
Wide pipes shut

Dedicated gateways can shield broadband-connected PCs from prying eyes.

Maury Wright, Executive Editor -- CommVerge, 3/1/2000

I know there's a dedicated network gateway in the future for every well-connected home. This gateway will aggregate and distribute voice, video, and data while setting up a virtual locked door against the outside world. Today, we can examine the forerunners of this future gateway—devices meant for securing and sharing a broadband Internet connection like a cable or DSL modem. Let's take a hands-on look at installing and using these early gateways and speculate on how their descendants might evolve.

In the January edition of Inside The Digital Den ("Splitting the pipe fantastic"), I addressed NAT (network address translation) technology and sharing a broadband Internet connection among multiple PCs. Many homes and small offices are facing this challenge for the first time. Users must figure out both how to share the pipe and how to protect their systems, which will now be persistently connected to the Internet. The recent mischief that besieged popular Internet sites underlines this point. We must protect the data on our machines and ensure that our machines can't be remotely commandeered to participate in such attacks.

My January article focused on using a PC equipped with NAT or proxy-server software to handle the gateway function. I've been using just such an installation for many months. The gateway software runs on the same computer I use for work. This PC—a 450-MHz Pentium II box with 256 Mbytes of memory—seems plenty capable of handling my workload while simultaneously servicing the Internet needs of my network, which includes a notebook and a secondary desktop PC that I often use for large downloads.

Despite my success with this setup, I wondered about the advantages of using a dedicated gateway to share the pipe. For starters, I would no longer have to worry about interrupting the other connected machines if I needed to reboot my work computer. Moreover, I could power down my work system during business trips without cutting my wife and son off from Internet access. I also wondered if a dedicated gateway would deliver quantifiably improved performance or better security. So I set out to explore my options.

Ethernet routers

Inevitably, when the subject of gateways comes up, some Linux advocates claim you should use a PC with the Unix-like open-source OS (for my feelings on the matter, see the sidebar "Linux gateways"). But for the majority of broadband users, a dedicated gateway will mean one of a new generation of network appliances. These gateways start below $500 and provide NAT, router, and/or security firewall features. They require one Ethernet port for the WAN connection to the cable or DSL modem, and at least one other port that links to your private LAN. Most of the newest products actually integrate four-port hubs or switches for the LAN connection.

You could have cobbled together a suitable gateway long before these SOHO products emerged, but at much higher prices. Traditional network gear vendors like Cisco have long offered office-grade Ethernet-to-Ethernet routers and firewalls. Moreover, companies like MultiTech, Cayman, and Netopia have all offered specialty products that could perform the gateway task, but typically for $1000 or more.

In the last year or so, Ramp Networks and BeadleNet have pioneered the market for SOHO router/firewalls with their respective WebRamp 700s and SOHO 2000 products. In October 1999, WatchGuard Technologies acquired BeadleNet, and the SOHO 2000 became known as the WatchGuard SOHO. The WebRamp 700s lists for $479 for a five-user version and $849 for a 25-user version. A quick check of Internet retailers revealed discount pricing around $360 and $585. The WatchGuard SOHO comes in four-, 10-, and 25-user models, with list prices of $349, $399, and $625. Internet retailers listed the devices for $290, $420, and $525.

I requested review units of both the WebRamp 700s and the WatchGuard SOHO, and the units arrived within a day of one another. Both proved to be smallish modem-like devices with small power transformers. Each has five RJ-45 (one WAN and four LAN) connectors on the back.

Dead trees

Faced with deciding which product to try first, I allowed their differing philosophies on installation guidance to sway me. Ramp takes the traditional approach of a fairly detailed manual that gives step-by-step instructions for several sample scenarios and attempts to explain all of the configuration options. The WatchGuard box arrives with the router, the power brick, an Ethernet cable, and a single piece of glossy cardboard that directs you to their Web site. I'm all for saving trees, but I took comfort in the Ramp manual and set to work installing the WebRamp 700s.

LOCK BOXES: Providing router and security functions, Ramp Networks' WebRamp 700s and Watchguard Technologies' WatchGuard SOHO both come in small modem-like forms.

Making hardware connections is a breeze with either device. You plug the WAN connector into your cable or DSL modem using a Category-5 patch cable. Depending on your modem, you may need a standard Ethernet cable or a crossover cable, the LAN equivalent of a null-modem cable, which has crisscrossed pairs of wires. Ramp provided both types of cables, while WatchGuard only delivered a standard cable. Status LEDs tell you when you've got the correct connection. Next, you plug your PC or PCs into the router and/or connect the router to your network hub.

Both products come with a preassigned static IP address for the LAN side of the router. This lets you configure the router via the LAN connection. You just fire up a Web browser, hit the stop button, and enter the IP address as the URL. After all, those friendly URLs are just nicknames for IP addresses and port numbers.

With the WebRamp unit, I typed in the preconfigured address and waited for what seemed like minutes. I became convinced something was wrong and started tinkering. I ended up wasting an hour chasing demons that didn't exist, until luck smiled on me. Just after I'd re-entered the address, I received a phone call that distracted me for several minutes. It turns out the unit just takes a while to respond, and my phone call had given it enough time. Otherwise my impatience might have prevented me from ever seeing the login prompt.

Once you log in, you usually only need to enter a minimal amount of data. First, choose a mode of operation. You pick standard mode if you're renting multiple IP addresses from your service provider. NAT mode lets you share a single static public IP address. A third choice, NAT mode with DHCP (Dynamic Host Configuration Protocol) client, lets the router dynamically receive the public IP address from your service provider. After choosing basic NAT mode, I entered the addresses for the DNS servers and typed in the static IP and gateway addresses assigned by my service provider. Configuring client PCs is simple; you set them to get a dynamic IP address from the DHCP server in the WebRamp unit.

At this point, I should've been on the Net, but wasn't. Having configured many computers for Net access, I felt sure I had entered the settings correctly. The manual mentioned booting the devices in the proper order (cable modem, then router, then PC), so I again wasted a few hours chasing nonexistent demons. I knew the device was almost working, because the WebRamp diagnostic program could access the name server and associate URLs with IP addresses.

I gave up and called tech support. One minute later, my problem was solved. The WebRamp's DHCP server, controlled by the parameter "Client Default Gateway" on the DHCP configuration menu, comes set for 192.168.1.1. The manual indicates that the client gateway setting should be 192.168.1.151—the same as the LAN IP address of the router. For the connection to work, you must change the setting on the DHCP configuration page. I made the change, ran the Windows 98 winipcfg program, and clicked "release" and then "renew." Now I was surfing.

Ramp should fix the inconsistency in their documentation, but there is a reasonable explanation. Ramp regularly bundles the WebRamp 700s with other products, such as ISDN and modem routers. When combined with those products for its NAT and firewall features, the WebRamp requires the preconfigured address. When you use it with a cable or DSL modem, however, you need to change the address.

Web instruction

After these struggles with a seemingly well-documented product, I was a little apprehensive when I turned to the WatchGuard SOHO a few days later. The single printed sheet that ships with the unit instructs that you must have a working cable or DSL connection to a single computer when you start the process. You surf to WatchGuard's Web site on that computer, and print specific instructions for your installation. In actuality, the Web site senses the OS you are running and provides general instructions for that OS.

I received 10 pages of extremely specific instructions, which led me through the most common connection scenario. I recorded various settings from the computer with the working link. Then I made some changes in the settings, powered down, and reconnected with the WatchGuard SOHO in place. If your service provider has a DHCP server, these steps leave you only a "release" and "renew" (in winipcfg) away from connecting. In my case, I had to use my browser to configure the unit for a static IP address, along with gateway and DNS addresses. In total, it took me about 30 minutes to bring the unit on line.

Looking back, the differing approaches these two companies employ colored my experience. Had I not struggled to bring the Ramp unit online, I suspect I would recommend it more highly. It has more features and flexibility than does the WatchGuard SOHO. For example, the WatchGuard SOHO can't operate in a non-NAT mode, and the WebRamp 700s has far more extensive filtering capabilities, which help you restrict user access to certain Web sites. On the other hand, WatchGuard's no-frills, focused approach to installation may get more users up and running more quickly.

I would heartily recommend either product based on performance. Consider system security. In my January article, I pointed anyone with a broadband link to the ShieldsUp! test hosted by Gibson Research (www.grc.com). With my software-based gateway, I received a passing grade on the test, but also got a stern warning. Basically, the test advised me to hide my system resources from the outside world, rather than merely closing them off. These router/firewalls did the trick in that respect. My private IP addresses and all ports are now invisible to hackers—at least for now.
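The NAT mode chosen during setup and the distinction the ShieldsUp! test draws between ports that are merely closed and ports that are hidden can both be shown with a small simulation of a gateway's translation table. This is an added example and not code from the article or from either vendor: the public address 198.51.100.7 and the 203.0.113.0/24 hosts are constructed documentation addresses, and matching a reply on both the remote address and port is one common NAT design used here for illustration, not a description of how the WebRamp or WatchGuard units behave internally.

```python
"""Simulate how a NAT gateway treats outbound, reply and unsolicited packets.

Added example; not code from the article or from any router vendor. All
addresses and ports are constructed (198.51.100.7 and 203.0.113.0/24 are
documentation ranges). Matching replies on both remote address and port is
one common NAT design, assumed here for illustration only.
"""
from collections import namedtuple
import ipaddress

Packet = namedtuple("Packet", "src_ip src_port dst_ip dst_port")


class NatGateway:
    def __init__(self, public_ip, lan="192.168.1.0/24", unsolicited="drop",
                 local_services=()):
        self.public_ip = public_ip
        self.lan = ipaddress.ip_network(lan)
        # "drop": unsolicited packets vanish (what ShieldsUp! calls stealth);
        # "reject": the gateway answers with a reset, so the port reads as closed.
        self.unsolicited = unsolicited
        # Ports on which the gateway itself answers, e.g. a remote admin page.
        # These stay visible to the outside unless they are filtered separately.
        self.local_services = set(local_services)
        # public_port -> (private_ip, private_port, remote_ip, remote_port)
        self.table = {}
        self.next_port = 40000

    def outbound(self, pkt):
        """Rewrite a LAN host's packet to the public address, creating a mapping."""
        if ipaddress.ip_address(pkt.src_ip) not in self.lan:
            raise ValueError(f"{pkt.src_ip} is not a LAN address")
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        for pub_port, mapped in self.table.items():
            if mapped == key:
                break          # reuse the existing mapping for this flow
        else:
            pub_port = self.next_port
            self.next_port += 1
            self.table[pub_port] = key
        return Packet(self.public_ip, pub_port, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt):
        """Return (verdict, packet delivered to the LAN or None) for an outside packet."""
        if pkt.dst_ip != self.public_ip:
            return "dropped", None
        mapped = self.table.get(pkt.dst_port)
        # Only the remote endpoint a LAN host actually talked to may answer;
        # the private address never appears on the wire.
        if mapped and mapped[2:] == (pkt.src_ip, pkt.src_port):
            priv_ip, priv_port = mapped[:2]
            return "forwarded", Packet(pkt.src_ip, pkt.src_port, priv_ip, priv_port)
        if pkt.dst_port in self.local_services:
            return "open", None
        return ("stealth" if self.unsolicited == "drop" else "closed"), None


def scan(gateway, scanner_ip, ports):
    """What an outside port scan sees for each port: open, closed or stealth."""
    return {p: gateway.inbound(Packet(scanner_ip, 55555, gateway.public_ip, p))[0]
            for p in ports}


if __name__ == "__main__":
    gw = NatGateway("198.51.100.7")
    out = gw.outbound(Packet("192.168.1.10", 3000, "203.0.113.5", 80))
    print("outbound becomes", out)
    print("reply:", gw.inbound(Packet("203.0.113.5", 80, "198.51.100.7", out.src_port)))
    print("stranger:", gw.inbound(Packet("203.0.113.99", 80, "198.51.100.7", out.src_port)))
    print("scan:", scan(gw, "203.0.113.200", [21, 80, 139]))
```

With the default drop policy every unsolicited probe comes back "stealth", which is the result the article reports for both routers. Switching the policy to "reject" yields "closed" instead: the port is still unreachable, but the reset tells a scanner a host exists, which is the warning ShieldsUp! gave the software gateway. Listing a port in `local_services` shows why NAT alone is not a complete firewall: anything the gateway itself listens on is "open" unless it is filtered on the WAN side.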

How fast

I had also planned to quantify the performance advantage (if any) of the hardware gateways. I downloaded test files from private ftp sites dozens of times each using my original software setup and the two hardware gateways. I used private ftp sites to try to eliminate the variable of a busy server on the other end. Still, the noise factor of the Internet made the tests inconclusive.

The WebRamp device clocked the fastest download at more than 1.6 Mbits/sec, but in one session also turned in the lowest rate, around 200 kbits/sec. Most of the tests fell between 400 kbits/sec and 1.2 Mbits/sec.

In the end, I believe the results were almost random, and I wouldn't recommend moving to a hardware gateway based solely on the promise of a better data rate—unless you have so many users that you're pushing the limits of a gateway PC that's running NAT software. I suspect that my software-based setup responded with less latency than the routers at times. But again, I found no measurable advantage for any of the three approaches.

Still, a dedicated router provides a few clear advantages. When I was using the gateway PC with the NAT software, I often ran short of Windows resources more quickly than I do with either router in place. I can't quantify the advantage, but I now reboot my system far less frequently.

Hardware routers also provide more advanced support for VPNs (virtual private networks). Both Ramp and WatchGuard sell VPN upgrades via the Internet, and you can download them directly into your router. Both companies also offer upgrades that let you increase the number of users on your network. I had hoped to test my software setup and these routers with a new VPN program that my corporate IT department is planning to deploy. Alas, that program has been delayed. But watch our Web site for an update.

A reader pointed out another benefit of hardware routers in some installations. Grant Opperman, a marketing consultant, read the January article and saw the reference to this emerging class of SOHO routers. He bought a product that Umax introduced late in 1999. The UGate 3000 can support 253 users and retails for $350, although Opperman paid $260 via an Internet retailer. He chose the unit largely for its price, and is generally pleased, although he did make two calls to tech support during installation. Opperman's LAN has two attached printers that require IP addresses and a TCP/IP network to operate properly. The router allows TCP/IP networking behind the firewall. Moreover, Opperman says he can easily assign private IP addresses on the same subnet to his computers and printers.

Representatives of both WatchGuard and Ramp have questioned whether Umax provides true firewall capabilities beyond the base level of security NAT provides. However, the Umax data sheet claims firewall capabilities, and Opperman reports that ShieldsUP! rated his security as top notch.

Here come the players

I suspect that Ramp and WatchGuard have learned their lessons over time and probably offer better products than the competition right now. But they are about to face more severe price pressure. Linksys lists its four-port EtherFast product for $294, but several Internet retailers have advertised the unit for as low as $160. EtherFast is not just the least expensive dedicated SOHO router. It also integrates an Ethernet switch rather than a hub and supports 253 computers. On busy networks, switches improve performance by providing multiple direct connections between pairs of ports, rather than relying on the traditional Ethernet shared media, which limits a hub to handling a single data stream at any given moment. On the other hand, most SOHO installations won't require or even take advantage of these capabilities.

Also at the low end of the price spectrum, you will find Netgear's RT311 Internet Access Gateway Router. A four-port, 32-user version lists for $355, with Internet sources offering the unit for under $220. Both Linksys and Netgear have been selling low-cost networking products for years. Their distribution channels and manufacturing capabilities will let them establish a market presence quickly. Before buying their products, however, I would closely evaluate the firewall capabilities. Both companies list firewall capabilities on their data sheets. However, one Internet retailer didn't mention security in relation to either the Linksys or Netgear product, but raved about the firewall features of the WebRamp 700s. WatchGuard and Ramp have been in the firewall business at the corporate level for years.

Soon, you can expect a plethora of new products with different combinations of interfaces and functions, as vendors seek to perfect the home-gateway recipe. Already, several vendors are showing router/firewalls that support HomePNA phone-line networking rather than Ethernet. You can expect products that combine a cable or DSL modem with the router. As ISPs, and in particular ILECs (incumbent local exchange carriers) and CLECs (competitive local exchange carriers) roll out voice-over-data services, you will likely see a router/firewall with POTS phone connections alongside the LAN connectors. Arguably, the router/firewall could even be combined with a set-top box.

In addition, someone needs to find a way to bridge control networks and data networks. Echelon and Coactive Networks both offer gateway products that bridge Ethernet to LonWorks control networks. That bridge should reside in the data gateway as well, providing a single whole-house e-security scheme.

And by the way, with so much flexibility in hardware, we need a standard abstraction layer that allows applications to be deployed over different control and data networks. An initiative called OSGI (open services gateway initiative) seeks to do just that. Check in with us in April for an article dedicated to that subject.


Linux gateways

I had actually considered dedicating an older PC to the gateway task back before I installed Sybergen's SyGate software NAT product on the primary PC I use for work. I considered installing Windows NT Server, but didn't have spare hardware with the muscle needed to run that OS. Moreover, many SOHO users will find that the Windows NT software costs more than other dedicated hardware gateways. I had decided to use Linux for the job, because it doesn't cost much and it includes support for IP masquerading (Linux-speak for NAT). I never got there.

About the time I was considering Linux as a router/gateway, I wrote an article about Linux for our sister publication EDN ("Can Linux crash the gates?" EDN, April 29, 1999). For that article, I installed Red Hat Linux and explored its suitability as a desktop OS. At the risk of once again angering the many Linux enthusiasts of the world, I must admit that I felt Linux was too difficult to install and configure. I felt that I would spend way too much time learning Linux system administration. I know Linux offers terrific reliability, but I'll take Windows with an occasional reboot.

If you know Linux or Unix well, and have a spare PC, it may be a good option. You could probably get by using an old 486-based PC as a Linux gateway (see www.trylinuxsd.com for a fairly detailed account of using Linux as a gateway). But, I don't think the Linux option is appropriate for the majority of users.

In fact, even installation of a Linux-based product packaged as a plug-and-play appliance/server with gateway capability can prove problematic. In his Dec 6, 1999 Chaos Manor column on Byte.com, Jerry Pournelle related his experience with the NetWinder SOHO server from Rebel.com. While Pournelle endorsed the product, I'm not sure the typical user would have endured the problems he did. Nor would the typical user have had access to the help Pournelle received to resolve the problems. I suspect I would have returned the product before getting it installed and configured.

Rebel.com calls the NetWinder a server appliance. The $995 compact tabletop version is the bottom end of their product family, and the only one of their products that targets the SOHO market. Their products are primarily sold to MIS professionals for use in the business market. The NetWinder can do way more than share an Internet connection. It can also act as a print server, includes a 6-Gbyte disk, and can handle basic file-serving chores.

I'm sure the NetWinder works fine once it's installed. I would hate to think about having to modify a configuration. Moreover I don't see what advantage it offers other than being perhaps a cheap LAN server.

If you go the Linux route with a roll-your-own system or a product like NetWinder, remember that you still must address security. NAT gateways, in general, provide some level of security for the machines behind the gateway, because the gateway hides those private IP addresses. But you really should take further steps to ensure that those machines are protected. In fact, the gateway machine itself remains unprotected unless you take further action. While you may not store important data on the gateway machine, you do need to ensure that a hacker can't hijack it to launch improper activity.

©1997-2009 Reed Business Information, a division of Reed Elsevier Inc. All rights reserved.