After completing this lab, you’ll be able to
In this lab, you’ll design a security strategy that takes into account authentication, encryption, authorization, and firewall protection. The exercises in this lab are based on a Web site that’s set up for the exclusive use of a set of users who must be authenticated to access resources in the site, as described in the scenario. Note that in the first exercise authentication and encryption are grouped together (unlike the lessons in the chapter). This is because encryption goes hand-in-hand with some authentication models.
Before you begin this lab, you must be able to
Northwind Traders is implementing a Web site that will allow wholesale customers to access their accounts. Customers work on client computers that are configured with a broad range of operating systems and browsers. When users log on, they should be prompted for usernames and passwords in order to be authenticated into the system. Users will be authenticated through Windows accounts; no customized authentication applications or ISAPI filters will be used. Once authenticated, users should be able to read and execute ASP applications that access data from SQL Server databases. All data that’s transmitted between authenticated users and the Web site should be secure in order to ensure the privacy and integrity of that data. At this time, no IP addresses, networks, or domain names will be denied access to your site.
The Web portion of the company’s network will include a Web cluster and a Data cluster, as shown in Figure 10.16. All the computers in the two clusters are configured with Windows 2000 Advanced Server.
Figure 10.16 - Network topology for Northwind Traders
When users access the Web site, they’ll go to http://www.northwindtraders.com. From there, they’ll be redirected to https://www.northwindtraders.com/secure/default.asp and prompted for a username and password. Once authenticated, they’ll view a home page that provides them with various options that allow them to find the information they need.
As the network administrator, you must design a security strategy that allows approved customers to access the resources they need on the site, prevents these users from accessing any resources beyond what they need, and prevents any unauthorized users from accessing the site. In addition, you want to use firewall protection to protect site resources, particularly the databases, and the private corporate network.
As the network administrator, you’ve set up user accounts for each wholesale customer who plans to access your Web site. Because these users will all have the same level of access, you create a user group—Customers—and add each of these users to the group. You now want to set up an authentication model.
Once you’ve planned how users will be authenticated, you can determine how they’ll be authorized to use the ASP applications. You must address two levels of authorization: IIS and NTFS. Remember, users must be able to access the ASP pages and use the tools on those pages to access the needed information. Also note that no IP addresses, networks, or domain names will be denied access to your site.
Your firewall strategy should try to maximize the protection of your private network and your Web services, particularly the databases. You’ll use your firewalls to define your perimeter network and to isolate your private network.