Published by Phebe Hopkins. Modified over 8 years ago.
1
SEC304
Enhancing Exchange, OWA and IIS Security with ISA Server Feature Pack 1
Steve Riley
Microsoft Corporation
steriley@microsoft.com
2
Agenda
  The problem
  Enhancing Outlook-to-Exchange communication
  Enhancing Exchange OWA and IIS deployments
  More ISA Server Feature Pack 1
3
The Problem
  Packet filtering & stateful inspection are not enough to protect against today’s attacks!
  Traditional firewalls focus on packet filtering & stateful inspection
  Today’s attacks bypass this protection
  Ports & protocols cannot be trusted to indicate user intent
    Port 80 yesterday—Web browsing only
    Port 80 today—Web browsing, OWA, MSN Messenger, XML Web Services…
4
Application-layer Firewalls Are Necessary
  Required to protect against today’s attacks
  Enables deep content inspection
  Understanding what’s in the payload is a requirement
  (Diagram labels: Internet to internal network; Traditional firewall; Application-layer firewall)
5
ISA Server = Application-Layer Security
  Packet filtering & stateful inspection
  Application-layer filtering
  Deep content inspection
  Advanced proxy architecture
  Extensible/pluggable architecture
  30+ partners
  Best firewall for Microsoft environments
6
Enhancing Outlook-To-Exchange Security
7
Enhanced SMTP Filter
  Uses ISA Server application-layer filtering ability
  Filter e-mail with increased reliability and security on several attributes
    Sender
    Domain
    Keyword
    Attachment extension, name, size
    Any SMTP command and its length
8
RPC 101
  Service          UUID               Port
  Exchange         {12341234-1111 …   4402
  AD replication   {01020304-4444 …   3544
  MMC              {19283746-7777 …   9233

  RPC services grab random high ports when they start, server maintains table
  Client connects to portmapper on server (port 135/tcp)
  Client knows UUID of service it wants
  Client asks, “What port is associated with my UUID?”
  Server matches UUID to the current port… 4402/tcp
  Portmapper responds with the port and closes the connection
  Client accesses application over learned port
  (Diagram labels: RPC server (Exchange); RPC client (Outlook); 135/tcp; 4402/tcp {12341234-1111…})
9
Exchange RPC Filter
  ISA Server Exchange RPC filter
    Only port 135 (portmapper) is open
    High ports are opened and closed for Outlook clients as necessary
    Inspects portmapper traffic at application layer
    Only Exchange UUIDs allowed
  (Diagram labels: Outlook; Internet; ISA Server; Exchange Server)
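The portmapper exchange from the RPC 101 slide and the filter behaviour from the Exchange RPC Filter slide, modelled as an added example (not ISA Server code and not part of the original presentation). The UUID values and client addresses are constructed placeholders, because the UUIDs on the slide are truncated; the ports are the ones in the slide's table.

```python
# Illustrative model of an RPC endpoint-mapper filter; not ISA Server code.
# UUIDs are constructed placeholders (the slide's values are truncated).
EXCHANGE_UUID = "00000000-0000-0000-0000-0000000000e1"
AD_REPL_UUID = "00000000-0000-0000-0000-0000000000a2"
MMC_UUID = "00000000-0000-0000-0000-0000000000c3"
PORTMAPPER_PORT = 135

# Server-side table: service UUID -> port grabbed at start-up (ports from the slide).
SERVER_TABLE = {EXCHANGE_UUID: 4402, AD_REPL_UUID: 3544, MMC_UUID: 9233}


class RpcFilter:
    """Firewall model: 135/tcp is always open, high ports only per client."""

    def __init__(self, server_table, allowed_uuids):
        self.server_table = dict(server_table)
        self.allowed = {u.lower() for u in allowed_uuids}
        self.pinholes = set()  # (client_ip, port) pairs currently permitted

    def portmapper_query(self, client_ip, uuid):
        """Inspect a portmapper query; return the learned port or None."""
        if uuid.lower() not in self.allowed:
            return None  # not an Exchange UUID: refuse, reveal no port
        port = self.server_table.get(uuid.lower())
        if port is not None:
            self.pinholes.add((client_ip, port))  # open only for this client
        return port

    def permits(self, client_ip, port):
        """Would a new connection from client_ip to port pass the filter?"""
        return port == PORTMAPPER_PORT or (client_ip, port) in self.pinholes

    def session_closed(self, client_ip, port):
        """Close the high port again once the Outlook session ends."""
        self.pinholes.discard((client_ip, port))


def demo():
    fw = RpcFilter(SERVER_TABLE, allowed_uuids=[EXCHANGE_UUID])
    outlook, other = "203.0.113.10", "203.0.113.99"  # constructed client addresses
    results = {
        "exchange_port": fw.portmapper_query(outlook, EXCHANGE_UUID),
        "ad_repl_port": fw.portmapper_query(other, AD_REPL_UUID),
        "outlook_4402": fw.permits(outlook, 4402),
        "other_4402": fw.permits(other, 4402),
        "other_3544": fw.permits(other, 3544),
    }
    fw.session_closed(outlook, 4402)
    results["outlook_4402_after_close"] = fw.permits(outlook, 4402)
    return results
```

The high port is opened for the one client that asked for an allowed UUID, so a second client cannot reuse it, and a query for the AD replication UUID learns no port at all.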
10
Exchange RPC Filter
  Enforce RPC encryption
    Outlook RPC encryption enforced centrally
  Enable outbound RPC communication
    Outlook clients behind ISA Server can now access external Exchange Servers
  (Diagram labels: ISA Server with Feature Pack 1; Exchange Server; Outlook; RPC; Internal network; External network)
11
Enhancing Exchange OWA And IIS Security
12
URLScan 2.5 For ISA Server
  Filters incoming requests based on rules set
  Helps protect from attacks which
    Request unusual actions
    Have a large number of characters
    Are encoded using an alternate character set
  Can be used in conjunction with SSL inspection to detect attacks over SSL
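The three kinds of request named on this slide, expressed as checks a filter can run at the network edge. This is an added example, not URLScan code and not part of the original presentation; the verb allowlist, the 260-character limit, the function names and the sample requests are assumptions chosen for illustration.

```python
import re
from urllib.parse import unquote, unquote_to_bytes

# Assumed policy values for illustration; not URLScan's shipped defaults.
ALLOWED_VERBS = {"GET", "HEAD", "POST"}
MAX_URL_LENGTH = 260


def check_request(verb, raw_url):
    """Return (allowed, reason) for one request line, before it reaches the server."""
    # 1. Requests for unusual actions: anything outside the verb allowlist.
    if verb.upper() not in ALLOWED_VERBS:
        return False, "verb not allowed"
    # 2. Requests with a large number of characters.
    if len(raw_url) > MAX_URL_LENGTH:
        return False, "URL too long"
    # 3. Alternate character sets: %uXXXX escapes, raw or escaped high-bit bytes.
    if re.search(r"%u[0-9a-fA-F]{4}", raw_url):
        return False, "%u-encoded character"
    if any(b > 0x7F for b in unquote_to_bytes(raw_url)):
        return False, "high-bit character"
    # 4. Normalization: decoding a second time must not change the URL,
    #    otherwise the server could see a different path than the filter did.
    once = unquote(raw_url)
    if unquote(once) != once:
        return False, "double-encoded URL"
    return True, "ok"


# Constructed sample requests (not taken from the presentation).
SAMPLES = [
    ("GET", "/exchange/user/Inbox"),
    ("TRACE", "/exchange/"),
    ("GET", "/exchange/" + "A" * 300),
    ("GET", "/exchange/%u0041"),
    ("GET", "/exchange/%c0%afInbox"),
    ("GET", "/exchange/%2541"),
]


def run_samples():
    return [check_request(verb, url)[1] for verb, url in SAMPLES]
```

Over SSL these checks only work where the filter sees the decrypted request, which is why the slide pairs URLScan with SSL inspection.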
13
RSA SecurID Authentication
  ISA Server prompts user for SecurID username and PASSCODE
  RSA ACE/Agent on ISA Server passes credentials to the RSA ACE/Server for validation
  When credentials are validated
    User is granted access to the protected content
    Cookie is delivered to the user's browser for subsequent activity during the session
14
Authentication Delegation
  Client requests protected content from Web server
  ISA Server pre-authenticates users and logs their activity
  ISA Server forwards the credentials to the protected Web or OWA server
  For basic and SecurID authentication
  Authentication happens at ISA Server
    Eliminates multiple authentication dialogs
    Only valid traffic allowed past ISA Server
  Enabled per Web publishing rule
  (Diagram labels: client; Internet; ISA Server; Web server)
15
Protecting OWA
  Traditional firewall
    OWA server prompts for authentication — any Internet user can access this prompt
    SSL tunnels through traditional firewalls because it is encrypted…
    …which allows viruses and worms to pass through undetected…
    …and infect internal servers!
  ISA Server with Feature Pack 1
    Basic authentication delegation: ISA Server pre-authenticates users, eliminating multiple dialog boxes and only allowing valid traffic through
    SSL or HTTP: ISA Server can decrypt and inspect SSL traffic; inspected traffic can be sent to the internal server re-encrypted or in the clear
    URLScan for ISA Server: URLScan for ISA Server can stop Web attacks at the network edge, even over encrypted SSL
  (Diagram labels: OWA; client; SSL; Internet)
16
ISA Server Feature Pack 1
demo
17
OWA Wizard
  Used in combination with the additional OWA deployment docs
    1. Documentation = correct cert deployment
    2. Wizard = easily configures ISA Server settings
  Generates destination set and Web publishing rule with correct elements
  Adds the correct listeners to external interface
  Selects correct certificate
18
More ISA Server Feature Pack 1
19
New Documentation
  ISA Server Feature Pack 1 walkthroughs
    OWA, link translation, RSA SecurID
  Web Publishing
    Many scenarios & troubleshooting information
  Exchange Server Publishing
    Includes Exchange RPC filter, POP and IMAP & troubleshooting information
  Additional Documentation
    Including client types and digital certificates
20
RPC Filter Wizard
  Create RPC service definitions used in server publishing rules
  Enumerates services on a given server
  UUIDs can also be entered manually
  (Screenshot labels: ISA Server; ISA Server with Feature Pack 1)
21
Link Translator
  Translates hyperlinks within responses
    Intranet computer names to those of externally available computers
    Including HTTP HTTPS; SPS
  (Diagram: client on the Internet requests www.example.com/index.html through ISA Server Feature Pack 1; Web server (www.example.com) and Web server (int-mktg) sit behind it; the LINK TRANSLATOR maps int-mktg/ to mktg.example.com/, so http://int-mktg/sales.html becomes http://mktg.example.com/sales.html)
22
Partial URL Path Translation
  Allows removal of path prefix
  Details in 331069
  http://www.example.com/site1 translated to http://internal
  http://www.example.com/site1/site2/ translated to http://internal/site2
  (Diagram labels: client; Internet; ISA Server; site1.ex.com; site2.ex.com)
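The Link Translator and Partial URL Path Translation slides describe two rewrites in opposite directions: host names in outgoing responses, and path prefixes in incoming requests. The sketch below is an added example, not ISA Server code and not part of the original presentation; the mappings come from the slides, while the function names, the sample response body and the refusal of dot-dot segments are assumptions.

```python
import re

# Mappings taken from the two slides; the function names are hypothetical.
LINK_MAP = {"int-mktg": "mktg.example.com"}                    # internal -> external
PATH_MAP = {("www.example.com", "/site1"): "http://internal"}  # prefix -> internal base

# An absolute link: scheme, host, then a character that ends the host name.
_LINK_RE = re.compile(r"(https?://)([A-Za-z0-9.-]+)(?=[/:?#\"'\s<>]|$)")


def translate_links(body):
    """Rewrite internal host names in a response body to their external names."""
    def swap(match):
        host = match.group(2)
        return match.group(1) + LINK_MAP.get(host.lower(), host)
    return _LINK_RE.sub(swap, body)


def translate_path(host, path):
    """Map an external request to an internal URL, removing the path prefix."""
    if ".." in path.split("/"):
        return None  # refuse dot-dot segments instead of forwarding them
    for (ext_host, prefix), base in PATH_MAP.items():
        if host.lower() != ext_host:
            continue
        # Match whole path segments only, so /site10 is not treated as /site1.
        if path == prefix or path.startswith(prefix + "/"):
            return base + path[len(prefix):]
    return None  # no publishing rule matches: nothing is forwarded


# Constructed response body containing one internal and two non-matching links.
SAMPLE_BODY = (
    '<a href="http://int-mktg/sales.html">Sales</a> '
    '<a href="http://int-mktg2/x.html">Other</a> '
    '<a href="http://www.example.com/index.html">Home</a>'
)
```

Matching the whole host name and whole path segments keeps a rule for int-mktg or /site1 from silently applying to int-mktg2 or /site10.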
23
What Can You Do Today?
  No Exchange Server or IIS deployment is complete without ISA Server protection!
    New firewall security designed to help protect Exchange Server and IIS
    Great fit into existing deployments
  Evaluate
    Security of your current Exchange Server or IIS deployment
    ISA Server
  Download ISA Server Feature Pack 1
24
Community Resources
  Community Resources
    http://www.microsoft.com/communities/default.mspx
  Most Valuable Professional (MVP)
    http://www.mvp.support.microsoft.com/
  Newsgroups
    Converse online with Microsoft Newsgroups, including Worldwide
    http://www.microsoft.com/communities/newsgroups/default.mspx
  User Groups
    Meet and learn with your peers
    http://www.microsoft.com/communities/usergroups/default.mspx
25
Suggested Reading And Resources
  The tools you need to put technology to work!
  TITLE                                                                                                                     Available
  Microsoft® Internet Security and Acceleration (ISA) Server 2000 Administrator's Pocket Consultant: 0-7356-1442-3   Today
  Internet Information Services (IIS) 6.0 Resource Kit: 0-7356-1420-2                                                8/27/03
  Microsoft Press books are 20% off at the TechEd Bookstore
  Also buy any TWO Microsoft Press books and get a FREE T-Shirt
26
evaluations
27
© 2003 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY. Steve Riley steriley@microsoft.com