
Network Design


Introduction

A small business network design will of course be a function of the number of users and the programs that make it up. For most small businesses a peer-to-peer network with a file server, a router, and a few workstations will be adequate. Your file server can basically be a standard PC that you designate as your file server.

Small Office Network
- Internet – ISP
- Modem – wire to office; translates electronic data
- Router – disperses electronic data
- Network adaptor – required for each computer
  - Wired: NIC (network interface card) or Ethernet card
  - Wireless: wireless adaptor

With this configuration you can use the file server as a locker for all of your data and set up online backup software to back it up continually. The costs for these services are negligible when considering the frustration and lost time that come from losing your data.

I would suggest using static IP addresses for each workstation rather than DHCP. What this means is that the IP address of each machine will remain the same at all times. Removing the variability that is associated with DHCP makes troubleshooting much easier if you have any problems or need to add equipment to the network.

What you will need to get started:
- Cat 5 Ethernet cable (purchase lengths accordingly)
- Cable/DSL modem (the box the cable supplying the internet plugs into)
- Router (wired or Wi-Fi; if using Wi-Fi, stick with 802.11n)
- Two workstations and two laptops
- File server (another computer)
- Modem
- Printer

Network
- One or more devices connected together
  - to the Internet with a router
  - to each other in order to share resources: Internet connection sharing, file sharing, printer sharing

WAN, LAN, WLAN, PAN
- WAN – Wide Area Network … many computers, multiple locations
- LAN – Local Area Network … few computers, one location
- PAN – Personal Area Network … home network
- WLAN – Wireless Local Area Network

Note: cross-over cables can be confusing.
Hold them side by side and the colors should be the same; otherwise orange and blue are switched.

Wireless

Wireless Networking Standards
- 802.11 a, b, and g: configuration specifications to ensure compatibility
- Different speed/range capabilities
- Equipment conforming to "g" is most popular/available
- Good for 100-400 feet … in a house
- General rule: don't mix equipment made to different standards
- Bluetooth: a standard which is often used for peripheral devices (printers, scanners, cell phones, etc.); short range (10 ft), high speed

What is a Cable/DSL Modem
- Modem (modulator/demodulator): encodes/decodes information transmitted to the internet
- Usually provided and controlled by your ISP
- Connects your home to the Internet; this is the device that gets your public IP (Internet Protocol) address
- Normally has no firewall protection

What is a Router
- Connects one network to another … sometimes called a "gateway"
- Connects your computer to the internet (cable modem or DSL line) and keeps LAN traffic local
- Routers keep track of IP addresses and physical (MAC) addresses of hosts
  - IP (Internet Protocol) address … your computer's internet address
  - MAC (Media Access Control) address … ID for each physical communication device

What is an Access Point
- A point where computers access a network
- Device which links wireless users to the network
- Transmits and receives data (transceiver)
- Bridge between wireless and wired networks
- Can be linked together to cover a broad area
- No security or firewall implemented

What is a Firewall
- A device that filters packets of data or traffic; its job is to be a traffic cop
- You configure the firewall: what it will allow to pass, what it will block
- Hides your home network from the outside world
- Can be either hardware or software
- Most popular home routers have built-in firewall protection

What Does a Firewall Do?
They:
- Protect your home computer from the bad guys
- Keep your information private
- Make you less of a target
By:
- Stopping viruses
- Hiding your computer from the world
- Making the bad guys work harder to get your info

Firewall Protection
- Hardware firewall routers: the idea is layers of protection. Examples of home combo units include Belkin (we will demo tonight), D-Link, Linksys, Netgear
- Software firewalls: adding a second level of protection; controlling what leaves your computer; being aware of application-level attacks; allowing you to schedule usage of the internet by time (control access at night) and by location (block content for young children)

Software Firewalls for Home Use – Examples
- Zone Alarm (free)
- McAfee Firewall
- Symantec's Norton Personal Firewall
- Computer Associates with Firewall (free)
- Windows Firewall in XP Service Pack 2 (free)

Configure Wireless Firewall/Router – Overview
- Basic settings … name, IP address, etc.
- Check for firmware updates
- Set account name and password; change the name and password … don't use the defaults
- Wireless settings: SSID broadcast … make sure that remote computers are set to automatically connect
- Do not enable DMZ
- Do enable ping blocking
- Security – blocking and filtering: wireless security encryption, MAC filtering
- Back up settings

Basic Settings and Info
- Run the install CD that comes with the router; basic info will be automatically entered or requested
- To change info: for Belkin the default IP address is 192.168.2.1 (other manufacturers use different IP addresses; see the table on a later slide). Enter this into the browser address bar and the setup page will be displayed
- Firmware – software that is embedded in a hardware device; updated occasionally by manufacturers; check whenever you access the router

Account Name
- Change the name; the default name is set by the manufacturer … e.g., Belkin54
- Bad guys know the defaults and the default administrative passwords

Create Administrative Password
- Use a strong password
- Record your password where you can find it so you can make changes

Default Info
- Router default info is
easily available on the internet for consumers, so change the name and password.

  Mfg       Default IP     User Name   Password
  Belkin    192.168.2.1    admin       (blank)
  D-Link    192.168.0.1    admin       (blank)
  Linksys   192.168.1.1    (blank)     admin
  Netgear   192.168.0.1    admin       password

Wireless Settings
- SSID – service set identifier: the name given to your wireless network. Broadcasting this ID makes the network visible to PCs in the area; it can be turned off so the network will not be detected by other PCs in the area. Be sure to set up your own PC to automatically detect and log on to your WLAN.
- DMZ – allows you to select a PC to access the WLAN outside the firewall. Do not enable it unless the firewall interferes with some activity.
- Ping blocking – ping is a troubleshooting tool: a signal is sent, and an echo received indicates a valid IP address. It is used by hackers to find active computers. Enable ping blocking … the router won't send the echo back.

Security – Blocking and Filtering
- Encryption – coding transmissions. There are multiple variations; the two most common:
  - WPA-PSK … Wireless Protected Access (Pre-shared Key). Use the same password for all computers. Preferred choice.
  - WEP … Wired Equivalent Privacy. 64- or 128-bit encryption … doesn't matter. Enter a password … it converts to a hex code, and that hex code must be entered on each client. Second choice (if WPA is not supported).
- MAC filtering – MAC address … Media Access Control address: a unique ID permanently attached to each communication device by the manufacturer (hardware ID). To find a MAC address: run cmd, then ipconfig /all. Enter the MAC addresses of acceptable network clients; if an address is not on the filter list, access to the network will be denied. Very effective security method.

RECAP – Steps to protect your wireless network
1. Change the default password on your router
2. Enable WPA(PSK) or WEP on the router and wireless workstations
3. Use MAC address filtering
4. Turn SSID broadcast off
5. Prohibit peer-to-peer (ad hoc) networking
6.
Keep current on hardware BIOS upgrades

Print and File Sharing – Overview
- Print and file sharing: useful, but risky if all computers are not secure
- Setting up the network for printer and file sharing:
  - Interface card: set the interface card to allow sharing on each computer in the network; make sure each computer is part of the network
  - Printer: make sure that print sharing is allowed for the printer; load the appropriate print drivers on each computer
  - Firewall settings: reset the network IP range to the trusted zone
  - Place files to share in the "Shared Documents" folder

Print and File Sharing – Details (1)
- Be sure the WLAN is working and secure
- Interface card: Start → Connect To → NIC or WLAN card → Properties; check "File and Printer Sharing on Microsoft Networks"; repeat for all PCs on the network
- Printer: Start → Printers and Faxes → shared printer; select Properties → Sharing → check "Share this printer"

Print and File Sharing – Details (2)
- Firewall: be sure the WLAN IPs are allowed in the firewall for all PCs. Zone Alarm → Firewall → Zones → Add → IP range
- Network ID for each computer: under My Computer → Properties → Computer Name, click Change and add the WLAN name as the Workgroup
- Shared Documents folder for each computer: any files in the Shared Documents folder will be accessible from all computers

www.lccug.com

Set Up Your Router

If you are using a new router it should work right away with your computers. It may come with software that will set up your initial configuration.

Security for a Small Business Wireless Network

If you choose to go with a wireless/Wi-Fi network, a few precautions can be taken to minimize the threat of an intruder.
1. Change your router's SSID. This is simply what you call your router. A name like "Joe the Plumber's small business wireless network" could potentially draw some attention, so stick with something that promotes anonymity.
2. Don't broadcast. Some routers have a broadcast setting that you want to make sure is turned off.
3. Use a password. Set up 128-bit WEP encryption.
This is a straightforward process that varies depending on your router. Once you set the password, write it down and file it away.
4. Enable the firewall. If your wireless router has one, enable the firewall.
5. Set up a workgroup. The last measure is simply naming the workgroup of your network. This will have to be done on each workstation. To do this, go to "Control Panel," then "System Properties," then "Computer Name." Click the "Change" button and type in a new workgroup name.

What can one expect to pay for the above solution? Well, I recently reviewed a proposal from a mom-and-pop computer repair and consulting company, and the price for a new server, one workstation, the router, and setting it all up was right around $1760.00.

Copyright SHYEntrepreneur.com. All Rights Reserved.

How to Set Up a TCP/IP Network

You may want to set up a local network for the Internet protocol TCP/IP (in addition to IPX) to allow use of applications which use TCP/IP on your network. In addition, you may want to set up TCP/IP to allow computers on your LAN to access the Internet as described below. To do this, set up the TCP/IP protocol in Windows 98/XP networking and bind it to your Ethernet adapter.

Each computer on the LAN needs to have its own address. The addresses in the ranges 10.10.10.0 to 10.10.10.255 and 192.168.0.0 to 192.168.0.255 have been reserved for local networks, so no site on the Internet will have addresses in these ranges. Therefore you should give each computer on your LAN a different address within this range, such as 10.10.10.1, 10.10.10.2, etc. Do not use 10.10.10.0 or 10.10.10.255, as these have special uses. Set the network mask to 255.255.255.0 on each computer. You may be able to use the network connection wizard to automatically set up your network.
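Added example, not from the page or any vendor: a Python inventory check that applies two of the page's per-device rules together, the static-address rules from the TCP/IP section just above (10.10.10.0/24, mask 255.255.255.0, never .0 or .255, one range for every host, gateway 10.10.10.1 as in the connectivity section) and the MAC-filtering step from the wireless security slides (find the Physical Address with ipconfig /all, then enter it in the router's allow list). The device names, addresses, MACs and ipconfig text are constructed sample data.

```python
import ipaddress
import re

# The page's example LAN: 10.10.10.0/24 (mask 255.255.255.0); the connectivity
# computer or router at 10.10.10.1 is the gateway for every host.
LAN = ipaddress.ip_network("10.10.10.0/24")
GATEWAY = ipaddress.ip_address("10.10.10.1")

def normalize_mac(raw):
    """MAC as AA:BB:CC:DD:EE:FF from the dash form 'ipconfig /all' prints, colon form or bare hex; None if malformed."""
    digits = re.sub(r"[-:]", "", (raw or "").strip()).upper()
    if not re.fullmatch(r"[0-9A-F]{12}", digits):
        return None
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def physical_address_from_ipconfig(output):
    """Return the first 'Physical Address' value in captured 'ipconfig /all' text."""
    for line in output.splitlines():
        if "Physical Address" in line and ":" in line:
            return line.split(":", 1)[1].strip()
    return None

def check_ip(name, addr_str):
    """Apply the page's static-address rules to one host; return a list of problems."""
    try:
        addr = ipaddress.ip_address(addr_str)
    except ValueError:
        return [f"{name}: '{addr_str}' is not a valid IP address"]
    problems = []
    if not addr.is_private:
        problems.append(f"{name}: {addr} is not in a reserved private range")
    if addr not in LAN:
        problems.append(f"{name}: {addr} is outside {LAN}; every host must use the same range")
    elif addr in (LAN.network_address, LAN.broadcast_address):
        problems.append(f"{name}: {addr} is the network or broadcast address (special use)")
    return problems

def build_inventory(devices):
    """devices: (name, static_ip, raw_mac). Returns (per-host TCP/IP settings, router MAC allow list, problems)."""
    configs, allow, problems, used = {}, [], [], {}
    for name, ip_str, raw_mac in devices:
        probs = check_ip(name, ip_str)
        mac = normalize_mac(raw_mac)
        if mac is None:
            probs.append(f"{name}: MAC '{raw_mac}' is malformed")
        if not probs and (ip_str in used or mac in used):
            probs.append(f"{name}: address or MAC already used by {used.get(ip_str) or used.get(mac)}")
        if probs:
            problems.extend(probs)
            continue
        used[ip_str] = used[mac] = name
        configs[name] = {"address": ip_str, "netmask": str(LAN.netmask), "gateway": str(GATEWAY)}
        allow.append(mac)
    return configs, allow, problems

# Constructed sample data (names, addresses and MACs are not from the page).
SAMPLE_IPCONFIG = "Ethernet adapter Local Area Connection:\n   Physical Address. . . . . . . . . : 00-1A-2B-3C-4D-5E\n"
DEVICES = [
    ("router", "10.10.10.1", "00:11:22:33:44:01"),
    ("fileserver", "10.10.10.2", "00:11:22:33:44:02"),
    ("workstation1", "10.10.10.10", physical_address_from_ipconfig(SAMPLE_IPCONFIG)),
    ("workstation2", "10.10.10.11", "001122334404"),
    ("laptop1", "10.10.10.11", "00:11:22:33:44:05"),    # duplicate address
    ("printer", "10.10.10.255", "00:11:22:33:44:06"),   # broadcast address
    ("guest", "192.168.0.5", "00:11:22:33:44:0G"),      # other range and bad MAC
]
if __name__ == "__main__":
    configs, allow, problems = build_inventory(DEVICES)
    print(configs, allow, problems, sep="\n")
```

The three flagged devices show the mistakes the page warns about (a duplicate static address, the broadcast address, a host in a different range) plus a mistyped MAC that would silently fail the filter.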
Connecting Your Local Network to the Internet

You can set up a modem on one of your computers under Dial-Up Networking to access an Internet Service Provider (ISP) such as IBM.net or sprynet.com even though you have a local TCP/IP network set up. The computer will automatically go to your local network for addresses in the 10.10.10.X range and to your dial-up network for other addresses.

But what if you want employees on any of your computers to have access to the Internet for email and other applications? This can be done as follows. ISPs generally provide a single Internet Protocol (IP) address to their low-cost dial-up customers. This IP address is usually assigned dynamically at logon time so that it can be reassigned to someone else when you log off. ISPs also usually only allow one person to log on at a time under a single account, so even if you have multiple phone lines and modems you would need multiple ISP accounts to allow two or more people simultaneous internet access.

There are a number of software products such as Trumpet Firesock (see "connectivity products" at www.tucows.com or www.cws.com) which allow multiple computers on a LAN to use a single ISP account simultaneously. These programs use "IP spoofing" to make multiple users look like a single user to your ISP. The modem and connectivity product are installed on one of your computers. The TCP protocol in all the computers is set so that the address of the connectivity computer (e.g. 10.10.10.1) is set as the gateway. All the computers are set to use the Domain Name Server (DNS) address specified by the ISP. The connectivity product can be set to automatically dial and connect to the ISP whenever anyone tries to access any internet service outside your LAN, and to disconnect after a predetermined time elapses with no access.
The "connectivity computer" would need to be left on whenever anyone might need access. Alternately, a stand-alone "router" can be used to connect between your LAN and the internet via dial-up modem, high speed access, or ISDN line.

You can usually connect multiple computers to a network that also includes a cable modem or DSL modem to allow all the computers Internet access. However, cable and DSL accounts also typically charge more for multiple-computer access to the Internet. If you have two NIC cards in a connectivity computer you can connect one to your cable modem and the other to your in-house network linking to the other computers. Windows XP will nearly automatically set up both sides of this arrangement (no additional connectivity product needed) such that the cable or DSL modem thinks it is only talking to one user. You only pay the single-user charge while your other computers can access the Internet via the connectivity computer. You may also be able to use a single NIC to connect to your internal network and use a USB cable to connect to the cable or DSL modem, avoiding a second NIC. Inexpensive router boxes can be used to connect a single modem to multiple computers. Cable and DSL "always on" services normally semi-permanently assign an IP address and name to your account.

Voice Over IP Services

Inexpensive router boxes are now available to support voice over IP (VOIP) services provided by Vonage or other Internet-based telephone services. These units connect to the Internet via an RJ-45 cable connecting to your cable or DSL modem and typically provide two RJ-11 phone connectors and three RJ-45 ethernet connectors. The ethernet connectors can be connected directly to up to three computers. The phone connectors can be connected to ordinary phones to provide up to two lines of phone service. The phone lines can be routed to many phones via standard building phone lines.
However, these small VOIP boxes may not be able to drive as many ringers as a typical telephone company line. If you are using more than one phone on each line, check with the box vendor to see how many phones each line can handle.

A major advantage of Vonage or another non-locality-based VOIP provider is that by taking the little box with you and plugging it in to local Internet, you can be reached on your local number wherever you go. Callers have no way of knowing you are not in your office. Careful: if someone should happen to dial 911 while in the remote location, the fire trucks are going to go to the wrong address!

The quality of the VOIP service is mostly dependent on the quality of the underlying Internet service. For example, if you are having problems with Vonage it is more likely that the actual problem is with your cable or DSL supplier. If you are using a separate router (e.g. a wireless router), the VOIP box should be connected to the modem and the router connected to the VOIP box. This way the VOIP box will have priority over the computers' access, and voice quality will be better during times when your computers are accessing the Internet.

Be advised that fax machines typically do not work well with VOIP. This is because any momentary delay, slowdown, or dropped packets, which do not cause any problem with the computer Internet connection and only cause a click on the voice line, can interfere with the operation of the analog modem in the fax, causing a dropped-fax error. If you are having problems faxing, try setting the fax's modem to operate at a slower speed (2400 baud) instead of the normal 14,400 baud. If the fax's instruction manual does not say how to do this (they frequently do not), try searching on the Internet. Unfortunately, if it works today it still might not work tomorrow when the Internet is busier.
Many people report they are totally unable to obtain reliable fax operation through VOIP. It is futile to look to the VOIP service for a solution, and your Internet provider is likely to blame the VOIP provider. An obvious solution that eliminates the need to even have a fax machine is to have the capability for receiving faxes as an email attachment and for sending faxes from a scanned or PDF document file uploaded to the VOIP provider. This would allow you to send and receive faxes at your laptop in the field as well as at your SOHO, and also allows you to store faxes on your hard drive as opposed to a paper file. For some unknown reason, Vonage does not provide this capability, although they do provide the capability for receiving voice mail messages as email-attached audio files. You may obtain fax capability from myfax.com, which allows faxes to be sent by sending an email with or without attachment to [email protected], allows receipt of faxes by email, and provides incoming fax numbers matching your area code. They have a cheaper service in which you cannot specify the area code for your incoming fax number.

Dynamic Host Configuration Protocol (DHCP)

All the participating devices (computers, routers, etc.) in an Internet network need certain configuration data to operate, including the Internet Protocol (IP) address to be used by the device, the IP address of the upstream gateway, the mask defining the size of the local network, and nameserver addresses. Modern software and hardware can use DHCP to get this information automatically from the upstream side at startup and avoid the need for manual entry. However, you need to initialize the boxes in a particular order for this to work. If you first turn on the cable or DSL modem, the modem will get its information from the company. Then you can turn on your router box, which will get its information from the modem. Then turn on the computers so they can get their configuration data from the router box.
If power fails frequently in your area you may want to use a small uninterruptible power supply (UPS) to power the modem and router boxes, to avoid having to go through this sequence later.

Using ISDN with a Local Network

If you live in an area which provides Integrated Services Digital Network (ISDN) at reasonable rates, such as the southern part of Bell Atlantic's service area, you may want to consider using ISDN vs. a modem and analog line to provide Internet connectivity to a LAN. ISDN is being replaced with DSL or cable high speed Internet access.

Wireless

Inexpensive wireless routers are now available that connect to a cable or DSL modem and provide a local wireless Internet "hot spot" in addition to providing typically three RJ-45 connections for wired service. Modern laptops, netbooks, and smart phones typically come with built-in wireless capability. Small wireless adapters that plug into a USB port can be used to connect a desktop machine to the wireless network. Wireless typically has more "glitches" than wired and may be somewhat slower, so if a computer is semi-permanently in the same room as the router, use a wired connection.

Typical Small Office Network with Internet Capability

Here is a description of a typical Internet-enabled small office network for a small company "SmallCo": Five PC-type computers running Windows or MacOS are connected via NICs to an Ethernet using 10-base-T RJ-45 wiring and an 8-port hub. PCs are configured to use the TCP/IP protocol and to use file and printer sharing over the IPX/SPX protocol, so all employees can use all the printers and can use common file areas or drives on the PCs. A stand-alone router is used to connect to the Internet via DSL, cable, or analog modem using an Internet access provider and a single-user account. The company has a web site at www.xyz.com hosted elsewhere by an ISP or web site developer.
(Some DSL and cable providers object to users running web sites from their DSL or cable accounts.) Each employee has an email address such as [email protected], [email protected], etc. The web site provider furnishes POP email mail boxes for each employee. Alternately, the web site provider can supply aliases to route mail from "[email protected]" to an access provider mail box. Email clients on the employee computers access the POP mail boxes to receive mail and send mail via an access provider SMTP server.

Managing Modems and Routers

Cable modems, DSL modems, and routers usually have a built-in web server that displays administrative pages. By entering the proper numerical IP address in your browser, you can contact this web server and configure the operation of the device. Modems also usually display diagnostic information including incoming signal strength, etc. This information is very useful when talking to your provider about any problem. Modems, routers, and your individual computers all can be configured to act as firewalls. This can cause confusion if, for example, you are trying to alter the firewall to allow some new service. Also see DHCP above.

Copyright © 1997 - 2010 Azinet LLC
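Added example, not from the page or any router vendor: the Configure Wireless Firewall/Router checklist and the RECAP steps from the slides above, applied as an audit of a router settings backup of the kind the slides tell you to save from the administrative pages. The setting names are this example's own (no vendor's backup format uses them), the default logins come from the slide table, and the factory and hardened settings are constructed; the hardened password is a placeholder.

```python
# Default administrative logins (user, password) from the page's table.
FACTORY_LOGINS = {
    "Belkin": ("admin", ""),
    "D-Link": ("admin", ""),
    "Linksys": ("", "admin"),
    "Netgear": ("admin", "password"),
}

# Hypothetical settings exports; the key names are this example's own.
FACTORY_STATE = {
    "vendor": "Belkin", "admin_user": "admin", "admin_password": "",
    "ssid": "Belkin54", "ssid_broadcast": True, "dmz_host": "192.168.2.10",
    "ping_blocking": False, "encryption": "none", "mac_filter": [],
    "ad_hoc_allowed": True, "firmware_checked": False,
}
HARDENED_STATE = {
    "vendor": "Belkin", "admin_user": "admin",
    "admin_password": "example-long-passphrase-CHANGE-ME",  # placeholder, constructed
    "ssid": "office-lan-7", "ssid_broadcast": False, "dmz_host": None,
    "ping_blocking": True, "encryption": "WPA-PSK",
    "mac_filter": ["00:11:22:33:44:01", "00:11:22:33:44:02"],  # constructed MACs
    "ad_hoc_allowed": False, "firmware_checked": True,
}

def audit_router(s):
    """Return the checklist items from the slides that this settings export still fails."""
    findings = []
    default = FACTORY_LOGINS.get(s["vendor"])
    if (s["admin_user"], s["admin_password"]) == default or s["admin_password"] == "":
        findings.append("admin login is the manufacturer default or blank; set a strong password")
    if s["ssid"].lower().startswith(s["vendor"].lower()):
        findings.append("SSID is the default name; rename it (avoid a name that identifies the business)")
    if s["ssid_broadcast"]:
        findings.append("SSID broadcast is on; turn it off and set your own PCs to connect automatically")
    if s["dmz_host"]:
        findings.append(f"DMZ places {s['dmz_host']} outside the firewall; disable it")
    if not s["ping_blocking"]:
        findings.append("ping blocking is off; enable it so the router sends no echo back")
    if s["encryption"] == "none":
        findings.append("wireless encryption is off; enable WPA-PSK (WEP only if WPA is unsupported)")
    elif s["encryption"] == "WEP":
        findings.append("WEP in use; switch to WPA-PSK if the equipment supports it")
    if not s["mac_filter"]:
        findings.append("MAC filter list is empty; enter the MAC address of each acceptable client")
    if s["ad_hoc_allowed"]:
        findings.append("peer-to-peer (ad hoc) networking is allowed; prohibit it")
    if not s["firmware_checked"]:
        findings.append("firmware not checked; look for updates whenever you access the router")
    return findings

if __name__ == "__main__":
    for label, state in (("factory", FACTORY_STATE), ("hardened", HARDENED_STATE)):
        findings = audit_router(state)
        print(f"{label}: {len(findings)} finding(s)")
        for f in findings:
            print("  -", f)
```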