Building a Better Firewall - PowerPoint PPT Presentation

Slides: 30
Provided by: thomasws

Transcript and Presenter's Notes

1
Building a Better Firewall
  • Optimizing ISA Server 2000

Thomas W. Shinder, M.D. TACTEAM - DALLAS
2
Firewall Methodologies
  • Packet Filtering
  • Circuit Filtering
  • Application Layer Filtering

3
Packet Filtering
  • Source Address
  • Destination Address
  • Directional
  • Static and Stateful
  • Dynamic Packet Filtering

4
Circuit Filtering
  • Reads Transport Layer Header
  • TCP and UDP Based Protocols
  • Simple and Complex Protocol Sessions
  • Examples: SOCKS and Winsock Proxy

5
Application Layer Filtering
  • Examines Application Layer Headers
  • True Proxying of Requests
  • Example: Web Site/Page Filtering
  • Example: DNS/SMTP/POP3 IDS

6
Firewall Network Architectures
  • Packet Filtering Router
  • Internet Gateway behind Router
  • Screened Host (Bastion Host)
  • Screened Subnet (DMZ)

7
Packet Filtering Router
  • Examines TCP and UDP Headers
  • Supports ICMP Filtering
  • Stateful and Static Filters
  • Directional Conditional Statements
  • Simple Solution

8
Internet Gateway Behind Router
  • Dual or Multihomed Gateway
  • Firewall/Proxy Server
  • Multiple Gateways
  • Multiple Routers with Gateway Sandwich
  • Combine Router Filtering and Gateway Inspection

9
Screened Host (Bastion Host)
  • Protected Host on DMZ
  • Stripped Down Operating System
  • Run Essential Services
  • Router Packet Filters/Host Filtering

10
Screened Subnet (DMZ)
  • Protected by Packet Filtering Router/Firewall
  • Public Services Placed on DMZ
  • Split DNS Servers/SMTP Relay/Public Webs
  • Separate Security Zone!
  • No Trust Between DMZ and CorpNet
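The packet-filtering slides (3 and 7) and the screened-subnet slide above describe three things that are easier to see in code than in bullets: rules that are directional, the difference between a static filter and a stateful one, and a DMZ that gets no trust toward the corporate network. The following is an added example written for this transcript, not code from the presentation or from ISA Server. The zone map, the rule table and the five-packet traffic sample are constructed for the example (RFC 1918 and RFC 5737 sample ranges), and the SYN flag is used as the sole marker of a new TCP connection.

```python
import ipaddress
from dataclasses import dataclass

# Constructed zone map for the example; anything outside these networks is "internet".
ZONES = {
    "corpnet": ipaddress.ip_network("10.0.0.0/8"),
    "dmz": ipaddress.ip_network("192.168.100.0/24"),
}

def zone_of(addr: str) -> str:
    ip = ipaddress.ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "internet"

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str          # "tcp" or "udp"
    sport: int
    dport: int
    syn: bool = False   # TCP SYN without ACK, i.e. a new connection attempt

# Directional rules: (initiating zone, destination zone, protocol, destination port).
# A rule permits only sessions *started* from the first zone toward the second.
# There is deliberately no ("dmz", "corpnet", ...) entry: no trust from DMZ to CorpNet.
RULES = {
    ("corpnet", "internet", "tcp", 80),
    ("corpnet", "internet", "tcp", 443),
    ("corpnet", "internet", "udp", 53),
    ("internet", "dmz", "tcp", 80),     # published web server on the DMZ
    ("internet", "dmz", "tcp", 25),     # SMTP relay on the DMZ
    ("corpnet", "dmz", "tcp", 22),      # administration of DMZ hosts
}

def static_allows(pkt: Packet) -> bool:
    """Static (stateless) filter: a packet matches the table in either direction.
    Matching the reply direction on the source port is the only way a stateless
    filter can let answers back in, and it is what makes it weaker than stateful."""
    forward = (zone_of(pkt.src), zone_of(pkt.dst), pkt.proto, pkt.dport)
    reply = (zone_of(pkt.dst), zone_of(pkt.src), pkt.proto, pkt.sport)
    return forward in RULES or reply in RULES

class StatefulFilter:
    """Stateful filter: replies are admitted only for sessions it saw being opened."""

    def __init__(self) -> None:
        self.sessions = set()   # 5-tuples of permitted sessions

    def filter_packet(self, pkt: Packet) -> str:
        fwd = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if fwd in self.sessions or rev in self.sessions:
            return "allow:established"
        if pkt.proto == "tcp" and not pkt.syn:
            # A mid-stream TCP segment with no tracked session is not a new connection.
            return "deny:no-session"
        if (zone_of(pkt.src), zone_of(pkt.dst), pkt.proto, pkt.dport) in RULES:
            self.sessions.add(fwd)
            return "allow:new"
        return "deny:policy"

# Constructed traffic sample, in arrival order.
SAMPLE = [
    Packet("10.1.2.3", "203.0.113.10", "tcp", 51000, 443, syn=True),      # CorpNet browses out
    Packet("203.0.113.10", "10.1.2.3", "tcp", 443, 51000),                # the reply
    Packet("198.51.100.7", "192.168.100.5", "tcp", 40000, 80, syn=True),  # Internet to DMZ web
    Packet("192.168.100.5", "10.1.2.3", "tcp", 33000, 445, syn=True),     # DMZ host into CorpNet
    Packet("198.51.100.7", "10.1.2.3", "tcp", 80, 4444),                  # unsolicited, source port 80
]

def run_sample():
    """Return (stateful decision, static decision) for each packet in SAMPLE."""
    fw = StatefulFilter()
    return [(fw.filter_packet(p), static_allows(p)) for p in SAMPLE]

if __name__ == "__main__":
    for pkt, (stateful, static) in zip(SAMPLE, run_sample()):
        print(f"{pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}  "
              f"stateful={stateful}  static_allows={static}")
```

The last two packets carry the point of the slides: the DMZ host opening a connection into CorpNet is refused by both filters because no rule exists in that direction, but the unsolicited inbound segment with source port 80 is admitted by the static filter (its reply-direction match on the source port cannot tell an answer from a fresh packet) and refused by the stateful one, which never saw a session it could belong to.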

11
ISA Server Best Practices
  • ISA Server Client Best Practices
  • ISA Server Configuration Best Practices
  • Network Services Best Practices

12
ISA Server Client Best Practices
  • SecureNAT Client
  • Firewall Client
  • Web Proxy Client

13
SecureNAT Client
  • Routing Infrastructure
  • DNS Host Name Resolution
  • Protocol Requirements/Expectations
  • Authentication
  • HTTP Redirector

14
Firewall Client
  • DNS Host Name Resolution
  • Deployment
  • Automatic Configuration
  • Autodetection

15
Web Proxy Client
  • DNS Host Name Resolution
  • Automatic Configuration with FW Client
  • Autodetection
  • Autoconfiguration Script
  • HTTP Redirector Filter
  • Backup Routes

16
ISA Server Configuration Best Practices
  • Web Proxy Listeners
  • Site and Content Rules
  • Packet Filters
  • Protocol Rules
  • Web Publishing Rules
  • Server Publishing Rules

17
Web Proxy Listeners
  • Incoming Web Requests Listener
  • Outgoing Web Requests Listener
  • Authentication
  • Certificates

18
Site and Content Rules
  • Anonymous Access Rules
  • Create Exceptions
  • Content Rules HTTP/Tunneled FTP
  • Redirect to Internal Server
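Slide 5 says an application-layer filter examines application-layer headers rather than just addresses and ports, and the site and content rules on this slide are where that shows up in practice: a destination set can be denied with exceptions carved out, and a content rule can apply to anonymous requests while authenticated users pass. The following is an added example for this transcript, not code from the presentation or ISA Server. It parses the head of a proxy-style HTTP request, takes identity from a Basic `Proxy-Authorization` header (no password is checked, which is a simplification of the example), and evaluates a constructed site rule and content rule. Host names, paths and the sample requests are all constructed.

```python
import base64
import fnmatch
import re
from dataclasses import dataclass
from typing import Optional, Tuple

@dataclass(frozen=True)
class HttpRequest:
    method: str
    host: str
    path: Optional[str]   # None for CONNECT tunnels: the proxy never sees the URL inside
    user: Optional[str]   # None means anonymous (no Proxy-Authorization presented)

def parse_request(raw: bytes) -> HttpRequest:
    """Parse the head of a proxy-style HTTP request (absolute-form, origin-form or CONNECT)."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            k, v = line.split(":", 1)
            headers[k.strip().lower()] = v.strip()
    if method.upper() == "CONNECT":
        host, path = target, None
    else:
        m = re.match(r"https?://([^/]+)(/.*)?$", target)
        if m:                       # absolute-form, as sent to an explicit proxy
            host, path = m.group(1), m.group(2) or "/"
        else:                       # origin-form: the host comes from the Host header
            host, path = headers.get("host", ""), target
    host = host.split(":")[0].lower()
    user = None
    auth = headers.get("proxy-authorization", "")
    if auth.lower().startswith("basic "):
        # Constructed simplification: the user name is taken as identity, nothing is verified.
        user = base64.b64decode(auth[6:]).decode("latin-1").split(":", 1)[0]
    return HttpRequest(method.upper(), host, path, user)

# Constructed policy. Site rule: deny a destination set, with path prefixes excepted.
DENIED_SITES = {"*.example-social.test": ("/company/",)}
# Content rule: anonymous requests may not fetch executables; authenticated users may.
ANON_BLOCKED_EXT = (".exe", ".msi", ".scr")

def decide_request(req: HttpRequest) -> Tuple[str, str]:
    for pattern, exceptions in DENIED_SITES.items():
        if fnmatch.fnmatch(req.host, pattern):
            # A tunnel hides the path, so a path-based exception cannot be honoured.
            if req.path is not None and any(req.path.startswith(e) for e in exceptions):
                break
            return ("deny", "site-rule:" + pattern)
    if req.user is None and req.path is not None:
        if req.path.lower().split("?", 1)[0].endswith(ANON_BLOCKED_EXT):
            return ("deny", "content-rule:anonymous-executable")
    return ("allow", "authenticated" if req.user else "anonymous")

# Constructed sample requests.
SAMPLES = {
    "anon_feed": b"GET http://www.example-social.test/feed HTTP/1.1\r\n"
                 b"Host: www.example-social.test\r\n\r\n",
    "anon_company": b"GET http://www.example-social.test/company/news HTTP/1.1\r\n"
                    b"Host: www.example-social.test\r\n\r\n",
    "anon_exe": b"GET http://downloads.example.test/setup.exe HTTP/1.1\r\n"
                b"Host: downloads.example.test\r\n\r\n",
    "alice_exe": b"GET http://downloads.example.test/setup.exe HTTP/1.1\r\n"
                 b"Host: downloads.example.test\r\n"
                 b"Proxy-Authorization: Basic " + base64.b64encode(b"alice:secret") + b"\r\n\r\n",
    "anon_tunnel": b"CONNECT www.example-social.test:443 HTTP/1.1\r\n"
                   b"Host: www.example-social.test:443\r\n\r\n",
}

def run_samples() -> dict:
    return {name: decide_request(parse_request(raw)) for name, raw in SAMPLES.items()}

if __name__ == "__main__":
    for name, verdict in run_samples().items():
        print(f"{name:13s} {verdict}")
```

A packet filter sees every one of these requests as TCP to port 80 or 443 and cannot tell them apart; the proxy decides on host, path and identity. The tunnel case is the caveat worth remembering: with CONNECT the proxy only learns the host, so a site rule still applies but an exception defined by path cannot, which is why the tunnel to the denied site is refused even though a plain request to its excepted page would be allowed.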

19
Packet Filters
  • Default Packet Filters OK
  • Applications/Services on ISA Server itself
  • Trihomed DMZ Traffic Control
  • Publish DMZ Hosts
  • Not for Outbound Access Control!

20
Protocol Rules
  • Start with Proof of Concept All Open
  • Least Privilege when LIVE
  • User/Group Access for FW Clients
  • Client Address Sets for non-FW Clients
  • Client Address Sets for Servers

21
Web Publishing Rules
  • Best Way to Publish Webs
  • Watch Out for the Dreaded 14120!
  • Send Original Host Header
  • One Listener per Certificate
  • Authentication Options are GLOBAL

22
Server Publishing Rules
  • Create Protocol Definitions First
  • No Port Redirection
  • Proxy 2.0/FW Client Required for Redirection
  • One IP per Published Service

23
Network Services Best Practices
  • DNS
  • WINS
  • DHCP
  • RADIUS

24
DNS
  • Do Not Install on ISA Server!
  • Use Split DNS when Publishing
  • Configure WPAD DNS Entries
  • Keep VPN Clients in Mind
  • Don't Mix Internal and External Zones

25
WINS
  • Do Not Install on ISA Server!
  • Not Required
  • Helps with VPN Client Browsing
  • Helps with FW Client Name Resolution
  • Reduces Overall Network Traffic

26
DHCP
  • Do Not Install on ISA Server!
  • Helpful for VPN Clients
  • Not for ISA Server interfaces
  • Issues with SecureNAT Access Controls

27
RADIUS
  • VPN Clients
  • Web Request Listeners
  • Server Publishing Rules
  • Future Directions

28
Summary
  • ISA Server is a REAL Enterprise Firewall
  • Planning is Required
  • Security is Configuration Dependent
  • No Firewall Supplants Host Security

29
Do you have a firewall problem?
  • Click on the Ask-a-Question button on the left
    side of your presentation screen.