Determining Windows 2000 Network Security Strategies


Preparing for Windows 2000 Network Security Technologies

Some Windows 2000 network security technologies depend on other Windows 2000 security technologies. For example, the virtual private networking Layer Two Tunneling Protocol (L2TP) uses IPSec to secure traffic from the remote client to the VPN server. The IPSec security negotiation requires certificates to authorize the connection, so a certification server with the appropriate configuration is required. Typically, a Windows 2000 certificate server is joined to a domain, and the domain's Group Policy specifies public key infrastructure (PKI) settings that cause computers to auto-enroll with this certificate authority and obtain a computer certificate for IPSec. L2TP creates the IPSec policy needed to secure the L2TP traffic itself. However, administrators might also want to secure other traffic between all servers and clients, which requires configuring IPSec on each client and server. Because IPSec is configured by policy, after you create the policy in Active Directory™ you can apply it to all computers on a group or domain basis. Using Group Policy in Active Directory, you can deploy both certificates and IPSec policy to all domain computers through centralized administration.

For more information about planning for the deployment of Windows 2000 certificates, see "Planning Your Public Key Infrastructure" in this book. For more information about Active Directory planning, see "Designing the Active Directory Structure" in this book.

Deploying Strategies for Everyone

When your Internet connection is in place, anyone who can find it presents a potential network security risk. Therefore, the first community of users to address when you deploy an overall network security strategy is the group previously defined as Everyone. You have already done this, in part, by putting in place a proxy server as well as security monitoring policies, procedures, and technologies.

You might also want to consider the network applications that Everyone can benefit from and the security requirements those applications have. For example, you might want to set up Microsoft Internet Information Services (IIS) with an internal Web site. IIS has many security options available that you need to carefully consider and configure as required. (IIS includes extensive documentation about this subject.) Also consider using File Transfer Protocol (FTP) servers and other services that Everyone can benefit from.

Deploying Strategies for Staff

People in the Staff group might want to access the corporate network from any location in order to access internal Web sites, to copy files, to print documents, and for other simple functions. The primary security goal in these cases is to verify that the user is an authorized employee before the user gains free access to the network. Therefore, the initial connection into the network must be secure, but no further validation is required. An additional concern is that you need to prevent unauthorized people from intercepting and reading the traffic on your network.

Employees can use Internet service providers (ISPs) to access the company network; however, not all staff will have such access. You might not want to make all intranet services available through the Internet, or you might require the guaranteed network capacity of a dedicated network link. Using Windows 2000 Routing and Remote Access service, you can define remote access policies to be highly specific as to how users can access the internal network when connecting over the Internet.

© 1985-2000 Microsoft Corporation. All rights reserved.