Presentation is loading. Please wait.

Presentation is loading. Please wait.

Module 1: Overview of Microsoft ISA Server

Published byAlejandra Pyne Modified over 9 years ago

Similar presentations

Presentation on theme: "Module 1: Overview of Microsoft ISA Server"— Presentation transcript:

1 Module 1: Overview of Microsoft ISA Server

2 Overview Introducing ISA Server Using Caching Using Firewalls
Deployment Scenarios for ISA Server

3 The Internet enables organizations to connect with customers, partners, and employees. Although this presents new business opportunities, it can also cause concerns about security, performance, and manageability. Microsoft® Internet Security and Acceleration (ISA) Server 2000 is designed to address the needs of today's Internet-enabled organizations. ISA Server includes caching features that enable organizations to save network bandwidth and provide faster Web access for users. ISA Server also includes a firewall service that helps protect network resources against unauthorized access from outside of the organization's network, while enabling efficient authorized access. Finally, ISA Server includes management and administration features that enable organizations to centrally control and manage Internet use and access.

4 After completing this module, you will be able to:
Explain the use of ISA Server. Describe the use of Web caching. Describe the use of firewalls. Identify common deployment scenarios for ISA Server.

5 Introducing ISA Server
ISA Server Editions Benefits of ISA Server Installation Modes

6 ISA Server is an enterprise firewall and cache server running on the Microsoft Windows® 2000 Server operating system that provides policy-based access control, acceleration, and management of internetworking. ISA Server is available in two editions that are designed to meet the business and networking needs of your organization. Whether deployed as separate components or as an integrated firewall and caching server, ISA Server provides organizations with a unified management console that is designed to simplify security and access management.

7 In this lesson you will learn about the following topics:
ISA Server editions Benefits of ISA Server Installation modes

8 ISA Server Editions ISA Server Standard Edition
ISA Server Enterprise Edition

9 ISA Server is available in two editions that are designed to meet the business and networking needs of your organization

10 ISA Server Standard Edition
The standard edition provides firewall security and Web caching capabilities for small businesses, workgroups, and departmental environments. The standard edition provides robust security, fast Web access, intuitive management, and excellent price and performance for business-critical environments.

11 ISA Server Enterprise Edition
The enterprise edition is designed to meet the performance, management, and scalability needs of high-volume Internet traffic environments with centralized server management, multiple levels of access policy, and fault-tolerant capabilities. The enterprise edition provides secure, scalable, and fast Internet connectivity for mission-critical environments.

12 Benefits of ISA Server Acceleration Security Management Extensibility
Fast Web Access with a High-Performance Cache Security Secure Internet Connectivity Through a Multilayered Firewall Management Unified Management with Integrated Administration Extensibility Extensible and Open Platform

13 ISA Server is a key member of the. NET Enterprise Server family
ISA Server is a key member of the .NET Enterprise Server family. The products in .NET Enterprise Server family are Microsoft's comprehensive family of server applications for building, deploying, and managing scalable, integrated, Web-based solutions and services. ISA Server offers several benefits to organizations that want fast, secure, and manageable Internet connectivity.

14 Fast Web Access with a High-Performance Cache
ISA Server provides the following Web performance benefits: Provides faster Web access for users by retrieving objects locally rather than over a slower connection to the potentially congested Internet. Reduces bandwidth costs by reducing network traffic from the Internet. Distributes the content of Web servers and e?commerce applications efficiently and cost-effectively to reach customers worldwide. Note: The capability for distributing Web content is available only in the ISA Server Enterprise Edition.

15 Secure Internet Connectivity Through a Multilayered Firewall
ISA Server provides the following security benefits: Protects networks from unauthorized access by inspecting network traffic at several layers. Protects Web, , and other application servers from external attacks by using Web publishing and server publishing to securely process incoming requests to internal servers. Filters incoming and outgoing network traffic to ensure security. Enables secure access for authorized users from the Internet to the internal network by using virtual private networks (VPNs).

16 Unified Management with Integrated Administration
ISA Server provides the following management benefits: Controls access centrally to ensure and enforce corporate policies. Improves productivity by limiting Internet use to approved applications and destinations. Allocates bandwidth to match business priorities. Provides monitoring tools and produces reports that show how Internet connectivity is used. Automates commonly performed tasks by using scripts.

17 Extensible and Open Platform
ISA Server provides the following extensibility and customization benefits: Addresses security and performance needs that are specific to an organization by using the ISA Server Software Development Kit (SDK) for in-house development of add-on components. Extends security and management functionality with third-party solutions. Automates administrative tasks with scriptable Component Object Model (COM) objects.

18 Installation Modes Cache Mode Firewall Mode Integrated Mode
Features Available with Each Mode

19 You can install ISA Server in three different modes:
cache mode, firewall mode, integrated mode.

20 Cache Mode In cache mode, you can improve network performance and save bandwidth by storing frequently accessed Web objects closer to the user. You can then route requests from clients to a cache server that holds the cached objects.

21 Firewall Mode In firewall mode, you can secure network traffic by configuring rules that control communication between an internal network and the Internet. You can also publish internal servers, which enables an organization to share data on its network with partners or customers.

22 Integrated Mode In integrated mode, you can combine the firewall and cache services on a single host computer. Although organizations can deploy ISA Server as a separate firewall or as a separate caching server, you can combine the firewall and cache server by choosing integrated mode. Many organizations can benefit from unified administration of caching and firewall functions.

23 Features Available with Each Mode
Depending on which mode you select, different features are available. The table below lists the features that are available for the firewall and cache modes. In integrated mode, all of the features are available. Features Available with Each Mode

24 Using Caching The Caching Process Types of Caching Cache

25 Caching improves network performance by maintaining a cache of frequently accessed Web objects. You can deploy ISA Server as a forward caching server to improve the speed at which users on your internal network can access Internet resources. You can also deploy ISA Server as a reverse caching server to improve the speed at which external users can access selected Web resources that you make available to the Internet. In addition, you can distribute the cache across multiple ISA Server computers. By distributing the cache, a client can access content from the ISA Server computer that is closest to the client. Distributed caching also provides load balancing and fault tolerance in a network that has multiple ISA Server computers.

26 In this lesson you will learn about the following topics:
The caching process Types of caching

27 Object is sent from Internet Object is sent from cache
The Caching Process 2 GET Internet 3 Object is sent from Internet ISA Server 5 Object is sent from cache Cache 1 GET 4 GET Client 1 Client 2

28 The process that ISA Server uses to cache content is similar to the process that a Web browser uses to save temporary Internet files. Most Web browsers cache objects locally, storing requested Web pages in a folder on a computer's hard disk. The Web browser then gains subsequent access to the same objects by retrieving the objects from the local hard disk. ISA Server takes this concept one step further and maintains a centralized cache of frequently requested Web objects to improve performance for multiple users.

29 The following steps describe the caching process that ISA Server uses to retrieve Web objects for clients: Client 1 requests a Web object. If the object is not already in the ISA Server cache, ISA Server retrieves the object from the Web server on the Internet. The Web server on the Internet returns the object to the ISA Server computer. ISA Server retains a copy of the object in its cache and returns the object to Client 1. The time that it takes the client to receive the object and the resulting Internet traffic are approximately the same as if the client had assessed to the object directly. Client 2 requests the same Web object. ISA Server returns the object from its cache rather than obtaining it from the Web server on the Internet. The client receives the object much quicker and the request requires no Internet traffic.

30 Types of Caching Forward Caching Reverse Caching Distributed Caching
Internal Network Cache Internet Reverse Caching Cache Internet Web Server Distributed Caching Cache Internal Network Cache Cache Internet

31 The caching service accelerates Web performance for both internal and external clients. ISA Server supports both forward caching for outgoing requests and reverse caching for incoming requests. In addition, the cache can be distributed across multiple ISA Server computers.

32 Forward Caching You can use forward caching to provide internal clients with access to Web objects on the Internet. The ISA Server computer maintains a centralized cache of frequently requested Web objects that can be accessed by any Web browser. Objects served from the cache require significantly less processing than objects served from the Internet.

33 Reverse Caching You can use reverse caching to provide external clients with access to Web objects from an internal Web server. The ISA Server computer, which is located in front of the Web server, forwards requests to the internal Web server only when it cannot retrieve a requested object from its cache. ISA Server improves the speed at which external clients receive Web objects.

34 Distributed Caching You set up an array of ISA Server computers to perform distributed caching. An array is a group of ISA Server computers that that you manage as a single, logical entity. Distributing cached objects enhances caching performance through load balancing and provides fault tolerance if an ISA Server computer is unavailable. You can distribute both forward caching and reverse caching. Note: Distributed caching is available in only the ISA Server Enterprise Edition.

35 Using Firewalls Firewall Overview Bastion Host
Perimeter Network with Three-Homed Firewall Perimeter Network with Back-to-Back Firewalls Filters and Network Access

36 A firewall is a system, consisting of hardware, software, or a combination of both, that is designed to protect private networks from unauthorized access. There are several types of firewall designs, including bastion hosts and perimeter networks with a three-homed firewall or with back-to-back firewalls. Firewalls use packet filtering and other types of filtering to control network access.

37 In this lesson you will learn about the following topics:
Firewall overview Bastion host Perimeter network with three-homed firewall Perimeter network with back-to-back firewalls Filters and network access

38 Firewall Overview A Firewall is:
A Controlled Point of Access for All Traffic that Enters the Internal Network A Controlled Point of Access for All Traffic that Leaves the Internal Network

39 In a building, you construct a firewall to keep a fire in one area of the building from spreading to another area of a building. A firewall on a network provides a similar purpose—it prevents the potential dangers of the Internet from spreading to your internal network. A firewall is typically installed at the point where an internal network connects to the Internet.

40 A firewall serves two primary functions:
It is a controlled point of access for all traffic that enters the internal network. A firewall prevents unauthorized users from gaining access to your network data and resources. It is a controlled point of access for all traffic that leaves the internal network. A firewall ensures that interactions between the Internet and your internal network conform to the security rules and policies of your organization

41 Bastion Host Internet Firewall Internal Network

42 A bastion host is a computer that is the main point of contact for clients of internal networks to gain access to the Internet. As a firewall, the bastion host is designed to defend against attacks aimed at the internal network. A bastion host is typically used for smaller networks to protect the internal network from the intruders.

43 Configuration of a Bastion Host
A bastion host has two network adapters, one connected to the internal network and one connected to the Internet. This configuration physically isolates the internal network from potential intruders on the Internet. Because a bastion host configuration is a single point of defense, it is important to make sure that the computer is well secured.

44 Advantage of a Bastion Host
The advantage of using a bastion host is that it minimizes the cost and the amount of administration that is required for a firewall. However, a bastion host depends on a single firewall to secure the entire network. If an Internet user compromises the firewall, that Internet user can gain access to the organization's internal network, including any resources that are not sufficiently secured. Important: Because a bastion host allows Internet users to have direct access to your internal network, you must use additional means to protect your internal resources, such as setting strict access permissions on networks resources.

45 Perimeter Network with Three-Homed Firewall
Internet Firewall Internal Network

46 A perimeter network is a small network that contains resources that you want to make available to users on the Internet while maintaining the security of these resources. A perimeter network is separate from both your internal network and the Internet. A perimeter network allows external clients to gain access to specific servers located in the perimeter network, while completely preventing access to the internal network. You typically use a perimeter network to deploy Internet- accessible resources, such as and Web servers. A perimeter network can be set up in one of two configurations: a perimeter network with a three-homed firewall or a perimeter network with back-to-back firewalls.

47 Configuration of Perimeter Network with Three-Homed Firewall
In a perimeter network configuration with a three-homed firewall, the firewall is set up with three network adapters. One adapter is connected to each of the following networks: The Internet The internal network servers located in the perimeter network The internal network clients

48 Configuration of Perimeter Network with Three-Homed Firewall (continue)
Although the servers in the perimeter network each have Internet protocol (IP) addresses that can be accessed by external clients which is specific to ISA server, the firewall computer does not allow direct access to resources that are located on the internal network. Note: An organization's security policy may also allow limited and very controlled network traffic between computers in the perimeter network and selected computers on the internal network.

49 Advantages of a Perimeter Network with Three-Homed Firewall
A three-homed firewall provides more security than a bastion host because it allows secure access to some network resources from the Internet without allowing network traffic between the Internet and your internal network. A three-homed firewall gives you a single point of administration to configure access to both your perimeter network and your internal network. However, a three-homed firewall also presents a single point of access to all parts of your network, which means that you must be especially careful in designing your access rules and monitoring for security breaches.

50 Perimeter Network with Back-to-Back Firewalls
Internet External Firewall Internal Firewall

51 In addition to a perimeter network with a three-homed firewall, you can also configure a perimeter network with back-to-back firewalls.

52 Configuration of Back-to-Back Firewalls
In a perimeter network with back-to-back firewalls, two firewalls are located on either side of the perimeter network. The two firewalls are connected to the perimeter network, with one also connected to the Internet and the other one also connected to the internal network. In this configuration, there is no single point of access. To reach the internal network, a user would need to get past both firewalls which is called Defense in Depth.

53 Advantages of Back-to-Back Firewalls
You can configure more restrictive security rules on back-to back firewalls than on a three-homed firewall, which helps you to protect your internal network more reliably. It is also easier to configure rules for a back-to-back firewall design if an organization's access policy allows limited and very controlled network traffic between computers in the perimeter network and selected computers on the internal network. Important: The back-to-back firewall configuration is the safest and most commonly used firewall design. Some organizations use variations of this design to achieve even higher levels of security.

54 Filters and Network Access
Access Policy Allow  HTTP  All Destinations Streaming Media SMTP DNS Intrusion Rules Applied Streaming Media SMTP Firewall External Network Internal Network

55 ISA Server enables you to control network access for both outgoing and incoming traffic. To control outgoing traffic, you can use access policies and rules. To control incoming traffic, you can use IP packet filters, application filters, and intrusion detection filters.

56 Controlling Outgoing Traffic
You can use access policies and rules to control outgoing traffic. An access policy consists of the following rules: Protocol rules. Define which protocols users can use for communication between the internal network and the Internet. For example, a protocol rule might allow clients to use Hypertext Transfer Protocol (HTTP). Site and content rules. Define the content and the Internet sites that users can gain access to. For example, a site and content rule might allow users to gain access to any destination on the Internet.

57 ISA Server also masks the IP addresses on your internal network when clients are connected to the Internet. Masking these IP addresses makes it more difficult for outside users to discover the structure of your internal network or to gain access to your internal network.

58 Controlling Incoming Traffic
You can use IP packet filters and application filters to control incoming traffic.

59 IP Packet Filters Packet filters control network access based on the characteristics of network packets. IP packet filters work by parsing the headers of each IP packet and then applying rules to determine whether to route or drop the packet based on the header information. ISA Server allows you to allow or deny network packets based on the characteristics of an IP packet, including the: Source address or destination address. Network protocol, such as the Internet Control Message Protocol (ICMP), TCP or UDP. Source port or destination port.

60 Application Filters Application filters accept or deny data from specific applications or data with specific content. Application filters examine network traffic that spans more than one IP packet, such as an entire e?mail message. ISA Server includes several application filters that are automatically installed with ISA Server, including: Streaming media filter. Enables you to control client access to data that uses streaming media protocols to gain access to media streaming servers, such as Microsoft Windows Media™ Technology (WMT) Server. Simple Mail Transfer Protocol (SMTP) filter. Filters incoming based on source, user, or domain, and then generates the corresponding alert. The filter maintains a list of rejected users and domains from which e?mail messages are not accepted.

61 Intrusion Detection Filters
Intrusion detection filters filter IP packet filters or application filters that analyze all incoming traffic for specific intrusions. ISA Server includes several intrusion detection filters, including: DNS intrusion detection filter. Intercepts and analyzes Domain Name System (DNS) traffic destined for the internal network. This filter checks for several known attacks on DNS servers and prevents them from reaching the DNS server. POP intrusion detection filter. Intercepts and analyzes Post Office Protocol (POP) traffic destined for the internal network and prevents the attacks from reaching the POP server.

62 Deployment Scenarios for ISA Server
Branch Office/Small Business Cache Server Branch Office/Small Business Firewall Enterprise Cache Enterprise Firewall

63 You can configure ISA Server to correspond with different deployment scenarios. Although organizations of all sizes can benefit from a combination of the caching and firewall services, the specific configurations that an organization uses can vary depending on scale, resources, budget, and the organization's approach to security and management.

64 In this lesson you will learn about the following topics:
Branch offices/small business cache server Branch office/small business firewall Enterprise cache Enterprise firewall

65 Branch Office/Small Business Office Cache Server
Main Office Cache ISA Server Branch Office Internet Cache ISA Server Small Business

66 In this scenario, you set up ISA Server as a cache server to reduce network traffic between a branch office and the main office or between a small business and the Internet. The ISA Server computer stores local copies of the most frequently accessed Web objects from the main office or from the Internet in RAM and on a hard disk. Because you use less network bandwidth when accessing Web content, more bandwidth remains available for other applications. By caching the Web content, you can also reduce long-distance telephone charges that you would incur because of demand dialing between a branch office and the main office or between a small business and an Internet Service Provider (ISP).

67 The following steps describe the process that ISA Server uses when a user requests Web objects:
A user at a branch office or small business requests a Web object. This request may be an object that is located on a Web server at the main office or on the Internet. The client computer sends the request to the ISA Server computer. If the Web object is not in the cache, the ISA Server computer forwards the request to the main office or to the Internet. The server at the main office or the server on the Internet sends the Web object to the ISA Server computer at the branch office or the small business. The ISA Server computer caches the object and then sends it to the client computer. The ISA Server computer fulfills subsequent requests for the same Web object from its local cache.

68 Branch Office/Small Business Firewall
Internet Branch Office or Small Business ISA Server Actual Connection Perceived Connection

69 In this scenario, you set up an ISA Server computer as a dedicated firewall that acts as the secure gateway to the Internet for internal clients. The ISA Server computer is placed between the internal network and the Internet. In a small network, a single ISA Server computer can provide Internet connectivity and security for the entire network. The ISA Server computer is transparent to the other parties in the communication path. The branch office or small business users do not recognize that a firewall is in the communication path unless a user attempts to gain access to a service or a site in which you configure an access policy that specifically denies access. The ISA Server computer blocks all attempts to gain access to the internal network from the Internet and hides the internal network from the users on the Internet.

70 Enterprise Cache Server
ISA Server Array Cache Internet Cache Corporate Network

71 In this scenario, caching is distributed among an array of ISA Server computers in an enterprise environment. By distributing the load of cached objects, ISA Server enhances caching performance and provides fault tolerance if an ISA Server computer becomes unavailable. ISA Server arrays enable you to scale ISA Server to accelerate Internet access for a very large number of users. When deploying an enterprise-caching scenario, you can centrally administer all caching and access restrictions.

72 ISA Server also supports chained, or hierarchical, caching
ISA Server also supports chained, or hierarchical, caching. Chained caching is a hierarchical connection between individual ISA Server computers or between arrays of ISA Server computers. Requests from clients are sent upstream through the chain until the requested object is found. If the object is not cached, the ISA Server retrieves the object from the Internet. Chained caching is also an effective means of distributing server load and providing fault tolerance. Note: Chained caching can be useful in a scenario in which an ISA Server computer at a main office caches all of the Web objects that are retrieved from the Internet. The ISA Server computer at the branch office retrieves Web objects from the ISA Server computer at the main office and then caches them locally at the branch office.

73 Enterprise Firewall Perimeter Network Internet ISA Server ISA Server

74 In this scenario, two ISA Server computers that are configured as firewalls are located on either side of a perimeter network. The servers in the perimeter network each have IP addresses that can be accessed by external clients. The ISA Server firewalls prevent external clients from gaining access to resources that are located on the internal network. When you deploy an enterprise caching solution, you can centrally administer all of the firewall settings. Note: An enterprise firewall configuration may include multiple ISA Server computers to handle a large amount of network traffic. You can configure multiple ISA Server computers centrally as an array.

75 Review Introducing ISA Server Using Caching Using Firewalls
Deployment Scenarios for ISA Server

Download ppt "Module 1: Overview of Microsoft ISA Server"

Similar presentations

Module 13: Implementing ISA Server 2004 Enterprise Edition: Site-to-Site VPN Scenario.

Module 13: Implementing ISA Server 2004 Enterprise Edition: Site-to-Site VPN Scenario.
Enabling Secure Internet Access with ISA Server

Enabling Secure Internet Access with ISA Server
Firewalls By Tahaei Fall 2012. What is a firewall? a choke point of control and monitoring interconnects networks with differing trust imposes restrictions.

Firewalls By Tahaei Fall What is a firewall? a choke point of control and monitoring interconnects networks with differing trust imposes restrictions.
Guide to Network Defense and Countermeasures Second Edition

Guide to Network Defense and Countermeasures Second Edition
Module 5: Configuring Access to Internal Resources.

Module 5: Configuring Access to Internal Resources.
Module 5: Configuring Access for Remote Clients and Networks.

Module 5: Configuring Access for Remote Clients and Networks.
Module 9: Configuring ISA Server for the Enterprise

Module 9: Configuring ISA Server for the Enterprise
Building Your Own Firewall Chapter 10. Learning Objectives List and define the two categories of firewalls Explain why desktop firewalls are used Explain.

Building Your Own Firewall Chapter 10. Learning Objectives List and define the two categories of firewalls Explain why desktop firewalls are used Explain.
Firewall Configuration Strategies

Firewall Configuration Strategies
Principles of Information Security, 2nd Edition1 Firewalls and VPNs.

Principles of Information Security, 2nd Edition1 Firewalls and VPNs.
Firewall Security Chapter 8. Perimeter Security Devices Network devices that form the core of perimeter security include –Routers –Proxy servers –Firewalls.

Firewall Security Chapter 8. Perimeter Security Devices Network devices that form the core of perimeter security include –Routers –Proxy servers –Firewalls.
Security Awareness: Applying Practical Security in Your World, Second Edition Chapter 5 Network Security.

Security Awareness: Applying Practical Security in Your World, Second Edition Chapter 5 Network Security.
Security Awareness: Applying Practical Security in Your World

Security Awareness: Applying Practical Security in Your World
Lesson 11-Virtual Private Networks. Overview Define Virtual Private Networks (VPNs). Deploy User VPNs. Deploy Site VPNs. Understand standard VPN techniques.

Lesson 11-Virtual Private Networks. Overview Define Virtual Private Networks (VPNs). Deploy User VPNs. Deploy Site VPNs. Understand standard VPN techniques.
Implementing ISA Server Caching. Caching Overview ISA Server supports caching as a way to improve the speed of retrieving information from the Internet.

Implementing ISA Server Caching. Caching Overview ISA Server supports caching as a way to improve the speed of retrieving information from the Internet.
FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 6 Packet Filtering By Whitman, Mattord, & Austin© 2008 Course Technology.

FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 6 Packet Filtering By Whitman, Mattord, & Austin© 2008 Course Technology.
Installing and Maintaining ISA Server. Planning an ISA Server Deployment Understand the current network infrastructure Review company security policies.

Installing and Maintaining ISA Server. Planning an ISA Server Deployment Understand the current network infrastructure Review company security policies.
Faten Yahya Ismael.  It is technology creates a network that is physically public, but virtually it’s private.  A virtual private network (VPN) is a.

Faten Yahya Ismael.  It is technology creates a network that is physically public, but virtually it’s private.  A virtual private network (VPN) is a.
Firewall Slides by John Rouda

Firewall Slides by John Rouda
Lecture slides prepared for “Business Data Communications”, 7/e, by William Stallings and Tom Case, Chapter 8 “TCP/IP”.

Lecture slides prepared for “Business Data Communications”, 7/e, by William Stallings and Tom Case, Chapter 8 “TCP/IP”.

Similar presentations

Ads by Google