SEC407 ISA Server Internals and Infrastructure Design Zachary Gutt and Steve Riley Product Managers Security Business Unit Microsoft Corporation
Page 1: SEC407 ISA Server Internals and Infrastructure Design Zachary Gutt and Steve Riley Product Managers Security Business Unit Microsoft Corporation.

SEC407

ISA Server Internals and Infrastructure Design

Zachary Gutt and Steve Riley

Product Managers

Security Business Unit

Microsoft Corporation

Page 2

Why?

Firewalls are “geeky” toys
  Administrators typically are geeks

Intimate knowledge of firewall packet handling is often necessary to fully understand how to secure a protocol

ISA Server documentation lacks sufficient detail

Session’s content discusses many common questions on the newsgroups

Page 3

Agenda

Packet flows in publishing

DMZ scenarios

SSL handling in web publishing

Packet filters and filtering

Client-type things
  Authentication, protocol handling, DNS

ISA Server vs. RRAS

IPSec and NAT

Page 4

Credits

DNS: Jim Harrison, Microsoft

ISA Server vs. RRAS and Q310888: Craig Nelson, Avanade

Some extensibility info: Ronald Beekelaar, Beekelaar Consultancy

Interesting design alternative: Tom Shinder

Page 5

Packet flows and publishing

Page 6

Packet flows in publishing

Server publishing
  Simple one-to-one mapping between outside address and LAT member over one particular protocol
  “Half-NAT”

Web publishing
  Multiple servers and sites with one external IP address
  Use URLs to direct traffic
  “Full-NAT”

Page 7

Server publishing

1. Packet arrives on external interface (SADR = client)
  Rule creates socket on external i/f

2. Payload is extracted (and inspected, if there’s an application filter)

3. New packet created on inside interface (different sequence number)

4. New IP header added; packet is delivered (SADR = client)

Diagram: Internet → ISA Server → published computer; at each hop the packet is drawn as IP | np | payld

Page 8

Server publishing

Multiple servers
  Remember: socket = {IPAddr, port, protocol}

Different protocols
  Can reuse same external IP address; port number will be different
  {IPAddr, port1, protA} {IPAddr, port2, protB}

Same protocols
  Must use additional external IP address; port numbers will be same
  {IPAddr1, port, protA} {IPAddr2, port, protA}
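As an added example (not from the deck), here is a small planner that applies the socket = {IPAddr, port, protocol} rule from this slide to a constructed list of services and external addresses, plus an audit helper that finds two rules claiming the same external socket:

```python
# Added example (not from the SEC407 deck): plan external IP usage for
# server publishing rules under the constraint that a socket is
# {IPAddr, port, protocol} and every rule needs its own socket on the
# external interface. Service names, hosts and the address pool are constructed.
from collections import namedtuple

Service = namedtuple("Service", "name protocol port internal_host")

# Constructed pool of external addresses available on the ISA Server.
EXTERNAL_POOL = ["131.107.39.56", "131.107.39.57"]

# Constructed services to publish. The two SMTP servers share port and
# protocol, so they cannot share an external address; DNS differs in
# protocol (UDP) and port, so it can reuse the first address.
SERVICES = [
    Service("smtp-1", "tcp", 25, "mail1"),
    Service("smtp-2", "tcp", 25, "mail2"),
    Service("dns", "udp", 53, "dns1"),
    Service("pop3", "tcp", 110, "mail1"),
]


def plan_server_publishing(services, external_ips):
    """Greedily assign each service the first external IP on which the
    socket (ip, port, protocol) is still free. Returns a dict mapping
    service name -> (external_ip, port, protocol). Raises ValueError when
    the pool cannot satisfy a service (another external IP is required)."""
    used = set()
    plan = {}
    for svc in services:
        for ip in external_ips:
            sock = (ip, svc.port, svc.protocol)
            if sock not in used:
                used.add(sock)
                plan[svc.name] = sock
                break
        else:
            raise ValueError(
                f"{svc.name}: {svc.protocol}/{svc.port} already published on "
                f"every external IP; add another external address")
    return plan


def external_ips_in_use(plan):
    """Number of distinct external addresses the plan consumes."""
    return len({ip for ip, _, _ in plan.values()})


def find_collisions(rules):
    """Audit an existing rule list: return the sockets bound by more than
    one rule. rules is an iterable of (external_ip, port, protocol, target)."""
    seen = {}
    for ip, port, proto, target in rules:
        seen.setdefault((ip, port, proto), []).append(target)
    return {sock: targets for sock, targets in seen.items() if len(targets) > 1}


if __name__ == "__main__":
    result = plan_server_publishing(SERVICES, EXTERNAL_POOL)
    for name, (ip, port, proto) in result.items():
        print(f"{name:8} -> {ip}:{port}/{proto}")
    print("external IPs used:", external_ips_in_use(result))
```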

Page 9

Web publishing

1. Packet arrives on external interface (SADR = client)
  Listener creates socket on external i/f

2. Payload is extracted

3. URL is examined to determine destination

3. New packet created on inside interface (different sequence number)

4. New IP header added; packet is delivered (SADR = ISA Server inside IP)

Diagram: Internet → ISA Server → published computer; the packet is drawn as IP | np | payld, with the URL inside the payload examined at ISA Server

Page 10

Web publishing

Multiple servers
  The listener creates the socket
  Can have multiple listeners on different external IPs for varying authN needs
  Use separate DNS names for each

The rule directs the request
  Destination sets indicate which rule
  Set contains URL entered in browser

Page 11

Web publishing

Multiple authN needs

Requirements
  www.example.com is public
  my.example.com has no authN in app
    Use ISA Server for authN; basic over HTTPS

Components
  Two DNS “A” records
  Two listeners
  Two destination sets
  Two publishing rules
  Trusted computer certificate

Page 12

Web publishing

Multiple authN needs

DNS records
  @ example.com
  www IN A 131.107.39.56
  my IN A 131.107.39.57

Listeners
  131.107.39.56, on port 80, no authN
  131.107.39.57, on port 443, use server certificate, basic authN

Page 13

Web publishing

Multiple authN needs

Destination sets
  DSPublic: www.example.com
  DSPrivate: my.example.com

Publishing rules
  WWW: send to inside-web-name for DSPublic
  MY: send to inside-internal-name for DSPrivate

Page 14

Web publishing

Multiple authN needs

Sequence diagram (participants: browser, DNS Server, ISA Server with listeners on ports 80 and 443, AD DC, inside servers wwwint and myint):

Browser requests address: who is “my.example.com”?

DNS returns answer: 131.107.39.57

Browser creates request: IP hdr = 131.107.39.57, HTTP hdr = my.example.com

Listener requires authentication: HTTP error 401 - unauthorized

Browser resends request: IP hdr = 131.107.39.57, HTTP hdr = my.example.com, HTTP-auth = credentials

ISA Server asks AD DC: creds good? yes

URL? my.example.com → dest-set: WSPrivate

rule? dest-set: WSPrivate → send to myint

ISAS sends request
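The two-listener design of slides 11 through 14, modelled as added example code that is not from the deck; the addresses, listener settings, set names and rule names follow the slides, while the credential store, the request values and the 404 for an unmatched destination set are constructed assumptions:

```python
# Added example (not from the deck): a model of the two-listener web
# publishing design on slides 11-14. Listener selection is by destination
# IP and port, destination-set matching is by the host name the browser
# requested, and the publishing rule names the inside server. The credential
# store, the request values and the 404 status are constructed assumptions.
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Listener:
    ip: str
    port: int
    require_basic_auth: bool
    server_certificate: Optional[str] = None   # HTTPS listener when set


@dataclass(frozen=True)
class Request:
    dst_ip: str
    dst_port: int
    host: str                        # HTTP Host header: the URL the browser entered
    http_auth: Optional[str] = None  # "user:password" carried in the HTTP-auth header


# Listeners from slide 12.
LISTENERS = (
    Listener("131.107.39.56", 80, require_basic_auth=False),
    Listener("131.107.39.57", 443, require_basic_auth=True,
             server_certificate="my.example.com"),
)
# Destination sets and publishing rules from slide 13.
DESTINATION_SETS = {
    "DSPublic": {"www.example.com"},
    "DSPrivate": {"my.example.com"},
}
PUBLISHING_RULES = (            # (rule name, destination set, inside host)
    ("WWW", "DSPublic", "wwwint"),
    ("MY", "DSPrivate", "myint"),
)
# Constructed stand-in for the "creds good?" check against the AD DC.
VALID_CREDENTIALS = {"alice:correct horse"}


def select_listener(req: Request) -> Optional[Listener]:
    """The listener owns the external socket, so it is chosen by IP:port."""
    for lst in LISTENERS:
        if lst.ip == req.dst_ip and lst.port == req.dst_port:
            return lst
    return None


def select_rule(req: Request) -> Optional[Tuple[str, str, str]]:
    """Destination sets contain the URL the browser entered; the first rule
    whose set contains the requested host wins."""
    for rule in PUBLISHING_RULES:
        if req.host in DESTINATION_SETS[rule[1]]:
            return rule
    return None


def route_request(req: Request) -> Tuple[int, Optional[str]]:
    """Return (HTTP status the browser sees, inside host the request goes to).
    200 with a host means ISA Server forwards; 401 means the listener demanded
    credentials; 404 (assumed here) means no rule matched; 0 means nothing
    listens on that socket."""
    lst = select_listener(req)
    if lst is None:
        return 0, None
    if lst.require_basic_auth and req.http_auth not in VALID_CREDENTIALS:
        return 401, None                  # listener requires authentication
    rule = select_rule(req)
    if rule is None:
        return 404, None
    return 200, rule[2]


def trace_slide_14() -> list:
    """Replay the slide 14 exchange: anonymous request gets 401, the resend
    with credentials is forwarded to myint."""
    first = Request("131.107.39.57", 443, "my.example.com")
    second = Request("131.107.39.57", 443, "my.example.com",
                     http_auth="alice:correct horse")
    return [route_request(first), route_request(second)]
```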

Page 15

DMZ scenarios

Page 16

DMZ Scenarios

The two traditional kinds

Disadvantages of using “DMZ” interfaces in ISA Server

Best way to design layered networks

Page 17

Network layering DMZ

Diagram (two layered variants): Internet → DMZ → corp

Page 18

Layered DMZ characteristics

Multiple firewalls

Each firewall protects its own network

Sometimes use different brands
  Heterogeneity can be costly, though

Looks like the world’s only political DMZ

Page 19

Screened subnet “DMZ”

Diagram: Internet, DMZ and corp, all attached to one three-homed firewall

Page 20

Screened subnet characteristics

Not really a DMZ

More complex to build
  Too many rules to wrap your brain around

Opportunities for misconfiguration

Performance problems

Page 21

ISA Server DMZs

ISA Server calls them “perimeter networks”

Types
  Back-to-back (regular DMZ)
  Three-homed (screened subnet)
  Interesting undocumented third choice

Pretty easy to choose which
  But first…

Page 22

Network interfaces

Two kinds
  Internal
  External

Two flavors of external
  Internet-facing
  DMZ

Page 23

Internal interfaces

Can have more than one

Defined by the LAT
  Any interface whose IP address is in LAT is an internal interface

Page 24

External interfaces

Internet-facing
  Can have only one
  Should be bound highest
  The only NIC with a default gateway
  Is connected to the Internet
  More than one is unsupported and doesn’t work

DMZ
  All other interfaces in the computer
  Not in LAT, no DG, not connected to Internet

Page 25

Traffic behavior

Diagram: three-homed ISA Server with Internet, DMZ and corp interfaces
  Internet ↔ corp: server publishing, web publishing, NAT, application inspection
  Internet ↔ DMZ: packet filtering, routing
  DMZ ↔ corp: server publishing, web publishing, NAT, application inspection

Page 26

Suboptimal design

Traffic into and out of DMZ interfaces isn’t well-protected

Basic packet filtering is just like any other firewall

Has no knowledge of application protocols

Can’t inspect for conformance

Doesn’t use web or application filters

Recommendation—Don’t use three-homed design

Page 27

Proper design

Back-to-back ISA Servers

LATs
  Outside: IP address range(s) of DMZ net
  Inside: IP address range(s) of corp net

Achieve inspection everywhere
  Internet to DMZ
  DMZ to corp net

It’s this inspection that’s the value

Page 28

Back-to-back publishing

In DMZ
  Normal publishing method

In corp net
  Publish resource on inside ISA Server
  Publish inside ISA Server on outside ISA Server

Use SSL offload cards for HTTPS
  http://www.microsoft.com/isaserver/partners/ssl.asp
  AEP Crypto—fast and cheap!

Page 29

Interesting alternative

Three-homed design

No “DMZ” interface

Two internal interfaces
  Application inspection between Internet and all internal interfaces

Need to protect cross-interface communications—how?

Good for constrained budgets

Page 30

Interesting alternative

Diagram: ISA Server with an Internet interface and two internal interfaces
  Internet ↔ internal 1 (screened subnet): server publishing, web publishing, NAT, application inspection
  Internet ↔ internal 2 (corp net): server publishing, web publishing, NAT, application inspection
  internal 1 ↔ internal 2: RRAS packet filters

Page 31

RRAS filters

Use RRAS filtering to control communications between nets

Think securely!
  Block all from 1 to 2…
  …except that which is necessary
  Block all from 2 to 1…
  …except that which is necessary

Don’t allow everything from corp to screened

Not concerned with VPN protocols here
  RRAS is just providing the filtering

Page 32

SSL handling and certificates

Page 33

SSL handling

Three options
  1. “Passthrough” or “tunneling”
  2. “Termination”
  3. “Regeneration”

2 and 3 sometimes referred to as bridging—but which kind?

Page 34

SSL handling

Passthrough (server publishing)

Diagram: Internet → ISA Server → published computer; at each hop the packet is drawn as IP | np | payld

Payload remains encrypted

No examination occurring here

Can be valuable if policy favors privacy over inspection

Page 35

SSL handling

Termination (Web publishing)

Diagram: Internet → ISA Server → published computer; at each hop the packet is drawn as IP | np | payld

Payload is decrypted

Examination possible

Valuable if policy favors inspection

Insecure: cleartext on inside network

Page 36

SSL handling

Regeneration (Web publishing)

Diagram: Internet → ISA Server → published computer; at each hop the packet is drawn as IP | np | payld

Payload is decrypted

Examination possible

Valuable if policy favors inspection

Payload is then re-encrypted

Secure: ciphertext even on inside

Page 37

Certificates

Server certificates
  When ISA Server is an HTTPS server
  Obtain from public CA
  Choose on the listener tab

Client certificates
  When published server requires client certs for authN
  Obtain from internal CA
  Choose on the listener tab

Certs for published web servers
  Issued from internal CA

Add internal root to ISA Server

Page 38

Packet filters, packet filtering and IP routing

Page 39

Does this hurt?

Page 40

Traffic passing

LAT ↔ external is well-understood
  Protocol rules: getting out
  Publishing rules: getting in

But…
  What are packet filters?

What happens when you turn on packet filtering?

What is IP routing?

Page 41

Access policy

Packet filters allow traffic into and out of the external interface

Are independent of protocol and publishing rules

Should always enable packet filtering to protect ISA Server computer

Blocks nearly everything except…

Some ICMP, outbound DNS questions

Page 42

Packet filters

From/to ISA Server computer
  Not recommended! (It’s a firewall, not a workstation)

External ↔ DMZ
  Need a filter for each protocol allowed into the DMZ
  Don’t need response rules

LAT ↔ external/DMZ
  Only for non-TCP/UDP protocols

Page 43

IP routing

Needed for non-TCP/UDP access by secureNAT clients

Improves performance by enabling the kernel mode data pump!

Huh?

Checkbox has a completely different meaning than what’s implied by “IP routing”

Page 44

Secondary connections

“Data channels” negotiated and opened while primary connection still exists

Examples
  St(r)eaming media

Audio/video conferencing

FTP

Page 45

KMDP

If:
  A protocol has secondary connections
  There is no application filter that wants to inspect the data stream

Then:
  Enabling IP routing sends secondary connections through the KMDP
  Big performance boost

Works with
  All client types
  Filters that are KMDP-aware

Page 46

A bad configuration

If you:
  Enable packet filtering

Write packet filters for TCP, UDP, and other IP protocols

Enable routing

Have no protocol or publishing rules

You have a basic, stupid layer 3/layer 4 stateful inspection firewall

Page 47

Clients

Page 48

Client types

SecureNAT
  Crazy name—there is no client software or configuration
  Handled by firewall service

HTTP requests redirected to web proxy service if redirector is enabled

Firewall clientHandled by firewall service

HTTP requests redirected to web proxy service if redirector is enabled

Web proxy clientHandled by web proxy service

Page 49

“All protocols”

Means different things

SecureNAT
  Only those where a (simple) protocol definition exists
  Need application filter for complex

Firewall client
  Literally everything

Web proxy client
  Web protocols

Page 50

Authentication

SecureNAT
  No user authentication; only IP addresses can be used in client address sets

Firewall client
  Carries user credentials
  Authenticates for all protocols
  There’s an exception…

Web proxy client
  Carries user credentials

Page 51

Firewall client authentication

Exemption

Scenario
  User is FW client only
  HTTP redirector filter is on
    Sends FW client HTTP requests to web proxy
  User credentials are lost
    Firewall service doesn’t forward
  Logs will show anonymous ID

Solution
  Configure redirector to reject HTTP requests from FW and SecureNAT clients

Page 52

Firewall client operation

Intercepts all WinSock API calls—calls to external addresses are redirected to ISA Server

Layered service provider; works with all IP protocols

Supports user authentication; can set permissions by protocol and port

No need for address editing

Page 53

Firewall client operation

Diagram (local host — Local Network — ISA Server — Internet — remote host):
  local host: Windows Sockets Application (TCP/IP) → Windows Sockets API WSOCK32.DLL → WSP.DLL → TCP/IP → NIC
  ISA Server: NIC → TCP/IP → Winsock Proxy Service → TCP/IP → NIC
  remote host: Internet Application (TCP/IP) → Windows Sockets or Other TCP/IP Interface → TCP/IP → NIC

Page 54

Firewall client operation

Establishing a connection

Participants: WS app, WSP (Winsock Provider), WinSock, ISA Server (10.1.1.2), Internet Server (77.1.1.2)

WS app → WSP: connect {77.1.1.2:23}

WSP → ISA Server: connect to 77.1.1.2:23

ISA Server → WSP: [OK - 10.1.1.2:1200]

WSP → WinSock: connect {10.1.1.2:1200}

ISA Server → Internet Server 77.1.1.2

Page 55

Firewall client operation

Port usage
  1745/TCP: configuration refreshes
    MSPCLNT.INI and MSPLAT.TXT
  1745/UDP: control connection
    Negotiation of data channel

Ephemeral: data connection
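An added example (not from the deck) of the redirect decision and data-channel negotiation on slides 52 through 55; the LAT range-list layout, the control message shape and all addresses other than 10.1.1.2:1200 and 77.1.1.2:23 are constructed, since the slides do not show the real MSPLAT.TXT format or control protocol:

```python
# Added example (not from the deck): how the Firewall client's layered
# service provider (WSP.DLL, slides 52-55) decides whether a connect() goes
# out directly or is redirected to ISA Server, and how the data channel is
# negotiated. The LAT range-list layout, the control exchange and every
# address not shown on slide 54 are constructed.
import ipaddress
from typing import Dict, List, Tuple

ISA_SERVER_IP = "10.1.1.2"   # slide 54
CONTROL_PORT = 1745          # slide 55: control connection (UDP)
FIRST_DATA_PORT = 1200       # slide 54 shows the first data socket as 10.1.1.2:1200

# Constructed LAT download, one "first last" range per line.
MSPLAT_TXT = """\
# local address table (constructed)
10.0.0.0 10.255.255.255
192.168.1.0 192.168.1.255
"""


def parse_lat(text: str) -> List[Tuple[int, int]]:
    """Turn the range list into integer (first, last) pairs."""
    ranges = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        first, last = line.split()
        ranges.append((int(ipaddress.IPv4Address(first)),
                       int(ipaddress.IPv4Address(last))))
    return ranges


def in_lat(ip: str, ranges: List[Tuple[int, int]]) -> bool:
    """True when the address falls inside any LAT range (internal address)."""
    n = int(ipaddress.IPv4Address(ip))
    return any(first <= n <= last for first, last in ranges)


class FirewallService:
    """ISA Server side of the control exchange: hands out an ephemeral data
    socket per requested destination and remembers the mapping so the data
    connection can be relayed to the real target."""

    def __init__(self, ip: str = ISA_SERVER_IP, first_port: int = FIRST_DATA_PORT):
        self.ip = ip
        self.next_port = first_port
        self.channels: Dict[Tuple[str, int], Tuple[str, int]] = {}

    def control_request(self, user: str, dst: Tuple[str, int]) -> Tuple[str, int]:
        # The Firewall client carries user credentials (slide 50); a real
        # deployment would apply per-user protocol/port permissions here.
        data_socket = (self.ip, self.next_port)
        self.next_port += 1
        self.channels[data_socket] = dst
        return data_socket


class WinsockProvider:
    """Client side: intercepts connect() the way WSP.DLL does."""

    def __init__(self, lat_text: str, isa: FirewallService, user: str):
        self.lat = parse_lat(lat_text)
        self.isa = isa
        self.user = user

    def connect(self, dst_ip: str, dst_port: int) -> Dict[str, object]:
        if in_lat(dst_ip, self.lat):
            # Local address: the call passes straight to TCP/IP.
            return {"via": "direct", "connect": (dst_ip, dst_port)}
        # External address: negotiate over the control channel, then connect
        # the application's socket to the data socket ISA Server returned.
        data_socket = self.isa.control_request(self.user, (dst_ip, dst_port))
        return {"via": "isa", "control": (self.isa.ip, CONTROL_PORT),
                "requested": (dst_ip, dst_port), "connect": data_socket}


def replay_slide_54() -> Dict[str, object]:
    """connect to 77.1.1.2:23 becomes connect {10.1.1.2:1200}."""
    isa = FirewallService()
    wsp = WinsockProvider(MSPLAT_TXT, isa, user="alice")
    return wsp.connect("77.1.1.2", 23)
```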

Page 56

DNS

SecureNAT
  Must have access to DNS server—ISA Server won’t proxy DNS
  Need DNS protocol rule

Firewall client
  ISA Server or the client performs DNS
  Depends on settings in MSPCLNT.INI

Web proxy client
  ISA Server performs DNS

Page 57

DNS configuration

Must have proper DNS configuration
  On ISA Server external interface if no DNS forwarding available
  On inside interface if server in LAT can forward to Internet

Bind NIC with DNS settings higher
  http://isaserver.org/pages/article.asp?id=239

Incorrect defaults for DNS cache
  http://isaserver.org/pages/article.asp?id=238

Firewall clients are “special”…

Page 58

DNS configuration

Firewall client
  Resolution obeys setting for each application in MSPCLNT.INI
  Local or proxied
  “Common configuration” is local
    Just like SecureNAT

Error 14120
  Occurs if FW client is accessing a published server

Traffic leaves then re-enters ISA Server

http://isaserver.org/pages/article.asp?id=236

http://isaserver.org/pages/article.asp?id=353

Page 59

ISA Server vs. RRAS

Page 60

Terminology

Remote access VPN
  Client on Internet connects to VPN server

Network VPN
  Two networks create VPN over Internet
  Gateway server on each network
  Often called “site-to-site VPN”

IPSec
  Transport mode: used in L2TP+IPSec remote access and network VPNs

Tunnel mode: designed for network VPNs

Page 61

RRAS

RRAS handles all VPN work

ISA Server’s wizard simplifies configuration for typical scenarios

Inbound remote-access

Network

Doesn’t eliminate need to understand RRAS

Page 62

ISA Server

Can—
  Originate and terminate PPTP and L2TP+IPSec VPNs
    For remote access and network
  Permit outbound PPTP

Can’t—

Permit outbound L2TP+IPSec

Server-publish any VPN protocol

NAT-T improves situation; stay tuned

Page 63

Enabling outbound PPTP

UI: packet filter properties
  <server>\Access Policy\IP Packet Filters, context menu: Properties

Sets up packet filter to allow outbound PPTP

Filter type: “PPTP call”

IP protocol 47, both directions

Page 64

Enabling inbound VPN

ISA Server terminates incoming VPN connections

Can’t server-publish any VPN protocol

Enables PPTP and L2TP+IPSec
  Configures RRAS

Enforces authentication and encryption

Opens packet filters

Page 65

Inbound VPN packet filters

Allow IKE (Internet Key Exchange): any-ip:500/udp ↔ external-ip:500/udp

Allow L2TP: any-ip:1701/udp ↔ external-ip:1701/udp

Application filters handle PPTP
  “PPTP receive”: accepts inbound PPTP
  “PPTP call”: allows responses

IP protocol 47, both directions

Page 66

RRAS configuration

Both routing and remote access

MS-CHAP and MS-CHAPv2 authN
  Disable MS-CHAP on RRAS and in policy profile

DHCP address assignment

128 PPTP and 128 L2TP ports

No RRAS packet filtering

40-, 56-, and 128-bit encryption
  Change policy profile to allow only “Strongest” = 128-bit

Page 67

Recall the limitations

Can’t—
  Terminate IPSec tunnel mode VPNs

Permit outbound L2TP+IPSec

Server-publish any VPN protocol

Various architectural and protocol reasons

But first…

Page 68

IPSec background

Security association (SA)
  Alice and Bob have a secure “channel” between their computers
  Authenticates and optionally encrypts

Transport mode
  SA between two nodes

Tunnel mode
  SA between two gateways

Node-to-node is secure because it passes through gateways

Page 69

IPSec background

IPSec alone not sufficient for remote access VPNs
  No user authentication
  No endpoint address assignment

L2TP performs these functions

IPSec protects traffic
  Authenticates machines

Encrypts L2TP

Page 70

IPSec background

L2TP+IPSec suitable for both remote access and network VPNs
  Supported in product
  Well-documented

Compare to pure IPSec tunnel mode
  Supported only for network VPNs

Difficult to configure

No routable interfaces in RRAS

Not possible today with ISA Server

Page 71

L2TP+IPSec packet behavior

When an L2TP+IPSec VPN server receives traffic—

1. IPSec packet arrives at ISA Server

2. Packet filter driver hands to IPSec

3. IPSec decrypts then reinjects L2TP into receive path

4. Packet filter driver sees L2TP and accepts

5. Packet goes to L2TP driver in RRAS

6. Packet decapsulated

Page 72

L2TP+IPSec packet behavior

Say we tried pure IPSec tunnel mode—

1. Packet arrives at ISA Server

2. Packet filter driver hands to IPSec

3. IPSec decrypts and passes up the stack

Packet has destination IP address other than ISA server’s own, so—

1. Packet placed on stack’s send path—this is

normal Windows behavior

2. Packet goes back out ISA Server, rather than delivered to client behind

Page 73

L2TP+IPSec limitations

Therefore: can’t use IPSec tunnel mode

Can’t also allow outbound L2TP+IPSec at all

NAT issue; see NAT-T info later

Page 74

VPN server publishing

Not possible in current version of ISA Server

Server publishing understands only TCP and UDP

VPNs use other IP protocols
  PPTP: 47, generic routing encapsulation
  IPSec ESP: 50, encapsulated security payload
  IPSec AH: 51, authentication header
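An added example (not from the deck) that evaluates constructed packets against the VPN packet filters of slides 63 and 65 and applies the slide 74 rule on what server publishing can carry; the external address and sample peers are constructed, the ports and IP protocol numbers come from the slides:

```python
# Added example (not from the deck): a small stateless evaluator for the
# IP packet filters the slides describe for VPN traffic (slides 63 and 65),
# plus the slide 74 test for what server publishing can carry. The external
# address and the sample packets are constructed; the ports and IP protocol
# numbers are the ones on the slides.
from dataclasses import dataclass
from typing import Iterable, Optional

TCP, UDP, GRE, ESP, AH = 6, 17, 47, 50, 51   # IP protocol numbers
ANY = None                                   # wildcard for address/port

EXT_IP = "131.107.39.60"   # constructed ISA Server external address


@dataclass(frozen=True)
class Filter:
    name: str
    protocol: int
    direction: str                    # "in", "out" or "both"
    local_ip: Optional[str] = ANY
    local_port: Optional[int] = ANY
    remote_ip: Optional[str] = ANY
    remote_port: Optional[int] = ANY


@dataclass(frozen=True)
class Packet:
    protocol: int
    direction: str                    # "in" (arriving) or "out" (leaving)
    local_ip: str
    remote_ip: str
    local_port: Optional[int] = None  # None for protocols without ports (GRE, ESP, AH)
    remote_port: Optional[int] = None


# Inbound VPN packet filters from slide 65 plus the outbound PPTP call
# filter from slide 63 (IP protocol 47, both directions). PPTP control
# uses 1723/tcp (slide 78).
VPN_FILTERS = (
    Filter("Allow IKE", UDP, "both", EXT_IP, 500, ANY, 500),
    Filter("Allow L2TP", UDP, "both", EXT_IP, 1701, ANY, 1701),
    Filter("PPTP receive", TCP, "in", EXT_IP, 1723, ANY, ANY),
    Filter("PPTP call", GRE, "both", EXT_IP, ANY, ANY, ANY),
)


def _match(want, have) -> bool:
    return want is ANY or want == have


def matches(f: Filter, p: Packet) -> bool:
    """A filter matches on protocol, direction and every non-wildcard field."""
    return (f.protocol == p.protocol
            and (f.direction == "both" or f.direction == p.direction)
            and _match(f.local_ip, p.local_ip)
            and _match(f.local_port, p.local_port)
            and _match(f.remote_ip, p.remote_ip)
            and _match(f.remote_port, p.remote_port))


def evaluate(p: Packet, filters: Iterable[Filter] = VPN_FILTERS) -> Optional[str]:
    """Return the name of the first permitting filter, or None when the packet
    is dropped. Packet filtering blocks everything it does not explicitly
    allow (slide 41), so there is no default permit."""
    for f in filters:
        if matches(f, p):
            return f.name
    return None


def server_publishable(protocol: int) -> bool:
    """Slide 74: server publishing understands only TCP and UDP, so GRE (47),
    ESP (50) and AH (51) cannot be published; ISA Server must terminate
    those VPNs itself."""
    return protocol in (TCP, UDP)
```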

Page 75

Q310888

RRAS “Internal” interface is server-side tunnel termination point

Can NAT this interface to treat incoming tunnels as private interfaces

NATing them allows easy outbound access either back through RRAS or through some other firewall

Also allows NATing between RRAS sites

Article explains how to set this up

Page 76

Functionality issue

ISA Server replaces RRAS’s NAT driver
  RRAS “Internal” interface can no longer be NATed
  Breaks Q310888
  RRAS NAT GUI makes no sense
  NETSH NAT settings ignored

Do you want VPN users to be able to get back out to the Internet?
  Yes: need separate RRAS and ISA Server computers

Do Q310888 on RRAS computer

Page 77

Recommendations

Table (cell contents not recoverable from the transcript); labels: RAVPN, NetVPN, Outbound Internet, Q310888, RRAS, ISA Server, Both, Separate

Page 78

RRAS security

Don’t forget RRAS packet filters if using RRAS alone

External interface—
  PPTP: from any:any to ext-ip:1723/tcp
  L2TP: from any:any to ext-ip:1701/udp

LAN interface—
  PPTP: from lan-ip:1723/tcp to any:any
  L2TP: from lan-ip:1701/udp to any:any

No IPSec filterspecs needed
  Traffic is L2TP once RRAS sees it

Page 79

Next Steps

Complete the evaluation of ISA Server that you’ve already been doing

Right?

Consider where adding application-aware inspection can increase security

Exchange RPC

Outlook Web Access

SharePoint Servers of various flavors

Anything built on any web server

Deploy it!

Page 80

Suggested Reading And Resources

The tools you need to put technology to work!

TITLE / Available

Microsoft® Internet Security and Acceleration (ISA) Server 2000 Administrator's Pocket Consultant: 0-7356-1442-3 / Today

Writing Secure Code, Second Edition: 0-7356-1722-8 / Today

Microsoft Press books are 20% off at the TechEd Bookstore

Also buy any TWO Microsoft Press books and get a FREE T-Shirt

Page 81

Community Resources

Community Resources: http://www.microsoft.com/communities/default.mspx

Most Valuable Professional (MVP): http://www.mvp.support.microsoft.com/

Newsgroups: Converse online with Microsoft Newsgroups, including Worldwide
  http://www.microsoft.com/communities/newsgroups/default.mspx

User Groups: Meet and learn with your peers
  http://www.microsoft.com/communities/usergroups/default.mspx

Page 82

evaluations

Page 83

© 2003 Microsoft Corporation. All rights reserved.
This presentation is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY.

