Chapter 1: Evolution of a Firewall: From Proxy 1.0 to ISA 2004
The Book: What it Covers and Who It's For
Our first ISA Server book, Configuring ISA Server 2000: Building Firewalls for Windows 2000 (Syngress Publishing), addressed Microsoft's first attempt at producing an enterprise-level network firewall product. As with most first attempts, ISA 2000 was in many ways a learning experience - both for Microsoft and for those of us who used and managed it.
With ISA 2000, Microsoft provided full-fledged, multilayered firewall functionality that went far beyond the traditional packet filtering firewall, with 'extras' such as intrusion detection and prevention (IDS/IDP) and Web caching - features that many other firewall vendors either don't include at all or offer as add-on modules or separate products at extra cost.
Inevitably, ISA was compared with other popular firewall products such as CheckPoint's Firewall-1/VPN-1 and Cisco's PIX, along with the plethora of low-cost security 'appliances' from vendors such as NetScreen, Watchguard, SonicWall, Symantec, and many others that have flooded the market over the last few years. Although it proved to be a strong competitor, ISA administrators quickly started compiling 'wish lists' of features and functionalities that could make ISA even better.
Note: Some might argue that customer 'wish lists' have even, in some cases, resulted in the inclusion of features that are unnecessary or worse, as well as the elimination of desirable features. According to the product team, features such as the H.323 gateway - included in ISA 2000 - were dropped from ISA 2004 due to lack of customer interest. On the other hand, ISA 2004 added the ability to forward all traffic to an internal server ('all-port forwarding') because of pressure from users of low-cost firewall appliances that included this feature.
As with any software product, there were quirks to be ironed out. And as the security landscape became even more complex and brand new threats appeared, new technologies were needed and old ones needed to be improved. Microsoft set about creating a new incarnation of ISA Server, one that would incorporate many of the features users asked for and that would improve ease of use as well as security.
Some of the changes in ISA 2004 are profound - so profound that Microsoft seriously considered changing the product name completely before deciding to stick with 'Internet Security and Acceleration Server' to better build on the existing user base and avoid market confusion. As we worked with ISA 2004 from the alpha stage through private and public betas, we saw it evolve into a hard-core comprehensive security product that can serve many purposes in a variety of network scenarios.
It's in the Book: What We Cover
Writing the ISA 2000 book, like working with the software itself, was yet another learning experience. As we continued to work with ISA after it was finished, we discovered new questions (and new answers) that we wished we'd included. Readers provided us with valuable feedback about what they wanted to see addressed. We took all of that into consideration as we laid out the game plan for this book on ISA Server 2004.
Two Parts for Two Purposes
In working with ISA 2000 users locally and around the world through www.isaserver.org, www.windowsecurity.com, and other Internet forums, we found that many network administrators' questions about ISA began even before their organizations committed to deploying it. They wanted hard information on ISA's features, how those features work 'under the hood,' and how ISA compares to other popular firewall solutions in the same price categories. Some users, new to the security aspects of networking, expressed a wish for more background information - how firewalls and VPNs work, and even some basic TCP/IP concepts that are essential to understanding firewall functionality.
Thus, we've divided this book into two distinct sections:
Part One: ISA Server 2004 Concepts. This section (consisting of chapters 1 through 3) is meant to be an 'appetizer.' It provides a background understanding of computer security in general, firewalls in particular, and ISA Server specifically. We follow the development of ISA from its humble origins in MS Proxy Server. We answer the often-asked question 'Why should I trust Microsoft when it comes to security?' We explain the different firewall models and architectures and describe the ISA 2004 feature set (including 'under the hood' information about how the features work). We even include an entire chapter on comparing ISA 2004 with other popular firewall solutions in the same price category.
Part Two: ISA Server 2004 How-Tos. This longer section (consisting of chapters 4 through 11) provides the 'main course' - step-by-step instructions in how to install and manage ISA Server 2004 in common networking scenarios, taking into account different network configurations, business models, and ISA Server roles. Here you'll find all the details about how to create and use firewall access policies, how to publish network services to the Internet, how to use ISA Server to protect remote access and VPN connections, how ISA Server works in conjunction with Exchange Server, how to make best use of ISA Server's Web caching, and other 'bonus' functionalities that distinguish ISA Server from its competitors.
You'll also find, at the end of the book, an appendix covering some TCP/IP and network security basics. This additional material is for those who need a refresher in TCP/IP security vulnerabilities. Some of this material is taken from Configuring ISA Server 2000 and is most useful for readers who are not familiar with that book. Like dessert, it's optional.
We believe this structure will make the book easier to use and will also make it more valuable to a wider audience.
If you're looking for specific scenarios that address your own situation or answers to troubleshooting problems that occur in your ISA deployment, we have tried to make it easy for you to find and flip to the section of this book that you need. We have put in numerous tips and tricks for dealing with ISA in the real world and provided references to give you more information about related topics that you could come across as you work with ISA. Following the adage that a picture can be worth a thousand words, we've also provided many diagrams and screenshots to illustrate exactly what we're talking about in the text.
Chapter-by-Chapter Game Card
We've laid out the book in such a way that it can be used as a reference, with individual 'how to' sections that are not dependent upon one another. We've also provided a logical order for those who are working through the book progressively, so that you can learn the terminology and concepts first and then proceed to the walk-throughs.
Chapter One: Evolution of a Firewall: Proxy Server to ISA 2004
This first chapter begins with a section entitled Security: The New Star of the Show, an overview of the new, high-profile role of security in the new millennium. In Security: What's Microsoft Got to Do with It? we discuss Microsoft's new commitment to security as a number one priority with their Trustworthy Computing Initiative. We address the ever-changing nature of the security landscape in Security: A Moving Target. Then we look at the best practices for securing your valuables, whether physical or electronic, in Security: A Multilayered Approach, where we examine the popular 'defense-in-depth' concept.
In Firewalls: The Guardians at the Gateway, we examine the history and philosophy behind today's firewalls and discuss the differences between different firewall models (host vs. network-based, hardware vs. software-based). Next, we look at the features and functionality offered by modern firewall products and how firewalls have evolved from simple packet filtering proxies to comprehensive 'security solutions.'
The last part of the chapter, ISA Server: From Proxy Server to Full-Featured Firewall, zooms in on the focus of the rest of the book: ISA Server. We follow Microsoft's venture into the security market from the time when ISA Server was just a glint in MS Proxy Server's eye to the release of ISA Server 2004. We discuss what it can do for you and your company, how it gives you two products for the price of one, and how caching fits in. We also speculate on what the future holds for ISA Server and Microsoft's increasing integration of security features into their software.
Chapter Two: Examining the ISA Server 2004 Feature Set
This chapter provides an in-depth look at each of ISA 2004's main features: the old (those that were ported over from ISA 2000), the new (and improved), and the missing in action (features included in ISA 2000 that were dropped in the new version).
In the first section, Old Features Get New Functionality, we focus closely on ISA 2000 features that have been enhanced or expanded, such as VPN administration, user authentication, firewall rules, user- and group-based access policies, Outlook Web Access (OWA) publishing and secure Web publishing, FTP support, caching rules, the SMTP message screener, improvements to logging and reporting, and the updated graphical interface.
We also examine, in detail, the many new features built into ISA 2004, including its multinetworking capabilities, VPN quarantine and other new VPN features, firewall user groups, customizable protocol definitions and support for complex protocols, delegation of basic authentication, SecurID authentication support for Web proxy clients, firewall-generated forms for forms-based authentication, PPTP server publishing, SSL VPN for accessing terminal services, forced encryption for secure Exchange RPC connections, new HTTP filtering features, link translation, and new management features.
In the next section, we go Under the Hood to discuss how some of ISA 2004's most important features work, covering the underlying technologies of Application Layer Filtering (ALF), VPN quarantine, and SSL Bridging.
Finally, for those who still aren't satisfied with everything that ISA 2004 can do out of the box, we discuss Adding Features and Functionality with Third Party Products.
Chapter Three: Stalking the Competition: How ISA 2004 Stacks Up
In response to many reader inquiries, we devote an entire chapter to a discussion of the 2004 firewall market and how ISA Server 2004 stacks up against the competition. In this chapter, we discuss the current firewall and caching server market(s) and look at the various points of comparison, including:
Licensing structures, initial costs, and Total Cost of Operations (administrative overhead, support contracts, add-ons, and upgrades).
Specifications
Firewall and IDS/IDP features
VPN features
Web caching features
Certification
We look at how various firewall products implement application-layer filtering, platform support and system requirements, VPN features, capacity and client licensing issues, interoperability and integration with other network components (such as Exchange, SharePoint, Active Directory, and non-Microsoft operating systems), and the interface and ease of use.
Specifically, we look at how ISA Server 2004 stacks up against the following popular firewall and/or caching products:
CheckPoint NG software and Nokia appliances (which run CheckPoint)
Cisco PIX firewall/VPN appliances
NetScreen/Juniper Networks firewall/VPN appliances
SonicWall firewall/VPN appliances
Symantec firewall/VPN software and appliances
Watchguard firewall/VPN appliances
Linux-based open source firewall software
BlueCoat firewall/VPN/caching appliances
Novell Volera caching products
Squid open source caching software
We look at the strengths and weaknesses of each competing product in comparison to ISA Server 2004, and we also discuss how ISA 2004 can be effectively used in conjunction with third-party firewall products to provide multilayered security for both inner and outer network perimeters.
Chapter Four: Preparing the Network Infrastructure for ISA 2004
One of the most common problems we've encountered in troubleshooting ISA Server 2000 installations was the lack of an appropriate supporting infrastructure. We anticipate similar problems for ISA Server 2004 installations where the appropriate supporting network infrastructure is not in place before the ISA Server 2004 firewall is installed.
There are a number of key network infrastructure issues that we discuss in this chapter:
Understanding the ISA Server 2004 networking model
Configuring the routing table on the ISA Server 2004 firewall
DHCP support for the ISA Server 2004 firewall and ISA Server 2004 clients
WINS support for the ISA Server 2004 firewall and ISA Server 2004 clients
DNS support for the ISA Server 2004 firewall and the ISA Server 2004 clients
RADIUS (Internet Authentication Server IAS) support for the ISA Server 2004 firewall and ISA Server 2004 clients
Certificate Services support for the ISA Server 2004 firewall and ISA Server 2004 clients
In Chapter Four, we go over each of the critical network services that must be in place to support your ISA Server 2004 firewall and hosts that connect through the ISA Server 2004 firewall. In addition, we discuss the ISA Server 2004 concepts of Networks, Network Sets, Network Relationships, and access control across networks. We also include a discussion of the 'network within a network configuration' and how to solve the problem it poses using ISA Server 2004 and the internal network router configuration.
Chapter Five: Configuring ISA 2004 Clients and Automating Client Provisioning
This chapter looks at the three ISA 2004 network client types:
The SecureNAT client
The Firewall client
The Web proxy client
Each of these client types works differently to allow the client computer access to the Internet or other outside network through the ISA server. We give detailed explanations of how each client type works 'under the hood.' Each has advantages and disadvantages, and the 'best' client choice depends on a number of factors, including the client operating system, which protocols the client machine needs to access, and whether you want to (or policy or circumstances permit you to) install extra software on the client machines. We provide you with the info you need to make the right decisions concerning which client type(s) should be deployed in a given situation.
After gaining an understanding of the client options, we provide step-by-step instructions that illustrate how to configure each client type, with special considerations to keep in mind for each. We deal with common problems posed by different client types, such as name resolution issues and how to solve the problem of 'loopback' through the ISA server by deploying a split DNS infrastructure.
Because manually installing or configuring a large number of clients in an enterprise environment can be a daunting task, we also provide instructions on how to automate the client provisioning process to reduce administrative overhead. In this section, we cover various ways to automate the configurations of the Web proxy and firewall clients, including:
Configuring DHCP servers to support Web proxy and firewall client autodiscovery
Configuring DNS servers to support Web proxy and firewall client autodiscovery
Automating Web proxy client configuration with group policy
Automating Web proxy client configuration with Internet Explorer Administration Kit (IEAK)
You'll learn how to automate the installation process for the firewall client software, either by using group policy-based software installation and management or by creating and using a silent installation script. We also discuss the use of System Management Server (SMS) to deploy the firewall client software.
Chapter Six: Installing and Configuring the ISA Server 2004 Software
This chapter begins with separate step-by-step instructions on how to install ISA Server in each of two possible configurations:
Installing ISA 2004 on a multihomed server. If the ISA Server is to act as a firewall, either dedicated solely to firewall functions or as a combination firewall and caching server, it must be installed on a machine that has multiple network interfaces.
Installing ISA 2004 on a single-NIC server. Unlike ISA 2000, ISA 2004 no longer has a caching-only installation mode, but by installing the software on a server that has only a single network interface, you accomplish the same thing since the single-adapter server cannot be used as a firewall.
ISA Server 2004 can run on either a Windows 2000 Server or a Windows Server 2003 machine. We discuss some of the differences in functionality based on which operating system you use and point out some of the things you need to watch for during installation, to avoid problems later.
The old Local Address Table (LAT) from ISA Server 2000 is gone, so you can install multiple network interfaces to create multiple internal networks (taking advantage of one of ISA 2004's great new features: multinetworking), in addition to multiple public or private address DMZs. We discuss how to do that in this chapter.
ISA Server 2004 includes a number of network templates that are positioned to help new ISA Server 2004 firewall administrators get up and running as quickly as possible. We examine the front-end firewall, edge firewall, back-end firewall, trihomed DMZ, and unihomed firewall templates, and see how they can be used to help the ISA Server 2004 firewall administrator with both simple and complex networking setups. We also explore the new graphical user interface and how to navigate through it to perform the common administrative tasks.
We explore upgrade issues: specifically, we show you how to upgrade an ISA Server 2000 computer to ISA Server 2004, as well as the upgrade procedure for a Microsoft Proxy Server 2.0 machine, which requires first upgrading to ISA Server 2000 and then to ISA Server 2004.
Finally, the chapter includes a 'Quick Start' section that provides the basics on how to get ISA 2004 up and running as quickly as possible, and instructions on how to create a temporary 'all open' outbound access policy to allow you to verify that your ISA server is working after you install it.
Tip: Deployment of ISA Server 2004 on a production network will proceed much more smoothly if you first test the product in a prototype environment; this allows you to determine how ISA Server 2004 will interact with your existing network services and applications. Using virtualization software such as Microsoft's Virtual PC or VMware is the most cost-effective method to simulate an enterprise-level network with full functionality without investing in additional hardware.
Chapter Seven: Creating and Using ISA 2004 Firewall Access Rules
ISA Server 2004 Access Rules set the new ISA Server 2004 firewall apart from its predecessor, ISA Server 2000. Unlike ISA Server 2000, the ISA Server 2004 firewall uses a unified rule base wherein Access Rules and Publishing Rules are processed from the top down. You no longer need to try to figure out which rule will be active at what time as you did with ISA Server 2000. Now you know that the first rule on the list that matches the connection request parameters will handle the request.
ISA Server 2004 Access Rules control traffic based on a number of parameters, with the core parameters being the following: source, destination, protocol, and user. However, you can fine-tune each rule so that it is applied at a certain time of day, to a specific user set, and/or to a specific server. You can use Access Rules to block sites, files, pop-ups and peer-to-peer applications. ISA Server 2004 Access Rules give you total control over what connections are allowed (and not allowed) through the ISA firewall.
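The top-down, first-match processing described above, as an added example: a simplified Python model written for this page, not ISA Server code. It evaluates a request against an ordered rule list and reports rules that an earlier, broader rule makes unreachable, such as a temporary 'all open' rule left at the top. The rule names, user sets, the P2P protocol label and the deny-on-no-match fallback are constructed assumptions.

```python
from dataclasses import dataclass

ANY = frozenset({"*"})  # wildcard rule element (a modelling convenience)

# Rule field -> request key, following the four core parameters named above.
FIELDS = {"sources": "source", "destinations": "destination",
          "protocols": "protocol", "users": "user"}


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                      # "allow" or "deny"
    sources: frozenset = ANY
    destinations: frozenset = ANY
    protocols: frozenset = ANY
    users: frozenset = ANY


def evaluate(rules, request):
    """Walk the list top-down; the first rule whose elements all match wins."""
    for rule in rules:
        if all(getattr(rule, f) == ANY or request[k] in getattr(rule, f)
               for f, k in FIELDS.items()):
            return rule.name, rule.action
    return "default-deny", "deny"    # assumption: nothing matched, so deny


def _covers(earlier, later):
    """True if every request matching `later` would already match `earlier`."""
    for f in FIELDS:
        e, l = getattr(earlier, f), getattr(later, f)
        if e != ANY and (l == ANY or not l <= e):
            return False
    return True


def shadowed_rules(rules):
    """Return (shadowed rule, shadowing rule) pairs: rules that can never fire."""
    found = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if _covers(earlier, later):
                found.append((later.name, earlier.name))
                break
    return found


# Constructed sample policy elements.
INTERNAL, EXTERNAL = frozenset({"Internal"}), frozenset({"External"})
TEMP_OPEN = Rule("Temporary all open", "allow", sources=INTERNAL)
BLOCK_P2P = Rule("Block P2P", "deny", INTERNAL, EXTERNAL,
                 protocols=frozenset({"P2P-App"}))
WEB_SALES = Rule("Web for Sales", "allow", INTERNAL, EXTERNAL,
                 protocols=frozenset({"HTTP", "HTTPS"}),
                 users=frozenset({"Sales"}))

# The verification rule was never removed, so it sits above the real policy.
LEFTOVER = [TEMP_OPEN, BLOCK_P2P, WEB_SALES]
# The same policy with the temporary rule deleted.
CLEANED = [BLOCK_P2P, WEB_SALES]

P2P_REQUEST = {"source": "Internal", "destination": "External",
               "protocol": "P2P-App", "user": "Sales"}

if __name__ == "__main__":
    for label, policy in (("leftover", LEFTOVER), ("cleaned", CLEANED)):
        print(label, evaluate(policy, P2P_REQUEST), shadowed_rules(policy))
```

Running the shadow check after every reorder shows which deny rules have silently stopped applying, which testing a single request would not reveal.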
One of the major improvements in ISA Server 2004 is the ability to create virtually any rule element within the Access Rule wizard. The inability to create policy elements 'on the fly' with ISA Server 2000 was a major point of contention. It was a common occurrence that the ISA Server 2000 firewall administrator would begin to create a Protocol Rule and forget that the required Protocol Definition had not yet been created. ISA Server 2004 allows you to create each policy element from within the wizard.
In this chapter, we discuss how ISA Server 2004 Access Rules work and how to configure them to control access through the firewall. In addition, we discuss the procedures required to create your policy elements in advance, and we show you how to use the Access Rule toolset to simplify creation of Access Rules. Specific examples are provided, showing how to allow and deny Instant Messaging (IM) and Peer-to-Peer (P2P) applications, how to allow access to remote Exchange Servers, and much more.
Chapter Eight: Publishing Network Services to the Internet with ISA 2004
Publishing network services allows you to make servers and services on your corporate network accessible to users across the Internet and from other untrusted remote locations. Publishing services on the corporate network is fraught with danger because it exposes valuable network resources to the Internet. The challenge is to provide remote access to your network servers and services without compromising security. This is where the ISA Server 2004 firewall shines. As a sophisticated and stateful application-layer filtering firewall, the ISA Server 2004 firewall can make short work out of attackers who try to compromise your servers.
In this chapter, we discuss Web and Server Publishing rules. Web Publishing Rules allow you to securely publish Web sites and services to the Internet so that Internet users can access these servers. Web Publishing Rules provide the highest level of security available to published Web services because of their unique ability to perform SSL-to-SSL bridging and delegation of basic authentication. In addition, the HTTP Security filter allows you to control virtually any aspect of the HTTP communications moving through the firewall; the filter drops suspicious and dangerous connections before they ever reach the published Web site.
Server Publishing Rules can be used to publish virtually any service. You can use Server Publishing Rules to allow inbound access to HTTP (if you don't want to use a Web Publishing Rule, you can use a Server Publishing Rule), HTTPS, FTP, NNTP, SMTP, POP3, IMAP4, VNC, pcAnywhere, Terminal Services, and more. In addition, you can publish PPTP and L2TP/IPSec VPN servers behind an ISA Server 2004 firewall. You can publish virtually any TCP/UDP based protocol.
In this chapter, we go over the concepts and the step-by-step procedures required to publish virtually any network service using Web and Server Publishing Rules. We provide specific instructions showing you how to publish all the popular Internet protocols, as well as how to publish some more obscure services using customized configurations and using the firewall client on the published server.
Chapter Nine: Creating Remote Access and Site-to-Site VPNs with ISA Firewalls
Probably the most exciting and powerful new feature included with the ISA Server 2004 firewall is its significantly improved VPN server and gateway functionality. ISA Server 2000 could be configured to allow the ISA Server 2000 firewall to be a VPN server and VPN gateway, but the ISA Server 2000 firewall did not expose the VPN connections to firewall policy. In contrast, with ISA Server 2004, VPN remote access and gateway-to-gateway connections are all exposed to firewall policy in the same way as any other connection made through the ISA Server 2004 firewall.
The ISA Server 2004 firewall's VPN features allow you to control what resources VPN clients can connect to on a user/group basis. For example, if you want a group of users to only be able to connect to the Exchange Server using the secure Exchange RPC protocol via the Outlook 2002 client when connected over a VPN, you can create a firewall policy that limits this group to the Exchange Server only, and only when using the protocols required to connect using the full Outlook MAPI client.
The ISA Server 2004 firewall can now create gateway-to-gateway VPN connections using IPSec tunnel mode. This allows you to connect the ISA Server 2004 firewall to other VPN gateways made by third-party vendors using IPSec tunnel mode. Now you can bring the ISA Server 2004 firewall into a branch office and easily connect it to the non-Microsoft VPN server or concentrator at the main office. However, if you choose to use ISA Server 2004 firewalls as VPN gateways at both the main and branch offices, you can benefit from the higher security derived from using L2TP/IPSec as your site-to-site VPN protocol.
In this chapter, we cover the concepts and step-by-step procedures required to make the ISA Server 2004 firewall both a VPN Remote Access Server (RAS) and a VPN gateway (used for site-to-site VPN connections). This includes connecting to third-party VPN gateways and also addresses the special cases of publishing PPTP and L2TP/IPSec VPN servers behind the ISA Server 2004 firewall. Another issue that is addressed is providing outbound access for VPN clients that use PPTP, L2TP/IPSec NAT-T and third-party IPSec NAT-T solutions.
Chapter Ten: Stateful Inspection and Application Layer Filtering
One of the most compelling features of ISA 2004 is its "deep" application layer filtering (ALF) capabilities. With ALF, you can protect against application layer attacks, prevent users from visiting dangerous or offensive Web sites, and even provide first-line defense against spam at the firewall level. With ALF, you can perform protocol-specific tasks and control access to and from your network based on application (FTP, H.323, SOCKS4, etc.).
In this chapter, we discuss the benefits of ALF and how it fits into your network security plan, and provide step-by-step instructions in how to configure the application filters and Web filters that come with ISA 2004, as well as how to use add-in filters to further expand ISA 2004's application layer filtering functionality. Here you will learn how to use the DNS filter, the POP intrusion detection filter, the RPC, PPTP and SMTP filters, the Web Proxy filter, and many more. We'll also discuss filters that enable OWA forms-based authentication, SecurID authentication, and RADIUS authentication, and you'll learn all about link translation and enforcing configurable HTTP policy with the appropriate filters.
Chapter Eleven: Accelerating Web Performance with ISA 2004 Caching Capabilities
One of ISA Server 2004's biggest competitive advantages is that it is not only a firewall and VPN server and gateway; it is also a Web-caching server. The Web-caching component allows you to speed up Web access for your corporate network users and potentially reduce overall bandwidth usage on all your Internet links.
In this chapter, we go over the concepts and step-by-step procedures required to configure the ISA Server 2004 firewall as a Web-caching server. You'll learn about the settings required to optimize Web-caching performance and how to configure Web proxy chaining to improve Web performance for your branch office users and reduce overall bandwidth usage on branch office links to the main office.
Chapter Twelve: Using ISA 2004: Monitoring, Reports and Logging
The Monitoring node in the ISA Server 2004 management console is a huge improvement over the same feature in ISA Server 2000, providing a handy "Dashboard" view that lets you see the "big picture" of what's happening in various monitoring areas, along with performance information.
An intuitive tabbed interface makes it easy to quickly delve into more details about specific monitoring areas, and we will provide step-by-step instructions on how to configure alerts, how to use session and services information, how to configure logging and generate reports, and how to use the connectivity verification feature.
Appendix: Network Security Basics
In order to understand what a firewall does and how various firewall features work, it is essential that you have an understanding of the TCP/IP protocol stack and how common intrusions and attacks exploit characteristics of the protocols at different layers of the Open Systems Interconnect (OSI) and Department of Defense (DOD) networking models to do their dirty work.
Readers who do not have previous networking experience or who need a quick review of basic TCP/IP concepts and exploits should check out Appendix A before proceeding through the rest of the book.
This Book's For You: Our Target Audience
This book is for anyone who wants to know what ISA Server 2004 is all about, how it differs from ISA 2000 and from third party firewall and caching products, and how to get the most out of it to protect your network and improve Web content performance for your internal and external users.
This book is not designed as an exam prep or study guide. Although it contains useful conceptual information and step-by-step exercises that will provide readers with a better understanding of ISA Server 2004, and can serve as a background supplement to training kits and courses designed to prepare candidates for the MCSA/MCSE exam, the purpose of this book is to address real-world installation, configuration, management, and troubleshooting issues encountered on the job. Its structure and content are not based on exam objectives, and exam candidates should not consider it a primary source of preparation.
At the time of the writing of this book, Microsoft Certification Exam 70-350, Installing, Configuring and Administering Microsoft Internet Security and Acceleration (ISA) Server 2004, has not been written and objectives are not yet available. Check the Microsoft Learning Web site at www.microsoft.com/learning/mcpexams/default.asp for information about the exam.
For those who want to get a head start on studying for the ISA Server 2004 exam, a good starting place is the exam preparation guide for Exam 70-227, Installing, Configuring and Administering Microsoft Internet Security and Acceleration (ISA) Server 2000, Enterprise Edition. At the time of this writing, Exam 70-227 not only counts as an elective for the Microsoft Certified Systems Administrator (MCSA) and Microsoft Certified Systems Engineer (MCSE) certification paths, but is also a core security exam for the MCSA and MCSE security specialty certification paths. It is expected that Exam 70-350 will similarly count toward the security specialist certifications.
As with all current Microsoft certification exams, the most important preparation will be hands-on work with the product in a variety of networking situations. Deploying ISA Server 2004, either on a home network, on a business network, or in a virtual network environment, and working with it on a daily basis is the best way to gain the intimate familiarity with the interface, concepts, and administrative tasks that you need in order to answer the exam questions successfully.
This book is based in large part on our own trials and tribulations (as well as the occasional 'Eureka!' moment) that we've experienced working with ISA Server 2004. In this book, we are talking to people much like ourselves - experienced Windows network administrators who want to secure their networks and speed up Web access for their users without having to make a full-time vocation of it, learn programming, recompile kernels, or struggle with a brand new command syntax. We're talking to people who want a security solution that is built to interoperate with their Windows domain controllers and Microsoft servers such as Exchange and SharePoint. We're talking to experienced ISA 2000 administrators, those who are brand new to the world of firewalls, and those who are migrating from third-party firewall products.
A book is, by its very nature, a one-way conversation that flows from author to reader. However, we have built each of our books on questions and comments from our readers, and we don't consider the subject closed when the book is finally printed and on the shelves. Rather, that's just the beginning of a dialog, and the input we get from you will help us in writing the next book, article or courseware project. You can reach us through the www.syngress.com Web site and you can find a wealth of additional and updated information about ISA Server 2004 at www.isaserver.org and on our Web site at www.msfirewall.org.