Case Scenario Exercise

In this exercise, you will read a scenario about a company’s challenge to minimize the risk of confidential data falling into the wrong hands while staying within an extremely limited security budget. The questions are intended to reinforce key information presented in this chapter. If you are unable to answer a question, review the lessons and try the question again. You can find answers to the questions in the “Questions and Answers” section at the end of this chapter.

Scenario

You are an administrator for Contoso, Ltd. Your company is in the mergers and acquisitions business, working closely with public corporations before major business deals. During the process of a merger, Contoso, Ltd., exchanges hundreds of confidential documents with your customer’s executive and legal teams. Currently, when confidential documents are exchanged between Contoso, Ltd., and its customers, they must be printed and physically delivered because Contoso, Ltd.’s Chief Information Officer (CIO) is not comfortable allowing your customers to retrieve them from the file servers on which the master copies of the documents are stored. After all, allowing electronic access to your file servers from other networks could open the file server to attack. Many people could profit from advance knowledge of a merger, and profit is a powerful motivator to a skilled attacker.

Unfortunately, the cost of having the paperwork delivered is cutting into your company’s profits. Even worse, waiting for the documents to be delivered overnight adds several weeks to the length of the merger process. If you can find a way to provide for secure communications with your external partners and make the CIO comfortable with using electronic communications, you would save your company millions of dollars.

Contoso, Ltd., has offices in New York, Boston, and San Jose. The three offices are networked by means of private links that connect to a switched frame relay network. Additionally, each office has an Internet connection to enable employees to do research by using Internet resources. Many of Contoso, Ltd.’s 300 employees have to travel to customer offices on a regular basis and dial in to Contoso, Ltd.’s bank of modems for access to the internal network. All computers are members of a single Active Directory domain.

Questions

1. Your CIO’s main concern is reducing the length of the merger process by allowing customers to retrieve documents electronically from your file servers. How would you propose that this be accomplished?

2. How can you use IPSec to reduce the costs of the private links between the three offices?

3. How can you use IPSec to reduce the costs of maintaining the dial-up modem bank and the long distance costs associated with remote employees dialing in?

4. How can you use IPSec to improve the security of communications on the internal network?