MCSE Training Kit (Exam 70-220): Designing Microsoft Windows 2000 Network Security: Designing Microsoft(r) Windows(r) 2000 Network Security (IT-Training Kits)

Lab Objectives

This lab prepares you to design security for Internet-accessible resources in a DMZ by meeting the following objectives:

• Determine a DMZ configuration that meets all business needs
• Design firewall packet filters to allow authorized traffic to enter and exit the DMZ

About This Lab

This lab looks at designing a DMZ for the Contoso Ltd. extranet to expose services to the Internet in a secure manner. Once you've established a DMZ configuration, you will design the internal and external firewalls packet filters to allow only authorized protocols to enter and exit the DMZ and private network.

Before You Begin

Make sure that you've completed reading the chapter material before starting the lab. Pay close attention to the sections where the design decisions were applied throughout the chapter for information on building your administrative structure.

Scenario: Contoso Ltd.

Contoso Ltd., an international magazine sales company, wants to design a DMZ to protect Internet-accessible resources by allowing only authorized protocols to enter and exit the DMZ.

Your DMZ design must meet the following business objectives:

• Contoso has a limited budget for the DMZ project and can afford only two firewalls for the creation of the DMZ.
• The DMZ configuration must prevent private network addressing from being exposed to the Internet. Only IP addresses from the 131.107.100.0/24 and 131.107.99.0/24 networks should be revealed to the Internet.
• The firewalls must ensure that only authorized traffic can enter and exit the DMZ. All other data must be dropped at the firewalls.

Internet-Accessible IP Addresses

Contoso owns the contoso.tld domain on the Internet. While this is the same domain as the Active Directory forest root, the two namespaces are maintained separately to ensure that the private network IP addresses aren't exposed to the Internet. On the Internet the following DNS resource records are available to public network users:

@ IN SOA ns.contoso.tld. admin.contoso.tld. ( 6 ; serial number 900 ; refresh 600 ; retry 86400 ; expire 3600 ) ; minimum TTL @ NS ns.contoso.tld. @ MX 10 mail.contoso.tld. mail A 131.107.99.3 ns A 131.107.99.2 vpn A 131.107.100.3 www A 131.107.99.4

Server Roles

Each server in the DMZ plays a specific role in Contoso's extranet services. The following list defines each role:

• ns.contoso.tld. Acts as the authoritative name service for contoso.tld on the Internet. This server resolves all queries from the Internet for resources in the contoso.tld domain. The private network DNS servers for contoso.tld (ns1.contoso.tld and ns2.contoso.tld) are configured to forward irresolvable DNS queries to ns.contoso.tld in the DMZ. ns.contoso.tld uses root hints to resolve resource records for other DNS domains and forwards DNS requests to any DNS server on the Internet for resolution.
• mail.contoso.tld. Acts as the mail gateway for e-mail sent to recipients in the contoso.tld domain. Public network access to the mail server should be limited to SMTP. All users with mailboxes hosted on the mail.contoso.tld server connect to the mail server either directly from the private network or remotely through a VPN to the DMZ.
• vpn.contoso.tld. Acts as the tunnel server for both PPTP and L2TP/IPSec VPN clients. VPN clients must be able to access the mail.contoso.tld server with Microsoft Outlook 2000 using the native Exchange client. Additionally, VPN clients must be able to access all resources on the London network.
• www.contoso.tld. The NLBS Web cluster that hosts the Contoso Web site. Public network users should only be able to connect to the Web cluster using HTTP or HTTPS protocols. From the private network, the same restriction applies except for the two Web administrator computers located at IP addresses 172.30.110.10 and 172.30.110.11. These computers must be able to connect to the component Web servers directly using IPSec ESP packets. Additionally, the servers in the www.contoso.tld NLBS Web cluster must be able to connect to the SQL server at IP address 172.30.10.10 with an IPSec ESP connection to encrypt all SQL-data transmissions. The SQL connection is for storing data on new subscriptions and back issue orders.

Exercise 1: Planning the DMZ Configuration

An external consultant has proposed the DMZ configuration shown in Figure 14.23. In this exercise you will evaluate the DMZ configuration, and, if necessary, modify the DMZ configuration to meet Contoso's business needs. Answers to these questions can be found in the appendix.

Figure 14.23 Proposed DMZ configuration for Contoso Ltd.

1. Are there any problems with the proposed DMZ configuration?

2. If the IP address of the VPN server were changed to 172.29.100.206, would this meet Contoso's security requirements and validate the DMZ configuration?

3. Given that Contoso has funds for only two firewalls, what modifications can you make to the DMZ to meet all security design objectives? What features must be supported by the external firewall to meet these objectives?

4. Draw your proposed DMZ configuration.

Answers

Exercise 2: Designing Packet Filters for the DMZ

This exercise looks at the specific packet filters required at both the internal and external firewall to secure public network access and private network access to resources in the DMZ. You must design the packet filters based on the DMZ configuration shown in Figure 14.24.

Figure 14.24 Modified DMZ configuration for Contoso Ltd.

When you design the necessary packet filters, assume that both the internal and external firewalls support mirroring of packet filters.

Securing DNS Access

You must secure DNS so that only the traffic patterns shown in Figure 14.25 are allowed to enter and exit the DMZ.

Figure 14.25 Allowed access to and from the DNS servers in the private network and the DMZ

• Only the ns1.contoso.tld and ns2.contoso.tld DNS servers may forward DNS requests to the ns.contoso.tld DNS server. The internal firewall must block all other DNS requests sent to any DNS server on the Internet from the private network.
• The ns.contoso.tld DNS server resolves DNS queries by using root hints and sending queries to the authoritative DNS servers on the Internet.
• DNS queries from the Internet for contoso.tld must be passed only to the external DNS server.

Answer the following questions based on this situation. Answers can be found in the appendix.

1. In the following table, enter the packet filters that you must enter at the internal firewall to allow only the ns1.contoso.tld and ns2.contoso.tld DNS servers to forward DNS queries to the ns.contoso.tld DNS server in the DMZ.

   Protocol	Source IP	Source Port	Target IP	Target Port	Transport Protocol	Action
   DNS
   DNS
   DNS
   DNS
   DNS
   DNS

2. In the following table, enter the packet filters that you must enter at the external firewall to allow the ns.contoso.tld DNS servers to query other DNS servers on the Internet and to allow public network users to query the ns.contoso.tld DNS server for contoso.tld resource records.

   Protocol	Source IP	Source Port	Target IP	Target Port	Transport Protocol	Action
   DNS
   DNS
   DNS
   DNS

3. Can you perform any other configuration changes at the external DNS server to increase security?

Securing Web Access

You must configure the externally accessible Web NLBS cluster to allow only the traffic patterns shown in Figure 14.26 to pass through the internal and external firewalls.

Figure 14.26 Allowed access to and from the Web cluster

• Public network users should be able to connect to the NLBS cluster address (172.29.100.202) only by using HTTP or HTTPS protocols.
• The individual Web server nodes in the NLBS cluster must be able to connect to the SQL server on the private network at IP address 172.30.10.10 using IPSec encrypted packets to securely store new subscription and back issue orders.
• The Web administrator's workstation, located at 172.30.10.200, must be able to connect to the Web cluster nodes using any protocol. All transmissions must be protected with IPSec encryption.
• Private network users from the London office (172.30.0.0/24) can connect to the Web cluster only by using HTTP or HTTPS. No other protocols are allowed.

Answer the following questions based on this situation. Answers can be found in the appendix.

1. In the following table, enter the packet filters that you must configure at the internal firewall to secure Web-related transmissions between the private network and the DMZ.

   Protocol	Source IP	Source Port	Target IP	Target Port	Transport Protocol	Action
   IKE
   ESP
   IKE
   ESP
   IKE
   ESP
   IKE
   ESP
   HTTP
   HTTPS

2. Why must you create separate entries for the nodes in the NLBS cluster for IPSec connections from the Web administrator's computer?

3. In the following table, enter the packet filters that you must configure at the external firewall to secure Web-related transmissions between the public network and the DMZ.

   Protocol	Source IP	Source Port	Target IP	Target Port	Transport Protocol	Action
   HTTP
   HTTPS

4. What can you apply to the node servers in the NLBS cluster to ensure that maximum security is applied to the Web server?

5. Complete the following table of static address mapping that you must configure at the external firewall.

   Host Name	External IP Address	Internal IP Address

Securing VPN Server Access

You must secure the VPN server located in the DMZ, as shown in Figure 14.27, so that only the following traffic patterns are allowed to interact with the DMZ and the private network:

Figure 14.27 Allowed access to and from the VPN server

• Public network user connections must be allowed only to the VPN server using L2TP/IPsec and PPTP.
• The VPN server authenticates users with the RADIUS authentication proto-col by forwarding authentication requests to the IAS server at IP address 172.30.10.50 on the private network.
• The VPN server logs all accounting information locally.
• VPN users are assigned an IP address from the 131.107.100.128/25 network range (131.107.100.129 – 131.107.100.254).
• VPN users must be allowed to connect to the mail server in the DMZ using any protocol.
• VPN users must be able to connect to any server in the private network using any protocol.

Answer the following questions based on this situation. Answers can be found in the appendix.

1. In the following table, enter the packet filters that you must configure at the internal firewall to allow VPN users to connect to any server in the private network.

   Protocol	Source IP	Source Port	Target IP	Target Port	Transport Protocol	Action
   RADIUS- Auth
   Any

2. In the following table, enter the packet filters that you must configure at the external firewall to allow VPN users to connect to the tunnel server and to the mail server once they authenticate with the network.

   Protocol	Source IP	Source Port	Target IP	Target Port	Transport Protocol	Action
   PPTP
   GRE
   IKE
   ESP
   RADIUS- Accting
   Any

3. Why do you have to establish rules at the external firewall for allowing access to resources on the private network?

Securing Mail Access

The mail server located in the DMZ is running Exchange Server 5.5. Figure 14.28 shows the traffic patterns that must be allowed to access the Exchange Server from the public network, the external DMZ, and the private network.

Figure 14.28 Allowed access to and from the mail server

• The mail server only accepts incoming e-mail messages from the public network.
• The mail server must be able to connect to any other mail server on the Internet to deliver Internet e-mail messages.
• Private network users (172.30.0.0/16) must be able to connect to the mail server using any protocol.
• VPN users connecting to the mail server are assigned IP addresses from the 131.107.100.129 – 131.107.100.254 range of IP addresses. All VPN users must be able to connect to the mail server using any protocol.

Answer the following questions based on this situation. Answers can be found in the appendix.

1. In the following table, enter the packet filters that you must configure at the internal firewall to allow private network users to access the mail server.

   Protocol	Source IP	Source Port	Target IP	Target Port	Transport Protocol	Action
   Any

2. Do you need to create a separate packet filter to allow private network mail servers on the London network to connect to the mail server in the DMZ?

3. In the following table, enter the packet filters that you must configure at the external firewall to allow VPN users to access the mail server and to allow Internet e-mail to be exchanged with the mail server in the DMZ.

   Protocol	Source IP	Source Port	Target IP	Target Port	Transport Protocol	Action
   SMTP
   SMTP
   Any

4. If private network users were allowed to access the mail server using Outlook Web Access (OWA) by connecting to the URL https://mail.contoso.tld/exchange/, what additional packet filter would be required at the external firewall?

   Protocol	Source IP	Source Port	Target IP	Target Port	Transport Protocol	Action

Answers