Securing the Perimeter – Exchange and VPN Access with ISA Server 2004
Jamie Sharp, CISSP, Security Advisor
Amit Pawar, National Technology Specialist, Microsoft Australia
Session Overview
Introduction to ISA Server 2004
Securing Access to Internal Servers
Implementing Application and Web Filtering
Securing Access to Exchange Server
Virtual Private Networking with ISA Server 2004

Introduction to ISA Server 2004
Securing the Network Perimeter: What Are the Challenges?
[Diagram: the Internet connecting the main office, a remote user, a business partner, a branch office and a wireless network]
Challenges include:
Determining proper firewall design
Access to resources for remote users
Effective monitoring and reporting
Need for enhanced packet inspection
Security standards compliance
Securing the Network Perimeter: What Are the Design Options?
[Diagram: three designs, bastion host, three-legged configuration and back-to-back configuration, showing where the Internet, the perimeter network, the Web server and the internal network sit in each]
Configuring ISA Server to Secure the Network Perimeter
Use ISA Server to:
Provide firewall functionality
Publish internal resources such as Web or Exchange servers
Implement multilayer packet inspection and filtering
Provide VPN access for remote users and sites
Provide proxy and caching services
[Diagram: ISA Server between the Internet and the LAN (users, servers, Exchange Server, Web server), with a remote user connecting over VPN]
ISA Server 2004 Default Configuration
The ISA Server default configuration blocks all network traffic between networks connected to ISA Server
No servers are published
Access rules include system policy rules and the default access rule
Only members of the local Administrators group have administrative permissions
Default networks are created
Caching is disabled
The Firewall Client Installation Share is accessible if installed
Configuring Access Rules
Types of access rule elements used to create access rules are:
Protocols
User sets
Content types
Schedules
Network objects
Access rules always define an action on traffic from a user, from a source, to a destination, with conditions:
Action: Allow or Deny
Traffic: protocol, IP port/type
User: user set
Source: source network, source IP
Destination: destination network, destination IP, destination site
Conditions: schedule, content type
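The access rule structure on this slide, and the "plan the access rule order" and "test access rules before deployment" advice that follows, can be exercised with a small model of an ordered rule base. The Python below is an added example, not part of the deck and not ISA Server's own engine: it evaluates constructed rules (first match wins, default rule denies) and shows how the same two rules give a different answer for the same request when their order is swapped. The network ranges, user set names, site names and the request objects are all constructed for the example.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Set, Tuple

# Constructed network objects standing in for ISA Server's Internal and
# External networks (example ranges, not from the deck).
INTERNAL = [ip_network("10.0.0.0/8")]
ANYWHERE = [ip_network("0.0.0.0/0")]


@dataclass
class Request:
    """One connection attempt, as the firewall sees it."""
    user: str            # user set the connecting account belongs to
    src_ip: str
    dst_ip: str
    protocol: str        # protocol definition name, e.g. "HTTP", "SMTP"
    dst_site: str = ""   # destination site, if the protocol carries one
    hour: int = 12       # hour of day, for schedule conditions
    content_type: str = ""


@dataclass
class AccessRule:
    """Action on traffic from user, from source, to destination, with conditions."""
    name: str
    action: str                                   # "Allow" or "Deny"
    protocols: Set[str]                           # {"*"} = all protocols
    users: Set[str] = field(default_factory=lambda: {"*"})
    sources: list = field(default_factory=lambda: list(ANYWHERE))
    destinations: list = field(default_factory=lambda: list(ANYWHERE))
    sites: Set[str] = field(default_factory=lambda: {"*"})
    hours: Set[int] = field(default_factory=lambda: set(range(24)))  # schedule
    content_types: Set[str] = field(default_factory=lambda: {"*"})

    def matches(self, r: Request) -> bool:
        def in_set(value: str, allowed: Set[str]) -> bool:
            return "*" in allowed or value in allowed

        def in_nets(addr: str, nets: list) -> bool:
            return any(ip_address(addr) in n for n in nets)

        return (in_set(r.protocol, self.protocols)
                and in_set(r.user, self.users)
                and in_nets(r.src_ip, self.sources)
                and in_nets(r.dst_ip, self.destinations)
                and in_set(r.dst_site, self.sites)
                and r.hour in self.hours
                and in_set(r.content_type, self.content_types))


# The default rule that closes every ISA Server policy: deny all traffic.
DEFAULT_RULE = AccessRule(name="Default rule", action="Deny", protocols={"*"})


def evaluate(rules: List[AccessRule], r: Request) -> Tuple[str, str]:
    """Walk the ordered rule base; the first matching rule decides."""
    for rule in rules:
        if rule.matches(r):
            return rule.action, rule.name
    return DEFAULT_RULE.action, DEFAULT_RULE.name


# Constructed policy: a Deny rule for one site placed before a broad Allow rule.
BLOCK_WEBMAIL = AccessRule(name="Block external webmail", action="Deny",
                           protocols={"HTTP", "HTTPS"}, sources=list(INTERNAL),
                           sites={"webmail.example"})
ALLOW_WEB = AccessRule(name="Allow web for employees", action="Allow",
                       protocols={"HTTP", "HTTPS"}, users={"Domain Users"},
                       sources=list(INTERNAL), hours=set(range(7, 20)))
POLICY = [BLOCK_WEBMAIL, ALLOW_WEB]        # intended order
MISORDERED = [ALLOW_WEB, BLOCK_WEBMAIL]    # same rules, wrong order

# Constructed test traffic from an internal client.
WEB = Request("Domain Users", "10.1.2.3", "203.0.113.10", "HTTP", "www.example.com", hour=9)
WEBMAIL = Request("Domain Users", "10.1.2.3", "203.0.113.20", "HTTPS", "webmail.example", hour=9)
SMTP = Request("Domain Users", "10.1.2.3", "203.0.113.30", "SMTP", hour=9)
LATE = Request("Domain Users", "10.1.2.3", "203.0.113.10", "HTTP", "www.example.com", hour=23)

if __name__ == "__main__":
    for label, req in [("web", WEB), ("webmail", WEBMAIL), ("smtp", SMTP), ("late", LATE)]:
        print(f"{label:8} intended={evaluate(POLICY, req)}  misordered={evaluate(MISORDERED, req)}")
```

Running the block shows the webmail request denied under the intended order and allowed under the misordered one, while SMTP and the out-of-hours request fall through to the default rule either way; that fall-through is the "secure by default" behaviour the session summary refers to.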
Implementing Network Templates to Configure ISA Server 2004
Deploy the Single Network Adapter template for Web proxy and caching only
Deploy the Edge Firewall template for a bastion host
Deploy the 3-Leg Perimeter template for a three-legged configuration
Deploy the Front End or Back End template for each firewall in a back-to-back configuration
[Diagram: bastion host, three-legged and back-to-back designs, showing the Internet, perimeter network, Web server and internal network placement for each]
Demonstration: Applying a Network Template
Use a network template to configure ISA Server 2004 as an edge firewall
Deploying ISA Server 2004: Best Practices
To deploy ISA Server to provide Internet access:
Plan for DNS name resolution
Create the required access rule elements and configure the access rules
Plan the access rule order
Implement the appropriate authentication mechanisms
Test access rules before deployment
Deploy the Firewall Client for maximum security and functionality
Use ISA Server logging to troubleshoot Internet connectivity issues
Securing Access to Internal Servers
What Is ISA Server Publishing?
ISA Server enables three types of publishing rules:
1. Web publishing rules for publishing Web sites using HTTP
2. Secure Web publishing rules for publishing Web sites that require SSL for encryption
3. Server publishing rules for publishing servers that do not use HTTP or HTTPS
Implementing ISA Server Web Publishing Rules
To create a Web publishing rule, configure:
Action
Name or IP address
Users
Traffic source
Public name
Web listener
Path mappings
Bridging
Link translation
Implementing ISA Server Secure Web Publishing Rules
To create a secure Web publishing rule:
Choose an SSL bridging mode or SSL tunneling
Install a digital certificate on ISA Server, on a Web server, or on both
Configure a Web listener for SSL
Configure a secure Web publishing rule
Demonstration: Configuring a Secure Web Publishing Rule
Configure a secure Web publishing rule to an internal Web server
Implementing Server Publishing Rules
To create a server publishing rule, configure:
Action
Traffic
Traffic source
Traffic destination
Networks
To enable secure server publishing, configure ISA Server to publish a secure protocol, and then install a server certificate on the published server
Implementing Application and Web Filtering
Firewall Requirements: Multiple-Layer Filtering
Packet filtering:
Filters packets based on information in the network and transport layer headers
Enables fast packet inspection, but cannot detect higher-level attacks
Stateful filtering:
Filters packets based on the TCP session information
Ensures that only packets that are part of a valid session are accepted, but cannot inspect application data
Application filtering:
Filters packets based on the application payload in network packets
Can prevent malicious attacks and enforce user policies
Use HTTP Web filtering to:
Filter traffic from internal clients to other networks
Filter traffic from Internet clients to internal Web servers
Implementing HTTP Web Filtering in ISA Server 2004
HTTP Web filtering can block HTTP packets based on:
Length of request headers and payload
Length of URL
HTTP request method
HTTP request file name extension
HTTP request or response header
Signature or pattern in the response header or body
HTTP Web filtering is rule-specific: you can configure different filters for each access or publishing rule
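The application-layer inspection described on the multiple-layer filtering slide and the blocking criteria listed here can be modelled as a per-rule filter applied to the raw request. The Python below is an added example, not code from the deck or from ISA Server: it parses a raw HTTP request and applies one filter for an outbound access rule (internal clients to other networks) and a different one for a publishing rule (Internet clients to an internal Web server), which is the rule-specific behaviour the slide describes. Signature matching is shown on the request side only; the same check applied to the response message covers the response header and body case. All hostnames, the `ExampleTunnel/` User-Agent signature and the sample requests are constructed for the example.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class HttpFilter:
    """Per-rule HTTP filter settings (a constructed model of the criteria
    on the slide, not ISA Server's own configuration format)."""
    max_headers_length: int = 32768       # request line plus headers, in bytes
    max_payload_length: int = 0           # 0 = no limit on the request body
    max_url_length: int = 10240
    allowed_methods: Set[str] = field(default_factory=lambda: {"GET", "HEAD", "POST"})
    blocked_extensions: Set[str] = field(default_factory=set)   # without the dot
    blocked_headers: Set[str] = field(default_factory=set)      # lower-case names
    signatures: List[Tuple[str, bytes]] = field(default_factory=list)  # (where, regex)


def parse_request(raw: bytes) -> Tuple[str, str, Dict[str, str], bytes, bytes]:
    """Split a raw request into method, URL, headers, head bytes and body bytes."""
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line, *header_lines = head.split(b"\r\n")
    method, url, _version = request_line.decode("latin-1").split(" ", 2)
    headers: Dict[str, str] = {}
    for line in header_lines:
        name, _, value = line.decode("latin-1").partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, url, headers, head, body


def inspect_request(f: HttpFilter, raw: bytes) -> Optional[str]:
    """Return None when the request passes the filter, else the block reason."""
    method, url, headers, head, body = parse_request(raw)
    if len(head) > f.max_headers_length:
        return "request headers too long"
    if f.max_payload_length and len(body) > f.max_payload_length:
        return "payload too long"
    if len(url) > f.max_url_length:
        return "URL too long"
    if method.upper() not in f.allowed_methods:
        return f"method {method} not allowed"
    last_segment = url.split("?", 1)[0].rsplit("/", 1)[-1]
    ext = last_segment.rsplit(".", 1)[1].lower() if "." in last_segment else ""
    if ext in f.blocked_extensions:
        return f"extension .{ext} blocked"
    for name in f.blocked_headers:
        if name in headers:
            return f"header {name} blocked"
    for where, pattern in f.signatures:
        target = head if where == "request headers" else body
        if re.search(pattern, target):
            return f"signature {pattern!r} matched in {where}"
    return None


# Filter attached to the outbound access rule: stop executable downloads and a
# (constructed) tunnelling client that identifies itself in the User-Agent header.
OUTBOUND = HttpFilter(blocked_extensions={"exe"},
                      signatures=[("request headers", rb"User-Agent: ExampleTunnel/")])

# Filter attached to the Web publishing rule: tighter URL length, no extension rules.
PUBLISHING = HttpFilter(max_url_length=2048, allowed_methods={"GET", "HEAD", "POST"})

# Constructed sample requests.
OK_REQ = b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
LONG_URL = b"GET /" + b"a" * 3000 + b" HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
EXE_REQ = b"GET /tools/setup.exe HTTP/1.1\r\nHost: files.example.com\r\n\r\n"
TUNNEL_REQ = (b"POST /relay HTTP/1.1\r\nHost: relay.example.net\r\n"
              b"User-Agent: ExampleTunnel/1.0\r\nContent-Length: 3\r\n\r\nabc")
TRACE_REQ = b"TRACE / HTTP/1.1\r\nHost: www.example.com\r\n\r\n"

if __name__ == "__main__":
    for label, req in [("ok", OK_REQ), ("long-url", LONG_URL), ("exe", EXE_REQ),
                       ("tunnel", TUNNEL_REQ), ("trace", TRACE_REQ)]:
        print(f"{label:9} outbound={inspect_request(OUTBOUND, req)!s:40} "
              f"publishing={inspect_request(PUBLISHING, req)}")
```

The same request can pass one rule's filter and be blocked by another's, which is why each access or publishing rule carries its own filter settings rather than one global list.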
Demonstration: Application Filtering in ISA Server 2004
Edit the default application filtering that is performed by ISA Server 2004
Securing Access to Exchange Server
Secure Client Access to Exchange Server Challenges
[Diagram: client types reaching Exchange through ISA Server: Outlook Mobile Access (XHTML, cHTML, HTML) and ActiveSync-enabled mobile devices over a wireless network; Outlook Web Access; Outlook using RPC; Outlook using RPC over HTTP; Outlook Express using IMAP4 or POP3; all connecting through the Exchange front-end server to the Exchange back-end servers]
Configuring RPC over HTTP Client Access
RPC over HTTP requires:
Exchange Server 2003 running on Windows Server 2003 and Windows Server 2003 global catalog servers
Outlook 2003 running on Windows XP
Windows Server 2003 server running RPC proxy server
Modifying the Outlook profile to use RPC over HTTP to connect to the Exchange server
To enable RPC over HTTP connections through ISA Server, use the Secure Web Publishing Wizard to publish the /rpc/* virtual directory
Configuring ISA Server for Outlook Web Access
To configure ISA Server to enable OWA access:
1. Use the Mail Server Publishing Wizard to publish the OWA server
2. Configure a bridging mode. For best security, secure the connection from client to ISA Server and from ISA Server to OWA server
3. Configure a Web listener for OWA publishing. Choose forms-based authentication for the Web listener
Forms-based authentication ensures that user credentials are not stored on the client computer; it can also be used to block access to attachments
Demonstration: Configuring Outlook Web Access
Configure an OWA publishing rule
Securing Access to Exchange Server: Best Practices
Enable Outlook RPC connections for pre–Exchange Server 2003 and Outlook 2003 environments
Use forms-based authentication on ISA Server for OWA
Implement RPC over HTTPS with SSL
Explore the use of additional ISA Server features to protect computers running Exchange Server
Consider third-party add-ons for ISA Server to protect computers running Exchange Server
Virtual Private Networking with ISA Server 2004
Virtual Private Networking: What Are the Challenges?
VPNs provide a secure option for communicating across a public network
VPNs are used in two primary scenarios:
Network access for remote clients
Network access between sites
VPN quarantine control provides an additional level of security by providing the ability to check the configuration of the VPN client machines before allowing them access to the organization’s network
Enabling Virtual Private Networking with ISA Server
ISA Server enables VPN access:
By including remote-client VPN access for individual clients and site-to-site VPN access to connect multiple sites
By enabling VPN-specific networks, including:
VPN Clients network
Quarantined VPN Clients network
Remote-site network
By using network and access rules to limit network traffic between the VPN networks and the other networks with servers running ISA Server
By extending RRAS functionality
Enabling VPN Client Connections
To enable VPN client connections:
Choose a tunneling protocol
Choose an authentication protocol; use MS-CHAP v2 or EAP if possible
Enable VPN client access in ISA Server Management
Configure user accounts for remote access
Configure remote-access settings
Configure firewall access rules for the VPN Clients network
Implementing Site-to-Site VPN Connections
To enable site-to-site VPN connections:
Choose a tunneling protocol
Configure the remote-site network
Configure network rules and access rules to enable either open communications between networks or controlled communications between networks
Configure the remote-site VPN gateway
How Does Network Quarantine Work?
[Diagram: ISA Server in front of a DNS server, Web server, domain controller and file server; a connecting VPN client is placed in the Quarantined VPN Clients network under the quarantine remote access policy, the quarantine script runs on the client and Rqc.exe reports the result to ISA Server, and the client is then moved to the VPN Clients network]
Implementing Network Quarantine
To implement quarantine control on ISA Server:
Enable quarantine control on ISA Server
Create and install a listener component
Configure network rules and access rules for the Quarantined VPN Clients network
Use CMAK to create a CM profile for remote-access clients
Create a client-side script that validates client configuration
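The quarantine flow on the two preceding slides (client lands in the Quarantined VPN Clients network, the client-side script runs, Rqc.exe notifies the listener, the client is moved to the VPN Clients network) can be followed end to end with a small state model. The Python below is an added example, not code from the deck, from ISA Server or from the Windows RQS/RQC components: the listener is modelled as accepting a script version string against an allowed set (an assumption made here; the real listener checks a version string sent by Rqc.exe), the quarantine timeout value and the per-network access rules are constructed, and the server names are placeholders for the servers shown in the diagram.

```python
from dataclasses import dataclass
from typing import Dict, Set

QUARANTINED = "Quarantined VPN Clients"
VPN_CLIENTS = "VPN Clients"

# Constructed access rules per VPN network. Quarantined clients only get what
# they need to pass the check (name resolution and the remediation Web server);
# released clients get the normal VPN Clients network access.
ACCESS_RULES: Dict[str, Set[str]] = {
    QUARANTINED: {"dns-server", "web-server"},
    VPN_CLIENTS: {"dns-server", "web-server", "domain-controller", "file-server"},
}

# Assumption of this example: the listener releases a client only when the
# reported script version is one it has been configured to accept.
ACCEPTED_SCRIPT_VERSIONS = {"corp-check-v3"}
QUARANTINE_TIMEOUT = 120   # seconds allowed to pass the check (constructed value)


@dataclass
class Session:
    client: str
    network: str = QUARANTINED   # every new VPN session starts quarantined
    elapsed: int = 0
    connected: bool = True


class QuarantineController:
    """Models ISA Server's side of quarantine control for VPN client sessions."""

    def __init__(self) -> None:
        self.sessions: Dict[str, Session] = {}

    def connect(self, client: str) -> Session:
        """VPN tunnel established: the client is placed in quarantine."""
        session = Session(client)
        self.sessions[client] = session
        return session

    def notify(self, client: str, script_version: str) -> bool:
        """Listener receives the Rqc.exe notification that the script passed.
        Returns True if the client was moved to the VPN Clients network."""
        session = self.sessions.get(client)
        if session is None or not session.connected:
            return False
        if script_version not in ACCEPTED_SCRIPT_VERSIONS:
            return False                      # unknown script: stay quarantined
        session.network = VPN_CLIENTS
        return True

    def tick(self, seconds: int) -> None:
        """Advance time; clients still quarantined at the timeout are dropped."""
        for session in self.sessions.values():
            if session.connected and session.network == QUARANTINED:
                session.elapsed += seconds
                if session.elapsed >= QUARANTINE_TIMEOUT:
                    session.connected = False

    def allowed(self, client: str, dest: str) -> bool:
        """Apply the access rules of the network the client currently sits in."""
        session = self.sessions.get(client)
        return bool(session and session.connected and dest in ACCESS_RULES[session.network])

    def network_of(self, client: str) -> str:
        session = self.sessions.get(client)
        return session.network if session and session.connected else "disconnected"


if __name__ == "__main__":
    qc = QuarantineController()
    qc.connect("laptop-1")
    print("quarantined, file server:", qc.allowed("laptop-1", "file-server"))
    print("released:", qc.notify("laptop-1", "corp-check-v3"))
    print("released, file server:", qc.allowed("laptop-1", "file-server"))
    qc.connect("laptop-2")
    qc.tick(QUARANTINE_TIMEOUT)
    print("laptop-2 after timeout:", qc.network_of("laptop-2"))
```

The point the model makes is the one on the best-practices slide that follows: the Quarantined VPN Clients network needs its own access rules, generous enough that the client can reach the resources it needs to meet the requirements, and nothing beyond that until the listener has released it.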
Configuring VPN Access Using ISA Server: Best Practices
Use the strongest possible authentication protocols
Enforce the use of strong passwords when using PPTP
Avoid the use of pre-shared keys for L2TP/IPSec
Configure access rules to control access for VPN clients and site-to-site VPN connections
Use access rules to provide quarantined VPN clients with the means to meet the security requirements
Session Summary
ISA Server 2004 is secure by default because it blocks all traffic; configure access rules to provide the fewest possible access rights
Many applications now use HTTP as a tunneling protocol; use HTTP filtering to block these applications
Implement ISA Server publishing rules to make internal resources accessible from the Internet
Implementing Outlook RPC publishing and RPC over HTTP publishing means that users can use Outlook from anywhere
Use access rules to limit access for VPN remote-access clients, site-to-site VPN clients, and network quarantine clients
ISA Server 2004 Resources
ISAServer.org – www.isaserver.org
FREE! TechNet Virtual Lab: ISA Server – http://www.microsoft.com/technet/traincert/virtuallab/isa.mspx
838709 How to use the ISA Server 2004 migration tool to migrate from ISA Server 2000 to ISA Server 2004
840697 ISA Server 2000 settings and features that are not supported when you migrate to ISA Server 2004
For More Information…
The official ISA Server site: www.microsoft.com/isaserver
A useful site with a wealth of information: www.isaserver.org
What Is TechNet? Put the right answers at your fingertips
The comprehensive collection of resources to help IT pros plan, deploy and manage Microsoft products successfully
TechNet Subscription: Comprehensive set of resources delivered reliably every month on CD or DVD – the trusted resource for guidance, tools and software to efficiently evaluate, deploy and support Microsoft technologies
TechNet Web Site: Accessible at www.microsoft.com/technet; online resources and community; subscriber-only online services
TechNet Flash: Biweekly e-newsletter; security updates, new resources, and special offers
TechNet Events and Webcasts: Briefings on the latest Microsoft products and technologies; hands-on, “how to” information
TechNet Communities: User groups; managed newsgroups
Connect with TechNet
Free Technical Briefings: www.microsoft.com/seminar/events
TechNet Webcasts: www.microsoft.com/webcasts
TechNet Flash Newsletter: www.microsoft.com/technet/flash
TechNet Online: www.microsoft.com/technet
Security Notification Service Sign-Up: www.microsoft.com/technet/security/signup/default.mspx
TechNet Subscription*: www.microsoft.com/technet/subscriptions
* Microsoft TechNet Subscription Giveaway
Complete the webcast survey to be entered to win a one year TechNet Plus subscription. See the official rules at http://www.microsoft.com/seminar/events/officialrules_1.mspx for details.
Microsoft’s TechNet programs provide IT professionals with high-quality, how-to information and resources to efficiently evaluate, deploy, maintain and support their Microsoft technology. To learn more, subscribe, or attend a free briefing, please visit:
Questions and Answers
Submit text questions using the “Ask a Question” button
Don’t forget to fill out the survey
For upcoming webcasts and recordings of previous webcasts: www.microsoft.com/webcasts
Have webcast content ideas? Send us e-mail at: [email protected]