
Microsoft Internet Security and Acceleration (ISA) Server 2004 Powerful Protection for Microsoft Applications

Microsoft Internet Security and Acceleration (ISA) Server 2004 Powerful Protection for Microsoft Applications. Learning Objectives Protecting Microsoft Applications with ISA Server 2004.





Presentation Transcript


  1. Microsoft Internet Security and Acceleration (ISA) Server 2004: Powerful Protection for Microsoft Applications

  2. Learning Objectives: Protecting Microsoft Applications with ISA Server 2004. This training will show the solutions, advantages, benefits, competitive landscape, and selling opportunities for Microsoft® ISA Server 2004, as well as provide customer-ready resources.

  3. Agenda • ISA Server 2004 Overview: Advanced Protection, Ease of Use, Fast Secure Access (Slides 4–43) • Protecting Microsoft Applications: Technical Details (Slides 44–94) • Selling Strategies and Partner Offerings (Slides 95–124) • Introduction to Hands-on Labs (Slides 125–127)

  4. 1. ISA Server 2004 Overview: Advanced Protection, Ease of Use, Fast Secure Access

  5. Industry Security: The State of Network Security • 14 billion devices on the Internet by 2010 [1] • 35 million remote users by 2005 [2] • 65% increase in dynamic Web sites [3] • 90% detected security breaches [4] • 95% of all breaches avoidable with an alternative configuration [5] • Approximately 70% of all Web attacks occur at the application layer [6]. Sources: [1] Forrester Research; [2] Information Week, November 26, 2001; [3] Netcraft summary; [4] Computer Security Institute (CSI) Computer Crime and Security Survey 2002; [5] CERT, 2002; [6] Gartner

  6. The Role of Firewalls • Firewalls block attacks before they reach their target • Firewalls can protect multiple systems • Firewall protection can buy time before all protected servers are secured • Firewalls can help protect client computers that are not properly protected • Firewalls can act as a central access point • Combined firewall and VPN gateway • Firewalls provide centralized logging of network access • Crucial component of defense-in-depth

  7. Limitations of Traditional Firewalls
  • Wide open to advanced attacks: application-layer attacks (Code Red, Nimda); encryption to bypass detection (SSL).
  • Hard to manage: security is complex; IT already overloaded.
  • Performance vs. security tradeoff: bandwidth is limited and expensive; traffic inspection reduces performance.
  • Limited capacity for growth: growth requires new hardware; old hardware can’t be repurposed; growth requires purchase of new license.

  8. What Is ISA Server 2004? Microsoft ISA Server 2004 is Microsoft’s flagship security product and a cornerstone of the company’s Trustworthy Computing initiative. ISA Server 2004 is an application-layer firewall, VPN, and Web-cache solution that provides advanced protection, fast and secure Web access, and is very easy to use. ISA Server 2004 can provide security as a perimeter firewall at the Internet edge, can be used to protect Microsoft applications such as Microsoft Exchange and other servers on the internal network, as well as be configured as a Web-caching server to ensure fast, secure Web access—all in one package.

  9. ISA Server 2004 Top Benefits
  Customer pain | Value provided by ISA Server 2004
  Threats to corporate assets create financial and legal risks | Advanced Protection: application-layer security designed to protect Microsoft applications
  Securing the network is time consuming and expensive | Ease of Use: efficiently deploy, manage, and use ISA Server 2004
  Securing networks impacts performance and productivity | Fast, Secure Access: empowers you to connect users to relevant information on your network in a cost-efficient manner

  10. Advanced Protection: Limits of Traditional Firewalls (1) • Traditional firewalls only examine headers • Packet filtering, stateful inspection • Most of today’s attacks are directed against applications • Web servers (Code Red, Nimda) • Web browsers (malicious Java applets) • Mail clients (worms, Trojan horse attacks). Diagram of a packet: IP header (source address, destination address); TCP header (source port 1121, destination port 80); payload (HTTP GET /). Only the headers are examined.

  11. Advanced Protection: Limits of Traditional Firewalls (2) • Applications encapsulate traffic in HTTP traffic • Examples: Peer-to-peer, instant messaging • Encrypted traffic can’t be inspected by traditional firewalls • Dynamic port assignments require too many incoming ports to be opened • Examples: FTP, RPC. Packet filtering and stateful inspection are not enough to protect against today’s attacks!

  12. Advanced Protection: Application-Layer Filtering with ISA Server 2004 • Application-layer filtering in ISA Server 2004 examines the payload • ISA Server 2004 blocks traffic that uses allowed ports but contains disallowed data • Example: Traffic to a Web server that contains a Web server attack • ISA Server 2004 allows you to use complex protocols across a firewall. “To provide edge security in this application-centric world…application-level firewalls will be required….” (John Pescatore, Gartner)

  13. Advanced Protection ISA Server 2004: Proxy Architecture • Internet traffic never routed to the internal network • ISA Server 2004 establishes separate connections to client and to server • Proxy architecture protects against network layer attacks • Built from the ground up for application layer filtering • Great performance! • Extensible architecture for plug-ins ISA Server 2004 also performs packet filtering and stateful inspection.

  14. Advanced Protection: Web Publishing with Traditional Firewalls • Traditional firewalls only evaluate incoming traffic based on IP address and port • All Web traffic is sent to Web server, exposing it to all Web-based attacks. Diagram: Internet, incoming traffic, Web server.

  15. Advanced Protection: Secure Web Publishing with ISA Server 2004 • Inspection of Web requests and responses and protection of Microsoft Internet Information Services (IIS) from exploits • Blocking of malformed URLs to stop Web-based attacks • Optional inspection of incoming SSL traffic. Diagram: Internet, incoming traffic, ISA Server 2004, Web server.

  16. Advanced Protection: Exchange Publishing with Traditional Firewalls • Firewall only evaluates incoming traffic based on IP address and port • All traffic for ports using mail protocols is sent to Exchange Server • Exchange Server is exposed to all application-layer attacks. Diagram: Internet, incoming traffic, Exchange Server.

  17. Advanced Protection: Secure Exchange Publishing with ISA Server 2004 • ISA Server 2004 defends Exchange Server and enables secure client access • Protection of all types of client access (Microsoft Outlook® Web Access [OWA], SMTP, POP, IMAP, RPC, RPC over HTTP) • Increases OWA performance and enables application of firewall policy to OWA traffic • Allows scanning of e-mail text and attachments. Diagram: Internet, incoming traffic, ISA Server 2004, Exchange Server.

  18. Advanced Protection: The Need to Provide Secure VPN Access • Companies need to provide remote access • Branch offices • Business partners • Home offices and traveling users • VPNs are a cost-effective way to leverage the Internet • No dial-up connections or leased lines required • VPNs use existing Internet connection • VPNs create security concerns and increase administrative work • VPNs create new administration tasks • VPNs create new ways to access the corporate network. Callout: ISA Server 2004 simplifies VPN administration and provides VPN security.

  19. Advanced Protection: How ISA Server 2004 Secures VPN Client Connections • All communications over the Internet are encrypted • Broad protocol support • PPTP and L2TP/IPSec • IPSec NAT traversal (NAT-T) for connectivity across any network (requires Microsoft Windows Server™ 2003) • Authentication • Microsoft Active Directory® uses existing Microsoft Windows® accounts, supports PKI for two-factor authentication • RADIUS uses non-Windows-based accounts databases with standards-based integration • SecurID provides strong, two-factor authentication using tokens and RSA authentication servers • Integration of VPN traffic into firewall policy • Network access quarantine to ensure secure client configuration

  20. Advanced Protection: How ISA Server 2004 Connects Networks • Broad protocol support • PPTP • L2TP/IPSec • IPSec tunnel mode for interoperability with existing VPN gateways: fully tested and supported • Authentication and encryption • Uses Windows RRAS capabilities • Range of authentication methods • Active Directory, RADIUS, passwords, certificates • Configurable encryption methods help ensure confidentiality of communications • Fine-grained control over traffic between networks

  21. Summary: Advanced Protection • ISA Server 2004 was designed with most common customer scenarios in mind • ISA Server 2004 protects networks while enabling connectivity • ISA Server 2004 is optimized for application-layer filtering • A broad range of partner offerings extends protection capabilities. Callout: ISA Server 2004 is a crucial component in protecting Microsoft networks and applications.

  22. Ease of Use: New, Easy-to-Use Administration Tools • ISA Server 2004 Management Console completely redesigned from previous version • All tools for each task in one place • Easy to learn • Ease of use can reduce risk of security breaches due to misconfiguration • Local or remote administration • Use the same tool to configure and monitor the firewall, cache, and VPN gateway

  23. Ease of Use: Overview • Simplified administration tools • Reduces training costs • Helps prevent insecure configurations • Unified firewall policy • Helps keep administration costs low

  24. Ease of Use: Task-based Administration • Easy access to common tasks • All tools for a task are accessible when needed

  25. Ease of Use: Monitoring • Real-time monitoring for troubleshooting • Variety of report formats summarizes Internet activity and performance. The dashboard is the starting point for monitoring.

  26. Ease of Use: Reporting • Broad range of reporting options

  27. Ease of Use: Easy Deployment • Multiple network support • Works with your existing network infrastructure • Leverages previous IT investments • Broad client support • Supports any device that uses TCP/IP • Firewall Client adds features for Windows clients. Low administrative overhead during initial deployment and network maintenance.

  28. Ease of Use: Adjusts to Network Changes • Flexibility to support most network types • Templates to simplify deployments

  29. Ease of Use: Easy Scalability • Scale up • Upgrade to faster hardware and repurpose existing server(s) without the need to purchase a different ISA Server 2004 license • Scale out • Easily copy configuration settings with XML export • Maintain existing rules and settings. Choice of options to grow with company needs.

  30. Ease of Use: Alerting • Alerts for large number of events • Flexible alerting options • New: Connectivity Verification

  31. Ease of Use: User-based Access Control • Prevalence of DHCP on internal networks makes IP-based access control obsolete • ISA Server 2004 supports the use of native Windows security credentials to build highly granular firewall access rules • RADIUS for universal integration with non-Windows user accounts and for authentication in perimeter networks • Credentials are passed transparently, eliminating need for additional tedious logon procedures at firewall

  32. Ease of Use: Easy Extensibility • Adding functionality • Easy customization by in-house developers • Wide range of partner solutions (http://microsoft.com/isaserver/partners). Partner solution categories: Application Filters; Caching and Distributions; Content Security; High Availability and Load Balancing; Intrusion Detection; Monitoring and Administration; Network Utilities; Reporting; SSL Acceleration and Key Management; Security Resellers; Security Solution Providers; URL Filtering; User Authentication

  33. Ease of Use: Extensible, Open Platform • Most administrative tasks can be scripted • Scripting automates tasks • Scripting saves time and ensures consistency • SDK provides access to easy-to-use procedures for scripting • Custom Web and application filters • Custom filters allow secondary inspection and manipulation of traffic • Examples: Advanced content inspection, advanced authorization, etc. • Easy object model ensures quick results

  34. Summary: Ease of Use • ISA Server 2004 tools make firewall administration easy • Easy configuration can help prevent configuration mistakes • ISA Server 2004 adapts to existing network configurations and changes • Extensive logging, monitoring, and reporting capabilities. Callout: ISA Server 2004 is a crucial component in protecting Microsoft networks and applications.

  35. Fast, Secure Access: Integrated VPN • Secure site-to-site connections • Secure remote access connections • Broad protocol support

  36. Fast, Secure Access: Web-Caching Benefits • Frequently requested Web content is cached for local delivery • Users get faster access to frequently requested Web content • Existing bandwidth is used more efficiently. Callout: ISA Server 2004 is the only major firewall with built-in, state-of-the-art Web caching.

  37. Fast, Secure Access: Internet Access Without Caching. Diagram (Internet, existing firewall, Client 1, Client 2): 1. Client 1: GET www.microsoft.com. 2. Object is sent from Internet. 3. Client 2: GET www.microsoft.com. 4. Object is sent from Internet. Each client request causes Internet traffic.

  38. Fast, Secure Access: How Does Caching Work? Diagram (Internet, ISA Server 2004, Client 1, Client 2): 1. Client 1: GET www.microsoft.com. 2. Access controls are enforced. 3. GET www.microsoft.com (ISA Server 2004 to the Internet). 4. Object is sent from Internet and placed in cache. 5. Client 2: GET www.microsoft.com. 6. Object is sent from cache. Client requests for cached content cause no Internet traffic.

  39. Fast, Secure Access: Effects of Caching • Reduces bandwidth requirements • Requests from multiple users for an object only require one download from Internet • Reduces server workload • Requests for published Web content are served from the cache without additional requests to the published server • Distributes bandwidth • Most frequently accessed content can be downloaded during off hours and before users request it • Ensures that objects are up-to-date • ISA Server requests an updated version when the object has changed on the Web server

  40. Fast, Secure Access: Business Benefits of Caching • Improved productivity • Many Web pages are displayed faster • No waiting for Web objects that are cached • Better resource utilization • No need to purchase additional bandwidth • Fully integrated, minimal administration

  41. Fast, Secure Access: Scaling Caching for the Enterprise • Downstream server requests content from upstream server • Upstream server retrieves content from Internet • Content can be cached in both locations • Security settings are enforced centrally • No direct Internet requests required from branch offices. Diagram: Internet; upstream cache in the corporate network; a downstream cache in each of two branch offices.

  42. Fast, Secure Access Granular Access Control • Full control over Internet access by users • Enforce corporate policies • Control access by protocol, user, location, destination, schedule • Fine-grained control of Web content • Partner solutions extend access control • All network traffic blocked unless specifically allowed • Flexible firewall policy • Easy to create broad rules or detailed policy • Unified firewall policy makes it easy to review and troubleshoot access rules

  43. Summary: Fast, Secure Access • Integrated VPN for secure site-to-site and remote access connections • Optimized for application-layer filtering • Caching accelerates access to frequently used Web content • Granular rules allow a high level of Internet access control • Additional filtering is possible with third-party solutions provided by Microsoft partners. Callout: ISA Server 2004 is a crucial component in protecting Microsoft networks and applications.

  44. 2. Protecting Microsoft Applications: Technical Details

  45. Protecting Microsoft Applications
  • Secure Application Access: help secure access to IIS, Microsoft SharePoint®, and other application servers
  • Secure Access to E-Mail: allow access to Exchange servers while protecting them
  • Remote Connectivity: connecting offices, partners, and users by using ISA Server 2004 and Windows Server 2003
  • Integrated Branch Office Solution: branch office security

  46. Secure Application Access
  Business need | Risk to organization
  Provide fast, secure access to internal Web resources | Web servers are exposed to attacks that threaten business resources; attacks can bypass traditional firewalls by using the same protocols as legitimate Web traffic; placing a firewall in front of public Web servers can slow down access to Web resources; allowing access to existing resources requires costly redesign or duplication of network infrastructure
  Provide access to SharePoint-based resources | Same risks as providing access to all Web servers
  Maintain confidentiality of communications | Confidentiality requires encryption, which defeats traffic inspection at the firewall; attackers may gain access to network even though a firewall is installed

  47. A Traditional Firewall’s View of a Packet • Only packet headers are inspected • Application-layer content appears as a “black box” • Forwarding decisions based on port numbers • Legitimate traffic and application-layer attacks use identical ports. Diagram of a packet: IP header (source address, destination address, TTL, checksum); TCP header (sequence number, source port, destination port, checksum); application-layer content: ??? (not inspected). Incoming traffic from the Internet is labelled expected HTTP traffic, unexpected HTTP traffic, Web server attacks, and non-HTTP traffic; with port-based decisions, everything arriving on the HTTP port reaches the Web server.

  48. ISA Server 2004’s View of a Packet • Packet headers and application content are inspected • Forwarding decisions based on content • Only legitimate HTTP traffic is sent to Web server. Diagram of a packet: IP header (source address, destination address, TTL, checksum); TCP header (sequence number, source port, destination port, checksum); application-layer content: GET www.contoso.com/partners/default.htm. Incoming traffic from the Internet is labelled expected HTTP traffic, unexpected HTTP traffic, Web server attacks, and non-HTTP traffic; only the expected HTTP traffic reaches the Web server.

  49. Traditional Web Publishing • All traffic using TCP port 80 sent to Web server • One Web server per IP address. Diagram (Internet, incoming traffic, Web server): every request reaches the Web server, including http://www.contoso.com, http://39.1.1.1, http://www.contoso.com/../cmd?.., http://www.contoso.com/%20%20, http://www.contoso.com/scripts/, and http://www.contoso.com/partners/

  50. ISA Server 2004 Web Publishing (ISA Server protects IIS) • ISA Server 2004 inspects HTTP request • Only allowed requests are forwarded • ISA Server 2004 can publish multiple servers. Diagram (Internet, incoming traffic, Web servers): http://www.contoso.com and http://www.fabrikam.com/partners are forwarded; http://39.1.1.1, http://www.contoso.com/../cmd?.., http://www.contoso.com/%20%20, and http://www.contoso.com/scripts/ are blocked
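As an added illustration of the request inspection slides 47–50 describe (example code, not ISA Server’s own HTTP filter), this Python function applies the same kind of checks to a raw HTTP request before it is forwarded: the request must parse as an HTTP request line, the host must be a published site, the path is decoded once and rejected on traversal, whitespace, double encoding or an unpublished prefix, and only then is it handed to the internal server. The site table, backend addresses and denied prefix are constructed for the example.

```python
import re
from urllib.parse import unquote, urlsplit

# Constructed publishing table: external host names that are published and the
# internal server each is forwarded to (hypothetical addresses, not ISA's config).
PUBLISHED_SITES = {"www.contoso.com": "10.0.0.10", "www.fabrikam.com": "10.0.0.11"}
DENIED_PREFIXES = ("/scripts/",)          # path prefixes the slide shows being blocked
ALLOWED_METHODS = {"GET", "HEAD", "POST"}
REQUEST_LINE = re.compile(r"^([A-Z]+) (\S+) HTTP/1\.[01]$")
# A path may contain only printable ASCII, and '%' only as a valid %XX escape.
SAFE_PATH = re.compile(r"(%[0-9A-Fa-f]{2}|[\x21-\x24\x26-\x7e])*")


def inspect_request(raw: bytes):
    """Return ("forward", backend, path) or ("block", reason) for one request."""
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:
        return ("block", "non-ASCII bytes where an HTTP request was expected")
    head = text.split("\r\n\r\n", 1)[0].split("\r\n")
    m = REQUEST_LINE.match(head[0])
    if not m:
        return ("block", "not an HTTP/1.x request line")  # non-HTTP traffic on port 80
    method, target = m.group(1), m.group(2)
    if method not in ALLOWED_METHODS:
        return ("block", f"method {method} not allowed")
    headers = {}
    for line in head[1:]:
        if ":" not in line:
            return ("block", "malformed header line")
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    if target.startswith("http://"):          # absolute-form target carries the host
        parts = urlsplit(target)
        host, path = parts.netloc, parts.path or "/"
    else:
        host, path = headers.get("host", ""), target.split("?", 1)[0] or "/"
    host = host.split(":", 1)[0].lower()
    if host not in PUBLISHED_SITES:           # e.g. a request addressed to the raw IP
        return ("block", f"host '{host or '(none)'}' is not a published site")
    if not SAFE_PATH.fullmatch(path):
        return ("block", "invalid characters or bad percent-encoding in path")
    decoded = unquote(path)                   # decode exactly once, then inspect
    if decoded != unquote(decoded):
        return ("block", "double-encoded path")
    if "\\" in decoded or ".." in decoded.split("/"):
        return ("block", "path traversal attempt")
    if any(c <= " " or c == "\x7f" for c in decoded):
        return ("block", "whitespace or control character in decoded path")
    if decoded.lower().startswith(DENIED_PREFIXES):
        return ("block", "path prefix is not published")
    return ("forward", PUBLISHED_SITES[host], decoded)
```

The function is called once per request; the verdict and reason are what a publishing rule would log alongside the forwarding decision.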
