BestData Products NITRO 5X
Best Data Products - Learning Center
Splitters

Because DSL technology uses a wide frequency range, it is possible to have simultaneous voice and data use of a single copper connection. (Indeed, one of the original design goals of DSL was to make it possible for one copper wire to service multiple homes (e.g. a small subdivision with only 1 copper connection to the local phone exchange) by multiplexing multiple 4 kHz conversations onto one copper pair.) The voice call uses the normal 0-4 kHz spectrum and the DSL modem uses the higher frequencies to pass the data traffic. Of course, this sharing of the copper is not without some potential problems. In particular, many phones may pass frequencies higher than 4 kHz onto the copper, interfering with the DSL data stream. Also, the higher frequencies used by the DSL may be picked up by the phone, causing static on the handset.

The original solution to the 4 kHz interference problem was to use "splitters": a device called a splitter is attached to the phone line near where it enters the customer premises. The splitter forks the phone line: one branch hooks up to the original house telephone wiring and the other branch heads to the DSL modem. See figure 1. Besides splitting the phone line, the splitter acts as a low-pass filter, allowing only 0-4 kHz frequencies to pass to/from the phone and thus eliminating the 4 kHz interference between phones and DSL modems.

Figure 1

The problem with splitters is that they require breaking and remaking some telephone wiring connections and perhaps even installing new wiring to the DSL modem. In many cases, this means a service call to the customer premises. To avoid this, various alternatives have been proposed. The Universal ADSL group is working on a reduced-speed DSL that is more immune to frequency interference and that probably uses only frequencies beyond human hearing. Rockwell has proposed something similar called CDSL (consumer DSL). Another solution, used by Netspeed equipment, is to use "micro filters"; Netspeed calls this "EZ-DSL." A micro filter is essentially a customer-installable low-pass filter with an RJ-11 jack on either end: the customer plugs the phone into one end and plugs the other end into the wall jack. A micro filter is placed between each telecom device and the wall jack it plugs into, except for the DSL modem. See figure 2.

Figure 2

Note that the micro filter solution is essentially a customer-installable (i.e. no wiring required) version of the splitter solution. Also note that it is only necessary to ensure that there is a micro filter somewhere between the telephones and the DSL line. If the customer premises wiring makes it easy to do, the setup in figure 2 can be replaced by the setup in figure 3 (the degenerate case, in which the micro filter solution essentially becomes a splitter solution). The figure 3 setup can potentially have less line degradation, and there have apparently been cases where a setup like figure 2 produces a line that is too marginal to work with a DSL modem but will work when wired as in figure 3.

Figure 3

 

Sharing a modem/cable/xDSL connection between multiple computers

Anyone with more than 1 home computer and an Internet connection eventually asks the question: "How do I share my Internet connection between my 2 (3, 4, 5...) computers?" Modem connections can be shared, and it is even more tempting to share cable/xDSL connections because of their "always on" nature and the greater bandwidth available. The methods are generally the same for any of the connection technologies and fall into three general categories:

  1. Obtain a separate IP address for each computer and make sure that you have some sort of networking enabled to share the connection. One option is to connect the cable modem to a hub and to connect your computers to the same hub. Alternatively, with a bit more setup, you may use a router and perform routing on your local network.

    The advantage of this solution is that each computer has equal and full access to the Internet. One disadvantage is that many ISPs charge separately for each IP address. There are also security concerns: if you just connect your local LAN directly to the Internet, you had better make sure your hosts are each individually secured. The other two solutions depend on a centralized approach to the external connection, making it a logical extension to deploy a centralized security solution (e.g. a firewall).
  2. Use NAT (network address translation) software to let multiple computers share a single IP address. Sygate is an example of a product in this area. Linux's IP masquerading is another. NAT1000 is another.
  3. Use proxy servers to proxy the particular service you want to share (e.g. HTTP proxy server, FTP proxy server, etc.). Wingate is an example of a product in this area.

dslreports.com has a nice set of drawings that depict the different ways of wiring up a LAN to the Internet.

 

Sharing a DSL connection with Both Local and Remote Computers

A more elaborate situation involves sharing a DSL connection with both your local LAN and with a remote laptop when you hit the road.

Sharing data over the Internet (VPN)

When I say "sharing data over the Internet" I mean using the Internet as a "long cable" to connect two (or more) geographically separate hosts. In other words, two separate hosts want to share files back and forth with each other. There are a number of ways to do this, each with separate capabilities and problems.

  1. OS-independent, bare bones: run an FTP server.
    One host runs an FTP server and other hosts can, via an FTP client, get and send files to the FTP server. This is a simple mechanism, is operating system (OS) independent, and is a time-honored tradition on the Internet. However, it is not very seamless and the capabilities are somewhat limited.
  2. Use standard Windows networking, with the Internet providing the connection.
    This is a nice extension of a local LAN over the Internet; however, the mechanism is not very secure. It opens the hosts at either end to potential security attacks and, typically, the data passing over the Internet (i.e. the contents of your files) is not encrypted. In other words, it is open to people to read or even (with more work) modify as the data moves over the Internet.
  3. Use VPN.
    VPN, or Virtual Private Networking, is a mechanism for establishing a secure and private network on top of an open and insecure network. In effect, you end up using the Internet as a pipe, and establish a secure and protected connection between two separate LANs over this pipe. A VPN connection typically provides all the capabilities of the "standard Windows networking" connection, with much better security and data integrity. Windows provides VPN services through a technology known as PPTP. Microsoft has several white papers on the technology on their web site. The "Routing and Remote Access" (also known as the multi-protocol router) patch for Windows NT provides both PPTP client and server capabilities.
Security

An excellent site for firewall reviews and other site security information is http://www.firewallguide.com/.

An xDSL (or cable modem) connection to the Internet carries a greater security risk than a plain old analog modem dialup connection. For one, the bandwidth is greater, allowing more cracking to be done in the same period of time. More importantly, the connection is usually always on, which makes your hosts a much easier (and potentially more lucrative) target to find. The discussion in this section concentrates on examples of LANs connected via DSL to the Internet, but the points apply to the single computer case just as well. (The LAN case encompasses the single computer case.)

One mechanism for sharing a DSL modem is to connect it directly to your local LAN hub and to use valid IP addresses for each of your hosts:

Figure 4: Direct Hub Connection

While this is a conceptually simple method for sharing a DSL connection (particularly with a bridging DSL modem and an ISP that is handing out IP addresses as required via DHCP), it requires a fair amount of diligence if you are concerned about the security of the local hosts. First, the only thing preventing your local LAN traffic from zipping around your ISP's LAN is an Ethernet learning bridge. While a bridge will not forward traffic destined to local MAC addresses, it will forward multicasts and broadcasts. A malicious cracker could make use of this information to target your systems. In addition, if you are using more broadcast-chatty protocols on your local LAN, like NetBEUI, you are passing even more information onto the ISP's system. A learning bridge is not a security device; it is a traffic-limiting device, designed to keep your local point-to-point LAN traffic from swamping the rest of the network. Second, a configuration like this leaves every host equally open to attacks from the outside. Each host has to be secured independently and equally if you want to prevent a weak link in your system. Finally, some security techniques (such as firewalls and preventing your file and printer sharing traffic from even being accessible) are not available in a configuration like this. There is nothing inherently wrong with this configuration: it is a perfectly valid configuration, depending on your security needs. Most companies with a concern about the data on their local LAN would not use a configuration like this. However, historically, many departments at educational institutions would connect with mechanisms similar to Figure 4 (with a standard Ethernet bridge, usually from DEC, rather than a DSL modem, but the concept is the same).

Other details of the direct hub connection (under construction): possible problems if only using the TCP/IP transport (lack of connectivity, or connectivity only through the ISP's gateway); using multiple IP addresses is problematic if both DHCP and static assignments are desired; using multiple transports and unbinding file and printer sharing/NetBIOS from TCP/IP.

Another option would place a dual-homed gateway between the ISP and your local LAN. If the local LAN is using non-routed IP addresses and if the gateway is only providing access through a proxy server or a NAT server, then the security is improved:


Figure 5

The dual-homed host solution isolates your local LAN traffic from the ISP's network. In addition, a NAT/proxy server on the dual-homed host provides some protection to the other hosts in the local LAN, which do not have to be watched/secured as tightly. In a situation like this, an operating system with security capabilities would be advisable. For Windows users, Windows NT, because of its security capabilities, would make more sense on the dual-homed host than Windows 95/98. Using NTFS, it is possible to lock down the OS files for NT, helping to defeat cracking attempts from the outside. In addition, it is possible, via the network control panel applet, to disable the Workstation, Server, and NetBIOS bindings from the network adaptor that is connected to the DSL modem. This eliminates all Windows networking file access through the NIC connected to the DSL: you won't have to worry about anyone making a network neighborhood connection to shares on your gateway machine. Unbinding like this does not eliminate file and printer sharing through the local LAN side of your gateway machine, which is a great feature. In other words, you have file and printer sharing capabilities on interfaces 192.168.0.1, .2, and .3, but don't even expose file and printer sharing capabilities through interface 204.180.205.31.

The dual-homed approach, with a fairly small degree of inconvenience (as compared to figure 4), provides the opportunity for improved security. To summarize the dual-homed approach:

  1. Use a dual-homed machine to make your connection to the DSL modem.
  2. Run a NAT, proxy, or firewall server on the gateway machine. Only run those services that are necessary (e.g. if you don't need to run an FTP server, don't).
  3. Use an OS with security capabilities on the gateway machine. Disable the guest account. Use reasonable passwords on all accounts. Lock down the OS files. Unbind native file networking protocols from the DSL-side NIC on the gateway machine. For Windows NT users, consult the quick checklist for securing Windows NT to make sure your Windows NT installation is reasonably secure. Also, the IIS security checklist has lots of information about securing a Windows NT machine that is connected to the Internet. If you want all the details on locking down your NT machine, this is the place to look.
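The dual-homed summary above can be expressed as a packet-filter ruleset. The script below is an added example, not from the original page or from any product it mentions; it targets Linux iptables (the "IP masquerading" option listed earlier) and assumes constructed names: ppp0 facing the DSL modem, eth1 facing the LAN hub, and 192.168.0.0/24 as the non-routed LAN block. It masquerades outbound LAN traffic, default-denies inbound traffic on the DSL side, refuses to masquerade a routable LAN block, and explicitly drops the NetBIOS/SMB ports on the DSL-side NIC, mirroring the "unbind file sharing from the DSL-side NIC" step.

```shell
#!/bin/sh
# Added example (not from the original page). Interface names and the LAN
# block are assumptions; pass your own to gateway_rules.

# RFC 1918 check: the page's dual-homed design assumes non-routed LAN addresses,
# so refuse to build NAT rules for anything else.
is_private_net() {
    case $1 in
        10.*|192.168.*) return 0 ;;
        172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print (do not apply) the ruleset: EXT_IF faces the DSL modem, INT_IF faces
# the LAN hub, INT_NET is the private LAN block behind the gateway.
gateway_rules() {
    ext_if=$1; int_if=$2; int_net=$3
    [ "$ext_if" != "$int_if" ] || { echo "interfaces must differ" >&2; return 1; }
    is_private_net "$int_net" || { echo "$int_net is not RFC 1918" >&2; return 1; }
    cat <<EOF
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i $int_if -s $int_net -j ACCEPT
iptables -A INPUT -i $ext_if -p tcp -m multiport --dports 137,138,139,445 -j DROP
iptables -A INPUT -i $ext_if -p udp -m multiport --dports 137,138,139,445 -j DROP
iptables -A FORWARD -i $int_if -o $ext_if -s $int_net -j ACCEPT
iptables -A FORWARD -i $ext_if -o $int_if -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING -o $ext_if -s $int_net -j MASQUERADE
EOF
}

# The explicit NetBIOS/SMB drops are redundant under the DROP policy, but they
# keep the "no file sharing on the DSL side" intent visible even if someone
# later inserts a broad ACCEPT rule on the external interface.

# Apply only when invoked as: sh gateway.sh apply   (requires root)
if [ "${1:-}" = "apply" ]; then
    gateway_rules ppp0 eth1 192.168.0.0/24 | sh
fi
```

Run without arguments the script only defines the functions; `gateway_rules ppp0 eth1 192.168.0.0/24` prints the rules for review before anything is applied.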

NSA has a popular set of white papers on securing Windows 2000.

For a great tome on security, see the CERT site.

Port scanning sites

HackerWacker will do a port scan and a few other probes of your host, testing for common security problems.

http://grc.com/ will do a port scan (look for "Shields Up").

http://www.dslreports.com/r3/dsl/secureme
