Identity Management and Security Summit - Security Session 2 Jamie Sharp CISSP Security Consultant Microsoft Services


Page 1

Identity Management and Security Summit - Security Session 2

Jamie Sharp CISSP, Security Consultant, Microsoft Services

Page 2

Agenda

Wireless
VPN
Perimeter
Call to Action

Page 3

Wireless

Page 4

Current Situation

Huge fear of wireless
Rooted in misunderstandings of security
Wireless can be made secure
Takes work
Need to understand problem
Need to plan for secure solution

Page 5

Wireless Antennas

How To Build A Tin Can Waveguide Antenna
http://www.turnpoint.net/wireless/cantennahowto.html

Antenna on the Cheap (er, Chip)
http://www.oreillynet.com/cs/weblog/view/wlg/448

Page 6

WEP - Wired Equivalent Privacy

WEP
Secret key shared between access point and all clients
Encrypts traffic before transmission
Performs integrity check after transmission
WEP uses RC4, a stream cipher
[key] XOR [plaintext] = [ciphertext]
Maybe double-XOR for “better” security? Hah!
[ciphertext] XOR [key] = [plaintext]

Page 7

WEP - Wired Equivalent Privacy

WEP Issues
Key and initialisation vector reuse
Known plaintext attack
Partial known plaintext attack
Weaknesses in RC4 key scheduling algorithm
Authentication forging
Realtime decryption
More Information
http://www.isaac.cs.berkeley.edu/isaac/wep-faq.html
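The two WEP slides above reduce to XOR arithmetic. The following Python is an added example, not part of the deck: a fixed, constructed keystream stands in for RC4 output so the values can be followed by hand, and the identities it demonstrates (decryption is the same operation as encryption, "double XOR" is a no-op, and two frames encrypted under one key and IV leak the XOR of their plaintexts) hold for any stream cipher, RC4 included. That last identity is why per-frame IV uniqueness, and later TKIP and AES, had to replace static-key WEP.

```python
"""Stream-cipher XOR arithmetic behind the two WEP slides above.

Added example, not from the deck. A fixed constructed keystream stands in
for RC4 output so the values are easy to follow by hand; the XOR identities
shown hold for any stream cipher, RC4 included.
"""
from itertools import cycle

# Constructed keystream bytes: stands in for RC4(key || IV) output.
KEYSTREAM = bytes([0x5A, 0xC3, 0x91, 0x0F, 0x77, 0xE2, 0x34, 0xB8])


def xor_bytes(data: bytes, keystream: bytes) -> bytes:
    """XOR data against a repeating keystream: the core of every stream cipher."""
    return bytes(d ^ k for d, k in zip(data, cycle(keystream)))


def encrypt(plaintext: bytes, keystream: bytes = KEYSTREAM) -> bytes:
    """[key] XOR [plaintext] = [ciphertext]"""
    return xor_bytes(plaintext, keystream)


def decrypt(ciphertext: bytes, keystream: bytes = KEYSTREAM) -> bytes:
    """[ciphertext] XOR [key] = [plaintext]: the very same operation."""
    return xor_bytes(ciphertext, keystream)


def double_xor(plaintext: bytes, keystream: bytes = KEYSTREAM) -> bytes:
    """The slide's 'double-XOR for better security': because x ^ k ^ k == x,
    encrypting twice with the same keystream hands back the plaintext."""
    return encrypt(encrypt(plaintext, keystream), keystream)


def xor_of_plaintexts(c1: bytes, c2: bytes) -> bytes:
    """Why key and IV reuse matters: two frames encrypted under the same
    keystream XOR together to p1 ^ p2. The keystream cancels out, so no key
    material is needed to obtain this value."""
    return bytes(a ^ b for a, b in zip(c1, c2))


def bytes_exposed_by_known_plaintext(c1: bytes, c2: bytes, known_p1: bytes) -> bytes:
    """Known-plaintext consequence of keystream reuse: p2 = (c1 ^ c2) ^ p1.
    Any byte of p1 that is fixed or predictable (protocol headers, for
    instance) exposes the matching byte of p2."""
    return bytes(x ^ p for x, p in zip(xor_of_plaintexts(c1, c2), known_p1))


if __name__ == "__main__":
    # Constructed frames; using one keystream for both mimics an IV collision.
    frame1, frame2 = b"HELLO, AP!", b"SECRET MSG"
    c1, c2 = encrypt(frame1), encrypt(frame2)
    print("double XOR returns plaintext:", double_xor(frame1) == frame1)
    print("reuse leaks p1^p2:", xor_of_plaintexts(c1, c2).hex())
    print("known p1 exposes p2:", bytes_exposed_by_known_plaintext(c1, c2, frame1))
```

The keystream here repeats every eight bytes purely so the demo stays small; the reuse problem shown in the last two functions does not depend on that, only on two frames sharing the same keystream.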

Page 8

Solution Today - 802.1X

Port-based access control mechanism defined by IEEE
Works on anything, wired and wireless
Access point must support 802.1X
No special WIC requirements
Allows choice of authentication methods using EAP
Chosen by peers at authentication time
Access point doesn’t care about EAP methods
Manages keys automagically
No need to preprogram WICs

Page 9

Solution Today - EAP

Link-layer security framework
Simple encapsulation protocol for authentication mechanisms
Runs over any link layer, lossy or lossless
No built-in security
Doesn’t assume physically secure link
Authentication methods must incorporate their own security
Supported authentication methods
TLS: authentication server supplies certificate
IKE: server demonstrates possession of preshared key or private key (certificate)
Kerberos: server demonstrates knowledge of session key
PEAP: any pluggable method supporting mutual authentication

Page 10

AuthN Supported in Windows

EAP-MD5 disallowed for wireless
Can’t create encrypted session between supplicant and authenticator
Would transfer password hashes in the clear
Cannot perform mutual authentication
Vulnerable to man-in-the-middle attacks
EAP-TLS in Windows XP release
Requires client certificates
Best to have machine and user
Service pack 1 adds protected EAP (PEAP)

Page 11

Protected EAP (PEAP)

Extension to EAP
Allows use of any secure authentication mechanism for EAP
No need to write individual EAP-enabled methods
Windows PEAP allows:
MS-CHAPv2—passwords
TLS (SSL channel)—certificates
PEAP-EAP-TLS a little slower than EAP-TLS
SecurID—but not tested/supported for wireless
For many deployments, machine and user passwords still are necessary
PEAP enables secure wireless now
Allows easy migration to certificates and smartcards later

Page 12

Clarifying Terminology

802.11 is the specification for over-the-air wireless networks
802.1X is a PHY-independent specification for port-based access control
Combining them makes sense
There is no such thing as 802.11X
But there is work on something called 802.11i

Page 13

Association and Authentication

The 802.11 association happens first
Need to talk to the AP and get an IP address
Open authentication—don’t have the WEP key yet
Access beyond AP prohibited until authN succeeds
AP drops non-EAPOL traffic
After key is sent in EAPOW-key, access beyond AP is allowed
Security conversation between supplicant and authentication server
Wireless NIC and AP are passthrough devices

Page 14

802.1X over 802.11

Parties: Supplicant, Authenticator, Authentication Server

Access blocked
802.11 association (Supplicant ↔ Authenticator)
EAPOL-start (Supplicant → Authenticator)
EAP-request/identity (Authenticator → Supplicant)
EAP-response/identity (Supplicant → Authenticator)
RADIUS-access-request (Authenticator → Authentication Server)
RADIUS-access-challenge (Authentication Server → Authenticator)
EAP-request (Authenticator → Supplicant)
EAP-response (credentials) (Supplicant → Authenticator)
RADIUS-access-request (Authenticator → Authentication Server)
RADIUS-access-accept (Authentication Server → Authenticator)
EAP-success (Authenticator → Supplicant)
EAPOW-key (WEP) (Authenticator → Supplicant)
Access allowed
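The exchange on the slide above, simulated end to end, as an added example that is not part of the deck or of any Microsoft component. Three roles pass the message names the slide shows; the point it makes concrete is the controlled port: the access point forwards only EAPOL frames until the authentication server answers RADIUS-access-accept, then issues a per-session key (EAPOW-key) and opens the port. The credential check is a constructed username/password table standing in for a real EAP method, and the frame dictionaries and field names are this example's own.

```python
"""Simulation of the 802.1X-over-802.11 exchange on the slide above.

Added example, not from the deck or any Microsoft component. The credential
check is a constructed identity -> secret table standing in for a real EAP
method; frame and field names are this example's own.
"""
import os


class AuthenticationServer:
    """RADIUS role (IAS in the deck). Only it ever sees credentials."""

    def __init__(self, users):
        self.users = users  # constructed identity -> secret table

    def access_request(self, identity, credentials=None):
        if credentials is None:
            # Identity only: ask the supplicant to prove who it is.
            return "RADIUS-access-challenge"
        if self.users.get(identity) == credentials:
            return "RADIUS-access-accept"
        return "RADIUS-access-reject"


class Authenticator:
    """Access point. Pass-through for EAP; enforces the controlled port."""

    def __init__(self, server):
        self.server = server
        self.port_open = False      # access beyond the AP blocked until success
        self.identity = None
        self.session_key = None

    def handle_frame(self, frame):
        """Non-EAPOL frames are dropped while the controlled port is closed."""
        if frame["type"] != "EAPOL":
            return "forwarded" if self.port_open else "dropped"
        return self._handle_eapol(frame)

    def _handle_eapol(self, frame):
        msg = frame["msg"]
        if msg == "EAPOL-start":
            return "EAP-request/identity"
        if msg == "EAP-response/identity":
            self.identity = frame["identity"]
            if self.server.access_request(self.identity) == "RADIUS-access-challenge":
                return "EAP-request"          # server's challenge relayed to the client
            return "EAP-failure"
        if msg == "EAP-response" and self.identity is not None:
            reply = self.server.access_request(self.identity, frame["credentials"])
            if reply == "RADIUS-access-accept":
                self.port_open = True
                self.session_key = os.urandom(13)   # EAPOW-key: fresh 104-bit WEP key
                return "EAP-success"
            return "EAP-failure"
        return "EAP-failure"   # unexpected message: fail closed


def run_exchange(identity, credentials, server):
    """Drive one supplicant through the slide's sequence; returns the AP and a transcript."""
    ap = Authenticator(server)
    transcript = [("802.11 association", "open authentication, no key yet")]
    # Data sent before authentication must not reach the network.
    transcript.append(("data frame (before authN)", ap.handle_frame({"type": "DATA"})))
    transcript.append(("EAPOL-start", ap.handle_frame({"type": "EAPOL", "msg": "EAPOL-start"})))
    transcript.append(("EAP-response/identity", ap.handle_frame(
        {"type": "EAPOL", "msg": "EAP-response/identity", "identity": identity})))
    transcript.append(("EAP-response (credentials)", ap.handle_frame(
        {"type": "EAPOL", "msg": "EAP-response", "credentials": credentials})))
    if ap.port_open:
        transcript.append(("EAPOW-key (WEP)", "%d-byte session key delivered" % len(ap.session_key)))
    transcript.append(("data frame (after authN)", ap.handle_frame({"type": "DATA"})))
    return ap, transcript


if __name__ == "__main__":
    server = AuthenticationServer({"alice": "constructed-secret"})
    for step, result in run_exchange("alice", "constructed-secret", server)[1]:
        print(f"{step:28s} -> {result}")
```

Running the module prints the transcript for a successful supplicant; a wrong secret leaves the port closed and the trailing data frame dropped, which is the "access beyond AP prohibited until authN succeeds" rule from the previous slide.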

Page 15

802.1X & EAP Provides

Mutual device authentication
Workstation and authentication server
No rogue access points
Prevents man-in-the-middle attacks
Ensures key is transferred to correct entity
User authentication
No unauthorized access or interception
WEP key uniqueness and regeneration

Page 16

System Requirements

Client: Windows XP service pack 1
Server: Windows Server 2003 IAS
Internet Authentication Service—our RADIUS server
Certificate on IAS computer
Backporting to Windows 2000
Client and IAS must have SP3
No zero-config support in the client
See KB article 313664
Supports only TLS and MS-CHAPv2
Future EAP methods in XP and 2003 might not be backported

Page 17

WPA - An Interim Until 802.11i

Goals
Require secure networking
Solve WEP issues with software and firmware upgrades
Provide secure wireless for SOHO
No RADIUS needed
Be forward compatible with 802.11i
Be available today
WPA Wireless Security Update in Windows XP
http://support.microsoft.com/?kbid=815485

Page 18

The Future - 802.11i

IEEE is working on 802.11i
Replacement for WEP
Includes TKIP (Temporal Key Integrity Protocol), 802.1x, and keyed integrity check
Mandatory AES (Advanced Encryption Standard)
Addresses all currently known vulnerabilities and poor implementation decisions
Need to be IEEE member to read work in progress
Expected ratification in Q4 2003

Page 19

VPN

Page 20

Remote Access Trends

Explosive growth of mobile users
63.4M handheld computers to be sold by 2003*
Increasing methods of access
Application specific access
Combined functionality
VPN and Firewall combined platforms

* Source - (IDC)

Page 21

VPN Solution Components

Diagram labels: Telecommuter, Mobile Worker, ISP, Internet, VPN Server, Administrator, Corporate Network (File/Print Server, Database Server, Web Server, Email Server, Domain Controller, IAS Server)

Components: Clients, Gateway, Protocols, Authentication, Policy, Deployment Tools

Page 22

Windows VPN Components

Components: Client, Gateway, Protocols, Authentication, Policy, Deployment Tools

Client: Integrated VPN client
Gateway: Routing and Remote Access Services
Protocols: Platform Support for Industry Standard Protocols
Authentication: Internet Authentication Services & Active Directory
Deployment Tools: Connection Manager Administration Kit

Platforms: Windows XP, Windows Server 2003

Page 23

Windows XP Professional Client

Integrated VPN Client
Initiates connection to remote networks.

Simplicity
New Connections Wizard
Automatic protocol detection

Security
Client state check with “Quarantine”
Supports advanced security and encryption
Supports certificates, smart cards, token cards and more

Page 24

Windows Server Gateway

Routing and Remote Access Services
Link clients to private networks

Security
• Secure remote access connection technology
• Per session VPN packet filters

Performance
• Offload hardware encryption supported
• Load Balance support for VPN

Manageability
• Integrated Active Directory™ authentication
• Supports standards based Authentication Servers (RADIUS)

Page 25

Windows XP & Server 2003 Protocols

Industry Standard Protocols
Specify link capabilities and encrypt data traffic.

Security
• Advanced security with L2TP/IPSec tunneling protocols
• PKI authentication support
• Legacy user authentication support with PPTP
• Support for Smart Cards with EAP

Interoperability
• IETF standards based solutions

Network Transparency
• Multi-protocol and Multi-cast support

Page 26

Windows Server Authentication

Internet Authentication Services
Validates user access to the network

Directory Integration
• Integrates with Active Directory

Interoperability
• Authenticates other 3rd party VPN products that support RADIUS

Security
• Support for “Quarantine”

New authentication support
• Smart Cards, Token Cards, Fingerprint scanners and more

Page 27

Windows Server Policies

AD Group Policy
Network policies for users to gain access

Security
• Enforcement of policies to check the state of the client via quarantine service
• Restricted access based on group membership

Manageability
• Centralized user management with integration of AD and authentication service

Page 28

Windows Server Deployment Tools

Connection Manager Administration Kit
Create and manage client connection configurations

Central Configuration
• Create pre-configured dial-up connection software for simplified client experience

Extensibility
• Customizable help files, help-desk numbers, and more
• Configurable connect actions to launch custom code before or after connection

Phonebook Management
• Automatic phonebook updates for local ISP access numbers

Page 29

Network Access Quarantine Control

Windows Server 2003 Internet Authentication Service
Active Directory
Ensures that remote systems meet corporate security standards
Reduces risk of security compromises
Reduces the spread of viruses
Whitepaper: Network Access Quarantine Control in Windows Server 2003
http://www.microsoft.com/windowsserver2003/techinfo/overview/quarantine.mspx

Diagram labels: Remote User, Internet, RRAS, IAS, Quarantine, Corpnet

Page 30

Perimeter

Page 31

What is ISA Server?

High Performance Web cache
Multi-layered firewall
Packet Level (static and dynamic filters)
Circuit Level (stateful inspection)
Application Level (payload inspection)
Network Address Translation (NAT)
Centralised or Distributed Management
ICSA Certified
Common Criteria EAL2 Certified

Page 32

ISA = Defence in Depth

Provide secure, fast Internet/Intranet access with proxy and caching
Secure Exchange and Web Servers at the application layer
Secure edge gateway with integrated VPN, firewall and caching

Page 33

Current Situation

Traditional firewalls focus on packet filtering and stateful inspection
Today’s attacks freely bypass this
Ports are overloaded & can be exploited
Port 80 Yesterday—Web browsing only
Port 80 Today—Web browsing, OWA, XML Web Services, …
Packet filtering and stateful inspection are not enough

Page 34

Application-layer Firewalls are Necessary

Application-layer firewalls are required to stop these attacks
Enable deep content inspection
Requirement for network security today

Diagram: Internet → Packet filtering firewall/router → Application-layer firewall → to internal network

“To provide edge security in this application centric world…application-layer firewalls will be required” —John Pescatore, Gartner

Page 35

ISA Server = Application-layer Security

Packet filtering & stateful inspection
Application-layer filtering
Imperative for network security today
Potential to detect/inspect traffic regardless of port
Advanced proxy architecture
Internet traffic never routed to the internal network
Extensible/pluggable architecture
30+ partners: netIQ, Trend Micro, Rainfinity, Authenex, N2H2, Venation, ISS…
Best firewall for Windows environment

Page 36

Web Publishing

Occurs at the application level
ISA understands HTTP
Can publish multiple web servers using one IP address
Can Bridge and Tunnel SSL requests
Allows secure access to the web server
Accelerates performance
Off-load SSL

Page 37

Publishing Web Servers

Diagram: Internet → ISA Server → Internal Network
www.nwtraders.msft/africa → africa.internal.nwtraders.msft (Africa)
www.nwtraders.msft/europe → europe.internal.nwtraders.msft (Europe)
www.contoso.msft
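The publishing diagram above shows one external listener fronting several internal servers. The following rule lookup is an added example, not ISA Server code: it chooses an internal server from the Host header and path, refuses anything no rule publishes, and records whether the request was inspected (an SSL "bridge" rule, where the edge terminates SSL and sees the request) or passed through opaque (a "tunnel" rule). The public names and the two *.internal.nwtraders.msft servers are the slide's own; the contoso internal server name and the per-rule SSL mode are constructed for this example.

```python
"""Publishing-rule lookup for the Web Publishing slides above.

Added example, not ISA Server code. Public names and the two
*.internal.nwtraders.msft servers come from the slide's diagram; the contoso
internal server name and the ssl_mode per rule are constructed.
"""

# (public host, path prefix, internal server, ssl_mode)
# ssl_mode "bridge": the edge terminates SSL, inspects the request, then forwards.
# ssl_mode "tunnel": encrypted bytes are passed through without inspection.
PUBLISHING_RULES = [
    ("www.nwtraders.msft", "/africa", "africa.internal.nwtraders.msft", "bridge"),
    ("www.nwtraders.msft", "/europe", "europe.internal.nwtraders.msft", "bridge"),
    ("www.contoso.msft", "/", "web1.internal.contoso.msft", "tunnel"),  # constructed name
]


def _prefix_matches(path, prefix):
    """Segment-aware prefix test: '/africa' matches '/africa/x' but not '/africastan'."""
    if prefix == "/":
        return True
    return path == prefix or path.startswith(prefix + "/")


def route(host, path):
    """Return {'server', 'inspected'} for the most specific matching rule,
    or None when no rule publishes this host/path (refused at the edge)."""
    host = host.lower().split(":", 1)[0]      # ignore a :port suffix on Host
    best = None
    for pub_host, prefix, internal, ssl_mode in PUBLISHING_RULES:
        if host == pub_host and _prefix_matches(path, prefix):
            if best is None or len(prefix) > len(best[0]):
                best = (prefix, internal, ssl_mode)
    if best is None:
        return None
    _, internal, ssl_mode = best
    return {"server": internal, "inspected": ssl_mode == "bridge"}


if __name__ == "__main__":
    for host, path in [("www.nwtraders.msft", "/africa/index.html"),
                       ("www.nwtraders.msft", "/asia"),
                       ("www.contoso.msft:443", "/catalog")]:
        print(host, path, "->", route(host, path))
```

Returning None for an unpublished host is the behaviour a practitioner wants at the edge: requests for names the rules do not know should not be forwarded to any internal server by default.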

Page 38

Server Publishing

Occurs at the application level
ISA understands SMTP, DNS, FTP, POP, RPC, H.323 and Streaming media OOB
Allows secure access to published services
All incoming and outgoing requests inspected by ISA
Can limit rules to specific clients
Single IP visible to outside world

Page 39

Server Publishing

Diagram: Internet → ISA Server (External Adapter 131.107.3.1, Internal Adapter 192.168.9.1) → Internal Network → Exchange Server
mail1.nwtraders.msft (published name, also the internal server name)

Page 40

ISA Deployment Benefits

Cost-effective to build, monitor and operate
Integrated with Windows security and compatible with non-Windows hosts
Saves bandwidth by caching frequently accessed content
Provides a firewall engine with application layer inspection
Enables QOS, detailed reporting, strong user authentication and high availability

Page 41

SMTP Filter

Help filter out unwanted e-mail
Uses ISA Server application-layer filtering ability
Filter e-mail with increased reliability and security on several attributes
Sender
Domain
Keyword
Attachment extension, name, size
Any SMTP command and its length
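A rule-based filter over exactly the attributes the slide lists, as an added example that is not ISA Server's SMTP filter: sender, sender domain, whole-word keywords in subject and body, attachment extension, name and size, and a per-verb length cap on SMTP command lines (overlong commands are the application-layer check a packet filter cannot make). The rule set, limits and sample message are constructed.

```python
"""Rule-based SMTP message filter in the spirit of the SMTP Filter slide.

Added example, not ISA Server's filter. Rules, limits and messages below are
constructed; the attributes checked are the ones the slide lists.
"""
import re
from dataclasses import dataclass, field


@dataclass
class Attachment:
    name: str
    size: int           # bytes


@dataclass
class Message:
    sender: str
    subject: str
    body: str
    attachments: list = field(default_factory=list)


@dataclass
class Rules:
    blocked_senders: set
    blocked_domains: set
    keywords: set                   # matched as whole words, case-insensitive
    blocked_extensions: set         # e.g. {".exe", ".scr"}
    blocked_attachment_names: set
    max_attachment_size: int
    max_command_length: dict        # SMTP verb -> maximum command line length


def check_command(rules, line):
    """Inspect one SMTP command line; None means acceptable."""
    verb = line.split(" ", 1)[0].upper()
    limit = rules.max_command_length.get(verb)
    if limit is not None and len(line) > limit:
        return f"{verb} command is {len(line)} bytes, limit {limit}"
    return None


def check_message(rules, msg):
    """Return the list of rule violations (an empty list means deliver)."""
    reasons = []
    sender = msg.sender.lower()
    domain = sender.rsplit("@", 1)[-1]
    if sender in rules.blocked_senders:
        reasons.append(f"sender {sender} blocked")
    if domain in rules.blocked_domains:
        reasons.append(f"domain {domain} blocked")
    text = f"{msg.subject}\n{msg.body}"
    for word in sorted(rules.keywords):
        if re.search(r"\b" + re.escape(word) + r"\b", text, re.IGNORECASE):
            reasons.append(f"keyword '{word}' found")
    for att in msg.attachments:
        name = att.name.lower()
        ext = name[name.rfind("."):] if "." in name else ""
        if ext in rules.blocked_extensions:
            reasons.append(f"attachment extension {ext} blocked")
        if name in rules.blocked_attachment_names:
            reasons.append(f"attachment name {name} blocked")
        if att.size > rules.max_attachment_size:
            reasons.append(f"attachment {name} exceeds {rules.max_attachment_size} bytes")
    return reasons


# Constructed rule set for the demonstration.
SAMPLE_RULES = Rules(
    blocked_senders={"spammer@example.test"},
    blocked_domains={"bulkmail.example.test"},
    keywords={"free money"},
    blocked_extensions={".exe", ".scr", ".pif"},
    blocked_attachment_names={"readme.exe"},
    max_attachment_size=5 * 1024 * 1024,
    max_command_length={"HELO": 256, "EHLO": 256, "MAIL": 512, "RCPT": 512},
)


if __name__ == "__main__":
    sample = Message("promo@bulkmail.example.test", "Free Money inside", "click now",
                     [Attachment("readme.exe", 6 * 1024 * 1024)])
    print(check_message(SAMPLE_RULES, sample))
    print(check_command(SAMPLE_RULES, "MAIL FROM:<" + "a" * 600 + ">"))
```

Every violation is collected rather than stopping at the first one, so the resulting log line states all the reasons a message was held, which is what an operator reviewing a quarantine wants to see.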

Page 42

Exchange RPC: RPC 101

RPC client (Outlook), RPC server (Exchange)

Service / UUID / Port
Exchange / {12341234-1111… / 4402
AD replication / {01020304-4444… / 3544
MMC / {19283746-7777… / 9233

RPC services grab random high ports when they start; server maintains table
Client connects to portmapper on server (port 135/tcp)
Client knows UUID of service it wants: {12341234-1111…}
Client asks, “What port is associated with my UUID?”
Server matches UUID to the current port… 4402
Portmapper responds with the port and closes the connection (4402/tcp)
Client accesses application over learned port
Due to the random nature of RPC, this is not feasible over the Internet
All 64,512 high ports & port 135 must be opened on traditional firewalls

Page 43

Exchange RPC Filter
Protect remote Outlook e-mail without a VPN

Diagram: Outlook → Internet → ISA Server → Exchange Server

ISA Server Exchange RPC filter
Only port 135 (portmapper) is open
High ports are opened and closed for Outlook clients as necessary
Inspects portmapper traffic at application-layer
Only Exchange UUIDs allowed, nothing else

Page 44

Exchange RPC Filter
Protect remote Outlook e-mail without a VPN

Enforce RPC encryption
Outlook RPC encryption can be enforced centrally
Enable outbound RPC communication
Outlook clients behind ISA Server can now access external Exchange Servers

ISA Server with Feature Pack 1
Diagram labels: Outlook client, RPC, ISA Server with Feature Pack 1, Exchange Server, Internal network, External network

Page 45

URLScan 2.5 for ISA Server: help stop evolving types of Internet attacks

- Filters incoming HTTP requests against a rule set.
- Helps protect from requests that
  - request unusual actions (HTTP verbs the published site does not need),
  - contain an unusually large number of characters,
  - are encoded using an alternate character set.
- Can be used in conjunction with SSL inspection to detect attacks carried inside SSL sessions: because ISA Server terminates the client's SSL connection, the decrypted request is available to the filter.
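As an added example of the three kinds of rule the slide lists (it is not URLScan's own code, and the rule names only loosely follow urlscan.ini settings), the following request filter rejects unusual verbs, over-long URLs and query strings, and alternate encodings: %u encoding, double encoding and overlong UTF-8 sequences that decode to a non-ASCII character. The sample requests are constructed.

```python
"""Added example (not from the presentation, and not URLScan's own code):
a small request filter in the spirit of URLScan 2.5.  The rule names are
loosely modelled on urlscan.ini settings but are illustrative; the sample
requests are constructed."""
import os
from urllib.parse import unquote

DEFAULT_RULES = {
    "allow_verbs": {"GET", "HEAD", "POST"},   # anything else is "unusual"
    "max_url": 260,                           # total request-URL length
    "max_query_string": 2048,
    "allow_high_bit_characters": False,       # bytes > 0x7F after decoding
    "deny_url_sequences": ["..", "./", "\\", ":"],
    "deny_extensions": {".exe", ".bat", ".cmd", ".com", ".dll"},
}


def check_request(method, raw_url, rules=DEFAULT_RULES):
    """Return (allowed, reason).  Checks run on the decoded form of the URL
    so that encoding tricks cannot hide a denied sequence."""
    if method.upper() not in rules["allow_verbs"]:
        return False, f"verb {method!r} not allowed"
    if len(raw_url) > rules["max_url"]:
        return False, "URL too long"
    path, _, query = raw_url.partition("?")
    if len(query) > rules["max_query_string"]:
        return False, "query string too long"
    if "%u" in raw_url.lower():
        return False, "%u (non-standard Unicode) encoding"
    # Overlong or otherwise invalid UTF-8 sequences (%c0%af for '/' and the
    # like) decode to U+FFFD, which the high-bit check below then rejects.
    decoded = unquote(raw_url, encoding="utf-8", errors="replace")
    if unquote(decoded) != decoded:
        return False, "double-encoded URL"
    if not rules["allow_high_bit_characters"] and any(ord(c) > 0x7F for c in decoded):
        return False, "high-bit or non-ASCII characters"
    decoded_path = decoded.partition("?")[0]
    for seq in rules["deny_url_sequences"]:
        if seq in decoded_path:
            return False, f"denied sequence {seq!r} in path"
    ext = os.path.splitext(decoded_path)[1].lower()
    if ext in rules["deny_extensions"]:
        return False, f"denied extension {ext!r}"
    return True, "ok"


# Constructed sample requests: (method, request-URL)
SAMPLE_REQUESTS = [
    ("GET",   "/exchange/inbox/"),
    ("POST",  "/exchange/inbox/?Cmd=send"),
    ("TRACE", "/"),                                   # unusual action
    ("GET",   "/a?" + "x" * 3000),                    # large number of characters
    ("GET",   "/scripts/..%c0%af../cmd.exe"),         # overlong UTF-8 slash
    ("GET",   "/%252e%252e/secret.txt"),              # double encoding
    ("GET",   "/%u002e%u002e/secret.txt"),            # %u encoding
    ("GET",   "/cgi-bin/tool.exe"),                   # denied extension
]


def scan(requests, rules=DEFAULT_RULES):
    """Run every sample through the filter; returns (method, url, allowed, reason)."""
    return [(m, u[:40], *check_request(m, u, rules)) for m, u in requests]


if __name__ == "__main__":
    for method, url, ok, why in scan(SAMPLE_REQUESTS):
        print("ALLOW" if ok else "DENY ", method, url, "-", why)
```

Decoding before matching is the important design choice: a filter that compares denied sequences against the raw request string can be bypassed by encoding one character of the sequence, which is exactly the "alternate character set" class of attack the slide refers to.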

Page 46

RSA SecurID Authentication: help control access with 2-factor authentication

- ISA Server prompts the user for a SecurID username and PASSCODE (PIN plus the current token code).
- The RSA ACE/Agent on ISA Server passes the credentials to the RSA ACE/Server for validation.
- When the credentials are validated:
  - the user is granted access to the protected content;
  - a cookie is delivered to the user's browser for subsequent activity during the session, so the one-time token code is not re-entered on every request. The cookie then stands in for the second factor for the rest of the session, which is why the published site should be reachable only over SSL.

Page 47

Authentication Delegation: help ensure only valid traffic is allowed

Diagram: client — Internet — ISA Server — Web server

- For SecurID and basic authentication, authentication happens at ISA Server.
- Eliminates multiple authentication dialogs.
- Only authenticated traffic is allowed to the internal network; anonymous requests are answered at the perimeter and never reach the published server.
- Enabled per Web publishing rule.

Flow:
1. Client requests protected content from the Web server.
2. ISA Server pre-authenticates the user and logs the activity.
3. ISA Server forwards the credentials to the protected Web or OWA server.
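The flow above, as an added example that is not ISA Server code: a pre-authenticating proxy that challenges the client itself, issues a session cookie on success (the mechanism the SecurID slide describes), and forwards the validated credentials to the published server, so the backend only ever sees authenticated requests. The user table, cookie name and recording backend are constructed stand-ins; a SecurID deployment would validate the PASSCODE against the ACE/Server instead of a local table.

```python
"""Added example (not from the presentation, not ISA Server code): a model
of authentication delegation.  The proxy authenticates the client itself,
issues a session cookie, and forwards the validated credentials to the
published server; unauthenticated requests never reach it.  The user
table, cookie name and backend are constructed stand-ins."""
import base64
import secrets
import time

USERS = {"alice": "correct-horse"}   # constructed stand-in for the directory / ACE server
COOKIE_NAME = "PreAuthSession"       # hypothetical cookie name
SESSION_TTL = 600                    # seconds


def basic_header(user, password):
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def parse_basic(header):
    if not header or not header.startswith("Basic "):
        return None
    try:
        user, sep, password = base64.b64decode(header[6:]).decode().partition(":")
    except (ValueError, UnicodeDecodeError):
        return None
    return (user, password) if sep else None


class RecordingBackend:
    """Stands in for the published Web/OWA server; records what reaches it."""

    def __init__(self):
        self.received = []

    def __call__(self, request):
        self.received.append(request)
        return {"status": 200, "headers": {}, "body": "protected content"}


class PreAuthProxy:
    def __init__(self, backend):
        self.backend = backend
        self.sessions = {}   # token -> (user, password, expires_at)
        self.audit = []

    def _session(self, cookie_header, now):
        for part in (cookie_header or "").split(";"):
            name, _, token = part.strip().partition("=")
            if name == COOKIE_NAME and token in self.sessions:
                user, password, expires = self.sessions[token]
                if now < expires:
                    return user, password
                del self.sessions[token]   # stale session: force re-authentication
        return None

    def handle(self, request, now=None):
        now = time.time() if now is None else now
        headers = request["headers"]
        new_cookie = None
        session = self._session(headers.get("Cookie"), now)
        if session is None:
            creds = parse_basic(headers.get("Authorization"))
            expected = USERS.get(creds[0]) if creds else None
            if expected is None or not secrets.compare_digest(expected, creds[1]):
                self.audit.append(f"DENY  {request['path']}")
                return {"status": 401,
                        "headers": {"WWW-Authenticate": 'Basic realm="published site"'},
                        "body": ""}
            session = creds
            token = secrets.token_urlsafe(32)
            self.sessions[token] = (*creds, now + SESSION_TTL)
            new_cookie = f"{COOKIE_NAME}={token}; Path=/; Secure; HttpOnly"
        user, password = session
        self.audit.append(f"ALLOW {user} {request['path']}")
        # Forward with the validated credentials; the client's own cookie
        # and Authorization header never reach the internal server.
        fwd_headers = {k: v for k, v in headers.items() if k not in ("Cookie", "Authorization")}
        fwd_headers["Authorization"] = basic_header(user, password)
        response = self.backend({"path": request["path"], "headers": fwd_headers})
        if new_cookie:
            response.setdefault("headers", {})["Set-Cookie"] = new_cookie
        return response


if __name__ == "__main__":
    backend = RecordingBackend()
    proxy = PreAuthProxy(backend)
    print(proxy.handle({"path": "/exchange/", "headers": {}}, now=1000)["status"])
    ok = proxy.handle({"path": "/exchange/", "headers": {"Authorization": basic_header("alice", "correct-horse")}}, now=1000)
    print(ok["status"], ok["headers"]["Set-Cookie"])
    print(proxy.audit, len(backend.received))
```

Two details carry the security property the slide claims. The session table lives on the proxy and the cookie is only an opaque handle to it, so nothing in the cookie can be edited to become another user; and the backend receives a fresh Authorization header built by the proxy, which is what lets the user avoid a second logon dialog.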

Page 48

Link Translator: eliminate the need to re-architect intranet sites

- Translates hyperlinks within responses, replacing intranet computer names with the names of the externally available computers.
- Includes HTTP to HTTPS translation and support for SharePoint Portal Server.

Diagram (ISA Server Feature Pack 1):
1. The client requests www.example.com/index.html over the Internet.
2. The published Web server (www.example.com) returns a page whose links point at the internal Web server int-mktg, e.g. http://int-mktg/sales.html
3. LINK TRANSLATOR rewrites int-mktg/ to mktg.example.com/, so the client receives http://mktg.example.com/sales.html and the page keeps working without changing the intranet site.
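As an added example of the translation the diagram shows (not ISA's link translator itself), the following rewrites the link-bearing attributes of an HTML response body, and a redirect Location header, from internal names to published names. The name mapping and the sample page are constructed; the HTTP-to-HTTPS change for int-mktg is there to illustrate the scheme translation the slide mentions.

```python
"""Added example (not from the presentation, not ISA's link translator):
rewrite hyperlinks in an HTML response so that intranet host names become
the externally published names.  The name mapping and the sample page are
constructed; the HTTP-to-HTTPS change for int-mktg is illustrative."""
import re

# internal URL prefix -> external URL prefix (constructed mapping)
MAPPING = {
    "http://int-mktg/": "https://mktg.example.com/",
    "http://int-portal/": "https://portal.example.com/",
}

# href/src/action attributes, quoted with " or '
LINK_ATTR = re.compile(
    r"""(?P<attr>\b(?:href|src|action)\s*=\s*)(?P<q>["'])(?P<url>[^"']*)(?P=q)""",
    re.IGNORECASE,
)


def translate_url(url, mapping=MAPPING):
    """Longest internal prefix wins; host names compare case-insensitively."""
    for internal in sorted(mapping, key=len, reverse=True):
        if url.lower().startswith(internal.lower()):
            return mapping[internal] + url[len(internal):]
    return url


def translate_links(html, mapping=MAPPING):
    """Rewrite only link-bearing attributes, not arbitrary page text."""
    def repl(m):
        return f"{m.group('attr')}{m.group('q')}{translate_url(m.group('url'), mapping)}{m.group('q')}"
    return LINK_ATTR.sub(repl, html)


def translate_response(headers, body, mapping=MAPPING):
    """Apply translation to an HTML body and to a redirect Location header."""
    out = dict(headers)
    if "Location" in out:
        out["Location"] = translate_url(out["Location"], mapping)
    if out.get("Content-Type", "").lower().startswith("text/html"):
        body = translate_links(body, mapping)
        out.pop("Content-Length", None)   # length changed; the proxy recomputes it
    return out, body


# Constructed sample response from the internal site
SAMPLE_HEADERS = {"Content-Type": "text/html; charset=utf-8", "Content-Length": "999"}
SAMPLE_BODY = """<html><body>
<a href="http://int-mktg/sales.html">Sales</a>
<img src='http://INT-MKTG/img/logo.png'>
<form action="http://int-portal/search.aspx">
<a href="http://int-hr/policy.html">HR (not published, left alone)</a>
<a href="/relative/link.html">relative, untouched</a>
<p>Plain text mention of http://int-mktg/ stays as it is.</p>
</body></html>"""

if __name__ == "__main__":
    hdrs, body = translate_response(SAMPLE_HEADERS, SAMPLE_BODY)
    print(hdrs)
    print(body)
```

Limiting the rewrite to link attributes and to HTML responses is deliberate: rewriting every occurrence of the internal name in every body would also alter script, JSON and binary content, and leaving Content-Length in place after changing the body length is a common source of truncated or hung responses behind a reverse proxy.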

Page 49

Guidance: answers to commonly asked ISA Server questions

- ISA Server Feature Pack 1 walkthroughs: OWA, link translation, RSA SecurID
- Web publishing: many different scenarios, plus troubleshooting information
- Exchange Server publishing: Exchange RPC filter, POP and IMAP, plus troubleshooting information
- Additional documentation: many subjects, including client types and creating digital certificates

Page 50

Call to Action

- Eliminate fear of wireless networks.
- Revisit the corporate remote access strategy.
- Evaluate the security of your current Exchange and Web Server deployments.
- Regularly check www.microsoft.com/security

Page 51

© 2003 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.