Page 1
Module 4: Configuring ISA Server as a Firewall

Page 2
• Using ISA Server as a Firewall
• Examining Perimeter Networks and Templates
• Configuring System Policies
• Configuring Intrusion Detection and IP Preferences

Page 3
Lesson: Using ISA Server as a Firewall
• What Is a TCP/IP Packet?
• What Is Packet Filtering?
• What Is Stateful Filtering?
• What Is Application Filtering?
• What Is Intrusion Detection?
• How ISA Server 2004 Filters Network Traffic
• Implementing ISA Server 2004 as a Firewall

Page 4
What Is a TCP/IP Packet?
[Diagram: a TCP/IP packet showing header fields and payload; legible field values: Destination Port: 80, Sequence: 3837066872, Acknowledgment: 2982470625]

Page 5
What Is Packet Filtering?
[Diagram: a packet filter on ISA Server]

Page 6
What Is Stateful Filtering?
[Diagram: ISA Server in front of a Web server; an outbound request creates a connection rule, and each later packet is checked with the question "Is packet part of a connection?"]
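The decision shown on the slide, as an added example that is not part of the course material or of ISA Server's own code: a minimal stateful filter in Python that keeps a connection table, records a connection when the Internal network opens one, and allows later packets only if they belong to a recorded connection. Assumed for illustration only: the Internal network is 192.168.1.0/24, an access rule permits only outbound HTTP and HTTPS, and the packet sequence is constructed.

```python
"""Minimal stateful packet filter (added teaching example; not ISA Server code).

Models the decision on the slide: an outbound connection from the Internal
network creates a connection entry, and a later packet is allowed only when it
belongs to a connection already in the table.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("192.168.1.0/24")   # assumption: the Internal network range
ALLOWED_OUTBOUND_PORTS = {80, 443}         # assumption: the access rule in force


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    flags: frozenset      # TCP flags present, e.g. frozenset({"SYN", "ACK"})


class StatefulFilter:
    """Connection table keyed by the 4-tuple of the packet that opened the connection."""

    def __init__(self):
        self.connections = {}   # (src_ip, src_port, dst_ip, dst_port) -> state string

    def process(self, pkt: Packet):
        """Return (allowed, reason) for one packet and update the connection table."""
        forward = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        reverse = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)

        # 1. "Is packet part of a connection?" Look up both directions of the tuple.
        key = forward if forward in self.connections else (
            reverse if reverse in self.connections else None)
        if key is not None:
            if pkt.flags & {"RST", "FIN"}:
                del self.connections[key]              # teardown: forget the connection
                return True, "allowed: connection teardown"
            if key == reverse and {"SYN", "ACK"} <= pkt.flags:
                self.connections[key] = "ESTABLISHED"  # the server answered the open
            return True, "allowed: part of an existing connection"

        # 2. Not known: "Create connection rule" only for a permitted outbound SYN.
        src_internal = ip_address(pkt.src_ip) in INTERNAL
        dst_internal = ip_address(pkt.dst_ip) in INTERNAL
        if (src_internal and not dst_internal and pkt.flags == frozenset({"SYN"})
                and pkt.dst_port in ALLOWED_OUTBOUND_PORTS):
            self.connections[forward] = "SYN_SENT"
            return True, "allowed: new outbound connection recorded"

        # 3. Everything else (unsolicited inbound, stray ACKs, disallowed ports) is dropped.
        return False, "dropped: no matching connection and no rule permits a new one"


def run_demo() -> dict:
    """Feed a constructed packet sequence through the filter and collect the verdicts."""
    fw = StatefulFilter()
    client, web, outside = "192.168.1.10", "203.0.113.5", "198.51.100.7"   # constructed hosts
    sequence = [
        Packet(client, 50000, web, 80, frozenset({"SYN"})),          # internal client opens HTTP
        Packet(web, 80, client, 50000, frozenset({"SYN", "ACK"})),   # Web server replies
        Packet(client, 50000, web, 80, frozenset({"ACK"})),          # handshake completes
        Packet(outside, 4444, client, 50000, frozenset({"ACK"})),    # stray ACK, no connection
        Packet(outside, 4444, client, 3389, frozenset({"SYN"})),     # unsolicited inbound SYN
        Packet(client, 50001, web, 23, frozenset({"SYN"})),          # outbound port not permitted
        Packet(web, 80, client, 50000, frozenset({"FIN", "ACK"})),   # Web server closes
    ]
    verdicts = [fw.process(p) for p in sequence]
    return {"allowed": [ok for ok, _ in verdicts],
            "reasons": [why for _, why in verdicts],
            "open_connections": len(fw.connections)}


if __name__ == "__main__":
    result = run_demo()
    for ok, why in zip(result["allowed"], result["reasons"]):
        print("ALLOW" if ok else "DROP ", why)
```

The point the slide makes is visible in packets 4 and 5: a packet from outside is dropped not because of its port but because no connection in the table explains it, while the SYN/ACK from the Web server in packet 2 is allowed for the opposite reason. A production filter additionally ages entries out and tracks the two half-closes of a FIN exchange, which this example collapses into a single teardown.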

Page 7
What Is Application Filtering?
[Diagram: an application filter inspecting packet contents; legible text: "…d content and methods?"]

Page 8
What Is Intrusion Detection?

Page 9
How ISA Server 2004 Filters Network Traffic

Page 10
Implementing ISA Server 2004 as a Firewall
• Determine perimeter network configuration
• Configure networks and network rules
• Configure system policy
• Configure intrusion detection
• Configure access rule elements and access rules
• Configure server and Web publishing

Page 11
Practice: Applying Firewall Concepts
In this practice, you will analyze three network security requirements and determine what firewall functionality is required in each scenario.

Page 12
Lesson: Examining Perimeter Networks and Templates
• What Is a Perimeter Network?
• Why Use a Perimeter Network?
• Network Perimeter Configurations
• About Network Templates
• How to Use the Network Template Wizard
• Modifying Rules Applied by Network Templates

Page 13
What Is a Perimeter Network?

Page 14
Why Use a Perimeter Network?
• Between the Internet and confidential data or critical applications stored on servers on the internal network
• Between potentially nonsecure networks, such as wireless networks, and the internal network
Use defense in depth in addition to perimeter network security.

Page 15
Network Perimeter Configurations

Page 16
About Network Templates
Deploy the Single Network Adapter template for proxy and caching only.

Page 17
How to Use the Network Template Wizard
[Screenshot: Microsoft Internet Security and Acceler… management console with the Network Template Wizard pages "Internal Network" and "Perimeter Network". Tabs: Networks | Network Sets | Network Rules | Web Chaining. The Networks tab lists:]

Name                    | Address Ranges                            | Description
External                | IP addresses external to the IS…          | Built-in network object representing the Internet
Internal                | 192.168.1.0 - 192.168.1.255               | Network representing the internal network
Local Host              | No IP addresses are associated            | Built-in network object representing the ISA Server computer
Perimeter               | 172.16.1.0 - 172.16.1.255; 172.16.255.255 | Network object representing a perimeter network (also known as D…
Quarantined VPN Clients | No IP addresses are currently a…          | Built-in dynamic network representing client computers connecting to…
VPN Clients             | No IP addresses are currently a…          | Built-in dynamic network object representing client computers conne…

Page 18
Modifying Rules Applied by Network Templates
• Modify Internet access based on protocols
• Modify network rules to change network relationships
You can either change the properties of one of the rules configured by the network template, or you can create a new access rule to apply a specific setting.

Page 19
Practice: Implementing Network Templates
• Applying the 3-Legged Network Template
• Reviewing the Access Rules Created by the 3-Legged Network Template
• Testing Internet Access
[Diagram: lab computers Gen-Web-01 and Den-ISA-01]

Page 20
Lesson: Configuring System Policies
• What Is System Policy?
• System Policy Settings
• How to Modify System Policy Settings

Page 21
What Is System Policy?
System policy is:
• A default set of access rules applied to the ISA Server to enable management of the server
• A set of predefined rules that you can enable or disable as required
Modify the default set of rules provided by the system policy to meet your organization's requirements. Disable all functionality that is not required.

Page 22
System Policy Settings
System policy settings include:
[List not legible in the extraction]

Page 23
How to Modify System Policy Settings
[Screenshot: System Policy Editor. Legible configuration groups and entries: NTP; Authentication Services: Active Directory, RADIUS, RSA SecurID, CRL Download; Remote Management: Microsoft Manageme…, Terminal Server, ICMP (Ping). Instruction text: use the 'From' tab to specify the trusted DHCP servers]

Page 24
Practice: Modifying System Policy

Page 25
Lesson: Configuring Intrusion Detection and IP Preferences
• About Intrusion Detection Configuration Options
• How to Configure Intrusion Detection
• About IP Preferences Configuration Options
• How to Configure IP Preferences

Page 26
About Intrusion Detection Configuration Options
• Compares network traffic and log entries to well-known attack methods and raises an alert when an attack is detected
• Detects well-known IP attacks
• Includes application filters for DNS and POP that detect intrusion attempts at the application level

Page 27
How to Configure Intrusion Detection
[Screenshot: Intrusion Detection dialog]
Common Attacks tab:
  [x] Enable intrusion detection
  Enable detection of the selected attacks:
    [x] Windows out-of-band (WinNuke)
    Detect after attacks on [number illegible] well-known ports
  [x] Log dropped packets
  … alert definitions for these attacks, …
  Help about alerts
DNS Attacks tab:
  [x] Enable detection and filtering of DNS attacks
  Filter incoming traffic to check for the following:
    [x] DNS host name overflow
    [x] DNS length overflow
    [ ] DNS zone transfer
  Help about alerts

Page 28
About IP Preferences Configuration Options
• Block or enable network traffic that has an IP option flag set
  You can block all packets with IP options, or selected packets.
• Block or enable network traffic where the IP packet has been split into multiple IP fragments
  Blocking IP fragments may affect streaming audio and video, and L2TP over IPSec traffic.
• Enable or disable IP routing
  With IP routing enabled, ISA Server forwards IP packets between networks without recreating the packet.

Page 29
How to Configure IP Preferences
[Screenshot: IP Preferences dialog]
IP options: list with the legible entries Time Stamp, Security, Loose Source Route, Stream ID, Strict Source Route, Router Alert; view filters "Show only selected IP options" and "Show undefined IP options"; help text "Enable this option to block packets containing …"
IP fragments: [ ] Block IP fragments
IP routing: "IP Routing allows ISA Server to route IP packets in kernel mode and …"
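To make the IP-option and fragment decisions from pages 28 and 29 concrete, here is an added example that is not part of the course material and does not use any ISA Server API: a Python IPv4 header parser that lists the options present (by the names used in the IP Options dialog, with unknown types reported as undefined) and flags fragments, followed by a policy function with the same knobs the dialog exposes. The sample headers, addresses and the choice of Loose/Strict Source Route as the blocked options are constructed for illustration.

```python
"""IPv4 header inspection for the IP Preferences decisions (added teaching example,
not ISA Server code). Parses a raw header, lists IP options, flags fragments, and
applies the block-options / block-fragments policy. Sample headers are constructed."""
import struct
from dataclasses import dataclass, field

# IANA option-type bytes for the options named in the IP Options dialog.
IP_OPTION_NAMES = {0x44: "Time Stamp", 0x82: "Security", 0x83: "Loose Source Route",
                   0x88: "Stream ID", 0x89: "Strict Source Route", 0x94: "Router Alert"}


@dataclass
class IPv4Summary:
    src: str
    dst: str
    options: list = field(default_factory=list)
    more_fragments: bool = False
    fragment_offset: int = 0          # bytes

    @property
    def is_fragment(self) -> bool:    # MF set or non-zero offset: one piece of a larger datagram
        return self.more_fragments or self.fragment_offset > 0


def parse_ipv4_header(data: bytes) -> IPv4Summary:
    """Parse the fixed 20-byte header and walk the options area; raise on malformed input."""
    if len(data) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, _total, _ident, flags_frag, _ttl, _proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", data[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    header_len = (ver_ihl & 0x0F) * 4
    if header_len < 20 or len(data) < header_len:
        raise ValueError("IHL does not match the bytes available")
    summary = IPv4Summary(src=".".join(map(str, src)), dst=".".join(map(str, dst)),
                          more_fragments=bool(flags_frag & 0x2000),
                          fragment_offset=(flags_frag & 0x1FFF) * 8)
    i = 20                                    # options occupy bytes 20 .. header_len-1
    while i < header_len:
        opt_type = data[i]
        if opt_type == 0:                     # End of Option List
            break
        if opt_type == 1:                     # No Operation: single byte, no length
            i += 1
            continue
        if i + 1 >= header_len:
            raise ValueError("option type byte without a length byte")
        opt_len = data[i + 1]
        if opt_len < 2 or i + opt_len > header_len:
            raise ValueError("option length overruns the header")
        summary.options.append(IP_OPTION_NAMES.get(opt_type, f"undefined(0x{opt_type:02x})"))
        i += opt_len
    return summary


def is_well_formed(raw: bytes) -> bool:
    """True when the header parses cleanly; a filter should drop anything else."""
    try:
        parse_ipv4_header(raw)
        return True
    except ValueError:
        return False


def ip_preferences_verdict(summary, *, block_all_options=False,
                           blocked_options=("Loose Source Route", "Strict Source Route"),
                           block_fragments=True):
    """Return (allowed, reason) using the option and fragment decisions from the slides."""
    if summary.options and block_all_options:
        return False, "packet carries IP options: " + ", ".join(summary.options)
    hits = [o for o in summary.options if o in blocked_options]
    if hits:
        return False, "blocked IP option: " + ", ".join(hits)
    if block_fragments and summary.is_fragment:
        return False, f"IP fragment (MF={summary.more_fragments}, offset={summary.fragment_offset})"
    return True, "no IP option or fragment rule matched"


def build_ipv4(src: str, dst: str, options: bytes = b"", flags_frag: int = 0) -> bytes:
    """Construct a sample header; options are padded with EOL bytes, checksum left at 0."""
    def to_bytes(ip):
        return bytes(int(o) for o in ip.split("."))
    padded = options + b"\x00" * (-len(options) % 4)
    ihl = (20 + len(padded)) // 4
    return struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, 20 + len(padded), 0x1234,
                       flags_frag, 64, 6, 0, to_bytes(src), to_bytes(dst)) + padded


# Constructed samples using documentation addresses; not captured traffic.
SAMPLES = {
    "plain": build_ipv4("192.168.1.10", "203.0.113.5"),
    "loose_source_route": build_ipv4("192.168.1.10", "203.0.113.5",
                                     options=bytes([0x83, 7, 4, 203, 0, 113, 9])),
    "router_alert": build_ipv4("192.168.1.10", "224.0.0.22", options=bytes([0x94, 4, 0, 0])),
    "fragment": build_ipv4("198.51.100.7", "192.168.1.10", flags_frag=0x2000),
}


def evaluate_all(block_all_options: bool = False) -> dict:
    """Map each sample name to True (allowed) or False (blocked) under the policy."""
    return {name: ip_preferences_verdict(parse_ipv4_header(raw),
                                         block_all_options=block_all_options)[0]
            for name, raw in SAMPLES.items()}
```

With the defaults, evaluate_all() blocks the source-routed packet and the fragment but lets the Router Alert packet through; with block_all_options=True the Router Alert packet is blocked as well, which is the "block all packets with IP options" choice from page 28. The parser refuses headers whose option length overruns the IHL, since a filter that trusted those bytes would be reading past the header it was asked to inspect.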

Page 30
Practice: Configuring Intrusion Detection

Page 31
Lab: Configuring ISA Server as a Firewall
• Exercise 1: Restoring Firewall