Securing the Network Perimeter with ISA Server 2004
Martin Boller
Principal Consultant
Session Prerequisites
• Hands-on experience with Microsoft Windows Server
• Basic understanding of internal and remote network security fundamentals
• Experience implementing network resources such as Web servers, FTP servers, and computers running Microsoft Exchange Server
Level 200
Session Overview
• Introduction to ISA Server 2004
• Securing Access to Internal Servers
• Implementing Application and Web Filtering
• Securing Access to Exchange Server
• Virtual Private Networking with ISA Server 2004
• What is new in ISA Server 2004
Introduction to ISA Server 2004
Securing the Network Perimeter: What Are the Challenges?
[Diagram: a main office connected across the Internet to a business partner, a branch office, a wireless network, and a remote user]
Challenges include:
• Determining proper firewall design
• Access to resources for remote users
• Effective monitoring and reporting
• Need for enhanced packet inspection
• Security standards compliance
Securing the Network Perimeter: What Are the Design Options?
[Diagram: the three firewall topologies]
• Bastion host: a single ISA Server between the Internet and the internal network
• Three-legged configuration: one ISA Server with three network adapters, connecting the Internet, a perimeter network (containing, for example, a Web server), and the internal network
• Back-to-back configuration: two firewalls with a perimeter network between them; the outer firewall faces the Internet and the inner firewall faces the internal network
Configuring ISA Server to Secure the Network Perimeter
Use ISA Server to:
• Provide firewall functionality
• Publish internal resources such as Web or Exchange servers
• Implement multilayer packet inspection and filtering
• Provide VPN access for remote users and sites
• Provide proxy and caching services
[Diagram: ISA Server sits between the Internet and the LAN, acting as firewall, VPN server, and proxy in front of the internal Web server and Exchange Server; Internet users and remote users connect from outside]
Installing ISA Server 2004
Requirements:
Component          Requirement
Operating system   Windows 2000 Server or Windows Server 2003
CPU                500 MHz
RAM                256 MB
Hard disk format   NTFS
Hard disk space    150 MB
Network adapters   Internal NIC and external NIC
Installation steps:
• Choose an installation type and installation components
• Configure the internal network
What Is the ISA Server 2004 Default Configuration?
The ISA Server default configuration:
• Blocks all network traffic between networks connected to ISA Server
• Only members of the local Administrators group have administrative permissions
• Default networks are created
• Access rules include system policy rules and the default access rule
• No servers are published
• Caching is disabled
• The Firewall Client Installation Share is accessible if installed
Managing ISA Server 2004
Monitoring ISA Server 2004
Component     Explanation
Alerts        Monitors ISA Server for configured events and then performs actions when the specified events occur
Sessions      Provides information on the current client sessions
Logging       Provides detailed information about the Web proxy, Microsoft Firewall service, or SMTP Message Screener
Reports       Summarizes information about the usage patterns on ISA Server
Connectivity  Enables monitoring of connections from the computer running ISA Server to any other computer or URL on any network
Performance   Monitors server performance in real time, creates a log file of server performance, or configures performance alerts
Configuring Access Rules
Types of access rule elements used to create access rules are:
• Protocols
• User sets
• Content types
• Schedules
• Network objects
Access rules always define an action on traffic from a user, from a source, to a destination, with conditions:
• Action: Allow or Deny
• User
• Source: source network or source IP
• Destination: destination network, destination IP, or destination site
• Conditions: protocol (IP port/type), schedule, and content type
Configuring ISA Server to Enable Access to Internet Resources
For each request, ISA Server checks: Is the…
• User allowed access?
• Computer allowed access?
• Protocol allowed?
• Destination allowed?
• Content allowed?
[Diagram: the client request passes through ISA Server, acting as proxy server, to the Web server]
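As an added example (not part of the deck and not ISA Server's own code), the following Python model shows how an ordered rule set of the kind described on these slides is evaluated: rules are checked in order, the first rule whose elements all match decides, and a request that matches no rule falls through to the default rule, which denies. The network objects, rule set, account names and requests are constructed for the example; the last sample deliberately runs the same rules in the wrong order to show why rule order has to be planned.

```python
from dataclasses import dataclass, field
from datetime import datetime
from ipaddress import ip_address, ip_network

# Network objects: name -> address ranges (constructed sample values, not a real ISA configuration)
NETWORKS = {
    "Internal": [ip_network("10.0.0.0/8")],
    "Perimeter": [ip_network("192.168.100.0/24")],
    "External": [ip_network("0.0.0.0/0")],  # everything not claimed by a more specific network
}

def network_of(ip: str) -> str:
    """Map an address to the most specific named network (longest prefix wins)."""
    addr = ip_address(ip)
    best, best_len = "External", -1
    for name, ranges in NETWORKS.items():
        for net in ranges:
            if addr in net and net.prefixlen > best_len:
                best, best_len = name, net.prefixlen
    return best

@dataclass
class Request:
    user: str          # authenticated account, or "anonymous"
    src_ip: str
    dst_ip: str
    dst_site: str      # destination host name
    protocol: str      # "HTTP", "HTTPS", "FTP", ...
    content_type: str  # MIME type of the content, e.g. "text/html"
    when: datetime

@dataclass
class AccessRule:
    """An action on traffic from user, from source, to destination, with conditions.
    An empty set means that element is unrestricted and matches anything."""
    name: str
    action: str                                   # "Allow" or "Deny"
    protocols: set = field(default_factory=set)
    users: set = field(default_factory=set)
    src_networks: set = field(default_factory=set)
    dst_networks: set = field(default_factory=set)
    dst_sites: set = field(default_factory=set)
    content_types: set = field(default_factory=set)
    schedule: tuple = None                        # (weekdays, start_hour, end_hour); None = always

    def matches(self, r: Request) -> bool:
        if self.protocols and r.protocol not in self.protocols:
            return False
        if self.users and r.user not in self.users:
            return False
        if self.src_networks and network_of(r.src_ip) not in self.src_networks:
            return False
        if self.dst_networks and network_of(r.dst_ip) not in self.dst_networks:
            return False
        if self.dst_sites and r.dst_site not in self.dst_sites:
            return False
        if self.content_types and r.content_type not in self.content_types:
            return False
        if self.schedule is not None:
            days, start, end = self.schedule
            if r.when.weekday() not in days or not (start <= r.when.hour < end):
                return False
        return True

# The default rule sits last and matches everything, so traffic no rule claims is denied.
DEFAULT_RULE = AccessRule(name="Default rule", action="Deny")

def evaluate(rules: list, r: Request) -> tuple:
    """First-match evaluation: (action, rule name) of the first rule in order that matches."""
    for rule in list(rules) + [DEFAULT_RULE]:
        if rule.matches(r):
            return rule.action, rule.name

# Constructed sample policy. Order matters: the narrow deny must precede the broad allow.
POLICY = [
    AccessRule("Block executable downloads", "Deny",
               protocols={"HTTP", "HTTPS"}, src_networks={"Internal"}, dst_networks={"External"},
               content_types={"application/octet-stream", "application/x-msdownload"}),
    AccessRule("Allow Web access for staff", "Allow",
               protocols={"HTTP", "HTTPS"}, users={"CORP\\alice", "CORP\\bob"},
               src_networks={"Internal"}, dst_networks={"External"},
               schedule=({0, 1, 2, 3, 4}, 8, 18)),  # Monday to Friday, 08:00-18:00
]

def sample_decisions() -> dict:
    """Constructed requests run through POLICY, plus one run with the rules in the wrong order."""
    monday = datetime(2024, 1, 8, 10, 0)     # a Monday at 10:00
    saturday = datetime(2024, 1, 13, 10, 0)  # a Saturday at 10:00
    base = dict(src_ip="10.1.2.3", dst_ip="203.0.113.10", dst_site="www.example.com")
    html = Request("CORP\\alice", protocol="HTTP", content_type="text/html", when=monday, **base)
    exe = Request("CORP\\alice", protocol="HTTP", content_type="application/octet-stream", when=monday, **base)
    weekend = Request("CORP\\alice", protocol="HTTP", content_type="text/html", when=saturday, **base)
    anonymous = Request("anonymous", protocol="HTTP", content_type="text/html", when=monday, **base)
    return {
        "html_in_hours": evaluate(POLICY, html),
        "exe_download": evaluate(POLICY, exe),
        "weekend": evaluate(POLICY, weekend),
        "anonymous": evaluate(POLICY, anonymous),
        "exe_download_wrong_order": evaluate(list(reversed(POLICY)), exe),
    }
```

With the rules in the intended order an executable download is denied by the first rule; with the order reversed the broad allow rule claims the same request first and the deny never fires, which is the ordering problem the deployment slide warns about.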
Implementing Network Templates to Configure ISA Server 2004
[Diagram: the three topologies, each matched to a network template]
• Bastion host (internal network only): deploy the Edge Firewall template
• Three-legged configuration (internal network plus a perimeter network with a Web server): deploy the 3-Leg Perimeter template
• Back-to-back configuration (Internet, perimeter network, internal network): deploy the Front End or Back End template on the respective ISA Server
• Web proxy and caching only: deploy the Single Network Adapter template
Deploying ISA Server 2004: Best Practices
To deploy ISA Server to provide Internet access:
• Plan for DNS name resolution
• Create the required access rule elements and configure the access rules
• Plan the access rule order
• Implement the appropriate authentication mechanisms
• Test access rules before deployment
• Deploy the Firewall Client for maximum security and functionality
• Use ISA Server logging to troubleshoot Internet connectivity issues
Securing Access to Internal Servers
Securing Access to Internal Servers: What Are the Challenges?
The challenges vary depending on the type of access that is required:
Access to public Web sites:
• Ensure that only the specified Web sites are accessible
• Filter traffic at the application layer
• Hide the complexity of the internal network
Access to secure Web sites:
• Enable authentication
• Enable data encryption
Access to non-Web resources:
• Ensure that only the specified servers are accessible
• Filter traffic at the application layer
What Is ISA Server Publishing?
ISA Server enables three types of publishing rules:
Web publishing rules for publishing Web sites using HTTP
Secure Web publishing rules for publishing Web sites that require SSL for encryption
Server publishing rules for publishing servers that do not use HTTP or HTTPS
Implementing ISA Server Web Publishing Rules
To create a Web publishing rule, configure:
• Action
• Name or IP address
• Users
• Web listener
• Path mappings
• Bridging
• Link translation
• Traffic source
• Public name
Implementing ISA Server Secure Web Publishing Rules
To create a secure Web publishing rule:
• Choose an SSL bridging mode or SSL tunneling
• Install a digital certificate on ISA Server, on a Web server, or on both
• Configure a Web listener for SSL
• Configure a secure Web publishing rule
SSL Bridging – Understand the Certificates
[Diagram: a client on the Internet, ISA Server, and the OWA server, joined by two separate SSL tunnels]
• The client creates an SSL tunnel to ISA Server using the ISA Server certificate; ISA Server pre-authenticates the user and terminates the SSL tunnel.
• ISA Server creates a new SSL tunnel to the OWA server using the OWA server certificate.
• The client gets the ISA Server certificate and verifies trust: the certificate is OK because its root CA (VeriSign in the diagram) is already in the client's Trusted Root Certification Authorities store.
• ISA Server gets the OWA certificate and verifies trust: the certificate is BAD when its root CA ("My Root CA" in the diagram) is not in the Trusted Root Certification Authorities store of the Local System account on ISA Server, and the client sees the error "505 Cert chain broken".
• Add the root CA that issued the OWA certificate to the Local System store on ISA Server; the OWA certificate then verifies as OK.
Implementing Server Publishing Rules
To create a server publishing rule, configure:
• Action
• Traffic
• Traffic source
• Traffic destination
• Networks
To enable secure server publishing, configure ISA Server to publish a secure protocol, and then install a server certificate on the published server
Securing Access to Internal Servers: Best Practices
To enable access to internal servers:
• Implement a split DNS for internal and external access to the resources
• Become familiar with Web access error messages
• Implement SSL certificates correctly
Implementing Application and Web Filtering
Firewall Requirements: Multiple-Layer Filtering
Packet filtering:
• Filters packets based on information in the network and transport layer headers
• Enables fast packet inspection, but cannot detect higher-level attacks
Stateful filtering:
• Filters packets based on the TCP session information
• Ensures that only packets that are part of a valid session are accepted, but cannot inspect application data
Application filtering:
• Filters packets based on the application payload in network packets
• Can prevent malicious attacks and enforce user policies
Application and Web Filters in ISA Server 2004
Application filters:
• Are add-ons to the firewall service
• Enable firewall traversal for complex protocols
• Enable application-layer intrusion detection
• Enable application-layer content filtering
Web filters:
• Are DLLs based on the ISAPI model
• Enable request and response scanning and modification
• Enable blocking of specific responses
• Enable traffic logging and analysis
• Enable data encryption and compression
• Enable custom authentication schemes
Implementing HTTP Web Filtering in ISA Server 2004
Use HTTP Web filtering to:
• Filter traffic from internal clients to other networks
• Filter traffic from Internet clients to internal Web servers
HTTP Web filtering is rule-specific: you can configure different filters for each access or publishing rule
HTTP Web filtering can block HTTP packets based on:
• Length of request headers and payload
• Length of URL
• HTTP request method
• HTTP request file name extension
• HTTP request or response header
• Signature or pattern in the response header or body
Implementing the HTTP Web Filter: Best Practices
To configure a baseline HTTP filter:
• Configure maximum header, payload, URL, and query lengths
• Verify normalization, and do not block high-bit characters
• Allow only GET, HEAD, and POST
• Block executable and server-side includes extensions
• Block potentially malicious signatures
Use the HTTPFilterConfig.vbs script from the ISA Server CD to import and export HTTP filter configurations
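Added example (not code from the deck and not the ISA Server HTTP filter itself): a small Python checker that applies the baseline from these two slides to raw HTTP requests. It enforces maximum header, payload, URL and query lengths; verifies normalization by decoding the path once and rejecting anything that still carries percent-encoding (double encoding) while leaving high-bit characters alone; allows only GET, HEAD and POST; blocks executable and server-side-include extensions; and blocks signatures in the URL or request headers. The limits, extension list, signatures and sample requests are constructed values for the example, not ISA Server defaults.

```python
import re
from urllib.parse import unquote, urlsplit

# Constructed baseline values for this example; they are not the ISA Server defaults.
BASELINE = {
    "max_headers_length": 32 * 1024,    # bytes of request line plus headers
    "max_payload_length": 1024 * 1024,  # bytes of request body
    "max_url_length": 2048,
    "max_query_length": 1024,
    "allowed_methods": {"GET", "HEAD", "POST"},
    # executable and server-side-include extensions
    "blocked_extensions": {".exe", ".dll", ".com", ".bat", ".cmd", ".shtml", ".shtm", ".stm"},
    # (where, pattern): case-insensitive substring match in the URL or in the request headers
    "blocked_signatures": [("request-url", "xp_cmdshell"), ("request-header", "Kazaa")],
}

_PCT = re.compile(r"%[0-9A-Fa-f]{2}")

def parse_request(raw: bytes) -> dict:
    """Split a raw HTTP/1.x request into method, target, headers (lower-cased names) and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")   # latin-1 keeps high-bit bytes as characters
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "headers": headers,
            "head_length": len(head), "body": body}

def check_request(raw: bytes, policy: dict = BASELINE) -> list:
    """Return the baseline violations for one request; an empty list means it passes."""
    req = parse_request(raw)
    problems = []
    target = req["target"]
    parts = urlsplit(target)
    if req["method"] not in policy["allowed_methods"]:
        problems.append(f"method {req['method']} not allowed")
    if req["head_length"] > policy["max_headers_length"]:
        problems.append("request headers too long")
    if len(req["body"]) > policy["max_payload_length"]:
        problems.append("payload too long")
    if len(target) > policy["max_url_length"]:
        problems.append("URL too long")
    if len(parts.query) > policy["max_query_length"]:
        problems.append("query too long")
    # Normalization: decode the path once; any %xx left over means it was double-encoded.
    # High-bit characters are left alone on purpose (the baseline says not to block them).
    path = unquote(parts.path)
    if _PCT.search(path):
        problems.append("URL not normalized (double encoding)")
    filename = path.rsplit("/", 1)[-1]
    ext = "." + filename.rsplit(".", 1)[1].lower() if "." in filename else ""
    if ext in policy["blocked_extensions"]:
        problems.append(f"extension {ext} blocked")
    url_text = (path + "?" + unquote(parts.query)).lower()
    header_text = "\r\n".join(f"{k}: {v}" for k, v in req["headers"].items()).lower()
    for where, pattern in policy["blocked_signatures"]:
        haystack = url_text if where == "request-url" else header_text
        if pattern.lower() in haystack:
            problems.append(f"signature {pattern!r} in {where}")
    return problems

# Constructed sample requests (not captured traffic).
SAMPLE_REQUESTS = {
    "clean": b"GET /index.html?page=1 HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    "trace": b"TRACE / HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    "exe": b"GET /downloads/setup.exe HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    "double_encoded": b"GET /downloads/file%2520name.pdf HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    "high_bit": "GET /r\u00e9sum\u00e9.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n".encode("latin-1"),
    "sql_sig": b"GET /search?q=xp_cmdshell HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    "p2p": b"GET / HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: KazaaClient\r\n\r\n",
    "long_query": b"GET /search?q=" + b"a" * 2000 + b" HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
}

def run_samples() -> dict:
    """Check every sample and return the violations keyed by sample name."""
    return {name: check_request(raw) for name, raw in SAMPLE_REQUESTS.items()}
```

The "high_bit" sample passes untouched while the double-encoded one is rejected, which is the distinction the second bullet makes: normalization is about escaped sequences surviving a decode, not about non-ASCII characters.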
Securing Access to Exchange Server
Secure Client Access to Exchange Server: What Are the Challenges?
[Diagram: clients reach Exchange through ISA Server and an Exchange front-end server, which connects to the Exchange back-end servers]
Client access methods to secure:
• Outlook Mobile Access (XHTML, cHTML, HTML)
• ActiveSync-enabled mobile devices
• Outlook Web Access, including from a wireless network
• Outlook using RPC
• Outlook using RPC over HTTP
• Outlook Express using IMAP4 or POP3
Configuring Secure Outlook RPC Client Access
[Diagram: the Outlook client connects to port 135 on ISA Server and is mapped through to the Exchange servers; the labels show Exchange UUID = 3000 on the ISA Server side and Exchange UUID = 2000 on the Exchange side]
Use the mail server publishing rule to enable Outlook RPC connections
Configuring RPC over HTTP Client Access
RPC over HTTP requires:
• Outlook 2003 running on Windows XP
• Exchange Server 2003 running on Windows Server 2003 and Windows Server 2003 global catalog servers
• Windows Server 2003 server running RPC proxy server
• Modifying the Outlook profile to use RPC over HTTP to connect to the Exchange server
To enable RPC over HTTP connections through ISA Server, use the Secure Web Publishing Wizard to publish the /rpc/* virtual directory
Configuring ISA Server for Outlook Web Access
To configure ISA Server to enable OWA access:
1. Use the Mail Server Publishing Wizard to publish the OWA server
2. Configure a bridging mode. For best security, secure the connection from client to ISA Server and from ISA Server to OWA server
3. Configure a Web listener for OWA publishing. Choose forms-based authentication for the Web listener
Forms-based authentication ensures that user credentials are not stored on the client computer; it can also be used to block access to attachments
Securing Access to Exchange Server: Best Practices
• Enable Outlook RPC connections for pre–Exchange Server 2003 and Outlook 2003 environments
• Use forms-based authentication on ISA Server for OWA
• Implement RPC over HTTP with SSL
• Explore the use of additional ISA Server features to protect computers running Exchange Server
• Consider third-party add-ons for ISA Server to protect computers running Exchange Server
Virtual Private Networking with ISA Server 2004
Virtual Private Networking: What Are the Challenges?
VPNs provide a secure option for communicating across a public network
VPNs are used in two primary scenarios:
• Network access for remote clients
• Network access between sites
VPN quarantine control provides an additional level of security by providing the ability to check the configuration of the VPN client machines before allowing them access to the organization's network
Enabling Virtual Private Networking with ISA Server
ISA Server enables VPN access:
• By including remote-client VPN access for individual clients and site-to-site VPN access to connect multiple sites
• By enabling VPN-specific networks, including:
  • VPN Clients network
  • Quarantined VPN Clients network
  • Remote-site network
• By using network and access rules to limit network traffic between the VPN networks and the other networks with servers running ISA Server
• By extending RRAS functionality
Enabling VPN Client Connections
To enable VPN client connections:
• Choose a tunneling protocol
• Choose an authentication protocol; use MS-CHAP v2 or EAP if possible
• Enable VPN client access in ISA Server Management
• Configure user accounts for remote access
• Configure remote-access settings
• Configure firewall access rules for the VPN Clients network
Implementing Site-to-Site VPN Connections
To enable site-to-site VPN connections:
• Choose a tunneling protocol
• Configure the remote-site network
• Configure network rules and access rules to enable open communications between networks, or controlled communications between networks
• Configure the remote-site VPN gateway
How Does Network Quarantine Work?
[Diagram: a VPN client runs the quarantine script and Rqc.exe; the quarantine remote access policy places it in the Quarantined VPN Clients network on ISA Server until the check passes, after which it is moved to the VPN Clients network and can reach the domain controller, Web server, DNS server, and file server]
Implementing Network Quarantine
To implement quarantine control on ISA Server:
1. Create a client-side script that validates client configuration
2. Use CMAK to create a CM profile for remote-access clients
3. Create and install a listener component
4. Enable quarantine control on ISA Server
5. Configure network rules and access rules for the Quarantined VPN Clients network
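Added example for step 1 (not code from the deck or from Microsoft): a Python model of the decision logic a quarantine script has to implement. It evaluates a constructed snapshot of the client configuration against a constructed policy (operating system, service pack, host firewall, antivirus signature age), and only a client with no failures gets the Rqc.exe notification that releases it from the Quarantined VPN Clients network; anything else stays quarantined. A script deployed through a CM profile would normally be a batch or VBScript file that gathers these values from the machine itself; the Rqc.exe argument order (ConnName, TunnelConnName, TCPPort, Domain, UserName, ScriptVersion) and the listener port 7250 are my recollection of the Windows Server 2003 quarantine documentation and should be treated as assumptions to verify against your own RQS/RQC installation.

```python
from datetime import date

# Constructed policy for this example: what the client must show before it leaves quarantine.
POLICY = {
    "required_os": "Windows XP",
    "required_service_pack": 2,
    "firewall_required": True,
    "max_signature_age_days": 7,
    "script_version": "Version1-0",  # reported to the listener so outdated scripts can be refused
}

def validate_client(snapshot: dict, policy: dict = POLICY, today: date = date(2004, 9, 1)) -> list:
    """Return the failed checks for a client configuration snapshot; empty means compliant."""
    failures = []
    if snapshot.get("os") != policy["required_os"]:
        failures.append("unsupported operating system")
    if snapshot.get("service_pack", 0) < policy["required_service_pack"]:
        failures.append("service pack too old")
    if policy["firewall_required"] and not snapshot.get("firewall_enabled", False):
        failures.append("host firewall disabled")
    sig_date = snapshot.get("av_signature_date")
    if sig_date is None or (today - sig_date).days > policy["max_signature_age_days"]:
        failures.append("antivirus signatures missing or stale")
    return failures

def rqc_command(conn_name: str, tunnel_conn_name: str, domain: str, user: str,
                policy: dict = POLICY, port: int = 7250) -> list:
    """Command line for Rqc.exe, which tells the listener on ISA Server that the client passed.
    Argument order and listener port are assumptions (see the lead-in), not taken from the deck."""
    return ["rqc.exe", conn_name, tunnel_conn_name, str(port), domain, user, policy["script_version"]]

def run_quarantine_check(snapshot: dict, conn_name: str = "Corp VPN", tunnel_conn_name: str = "",
                         domain: str = "CORP", user: str = "alice") -> dict:
    """Fail closed: only a client with no failures gets a notification command; others stay quarantined."""
    failures = validate_client(snapshot)
    command = None if failures else rqc_command(conn_name, tunnel_conn_name, domain, user)
    # A real script would execute the command (for example with subprocess.run); here it is returned.
    return {"failures": failures, "release": not failures, "command": command}

# Constructed client snapshots (what a real script would collect from the local machine).
COMPLIANT = {"os": "Windows XP", "service_pack": 2, "firewall_enabled": True,
             "av_signature_date": date(2004, 8, 30)}
NON_COMPLIANT = dict(COMPLIANT, firewall_enabled=False, av_signature_date=date(2004, 7, 1))
```

Because the script runs on a machine the organisation does not yet trust, it reports a version string so that the listener can refuse results from scripts that no longer match the current policy, and it never emits the release notification unless every check passed.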
Configuring VPN Access Using ISA Server: Best Practices
• Use strongest possible authentication protocols
• Enforce the use of strong passwords when using PPTP
• Avoid the use of pre-shared keys for L2TP/IPSec
• Configure access rules to control access for VPN clients and site-to-site VPN connections
• Use access rules to provide quarantined VPN clients with the means to meet the security requirements
What is new in ISA Server 2004 Enterprise Edition
What is new in ISA Server 2004 Enterprise Edition
[Diagram: one Management Console manages several ISA Server 2004 arrays; every array member keeps a local configuration copy, and the configuration is held in the Configuration Storage Server (CSS, based on ADAM) and replicated between CSS instances]
What is new in ISA Server 2004 Enterprise Edition
Methods for providing load balancing, high availability and fault tolerance:
• All client types support round-robin DNS
• Web clients support CARP
• Firewall clients support client fault tolerance
• Transparent clients support NLB
NLB is only officially supported on ISA Server 2004 Enterprise Edition, where the built-in wizard provides:
• Bi-directional affinity
• Multi-network support
• VPN load balancing
What is new in ISA Server 2004 Enterprise Edition
[Diagram: ISA1 and ISA2 each have an external and an internal adapter; the external adapters form one NLB cluster facing the Internet and the internal adapters form a second NLB cluster facing the clients]
Session Summary
• ISA Server 2004 is secure by default because it blocks all traffic; configure access rules to provide the fewest possible access rights
• Many applications now use HTTP as a tunneling protocol; use HTTP filtering to block the applications
• Implementing Outlook RPC publishing and RPC over HTTP publishing means that users can use Outlook from anywhere
• Implement ISA Server publishing rules to make internal resources accessible from the Internet
• Use access rules to limit access for VPN remote-access clients, site-to-site VPN clients, and network quarantine clients
Next Steps
• Find additional security training events: http://www.microsoft.com/seminar/events/security.mspx
• Sign up for security communications: http://www.microsoft.com/technet/security/signup/default.mspx
• Attend Course 2824A: Implementing Microsoft Internet Security and Acceleration Server 2004: http://www.microsoft.com/learning/syllabi/en-us/2824afinal.mspx
• Get additional security information on ISA Server: http://www.microsoft.com/technet/security/prodtech/isa/default.mspx
Questions and Answers