Chapter 9 ISA Virtual Private Networks 303
APPLY YOUR KNOWLEDGE
Evaluation of Proposed Solution:
Which result(s) does the proposed solution produce?
A. The proposed solution produces the required result but neither of the optional results.
B. The proposed solution produces the required result and one of the optional results.
C. The proposed solution produces the required result and both of the optional results.
D. The proposed solution does not produce the required result.
6. CrystaBell Productions has hired you to improve communication security between their two locations. Each location has an ISA Server sitting between their internal private network and the Internet.
Required Result:
All communications between the offices must be encrypted.
Optional Desired Results:
Either office can initiate the connection.
The best security algorithms should be used for the job.
Proposed Solution:
Obtain server certificates and be sure they are loaded appropriately on the ISA Server computers. Use the VPN local and remote wizards on the corresponding ISA Servers to create VPN connections. Use all default settings, but select L2TP/IPSec as the tunnel type.
Evaluation of Proposed Solution:
Which result(s) does the proposed solution produce?
A. The proposed solution produces the required result but neither of the optional results.
B. The proposed solution produces the required result and one of the optional results.
C. The proposed solution produces the required result and both of the optional results.
D. The proposed solution does not produce the required result.
Answers to Review Questions
1. Making changes in authentication methods, for example, removing MS-CHAP, or requiring certificates or smart cards. See the sections, “Examining Wizard Results” and “Making Additional Configurations.”
2. Well, Sam could be requiring more restrictive authentication methods and setting up certificates and such. But those things can be done after the wizards. Actually, the wizard does one thing that Sam can’t do. The wizard creates a strong password for the user accounts and does not make this available. Any password that Sam uses must somehow be communicated to the person configuring the remote VPN endpoint. Even if Sam does both connections, he knows the password (the setup person knows the tunnel password). When the wizard creates the password, no one knows it. This is not to say that the wizard can create a stronger password than Sam, or that the password can’t be hacked, just that initially, the tunnel password is not available to anyone. See the section, “Using the Wizard.”
Part II Configuring and Troubleshooting ISA Server Services 304
3. No static route has been created. See the section, “Without the VPN Wizard.”
4. Each private network is using the same network. Change one of the private networks to something else. See the section, “Without the VPN Wizard.”
5. You must obtain certificates for the tunnel endpoints. You can do so by setting up MS Certificate Services and installing server certificates on each ISA Server. See the section, “Configuring Microsoft Certificate Services.”
6. Yes. The certificates must be from a source trusted by both endpoints. See the section, “Configuring Microsoft Certificate Services.”
Answers to Exam Questions
1. A. Using Windows VPN client software and configuring the ISA Server to allow client connections is the way to go. B is wrong because client systems cannot use the disk. C is wrong. It is not necessary to purchase third-party software. D is wrong. There are no other offices!
2. B. A is incorrect, there already is a VPN set up and they do not want to change it. C is incorrect, the ISA Server will not allow PPTP to pass-through by default. D is incorrect, they do not want to remove the existing gateways. See the section, “Configure VPN Pass-Through.”
3. D. A is incorrect. The wizard creates user accounts and passwords. B is incorrect. The wizard configures RRAS with user accounts. C is incorrect. The wizard does this. See the section, “Configure ISA Server as a VPN Endpoint.”
4. A. B and C are incorrect, the default sets up only the remote VPN as the initiator of the connection. PPTP is not as secure as L2TP/IPSec. See the section, “Configure ISA Server as a VPN Endpoint.”
5. B. Configuring server info on the alternative page during the wizard allows both sides to initiate a connection. C is wrong because PPTP is not as secure as L2TP/IPSec. See the section “Local ISA VPN Wizard—Connection Receiver.”
6. C. Adding L2TP/IPSec makes the tunnel more secure. See the section, “Local ISA VPN Wizard—Connection Receiver.”
Suggested Readings and Resources
Thaddeus Fortenberry. Windows 2000 Virtual Private Networking. New Riders Publishing, 2001. ISBN: 1-57870-246-1.
Roberta Bragg. Windows 2000 Security, Chapters 4, 15, and 17. New Riders, 2000.
“… and Public Key Infrastructure.” ISBN: 1-57231-805-8.
“Virtual Private Networking, an Overview,” white paper at http://www.microsoft.com/windows2000/library/howitworks/communications/remoteaccess/vpnoverview.asp.
“Windows 2000 Virtual Private Networking Supporting Interoperability,” a white paper at http://www.microsoft.com/windows2000/library/howitworks/communications/remoteaccess/l2tp.asp.
“Windows 2000 Virtual Private Networking Scenario,” a white paper at http://www.microsoft.com/windows2000/library/howitworks/communications/remoteaccess/w2kvpnscenario.asp.
PART III
CONFIGURING, MANAGING AND TROUBLESHOOTING POLICIES AND RULES
10 Firewall Configuration
11 Manage ISA Server in the Enterprise
12 Access Control in the Enterprise
CHAPTER 10
Firewall Configuration
OBJECTIVES
This chapter covers the following Microsoft-specified objectives for the Configuring, Managing, and Troubleshooting Policies and Rules section of the Installing, Configuring, and Administering Microsoft Internet Security and Acceleration (ISA) Server 2000 exam:
• Configure and secure the firewall in accordance with corporate standards.
• Configure the packet filter rules for different levels of security, including system hardening.
Packet filter rules are written to control communication between networks. The ISA Server, by default, does not allow any communication between its networks until some combination of the following allows access:
• Protocol rules and site and content rules—outbound access
• Publishing rules—inbound access
• Packet filters—inbound and/or outbound traffic
• Routing rules—move packets from some interface
OUTLINE
Introduction 311
Understanding Packet Filters 312
Configuring Packet Filter Rules 312
Publishing Perimeter Network Servers 330
STUDY STRATEGIES
• If you are not clear on the use of site and content rules, protocol rules, and publishing rules to allow and deny access through the firewall, revisit earlier chapters.
• Examine default packet filters and understand their meaning and use.
• Examine default application filters and understand their meaning and use.
• Keep the following question in your mind: When would I need to use packet filters?
• Go further than the exercises, create many packet filters, and test them. Did they respond the way you felt they should? Can you think of another way to obtain the same effect?
at the direction and blessing of management. Management sets the policy; IT puts it into place.
It is important to realize this fact and determine the corporate policy for security before configuring and securing the firewall. What type of access to the Internet does policy allow? What types of externally originating communications are allowed to enter the internal network? If you do not know the answers to these questions, you cannot set the proper filters on the firewall, nor do you know how to set alerts or intrusion detection devices to let you know when attackers are present. You cannot simply use your own judgment as to what communications to block, which to allow, and which outside contact to get excited about. Although your knowledge of typical settings, warnings, bells and whistles is paramount to management’s understanding of the problem, it is management directive that colors your implementation.
That said, it is important to know how to put management’s plan into action on the ISA Server. Chapter 5, “Outbound Internet Access,” described how to use policy elements to construct site and content rules, and protocol rules, to allow or deny internal users access to the Internet. Chapter 6, “ISA Server Hosting Roles,” illustrated how to provide access for external users to internal resources in the most secure fashion.
This chapter addresses the protection of the internal network from external access and covers these issues:
• Understanding packet filters
• Configuring packet filters
• Configuring and using application filters and extensions
• Configuring for system hardening
• Special considerations for perimeter networks
• Troubleshooting access
Part III Configuring, Managing and Troubleshooting Policies and Rules 312
UNDERSTANDING PACKET FILTERS
Packet filters are written to allow or block the passage of packets on external interfaces (or perimeter network computers). Decisions are made based on the following information in the packet:
• Protocol and/or ports
• Direction (inbound, outbound, both)
• Which direction?
• The remote computer it came from or is directed to
These decisions can sometimes be accomplished by other means, and it is desirable to do so; however, there are situations where you must use packet filters:
• Publishing servers in a 3-home perimeter network
• Running services, such as mail servers and Web servers, on the ISA Server. Packet filters direct the traffic received for the appropriate port to the service.
• Running applications on the ISA Server that need to connect to the Internet. You create direct connections to the Internet for these applications.
• Using protocols other than UDP or TCP. Web proxy handles HTTP, HTTPS, and FTP. Firewall handles TCP and UDP. All others (examine the ICMP default filters) must be handled by packet filters.
CONFIGURING PACKET FILTER RULES
Configure the packet filter rules for different levels of security, including system hardening.
Although packet filters are generally thought of as devices to control access from the outside, in practice, they are used to control the transfer of packets in either direction. They examine the protocol used, and allow or deny (drop the packet) its passage. Packet filtering is enabled by default in Firewall mode and in Integrated mode but not in Caching mode. (In Caching mode, access to external sites is managed using protocol rules and site and content rules.) When packet filtering is enabled, all packets on the external interface are dropped unless packet filters, access policy, or publishing rules allow them. To help you understand packet filters and how to use them to control access to your network, the following sections are provided:
• Examining Default Packet Filters
• Configuring New Packet Filters
• Configuring/Enabling IP Packet Filter Properties
… IP routing and not enable packet filtering. In this case the ISA Server is no longer a firewall, but a router.
Chapter 10 Firewall Configuration 313
Examining Default Packet Filters
Because the default setup of ISA Server drops all packets at the external interface unless it’s configured to do otherwise, several default rules exist, including
• … messages
• ICMP ping response (in). The ISA Server can receive inbound ping responses.
• ICMP source quench. The ISA Server receives instructions to slow its packet-sending rate.
• ICMP timeout (in). The ISA Server can receive messages relating to timeouts, for example of ping requests.
• ICMP unreachable. The ISA Server can receive notice of an unreachable address.
• DHCP Client. The external interface can act as a DHCP client. This rule is disabled by default.
• DNS filter. Requests for DNS lookup can pass.
These default rules can be enabled or disabled by right-clicking on the rule and selecting Disable or Enable.
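The default-deny behaviour described above (every packet on the external interface is dropped unless an enabled filter allows it), the effect of a disabled default filter such as DHCP Client, and the “log allow packets” property described under Table 10.3 can be modelled in a few lines. The following Python model is an added example written for this page; it is not ISA Server code and not from the book. It assumes that a block filter takes precedence over an allow filter, uses the standard ICMP type numbers and well-known DNS/DHCP ports, and evaluates constructed sample packets with documentation-range addresses.

```python
"""Toy model of ISA Server-style IP packet filtering on the external interface.

Added example, not ISA Server code. Assumptions: a packet passes only when an
enabled "allow" filter matches and no "block" filter matches (default deny);
ICMP types use the standard RFC 792 numbers; sample packets are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

ANY = None  # wildcard for an unspecified host, port or ICMP type


@dataclass(frozen=True)
class Packet:
    proto: str                      # "tcp", "udp" or "icmp"
    direction: str                  # "in" or "out", seen from the external interface
    remote: str                     # remote IPv4 address (constructed sample values)
    local_port: Optional[int] = None
    remote_port: Optional[int] = None
    icmp_type: Optional[int] = None


@dataclass
class PacketFilter:
    name: str
    mode: str                       # "allow" or "block"
    proto: str
    direction: str                  # "in", "out" or "both"
    remote: Optional[str] = ANY     # ANY = all remote computers
    local_port: Optional[int] = ANY
    remote_port: Optional[int] = ANY
    icmp_type: Optional[int] = ANY
    enabled: bool = True            # a disabled filter never matches (like the DHCP Client default)

    def matches(self, p: Packet) -> bool:
        if not self.enabled or self.proto != p.proto:
            return False
        if self.direction != "both" and self.direction != p.direction:
            return False
        for want, have in ((self.remote, p.remote), (self.local_port, p.local_port),
                           (self.remote_port, p.remote_port), (self.icmp_type, p.icmp_type)):
            if want is not ANY and want != have:
                return False
        return True


class ExternalInterface:
    """Evaluates packets against the filter list; logs drops always, passes only if asked."""

    def __init__(self, filters: List[PacketFilter], log_allowed: bool = False):
        self.filters = list(filters)
        self.log_allowed = log_allowed          # models the "log allow packets" property
        self.log: List[Tuple[str, str, Packet]] = []

    def evaluate(self, p: Packet) -> Tuple[str, str]:
        blocked = [f.name for f in self.filters if f.mode == "block" and f.matches(p)]
        allowed = [f.name for f in self.filters if f.mode == "allow" and f.matches(p)]
        if blocked:                              # assumption: block filters win over allow filters
            verdict, reason = "drop", blocked[0]
        elif allowed:
            verdict, reason = "pass", allowed[0]
        else:
            verdict, reason = "drop", "no matching allow filter (default deny)"
        if verdict == "drop" or self.log_allowed:
            self.log.append((verdict, reason, p))
        return verdict, reason


def default_filters() -> List[PacketFilter]:
    """The default filters listed above, expressed as rules (port/type numbers are standard values)."""
    return [
        PacketFilter("ICMP ping response (in)", "allow", "icmp", "in", icmp_type=0),
        PacketFilter("ICMP source quench", "allow", "icmp", "in", icmp_type=4),
        PacketFilter("ICMP timeout (in)", "allow", "icmp", "in", icmp_type=11),
        PacketFilter("ICMP unreachable", "allow", "icmp", "in", icmp_type=3),
        PacketFilter("DHCP Client", "allow", "udp", "both", local_port=68, remote_port=67, enabled=False),
        PacketFilter("DNS filter", "allow", "udp", "both", remote_port=53),
    ]


def demo(log_allowed: bool = False) -> Tuple[Dict[str, str], List[Tuple[str, str, Packet]]]:
    """Run constructed sample packets through the defaults plus one hypothetical block filter."""
    filters = default_filters() + [
        PacketFilter("Block ICMP from 203.0.113.9", "block", "icmp", "in", remote="203.0.113.9"),
    ]
    iface = ExternalInterface(filters, log_allowed=log_allowed)
    samples = {
        "echo reply in": Packet("icmp", "in", "198.51.100.7", icmp_type=0),
        "echo request in": Packet("icmp", "in", "198.51.100.7", icmp_type=8),
        "dhcp offer in": Packet("udp", "in", "198.51.100.1", local_port=68, remote_port=67),
        "dns query out": Packet("udp", "out", "198.51.100.53", local_port=1025, remote_port=53),
        "http syn in": Packet("tcp", "in", "198.51.100.7", local_port=80),
        "echo reply from blocked host": Packet("icmp", "in", "203.0.113.9", icmp_type=0),
    }
    verdicts = {name: iface.evaluate(p)[0] for name, p in samples.items()}
    return verdicts, iface.log


if __name__ == "__main__":
    verdicts, log = demo()
    for name, verdict in verdicts.items():
        print(f"{name:30s} -> {verdict}")
    print(f"{len(log)} log entries (drops only; use log_allowed=True to log allowed packets too)")
```

Running `demo()` shows the two properties the text stresses: the inbound echo request and the inbound HTTP SYN are dropped because nothing allows them, and the DHCP offer is dropped even though a matching filter exists, because that filter is disabled by default. Only the four drops appear in the log; `demo(log_allowed=True)` also records the two passes, which is the extra load the book warns about when allowed packets are logged.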
Configuring New Packet Filters
The New Filter wizard configures new rules. This wizard is run from the Access Policy\IP Packet Filters folder of the ISA Server Management console. To create a new packet filter, follow Step by Step 10.1.
STEP BY STEP
10.1 Creating a New Packet Filter
1. In the ISA Management Console, right-click Servers and Arrays\name\Access Policy\IP Packet Filters. Select New\Filter.
2. Enter a name for the new packet filter and click Next.
3. Select Allow Packet Transmission or Block Packet Transmission (see Figure 10.1). Click Next.
4. Select a predefined filter or a custom filter and click Next.
5. If Predefined is selected, select the filter from the drop-down box. Skip to step 7. Predefined filters are described in Table 10.1.
6. If Custom is selected, complete the Filter Settings page (see Figure 10.2). Choices are listed and described in Table 10.2. Click Next.
7. On the Local Computer page, select the IP address to which the packet filter is applied (see Figure 10.3). The choices are
   • Default IP addresses for each external interface on the ISA Server computer. Data traveling through all external interfaces is inspected and the filter applied.
   • This ISA server’s external IP address. Indicate the IP address of a particular ISA Server in the array, or of one of the ISA Server’s external IP addresses.
   • This computer (on the perimeter network). If a perimeter network has been set up using a third network interface card, enter the IP address of the computer for which to filter traffic.
Packet Filter or Not? When should packet filters be used? Packet filters statically open ports. It is always preferable to open ports dynamically—when the request arrives. You use ISA Server access policy rules (site and content rules, protocol rules) to allow internal clients access to the Internet and create publishing rules to allow external clients access to internal servers. However, packet filters can be created when it is necessary to route data between networks. The firewall service can forward packets between networks without changing header information. Packet filters create the rules that determine what type of data can be routed where.
FIGURE 10.1 Allowing block transmission.
8. Click Next.
9. On the Remote Computers page, select the remote computer whose packets the filter applies to: either all remote computers, or the IP address of a particular computer. If a single computer is chosen, only packets with a source address of that computer will be blocked or allowed. Click Next.
10. Review your selections and click Finish.
TABLE 10.1 Predefined packet filters (the table body did not survive extraction; remaining fragments: “remote port 53”; “up ISA Server VPNs” (two rows); “Identd service can be installed on the ISA server”; “on port 80”; “Server”; “ports across the ISA Server”)
TABLE 10.2 Custom filter settings (the table body did not survive extraction; remaining fragments: “UDP”; “protocol … Other choices … enter the appropriate number for you”; “… be used?”; “… number if the Fixed port choice is made”)
TABLE 10.3 IP PACKET FILTER PROPERTIES
(The table layout did not survive extraction; the remaining row descriptions are:)
• … outbound access
• Intrusion … preconfigured intrusion … enabled unless Packet Filtering is enabled
• This blocks a well-known attack, which sends fragmented packets and then reassembles them in a harmful way. Do not enable if video streaming is allowed through the ISA Server.
• … can be logged. Normally, all dropped packets are logged and all “allow” packets are not logged. Selecting this option logs them, creating additional load on the ISA Server resources.
• See “Intrusion Detection” later in this chapter.
• … Server firewall. Use this option to allow packets to and from internal PPTP endpoints to pass.