Off Topic...Public IPs

[nick]

I have a client that bought a block if IP addresses from Bellsouth. He
wants to assign those IP addresses to various systems in his office so
he can RDP to them directly. I have a few questions about this...


1. When configuring a block of addresses how does the router know it
has a block? What I mean is, does the router get one static IP, and
through that router we can configure the other systems statically?

2. Wouldn't exposing a domain client system to the Internet, with a
public IP, be a big security risk?

 

[Philip Herlihy]

I have a client that bought a block if IP addresses from Bellsouth. He
wants to assign those IP addresses to various systems in his office so
he can RDP to them directly. I have a few questions about this...


1. When configuring a block of addresses how does the router know it
has a block? What I mean is, does the router get one static IP, and
through that router we can configure the other systems statically?

2. Wouldn't exposing a domain client system to the Internet, with a
public IP, be a big security risk?

1) It's the "subnet mask" that determines which addresses are "local"
and which have to be passed to a gateway (router). Typically a router
has one subnet on one side, and one or more on the other, often with the
router dishing out addresses to the "internal" subnets via DHCP. The
notion of "Subnet Mask" comes from bitwise comparison operations, and
can be hard to get your head around.

Example: a common IP address and subnet mask combination is:
192.168.1.1 with subnet mask 255.255.255.0
The ".0" here effectively means "any", so any address starting with
192.168.1 is to be considered local (ie part of the subnet), and doesn't
need to be diverted elsewhere. A router has two subnets (sometimes
more), typically one internal and one external. A router will often
incorporate a firewall which allows control over which connections are
allowed to pass from one side to the other. If you put your "various
systems" on the external subnet, then the router/firewall can't control
what reaches them, and so they would need well-maintained firewalls
(presumably software ones) themselves.

What I've done to achieve the same thing is buy a decent firewall/router
which allows "virtual servers". I can specify that an incoming
connection on port 9876 (say) should be routed to machine 6 on port 3389
(which will be picked up by Remote Desktop), which a connection on 9875
(say) should go to machine 5, again on port 3389. In the Remote Desktop
client you simply put the entry port number after the router's IP
address, so if you have a modem/router with a public IP address of
123.456.789.123, you'd enter "123.456.789.123:9876" in the RDC address
box. Much more secure than opening up the whole machine.

2) Yes.

Phil, London

 

[nick]

1)  It's the "subnet mask" that determines which addresses are "local"
and which have to be passed to a gateway (router).  Typically a router
has one subnet on one side, and one or more on the other, often with the
router dishing out addresses to the "internal" subnets via DHCP.  The
notion of "Subnet Mask" comes from bitwise comparison operations, and
can be hard to get your head around.

Example: a common IP address and subnet mask combination is:
192.168.1.1  with subnet mask 255.255.255.0
The ".0" here effectively means "any", so any address starting with
192.168.1 is to be considered local (ie part of the subnet), and doesn't
need to be diverted elsewhere.  A router has two subnets (sometimes
more), typically one internal and one external.  A router will often
incorporate a firewall which allows control over which connections are
allowed to pass from one side to the other.  If you put your "various
systems" on the external subnet, then the router/firewall can't control
what reaches them, and so they would need well-maintained firewalls
(presumably software ones) themselves.

What I've done to achieve the same thing is buy a decent firewall/router
which allows "virtual servers".  I can specify that an incoming
connection on port 9876 (say) should be routed to machine 6 on port 3389
(which will be picked up by Remote Desktop), which a connection on 9875
(say) should go to machine 5, again on port 3389.  In the Remote Desktop
client you simply put the entry port number after the router's IP
address, so if you have a modem/router with a public IP address of
123.456.789.123, you'd enter "123.456.789.123:9876" in the RDC address
box.  Much more secure than  opening up the whole machine.

2) Yes.

Phil, London

So why would we need a block of public addresses? Is that for exposing
more than one system to the Internet? I've always just done NAT on the
router like you suggest. But this was confusing me. Supposedly the
client wants to RDP directly to his machine without using port
numbers. I don't see what the big deal would be.

Thanks for the reply.

 

[Philip Herlihy]

So why would we need a block of public addresses? Is that for exposing
more than one system to the Internet? I've always just done NAT on the
router like you suggest. But this was confusing me. Supposedly the
client wants to RDP directly to his machine without using port
numbers. I don't see what the big deal would be.

Thanks for the reply.

If the client wants to RDP directly to his machine without quoting a
port number then either the machine has to have a public IP address, or
it has to be the one machine behind a router to which the router diverts
the default RDP port (3389). But it would be little trouble to set up
an environment variable to translate "graphics" to 123.456.789.321:8765
- client types "graphics" in the box and gets the machine he wants. I'm
assuming that would work - if it doesn't, you can always save an RDP
shortcut - that I have done.

The big deal is security. If you put a machine directly on the Internet
it will be picked up by automated port scans and then automated hacking
attacks, so you need to be running a software firewall. The Windows
firewall has been enough to reduce the incidence of "worms" to a trickle
instead of a flood, although it's rather basic, so what you suggest is
at least feasible. However, unless you have many machines, a NAT
router/firewall gateway offers far more control over what traffic can
enter your network, while providing near-transparent access for
legitimate traffic. If you do have many machines, it would be better
to assign your IP addresses to a series of such gateways, each of which
could provide NAT services to a whole family of computers. But it's a
large network that would need more than one. In theory, each gateway
could support at least 253 client computers per supported subnet, and
many more if the 10.x.x.x number range is used. In practice, cheaper
firewalls have limitations due to processing capacity. The Netgear
FVS114 is terrific value for a really small network, but I found it
gasps for air when serving ten busy machines.

I understand that having a block of IP addresses which share a common
subnet mask is only useful if they are physically connected on the same
cable.

Caveat: my networking experience is confined to relatively small
networks, and there may be further contributions from people with wider
knowledge. One of the good things about answering queries on newsgroups
is that it makes you clarify your own understanding of things, and that
can bring corrections from others, which means I get to learn something
new too!

Phil

 

[Philip Herlihy]

If the client wants to RDP directly to his machine without quoting a
port number then either the machine has to have a public IP address, or
it has to be the one machine behind a router to which the router diverts
the default RDP port (3389). But it would be little trouble to set up
an environment variable to translate "graphics" to 123.456.789.321:8765
- client types "graphics" in the box and gets the machine he wants. I'm
assuming that would work - if it doesn't, you can always save an RDP
shortcut - that I have done.

The big deal is security. If you put a machine directly on the Internet
it will be picked up by automated port scans and then automated hacking
attacks, so you need to be running a software firewall. The Windows
firewall has been enough to reduce the incidence of "worms" to a trickle
instead of a flood, although it's rather basic, so what you suggest is
at least feasible. However, unless you have many machines, a NAT
router/firewall gateway offers far more control over what traffic can
enter your network, while providing near-transparent access for
legitimate traffic. If you do have many machines, it would be better
to assign your IP addresses to a series of such gateways, each of which
could provide NAT services to a whole family of computers. But it's a
large network that would need more than one. In theory, each gateway
could support at least 253 client computers per supported subnet, and
many more if the 10.x.x.x number range is used. In practice, cheaper
firewalls have limitations due to processing capacity. The Netgear
FVS114 is terrific value for a really small network, but I found it
gasps for air when serving ten busy machines.

I understand that having a block of IP addresses which share a common
subnet mask is only useful if they are physically connected on the same
cable.

Caveat: my networking experience is confined to relatively small
networks, and there may be further contributions from people with wider
knowledge. One of the good things about answering queries on newsgroups
is that it makes you clarify your own understanding of things, and that
can bring corrections from others, which means I get to learn something
new too!

Phil

No, using environment variables doesn't work - not even with % signs on
either side!

Phil