CHAPTER 1
MICROSOFT INTERNET SECURITY AND ACCELERATION (ISA) SERVER 2000
ISA Server is an extensible, enterprise-class firewall and Web cache server built on the
Windows 2000 operating system. ISA Server's multilayer firewall helps protect network
resources from viruses, hackers, and unauthorized access, and its Web cache server enables
organizations to provide faster Web access for users by serving objects locally rather than
fetching them over the Internet.
ISA Server minimizes the difficulty of implementing and administering a robust firewall and
cache server by providing an MMC snap-in, graphical taskpads, and step-by-step wizards.
There are two editions of ISA Server:
ISA Server Enterprise Edition. Used for high-volume Internet traffic environments.
ISA Server Standard Edition. Provides enterprise-class firewall security and Web caching
capabilities for small businesses, workgroups, and departmental environments.
Key Differences
The firewall and Web caching features are present in both editions. HOWEVER, the Standard
Edition can run only as a standalone ISA Server computer with local policy and can support no
more than four processors.
=======================================================================
winisa1.html PAGE 2 2002/05/15
The Enterprise Edition supports multiserver deployment with centralized management, enterprise
and array-level policy, and limitless scalability.
ISA Server Editions Comparison

Feature                 ISA Server Standard Edition   ISA Server Enterprise Edition
----------------------  ----------------------------  -----------------------------
Server deployment       Standalone only               Multiserver with centralized
                                                      management
Policy level support    Local only                    Enterprise and array level
Hardware scalability    4 CPUs limit                  No limit
ISA Server Roles
ISA Server can provide value to information technology (IT) managers, network administrators, and
information-security professionals in organizations of all sizes who are concerned about the security,
performance, management, or operating costs of their networks.
ISA Server can be installed in three modes (firewall, cache, or integrated) and can fill the following roles:
Internet Firewall. Allows you to implement your business Internet security policy by enabling
you to configure a broad set of rules that specify which sites, protocols, and content can be
passed through the ISA Server. ISA Server also controls which computers on the Internet
your internal clients can access.
Secure Server Publishing. You can publish services on the Internet without compromising
the security of your internal network.
Forward Web Caching Server. Centralized cache of frequently requested Internet sites.
Reverse Web Caching Server. ISA Server can stand in front of a Web server, fulfilling incoming
client requests for Web content from its cache and forwarding requests to the Web server
only when the request cannot be served from its cache.
Integrated Firewall and Web Cache Server. Organizations can deploy ISA Server as
separate firewall and caching components, but some administrators will choose to have a single
integrated firewall and Web cache server to provide secure and fast Internet connectivity.
Windows 2000 Integration
The following is a list of Windows 2000 technologies that work with ISA Server to provide
better security, performance, and management capabilities.
NAT (network address translation). ISA Server extends Windows 2000 NAT
functionality by enforcing ISA Server policy for SecureNAT clients.
Integrated Virtual Private Networking. Windows 2000-based VPN support for
PPTP, L2TP, and IPSec.
Authentication. Basic, NT LAN Manager (NTLM), Kerberos, and digital certificates. (Basic
authentication only encodes the password; it should be used over SSL or not at all.)
System Hardening. ISA Server uses the Windows 2000 security templates to
lock down the operating system at different levels of security.
Active Directory Storage. ISA Server can apply access controls to users and
groups defined in the Active Directory store.
Tiered Policy Management. ISA Server Enterprise Edition allows you to build on
the distributed nature of Active Directory directory services by defining one or more
enterprise policies and applying them to arrays in the enterprise.
MMC Administration. The ISA Server management interface is called ISA Management.
Quality of Service (QoS). ISA Server provides bandwidth control, building
on the Windows 2000 QoS technology to prioritize data traffic.
Multiprocessor Support.
Client-Side Auto Discovery. Supports the Web Proxy Autodiscovery Protocol (WPAD), by which
clients locate the proxy through DHCP or DNS. WPAD answers are not authenticated, so whoever
can answer the DHCP or DNS lookup decides which proxy the clients use.
Administration COM objects. The configuration is exposed through a Component Object Model (COM)
interface that administration scripts can drive.
Web Filters.
Alerts. ISA Server writes alerts to the Windows 2000 Event Log.
Scalability
Computers running ISA Server Enterprise Edition can be grouped together in arrays. In ISA Server,
an array is a group of ISA Server computers used to provide fault tolerance, load balancing, and
distributed caching.
Because load is distributed across all the servers in the array, you can achieve improved performance
even with moderate hardware.
Other features that enhance the scalability of ISA Server include:
Symmetric Multiprocessing. ISA Server takes advantage of Windows 2000 SMP in
order to use multiple processors in scaling up performance.
Network Load Balancing. NLB is especially useful in the firewall, reverse caching
(Web publishing), and server publishing deployment configurations.
Extensibility
A software development kit (SDK) is available for developing tools that build on the ISA Server
firewall, caching, and management features. The SDK also includes sample administration scripts,
so rather than writing scripts from scratch you can modify a sample script by specifying the
protocols, rules, or sites that the script should act on.
ISA Server Architecture
Data that is allowed to pass the packet-filtering layer is passed to the Firewall and Web Proxy
services, where the ISA Server rules are processed to determine whether the request should be serviced.
There are three types of clients: Firewall clients (computers running the Firewall Client software),
SecureNAT clients (computers with no client software whose default gateway leads to ISA Server), and
Web Proxy clients (Web browsers configured to use ISA Server as their proxy).
If the firewall client requests an HTTP object, the HTTP redirector redirects the request to the Web
Proxy service. The Web Proxy service may also cache the requested object, or it may serve the
object from the ISA Server cache.
******* REVIEW CHARTS PAGE 12-15 ******
Lesson Summary:
ISA Server offers an enterprise-class Internet connectivity solution that contains both a robust,
feature-rich firewall and a scalable Web cache for Internet acceleration.
ISA Server is available in two editions, Standard and Enterprise Edition.
ISA Server makes firewall and cache management easy through the use of its console, ISA
Management.
Lesson 2:
Introduction to the ISA Server Firewall
The Internet provides organizations with new opportunities to connect with customers,
partners and employees. While this presents great opportunities, it also opens new risks
and concerns in areas such as security, performance, and manageability.
Filtering Methods
A firewall enhances security by using various filtering methods, including packet filtering,
circuit-level (protocol) filtering and application filtering.
IP Packet Filtering. Allows you to control the flow of IP packets to and from
ISA Server. IP packet filters can filter packets based on service type, port number,
source computer name or destination computer name.
Circuit-Level (Protocol) Filtering. You can configure circuit-level or protocol filtering
in ISA Server through access policy rules and publishing rules.
Dynamic Filtering. Ports open automatically only as required for communications,
and ports close when the communication ends.
Support for Session-based Protocols. Circuit-level filtering provides built-in support
for protocols with secondary connections, such as FTP and streaming media. You define
such a protocol by specifying, for the primary and each secondary connection, the port
number or range, the protocol type (TCP or UDP), and the inbound or outbound direction.
Application Filtering. The most sophisticated level of firewall inspection is application-
level security. Good application filters allow you to analyze a data stream for a particular
application and provide application-specific processing, including inspecting, screening
or blocking, redirecting, or modifying the data as it passes through the firewall.
ISA Server includes the following built-in application
filters:
HTTP Redirector Filter. The HTTP redirector filter forwards HTTP requests
from Firewall and SecureNAT clients to the Web Proxy service.
FTP Access Filter. The FTP filter intercepts and checks FTP data.
SMTP Filter. Intercepts and checks SMTP e-mail traffic, protecting the mail server
from attack. The filter recognizes unsafe commands and can screen e-mail messages
for content or size, rejecting unapproved e-mail before it ever reaches the mail server.
SOCKS Filter. For clients without the Firewall Client software, the SOCKS filter
forwards requests from SOCKS 4.3 applications to the ISA Server Firewall service.
RPC Filter. The RPC filter allows sophisticated filtering of RPC requests.
H.323 Filter. The H.323 filter directs H.323 packets used for multimedia
communications and teleconferencing.
Streaming Media Filter. The streaming media filter supports industry standard
media protocols, including Microsoft Windows Media Technologies and both
streaming media protocols from RealNetworks, Progressive Networks Audio
(PNA) and Real-Time Streaming Protocol (RTSP).
POP and DNS Intrusion Detection Filters. These two filters recognize and block
attacks against internal servers, including DNS hostname and length overflows, DNS
zone transfers, and Post Office Protocol (POP) buffer overflows.
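The dynamic-filtering behaviour described above (a port opened only when a session needs it, closed when the session ends, and a secondary FTP connection admitted only because the application filter saw it negotiated on the control channel), as an added example in Python. It is not ISA Server code; the addresses, port numbers, and the PORT payload are constructed for the demonstration. The check on the PORT command is the kind of guard such a filter needs, since otherwise a client could use it to open a hole to any other internal host.

```python
"""Stateful ("dynamic") packet filter with an FTP-aware helper.

Added example, not ISA Server code. The addresses, port numbers and the
PORT-command payload below are constructed for the demonstration."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str                      # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    direction: str                  # "out" = internal -> Internet, "in" = reverse
    flags: frozenset = frozenset()  # TCP flags, e.g. {"SYN"}, {"FIN"}
    payload: bytes = b""


class DynamicFilter:
    """Static policy lists only the outbound destination ports clients may
    open; every other port stays closed until a session needs it."""

    def __init__(self, allowed_out_ports):
        self.allowed = set(allowed_out_ports)
        self.flows = set()      # established sessions, keyed from the inside
        self.pinholes = set()   # one-shot inbound permits created by a filter

    @staticmethod
    def _key(p):
        # (proto, internal_ip, internal_port, external_ip, external_port)
        if p.direction == "out":
            return (p.proto, p.src, p.sport, p.dst, p.dport)
        return (p.proto, p.dst, p.dport, p.src, p.sport)

    def check(self, p):
        key = self._key(p)
        if key in self.flows:
            if p.flags & {"FIN", "RST"}:
                self.flows.discard(key)   # port closes when the session ends
            self._ftp_filter(p, key)
            return "allow"
        if p.direction == "out" and "SYN" in p.flags and p.dport in self.allowed:
            self.flows.add(key)           # port opens only when a session needs it
            return "allow"
        pin = (p.proto, p.dst, p.dport, p.src)
        if p.direction == "in" and "SYN" in p.flags and pin in self.pinholes:
            self.pinholes.discard(pin)    # secondary connection, permitted once
            self.flows.add(key)
            return "allow"
        return "deny"

    def _ftp_filter(self, p, key):
        """FTP access filter: read an active-mode PORT command on the control
        channel and pre-authorise the server's connect-back to that port."""
        if p.proto != "tcp" or key[4] != 21 or p.direction != "out":
            return
        m = re.match(rb"PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)", p.payload)
        if not m:
            return
        a, b, c, d, hi, lo = (int(x) for x in m.groups())
        ip, port = f"{a}.{b}.{c}.{d}", hi * 256 + lo
        # Only accept a PORT that points back at the client itself on an
        # unprivileged port; otherwise a client could open a hole to any
        # internal host or service of its choosing.
        if ip == key[1] and port > 1023:
            self.pinholes.add(("tcp", ip, port, key[3]))


def run_demo():
    """Replay a constructed packet sequence; returns the filter's decisions."""
    fw = DynamicFilter(allowed_out_ports={21, 80})
    client, web, ftp = "10.0.0.5", "203.0.113.10", "198.51.100.7"
    seq = [
        Packet("tcp", client, 40000, web, 80, "out", frozenset({"SYN"})),
        Packet("tcp", web, 80, client, 40000, "in", frozenset({"SYN", "ACK"})),
        Packet("tcp", web, 80, client, 40001, "in", frozenset({"SYN"})),      # unsolicited
        Packet("tcp", client, 40000, web, 80, "out", frozenset({"FIN", "ACK"})),
        Packet("tcp", web, 80, client, 40000, "in", frozenset({"ACK"})),      # after close
        Packet("tcp", client, 40010, ftp, 21, "out", frozenset({"SYN"})),
        Packet("tcp", client, 40010, ftp, 21, "out", frozenset({"ACK"}),
               b"PORT 10,0,0,5,156,64\r\n"),                                  # data port 40000
        Packet("tcp", ftp, 20, client, 40000, "in", frozenset({"SYN"})),      # connect-back
        Packet("tcp", ftp, 20, client, 40002, "in", frozenset({"SYN"})),      # not negotiated
        Packet("tcp", client, 40010, ftp, 21, "out", frozenset({"ACK"}),
               b"PORT 10,0,0,9,156,64\r\n"),                                  # another host
        Packet("tcp", ftp, 20, "10.0.0.9", 40000, "in", frozenset({"SYN"})),
        Packet("tcp", client, 40020, web, 23, "out", frozenset({"SYN"})),     # not in policy
    ]
    return [fw.check(p) for p in seq]


if __name__ == "__main__":
    print(run_demo())
```

Running the block prints one decision per packet: the unsolicited inbound SYN, the packet arriving after the FIN, the connect-back to a port that was never negotiated, the PORT command aimed at another host, and the outbound Telnet attempt are all denied; everything tied to a live session is allowed.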
H.323 Gatekeeper
H.323 Gatekeeper works together with the H.323 protocol filter to provide full
communications capabilities.
Clients registered with H.323 Gatekeeper can use it to participate in video, audio, and
data conferences in local area networks (LANs) and wide area networks (WANs), across
multiple firewalls, and over the Internet.
Broad Application Support
ISA Server predefines about 100 application protocols and allows administrators to
define additional protocols based on port number, protocol type (TCP or UDP), and direction.
Bandwidth Rules
Bandwidth rules determine which connection gets priority over another. ISA Server
bandwidth control does not limit how much bandwidth can be used. Rather, it informs
the Windows 2000 QoS packet scheduling service how to prioritize network connections.
Integrated Virtual Private Networking
ISA Server helps administrators set up and secure a virtual private network (VPN).
ISA Server can be configured as a VPN server to support secure, gateway-to-gateway
communications or client-to-gateway remote access communications over the Internet.
The local VPN Wizard runs on ISA Server on the local network. The local ISA VPN
computer connects to its Internet Service Provider (ISP). The remote VPN wizard runs
on the ISA Server on the remote network.
A tunneling protocol, such as PPTP or L2TP, is used to manage tunnels and encapsulate
private data. Tunneled data must also be encrypted for the connection to be a VPN connection;
L2TP relies on IPSec for this, while PPTP uses MPPE.
Integrated Intrusion Detection
ISA Server features an integrated intrusion-detection mechanism. This identifies when an
attack is attempted against the network. The firewall administrator can set alerts to trigger
when an intrusion is detected. You can also specify, with alerts, what action the system should
take when the attack is recognized.
Packet Filter Intrusions
All Ports Scan Attack. An attempt is made to access more than the preconfigured
number of ports.
Enumerated Port Scan Attack. An attempt is made to count the services running
on a computer by probing each port for a response.
IP Half Scan Attack. Repeated attempts are made to connect to a destination
computer, but no corresponding connection is established.
Land Attack. A land attack involves a TCP connection that was requested by a
spoofed source IP address and port number that match the destination IP address and
port number.
Ping of Death Attack. A large amount of data is appended to an Internet
Control Message Protocol (ICMP) echo request (ping) packet so that the reassembled
datagram exceeds the IP maximum of 65,535 bytes. If the attack is successfully mounted,
a kernel buffer overflows when the computer attempts to reassemble the packet, and the
computer crashes.
UDP Bomb Attack. This is an attempt to send an illegal UDP packet. A UDP
packet that is constructed with illegal values in certain fields causes some older
operating systems to crash when the packet is received.
Windows Out of Band Attack. An out-of-band (TCP urgent data) denial-of-service attack,
historically aimed at the NetBIOS session port (139) of Windows computers, is attempted
against a computer protected by ISA Server.
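An added example, not ISA Server code, that implements detectors for the packet-filter intrusions listed above and runs them over a constructed packet log. The record layout, the addresses, and the thresholds are assumptions (the well-known-port and all-port counts stand in for ISA Server's two port-scan settings, with values chosen for the demo). The signatures are the ones the list describes: matching source and destination for Land, TCP urgent data to port 139 for the Windows out-of-band attack, a fragment that would reassemble past 65,535 bytes for Ping of Death, an impossible UDP length field for the UDP bomb, and SYNs that never complete a handshake for the half scan.

```python
"""Detectors for the packet-filter intrusions listed above, run over a
constructed packet log. Added example, not ISA Server code: the record
layout, thresholds and addresses are assumptions made for the demo."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Pkt:
    proto: str                       # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    flags: frozenset = frozenset()   # TCP flags, e.g. {"SYN"}, {"URG", "ACK"}
    ip_len: int = 0                  # IP total length of this packet/fragment
    frag_off: int = 0                # fragment offset, in bytes
    udp_len: int = 0                 # value of the UDP header length field


class PacketFilterIDS:
    """Thresholds model ISA Server's two port-scan settings ('well-known
    ports' and 'ports'); the numbers here are assumed, not ISA defaults."""

    def __init__(self, well_known_threshold=10, all_ports_threshold=20,
                 half_scan_threshold=5):
        self.wk_t, self.all_t, self.half_t = (well_known_threshold,
                                              all_ports_threshold,
                                              half_scan_threshold)
        self.ports = defaultdict(set)    # (src, dst) -> distinct ports probed
        self.pending = defaultdict(set)  # src -> (dst, dport) with unfinished handshake
        self.alerts = []
        self._raised = set()

    def _alert(self, name, src):
        if (name, src) not in self._raised:  # one alert per attack and source
            self._raised.add((name, src))
            self.alerts.append(f"{name} from {src}")

    def _note_port(self, p):
        probed = self.ports[(p.src, p.dst)]
        probed.add(p.dport)
        if len(probed) >= self.all_t:
            self._alert("All ports scan", p.src)
        elif sum(1 for port in probed if port < 1024) >= self.wk_t:
            self._alert("Enumerated port scan", p.src)

    def feed(self, p):
        tcp = p.proto == "tcp"
        if tcp and "SYN" in p.flags and p.src == p.dst and p.sport == p.dport:
            self._alert("Land attack", p.src)
        if tcp and "URG" in p.flags and p.dport == 139:
            self._alert("Windows out-of-band attack", p.src)
        if p.proto == "icmp" and p.frag_off + p.ip_len > 65535:
            self._alert("Ping of death", p.src)          # reassembly would overflow
        if p.proto == "udp" and not 8 <= p.udp_len <= p.ip_len:
            self._alert("UDP bomb", p.src)               # illegal length field
        if tcp and "SYN" in p.flags and "ACK" not in p.flags:
            self.pending[p.src].add((p.dst, p.dport))    # handshake started
            self._note_port(p)
        elif tcp and "ACK" in p.flags and not p.flags & {"SYN", "RST"}:
            self.pending[p.src].discard((p.dst, p.dport))  # handshake completed
        elif p.proto == "udp":
            self._note_port(p)
        if len(self.pending[p.src]) >= self.half_t:
            self._alert("IP half scan", p.src)


def run_demo():
    """Feed a constructed log and return the alerts in the order raised."""
    ids = PacketFilterIDS()
    target, client = "203.0.113.10", "10.0.0.5"
    log = [  # a normal three-way handshake: no alert expected
        Pkt("tcp", client, target, 50000, 80, frozenset({"SYN"})),
        Pkt("tcp", target, client, 80, 50000, frozenset({"SYN", "ACK"})),
        Pkt("tcp", client, target, 50000, 80, frozenset({"ACK"})),
    ]
    # SYN scanner that never completes a handshake, ports 1-12
    log += [Pkt("tcp", "198.51.100.1", target, 44000 + n, n, frozenset({"SYN"}))
            for n in range(1, 13)]
    # UDP sweep over 25 high ports
    log += [Pkt("udp", "198.51.100.2", target, 44000, 2000 + n, ip_len=28, udp_len=8)
            for n in range(25)]
    log += [
        Pkt("tcp", target, target, 139, 139, frozenset({"SYN"})),                   # Land
        Pkt("tcp", "198.51.100.3", target, 44000, 139, frozenset({"URG", "ACK"})),  # OOB
        Pkt("icmp", "198.51.100.4", target, ip_len=48, frag_off=65520),             # ping of death
        Pkt("udp", "198.51.100.5", target, 44000, 7, ip_len=28, udp_len=4),         # UDP bomb
    ]
    for p in log:
        ids.feed(p)
    return ids.alerts


if __name__ == "__main__":
    for a in run_demo():
        print(a)
```

The half-scan detector fires after the fifth unanswered SYN from one source, before the well-known-port count reaches ten, which is the order a real console would show them; a legitimate client that completes its handshakes never accumulates pending entries and raises nothing.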
POP and DNS Application Filters
ISA Server also includes POP and DNS application filters that analyze all incoming traffic
for specific intrusions against the corresponding servers. The administrator can configure
the filters to check for the following intrusion attempts:
DNS Hostname Overflow. A DNS hostname overflow occurs when a DNS response
for a host name exceeds a certain fixed length.
DNS Length Overflow. DNS responses for IP addresses contain a length field, which
should be four bytes for an IPv4 address record; a response carrying a different length
is flagged.
DNS Zone Transfer from Privileged Ports (1-1024). A DNS zone transfer from
privileged ports (1-1024) occurs when a client system uses a DNS client application,
bound to a privileged source port, to transfer zones from an internal DNS server.
DNS Zone Transfer from High Ports (above 1024). A DNS zone transfer from high
ports (above 1024) occurs when a client system uses a DNS client application, bound to
a high source port, to transfer zones from an internal DNS server.
POP Buffer Overflow. A POP buffer overflow attack occurs when a remote attacker
attempts to gain root access of a POP server by overflowing an internal buffer on the server.
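The DNS and POP checks above, as an added example in Python (not ISA Server code). It parses raw DNS messages, compression pointers included, and reports hostname overflows (a label over 63 bytes or a name over 255), length overflows (an A record whose RDLENGTH is not 4), and AXFR requests classified by source port; the POP check flags an over-long command argument. The sample messages, the POP argument limit of 255 bytes, and the wording of the findings are constructed for the example.

```python
"""Checks in the spirit of the DNS and POP application filters, implemented
over raw DNS messages. Added example, not ISA Server code; the POP argument
limit and the sample messages are constructed assumptions."""
import struct

MAX_LABEL, MAX_NAME, QTYPE_A, QTYPE_AXFR = 63, 255, 1, 252


class NameOverflow(ValueError):
    """A label or a whole name longer than the protocol allows."""


def read_name(msg, off):
    """Decode a possibly compressed DNS name at msg[off:]; return (name, next)."""
    labels, total, end, hops = [], 0, None, 0
    while True:
        if off >= len(msg):
            raise ValueError("name runs past end of message")
        n = msg[off]
        if n & 0xC0 == 0xC0:                       # compression pointer
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if ptr >= off or hops > 16:            # must point backwards, no loops
                raise ValueError("bad compression pointer")
            end = end if end is not None else off + 2
            off, hops = ptr, hops + 1
            continue
        off += 1
        if n == 0:
            break
        if n > MAX_LABEL:
            raise NameOverflow(f"label length {n} exceeds {MAX_LABEL}")
        total += n + 1
        if total > MAX_NAME:
            raise NameOverflow(f"name length {total} exceeds {MAX_NAME}")
        labels.append(msg[off:off + n])
        off += n
    name = b".".join(labels).decode("ascii", "replace")
    return name, (end if end is not None else off)


def inspect_dns(msg, src_port):
    """Return the filter findings for one DNS message seen from src_port."""
    findings = []
    try:
        _ident, flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
        is_response, off = bool(flags & 0x8000), 12
        for _ in range(qd):
            name, off = read_name(msg, off)
            qtype, _qclass = struct.unpack("!HH", msg[off:off + 4])
            off += 4
            if qtype == QTYPE_AXFR and not is_response:
                kind = "privileged" if src_port <= 1024 else "high"
                findings.append(f"DNS zone transfer from {kind} port {src_port} for {name}")
        for _ in range(an + ns + ar):
            name, off = read_name(msg, off)
            rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10
            if rtype == QTYPE_A and rdlen != 4:   # an IPv4 address is exactly 4 bytes
                findings.append(f"DNS length overflow: A record for {name} has RDLENGTH {rdlen}")
            off += rdlen
    except NameOverflow as e:
        findings.append(f"DNS hostname overflow: {e}")
    except (ValueError, struct.error) as e:
        findings.append(f"malformed DNS message: {e}")
    return findings


def check_pop_command(line, max_arg=255):
    """POP3 filter check: an argument long enough to overrun a fixed buffer."""
    verb, _, arg = line.rstrip(b"\r\n").partition(b" ")
    if len(arg) > max_arg:
        return [f"POP buffer overflow: {verb.decode('ascii', 'replace')} "
                f"argument of {len(arg)} bytes exceeds {max_arg}"]
    return []


# --- constructed sample messages -------------------------------------------
def encode_name(name):
    return b"".join(bytes([len(lbl)]) + lbl.encode() for lbl in name.split(".")) + b"\x00"


def build_query(name, qtype):
    header = struct.pack("!6H", 0x1234, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def build_a_response(name, rdata, answer_name=None):
    """Answer uses a pointer to the question name unless answer_name is given."""
    owner = b"\xC0\x0C" if answer_name is None else encode_name(answer_name)
    question = encode_name(name) + struct.pack("!HH", QTYPE_A, 1)
    rr = owner + struct.pack("!HHIH", QTYPE_A, 1, 300, len(rdata)) + rdata
    return struct.pack("!6H", 0x1234, 0x8180, 1, 1, 0, 0) + question + rr


if __name__ == "__main__":
    print(inspect_dns(build_query("example.com", QTYPE_AXFR), 53))
    print(inspect_dns(build_a_response("www.example.com", b"\xC0\x00\x02\x01\x00\x00"), 53))
    print(inspect_dns(build_a_response("www.example.com", b"\xC0\x00\x02\x01",
                                       "A" * 70 + ".example.com"), 53))
    print(check_pop_command(b"USER " + b"A" * 1024 + b"\r\n"))
```

The name decoder refuses forward or looping compression pointers as well as over-long labels; a filter that only counted characters after decoding would itself be exposed to the malformed names it is supposed to catch.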
Secure Publishing
ISA Server uses server publishing to process incoming requests to internal servers, such as
SMTP servers, FTP servers, database servers, and others.
Server publishing allows virtually any computer on your internal network to publish to the
Internet. Security is preserved because all incoming requests and outgoing responses
pass through ISA Server: external clients connect to the ISA Server computer rather than to
the internal server, and the publishing rule (and any application filter for that protocol,
such as the SMTP filter) is applied before anything is forwarded inward.
For example, when you use Microsoft Exchange Server with ISA Server, you can create server-
publishing rules that specifically allow the e-mail server to be published to the Internet.
Lesson Summary:
The ISA Server firewall provides filtering at three separate levels:
IP packet filtering, which controls packets based on service type, port number, source
computer name, or destination computer name.
Circuit-level (protocol) filtering, which is configured through access policy rules and
publishing rules.
Application filtering, which analyzes the data stream for a particular application and
provides application-specific processing, including inspecting, screening or blocking,
redirecting, or modifying the data as it passes through the firewall.
The firewall also provides powerful and flexible access control policies, intrusion
detection, secure server publishing, bandwidth prioritizing, and VPN integration.
Lesson 3:
Overview of ISA Server Caching
ISA Server implements a cache of frequently requested objects to improve network performance.
You can configure the cache to ensure that it contains the data that is most frequently used by the
organization or accessed by your Internet clients.
High-Performance Web Cache
The Web Proxy service of ISA Server offers a cache of Web objects that fulfills client requests
from the cache.
Fast RAM caching in ISA Server stores the most frequently accessed items in RAM. It optimizes
response time by retrieving those items from memory rather than from disk.
Forward Web Caching Server
ISA Server can be deployed as a forward Web caching server that provides internal clients with
access to the Internet. ISA Server maintains a centralized cache of frequently requested Internet
objects that can be accessed by any Web browser behind the firewall.
Reverse Web Caching Server
ISA Server can be deployed in front of the organization’s Web server that is hosting a commercial
Web business or providing access to business partners.
For example (textbook p. 30): if the requested object is not in the cache of the ISA Server
computer in France, the request is routed to the ISA Server computer in Canada. If the object is
not in the cache of the array in Canada, the ISA Server array in Canada retrieves the object
from the Web server.
Scheduled Content Download
ISA Server extends your caching performance with a customizable cache download feature.
By using the ISA Server Scheduled Content Download feature, you download HTTP content
directly to the ISA Server cache, either upon request or as scheduled.
You can download a single URL, multiple URLs, or an entire Web site. When you schedule a
cache content download job, you can limit which content should be downloaded, for example by
limiting the download to a single domain or a certain number of links to be followed.
CARP and Cache Server Scalability
ISA Server Enterprise Edition uses the Cache Array Routing Protocol (CARP) to provide seamless
scaling and improved efficiency when using multiple ISA Server computers arrayed as a single logical
cache.
CARP also provides the following benefits:
It eliminates the query messaging between proxy servers that is found with conventional Internet
Cache Protocol (ICP) networks, a process that increases congestion as the number of servers increases.
Because it uses hash-based routing rather than peer-to-peer pinging, CARP becomes faster and more
efficient as more proxy servers are added.
Cache load is divided evenly across the array, or as specified by the load factor you configure
for each server.
Because ISA Server computers in an array may have different hardware, and some computers may be
more powerful than others, you may want to divide the cache load differently.
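An added example of the routing idea behind CARP, not the protocol's actual hash functions and not ISA Server code: each array member computes a score for every (URL, server) pair locally and forwards to the top scorer, with the score weighted by a per-server load factor, so no peer is ever asked whether it holds the object. The implementation is weighted rendezvous hashing; the server names and URLs are made up. It also shows why adding a member does not reshuffle the whole cache: only the URLs that now score highest on the new server move.

```python
"""Hash-based request routing in the style of CARP: every array member
computes the same per-(URL, server) score locally and sends the request to
the highest scorer, so no server has to ask its peers whether they hold the
object. Added example using weighted rendezvous hashing; it is not the CARP
v1 hash functions and not ISA Server code. Server names are made up."""
import hashlib
import math
from collections import Counter


def _score(url, server, load_factor):
    """Deterministic score in (0, inf); a larger load factor wins more often,
    in proportion to its value."""
    digest = hashlib.sha256(f"{server}|{url}".encode()).digest()
    h = int.from_bytes(digest[:8], "big")
    u = (h + 1) / (2 ** 64 + 1)          # uniform in (0, 1), never exactly 0 or 1
    return -load_factor / math.log(u)


def choose_server(url, servers):
    """servers: {name: load_factor}. Returns the member that should cache url."""
    return max(servers, key=lambda s: _score(url, s, servers[s]))


def distribute(urls, servers):
    """How many URLs each member ends up responsible for."""
    return Counter(choose_server(u, servers) for u in urls)


def moved_fraction(urls, before, after):
    """Share of URLs whose routing changed between two array configurations."""
    moved = sum(1 for u in urls if choose_server(u, before) != choose_server(u, after))
    return moved / len(urls)


def run_demo(n=10000):
    urls = [f"http://example.test/page/{i}" for i in range(n)]
    array = {"isa1": 1.0, "isa2": 1.0, "isa3": 2.0}   # isa3 has twice the capacity
    shares = {s: c / n for s, c in distribute(urls, array).items()}
    grown = dict(array, isa4=1.0)                       # add a fourth member
    return shares, moved_fraction(urls, array, grown)


if __name__ == "__main__":
    shares, moved = run_demo()
    print(shares, f"moved after adding isa4: {moved:.1%}")
```

Running the block shows isa3 taking about half of the URLs (its load factor is 2 of a total 4) and roughly a fifth of all URLs moving when a fourth equal-weight member joins, which is exactly the new member's share; nothing else changes hands.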
Hierarchical Caching
With ISA Server Enterprise Edition, you can support chained, or hierarchical, caching. The term
chaining refers to a hierarchical connection between individual ISA Server computers, or arrays of
ISA Server computers.
Web Proxy Routing
Web Proxy routing rules take the concept of chaining one step further by allowing you to route
requests conditionally, depending on the destination.
Lesson Summary:
You can use ISA server to improve communication between your local network and the Internet.
ISA Server caching also includes the following features:
Scheduled caching. You can configure when ISA Server should fetch commonly requested
content from the Internet into its cache.
Active caching. When this feature is enabled, objects that are accessed frequently are updated
automatically during periods of low network traffic.
Distributed Caching. ISA Server Enterprise Edition uses CARP to enable multiple ISA Server
computers to be arrayed as a single logical cache.
Hierarchical Caching. You can set up a hierarchy of caches, chaining together arrays of ISA
Server Enterprise Edition computers, so that clients can access objects from the cache
geographically nearest to them.
Lesson 4:
ISA Server’s Management Features
Industry research has shown that more security vulnerabilities are caused by poorly configured firewalls
than by design flaws in hardware or software. ISA Server helps to avoid such risks, minimizing the
difficulty in implementing a robust firewall through the use of its intuitive yet powerful management tools.
Intuitive User Interface
ISA Management is an MMC snap-in that provides a familiar and easy-to-navigate interface for all
ISA Server administration tasks.
ISA Server wizards step you through common tasks such as creating access policy and
publishing rules, setting up local and remote VPN connections, and configuring policy for
the mail services.
Integrated Administration
ISA Server combines firewall and cache functions in a single product. From a single interface,
administrators set access policies that are applied to both the firewall and the cache, providing
consistent control over Internet access.
Unified Policy and Access Control. Whether deployed as a firewall, Web cache server, or both,
ISA Server allows you to manage Internet access consistently by using access control policies.
Unified Management. There are benefits from using a single management interface for firewall
and Web Caching.
Policy-Based Access Control
ISA Server allows you to define and enforce Internet usage policy for an organization.
ISA Server rules use predefined, customizable, extensible, and reusable policy elements, including the following:
Client sets, which identify clients by IP address or as authenticated users and groups.
Content groups, which can be broad categories, such as text or images, or more specific types,
such as .wav, .mp3, .mov, or .gif.
Tiered Policy
ISA Server Enterprise Edition supports two levels of policy: array level and enterprise level.
NOTE: ISA Server Standard Edition supports policy at the standalone server level only.
Array Policy. ISA Server Enterprise Edition can be installed as a standalone server or as an array
member. Array policy is configured once for the array and applies to every member, so all
servers in the array enforce the same rules.
Enterprise Policy. Enterprise policy takes this centralized management one step further, allowing
you to configure one or more enterprise policies that can be applied to the arrays in your corporate
network.
Lesson Summary:
ISA Server minimizes the difficulty of implementing a robust firewall through the
use of its intuitive yet powerful management tools.
Administering the firewall and the cache from a single console with one set of policies
reduces configuration mistakes, which results in greater security.