© 2005 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.

ISA Server

Leeven Chang, GJUN CTEK, [email protected]


Agenda

Introduction to ISA Server 2006
Secure Application Publishing
Branch Office Protection
Firewall and Proxy Enhancements
Monitoring ISA with MOM


Diagram (labels only): Guidance; Developer Tools; Systems Management; Active Directory Federation Services (ADFS); Identity Management; Services; Information Protection; Encrypting File System (EFS); BitLocker; Network Access Protection (NAP); Client and Server OS; Server Applications; Edge


ISA Server 2006

Application Layer Firewall
Protects internal resources from the outside
Separates them from the rest of the network
Controls how Internet resources are used
Examines each network packet against your rules

VPN

Proxy Server
Makes network requests and forwards data
Caches sites for improved performance


ISA Server 2006 Editions

ISA Server 2006 Standard Edition
ISA Server 2006 Enterprise Edition


Appliances

Preinstalled on optimized hardware
Partner solutions extend ISA: antivirus gateways, URL filtering, availability
Both for Standard and Enterprise Edition
Enterprise gets extended NLB and caching functionality
Support for unattended installation using a USB flash drive


Appliances - Benefits

Easy deployment
Everything is tested
Hardened configuration -> reduced attack surface
Extra configuration tools and web administration


Advantages of Appliances

Easier purchase process – no separate software licensing complexity
Lower cost of deployment
Plug & Play, Set & Forget
Controlled components and drivers
Automated patch management (on some offerings)
Fewer calls to tech support
Easy roll-back to factory configuration
Quick learning curve for IT administrators
Appliances are the whole solution, not just part of it


A Traditional Firewall's View of a Packet

Only packet headers are inspected
Application layer content appears as a "black box"

IP Header: Source Address, Dest. Address, TTL, Checksum
TCP Header: Sequence Number, Source Port, Destination Port, Checksum
Application Layer Content: ???????????????????????????????????????????

Forwarding decisions based on port numbers
Legitimate traffic and application layer attacks use identical ports

Diagram (labels only): Internet; Expected HTTP Traffic; Unexpected HTTP Traffic; Attacks; Non-HTTP Traffic; Corporate Network


ISA Server's View of a Packet

Packet headers and application content are inspected

IP Header: Source Address, Dest. Address, TTL, Checksum
TCP Header: Sequence Number, Source Port, Destination Port, Checksum
Application Layer Content: <html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><title>MSNBC - MSNBC Front Page</title><link rel="stylesheet"

Forwarding decisions based on content
Only legitimate and allowed traffic is processed

Diagram (labels only): Internet; Allowed HTTP Traffic; Prohibited HTTP Traffic; Attacks; Non-HTTP Traffic; Corporate Network
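The contrast drawn in the two slides above, worked through as an added example that is not part of the original deck: the same four TCP/80 packets are run through a header-only decision and through an HTTP-aware one. The addresses, the policy values and the payloads are constructed for the demonstration; the checks on method, Host header and URL length stand in for the kind of content checks an application-layer HTTP filter applies, not for ISA's exact rule set.

```python
"""Added example (not from the ISA Server deck): a port-only decision versus
an HTTP-aware decision on the same TCP/80 traffic.  Addresses, policy values
and payloads are constructed for the demonstration."""

from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dst_port: int
    payload: bytes  # the TCP payload a header-only firewall never looks into


# Constructed sample traffic, all addressed to TCP/80 on the published web server.
SAMPLES = [
    Packet("203.0.113.5", "192.0.2.10", 80,
           b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    Packet("203.0.113.6", "192.0.2.10", 80,
           b"POST /upload HTTP/1.1\r\nHost: www.example.com\r\nContent-Length: 3\r\n\r\nabc"),
    # Same port, same server, but an oversized URL: indistinguishable by headers alone.
    Packet("203.0.113.7", "192.0.2.10", 80,
           b"GET /" + b"A" * 5000 + b" HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    # Non-HTTP bytes sent to port 80.
    Packet("203.0.113.8", "192.0.2.10", 80, b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1"),
]


def port_filter(pkt: Packet) -> str:
    """Traditional firewall view: only IP/TCP header fields take part in the decision."""
    return "allow" if pkt.dst == "192.0.2.10" and pkt.dst_port == 80 else "deny"


# Constructed HTTP policy (an application-layer filter exposes limits of this kind).
HTTP_POLICY = {
    "methods": {"GET", "HEAD", "POST"},
    "hosts": {"www.example.com"},
    "max_url_len": 260,
}


def http_filter(pkt: Packet, policy=HTTP_POLICY):
    """Application-layer view: header rule first, then the HTTP request itself.
    Returns (verdict, reason)."""
    if port_filter(pkt) != "allow":
        return "deny", "header rule"
    head, _, _ = pkt.payload.partition(b"\r\n\r\n")
    try:
        lines = head.decode("ascii").split("\r\n")
        method, url, version = lines[0].split(" ")
        headers = dict(line.split(": ", 1) for line in lines[1:] if ": " in line)
    except (UnicodeDecodeError, ValueError):
        return "deny", "payload is not well-formed HTTP"
    if not version.startswith("HTTP/"):
        return "deny", "unexpected protocol version"
    if method not in policy["methods"]:
        return "deny", f"method {method} not allowed"
    if headers.get("Host") not in policy["hosts"]:
        return "deny", "Host header is not a published site"
    if len(url) > policy["max_url_len"]:
        return "deny", f"URL length {len(url)} exceeds {policy['max_url_len']}"
    return "allow", "passed HTTP policy"


def compare(samples=SAMPLES):
    """Side-by-side verdicts: the port filter passes everything, the HTTP filter does not."""
    return [(port_filter(p), http_filter(p)[0]) for p in samples]


if __name__ == "__main__":
    for pkt, (by_port, by_content) in zip(SAMPLES, compare()):
        print(f"{pkt.src:<12} port-only={by_port:<5} content-aware={by_content:<5} {http_filter(pkt)[1]}")
```

The header-only filter returns "allow" for all four packets because every one of them is addressed to the published port; only the content-aware path separates the two legitimate requests from the oversized URL and the non-HTTP stream.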


Multi-Network Support

Simplify the complexity and administration of managing network security
Subdivide the network into multiple segments with a single ISA license
Extend virtual firewall protection across each segment
Enforce rules on a per-network basis
Easy setup: network templates

Diagram (labels only): Net A; DMZ_1; DMZ_n; Internet; VPN; ISA 2006; Local Area Network; CorpNet_1; CorpNet_n; Quarantine VPN


ISA 2004/2006 Policy Model

Single, ordered rule base
Logical and easier to understand
Easy to view and to audit
Default System Policy


Default System Policy/Lockdown

System Policy – a default set of access rules applied to the ISA Server itself

Lockdown mode:
Protects the operating system when firewall services are offline because of...
a security event that triggers a firewall service shutdown
a planned firewall service shutdown
an ISA Server reboot


Exploring some basic tasks


Application Publishing

Use internal resources from the Internet
Outlook Web Access
Publish through one external IP address
Cached content to external clients
Supports IIS authentication methods
Pre-authenticate users
Path configuration


OWA Publishing

ISA terminates all connections
Decrypts HTTPS
Inspects content
Inspects URL against rules
Re-encrypts for delivery to OWA
ISA Server is the host

Diagram (labels only): OWA; ISA Server; Exchange; AD; encrypted stream "x36dj23s2oipn49v"; decrypted content "<a href… http://..."


What is Publishing?

ISA Server impersonates internal servers through a reverse proxy process
To make internal sites/services accessible to users outside the corporate network, including partners
To add a layer of security at the network edge

Diagram (labels only): Exchange; Intranet Web Server; SharePoint; Active Directory; External Web Server; Internal Network; Internet; RADIUS; DMZ; Headquarters; Administrator


The Solution

Diagram (labels only): ISA 2006; Active Directory; SharePoint; Exchange Farm; Internal Network; Internet link; Remote User; Hacker

Single sign-on for access to multiple servers
Exchange & SharePoint publishing tools
Automatic translation of links to internal shares
NTLM, Kerberos authentication support
Smartcard & one-time password support
Authentication with Active Directory via LDAP
Load balancing of server farms
Pre-authentication so only valid traffic reaches servers
Strong user/group based access controls
Inspection of encrypted traffic using SSL Bridging
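Two of the publishing properties listed above, pre-authentication at the edge and automatic link translation, reduced to working code as an added example that is not part of the original deck. The user directory, the published host name, the internal server name and the backend response are all constructed; Basic authentication is a stand-in for the forms, NTLM, Kerberos and one-time-password options the slide lists, and the `backend` function stands in for the published Exchange server.

```python
"""Added example (not from the ISA Server deck): the edge checks in a
publishing rule.  Only authenticated requests are forwarded, and internal host
names in the response are rewritten to the published name.  Users, hosts and
the backend are constructed stand-ins."""

import base64
import re

# Constructed directory the edge validates against (stand-in for AD/LDAP/RADIUS).
USERS = {"alice": "correct horse", "bob": "battery staple"}
# Constructed publishing rule: public name -> internal server.
PUBLISHED = {"owa.example.com": "exch01.corp.local"}
# Reverse mapping used for link translation in responses.
LINK_MAP = {internal: public for public, internal in PUBLISHED.items()}


def authenticate(headers):
    """Pre-authentication at the edge (Basic scheme); returns the user name or None."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Basic "):
        return None
    try:
        user, _, pw = base64.b64decode(auth[6:]).decode().partition(":")
    except (ValueError, UnicodeDecodeError):
        return None
    return user if USERS.get(user) == pw else None


def translate_links(body, link_map=LINK_MAP):
    """Rewrite internal host names in the response body to the published name.
    The scheme becomes https because the published listener is the SSL side
    of the bridge (constructed choice)."""
    for internal, public in link_map.items():
        body = re.sub(rf"https?://{re.escape(internal)}", f"https://{public}", body)
    return body


def backend(internal_host, path, user):
    """Constructed stand-in for the published server; it only sees authenticated requests."""
    return 200, f'<a href="http://{internal_host}{path}/inbox">Inbox for {user}</a>'


def publish(request):
    """Edge decision for one request dict: returns (status, body, forwarded)."""
    host = request["headers"].get("Host")
    if host not in PUBLISHED:
        return 404, "no publishing rule for this host", False
    user = authenticate(request["headers"])
    if user is None:
        # Dropped at the edge: nothing reaches the internal server.
        return 401, "authentication required", False
    status, body = backend(PUBLISHED[host], request["path"], user)
    return status, translate_links(body), True


def basic(user, pw):
    """Build an Authorization header value for the constructed sample requests."""
    return "Basic " + base64.b64encode(f"{user}:{pw}".encode()).decode()


if __name__ == "__main__":
    good = {"path": "/owa", "headers": {"Host": "owa.example.com",
                                         "Authorization": basic("alice", "correct horse")}}
    anon = {"path": "/owa", "headers": {"Host": "owa.example.com"}}
    print(publish(good))
    print(publish(anon))
```

The `forwarded` flag in the return value is the point of the example: an unauthenticated or wrongly authenticated request is answered by the edge itself, and the internal name `exch01.corp.local` never appears in anything the external client receives.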


Branch Office Gateway: Key Differentiating Points

Easy Integration with Existing Branch Office Infrastructure

Integrated Application-Layer Firewall Provides Added Protection

Integrated Cache Functionality Increases Speed

Integrated S2S VPN Functionality Lowers TCO

Centralized Management from HQ


Branch Office Performance Improvements

BITS caching for the Microsoft update platform
Reduce the impact of software updates on network bandwidth in the branch office
Improve the value of ISA 2006 by reducing days-of-risk in branch office locations

Compression of HTTP content
Compress HTTP content before it goes over the WAN to accelerate Web browsing and improve bandwidth usage
Cache compressed and uncompressed content

Diffserv (Differentiated Services) to prioritize HTTP and HTTPS application traffic
Improve response time for critical HTTP and HTTPS applications
Determine what traffic has priority over other traffic based on URL and the corresponding configured Diffserv service level


Branch Office Scenario

Diagram (labels only): Headquarters; Branch 1; Branch 2; Branch 3; Leased lines


Branch Office Gateway

ISA Server 2004/2006 Features
Flexible Branch Office Network Topology
Integrated S2S VPN Gateway
HTTP Caching
Distributed Caching & Web Proxy Chaining
Integrated Firewall
BITS Caching complements Windows Server R2 Remote Differential Caching

Easy Deployment
Better Protection
Better Management
Lower Connectivity Costs
Bandwidth Optimization


Enterprise Policies

Enterprise policies:
Multiple "template" policies for an organization
Arrays are assigned Enterprise Policies

Effective policy:
Calculated from Enterprise Policies and Array Policies
Result: an ordered set of allow/deny rules


Enterprise Policy Structure

An enterprise policy consists of:
Enterprise rules (before)
Array policy "Place Holder"
Enterprise rules (after)
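The effective-policy calculation from the two slides above, carried through as an added example that is not part of the original deck: the enterprise "before" rules, the array's own rules in the placeholder slot and the enterprise "after" rules are concatenated into one ordered rule base and evaluated first-match. The rule names, networks, protocols and users are constructed; the match fields are a simplified subset of what an ISA access rule actually carries.

```python
"""Added example (not from the ISA Server deck): assembling an Enterprise
Edition effective policy and evaluating it as one ordered first-match rule
base.  All rules, networks and users are constructed."""

from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                          # "allow" or "deny"
    protocol: Optional[str] = None       # None = any protocol
    src: Optional[str] = None            # network name, None = any
    dst: Optional[str] = None
    users: Optional[frozenset] = None    # None = all users

    def matches(self, req: dict) -> bool:
        for want, got in ((self.protocol, req["protocol"]), (self.src, req["src"]), (self.dst, req["dst"])):
            if want is not None and want != got:
                return False
        return self.users is None or req["user"] in self.users


@dataclass(frozen=True)
class EnterprisePolicy:
    name: str
    before: tuple   # enforced ahead of anything the array administrator writes
    after: tuple    # reached only if no array rule matched


def effective_policy(enterprise: EnterprisePolicy, array_rules) -> list:
    """Enterprise rules (before) + array policy in the placeholder slot + enterprise rules (after)."""
    return [*enterprise.before, *array_rules, *enterprise.after]


def evaluate(rules, req: dict):
    """First match wins; anything unmatched falls through to the built-in default deny."""
    for rule in rules:
        if rule.matches(req):
            return rule.action, rule.name
    return "deny", "Default rule"


# Constructed enterprise template assigned to every array.
CORP_TEMPLATE = EnterprisePolicy(
    name="Corporate baseline",
    before=(Rule("Block P2P everywhere", "deny", protocol="BitTorrent"),),
    after=(Rule("Deny remaining Internet access", "deny", dst="External"),),
)

# Constructed rules written by the branch array's administrator.
BRANCH_ARRAY = (
    Rule("Branch web access", "allow", protocol="HTTP", src="Internal", dst="External",
         users=frozenset({"alice", "bob"})),
    Rule("Branch DNS", "allow", protocol="DNS", src="Internal", dst="External"),
    # An array-level attempt to open P2P: it never fires, the enterprise rule above it matches first.
    Rule("Local P2P exception", "allow", protocol="BitTorrent", src="Internal", dst="External"),
)


if __name__ == "__main__":
    policy = effective_policy(CORP_TEMPLATE, BRANCH_ARRAY)
    for i, rule in enumerate(policy, 1):
        print(f"{i}. {rule.action:<5} {rule.name}")
    print(evaluate(policy, {"protocol": "BitTorrent", "src": "Internal", "dst": "External", "user": "alice"}))
```

Ordering is the security property here: because the enterprise "before" rules sit ahead of the placeholder, an array administrator cannot relax them, and the "after" rules act as the organization's catch-all for whatever the array left unmatched.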


Configuration Storage Server

Diagram (labels only): CSS; Management Console; second CSS with replication between the two; three ISA 2006 Server Arrays, each holding a local configuration copy


Balancing Published Servers

Diagram (labels only):
Published Server 1: 11.11.11.1
Published Server 2: 11.11.11.2
ISA-1 Internal: DIP 10.10.10.2, VIP 10.10.10.100
ISA-2 Internal: DIP 10.10.10.1, VIP 10.10.10.100
ISA-1 External: DIP 128.1.1.2, VIP 128.1.1.100
ISA-2 External: DIP 128.1.1.1, VIP 128.1.1.100
External Client: 192.168.1.8
Internet; NLB Cluster; NLB Cluster; ISA 1; ISA 2; flow steps 1 to 6


Balancing Outbound Access

Diagram (labels only):
Laptop
ftp.microsoft.com 157.31.56.100
Internal Client: 12.12.12.1
ISA-1 Internal: DIP 10.10.10.2, VIP 10.10.10.100
ISA-2 Internal: DIP 10.10.10.1, VIP 10.10.10.100
ISA-1 External: DIP 128.1.1.2, VIP 128.1.1.100
ISA-1 External: DIP 128.1.1.1, VIP 128.1.1.100
Internet; NLB Cluster; NLB Cluster; ISA 1; ISA 2; flow steps 1 to 6


ISA Server 2006

Integrated security: application filtering, BITS caching
Secure access: HTTP compression, traffic prioritization
Efficient management: easy deployment, fast propagation of policies

Diagram (labels only): Headquarters; Branch 1; Branch 2; Branch 3; Site-to-site VPN


Integrated Security

BITS caching (Background Intelligent Transfer Service)
Transfers files between client and server
Uses leftover bandwidth
Maintains transfers if disconnected

Windows Updates
Data is cached on the ISA Server
Subsequent users pull it from the local cache


Secure Access

HTTP compression
When someone makes a request, the response is compressed at the ISA server at the HQ
It reaches the branch and gets decompressed

Traffic Prioritizing
Control when bandwidth is limited
Diffserv protocol
ISA inspects requests and assigns priority depending on destination


Effective Management

Branch Office Connectivity Wizard
Answer files for unattended installation
More effective policy propagation
Reduced server requirements
Optimization for low bandwidth use
Secure Remote Management is possible
Templates and configuration tools


Configure the Branch Office Gateway


Proxy server features

Enhanced worm resiliency, mitigating the impact on the network
Faster alert triggers and responses
To avoid DoS attacks ISA Server controls:
Log throttling, which measures the volume of denied records
Memory consumption
Pending DNS queries


The Solution

Diagram (labels only): External Web Site; Attacker; Internal Network; Internet; ISA Server 2006 Array

Integrated application-layer firewall & web proxy
Built-in traffic inspection for over 120 protocols
Enhanced protection against DoS, DDoS & DNS attacks
Integrated Network Load Balancing for high availability
Enhanced worm protection through connection quotas
Comprehensive alert triggers & responses
Security-enhanced remote management using TLS
Fast RAM & on-disk caching for fast web page response times
Customizable cache rules for flexibility


Flood Resiliency

Protect ISA Server from:
Worm propagation
SYN floods
Denials of service
Distributed DoS
HTTP bombing

In some cases, computers behind ISA are also protected, but this isn't the primary goal of the feature
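The two mechanisms the flood-resiliency slides name, a per-source connection quota ("worm protection through connection quotas") and log throttling of denied records (from the "Proxy server features" slide), shown together as an added example that is not part of the original deck. The quota of 50 connections per second per source, the 10-records-per-minute log limit, the addresses and the log line format are all constructed; ISA's real thresholds and log schema are not claimed here.

```python
"""Added example (not from the ISA Server deck): a per-source connection quota
with throttled logging of the resulting denied records, so that a flood cannot
exhaust the firewall through its own log and memory.  Thresholds, sources and
timings are constructed."""

from collections import defaultdict, deque


class FloodGuard:
    def __init__(self, max_conn_per_sec=50, log_window_sec=60.0, max_log_per_window=10):
        self.max_conn = max_conn_per_sec
        self.log_window = log_window_sec
        self.max_log = max_log_per_window
        self.recent = defaultdict(deque)     # src -> timestamps of connections in the last second
        self.denied = defaultdict(int)       # src -> total connections denied by the quota
        self.log_marks = defaultdict(deque)  # src -> timestamps of denied records actually written
        self.suppressed = defaultdict(int)   # src -> denied records counted but not written
        self.log = []                        # written records (constructed format)

    def on_connection(self, src: str, now: float) -> str:
        """Admit or deny one new connection from src at time `now` (seconds)."""
        window = self.recent[src]
        while window and now - window[0] >= 1.0:   # drop entries older than one second
            window.popleft()
        window.append(now)
        if len(window) <= self.max_conn:
            return "allow"
        self.denied[src] += 1
        self._record_denied(src, now)
        return "deny"

    def _record_denied(self, src: str, now: float) -> None:
        """Log throttling: at most max_log records per source per window; the rest are counted only."""
        marks = self.log_marks[src]
        while marks and now - marks[0] >= self.log_window:
            marks.popleft()
        if len(marks) < self.max_log:
            marks.append(now)
            self.log.append(f"{now:.3f} DENY src={src} reason=connection-quota denied_total={self.denied[src]}")
        else:
            self.suppressed[src] += 1


def simulate() -> dict:
    """Constructed traffic: a normal client opens 5 connections over half a second;
    an infected host opens 200 connections within 0.8 s."""
    guard = FloodGuard()
    for i in range(5):
        guard.on_connection("10.0.0.21", i * 0.1)
    for i in range(200):
        guard.on_connection("10.0.0.99", i * 0.004)
    return {
        "normal_denied": guard.denied["10.0.0.21"],
        "flood_denied": guard.denied["10.0.0.99"],
        "records_written": sum(1 for line in guard.log if "src=10.0.0.99" in line),
        "records_suppressed": guard.suppressed["10.0.0.99"],
    }


if __name__ == "__main__":
    for key, value in simulate().items():
        print(f"{key:<20} {value}")
```

The infected host gets its first 50 connections in the second and is refused the remaining 150, while only 10 of those refusals become log records; the other 140 are kept as a counter. The counter, not the record volume, is what an alert trigger should read, which is the point of throttling: the defence must not be defeatable by the flood it is measuring.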


Web Access Protection: Key Differentiating Points

Deep Content Inspects Actual Content of Traffic

Multi-network Architecture Eases Infrastructure Integration

Flexible SDK allows Easy Development of New Application Filters

CARP Provides High Performance for Caching

Easy-to-Use UI Makes Configuration Easier


Monitoring ISA Server 2006

MOM Management Pack
Health indicators
Knowledge from the designers


Monitoring and Alarming

Real-time Firewall Status

Alarming Mechanism


Report / Firewall Active Log

Detail Message

Scheduling

Browseable

Exportable


Summary

Firewall, VPN, Proxy
Application Publishing
Branch Office
Caching
Compression
Prioritizing of traffic