IKON Presentation - Raven Computers Ltd
Microsoft Internet Security & Acceleration Server
Dave Sayers
Technical Specialist
Microsoft UK
Agenda
What is a Firewall?
Typical Firewall Configurations
Features of Microsoft ISA Server
Secure Internet Access to a Web Server
ISA Server 2004
What is a Firewall?
Controlled Point of Access for all traffic that enters the internal network
Controlled Point of Access for all traffic that leaves the internal network
Traditional Firewalls allow/deny access to certain IP addresses and ports only
Bastion Host (diagram): Internet - Firewall - Internal Network
Perimeter Network with Three-Homed Firewall (diagram): Internet - Firewall - Perimeter Network / Internal Network
Perimeter Network with Back-to-Back Firewalls (diagram): Internet - External Firewall - Internal Firewall
Traditional Firewalls
Wide open to advanced attacks
• Code Red, Nimda
• SSL-based attacks
Hard to manage
• Security is complex
• IT already overloaded
Performance vs. security tradeoff
• Bandwidth too expensive
• Too many moving parts
Limited capacity for growth
• Not easily upgradeable
• Don’t scale with business
Perimeter Security Evolution
Wide open to advanced attacks -> Application-level protection
Hard to manage -> Easier to use
Performance vs. security tradeoff -> Security and performance
Limited capacity for growth -> Extensibility and scalability
Internet Security and Acceleration Server
Industry strength firewall and proxy server
Standard and Enterprise
Standalone or arrays
VPNs
Server and web publishing
Monitoring & reporting
www.microsoft.com/isaserver
www.isaserver.org
Key Components
Policy Elements: Schedule, Bandwidth, Destination Set, Client Address Set, Protocol Definitions, Content Groups
Protocol Rules
Site and Content Rules
Packet Filtering
ISA Value Add
Server Publishing
• Web Server
• Exchange Server
• Additional Servers
Application Filters
• SMTP
• DNS
• HTTP
• Streaming Media
VPN Wizards
Intrusion Detection
Secure Internet Access to a Corporate Web Site
ISA Web Publishing
Publishes web site on ISA server
Content can be cached on ISA server using reverse proxy
Keeps the web site secure on the private network
Server publishing vs. web publishing
ISA Web Publishing
Need to create an Incoming Web Listener first (reverse proxy) as well as a destination set
Then create a web publishing rule
Introducing: ISA Server 2004
The advanced application layer firewall, VPN and Web cache solution that enables customers to maximize IT investments by improving network security & performance
Advanced protection
Ease of use
High performance
Common Scenarios
Edge Firewall
Exchange
Web servers
Remote Access (VPN)
Branch office
Remote site security
S2S VPN (IPSec)
Integrated Solution
Caching
Chaining
Secure Publishing
Single server edge security solution
Easy, unified management
Flexible Topologies
3-Leg, front/back, ...
Asset protection
Multi network support
Partitioning
ISA Server 2004 New Features
Updated security architecture
Advanced protection
Application layer security designed to protect Microsoft applications
Deep content inspection
• Enhanced HTTP, customizable protocol filters
• Comprehensive/flexible policies
• Stateful routing
Enhanced Exchange Server Integration
• Support for Outlook RPC over HTTP
• Enhanced Outlook Web Access security
• Easy to use configuration wizards
Fully integrated VPN
• Unified firewall-VPN filtering
• Built-in support for site-to-site IPsec tunnel mode
• Integrates with Windows Quarantine
Comprehensive authentication
• New support for RADIUS and RSA SecurID
• User- & group-based access policy
• Third party extensibility
ISA 2004 Architecture (diagram)
User mode:
Firewall service with Policy Engine and Policy Store
Application layer filtering: Web Proxy Filter hosting Web filters through the Web Filter API (ISAPI); SMTP Filter
Protocol layer filtering: RPC Filter, DNS Filter and App Filter through the Application Filter API
Kernel mode:
TCP/IP Stack
Firewall Engine (NDIS): packet layer filtering
Kernel mode data pump: performance optimization
Application Layer Filtering
Modern threats call for deep inspection
Protects network assets from exploits at the application layer: Nimda, Slammer...
Provides the ability to define a fine grain, application level, security policy
Best protection for Microsoft applications
Application filtering framework
Built in filters for common protocols
HTTP, SMTP, RPC, FTP, H.323, DNS, POP3, Streaming media
Scenario-driven design
Extensible plug-in architecture
VPN Protection
Detunneled traffic is inspected
VPN traffic is segregated
VPN network: all addresses allocated to VPN users
IP addresses dynamically added/removed
VPN network available in Stingray admin
IPSec Tunnel Mode support
Injected back to the stack
Stingray sees traffic on stack hooks
Provides connectivity to branch office VPN
Simplified tools for administration
Quarantine support
Quarantined users placed in quarantine network
IP addresses dynamically added/removed
Quarantine network available in ISA Server admin
Engine Security Enhancements
Flood-DoS protection
SYN-flood protection
Client connection quota
IP options, DNS Attacks, IP half-scan, Port scan
IP options filtering
Spoofed UDP packet flooding mitigation
Attack/Intrusion Detection
Applicable to Worm/Virus floods
Filter out individual options
Lockdown mode
Restrict firewall machine access on service failures
Authentication Framework
Multi source authentication
Firewall client authentication
Web proxy authentication
Proxy auth, Reverse proxy auth, Pass through auth, SSL bridging
Basic, digest, NTLM, Kerberos, Certificates
RADIUS authentication, SecurID authentication
CRL support
Extensible!
VPN clients
Transparent user authentication
Application transparent, Protocol independent
Kerberos/NTLM
EAP (certificates, smartcards, others), MS-CHAPv2, CHAP, (S-PAP, PAP)
RADIUS / Windows
Extensible authentication/authorization framework
Third party filters can register their own auth namespaces
RADIUS authentication
Federation through RADIUS proxies
Can be used for centralized authentication services
Domain membership not required
Great for DMZ placement
RADIUS authentication flow (diagram): Web Client (browser, HTTP client) on the Internet -> Firewall Server -> Back-end Server on the Corpnet, with the Firewall Server querying a RADIUS Server (IAS)
1. HTTP/SSL basic auth. from the web client to the firewall server
2. RADIUS request from the firewall server to the RADIUS Server (IAS)
3. HTTP/SSL request, sent to the back-end server
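Added example, not part of the deck and not ISA's own code: a Python model of the three-step exchange above, in which the firewall turns the client's HTTP Basic credentials into a RADIUS Access-Request whose User-Password attribute is hidden as RFC 2865 specifies, and a stand-in for the RADIUS server (IAS) answers Access-Accept or Access-Reject; the shared secret, user list and all function names are constructed.

```python
import base64, hashlib, os, struct
SECRET = b"constructed-shared-secret"              # firewall <-> IAS secret (constructed)
USERS = {"alice": "correct horse battery staple"}   # what the RADIUS server knows (constructed)
_xor = lambda a, b: bytes(x ^ y for x, y in zip(a, b))

def hide_password(password: bytes, authenticator: bytes, secret: bytes) -> bytes:
    """RFC 2865 5.2: NUL-pad to 16-byte blocks, XOR each with MD5(secret + previous block)."""
    password += b"\0" * (-len(password) % 16)
    out, prev = b"", authenticator                           # first block keyed from the authenticator
    for i in range(0, len(password), 16):
        block = _xor(password[i:i + 16], hashlib.md5(secret + prev).digest())
        out, prev = out + block, block
    return out

def unhide_password(hidden: bytes, authenticator: bytes, secret: bytes) -> bytes:
    """Inverse of hide_password: the chaining value is the received ciphertext block."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        out += _xor(hidden[i:i + 16], hashlib.md5(secret + prev).digest())
        prev = hidden[i:i + 16]
    return out.rstrip(b"\0")

def build_access_request(user: str, password: str, ident: int = 1) -> bytes:
    """Step 2: the firewall wraps the Basic credentials in a RADIUS Access-Request."""
    auth = os.urandom(16)                                    # Request Authenticator
    hidden = hide_password(password.encode(), auth, SECRET)
    attrs = struct.pack("BB", 1, 2 + len(user)) + user.encode()      # User-Name (type 1)
    attrs += struct.pack("BB", 2, 2 + len(hidden)) + hidden          # User-Password (type 2)
    return struct.pack("!BBH", 1, ident, 20 + len(attrs)) + auth + attrs  # code 1 = Access-Request

def radius_server(packet: bytes) -> str:
    """Stand-in for IAS: parse the request, recover the password, answer Accept or Reject."""
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    auth, body, attrs = packet[4:20], packet[20:length], {}
    while body:                                              # attributes are type, length, value
        attrs[body[0]] = body[2:body[1]]
        body = body[body[1]:]
    password = unhide_password(attrs[2], auth, SECRET)
    return "Access-Accept" if USERS.get(attrs[1].decode(), "").encode() == password else "Access-Reject"

def basic_header(user: str, password: str) -> str:
    """Step 1: what the web client sends in its Authorization header."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()

def firewall_handle(authorization: str) -> str:
    """Steps 1-3 at the firewall: decode the credentials, ask IAS, forward only on Accept."""
    user, _, password = base64.b64decode(authorization.split()[1]).decode().partition(":")
    accepted = radius_server(build_access_request(user, password)) == "Access-Accept"
    return "forwarded to back-end server" if accepted else "401 Unauthorized"
```

The firewall never needs domain membership for this: the only trust it holds is the RADIUS shared secret, which is why the deck recommends the arrangement for DMZ placement.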
ISA Server 2004 New Features
New management tools and user interface
Ease of Use
Efficient and cost effective network security
Multi-network architecture
• Unlimited network definitions and types
• Firewall policy applied to all traffic
• Per network routing relationships
Network templates and wizards
• Wizard automates network routing relationships
• Supports 5 common network topologies
• Easily customized for sophisticated scenarios
Visual policy editor
• Unified firewall/VPN policy w/one rule-base
• Drag/drop editing w/scenario-driven wizards
• XML-based configuration import-export
Enhanced troubleshooting
• All new monitoring dashboard
• Real-time log viewer
• Content sensitive task panes
ISA 2004 Networking Model
Any number of networks
VPN as network
Localhost as network
Assigned relationships (NAT/Route)
Per-Network policy
Packet filtering on all interfaces
Support for uPnP
Any topology, any policy
Diagram: ISA 2004 in the centre with VPN, Internet, CorpNet_1 ... CorpNet_n, DMZ_1 ... DMZ_n, Local Host Network and Net A attached
Network Templates
Objective
Simplified network config
Features
• 5 templates
• Automatic routing relationships
• Customizable
ISA 2004 Policy Model
Single, ordered rule base
More logical and easier to understand
Easier to view and to audit
New unified rule structure
Applicable to all types of policy
Three master types of rules
Access rules
Server Publishing rules
Web Publishing rules
Application filtering properties a part of the rule
Default System Policy
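As an added example (not code from the deck or from ISA Server itself), the Python model below ties the web publishing procedure described earlier (incoming web listener, destination set, web publishing rule) to the policy model of this slide: the rules sit in one ordered rule base, the first matching rule wins, an application filtering property (the allowed HTTP methods) is part of the rule, and anything unmatched falls through to a deny. All names, the host, the backend address and the evaluation API are constructed.

```python
from dataclasses import dataclass
from fnmatch import fnmatch

@dataclass(frozen=True)
class WebListener:               # the Incoming Web Listener (reverse-proxy side)
    name: str
    port: int

@dataclass(frozen=True)
class DestinationSet:            # external host names and path patterns a rule applies to
    hosts: frozenset
    paths: tuple = ("/*",)
    def matches(self, host: str, path: str) -> bool:
        return host in self.hosts and any(fnmatch(path, p) for p in self.paths)

@dataclass(frozen=True)
class WebPublishingRule:
    name: str
    listener: WebListener
    destinations: DestinationSet
    action: str = "allow"        # "allow" forwards to the back end, "deny" blocks
    backend: str = ""            # internal server the request is forwarded to
    allowed_methods: frozenset = frozenset({"GET", "HEAD"})  # HTTP filter property on the rule
    def evaluate(self, req: dict):
        """Verdict if this rule applies to the request, else None so the next rule is tried."""
        if req["port"] != self.listener.port or not self.destinations.matches(req["host"], req["path"]):
            return None
        if self.action == "deny" or req["method"] not in self.allowed_methods:
            return ("deny", self.name)
        return ("publish", self.backend + req["path"])

def evaluate_policy(rules, req: dict):
    """Single ordered rule base: the first matching rule wins, anything unmatched is denied."""
    for rule in rules:
        verdict = rule.evaluate(req)
        if verdict is not None:
            return verdict
    return ("deny", "default rule")

# Constructed sample configuration: names, host and backend address are made up.
LISTENER = WebListener("External HTTPS listener", 443)
SITE = DestinationSet(frozenset({"www.example.com"}))
ADMIN = DestinationSet(frozenset({"www.example.com"}), ("/admin/*",))
RULES = [
    WebPublishingRule("Block admin paths from the Internet", LISTENER, ADMIN, action="deny"),
    WebPublishingRule("Publish corporate site", LISTENER, SITE, backend="http://10.0.0.5"),
]

def request(host: str, path: str, method: str = "GET", port: int = 443) -> dict:
    return {"host": host, "path": path, "method": method, "port": port}
```

Swapping the two rules in RULES would expose /admin/* because the publish rule matches first; rule order is part of the policy, which is what makes a single ordered rule base easier to audit.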
Visual Policy Editor
ISA Server 2004 Monitoring
Goals
Server Status – It’s a critical service
Troubleshooting – Quick and easy
Investigations – Attacks, mistakes
Future Planning – Performance
Benefits
Real-Time status
Centralized view
Easy to understand
Easy to control
ISA 2004 Monitoring Tools
Dashboard – Aggregated centralized view
Alerts – One place for all problems
Sessions – Active sessions view
Services – ISA services status
Connectivity – Connectivity to network services
Logging – Powerful viewer of ISA logs
Reports – Top users, Top sites, Cache hits…
Dashboard
Objective
Centralized status view
Features
• Real time
• Aggregated
• Easy to spot problems
Alerts
Objective
One place for all problems
Features
• Alerts history
• Managing alerts
• Severity & category
Sessions
Objective
Active sessions view
Features
• Powerful query mechanism
• VPN sessions
• Disconnect session
Services
Objective
ISA and dependent services status
Features
• Start & stop service
Connectivity
Objective
Monitor connectivity to critical network services
Features
• Request types
• Response time & threshold
• Grouping
Logging
Objective
View of ISA traffic activities
Features
• Real-time mode
• Historical view
• Powerful query mechanism
Reports
Objective
Comprehensive set of server activity reports
Features
• Recurring reports
• Report categories
• Email notification
• Report publishing
ISA Server 2004 New Features
Continued commitment to integration
High Performance
Proven ability to maximize application layer filtering speeds
Enhanced architecture
• High speed data transport
• Utilizes latest Windows and PC hardware
• SSL bridging unloads downstream servers
Web cache
• Updated policy rules
• Serve content locally
• Pre-fetch content during low activity periods
Internet access control
• User- and group-based Web usage policy
• Extensible by third parties
Performance
Optimized performance architecture
Optimized for real life usage scenarios
Raw throughput measured using HTTP+NAT benchmark
Kernel-mode data pump; User-mode optimizations
Scale up with additional CPUs
Raw throughput performance [Mbps]:
ISA 2000 (Dec 2000): 282
ISA 2004 (Today) *: 1.59Gbps
* Beta results
Network Computing magazine application-level firewalls review (3/03), full inspection performance [Mbps]:
Symantec FW 7.0: 67
Sidewinder: 122
Checkpoint NG FP3: 127
ISA 2000 FP1: 170
How?
• Design improvements
• IP Stack improvements
• Hardware improvements
Questions?
© 2003 Microsoft Corporation. All rights reserved.
This presentation is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY.