Network Topology and Internet Security
----------------------------------------------------------------------------

There are several methods of providing Internet service to an interior corporate LAN from a single Internet gateway machine. Some of these provide stalwart protection, others invite disaster. Here are a few:

Physical Isolation:
Security level: Very high

The most simple and secure method. A host is isolated from the rest of the network. No Internet user can see the internal LAN, of course, nor can any LAN user see the Internet. The server itself is still open to attack, however. This method is therefore not very extensible. Adding a few small workstations (or kiosks) onto the server may increase usability somewhat, granting some corporate users access to the Internet at large. This requires additional hardware and cost, however.

Protocol Isolation:
Security level: High

If computers on the LAN need to see the Internet server, use this, the next most secure method: protocol isolation. This method is deceptively simple, based on the premise that 'Netspeak is TCP/IP. The Internet server needs to be outfitted with two NICs, one for the Internet proper and one for the internal LAN. The NIC connected to the Internet is bound to TCP/IP, and the other NIC is bound to IPX, NetBEUI, or some other network protocol that is not TCP/IP. The key is that the Internet requires the use of IP. Since the corporate LAN is running a different protocol, it cannot communicate with the Internet, and vice versa. This method is useful for corporations that have FTP servers and users who make data available for dissemination. The resources on the server are available from either direction, but traffic cannot be passed through. This is the standard firewall arrangement.

Third-party Router:
Security level: High

If you are running TCP/IP on a large corporate network with high volume or multiple subnets, you will likely want to use a third-party router connected to a leased line. Some routers will allow for packet filtering and tracing, as well as other features. If implemented correctly, it is usually very secure.

Full Gateway Machine:
Security level: Low

An internal LAN running TCP/IP served by an unprotected Internet gateway machine. Very little protection for the internal network is provided here. A skilled hacker will easily penetrate this type of setup; an unskilled hacker will also likely be able to break in. This setup relies on the host operating system to provide security through file permissions and intrinsic security features. Not highly recommended.

2/19/95
----------------------------------------------------------------------------