Firewalls: The Guardians at the Gateway
The CERT Coordination Center Web site documents the fact that the number of reported security breaches is increasing at a rate of 50 to 100 percent every year. More sophisticated attack tools are being created by hackers to automate the attack process, and thus, reduce the level of technical expertise needed to launch network attacks. 'Script kiddies' don't have to have programming knowledge to attack your servers and networks, but wide access to these tools makes 'script kiddies' a growing and significant threat. We can only expect this to get worse in the future. Because of the growing threat, every network or individual computer that is connected to the Internet should have protection from hack attacks, viruses and unwanted e-mail (spam).
At the same time the attacker base is increasing, businesses and individuals are relying more and more on fast, secure communications. They need the ability to conduct research on the Web, to send messages to co-workers, customers and partners over the Internet, and to access their company networks from home or when they're on the road via dial-in remote access or virtual private networking (VPN). All this must be done securely, without sacrificing performance.
A firewall provides the protection that today's businesses must have by filtering incoming and outgoing packets and blocking the ones that are not authorized so they cannot enter the network. Many firewall vendors extend the functionality of their firewall products by including other features, such as VPN gateways and Web-caching proxies. These combination products, often referred to as comprehensive security solutions, and often incorporated in a turn-key hardware appliance, protect from attacks while at the same time providing secure remote VPN access and speeding up Web access.
A firewall creates a point through which all data must pass in order to move from one network or computer to another. The firewall software can examine, log, and block particular packets based on criteria set by administrators, such as packet size, source address, and even file type or data content.
Firewalls: History and Philosophy
The term 'firewall' was around long before the advent of computer networks. It was used to describe a fireproof barrier that prevents a fire in one part of a building or a vehicle from crossing over to another part. To network professionals, a firewall is a software program (which may be installed on a regular computer or on a dedicated hardware appliance) that is able to block undesirable network packets (for example, those that contain attacks, viruses or unwanted commercial email). The firewall serves as a barrier that prevents these packets from crossing over from the Internet or another network to the local network. In the case of 'personal' firewalls (also called 'host-based' firewalls), the protection is provided to the local computer, especially when it is directly connected to the Internet via a modem or broadband connection.
In the beginning of computer networking, networks were closed systems, with only the computers within a building or small geographic area connected to each other. However, soon networks grew and became more complex, and computers in widely separated geographic locations were able to communicate with one another over wide area networking links. The first attempt at a wide-spread network was the ARPANET, which was made up of a small, elite community of government and university computer users. Eventually, it expanded and became the Internet. In the 1990s, Internet access became easier and more affordable. Commercial Internet Service Providers (ISPs) sprang up everywhere, enabling computer owners to access the Internet from home at a reasonable cost. Soon commercial and individual users all over the world who were not known to one another were able to communicate and transact business. E-commerce became a viable way to purchase products and services, and online banking and other financial services heightened the need for protective mechanisms.
One of the first Internet viruses, the Morris Worm, hit a number of major educational institutions in 1988. This made companies and individual Internet users more aware of the dangers posed by information entering the network from outside. Necessity soon mothered the invention of the firewall.
The first firewalls were routers. A router connects two networks and is the logical place to set up a 'checkpoint' where packets could be evaluated and blocked or allowed through. These first router-based firewalls were designed more for the purpose of keeping data in than for keeping it out. Routers separated networks into segments called subnets (for example, different departments in a company or university). There are several advantages in doing this, one of which is so that problems in one segment won't affect computers in the other segments. IP routers with filtering capabilities designed to keep intruders or unauthorized users out soon followed. These were very rudimentary firewalls by today's standards. They could only block or allow packets based on IP address or TCP/UDP port numbers. They had no way to examine the content of the data because they worked at the network layer of the OSI networking model.
A 'bastion host' is a gateway designed specifically for the purpose of defending an internal network from external attacks. One of the first commercial firewalls of this type, which used filters and application gateways (application proxies), was made by DEC in the early 1990s. In 1993, an open source firewall from Trusted Information Systems (TIS) called the Firewall Toolkit (FWTK) was released, and TIS also produced a commercial firewall based on the same code, which it called Gauntlet. CheckPoint came out with the Firewall-1 (FW-1) software in 1994. It was the first popular firewall to use a friendly graphical interface, and was later used as the basis for firewall appliances made by Nokia.
Over the years, network attackers have grown more sophisticated and network protocols have grown more numerous and complex. This has caused firewalls to evolve from simple packet-filtering routers into dedicated multilevel security devices.
Firewalls: Understanding the Architecture
Firewalls can be classified in several different ways: by vendor/brand, by features, or by architectural model. In the following subsections, we look at a couple of important architectural elements:
Hardware vs. software models
Host-based vs. network models
Hardware vs. Software Model
The first architectural consideration we discuss is the physical architecture: firewalls can be either software- or hardware-based. Although this is standard terminology, it's not completely accurate. All firewalls consist of both software and hardware. The real distinction lies in how the product is marketed. 'Software firewalls' are sold as software applications that can be installed on a standard operating system and hardware platform. 'Hardware firewalls' are sold only as a 'package deal,' with the firewall software preinstalled on specific hardware, often running on a proprietary operating system designed for no purpose other than to run the firewall application.
Understanding the Hardware Firewall Model
You buy a hardware-based firewall as one unit: hardware (often called an 'appliance') with the firewall software preinstalled. Most hardware firewalls run on proprietary operating systems designed specifically to run the firewall software, although some appliances run the firewall on Linux or BSD. Proprietary operating systems don't include many of the networking services that would be found on a general purpose OS. This is considered a security advantage in that the operating system is already automatically 'hardened' and not vulnerable to some of the exploits that can be used against a general purpose OS.
An appliance is a self-contained box designed for a specific purpose. Some appliances actually serve more than one purpose, and these are often referred to as 'security appliances' instead of 'firewall appliances' by their vendors. Many appliances include VPN gateway functionality along with the firewall, and some also include other functionalities such as Web caching. Some vendors sell different hardware components (called security blades) that plug into the firewall chassis. For instance, NetScreen's IDP blade plugs into their firewall box.
Some firewall appliances are basically PCs, with the same types of hard disks, memory, and other components as a standard PC. Others are called 'solid state' because they have virtually no moving parts. They use flash memory and no hard disks. Since high-speed solid-state circuits are used instead of mechanical disks, which are constrained by the need to physically rotate, solid-state storage is faster.
An Application Specific Integrated Circuit (ASIC) is a chip that is created to control the functions of a particular application. ASIC-based firewalls use a chip designed for the firewall application.
Hardware-based firewalls have both advantages and disadvantages. Solid state technology and the use of optimized operating systems with no unnecessary services allows for faster performance. Solid state technology also makes for greater reliability because there is no mechanical point of failure as with hard disk-based firewalls.
However, hardware-based firewalls are less adaptable and more difficult to upgrade. Because ASIC chips are mass-produced, and because of the cost of hardware redesigns, it takes longer for these products to be changed to adapt to new threats. It's difficult for appliance vendors to keep up with the increases in computer processing power. A standard PC to run firewall software almost always costs less than an appliance with the same processing power and memory. In addition, software-based firewalls can more easily be integrated with other network devices that use the same technologies as the firewall. The proprietary operating systems used by ASIC-based firewalls make it harder to port add-on programs.
Another advantage of ASIC technology, encryption algorithms for VPN and SSL burned into the chip, is being countered by the fact that Intel has started building encryption algorithms into their regular chips that can be utilized by software-based firewalls.
Finally, the dynamic nature and complexity of the algorithms used for deep application-layer filtering make them less suitable for ASIC technology. Some performance comparisons have shown that software-based products had both performance and reliability advantages over ASIC-based firewalls.
Understanding the Software Firewall Model
A so-called 'software firewall' is a firewall product that is marketed as a software program that can be installed on one or more different operating systems and one or more different hardware platforms. ISA Server 2004 is a software firewall that can be installed on a PC running either Windows 2000 Server or Windows Server 2003.
Some firewall products are marketed both as software programs and preinstalled on appliances. CheckPoint NG is a software firewall that can be installed on PCs running Windows NT or 2000 or Linux, on Sun's Solaris or IBM's AIX variety of UNIX. It is also the basis of Nokia firewall appliances.
Note: ISA Server 2004 is expected to be available preinstalled on a turnkey appliance product, in addition to being sold as a software firewall. At the time of this writing, several hardware vendors had already built ISA-based appliances or were discussing licensing ISA 2004 from Microsoft to do so. The authors have had the opportunity to beta test some of these appliances, and in fact, are running two of them on our production network.
The key point is that you buy these firewalls as a software package and install them on a supported operating system, which can serve other functions besides running the firewall software.
Like its hardware counterpart, the software firewall model has both advantages and disadvantages. Because the software firewall usually runs on a standard general purpose network operating system such as Windows, UNIX/Linux or Solaris, you may already have a system on which you can install it, saving the cost of hardware.
Configuration and management is usually easy, since the software runs on an OS familiar to the administrator. Another major advantage is the ability to upgrade the hardware easily. You can add a new processor or more memory relatively inexpensively. You can also replace the box completely and install the software on a new system (licensing agreement permitting).
Yet another advantage is that, in many cases, you can download an evaluation version of the software firewall to try out before you buy (just try getting a hardware vendor to loan you an appliance to try out for a while, unless you're a high priority customer).
Software firewalls also have disadvantages. They are generally slower than hardware-based firewalls, and because they run on standard operating systems, the underlying OS may be more vulnerable to exploits than a proprietary OS, if it has not been properly hardened.
Host-based vs. Network-based Model
Another way to categorize firewalls depends on whether the firewall product is designed to run on a single host computer that it protects, or is designed to sit in front of a group of computers and protect the entire network or subnet. This distinction determines whether the firewall is built on a host-based or network-based model.
Understanding the Host-based Firewall Model
The more common marketing term for the low-cost host-based firewall is 'personal firewall.' A personal firewall is installed on a workstation or portable computer to protect it from common network attacks. Personal firewalls generally sell for under $100, and there are many freeware personal firewalls, as well. Windows XP and Windows Server 2003 include a built-in personal firewall, the Internet Connection Firewall (ICF).
A simple host-based firewall blocks incoming packets based on source or destination IP address and port number, using preconfigured rules that take into account the normal behavior of installed applications and operating system components. More sophisticated versions can also filter packets based on content (see the section titled Multilayered Filtering later in this chapter).
Any computer that connects directly to the Internet without a network-based firewall should have a host-based firewall installed. This would include almost all computers that connect to the Internet over an analog modem connection, as well as those that have direct broadband connections (unless the broadband 'modem' or 'router' has built-in firewall software that is enabled).
Many company policies require that any computer connecting to their networks via dial-in remote access or virtual private networking (VPN) have a personal firewall installed and enabled. This is to prevent Internet-based attacks from being spread from the remote clients to the corporate network. The corporate network-based firewall is usually the entity that enforces these policies.
Understanding the Network-based Firewall Model
Network-based firewalls, as the name implies, protect entire networks or subnets rather than individual computers. A network-based firewall is usually a dedicated computer or appliance that runs no software other than the firewall software, and perhaps related programs or 'modules' such as caching, intrusion detection/prevention, and network anti-virus software. There are two approaches to adding these extra features:
'On box.' The extra features are either integrated into the firewall application or are installed on the same machine via add-on programs.
'Off box.' The extra features are implemented on separate computers that work in conjunction with the firewall computer or appliance.
Virtual private networking and some level of intrusion detection are integrated into most network firewall applications. Caching, anti-virus, and other 'extras' can be integrated in the firewall software (as with ISA Server), can be installed as add-ons on the same machine (as with CheckPoint), or can be implemented as separate computers or appliances (as with Cisco PIX).
Network-based firewalls are much more expensive than personal firewalls, due to their increased complexity and functionality. Network-based firewalls are constructed to handle much more traffic than a personal firewall and support more protocols and simultaneous connections. Most are designed to use sophisticated management tools that allow for remote administration, centralized administration of multiple firewalls, and detailed, configurable monitoring, reporting and logging functions. Network-based firewalls range from relatively simple 'edge' firewalls designed to operate as the network's only firewall to enterprise-level firewalls that can be chained together in a hierarchical structure to provide multiple layers of protection from the packet level to the application level, or that can provide load-balancing across a cluster of firewalls at the same level of the network.
Firewalls: Features and Functionality
The firewall's primary function is simple: protecting the network. Modern firewalls use multiple sophisticated methods to accomplish that mission.
First line of defense against network attacks. In addition to blocking packets that originate from particular source IP addresses or particular domains or specific e-mail addresses, an effective firewall can recognize the 'signatures' or specific characteristics of packets that comprise common types of network attacks, such as Denial of Service (DOS) attacks or IP spoofing (forgery of the source address in an IP packet). This is a function of the firewall's intrusion detection system/intrusion prevention system (IDS/IPS).
First line of defense against viruses and spam. An effective firewall must also be able to recognize viruses, worms, Trojan horses, and other malicious code designed to do damage to computer programs or data on your network, send data back to an unauthorized party without your knowledge or consent, and/or use the systems on your network as intermediaries (zombies) to launch attacks against other remote computers.
'After the fact' forensic tool. The firewall's primary role is to prevent attackers, malicious code, and unauthorized users from entering the network, but it also fills an important secondary role as a forensic tool after an attack or attempted attack. Modern firewalls record events in logs that can be used to generate reports used in incident response and as evidence in prosecuting security breach cases. A good logging/reporting system is essential to provide a usable audit trail and to identify and close existing security holes.
Some important features included in modern firewalls include:
Multilayered filtering
VPN gateways
Intrusion detection and prevention
Anti-virus
Web caching
Advanced management tools
In the following sections, we'll discuss each in more detail.
Multilayered Filtering
There are three basic firewall types, based on the level at which the firewall performs filtering actions. Early firewalls filtered only at one level, usually the packet level. Most modern firewalls use multilayered filtering to provide for better security. A multilayered firewall is sometimes called a hybrid firewall. A multilayered firewall performs two or more of the following levels of filtering:
Packet filtering
Circuit filtering
Application-layer filtering
These three layers of filtering and their relationships to the Open Systems Interconnection (OSI) networking model are illustrated in Figure 1.1 and discussed in more detail in the following subsections.

Figure 1.1: Three Layers of Filtering with OSI Networking
Note: The OSI model was developed by the International Organization for Standardization (ISO) to provide a multilayered model that vendors of networking software and hardware products could use to ensure better compatibility between their products. For more information, see www.cisco.com/univercd/cc/td/doc/cisintwk/ito_doc/introint.
Packet Filtering
The first firewalls were packet-filtering firewalls that work at the Network layer of the OSI networking model. They examine the packet headers that contain IP addresses and packet options and block or allow traffic through the firewall based on that information. A packet filtering firewall can use one of three technologies:
Static-packet filtering: rules are set manually and particular ports stay open or closed until changed manually
Dynamic-packet filtering: more intelligent filtering in which rules can be changed dynamically based on events or conditions, and thus ports are opened only when needed and then closed
Stateful-packet filtering: uses a table to maintain connection states of sessions so that packets must pass through in sequence as authorized by the filter policies
Note: Stateful inspection is a technology by which a deeper analysis of the information contained in the packets (up to the application layer) is performed, and subsequent filtering decisions are based on what the firewall 'learned' from packets that it examined previously.
Circuit Filtering
A circuit-filtering firewall (also called a circuit-level gateway) works at the transport and session layers of the OSI model. It can examine the TCP handshake information that is sent between computers to verify that a session request is legitimate.
Circuit filters operate at a higher layer of the OSI model, the Transport layer (Host-to-Host layer in the DOD model). Circuit filters restrict access on the basis of host machines (not users) by processing the information found in the TCP and UDP packet headers. This allows administrators to create filters that would, for example, prohibit anyone using Computer A from using FTP to access Computer B.
When circuit filters are used, access control is based on TCP data streams or UDP datagrams. Circuit filters can act based on TCP and UDP status flags and sequencing information, in addition to source and destination addresses and port numbers. Circuit-level filtering allows administrators to inspect sessions, rather than packets. A session is sometimes thought of as a connection, but actually a session can be made up of more than one connection. Sessions are established only in response to a user request, which adds to security.
Circuit filters don't restrict access based on user information; they also cannot interpret the meanings of the packets. That is, they cannot distinguish between a GET command and a PUT command sent by an application program. To do this, application filtering must be used.
Application-Layer Filtering
Application-layer filtering (ALF) is performed by application gateways, also called application proxies. ALF firewalls operate at the application layer of the OSI model and can actually examine the content of the data (for example, a URL contained in an HTTP communication or a command contained in an FTP communication).
There are times when the best tactic is to filter packets based on the information contained in the data itself. Packet filters and circuit filters don't use the contents of the data stream in making filtering decisions, but this can be done with application filtering. An application filter operates at the top layer of the networking model, the (appropriately named) Application layer. Application filters can use the packet header information, but are also able to allow or reject packets on the basis of the data contents and the user information.
Administrators can use application filtering to control access based on the identity of the user, and/or based on the particular task the user is attempting to perform. With application filters, criteria can be set based on commands issued by the application. This means, for example, the administrator could restrict a particular user from downloading files to a specified computer, using FTP. At the same time, he/she could allow that user to upload files via FTP to that same computer. This is possible because different commands are issued depending on whether the user is retrieving files from the server or depositing them there.
Application gateways are considered by many firewall experts to be the most secure of the filtering technologies. This is because the criteria they use for filtering cover a broader span than the other methods. Sometimes hackers write malicious programs that use the port number of an authorized application, such as port 53, which is the DNS port. A packet or circuit filter would not be able to recognize that the packet is not a valid DNS request or response, and would allow it to pass through. An application filter, however, is able to examine the contents of the packet and determine that it should not be allowed.
There are drawbacks to this filtering type. The biggest problem is that there must be a separate application gateway for every Internet service that the firewall needs to support. This makes for more configuration work; however, this weakness is also a strength that adds to the security of the firewall. Since a gateway for each service must be explicitly enabled, an administrator won't accidentally allow services that pose a threat to the network. Application filtering is the most sophisticated level of filtering performed by the firewall service and is especially useful in protecting the network against specific types of attacks such as malicious SMTP commands or attempts to penetrate the local DNS servers.
Another drawback to application filtering is performance, or the lack thereof. Application filtering is a slow process because the data inside the packets must be examined. Consequently, you probably would not want to place an ALF firewall on the network edge when you have a very fast incoming connection (such as an OC-3 line). Instead, simple (and fast) packet-filtering firewalls should be placed there, and application filtering can be done further downstream, closer to the application itself.
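To make the three filtering layers concrete, here is an added example (not code from the book or from any firewall product) of a toy hybrid firewall: a static packet filter on addresses and ports, a circuit filter that tracks the inbound side of the TCP handshake in a state table, and an application filter that checks FTP commands against a per-user policy and verifies that a UDP/53 payload is really a DNS query. All addresses, rules, user names and packets are constructed for the demonstration, and the handshake tracking is simplified to one direction.

```python
"""Toy hybrid firewall: static packet filter, stateful circuit filter and
application-layer filter applied in sequence to constructed packets."""
import struct
from collections import namedtuple

# flags: TCP flags "S" (SYN), "A" (ACK), "PA" (PSH+ACK); user: identity known
# only to the application proxy (set once the proxy has authenticated the user)
Packet = namedtuple("Packet", "src dst proto sport dport flags payload user",
                    defaults=("", b"", ""))

# Layer 1 (Network): static packet filter on addresses and ports only.
# Rule format: (source or "any", destination, protocol, destination port).
ALLOW_RULES = [
    ("any", "10.0.0.5", "tcp", 21),    # FTP to an internal server (constructed)
    ("any", "10.0.0.53", "udp", 53),   # DNS to an internal resolver (constructed)
]

def packet_filter(p):
    return any((src == "any" or src == p.src)
               and (dst, proto, port) == (p.dst, p.proto, p.dport)
               for src, dst, proto, port in ALLOW_RULES)

# Layer 2 (Transport/Session): circuit filter with a connection state table.
# Simplified to the inbound side of the TCP handshake: SYN opens a session,
# ACK completes it, and data is accepted only once the session is established.
class StateTable:
    def __init__(self):
        self.sessions = {}

    def check(self, p):
        if p.proto != "tcp":
            return True                  # no handshake to track for UDP here
        key = (p.src, p.sport, p.dst, p.dport)
        state = self.sessions.get(key)
        if p.flags == "S" and state is None:
            self.sessions[key] = "SYN_SENT"
            return True
        if p.flags == "A" and state == "SYN_SENT":
            self.sessions[key] = "ESTABLISHED"
            return True
        return state == "ESTABLISHED" and p.flags in ("A", "PA")

# Layer 3 (Application): inspect the data itself and the user behind it.
# RETR is the FTP command behind a download, STOR the one behind an upload.
FTP_POLICY = {"alice": {"STOR"}, "bob": {"RETR", "STOR"}}   # constructed policy

def looks_like_dns(payload):
    """Minimal check that a UDP/53 payload is a well-formed DNS query."""
    if len(payload) < 12:
        return False
    _id, flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", payload[:12])
    if (flags >> 11) & 0xF != 0 or qdcount < 1:  # opcode must be QUERY (0)
        return False
    pos = 12
    while pos < len(payload):                     # walk the question name
        length = payload[pos]
        pos += 1
        if length == 0:
            return len(payload) >= pos + 4        # QTYPE and QCLASS must follow
        if length > 63:                           # labels are at most 63 bytes
            return False
        pos += length
    return False                                  # name ran off the end

def app_filter(p):
    if p.proto == "udp" and p.dport == 53:
        return looks_like_dns(p.payload)
    if p.proto == "tcp" and p.dport == 21 and p.payload:
        cmd = (p.payload.decode("ascii", "replace").split() or [""])[0].upper()
        if cmd in ("RETR", "STOR"):
            return cmd in FTP_POLICY.get(p.user, set())
    return True

def inspect(state, p):
    """Apply the three filters in order and report which one decided."""
    if not packet_filter(p):
        return "drop:packet-filter"
    if not state.check(p):
        return "drop:circuit-filter"
    if not app_filter(p):
        return "drop:application-filter"
    return "allow"

def run_demo():
    """Constructed traffic; each packet shows which layer decides its fate."""
    state = StateTable()
    dns_query = (struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0)
                 + b"\x07example\x03com\x00" + struct.pack("!HH", 1, 1))
    ext, ftp, dns = "203.0.113.9", "10.0.0.5", "10.0.0.53"
    traffic = [
        Packet(ext, ftp, "tcp", 40000, 23, "S"),                             # telnet: no rule
        Packet(ext, ftp, "tcp", 40001, 21, "PA", b"RETR x", "bob"),          # data before handshake
        Packet(ext, ftp, "tcp", 40002, 21, "S"),
        Packet(ext, ftp, "tcp", 40002, 21, "A"),
        Packet(ext, ftp, "tcp", 40002, 21, "PA", b"RETR secret.txt", "alice"),  # download denied
        Packet(ext, ftp, "tcp", 40002, 21, "PA", b"STOR report.txt", "alice"),  # upload allowed
        Packet(ext, dns, "udp", 5353, 53, "", dns_query),                     # real DNS query
        Packet(ext, dns, "udp", 5353, 53, "", b"not really dns at all"),      # port 53, not DNS
    ]
    return [inspect(state, p) for p in traffic]
```

The last two packets are the port 53 case from the text: both pass the packet filter, and only the application filter can tell the genuine query from the non-DNS payload.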
VPN Gateway
Most modern firewalls include integrated VPN gateways. VPN gateways allow remote users to connect to a VPN server or the entire internal network via a virtual private networking 'tunnel' that goes through the public Internet, or alternatively, allows two local area networks in different locations to connect to one another securely over the Internet. These two types of VPNs are referred to as client-to-server VPNs and site-to-site VPNs.
Client-to-Server VPN
The client-to-server VPN is used when individual remote computers (such as those of employees working from home or executives who are on the road with their laptop computers) connect to the company LAN by first establishing a connection to the Internet and then using VPN client software and VPN tunneling protocols (such as PPTP or L2TP) to establish a connection to the company LAN, which is also connected to the Internet. Because the data sent through this 'tunnel' is encrypted (using protocols such as MPPE or IPSec), the connection is also private.
Site-to-Site VPN
A site-to-site VPN is used to connect entire networks to each other. As in the case of client-to-server VPNs, both sides of the 'virtual network' must be connected to the Internet. The same tunneling and encryption protocols are used. The difference is that with the site-to-site VPN, there is a gateway at both ends of the connection (instead of an individual client computer at one end). Some firewalls support only site-to-site VPNs.
ISA Server VPN Support
ISA Server 2004 supports the following VPN protocols:
Point-to-Point Tunneling Protocol (PPTP)
Layer 2 Tunneling Protocol/IPSec (L2TP/IPSec)
IPSec Tunnel Mode
PPTP and L2TP/IPSec VPN protocols can be used in both remote access and site-to-site VPN connections. IPSec Tunnel Mode can be used only in site-to-site VPN connections.
IPSec Tunnel Mode is used only for compatibility with third-party VPN servers. It should not be used when site-to-site connections are created between an ISA Server 2004 firewall and another Microsoft VPN product (Windows 2000/Windows Server 2003 RRAS or ISA Server 2000).
The ISA Server 2004 VPN feature supports both types of VPN connections: client-to-server (also called Remote Access VPN) and site-to-site.
The Remote Access VPN allows individual computers configured as VPN clients to connect to the ISA Server 2004 firewall and access resources on the corporate network.
Remote Access VPN clients can use either the PPTP or L2TP/IPSec VPN protocol. Advanced authentication mechanisms, such as SecurID, RADIUS, EAP/TLS certificates, biometric, and others are supported by the ISA Server 2004 VPN Remote Access Server.
Site-to-Site VPNs allow the ISA Server 2004 firewall to connect to another VPN server and join entire networks to each other over the Internet. Site-to-site VPNs allow organizations to remove expensive dedicated leased lines, which leads to significant cost reductions.
A major competitive advantage for ISA Server 2004 is that firewall access policies are applied to VPN remote access and site-to-site connections. In contrast to competitors' products that allow VPN clients full access to the corporate network, the ISA Server 2004 VPN connections are exposed to the firewall's access policies. This enables the ISA Server 2004 firewall administrator to set restrictive access controls on VPN connections on a per-user basis. When the user establishes a VPN connection with the ISA Server 2004 firewall, that user can only access the resources he needs to get the job done. No other network resources will be available.
All Windows operating systems include the Windows VPN client software. Advantages of using the Windows VPN client include:
No need to install third party software
No need to troubleshoot compatibility issues between the third-party VPN client software and the Windows operating system
Simplified configuration and deployment of the VPN client using the Connection Manager Administration Kit (CMAK)
Support for IETF RFC Internet standard IPSec NAT Traversal
ISA Server 2004 also includes VPN security features such as VPN quarantine, which we discuss in Chapter 2, The ISA Server 2004 Feature Set.
Intrusion Detection and Prevention
Many firewalls (including ISA Server) incorporate an intrusion detection system (IDS) that can recognize that an attack of a specific type is being attempted and can perform a predefined action when such an intrusion is identified.
Intrusion detection systems can recognize many different common forms of network intrusion, such as port scans, LAND attacks, Ping of Death, UDP bombs, out of band attacks, and others. Special detection filters may also be built in, such as a POP (Post Office Protocol) intrusion detection filter that analyzes POP mail traffic to guard against POP buffer overflows, or a DNS intrusion detection filter that can be configured to look for DNS hostname overflow or length overflow attacks.
ISA Server 2004 includes a collection of intrusion detection filters that are licensed from Internet Security Systems (ISS). These intrusion detection filters are focused on detecting and blocking network layer attacks. In addition, ISA Server 2004 includes intrusion detection filters that detect and block application layer attacks.
ISA Server 2004 can detect the following intrusions or attacks:
Windows out-of-band (WinNuke)
Land
Ping of Death
IP half scan
UDP bomb
Port scan
DNS host name overflow
DNS length overflow
DNS zone transfer
POP3 buffer overflow
SMTP buffer overflow
When the ISA Server 2004 firewall detects one of these attacks, the following actions can be carried out:
An alert is sent to the ISA Server 2004 Event Log
ISA Server 2004 services can be stopped or restarted
An administrative script or program can be run
An e-mail message can be sent to an administrator's mailbox or pager
One disadvantage is that the intrusion detection system included with ISA Server 2004 is not configurable, and you cannot create your own intrusion signatures. However, third-party applications, such as Internet Security Systems' RealSecure IDS, can be used to extend the intrusion detection features at an additional cost to the customer.
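To show what "recognize a specific attack and perform a predefined action" looks like in code, here is an added example (not ISA Server's or ISS's code) of a toy signature-based IDS over constructed packet records. It checks four of the attacks listed above (Land, Ping of Death, DNS host name overflow, port scan) using their textbook signatures and dispatches the actions the section names: write to an event log, send an e-mail, run a script. The record fields, the port-scan threshold, the mailbox name and all addresses are constructed; the script action only records that it would have run.

```python
"""Toy signature-based intrusion detection over constructed packet records,
covering four of the attacks listed above plus alert/action dispatch."""
from collections import defaultdict

MAX_IP_DATAGRAM = 65535            # largest legal reassembled IP datagram, bytes
DNS_MAX_LABEL, DNS_MAX_NAME = 63, 255

def is_land(pkt):
    # Land: source and destination address and port are identical
    return (pkt["src"] == pkt["dst"] and "sport" in pkt
            and pkt["sport"] == pkt["dport"])

def is_ping_of_death(pkt):
    # Ping of Death: ICMP fragments that would reassemble past the IP maximum;
    # fragment offsets are in 8-byte units
    if pkt["proto"] != "icmp":
        return False
    return pkt.get("frag_offset", 0) * 8 + pkt["length"] > MAX_IP_DATAGRAM

def is_dns_hostname_overflow(pkt):
    # DNS host name overflow: queried name or label longer than DNS allows
    name = pkt.get("qname", "")
    if pkt.get("dport") != 53 or not name:
        return False
    return (len(name) > DNS_MAX_NAME
            or any(len(label) > DNS_MAX_LABEL for label in name.split(".")))

class PortScanTracker:
    """Flags a source once it has probed `threshold` distinct destination ports."""
    def __init__(self, threshold=10):
        self.threshold = threshold
        self.ports = defaultdict(set)

    def observe(self, pkt):
        if pkt["proto"] not in ("tcp", "udp"):
            return False
        seen = self.ports[pkt["src"]]
        seen.add(pkt["dport"])
        return len(seen) == self.threshold     # alert exactly once per source

class IDS:
    def __init__(self, threshold=10):
        self.scan = PortScanTracker(threshold)
        self.event_log = []      # "an alert is sent to the event log"
        self.outbox = []         # "an e-mail message can be sent to an administrator"
        self.script_runs = []    # "an administrative script can be run" (recorded only)
        self.actions = {         # constructed policy: which actions per signature
            "Land": ["log", "email"],
            "Ping of Death": ["log"],
            "DNS host name overflow": ["log", "script"],
            "Port scan": ["log", "email", "script"],
        }

    def _dispatch(self, attack, pkt):
        for action in self.actions[attack]:
            if action == "log":
                self.event_log.append((attack, pkt["src"]))
            elif action == "email":
                self.outbox.append(f"admin@example.test: {attack} from {pkt['src']}")
            elif action == "script":
                self.script_runs.append((attack, pkt["src"]))

    def process(self, pkt):
        """Return the attack name matched by this packet, or None."""
        checks = [("Land", is_land), ("Ping of Death", is_ping_of_death),
                  ("DNS host name overflow", is_dns_hostname_overflow),
                  ("Port scan", self.scan.observe)]
        for name, check in checks:
            if check(pkt):
                self._dispatch(name, pkt)
                return name
        return None

def run_demo():
    """Constructed packet records; returns the IDS and its detections in order."""
    scanner, target = "198.51.100.7", "10.0.0.10"
    packets = [
        {"src": target, "dst": target, "proto": "tcp", "sport": 139, "dport": 139,
         "length": 40},                                               # Land
        {"src": "198.51.100.8", "dst": target, "proto": "icmp",
         "frag_offset": 8190, "length": 120},                         # 65640 bytes
        {"src": "198.51.100.9", "dst": target, "proto": "udp", "dport": 53,
         "length": 300, "qname": "a" * 70 + ".example.test"},         # 70-byte label
        {"src": "198.51.100.9", "dst": target, "proto": "udp", "dport": 53,
         "length": 60, "qname": "www.example.test"},                  # benign query
    ]
    packets += [{"src": scanner, "dst": target, "proto": "tcp", "sport": 50000 + port,
                 "dport": port, "length": 40} for port in range(20, 32)]  # 12 ports
    ids = IDS(threshold=10)
    return ids, [hit for hit in (ids.process(p) for p in packets) if hit]
```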
Web Caching
Web caching is another important feature that can be built into the firewall software. ISA Server is one of only a few popular firewalls that include Web caching functionality at no extra charge. Many firewall vendors require that you either purchase an add-on module (CheckPoint), purchase a separate hardware appliance (Cisco), or use a third-party caching solution in conjunction with their firewalls. Among the major firewall products, ISA Server and BlueCoat are the two that combine firewall and Web caching in a single product.
The amount of Web traffic has been growing consistently within most Internet-connected organizations. In many cases, users visit the same Web sites on a regular basis, or multiple users within the organization visit the same sites and view the same pages. At the same time, overall network and Internet traffic is steadily increasing, often to the point of near saturation of available Internet bandwidth.
Web caching provides a way to reduce network traffic for both outbound Web requests from your internal users to Web servers on the Internet and inbound Web requests from external users to the Web servers you host on your internal network.
In the following subsections, we discuss these caching methods:
Forward caching
Reverse caching
Distributed caching
Hierarchical caching
Forward Caching
Some ISPs charge T-1 and T-3 users on a usage basis. One way to reduce Internet bandwidth consumption is to store frequently-accessed Web objects on the local network, where they can be retrieved by internal users without going out to a server on the Internet. This is forward Web caching, and it has the added advantage of making access for internal users faster because they are retrieving the Web objects (pages, graphics, sound files, and others) over a fast LAN connection, typically 100Mbps or more, instead of a slower Internet connection at perhaps 1.5Mbps.
Reverse Caching
Another type of Web caching, called reverse caching, reduces traffic on the internal network and speeds access for external users when the company hosts its own Web sites. In this case, frequently requested objects on the internal Web servers are cached at the network edge, on a proxy server, so that the load on the Web servers is reduced.
Distributed Caching
Multiple Web-caching servers can be used together to provide for more efficient caching. As the name implies, distributed caching distributes the cached Web objects across two or more caching servers. These servers are all on the same level on the network. Figure 1.2 illustrates how distributed caching works.

Figure 1.2: Distributed Caching Uses Multiple Servers at the Same Level of the Network.
Hierarchical Caching
Hierarchical caching is another way of using multiple Web-caching servers. Caching servers are placed at different levels on the network. Upstream caching servers communicate with downstream proxies. For example, a caching server is placed at each branch office. These servers communicate with the caching array at the main office. This is illustrated in Figure 1.3.

Figure 1.3: Hierarchical Caching Uses Multiple Web Proxy Servers at Different Levels
Hierarchical caching uses bandwidth more efficiently than distributed caching, because requests that hit a branch-office cache never cross the WAN. However, distributed caching has lower disk space requirements, because each object is stored once across the array rather than once at every level. Hybrid-caching schemes, which combine distributed and hierarchical caching, offer the best of both worlds and improve both performance and efficiency. Figure 1.4 illustrates a hybrid-caching scheme.

Figure 1.4: Hybrid Caching Combines Distributed and Hierarchical Caching Methods
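The bandwidth-versus-disk trade-off between distributed and hierarchical caching is easy to see in a toy simulation. The following is an added example, not ISA Server code and not part of the original text: it models the branch-office scenario from the Hierarchical Caching subsection and compares it with a single main-office array. The object sizes, the request stream, and the hash-based choice of array member (a simplified stand-in for the kind of URL hashing a caching array uses) are assumptions made for this illustration.

```python
# Added example (not ISA Server code): a toy simulation of the branch-office
# scenario above, comparing distributed caching (one main-office array, no
# branch caches) with hierarchical caching (branch caches chained to the main
# office). Object sizes, the request stream and the hash-based member selection
# are assumptions made for this illustration.
import hashlib


class Cache:
    """One Web-caching server. Giving it an upstream parent makes it a downstream proxy."""

    def __init__(self, name, parent=None):
        self.name = name
        self.parent = parent
        self.store = {}            # url -> object size in bytes
        self.origin_bytes = 0      # bytes this server fetched from Internet origin servers

    def get(self, url, size):
        """Serve url from cache, else from the parent, else from the origin server."""
        if url in self.store:
            return self.store[url]
        if self.parent is not None:
            self.parent.get(url, size)
        else:
            self.origin_bytes += size
        self.store[url] = size
        return size

    def disk_bytes(self):
        return sum(self.store.values())


def pick_member(array, url):
    """Route url to one array member by hashing it (simplified hash routing; assumption)."""
    digest = hashlib.sha256(url.encode()).digest()
    return array[int.from_bytes(digest[:8], "big") % len(array)]


def summarize(caches, wan_bytes):
    return {
        "origin_bytes": sum(c.origin_bytes for c in caches),   # Internet bandwidth used
        "wan_bytes": wan_bytes,                                  # branch-to-main-office traffic
        "disk_bytes": sum(c.disk_bytes() for c in caches),     # total cache storage
    }


def run_distributed(requests):
    """Two peer caches at the main office; every branch request crosses the WAN to reach them."""
    array = [Cache("main-1"), Cache("main-2")]
    wan_bytes = 0
    for _branch, url, size in requests:
        pick_member(array, url).get(url, size)
        wan_bytes += size
    return summarize(array, wan_bytes)


def run_hierarchical(requests):
    """A cache at each branch, chained to a main-office cache; only branch misses cross the WAN."""
    main = Cache("main")
    branches = {"branch-A": Cache("branch-A", parent=main),
                "branch-B": Cache("branch-B", parent=main)}
    wan_bytes = 0
    for branch, url, size in requests:
        cache = branches[branch]
        if url not in cache.store:
            wan_bytes += size
        cache.get(url, size)
    return summarize([main, *branches.values()], wan_bytes)


# Constructed workload: both branches fetch the same three objects twice.
OBJECTS = {
    "http://www.example.com/": 20_000,
    "http://www.example.com/logo.png": 50_000,
    "http://www.example.com/news": 30_000,
}
REQUESTS = [(branch, url, size)
            for _round in range(2)
            for branch in ("branch-A", "branch-B")
            for url, size in OBJECTS.items()]

if __name__ == "__main__":
    print("distributed :", run_distributed(REQUESTS))
    print("hierarchical:", run_hierarchical(REQUESTS))
```

Both layouts pull each object from the Internet exactly once (100,000 bytes of origin traffic), but the hierarchical layout moves only 200,000 bytes across the WAN against 400,000 for the array alone, while storing three copies of every object (300,000 bytes) where the array stores one (100,000 bytes). That is the trade-off the preceding paragraph describes, and the reason a hybrid scheme places an array at the main office and a single downstream cache at each branch.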
Firewalls: Role and Placement on the Network
Firewalls can be simple or sophisticated. There are a number of different roles that firewalls can play on the network, depending on where they're placed within the network infrastructure and what they're expected to do there.
A small organization might have only a single firewall that protects the internal network from attacks coming from the external network. Large organizations usually deploy multiple firewalls in different locations and roles. This provides more complete coverage, as well as allowing you to take advantage of the strengths of different firewall types and achieve better performance. Firewalls can be placed in a number of different roles, including the following:
Front-end firewalls The front-end firewall is also called an 'edge' firewall because it sits at the edge of the internal network, between the LAN and the Internet. The front-end firewall has a network interface on the corporate network and another network interface that connects directly to the Internet. All data that comes into and goes out of the corporate network will be exposed to the firewall and must be examined by its filters before being blocked or allowed to pass in or out.
Back-end firewalls A back-end firewall also sits at the edge of the internal network, but not at the edge of the Internet. Instead, it is placed behind one or more front-end firewalls. A typical scenario has the front-end firewall(s) performing packet filtering, and after packets have been allowed through, they then must go through the back-end firewall that performs deeper application-layer filtering. This spreads the processing load and allows both the front and back-end firewalls to perform their respective duties at higher speed.
Perimeter networks Servers that need to be available to the Internet (such as Web servers) can be placed between a front-end and a back-end firewall so that the internal network is not directly exposed to them. The area in between the firewalls is called a perimeter network, screened network, or demilitarized zone (DMZ).
Application-filtering gateway within the perimeter network An application-layer filtering (ALF) capable firewall can be placed within the perimeter network between the front-end and back-end firewalls to reduce the attack surface and provide a very high level of security. Because it takes the burden of content filtering off the edge firewalls, their performance is enhanced. The edge firewalls can be simple, fast packet-filtering firewalls.
Departmental firewalls Firewalls can be deployed within the internal network to protect individual subnets. This protects particular departments or other divisions of the network, not only from the Internet, but from other departments or divisions. In this scenario, a firewall sits between a departmental subnet and the rest of the internal network.
Branch office firewalls Branch offices that are connected to the larger internal network, for example via a site-to-site VPN connection, should be protected by a firewall at their own Internet edge.
Telecommuter firewalls Remote users such as telecommuters or traveling executives who connect back to the corporate network via remote access VPN should have firewall protection for their remote machines. This can be accomplished via personal firewall software or simple low-cost firewall appliances designed for this purpose.
Multiple firewall configurations Firewalls from different vendors may have to work together in multiple firewall configurations. For effective protection, firewalls must be designed to interoperate with one another and with network operating systems and application servers deployed on the network.
Firewall placement and roles will be discussed in more detail in Chapter 4, Preparing the Network Infrastructure to Support ISA Server 2004 Firewalls.
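To show what the front-end/back-end/perimeter-network layout buys in practice, here is an added example that is not ISA Server code and not part of the original text: a first-match rule model in which a packet crosses only the firewalls that lie between its source and destination zones, so traffic from the Internet to a published Web server in the perimeter network is judged by the front-end alone, while traffic bound for the internal network must be allowed by both firewalls. The zone address ranges, the two rule sets, and the sample flows are assumptions made for this illustration.

```python
# Added example (not ISA Server code): a first-match rule model of the layered
# layout above. A packet from the Internet to the internal network must be
# allowed by both the front-end and the back-end firewall, while a packet to a
# perimeter-network host crosses only the front-end. Zones, addresses and rule
# sets are assumptions made for this illustration.
import ipaddress

ZONES = {
    "dmz": ipaddress.ip_network("192.0.2.0/24"),       # perimeter network (assumed range)
    "internal": ipaddress.ip_network("10.0.0.0/8"),    # corporate LAN (assumed range)
}

# The perimeter network sits between the two firewalls.
LAYOUT = ["internet", "front-end", "dmz", "back-end", "internal"]

# Rules: (src_zone, dst_zone, proto, dport or None for any, action); first match wins, default deny.
RULES = {
    "front-end": [
        ("internet", "dmz", "tcp", 80, "allow"),         # published Web server
        ("internet", "dmz", "tcp", 443, "allow"),
        ("dmz", "internet", "tcp", None, "allow"),
        ("internal", "internet", "tcp", None, "allow"),  # outbound browsing, already vetted by back-end
    ],
    "back-end": [
        ("dmz", "internal", "tcp", 1433, "allow"),       # Web tier may reach the database, nothing else
        ("internal", "dmz", "tcp", None, "allow"),
        ("internal", "internet", "tcp", None, "allow"),
    ],
}


def zone_of(ip):
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "internet"           # anything outside the known ranges is the Internet


def firewalls_crossed(src_zone, dst_zone):
    """Firewalls between two zones, in the order the packet meets them."""
    i, j = LAYOUT.index(src_zone), LAYOUT.index(dst_zone)
    step = 1 if j > i else -1
    return [hop for hop in LAYOUT[i:j:step] if hop in RULES]


def lookup(rules, src_zone, dst_zone, proto, dport):
    for r_src, r_dst, r_proto, r_port, action in rules:
        if (r_src, r_dst, r_proto) == (src_zone, dst_zone, proto) and r_port in (None, dport):
            return action
    return "deny"               # default deny when no rule matches


def evaluate(src, dst, proto, dport):
    """Return ("allow", None) or ("deny", <name of the firewall that dropped the packet>)."""
    src_zone, dst_zone = zone_of(src), zone_of(dst)
    for fw in firewalls_crossed(src_zone, dst_zone):
        if lookup(RULES[fw], src_zone, dst_zone, proto, dport) != "allow":
            return ("deny", fw)
    return ("allow", None)


# Constructed sample flows.
SAMPLE = [
    ("203.0.113.9", "192.0.2.10", "tcp", 80),      # Internet -> published Web server
    ("203.0.113.9", "10.0.0.20", "tcp", 445),      # Internet -> internal file server
    ("192.0.2.10", "10.0.0.50", "tcp", 1433),      # Web server -> internal database
    ("192.0.2.10", "10.0.0.50", "tcp", 22),        # compromised Web server trying SSH inward
    ("10.0.0.20", "203.0.113.9", "tcp", 443),      # internal client browsing out
]

if __name__ == "__main__":
    for flow in SAMPLE:
        print(flow, "->", evaluate(*flow))
```

The second and fourth flows are the ones that matter: the Internet host never reaches the internal file server because the front-end has no rule for Internet-to-internal traffic at all, and a Web server in the perimeter network that has been compromised can still talk to the database port it needs but is stopped at the back-end when it tries anything else. Outbound browsing passes the back-end first and then the front-end, which is the order in which the two rule sets are consulted for that direction.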