Slide 1: Microsoft Internet Security & Acceleration Server
Dave Sayers, Technical Specialist, Microsoft UK

Slide 2: Agenda
- What is a Firewall?
- Typical Firewall Configurations
- Features of Microsoft ISA Server
- Secure Internet Access to a Web Server
- ISA Server 2004
Slide 3: What is a Firewall?
- Controlled point of access for all traffic that enters the internal network
- Controlled point of access for all traffic that leaves the internal network
- Traditional firewalls allow/deny access to certain IP addresses and ports only
Slide 4: Bastion Host (diagram: Internet, Firewall, Internal Network)

Slide 5: Perimeter Network with Three-Homed Firewall (diagram: Internet, Firewall, Perimeter Network, Internal Network)

Slide 6: Perimeter Network with Back-to-Back Firewalls (diagram: Internet, External Firewall, Internal Firewall)
Slide 7: Traditional Firewalls
- Wide open to advanced attacks
  - Code Red, Nimda
  - SSL-based attacks
- Performance vs. security tradeoff
  - Bandwidth too expensive
  - Too many moving parts
- Limited capacity for growth
  - Not easily upgradeable
  - Don't scale with business
- Hard to manage
  - Security is complex
  - IT already overloaded

Slide 8: Perimeter Security Evolution
- Wide open to advanced attacks -> Application-level protection
- Performance vs. security tradeoff -> Security and performance
- Limited capacity for growth -> Extensibility and scalability
- Hard to manage -> Easier to use
Slide 9: Internet Security and Acceleration Server
- Industry-strength firewall and proxy server
- Standard and Enterprise editions
- Standalone or arrays
- VPNs
- Server and web publishing
- Monitoring & reporting
www.microsoft.com/isaserver
www.isaserver.org

Slide 10: Key Components
- Policy Elements: Schedule, Bandwidth, Destination Set, Client Address Set, Protocol Definitions, Content Groups
- Protocol Rules
- Site and Content Rules
- Packet Filtering

Slide 11: ISA Value Add
- Server Publishing
  - Web Server
  - Exchange Server
  - Additional servers
- Application Filters
  - SMTP, DNS, HTTP, Streaming Media
- VPN Wizards
- Intrusion Detection
Slide 12: Secure Internet Access to a Corporate Web Site

Slide 13: ISA Web Publishing
- Publishes the web site on the ISA server
- Content can be cached on the ISA server using reverse proxy
- Keeps the web site secure on the private network
- Server publishing vs. web publishing

Slide 14: ISA Web Publishing
- First create an Incoming Web Listener (reverse proxy) as well as a destination set
- Then create a web publishing rule
Slide 15: Introducing: ISA Server 2004
The advanced application layer firewall, VPN and Web cache solution that enables customers to maximize IT investments by improving network security & performance
- Advanced protection
- High performance
- Ease of use

Slide 16: Common Scenarios
- Edge Firewall
  - Caching
  - Chaining
- Secure Publishing
  - Exchange
  - Web servers
- Remote Access (VPN)
- Branch office
  - Remote site security
  - S2S VPN (IPSec)
- Integrated Solution
  - Single-server edge security solution
  - Easy, unified management
- Flexible Topologies
  - 3-leg, front/back, ...
  - Asset protection
  - Multi-network support
  - Partitioning

Slide 17: ISA Server 2004 New Features: Advanced Protection
- Updated security architecture
  - Application layer security designed to protect Microsoft applications
  - Deep content inspection
  - Enhanced HTTP and customizable protocol filters
  - Comprehensive/flexible policies
  - Stateful routing
- Enhanced Exchange Server integration
  - Support for Outlook RPC over HTTP
  - Enhanced Outlook Web Access security
  - Easy-to-use configuration wizards
- Fully integrated VPN
  - Unified firewall-VPN filtering
  - Built-in support for site-to-site IPsec TM (tunnel mode)
  - Integrates with Windows Quarantine
- Comprehensive authentication
  - New support for RADIUS and RSA SecurID
  - User- & group-based access policy
  - Third-party extensibility
Slide 18: ISA 2004 Architecture (diagram)
Components shown, split between user mode and kernel mode: NDIS, TCP/IP stack, Firewall Engine, Firewall service, Policy Engine, Policy Store, Application Filter API with application filters (SMTP filter, RPC filter, DNS filter, Web Proxy filter), Web Filter API (ISAPI) with web filters.
Numbered layers in the diagram:
1. Packet layer filtering
2. Protocol layer filtering
3. Application layer filtering
4. Kernel mode data pump: performance optimization

Slide 19: Application Layer Filtering
- Modern threats call for deep inspection
  - Protects network assets from exploits at the application layer: Nimda, Slammer...
  - Provides the ability to define a fine-grained, application-level security policy
  - Best protection for Microsoft applications
- Application filtering framework
  - Built-in filters for common protocols: HTTP, SMTP, RPC, FTP, H.323, DNS, POP3, streaming media
  - Scenario-driven design
  - Extensible plug-in architecture
Slide 20: VPN Protection
- Detunneled traffic is inspected
  - Injected back to the stack
  - Stingray sees traffic on stack hooks
- VPN traffic is segregated
  - VPN network: all addresses allocated to VPN users
  - IP addresses dynamically added/removed
  - VPN network available in Stingray admin
- IPSec Tunnel Mode support
  - Provides connectivity to branch office VPN
  - Simplified tools for administration
- Quarantine support
  - Quarantined users placed in quarantine network
  - IP addresses dynamically added/removed
  - Quarantine network available in ISA Server admin

Slide 21: Engine Security Enhancements
- Flood-DoS protection
  - SYN-flood protection
  - Client connection quota
  - Applicable to worm/virus floods
  - Spoofed UDP packet flooding mitigation
- Attack/Intrusion Detection
  - IP options, DNS attacks, IP half-scan, port scan
- IP options filtering
  - Filter out individual options
- Lockdown mode
  - Restrict firewall machine access on service failures
Slide 22: Authentication Framework
- Multi-source authentication
- Firewall client authentication
  - Transparent user authentication
  - Application transparent, protocol independent
  - Kerberos/NTLM
- Web proxy authentication
  - Proxy auth, reverse proxy auth, pass-through auth, SSL bridging
  - Basic, Digest, NTLM, Kerberos, certificates
  - RADIUS authentication, SecurID authentication
  - CRL support
  - Extensible!
- VPN clients
  - EAP (certificates, smartcards, others), MS-CHAPv2, CHAP, (S-PAP, PAP)
  - RADIUS / Windows
- Extensible authentication/authorization framework
  - Third-party filters can register their own auth namespaces

Slide 23: RADIUS authentication
- Federation through RADIUS proxies
- Can be used for centralized authentication services
- Domain membership not required
  - Great for DMZ placement
Diagram: Web Client (browser, HTTP client) on the Internet; Firewall Server; RADIUS Server (IAS) and Back-end Server on the Corpnet.
1. HTTP/SSL basic auth. (client to firewall)
2. RADIUS request (firewall to RADIUS server)
3. HTTP/SSL request, sent to server (firewall to back-end server)
Slide 24: ISA Server 2004 New Features: Ease of Use
- New management tools and user interface
- Multi-network architecture
  - Unlimited network definitions and types
  - Firewall policy applied to all traffic
  - Per-network routing relationships
- Network templates and wizards
  - Wizard automates network routing relationships
  - Supports 5 common network topologies
  - Easily customized for sophisticated scenarios
- Visual policy editor
  - Unified firewall/VPN policy with one rule base
  - Drag/drop editing with scenario-driven wizards
  - XML-based configuration import/export
- Enhanced troubleshooting
  - All-new monitoring dashboard
  - Real-time log viewer
  - Content-sensitive task panes
Efficient and cost-effective network security

Slide 25: ISA 2004 Networking Model
Diagram: ISA 2004 in the centre, connected to CorpNet_1 ... CorpNet_n, DMZ_1 ... DMZ_n, Net A, Internet, VPN and the Local Host network.
- Any number of networks
- VPN as a network
- Localhost as a network
- Assigned relationships (NAT/Route)
- Per-network policy
- Packet filtering on all interfaces
- Any topology, any policy
- Support for UPnP

Slide 26: Network Templates
Objective: simplified network configuration
Features: 5 templates; automatic routing relationships; customizable

Slide 27: ISA 2004 Policy Model
- Single, ordered rule base
  - More logical and easier to understand
  - Easier to view and to audit
- New unified rule structure
  - Applicable to all types of policy
  - Three master types of rules: access rules, server publishing rules, web publishing rules
  - Application filtering properties are part of the rule
- Default System Policy
Slide 28: Visual Policy Editor (screenshot)

Slide 29: ISA Server 2004 Monitoring
- Goals
  - Server status: it's a critical service
  - Troubleshooting: quick and easy
  - Investigations: attacks, mistakes
  - Future planning: performance
- Benefits
  - Real-time status
  - Centralized view
  - Easy to understand
  - Easy to control

Slide 30: ISA 2004 Monitoring Tools
- Dashboard: aggregated centralized view
- Alerts: one place for all problems
- Sessions: active sessions view
- Services: ISA services status
- Connectivity: connectivity to network services
- Logging: powerful viewer of ISA logs
- Reports: top users, top sites, cache hits...
Slide 31: Dashboard
Objective: centralized status view
Features: real time; aggregated; easy to spot problems

Slide 32: Alerts
Objective: one place for all problems
Features: alerts history; managing alerts; severity & category

Slide 33: Sessions
Objective: active sessions view
Features: powerful query mechanism; VPN sessions; disconnect session

Slide 34: Services
Objective: ISA and dependent services status
Features: start & stop service

Slide 35: Connectivity
Objective: monitor connectivity to critical network services
Features: request types; response time & threshold; grouping

Slide 36: Logging
Objective: view of ISA traffic activities
Features: real-time mode; historical view; powerful query mechanism

Slide 37: Reports
Objective: comprehensive set of server activity reports
Features: recurring reports; report categories; email notification; report publishing
Slide 38: ISA Server 2004 New Features: High Performance
Proven ability to maximize application layer filtering speeds
- Continued commitment to integration
  - Enhanced architecture
  - High-speed data transport
  - Utilizes latest Windows and PC hardware
  - SSL bridging unloads downstream servers
- Web cache
  - Updated policy rules
  - Serve content locally
  - Pre-fetch content during low-activity periods
- Internet access control
  - User- and group-based web usage policy
  - Extensible by third parties

Slide 39: Performance
- Optimized performance architecture
  - Optimized for real-life usage scenarios
  - Raw throughput measured using HTTP+NAT benchmark
  - Kernel-mode data pump; user-mode optimizations
  - Scale up with additional CPUs
- Network Computing magazine application-level firewalls review (3/03), full inspection performance [Mbps] (chart; labels and values as extracted): Symantec FW 7.0, Sidewinder, Checkpoint NG FP3, ISA 2000 FP1; values 67, 122, 127, 170
- Raw throughput performance [Mbps]: ISA 2000 (Dec 2000) 282; ISA 2004 (today) 1.59 Gbps (* beta results)
- How? Design improvements; IP stack improvements; hardware improvements
Slide 40: Questions?

Slide 41: © 2003 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY.