ISA Server 2000 Best Practices from the Field - PowerPoint PPT Presentation

    Presentation Transcript
    1. ISA Server 2000 Best Practices from the Field. Presenters: Jim Harrison (Microsoft Corp), Jim Edwards (Microsoft Corp)

    2. Agenda • Introduction (Jim Harrison) • Security (Jim Harrison) • Reliability (Jim & Jim) • Performance (Jim Edwards) • Q&A

    3. Security • Windows Configuration • Domain Association • Perimeter Network Scenarios • ISA Configuration • ISA Policies • ISA Logs • References

    4. Windows Configuration • Patches, Patches, PATCHES! • Security checklists on • Technet • ISAServer.org • NSA

    5. Windows Configuration • ISA Service Dependencies • ISA Server Packet Filter Extension (mspfltex) • Remote Access Connection Manager (rasman) • WMI Driver Extensions (wmi) • DCOM is required for ISA

    6. Windows Configuration • Service Dependencies created by ISA • ICS (sharedaccess) depends on Microsoft Firewall (fwsrv) • Routing and Remote Access (remoteaccess) depends on ISA Control (isactrl)

    7. Non-Domain

    8. Separate Domains (Forests)

    9. Same Forest, Separate Domains

    10. Single Domain

    11. Two–Tier Perimeter Network

    12. Third-leg Perimeter Network

    13. LAT Perimeter Network

    14. Cache mode • IP packet filtering NOT Available • LAT / LDT NOT Available • Outgoing and Incoming Web Requests listener configurations • Best behind another (ISA) firewall

    15. Firewall & Integrated modes • IP Filtering makes this the most secure • User- / group-based non-web traffic rules • Single-NIC installation is NOT supported without dialup as external • LAT configuration

    16. LAT Configuration (Right vs. Wrong comparison; image only)

    17. IP Packet Filtering (Right vs. Wrong comparison; image only)

    18. IP Packet Filtering (Right vs. Wrong comparison; image only)

    19. Admin Rights (Right vs. "Right?" comparison; image only)

    20. Protocol Rules (Right; image only)

    21. Protocol Rules (Wrong; image only)

    22. Site & Content Rules: Anonymous (image only)

    23. Site & Content Rules: Unfiltered (image only)

    24. Server Publishing (image only)

    25. Incoming Web Listeners (Right vs. "Right?" comparison; image only)

    26. Web Publishing (Right vs. Wrong comparison; image only)

    27. Web Publishing (image only)

    28. Web Publishing (image only)

    29. ISA Logs • Other Server Logs • SMTP, DNS, etc. • Forensic Analysis • Securityfocus.com article • Legal Evidence • Computer Forensics • Trail of Evidence

    30. IP Packet Filter Logs • External scans, attacks, spoofs • Log field selections • Payload is limited to the first 256 bytes

    31. IP PF Log Examples
        source-ip         destination-ip   proto  param#1  param#2  flags
        68.124.157.106    123.123.123.10   Tcp    1646     17300    SYN
        193.179.148.234   123.123.123.12   Tcp    4738     22       SYN
        209.221.223.108   123.123.123.10   ICMP   8        0
        209.221.223.108   123.123.123.11   ICMP   8        0
        209.221.223.108   123.123.123.12   ICMP   8        0
        209.221.223.108   123.123.123.13   ICMP   8        0
        62.111.208.195    123.123.123.10   Tcp    2736     135      SYN
        62.111.208.195    123.123.123.11   Tcp    2737     135      SYN
        62.111.208.195    123.123.123.12   Tcp    2738     135      SYN
        62.111.208.195    123.123.123.13   Tcp    2739     135      SYN

    32. IP PF Log Bonus Slide
        source-ip         destination-ip   proto  param#1  param#2  flags
        211.41.55.136     123.123.123.11   Tcp    3127     3127     SYN
        211.41.55.136     123.123.123.12   Tcp    3135     3127     SYN
        211.41.55.136     123.123.123.13   Tcp    3140     3127     SYN
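    Slides 31 and 32 show what to look for in the IP packet filter log: one external source walking the whole address range with ICMP echo requests (type 8), or with SYNs to the same port on every host (135 is the RPC/DCOM port Blaster and Nachi hit; 3127 on the bonus slide is the backdoor port MyDoom opened; 17300 is the Kuang2 trojan port). The Python below is an added example, not part of the presentation: it takes the slide's rows as constructed input and flags horizontal sweeps. The field reading (param#1/param#2 are source/destination port for TCP and type/code for ICMP) and the three-host threshold are my assumptions.

```python
"""Flag horizontal sweeps in ISA Server 2000 IP packet filter log lines.

Added example, not from the slides. The log text is constructed from the
values on slides 31 and 32; field order follows the slide header
(source-ip destination-ip proto param#1 param#2 flags). Assumption: for
TCP/UDP param#1 is the source port and param#2 the destination port; for
ICMP param#1 is the type and param#2 the code.
"""
from collections import defaultdict

IPPF_LOG = """\
source-ip destination-ip proto param#1 param#2 flags
68.124.157.106 123.123.123.10 Tcp 1646 17300 SYN
193.179.148.234 123.123.123.12 Tcp 4738 22 SYN
209.221.223.108 123.123.123.10 ICMP 8 0
209.221.223.108 123.123.123.11 ICMP 8 0
209.221.223.108 123.123.123.12 ICMP 8 0
209.221.223.108 123.123.123.13 ICMP 8 0
62.111.208.195 123.123.123.10 Tcp 2736 135 SYN
62.111.208.195 123.123.123.11 Tcp 2737 135 SYN
62.111.208.195 123.123.123.12 Tcp 2738 135 SYN
62.111.208.195 123.123.123.13 Tcp 2739 135 SYN
211.41.55.136 123.123.123.11 Tcp 3127 3127 SYN
211.41.55.136 123.123.123.12 Tcp 3135 3127 SYN
211.41.55.136 123.123.123.13 Tcp 3140 3127 SYN
"""

def parse_ippf(text):
    """Yield (src, dst, proto, p1, p2, flags); flags is '' for ICMP rows."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5:
            continue
        try:
            p1, p2 = int(parts[3]), int(parts[4])
        except ValueError:
            continue  # header line or garbage
        flags = parts[5] if len(parts) > 5 else ""
        yield parts[0], parts[1], parts[2].upper(), p1, p2, flags

def find_sweeps(text, min_targets=3):
    """Group rows by (source, proto, service) and keep the groups that touched
    at least min_targets distinct destinations. 'service' is ('port', dst port)
    for TCP/UDP and ('type', icmp type) for ICMP, so an echo-request sweep and
    a port-135 sweep are both caught. Returns {key: sorted destinations}."""
    targets = defaultdict(set)
    for src, dst, proto, p1, p2, flags in parse_ippf(text):
        if proto == "ICMP":
            service = ("type", p1)
        else:
            if flags and flags != "SYN":
                continue  # only connection attempts, not mid-stream packets
            service = ("port", p2)
        targets[(src, proto, service)].add(dst)
    return {k: sorted(v) for k, v in targets.items() if len(v) >= min_targets}

if __name__ == "__main__":
    for (src, proto, (kind, val)), dsts in sorted(find_sweeps(IPPF_LOG).items()):
        print(f"{src} swept {len(dsts)} hosts: {proto} {kind} {val}")
```

    Run against the slide data it reports three sweeps (ICMP type 8, TCP 135 and TCP 3127) and ignores the single SYNs to 22 and 17300, which is the right call for a sweep detector but not for a "which ports do they think we are running" report; lower min_targets or drop the grouping if that is what you need.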

    33. Firewall Logs • Internal virus / worms detection • Log field selections • WP and FW share many logging options

    34. Firewall Log Examples
        c-ip           r-ip              r-port  cs-prot  s-oper   sc-status
        192.168.0.1    123.123.123.123   135     TCP      Connect  13301
        192.168.0.1    207.46.245.214    135     TCP      Connect  0
        192.168.0.1    207.46.245.214    17300   TCP      Connect  13301
        192.168.0.1    207.46.245.214    17300   TCP      Connect  0
        192.168.0.1    207.46.245.214    80      TCP      Connect  13301
        192.168.0.1    207.46.245.214    80      TCP      Connect  0
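    The firewall log is where an internal infection shows up: the client address is an inside host and the remote port is one no workstation should be dialling out to. The Python below is an added example, not code from the presentation. Its input is constructed from the rows on slide 34 plus one clean client I added for contrast; the watch-list of ports and their labels, and the reading of sc-status 13301 as a denied attempt (the slide contrasts it with 0, success), are my assumptions and should be checked against the result-code table for your ISA version.

```python
"""Spot internal hosts behaving like worms in ISA Server 2000 Firewall log
lines (slide 34). Added example, not code from the presentation. Rows are
constructed from the slide's values, field order c-ip r-ip r-port cs-prot
s-oper sc-status, plus a clean client 192.168.0.7 for contrast. The port
watch-list and the meaning of 13301 are assumptions (see comments)."""
from collections import defaultdict
import ipaddress

FW_LOG = """\
c-ip r-ip r-port cs-prot s-oper sc-status
192.168.0.1 123.123.123.123 135 TCP Connect 13301
192.168.0.1 207.46.245.214 135 TCP Connect 0
192.168.0.1 207.46.245.214 17300 TCP Connect 13301
192.168.0.1 207.46.245.214 17300 TCP Connect 0
192.168.0.1 207.46.245.214 80 TCP Connect 13301
192.168.0.1 207.46.245.214 80 TCP Connect 0
192.168.0.7 207.46.245.214 80 TCP Connect 0
192.168.0.7 207.46.245.214 443 TCP Connect 0
"""

# Assumption: destination ports an internal client has no business reaching out to.
WORM_PORTS = {
    135: "RPC/DCOM (Blaster/Nachi family)",
    3127: "MyDoom backdoor",
    17300: "Kuang2 trojan",
}
DENIED = 13301  # assumption: read as "connection denied", contrasted with 0 = success

def parse_fw(text):
    """Return (c_ip, r_ip, r_port, proto, oper, status) tuples, skipping the header."""
    rows = []
    for line in text.splitlines():
        p = line.split()
        if len(p) != 6 or p[0] == "c-ip":
            continue
        rows.append((p[0], p[1], int(p[2]), p[3].upper(), p[4], int(p[5])))
    return rows

def suspect_clients(text):
    """For RFC 1918 clients that tried a watch-listed port outbound, return
    {client: {port: {"remotes": distinct targets, "denied": n, "allowed": n}}}.
    An *allowed* hit on 135 is the worse finding: something (probably the
    "all open" protocol rule slide 50 warns about) let it through."""
    stats = defaultdict(dict)
    for c_ip, r_ip, r_port, proto, _oper, status in parse_fw(text):
        if proto != "TCP" or r_port not in WORM_PORTS:
            continue
        if not ipaddress.ip_address(c_ip).is_private:
            continue  # external sources belong to the packet-filter log, not here
        s = stats[c_ip].setdefault(r_port, {"remotes": set(), "denied": 0, "allowed": 0})
        s["remotes"].add(r_ip)
        s["denied" if status == DENIED else "allowed"] += 1
    return {c: {port: {"remotes": len(s["remotes"]), "denied": s["denied"], "allowed": s["allowed"]}
                for port, s in ports.items()}
            for c, ports in stats.items()}

if __name__ == "__main__":
    for client, ports in suspect_clients(FW_LOG).items():
        for port, s in sorted(ports.items()):
            print(f"{client} -> tcp/{port} ({WORM_PORTS[port]}): "
                  f"{s['remotes']} target(s), {s['denied']} denied, {s['allowed']} allowed")
```

    On the slide data only 192.168.0.1 is reported, for 135 and 17300; its port-80 traffic and the whole of 192.168.0.7 are ignored. Once a client is on the list, the same log gives you the remote addresses it reached, which is your outbound trail of evidence for slide 29.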

    35. Web Proxy Logs • Internal, external virus / worms detection • Log field selections

    36. Web Proxy Log Examples
        CodeRed:       <SourceIP> GET www 12202
                       <SourceIP> GET www 200
        Nimda:         <SourceIP> GET <ISAExtIP> 12202
                       <SourceIP> GET <ISAExtIP> 200
        Auth Failure:  <SourceIP> GET http://www.thatsite.tld 12209
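    Slide 36 only shows source, method, host and status, so the interesting part, the request line, is implied. The Python below is an added example, not code from the presentation, that fills that in: the cs-uri values are the well-known Code Red (default.ida) and Nimda (root.exe / cmd.exe) request signatures, an assumption beyond the slide, and the lines are constructed with the slide's status values. Status 12202 is ISA's "URL denied" result, 12209 its "authorization required" result, and 200 means ISA passed the request to the server.

```python
"""Classify worm signatures and authentication failures in ISA Server 2000
Web Proxy log lines (slide 36) by direction. Added example, not code from
the presentation. The log text is constructed; the cs-uri patterns are an
assumption (the slide does not show them)."""
import ipaddress
import re

WEB_LOG = """\
c-ip cs-method r-host cs-uri sc-status
209.221.223.108 GET www /default.ida?NNNNNNNNNNNNNNNN%u9090%u6858 12202
209.221.223.108 GET www /default.ida?NNNNNNNNNNNNNNNN%u9090%u6858 200
62.111.208.195 GET 123.123.123.10 /scripts/root.exe?/c+dir 12202
62.111.208.195 GET 123.123.123.10 /c/winnt/system32/cmd.exe?/c+dir 200
192.168.0.1 GET 207.46.245.214 /scripts/..%255c../winnt/system32/cmd.exe?/c+dir 12202
192.168.0.1 GET www.thatsite.tld / 12209
"""

SIGNATURES = [  # assumption: request patterns, not anything the slide lists
    ("CodeRed", re.compile(r"/default\.ida\?", re.I)),
    ("Nimda", re.compile(r"(root\.exe|cmd\.exe)", re.I)),
]
AUTH_REQUIRED = 12209

def classify(text):
    """Return (c_ip, label, host, status) for each interesting line.

    label is "auth-failure", "<worm>:inbound-probe" when the source is an
    external address arriving through the incoming web listener, or
    "<worm>:internal-infected" when an inside client sends the signature
    outbound through the outgoing listener."""
    findings = []
    for line in text.splitlines()[1:]:          # first line is the header
        c_ip, _method, host, uri, status = line.split()
        status = int(status)
        if status == AUTH_REQUIRED:
            findings.append((c_ip, "auth-failure", host, status))
            continue
        for name, rx in SIGNATURES:
            if rx.search(uri):
                internal = ipaddress.ip_address(c_ip).is_private
                label = f"{name}:{'internal-infected' if internal else 'inbound-probe'}"
                findings.append((c_ip, label, host, status))
                break
    return findings

if __name__ == "__main__":
    for c_ip, label, host, status in classify(WEB_LOG):
        verdict = "served (200)" if status == 200 else f"stopped by ISA ({status})"
        print(f"{c_ip:16} {label:24} {host:18} {verdict}")
```

    A 200 next to a Code Red or Nimda signature means ISA relayed the probe to the published server, so that server's own logs and patch level are the next stop; a 12202 means a site and content rule or the listener stopped it. Repeated 12209 from one internal address is the pattern to watch for a client hammering a listener that demands credentials.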

    37. Romper-Room No-No’s • IP Packet Filtering off & IP Routing on • Enable IP Routing via RRAS or TCP/IP • LAT includes external (or DMZ) subnets • Same-subnet on internal / external NICs • FW Client installed on the ISA • “All destinations” web publishing rule

    38. Security and Critical Hotfixes • Service Pack 1 • KB 283213 ICMP blocking (Nachi defense) • Post SP1 • KB 319374 & 321846 Web Proxy crash • MS02-027 buffer overrun in Gopher protocol handler • MS03-009 DoS in DNS IDS filter • MS03-012 DoS in Firewall Service • MS03-028 XSS in ISA error pages • MS04-001 H.323 filter vulnerability

    39. Security References • Microsoft checklists and guides: http://www.microsoft.com/technet/security/chklist/Default.asp http://www.microsoft.com/technet/security/tools/default.asp • Common Criteria (CC) configuration: https://s.microsoft.com/isaserver/code/commoncriteria/

    40. Security References • NSA configuration: http://www.nsa.gov/snac/win2k/guides/w2k-11.pdf and http://www.nsa.gov/snac/win2k/guides/inf/isa.inf • Log Forensics: http://securityfocus.com/infocus/1712

    41. Reliability • Windows Considerations • ISA Server 2000 Firewall Considerations

    42. Reliability Windows Settings • NIC binding order • Routing table • Patch Patch Patch! • Redundancy • System Services • Extraneous Services

    43. Reliability Windows Settings: NIC Binding Order
        • Internal: top of the list; NO default gateway; DNS/WINS
        • External: default gateway; dial-up issues
        • RAS: dial-up issues
        • DMZ: position doesn't matter
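    The configuration mistakes on slide 37 (packet filtering off with routing on, routing enabled through RRAS or TCP/IP rather than ISA, external or DMZ subnets in the LAT, internal and external NICs on one subnet) and the NIC rules here on slide 43 (default gateway on the external adapter only, internal adapter first in the binding order) are all mechanical enough to check before a box goes live. The Python below is an added example, not from the presentation; the cfg dictionary shape and the sample values are mine, and in practice you would fill it from the LAT in the ISA MMC, ipconfig /all and the adapter binding order.

```python
"""Sanity-check an ISA Server 2000 network layout against the no-no's on
slide 37 and the NIC rules on slide 43. Added example, not from the
presentation; the cfg layout and sample values are assumptions of mine."""
import ipaddress

def check_layout(cfg):
    """Return a list of (severity, message) for the mistakes the slides name.

    cfg = {
      "nics": {"Internal": {"subnet": "a.b.c.d/n", "gateway": None or "ip"},
               "External": {...}, "DMZ": {...}},       # other NIC names are fine
      "lat": ["cidr", ...],                             # ISA Local Address Table
      "packet_filtering": bool, "ip_routing": bool,
      "ip_routing_source": "isa" / "rras" / "tcpip",   # where routing was switched on
      "binding_order": ["Internal", "External", ...],
    }"""
    problems = []
    nets = {name: ipaddress.ip_network(n["subnet"], strict=False) for name, n in cfg["nics"].items()}
    lat = [ipaddress.ip_network(e, strict=False) for e in cfg.get("lat", [])]

    # Slide 37: "IP Packet Filtering off & IP Routing on" forwards packets unfiltered.
    if cfg.get("ip_routing") and not cfg.get("packet_filtering"):
        problems.append(("critical", "IP routing enabled with IP packet filtering disabled"))
    # Slide 37: "Enable IP Routing via RRAS or TCP/IP" bypasses ISA's control of routing.
    if cfg.get("ip_routing") and cfg.get("ip_routing_source", "isa") != "isa":
        problems.append(("critical", f"IP routing enabled via {cfg['ip_routing_source']} instead of ISA"))
    # Slide 37: "LAT includes external (or DMZ) subnets" makes those hosts internal to ISA.
    for name, net in nets.items():
        if name == "Internal":
            continue
        for entry in lat:
            if net.overlaps(entry):
                problems.append(("critical", f"LAT entry {entry} overlaps {name} subnet {net}"))
    # Slide 37: "Same-subnet on internal / external NICs".
    if "External" in nets and nets["Internal"].overlaps(nets["External"]):
        problems.append(("critical", "Internal and External NICs share a subnet"))
    # Slide 43: default gateway on External only; Internal carries DNS/WINS, no gateway.
    for name, n in cfg["nics"].items():
        gw = n.get("gateway")
        if name == "External" and not gw:
            problems.append(("warning", "External NIC has no default gateway"))
        elif name != "External" and gw:
            problems.append(("warning", f"{name} NIC has a default gateway ({gw}); only External should"))
    # Slide 43: Internal adapter at the top of the binding order (DMZ position is irrelevant).
    order = cfg.get("binding_order", [])
    if order and order[0] != "Internal":
        problems.append(("warning", f"Binding order starts with {order[0]}, not Internal"))
    return problems

# Constructed sample configurations (not from the slides).
WRONG = {
    "nics": {"Internal": {"subnet": "10.0.0.1/24", "gateway": "10.0.0.254"},
             "External": {"subnet": "203.0.113.5/24", "gateway": "203.0.113.1"},
             "DMZ": {"subnet": "172.16.0.1/24", "gateway": None}},
    "lat": ["10.0.0.0/24", "172.16.0.0/24"],
    "packet_filtering": False, "ip_routing": True, "ip_routing_source": "rras",
    "binding_order": ["External", "Internal", "DMZ"],
}
RIGHT = {
    "nics": {"Internal": {"subnet": "10.0.0.1/24", "gateway": None},
             "External": {"subnet": "203.0.113.5/24", "gateway": "203.0.113.1"},
             "DMZ": {"subnet": "172.16.0.1/24", "gateway": None}},
    "lat": ["10.0.0.0/24"],
    "packet_filtering": True, "ip_routing": True, "ip_routing_source": "isa",
    "binding_order": ["Internal", "External", "DMZ"],
}

if __name__ == "__main__":
    for label, cfg in (("WRONG", WRONG), ("RIGHT", RIGHT)):
        print(label, check_layout(cfg) or "no problems")
```

    The LAT check is the one that bites in a third-leg perimeter (slide 12): a DMZ subnet in the LAT turns DMZ hosts into "internal" clients that bypass the rules meant for them, which is exactly why the slide lists it alongside the external subnet.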

    44. Reliability Windows Settings:Routing Table • Static Routes • Windows routing table • RRAS routing table • Dynamic Routes • VPN issues • VPN Clients • Mystery of the Windows VPN client gateway

    45. Reliability Windows Settings:Patches! • Service Packs • Install them now • Latest OS and ISA SP and FP • Hotfixes • Do you need them? • What about Windows Update? • Security Updates • What’s going to break? • Testing lab • Mirror config in lab • Don’t let the production network be your regression testing lab

    46. Reliability Windows Settings:Redundancy • What are you trying to accomplish? • Web v. Server Publishing Rules • NLB v. Rainwall • Bidirectional what? • Hardware Load Balancers • Pay to play • RainConnect • Redundant Internet connectivity • Outbound and inbound • NextLAND Proturbo 800

    47. Reliability Windows Settings:System Services • Disable Junk Services • (list several of these) • Determining Required Services • Disable and test • Remote Registry Service

    48. Reliability Windows Settings: Extraneous Software • Server Services • It's a firewall, not a firesale • Not a workstation • No Kazaa • No VPN client connections • Plug-ins • Test test test

    49. Reliability ISA Settings • Test All Policies • Separate Inbound and Outbound Duties • Backing Up • Caching Arrays

    50. Reliability ISA Settings:Field Test All Policies • Protocol Rules • The dreaded “all open” rule • Site and Content Rules • Kill anonymous access Site and Content Rules • Server client address set for anonymous access • Kill the HTTP (Re)Director • Can’t block via Site/Content rules • Packet Filters • This ain’t no pix(en) • Web and Server Publishing Rules • FQDN in Destination Sets • The mystery of the ephemeral outbound IP address • VMware • Buy now or pay later