Market Florist, an Internet-based florist, plans to manage its Web site at the head office in Seattle. The company is currently hosting the ww.marketflorist.tld Web site off-site at its Internet Service Provider (ISP). Market Florist plans to move all Internet-based resources to its own network by the end of the year. The company believes that managing its own Internet site will allow it more flexibility in the services it offers on the Internet.
The decision to host the Internet services at the Seattle office has taken a long time. Senior management is concerned that hosting the Web site locally could result in a security breach that affects the private network. Management has authorized the purchase of a new firewall device but has approved funds for the purchase of only a single firewall.
You've been hired to design a secure Internet presence for Market Florist that provides accessibility to all Internet-accessible resources while maintaining the security of the private network. Additionally, the firewall must protect the private network users by hiding their true IP addresses from the public network.
Market Florist will use marketflorist.tld as its Active Directory directory service forest root and as its namespace on the Internet. The security design for the extranet must allow private network users to connect to the Internet and to Internet-accessible resources without exposing the internal IP addressing scheme to the public network.
Currently an internal DNS server that forwards Internet requests to the ISP's DNS server is located at IP address 10.10.10.3. The new security design calls for the DNS server to forward internal DNS requests to an external DNS server located in the extranet. The external DNS server will forward Internet requests to the ISP's DNS server at IP address 188.8.131.52.
John Coake and Pat Coleman, two members of the IT department, are responsible for maintaining the files available to external users at Market Florist's FTP server. To ensure that no files are uploaded to the FTP server, the FTP server is configured to allow file downloads only. John and Pat use Telnet to connect to the Internet-accessible FTP server and modify the files that are available for download.
Market Florist has designated a specific number of Microsoft Windows 2000–based computers to be accessible from the Internet. Table 14.1 outlines the Windows 2000–based servers and the role they will play in Market Florist's extranet.
Table 14.1 Market Florist Extranet Server Roles
|Server Name||IP Address||Role|
|MFDNS||192.168.77.254||External DNS server, located in the extranet for Market Florist, to allow public network client computers to resolve marketflorist.tld resources. |
Contains only externally accessible resource records. None of the addresses contain internal IP addressing information.
|MFWEB||192.168.77.2||A Network Load Balancing Services (NLBS) Web cluster consisting of four identically configured Web servers: |
The Flower Power application, an application that allows customers to purchase floral arrangements on the Internet, will connect to a Microsoft SQL server on the private network for storing order details.
The port at which the Flower Power application listens for connection will be changed every six months.
|MFFTP||192.168.77.7||File Transfer Protocol (FTP) server used by client computers for downloading brochures on floral arrangements available from Market Florist. |
The FTP server must only allow downloads. All requests to upload data must be terminated immediately.
John Coake and Pat Coleman can access the FTP server by using Telnet from the private network to manipulate the files located in the FTP folder.
Only John and Pat should be allowed to connect to the MFFTP server using Telnet.
|MFMAIL||192.168.77.8||The server running Microsoft Exchange Server 5.5 accepts incoming e-mail and allows remote salespeople to retrieve their e-mail using Post Office Protocol v3 (POP3) client software.|
|MFTUNNEL||192.168.77.9||This server, running Routing and Remote Access service (RRAS), allows employees to connect to private network resources.|
All the servers available in the Market Florist extranet must allow administrators to manage the servers remotely using Terminal Services. Only administrators should be allowed to connect to the server by using Terminal Services.
All the Windows 2000 servers in the extranet are advertised on the Internet with public network addresses to allow external client computers to connect to the Market Florist resources. Table 14.2 shows the public network addresses and host names for the externally accessible resources.
Table 14.2 Market Florist Externally Available Resources
|Hostname||IP address||Private Network Server|
|client.marketflorist.tld||184.108.40.206||All private network client computers accessing the Internet|
To support online ordering, Market Florist uses an ActiveX control named Flower Power. The Flower Power application allows customers to order floral arrangements over the Internet by providing nothing more than their customer number. When an order is made, the customer number and the floral arrangement order are recorded on a server named MFSQL that's located on the private network. The IP address of the internal MFSQL server is 10.10.10.20.
To acquire a Flower Power customer number, the customer must connect to https://www.marketflorist.tld/newcustomer and enter customer and credit card information. A Flower Power administrator will e-mail the customer number to the client to allow easy ordering on the Internet. There are concerns that the Flower Power application is suspect to data interception attacks. To reduce the risk of these attacks, the listening port for the Flower Power server-side application is changed every six months. The current port is User Datagram Protocol (UDP) 6834, but the security plan must provide a strategy for handling the port changing at regular intervals. The firewall solution must ensure that Flower Power connections aren't hijacked by an attacker.