ISA: From Proxy Server to Full-Featured Firewall - Dr. Tom Shinder's Configuring ISA Server 2004 [Electronic resources]

Thomas W. Shinder; Debra Littlejohn Shinder

ISA: From Proxy Server to Full-Featured Firewall

ISA Server did not spring, full-formed, from Microsoft's development teams. Instead, it is a product that evolved slowly, becoming more of a full-fledged firewall, and then a comprehensive security solution with each incarnation. ISA Server had its roots in MS Proxy Server. In less than a decade, it has grown into something quite different.

ISA: A Glint in MS Proxy Server's Eye

Proxy servers have been around for quite a while. Despite its new name, ISA Server is a proxy server, but it is also much more. The original meaning of proxy was 'one who is authorized to act for another.' Perhaps the most famous-or infamous-use of the word came about in relation to the practice of marriage by proxy, in which a substitute 'stood in' for one of the parties, allowing a wedding ceremony to be performed even though the groom (or less commonly, the bride) was not physically present. Proxy weddings at one time were a popular way for a couple to get 'hitched' while the groom was serving in the military.

Proxy servers are so named because they, like the hapless stand-in who says, 'I do,' when it's really someone else who does, act as go-betweens to allow something to take place (in this case, network communications) between systems that must remain separate.

Proxy servers 'stand in' between the computers on a LAN and those on the public network outside. Another good analogy is the gatekeeper who is stationed at the entrance to an estate to check all incoming visitors to ensure that they are on the list of invited guests. The proxy can actually hide the computers on the LAN from outsiders. Only the IP address of the proxy server is 'visible' to others on the Internet; internal computers use private IP addresses (nonroutable over the Internet) that cannot be seen from the other side of the proxy.

In fact, a proxy can go further and function more like a prison guard, who not only makes certain that only authorized persons get in, but also sees that only those who have permission go out. Just as the guard checks his list before letting anyone in or out, the proxy filters outgoing and incoming data according to predefined criteria. At this point, the proxy is behaving as a firewall.

In the Beginning: MS Proxy Server

Microsoft released its first version of a proxy server in November 1996. It included some unique features such as Winsock proxy capability, which allowed for the use of applications that traditional proxy servers didn't support.

Unfortunately, though, version 1.0 suffered from some significant limitations that prevented it from becoming popular as a caching and security solution for large enterprise networks. One big drawback was the lack of redundancy. While its rivals, such as Netscape's proxy server, used distributed caching across multiple servers to provide fault tolerance, the first version of the Microsoft proxy did not include such a feature. The Microsoft proxy seemed better suited to smaller networks and perhaps to those in which its caching and security features were less mission critical.

The redundancy issue was addressed in Proxy Server, version 2. In fact, Microsoft surpassed Netscape's implementation by introducing the concept of proxy server arrays. An array is a group of two or more proxy servers that run as mirrors of one another and function as one entity under a common name. With version 2, multiple proxies could be chained together for better load balancing, and Microsoft even developed a new protocol, called Cache Array Routing Protocol (CARP), for sharing data between proxy servers.

Note

CARP is a proprietary (Microsoft-only) protocol. It is used for management of multiple user Web requests across an array of proxy servers. The Internet Cache Protocol (ICP) is a similar protocol used by vendors of other proxy solutions (for example, Novell's Border Manager). Although the functionality of CARP and ICP is similar, they use different hashing algorithms. CARP offers some advantages over ICP, especially in terms of performance, because CARP does not exchange query messages between servers, as ICP does. In addition, CARP eliminates the problem of unnecessary redundancy of content on the servers in an array.
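
The routing idea behind the note, as an added example that is not code from the book or from Microsoft's Proxy Server/ISA Server: every array member scores a URL against each member name with a hash, so all members pick the same owner without query messages, and removing a member only moves that member's URLs. The hash (truncated SHA-256) and the weighting (rendezvous hashing) are our own substitutions, not the CARP specification's functions.

```python
"""CARP-style request routing across a proxy array (simplified).

Added illustration; not code from the book or from Microsoft's Proxy
Server/ISA Server. Each array member hashes the request URL against every
member name and picks the highest score, so all members reach the same
decision without exchanging query messages (ICP's approach), and each URL
is cached on exactly one member. Weighted rendezvous hashing over a
SHA-256-based hash is used here instead of CARP's own functions.
"""
from __future__ import annotations

import hashlib
import math


def _hash32(text: str) -> int:
    """Assumption: truncated SHA-256 stands in for CARP's rotate-and-add hash."""
    digest = hashlib.sha256(text.encode("utf-8")).digest()
    return int.from_bytes(digest[:4], "big")


class ProxyArray:
    """An array of proxies, each with a relative load factor (> 0)."""

    def __init__(self, members: dict[str, float]) -> None:
        if not members or any(w <= 0 for w in members.values()):
            raise ValueError("every array member needs a positive load factor")
        self.members = dict(members)
        # Computed once from the membership table every proxy already holds.
        self._member_hash = {name: _hash32(name) for name in members}

    def score(self, url: str, member: str) -> float:
        """Score of one member for one URL; it depends on nothing else.

        The URL and member hashes are combined and mapped into (0, 1), then
        weighted so that a member's share of URLs is proportional to its
        load factor (the 'highest random weight' construction)."""
        combined = (_hash32(url) ^ self._member_hash[member]) * 2654435761
        u = ((combined & 0xFFFFFFFF) + 1) / 4294967297.0  # strictly in (0, 1)
        return -self.members[member] / math.log(u)

    def route(self, url: str) -> str:
        """The member that should fetch and cache this URL."""
        return max(self.members, key=lambda m: self.score(url, m))

    def routes(self, urls: list[str]) -> dict[str, str]:
        return {url: self.route(url) for url in urls}


def reassigned_on_removal(urls: list[str], before: ProxyArray,
                          after: ProxyArray) -> set[str]:
    """URLs whose owner changes when 'after' is 'before' minus one member.

    Because a score never depends on the other members, only the URLs owned
    by the removed member move; nothing is re-queried and no content is
    duplicated on the surviving members."""
    old, new = before.routes(urls), after.routes(urls)
    return {u for u in urls if old[u] != new[u]}


if __name__ == "__main__":
    # Constructed sample URLs, not taken from any real log.
    sample = [f"http://intranet.example/docs/page{i}.html" for i in range(1000)]
    array = ProxyArray({"proxy1": 1.0, "proxy2": 1.0, "proxy3": 2.0})
    owners = array.routes(sample)
    for name in array.members:
        print(name, sum(1 for o in owners.values() if o == name))
    shrunk = ProxyArray({"proxy1": 1.0, "proxy2": 1.0})
    print("URLs changing owner after removing proxy3:",
          len(reassigned_on_removal(sample, array, shrunk)))
```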

Automatic synchronization was added to propagate configuration changes to all the servers in an array. Caching capabilities were expanded to include support for both File Transfer Protocol (FTP) and HyperText Transfer Protocol (HTTP) caching. All these services were easily configured.

Also new to version 2 was the reverse proxy feature, which allowed for publishing Web content from protected Web servers. Multiple Web sites could be published on a single proxy server, using multihoming support. In addition, version 2 included reverse hosting (in which the proxy server listens for and responds to incoming Web requests on behalf of multiple servers sitting behind it) and the ability to publish other services through server binding.

From the beginning, Microsoft's Proxy Server got high marks for ease of setup and configuration, compared with competing products. The second version also included the snap-in administration module for the Internet Information Server (IIS) 4.0 Microsoft Management Console (MMC), which gave administrators a convenient and powerful way to manage individual or multiple proxy servers.

Microsoft's First Real Firewall: ISA Server 2000

The third implementation of Microsoft's Proxy Server got a whole new name because it included a number of enhancements that go beyond the definition of a proxy server. Released with the beginning of the new millennium, Internet Security and Acceleration (ISA) Server 2000 was, at least, a full-fledged firewall solution in addition to its caching and acceleration abilities.

Note

What is or is not a firewall is a matter of contention within the network security community. All agree that firewalls are programs (or groups of programs) located at the gateway to a network and that they protect the resources of that internal network from the outside. The National Institute of Standards and Technology (NIST), in SP-800-10, defines a firewall as an approach to security that helps implement a larger security policy by creating a perimeter defense through which all incoming and outgoing traffic must pass, thus controlling access to or from a protected network or site.

Some industry players use a broad definition of firewall that includes proxy servers. Under this premise, Microsoft marketed Proxy Server 2.0 as a firewall, but some security experts argued that it was not and that in order to meet the standard of 'firewall,' there must be more than just a router, bastion host, or other device(s) providing security to the network. These purists demand that to be considered a firewall, implementation must be policy-based.

In addition to its multilayer firewall functionality (packet filtering, circuit filtering, and application filtering), ISA Server 2000 offered such new or improved features as:

Integrated virtual private networking (VPN): ISA Server can be used to set up either a remote access VPN between a client and gateway or a multiple member VPN tunnel from server to server.

Integration with Active Directory: ISA access policies and server configuration information are integrated with the Windows 2000 Active Directory for easier and more secure administration.

Intrusion detection: This exciting new feature can be set up to send you an alert if or when a particular type of attack is attempted against your network (for example, if an outsider attempts to scan your ports).

Support for Secure Network Address Translation (SecureNAT): The extensible NAT architecture that is implemented by ISA provides a secure connection for clients that don't have the firewall client software installed, including Macintosh and UNIX clients and other non-Microsoft operating systems that are running Transmission Control Protocol/Internet Protocol (TCP/IP).

Bandwidth allocation: The amount of bandwidth allocated to a specific user, communication, client, or destination can be controlled by quality-of-service rules that an administrator creates to optimize network traffic usage.

Secure server publishing: Internal servers can be made accessible to specific clients while the servers are protected from unauthorized access.

Enterprise management: ISA, like Windows 2000, was designed for greater scalability and more focus on the enterprise market than previous Microsoft products. ISA allows you to set enterprise-level policies as well as array-level policies, and management of ISA arrays is easily centralized.

Monitoring and report generation: ISA server allows you to monitor its performance and create detailed security and access logs and graphical reports. Report generation can be scheduled, and remote administration lets administrators keep tabs on the use and performance of the ISA server from an off-site location.

E-mail content screening: ISA Server provides for screening of e-mail content by keyword to allow administrators to implement and enforce strict security policies.

H.323 Gatekeeper functionality: This feature allows for use of videoconferencing software, such as Microsoft NetMeeting, through the proxy, and NetMeeting directory functionality (replacing some of the functionality of ILS).

Enhanced software: This software can be used for streaming media, including live stream splitting, and caching of Windows Media content (when using Windows Media Server).

New and Improved: ISA Server 2004

ISA Server 2000 has slowly but surely increased its market share against competitors since its introduction. According to IDC, Microsoft's growth in sales and market share was one of the fastest in the firewall industry in 2002/2003. However, many ISA users compiled 'wish lists' of features and improvements they wanted to see in the next version. Microsoft responded with an intensive effort by the ISA team to provide a friendlier and more intuitive graphical interface, building in better support for key features such as VPN, more flexible and comprehensive policies, support for multiple networks, and easier customization.

ISA Server 2004 added many new features and improved others, along with completely revamping the interface, to greatly increase the functionality, especially at the enterprise level. The new features are summarized in Table 1.2 and covered in detail in Chapter 2.

Table 1.2: What's New in ISA Server 2004

New Feature / What it does

Multiple Network support
Allows you to configure more than one network, each with distinct relationships to other networks. You can define access policies relative to the networks. Unlike ISA Server 2000, where all network traffic was inspected relative to a local address table (LAT) that only included addresses on the local network, with ISA Server 2004 you can apply the firewall and security features to traffic between any networks or network objects.

Per-network policies
The new multinetworking features of ISA Server 2004 enable you to protect your network against internal and external security threats, by limiting communication between clients even within your own organization. Multinetworking functionality supports sophisticated perimeter network (also known as a DMZ, demilitarized zone, or screened subnet) scenarios, allowing you to configure how clients in different networks access the perimeter network. Access policy between networks can then be based on the unique security zone represented by each network.

Routed and NAT network relationships
You can use ISA Server 2004 to define routing relationships between networks, depending on the type of access and communication required between the networks. In some cases, you may want more secure, less transparent communication between the networks; for these scenarios you can define a network address translation (NAT) relationship. In other scenarios, you want to simply route traffic through ISA Server; in this case, you can define a routed relationship. In contrast to ISA Server 2000, packets moving between routed networks are fully exposed to ISA Server 2004 stateful filtering and inspection mechanisms.

Stateful filtering and inspection for VPN
Virtual private network (VPN) clients are configured as a separate network zone. Therefore, you can create distinct policies for VPN clients. The firewall rule engine discriminately checks requests from VPN clients, statefully filtering and inspecting these requests and dynamically opening connections, based on the access policy.

Stateful filtering and inspection for traffic moving through site-to-site VPN tunnel
Networks joined by an ISA Server 2000 site-to-site link were considered trusted networks, and firewall policy was not applied to communication moving through the link. ISA Server 2004 introduces stateful filtering and inspection for all communications moving through a site-to-site VPN connection. This allows you to control resources specific hosts or networks can access on the opposite side of the link. User/group-based access policies can be used to gain granular control over resource utilization via the link.

Secure NAT client support for VPN clients connected to ISA Server 2004 VPN server
With ISA Server 2000, only VPN clients configured as firewall clients could access the Internet via their connected ISA Server 2000 VPN server. ISA Server 2004 expands VPN client support by allowing SecureNAT clients to access the Internet without the firewall client installed on the client system. You can also enhance corporate network security by forcing user/group-based firewall policy on VPN SecureNAT clients.

VPN Quarantine
ISA Server 2004 leverages the Windows Server 2003 VPN Quarantine feature. VPN Quarantine allows you to quarantine VPN clients on a separate network until they meet a predefined set of security requirements. VPN clients passing security tests are allowed network access based on VPN client firewall policies. VPN clients who fail security testing may be provided limited access to servers that will help them meet network security requirements.

Ability to publish PPTP VPN servers
You could only publish L2TP/IPSec NAT-T VPN servers using ISA Server 2000. ISA Server 2004 Server Publishing Rules allow you to publish IP protocols and allow you to publish PPTP servers. The ISA Server 2004 smart PPTP application filter performs the complex connection management. In addition, you can easily publish the Windows Server 2003 NAT-T L2TP/IPSec VPN server using ISA Server 2004 Server Publishing.

IPSec tunnel mode support for site to site VPN links
ISA Server 2000 could use the PPTP and L2TP/IPSec VPN protocols to join networks over the Internet using a VPN site to site link. ISA Server 2004 improves site-to-site link support by allowing you to use IPSec tunnel mode as the VPN protocol.

Extended protocol support
ISA Server 2004 extends ISA Server 2000 functionality, by allowing you to control access and usage of any protocol, including IP-level protocols. This enables users to use applications such as ping and tracert and to create VPN connections using PPTP. In addition, IPSec traffic can be enabled through ISA Server.

Support for complex application protocols requiring multiple primary connections
Many streaming media and voice/video applications require that the firewall manage complex protocols. ISA Server 2000 was able to manage complex protocols, but required that the firewall administrator create complex scripts to create protocol definitions requiring multiple primary outbound connections. ISA Server 2004 greatly improves this situation by allowing you to create protocol definitions within an easy-to-use New Protocol Wizard.

Customizable protocol definitions
ISA Server 2004 allows you to control the source and destination port number for any protocol for which you create a Firewall Rule. This allows the ISA Server 2004 firewall administrator a very high level of control over what packets are allowed inbound and outbound through the firewall.

Firewall user groups
ISA Server 2000 utilized users and groups created in the Active Directory or on the local firewall computer for user/group-based access control. ISA Server 2004 also uses these sources, but allows you to create custom firewall groups that consist of preexisting groups in the local accounts database or Active Directory domain. This increases your flexibility to control access based on user or group membership because the firewall administrator can create custom security groups from these existing groups. This removes the requirement that the firewall administrator be a domain administrator in order to create custom security groups for inbound or outbound access control.

Forwarding of firewall client credentials to Web Proxy service
The HTTP Redirector had to forward requests to the Web Proxy service in order for firewall clients to benefit from the Web cache in ISA Server 2000. User credentials were removed during this process and the request failed if user credentials were required. ISA Server 2004 removes the problem by allowing firewall clients to access the Web cache via the HTTP filter.

RADIUS support for Web Proxy client authentication
In order for ISA Server 2000 to authenticate Web proxy clients, the machine must have been a member of the Active Directory domain, or the user account must exist on the firewall computer's local user database. ISA Server 2004 allows you to authenticate users in the Active Directory and other authentication databases by using RADIUS to query the Active Directory. Web publishing rules can also use RADIUS to authenticate remote

Delegation of basic authentication
Published Web sites are protected from unauthenticated access by requiring the ISA Server 2004 firewall to authenticate the user before the connection is forwarded to the published Web site. This prevents exploits from unauthenticated users ever reaching the published Web server.

Preservation of source IP address in Web publishing rules
ISA Server 2000 Web Publishing Rules replaced the source IP address of the remote client with the IP address of the internal interface of the firewall before forwarding the request to the published Web server. ISA Server 2004 corrects this problem by allowing you to choose on a per-rule basis whether the firewall should replace the original IP address with its own, or forward the original IP address of the remote client to the Web server.

SecurID authentication for Web proxy clients
ISA Server 2004 can authenticate remote connections using SecurID two-factor authentication. This provides a very high level of authentication security because a user must 'know' something and 'have' something to gain access to the published Web server.

Form-based authentication
ISA Server 2004 can generate the forms used by Outlook Web Access sites for forms-based authentication. This enhances security for remote access to OWA sites by preventing unauthenticated users from contacting the OWA server.

Remote access to terminal services using SSL VPN
Windows Server 2003 Service Pack 1 machines support RDP over SSL to allow secure SSL VPN connection to Windows Server 2003 Terminal Services. ISA Server 2004 allows you to securely publish your terminal server using secure SSL VPN technology.

Secure Web Publishing Wizard
The new Secure Web Server Publishing Wizard allows you to create secure SSL VPN tunnels to Web sites on your internal network. The SSL Bridging option allows ISA Server 2004 to decrypt encrypted traffic and expose the traffic to the HTTP policy's stateful inspection mechanism. The SSL Tunneling option relays unmodified encrypted traffic to the published Web server.

Forced encryption for secure Exchange RPC connections
RPC policy can be set on the ISA Server 2004 firewall to prevent non-encrypted communications from remote Outlook MAPI clients connecting over the Internet. This enhances network and Exchange security by preventing user credentials and data from being exchanged in a non-encrypted format.

HTTP filtering on a per-rule basis
ISA Server 2004 HTTP policy allows the firewall to perform deep HTTP stateful inspection (application-layer filtering). The extent of the inspection is configured on a per-rule basis. This allows you to configure custom constraints for HTTP inbound and outbound access.

Ability to block access to all executable content
You can configure ISA Server 2004 HTTP policy to block all connection attempts to Windows executable content, regardless of the file extension used on the resource.

Ability to control HTTP file downloads by file extension
ISA Server 2004 HTTP policy allows you to allow all file extensions, allow all except a specified group of extensions, or block all extensions except for a specified group.

Application of HTTP filtering to all ISA Server 2004 client connections
ISA Server 2000 could block content for Web Proxy client-based HTTP and FTP connections via MIME type (for HTTP) or file extension (for FTP). ISA Server 2004 HTTP policy allows you to control HTTP access for all ISA Server 2004 client connections.

Ability to block HTTP content based on keywords or strings (signatures)
ISA Server 2004 deep HTTP inspection allows you to create 'HTTP Signatures' that can be compared against the Request URL, Request headers, Request body, Response headers, and Response body. This allows you precise control over what content internal and external users can access through the ISA Server 2004 firewall.

Ability to control which HTTP methods are allowed
You can control which HTTP methods (also known as 'HTTP verbs') are allowed through the firewall by setting access controls on user access to various methods. For example, you can limit the HTTP POST method to prevent users from sending data to Web sites using the HTTP POST method.

Ability to block unencrypted Exchange RPC connections from full Outlook MAPI clients
ISA Server 2004 Secure Exchange Server Publishing Rules allow remote users to connect to Exchange using the fully-functional Outlook MAPI client over the Internet. However, the Outlook client must be configured to use secure RPC, so that the connection is encrypted. ISA Server 2004 RPC policy allows you to block all non-encrypted Outlook MAPI client connections.

FTP policy
ISA Server 2004 FTP policy can be configured to allow users to upload and download via FTP, or you can limit user FTP access to download only.

Link Translator
Some published Web sites may include references to internal names of computers. Because only the ISA Server 2004 firewall and external namespace, and not the internal network namespace, is available to external clients, these references will appear as broken links. ISA Server 2004 includes a link translation feature that allows you to create a dictionary of definitions for internal computer names that map to publicly-known names.

Real-time monitoring of log entries
ISA Server 2004 allows you to see Firewall, Web Proxy and SMTP Message Screener logs in real time. The monitoring console displays the log entries as they are recorded in the firewall's log file.

Built-in log query facility
You can query the log files using the built-in log query facility. Logs can be queried for information contained in any field recorded in the logs. You can limit the scope of the query to a specific time frame. The results appear in the ISA Server 2004 console and can be copied to the clipboard and pasted into another application for more detailed analysis.

Connection verifiers
You can verify connectivity by regularly monitoring connections to a specific computer or URL from the ISA Server 2004 computer using Connection Verifiers. You can configure which method to use to determine connectivity: ping, TCP connect to a port, or HTTP GET. You can select which connection to monitor, by specifying an IP address, computer name, or URL.

Report publishing
ISA Server 2004 report jobs can be configured to automatically save a copy of a report to a local folder or network file share. The folder or file share the reports are saved in can be mapped to a Web site virtual directory so that other users can view the report. You can also manually publish reports that have not been configured to automatically publish after report creation.

E-mail notification of report creation
You can configure a report job to send you an e-mail message after a report job is completed.

Ability to customize time for log summary creation
ISA Server 2000 was hard-coded to create log summaries at 12:30 A.M. Reports are based on information contained in log summaries. ISA Server 2004 allows you to easily customize the time when log summaries are created. This gives you increased flexibility in determining the time of day reports are created.

Ability to log to an MSDE database
Logs can now be stored in MSDE format. Logging to a local database enhances query speed and flexibility.

Ability to import and export configuration data
ISA Server 2004 introduces the ability to export and import configuration information. You can use this feature to save configuration parameters to an XML file, and then import the information from the file to another server.

Delegated Permissions Wizard for firewall administrator roles
The Administration Delegation Wizard helps you assign administrative roles to users and to groups of users. These predefined roles delegate the level of administrative control users are allowed over specified ISA Server 2004 services.
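
The HTTP policy rows of Table 1.2 (allowed methods, file-extension modes, HTTP signatures over request and response parts, and blocking executable content regardless of extension) as an added toy evaluator; it is not ISA Server's HTTP filter or code from the book. The rule, the sample messages, and the treatment of extension-less URLs are our own constructed assumptions.

```python
"""Toy evaluator for the per-rule HTTP policy checks listed in Table 1.2.

Added illustration; not ISA Server's HTTP filter or code from the book.
On constructed messages it models the decisions the table attributes to
ISA Server 2004 HTTP policy: allowed methods, file-extension modes, HTTP
signatures matched against request URL/headers/body and response
headers/body, and blocking Windows executable content by its content
rather than by the file extension used on the resource.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from posixpath import splitext
from urllib.parse import urlsplit


@dataclass
class Signature:
    name: str
    search_in: str  # request_url | request_headers | request_body | response_headers | response_body
    pattern: bytes  # matched as a case-insensitive substring


@dataclass
class HttpPolicy:
    allowed_methods: set[str] | None = None  # None: every method allowed
    extension_mode: str = "allow_all"        # allow_all | block_listed | allow_only_listed
    extensions: set[str] = field(default_factory=set)  # lower-case, without the dot
    block_executables: bool = False
    signatures: list[Signature] = field(default_factory=list)


@dataclass
class Request:
    method: str
    url: str
    headers: dict[str, str] = field(default_factory=dict)
    body: bytes = b""


@dataclass
class Response:
    headers: dict[str, str] = field(default_factory=dict)
    body: bytes = b""


def _headers_blob(headers: dict[str, str]) -> bytes:
    return "\r\n".join(f"{k}: {v}" for k, v in headers.items()).encode()


def _extension(url: str) -> str:
    return splitext(urlsplit(url).path)[1].lower().lstrip(".")


def _signature_hit(policy: HttpPolicy, scope: str, blob: bytes) -> str | None:
    for sig in policy.signatures:
        if sig.search_in == scope and sig.pattern.lower() in blob.lower():
            return f"signature '{sig.name}' matched in {scope}"
    return None


def check_request(policy: HttpPolicy, req: Request) -> str | None:
    """None when the request passes the rule, otherwise the block reason."""
    method = req.method.upper()
    if policy.allowed_methods is not None and method not in policy.allowed_methods:
        return f"method {method} not allowed"
    ext = _extension(req.url)
    # Assumption: a URL without an extension is not a file download, so the
    # extension lists do not apply to it (directory and script URLs pass).
    if ext and policy.extension_mode == "block_listed" and ext in policy.extensions:
        return f"extension .{ext} is blocked"
    if ext and policy.extension_mode == "allow_only_listed" and ext not in policy.extensions:
        return f"extension .{ext} is not on the allow list"
    for scope, blob in (("request_url", req.url.encode()),
                        ("request_headers", _headers_blob(req.headers)),
                        ("request_body", req.body)):
        hit = _signature_hit(policy, scope, blob)
        if hit:
            return hit
    return None


def check_response(policy: HttpPolicy, resp: Response) -> str | None:
    """Checks that can only run once the upstream response is in hand."""
    # Executable detection keys on the DOS/PE 'MZ' magic at offset 0, so an
    # executable served under a .txt name is still recognised.
    if policy.block_executables and resp.body[:2] == b"MZ":
        return "Windows executable content blocked (MZ header)"
    for scope, blob in (("response_headers", _headers_blob(resp.headers)),
                        ("response_body", resp.body)):
        hit = _signature_hit(policy, scope, blob)
        if hit:
            return hit
    return None


# Constructed outbound rule: browsing only, no executables, no P2P agents.
OUTBOUND_RULE = HttpPolicy(
    allowed_methods={"GET", "HEAD"},
    extension_mode="block_listed",
    extensions={"exe", "scr", "pif"},
    block_executables=True,
    signatures=[Signature("p2p-user-agent", "request_headers", b"User-Agent: Kazaa")],
)

if __name__ == "__main__":
    # Constructed sample traffic, not a capture.
    for req in (Request("GET", "http://www.example.test/index.html", {"Host": "www.example.test"}),
                Request("POST", "http://www.example.test/upload", {}, b"field=value"),
                Request("GET", "http://www.example.test/tools/setup.EXE"),
                Request("GET", "http://www.example.test/", {"User-Agent": "KazaaClient/2.0"})):
        print(req.method, req.url, "->", check_request(OUTBOUND_RULE, req) or "allowed")
    renamed = Response({"Content-Type": "text/plain"}, b"MZ\x90\x00\x03" + b"\x00" * 60)
    print("update.txt body ->", check_response(OUTBOUND_RULE, renamed) or "allowed")
```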

In addition to these new features, there are many enhancements and improvements to features that were already included in ISA Server 2000. In Chapter 2, we delve into those, as well.

Note

Some of the features mentioned in the table could be added to ISA Server 2000 by means of Feature Pack 1, but were not included 'out of the box' as they are with ISA Server 2004.

ISA: A Personal Philosophy

As we've worked with the product from alpha stage on, we've been reading a lot of things about the upcoming release of ISA Server 2004. While much of what we read is good, factual information, some just feeds the fallacies we discussed earlier in this chapter. Just check out some of these not-so-quotable quotes:

'It is a good clean up update, but I won't say it is major. It doesn't all of a sudden make them a competitor to CheckPoint.' (www.infoworld.com/article/04/05/03/HNisaserver_1l)

'They insist ISA Server is a firewall, but it is a server. It is Gartner's strong belief that firewalls are gateway packet and stream processing devices and not servers. The market supports that; most new installations are appliances.' (www.infoworld.com/article/04/05/03/HNisaserver_1l)

'I've worked with large enterprises where we've used Cisco [Systems] on the front end with ISA behind it,' said Chris Darrow, a consultant at TCP-IP Inc., a Sacramento, Calif.-based consulting firm. 'It's a good addition to a Checkpoint or Cisco firewall, but I still would not use it alone.' (http://searchwin2000.techtarget.com/originalContent/0,289142,sid1_gci967964,00l)

'Franco, under the subject 'Strange Setup' wondered why a Microsoft ISA server is dual-homed to bypass a firewall. Follow-up posters explained that the ISA Server requires such a setup and that it is a good HTTP proxy/cache/authenticator for a Windows network. (Read: Better than the firewall is.) All other traffic should still go through the firewall.' (http://sandbox.rulemaker.net/ngps/infosec/fwiz/fwiz-2004-02-28)

Common themes that run through these types of comments and discussions include:

Belief in the myth of the 'hardware' firewall. We dispelled that myth in the ISAServer.org newsletter last March. (www.isaserver.org/pages/newsletters/march2004.asp)

The assumption that Cisco and Checkpoint (and other traditional firewall) solutions are inherently more secure, without any understanding of the ISA Server 2004 firewall and without stating what precisely it is that controls their belief that these other firewall products provide better protection.

The presumption that software running on a Microsoft Windows operating system can't be trusted (presumably the proponents of this belief don't use Microsoft Exchange or Microsoft SQL servers, since they also run on Microsoft operating systems).

The assumption that you should put your weakest link directly in front of the most valued corporate assets (sort of like putting a security guard with a machine gun in the front of the Bank, and a poodle at the open entrance to the safe).

It's clear that a number of commentators and industry analysts don't understand the nature of firewall security in the 21st century and still cling to the marketing material they received in 1997 from the leaders in the firewall space. The problem with this is that the glorified 'stateful packet filter' of yesteryear just can't stack up to a serious application-layer-aware firewall like ISA Server 2004.

In the following subsections, we discuss our personal firewall philosophy, based on the 'defense in depth' approach to network security, and where we believe ISA Server 2004 should fit into your network security plan.

Defense in Depth

As mentioned previously, 'defense-in-depth' has been adopted in the IT community to describe the multilayered approach to security. In its broadest scope, defense-in-depth focuses not only on technology, but also on operations and people. An example is the design of a castle: the moats, high walls, multiple walls, narrow windows, and lack of straight corridors leading from the perimeter to the center, provide a kind of defense in depth that focuses on technology. However, if the castle administrators did not plan for long sieges (operations) and did not guarantee the loyalty of their soldiers (people), the castle would be vulnerable.

Just about every firewall administrator has heard the old joke: the IT guy's boss asks, 'is our network secure?' and the response is: 'of course, we have a firewall!' Unfortunately, this is the attitude of many real-life network and firewall administrators. They consider the firewall at the edge of the network as the primary mode of defense against all network security issues. From a defense-in-depth point of view, the firewall administrator is not qualified or competent to answer this question. The firewall administrator has no control over the hiring and training practices of the company, which can create just as much risk (or more) than an improperly configured firewall.

Even from a purely technological point of view, the sad fact is that while the Internet edge firewall is a key component of your network security scheme, it is only one part, and that single part does not provide defense in depth - an absolute necessity in today's high risk environment. Technological defense in depth refers to the security philosophy that there are multiple partitions or security zones that must be protected, with the interface between each zone representing a specific edge that requires a customized approach to security and access control.

The number of security zones that require protection varies with the organization and how the organization has its network laid out. Smaller organizations might have just a single network segment sitting behind an Internet edge firewall. Larger organizations often have very complex networks with multiple security zones and security zones within security zones. Regardless of the complexity of your network, the principle of least privilege should be your guiding principle in determining firewall placement and configuration.

Rings of Fire(walls)





To help demonstrate how security zones dictate access control and firewall configuration and placement, we'll go over a typical enterprise-level network and how it segregates its security zones. We will call these zones 'rings.' You can think of each ring as being comparable to a layer in an onion, with the center of the onion representing your core network assets that need to be protected at all costs. These rings are:











Ring 1: The Internet Edge

Ring 2: The Backbone Edge

Ring 3: The Asset Network Edge

Ring 4: Local Host Security












Ring 1: The Internet Edge





Figure 1.5 shows the outermost ring, which is the Internet edge.














Figure 1.5: Ring 1 represents the Internet edge





The Internet edge is the first point of attack for external hosts. Because of this, most network and firewall administrators believe they should put their most intelligent and powerful firewalls at this location. If you don't think about this too much, it makes sense. But if you consider how this approach flies in the face of how you secure anything else in this world, you'll realize that the Internet edge firewall should not be your most secure or sophisticated firewall; it should be your fastest firewall.





Think about how a bank secures the money assets it has inside. First, there are the Federal agencies that hover unseen around all of our lives. This 'outermost' level of bank security doesn't stop too many bank robberies in progress, but it helps deter law-abiding citizens from deciding to rob a bank when they have nothing else to do that day. The next layer of defense, moving inward toward the core bank assets, is the local police department. They drive around all day, and maybe they'll be in front of the bank when the bank robber is about to begin the hold-up. This is a little closer to home than the federal agents, but the local police can't be in front of the bank all of the time, and when they do respond, it's after the fact, when the perpetrator is long gone.





The next ring closer to the core bank assets might be represented by the front door or parking lot cameras. The bank security people monitoring those cameras might be able to stop a robbery from taking place if they are vigilant and identify the criminal right before he begins the robbery attempt. The problem with this approach is that they can't really do anything until the robber does something that suggests a robbery attempt is in progress. However, this method is more sophisticated and more likely to stop a robbery attempt in progress than the Federal security ring or the local police security ring.





The next ring is between the outside of the bank and the area around the tellers. There is typically an armed guard of some sort located in this area. The armed guard provides a better level of protection because he can stop a robbery as it begins, if he identifies it and captures or shoots the robber before the robber shoots him. The armed guard in the lobby provides a much higher level of security than the cameras watching outside the building, the local police cruising the streets and the Feds miles away at a regional office.





The next ring of security lies at the interface between the bank vault where the money is kept and the lobby and teller area. If the robber flies past the Feds, arrives when there's no police car in sight, looks like a typical customer and isn't flagged by the security cameras, and shoots the armed guard before the armed guard shoots him, the final hurdle is the bank vault door. Unless the guy is a munitions expert or a safe cracker, the bank vault door will stop him every time.





The bank vault door provides the highest level of security, and it's the most 'hardened' and 'impenetrable' of the bank defenses. That's why it's put right in front of the bank's core assets - to protect these assets in the event that an intruder gets past all the other rings of security designed to protect the bank's assets.





However, no ring, no matter how well protected, is impenetrable. Let's assume the robber isn't a munitions expert or a safe cracker. Instead, he'll be likely to use what we in computer security call social engineering. In this case, the social engineering method might consist of threatening the lives of the customers and tellers if the bank vault door is not opened by the bank manager. Since you can always find more money, but human life tickets only have one punch in them, the bank manager opens the vault door. Of course, if the robber has inside help from a disloyal employee, we have another type of security issue. This 'human factor' can render most of the technological defenses useless.





At this point, you might think that the game is over and the robber won. He's penetrated the last defense ring and the money is his (let's overlook the fact that in order to really win the robbery game, you also have to successfully leave the bank with the cash). However, there is the last layer of defense, and that is the defense the money itself can provide. The bags of money might have exploding ink bags in them that will activate if they are moved or removed at the wrong time or the incorrect way, or maybe the money is marked and is easily identified if it is spent in public. This equates to your firewall's auditing and logging mechanisms that can provide a trail by which you might be able to identify and prove the case against the hacker who hacks into your network.





The point of this story is that the bank, and most other entities that secure their core assets, put their most hardened, most sophisticated, and most impenetrable barriers right in front of those assets. The enemy is always at his best at the outermost ring, and by the time he's made it to the innermost ring, he's either completely exhausted his resources or ready to give up. In either case, meeting stronger defensive mechanisms as he continues to get weaker only helps accelerate his ultimate defeat.





Now, with these facts in mind, how do you explain the attitude of network and firewall administrators who claim, 'while I think an ISA firewall is great, I wouldn't feel comfortable if I didn't have a PIX in front of it'? The real irony is that these network and firewall administrators are doing the right thing - but for the wrong reason. They've been beaten over the head for years by 'firewall experts' and 'hardware firewall' marketeers with the idea that only an ASIC ('hardware') firewall can be secure; so-called 'software firewalls' are inherently insecure because of reasons X, Y, and Z. Reason 'X' always has to do with something about the underlying operating system, and after repeating with great enthusiasm, 'Windows is not secure,' for several minutes, they never seem to get around to reasons 'Y' and 'Z'.





The truth is that the hardware firewall does belong at the Internet edge of the network, but not for the reasons the 'firewall experts' proclaim. The actual reason is that while traditional firewalls cannot provide a high level of security for modern Internet-connected networks, they can pass packets very quickly and do stateful packet filtering. This speed is very important for organizations that have multigigabit connections to the Internet. High-security, application-layer aware firewalls cannot handle this volume of traffic while still providing the deep application-layer stateful inspection required of a modern network firewall.










Note





Placing a different type of firewall at the Internet edge can also be thought of as an example of 'security through diversity,' as it does confer a security advantage. At the same time, it also introduces complexity that can have disadvantages. For example, administrators will have to be trained on the different products.










Because of all this, the hardware firewalls should in fact be placed on the Internet edge. They can handle the high volume of traffic, perform basic packet filtering, and allow inbound traffic only to services that you intend to provide to remote users (outbound access control isn't very effective for high speed packet filtering firewalls at the Internet edge). For example, if you intend to provide only HTTP, HTTPS and IMAP4 access to resources on the corporate network, the high speed stateful packet filtering firewall will only allow new inbound connection requests for TCP ports 80, 143 and 443. The high speed packet filtering firewall can quickly determine the destination port and the validity of the layer 4 and below information, and accept or reject the traffic. While this approach provides a small measure of security, it is far from what is required to protect modern networks.






Ring 2: The Backbone Edge





Ring 2 is the Backbone Edge that marks a line between the internal interfaces of the Internet Edge firewalls and the external interfaces of the backbone segment firewalls.





Figure 1.6 shows the placement of the four Backbone Edge firewalls surrounding the edges of the corporate backbone network.














Figure 1.6: The Backbone Edge





The corporate backbone network provides a common network to which all other corporate network segments connect. The total traffic moving inbound and outbound through the backbone firewalls is lower on a per-firewall basis than the Internet Edge firewalls because there are more of them. For example, you might have two high speed packet filtering firewalls on the Internet Edge, with each handling 5 gigabits/second for a total of 10 gigabits/second between them. There are four Backbone Edge firewalls, and assuming that the load is shared equally among these, each of the Backbone Edge firewalls handles 2.5 gigabits/second.





The Backbone Edge firewalls can start to perform the real work of a network firewall: stateful application layer inspection of both inbound and outbound traffic. Because modern exploits are aimed at the application layer (that's where the 'money' is), the backbone application layer firewalls do the job of checking the validity of the communications moving through them. For example, if you allow inbound HTTP, the stateful inspection application layer aware firewalls on the Backbone Edge can start to apply real network security by checking the details of the HTTP communication and blocking suspicious connections through the firewall.





This is a good location for the ISA Server 2004 firewall. Because the ISA Server 2004 firewall is the model of a stateful inspection application layer aware firewall, it can perform the heavy lifting required to protect the corporate-backbone network and the network inside of it, as well as making sure that inappropriate traffic (such as worm-generated traffic) does not cross the Backbone Edge ring. The volume of traffic in this example is not a problem for ISA Server 2004 firewalls, as they have been tested and confirmed to be multigigabit firewalls, based on their hardware configuration and firewall rule base.
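As an added illustration (a constructed example, not code from the book or from ISA Server), the following Python simulation contrasts the two rings just described: a Ring 1 stateful packet filter that decides on layer-4 headers alone and tracks established flows, and a Ring 2 check that inspects the HTTP request line. An oversized request URI arriving on an established port-80 flow passes Ring 1 and is caught only at Ring 2. The addresses, ports and request bytes are constructed sample values.

```python
"""Constructed simulation (added example, not from the book or ISA Server)."""
from dataclasses import dataclass

# Inbound services the organisation intends to publish (TCP 80, 143, 443).
PUBLISHED_PORTS = {80, 143, 443}

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False          # True for a new-connection request
    payload: bytes = b""

class StatefulPacketFilter:
    """Ring 1: decides on layer-4 headers only and remembers permitted flows."""

    def __init__(self, published_ports):
        self.published = set(published_ports)
        self.flows = set()     # (src, sport, dst, dport) of accepted SYNs

    def inbound(self, pkt):
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if pkt.syn:
            if pkt.dport in self.published:
                self.flows.add(key)
                return True
            return False
        # Data packets are accepted only on a flow opened by a permitted SYN.
        return key in self.flows

def http_request_is_valid(payload, max_uri=2048):
    """Ring 2: minimal request-line validation of the kind an application-layer
    firewall performs; the layer-4 filter above never looks at this data."""
    try:
        line = payload.split(b"\r\n", 1)[0].decode("ascii")
    except UnicodeDecodeError:
        return False
    parts = line.split(" ")
    if len(parts) != 3:
        return False
    method, uri, version = parts
    if method not in {"GET", "HEAD", "POST"} or not uri.startswith("/"):
        return False
    return len(uri) <= max_uri and version in {"HTTP/1.0", "HTTP/1.1"}

def run_demo():
    """Push constructed packets through both rings; True = passed, False = blocked."""
    ring1 = StatefulPacketFilter(PUBLISHED_PORTS)
    client, server = "203.0.113.10", "192.0.2.20"   # RFC 5737 documentation addresses
    r = {}
    # SMTP is not published, so Ring 1 drops the connection request outright.
    r["smtp_syn"] = ring1.inbound(Packet(client, 40000, server, 25, syn=True))
    r["http_syn"] = ring1.inbound(Packet(client, 40001, server, 80, syn=True))
    good = Packet(client, 40001, server, 80, payload=b"GET /index.html HTTP/1.1\r\nHost: a\r\n\r\n")
    r["good_request"] = ring1.inbound(good) and http_request_is_valid(good.payload)
    # Oversized URI on the same flow: valid at layer 4, so only Ring 2 can block it.
    big = Packet(client, 40001, server, 80, payload=b"GET /" + b"A" * 4000 + b" HTTP/1.1\r\n\r\n")
    r["big_uri_ring1"] = ring1.inbound(big)
    r["big_uri_ring2"] = http_request_is_valid(big.payload)
    # A data packet with no prior SYN does not belong to any established flow.
    r["stray_data"] = ring1.inbound(Packet(client, 40002, server, 80, payload=b"GET / HTTP/1.1\r\n\r\n"))
    return r
```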






Ring 3: The Asset Network Edge





Ring 3 is at the border of the backbone network and the networks that contain the corporate assets. Corporate assets can represent user workstations, servers, departmental LANs, management networks, and anything else you want to protect from unauthorized access. The line between the backbone network and the asset networks is the Asset Network Edge. This is the ring where you need the strongest, most sophisticated level of protection, because if the intruder is able to violate the integrity of this ring, he is in a position to directly access your corporate assets and carry out what might turn out to be a successful attack.





Figure 1.7 shows the location of the Asset Network Edges in ring 3.














Figure 1.7: The Asset Network Edge





It is at this level that an ISA Server 2004 firewall becomes critical. In contrast to a packet filter hardware device, you need real firewall protection when you get this close to the 'money.' Simple packet filtering is inadequate when it comes to protecting resources in the network asset ring. Not only must we ensure that all incoming connections are subjected to deep application layer inspection, we must also control what leaves the asset networks by using strong user/group-based access control.





Strong outbound user/group-based access control is an absolute requirement. In contrast to the typical hardware packet-filtering firewall that lets everything out, the firewalls at the Asset Network Edge must be able to control outbound connections based on user/group membership. Reasons for this include:











You must be able to log the user names of all outbound connections so that you can hold users accountable for their Internet activity.

You must be able to log the application the user used to access Internet content; this allows you to determine if applications not allowed by network-use policy are being used and enables you to take effective countermeasures.

Your organization can be held legally responsible for material leaving your network (pornography, viruses, attacks); therefore, you must be able to block inappropriate material.

Sensitive corporate information can be transferred outside the network from Asset Network locations. You must be able to block this and record user names and applications the users are using to transfer proprietary information to a location outside your network.











The ISA Server 2004 firewall is the ideal firewall for the Asset Network Edge because it meets all of these requirements. When the systems behind the firewall are properly configured as Firewall and Web Proxy clients, you are able to:











Record the user names for all TCP and UDP connections made to the Internet (or any other network to which the user might connect by going through the ISA Server 2004 firewall).

Record the applications the user uses to make these TCP and UDP connections through the ISA Server 2004 firewall.

Block connections to any domain name or IP address based on user name or group membership.

Block access to any content outside the network based on user name or group membership.

Block transfer of information from the Asset Network to any other network based on user name or group membership.











All this deep application-layer stateful inspection and access control requires processing power. You should size your servers appropriately to meet the requirements of powerful stateful application-layer processing. Fortunately, even with complex rule sets, the ISA Server 2004 firewall is able to handle well over 1.5 gigabits/second per server, and even higher traffic volumes with the appropriate hardware configuration.
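The Ring 3 requirements above (outbound decisions made on user/group membership, with the user name and application recorded for every connection) as an added Python example; this is a constructed simulation, not ISA Server code or its rule syntax. The directory, the policy rules, the application names and the destination names are all constructed sample values.

```python
"""Constructed simulation (added example, not ISA Server code) of Ring 3 outbound control."""
from dataclasses import dataclass

# Constructed directory: user name -> group memberships.
GROUPS = {
    "alice": {"Domain Users", "Finance"},
    "bob": {"Domain Users"},
    "svc-backup": {"Service Accounts"},
}

@dataclass(frozen=True)
class Rule:
    action: str              # "allow" or "deny"
    groups: frozenset        # any one membership matches; empty set = all users
    destinations: frozenset  # domain names or IP addresses; "*" = any
    apps: frozenset          # client application names; "*" = any
    name: str

@dataclass(frozen=True)
class Request:
    user: str
    app: str
    destination: str
    protocol: str

ANY = frozenset({"*"})
# Ordered policy: the first matching rule wins; no match means deny.
POLICY = [
    Rule("deny", frozenset(), frozenset({"drop.example"}), ANY, "listed destination"),
    Rule("deny", frozenset({"Finance"}), ANY, frozenset({"p2pclient.exe"}), "no P2P from Finance"),
    Rule("allow", frozenset({"Finance"}), ANY, frozenset({"iexplore.exe", "outlook.exe"}), "Finance web and mail"),
    Rule("allow", frozenset({"Domain Users"}), frozenset({"portal.example"}), frozenset({"iexplore.exe"}), "everyone: portal"),
]

def evaluate(req, policy=POLICY, directory=GROUPS):
    """Return (action, rule name) for one request; unknown users match no group."""
    user_groups = directory.get(req.user, set())
    for rule in policy:
        if rule.groups and not (rule.groups & user_groups):
            continue
        if "*" not in rule.destinations and req.destination not in rule.destinations:
            continue
        if "*" not in rule.apps and req.app not in rule.apps:
            continue
        return rule.action, rule.name
    return "deny", "default deny"

def process(requests):
    """Decide each request and build an audit log that carries the user name and
    application for every decision, which a port-only packet filter cannot supply."""
    actions, audit = [], []
    for req in requests:
        action, why = evaluate(req)
        audit.append(f"user={req.user} app={req.app} dst={req.destination} "
                     f"proto={req.protocol} action={action} rule=\"{why}\"")
        actions.append(action)
    return actions, audit

SAMPLE = [  # constructed outbound connection attempts
    Request("alice", "iexplore.exe", "news.example", "HTTP"),
    Request("alice", "p2pclient.exe", "peer.example", "TCP"),
    Request("bob", "iexplore.exe", "portal.example", "HTTP"),
    Request("bob", "ftp.exe", "drop.example", "FTP"),
    Request("svc-backup", "iexplore.exe", "portal.example", "HTTP"),
]
```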






Ring 4: Local Host Security





The last ring is Ring 4, the Host-based security ring. This represents the junction between the host systems and the network to which they are directly attached. Figure 1.8 shows the position of ring 4.














Figure 1.8: Host-based Security Ring





Approaches to host-based security are somewhat different from what you see with network firewall protection, but the principles are the same. Host-based security requires that you control what is allowed inbound and outbound to the host machine and that the applications on the hosts are designed with security in mind. Some of the things you should consider when dealing with the Host-based Security ring include:











Using a Host-based firewall to control which incoming and outgoing connections are allowed and which applications can send and receive data. This is the typical 'personal firewall' approach, but can be expanded to support server applications in addition to providing personal firewall support for user workstations.

IPSec policy (on systems that support it) can be used to control what is allowed inbound and outbound from and to specific hosts. If a particular workstation or server does not need to connect to all possible computers, you can lock it down using IPSec policies to limit connections to a predefined collection of machines.

Applications and services running on the hosts must be designed with security in mind. That means these applications and services are not vulnerable to common attacks such as buffer overflow and social attacks (such as HTML e-mail exploits and opening attachments).

Anti-virus software must be used to block viruses that come from other network locations or are introduced by compromised hotfixes and software.

Anti-scumware software must be installed to protect the machines and prevent adware and other malicious software from being installed on the machine.

Anti-spam software must be installed on the machine if an e-mail client is installed. Anti-spam software should also be installed on SMTP relays that handle inbound and outbound mail, not only to block spam that carries a potentially dangerous payload, but also to reduce losses in employee productivity related to spam.











The Host-based Security ring is the last defense. The ISA Server 2004 firewall at the Asset Network Edge can help with this to a certain extent, but no firewall can completely make up for weaknesses found at the host layer. Network firewall security is helpful for controlling access from corporate network to corporate network and for attacks coming from non-local networks that must traverse the ISA Server 2004 firewall, but only host-based security can handle attacks coming from the local network, where the connection does not traverse a network firewall.





Note that for smaller networks that might have a single ring, which is the Internet Edge ring, the entire discussion is moot. The only reason to put a packet-filtering traditional firewall in front of the ISA firewall on a one-perimeter network is to waste money. You'd be better off buying two ISA firewalls, or buying another sophisticated application-layer firewall, with the ISA firewall behind the other application-layer firewall, so that the ISA firewall can implement the strong user/group-based security that is required for an in-depth defense of your network.




