Designing for Secure Communications with External Organizations




Many times you need to extend your network to communicate with external organizations. The data your organization sends over these connections is often confidential and needs to be protected, so it is vital to guard against eavesdropping and tampering and to authenticate the source of the packets exchanged between your organization and the external one.

One of the ways to ensure secure communication between your organization and an external organization is to set up a VPN and use L2TP/IPSec as discussed earlier. In addition, you will need to authenticate the external organization, which can be a problem because duplicating user accounts for another organization would surely be a management headache. However, you can use the existing accounts that are in the other (and presumably trusted) organization by setting up a RADIUS client that points to the other organization. You would not need to establish or manage accounts in your organization; all of this would be handled by the other organization.

In addition to the solutions presented in the preceding paragraph, you could set up a dedicated VPN tunnel. Using this approach, the router end points would authenticate each other, ideally with a certificate obtained from a PKI or with Kerberos for maximum security. If security is less of a concern, you can use a preshared key to establish the dedicated VPN tunnel. You also need to design a way to securely communicate key changes between the organizations. This process can be automated once a PKI is installed, because you can then set up a secure connection between the organizations. You would use the same kinds of technologies used in the demand-dial solution discussed in the previous section.

The main difference between a business’s client computer or branch office connecting with a VPN and an external organization connecting with one is the need to authenticate accounts in the external organization. To do this, you can use a RADIUS server, which on Windows Server 2003 is called Internet Authentication Service (IAS), to validate accounts located in another organization. This requires that you set up a PKI. You can then use a new feature of Windows Server 2003 known as an IAS proxy to forward the request to a RRAS server in another forest.
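The routing decision an IAS proxy makes when it receives an authentication request can be modelled as a small realm lookup: requests carrying the partner forest's realm are forwarded to that forest's RADIUS server group, the organization's own users are authenticated locally, and unknown realms are refused. The following Python model is an added example, not code from the study guide or from IAS; the realm names, the server group name and the `route_request` helper are constructed for illustration.

```python
"""Model of the IAS proxy design: decide, per RADIUS Access-Request,
whether the User-Name belongs to the local forest, to a trusted partner
forest (forward to its RADIUS server group), or to nobody we know (reject).
Illustrative model only; realm names below are constructed placeholders."""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed realm tables (placeholders for the two companies' forests).
# A user can present either a UPN (user@realm) or DOMAIN\user form.
LOCAL_REALMS = {"frankfurters.example", "frankfurters"}
REMOTE_GROUPS = {
    "kielbasa.example": "Kielbasa-Factory-RADIUS",
    "kielbasa": "Kielbasa-Factory-RADIUS",
}

@dataclass
class Decision:
    action: str             # "local", "forward" or "reject"
    target: Optional[str]   # remote RADIUS server group when forwarding
    user_name: str          # User-Name as it will be processed onward

# Accept DOMAIN\user, user@realm or a bare user name; anything with
# extra '@' or '\' separators is malformed and will not match.
USER_RE = re.compile(
    r"^(?:(?P<dom>[^\\@]+)\\)?(?P<user>[^\\@]+)(?:@(?P<realm>[^\\@]+))?$"
)

def route_request(user_name: str) -> Decision:
    """Return the proxy's decision for one Access-Request User-Name."""
    m = USER_RE.match(user_name)
    if not m:
        # Malformed identity: never forward what we cannot classify.
        return Decision("reject", None, user_name)
    realm = (m.group("realm") or m.group("dom") or "").lower()
    if realm == "" or realm in LOCAL_REALMS:
        # No realm or our own realm: authenticate against the local forest.
        return Decision("local", None, user_name)
    group = REMOTE_GROUPS.get(realm)
    if group is None:
        # Unknown realm: no trust relationship, so refuse rather than guess.
        return Decision("reject", None, user_name)
    return Decision("forward", group, user_name)
```

Extending the table with a new realm is the model's equivalent of adding a remote RADIUS server group and a matching connection request policy on the proxy.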

In the following Design Scenario, you will design a security solution for connecting to an external organization.

Design Scenario: Designing a Connection Strategy with an External Organization


Frankfurters, Inc. has decided to expand its business by purchasing a small sausage maker called the Kielbasa Factory. As part of the purchase, the folks in the IT department are integrating the network at the Kielbasa Factory with Frankfurters, Inc.’s network. Employees at Frankfurters will need to access the inventory, accounting, customer, and shipping systems located at the Kielbasa Factory. Frankfurters does not want to spend money on leased lines to the Kielbasa Factory because Frankfurters already has DSL access to the Internet. The Kielbasa Factory has its own Windows Server 2003 forest and infrastructure in place.

  1. Question: What should you propose to provide external access to the Kielbasa Factory’s network resources from Frankfurters’s network?

     Answer: You would establish a VPN tunnel between the Kielbasa Factory and Frankfurters, Inc. to encrypt and protect traffic between the companies. The VPN tunnel would use the Internet as a vehicle for connections to avoid the use of leased lines. You would enable IP packet filtering on the interface to allow only the necessary traffic to pass between the networks to protect assets located at the company. You would need to establish a trust between the forests so that employees in one company could access resources in the other without having to log in again.







MCSE. Windows Server 2003 Network Security Design Study Guide Exam 70-298
ISBN: 0782143296
Year: 2004
Pages: 168
