When designing network security, consider the security risks of allowing private network users to connect to the Internet.
After this lesson, you will be able to
Estimated lesson time: 30 minutes
When private network users access resources on the Internet, several risks are introduced to your network's overall security. If they're not carefully managed, these risks can result in reduced security for your network. Typical risks include
IMPORTANT
The absence of an Internet connection doesn't mean that there's no threat from viruses. Viruses can be introduced through floppy disks and shared files on the network.
Figure 15.4 Using NAT to replace the source IP and source port information with a common IP address and random source port
Figure 15.5 Using a modem to bypass firewall security
You can prevent modem usage by using Group Policy to disable the Remote Access Connection Service. This service must be running for Windows 2000 client computers to connect to a remote network by using a dial-up or VPN connection.
You can reduce the risk of threats introduced to the private network by Internet access by implementing the recommendations in Table 15.2.
Table 15.2 Reducing Risks When Providing Internet Connectivity
To | Do the Following |
---|---|
Reduce the risk of viruses | Deploy virus scanning software at each client computer to detect locally introduced viruses. Deploy virus scanning software at common targets, such as e-mail servers, so that viruses are detected before they enter the e-mail system. Deploy virus scanning software at perimeter servers such as firewalls to detect virus-infected data before it enters the private network. Ensure that virus signatures are regularly updated at all deployed locations. |
Prevent the installation of unauthorized software | Restrict installation to signed software when installing from the Internet. Configure Internet Explorer security settings to restrict what content can be installed. Don't include users in Power Users or local Administrators group. This will restrict user access to specific areas of the local disk system where they can install software. |
Prevent Internet users from revealing the private network addressing scheme | Deploy a NAT service at a firewall between the private network and the public network so that all source IP address information is replaced with a common browsing IP address configured at the firewall. Have all internal client computers access the Internet by connecting to the Proxy Server. All requests will appear as if they were requested by the Proxy Server. |
Prevent users from bypassing network security when accessing the Internet | Don't deploy modems to the desktop unless required for another application. Use Group Policy to disable the Remote Access Connection Manager and thereby prevent dial-up sessions. Configure the firewall to allow only authorized computers to connect directly to the Internet. |
To dispel management's fears of risks introduced when employees connect to the Internet, the following items will be included in the Wide World Importers network security plan:
One method of restricting access to the Internet is to allow only specific computers to access the Internet. By assigning users to computers, you can limit Internet access to users who are authorized to log on to specific computers.
Granting computers access to the Internet involves more than configuring client computers. You must also configure Internet permissions for network servers that send data transmissions to the Internet. Resources in a DMZ must be allowed to respond to queries from the Internet. Some servers must initiate connections to the Internet. Servers that require access to the Internet through an external firewall to initiate connections include the following:
You can restrict access by internal computers to the Internet by configuring the firewall to limit which computers are allowed to connect to the Internet. You can further restrict each computer by defining outbound packet filters that define which protocols a computer can use to connect to the Internet. Figure 15.6 shows a firewall that limits the mail server to sending and receiving only SMTP packets.
Figure 15.6 A firewall configured to allow the mail server to send and receive SMTP packets
NOTE
The mail server doesn't require DNS access to the Internet because all DNS requests are passed to the DNS server that's also located in the DMZ.
You must make the following decisions when determining the design of your firewall's packet filters to allow Internet access.
NOTE
You can even assign static IP addresses to remote access clients by configuring the user's dial-up properties to request a static IP address.
Making these four decisions will help you design the necessary outgoing packet filters at your firewall. In a DMZ you may have to establish rules at the internal and external firewall.
NOTE
If NAT is performed at a firewall, you must establish the packet filters at that specific firewall to limit protocols and destination IP addresses. Once the data passes through the NAT service, other firewalls will be unable to identify the packet's original source.
If you're channeling all Internet-bound traffic through the Proxy Server, you can prevent specific subnets from using the Proxy Server by excluding their network addresses from the Local Address Table (LAT). Figure 15.7 shows the default network ranges that are loaded into the LAT. By excluding any addresses from these ranges, you effectively block those subnets from using the Proxy Server.
Figure 15.7 Configuring which subnets are included in the LAT table
The network security design for Wide World Importers must include the following items:
Table 15.3 Packet Filter Required for the Internal Firewall
Protocol | Source IP | Source Port | Target IP | Target Port | Transport Protocol | Action |
---|---|---|---|---|---|---|
Any | 172.16.2.1 | Any | Any | Any | Any | Allow |
NOTE
The internal firewall requires additional filters to define network traffic from the private network to the servers in the DMZ. Specifically, filters are required to allow the internal DNS server to connect to the external DNS server, and all internal clients require access to the mail server. The required packet filters are discussed in Chapter 14, "Securing an Extranet."
Figure 15.8 LAT definition that excludes the 172.16.24.0-172.16.27.255 network range
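The LAT exclusion described above can be checked with a few lines of code. The following is an added example, not code from the book or from Proxy Server 2.0: it models the Wide World Importers LAT as the 172.16.0.0/16 range (an assumption; the book's Figure 15.7 shows the default ranges but does not list them) with the 172.16.24.0-172.16.27.255 range from Figure 15.8 carved out, and answers the question "may this client address use the Proxy Server?" for any address. The function names `effective_lat` and `may_use_proxy` are hypothetical.

```python
import ipaddress

# Assumed LAT contents for Wide World Importers (constructed for this example):
# the private network lives in 172.16.0.0/16, and the Mexico City range from
# Figure 15.8 is excluded so that those subnets cannot use the Proxy Server.
LAT_RANGES = [ipaddress.ip_network("172.16.0.0/16")]
EXCLUDED_RANGES = [
    (ipaddress.ip_address("172.16.24.0"), ipaddress.ip_address("172.16.27.255")),
]


def effective_lat(ranges=LAT_RANGES, excluded=EXCLUDED_RANGES):
    """Return the LAT as a sorted list of networks with every excluded range removed."""
    result = list(ranges)
    for low, high in excluded:
        # summarize_address_range turns an address span into the CIDR blocks covering it
        holes = list(ipaddress.summarize_address_range(low, high))
        for hole in holes:
            remaining = []
            for net in result:
                if hole.subnet_of(net):
                    # address_exclude yields the pieces of net that do not overlap hole
                    remaining.extend(net.address_exclude(hole))
                elif net.subnet_of(hole):
                    continue  # net is swallowed entirely by the exclusion
                else:
                    remaining.append(net)  # CIDR blocks either nest or are disjoint
            result = remaining
    return sorted(result)


def may_use_proxy(client_ip, lat=None):
    """True when client_ip falls inside the effective LAT, i.e. the Proxy Server serves it."""
    lat = effective_lat() if lat is None else lat
    ip = ipaddress.ip_address(client_ip)
    return any(ip in net for net in lat)


if __name__ == "__main__":
    lat = effective_lat()
    print("Effective LAT:", [str(n) for n in lat])
    for addr in ("172.16.2.1", "172.16.25.10", "172.16.28.1", "10.0.0.1"):
        print(addr, "->", "proxy allowed" if may_use_proxy(addr, lat) else "blocked")
```

The exclusion 172.16.24.0-172.16.27.255 is exactly one /22, so the /16 splits into six surviving blocks; addresses in the excluded range (172.16.25.10) are reported as blocked, addresses just outside it (172.16.28.1) remain served, and anything outside the LAT altogether (10.0.0.1) is blocked as well.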
Table 15.4 External Firewall Packet Filters
Protocol | Source IP | Source Port | Target IP | Target Port | Transport Protocol | Action |
---|---|---|---|---|---|---|
DNS | 172.16.7.2 | Any | 131.107.254.254 | 53 | TCP | Allow |
DNS | 172.16.7.2 | Any | 131.107.254.254 | 53 | UDP | Allow |
DNS | Any | Any | 172.16.7.2 | 53 | TCP | Allow |
DNS | Any | Any | 172.16.7.2 | 53 | TCP | Allow |
SMTP | 172.16.7.3 | Any | Any | 25 | TCP | Allow |
SMTP | Any | Any | 172.16.7.3 | 25 | TCP | Allow |
NOTE
The first two packet filters allow the external DNS server (172.16.7.2) to forward DNS queries to the ISP's DNS server (131.107.254.254). The third and fourth packet filters allow DNS clients on the Internet to connect to the external DNS server to resolve host names for the wideworldimporters.tld Internet domain. The fifth packet filter allows the mail server to send e-mail to any SMTP server on the Internet, and the final packet filter allows the mail server to accept incoming SMTP messages.
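A packet filter table is easiest to review when it can be executed against sample traffic. The following is an added example, not code from the book or from any firewall product: it transcribes Table 15.4 row for row and evaluates packets against it with first-match semantics and an implicit default deny (the default deny is an assumption about the firewall, not a row of the table). The `evaluate` and `unmatched_transports` helpers and the external addresses 198.51.100.25 and 203.0.113.10 are constructed for this example. Run as printed, the table also surfaces one thing worth noticing: its fourth row repeats the third (TCP) rather than covering UDP, so UDP queries from Internet DNS clients to 172.16.7.2 are reported as denied, which is exactly the kind of gap such a check exists to catch before the filters are deployed.

```python
from dataclasses import dataclass
from typing import Optional

ANY = None  # stands for "Any" in the table


@dataclass(frozen=True)
class PacketFilter:
    protocol: str
    src_ip: Optional[str]
    src_port: Optional[int]
    dst_ip: Optional[str]
    dst_port: Optional[int]
    transport: Optional[str]
    action: str


# Table 15.4, transcribed row for row (the fourth row is TCP as printed in the table).
EXTERNAL_FILTERS = [
    PacketFilter("DNS", "172.16.7.2", ANY, "131.107.254.254", 53, "TCP", "Allow"),
    PacketFilter("DNS", "172.16.7.2", ANY, "131.107.254.254", 53, "UDP", "Allow"),
    PacketFilter("DNS", ANY, ANY, "172.16.7.2", 53, "TCP", "Allow"),
    PacketFilter("DNS", ANY, ANY, "172.16.7.2", 53, "TCP", "Allow"),
    PacketFilter("SMTP", "172.16.7.3", ANY, ANY, 25, "TCP", "Allow"),
    PacketFilter("SMTP", ANY, ANY, "172.16.7.3", 25, "TCP", "Allow"),
]


def _field_matches(rule_value, packet_value):
    """A rule field matches when it is Any or equals the packet's value."""
    return rule_value is ANY or rule_value == packet_value


def evaluate(filters, src_ip, src_port, dst_ip, dst_port, transport):
    """First-match evaluation; returns (action, matching filter or None).
    No match falls through to "Deny" (assumed default policy of the firewall)."""
    for f in filters:
        if (_field_matches(f.src_ip, src_ip)
                and _field_matches(f.src_port, src_port)
                and _field_matches(f.dst_ip, dst_ip)
                and _field_matches(f.dst_port, dst_port)
                and _field_matches(f.transport, transport)):
            return f.action, f
    return "Deny", None


def unmatched_transports(filters, dst_ip, dst_port, probe_src="203.0.113.10"):
    """Report which of TCP/UDP would be denied for Internet traffic to dst_ip:dst_port.
    probe_src is a constructed external address used only to exercise the rules."""
    return [t for t in ("TCP", "UDP")
            if evaluate(filters, probe_src, 40000, dst_ip, dst_port, t)[0] != "Allow"]


if __name__ == "__main__":
    # Constructed sample packets; 198.51.100.25 stands in for an arbitrary Internet SMTP server.
    samples = [
        ("mail server sends e-mail", "172.16.7.3", 1025, "198.51.100.25", 25, "TCP"),
        ("mail server asks ISP DNS", "172.16.7.3", 1026, "131.107.254.254", 53, "UDP"),
        ("DNS server forwards query", "172.16.7.2", 1027, "131.107.254.254", 53, "UDP"),
        ("Internet client UDP query", "203.0.113.10", 40000, "172.16.7.2", 53, "UDP"),
    ]
    for label, *pkt in samples:
        print(f"{label}: {evaluate(EXTERNAL_FILTERS, *pkt)[0]}")
    print("DNS transports with no inbound allow:", unmatched_transports(EXTERNAL_FILTERS, "172.16.7.2", 53))
```

The mail server is allowed outbound SMTP only, which agrees with the earlier note that it needs no Internet DNS access because it queries the DNS server in the DMZ.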
Although it's possible to restrict Internet access to specific computers, sometimes it's more appropriate to restrict access based on user accounts. By defining which users and groups can access the Internet, you can extend the standard Windows 2000 security model of assigning permissions to groups for resource access. In this case the resource is simply Internet access.
To manage Internet access based on user accounts, you need a service capable of enforcing which users or groups can access the Internet. This service must provide an authentication mechanism that can identify users and evaluate group memberships. Proxy Server 2.0 provides this functionality through the following services:
NOTE
Microsoft's next generation firewall and proxy server, known as Internet Security and Acceleration (ISA) Server, will provide firewall services to a Microsoft network. ISA will provide the same proxy services with more firewall services than were available in Proxy Server 2.0. For more information on Microsoft ISA Server, please see http://www.microsoft.com/isaserver/.
You can configure each proxy service to restrict access to specific Windows 2000 security groups. Group membership is determined by the access token presented by the user connecting to the proxy service. The access token contains the user's Security ID (SID) and the user's group SIDs.
When the user attempts to access an Internet resource through a proxy service, the user's SID and group SIDs are compared to the Access Control List (ACL) configured for the protocol the user is attempting to use. If the SID is allowed access, the Proxy Server completes the connection.
Authenticated access must occur in order to determine the user's SID and the SIDs of their group memberships. Only if anonymous access is enabled can a user connect to Internet resources without authenticating with the Proxy Server.
Proxy Server 2.0 supports three methods of authenticating users: anonymous access, basic authentication, and Windows Integrated Authentication. The authentication methods supported by Proxy Server 2.0 are configured in the Directory Security tab of the Default Web site in the Internet Services Manager MMC console, as shown in Figure 15.9.
Figure 15.9 Configuring authentication mechanisms for the Proxy Server
NOTE
Because Proxy Server 2.0 was originally written to operate in a Windows NT 4.0 environment, you must download the Proxy Server update to configure the software to authenticate with Active Directory directory service. You can obtain the Proxy Server update from http://www.microsoft.com/proxy/.
When designing Internet access by user account, include the design decisions in Table 15.5.
Table 15.5 Restricting Which Users Can Access the Internet
To | Include the Following in Your Security Design |
---|---|
Allow all users to access the Internet | Configure anonymous authentication and don't configure ACLs for the proxy services. Allow the Users group for the domain to use any protocols available in the proxy services and to use any of the available authentication mechanisms. |
Simplify the process of granting users access to Internet protocols | If the Proxy Server is installed on a domain controller, create domain local groups in the domain where the Proxy Server resides to represent each level of access to Internet protocols required. If the Proxy Server is installed on a member server or stand-alone server in a workgroup, create local groups in the local Security Account Management (SAM) database to represent each level of access to Internet protocols required. Create global groups in each domain that will allow users to access the Internet. Place the global groups within the domain local group or local groups previously created. |
Distinguish users connecting to the proxy service | Plan which authentication mechanisms are required for the network. |
Specify which users can use the Web Proxy service | Configure the ACL for the Web Proxy service in the Internet Services Manager console to permit only specific groups to use protocols enabled through the Web Proxy service. Protocol choices include HTTP, HTTPS, Gopher, and FTP through the browser interface. |
Specify which users can use the WinSock Proxy service | Configure the ACL for the WinSock Proxy service in the Internet Services Manager console to allow only specific groups access to each protocol defined for the service. |
Wide World Importers has identified two groups of employees who require access to the Internet.
Figure 15.10 Creating groups to provide the IT department Internet access
Figure 15.11 Creating groups to provide Internet access to employees granted access to the Internet
NOTE
Regularly audit membership of the Internet Users global groups in the wideworldimporters.tld and engineering.wideworldimporters.tld domains to ensure that users from the Mexico City office aren't included in the membership. This prevents users from the Mexico City office from connecting to the Internet if they connect to the network from another office.
To determine membership in the groups, authenticate the users with the Proxy Server. To provide authentication, configure the Proxy Server to support basic authentication and Windows Integrated Authentication. Basic authentication is required to authenticate the Netscape Navigator users because Netscape doesn't support Windows Integrated Authentication. Netscape Navigator uses only basic authentication for Proxy Server access. Disable anonymous authentication on the Proxy Server because Internet access is restricted to members of the IT Access and Internet Access domain local groups. You will use these groups to assign permissions in the Web Proxy and WinSock Proxy permission pages.
Once a user is authenticated, configure the proxy services available in Proxy Server 2.0 to allow access only to specific protocols. For each available protocol, assign permissions to allow only specific groups to use the protocol through the Proxy Server.
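The access-token comparison described earlier (user SID plus group SIDs checked against a per-protocol ACL) and the group design in Table 15.5 and the Wide World Importers plan (global groups nested in the IT Access and Internet Access domain local groups) can be modelled together. The following is an added example, not code from the book or from Proxy Server 2.0: all SIDs are constructed, the nesting follows the plan above, and the protocol assignments (Internet Access gets WWW, Secure and NNTP; IT Access gets FTP Read plus WinSock "Unlimited Access") are assumptions, since the book does not list the final Wide World Importers permissions. `build_token` and `proxy_allows` are hypothetical helper names.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional, Set

# Constructed SIDs for illustration only; real values come from the domains.
SID = {
    "user:jdoe": "S-1-5-21-100-1001",
    "user:mlee": "S-1-5-21-200-1002",
    "wideworldimporters\\IT Internet Users": "S-1-5-21-100-2001",  # global group
    "wideworldimporters\\Internet Users": "S-1-5-21-100-2002",     # global group
    "engineering\\Internet Users": "S-1-5-21-200-2002",            # global group
    "IT Access": "S-1-5-21-100-3001",        # domain local group on the Proxy Server's domain
    "Internet Access": "S-1-5-21-100-3002",  # domain local group on the Proxy Server's domain
}

# Global groups placed inside each domain local group (Table 15.5, "Simplify the process ...").
NESTING: Dict[str, Set[str]] = {
    SID["IT Access"]: {SID["wideworldimporters\\IT Internet Users"]},
    SID["Internet Access"]: {SID["wideworldimporters\\Internet Users"],
                             SID["engineering\\Internet Users"]},
}


@dataclass(frozen=True)
class AccessToken:
    user_sid: str
    group_sids: FrozenSet[str]


def build_token(user_sid: str, direct_groups, nesting=NESTING) -> AccessToken:
    """Expand direct group memberships through nested groups, as a logon token would."""
    sids = set(direct_groups)
    changed = True
    while changed:  # transitive closure: a group containing any held group is held too
        changed = False
        for container, members in nesting.items():
            if container not in sids and sids & members:
                sids.add(container)
                changed = True
    return AccessToken(user_sid, frozenset(sids))


UNLIMITED = "*"  # WinSock Proxy "Unlimited Access" option (Figure 15.13)

# Assumed protocol ACLs: protocol name -> SIDs permitted to use it.
WEB_PROXY_ACL: Dict[str, Set[str]] = {
    "WWW": {SID["Internet Access"], SID["IT Access"]},
    "Secure": {SID["Internet Access"], SID["IT Access"]},
    "FTP Read": {SID["IT Access"]},
    "Gopher": set(),  # nobody is granted Gopher
}
WINSOCK_PROXY_ACL: Dict[str, Set[str]] = {
    UNLIMITED: {SID["IT Access"]},
    "NNTP": {SID["Internet Access"]},
}


def proxy_allows(token: Optional[AccessToken], protocol: str, acl, anonymous_enabled=False) -> bool:
    """Decide a proxy request: unauthenticated requests pass only with anonymous access
    enabled; otherwise the user's SID or any group SID must appear in the protocol's ACL."""
    if token is None:
        return anonymous_enabled
    principals = token.group_sids | {token.user_sid}
    if principals & acl.get(UNLIMITED, set()):
        return True
    return bool(principals & acl.get(protocol, set()))


if __name__ == "__main__":
    jdoe = build_token(SID["user:jdoe"], {SID["wideworldimporters\\IT Internet Users"]})
    mlee = build_token(SID["user:mlee"], {SID["engineering\\Internet Users"]})
    for name, tok in (("jdoe", jdoe), ("mlee", mlee)):
        print(name, "FTP Read:", proxy_allows(tok, "FTP Read", WEB_PROXY_ACL),
              "Telnet via WinSock:", proxy_allows(tok, "Telnet", WINSOCK_PROXY_ACL))
    print("anonymous WWW:", proxy_allows(None, "WWW", WEB_PROXY_ACL))
```

Because anonymous access is disabled, an unauthenticated connection is refused outright; the engineering user reaches the Web protocols through the nested Internet Access group but not FTP Read, and the IT user gets every WinSock protocol through the unlimited grant.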
NOTE
Only the Web Proxy and the WinSock Proxy support permissions based on user accounts. The Socks Proxy permissions are based on the connection attempt's properties. Much like a packet filter, Socks Proxy permissions define the source and destination IP address and port information for identifying permitted connections.
The Web Proxy allows you to define permissions for the four protocols available in the Web Proxy through the Permissions tab for the Web Proxy service properties, as shown in Figure 15.12.
Figure 15.12 Setting Web Proxy permissions in the Permissions tab of the Web Proxy property pages
You can set permissions separately for the Web (HTTP), Secure (HTTPS), Gopher, and FTP Read services to allow only authorized groups to use the designated protocol. For each protocol, you can define which groups are allowed access to the protocol. You can't assign partial permissions to the protocols.
As with the Web Proxy, you can set WinSock Proxy permissions on a per-protocol basis. Because the list of protocols is extensive, an additional option exists to grant unlimited access to all protocols supported by the Proxy Server, as shown in Figure 15.13.
Figure 15.13 Using the WinSock Proxy to grant unlimited protocol access to security groups
The WinSock Proxy not only provides support for most popular protocols but also allows you to provide access to newer protocols by adding the protocol definitions to the WinSock Proxy. If you're defining a new protocol, you must know exactly what ports are used during a connection attempt that uses the protocol so that you can define the protocol for the WinSock Proxy.
NOTE
Use of the WinSock Proxy service in Proxy Server 2.0 requires the WinSock Proxy client to be installed at the client computer. The proxy client can be installed on Windows 95–, Windows 98–, Windows NT 4.0–, and Windows 2000–based client computers.
Use Table 15.6 when deciding which protocols you will allow for Internet access.
Table 15.6 Determining Which Protocols Can Access the Internet
To | Do the Following |
---|---|
Determine what protocols are required | Survey all employees to determine which applications they use or wish to use to access the Internet. Audit all Internet traffic that originates on the private network to determine protocols currently in use. Identify whether any protocols introduce risks to the private network. For example, Telnet typically uses clear text authentication. Ensure that domain passwords aren't used to access Internet resources. |
Determine who requires protocol access | Ensure that logging contains information on the user or IP address that uses the protocol. This helps you design your groups for restricting access to a specific protocol. |
Define allowed protocols | Configure the Web Proxy, WinSock Proxy, and Socks Proxy to permit only authorized protocols through the Proxy Server. |
Add new protocols | Provide a protocol definition in the WinSock Proxy that accurately describes the ports used by the new protocol. |
Allow access to the WinSock Proxy | Install the WinSock Proxy client on all computers that require access to the Internet using the WinSock Proxy service. |
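Two rows of Table 15.6 call for auditing Internet traffic to learn which protocols are in use and which user or IP address uses each one. The following is an added example, not code from the book or from Proxy Server 2.0: it parses a handful of constructed log lines in a simplified layout (date, time, user, client IP, protocol, destination, port; not the real Proxy Server 2.0 log format), summarises protocols per principal to inform the group design, and flags entries that use cleartext-authentication protocols such as Telnet or that carry no user name, which would defeat per-user group restrictions. The `parse_log`, `protocols_by_principal` and `audit` names are hypothetical.

```python
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Constructed sample log (simplified layout, not the real Proxy Server 2.0 format).
# Fields: date time user client_ip protocol destination dest_port; "-" means no user.
SAMPLE_LOG = """\
2000-03-14 09:12:01 WWI\\jdoe 172.16.2.15 HTTP www.example.com 80
2000-03-14 09:12:07 WWI\\jdoe 172.16.2.15 HTTPS secure.example.com 443
2000-03-14 09:15:44 WWI\\mlee 172.16.3.22 Telnet host.example.net 23
2000-03-14 09:20:10 ENG\\akim 172.16.5.9 NNTP news.example.org 119
2000-03-14 09:21:33 - 172.16.5.40 FTP ftp.example.org 21
2000-03-14 09:25:00 WWI\\mlee 172.16.3.22 HTTP www.example.com 80
this line is malformed and is skipped
"""

# Protocols that typically send credentials in the clear (Table 15.6 names Telnet).
CLEARTEXT_AUTH_PROTOCOLS = {"Telnet", "FTP", "POP3"}


def parse_log(text: str) -> List[dict]:
    """Split each well-formed line into a record; malformed lines are dropped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 7 or not parts[6].isdigit():
            continue
        date, time, user, client_ip, protocol, destination, port = parts
        records.append({
            "timestamp": f"{date} {time}",
            "user": None if user == "-" else user,
            "client_ip": client_ip,
            "protocol": protocol,
            "destination": destination,
            "port": int(port),
        })
    return records


def principal(record: dict) -> str:
    """Use the user name when logged; fall back to the client address otherwise."""
    return record["user"] if record["user"] else f"ip:{record['client_ip']}"


def protocols_by_principal(records: List[dict]) -> Dict[str, Set[str]]:
    """Which protocols each user (or address) actually used: input for group design."""
    usage: Dict[str, Set[str]] = defaultdict(set)
    for r in records:
        usage[principal(r)].add(r["protocol"])
    return dict(usage)


def audit(records: List[dict]) -> List[Tuple[str, str, str]]:
    """Findings as (kind, who, protocol) tuples: cleartext-auth protocols and
    entries without a user name, which cannot be tied back to a security group."""
    findings = []
    for r in records:
        if r["protocol"] in CLEARTEXT_AUTH_PROTOCOLS:
            findings.append(("cleartext-auth", principal(r), r["protocol"]))
        if r["user"] is None:
            findings.append(("no-user", r["client_ip"], r["protocol"]))
    return findings


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for who, protos in sorted(protocols_by_principal(recs).items()):
        print(f"{who}: {sorted(protos)}")
    for finding in audit(recs):
        print("FINDING", *finding)
```

The per-principal summary is what drives the group design: users who only ever use HTTP and HTTPS belong in a Web-only group, while the Telnet and anonymous FTP entries are the ones to follow up before deciding whether those protocols are permitted at all.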
Wide World Importers must include the following permissions in their Web Proxy and WinSock Proxy configuration:
Wide World Importers must also develop a strategy for the deployment of the WinSock Proxy client to enable the use of FTP and NNTP client software for accessing the Internet.
Your organization may need to configure restrictions on the computers, users, or protocols that can access the Internet. Your design must ensure that all computers and users that require access to the Internet can have it without exposing the network to additional risks. Develop your security plan so that it controls which computers and users can access the Internet. For each scenario that you develop, identify the required protocols so that you can restrict access to the correct protocols.