ISA Server (presentation transcript)
Posted on 06-Feb-2018
© 2005 Microsoft Corporation. All rights reserved.This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.
ISA Server
Leeven Chang, GJUN CTEK, leevenchang@msn.com
Agenda
- Introduction to ISA Server 2006
- Secure Application Publishing
- Branch Office Protection
- Firewall and Proxy Enhancements
- Monitoring ISA with MOM
[Diagram: Microsoft security platform layers: Guidance, Developer Tools, Systems Management, Active Directory Federation Services (ADFS), Identity Management Services, Information Protection (Encrypting File System (EFS), BitLocker), Network Access Protection (NAP), Client and Server OS, Server Applications, Edge]
ISA Server 2006
- Application Layer Firewall
  - Protects internal resources from the outside
  - Separate from the rest of the network
  - Controls how Internet resources are used
  - Examines each network packet against your rules
- VPN
- Proxy Server
  - Makes network requests and forwards data
  - Caches sites for improved performance
ISA Server 2006 Editions
- ISA Server 2006 Standard Edition
- ISA Server 2006 Enterprise Edition
Appliances
- Preinstalled on optimized hardware
- Partner solutions extend ISA
  - Antivirus gateways, URL filtering, availability
  - Both for Standard and Enterprise Edition
  - Enterprise Edition gets extended NLB and caching functionality
- Support for unattended installation using a USB flash drive
Appliances - Benefits
- Easy deployment
- Everything is tested
- Hardened configuration -> reduced attack surface
- Extra configuration tools and web administration
Advantages of Appliances
- Easier purchase process: no separate software licensing complexity
- Lower cost of deployment
- Plug & Play, Set & Forget
- Controlled components and drivers
- Automated patch management (on some offerings)
- Fewer calls to tech support
- Easy roll-back to factory configuration
- Quick learning curve for IT administrators
- Appliances are the whole solution, not just part
A Traditional Firewall's View of a Packet
- Only packet headers are inspected
- Application layer content appears as a "black box"
[Diagram: packet with IP Header (Source Address, Dest. Address, TTL, Checksum), TCP Header (Sequence Number, Source Port, Destination Port, Checksum), Application Layer Content: ???????? (opaque to the firewall)]
- Forwarding decisions based on port numbers
- Legitimate traffic and application layer attacks use identical ports
[Diagram: Internet to Corporate Network through the firewall, with flows labelled Expected HTTP Traffic, Unexpected HTTP Traffic, Attacks, Non-HTTP Traffic]
ISA Server's View of a Packet
- Packet headers and application content are inspected
[Diagram: packet with IP Header (Source Address, Dest. Address, TTL, Checksum), TCP Header (Sequence Number, Source Port, Destination Port, Checksum), Application Layer Content: <html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><title>MSNBC - MSNBC Front Page</title><link rel="stylesheet" ...]
- Forwarding decisions based on content
- Only legitimate and allowed traffic is processed
[Diagram: Internet to Corporate Network through ISA Server, with flows labelled Allowed HTTP Traffic, Prohibited HTTP Traffic, Attacks, Non-HTTP Traffic]
Multi-Network Support
- Simplify the complexity and administration of managing network security
- Subdivide the network into multiple segments with a single ISA license
- Extend virtual firewall protection across each segment
- Enforce rules on a per-network basis
- Easy setup: network templates
[Diagram: ISA 2006 connecting Internet, VPN, Quarantine VPN, Local Area Network, Net A, DMZ_1 ... DMZ_n, CorpNet_1 ... CorpNet_n]
ISA 2004/2006 Policy Model
- Single, ordered rule base
  - Logical and easier to understand
  - Easy to view and to audit
- Default System Policy
Default System Policy/Lockdown
- System Policy: a default set of access rules applied to the ISA Server itself
- Lockdown mode: protects the operating system when firewall services are offline because...
  - a security event triggers a firewall service shutdown
  - a planned firewall service shutdown
  - an ISA Server reboot
Exploring some basic tasks
Application Publishing
- Use internal resources from the Internet
  - Outlook Web Access
- Publish through one external IP address
- Cached content to external clients
- Supports IIS authentication methods
- Pre-authenticate users
- Path configuration
OWA Publishing
- ISA Server is the host
- ISA terminates all connections
  - Decrypts HTTPS
  - Inspects content
  - Inspects URL against rules
  - Re-encrypts for delivery to OWA
[Diagram: OWA, ISA Server, Exchange and AD; the traffic is shown once as ciphertext (x36dj23s2oipn49v) and once as inspected HTML (<a href…http://...)]
What is Publishing?
- ISA Server impersonates internal servers through a reverse proxy process
  - To make internal sites/services accessible to users outside the corporate network, including partners
  - To add a layer of security at the network edge
[Diagram labels: Exchange, Intranet Web Server, SharePoint, Active Directory, External Web Server, Internal Network, Internet, RADIUS, DMZ, Headquarters, Administrator]
The Solution
[Diagram: Remote User and Hacker reach ISA 2006 over the Internet link; ISA 2006 fronts the Internal Network with Active Directory, SharePoint and an Exchange Farm]
- Single sign-on for access to multiple servers
- Exchange & SharePoint publishing tools
- Automatic translation of links to internal shares
- NTLM, Kerberos authentication support
- Smartcard & one-time password support
- Authentication with Active Directory via LDAP
- Load balancing of server farms
- Pre-authentication so only valid traffic reaches servers
- Strong user/group based access controls
- Inspection of encrypted traffic using SSL Bridging
Branch Office Gateway: Key Differentiating Points
- Easy Integration with Existing Branch Office Infrastructure
- Integrated Application-Layer Firewall Provides Added Protection
- Integrated Cache Functionality Increases Speed
- Integrated S2S VPN Functionality Lowers TCO
- Centralized Management from HQ
Branch Office Performance Improvements
- BITS caching for the Microsoft update platform
  - Reduce the impact of software updates on network bandwidth in the branch office
  - Improve the value of ISA 2006 by reducing days-of-risk in branch office locations
- Compression of HTTP content
  - Compress HTTP content before it goes over the WAN to accelerate Web browsing and improve bandwidth usage
  - Cache compressed and uncompressed content
- Diffserv (Differentiated Services) to prioritize HTTP and HTTPS application traffic
  - Improve response time for critical HTTP and HTTPS applications
  - Determine which traffic has priority over other traffic based on the URL and its configured Diffserv service level
Branch Office Scenario
[Diagram: Headquarters connected to Branch 1, Branch 2 and Branch 3 over leased lines]
Branch Office Gateway
ISA Server 2004/2006 Features:
- Flexible Branch Office Network Topology
- Integrated S2S VPN Gateway
- HTTP Caching
- Distributed Caching & Web Proxy Chaining
- Integrated Firewall
- BITS Caching (complements Windows Server R2 Remote Differential Caching)
[Diagram: the features above mapped to Easy Deployment, Better Protection, Better Management, Lower Connectivity Costs, Bandwidth Optimization]
Enterprise Policies
- Enterprise policies:
  - Multiple "template" policies for an organization
  - Arrays are assigned Enterprise Policies
- Effective policy:
  - Calculated from Enterprise Policies and Array Policies
  - Result: an ordered set of allow/deny rules
Enterprise Policy Structure
An enterprise policy consists of:
- Enterprise rules (before)
- Array policy "Place Holder"
- Enterprise rules (after)
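As an added example (not from the slides and not ISA's own rule syntax), the Python below models the policy structure on this slide together with the "view of a packet" slides: the effective policy is composed as enterprise rules (before), the array placeholder, enterprise rules (after) and a closing default deny, then evaluated as one ordered first-match rule base whose rules can test HTTP method and URL length as well as the port. Rule names, the sample rules and the sample requests are constructed for illustration.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

@dataclass(frozen=True)
class Request:
    """TCP header fields plus the application-layer content ISA reconstructs."""
    dst_port: int
    http_method: Optional[str] = None   # None when the traffic is not HTTP
    url: Optional[str] = None

@dataclass(frozen=True)
class Rule:
    name: str
    action: str                                # "allow" or "deny"
    dst_port: Optional[int] = None             # None = any port
    methods: Optional[FrozenSet[str]] = None   # match when the method is in the set
    url_longer_than: Optional[int] = None      # match when the URL exceeds this length

    def matches(self, req: Request, inspect_content: bool) -> bool:
        if self.dst_port is not None and req.dst_port != self.dst_port:
            return False
        if not inspect_content:
            # Header-only view: the payload is a black box, so a rule that
            # depends on application content can never fire.
            return self.methods is None and self.url_longer_than is None
        if self.methods is not None and req.http_method not in self.methods:
            return False
        if self.url_longer_than is not None and len(req.url or "") <= self.url_longer_than:
            return False
        return True

DEFAULT_DENY = Rule("default-deny-all", "deny")

def effective_policy(ent_before: List[Rule], array: List[Rule],
                     ent_after: List[Rule]) -> List[Rule]:
    """Enterprise rules (before) + array policy placeholder + enterprise rules
    (after), closed by the default deny: one ordered allow/deny rule base."""
    return [*ent_before, *array, *ent_after, DEFAULT_DENY]

def evaluate(policy: List[Rule], req: Request,
             inspect_content: bool) -> Tuple[str, str]:
    """Single ordered rule base: the first matching rule decides."""
    for rule in policy:
        if rule.matches(req, inspect_content):
            return rule.action, rule.name
    raise AssertionError("unreachable: the default deny always matches")

# Constructed sample policy: the enterprise admin pins HTTP hygiene rules ahead
# of the array placeholder, so an array-level allow cannot override them.
ENT_BEFORE = [
    Rule("ent-deny-unsafe-methods", "deny", 80, frozenset({"TRACE", "CONNECT"})),
    Rule("ent-deny-long-urls", "deny", 80, url_longer_than=2048),
]
ARRAY = [Rule("array-allow-web", "allow", 80), Rule("array-allow-owa", "allow", 443)]
POLICY = effective_policy(ENT_BEFORE, ARRAY, [])

# Constructed sample traffic: legitimate and unwanted requests share port 80.
EXPECTED_HTTP = Request(80, "GET", "/index.html")
UNEXPECTED_HTTP = Request(80, "TRACE", "/")
NON_HTTP = Request(25)

def traditional_firewall(req: Request) -> str:
    """Forwarding decision based on port numbers only."""
    return evaluate(POLICY, req, inspect_content=False)[0]

def isa_server(req: Request) -> str:
    """Forwarding decision based on content."""
    return evaluate(POLICY, req, inspect_content=True)[0]

if __name__ == "__main__":
    for label, req in [("expected HTTP", EXPECTED_HTTP),
                       ("unexpected HTTP", UNEXPECTED_HTTP), ("non-HTTP", NON_HTTP)]:
        print(f"{label:16} header-only={traditional_firewall(req):6} "
              f"content-aware={isa_server(req)}")
```

The header-only evaluator lets the TRACE request through on port 80 exactly like the GET, while the content-aware evaluator stops it on the enterprise rule that precedes the array placeholder.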
Configuration Storage Server
[Diagram: the Management Console connects to a Configuration Storage Server (CSS); the CSS replicates to a second CSS; each ISA 2006 Server Array keeps a local configuration copy]
Balancing Published Servers
[Diagram: External Client (192.168.1.8) on the Internet reaches the external NLB cluster VIP 128.1.1.100 (ISA 1 external DIP 128.1.1.2, ISA 2 external DIP 128.1.1.1); the internal NLB cluster VIP 10.10.10.100 (ISA 1 internal DIP 10.10.10.2, ISA 2 internal DIP 10.10.10.1) fronts Published Server 1 (11.11.11.1) and Published Server 2 (11.11.11.2); numbered steps 1 to 6 trace the flow]
Balancing Outbound Access
[Diagram: a laptop, the Internal Client (12.12.12.1), reaches the internal NLB cluster VIP 10.10.10.100 (ISA 1 internal DIP 10.10.10.2, ISA 2 internal DIP 10.10.10.1); the external NLB cluster VIP 128.1.1.100 (ISA 1 external DIP 128.1.1.2, ISA 2 external DIP 128.1.1.1) forwards to ftp.microsoft.com (157.31.56.100) on the Internet; numbered steps 1 to 6 trace the flow]
ISA Server 2006
- Integrated security: application filtering, BITS caching
- Secure access: HTTP compression, traffic prioritization
- Efficient management: easy deployment, fast propagation of policies
[Diagram: Headquarters linked to Branch 1, Branch 2 and Branch 3 by site-to-site VPN]
Integrated Security
- BITS caching (Background Intelligent Transfer Service)
  - Transfers files between client and server
  - Uses leftover bandwidth
  - Maintains transfers if disconnected
- Windows Updates
  - Data is cached on the ISA Server
  - Subsequent users pull them from the local cache
Secure Access
- HTTP compression
  - When someone makes a request, the response is compressed at the ISA server at HQ
  - It reaches the branch and gets decompressed
- Traffic prioritizing
  - Control when bandwidth is limited
  - Diffserv protocol
  - ISA inspects requests and assigns priority depending on destination
Effective Management
- Branch Office Connectivity Wizard
- Answer files for unattended installation
- More effective policy propagation
  - Reduced server requirements
  - Optimization for low bandwidth use
- Secure remote management is possible
- Templates and configuration tools
Configure the Branch Office Gateway
Proxy server features
- Enhanced worm resiliency, mitigating the impact on the network
- Faster alert triggers and responses
- To avoid DoS attacks, ISA Server controls:
  - Log throttling (measures the volume of denied records)
  - Memory consumption
  - Pending DNS queries
The Solution
[Diagram: Attacker and External Web Site on the Internet; an ISA Server 2006 Array in front of the Internal Network]
- Integrated application-layer firewall & web proxy
- Built-in traffic inspection for over 120 protocols
- Enhanced protection against DoS, DDoS & DNS attacks
- Integrated Network Load Balancing for high availability
- Enhanced worm protection through connection quotas
- Comprehensive alert triggers & responses
- Security-enhanced remote management using TLS
- Fast RAM & on-disk caching for fast web page response times
- Customizable cache rules for flexibility
Flood Resiliency
- Protect ISA Server from:
  - Worm propagation
  - SYN floods
  - Denials of service
  - Distributed DoS
  - HTTP bombing
- In some cases, computers behind ISA are also protected, but this isn't the primary goal of the feature
Web Access Protection: Key Differentiating Points
- Deep Content Inspection Examines the Actual Content of Traffic
- Multi-network Architecture Eases Infrastructure Integration
- Flexible SDK Allows Easy Development of New Application Filters
- CARP Provides High Performance for Caching
- Easy-to-Use UI Makes Configuration Easier
Monitoring ISA Server 2006
- MOM Management Pack
  - Health indicators
  - Knowledge from the designers
Monitoring and Alarming
- Real-time Firewall Status
- Alarming Mechanism
Report / Firewall Active Log
- Detail Message
- Scheduling
- Browsable
- Exportable
Summary
- Firewall, VPN, Proxy
- Application Publishing
- Branch Office
  - Caching
  - Compression
  - Prioritizing of traffic