This lab prepares you to design a remote access solution for Contoso Ltd. The lab meets the following objectives:
- Design a secure remote access solution for remote users
- Design a secure remote access solution for remote networks
About This Lab
This lab examines the planning required to provide remote connectivity to the Contoso Ltd. network and explores solutions for providing secure connectivity to remote users and remote networks.
Before You Begin
Make sure that you've completed reading the chapter material before starting the lab. Pay close attention to the sections where the design decisions were applied throughout the chapter for information on designing your administrative structure.
Scenario: Contoso Ltd.
Contoso Ltd., an international magazine sales company, plans to provide network access for their remote sales force. Currently, the sales force connects to the regional office by using toll-free numbers, but the costs are increasing to the point that alternative solutions must be found.
In a separate but related project, the company plans to open a new market research office in Barcelona, Spain, in two months. Rather than implementing a dedicated network link from the London office to the Barcelona office, Contoso wants to research the design requirements for implementing a VPN between the two offices.
The following sections outline the business goals for the two projects.
Providing Remote Access to the Remote Sales Force
Contoso must develop an alternative for remote network connectivity for the remote sales force. Your proposed solution must meet the following objectives:
- It must reduce the costs associated with long-distance calls. Currently the sales force connects to the London, Seattle, and Lima offices by calling a toll-free number. With the expansion of markets, the cost of the toll-free lines has increased rapidly.
- It must reduce the costs associated with maintaining a modem pool at each office. With the current growth of the remote sales force, the modem pool has been steadily increasing each quarter. In the last quarter more than 100 modems were added to the pool between the three offices.
- It must utilize smart card logon. Several remote sales force personnel were recently issued laptops running Windows 2000 Professional with built-in smart card readers. Contoso wants to ensure that all sales force personnel running Windows 2000 are required to log on with smart cards.
- It must provide remote access from laptops running both Windows 98 and Windows 2000 Professional. The remote sales force in South America is running older laptops with the Windows 98 operating system. The solution must allow connectivity from these laptops.
- It must simplify logon procedures. Remote access clients should select a local access phone number for their current location, provide their domain credentials, and log on to the network. The use of additional account and password combinations is unacceptable.
- It must provide mutual authentication of both the remote access user and the remote access server. Contoso wants to minimize the risk of an unauthorized remote access server accepting remote connections from the sales force.
- It must be restricted exclusively to the remote sales force. The solution must be restricted so that only members of the remote sales force can connect to the network. In the previous model this was accomplished by informing only the remote sales force of the toll-free number used to connect to the office.
- It must ensure the strongest form of encryption. Due to fears of confidential sales information being compromised, Contoso wants all authentication and data transmissions to be encrypted using only the strongest encryption algorithms. If the strongest form of encryption can't be used, the network connection must not be allowed.
- It must terminate connections if idle for more than 30 minutes. Due to the size of the remote sales force and the limited number of connections to the network, a connection that's idle for more than 30 minutes should be disconnected.
- The ability to save the user's password within the remote access network connection must be removed. An unauthorized person recently used a stolen laptop to connect to the network and access confidential documents. Users must be required to enter their passwords when connecting to the network remotely.
- All network traffic originating at remote clients must be inspected at a firewall. This allows the firewall to apply packet filters that prevent unauthorized network traffic from entering the corporate network.
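The objectives above map naturally onto the condition/profile split of a remote access policy: conditions decide which policy applies to a connection (group membership, client type), and the profile decides what a matching connection must negotiate (authentication protocol, encryption level, idle timeout). The following model is an added example written for this lab; it is not the book's answer key. The group name "RemoteSales", the encryption labels, the two-policy layout and the choice of EAP-TLS for the smart card laptops and MS-CHAP v2 for the Windows 98 laptops are assumptions of the example.

```python
"""Model of a remote access policy that enforces the sales-force objectives.

Added example (not the lab's own material). A policy is a set of conditions
(who it applies to) plus a profile (what a matching connection must meet),
mirroring the condition/profile split of Windows 2000 remote access policy.
Group name, encryption labels and the authentication protocol per client OS
are assumptions of this example.
"""
from dataclasses import dataclass, field
from typing import FrozenSet, List, Optional

# Encryption strengths in increasing order (labels are this example's own)
ENCRYPTION_RANK = {"none": 0, "basic": 1, "strong": 2, "strongest": 3}


@dataclass(frozen=True)
class ConnectionRequest:
    user: str
    groups: FrozenSet[str]
    client_os: str          # "Windows 2000" or "Windows 98"
    auth_protocol: str      # e.g. "EAP-TLS", "MS-CHAP v2", "PAP"
    encryption: str         # strongest level the client can negotiate


@dataclass(frozen=True)
class Policy:
    name: str
    required_group: str                 # condition: membership required
    client_os: Optional[str]            # condition: None means any client OS
    allowed_auth: FrozenSet[str]        # profile: permitted authentication
    min_encryption: str                 # profile: reject anything weaker
    idle_timeout_minutes: int           # profile: idle disconnect


@dataclass
class Decision:
    policy: Optional[str]
    allowed: bool
    reasons: List[str] = field(default_factory=list)
    idle_timeout_minutes: Optional[int] = None


# Two policies, one per client OS, both restricted to the sales-force group
# (assumed group name "RemoteSales"). Policies are ordered: first match wins.
POLICIES = (
    Policy("Sales force - Windows 2000", "RemoteSales", "Windows 2000",
           frozenset({"EAP-TLS"}), "strongest", 30),
    Policy("Sales force - Windows 98", "RemoteSales", "Windows 98",
           frozenset({"MS-CHAP v2"}), "strongest", 30),
)


def conditions_match(policy: Policy, req: ConnectionRequest) -> bool:
    """Conditions choose WHICH policy applies; they do not decide the outcome."""
    if policy.required_group not in req.groups:
        return False
    return policy.client_os is None or policy.client_os == req.client_os


def apply_profile(policy: Policy, req: ConnectionRequest) -> Decision:
    """The profile decides whether the matching connection is accepted."""
    d = Decision(policy.name, True, [], policy.idle_timeout_minutes)
    if req.auth_protocol not in policy.allowed_auth:
        d.allowed = False
        d.reasons.append(f"auth {req.auth_protocol} not permitted")
    if ENCRYPTION_RANK[req.encryption] < ENCRYPTION_RANK[policy.min_encryption]:
        # Objective: if the strongest encryption can't be used, refuse the connection
        d.allowed = False
        d.reasons.append(f"encryption {req.encryption} below {policy.min_encryption}")
    return d


def evaluate(req: ConnectionRequest) -> Decision:
    """First policy whose conditions match is applied; no match means refusal."""
    for policy in POLICIES:
        if conditions_match(policy, req):
            return apply_profile(policy, req)
    return Decision(None, False, ["no policy matches: not a sales-force user"])


if __name__ == "__main__":
    # constructed sample requests
    samples = [
        ConnectionRequest("alice", frozenset({"RemoteSales"}), "Windows 2000", "EAP-TLS", "strongest"),
        ConnectionRequest("bob", frozenset({"RemoteSales"}), "Windows 98", "MS-CHAP v2", "strong"),
        ConnectionRequest("dave", frozenset({"Marketing"}), "Windows 2000", "EAP-TLS", "strongest"),
    ]
    for s in samples:
        print(s.user, evaluate(s))
```

Note that the requirement to remove the "save password" option is not modelled here: the server never learns whether a client cached its password, so that objective has to be met on the client side rather than in the policy profile.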
Connecting the Barcelona Office to the Corporate Network
As mentioned earlier, Contoso wants to connect the Barcelona office to the London office using a VPN solution. The VPN solution must meet the following business objectives:
- All data that's sent between the two offices must be encrypted using the strongest form of encryption available for VPNs. Because the data will be transmitted over the Internet, there's a risk that the data could be inspected by unauthorized sources. Requiring the strongest form of encryption ensures that all data transmitted by the VPN solution is protected.
- The VPN servers must use dual authentication for network access. Both the computer accounts and the user accounts associated with the VPN must be authenticated.
- The tunnel server at the London office must be located in the DMZ behind an external firewall. Contoso wants to place the tunnel server behind the external firewall to prevent hackers from directly accessing the tunnel server. To allow this, you must configure the firewall to only allow VPN access to the tunnel server and prevent all other access attempts.
Exercise 1: Securing Access for the Remote Sales Force
This exercise examines providing secure access to the Contoso network for the remote sales force. Your design must meet the business objectives introduced in the lab scenario. Answers to these questions can be found in the appendix.
Determining a Solution
- What can Contoso do to reduce the costs associated with toll-free phone lines for remote access connectivity and still provide remote connectivity to the corporate network?
- If Contoso wants to implement the same VPN protocol for all remote access connections by the sales force, what VPN protocol must be deployed?
- If the remote access server for the remote sales force is deployed as shown in Figure 13.17, will anything prevent the use of PPTP or L2TP/IPSec VPN connections?
Figure 13.17 Proposed network configuration for the remote sales force VPN server
- How can the requirement for logging on with the user's domain account and password be accomplished if the user is initially connecting to an ISP?
- By using remote access policy, how can Contoso manage a sales force that runs different operating systems on their laptops?
Designing the Firewall
- How should you configure the firewall to support both PPTP and L2TP so that VPN traffic reaches the VPN server?
- Will the external firewall be able to inspect the data sent through the VPN tunnel to the tunnel server?
- Will the internal firewall be able to inspect the data sent through the VPN tunnel to the tunnel server?
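The three firewall questions above turn on which headers each firewall can actually see. The model below is an added example for this lab, not the book's answer key: the addresses are constructed (documentation ranges) and the internal rule set is a placeholder, but the protocol numbers and ports are the real ones used by the two Windows 2000 VPN protocols (PPTP: TCP 1723 plus IP protocol 47, GRE; L2TP/IPSec: UDP 500 for IKE plus IP protocol 50, ESP). It traces one packet through the external filter, the tunnel server and the internal filter, and reports whether the external firewall could inspect the payload at all.

```python
"""Packet-filter model for a tunnel server placed behind an external firewall.

Added example (not the lab's own material). Addresses are constructed. The
protocol numbers and ports are the real ones used by Windows 2000 VPNs:
  PPTP       : TCP 1723 for the control channel, IP protocol 47 (GRE) for data
  L2TP/IPSec : UDP 500 for IKE, IP protocol 50 (ESP) carrying the L2TP data
"""
from dataclasses import dataclass
from typing import Dict, Optional, Sequence

TUNNEL_SERVER = "192.0.2.10"   # constructed: external address of the tunnel server
FILE_SERVER = "10.0.0.20"      # constructed: a host on the internal network

TCP, UDP, GRE, ESP = 6, 17, 47, 50


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    ip_proto: int
    dst_port: Optional[int] = None      # only present for TCP/UDP
    inner: Optional["Packet"] = None    # the packet carried inside GRE/ESP
    encrypted: bool = False             # True for ESP and MPPE-protected GRE


@dataclass(frozen=True)
class Rule:
    name: str
    dst: str
    ip_proto: int
    dst_port: Optional[int] = None      # None: no port check (GRE/ESP have no ports)


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    if pkt.dst != rule.dst or pkt.ip_proto != rule.ip_proto:
        return False
    return rule.dst_port is None or rule.dst_port == pkt.dst_port


def first_match(rules: Sequence[Rule], pkt: Packet) -> Optional[str]:
    """Default-deny filter: name of the first matching allow rule, else None."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule.name
    return None


# External firewall: only VPN traffic, only to the tunnel server; all else dropped.
EXTERNAL_RULES = (
    Rule("PPTP control", TUNNEL_SERVER, TCP, 1723),
    Rule("PPTP data (GRE)", TUNNEL_SERVER, GRE),
    Rule("IKE", TUNNEL_SERVER, UDP, 500),
    Rule("IPSec ESP", TUNNEL_SERVER, ESP),
)

# Internal firewall: sees traffic after the tunnel server has stripped the tunnel,
# so it filters on the real destination and port (constructed policy: SMB only).
INTERNAL_RULES = (
    Rule("SMB to file server", FILE_SERVER, TCP, 445),
)


def external_firewall_sees_payload(pkt: Packet) -> bool:
    """The external firewall can inspect only what is not wrapped in a tunnel."""
    return pkt.inner is None and not pkt.encrypted


def tunnel_server_decapsulate(pkt: Packet) -> Optional[Packet]:
    """The tunnel server terminates GRE/ESP and forwards the inner packet."""
    return pkt.inner if pkt.ip_proto in (GRE, ESP) else None


def trace(pkt: Packet) -> Dict[str, object]:
    """Follow one packet: external filter -> tunnel server -> internal filter."""
    result: Dict[str, object] = {
        "external": first_match(EXTERNAL_RULES, pkt),
        "external_inspectable": external_firewall_sees_payload(pkt),
        "internal": None,
    }
    if result["external"] is None:
        return result                      # dropped at the perimeter
    inner = tunnel_server_decapsulate(pkt)
    if inner is not None:
        result["internal"] = first_match(INTERNAL_RULES, inner)
    return result


if __name__ == "__main__":
    # constructed sample: an ESP packet carrying SMB to the file server
    smb = Packet("10.0.1.5", FILE_SERVER, TCP, 445)
    print(trace(Packet("203.0.113.7", TUNNEL_SERVER, ESP, inner=smb, encrypted=True)))
    # constructed sample: a plain HTTP request to the tunnel server is not VPN traffic
    print(trace(Packet("203.0.113.7", TUNNEL_SERVER, TCP, 80)))
```

The point the trace makes: the external firewall can only allow or deny the tunnel itself (the GRE or ESP header is all it sees), while the internal firewall, placed after the tunnel server has decapsulated the traffic, is the one that can apply packet filters to what the remote client is actually sending.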
Designing Remote Access for Laptops Running Windows 2000 Professional
The following questions deal with the design decisions associated with the laptops running Windows 2000 Professional.
- How can you develop a remote access policy that's applied only to remote access client computers running Windows 2000 Professional?
- How would you enforce the use of smart card logon for sales force personnel running Windows 2000?
- What PKI design is required to allow smart card logon?
- If L2TP/IPSec is used by the Windows 2000 Professional laptops, are any additional certificates required?
- What can you do in remote access policy to ensure that the required authentication protocol, encryption algorithm, and idle disconnect settings are applied to all remote access clients?
- What settings must you configure in the remote access policy to meet the design objectives for connections from laptops running Windows 2000 Professional?
- What can you do at the remote access clients to ensure that the required authentication protocol, encryption algorithm, and idle disconnect settings are used?
Designing Remote Access for Laptops Running Windows NT 4.0 Workstation
The following questions deal with the design decisions associated with the laptops running Windows NT 4.0 Workstation.
- How can you develop a remote access policy that will only be applied to remote access client computers running Windows NT 4.0 Workstation?
- What remote access policy profile settings are required to ensure that the desired authentication protocol, encryption algorithm, and idle disconnect settings are applied to all Windows 98 remote access clients?
Identifying RADIUS Design Decisions
The following section examines the RADIUS design required for providing remote access to the sales force users.
- What RADIUS component is required at the ISP to allow sales force users to connect using their domain account and password?
- How will the ISP know where to forward authentication requests from the remote access clients? How would you configure this setting?
- Where on the Contoso network would you place the RADIUS server to provide the maximum level of security?
- What computers would you configure as RADIUS clients on the Contoso network?
- What happens to remote access policy design when RADIUS is deployed?
Exercise 2: Securing the Connection to the Barcelona Office
The following exercise examines the design decisions that you must address when designing network connectivity for the Barcelona office. Answers to these questions can be found in the appendix.
- What protocol must you use for the VPN between the London and Barcelona offices?
- Could you use the same VPN server for both the network connection to the Barcelona office and for the sales force users? What must you configure if the VPN server can support both connection requests?
- What must you include in the remote access policy to identify the connections from the Barcelona VPN server?
- What PKI design is required to meet the business objectives?
- Figure 13.18 shows the proposed network configuration to connect the Barcelona office to the London office. What packet filters are required at the Barcelona server to only allow connections from the London VPN server?
Figure 13.18 Connecting the Barcelona office to the London office