Microsoft’s Goals
Security is a top priority for Microsoft, and we are committed to helping our customers protect their intellectual property and data
Remediation
Innovation
• Approximately 70 percent of all Web attacks occur at the application layer – Gartner
• From 2000 to 2002 reported incidents rose from 21,756 to 82,094 – CERT, 2003
• Nearly 80 percent of 445 respondents surveyed said the Internet has been a frequent point of attack, up from 57 percent just four years ago – CSI/FBI Computer Crime and Security Survey
Security Issues Today
At Risk
The Soft Underbelly
Customer Impact
Application Layer Attacks
• Identity Theft
• Web Site Defacement
• Unauthorized Access
• Modification of Data, Logs and Records
• Theft of Proprietary Information
• Service Disruption
Implications
Compliance: Sarbanes Oxley, Gramm Leach Bliley, US Patriot, HIPAA, The Privacy Act (CA)
Litigation: File Sharing, Piracy, HR Issues, Shareholder Suits
Security - Defense In Depth
• Data and Resources
• Application Defenses
• Host Defenses
• Network Defenses
• Perimeter Defenses
Assume prior layers fail
Perimeter Defenses: Packet Filtering, Stateful Inspection of Packets, Intrusion Detection
Network Defenses: VLAN Access Control Lists, Internal Firewall, Auditing, Intrusion Detection
Host Defenses: Server Hardening, Host Intrusion Detection, Auditing
Application Defenses: Validation Checks, Verify HTML / Cookies Source, Secure IIS
Data and Resources: Databases, Network Services and Applications, File Shares
TWC At The Perimeter
Security in depth begins at the perimeter
• Limits access from outside to known ports
• Blocks reconnaissance
• Blocks casual trespass
• The central place to enforce network policy
Privacy in depth ends at the perimeter
• Can block known ports used by Trojans
Reliability enabled at the perimeter
• Keeps DoS attacks on the “outside”
• Manages network load with proxy cache
Integrity enabled at the perimeter
• VPN termination creates “virtual” company network
Traditional Firewalls
Wide open to advanced attacks
• Code Red, Nimda
• SSL-based attacks
Performance vs. security tradeoff
• Bandwidth too expensive
• Too many moving parts
Limited capacity for growth
• Not easily upgradeable
• Don’t scale with business
Hard to manage
• Security is complex
• IT already overloaded
Perimeter Security Evolution
• Wide open to advanced attacks → Application-level protection
• Performance vs. security tradeoff → Security and performance
• Limited capacity for growth → Extensibility and scalability
• Hard to manage → Easier to use
Introducing: ISA Server 2004
“The advanced application layer firewall, VPN and Web cache solution that enables customers to maximize IT investments by improving network security & performance”
• Advanced protection
• Fast, Secure Access
• Ease of use
Microsoft ISA Server 2004
What it is: Multi-layer firewall, VPN and Web cache solution
What it does: Secures the network edge with advanced application-layer protection
Key Features:
• Application-aware intelligent security with stateful inspection protects against the latest types of threats
• Easy to use and rich management tools reduce TCO and help prevent firewall misconfiguration
• An integrated solution that enables diverse deployment scenarios with secure anytime / anywhere access to applications and data
• Enhances user productivity with fast web access, protects network infrastructure investments
Microsoft ISA Server 2004: Next-generation security
• Application-aware
• Simplified management
• Integrated solution
• Enables diverse scenarios
New features
• Multi-layer protection
• All-new user interface
• Secure, fast access to business applications
• Government certification
Application Layer Filtering
Modern threats call for deep inspection
• Protects network assets from exploits at the application layer: Nimda, Slammer...
• Provides the ability to define a fine-grained, application-level security policy
• Best protection for Microsoft applications
Application filtering framework
• Built in filters for common protocols: HTTP, SMTP, RPC, FTP, H.323, DNS, POP3, Streaming media
• Scenario-driven design
• Extensible plug-in architecture
Industry-Leading Performance
• Optimized performance architecture
• Industry-leading application filtering performance
• Optimized for real life usage scenarios
• Scale up with additional CPUs
[Chart: Network Computing magazine application-level firewalls review (3/03), full inspection performance in Mbps: Symantec FW 7.0 at 67; Sidewinder, Checkpoint NG FP3 and ISA 2000 FP1 with bars at 122, 127 and 170]
[Chart: raw throughput performance: ISA 2000 (Dec 2000) 282 Mbps; ISA 2004 (Today) 1.59 Gbps, * beta results]
How?
• Design improvements
• IP Stack improvements
• Hardware improvements
Ease of Use
Unified firewall policy
• Keeps administration costs low
Simplified administration tools
• Reduces training costs
Task-Based Administration
• All tools for common tasks in one place
• Reduced risk of misconfiguration
Monitoring and Reporting
• Real-time monitoring for troubleshooting
• Variety of report formats summarizes Internet activity and performance
Adjusts to Network Changes
• Flexibility to support most network types
• Templates simplify many deployments
• Fast, easy deployment
Network Design
• Any number of networks
• Packet filtering on all interfaces
• NAT or routing between networks
• VPN as network
• Local host as network
• Per-network policies
• Any topology, any policy
[Diagram: ISA 2004 connecting CorpNet_1 … CorpNet_n, Net A, the Internet, VPN, DMZ_1 … DMZ_n and the Local Host network]
Comprehensive Protection
Filtering at all levels
[Diagram: the ISA Server stack above TCP/IP, with the Policy Engine reading the Local Policy Store and the Enterprise Policy Store (EE)]
1 Packet layer filtering: Firewall Engine
2 Protocol layer filtering: Firewall Service
3 Application layer filtering: Application Filters, Web Proxy Filter and Web Filters
Extensibility
[Diagram: NDIS and the IP Stack feed the Firewall Engine; the Firewall Service with its Policy Engine exposes an Application Filter API hosting Application Filters, and the Web Proxy Filter exposes a Web Filter API hosting Web Filters]
Firewall Policies
Flexible Rule Structure: action on traffic from user from source to destination with conditions
• Action: Allow / Deny
• User: User / Group
• Source: Source network, Source IP address
• Destination: Destination network, Destination IP address, Destination site, Published server, Published Web site
• Protocol: IP Port / Type
• Conditions: Schedule, Filtering properties
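The rule shape above, and the per-network policies of the Network Design slide, as an added illustration that is not ISA Server code: networks are named sets of address ranges (the names, ranges, users and rules here are constructed), rules are evaluated in order, and the first match decides, with no match meaning Deny.

```python
# Added illustration, not ISA Server code: a toy evaluator for the rule shape
# "action on traffic from user from source to destination with conditions".
# Network names, address ranges, users and rules are constructed for the example.
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Constructed networks: each name owns address ranges; "External" is the
# catch-all (0.0.0.0/0), so the most specific containing network must win.
NETWORKS = {
    "Internal": [ip_network("10.0.0.0/8")],
    "DMZ_1": [ip_network("192.0.2.0/24")],
    "Local Host": [ip_network("127.0.0.0/8")],
    "External": [ip_network("0.0.0.0/0")],
}

def network_of(addr: str) -> str:
    """Map an address to the most specific constructed network containing it."""
    ip = ip_address(addr)
    best = ("External", -1)
    for name, ranges in NETWORKS.items():
        for net in ranges:
            if ip in net and net.prefixlen > best[1]:
                best = (name, net.prefixlen)
    return best[0]

@dataclass
class Packet:
    user: str       # authenticated user or group, or "anonymous"
    src: str        # source IP address
    dst: str        # destination IP address
    protocol: str   # e.g. "TCP"
    port: int
    hour: int       # hour of day, evaluated against schedule conditions

@dataclass
class Rule:
    action: str                                            # "Allow" or "Deny"
    users: set = field(default_factory=lambda: {"*"})      # "*" means any
    src_nets: set = field(default_factory=lambda: {"*"})
    dst_nets: set = field(default_factory=lambda: {"*"})
    protocols: set = field(default_factory=lambda: {"*"})  # "TCP/443" style
    hours: tuple = (0, 24)                                 # schedule [start, end)

    def matches(self, p: Packet) -> bool:
        proto = f"{p.protocol}/{p.port}"
        return (("*" in self.users or p.user in self.users)
                and ("*" in self.src_nets or network_of(p.src) in self.src_nets)
                and ("*" in self.dst_nets or network_of(p.dst) in self.dst_nets)
                and ("*" in self.protocols or proto in self.protocols)
                and self.hours[0] <= p.hour < self.hours[1])

def evaluate(rules: list, p: Packet) -> str:
    """Ordered evaluation: the first matching rule decides; no match means Deny."""
    for r in rules:
        if r.matches(p):
            return r.action
    return "Deny"

# Constructed ordered policy: protect Local Host first, then scheduled web access
# for internal users, then a published HTTPS server in DMZ_1.
POLICY = [
    Rule("Deny", src_nets={"External"}, dst_nets={"Local Host"}),
    Rule("Allow", users={"Domain Users"}, src_nets={"Internal"},
         dst_nets={"External"}, protocols={"TCP/80", "TCP/443"}, hours=(8, 18)),
    Rule("Allow", src_nets={"External"}, dst_nets={"DMZ_1"}, protocols={"TCP/443"}),
]
```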
Such As…
• Secure e-mail access via the Internet
• Enable web applications on the Internet
• Secure partner connectivity
• Secure remote access
• Remote branch office
• Rich internet access policies
• Fast user web access
• Protect users from malicious traffic
Controlling E-Mail Traffic
The challenges of controlling e-mail traffic:
• VPN? Outlook? OWA? IMAP4? POP3?
• Malformed SMTP, malicious attachments
ISA Server helps protect mail servers:
• Easy configuration of client access using a wizard
• Support for all major mail protocols
• Content filtering of SMTP-based e-mail
• Support for Outlook Web Access (OWA): content inspection, attachment blocking, strong authentication
Outlook Client Access
The challenge of providing access for Outlook clients:
• RPC cannot pass securely across traditional firewalls because it requires secondary ports
ISA Server helps secure RPC traffic:
• Application-layer filtering allows only traffic that is negotiated between client and server
• ISA Server can enforce RPC encryption
[Diagram: RPC client (Outlook) talks to RPC server (Exchange); the server maintains a table of RPC services]
Service / UUID / Port
Exchange / {12341234-1111-2222-3333-aabbcc… / 4402
AD replication / {01020304-4444-5555-6666-ddeeff-… / 3544
MMC / {19283746-7777-8888-9999-gghhii-… / 9233
Client (TCP 135): Port for {12341234-1111-2222-3333-11bb... ?
Server: Port 4402
Client: Data Exchange over port 4402
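The negotiated-port behaviour from the exchange above, as an added illustration that is not ISA Server code: a stateful filter watches the endpoint-mapper lookup on TCP 135 and then admits a data connection only on the port the server returned to that client. The exchange is modelled by method calls rather than the DCE/RPC wire format; addresses are constructed and the UUIDs are kept as truncated on the slide.

```python
# Added illustration, not ISA Server code: a stateful filter modelling the
# "allow only what client and server negotiated" behaviour described above.
# The endpoint-mapper exchange is represented by plain method calls, not the
# real DCE/RPC wire format; addresses and the service table are constructed.
from dataclasses import dataclass, field

EPM_PORT = 135   # endpoint mapper: the only RPC port that is open statically

# Server-side table of RPC services, with the UUIDs as truncated on the slide.
RPC_SERVICES = {
    "{12341234-1111-2222-3333-aabbcc…": ("Exchange", 4402),
    "{01020304-4444-5555-6666-ddeeff-…": ("AD replication", 3544),
    "{19283746-7777-8888-9999-gghhii-…": ("MMC", 9233),
}

@dataclass
class RpcFilter:
    published: set                                   # interfaces allowed through
    pending: dict = field(default_factory=dict)      # (client, server) -> uuid asked
    negotiated: set = field(default_factory=set)     # (client, server, port) allowed

    def epm_request(self, client, server, uuid):
        """Client asks the endpoint mapper (TCP 135) for an interface's port."""
        if uuid not in self.published:
            return "Deny"        # interface is not published: stop the lookup
        self.pending[(client, server)] = uuid
        return "Allow"

    def epm_response(self, client, server, uuid, port):
        """Server answers with the dynamic port; record it for this pair only."""
        if self.pending.get((client, server)) != uuid:
            return "Deny"        # answer without a matching outstanding request
        del self.pending[(client, server)]
        self.negotiated.add((client, server, port))
        return "Allow"

    def connect(self, client, server, port):
        """A data connection passes only on a port this client negotiated."""
        if port == EPM_PORT:
            return "Allow"
        return "Allow" if (client, server, port) in self.negotiated else "Deny"

def server_lookup(uuid):
    """What the RPC server's table returns for a requested interface."""
    return RPC_SERVICES[uuid][1] if uuid in RPC_SERVICES else None

def outlook_session(f, client="198.51.100.7", server="10.0.0.5"):
    """Replay the slide's exchange: lookup over TCP 135, then data on 4402."""
    uuid = "{12341234-1111-2222-3333-aabbcc…"
    decisions = [f.connect(client, server, EPM_PORT),
                 f.epm_request(client, server, uuid)]
    port = server_lookup(uuid)
    decisions.append(f.epm_response(client, server, uuid, port))
    decisions.append(f.connect(client, server, port))
    return decisions, port
```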
Blocking Web Server Attacks
[Diagram: Internet → ISA Server → Web servers]
The challenge of securing Web servers:
• Web servers are under constant attack from the Internet
• Most of today’s attacks against Web servers are contained in HTTP requests
ISA Server blocks attacks before they reach Web servers:
• Application-layer filtering inspects the content of HTTP requests and responses
• Administrator-defined filters can block virtually any traffic pattern while allowing legitimate traffic
Blocking Embedded Protocols: HTTP deep content inspection example
[Diagram: P2P, IM and tunneling software traffic from an internal user passes a conventional firewall to the Internet but is stopped by ISA Server 2004]
In the beginning…
• P2P apps used fixed ports; your firewall can block fixed ports
• Admins had granular control of their networks’ traffic
Applications got smarter…
• Applications started to use the HTTP protocol as a transport protocol
• While good for users, administrators lost granular control of their networks
ISA Server 2004 gives you back that control
• The deep HTTP protocol inspection blocks tunneled traffic at the edge
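The two preceding slides (administrator-defined filters on HTTP requests, and blocking applications tunnelled inside HTTP) as one added illustration, not ISA Server's own HTTP filter: a request inspector that parses a raw request and applies a constructed policy of method allow-listing, URL length, blocked path extensions and header signatures. The policy values, the `ExampleP2P` / `ExampleIM` / `X-Tunnel-Proto` signatures and the sample requests are constructed.

```python
# Added illustration, not ISA Server's HTTP filter: a small request inspector
# applying administrator-defined rules of the kinds described above. The policy,
# the tunnelling-app signatures and the sample requests are constructed.
import re

# Constructed policy for one published Web server.
POLICY = {
    "allowed_methods": {"GET", "HEAD", "POST"},
    "max_url_length": 260,
    # request-path extensions never served by this site (.ida is the ISAPI
    # extension Code Red abused)
    "blocked_extensions": {".exe", ".dll", ".ida"},
    # header name plus value pattern identifying a constructed P2P/IM client
    # or tunnelling tool wrapping its own protocol in HTTP
    "blocked_signatures": [("User-Agent", re.compile(r"ExampleP2P/|ExampleIM/")),
                           ("X-Tunnel-Proto", re.compile(r"."))],
    "require_host": True,
}

def parse_request(raw: bytes):
    """Split a raw request into (method, target, version, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3:
        raise ValueError("malformed request line")
    method, target, version = parts
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep or not name.strip():
            raise ValueError("malformed header")
        headers[name.strip().lower()] = value.strip()
    return method, target, version, headers, body

def inspect(raw: bytes, policy=POLICY) -> str:
    """Return 'allow' or 'block: <reason>' for one request, failing closed."""
    try:
        method, target, version, headers, body = parse_request(raw)
    except ValueError as e:
        return f"block: {e}"
    if not version.startswith("HTTP/1."):
        return "block: unsupported version"
    if method not in policy["allowed_methods"]:
        return f"block: method {method}"
    if len(target) > policy["max_url_length"]:
        return "block: URL too long"
    path = target.split("?", 1)[0].lower()
    for ext in policy["blocked_extensions"]:
        if path.endswith(ext):
            return f"block: extension {ext}"
    if policy["require_host"] and "host" not in headers:
        return "block: missing Host header"
    for name, pattern in policy["blocked_signatures"]:
        value = headers.get(name.lower())
        if value is not None and pattern.search(value):
            return f"block: signature in {name}"
    return "allow"
```

With SSL bridging in front of it, the same checks run on the decrypted request before it is forwarded to the Web server.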
Inspecting Encrypted Traffic
The challenge of encrypted Web traffic:
• Traffic to Web servers must be encrypted to ensure confidentiality, but encrypted traffic bypasses firewall inspection
ISA Server SSL Bridging
• SSL traffic to your Web server is encrypted across the Internet, ensuring confidentiality
• ISA Server decrypts the traffic, performing application-layer inspection to help secure the Web server
• ISA Server forwards allowed traffic to Web server
[Diagram: a traditional firewall passes SSL straight through from the Internet to the Web server; with ISA Server the Internet leg is SSL and the ISA Server to Web Server leg is SSL or HTTP]
VPN Access
The challenge of providing VPN access:
• Configuring secure remote access is time-consuming, difficult and expensive. Remote clients extend the perimeter of the corporate network.
VPNs with ISA Server
• Client or site-to-site VPN connections
• Utilizes VPN features in Windows Server 2003
• Supports PPTP and L2TP/IPsec, IPsec Tunnel Mode
• Integration with third-party VPN servers
• Full integration with firewall policy
• Easy configuration using wizards
• Network quarantine
Accelerating Internet Access
The challenge of providing fast Internet access:
• Insufficient bandwidth hampers productivity, providing more bandwidth is expensive
ISA Server accelerates access to Web content and decreases bandwidth needs:
• Web caching keeps local copies of Web content
• Serving content from the cache accelerates responses to user requests and saves bandwidth
• No configuration required, but extensive customization possible, if desired
[Diagram: three GET www.microsoft.com requests (1, 2, 3) from Client and Client 2 pass through ISA Server toward the Internet]
Integrated Solution
Enterprise-class features for any business: Realize savings through integration
• One-stop solution for Internet access
• Firewall, access control, caching, publishing, and VPN in a single component
• Centralized administration
• Full logging and extensive reporting
• Real-time monitoring
Call to Action
• No IIS, Exchange or SQL Server deployment is complete without Microsoft ISA Server
• Protect your network from the Internet and accelerate Internet access
• Save time and resources by securely connecting any size office to the Internet
• Trust a firewall with an excellent track record
Reasons to Upgrade
Improve on Microsoft Internet Security and Acceleration Server 2000
Advanced application-layer protection
Improved ease of use
High performance
• Multiple network support
• New policy model
• Application-layer filtering
• Better performance
• Integrated policy enforcement for VPN clients
• VPN client quarantine
• Support for more protocols
• Packet filtering on all interfaces
• Better RPC publishing
• New authentication options
• Real-time monitoring
• Easier administration tools
Summary: ISA Server 2004 Delivers
Next-generation edge security
• Application-aware
• Integrated solution
• Simplified management
• Enables diverse scenarios
Key features
• Multi-layer protection
• Secure access to business applications
• Simplified management