ISA Server 2004 Introduction
TRANSCRIPT
Владимир Александров, MCT, MCSE, MCSD, MCDBA
Корус, Manager
[email protected]
Agenda
Firewall evolution
ISA2004 Overview
More features drilldown
Scenarios and demos
Firewall Evolution
Traditional Firewalls
Problem: Wide open to advanced attacks
Implications: Code Red, Nimda; SSL-based attacks
Problem: Performance vs. security tradeoff
Implications: Bandwidth too expensive; Too many moving parts
Problem: Limited capacity for growth
Implications: Not easily upgradeable; Don’t scale with business
Problem: Hard to manage
Implications: Security is complex; IT already overloaded
ISA2004 Overview
What is ISA2004
Full blown edge firewall
Wide variety of firewall edge scenarios
VPN, Proxy & Cache
Very easy to use
Easy installation & setup
Easy policy configuration
Reduced risk of configuration mistakes
Advanced protection for MS applications
Built in MS-specific filters
Defense in Depth
High performance
Highly secure platform
Scenarios
Edge Firewall
Multi Networks
DMZ
Web Caching
Secure Publishing
Exchange
Web servers
Others
Remote Access (VPN)
Branch office
Remote site security
S2S VPN – Including IPSec (for interop)
Integrated Solution
Single edge security solution
Easy
Unified management
What’s new vs. ISA2000?
Support for multiple networks
New integrated single policy model
Intuitive UI
Application Layer Filtering improvements
Logging & monitoring
Integrated VPN
Security Enhancements
And more…
Multiple Networks
ISA 2000 networking model
(Diagram: Internal Network, Internet, DMZ 1, ISA 2000, Static PF)
• Single “outbound” policy
• “In” (LAT) and “out” (Internet, DMZ)
• Only Static filtering from DMZ to Internet
The new networking model
(Diagram: Network A, Network B, Internet, DMZ 1, DMZ 2, VPN Network, ISA 2004)
• Any number of networks
• Assigned relationships
• Per network policy
• VPN represented as network
Isolation of the firewall host
Demo 1: Connecting networks
New Policy Model
ISA 2000 rules
Basic ISA 2000 rules:
Protocol rules
Site and Content rules
Static packet filters
Publishing rules
Web publishing rules
Other filtering configuration
Other ISA 2000 rules:
Address translation rules
Web routing rules
Cache rules
(Diagram labels: Configuration policy; Firewall policy)
ISA 2004 Policy Rules
Single rule base
Rules evaluated in order
Support for multiple networks
Integration with application filtering – part of rule
System rules for built in policies
Rich set of building blocks
User Interface
The User Interface
Drag & Drop toolbox
Task pane for common tasks
Wizards
Network templates
(Screenshot labels: Dashboard, Policy Editor, Toolbox, Network Templates, Task Bars)
MMC…On Steroids!
Application Layer Filtering
IP/Port filtering is not enough
Hackers attack via application layer vulnerabilities (Nimda, Slammer...)
HTTP - the carrier protocol
Users need the ability to define fine-grain, application-level security policies.
Firewalls need to understand applications, beyond TCP/IP
ISA 2004’s application filtering
Open platform for app layer filtering
Built in filters for common protocols
Scenario-driven design (protect Exchange, IIS)
Rich partners community
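An added illustration, not ISA Server code, of the policy model slide above (one ordered rule base, first match wins, networks with assigned relationships) together with the point that port-level filtering alone is not enough: an application-layer HTTP check is attached to an allow rule, so traffic on an open port is still refused when it is not real HTTP. The network names, the rule layout and the HTTP check are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Callable, Optional

# Constructed assumption: two networks only exchange traffic when a
# relationship is assigned between them (ISA 2004 assigns NAT or Route
# relationships per network pair).
RELATIONSHIPS = {
    ("Internal", "External"): "NAT",
    ("DMZ", "External"): "Route",
}

@dataclass
class Rule:
    name: str
    action: str                 # "allow" or "deny"
    protocols: frozenset
    src: frozenset              # source networks
    dst: frozenset              # destination networks
    # application-layer check that is part of the rule, not a separate layer
    http_filter: Optional[Callable[[str], bool]] = None

def basic_http_check(payload: str) -> bool:
    """Constructed check: the request line must be well-formed HTTP with one of
    a few allowed methods, so non-HTTP bytes riding the HTTP port are refused."""
    request_line = payload.split("\r\n", 1)[0]
    parts = request_line.split(" ")
    return (len(parts) == 3 and parts[0] in {"GET", "HEAD", "POST"}
            and parts[2].startswith("HTTP/1."))

def evaluate(rules, src_net, dst_net, protocol, payload=""):
    """First matching rule in the ordered rule base decides; an allow rule with
    an application filter only passes what the filter accepts; no match = deny."""
    if (src_net, dst_net) not in RELATIONSHIPS and (dst_net, src_net) not in RELATIONSHIPS:
        return ("deny", "no network relationship")
    for rule in rules:
        if protocol in rule.protocols and src_net in rule.src and dst_net in rule.dst:
            if rule.action == "allow" and rule.http_filter and not rule.http_filter(payload):
                return ("deny", f"{rule.name}: blocked by application filter")
            return (rule.action, rule.name)
    return ("deny", "default deny")

# Constructed rule base; order matters: the DMZ deny is hit before the broader allow.
RULES = [
    Rule("Deny web from DMZ", "deny", frozenset({"HTTP"}),
         frozenset({"DMZ"}), frozenset({"External"})),
    Rule("Allow web out", "allow", frozenset({"HTTP"}),
         frozenset({"Internal", "DMZ"}), frozenset({"External"}),
         http_filter=basic_http_check),
]
```

Calling evaluate() with the same source network, destination network and protocol but different payloads shows the port-level decision and the application-level decision diverging.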
Logging and Monitoring
ISA Server 2004 Monitoring
Goals
Server Status – It’s a critical service
Troubleshooting – Quick and easy
Investigations – Attacks, mistakes
Future Planning – optimizing network performance
ISA 2004 Monitoring Tools
Dashboard – centralized view
Alerts – One place for all problems
Sessions – Active sessions view
Services – ISA services status
Connectivity – Connectivity to network svcs
Logging – Powerful viewer of ISA logs
Reports – Top users, Top sites, Cache hits…
(Screenshot slides: Dashboard; Logging; Reports)
Security Enhancements
Engine Security Enhancements
Session quota restrictions: Restriction of user sessions (protection against Denial of Service attacks)
IP options filtering: Filter out individual options
Lockdown mode: Restrict firewall machine access on service failures
Fail to most secure mode
And there’s more…
Authentication improvements
RADIUS
OWA Form authentication
SecurID
Integrated VPN
IPSec tunnel mode for interoperability
Quarantine support
Full control over RRAS
Performance Improvements
Kernel and user mode improvements
Web proxy improvements due to integration into the firewall
Demo 2: Secure publishing
Publishing Internal Mail Server
SMTP
POP3/IMAP4
RPC
Publishing Internal Exchange 2003 Server
Publishing Outlook web access
Publishing RPC over HTTP
Publishing RPC interfaces (NtFrs etc.)
Questions
© 2003 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.