Activity: Identifying Security Design Risks

You've been hired by an organization to maintain network security when its employees access the Internet. To apply access rules based on users' group memberships, you've decided to deploy Proxy Server 2.0 on the network and to require that all Internet-bound communication be performed by Proxy Server 2.0 on behalf of the employees.

This activity examines how your security design changes according to the location of the Proxy Server within your organization's network. In this activity the design must meet the following requirements:

  • All access from the private network to Internet-based resources must be performed through the Proxy Server.
  • All access to the Web server in the DMZ must bypass the Proxy Server.
  • Client computers can send DNS requests only to the DNS server located in the private network. The DNS server in the private network is the only computer that may contact the DNS server in the DMZ.
  • The DNS server in the DMZ forwards all Internet-related DNS queries to the ISP's DNS server located at IP address 131.107.1.1.

Locating the Proxy on the Private Network

The first proposal for the network configuration places the Proxy Server on the private network, as shown in Figure 15.14.


Figure 15.14 Placing the Proxy Server for your organization on the private network

Based on the proposed location of the Proxy Server, answer the following questions. Answers to these questions can be found in the appendix.

  1. Assuming that the internal firewall processes packet filters in the order that they're listed in the packet filters list, which packet filters are required at the internal firewall to accomplish the following tasks?
    • Allow private network client computers to access the Proxy Server
    • Allow private network client computers to access the Web server in the DMZ using HTTP and HTTPS
    • Restrict access to the DNS server in the DMZ to only the DNS server in the private network
    • Allow the Proxy Server to access any resources on the Internet
    • Prevent private network client computers from directly accessing the Internet

    Protocol | Source IP | Source Port | Target IP | Target Port | Transport Protocol | Action
    HTTP     |           |             |           |             |                    |
    HTTPS    |           |             |           |             |                    |
    DNS      |           |             |           |             |                    |
    DNS      |           |             |           |             |                    |
    Any      |           |             |           |             |                    |
    Any      |           |             |           |             |                    |
  2. What packet filters are required at the external firewall to allow only the Proxy Server to connect to Internet resources and to allow the external DNS server to forward DNS requests to the ISP's DNS server?

    Protocol | Source IP | Source Port | Target IP | Target Port | Transport Protocol | Action
    DNS      |           |             |           |             |                    |
    DNS      |           |             |           |             |                    |
    Any      |           |             |           |             |                    |
  3. Does the external firewall require a packet filter to prevent the private network clients from connecting to the Internet?
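As an added example (not from the training kit), the following Python models the first-match evaluation that question 1 assumes and checks a constructed internal-firewall filter list for the Figure 15.14 layout against the activity's requirements. Every address is a constructed placeholder, since the figures are not reproduced here, and the filter list is one candidate, not the appendix answer.

```python
import ipaddress
from dataclasses import dataclass
# Constructed addresses for the Figure 15.14 layout (Proxy Server on the private
# network); the figure's real addresses are not reproduced on the page.
PRIVATE = ipaddress.ip_network("10.0.0.0/24")
ANY = ipaddress.ip_network("0.0.0.0/0")
PROXY, PRIVATE_DNS = "10.0.0.10", "10.0.0.53"
DMZ_WEB, DMZ_DNS = "192.168.100.80", "192.168.100.53"

def host(ip):
    return ipaddress.ip_network(ip + "/32")
@dataclass
class Filter:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: str     # transport protocol: "tcp", "udp" or "any"
    dport: object  # target port number or "any"
    action: str    # "allow" or "deny"

# Candidate internal-firewall list, evaluated top to bottom; first match wins.
INTERNAL_FW = [
    Filter(PRIVATE, host(DMZ_WEB), "tcp", 80, "allow"),            # HTTP to DMZ Web server
    Filter(PRIVATE, host(DMZ_WEB), "tcp", 443, "allow"),           # HTTPS to DMZ Web server
    Filter(host(PRIVATE_DNS), host(DMZ_DNS), "udp", 53, "allow"),  # only the private DNS server
    Filter(host(PRIVATE_DNS), host(DMZ_DNS), "tcp", 53, "allow"),  # may reach the DMZ DNS server
    Filter(host(PROXY), ANY, "any", "any", "allow"),               # Proxy Server reaches the Internet
    Filter(PRIVATE, ANY, "any", "any", "deny"),                    # clients get nothing else
]

def evaluate(rules, src, dst, proto, dport):
    """Return the action of the first matching filter; no match means deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if s in r.src and d in r.dst and r.proto in (proto, "any") and r.dport in (dport, "any"):
            return r.action
    return "deny"
# The activity's requirements as (name, packet, expected action); 203.0.113.5 is a stand-in Internet host.
REQUIREMENTS = [
    ("client -> DMZ Web over HTTP", ("10.0.0.77", DMZ_WEB, "tcp", 80), "allow"),
    ("client -> DMZ Web over HTTPS", ("10.0.0.77", DMZ_WEB, "tcp", 443), "allow"),
    ("client -> DMZ DNS is blocked", ("10.0.0.77", DMZ_DNS, "udp", 53), "deny"),
    ("private DNS -> DMZ DNS", (PRIVATE_DNS, DMZ_DNS, "udp", 53), "allow"),
    ("Proxy Server -> Internet", (PROXY, "203.0.113.5", "tcp", 443), "allow"),
    ("client -> Internet is blocked", ("10.0.0.77", "203.0.113.5", "tcp", 80), "deny"),
]

def check_requirements(rules):
    """Return the names of the requirements an ordered filter list fails to meet."""
    return [name for name, pkt, want in REQUIREMENTS if evaluate(rules, *pkt) != want]
```

Calling check_requirements(INTERNAL_FW) returns an empty list, while check_requirements(INTERNAL_FW[-1:] + INTERNAL_FW[:-1]), which moves the catch-all deny to the top, reports four failures; that is the ordering point question 1 asks you to keep in mind.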


Locating the Proxy in the DMZ

The second proposal for the network configuration places the Proxy Server in the DMZ, as shown in Figure 15.15.


Figure 15.15 The Proxy Server location for your organization

Based on the proposed location of the Proxy Server, answer the following questions. Answers to the questions can be found in the appendix.

  1. Assuming that the internal firewall processes packet filters in the order that they're listed in the packet filters list, what packet filters are required at the internal firewall to accomplish the following tasks?
    • Allow private network client computers to access the Proxy Server
    • Allow private network client computers to access the Web server in the DMZ using HTTP and HTTPS
    • Restrict access to the DNS server in the DMZ to only the DNS server in the private network
    • Allow the Proxy Server to access any resources on the Internet
    • Prevent private network client computers from directly accessing the Internet

    Protocol | Source IP | Source Port | Target IP | Target Port | Transport Protocol | Action
    HTTP     |           |             |           |             |                    |
    HTTPS    |           |             |           |             |                    |
    DNS      |           |             |           |             |                    |
    DNS      |           |             |           |             |                    |
    Any      |           |             |           |             |                    |
    Any      |           |             |           |             |                    |
  2. Does the internal firewall require a packet filter for outbound traffic from the Proxy Server?


  3. What packet filters are required at the external firewall to allow only the Proxy Server to connect to Internet resources and to allow the external DNS server to forward DNS requests to the ISP's DNS server?

    Protocol | Source IP | Source Port | Target IP | Target Port | Transport Protocol | Action
    DNS      |           |             |           |             |                    |
    DNS      |           |             |           |             |                    |
    Any      |           |             |           |             |                    |

Source: Microsoft Corporation, MCSE Training Kit (Exam 70-220): Designing Microsoft Windows 2000 Network Security (IT-Training Kits), 2001. ISBN 0735611343. 172 pages.
