Lab 10.1: Planning Your Network Security

After completing this lab, you’ll be able to

• Design an authentication and encryption strategy
• Design an authorization strategy
• Design a firewall strategy

About This Lab

In this lab, you’ll design a security strategy that takes into account authentication, encryption, authorization, and firewall protection. The exercises in this lab are based on a Web site that’s set up for the exclusive use of a set of users who must be authenticated to access resources in the site, as described in the scenario. Note that in the first exercise authentication and encryption are grouped together (unlike the lessons in the chapter). This is because encryption goes hand-in-hand with some authentication models.

Before You Begin

Before you begin this lab, you must be able to

• Administer Windows 2000 Server and IIS
• Set up user accounts and groups in a Windows 2000 domain
• Set up IIS and NTFS permissions
• Provide an overview of how firewall protection is implemented in a Web environment

Scenario: A Security Strategy for Northwind Traders

Northwind Traders is implementing a Web site that will allow wholesale customers to access their accounts. Customers work on client computers that are configured with a broad range of operating systems and browsers. When users log on, they should be prompted for usernames and passwords in order to be authenticated into the system. Users will be authenticated through Windows accounts; no customized authentication applications or ISAPI filters will be used. Once authenticated, users should be able to read and execute ASP applications that access data from SQL Server databases. All data that’s transmitted between authenticated users and the Web site should be secure in order to ensure the privacy and integrity of that data. At this time, no IP addresses, networks, or domain names will be denied access to your site.

The Web portion of the company’s network will include a Web cluster and a Data cluster, as shown in Figure 10.16. All the computers in the two clusters are configured with Windows 2000 Advanced Server.

Figure 10.16 - Network topology for Northwind Traders

When users access the Web site, they’ll go to http://www.northwindtraders.com. From there, they’ll be redirected to https://www.northwindtraders.com/secure/default.asp and prompted for a username and password. Once authenticated, they’ll view a home page that provides them with various options that allow them to find the information they need.

As the network administrator, you must design a security strategy that allows approved customers to access the resources they need on the site, prevents these users from accessing any resources beyond what they need, and prevents any unauthorized users from accessing the site. In addition, you want to use firewall protection to protect site resources, particularly the databases, and the private corporate network.

Exercise 1: Planning an Authentication and Encryption Strategy

As the network administrator, you’ve set up user accounts for each wholesale customer who plans to access your Web site. Because these users will all have the same level of access, you create a user group—Customers—and add each of these users to the group. You now want to set up an authentication model.

1. What authentication models does IIS support and how do these models differ?
2. Which authentication model should you use?
3. What are the limitations on the authentication model you chose?
4. In addition to authenticating users, you must ensure that all data transmitted between the users and the Web site is secure in order to ensure that data’s privacy and integrity. One way to secure data is through encryption. What are several methods that you can use to encrypt data and how are those methods different?
5. How can you make data transferred between clients and the Web servers secure?

Exercise 2: Planning an Authorization Strategy

Once you’ve planned how users will be authenticated, you can determine how they’ll be authorized to use the ASP applications. You must address two levels of authorization: IIS and NTFS. Remember, users must be able to access the ASP pages and use the tools on those pages to access the needed information. Also note that no IP addresses, networks, or domain names will be denied access to your site.

1. Before you determine how users will be authorized, you decide to review the access process so that you have a complete picture of how users will access resources. What steps will the access process follow?
2. IIS permissions apply to all users trying to access the Web site. How should you set up those permissions?
3. Unlike IIS permissions, NTFS permissions apply to specific users and groups. How should you set up those permissions?

Exercise 3: Planning a Firewall Strategy

Your firewall strategy should try to maximize the protection of your private network and your Web services, particularly the databases. You’ll use your firewalls to define your perimeter network and to isolate your private network.

1. What are the two basic perimeter network topologies that you can use to set up your firewalls and how do these topologies differ?
2. You want to maximize the amount of security that you provide your network through firewalls. Which configuration should you use?
3. You also want to protect your database as much as possible through the use of firewalls. How many firewalls should you use in your network?