Document: Module 11: Creating a Security Design for Network Perimeters (ppt)

Contents
Overview 1
Lesson: Determining Threats and Analyzing Risks to Network Perimeters 2
Lesson: Designing Security for Network Perimeters 8
Lab A: Designing Security for Network Perimeters 17

Module 11: Creating a Security Design for Network Perimeters




Information in this document, including URL and other Internet Web site references, is subject to
change without notice. Unless otherwise noted, the example companies, organizations, products,
domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious,
and no association with any real company, organization, product, domain name, e-mail address,
logo, person, place or event is intended or should be inferred. Complying with all applicable
copyright laws is the responsibility of the user. Without limiting the rights under copyright, no
part of this document may be reproduced, stored in or introduced into a retrieval system, or
transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or
otherwise), or for any purpose, without the express written permission of Microsoft Corporation.


Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual
property rights covering subject matter in this document. Except as expressly provided in any
written license agreement from Microsoft, the furnishing of this document does not give you any
license to these patents, trademarks, copyrights, or other intellectual property.

© 2002 Microsoft Corporation. All rights reserved.

Microsoft, MS-DOS, Windows, Windows NT, Active Directory, ActiveX, BizTalk, PowerPoint, Visio,
and Windows Media are either registered trademarks or trademarks of Microsoft Corporation in the
United States and/or other countries.

The names of actual companies and products mentioned herein may be the trademarks of their
respective owners.


Module 11: Creating a Security Design for Network Perimeters iii

Instructor Notes
Presentation: 45 minutes
Lab: 30 minutes

In this module, students will learn how to determine threats and analyze risks to
network perimeters. Students will also learn how to design security for network
perimeters, including screened subnets, and for computers that connect directly
to the Internet.
After completing this module, students will be able to:
• Determine threats and analyze risks to network perimeters.
• Design security for network perimeters.

Required materials
To teach this module, you need Microsoft® PowerPoint® file 2830A_11.ppt.

Important: It is recommended that you use PowerPoint version 2002 or later to
display the slides for this course. If you use PowerPoint Viewer or an earlier
version of PowerPoint, all of the features of the slides may not be displayed
correctly.

Preparation tasks
To prepare for this module:
• Read all of the materials for this module.
• Complete the practices.
• Complete the lab and practice discussing the answers.
• Read the additional reading for this module, located under Additional
Reading on the Web page on the Student Materials CD.
• Visit the Web links that are referenced in the module.


How to Teach This Module
This section contains information that will help you to teach this module.

Lesson: Determining Threats and Analyzing Risks to Network Perimeters

What Is the Perimeter of a Network?
Explain that the perimeter of a network is any entry point into an organization’s
network. A screened subnet (which is a type of network perimeter) and a single
computer on a network that is directly connected to the Internet are both
examples of a network perimeter. Emphasize to students that a network
perimeter is more than just a DMZ, demilitarized zone, or screened subnet—it
is anything that reaches outside the network that could allow an attacker inside
the network.

Why Perimeter Security Is Important
This page is intended simply to give examples of vulnerabilities. To elaborate
attacks, draw upon your own experiences. The next page deals with common
vulnerabilities, so try not to skip ahead.

Common Vulnerabilities to Perimeter Security
Explain the vulnerabilities, but do not discuss how to secure against them. The
second lesson in the module covers that topic.

Practice: Analyzing Risks to Network Perimeters
This practice requires that students have classroom access to the Internet. If
students do not have classroom access, simply read the practice answers to
them and then ask students if they have experienced such attacks.

Lesson: Designing Security for Network Perimeters
This section describes the instructional methods for teaching this lesson.
Emphasize the additional reading and Web sites referenced throughout the
module for additional depth on the topics provided.

Common Network Perimeter Designs
This page introduces screened subnets. Use this page to reemphasize what the
perimeter of a network is. The common designs shown are known by many
different names. Emphasize the fact that different parts of a network may be
separated from each other by perimeters; for example, a main office and a
branch office, or a main network and a test network. Be sure to point students to
the ISA Server Installation and Deployment Guide, under Additional Reading
on the Web page on the Student Materials CD.

Guidelines for Protecting Computers on a Perimeter
This page emphasizes the threats that network computers are under, and the
threats to which those computers expose the network when they connect to
outside networks. Many students may feel that this module is or is supposed to
be about screened subnets; emphasize that an organization’s computer that is
connected to an outside network is effectively on the perimeter of the
organization’s network, and may present a serious risk to network security. As
security designers, students must be aware of the risks involved and design
security measures to mitigate those risks.

Practice: Risk and Response
Answers may vary. Use the security responses that students give to generate
classroom discussion.

Security Policy Checklist
Use this page to review the content of the module. Students can use the
checklist as a basic job aid. The phases mentioned on the page are from
Microsoft Solutions Framework (MSF). Use this page to emphasize that
students must perform threat analysis and risk assessment on their own
networks for the topic covered in this module, and then they must design
security responses to protect the networks.

Assessment
There are assessments for each lesson, located on the Student Materials
compact disc. You can use them as pre-assessments to help students identify
areas of difficulty, or you can use them as post-assessments to validate learning.

Lab A: Designing Security for Network Perimeters
To begin the lab, open Microsoft Internet Explorer and click the name of the
lab. Play the video interviews for students, and then instruct students to begin
the lab with their lab partners. Give students approximately 20 minutes to
complete this lab, and spend about 10 minutes discussing the lab answers as a
class.

General lab suggestions
For general lab suggestions, see the Instructor Notes in Module 2, “Creating a
Plan for Network Security.” Those notes contain detailed suggestions for
facilitating the lab environment used in this course.

Customization Information
This section identifies the lab setup requirements for a module and the
configuration changes that occur on student computers during the labs. This
information is provided to assist you in replicating or customizing Microsoft
Official Curriculum (MOC) courseware.
This module includes only computer-based interactive lab exercises, and as a
result, there are no lab setup requirements or configuration changes that affect
replication or customization.

Important: The lab in this module is also dependent on the classroom
configuration that is specified in the Customization Information section at the
end of the Automated Classroom Setup Guide for Course 2830A, Designing
Security for Microsoft Networks.

Lab Setup
There are no lab setup requirements that affect replication or customization.

Lab Results
There are no configuration changes on student computers that affect replication
or customization.
Overview

***************************** ILLEGAL FOR NON-TRAINER USE ******************************

Introduction
In this module, you will learn how to determine threats and analyze risks to
network perimeters. You will also learn how to design security for network
perimeters, including screened subnets, and for computers that connect directly
to the Internet.

Objectives
After completing this module, you will be able to:
• Determine threats and analyze risks to network perimeters.
• Design security for network perimeters.
Lesson: Determining Threats and Analyzing Risks to Network Perimeters

Introduction
The perimeter, or boundary, of a network is where your organization ends and
the area outside your organization begins. Perimeters are not always easy to
identify. Attackers who penetrate weaknesses in your perimeter can potentially
access information on your network.

Lesson objectives
After completing this lesson, you will be able to:
• Describe the perimeter of a network.
• Explain the importance of perimeter security.
• List common vulnerabilities to perimeter security.
What Is the Perimeter of a Network?

Key points
A perimeter is any point that connects to networks outside of an organization.
In a typical network, perimeter points can include:
• Direct Internet connections. Any connection to the Internet from within an
organization.
• Dedicated WAN links. Wide area network (WAN) links to branch offices,
trusted partners, or other facilities outside of the organization.
• Screened subnets. Protected areas within a network that run services, such
as business-to-business (B2B) services, that the organization exposes to
public networks, such as the Internet.
• VPN clients. A virtual private network (VPN) tunnel to remote users who
are accessing the internal network across a public network.
• Applications. Organizations may run applications that access the Internet or
access services running in a screened subnet.
• Wireless connections. Access to wireless networks can often be gained from
outside of an organization’s physical facilities.
Why Perimeter Security Is Important

Key points
Assets are vulnerable to threats from both external and internal attackers. For
example:

External attacker scenario
An external attacker runs a series of port scans on a network. The attacker uses
the information to create a network diagram of the perimeter, including
computers in the screened subnet, operating systems of network devices and
computers, services running in the screened subnet, and the level of security
that is implemented on the network. The attacker researches known
vulnerabilities of these network devices, computers, and services, and then
attacks the network systematically.

Internal attacker scenario
An employee receives an e-mail from a friend through an external Web-based
e-mail account. When the employee opens a file that is enclosed in the e-mail, a
new worm virus automatically spreads to all computers on the internal network.
The traffic from the spreading virus slows legitimate traffic, resulting in a
denial of service (DoS) for network users.
Common Vulnerabilities to Perimeter Security

Key points
Of all the areas of your network, the network perimeter has the greatest
exposure to public networks and therefore is one of the areas most threatened
by attack. Before Internet connectivity became common, an organization’s
network often maintained only one connection to a public network.
Today, Internet access, remote access, and branch office connectivity have
become vital to the operation of an organization. As organizations increase their
requirements for connectivity, the difficulty of managing network connections
increases, and so does the risk that information and computers may be exposed
to attack.

Additional reading
For more information about common attacks to network perimeters, see:
• The Web page, Hacking Methods, on the Internet Security Systems Web
site, at: Hacking/Methods/Technical/default.htm.
• The white paper, Managing the Threat of Denial-of-Service Attacks, on the
CERT Coordination Center Web site, at: archive/pdf/Managing_DoS.pdf.
Practice: Analyzing Risks to Network Perimeters

Introduction
Northwind Traders has 10,000 users who work in one facility. All users have
computers running Microsoft® Windows® 2000 that belong to an Active
Directory® directory service domain. Northwind Traders recently deployed a
Web server so that employees can retrieve their e-mail messages.
The IT manager has asked you to explain how a Land attack and a SYN flood
attack (or SYN-ACK attack) can prevent users from retrieving their e-mail. Use
the Internet to locate information about how Land and SYN-ACK attacks affect
perimeter security.

Questions
1. What is a Land attack, and how can it prevent users from receiving their
e-mail messages?
A Land attack sends SYN packets with the same source and destination
IP addresses and the same source and destination ports to a host
computer. This makes it appear as if the host computer sent the packet
to itself. The host will continue to attempt to contact itself and prevent
legitimate traffic from being processed. An attacker could use a Land
attack against the router, firewall, or Web server at Northwind Traders
to prevent users from retrieving their e-mail.
Sources of information include:
• The Web page, CERT Advisory CA-1997-28 IP Denial-of-Service
Attacks, on the CERT Coordination Center Web site, at:
• Q165005, Windows NT Slows Down Because of Land Attack.

2. What is a SYN-ACK or SYN flood attack, and how can it prevent users
from receiving their e-mail messages?
At the beginning of a TCP connection, a SYN-ACK attack sends a SYN
packet to the target host from a spoofed source IP address. The target
host responds with a SYN-ACK packet, and then leaves the TCP
sessions in a half-open state while waiting for the spoofed host to
respond. Because the spoofed host will never respond, the session will
remain half open. The attacker repeatedly changes the spoofed source
address on each new packet that is sent to generate additional traffic
and deny legitimate traffic. An attacker could use a SYN-ACK attack
against the router, firewall, or Web server at Northwind Traders to
prevent users from retrieving their e-mail messages.
Sources of information include:
• RFC 2267, Defeating Denial of Service Attacks which employ IP
Source Address Spoofing.
• Q142641, Internet Server Unavailable Because of Malicious SYN
Attacks.
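The Land and SYN-flood patterns from the two answers above, expressed as detection logic that a perimeter monitor could apply to a packet trace. This is an added example, not part of the course; the trace format, the addresses and the half-open threshold are constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    ts: float
    flags: frozenset   # e.g. {"SYN"}, {"SYN", "ACK"}, {"ACK"}
    src: str
    sport: int
    dst: str
    dport: int


# Constructed trace in an assumed one-line-per-packet format:
# "<ts> <FLAG|FLAG> <src>:<sport> -> <dst>:<dport>"  (text after '#' is ignored)
TRACE = """\
0.00 SYN     198.51.100.7:40001 -> 192.0.2.10:80   # legitimate client
0.01 SYN|ACK 192.0.2.10:80      -> 198.51.100.7:40001
0.02 ACK     198.51.100.7:40001 -> 192.0.2.10:80   # handshake completes
0.10 SYN     192.0.2.10:80      -> 192.0.2.10:80   # Land pattern: src == dst
0.20 SYN     203.0.113.1:1025   -> 192.0.2.10:80   # spoofed sources, never ACKed
0.21 SYN     203.0.113.2:1025   -> 192.0.2.10:80
0.22 SYN     203.0.113.3:1025   -> 192.0.2.10:80
0.23 SYN     203.0.113.4:1025   -> 192.0.2.10:80
0.24 SYN     203.0.113.5:1025   -> 192.0.2.10:80
"""


def parse_line(line):
    ts, flags, src, _arrow, dst = line.split("#", 1)[0].split()
    src_ip, sport = src.rsplit(":", 1)
    dst_ip, dport = dst.rsplit(":", 1)
    return Packet(float(ts), frozenset(flags.split("|")),
                  src_ip, int(sport), dst_ip, int(dport))


def is_land_packet(p):
    """Land: a bare SYN whose source and destination address and port are
    identical, so the victim appears to be opening a connection to itself."""
    return ("SYN" in p.flags and "ACK" not in p.flags
            and p.src == p.dst and p.sport == p.dport)


def half_open_sessions(packets):
    """Return {(dst_ip, dport): {(src_ip, sport), ...}} for handshakes that a
    SYN opened but no final ACK from the client ever completed."""
    pending = defaultdict(set)
    for p in packets:
        key = (p.dst, p.dport)
        if "SYN" in p.flags and "ACK" not in p.flags:
            pending[key].add((p.src, p.sport))      # server would now send SYN-ACK
        elif "ACK" in p.flags and "SYN" not in p.flags:
            pending[key].discard((p.src, p.sport))  # third packet: session established
    return {k: v for k, v in pending.items() if v}


def detect(lines, syn_threshold=5):
    """Flag Land packets and destinations whose half-open count reaches the
    threshold (the threshold is an assumption to be tuned per service)."""
    packets = [parse_line(l) for l in lines if l.strip()]
    land = [p for p in packets if is_land_packet(p)]
    flood = {key: len(srcs) for key, srcs in half_open_sessions(packets).items()
             if len(srcs) >= syn_threshold}
    return {"land": land, "syn_flood": flood}


if __name__ == "__main__":
    result = detect(TRACE.splitlines())
    for p in result["land"]:
        print(f"Land packet at t={p.ts}: {p.src}:{p.sport} -> {p.dst}:{p.dport}")
    for (ip, port), n in result["syn_flood"].items():
        print(f"Possible SYN flood against {ip}:{port}: {n} half-open sessions")
```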



Lesson: Designing Security for Network Perimeters

Introduction
A perimeter of a network is by nature a place of low trust. You must ensure that
your network perimeter is secure and that it provides the services that you, your
customers, and your partners require. Identify the perimeter, decide what
services you will provide in the perimeter, and determine how you will securely
manage and monitor these services. You can also use firewalls and hardware
devices to secure your network perimeter from attack.

Lesson objectives
After completing this lesson, you will be able to:
• Describe common network perimeter designs.
• Explain the steps for designing a secure screened subnet.
• Explain how perimeter devices protect a network.
• List guidelines for protecting computers on a perimeter.
Common Network Perimeter Designs

Key points
The design of a secure network perimeter includes protection for the internal
network or local area network (LAN). On the perimeter, you can use a firewall
or a screened subnet, which is an area of limited trust that holds systems exposed
to the Internet, such as a public Web server. A screened subnet is sometimes
called a DMZ, demilitarized zone, or a perimeter network, because it is often a
small network located on the edge of the main network. You can use routers
and firewalls to screen traffic that goes in and out of a screened subnet.
Types of network perimeters include:
• Bastion host. Acts as the main connection for computers on the internal
network that are accessing the Internet. As a firewall, the bastion host is
designed to defend against attacks that are aimed at the internal network.
Smaller networks typically use bastion hosts to protect the internal network
from intruders.
A bastion host uses two network adapters, one connected to the internal
network and one connected to the Internet. This configuration physically
isolates the internal network from potential intruders on the Internet.
However, the bastion host is only a single line of defense between an
internal network and the Internet.
• Three-pronged configuration. Gives users on the Internet limited access to
network resources, while preventing unwanted traffic to computers that are
located on the LAN. A three-pronged configuration uses a firewall with
three network adapters—one connected to the LAN, one connected to a
screened subnet that is separate from the LAN, and one connected to the
Internet. A three-pronged configuration isolates the internal network from
the Internet and also permits limited access from the Internet and the
internal network to the screened subnet.
• Back-to-back configuration. Places the screened subnet between two
firewalls. The two firewalls are connected to the screened subnet; one
firewall is connected to the Internet, and the other firewall is connected to
the internal network. In this configuration, there is no single point of access
from the Internet to the LAN. To reach the internal network, an attacker
would need to get past both firewalls.

Additional reading
For more information about designing screened subnets, see:
• The Design a Firewall System practice on the CERT Coordination Center
Web site, at:
• The white paper, ISA Server Installation and Deployment Guide, under
Additional Reading on the Web page on the Student Materials CD.
Steps for Designing Secure Screened Subnets

Key points
When designing secure screened subnets, determine:
1. Services that you will provide in the screened subnet. The computer that
runs each service in the screened subnet, such as Simple Mail Transfer
Protocol (SMTP) and Web servers, must be secured against threats to the
service.
2. How each service communicates with internal and external systems.
Determine which protocols and ports each service requires for inbound and
outbound communication. The firewall administrator uses this information
to configure ingress and egress filtering.
3. How each service authenticates users. Determine how you will authenticate
users and the security that the authentication protocol provides. Ensure that
users can be authenticated securely. It is very difficult to detect attackers
who have gained valid credentials due to a poorly designed authentication
strategy.
4. How you will manage each service. Determine how you will manage
services that run on the internal network and from the Internet. Be sure to
include processes for applying security patches to the computers that run
each service.
5. How you will monitor and audit each service. Determine how you will audit
each service, how often you will audit each service, and who will be
responsible for monitoring the audit logs for suspicious events.
6. How you will configure firewall and router rules to secure the network. Use
the information from steps 1 to 5 to determine how to configure the
firewalls and routers. Work with your firewall administrator to implement
and test the configurations.
Additional reading
For more information about determining the protocols and ports that services
use, see:
• The list, Port Numbers, at the Internet Assigned Numbers Authority (IANA)
Web site, at:
• The list, Protocol Numbers, at the IANA Web site, at:
• Q281336, How to Determine Which Program Uses or Blocks Specific TCP
Ports.
• Q289241, A List of the Windows 2000 Domain Controller Default Ports.
How Perimeter Devices Protect a Network

Key points
You can secure screened subnets by using the following security mechanisms
on routers and firewalls:
• Packet filtering. Permits or blocks IP-based packets according to packet
filtering rules that include criteria such as source and destination IP
addresses and ports.
• Routing rules. Determine how to route network traffic after it arrives at the
router. You can configure router rules to permit or deny traffic to certain
networks.
• Stateful packet inspection. Prevents TCP and User Datagram Protocol
(UDP) traffic from traversing ports after initial communication has been
established.
• Application gateway. Uses detailed knowledge of how an application
communicates with other applications to communicate securely with outside
networks.
• Server publishing. Makes services available to the Internet from a screened
subnet or internal network without direct connectivity to the Internet.
• User-based authentication. Enables network administrators to determine
which users can access different types of Internet resources. Administrators
can also track each user’s use of Internet resources.
• Intrusion detection. Passive or active monitoring that detects possible
security compromises and reports them to administrators.
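A model of the firewall policy that steps 1, 2 and 6 of the screened-subnet design produce, combined with the packet-filtering, ingress/egress anti-spoofing and stateful-inspection mechanisms listed above, for a three-pronged firewall. It is an added example, not ISA Server or course code; the addressing, the service inventory and the verdict strings are constructed assumptions.

```python
import ipaddress
from collections import namedtuple

Packet = namedtuple("Packet", "iface src sport dst dport proto flags")

# Constructed addressing for the LAN and screened-subnet (DMZ) interfaces of a
# three-pronged firewall; the third interface is "internet" (assumption).
NETS = {
    "lan": ipaddress.ip_network("10.0.0.0/8"),
    "dmz": ipaddress.ip_network("192.0.2.0/24"),
}

# Steps 1 and 2: the services the screened subnet provides, the host and port
# each one uses, and the interfaces it must be reachable from (constructed).
SERVICES = [
    {"name": "web",  "host": "192.0.2.10", "proto": "tcp", "port": 80, "from": ["internet", "lan"]},
    {"name": "smtp", "host": "192.0.2.25", "proto": "tcp", "port": 25, "from": ["internet", "lan"]},
]


def build_rules(services):
    """Step 6: derive ordered permit rules from the inventory. Anything the
    inventory does not justify falls through to the final default deny."""
    return [
        {"name": s["name"], "iface": iface, "dst": s["host"],
         "dport": s["port"], "proto": s["proto"]}
        for s in services for iface in s["from"]
    ]


class StatefulFilter:
    """Packet filtering plus ingress/egress anti-spoofing and stateful inspection."""

    def __init__(self, rules):
        self.rules = rules
        self.sessions = set()  # (src, sport, dst, dport, proto) opened by a permit rule

    def _spoofed(self, p):
        src = ipaddress.ip_address(p.src)
        if p.iface == "internet":
            # Ingress filtering: a packet from the Internet may not claim one of our addresses.
            return any(src in net for net in NETS.values())
        # Egress filtering: traffic leaving the LAN or DMZ must carry that segment's addresses.
        return src not in NETS[p.iface]

    def check(self, p):
        if self._spoofed(p):
            return "drop:spoofed-source"
        key = (p.src, p.sport, p.dst, p.dport, p.proto)
        reverse = (p.dst, p.dport, p.src, p.sport, p.proto)
        if key in self.sessions or reverse in self.sessions:
            return "permit:established"  # either direction of a session a rule allowed
        for r in self.rules:
            if (r["iface"], r["dst"], r["dport"], r["proto"]) == (p.iface, p.dst, p.dport, p.proto):
                if p.proto == "tcp" and "SYN" not in p.flags:
                    return "drop:no-session"  # only a SYN may open a new TCP session
                self.sessions.add(key)
                return "permit:" + r["name"]
        return "drop:default-deny"


def demo_verdicts():
    """Run a constructed packet sequence through the policy and return the verdicts."""
    fw = StatefulFilter(build_rules(SERVICES))
    seq = [
        Packet("internet", "198.51.100.7", 40001, "192.0.2.10", 80, "tcp", {"SYN"}),   # client opens HTTP
        Packet("dmz", "192.0.2.10", 80, "198.51.100.7", 40001, "tcp", {"SYN", "ACK"}),  # server reply
        Packet("internet", "198.51.100.7", 40002, "192.0.2.10", 445, "tcp", {"SYN"}),  # unlisted port
        Packet("internet", "10.0.0.5", 1025, "192.0.2.10", 80, "tcp", {"SYN"}),        # LAN address from outside
        Packet("internet", "198.51.100.9", 5000, "192.0.2.10", 80, "tcp", {"ACK"}),    # ACK with no session
        Packet("lan", "10.0.0.5", 3000, "192.0.2.25", 25, "tcp", {"SYN"}),             # internal mail relay
        Packet("lan", "192.0.2.50", 3001, "192.0.2.25", 25, "tcp", {"SYN"}),           # DMZ address on LAN side
    ]
    return [fw.check(p) for p in seq]


if __name__ == "__main__":
    for verdict in demo_verdicts():
        print(verdict)
```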

Additional reading
For more information about firewalls, see:
• The white paper, Security with Internet Security and Acceleration Server
2000, under Additional Reading on the Web page on the Student
Materials CD.
• The white paper, Deploying Firewalls, at: pub/documents/sims/pdf/sim008.pdf.
Guidelines for Protecting Computers on a Perimeter

Key points
For computers or traveling users that connect directly to the Internet or other
networks that are not trusted, follow these guidelines:
• Use and maintain antivirus software. Third-party antivirus software can
prevent attacks from such threats as viruses, Trojan horse applications, and
worms.
• Use personal firewall applications. Internet Connection Firewall (ICF) and
third-party personal firewalls are smaller versions of enterprise firewalls that
provide protection from attackers on the Internet.
• Do not persistently store passwords. Users that store passwords, such as
Remote Access Service (RAS) or logon passwords, on their computers
expose their user accounts and the network to attack.
• Consider preventing users from using third-party e-mail applications. Any
e-mail applications that access the Web can spread viruses because they
circumvent the mail servers that use the organization’s firewall.
• Educate users about security. Increasing user awareness through
information campaigns and training can help change behavior and prevent
users from creating network vulnerabilities.

Additional reading
For more information, see:
• The Web page, 5-Minute Security Advisor - Using the Internet Connection
Firewall, at: 5min/5min-204.asp.
• The Web page, Virus Alerts, at: security/virus/alerts/default.asp.
• The white paper, Securing Mobile Computers with Windows XP
Professional, under Additional Reading on the Web page on the Student
Materials CD.
Practice: Risk and Response

Introduction
For each scenario, choose whether to accept, mitigate, transfer, or avoid the risk
presented, and then enter an appropriate security response.
Answers may vary.

Scenario: A home user with a cable modem connects to the corporate network
by using VPN
Risk strategy: Mitigate
Security response: Require home users to use Windows XP with ICF enabled,
and supply antivirus software for users to install on home personal computers

Scenario: Your organization uses a bastion host firewall to protect a small
branch office
Risk strategy: Accept
Security response: If properly configured, the bastion host firewall should
adequately protect the network of the small branch office
Security Policy Checklist

Checklist
Use the following checklist to guide your security design for network
perimeters.

Phase: Planning
Task: Model threats
Details: STRIDE (Spoofing, Tampering, Repudiation, Information disclosure,
Denial of service, and Elevation of privilege) and life cycle threat models

Phase: Planning
Task: Manage risks
Details: Qualitative and quantitative risk analysis

Phase: Building
Task: Create policies and procedures for securing:
Details:
• Perimeter devices and network perimeters
• Servers in screened subnets
• Computers connected to the Internet
Lab A: Designing Security for Network Perimeters

Objectives
After completing this lab, you will be able to apply security design concepts to
network perimeters.

Scenario
You are a consultant hired by Contoso Pharmaceuticals to help the company
design security for its network. Each lab uses an interactive application to
convey scenario-based information. To begin a lab, on the desktop, click
Internet Explorer; this opens a Web page that contains links to each lab. Click
a link to begin a lab.
Work with a lab partner to perform the lab.

Estimated time to complete this lab: 30 minutes

To complete a lab
1. Read Ashley Larson’s e-mail in each lab to determine the goals for the lab.
2. Click Reply, and then type your answer to Ashley’s questions.
3. Click Send to save your answers to a folder on your desktop.
4. Discuss your answers as a class.
Lab A: Designing Security for Network Perimeters
Lab Questions and Answers

Answers may vary. The following are possible answers.

1. How would you configure the firewall?
Configure the firewall to permit only inbound and outbound File
Transfer Protocol (FTP) traffic. Depending on how the Sales
administrators plan to manage the server, it may be necessary to open
additional ports for other purposes, such as for Terminal Services.

2. What broader security concerns do you have about the arrangement that
Josh has proposed?
The firewall is only part of the security solution in this scenario. When
designing security for networks, especially those connected to public
networks, apply the concept of defense-in-depth by implementing
security at each boundary whenever possible. For example, adding a
firewall to the network to protect the FTP server is a good security
measure but ignores the security configuration of the router, the FTP
server, and physical access to the network connection.
To improve security of the network as a whole, implement packet
filtering on the edge router to permit only traffic that is used to meet
business objectives to enter and exit the network. Based on the port
scan that John Chen performed, NetBIOS and remote procedure call
(RPC) traffic is permitted to enter and exit the network freely, even
though there is no business justification for doing so.
To better secure the FTP server, install the latest service pack and
security updates, remove all nonessential services, and implement
additional security that is appropriate for its role as an FTP server.
Another security issue is that a PC technician was able to enter a room
where the edge router was located and add a server to the screened
subnet. Either the PC technician has more access than he requires, or
the room is not secure.

3. What can Contoso do to prevent attacks from external networks from
happening to other employees?
The security incident at the hotel was likely due to a nonsecured
portable computer that was directly exposed to an untrusted network.
At a minimum, require users to enable Internet Connection Firewall
(ICF) when they connect to untrusted networks. Train users to enable
and disable ICF when they move between trusted and untrusted
networks.
Also, train users about how to protect their portable computers and
other company assets when they are away from the office.