
StarBand Home Network Case Study
By Robert (Taco) Dias

1.  Introduction

Setting up a home network can be daunting. If you add the complexities associated with the installation and configuration of the StarBand Model 360 modem, it can be very frustrating to say the least. I have gone through many hours of headaches in trying to optimize the operation of the 360 in my home network environment. Thus the reasons for this case study. First, by "putting it on paper" it has forced me to review all pertinent issues related to this topic. Second, it is my hope that by making this document available to others, it may serve as a guide for them to successfully set up their own StarBand network and may shorten their time in doing so.

Before I begin, I must give credit to Ken Knight (and his excellent site located at http://starbandusers.com ) for his tireless efforts to help all with their StarBand related problems and to provide a forum for discussions related to StarBand. I have found the users on this site to be some of the technically most-competent people I have seen anywhere. They are also extremely helpful and respectful of both novice and experienced computer users alike. Without the information presented on the site and the direct help of its members, I am sure my StarBand efforts would have been less than successful.

This case study will review the physical layout of my network and its configuration. Although your configuration will likely be different, the basic configuration will serve to highlight factors to be considered in the setup of a network. The IP addressing scheme will be reviewed and specifics related to StarBand and routers will be detailed. Network security issues will be discussed and specific configuration information for two software firewall products will be presented. These are ZoneAlarm Pro and BlackIce Defender. Finally, other useful software used by me will be briefly highlighted with emphasis on networking and security issues. Information resources are also presented.

2.  Network Configuration

The generalized network layout is presented below. The Model 360 modem is connected to a PC that is equipped with two network interface cards (NICs). This PC serves as a gateway to the 360 for the remainder of the network. One NIC connects via CAT5 Ethernet crossover cable to the Ethernet port on the Model 360. The other NIC also connects by a crossover cable to a WAN port on a router. This router serves to provide Internet access to all local PCs, i.e. client PCs in the LAN. The clients are connected by CAT5 Ethernet straight-through (or patch) cable. Both NICs in the gateway PC are manually set to 10 Mbps and half duplex. The client PCs are all set to 100 Mbps and full duplex.

 

 

The gateway PC is a Pentium II 350 MHz system with 256 MB of RAM. It is running Microsoft Windows 2000 Professional (W2K) along with the W2K built-in Internet Connection Sharing (ICS) to provide a shared resource for client PCs to access the Internet. ICS is implemented by "sharing" the NIC that is attached to the Model 360.

The details of the IP address setup of the NICs in the gateway PC and in one client PC and the configuration of the router are presented in the next section.

 

3.  IP Addressing and Router Configuration

a. IP Addressing.

The NICs in the gateway PC are configured as shown in the following screen capture. The NetGear NIC connects to the router and the 3Com NIC connects to the Model 360. To access this information, go to the Command Prompt and issue the following command at the C:\> prompt: 

    ipconfig /all

and press the Enter key.

 

 

The 3Com NIC is set to obtain its addressing information from the Model 360 since DHCP is enabled. The NetGear NIC, on the other hand, is manually configured (DHCP not enabled). Note that, for the NetGear NIC there is no Default Gateway entered. ICS handles the routing.

The NIC settings for one of the client PCs are given below for completeness. Note that all client PC NICs are set for DHCP Enabled. The DHCP Server for the client PCs is the router.

 

 

b. Router Configuration and Specifications.

The router is a NetGear Model FR314 Firewall/Router. The WAN port of the router connects by crossover cable to the NetGear NIC in the gateway PC. This port, like many DSL/Cable routers, can only support 10 Mbps and half duplex. The four LAN ports, however, support 100 Mbps and full duplex (as well as 10/half). The clients connect to the LAN ports by straight-through cables.

Note that a simple HUB could be substituted here instead of a router. If a hub were used, the client PCs would get their IP address information from the gateway PC. That is, ICS would provide the DHCP services.

Some might feel that a router is "overkill" in this setup. I feel however that it gives me another level of protection since it is both a firewall and a router. This is because Network Address Translation (NAT) is in effect, and the LAN addresses are on a different subnet than the gateway PC. The firewall also offers Stateful Packet Inspection, DoS protection, etc.

The router configuration is presented in the following two screen-captures.

 

c. Summary of IP Addressing & Router Setup.

The Model 360 acts as a DHCP Server and assigns settings to the Gateway PC's NIC that is connected to it (in my case the 3COM NIC). These values are:

IP Address: 148.63.xx.xx

Subnet Mask: 255.255.192.0

Default Gateway: 148.63.xx.xx

DHCP Server: 148.63.xx.xx

DNS Servers: 148.78.249.200 & 148.78.249.201

(Note: some of these settings are specific to your StarBand Cluster and Subcluster)

The addressing information for the second NIC in the gateway PC (the one that connects to the router, i.e. the NetGear NIC) is manually assigned and depends on the architecture of the network. For my setup it is as follows:

IP Address: 192.168.0.1

Subnet Mask: 255.255.255.0

Default Gateway: (leave blank)

DHCP Server: (none, manually configured)

DNS Servers: 148.78.249.200 & 148.78.249.201 (same as for 3COM NIC)

The router is configured as follows:

Network Addressing Mode: NAT with fixed addresses

NetGear Firewall LAN IP Address: 192.168.1.1 (Notice the different subnet for the LAN addressing)

WAN Gateway Address (NIC that the router connects to): 192.168.0.1

WAN IP (NAT Public) Address: 192.168.0.2

WAN Subnet Mask: 255.255.255.0

DHCP Settings:

DHCP Server: Enabled

Client Default Gateway: 192.168.0.1

Set DNS Servers using NetGear Firewall's Network Settings

Dynamic IP Range Start: 192.168.1.2

Dynamic IP Range End: 192.168.1.9

Client PCs on the LAN side of the router are assigned IP addresses by the router's DHCP server in the range of 192.168.1.2 to 192.168.1.9 with a subnet mask of 255.255.255.0.

The home network therefore has two subnets in addition to the StarBand-assigned subnet of 148.63.xx.xx. These two are 192.168.0.x and 192.168.1.x.

4. StarBand Mission Control Software Information

The StarBand software is installed only on the gateway PC. Version information for the installed software components is presented below.

 

 

5. Firewall Configuration and Network Security

In addition to the protection afforded by NAT which is built into ICS and the hardware firewall/router, two software packages provide firewall and intrusion detection for the network. Both of these packages are loaded at system startup. Although they serve somewhat similar functions, each has features that render them superior in some respects to the other. These are BlackIce Defender (BID) and ZoneAlarm Pro (ZAP). BID is primarily used as an Intrusion Detection System (IDS). ZAP serves as the primary software firewall. (Incidentally, ZAP also loads and is initialized before BID, so it gets "first shot" at blocking intrusion attempts.)

The following pages provide detailed configuration property sheets for these programs. Those for BID are presented first and are followed by those for ZAP. For the most part, these configuration property sheets are self-explanatory. Where needed for clarity or explanation, additional comments are made on the appropriate pages. Please note that the IP addresses given in some of the screen shots are specific to the particular satellite, cluster and sub-cluster that you are using. Your IP addresses for DNS, IOSA, HPA, etc. will likely be different from mine.

a. BlackIce Defender Configuration Sheets

 

 

 

In the previous sheet and the following one, IP address 192.168.0.2 is explicitly allowed access to the LAN. This address corresponds to the WAN port on the router, the port through which all traffic passes to the gateway PC and ultimately the Internet. Client PCs cannot access the gateway PC or the Internet unless this address is entered and explicitly allowed access.

 

 

b. ZoneAlarm Pro Configuration Sheets

c. Security Discussion

Now that we have a “full time” connection to the Internet, security of our PCs becomes more critical. This, coupled with the rise in virus releases and infections, means we have to take measures to ensure the security of our PCs and networks from attack by hackers and by malicious code. This subsection will briefly outline some of the steps you can take to increase your security. But let me say first that nothing we do will be 100% safe. If someone can make it, then someone can break it. For me, my best protection has been complete and frequent backup of my critical systems. This also has the added benefit that if you blunder when adjusting settings, modifying your registry, or making other major changes (which we StarBand users so often do), recovery is rather painless. I use Norton Ghost for backup of all my PCs. I've been using the product since 1995 (before Symantec purchased the product) and over this time it has become a very mature and robust application. I am using the most current Enterprise version but less expensive versions are available (the most recent being Norton Ghost 2002). It can be purchased separately or bundled with Norton System Works Professional.

Some general steps that you can take to increase security relate to changing default settings of your operating system, which is assumed here to be one by Microsoft. As we all know, some Microsoft products have some rather large security “holes” present. Patches are constantly being released by Microsoft to correct problems. You should make it a habit to look at Microsoft’s update site to check for recent security updates. While speaking of updates, this applies to anti-virus updates as well. I recommend updating the definitions at least weekly if not more frequently. There are settings in the operating system that need to be changed from the default settings. Under “Properties” of your network interface card (NIC), DO NOT ENABLE THE NETBEUI PROTOCOL, AND DO NOT ALLOW FILE AND PRINT SHARING, at least for the PC that is connected to the 360 modem. The only network protocol that is required is TCP/IP. In Internet Explorer there are also settings that should be changed. All security settings related to ActiveX controls, certificates, scripting and Java should be set to “high security” or “prompt”. It does get a little tiresome responding to the security prompts, but at least you will be the one making the decisions on what happens to your PC.

If you use Outlook or Outlook Express as your email client, it is important that the auto-preview feature be turned off. Auto-preview of email is enough by itself to trigger malicious code in the email. Also do not open any email attachment unless you know for sure that it is safe, even if it is from someone you know. Scan the attachment first. As a side note, my wife’s PC was recently infected with a virus despite all the security measures that I have implemented on our home network. She got the virus by opening email. Where had I failed in the security setup of her PC? It turned out that I did not have the antivirus software set to automatically scan both incoming and outgoing email. My point in this is that nothing will protect us from our own stupidity. Fortunately I had a recent Norton Ghost image of her PC and within 20 minutes she was up and running with only a loss of some email and eBay information.

Specific settings in ZoneAlarm Pro (presented in the previous section) significantly affect the security and operability of your PC and home network.  Basically, I’ve “allowed” essentially everything that is going out to the Internet. As far as what is allowed into the network, I’ve disallowed everything coming in unless it was instigated as a result of something going out.   There are exceptions to this, for example allowing some applications to act as servers on the Internet. A word of caution is needed here – be very careful what you allow and be very careful which IP ranges you put into your Local Zone.  ZoneAlarm Pro automatically identifies your wide area network and, by default, puts it into the Network section of “LocalZone Contents” with a check mark to allow the range to be part of your local zone (See screen capture of settings on Page 14). If this default is “allowed”, then your entire subnet as defined by StarBand (148.63.xx.0/255.255.192.0) has rights as assigned to your Local Zone.  THIS SHOULD BE UNCHECKED.  
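An added example (not part of the original case study): a Python check of trusted-zone entries against the two home subnets listed in section 3, showing how much each entry actually trusts. The entry list is constructed, and 198.18.64.0 is a placeholder standing in for the masked 148.63.xx.0 StarBand subnet.

```python
import ipaddress

# Home subnets stated in the case study: gateway-to-router link and router LAN.
HOME_SUBNETS = [ipaddress.ip_network("192.168.0.0/24"),
                ipaddress.ip_network("192.168.1.0/24")]

# Constructed trusted-zone entries as (label, address, netmask).
# 198.18.64.0 is a placeholder for the masked 148.63.xx.0 WAN subnet.
SAMPLE_ENTRIES = [
    ("Router WAN port", "192.168.0.2", "255.255.255.255"),
    ("Gateway/router link", "192.168.0.0", "255.255.255.0"),
    ("Auto-detected WAN subnet", "198.18.64.0", "255.255.192.0"),
]


def usable_hosts(network):
    """Hosts covered by an entry, excluding network/broadcast addresses."""
    if network.prefixlen >= 31:
        return network.num_addresses
    return network.num_addresses - 2


def audit_trusted_zone(entries, home_subnets=HOME_SUBNETS):
    """Flag trusted entries that reach beyond the home subnets."""
    findings = []
    for label, address, netmask in entries:
        try:
            # strict=False tolerates an address with host bits set under the mask.
            network = ipaddress.ip_network(f"{address}/{netmask}", strict=False)
        except ValueError:
            # Malformed address or non-contiguous mask: report it, do not guess.
            findings.append({"label": label, "network": None,
                             "hosts": 0, "action": "invalid"})
            continue
        inside_home = any(network.subnet_of(home) for home in home_subnets)
        findings.append({
            "label": label,
            "network": str(network),
            "hosts": usable_hosts(network),
            "action": "keep" if inside_home else "uncheck",
        })
    return findings


if __name__ == "__main__":
    for f in audit_trusted_zone(SAMPLE_ENTRIES):
        print(f"{f['action']:8} {f['network']:18} {f['hosts']:6} hosts  {f['label']}")
```

The 255.255.192.0 mask covers 16,382 usable addresses, so leaving that entry checked gives Local Zone rights to every host on the StarBand-assigned subnet rather than only to the PCs in the house.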

 

6. Software and Other Resources

a. Security-related Software

There are two freeware add-on software products that enhance the functionality of BID and ZAP. These are VisualIce and VisualZone by Visualize Software. They can be downloaded from the following web site: http://www.visualizesoftware.com These programs offer enhanced reporting, "Whois" lookup of intruders, backtracking, location, email of abuse comments, and other useful tools.

Eye-Net Consulting also offers name resolution, reverse lookup, and other tools to help identify hackers. Their site is at: http://www.eye-net.com.au/itools/inetnum.php

Of major importance to network security is protection against virus attacks. I prefer the antivirus software by Kaspersky Labs called Kaspersky AVP. Information on their products can be obtained at their web site at: http://www.kaspersky.com/

There are other popular antivirus packages including Symantec's Norton Antivirus. I found however that Norton Antivirus affected performance in a detrimental way. Important to the protection afforded by antiviral software is frequent updating of the virus definitions. Also, you need to install antiviral software on all PCs that access the Internet, not just the gateway PC.

Another form of security breach is by so called "spy-ware" that is placed on your system during web browsing. This type of software reports back to vendors on your usage habits and other personal information. Free software by LavaSoft called Ad-Aware can remove this spy-ware from your system. It can be downloaded from their web site at: http://www.lavasoftusa.com/aaw.html

One final software package that I have found to be very useful in tracking the location of hackers is called VisualRoute and can be obtained from the vendor's site at the following URL: http://www.visualware.com/visualroute/index.html 
This program provides a listing of all "hops" taken to a particular IP address and provides name resolution, mapping, time measurements, etc.

If you do get hacked or infected with a virus from which you cannot recover, it is important to have a backup copy of the contents of your PC's hard drive. I've found Norton's Ghost to be an excellent product for making an image of your drive. Ghost is available from most computer software retailers.

b. Other Resources

To test your network security, there are several sites that can scan your network. Some of the more popular ones are:
http://www.hackerwhacker.com:4000/startdemo.dyn?answer=firewall/
http://www.dslreports.com/ 
http://www.it-sec.de/vulchke.html                

Finally, if you need information about networking (in general) and networking hardware (in particular), the site Practically Networked is a great site to visit. It is located at:
                     http://www.practicallynetworked.com/ 
It has information on hardware evaluations and testing, "how-to" resources, price comparisons, user reviews, and many other items of interest to "networkers".

This concludes the main body of this document. Following is an appendix that contains a Network Status Report generated by StarBand's Mission Control.

 

APPENDIX

Mission Control: Network Status Report

User name: Robert Dias

E-Mail address: bdias@starband.net

Date: Dec/08/2001 Time: 19:26:27

Modem Parameters

 PC IP address: 148.63.xx.xx

Modem MAC address: xx:xx:xx:xx:xx:xx

Modem identification: xxxx

Modem version: 1.05

Firmware version: 07.02.01

Boot code version: 07.00.05

Hardware version: 2

Satellite delay: 43

Modem Location Parameters

Modem Cluster: 2

Modem Subcluster: 3

Modem ID Code: xxxx

Modem Location ZipCode: 23061

Current Modem Status

Modem Interface type: LAN

Receiver Lock status: Locked

Eb/N0: 7.200

Online status: Online

Hub Synchronization status: Synchronized

Satellite Data Accelerator Tunnel status: Up

Web Page Accelerator Tunnel status: Up

Authorization status: Registered

StarBand Software Parameters

Status Server version: version 2.03

Status Server status: Normal

Satellite Data Accelerator client version number: NettGain2000 Client - 1.3.8-3

Primary Satellite Data Accelerator server IP address: 172.21.2.10

HPA IP address: 172.18.2.20

Local Computer Parameters

Processor Type: GenuineIntel Family 6 Model 5 Stepping 2

OS Type: Windows 2000

Available Memory: 255.51 MB

HostName: e5200

Domain Name:

DNS Server IP address: 148.78.249.200

DNS Server IP address: 148.78.249.201

Local Network Adapters

Adapter Description: NETGEAR FA311 Fast Ethernet PCI Adapter

Adapter GUID: {xxxxxxxxx}

Adapter IP Address: 192.168.0.1

Adapter Netmask: 255.255.255.0

Default Gateway IP Address:

DHCP Enabled: No

Adapter Description: 3Com EtherLink PCI

Adapter GUID: {xxxxxxxx}

Adapter IP Address: 148.63.xx.xx

Adapter Netmask: 255.255.192.0

Default Gateway IP Address: 148.63.xx.xx

DHCP Enabled: Yes

DHCP Server IP Address: 148.63.xx.xx

DHCP Lease obtained: Sat Dec 08 19:19:26 2001

DHCP Lease expires: Sat Dec 08 19:49:26 2001

End of Appendix