Module 1: Overview of Microsoft ISA Server

Overview

Introducing ISA Server

Using Caching

Using Firewalls

Deployment Scenarios for ISA Server

The Internet enables organizations to connect with customers,
partners, and employees. Although this presents new business
opportunities, it can also cause concerns about security,
performance, and manageability.
Microsoft® Internet Security and Acceleration (ISA) Server 2000 is
designed to address the needs of today's Internet-enabled
organizations. ISA Server includes caching features that enable
organizations to save network bandwidth and provide faster Web
access for users. ISA Server also includes a firewall service that
helps protect network resources against unauthorized access from
outside of the organization's network, while enabling efficient
authorized access. Finally, ISA Server includes management and
administration features that enable organizations to centrally
control and manage Internet use and access.
After completing this module, you will be able to:

Explain the use of ISA Server.

Describe the use of Web caching.

Describe the use of firewalls.

Identify common deployment scenarios for ISA Server.
Introducing ISA Server

ISA Server Editions

Benefits of ISA Server

Installation Modes

ISA Server is an enterprise firewall and cache server
running on the Microsoft Windows® 2000 Server
operating system that provides policy-based access
control, acceleration, and management of
internetworking. ISA Server is available in two editions
that are designed to meet the business and networking
needs of your organization. Whether deployed as
separate components or as an integrated firewall and
caching server, ISA Server provides organizations with
a unified management console that is designed to
simplify security and access management.
In this lesson you will learn about the following topics:

ISA Server editions

Benefits of ISA Server

Installation modes
ISA Server Editions

ISA Server Standard Edition

ISA Server Enterprise Edition

ISA Server is available in two editions that are designed
to meet the business and networking needs of your
organization.
ISA Server Standard Edition

The standard edition provides firewall security and Web
caching capabilities for small businesses, workgroups,
and departmental environments. The standard edition
provides robust security, fast Web access, intuitive
management, and excellent price and performance for
business-critical environments.
ISA Server Enterprise Edition

The enterprise edition is designed to meet the
performance, management, and scalability needs of
high-volume Internet traffic environments with
centralized server management, multiple levels of
access policy, and fault-tolerant capabilities. The
enterprise edition provides secure, scalable, and fast
Internet connectivity for mission-critical environments.
Benefits of ISA Server
Acceleration
Fast Web Access with a High-Performance Cache
Security
Secure Internet Connectivity Through a Multilayered
Firewall
Management
Unified Management with Integrated Administration
Extensibility
Extensible and Open Platform

ISA Server is a key member of the .NET Enterprise
Server family. The products in .NET Enterprise Server
family are Microsoft's comprehensive family of server
applications for building, deploying, and managing
scalable, integrated, Web-based solutions and services.
ISA Server offers several benefits to organizations that
want fast, secure, and manageable Internet connectivity.
Fast Web Access with a High-Performance Cache
ISA Server provides the following Web performance
benefits:

Provides faster Web access for users by retrieving
objects locally rather than over a slower connection to
the potentially congested Internet.

Reduces bandwidth costs by reducing network traffic
from the Internet.

Distributes the content of Web servers and e-commerce
applications efficiently and cost-effectively to reach
customers worldwide.

Note: The capability for distributing Web content is
available only in the ISA Server Enterprise Edition.
Secure Internet Connectivity Through a Multilayered
Firewall
ISA Server provides the following security benefits:

Protects networks from unauthorized access by
inspecting network traffic at several layers.

Protects Web, e-mail, and other application servers from
external attacks by using Web publishing and server
publishing to securely process incoming requests to
internal servers.

Filters incoming and outgoing network traffic to ensure
security.

Enables secure access for authorized users from the
Internet to the internal network by using virtual private
networks (VPNs).
Unified Management with Integrated Administration
ISA Server provides the following management benefits:

Controls access centrally to ensure and enforce
corporate policies.

Improves productivity by limiting Internet use to
approved applications and destinations.

Allocates bandwidth to match business priorities.

Provides monitoring tools and produces reports that
show how Internet connectivity is used.

Automates commonly performed tasks by using scripts.
Extensible and Open Platform
ISA Server provides the following extensibility and
customization benefits:

Addresses security and performance needs that are
specific to an organization by using the ISA Server
Software Development Kit (SDK) for in-house
development of add-on components.

Extends security and management functionality with
third-party solutions.

Automates administrative tasks with scriptable
Component Object Model (COM) objects.
Installation Modes

Cache Mode

Firewall Mode

Integrated Mode

Features Available with Each Mode

You can install ISA Server in three different modes: cache
mode, firewall mode, and integrated mode.
Cache Mode

In cache mode, you can improve network performance
and save bandwidth by storing frequently accessed
Web objects closer to the user. You can then route
requests from clients to a cache server that holds the
cached objects.
Firewall Mode

In firewall mode, you can secure network traffic by
configuring rules that control communication between
an internal network and the Internet. You can also
publish internal servers, which enables an organization
to share data on its network with partners or customers.
Integrated Mode

In integrated mode, you can combine the firewall and
cache services on a single host computer. Although
organizations can deploy ISA Server as a separate
firewall or as a separate caching server, you can
combine the firewall and cache server by choosing
integrated mode. Many organizations can benefit from
unified administration of caching and firewall functions.
Features Available with Each Mode

Depending on which mode you select, different features
are available. The table below lists the features that are
available for the firewall and cache modes. In integrated
mode, all of the features are available.
[Table: Features Available with Each Mode (firewall mode and cache mode)]
Using Caching

The Caching Process

Types of Caching

Caching improves network performance by maintaining
a cache of frequently accessed Web objects. You can
deploy ISA Server as a forward caching server to
improve the speed at which users on your internal
network can access Internet resources. You can also
deploy ISA Server as a reverse caching server to
improve the speed at which external users can access
selected Web resources that you make available to the
Internet. In addition, you can distribute the cache across
multiple ISA Server computers. By distributing the
cache, a client can access content from the ISA Server
computer that is closest to the client. Distributed
caching also provides load balancing and fault
tolerance in a network that has multiple ISA Server
computers.
In this lesson you will learn about the following topics:

The caching process

Types of caching
The Caching Process
[Figure: Client 1 and Client 2 send GET www.nwtraders.msft to the ISA Server cache. Step 1: Client 1 requests the object. Step 2: ISA Server forwards the request to the Internet. Step 3: the object is sent from the Internet. Step 4: Client 2 requests the same object. Step 5: the object is sent from the cache.]

The process that ISA Server uses to cache content is
similar to the process that a Web browser uses to save
temporary Internet files. Most Web browsers cache
objects locally, storing requested Web pages in a folder
on a computer's hard disk. The Web browser then gains
subsequent access to the same objects by retrieving
the objects from the local hard disk. ISA Server takes
this concept one step further and maintains a
centralized cache of frequently requested Web objects
to improve performance for multiple users.

The following steps describe the caching process that ISA Server
uses to retrieve Web objects for clients:
1. Client 1 requests a Web object.

2. If the object is not already in the ISA Server cache, ISA Server
retrieves the object from the Web server on the Internet.

3. The Web server on the Internet returns the object to the ISA Server
computer. ISA Server retains a copy of the object in its cache and
returns the object to Client 1. The time that it takes the client to
receive the object, and the resulting Internet traffic, are
approximately the same as if the client had accessed the object
directly.

4. Client 2 requests the same Web object.

5. ISA Server returns the object from its cache rather than obtaining
it from the Web server on the Internet. The client receives the
object much more quickly, and the request requires no Internet traffic.
Types of Caching
[Figure: Forward caching (internal network clients, ISA Server cache, Internet); reverse caching (Internet clients, ISA Server cache, internal Web server); distributed caching (internal network, several ISA Server caches, Internet).]

The caching service accelerates Web performance for
both internal and external clients. ISA Server supports
both forward caching for outgoing requests and reverse
caching for incoming requests. In addition, the cache
can be distributed across multiple ISA Server
computers.
Forward Caching

You can use forward caching to provide internal
clients with access to Web objects on the Internet. The
ISA Server computer maintains a centralized cache of
frequently requested Web objects that can be
accessed by any Web browser. Objects served from
the cache require significantly less processing than
objects served from the Internet.
Reverse Caching

You can use reverse caching to provide external clients
with access to Web objects from an internal Web server.
The ISA Server computer, which is located in front of the
Web server, forwards requests to the internal Web
server only when it cannot retrieve a requested object
from its cache. ISA Server improves the speed at which
external clients receive Web objects.
Distributed Caching

You set up an array of ISA Server computers to perform distributed
caching. An array is a group of ISA Server computers that you
manage as a single, logical entity. Distributing cached objects
enhances caching performance through load balancing and provides
fault tolerance if an ISA Server computer is unavailable. You can
distribute both forward caching and reverse caching.

Note: Distributed caching is available in only the ISA Server
Enterprise Edition.
Using Firewalls

Firewall Overview

Bastion Host

Perimeter Network with Three-Homed Firewall

Perimeter Network with Back-to-Back Firewalls

Filters and Network Access

A firewall is a system, consisting of hardware, software,
or a combination of both, that is designed to protect
private networks from unauthorized access. There are
several types of firewall designs, including bastion
hosts and perimeter networks with a three-homed
firewall or with back-to-back firewalls. Firewalls use
packet filtering and other types of filtering to control
network access.
In this lesson you will learn about the following topics:

Firewall overview

Bastion host

Perimeter network with three-homed firewall

Perimeter network with back-to-back firewalls

Filters and network access
Firewall Overview
A Firewall is:

A Controlled Point of Access for All Traffic that Enters
the Internal Network

A Controlled Point of Access for All Traffic that Leaves
the Internal Network

In a building, you construct a firewall to keep a fire in
one area of the building from spreading to another area
of a building. A firewall on a network provides a similar
purpose—it prevents the potential dangers of the
Internet from spreading to your internal network. A
firewall is typically installed at the point where an
internal network connects to the Internet.
A firewall serves two primary functions:

It is a controlled point of access for all traffic that enters
the internal network.
A firewall prevents unauthorized users from gaining
access to your network data and resources.

It is a controlled point of access for all traffic that leaves
the internal network.
A firewall ensures that interactions between the Internet
and your internal network conform to the security rules
and policies of your organization.
Bastion Host
[Figure: Internet, firewall (bastion host), internal network.]

A bastion host is a computer that is the main point of
contact for clients of internal networks to gain access to
the Internet. As a firewall, the bastion host is designed
to defend against attacks aimed at the internal network.
A bastion host is typically used in smaller networks to
protect the internal network from intruders.
Configuration of a Bastion Host

A bastion host has two network adapters, one
connected to the internal network and one connected to
the Internet. This configuration physically isolates the
internal network from potential intruders on the Internet.
Because a bastion host configuration is a single point of
defense, it is important to make sure that the computer
is well secured.
Advantage of a Bastion Host

The advantage of using a bastion host is that it
minimizes the cost and the amount of administration
that is required for a firewall. However, a bastion host
depends on a single firewall to secure the entire
network. If an Internet user compromises the firewall,
that Internet user can gain access to the organization's
internal network, including any resources that are not
sufficiently secured.

Important: Because a bastion host is the only barrier
between Internet users and your internal network, you must
use additional means to protect your internal resources,
such as setting strict access permissions on network
resources.
Perimeter Network with Three-Homed Firewall
[Figure: Internet, three-homed firewall, perimeter network, internal network.]

A perimeter network is a small network that contains
resources that you want to make available to users on
the Internet while maintaining the security of these
resources. A perimeter network is separate from both
your internal network and the Internet. A perimeter
network allows external clients to gain access to
specific servers located in the perimeter network, while
completely preventing access to the internal network.
You typically use a perimeter network to deploy Internet-accessible resources, such as e-mail and Web servers.
A perimeter network can be set up in one of two
configurations: a perimeter network with a three-homed
firewall or a perimeter network with back-to-back
firewalls.
Configuration of Perimeter Network with Three-Homed Firewall

In a perimeter network configuration with a three-homed
firewall, the firewall is set up with three network
adapters. One adapter is connected to each of the
following networks:

The Internet

The servers located in the perimeter network

The internal network clients
Configuration of Perimeter Network with Three-Homed Firewall (continued)

Although each server in the perimeter network has an
Internet Protocol (IP) address that external clients can
reach, the firewall computer does not allow direct
access to resources that are located on the internal
network.
Note: An organization's security policy may also allow
limited and very controlled network traffic between
computers in the perimeter network and selected
computers on the internal network.
Advantages of a Perimeter Network with Three-Homed Firewall

A three-homed firewall provides more security than a
bastion host because it allows secure access to some
network resources from the Internet without allowing
network traffic between the Internet and your internal
network. A three-homed firewall gives you a single point
of administration to configure access to both your
perimeter network and your internal network. However,
a three-homed firewall also presents a single point of
access to all parts of your network, which means that
you must be especially careful in designing your access
rules and monitoring for security breaches.
Perimeter Network with Back-to-Back Firewalls
[Figure: Internet, external firewall, perimeter network, internal firewall, internal network.]

In addition to a perimeter network with a three-homed
firewall, you can also configure a perimeter network
with back-to-back firewalls.
Configuration of Back-to-Back Firewalls

In a perimeter network with back-to-back firewalls, two
firewalls are located on either side of the perimeter
network. Both firewalls are connected to the perimeter
network; one is also connected to the Internet and the
other is also connected to the internal network. In this
configuration, there is no single point of access: to
reach the internal network, an attacker would need to get
past both firewalls. Layering controls in this way is an
example of defense in depth.
Advantages of Back-to-Back Firewalls

You can configure more restrictive security rules on
back-to-back firewalls than on a three-homed firewall,
which helps you to protect your internal network more
reliably.
It is also easier to configure rules for a back-to-back
firewall design if an organization's access policy allows
limited and very controlled network traffic between
computers in the perimeter network and selected
computers on the internal network.
Important: Of the designs described in this module, the
back-to-back firewall configuration is the most secure,
and it is also a common choice. Some organizations use
variations of this design to achieve even higher levels
of security.
Filters and Network Access
[Figure: Access policy rule (HTTP, All Destinations, Allow). A firewall between the external network and the internal network passes HTTP, blocks streaming media, and applies the SMTP filter and the DNS intrusion detection filter to incoming traffic.]

ISA Server enables you to control network access for
both outgoing and incoming traffic. To control outgoing
traffic, you can use access policies and rules. To control
incoming traffic, you can use IP packet filters,
application filters, and intrusion detection filters.
Controlling Outgoing Traffic

You can use access policies and rules to control
outgoing traffic. An access policy consists of the
following rules:

Protocol rules. Define which protocols users can use for
communication between the internal network and the
Internet. For example, a protocol rule might allow clients
to use Hypertext Transfer Protocol (HTTP).

Site and content rules. Define the content and the
Internet sites that users can gain access to. For
example, a site and content rule might allow users to
gain access to any destination on the Internet.

ISA Server also masks the IP addresses on your internal
network when clients are connected to the Internet.
Masking these IP addresses makes it more difficult for
outside users to discover the structure of your internal
network or to gain access to your internal network.
Controlling Incoming Traffic

You can use IP packet filters and application filters to
control incoming traffic.
IP Packet Filters

Packet filters control network access based on the
characteristics of network packets. IP packet filters
work by parsing the headers of each IP packet and then
applying rules to determine whether to route or drop the
packet based on the header information. ISA Server lets
you allow or deny network packets based on the
characteristics of an IP packet, including the:

Source address or destination address.

Network protocol, such as the Internet Control Message
Protocol (ICMP), TCP, or UDP.

Source port or destination port.
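An added example of first-match packet filtering over the three header characteristics listed above, in Python. It is not ISA Server code; the rule names, the addresses (taken from documentation ranges) and the implicit-deny default are assumptions. It also shows why rule order matters: a drop rule for a source network placed first wins over a later allow rule for the same destination port.

```python
"""Added example: a first-match IP packet filter over constructed packets.
Not ISA Server code; rule names, addresses and the implicit-deny default
are assumptions."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

ALLOW, DROP = "allow", "drop"


@dataclass(frozen=True)
class Packet:
    """The header fields a packet filter looks at."""
    protocol: str                 # "ICMP", "TCP" or "UDP"
    src: str
    dst: str
    sport: Optional[int] = None   # ICMP carries no ports
    dport: Optional[int] = None


@dataclass(frozen=True)
class PacketFilterRule:
    name: str
    action: str
    protocol: str = "*"                    # "*" matches any protocol
    src: str = "0.0.0.0/0"                 # CIDR for the source address
    dst: str = "0.0.0.0/0"                 # CIDR for the destination address
    dports: Tuple[int, int] = (0, 65535)   # inclusive destination port range

    def matches(self, p: Packet) -> bool:
        if self.protocol != "*" and self.protocol != p.protocol:
            return False
        if ipaddress.ip_address(p.src) not in ipaddress.ip_network(self.src):
            return False
        if ipaddress.ip_address(p.dst) not in ipaddress.ip_network(self.dst):
            return False
        if p.protocol in ("TCP", "UDP"):
            lo, hi = self.dports
            return p.dport is not None and lo <= p.dport <= hi
        return True   # ICMP and other port-less protocols: address/protocol match is enough


def filter_packet(p: Packet, rules: List[PacketFilterRule]) -> Tuple[str, str]:
    """First matching rule decides; a packet no rule matches is dropped."""
    for rule in rules:
        if rule.matches(p):
            return rule.action, rule.name
    return DROP, "implicit deny"


# Constructed rule set. 203.0.113.10 stands for a published mail/Web server's
# external address and 203.0.113.1 for the firewall's external interface.
PUBLISHED_HOST = "203.0.113.10/32"
RULES = [
    PacketFilterRule("Drop blocklisted network", DROP, src="198.51.100.0/24"),
    PacketFilterRule("Allow inbound SMTP", ALLOW, protocol="TCP",
                     dst=PUBLISHED_HOST, dports=(25, 25)),
    PacketFilterRule("Allow inbound HTTP", ALLOW, protocol="TCP",
                     dst=PUBLISHED_HOST, dports=(80, 80)),
    PacketFilterRule("Allow ICMP to firewall", ALLOW, protocol="ICMP",
                     dst="203.0.113.1/32"),
]


def run_demo() -> dict:
    """Filter five constructed incoming packets."""
    packets = {
        "smtp":            Packet("TCP", "192.0.2.7", "203.0.113.10", 40001, 25),
        "smtp_blocklisted": Packet("TCP", "198.51.100.9", "203.0.113.10", 40002, 25),
        "dns":             Packet("UDP", "192.0.2.7", "203.0.113.10", 40003, 53),
        "ping_firewall":   Packet("ICMP", "192.0.2.7", "203.0.113.1"),
        "ping_server":     Packet("ICMP", "192.0.2.7", "203.0.113.10"),
    }
    return {name: filter_packet(p, RULES) for name, p in packets.items()}


if __name__ == "__main__":
    for name, (action, reason) in run_demo().items():
        print(f"{name:17} {action:5} {reason}")
```

The SMTP packet from the blocklisted network hits the drop rule before the SMTP allow rule is ever consulted; swapping the first two rules would let it through, which is the kind of ordering mistake worth checking whenever a filter list is edited.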
Application Filters

Application filters accept or deny data from specific applications or
data with specific content. Application filters examine network
traffic that spans more than one IP packet, such as an entire e-mail
message. ISA Server includes several application filters that are
automatically installed with ISA Server, including:

Streaming media filter. Enables you to control client access to data
that uses streaming media protocols to gain access to media
streaming servers, such as Microsoft Windows Media™ Technology
(WMT) Server.

Simple Mail Transfer Protocol (SMTP) filter. Filters incoming e-mail
based on source, user, or domain, and then generates the
corresponding alert. The filter maintains a list of rejected users and
domains from which e-mail messages are not accepted.
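An added Python example (not ISA Server's SMTP filter or any of its code) of why an application filter has to look across packet boundaries: it reassembles an SMTP command stream in which the MAIL FROM command is split across two packets, checks the sender against lists of rejected users and domains, and records an alert when it rejects one. The session data, list contents and alert text are constructed.

```python
"""Added example: an application-layer SMTP filter that reassembles commands
spanning several packets and rejects listed senders. Not ISA Server code;
the reject lists, alert text and session data are constructed."""
import re
from dataclasses import dataclass, field
from typing import List, Set, Tuple

MAIL_FROM = re.compile(r"^MAIL FROM:\s*<([^>]*)>", re.IGNORECASE)


@dataclass
class SmtpFilter:
    rejected_users: Set[str]
    rejected_domains: Set[str]
    alerts: List[str] = field(default_factory=list)
    _buffer: bytes = b""   # bytes received but not yet terminated by CRLF

    def feed(self, payload: bytes) -> List[Tuple[str, str]]:
        """Consume one packet's payload and return a decision for every
        complete command line. A command whose CRLF has not arrived yet is
        held back, which a per-packet filter could not do."""
        self._buffer += payload
        decisions = []
        while b"\r\n" in self._buffer:
            raw, self._buffer = self._buffer.split(b"\r\n", 1)
            decisions.append(self._inspect(raw.decode("ascii", errors="replace")))
        return decisions

    def _inspect(self, line: str) -> Tuple[str, str]:
        m = MAIL_FROM.match(line)
        if not m:
            return "pass", line            # only the sender is policed here
        sender = m.group(1).strip().lower()
        domain = sender.rsplit("@", 1)[-1]
        blocked = sender in self.rejected_users or any(
            domain == d or domain.endswith("." + d) for d in self.rejected_domains)
        if blocked:
            self.alerts.append(f"SMTP filter rejected sender <{sender}>")
            return "reject", line
        return "pass", line


def run_demo() -> Tuple[List[Tuple[str, str]], List[str]]:
    """Replay a constructed SMTP session split into packets at awkward points."""
    f = SmtpFilter(rejected_users={"ceo@nwtraders.msft"},
                   rejected_domains={"junk-example.test"})
    packets = [
        b"EHLO relay.exam",
        b"ple.test\r\nMAIL FROM:<bulk@mail.junk-exa",
        b"mple.test>\r\nRCPT TO:<user@nwtraders.msft>\r\n",
        b"RSET\r\nMAIL FROM:<partner@example.test>\r\n",
    ]
    decisions = []
    for p in packets:
        decisions.extend(f.feed(p))
    return decisions, f.alerts


if __name__ == "__main__":
    decisions, alerts = run_demo()
    for decision, line in decisions:
        print(f"{decision:6} {line}")
    print(alerts)
```

The rejected sender's domain, mail.junk-example.test, is a subdomain of the listed junk-example.test, so the match is on the domain suffix rather than on an exact string; an exact-match list would be trivially bypassed by adding a label.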
Intrusion Detection Filters

Intrusion detection filters are IP packet filters or
application filters that analyze all incoming traffic for
specific intrusions. ISA Server includes several
intrusion detection filters, including:

DNS intrusion detection filter. Intercepts and analyzes
Domain Name System (DNS) traffic destined for the
internal network. This filter checks for several known
attacks on DNS servers and prevents them from
reaching the DNS server.

POP intrusion detection filter. Intercepts and analyzes
Post Office Protocol (POP) traffic destined for the
internal network and prevents known attacks from reaching
the POP server.
Deployment Scenarios for ISA Server

Branch Office/Small Business Cache Server

Branch Office/Small Business Firewall

Enterprise Cache

Enterprise Firewall

You can configure ISA Server to correspond with
different deployment scenarios. Although organizations
of all sizes can benefit from a combination of the
caching and firewall services, the specific
configurations that an organization uses can vary
depending on scale, resources, budget, and the
organization's approach to security and management.
In this lesson you will learn about the following topics:

Branch offices/small business cache server

Branch office/small business firewall

Enterprise cache

Enterprise firewall
Branch Office/Small Business Cache Server
[Figure: A branch office ISA Server cache connected to the main office, and a small business ISA Server cache connected to the Internet.]

In this scenario, you set up ISA Server as a cache server
to reduce network traffic between a branch office and
the main office or between a small business and the
Internet. The ISA Server computer stores local copies of
the most frequently accessed Web objects from the
main office or from the Internet in RAM and on a hard
disk.
Because you use less network bandwidth when
accessing Web content, more bandwidth remains
available for other applications. By caching the Web
content, you can also reduce long-distance telephone
charges that you would incur because of demand
dialing between a branch office and the main office or
between a small business and an Internet Service
Provider (ISP).

The following steps describe the process that ISA Server uses
when a user requests Web objects:
1. A user at a branch office or small business requests a Web object.
This request may be for an object that is located on a Web server at
the main office or on the Internet.

2. The client computer sends the request to the ISA Server computer.
If the Web object is not in the cache, the ISA Server computer
forwards the request to the main office or to the Internet.

3. The server at the main office or the server on the Internet sends
the Web object to the ISA Server computer at the branch office or
the small business.

4. The ISA Server computer caches the object and then sends it to
the client computer. The ISA Server computer fulfills subsequent
requests for the same Web object from its local cache.
Branch Office/Small Business Firewall
[Figure: A branch office or small business connected to the Internet through an ISA Server firewall. The actual connection passes through ISA Server; the connection perceived by users is direct.]

In this scenario, you set up an ISA Server computer as a dedicated
firewall that acts as the secure gateway to the Internet for internal
clients. The ISA Server computer is placed between the internal
network and the Internet. In a small network, a single ISA Server
computer can provide Internet connectivity and security for the
entire network.
The ISA Server computer is transparent to the other parties in the
communication path. The branch office or small business users do
not recognize that a firewall is in the communication path unless a
user attempts to gain access to a service or a site in which you
configure an access policy that specifically denies access.
The ISA Server computer blocks all attempts to gain access to the
internal network from the Internet and hides the internal network
from the users on the Internet.
Enterprise Cache Server
[Figure: An ISA Server array of several cache servers between the corporate network and the Internet.]

In this scenario, caching is distributed among an array
of ISA Server computers in an enterprise environment.
By distributing the load of cached objects, ISA Server
enhances caching performance and provides fault
tolerance if an ISA Server computer becomes
unavailable. ISA Server arrays enable you to scale ISA
Server to accelerate Internet access for a very large
number of users.
When deploying an enterprise-caching scenario, you
can centrally administer all caching and access
restrictions.

ISA Server also supports chained, or hierarchical, caching. Chained
caching is a hierarchical connection between individual ISA Server
computers or between arrays of ISA Server computers. Requests
from clients are sent upstream through the chain until the
requested object is found. If the object is not cached, the ISA Server
retrieves the object from the Internet. Chained caching is also an
effective means of distributing server load and providing fault
tolerance.
Note: Chained caching can be useful in a scenario in which an ISA
Server computer at a main office caches all of the Web objects that
are retrieved from the Internet. The ISA Server computer at the
branch office retrieves Web objects from the ISA Server computer
at the main office and then caches them locally at the branch office.
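The caching process from earlier in this module (steps 1 to 5), the branch office cache scenario, and the chained caching just described, brought together in one added Python model. This is not ISA Server code: a CacheServer serves hits from its own store and forwards misses to its upstream, which is either the main-office cache or the origin Web server; the URL, page content and cache names are constructed.

```python
"""Added example: a forward cache and a two-level cache chain, modelled in
Python. Not ISA Server code. URLs, page contents and cache names are constructed."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Union


@dataclass
class Origin:
    """Stands in for the Web server at the main office or on the Internet."""
    pages: Dict[str, bytes]
    fetches: int = 0   # how many requests actually reached the origin

    def get(self, url: str) -> Optional[bytes]:
        self.fetches += 1
        return self.pages.get(url)


@dataclass
class CacheServer:
    """One ISA Server computer's Web cache.

    `upstream` is the next hop for a cache miss: another CacheServer when
    caches are chained, or the Origin at the top of the chain.
    """
    name: str
    upstream: Union["CacheServer", Origin]
    store: Dict[str, bytes] = field(default_factory=dict)
    hits: int = 0
    misses: int = 0

    def get(self, url: str) -> Optional[bytes]:
        # Cache hit: serve the stored copy; no upstream traffic at all.
        if url in self.store:
            self.hits += 1
            return self.store[url]
        # Cache miss: send the request upstream and keep a copy of what
        # comes back. An object that does not exist (None) is not cached.
        self.misses += 1
        obj = self.upstream.get(url)
        if obj is not None:
            self.store[url] = obj
        return obj


def run_demo() -> dict:
    """Replay the page's caching steps across a main-office/branch chain."""
    url = "http://www.nwtraders.msft/"           # constructed sample URL
    origin = Origin({url: b"<html>nwtraders home page</html>"})
    main_office = CacheServer("main-office", upstream=origin)
    branch_a = CacheServer("branch-a", upstream=main_office)
    branch_b = CacheServer("branch-b", upstream=main_office)

    first = branch_a.get(url)    # Client 1 at branch A: miss, miss, one origin fetch
    second = branch_a.get(url)   # Client 2 at branch A: served from the branch cache
    third = branch_b.get(url)    # Client at branch B: miss locally, hit at main office
    absent = branch_a.get(url + "no-such-page")   # not found anywhere; nothing cached

    return {
        "objects_identical": first == second == third,
        "absent_is_none": absent is None,
        "origin_fetches": origin.fetches,
        "main_office": (main_office.hits, main_office.misses),
        "branch_a": (branch_a.hits, branch_a.misses),
        "branch_b": (branch_b.hits, branch_b.misses),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Branch B's request never reaches the origin: the main-office cache already holds the object from Branch A's first request, which is the bandwidth saving the chained scenario in the Note above relies on. The second origin fetch in the demo is for the nonexistent page, showing that a negative answer is not stored.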
Enterprise Firewall
[Figure: Internet, ISA Server firewall, perimeter network, ISA Server firewall, internal network.]

In this scenario, two ISA Server computers that are
configured as firewalls are located on either side of a
perimeter network. The servers in the perimeter network
each have IP addresses that can be accessed by
external clients. The ISA Server firewalls prevent
external clients from gaining access to resources that
are located on the internal network.
When you deploy an enterprise firewall solution, you
can centrally administer all of the firewall settings.
Note: An enterprise firewall configuration may include
multiple ISA Server computers to handle a large amount
of network traffic. You can configure multiple ISA Server
computers centrally as an array.
Review

Introducing ISA Server

Using Caching

Using Firewalls

Deployment Scenarios for ISA Server