Determining Windows 2000 Network Security Strategies


Securing Against Everyone

To secure your organization's network for access to and from the Internet, you need to put a server between the two. The server provides connectivity for company staff to the Internet while minimizing the risks that connectivity introduces. At the same time, it prevents access to computers on your network from the Internet, except for those computers authorized to have such access.

This server runs firewall or proxy server software and has two network interfaces: one for the corporate network and one for the Internet. The firewall or proxy server software examines every network packet that arrives on either interface and checks its intended address against the software's criteria. Only packets that meet those criteria are passed to the other interface for delivery to the rest of that network.

In some cases, the contents of the packets are forwarded as if they originated from the proxy server, and the results are handed back to the requesting computer when they are returned to the proxy server. This ensures that people on the Internet cannot learn the addresses of any computer within the company other than the proxy server.

Using Microsoft Proxy Server

Microsoft® Proxy Server 2.0 provides both proxy server and firewall functions. Proxy Server 2.0 runs on Windows 2000, and both must be configured properly to provide full network security. If you have a version of Proxy Server earlier than 2.0 with Service Pack 1, you must upgrade it for Windows 2000 compatibility at the time that you upgrade the server to Windows 2000.

In many cases, the volume of traffic between a company network and the Internet is more than one proxy server can handle. In these situations, you can use multiple proxy servers; the traffic is coordinated among them automatically. For users on both the Internet and intranet sides, there appears to be only one proxy server.

To use advanced Microsoft Proxy Server features, computers need to have the Microsoft Proxy Server client installed and configured to use the proxy server. Computers without the client (such as those on the Internet) receive basic service from the proxy server as anonymous users.

It is important to test the proxy server before connecting it to the Internet. Set up a small-scale simulation of the Internet and your intranet, and have client computers try to access various services in both directions. Also, attempt to make unauthorized connections to verify that your network rejects them. Be sure to test a wide variety of network access methods to verify that all types of network access are secure. Try different techniques that can be used to take advantage of security holes, to ensure that you do not have such holes in your environment. Books about network security include suggestions for specific issues that you can test. Third-party products can also help with such testing, as can consultants who are experienced in this area.
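The two-interface rule evaluation described under "Securing Against Everyone" and the pre-connection test pass recommended above can be exercised together in a small simulation. The following Python is an added example written for this page; it is not code from the chapter or from Microsoft Proxy Server. The address ranges, the two authorized internal hosts, the permitted outbound ports and the log of outbound sessions are all assumptions made for the illustration, and the session table ignores client ephemeral ports to keep the example short.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network, IPv4Address
from typing import Optional

# Constructed example settings. These are assumptions for illustration,
# not values taken from Microsoft Proxy Server or from the chapter.
INTERNAL_NET = ip_network("10.0.0.0/8")
PROXY_EXTERNAL_ADDR = ip_address("198.51.100.10")   # RFC 5737 documentation range

# Internal (address, port) pairs explicitly authorized to accept
# connections from the Internet.
AUTHORIZED_INBOUND = {
    (ip_address("10.0.5.20"), 25),   # hypothetical mail server
    (ip_address("10.0.5.21"), 80),   # hypothetical web server
}

# Destination ports the proxy will relay for internal clients.
ALLOWED_OUTBOUND_PORTS = {21, 80, 443}


@dataclass(frozen=True)
class Packet:
    src: IPv4Address
    dst: IPv4Address
    sport: int
    dport: int
    arrived_on: str            # "internal" or "external" interface


@dataclass(frozen=True)
class Decision:
    action: str                # "forward", "proxy", "return" or "drop"
    reason: str
    new_src: Optional[IPv4Address] = None     # address the far side will see
    deliver_to: Optional[IPv4Address] = None  # internal recipient of a reply


class DualHomedFilter:
    """Rule evaluation for a server with one internal and one external interface."""

    def __init__(self) -> None:
        # Outbound sessions opened on behalf of clients, keyed by
        # (remote server, remote port) -> internal client address.
        self.sessions: dict[tuple[IPv4Address, int], IPv4Address] = {}

    def evaluate(self, pkt: Packet) -> Decision:
        src_internal = pkt.src in INTERNAL_NET
        dst_internal = pkt.dst in INTERNAL_NET

        # Anti-spoofing: each interface may only carry source addresses
        # that belong on its own side of the server.
        if pkt.arrived_on == "external" and src_internal:
            return Decision("drop", "internal source address on external interface")
        if pkt.arrived_on == "internal" and not src_internal:
            return Decision("drop", "external source address on internal interface")

        if pkt.arrived_on == "internal":
            if dst_internal:
                return Decision("drop", "internal traffic does not cross the proxy")
            if pkt.dport not in ALLOWED_OUTBOUND_PORTS:
                return Decision("drop", f"outbound port {pkt.dport} not permitted")
            # Relay the request as if it came from the proxy itself, so the
            # Internet never learns the client's internal address.
            self.sessions[(pkt.dst, pkt.dport)] = pkt.src
            return Decision("proxy", "outbound request relayed", new_src=PROXY_EXTERNAL_ADDR)

        # Packet arrived on the external interface.
        if pkt.dst == PROXY_EXTERNAL_ADDR:
            client = self.sessions.get((pkt.src, pkt.sport))
            if client is None:
                return Decision("drop", "no matching outbound session")
            return Decision("return", "reply handed to requesting client", deliver_to=client)
        if not dst_internal:
            return Decision("drop", "not addressed to this network")
        if (pkt.dst, pkt.dport) in AUTHORIZED_INBOUND:
            return Decision("forward", "destination authorized for inbound access")
        return Decision("drop", "inbound access to unauthorized internal host")


def run_test_matrix() -> dict[str, str]:
    """The pre-connection test pass in miniature: attempt accesses in both
    directions, including ones that must be rejected, and record the action."""
    f = DualHomedFilter()
    client = ip_address("10.0.1.50")                 # hypothetical internal client
    web = ip_address("203.0.113.7")                  # hypothetical Internet host
    cases = {
        "outbound http":        Packet(client, web, 40000, 80, "internal"),
        "outbound telnet":      Packet(client, web, 40001, 23, "internal"),
        "reply to proxy":       Packet(web, PROXY_EXTERNAL_ADDR, 80, 40000, "external"),
        "unsolicited to proxy": Packet(web, PROXY_EXTERNAL_ADDR, 443, 40002, "external"),
        "inbound to mail":      Packet(web, ip_address("10.0.5.20"), 50000, 25, "external"),
        "inbound to client":    Packet(web, client, 50001, 139, "external"),
        "spoofed internal src": Packet(ip_address("10.0.5.20"), ip_address("10.0.5.21"), 50002, 80, "external"),
    }
    return {name: f.evaluate(p).action for name, p in cases.items()}


if __name__ == "__main__":
    for name, action in run_test_matrix().items():
        print(f"{name:22s} -> {action}")
```

The test matrix is the part worth keeping around: every rule you rely on (outbound relaying, reply matching, the short list of authorized inbound hosts, anti-spoofing on each interface) has at least one case that must be accepted and one that must be rejected, so a configuration change that silently opens a path shows up as a changed action rather than going unnoticed.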

Procedures for using Microsoft Proxy Server are included with the product. For more information about Microsoft Proxy Server and for details about Microsoft security technologies, see the Microsoft Security Advisor link on the Web Resources page at http://windows.microsoft.com/windows2000/reskit/webresources.

Monitoring Your Network Security

The network security technologies you implement can meet your goals only if you plan and configure them carefully, and thorough preparation makes that achievable. Anticipating every possible risk is much harder: new risks develop, systems break down, and the environment in which your systems are placed changes over time. Ongoing reviews of your network security strategies reduce these risks, but you also need to watch the actual network security activity, to spot weaknesses before they are exploited and to stop attempts to break security before they succeed.

To watch your network security activity, you need tools to capture the details about the activities and to analyze the data. Microsoft Proxy Server includes logging at two levels: normal and verbose. Windows 2000 also has event logging, which can be enhanced by enabling security auditing. Internet Authentication Server, discussed later in this chapter, has extensive activity reporting options. Third-party products are also available that can help with monitoring servers and applications, including security servers and applications. Be sure you review the documentation for whatever systems you use and select the logging options that best serve your requirements.
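Capturing the details is only half of the job; the log still has to be analyzed to turn a stream of individual entries into something a person can act on. The following Python is an added example, not code from the chapter or from any Microsoft product. The log lines are constructed, and their layout (timestamp, source, destination, port, ALLOW or DENY) is an assumption chosen for the example; the real field order for Proxy Server, the Windows 2000 event log or Internet Authentication Server comes from each product's documentation, so the regular expression is the piece you would replace.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log. The field layout is an assumption for this
# example; consult your product's logging documentation for the real one.
SAMPLE_LOG = """\
2000-03-14 02:10:05 203.0.113.7 10.0.5.21 80 ALLOW
2000-03-14 02:10:06 203.0.113.7 10.0.5.21 80 ALLOW
2000-03-14 02:11:10 198.51.100.77 10.0.1.50 139 DENY
2000-03-14 02:11:11 198.51.100.77 10.0.1.51 139 DENY
2000-03-14 02:11:12 198.51.100.77 10.0.1.52 139 DENY
2000-03-14 02:11:13 198.51.100.77 10.0.1.53 139 DENY
2000-03-14 02:11:14 198.51.100.77 10.0.1.54 139 DENY
2000-03-14 02:30:00 203.0.113.9 10.0.5.20 25 ALLOW
2000-03-14 02:31:00 203.0.113.9 10.0.1.60 23 DENY
this line is deliberately malformed and must be skipped, not crash the parser
2000-03-14 03:05:00 198.51.100.77 10.0.1.55 139 DENY
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<src>\S+) (?P<dst>\S+) (?P<port>\d+) (?P<action>ALLOW|DENY)$"
)


def parse_log(text: str) -> list[dict]:
    """Turn raw log text into a list of event dicts, skipping lines that do
    not match the expected layout (corrupt entries must not stop analysis)."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
            "src": m["src"],
            "dst": m["dst"],
            "port": int(m["port"]),
            "action": m["action"],
        })
    return events


def summarize(events: list[dict]) -> dict[str, int]:
    """Count events by action, the first figure to look at on any review."""
    counts: dict[str, int] = defaultdict(int)
    for e in events:
        counts[e["action"]] += 1
    return dict(counts)


def find_probing_sources(events: list[dict], threshold: int = 5,
                         window: timedelta = timedelta(minutes=5)) -> dict[str, int]:
    """Return sources that were denied at least `threshold` times inside any
    `window`-long interval, mapped to the peak count seen. A single rejected
    connection is routine; a burst of them from one address is worth a look."""
    denied_times: dict[str, list[datetime]] = defaultdict(list)
    for e in events:
        if e["action"] == "DENY":
            denied_times[e["src"]].append(e["ts"])

    flagged: dict[str, int] = {}
    for src, times in denied_times.items():
        times.sort()
        start = 0
        # Sliding window over the sorted timestamps.
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                flagged[src] = max(flagged.get(src, 0), count)
    return flagged


def distinct_targets(events: list[dict], src: str) -> int:
    """How many different internal hosts one source was denied access to;
    a high number distinguishes a sweep from a single misconfigured client."""
    return len({e["dst"] for e in events if e["src"] == src and e["action"] == "DENY"})


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("totals:", summarize(evs))
    for src, peak in find_probing_sources(evs).items():
        print(f"{src}: {peak} denials in one window, {distinct_targets(evs, src)} distinct targets")
```

The threshold and window are tuning knobs: set them from what your own logs look like during a quiet week, so that the normal background of stray rejected connections stays below the line and only a genuine burst crosses it. The same structure extends to the verbose Proxy Server log or to security audit events by changing the regular expression and the field names.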

Connecting to External Networks

When you have a proxy server in place, complete with monitoring facilities and properly prepared staff, you can connect your network to an external network. Conduct a final set of tests to be sure that the implementation fulfills your plans. You need to be confident that only the services you have authorized are available and that the risk of misuse is almost nonexistent. This environment requires diligent monitoring and maintenance, but once it is in place you will also be ready to consider providing other secure networking services.



Note

This chapter does not discuss how to set up a network connection. There are many books that cover this topic, and your network service provider can make the connection or put you in touch with consultants who can make the connection.

© 1985-2000 Microsoft Corporation. All rights reserved.