Dr. Tom Shinder's Configuring ISA Server 2004 [Electronic resources]

Thomas W. Shinder; Debra Littlejohn Shinder

previous section, Microsoft has added a number of completely new features to ISA Server 2004. In the following sections, we look at three of the most significant new features:

Multi-networking support

New Application Layer Filtering (ALF) features

VPN Quarantine Control

Multi-Networking Support

A big limitation of ISA 2000 was the fact that it did not support multiple networks. Today's complex networks demand that you be able to work with multiple networks and define the relationships between them. With ISA Server 2004, Microsoft has introduced a multi-networking model that is appropriate for the interconnected networks used by many corporations. Now you can create network rules and control how different networks communicate with one another.

ISA Server 2004 includes several built-in network definitions, including:

The Internal network (includes the addresses on the primary protected network)

The External network (includes addresses that don't belong to any other network)

The VPN clients network (includes the addresses assigned to VPN clients)

The Local host network (includes the IP addresses on the ISA Server)

You can configure one or more networks, each with distinct relationships to each other network. In ISA Server 2000, all traffic was inspected relative to a local address table (LAT), which included only address ranges on the Internal network, but ISA Server 2004 extends the firewall and security features to apply to traffic between any networks or network objects.

Per-network Policies

ISA Server 2004's new multi-networking features make it easy for you to protect your network against internal and external security threats, by limiting communication between clients, even within your own organization. Multi-networking functionality supports sophisticated perimeter network (also known as a DMZ, demilitarized zone, or screened subnet) scenarios, allowing you to configure how clients in different networks access the perimeter network. Access policy between networks can be based on the unique security zone that is represented by each network.

Network Relationships

You can also use ISA Server 2004 to define the routing relationship between networks, depending on the type of access and communication required between the networks. For example, in some cases you would want more secure, less transparent communication between the networks. You can define a network address translation (NAT) relationship for these networks. In other scenarios, you might want to just route traffic through the ISA Server; in this case, you would define a routed relationship. Unlike with ISA Server 2000, the packets that move between the routed networks are all fully exposed to ISA Server 2004's stateful filtering and inspection mechanisms.

Network Templates

ISA Server 2004 provides network templates that you can use to easily configure firewall policy governing the traffic between multiple networks. These are designed to address common scenarios, including:

ISA Server as edge firewall

Perimeter network (DMZ)

ISA as front-end firewall with a third-party back-end firewall

ISA Server deployed between a perimeter network and the Internal network

Caching/Web Proxy server with a single NIC

You will learn more about how to configure multi-networking, create networking rules and apply network templates in Chapter 4, Preparing the Network Infrastructure for ISA Server 2004.

New Application Layer Filtering (ALF) Features

Application Layer Filtering is one of ISA Server 2004's strong points; unlike a traditional packet filtering firewall, ISA can delve deep into application layer communications to protect your network from the many modern exploits that occur at this layer. ISA Server 2000's ALF functionality has been enhanced by the addition of the following new features:

Per-rule HTTP filtering

Ability to block access to all executables

Ability to control HTTP downloads by file extension

Application of HTTP filtering to all client connections

Control of HTTP access based on signatures

Control over allowed HTTP methods

Ability to force secure Exchange RPC connections

Policy-based control over FTP

Link Translation

In the following subsections, we'll have a look at each of these.

Per-rule HTTP Filtering

ISA Server 2004's HTTP policy allows the firewall to perform deep HTTP stateful inspection (application layer filtering). You can configure the extent of the inspection on a per-rule basis. This means that you can configure custom constraints for HTTP inbound and outbound access. With ISA Server 2000, HTTP filtering had to be performed globally, using a version of URLScan installed with Feature Pack 1 for ISA Server 2000.

Ability to Block Access to All Executables

You can configure ISA Server 2004's HTTP policy to block all connection attempts to Windows executable content, regardless of the file extension used on the resource. This blocks all responses in which the first word of the downloaded binary is MZ. You can also block by file extension (see the next subsection).

Warning
Blocking all Windows executables does not necessarily block all file types that can be dangerous. For example, .pif and .com files are not blocked by this filter because the first two bytes of the binaries are not MZ. You can block these other potentially dangerous file types by configuring filters to block by file extension.

Note
The first two bytes of the file contain its file signature. The MZ file signature, originally used for MS-DOS executable files, consists of the initials of Microsoft programmer Mark Zbikowski.

Ability to Control HTTP Downloads by File Extension

ISA Server 2004's HTTP policy makes it easy for you to allow all file extensions, allow all except a specified group of extensions, or block all extensions except for a specified group. This gives you a lot of flexibility in controlling what types of files can be downloaded by users, especially since this is done on a per-rule basis. This means you can apply the blocking of certain extensions to specific users or groups.
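
As an added example (not code from the book or from ISA Server itself), the following Python script models the two HTTP download controls just described, the per-rule extension list in its three modes and the "block all executables" check on the first two bytes of the response body, and demonstrates the caveat from the Warning above: a renamed .exe is still caught by the MZ check, while a .com file only gets blocked once its extension is listed. The policy class, URLs and sample response bodies are constructed for the illustration.

```python
# Added illustration of the per-rule HTTP download controls described above
# (not ISA Server code; the policy class and sample responses are assumed):
# an extension list applied in one of three modes, plus the "block all
# executables" check on the first two bytes of the response body.
from dataclasses import dataclass
from urllib.parse import urlsplit
import posixpath

@dataclass
class HttpDownloadPolicy:
    # mode: "allow_all", "block_listed" (allow all except the listed
    # extensions) or "allow_listed" (block all except the listed extensions)
    mode: str = "allow_all"
    extensions: frozenset = frozenset()
    block_executables: bool = False

    def evaluate(self, url: str, body: bytes) -> str:
        """Return 'allow' or 'block: <reason>' for one downloaded response."""
        ext = posixpath.splitext(urlsplit(url).path)[1].lower() or "(none)"
        listed = ext in self.extensions
        if self.mode == "block_listed" and listed:
            return f"block: extension {ext} is on the block list"
        if self.mode == "allow_listed" and not listed:
            return f"block: extension {ext} is not on the allow list"
        # The executable check looks only at the body's first word, so a
        # renamed .exe is still caught, while a .com or .pif file (no MZ
        # header) passes; that is the caveat in the Warning above.
        if self.block_executables and body[:2] == b"MZ":
            return "block: Windows executable (MZ signature)"
        return "allow"

# Constructed sample responses: a PE file served under a harmless-looking
# extension, a DOS .com program, and an ordinary PDF.
SAMPLES = {
    "http://dl.example.test/report.pdf": b"%PDF-1.4 ...",
    "http://dl.example.test/setup.txt": b"MZ\x90\x00\x03\x00...",
    "http://dl.example.test/tool.com": b"\xb8\x00\x4c\xcd\x21",
}

def run(policy: HttpDownloadPolicy) -> dict:
    return {url: policy.evaluate(url, body) for url, body in SAMPLES.items()}

if __name__ == "__main__":
    mz_only = HttpDownloadPolicy(block_executables=True)
    mz_and_ext = HttpDownloadPolicy(mode="block_listed", block_executables=True,
                                    extensions=frozenset({".com", ".pif", ".exe"}))
    print("MZ check only:", run(mz_only))
    print("MZ + extensions:", run(mz_and_ext))
```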

Application of HTTP Filtering to All Client Connections

ISA Server 2000 was able to block content for Web Proxy clients based on HTTP and FTP connections by MIME type (for HTTP) or file extension (for FTP). With ISA Server 2004's HTTP policy, you can control HTTP access for all ISA Server 2004 client connections, regardless of client type. There was no deep inspection of outbound connections, out of the box, with ISA Server 2000.

Control of HTTP Access Based on Signatures

ISA Server 2004's deep HTTP inspection also allows you to create 'HTTP Signatures' that can be compared to the Request URL, Request headers, Request body, Response headers, and Response body. This allows you to exercise extremely precise control over the content that internal and external users can access through the ISA Server 2004 firewall.

A signature is a character string for which ISA Server will search the request body, request header, response body, and/or response header. If the string is found, the data will be blocked. You can search for either a text or binary string. Blocking based on text signatures can only be done if the HTTP requests and responses are UTF-8 encoded.
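
As an added example (not code from the book or from ISA Server), the following Python script models signature matching as the two paragraphs above describe it: each signature is a text or binary string searched in one part of the exchange, and a text signature is only evaluated when that part is valid UTF-8. The constructed exchanges show the practical consequence of the UTF-8 restriction: the same page served as UTF-16 slips past a text signature and needs a binary signature in the matching encoding. The exchange layout, signature names and sample messages are assumptions made for the example.

```python
# Added illustration of the HTTP signatures described above (not ISA Server code;
# the exchange layout and sample messages are assumed): each signature is a text
# or binary string searched in one part of the exchange, and a text signature
# can only be evaluated when that part is valid UTF-8.
from typing import Dict, List, Optional, Tuple

# (name, part, pattern, is_text); part is one of request_url, request_headers,
# request_body, response_headers, response_body
Signature = Tuple[str, str, bytes, bool]

def headers_bytes(headers: Dict[str, str]) -> bytes:
    """Flatten a header dict into the 'Name: value' lines a signature sees."""
    return "\r\n".join(f"{k}: {v}" for k, v in headers.items()).encode("utf-8")

def first_match(exchange: Dict[str, bytes], sigs: List[Signature]) -> Optional[str]:
    """Name of the first matching signature, or None if the exchange is allowed."""
    for name, part, pattern, is_text in sigs:
        data = exchange.get(part, b"")
        if not is_text:
            if pattern in data:
                return name
            continue
        try:
            haystack = data.decode("utf-8")
        except UnicodeDecodeError:
            continue        # part is not UTF-8, so a text signature cannot be applied
        if pattern.decode("utf-8") in haystack:
            return name
    return None

SIGS: List[Signature] = [
    ("no-tunnel-agent", "request_headers", b"User-Agent: ExampleTunnel", True),
    ("no-activex-object", "response_body", b"<object classid", True),
    ("no-activex-object-utf16", "response_body", "<object classid".encode("utf-16-le"), False),
]

def demo() -> Dict[str, Optional[str]]:
    # Constructed exchanges: a tunnelling client, a UTF-8 page, the same page as UTF-16.
    page = '<html><object classid="clsid:0"></object></html>'
    utf16 = b"\xff\xfe" + page.encode("utf-16-le")   # BOM bytes are never valid UTF-8
    normal = {"request_url": b"http://www.example.test/a",
              "request_headers": headers_bytes({"User-Agent": "Mozilla/4.0"})}
    tunnel = {"request_url": b"http://www.example.test/",
              "request_headers": headers_bytes({"User-Agent": "ExampleTunnel/1.0"})}
    return {
        "tunnel": first_match(tunnel, SIGS),
        "utf8": first_match({**normal, "response_body": page.encode("utf-8")}, SIGS),
        "utf16-text-only": first_match({**normal, "response_body": utf16}, SIGS[:2]),
        "utf16-with-binary": first_match({**normal, "response_body": utf16}, SIGS),
    }
```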

Control Over Allowed HTTP Methods

You can control which HTTP methods are to be allowed through the firewall by setting access controls on user access to various methods. For example, you can limit the HTTP POST method to prevent users from sending data to Web sites using the HTTP POST method. You can select to allow all methods, allow only selected methods, or block specified methods and allow all others.

Note
HTTP methods are commands that tell the server what action to perform on a given request. They are also sometimes referred to as 'HTTP verbs' because they consist of action words: GET (retrieve the data identified by the URI), PUT (store the data under the URL), POST (create an object linked to the specified object), and so on.

Ability to Force Secure Exchange RPC Connections

ISA Server 2004's Secure Exchange Server Publishing Rules allow remote users to connect to the Exchange server by using the fully functional Outlook MAPI client over the Internet. However, the Outlook client must be configured to use secure RPC so that the connection will be encrypted. ISA Server 2004's RPC policy allows you to block all non-encrypted Outlook MAPI client connections.

With traditional firewalls, you have to open a number of ports to enable remote access to Exchange RPC services with the Outlook MAPI client, creating a security risk. With ISA Server 2004, the RPC filter solves this problem.

Policy-based Control Over FTP

You can configure ISA Server 2004's FTP policy to allow users to upload and download via FTP, or you can limit user FTP access to download only. This gives you more control over FTP activity and more granular security. By selecting Read Only on the Protocols tab when you configure FTP filtering, you block FTP uploads.

The FTP access filter is more functional than a user-defined FTP protocol because it dynamically opens specified ports for the secondary connection and can perform the address translation that is required by the secondary connection. The filter is also able to differentiate between read and write permissions, so you can granularly control access.

Link Translation

Some of your published Web sites might include references to the NetBIOS names of computers. Only the ISA Server 2004 firewall and the external namespace, not the internal network namespace, are available to external clients. That means that when external clients try to access the sites via these links, the references will appear to be broken links.

ISA Server 2004 includes a link translation feature, which allows you to create a dictionary of definitions for internal computer names that map to publicly-known names. This is especially useful, for example, when publishing SharePoint Web sites. The link translation dictionary can also translate requests that are made to ports other than the standard ports, and the link translator will include the port number when it sends the URL back to the client.

Note
Although link translation was not available as a feature of ISA Server 2000 out of the box, it can be added to ISA 2000 by installing Feature Pack 1.

Tip
By default, link translation only works with HTML documents, but you can add other content groups if you wish.

Warning
If your document contains internal links that have not been mapped to their appropriate external links in the link translation dictionary, the internal NetBIOS names will be exposed to external users. This can pose a security risk because it allows outsiders to know what the internal computer names are.
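
As an added example (not code from the book or from ISA Server), the following Python script models link translation as the subsection above describes it: a dictionary maps internal computer names to public names, a non-standard port is carried into the rewritten URL, only HTML is translated by default, and, as a defender's check for the Warning above, any internal name that has no dictionary entry is reported rather than silently passed through to external clients. The dictionary entries, host names and HTML sample are constructed for the illustration.

```python
# Added illustration of link translation as described above (not ISA Server
# code; the dictionary entries, host names and HTML sample are assumed): a
# dictionary maps internal computer names to public names, a non-standard port
# is carried into the rewritten URL, only HTML is translated by default, and any
# internal name left unmapped is reported, since it would reach external clients.
import re
from typing import Dict, List, Tuple

# internal name as it appears in links -> public name; an entry keyed with a
# port keeps that port on the public name sent back to the client
LINK_DICTIONARY: Dict[str, str] = {
    "sp-server": "sharepoint.example.test",
    "sp-server:8080": "sharepoint.example.test:8080",
    "intranet": "portal.example.test",
}
TRANSLATED_TYPES = {"text/html"}   # default content group; add others if wanted
URL_RE = re.compile(r"https?://([A-Za-z0-9_.-]+(?::\d+)?)")

def translate_links(body: str, content_type: str,
                    internal_names: List[str]) -> Tuple[str, List[str]]:
    """Return (translated body, internal names found that have no mapping)."""
    if content_type.split(";")[0].strip().lower() not in TRANSLATED_TYPES:
        return body, []          # not a translated content type: pass through
    unmapped: List[str] = []

    def swap(m: "re.Match[str]") -> str:
        authority = m.group(1)
        public = LINK_DICTIONARY.get(authority)
        if public is None:
            if authority.split(":")[0] in internal_names:
                unmapped.append(authority)   # would expose an internal name
            return m.group(0)
        return m.group(0).replace(authority, public, 1)

    return URL_RE.sub(swap, body), unmapped

# Constructed page as a published internal site might emit it.
SAMPLE_HTML = ('<a href="http://sp-server/sites/hr">HR</a> '
               '<a href="http://sp-server:8080/admin">Admin</a> '
               '<a href="http://fileserver01/share">Files</a>')

if __name__ == "__main__":
    out, leaked = translate_links(SAMPLE_HTML, "text/html; charset=utf-8",
                                  ["sp-server", "intranet", "fileserver01"])
    print(out)
    print("unmapped internal names:", leaked)
```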

VPN Quarantine Control

This is another feature that was not available in ISA Server 2000. ISA Server 2004 leverages the Network Access Quarantine Control feature built into Windows Server 2003 to provide VPN quarantine, which allows you to quarantine VPN clients on a separate network until they meet a predefined set of security requirements. Even if ISA Server 2004 is installed on Windows 2000, you can still use quarantine control, with some limitations. In either case, you are able to specify conditions that VPN clients must meet in order to be allowed on the Internal network, such as the following:

Security updates and service packs must be installed

Anti-virus software must be installed and enabled

Personal firewall software must be installed and enabled

VPN clients that pass the pre-defined security tests are allowed network access based on the VPN client firewall policies. VPN clients that fail security testing may be provided limited access to servers that will help them meet network security requirements (for example, servers where they can download the patches and updates they need).

Benefits of ISA Server 2004 VPN Quarantine Control

VPN quarantine control is an exciting feature that helps to protect your network from remote users who establish VPN connections from client computers that don't have their security patches and service packs up to date, don't have anti-virus software installed and enabled, and/or don't have personal firewalls to prevent Internet attacks. A number of other firewall vendors offer similar functionality, although usually with a different name, but in most cases you must use their proprietary VPN client software (at extra cost) to take advantage of this feature. With ISA Server 2004, no special client software is required; clients use the PPTP or L2TP clients built into all modern Windows operating systems.

Options for Using VPN Quarantine Control

To use VPN quarantine control through Routing and Remote Access, ISA Server 2004 needs to be installed on a Windows Server 2003 computer. You are then able to quarantine VPN clients based on RADIUS server policies. If ISA Server 2004 is installed on a Windows 2000 server, you can still enable quarantine mode via the ISA Server and set a firewall policy for the Quarantined VPN clients network.

Quarantine control is great for enforcing compliance with your organization's security policy when users access the network from an outside location using a VPN, but setting it up is not a no-brainer. You must create Connection Manager profiles and connectoids for your VPN clients using the Connection Manager Administration Kit (CMAK) that comes with Windows 2000 Server and Windows Server 2003.

You can then enable quarantine on the server, either using RADIUS policy or using ISA Server policy. Microsoft recommends that you use RADIUS policy if you are running ISA on a Windows Server 2003 computer and you have a RADIUS server on the network. Otherwise, you'll have to use ISA Server policy.

You can set the amount of time that a client will stay in quarantine when trying to connect through the VPN. If the client does not meet the security policy requirements within that period (meeting them is what moves it from the Quarantined VPN clients network to the VPN clients network), it will be disconnected. If you have certain clients that should not be quarantined even if they don't pass the security test (the big boss's computer, for example), you can create an exemption list so that quarantine won't be applied to them.

Requirements for Enabling VPN Quarantine Control

To use quarantine control, you have to install a listener component on the ISA Server firewall. This is a software construct that listens for messages from the VPN clients that tell the ISA server that the quarantine control script has been run successfully. The listener listens for messages from the notifier component. The ISA Server 2004 Resource Kit contains a listener, the Remote Access Quarantine Agent service (Rqs.exe), and a notifier component (Rqc.exe) that you can use, or you can create your own listener. When the client computer is in compliance with the security policies, the notifier sends a notification message to the listener, and the client is removed from quarantine.

Here's the tricky part: you have to be adept at scripting to create the quarantine script that will be run on the client computer by the Connection Manager profile.

Warning
The notification message is neither encrypted nor authenticated. This means it is possible for a hacker to spoof the message.

What about clients that don't comply with the policy? You can set up a Web server that allows anonymous access for those clients to download instructions and/or software that's needed to come into compliance. The quarantined clients can access this server, but cannot access other resources on the network.

We discuss how to configure ISA Server 2004 quarantine control policies in Chapter 9, Creating Remote Access and Site-to-Site VPNs with ISA Firewalls.



