This article is a somewhat technical look at the underlying hardware, software protocols, TCP/IP, networking technology, security measures and more that make up an intranet.

Intranet
by: Pawan Bangar
Introduction to Intranets
What exactly is an intranet? The term is thrown around far more often than it is understood, and has become more of a buzzword than a commonly understood idea. Simply put, an intranet is a private network with Internet technology used as the underlying architecture.
An intranet is built using the Internet's TCP/IP protocols for communications.
TCP/IP protocols can be run on many hardware platforms and cabling schemes.
The underlying hardware is not what makes an intranet-it's the software
protocols that matter.
Intranets can co-exist with other
local area networking technology. In many companies, existing "legacy systems"
including mainframes, Novell networks, minicomputers, and various databases,
are being integrated into an intranet. A wide variety of tools allow this
to happen. Common Gateway Interface (CGI) scripting is often used to access
legacy databases from an intranet. The Java programming language can be
used to access legacy databases as well.
With the enormous growth of the Internet,
an increasing number of people in corporations use the Internet for communicating
with the outside world, for gathering information, and for doing business.
It didn't take long for people to recognize that the components that worked
so well on the Internet could be equally valuable internally and that is
why intranets are becoming so popular. Some corporations still do not have TCP/IP networks, and TCP/IP is the protocol required to access the resources of the Internet.
Creating an intranet in which all the information and resources can be
used seamlessly has many benefits. TCP/IP-based networks make it easy for
people to access the network remotely, such as from home or while traveling.
Dialing into an intranet in this way is much like connecting to the Internet, except that you're connecting to a private network instead of to a public Internet provider. It is also why such remote-access entry points need strong authentication: a dial-in port is a door into the private network. Interoperability between networks is another substantial bonus.
Security systems separate an intranet
from the Internet. A company's intranet is protected by firewalls-hardware
and software combinations that allow only certain people to access the
intranet for specific purposes.
Intranets can be used for anything
that existing networks are used for-and more. The ease of publishing information
on the World Wide Web has made them popular places for posting corporate
information such as company news or company procedures. Corporate databases
with easy-to-build front-ends use the Web and programming languages such
as Java.
Intranets allow people to work together
more easily and more effectively. Software known as groupware is another
important part of intranets. It allows people to collaborate on projects;
to share information; to do videoconferencing; and to establish secure
procedures for production work. Free server and client software and the
multitude of services, like newsgroups, stimulated the Internet's growth.
The consequence of that growth stimulated and fueled the growth of intranets.
The ease with which information can be shared, and with which people can
communicate with one another will continue to drive the building of intranets.
A Global View of an Intranet
An intranet is a private corporate
or educational network that uses the Internet's TCP/IP protocols for its
underlying transport. The protocols can run on a variety of network hardware,
and can also co-exist with other network protocols, such as IPX. People inside an intranet can reach the larger Internet's resources, but those on the Internet cannot get into the intranet, except through whatever restricted access the intranet deliberately allows.
Videoconferencing is an important application
that requires sending massive quantities of data. Intranets can be built
using components that allow the extremely high bandwidths required for
transferring such information.
Often an intranet is composed of a number
of different networks inside a corporation that all communicate with one
another via TCP/IP. These separate networks are often referred to as subnets.
Software that allows people to communicate
with each other via e-mail and public message boards and to collaborate
on work using workgroup software is among the most powerful intranet programs.
Applications that allow different corporate departments to post information,
and for people to fill out corporate forms, such as time sheets, and for
tapping into corporate financial information are very popular.
Much of the software used on intranets
is standard, off-the-shelf Internet software such as the Netscape Navigator and Microsoft Internet Explorer Web browsers. And customized programs are often
built, using the Java programming language and CGI scripting.
Intranets can also be used to allow
companies to do business-to-business transactions, such as ordering parts,
sending invoices, and making payments. For extra security, these intranet-to-intranet transactions need never go out over the public Internet, but can travel over private leased lines instead (a leased line keeps the traffic off the public network, though it does not by itself encrypt it).
Intranets are a powerful system for
allowing a company to do business online, for example, to allow anyone
on the Internet to order products. When someone orders a product on the
Internet, information is sent in a secure manner from the public Internet
to the company's intranet, where the order is processed and completed.
In order to protect sensitive corporate
information, and to ensure that hackers don't damage computer systems and
data, security barriers called firewalls protect an intranet from the Internet.
Firewall technology uses a combination of routers, servers and other hardware
and software to allow people on an intranet to use Internet resources,
but blocks outsiders from getting into the intranet.
Many intranets have to connect to "legacy
systems"-hardware and databases that were built before an intranet was
constructed. Legacy systems often use older technology not based on the intranet's TCP/IP protocols. There are a variety of ways in which intranets
can tie to legacy systems. A common way is to use CGI scripts to access
the database information and pour that data into HTML formatted text, making
it available to a Web browser.
Information sent across an intranet
is sent to the proper destination by routers, which examine each TCP/IP
packet for the IP address and determine the packet's destination. It then
sends the packet to the next router closest to the destination. If the
packet is to be delivered to an address on the same subnetwork of the intranet
it was sent from, the packet may be able to be delivered directly without
having to go through any other routers. If it is to be sent to another
subnetwork on the intranet, it will be sent to another internal router
address. If the packet is to be sent to a destination outside the intranet, in other words to an Internet destination, the packet is sent to a router that connects to the Internet.
How TCP/IP and IPX Work on Intranets
What distinguishes an intranet from
any other kind of private network is that it is based on TCP/IP-the same
protocols that apply to the Internet. TCP/IP refers to two protocols that
work together to deliver data: the Transmission Control Protocol (TCP)
and the Internet Protocol (IP). When you send information across an intranet, the data is broken into small packets. The packets are sent independently through a series of devices called routers. Once all the packets arrive at their destination, they are recombined into their original form. The Transmission Control Protocol breaks the data into packets and recombines them on the receiving end. The Internet Protocol handles the addressing and routing of the data so that each packet is forwarded toward the proper destination.
In some companies, there may be a mix
of TCP/IP-based intranets and networks based on other networking technology,
such as NetWare. In that instance, the TCP/IP technology of an intranet
can be used to send data between NetWare or other networks, using a technique
called IP tunneling. In this instance, we'll look at data being sent from
one NetWare network to another, via an intranet. NetWare networks use the IPX (Internetwork Packet Exchange) protocol as a way to deliver data, and TCP/IP routers can't forward that protocol. To get around this, when an IPX packet is to be sent across an intranet, it is first encapsulated inside an IP packet by a NetWare server specifically dedicated to providing the IP transport mechanism for IPX packets.
Data sent within an intranet must be broken up into packets small enough for the underlying network; on Ethernet that means no more than 1,500 bytes of payload per packet. TCP breaks the data into packets (segments). As it creates each packet, it calculates and adds a checksum to it. The checksum is computed over the contents of the packet, its header and every byte of data, so the receiver can tell whether any of those bytes changed in transit.
Each packet, along with the checksum,
is put into separate IP wrappers or "envelopes." These wrappers contain
information that details exactly where on the intranet-or the Internet-the
data is to be sent. All of the wrappers for a given piece of data have
the same addressing information so that they can all be sent to the same
location for reassembly.
The packets travel between networks
by intranet routers. Routers examine all IP wrappers and look at their
addresses. These routers determine the most efficient path for sending
each packet to its final destination. Since the traffic load on an intranet
often changes, the packets may be sent along different routes, and the
packets may arrive out of order. If the router sees the address is one
located inside the intranet, the packet may be sent directly to its destination,
or it may instead be sent to another router. If the address is located
out on the Internet, it will be sent to another router so it can be sent
across the Internet.
As the packets arrive at their destination,
TCP calculates a checksum for each packet. It then compares this checksum
with the checksum that has been sent in the packet. If the checksums don't
match, TCP knows that the data in the packet has been corrupted during
transmission. It then discards the packet; because the sender never receives an acknowledgment for it, the sender retransmits the original packet.
TCP includes the ability to check packets
and to determine that all the packets have been received. When all the
non-corrupt packets are received, TCP assembles them into their original,
unified form. The header information of the packets relays the sequence
of how to reassemble the packets.
An intranet treats the IP packet as
it would any other, and routes the packet to the receiving NetWare network.
On the receiving NetWare network, a NetWare TCP/IP server decapsulates the IP packet: it strips off the IP header, and reads the original IPX packet.
It can now use the IPX protocol to deliver the data to the proper destination.
How the OSI Model Works
A group called the International Organization for Standardization (ISO) has put together the Open Systems Interconnection (OSI) Reference Model, which is a model that describes seven layers of
protocols for computer communications. These layers don't know or care
what is on adjacent layers. Each layer, essentially, only sees the reciprocal
layer on the other side. The sending application layer sees and talks to
the application layer on the destination side. That conversation takes
place irrespective of, for example, what structure exists at the physical
layer, such as Ethernet or Token Ring. TCP/IP combines the OSI model's application, presentation, and session layers into one which is also called the application layer.
The application layer refers to application
interfaces, not programs like word processing. MHS (Message Handling Service)
is such an interface and it operates at this level of the OSI model. Again,
this segmentation and interface approach means that a variety of email
programs can be used on an intranet so long as they conform to the MHS
standard at this application interface level.
The presentation layer typically simply
provides a standard interface between the application layer and the network
layers. This type of segmentation allows for the great flexibility of the
OSI model since applications can vary endlessly, but, as long as the results
conform to this standard interface, the applications need not be concerned
with any of the other layers.
The session layer allows for the communication
between sender and destination. These conversations avoid confusion by
speaking in turn. A token is passed to control and to indicate which side
is allowed to speak. This layer executes transactions, like saving a file.
If something prevents it from completing the save, the session layer, which
has a record of the original state, returns to the original state rather
than allowing a corrupt or incomplete transaction to occur.
The transport layer segments the data
into acceptable packet sizes and is responsible for data integrity of packet
segments. There are several levels of service that can be implemented at
this layer, including segmenting and reassembly, error recovery, flow control,
and others.
The IP wrapper is put around the packet at the network or Internet layer. The header includes the source and destination addresses, the fragmentation fields (an identification number and a fragment offset), and other data necessary for correct routing and rebuilding at the destination.
The data-link layer frames the packets, for example for use with the Point-to-Point Protocol (PPP) on a serial link or with Ethernet on a LAN. In the IEEE model this layer has two sublayers: the Logical Link Control (LLC) sublayer defined by IEEE 802.2, and the Media Access Control (MAC) sublayer defined by IEEE 802.3 (Ethernet), 802.5 (Token Ring) and related standards.
Ethernet and Token Ring are the two most common LAN technologies. Their MAC sublayer moves frames over the cable based on the physical (MAC) address of each NIC (Network Interface Card), and their physical layer specifies the signalling and cabling, as laid out in the IEEE 802.3 and other specifications.
How TCP/IP Packets Are Processed
Protocols such as TCP/IP determine
how computers communicate with each other over networks such as the Internet.
These protocols work in concert with each other, and are layered on top
of one another in what is commonly referred to as a protocol stack. Each
layer of the protocol is designed to accomplish a specific purpose on both
the sending and receiving computers. The TCP/IP stack combines the application, presentation, and session layers into a single layer also called the application layer. Other than that change, it follows the OSI model. The
illustration below shows the wrapping process that occurs to transmit data.
The TCP/IP application layer formats the data being sent so that the layer below it, the transport layer, can send the data. It performs the equivalent actions that the top three layers of OSI perform: the application, presentation, and session layers.
The next layer down is the transport
layer, which is responsible for transferring the data, and ensures that
the data sent and the data received are in fact the same data-in other
words, that there have been no errors introduced during the sending of
the data. TCP divides the data it gets from the application layer into
segments. It attaches a header to each segment. The header contains information
that will be used on the receiving end to ensure that the data hasn't been
altered en route, and that the segments can be properly recombined into
their original form.
The third layer prepares the data for delivery by putting it into IP datagrams, and determining the proper Internet address for those datagrams. The IP protocol works in the Internet layer, also called the network layer. It puts an IP wrapper with a header onto each segment. The IP header includes information such as the IP addresses of the sending and receiving computers, the length of the datagram, a header checksum, and fragmentation fields (an identification number and a fragment offset). The fragmentation fields are included because the datagram could conceivably exceed the size allowed for packets on a particular network, and so would need to be broken into smaller fragments; the offset allows the fragments to be recombined in the proper order.
The next layer down, the data link layer, uses protocols such as the Point-to-Point Protocol (PPP) or Ethernet to put the IP datagram into a frame. This is done by putting a header (the third header, after the TCP header and the IP header) and a trailer around the IP datagram to frame it. The trailer carries a CRC (cyclic redundancy check) value that lets the receiver detect errors introduced as the frame travels over that link.
The final layer is the physical network layer, which specifies the physical characteristics of the network being used to send data. It describes the actual hardware standards, such as the Ethernet specification. The frame is addressed with the hardware (MAC) address of the next hop, which the sending host resolves from that hop's IP address, and the layer sends the frame over the wire as a stream of bits.
On the receiving computer, the packet travels through the stack, but in the opposite order from which the packet was created. In other words, it starts at the bottom layer, and moves its way up through the protocol stack. As it moves up, each layer checks and strips off the header information that was added by the corresponding layer of the sending computer's TCP/IP stack.
The physical network layer receives the bits from the wire and reassembles them into a frame, which it passes up to the data link layer.
The data link layer checks that the CRC for the frame is right, that is, that the frame hasn't been altered while it was sent over the link. It strips off the frame header and the CRC trailer, and sends the IP datagram up to the Internet layer.
The Internet layer verifies the IP header checksum and checks whether the packet is a fragment. If it is, it holds the fragments until it can put them back together into the original datagram. It then strips off the IP header, and uses the protocol field from that header to decide which transport protocol, TCP or UDP, should get the data.
The transport layer protocol verifies its own checksum, which covers the whole segment end to end, strips off its header, and sends the data to the receiving application.
The application layer gets the data and performs, in this case, an HTTP request.
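As an added example (not code from the original article), the following Python script carries a constructed HTTP request down through a minimal stack, wrapping it in a TCP segment, an IPv4 datagram and an Ethernet frame, and then unwraps it on the receiving side, verifying each layer's check on the way up. It illustrates both the checksum discussion in the earlier TCP/IP section and the layer-by-layer processing described here. The MAC and IP addresses, ports and payload are constructed sample values. It also shows why the link-layer CRC is not enough on its own: a bit flipped inside a router, after the CRC was checked and before the datagram was re-framed for the next link, can only be caught by the end-to-end IP and TCP checksums.

```python
"""Encapsulation and decapsulation through a minimal TCP/IP stack.
Added example, not code from the original article: a constructed HTTP request is
wrapped in TCP, IPv4 and Ethernet, then unwrapped with every layer's check verified.
All addresses, ports and the payload below are constructed sample values."""
import struct
import zlib

ETH_TYPE_IPV4, IP_PROTO_TCP = 0x0800, 6
SRC_MAC, DST_MAC = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")  # constructed
SRC_IP, DST_IP = "130.97.1.1", "130.97.2.1"     # hosts on the article's two sample subnets
PAYLOAD = b"GET /index.html HTTP/1.0\r\n\r\n"  # constructed sample request

def internet_checksum(data):
    """RFC 1071 one's-complement checksum used by the IP and TCP headers. Run over a
    received header including its checksum field, a good header yields 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                       # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def ip_bytes(addr):
    return bytes(int(octet) for octet in addr.split("."))

def build_tcp(src_ip, dst_ip, src_port, dst_port, seq, payload):
    """Transport layer: 20-byte TCP header plus data; the checksum also covers a
    pseudo-header of IP addresses, protocol and length (end-to-end protection)."""
    header = struct.pack("!HHIIBBHHH", src_port, dst_port, seq, 0, 5 << 4, 0x18, 65535, 0, 0)
    pseudo = ip_bytes(src_ip) + ip_bytes(dst_ip) + struct.pack("!BBH", 0, IP_PROTO_TCP, len(header) + len(payload))
    csum = internet_checksum(pseudo + header + payload)
    return header[:16] + struct.pack("!H", csum) + header[18:] + payload

def build_ip(src_ip, dst_ip, proto, payload, ident=0x1234):
    """Internet layer: 20-byte IPv4 header (DF set, unfragmented) with header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident, 0x4000,
                      64, proto, 0, ip_bytes(src_ip), ip_bytes(dst_ip))
    return hdr[:10] + struct.pack("!H", internet_checksum(hdr)) + hdr[12:] + payload

def build_frame(src_mac, dst_mac, datagram):
    """Data link layer: Ethernet II header in front, CRC-32 frame check sequence behind."""
    body = dst_mac + src_mac + struct.pack("!H", ETH_TYPE_IPV4) + datagram
    return body + struct.pack("<I", zlib.crc32(body))

def unwrap(frame):
    """Receiving side: walk up the stack, raising ValueError at the first failed
    check, and return what the application layer would receive."""
    body, fcs = frame[:-4], struct.unpack("<I", frame[-4:])[0]
    if zlib.crc32(body) != fcs:
        raise ValueError("data link: FCS mismatch, frame corrupted on the wire")
    if struct.unpack("!H", body[12:14])[0] != ETH_TYPE_IPV4:
        raise ValueError("data link: not an IPv4 frame")
    datagram = body[14:]
    ihl = (datagram[0] & 0x0F) * 4
    if internet_checksum(datagram[:ihl]) != 0:
        raise ValueError("internet: IP header checksum mismatch")
    total_len, flags_frag = struct.unpack("!HxxH", datagram[2:8])
    if flags_frag & 0x3FFF:                  # MF bit or non-zero offset: a fragment
        raise ValueError("internet: fragment reassembly not modelled here")
    proto = datagram[9]
    if proto != IP_PROTO_TCP:
        raise ValueError("internet: protocol %d is not TCP" % proto)
    segment = datagram[ihl:total_len]
    pseudo = datagram[12:20] + struct.pack("!BBH", 0, proto, len(segment))
    if internet_checksum(pseudo + segment) != 0:
        raise ValueError("transport: TCP checksum mismatch")
    src_port, dst_port, seq = struct.unpack("!HHI", segment[:8])
    data = segment[(segment[12] >> 4) * 4:]
    addrs = [".".join(str(b) for b in datagram[i:i + 4]) for i in (12, 16)]
    return {"src": (addrs[0], src_port), "dst": (addrs[1], dst_port), "seq": seq, "data": data}

def demo_frame():
    segment = build_tcp(SRC_IP, DST_IP, 40000, 80, 1000, PAYLOAD)
    return build_frame(SRC_MAC, DST_MAC, build_ip(SRC_IP, DST_IP, IP_PROTO_TCP, segment))

def corrupt_and_unwrap(frame, offset, reframed=False):
    """Flip one bit at `offset` and report which layer rejects it. reframed=True
    recomputes the FCS after the flip, modelling damage inside a router after it
    checked the CRC but before it re-framed the datagram for the next link: the
    hop-by-hop CRC then passes and only the end-to-end checksums can catch it."""
    mutated = bytearray(frame)
    mutated[offset] ^= 0x01
    if reframed:
        mutated[-4:] = struct.pack("<I", zlib.crc32(bytes(mutated[:-4])))
    try:
        unwrap(bytes(mutated))
    except ValueError as err:
        return str(err)
    return "undetected"

if __name__ == "__main__":
    frame = demo_frame()
    print(unwrap(frame))
    print(corrupt_and_unwrap(frame, 57))                 # payload byte: the FCS catches it
    print(corrupt_and_unwrap(frame, 57, reframed=True))  # same flip past the CRC: TCP catches it
    print(corrupt_and_unwrap(frame, 22, reframed=True))  # TTL byte: the IP header checksum catches it
```

Offsets in the demo count from the start of the frame: 14 bytes of Ethernet header, 20 of IP header and 20 of TCP header, so byte 57 is inside the payload and byte 22 is the IP TTL field. Neither checksum is a security control, as all three are trivially recomputed by anyone who can modify the packet deliberately; they detect accidents, not attackers.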
How Bridges Work
Bridges are hardware and software
combinations that connect different parts of a single network, such as
different sections of an intranet. They connect local area networks (LANs)
to each other. They are generally not used, however, for connecting entire
networks to each other, for example, for connecting an intranet to the
Internet, or an intranet to an intranet, or to connect an entire subnetwork
to an entire subnetwork. To do that, more sophisticated pieces of technology
called routers are used.
When there is a great amount of traffic on an Ethernet local area network, packets can collide with one another, reducing the efficiency of the network, and slowing down network traffic. Packets collide because all the workstations on a shared Ethernet segment transmit over the same medium, and every frame is seen by every station on that segment.
In order to cut down on the collision
rate, a single LAN can be subdivided into two or more LANs. For example,
a single LAN can be subdivided into several departmental LANs. Most of
the traffic in each departmental LAN stays within the department LAN, and
so it needn't travel through all the workstations on all the LANs on the
network. In this way, collisions are reduced. Bridges are used to link
the LANs. The only traffic that needs to travel across bridges is traffic
bound for another LAN. Any traffic within the LAN need not travel across
a bridge.
Each packet of data on an intranet has more information in it than just the IP information. It also includes addressing information required for the underlying network architecture, such as the hardware (MAC) addresses used on an Ethernet network. Bridges look at this outer hardware addressing information, not the IP addresses, and deliver the packet to the proper address on a LAN.
Bridges consult a learning table that maps the hardware addresses of the network nodes it has seen to the port on which each was seen. If a bridge finds that a packet belongs on its own LAN, it keeps the packet inside the LAN. If it finds that the destination workstation is on another LAN, it forwards the packet; if it has not yet seen the destination address at all, it floods the packet out every other port. The bridge constantly updates the learning table from the source addresses of the frames it handles.
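The learning-table behaviour described above, as an added example in Python that is not part of the original article. The MAC addresses, port numbers and the sequence of frames are constructed sample data. The last two frames in the walk-through show why a bridge's separation of LANs is not a security boundary: the table is learned from unauthenticated source addresses, so a station on one LAN that forges another host's address redirects that host's traffic to itself.

```python
"""Transparent (learning) bridge simulation.
Added example, not from the original article: models the learning table a bridge
keeps and the keep/forward/flood decision it makes per frame. The MAC addresses
and the sequence of frames are constructed sample data."""

BROADCAST = "ff:ff:ff:ff:ff:ff"

class LearningBridge:
    def __init__(self, ports):
        self.ports = list(ports)
        self.table = {}          # hardware address -> port it was last seen on

    def receive(self, in_port, src, dst):
        """Handle one frame arriving on in_port; return the ports it is sent out on."""
        self.table[src] = in_port          # learn: the source address lives behind in_port
        out = self.table.get(dst)
        if dst == BROADCAST or out is None:
            return [p for p in self.ports if p != in_port]   # unknown or broadcast: flood
        if out == in_port:
            return []                      # destination is on the same LAN: filter, keep local
        return [out]                       # destination known on another LAN: forward there

def walk_through():
    """Two LANs on ports 1 (engineering) and 2 (payroll); returns the per-frame decisions
    and the final table. The last two frames show the classic weakness of a learning
    table: a station on port 2 that forges A's source address hijacks A's entry."""
    bridge = LearningBridge(ports=[1, 2])
    A, B, C = "00:00:00:00:00:0a", "00:00:00:00:00:0b", "00:00:00:00:00:0c"
    decisions = [
        bridge.receive(1, A, B),   # B unknown: flooded to port 2 (payroll sees engineering's frame)
        bridge.receive(2, B, A),   # A learned on port 1: forwarded only there
        bridge.receive(1, A, B),   # B learned on port 2: forwarded only there
        bridge.receive(1, C, A),   # A and C share a LAN: filtered, never crosses the bridge
        bridge.receive(2, A, B),   # forged source A arriving on port 2: table now says A is on 2
        bridge.receive(2, B, A),   # B's reply to A is kept on LAN 2, where the forger can read it
    ]
    return decisions, dict(bridge.table)

if __name__ == "__main__":
    for step, ports in enumerate(walk_through()[0], 1):
        print("frame %d -> ports %s" % (step, ports))
```

The flood on the first frame is the other point worth noticing: until the bridge has learned an address, frames for it are copied to every LAN, so a bridge never guarantees that one department's traffic stays on its own segment.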
Bridges can connect LANs in a variety
of different ways. They can connect LANs using serial connections over
traditional phone lines and modems, over ISDN lines, and over direct cable
connections. CSU/DSU units are used to connect bridges to telephone lines
for remote connectivity.
Bridges and routers are sometimes combined
into a single product called a brouter. A brouter handles both bridging
and routing tasks. If the data needs to be sent only to another LAN on
the network or subnetwork, it will act only as a bridge delivering the
data based on the Ethernet address. If the destination is another network
entirely, it will act as a router, examining the IP packets and routing
the data based on the IP address.
How Intranet Routers Work
Just as routers direct traffic on the Internet, sending information to its proper destination, routers on an intranet perform the same function. Routers, equipment that is a combination
of hardware and software-can send the data to a computer on the same sub
network inside the intranet, to another network on the intranet, or outside
to the Internet. They do this by examining header information in IP packets,
and then sending the data on its way. Typically, a router will send the
packet to the next router closest to the final destination, which in turn
sends it to an even closer router, and so on, until the data reaches its
intended recipient.
A router has input ports for receiving
IP packets, and output ports for sending those packets toward their destination.
When a packet comes to the input port, the router examines the packet header,
and checks the destination in it against a routing table-a database that
tells the router how to send packets to various destinations.
Based on the information in the routing
table, the packet is sent to a particular output port, which sends the
packet to the next closest router to the packet's destination.
If packets come to the input port more
quickly than the router can process them, they are sent to a holding area
called an input queue. The router then processes packets from the queue
in the order they were received. If the number of packets received exceeds
the capacity of the queue (called the length of the queue), packets may
be lost. When this happens, the TCP protocol on the sending and receiving
computers will have the packets re-sent.
In a simple intranet that is a single, completely self-contained network, and in which there are no connections to any other network or to the Internet, only minimal routing need be done, and so the routing table in the router is exceedingly simple with very few entries; on Unix systems it is constructed automatically when the network interfaces are configured, for example by the ifconfig program.
In a slightly more complicated intranet
which is composed of a number of TCP/IP-based networks, and connects to
a limited number of TCP/IP-based networks, static routing will be required.
In static routing, the routing table has specific ways of routing data
to other networks. Only those pathways can be used. Intranet administrators
can add routes to the routing table. Static routing is more flexible than
minimal routing, but it can't change routes as network traffic changes,
and so isn't suitable for many intranets.
In more complex intranets, dynamic routing
will be required. Dynamic routing is used to permit multiple routes for
a packet to reach its final destination. Dynamic routing also allows routers
to change the way they route information based on the amount of network
traffic on some paths and routers. In dynamic routing, the routing table
is called a dynamic routing table and changes as network conditions change.
The tables are built dynamically by routing protocols, and so constantly
change according to network traffic and conditions.
There are two broad types of routing
protocols: interior and exterior. Interior routing protocols are typically
used on internal routers inside an intranet that routes traffic bound only
for inside the intranet. A common interior routing protocol is the Routing Information Protocol (RIP). Exterior protocols are typically used for external routers on the Internet. The classic exterior protocol is the Exterior Gateway Protocol (EGP), which has since been superseded by the Border Gateway Protocol (BGP).
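The routing-table lookup and the static routing described above, as an added example in Python that is not part of the original article. It models a router for the 130.97.0.0 intranet with two directly attached subnets, a static route for the rest of the intranet through an internal router, and a default route toward the Internet, and it includes the bounded input queue that drops packets when a burst exceeds its length. Routes, addresses, port names and the queue length are constructed sample values. Note what the default route does: anything the table does not otherwise match is sent toward the Internet, which is why the firewall must sit on that path and why a stray default route on an internal router is worth auditing.

```python
"""Static routing table with longest-prefix match and a bounded input queue.
Added example, not from the original article: a router with a few static routes
decides, per destination, whether to deliver directly on an attached subnet, hand
the packet to an internal next-hop router, or use the default route toward the
Internet. Routes, addresses and the queue length are constructed sample values."""
import ipaddress
from collections import deque

class Router:
    def __init__(self, queue_len=4):
        self.routes = []             # (network, next_hop or None for direct delivery, output port)
        self.queue = deque()
        self.queue_len = queue_len   # capacity of the input queue
        self.dropped = 0

    def add_route(self, prefix, out_port, next_hop=None):
        net = ipaddress.ip_network(prefix, strict=True)   # rejects e.g. "130.97.1.5/24"
        self.routes.append((net, next_hop, out_port))
        # Most specific prefix first, so the first match is the longest match.
        self.routes.sort(key=lambda route: route[0].prefixlen, reverse=True)

    def lookup(self, dst):
        """Return (output port, address the frame is handed to), or None if no route."""
        addr = ipaddress.ip_address(dst)
        for net, next_hop, port in self.routes:
            if addr in net:
                return port, next_hop or dst   # direct delivery: next hop is the host itself
        return None

    def enqueue(self, dst):
        """Input queue: when it is full the packet is lost and TCP must retransmit it."""
        if len(self.queue) >= self.queue_len:
            self.dropped += 1
            return False
        self.queue.append(dst)
        return True

    def process(self):
        """Drain the queue in arrival order, returning (destination, decision) pairs."""
        decisions = []
        while self.queue:
            dst = self.queue.popleft()
            decisions.append((dst, self.lookup(dst)))
        return decisions

def build_router():
    """Constructed table for the article's 130.97.0.0 intranet with two attached subnets."""
    router = Router(queue_len=4)
    router.add_route("130.97.1.0/24", out_port="eth0")                           # attached subnet
    router.add_route("130.97.2.0/24", out_port="eth1")                           # attached subnet
    router.add_route("130.97.0.0/16", out_port="eth1", next_hop="130.97.2.254")  # rest of the intranet
    router.add_route("0.0.0.0/0", out_port="ppp0", next_hop="203.0.113.1")      # default: the Internet
    return router

def route_batch(router, destinations):
    """Offer a burst of packets to the input port, then process what was accepted."""
    accepted = [router.enqueue(dst) for dst in destinations]
    return accepted, router.process(), router.dropped

if __name__ == "__main__":
    r = build_router()
    burst = ["130.97.1.7", "130.97.2.1", "130.97.9.3", "198.51.100.5", "130.97.1.8"]
    accepted, decisions, dropped = route_batch(r, burst)
    for dst, decision in decisions:
        print(dst, "->", decision)
    print("dropped:", dropped)    # the fifth packet overflowed the 4-slot queue
```

The sort by prefix length is what makes 130.97.2.1 go out directly on eth1 rather than to the 130.97.0.0/16 next hop: the more specific /24 wins over the /16, and both win over the /0 default.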
Intranets come in different sizes. In
a small company, an intranet can be composed of only a handful of computers.
In a medium-sized business, it may include dozens or hundreds of computers.
And in a large corporation, there may be thousands of computers spread
across the globe, all connected to a single intranet. When intranets get
large, they need to be subdivided into individual subnets or subnetworks.
To understand how subnetting works,
you first need to understand IP addresses. Every IP address is a 32-bit
numeric address that uniquely identifies a network and then a specific
host on that network. The IP address is divided into two sections: the
network section, called the netid, and the host section, called the hostid.
Each 32-bit IP address is handled
differently, according to what class of network the address refers to.
There are three main classes of network addresses: Class A, Class B, and
Class C. In some classes, more of the 32-bit address space is devoted to
the netid, while in others, more of the address space is devoted to the
hostid. In a Class A network, the netid is composed of 8 bits, while the
hostid is composed of 24 bits. In a Class B network, both the netid and
the hostid are composed of 16 bits. In a Class C network, the netid is
composed of 24 bits, while the hostid is composed of 8 bits. There's a
simple way of knowing what class a network is in. If the first number of the IP address is less than 128, the network is a Class A address. If the first number is from 128 to 191, it's a Class B network. If the first number is from 192 to 223, it's a Class C network. Numbers above 223 are reserved for other purposes. The smaller the netid, the fewer networks can be assigned, but the more hosts each of those networks can hold. A Class A address is best for large networks while a Class C is best for small ones.
To create a subnet, the demarcation
line on the IP address is moved between the netid and the hostid, to give
the netid more bits to work with and to take away bits from the hostid.
To do this, a special number called a subnet mask is used.
Subnetting is used when intranets
grow over a certain size and they begin to have problems. One problem is
management of host IP addresses-making sure that every computer on the
network has a proper, up-to-date host address, and that old host addresses
are put out of use until needed in the future. In a corporation spread
out over several locations-or across the world-it's difficult, if not impossible,
to have one person responsible for managing the host addresses at every
location and department in the company.
Another problem has to do with a
variety of hardware limitations of networks. Dissimilar networks may all
be part of an intranet. An intranet may have some sections that are Ethernet,
other sections that are Token Ring networks, and conceivably other sections
that use different networking technologies altogether. There is no easy
way for an intranet router to link these dissimilar networks together and
route the information to the proper places.
Another set of problems has to do
with the physical limitations of network technology. In some kinds of networks,
there are some strict limitations on how far cables can extend in the network.
In other words, you can't go over a certain distance of cabling without
using repeaters or routers. A "thick" Ethernet (10BASE5) segment, for example, can only be extended to 500 meters, while a "thin" Ethernet (10BASE2) segment can only go to 185 meters. Routers can be used to link these cables together, so
that an intranet can be extended well beyond those distances. But when
that is done, each length of wire is essentially considered its own subnetwork.
Yet one more set of problems has
to do with the volume of traffic that travels across an intranet. Often
in a corporation, in a given department, most of the traffic is intradepartmental
traffic, in other words mail and other data that people within a department send to one another. The volume of traffic outside to other departments
is considerably less. What's called for is a way to confine intradepartmental
traffic inside the departments, to cut down on the amount of data that
needs to be routed and managed across the entire intranet.
Subnetting solves all these problems
and more. When an intranet is divided into subnets, one central administrator
doesn't have to manage every aspect of the entire intranet. Instead, each
subnet can take care of its own administration. That means smaller organizations
within the larger organization can take care of problems such as address
management and a variety of troubleshooting chores. If an intranet is subnetted
by divisions or departments, it means that each division or department
can guide the development of its own network, while adhering to general
intranet architecture. Doing this allows departments or divisions more
freedom to use technology to pursue their business goals.
Subnets also get around problems
that arise when an intranet has within it different kinds of network architecture,
such as Ethernet and Token Ring technologies. Normally-if there is no subnetting-a
router can't link these different networks together because they don't
have their own addresses. However, if each of the different networks is
its own subnet-and so has its own network address-routers can then link
them together and properly route intranet traffic.
Subnetting can also cut down on the
traffic traveling across the intranet and its routers. Since much network
traffic may be confined within departments, having each department be its
own subnet means that all that traffic need never cross an intranet router
and cross the intranet-it will stay within its own subnet.
Subnetting can also help the security of an intranet. If the payroll department, for example, were on its own subnet, then much of its traffic would not have to travel across the rest of the intranet, where someone on another segment could conceivably capture it and read it. Confining the data to its own subnet makes that less likely. A subnet boundary by itself only reduces exposure, though: it is the router or firewall between subnets, filtering what may cross, that actually enforces the separation, and anything sent across a shared Ethernet segment can still be read by every host on that segment.
Dividing an intranet into subnets
can also make the entire intranet more stable. If an intranet is divided
in this way, then if one subnet goes down or is often unstable, it won't
affect the rest of the intranet.
This all may sound rather confusing.
To see how it's done, let's take a look at a network, and see how to use
the IP address to create subnets. Let's say we have a Class B network.
That network is assigned the address of 130.97.0.0. When a network is given
an address, it is assigned the netid numbers-in this case, the 130.97-and
it can assign the host numbers (in this case, 0.0) in any way that it chooses.
The 130.97.0.0 network is a single
intranet. It's getting too large to manage, though, and we've decided to
divide it into two subnets. What we do is fairly straightforward. We take
a number from the hostid field and use it to identify each of the subnets.
So one subnet gets the address 130.97.1.0, and the other gets the address
130.97.2.0. Individual machines on the first subnet get addresses of 130.97.1.1,
130.97.1.2, and so on. Individual machines on the second subnet get addresses
of 130.97.2.1, 130.97.2.2 and so on.
Sounds simple. But we have a problem.
The Internet doesn't recognize 130.97.1.0 and 130.97.2.0 as separate networks.
It treats them both as 130.97.0.0 since the "1" and "2" that we're using
as a netid is only known to the Internet as a hostid. So our intranet router
will not be able to route incoming traffic to the proper network.
To solve the problem, a subnet mask
is used. A subnet mask is a 32-bit number in IP form used by intranet routers
and hosts that will help routers understand how to route information to
the proper subnet. To the outside Internet, there is still only one network,
but the subnet mask allows routers inside the intranet to send traffic
to the proper host.
A subnet mask is a number such as
255.255.255.0 (the built-in default for Class C addresses; the Class B
default is 255.255.0.0 and the default for Class A is 255.0.0.0). A router
takes the subnet mask and applies that number against the IP number of
incoming mail to the network by using it to perform a calculation. Based
on the resulting IP number, it will route mail to the proper subnet, and
then to a particular computer on the subnet. For consistency, everyone
in a particular intranet will use the same subnet mask.
Subnetting an Intranet
When intranets are over a certain
size, or are spread over several geographical locations, it becomes difficult
to manage them as a single network. To solve the problem, the single intranet
can be subdivided into several subnets, subsections of an intranet that
make them easier to manage. To the outside world, the intranet still looks
as if it's a single network.
If you're building an intranet and want
it to be connected to the Internet, you'll need a unique IP address for
your intranet network, which the InterNIC Registration Services will handle.
There are three classes of intranet you can have: Class A, Class B, or
Class C. Generally, a Class A rating is best for the largest networks,
while a Class C is best for the smallest. A Class A network can be composed
of 127 networks, and a total of 16,777,214 nodes on the network. A Class
B network can be composed of 16,383 networks, and a total of 65,534 nodes.
A Class C network can be composed of 2,097,151 networks, and 254 nodes.
When an intranet is assigned an address,
it is assigned the first two IP numbers of the Internet numeric address
(called the netid field) and the remaining two numbers (called the hostid
field) are left blank, so that the intranet itself can assign them, such
as 147.106.0.0. The hostid field consists of a number for a subnet and
a host number.
When an intranet is connected to the
Internet, a router handles the job of sending packets into the intranet
from the Internet. In our example, all incoming mail and data comes to
a router for a network with the netid of 147.106.0.0.
When intranets grow, for example if
there is a department located in another building, city, or country, there
needs to be some way to manage network traffic. It may be impractical and
physically impossible to route all the data necessary among many different
computers spread across a building or the world. A second network, called
a subnetwork or subnet, needs to be created.
In order to have a router handle all
incoming traffic for a subnetted intranet, the first byte of the hostid
field is used. The bits that are used to distinguish among subnets are
called subnet numbers. In our example, there are two subnets on the intranet.
To the outside world, there appears to be only one network.
Each computer on each subnet gets its
own IP address, as in a normal intranet. The combination of the netid field,
the subnet number, and then finally a host number, forms the IP address.
The router must be informed that the
hostid field in subnets must be treated differently than non-subnetted
hostid fields, otherwise it won't be able to properly route data. In order
to do this, a subnet mask is used. A subnet mask is a 32-bit number such
as 255.255.0.0 that is used in concert with the numbers in the hostid field.
When a calculation is performed using the subnet mask and the IP address,
the router knows where to route the mail. The subnet mask is put in people's
network configuration files.
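The mask calculation described above, for both the 130.97.0.0 walk-through and the 147.106.0.0 router example, as an added Python example that is not part of the original article: it ANDs addresses with the Class B default mask and with a subnet mask, showing why the Internet sees one network while the intranet router sees two subnets. The host addresses and the 255.255.255.0 subnet mask are taken from the article; the helper function names are this example's own.

```python
import ipaddress

# Constructed walk-through of the article's figures: the Class B network
# 130.97.0.0 is split into subnets 130.97.1.0 and 130.97.2.0 by borrowing
# the first byte of the hostid field for a subnet number.
CLASS_B_DEFAULT_MASK = "255.255.0.0"   # covers only the netid, 130.97
SUBNET_MASK = "255.255.255.0"          # netid plus one subnet byte


def _to_int(addr):
    return int(ipaddress.IPv4Address(addr))


def apply_mask(ip, mask):
    """The router's calculation: bitwise AND of the address and the mask."""
    return str(ipaddress.IPv4Address(_to_int(ip) & _to_int(mask)))


def split_address(ip, mask, default_mask=CLASS_B_DEFAULT_MASK):
    """Return (netid, subnet number, host number) as the intranet sees them.

    Subnet bits are those set in mask but not in the class default mask;
    host bits are those the mask leaves clear."""
    ip_i, mask_i, default_i = _to_int(ip), _to_int(mask), _to_int(default_mask)
    host_bits = 32 - ipaddress.IPv4Network(f"0.0.0.0/{mask}").prefixlen
    netid = str(ipaddress.IPv4Address(ip_i & default_i))
    subnet = (ip_i & mask_i & ~default_i & 0xFFFFFFFF) >> host_bits
    host = ip_i & ~mask_i & 0xFFFFFFFF
    return netid, subnet, host


def same_subnet(a, b, mask):
    """True when a and b share a subnet, so their traffic never hits the router."""
    return apply_mask(a, mask) == apply_mask(b, mask)


def group_hosts(hosts, mask):
    """Group hosts by the network the mask yields: the view a router has."""
    groups = {}
    for h in hosts:
        groups.setdefault(apply_mask(h, mask), []).append(h)
    return groups


# Constructed hosts on the article's two subnets.
HOSTS = ["130.97.1.1", "130.97.1.2", "130.97.2.1", "130.97.2.2"]

if __name__ == "__main__":
    print(group_hosts(HOSTS, CLASS_B_DEFAULT_MASK))  # Internet: one network
    print(group_hosts(HOSTS, SUBNET_MASK))           # intranet: two subnets
    print(split_address("130.97.2.7", SUBNET_MASK))  # ('130.97.0.0', 2, 7)
```

Run with the default mask every host collapses into 130.97.0.0; with the subnet mask the same hosts fall into 130.97.1.0 and 130.97.2.0, which is exactly the distinction the router needs.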
Overview of an Intranet Security System
Any intranet is vulnerable to attack
by people intent on destruction or on stealing corporate data. The open
nature of the Internet and TCP/IP protocols exposes a corporation to attack.
Intranets require a variety of security measures, including hardware and
software combinations that provide control of traffic; encryption and passwords
to validate users; and software tools to prevent and cure viruses, block
objectionable sites, and monitor traffic.
The generic term for a line of defense
against intruders is a firewall. A firewall is a hardware/software combination
that controls the type of services allowed to or from the intranet.
Proxy servers are another common tool
used in building a firewall. A proxy server allows system administrators
to track all traffic coming in and out of an intranet.
A bastion server firewall is configured
to withstand and prevent unauthorized access or services. It is typically
segmented from the rest of the intranet in its own subnet or perimeter
network. In this way, if the server is broken into, the rest of the intranet
won't be compromised.
Server-based virus-checking software
can check every file coming into the intranet to make sure that it's virus-free.
Authentication systems are an important
part of any intranet security scheme. Authentication systems are used to
ensure that anyone trying to log into the intranet or any of its resources
is the person they claim to be. Authentication systems typically use user
names, passwords, and encryption systems.
Server-based site-blocking software
can bar people on an intranet from getting objectionable material. Monitoring
software tracks where people have gone and what services they have used,
such as HTTP for Web access.
One way of ensuring that the wrong people
or erroneous data can't get into the intranet is to use a filtering router.
This is a special kind of router that examines the IP address and header
information in every packet coming into the network, and allows in only
those packets that have addresses or other data, like e-mail, that the
system administrator has decided should be allowed into the intranet.
All intranets are vulnerable to attack.
Their underlying TCP/IP architecture is identical to that of the Internet.
Since the Internet was built for maximum openness and communication, there
are countless techniques that can be used to attack intranets. Attacks
can involve the theft of vital company information and even cash. Attacks
can destroy or deny a company's computing resources and services. Attackers
can break in or pose as a company employee to use the company's intranet
resources.
Firewalls are hardware and software
combinations that block intruders from access to an intranet while still
allowing people on the intranet to access the resources of the Internet.
Depending on how secure a site needs to be, and on how much time, money,
and resources can be spent on a firewall, there are many kinds that can
be built. Most of them, though, are built using only a few elements. Servers
and routers are the primary components of firewalls.
Most firewalls use some kind of packet
filtering. In packet filtering, a screening router or filtering router
looks at every packet of data traveling between an intranet and the Internet.
Proxy servers on an intranet are
used when someone from the intranet wants to access a server on the Internet.
A request from the user's computer is sent to the proxy server instead
of directly to the Internet. The proxy server contacts the server on the
Internet, receives the information from the Internet, and then sends the
information to the requester on the intranet. By acting as a go-between
like this, proxy servers can filter traffic and maintain security as well
as log all traffic between the Internet and the network.
Bastion hosts are heavily fortified
servers that handle all incoming requests from the Internet, such as FTP
requests. A single bastion host handling incoming requests makes it easier
to maintain security and track attacks. In the event of a break in, only
that single host has been compromised, instead of the entire network. In
some firewalls, multiple bastion hosts can be used, one for each different
kind of intranet service request.
How Firewalls Work
Firewalls protect intranets from
any attacks launched against them from the Internet. They are designed
to protect an intranet from unauthorized access to corporate information,
and damaging or denying computer resources and services. They are also
designed to stop people on the intranet from accessing Internet services
that can be dangerous, such as FTP.
Intranet computers are allowed access
to the Internet only after passing through a firewall. Requests have to
pass through an internal screening router, also called an internal filtering
router or choke router. This router prevents packet traffic from being sniffed
remotely. A choke router examines all packets for information such as
the source and destination of the packet.
The router compares the information
it finds to rules in a filtering table, and passes or drops the packets
based on those rules. For example, some services, such as rlogin, may not
be allowed to run. The router also might not allow any packets to be sent
to specific suspicious Internet locations. A router can also block every
packet traveling between the Internet and the internal network, except
for e-mail. System administrators set the rules for determining which packets
to allow in and which to block.
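The filtering-table lookup described above, as an added Python example that is not the article's code: a rule table that drops rlogin, drops packets bound for a constructed "suspicious" address block, allows e-mail only into a mail host and out of the intranet, and drops everything else. The 147.106.0.0 netid is the article's; the mail host address, the block list and the sample packets are constructed for this example.

```python
from ipaddress import ip_address, ip_network

# Constructed example of a screening (choke) router's filtering table.
# The intranet netid 147.106.0.0 is the article's; the mail host, the
# suspicious address block and the sample packets are made up here.
INTRANET = ip_network("147.106.0.0/16")
MAIL_HOST = ip_address("147.106.1.25")          # constructed
SUSPICIOUS = [ip_network("203.0.113.0/24")]     # constructed block list


def direction(pkt):
    """'in', 'out', 'internal' or 'transit', from source and destination."""
    src_in, dst_in = (ip_address(pkt[k]) in INTRANET for k in ("src", "dst"))
    if src_in != dst_in:
        return "in" if dst_in else "out"
    return "internal" if src_in else "transit"


def is_smtp(pkt):
    return pkt["proto"] == "tcp" and pkt["dport"] == 25


# Filtering table: checked top to bottom, first match wins, unmatched dropped.
RULES = [
    ("rlogin not permitted", "drop",
     lambda p, d: p["proto"] == "tcp" and p["dport"] == 513),
    ("suspicious destination", "drop",
     lambda p, d: any(ip_address(p["dst"]) in n for n in SUSPICIOUS)),
    ("inbound e-mail to mail host", "allow",
     lambda p, d: d == "in" and is_smtp(p) and ip_address(p["dst"]) == MAIL_HOST),
    ("outbound e-mail", "allow",
     lambda p, d: d == "out" and is_smtp(p)),
]
DEFAULT = ("no matching rule", "drop")


def filter_packet(pkt):
    """Return (action, rule name): the decision the router makes per packet."""
    d = direction(pkt)
    for name, action, match in RULES:
        if match(pkt, d):
            return action, name
    return DEFAULT[1], DEFAULT[0]


SAMPLE = [  # constructed packets: source, destination, protocol, dest. port
    {"src": "198.51.100.5", "dst": "147.106.1.25", "proto": "tcp", "dport": 25},
    {"src": "147.106.1.10", "dst": "198.51.100.5", "proto": "tcp", "dport": 513},
    {"src": "147.106.1.10", "dst": "203.0.113.9", "proto": "tcp", "dport": 25},
    {"src": "198.51.100.5", "dst": "147.106.1.10", "proto": "tcp", "dport": 23},
]
```

Rule order matters: the suspicious-destination rule sits above the e-mail allow, so mail to a blocked location is still dropped, and the trailing default denies anything the administrator has not explicitly permitted.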
When an intranet is protected by a firewall,
the usual internal intranet services are available, such as e-mail, access
to corporate databases and Web services, and the use of groupware.
Screened subnet firewalls have one more
way to protect the intranet: an exterior screening router, also called an
exterior filtering router or an access router. This router screens packets
between the Internet and the perimeter network using the same kind of technology
that the interior screening router uses. It can screen packets based on
the same rules that apply to the internal screening router and can protect
the network even if the internal router fails. It also, however, may have
additional rules for screening packets specifically designed to protect
the bastion host.
As a way to further protect an intranet
from attack, the bastion host is placed in a perimeter network, a subnet inside
the firewall. If the bastion host were on the intranet instead of a perimeter
network and were broken into, the intruder could gain access to the intranet.
A bastion host is the main point of
contact for connections coming in from the Internet for all services such
as e-mail, FTP access, and any other data and requests. The bastion host
services all those requests; people on the intranet contact only this one
server, and they don't directly contact any other intranet servers. In
this way, intranet servers are protected from attack.
SharePoint
Portal Server 2003 enables enterprises to develop an intelligent portal
that seamlessly connects users, teams, and knowledge so that people can
take advantage of relevant information across business processes to help
them work more efficiently. SharePoint Portal Server 2003 provides an enterprise
business solution that integrates information from various systems into
one solution through single sign-on and enterprise application integration
capabilities, with flexible deployment options and management tools.