
Internship report about Research and deployment ISA Server 2006


INTERNSHIP REPORT.

By

VÕ VĂN VƯƠNG VŨ

School of Computer Science and Engineering.

International University, VNU-HCM.

September 2014

Organization/Company: Athena Network Security Center.

Duration of the internship: 8 weeks (8-7-2014 to 5/09/2014).

Supervisors during the internship: Mr Võ Đỗ Thắng.

Position: Director of Athena.

Address: 92 Nguyen Dinh Chieu Street, District 1, HCMC, Vietnam.

Tel: 08 3910 4925

Fax: 08 3910 4926

Email: [email protected]


A photo with Mr Vo Do Thang.


ACKNOWLEDGMENTS

To complete the internship, I would like to sincerely thank Athena for creating the conditions for students to have a suitable working environment.

I would like to express my honor to Mr Võ Đỗ Thắng (Director of Athena Network Administration and Security Center), who is the manager of Athena and also my supervisor. He gave me a chance to apply what I have learned to real situations.

I want to thank all my teachers at the School of Computer Science and Engineering who taught me and provided me with knowledge during 4 years. Until now, this knowledge has given me the abilities and skills that supported me during the internship. I would like to thank Mr. Tran Manh Ha. He helped me with introductions to many companies and provided information about the internship.

In addition, thanks to another student for helping me at the center during practice. The siblings of the company employees have enthusiastically helped new students to complete this internship program.

TABLE OF CONTENTS.

I. DESCRIPTION OF ATHENA

1. The Implement and The Development of ATHENA.

2. Main activities.

3. Services.

II. SUMMARY OF THE INTERNSHIP

III. PLANNING

IV. INTERNSHIP ACTIVITIES AND ACHIEVEMENTS

V. INTERNSHIP ASSESSMENT

VI. REFERENCES

I. DESCRIPTION OF ATHENA:

1. The Implement and The Development of ATHENA.

The International Training Center of Network Administration Network Security ATHENA was established in 2004. It is an organization that gathers many young Vietnamese intellectuals who are energetic, enthusiastic and experienced in the IT field, and who contribute with enthusiasm to the process of promoting information technology as a key economic sector, contributing to the country's development.

The headquarters of Athena is located in Hồ Chí Minh City.

Contact address: 92 Nguyễn Đình Chiểu St, Đakao ward, Dist 1, HCM city

Phone number: (08)38244041 - 090 78 79 477 - 094 323 00 99

Email: [email protected] - [email protected]

Website: http://athena.edu.vn

The organization branch is located in Hồ Chí Minh City.

Contact address: 2 Bis Đinh Tiên Hoàng, Đakao ward, Dist 1, HCM city

Phone number: (08)22103801 - 094 320 00 88

Email: [email protected] - [email protected]

2. Main activities.

Athena focuses on intensive training in network administration, network security and e-commerce, following the international standards of popular companies like Microsoft, Cisco, Oracle, Linux LPI, CEH... Besides that, Athena also has other premium training programs that follow the orders of the Ministry of National Defence, the Ministry of Public Security, banks, companies, government companies and financial institutions.

After 10 years from the beginning, many students have graduated from Athena and become experts in network administration and security for government bodies like the Ministry of National Defence and the Ministry of Public Security.

Besides training programs, Athena also has some cooperative IT programs with many universities like Ho Chi Minh City University of Technology, VNISA, …

3. Services.

Ensuring careers for graduates:

- Introduce suitable jobs to all students.

- Good students will have the chance to get a salary during their internship.

- Indefinite technical support in all fields related to computers, computer networks and network security.

- Support for international certification exams.

II. SUMMARY ABOUT THE INTERNSHIP.

In 8 weeks of the internship I have to complete many activities:

1) Install ISA Server 2006

- Install ISA Server 2006.

- Create access rule.

- Template.

- Server Publishing – Config.

- Server Publishing – HTTP, HTTPS.

- VPN Client to Gateway.

- VPN Gateway to Gateway.

- Caching

2) Installing and Running on VPS.

- Install Web server.

- Installing ISA Server on VPS.

- Create access rule to manage and secure Web server.

III. PLANNING.

Content | Comment

Week 1 | At Athena, get to know my supervisor, receive work and schedule. Start my work: research and deployment of ISA Server 2006.

Week 2 | Start creating Access Rules.

Week 3 | Create Access Rule, Application & Web Filter.

Week 4 | Server Publishing, DNS Publishing, Mail Exchange Publishing, OWA, HTTP, HTTPS.

Week 5 | VPN, Caching.

Week 6 | Deployment on VPS.

Week 7 | Complete and submit report.

IV. INTERNSHIP ACTIVITIES AND ACHIEVEMENTS:

1) Introduction and the need for ISA Server 2006.

The rise in the prevalence of computer viruses, threats, and exploits on the Internet has made it

necessary for organizations of all shapes and sizes to reevaluate their protection strategies. No

longer is it possible to ignore or minimize these threats because the damage they can cause can

cripple a company's business functions. A solution to the increased sophistication and

pervasiveness of these viruses and exploits is becoming increasingly necessary.

Corresponding with the growth of these threats has been the development and maturation of the

Internet Security and Acceleration (ISA) Server product from Microsoft. The latest release of the

product, ISA Server 2006, is fast becoming a business-critical component for many organizations

who are finding that many of the traditional packet-filtering firewalls and technologies don't

necessarily stand up to modern threats. The ISA Server 2006 product provides for that higher

level of application security required, particularly for common tools such as Outlook Web

Access (OWA), SharePoint Products and Technologies, and web applications.

2) Detailing the Additional Advantages of ISA Server.

In addition to being a fully functional firewall solution, ISA Server contains a host of other

security and productivity features. ISA Server is often deployed for other nonfirewall tasks such

as Virtual Private Network (VPN) access, web caching, and intrusion detection.

Allowing for More Intelligent Remote Access with Virtual Private Networks (VPNs)

In addition to having robust firewall capabilities, ISA Server is also a fully capable Virtual


Private Network (VPN) solution. Built into the functionality of the product, VPN capabilities

allow trusted users that exist outside a network to authenticate with ISA Server and gain elevated

access to internal network resources. In addition to authenticating against Active Directory

domains, ISA Server 2006 can utilize RADIUS (Remote Authentication Dial-In User Service) to

authenticate users.

An added advantage to the Virtual Private Network support in ISA Server 2006 is the capability

to treat VPN users as a separate network. This allows for a more granular policy control.

Using Web Caching to Improve and Control Web Browsing.

The acceleration portion of the Internet Security and Acceleration product refers to ISA

Server's capability to act as a proxy for network clients, caching commonly used web sites and

their associated graphics, text, and media, and serving them up to end users more quickly than if

they had to access the content across the Internet. An additional benefit to this approach is the

fact that all outbound web and FTP traffic is then scanned by ISA for threats, exploits, and

restricted content. ISA has long been a product of choice for those seeking web-caching

capabilities. In fact, the previous iteration of the product, Microsoft Proxy Server, was primarily

used for that capability by itself in many organizations. ISA Server 2006 caching builds upon

this success by further improving the system's caching capabilities. Utilizing the caching

capabilities of ISA Server 2006 is a straightforward and easy-to-deploy method of getting more

bandwidth out of an Internet connection. In addition to the capability to cache requests made to

web and FTP sites, ISA Server also provides for the capacity to provide commonly used content

from web sites for caching by downloading it on a regular basis. Content download rules can be


set up easily to update the cache on a regular basis for sites that administrators designate. This

concept can further improve the speed and reliability of web and FTP browsing.

3) The History of ISA Server 2006

- ISA Server 2000

Although Proxy Server 2.0 provided for a wide array of security features, it did not enjoy broad

industry acceptance as a security device for one reason or another. Microsoft wanted to focus

more attention on the product's security capabilities, so it added more to the 3.0 version, and

rebranded it as the Internet Security and Acceleration (ISA) Server 2000. This rebranding

directed attention to its security capabilities, while still giving a nod to the web acceleration

component, the caching capabilities. ISA Server 2000 introduced an impressive new array of

features, nearly all of which focused on turning it into a full-functioned security device. This

version of the product was the first that marketed it as a firewall by and of itself. It was this claim

that was greeted with skepticism by the security community, given the somewhat shaky track

record that Microsoft products had at that time. The politics of the security community being

what they were, ISA Server 2000 faced an uphill battle for acceptance. In addition, deficiencies

such as the lack of multi-network support, confusing firewall rules, and a haphazard interface

limited the large-scale deployment of ISA 2000.

- ISA Server 2004.

While ISA Server 2000 was slowly gaining ground, the ISA Server team started work on the

next version, code-named Stingray. The result of this project was the product released as the

Internet Security and Acceleration Server 2004. This version of ISA was vastly improved over

the previous versions of the product, and it quickly became noticed in the wider security


community. In addition to fine-tuning and honing the capabilities it inherited from ISA Server

2000, ISA Server 2004 introduced a wide variety of new and improved security features that

further extended its capabilities. ISA Server 2004 was originally released with only a standard

edition of the product. The Enterprise edition debuted the following year, expanding upon ISA’s

capabilities even further. Finally, predating the release of ISA Server 2006, Service Pack 2 for

ISA Server 2004 added many of the same pieces of functionality recently included in ISA Server

2006, such as HTTP compression support, DiffServ, and other enhancements.

- ISA Server 2006.

Microsoft released the next interim build of ISA Server 2004 as a new generation and relabeled it

as ISA Server 2006. This version is similar in many ways to ISA Server 2004, with specific

enhancements made to several key areas. In a way, it really can be thought of as ISA Server 2004

Service Pack 3, but instead it has been relabeled. The learning curve between ISA 2004 and ISA

2006 is not steep, however, and administrators familiar with ISA 2004 will immediately be

familiar with the 2006 model. That said, the evolution of the ISA Server 2006 product to the spot

that it inhabits today is impressive. What's extremely important to note about ISA Server 2006 is

that it is one of the first security products released by Microsoft that has really been taken

seriously by the broader Internet Security community. ISA Server 2006 is a full-fledged Internet

firewall, with Virtual Private Network (VPN) and web-caching capabilities to boot. The debate

between pro-Microsoft and anti-Microsoft forces is far from over, but politics aside, the product

that has been released is an impressive one.

- ISA Server 2006’s New Features

Multiple network support and per-network policies.


Support for complex and customizable protocols.

New server and OWA publishing rules.

Remote Procedure Call (RPC) filtering support.

End-to-end secure web publishing capabilities.

RADIUS and SecurID authentication support.

Stateful inspection for VPN connections.

VPN quarantine control features.

Enhanced monitoring, logging, and reporting.

Forms-based authentication for all web sites.

Enhanced branch office support tools.

- Choosing Between ISA Server 2006 Enterprise or Standard Editions.

ISA Server 2006 comes in two versions: an Enterprise version and a Standard version. Each

version offers different functionality, with the Standard version of the product geared toward

small and mid-sized organizations, and the Enterprise version designed for medium to large

organizations. The Enterprise version of the software includes all the functionality of the

Standard edition, but with the addition of the following:

Array Capabilities—ISA Server 2006 Enterprise edition includes the capability to create

arrays, which allow multiple servers connected to the same networks to act in tandem to

process firewall, VPN, and cache requests. These arrays use the Cache Array Routing

Protocol (CARP) to communicate changes and topology information.

Integrated Network Load Balancing (NLB)—In addition to the general NLB support

provided by the Standard version, the Enterprise version of ISA Server includes advanced


integrated support for NLB, allowing an administrator to make changes and manage NLB

directly from the ISA Management Console.

ADAM Centralized Storage—A huge improvement over ISA Server 2000 Enterprise

edition is the added capability for Enterprise Configuration information to be stored in a

separate instance of Active Directory in Application Mode (ADAM), rather than in the

internal Active Directory forest schema. This enables the external-facing ISA Enterprise

servers to maintain their configuration in an isolated environment, without unnecessarily

exposing internal Active Directory services to attack.

Centralized Management and Monitoring—ISA Server Enterprise edition allows for

management of a highly scalable ISA solution, with multiple ISA arrays in multiple

locations. This allows for centralized management of a complex network infrastructure.

- Installing ISA Server 2006.

Figure 1: Model of ISA.

Install ISA Server 2006.

Step 1: Click Install ISA Server 2006.

Step 2: Click Next.

Step 3: Select I accept the terms in the license agreement, and click Next.

Step 4: Fill in User Name and Organization, and click Next.

Step 5: Select Typical and click Next.

Step 6: Click Add and select Network Adapter.

Step 7: Click OK.

Step 8: Click Next.

Step 9: Click Next.

Step 10: Click Install to start installing ISA Server.

Step 11: After the installation finishes, click Finish.

ACCESS RULE

1. Definition:

Access rules determine how clients on a source network access resources on a destination

network.

You can configure access rules to apply to all IP traffic, to a specific set of protocol

definitions, or to all IP traffic except selected protocols.

ISA Server includes a list of preconfigured, well-known protocol definitions, including the

Internet protocols that are most widely used. You can also add or modify additional

protocols.

When a client requests an object, ISA Server checks the access rules. A request is processed

only if an access rule specifically allows the client to communicate using the specific

protocol and also allows access to the requested object.

Controlling Internet access depends primarily on the design and order of access rules.

After you create an access rule, you can view and edit all of its properties by double-clicking

the rule in the Firewall Policy details pane. One of these properties is HTTP policy, in which

you can configure HTTP settings for requests that match a specific allow access rule. You

can also access HTTP policy settings by right-clicking a rule and selecting Configure HTTP.

ISA Server is an application-layer firewall, and applies an application filter to HTTP traffic.

Because ISA Server can examine HTTP requests, applications that are tunneled through

HTTP can be blocked, depending on how you configure the HTTP application filter. The

HTTP application filter provides granular control over the HTTP requests allowed by your

firewall policy.

2. Create an Access Rule to allow all clients to connect to the Internet.

Step 1: In the ISA interface, right-click Firewall Policy → New → Access Rule.

Step 2: Type a name for the access rule, and click Next.

Step 3: Select Allow to allow clients to connect to the Internet, and click Next.

Step 4: Select All outbound traffic and click Next.

Step 5: In Access Rule Source, select Internal and Localhost → Add → Close, then click Next.

Step 6: In Access Rule Destination, select External and click Next.

Step 7: In User sets, select All Users and click Next.

Step 8: Click Finish to complete.

Step 9: Click Apply → OK to apply the access rule.

3. Create Access Rule to manage users:

Step 1: On the Users menu, click New.

Step 2: Fill in User name and click Next.

Step 3: Click Add → Windows users and groups, and click Next.

Step 4: Select Location and select Domain Controller.

Step 5: Fill in Object name and click Check Name.

Step 6: Select User and click OK.

Step 7: Click Next.

Step 8: Click Finish.

4. Create Access Rule to deny clients access to the Internet during working hours:

Step 1: Define working hours: on the Schedules menu, click New.

Step 2: Fill in the Name and Description, select the working hour range and click Active → OK.

Step 3: Add the URL you want to deny by right-clicking URL Sets → New URL Set.

Step 4: Fill in the name and Description (optional), click Add to add the URL address, and click OK.

Step 5: Create an access rule with Action=Deny, Protocol=HTTP, HTTPS, Source=Internal, Destination=the URL set that we have created before, user from Users.

Step 6: Right-click the newly created Access Rule → Properties → Schedule tab → select Working hour → Apply → OK.
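The definition above says that Internet access depends primarily on the design and order of access rules, and the rules from sections 2 and 4 show why. The following is an added example, not part of the original report and not ISA Server code: a simplified Python model of ordered, first-match rule evaluation that also reports rules hidden behind an earlier, broader rule. The rule names, the weekday 08:00-17:00 schedule, the user name and the host social.example are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, time
from typing import Optional
from urllib.parse import urlsplit


@dataclass(frozen=True)
class Schedule:
    days: frozenset   # weekday numbers, Monday = 0
    start: time
    end: time

    def active(self, when: datetime) -> bool:
        return when.weekday() in self.days and self.start <= when.time() < self.end


@dataclass(frozen=True)
class AccessRule:
    name: str
    action: str                            # "allow" or "deny"
    protocols: Optional[frozenset] = None  # None = all outbound traffic
    hosts: Optional[frozenset] = None      # None = any destination (stand-in for a URL set)
    users: Optional[frozenset] = None      # None = All Users
    schedule: Optional[Schedule] = None    # None = always

    def matches(self, user, protocol, url, when) -> bool:
        if self.protocols is not None and protocol not in self.protocols:
            return False
        if self.users is not None and user not in self.users:
            return False
        if self.schedule is not None and not self.schedule.active(when):
            return False
        if self.hosts is not None:
            host = (urlsplit(url).hostname or "").lower()
            if not any(host == h or host.endswith("." + h) for h in self.hosts):
                return False
        return True


def evaluate(rules, user, protocol, url, when):
    """Return (action, rule name) of the first rule that matches the request."""
    for rule in rules:
        if rule.matches(user, protocol, url, when):
            return rule.action, rule.name
    # Nothing matched: a request is processed only if a rule specifically allows it.
    return "deny", "Default rule"


def _covers(a, b) -> bool:
    """True when every request matched by rule b is also matched by rule a.

    Host and user sets are compared literally, which is enough for this model.
    """
    for field in ("protocols", "hosts", "users"):
        wide, narrow = getattr(a, field), getattr(b, field)
        if wide is not None and (narrow is None or not narrow <= wide):
            return False
    return a.schedule is None or a.schedule == b.schedule


def shadowed(rules):
    """Names of rules that can never take effect because an earlier rule covers them."""
    return [b.name for i, b in enumerate(rules)
            if any(_covers(a, b) for a in rules[:i])]


# Constructed sample policy mirroring sections 2 and 4 (all values are assumptions).
WORK_HOURS = Schedule(frozenset(range(5)), time(8, 0), time(17, 0))
ALLOW_ALL = AccessRule("Allow Internet", "allow")
DENY_WORK = AccessRule("Deny in working hours", "deny",
                       protocols=frozenset({"HTTP", "HTTPS"}),
                       hosts=frozenset({"social.example"}),
                       users=frozenset({"user1"}),
                       schedule=WORK_HOURS)

if __name__ == "__main__":
    monday_10 = datetime(2014, 8, 4, 10, 0)   # a Monday inside the schedule
    request = ("user1", "HTTP", "http://www.social.example/feed", monday_10)
    print("deny rule first :", evaluate([DENY_WORK, ALLOW_ALL], *request))
    print("allow rule first:", evaluate([ALLOW_ALL, DENY_WORK], *request))
    print("shadowed rules  :", shadowed([ALLOW_ALL, DENY_WORK]))
```

With the allow-all rule placed first, the scheduled deny rule is never reached, so the deny rule has to sit above it in the Firewall Policy list.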

5. Application and Web Filter:

Create an Access Rule that denies users downloading documents and listening to or watching online music and movies.

Step 1: Create an Access Rule with Action=Allow; Protocol=All outbound traffic; Source=Internal, Localhost; Destination=External; User=the user you want to deny.

Step 2: Right-click the above Access Rule → Configure HTTP.

Step 3: On the Extensions tab, select Block specified extensions (allow all others), and click Add to add the extensions that you want to deny. Then click Apply → OK.

Step 4: Right-click the above Access Rule → Properties → select the Content Types tab, and select all except video and audio. Then click Apply → OK.
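Steps 3 and 4 above configure two separate checks: one on the extension of the requested object and one on the content type of the response. The following is an added example, not part of the original report and not ISA Server code: a simplified Python model of both checks, showing a request that passes the extension check and is stopped only by the content-type check. The blocked extension list and the sample URLs are constructed, and taking the extension from the URL path only is an assumption of this model.

```python
import posixpath
from urllib.parse import unquote, urlsplit

# Constructed policy values; the report does not list the extensions it blocked.
BLOCKED_EXTENSIONS = frozenset({".exe", ".doc", ".pdf", ".mp3", ".mp4"})
# Step 4 selects every content type except audio and video.
BLOCKED_TYPE_GROUPS = ("audio/", "video/")


def request_extension(url: str) -> str:
    """Extension of the requested object, taken from the decoded URL path only."""
    path = unquote(urlsplit(url).path)
    return posixpath.splitext(posixpath.basename(path))[1].lower()


def media_type(content_type_header: str) -> str:
    """Strip parameters such as '; charset=utf-8' and normalise case."""
    return content_type_header.split(";", 1)[0].strip().lower()


def filter_decision(url: str, response_content_type: str) -> str:
    """Return 'blocked-extension', 'blocked-content-type' or 'allowed'."""
    if request_extension(url) in BLOCKED_EXTENSIONS:
        return "blocked-extension"
    if media_type(response_content_type).startswith(BLOCKED_TYPE_GROUPS):
        return "blocked-content-type"
    return "allowed"


# Constructed sample traffic: (request URL, Content-Type header of the response).
SAMPLES = [
    ("http://files.example/docs/Report.DOC?id=7", "application/msword"),
    ("http://media.example/stream?file=song.mp3", "Audio/MPEG"),
    ("http://media.example/clip%2Emp4", "video/mp4"),
    ("http://news.example/index.html", "text/html; charset=utf-8"),
]


def run_samples():
    return [filter_decision(url, ctype) for url, ctype in SAMPLES]


if __name__ == "__main__":
    for (url, ctype), verdict in zip(SAMPLES, run_samples()):
        print(f"{verdict:22} {url}  [{ctype}]")
```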

SERVER PUBLISHING:

ISA Server uses server publishing to process incoming requests to internal servers, such as

File Transfer Protocol (FTP) servers, computers running Microsoft SQL Server™, and

others. Requests are forwarded downstream to an internal server, located behind the ISA

Server computer.

Server publishing allows virtually any computer on your Internal network to publish to the

Internet. Security is not compromised because all incoming requests and outgoing responses

pass through ISA Server. When a server is published by an ISA Server computer, the IP

addresses that are published are actually the IP addresses of the ISA Server computer. Users

who request objects assume that they are communicating with the ISA Server computer—

whose name or IP address they specify when requesting the object—while they are actually

requesting the information from the publishing server. This is true when the network on

which the published server is located has a network address translation (NAT) relationship

from the network on which the clients accessing the published server are located. When you

configure a route network relationship, the clients use the actual IP address of the published

server to access it.

1. Publish DNS:

a. Install DNS service on ISA Server machine

- Install the DNS service on the ISA Server machine.

- Create a Forward Lookup Zone with domain name: athena.com.vn.

- Create a Reverse Lookup Zone with network address 192.168.1.0/24.

b. Configure DNS Publishing:

Create a Non-Web Server Protocol Publishing Rule that allows clients from the Internet to resolve names.

Step 1: Right-click Firewall Policy → New → Non-Web Server Protocol Publishing Rule.

Step 2: Fill in the name, and click Next.

Step 3: Fill in the IP address of the ISA Server, and click Next.

Step 4: Select the DNS Server protocol, and click Next.

Step 5: On Network Listener IP Addresses, select External, and click Next.

Step 6: Click Finish to complete the creation of the DNS publishing rule. Clients from the external network can resolve names.

c. Web Publishing.

Web Publishing allows a client from the Internet to connect to a local web server.

a. Create a Web Publishing Rule:

Step 1: Right-click Firewall Policy → New → Website Publishing Rule.

Step 2: Fill in the name and click Next.

Step 3: Select Allow, and click Next.

Step 4: Select Publish a single Web site or load balancer.

Step 5: Select Use non-secured connections to connect the published Web server or server farm.

Step 6: Fill in the website name, click Use a computer name or IP address to connect to the published server, and fill in the IP address of the Web server.

Step 7: Choose the path for the web site. Fill in * to select all sites. Then click Next.

Step 8: Fill in the public name of the website and click Next.

Step 9: Create a new Listener (or select one already created). Click New.

Step 10: Set a name for the Web Listener, and click Next.

Step 11: Select Do not require SSL secured connections with clients, and click Next.

Step 12: Select External for the Web Listener IP address, and click Next.

Step 13: Select No Authentication, and click Next.

Step 14: Click Next to continue.

Step 15: Click Next to continue.

Step 16: Click Finish to complete.

2. Mail Publishing:

a. Installing mail server.

Install the Exchange mail server on the DC machine.

Run Exchange Management Console.

Create Send Connectors, Receive Connectors and users: PC1, PC2.

Start the Microsoft Exchange POP3 service: in Computer Management (run services.msc), find Microsoft Exchange POP3 and click Start.

Create an Access Rule that allows mail to be sent out to External.

The steps to create the mail Access Rule are the same as for creating the Access Rule to connect to the Internet, but in Protocols we select Mail Protocols.

b. Create Mail Server Publishing Rule.

Step 1: Right-click Firewall Policy → New → Mail Server Publishing Rule.

Step 2: Set the name and click Next.

Step 3: Select Client access: RPC, IMAP, POP3, SMTP, and click Next.

Step 4: Select all services except Outlook (RPC), and click Next.

Step 5: Fill in the IP address of Exchange (the Domain Controller PC), and click Next.

Step 6: Select External for Network Listener IP Address, and click Next.

Step 7: Click Finish to complete.

3. VPN (Virtual Private Network).

a. VPN.

A virtual private network (VPN) extends a private network across a public network, such

as the Internet. It enables a computer to send and receive data across shared or public

networks as if it is directly connected to the private network, while benefiting from the

functionality, security and management policies of the private network.[1] A VPN is

created by establishing a virtual point-to-point connection through the use of dedicated

connections, virtual tunneling protocols, or traffic encryptions.

VPNs allow employees to securely access their company's intranet while traveling

outside the office. Similarly, VPNs securely connect geographically separated offices of

an organization, creating one cohesive network. VPN technology is also used by Internet

users to connect to proxy servers for the purpose of protecting personal identity and

location.

Figure 1.0 VPN connection model.

b. VPN configuration:

Create a VPN connection.

Step 1: On Virtual Private Networks (VPN), click Define Address Assignments.

Step 2: On the Address Assignment tab, select the IP address ranges. Click Apply.

Step 3: On the Authentication tab, select Microsoft encrypted authentication (MS-CHAP). Click Apply → OK.

Create user on Domain Controller (DC).

Create the UserVPN user and the CPNClient group, with the password Vuongvu123.

Allow access.

Step 1: Create the user and group on the DC.

Step 2: Right-click UserVPN → Properties → Dial-in tab → select Allow access.

Configure VPN connection on client.

Step 1: Control Panel → Network Connections → Create new connection.

Step 2: Click Next.

Step 3: Select Connect to the network at my workplace.

Step 4: Select Virtual Private Network connection.

Step 5: Enter Company Name. Click Next.

Step 6: Enter the IP address of the ISA Server.

Step 7: Enter the VPN account that you have created before.

Step 8: Check the VPN connection: run CMD and enter ipconfig /all.

4. Caching.

a. Caching.

The Web proxy service of ISA Server maintains a cache of Web objects and attempts to

fulfill Web requests from the cache. If the request cannot be fulfilled from the cache, the ISA

Server computer initiates a new request on behalf of the client. Once the remote Web server

responds to the ISA Server computer, the ISA Server computer caches the response to the

original client request and sends a response to the client.

ISA Server supports forward caching, used for outgoing requests, and reverse caching, used

for incoming requests. Clients in both forward caching and reverse caching benefit from the

full gamut of ISA Server caching features.

ISA Server includes HTTP redirector filter, which allows Firewall and secure network

address translation (SecureNAT) clients to also benefit from the caching features. When the

HTTP redirector is enabled, Web requests from Firewall and SecureNAT clients can also be

cached.

b. Configuring a Caching policy.

Enable Web Proxy

Step 1: Right-click Internal and select Properties.

Step 2: Select the Web Proxy tab, and select Enable Web Proxy clients for this network.

Step 3: On Authentication, select Integrated. Click OK → Apply → OK.

Create a memory cache.

Step 1: Click the Define Drive task (Enable Caching), and set the capacity for the memory cache. Click Set → OK.

Create RAM memory:

Step 1: Right-click Cache → Properties. On the Advanced tab, set the capacity for RAM.

Enable Web Proxy for Localhost client.

Step 1: Right-click Localhost → Properties. On the Web Proxy tab, select Enable Web Proxy clients for this network. Click Apply → OK.

V. INTERNSHIP ASSESSMENT:

When I finished the internship program at ATHENA, I got more knowledge and experience about network management. After two months, there are many skills that I have achieved for myself. I understand clearly about network security and network management with ISA Server 2006.

On the other hand, I had the chance to apply what I have learnt in school in a working environment.

I think the internship program will help me gain more experience for future jobs.

VI. REFERENCE:

Athena website: www.athena.edu.vn .

Athena's document + CD video about ISA Server 2006.

Website to upload and download documents: www.slideshare.net

A video introduction about myself, the advantages and disadvantages, and the work process was uploaded to: https://www.youtube.com/user/vovanvuongvuiu/videos

Websites about ISA Server:

http://en.wikipedia.org/wiki/Virtual_private_network

http://www.isaserver.org/articles-tutorials/articles/What-is-ISA-2006-Firewall.html

http://msdn.microsoft.com/en-us/library/ms811827.aspx