From Networking Dilemma to Networking Success
Internet Server Appliances for Small Business
Abstract
In today’s hyper-competitive environment, the small business owner/manager faces a strategic dilemma:
• to embrace the Web and other networking technologies, with all their opportunities and risks, or
• to preserve the status quo because of the fear of costs and security risks.
The visionary’s response to this dilemma is to forge ahead, ignoring the pitfalls, recognizing that incorporating
networking technologies into core business processes may be crucial to the future growth and survival of the business.
The conservative businessperson might not make a decision until the costs and risks are understood and manageable.
Fortunately, there is a new breed of product, called the Internet server appliance (or thin server) that can help satisfy
both the visionary and the conservative.
Purchasing a thin server appliance can meet the needs of small business for Internet connectivity without breaking
the budget, and without introducing security risks. In fact, a superior server appliance will provide much more in
the way of networking services than basic Internet connectivity, while enhancing security (by actively protecting
information assets from electronic intruders), all at a very reasonable total cost of ownership. This white paper
demonstrates why a server appliance ought to be the keystone technology in the Internet strategy of any small
business, and what criteria to apply when making a purchase decision.
Newlix Corporation
1051 Baxter Road • Suite 21
Ottawa Ontario • K2C 3P1
tel (613)225.0516 • fax (613)225.5625
www.newlix.com
info@newlix.com
Table of Contents
Abstract
Table of Contents
The Networking Dilemma
  How does this relate to my business?
  Scenario 1: No Local Area Network (LAN)
  Scenario 2: Computers connected to LAN, without a gateway
  Scenario 3: Computers connected to LAN, with a gateway
  Understanding the Problem
  What’s the solution?
Framework for a Solution
  Table 1. Requirements Analysis Outline
  Business goals
  Success factors
  Business processes
  Business activities
  Communications infrastructure
  Networking requirements
  Table 2. Business Needs and Networking Technology
  Characteristics of a solution
  Business-driven characteristics
  Technology-driven characteristics
  Characteristics in detail
Options for Networking Success
  Categories of solutions
  Which category is best for small business?
  Table 3. Comparison of Internet connections Solutions
  Table 4. Cost-effectiveness of Internet Connection Solutions
  The Newlix OfficeServer Solution
  Table 5. Characteristics of the Newlix OfficeServer
Conclusion
Glossary
Suggested Additional Reading
v-00-06-19
newlix corporation 2
The Networking Dilemma
The Internet explosion is driving all businesses, large and small, to rethink their communications strategy. Although
public relations and marketing form an important part of the strategy, it goes well beyond that. Businesses are creating
value and increasing their competitiveness by linking their customers, suppliers, partners, and employees into their core
business processes using Internet technology to create dynamic, collaborative communities (intranets and extranets).
The Internet is also enabling entirely new kinds of businesses that provide value-added services, such as professionally
managed, targeted knowledge brokering, to individuals or other businesses.
For example:
• Courier companies provide up-to-date shipment tracking to customers via the Web to cut costs.
• Manufacturers are involving suppliers and partners in cross-enterprise supply-chain management to optimize
manufacturing schedules and reduce inventories.
• Engineering teams are improving productivity and overcoming geographical separation using distributed
collaboration tools.
• Specialized information services are alerting clients to current events that affect their business decisions.
All of these business applications are based on a small set of basic networking services, such as the Web, e-mail, local area
networking (LAN), and wide area networking (WAN). These in turn depend on securely and reliably connecting people
(via their computers) to each other and to the global Internet.
Driving forces
Competitive and bottom-line pressures are driving businesses to deploy Internet technology in order to communicate
more effectively, both externally and internally. At the same time, businesses must protect their information assets and manage
costs. Each business is at the focal point of these forces, and must meet them head-on to survive and grow—achieving
“networking success”. The technological foundation of networking success is secure and reliable connectivity.
For the small business (1 to 100 employees), networking costs are a significant issue, both for initial investment and for
ongoing maintenance. Security is the other big issue; ensuring the integrity and confidentiality of the information assets of
the business and of its clients is fundamental to its survival. In the past, typical solutions were either:
• highly secure, but at a prohibitive cost for small business, or
• low-cost initially, but inadequate and expensive to maintain
Thus, the potential purchaser was forced to choose between security and cost. This white paper shows how to avoid both
overly expensive and inadequate solutions by examining the problems and pitfalls of connecting to the Internet, and
proposes a cost-effective solution for a small business to achieve networking success.
How does this relate to my business?
The small business owner/manager may be faced with computer users demanding faster, more convenient Internet access
(or perhaps any access at all) so that they can do their jobs more effectively. Some of them may be highly skilled
professionals who could cover more information in their research in less time (thus generating more revenue) if they had
high-speed Internet access for Web browsing and e-mail. However, the cost of a dedicated high-speed connection for each
user might be prohibitive. The typical solution is to share a single high-speed connection among many users through a
gateway system. Therefore, the costs and risks associated with shared Internet access must be considered carefully before
any purchasing decision is made.
The following scenarios are typical of approaches that have been tried for providing basic Internet access to small
businesses. They give some insight into the drawbacks of the ‘obvious’ solutions.
Scenario 1: No Local Area Network (LAN)
Configuration:
• One or more disconnected (standalone) computers.
• No Internet access yet, or Internet access (typically dialup) on individual computer(s).
Advantages:
• Standalone operation can reduce or slow down the spread of computer viruses.
• Potential intrusion by hackers is restricted to machines with Internet access.
• No network administration required.
Problems:
• Difficult to share computer resources (e.g. hard disk space, printers).
• Cost of giving Internet access to additional users (typically requires additional telephone lines).
• Cost of simultaneous connections (one per user, but each connection is typically idle most of the time).
• Security: no protection from unwanted intrusion while online, unless each machine with Internet access
has personal firewall software installed.
[Figure: standalone PCs, each connected to the Internet through its own modem, either a dial-up modem (non-permanent connection) or a high-speed modem (typical; permanent connection to cable, telephone (DSL), or wireless network).]
Security note: Each computer with Internet access is vulnerable to attack when connected.
Scenario 2: Computers connected to LAN, without a gateway
Configuration:
• Users sharing disk space, printers, and other resources.
• Internet access via modem on individual computers, or a shared modem pool.
Advantages:
• More cost-effective use of resources by sharing over the LAN.
• Modem pool can reduce costs by sharing outside telephone lines.
Problems:
• Costs of Internet access for multiple users (similar to stand-alone case).
• Security: unwanted intrusion can affect all computers on the LAN, unless each machine with Internet
access has personal firewall software installed.
[Figure: PCs and a LAN server on a LAN, connected to the Internet through a shared modem pool.]
Security note: Every computer on the LAN is vulnerable to attack when any computer is connected.
Scenario 3: Computers connected to LAN, with a gateway
Configuration:
• Users sharing computer resources via the LAN server(s).
• Internet access is also shared (over a single telephone line or cable connection) using Internet connection
sharing (gateway) software installed on one computer.
Advantages:
• Cost-effective: access cost is shared, and PC gateway software is free or inexpensive.
• Security: single point of connection to the Internet; only the gateway needs to be secured.
Problems:
• Inexpensive gateway software may be unreliable.
• Security: intruders can attack all computers on the LAN, unless there is also a firewall at the gateway.
• Reliable, dedicated gateway/firewall systems tend to be expensive, considering initial cost and
maintenance/upgrades.
• Total cost of ownership can be high, depending on level of expertise required to maintain the gateway/firewall.
[Figure: PCs and a LAN server on a LAN; a PC with gateway software connects the LAN to the Internet through a high-speed modem (typical).]
Note: The gateway function could be located on a LAN server, instead of on a separate PC as shown.
Security note: Every computer on the LAN is vulnerable to attack, unless the gateway
is secured with a firewall.
Understanding the Problem
Unfortunately, none of these scenarios represents a viable solution for Internet connectivity for small business, with the
possible exception of Scenario 1 for a one-person, single-computer office. With multiple computers at a work site, it makes
sense to install a LAN to enable sharing of computer resources, including the Internet connection. Although gateway and
firewall software is inexpensive and readily available for personal computers (PCs), there are some serious shortcomings
with this “roll your own” approach:
• Reliability: personal computer operating systems typically do not provide the level of continuous availability
required of a gateway, even for a small business. As the business evolves to embed networking into its core
business processes, the level of networking availability will become a key factor in the performance of the
business.
• Functionality: gateway software for personal computers typically performs only basic Internet connection sharing.
Separate products must be selected and installed for a firewall, e-mail, a Web server, and other essential
services. Even then, the resulting solution typically won’t support remote and mobile users. Nor will it allow
multiple work sites (each with their own LAN) to be linked as if they belonged to one large LAN. Lack of support
for these wide area networking (WAN) requirements may present obstacles to future growth of the business.
• Total Cost of Ownership: although the initial purchase cost for the gateway and related software may be
reasonable, the ‘hidden’ costs for installation, configuration, and (most importantly) ongoing administration of
the complete suite of software may be prohibitive. Depending on the particular operating system running on the
gateway computer, a highly skilled network administrator might be required, even to perform basic tasks such as
adding a new computer to the LAN, or adding a new e-mail account.
It’s obvious from these shortcomings that a seemingly straightforward approach to Internet connectivity could lead to an
inadequate solution, or one with very high ongoing costs, or both. The small business owner/manager is caught between the
driving forces for greater network connectivity, and the absolute business need to avoid inadequate, high-cost solutions.
What’s the solution?
Is there a solution that is reliable, functionally complete, and easy on the budget, considering the total cost of ownership?
The answer, of course, is yes. It’s called an Internet server appliance (or thin server), and the Newlix OfficeServer is the
leading product in that category.
The remainder of this white paper explores a path to networking success, while avoiding the pitfalls and shortcomings
of approaches that are not suitable for small business. It begins with principles that apply to any business, and leads to
the Newlix OfficeServer as the ideal solution for small business. The following sections are best read in order, but some
can be skipped to get to a particular topic:
• First, a requirements analysis explains the need for network connectivity and related services, such as e-mail.
• Second, the networking requirements in combination with the needs of small business determine the important
characteristics of a networking solution.
• Next, an analysis of four categories of solutions with respect to the characteristics leads to the conclusion that the
server appliance category is the most appropriate for a small business.
• Finally, an analysis of the Newlix OfficeServer positions it as the leading candidate in the server appliance category.
Framework for a Solution
Before looking at possible networking solutions, every business should examine its communication needs. Time and money
are scarce resources that should not be wasted by jumping into a ‘solution’ that does not meet the needs of the business,
or one with a high total cost of ownership. All businesses today are under tremendous pressure to do more with less, so it
makes sense to consider the business requirements for networking, in order to arrive at a cost-effective solution.
A thorough requirements analysis itself can be a costly process. So this white paper derives some common needs and
networking requirements that apply to all businesses, by starting with some basic principles. The requirements analysis
follows the outline shown in Table 1, proceeding from left to right, and from top to bottom. The business drivers produce
the corresponding requirements in the same row of the table.
Table 1. Requirements Analysis Outline
QUESTION | BUSINESS DRIVERS | REQUIREMENTS
Why does a business exist? | Goals | Success factors
How are goals achieved and success factors supported? | Processes | Communications Infrastructure
What functions are performed? | Activities | Networking Requirements
What does a solution look like? | Business-driven Characteristics | Technology-driven Characteristics
Business goals
A business exists to create wealth by adding value in the delivery of products or services. It may have secondary goals
such as improving the living standards of its employees or contributing positively to the community. However, it must
continually deliver added value in order to achieve long-term viability and to achieve its secondary goals, especially in
today’s hyper-competitive environment. Very simply, the ultimate goal of every business is: “Add value or die!”
Success factors
Businesses that are successful in adding value over the long term tend to adopt a culture that promotes winning
behavior patterns such as:
• focus —clearly communicated objectives for the entire enterprise, business units, and project teams
• delegation —pushing down accountability and decision-making, and eliminating management layers
• specialization —each individual contributing to the mission in the most effective way
• sharing —pooling of scarce assets, resources, and knowledge
• learning —improving processes based on past experience (shared knowledge)
• adaptability—creating new processes to continue adding value in a changing business environment
These businesses attract ideas, employees, customers, and capital to deliver a better, cheaper service or product, thereby
achieving long-term competitive advantage. They have adopted practices and technologies that embody and support
the success factors.
Business processes
Business practices and communications technologies adopted by successful businesses have now converged in the form
of networked business processes and applications. The following are examples of business applications that embody
networked (or web-centric) business processes:
• Web publishing
• Marketing programs —such as free newsletters, discussion groups, promotions, lead generation
• E-commerce—purchasing over the Internet
• Sales management—distributed access to customer and prospect databases
• Customer care—support and guidance before and after the sale
• Collaborative development (of programs and products) with partners
• Telecommuting —remote and mobile employees; virtual corporations
• Supply-chain management—with suppliers and partners
• Competitive research —information agents that find and deliver relevant information
• Finance and administration —distributed budget preparation and monitoring
• Employee recruiting and retention —external and internal Web sites with application and resume submission,
incentive programs, etc.
Clear, meaningful objectives and a culture committed to promoting carefully chosen success factors are critical
elements for the success of a business. But to operate a modern business according to these principles, a high-quality
communications infrastructure is required. Excellent communications will support the culture and the convergent,
networked business processes that will help the business achieve its objectives.
Business activities
In order to determine specific requirements for a high-quality communications infrastructure, let’s look at some of the
business activities that are common to networked business processes, and that support the critical factors for success.
Regardless of the type of business, every organization performs at least some of the following activities:
• information gathering
• information dissemination (publishing)
• purchasing products and services
• selling products and/or services
• direct correspondence with external contacts
• internal correspondence
• sharing information internally to improve productivity and foster teamwork (to produce better proposals, for example)
• sharing tangible assets within workgroups to reduce costs
• sharing information selectively with external contacts (suppliers, customers, contractors, remote employees)
These activities all have one common characteristic. They depend on timely and high-quality communications, both
within the organization, and within the larger sphere of its external contacts.
Communications infrastructure
Businesses are turning increasingly to Internet technologies to support and enhance their communication-dependent
activities, for good reason. The Internet is a very rich and ubiquitous communication medium, built on a costly, high-
bandwidth infrastructure that would be beyond the means of any single corporation, organization or government to
duplicate. Furthermore, the infrastructure and the Internet services are constantly being upgraded by the combined effort
of many individuals and groups. It was also designed from the beginning to be a shared medium, with a low intrinsic
cost for each individual message. It’s no wonder that large and small businesses want to exploit this medium. Internet
technology enables communication solutions that are equally cost-effective for businesses of all sizes.
Given the design of the Internet, it should have put small businesses on an equal footing with large corporations. However,
until recently, cost-effective solutions that provided basic Internet connectivity and networking services (without requiring
a skilled network administrator) did not exist. Now, Internet server appliances have lowered the entry barrier to
networking success for small business.
Networking requirements
The world of networking and the Internet can be a very confusing place. Although some or all of the following networking
requirements might be presented as partial networking solutions, in fact, all of them have their place. This white paper
places them into perspective:
• Web access for information gathering (business intelligence, research), purchasing
• Web presence for marketing, customer support, e-commerce
• E-mail to stay in touch with prospects, customers, suppliers, partners and investors
• Internal e-mail to facilitate internal communication
• LAN support for sharing internal information and computer resources
What about mobile employees and remote work sites?
Mobile and remotely located employees need to exchange information with co-workers at a central location, or share
central resources. They need to operate as if connected to the central office LAN, to share files and printers, to run
business applications, or anything else that a user directly connected to the LAN can do. Therefore, there is a need for
secure wide area networking (WAN) services. These can be provided by telephone dialup service at the gateway, or by a
secure virtual private network (VPN) connection between the gateway and a remote computer through the Internet.
In the case of a distributed business with a central office and one or more remote offices, business activities require a high
level of communication and information sharing among the work sites. So there is a requirement to connect two or more
LANs together into a WAN. This should be transparent to the users, so that the users appear to be all connected to the
same LAN. This can be accomplished if there is a gateway at each site with secure, high-throughput VPN services.
Increasingly today, all businesses are partnering with customers, suppliers, and other external contacts in their business
activities. Thus, there is a requirement for networking between businesses, often referred to as business-to-business (B2B)
networking, or e-business. This implies treating the external contact as if it were a remote work site, but with special
access restrictions to share only the required applications and information. This scenario again requires WAN services
and the underlying VPN technology.
As a business extends its activities to include remote employees, remote work sites, and external contacts, the following
additional requirements appear:
• WAN support to extend LAN services to remote/mobile users and branch offices
• WAN extended to support external contacts, with appropriate access controls
Networking services
The following table shows how communication-intensive business processes drive the requirements for
networking technology and services.
Table 2. Business Needs and Networking Technology
BUSINESS ACTIVITIES | NETWORKING REQUIREMENTS | NETWORKING SERVICES
Information gathering | Web access; File download | Internet gateway
Information dissemination | Web presence | Web server
Marketing & public relations | Web publishing | File transfer services
Purchasing | Web access; File download | Internet gateway; Connectivity to LOB servers
Selling | Web e-commerce; Internet e-business | Web & related servers; Connectivity to LOB servers
Correspondence | External e-mail; Internal e-mail | External e-mail services; Internal e-mail services
Sharing tangible resources | Shared disk storage; Shared printers; Shared CD drives | LAN services; WAN (VPN) services
Sharing information assets | Shared documents; Shared databases; Shared applications | LAN services; WAN (VPN) services
Retention of assets | Network security; Confidentiality | Firewall protection; Secure VPN
In summary, a networking solution that satisfies the needs of business today and into the future will provide:
• Internet access to support Web browsing and file downloading
• Web and file transfer (FTP) servers
• connectivity to line-of-business (LOB) application/data servers
• e-mail services, both external and internal
• LAN services, for sharing both information and computer equipment
• WAN services, to extend sharing to remote/mobile users, branch offices, and partners
• secure, high-throughput VPN capability, encompassing encryption, authentication, and access control
• firewall protection for the LAN
For a small business, it is essential to provide all these services in a single package to minimize costs. Such a solution is
sometimes called a gateway, although it embodies much more than sharing access to an external network.
Security is an underlying requirement for all networking services. Low initial purchase and ongoing maintenance costs
are also key requirements. We’re talking about a secure, fully functional gateway with low total cost of ownership.
Additionally, there are other desirable characteristics of an ideal solution for small business that must be factored into
any purchase decision.
Characteristics of a solution
The business and technology requirements for networking success lead directly to a set of characteristics against which
potential solutions can be compared. The pattern of the requirements analysis suggests breaking the list down into
business-driven and technology-driven characteristics.
Business-driven characteristics
• Security —protection of confidential information and computer resources from electronic intruders
• Initial cost —within financial means of small business
• Simplicity—installation and ongoing maintenance without requiring a trained computer administrator, to
minimize operating costs
• Functionality —connectivity and networking services to support business processes and activities
Technology-driven characteristics
• Reliability—high availability, because Internet access often becomes critical to business operations
• Throughput—Internet access speed constrained only by the bandwidth of the physical connection
• Compatibility—with popular personal computer systems and networking environments
• Support—for both the software and hardware [something that purchasers often overlook]
Characteristics in detail
Let’s take a closer look at each of the characteristics in turn. The following discussion is quite technical. It’s aimed at those
familiar with networking concepts, such as system administrators and power users. If you’d like to skip over the technical
details, you can resume reading with one of the following topics:
• the four categories of solutions that are available today, and why the server appliance category is the most
appropriate for a small business
• the Newlix OfficeServer, the leading candidate in the server appliance category
Security
Protecting the electronic information assets of a business from unauthorized access and accidental loss is a mandatory
business requirement. It’s a multi-faceted problem that calls for comprehensive security and recovery plans, which are
outside the scope of this white paper. Furthermore, achieving 100% protection is impossible. However, it is possible to
make it extremely difficult for electronic intruders to penetrate your LAN from the Internet, satisfying a key part of
any security plan.
“Any host that is... permanently connected (to the Internet) will
typically be scanned and probed several times per day. In fact,
during peak periods, malicious activity at the level of thousands
of packets per day has been recorded...”
Placing a secure gateway between your LAN and the Internet will provide a high degree of protection. A secure gateway
includes a firewall, and together they use some combination of the following techniques:
• The gateway (sometimes called a dual-homed bastion host) is the only connection between the external
Internet and the internal LAN, and only the firewall software is responsible for allowing requests and data (in
the form of network packets) to flow between the internal and external networks. The gateway computer acts
as a proxy for the internal computers that require Internet services. The firewall can block packets that do not
satisfy certain preset security parameters.
• Network Address Translation (NAT) allows multiple computers to share a single Internet connection without
revealing their identity to the external Internet. The sharing machines communicate with each other and with
the NAT gateway computer using private network addresses. For traffic to the external Internet, the NAT
service translates all private addresses to its network address, while keeping track of which packets belong to
which computer. Since the external Internet sees only the single network address of the NAT firewall computer,
there’s absolutely no way for Internet scanners to reach past it. This creates a high degree of security for the
machines “behind” the NAT gateway. Note that the NAT computer is accessible from the Internet and needs to be
protected, by stealth technology for example. [The preceding was adapted from Steve Gibson’s Shields Up! FAQ.]
• Bi-directional NAT protects internal computers that provide Internet services such as e-mail. The firewall can
redirect requests originating from the Internet to a protected server behind the NAT gateway, while preserving
the external (IP) address of the originating Internet host. This capability, sometimes called “reverse proxy” or
“port forwarding”, places any confidential data required by the server behind the protection of the firewall.
• Stealth technology makes the gateway computer fully or partially “invisible” to other computers (hosts) on the
Internet. When an Internet host requests a connection, it never gets a response back, except when requesting
specifically enabled services such as HTTP (to the web server), SMTP (for e-mail), and FTP (for file transfer).
This prevents would-be Internet intruders from exploiting potential weaknesses in unneeded networking
services, while at the same time allowing computers on the internal LAN to connect to any Internet site. Stealth
technology is sometimes also called port blocking, because it operates by refusing to respond to Internet packets
that request a connection to any TCP or UDP port, except for those associated with enabled services.
• A port scanning inhibitor is a feature that briefly disables access to the gateway from an Internet host that
tries to perform a port scan on the gateway. Port scanning is a technique used by would-be intruders to detect
Internet hosts that might be susceptible to future attack. Inhibiting port scans complements stealth technology
by making the gateway effectively “invisible” to Internet hosts that are probing it for weaknesses.
• Packet filtering looks at each packet entering or leaving the LAN and accepts or rejects it based on preset rules.
Packet filtering is fairly effective and transparent to users, but it is difficult to configure.
• An application gateway applies security mechanisms to specific services, such as an FTP server. This is very
effective in protecting certain services from abuse, but must be combined with other techniques for more
complete security coverage. This type of gateway can impose a performance degradation.
• A circuit-level gateway applies security mechanisms when a TCP or UDP connection is established. Once a valid
connection has been allowed, packets can flow between the hosts without further checking.
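The NAT, port-forwarding, stealth and port-scan-inhibitor techniques listed above can be modelled together as one inbound decision function. The following Python sketch is an added illustration, not Newlix code: the Gateway class, the threshold values and the documentation-range addresses are assumptions made for the example.

```python
"""Toy model of a stealth NAT gateway with a port-scan inhibitor (added example)."""
from collections import defaultdict, deque

# Assumed tuning values; the white paper gives no numbers for the inhibitor.
SCAN_THRESHOLD = 5     # distinct closed ports probed ...
SCAN_WINDOW = 10.0     # ... within this many seconds marks a source as a scanner
BLOCK_SECONDS = 60.0   # how long that source is then ignored ("briefly disables access")


class Gateway:
    def __init__(self, public_ip, forwards):
        self.public_ip = public_ip
        # Bi-directional NAT / port forwarding: (proto, public port) -> (LAN ip, LAN port)
        self.forwards = dict(forwards)
        # Outbound NAT table: (proto, public port) -> (LAN ip, LAN port, remote ip, remote port)
        self.nat = {}
        self.next_port = 40000
        self.probes = defaultdict(deque)   # source ip -> recent (time, port) probes
        self.blocked_until = {}            # source ip -> time the block expires

    def outbound(self, proto, lan_ip, lan_port, remote_ip, remote_port):
        """A LAN host opens a connection; return the only address the Internet sees."""
        public_port = self.next_port
        self.next_port += 1
        self.nat[(proto, public_port)] = (lan_ip, lan_port, remote_ip, remote_port)
        return (self.public_ip, public_port)

    def inbound(self, now, proto, src_ip, src_port, dst_port):
        """Decide what happens to a packet arriving on the public interface."""
        # Port-scan inhibitor: a flagged source gets no access at all for a while.
        if self.blocked_until.get(src_ip, 0.0) > now:
            return ("DROP", "source temporarily blocked")
        # Enabled service: hand the request to the protected server on the LAN.
        if (proto, dst_port) in self.forwards:
            return ("FORWARD", self.forwards[(proto, dst_port)])
        # Reply to a LAN-initiated connection: must come from the host that was contacted.
        entry = self.nat.get((proto, dst_port))
        if entry and entry[2:] == (src_ip, src_port):
            return ("TRANSLATE", entry[:2])
        # Stealth: everything else is unsolicited, so send nothing back and log the probe.
        self._record_probe(now, src_ip, dst_port)
        return ("DROP", "no enabled service")

    def _record_probe(self, now, src_ip, dst_port):
        recent = self.probes[src_ip]
        recent.append((now, dst_port))
        while recent and now - recent[0][0] > SCAN_WINDOW:
            recent.popleft()
        if len({port for _, port in recent}) >= SCAN_THRESHOLD:
            self.blocked_until[src_ip] = now + BLOCK_SECONDS
            recent.clear()


def demo():
    """Run constructed traffic through the gateway and return the verdicts."""
    gw = Gateway("203.0.113.10", {("tcp", 80): ("192.168.1.20", 80)})
    verdicts = []
    # A workstation browses out; the remote site only ever sees the public address.
    seen = gw.outbound("tcp", "192.168.1.101", 51000, "198.51.100.7", 443)
    verdicts.append(gw.inbound(1.0, "tcp", "198.51.100.7", 443, seen[1]))
    # An unrelated host probes five closed ports in quick succession.
    for i, port in enumerate([22, 23, 111, 139, 445]):
        verdicts.append(gw.inbound(2.0 + i * 0.1, "tcp", "192.0.2.66", 50000, port))
    # While blocked, even the enabled web service is invisible to that host ...
    verdicts.append(gw.inbound(3.0, "tcp", "192.0.2.66", 50001, 80))
    # ... but other Internet hosts still reach it, and the block expires later.
    verdicts.append(gw.inbound(3.0, "tcp", "198.51.100.50", 50002, 80))
    verdicts.append(gw.inbound(70.0, "tcp", "192.0.2.66", 50003, 80))
    return verdicts


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

The order of the checks is the point: the block list is consulted before the enabled services, so a host that has been flagged as scanning sees nothing, while ordinary visitors to the web server are unaffected.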
An effective gateway/firewall combination provides essential protection from would-be intruders intent on compromising
Internet hosts for malicious purposes such as:
• defacing Web sites with graffiti
• illegally obtaining confidential data (credit card numbers, or personal identities, for example)
• deleting data
• installing “trojan horse” software to enable launching attacks on other Internet hosts
These attacks are invariably preceded by various types of automated port probes and scans that seek to identify vulnerable
hosts. Any host that is connected to the Internet for more than a few minutes is likely to be scanned or probed by one
or more of these automated scanning tools, and any host that is permanently connected (to DSL or cable services, for
example) will typically be scanned and probed several times per day, from various hosts that could be located anywhere
around the globe. In fact, during peak periods (such as school holidays), malicious activity at the level of thousands of
packets per day has been recorded, all directed at a single home computer. The most effective firewall is one that keeps
your gateway computer off the lists of “interesting” (read vulnerable) hosts compiled by the scanning tools, by making
it invisible to them with stealth technology.
No matter how effective a firewall might be, remember that it is just a first line of defense in protecting private
information. A comprehensive security plan would call for the encryption of highly sensitive data for storage and transmission,
as well as other security measures.
Virtual private networks (VPNs) introduce additional security issues, which this paper does not fully explore. However, it
is important to recognize the three features which must be present to secure a VPN against unwanted intrusion:
• authentication, to ensure that only authorized users can join the private network
• access control, to control which network resources (such as files) are accessible to certain users
• encryption, to prevent interception and modification of private data as it travels over a public network
Initial cost
The cost of purchasing a solution must be within the financial means of the business. Factors that affect the cost include:
• the complexity of the hardware and software
• the degree of proprietary vs. off-the-shelf hardware and software
• the size of the market and level of competition among vendors
For a low-cost solution for small business, look for one that bundles the basic networking services listed earlier in a
single box. However, look beyond the initial purchase cost at the total cost of ownership, which is heavily influenced by
the next characteristic, simplicity.
Simplicity
A truly simple solution will encapsulate complex technology so as to minimize the costs of installation and ongoing
administration. The networking services should be tightly integrated, presenting a simple, straightforward interface to the
customer. Installation, configuration, and ongoing administration should be simple enough to be performed by anyone,
as opposed to a highly trained network administrator. In fact, ongoing administration should be limited to adding the
occasional new e-mail account.
Whether in-house or outsourced, network administration services are costly. Even if the business is large enough to
have full-time network administration staff, they are often already overworked administering the existing network. So
a networking solution that can be installed and administered by existing staff without a significant time burden, and
without additional training, will minimize operating costs. Together with a low initial cost, this will result in a low
total cost of ownership.
Functionality
The ideal solution will provide all the networking services described earlier. In addition, it should provide a reverse proxy
capability, so that some of the services or other networking applications can be delivered on powerful application servers
behind the firewall. For example, a particular business may want to provide e-mail by running Microsoft Exchange on a
Windows NT server, or host a set of web sites on a Unix computer.
Reliability
As a business incorporates networking into its everyday activities, it will increasingly depend on Internet connectivity
for normal operation. Indeed, when networking becomes part of core business processes, such as customer relationship
management, the dependence becomes critical. So the network gateway must provide a very high level of availability. The
acceptable level depends on the individual business, but it’s not unreasonable to expect availability greater than 99.9%
(excluding scheduled maintenance), which translates to less than one hour of downtime per month. In addition to being
highly available, the gateway must reliably mediate traffic between the external Internet and the internal LAN, without
misdirecting or losing packets, even under heavy traffic conditions.
Just as with the issue of security, overall network reliability depends on more than just the gateway server. The ability
to manage a computer network to meet availability targets also depends on other factors that are outside the scope of
this white paper, including:
• backup and restore procedures
• availability of technical support
• backup power systems
• redundancy of critical components and systems
• redundant or standby Internet connections
• a disaster recovery plan
As a business grows in size and dependence on networking, these issues must be addressed through training, hiring,
or outsourcing.
Throughput
High throughput (measured in terms of bytes and packets per second passing through the gateway) is desirable, in order
to minimize waiting time for internal (LAN) and external (WAN and web) users. The gateway/firewall combination
should impose no noticeable overhead, compared to a standalone connection. With multiple users, it should achieve
throughput close to theoretical maximum bandwidth for the type of connection. With a high-speed (DSL or cable)
connection, users should notice no degradation in throughput compared to a private connection to the same ISP, unless
multiple users are simultaneously transferring (downloading) large files.
Compatibility
A small business cannot afford to re-configure the existing computers and network to suit the requirements of a newly
purchased gateway. So the gateway should inter-operate with all the types of computers found on a LAN, and with the
networking infrastructure itself. Inter-operability has several aspects:
• When connected to the LAN, the gateway must not disrupt the operation of computers (both users’ workstations
and servers) already on the LAN.
• The gateway should permit Internet and LAN services to be provided by servers on the LAN, even if it can
provide those services itself. For Internet services, it should have a configurable reverse proxy feature to forward
Internet requests to the appropriate server on the LAN.
• Adding a new computer to the LAN should be a “plug-and-play” operation, at least for popular personal
computers. In this context, “plug-and-play” means that the new computer needs little or no manual
configuration to use LAN and Internet services after it is plugged into the LAN.
Support
The level of technical support available must be considered when selecting any device involving complex technology, even
more so in the case of a gateway product whose reliability will become a critical factor in the operation of the business.
Some of the factors to be considered are:
• the reputation of the vendor for customer support
• the availability of secondary suppliers of support services
• the architectural approach -- proprietary, closed system vs. an open system
There are support advantages to the customer with an open system architecture, namely easier access to a pool of people
(such as existing staff, independent contractors, or professionals employed by IT outsourcing firms) with maintenance
skills for the hardware and software components.
options for networking success
Having derived a set of criteria for networking success, in the form of desirable characteristics of a gateway solution for
small business, it’s now possible to examine some options. An analysis of the available solutions leads to a category (the
server appliance), and a specific product (the Newlix OfficeServer) that best fit the characteristics.
Categories of solutions
The available solutions fall into four categories, based on cost and overall performance:
• high-end
• mid-range
• low-end
• network server appliances
Each category has some significant attributes in terms of the characteristics. The following analysis does not address
all the characteristics for each category. However, Table 3 presents a complete picture of characteristics by category in
summary form.
Generally speaking, you get what you pay for—higher overall performance costs more. However, the
network server appliance occupies a unique position in the cost/performance space of solutions, as shown in Table 4.
High-end solutions
Target market: large enterprises with distributed workgroups, ASPs, ISPs, high-traffic Web portals
Security: very high, if configured and administered correctly
Initial cost: very high, upwards of US $20K; multiple computers may be required
Simplicity: very complex; installation and maintenance requires highly skilled network administrators
Functionality: • incomplete offering of networking services; integration of multiple products and
servers required;
• typically provide remote management of multiple sites for enterprise-level scalability
Reliability: very high; typically have hardened operating systems
Throughput: extremely high; well-suited to high-traffic situations
Support: some products include custom hardware that may limit availability of support
Example products: Sun Microsystems SunScreen family of products
Summary: not suitable for small business, due to high total cost of ownership
Mid-range solutions
Target market: single worksites of small- to medium-scale enterprises
Security: high, typically a proxy with packet filtering, sometimes with NAT
Initial cost: moderate, typical configuration: desktop PC or server + workgroup OS + software components
Simplicity: complexity based on underlying OS and level of integration of software components; trained
network administrators required
Functionality: • integration of multiple products may be required
• reverse proxy may be available
Reliability: may be a problem, depending on reliability of underlying OS
Throughput: high, but less than high-end, due to general-purpose OS
Support: 3rd party services available, depending on popularity of underlying OS and hardware
Example products: Microsoft Windows NT or Windows 2000 with Proxy Server, Internet Information Server, etc.
Summary: marginal for small business, due to high total cost of ownership
Low-end solutions
Target market: small office and home office (SOHO)
Security: adequate if stealth personal firewall installed
Initial cost: low. Possible configurations include:
• PC + personal OS + software components (often shareware)
• SOHO router/firewall + software components
Simplicity: better than mid-range; networking experience required to select, install, and maintain software
Functionality: • no single product provides all networking services
• some OSs include basic gateway (Internet connection sharing) software
• VPN functionality not widely available
Reliability: likely to be a problem, depending on reliability of underlying OS and networking utilities
Throughput: moderate, adequate for a few users
Support: uneven level of support from vendors; 3rd party and Web resources available
Example products: • Microsoft Windows 98 with Internet Connection Sharing + personal firewall + web/FTP/e-mail
servers etc.
• Linksys EtherFast Cable/DSL Router + LAN server + web/FTP/e-mail server(s) etc.
• WatchGuard Firebox SOHO (or Telecommuter) + LAN server + web/FTP/e-mail server(s) etc.
• PC + Linux OS + networking utilities
Summary: • Generally not suitable for small business, due to high installation & maintenance costs for a
complete solution (OS and networking skills required).
• Router/firewall appliances are excellent security products, but don’t provide basic networking
services.
• Linux is a low-cost, reliable OS, and networking utilities provide complete functionality, but
configuration and maintenance require special skills.
Network server appliances
[Figure: network diagram of a thin server appliance. Labels: dial-in; Internet connection; dial-up modem; high-speed modem (typical); thin server appliance; LAN; PC; LAN server; Macintosh.]
Security note: The LAN is protected behind the firewall of the server appliance.
Target market: small- to medium-scale business
Security: high to very high, depending on type of firewall and VPN security mechanisms
Initial cost: low; may be slightly higher than low-end solution
Simplicity: a key criterion for this category, resulting in low total cost of ownership
Functionality: check product features and specifications; some might not include all networking services
Reliability: very high; typically have hardened operating systems (OS)
Throughput: very high; networking software and OS tuned for gateway function
Support: 3rd party services available (in addition to vendor, resellers) for products with open architecture
Example products: • Cobalt Qube
• IBM Whistle InterJet II
• Netmax Professional
• Newlix OfficeServer
Summary: • Combines the best features of other solutions in a package suitable for small business.
• Consists of a single box pre-configured and optimized for specific networking services.
Which category is best for small business?
The following table summarizes the characteristics for all categories:
Table 3. Comparison of Internet Connection Solutions
CATEGORY/CHARACTERISTIC  HIGH-END            MID-RANGE           LOW-END                         SERVER APPLIANCE
Security                 very high           high                high with firewall              high to very high
Initial cost             high                moderate            very low                        low to very low
Simplicity               very complex        complex             moderate                        simple
Reliability              very high           moderate            moderate to low                 very high
Throughput               extremely high      high                moderate                        very high
Functionality            incomplete          incomplete          incomplete                      moderate to complete
Compatibility            moderate to high    high                depends on products             high to very high
Support                  vendor, resellers   vendor, resellers   vendor, minimal in some cases   vendor, resellers, 3rd party (if open architecture)
To make sense of this comparison, consider the two key factors:
• total performance—a combination of security, reliability, throughput and functionality
• total cost of ownership—a combination of initial and ongoing costs
Combining the characteristics and ratings into total performance and total cost of ownership (TCO) yields the following:
Table 4. Cost-effectiveness of Internet Connection Solutions
[Matrix of performance (rows: High, Medium, Low) vs. TCO (columns: Low TCO, Moderate TCO, High to very high TCO)]
High performance: server appliance; high-end solutions
Medium performance: mid-range solutions
Low performance: low-end solutions
The high-end systems are not appropriate for small businesses due to high initial and ongoing costs. Mid-range systems
may provide adequate performance in some areas, but do not provide expected reliability, and have high ongoing costs
for system administration. Low-end solutions are a dubious choice because of inadequate performance and ongoing
costs. The server appliance category provides the most cost-effective solution for small business, with total performance
approaching that of the very expensive high-end systems, and total cost of ownership no more than that of the low-end.
The Newlix OfficeServer Solution
The Newlix OfficeServer is a network server appliance delivering firewall-protected Internet access (over a single Internet
connection) and networking services for an entire LAN at a very modest total cost of ownership. It is a “plug-and-play”
networking solution, meaning that any new PCs or workstations added to the LAN automatically receive Internet access
and networking services.
The Newlix OfficeServer excels in each of the characteristics of an ideal networking solution:
Security:
• A dual-homed gateway incorporating a stealth firewall with network address translation, reverse proxy, and
port-scanning inhibitor features.
• VPN with authentication, access control, and encryption to IPsec standard for WAN services.
• Microsoft VPN with PPTP encryption for dialup or Internet connections from a single PC to a LAN.
Initial cost:
• Low; complete package costs about the same as a desktop PC.
• Often bundled with Internet access, for example, the IPC NewMega Office Server.
Simplicity:
• Like any appliance, no specialized skills required to achieve successful operation.
• Windows Monitor program provides visual indication of server status, and simple server control functions.
• True “plug-and-play” capability for installation of both Newlix OfficeServer and LAN clients.
• Configuration and administration via Web browser, interacting with user-friendly server administration application.
• Designed to be almost administration-free; administration typically confined to adding e-mail accounts for new users.
Functionality:
• Complete offering of networking services—dual-homed gateway, caching proxy server (transparent to clients),
Web and FTP servers, Internet and internal e-mail, LAN server, remote dialup access, secure VPN, all in a single
package.
• Supports dialup (standard modem) connections, as well as cable, ADSL, ISDN, and any router connection.
Reliability:
• Very high, based on proven Linux operating system, hardened and optimized for delivering networking services.
• Can operate for years without a system software failure.
• Disk mirroring ensures uninterrupted operation in the case of a single disk failure.
• Software upgrades can be performed without rebooting server, or interruption in service to LAN clients.
Throughput:
• Limited only by bandwidth of the Internet connection, with low-end Pentium-class PC.
• Server software consumes minimal overhead.
• Supports multiple concurrent Internet connections with no noticeable degradation in speed.
Compatibility:
• Supports LAN clients such as NetWare, Windows 95/98, Windows NT/2000, Unix/Linux, and Appletalk.
• DHCP server automatically configures new LAN clients, unless another DHCP server already exists on the LAN.
Support:
• Available from Newlix partners, who have established support networks for their products.
• Software upgrades directly from Newlix, and registered partners.
• Third-party resources (products and services) available for Intel-architecture PCs and the Linux operating system.
The following table summarizes the ratings of the Newlix OfficeServer appliance.
Table 5. Rating the Newlix OfficeServer
CHARACTERISTIC RATING
Security very high
Initial cost low
Simplicity appliance-level
Reliability very high
Throughput very high
Functionality complete
Compatibility very high
Support resellers, 3rd party
The Newlix OfficeServer’s ratings reflect its high overall performance and low total cost of ownership (TCO), placing
it high in the desirable (upper left) square of the cost-effectiveness matrix (Table 4). This is the “sweet spot”, where an
informed purchasing decision can leverage a modest investment to achieve a level of networking capability previously
unavailable to a small business.
conclusion
The Newlix OfficeServer, the leading product in the Internet server appliance category, is the ideal candidate to fill
the needs of small business for networking services. It provides the best answer to the networking dilemma for the
small business owner/manager:
How can my business start embracing the Internet without
jeopardizing its finances and information assets?
Of course, purchasing and installing a network appliance is only part of a networking and Internet communication
strategy, albeit the fundamental piece of technology required. Purchasing a Newlix OfficeServer will not magically produce
an award-winning, revenue-generating Web site, for example, but it can provide the Internet connectivity and networking
services required by small businesses at a reasonable total cost of ownership. It will solve the immediate problem of
connectivity without creating new headaches.
The competitive pressures to increase market share and/or profitability are driving businesses to adopt networking
technology as a key part of their business strategy. The perceived urgency to get a foothold in the global marketplace
created by the Internet may dictate moving ahead with implementation before the network communication strategy
is complete. The Newlix OfficeServer characteristics ensure a growth path for the future, so you can purchase it with
confidence, even if you don’t have a fully developed Internet strategy. You can count on the Newlix OfficeServer to deliver
basic networking services with excellent security now, and additional services as your strategy evolves. This is networking
success, now and for the future.
For additional information about the Newlix OfficeServer, please visit the Newlix website at www.newlix.com.
glossary
Application Service Provider (ASP)
An ASP is a firm that manages and distributes software-based services and solutions to customers across a wide area
network (typically over the Internet) from a data centre.
Dial-up access
Dial-up access, in the Internet context, refers to connecting a computer with a modem to a network over the public
telephone network. In general, dialup or dial-in refers to connecting two devices (typically computers) with modems
over the telephone network.
Digital Subscriber Line (DSL)
DSL is a family of technologies (such as ADSL, SDSL, HDSL, collectively called xDSL) that use sophisticated
modulation schemes to pack data onto copper wires. They are sometimes referred to as last-mile technologies because they are
used only for connections from a telephone switching station to a home or office, not between switching stations.
Disk Mirroring
Disk Mirroring is a technique for improving the availability of a computer system, whereby data is written to two
duplicate disks simultaneously. This way, if one of the disk drives fails, the system can instantly switch to the other
disk without any loss of data or service.
Dynamic Host Configuration Protocol (DHCP)
DHCP provides configuration parameters to Internet hosts. DHCP consists of two components: a protocol for
delivering host-specific configuration parameters from a DHCP server to a host, and a mechanism for allocation of
network addresses to hosts. [from Droms, R., “Dynamic Host Configuration Protocol”, IETF RFC 2131, March 1997]
Firewall
A Firewall is a system designed to prevent unauthorized access to or from a private network. A firewall is frequently
used to prevent unauthorized Internet users from accessing a local area network (LAN). All messages entering or
leaving the LAN pass through the firewall, which examines each message, and blocks those that do not meet the
specified security criteria.
FTP—see Internet Protocol.
Gateway
A Gateway is a combination of hardware and software that links two different types of networks. The term dual-
homed gateway emphasizes that a gateway system resides on, and is addressable from two different networks.
See also router.
HTTP—see Internet Protocol.
Integrated Services Digital Network (ISDN)
ISDN is an international communications standard for sending voice, video, and data over digital telephone lines
or normal telephone wires.
Internet
The Internet is a global network of networks connecting many millions of computers. Each Internet computer,
called a host, is independent. Its operators can choose which Internet services to use and which local services to
make available to the global Internet community. Internet hosts exchange information in a standard way, using
Internet protocols.
Internet Protocol (IP)
IP is the fundamental protocol (or standard format) for transmitting control information and data between two
Internet hosts. IP specifies the format of packets and the addressing scheme. Most networks combine IP with a
higher-level protocol called Transport Control Protocol (TCP), which establishes a virtual connection between a
destination and a source. The combination of TCP with IP is referred to as TCP/IP. Other Internet protocols based
on IP or TCP/IP include:
• File Transfer Protocol (FTP)—the protocol used on the Internet for sending files between hosts
• Hypertext Transfer Protocol (HTTP)—the underlying protocol of the World Wide Web
• Point-to-Point Tunneling Protocol (PPTP)—supports the creation of VPNs over the Internet.
• Simple Mail Transfer Protocol (SMTP)—a protocol for sending e-mail messages between servers
• Universal Datagram Protocol (UDP)—a connectionless protocol used primarily for broadcasting messages.
Internet Protocol security (IPsec)
IPsec is an architecture (including protocols and algorithms) for providing security services such as authentication
and encryption at the IP packet level. IPsec is a viable basis for implementing secure VPNs over the Internet.
Internet Server Appliance
An Internet Server Appliance is a networking device (sometimes called a thin network server) that mediates traffic
between a group of computers on a local area network and the Internet. It provides some or all of the services expected
of a network server (such as resource sharing, e-mail, and Web/FTP service). However, being an appliance, it is very
easy to install and operate, requiring no special skills to configure or maintain its operation.
Internet Service Provider (ISP) or Internet Access Provider (IAP)
An ISP is a company that provides access to the Internet.
Line-Of-Business (LOB)
LOB pertains to the revenue-generating processes of a business, such as order-entry, billing, and customer
relationship management.
Local Area Network (LAN)
A LAN is a computer network that spans a relatively small area. Most LANs are confined to a single building or group
of buildings, and a single organization.
Operating System (OS)
An OS is the most important program that runs on a computer. Every general-purpose computer must have an
operating system in order to run other programs. An operating system handles input and output operations on behalf
of other programs, and ensures that different programs and users on the system do not interfere with each other. The
OS is also responsible for security, ensuring that unauthorized users do not access the system.
Packet
A Packet is a piece of a message transmitted over a packet-switching network, such as the Internet. In IP networks, packets
are often called datagrams. Packets are transmitted individually and can even follow different routes to the destination.
Once all the packets forming a message arrive at the destination, they are recompiled into the original message.
PPTP—see Internet Protocol.
Port
A port is a logical connection point for IP traffic directed to a computer. A port is identified by a unique integer, and
is related to a specific Internet service, such as a Web or FTP server.
Port Scan
A Port Scan is a technique for identifying a networked computer that might be vulnerable to attack, whereby another
computer on the network (typically on the Internet) tries to connect to the subject computer at different port
numbers in rapid succession. This type of behavior is usually interpreted as an indicator of malicious intent.
Router
A Router is a packet-switching device that interconnects two or more networks at the level of the network protocol (IP,
for example). Internet routers discover and maintain information about the topology of the network, and make packet
forwarding decisions based on minimum cost criteria. They also perform certain network management functions.
SMTP—see Internet Protocol.
Total Cost of Ownership (TCO)
TCO is a very popular buzzword representing how much it actually costs to own a device (such as a PC). The TCO
includes: the original cost of the computer and software, hardware and software upgrades, technical support,
maintenance, and training.
UDP—see Internet Protocol.
Virtual Private Network (VPN)
A VPN is a network created by partitioning a shared underlying communications medium in a way that ensures
privacy. For example, there are a number of systems that enable the creation of private networks using the Internet
as the medium for transporting data. These systems use encryption and other security mechanisms to ensure that
only authorized users can access the network and that the data cannot be intercepted. IPsec includes a set of such
security mechanisms.
Wide Area Network (WAN)
A WAN is a computer network that spans a relatively large geographical area. Typically, a WAN consists of two or
more local-area networks (LANs). The largest WAN in existence is the Internet.
World Wide Web
The World Wide Web is a rich and vast information medium consisting of multimedia documents delivered on
demand by certain Internet servers (called Web servers). The documents can reference other Web documents (via
hyperlinks), and can include words, images, drawings, animation, and audio/video clips. Applications (called Web
browsers) are available for all types of personal computers that enable users to view the multimedia content and to
follow hyperlinks (an experience often called Web surfing).
suggested additional reading
Curtin, M. & Ranum, M., “Internet Firewalls: Frequently Asked Questions”, revision 9.4, 25 November 1999
[an introduction to firewalls, with practical implementation suggestions]
Dyson, E., Release 2.1: A Design for Living in the Digital Age, Broadway Books, 1998, ISBN 0-7679-0012-X
[an exploration of the impact and responsibility of using the Internet and other digital technologies; see Chapter 10
for a discussion of security issues.]
Gibson, S., “Internet Connection Security for Windows Users”, Gibson Research Corporation
Hurwicz, M., “A Virtual Private Affair”, Byte magazine, July 1997
[covers the technological and business issues related to implementing VPNs]
Huston, G., ISP Survival Guide, chapter 12, “Virtual Private Networks”, Wiley, 1998, ISBN 0471314994
IBM Corporation, “Enabling Your Network for e-business”, 1999
[An introduction to networking, and the IBM approach to networking success.]
Newman, D., “Lab Test: Super Firewalls!”, Data Communications magazine, 21 May 1999
[comparison of high-end firewall systems]
Kent, S. & Atkinson, R., “Security Architecture for the Internet Protocol”, IETF RFC 2401, November 1998
[discusses IPsec, including AH and ESP traffic security protocols.]
Semeria, C., “Internet Firewalls and Security: A Technology Overview”, 3Com Corporation, 1996
Newlix OfficeServer Features & Benefits
Newlix OfficeServer Frequently Asked Questions