ISA Server 2004 EE Training - PowerPoint PPT Presentation

About This Presentation

Title: ISA Server 2004 EE Training

Description: Distributed caching with CARP. Enterprise Policy Structure. An enterprise policy consists of: ... Web clients: CARP. Firewall Clients: Client-provided fault ... (PowerPoint PPT presentation)

Slides: 48
Provided by: downloadM
Tags: isa | carp | server | training

Transcript and Presenter's Notes

2
Microsoft Internet Security and Acceleration
(ISA) Server 2004 Technical Training
  • Kent Nordström, XP Services AB

3
Agenda
  • Introduction to ISA Server 2004
  • Concepts
  • How does it work?
  • Advanced Application Filtering
  • SSL Bridging
  • Achieving Fault Tolerance and High Availability
  • Providing Secure Remote Access
  • Q&A

4
ISA Server 2004
The advanced application layer firewall, VPN and
Web cache solution that enables customers to
maximize IT investments by improving network
security and performance
5
ISA Server 2004 New Features
  • Updated security architecture
  • Enhanced Exchange Server integration
6
ISA Server 2004 New Features (continued)
  • New management tools and user interface
  • Network templates and wizards
7
ISA Server 2004 Editions
8
Arrays
  • An array is:
    • The fundamental management entity in ISA 2004 Enterprise Edition
    • A collection of co-located and symmetrically configured servers
  • An array provides:
    • A single management entity
    • Integration with enterprise policies
    • Load balancing with NLB
    • Distributed caching with CARP

9
Enterprise Policy Structure
  • An enterprise policy consists of, in evaluation order:
    • Enterprise rules (before)
    • Array policy placeholder (the array's own rules slot in here)
    • Enterprise rules (after)

10
Single rule base
  • Every rule has the same shape: action on traffic from user, from source, to destination, with conditions
    • Action: Allow, Deny
    • User: Any user, Authenticated users, Specific user/group
    • Source: Source network, Source IP, Originating user
    • Destination: Destination network, Destination IP, Destination site, Published server, Published web site
    • Conditions: Protocol, IP port / type, Filtering properties, Schedule
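The two slides above describe the rule shape and the before/array/after layering without showing how a request is actually decided. The following is an added example, not ISA Server code: a small evaluator that builds the effective policy from the three layers, evaluates rules in order with first match winning, and falls through to the default deny. Network names, rule names, the user "bob" and all addresses are constructed for the example.

```python
"""Added example (not ISA Server code): an evaluator for the rule base
described on slides 9 and 10.  Rules are "action on traffic from user,
from source, to destination, with conditions"; the enterprise policy is
evaluated as enterprise rules (before), then the array's own rules, then
enterprise rules (after), first match wins, and anything unmatched hits
the default deny.  Network names, rules and requests are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed network definitions; ISA's External network is everything
# not assigned to another network, which network_of() models as the fallback.
NETWORKS = {
    "Internal": ("10.0.0.0/8",),
    "VPN Clients": ("172.16.0.0/12",),
}


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                 # "allow" or "deny"
    protocols: frozenset        # protocol names, or {"*"} for all
    sources: tuple              # network names, or ("*",)
    destinations: tuple         # network names, or ("*",)
    users: str = "any"          # "any", "authenticated", or one user name
    hours: Tuple[int, int] = (0, 24)   # schedule condition, [start, end) hour


@dataclass(frozen=True)
class Request:
    user: Optional[str]         # None = not authenticated (e.g. a SecureNAT client)
    src_ip: str
    dst_ip: str
    protocol: str
    hour: int


def network_of(ip: str) -> str:
    addr = ipaddress.ip_address(ip)
    for name, cidrs in NETWORKS.items():
        if any(addr in ipaddress.ip_network(c) for c in cidrs):
            return name
    return "External"


def matches(rule: Rule, req: Request) -> bool:
    if "*" not in rule.protocols and req.protocol not in rule.protocols:
        return False
    if "*" not in rule.sources and network_of(req.src_ip) not in rule.sources:
        return False
    if "*" not in rule.destinations and network_of(req.dst_ip) not in rule.destinations:
        return False
    if rule.users == "authenticated" and req.user is None:
        return False
    if rule.users not in ("any", "authenticated") and req.user != rule.users:
        return False
    start, end = rule.hours
    return start <= req.hour < end


def effective_policy(enterprise_before, array_rules, enterprise_after):
    """Slide 9: the array policy slots into the enterprise policy's placeholder."""
    return list(enterprise_before) + list(array_rules) + list(enterprise_after)


def evaluate(policy, req: Request) -> Tuple[str, str]:
    """First matching rule decides; ISA's default rule denies everything else."""
    for rule in policy:
        if matches(rule, req):
            return rule.action, rule.name
    return "deny", "Default rule"


# Constructed sample policy.  The enterprise admin blocks P2P before any
# array rule can allow it, and grants DNS after the array's own rules.
ENTERPRISE_BEFORE = [
    Rule("Ent: block P2P", "deny", frozenset({"Kazaa", "eDonkey"}),
         ("Internal", "VPN Clients"), ("External",)),
]
ARRAY_RULES = [
    Rule("Array: web for staff", "allow", frozenset({"HTTP", "HTTPS"}),
         ("Internal",), ("External",), users="authenticated", hours=(8, 18)),
    Rule("Array: admin unrestricted", "allow", frozenset({"*"}),
         ("Internal",), ("*",), users="bob"),
]
ENTERPRISE_AFTER = [
    Rule("Ent: allow DNS", "allow", frozenset({"DNS"}),
         ("Internal", "VPN Clients"), ("External",)),
]
POLICY = effective_policy(ENTERPRISE_BEFORE, ARRAY_RULES, ENTERPRISE_AFTER)

if __name__ == "__main__":
    for req in (
        Request("alice", "10.1.2.3", "203.0.113.5", "HTTP", 10),
        Request(None, "10.1.2.3", "203.0.113.5", "HTTP", 10),
        Request("bob", "10.9.9.9", "203.0.113.5", "Kazaa", 12),
        Request("bob", "10.9.9.9", "203.0.113.5", "HTTP", 22),
        Request(None, "10.1.2.3", "198.51.100.53", "DNS", 3),
    ):
        print(req.user, req.protocol, req.hour, "->", evaluate(POLICY, req))
```

The point of the ordering is visible in the third request: "bob" has an array rule allowing everything, yet the Kazaa request is denied because the enterprise "before" rule is evaluated first and an array administrator cannot move a rule above it.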

11
ISA Configuration Stores
12
ISA Configuration Storage Server (CSS)
  • What is it?
    • A dedicated ISA configuration store
    • Installed from the ISA Server 2004 EE CD
    • Based on AD/AM (Active Directory Application Mode) technology
    • Can be co-hosted on the ISA Server computer
  • Directory database
    • Stores configuration and policy for all arrays in the Enterprise
    • Management console writes to it securely
    • Array members fetch from it securely
  • Replicated, multi-master
    • No single master copy
    • Can be edited anywhere
  • Supports backup and restore

13
Configuration Storage Server
[Diagram: the management console writes to a Configuration Storage Server; two CSS instances replicate with each other; each of three ISA 2004 Server arrays keeps a local configuration copy fetched from the CSS]
14
ISA 2004 Networking Model
  • Any number of networks
  • VPN as network
  • Localhost as network
  • Assigned relationships (NAT/Route)
  • Per-network policy
  • Packet filtering on all interfaces
  • Support for Plug-and-Play and Dial-on-Demand

[Diagram: an ISA 2004 server with its networks, including the Local Host network]
15
Firewall Engine SE
[Diagram: Standard Edition architecture. The ISA console applies the firewall rules to the user-mode Firewall Service (FWsrv), which hosts the application filters and proxies (mail on TCP 25 and Web/IIS on TCP 80 are shown). The kernel-mode Firewall Engine (FWeng) handles packets in two passes: first assembly plus the ID, spoof, IP-options and quota checks over IP, TCP/UDP and connection state; second the firewall rules, with lockdown mode and port stealing. IPsec sits beneath the engine.]
16
Firewall Engine EE
[Diagram: Enterprise Edition architecture, the same as the Standard Edition diagram except that the rules reach the Firewall Service from the Configuration Storage Server (CSS) rather than directly from the ISA console. User mode: Firewall Service (FWsrv) with the application filters and user authentication (mail on TCP 25 and Web/IIS on TCP 80 shown). Kernel mode: Firewall Engine (FWeng) with the first-pass assembly and ID, spoof and quota checks over IP, TCP/UDP and connections, the second-pass firewall rules, lockdown mode and port stealing, and IPsec beneath it.]
17
Agenda (next section: Advanced Application Filtering)

18
Why Application Layer Security Is Crucial
  • Most of today's attacks are directed against applications
    • Examples: mail clients (worms, Trojan horse attacks), Web browsers (malicious Java applets)
  • Applications encapsulate their traffic in HTTP
    • Examples: peer-to-peer, instant messaging
  • Traditional firewalls cannot determine what traffic is sent or received
  • Dynamic port assignments require too many incoming ports to be opened
    • Examples: FTP, RPC

19
A Traditional Firewall's View of a Packet
  • Only packet headers are inspected
  • Application layer content appears as a black box

  IP Header: Source Address, Dest. Address, TTL, Checksum
  TCP Header: Sequence Number, Source Port, Destination Port, Checksum
  Application Layer Content: ?????????????????????????? (opaque to the firewall)

  • Forwarding decisions based on port numbers
  • Legitimate traffic and application layer attacks use identical ports

[Diagram: traffic from the Internet labelled expected HTTP traffic, unexpected HTTP traffic, attacks and non-HTTP traffic; a port-based firewall can single out only the non-HTTP traffic]
20
ISA Server's View of a Packet
  • Packet headers and application content are inspected

  IP Header: Source Address, Dest. Address, TTL, Checksum
  TCP Header: Sequence Number, Source Port, Destination Port, Checksum
  Application Layer Content: <html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><title>MSNBC - MSNBC Front Page</title><link rel="stylesheet" ...

  • Forwarding decisions based on content
  • Only legitimate and allowed traffic is processed

[Diagram: traffic from the Internet labelled allowed HTTP traffic, prohibited HTTP traffic, attacks and non-HTTP traffic; ISA Server passes only the allowed HTTP traffic]
21
HTTP Filtering
  • Fine-grained control over allowed content
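The slides above say that decisions are made on content rather than on port numbers but do not show what "fine-grained control" looks like in practice. The following is an added example, not ISA Server's HTTP filter: a request-head check modelled on the kinds of controls such a filter offers (allowed methods, blocked extensions, length limits, header signatures, high-bit characters, URL normalization). The policy values, the signature entries and every sample request are constructed for the example; the sample set deliberately contains only traffic a port-based firewall would see as identical "port 80" connections.

```python
"""Added example (not ISA Server's HTTP filter): a request-level policy
check that makes decisions on application content rather than on the
destination port.  Policy values and the sample requests are constructed."""
import os
from dataclasses import dataclass
from typing import Dict, Tuple
from urllib.parse import unquote, urlsplit


@dataclass(frozen=True)
class HttpPolicy:
    allowed_methods: frozenset = frozenset({"GET", "HEAD", "POST"})
    blocked_extensions: frozenset = frozenset({".exe", ".dll", ".bat", ".cmd"})
    max_request_line: int = 2048
    max_header_bytes: int = 16384
    block_high_bit: bool = True        # reject non-ASCII bytes in the request head
    verify_normalization: bool = True  # reject URLs still encoded after one decode
    # (header name, substring) signatures; constructed, not ISA defaults.
    # An empty substring blocks the header whenever it is present at all.
    blocked_signatures: tuple = (("user-agent", "kazaa"), ("x-kazaa-user", ""))


def inspect_request(raw: bytes, policy: HttpPolicy = HttpPolicy()) -> Tuple[str, str]:
    """Return ("allow", reason) or ("block", reason) for one HTTP request head."""
    head, sep, _body = raw.partition(b"\r\n\r\n")
    if not sep:
        return "block", "incomplete header block"
    if len(head) > policy.max_header_bytes:
        return "block", "headers exceed %d bytes" % policy.max_header_bytes
    if policy.block_high_bit and any(b > 0x7F for b in head):
        return "block", "high-bit character in request"

    lines = head.decode("latin-1").split("\r\n")
    request_line = lines[0]
    if len(request_line) > policy.max_request_line:
        return "block", "request line too long"
    parts = request_line.split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/1."):
        return "block", "malformed request line"
    method, target, _version = parts
    if method not in policy.allowed_methods:
        return "block", "method %s not allowed" % method

    path = urlsplit(target).path
    decoded_once = unquote(path)
    if policy.verify_normalization and unquote(decoded_once) != decoded_once:
        # e.g. %255c -> %5c -> backslash: a double-encoded traversal attempt
        return "block", "URL is not normalized (double encoding)"
    ext = os.path.splitext(decoded_once)[1].lower()
    if ext in policy.blocked_extensions:
        return "block", "extension %s blocked" % ext

    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    for header, needle in policy.blocked_signatures:
        if header in headers and needle in headers[header].lower():
            return "block", "signature match in %s header" % header
    return "allow", "passed all checks"


# Constructed sample traffic: all of it arrives on TCP 80 and is
# indistinguishable to a port-based firewall.
SAMPLES = {
    "browser":   b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: Mozilla/5.0\r\n\r\n",
    "p2p":       b"GET /file HTTP/1.1\r\nHost: peer.example\r\nX-Kazaa-User: alice\r\n\r\n",
    "exe":       b"GET /scripts/cmd.exe?/c+dir HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    "doubleenc": b"GET /%255c..%255c/winnt HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    "trace":     b"TRACE / HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    "highbit":   b"GET /caf\xe9 HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
}


def run_samples() -> Dict[str, str]:
    """Verdict per constructed sample; only the plain browser request passes."""
    return {name: inspect_request(req)[0] for name, req in SAMPLES.items()}


if __name__ == "__main__":
    for name, req in SAMPLES.items():
        print("%-10s %s" % (name, inspect_request(req)))
```

The normalization check decodes the path once and rejects it if a second decode would still change it; that is what catches the `%255c` sample, which a single-decode filter would pass through as `%5c` for the Web server to decode again.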

22
Agenda (next section: SSL Bridging)

23
Securing SSL Traffic
  • SSL alone: confidentiality, but no traffic inspection
  • SSL bridging:
    • The client on the Internet encrypts its communications
    • ISA Server decrypts and inspects the traffic
    • ISA Server sends allowed traffic on to the published server, re-encrypting it if required

24
Outlook Web Access (OWA)
  • Using SSL Bridging
  • Use forms-based authentication

25
Agenda (next section: Achieving Fault Tolerance and High Availability)

26
High Availability with Enterprise Edition
  • Firewall access methods:
    • Firewall Clients
    • Web Proxy clients
    • SecureNAT clients (transparent access)
  • Methods for providing load balancing, high availability and fault tolerance:
    • Round-robin DNS
    • Web Proxy clients: CARP
    • Firewall Clients: client-provided fault tolerance
    • SecureNAT clients: NLB

27
Network Load Balancing
  • What is it?
    • A Windows service
    • Uses IP address-based hashing
    • Several affinity modes
    • Unicast or multicast support
  • New with Windows Server 2003:
    • Support for multiple NICs
    • Bidirectional affinity

28
NLB Provisions for ISA
  • Bidirectional affinity (BDA)
    • Clustering for stateful routers and firewalls (ISA)
    • Multiple NLB instances work in parallel
    • Bidirectional affinity ensures connections routed through an ISA Server in an array are load balanced back to the same server
  • Additional features
    • Management hook (ISA Server can configure NLB settings in Windows Server)
    • Unicast mode without an additional NIC (requires Windows Server 2003 SP1)

29
Balancing Published Servers
[Diagram: an external client 172.1.1.1 on the Internet reaches an NLB cluster of ISA 1 and ISA 2. External NICs: ISA-1 DIP 128.1.1.2, ISA-2 DIP 128.1.1.1, shared VIP 128.1.1.100. Internal NICs: ISA-1 DIP 10.10.10.2, ISA-2 DIP 10.10.10.1, shared VIP 10.10.10.100. Behind the array: Published Server 1 (11.11.11.1) and Published Server 2 (11.11.11.2).]
30
Balancing Published Servers
  1-2. External client -> ISA array (VIP); NLB load balances the connection to ISA-1
  3. ISA-1 -> Published Server-1; source IP 172.1.1.1 (external client)
  4. Published Server-1 responds to the request; destination IP 172.1.1.1 (external client)
  5-6. NLB with bidirectional affinity ensures the response is balanced only to ISA-1
31
Balancing Outbound Access
[Diagram: an internal client 12.12.12.1 reaches ftp.microsoft.com (157.31.56.100) on the Internet through the same NLB cluster. Internal NICs: ISA-1 DIP 10.10.10.2, ISA-2 DIP 10.10.10.1, shared VIP 10.10.10.100. External NICs: ISA-1 DIP 128.1.1.2, ISA-2 DIP 128.1.1.1, shared VIP 128.1.1.100.]
32
Balancing Outbound Access
  1. Internal client -> ftp.microsoft.com; the destination address is the external server
  2-3. NLB load balances the connection to ISA-2; ISA-2 -> ftp.microsoft.com with source IP 128.1.1.1 (ISA-2 DIP)
  4-5. ftp.microsoft.com -> ISA-2 with destination IP 128.1.1.1 (ISA-2 DIP); because the response is addressed to the DIP, NLB does not load balance it
  6. ISA-2 -> internal client; source IP 157.31.56.100 (ftp.microsoft.com)
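The two walkthroughs above (published server, then outbound access) rely on two different reasons why the reply reaches the same array member: bidirectional affinity in the first case, and addressing to a DIP rather than the VIP in the second. The following added example, not ISA Server or Windows NLB code, models both with the addresses from the deck's diagrams. The real NLB hash is replaced by a stand-in (sum of the IPv4 octets modulo the cluster size) so that every result can be checked by hand; with that toy hash the forward path happens to pick ISA-2 rather than the ISA-1 drawn on the slide, which does not matter, since the point is that both directions must agree.

```python
"""Toy model of Windows NLB host selection with and without bidirectional
affinity (BDA), using the addresses from the deck's diagrams.  Added
illustration, not ISA Server or NLB code: the real NLB hash is replaced by
a stand-in (sum of IPv4 octets modulo cluster size)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Host:
    name: str
    external_dip: str   # dedicated IP on the External network
    internal_dip: str   # dedicated IP on the Internal network


# Addresses as drawn on the slides (VIPs are shared by both members).
EXTERNAL_VIP = "128.1.1.100"
INTERNAL_VIP = "10.10.10.100"
HOSTS = (
    Host("ISA-1", external_dip="128.1.1.2", internal_dip="10.10.10.2"),
    Host("ISA-2", external_dip="128.1.1.1", internal_dip="10.10.10.1"),
)


def toy_hash(ip: str, n_hosts: int) -> int:
    """Stand-in for NLB's IP hash (assumption: NOT the real algorithm)."""
    return sum(int(octet) for octet in ip.split(".")) % n_hosts


def select_host(hosts, src_ip: str, dst_ip: str, bda_reverse: bool = False) -> Host:
    """Which array member accepts a packet src_ip -> dst_ip on a cluster NIC.

    * A packet addressed to a member's own DIP is never load balanced.
    * Otherwise single affinity hashes the client address: the forward
      direction hashes the source; with BDA the NLB instance on the far
      network hashes the *destination*, i.e. the same client address, so
      both directions land on the same member.
    """
    for host in hosts:
        if dst_ip in (host.external_dip, host.internal_dip):
            return host
    key = dst_ip if bda_reverse else src_ip
    return hosts[toy_hash(key, len(hosts))]


def inbound_publishing(bda: bool):
    """Published-server case: external client -> VIP -> server, and the reply."""
    client, published = "172.1.1.1", "11.11.11.1"
    forward = select_host(HOSTS, client, EXTERNAL_VIP)              # external NLB instance
    reply = select_host(HOSTS, published, client, bda_reverse=bda)  # internal NLB instance
    return forward.name, reply.name


def outbound_access():
    """Outbound case: internal client -> VIP -> ftp.microsoft.com, and the reply."""
    client, ftp = "12.12.12.1", "157.31.56.100"
    forward = select_host(HOSTS, client, INTERNAL_VIP)   # internal NLB instance
    # ISA sources the outbound packet from its own external DIP, so the
    # reply is addressed to that DIP and bypasses load balancing entirely.
    reply = select_host(HOSTS, ftp, forward.external_dip)
    return forward.name, reply.name


if __name__ == "__main__":
    print("publishing, no BDA :", inbound_publishing(bda=False))
    print("publishing, BDA    :", inbound_publishing(bda=True))
    print("outbound           :", outbound_access())
```

Without BDA the internal-network NLB instance hashes the published server's address and can hand the reply to the member that holds no state for the connection; with BDA it hashes the original client address and the reply returns to the member that saw the request.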
33
NLB Modes in ISA Server
  • Non-integrated mode
  • Integrated mode (Windows 2003 only)

34
NLB Integrated Mode
  • Leverages full platform capabilities
    • Bidirectional affinity
    • Multi-network support
    • VPN load balancing
  • Enhanced failover control
    • Monitors firewall health
    • Monitors NIC state
    • Provides troubleshooting information

35
NLB Integrated Mode
  • NLB settings
    • Unicast mode
    • Single affinity
  • Deployment recommendation
    • Load balance all networks
    • Deploy Windows 2003 SP1
    • No need for an intra-array traffic NIC

36
Easy Configuration and Administration
37
Agenda (next section: Providing Secure Remote Access)

38
Traditional VPN Infrastructure
  • VPN gateway and firewall are separate devices
  • VPN clients get full access to the internal network
  • Optional protection of the network via a separate firewall

[Diagram: Internet -> VPN gateway -> internal network, with a separate firewall alongside]
39
ISA Server VPN Infrastructure
  • Includes VPN gateway and firewall functionality
  • VPN clients get controlled and protected access to the internal network

[Diagram: Internet -> ISA Server -> internal network]
40
How ISA Server Secures Client Connections
  • Broad protocol support
    • PPTP and L2TP/IPsec
    • IPsec NAT traversal (NAT-T) for connectivity across any network
  • Authentication
    • Active Directory: uses existing Windows accounts and supports PKI for two-factor authentication
    • RADIUS: uses non-Windows account databases with standards-based integration
    • SecurID: provides strong two-factor authentication using tokens and RSA authentication servers
  • All communications over the Internet are encrypted

41
Network Access Quarantine
  • A client script checks whether the client meets corporate security policies:
    • Personal firewall enabled?
    • Latest virus definitions used?
    • Required patches installed?
  • If the checks succeed, the client gets full access
  • If the checks fail, the client is disconnected after a timeout period

42
VPN Quarantine Process (1)
[Diagram: step 1, the VPN client computer connects and is confined to the quarantine resources]
43
VPN Quarantine Process (2)
[Diagram: continuation of the quarantine sequence; the extracted text of this slide repeats slide 42]
44
VPN Quarantine Components
[Diagram: a Connection Manager profile built with the Connection Manager Administration Kit (CMAK) on the VPN client carries the quarantine script; the client dials up or brings the VPN tunnel up to ISA 2004 (RRAS); once the script passes, RQC.exe on the client notifies the RQS service, which runs alongside the Firewall Service, over TCP 7250]
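The quarantine slides name the pieces (script, RQC.exe, RQS on TCP 7250, timeout) but not how they interact when a check fails or when RQS does not trust the notifier. The following is an added example, not RQC.exe or RQS code: a model of the session in which the script's failures suppress the notification, RQS accepts only a notification string it is configured for, and the quarantine timer keeps running either way. The check names, the notification format, the accepted version strings and the 120-second timeout are all constructed for the example.

```python
"""Added example (not RQC.exe/RQS code): a model of the VPN quarantine
flow.  The message format, the checks and the timeout are constructed."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

RQS_PORT = 7250            # listener port named on the components slide
QUARANTINE_TIMEOUT = 120   # seconds; assumed value for the example


def client_checks(host: dict) -> List[str]:
    """Checks the Connection Manager script would run; returns failure names."""
    failures = []
    if not host.get("personal_firewall_enabled", False):
        failures.append("personal firewall disabled")
    if host.get("av_definition_age_days", 999) > 7:
        failures.append("virus definitions older than 7 days")
    missing = host.get("missing_patches", [])
    if missing:
        failures.append("missing patches: " + ", ".join(missing))
    return failures


def rqc_notification(script_version: str, failures: List[str]) -> Optional[bytes]:
    """What RQC sends to RQS; nothing is sent if any check failed."""
    if failures:
        return None
    return ("RQC " + script_version + "\n").encode("ascii")  # constructed format


@dataclass
class QuarantineSession:
    allowed_versions: frozenset        # strings RQS is configured to accept
    elapsed: int = 0
    state: str = "quarantined"         # quarantined -> full | disconnected

    def tick(self, seconds: int) -> str:
        if self.state == "quarantined":
            self.elapsed += seconds
            if self.elapsed >= QUARANTINE_TIMEOUT:
                self.state = "disconnected"   # timer expired, the call is dropped
        return self.state

    def notify(self, message: Optional[bytes]) -> str:
        if self.state == "quarantined" and message is not None:
            tag, _, version = message.decode("ascii").strip().partition(" ")
            if tag == "RQC" and version in self.allowed_versions:
                self.state = "full"   # RQS lifts the quarantine packet filter
        return self.state


def run_session(host: dict, script_version: str = "1.0",
                allowed=frozenset({"1.0"})) -> Tuple[str, List[str]]:
    session = QuarantineSession(allowed)
    session.tick(5)                      # time spent running the script
    failures = client_checks(host)
    session.notify(rqc_notification(script_version, failures))
    session.tick(QUARANTINE_TIMEOUT)     # the timer keeps running regardless
    return session.state, failures


# Constructed hosts
COMPLIANT = {"personal_firewall_enabled": True, "av_definition_age_days": 2, "missing_patches": []}
STALE_AV = {"personal_firewall_enabled": True, "av_definition_age_days": 30, "missing_patches": []}

if __name__ == "__main__":
    print(run_session(COMPLIANT))
    print(run_session(STALE_AV))
    print(run_session(COMPLIANT, script_version="0.9"))   # outdated script, RQS rejects it
```

The third run is the case worth noticing: the host is compliant, but RQS is configured to accept only version "1.0", so an outdated script's notification is ignored and the client is disconnected at the timeout exactly as if a check had failed.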
45
VPN Integration with NLB
  • Network Load Balancing features
    • Fault tolerance mechanism
      • Detects and reports server status changes
      • Invokes ISA Server's automatic tunnel redistribution
    • Load balancing
      • Automatic routing of traffic into the array

46
Tunnel Assignment
  • Automatic tunnel distribution and redistribution
    • NLB reports changes in server availability
    • ISA Server distributes tunnels accordingly
    • Disconnected site-to-site sessions are automatically re-established with a different server
    • Existing sessions are not terminated for the sake of redistribution
    • Configuration alerts are issued when the array becomes unbalanced

47
Array to Array VPN
[Diagram: a Branch array and a Headquarter array, each behind NLB, joined by a site-to-site VPN across the Internet. VIPs shown: 192.168.0.1 and 10.0.0.1 on one side, 192.167.0.1 and 20.0.0.1 on the other; members 10.0.0.2 and 20.0.0.2 are marked with an X]
48
Routing
  • Incoming traffic redirection
  • Incoming traffic is automatically directed to
    relevant tunnel on the relevant server
  • Intra-array routing
  • ISA adds relevant static routes for intra-array
    routing, according to tunnel distribution

49
Agenda (next section: Q&A)