Internet security and Acceleration 2004 Presented By Jaime Hernandez Calvin Lau Nery Leon Nancy Smith

Date post: 12-Jan-2016

Transcript
Page 1

Internet security and Acceleration 2004

Presented By Jaime Hernandez, Calvin Lau, Nery Leon, Nancy Smith

Page 2

System requirements

Page 3

ISA 2000

• Standard Edition
  – Processor 3000 MHz or higher Pentium II
  – Memory 256 MB of RAM
  – One local hard disk partitioned with NTFS
  – Windows 2000 compatible network adapter
  – ISDN adapter

Page 4

ISA 2000

• Enterprise Edition
  – Same as standard edition
  – Add Windows Active Directory

• Difference in editions
  – Standard only supports four processors.

Page 5

ISA 2004

• Computers must be running
  – Microsoft Windows 2000 Server
  – Windows Server 2003

Page 6

Hardware Requirements

• Pentium III processor, 500 MHz or faster

• 256 MB of RAM

Page 7

Network Interface Cards

• Two are needed
  – External Interface
  – Internal Interface

• Creates multiple internal networks

Page 8

ISA Server 2004 Firewall

Sample network layout (addresses as shown on the slide):

Device / interface              IP address        Default gateway   DNS
SecureNAT client                10.0.1.2/24       10.0.1.1          10.0.1.1
ISA Server internal interface   10.0.1.1/24       None              10.0.1.1
ISA Server external interface   192.168.1.49/24   192.168.1.60      None
DSL router, internal side       192.168.1.60/24   None              None
DSL router, external side       Public            ISP Router        None

Page 9

Firewall Continued

• Critical Factors
  – DNS
  – DHCP

Page 10

Internet Security and Acceleration

Security Aspect

Page 11

Security

• Efficiently manage, restrict, and control Internet access

• Act as a circuit-level, packet-filtering, or application-level firewall

• Provide tiered firewall and caching policies

Page 12

Rules of ISA

• Site and content rules specify who can go to which sites during which times of the day

• Protocol rules detail the protocols that can be used

• Packet filters restrict or allow passage of data that meets the configuration

Page 13

More Rules

• Application filters coordinate access to special services and provide some intrusion detection

• Routing rules specify where data seeking a particular destination is transferred

• Mail server proxy rules direct incoming, authorized access by mailbox owners to POP3, SMTP and/or IMAP4 mail

Page 14

An Example

• Integrating ISA Server with Windows 2004 Active Directory lets you implement company rules that restrict most employees to free-ranging Internet access only during their prescribed lunch hour and before and after normal work hours. During normal working hours you can block them from all Internet access, restrict them to intranet servers, or permit access to some sites.

Page 15

Example Cont.

• Another option is to provide a select group of employees unrestricted Internet access, block another group from visiting specific sites, and permit a third group access to specific sites. You can also control access via the IP address of the requesting client machine, or strictly by the destination site or protocol used.

Page 16

Firewalling with ISA

• In the real world, it's difficult to get firewall configurations correct. What if you could get it right once, and mandate that all firewalls (or selected firewalls) apply the same sets of rules? What if you changed your mind? Would a change in rules at a centralized location propagate to some selected subset of firewalls?

Page 17

Firewalling with ISA

• Distributed applications need not mean an anarchical approach to firewall policy implementation. ISA Server provides tiered firewall and caching policies that permit strict centralized management and control but also let you define which portions of the network can perform what actions on their own.

Page 18

Internet Security and Acceleration

Acceleration Aspect

Page 19

High-Performance Web Cache

• Cache of Web objects

• Fast RAM caching

• ISA Server supports both forward caching, for outgoing requests to the Internet, and reverse caching, for incoming requests to your Web server. Your clients benefit from the full gamut of ISA Server caching and routing features.

• ISA Server includes a Hypertext Transfer Protocol (HTTP) redirector filter

Page 20

Scalability

• ISA Server Standard Edition is a stand-alone server that is designed to scale up to four processors.

• Internet Security and Acceleration (ISA) Server Enterprise Edition computers can be grouped together in arrays.

Page 21

Scalability continued

• Other features that enhance the scalability of ISA Server include the following:
  – Symmetric Multiprocessing.
  – Network Load Balancing.
  – Cache Array Routing Protocol (CARP).

Page 22

Distributed and Hierarchical Caching

• Chained/Hierarchical Caching

Page 23

Distributed and Hierarchical Caching

• Web Proxy Routing

Page 24

Chained Authentication

• With ISA Server, you are also able to support chained authentication when routing requests to an upstream server. Requests are chained to an upstream server when the ISA Server routing rules are configured to route to it. Before the request is routed, the downstream ISA Server might require client authentication. In addition, when the request is routed, the upstream server might also require it. In this case, the downstream ISA Server passes the client's authentication information to the upstream one.

• Sometimes, your upstream server may not be able to identify the clients requesting the object. In this case, the downstream ISA Server passes its own credentials to the upstream server, essentially acting as the client making the request. When you configure the downstream server settings, you specify the account to use when passing client requests to an upstream server. The upstream server delegates client authentication to the downstream proxy: it authenticates only the downstream server, and the client is thereby authenticated as well.
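The two chaining modes described above, as an added illustration (constructed here, not ISA Server code): the downstream proxy either forwards the client's own credentials to the upstream proxy, or, when the upstream cannot identify the clients, authenticates as a configured delegate account, so the upstream sees only the downstream server and the client identity is recorded downstream. Account names and secrets are made up.

```python
# Constructed accounts (not real): what each proxy is able to authenticate.
DOWNSTREAM_USERS = {"alice": "pw-alice", "bob": "pw-bob"}
UPSTREAM_ACCOUNTS = {"alice": "pw-alice", "isa-downstream": "delegate-secret"}


class UpstreamProxy:
    """Requires proxy authentication on every chained request."""

    def handle(self, request):
        creds = request.get("proxy_auth")
        if creds is None or UPSTREAM_ACCOUNTS.get(creds["user"]) != creds["secret"]:
            return {"status": 407, "authenticated_as": None}  # Proxy Authentication Required
        return {"status": 200, "authenticated_as": creds["user"]}


class DownstreamProxy:
    """Authenticates the client itself, then routes the request upstream."""

    def __init__(self, upstream, delegate_account=None):
        self.upstream = upstream
        self.delegate_account = delegate_account  # (user, secret) or None for pass-through
        self.audit = []  # in delegation mode only this log ties a request to a client

    def route(self, client_user, client_secret, uri):
        if DOWNSTREAM_USERS.get(client_user) != client_secret:
            return {"status": 407, "authenticated_as": None}
        if self.delegate_account is None:
            # Pass-through: the upstream sees the client's own credentials.
            creds = {"user": client_user, "secret": client_secret}
        else:
            # Delegation: the downstream proxy authenticates as the configured account.
            user, secret = self.delegate_account
            creds = {"user": user, "secret": secret}
        result = self.upstream.handle({"uri": uri, "proxy_auth": creds})
        self.audit.append((client_user, uri, result["status"]))
        return result
```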

Page 25

Active Caching

• Active caching is a way to keep objects fresh in the cache by verifying them with the origin Web server before the object actually expires and is accessed by a client.

• Pure popularity is not a good guide because many popular pages never expire due to clients refreshing the pages manually to keep the data fresh.

Page 26

Example of Active Caching

The following list traces the activity of a cached object:

• An object is requested by a client (possibly for the first time) and downloaded.

• The object expires.

• If a client accesses that object in a time period of less than n of its time to live (TTL) period, then it is added to the active cache list.

• As long as the object is accessed at least once in the n TTL period after being refreshed, it remains on the active cache list.

• While on the active cache list, the object will be refreshed before it expires. The exact time it is refreshed depends on how busy the proxy is. If the proxy is relatively idle, the object will be refreshed about 50 percent of the way to expiring. If the proxy is very busy, it will not be refreshed until just before it expires. Intermediate values of "busy" will lead to intermediate times of refreshing.

• If the object is not accessed in the specified period, then it is removed from the list and must meet the original criteria to be put back on the list.
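The trace above as an added simulation (constructed here, not ISA Server code): objects join the active cache list when accessed early in their TTL, are revalidated at a point that slides from 50 percent of the TTL when the proxy is idle to just before expiry when it is busy, and leave the list when a window passes without an access. The fraction n, the 0..1 busyness scale and the 95 percent ceiling for "just before expiry" are assumptions.

```python
class ActiveCache:
    """Constructed model of the active cache list (not ISA Server code).
    Times are seconds; n is the fraction of an object's TTL within which a
    client access must occur for the object to count as active."""

    def __init__(self, n=0.5):
        self.n = n
        self.objects = {}  # url -> {"ttl", "refreshed_at", "hit_in_window"}
        self.active = set()

    def fetch(self, url, ttl, now):
        """A client requests an object and it is downloaded from the origin server."""
        self.objects[url] = {"ttl": ttl, "refreshed_at": now, "hit_in_window": False}

    def access(self, url, now):
        """A client hits the cached copy; a hit early in the TTL puts or keeps it on the list."""
        obj = self.objects[url]
        if now - obj["refreshed_at"] < self.n * obj["ttl"]:
            obj["hit_in_window"] = True
            self.active.add(url)

    def refresh_time(self, url, busyness):
        """When the proxy should revalidate url: at 50% of the TTL when idle
        (busyness 0), at 95% (assumed "just before expiry") when fully busy
        (busyness 1), and proportionally in between."""
        obj = self.objects[url]
        pct = 50 + int(45 * min(max(busyness, 0.0), 1.0))
        return obj["refreshed_at"] + obj["ttl"] * pct / 100

    def tick(self, url, now, busyness):
        """Periodic housekeeping for one object; returns 'dropped', 'refreshed' or None."""
        obj = self.objects[url]
        if url not in self.active:
            return None
        # No access within n*TTL since the last refresh: leave the active list.
        if not obj["hit_in_window"] and now - obj["refreshed_at"] >= self.n * obj["ttl"]:
            self.active.discard(url)
            return "dropped"
        # Still active: revalidate before expiry and open a new access window.
        if now >= self.refresh_time(url, busyness):
            obj["refreshed_at"], obj["hit_in_window"] = now, False
            return "refreshed"
        return None
```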

Page 27

Streaming Media Support

• Transparently support popular media formats. Save bandwidth by splitting live media streams on the gateway

Page 28

Programmable Cache Control

• Load or delete cached objects programmatically with the caching application programming interface (API).

Page 29

Simplified & Robust Management

Page 30

Policy-based Access Control

• Client address sets: Internet Protocol (IP) addresses or, with Microsoft Active Directory™, authenticated users and groups.

• Destination sets: URLs.

• Protocols.

• Content groups, for Hypertext Transfer Protocol (HTTP) and tunneled File Transfer Protocol (FTP) traffic: multipurpose Internet mail extensions (MIME) types, and file extensions.

• Schedules.

• Bandwidth priorities.
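As an added example (constructed here, not ISA Server code or its administration API), the Python model below evaluates a request against an ordered rule list built from the policy elements above and the scenarios of slides 12, 14 and 15: client address sets, destination sets, protocols and schedules, first match wins, default deny. The address ranges, hostnames, rule names and the 2016-01-12 date are made up.

```python
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network


@dataclass
class Rule:
    name: str
    action: str             # "allow" or "deny"
    clients: list           # client address set: CIDR strings, or ["any"]
    destinations: list      # destination set: hostnames, or ["any"]
    protocols: list         # protocol set, or ["any"]
    hours: tuple = (0, 24)  # schedule: local hours [start, end) on every day

    def matches(self, client_ip, host, protocol, when):
        ip = ip_address(client_ip)
        return (
            ("any" in self.clients or any(ip in ip_network(c) for c in self.clients))
            and ("any" in self.destinations or host in self.destinations)
            and ("any" in self.protocols or protocol in self.protocols)
            and self.hours[0] <= when.hour < self.hours[1]
        )


# Constructed policy (addresses and names made up): managers are unrestricted,
# contractors may browse but not reach webmail, staff always get the intranet
# but the open Internet only at lunch and outside 09:00-18:00. The first
# matching rule decides; a request no rule allows is denied.
POLICY = [
    Rule("managers unrestricted", "allow", ["10.0.2.0/24"], ["any"], ["any"]),
    Rule("contractors no webmail", "deny", ["10.0.3.0/24"], ["webmail.example.com"], ["any"]),
    Rule("contractors web", "allow", ["10.0.3.0/24"], ["any"], ["http", "https"]),
    Rule("intranet always", "allow", ["10.0.0.0/16"], ["intranet.example.local"], ["http", "https"]),
    Rule("staff lunch hour", "allow", ["10.0.1.0/24"], ["any"], ["http", "https"], (12, 13)),
    Rule("staff before work", "allow", ["10.0.1.0/24"], ["any"], ["http", "https"], (0, 9)),
    Rule("staff after work", "allow", ["10.0.1.0/24"], ["any"], ["http", "https"], (18, 24)),
]


def evaluate(client_ip, host, protocol, when):
    """Return (decision, rule name) for one outbound request made at `when`."""
    for rule in POLICY:
        if rule.matches(client_ip, host, protocol, when):
            return rule.action, rule.name
    return "deny", "default deny"


def evaluate_at(client_ip, host, protocol, hour, minute=0):
    """Evaluate a request on a constructed date (2016-01-12) at the given local time."""
    return evaluate(client_ip, host, protocol, datetime(2016, 1, 12, hour, minute))
```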

Page 31

Windows 2004 Integration

• Network Address Translation.
• Integrated Virtual Private Networking.
• Authentication.
• System Hardening.
• Active Directory Storage with Enterprise Edition.
• Tiered-Policy Management for Enterprise Edition.
• MMC Administration.
• Quality of Service (QoS).
• Multiprocessor Support.
• Client-Side Auto-Discovery.
• Administration Component Object Model (COM) Object.
• Web Filters.
• Alerts.

Page 32

Integrated Administration

• Unified Policy and Access Control.

• Unified Management.

Page 33

Intuitive User Interface

Microsoft Management Console (MMC)

Page 34

Intuitive User Interface continued

Some of the ISA Server wizards include:

• Virtual private network (VPN) configuration: local, remote, and client-to-server.
• Defining a protocol.
• Creating a site and content rule.
• Creating a bandwidth rule.
• Secure publishing.
• Configuring a mail server behind ISA Server, publishing and securing the mail server, and configuring policy for the mail services.
• Securing the system with system hardening.

Page 35

Detailed Logging

• W3C Extended File Format (Default).

• ISA Server Text Format.

• ODBC Format.
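Added example (constructed here, not ISA Server code): a reader for the W3C Extended Log File Format, the default format listed above, which takes the field names from the #Fields directive and treats "-" as an empty value, followed by a per-client summary of denied requests over constructed log lines. The field set and the use of HTTP 403 for a denied request are assumptions, since the slide names only the format.

```python
from collections import Counter

# Constructed sample in W3C Extended Log File Format. Field names use the W3C
# prefixes (c- client, s- server, cs- client-to-server, sc- server-to-client);
# the exact fields ISA Server emits are not on the slide, so this set is assumed.
SAMPLE_LOG = """\
#Software: constructed sample
#Version: 1.0
#Fields: date time c-ip cs-username cs-method cs-uri sc-status rule
2016-01-12 12:15:03 10.0.1.5 DOMAIN\\jsmith GET http://www.example.com/ 200 staff-lunch-hour
2016-01-12 14:02:11 10.0.1.5 DOMAIN\\jsmith GET http://www.example.com/ 403 -
2016-01-12 14:02:12 10.0.1.5 DOMAIN\\jsmith GET http://www.example.com/ 403 -
2016-01-12 14:05:40 10.0.1.7 - CONNECT mail.example.net:443 403 -
2016-01-12 14:06:01 10.0.2.9 DOMAIN\\boss GET http://news.example.org/ 200 managers-unrestricted
"""


def parse_w3c(text):
    """Yield one dict per record, keyed by the names in the #Fields directive.
    A bare '-' marks an empty field, as the W3C format specifies."""
    fields = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line.split(":", 1)[1].split()
            continue  # other directives carry no records
        if fields is None:
            raise ValueError("record before #Fields directive")
        values = line.split()
        if len(values) != len(fields):
            raise ValueError(f"field count mismatch: {line!r}")
        yield {k: (None if v == "-" else v) for k, v in zip(fields, values)}


def denied_by_client(text, threshold=2):
    """Clients with at least `threshold` denied (HTTP 403) requests, together
    with the destinations they were denied: the kind of summary a usage report needs."""
    hits = Counter()
    targets = {}
    for rec in parse_w3c(text):
        if rec["sc-status"] == "403":
            hits[rec["c-ip"]] += 1
            targets.setdefault(rec["c-ip"], set()).add(rec["cs-uri"])
    return {ip: (n, sorted(targets[ip])) for ip, n in hits.items() if n >= threshold}
```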

Page 36

Built-in Reporting

• Create graphical summary reports showing application usage, security events, and network activity.

Page 37

Monitoring and Alerting

• Track real-time session and performance monitoring data. Define alerts to notify an administrator, stop a service, or execute a script in response to important system events.

Page 38

Bandwidth Priorities

• Set bandwidth priorities to optimize resource allocation, prioritizing bandwidth by user, group, application, destination site, or content type.

Page 39

Remote Management

• Administer ISA Server remotely using MMC, Windows 2000 Terminal Services, or Distributed Component Object Model (DCOM) command-line scripts.

Page 40

Multi-Server Management

• With ISA Server Enterprise Edition, manage an array of servers as a single logical unit.