
Page 1: ISA Server 2004 Introduction
Владимир Александров, MCT, MCSE, MCSD, MCDBA
Корус, Managing Director
jm@chorus-bg.com

Page 2
Agenda
Firewall evolution
ISA2004 Overview
More features drilldown
Scenarios and demos

Page 3
Firewall Evolution

Page 4
Traditional Firewalls

Problem                            Implications
Wide open to advanced attacks      Code Red, Nimda; SSL-based attacks
Performance vs. security tradeoff  Bandwidth too expensive; Too many moving parts
Limited capacity for growth        Not easily upgradeable; Don’t scale with business
Hard to manage                     Security is complex; IT already overloaded

Page 5
ISA2004 Overview

Page 6
What is ISA2004
Full blown edge firewall
  Wide variety of firewall edge scenarios
  VPN, Proxy & Cache
Very easy to use
  Easy installation & setup
  Easy policy configuration
  Reduced risk of configuration mistakes
Advanced protection for MS applications
  Built in MS-specific filters
  Defense in Depth
High performance
Highly secure platform

Page 7
Scenarios
Edge Firewall
  Multi Networks
  DMZ
  Web Caching
Secure Publishing
  Exchange
  Web servers
  Others
Remote Access (VPN)
Branch office
  Remote site security
  S2S VPN – Including IPSec (for interop)
Integrated Solution
  Single edge security solution
  Easy
  Unified management

Page 8
What’s new vs. ISA2000?
Support for multiple networks
New integrated single policy model
Intuitive UI
Application Layer Filtering improvements
Logging & monitoring
Integrated VPN
Security Enhancements
And more…

Page 9
Multiple Networks

Page 10
ISA 2000 networking model
(Diagram labels: Internal Network, Internet, DMZ 1, ISA 2000, Static PF)
• Single “outbound” policy
• “In” (LAT) and “out” (Internet, DMZ)
• Only static filtering from DMZ to Internet

Page 11
The new networking model
(Diagram labels: Network A, Network B, Internet, DMZ 1, DMZ 2, VPN Network, ISA 2004)
• Any number of networks
• Assigned relationships
• Per network policy
• VPN represented as network
• Isolation of the firewall host

Page 12
Demo 1: Connecting networks

Page 13
New Policy Model

Page 14
ISA 2000 rules
Basic ISA 2000 rules:
  Protocol rules
  Site and Content rules
  Static packet filters
  Publishing rules
  Web publishing rules
  Other filtering configuration
Other ISA 2000 rules:
  Address translation rules
  Web routing rules
  Cache rules
(Diagram labels: Configuration policy, Firewall policy)

Page 15
ISA 2004 Policy Rules
Single rule base
Rules evaluated in order
Support for multiple networks
Integration with application filtering – part of rule
System rules for built in policies
Rich set of building blocks
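The slides on pages 11 and 15 describe one ordered rule base whose rules are scoped by source and destination network, with built-in system rules evaluated ahead of the administrator's rules. The following is an added, hypothetical model of those concepts, written for this page; it is not ISA Server's engine or administration API, and the network ranges, rule names and users are constructed sample values. It shows why "rules evaluated in order" matters: a deny rule placed below a broader allow rule never fires until it is moved above it.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Hypothetical teaching model of an ordered, network-scoped rule base.
# Not ISA 2004's own engine; all networks, rules and users below are constructed.

# Constructed sample network definitions; any address not listed is "External".
NETWORKS = {
    "LocalHost": [ip_network("203.0.113.2/32"), ip_network("10.0.0.1/32")],
    "Internal": [ip_network("10.0.0.0/8")],
    "DMZ": [ip_network("192.168.100.0/24")],
    "VPNClients": [ip_network("172.16.0.0/16")],
}


def network_of(addr: str) -> str:
    """Map an IP address to its network; the most specific range wins."""
    ip = ip_address(addr)
    best = None
    for name, ranges in NETWORKS.items():
        for net in ranges:
            if ip in net and (best is None or net.prefixlen > best[1]):
                best = (name, net.prefixlen)
    return best[0] if best else "External"


@dataclass
class Rule:
    name: str
    action: str                      # "allow" or "deny"
    protocols: set                   # protocol names; "*" matches any
    src_nets: set                    # source networks; "*" matches any
    dst_nets: set                    # destination networks; "*" matches any
    users: set = field(default_factory=lambda: {"*"})

    def matches(self, proto, src_net, dst_net, user) -> bool:
        def hit(allowed, value):
            return "*" in allowed or value in allowed
        return (hit(self.protocols, proto) and hit(self.src_nets, src_net)
                and hit(self.dst_nets, dst_net) and hit(self.users, user))


# Built-in rules the firewall host itself needs; evaluated before admin rules.
SYSTEM_POLICY = [
    Rule("Allow DNS from firewall", "allow", {"DNS"}, {"LocalHost"}, {"Internal", "External"}),
]

# Administrator rule base in evaluation order. The contractor deny sits AFTER the
# general allow, so it never matches; reorder() below moves it up.
FIREWALL_POLICY = [
    Rule("Allow web from Internal", "allow", {"HTTP", "HTTPS"}, {"Internal", "VPNClients"}, {"External"}),
    Rule("Deny web for contractors", "deny", {"HTTP", "HTTPS"}, {"Internal"}, {"External"}, {"contractor"}),
    Rule("Allow SMTP to DMZ relay", "allow", {"SMTP"}, {"External"}, {"DMZ"}),
    Rule("Deny DMZ to Internal", "deny", {"*"}, {"DMZ"}, {"Internal"}),
]

# Final rule: nothing matched, so deny.
DEFAULT_RULE = Rule("Default rule", "deny", {"*"}, {"*"}, {"*"})


def evaluate(policy, proto, src_ip, dst_ip, user="anonymous"):
    """First matching rule wins; returns (action, rule name)."""
    src_net, dst_net = network_of(src_ip), network_of(dst_ip)
    for rule in SYSTEM_POLICY + list(policy) + [DEFAULT_RULE]:
        if rule.matches(proto, src_net, dst_net, user):
            return rule.action, rule.name
    raise AssertionError("unreachable: the default rule matches everything")


def reorder(policy, rule_name, new_index):
    """Return a copy of the policy with one rule moved to a new position."""
    rules = list(policy)
    rule = next(r for r in rules if r.name == rule_name)
    rules.remove(rule)
    rules.insert(new_index, rule)
    return rules


if __name__ == "__main__":
    req = ("HTTP", "10.1.2.3", "198.51.100.7", "contractor")
    print("as configured:", evaluate(FIREWALL_POLICY, *req))
    fixed = reorder(FIREWALL_POLICY, "Deny web for contractors", 0)
    print("deny moved to top:", evaluate(fixed, *req))
```

Running the block prints an allow for the contractor with the policy as written and a deny once the contractor rule is moved to position 0; the DMZ-to-Internal traffic is caught by its explicit deny, and anything unmatched falls through to the default deny.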

Page 16
User Interface

Page 17
The User Interface
Drag & Drop toolbox
Task pane for common tasks
Wizards
Network templates
(Screenshot labels: Dashboard, Policy Editor, Toolbox, Network Templates, Task Bars)
MMC…On Steroids!

Page 18
Application Layer Filtering

Page 19
IP/Port filtering is not enough
Hackers attack via application layer vulnerabilities (Nimda, Slammer...)
HTTP - the carrier protocol
Users need the ability to define fine-grained, application-level security policies.
Firewalls need to understand applications, beyond TCP/IP
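To make the point of this slide concrete, the following added example (written for this page, not ISA's own HTTP filter) puts a port-only decision next to an application-layer decision over the same constructed HTTP requests. The port filter sees only "TCP port 80" and allows everything; the application-layer check parses the request and enforces a policy on method, URL length, non-ASCII bytes in the URL, file extension and header size, which is the kind of control the slide is asking for. The policy values and sample requests are constructed assumptions.

```python
import posixpath
from dataclasses import dataclass

# Hypothetical teaching code contrasting port filtering with application-layer
# HTTP filtering. Not ISA 2004's HTTP filter; policy values are constructed.


@dataclass(frozen=True)
class HttpPolicy:
    allowed_methods: frozenset = frozenset({"GET", "HEAD", "POST"})
    max_url_length: int = 2048
    max_header_line: int = 4096
    blocked_extensions: frozenset = frozenset({".exe", ".dll", ".bat"})
    block_high_bit: bool = True      # reject non-ASCII bytes in the request target


def port_filter_verdict(dst_port: int) -> str:
    """A packet filter decides on addresses and ports only: port 80 is 'web'."""
    return "allow" if dst_port in (80, 443) else "deny"


def parse_request(raw: bytes):
    """Split a raw HTTP/1.x request into (method, target, version, headers, body).
    Raises ValueError on a malformed request line or header line."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) != 3 or not parts[2].startswith(b"HTTP/"):
        raise ValueError("malformed request line")
    method, target, version = parts
    headers = []
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if not sep or not name.strip():
            raise ValueError("malformed header line")
        headers.append((name.strip().lower(), value.strip(), len(line)))
    return method.decode("ascii", "replace"), target, version, headers, body


def http_filter_verdict(raw: bytes, policy: HttpPolicy = HttpPolicy()):
    """Apply the application-layer policy to one request; returns (verdict, reason)."""
    try:
        method, target, _version, headers, _body = parse_request(raw)
    except ValueError as exc:
        return "deny", str(exc)
    if method not in policy.allowed_methods:
        return "deny", f"method {method} not allowed"
    if len(target) > policy.max_url_length:
        return "deny", "URL too long"
    if policy.block_high_bit and any(b > 0x7F for b in target):
        return "deny", "high-bit characters in URL"
    path = target.split(b"?", 1)[0].decode("ascii", "replace")
    ext = posixpath.splitext(path)[1].lower()
    if ext in policy.blocked_extensions:
        return "deny", f"extension {ext} blocked"
    for name, _value, length in headers:
        if length > policy.max_header_line:
            return "deny", f"header {name.decode()} too long"
    return "allow", ""


# Constructed sample requests, all of which would arrive on TCP port 80.
SAMPLE_REQUESTS = {
    "normal": b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    "trace": b"TRACE / HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    "long_url": b"GET /" + b"A" * 3000 + b" HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    "exe": b"GET /files/setup.exe?x=1 HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    "high_bit": b"GET /\xff\xfe HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    "malformed": b"GET\r\n\r\n",
}


def compare(samples=SAMPLE_REQUESTS):
    """Per sample: (port-filter verdict, application-layer verdict)."""
    return {name: (port_filter_verdict(80), http_filter_verdict(raw)[0])
            for name, raw in samples.items()}


if __name__ == "__main__":
    for name, (port_v, app_v) in compare().items():
        print(f"{name:10s} port filter: {port_v:5s} app filter: {app_v}")
```

Only the "normal" request survives the application-layer check; the port filter allows all six, which is exactly the gap the slide describes.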

Page 20
ISA 2004’s application filtering
Open platform for app layer filtering
Built in filters for common protocols
Scenario-driven design (protect Exchange, IIS)
Rich partners community

Page 21
Logging and Monitoring

Page 22
ISA Server 2004 Monitoring
Goals
Server Status – It’s a critical service
Troubleshooting – Quick and easy
Investigations – Attacks, mistakes
Future Planning – optimizing network performance

Page 23
ISA 2004 Monitoring Tools
Dashboard – centralized view
Alerts – One place for all problems
Sessions – Active sessions view
Services – ISA services status
Connectivity – Connectivity to network svcs
Logging – Powerful viewer of ISA logs
Reports – Top users, Top sites, Cache hits…
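The monitoring goals on page 22 (troubleshooting, investigations, planning) and the report types listed here (top users, top sites, cache hits) are easy to see in code. The block below is an added example written for this page; the log schema and the log lines are constructed for the example and are not ISA Server's real log format or reporting code. It derives the three report types from the log and adds one investigation-style query that flags clients with repeated denied connections to the same port.

```python
import csv
from collections import Counter
from io import StringIO

# Hypothetical reporting code over a constructed firewall log; not ISA 2004's
# log schema or report engine. Every line in SAMPLE_LOG is made up.

SAMPLE_LOG = """\
date,time,client_ip,username,dest_host,dest_port,protocol,action,bytes,cache
2004-06-01,09:00:01,10.0.0.15,CORP\\alice,www.example.com,80,HTTP,Allowed,15230,HIT
2004-06-01,09:00:02,10.0.0.15,CORP\\alice,www.example.com,80,HTTP,Allowed,4210,MISS
2004-06-01,09:00:05,10.0.0.22,CORP\\bob,updates.example.net,80,HTTP,Allowed,980120,MISS
2004-06-01,09:01:10,10.0.0.22,CORP\\bob,www.example.com,443,HTTPS,Allowed,3300,NONE
2004-06-01,09:01:11,10.0.0.31,anonymous,mail.example.org,25,SMTP,Denied,0,NONE
2004-06-01,09:01:12,10.0.0.31,anonymous,mail.example.org,25,SMTP,Denied,0,NONE
2004-06-01,09:01:13,10.0.0.31,anonymous,mail.example.org,25,SMTP,Denied,0,NONE
2004-06-01,09:02:00,172.16.0.9,CORP\\carol,www.example.com,80,HTTP,Allowed,2200,HIT
"""


def parse_log(text=SAMPLE_LOG):
    """Read the CSV log into dicts, converting numeric fields."""
    rows = list(csv.DictReader(StringIO(text)))
    for r in rows:
        r["bytes"] = int(r["bytes"])
        r["dest_port"] = int(r["dest_port"])
    return rows


def top_users(rows, n=3):
    """Bytes transferred per authenticated user, largest first (anonymous excluded)."""
    totals = Counter()
    for r in rows:
        if r["action"] == "Allowed" and r["username"] != "anonymous":
            totals[r["username"]] += r["bytes"]
    return totals.most_common(n)


def top_sites(rows, n=3):
    """Destinations ranked by number of allowed requests."""
    return Counter(r["dest_host"] for r in rows if r["action"] == "Allowed").most_common(n)


def cache_hit_ratio(rows):
    """Share of allowed HTTP requests served from the web cache."""
    http = [r for r in rows if r["protocol"] == "HTTP" and r["action"] == "Allowed"]
    hits = sum(1 for r in http if r["cache"] == "HIT")
    return hits / len(http) if http else 0.0


def repeated_denials(rows, threshold=3):
    """Investigation query: (client, port) pairs with at least `threshold` denied
    connections; repeated denials to one port are worth a closer look."""
    counts = Counter((r["client_ip"], r["dest_port"])
                     for r in rows if r["action"] == "Denied")
    return sorted((key, c) for key, c in counts.items() if c >= threshold)


if __name__ == "__main__":
    rows = parse_log()
    print("top users:", top_users(rows))
    print("top sites:", top_sites(rows))
    print(f"cache hit ratio: {cache_hit_ratio(rows):.0%}")
    print("repeated denials:", repeated_denials(rows))
```

With the constructed log, the report ranks bob first by volume, www.example.com first by requests, gives a 50% cache hit ratio over the four HTTP requests, and flags 10.0.0.31 for three denied SMTP connections in a row.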

Page 24
Dashboard

Page 25
Logging

Page 26
Reports

Page 27
Security Enhancements

Page 28
Engine Security Enhancements
Session quota restrictions
  Restriction of user sessions (protection against Denial of Service attacks)
IP options filtering
  Filter out individual options
Lockdown mode
  Restrict firewall machine access on service failures
  Fail to most secure mode

Page 29
And there’s more…
Authentication improvements
  RADIUS
  OWA Form authentication
  Secure ID
Integrated VPN
  IPSec tunnel mode for interoperability
  Quarantine support
  Full control over RRAS
Performance Improvements
  Kernel and user mode improvements
  Web proxy improvements due to integration into the firewall

Page 30
Demo 2: Secure publishing
Publishing Internal Mail Server
  SMTP
  POP3/IMAP4
  RPC
Publishing Internal Exchange 2003 Server
  Publishing Outlook web access
  Publishing RPC over HTTP
  Publishing RPC interfaces (NtFrs etc.)

Page 31
Questions

Page 32
© 2003 Microsoft Corporation. All rights reserved.
This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.