CIS485 presentation
Internet security and
Acceleration 2004
Presented By
Jaime Hernandez
Calvin Lau
Nery Leon
Nancy Smith
System requirements
ISA 2000
• Standard Edition
– Processor 3000 MHz or higher Pentium II
– Memory 256 MB of RAM
– One local hard disk partitioned with NTFS
– Windows 2000 compatible network adapter
– ISDN adapter
ISA 2000
• Enterprise Edition
– Same as standard edition
• Add Windows Active Directory
– Difference in editions
• Standard only supports four processors.
ISA 2004
• Computers must be running
– Microsoft Windows 2000 Server
– Windows Server 2003
Hardware Requirements
• Pentium III 500 plus MHz processor
• 256MB of RAM
Network Interface Cards
• Two are needed
– External Interface
– Internal Interface
• Creates multiple internal networks
Network diagram (slide figure; interface addresses as labelled):
• ISA Server 2004 Firewall
– IP: 10.0.1.1/24, DG: None, DNS: 10.0.1.1
– IP: 192.168.1.49/24, DG: 192.168.1.60, DNS: None
– IP: Public, DG: ISP Router, DNS: None
• DSL Router
• SecureNAT client
– IP: 10.0.1.2/24, DG: 10.0.1.1, DNS: 10.0.1.1
• ISA Server 2004 Firewall
– IP: 192.168.1.60/24, DG: None, DNS: None
Firewall Continued
• Critical Factors
– DNS
– DHCP
Internet Security and Acceleration
Security Aspect.
Security
• Efficiently manage, restrict, and control Internet access
• Act as a circuit-level, packet-filtering, or application-level firewall
• Provide tiered firewall and caching policies
Rules of ISA
• Site and content rules specify who can go to which sites during which times of the day
• Protocol rules detail the protocols that can be used
• Packet filters restrict or allow passage of data that meets the configuration
More Rules
• Application filters coordinate access to special services and provide some intrusion detection
• Routing rules specify where data seeking a particular destination is transferred
• Mail server proxy rules direct incoming, authorized access by mailbox owners to POP3, SMTP and/or IMAP4 mail
An Example
• Integrating ISA Server with Windows 2004
Active Directory will let you interpret
company rules that restrict most employees
to free-ranging Internet access only during
their prescribed lunch hour and before and
after normal work hours. During normal
working hours you can block them from all
Internet access, restrict them to intranet
servers, or permit access to some sites.
Example Cont.
• Another option is to provide a select group
of employees unrestricted Internet access,
block another group from visiting specific
sites, and permit a third group access to
specific sites. You can also control access
via the IP address of the requesting client
machine, or strictly by the destination site
or protocol used.
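The access policy sketched on the two example slides (lunch-hour Internet for most staff, one group unrestricted, another blocked from specific sites, access controlled by client address, destination or protocol), modelled as an added example that is not ISA Server code: a first-match policy evaluator over client address sets, groups, destination sets, protocols and schedules. Rule names, group names, hostnames and the 08:00-17:00 working day are constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import time
from ipaddress import ip_address, ip_network

# Hypothetical model of ISA policy elements (client address sets / Active Directory
# groups, destination sets, protocols, schedules); not ISA Server's own API.

@dataclass
class Rule:
    name: str
    action: str                                   # "allow" or "deny"
    groups: set = field(default_factory=set)      # AD groups; empty = anyone
    clients: list = field(default_factory=list)   # client address set; empty = any
    sites: set = field(default_factory=set)       # destination set; empty = any
    protocols: set = field(default_factory=set)   # empty = any protocol
    schedule: list = field(default_factory=list)  # (start, end) windows; empty = always

    def matches(self, groups, client, site, protocol, when):
        if self.groups and not (self.groups & groups):
            return False
        if self.clients and not any(ip_address(client) in ip_network(n) for n in self.clients):
            return False
        if self.sites and site not in self.sites:
            return False
        if self.protocols and protocol not in self.protocols:
            return False
        if self.schedule and not any(s <= when <= e for s, e in self.schedule):
            return False
        return True

# Constructed policy for the slide's scenario: IT unrestricted (from the internal
# 10.0.1.0/24 network), contractors blocked from one site, the intranet always
# reachable, and staff allowed out only at lunch and outside 08:00-17:00.
OFF_HOURS = [(time(0, 0), time(7, 59)), (time(12, 0), time(12, 59)), (time(17, 0), time(23, 59))]
POLICY = [
    Rule("IT unrestricted", "allow", groups={"it"}, clients=["10.0.1.0/24"]),
    Rule("Contractor block", "deny", groups={"contractors"}, sites={"blocked.example"}),
    Rule("Intranet always", "allow", sites={"intranet.example"}),
    Rule("Lunch-hour Internet", "allow", groups={"staff", "contractors"},
         protocols={"http", "https"}, schedule=OFF_HOURS),
]

def decide(groups, client, site, protocol, hhmm):
    """Ordered first-match evaluation ending in a default deny, as in the
    ISA Server 2004 firewall policy (assumed for this model)."""
    hour, minute = (int(x) for x in hhmm.split(":"))
    for rule in POLICY:
        if rule.matches(set(groups), client, site, protocol, time(hour, minute)):
            return rule.action, rule.name
    return "deny", "default rule"
```

Rule order matters: the deny for contractors sits above the lunch-hour allow, so moving it below would silently open the blocked site at lunchtime.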
Firewalling with ISA
• In the real world, it's difficult to get firewall
configurations correct. What if you could
get it right once, and mandate that all
firewalls (or selected firewalls) apply the
same sets of rules? What if you changed
your mind? Would a change in rules at a
centralized location propagate to some
selected subset of firewalls?
Firewalling with ISA
• Distributed applications need not mean an
anarchical approach to firewall policy
implementation. ISA Server provides tiered
firewall and caching policies that permit
strict centralized management and control
but also let you define which portions of the
network can perform what actions on their
own
Internet Security and Acceleration
Acceleration Aspect
High-Performance Web Cache
• Cache of Web objects
• Fast RAM caching
• ISA Server supports both forward caching, for outgoing requests to the Internet, and reverse caching, for incoming requests to your Web server. Your clients benefit from the full gamut of ISA Server caching and routing features.
• ISA Server includes a Hypertext Transfer Protocol (HTTP) redirector filter
Scalability
• ISA Server Standard Edition is a standalone server that is designed to scale up to
four processors.
• Internet Security and Acceleration (ISA)
Server Enterprise Edition computers can be
grouped together in arrays.
Scalability continued
• Other features that enhance the scalability
of ISA Server include the following:
– Symmetric Multiprocessing.
– Network Load Balancing.
– CARP.
Distributed and Hierarchical
Caching
• Chained/Hierarchical Caching
Distributed and Hierarchical
Caching
• Web Proxy Routing
Chained Authentication
• With ISA Server, you are also able to support chained authentication when routing requests to an upstream server. Requests are chained to an upstream server when the ISA Server routing rules are configured to route to it. Before the request is routed, the downstream ISA Server might require client authentication. In addition, when the request is routed, the upstream server might also require it. In this case, the downstream ISA Server passes the client's authentication information to the upstream one.
• Sometimes, your upstream server may not be able to identify the clients requesting the object. In this case, the downstream ISA Server passes credentials—essentially acting as the client making the request—to the upstream server. When you configure the downstream server settings, you specify the account to use when passing client requests to an upstream server. The upstream server delegates client authentication to the downstream proxy. Then the upstream server authenticates only the downstream server, and successfully authenticates the client.
Active Caching
• Active caching is a way to keep objects
fresh in the cache by verifying them with
the origin Web server before the object
actually expires and is accessed by a client.
• Pure popularity is not a good guide because
many popular pages never expire due to
clients refreshing the pages manually to
keep the data fresh.
Example of Active Caching
The following list traces the activity of a cached object:
• An object is requested by a client (possibly for the first time) and downloaded.
• The object expires.
• If a client accesses that object in a time period of less than n of its time to live (TTL) period, then it is added to the active cache list.
• As long as the object is accessed at least once in the n TTL period after being refreshed, it remains on the active cache list.
• While on the active cache list, the object will be refreshed before it expires. The exact time it is refreshed depends on how busy the proxy is. If the proxy is relatively idle, the object will be refreshed about 50 percent of the way to expiring. If the proxy is very busy, it will not be refreshed until just before it expires. Intermediate values of "busy" will lead to intermediate times of refreshing.
• If the object is not accessed in the specified period, then it is removed from the list and must meet the original criteria to be put back on the list.
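The active-cache life cycle traced above, as an added simulation that is not ISA Server's implementation: an entry joins the active list when hit within n of its TTL, is refreshed ahead of expiry at a point that moves from 50% of the TTL (idle proxy) towards just before expiry (busy proxy), and is dropped when not accessed in the n TTL period after a refresh. The names, n = 0.25, and linear interpolation of the refresh point between the two stated extremes are assumptions.

```python
# Constructed simulation of the active-caching rules on the slide; hypothetical
# names, not ISA Server's implementation. n is the fraction of the TTL used as the
# access window (assumed n = 0.25, so the window always closes before the earliest
# refresh point at 50% of the TTL).

def refresh_time(entry, load):
    """Time at which an active object is re-validated with the origin server:
    load 0.0 (idle proxy) refreshes at 50% of the TTL, load 1.0 (very busy)
    at 95%, i.e. just before expiry; in between interpolates linearly
    (the slide names only the two ends)."""
    load = min(max(load, 0.0), 1.0)
    return entry.refreshed_at + entry.ttl * (50 + 45 * load) / 100

class ActiveCacheEntry:
    def __init__(self, url, ttl, now, n=0.25):
        self.url, self.ttl, self.n = url, ttl, n
        self.refreshed_at = now          # initial download or last refresh
        self.accessed_in_window = False  # client hit since that point?
        self.active = False              # on the active cache list?

    def window_end(self):
        return self.refreshed_at + self.n * self.ttl

    def expires_at(self):
        return self.refreshed_at + self.ttl

    def access(self, now):
        """A client requests the object; returns True if it is on the active list."""
        if not self.active and now >= self.expires_at():
            self.refreshed_at = now      # expired, not active: downloaded again
            self.accessed_in_window = False
            return False
        if now < self.window_end():
            self.accessed_in_window = True
            self.active = True           # hit within n of the TTL: on the list
        return self.active

    def maintain(self, now, load):
        """Proxy housekeeping at time `now` under load 0..1.
        Returns 'dropped', 'refreshed', 'expired' or 'kept'."""
        if self.active and now >= self.window_end() and not self.accessed_in_window:
            self.active = False          # no hit in the n*TTL period: off the list
            return "dropped"
        if self.active and now >= refresh_time(self, load):
            self.refreshed_at = now      # refreshed ahead of expiry; new window
            self.accessed_in_window = False
            return "refreshed"
        if not self.active and now >= self.expires_at():
            return "expired"             # passive entry; next request re-downloads
        return "kept"
```

Note that a page clients keep refreshing manually still has to be hit inside the window to stay on the list, which is the slide's point that raw popularity is not the criterion.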
Streaming Media Support
• Transparently support popular media
formats. Save bandwidth by splitting live
media streams on the gateway
Programmable Cache Control
• Load or delete cached objects
programmatically with caching application
programming interface (API).
Simplified & Robust Management
Policy-based Access Control
• Client address sets: Internet Protocol (IP) addresses or, with Microsoft Active Directory™, authenticated users and groups.
• Destination sets: URLs.
• Protocols.
• Content groups, for Hypertext Transfer Protocol (HTTP) and tunneled File Transfer Protocol (FTP) traffic: multipurpose Internet mail extensions (MIME) types, and file extensions.
• Schedules.
• Bandwidth priorities.
Windows 2004 Integration
• Network Address Translation.
• Integrated Virtual Private Networking.
• Authentication.
• System Hardening.
• Active Directory Storage with Enterprise Edition.
• Tiered-Policy Management for Enterprise Edition.
• MMC Administration.
• Quality of Service (QoS).
• Multiprocessor Support.
• Client-Side Auto-Discover.
• Administration Component Object Model (COM) Object.
• Web Filters.
• Alerts.
Integrated Administration
• Unified Policy and Access Control.
• Unified Management.
Intuitive User Interface
Microsoft Management Console (MMC)
Intuitive User Interface continued
Some of the ISA Server wizards include:
• Virtual private network (VPN) configuration: Local, remote, and client-to-server.
• Defining a protocol.
• Creating a site and content rule.
• Creating a bandwidth rule.
• Secure publishing.
• Configuring a mail server behind ISA Server: publishing and securing the mail server, and configuring policy for the mail services.
• Securing the system with system hardening.
Detailed Logging
• W3C Extended File Format (Default).
• ISA Server Text Format.
• ODBC Format.
Built-in Reporting
• Create graphical summary reports
showing application usage, security
events, and network activity
Monitoring and Alerting
• Track real-time session and performance
monitoring data. Define alerts to notify an
administrator, stop a service, or execute a
script in response to important system
events.
Bandwidth Priorities
• Set bandwidth priorities to optimize
resource allocation, prioritizing bandwidth
by user, group, application, destination site,
or content type.
Remote Management
• Administer ISA Server remotely using
MMC, Windows 2000 Terminal Services, or
Distributed Component Object Model
(DCOM) command-line scripts.
Multi-Server Management
• With ISA Server Enterprise Edition, manage
an array of servers as a single logical unit.