Module 12: Providing Secure Internet Access to Network Users

Upload: darcy-mathews

Post on 18-Dec-2015

Page 1

Module 12: Providing Secure Internet Access to Network Users

Page 2

Overview

Protecting Internal Network Resources

Planning Internet Usage Policies

Managing Internet Access Through Proxy Server Configuration

Managing Internet Access Through Client-side Configuration

Page 3

As organizations capitalize on the marketing and resource potential of the Internet, an increasing number of employees require Internet access as part of their job functions. By providing access from a private network to the Internet, you introduce some inherent security risks, including the possibility of virus attacks and exposing internal addressing schemes.

To best secure a Microsoft® Windows® 2000 network, restrict Internet access to a specific subset of network users, computers, or protocols. You can manage Internet access through both client-side and Proxy Server configurations.

Page 4

At the end of this module, you will be able to:

Design a strategy for protecting private network resources from the public network.

Plan which users, computers, and protocols are allowed access to the Internet.

Design the Microsoft Proxy Server 2.0 requirements for maintaining security when local network users access the Internet.

Design the client-side requirements for maintaining security when local network users access the Internet.

Page 5

Protecting Internal Network Resources

Protecting the Internal Network from Exposure to Viruses

Minimizing Risks Associated with Modem Usage

Protecting Internal Network Addresses

Protecting DNS Namespaces

Page 6

When providing Internet access from your private network, it is important to review the inherent security risks to your network resources. For example, private network users may inadvertently introduce viruses from the Internet to the local network. Desktop modems are a security risk because they may allow users to connect to the Internet, bypassing the firewall. By exposing the internal network address and Domain Name System (DNS) namespaces, an attacker on the Internet may be able to access private network resources. To address all of these risks, your network security plan must include vigilant management of Internet usage and careful design of network namespaces.

Page 7

In this lesson you will learn about the following topics:

Protecting the internal network from exposure to viruses.

Minimizing risks associated with modem usage.

Protecting internal network addresses.

Protecting DNS namespaces.

Page 8

Protecting the Internal Network from Exposure to Viruses

[Figure: the Internet, a firewall, Proxy Server, an Exchange Server and a client; virus inspection is performed at the perimeter servers]

Page 9

When accessing the Internet, network users may inadvertently introduce viruses to the private network. Viruses can be introduced to the local network through downloaded files, e-mail attachments, and even by certain Web page content such as Java and ActiveX® controls.

Page 10

To protect against exposure to viruses, develop a virus-protection plan that includes:

Implementing virus-scanning software at all perimeter servers.

Implementing virus-scanning software at all client systems.

Implementing virus-scanning plug-ins for applications.

Page 11

Minimizing Risks Associated with Modem Usage

[Figure: a dial-up user on the LAN reaches the Internet through a desktop modem and an ISP, bypassing the firewall]

Recognizing Problems with Modem Usage

Using Security Templates to Prevent Modem Deployment

Page 12

One common method of providing Internet access is to provide modems to designated employees. Although modems offer a quick solution, they bypass network security and management policies by providing an alternate pathway between the local area network (LAN) and the Internet.

Page 13

Recognizing Problems with Modem Usage

Problems with using modems to access the Internet from inside the private network include:

Bypasses perimeter security.

Requires individual configuration of browsers and dial-up connections.

Complicates management of protocols and content.

Page 14

Bypasses perimeter security.

Direct dial-up access to an Internet service provider (ISP) can bypass any perimeter security configured for outgoing Internet traffic.

Page 15

Requires individual configuration of browsers and dial-up connections.

Internet access by modems requires that each client's profile be configured with an ISP-specific dial-up network configuration. In addition, the user's browser may require customization for use with the ISP.

Page 16

Complicates management of protocols and content.

Modems at the individual desktop systems allow other computers to dial up for network access. Unless each Windows 2000-based computer is deployed as a Remote Authentication Dial-In User Service (RADIUS) client, centralized administration of remote access policies is not possible. In addition, specific network protocols and Internet content cannot be centrally managed as they pass through a firewall.

Page 17

Using Security Templates to Prevent Modem Deployment

To prevent users from deploying modems to connect to the Internet, create a security template that disables the Remote Access Connection Manager. If you want to prevent users from hosting dial-up connections to the internal network, ensure that Routing and Remote Access is disabled.

Deploy the security template by using Group Policy at the domain level so that it affects all Windows 2000-based computers.

Important: Place all servers that will host Routing and Remote Access in the same organizational unit (OU). Then apply Group Policy to enable Routing and Remote Access for these servers.

Page 18

Protecting Internal Network Addresses

Using Private Network Addressing

Concealing Internal Network Addresses

[Figure: internal hosts 192.168.10.1, 192.168.10.2 and 192.168.10.3 behind a firewall whose Internet-facing address is 131.107.2.200]

Page 19

When internal network users access the Internet, packets originating from the internal network contain the source Internet Protocol (IP) address of the user's computer. If your IP address is an externally available IP address, revealing the internal network addressing scheme introduces risk. An attacker on the public network may use this information in an attempt to circumvent firewall security. In this attack, known as IP spoofing, an attacker sends packets with source addresses from the internal network.

Page 20

Using Private Network Addressing

To help prevent IP spoofing, your network security plan must ensure that all clients on the internal network are configured with addresses from the following ranges, which RFC 1918 reserves exclusively for private network usage:

10.0.0.1 through 10.255.255.254

172.16.0.1 through 172.31.255.254

192.168.0.1 through 192.168.255.254

Note: The IP address range 169.254.0.0/16 is sometimes implemented on the internal network. The Internet Assigned Numbers Authority (IANA) has reserved this range for Automatic Private IP Addressing (APIPA).

Page 21

By assigning these addresses on the internal network, you ensure that:

Internal networks do not use an address range that is currently implemented on the Internet.

Access cannot be gained to the private network even if the source addresses are exposed on the Internet, because Internet routing tables will not contain defined routes.

Firewalls can recognize and drop packets that originate on the Internet network adapter with a forged internal source address.

Page 22

Concealing Internal Network Addresses

Network address translation (NAT) conceals the internal address scheme by intercepting network traffic and replacing outgoing packets with a common source address. Alternatively, using a proxy server with an external network adapter on the Internet will also protect internal addressing because all Internet-destined packets will appear to originate at the proxy server.

Page 23

Protecting DNS Namespaces

External DNS Servers:

Only include externally available resources

Never include Active Directory-related SRV records

Never expose internal network IP addresses

Internal DNS Servers:

May include records referencing external resources

Use internal network addressing

Never make available to the public network

Page 24

To prevent your network from becoming vulnerable to IP spoofing attacks, configure your DNS servers to conceal internal DNS resource records and Active Directory™ directory service-related SRV (service) resource records from Internet users. To conceal DNS namespaces, you will need to maintain two DNS servers: an externally accessible DNS server and an internally accessible DNS server.

Page 25

External DNS Server Configuration

Configure the externally accessible DNS server so that it:

Only includes resource records for externally available resources.

Never includes Active Directory-related SRV resource records.

Never includes resource records that might expose the internal network addressing scheme.

Page 26

Internal DNS Server Configuration

Configure the internally accessible DNS server so that it:

May include resource records that reference externally accessible resources (depending on your Active Directory naming design).

Uses internal addressing schemes to reference all resource records for resources located within a screened subnet.

Is never accessible from the public network. If communication is required between the external and internal DNS servers, restrict channels to only those DNS servers.
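The two configuration checklists above (pages 25 and 26) can be turned into an automated review of the externally accessible zone. The following Python script is an added example and is not part of the course material: it walks a constructed external zone and flags any A record carrying an RFC 1918 address and any SRV record whose owner name starts with one of the prefixes Active Directory registers for its domain controllers (the prefix list is an assumption about which names to look for; the zone records and host names are constructed).

```python
import ipaddress

# RFC 1918 ranges as listed in the module; an address from these ranges must
# never appear in the externally accessible zone.
PRIVATE_RANGES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# SRV owner-name prefixes registered by Active Directory domain controllers
# (assumed here as the ones worth checking for in an external zone).
AD_SRV_PREFIXES = ("_ldap.", "_kerberos.", "_kpasswd.", "_gc.")

# Constructed external zone: (owner name, record type, record data).
# It deliberately mixes legitimate records with policy violations.
EXTERNAL_ZONE = [
    ("www.nwtraders.msft", "A", "131.107.2.200"),
    ("mail.nwtraders.msft", "A", "131.107.2.201"),
    ("dc1.nwtraders.msft", "A", "192.168.10.5"),
    ("_ldap._tcp.nwtraders.msft", "SRV", "0 100 389 dc1.nwtraders.msft."),
    ("_kerberos._tcp.nwtraders.msft", "SRV", "0 100 88 dc1.nwtraders.msft."),
    ("ftp.nwtraders.msft", "CNAME", "www.nwtraders.msft."),
]


def is_private_address(data: str) -> bool:
    """True when the record data is an IPv4 address inside an RFC 1918 range."""
    try:
        ip = ipaddress.ip_address(data)
    except ValueError:
        return False  # not an address literal (CNAME/SRV data etc.)
    return any(ip in net for net in PRIVATE_RANGES)


def check_external_zone(records):
    """Return (owner, type, reason) for every record that violates the
    external DNS server configuration rules."""
    findings = []
    for owner, rtype, data in records:
        name = owner.lower().rstrip(".")
        if rtype == "A" and is_private_address(data):
            findings.append((owner, rtype, "exposes internal network address"))
        if rtype == "SRV" and name.startswith(AD_SRV_PREFIXES):
            findings.append((owner, rtype, "Active Directory SRV record in external zone"))
    return findings


if __name__ == "__main__":
    for owner, rtype, reason in check_external_zone(EXTERNAL_ZONE):
        print(f"{owner:32} {rtype:5} {reason}")
```

Run the check against an export of the external zone before each change is published; an empty result means the zone satisfies the three rules on page 25. The internal zone is not checked here because it is allowed to contain both kinds of record.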

Page 27

Planning Internet Usage Policies

Selecting Protocols for Internet Access

Selecting Users for Internet Access

Selecting Computers for Internet Access

Educating Users on Acceptable Internet Usage

Page 28

Before configuring and enforcing measures to secure Internet access, you must define what you consider to be safe and appropriate use of the Internet. With Proxy Server and a firewall solution, it is possible to manage precisely which protocols, users, and computers can access the Internet. Part of your security plan must include clearly communicating your security policies to all Internet users.

Page 29

In this lesson you will learn about the following topics:

Selecting protocols for Internet access

Selecting users for Internet access

Selecting computers for Internet access

Educating users on acceptable Internet usage

Page 30

Selecting Protocols for Internet Access

Determining Necessary Protocols

Determining Risks of Using Each Protocol

Defining Allowed and Disallowed Protocols

[Figure: proxy clients send FTP, HTTP, HTTPS, Telnet and Finger requests to the Proxy Server; the firewall passes only FTP, HTTP and HTTPS to the Internet]

Page 31

Although Hypertext Transfer Protocol (HTTP) is the most common application protocol on the Internet, your organization may be using several other application protocols (such as File Transfer Protocol [FTP] and Telnet) to access Internet resources. By determining current protocol usage and reviewing whether it meets your acceptable usage policies, you can design firewall filters to effectively manage protocol usage.

Page 32

One method of determining the necessary protocols is to temporarily allow all protocols to be used for outgoing Internet access and log usage during that period. Review the logs to:

Determine necessary protocols.

Determine security risks associated with each protocol.

Define allowed and disallowed protocols.

Page 33

Determine necessary protocols.

Logging will determine exactly which protocols have been used to access the Internet and the frequency of their usage. It is also useful to know exactly who is using each protocol. Some protocols may not require access by all users.

Page 34

Determine security risks associated with each protocol.

Many protocols have known security risks, such as the use of clear-text authentication that can reveal user accounts and passwords to an attacker. When using these protocols, establish specific guidelines for their use. For example, if Telnet is required, ensure that users do not have the same Telnet and internal network passwords.

Page 35

Define allowed and disallowed protocols.

Enforce protocol usage with Proxy Server and your firewall by defining each protocol by transport protocol and port usage. Use Proxy Server to limit which security groups can use each defined protocol when accessing the Internet.

Page 36

Selecting Users for Internet Access

Determine Which Groups Can Use Each Protocol

Configure Proxy Server to Only Forward Requests by Members of Approved Groups

[Figure: User1 (a member of Marketing) and User2 connect to the Internet through the Proxy Server, subject to the proxy rules below]

Proxy Rules (group: protocol):

Marketing: NetMeeting

Authenticated Users: HTTP

Authenticated Users: HTTPS

Page 37

Your Internet access configuration does not need to include all users of the private network. By using software that is able to interact with Active Directory, you can configure protocol access based on user identity.

Proxy Server can be configured to only allow specific security groups to use specific protocols. Whenever a request to use a protocol is made to Proxy Server, Proxy Server will determine whether the user's access token contains a security identifier (SID) that is allowed to use the requested protocol. If a matching SID is found, the request is granted. Otherwise, the request is denied.

Page 38

For example, if you determine that only specific users need to use Microsoft NetMeeting® over the Internet, you can create a security group that only contains those users. You could then configure Proxy Server to only allow users from that group to use NetMeeting protocols when accessing the Internet.

Page 39

Selecting Computers for Internet Access

Prevent Client Computers from Communicating Directly Through the Firewall

Manage Internet Access from the Proxy Server

Firewall rules (computer: protocol):

Proxy: any

Mail: SMTP

Others: none

[Figure: proxy clients reach the Internet only through the Proxy Server, which is the single internal computer allowed through the firewall]

Page 40

In addition to restricting which users and protocols will be allowed to access the Internet, you can combine Proxy Server with a firewall to define which computers can access the Internet. To prevent internal clients from bypassing security, configure the firewall to allow only specific internal computers, such as Proxy Server, to pass traffic to the Internet. This allows you to manage Internet access at a single point.

Page 41

The following questions will help determine which computers can pass traffic through the firewall:

Does the internal computer need to communicate directly with hosts on the Internet?

Some computers require direct access to hosts on the Internet. For example, a Mail server needs to communicate with external Mail servers by using Simple Mail Transfer Protocol (SMTP) to transfer messages.

Does the internal computer use specific protocols when communicating with a host on the Internet?

A Mail server only requires permission to use SMTP to communicate with other Mail servers. Set the firewall to allow the Mail server to connect to other Mail servers only if the destination port is Transmission Control Protocol (TCP) port 25. Conversely, a proxy server must use several different protocols and requires less restrictive settings at the firewall.

Tip: In certain smaller networks, Proxy Server can be used as a firewall to separate the internal network from the public network. When combined with Routing and Remote Access, you can create specific packet filters to restrict which internal computers can connect directly to the Internet.
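The firewall policy described on pages 20, 21 and 41 has two parts: drop anything arriving on the Internet adapter with a forged internal source address, and let only listed internal computers (the proxy on any protocol, the mail server on TCP port 25, nothing else) pass traffic outward. The following Python model is an added example, not course material or a real firewall's rule syntax; the internal addresses of the proxy and mail server and the sample packets are constructed.

```python
import ipaddress

# Internal address ranges from the module's list (RFC 1918) plus the APIPA
# range noted alongside them; no packet arriving from the Internet can
# legitimately carry a source address in any of these.
INTERNAL_RANGES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("169.254.0.0/16"),
]

# Constructed egress policy modelled on the slide's table
# (Proxy: any, Mail: SMTP, Others: none). The addresses are assumed.
PROXY_SERVER = "192.168.10.1"
MAIL_SERVER = "192.168.10.2"
EGRESS_RULES = {
    PROXY_SERVER: "any",          # the proxy needs several protocols
    MAIL_SERVER: {("tcp", 25)},   # SMTP only: destination TCP port 25
}


def is_internal_address(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_RANGES)


def is_spoofed_ingress(src: str) -> bool:
    """A packet on the Internet-facing adapter with an internal source is forged."""
    return is_internal_address(src)


def egress_permitted(src: str, transport: str, dst_port: int) -> bool:
    """Only listed internal computers may pass traffic to the Internet."""
    rule = EGRESS_RULES.get(src)
    if rule is None:
        return False              # "Others: none"
    if rule == "any":
        return True
    return (transport.lower(), dst_port) in rule


def evaluate(packet: dict) -> str:
    """Return 'accept' or 'drop' for one packet record.

    Keys: iface ('external' = arrived from the Internet, 'internal' = leaving
    the private network), src, transport, dst_port. Inbound packets are only
    subjected to the anti-spoofing rule here; other inbound policy is out of scope.
    """
    if packet["iface"] == "external":
        return "drop" if is_spoofed_ingress(packet["src"]) else "accept"
    ok = egress_permitted(packet["src"], packet["transport"], packet["dst_port"])
    return "accept" if ok else "drop"


# Constructed sample traffic.
SAMPLE_PACKETS = [
    {"iface": "external", "src": "131.107.2.200", "transport": "tcp", "dst_port": 80},
    {"iface": "external", "src": "192.168.10.3", "transport": "tcp", "dst_port": 80},  # forged source
    {"iface": "internal", "src": PROXY_SERVER, "transport": "tcp", "dst_port": 443},
    {"iface": "internal", "src": MAIL_SERVER, "transport": "tcp", "dst_port": 25},
    {"iface": "internal", "src": MAIL_SERVER, "transport": "tcp", "dst_port": 80},    # not SMTP
    {"iface": "internal", "src": "192.168.10.3", "transport": "tcp", "dst_port": 80}, # ordinary client
]


def evaluate_all(packets):
    return [evaluate(p) for p in packets]


if __name__ == "__main__":
    for p, verdict in zip(SAMPLE_PACKETS, evaluate_all(SAMPLE_PACKETS)):
        print(f"{p['iface']:8} {p['src']:15} {p['transport']}/{p['dst_port']:<5} -> {verdict}")
```

The last sample packet is the important one: an ordinary client cannot reach the Internet directly and must go through the proxy, which is where user- and protocol-level restrictions are then applied.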

Page 42

Educating Users on Acceptable Internet Usage

An Acceptable Usage Policy Document:

Clearly defines responsibilities of Internet users

Clearly defines who can access the Internet

Clearly defines disciplinary actions

Page 43

The actions of internal network users, whether intentional or unintentional, are the biggest single threat to network security. By educating users on acceptable Internet usage, you clearly define expectations and consequences.

Page 44

A detailed acceptable usage policy clearly defines:

Who is allowed to access the Internet. Requests may be examined on a case-by-case basis.

User responsibilities. Responsibilities of internal network users include:

Defining password usage guidelines, such as never using corporate passwords for Internet sites.

Listing acceptable tasks.

Listing all unacceptable tasks, such as disclosure of company information, and limits on e-mail attachment size.

Defining ownership of all data stored on company property.

An explanation of disciplinary actions if a user breaks the acceptable usage guidelines.

Page 45

It is recommended that your organization's legal department review the acceptable usage document to ensure that all inclusions in the document are legally binding for your jurisdiction. Ensure that both management and individual users sign the document, thereby stating that they accept all guidelines.

Page 46

Managing Internet Access Through Proxy Server Configuration

Planning Microsoft Proxy Server Services

Configuring Proxy Server Authentication

Restricting Access to Specific Internet Sites

Configuring Internet Access by Groups

Auditing Proxy Server Usage

Page 47

After you have determined which protocols, computers, and users may access the Internet, there are two general methods of enforcing your acceptable usage policy. One is to configure restrictions at the server, and the other is to configure restrictions at the client computers. Both methods need to be part of a comprehensive security policy.

Server-side configuration includes careful planning of proxy services, such as Proxy Server. Planning issues include limiting access to authenticated users, blocking objectionable Internet sites, using groups to simplify management of Internet access, and auditing Internet usage at the Proxy Server.

Page 48

In this lesson you will learn about the following topics:

Planning Microsoft Proxy Server services

Configuring Proxy Server authentication

Restricting access to specific Internet sites

Configuring Internet access by groups

Auditing Proxy Server usage

Page 49

Planning Microsoft Proxy Server Services

Application-level Security

Implemented through the Web proxy service

Circuit-level Security

Implemented through the WinSock proxy and the SOCKS proxy

Packet-level Security

Implemented through dynamic packet filtering

Page 50

A common tool for managing Internet access in a Windows 2000 network is Microsoft Proxy Server. Proxy Server secures Internet access based on user or group membership information stored in Active Directory.

Proxy Server provides three different levels of protection as users access resources on the public network:

Application-level security

Circuit-level security

Packet-level security

Page 51

Your security configuration will require a mix of all three levels of protection to secure internal clients when they access public networks.

Page 52

Configuring Proxy Server Authentication

Anonymous Access

Basic Authentication

Integrated Windows Authentication

Page 53

In addition to application-level, circuit-level, and packet-level security, Proxy Server provides the ability to allow only authenticated users to access specific services. There are three methods of authentication supported by Proxy Server: anonymous access, basic authentication, and Integrated Windows authentication.

Note: When creating custom templates, select function-based names for the templates. Function-based names allow users to easily select the proper certificates based on the tasks that the user is performing at that time.

Page 54

Anonymous Access

No user credentials are required to use Proxy Server services. If the IIS World Wide Web Publishing Service is configured to only allow anonymous access, any permissions configured for protocols are ignored because the identities of individual users are not determined. To force users to authenticate with Proxy Server, you must disable anonymous access.

Page 55

Basic Authentication

With basic authentication, a user provides his or her user name and password when prompted to authenticate with Proxy Server. The user name and password are transmitted to the Proxy Server in clear text and can be considered a security risk.

Tip: If you are using basic authentication with third-party clients, consider adding supplementary encryption, such as Secure Sockets Layer (SSL), so that the authentication credentials are encrypted in transit rather than sent in clear text.

Page 56

Integrated Windows Authentication

Integrated Windows authentication provides a transparent logon procedure for clients. The user is not prompted for his or her credentials. The credentials are obtained from the user's access token that was generated when the user logged on. Remember that your clients must support whatever authentication method you implement. For example, if you are using an Internet browser other than Microsoft Internet Explorer, you will not be able to implement Integrated Windows authentication.

Note: To allow Proxy Server to run on Windows 2000 and authenticate accounts against Windows 2000, download the Proxy Server update at www.iana.org/assignments/port-numbers

Page 57

Restricting Access to Specific Internet Sites

1. Client attempts to connect to www.nwtraders.msft

2. Proxy Server checks URL against domain filter list

3. Client is informed that access to the site has been prohibited ("Access Prohibited!")

Domain Filter List:

131.107.30.14 (nwtraders.msft)

131.107.46.20 (contoso.msft)

Page 58

You can configure Proxy Server to deny access to specific domain names or Web sites by using domain filters. For example, to prohibit access to Web sites within the nwtraders.msft domain, list the domain name in the domain filter list. If a client were to request access to any Web site in the nwtraders.msft domain, Proxy Server would check the Uniform Resource Locator (URL) against the domain filter list and prohibit access to the site.

Page 59

In addition, there are several third-party products that plug in to Proxy Server that enable advanced Internet filtering. For more details about these products, see www.microsoft.com/proxy.

Note: Proxy Server converts fully qualified domain names (FQDNs) in the filter list to IP addresses before applying the filter. By tracking IP addresses in addition to FQDNs, the filter prevents users from entering the IP address of a restricted site to bypass the filter.
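The behaviour described on pages 57 through 59, a filter list keyed by domain name that also resolves each name to its addresses so that an IP literal in the URL cannot slip past it, looks like the following in Python. This is an added example, not Proxy Server's own code: the resolver table stands in for the DNS lookups the product performs, and the addresses are the ones shown on the slide.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed resolver table standing in for the DNS lookups Proxy Server
# performs when it converts filter-list FQDNs to IP addresses.
RESOLVER = {
    "nwtraders.msft": ["131.107.30.14"],
    "www.nwtraders.msft": ["131.107.30.14"],
    "contoso.msft": ["131.107.46.20"],
}


def resolve(name: str):
    return RESOLVER.get(name, [])


class DomainFilter:
    """Deny list keyed both by domain name and by the addresses those names resolve to."""

    def __init__(self, blocked_domains, resolver=resolve):
        self.domains = {d.lower().rstrip(".") for d in blocked_domains}
        self.addresses = set()
        for domain in self.domains:
            for addr in resolver(domain):
                self.addresses.add(ipaddress.ip_address(addr))

    def _host_matches(self, host: str) -> bool:
        # the domain itself and every name below it are covered
        host = host.lower().rstrip(".")
        return any(host == d or host.endswith("." + d) for d in self.domains)

    def is_blocked(self, url: str) -> bool:
        host = urlsplit(url).hostname   # already lower-cased by urlsplit
        if host is None:
            return False                # not an absolute URL; nothing to match
        try:
            # an IP literal in the URL is checked against the resolved addresses
            return ipaddress.ip_address(host) in self.addresses
        except ValueError:
            return self._host_matches(host)


FILTER = DomainFilter(["nwtraders.msft", "contoso.msft"])

if __name__ == "__main__":
    for url in ["http://www.nwtraders.msft/default.htm",
                "http://131.107.30.14/default.htm",
                "http://www.fabrikam.msft/"]:
        print(url, "-> Access Prohibited!" if FILTER.is_blocked(url) else "-> allowed")
```

The suffix test uses a leading dot so that a name such as notnwtraders.msft is not matched by the nwtraders.msft entry. Because the address set is computed when the filter is built, it has to be refreshed if a listed site's address changes, which is the same maintenance consideration that applies to the product's converted list.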

Page 60

Controlling Internet Access by Groups

Use Proxy Server to Grant Protocol Access Based on User Groups

Create Protocol Definitions If a Protocol Definition Does Not Exist

Page 61

Proxy Server allows network administrators to designate groups, rather than individual users, that can use specific protocols. For example, you could configure Proxy Server so that only members of the Research group can use the Network News Transport Protocol (NNTP) to access newsgroups on the Internet.

Note: By default, permissions are not filtered. This means that any Proxy Clients will be able to use any protocol without restrictions.

Page 62

You can use Proxy Server to create new definitions of protocols based on protocol and port definitions. This allows you to define both incoming and outgoing rules for the new protocol. For example, if a new protocol were developed that required clients to connect to the host server on TCP port 8888, you could create a protocol filter that allowed any client port to connect to TCP port 8888. You would then restrict this protocol filter to a specific Active Directory group.
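Pages 35, 37 and 62 together describe one mechanism: a protocol is defined by transport and port, each definition is granted to security groups, and a request is allowed when the user's access token holds a SID that appears in the grant. The Python model below is an added example that is not Proxy Server's own code; the protocol table, the TCP 8888 "NewApp" definition and the group SIDs are constructed (S-1-5-11 is the well-known Authenticated Users SID; the two domain group SIDs are placeholders).

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class ProtocolDefinition:
    name: str
    transport: str   # "tcp" or "udp"
    port: int        # port on the Internet host that the client connects to
    direction: str   # "outbound" for client-initiated connections


# Constructed protocol definitions, including the TCP 8888 example from the text.
PROTOCOLS = {
    "HTTP": ProtocolDefinition("HTTP", "tcp", 80, "outbound"),
    "HTTPS": ProtocolDefinition("HTTPS", "tcp", 443, "outbound"),
    "NNTP": ProtocolDefinition("NNTP", "tcp", 119, "outbound"),
    "NewApp": ProtocolDefinition("NewApp", "tcp", 8888, "outbound"),
}

# S-1-5-11 is the well-known Authenticated Users SID; the domain group SIDs
# below are placeholders, not real values.
SID_AUTHENTICATED_USERS = "S-1-5-11"
SID_MARKETING = "S-1-5-21-EXAMPLE-1101"
SID_RESEARCH = "S-1-5-21-EXAMPLE-1102"

# Constructed policy: which group SIDs may use each protocol.
PROTOCOL_PERMISSIONS = {
    "HTTP": {SID_AUTHENTICATED_USERS},
    "HTTPS": {SID_AUTHENTICATED_USERS},
    "NNTP": {SID_RESEARCH},
    "NewApp": {SID_RESEARCH},
}

# The module notes that by default permissions are not filtered and any proxy
# client may use any protocol; this flag models turning filtering on.
FILTERING_ENABLED = True


def match_protocol(transport: str, dst_port: int, direction: str = "outbound"):
    """Find the protocol definition a requested connection falls under, if any."""
    for p in PROTOCOLS.values():
        if p.transport == transport.lower() and p.port == dst_port and p.direction == direction:
            return p.name
    return None


def request_allowed(token_sids, protocol_name, filtering_enabled=FILTERING_ENABLED) -> bool:
    """Grant when any SID in the user's access token is permitted for the protocol."""
    if protocol_name not in PROTOCOLS:
        return False                         # undefined protocol: no rule can match it
    if not filtering_enabled:
        return True                          # default state: unrestricted
    allowed = PROTOCOL_PERMISSIONS.get(protocol_name, set())
    return not allowed.isdisjoint(token_sids)


def authorize_connection(token_sids, transport, dst_port):
    """Map a connection to its protocol definition, then apply the group rules.
    Returns (protocol name or None, allowed)."""
    name = match_protocol(transport, dst_port)
    return name, (name is not None and request_allowed(token_sids, name))


# Constructed access tokens: the SIDs present in each user's token.
TOKENS = {
    "user1": {SID_AUTHENTICATED_USERS, SID_MARKETING},
    "user2": {SID_AUTHENTICATED_USERS, SID_RESEARCH},
}

if __name__ == "__main__":
    for user, sids in TOKENS.items():
        for transport, port in [("tcp", 80), ("tcp", 119), ("tcp", 8888), ("tcp", 23)]:
            print(user, f"{transport}/{port}", authorize_connection(sids, transport, port))
```

A connection to TCP port 23 returns (None, False) for everyone: Telnet has no definition here, so no grant can match it, which is the fail-closed behaviour you want once filtering is switched on.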

Page 63

Auditing Proxy Server Usage

Write Auditing Logs to Text Files or ODBC-Compliant Databases

Analyze Logs to Determine Current Usage

[Figure: the Proxy Server log, one entry per request dated 01/01/2000 for users briank, robd, gregb, andys, lorrinb, dont, patricel, jackc, paulho, ...]

Sample log entry:

Client Computer Name: ed08
Client User Name: edzach
Destination Name: http://www.contoso.msft
Destination Port: 80
Log Date: 01/01/2000
Log Time: 17:15
Object Name: default.htm
Object Source: Cache
Protocol Name: HTTP
Result Code: 200
Service Name: CERNProxy

Page 64

Proxy Server generates detailed service logs that record who is accessing the Internet, the protocols used, and the sites visited. The Web proxy, WinSock proxy, and SOCKS proxy services generate separate service logs. The separate logs allow detailed analysis to be performed on a service-by-service basis.

Note: By default, Proxy Server records data to text files stored in the systemroot\system32\Msplogs directory. Log events may also be stored in an Open Database Connectivity (ODBC)-compliant database such as Microsoft SQL Server™.

Page 65

Network administrators must perform regular auditing of the log files to ensure that all users are following Internet-acceptable usage. For example, if you fear that a specific protocol has security weaknesses, you can query the logs to determine whether any internal clients have used the protocol. The use of an ODBC-compliant database for the log files will aid in performing queries against the collected data.

Inspection of the logs can determine whether additional protocols need to be included in exclusion lists or if protocol usage needs to be limited to a specific security group due to misuse.

Note: There are several third-party products available to analyze Proxy Server logs. For more information, see www.microsoft.com/proxy.
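The queries page 65 calls for (which users have used a protocol you consider weak, how often each protocol appears, what a given user has been reaching) can be answered with a short script over the text logs. The Python below is an added example, not a Proxy Server tool: the log lines are constructed and are comma-separated in the field order of the entry shown on page 63, which illustrates the data rather than reproducing the exact on-disk format the product writes.

```python
import csv
import io
from collections import Counter

# Field names taken from the log entry on the slide, in order.
FIELDS = ["client_computer", "client_user", "destination", "dest_port",
          "log_date", "log_time", "object", "object_source", "protocol",
          "result_code", "service"]

# Constructed sample log (not real Proxy Server output).
SAMPLE_LOG = """\
ed08,edzach,http://www.contoso.msft,80,01/01/2000,17:15,default.htm,Cache,HTTP,200,CERNProxy
ws01,briank,www.nwtraders.msft,443,01/01/2000,17:16,-,Inet,HTTPS,200,WinSock
ws02,robd,shell.example.msft,23,01/01/2000,17:20,-,Inet,Telnet,200,WinSock
ws03,gregb,http://www.contoso.msft,80,01/01/2000,17:21,index.htm,Inet,HTTP,200,CERNProxy
ws04,andys,ftp.example.msft,21,01/01/2000,17:25,-,Inet,FTP,200,WinSock
ws05,lorrinb,shell.example.msft,23,01/01/2000,17:30,-,Inet,Telnet,200,WinSock
ws02,robd,shell.example.msft,23,01/01/2000,17:41,-,Inet,Telnet,200,WinSock
ws06,dont,http://www.fabrikam.msft,80,01/01/2000,17:42,default.htm,Inet,HTTP,403,CERNProxy
"""


def parse_log(text: str):
    """Parse comma-separated log text into a list of field dictionaries."""
    reader = csv.DictReader(io.StringIO(text), fieldnames=FIELDS)
    return [dict(row) for row in reader]


def users_of_protocol(records, protocol: str):
    """Which users have used the named protocol (case-insensitive)."""
    return sorted({r["client_user"] for r in records
                   if r["protocol"].lower() == protocol.lower()})


def protocol_counts(records):
    """How often each protocol appears in the log."""
    return Counter(r["protocol"] for r in records)


def destinations_for_user(records, user: str):
    return sorted({r["destination"] for r in records if r["client_user"] == user})


def policy_violations(records, allowed_protocols):
    """Entries whose protocol is outside the acceptable usage policy's allowed set."""
    allowed = {p.lower() for p in allowed_protocols}
    return [(r["client_user"], r["protocol"], r["destination"])
            for r in records if r["protocol"].lower() not in allowed]


if __name__ == "__main__":
    records = parse_log(SAMPLE_LOG)
    print("protocol usage:", dict(protocol_counts(records)))
    print("Telnet users:", users_of_protocol(records, "Telnet"))
    for user, proto, dest in policy_violations(records, {"HTTP", "HTTPS", "FTP"}):
        print(f"policy violation: {user} used {proto} to reach {dest}")
```

The output of policy_violations is exactly the evidence the text asks for when deciding whether a protocol should be added to an exclusion list or restricted to a specific security group: here Telnet, a clear-text protocol, turns out to be in use by two accounts.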

Page 66

Managing Internet Access Through Client-side Configuration

Defining Security Zones for Internet Access

Assigning Security Levels to Internet Zones

Controlling Types of Content Accessed on the Internet

Automatically Configuring Proxy Clients

Standardizing Deployment of Browsers with the IEAK

Page 67

In addition to server-side configuration, it is possible to manage and enforce your acceptable usage policies at the client computer. Client-side configuration includes defining Internet zones and associating those zones with enforceable security levels. You can control the type of Internet content accessible to clients and enforce these configurations by automatically configuring the clients and customizing the Internet browsers with the Internet Explorer Administration Kit (IEAK).

Page 68

In this lesson you will learn about the following topics:

Defining security zones for Internet access

Assigning security levels to Internet zones

Controlling types of content accessed on the Internet

Automatically configuring Proxy Clients

Standardizing deployment of browsers with the IEAK

Page 69

Defining Security Zones for Internet Access

Assign a unique security level to each zone to define the allowed level of browser access

Security Zones: [figure listing the Internet Explorer security zones]

Page 70

Internet Explorer divides online content into distinct security zones. Each zone can have a unique security level assigned to it that will define the level of browser access granted to clients.

Page 71

The predefined security zones included in Internet Explorer are:

My Computer zone. Includes everything that is located on the local computer system, on hard disks, and on removable media. It does not include cached Java classes or any content of the Temporary Internet Files folder.

Local Intranet zone. Includes all sites that are located within the private network, including all network segments that are protected by an organization's firewall.

Internet zone. Contains all sites on the Internet that are not included in the Trusted sites or Restricted sites zone.

Trusted sites zone. Contains a listing of all sites on the Internet that you consider trusted for content download. This zone typically contains business partner sites.

Restricted sites zone. Contains all Internet sites to which you allow client access, but want to restrict the content that can be downloaded.

Page 72: Module 12: Providing Secure Internet Access to Network Users

You can add specific URLs to the zones so that consistent Internet access is enforced across the organization. By default, the Local Intranet zone will include all sites that bypass the Proxy Server and all universal naming convention (UNC) paths.

Page 73: Module 12: Providing Secure Internet Access to Network Users

Assigning Security Levels to Internet Zones

Default Security Levels

Customized Security Levels

Page 74: Module 12: Providing Secure Internet Access to Network Users

By assigning security levels to Internet zones, you can group and control access to sites based on your assigned level of trust. When opening a Web page with Internet Explorer, the zone from which the Web page was loaded is determined and Internet Explorer applies the security level assigned to that zone.

Page 75: Module 12: Providing Secure Internet Access to Network Users

Default Security Levels

You can assign these default security levels:

Low. This security level allows most content to download and run without the user being prompted. Minimal safeguards are implemented. Only apply this security setting to sites that you completely trust.

Medium-low. This security level allows the user to download and run most types of content without providing prompts. Unsigned ActiveX controls will not be downloaded.

Medium. This security level prompts the user before downloading any potentially unsafe content and is appropriate for most Internet content.

High. This security level provides the safest access to the Internet but is less functional. This setting disables most of the less secure features of Internet Explorer, including downloading any Java or ActiveX controls.

Page 76: Module 12: Providing Secure Internet Access to Network Users

Customized Security Levels

You can implement custom levels of security to specify access control to potentially harmful content on the Internet. For example, you could allow the downloading of signed ActiveX controls, but prevent the acceptance of cookies (files containing information about a user that are sent to a Web server each time a request is made).
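As an added example (not code from the module or from Internet Explorer), the zone and level rules above expressed as a small JavaScript classifier: it assigns a URL or path to one of the five zones using the definitions on the previous pages (UNC paths, proxy-bypass sites and single-label host names fall in Local Intranet), then looks up the zone's level and what that level does with ActiveX content. The site lists, the proxy-bypass list and the per-level behaviour table are constructed from the level descriptions above, not read from a real browser configuration.

```javascript
// Added example: zone classification and level lookup modelled on the module's
// descriptions. All lists and level assignments below are constructed values.
const ZONE_CONFIG = {
  proxyBypass: ["intranet.nwtraders.msft", "*.corp.nwtraders.msft"], // constructed
  trustedSites: ["partner.example.com"],                             // constructed
  restrictedSites: ["downloads.example.net"],                        // constructed
  levels: { "My Computer": "Low", "Local Intranet": "Medium-low",
            "Trusted sites": "Low", "Internet": "Medium", "Restricted sites": "High" },
};

// Wildcard match for site-list entries such as "*.corp.nwtraders.msft".
function siteMatches(pattern, host) {
  const parts = pattern.split("*").map(s => s.replace(/[.+?^${}()|[\]\\]/g, "\\$&"));
  return new RegExp("^" + parts.join(".*") + "$", "i").test(host);
}

// Zone for a URL or path, following the module's definitions. Restricted sites are
// checked before Trusted sites so a conflicting entry fails closed.
function zoneFor(urlOrPath, cfg = ZONE_CONFIG) {
  if (urlOrPath.startsWith("\\\\")) return "Local Intranet";            // UNC path
  if (/^file:/i.test(urlOrPath) || /^[A-Za-z]:\\/.test(urlOrPath)) return "My Computer";
  const host = new URL(urlOrPath).hostname;
  if (cfg.restrictedSites.some(p => siteMatches(p, host))) return "Restricted sites";
  if (cfg.trustedSites.some(p => siteMatches(p, host))) return "Trusted sites";
  if (cfg.proxyBypass.some(p => siteMatches(p, host)) || !host.includes(".")) {
    return "Local Intranet";                                            // bypasses proxy
  }
  return "Internet";
}

// Simplified per-level behaviour derived from the Low/Medium-low/Medium/High text.
const LEVEL_POLICY = {
  "Low":        { unsignedActiveX: "allow", signedActiveX: "allow",  prompt: false },
  "Medium-low": { unsignedActiveX: "block", signedActiveX: "allow",  prompt: false },
  "Medium":     { unsignedActiveX: "block", signedActiveX: "prompt", prompt: true },
  "High":       { unsignedActiveX: "block", signedActiveX: "block",  prompt: true },
};

// Effective zone, level and ActiveX handling for a given URL or path.
function policyFor(urlOrPath, cfg = ZONE_CONFIG) {
  const zone = zoneFor(urlOrPath, cfg);
  const level = cfg.levels[zone];
  return { zone, level, ...LEVEL_POLICY[level] };
}
```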

Page 77: Module 12: Providing Secure Internet Access to Network Users

Controlling Types of Content Accessed on the Internet

RSACi ranks Internet content into five levels of suitability based on violence, nudity, sex, and language

Inappropriate content can be screened by the Internet Explorer Content Advisor

Level  Language Rating

4 Crude, vulgar language, or extreme hate speech

3 Strong language or hate speech

2 Moderate expletives or profanity

1 Mild expletives

0 None of the above

Page 78: Module 12: Providing Secure Internet Access to Network Users

You may choose to include descriptions of acceptable Internet content in your acceptable usage guidelines. The Internet Explorer Content Advisor, included with Microsoft Internet Explorer 5.0, controls the types of content that network users can access.

Internet Explorer is installed with the Recreational Software Advisory Council on the Internet (RSACi) rating system. RSACi rates content in four categories (language, nudity, sex, and violence), and each category groups Internet content into five levels of appropriateness.

Note: For more information about specific content allowed at each RSACi rating level, see the Internet Content Rating Association Web page at www.icra.org.

Page 79: Module 12: Providing Secure Internet Access to Network Users

When the Internet Explorer Content Advisor is enabled, Internet Explorer screens Web content by reading RSACi ratings contained in hidden Hypertext Markup Language (HTML) tags called meta tags. You can configure Internet Explorer to deny access to unrated Web sites.

Content Advisor settings can be distributed, maintained, and enforced by using the IEAK and the IEAK Profile Manager. You can preconfigure Internet Explorer with a secured supervisor password that restricts the ability to change or disable Content Advisor settings.
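An added example, not from the module, of the screening step Content Advisor performs: read the RSACi label from a page's PICS-Label meta tag, compare each category against the supervisor's configured maximum, and deny unrated pages when that option is set. The sample pages and the maximums are constructed; the rating-service URL inside the sample label is illustrative only.

```javascript
// Added example: a minimal model of Content Advisor screening by RSACi label.
// RSACi letters are n (nudity), s (sex), v (violence) and l (language), each 0 to 4.
const ADVISOR_SETTINGS = { maxLevels: { n: 0, s: 0, v: 1, l: 1 }, denyUnrated: true }; // constructed

// Extracts the RSACi rating from a PICS-Label meta tag, or null if none is present.
function parseRsaciLabel(html) {
  const meta = html.match(/<meta[^>]*http-equiv\s*=\s*["']?PICS-Label["']?[^>]*>/i);
  if (!meta) return null;
  const rating = meta[0].match(/\br\s*\(([^)]*)\)/i);   // the "r (n 0 s 0 v 0 l 0)" part
  if (!rating) return null;
  const levels = {};
  for (const [, cat, val] of rating[1].matchAll(/\b([nsvl])\s+(\d)\b/gi)) {
    levels[cat.toLowerCase()] = Number(val);
  }
  return ["n", "s", "v", "l"].every(c => c in levels) ? levels : null;
}

// Applies the supervisor's settings: unrated pages are denied when denyUnrated is
// set; rated pages are denied when any category exceeds its configured maximum.
function contentAdvisorDecision(html, settings = ADVISOR_SETTINGS) {
  const levels = parseRsaciLabel(html);
  if (!levels) {
    return { allowed: !settings.denyUnrated, reason: "unrated", levels: null };
  }
  const exceeded = Object.keys(settings.maxLevels)
    .filter(c => levels[c] > settings.maxLevels[c]);
  return exceeded.length
    ? { allowed: false, reason: "exceeds " + exceeded.join(","), levels }
    : { allowed: true, reason: "within limits", levels };
}

// Constructed sample pages: one carrying an RSACi label, one unrated.
const RATED_PAGE = `<html><head>
<meta http-equiv="PICS-Label" content='(PICS-1.1 "http://www.rsac.org/ratingsv01.html"
 l gen true for "http://www.example.com" r (n 0 s 0 v 2 l 1))'></head><body>...</body></html>`;
const UNRATED_PAGE = "<html><head><title>No label</title></head><body>...</body></html>";
```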

Page 80: Module 12: Providing Secure Internet Access to Network Users

Automatically Configuring Proxy Clients

Use Auto-configure to Reduce Potential for Misconfiguration

Do Not Use Default Ports

Require Proxy Server to Prevent Clients from Connecting Directly to the Internet

Page 81: Module 12: Providing Secure Internet Access to Network Users

To enforce proxy security with minimal configuration, you will need to set up auto-configuration of all Proxy Clients. This reduces the potential for misconfiguration while ensuring that all clients use the designated Proxy Server to access the Internet.

Page 82: Module 12: Providing Secure Internet Access to Network Users

When installing Proxy Server, you can configure the client installation files with preconfigured settings. These preconfigured settings are applied when the Proxy Client software is installed on a client computer.

Tip: Do not configure the Proxy Server to use the default port (port 80) for client connections. Instead, use a random port from 1024 through 9999, such as 8000.

In a Proxy Server environment, select the Automatically detect settings option to ensure that Web browsers direct all requests to the Proxy Server. This option also ensures that updates to the default configuration are transferred to clients the next time that they start Internet Explorer.
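Added example (not part of the module or of Proxy Server): a proxy auto-configuration (PAC) script of the kind Internet Explorer retrieves when the Automatically detect settings option is enabled. It sends Internet traffic to the proxy on port 8000, as the tip above suggests, and offers no DIRECT alternative for Internet hosts, so a client cannot fall back to a direct connection; proxy.nwtraders.msft, the 10.0.0.0/8 range and the .nwtraders.msft suffix are assumed values.

```javascript
// Added example: PAC script routing all non-intranet requests through the proxy.
var PROXY = "PROXY proxy.nwtraders.msft:8000";   // assumed proxy name; port 8000 per the tip
var INTRANET_DOMAIN = ".nwtraders.msft";         // assumed internal DNS suffix
var INTRANET_NET = "10.0.0.0";                   // assumed private address range
var INTRANET_MASK = "255.0.0.0";

function FindProxyForURL(url, host) {
  // Single-label names and the internal DNS suffix are Local Intranet: go direct.
  if (isPlainHostName(host) || dnsDomainIs(host, INTRANET_DOMAIN)) return "DIRECT";
  // Literal private addresses are internal as well.
  if (isInNet(host, INTRANET_NET, INTRANET_MASK)) return "DIRECT";
  // Everything else must traverse the proxy; no "; DIRECT" fallback is offered.
  return PROXY;
}

// The browser supplies these PAC helpers. Stand-ins are defined here so the script
// also runs outside a browser; unlike the browser's isInNet, this one does not
// resolve host names and only matches literal IPv4 addresses.
function isPlainHostName(host) { return host.indexOf(".") === -1; }
function dnsDomainIs(host, domain) {
  return host.length > domain.length &&
    host.slice(-domain.length).toLowerCase() === domain.toLowerCase();
}
function isInNet(host, net, mask) {
  var ip = host.split("."), n = net.split("."), m = mask.split(".");
  if (ip.length !== 4) return false;
  for (var i = 0; i < 4; i++) {
    if (!/^\d{1,3}$/.test(ip[i]) || ((ip[i] & m[i]) !== (n[i] & m[i]))) return false;
  }
  return true;
}
```

In a deployed PAC file the three helper functions at the bottom should be removed so the browser's own implementations are used.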

Page 83: Module 12: Providing Secure Internet Access to Network Users

Standardizing Deployment of Browsers with the IEAK

Use IEAK to Design Customized Browsers with Preset Proxy and Security Zone Settings

Implement Updates to Profile Data by Editing the .ins File

Page 84: Module 12: Providing Secure Internet Access to Network Users

By default, Internet Explorer allows users to select a proxy server and to increase and decrease security zone settings. The IEAK enables you to create customized browsers with preset options, including security zone and proxy settings that cannot be modified.

The IEAK is composed of the IEAK Profile Manager and the Internet Explorer Customization wizard. The IEAK Profile Manager records specific profile data in an .ins file stored on a network server. When changes to the browser configuration are detected in the .ins file, both the registry and any necessary local files are updated at the client computer. Updates can occur on a predetermined schedule or the next time the browser is started.

Page 85: Module 12: Providing Secure Internet Access to Network Users

For Internet Explorer to detect and apply configuration changes from the .ins file, you must configure Internet Explorer with the Automatically detect settings option. This setting can also be configured in the Internet Explorer Customization wizard.

Note: You can download the IEAK at www.microsoft.com/windows/ieak/.

Page 86: Module 12: Providing Secure Internet Access to Network Users

Lab A: Securing the Internal Network When Accessing the Internet

Page 87: Module 12: Providing Secure Internet Access to Network Users

Objectives

After completing this lab, you will be able to:

Plan and manage which protocols, computers, and users are allowed to access the Internet.

Protect network resources by hiding internal addressing schemes.

Page 88: Module 12: Providing Secure Internet Access to Network Users

Prerequisites

Before working on this lab, you must have:

Knowledge of the design decisions required to address security threats introduced by the Internet.

Knowledge of Proxy Server and DNS namespaces.

Northwind Traders is a well-established, but relatively low-technology, Denver trading company specializing in catalog sales. In this lab, you will design a solution to secure Northwind Traders' network as the organization allows Internet access from within its private network.

Page 89: Module 12: Providing Secure Internet Access to Network Users

You will work with a partner to complete the exercises. Each exercise describes a particular aspect of the design.

Review the scenario, and read the goals and any criteria for each exercise. Answer any questions and give your reasons for your answers. Be prepared to discuss your responses and explain how you reached your conclusions.

Page 90: Module 12: Providing Secure Internet Access to Network Users

Exercise 1: Identifying Threats Introduced from the Internet

In this exercise, you will identify security threats that are introduced as Northwind Traders opens its LAN and allows Internet access from within its private network.

Page 91: Module 12: Providing Secure Internet Access to Network Users

Scenario

Before providing Internet access from the internal network, most employees used modems on their desktops for accessing the Internet. Several of these modems are still installed.

There are currently no restrictions on the type of network protocols available to access the Internet. Northwind Traders has recently suffered three separate virus attacks that can be traced to Internet access.

Page 92: Module 12: Providing Secure Internet Access to Network Users

Exercise 2: Managing Access to the Internet

In this exercise, you will design a plan that addresses security threats introduced when Northwind Traders began accessing the Internet from within its private network. To design the plan, you will restrict which protocols, computers, and users can access the Internet.

Your task is to use your firewall and Proxy Servers to secure the network by managing employee access to the Internet. You will limit exactly what type of content can be accessed from the internal network. You also want full auditing of all Internet access for an acceptable usage policy that has been established. You must accomplish your work without exposing the internal structure or compromising the internal network.

Page 93: Module 12: Providing Secure Internet Access to Network Users

Scenario

All modems at user desktop computers have been removed from the Northwind Traders network. The following diagram shows the network infrastructure recommended by a network consultant. This network infrastructure will allow internal clients to securely access the Internet.

Page 94: Module 12: Providing Secure Internet Access to Network Users
Page 95: Module 12: Providing Secure Internet Access to Network Users

Criteria

The following criteria need to be satisfied for the internal clients accessing the Internet:

You need to plan which protocols, computers, and users are allowed to access the Internet.

You need to provide Internet access to employees in the corporate office without compromising internal network resources.

You have been directed to allow Internet access only to full-time employees. You will allow only Proxy Servers to navigate outside of the private network.

All other internal access (unless explicitly defined) will be disallowed.

Northwind Traders is using nwtraders.msft on both the internal and external networks. You must design DNS to protect all internal addresses in DNS.

You need to restrict the Mail server to provide SMTP services only for internal network users.

You must implement virus protection to protect against further virus attacks within the internal network.

Page 96: Module 12: Providing Secure Internet Access to Network Users

Review

Protecting Internal Network Resources

Planning Internet Usage Policies

Managing Internet Access Through Proxy Server Configuration

Managing Internet Access Through Client-side Configuration