Microsoft Internet Security and Acceleration (ISA) Server 2004 Powerful Protection for Microsoft Applications

Post on 15-Jan-2016


Page 1: Title

Microsoft Internet Security and Acceleration (ISA) Server 2004
Powerful Protection for Microsoft Applications

Page 2: Learning Objectives

Learning Objectives: Protecting Microsoft Applications with ISA Server 2004

This training will show the solutions, advantages, benefits, competitive landscape, and selling opportunities for Microsoft® ISA Server 2004, as well as provide customer-ready resources.

Page 3: Agenda

1. ISA Server 2004 Overview: Advanced Protection, Ease of Use, Fast Secure Access (Slides 4–43)
2. Protecting Microsoft Applications: Technical Details (Slides 44–94)
3. Selling Strategies and Partner Offerings (Slides 95–124)
4. Introduction to Hands-on Labs (Slides 125–127)

Page 4: Section 1

1. ISA Server 2004 Overview: Advanced Protection, Ease of Use, Fast Secure Access

Page 5: The State of Network Security

Industry
• 14 billion devices on the Internet by 2010 [1]
• 35 million remote users by 2005 [2]
• 65% increase in dynamic Web sites [3]

Security
• 90% detected security breaches [4]
• 95% of all breaches avoidable with an alternative configuration [5]
• Approximately 70% of all Web attacks occur at the application layer [6]

Sources: [1] Forrester Research; [2] Information Week, November 26, 2001; [3] Netcraft summary; [4] Computer Security Institute (CSI) Computer Crime and Security Survey 2002; [5] CERT, 2002; [6] Gartner

Page 6: The Role of Firewalls

• Firewalls block attacks before they reach their target
• Firewalls can protect multiple systems
• Firewall protection can buy time before all protected servers are secured
• Firewalls can help protect client computers that are not properly protected
• Firewalls can act as a central access point
• Combined firewall and VPN gateway
• Firewalls provide centralized logging of network access
• Crucial component of defense-in-depth

Page 7: Limitations of Traditional Firewalls

Wide open to advanced attacks
• Application-layer attacks: Code Red, Nimda.
• Encryption to bypass detection: SSL.

Performance vs. security tradeoff
• Bandwidth is limited and expensive.
• Traffic inspection reduces performance.

Hard to manage
• Security is complex.
• IT already overloaded.

Limited capacity for growth
• Growth requires new hardware; old hardware can’t be repurposed.
• Growth requires purchase of new license.

Page 8: What Is ISA Server 2004?

Microsoft ISA Server 2004 is Microsoft’s flagship security product and a cornerstone of the company’s Trustworthy Computing initiative. ISA Server 2004 is an application-layer firewall, VPN, and Web-cache solution that provides advanced protection, fast and secure Web access, and is very easy to use. ISA Server 2004 can provide security as a perimeter firewall at the Internet edge, can be used to protect Microsoft applications such as Microsoft Exchange and other servers on the internal network, as well as be configured as a Web-caching server to ensure fast, secure Web access—all in one package.

Page 9: ISA Server 2004 Top Benefits

Customer pain: Threats to corporate assets create financial and legal risks
Value provided by ISA Server 2004: Advanced Protection. Application-layer security designed to protect Microsoft applications.

Customer pain: Securing the network is time consuming and expensive
Value provided by ISA Server 2004: Ease of Use. Efficiently deploy, manage, and use ISA Server 2004.

Customer pain: Securing networks impacts performance and productivity
Value provided by ISA Server 2004: Fast, Secure Access. Empowers you to connect users to relevant information on your network in a cost-efficient manner.

Page 10: Advanced Protection: Limits of Traditional Firewalls (1)

• Traditional firewalls only examine headers: packet filtering, stateful inspection
• Most of today’s attacks are directed against applications
  - Web servers (Code Red, Nimda)
  - Web browsers (malicious Java applets)
  - Mail clients (worms, Trojan horse attacks)

Diagram (packet): Header: IP: Source address, Destination address; TCP: Source port 1121, Destination port 80. Payload: HTTP GET /

Page 11: Advanced Protection: Limits of Traditional Firewalls (2)

• Applications encapsulate traffic in HTTP traffic. Examples: peer-to-peer, instant messaging
• Encrypted traffic can’t be inspected by traditional firewalls
• Dynamic port assignments require too many incoming ports to be opened. Examples: FTP, RPC

Packet filtering and stateful inspection are not enough to protect against today’s attacks!

Page 12: Advanced Protection: Application-Layer Filtering with ISA Server 2004

• Application-layer filtering in ISA Server 2004 examines the payload
• ISA Server 2004 blocks traffic that uses allowed ports but contains disallowed data. Example: traffic to a Web server that contains a Web server attack
• ISA Server 2004 allows you to use complex protocols across a firewall

“To provide edge security in this application-centric world…application-level firewalls will be required….” —John Pescatore, Gartner

Page 13: Advanced Protection: ISA Server 2004 Proxy Architecture

• Internet traffic never routed to the internal network
• ISA Server 2004 establishes separate connections to client and to server
• Proxy architecture protects against network layer attacks
• Built from the ground up for application layer filtering: great performance!
• Extensible architecture for plug-ins

ISA Server 2004 also performs packet filtering and stateful inspection.

Page 14: Advanced Protection: Web Publishing with Traditional Firewalls

• Traditional firewalls only evaluate incoming traffic based on IP address and port
• All Web traffic is sent to Web server, exposing it to all Web-based attacks

Diagram: Internet → Incoming Traffic → Web Server

Page 15: Advanced Protection: Secure Web Publishing with ISA Server 2004

• Inspection of Web requests and responses and protection of Microsoft Internet Information Services (IIS) from exploits
• Blocking of malformed URLs to stop Web-based attacks
• Optional inspection of incoming SSL traffic

Diagram: Internet → Incoming Traffic → Web Server

Page 16: Advanced Protection: Exchange Publishing with Traditional Firewalls

• Firewall only evaluates incoming traffic based on IP address and port
• All traffic for ports using mail protocols is sent to Exchange Server
• Exchange Server is exposed to all application-layer attacks

Diagram: Internet → Incoming Traffic → Exchange Server

Page 17: Advanced Protection: Secure Exchange Publishing with ISA Server 2004

• ISA Server 2004 defends Exchange Server and enables secure client access
• Protection of all types of client access (Microsoft Outlook® Web Access [OWA], SMTP, POP, IMAP, RPC, RPC over HTTP)
• Increases OWA performance and enables application of firewall policy to OWA traffic
• Allows scanning of e-mail text and attachments

Diagram: Internet → Incoming Traffic → Exchange Server

Page 18: Advanced Protection: The Need to Provide Secure VPN Access

• Companies need to provide remote access: branch offices; business partners; home offices and traveling users
• VPNs are a cost-effective way to leverage the Internet: no dial-up connections or leased lines required; VPNs use existing Internet connection
• VPNs create security concerns and increase administrative work: VPNs create new administration tasks; VPNs create new ways to access the corporate network

ISA Server 2004 simplifies VPN administration and provides VPN security

Page 19: Advanced Protection: How ISA Server 2004 Secures VPN Client Connections

• All communications over the Internet are encrypted
• Broad protocol support: PPTP and L2TP/IPSec; IPSec NAT traversal (NAT-T) for connectivity across any network (requires Microsoft Windows Server™ 2003)
• Authentication
  - Microsoft Active Directory® uses existing Microsoft Windows® accounts, supports PKI for two-factor authentication
  - RADIUS uses non-Windows-based accounts databases with standards-based integration
  - SecurID provides strong, two-factor authentication using tokens and RSA authentication servers
• Integration of VPN traffic into firewall policy
• Network access quarantine to ensure secure client configuration

Page 20: Advanced Protection: How ISA Server 2004 Connects Networks

• Broad protocol support: PPTP; L2TP/IPSec; IPSec tunnel mode for interoperability with existing VPN gateways, fully tested and supported
• Authentication and encryption: uses Windows RRAS capabilities
• Range of authentication methods: Active Directory, RADIUS, passwords, certificates
• Configurable encryption methods help ensure confidentiality of communications
• Fine-grained control over traffic between networks

Page 21: Summary: Advanced Protection

• ISA Server 2004 was designed with most common customer scenarios in mind
• ISA Server 2004 protects networks while enabling connectivity
• ISA Server 2004 is optimized for application-layer filtering
• A broad range of partner offerings extends protection capabilities

ISA Server 2004 is a crucial component in protecting Microsoft networks and applications

Page 22: Ease of Use: New, Easy-to-Use Administration Tools

• ISA Server 2004 Management Console completely redesigned from previous version
• All tools for each task in one place
• Easy to learn
• Ease of use can reduce risk of security breaches due to misconfiguration
• Local or remote administration
• Use the same tool to configure and monitor the firewall, cache, and VPN gateway

Page 23: Ease of Use: Overview

• Simplified administration tools: reduces training costs; helps prevent insecure configurations
• Unified firewall policy: helps keep administration costs low

Page 24: Ease of Use: Task-based Administration

• All tools for a task are accessible when needed
• Easy access to common tasks

Page 25: Ease of Use: Monitoring

• Real-time monitoring for troubleshooting
• Variety of report formats summarizes Internet activity and performance
• Dashboard is starting point for monitoring

Page 26: Ease of Use: Reporting

• Broad range of reporting options

Page 27: Ease of Use: Easy Deployment

• Multiple network support: works with your existing network infrastructure; leverages previous IT investments
• Broad client support: supports any device that uses TCP/IP; Firewall Client adds features for Windows clients

Low administrative overhead during initial deployment and network maintenance.

Page 28: Ease of Use: Adjusts to Network Changes

• Flexibility to support most network types
• Templates to simplify deployments

Page 29: Ease of Use: Easy Scalability

• Scale up: upgrade to faster hardware and repurpose existing server(s) without the need to purchase a different ISA Server 2004 license
• Scale out: easily copy configuration settings with XML export; maintain existing rules and settings

Choice of options to grow with company needs.

Page 30: Ease of Use: Alerting

• Alerts for large number of events
• Flexible alerting options
• New: Connectivity Verification

Page 31: Ease of Use: User-based Access Control

• Prevalence of DHCP on internal networks makes IP-based access control obsolete
• ISA Server 2004 supports the use of native Windows security credentials to build highly granular firewall access rules
• RADIUS for universal integration with non-Windows user accounts and for authentication in perimeter networks
• Credentials are passed transparently, eliminating need for additional tedious logon procedures at firewall

Page 32: Ease of Use: Easy Extensibility

• Adding functionality: easy customization by in-house developers; wide range of partner solutions

• Application Filters
• Caching and Distributions
• Content Security
• High Availability and Load Balancing
• Intrusion Detection
• Monitoring and Administration
• Network Utilities
• Reporting
• SSL Acceleration and Key Management
• Security Resellers
• Security Solution Providers
• URL Filtering
• User Authentication

http://microsoft.com/isaserver/partners

Page 33: Ease of Use: Extensible Open Platform

• Most administrative tasks can be scripted: scripting automates tasks; scripting saves time and ensures consistency; SDK provides access to easy-to-use procedures for scripting
• Custom Web and application filters: custom filters allow secondary inspection and manipulation of traffic. Examples: advanced content inspection, advanced authorization, etc. Easy object model ensures quick results

Page 34: Summary: Ease of Use

• ISA Server 2004 tools make firewall administration easy
• Easy configuration can help prevent configuration mistakes
• ISA Server 2004 adapts to existing network configurations and changes
• Extensive logging, monitoring, and reporting capabilities

ISA Server 2004 is a crucial component in protecting Microsoft networks and applications

Page 35: Fast, Secure Access: Integrated VPN

• Secure site-to-site connections
• Secure remote access connections
• Broad protocol support

Page 36: Fast, Secure Access: Web-Caching Benefits

• Frequently requested Web content is cached for local delivery
• Users get faster access to frequently requested Web content
• Existing bandwidth is used more efficiently

ISA Server 2004 is the only major firewall with built-in, state-of-the-art Web caching

Page 37: Fast, Secure Access: Internet Access Without Caching

Diagram: Client 1 and Client 2 behind the Existing Firewall, Internet beyond it.
1. Client 1: GET www.microsoft.com
2. Object is sent from Internet
3. Client 2: GET www.microsoft.com
4. Object is sent from Internet

Each client request causes Internet traffic

Page 38: Fast, Secure Access: How Does Caching Work?

Diagram: Client 1 and Client 2 behind ISA Server 2004, Internet beyond it.
1. Client 1: GET www.microsoft.com
2. Access controls are enforced
3. GET www.microsoft.com (forwarded to the Internet)
4. Object is sent from Internet and placed in cache
5. Client 2: GET www.microsoft.com
6. Object is sent from cache

Client requests for cached content cause no Internet traffic

Page 39: Fast, Secure Access: Effects of Caching

• Reduces bandwidth requirements: requests from multiple users for an object only require one download from Internet
• Reduces server workload: requests for published Web content are served from the cache without additional requests to the published server
• Distributes bandwidth: most frequently accessed content can be downloaded during off hours and before users request it
• Ensures that objects are up-to-date: ISA Server requests an updated version when the object has changed on the Web server
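The caching flow on the two slides above (access controls enforced before the cache is consulted; a fresh copy fetched only when the object has changed on the Web server), written out as an added Python example. It is not ISA Server code: the origin server, the ETag-based revalidation and the policy callable are constructed stand-ins.

```python
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple


class OriginServer:
    """Constructed stand-in for a Web server on the Internet. It serves objects with
    an ETag and answers a conditional request (If-None-Match) with 304 Not Modified
    when the object is unchanged. Every call here counts as Internet traffic."""

    def __init__(self, objects: Dict[str, Tuple[bytes, str]]):
        self.objects = objects      # url -> (body, etag)
        self.fetches = 0

    def get(self, url: str, if_none_match: Optional[str] = None):
        self.fetches += 1
        body, etag = self.objects[url]
        if if_none_match is not None and if_none_match == etag:
            return 304, b"", etag
        return 200, body, etag


@dataclass
class CachedObject:
    body: bytes
    etag: str
    validated_at: float   # when the proxy last confirmed the copy was current
    max_age: float        # seconds the copy is served without asking the origin


class CachingProxy:
    """Forward Web proxy with the two properties the slides describe: firewall
    policy is applied before the cache is touched, and a copy whose freshness
    lifetime has expired is revalidated with the origin rather than served blindly."""

    def __init__(self, origin: OriginServer,
                 policy: Callable[[str, str], bool], max_age: float = 60.0):
        self.origin = origin
        self.policy = policy          # (user, url) -> allowed?
        self.max_age = max_age
        self.cache: Dict[str, CachedObject] = {}

    def get(self, user: str, url: str, now: float) -> Tuple[int, bytes, str]:
        # Step 2 on the slide: a denied request never reaches the cache or the Internet.
        if not self.policy(user, url):
            return 403, b"", "denied"
        obj = self.cache.get(url)
        if obj is not None and now - obj.validated_at < obj.max_age:
            return 200, obj.body, "cache"            # served locally, no Internet traffic
        # Miss or stale copy: ask the origin, conditionally when we hold an old copy.
        status, body, etag = self.origin.get(url, obj.etag if obj else None)
        if status == 304 and obj is not None:
            obj.validated_at = now                    # unchanged on the Web server
            return 200, obj.body, "revalidated"
        self.cache[url] = CachedObject(body, etag, now, self.max_age)
        return 200, body, "internet"


def run_demo():
    """Replay the slide's sequence and return (source of each answer, Internet fetches, last body)."""
    url = "http://www.microsoft.com/"
    origin = OriginServer({url: (b"<html>v1</html>", '"v1"')})
    # Constructed policy: the "guest" account may not browse at all.
    proxy = CachingProxy(origin, policy=lambda user, u: user != "guest", max_age=60)
    trace = []
    trace.append(proxy.get("client1", url, now=0)[2])      # miss -> internet
    trace.append(proxy.get("client2", url, now=10)[2])     # hit -> cache, no fetch
    trace.append(proxy.get("guest", url, now=20)[2])       # policy -> denied, no fetch
    trace.append(proxy.get("client1", url, now=100)[2])    # stale, unchanged -> 304 -> revalidated
    origin.objects[url] = (b"<html>v2</html>", '"v2"')     # object changes on the Web server
    _, body, source = proxy.get("client2", url, now=200)   # stale, changed -> new download
    trace.append(source)
    return trace, origin.fetches, body


if __name__ == "__main__":
    print(run_demo())
```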

Page 40: Fast, Secure Access: Business Benefits of Caching

• Improved productivity: many Web pages are displayed faster; no waiting for Web objects that are cached
• Better resource utilization: no need to purchase additional bandwidth
• Fully integrated, minimal administration

Page 41: Fast, Secure Access: Scaling Caching for the Enterprise

• Downstream server requests content from upstream server
• Upstream server retrieves content from Internet
• Content can be cached in both locations
• Security settings are enforced centrally
• No direct Internet requests required from branch offices

Diagram: Internet ← Cache (upstream) in the Corporate Network ← Cache (downstream) in each Branch Office

Page 42: Fast, Secure Access: Granular Access Control

• Full control over Internet access by users: enforce corporate policies; control access by protocol, user, location, destination, schedule
• Fine-grained control of Web content
• Partner solutions extend access control
• All network traffic blocked unless specifically allowed
• Flexible firewall policy: easy to create broad rules or detailed policy
• Unified firewall policy makes it easy to review and troubleshoot access rules
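A firewall policy of the kind this slide describes (everything blocked unless a rule allows it, first matching rule wins, rules keyed on protocol, user, source network, destination and schedule), as an added Python example rather than ISA Server's own rule engine; the rule set, account names and networks are constructed.

```python
from dataclasses import dataclass, field
from datetime import datetime
from ipaddress import ip_address, ip_network
from typing import List, Optional, Set, Tuple


@dataclass
class Request:
    protocol: str      # e.g. "HTTP", "FTP": what the application filter identified
    user: str          # authenticated Windows or RADIUS account, or "anonymous"
    src_ip: str        # client address (location)
    dest_host: str     # destination name
    when: datetime     # time of the request (schedule)


@dataclass
class Rule:
    name: str
    action: str                                              # "allow" or "deny"
    protocols: Set[str] = field(default_factory=set)         # empty = any protocol
    users: Set[str] = field(default_factory=set)             # empty = all users
    from_nets: List[str] = field(default_factory=list)       # empty = any source
    to_hosts: Set[str] = field(default_factory=set)          # empty = any destination
    schedule: Optional[Tuple[Set[int], int, int]] = None     # (weekdays, start h, end h)

    def matches(self, r: Request) -> bool:
        """Every non-empty condition must hold; an empty condition matches anything."""
        if self.protocols and r.protocol not in self.protocols:
            return False
        if self.users and r.user not in self.users:
            return False
        if self.from_nets and not any(ip_address(r.src_ip) in ip_network(n)
                                      for n in self.from_nets):
            return False
        if self.to_hosts and r.dest_host.lower() not in self.to_hosts:
            return False
        if self.schedule is not None:
            days, start, end = self.schedule
            if r.when.weekday() not in days or not start <= r.when.hour < end:
                return False
        return True


def evaluate(rules: List[Rule], r: Request) -> Tuple[str, str]:
    """First matching rule decides; with no match the traffic is blocked (default deny)."""
    for rule in rules:
        if rule.matches(r):
            return rule.action, rule.name
    return "deny", "default: no rule matched"


WORKDAYS = {0, 1, 2, 3, 4}   # Monday..Friday

# Constructed sample policy, ordered the way an administrator would list it:
# an explicit deny first, then narrow allows. Nothing else gets through.
POLICY = [
    Rule("Block peer-to-peer", "deny", protocols={"P2P"}),
    Rule("Sales Web access", "allow", protocols={"HTTP", "HTTPS"},
         users={"alice", "bob"}, from_nets=["10.0.0.0/8"],
         schedule=(WORKDAYS, 8, 18)),
    Rule("Admin full access", "allow", users={"admin"}, from_nets=["10.0.1.0/24"]),
]


def check(protocol: str, user: str, src_ip: str, dest_host: str,
          when_iso: str) -> Tuple[str, str]:
    """Build a Request from plain values and evaluate it against POLICY."""
    return evaluate(POLICY, Request(protocol, user, src_ip, dest_host,
                                    datetime.fromisoformat(when_iso)))


if __name__ == "__main__":
    print(check("HTTP", "alice", "10.0.5.7", "www.contoso.com", "2004-06-07T10:00"))
    print(check("HTTP", "alice", "10.0.5.7", "www.contoso.com", "2004-06-07T22:00"))
```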

Page 43: Summary: Fast, Secure Access

• Integrated VPN for secure site-to-site and remote access connections
• Optimized for application-layer filtering
• Caching accelerates access to frequently used Web content
• Granular rules allow a high level of Internet access control
• Additional filtering is possible with third-party solutions provided by Microsoft partners

ISA Server 2004 is a crucial component in protecting Microsoft networks and applications

Page 44: Section 2

2. Protecting Microsoft Applications: Technical Details

Page 45: Protecting Microsoft Applications

• Remote Connectivity: connecting offices, partners, and users by using ISA Server 2004 and Windows Server 2003
• Integrated Branch Office Solution: branch office security
• Secure Access to E-Mail: allow access to Exchange servers while protecting them
• Secure Application Access: help secure access to IIS, Microsoft SharePoint®, and other application servers

Page 46: Secure Application Access

Business need: Maintain confidentiality of communications
Risk to organization:
• Confidentiality requires encryption, which defeats traffic inspection at the firewall
• Attackers may gain access to network even though a firewall is installed

Business need: Provide access to SharePoint-based resources
Risk to organization:
• Allowing access to existing resources requires costly redesign or duplication of network infrastructure
• Same risks as providing access to all Web servers

Business need: Provide fast, secure access to internal Web resources
Risk to organization:
• Web servers are exposed to attacks that threaten business resources
• Attacks can bypass traditional firewalls by using the same protocols as legitimate Web traffic
• Placing a firewall in front of public Web servers can slow down access to Web resources

Page 47: A Traditional Firewall’s View of a Packet

• Only packet headers are inspected
• Application-layer content appears as a “black box”
• Forwarding decisions based on port numbers
• Legitimate traffic and application-layer attacks use identical ports

Diagram (packet): IP Header: Source Address, Destination Address, TTL, Checksum. TCP Header: Sequence Number, Source Port, Destination Port, Checksum. Application-Layer Content: ???????? (opaque to the firewall)

Diagram (traffic): Incoming Traffic from the Internet (Expected HTTP Traffic, Unexpected HTTP Traffic, Web Server Attacks, Non-HTTP Traffic) → Web Server

Page 48: ISA Server 2004’s View of a Packet

• Packet headers and application content are inspected
• Forwarding decisions based on content
• Only legitimate HTTP traffic is sent to Web server

Diagram (packet): IP Header: Source Address, Destination Address, TTL, Checksum. TCP Header: Sequence Number, Source Port, Destination Port, Checksum. Application-Layer Content: GET www.contoso.com/partners/default.htm

Diagram (traffic): Incoming Traffic from the Internet (Expected HTTP Traffic, Unexpected HTTP Traffic, Web Server Attacks, Non-HTTP Traffic); only the Expected HTTP Traffic reaches the Web Server

Page 49: Traditional Web Publishing

• All traffic using TCP port 80 sent to Web server
• One Web server per IP address

Diagram: Incoming Traffic from the Internet, all of it forwarded to the Web Server:
http://www.contoso.com
http://39.1.1.1
http://www.contoso.com/../cmd?..
http://www.contoso.com/%20%20
http://www.contoso.com/scripts/
http://www.contoso.com/partners/

Page 50: ISA Server 2004 Web Publishing

• ISA Server 2004 inspects HTTP request
• Only allowed requests are forwarded
• ISA Server 2004 can publish multiple servers

Diagram: Incoming Traffic from the Internet, inspected by ISA Server 2004 before it reaches the Web Servers:
http://www.contoso.com
http://39.1.1.1
http://www.contoso.com/../cmd?..
http://www.contoso.com/%20%20
http://www.contoso.com/scripts/
http://www.fabrikam.com/partners

ISA Server protects IIS

Page 51: How ISA Server 2004 Secures SSL Traffic

SSL: confidentiality but no traffic inspection

SSL bridging:
1. Client on Internet encrypts communications
2. ISA Server 2004 decrypts and inspects traffic
3. ISA Server 2004 sends allowed traffic to published server, re-encrypting it if required

Page 52: Microsoft Internet Security and Acceleration (ISA) Server 2004 Powerful Protection for Microsoft Applications

Web Publishing Details

• ISA Server 2004 HTTP content inspection is a crucial element of a defense-in-depth strategy
  – ISA Server 2004 provides a central location to block disallowed Web requests based on signatures or generic attack patterns
  – ISA Server only processes allowed URLs
• Unified view of Web resources
  – ISA Server 2004 can redirect Web requests to one or more internal servers
  – ISA Server 2004 can protect server farms or entire networks
• User authentication
  – Active Directory, RADIUS, or SecurID needed for access to intranet or extranet resources
  – Credentials can be forwarded to a published server for logging and customizing content

No IIS deployment is complete without ISA Server 2004
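The Web publishing slides above show the firewall forwarding only allowed requests: http://39.1.1.1, /../cmd, /%20%20 and /scripts/ never reach IIS. The Python model below is an added illustration, not ISA Server's own code, of the inspection steps such a filter needs: per-host publishing rules, a one-pass URL normalization that rejects directory traversal, double encoding and embedded whitespace, a short signature list, and a per-site path allowlist. The allowlist also covers the RPC-proxy case later in the deck, where nothing but /rpc/ is published. The host names, internal server addresses, signature list and request mix are constructed for the example.

```python
"""Toy model of the request inspection behind ISA Server 2004 Web publishing.
Added example, not ISA Server code: publishing rules, hosts, internal server
addresses and the "signature" list are constructed for illustration."""
from urllib.parse import urlsplit, unquote

# Constructed publishing rules: public host name -> (internal server, allowed path prefixes).
# A request is forwarded only if its host matches a rule, so an IP-literal host such as
# http://39.1.1.1 matches nothing and is dropped.
PUBLISHED_SITES = {
    "www.contoso.com": ("10.0.0.10", ("/",)),          # whole site published
    "www.fabrikam.com": ("10.0.0.20", ("/partners",)),  # only the partner area
    "mail.contoso.com": ("10.0.0.30", ("/rpc/",)),      # RPC proxy: nothing but /rpc/
}
ALLOWED_METHODS = {"GET", "HEAD", "POST"}
# Constructed "signature" list: path fragments that are never forwarded to a published server
BLOCKED_SIGNATURES = ("/scripts/", "cmd.exe")


def normalize_path(raw_path):
    """Canonicalize a request path: percent-decode once, reject double encoding,
    whitespace and control characters, and any '..' that climbs above the site
    root.  Returns the canonical path, or None when the path must be rejected."""
    decoded = unquote(raw_path)
    if "%" in decoded:            # still encoded after one pass: double encoding
        return None
    if any(ch.isspace() or ord(ch) < 0x20 for ch in decoded):
        return None               # e.g. /%20%20 decodes to whitespace
    stack = []
    for segment in decoded.split("/"):
        if segment in ("", "."):
            continue
        if segment == "..":
            if not stack:         # /../cmd tries to escape the published root
                return None
            stack.pop()
        else:
            stack.append(segment)
    canonical = "/" + "/".join(stack)
    if stack and decoded.endswith("/"):
        canonical += "/"
    return canonical


def inspect_request(method, url):
    """Decide one request: ("forward", internal_server, canonical_path)
    or ("block", reason, None)."""
    if method not in ALLOWED_METHODS:
        return ("block", "method not allowed", None)
    parts = urlsplit(url)
    rule = PUBLISHED_SITES.get(parts.hostname or "")
    if rule is None:
        return ("block", "no publishing rule for host %r" % (parts.hostname,), None)
    path = normalize_path(parts.path)
    if path is None:
        return ("block", "path failed normalization", None)
    if any(sig in path.lower() for sig in BLOCKED_SIGNATURES):
        return ("block", "matched blocked signature", None)
    internal_server, prefixes = rule
    if not any(path.lower().startswith(p) for p in prefixes):
        return ("block", "path not published", None)
    return ("forward", internal_server, path)


# The request mix drawn on the Web publishing slides (constructed, plus two RPC-proxy cases)
DEMO_REQUESTS = [
    ("GET", "http://www.contoso.com"),
    ("GET", "http://39.1.1.1"),
    ("GET", "http://www.contoso.com/../cmd?.."),
    ("GET", "http://www.contoso.com/%20%20"),
    ("GET", "http://www.contoso.com/scripts/"),
    ("GET", "http://www.fabrikam.com/partners"),
    ("GET", "http://mail.contoso.com/rpc/"),
    ("GET", "http://mail.contoso.com/exchange/"),
]


def inspect_all(requests=DEMO_REQUESTS):
    """Run every demo request through the filter; returns [(url, verdict), ...]."""
    return [(url, inspect_request(method, url)) for method, url in requests]


if __name__ == "__main__":
    for url, verdict in inspect_all():
        print("%-45s %s" % (url, verdict))
```

Normalization runs before the allowlist and signature checks so that an encoded or traversal-laden path cannot be compared against the rules in a form the back-end server would interpret differently; the one-pass decode plus the "still contains %" test is what catches double encoding.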

Page 53: Microsoft Internet Security and Acceleration (ISA) Server 2004 Powerful Protection for Microsoft Applications

External Access to Internal Links

• Absolute references to internal servers cause problems
• Client can’t resolve name to address

[Diagram: an external client requests http://www.contoso.com/default.htm from www.contoso.com across the Internet; the returned Web page contains HREF=http://teams/sales, and the client cannot resolve the internal name "Teams"]

Key Point:

Page 54: Microsoft Internet Security and Acceleration (ISA) Server 2004 Powerful Protection for Microsoft Applications

ISA Server 2004 Link Translation

• Link translation solves problems with absolute references

[Diagram: the external client requests http://www.contoso.com/default.htm; the page from the Teams server contains HREF=http://teams/sales, which ISA Server 2004 rewrites to HREF=http://teams.contoso.com/sales before returning it, so the client’s next request goes to http://teams.contoso.com/sales/]

Page 55: Microsoft Internet Security and Acceleration (ISA) Server 2004 Powerful Protection for Microsoft Applications

Link Translation Details

• Link translation is crucial for providing simultaneous internal and external access to SharePoint sites
• Translates hyperlinks within Web responses from the published server
• Translates intranet computer names to names that can be externally resolved
• Can replace http:// with https:// for SSL bridging
• Automatic translation is sufficient for most scenarios; administrator-defined translation adds extended functionality

No SharePoint deployment is complete without ISA Server 2004
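To make the link translation of the last three slides concrete, here is an added Python example (not ISA Server code) of the administrator-defined kind of translation: absolute links to internal computer names inside an HTML response are rewritten to externally resolvable names, optionally switching http:// to https:// for SSL bridging, and the response's Content-Length is recomputed because the body grows. The translation table (teams → teams.contoso.com, portal → portal.contoso.com), the sample page and the header values are constructed; the "Teams" name and contoso.com domain come from the slides.

```python
"""Link translation as an added example (not ISA Server code): rewrite absolute
links to internal server names inside an HTML response so that an external
client can resolve them, optionally switching the scheme to https:// for SSL
bridging.  The translation table, host names and sample page are constructed."""
import re

# Constructed administrator-defined translation table:
# internal computer name as it appears in the published server's HTML -> public name
TRANSLATION_MAP = {
    "teams": "teams.contoso.com",
    "portal": "portal.contoso.com",
}


def build_translator(mapping, ssl_bridging=False):
    """Return a function that rewrites http://<internal-name>... links.
    With ssl_bridging=True the rewritten links use https://, because the
    external client talks SSL to the firewall, not to the internal server."""
    # Longest names first, and the host must be followed by a delimiter (or end
    # of text) so that "teams" never matches inside "teamsite".
    names = "|".join(re.escape(n) for n in sorted(mapping, key=len, reverse=True))
    pattern = re.compile(r"http://(" + names + r")(?=[/:?#\"'\s>]|$)", re.IGNORECASE)
    scheme = "https://" if ssl_bridging else "http://"

    def translate(text):
        return pattern.sub(lambda m: scheme + mapping[m.group(1).lower()], text)

    return translate


def translate_response(headers, body, translate):
    """Apply link translation to one HTTP response (header dict + body bytes).
    Only HTML bodies are rewritten, and Content-Length is recomputed because the
    rewritten body is longer than the original."""
    content_type = headers.get("Content-Type", "")
    if not content_type.lower().startswith("text/html"):
        return headers, body
    new_body = translate(body.decode("utf-8")).encode("utf-8")
    new_headers = dict(headers)
    new_headers["Content-Length"] = str(len(new_body))
    return new_headers, new_body


# Constructed page as the internal "Teams" server would return it
SAMPLE_PAGE = b"""<html><body>
<a href="http://teams/sales">Sales team</a>
<a href="http://teamsite/other">unrelated host, must not change</a>
<img src="http://portal/logo.gif">
<a href="http://www.contoso.com/default.htm">public link stays as it is</a>
</body></html>"""

BRIDGED_TRANSLATE = build_translator(TRANSLATION_MAP, ssl_bridging=True)


def demo():
    """Translate the sample response; returns (headers, body) after rewriting."""
    headers = {"Content-Type": "text/html; charset=utf-8",
               "Content-Length": str(len(SAMPLE_PAGE))}
    return translate_response(headers, SAMPLE_PAGE, BRIDGED_TRANSLATE)


if __name__ == "__main__":
    hdrs, page = demo()
    print(hdrs)
    print(page.decode())
```

Two details matter in practice: the host name must be matched up to a delimiter (otherwise "teams" would corrupt links to a host called "teamsite"), and a bridge that rewrites bodies must also fix Content-Length or clients will truncate or hang on the response.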

Page 56: Microsoft Internet Security and Acceleration (ISA) Server 2004 Powerful Protection for Microsoft Applications

Easy Configuration and Administration of Application Access

Web Publishing Wizards make configuration easy and prevent configuration mistakes; monitoring tools show Web usage.

Page 57: Microsoft Internet Security and Acceleration (ISA) Server 2004 Powerful Protection for Microsoft Applications

How ISA Server 2004 Enables Access to Non-Web Resources

• Access to some corporate resources requires protocols other than HTTP
  – FTP servers for access to files
  – Database servers in perimeter network or internal network
  – Public DNS servers to locate company’s servers
• Server publishing allows secure access to non-Web resources
  – ISA Server 2004 supports all IP-based protocols
  – Application-layer filtering for selected protocols: SMTP, FTP, DNS, RPC, etc.

Page 58: Microsoft Internet Security and Acceleration (ISA) Server 2004 Powerful Protection for Microsoft Applications

Summary: Secure Application Access

• Access to internal Web resources: ISA Server 2004 protects corporate Web resources and acts as a central gateway to allow centralized traffic inspection.
• Confidentiality of communications: ISA Server 2004 can provide confidentiality of Web traffic and protection of resources at the same time.
• Access to SharePoint-based resources: ISA Server 2004 makes access to existing internal SharePoint-based resources easy. No network redesign is required.

Page 59: Microsoft Internet Security and Acceleration (ISA) Server 2004 Powerful Protection for Microsoft Applications

Protecting Microsoft Applications

• Secure Application Access: Help secure access to IIS, Microsoft SharePoint®, and other application servers
• Secure Access to E-Mail: Allow access to Exchange servers while protecting them
• Remote Connectivity: Connecting offices, partners, and users by using ISA Server 2004 and Windows Server 2003
• Integrated Branch Office Solution: Branch office security

Page 60: Microsoft Internet Security and Acceleration (ISA) Server 2004 Powerful Protection for Microsoft Applications

Secure Access to E-Mail

Business Need / Risk to Organization

• Maintain confidentiality of e-mail
  – Traditional client protocols, such as POP and IMAP, are unencrypted.
  – Most firewalls can’t provide native Outlook access to Exchange servers in a secure manner.
  – Encrypting Web access to e-mail, such as OWA, defeats traffic inspection at the firewall.
• Users need access to e-mail regardless of their location
  – Allowing access from the Internet also opens the network to potential attacks from the Internet.
  – Mail servers are the only defense against attacks that use client protocols, such as HTTP, POP, RPC.
• Receive and send e-mail
  – Traditional firewalls can limit what network traffic is allowed to the mail server, but don’t perform deep content inspection. Attacks can succeed by masquerading as legitimate mail traffic.
  – Mail servers are the only defense against SMTP-based attacks.

Page 61: Microsoft Internet Security and Acceleration (ISA) Server 2004 Powerful Protection for Microsoft Applications

E-Mail Access: Traditional Firewall

• Firewall rules open ports to allow traffic to and from the mail server
  – Incoming connections to the mail server for SMTP, POP3, OWA (using SSL)
  – Outgoing connections from the mail server for SMTP
• Limitation: control over which channels are opened, but no control over what type of network traffic is sent to the mail server over these channels

[Diagram: Internet to Exchange Server through a firewall with the rules Allow: Port 25 (SMTP), Allow: Port 110 (POP3), Allow: Port 443 (SSL) inbound and Allow: Port 25 outbound]

Page 62: Microsoft Internet Security and Acceleration (ISA) Server 2004 Powerful Protection for Microsoft Applications

Outlook Web Access: Traditional Firewall

• Web traffic to OWA is encrypted
  – Standard SSL encryption
  – Security against eavesdropping and impersonation
• Limitation: the OWA server is the only defense against application-layer attacks

[Diagram: OWA traffic, password guessing and Web server attacks all travel inside the SSL tunnel from the Internet to the Exchange Server]

The concept of defense-in-depth requires inspection of OWA traffic at the firewall

Page 63: Microsoft Internet Security and Acceleration (ISA) Server 2004 Powerful Protection for Microsoft Applications

How ISA Server 2004 Protects OWA

• Authentication
  – Unauthorized requests are blocked before they reach the Exchange Server
  – Enforces all OWA authentication methods
  – Enhanced forms-based authentication prevents caching of credentials
• Inspection
  – Invalid HTTP requests or requests for non-OWA content are blocked
  – Inspection of SSL traffic before it reaches the Exchange Server
• Confidentiality
  – Ensures encryption of traffic over the Internet
  – Can prevent the downloading of attachments to client computers

[Diagram: the SSL tunnel from the Internet ends at ISA Server 2004, where authentication and inspection take place; Web server attacks and password guessing are stopped there, and only OWA traffic continues to the Exchange Server]

Page 64: Microsoft Internet Security and Acceleration (ISA) Server 2004 Powerful Protection for Microsoft Applications

How RPC Works

Service              UUID                                      Port
Exchange Info Store  {0E4A0156-DD5D-11D2-8C2F-00CD4FB6BCDE}    4402
Active Directory     {E35114235-4B06-11D1-AB04-00C04C2DCD2}     3544
Performance Monitor  {A00C021C-2BE2-11D2-B678-0000F87A8F8E}    9233

1. The RPC server maintains a table of Universally Unique Identifiers (UUID) and assigned ports
2. The client connects to TCP port 135 on the server to query for the port associated with a UUID
3. The server responds with the associated port
4. The client reconnects to the server on the designated port to access Exchange

[Diagram: RPC Client (Outlook) on the Internet asks RPC Server (Exchange) on TCP 135 "Port for {0E4A…}?"; the server answers "Port 4402"; the client then sends its data to port 4402]

Page 65: Microsoft Internet Security and Acceleration (ISA) Server 2004 Powerful Protection for Microsoft Applications

RPC and Traditional Firewalls

• Open port 135 for incoming traffic
• Open every port that RPC might use for incoming traffic

[Diagram: the same exchange as on the previous slide: the client queries TCP 135 for the port of {0E4A…}, is told port 4402, and sends its data to port 4402]

Traditional firewalls can’t provide secure RPC access

Page 66: Microsoft Internet Security and Acceleration (ISA) Server 2004 Powerful Protection for Microsoft Applications

How ISA Server 2004 Protects RPC Traffic

• Initial connection
  – Only allows valid RPC traffic
  – Blocks non-Exchange queries
• Secondary connection
  – Only allows connection to the port used by Exchange
  – Enforces encryption

[Diagram: ISA Server 2004 sits between the RPC Client (Outlook) on the Internet and the RPC Server (Exchange); the TCP 135 query for {0E4A…}, the "Port 4402" answer and the data connection to port 4402 all pass through it]

ISA Server 2004 enables secure remote e-mail access by using Outlook

Page 67: Microsoft Internet Security and Acceleration (ISA) Server 2004 Powerful Protection for Microsoft Applications

How RPC over HTTP Works

• RPC over HTTP encapsulates RPC traffic inside HTTP
• Internal Web server (RPC proxy) extracts RPC traffic from HTTP
• Advantage: Most firewalls allow HTTP traffic
• Problem: Traditional firewalls leave the RPC proxy exposed to Web-based attacks

[Diagram: HTTP traffic carrying RPC traffic, together with Web server attacks, arrives from the Internet at the RPC proxy]

Page 68: Microsoft Internet Security and Acceleration (ISA) Server 2004 Powerful Protection for Microsoft Applications

How ISA Server 2004 Protects RPC over HTTP

• ISA Server 2004 terminates the SSL tunnel
• Inspects HTTP traffic for protocol compliance
• Blocks requests for all URLs except http://.../rpc/...
• No direct connections from the Internet to the Exchange Server
• Application-layer protection for HTTP traffic

[Diagram: HTTP traffic carrying RPC traffic and Web server attacks arrive from the Internet at ISA Server 2004, which passes only the RPC traffic on]

Page 69: Microsoft Internet Security and Acceleration (ISA) Server 2004 Powerful Protection for Microsoft Applications

How ISA Server 2004 Protects SMTP Traffic

• SMTP-based attacks
  – Invalid, overly long, or unusual SMTP commands to attack a mail server or to gather recipient information
  – Attacks against recipients by including malicious content, such as worms
• ISA Server 2004 protects mail servers
  – Enforces compliance of SMTP commands with standards
  – Blocks disallowed SMTP commands
  – Blocks messages with disallowed attachment types, content, recipient, or sender
  – Blocks non-SMTP traffic

No Exchange Server deployment is complete without ISA Server 2004
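The command-side checks listed on this slide (standards compliance, overly long or disallowed commands, blocked senders and recipients, non-SMTP traffic) can be shown on a handful of lines. The following Python inspector is an added example, not ISA Server's SMTP filter: it validates each command line before it could reach the published mail server. The allowed/disallowed command sets, the address block lists and the sample session are constructed; the 512-octet command-line limit is the one RFC 5321 specifies. Attachment and content inspection, which needs a MIME parser, is outside this example.

```python
"""SMTP command inspection as an added example (not ISA Server code): each
command line from a client is checked for length, syntax and policy before it
may reach the published mail server.  The command policy, the address block
lists and the sample session are constructed."""
import re

MAX_COMMAND_LINE = 512   # RFC 5321 limit for a command line including CRLF

# Constructed policy for a published mail server
ALLOWED_COMMANDS = {"HELO", "EHLO", "MAIL", "RCPT", "DATA", "RSET", "NOOP", "QUIT", "STARTTLS"}
DISALLOWED_COMMANDS = {"VRFY", "EXPN", "TURN"}   # e.g. address probing, refused outright
BLOCKED_SENDERS = {"spammer@example.net"}        # constructed
BLOCKED_RECIPIENTS = {"everyone@contoso.com"}    # constructed

# <local@domain> or the empty reverse path <>
ADDRESS_RE = re.compile(r"^<([^<>@\s]+@[^<>@\s]+|)>$")


def inspect_smtp_command(line):
    """Inspect one raw command line (bytes as received from the client).
    Returns ("allow", VERB) or ("block", reason)."""
    if len(line) > MAX_COMMAND_LINE:
        return ("block", "command line too long")
    if not line.endswith(b"\r\n"):
        return ("block", "line not terminated by CRLF")
    if any(b > 0x7E or (b < 0x20 and b not in (0x0D, 0x0A)) for b in line):
        return ("block", "non-ASCII or control character in command")
    text = line[:-2].decode("ascii")
    verb, _, arg = text.partition(" ")
    verb = verb.upper()
    if verb in DISALLOWED_COMMANDS:
        return ("block", "disallowed command " + verb)
    if verb not in ALLOWED_COMMANDS:
        return ("block", "not an SMTP command: " + text[:16])   # e.g. HTTP sent to port 25
    if verb in ("HELO", "EHLO") and not arg:
        return ("block", verb + " without a domain")
    if verb in ("DATA", "RSET", "QUIT", "STARTTLS") and arg:
        return ("block", verb + " takes no argument")
    if verb == "MAIL":
        return _check_address(verb, arg, "FROM:", BLOCKED_SENDERS, allow_empty=True)
    if verb == "RCPT":
        return _check_address(verb, arg, "TO:", BLOCKED_RECIPIENTS, allow_empty=False)
    return ("allow", verb)


def _check_address(verb, arg, keyword, blocklist, allow_empty):
    """Validate 'FROM:<addr> [params]' / 'TO:<addr> [params]' and apply the block list."""
    if not arg.upper().startswith(keyword):
        return ("block", "malformed %s argument" % verb)
    address_part = arg[len(keyword):].split(" ", 1)[0]   # ESMTP parameters may follow
    m = ADDRESS_RE.match(address_part)
    if m is None or (m.group(1) == "" and not allow_empty):
        return ("block", "malformed address in %s" % verb)
    if m.group(1).lower() in blocklist:
        return ("block", "blocked address " + m.group(1))
    return ("allow", verb)


# Constructed client session: legitimate commands mixed with the kinds of traffic the slide lists
SAMPLE_SESSION = [
    b"EHLO mail.example.net\r\n",
    b"MAIL FROM:<alice@example.net> SIZE=1024\r\n",
    b"RCPT TO:<bob@contoso.com>\r\n",
    b"VRFY postmaster\r\n",                      # disallowed command (recipient probing)
    b"MAIL FROM:<spammer@example.net>\r\n",      # blocked sender
    b"RCPT TO:bob@contoso.com\r\n",              # malformed address
    b"GET / HTTP/1.0\r\n",                       # non-SMTP traffic
    b"HELO " + b"A" * 600 + b"\r\n",             # overly long command
    b"DATA\r\n",
]


def inspect_session(lines=SAMPLE_SESSION):
    """Inspect every line of a session; returns the list of verdicts in order."""
    return [inspect_smtp_command(line) for line in lines]


if __name__ == "__main__":
    for line, verdict in zip(SAMPLE_SESSION, inspect_session()):
        print(line[:40], verdict)
```

The length and character-set checks run before any parsing, which is the order a filter in front of a server should use: a line that violates the protocol's own limits is rejected without the filter having to interpret it.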

Page 70: Microsoft Internet Security and Acceleration (ISA) Server 2004 Powerful Protection for Microsoft Applications

Easy Configuration and Administration of E-Mail Access

The Mail Publishing Wizard makes configuration easy and prevents configuration mistakes.

Page 71: Microsoft Internet Security and Acceleration (ISA) Server 2004 Powerful Protection for Microsoft Applications

Summary: Secure Access to E-Mail

• Receive and send e-mail: ISA Server 2004 protects mail servers from malformed commands that might expose vulnerabilities or reveal too much information.
• Confidentiality of e-mail: ISA Server 2004 can require that all traffic be encrypted.
• Access to e-mail from any location: ISA Server 2004 stops attacks against e-mail servers by enforcing proper traffic patterns at the application level.

Page 72: Microsoft Internet Security and Acceleration (ISA) Server 2004 Powerful Protection for Microsoft Applications

Protecting Microsoft Applications

• Secure Application Access: Help secure access to IIS, Microsoft SharePoint®, and other application servers
• Secure Access to E-Mail: Allow access to Exchange servers while protecting them
• Remote Connectivity: Connecting offices, partners, and users by using ISA Server 2004 and Windows Server 2003
• Integrated Branch Office Solution: Branch office security

Page 73: Microsoft Internet Security and Acceleration (ISA) Server 2004 Powerful Protection for Microsoft Applications

Remote Connectivity—Partner Access

Business Need / Risk to Organization

• Maintain confidentiality of communications
  – When partners access information across the Internet, eavesdropping may occur
• Provide network access to partner organization
  – Employees of partner organization may access inappropriate information on internal network
  – Segregating allowed and disallowed resources may require network redesign
• Enable connectivity between networks
  – Allowing connections for partners requires partially opening corporate networks to the Internet
  – Lack of interoperability may make connectivity difficult or impossible
  – Difficult configuration may lead to mistakes that threaten security

Page 74: Microsoft Internet Security and Acceleration (ISA) Server 2004 Powerful Protection for Microsoft Applications

Traditional Partner Connectivity

• Full access from partner network to all corporate resources
  – May include access to confidential information
• Alternative: Extranet
  – Synchronization required

[Diagram: Partner Network → Internet → VPN Gateway → Internal Network; alternatively an Extranet behind its own VPN Gateway, kept synchronized with the internal network]

Page 75: Microsoft Internet Security and Acceleration (ISA) Server 2004 Powerful Protection for Microsoft Applications

Partner Connectivity with ISA Server 2004

• Controlled access from partner network to selected corporate resources
  – Can limit access to specific servers and applications
  – Full application-layer protection
  – Third-party compatibility

[Diagram: Partner Network → Internet → ISA Server 2004 → Internal Network]

Page 76: Microsoft Internet Security and Acceleration (ISA) Server 2004 Powerful Protection for Microsoft Applications

Summary: Remote Connectivity—Partner Access

• Connectivity between networks: ISA provides interoperability with existing VPN equipment.
• Confidentiality of communications: ISA Server 2004 VPN uses encryption and authentication to ensure that all traffic between sites is kept confidential and remains unmodified.
• Network access for partner organization: Access and routing policies limit what resources one partner’s clients can access on the other partner’s network.

Page 77: Microsoft Internet Security and Acceleration (ISA) Server 2004 Powerful Protection for Microsoft Applications

Connectivity—Remote User Access

Business Need / Risk to Organization

• Protect corporate resources
  – Unmanaged remote clients may introduce viruses or worms
  – Insecurely configured remote clients may be used by attackers to gain access to corporate resources
• Provide remote access to selected corporate resources
  – Employees may access inappropriate information on internal network
  – Segregating allowed and disallowed resources may require network redesign
• Enable remote users to connect to corporate network
  – Allowing connections for remote users requires partially opening corporate networks to the Internet
  – Difficult configuration may lead to mistakes that threaten security
  – Confidentiality of corporate information may be compromised

Page 78: Microsoft Internet Security and Acceleration (ISA) Server 2004 Powerful Protection for Microsoft Applications

Traditional VPN Infrastructure

• VPN gateway and firewall are separate devices
• VPN clients get full access to the internal network
• May require additional client software
• Optional protection of the network through a separate firewall

[Diagram: Internet → VPN Gateway → Firewall → Internal Network]

Page 79: Microsoft Internet Security and Acceleration (ISA) Server 2004 Powerful Protection for Microsoft Applications

ISA Server 2004 VPN Infrastructure

• Includes VPN gateway and firewall functionality
• VPN clients get controlled and protected access to the internal network
• VPN client software is included in all recent versions of Windows

[Diagram: Internet → ISA Server 2004 → Internal Network]

Page 80: Microsoft Internet Security and Acceleration (ISA) Server 2004 Powerful Protection for Microsoft Applications

Protecting Networks with ISA Server 2004 Network Access Quarantine

• Client script checks whether the client meets corporate security policies
  – Personal firewall enabled?
  – Latest virus definitions used?
  – Required patches installed?
• If the checks succeed, the client gets full access
• If the checks fail, the client gets disconnected after a time-out period

Goal: Prevent VPN clients that don’t meet security requirements from accessing the network

Page 81: Microsoft Internet Security and Acceleration (ISA) Server 2004 Powerful Protection for Microsoft Applications

VPN Quarantine Process (1)

1. Client computer connects
2. ISA Server 2004 assigns the client to the Quarantined VPN Clients network, allowing access to limited resources
3. Script on the client computer checks configuration settings
4. Script sends “success” notification to ISA Server 2004
5. ISA Server 2004 assigns the client to the VPN Clients network, providing access to the internal network

[Diagram: VPN Client, Quarantine Resources, Internal Network]

Page 82: Microsoft Internet Security and Acceleration (ISA) Server 2004 Powerful Protection for Microsoft Applications

VPN Quarantine Process (2)

1. Client computer connects
2. ISA Server 2004 assigns the client to the Quarantined VPN Clients network, allowing access to limited resources
3. Script on the client computer checks configuration settings
4. Script does not send “success” notification to ISA Server 2004
5. ISA Server 2004 disconnects the client after the time-out expires

[Diagram: VPN Client, Quarantine Resources]

Page 83: Microsoft Internet Security and Acceleration (ISA) Server 2004 Powerful Protection for Microsoft Applications

Ease of Use for VPNs

Page 84: Microsoft Internet Security and Acceleration (ISA) Server 2004 Powerful Protection for Microsoft Applications

Monitoring VPN Connections

• ISA Server 2004 tools
  – Dashboard view for the big picture
  – Detailed information for all aspects of network traffic

Page 85: Microsoft Internet Security and Acceleration (ISA) Server 2004 Powerful Protection for Microsoft Applications

Summary: Connectivity—Remote User Access

• Remote connectivity: ISA Server 2004 allows remote access to the corporate network from anywhere.
• Protection of corporate resources: ISA Server 2004 protects the corporate network and the VPN clients.
• Access to selected corporate resources: ISA Server 2004 allows control over which corporate resources remote users can access.

Page 86: Microsoft Internet Security and Acceleration (ISA) Server 2004 Powerful Protection for Microsoft Applications

Protecting Microsoft Applications

• Secure Application Access: Help secure access to IIS, Microsoft SharePoint®, and other application servers
• Secure Access to E-Mail: Allow access to Exchange servers while protecting them
• Remote Connectivity: Connecting offices, partners, and users by using ISA Server 2004 and Windows Server 2003
• Integrated Branch Office Solution: Branch office security

Page 87

Integrated Branch Office Solution

Business Need: Utilize limited bandwidth at the branch office efficiently
Risk to Organization:
• Branch office connectivity may not be sufficient to allow for efficient Internet access
• Bandwidth used for Internet access can slow down access to corporate network

Business Need: Provide secure Internet access from branch offices
Risk to Organization:
• Employee access at branch offices may expose the network to worms, viruses, and hacker attacks
• Employees at branch offices may access inappropriate content
• Maintaining a consistent configuration is difficult

Business Need: Connect branch office networks to the main network
Risk to Organization:
• Branch office connections must be established across an insecure network and confidentiality of corporate information may be compromised
• Equipment from multiple vendors may not work with each other
• Site-to-site connectivity can be difficult to configure

Page 88

How ISA Server 2004 Enables Branch Office Connections

Broad protocol support
• PPTP
• L2TP/IPSec
• IPSec tunnel mode for interoperability with existing VPN gateways: fully tested and supported

Authentication and encryption
• Leverages Windows remote access capabilities
• Range of authentication methods: Active Directory, RADIUS, passwords, certificates
• Configurable encryption methods help ensure confidentiality of communications

Fine-grained control over traffic between networks

Page 89

Easy Configuration and Administration of Branch Office Connections

• Administrators can duplicate existing ISA Server 2004 configuration using XML export/import
• Easy-to-use wizards simplify administration for branch office administrators
• Remote administration using MMC, Terminal Services, or Remote Desktop Connection
• Full integration with Active Directory
• Easy-to-use monitoring tools
• Unified policy user interface allows administration of all network access in one location

Administrators can use one tool to control all network traffic at branch office

Page 90

Ease of Use for Branch Office Connections

Page 91

Firewall Integration

• ISA Server 2004 controls network traffic to and from branch offices
• VPN rules integrated with other firewall rules

Page 92

Fast, Secure Network Access from Branch Offices

Caching
• Keeps local copies of frequently requested content
• Transparent to clients
• Easy to configure

Page 93

Integrated Solution

Realize savings through integration
• One-stop solution for Internet access
• Provides firewall, access control, publishing, and VPN in a single solution
• Provides centralized administration and logging
• ISA Server 2004 can easily scale as organization grows
• Ideal solution for branch offices

Page 94

Summary: Integrated Branch Office Solution

Branch office network connectivity: ISA Server 2004 is uniquely positioned to deliver an integrated firewall, VPN, and cache solution.

Utilize limited bandwidth efficiently: ISA Server 2004 helps corporations lower bandwidth costs and improve user productivity.

Secure Internet access from branch offices: ISA Server 2004 can protect against advanced attacks.

Page 95

3. Selling Strategies and Partner Offerings

Page 96

ISA Server 2004 Sales Opportunities: When to Recommend

Recommend ISA Server 2004 to customers who:
• Need a new or supplemental firewall
• Use IIS, SharePoint Portal Server, Exchange Server, or Windows Server 2003
• Experience slow network performance
• Run ISA Server 2000
• Run Microsoft Small Business Server (SBS)

Page 97

ISA Server 2004 Sales Opportunities: New or Supplemental Firewall

Advanced Protection
• Advanced application-layer filtering

Ease of Use
• Quick and easy to configure
• Fits into existing Microsoft environment

Fast, Secure Access
• Implement Internet access control
• Achieve bandwidth and network efficiency
• Immediate security and savings

ISA Server 2004 provides the best protection for Microsoft-based networks

Page 98

ISA Server 2004 Sales Opportunities: New or Supplemental Firewall

Use as main firewall
• ISA Server 2004 provides all the protection customers expect from a firewall, VPN, and caching solution

Add new functionality to existing firewalls
• Caching
• Access control
• Application-layer inspection

Defense-in-depth by using multiple firewall products

ISA Server 2004 adds value by itself or when used in conjunction with an existing traditional firewall

Page 99

Pricing and Licensing: Flexible Pricing and Licensing

ISA Server 2004 Standard Edition: U.S.$1,499
ISA Server 2004 Enterprise Edition: TBD

• One-time per processor licensing
• Upgrade hardware for performance at no additional software cost
• No recurring licensing fees
• No separate client licenses required
• Requires Windows 2000 Server or Windows Server 2003 license

Wealth of integrated features
• ISA Server 2004 contains many integrated features, including VPN functionality, reporting, caching, URL screening, and multi-processor support
• These must be purchased as expensive add-ons with other firewalls.

Page 100

Pricing and Licensing: Editions

ISA Server 2004 Standard Edition
• Provides enterprise-class firewall security and Web caching capabilities for small businesses, workgroups, and departmental environments.
• Provides robust security, fast Web access, intuitive management, and excellent price-to-performance for business-critical environments.
• Limited to four processors.
• Each server is administered separately.

ISA Server 2004 Enterprise Edition
• Designed to meet the performance, management, and scalability needs of high-volume Internet traffic environments.
• Available: Later in 2004

Page 101

Customer Benefits: Technical and Business Value

Feature: Secure Internet Connectivity
Technical Value: Protect against hackers, viruses, and unauthorized access; Control outgoing Internet access; Defend Web servers and e-mail server
Business Value: Revenue +, Customer retention +, Liability -

Feature: Fast Web Access
Technical Value: Faster browsing; Reduce network bandwidth costs; Reduce stress on Web servers; More reliable data access
Business Value: Performance +, Customer satisfaction +, Revenue +, Capital expense -

Feature: Integrated VPN
Technical Value: Single point of control at network perimeter
Business Value: Operating cost -, Customer satisfaction +

Feature: Simple Management
Technical Value: Access control to management tasks; Reduced management complexity, reduced staff/server ratio; Reduced time to manage
Business Value: Operating cost -, Customer satisfaction +

Feature: Extensible Open Platform
Technical Value: Flexible, customizable solution
Business Value: Liability -, Operating cost -, Customer satisfaction +

Page 102

Customer Benefits: Key Messages

Audience / Customer Message

IT Professional: Rock-solid firewall security and high-performance Internet connectivity that's easy to manage

Business Decision Maker: Increase performance and security and reduce costs

HR Manager: Reduce liability and enforce corporate Internet access policies in real time

CTO: Protect critical information and manage information access with a single, scalable, easy-to-manage solution

Page 103

ISA Server 2004 Sales Opportunities: Use with IIS and SharePoint

• Built from the ground up to support Web protocols
• Efficient content checking
• Protection of critical resources
• Allows controlled, authenticated external access to SharePoint resources

No IIS or SharePoint deployment is complete without ISA Server 2004

Page 104

ISA Server 2004 Sales Opportunities: Use with IIS and SharePoint

No IIS or SharePoint deployment is complete without ISA Server 2004 protection

Customer Problem: Evolving Internet threats put Web servers at risk. Port 80 is being used more and more.
Solution: Application-layer security is necessary to protect Web servers from evolving types of attacks.

Customer Problem: Need fast access to Web sites at all times.
Solution: Caching speeds access and increases availability.

Customer Problem: SSL traffic is encrypted, introducing additional risk.
Solution: Inspection of SSL traffic improves network security.

Customer Problem: Difficult to provide external access to internal SharePoint resources
Solution: Link translation automatically changes Web pages

The ISA Server 2004 advantage
• Only ISA Server 2004 solves all of these customer problems
• Other firewalls are less capable and often more expensive

Page 105

ISA Server 2004 Sales Opportunities: Use with Exchange Server

Support for OWA
• Secures and accelerates access

Support for secure access to Exchange Server using the native Outlook protocols
• Users can use their regular client

Support for all major mail protocols
• Content checking to reduce unwanted and dangerous e-mail

No Exchange deployment is complete without ISA Server 2004

Page 106

ISA Server 2004 Sales Opportunities: Use with Exchange Server

No Exchange Server deployment is complete without ISA Server 2004 protection

Customer Problem: Unwanted e-mail messages are plaguing my network
Solution: Eliminate unwanted e-mail by filtering it at the edge

Customer Problem: Productivity is a tradeoff for secure e-mail communication
Solution: Enable secure, remote Outlook e-mail access without a VPN

Customer Problem: Concerned about the security of Exchange OWA
Solution: Inspect SSL-encrypted OWA e-mail

The ISA Server 2004 advantage:
• Only ISA Server 2004 solves all of these customer problems
• Other firewalls are more expensive, don't effectively secure all Exchange protocols, or are incapable of filtering e-mail

Page 107

ISA Server 2004 Sales Opportunities: Use with Windows Server 2003

Integrates with Active Directory
• Uses existing user accounts for access control
• Centralized, easy administration

Builds on security features of Windows Server 2003
• Full-featured VPN capabilities with the ease of use of ISA Server 2004
• Security templates and Group Policy to lock down computers

ISA Server 2004 is built for Windows protocols

Support for Network Access Quarantine

Page 108

ISA Server 2004 Sales Opportunities: Use with Windows Server 2003

No Windows Server 2003 deployment is complete without ISA Server 2004 protection

Customer Problem: Difficult to enforce security policies for VPN clients
Solution: Network access quarantine

Customer Problem: VPN clients have full access to corporate network
Solution: Firewall policy applies to VPN clients

Customer Problem: Authentication for user-based Internet-access policy difficult
Solution: Integration with Active Directory provides transparent authentication

The ISA Server 2004 advantage:
• Only ISA Server 2004 solves all of these customer problems
• Other firewalls are more expensive and don't provide network quarantine filtering, VPN client policies, or Active Directory integration

Page 109

ISA Server 2004 Sales Opportunities: Slow Network Performance

ISA Server 2004 provides immediate performance enhancements
• Caching increases response time for Web requests, increasing user productivity
• Caching reduces bandwidth requirements, saving money
• Can be implemented easily and without interruption in service
• Does not require network reconfiguration

Immediate, measurable benefits for existing networks

Page 110

ISA Server 2004 Sales Opportunities: Reasons to Upgrade from ISA Server 2000

Improve on ISA Server 2000
• More advanced application-layer protection
• Improved ease of use
• High performance

New in ISA Server 2004:

• Multiple network support

• New policy model

• Application-layer filtering

• Better performance

• Integrated policy enforcement for VPN clients

• VPN client quarantine

• Support for more protocols

• Packet filtering on all interfaces

• Better RPC publishing

• New authentication options

• Real-time monitoring

• Easier administration tools

Page 111

ISA Server 2004 Sales Opportunities: Use with Microsoft Small Business Server

• ISA Server 2004 is included only with SBS Premium Edition
• SBS Standard Edition only includes very limited firewall functionality
• SBS limited to 75 users
• As organization grows, investment in SBS can be leveraged by moving firewall policies to a separate server that is running the same firewall software

Moving ISA Server 2004 to a separate computer increases security
• Many customers want firewall to be separate from SBS
• Many security professionals recommend moving the firewall functionality to a separate computer to increase security

Added protection for small businesses

Page 112

ISA Server 2004 Partner Products (1): Enhance existing features and add new features

Application Filters: Improve security and interoperability for other protocols with application-layer inspection

Caching and Distribution: Improve the caching capabilities of ISA Server or create content distribution networks that store content closer to end users and provide centralized delivery, management, and support for different content types.

Content Security: Intercept viruses, malicious code or other inappropriate content at your network's Internet gateway.

High Availability and Load Balancing: Enhance ISA Server with network-level scalability, fault tolerance, and load balancing.

Intrusion Detection: Recognize and react in real time to hacking attempts. Monitor incoming traffic, and trigger responses according to alarms and events.

Monitoring and Administration: Extend the maintenance and management features of ISA Server to make day-to-day monitoring and administration tasks easier.

Page 113

ISA Server 2004 Partner Products (2): Enhance existing features and add new features

Reporting: Review traffic through ISA Server, and develop reports that can be used for calculating departmental charge-backs, identifying inappropriate usage, and categorizing Internet use

SSL Acceleration and Key Management: Use these hardware add-ons to improve the performance of SSL communications and the security of private keys used in creating SSL sessions, server identification, and PKI components

Security Resellers: Purchase ISA Server from authorized resellers who have technical product expertise

Security Solution Providers: Engage with authorized service partners to help build your Microsoft secure-connected infrastructure

URL Filtering: Restrict access to non-work-related sites, and filter sites that have objectionable or restricted content

User Authentication: Provide support for additional authentication methods and technologies for ISA Server VPN and Web access

Page 115

ISA Server 2004 Partners (1): A Growing Community

ActivCard AAA Server deployed with ISA Server 2004 is expected to help enterprise customers further protect their digital assets by ensuring and tracking user identities across a network from anywhere, at any time.

Akonix plans to use the application-layer filtering capabilities of ISA Server 2004 to direct all instant messaging traffic to Akonix's award-winning L7 Enterprise IM gateway to implement usage policies, content filtering, virus scanning, logging, and compliance programs.

Authenex plans to integrate AOne™, a two-factor authentication and Web access control solution, with ISA Server 2004 to deliver a powerful, all-in-one suite of two-factor network security applications.

The combination of Cerberian Web Manager and ISA Server 2004 will provide ISA Server 2004 customers with three additional levels of dynamic Internet content-filtering services via Cerberian's database of more than five million ratings and domains, and Cerberian's Dynamic Real-Time Rating and Dynamic Background Rating technologies.

Fast Scout VirtualWeb Internet filtering and monitoring software will support ISA Server 2004.

* This page is based on pre-release information.

Page 116

ISA Server 2004 Partners (2): A Growing Community

Forum Systems will offer integration of its XWall™ Web Services Firewall with ISA Server 2004.

DynaComm i:filter from FutureSoft is a reliable, feature-rich enterprise Internet filtering solution for Microsoft ISA Server 2004.

GFI DownloadSecurity for ISA Server 2004 enables you to assert control over what files your users download from HTTP and FTP sites.

nCipher hardware security modules (HSMs) will interoperate with ISA Server 2004 to more securely and more efficiently handle the advanced security functions performed by ISA Server 2004.

Network Associates McAfee SecurityShield for Microsoft ISA Server 2004 is designed to provide anti-virus protection, virus outbreak management, content scanning and, as part of an optional upgrade, anti-spam protection for Microsoft ISA Server 2004.

Panda Software Panda ISASecure Antivirus module has been designed to help further protect Internet traffic passing through ISA Server 2004.

* This page is based on pre-release information.

Page 117

ISA Server 2004 Partners (3): A Growing Community

RainConnect from Rainfinity provides continuous or always-on Internet access by distributing traffic among multiple independent ISP links.

SurfControl Web Filter puts you in control of Internet usage with a range of flexible, scalable, and high-performance solutions to best fit your Internet content-filtering needs.

Venation V-WEB 4 provides a powerful and cost-effective platform for accelerating business-critical applications and content.

WebSpy facilitates the effective management of an organization's Internet resources.

Whale Communications is planning to use the advanced functionality in ISA Server 2004 to produce a prototype of a next-generation secure-access appliance.

Check www.microsoft.com/isaserver/partners for an up-to-date list of available solutions

* This page is based on pre-release information.

Page 118

ISA Server 2004–Based Appliances: More Options for Customers

Extending ISA Server 2004 Benefits
• Hardened configuration for reduced attack surface
• Easy to purchase, set up, and deploy
• Benefits of both a hardware and software solution

Added Value and Customer Choice
• Out-of-box configuration tools
• Web-based administration
• Customized and fully integrated deployment options

New Worldwide Industry Partnerships
• Celestix Networks, Hewlett-Packard, and Network Engines
• Additional future partners

Page 119

Competitive Benefits

• Best Integration with Microsoft Windows and Microsoft Solutions
• More Technologies Built-in
• More Advanced Filtering
• Integrated Firewall and Caching Provides Better Security
• Better, More Broad Support
• Faster Learning Curve
• Lower Total Cost of Ownership

ISA Server 2004 is a viable solution to common security and Web performance problems, with distinct advantages over other available solutions

Page 120

Detailed Competitive Analysis: Competitive Chart (1)

Microsoft ISA Server 2004 Standard Edition Competitive Quick Guide

Products compared: ISA Server 2004; Check Point NG/Nokia 350; Cisco PIX 515E; Netscreen 50; SonicWall Pro 230; WatchGuard V80; Symantec 5420

Architecture
ISA Server 2004: Software or Appliance; Check Point NG/Nokia 350: Software or Appliance; Cisco PIX 515E: Appliance; Netscreen 50: Appliance; SonicWall Pro 230: Appliance; WatchGuard V80: Appliance; Symantec 5420: Appliance [1]

Operating System
ISA Server 2004: Windows 2000 or Windows Server 2003; Check Point NG/Nokia 350: IPSO; also runs on Microsoft Windows NT®/2000, Solaris, Linux, AIX; Cisco PIX 515E: PIX OS (based on IOS); Netscreen 50: ScreenOS; SonicWall Pro 230: SonicOS (2 versions, simple and enhanced); WatchGuard V80: Proprietary; Symantec 5420: Proprietary [1]

Concurrent Sessions
ISA Server 2004: Unlimited; Check Point NG/Nokia 350: 250,000; Cisco PIX 515E: 130,000; Netscreen 50: 8,000; SonicWall Pro 230: 30,000; WatchGuard V80: 128,000; Symantec 5420: 64,000

Firewall Throughput
ISA Server 2004: Tested up to 1.59 Gbps; Check Point NG/Nokia 350: 350 Mbps; Cisco PIX 515E: 188 Mbps; Netscreen 50: 170 Mbps; SonicWall Pro 230: 190 Mbps; WatchGuard V80: 200 Mbps; Symantec 5420: 200 Mbps

Interfaces
ISA Server 2004: No software limit; Check Point NG/Nokia 350: 4 10/100; Cisco PIX 515E: 6 10/100 (10 virtual); Netscreen 50: 4 10/100; SonicWall Pro 230: 3 10/100; WatchGuard V80: 4 10/100, 2 HA ports; Symantec 5420: 6

VPN Tunnels
ISA Server 2004: 1,000 (Standard); 16,000+ PPTP, 30,000 L2TP [2]; Check Point NG/Nokia 350: 12,500; Cisco PIX 515E: 2,000; Netscreen 50: 100; SonicWall Pro 230: 500; WatchGuard V80: 8,000; Symantec 5420: *

VPN Support
ISA Server 2004: PPTP, L2TP, IPSec, SSL; Check Point NG/Nokia 350: IPSec, SSL, L2TP; Cisco PIX 515E: IKE/IPSec, L2TP, PPTP; Netscreen 50: IPSec, SSL; SonicWall Pro 230: IPSec, PPTP; WatchGuard V80: IPSec, L2TP (other models support PPTP); Symantec 5420: IPSec

VPN Client
ISA Server 2004: Free with all Windows OS; Check Point NG/Nokia 350: Proprietary or Microsoft L2TP client [3]; Cisco PIX 515E: Proprietary, Microsoft L2TP, PPTP [3]; Netscreen 50: Proprietary, costs extra; SonicWall Pro 230: Proprietary, bundled (10); WatchGuard V80: Proprietary, costs extra; Symantec 5420: Proprietary, per-tunnel license

Page 121

Detailed Competitive Analysis: Competitive Chart (2)

Microsoft ISA Server 2004 Standard Edition Competitive Quick Guide

Products compared: ISA Server 2004; Check Point NG/Nokia 350; Cisco PIX 515E; Netscreen 50; SonicWall Pro 230; WatchGuard V80; Symantec 5420

IDS
ISA Server 2004: Based on technology licensed from ISS; Check Point NG/Nokia 350: ISS Real Secure IDS; inline/passive inspection of TCP stream; Cisco PIX 515E: Protects against 55 attacks; separate IDS appliance available; Netscreen 50: IDS included based on OneSecure; IDP available extra; SonicWall Pro 230: DoS attack detection and prevention; WatchGuard V80: IDS, IDP included, protocol anomaly detection; Symantec 5420: Hybrid anomaly IDS/IDP (Recourse)

Integrated Microsoft Exchange Support
ISA Server 2004: Yes; Check Point NG/Nokia 350: No; Cisco PIX 515E: No; Netscreen 50: No; SonicWall Pro 230: No; WatchGuard V80: No; Symantec 5420: No

Application-Layer Filtering
ISA Server 2004: Deep application-layer including character string filtering; HTTP, SMTP, DNS, FTP, POP3, IMAP; Check Point NG/Nokia 350: NG App Layer Intelligence; includes application proxies, content filtering using UFP; Cisco PIX 515E: Fixups; ASA; URL filtering with WebSense or N2H2; CF blocks Java/Microsoft ActiveX®; Netscreen 50: HTTP, POP3, IMAP, SMTP, FTP, DNS, supports WebSense; SonicWall Pro 230: CFS subscription service; WatchGuard V80: SMTP, HTTP proxies; Symantec 5420: Attack signatures; HTTP, FTP, and SMTP sent to virus scan, content filtering

Management User Interface
ISA Server 2004: Familiar Windows MMC for local and remote management, CLI, Terminal Service, or remote desktop; Check Point NG/Nokia 350: CLI, SNMP, FTP, Telnet, SSH, Web: Voyager (local), Horizon Manager (remote); Cisco PIX 515E: PIX Device Manager (PDM); CLI, Telnet, SSH, console port, Ciscoworks centralized management (optional); Netscreen 50: Web (HTTP, HTTPS), CLI, Telnet, SSH, Global Pro (option); SonicWall Pro 230: Web UI, CLI, SNMP, Global Management System (centralized); WatchGuard V80: Java-based GUI; CLI; Multi-box management (CPM) optional; Symantec 5420: Web-based (SSL) UI, Symantec Management console

Web Caching
ISA Server 2004: Included at no extra cost; forward/reverse; Check Point NG/Nokia 350: Not included; add-on product; Cisco PIX 515E: Not included; Cisco Content Engine costs extra; Netscreen 50: Not included; SonicWall Pro 230: With CFS subscription; WatchGuard V80: Not included; Symantec 5420: Not included

Page 122: Microsoft Internet Security and Acceleration (ISA) Server 2004 Powerful Protection for Microsoft Applications

122

Detailed Competitive AnalysisCompetitive Chart (3)

Feature ISA Server 2004

Check-Point

NG/Nokia 350

Cisco PIX 515E

Netscreen 50

SonicWall Pro 230

Watch-Guard V80

Symantec 5420

High Availability

Uses load balancing,

failover included in Windows

2000 /2003 at no extra cost

Clustering not supported on

this model

Failover with purchase of

second appliance (at much lower

cost)

Supports active/

passive mode only (A/A on other series)

Hardware failover is a “value-added

service”

Supports active/passive (A/A

optional at extra cost)

A/A, A/P, LB (maximum

cluster size 8)

Spam Filtering Yes, can filter by keywords or

character strings

Does not filter by keyword

Can be done with add-ons

Third party Third party Not included Included in AV

Add-ons (extra cost options)

Wide variety third-party add-

ons for extensibility

Management, IDS, cluster,

content filtering, reports, caching

Content engine (caching), IDS,

anti-virus, content filtering

IDP, spam filtering

(SurfControl), AV

AV, content filtering add-on; GSM for

multi-management

A/A HA, virus scan, live security update services

AV, content filtering,

additional VPN clients, HA/LB

1 Symantec Enterprise Firewall software that runs on 5400 series appliances can also be purchased as a software firewall that will run on Windows or Solaris.

2 Windows Server 2003 Standard Edition supports 1,000 PPTP and 1,000 L2TP connections. Windows Server 2003 Enterprise and Datacenter editions theoretically support unlimited VPN connections, but the registry restricts PPTP to 16,384 and L2TP to 30,000 on these editions.

3 Although Microsoft client software can be used, the proprietary client is required for advanced features such as enforcement of VPN configuration requirements.

*Information unavailable.

Additional details included in Partner Guide

Microsoft ISA Server 2004 Standard Edition Competitive Quick Guide

Page 123

Partner Guide Resources

Plan: Review the Partner Revenue Opportunities with ISA Server 2004 document to determine areas of specialization. Learn about the advantages that ISA Server 2004 brings to Exchange Server, IIS, SharePoint, and Windows Server 2003 deployments. View case studies to learn about the benefits that ISA Server 2004 has brought to customers.

Market/Sell: Utilize tools and resources to help you sell ISA Server products and services. Leverage Microsoft's customer-ready materials to incorporate into your own presentations and distribute to your customers. Read and leverage various datasheets, sales presentations, telesales scripts, and other marketing materials that will help you communicate the benefits of deploying and using ISA Server 2004.

Service/Support: Leverage the ISA Server 2004 Configuration Guide, deployment kits, and white papers to get the background information you need to plan ISA Server 2004 deployments, complete with the step-by-step procedures needed for proper installation and configuration. Install the ISA Server 2004 evaluation software to test the benefits of ISA Server in a production environment.

Train/Enable: Complete the Hands-on Labs on CD 2.

Page 124

Web Resources

ISA Server 2004 official site: http://www.microsoft.com/isaserver
ISA Server 2004 partners: http://www.microsoft.com/isaserver/partners/
Partner Campaign Kits: http://members.microsoft.com/partner/
ISA Server 2004 user community (not affiliated with Microsoft): http://www.isaserver.org

Page 125

4. Introduction to Hands-on Training

Page 126

Hands-on Labs: Six Scenarios

Lab A: What's New in ISA Server 2004
Lab B: Configuring Outbound Internet Access
Lab C: Publishing Web Servers
Lab D: Publishing an Exchange Server
Lab E: Enabling VPN Connections
Lab F: Using Monitoring, Alerting, and Logging

Page 127

Hands-on Labs: Format

Hands-on Training uses Microsoft Virtual PC
Four virtual computers:
  Internal computer (Domain Controller, Exchange Server)
  ISA Server 2004
  Web server in perimeter network
  External computer
Setup guide and instructions included on Partner CD
Each scenario can be completed independently in about 30-60 minutes
Each scenario contains detailed explanations
Each scenario presents a complete solution

Page 128

© 2003-2004 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.