Chapter Scenario: Blue Yonder Airlines

Blue Yonder Airlines is a North American airline that serves the West Coast of the United States. Blue Yonder uses a combination of Microsoft, Macintosh, and UNIX clients and servers for its corporate networking solution. Blue Yonder management is concerned that the combination of operating systems might create security vulnerabilities. You've been hired to ensure that the inclusion of these heterogeneous operating systems in the existing Windows 2000 network doesn't weaken the airline's network security.

Macintosh Deployment at Blue Yonder Airlines

Blue Yonder Airlines publishes a monthly magazine, Into the Wild Blue Yonder, that's given to all passengers. It's published by the Marketing department.

The Marketing department uses QuarkXPress on Macintosh computers to do the magazine's development and layout. The Macintosh computers access the Windows 2000 network when downloading digital photos and stories written by contributors using Microsoft Word. The stories and photos are stored on a Windows 2000 file server named BYDATA. Authentication of the Macintosh clients must not allow the inspection of user passwords as the passwords are transmitted to the BYDATA server.

The magazine is printed from an AGFA 9000 film printer located in the Marketing department. Because of the high costs associated with printing to a film printer, access to the printer should be restricted to the Macintosh users in the Marketing department.

UNIX Deployment at Blue Yonder Airlines

The flight scheduling system used by Blue Yonder Airlines stores its data in a database running on a UNIX server. The server hosting the UNIX database also stores analysis reports that are available through a Network File System (NFS) server share running on the UNIX server. Windows 2000 users need to access the UNIX database for scheduling flights and storing analysis reports on the NFS server share. Windows 2000 users must authenticate with the NFS server.

The UNIX database uses Kerberos v5 for authentication. Active Directory directory service user accounts must be able to authenticate with the UNIX KDC to provide access to the UNIX database using the UNIX database client. The Windows 2000 users shouldn't have to provide alternate credentials when they connect to the UNIX database.

The UNIX server must periodically connect to the BYDATA server to access scheduling projection reports. These reports record statistics for departures and arrivals that are used to determine modifications to the flight schedule. All access to the BYDATA server must be authenticated to ensure that security is maintained.

A Recent Acquisition

Blue Yonder Airlines recently acquired a smaller company that delivers cargo in the Pacific Northwest. The smaller airline, Consolidated Messenger, uses a NetWare 4.11 network. The accounting department in the Salt Lake City office must access data stored on the NetWare network that's related to the acquisition.

The network security design must meet the following objectives:

• All members of the accounting department require the same level of access to the data stored on a NetWare server named AIRDATA1. The data to which the accounting department requires access is stored on the DATA: volume in a folder named Accounting. The accounting department requires permission to read the data stored on the NetWare server, but they must not modify any data.
• As the Consolidated Messenger network is merged into the Blue Yonder network, the directories of the two networks must be integrated so that user accounts are maintained within the operating systems of both networks.
• NetWare users must be able to connect to the BYDATA server using native NetWare client software.
• Eventually, all data stored in the NetWare environment must be migrated to the Windows 2000 environment and maintain all current security settings.