??????--- ISA Server ??????????

1
??????--- ISA Server??????????
MICROSOFT
2
INTRUCTIONS
?? Aaron. Alone ISA SERVER ????
3
ISA ?????Secure, fast Internet connectivity
Security
Secure Internet Connectivity Through a
Multilayered Firewall
Acceleration
Fast Web Access with a High-Performance Cache
Management
Unified Management with Integrated Administration
Extensibility
Extensible and Open Platform
4
The ISA Initiative
5
Perimeter Network with Three-Homed Firewall
Perimeter Network
Internet
Firewall
Internal Network
6
Perimeter Network with Back-to-Back Firewalls
Perimeter Network
Internet
ISA SRV
ISA SRV
7
??????????

• 1 ???Internet??
• 2 ???Web??
• 3 ????????
• 4 ?????????

8
??1 ???Internet??

• ??????????? (Multilayer)
• ?????? (Intrusion Detection)
• ??DMZ? (DMZ Zone)
• ??????? (Server Publishing)
• ???VPN?? (Integration VPN)
• ??????? (Dynamic Filter)
• ??NAT
• ?????? (System Harden)
• ??????

9
???????????

• ???? ??????
• IP?
• ????
• ??????
• ???
• ???????
• ???????
• ???
• ???????

??? Applicationlevel
??? Circuitlevel
IP? Packetlevel
10
IP???
IP Header
Payload
UDP/TCP HDR
Src
Dst
payload
port

• ??IP????
• ??IP???

11
????????
???
???

• ??????????
• ???????????

12
????????
Internet
Client
Company server

• ????
• ??????????
• ?????????

13
Filters and Network Access
Access Policy Allow ?HTTP ?All
Destinations?
Rules Applied
Streaming Media SMTP DNS Intrusion
Streaming Media SMTP
?
Firewall
External Network
Internal Network
14
Processing Outgoing Client Requests
Request from internal client
Is there a protocol rule that allows the request?
Is there a site and content rule that allows
the request?
Does a routing rule specify routing to an
upstream server?
No
No
No
Yes
No
No
No
Is there a site and content rule that denies
the request?
Is there a protocol rule that denies the request?
Does an IP packet filterblock the request?
Yes
Yes
Yes
Yes
Yes
Deny request
Retrieve object
Route to upstream server
15
??????Intrusion Detection

• ?????
• All types of Port Scan
• Ping of death
• UDP bomb attack
• WinNuke
• Land attacks
• DNS attacks
• POP3 attacks
• Others
• ?????????????

16
Configuring Intrusion Detection
IP Packet Filters Properties
General
Packet Filters
PPTP
Intrusion Detection
DNS intrusion detection filter Properties
General
Attacks
Enable detection of the selected attacks
Select Attacks
Filter incoming traffic for the following
Windows out-of-band (WinNuke) Land Ping of
death IP half scan UDP bomb Port scan
DNS host name overflow DNS length overflow DNS
zone transfer from privileged ports (1-1024) DNS
zone transfer from high ports (above 1024)
Select the options that are required to implement
your monitoring strategy.
Detect after attacks on 10 well-known
ports Detect after attacks on 20 ports
To receive alerts about intrusion attacks, see
the properties for specific alerts in the Alerts
folder. Intrusion detection functionality based
on technology from Internet Security Systems,
Inc., Atlanta, GA, USA, www.iss.net
OK
Cancel
Apply
OK
Cancel
Apply
17
?????????????

1. ??????
2. ????
3. ?????????
4. ???????
5. ???????

18
ISA ?Proxy2.0???????

• ISA
• ?????????, ?????IIS???
• ????????????????(???Secure NET ???)
• ???????? (Port Mapping)
• ??SSL???? (SSL Bridging)

• Proxy2.0
• ??IIS ??
• ???????????Proxy Client.
• ???SSL????

19
Publishing
Internal Network
External Adapter
Internal Adapter
131.107.3.1
Internet
192.168.9.1
Web Server
www.bjwne.com
20
Publishing a Web Server
www.nwtraders.msft/africa
www.nwtraders.msft/europe
Internet
ISA Server
europe.internal.nwtraders.msft
africa.internal.nwtraders.msft
Internal Network
21
Publishing a Mail Server
Select to apply content filtering to incoming
SMTP traffic.
22
Network Load Balancing
ISA Server Array
Internet
Published Server
23
??2 ???Web??

• ??????????
• ???? (RAM caching)
• ???????????
• ???? (Array CARP)
• ????????

24
?????
????
Internal Network
Internet
????
Internet
Web Server
?????
Internal Network
Internet
25
The Forward Caching Process
2
GET www.bjwne.com
Internet
3
Object is sent from Internet
5
Object is sent from cache
ISA Server
Cache
1
GET www.bjwne.msft
4
GET www.bjwne.msft
Client 1
Client 2
26
Reverse Caching (??? ??)
?? Web?????
ISA ?? Web ?????
27
??????????

• ????????????
• ???????Proxy2.0
• ??????????
• http//www.measurement-factory.com/results/

28
RAM Caching
RAM
http//URL A
http//URL A
Cache Entry 1
Disk
29
???????????

• ?TTL???
• ISA???????????
• ISA???????????
• ??????Internet?????????????????

30
??3????????

• ?????????
• ???????????
• ?????Win2000??????
• ??MMC?????
• ?????, ????
• ????????
• ??????(QoS)
• ??????
• ???????

31
?????????

• ?????(Rule)????
• Firewall
• Cache
• integrated
• ???????
• ????????????
• ???????????
• ???Win2000??????

32
???????????

• ?????
• Enterprise
• Array
• Stand-alone
• ????
• ??
• ??
• ??

33
???????????????
34
Combining Enterprise Policies and Array Policies

Select this option to allow array-level settings.
35
Cach Arry Routing Protocol
Array Membership List
Server 1 Server 2Server 3Server 4 Server 5
Internet
array.dll?Get.Info.v1
Web Proxy Client
36
Configuring CARP
LONDON Properties
LONDON Properties
General
Array Memberships
Identification
Use the same listener configuration for all
internal IP addresses. Configure listeners
individually per IP address
Intra-array communication
Use this IP address for intra-array communication
Server IP Address Display N Authentic Server C
LONDON ltAll inter Integrated
Find
131 . 107 . 3 . 1
Add
Remove
Edit
Load Factor
TCP port 8080 SSL port 8443
Specify the load factor for this server. This
number indicates the relative cache availability
of this server compared to the rest of the array
members
Enable SSL listeners
Connections
100
Connection settings
Configure
Type a number to set the load factor.
Ask unauthenticated users for identification Resol
ve requests within array before routing
Select to enable CARP.
OK
Cancel
Apply
OK
Cancel
Apply
37
ISA ??????

• 3??????
• Web Proxy Client
• Secure NAT Client
• Firewall Client

38
Internet
SecureNAT Client Do not require you to deploy
client software or configure client computers.
ISA Server
Web Proxy Client Improve the performance of Web
requests for internal clients.
Firewall Client Allow Internet access only for
authenticated users.
39
ISA Client
40
??????

• ???????????
• ????????
• ??????
• ??????
• ??????????
• ?????????????????
• ?????????????

41
ISA Server Alert Events
Intrusion detected Properties
General
Events
Actions
Name Intrusion detected
Description An external user attempted an
intrusion atta(optional)
Enable
OK
Cancel
Apply
42
Configuring Alerts
Intrusion detected Properties
Intrusion detected Properties
General
Events
Actions
General
Events
Actions
Event Intrusion detected Description An
intrusion was attempted by an external Additional
condition Any intrusion
Send e-mail
Browse
SMTP server europe.london.msft To administrator_at_
nwtraders.msft Cc From administrator_at_nwtraders.m
sft
Actions will be executed when the selected
conditions occur
Test
Number of occurrences before the alert is
issued 1 Number of events per second before the
alert is issued 0
Program
Run this program
Recurring actions are performed
Browse
Immediately After manual reset of alert If time
since last execution is more than minutes
Set Account
Use this account
Report to Windows 2000 event log Stop selected
services Start selected services
Select
Select
OK
Cancel
Apply
OK
Cancel
Apply
ISA Administrator
43
ISA????????

• ???????
• Summary
• Web usage
• App usage
• Traffic
• Security
• ? HTML????
• ???????

44
Managing the EnvironmentComprehensive Reporting
Capabilities
Web-based report on top users
45
Monitoring Real-Time Activity

• Viewing and Disconnecting ISA Server Sessions
• Using Performance Objects
• Monitoring H.323 Gatekeeper Sessions

46
??4?????????

• ???????????
• ??????Web filters
• ????????COM????
• ??Cache ??????API
• ????UI (MMC)
• ??SDK???

47
What is ISA server?

• ISA Server ???????
• ???????????????

48
Microsoft ISA Server 2000????????????
?? ??? ???
??????? ???? ???????
??????(policy support) ????? ?????
????? 4?CPU ???
Web?? Web?? Web??
???? ?????? ???????
?????????? ???? ??
????? ????? ?????
?Windows 2000 Active Directory?? ?? ??
?????? ? ?
??????? ? ?
49
Firewall Product Comparison
Microsoft ISA Server Check Point FW-1 Cisco PIX Symantec Raptor NAI Gauntlet
Packet Filtering Stateless, Stateful Stateless, Stateful Stateless, Stateful Stateless, Stateful Stateless, Stateful
Network Address Translation ? ? ? ? ?
Application Level Proxy ? Limited Limited ? ?
Centralized Policy Management ? ? Limited Limited ?
Integrated Web Cache ? ? ? ? ?
Embedded Intrusion Detection ? separate separate separate ?
Embedded VPN ? ? Limited ? ?
Bandwidth Management ? separate separate separate separate
Built-in Reporting ? separate Limited ? ?
50
ISA???

• ???BSH (owned by Bosch and Siemens, 3rd largest
  WW appliance manufacturer)
• 37000 employees
• DMZ Firewall, Internal Firewall
• NSCP -gt ISA Reliability, performance,
  Authentication
• ????Shell
• 75,000 Win2k desktops running ISA firewall client
• 6 ISA servers be deployed on Win2k DC in 3 data
  centers around the world.
• Evaluating ISA over Firewall-1
• ?????Celestial Asia Securities Holdings (Cash)
• Win over Firewall-1 for e-commerce scenario
  (publishing)
• Win over PIX for DMZ scenario (secure internet
  access)
• ???University of Texas( ????)
• ISA in production as Firewall 10K users

51
ISA ?????

• ????????
• ??????????
• ?????????
• ???????????
• ????????????
• ?????????, ????
• ????????
• ?? ?????

52
ISA Server It is not alone
53
A Community of ISVs
54
??????
????? ?? TEL 82625355 62527162
62610585
E-Mail aaronalone_at_bjwne.com