ICS Is OK - But You Can Do Better

A few years back, when routers cost $200 or more, Microsoft added a feature in Windows that lets you share your internet connection with other computers, and save the cost of a router.

All you have to do is add a second network adapter to your computer. Internet Connection Sharing, as they call it, is a NAT router in your computer. It provides a DHCP server, and a routed internet connection, to any client computers connected to the added network card, thru a simple cross-over cable or hub, or through an ad-hoc WiFi LAN.

If the internet connection is thru a modem (as in dialup internet access), ICS can even share that service to any client computers. It's quite simple to set up.

ICS is not without cost, though.


  • The added network adapter gets a forced (and, per KB230148, not easily configured) IP address of 192.168.0.1. If the primary network adapter (where the internet service originates) is on the 192.168.0.0/24 subnet, you have a problem. If the primary network adapter is using a private LAN address (10.0.0.0/8, 172.16.0.0/12, or 192.168.0.0/24), you're already behind a NAT router, and you should set up a bridge rather than use ICS.
  • The ICS server has to be on, whenever you wish to access the internet from any ICS client.
  • Any time you load software on the ICS server, and / or restart it, you will affect internet service to the ICS clients.
  • Occasionally, the internet traffic from the ICS clients may strain the resources of the ICS server.
  • Depending upon its configuration, a personal firewall running on the ICS server may also strain the resources of the server. This is generally a problem with malicious incoming traffic, which the firewall must log and / or research.
  • If the ICS server is also used for Internet access (as a desktop computer), the ICS server may be vulnerable to any malware acquired thru the Internet.
  • If service is thru a dialup modem, the modem management software (as in Remote Access Services) may affect stability of the server. Activity on the server may, conversely, affect stability of RAS.
  • If service is thru a dialup modem, malware can hijack the modem, and make unsolicited extremely expensive dialup connections, that can result in a phone bill in the thousands of dollars.
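One way to run the subnet check from the first bullet before turning ICS on, as an added example that is not part of the original post: a small Python script (the name assess_ics and the sample addresses are mine) takes the upstream adapter's address and reports whether it collides with the 192.168.0.0/24 range ICS forces, or is already private, meaning a NAT router is upstream and a bridge is the better choice. It checks the full RFC 1918 ranges, including all of 192.168.0.0/16.

```python
import ipaddress

# The range ICS hard-wires onto the shared (client-side) adapter, per the post / KB230148.
ICS_NET = ipaddress.ip_network("192.168.0.0/24")

# RFC 1918 private ranges; the whole 192.168.0.0/16 block is private, not just the /24 ICS uses.
PRIVATE_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def assess_ics(upstream_ip, prefix_len):
    """Check the adapter where Internet service arrives before enabling ICS on the other one.

    Returns a dict with the problems found and whether to use ICS or a bridge instead.
    """
    iface = ipaddress.ip_interface(f"{upstream_ip}/{prefix_len}")
    problems = []
    # ICS numbers the client side as 192.168.0.0/24; if the upstream side uses the same
    # range, the machine cannot tell which adapter a 192.168.0.x packet belongs on.
    if iface.network.overlaps(ICS_NET):
        problems.append("upstream adapter shares 192.168.0.0/24 with the ICS adapter")
    # A private upstream address means a NAT router already exists; bridge to it (or plug
    # everything into that router) rather than adding a second NAT inside the PC.
    if any(iface.ip in net for net in PRIVATE_NETS):
        problems.append("upstream address is private: already behind a NAT router")
    return {
        "upstream": str(iface),
        "problems": problems,
        "recommendation": "bridge" if problems else "ics",
    }


# Constructed sample adapter configurations, one per scenario the post describes.
SAMPLES = {
    "cable modem hands out a public address": ("203.0.113.25", 24),
    "upstream router already uses 192.168.0.0/24": ("192.168.0.5", 24),
    "upstream router uses another private subnet": ("192.168.1.7", 24),
}

if __name__ == "__main__":
    for label, (ip, plen) in SAMPLES.items():
        result = assess_ics(ip, plen)
        print(f"{label}: {result['upstream']} -> {result['recommendation']}")
        for problem in result["problems"]:
            print("   -", problem)
```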

And note this Microsoft advisory:
Internet Connection Sharing, Internet Connection Firewall, and Network Bridge are features designed for home and small office networks. These features are offered in some of the Microsoft Windows Server 2003 family operating systems. Information about these features is presented here so you as an IT administrator can be aware of these potential capabilities within your organization's network.

If you have a domain, with a DHCP server, ICS isn't a good idea at all. You can only have one DHCP server on any LAN. The DHCP server in ICS will cause problems.

(Edit 10/31/2006): This week, ICS is being used as an attack vector, to disable Windows Firewall. If you're using ICS / WF to share your Internet service, and to protect your LAN, you may want to reconsider your network design. Internet Connection Sharing / Windows Firewall simply isn't good protection.

A far better solution for sharing internet service is to use a NAT router, and to connect the primary computer (otherwise the ICS server), and all secondary computers (otherwise the ICS clients), as peers, to the router.

  • The IP address on all interfaces of a router is configurable. You can avoid using subnet 192.168.0.0/24, if desired.
  • Any computer can be turned off, without affecting internet service to the others.
  • The former ICS server can have software installed, and can be restarted, at any time, without affecting the other clients.
  • The router, which will be used only for routing packets, will handle the processing of those packets without straining the resources on any of the client computers.
  • The router, by blocking malicious web traffic, will lessen the load on the personal firewalls on the client computers.
  • The router will provide an additional layer of security, which will be unaffected by any web browsing done by the clients.
  • The router, which will be used only for routing packets, won't be exposed the way an ICS server that is also used for Internet access (as a desktop computer) is.
  • Routers for external dialup modems, which will manage the modem without any effect on the former host, are available. Activity on the former server won't affect the dialup service either.
  • By moving a dialup modem from the computer to the router, the possibility of a modem hijack is eliminated.


When you think about it, if you have Ethernet based internet service, or PPP dialup internet service, using a NAT router to manage and share the service makes a lot of sense. If your internet service isn't of either type, for instance a USB connected broadband modem, or non-PPP dialup service, you should consider getting better service.

If you can afford broadband internet service, you can afford a NAT router - you can get a broadband NAT router for as little as $40 at Walmart. If you have dialup service, a dialup router / modem is still affordable, especially considering the convenience, performance, and security gains.


1 comment:

Dennis Enderson said...

Your suggestion to set up a bridge as opposed to using ICS solved a browsing problem I have been struggling with for many, many moons. My home network consists of 3 desktop systems connected with HPNA attached to a router and 2 laptops wirelessly connected to the router. Until today, I could never see all 5 systems in Network Neighborhood. Thank you, thank you, thank you from the bottom of my heart.