Posted on 18-Dec-2015
Introduction to ISA 2004
Dana Epp
Microsoft Security MVP
Who am I?
Microsoft Windows Security MVP
Information Security Professional
Computer Security Software Architect
Small Business Owner
What do I know about firewalls?
I’ve written firewall code
I’ve deployed firewalls (big and small)
• 100’s of small businesses
• Many different verticals
  – Manufacturing
  – Medical
  – Professional Services
  – Educational
  – Financial
  – etc.
I’ve invented new firewalls
I know a bit about them.
• Caching
• Content filtering
• Application publishing
• Advanced application layer firewall
• Caching
• Content filtering
• Application publishing
• Advanced application layer firewall / VPN
ISA Server 2004
What’s the difference between ISA and other SMB firewalls?
Feature comparison chart
Features compared:
• Simple Ingress Filtering
• Simple Egress Filtering
• Complex Ingress Filtering
• Complex Egress Filtering
• Application Content Filtering
• Virtual Private Networking
• Web Caching
Firewall types compared: Microsoft ISA 2004, NAT Device, Typical Hardware Firewall, Advanced Hardware Firewall
Chart notes: Some have limited VPN; AD Authentication; Rarely available
Differences in SMB Firewalls
Patch management issues for the firewall
What’s the important difference?
A traditional firewall’s view of a packet
Diagram: the IP header (Source Address, Dest. Address, TTL, Checksum) and the TCP header (Sequence Number, Source Port, Destination Port, Checksum) are visible to the firewall; the application layer content shows only as “????????”.
• Only packet headers are inspected
  – Application layer content appears as a “black box”
• Forwarding decisions are based on port numbers
  – Legitimate traffic and application layer attacks use identical ports
Diagram labels: Internet; Expected HTTP Traffic; Unexpected HTTP Traffic; Attacks; Non-HTTP Traffic; Corporate Network
Problem. UFBP!
ISA Server’s view of a packet
• Packet headers and application content are inspected
Diagram: the IP header (Source Address, Dest. Address, TTL, Checksum), the TCP header (Sequence Number, Source Port, Destination Port, Checksum) and the application layer content are all visible, e.g. `<html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><title>MSNBC - MSNBC Front Page</title><link rel="stylesheet"`
• Forwarding decisions are based on content
  – Only legitimate and allowed traffic is processed
Diagram labels: Internet; Expected HTTP Traffic; Unexpected HTTP Traffic; Attacks; Non-HTTP Traffic; Corporate Network
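The two packet-view slides above contrast a decision made from the TCP header alone with one made from the application content. As an added illustration (not ISA code and not from the original deck), the following Python compares a port-only filter with a small HTTP protocol filter over constructed sample requests; the policy values (allowed port, allowed methods, URL length limit, required Host header) are assumptions for the example.

```python
import re

# Constructed sample requests as (dst_port, payload); not real captures.
SAMPLES = {
    "expected_http":   (80, b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    "unexpected_http": (80, b"TRACE / HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    "oversized_url":   (80, b"GET /" + b"A" * 3000 + b" HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    "non_http_on_80":  (80, b"\x16\x03\x01\x00\x5c\x01\x00\x00\x58\x03\x03"),  # TLS-like bytes, not HTTP
    "non_http_port":   (22, b"SSH-2.0-OpenSSH_9.0\r\n"),
}

ALLOWED_PORTS = {80}                          # hypothetical policy values for the example
ALLOWED_METHODS = {b"GET", b"HEAD", b"POST"}
MAX_URL_LEN = 2048
REQUEST_LINE = re.compile(rb"^([A-Z]+) (\S+) HTTP/1\.[01]\r\n")


def port_filter(dst_port: int, payload: bytes) -> tuple[bool, str]:
    """Traditional firewall: decides from the TCP header alone; the payload is a black box."""
    return (True, "port allowed") if dst_port in ALLOWED_PORTS else (False, "port not allowed")


def http_content_filter(dst_port: int, payload: bytes) -> tuple[bool, str]:
    """Application-layer filter: the port must be allowed AND the payload must be
    well-formed HTTP that satisfies policy (method, URL length, Host header)."""
    ok, reason = port_filter(dst_port, payload)
    if not ok:
        return ok, reason
    m = REQUEST_LINE.match(payload)
    if m is None:
        return False, "payload on an HTTP port is not an HTTP request"
    method, target = m.group(1), m.group(2)
    if method not in ALLOWED_METHODS:
        return False, f"method {method.decode()} not allowed"
    if len(target) > MAX_URL_LEN:
        return False, "request URL exceeds length limit"
    head, sep, _ = payload.partition(b"\r\n\r\n")
    if not sep:
        return False, "headers incomplete"
    if not any(h.lower().startswith(b"host:") for h in head.split(b"\r\n")[1:]):
        return False, "missing Host header"
    return True, "allowed"


def compare(samples=SAMPLES) -> dict:
    """name -> (port-filter decision, content-filter decision); True means forwarded."""
    return {n: (port_filter(p, d)[0], http_content_filter(p, d)[0]) for n, (p, d) in samples.items()}


if __name__ == "__main__":
    for name, (port_ok, content_ok) in compare().items():
        print(f"{name:16} port-filter={'pass' if port_ok else 'drop'}  content-filter={'pass' if content_ok else 'drop'}")
```

The port-only filter forwards everything addressed to TCP/80, including the TLS-like bytes and the disallowed method; only the content filter separates expected HTTP traffic from the rest.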
What’s new in ISA 2004?
Updated security architecture
Advanced Protection
Application layer security designed to protect Microsoft applications
• Deep content inspection
  – Enhanced, customizable HTTP protocol filters
  – Comprehensive and flexible policies
  – Stateful routing for all IP protocols
• Enhanced Exchange Server integration
  – Support for Outlook RPC over HTTP
  – Enhanced Outlook Web Access security
  – Easy to use configuration wizards
• Fully integrated VPN
  – Unified firewall -- VPN filtering
  – Site-to-site IPsec Tunnel Mode support
  – Network access quarantine
• Secure Internet Information Server and SPS
  – SSL Bridging for IIS and SPS
  – Easy to use Web publishing wizards
  – AD, RADIUS, SecurID authentication
New management tools and UI
Ease of Use
Efficient and cost effective network security
• Multi-network architecture
  – Unlimited network definitions and types
  – Firewall policy applied to all traffic
  – Per network routing relationships
• Network templates and wizards
  – Wizard simplifies routing configuration
  – Easy setup for common network topologies
  – Easily customized for sophisticated scenarios
• Visual policy editor
  – Firewall policy with single, ordered rule-base
  – Drag and drop editing, scenario-driven wizards
  – XML-based configuration import and export
• Enhanced trouble-shooting
  – Monitoring dashboard
  – Real-time log viewer
  – Content sensitive task panes
Commitment to integration
Fast, Secure Access
Empowers you to connect users to relevant information on your network in a cost efficient manner
• Enhanced architecture
  – High speed data transport
  – Utilizes latest Windows and PC hardware
  – High speed application filtering platform
• Web cache
  – Updated policy rules
  – Serve content locally
  – Pre-fetch content during low activity periods
• Internet access control
  – User- and group-based Web usage policy
  – Extensible by third parties
• Comprehensive authentication
  – New support for RADIUS and RSA SecurID
  – User- and group-based access policy
  – Third-party extensibility
Sample Scenarios
Scenario: Securely make email available to outside employees
Solution: Outlook over RPC, OMA, Virtual Private Networking
Scenario: Control Internet access and protect clients from malicious Internet traffic
Solution: Content filtering, scheduled access, firewall client
Scenario: Ensure fast access to the most frequently used web content
Solution: Web Proxy
Call to Action
• Give ISA 2004 a try
• Consider buying SBS Premium instead of SBS Standard.
• If managing hardware firewalls, CHECK FOR FIRMWARE UPDATES.
For more information:
• Amy’s ISA in SBS blog: http://isainsbs.blogspot.com
• ISA Server Resource site: http://www.isaserver.org
• Dana’s security blog: http://silverstr.ufies.org
• Firewall Dashboard: http://www.scorpionsoft.com
Dana Epp
Microsoft Security MVP