Microsoft Internet Security and Acceleration (ISA) Server 2004: Technical Overview
Jirat Boomuang, Technology Specialist
Smith Mangmeetakun, Technology Specialist, Microsoft (Thailand) Limited
Agenda
Introducing ISA Server 2004
Filtering and Policies
Server Publishing and VPN
Monitoring and Alerts
“The advanced application layer firewall, VPN and Web cache solution that enables customers to maximize IT investments by improving network security and performance”
ISA Server 2004
Advanced Protection: Application layer security designed to protect Microsoft applications
Ease of Use: Efficiently deploy, manage, and enable new usage scenarios
Fast, Secure Access: Empowers you to connect users to relevant information on your network in a cost-efficient manner
Demonstration: Introducing ISA Server 2004
Explore the User Interface
Create Perimeter Network
Agenda
Introducing ISA Server 2004
Filtering and Policies
Server Publishing and VPN
Monitoring and Alerts
Why Application Layer Security Is Crucial
Most of today’s attacks are directed against applications. Examples: mail clients (worms, Trojan horse attacks), Web browsers (malicious Java applets)
Applications encapsulate traffic in HTTP traffic. Examples: peer-to-peer, instant messaging. Traditional firewalls cannot determine what traffic is sent or received
Dynamic port assignments require too many incoming ports to be opened. Examples: FTP, RPC
A Traditional Firewall’s View of a Packet
Only packet headers are inspected
Application layer content appears as a “black box”
IP Header: Source Address, Dest. Address, TTL, Checksum
TCP Header: Sequence Number, Source Port, Destination Port, Checksum
Application Layer Content: ????? (opaque to the firewall)
Forwarding decisions based on port numbers
Legitimate traffic and application layer attacks use identical ports
[Diagram: traffic from the Internet to the Corporate Network, labelled Expected HTTP Traffic, Unexpected HTTP Traffic, Attacks, Non-HTTP Traffic]
ISA Server’s View of a Packet
Packet headers and application content are inspected
IP Header: Source Address, Dest. Address, TTL, Checksum
TCP Header: Sequence Number, Source Port, Destination Port, Checksum
Application Layer Content: <html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><title>MSNBC - MSNBC Front Page</title><link rel="stylesheet"
Forwarding decisions based on content
Only legitimate and allowed traffic is processed
[Diagram: traffic from the Internet to the Corporate Network, labelled Allowed HTTP Traffic, Prohibited HTTP Traffic, Attacks, Non-HTTP Traffic]
Demonstration: Filtering and Policies
Configure Perimeter-Internal Access
Create Internet Access Firewall Policy
HTTP Scanning
System Policies
Agenda
Introducing ISA Server 2004
Filtering and Policies
Server Publishing and VPN
Monitoring and Alerts
Traditional Web Publishing
All traffic using TCP port 80 is sent to the Web server
One Web server per IP address
[Diagram: incoming traffic from the Internet to a single Web server; requests shown: http://www.contoso.com, http://39.1.1.1, http://www.contoso.com/../cmd?.., http://www.contoso.com/%2E%2E, http://www.contoso.com/scripts/]
ISA Server Web Publishing
ISA Server inspects the HTTP request; only allowed requests are forwarded
ISA Server can publish multiple servers
[Diagram: incoming traffic from the Internet to ISA Server, which forwards to several Web servers; requests shown: http://www.contoso.com, http://39.1.1.1, http://www.contoso.com/../cmd?.., http://www.contoso.com/%2E%2E, http://www.contoso.com/scripts/, http://www.fabrikam.com/partners]
Securing SSL Traffic
SSL: Confidentiality But No Traffic Inspection
SSL Bridging:
1. Client on Internet encrypts communications
2. ISA Server decrypts and inspects traffic
3. ISA Server sends allowed traffic to published server, re-encrypting it if required
Easy Configuration and Administration
Web Publishing Wizards make configuration easy and prevent configuration mistakes; monitoring tools show Web usage
Link Translation
Link translation solves problems with absolute references
[Diagram: an External Client requests http://www.contoso.com/default.htm from www.contoso.com over the Internet; the Web page on the internal server “teams” contains HREF=http://teams/sales; ISA Server rewrites the link to HREF=http://teams.contoso.com/sales, so the client’s follow-up request goes to http://teams.contoso.com/sales/]
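The rewrite shown in the link translation diagram, as an added example that is not part of the original deck and not ISA Server code: a small filter that rewrites absolute `href`, `src` and `action` references from an internal host name to its published external name. The mapping table takes its two names from the slide; the sample page and the `teamsite` host are constructed, and the attribute regex is this example's own approximation of what a full HTML rewriter would do.

```python
"""Link translation for a published Web page: absolute references to an
internal host name are rewritten to the published external name before
the response reaches the external client. Added example, not ISA Server
code; the mapping table and the sample page are constructed."""
import re

# Constructed mapping: internal name -> published external name.
# This plays the role of a Web publishing rule's link translation
# dictionary; the two names are the ones on the slide.
LINK_TABLE = {
    "http://teams": "http://teams.contoso.com",
}

# href/src/action attribute values, quoted with ", quoted with ', or bare.
_ATTR_RE = re.compile(
    r"""(?P<attr>\b(?:href|src|action)\s*=\s*)(?P<q>["']?)(?P<url>[^"'\s>]+)(?P=q)""",
    re.IGNORECASE,
)


def translate_url(url: str, table: dict) -> str:
    """Rewrite one URL when it starts with a mapped internal prefix.
    The match requires the prefix to end at a "/" boundary, so a rule for
    http://teams leaves http://teamsite/... untouched."""
    for internal, external in table.items():
        if url == internal or url.startswith(internal + "/"):
            return external + url[len(internal):]
    return url


def translate_links(html: str, table: dict = LINK_TABLE) -> str:
    """Rewrite every mapped absolute link attribute in an HTML document,
    preserving whatever quoting style the page used."""
    def repl(match):
        new_url = translate_url(match.group("url"), table)
        quote = match.group("q")
        return f'{match.group("attr")}{quote}{new_url}{quote}'
    return _ATTR_RE.sub(repl, html)


# Constructed sample page as the internal "teams" server would return it.
SAMPLE_PAGE = """<html><body>
<a href="http://teams/sales">Sales</a>
<img src='http://teams/logo.png'>
<a href=http://teams/sales/q1>Q1</a>
<a href="http://teamsite/other">Not mapped</a>
</body></html>"""

if __name__ == "__main__":
    print(translate_links(SAMPLE_PAGE))
```

The boundary check in `translate_url` is the part worth keeping in mind: a naive prefix match would also rewrite any host name that merely begins with the internal name, which is a common source of broken links after translation.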
Outlook Web Access: Traditional Firewall
Web traffic to OWA is encrypted: standard SSL encryption, security against eavesdropping and impersonation
Limitation: the OWA server is the only defense against application layer attacks
[Diagram: OWA traffic and Web server attacks travel from the Internet through an SSL tunnel to the Exchange Server]
Concept of defense in depth requires inspection of OWA traffic at the firewall
How ISA Server Protects OWA
Authentication: Unauthorized requests are blocked before they reach the Exchange server. Enforces all OWA authentication methods. Optional forms-based authentication prevents caching of credentials
Inspection: Invalid HTTP requests, or requests for non-OWA content, are blocked. Inspection of SSL traffic before it reaches the Exchange server
Confidentiality: Ensures encryption of traffic over the Internet. Can prevent the downloading of attachments to client computers
[Diagram: OWA traffic from the Internet passes through an SSL tunnel to ISA Server, where authentication and inspection take place, and on to the Exchange Server]
RPC and Traditional Firewalls
Open port 135 for incoming traffic
Open every port that RPC might use for incoming traffic
[Diagram: RPC Client (Outlook) on the Internet to RPC Server (Exchange). On TCP 135 the client asks “Port for {0E4A…}?” and is told “Port 4402”; data then flows to the server on port 4402]
Traditional firewalls can’t provide secure RPC access
RPC and ISA Server
[Diagram: the same exchange (TCP 135 query “Port for {0E4A…}?”, answer “Port 4402”, data on port 4402), with ISA Server between the RPC Client (Outlook) on the Internet and the RPC Server (Exchange)]
Initial connection: only allows valid RPC traffic; blocks non-Exchange queries
Secondary connection: only allows connection to the port used by Exchange; enforces encryption
ISA Server enables secure remote e-mail access using Outlook
How RPC over HTTP Works
RPC over HTTP encapsulates RPC traffic inside HTTP
Internal Web server (RPC proxy) extracts RPC traffic from HTTP
Advantage: most firewalls allow HTTP traffic
Problem: traditional firewalls leave the RPC proxy exposed to Web-based attacks
[Diagram: HTTP traffic carrying RPC traffic, and Web server attacks, travel from the Internet to the RPC proxy]
How ISA Server Protects RPC over HTTP
ISA Server terminates the SSL tunnel
Inspects HTTP traffic for protocol compliance
Blocks requests for all URLs except http://.../rpc/...
No direct connections from the Internet to the RPC Proxy Server
Application layer protection for HTTP traffic
[Diagram: HTTP traffic and Web server attacks from the Internet reach ISA Server first; only the RPC traffic continues to the RPC proxy]
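The content-based forwarding decision described on the Web publishing slides and on the RPC-over-HTTP slide, as one added example (not part of the deck and not ISA Server code). It models the step that happens after SSL bridging has exposed the plaintext request: select a publishing rule by Host header, normalise the URL, and forward only what the rule allows, so that the request URLs shown on the slides are sorted into forwarded and blocked. The rule table, the backend and `mail.contoso.com` host names, and the `RPC_IN_DATA` sample request are constructed for the example; the `/scripts/` block and `/rpc/`-only listener mirror the slide bullets rather than ISA Server's actual rule syntax.

```python
"""Content-based forwarding decisions for published Web servers.

Models what an HTTP-inspecting reverse proxy does before forwarding a
request: pick the publishing rule by Host header, normalise the URL, and
refuse requests that no published site should receive. Added example, not
ISA Server code. The rule table and host names are constructed; the sample
requests are the URLs shown on the slides plus one RPC-over-HTTP call."""
from dataclasses import dataclass
from urllib.parse import unquote, urlsplit
import posixpath


@dataclass(frozen=True)
class PublishingRule:
    public_host: str                      # Host header this rule accepts
    backend: str                          # internal server to forward to
    allowed_prefixes: tuple = ("/",)      # paths that may be forwarded
    blocked_prefixes: tuple = ()          # paths that are always refused
    allowed_methods: tuple = ("GET", "HEAD", "POST")


# Constructed rule table: two published Web sites and an RPC-over-HTTP
# listener that, as the slide puts it, forwards nothing but /rpc/.
RULES = (
    PublishingRule("www.contoso.com", "web1.internal",
                   blocked_prefixes=("/scripts/",)),
    PublishingRule("www.fabrikam.com", "web2.internal",
                   allowed_prefixes=("/partners",)),
    PublishingRule("mail.contoso.com", "rpcproxy.internal",
                   allowed_prefixes=("/rpc/",),
                   allowed_methods=("RPC_IN_DATA", "RPC_OUT_DATA")),
)


def normalize_path(raw_path: str):
    """Percent-decode twice (so %252E is also seen as '.') and collapse dot
    segments. Returns None if the path climbs above the published root or
    carries characters no legitimate request needs."""
    path = raw_path or "/"
    for _ in range(2):
        path = unquote(path)
    if "\x00" in path or "\\" in path or not path.startswith("/"):
        return None
    depth = 0
    for seg in path.split("/"):
        if seg == "..":
            depth -= 1
            if depth < 0:          # "/.." would escape the published root
                return None
        elif seg not in ("", "."):
            depth += 1
    clean = posixpath.normpath(path)
    if path.endswith("/") and not clean.endswith("/"):
        clean += "/"               # keep directory requests recognisable
    return clean


def decide(method: str, host: str, target: str, rules=RULES):
    """Return ("forward", backend) or ("block", reason) for one request."""
    host = host.split(":")[0].lower()
    rule = next((r for r in rules if r.public_host == host), None)
    if rule is None:
        return ("block", "host not published")   # e.g. a request by raw IP
    if method.upper() not in rule.allowed_methods:
        return ("block", "method not allowed for this listener")
    path = normalize_path(urlsplit(target).path)
    if path is None:
        return ("block", "path traversal or malformed path")
    if any(path.startswith(p) for p in rule.blocked_prefixes):
        return ("block", "path on block list")
    if not any(path.startswith(p) for p in rule.allowed_prefixes):
        return ("block", "path outside published content")
    return ("forward", rule.backend)


# Constructed sample requests: the URLs from the slides, plus an RPC call.
SAMPLE_REQUESTS = (
    ("GET", "www.contoso.com", "/"),
    ("GET", "39.1.1.1", "/"),
    ("GET", "www.contoso.com", "/../cmd?.."),
    ("GET", "www.contoso.com", "/%2E%2E"),
    ("GET", "www.contoso.com", "/scripts/"),
    ("GET", "www.fabrikam.com", "/partners"),
    ("RPC_IN_DATA", "mail.contoso.com", "/rpc/rpcproxy.dll?x:6001"),
    ("GET", "mail.contoso.com", "/rpc/rpcproxy.dll"),
)

if __name__ == "__main__":
    for request in SAMPLE_REQUESTS:
        print(request, "->", decide(*request))
```

Two details matter more than the rule table itself: the path is normalised before any prefix comparison, so `/%2E%2E` and `/../cmd` are treated identically, and the RPC listener constrains the HTTP method as well as the path, which is what "protocol compliance" buys over a port-80 allow rule.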
Easy Configuration and Administration
Mail Publishing Wizard makes configuration easy and prevents configuration mistakes
Network Access Quarantine
Client script checks whether the client meets corporate security policies: Personal firewall enabled? Latest virus definitions used? Required patches installed?
If checks succeed, client gets full access
If checks fail, client gets disconnected after timeout period
Goal: Prevent VPN clients that don’t meet security requirements from accessing the network
VPN Quarantine Process
[Diagram: VPN Client, ISA Server, Quarantine Resources]
1. Client computer connects.
2. ISA Server assigns client to Quarantined VPN Clients network, allowing access to limited resources.
3. Script on client computer checks configuration settings.
4. Script sends “success” notification to ISA Server.
5. ISA Server assigns client to VPN Clients network, providing access to internal network.
VPN Quarantine Components
ISA 2004
VPN client
VPN tunnel
Dial-up
Script
RQC.exe
RQS service (TCP 7250)
Firewall Service
RRAS
Connection Manager Administration Kit (CMAK)
Connection Manager profile
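The five-step quarantine process above, together with the three policy questions from the Network Access Quarantine slide, as an added simulation that is not part of the deck and not ISA Server, RQC.exe or RQS code. The client side runs the checks and only emits a "success" notification when all pass; the server side keeps each session in the Quarantined VPN Clients network until that notification arrives, and disconnects sessions that never report in before the timeout. The check names, the host snapshots, the session identifiers and the 120-second timeout are constructed for the example.

```python
"""Simulation of the VPN quarantine flow: the client-side script evaluates
the policy checks, reports "success" to the server, and the server moves
the session from the Quarantined VPN Clients network to the VPN Clients
network, or drops it when the timeout expires. Added example, not ISA
Server / RQC / RQS code; check names, host states, session ids and the
timeout value are constructed."""
from dataclasses import dataclass, field

# Constructed policy: the three questions on the slide.
REQUIRED_CHECKS = ("firewall_enabled", "av_definitions_current", "patches_installed")

QUARANTINE_TIMEOUT = 120.0   # seconds a client may stay quarantined (constructed)


@dataclass
class HostState:
    """Constructed snapshot of what the client script can observe locally."""
    firewall_enabled: bool
    av_definitions_current: bool
    patches_installed: bool


def client_script(host: HostState):
    """Step 3: run the checks; return the names of every check that failed."""
    return tuple(name for name in REQUIRED_CHECKS if not getattr(host, name))


def client_notify(host: HostState, session_id: str):
    """Step 4: the message the client sends after a clean result (the role
    RQC.exe plays). A failed check produces no success notification at all."""
    if client_script(host):
        return None
    return {"session": session_id, "status": "success"}


@dataclass
class QuarantineServer:
    """Server side (the RQS service / firewall service role): tracks which
    network each VPN session currently sits in."""
    sessions: dict = field(default_factory=dict)

    def connect(self, session_id: str, now: float):
        # Steps 1-2: every new session starts in the restricted network.
        self.sessions[session_id] = {"network": "Quarantined VPN Clients",
                                     "since": now}

    def receive(self, message, now: float):
        # Step 5: a success notification for a known quarantined session
        # moves it to the VPN Clients network. Anything else is ignored,
        # including repeats for sessions already released.
        if not message or message.get("status") != "success":
            return False
        session = self.sessions.get(message.get("session"))
        if session is None or session["network"] != "Quarantined VPN Clients":
            return False
        session["network"] = "VPN Clients"
        return True

    def expire(self, now: float):
        # Disconnect clients that never reported success within the timeout.
        dropped = tuple(sid for sid, s in self.sessions.items()
                        if s["network"] == "Quarantined VPN Clients"
                        and now - s["since"] >= QUARANTINE_TIMEOUT)
        for sid in dropped:
            del self.sessions[sid]
        return dropped

    def network_of(self, session_id: str):
        return self.sessions.get(session_id, {}).get("network", "disconnected")


def run_scenario():
    """Walk two constructed clients through the flow and report the outcome:
    (network of A, network of B, checks that B failed)."""
    server = QuarantineServer()
    compliant = HostState(True, True, True)
    stale = HostState(True, False, True)          # out-of-date virus definitions
    server.connect("A", now=0.0)
    server.connect("B", now=0.0)
    server.receive(client_notify(compliant, "A"), now=5.0)
    server.receive(client_notify(stale, "B"), now=5.0)   # None: nothing sent
    server.expire(now=QUARANTINE_TIMEOUT + 1)
    return server.network_of("A"), server.network_of("B"), client_script(stale)


if __name__ == "__main__":
    print(run_scenario())
```

The design point the simulation makes explicit is that the release decision lives on the server and is keyed to a session already in quarantine: a notification for an unknown or already-released session changes nothing, and silence is handled by the timeout rather than by trusting the client to disconnect itself.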
Demonstration: Server Publishing and VPN
Create Web Listener
Publish Web Site
Publish Exchange for OWA
Link Translation
Enable VPN
Agenda
Introducing ISA Server 2004
Filtering and Policies
Server Publishing and VPN
Monitoring and Alerts
Monitoring and Alerts
Dashboard
Monitoring and Alerting: Real-time view of firewall activity. Flexible alerting mechanism to warn of problems or suspicious activity: intrusion attempts, lack of connectivity, etc.
Logging: Detailed logging of all firewall activity. Choice of logging mechanisms: local database, SQL Server, text files
Reports: Summaries of firewall activity. Detailed information on types of traffic, user activities and more. Can be scheduled. Viewable with a Web browser. Export data for further analysis
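The "export data for further analysis" and "flexible alerting" bullets, as an added example that is not part of the deck and not ISA Server code: a parser for a W3C-style text log export followed by one alert rule run over it. The `#Fields` layout, the field names, the addresses and every log line below are constructed for the example and are not ISA Server's actual log schema; the alert rule (one client denied on several distinct destination ports within a short window) is a generic reading of the "intrusion attempts" bullet, not a rule the deck defines.

```python
"""Alerting logic run over exported firewall log text. Added example, not
ISA Server code: the W3C-style field layout is constructed for the example
and is not ISA Server's own log format; the log lines are constructed too."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed export: W3C extended-log style text with a #Fields directive.
SAMPLE_LOG = """\
#Software: constructed sample, not a real export
#Fields: date time c-ip s-ip s-port protocol action rule
2004-06-01 10:00:01 203.0.113.5 192.0.2.10 80 TCP Allowed Web-Publish
2004-06-01 10:00:02 203.0.113.9 192.0.2.10 21 TCP Denied Default
2004-06-01 10:00:02 203.0.113.9 192.0.2.10 22 TCP Denied Default
2004-06-01 10:00:03 203.0.113.9 192.0.2.10 23 TCP Denied Default
2004-06-01 10:00:03 203.0.113.9 192.0.2.10 25 TCP Denied Default
2004-06-01 10:00:04 203.0.113.9 192.0.2.10 110 TCP Denied Default
2004-06-01 10:00:04 203.0.113.9 192.0.2.10 143 TCP Denied Default
2004-06-01 10:00:05 203.0.113.5 192.0.2.10 443 TCP Allowed Web-Publish
2004-06-01 10:09:00 203.0.113.7 192.0.2.10 445 TCP Denied Default
2004-06-01 10:09:30 203.0.113.7 192.0.2.10 445 TCP Denied Default
"""


def parse_w3c(text):
    """Yield one dict per record, using the #Fields directive as the schema
    so the parser does not hard-code column positions."""
    fields = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line.split(":", 1)[1].split()
            continue
        if line.startswith("#") or fields is None:
            continue                   # other directives, or data before a schema
        values = line.split()
        if len(values) != len(fields):
            continue                   # truncated record: skip, don't misalign
        record = dict(zip(fields, values))
        record["timestamp"] = datetime.strptime(
            record["date"] + " " + record["time"], "%Y-%m-%d %H:%M:%S")
        yield record


def port_sweep_alerts(records, distinct_ports=5, window=timedelta(seconds=60)):
    """Alert on any client denied on at least `distinct_ports` different
    destination ports inside one sliding window. Returns a list of
    (client ip, sorted ports seen, window start) tuples, one per client."""
    denied = defaultdict(list)
    for rec in records:
        if rec["action"] == "Denied":
            denied[rec["c-ip"]].append((rec["timestamp"], int(rec["s-port"])))
    alerts = []
    for ip, events in denied.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            ports = {port for ts, port in events[i:] if ts - start <= window}
            if len(ports) >= distinct_ports:
                alerts.append((ip, tuple(sorted(ports)), start))
                break                  # one alert per client is enough
    return alerts


if __name__ == "__main__":
    for alert in port_sweep_alerts(parse_w3c(SAMPLE_LOG)):
        print("ALERT: %s denied on ports %s starting %s" % alert)
```

Reading the schema from the `#Fields` line is what makes the same parser usable across exports whose column order differs; the threshold and window are parameters precisely because the right values depend on the volume of denied traffic a given site normally sees.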
Session Summary
ISA Server 2004 provides many benefits: advanced application layer firewall, VPN, Web cache solution
ISA Server 2004 offers many improvements over ISA Server 2000: enhanced user interface, new features, improved functionality
© 2004 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.