from networking dilemma to networking success
Internet Server Appliances for Small Business

Abstract

In today’s hyper-competitive environment, the small business owner/manager faces a strategic dilemma:
• to embrace the Web and other networking technologies, with all their opportunities and risks, or
• to preserve the status quo because of the fear of costs and security risks.

The visionary’s response to this dilemma is to forge ahead, ignoring the pitfalls, recognizing that incorporating networking technologies into core business processes may be crucial to the future growth and survival of the business. The conservative businessperson might not make a decision until the costs and risks are understood and manageable.

Fortunately, there is a new breed of product, called the Internet server appliance (or thin server) that can help satisfy both the visionary and the conservative. Purchasing a thin server appliance can meet the needs of small business for Internet connectivity without breaking the budget, and without introducing security risks. In fact, a superior server appliance will provide much more in the way of networking services than basic Internet connectivity, while enhancing security (by actively protecting information assets from electronic intruders), all at a very reasonable total cost of ownership.

This white paper demonstrates why a server appliance ought to be the keystone technology in the Internet strategy of any small business, and what criteria to apply when making a purchase decision.

Newlix Corporation
1051 Baxter Road • Suite 21
Ottawa Ontario • K2C 3P1
www.newlix.com
tel (613)225.0516 • fax (613)225.5625
info@newlix.com
Table of Contents

Abstract 1
Table of Contents 2
The Networking Dilemma 3
  How does this relate to my business? 4
  Scenario 1: No Local Area Network (LAN) 4
  Scenario 2: Computers connected to LAN, without a gateway 5
  Scenario 3: Computers connected to LAN, with a gateway 6
  Understanding the Problem 7
  What’s the solution? 7
Framework for a Solution 8
  Table 1. Requirements Analysis Outline 8
  Business goals 8
  Success factors 9
  Business processes 9
  Business activities 9
  Communications infrastructure 10
  Networking requirements 10
  Table 2. Business Needs and Networking Technology 11
  Characteristics of a solution 12
  Business-driven characteristics 12
  Technology-driven characteristics 12
  Characteristics in detail 12
Options for Networking Success 17
  Categories of solutions 17
  Which category is best for small business? 20
  Table 3. Comparison of Internet Connection Solutions 20
  Table 4. Cost-effectiveness of Internet Connection Solutions 21
  The Newlix OfficeServer Solution 21
  Table 5. Characteristics of the Newlix OfficeServer 22
Conclusion 23
Glossary 24
Suggested Additional Reading 27

v-00-06-19 newlix corporation 2
the networking dilemma

The Internet explosion is driving all businesses, large and small, to rethink their communications strategy. Although public relations and marketing form an important part of the strategy, it goes well beyond that. Businesses are creating value and increasing their competitiveness by linking their customers, suppliers, partners, and employees into their core business processes using Internet technology to create dynamic, collaborative communities (intranets and extranets). The Internet is also enabling entirely new kinds of businesses that provide value-added services, such as professionally managed, targeted knowledge brokering, to individuals or other businesses. For example:
• Courier companies provide up-to-date shipment tracking to customers via the Web to cut costs.
• Manufacturers are involving suppliers and partners in cross-enterprise supply-chain management to optimize manufacturing schedules and reduce inventories.
• Engineering teams are improving productivity and overcoming geographical separation using distributed collaboration tools.
• Specialized information services are alerting clients to current events that affect their business decisions.

All of these business applications are based on a small set of basic networking services, such as the Web, e-mail, local area networking (LAN), and wide area networking (WAN). These in turn depend on securely and reliably connecting people (via their computers) to each other and to the global Internet.

Driving forces

Competitive and bottom-line pressures are driving businesses to deploy Internet technology in order to communicate more effectively, both externally and internally. At the same time, businesses must protect their information assets and manage costs. Each business is at the focal point of these forces, and must meet them head-on to survive and grow—achieving “networking success”. The technological foundation of networking success is secure and reliable connectivity.

For the small business (1 to 100 employees), networking costs are a significant issue, both for initial investment and for ongoing maintenance. Security is the other big issue; ensuring the integrity and confidentiality of the information assets of the business and of its clients is fundamental to its survival. In the past, typical solutions were either:
• highly secure, but at a prohibitive cost for small business, or
• low-cost initially, but inadequate and expensive to maintain.

Thus, the potential purchaser was forced to choose between security and cost. This white paper shows how to avoid both overly expensive and inadequate solutions by examining the problems and pitfalls of connecting to the Internet, and proposes a cost-effective solution for a small business to achieve networking success.
How does this relate to my business?

The small business owner/manager may be faced with computer users demanding faster, more convenient Internet access (or perhaps any access at all) so that they can do their jobs more effectively. Some of them may be highly skilled professionals who could cover more information in their research in less time (thus generating more revenue) if they had high-speed Internet access for Web browsing and e-mail. However, the cost of a dedicated high-speed connection for each user might be prohibitive. The typical solution is to share a single high-speed connection among many users through a gateway system. Therefore, the costs and risks associated with shared Internet access must be considered carefully before any purchasing decision is made.

The following scenarios are typical of approaches that have been tried for providing basic Internet access to small businesses. They give some insight into the drawbacks of the ‘obvious’ solutions.

Scenario 1: No Local Area Network (LAN)

Configuration:
• One or more disconnected (standalone) computers.
• No Internet access yet, or Internet access (typically dialup) on individual computer(s).

Advantages:
• Standalone operation can reduce or slow down the spread of computer viruses.
• Potential intrusion by hackers is restricted to machines with Internet access.
• No network administration required.

Problems:
• Difficult to share computer resources (e.g. hard disk space, printers).
• Cost of giving Internet access to additional users (typically requires additional telephone lines).
• Cost of simultaneous connections (one per user, but each connection is typically idle most of the time).
• Security: no protection from unwanted intrusion while online, unless each machine with Internet access has personal firewall software installed.

[Figure: standalone PCs, each reaching the Internet either through a dial-up modem (non-permanent connection) or through a high-speed modem (permanent connection to cable, telephone (DSL), or wireless network); the dial-up case is typical.]

Security note: Each computer with Internet access is vulnerable to attack when connected.
Scenario 2: Computers connected to LAN, without a gateway

Configuration:
• Users sharing disk space, printers, and other resources.
• Internet access via modem on individual computers, or a shared modem pool.

Advantages:
• More cost-effective use of resources by sharing over the LAN.
• Modem pool can reduce costs by sharing outside telephone lines.

Problems:
• Costs of Internet access for multiple users (similar to stand-alone case).
• Security: unwanted intrusion can affect all computers on the LAN, unless each machine with Internet access has personal firewall software installed.

[Figure: PCs and a LAN server on a LAN, reaching the Internet through a shared modem pool.]

Security note: Every computer on the LAN is vulnerable to attack when any computer is connected.
Scenario 3: Computers connected to LAN, with a gateway

Configuration:
• Users sharing computer resources via the LAN server(s).
• Internet access is also shared (over a single telephone line or cable connection) using Internet connection sharing (gateway) software installed on one computer.

Advantages:
• Cost-effective: access cost is shared, and PC gateway software is free or inexpensive.
• Security: single point of connection to the Internet; only the gateway needs to be secured.

Problems:
• Inexpensive gateway software may be unreliable.
• Security: intruders can attack all computers on the LAN, unless there is also a firewall at the gateway.
• Reliable, dedicated gateway/firewall systems tend to be expensive, considering initial cost and maintenance/upgrades.
• Total cost of ownership can be high, depending on level of expertise required to maintain the gateway/firewall.

[Figure: a LAN server and PCs on a LAN; one PC running gateway software connects to the Internet through a high-speed modem (typical).]

Note: Gateway function could be located on a LAN server, instead of on a separate PC as shown.

Security note: Every computer on the LAN is vulnerable to attack, unless the gateway is secured with a firewall.
Understanding the Problem

Unfortunately, none of these scenarios represents a viable solution for Internet connectivity for small business, with the possible exception of Scenario 1 for a one-person, single-computer office. With multiple computers at a work site, it makes sense to install a LAN to enable sharing of computer resources, including the Internet connection. Although gateway and firewall software is inexpensive and readily available for personal computers (PCs), there are some serious shortcomings with this “roll your own” approach:
• Reliability: personal computer operating systems typically do not provide the level of continuous availability required of a gateway, even for a small business. As the business evolves to embed networking into its core business processes, the level of networking availability will become a key factor in the performance of the business.
• Functionality: gateway software for personal computers typically performs only basic Internet connection sharing. Separate products must be selected and installed for a firewall, e-mail, a Web server, and other essential services. Even then, the resulting solution typically won’t support remote and mobile users. Nor will it allow multiple work sites (each with their own LAN) to be linked as if they belonged to one large LAN. Lack of support for these wide area networking (WAN) requirements may present obstacles to future growth of the business.
• Total Cost of Ownership: although the initial purchase cost for the gateway and related software may be reasonable, the ‘hidden’ costs for installation, configuration, and (most importantly) ongoing administration of the complete suite of software may be prohibitive. Depending on the particular operating system running on the gateway computer, a highly skilled network administrator might be required, even to perform basic tasks such as adding a new computer to the LAN, or adding a new e-mail account.

It’s obvious from these shortcomings that a seemingly straightforward approach to Internet connectivity could lead to an inadequate solution, or one with very high ongoing costs, or both. The small business owner/manager is caught between the driving forces for greater network connectivity, and the absolute business need to avoid inadequate, high-cost solutions.

What’s the solution?

Is there a solution that is reliable, functionally complete, and easy on the budget, considering the total cost of ownership? The answer, of course, is yes. It’s called an Internet server appliance (or thin server), and the Newlix OfficeServer is the leading product in that category.

The remainder of this white paper explores a path to networking success, while avoiding the pitfalls and shortcomings of approaches that are not suitable for small business. It begins with principles that apply to any business, and leads to the Newlix OfficeServer as the ideal solution for small business. The following sections are best read in order, but some can be skipped to get to a particular topic:
• First, a requirements analysis explains the need for network connectivity and related services, such as e-mail.
• Second, the networking requirements in combination with the needs of small business determine the important characteristics of a networking solution.
• Next, an analysis of four categories of solutions with respect to the characteristics leads to the conclusion that the server appliance category is the most appropriate for a small business.
• Finally, an analysis of the Newlix OfficeServer positions it as the leading candidate in the server appliance category.
framework for a solution

Before looking at possible networking solutions, every business should examine its communication needs. Time and money are scarce resources that should not be wasted by jumping into a ‘solution’ that does not meet the needs of the business, or one with a high total cost of ownership. All businesses today are under tremendous pressure to do more with less, so it makes sense to consider the business requirements for networking, in order to arrive at a cost-effective solution.

A thorough requirements analysis itself can be a costly process. So this white paper derives some common needs and networking requirements that apply to all businesses, by starting with some basic principles. The requirements analysis follows the outline shown in Table 1, proceeding from left to right, and from top to bottom. The business drivers produce the corresponding requirements in the same row of the table.

Table 1. Requirements Analysis Outline

  QUESTION                                     BUSINESS DRIVERS                  REQUIREMENTS
  Why does a business exist?                   Goals                             Success factors
  How are goals achieved and success factors   Processes                         Communications infrastructure
    supported?
  What functions are performed?                Activities                        Networking requirements
  What does a solution look like?              Business-driven characteristics   Technology-driven characteristics

Business goals

A business exists to create wealth by adding value in the delivery of products or services. It may have secondary goals such as improving the living standards of its employees or contributing positively to the community. However, it must continually deliver added value in order to achieve long-term viability and to achieve its secondary goals, especially in today’s hyper-competitive environment. Very simply, the ultimate goal of every business is: “Add value or die!”
Success factors

Businesses that are successful in adding value over the long term tend to adopt a culture that promotes winning behavior patterns such as:
• focus—clearly communicated objectives for the entire enterprise, business units, and project teams
• delegation—pushing down accountability and decision-making, and eliminating management layers
• specialization—each individual contributing to the mission in the most effective way
• sharing—pooling of scarce assets, resources, and knowledge
• learning—improving processes based on past experience (shared knowledge)
• adaptability—creating new processes to continue adding value in a changing business environment

These businesses attract ideas, employees, customers, and capital to deliver a better, cheaper service or product, thereby achieving long-term competitive advantage. They have adopted practices and technologies that embody and support the success factors.

Business processes

Business practices and communications technologies adopted by successful businesses have now converged in the form of networked business processes and applications. The following are examples of business applications that embody networked (or web-centric) business processes:
• Web publishing
• Marketing programs—such as free newsletters, discussion groups, promotions, lead generation
• E-commerce—purchasing over the Internet
• Sales management—distributed access to customer and prospect databases
• Customer care—support and guidance before and after the sale
• Collaborative development (of programs and products) with partners
• Telecommuting—remote and mobile employees; virtual corporations
• Supply-chain management—with suppliers and partners
• Competitive research—information agents that find and deliver relevant information
• Finance and administration—distributed budget preparation and monitoring
• Employee recruiting and retention—external and internal Web sites with application and resume submission, incentive programs, etc.

Clear, meaningful objectives and a culture committed to promoting carefully chosen success factors are critical elements for the success of a business. But to operate a modern business according to these principles, a high-quality communications infrastructure is required. Excellent communications will support the culture and the convergent, networked business processes that will help the business achieve its objectives.

Business activities

In order to determine specific requirements for a high-quality communications infrastructure, let’s look at some of the business activities that are common to networked business processes, and that support the critical factors for success. Regardless of the type of business, every organization performs at least some of the following activities:
• information gathering
• information dissemination (publishing)
• purchasing products and services
• selling products and/or services
• direct correspondence with external contacts
• internal correspondence
• sharing information internally to improve productivity and foster teamwork (to produce better proposals, for example)
• sharing tangible assets within workgroups to reduce costs
• sharing information selectively with external contacts (suppliers, customers, contractors, remote employees)

These activities all have one common characteristic. They depend on timely and high-quality communications, both within the organization, and within the larger sphere of its external contacts.
Communications infrastructure

Businesses are turning increasingly to Internet technologies to support and enhance their communication-dependent activities, for good reason. The Internet is a very rich and ubiquitous communication medium, built on a costly, high-bandwidth infrastructure that would be beyond the means of any single corporation, organization or government to duplicate. Furthermore, the infrastructure and the Internet services are constantly being upgraded by the combined effort of many individuals and groups. It was also designed from the beginning to be a shared medium, with a low intrinsic cost for each individual message. It’s no wonder that large and small businesses want to exploit this medium.

Internet technology enables communication solutions that are equally cost-effective for businesses of all sizes. Given the design of the Internet, it should have put small businesses on an equal footing with large corporations. However, until recently, cost-effective solutions that provided basic Internet connectivity and networking services (without requiring a skilled network administrator) did not exist. Now, Internet server appliances have lowered the entry barrier to networking success for small business.

Networking requirements

The world of networking and the Internet can be a very confusing place. Although some or all of the following networking requirements might be presented as partial networking solutions, in fact, all of them have their place. This white paper places them into perspective:
• Web access for information gathering (business intelligence, research), purchasing
• Web presence for marketing, customer support, e-commerce
• E-mail to stay in touch with prospects, customers, suppliers, partners and investors
• Internal e-mail to facilitate internal communication
• LAN support for sharing internal information and computer resources

What about mobile employees and remote work sites?

Mobile and remotely located employees need to exchange information with co-workers at a central location, or share central resources. They need to operate as if connected to the central office LAN, to share files and printers, to run business applications, or anything else that a user directly connected to the LAN can do. Therefore, there is a need for secure wide area networking (WAN) services. These can be provided by telephone dialup service at the gateway, or by a secure virtual private network (VPN) connection between the gateway and a remote computer through the Internet.

In the case of a distributed business with a central office and one or more remote offices, business activities require a high level of communication and information sharing among the work sites. So there is a requirement to connect two or more LANs together into a WAN. This should be transparent to the users, so that the users appear to be all connected to the same LAN. This can be accomplished if there is a gateway at each site with secure, high-throughput VPN services.

Increasingly today, all businesses are partnering with customers, suppliers, and other external contacts in their business activities. Thus, there is a requirement for networking between businesses, often referred to as business-to-business (B2B) networking, or e-business. This implies treating the external contact as if it were a remote work site, but with special access restrictions to share only the required applications and information. This scenario again requires WAN services and the underlying VPN technology.

As a business extends its activities to include remote employees, remote work sites, and external contacts, the following additional requirements appear:
• WAN support to extend LAN services to remote/mobile users and branch offices
• WAN extended to support external contacts, with appropriate access controls
Networking services

The following table shows how communication-intensive business processes drive the requirements for networking technology and services.

Table 2. Business Needs and Networking Technology

  BUSINESS ACTIVITIES            NETWORKING REQUIREMENTS    NETWORKING SERVICES
  Information gathering          Web access                 Internet gateway
                                 File download
  Information dissemination      Web presence               Web server
  Marketing & public relations   Web publishing             File transfer services
  Purchasing                     Web access                 Internet gateway
                                 File download              Connectivity to LOB servers
  Selling                        Web e-commerce             Web & related servers
                                 Internet e-business        Connectivity to LOB servers
  Correspondence                 External e-mail            External e-mail services
                                 Internal e-mail            Internal e-mail services
  Sharing tangible resources     Shared disk storage        LAN services
                                 Shared printers            WAN (VPN) services
                                 Shared CD drives
  Sharing information assets     Shared documents           LAN services
                                 Shared databases           WAN (VPN) services
                                 Shared applications
  Retention of assets            Network security           Firewall protection
  Confidentiality                                           Secure VPN

In summary, a networking solution that satisfies the needs of business today and into the future will provide:
• Internet access to support Web browsing and file downloading
• Web and file transfer (FTP) servers
• connectivity to line-of-business (LOB) application/data servers
• e-mail services, both external and internal
• LAN services, for sharing both information and computer equipment
• WAN services, to extend sharing to remote/mobile users, branch offices, and partners
• secure, high-throughput VPN capability, encompassing encryption, authentication, and access control
• firewall protection for the LAN
  12. 12. For a small business, it is essential to provide all these services in a single package to minimize costs. Such a solution is sometimes called a gateway, although it embodies much more than sharing access to an external network. Security is an underlying requirement for all networking services. Low initial purchase and ongoing maintenance costs are also key requirements. We’re talking about a secure, fully functional gateway with low total cost of ownership. Additionally, there are other desirable characteristics of an ideal solution for small business that must be factored into any purchase decision. Characteristics of a solution The business and technology requirements for networking success lead directly to a set of characteristics against which potential solutions can be compared. The pattern of the requirements analysis suggests breaking the list down into business-driven and technology-driven characteristics. Business-driven characteristics • Security —protection of confidential information and computer resources from electronic intruders • Initial cost —within financial means of small business • Simplicity—installation and ongoing maintenance without requiring a trained computer administrator, to minimize operating costs • Functionality —connectivity and networking services to support business processes and activities Technology-driven characteristics • Reliability—high availability, because Internet access often becomes critical to business operations • Throughput—Internet access speed constrained only by the bandwidth of the physical connection • Compatibility—with popular personal computer systems and networking environments • Support—for both the software and hardware [something that purchasers often overlook] Characteristics in detail Let’s take a closer look at each of the characteristics in turn. The following discussion is quite technical. It’s aimed at those familiar with networking concepts, such as system administrators and power users. 
If you’d like to skip over the technical details, you can resume reading with one of the following topics:
• the four categories of solutions that are available today, and why the server appliance category is the most appropriate for a small business
• the Newlix OfficeServer, the leading candidate in the server appliance category

Security

Protecting the electronic information assets of a business from unauthorized access and accidental loss is a mandatory business requirement. It’s a multi-faceted problem that calls for comprehensive security and recovery plans, which are outside the scope of this white paper. Furthermore, achieving 100% protection is impossible. However, it is possible to make it extremely difficult for electronic intruders to penetrate your LAN from the Internet, satisfying a key part of any security plan.

newlix corporation 12
Any host that is... permanently connected (to the Internet) will typically be scanned and probed several times per day. In fact, during peak periods, malicious activity at the level of thousands of packets per day has been recorded...

Placing a secure gateway between your LAN and the Internet will provide a high degree of protection. A secure gateway includes a firewall, and together they use some combination of the following techniques:

The gateway (sometimes called a dual-homed bastion host) is the only connection between the external Internet and the internal LAN, and only the firewall software is responsible for allowing requests and data (in the form of network packets) to flow between the internal and external networks. The gateway computer acts as a proxy for the internal computers that require Internet services. The firewall can block packets that do not satisfy certain preset security parameters.

Network Address Translation (NAT) allows multiple computers to share a single Internet connection without revealing their identity to the external Internet. The sharing machines communicate with each other and with the NAT gateway computer using private network addresses. For traffic to the external Internet, the NAT service translates all private addresses to its network address, while keeping track of which packets belong to which computer. Since the external Internet sees only the single network address of the NAT firewall computer, there’s absolutely no way for Internet scanners to reach past it. This creates a high degree of security for the machines “behind” the NAT gateway. Note that the NAT computer is accessible from the Internet and needs to be protected, by stealth technology for example. [The preceding was adapted from Steve Gibson’s Shields Up! FAQ.]

Bi-directional NAT protects internal computers that provide Internet services such as e-mail. The firewall can redirect requests originating from the Internet to a protected server behind the NAT gateway, while preserving the external (IP) address of the originating Internet host. This capability, sometimes called “reverse proxy” or “port forwarding”, places any confidential data required by the server behind the protection of the firewall.

Stealth technology makes the gateway computer fully or partially “invisible” to other computers (hosts) on the Internet. When an Internet host requests a connection, it never gets a response back, except when requesting specifically enabled services such as HTTP (to the web server), SMTP (for e-mail), and FTP (for file transfer). This prevents would-be Internet intruders from exploiting potential weaknesses in unneeded networking services, while at the same time allowing computers on the internal LAN to connect to any Internet site. Stealth technology is sometimes also called port blocking, because it operates by refusing to respond to Internet packets that request a connection to any TCP or UDP port, except for those associated with enabled services.

A port scanning inhibitor is a feature that briefly disables access to the gateway from an Internet host that tries to perform a port scan on the gateway. Port scanning is a technique used by would-be intruders to detect Internet hosts that might be susceptible to future attack. Inhibiting port scans complements stealth technology by making the gateway effectively “invisible” to Internet hosts that are probing it for weaknesses.

Packet filtering looks at each packet entering or leaving the LAN and accepts or rejects it based on preset rules. Packet filtering is fairly effective and transparent to users, but it is difficult to configure.

An application gateway applies security mechanisms to specific services, such as an FTP server. This is very effective in protecting certain services from abuse, but must be combined with other techniques for more complete security coverage. This type of gateway can impose a performance degradation.

A circuit-level gateway applies security mechanisms when a TCP or UDP connection is established. Once a valid connection has been allowed, packets can flow between the hosts without further checking.
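The NAT, stealth port blocking, port forwarding and port-scan inhibitor behaviour described above, modelled as a small packet-decision simulator. This is an added example, not Newlix code or any product's implementation; the addresses, ports, scan threshold, window and block duration are constructed values.

```python
"""Simplified model of the gateway techniques described above: NAT for outbound
traffic, stealth (silent) dropping of unsolicited inbound packets, port forwarding
to an internal server, and a port-scan inhibitor. Added example, not Newlix code."""
from collections import defaultdict, deque
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    """Minimal header of a TCP/UDP packet: endpoints and protocol."""
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


class Gateway:
    """Dual-homed NAT gateway. Every decision is returned as (verdict, packet);
    a None packet means nothing is sent on in either direction (stealth)."""

    def __init__(self, public_ip, enabled_services, forwards,
                 scan_threshold=5, scan_window=10.0, block_seconds=60.0):
        self.public_ip = public_ip
        self.enabled = set(enabled_services)   # (proto, port) served by the gateway
        self.forwards = dict(forwards)         # (proto, port) -> (LAN ip, LAN port)
        self.scan_threshold = scan_threshold   # distinct refused ports before blocking
        self.scan_window = scan_window         # seconds over which probes are counted
        self.block_seconds = block_seconds     # how long a scanner is shut out
        self.nat = {}              # public port -> (LAN ip, LAN port, peer ip, peer port)
        self.next_port = 40000     # constructed starting point for NAT port allocation
        self.probes = defaultdict(deque)       # peer ip -> (time, port) of refused packets
        self.blocked_until = {}                # peer ip -> time the block expires

    def outbound(self, pkt):
        """LAN -> Internet: rewrite the private source to the gateway's public
        address and remember the mapping so the reply can be routed back."""
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        for pub_port, entry in self.nat.items():
            if entry == key:
                break
        else:
            pub_port = self.next_port
            self.next_port += 1
            self.nat[pub_port] = key
        return "nat", replace(pkt, src=self.public_ip, sport=pub_port)

    def inbound(self, pkt, now):
        """Internet -> gateway: decide what happens to an arriving packet."""
        if self.blocked_until.get(pkt.src, 0.0) > now:
            return "drop-blocked", None          # port-scan inhibitor in effect
        entry = self.nat.get(pkt.dport)
        if entry and entry[2:] == (pkt.src, pkt.sport):
            lan_ip, lan_port = entry[:2]         # reply to a LAN-initiated connection
            return "nat-reply", replace(pkt, dst=lan_ip, dport=lan_port)
        service = (pkt.proto, pkt.dport)
        if service in self.enabled:
            return "accept-local", pkt           # e.g. SMTP handled by the gateway
        if service in self.forwards:
            ip, port = self.forwards[service]    # reverse proxy / port forwarding:
            return "forward", replace(pkt, dst=ip, dport=port)   # source kept intact
        self._record_probe(pkt.src, pkt.dport, now)
        return "drop-stealth", None              # no RST or ICMP: the port looks absent

    def _record_probe(self, src, port, now):
        """Count distinct refused ports per source inside the window; on reaching
        the threshold, shut the source out for block_seconds."""
        q = self.probes[src]
        q.append((now, port))
        while q and now - q[0][0] > self.scan_window:
            q.popleft()
        if len({p for _, p in q}) >= self.scan_threshold:
            self.blocked_until[src] = now + self.block_seconds
            q.clear()


def demo():
    """Constructed traffic (addresses from documentation ranges): a LAN web fetch
    and its reply, SMTP to the gateway, HTTP forwarded to an internal server,
    then a scan of six ports. Returns the verdict for each packet in order."""
    gw = Gateway("203.0.113.10", enabled_services={("tcp", 25)},
                 forwards={("tcp", 80): ("192.168.1.20", 80)})
    verdicts = []
    v, out = gw.outbound(Packet("192.168.1.5", 51000, "198.51.100.7", 80))
    verdicts.append(v)
    v, _ = gw.inbound(Packet("198.51.100.7", 80, gw.public_ip, out.sport), now=1.0)
    verdicts.append(v)
    verdicts.append(gw.inbound(Packet("198.51.100.9", 4000, gw.public_ip, 25), 2.0)[0])
    verdicts.append(gw.inbound(Packet("198.51.100.9", 4001, gw.public_ip, 80), 2.5)[0])
    # The scanner's sixth probe hits SMTP, an enabled service, but by then it is blocked.
    for i, port in enumerate((21, 22, 23, 110, 143, 25)):
        pkt = Packet("192.0.2.66", 30000 + i, gw.public_ip, port)
        verdicts.append(gw.inbound(pkt, 3.0 + i * 0.1)[0])
    return verdicts


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

Note that a blocked scanner is refused even on an enabled port, which is the "briefly disables access to the gateway" behaviour of the inhibitor rather than plain stealth.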
An effective gateway/firewall combination provides essential protection from would-be intruders intent on compromising Internet hosts for malicious purposes such as:
• defacing Web sites with graffiti
• illegally obtaining confidential data (credit card numbers, or personal identities, for example)
• deleting data
• installing “trojan horse” software to enable launching attacks on other Internet hosts

These attacks are invariably preceded by various types of automated port probes and scans that seek to identify vulnerable hosts. Any host that is connected to the Internet for more than a few minutes is likely to be scanned or probed by one or more of these automated scanning tools, and any host that is permanently connected (to DSL or cable services, for example) will typically be scanned and probed several times per day, from various hosts that could be located anywhere around the globe. In fact, during peak periods (such as school holidays), malicious activity at the level of thousands of packets per day has been recorded, all directed at a single home computer.

The most effective firewall is one that keeps your gateway computer off the lists of “interesting” (read vulnerable) hosts compiled by the scanning tools, by making it invisible to them with stealth technology.

No matter how effective a firewall might be, remember that it is just a first line of defense in protecting private information. A comprehensive security plan would call for the encryption of highly sensitive data for storage and transmission, as well as other security measures.

Virtual private networks (VPNs) introduce additional security issues, which this paper does not fully explore. However, it is important to recognize the three features which must be present to secure a VPN against unwanted intrusion:
• authentication, to ensure that only authorized users can join the private network
• access control, to control which network resources (such as files) are accessible to certain users
• encryption, to prevent interception and modification of private data as it travels over a public network

Initial cost

The cost of purchasing a solution must be within the financial means of the business. Factors that affect the cost include:
• the complexity of the hardware and software
• the degree of proprietary vs. off-the-shelf hardware and software
• the size of the market and level of competition among vendors

For a low-cost solution for small business, look for one that bundles the basic networking services listed earlier in a single box. However, look beyond the initial purchase cost at the total cost of ownership, which is heavily influenced by the next characteristic, simplicity.

Simplicity

A truly simple solution will encapsulate complex technology so as to minimize the costs of installation and ongoing administration. The networking services should be tightly integrated, presenting a simple, straightforward interface to the customer. Installation, configuration, and ongoing administration should be simple enough to be performed by anyone, as opposed to a highly trained network administrator. In fact, ongoing administration should be limited to adding the occasional new e-mail account.
Whether in-house or outsourced, network administration services are costly. Even if the business is large enough to have full-time network administration staff, they are often already overworked administering the existing network. So a networking solution that can be installed and administered by existing staff without a significant time burden, and without additional training, will minimize operating costs. Together with a low initial cost, this will result in a low total cost of ownership.

Functionality

The ideal solution will provide all the networking services described earlier. In addition, it should provide a reverse proxy capability, so that some of the services or other networking applications can be delivered on powerful application servers behind the firewall. For example, a particular business may want to provide e-mail by running Microsoft Exchange on a Windows NT server, or host a set of web sites on a Unix computer.

Reliability

As a business incorporates networking into its everyday activities, it will increasingly depend on Internet connectivity for normal operation. Indeed, when networking becomes part of core business processes, such as customer relationship management, the dependence becomes critical. So the network gateway must provide a very high level of availability. The acceptable level depends on the individual business, but it’s not unreasonable to expect availability greater than 99.9% (excluding scheduled maintenance), which translates to less than one hour of downtime per month.

In addition to being highly available, the gateway must reliably mediate traffic between the external Internet and the internal LAN, without misdirecting or losing packets, even under heavy traffic conditions.

Just as with the issue of security, overall network reliability depends on more than just the gateway server. The ability to manage a computer network to meet availability targets also depends on other factors that are outside the scope of this white paper, including:
• backup and restore procedures
• availability of technical support
• backup power systems
• redundancy of critical components and systems
• redundant or standby Internet connections
• a disaster recovery plan

As a business grows in size and dependence on networking, these issues must be addressed through training, hiring, or outsourcing.

Throughput

High throughput (measured in terms of bytes and packets per second passing through the gateway) is desirable, in order to minimize waiting time for internal (LAN) and external (WAN and web) users. The gateway/firewall combination should impose no noticeable overhead, compared to a standalone connection. With multiple users, it should achieve throughput close to the theoretical maximum bandwidth for the type of connection. With a high-speed (DSL or cable) connection, users should notice no degradation in throughput compared to a private connection to the same ISP, unless multiple users are simultaneously transferring (downloading) large files.
Compatibility

A small business cannot afford to re-configure the existing computers and network to suit the requirements of a newly purchased gateway. So the gateway should inter-operate with all the types of computers found on a LAN, and with the networking infrastructure itself. Inter-operability has several aspects:
• When connected to the LAN, the gateway must not disrupt the operation of computers (both users’ workstations and servers) already on the LAN.
• The gateway should permit Internet and LAN services to be provided by servers on the LAN, even if it can provide those services itself. For Internet services, it should have a configurable reverse proxy feature to forward Internet requests to the appropriate server on the LAN.
• Adding a new computer to the LAN should be a “plug-and-play” operation, at least for popular personal computers. In this context, “plug-and-play” means that the new computer needs little or no manual configuration to use LAN and Internet services after it is plugged into the LAN.

Support

The level of technical support available must be considered when selecting any device involving complex technology, even more so in the case of a gateway product whose reliability will become a critical factor in the operation of the business. Some of the factors to be considered are:
• the reputation of the vendor for customer support
• the availability of secondary suppliers of support services
• the architectural approach: proprietary, closed system vs. an open system

There are support advantages to the customer with an open system architecture, namely easier access to a pool of people (such as existing staff, independent contractors, or professionals employed by IT outsourcing firms) with maintenance skills for the hardware and software components.
options for networking success

Having derived a set of criteria for networking success, in the form of desirable characteristics of a gateway solution for small business, it’s now possible to examine some options. An analysis of the available solutions leads to a category (the server appliance), and a specific product (the Newlix OfficeServer) that best fit the characteristics.

Categories of solutions

The available solutions fall into four categories, based on cost and overall performance:
• high-end
• mid-range
• low-end
• network server appliances

Each category has some significant attributes in terms of the characteristics. The following analysis does not address all the characteristics for each category. However, Table 3 presents a complete picture of characteristics by category in summary form. Generally speaking, you get what you pay for: higher overall performance costs more. However, the network server appliance occupies a unique position in the cost/performance space of solutions, as shown in Table 4.

High-end solutions
Target market: large enterprises with distributed workgroups, ASPs, ISPs, high-traffic Web portals
Security: very high, if configured and administered correctly
Initial cost: very high, upwards of US $20K; multiple computers may be required
Simplicity: very complex; installation and maintenance require highly skilled network administrators
Functionality:
• incomplete offering of networking services; integration of multiple products and servers required
• typically provide remote management of multiple sites for enterprise-level scalability
Reliability: very high; typically have hardened operating systems
Throughput: extremely high; well-suited to high-traffic situations
Support: some products include custom hardware that may limit availability of support
Example products: Sun Microsystems SunScreen family of products
Summary: not suitable for small business, due to high total cost of ownership
Mid-range solutions
Target market: single worksites of small- to medium-scale enterprises
Security: high, typically a proxy with packet filtering, sometimes with NAT
Initial cost: moderate; typical configuration: desktop PC or server + workgroup OS + software components
Simplicity: complexity based on underlying OS and level of integration of software components; trained network administrators required
Functionality:
• integration of multiple products may be required
• reverse proxy may be available
Reliability: may be a problem, depending on reliability of underlying OS
Throughput: high, but less than high-end, due to general-purpose OS
Support: 3rd party services available, depending on popularity of underlying OS and hardware
Example products: Microsoft Windows NT or Windows 2000 with Proxy Server, Internet Information Server, etc.
Summary: marginal for small business, due to high total cost of ownership

Low-end solutions
Target market: small office and home office (SOHO)
Security: adequate if stealth personal firewall installed
Initial cost: low. Possible configurations include:
• PC + personal OS + software components (often shareware)
• SOHO router/firewall + software components
Simplicity: better than mid-range; networking experience required to select, install, and maintain software
Functionality:
• no single product provides all networking services
• some OSs include basic gateway (Internet connection sharing) software
• VPN functionality not widely available
Reliability: likely to be a problem, depending on reliability of underlying OS and networking utilities
Throughput: moderate, adequate for a few users
Support: uneven level of support from vendors; 3rd party and Web resources available
Example products:
• Microsoft Windows 98 with Internet Connection Sharing + personal firewall + web/FTP/e-mail servers etc.
• Linksys EtherFast Cable/DSL Router + LAN server + web/FTP/e-mail server(s) etc.
• WatchGuard Firebox SOHO (or Telecommuter) + LAN server + web/FTP/e-mail server(s) etc.
• PC + Linux OS + networking utilities
Summary:
• Generally not suitable for small business, due to high installation & maintenance costs for a complete solution (OS and networking skills required).
• Router/firewall appliances are excellent security products, but don’t provide basic networking services.
• Linux is a low-cost, reliable OS, and networking utilities provide complete functionality, but configuration and maintenance require special skills.
Network server appliances

[Figure: typical network server appliance configuration. A dial-up or high-speed modem (typical) connects the Internet to the thin server appliance; PCs, a LAN server and a Macintosh sit on the LAN behind it. Security note: The LAN is protected behind the firewall of the server appliance.]

Target market: small- to medium-scale business
Security: high to very high, depending on type of firewall and VPN security mechanisms
Initial cost: low; may be slightly higher than low-end solution
Simplicity: a key criterion for this category, resulting in low total cost of ownership
Functionality: check product features and specifications; some might not include all networking services
Reliability: very high; typically have hardened operating systems (OS)
Throughput: very high; networking software and OS tuned for gateway function
Support: 3rd party services available (in addition to vendor, resellers) for products with open architecture
Example products:
• Cobalt Qube
• IBM Whistle InterJet II
• Netmax Professional
• Newlix OfficeServer
Summary:
• Combines the best features of other solutions in a package suitable for small business.
• Consists of a single box pre-configured and optimized for specific networking services.
Which category is best for small business?

The following table summarizes the characteristics for all categories:

Table 3. Comparison of Internet Connection Solutions

CATEGORY / CHARACTERISTIC | HIGH-END          | MID-RANGE         | LOW-END                       | SERVER APPLIANCE
Security                  | very high         | high              | high with firewall            | high to very high
Initial cost              | high              | moderate          | very low                      | low to very low
Simplicity                | very complex      | complex           | moderate                      | simple
Reliability               | very high         | moderate          | moderate to low               | very high
Throughput                | extremely high    | high              | moderate                      | very high
Functionality             | incomplete        | incomplete        | incomplete                    | moderate to complete
Compatibility             | moderate to high  | high              | depends on products           | high to very high
Support                   | vendor, resellers | vendor, resellers | vendor, minimal in some cases | vendor, resellers, 3rd party (if open architecture)

To make sense of this comparison, consider the two key factors:
• total performance—a combination of security, reliability, throughput and functionality
• total cost of ownership—a combination of initial and ongoing costs
Combining the characteristics and ratings into total performance and total cost of ownership (TCO) yields the following:

Table 4. Cost-effectiveness of Internet Connection Solutions

Performance vs. TCO | Low TCO                    | Moderate TCO        | High to very high TCO
High performance    | server appliance solutions |                     | high-end solutions
Medium performance  |                            | mid-range solutions |
Low performance     | low-end solutions          |                     |

The high-end systems are not appropriate for small businesses due to high initial and ongoing costs. Mid-range systems may provide adequate performance in some areas, but do not provide expected reliability, and have high ongoing costs for system administration. Low-end solutions are a dubious choice because of inadequate performance and ongoing costs. The server appliance category provides the most cost-effective solution for small business, with total performance approaching that of the very expensive high-end systems, and total cost of ownership no more than that of the low-end.

The Newlix OfficeServer Solution

The Newlix OfficeServer is a network server appliance delivering firewall-protected Internet access (over a single Internet connection) and networking services for an entire LAN at a very modest total cost of ownership. It is a “plug-and-play” networking solution, meaning that any new PCs or workstations added to the LAN automatically receive Internet access and networking services.

The Newlix OfficeServer excels in each of the characteristics of an ideal networking solution:

Security:
• A dual-homed gateway incorporating a stealth firewall with network address translation, reverse proxy, and port-scanning inhibitor features.
• VPN with authentication, access control, and encryption to IPsec standard for WAN services.
• Microsoft VPN with PPTP encryption for dialup or Internet connections from a single PC to a LAN.

Initial cost:
• Low; complete package costs about the same as a desktop PC.
• Often bundled with Internet access, for example, the IPC NewMega Office Server.

Simplicity:
• Like any appliance, no specialized skills required to achieve successful operation.
• Windows Monitor program provides visual indication of server status, and simple server control functions.
• True “plug-and-play” capability for installation of both Newlix OfficeServer and LAN clients.
• Configuration and administration via Web browser, interacting with user-friendly server administration application.
• Designed to be almost administration-free; administration typically confined to adding e-mail accounts for new users.
Functionality:
• Complete offering of networking services—dual-homed gateway, caching proxy server (transparent to clients), Web and FTP servers, Internet and internal e-mail, LAN server, remote dialup access, secure VPN, all in a single package.
• Supports dialup (standard modem) connections, as well as cable, ADSL, ISDN, and any router connection.

Reliability:
• Very high, based on proven Linux operating system, hardened and optimized for delivering networking services.
• Can operate for years without a system software failure.
• Disk mirroring ensures uninterrupted operation in the case of a single disk failure.
• Software upgrades can be performed without rebooting server, or interruption in service to LAN clients.

Throughput:
• Limited only by bandwidth of the Internet connection, with low-end Pentium-class PC.
• Server software consumes minimal overhead.
• Supports multiple concurrent Internet connections with no noticeable degradation in speed.

Compatibility:
• Supports LAN clients such as NetWare, Windows 95/98, Windows NT/2000, Unix/Linux, and Appletalk.
• DHCP server automatically configures new LAN clients, unless another DHCP server already exists on the LAN.

Support:
• Available from Newlix partners, who have established support networks for their products.
• Software upgrades directly from Newlix, and registered partners.
• Third-party resources (products and services) available for Intel-architecture PCs and the Linux operating system.

The following table summarizes the ratings of the Newlix OfficeServer appliance.

Table 5. Rating the Newlix OfficeServer

CHARACTERISTIC | RATING
Security       | very high
Initial cost   | low
Simplicity     | appliance-level
Reliability    | very high
Throughput     | very high
Functionality  | complete
Compatibility  | very high
Support        | resellers, 3rd party

The Newlix OfficeServer’s ratings reflect its high overall performance and low total cost of ownership (TCO), placing it high in the desirable (upper left) square of the cost-effectiveness matrix (Table 4). This is the “sweet spot”, where an informed purchasing decision can leverage a modest investment to achieve a level of networking capability previously unavailable to a small business.
conclusion

The Newlix OfficeServer, the leading product in the Internet server appliance category, is the ideal candidate to fill the needs of small business for networking services. It provides the best answer to the networking dilemma for the small business owner/manager: How can my business start embracing the Internet without jeopardizing its finances and information assets?

Of course, purchasing and installing a network appliance is only part of a networking and Internet communication strategy, albeit the fundamental piece of technology required. Purchasing a Newlix OfficeServer will not magically produce an award-winning, revenue-generating Web site, for example, but it can provide the Internet connectivity and networking services required by small businesses at a reasonable total cost of ownership. It will solve the immediate problem of connectivity without creating new headaches.

The competitive pressures to increase market share and/or profitability are driving businesses to adopt networking technology as a key part of their business strategy. The perceived urgency to get a foothold in the global marketplace created by the Internet may dictate moving ahead with implementation before the network communication strategy is complete. The Newlix OfficeServer characteristics ensure a growth path for the future, so you can purchase it with confidence, even if you don’t have a fully developed Internet strategy. You can count on the Newlix OfficeServer to deliver basic networking services with excellent security now, and additional services as your strategy evolves. This is networking success, now and for the future.

For additional information about the Newlix OfficeServer, please visit the Newlix website at www.newlix.com.
glossary

Application Service Provider (ASP)
An ASP is a firm that manages and distributes software-based services and solutions to customers across a wide area network (typically over the Internet) from a data centre.

Dial-up access
Dial-up access, in the Internet context, refers to connecting a computer with a modem to a network over the public telephone network. In general, dialup or dial-in refers to connecting two devices (typically computers) with modems over the telephone network.

Digital Subscriber Line (DSL)
A DSL is a family of technologies (such as ADSL, SDSL, HDSL, collectively called xDSL) that use sophisticated modulation schemes to pack data onto copper wires. They are sometimes referred to as last-mile technologies because they are used only for connections from a telephone switching station to a home or office, not between switching stations.

Disk Mirroring
Disk Mirroring is a technique for improving the availability of a computer system, whereby data is written to two duplicate disks simultaneously. This way, if one of the disk drives fails, the system can instantly switch to the other disk without any loss of data or service.

Dynamic Host Configuration Protocol (DHCP)
DHCP provides configuration parameters to Internet hosts. DHCP consists of two components: a protocol for delivering host-specific configuration parameters from a DHCP server to a host, and a mechanism for allocation of network addresses to hosts. [from Droms, R., “Dynamic Host Configuration Protocol”, IETF RFC 2131, March 1997]

Firewall
A Firewall is a system designed to prevent unauthorized access to or from a private network. A firewall is frequently used to prevent unauthorized Internet users from accessing a local area network (LAN). All messages entering or leaving the LAN pass through the firewall, which examines each message, and blocks those that do not meet the specified security criteria.

FTP—see Internet Protocol.

Gateway
A Gateway is a combination of hardware and software that links two different types of networks. The term dual-homed gateway emphasizes that a gateway system resides on, and is addressable from, two different networks. See also router.

HTTP—see Internet Protocol.

Integrated Services Digital Network (ISDN)
ISDN is an international communications standard for sending voice, video, and data over digital telephone lines or normal telephone wires.
Internet
The Internet is a global network of networks connecting many millions of computers. Each Internet computer, called a host, is independent. Its operators can choose which Internet services to use and which local services to make available to the global Internet community. Internet hosts exchange information in a standard way, using Internet protocols.

Internet Protocol (IP)
IP is the fundamental protocol (or standard format) for transmitting control information and data between two Internet hosts. IP specifies the format of packets and the addressing scheme. Most networks combine IP with a higher-level protocol called Transport Control Protocol (TCP), which establishes a virtual connection between a destination and a source. The combination of TCP with IP is referred to as TCP/IP. Other Internet protocols based on IP or TCP/IP include:
• File Transfer Protocol (FTP)—the protocol used on the Internet for sending files between hosts
• Hypertext Transfer Protocol (HTTP)—the underlying protocol of the World Wide Web
• Point-to-Point Tunneling Protocol (PPTP)—supports the creation of VPNs over the Internet
• Simple Mail Transfer Protocol (SMTP)—a protocol for sending e-mail messages between servers
• Universal Datagram Protocol (UDP)—a connectionless protocol used primarily for broadcasting messages

Internet Protocol security (IPsec)
IPsec is an architecture (including protocols and algorithms) for providing security services such as authentication and encryption at the IP packet level. IPsec is a viable basis for implementing secure VPNs over the Internet.

Internet Server Appliance
An Internet Server Appliance is a networking device (sometimes called a thin network server) that mediates traffic between a group of computers on a local area network and the Internet. It provides some or all of the services expected of a network server (such as resource sharing, e-mail, and Web/FTP service). However, being an appliance, it is very easy to install and operate, requiring no special skills to configure or maintain its operation.

Internet Service Provider (ISP) or Internet Access Provider (IAP)
An ISP is a company that provides access to the Internet.

Line-Of-Business (LOB)
LOB pertains to the revenue-generating processes of a business, such as order-entry, billing, and customer relationship management.

Local Area Network (LAN)
A LAN is a computer network that spans a relatively small area. Most LANs are confined to a single building or group of buildings, and a single organization.

Operating System (OS)
An OS is the most important program that runs on a computer. Every general-purpose computer must have an operating system in order to run other programs. An operating system handles input and output operations on behalf of other programs, and ensures that different programs and users on the system do not interfere with each other. The OS is also responsible for security, ensuring that unauthorized users do not access the system.
Packet
A packet is a piece of a message transmitted over a packet-switching network, such as the Internet. In IP networks, packets are often called datagrams. Packets are transmitted individually and can even follow different routes to the destination. Once all the packets forming a message arrive at the destination, they are reassembled into the original message.

PPTP: see Internet Protocol.

Port
A port is a logical connection point for IP traffic directed to a computer. A port is identified by an integer from 0 to 65535 (a 16-bit number) and, together with the transport protocol (TCP or UDP), corresponds to a specific Internet service on that computer, such as a Web server (TCP port 80) or an FTP server (TCP port 21).

Port Scan
A port scan is a technique for discovering which services a networked computer is running, and therefore where it might be vulnerable to attack: another computer on the network (typically on the Internet) attempts to connect to the subject computer on many different port numbers in rapid succession and records which ones answer. A burst of connection attempts to many different ports from a single source is usually interpreted as an indicator of malicious intent, and a gateway/firewall should log it and block the source.

Router
A router is a packet-switching device that interconnects two or more networks at the level of the network protocol (IP, for example). Internet routers discover and maintain information about the topology of the network, and forward each packet along the lowest-cost path known for its destination. They also perform certain network management functions.

SMTP: see Internet Protocol.

Total Cost of Ownership (TCO)
TCO is a very popular buzzword representing how much it actually costs to own a device (such as a PC). The TCO includes the original cost of the computer and software, hardware and software upgrades, technical support, maintenance, and training.

UDP: see Internet Protocol.

Virtual Private Network (VPN)
A VPN is a network created by partitioning a shared underlying communications medium in a way that ensures privacy. For example, there are a number of systems that enable the creation of private networks using the Internet as the medium for transporting data. These systems use encryption and other security mechanisms to ensure that only authorized users can access the network and that data in transit cannot be read, or altered without detection, by anyone who intercepts it. IPsec includes a set of such security mechanisms.

Wide Area Network (WAN)
A WAN is a computer network that spans a relatively large geographical area. Typically, a WAN consists of two or more local area networks (LANs). The largest WAN in existence is the Internet.

World Wide Web
The World Wide Web is a rich and vast information medium consisting of multimedia documents delivered on demand by certain Internet servers (called Web servers). The documents can reference other Web documents (via hyperlinks), and can include words, images, drawings, animation, and audio/video clips. Applications (called Web browsers) are available for all types of personal computers that enable users to view the multimedia content and to follow hyperlinks (an experience often called Web surfing).
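The Port Scan entry above describes the pattern a gateway/firewall should recognise: one source touching many different ports on one host in rapid succession. The following detector is an added example, not code from this paper or from Newlix OfficeServer; it runs over a constructed log in an assumed "timestamp action proto src:sport -> dst:dport" format (no real product writes exactly this) and flags any source/destination pair that reaches a threshold of distinct ports inside a sliding time window. Both ALLOW and DENY lines count, because a scan that finds open ports is still a scan.

```python
"""Port-scan detection over gateway/firewall log lines (added example).

Sliding-window detector: flag a source address that connects, or tries to
connect, to many distinct ports on one host within a few seconds. The log
format and the sample lines are constructed for this example and are not
the output of any particular product.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample. 203.0.113.7 walks ten ports in six seconds; 198.51.100.4
# is an ordinary client using three services over ten minutes. The final line
# is deliberately malformed to show that unparseable lines are skipped.
SAMPLE_LOG = """\
1999-11-25 10:00:01 DENY TCP 203.0.113.7:41001 -> 192.0.2.10:21
1999-11-25 10:00:01 DENY TCP 203.0.113.7:41002 -> 192.0.2.10:22
1999-11-25 10:00:02 DENY TCP 203.0.113.7:41003 -> 192.0.2.10:23
1999-11-25 10:00:02 DENY TCP 203.0.113.7:41004 -> 192.0.2.10:25
1999-11-25 10:00:03 ALLOW TCP 203.0.113.7:41005 -> 192.0.2.10:80
1999-11-25 10:00:03 DENY TCP 203.0.113.7:41006 -> 192.0.2.10:110
1999-11-25 10:00:04 DENY TCP 203.0.113.7:41007 -> 192.0.2.10:139
1999-11-25 10:00:04 ALLOW TCP 198.51.100.4:51200 -> 192.0.2.10:80
1999-11-25 10:00:05 DENY TCP 203.0.113.7:41008 -> 192.0.2.10:143
1999-11-25 10:00:05 DENY TCP 203.0.113.7:41009 -> 192.0.2.10:443
1999-11-25 10:00:06 DENY TCP 203.0.113.7:41010 -> 192.0.2.10:3389
1999-11-25 10:04:30 ALLOW TCP 198.51.100.4:51201 -> 192.0.2.10:443
1999-11-25 10:09:12 ALLOW TCP 198.51.100.4:51202 -> 192.0.2.10:25
this line is not in the expected format and is skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (?P<action>ALLOW|DENY) "
    r"(?P<proto>TCP|UDP) (?P<src>[\d.]+):(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+)$"
)
TS_FMT = "%Y-%m-%d %H:%M:%S"


def parse_line(line):
    """Return (timestamp, src_ip, dst_ip, dst_port), or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    return datetime.strptime(m["ts"], TS_FMT), m["src"], m["dst"], int(m["dport"])


def detect_port_scans(lines, threshold=5, window_seconds=10):
    """Return one alert per (src, dst) pair that touches at least `threshold`
    distinct destination ports within any `window_seconds` interval.

    Lines are assumed to be in chronological order, as a log file is. Once a
    pair has been flagged, every further port it touches is added to its alert
    so the analyst sees the full extent of the scan, not just the trigger.
    """
    recent = defaultdict(deque)  # (src, dst) -> deque of (timestamp, dport) still inside the window
    alerts = {}                  # (src, dst) -> alert dict, in order of first detection
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, src, dst, dport = parsed
        key = (src, dst)
        if key in alerts:
            alerts[key]["ports"].add(dport)
            continue
        window = recent[key]
        window.append((ts, dport))
        # Expire events that have fallen out of the sliding window.
        while (ts - window[0][0]).total_seconds() > window_seconds:
            window.popleft()
        distinct = {port for _, port in window}
        if len(distinct) >= threshold:
            alerts[key] = {
                "src": src,
                "dst": dst,
                "first_seen": ts.strftime(TS_FMT),
                "ports": set(distinct),
            }
            del recent[key]  # no longer tracked once flagged
    return [dict(alert, ports=sorted(alert["ports"])) for alert in alerts.values()]


if __name__ == "__main__":
    for alert in detect_port_scans(SAMPLE_LOG.splitlines()):
        print(f"{alert['first_seen']} possible port scan {alert['src']} -> {alert['dst']}: "
              f"ports {alert['ports']}")
```

With the defaults (5 ports in 10 seconds) only 203.0.113.7 is flagged, at the moment its fifth distinct port is touched; the ordinary client never accumulates more than one port inside any 10-second window. The two parameters are the whole trade-off: widening the window to 600 seconds with a threshold of 3 also flags the legitimate client, while a scanner that spaces its probes minutes apart, or spreads them across many source addresses, slips under any per-pair rule of this kind. A host sweep (one port across many destinations) needs the mirror rule keyed on (src, dport) rather than (src, dst).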
suggested additional reading

Curtin, M. & Ranum, M., "Internet Firewalls: Frequently Asked Questions", revision 9.4, 25 November 1999 [an introduction to firewalls, with practical implementation suggestions]

Dyson, E., Release 2.1: A Design for Living in the Digital Age, Broadway Books, 1998, ISBN 0-7679-0012-X [an exploration of the impact and responsibility of using the Internet and other digital technologies; see Chapter 10 for a discussion of security issues]

Gibson, S., "Internet Connection Security for Windows Users", Gibson Research Corporation

Hurwicz, M., "A Virtual Private Affair", Byte magazine, July 1997 [covers the technological and business issues related to implementing VPNs]

Huston, G., ISP Survival Guide, chapter 12, "Virtual Private Networks", Wiley, 1998, ISBN 0471314994

IBM Corporation, "Enabling Your Network for e-business", 1999 [an introduction to networking, and the IBM approach to networking success]

Kent, S. & Atkinson, R., "Security Architecture for the Internet Protocol", IETF RFC 2401, November 1998 [discusses IPsec, including the AH and ESP traffic security protocols]

Newman, D., "Lab Test: Super Firewalls!", Data Communications magazine, 21 May 1999 [comparison of high-end firewall systems]

Semeria, C., "Internet Firewalls and Security: A Technology Overview", 3Com Corporation, 1996

Newlix OfficeServer Features & Benefits

Newlix OfficeServer Frequently Asked Questions