Microsoft Internet Security & Acceleration Server Dave Sayers Technical Specialist Microsoft UK.
Posted 21-Dec-2015, Category: Documents

Transcript

Microsoft Internet Security & Acceleration Server
Dave Sayers, Technical Specialist, Microsoft UK
Agenda
• What is a Firewall?
• Typical Firewall Configurations
• Features of Microsoft ISA Server
• Secure Internet Access to a Web Server
• ISA Server 2004
What is a Firewall?
• Controlled point of access for all traffic that enters the internal network
• Controlled point of access for all traffic that leaves the internal network
• Traditional firewalls allow/deny access to certain IP addresses and ports only
Bastion Host
(diagram: Internet, Firewall, Internal Network)
Perimeter Network with Three-Homed Firewall
(diagram: Internet, Perimeter Network and Internal Network each attached to one interface of a single Firewall)
Perimeter Network with Back-to-Back Firewalls
(diagram: Internet, External Firewall, Internal Firewall)
Traditional Firewalls
• Wide open to advanced attacks: Code Red, Nimda; SSL-based attacks
• Performance vs. security tradeoff: bandwidth too expensive; too many moving parts
• Limited capacity for growth: not easily upgradeable; don't scale with business
• Hard to manage: security is complex; IT already overloaded
Perimeter Security Evolution
• Wide open to advanced attacks -> Application-level protection
• Performance vs. security tradeoff -> Security and performance
• Limited capacity for growth -> Extensibility and scalability
• Hard to manage -> Easier to use
Internet Security and Acceleration Server
• Industry strength firewall and proxy server
• Standard and Enterprise
• Standalone or arrays
• VPNs
• Server and web publishing
• Monitoring & reporting
www.microsoft.com/isaserver
www.isaserver.org
Key Components
• Policy Elements: Schedule, Bandwidth, Destination Set, Client Address Set, Protocol Definitions, Content Groups
• Protocol Rules
• Site and Content Rules
• Packet Filtering
ISA Value Add
• Server Publishing: Web Server, Exchange Server, additional servers
• Application Filters: SMTP, DNS, HTTP, streaming media
• VPN Wizards
• Intrusion Detection
Secure Internet Access to a Corporate Web Site
(diagram: Internet, ISA Server as a firewall, IIS as a web server, internal workstations)
• The first firewall filters traffic attempting to access the web server to only allow authorised access
• The second firewall has more restrictive filters to protect the corporate environment
• The web server can be published to the first firewall to protect its identity from the internet
• Access to corporate machines is controlled by the second firewall
ISA Web Publishing
• Publishes web site on ISA server
• Content can be cached on ISA server using reverse proxy
• Keeps the web site secure on the private network
• Server publishing vs. web publishing
• Need to create an Incoming Web Listener first (reverse proxy), as well as a destination set
• Then create a web publishing rule
Introducing: ISA Server 2004
The advanced application layer firewall, VPN and Web cache solution that enables customers to maximize IT investments by improving network security & performance
• Advanced protection
• High performance
• Ease of use
Common Scenarios
• Edge Firewall: caching; chaining
• Secure Publishing: Exchange; web servers
• Remote Access (VPN)
• Branch office: remote site security; S2S VPN (IPSec)
• Integrated Solution: single server edge security solution; easy, unified management
• Flexible Topologies: 3-leg, front/back, ...; asset protection; multi network support; partitioning
ISA Server 2004 New Features: Updated security architecture
Advanced protection: application layer security designed to protect Microsoft applications
• Deep content inspection: enhanced HTTP and customizable protocol filters; comprehensive/flexible policies; stateful routing
• Enhanced Exchange Server integration: support for Outlook RPC over HTTP; enhanced Outlook Web Access security; easy to use configuration wizards
• Fully integrated VPN: unified firewall-VPN filtering; built-in support for site-to-site IPsec tunnel mode; integrates with Windows Quarantine
• Comprehensive authentication: new support for RADIUS and RSA SecurID; user- and group-based access policy; third party extensibility
ISA 2004 Architecture
(diagram of the layered architecture)
User mode: Firewall service with Policy Engine and Policy Store; Application Filter API hosting the application filters (SMTP filter, RPC filter, DNS filter, Web Proxy filter); Web Filter API (ISAPI) hosting web filters
Kernel mode: Firewall Engine, NDIS, TCP/IP stack
Numbered stages: 1 packet layer filtering; 2 protocol layer filtering; 3 application layer filtering; 4 kernel mode data pump (performance optimization)
Application Layer Filtering
• Modern threats call for deep inspection
• Protects network assets from exploits at the application layer: Nimda, Slammer...
• Provides the ability to define a fine grain, application level, security policy
• Best protection for Microsoft applications
• Application filtering framework: built in filters for common protocols (HTTP, SMTP, RPC, FTP, H.323, DNS, POP3, streaming media); scenario-driven design; extensible plug-in architecture
VPN Protection
• Detunneled traffic is inspected: injected back to the stack; Stingray sees traffic on stack hooks
• VPN traffic is segregated: VPN network holds all addresses allocated to VPN users; IP addresses dynamically added/removed; VPN network available in Stingray admin
• IPSec tunnel mode support: provides connectivity to branch office VPN; simplified tools for administration
• Quarantine support: quarantined users placed in quarantine network; IP addresses dynamically added/removed; quarantine network available in ISA Server admin
Engine Security Enhancements
• Flood/DoS protection: SYN-flood protection; client connection quota (applicable to worm/virus floods); spoofed UDP packet flooding mitigation
• Attack/intrusion detection: IP options, DNS attacks, IP half-scan, port scan
• IP options filtering: filter out individual options
• Lockdown mode: restrict firewall machine access on service failures
Authentication Framework
• Multi source authentication
• Firewall client authentication: transparent user authentication; application transparent, protocol independent; Kerberos/NTLM
• Web proxy authentication: proxy auth, reverse proxy auth, pass through auth, SSL bridging; Basic, Digest, NTLM, Kerberos, certificates; RADIUS authentication, SecurID authentication; CRL support; extensible!
• VPN clients: EAP (certificates, smartcards, others), MS-CHAPv2, CHAP, (S-PAP, PAP); RADIUS / Windows
• Extensible authentication/authorization framework: third party filters can register their own auth namespaces
RADIUS Authentication
• Federation through RADIUS proxies
• Can be used for centralized authentication services
• Domain membership not required: great for DMZ placement
(diagram: Web Client (browser, HTTP client) on the Internet; Firewall Server at the edge; RADIUS Server (IAS) and Back-end Server on the corpnet)
1. HTTP/SSL basic auth. from the web client to the firewall server
2. RADIUS request from the firewall server to the RADIUS server (IAS)
3. HTTP/SSL request sent to the back-end server
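The three-step exchange in the diagram, as an added Python example that is not part of the original deck and not ISA or IAS code: the firewall decodes the browser's Basic credentials, hides the password the way RFC 2865 requires and sends an Access-Request to IAS, which answers Accept or Reject. The shared secret, the account store and the packet builder are constructed stand-ins.

```python
import base64
import hashlib
import secrets
import struct
# Constructed: the firewall/IAS shared secret and a stand-in account store.
SHARED_SECRET = b"constructed-shared-secret"
IAS_ACCOUNTS = {"alice": b"Winter2004!"}
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2

def parse_basic_auth(header):
    """Step 1: the firewall decodes the browser's HTTP Basic credentials."""
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not Basic authentication")
    user, _, password = base64.b64decode(token).decode().partition(":")
    return user, password.encode()

def hide_password(password, secret, authenticator):
    """RFC 2865 User-Password hiding: each 16-byte block is XORed with
    MD5(secret + previous block), seeded with the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out, prev = out + block, block
    return out

def unhide_password(hidden, secret, authenticator):
    """Inverse of hide_password, as IAS performs it on receipt."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out, prev = out + bytes(a ^ b for a, b in zip(hidden[i:i + 16], key)), hidden[i:i + 16]
    return out.rstrip(b"\x00")

def build_access_request(user, password, secret, ident=1):
    """Step 2: the firewall wraps the credentials in a RADIUS Access-Request."""
    authenticator = secrets.token_bytes(16)
    attrs = b""
    for attr_type, value in ((ATTR_USER_NAME, user.encode()),
                             (ATTR_USER_PASSWORD, hide_password(password, secret, authenticator))):
        attrs += struct.pack("!BB", attr_type, 2 + len(value)) + value
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs

def ias_handle(packet, secret, accounts):
    """Step 2, server side: IAS parses the request and answers Accept/Reject."""
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    authenticator, body, attrs = packet[4:20], packet[20:length], {}
    while body:
        attr_len = body[1]
        if attr_len < 2:
            raise ValueError("malformed attribute")
        attrs[body[0]], body = body[2:attr_len], body[attr_len:]
    password = unhide_password(attrs[ATTR_USER_PASSWORD], secret, authenticator)
    ok = code == ACCESS_REQUEST and accounts.get(attrs[ATTR_USER_NAME].decode()) == password
    return ACCESS_ACCEPT if ok else ACCESS_REJECT

def authenticate_web_request(auth_header):
    """Steps 1 to 3 end to end: True means the firewall may forward the HTTP/SSL request."""
    user, password = parse_basic_auth(auth_header)
    packet = build_access_request(user, password, SHARED_SECRET)
    return ias_handle(packet, SHARED_SECRET, IAS_ACCOUNTS) == ACCESS_ACCEPT
```

Because the Access-Request only hides the password under a keystream derived from the shared secret, the firewall-to-IAS link still belongs on the corpnet side, as the diagram places it.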
ISA Server 2004 New Features: New management tools and user interface
• Multi-network architecture: unlimited network definitions and types; firewall policy applied to all traffic; per network routing relationships
• Network templates and wizards: wizard automates network routing relationships; supports 5 common network topologies; easily customized for sophisticated scenarios
• Visual policy editor: unified firewall/VPN policy with one rule-base; drag/drop editing with scenario-driven wizards; XML-based configuration import-export
• Enhanced trouble-shooting: all new monitoring dashboard; real-time log viewer; context sensitive task panes
Ease of Use: efficient and cost effective network security
ISA 2004 Networking Model
(diagram: ISA 2004 at the centre, connected to CorpNet_1 ... CorpNet_n, DMZ_1 ... DMZ_n, Net A, the Internet, the VPN network and the Local Host network)
• Any number of networks
• VPN as network
• Localhost as network
• Assigned relationships (NAT/Route)
• Per-network policy
• Packet filtering on all interfaces
• Any topology, any policy
• Support for uPnP
Network Templates
Objective: simplified network config
Features: 5 templates; automatic routing relationships; customizable
ISA 2004 Policy Model
• Single, ordered rule base: more logical and easier to understand; easier to view and to audit
• New unified rule structure: applicable to all types of policy; three master types of rules: access rules, server publishing rules, web publishing rules
• Application filtering properties a part of the rule
• Default system policy
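One way to model the ordered rule base, the three rule types, the per-network relationships and the application-filter property on a rule, as an added Python example that is not ISA's own code: the networks, NAT/Route relationships and rules are constructed, and the HTTP filter attached to the web publishing rule stands in for ISA's HTTP application filter.

```python
import ipaddress
from dataclasses import dataclass
from typing import Callable, Optional
# Constructed networks; any address outside them is treated as "External".
NETWORKS = {
    "Internal": ipaddress.ip_network("10.0.0.0/8"),
    "DMZ_1": ipaddress.ip_network("192.168.100.0/24"),
}
# Constructed assigned relationships keyed (from, to); no relationship means drop.
RELATIONSHIPS = {
    ("Internal", "External"): "NAT",
    ("External", "DMZ_1"): "NAT",     # published server hidden behind ISA
    ("Internal", "DMZ_1"): "Route",
}

@dataclass
class Rule:
    name: str
    kind: str                  # "access", "server_publish" or "web_publish"
    action: str                # "allow" or "deny"
    protocols: set
    sources: set               # network names
    destinations: set          # network names
    app_filter: Optional[Callable[[dict], bool]] = None  # filter property on the rule

@dataclass
class Packet:
    src_ip: str
    dst_ip: str
    protocol: str
    http: Optional[dict] = None   # application-layer view, set for HTTP traffic

def network_of(ip):
    addr = ipaddress.ip_address(ip)
    return next((n for n, net in NETWORKS.items() if addr in net), "External")

def http_filter(http):
    """Constructed HTTP application filter: a port-based rule would pass these
    requests; the filter rejects worm-style URLs (traversal, executables)."""
    path = http.get("path", "")
    return (".." not in path and not path.lower().endswith(".exe")
            and http.get("method") in {"GET", "POST", "HEAD"} and len(path) <= 1024)

def evaluate(rules, pkt):
    """Single ordered rule base: the first matching rule decides, default deny.
    Returns (action, reason)."""
    src, dst = network_of(pkt.src_ip), network_of(pkt.dst_ip)
    if src != dst and (src, dst) not in RELATIONSHIPS:
        return "deny", "no network relationship"
    for rule in rules:
        if not (pkt.protocol in rule.protocols and src in rule.sources
                and dst in rule.destinations):
            continue
        if (rule.action == "allow" and rule.app_filter and pkt.http is not None
                and not rule.app_filter(pkt.http)):
            return "deny", rule.name + ": blocked by application filter"
        return rule.action, rule.name
    return "deny", "default rule"

# Constructed rule base, evaluated top to bottom.
RULES = [
    Rule("Deny Telnet out", "access", "deny", {"TELNET"}, {"Internal"}, {"External"}),
    Rule("Publish www", "web_publish", "allow", {"HTTP", "HTTPS"}, {"External"}, {"DMZ_1"}, http_filter),
    Rule("Internal to Internet", "access", "allow", {"HTTP", "HTTPS", "FTP"}, {"Internal"}, {"External"}),
]
```

The audit benefit the slide claims follows from `evaluate`: every decision is traceable to one named rule, the relationship check, or the default rule.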
Visual Policy Editor
ISA Server 2004 Monitoring
Goals: server status (it's a critical service); troubleshooting (quick and easy); investigations (attacks, mistakes); future planning (performance)
Benefits: real-time status; centralized view; easy to understand; easy to control
ISA 2004 Monitoring Tools
• Dashboard: aggregated centralized view
• Alerts: one place for all problems
• Sessions: active sessions view
• Services: ISA services status
• Connectivity: connectivity to network services
• Logging: powerful viewer of ISA logs
• Reports: top users, top sites, cache hits...
Dashboard
Objective: centralized status view
Features: real time; aggregated; easy to spot problems
Alerts
Objective: one place for all problems
Features: alerts history; managing alerts; severity & category
Sessions
Objective: active sessions view
Features: powerful query mechanism; VPN sessions; disconnect session
Services
Objective: ISA and dependent services status
Features: start & stop service
Connectivity
Objective: monitor connectivity to critical network services
Features: request types; response time & threshold; grouping
Logging
Objective: view of ISA traffic activities
Features: real-time mode; historical view; powerful query mechanism
Reports
Objective: comprehensive set of server activity reports
Features: recurring reports; report categories; email notification; report publishing
High Performance: proven ability to maximize application layer filtering speeds
ISA Server 2004 New Features: Continued commitment to integration
• Enhanced architecture: high speed data transport; utilizes latest Windows and PC hardware; SSL bridging unloads downstream servers
• Web cache: updated policy rules; serve content locally; pre-fetch content during low activity periods
• Internet access control: user- and group-based Web usage policy; extensible by third parties
Performance
• Optimized performance architecture: optimized for real life usage scenarios; raw throughput measured using HTTP+NAT benchmark; kernel-mode data pump and user-mode optimizations; scale up with additional CPUs
Network Computing magazine application-level firewalls review (3/03), full inspection performance [Mbps]:
Symantec FW 7.0: 67
Sidewinder: 122
Checkpoint NG FP3: 127
ISA 2000 FP1: 170
Raw throughput performance [Mbps]:
ISA 2000 (Dec 2000): 282
ISA 2004 (Today): 1.59 Gbps *
* Beta results
How? Design improvements; IP stack improvements; hardware improvements
Questions?
© 2003 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY.