Microsoft ISA Server 2004 Firewall phần 2

Firewall Client The ISA Server 2004 firewall client is one of the components to an ISA Server 2004 solution that really separates it from the competition in terms of the kind of control

SecureNAT Client

The SecureNAT client is effectively any device that attempts to communicate through the ISA Server 2004 firewall without being configured as one of the other firewall types For all intents and purposes, this is the traditional "point to the firewall as the default gateway

to communicate" type of a client Therefore, practically any type of TCP/IP network host can communicate through the firewall as a SecureNAT client Although easy to

implement (there is no special configuration required beyond just enabling network communications on the host), the SecureNAT client is the least secure and capable of the firewall clients SecureNAT clients cannot be configured to authenticate with the firewall

to determine what access should be permitted, nor can they access resources requiring complex protocols (protocols that require multiple connections; for example, standard FTP [port] mode connections) without the use of application filters installed on the

firewall itself

Firewall Client

The ISA Server 2004 firewall client is one of the components to an ISA Server 2004 solution that really separates it from the competition in terms of the kind of control over access that can be managed The firewall client software can be installed on any

Windows-based client, which is a limitation in environments that use Linux, Sun, UNIX,

or Mac computers Once implemented, however, the firewall client enables you to define access to external resources based on users and groups and authenticate all access

requests to ensure that only the users you have specified are allowed to communicate It also enables you to define how they can communicate This authentication information is stored in the firewall log files, making it easy to perform a forensic analysis to determine what sites, protocols, and applications the user was running or accessing

Perhaps the most powerful feature of the firewall client is the ability to enforce security controls on the client itself (for example, allowing only applications that you explicitly permit to function on the client or allowing only certain ports on the client to be used for communications) For example, a relatively difficult task to perform with most firewalls

is to prevent instant messaging and peer-to-peer applications from being used by the users Instant messaging applications can almost all use HTTP (or any other protocol) as the transport protocol, making it difficult to effectively block at the firewall Similarly, many peer-to-peer applications can do the same thing With the firewall client, you can define the names of applications that should not be allowed to run; they will be blocked

by the firewall client software Keep in mind that if the users can rename the application executable, they can bypass these restrictions

Web Proxy Client

The web proxy client is used anytime a computer is configured via its web browser to use

a proxy, and the ISA Server 2004 server is specified as the proxy Although web

browsers are the most commonly implemented applications that use proxies, instant messaging software and other applications that support using a proxy can also be

configured as web proxy clients

The web proxy client enables you to improve the performance of web access because the data can be cached by the firewall and served to the clients out of cache This also

reduces bandwidth requirements, as discussed in the next section The web proxy client also supports using authentication for access, similar to the firewall client, thus providing

a mechanism to control and track access on a user basis

Web Caching Server Functionality

Although technically not a firewall or security feature, the ISA Server 2004 server

provides full caching server functionality This allows the server to transparently cache web request and then service subsequent requests out of cache, thus reducing the amount

of bandwidth that is used for client web browsing This also allows the ISA Server 2004 server to function as a proxy, retrieving content on behalf of clients

Network Services Publishing

To provide access to protected resources, ISA Server 2004 implements what are known

as publishing rules These rules are used to provide inbound/ingress filtering functionality

to resources that are being protected by the firewall For example, if you have a web server that needs to provide services to external clients, you would use network services publishing (specifically web server publishing rules) to "publish" or provide access to the protected web server resource

There are four types of publishing rules:

• Web server publishing rule

• Secure web server publishing rule

• E-mail server publishing rule

• Server publishing rule

As you would expect, the first three rules are specialized to handle the corresponding types of network services The server publishing rule is the generic catchall rule type for any and all other publishing requirements

VPN Functionality

Microsoft ISA Server 2004, like many other firewalls, also provides integrated VPN functionality, allowing you to use the ISA Server 2004 both as a component in a site-to-site VPN as well as a termination point for remote access VPN services Although

previous versions supported Point-to-Point Tunneling Protocol (PPTP) and Layer 2 Tunnel Protocol / IP Security (L2TP/IPsec) VPN protocols, ISA Server 2004 also

supports native IPsec tunnel mode VPN implementations

Because the VPN functionality is integrated with the firewall, ISA Server 2004 can also perform stateful packet filtering and inspection on VPN traffic that is passing through the firewall, providing additional security and control of all traffic that is entering or exiting the protected network Doing so enables you to perform actions such as limiting your remote sales users to a subset of servers and services on the protected network

Management and Administration Features

Arguably some of the most deficient aspects of previous versions of ISA Server were the fact that the management interface was not intuitive, the access rule management

methodology was contrary to almost every other product out there, and the monitoring and reporting capabilities left a lot to be desired ISA Server 2004 has gone a long way toward improving these deficiencies

Management Interface

As shown in Figure 8-2, ISA Server 2004 takes advantage of the Microsoft Management Console to provide a management interface This management console can either be accessed locally on the ISA server by using Terminal Service (TS) or Remote Desktop (RDP) to start a terminal session, or can be installed on a remote system (such as the administrators desktop) to allow for remote management of all ISA Server 2004

resources in the environment In the case of TS or RDP, the TS/RDP process handles protection and encryption of the data over the network In the case of installing the

management console on a remote system, Microsoft is intentionally vague as to what if any encryption or protection of the data that is transmitted between the management console and the ISA Server 2004 server occurs Like all Microsoft products,

administrative access is granted through the use of Microsoft users and groups, as well as

by defining individual or ranges of IP addresses that are allowed to make management connections

Figure 8-2 ISA Server 2004 Management Console

[View full size image]

In addition, some third-party web-based management interfaces can be implemented, allowing for the management of the ISA server to be performed via a web browser, thus eliminating the need to install a management client for remote management

Access Rule Management

Access rule management has also been greatly simplified, following well-defined

conventions that have been long established for firewall rule management Unlike server publishing rules, which are designed for defining inbound/ingress filters, access rules are used to define outbound/egress filters to protect traffic that is sourced from a protected network Rules have the following components that can be defined in a wizard-driven fashion:

• Rule name

• Rule action (permit/deny)

• Protocol the rule applies to

• Source traffic

• Destination traffic

• Users to which the rule applies

An important distinction to be aware of is that for SecureNAT clients, rules that are set to apply to all IP traffic actually only apply to defined protocols, so you need to ensure that you define any protocols that you want to filter based on

Monitoring and Reporting

Although monitoring and reporting are some of the less-elegant aspects of firewall

management, Microsoft made significant improvements to the monitoring and reporting features of ISA Server 2004, providing the following capabilities:

• Real-time monitoring of log entries and firewall sessions

• Report customization and publishing

• E-mail notification

• Configurable log summary start times (the ability to pick any start time, as

opposed to having to use a defined start time such as midnight everyday)

• Improved SQL logging (the ability to log to a SQL server, thereby allowing for the use of advanced SQL tools to query the database and build custom reports)

• Microsoft Data Engine (MSDE) logging capabilities

Miscellaneous Features

Although the ability to support multiple networks may sound like a given, multinetwork support is actually a new feature of ISA Server 2004, allowing it to be implemented in enterprise environments that contain multiple networks (both internal and perimeter networks such as DMZ segments) In conjunction with this, you can define the

relationships between the networks and then use this information during rule creation By default, ISA Server 2004 supports the following networks:

• The internal network (this is the subnet directly connected to the internal interface

of the firewall)

• The external network (any IP addresses that do not belong to another network)

• The VPN clients network (any IP addresses which are assigned to VPN clients)

• The local host network (the IP addresses of the firewall itself)

Remote VPN users represent one of the bigger security risks for most environments These users typically connect to all sorts of networks that are outside of the control of the

IT department and then attempt to connect to their corporate network This allows the VPN client to become a carrier of viruses, worms, and other malicious software and content, thereby spreading it to the corporate network when they establish their VPN connection To help mitigate this risk, ISA Server 2004 includes VPN Quarantine

Control With VPN Quarantine Control, ISA Server 2004 can be configured to enforce policies on the VPN clients, including the following:

• All security updates and service packs defined by the administrator must be

installed

• The client must have antivirus software installed and enabled

• The client must have personal firewall software installed and enabled

If these conditions are not met, the VPN client will not be connected to the VPN and gain access to the full network resources; instead, they will be connected to a limited-access network where they can download and apply any required patches and updates Although this does not remove any malicious software from the VPN client computer, by requiring only patched and updated systems to connect you can help ensure that the VPN client computer is less susceptible to threats

Microsoft ISA Server 2004 Requirements and Preparation

ISA Server 2004 can be a relatively complex product to implement A number of system requirements and recommendations should be implemented before installing and

configuring ISA Server 2004 Table 8-2 details the system requirements as well as my recommendations beyond the system requirements

Table 8-2 System Requirements

Processor Single Pentium III 550 MHz Single or dual Xeon 3 GHz

Disk space 150 MB Mirrored or RAID5 36-GB capacity

with separate disks for caching (if implemented)

Network At least two 10/100-Mbps

network adapters

At least two 100/1000-Mbps network adapters

Operating

system

Microsoft Windows 2000 Server or Advanced Server with SP4 or later

Microsoft Windows Server 2003 (Standard or Enterprise Edition)

In addition to the system requirements, you need to harden the operating system prior to installing ISA Server 2004 on the system Use the guides mentioned early in the

"Microsoft ISA Server 2004 Firewall" section as a basis for securing the underlying operating system as well as the Microsoft ISA Server 2004 software

Of particular importance is to harden the external network interface (at a minimum) to remove all clients, services, and protocols except TCP/IP itself, as shown in Figure 8-3

Figure 8-3 External Network Interface Configuration

In addition, you also need to configure the routing table on the ISA server accordingly to support all the networks it will need to reach, or you will need to install and configure Routing and Remote Access on the firewall to enable routing protocols such as OSPF or RIPv2

Finally, ensure that you disable any network services or applications that are not

explicitly required by ISA Server 2004 Table 8-3 lists the core services that are required

by ISA Server 2004, including the startup mode that should be used All other services should be disabled

Table 8-3 Service Requirements

Mode

COM+Event System Core operating system Manual Cryptographic Services Core operating system (security) Automatic

Table 8-3 Service Requirements

Mode

IPSec Services Core operating system (security) Automatic Logical Disk Manager Core operating system (disk

management)

Automatic

Logical Disk Manager

Administrative Service

Core operating system (disk management)

Manual

Microsoft Firewall Required for normal functioning of ISA

Server 2004

Automatic

Microsoft ISA Server Control Required for normal functioning of ISA

Server 2004

Automatic

Microsoft ISA Server Job

Scheduler

Required for normal functioning of ISA Server 2004

Automatic

Microsoft ISA Server Storage Required for normal functioning of ISA

Server 2004

Automatic

MSSQL$MSFW Required when MSDE logging is used

for ISA Server 2004

Automatic

Network Connections Core operating system (network

infrastructure)

Manual

NTLM Security Support Provider Core operating system (security) Manual

Protected Storage Core operating system (security) Automatic Remote Access Connection

Manager

Required for normal functioning of ISA Server 2004

Manual

Remote Procedure Call (RPC) Core operating system Automatic Secondary Logon Core operating system (security) Automatic Security Accounts Manager Core operating system Automatic Server Required for ISA Server 2004 Firewall

Client Share

Automatic

Smart Card Core operating system (security) Manual

Table 8-3 Service Requirements

Mode

SQLAgent$MSFW Required when MSDE logging is used

for ISA Server 2004

Manual

System Event Notification Core operating system Automatic Telephony Required for normal functioning of ISA

Server 2004

Manual

Virtual Disk Service (VDS) Core operating system (disk

management)

Manual

Windows Management

Instrumentation (WMI)

Core operating system (WMI) Automatic

WMI Performance Adapter Core operating system (WMI) Manual

How the Microsoft ISA Server 2004 Firewall Works

Almost all management functions for ISA Server 2004 firewalls are performed with the ISA Server management console This is a Microsoft Management Console (MMC)-based management console that is either run on the ISA server itself (and typically accessed via RDP/TS) or must be installed separately on the remote management workstation (via the ISA Server 2004 installation program) Figure 8-4 shows the ISA Server 2004 management console