Wide World Importers has acquired a T3 connection to the Internet for its Washington, D.C. corporate office. All Internet access from Wide World Importers employees must pass through the firewall located at the Washington office to ensure that only authorized protocols and computers access the Internet. This design is shown in Figure 15.1.
Figure 15.1 Internet access for Wide World Importers
Wide World Importers Domain Model
The Wide World Importers forest consists of two domains: wideworldimporters.tld and engineering.wideworldimporters.tld, as shown in Figure 15.2.
Figure 15.2 The Wide World Importers Active Directory directory service forest
The corporate Information Technology (IT) department will manage Internet access. The IT department plans to apply the Internet access policy equally for both domains. The same rules will apply to all users in the forest.
Computers Permitted to Access the Internet
Wide World Importers uses the network infrastructure shown in Figure 15.3 to provide secure Internet access to employees.
Figure 15.3 The Wide World Importers network infrastructure
Wide World Importers requires all client computers accessing the Internet to use Microsoft Proxy Server 2.0 located on the private network at the Washington office. The IP address of the Proxy Server is 172.16.2.1. The following servers, located in the Demilitarized Zone (DMZ), also send outgoing traffic to the Internet:
- Domain Name System (DNS) server. The external DNS server forwards DNS requests to the DNS server of Wide World Importers' Internet Service Provider (ISP), located at IP address 126.96.36.199. The external DNS server's IP address is 172.16.7.2. The external DNS server resolves Internet requests for hosts in the wideworldimporters.tld domain.
- Mail server. The mail server acts as a Simple Mail Transfer Protocol (SMTP) gateway to the Internet. All outgoing e-mail messages go through the mail server in the DMZ. All incoming e-mail messages for mailboxes in the wideworldimporters.tld domain also go to the mail server in the DMZ. The IP address of the mail server is 172.16.7.3.
Wide World Importers Computers and Applications
Wide World Importers must provide Internet access to a mix of Microsoft Windows 95–, Windows 98–, Windows NT 4.0–, and Windows 2000–based computers.
- Some of the Windows 98–based computers in the Toronto office continue to use Netscape Navigator for Internet browsing.
- News and FTP clients vary by site. Most offices are using third-party versions of the applications.
- A mix of Microsoft Internet Explorer versions is deployed throughout the network. The company plans to standardize on the most recent release of Internet Explorer soon.
Wide World Importers Internet Use Policy
Before deploying Internet access, Wide World Importers plans to develop an Internet acceptable use policy. This document will clearly define expectations for employees who access the Internet through Wide World Importers' Internet connection. The policy will specify that
- Only employees who sign the Internet acceptable use contract will be granted Internet access.
- Not all employees will have Internet access. Only employees who use the Internet in their day-to-day business affairs will have access.
- All employees will be able to send Internet e-mail messages through the corporate e-mail system. Outbound mail will be scanned periodically to ensure that the e-mail service is being used only for authorized business.
- Because all Internet access is through the single connection to the Internet, protocols will be limited to only authorized protocols. The Proxy Server will be configured to allow only authorized protocols through to the Internet.
- Logs will be maintained of all Internet usage and scanned monthly to minimize personal Internet use.
- Access to a popular Internet gaming site, nwtraders.tld, is prohibited.
- Access to sites that display pornography or violence must be prevented.
Wide World Importers Internet Restrictions
The following restrictions will be applied uniformly to all computers and users in the wideworldimporters.tld forest:
- Wide World Importers plans to use the Content Advisor in Internet Explorer to prevent access to inappropriate Internet sites. Content rating must be included in Internet Explorer's configuration and applied during the installation of the Windows 2000–based computers. When installed on Windows 95 and Windows NT-based computers, Internet Explorer will be manually configured by the network administrators at each office during a maintenance visit.
- The Mexico City site will be restricted from using the Internet, except for e-mail services. The manager at the Mexico City site is unwilling to have the employees there sign the Internet acceptable use contract.
- Users who are granted Internet access will be allowed to use only the following protocols: Hypertext Transfer Protocol (HTTP), Hypertext Transfer Protocol Secure (HTTPS), Network News Transport Protocol (NNTP), and File Transfer Protocol (FTP).
- Users in the IT departments at each office will be allowed to use any available protocol. This includes IT departments for both the wideworldimporters.tld and engineering.wideworldimporters.tld domains.
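As an added illustration (not from the book and not the company's real configuration), the following Python encodes the firewall egress rules from the network description and the user-level restrictions above as ordered allowlists, so each rule can be checked against a request before the design is deployed. The 172.16.0.0/16 private range, the decision that the Mexico City restriction outranks the IT any-protocol rule, and the host names in the comments are assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Hosts named in the chapter; the private range is an assumption.
PROXY, EXT_DNS, MAIL_GW, ISP_DNS = "172.16.2.1", "172.16.7.2", "172.16.7.3", "126.96.36.199"
PRIVATE_NET = ipaddress.ip_network("172.16.0.0/16")
# Firewall egress allowlist: (source, destination or None = any, port or None = any).
EGRESS_RULES = [
    (PROXY, None, None),        # proxy enforces per-user protocol rules itself
    (EXT_DNS, ISP_DNS, 53),     # external DNS forwards only to the ISP's DNS
    (MAIL_GW, None, 25),        # SMTP gateway in the DMZ
]
ALLOWED_PROTOCOLS = {"http", "https", "nntp", "ftp"}   # non-IT users with access
BLOCKED_DOMAINS = {"nwtraders.tld"}                    # prohibited gaming site
MAIL_ONLY_OFFICES = {"Mexico City"}

def egress_permitted(src_ip, dst_ip, dport):
    """Firewall: only the proxy, external DNS and mail hosts may reach the Internet."""
    if ipaddress.ip_address(dst_ip) in PRIVATE_NET:
        return False                                     # not Internet-bound
    return any(src_ip == s and d in (None, dst_ip) and p in (None, dport)
               for s, d, p in EGRESS_RULES)

@dataclass(frozen=True)
class Request:
    office: str
    is_it_staff: bool
    signed_aup: bool      # signed the acceptable use contract
    protocol: str         # e.g. "http", "smtp", "telnet"
    host: str             # destination host name

def _in_domain(host, domain):
    return host == domain or host.endswith("." + domain)

def access_decision(req):
    """User policy: returns (allowed, reason); rules apply in order, first match wins."""
    proto, host = req.protocol.lower(), req.host.lower()
    if proto == "smtp":                      # e-mail is open to every employee
        return True, "e-mail permitted for all employees"
    if req.office in MAIL_ONLY_OFFICES:      # assumption: site rule outranks IT rule
        return False, "office restricted to e-mail"
    if not req.signed_aup:
        return False, "acceptable use contract not signed"
    if any(_in_domain(host, d) for d in BLOCKED_DOMAINS):
        return False, "prohibited site"      # uniform: applies to IT staff too
    if req.is_it_staff:
        return True, "IT department: any protocol"
    if proto in ALLOWED_PROTOCOLS:
        return True, "authorized protocol"
    return False, f"protocol {proto} not authorized"
```

Keeping the rules in order matters: moving the prohibited-site check below the IT rule would silently exempt IT staff from a restriction the policy applies to everyone.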
Security Concerns for Wide World Importers
Wide World Importers' management is concerned that employees will introduce threats to corporate network security through the Internet connection. Specifically, management is concerned about
- The introduction of viruses to the network. Due to recent and highly publicized Internet viruses, management wants to deploy a comprehensive virus detection program that detects viruses at all network entry points.
- The installation of unlicensed software downloaded from the Internet. Another company in the same business as Wide World Importers was recently taken to court for using illegal software on client computers. Management wants to ensure that users won't be able to install software downloaded from the Internet.
- Internet hackers gaining access to private network resources. One of the managers read about an Internet hacker and was alarmed to find that hackers can gain access to the network if it's connected to the Internet. Management wants to ensure that the hackers won't have easy access to the corporate network.