Case Study




You should give yourself 20 minutes to review this testlet, review the table and exhibits, and complete the questions.

Overview

Thrilling Sporting Goods, Inc. is a worldwide purveyor of sporting goods. Along with carrying the standard equipment for team and individual sports, it specializes in equipment for adventure sports such as rock climbing and kayaking, the fastest-growing part of the company's overall business. The company has traditionally sold its goods through a catalog and its five storefronts. It would now like to use the Internet as a vehicle to sell merchandise and to support its sales staff.

Network Infrastructure

IIS servers that serve partners and the Internet are located on the perimeter network.

SportWeb, a server in the perimeter network that is not a member of the domain, runs an ASP application that the company's sales force uses to view inventory information.

The company's servers, their roles, and where they sit in the network are listed in the following table:

Server Name     Function                          Location
SportWeb        Web server (IIS 6.0)              Perimeter network
SportISA1       Firewall server                   Between internal and perimeter networks
SportISA2       Firewall server                   Between perimeter network and the Internet
SportApp        Microsoft SQL Server 2000 server  Perimeter network
SportDC         Domain controller                 Internal network
SportIntranet   Web server                        Internal network

Interviews

Chief Information Officer We have an initiative that all new applications must be web based. In addition, we are retrofitting legacy applications with web components. We need to track and report on what resources users and partners are using. This will help us keep the websites beneficial and secure. We have purchased a package that will produce reports from log data stored in SQL Server 2000.

IT Director We manage our network with Group Policy objects (GPOs) to ease the burden of accessing each server and workstation.

Chief Security Officer We need to make sure that we have a strong authentication mechanism for authenticating with the extranet. Partner companies often have weaker security policies and employees tend to write down user IDs and passwords. The ISA servers allow HTTP, HTTPS, IPSec, and FTP traffic. We do not allow the NetBIOS protocols through the firewalls.

Security Policy

IIS must not be installed on domain controllers or infrastructure servers.

ASP applications may be run only if they are installed on SportWeb or SportIntranet. Further application development will be done in ASP.NET and will take advantage of the security features of ASP.NET.

All users who access the website from the internal network must be authenticated by an Active Directory server. The user credentials must be protected while the user is authenticating.

The attack surface of every web server must be kept as small as possible.

All company data must be secured so internal and external users only have appropriate access.

All WAN communications must be encrypted.

All user access to the website must be tracked. The log must be stored in a SQL Server 2000 database for reporting purposes.
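The last policy item requires every website access to be tied to a user and stored in SQL Server 2000 for the reporting package. IIS 6.0 can write its log directly to a SQL Server table through ODBC logging; the example below, which is added here and is not part of the study guide, shows the same data flow in portable form so you can see what the log actually records. It parses constructed IIS 6.0 W3C Extended log lines, builds parameterised INSERT statements for a hypothetical reporting table named WebAccessLog, and flags requests that were served without an authenticated user, which is exactly the gap the "all users must be authenticated" policy is meant to close (an anonymous request is logged with "-" in cs-username, so it cannot be attributed to anyone).

```python
"""Added example: turn IIS 6.0 W3C Extended log lines into SQL Server rows and
find requests that cannot be attributed to an authenticated user.
Not taken from the study guide; the table name WebAccessLog is an assumption."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample log. The #Fields directive names the columns; "-" marks an
# empty value, and an anonymous request has "-" in cs-username.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2004-03-15 08:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
2004-03-15 08:00:01 192.168.10.5 GET /inventory/default.asp - 443 SPORTS\\jsmith 10.1.1.20 Mozilla/4.0 200 0 0
2004-03-15 08:00:07 192.168.10.5 GET /inventory/list.asp dept=climbing 443 SPORTS\\jsmith 10.1.1.20 Mozilla/4.0 200 0 0
2004-03-15 08:01:15 192.168.10.5 GET /default.asp - 80 - 203.0.113.9 Mozilla/4.0 200 0 0
2004-03-15 08:02:30 192.168.10.5 GET /inventory/list.asp - 443 - 203.0.113.9 Mozilla/4.0 401 2 5
"""


@dataclass
class AccessRecord:
    log_time: str
    client_host: str
    username: Optional[str]  # None when IIS logged "-" (anonymous request)
    operation: str
    target: str
    parameters: str
    status: int
    win32_status: int


def parse_w3c(text: str) -> List[AccessRecord]:
    """Parse W3C Extended log text; the #Fields directive defines the columns."""
    fields: List[str] = []
    records: List[AccessRecord] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue  # #Software, #Version, #Date carry no request data
        if not fields:
            raise ValueError("data line appears before a #Fields directive")
        values = line.split()  # IIS replaces spaces inside a value with "+"
        if len(values) != len(fields):
            raise ValueError(f"field count mismatch: {line!r}")
        row = dict(zip(fields, values))
        user = row["cs-username"]
        records.append(AccessRecord(
            log_time=f'{row["date"]} {row["time"]}',
            client_host=row["c-ip"],
            username=None if user == "-" else user,
            operation=row["cs-method"],
            target=row["cs-uri-stem"],
            parameters="" if row["cs-uri-query"] == "-" else row["cs-uri-query"],
            status=int(row["sc-status"]),
            win32_status=int(row["sc-win32-status"]),
        ))
    return records


def to_sql_rows(records: List[AccessRecord]) -> List[Tuple[str, tuple]]:
    """Build parameterised INSERTs (ODBC '?' placeholders) for the hypothetical
    WebAccessLog table. Log values such as cs-uri-query are attacker supplied,
    so they are passed as parameters, never concatenated into the SQL text."""
    stmt = ("INSERT INTO WebAccessLog (LogTime, ClientHost, UserName, Operation, "
            "Target, Parameters, ServiceStatus, Win32Status) "
            "VALUES (?, ?, ?, ?, ?, ?, ?, ?)")
    return [(stmt, (r.log_time, r.client_host, r.username, r.operation,
                    r.target, r.parameters, r.status, r.win32_status))
            for r in records]


def unauthenticated_hits(records: List[AccessRecord]) -> List[AccessRecord]:
    """Requests that were served (status below 400) with no authenticated user.
    Each one is access the reporting package cannot attribute to a person."""
    return [r for r in records if r.username is None and r.status < 400]


if __name__ == "__main__":
    recs = parse_w3c(SAMPLE_LOG)
    for r in unauthenticated_hits(recs):
        print(f"unattributed access: {r.log_time} {r.client_host} {r.operation} {r.target}")
```

In the sample, the two requests by SPORTS\jsmith and the rejected 401 are attributable; the anonymous GET of /default.asp on port 80 is served but logged without a user, so it would appear in the reports as an access by nobody. Note that the 401 entry also shows why credentials must be protected on the wire: the failed authentication attempt went over port 443, whereas the anonymous hit used plain HTTP.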



MCSE: Windows Server 2003 Network Security Design Study Guide (Exam 70-298)
ISBN: 0782143296
Year: 2004
Pages: 168