Introduction to ISA 2004
Itai Almog
Software Development Engineer, ISA 2004 Team, Microsoft Corporation
itaia@microsoft.com
Agenda
Your needs from a firewall
Introduction to ISA 2004
Demo…
You Need To… / ISA 2004 Delivers!
Protect my clients from malicious Internet traffic: Advanced multi-layer filtering
Securely make e-mail available to outside employees: Exchange publishing
Securely make internal applications available on the Internet: Web and Server Publishing
Enable remote clients to connect to my corporate network: Remote Access VPN
Securely connect my branch offices to the corporate office: Site to Site VPN
Ensure fast access even with deep inspection: Caching, Advanced Architecture
Introducing ISA 2004
Advanced protection
Application level Filtering - ALF :-)
Best firewall to secure IIS
Best firewall to secure Exchange
Firewall resiliency
Application Level Filtering
In the beginning… applications used fixed ports. Your firewall can block ports.
Applications got smarter… Applications started to use the HTTP protocol as a transport protocol.
The fix: deep HTTP protocol inspection.
Diagram: an internal user behind a conventional firewall vs. ISA 2004, with the Internet, a Web server, IM and file sharing on the far side.
Administrators had control of their networks. Administrators lost control of their networks. ISA 2004 gives control back: it blocks tunneled traffic at the edge of networks.
Best Firewall to Secure IIS
HTTP filtering
Limit header length, query length and URL length; verify normalization
Allow only specified methods: GET, HEAD, POST
Block specified extensions: .exe, .bat, .cmd, .com…
Block content by signatures: .. , ./ , \ , : , % , &
URL scan: URL canonicalization, URL length…
Link Translation
A variety of authentication methods
SSL Bridging…
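To make the HTTP filtering rules above concrete, here is an added example (written for this page, not ISA Server code) of a small request filter that applies the same classes of check: length limits on headers, URL and query, a normalization check that rejects double encoding and dot segments, a method allow-list, and the blocked extensions and signatures from the slide. The numeric limits and the sample requests are assumed/constructed values.

```python
"""Added example for this page, not ISA Server code: a minimal request filter
applying the kinds of checks the slide lists for the ISA 2004 HTTP filter.
The numeric limits are assumed values, not ISA defaults."""
import posixpath
from dataclasses import dataclass
from typing import Optional, Tuple
from urllib.parse import unquote, urlsplit


@dataclass(frozen=True)
class HttpFilterPolicy:
    max_header_len: int = 4096       # assumed: longest allowed single header line
    max_url_len: int = 2048          # assumed: request target (path plus query)
    max_query_len: int = 1024        # assumed
    allowed_methods: frozenset = frozenset({"GET", "HEAD", "POST"})
    blocked_extensions: frozenset = frozenset({".exe", ".bat", ".cmd", ".com"})
    blocked_signatures: tuple = ("..", "./", "\\", ":", "%", "&")


def is_normalized(raw_path: str) -> bool:
    """A canonical URL decodes to itself: decoding a second time must not change
    it (double encoding), and it must not contain '.' or '..' path segments."""
    once = unquote(raw_path)
    if unquote(once) != once:
        return False
    return not any(seg in (".", "..") for seg in once.split("/"))


def check_request(request: str, policy: Optional[HttpFilterPolicy] = None) -> Tuple[bool, str]:
    """Return (allowed, reason) for a raw, CRLF-separated HTTP request head."""
    policy = policy or HttpFilterPolicy()
    lines = request.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3:
        return False, "malformed request line"
    method, target, _version = parts
    if method not in policy.allowed_methods:
        return False, f"method {method} not allowed"
    if len(target) > policy.max_url_len:
        return False, "URL too long"
    url = urlsplit(target)
    if len(url.query) > policy.max_query_len:
        return False, "query too long"
    if not is_normalized(url.path):
        return False, "URL not normalized"
    path, query = unquote(url.path), unquote(url.query)
    ext = posixpath.splitext(path)[1].lower()
    if ext in policy.blocked_extensions:
        return False, f"extension {ext} blocked"
    for sig in policy.blocked_signatures:        # signatures are matched on the decoded URL
        if sig in path or sig in query:
            return False, f"signature {sig!r} blocked"
    for header in lines[1:]:
        if header == "":
            break                                # end of the head; the body is not inspected here
        if len(header) > policy.max_header_len:
            return False, "header too long"
    return True, "ok"


# Constructed sample request heads used to exercise each rule.
CLEAN = "GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
BAD_METHOD = "DELETE /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
BAD_EXT = "GET /scripts/cmd.exe HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
DOUBLE_ENC = "GET /scripts/%252e%252e/secret.txt HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
TRAVERSAL = "GET /a/..%5c..%5csecret.txt HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
LONG_HDR = "GET / HTTP/1.1\r\nX-Long: " + "A" * 5000 + "\r\n\r\n"

if __name__ == "__main__":
    for name, req in [("clean", CLEAN), ("bad method", BAD_METHOD), ("bad ext", BAD_EXT),
                      ("double encoding", DOUBLE_ENC), ("traversal", TRAVERSAL), ("long header", LONG_HDR)]:
        print(f"{name:16s} -> {check_request(req)}")
```

The normalization check runs before the signature check on purpose: a double-encoded `%252e%252e` would not match the `..` signature until it is decoded twice, so the filter rejects anything that is not already canonical rather than trying to out-decode the attacker.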
Best Firewall to Secure IIS
Authentication delegation: the Web server prompts for authentication, and any Internet user can access this prompt. ISA Server pre-authenticates users, eliminating multiple dialog boxes and only allowing valid traffic through.
ISA Server with HTTP filtering (URLScan for ISA): ISA Server can stop Web attacks at the network edge, even over encrypted SSL.
SSL bridging: SSL tunnels through traditional firewalls because it is encrypted, which allows viruses and worms to pass through undetected… and infect internal servers! ISA Server 2004 can decrypt and inspect SSL traffic; inspected traffic can be sent to the internal server re-encrypted or in the clear.
Diagram: Internet client, traditional firewall vs. ISA Server 2004, Web server/OWA; SSL on the Internet leg, SSL or HTTP on the internal leg.
Securing Exchange
OWA Publishing
Based on IIS OWA filter: form-based authentication
Outlook RPC over HTTP
Native Outlook: RPC Publishing
Based on advanced RPC filter
Only Exchange interfaces are exposed
Transparent to the client
Firewall Resiliency
Flood-DoS protection
SYN-flood protection
Client connection quota
Applicable to Worm/Virus floods
Spoofed UDP packet flooding mitigation
Attack/Intrusion Detection
IP spoofing, DNS cache poisoning, DHCP poisoning, IP half-scan, Port scan
IP options filtering
Filter out individual options
Lockdown mode
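As an added example of the flood-protection and intrusion-detection ideas on this slide (client connection quota, SYN-flood/half-open detection, port-scan detection), the following code is written for this page and is not ISA Server's detection logic. It runs three sliding-window checks over a constructed connection log; the thresholds and the log are assumed values.

```python
"""Added example for this page, not ISA Server code: sliding-window detection of
a connection-quota breach, a SYN (half-open) flood and a port scan over a
constructed connection log."""
from collections import defaultdict, deque

# Constructed sample log: "<seconds> <src> <dst> <dport> <state>", state is
# SYN (half-open) or EST (completed handshake).
SAMPLE_LOG = "\n".join(
    ["0 10.0.0.5 192.0.2.10 80 EST",
     "1 10.0.0.5 192.0.2.10 443 EST"]
    # one source touching six distinct ports in two seconds
    + [f"{2 + i // 3} 10.0.0.9 192.0.2.10 {p} SYN" for i, p in enumerate([21, 22, 23, 25, 80, 110])]
    # one source opening 30 half-open connections to port 80 in eight seconds
    + [f"{4 + i // 4} 10.0.0.7 192.0.2.10 80 SYN" for i in range(30)]
)


def parse_log(text):
    """Turn the text log into (t, src, dst, dport, state) tuples."""
    events = []
    for line in text.strip().splitlines():
        t, src, dst, port, state = line.split()
        events.append((int(t), src, dst, int(port), state))
    return events


def detect(events, window=10, quota=10, half_open_limit=20, scan_ports=5):
    """Return {src: [alerts]} using a per-source sliding window of `window` seconds.
    Thresholds are assumed values chosen for the sample log."""
    alerts = defaultdict(set)
    recent = defaultdict(deque)            # src -> deque of (t, dport, state) inside the window
    for t, src, _dst, port, state in sorted(events):
        q = recent[src]
        q.append((t, port, state))
        while q and t - q[0][0] > window:  # drop events that fell out of the window
            q.popleft()
        if len(q) > quota:
            alerts[src].add("connection quota exceeded")
        if sum(1 for _, _, s in q if s == "SYN") > half_open_limit:
            alerts[src].add("SYN flood (half-open connections)")
        if len({p for _, p, _ in q}) >= scan_ports:
            alerts[src].add("port scan")
    return {src: sorted(a) for src, a in alerts.items()}


if __name__ == "__main__":
    for src, found in detect(parse_log(SAMPLE_LOG)).items():
        print(src, found)
```

A real gateway would track half-open state from the TCP handshake rather than from a log flag, and would back the quota with a per-client drop action; the point here is that all three signals come from the same per-source window, which is why a single connection table can serve both the flood quota and the scan detector.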
Introducing ISA 2004
Integrated VPN
Remote client access
Diagram: remote client, across the Internet, to the firewall gateway and the corporate network.
Integrated VPN
Site to Site VPN
Diagram: main office firewall gateway, across the Internet, to the branch office firewall gateway.
Integrated VPN
Firewall + VPN = Better together
Unified policy
VPN traffic inspection
Unified management and monitoring
Comprehensive Authentication
Basic, Digest, NTLM, Kerberos
EAP (certificates, smartcards, others)
RADIUS, SecurID
VPN: MS-CHAPv2, CHAP, (S-PAP, PAP)
High Performance
Web caching
Optimized for application level filtering
Network Computing Magazine application layer firewall review (3/03): full inspection performance [Mbps], in the chart's order
Symantec FW 7.0: 67
Sidewinder: 122
Checkpoint NG FP3: 127
ISA 2000 FP1: 170
Introducing ISA 2004
Easy to deploy
Any number of networks
VPN as network
Localhost as network
NAT/Route relationships
Per-network policy
Diagram: ISA 2004 in the middle, connected to the VPN network, the Internet, the Local Host network, CorpNet_1 … CorpNet_n, DMZ_1 … DMZ_n and Net A.
Any topology, any policy!
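The multi-network model above (named networks, NAT or Route relationships between them, and policy written between networks rather than addresses) is easiest to see in code. The following is an added toy policy engine written for this page; it is not ISA Server's configuration format or rule engine, and the networks, relationships and rules are constructed values.

```python
"""Added example for this page, not ISA Server code: a toy per-network policy
engine. Hosts are classified into named networks, traffic between two networks
is only possible where a NAT or Route relationship is defined, and ordered
access rules are expressed between networks (first match wins, default deny)."""
import ipaddress

# Constructed network definitions; anything not listed is "Internet".
NETWORKS = {
    "Internal": ipaddress.ip_network("10.0.0.0/8"),
    "DMZ": ipaddress.ip_network("192.0.2.0/24"),
    "VPN Clients": ipaddress.ip_network("172.16.0.0/16"),
    "Local Host": ipaddress.ip_network("127.0.0.0/8"),
}

# Constructed relationships: NAT hides the source addresses, Route keeps them.
RELATIONSHIPS = {
    ("Internal", "Internet"): "NAT",
    ("VPN Clients", "Internet"): "NAT",
    ("DMZ", "Internet"): "Route",
    ("Internet", "DMZ"): "Route",
    ("VPN Clients", "Internal"): "Route",
}

# Constructed ordered rules: (name, action, from networks, to networks, ports or None for any).
RULES = [
    ("Web access", "allow", {"Internal", "VPN Clients"}, {"Internet"}, {80, 443}),
    ("Publish DMZ web server", "allow", {"Internet"}, {"DMZ"}, {80, 443}),
    ("VPN clients to internal", "allow", {"VPN Clients"}, {"Internal"}, None),
]


def network_of(ip):
    """Map an address to the first network that contains it, else 'Internet'."""
    addr = ipaddress.ip_address(ip)
    for name, net in NETWORKS.items():
        if addr in net:
            return name
    return "Internet"


def evaluate(src_ip, dst_ip, dst_port):
    """Return (action, relationship, rule_name) for one packet."""
    src_net, dst_net = network_of(src_ip), network_of(dst_ip)
    rel = RELATIONSHIPS.get((src_net, dst_net))
    if rel is None and src_net != dst_net:
        return ("deny", None, "no network relationship")   # no path between the networks at all
    for name, action, frm, to, ports in RULES:
        if src_net in frm and dst_net in to and (ports is None or dst_port in ports):
            return (action, rel, name)
    return ("deny", rel, "default rule")                    # implicit deny closes the policy


if __name__ == "__main__":
    for pkt in [("10.1.2.3", "203.0.113.5", 443), ("203.0.113.5", "192.0.2.10", 80),
                ("203.0.113.5", "10.1.2.3", 445), ("172.16.5.5", "10.1.2.3", 445)]:
        print(pkt, "->", evaluate(*pkt))
```

Note the two distinct deny outcomes: a packet between networks with no relationship is dropped before any rule is consulted, while a packet on a valid path that matches no rule falls through to the default rule. Keeping them separate makes the log say which of the two configuration layers blocked the traffic.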
Easy to Manage & troubleshoot
Network templates
Visual policy editor
Rich monitoring tools: Dashboard, powerful log viewer, Sessions viewer, Connectivity verifier, Reports
Screenshots: Network Templates, Policy Editor, Monitoring tools
Resources
Microsoft Israel ISA Server Home Page: http://www.microsoft.com/israel/isaserver/
Microsoft ISA Server Home Page: http://www.microsoft.com/isaserver/
Tom Shinder's “Unofficial” ISA Server Home Page http://www.isaserver.org/
Itai Almog itaia@microsoft.com
Get Secured!