ICS Is OK - But You Can Do Better

A few years back, when routers cost $200 or more, Microsoft added a feature in Windows that lets you share your internet connection with other computers, and save the cost of a router.

All you have to do is to add a network adapter to your computer. Internet Connection Sharing, as they call it, is a NAT router in your computer. It provides a DHCP server, and a routed internet connection, to any client computers connected to the added network card, thru a simple cross-over cable or hub, or through an ad-hoc WiFi LAN.

If the internet connection is thru a modem (as in dialup internet access), ICS can even share that service to any client computers. It's quite simple to setup.

ICS is not without cost, though.

• The added network adapter gets a forced (and (KB230148): not easily configured) ip address of 192.168.0.1. If the primary network adapter (where the internet service originates) is on the 192.168.0.0/24 subnet, you have a problem. If the primary network adapter is using a private LAN address (10.0.0.0/8, 172.16.0.0/12, or 192.168.0.0/24), you're behind a NAT router, and you should setup a bridge, rather than use ICS.
• The ICS server has to be on, whenever you wish to access the internet from any ICS client.
• Any time you load software on the ICS server, and / or restart it, you will affect internet service to the ICS clients.
• Occasionally, the internet traffic from the ICS clients may strain the resources of the ICS server.
• Depending upon its configuration, a personal firewall running on the ICS server may also strain the resources of the server. This is generally a problem with malicious incoming traffic, which the firewall must log and / or research.
• If the ICS server is also used for Internet access (as a desktop computer), the ICS server may be vulnerable to any malware acquired thru the Internet.
• If service is thru a dialup modem, the modem management software (as in Remote Access Services) may affect stability of the server. Activity on the server may, conversely, affect stability of RAS.
• If service is thru a dialup modem, malware can hijack the modem, and make unsolicited extremely expensive dialup connections, that can result in a phone bill in the thousands of dollars.

Internet Connection Sharing, Internet Connection Firewall, and Network Bridge are features designed for home and small office networks. These features are offered in some of the Microsoft Windows Server 2003 family operating systems. Information about these features is presented here so you as an IT administrator can be aware of these potential capabilities within your organization's network.

• The ip address on all interfaces of a router is configurable. You can avoid using subnet 192.168.0.0/24, if desired.
• Any computer can be turned off, without affecting internet service to the others.
• The former ICS server can have software installed, and can be restarted, at any time, without affecting the other clients.
• The router, which will be used only for routing packets, will handle the processing of those packets without straining the resources on any of the client computers.
• The router, by blocking malicious web traffic, will lessen the load on the personal firewalls on the client computers.
• The router will provide an additional layer of security, which will be unaffected by any web browsing done by the clients.
• The router, which will be used only for routing packets, won't be vulnerable, as an ICS server also used for Internet access (as a desktop computer).
• Routers for external dialup modems, which will manage the modem without any effect on the former host, are available. Activity on the former server won't affect the dialup service either.
• By moving a dialup modem from the computer to the router, the possibility of a modem hijack is eliminated.