ISA Server 2004. Microsoft’s Goals Security is a top priority for Microsoft, and we are committed to helping our customers protect their intellectual.

ISA Server 2004ISA Server 2004

Microsoft’s GoalsMicrosoft’s Goals

Security is a top priority for Microsoft, and we Security is a top priority for Microsoft, and we are committed to helping our customers are committed to helping our customers

protect their intellectual property and dataprotect their intellectual property and data

RemediationRemediationInnovationInnovation

Approximately 70 percent of all Web attacksoccur at the application layer - Gartner

From 2000 to 2002 reported incidents rose from 21,756 to 82,094 – CERT, 2003

Nearly 80 percent of 445 respondents surveyed said the Internet has been a frequent point of attack, up from 57 percent just four years ago

– CSI/FBI Computer Crime and Security Survey

Security Issues TodaySecurity Issues Today

At RiskAt Risk

The SoftThe SoftUnderbellyUnderbelly

Customer ImpactCustomer Impact

Application Layer AttacksApplication Layer AttacksApplication Layer AttacksApplication Layer Attacks

Identity TheftIdentity Theft

Web Site Web Site DefacementDefacement

Unauthorized Unauthorized AccessAccess

Modification of Data, Modification of Data, Logs and RecordsLogs and Records

Theft of Proprietary Theft of Proprietary InformationInformation

Service DisruptionService Disruption

ImplicationsImplicationsImplicationsImplicationsCompliance:Compliance:

Sarbanes OxleySarbanes OxleyGramm Leach BlileyGramm Leach BlileyUS Patriot US Patriot HIPPAHIPPAThe Privacy Act (CA)The Privacy Act (CA)

LitigationLitigation File SharingFile Sharing

PiracyPiracy HR IssuesHR Issues Shareholder SuitsShareholder Suits

Security - Defense In DepthSecurity - Defense In Depth

Data and ResourcesData and Resources

Application DefensesApplication Defenses

Host DefensesHost Defenses

Network DefensesNetwork Defenses

Perimeter DefensesPerimeter Defenses

Ass

um

e P

rior

Layers

Fail

Ass

um

e P

rior

Layers

Fail

Perimeter Defenses:Perimeter Defenses: Packet Filtering, Stateful Packet Filtering, Stateful Inspection of Packets, Inspection of Packets, Intrusion DetectionIntrusion Detection

Network Defenses:Network Defenses: VLAN Access Control Lists, VLAN Access Control Lists, Internal Firewall, Auditing, Internal Firewall, Auditing, Intrusion DetectionIntrusion Detection

Host Defenses:Host Defenses: Server Server Hardening, Host Intrusion Hardening, Host Intrusion Detection, AuditingDetection, Auditing

Application Defenses:Application Defenses: Validation Checks, Verify Validation Checks, Verify HTML / Cookies Source, HTML / Cookies Source, Secure IISSecure IIS

Data and Resources:Data and Resources: Databases, Network Databases, Network Services and Applications, Services and Applications, File SharesFile Shares

TWC At The PerimeterTWC At The Perimeter

SecuritySecurity in depth begins at the perimeter in depth begins at the perimeterLimits access from outside to known portsLimits access from outside to known portsBlocks reconnaissanceBlocks reconnaissanceBlocks casual trespassBlocks casual trespassThe central place to enforce network policyThe central place to enforce network policy

PrivacyPrivacy in depth ends at the perimeter in depth ends at the perimeterCan block known ports used by TrojansCan block known ports used by Trojans

ReliabilityReliability enabled at the perimeter enabled at the perimeterKeeps DoS attacks on the “outside”Keeps DoS attacks on the “outside”Manages network load with proxy cacheManages network load with proxy cache

Integrity Integrity enabled at the perimeterenabled at the perimeterVPN termination creates “virtual” company VPN termination creates “virtual” company networknetwork

Traditional FirewallsTraditional Firewalls

Wide open to Wide open to advanced advanced attacksattacks

Wide open to Wide open to advanced advanced attacksattacks

Code Red, NimdaCode Red, Nimda SSL-based attacksSSL-based attacks

Code Red, NimdaCode Red, Nimda SSL-based attacksSSL-based attacks

Performance vs. Performance vs. security tradeoffsecurity tradeoffPerformance vs. Performance vs. security tradeoffsecurity tradeoff

Bandwidth too expensiveBandwidth too expensive Too many moving partsToo many moving parts

Bandwidth too expensiveBandwidth too expensive Too many moving partsToo many moving parts

Limited capacityLimited capacityfor growthfor growth

Limited capacityLimited capacityfor growthfor growth

Not easily upgradeableNot easily upgradeable Don’t scale with businessDon’t scale with business

Not easily upgradeableNot easily upgradeable Don’t scale with businessDon’t scale with business

Hard to manageHard to manageHard to manageHard to manage Security is complexSecurity is complex IT already overloadedIT already overloaded

Security is complexSecurity is complex IT already overloadedIT already overloaded

Perimeter Security EvolutionPerimeter Security Evolution

Wide open to Wide open to advanced advanced attacksattacks

Wide open to Wide open to advanced advanced attacksattacks

Application-level protectionApplication-level protectionApplication-level protectionApplication-level protection

Performance vs. Performance vs. security tradeoffsecurity tradeoffPerformance vs. Performance vs. security tradeoffsecurity tradeoff Security Security andand performance performanceSecurity Security andand performance performance

Limited capacityLimited capacityfor growthfor growth

Limited capacityLimited capacityfor growthfor growth Extensibility and scalabilityExtensibility and scalabilityExtensibility and scalabilityExtensibility and scalability

Hard to manageHard to manageHard to manageHard to manage Easier to useEasier to useEasier to useEasier to use

““TheThe advanced application layer firewall, VPN and Web cacheadvanced application layer firewall, VPN and Web cache solution that enables customers to maximize IT investments by solution that enables customers to maximize IT investments by

improving network security & performance”improving network security & performance”

Introducing: ISA Server 2004Introducing: ISA Server 2004

Advanced protectionAdvanced protectionAdvanced protectionAdvanced protection

Fast, Secure AccessFast, Secure AccessFast, Secure AccessFast, Secure Access

Ease of useEase of useEase of useEase of use

Microsoft ISA Server 2004Microsoft ISA Server 2004Multi-layer firewall, VPN and Web cache solution

Secures the network edge with advanced application-layer protection

Application-aware intelligent security with stateful inspection protects against the latest types of threatsEasy to use and rich management tools reduce TCO and help prevent firewall misconfigurationAn integrated solution that enabled diverse deployment scenarios with secure anytime / anywhere access to applications and dataEnhances user productivity with fast web access, protects network infrastructure investments

What it What it isis

What it What it doesdoes

Key Key FeaturesFeatures

Microsoft ISA Server 2004Microsoft ISA Server 2004Next-generation securityNext-generation security

Application-Application-awareaware

Simplified Simplified managementmanagement

Integrated Integrated solutionsolution

Enables diverse Enables diverse scenariosscenarios

Multi-layer Multi-layer protectionprotection

All-new user interfaceAll-new user interface

Secure, fast access to Secure, fast access to business applicationsbusiness applications

Government Government certificationcertification

New featuresNew features

Application Layer FilteringApplication Layer FilteringModern threats call for deep Modern threats call for deep inspectioninspection

Protects network assets from exploits Protects network assets from exploits at the application layer: Nimda, at the application layer: Nimda, Slammer...Slammer...Provides the ability to define a fine Provides the ability to define a fine grain, application level, security policygrain, application level, security policyBest protection for Microsoft Best protection for Microsoft applicationsapplications

Application filtering frameworkApplication filtering frameworkBuilt in filters for common protocolsBuilt in filters for common protocols

HTTP, SMTP, RPC, FTP, H.323, DNS, POP3, HTTP, SMTP, RPC, FTP, H.323, DNS, POP3, Streaming mediaStreaming media

Scenario-driven designScenario-driven designExtensible plug-in architectureExtensible plug-in architecture

Industry-Leading Industry-Leading PerformancePerformance

Optimized performance architectureOptimized performance architectureIndustry-leading application filtering Industry-leading application filtering performanceperformanceOptimized for real life usage scenariosOptimized for real life usage scenariosScale up with additional CPUsScale up with additional CPUs

Network computing magazine app. level firewalls review (3/03)

full inspection performance [Mbps]:

Symantec FW 7.0 67

122

127

170

Sidewinder

Checkpoint NG FP3

ISA 2000 FP1

Raw throughput performance [Mbps]:

ISA 2000 (Dec 2000) 282

1.59GbpsISA 2004 (Today) *

* Beta results

How?•Design improvements•IP Stack improvements•Hardware improvements

Ease of UseEase of Use

Unified firewall policyUnified firewall policyKeeps administration costs lowKeeps administration costs low

Simplified administration toolsSimplified administration toolsReduces training costsReduces training costs

Task-Based AdministrationTask-Based Administration

All tools for common tasks in one All tools for common tasks in one placeplaceReduced risk of misconfigurationReduced risk of misconfiguration

Monitoring and ReportingMonitoring and Reporting

Real-time monitoring for Real-time monitoring for troubleshootingtroubleshootingVariety of report formats summarizes Variety of report formats summarizes Internet activity and performanceInternet activity and performance

Adjusts to Network Adjusts to Network ChangesChanges

Flexibility to support most network Flexibility to support most network typestypesTemplates simplify many Templates simplify many deploymentsdeploymentsFast, easy deploymentFast, easy deployment

ISA Server 2004ISA Server 2004ArchitectureArchitecture

Network DesignNetwork Design

Any number of networksAny number of networksPacket filteringPacket filteringon all interfaceson all interfacesNAT or routingNAT or routingbetween networks between networks VPN as networkVPN as networkLocal host asLocal host asnetworknetworkPer-network policiesPer-network policiesAny topology, any policyAny topology, any policy

CorpNet_1CorpNet_1

CorpNet_nCorpNet_n

Net ANet A

Internet VPNVPN

ISA 2004

DMZ_nDMZ_n

DMZ_1DMZ_1

Local HostLocal HostNetworkNetwork

Comprehensive ProtectionComprehensive Protection

Filtering at all levelsFiltering at all levels

TCP/IPFirewall Engine

Firewall Service

Application Filters

Web ProxyFilter

PolicyEngine

LocalPolicyStore

EnterprisePolicy

Store (EE)

WebFilters

Packet layer filtering

1

Protocol layer filtering

2

Application layer filtering

3

ISAServer

ExtensibilityExtensibility

NDIS

PolicyEngine

Firewall Engine IP Stack

Firewall Service

Application Filter API

ApplicationFilterWeb Proxy Filter

Web Filter API

ApplicationFilter

ApplicationFilter

ApplicationFilter

WebFilter

WebFilter

Firewall PoliciesFirewall Policies

Flexible Rule StructureFlexible Rule Structure

AllowDeny

Source networkSource IP address

Destination networkDestination IP addressDestination site

ProtocolIP Port / Type

•Published server•Published Web site•Schedule•Filtering properties

action on traffic from user from source to destination with conditions

UserGroup

Enabling DiverseEnabling DiverseCustomer ScenariosCustomer Scenarios

Such As…Such As…

Secure e-mail access via the InternetSecure e-mail access via the InternetEnable web applications on the Enable web applications on the InternetInternetSecure partner connectivitySecure partner connectivitySecure remote accessSecure remote accessRemote branch officeRemote branch officeRich internet access policiesRich internet access policiesFast user web accessFast user web accessProtect users from malicious trafficProtect users from malicious traffic

Controlling E-Mail TrafficControlling E-Mail Traffic

The challenges of controlling e-mail The challenges of controlling e-mail traffic:traffic:

VPN? Outlook? OWA? IMAP4? POP3?VPN? Outlook? OWA? IMAP4? POP3?Malformed SMTP, malicious attachmentsMalformed SMTP, malicious attachments

ISA Server helps protect mail servers:ISA Server helps protect mail servers:Easy configuration of client access using a Easy configuration of client access using a wizardwizardSupport for all major Support for all major mail protocolsmail protocolsContent filtering of Content filtering of SMTP-based e-mailSMTP-based e-mailSupport for Outlook Web Support for Outlook Web Access (OWA):Access (OWA):

Content inspection Content inspection Attachment blockingAttachment blockingStrong authenticationStrong authentication

Outlook Client AccessOutlook Client Access

The challenge of providing access for The challenge of providing access for Outlook clientsOutlook clients

RPC cannot pass securely across traditional firewalls RPC cannot pass securely across traditional firewalls because requires secondary portsbecause requires secondary ports

ISA Server helps secure RPC traffic:ISA Server helps secure RPC traffic:Application-layer filtering allows only traffic that is Application-layer filtering allows only traffic that is negotiated between client and servernegotiated between client and serverISA Server can enforce RPC encryptionISA Server can enforce RPC encryption

RPC server RPC server (Exchange)(Exchange)RPC server RPC server (Exchange)(Exchange)

RPC client RPC client (Outlook)(Outlook)

RPC client RPC client (Outlook)(Outlook)

ServiceService UUIDUUID PortPort

ExchangeExchange {12341234-1111-2222-3333-{12341234-1111-2222-3333-aabbcc…aabbcc…

44044022

AD AD replicationreplication

{01020304-4444-5555-6666-{01020304-4444-5555-6666-ddeeff-…ddeeff-…

35435444

MMCMMC {19283746-7777-8888-9999-{19283746-7777-8888-9999-gghhii-…gghhii-…

92392333

Server maintains table Server maintains table of RPC servicesof RPC services

Client: Port for {12341234-1111-2222-3333-11bb... ?Client: Port for {12341234-1111-2222-3333-11bb... ?

Server: Port 4402Server: Port 4402Server: Port 4402Server: Port 4402

TCP 135

Client: Data Exchange over port 4402Client: Data Exchange over port 4402

Blocking Web Server Blocking Web Server AttacksAttacks

InternetInternet

ISA ServerISA Server

The challenge of securing Web servers:The challenge of securing Web servers:Web servers are under constant attack from the InternetWeb servers are under constant attack from the InternetMost of today’s attacks against Web servers are contained in Most of today’s attacks against Web servers are contained in HTTP requestsHTTP requests

ISA Server blocks attacks before they ISA Server blocks attacks before they reach Web serversreach Web serversApplication-layer filtering inspects the Application-layer filtering inspects the content of HTTP requests and responsescontent of HTTP requests and responses

Administrator-defined filters can block virtually any traffic Administrator-defined filters can block virtually any traffic pattern while allowing legitimate trafficpattern while allowing legitimate traffic

Blocking Embedded Blocking Embedded ProtocolsProtocolsHTTP deep content inspection exampleHTTP deep content inspection example

P2PP2P

IMIM

Tunneling Tunneling SoftwareSoftware

InternetInternet

Conventional Conventional FirewallFirewall

ISA Server 2004ISA Server 2004

InternalInternal

UserUser

InternalInternal

UserUser

In the beginning…In the beginning…P2P apps used fix ports P2P apps used fix ports Your Firewall can block fixed ports.Your Firewall can block fixed ports.

Admins had granular control Admins had granular control of their networks trafficof their networks traffic

Applications got smarter…Applications got smarter…Applications started to use the HTTPApplications started to use the HTTPProtocol as a transport protocol.Protocol as a transport protocol.

While good for users, administrators While good for users, administrators lost granular control of their networkslost granular control of their networks

ISA Server 2004 gives youISA Server 2004 gives youback that controlback that control

The deep HTTP protocol inspectionThe deep HTTP protocol inspection

Blocks tunneled traffic at the edgeBlocks tunneled traffic at the edge

Inspecting Encrypted Inspecting Encrypted TrafficTraffic

The challenge of encrypted Web traffic:The challenge of encrypted Web traffic:Traffic to Web servers must be encrypted to ensure Traffic to Web servers must be encrypted to ensure confidentiality, but encrypted traffic bypasses confidentiality, but encrypted traffic bypasses firewall inspectionfirewall inspection

ISA Server SSL BridgingISA Server SSL BridgingSSL Traffic to your Web server is encrypted across SSL Traffic to your Web server is encrypted across the Internet, ensuring confidentialitythe Internet, ensuring confidentialityISA Server decrypts the traffic, performing ISA Server decrypts the traffic, performing application-layer inspection to help secure the Web application-layer inspection to help secure the Web serverserverISA Server forwards allowed traffic to Web serverISA Server forwards allowed traffic to Web server

InternetInternet

ISA ServerISA Server Web ServerWeb ServerTraditional

FirewallTraditional

Firewall

SSLSSL

SSLSSL SSL or HTTPSSL or HTTP

VPN AccessVPN Access

The challenge of providing VPN The challenge of providing VPN access:access:

Configuring secure remote access is time-Configuring secure remote access is time-consuming, difficult and expensive. Remote consuming, difficult and expensive. Remote clients extend the perimeter of the corporate clients extend the perimeter of the corporate network.network.

VPNs with ISA Server VPNs with ISA Server Client or site-to-site VPN connectionsClient or site-to-site VPN connectionsUtilizes VPN features in Windows Server 2003Utilizes VPN features in Windows Server 2003Supports PPTP and L2TP/IPsec, IPsec Tunnel Supports PPTP and L2TP/IPsec, IPsec Tunnel ModeModeIntegration with third-party VPN serversIntegration with third-party VPN serversFull integration with Full integration with firewall policyfirewall policyEasy configuration Easy configuration using wizardsusing wizardsNetwork quarantineNetwork quarantine

Accelerating Internet Accelerating Internet AccessAccess

The challenge of providing fast Internet access:The challenge of providing fast Internet access:Insufficient bandwidth hampers productivity, providing Insufficient bandwidth hampers productivity, providing more bandwidth is expensivemore bandwidth is expensive

ISA Server accelerates access to Web content and ISA Server accelerates access to Web content and decreases bandwidth needs:decreases bandwidth needs:

Web caching keeps local copies of Web contentWeb caching keeps local copies of Web contentServing content from the cache accelerates responses to Serving content from the cache accelerates responses to user requests and saves bandwidthuser requests and saves bandwidthNo configuration required, but extensive customization No configuration required, but extensive customization possible, if desiredpossible, if desired

GET www.microsoft.com11

GET www.microsoft.com22

GET www.microsoft.com33

Client

Client 2

Internet

ISA Server

Integrated SolutionIntegrated Solution

Enterprise-class features for any Enterprise-class features for any businessbusinessRealize savings through integrationRealize savings through integration

One-stop solution for Internet accessOne-stop solution for Internet accessFirewall, access control, caching, Firewall, access control, caching, publishing, and VPN in a single publishing, and VPN in a single componentcomponentCentralized administrationCentralized administrationFull logging and extensive reportingFull logging and extensive reportingReal-time monitoringReal-time monitoring

Call to ActionCall to Action

No IIS, Exchange or SQL Server No IIS, Exchange or SQL Server deployment is complete without deployment is complete without Microsoft ISA ServerMicrosoft ISA ServerProtect your network from the Protect your network from the Internet and accelerate Internet Internet and accelerate Internet accessaccessSave time and resources by securely Save time and resources by securely connecting any size office to the connecting any size office to the InternetInternetTrust a firewall with an excellent Trust a firewall with an excellent track recordtrack record

Reasons to UpgradeReasons to Upgrade

Improve on Microsoft Internet Improve on Microsoft Internet Security and Acceleration Server Security and Acceleration Server 20002000

Advanced application-layer protectionAdvanced application-layer protectionImproved ease of useImproved ease of useHigh performanceHigh performance• Multiple network support

• New policy model

• Application-layer filtering

• Better performance

• Integrated policy enforcement for VPN clients

• VPN client quarantine

• Multiple network support

• New policy model

• Application-layer filtering

• Better performance

• Integrated policy enforcement for VPN clients

• VPN client quarantine

• Support for more protocols

• Packet filtering on all interfaces

• Better RPC publishing

• New authentication options

• Real-time monitoring

• Easier administration tools

• Support for more protocols

• Packet filtering on all interfaces

• Better RPC publishing

• New authentication options

• Real-time monitoring

• Easier administration tools

SummarySummaryISA Server 2004 DeliversISA Server 2004 Delivers

Next-generation edge securityNext-generation edge securityApplication-awareApplication-awareIntegrated solutionIntegrated solutionSimplified managementSimplified managementEnables diverse scenariosEnables diverse scenarios

Key featuresKey featuresMulti-layer protectionMulti-layer protectionSecure access to business applicationsSecure access to business applicationsSimplified managementSimplified management