
Corporate.Net
internetRx
By Chris Lewis and Joel Conover
Q:
The users at my company have browsers on their PCs for access to an intranet's internal applications. We also have implemented an Internet connection that everyone has access to. We now want to manage who gets access to the Internet and who does not. We use Dynamic Host Configuration Protocol (DHCP) to allocate IP addresses. Does this limit our options?
A:
The most common way to manage which user machines get access through an external Internet connection involves maintaining a list of IP addresses in the router that connects you to the Internet. Typically, you identify a list of IP addresses that can access the Internet, and all others are denied access. This method takes some manual administration, but it works quite well--as long as the IP addresses remain constant.
With DHCP, there is the possibility that occasionally a user will get a different IP address. DHCP is most commonly implemented by allocating the same IP address to a workstation every time the workstation requests an IP address. This method works well until the network card fails, for example, and is replaced in a user's PC. In this situation, the DHCP server assigns a new IP address to the user PC, since the request will be coming from the new network card with a previously unknown Media Access Control (MAC) address. This IP address will not be in the router access list, and the user will not be able to use the Net until the access list is altered.
A similar problem could occur if a user moves from a location served by one DHCP server to a location served by another DHCP server. In this case, the user's PC will be assigned a new IP address, and could be denied Internet access.
One possible solution is to identify users who need access to the Internet and assign them to one DHCP server, which will allocate IP addresses only from a specific range. The access list on the router can be configured to allow all IP addresses from this range, and to deny access to all other IP addresses. Even if a network card is replaced, the user will get a new IP address from the range permitted to access the Internet.
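The range-based access list described above, worked through as an added example (not code from the column): it turns a DHCP range into exact permit entries, checks new leases against them, and shows how many extra addresses a single rounded-off entry would let out. The addresses, the ACL number and the Cisco IOS-style syntax are assumptions; the column names no router or address plan.

```python
import ipaddress

# Constructed sample values (assumptions; the column gives no addresses).
INTERNET_POOL = ("10.1.20.10", "10.1.20.200")  # DHCP range for Internet users

def pool_to_networks(first, last):
    """Fewest CIDR blocks that cover the DHCP range exactly, no more."""
    return list(ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last)))

def acl_lines(networks, acl_id=101):
    """Permit entries for the range, then deny everything else.
    Cisco IOS-style syntax is assumed; the column names no router."""
    lines = [f"access-list {acl_id} permit ip {n.network_address} {n.hostmask} any"
             for n in networks]
    lines.append(f"access-list {acl_id} deny ip any any")
    return lines

def permitted(addr, networks):
    """True if a leased address matches one of the permit entries."""
    ip = ipaddress.ip_address(addr)
    return any(ip in n for n in networks)

def covering_block(first, last):
    """Smallest single CIDR block containing the range, plus the number of
    addresses outside the DHCP range that a one-line permit would let out."""
    lo, hi = ipaddress.ip_address(first), ipaddress.ip_address(last)
    for prefix in range(32, -1, -1):
        net = ipaddress.ip_network(f"{first}/{prefix}", strict=False)
        if hi in net:
            return net, net.num_addresses - (int(hi) - int(lo) + 1)

if __name__ == "__main__":
    nets = pool_to_networks(*INTERNET_POOL)
    print("\n".join(acl_lines(nets)))
    # A replaced network card gets a new lease from the same pool: still allowed.
    print("10.1.20.77 permitted:", permitted("10.1.20.77", nets))
    # An address from a different DHCP server's range is denied.
    print("10.1.5.23 permitted:", permitted("10.1.5.23", nets))
    print("single-entry shortcut:", covering_block(*INTERNET_POOL))
```

Choosing a DHCP range that falls on a CIDR boundary (for instance 10.1.20.128 through 10.1.20.255) reduces the access list to one permit entry without allowing any address outside the range.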
There are other options. You can configure users to use a Domain Name System (DNS) server that has pointers to the Internet. If a user pointing to one of these DNS machines tries to type in an Internet URL, the user's browser will not be able to resolve that URL to an IP address, and the user will not be able to use the Internet. This solution gets around the need to maintain access lists and diminishes worries about which DHCP server the user is getting an IP address from.
A similar method involves configuring user PCs to a default gateway that knows how to reach the Internet connection, while configuring other user PCs to a different default gateway that does not have a routing table entry for reaching the Internet.
Q:
I have heard about people using the Internet as a cheap way to conduct long-distance and international telephone calls. Does this work, and if so, how can I use it to save my organization money?
A:
For quite some time, services available on the Internet have provided voice connectivity for the home user. There are now solutions for PBX-to-PBX connections over IP that can save companies money on their long-distance and international phone bills.
Home-user products rely on a user dialing into an Internet service provider (ISP) node and establishing a connection to a server on the Internet. The server registers the user name and IP address for that session and lists the user in its directory as ready to receive calls. This process is necessary, as voice over the Internet occurs by addressing packets to IP addresses, which change every time a user dials into an ISP node. Using voice over the Internet in this situation requires users to agree on a time when they will both be logged into the Internet server. This process is not necessary for the PBX-to-PBX products, since the gateways that connect each PBX to the Internet will have a fixed IP address.