Introduction to ISA 2004
Dana Epp
Microsoft Security MVP
Who am I?
• Microsoft Windows Security MVP
• Information Security Professional
• Computer Security Software Architect
• Small Business Owner
What do I know about firewalls?
• I’ve written firewall code
• I’ve deployed firewalls (big and small)
– 100’s of small businesses
– Many different verticals: Manufacturing, Medical, Professional Services, Educational, Financial, etc.
• I’ve invented new firewalls
• I know a bit about them.
ISA Server 2004
• Caching
• Application content filtering
• Publishing
• Advanced application layer firewall / VPN
What’s the difference between ISA and other SMB firewalls?
Differences in SMB Firewalls
Products compared: Typical NAT Device, Hardware Firewall, Advanced Hardware Firewall, Microsoft ISA 2004
Capabilities compared (the per-product marks in the original table are not preserved in this text):
• Simple Ingress Filtering
• Simple Egress Filtering
• Complex Ingress Filtering (slide note: “Rarely available”)
• Complex Egress Filtering
• Application Content Filtering
• Virtual Private Networking (slide note: “Some have limited VPN”)
• Web Caching
• AD Authentication
• Patch management issues for the firewall
What’s the important difference?
A traditional firewall’s view of a packet
• Only packet headers are inspected
– Application layer content appears as “black box”
IP Header: Source Address, Dest. Address, TTL, Checksum
TCP Header: Sequence Number, Source Port, Destination Port, Checksum
Application Layer Content: ?????????????????????? (not inspected)
• Forwarding decisions based on port numbers
– Legitimate traffic and application layer attacks use identical ports
[Diagram: Internet → firewall → Corporate Network, carrying Expected HTTP Traffic, Unexpected HTTP Traffic, Attacks, Non-HTTP Traffic]
Problem. UFBP!
ISA Server’s view of a packet
• Packet headers and application content are inspected
IP Header: Source Address, Checksum
TCP Header: Sequence Number, Checksum
Application Layer Content: MSNBC - MSNBC Front Page
• Forwarding decisions based on content
– Only legitimate and allowed traffic is processed
[Diagram: Internet → ISA Server → Corporate Network, with Expected HTTP Traffic, Unexpected HTTP Traffic, Attacks, Non-HTTP Traffic arriving from the Internet]
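The two packet views above, as an added example (not ISA Server code and not from the original deck): a port-only filter forwards anything addressed to port 80, while a content filter parses the HTTP request line and headers and applies an assumed policy (only GET, HEAD and POST with a Host header). The sample segments are constructed for the demonstration.

```python
import re

# Assumed policy for the content filter; ISA's real HTTP filter rules are richer.
ALLOWED_METHODS = {b"GET", b"HEAD", b"POST"}
REQUEST_LINE = re.compile(rb"^([A-Z]+) (\S+) HTTP/1\.[01]\r\n")

# Constructed sample TCP segments: (destination port, first payload bytes).
SAMPLES = {
    "expected_http": (80, b"GET /news/front HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    "unexpected_http": (80, b"CONNECT mail.example.net:25 HTTP/1.1\r\nHost: mail.example.net\r\n\r\n"),
    "non_http_on_80": (80, b"SSH-2.0-OpenSSH_9.6\r\n"),
    "other_port": (25, b"EHLO mail.example.net\r\n"),
}


def port_filter(dst_port: int, payload: bytes) -> str:
    """Traditional view: only header fields are examined; the payload is a black box."""
    return "allow" if dst_port == 80 else "deny"


def http_filter(dst_port: int, payload: bytes) -> str:
    """Application-layer view: a segment to port 80 must carry an HTTP request
    that satisfies policy before it is forwarded. Returns 'allow' or 'deny: <reason>'."""
    if dst_port != 80:
        return "deny"
    m = REQUEST_LINE.match(payload)
    if m is None:
        return "deny: non-HTTP on port 80"
    if m.group(1) not in ALLOWED_METHODS:
        return "deny: method not allowed"
    head, sep, _body = payload.partition(b"\r\n\r\n")
    if not sep:
        return "deny: incomplete headers"   # a real filter would buffer and wait for more data
    header_lines = head.split(b"\r\n")[1:]  # everything after the request line
    if not any(line.lower().startswith(b"host:") for line in header_lines):
        return "deny: missing Host header"
    return "allow"


def classify_all() -> dict:
    """Decision of both filters for every sample, keyed by sample name."""
    return {name: (port_filter(p, d), http_filter(p, d)) for name, (p, d) in SAMPLES.items()}


if __name__ == "__main__":
    for name, (by_port, by_content) in classify_all().items():
        print(f"{name:16} port filter: {by_port:6} content filter: {by_content}")
```

Three of the four samples are indistinguishable to the port filter; only the content filter separates expected HTTP from a proxy tunnel request and from a non-HTTP protocol carried on port 80.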
What’s new in ISA 2004?
Advanced Protection
• Updated security architecture
– Application layer security designed to protect Microsoft applications
• Deep content inspection
– Enhanced, customizable HTTP protocol filters
– Comprehensive and flexible policies
– Stateful routing for all IP protocols
• Enhanced Exchange Server integration
– Support for Outlook RPC over HTTP
– Enhanced Outlook Web Access security
– Easy to use configuration wizards
• Fully integrated VPN
– Unified firewall / VPN filtering
– Site-to-site IPsec Tunnel Mode support
– Network access quarantine
• Secure Internet Information Server and SPS
– SSL Bridging for IIS and SPS
– Easy to use Web publishing wizards
– AD, RADIUS, SecurID authentication
New management tools and UI
Ease of Use
Efficient and cost effective network security
• Multi-network architecture
– Unlimited network definitions and types
– Firewall policy applied to all traffic
– Per network routing relationships
• Network templates and wizards
– Wizard simplifies routing configuration
– Easy setup for common network topologies
– Easily customized for sophisticated scenarios
• Visual policy editor
– Firewall policy with single, ordered rule-base
– Drag and drop editing, scenario-driven wizards
– XML-based configuration import and export
• Enhanced trouble-shooting
– Monitoring dashboard
– Real-time log viewer
– Content sensitive task panes
Commitment to integration
Fast, Secure Access
Empowers you to connect users to relevant information on your network in a cost efficient manner
• Enhanced architecture
– High speed data transport
– Utilizes latest Windows and PC hardware
– High speed application filtering platform
• Web cache
– Updated policy rules
– Serve content locally
– Pre-fetch content during low activity periods
• Internet access control
– User- and group-based Web usage policy
– Extensible by third parties
– New support for RADIUS and RSA SecurID
• Comprehensive authentication
– User- and group-based access policy
– Third-party extensibility
Sample Scenarios
• Scenario: Securely make email available to outside employees
– Solution: Outlook over RPC, OMA, Virtual Private Networking
• Scenario: Control Internet access and protect clients from malicious Internet traffic
– Solution: Content filtering, scheduled access, firewall client
• Scenario: Ensure fast access to the most frequently used web content
– Solution: Web Proxy
Call to Action
• Give ISA 2004 a try
• Consider buying SBS Premium instead of SBS Standard.
• If managing hardware firewalls, CHECK FOR FIRMWARE UPDATES.
For more information:
• Amy’s ISA in SBS blog:
http://isainsbs.blogspot.com
• ISA Server Resource site
http://www.isaserver.org
• Dana’s security blog:
http://silverstr.ufies.org
• Firewall Dashboard
http://www.scorpionsoft.com