5-configuring-access-to-internal

Download Report

Transcript 5-configuring-access-to-internal

Configuring Access to Internal
Resources
1
What is ISA server publishing?
• Publish internal servers to the Internet, so that
users on the Internet can access those internal
resources
• Making internal resources accessible to the
Internet increases the security risks for the
organization.
• ISA Server uses Web and server publishing
rules to publish internal network resources to
the Internet
2
What is ISA server publishing?
Web Server
File Server
Client
Remote User
Internet
Mail Server
3
What is ISA server publishing?
Web Server
Using a perimeter network is to
provide an additional layer of
Security!!!
Mail Server
File Server
ISA server
Internal Network
4
What Are Web Publishing Rules?
• Make Web sites on protected networks
available to users on other networks, such as
the Internet
• A Web publishing rule is a firewall rule that
specifies how ISA Server will route incoming
requests to internal Web servers
• Web Publishing is sometimes referred to as
“reverse proxying”.
5
What do Web publishing rules
provide?
•
•
•
•
•
•
Access to Web servers running HTTP protocol
HTTP application-layer filtering
Path mapping
User authentication
Content caching
Support for publishing multiple Web sites
using a single IP address
• Link translation
6
What Are Server Publishing Rules
• Web publishing and secure Web
publishing rules can grant access only to
Web servers using HTTP or HTTPS.
• To grant access to internal resources
using any other protocol, you must
configure server publishing rules!!!
7
•
•
•
•
What do Server publishing rules
provide?
Access to multiple protocols
Application-layer filtering for
specified protocols
Support for encryption
IP address logging for the client
computer
8
Considerations for Configuring DNS
for Web and Server Publishing
http://isalab.com
External IP
address
131.107.1.1
IP address
172.16.10.1
Web Server
ISA server
A split DNS uses two different DNS
servers with the same DNS domain
name to provide
name resolution for internally and
externally accessible resources!
Internal Network
9
Configuring Web Publishing Rules
• Web Listener
• Non-SSL Web Publishing Rules
• SSL Web Publishing Rules
10
Web Listener
• Web listeners are used by Web and secure
Web publishing rules
• A Web listener is an ISA Server configuration
object that defines how the ISA Server
computer listens for HTTP requests and SSL
requests
• All incoming Web requests must be received
by a Web listener
• A Web listener may be used in multiple Web
publishing rules
11
Web Listener
http://isalab.com
IP address
172.16.10.1
Web Listener
External IP
address
131.107.1.1
Web Server
Web Listener
ISA server
Internal Network
12
How to Configure Web Listeners
•
•
•
•
Network
Port numbers
Client authentication methods
Client Connection Settings
13
Network
If you have multiple network
adapters or multiple IP addresses
14
Port numbers
By default, the Web listener will listen on
for HTTP requests on Port 80
15
How to Configure Web Listeners
Web listener “listens” on an
interface or IP address that you choose for
incoming connections to the port you define
16
Configuring Non-SSL Web
Publishing Rules
17
Configuring Non-SSL Web
Publishing Rules
Rule Action Page
18
Configuring Non-SSL Web
Publishing Rules
• Publishing Type Page
– Publish a single Web
site or load balancer
– Publish a server farm
of load balanced Web
Servers
– Publish multiple web
sites
19
Configuring Non-SSL Web
Publishing Rules
• The Server Connection Security Page:
20
Configuring Non-SSL Web
Publishing Rules
• The Internal Publishing
Details Page:
– Internal Site Name
– Computer name or IP
address
21
Configuring Non-SSL Web
Publishing Rules
• The Internal
Publishing Details
Page:
– Path Name
– Forward the original
host header instead of
the actual one
22
Configuring Non-SSL Web
Publishing Rules
• The Public Name
Details Page
– Accept requests
for
– Public Name
– Path (optional
23
Configuring Non-SSL Web
Publishing Rules
• The Select Web Listener Page and Creating an
HTTP Web Listener:
– Edit
– New
24
Configuring Non-SSL Web
Publishing Rules
• The Authentication Settings Page
25
•
•
•
•
•
•
•
•
•
Web Listener Authentication
Methods
Basic
Digest
Integrated
RADIUS
RADIUS OTP
SecurID
OWA Forms-based
Forms-Based Authentication
SSL Certificate
26
Configuring Non-SSL Web
Publishing Rules
• The Single Sign on Settings Page
27
Configuring Non-SSL Web
Publishing Rules
• The Authentication Delegation Page
28
Secure Web Publishing
More
secure!!
Encrypted
content
Web Server
Remote User
Client
Internet
29
Cryptography issues
• Only sender, intended receiver should
“understand” message contents
– sender encrypts message
– receiver decrypts message
Sender
Encrypt
Decrypt
Receiver
30
Types of Cryptography
• Crypto often uses keys:
– Algorithm is known to everyone
– Only “keys” are secret
• Public key cryptography
– Involves the use of two keys
• Symmetric key cryptography
– Involves the use one key
• Hash functions
– Involves the use of no keys
– Nothing secret: How can this be useful?
31
Secret-Key or Symmetric
Cryptography
Receiver uses the same key
and the related decryption
method to decrypt (or
decipher) the message.
Sender uses the key
and the encryption
method to encrypt (or
encipher) a message
Send encrypted
message
Sender and Receiver agree on an
encryption method and a shared key
32
Public key or Asymmetric
Cryptography
Sender generates
a public key
use private
key to decrypt
this message
use sender’s
public key to
encrypt a
message
Send public key
sender
Use public key to
determine a
private key.
Send encrypted message
receiver
No-one without access to Sender’s private
key (or the information used to construct it)
can easily decrypt the message!!
33
Hash Function Algorithms
• A hash function is a math
equation that create a
message digest from
message.
• A message digest is used
to create a unique digital
signature from a
particular document.
• MD5 example
Original Message
(Document, E-mail)
Hash Function
Digest
34
digital signature
How can Receiver determine that
the message received was indeed
sent by Sender?
Send encrypted message
Decrypt
message
Private key
sender
receiver
Public key
35
digital signature
Data
Hash
Signature
Verify
?
Public Key
36
Man in Middle
receiver
sender
Modify
37
Digital certificate
• A digital certificate (DC) is a digital file that
certifies the identity of an individual or
institution, or even a router seeking access to
computer- based information. It is issued by a
Certification Authority (CA), and serves the
same purpose as a driver’s license or a
passport
38
Digital certificate
CERTIFICATE
Issuer
Subject
Subject Public
Key
Issuer Digital
Signature
39
Certification Authorities
• A trusted agent who certifies public keys for general
use (Corporation or Bank).
– User has to decide which CAs can be trusted.
• The model for key certification based on friends and
friends of friends is called “Web of Trust”.
– The public key is passing from friend to friend.
– Works well in small or high connected worlds.
– What if you receive a public key from someone you don’t
know?
40
CA model
Root Certificate
CA Certificate
Browser Cert.
CA Certificate
Server Cert.
41
What is the Process of obtaining a
certificate
Certificate
Verify sender’s identity and
issues digital certificate
containing the public key
OK!!
generates a
Encrypt
public/private
key pair
Sender
Private
key
Public
key
CA
Verify and
Decrypt
Receiver
42
Secure Sockets Layer
• Secure Sockets Layer (SSL) is used to validate
the identities of two computers involved in a
connection across a public network, and to
ensure that the data sent between the two
computers is encrypted
• SSL uses digital certificates and public and
private keys
43
Secure Sockets Layer
Application
SSL
TCP
IP
Application
SSL
TCP
IP
44
Advantages of SSL
• Independent of application layer
• Includes support for negotiated encryption
techniques.
– easy to add new techniques.
• Possible to switch encryption algorithms in
the middle of a session
45
HTTPS Usage
• HTTPS is HTTP running over SSL.
– used for most secure web transactions.
– HTTPS server usually runs on port 443.
– Include notion of verification of server via a
certificate.
– Central trusted source of certificates
46
SSL and ISA server 2006
• SSL bridging
SSL tunneling
47
Configuring SSL-to-SSL Bridging for
Secured Websites
• Working with ThirdParty Certificate
Authorities
• Installing a Local
Certificate Authority and
Using Certificates
• Modifying a Rule to
Allow for End-to-End SSL
Bridging
48
Configuring SSL-to-SSL Bridging for
Secured Websites
• Installing an SSL
Certificate on a
SharePoint Server
• Exporting and
Importing the
SharePoint SSL
Certificate to the ISA
Server
49
Configuring SSL-to-SSL Bridging for
Secured Websites
• Creating a
SharePoint
Publishing Rule
50
Configuring SSL-to-SSL Bridging for
Secured Websites
• Choosing a certificate for the listener
51
Configuring Server Publishing Rule
52