Configuring Access to Internal Resources

Post on 06-Jan-2016


Configuring Access to Internal Resources. What is ISA server publishing? Publish internal servers to the Internet, so that users on the Internet can access those internal resources. Making internal resources accessible to the Internet increases the security risks for the organization. - PowerPoint PPT Presentation

Transcript of Configuring Access to Internal Resources

1

Configuring Access to Internal Resources

2

What is ISA server publishing?

• Publish internal servers to the Internet, so that users on the Internet can access those internal resources

• Making internal resources accessible to the Internet increases the security risks for the organization.

• ISA Server uses Web and server publishing rules to publish internal network resources to the Internet

3

What is ISA server publishing?

Diagram: a Client on the Internet and a Remote User reach the organization’s Web Server, Mail Server and File Server.

4

What is ISA server publishing?

Diagram: the Web Server, Mail Server and File Server sit on the Internal Network behind the ISA server.

Using a perimeter network provides an additional layer of Security!!!

5

What Are Web Publishing Rules?

• Make Web sites on protected networks available to users on other networks, such as the Internet

• A Web publishing rule is a firewall rule that specifies how ISA Server will route incoming requests to internal Web servers

• Web Publishing is sometimes referred to as “reverse proxying”.

6

What do Web publishing rules provide?

• Access to Web servers running HTTP protocol
• HTTP application-layer filtering
• Path mapping
• User authentication
• Content caching
• Support for publishing multiple Web sites using a single IP address
• Link translation

7

What Are Server Publishing Rules

• Web publishing and secure Web publishing rules can grant access only to Web servers using HTTP or HTTPS.

• To grant access to internal resources using any other protocol, you must configure server publishing rules!!!

8

What do Server publishing rules provide?

• Access to multiple protocols
• Application-layer filtering for specified protocols
• Support for encryption
• IP address logging for the client computer

9

Considerations for Configuring DNS for Web and Server Publishing

Diagram: the Web Server (IP address 172.16.10.1) sits on the Internal Network behind the ISA server (External IP address 131.107.1.1) and is published as http://isalab.com.

A split DNS uses two different DNS servers with the same DNS domain name to provide name resolution for internally and externally accessible resources!

10

Configuring Web Publishing Rules

• Web Listener
• Non-SSL Web Publishing Rules
• SSL Web Publishing Rules

11

Web Listener

• Web listeners are used by Web and secure Web publishing rules

• A Web listener is an ISA Server configuration object that defines how the ISA Server computer listens for HTTP requests and SSL requests

• All incoming Web requests must be received by a Web listener

• A Web listener may be used in multiple Web publishing rules

12

Web Listener

Diagram: the Web Server (IP address 172.16.10.1) sits on the Internal Network behind the ISA server; the Web Listener is bound to the ISA server’s External IP address 131.107.1.1 and receives requests for http://isalab.com.

13

How to Configure Web Listeners

• Network
• Port numbers
• Client authentication methods
• Client Connection Settings

14

Network: If you have multiple network adapters or multiple IP addresses, choose the one the listener should use

15

Port numbers

By default, the Web listener listens for HTTP requests on port 80

16

How to Configure Web Listeners

A Web listener “listens” on an interface or IP address that you choose for incoming connections to the port you define

17

Configuring Non-SSL Web Publishing Rules

18

Configuring Non-SSL Web Publishing Rules

Rule Action Page

19

Configuring Non-SSL Web Publishing Rules

• Publishing Type Page
  – Publish a single Web site or load balancer
  – Publish a server farm of load balanced Web Servers
  – Publish multiple web sites

20

Configuring Non-SSL Web Publishing Rules

• The Server Connection Security Page:

21

Configuring Non-SSL Web Publishing Rules

• The Internal Publishing Details Page:
  – Internal Site Name
  – Computer name or IP address

22

Configuring Non-SSL Web Publishing Rules

• The Internal Publishing Details Page:
  – Path Name
  – Forward the original host header instead of the actual one

23

Configuring Non-SSL Web Publishing Rules

• The Public Name Details Page
  – Accept requests for
  – Public Name
  – Path (optional)

24

Configuring Non-SSL Web Publishing Rules

• The Select Web Listener Page and Creating an HTTP Web Listener:
  – Edit
  – New

25

Configuring Non-SSL Web Publishing Rules

• The Authentication Settings Page

26

Web Listener Authentication Methods

• Basic
• Digest
• Integrated
• RADIUS
• RADIUS OTP
• SecurID
• OWA Forms-based
• Forms-Based Authentication
• SSL Certificate

27

Configuring Non-SSL Web Publishing Rules

• The Single Sign on Settings Page

28

Configuring Non-SSL Web Publishing Rules

• The Authentication Delegation Page
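The wizard pages above (publishing type, internal site name, path mapping, host header forwarding, public name and listener) together decide how one incoming request is routed. The following is an added example, not ISA Server code, that models those decisions in a few dozen lines: a listener bound to the deck’s external address 131.107.1.1, and two rules sharing it so that two sites are published on a single IP and told apart by public name. The mail server address 172.16.10.2, the rule names and all paths are constructed for the demo.

```python
# Added example (not ISA Server code): a model of how a Web listener and Web
# publishing rules route an incoming request. All names/addresses other than
# 131.107.1.1 and 172.16.10.1 (which the slides use) are constructed here.
from dataclasses import dataclass
from fnmatch import fnmatchcase
from urllib.parse import urlsplit


@dataclass(frozen=True)
class WebListener:
    name: str
    ip: str            # external interface / IP address the listener is bound to
    port: int = 80     # default HTTP listener port


@dataclass
class WebPublishingRule:
    name: str
    listener: WebListener
    public_names: tuple             # "Accept requests for" these public names
    internal_site: str              # computer name or IP address of the internal site
    public_path: str = "/*"         # path accepted on the public side
    internal_path: str = "/*"       # path on the internal site (path mapping)
    forward_original_host: bool = False   # forward the original host header?
    action: str = "allow"


@dataclass
class IncomingRequest:
    dest_ip: str
    dest_port: int
    url: str           # full public URL, e.g. http://isalab.com/owa/inbox


def map_path(public_path, internal_path, request_path):
    """Translate the public path prefix to the internal one when both end in '/*'."""
    if public_path.endswith("/*") and internal_path.endswith("/*"):
        prefix = public_path[:-1]                  # keep the trailing slash
        if request_path.startswith(prefix):
            return internal_path[:-1] + request_path[len(prefix):]
    return request_path


def route(request, rules):
    """Return (rule name, URL forwarded to the internal site, Host header sent),
    or ('deny', None, None) when no allow rule matches."""
    url = urlsplit(request.url)
    host = url.hostname or ""
    for rule in rules:                             # rules are evaluated in order
        lis = rule.listener
        if (request.dest_ip, request.dest_port) != (lis.ip, lis.port):
            continue                               # no listener received this request
        if not any(fnmatchcase(host, pat) for pat in rule.public_names):
            continue                               # public name does not match
        if not fnmatchcase(url.path, rule.public_path):
            continue                               # path does not match
        if rule.action != "allow":
            return ("deny", None, None)
        internal = map_path(rule.public_path, rule.internal_path, url.path)
        host_header = host if rule.forward_original_host else rule.internal_site
        return (rule.name, f"http://{rule.internal_site}{internal}", host_header)
    return ("deny", None, None)                    # default: anything unmatched is denied


# Constructed configuration: one listener, two rules published on the same IP.
LISTENER = WebListener("External HTTP", "131.107.1.1", 80)
RULES = [
    WebPublishingRule("OWA", LISTENER, ("mail.isalab.com",), "172.16.10.2",
                      public_path="/owa/*", internal_path="/exchange/*",
                      forward_original_host=True),
    WebPublishingRule("Main site", LISTENER, ("isalab.com", "www.isalab.com"),
                      "172.16.10.1"),
]


def demo():
    # Four constructed requests: two matching rules, an unknown public name,
    # and a request to a port on which no listener is defined.
    return [
        route(IncomingRequest("131.107.1.1", 80, "http://isalab.com/index.html"), RULES),
        route(IncomingRequest("131.107.1.1", 80, "http://mail.isalab.com/owa/inbox"), RULES),
        route(IncomingRequest("131.107.1.1", 80, "http://other.example/"), RULES),
        route(IncomingRequest("131.107.1.1", 8080, "http://isalab.com/"), RULES),
    ]


if __name__ == "__main__":
    for result in demo():
        print(result)
```

The two things a practitioner should take from the model: a request that reaches an IP and port with no listener never gets as far as rule evaluation, and with the original host header turned off the internal server sees the ISA server’s idea of its name (here the IP address), which is why sites that build absolute links from the Host header need either that option or link translation.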

29

Secure Web Publishing

Diagram: a Client on the Internet and a Remote User exchange encrypted content with the Web Server.

More secure!!

30

Cryptography issues

• Only sender, intended receiver should “understand” message contents
  – sender encrypts message
  – receiver decrypts message

Diagram: Sender → Encrypt → Decrypt → Receiver

31

Types of Cryptography

• Crypto often uses keys:
  – Algorithm is known to everyone
  – Only “keys” are secret

• Public key cryptography
  – Involves the use of two keys

• Symmetric key cryptography
  – Involves the use of one key

• Hash functions
  – Involves the use of no keys
  – Nothing secret: How can this be useful?

32

Secret-Key or Symmetric Cryptography

Diagram (Sender and Receiver):

• Sender and Receiver agree on an encryption method and a shared key

• Sender uses the key and the encryption method to encrypt (or encipher) a message

• Send encrypted message

• Receiver uses the same key and the related decryption method to decrypt (or decipher) the message.

33

Public key or Asymmetric Cryptography

Diagram (Sender and Receiver):

• Sender generates a public key

• Send public key

• Use sender’s public key to encrypt a message

• Send encrypted message

• Use private key to decrypt this message

• Use public key to determine a private key: not feasible

No-one without access to Sender’s private key (or the information used to construct it) can easily decrypt the message!!

34

Hash Function Algorithms

• A hash function is a mathematical function that creates a message digest from a message.

• A message digest is used to create a unique digital signature from a particular document.

• MD5 example

Diagram: Original Message (Document, E-mail) → Hash Function → Digest

35

digital signature

Diagram (Sender and Receiver): the Sender sends an encrypted message; the Receiver decrypts the message using the Public key and Private key.

How can Receiver determine that the message received was indeed sent by Sender?

36

digital signature

Diagram: Data → Hash → Verify Signature (with Public Key) → ?

37

Man in Middle

Diagram: Sender → Man in Middle (Modify) → Receiver

38

Digital certificate

• A digital certificate (DC) is a digital file that certifies the identity of an individual or institution, or even a router seeking access to computer-based information. It is issued by a Certification Authority (CA), and serves the same purpose as a driver’s license or a passport

39

Digital certificate

Diagram: CERTIFICATE containing Issuer, Subject, Subject Public Key and Issuer Digital Signature

40

Certification Authorities

• A trusted agent who certifies public keys for general use (Corporation or Bank).
  – User has to decide which CAs can be trusted.

• The model for key certification based on friends and friends of friends is called “Web of Trust”.
  – The public key is passed from friend to friend.
  – Works well in small or highly connected worlds.
  – What if you receive a public key from someone you don’t know?

41

CA model

Diagram: Root Certificate → CA Certificate → Browser Cert.; Root Certificate → CA Certificate → Server Cert.

42

What is the Process of obtaining a certificate

Diagram (Sender, CA, Receiver):

• Sender generates a public/private key pair

• CA verifies sender’s identity and issues a digital certificate containing the public key

• Sender encrypts with the Private key; Receiver uses the Certificate to verify and decrypt

• OK!!
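The digital-signature, man-in-the-middle, certificate and CA-model slides above describe one mechanism from several angles: a digest of the data is “encrypted” with a private key, anyone holding the matching public key can check it, and a certificate is the same operation applied by a CA to someone else’s public key. The following is an added example, not from the slides, that traces that mechanism end to end with textbook RSA from the standard library (no padding, expiry or revocation, so a teaching toy only): keys are generated, a message is signed and verified, a constructed three-level chain (Lab Root → Lab Issuing CA → isalab.com) is validated against a trust store, and both a certificate from a CA outside the trust store and a certificate whose subject was modified in transit are rejected. All names and keys are constructed for the demo.

```python
# Added example, not from the slides: textbook RSA over a SHA-256 digest, used to
# trace the deck's digital-signature, man-in-the-middle and CA-chain slides.
# Toy code (no padding, expiry or revocation); every key and name is constructed.
import hashlib
import secrets


def is_probable_prime(n, rounds=20):
    """Miller-Rabin probable-prime test for odd n > 3."""
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits):
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1   # force size and oddness
        if is_probable_prime(cand):
            return cand


def generate_keypair(bits=512):
    """Return ((n, e), (n, d)); n > 2^256 so a SHA-256 digest always fits."""
    e = 65537
    while True:
        p, q = random_prime(bits // 2), random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            return (p * q, e), (p * q, pow(e, -1, phi))


def digest_int(message):
    return int.from_bytes(hashlib.sha256(message).digest(), "big")


def sign(private_key, message):
    n, d = private_key
    return pow(digest_int(message), d, n)          # digest "encrypted" with the private key


def verify(public_key, message, signature):
    n, e = public_key
    return pow(signature, e, n) == digest_int(message)   # anyone with the public key can check


def tbs_bytes(subject, issuer, public_key):
    """The 'to be signed' fields of a certificate: subject, issuer, subject public key."""
    return f"{subject}|{issuer}|{public_key[0]}|{public_key[1]}".encode()


def issue_certificate(subject, subject_pub, issuer, issuer_priv):
    """The CA step from the slide: verify identity (assumed), sign the subject's public key."""
    return {"subject": subject, "issuer": issuer, "public_key": subject_pub,
            "signature": sign(issuer_priv, tbs_bytes(subject, issuer, subject_pub))}


def cert_signed_by(cert, issuer_pub):
    tbs = tbs_bytes(cert["subject"], cert["issuer"], cert["public_key"])
    return verify(issuer_pub, tbs, cert["signature"])


def verify_chain(leaf, intermediates, trusted_roots):
    """Walk leaf -> CA -> ... until a certificate is signed by a trust-store root."""
    pool = {c["subject"]: c for c in intermediates}
    roots = {c["subject"]: c for c in trusted_roots}
    cert = leaf
    for _ in range(8):                                  # bound the walk
        if cert["issuer"] in roots:
            return cert_signed_by(cert, roots[cert["issuer"]]["public_key"])
        issuer = pool.get(cert["issuer"])
        if issuer is None or issuer is cert or not cert_signed_by(cert, issuer["public_key"]):
            return False                                # unknown, self-looping or forged issuer
        cert = issuer
    return False


def demo():
    """Returns (valid chain, CA outside trust store, certificate modified in transit)."""
    root_pub, root_priv = generate_keypair()
    ca_pub, ca_priv = generate_keypair()
    srv_pub, _ = generate_keypair()
    root = issue_certificate("Lab Root", root_pub, "Lab Root", root_priv)     # self-signed
    ca = issue_certificate("Lab Issuing CA", ca_pub, "Lab Root", root_priv)
    server = issue_certificate("isalab.com", srv_pub, "Lab Issuing CA", ca_priv)
    unknown_pub, unknown_priv = generate_keypair()
    unknown_ca = issue_certificate("Unknown CA", unknown_pub, "Unknown CA", unknown_priv)
    untrusted = issue_certificate("isalab.com", srv_pub, "Unknown CA", unknown_priv)
    modified = dict(server, subject="other.example")   # the "Modify" box of the MITM slide
    return (verify_chain(server, [ca], [root]),
            verify_chain(untrusted, [unknown_ca], [root]),
            verify_chain(modified, [ca], [root]))
```

The second rejected case is the point of the CA-model slide: the untrusted certificate is internally consistent (its CA really did sign it), and it is refused only because the relying party decided which roots it trusts. Asymmetric encryption, as in the earlier slide, is the same modular exponentiation with the exponents swapped, public key to encrypt and private key to decrypt.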

43

Secure Sockets Layer

• Secure Sockets Layer (SSL) is used to validate the identities of two computers involved in a connection across a public network, and to ensure that the data sent between the two computers is encrypted

• SSL uses digital certificates and public and private keys

44

Secure Sockets Layer

Diagram: the protocol stack at each end of the connection is Application / SSL / TCP / IP

45

Advantages of SSL

• Independent of application layer

• Includes support for negotiated encryption techniques.
  – easy to add new techniques.

• Possible to switch encryption algorithms in the middle of a session

46

HTTPS Usage

• HTTPS is HTTP running over SSL.
  – used for most secure web transactions.
  – HTTPS server usually runs on port 443.
  – Includes the notion of verification of the server via a certificate.
  – Central trusted source of certificates

47

SSL and ISA server 2006

• SSL bridging

• SSL tunneling

48

Configuring SSL-to-SSL Bridging for Secured Websites

• Working with Third-Party Certificate Authorities

• Installing a Local Certificate Authority and Using Certificates

• Modifying a Rule to Allow for End-to-End SSL Bridging

49

Configuring SSL-to-SSL Bridging for Secured Websites

• Installing an SSL Certificate on a SharePoint Server

• Exporting and Importing the SharePoint SSL Certificate to the ISA Server

50

Configuring SSL-to-SSL Bridging for Secured Websites

• Creating a SharePoint Publishing Rule

51

Configuring SSL-to-SSL Bridging for Secured Websites

• Choosing a certificate for the listener

52

Configuring Server Publishing Rule