When should I use ICS, Windows Firewall, and bridging?
Internet Connection Sharing (ICS), Windows Firewall, and home network bridging are designed for use in homes and small businesses. While they can be used in larger networks such as a corporate or government network, they should only be used at the direction of a network administrator. Assisting with the configuration of large networks falls outside the scope of Gateway's warranty support.
Note: Using ICS, Windows Firewall, or bridging can severely interfere with network operations if they are used incorrectly. Never enable them on a large network unless explicitly instructed to do so by a network engineer familiar with the layout of the network.
While a complete tutorial on network design is beyond the scope of this document, this information should cover the situations most likely to be encountered in home and small business networks.
ICS is used to allow several computers to share one Internet connection. There can only be one ICS host on a network because some of its functions, such as Network Address Translation (NAT) and Dynamic Host Configuration Protocol (DHCP), conflict with each other when more than one computer tries to provide them.
Firewalls are security programs that restrict access to the computers they are protecting. As a general rule, Windows Firewall should be used on any connection to the Internet, or any other public network, that is not already protected by a firewall. Windows Firewall can be enabled on systems behind other firewalls for additional security. However, this is not recommended because it creates substantial additional administrative overhead, provides very little additional security, and Windows Firewall cannot be enabled on network adapters that are used for file and print sharing, or many other network services.
Bridging connects two network segments, passing information between them much like a network hub. The only practical use of bridging in a home network is to connect two or more different types of networks, such as a traditional twisted pair Ethernet, Home Phoneline Networking Adapter (HPNA), and wireless Ethernet. Depending on the customer's hardware, a bridge may or may not be needed to connect these networks.
The following examples illustrate the most common types of networks used in homes and small businesses. If these diagrams do not match the customer's layout exactly, use the guidelines in this document to determine where ICS, Windows Firewall, and bridging should be enabled.
A small, isolated network that is not connected to the Internet (or any other public network) does not need ICS or Windows Firewall. On a small network that is never connected to the Internet, bridging is normally enabled in a computer that contains two or more network adapters that are currently in use.
A single computer connected to the Internet (or other public network) should have Windows Firewall enabled on the network adapter used to connect to the Internet, whether it is a modem, Ethernet, or other type of network adapter. An example of this arrangement can be seen in this diagram.
Most home networks connected to the Internet use a wiring scheme similar to the following diagram where a single computer is connected directly to the Internet and other computers access the Internet using ICS. In this example, multiple types of network hardware are used, so a bridge was set up behind the firewall. Note that connecting additional computers to either hub does not alter the use of ICS, Windows Firewall, or bridging.
Many small business networks use a dedicated router with firewall and network address translation (NAT) capabilities. This could be a properly configured server or a standalone commercial product. Some digital subscriber line (DSL) providers also offer home users the use of a router. If a customer is unsure whether the DSL or cable modem has firewall capabilities, refer the customer to the appropriate documentation or Internet Service Provider (ISP). If using a dedicated firewall, the network should be configured like the following diagram. Again, note how any necessary bridges are behind the firewall, and adding computers to either of the hubs does not affect the usage of ICS, Windows Firewall, or bridging.
Some ISPs install networks like the one shown in the following diagram. However, this is not recommended for several reasons. In this arrangement, every system connected to the Ethernet hub, and any network it is bridged to, should have Windows Firewall enabled. This interferes with file and print sharing and many other network activities. The computers on this network are limited to communicating with each other in the same limited ways they communicate with other computers on the Internet: if you enable telnet connections between these computers, for example, you also allow any computer on the Internet to make a telnet connection to them. Adding systems to this network (even temporarily) may require you to rent more IP addresses. This arrangement also requires more manual configuration than the other network topologies discussed in this document. Furthermore, only the customer's ISP can provide the information needed to configure all the computers on the network.
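As an added example (not part of Gateway's document), the following Python script encodes the guidelines above as checks over a described layout: one ICS host only, Windows Firewall on any unprotected public link but not on adapters used for file and print sharing, and bridges only behind the firewall and only where two or more adapters are in use. The host, adapter and field names are assumptions; the two sample layouts are constructed to match the ICS diagram and the public-hub arrangement described above.

```python
from dataclasses import dataclass, field

@dataclass
class Adapter:
    name: str
    internet_facing: bool = False   # connects directly to the Internet or another public network
    upstream_firewall: bool = False # a dedicated router/firewall already protects this link
    file_sharing: bool = False      # adapter used for file and print sharing
    in_use: bool = True

@dataclass
class Host:
    name: str
    adapters: list
    ics_host: bool = False
    firewall_on: set = field(default_factory=set)  # adapters with Windows Firewall enabled
    bridged: set = field(default_factory=set)      # adapters joined into a network bridge

def check_network(hosts):
    """Return findings where the layout departs from the guidelines above."""
    findings = []
    ics = [h.name for h in hosts if h.ics_host]
    if len(ics) > 1:
        findings.append("more than one ICS host: NAT and DHCP will conflict")
    for h in hosts:
        for a in h.adapters:
            fw = a.name in h.firewall_on
            if a.internet_facing and not a.upstream_firewall and not fw:
                findings.append(f"{h.name}/{a.name}: public link without Windows Firewall")
            if fw and a.file_sharing:
                findings.append(f"{h.name}/{a.name}: Windows Firewall blocks file and print sharing")
            if a.name in h.bridged and a.internet_facing:
                findings.append(f"{h.name}/{a.name}: bridge must sit behind the firewall")
        if h.bridged and sum(a.in_use for a in h.adapters) < 2:
            findings.append(f"{h.name}: bridge needs two or more adapters in use")
    return findings

# Constructed sample: the ICS layout (one host with modem, Ethernet and HPNA adapters)
ICS_NET = [
    Host("host1", [Adapter("modem", internet_facing=True),
                   Adapter("eth0", file_sharing=True), Adapter("hpna0", file_sharing=True)],
         ics_host=True, firewall_on={"modem"}, bridged={"eth0", "hpna0"}),
    Host("pc2", [Adapter("eth0", file_sharing=True)]),
]
# Constructed sample: every computer on a public hub, ISP-assigned addresses, no NAT
PUBLIC_HUB_NET = [
    Host("pc1", [Adapter("eth0", internet_facing=True, file_sharing=True)]),
    Host("pc2", [Adapter("eth0", internet_facing=True, file_sharing=True)], firewall_on={"eth0"}),
]
```

The ICS layout passes cleanly; the public-hub layout reports one host exposed without a firewall and one whose firewall blocks its file sharing, which is the trade-off the paragraph above describes.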