could eliminate
the need for many IT maintenance jobs.
