Unlike a home network, which shares the ISP's internet connection among a few computers in the household, a business internet connection for a corporate network calls for an internet access strategy that serves the network users efficiently and securely. Developing it involves:
- Selecting an appropriate connection type based on the network's requirements,
- Determining which IP addresses to use for the client computers,
- Deciding how to protect the network from intruders.
The network's requirements for sharing an internet connection can be worked out by brainstorming questions such as:
- How will users access the internet?
- What authentication method will be used?
- How will you control the bandwidth?
- How will you control when users have access (time-of-day access)?
- What application connectivity is required?
Although it is easy to share an internet connection with users on the network, doing so with appropriate security complicates the process considerably. The plan for sharing an internet connection should ensure that security hazards are minimal and that the potential for abuse of the internet connection by your own users is not an issue.
Connectivity solution
- Network address translation (NAT)
NAT has been discussed in more detail previously. A NAT strategy suits a home network environment, where all the clients have the same security requirements. You cannot share internet access on a per-user basis using a NAT strategy. Almost all wireless routers on the market today that target home use adopt a dual firewall feature: NAT and SPI (stateful packet inspection).
- Internet Security & Acceleration Server (ISA)
ISA Server can be a good solution for sharing an internet connection. ISA Server is a proxy server product that provides extensive firewall capabilities, including filtering at the packet, circuit, and application levels. These capabilities enable the proxy server to block most types of attacks attempted by internet intruders, with greater efficiency than a typical NAT implementation. The server can also examine the data arriving from the internet (whether it is contained in web pages, e-mail messages, or other forms) to see if the files contain viruses or other potentially damaging code.
In addition to protecting the network from outside intrusion, ISA provides extensive internal security capabilities. Using a policy-based model, you can monitor and regulate user access to the Internet. Using a firewall client provided with the product, you can require users to authenticate to the ISA server before they are granted Internet access and grant them specific levels of access based on their identities. This means you can easily control user access to specific Internet applications and locations as well as maintain logs of Internet activities. You can also limit the time users can spend on the Internet by scheduling the hours when access is available.
Almost all proxy servers can also accelerate client performance by caching information downloaded from the internet. When several users access the same website, for example, the proxy serves the same information from its cache, which is much faster than fetching it directly from the internet.
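The policy-based access control described for ISA above (authenticate the user, grant access by identity, restrict destinations and hours, log every decision) can be sketched as follows. This is an added example, not ISA Server's own configuration or code; the rule format, group names, and hostnames are hypothetical.

```python
from datetime import datetime, time
from fnmatch import fnmatchcase

# Hypothetical rule set: first match wins, anything unmatched is denied.
RULES = [
    {"group": "finance", "hosts": ["*.bank.example"], "ports": {443},
     "hours": (time(8, 0), time(18, 0)), "action": "allow"},
    {"group": "*", "hosts": ["*.games.example"], "ports": {80, 443},
     "hours": (time(0, 0), time(23, 59, 59)), "action": "deny"},
    {"group": "staff", "hosts": ["*"], "ports": {80, 443},
     "hours": (time(9, 0), time(17, 0)), "action": "allow"},
]
# Constructed user directory: authenticated user -> group memberships.
GROUPS = {"alice": {"finance", "staff"}, "bob": {"staff"}}

def decide(user, host, port, when, log):
    """Return 'allow' or 'deny' for one request and append an audit record."""
    groups = GROUPS.get(user)
    action, reason = "deny", "default deny"
    if groups is None:
        # No identity means no access: this is what plain NAT cannot enforce.
        reason = "unauthenticated or unknown user"
    else:
        for i, rule in enumerate(RULES):
            start, end = rule["hours"]
            if ((rule["group"] == "*" or rule["group"] in groups)
                    and any(fnmatchcase(host.lower(), p) for p in rule["hosts"])
                    and port in rule["ports"]
                    and start <= when.time() <= end):
                action, reason = rule["action"], f"rule {i}"
                break
    # Every decision is logged, allowed or not.
    log.append((when.isoformat(), user, host, port, action, reason))
    return action

if __name__ == "__main__":
    audit = []
    print(decide("bob", "www.example.org", 443, datetime(2024, 1, 8, 10, 0), audit))
    print(decide("bob", "www.example.org", 443, datetime(2024, 1, 8, 20, 0), audit))
    for record in audit:
        print(record)
```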
- Hardware firewall appliances
Another option for sharing an internet connection is a hardware firewall. Many types of hardware firewall appliance are available on the market today. A hardware firewall for a small network such as a home network is usually packaged together with the wireless router, such as the Linksys WRT610N wireless router, a three-in-one device (firewall/router, switch, and wireless access point). An enterprise-class hardware firewall usually supports advanced features for very secure internet connectivity and private network access, including IDS (intrusion detection system) capability, such as the Cisco IDS 4200 Series.
Internet connectivity components
There are many design options for sharing an internet connection. In the following diagram, the business/corporate network uses a perimeter router as the first line of defense against the public, untrusted network. The router is the media transition between the Ethernet network in our private network and the internet connectivity medium, which can be T1, T3, frame relay, or cable or DSL service. On this router, the access-list policy is designed to be as strong as possible, since it is the first defense.
Firewall with screened subnet

Share Internet Connection Diagram
Both router interfaces, the one that faces the internet and the one that faces the firewall, use registered public IP addresses. This area is therefore called the dirty DMZ or screened subnet, and it is still accessible by the public. The area behind the firewall is the private network, where corporate network resources reside; it must not be accessible by the public except where explicitly permitted by a strong security policy. The firewall in this diagram can be a hardware firewall appliance or an ISA server.
Firewall with NAT and ISA server
NAT is the primary method that enables computers with unregistered IP addresses to access the internet. Whichever firewall solution you use, NAT can serve as the configuration solution, and NAT is even the default configuration for most hardware firewalls. ISA Server provides NAT as its basic design.

Share Internet Connection with DMZ
In the ISA server solution there are normally two interfaces: one that uses a registered public IP address and is regarded as the public network, and another in the private network. You can use the private IP address scheme (as in the table below) for the network behind the firewall, which is the corporate network.
| Class Type | Start Address | End Address |
| --- | --- | --- |
| Class A | 10.0.0.0 | 10.255.255.254 |
| Class B | 172.16.0.0 | 172.31.255.254 |
| Class C | 192.168.0.0 | 192.168.255.254 |
Hardware firewall
Using a hardware firewall to share an internet connection is very popular today. The security solution in a hardware firewall is designed around NAT, which is an important part of the built-in firewall design.
One option for giving the corporate network a better level of security is to use two or more interfaces on the firewall, especially on a built-in firewall. In the screened subnet, public IP addresses are still used. On the third interface we can place public resources that will be accessed from the internet, such as web servers, hiding them behind the firewall using NAT. Each IP address of a public resource is mapped to a registered public IP address using static NAT. With this method, internet users see the resources as if they were located in the screened subnet. This area is called the DMZ (demilitarized zone).
The good thing about a DMZ is that internet users never touch the private network, our corporate network, which must be protected securely.
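A static NAT table for the DMZ design above can be checked before it is loaded onto the firewall. The following is an added example, not taken from any firewall product; the subnets are assumptions, and 203.0.113.0/24 is a documentation range standing in for registered public addresses.

```python
import ipaddress

# Private ranges from the table above (RFC 1918).
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_rfc1918(addr):
    """True if addr falls in one of the private ranges."""
    return any(addr in net for net in RFC1918)

def check_static_nat(nat_table, dmz_net, private_net):
    """Return findings for a static NAT table {inside_ip: public_ip}."""
    dmz = ipaddress.ip_network(dmz_net)
    private = ipaddress.ip_network(private_net)
    findings = []
    if dmz.overlaps(private):
        findings.append(f"DMZ {dmz} overlaps private network {private}")
    seen_public = {}
    for inside_s, public_s in nat_table.items():
        inside = ipaddress.ip_address(inside_s)
        public = ipaddress.ip_address(public_s)
        # Only DMZ hosts may be published; corporate hosts must stay hidden.
        if inside in private:
            findings.append(f"{inside} is on the private network and must not be published")
        elif inside not in dmz:
            findings.append(f"{inside} is outside the DMZ {dmz}")
        # The outside half of a mapping must be a registered address.
        if is_rfc1918(public):
            findings.append(f"{public} is a private address, not a registered public one")
        # Static NAT is one-to-one: a public address serves one host.
        if public in seen_public:
            findings.append(f"{public} is mapped to both {seen_public[public]} and {inside}")
        seen_public.setdefault(public, inside)
    return findings

# Constructed sample tables (all addresses are illustrative).
GOOD = {"172.16.10.10": "203.0.113.10", "172.16.10.11": "203.0.113.11"}
BAD = {"172.16.10.10": "203.0.113.10",
       "192.168.1.20": "203.0.113.10",   # corporate host, public IP reused
       "172.16.10.12": "10.9.9.9"}       # "public" side is actually private

if __name__ == "__main__":
    for name, table in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, check_static_nat(table, "172.16.10.0/24", "192.168.1.0/24") or "ok")
```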

Really good post. I would like to share my internet connection, but I am using a data card. So can I share the connection using the above method?