Case Study: Assigning Group Membership

SCENARIO

ESSENCE OF THE CASE

Here are the essential elements in this case:

  • Where should the public servers be placed?

  • Where should the Exchange server be placed?

  • What security devices and architecture should be used in this environment?


DotComBust enterprises has received new funding and has started up operations again, albeit with a much smaller budget and only 10 employees, compared to the 350 employees they had in their previous incarnation. The organization lost all their data and proprietary information during a network break-in prior to their first failure.

The company is located in San Francisco, occupying a small section of the 10th floor of a 45-floor office building. The company is split into two categories of employees: management and nonmanagement. There are two managers (president and vice-president) and eight nonmanagement employees.

The president oversees the company's payroll and uses a Dell computer. The vice-president uses a Gateway computer and the temps are forced to use clone computers that were built by the vice-president's son-in-law. All computers on the network are on the same private network segment: 192.168.1.0/24.

There is no software engineering group, no security operations group, no executive committee, no CTO, no CEO, no CIO, and no environmental compliance officer. This organizational structure makes it relatively easy to set access controls on shared resources on the internal network. However, there has been some debate between the two managers as to whether they should configure separate groups for the president and vice-president.

Networking requirements are relatively simple. To bolster their image as an Internet company, they want to implement the following Internet services:

  • Web server

  • SMTP mail relay server

  • NNTP server

  • Microsoft Exchange server

  • VPN server

They considered outsourcing all of these services, but they have had bad experiences with outsourcing because everyone they know in the hosted services business has gone bankrupt. It is also considered a plus to be able to report to clients that they have the skill to manage their own Internet services.

The company was able to get a T1 connection to the Internet, but they were assigned only a single IP address (the ISP did not trust them with more than one). The ISP also required that the company purchase a router with an integrated CSU/DSU, rather than lease one, because of the principals' past financial difficulties.

ANALYSIS

Like most scenario questions in the testing industry, this one is full of extraneous information that has nothing to do with solving either the technical or management problems for this company. However, the required services and the type of Internet connection are enough to make a good stab at how to properly configure this company's network.

Configure the router as a screening router that admits only traffic bound for the services located on the DMZ segment behind it. The screening router should also perform stateful (dynamic) packet filtering, so that return traffic for permitted connections is tracked automatically and the filter rules stay simple. The DMZ segment sits behind the screening router; it is bounded by the LAN interface of the router on one side and the external interface of the firewall on the other. Because the ISP allows the company only a single public IP address, enable NAT on the router and use private IP addresses on the DMZ segment. The public servers (SMTP relay, NNTP, and Web) should all be placed on the DMZ segment. Because the router is doing NAT, create static NAT (port-forwarding) mappings so that packets arriving on the WAN interface of the router for the published ports (TCP 25 for SMTP, TCP 119 for NNTP, TCP 80 for HTTP) are forwarded to the corresponding servers on the DMZ segment. No mapping should point at the internal network.

The Exchange server should be placed on the internal network, behind the firewall. Configure the firewall to allow incoming SMTP (TCP port 25) only from the address of the DMZ SMTP relay server to the internal Exchange server, and to allow Exchange to hand outbound mail to that relay. No other DMZ host should be able to open connections into the internal network, so that a compromised Web or NNTP server cannot reach Exchange. Finally, configure outbound policies on the firewall and router so that internal network clients can reach the protocols their users require on the Internet, and nothing else.
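The following Python model is an added example, not the book's configuration: it encodes the screening router (NAT plus stateful filtering), the DMZ, and the DMZ-to-internal firewall rules described above, and walks constructed sample packets through them. The public address 203.0.113.10, the DMZ range 192.168.100.0/24, the host addresses, the outbound allow-list, and the function and constant names are all assumptions chosen for illustration; only the internal segment 192.168.1.0/24 comes from the scenario.

```python
"""Policy model of the design in the analysis: a screening router doing NAT in
front of a DMZ, and a firewall between the DMZ and the internal network.

Added example; not the book's configuration. All addresses, ports and the
outbound allow-list are assumptions chosen for illustration. Only the first
packet of a new connection is evaluated: with stateful filtering on both
devices, replies ride on the connection entry that packet creates, so no
separate rules for return traffic are needed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

PUBLIC_IP = ip_address("203.0.113.10")     # the single ISP-assigned address (assumed, RFC 5737 range)
DMZ = ip_network("192.168.100.0/24")       # DMZ segment (assumed private range)
LAN = ip_network("192.168.1.0/24")         # internal segment from the scenario

DMZ_WEB = ip_address("192.168.100.10")     # assumed DMZ host addresses
DMZ_SMTP = ip_address("192.168.100.25")
DMZ_NNTP = ip_address("192.168.100.119")
EXCHANGE = ip_address("192.168.1.5")       # assumed Exchange address on the LAN

# Static NAT mappings on the screening router: (proto, public port) -> (DMZ host, port).
# These are the only inbound holes; nothing maps to the internal network.
PORT_FORWARDS = {
    ("tcp", 80): (DMZ_WEB, 80),
    ("tcp", 25): (DMZ_SMTP, 25),
    ("tcp", 119): (DMZ_NNTP, 119),
}

# Protocols internal clients may open outbound (assumed list).
OUTBOUND_ALLOWED = {("tcp", 80), ("tcp", 443), ("udp", 53)}


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    dport: int


def screening_router(pkt):
    """Stateful screening router with NAT. Returns (verdict, packet as forwarded)."""
    src, dst = ip_address(pkt.src), ip_address(pkt.dst)
    if src in LAN or src in DMZ:
        # Outbound: hide the private source behind the one public address.
        return "allow", Packet(pkt.proto, str(PUBLIC_IP), pkt.dst, pkt.dport)
    if dst != PUBLIC_IP:
        return "drop", pkt              # private addresses are not reachable from outside
    target = PORT_FORWARDS.get((pkt.proto, pkt.dport))
    if target is None:
        return "drop", pkt              # unpublished port: no mapping, no delivery
    host, port = target
    return "allow", Packet(pkt.proto, pkt.src, str(host), port)


def firewall(pkt):
    """Firewall between DMZ and internal network. Default deny in both directions."""
    src, dst = ip_address(pkt.src), ip_address(pkt.dst)
    if src in LAN:
        allowed = ((pkt.proto, pkt.dport) in OUTBOUND_ALLOWED
                   # Exchange hands outbound mail to the relay, never straight to the Internet
                   or (src == EXCHANGE and dst == DMZ_SMTP and pkt.proto == "tcp" and pkt.dport == 25))
        return ("allow" if allowed else "drop"), pkt
    if dst in LAN:
        # The only inbound hole: the relay delivering mail to Exchange.
        allowed = (src == DMZ_SMTP and dst == EXCHANGE and pkt.proto == "tcp" and pkt.dport == 25)
        return ("allow" if allowed else "drop"), pkt
    return "drop", pkt


def location(ip):
    ip = ip_address(ip)
    return "lan" if ip in LAN else "dmz" if ip in DMZ else "internet"


def evaluate(proto, src, dst, dport):
    """Walk a new-connection packet through the devices between src and dst.

    Returns ("allow", delivered_destination) or ("drop", None).
    """
    pkt = Packet(proto, src, dst, dport)
    where_from, where_to = location(src), location(dst)
    if where_from == "internet":
        hops = [screening_router]                 # NAT decides whether and where it lands
    elif where_from == "lan":
        hops = [firewall] + ([screening_router] if where_to == "internet" else [])
    else:                                         # from the DMZ
        hops = [firewall] if where_to == "lan" else [screening_router] if where_to == "internet" else []
    for hop in hops:
        verdict, pkt = hop(pkt)
        if verdict != "allow":
            return "drop", None
    return "allow", pkt.dst


# Constructed sample packets (Internet hosts taken from the RFC 5737 documentation ranges).
SAMPLES = [
    ("tcp", "198.51.100.7", "203.0.113.10", 80),     # Internet -> published Web service
    ("tcp", "198.51.100.7", "203.0.113.10", 3389),   # Internet -> unpublished port
    ("tcp", "192.168.100.25", "192.168.1.5", 25),    # relay -> Exchange
    ("tcp", "192.168.100.10", "192.168.1.5", 25),    # Web server -> Exchange (compromised DMZ host)
    ("tcp", "192.168.1.20", "198.51.100.7", 443),    # internal client -> Internet HTTPS
    ("tcp", "192.168.1.20", "198.51.100.7", 25),     # internal client -> direct SMTP
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, "->", evaluate(*sample))
```

The model separates the two enforcement points deliberately: the router's only inbound decisions are the three port-forward mappings, so an attacker on the Internet can reach nothing but the published DMZ services, while the firewall's single inbound rule (relay to Exchange, TCP 25) is pinned to the relay's source address, so taking over the Web or NNTP server does not buy a path to the internal network.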
