Network Edge Protection: A Technical Deep-Dive into Internet Security & Acceleration Server 2006
Agenda
What Is ISA Server 2006?
Technical Review of:
Secure Application Publishing
Branch Office Security
Internet Access Protection
ISA on Appliances
Summary
What is ISA Server 2006?
ISA Server 2006 is the integrated edge security gateway that helps protect your IT environment from Internet-based threats while providing your users with fast, more secure access to applications and data.
Three Deployment Scenarios
Secure Application Publishing: Making Exchange, SharePoint and Web application servers available for secure remote access
Branch Office Security: Securely connecting your branch offices and utilizing bandwidth efficiently
Internet Access Protection: Protecting your environment from internal users accessing unwanted or harmful content on the Internet
Secure Application Publishing
“We have multiple applications, and everybody has too many passwords and too many logons. Our goal was to make it so that once an employee gains access to our intranet home page, he or she doesn’t have to log on again to use another application.”
– Wendy Lou, IT Security Architect, Northwest Airlines
The Concerns
1. An increasing number of employees need access to information hosted on the corporate network.
2. Hackers want to steal information on corporate data servers for personal gain. They are able to evade current “hardware” firewalls by hiding attacks in encrypted sessions.
3. Opening “ports” on the corporate firewall to company resources puts the customer at risk from Internet-based attackers.
4. Traditional “hardware” firewalls are not specifically built to protect Exchange & SharePoint® Portal Server.
Secure Application Publishing: The Solution
Automatic translation of links to internal shares
Strong user/group based access controls
NTLM, Kerberos authentication support
Load balancing of server farms
Exchange & SharePoint publishing tools
Smartcard & one-time password support
Inspection of encrypted traffic using SSL Bridging
Single sign-on for access to multiple servers
Pre-authentication so only valid traffic reaches servers
Authentication with Active Directory via LDAP
ISA 2006 and IAG 2007
IAG 2007: Customizable and differentiated application access based on user identity, content / file attributes, URL and client security state
ISA 2006: General application access from Web-enabled clients when content-specific policy is not needed
Branch Office Security
“Much of our business relies on Web-based transactions between our branch offices and the main servers at our head office. Due to bandwidth restrictions at some of the more remote locations, we were limited in the types of solutions we could deploy.”
– Josée Corriveau, Applications Architecture and Infrastructure Manager, Desjardins Group
The Concerns
1. Branch office employee productivity suffers when they cannot access corporate data at the main office, or when data access is slow.
2. The cost of WAN links is a major line item for many companies with extensive branch office deployments.
3. Companies with large numbers of branch offices need to reduce the overhead in managing thousands of firewall and Web proxy servers.
4. Branches that are not as tightly managed can lead to an increased probability of a security breach that can impact the main office network.
Branch Office Security: The Solution
Web caching for faster response times
DiffServ IP settings for traffic prioritization
BITS support to accelerate software update deployment
Answer files on removable media for unattended installation
Integrated application-layer firewall, VPN & web proxy
HTTP traffic compression to minimize bandwidth use
Enterprise & array policy model for large deployments
Cache Array Routing Protocol for efficient cache use
Central policy storage and fast propagation of policy using bandwidth optimizations
Internet Access Protection
“It’s important that we control users connecting to the Internet for legal reasons. A number of our staff are highly trained medical professionals who need access to information about sensitive issues within sports medicine.”
– Mark Richards, Head of Information Systems, English Institute of Sport
The Concerns
1. Security breaches require that customers determine the source of the breach (what user, on what computer, at what time, using what application).
2. Uncontrolled Internet access can lead to a decrease in employee productivity, as well as to employees introducing viruses, worms, Trojan horses, and other exploit code to the internal network.
3. A variety of apps can be used to send proprietary info out to the Internet, such as email, newsgroups, peer-to-peer file sharing, instant messaging, and more.
4. Slow or unusable Internet connections can put the company at a competitive disadvantage and reduce overall employee productivity.
Internet Access Protection: The Solution
Enhanced protection against DoS, DDoS & DNS attacks
Integrated Network Load Balancing for high availability
Integrated application-layer firewall & web proxy
Security-enhanced remote management using TLS
Built-in traffic inspection for over 120 protocols
Customizable cache rules for flexibility
Fast RAM & on-disk caching for fast web page response times
Enhanced worm protection through connection quotas
Comprehensive alert triggers & responses
ISA 2006 on Appliances
1. Hardware comes preloaded, preconfigured, and pretested with ISA Server.
2. Hardened configuration for reduced attack surface.
3. Easy to purchase, set up, and deploy.
4. Out-of-box configuration tools and Web-based administration available.
More information
1. Configuration Training, Capacity Planner & more tools on http://www.microsoft.com/isaserver
2. Try out FREE virtual labs at http://www.microsoft.com/technet/traincert/virtuallab/isa.mspx
3. Download trials, demos, test environments, & virtual hard disks from http://www.microsoft.com/forefront/edgesecurity/trial.mspx
Summary
Secure Application Publishing
Branch Office Security
Internet Access Protection
An integral part of Microsoft Forefront™
Visit http://www.microsoft.com/infrastructure
Learn more about how ISA Server 2006 fits in the Forefront & System Center solution
Download beta/evaluation software
ISA Server 2006 wins Redmond Reader’s Choice Awards in Software-Based Firewall Category!
Windows ITPro Readers vote ISA Server 2006 as number one in Firewall/Server Category!