Securing Perimeter with ISA Server 2004
Download
Report
Transcript Securing Perimeter with ISA Server 2004
Securing the Network
Perimeter with
ISA Server 2004
Ravi Sankar
IT Professional Evangelist
Microsoft
Session Prerequisites
Hands-on experience with Microsoft Windows Server
Basic understanding of internal and remote network security
fundamentals
Experience implementing network resources such as Web
servers, FTP servers, and computers running Microsoft
Exchange Server
Level 200
Session Overview
Introduction to ISA Server 2004
Securing Access to Internal Servers
Implementing Application and Web Filtering
Securing Access to Exchange Server
Virtual Private Networking with ISA Server 2004
Introduction to ISA Server 2004
Introduction to ISA Server 2004
Securing Access to Internal Servers
Implementing Application and Web Filtering
Securing Access to Exchange Server
Virtual Private Networking with ISA Server 2004
Securing the Network Perimeter: What Are the Challenges?
Business partner
Main office
Challenges Include:
Determining proper firewall design
Internet
Access to resources for remote
users
Wireless
Effective monitoring and reporting
Need for enhanced packet
inspection
Security standards compliance
Remote user
Branch office
Securing the Network Perimeter: What Are the
Design Options?
Bastion host
Three-legged configuration
Internal network
Web server
Internal network
Perimeter
network
Back-to-back configuration
Internal network
Perimeter
network
Internet
Configuring ISA Server to Secure the Network Perimeter
Use ISA Server to:
Provide firewall functionality
Publish internal resources such as Web or Exchange servers
Implement multilayer packet inspection and filtering
Provide VPN access for remote users and sites
Provide proxy and caching services
LAN
Web
Server
Web
Server
ISA
Server
VPN
Server
Internet
User
Exchange
Server
Remote User
Installing ISA Server 2004
RAM
Windows 2000 Server or
Windows Server 2003
CPU
256 MB
500 MHz
Hard Disk Format
Hard Disk Space
NTFS
Internal NIC
External NIC
150 MB
Choose an installation type and installation components
Configure the internal network
What Is the ISA Server 2004 Default Configuration?
The ISA Server default configuration blocks all network
traffic between networks connected to ISA Server
Only members of the local Administrators group have
administrative permissions
Default networks are created
Access rules include system policy rules and the
default access rule
No servers are published
Caching is disabled
The Firewall Client Installation Share is accessible if
installed
Managing ISA Server 2004
Monitoring ISA Server 2004
Components
Explanation
Alerts
Monitors ISA Server for configured events and then
performs actions when the specified events occur
Sessions
Provides information on the current client sessions
Logging
Reports
Connectivity
Performance
Provides detailed information about the Web proxy,
Microsoft Firewall service, or SMTP Message
Screener
Summarizes information about the usage patterns
on ISA Server
Enables monitoring of connections from the
computer running ISA Server to any other computer
or URL on any network
Monitors server performance in real time, creates a
log file of server performance, or configures
performance alerts
Configuring Access Rules
Types of access rule elements used to create access rules are:
Protocols
User sets
Content types
Schedules
Network objects
Access rules always define:
Allow
Deny
User
Destination network
Destination IP
Destination site
an action on traffic from user from source to destination with conditions
Protocol
IP port/type
Source network
Source IP
Schedule
Content type
Configuring ISA Server to Enable Access to
Internet Resources
Is the…
User allowed access?
Computer allowed access?
Protocol allowed?
Destination allowed?
Content allowed?
ISA
server
Proxy server
Web
server
Implementing Network Templates to Configure
ISA Server 2004
Bastion host
Internal network
Three-legged configuration
Internal network
Web server
Deploy the Edge
Firewall template
Internet
Perimeter
network
Deploy the 3-Leg
Perimeter template
Back-to-back configuration
Internal network
Deploy the
Front end
or Back end
template
Perimeter
network
Deploy the Single Network Adapter template for Web proxy and caching only
Demonstration 1: Applying a Network Template
Use a network template to configure
ISA Server 2004 as an edge firewall
Deploying ISA Server 2004: Best Practices
To deploy ISA Server to provide Internet access:
Plan for DNS name resolution
Create the required access rule elements and
configure the access rules
Plan the access rule order
Implement the appropriate authentication
mechanisms
Test access rules before deployment
Deploy the Firewall Client for maximum security and
functionality
Use ISA Server logging to troubleshoot Internet
connectivity issues
Securing Access to Internal Servers
Introduction to ISA Server 2004
Securing Access to Internal Servers
Implementing Application and Web Filtering
Securing Access to Exchange Server
Virtual Private Networking with ISA Server 2004
Securing Access to Internal Servers: What Are
the Challenges?
The challenges vary depending on the type of access that
is required:
Access to
public
Web sites
• Ensure that only the specified Web sites are
accessible
• Filter traffic at the application layer
• Hide the complexity of the internal network
Access to
secure
Web sites
• Enable authentication
Access to
non-Web
resources
• Ensure that only the specified servers are
accessible
• Enable data encryption
• Filter traffic at the application layer
What Is ISA Server Publishing?
ISA Server enables three types of publishing rules:
Web publishing rules for publishing Web sites using HTTP
Secure Web publishing rules for publishing Web sites that
require SSL for encryption
Server publishing rules for publishing servers that do not
use HTTP or HTTPS
Implementing ISA Server Web Publishing Rules
To create a Web publishing rule, configure:
Action
Web listener
Name or IP address
Path mappings
Users
Bridging
Traffic source
Link translation
Public name
Implementing ISA Server Secure Web Publishing Rules
To create a secure Web publishing rule:
Choose an SSL bridging mode or SSL tunneling
Install a digital certificate on ISA Server, on a Web server, or on
both
Configure a Web listener for SSL
Configure a secure Web publishing rule
Demonstration 2: Configuring a Secure Web
Publishing Rule
Configure a secure Web publishing rule to
an internal Web server
Implementing Server Publishing Rules
To create a server publishing rule, configure:
Action
Traffic
Traffic source
Traffic destination
Networks
To enable secure server
publishing, configure ISA
Server to publish a secure
protocol, and then install a
server certificate on the
published server
Securing Access to Internal Servers: Best Practices
To enable access to internal servers:
Implement a split DNS for internal and external
access to the resources
Become familiar with Web access error messages
Implement SSL certificates correctly
Implementing Application and Web Filtering
Introduction to ISA Server 2004
Securing Access to Internal Servers
Implementing Application and Web Filtering
Securing Access to Exchange Server
Virtual Private Networking with ISA Server 2004
Firewall Requirements: Multiple-Layer Filtering
Packet filtering:
Filters packets based on information in the network and transport
layer headers
Enables fast packet inspection, but cannot detect higher-level attacks
Stateful filtering:
Filters packets based on the TCP session information
Ensures that only packets that are part of a valid session are
accepted, but cannot inspect application data
Application filtering:
Filters packets based on the application payload in network packets
Can prevent malicious attacks and enforce user policies
Application and Web Filters in ISA Server 2004
Application filters:
Are add-ons to the firewall service
Enable firewall traversal for complex protocols
Enable application-layer intrusion detection
Enable application-layer content filtering
Web filters:
Are DLLs based on the ISAPI model
Enable request and response scanning and modification
Enable blocking of specific responses
Enable traffic logging and analysis
Enable data encryption and compression
Enable custom authentication schemes
Implementing HTTP Web Filtering in ISA Server 2004
Use HTTP Web filtering to:
Filter traffic from internal clients to other networks
Filter traffic from Internet clients to internal Web servers
HTTP Web filtering is rule-specific—you can configure
different filters for each access or publishing rule
HTTP Web filtering can block HTTP packets based on:
Length of request headers and payload
Length of URL
HTTP request method
HTTP request file name extension
HTTP request or response header
Signature or pattern in the response header or body
Demonstration 3: Application Filtering in ISA Server 2004
Edit the default application filtering that is
performed by ISA Server 2004
Implementing the HTTP Web Filter: Best Practices
To configure a baseline HTTP filter:
Configure maximum header, payload, URL, and
query lengths
Verify normalization, and do not block high-bit characters
Allow only GET, HEAD, and POST
Block executable and server-side includes extensions
Block potentially malicious signatures
Use the HTTPFilterConfig.vbs script from the ISA
Server CD to import and export HTTP filter
configurations
Securing Access to Exchange Server
Introduction to ISA Server 2004
Securing Access to Internal Servers
Implementing Application and Web Filtering
Securing Access to Exchange Server
Virtual Private Networking with ISA Server 2004
Secure Client Access to Exchange Server: What Are
the Challenges?
Outlook mobile access
XHTML, cHTML, HTML
Exchange
front-end
server
Wireless
network
ISA
server
Exchange
back-end
servers
ActiveSync-Enabled
mobile devices
Outlook web access
Outlook using RPC
Outlook using RPC
over HTTP
Outlook express
using IMAP4 or
POP3
Configuring Secure Outlook RPC Client Access
ISA
server
Exchange
servers
Exchange UUID = 2000
Use the mail server
publishing rule to enable
Outlook RPC connections
Port 135
Exchange UUID = 3000
Outlook
client
Configuring RPC over HTTP Client Access
RPC over HTTP requires:
Outlook 2003 running on Windows XP
Exchange Server 2003 running on Windows Server 2003
and Windows Server 2003 global catalog servers
Windows Server 2003 server running RPC proxy server
Modifying the Outlook profile to use RPC over HTTP to
connect to the Exchange server
To enable RPC over HTTP connections through ISA
Server, use the Secure Web Publishing Wizard to
publish the /rpc/*virtual directory
Configuring ISA Server for Outlook Web Access
To configure ISA Server to enable OWA access:
1
Use the Mail Server Publishing Wizard to publish
the OWA server
2
Configure a bridging mode. For best security, secure the
connection from client to ISA Server and from ISA Server
to OWA server
3
Configure a Web listener for OWA publishing. Choose
forms-based authentication for the Web listener
Forms-based authentication ensures that user
credentials are not stored on the client computer; can be
used to block access to attachments
Demonstration 4: Configuring Outlook Web Access
Configure an OWA publishing rule and
forms-based authentication
Securing Access to Exchange Server: Best Practices
Enable Outlook RPC connections for pre–Exchange
Server 2003 and Outlook 2003 environments
Use forms-based authentication on ISA Server for
OWA
Implement RPC over HTTP with SSL
Explore the use of additional ISA Server features to
protect computers running Exchange Server
Consider third-party add-ons for ISA Server to
protect computers running Exchange Server
Virtual Private Networking with ISA Server 2004
Introduction to ISA Server 2004
Securing Access to Internal Servers
Implementing Application and Web Filtering
Securing Access to Exchange Server
Virtual Private Networking with ISA Server 2004
Virtual Private Networking: What Are the Challenges?
VPNs provide a secure option for communicating
across a public network
VPNS are used in two primary scenarios:
Network access for remote clients
Network access between sites
VPN quarantine control provides an additional level of
security by providing the ability to check the
configuration of the VPN client machines before allowing
them access to the organization’s network
Enabling Virtual Private Networking with ISA Server
ISA Server enables VPN access:
By including remote-client VPN access for individual clients
and site-to-site VPN access to connect multiple sites
By enabling VPN-specific networks, including:
VPN Clients network
Quarantined VPN Clients network
Remote-site network
By using network and access rules to limit network traffic
between the VPN networks and the other networks with
servers running ISA Server
By extending RRAS functionality
Enabling VPN Client Connections
To enable VPN client connections:
Choose a tunneling protocol
Choose an authentication protocol
Use MS-CHAP v2 or EAP if possible
Enable VPN client access in ISA Server Management
Configure user accounts for remote access
Configure remote-access settings
Configure firewall access rules for the VPN Clients
network
Implementing Site-to-Site VPN Connections
To enable site-to-site VPN connections:
Choose a tunneling protocol
Configure the remote-site network
Configure network rules and access rules to enable:
open communications between networks, or
controlled communications between networks
Configure the remote-site VPN gateway
How Does Network Quarantine Work?
VPN
VPN Clients
clients network
Network
Domain
Controller
controller
Web
Server
server
Quarantine script
Quarantine remote
access policy
RQC.exe
Rqc.exe
ISA
Server
server
DNS
Server
server
File
Server
server
Quarantined
VPN Quarantine
VPN
Clients Network
Implementing Network Quarantine
To implement quarantine control on ISA Server:
1 Create a client-side script that validates client
configuration
2 Use CMAK to create a CM profile for remote-access
clients
3 Create and install a listener component
4 Enable quarantine control on ISA Server
5 Configure network rules and access rules for the
Quarantined VPN Clients network
Demonstration 5: Configuring Site-to-Site VPN Connections
Configure ISA Server on one site to enable
site-to-site VPN connections
Configuring VPN Access Using ISA Server: Best Practices
Use strongest possible authentication protocols
Enforce the use of strong passwords when using PPTP
Avoid the use of pre-shared keys for L2TP/IPSec
Configure access rules to control access for VPN clients
and site-to-site VPN connections
Use access rules to provide quarantined VPN clients
with the means to meet the security requirements
Session Summary
ISA Server 2004 is secure by default because it blocks all
traffic—configure access rules to provide the fewest possible
access rights
Many applications now use HTTP as a tunneling protocol—use
HTTP filtering to block the applications
Implementing Outlook RPC publishing and RPC over HTTP
publishing means that users can use Outlook from anywhere
Implement ISA Server publishing rules to make internal
resources accessible from the Internet
Use access rules to limit access for VPN remote-access
clients, site-to-site VPN clients, and network quarantine clients
Next Steps
Find additional security training events:
http://www.microsoft.com/seminar/events/security.mspx
Sign up for security communications:
http://www.microsoft.com/technet/security/signup/
default.mspx
Attend Course 2824: Implementing Microsoft Internet
Security and Acceleration Server 2004
http://www.microsoft.com/learning/syllabi/en-us/
2824afinal.mspx
Get additional security information on ISA Server:
http://www.microsoft.com/technet/security/prodtech/isa/
default.mspx
Questions and Answers