Getting Windows XP To Act as NAT Server


Will

What is the easiest way to get Windows XP Professional to act as an NAT
server for only one of its attached host adapters?
 
Chuck said:
Will,

ICS is a Windows XP NAT ROUTER solution - not NAT server. You can configure ICS
on any one of multiple LAN connections.

ICS isn't all that secure I guess? What's the cheapest commercial NAT
solution that would work on a Windows XP host? Most commercial solutions
are going to be full blown stateless firewalls that require a server OS for
the install, not to mention fairly serious dollars.....

I need the NAT on Windows XP just as a performance tweak on a VMWare virtual
machine used for a non production system. The VMWare built-in NAT
functions work but have terrible performance problems. I can certainly
try ICS, but just hate to lower security on the XP host.
 
"Will" said:
Chuck said:
ICS isn't all that secure I guess? What's the cheapest commercial NAT
solution that would work on a Windows XP host? Most commercial solutions
are going to be full blown stateless firewalls that require a server OS for
the install, not to mention fairly serious dollars.....

I need the NAT on Windows XP just as a performance tweak on a VMWare virtual
machine used for a non production system. The VMWare built-in NAT
functions work but have terrible performance problems. I can certainly
try ICS, but just hate to lower security on the XP host.

I respectfully disagree with Chuck's comments about ICS being insecure
or straining the resources of the server. In my opinion, ICS, with
the Windows Firewall enabled on the host, is fine, because:

1. The attack that he cites that can kill the Windows firewall has to
come from a computer on the LAN. The attack can't come from the
Internet. See this site for details:

http://www.networkworld.com/news/2006/103006-new-windows-attack-can-kill.html

2. In my opinion, ICS puts a negligible load on the host computer. A
typical home broadband router has a much slower processor and much
less memory than an XP ICS host computer. For example, my SMC
Barricade router has a 40 MHz CPU and less than 1 MB of memory. A
computer meeting the absolute minimum requirements for Windows XP is 10
times faster and has 128 times as much memory. A more recent computer
is at least 50 times faster than that router and has at least 256
times as much memory.
--
Best Wishes,
Steve Winograd, MS-MVP (Windows Networking)

Please post any reply as a follow-up message in the news group
for everyone to see. I'm sorry, but I don't answer questions
addressed directly to me in E-mail or news groups.

Microsoft Most Valuable Professional Program
http://mvp.support.microsoft.com
 
Chuck said:
ICS isn't all that secure I guess? What's the cheapest commercial NAT
solution that would work on a Windows XP host? Most commercial solutions
are going to be full blown stateless firewalls that require a server OS for
the install, not to mention fairly serious dollars.....

I need the NAT on Windows XP just as a performance tweak on a VMWare virtual
machine used for a non production system. The VMWare built-in NAT
functions work but have terrible performance problems. I can certainly
try ICS, but just hate to lower security on the XP host.

Will,

The disadvantages of ICS are a combination of issues. You read the list I
suspect, and I know Steve did. All of them are not that earth shattering, and
if a NAT router was expensive, ICS would be well worth it. As it was 5 years
ago.

When you see decent NAT routers available for as little as $10 after rebate, why
gamble?

And yes, Steve, the currently known exploit uses a hostile computer on the LAN
as the attack medium. But that's why we have WF in the first place - to protect
each computer from the other. If you recognise that need, you must recognise
the need to prevent that protection from being tampered with.

Use one computer for doing the web browsing, and another for sharing the
service, and sharing it in safety. Don't mix the two. Certainly not to save as
little as less than one month's web service.
 
Chuck said:
When you see decent NAT routers available for as little as $10 after rebate, why
gamble?

In case you have not used the VMWare Server virtual machine software before,
it creates "virtual network adapters" between the host computer and the
virtual machines. In this model, the host creates a virtual switch fabric
corresponding to each of the networks for the virtual adapters.

There is no place in this model to plug in an NAT hardware router. The NAT
capability must exist in some form on the host computer or the virtual
machines do not get NAT.

And yes, Steve, the currently known exploit uses a hostile computer on the LAN
as the attack medium. But that's why we have WF in the first place - to protect
each computer from the other. If you recognise that need, you must recognise
the need to prevent that protection from being tampered with.

And I would probably go farther than that and point out that the risk is
seldom from direct attack from the outside. These days most compromises
happen when users visit web sites and install trojans as ActiveX controls.
Once a host is taken over from inside, the inside host becomes the mechanism
for attacking other hosts on the internal network.

Use one computer for doing the web browsing, and another for sharing the
service, and sharing it in safety. Don't mix the two. Certainly not to save as
little as less than one month's web service.

If I could fix the performance problem I am trying to fix, I would probably
start doing all of my web browsing inside of virtual machines. They can
have their state checkpointed and easily recovered to a known point in time
after you begin to suspect a problem inside the VM.
 