Soft routers: Doing more for less

For most people, the word "router" conjures up the image of a chunk of silicon and steel racked somewhere between their subnet and far horizons. Today's high-speed routers are great for large corporate networks, but they can break the budgets of smaller companies. With a few network cards and the right software, however, you can turn any good PC into a capable router -- and more -- at a fraction of the cost of your traditional router. When you consider that traditional corporate routers with security can cost $4,000 or more, spending half that on a fast PC and some software makes sense -- especially if you don't plan to use all the features of the higher-priced offering.

Tiny Software's WinRoute Pro and Vicomsoft's Internet Gateway are ideal for connecting hundreds of users to the Internet via dial up, ISDN, cable modem, asymmetric DSL, T-1 and beyond. Anyone familiar with IP networking basics should have no trouble putting either of these two products to immediate use connecting, protecting and supporting their organization.

Tiny package -- big punch

Tiny's WinRoute Pro Version 4.1 is a router; a network address translation (NAT)-based pass-through firewall with VPN support, URL filtering and port mapping; a Dynamic Host Configuration Protocol (DHCP) server with Domain Name System (DNS) forwarding; a Simple Mail Transfer Protocol/Post Office Protocol 3 (POP3) mail server with aliasing; a proxy server; and an HTTP cache utilizing a single file to preserve hard drive space.

E-mail

Here are a few tips to help you get started with the e-mail server of Tiny Software's WinRoute Pro: Enter your ISP's outgoing mail server into the Relay SMTP server field under the General tab. If you have a domain, enter it in the space provided. Use the Remote POP3 tab to enable WinRoute to receive "blind-forwarded" e-mail from your ISP, and distribute it to your respective user accounts. If you have an Internet domain, you can set it to receive e-mail via SMTP or from any POP3 account. However, if you're using SMTP, you must map the TCP protocol Port 25 to the internal IP address of your WinRoute machine.

DSL and PPPoE: Although PPP over Ethernet (PPPoE) support isn't built into WinRoute Pro, it should work fine with external PPPoE equipment such as that often used with various DSL connections. Tiny has thoughtfully provided some specific PPPoE solutions in its online manual.

This tidy package installs onto any Windows operating system, occupying just 22M bytes of hard drive space and less than 5M bytes of RAM.

WinRoute Pro's installation is straightforward but requires some attention to detail. Before loading the software, install two network cards in the PC. The first card will be your subnet's default gateway, so give it a local IP address (leave the default gateway blank). Leave the card's other settings as if it were connecting directly to the Internet. Configure the second card to connect to your ISP.

WinRoute Pro loads as a service under Windows NT or 2000, and you can access the administration console from the system tray. You'll configure most of WinRoute Pro's initial settings via the Interface Table. Access it via the center toolbar icon that looks like a network card, and ensure that NAT is turned off for the internal card and on for the external card.

For the initial tests, we set DNS forwarding to 'on' and disabled the proxy, mail and DHCP servers. The DNS forwarding service lets your network computers use the DNS servers specified in their own network settings, passing the request through the firewall. Alternatively, you can use the IP address of your host machine's internal network card as the DNS server address and enter the actual DNS server addresses in the block under DNS forwarding. This option is handy if you might be changing DNS servers for your entire network at a later date.

In addition to using the Internet's DNS server structure, you can edit a Hosts file, similar to the LM Hosts file found in Windows. The Hosts file lets you enter DNS entries for your domain behind the NAT firewall, such as for your internal Web server. Just for fun, we entered a forward-looking and a reverse DNS entry for my local domain. WinRoute Pro handled it with aplomb, as would NT's DNS server. Although a Tiny technician confirmed this ability, he emphasized that the WinRoute Pro's DNS forwarding service wasn't specifically designed to handle reverse look-ups.

WinRoute Pro's User Accounts serves two purposes. First, it lets you define levels of administrative control over WinRoute Pro, including remote administration. Second, it serves as a database for your e-mail users. It has complete NT integration, letting you input current NT users as well as use NT's logon authentication.

E-mail for the masses

WinRoute Pro's mail server installation was straightforward and lets you assign unlimited aliases for your e-mail users. Two more features include an antispamming switch to prevent external users from using your e-mail server as a launch platform and an e-mail synchronization scheduling service suited for dial-up connections. To configure your e-mail clients to work with WinRoute Pro, enter the TCP/IP address of the WinRoute Pro machine's internal network card, or the domain name assigned to that address, into the appropriate POP3 and SMTP fields, as well as the e-mail account name and password. Any POP3/SMTP e-mail client will then use WinRoute Pro's e-mail server.

We set up a few local accounts, reconfigured our Outlook clients and sent mail, including attachments, to other local users.

Then we reconfigured the e-mail server to send and receive e-mail for three external e-mail accounts and sort it based on which user was connecting. In both cases WinRoute Pro's e-mail server worked without a single glitch.

Web cache accelerates

A note about NAT

Network address translation (NAT) substitutes a client's TCP/IP address with that of the NAT router, entering the substitution in a table, and making certain changes to the packet, including the IP address and TCP checksums. To external Web sites, it appears as if your entire subnet is one computer. While NAT is an excellent way to isolate your network from external users, NAT is incomplete as a firewall. By itself, NAT doesn't control packets to the same extent as full-fledged firewalls, which combine subnet isolation with packet inspection designed to monitor and control each packet based on its origin, destination, source application and content. Nevertheless, NAT remains a strong barrier against unwanted intrusions.
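
The table-and-checksum mechanism described in the note above, as an added illustration (not part of the original article and not code from either product): a minimal port-translating NAT in Python. The addresses, port numbers and the Nat class are constructed for the example.

```python
import struct

def ip_checksum(header: bytes) -> int:
    """RFC 1071 ones'-complement checksum over an IPv4 header."""
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def ip_bytes(addr: str) -> bytes:
    return bytes(int(part) for part in addr.split("."))

def build_header(src: str, dst: str) -> bytes:
    """Minimal 20-byte IPv4 header carrying TCP (protocol 6), checksum filled in."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 1, 0, 64, 6, 0,
                      ip_bytes(src), ip_bytes(dst))
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]

class Nat:
    """Hypothetical NAT router: one public address, one table entry per flow."""
    def __init__(self, public_ip: str, first_port: int = 61000):
        self.public_ip = public_ip
        self.next_port = first_port
        self.out = {}   # (client ip, client port, remote ip, remote port) -> public port
        self.back = {}  # (public port, remote ip, remote port) -> (client ip, client port)

    def outbound(self, src, sport, dst, dport):
        """Record the substitution and return (public port, rewritten IP header)."""
        key = (src, sport, dst, dport)
        if key not in self.out:
            self.out[key] = self.next_port
            self.back[(self.next_port, dst, dport)] = (src, sport)
            self.next_port += 1
        # The source address changes, so the IP checksum must be recomputed.
        # The TCP checksum covers addresses and ports too and needs the same update.
        return self.out[key], build_header(self.public_ip, dst)

    def inbound(self, src, sport, dport):
        """Map reply traffic back to the client; None means no table entry, so drop."""
        return self.back.get((dport, src, sport))

if __name__ == "__main__":
    nat = Nat("203.0.113.5")                       # constructed public address
    port, hdr = nat.outbound("192.168.1.10", 40000, "198.51.100.7", 80)
    print("public port:", port, "checksum ok:", ip_checksum(hdr) == 0)
    print("reply maps to:", nat.inbound("198.51.100.7", 80, port))
    print("unsolicited port 139:", nat.inbound("198.51.100.99", 4444, 139))
```

Only traffic matching an entry created from the inside is forwarded; everything else has no mapping and never reaches the subnet, which is the isolation the note describes, without any inspection of packet content.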

Internet access

Because NAT is more advanced and secure than proxy technology, we wondered why WinRoute Pro included a proxy server. The answer is WinRoute Pro's proxy server provides something that NAT doesn't: caching. By caching HTTP, FTP and Gopher files, WinRoute Pro saves a considerable amount of bandwidth -- if your cache setting is large enough. You can adjust the size of the cache stored in the server's memory -- your fastest cache -- and the size of the cache stored on the hard drive. WinRoute Pro also lets you specify a network drive for the cache, among other settings.

Subnet stealth

WinRoute Pro's security options underscore Tiny's desire to remain current with leading-edge practices. Keeping a balanced level of security for your company is easy with WinRoute Pro. The help menu contains five typical installations, along with clearly detailed settings to maximize security. You can easily modify one of these examples to meet the specific needs of your organization.

One advanced NAT feature we liked was 'silent mode,' which tells WinRoute Pro to ignore connection requests originating outside your network, making it appear as if your network doesn't exist. This stealthy approach is a very good way to thwart hackers, who scan and target only networks that return certain hits. If the scan's results are blank for your subnet, the hacker has no idea that it exists and moves on.

WinRoute Pro's DHCP Server streamlines your client configurations. Choose the 'obtain IP address from DHCP server' option on your clients; configure the DHCP server for your network's IP range, default gateway, DNS server and Windows Internet Name Service (WINS) server; and WinRoute Pro automatically configures your clients when they boot.

Addendum

WinRoute Pro offers many other advanced features, such as antispoofing, detailed port mapping, the ability to use multiple network interface cards to administer multiple subnets, remote administration and the ability to organize e-mail users into groups. Finally, WinRoute Pro's series of logs have a variety of detailed settings that will suit most systems administrators, including separate logs for each server and a debugging log for the IP connections.

Vicomsoft's RIP router

Vicomsoft's Internet Gateway is geared more toward midsize corporations, as it supports automatic routing tables via Routing Information Protocol (RIP), used widely throughout the Internet, and formally defined in RFCs 1058 and 1723. Simply put, Internet Gateway is a full-fledged router, capable of automated routing table updates and routing metrics -- all transparent to the user and systems administrator. If you really want to get your hands dirty, however, you can manually edit the routing tables.

How we did it

Our test network was built around two PCs, a switch, a cable modem, three network cards, a software-based security scanner, and a hardware-based network analyzer to simulate and record typical corporate network traffic.

We used a Pentium III 800EB for the host machine. After installing 256M bytes of PC-133 SDRAM and a 40G-byte Ultra ATA/100 hard drive, we loaded it with Windows 2000 Professional with Service Pack 1. We then loaded Internet Security Systems' Internet Scanner onto a P5-200MMX running Windows NT 4.0 with Service Pack 6a, 128M bytes of EDO RAM and a 4.5G-byte EIDE hard drive with 900M bytes of free space. Three Linksys LNE100TX cards with full-duplex, 100Base-TX capability were installed, with the first two cards in the Pentium III 800, and the third card in the P5-200. A Linksys BEFSR41 Cable/DSL Router with a built-in full-duplex 10/100Base-TX 4-port switch rounded out our network setup.

We used Spirent Communications' SmartBits 200 with four ML-7710 10/100Base-TX SmartMetrics Ethernet SmartCards to simulate a corporate network environment. We configured two cards for use on the LAN, building five Virtual Transmit Engines (VTE) simulating a typical subnet's background traffic of three workgroups, a server and an edge connection, for a total of 30M bit/sec of LAN traffic, 10% of which carried external destinations. We configured the remaining two cards to simulate two WAN connections, with three VTEs of 500K bit/sec each.

The Enterprise Suite version of Internet Gateway includes client access for an unlimited number of users, a DHCP server, a DNS server with caching, a TCP/IP router with NAT firewall and a Web caching server. Remote administration is standard. It also includes some features not found in WinRoute Pro, such as Connection Teaming, the built-in ability to act as a gateway to Macintosh networks (MacIP/LocalTalk), a Web Header Server and a Fallback Server (see descriptions, below). Because the product is geared more toward larger firms, it doesn't have an e-mail server, so you would probably use it alongside an e-mail server such as Microsoft's Exchange.

Installation was a breeze but required a reboot. Running as a service wasn't automatic but was provided as an option, which I strongly recommend for all NT and Win 2000 users. Internet Gateway automatically configured itself for our network, changing the TCP/IP address we had established for our internal network card to 192.168.181.253, with a default gateway of 192.168.181.254. Although this selection was more sound than our original choice, due to the more efficient utilization of subnetting, we would have preferred a pop-up window that gave us the IP address recommendation and an option to retain our original settings.

If you're using static IP addresses on your subnet, you'll have to reconfigure Internet Gateway (a minor issue) or your clients (a major one). Most administrators will choose Internet Gateway's DHCP server, which automatically configures the clients.

Internet Gateway's interface is exceptionally clean because most of the program's settings are automatic. The first screen you'll see upon rebooting is a Web page asking if you'd like to test the Internet connection. If you already have an ISP, go ahead and test your connection. Otherwise, exit the window. After testing the connection, you might want to browse through Vicomsoft's excellent online knowledge base.

The suite's primary window includes a Status View that shows all network cards, their TCP/IP addresses and current status. It includes an instantaneous and a 5-minute throughput window for monitoring network traffic on each network card. Right-clicking on a network card provides easy access to configuration changes or for initiating trace action. Trace action records a packet's source and destination address and port, packet type (IP or User Datagram Protocol [UDP]), and any error messages, such as a bad IP checksum.

You'll access most of Internet Gateway's features through the Preferences panel, where you can change the settings for the Status window, edit various network settings - including IP addresses and routing options - manage local and remote security, and tweak the logging options. If you need to modify the PPP settings, use the PPP tab to change the base address, router name and authentication source.

Internet Gateway's Web caching option displays throughput for Internet activity, cache activity and cache activity as a percentage of the total, giving you instant feedback on how much bandwidth you're saving. The settings include IP and port address but unfortunately don't let you choose where the cache resides, as the program defaults to the installation subdirectory, which may be limited in terms of available size or speed.

Multiple connections

One of Internet Gateway's most useful features is found under the Connections tab. Connection Teaming lets you use Internet Gateway's RIP and PPP Multilink-capable router over multiple Internet connections. When combined with the Fallback feature, located on the same window, Internet Gateway gives you a robust, multipath way of maintaining an optimum Internet connection.

In addition to the Connection Teaming preferences, you can also edit the individual port settings for Connection Teaming, including available bandwidth and next router address.

Stress tests

We were very pleased with both products, as they did exactly what they were designed to do. We tested their ability to handle a significant amount of traffic in a simulated corporate environment, as well as each product's firewall security.

WinRoute Pro and Internet Gateway could inspect the 30M bit/sec of LAN traffic and route, without error, the 3M bit/sec of WAN traffic generated by the SmartBits 200 (see 'How we did it'). Internet Gateway used about 35% of the available processing power of our Pentium III 800, whereas WinRoute Pro used slightly less than 30%. If you've enabled any additional services, such as Web caching or WinRoute Pro's e-mail server, you can expect to use a significantly greater chunk of processing power, so plan accordingly.

During our security tests, WinRoute Pro exhibited outstanding results, refusing to acknowledge a request for connection unless the connection originated inside the firewall. Even then, it limited connections to the specific ports opened by the internal programs and only allowed actions that were initiated from within.

Internet Gateway, on the other hand, accepted an anonymous connection on Port 139, commonly used by NetBIOS, although it did not respond to further intrusions. Port scans reported all ports except 139 as 'closed.' Keep in mind that some hacks, such as openclose and syncstorm, can be used to disrupt or disable machines with an open port.

Our second scanning policy searched for all major known exploits. While we found several discrepancies with both products, they were within the limits of what we expected to find, given that we used router attacks against a PC-based NAT router, and not an actual hardware-based router. While a determined hacker would not find it too difficult to bring either of these software packages to its knees, he would find it difficult to penetrate their security, as both implement NAT very well, and Internet Security Scanner was unable to discern any information beyond the firewall. In other words, the firewalls in both products did what they were designed to do - keep the bad guys out.

Making a choice

While neither product is specifically designed to be a full-fledged firewall, both excel at providing your corporation with the same NAT-based Internet connection as traditional routers, thus isolating your subnet from the outside world. Given that most corporate routers cost several thousand dollars for routing and security, both products are attractive alternatives. In addition, both products performed very well at their additional tasks of caching DNS and HTTP requests and acting as DHCP servers. Although we were particularly impressed by the routing capabilities of Vicomsoft's Internet Gateway and the ingenious e-mail server of Tiny's WinRoute Pro, we would have liked multiple router support in WinRoute Pro, and better logging options in Internet Gateway. Both products came with very well-written manuals, available on their Web sites in PDF format.

If you need the throughput and redundancy of multiple Internet connections, go with Vicomsoft's Internet Gateway. If you're more interested in e-mail services, however, you can't go wrong with Tiny Software's WinRoute Pro.

This story, "Soft routers: Doing more for less" was originally published by Network World.
