Introduction to ISA Server 2006
Secure Application Publishing
Branch Office Protection
Firewall and Proxy Enhancements
Monitoring ISA with MOM
Application Layer Firewall
Protects internal resources from the outside
Separate from the rest of the network
Controls how Internet resources are used
Examines each network packet against your rules
VPN
Proxy Server
Makes network requests and forwards data
Caches sites for improved performance
Preinstalled on optimized hardware
Partner solutions extend ISA
Antivirus gateways, URL filtering, availability
Both for Standard and Enterprise Edition
Enterprise Edition gets extended NLB and caching functionality
Support for unattended installation using a USB flash drive
Easy deployment
Everything is tested
Hardened configuration -> reduced attack surface
Extra configuration tools and web administration
Advantages of Appliances
Easier purchase process: no separate software licensing complexity
Lower cost of deployment
Plug & Play, Set & Forget
Controlled components and drivers
Automated patch management (on some offerings)
Fewer calls to tech support
Easy roll-back to factory configuration
Quick learning curve for IT administrators
Appliances are the whole solution, not just part of it
A Traditional Firewall's View of a Packet
Only packet headers are inspected
Application layer content appears as a "black box"
[Figure: packet as seen by a traditional firewall. IP header: source address, destination address, TTL, checksum. TCP header: sequence number, source port, destination port, checksum. Application payload: opaque.]
Forwarding decisions based on port numbers
Legitimate traffic and application layer attacks use identical ports
ISA Server's View of a Packet
Packet headers and application content are inspected
[Figure: packet as seen by ISA Server. IP header: source address, destination address, TTL, checksum. TCP header: sequence number, source port, destination port, checksum. Application payload shown in the clear, e.g. content="text/html; charset=UTF-8"><title>MSNBC - MSNBC Front Page</title><link rel="stylesheet"]
Forwarding decisions based on content
Only legitimate and allowed traffic is processed
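The two views of a packet described above, as an added example that is not code from the slides or from ISA Server itself. It models a traditional firewall as a decision on headers only and an application-layer firewall as a decision that also parses the HTTP payload on port 80. The allowed ports, the request-line grammar, the method list, the URL patterns and the sample packets are all constructed for the example; a real HTTP filter performs far more checks than these.

```python
import re
from dataclasses import dataclass


@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    payload: bytes      # TCP payload: the "black box" for a traditional firewall


# Traditional firewall: the decision is a function of the headers only.
# Port 80 is allowed because HTTP is allowed, whatever the payload carries.
ALLOWED_PORTS = {80, 443}


def traditional_decision(pkt: Packet) -> str:
    return "allow" if pkt.dport in ALLOWED_PORTS else "deny"


# Application-layer firewall: on port 80 the payload must also be HTTP that the
# policy permits. Grammar, method list and URL patterns are constructed here.
REQUEST_LINE = re.compile(rb"^(?P<method>[A-Z]+) (?P<url>\S+) HTTP/1\.[01]\r\n")
ALLOWED_METHODS = {b"GET", b"HEAD", b"POST"}
BLOCKED_URL_PATTERNS = [
    re.compile(rb"\.\./"),          # directory traversal in the request URL
    re.compile(rb"(?i)cmd\.exe"),   # request for a command interpreter
]


def application_layer_decision(pkt: Packet) -> str:
    if pkt.dport not in ALLOWED_PORTS:
        return "deny:port"
    if pkt.dport != 80:
        # TLS payload is opaque here; inspecting it needs SSL bridging
        # (decrypt, inspect, re-encrypt) as ISA does for published servers.
        return "allow"
    m = REQUEST_LINE.match(pkt.payload)
    if not m:
        return "deny:not-http"       # e.g. another protocol tunnelled over port 80
    if m.group("method") not in ALLOWED_METHODS:
        return "deny:method"
    for pat in BLOCKED_URL_PATTERNS:
        if pat.search(m.group("url")):
            return "deny:url"
    return "allow"


# Constructed sample traffic: legitimate and attack traffic share port 80.
LEGIT = Packet("10.0.0.5", "192.0.2.10", 80,
               b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n")
TRAVERSAL = Packet("10.0.0.5", "192.0.2.10", 80,
                   b"GET /scripts/../../winnt/system32/cmd.exe?/c+dir HTTP/1.0\r\n\r\n")
TUNNEL = Packet("10.0.0.5", "192.0.2.10", 80, b"SSH-2.0-OpenSSH_7.4\r\n")
TELNET = Packet("10.0.0.5", "192.0.2.10", 23, b"")


def compare(pkt: Packet) -> tuple:
    """Both views of the same packet, side by side."""
    return traditional_decision(pkt), application_layer_decision(pkt)


if __name__ == "__main__":
    for name, pkt in [("legit", LEGIT), ("traversal", TRAVERSAL),
                      ("tunnel", TUNNEL), ("telnet", TELNET)]:
        trad, app = compare(pkt)
        print(f"{name:10} traditional={trad:6} application-layer={app}")
```

The point of the comparison is the second column: the traversal request and the tunnelled SSH session both pass the port-based check, and only the payload-aware decision separates them from the legitimate request.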
Simplify the complexity and administration of managing network security
Subdivide the network into multiple segments with a single ISA license
Extend virtual firewall protection across each segment
Enforce rules on a per-network basis
ISA 2004/2006 Policy Model
Single, ordered rule base
Logical and easier to understand
Easy to view and to audit
Default System Policy/Lockdown
System Policy: a default set of access rules applied to the ISA Server itself
Lockdown mode protects the operating system when firewall services are offline because:
a security event triggers a firewall service shutdown
the firewall service is shut down as planned
the ISA Server reboots
Use internal resources from the Internet
Outlook Web Access
Publish through one external IP address
Cached content to external clients
Supports IIS authentication methods
Pre-authenticate users
Path configuration
ISA terminates all connections
Decrypts HTTPS
Inspects content
Inspects URL against rules
Re-encrypts for delivery to OWA
What is Publishing?
ISA Server impersonates internal servers through a reverse proxy process
To make internal sites/services accessible to users outside the corporate network, including partners
To add a layer of security at the network edge
BITS caching for the Microsoft update platform
Reduce the impact of software updates on network bandwidth in the branch office
Improve the value of ISA 2006 by reducing days-of-risk in branch office locations
Compression of HTTP content
Compress HTTP content before it goes over the WAN to accelerate Web browsing and improve bandwidth usage
Cache compressed and uncompressed content
Diffserv (Differentiated Services) to prioritize HTTP and HTTPS application traffic
Improve response time for critical HTTP and HTTPS applications
Determine what traffic has priority over other traffic based on URL and the corresponding configured Diffserv service level
Enterprise policies:
Multiple "template" policies for an organization
Arrays are assigned Enterprise Policies
Effective policy:
Calculated from Enterprise Policies and Array Policies
Result: an ordered set of allow/deny rules
BITS caching (Background Intelligent Transfer Service)
Transfers files between client and server
Uses leftover bandwidth
Maintains transfers if disconnected
Windows Updates
Data is cached on the ISA Server
Subsequent users pull them from the local cache
HTTP compression
When someone makes a request, the response is compressed at the ISA server at the HQ
It reaches the branch and gets decompressed
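The HQ-side compression and the "cache compressed and uncompressed content" behaviour described above, as an added example that is not code from the slides or from ISA Server. The HQ side compresses a response before it crosses the WAN when the requester advertises gzip, and keeps the compressed and uncompressed bodies under separate cache keys so that a later request for either form is served locally; the branch side restores the page before it reaches the browser. The origin server, the URLs and the page content are constructed for the example.

```python
import gzip
from dataclasses import dataclass, field


@dataclass
class Cache:
    entries: dict = field(default_factory=dict)  # (url, encoding) -> body bytes
    hits: int = 0
    misses: int = 0


def wants_gzip(headers: dict) -> bool:
    """True when the requester (browser or branch ISA) advertises gzip."""
    accept = headers.get("accept-encoding", "")
    return any(tok.strip().split(";")[0] == "gzip" for tok in accept.split(","))


def origin_fetch(url: str) -> bytes:
    """Stand-in for the internal Web server at HQ; the content is constructed."""
    return b"<html><body>" + url.encode() * 200 + b"</body></html>"


def serve(cache: Cache, url: str, headers: dict):
    """HQ-side handling of one request. Returns (body, content_encoding).
    The uncompressed body is cached on first fetch; the gzip variant is produced
    once and cached under its own key, so both forms are served locally later."""
    encoding = "gzip" if wants_gzip(headers) else "identity"
    key = (url, encoding)
    if key in cache.entries:
        cache.hits += 1
        return cache.entries[key], encoding
    cache.misses += 1
    plain = cache.entries.get((url, "identity"))
    if plain is None:
        plain = origin_fetch(url)
        cache.entries[(url, "identity")] = plain
    if encoding == "gzip":
        body = gzip.compress(plain, mtime=0)   # fixed mtime keeps the bytes deterministic
        cache.entries[key] = body
    else:
        body = plain
    return body, encoding


def branch_decompress(body: bytes, encoding: str) -> bytes:
    """Branch side: restore the page before handing it to the browser."""
    return gzip.decompress(body) if encoding == "gzip" else body


def wan_savings(url: str) -> float:
    """Fraction of bytes kept off the WAN link for this page."""
    plain = origin_fetch(url)
    return 1 - len(gzip.compress(plain, mtime=0)) / len(plain)


if __name__ == "__main__":
    cache = Cache()
    body, enc = serve(cache, "/intranet/news.html", {"accept-encoding": "gzip, deflate"})
    print(enc, len(body), "bytes on the WAN;", f"{wan_savings('/intranet/news.html'):.0%} saved")
```

The two cache keys matter because a client that does not accept gzip must never be handed the compressed variant; keying on (URL, encoding) is the simplest way to keep both forms correct.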
Traffic Prioritizing
Control when bandwidth is limited
Diffserv protocol
ISA inspects requests and assigns priority depending on destination
Branch Office Connectivity Wizard
Answer files for unattended installation
More effective policy propagation
Reduced server requirements
Optimization for low bandwidth use
Secure remote management is possible
Templates and configuration tools
Enhanced worm resiliency, mitigating the impact on the network
Faster alert triggers and responses
To avoid DoS attacks ISA Server controls:
Log throttling, which measures the volume of denied records
Memory consumption
Pending DNS queries
Flood Resiliency
Protect ISA Server from:
Worm propagation
SYN floods
Denial of service
Distributed DoS
HTTP bombing
In some cases, computers behind ISA are also protected, but this isn't the primary goal of the feature
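The flood-resiliency behaviour described above (per-source limits, fast alerts, log throttling of denied records), as an added example that is not code from the slides or from ISA Server. A source's TCP connect attempts are counted in a sliding one-minute window; once the limit is exceeded further attempts are denied, one alert is raised for that source, and denied records are written at a throttled rate so that the flood does not also flood the log. The thresholds, the window length and the sample event stream are constructed for the example; ISA's own defaults differ per limit type and are set in its flood mitigation settings.

```python
from collections import defaultdict, deque


class FloodGuard:
    """Per-source connect-rate limit with one alert per offender and throttled
    logging of denied attempts. Thresholds are constructed for the example."""

    WINDOW = 60.0   # seconds

    def __init__(self, max_per_minute: int = 600, log_every: int = 50):
        self.max_per_minute = max_per_minute
        self.log_every = log_every
        self.windows = defaultdict(deque)      # src -> timestamps of admitted attempts
        self.denied_count = defaultdict(int)   # src -> number of denied attempts
        self.alerts = []                       # (ts, src, message)
        self.log = []                          # (ts, src, "denied", n)

    def connect(self, src: str, ts: float) -> bool:
        """Admit or deny one TCP connect request from src at time ts."""
        w = self.windows[src]
        while w and ts - w[0] >= self.WINDOW:
            w.popleft()                        # slide the window forward
        if len(w) >= self.max_per_minute:
            self._deny(src, ts)
            return False
        w.append(ts)
        return True

    def _deny(self, src: str, ts: float) -> None:
        n = self.denied_count[src]
        self.denied_count[src] = n + 1
        if n == 0:
            # One alert per offending source, raised on the first denial so the
            # operator hears about it immediately rather than after the flood.
            self.alerts.append((ts, src, "connection limit exceeded"))
        if n % self.log_every == 0:
            # Log throttling: write the first denied record and then every
            # log_every-th one; the count in the record preserves the volume.
            self.log.append((ts, src, "denied", n))


def simulate():
    """Constructed event stream: one host opening connections as fast as a scanning
    worm would, one legitimate host, then the offender after the window has slid."""
    g = FloodGuard(max_per_minute=100, log_every=50)
    admitted = 0
    for i in range(250):                         # 250 attempts in 25 seconds
        if g.connect("198.51.100.7", i * 0.1):
            admitted += 1
    other_ok = g.connect("203.0.113.9", 20.0)    # unrelated host is unaffected
    later_ok = g.connect("198.51.100.7", 90.0)   # over a minute later: window has slid
    return g, admitted, other_ok, later_ok


if __name__ == "__main__":
    g, admitted, other_ok, later_ok = simulate()
    print("admitted:", admitted, "denied:", g.denied_count["198.51.100.7"])
    print("alerts:", g.alerts)
    print("log records written:", len(g.log), "of", g.denied_count["198.51.100.7"], "denials")
```

The limits are keyed on the source address, which is what protects the ISA Server itself: the offender is throttled while other hosts are unaffected. Whether hosts behind ISA benefit depends on the traffic direction, which matches the slide's caveat that protecting them is not the primary goal.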