Chapter Scenario: Hanson Brothers

Hanson Brothers, a hockey equipment manufacturing company based in Warroad, Minnesota, requires a remote access solution for its employees. Hanson Brothers must address the following three remote access scenarios:

  • Providing access to network resources for employees at the Boise, Calgary, and Warroad offices. In response to growing demand for telecommuting, employees will be allowed to work from home one day a week. Employees require access to all network resources. Some employees have asymmetric digital subscriber line (ADSL) or cable connections to the Internet at home and wish to use these connections to reach their local office network.
  • Providing access to a production server at the Warroad office for a partner organization. Adventure Works is a major distributor of Hanson Brothers hockey equipment. Only a single specified computer at Adventure Works will be allowed to dial up to the production server at the Hanson Brothers Warroad office to determine stock availability.
  • Providing network connectivity to a new office in Montréal. Hanson Brothers plans to open a new office in Montréal. Due to the high cost of establishing a dedicated network link across national borders, Hanson Brothers plans to investigate a virtual private networking (VPN) solution.

All domain controllers operating in the Hanson Brothers network are running Microsoft Windows 2000. No Windows NT 4.0 backup domain controllers (BDCs) remain on the network.

Business goals and network infrastructure proposals for the three projects are detailed in the following sections.

Providing Access to Home Users

Hanson Brothers management plans to meet the following business objectives when granting remote access to employees:

  • Before receiving remote network access, employees must be approved on an individual basis. Approved employees will be placed in a security group named Remote Users. Only members of the Remote Users group will be granted dial-up access to the network.
  • Only administrators will be allowed to connect to the network remotely on Saturday evenings. Remote access for employees will be blocked between the hours of 6:00 P.M. and midnight so that network backups and administrative tasks can be processed.
  • Employees must authenticate with the network using the strongest authentication protocol supported by both the remote client computer and the Routing and Remote Access Service (RRAS) computer.
  • Connections must use 128-bit encryption to ensure that sensitive data is protected from inspection attempts.
  • One server will be used for both dial-up and VPN access at each of the three offices. The remote access server will be placed in a Demilitarized Zone (DMZ) (also known as a perimeter network) at each office. Figure 13.1 shows how the connection will exist at the Warroad office.

    Figure 13.1 Remote access server placement for the Warroad office

  • Users connecting to the remote access server will use their domain accounts and passwords for authentication.
  • Employees use a combination of Windows 98, Windows NT 4.0, and Windows 2000–based computers to connect to the network.
  • All remote access servers will be installed as Windows 2000 stand-alone servers, not as members of the hansonbrothers.tld domain.
  • All remote access policy for employees will be maintained at the Warroad office. It's important that the three offices don't have different remote access policies.

Providing Access to the Partner Organization

While Adventure Works is a trusted partner, Hanson Brothers management wants to ensure that users connecting from Adventure Works have restricted access to the Hanson Brothers corporate network.

  • Connections from Adventure Works will be granted only if the account name and password are strongly encrypted during authentication.
  • Connections from Adventure Works will be limited to a single phone number. Connections from any other phone number will be disallowed.
  • Connections from Adventure Works will be limited to the remote access server hosting the stock application. Connections to any other server on the network must be prevented.
  • The computer accessing the stock application from Adventure Works is running Windows NT 4.0 Workstation as the operating system.
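The two requirement lists above (employee access and partner access) describe the same decision a Windows 2000 RRAS remote access policy makes: evaluate the conditions (group membership, day and time, caller ID), then apply the profile (encryption strength, authentication protocol). The following is an added example that models that evaluation; it is not code from the training kit. The policy objects, protocol ordering, and the placeholder phone number are this example's own assumptions, and it reads the two time-of-day requirements together as a Saturday 6:00 P.M. to midnight block from which administrators are exempt.

```python
"""Constructed model of RRAS-style remote access policy evaluation:
conditions first (group, day/time, caller ID), then the profile
(encryption strength, strongest mutually supported authentication).
Example code only; the policies mirror the chapter scenario's constraints."""
from dataclasses import dataclass, field
from datetime import datetime
from typing import Optional

# Candidate authentication protocols, strongest first. The ordering is this
# example's assumption; PAP sends the password in cleartext and ranks last.
AUTH_STRENGTH = ["EAP-TLS", "MS-CHAP v2", "MS-CHAP", "CHAP", "PAP"]


@dataclass
class ConnectionRequest:
    user: str
    groups: frozenset
    client_auth: frozenset       # protocols the client can negotiate
    client_max_key_bits: int     # strongest MPPE key length the client supports
    when: datetime
    caller_id: Optional[str] = None


@dataclass
class RemoteAccessPolicy:
    name: str
    required_group: Optional[str] = None
    # (weekday 0=Mon..6=Sun or None for every day, start_hour, end_hour):
    # access is denied inside this window unless the caller is in exempt_group
    blocked_window: Optional[tuple] = None
    exempt_group: Optional[str] = None
    allowed_caller_ids: Optional[frozenset] = None
    min_key_bits: int = 128
    weakest_auth_allowed: str = "PAP"
    server_auth: frozenset = field(
        default_factory=lambda: frozenset({"MS-CHAP v2", "MS-CHAP", "CHAP", "PAP"}))


def strongest_common_auth(client, server):
    """Return the strongest protocol both ends support, or None."""
    for proto in AUTH_STRENGTH:
        if proto in client and proto in server:
            return proto
    return None


def evaluate(policy, req):
    """Return (accepted, reason, profile); profile is None when rejected."""
    # --- conditions: who, when, from where ---
    if policy.required_group and policy.required_group not in req.groups:
        return False, f"{req.user} is not in {policy.required_group}", None
    if policy.blocked_window:
        weekday, start, end = policy.blocked_window
        in_window = ((weekday is None or req.when.weekday() == weekday)
                     and start <= req.when.hour < end)
        exempt = bool(policy.exempt_group) and policy.exempt_group in req.groups
        if in_window and not exempt:
            return False, "connection attempted during blocked hours", None
    if policy.allowed_caller_ids is not None and req.caller_id not in policy.allowed_caller_ids:
        return False, f"caller ID {req.caller_id!r} not permitted", None
    # --- profile: how an accepted session must be protected ---
    if req.client_max_key_bits < policy.min_key_bits:
        return False, f"client cannot do {policy.min_key_bits}-bit encryption", None
    auth = strongest_common_auth(req.client_auth, policy.server_auth)
    if auth is None or AUTH_STRENGTH.index(auth) > AUTH_STRENGTH.index(policy.weakest_auth_allowed):
        return False, f"no acceptable authentication protocol (best common: {auth})", None
    return True, "accepted", {"auth": auth, "key_bits": policy.min_key_bits}


# Policies mirroring the scenario's stated constraints (constructed objects).
HOME_USER_POLICY = RemoteAccessPolicy(
    name="Hanson Brothers employees",
    required_group="Remote Users",
    blocked_window=(5, 18, 24),          # Saturday 18:00 to midnight (assumed reading)
    exempt_group="Administrators",
    min_key_bits=128,
)
PARTNER_POLICY = RemoteAccessPolicy(
    name="Adventure Works stock lookup",
    required_group="Adventure Works",
    allowed_caller_ids=frozenset({"555-0100"}),   # placeholder phone number
    min_key_bits=128,
    weakest_auth_allowed="MS-CHAP v2",            # never accept a weakly protected password
)
```

The evaluation order matters: a request that fails a condition never reaches the profile, so a partner call from an unlisted number is refused before any authentication takes place, and an employee who cannot negotiate 128-bit encryption is refused even though group and time conditions pass.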

Connecting the Montréal Office

Due to the cost of establishing a dedicated network link between the Montréal and Warroad offices, Hanson Brothers will establish a VPN solution to connect the two offices securely. The following constraints will affect the design of the VPN connection:

  • The Montréal office has acquired a third-party firewall to protect its office. The third-party firewall supports Internet Protocol Security (IPSec) but doesn't support Point-to-Point Tunneling Protocol (PPTP) or Layer Two Tunneling Protocol (L2TP).
  • The third-party firewall doesn't support certificate-based authentication.
  • Users at the Montréal office access corporate resources through the VPN connection to the corporate office.
  • The VPN connection must provide the strongest encryption of the data encapsulated within the VPN.
  • The Warroad office must ensure that the VPN server accepts only connections from the Montréal office.


Source: Microsoft Corporation, MCSE Training Kit (Exam 70-220): Designing Microsoft Windows 2000 Network Security (IT-Training Kits). ISBN 0735611343, 2001, 172 pages.
