Microsoft Internet Security & Acceleration Server Dave Sayers Technical Specialist Microsoft UK.

Microsoft Internet Microsoft Internet Security & Acceleration Security & Acceleration ServerServer

Dave SayersDave SayersTechnical SpecialistTechnical Specialist

Microsoft UKMicrosoft UK

AgendaAgenda

What is a Firewall?What is a Firewall? Typical Firewall ConfigurationsTypical Firewall Configurations Features of Microsoft ISA ServerFeatures of Microsoft ISA Server Secure Internet Access to a Web ServerSecure Internet Access to a Web Server ISA Server 2004ISA Server 2004

What is a Firewall?What is a Firewall?

Controlled Point of Access for all traffic Controlled Point of Access for all traffic that enters the internal networkthat enters the internal network

Controlled Point of Access for all traffic Controlled Point of Access for all traffic that leaves the internal networkthat leaves the internal network

Traditional Firewalls allow/deny access Traditional Firewalls allow/deny access to certain IP addresses and ports onlyto certain IP addresses and ports only

Bastion HostBastion Host

InternetInternet

Internal NetworkInternal Network

Firewall

Perimeter Network with Three-Homed Perimeter Network with Three-Homed FirewallFirewall

Firewall

InternetInternet

Perimeter NetworkPerimeter Network

Internal NetworkInternal Network

Perimeter Network with Back-to-Back Perimeter Network with Back-to-Back FirewallsFirewalls

ExternalFirewall

InternalFirewall

InternetInternet

Traditional FirewallsTraditional Firewalls

Wide open to Wide open to advanced advanced attacksattacks

Wide open to Wide open to advanced advanced attacksattacks

Code Red, NimdaCode Red, Nimda SSL-based attacksSSL-based attacks

Code Red, NimdaCode Red, Nimda SSL-based attacksSSL-based attacks

Performance vs. Performance vs. security tradeoffsecurity tradeoffPerformance vs. Performance vs. security tradeoffsecurity tradeoff

Bandwidth too expensiveBandwidth too expensive Too many moving partsToo many moving parts

Bandwidth too expensiveBandwidth too expensive Too many moving partsToo many moving parts

Limited capacityLimited capacityfor growthfor growth

Limited capacityLimited capacityfor growthfor growth

Not easily upgradeableNot easily upgradeable Don’t scale with businessDon’t scale with business

Not easily upgradeableNot easily upgradeable Don’t scale with businessDon’t scale with business

Hard to manageHard to manageHard to manageHard to manage Security is complexSecurity is complex IT already overloadedIT already overloaded

Security is complexSecurity is complex IT already overloadedIT already overloaded

Perimeter Security EvolutionPerimeter Security Evolution

Wide open to Wide open to advanced advanced attacksattacks

Wide open to Wide open to advanced advanced attacksattacks

Application-level protectionApplication-level protectionApplication-level protectionApplication-level protection

Performance vs. Performance vs. security tradeoffsecurity tradeoffPerformance vs. Performance vs. security tradeoffsecurity tradeoff Security Security andand performance performanceSecurity Security andand performance performance

Limited capacityLimited capacityfor growthfor growth

Limited capacityLimited capacityfor growthfor growth Extensibility and scalabilityExtensibility and scalabilityExtensibility and scalabilityExtensibility and scalability

Hard to manageHard to manageHard to manageHard to manage Easier to useEasier to useEasier to useEasier to use

Internet Security and Internet Security and Acceleration ServerAcceleration Server Industry strength firewall and proxy Industry strength firewall and proxy

serverserver Standard and EnterpriseStandard and Enterprise Standalone or arraysStandalone or arrays VPNsVPNs Server and web publishingServer and web publishing Monitoring & reportingMonitoring & reporting

www.microsoft.com/isaserverwww.microsoft.com/isaserverwww.isaserver.orgwww.isaserver.org

Key ComponentsKey Components

Policy Elements :Policy Elements : Schedule, Bandwidth, Destination Set, Schedule, Bandwidth, Destination Set,

Client Address Set, Protocol Definitions, Client Address Set, Protocol Definitions, Content GroupsContent Groups

Protocol RulesProtocol Rules Site and Content RulesSite and Content Rules Packet FilteringPacket Filtering

ISA Value AddISA Value Add

Server Publishing Server Publishing Web ServerWeb Server Exchange ServerExchange Server Additional ServersAdditional Servers

Application FiltersApplication Filters SMTPSMTP DNSDNS HTTPHTTP Streaming MediaStreaming Media

VPN WizardsVPN Wizards Intrusion DetectionIntrusion Detection

Secure Internet Access to a Secure Internet Access to a Corporate Web SiteCorporate Web Site

ISA Server as a FirewallISA Server as a Firewall

IIS as a Web Server

Workstation

Workstation Workstation

WorkstationWorkstation

Internet

The first firewall filterstraffic attempting to

access the web server toonly allow authorised

access

The second firewall hasmore restrictive filters to

protect the corporateenvironment

The web server can be published tothe first firewall to protect its identity

from the internet

Access to corporate machines iscontrolled by the second firewall

ISA Web PublishingISA Web Publishing

Publishes web site on ISA serverPublishes web site on ISA server Content can be cached on ISA server Content can be cached on ISA server

using reverse proxyusing reverse proxy Keeps the web site secure on the Keeps the web site secure on the

private networkprivate network Server publishing vs. web publishingServer publishing vs. web publishing

ISA Web PublishingISA Web Publishing Need to create an Incoming Web Listener first (Reverse proxy) Need to create an Incoming Web Listener first (Reverse proxy)

as well as a destination setas well as a destination set Then create a web publishing ruleThen create a web publishing rule

TheThe advanced application layer firewall, VPN and Web cacheadvanced application layer firewall, VPN and Web cache solution that enables customers to maximize IT investments by solution that enables customers to maximize IT investments by

improving network security & performanceimproving network security & performance

Introducing: ISA Server 2004Introducing: ISA Server 2004

Advanced protectionAdvanced protectionAdvanced protectionAdvanced protection

High performanceHigh performanceHigh performanceHigh performance

Ease of useEase of useEase of useEase of use

Common ScenariosCommon Scenarios

Edge FirewallEdge Firewall CachingCaching ChainingChaining

Secure Publishing Secure Publishing Exchange Exchange Web serversWeb servers

Remote Access Remote Access (VPN)(VPN)

Branch officeBranch office Remote site Remote site

securitysecurity S2S VPN (IPSec)S2S VPN (IPSec)

Integrated SolutionIntegrated Solution Single server edge Single server edge

security solutionsecurity solution Easy, unified Easy, unified

managementmanagement Flexible TopologiesFlexible Topologies

3-Leg, front/back, ...3-Leg, front/back, ... Asset protectionAsset protection Multi network Multi network

supportsupport PartitioningPartitioning

ISA Server 2004 New FeaturesISA Server 2004 New FeaturesUpdated security architectureUpdated security architecture

Advanced protectionAdvanced protectionApplication layer security designed to protect Microsoft applicationsApplication layer security designed to protect Microsoft applications

Advanced protectionAdvanced protectionApplication layer security designed to protect Microsoft applicationsApplication layer security designed to protect Microsoft applications

Deep contentDeep contentinspectioninspection

Deep contentDeep contentinspectioninspection

• Enhanced HTTP, customizable prtcl. filters• Comprehensive/flexible policies• Stateful routing

• Enhanced HTTP, customizable prtcl. filters• Comprehensive/flexible policies• Stateful routing

Enhanced Enhanced Exchange Server Exchange Server

IntegrationIntegration

Enhanced Enhanced Exchange Server Exchange Server

IntegrationIntegration

• Support for Outlook RPC over HTTP• Enhanced Outlook Web Access security• Easy to use configuration wizards

• Support for Outlook RPC over HTTP• Enhanced Outlook Web Access security• Easy to use configuration wizards

Fully integrated Fully integrated VPNVPN

Fully integrated Fully integrated VPNVPN

• Unified firewall-VPN filtering• Built-in support for site-to-site IPsec TM• Integrates with Windows Quarantine

• Unified firewall-VPN filtering• Built-in support for site-to-site IPsec TM• Integrates with Windows Quarantine

Comprehensive Comprehensive authenticationauthentication

Comprehensive Comprehensive authenticationauthentication

• New support for RADIUS and RSA SecurID• User- & group-based access policy• Third party extensibility

• New support for RADIUS and RSA SecurID• User- & group-based access policy• Third party extensibility

PolicyPolicyEngineEngine

NDIS

TCP/IP Stack

ISA 2004 ArchitectureISA 2004 Architecture

Firewall EngineFirewall Engine

FirewallFirewall serviceservice

Application Filter API

AppAppFilterFilter

Web Proxy FilterWeb Proxy Filter

Web Filter API (ISAPI)

Webfilter

Webfilter

User Mode

Kernel Mode

SMTPSMTPFilterFilter

RPCRPCFilterFilter

DNSDNSFilterFilter

PolicyStore

Packet layer filtering

1

Protocol layer filtering

2

Application layer filtering

3

Kernel mode data pump:

Performanceoptimization

4

Application Layer FilteringApplication Layer Filtering Modern threats call for deep Modern threats call for deep

inspectioninspection Protects network assets from exploits at the Protects network assets from exploits at the

application layer: Nimda, Slammer...application layer: Nimda, Slammer... Provides the ability to define a fine grain, Provides the ability to define a fine grain,

application level, security policyapplication level, security policy Best protection for Microsoft applicationsBest protection for Microsoft applications

Application filtering frameworkApplication filtering framework Built in filters for common protocolsBuilt in filters for common protocols

HTTP, SMTP, RPC, FTP, H.323, DNS, POP3, Streaming HTTP, SMTP, RPC, FTP, H.323, DNS, POP3, Streaming mediamedia

Scenario-driven designScenario-driven design Extensible plug-in architectureExtensible plug-in architecture

VPN ProtectionVPN Protection Detunneled traffic is inspectedDetunneled traffic is inspected

Injected back to the stackInjected back to the stack Stingray sees traffic on stack hooksStingray sees traffic on stack hooks

VPN traffic is segregatedVPN traffic is segregated VPN network: all addresses allocated to VPN usersVPN network: all addresses allocated to VPN users IP addresses dynamically added/removedIP addresses dynamically added/removed VPN network available in Stingray adminVPN network available in Stingray admin

IPSec Tunnel Mode supportIPSec Tunnel Mode support Provides connectivity to branch office VPNProvides connectivity to branch office VPN Simplified tools for administrationSimplified tools for administration

Quarantine supportQuarantine support Quarantined users placed in quarantine networkQuarantined users placed in quarantine network IP addresses dynamically added/removedIP addresses dynamically added/removed Quarantine network available in ISA Server adminQuarantine network available in ISA Server admin

Engine Security EnhancementsEngine Security Enhancements Flood-DoS protectionFlood-DoS protection

SYN-flood protectionSYN-flood protection Client connection quotaClient connection quota

Applicable to Worm/Virus floodsApplicable to Worm/Virus floods

Spoofed UDP packet flooding mitigationSpoofed UDP packet flooding mitigation

Attack/Intrusion DetectionAttack/Intrusion Detection IP options, DNS Attacks, IP half-scan, Port scanIP options, DNS Attacks, IP half-scan, Port scan

IP options filteringIP options filtering Filter out individual optionsFilter out individual options

Lockdown modeLockdown mode Restrict firewall machine access on service Restrict firewall machine access on service

failuresfailures

Authentication FrameworkAuthentication Framework Multi source authenticationMulti source authentication

Firewall client authenticationFirewall client authentication Transparent user authenticationTransparent user authentication

Application transparent, Protocol independentApplication transparent, Protocol independent Kerberos/NTLMKerberos/NTLM

Web proxy authenticationWeb proxy authentication Proxy auth, Reverse proxy auth, Pass through auth, SSL Proxy auth, Reverse proxy auth, Pass through auth, SSL

bridgingbridging Basic, digest, NTLM, Kerberos, CertificatesBasic, digest, NTLM, Kerberos, Certificates RADIUS authentication, SecurID authenticationRADIUS authentication, SecurID authentication CRL supportCRL support Extensible!Extensible!

VPN clientsVPN clients EAP (certificates, smartcards, others), MS-CHAPv2, CHAP, EAP (certificates, smartcards, others), MS-CHAPv2, CHAP,

(S-PAP, PAP)(S-PAP, PAP) RADIUS / WindowsRADIUS / Windows

Extensible authentication/authorization frameworkExtensible authentication/authorization framework Third party filters can register their own auth Third party filters can register their own auth

namespacesnamespaces

RADIUS authenticationRADIUS authentication Federation through RADIUS proxiesFederation through RADIUS proxies Can be used for centralized authentication servicesCan be used for centralized authentication services Domain membership not requiredDomain membership not required

Great for DMZ placementGreat for DMZ placement

Corpnet

Internet

1

HTTP/SSL basic auth.

2

RADIUS requestRADIUS Server (IAS)

Firewall Server

3

HTTP/SSL request, sent to

server

Back-endServer

Web Client(Browser, HTTP client)

ISA Server 2004 New FeaturesISA Server 2004 New FeaturesNew management tools and user interfaceNew management tools and user interface

Multi-network Multi-network architecturearchitecture

Multi-network Multi-network architecturearchitecture

• Unlimited network definitions and types• Firewall policy applied to all traffic• Per network routing relationships

• Unlimited network definitions and types• Firewall policy applied to all traffic• Per network routing relationships

Network Network templates and templates and

wizardswizards

Network Network templates and templates and

wizardswizards

• Wizard automates nwk routing relationships• Supports 5 common network topologies• Easily customized for sophisticated scenarios

• Wizard automates nwk routing relationships• Supports 5 common network topologies• Easily customized for sophisticated scenarios

Visual policy Visual policy editoreditor

Visual policy Visual policy editoreditor

• Unified firewall/VPN policy w/one rule-base• Drag/drop editing w/scenario-driven wizards• XML-based configuration import-export

• Unified firewall/VPN policy w/one rule-base• Drag/drop editing w/scenario-driven wizards• XML-based configuration import-export

Enhanced Enhanced trouble-shootingtrouble-shooting

Enhanced Enhanced trouble-shootingtrouble-shooting

• All new monitoring dashboard• Real-time log viewer• Content sensitive task panes

• All new monitoring dashboard• Real-time log viewer• Content sensitive task panes

Ease of UseEase of UseEfficient and cost effective network securityEfficient and cost effective network security

Ease of UseEase of UseEfficient and cost effective network securityEfficient and cost effective network security

ISA 2004 Networking ModelISA 2004 Networking Model

CorpNet_1CorpNet_1

CorpNet_nCorpNet_n

Net ANet A

Internet VPNVPN

ISA 2004

DMZ_nDMZ_n

DMZ_1DMZ_1

Local HostLocal HostNetworkNetwork

Any number of Any number of networksnetworks

VPN as networkVPN as network Localhost as Localhost as

networknetwork Assigned Assigned relationships relationships (NAT/Route)(NAT/Route)

Per-Network policyPer-Network policy Packet filtering on Packet filtering on

all interfacesall interfaces

Any topology, any policyAny topology, any policy

Support for uPnPSupport for uPnP

Network TemplatesNetwork Templates

Objective Simplified network config

Features• 5 templates• Automatic routing relationships• Customizable

Objective Simplified network config

Features• 5 templates• Automatic routing relationships• Customizable

ISA 2004 Policy ModelISA 2004 Policy Model Single, ordered rule baseSingle, ordered rule base

More logical and easier to understandMore logical and easier to understand Easier to view and to auditEasier to view and to audit

New unified rule structureNew unified rule structure Applicable to all types of policy Applicable to all types of policy Three master types of rulesThree master types of rules

Access rulesAccess rules Server Publishing rulesServer Publishing rules Web Publishing rulesWeb Publishing rules

Application filtering properties a part of Application filtering properties a part of the rulethe rule

Default System PolicyDefault System Policy

Visual Policy EditorVisual Policy Editor

ISA Server 2004 MonitoringISA Server 2004 Monitoring

GoalsGoals Server Status – It’s a critical serviceServer Status – It’s a critical service Troubleshooting – Quick and easyTroubleshooting – Quick and easy Investigations – Attacks, mistakesInvestigations – Attacks, mistakes Future Planning – PerformanceFuture Planning – Performance

BenefitsBenefits Real-Time statusReal-Time status Centralized viewCentralized view Easy to understandEasy to understand Easy to controlEasy to control

ISA 2004 Monitoring ToolsISA 2004 Monitoring Tools

DashboardDashboard – Aggregated centralized – Aggregated centralized viewview

AlertsAlerts – One place for all problems– One place for all problemsSessionsSessions – Active sessions view– Active sessions viewServicesServices – ISA services status– ISA services statusConnectivityConnectivity – Connectivity to network – Connectivity to network

svcssvcsLoggingLogging – Powerful viewer of ISA logs– Powerful viewer of ISA logsReportsReports – Top users, Top sites, Cache – Top users, Top sites, Cache

hits…hits…

DashboardDashboard

Objective Centralized status view

Features• Real time• Aggregated• Easy to spot problems

Objective Centralized status view

Features• Real time• Aggregated• Easy to spot problems

AlertsAlerts

Objective One place for all problems

Features• Alerts history• Managing alerts• Severity & category

Objective One place for all problems

Features• Alerts history• Managing alerts• Severity & category

SessionsSessions

Objective Active sessions view

Features• Powerful query mechanism• VPN sessions • Disconnect session

Objective Active sessions view

Features• Powerful query mechanism• VPN sessions • Disconnect session

ServicesServices

Objective ISA and dependent services status

Features• Start & stop service

Objective ISA and dependent services status

Features• Start & stop service

ConnectivityConnectivity

Objective Monitor connectivity to critical network services

Features• Request types• Response time & threshold• Grouping

Objective Monitor connectivity to critical network services

Features• Request types• Response time & threshold• Grouping

LoggingLogging

Objective View of ISA traffic activities

Features• Real-time mode• Historical view • Powerful query mechanism

Objective View of ISA traffic activities

Features• Real-time mode• Historical view • Powerful query mechanism

ReportsReports

Objective Comprehensive set of server activity reports

Features• Recurring reports• Report categories• Email notification• Report publishing

Objective Comprehensive set of server activity reports

Features• Recurring reports• Report categories• Email notification• Report publishing

High PerformanceHigh PerformanceProven ability to maximize application layer filtering speedsProven ability to maximize application layer filtering speeds

High PerformanceHigh PerformanceProven ability to maximize application layer filtering speedsProven ability to maximize application layer filtering speeds

ISA Server 2004 New FeaturesISA Server 2004 New FeaturesContinued commitment to integrationContinued commitment to integration

Enhanced Enhanced architecturearchitectureEnhanced Enhanced

architecturearchitecture• High speed data transport• Utilizes latest Windows and PC hardware • SSL bridging unloads downstream servers

• High speed data transport• Utilizes latest Windows and PC hardware • SSL bridging unloads downstream servers

Web cacheWeb cacheWeb cacheWeb cache• Updated policy rules• Serve content locally• Pre-fetch content during low activity periods

• Updated policy rules• Serve content locally• Pre-fetch content during low activity periods

Internet access Internet access controlcontrol

Internet access Internet access controlcontrol

• User- and group-based Web usage policy• Extensible by third parties• User- and group-based Web usage policy• Extensible by third parties

PerformancePerformance Optimized performance architectureOptimized performance architecture

Optimized for real life usage scenariosOptimized for real life usage scenarios Raw throughput measured using HTTP+NAT benchmarkRaw throughput measured using HTTP+NAT benchmark Kernel-mode data pump; User-mode optimizationsKernel-mode data pump; User-mode optimizations Scale up with additional CPUsScale up with additional CPUs

Network computing magazine app. level firewalls review (3/03)

full inspection performance [Mbps]:

Symantec FW 7.0 67

122

127

170

Sidewinder

Checkpoint NG FP3

ISA 2000 FP1

Raw throughput performance [Mbps]:

ISA 2000 (Dec 2000) 282

1.59GbpsISA 2004 (Today) *

* Beta results

How?•Design improvements•IP Stack improvements•Hardware improvements

Questions?Questions?

© 2003 Microsoft Corporation. All rights reserved.© 2003 Microsoft Corporation. All rights reserved.This presentation is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY.This presentation is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY.