CHAPTER 15

                            SECURING INTERNET ACCESS

 

Your network design must include provisions to maintain network security when employees connect

to the Internet.  An important part of this design is your organizations Internet acceptable use policy,

which defines how employees should and should not use the Internet.

 

Chapter Scenario:  Wide World Importers

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

======================================================================

 

winsec15.html                                                 PAGE 2                                                       2002/05/04

 

 

 

 

Lesson 1:  Designing an Internet Acceptable Use Policy

 

Before securing Internet access for private network users, your organization should consider

drafting an Internet acceptable use policy.

 

 

Determining Contents of the Policy:

 

Before securing Internet access for private network users, your organization should consider

drafting an Internet acceptable user policy.  This policy will define what is acceptable employee

usage of the Internet.

 

Determining Contents of the Policy

 

An Internet acceptable use policy must contain the following elements to ensure that private

network users understand the rules when they access the Internet using corporate resources:

 

•   The policy must contain descriptions of the available services.
•   The policy must define user responsibility specifically.
•   The policy must define what constitutes authorized use.
•   Users can access the Internet with authorized protocols.
•   Users can send and receive e-mail for business purposes.
•   Users can send e-mail messages with attachments less than 2 MB in size.
•   Users can connect to any Web pages that are related to business purposes.
•   Users can download files for business purposes as long as the organization’s

virus scanner is running at all times.

•   Users can access Usenet newsgroups subject to business purposes.

 

The policy must define unauthorized use of the Internet.

 

Users could be prevented from access the Internet with unauthorized protocols.

Users could be preventing from exposing sensitive company information to persons outside the

company.

 

Users cannot use e-mail inappropriately.

Users could not install unauthorized software on their local desk.

Users could be prevented from accessing the Internet for personal use.

The policy must define who has ownership of resources stored on the organization’s computers.

The policy must define the consequences of performing unauthorized access.  They May include:

 

• Removal of Internet access privileges
• Termination
• Referring the employee’s actions to local legal authorities

 

 

After defining the Internet acceptable use policy, create a document outlining the policy. 

The document should include a contract that employees sign before gaining access to the Internet.

 

 

======================================================================

 

winsec15.html                                                 PAGE 3                                                       2002/05/04

 

 

 

 

Applying the Decision

 

WWI’ Internet acceptable use policy is missing a key component.  The document needs to

describe the consequences of violating the policy.

 

 

Lesson Summary:

 

A clear definition of authorized and unauthorized actions in an Internet acceptable use policy

will allow network administrators to design a security infrastructure that enforces acceptable

Internet usage.

 

 

Lesson 2:  Securing Access to the Internet by Private Network Users

 

When private network users access resources on the Internet, several risks are introduced to

your network’s overall security.  If they’re not carefully managed, these risks can result in

reduced security for your network.

 

Introducing viruses.  To prevent virus attacks, deploy a virus scanning solution for your network.

Installing unauthorized software.  If you ensure that users are members of the Users group, you

can restrict users to writing data to their hard disk only in common shared areas and their personal

profile directory.

 

Exposing private network addressing.  Outbound Internet traffic could expose the IP addressing

cheme used on the internal network.  A network address translation (NAT) service at the firewall

or perimeter server will replace all outgoing address information with a common address configured

at the NAT server.

 

 

======================================================================

 

winsec15.html                                                 PAGE 4                                                       2002/05/04

 

 

 

 

Users attempting to bypass the established security.  Once restrictions are placed on Internet access,

employees might attempt to bypass the configured security mechanisms.

 

You can prevent modem usage by Group Policy to disable the Remote Access Connection Service.

 

*** See the chart on page 617 for review ***

 

 

Applying the Decision

 

Install virus scanning software at multiple locations on the network.  Install all antivirus plug-in at the

mail server that scans incoming and outgoing messages for virus-infected attachments.

Preconfigure Internet Explorer to ensure that security settings are set to restrict download of specific

content.  Configure the external firewall for WWI with NAT service to ensure that he private network

addressing scheme isn’t exposed on the Internet.

 

 

 

Restricting Internet Access to Specific Computers

 

By assigning users to computers, you can limit Internet Access to users who are authorized to log

on to specific computers.

 

Some servers must initiate connections to the Internet.  Servers that require access to the Internet

through an external firewall to initiate connections include the following:

 

DNS Servers.  DNS is a distributed database of all hosts on the Internet.

 

Mail Servers.  Your mail server must be able to determine which mail server to deliver

mail to for a specific recipient by querying a DNS server for the recipient’s domain Mail

Exchange (MX) resource record.

 

FTP Servers.   Active FTP clients require data transfers from the FTP server to the

FTP client to be initiated by the FTP server.

 

Proxy Servers.  Proxy clients forward all of their Internet-bound requests to their

configured proxy server and the Proxy Server sends the requests to the Internet.

 

NOTE:  The mail server doesn’t require DNS access to the Internet because all DNS requests are

passed to the DNS server that’s also located in the DMZ.

 

 

======================================================================

 

winsec15.html                                                 PAGE 5                                                       2002/05/04

 

 

 

Making Decision

 

You must make the following decisions when determining the design of your firewall’s packet filters

to allow Internet access.

 

•   Determine which computers are required to respond directly to incoming requests.  Typically, all

computers located within your DMZ provide secure access from Public network users.

•   Determine which computers are required to initiate data exchange with computers on the Internet.
•   Determining if the computers that require access to the Internet have a static IP address or DHCP

assigned IP address.

 

 

NOTE:  You can even assign static IP addresses to remote access clients by configuring the user’s

dial-up properties to request a static IP address.

 

 

Determine which protocols the computers use when accessing the Internet.

 

NOTE:  If NAT is performed at a firewall, you must establish the packet filters at that specific

firewall to limit protocols and destination IP addresses.   Once the data passes through the NAT

service, other firewalls will be unable to identify the packet’s original source.

 

 

Restricting Internet Access to Specific Users

 

Although it’s possible to restrict Internet access to specific computers, sometimes it’s more

appropriate to restrict access based on user accounts.

 

 

Providing Proxy Services

 

To manage Internet access based on user accounts, you need a service capable of enforcing which

 users or groups can access the Internet.  This service must provide an authentication mechanism

that can identify users and evaluate group membership.  Proxy 2.0 provides this functionality

through the following services:

 

Web Proxy Service.  Allows users to connect to Internet resources by using NTTP, HTTPS,

Gopher, and FTP through a Conseil Europee bla bla bla.

 

 

 

======================================================================

 

winsec15.html                                                 PAGE 6                                                       2002/05/04

 

 

 

Windows Sockets (WINSoc) Proxy Services.  Allows applications to make use of Windows

sockets to connect to servers through the Proxy Server.

 

Socks Proxy Service.  Allows the establishment of a SOCK 4.3 protocol data channel between

a client and server with the Socks Proxy acting as an intermediary.

 

When the user attempts to access an Internet resource through a proxy service the user’s SID

and group SIDs are compared to the Access Control List (ACL) configured for the protocol the

user is attempting to use.  If the SID is allowed access, the Proxy Server completes the connection.

 

 

Authenticating Proxy Server Requests

 

Proxy Server 2.0 supports three methods of authenticating users:  anonymous access, basic

authentication, and Windows Integrated Authentication.

 

Anonymous Access.  Allows anyone to use the Proxy Server services.  When anonymous

authentication is enabled, the Proxy Server doesn’t request user credentials.

 

Basic Authentication.  Allows authentication with the Proxy Server using clear text.  While

this is a security risk, it’s sometimes the only way authentication can take place if non-

Microsoft Web browsers are deployed.

 

Integrated Windows Authentication.  The user’s access token is checked to obtain

the user’s SID and any group SIDs on the access token in a process that’s transparent

to the user.

 

**** See the making decision chart on page 625 ***

 

NOTE:  You should regularly audit the Internet groups to ensure that only authorized users are

members of these groups.

 

 

Restricting Internet Access to Specific Protocols

 

Once a user is authenticated, configure the proxy services available in Proxy Server 2.0 to allow

access only to specific protocols.  For each available protocol, assign permissions to allow only

specific groups to use the protocol through the Proxy Server.

 

 

 

======================================================================

 

winsec15.html                                                 PAGE 7                                                       2002/05/04

 

 

 

NOTE:  Only the Web Proxy and the WINSock Proxy support permissions based on user

accounts.  The Socks Proxy permissions are based on the connection attempt’s properties. 

Much like a packet filter, Socks Proxy permissions define the source and destination IP

address and port information for identifying permitted connections.

 

 

Restricting Protocol Access in the Web Proxy

 

Once a user is authenticated, configure the proxy services available in Proxy Server 2.0 to allow

access only to specific protocols.  For each available protocol, assign permissions to allow only

specific groups to use the protocol through the Proxy Server.

 

NOTE:  Only the Web Proxy and the WinSock Proxy support permissions based on user

accounts.  The Socks Proxy permissions are based on the connection attempt’s properties. 

Much like a packet filter, Socks Proxy permissions define the source and destination IP) address

and port information for identifying permitted connections.

 

*** See the making decision chart on page 629 ***

 

 

Lesson Summary:

 

•   Your organization may need to configure restrictions on the computers, users, or protocols

that can access the Internet.

•   Your design must ensure that all computers and users that require access to the Internet can

have it without exposing the network to additional risks.

 

 

Lesson 3:  Restricting Access to Content on the Internet

 

Some organizations restrict Internet access based not only on users and computers, but also

on the content of the Internet resources.  Restrictions may be required for:

 

• Denying access to specific domains on the Internet
• Preventing the download of harmful Web content
• Restricting what types of content can be downloaded form the Internet.

 

 

 

======================================================================

 

winsec15.html                                                 PAGE 8                                                       2002/05/04

 

 

 

 

Preventing Access to Specific Web Sites

 

Once you’ve granted access to a specific protocol, you might wish to restrict access based

on the Web site’s host.  For example, your organization’s Internet acceptable use policy

may not permit access to the Internet gaming site.

 

 

Making the Decision

 

When designing security for private network users accessing the Internet, you can prevent

access to specific Web sites by:

 

Identifying Web sites that will always be unauthorized for access.  You generally do this by

identifying types of Web sites that aren’t authorized.

Including the domain names in the domain filter list.  By including the domain in the domain filter

 list, you prevent access to any Web site within the domain.

 

 

Using the Internet Explorer Administration Kit to Preconfigure Settings

 

The Internet Explorer Administration Kit (IEAK) allows you to preconfigure Internet Explorer

settings before deploying Internet Explorer to the desktops in your organization and to update

deployments on an ongoing basis.

 

The IEAK consists of two applications:  The Internet Explorer Customization Wizard and the

IEAK Profile Manager.

 

You can configure the following security related options within the IEAK Customization Wizard:

 

•   Enable Automatic Configuration.  You must enable automatic configuration to allow modified

configuration settings to be downloaded from the .ins file created by the IEAK Profile Manager.

•   Proxy Settings.  You need to have Proxy Server 2.0 on the server.
•   Define Certification Authorities.  Enables the addition or deletion of Certification Authorities

CAs) trusted by Internet Explorer.

•   Define Security Zones.  Allows you to define default security settings based on the zone in

which a Web site is located.

•   Enable Content Rating.  Prevents access to Web sites based on the Content Advisor settings.

Making the Decision

 

 

======================================================================

 

winsec15.html                                                 PAGE 9                                                       2002/05/04

 

 

 

 

You must consider the following items when planning consistent security configuration of

Internet Explorer within an organization:

 

 

•   Determine the desired configuration of Internet Explorer.
•   Define an installation package that applies the standard configuration.
•   Determine how modifications will be deployed.  You can use IEAK Profile Manager to create

and .ins file that’s automatically downloaded to Internet Explorer clients if the browser has the

automatically Detect Settings setting enabled.

•   Prevent modifications of the standard configuration.  Use Group Policy to restrict access to the
•   Internet Explorer Properties dialog box for Windows 2000-based computers.  If users can’t

connect to the property pages, they can’t modify the standard settings and weaken security.

 

 

Managing Content Downloads

 

Internet Explorer allows you to use security zones to manage what content can be downloaded

from Web sites.

 

•   My Computer.  Includes all resources stored on the local computer except for cached Java

classes and content in the Temporary Internet Files folder.

•   Local Intranet. 
•   Trusted Sites.
•   Restricted sites.  A list of sites that a private network user can view but can’t use to download

specific forms of content.

•   Internet.  All sites on the Internet that aren’t included in the Trusted Sites or Restricted Sites

zones.

•   Low.  Allows most content to be downloaded and executed without prompting the user.
•   Medium-Low.  Allows most content to be downloaded and executed without prompting the

user but prompts before downloading signed Active X controls and prevents the downloading

of unsigned ActiveX controls.

•   Medium.  Attempts to download content that’s potentially unsafe cause the user to be prompted

before the content can be downloaded.

•   High.  Disable most Internet Explorer features that introduce risks to the network, including the

ability to download Java and Active X controls.

 

 

======================================================================

 

winsec15.html                                                 PAGE 10                                                     2002/05/04

 

 

 

Preventing Access to Specific Types of Content

 

Many Web sites contain content that isn’t appropriate for business purposes.  Content that falls

into this category can include nudity, sex, language and violence.

 

You can block access to Web sites that contain unauthorized content by using plug-ins that

allow content scanning at the Proxy Server.  If any inappropriate content is discovered, the

Proxy Server won’t load the materials and instead inform the user that the content is blocked.

 

 

Making the Decision

 

Take the following actions when designing a strategy to block specific types of Internet content:

 

• Define your organization’s policy on obscene content. 
• Define what content must be blocked.
• Define what action to take when an unrated Web sit is accessed.
• Prevent users from changing content settings.
• Ensure that all settings for Internet Explorer installations are consistent.

 

 

 

Lesson Summary:

 

•   Creating the restrictions on the content that can be accessed form the Internet ensures that the
•   Internet isn’t abused by an organization’s employees.
•   As with most security settings, Group Policy provides added control by restricting user access

to certain property pages.  By removing the ability to modify configurations, you can ensure that

the desired default settings are maintained.

 

 

Lesson 4:  Auditing Internet Access

 

You can enable Proxy Server 2.0 auditing to track all Internet access performed by the Proxy

Server. If unauthorized access is performed, the logs provide evidence that allows the

administrator to implement restrictions to block further access.

 

 

 

 

======================================================================

 

winsec15.html                                                 PAGE 11                                                     2002/05/04

 

 

 

 

Designing Proxy Server Auditing

 

Proxy Server 2.0 enables logging of actions performed by the Web Proxy, WinSock Proxy,

and Socks Proxy services.  The log data allows an administrator to review all Internet access. 

Unless logging is enabled, there’s no way to ensure that the Proxy Server is properly configured

and that employees are obeying Internet acceptable use policy. There are several log files:

 

 

Web Proxy Log (W3yymmdd.log).   audits all access performed by the Web Proxy

service.

 

WinSock Proxy log (Wsyymmdd.log).  Audits all access performed by the WinSock

Proxy Service.

 

Socks Proxy Log (Spyymmdd.log).  Audits all access performed by the Socks Proxy

Service.

 

 

NOTE:  Depending on the amount of logging, you can choose to create new log files every day,

week or month.  The interval that you select will be based on the amount of data being logged

and the amount of disk space available for storing the log files.

 

Alternately, you can log the proxy services to an Open Database Connectivity (ODBC)

compliant database such as Microsoft SQL server.

 

NOTE:  Proxy Server 2.0 includes SQL scripts for creating the SQL database tables required

to store the Proxy Server logs.

 

 

Lesson Summary:

 

•   Implementing a proxy service isn’t enough to maintain security when private network users

connect to the Internet.  You must perform regular auditing of Internet usage to ensure that

existing policies are being followed.

•   Auditing allows an administrator to secure the network by analyzing existing traffic patterns.