Securing the Network Perimeter with ISA Server 2004

Transcript and Presenter's Notes

1
Securing the Network Perimeter with ISA Server 2004
  • Ravi Sankar
  • IT Professional Evangelist
  • Microsoft

2
Session Prerequisites
  • Hands-on experience with Microsoft Windows Server
  • Basic understanding of internal and remote
    network security fundamentals
  • Experience implementing network resources such as
    Web servers, FTP servers, and computers running
    Microsoft Exchange Server

Level 200
3
Session Overview
  • Introduction to ISA Server 2004
  • Securing Access to Internal Servers
  • Implementing Application and Web Filtering
  • Securing Access to Exchange Server
  • Virtual Private Networking with ISA Server 2004

4
Introduction to ISA Server 2004
  • Introduction to ISA Server 2004
  • Securing Access to Internal Servers
  • Implementing Application and Web Filtering
  • Securing Access to Exchange Server
  • Virtual Private Networking with ISA Server 2004

5
Securing the Network Perimeter: What Are the Challenges?
  • Challenges include
  • Determining proper firewall design
  • Access to resources for remote users
  • Effective monitoring and reporting
  • Need for enhanced packet inspection
  • Security standards compliance

[Diagram: a main office connected through the Internet to a branch office, a business partner, a wireless network and a remote user]
6
Securing the Network Perimeter: What Are the Design Options?
[Diagram of the three design options: bastion host (a single firewall between the internal network and the Internet); three-legged configuration (internal network, perimeter network containing the Web server, and the Internet on separate interfaces); back-to-back configuration (internal network, perimeter network and the Internet)]
7
Configuring ISA Server to Secure the Network Perimeter
  • Use ISA Server to
  • Provide firewall functionality
  • Publish internal resources such as Web or Exchange servers
  • Implement multilayer packet inspection and filtering
  • Provide VPN access for remote users and sites
  • Provide proxy and caching services

[Diagram: ISA Server placed between the LAN (Web server, Exchange server, internal user) and the Internet, acting as firewall, VPN server and proxy for a remote user and for access to an external Web server]
8
Installing ISA Server 2004
Requirements:
  • Operating system: Windows 2000 Server or Windows Server 2003
  • CPU: 500 MHz
  • RAM: 256 MB
  • Hard disk space: 150 MB
  • Hard disk format: NTFS
  • Network adapters: external NIC and internal NIC
Installation:
  • Choose an installation type and installation components
  • Configure the internal network

9
What Is the ISA Server 2004 Default Configuration?
The ISA Server default configuration blocks all network traffic between networks connected to ISA Server
  ✓ Only members of the local Administrators group have administrative permissions
  ✓ Default networks are created
  ✓ Access rules include system policy rules and the default access rule
  ✓ No servers are published
  ✓ Caching is disabled
  ✓ The Firewall Client Installation Share is accessible if installed
10
Managing ISA Server 2004
11
Monitoring ISA Server 2004
12
Configuring Access Rules
  • Types of access rule elements used to create
    access rules are
  • Protocols
  • User sets
  • Content types
  • Schedules
  • Network objects

13
Configuring ISA Server to Enable Access to Internet Resources
[Diagram: an internal client's requests pass through ISA Server, acting as proxy server, to a Web server on the Internet]
14
Implementing Network Templates to Configure ISA Server 2004
[Diagram mapping each design option to the network template that implements it]
  • Bastion host: deploy the Edge Firewall template
  • Three-legged configuration (internal network, perimeter network with the Web server, Internet): deploy the 3-Leg Perimeter template
  • Back-to-back configuration (internal network, perimeter network, Internet): deploy the Front End or Back End template
  • Web proxy and caching only: deploy the Single Network Adapter template
15
Demonstration 1: Applying a Network Template
  • Use a network template to configure ISA Server
    2004 as an edge firewall

16
Deploying ISA Server 2004: Best Practices
To deploy ISA Server to provide Internet access
  • Plan for DNS name resolution
  • Create the required access rule elements and
    configure the access rules
  • Plan the access rule order
  • Implement the appropriate authentication
    mechanisms
  • Test access rules before deployment
  • Deploy the Firewall Client for maximum security
    and functionality
  • Use ISA Server logging to troubleshoot Internet
    connectivity issues
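
The two deployment points most often got wrong are the access rule elements and the rule order: ISA Server evaluates access rules top to bottom, the first match decides, and the default rule (deny all) sits last, so a permissive rule placed above a restrictive one silently shadows it. The following Python model is an added illustration written for this transcript, not ISA Server code; it models the element types from slide 12 (protocols, user sets, content types, schedules, network objects) and first-match evaluation with a constructed policy, rule names, networks and requests.

```python
"""Model of ISA Server access-rule evaluation (added example, not ISA code).

Rules are built from the element types the session lists (protocols, user
sets, content types, schedules, network objects) and are evaluated in order:
the first matching rule decides, and the built-in default rule, which denies
all traffic, sits last. Rule names, networks and requests are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                             # "allow" or "deny"
    protocols: frozenset = frozenset()      # empty = all protocols
    user_sets: frozenset = frozenset()      # empty = All Users
    content_types: frozenset = frozenset()  # empty = all content
    schedule: tuple = None                  # (start_hour, end_hour) or None = always
    sources: tuple = ()                     # network objects; empty = anywhere
    destinations: tuple = ()


def _in_networks(ip, networks):
    return not networks or any(ip_address(ip) in ip_network(n) for n in networks)


def _in_schedule(hour, schedule):
    return schedule is None or schedule[0] <= hour < schedule[1]


def matches(rule, req):
    """True when every element of the rule is satisfied by the request."""
    return (
        (not rule.protocols or req["protocol"] in rule.protocols)
        and (not rule.user_sets or bool(rule.user_sets & req["user_sets"]))
        and (not rule.content_types or req.get("content_type") in rule.content_types)
        and _in_schedule(req["hour"], rule.schedule)
        and _in_networks(req["src_ip"], rule.sources)
        and _in_networks(req["dst_ip"], rule.destinations)
    )


# The default rule matches everything, so it fires only when nothing above it did.
DEFAULT_RULE = Rule("Default rule", "deny")


def evaluate(rules, req):
    """Return (action, rule name) for the first rule that matches; default rule last."""
    for rule in (*rules, DEFAULT_RULE):
        if matches(rule, req):
            return rule.action, rule.name
    raise AssertionError("unreachable: the default rule matches all traffic")


# Constructed policy: block executable downloads first, then allow Web access
# for the Employees user set during working hours from the Internal network.
POLICY = (
    Rule("Deny executable downloads", "deny",
         protocols=frozenset({"HTTP", "HTTPS"}),
         content_types=frozenset({"application/octet-stream"})),
    Rule("Allow Web for Employees", "allow",
         protocols=frozenset({"HTTP", "HTTPS"}),
         user_sets=frozenset({"Employees"}),
         schedule=(8, 18),
         sources=("10.0.0.0/8",)),
)


def sample_request(**overrides):
    """Constructed outbound request from an internal client; any field can be overridden."""
    req = {"protocol": "HTTP", "user_sets": frozenset({"Employees"}),
           "content_type": "text/html", "hour": 10,
           "src_ip": "10.1.2.3", "dst_ip": "203.0.113.10"}
    req.update(overrides)
    return req


if __name__ == "__main__":
    print(evaluate(POLICY, sample_request()))
    print(evaluate(POLICY, sample_request(content_type="application/octet-stream")))
    print(evaluate(POLICY, sample_request(hour=22)))
    # Same two rules in the opposite order: the allow rule now shadows the deny rule.
    print(evaluate(POLICY[::-1], sample_request(content_type="application/octet-stream")))
```

The last call is the case the "plan the access rule order" bullet warns about: with the allow rule moved above the deny rule, the executable download is allowed even though a rule denying it exists. Testing each rule against representative requests before deployment, as the slide recommends, catches exactly this.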

17
Securing Access to Internal Servers
  • Introduction to ISA Server 2004
  • Securing Access to Internal Servers
  • Implementing Application and Web Filtering
  • Securing Access to Exchange Server
  • Virtual Private Networking with ISA Server 2004

18
Securing Access to Internal Servers: What Are the Challenges?
The challenges vary depending on the type of access that is required
Access to public Web sites
  • Ensure that only the specified Web sites are accessible
  • Filter traffic at the application layer
  • Hide the complexity of the internal network

Access to secure Web sites
  • Enable authentication
  • Enable data encryption

Access to non-Web resources
  • Ensure that only the specified servers are accessible
  • Filter traffic at the application layer
What Is ISA Server Publishing?
ISA Server enables three types of publishing
rules
  • Web publishing rules for publishing Web sites
    using HTTP
  • Secure Web publishing rules for publishing Web
    sites that require SSL for encryption
  • Server publishing rules for publishing servers
    that do not use HTTP or HTTPS

20
Implementing ISA Server Web Publishing Rules

To create a Web publishing rule, configure
  • Action
  • Name or IP address
  • Users
  • Traffic source
  • Public name
  • Web listener
  • Path mappings
  • Bridging
  • Link translation
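
Two of the rule elements above, path mappings and link translation, are where the "hide the complexity of the internal network" goal from slide 18 is actually delivered: the public name and path a client uses are mapped onto the internal server, and internal host names in the returned pages are rewritten so they never reach the client. The following Python model is an added example written for this transcript, not ISA Server code; the host names, path mappings and sample response are constructed.

```python
"""Model of two Web publishing rule elements, path mappings and link
translation (added example, not ISA Server code). A request for the public
name is mapped to the internal server, and absolute links in the response are
rewritten so the internal name and internal paths are not exposed. All host
names, paths and the sample response body are constructed.
"""
import re
from dataclasses import dataclass
from urllib.parse import urlsplit, urlunsplit


@dataclass(frozen=True)
class WebPublishingRule:
    name: str
    public_name: str        # name clients use, bound to the Web listener
    internal_server: str    # name or IP address of the published server
    path_mappings: dict     # external path prefix -> internal path prefix
    link_translation: bool = True


def map_request(rule, public_url):
    """Translate a client URL into the URL ISA Server would request internally.

    Returns None when the host does not match the rule's public name or no path
    mapping applies; in the model that means the rule does not fire.
    """
    parts = urlsplit(public_url)
    if (parts.hostname or "").lower() != rule.public_name.lower():
        return None
    # Longest external prefix first, so "/apps/" wins over "/".
    for external, internal in sorted(rule.path_mappings.items(), key=lambda kv: -len(kv[0])):
        if parts.path.startswith(external):
            internal_path = internal + parts.path[len(external):]
            return urlunsplit(("http", rule.internal_server, internal_path, parts.query, ""))
    return None


def translate_links(rule, body, public_scheme="https"):
    """Rewrite absolute links to the internal server into links to the public name,
    reversing the path mapping so the client sees only external paths."""
    if not rule.link_translation:
        return body
    # Longest internal prefix first when mapping paths back to their external form.
    reverse = sorted(rule.path_mappings.items(), key=lambda kv: -len(kv[1]))
    # Match scheme://internal_server followed by an optional path; the lookahead
    # stops "webapp01.corp.example" from matching inside a longer host name.
    pattern = re.compile(
        r"https?://" + re.escape(rule.internal_server) + r"(?![\w.-])(/[^\s\"'<>]*)?",
        re.IGNORECASE,
    )

    def rewrite(match):
        path = match.group(1) or "/"
        for external, internal in reverse:
            if path.startswith(internal):
                path = external + path[len(internal):]
                break
        return f"{public_scheme}://{rule.public_name}{path}"

    return pattern.sub(rewrite, body)


# Constructed rule: the public site www.example.com fronts an internal server.
RULE = WebPublishingRule(
    "Publish intranet portal", "www.example.com", "webapp01.corp.example",
    {"/apps/": "/internal/apps/", "/": "/"},
)

# Constructed response body as the internal server would return it.
SAMPLE_BODY = ('<a href="http://webapp01.corp.example/internal/apps/report?id=1">Report</a> '
               '<a href="http://webapp01.corp.example/">Home</a>')


if __name__ == "__main__":
    print(map_request(RULE, "https://www.example.com/apps/report?id=1"))
    print(map_request(RULE, "https://other.example.com/apps/report"))
    print(translate_links(RULE, SAMPLE_BODY))
```

Without link translation the second link in the sample would hand the client the internal host name, which is exactly the information a publishing rule is meant to hide.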

21
Implementing ISA Server Secure Web Publishing Rules

To create a secure Web publishing rule
  • Choose an SSL bridging mode or SSL tunneling
  • Install a digital certificate on ISA Server, on a
    Web server, or on both
  • Configure a Web listener for SSL
  • Configure a secure Web publishing rule

22
Demonstration 2: Configuring a Secure Web Publishing Rule
  • Configure a secure Web publishing rule to an
    internal Web server

23
Implementing Server Publishing Rules
24
Securing Access to Internal Servers: Best Practices
25
Implementing Application and Web Filtering
  • Introduction to ISA Server 2004
  • Securing Access to Internal Servers
  • Implementing Application and Web Filtering
  • Securing Access to Exchange Server
  • Virtual Private Networking with ISA Server 2004

26
Firewall Requirements: Multiple-Layer Filtering
27
Application and Web Filters in ISA Server 2004
Application filters
  • Are add-ons to the firewall service
  • Enable firewall traversal for complex protocols
  • Enable application-layer intrusion detection
  • Enable application-layer content filtering

28
Implementing HTTP Web Filtering in ISA Server 2004
Use HTTP Web filtering to
  • Filter traffic from internal clients to other
    networks
  • Filter traffic from Internet clients to internal
    Web servers

HTTP Web filtering is rule-specific: you can configure different filters for each access or publishing rule
29
Demonstration 3: Application Filtering in ISA Server 2004
  • Edit the default application filtering that is
    performed by ISA Server 2004

30
Implementing the HTTP Web Filter: Best Practices
To configure a baseline HTTP filter
  • Configure maximum header, payload, URL, and query
    lengths
  • Verify normalization, and do not block high-bit
    characters
  • Allow only GET, HEAD, and POST
  • Block executable and server-side includes
    extensions
  • Block potentially malicious signatures

Use the HTTPFilterConfig.vbs script from the ISA
Server CD to import and export HTTP filter
configurations
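
To make the five baseline controls concrete, the following Python model applies them to raw HTTP requests and reports which control each request trips. It is an added example written for this transcript, not the ISA Server HTTP filter or the HTTPFilterConfig.vbs script; the length limits, extension list and the signature string are constructed, and the normalization check deliberately leaves high-bit characters alone, as the slide advises.

```python
"""Model of the baseline HTTP filter the session describes (added example, not
the ISA Server HTTP filter). It applies the five baseline controls to a raw
request: length limits, a normalization check that leaves high-bit characters
alone, a method allow-list, blocked extensions and blocked signatures. The
limit values, extension list and signature are constructed for the example.
"""
import re
from os.path import splitext
from urllib.parse import unquote, urlsplit

BASELINE = {  # constructed values, not ISA Server defaults
    "max_header_length": 8192,      # whole header block
    "max_url_length": 2048,         # request target including the query
    "max_query_length": 1024,
    "max_payload_length": 65536,
    "allowed_methods": {"GET", "HEAD", "POST"},
    "blocked_extensions": {".exe", ".dll", ".shtml", ".shtm", ".stm"},
    # (header name, substring) pairs; the User-Agent string is constructed
    "signatures": [("User-Agent", "ConstructedTunnelApp")],
}

_ENCODED = re.compile(r"%[0-9A-Fa-f]{2}")


def parse_request(raw):
    """Split a raw HTTP/1.x request into (method, target, headers, body, head)."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers, body, head


def check_request(raw, policy=BASELINE):
    """Return the list of baseline violations; an empty list means the request passes."""
    method, target, headers, body, head = parse_request(raw)
    violations = []
    if len(head) > policy["max_header_length"]:
        violations.append("header block too long")
    if len(target) > policy["max_url_length"]:
        violations.append("URL too long")
    parts = urlsplit(target)
    if len(parts.query) > policy["max_query_length"]:
        violations.append("query too long")
    if len(body) > policy["max_payload_length"]:
        violations.append("payload too long")
    # Normalization: decode once; if escape sequences remain the path was encoded
    # twice, which is what "verify normalization" rejects. Non-ASCII characters
    # in the decoded path are not a violation.
    decoded_path = unquote(parts.path)
    if _ENCODED.search(decoded_path):
        violations.append("URL is not normalized (double encoding)")
    if method not in policy["allowed_methods"]:
        violations.append(f"method {method} not allowed")
    if splitext(decoded_path)[1].lower() in policy["blocked_extensions"]:
        violations.append("blocked extension")
    for header, needle in policy["signatures"]:
        if needle in headers.get(header.lower(), ""):
            violations.append(f"signature match in {header}")
    return violations


# Constructed sample requests, one per control plus two that should pass.
SAMPLES = {
    "plain_get": "GET /docs/index.html HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: Mozilla/5.0\r\n\r\n",
    "high_bit": "GET /docs/r%C3%A9sum%C3%A9.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    "exe": "GET /downloads/setup.exe HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    "double_encoded": "GET /docs/report%252Epdf HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    "put": "PUT /docs/new.html HTTP/1.1\r\nHost: www.example.com\r\nContent-Length: 5\r\n\r\nhello",
    "tunnel": "GET / HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: ConstructedTunnelApp/1.0\r\n\r\n",
    "long_url": "GET /" + "a" * 3000 + " HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
}


if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:15s} {check_request(raw) or 'pass'}")
```

The "high_bit" sample is the case the slide singles out: an accented file name arrives percent-encoded, decodes cleanly, and passes, while the double-encoded sample still contains an escape sequence after one decode and is rejected.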
31
Securing Access to Exchange Server
  • Introduction to ISA Server 2004
  • Securing Access to Internal Servers
  • Implementing Application and Web Filtering
  • Securing Access to Exchange Server
  • Virtual Private Networking with ISA Server 2004

32
Secure Client Access to Exchange Server: What Are the Challenges?
[Diagram of the client access paths to Exchange through ISA Server: Outlook Mobile Access (XHTML, cHTML, HTML) and ActiveSync-enabled mobile devices over a wireless network; Outlook Web Access; Outlook using RPC; Outlook using RPC over HTTP; Outlook Express using IMAP4 or POP3. ISA Server sits in front of the Exchange front-end server, which connects to the Exchange back-end servers]
33
Configuring Secure Outlook RPC Client Access
[Diagram: an Outlook client connecting through ISA Server on port 135 to the Exchange servers, with the Exchange RPC interfaces labelled "Exchange UUID 2000" and "Exchange UUID 3000"]
Use the mail server publishing rule to enable Outlook RPC connections
34
Configuring RPC over HTTP Client Access
RPC over HTTP requires
  • Outlook 2003 running on Windows XP
  • Exchange Server 2003 running on Windows Server
    2003 and Windows Server 2003 global catalog
    servers
  • Windows Server 2003 server running RPC proxy
    server
  • Modifying the Outlook profile to use RPC over
    HTTP to connect to the Exchange server

To enable RPC over HTTP connections through ISA Server, use the Secure Web Publishing Wizard to publish the /rpc/ virtual directory
35
Configuring ISA Server for Outlook Web Access
To configure ISA Server to enable OWA access
  1. Use the Mail Server Publishing Wizard to publish the OWA server
  2. Configure a bridging mode. For best security, secure the connection from client to ISA Server and from ISA Server to OWA server
  3. Configure a Web listener for OWA publishing. Choose forms-based authentication for the Web listener
Forms-based authentication ensures that user credentials are not stored on the client computer and can be used to block access to attachments
36
Demonstration 4: Configuring Outlook Web Access
  • Configure an OWA publishing rule and forms-based
    authentication

37
Securing Access to Exchange Server: Best Practices
  ✓ Enable Outlook RPC connections for pre-Exchange Server 2003 and Outlook 2003 environments
  ✓ Use forms-based authentication on ISA Server for OWA
  ✓ Implement RPC over HTTP with SSL
  ✓ Explore the use of additional ISA Server features to protect computers running Exchange Server
  ✓ Consider third-party add-ons for ISA Server to protect computers running Exchange Server
38
Virtual Private Networking with ISA Server 2004
  • Introduction to ISA Server 2004
  • Securing Access to Internal Servers
  • Implementing Application and Web Filtering
  • Securing Access to Exchange Server
  • Virtual Private Networking with ISA Server 2004

39
Virtual Private Networking: What Are the Challenges?
VPNs provide a secure option for communicating across a public network. VPNs are used in two primary scenarios
  • Network access for remote clients
  • Network access between sites

VPN quarantine control provides an additional level of security by providing the ability to check the configuration of the VPN client machines before allowing them access to the organization's network
40
Enabling Virtual Private Networking with ISA Server
ISA Server enables VPN access
  • By including remote-client VPN access for
    individual clients and site-to-site VPN access to
    connect multiple sites
  • By enabling VPN-specific networks, including
  • VPN Clients network
  • Quarantined VPN Clients network
  • Remote-site network
  • By using network and access rules to limit
    network traffic between the VPN networks and the
    other networks with servers running ISA Server
  • By extending RRAS functionality

41
Enabling VPN Client Connections
To enable VPN client connections
  • Choose a tunneling protocol
  • Choose an authentication protocol
  • Use MS-CHAP v2 or EAP if possible
  • Enable VPN client access in ISA Server Management
  • Configure user accounts for remote access
  • Configure remote-access settings
  • Configure firewall access rules for the VPN
    Clients network

42
Implementing Site-to-Site VPN Connections
To enable site-to-site VPN connections
  • Choose a tunneling protocol
  • Configure the remote-site network
  • Configure network rules and access rules to
    enable
  • open communications between networks, or
  • controlled communications between networks
  • Configure the remote-site VPN gateway

43
How Does Network Quarantine Work?
[Diagram: a remote client connects to ISA Server and is placed in the VPN Quarantine Clients network; the quarantine remote access policy runs the quarantine script, RQC.exe reports the result to ISA Server, and a compliant client is moved to the VPN Clients network, which has access to the Web server, domain controller, DNS server and file server]
44
Implementing Network Quarantine
To implement quarantine control on ISA Server
  1. Create a client-side script that validates client configuration
  2. Use CMAK to create a CM profile for remote-access clients
  3. Create and install a listener component
  4. Enable quarantine control on ISA Server
  5. Configure network rules and access rules for the Quarantined VPN Clients network
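
The following Python model walks a client through the quarantine flow just described: the client-side script from step 1 validates the machine, the result is handed to the listener from step 3, and the client is either released to the VPN Clients network or kept in the Quarantined VPN Clients network, where the access rules from step 5 allow only the servers needed to become compliant (the point of the "provide quarantined VPN clients with the means to meet the security requirements" best practice on slide 46). It is an added example written for this transcript, not the ISA Server, RQC.exe or CMAK components; the checks, the shared version string, the timeout and the remediation host roles are constructed, and packaging the script into a CM profile (step 2) is not modelled.

```python
"""Model of the VPN quarantine flow (added example, not the ISA Server, RQC or
CMAK components themselves). The client-side script checks the machine, the
RQC step reports a version string to the listener, and the listener decides
whether the client leaves the Quarantined VPN Clients network. The checks,
the version string, the remediation hosts and the timeout are constructed.
"""

SCRIPT_VERSION = "corp-vpn-check-v2"   # constructed: shared by script and listener
QUARANTINE_TIMEOUT_S = 120             # constructed: maximum time a client may stay quarantined


def client_script(state):
    """Step 1: validate the client configuration; return the list of failed checks."""
    failures = []
    if not state.get("firewall_enabled"):
        failures.append("host firewall disabled")
    if state.get("av_signature_age_days", 999) > 7:
        failures.append("antivirus signatures older than 7 days")
    if state.get("missing_critical_updates", 1) > 0:
        failures.append("critical updates missing")
    return failures


def client_report(state):
    """Step 1, continued: the string the script hands to RQC.exe, or None if a check failed."""
    return None if client_script(state) else SCRIPT_VERSION


def listener_decide(message, seconds_in_quarantine, expected=SCRIPT_VERSION):
    """Steps 3 and 4 (modelled): the listener releases the client to the VPN
    Clients network only when the expected version string arrives before the
    timeout; otherwise the client stays quarantined or is disconnected."""
    if seconds_in_quarantine > QUARANTINE_TIMEOUT_S:
        return "disconnected"
    if message == expected:
        return "VPN Clients"
    return "Quarantined VPN Clients"


# Step 5: access rules for the Quarantined VPN Clients network allow only the
# servers a client needs in order to become compliant (constructed host roles).
QUARANTINE_ACCESS = {
    "dns-server": "allow",
    "update-server": "allow",
    "antivirus-server": "allow",
}


def quarantine_access(destination_role):
    """Action for traffic from a quarantined client to a server with the given role."""
    return QUARANTINE_ACCESS.get(destination_role, "deny")


def connect(state, seconds_elapsed=5):
    """Run the whole flow for one client and return the network it ends up in."""
    return listener_decide(client_report(state), seconds_elapsed)


# Constructed client states.
COMPLIANT = {"firewall_enabled": True, "av_signature_age_days": 2, "missing_critical_updates": 0}
STALE_AV = dict(COMPLIANT, av_signature_age_days=30)


if __name__ == "__main__":
    print(connect(COMPLIANT))                    # VPN Clients
    print(client_script(STALE_AV), connect(STALE_AV))
    print(quarantine_access("antivirus-server"), quarantine_access("file-server"))
```

A client with stale signatures stays quarantined but can still reach the antivirus server, so it can fix the failing check and reconnect; a client that never reports within the timeout is disconnected rather than left in the quarantined network indefinitely.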
45
Demonstration 5: Configuring Site-to-Site VPN Connections
  • Configure ISA Server on one site to enable
    site-to-site VPN connections

46
Configuring VPN Access Using ISA Server: Best Practices
  ✓ Use strongest possible authentication protocols
  ✓ Enforce the use of strong passwords when using PPTP
  ✓ Avoid the use of pre-shared keys for L2TP/IPSec
  ✓ Configure access rules to control access for VPN clients and site-to-site VPN connections
  ✓ Use access rules to provide quarantined VPN clients with the means to meet the security requirements
47
Session Summary
  ✓ ISA Server 2004 is secure by default because it blocks all traffic; configure access rules to provide the fewest possible access rights
  ✓ Many applications now use HTTP as a tunneling protocol; use HTTP filtering to block the applications
  ✓ Implementing Outlook RPC publishing and RPC over HTTP publishing means that users can use Outlook from anywhere
  ✓ Implement ISA Server publishing rules to make internal resources accessible from the Internet
  ✓ Use access rules to limit access for VPN remote-access clients, site-to-site VPN clients, and network quarantine clients
48
Next Steps
  • Find additional security training events
  • http://www.microsoft.com/seminar/events/security.mspx
  • Sign up for security communications
  • http://www.microsoft.com/technet/security/signup/default.mspx
  • Attend Course 2824: Implementing Microsoft Internet Security and Acceleration Server 2004
  • http://www.microsoft.com/learning/syllabi/en-us/2824afinal.mspx
  • Get additional security information on ISA Server
  • http://www.microsoft.com/technet/security/prodtech/isa/default.mspx

49
Questions and Answers