Introduction to ISA 2004

Dana Epp

Microsoft Security MVP

Who am I?

Microsoft Windows Security MVP

Information Security Professional

Computer Security Software Architect

Small Business Owner

What do I know about firewalls?

I’ve written firewall code

I’ve deployed firewalls(big and small)

• 100’s of small businesses• Many different verticals

• Manufacturing• Medical• Professional Services• Educational• Financial• etc

I’ve invented new firewalls

I know a bit about them.

caching

Content filtering

application publishing

advanced application layer firewall

caching

content filtering

application publishing

advanced application layer firewall / vpn

ISA Server 2004

What’s the differencebetween ISA and other

SMB firewalls?

Simple Ingress Filtering

Simple Egress Filtering

Complex Ingress Filtering

Complex Egress Filtering

Application Content Filtering

Virtual Private Networking

Web Caching

MicrosoftISA 2004

NATDevice

Typical HardwareFirewall

Some have limited VPN

AD Authentication

Advanced HardwareFirewall

Rarelyavailable

Differences in SMB Firewalls

Patch management issues for the firewall

What’s the important difference?

A traditional firewall’s view of a packet

Application Layer Application Layer ContentContent

????????????????????????????????????????????

• Only packet headers are inspected– Application layer content appears as “black box”

IP HeaderIP HeaderSource Address,Dest. Address,

TTL, Checksum

TCP TCP HeaderHeaderSequence Number

Source Port,Destination Port,

Checksum

• Forwarding decisions based on port numbers– Legitimate traffic and application layer attacks use identical ports

Internet

Expected HTTP Traffic

Unexpected HTTP Traffic

Attacks

Non-HTTP Traffic

Corporate Network

Problem. UFBP!

ISA Server’s view of a packet• Packet headers and application content are inspected

Application Layer ContentApplication Layer Content<html><head><meta http-

quiv="content-type" content="text/html; charset=UTF-8"><title>MSNBC - MSNBC Front Page</title><link rel="stylesheet"

IP HeaderIP Header

Source Address,Dest. Address,

TTL, Checksum

TCP TCP HeaderHeader

Sequence NumberSource Port,

Destination Port,Checksum

• Forwarding decisions based on content– Only legitimate and allowed traffic is processed

Internet Expected HTTP Traffic

Unexpected HTTP Traffic

Attacks

Non-HTTP Traffic

Corporate Network

What’s new in ISA 2004?

Updated security architecture

Advanced ProtectionApplication layer security designed to protect

Microsoft applications

Deep content inspection Enhanced, customizable HTTP protocol filters Comprehensive and flexible policies Stateful routing for all IP protocols

Enhanced Exchange Server Integration

Support for Outlook RPC over HTTP Enhanced Outlook Web Access security Easy to use configuration wizards

Fully integrated VPN Unified firewall -- VPN filtering Site-to-site IPsec Tunnel Mode support Network access quarantine

Secure Internet Information Server

and SPS

SSL Bridging for IIS and SPS Easy to use Web publishing wizards AD, RADIUS, SecurID authentication

New management tools and UI

Ease of UseEfficient and cost effective network security

Multi-network architecture

Unlimited network definitions and types Firewall policy applied to all traffic Per network routing relationships

Network templates and wizards

Wizard simplifies routing configuration Easy setup for common network topologies Easily customized for sophisticated scenarios

Visual policy editor Firewall policy with single, ordered rule-base Drag and drop editing, scenario-driven wizards XML-based configuration import and export

Enhanced trouble-shooting

Monitoring dashboard Real-time log viewer Content sensitive task panes

Commitment to integration

Fast, Secure AccessEmpowers you to connect users to relevant information on

yournetwork in a cost efficient manner

Enhanced architecture High speed data transport Utilizes latest Windows and PC hardware High speed application filtering platform

Web cache Updated policy rules Serve content locally Pre-fetch content during low activity periods

Internet access control User- and group-based Web usage policy Extensible by third parties

Comprehensive authentication

New support for RADIUS and RSA SecurID User- and group-based access policy Third-party extensibility

Sample Scenarios

Scenario: Securely make email available to outside employees

Solution: Outlook over RPC, OMA, Virtual Private Networking

Scenario: Control Internet access and protect clients from malicious

Internet traffic

Solution: Content filtering, scheduled access, firewall client

Scenario: Ensure fast access to the most frequently used web content

Solution: Web Proxy

Call to Action

• Give ISA 2004 a try

• Consider buying SBS Premium instead of SBS Standard.

• If managing hardware firewalls, CHECK FOR FIRMWARE UPDATES.

For more information:• Amy’s ISA in SBS blog: http://isainsbs.blogspot.com• ISA Server Resource site http://www.isaserver.org• Dana’s security blog: http://silverstr.ufies.org• Firewall Dashboard http://www.scorpionsoft.com

Dana Epp

Microsoft Security MVP