Module 10: Designing Security for Data Transmission


Table of Contents

Module Overview
Lesson 1: Creating a Security Plan for Data Transmission
Lesson 2: Creating a Design for Security of Data Transmission
Lab: Designing Security for Data Transmission

Information in this document, including URL and other Internet Web site references, is subject to change without notice. Unless otherwise noted, the example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, address, logo, person, place, or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.

The names of manufacturers, products, or URLs are provided for informational purposes only and Microsoft makes no representations and warranties, either expressed, implied, or statutory, regarding these manufacturers or the use of the products with any Microsoft technologies. The inclusion of a manufacturer or product does not imply endorsement of Microsoft of the manufacturer or product. Links are provided to third party sites. Such sites are not under the control of Microsoft and Microsoft is not responsible for the contents of any linked site or any link contained in a linked site, or any changes or updates to such sites. Microsoft is not responsible for webcasting or any other form of transmission received from any linked site. Microsoft is providing these links to you only as a convenience, and the inclusion of any link does not imply endorsement of Microsoft of the site or the products contained therein.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property. Microsoft Corporation. All rights reserved.

Microsoft, Active Directory, ActiveX, BitLocker, BizTalk, Brute Force, Internet Explorer, MS-DOS, Outlook, PowerPoint, SQL Server, Visual Studio, Windows, Windows Live, Windows Mobile, Windows NT, Windows Server and Windows Vista are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. The names of actual companies and products mentioned herein may be the trademarks of their respective owners.

Version 1.2

Module Overview

In this module, you will learn how to determine threats and analyze risks to data transmission in an organization. You will also learn how to design security for various types of data transmission, including traffic on local area networks (LANs), wide area networks (WANs), Virtual Private Networks (VPNs), wireless networks, and the Internet.

Objectives

After completing this module, you will be able to:

Create a security plan for data transmission.
Design security for data transmission.

Lesson 1: Creating a Security Plan for Data Transmission

You can protect data that is stored on your network by securing access to it, but when you transmit data across the network in your organization, the data becomes vulnerable to various additional threats. Attackers can potentially intercept transmitted data, depending on how and where the data is transmitted.

Objectives

After completing this lesson, you will be able to:

Describe how Microsoft Solutions Framework (MSF) provides a framework for designing secure data transmission.
Describe how the defense in depth model defines secure data transmission.
Describe the resources to protect.
Apply a threat model to data transmission.
Identify the cost to data in transit.

MSF and Security of Data Transmission

When you create and deploy your security plan by using MSF, you must use the envisioning phase to identify your goals for data transmission security, and use the planning phase to identify how to achieve these goals.

Considerations During the MSF Envisioning Phase

When envisioning data transmission security, ensure that you consider the following:

Scope of your plan. The location or locations to which your data is transmitted, which your plan will help to protect, and the data transmitted to or from those locations that requires security. Data travels over many types of networks in an organization. These networks have various levels of trust associated with them. For example, LANs are generally associated with a high degree of trust because they are located in an organization's physical facilities. Web server traffic is generally associated with a low level of trust because it crosses public links that are outside your organization's control.

The types of networks that your organization uses to transmit data. Common networks include LANs, wireless networks, WANs for branch offices and trusted partners, VPNs for remote users, and the Internet.

The goals of secure data transmission. To ensure that the data travels as securely as possible without making the data packets too large for efficient forwarding.

Considerations During the MSF Planning Phase

When planning to secure your data transmission, ensure that you consider the following:

How to achieve the goals for secure data transmission. Select the correct secure data transmission technique for the appropriate data transmission to, from, or at the appropriate location.

Defense in depth model. Ensure that your defenses are applied one after the other. This arrangement means that attackers must pass several countermeasures to meet their goal rather than just one.

Risk management. Be proactive by identifying risk management strategies for as many risks as possible.

Defense in Depth and Security of Data Transmission

The risks to organizations' internal networks largely concern the sensitive data transmitted through the network defenses. The connectivity requirements for client workstations on these internal networks also have a number of risks associated with them.

Network Architecture

Well designed and properly implemented network architecture provides highly available, secure, scalable, manageable, and reliable network connectivity and services.

A network segment consists of two or more devices that can communicate with each other on the same physical or logical section of the network. A logical section of the network is provided when a group of network hosts communicate as if they were on the same physical network segment, even though they are physically on different segments. If the segments are logical, they are referred to as virtual local area networks (VLANs). LANs are created by connecting either multiple network hosts or multiple network segments using the appropriate network devices.

Organizations can take a number of steps to protect their internal network by using a defense in depth approach. Techniques include:

Securing wireless LANs
Internet Protocol security (IPsec)
Network segmentation

Resources to Protect with Data Transmission Security

To help to protect your data when it is in transmission, you must consider the types of attacks to which your data transmissions may be susceptible.

Examples of Attacks

The following are typical examples of the scenarios that you must consider when envisioning and planning the security of your data transmissions. Each organization must be aware of the scenarios that are specific to them:

An attacker sits in a car across the street from an organization and uses a high-powered antenna to intercept packets from the organization's wireless network. After intercepting packets, he performs an offline attack on the packets that were transmitted over the wireless network to obtain the Wired Equivalent Privacy (WEP) key that is used to help to protect the data. The attacker then configures his portable computer with the WEP key for the organization's WAN and then connects to the organization's network.

An attacker forges e-mail from another employee and sends a message to the company president. The message contains links to Web sites that contain offensive content.

STRIDE Threat Model and Security of Data Transmission

Threats and vulnerabilities to data transmission differ, depending on the mode of transmission and the goals of the attacker. Threats can range from passive monitoring to malicious disruption of traffic. For example, an attacker who wants to gain knowledge about data while it is transmitted can passively monitor the network from within an organization. This type of attack reveals data but does not interrupt data transmission. However, an attacker who wants to stop the transmission of traffic entirely can attempt a denial-of-service attack over the Internet that prevents legitimate traffic from flowing to and from a network.

When identifying threats to data transmission, the Spoofing, Tampering, Repudiation, Information disclosure, Denial of service, Elevation of privilege (STRIDE) threat model can be applied. Each threat category described by STRIDE has a corresponding set of countermeasure techniques that must be used to reduce risk. The appropriate countermeasure depends upon the specific attack.

STRIDE Threat Categories and Attack Methods

Typical threats to data transmission include:

Spoofing
Spoofing an IP address to make packets appear to come from the internal network to bypass the access control list (ACL) on a router.

Tampering
Forging Internet Control Message Protocol (ICMP) packets to carry out an attack on a third party.
Modifying data in transit.

Repudiation
Sending forged e-mail from a company official.

Information disclosure
Reading packets.
Using a man-in-the-middle attack to intercept network traffic.

Denial of service
Flooding a computer with TCP SYN messages.
Using multiple computers to automatically flood a network.

Elevation of privilege
Viewing authentication traffic.
Viewing network management traffic.
Reading wireless encryption packets.

Activity: Identifying Threats to Data Transmission

In this activity, you will identify the costs to your organization of protecting data transmission.

Scenario

Contoso Pharmaceuticals is implementing a Web site so that customers can view their order histories over the Internet. Management has asked you to design a strategy for securing data transmission.

To add security to Web transactions, one of the network administrators recommends using Secure Sockets Layer (SSL) on all sessions to the Web site. She also recommends purchasing and installing an SSL hardware accelerator card. Management is reluctant to purchase the SSL certificate that is required for using SSL, which costs $2,500. You determine that the SSL hardware accelerator card costs approximately $1,500.

After discussing the issue with the other network administrators, you determine that management does not understand the possible threats to the information that will be transmitted.

Questions

Q: How would you explain to management the threats so that you could justify the cost of the SSL certificate and SSL hardware accelerator card?

A: Compile data to show that the cost of the certificate and accelerator card is less than the Annual Loss Expectancy (ALE) from exposing customer information to attackers.

A: The potential ALE from such attacks is significant. The Web connection over the Internet is a public network, which has a low degree of trust. Customer information that could be threatened by network monitoring and other attacks includes addresses, telephone and credit card numbers, and information about the order. If an attacker compromises customer information that is not protected by using SSL, the negative publicity could cause customers to leave.

Lesson 2: Creating a Design for Security of Data Transmission

Designing security for data transmission requires that you secure communication across the network at the various layers of the four-layer Department of Defense Internet model. Each layer is vulnerable to various threats and therefore requires various methods for securing transmitted data.

Objectives

After completing this lesson, you will be able to:

Describe the process to determine security requirements for data transmission.
List methods for securing data communication channels.
Describe considerations for securing communication at the application layer.
Describe how IPsec secures data transmission.
Describe the process for securing communication at the data link and physical layers.
Apply some guidelines to choosing a VPN tunneling protocol.

Process to Determine Security Requirements for Data Transmission

To determine security requirements for data transmission:

1. Analyze business and technical requirements for securing data transmission. Your organization may have specific security requirements for data. For example, you may require encryption of all customer data when it is transmitted over public networks.
2. Determine what network traffic to secure. Not all data transmissions require the same level of security. Determine what types of network traffic must be secured, the level of security that they require, and the networks that you use to transmit data.
3. Identify requirements for operating systems and their compatibility with applications. Your organization may use applications or operating systems that support various data transmission protocols. You must determine how to secure the data despite these differences.
4. Identify methods for securing data transmission. There are often several methods that you can use to secure data transmission. Identify the method that is cost effective and provides the level of security that your organization requires.
5. Determine encryption requirements and restrictions. Transmission protocols may use a variety of encryption methods. Determine what encryption algorithms to use and the level of encryption that is necessary to secure data transmissions. Government or industry regulations for using encryption algorithms may also affect your decision.
6. Create an implementation strategy. After you complete your design, ensure that you create an implementation strategy for the security methods so that your organization deploys and implements them correctly.

Methods for Securing Communication Channels

A convenient way to understand data transmission security is to categorize where security can be applied at different layers of the Department of Defense Internet model. You can use different methods of security to secure data transmission at the application, network, data link, and physical layers.

Methods for Securing Traffic at Different DOD Model Layers

Use the following table as a guide to help you to select the appropriate method for securing data transmissions on your network.

Internet model layer: Methods for securing traffic

Application: SSL or TLS; SMB signing; S/MIME; 802.1x; RPC over HTTP(S)
Network: IPsec transport mode; IPsec tunnel mode
Data link: Switches rather than hubs; Port authentication
Physical: Strong physical security on wiring closets, data centers, Internet service providers (ISPs), and co-location facilities; Restrictions on access to the LAN from public areas

Considerations for Securing Communication at the Application Layer

Security protocols at the application layer provide various services and levels of security. You must select the appropriate protocol for the applications in your environment.

Application Layer Security Protocols

The most common protocols include:

SSL or Transport Layer Security (TLS). These protocols use public key and symmetric key encryption for TCP-based communications. Both SSL and TLS provide session encryption and integrity, and server authentication. SSL and TLS enable client computers and servers to communicate in a way that prevents successful eavesdropping, tampering, or message forgery. Both SSL and TLS require the use of digital certificates. To improve the performance of these protocols, add hardware accelerator cards or additional CPUs to servers.

Server Message Block (SMB) signing. This protocol provides mutual authentication of SMB hosts for file and print services. Enabling signing also provides data integrity for SMB messages that are exchanged by SMB hosts, such as when a computer that is running the Windows XP Professional operating system accesses a file share on a computer that is running Windows 2000 Server. SMB signing may significantly affect the performance of frequently used servers such as domain controllers. You must configure SMB signing on both client computers and servers. You can use Group Policy Objects (GPOs) to configure SMB signing.

Secure/Multipurpose Internet Mail Extensions (S/MIME). This protocol is a secure extension of Multipurpose Internet Mail Extensions (MIME) that is used for exchanging digitally signed or encrypted messages. It protects messages from interception and forgery by proving message origin and data integrity, and performing encryption. S/MIME requires the use of digital certificates.

802.1x. Uses port-based authentication to provide authenticated network access for Ethernet networks, including wireless and wired networks. Port-based network access control uses the physical characteristics of a switched LAN infrastructure to authenticate devices that are attached to a LAN port. It also prevents access to the port if the authentication process fails. 802.1x requires a public key infrastructure (PKI) and a Remote Authentication Dial-In User Service (RADIUS) infrastructure.

Remote Procedure Call (RPC) over Hypertext Transfer Protocol (HTTP). RPC over HTTP(S) enables users to remotely connect to a computer running Microsoft Exchange Server over the Internet without using a VPN connection. When you configure the Microsoft Outlook messaging and collaboration client to connect to the user's mailbox by using RPC over HTTP, the RPC packets that usually travel over TCP/IP directly are encapsulated in HTTP packets. This method is usually implemented with SSL to add session encryption and integrity, and server authentication to the HTTP session.

Securing Data Transmission by Using IPsec

Security Associations

IPsec is a rule-based security protocol that protects data transmission at the network layer. When two IPsec-enabled computers communicate, they must agree on the IPsec configuration for the session. This agreement is called the security association.

Encryption

IPsec uses the following encryption methods:

Data Encryption Standard (DES). Consists of a 56-bit symmetric cipher that is no longer considered secure.
Triple DES (3DES). Consists of a 128-bit symmetric cipher that is based on the DES algorithm.
Secure Hash Algorithm Version 1.0 (SHA1). Creates a 160-bit hash. Required for compliance with the Federal Information Processing Standard (FIPS).
Message Digest 5 (MD5). Creates a 128-bit hash.
Diffie-Hellman (DH). An asymmetric key exchange protocol that is based on discrete logarithms.

For all computers that use IPsec, you must design IPsec policies that include the elements that are listed in the slide for the previous topic, Considerations for Securing Communication at the Application Layer. In addition, consider how IPsec affects network performance, network monitoring, and intrusion detection software. Also, determine whether IPsec is compatible with any older or non-Microsoft operating systems that your organization uses.

Process for Securing Communication at the Data Link and Physical Layers

To prevent attackers from compromising data at the data link and physical layers, you must follow this process:

1. Require port authentication on switches. You can use 802.1x to authenticate on a port-by-port basis all devices that connect to a switch. Use port authentication to prevent unauthorized devices from connecting to your organization's network.
2. Replace hubs with switches. You can make network packet sniffing much more difficult for attackers by replacing passive hubs with active switches.
3. Restrict access to sensitive areas such as wiring closets and data centers. Only authorized personnel should have access to areas where network devices and communication links are physically located. Securing these areas can prevent an attacker from directly connecting to the network or sabotaging equipment.
4. Prohibit LAN access from public areas. These areas are generally associated with a low level of trust. Prohibit or greatly restrict access to LAN connections in public areas to prevent attackers from directly accessing your network.

Guidelines for Choosing a VPN Tunneling Protocol

If you must provide remote access to your network, you can help to secure the data transmissions by providing VPN tunnels.

VPN Tunneling Protocols

A VPN uses both public and private networks to create a network connection. The Windows Server 2003 operating system supports Point-to-Point Tunneling Protocol (PPTP) and Layer 2 Tunneling Protocol (L2TP) for securing VPN connections.

PPTP. A Layer 2 protocol that encapsulates Point-to-Point Protocol (PPP) frames in IP datagrams for transmission over IP-based networks such as the Internet. PPTP uses the Microsoft Point-to-Point Encryption (MPPE) protocol to secure PPTP tunnels.

L2TP. Encapsulates PPP frames that are sent over IP-based or connection-oriented networks, such as frame relay networks. When configured to use IP as its datagram transport, L2TP can be used as a tunneling protocol over the Internet. L2TP has no native encryption method. If you use L2TP, you must use IPsec to secure the L2TP tunnel.

Considerations

Considerations for using tunneling protocols include:

Compatibility with Network Address Translation (NAT). Although NAT-Traversal (NAT-T) is fully supported in the Windows operating system, IPsec cannot be used to access a server behind a NAT, because NAT changes the IP header of packets. For more information about why IPsec NAT-T is not recommended for computers running Windows Server 2003 that are behind network address translators, see "IPsec NAT-T is not recommended for Windows Server 2003 computers that are behind network address translators" on the Microsoft Web site. For more information about how to configure an L2TP/IPsec server behind a NAT-T device in the Windows Vista operating system, see "How to configure an L2TP/IPsec server behind a NAT-T device in Windows Vista" on the Microsoft Web site.

User authentication. Both PPTP and L2TP authenticate the user account that initiates the tunnel.

Computer authentication. When using L2TP, IPsec certificates authenticate the client computer and the server. PPTP does not authenticate computer accounts.

Compatibility with other operating systems. L2TP and IPsec are supported by many operating systems and network devices. PPTP is primarily used by older Windows-based computers.

Support for workstations running the Windows NT version 4.0 operating system. Windows NT 4.0 natively supports the PPTP protocol. With the addition of the L2TP/IPsec VPN client application, which was released in July 2002, Windows NT 4.0 can also support the L2TP and IPsec protocols for VPN connections.

Practice: Data Transmission Threats and Countermeasures

This practice enables you to review the difference between IPsec-encrypted and unencrypted data transmissions.

Objectives

In this practice, you will:

Start Network Monitor.
Capture and read an unencrypted transfer.
Enable IPsec.
Capture and attempt to read an encrypted transfer.

Instructions

Start the 2830B-LON-DC1 virtual machine.
Start the 2830B-GLA-STA virtual machine.
Start the 2830B-BON-CL1 virtual machine.

To start Network Monitor

1. Log on to Glasgow as Administrator with a password of Pa$$w0rd
2. Click Start, point to All Programs, point to Microsoft Network Monitor 3.1, and then click Microsoft Network Monitor 3.1.
3. In the Microsoft Network Monitor 3.1 dialog box, under Select Networks, ensure Local Area Connection is selected, and then click P-Mode.
4. In the Microsoft Network Monitor 3.1 dialog box, under Capture Network Traffic, click Create a new capture tab.

To capture and read an unencrypted transfer

1. Log on to Bonn as Contoso\Administrator with a password of Pa$$w0rd
2. Click Start, and then click Run.
3. In the Open box, type \\london\share1 and then press ENTER.
4. Switch to Glasgow.
5. In the Microsoft Network Monitor 3.1 dialog box, on the menu, click Capture, and then click Start.
6. Switch to Bonn.
7. In the share1 on London dialog box, double-click Test Doc.txt.
8. When Test Doc has opened, switch to Glasgow.
9. In the Microsoft Network Monitor 3.1 dialog box, on the menu, click Capture, and then click Stop.
10. In the Network Conversations pane, click Other Traffic.
11. Scroll down the Frame Summary pane and click the entry that has:
    Source: The IP address for London
    Destination: The IP address for Bonn
    Protocol Name: SMB
    Description: SMB: R; Read Andx, FID = 0x0000, 23 bytes
12. Scroll down the Hex Details pane of this frame and notice that it includes the words, THIS IS A TEST OF IPSEC.
13. Close Microsoft Network Monitor 3.1 without saving any changes.

To enable IPsec

1. Log on to London as Administrator with a password of Pa$$w0rd
2. Click Start, and then click Run.
3. In the Open box, type mmc and then click OK.
4. In Console1, click File, and then click Add/Remove Snap-in.
5. In Add/Remove Snap-in, click Add.
6. Click IP Security Policy Management, click Add.
7. In the Select Computer or Domain dialog box, ensure Local computer is selected, and then click Finish.
8. In Add Standalone Snap-in, click Close.
9. In Add/Remove Snap-in, click OK.
10. Click IP Security Policies on Local Computer.
11. In the results pane, right-click Secure Server (Require security), and then click Assign.
12. Close any open windows without saving any changes.
13. Switch to Bonn.
14. Close any open windows.
15. Click Start, and then click Control Panel.
16. In Control Panel, double-click Administrative Tools.
17. Double-click Local Security Policy.
18. Click IP Security Policies on Local Computer.
19. In the results pane, right-click Client (Respond Only), and then click Assign.
20. Close any open windows.

To capture and attempt to read an encrypted transfer

1. On Bonn, click Start, and then click Run.
2. In the Open box, type \\london\share1 and then press ENTER.
3. Switch to Glasgow.
4. Click Start, point to All Programs, point to Microsoft Network Monitor 3.1, and then click Microsoft Network Monitor 3.1.
5. In the Microsoft Network Monitor 3.1 dialog box, under Select Networks, ensure Local Area Connection is selected, and then click P-Mode.
6. In the Microsoft Network Monitor 3.1 dialog box, under Capture Network Traffic, click Create a new capture tab.
7. In the Microsoft Network Monitor 3.1 dialog box, on the menu, click Capture, and then click Start.
8. Switch to Bonn.
9. In the share1 on London dialog box, double-click Test Doc.
10. When the Test Doc has opened, switch to Glasgow.
11. In the Microsoft Network Monitor 3.1 dialog box, on the menu, click Capture, and then click Stop.
12. In the Network Conversations pane, click Other Traffic.
13. Scroll down the Frame Summary pane and notice that all packets between London and Bonn are using the Encapsulating Security Payload (ESP) protocol.

After Completing This Practice

Close the 2830B-BON-CL1 virtual machine. Do not save changes.
Close the 2830B-GLA-STA virtual machine. Do not save changes.
Close the 2830B-LON-DC1 virtual machine. Do not save changes.
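
The comparison this practice makes by eye in Network Monitor can also be scripted. The following Python sketch is an added example, not part of the original courseware: it parses raw IPv4 packets and reports whether a conversation between two hosts is carried entirely in ESP with the known test string unreadable. The IP addresses, port numbers, SPI values and packet bytes are constructed sample data, and the "ciphertext" is a stand-in rather than real IPsec output.

```python
import hashlib
import socket
import struct

# IANA IP protocol numbers; ESP (50) is what the practice expects once IPsec is assigned.
PROTO_NAMES = {6: "TCP", 17: "UDP", 50: "ESP", 51: "AH"}

# Constructed sample values (assumptions): the page gives no addresses.
LONDON, BONN, OTHER = "192.0.2.10", "192.0.2.20", "192.0.2.99"
MARKER = b"THIS IS A TEST OF IPSEC"  # the text the practice looks for in Hex Details


def build_ipv4(src, dst, proto, payload):
    """Build a minimal IPv4 packet (no options, checksum left at 0) for the demo."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                         proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return header + payload


def build_tcp(sport, dport, data):
    """Build a 20-byte TCP header (PSH+ACK, checksum 0) followed by data."""
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 8192, 0, 0) + data


def build_esp(spi, seq, body):
    """Build an ESP packet: SPI, sequence number, then the protected body."""
    return struct.pack("!II", spi, seq) + body


def parse_ipv4(packet):
    """Return (src, dst, protocol number, payload) or raise ValueError."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not a complete IPv4 header")
    ihl = (packet[0] & 0x0F) * 4
    total_len = struct.unpack("!H", packet[2:4])[0]
    if ihl < 20 or total_len < ihl or len(packet) < ihl:
        raise ValueError("inconsistent IPv4 lengths")
    src = socket.inet_ntoa(packet[12:16])
    dst = socket.inet_ntoa(packet[16:20])
    return src, dst, packet[9], packet[ihl:min(total_len, len(packet))]


def audit_conversation(packets, host_a, host_b, marker):
    """Classify every packet exchanged between host_a and host_b."""
    findings = []
    for raw in packets:
        try:
            src, dst, proto, payload = parse_ipv4(raw)
        except ValueError:
            continue  # skip frames that are not parseable IPv4
        if {src, dst} != {host_a, host_b}:
            continue  # traffic involving other hosts is out of scope
        spi = struct.unpack("!I", payload[:4])[0] if proto == 50 and len(payload) >= 8 else None
        findings.append({
            "src": src, "dst": dst,
            "protocol": PROTO_NAMES.get(proto, str(proto)),
            "spi": spi,
            "plaintext_visible": marker in payload,
        })
    return findings


def conversation_is_protected(findings):
    """True only if traffic exists, all of it is ESP, and the marker is never readable.

    Checking the marker as well as the protocol number matters: ESP negotiated
    with NULL encryption still shows as ESP but carries the data in the clear.
    """
    return bool(findings) and all(
        f["protocol"] == "ESP" and not f["plaintext_visible"] for f in findings)


FAKE_CIPHERTEXT = hashlib.sha256(MARKER).digest() * 2  # stand-in for encrypted bytes

CAPTURE_BEFORE = [  # constructed: no IPsec policy, SMB read reply over TCP 445
    build_ipv4(LONDON, BONN, 6, build_tcp(445, 49152, b"\xffSMB" + MARKER)),
    build_ipv4(OTHER, BONN, 17, b"unrelated"),
]
CAPTURE_AFTER = [  # constructed: IPsec policies assigned on both hosts
    build_ipv4(LONDON, BONN, 50, build_esp(0x1001, 1, FAKE_CIPHERTEXT)),
    build_ipv4(BONN, LONDON, 50, build_esp(0x2002, 1, FAKE_CIPHERTEXT)),
]
CAPTURE_ESP_NULL = [  # constructed: ESP with NULL encryption (integrity only)
    build_ipv4(LONDON, BONN, 50, build_esp(0x1001, 2, MARKER + b"\x00" * 12)),
]

if __name__ == "__main__":
    for name, capture in (("before", CAPTURE_BEFORE), ("after", CAPTURE_AFTER),
                          ("esp-null", CAPTURE_ESP_NULL)):
        result = audit_conversation(capture, LONDON, BONN, MARKER)
        print(name, "protected:", conversation_is_protected(result), result)
```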

Lab: Designing Security for Data Transmission

After completing this lab, you will be able to apply security design concepts to computer security.

Estimated time to complete this lab: 30 minutes

Lab Setup

Note: You only need to complete these steps once per course.

Before you begin the lab, you must:

1. Place the Student Materials CD in the CD-ROM drive.
2. Browse to the Webfiles folder on the CD, open the Downloads folder.
3. Double-click Allfiles.exe.
4. In the WinRAR self-extracting archive dialog box, click Install.

Note: The files will be copied to C:\Program Files\Microsoft Learning\2830 on your computer.

Lab Scenario

For some time now, Contoso Pharmaceuticals has been debating whether to install wireless networks. Susan Burk and Ellen Adams agree that Contoso Pharmaceuticals must evaluate wireless LAN access at the new business offices in Geneva.

Also, Garth Fort has approved the business-to-business (B2B) project. The B2B architects are busy making some of the design changes that have been suggested. John Y. Chen has sent you an e-mail that summarizes the changes.

One thing that the B2B architects are not doing is designing the security for data transmission. Garth Fort continually reminds Contoso Pharmaceuticals employees how competitive the business is, so you must make sure that no one can eavesdrop on the B2B information when it is sent between servers.

Exercise 1: Identifying Potential Data Transmission Vulnerabilities

In this exercise, you will advise the organization on the potential vulnerabilities of data in transit.

Scenario

Ellen Adams has read several news articles on the Internet that discuss security problems with wireless networks. Before she gives final approval to the project, she wants to understand the security implications of wireless LAN access.

If Contoso Pharmaceuticals installs wireless LAN access in the buildings at the Geneva facility, the organization will save $50,000 in construction costs because of reduced wiring and will improve employee productivity. Therefore, Ellen plans to approve the project.

To ensure that security is maintained, Ellen wants you to prepare a list of the risks that are involved with installing an b wireless network in the buildings at the Geneva facility, and document how to mitigate those risks.

The principal tasks for this exercise are as follows:

Prepare a list of the risks that are involved with installing an b wireless network.
Document mitigations for each of the risks identified.

Task

1. Prepare a list of the risks that are involved with installing an b wireless network.
2. Document mitigations and considerations for each of the risks identified.

Supporting information

Apply the STRIDE threat model to an b wireless network.
Use Job Aid 10 worksheet 1 from the C:\Program Files\Microsoft Learning\2830\Mod10\Labfiles\Job_Aids folder.

Exercise 2: Implementing Countermeasures

In this exercise, you will implement countermeasures to help protect the transmission of data.

Scenario

Garth Fort has approved the plans for the B2B Web site, but the security of transmitted data must still be ensured. You must review the design changes that John Y. Chen is sending you and then send Ellen a list of the traffic on the B2B network that is vulnerable, and what can be done to help protect it.

The principal tasks for this exercise are:
- Read the e-mail from John Y. Chen.
- Document the vulnerable traffic on the B2B network.
- Suggest countermeasures to protect the traffic on the B2B network.

Task 1. Read the e-mail from John Y. Chen.
Supporting information:
- Open the C:\Program Files\Microsoft Learning\2830\Mod10\Labfiles \ s folder.
- Read the John Y. Chen B2B Approved.

Task 2. Document the vulnerable traffic on the B2B network.
Supporting information:
- Use Job Aid 10 worksheet 2 from the C:\Program Files\Microsoft Learning\2830\Mod10\Labfiles\Job_Aids folder.

Task 3. Suggest countermeasures to protect the traffic on the B2B network.
Supporting information:
- Use Job Aid 10 worksheet 2 from the C:\Program Files\Microsoft Learning\2830\Mod10\Labfiles\Job_Aids folder.

Note: The answers to the practices and labs are on the Student Materials CD.


Executive Summary and Purpose ver,1.0 Hardening and Securing Opengear Devices Copyright Opengear Inc. 2013. All Rights Reserved. Information in this document is subject to change without notice and does not represent a commitment on

More information

How To Install Outlook Addin On A 32 Bit Computer

How To Install Outlook Addin On A 32 Bit Computer Deployment Guide - Outlook Add-In www.exclaimer.com Contents About This Guide... 3 System Requirements... 4 Software... 4 Installation Files... 5 Deployment Preparation... 6 Installing the Add-In Manually...

More information

Application Note. Providing Secure Remote Access to Industrial Control Systems Using McAfee Firewall Enterprise (Sidewinder )

Application Note. Providing Secure Remote Access to Industrial Control Systems Using McAfee Firewall Enterprise (Sidewinder ) Application Note Providing Secure Remote Access to Industrial Control Systems Using McAfee Firewall Enterprise (Sidewinder ) This document describes how to configure McAfee Firewall Enterprise to provide

More information

CS 356 Lecture 27 Internet Security Protocols. Spring 2013

CS 356 Lecture 27 Internet Security Protocols. Spring 2013 CS 356 Lecture 27 Internet Security Protocols Spring 2013 Review Chapter 1: Basic Concepts and Terminology Chapter 2: Basic Cryptographic Tools Chapter 3 User Authentication Chapter 4 Access Control Lists

More information

Virtual Private Networks

Virtual Private Networks Virtual Private Networks ECE 4886 Internetwork Security Dr. Henry Owen Definition Virtual Private Network VPN! Virtual separation in protocol provides a virtual network using no new hardware! Private communication

More information

Kaseya Server Instal ation User Guide June 6, 2008

Kaseya Server Instal ation User Guide June 6, 2008 Kaseya Server Installation User Guide June 6, 2008 About Kaseya Kaseya is a global provider of IT automation software for IT Solution Providers and Public and Private Sector IT organizations. Kaseya's

More information

How To Set Up A Load Balancer With Windows 2010 Outlook 2010 On A Server With A Webmux On A Windows Vista V2.2.5.2 (Windows V2) On A Network With A Server (Windows) On

How To Set Up A Load Balancer With Windows 2010 Outlook 2010 On A Server With A Webmux On A Windows Vista V2.2.5.2 (Windows V2) On A Network With A Server (Windows) On Load Balancing Exchange 2010 OWA for External Access using WebMux Published: April 2011 Information in this document, including URL and other Internet Web site references, is subject to change without

More information

Security + Certification (ITSY 1076) Syllabus

Security + Certification (ITSY 1076) Syllabus Security + Certification (ITSY 1076) Syllabus Course: ITSY 1076 Security+ 40 hours Course Description: This course is targeted toward an Information Technology (IT) professional who has networking and

More information

Hyper-V Server 2008 Getting Started Guide

Hyper-V Server 2008 Getting Started Guide Hyper-V Server 2008 Getting Started Guide Microsoft Corporation Published: October 2008 Author: Cynthia Nottingham Abstract This guide helps you become familiar with Microsoft Hyper-V Server 2008 by providing

More information