What’s New in Internet Security & Acceleration (ISA) Server 2004
Avinash Lotke
Technology Specialist
Microsoft Corporation
avinashl@microsoft.com
Security Issues Today
At Risk
• 14B devices on the Internet by 2010 [1]
• 35M remote users by 2005 [2]
• 65% increase in dynamic Web sites [3]
• From 2000 to 2002 reported incidents rose from 21,756 to 82,094 [4]
The Soft Underbelly
• Nearly 80 percent of 445 respondents surveyed said the Internet has been a frequent point of attack, up from 57 percent just four years ago [5]
• 90% detected security breaches [6]
• 85% detected computer viruses [6]
• 95% of all breaches avoidable with an alternative configuration [7]
• Approximately 70 percent of all Web attacks occur at the application layer [8]
Sources:
[1] Forrester Research
[2] Information Week, 26 November 2001
[3] Netcraft summary
[4] CERT, 2003
[5] CSI/FBI Computer Crime and Security Survey
[6] Computer Security Institute (CSI) Computer Crime and Security Survey 2002
[7] CERT, 2002
[8] Gartner Group
Customer Impact
Application Layer Attacks
• Identity Theft
• Web Site Defacement
• Unauthorized Access
• Modification of Data, Logs and Records
• Theft of Proprietary Information
• Service Disruption
Implications
Compliance:
• Basel 2 (EU)
• Data Protection Act (EU)
• Sarbanes-Oxley
• Gramm-Leach-Bliley
• US Patriot Act
• HIPAA
• The Privacy Act (CA)
Litigation:
• File Sharing
• Piracy
• HR Issues
• Shareholder Suits
Traditional Firewalls
Wide open to advanced attacks
• Code Red, Nimda
• SSL-based attacks
Hard to manage
• Security is complex
• IT already overloaded
• Too many moving parts
Performance vs. security tradeoff
• Bandwidth too expensive
Limited capacity for growth
• Not easily upgradeable
• Don’t scale with business
Perimeter Security Evolution
• Wide open to advanced attacks → Application-level protection
• Hard to manage → Easier to use
• Performance vs. security tradeoff → Security and performance
• Limited capacity for growth → Extensibility and scalability
Introducing: ISA Server 2004
The advanced application layer firewall, VPN and Web cache solution that enables customers to maximize IT investments by improving network security & performance
Advanced protection: Application layer security designed to protect Microsoft applications
Ease of use: Efficiently deploy, manage, and enable new usage scenarios
Fast, secure access: Empowers you to connect users to relevant information on your network in a cost-efficient manner
You need to… / ISA Delivers:
• Securely make e-mail available to outside employees → Exchange publishing
• Securely make internal applications available on the Internet → Web and Server Publishing
• Enable partners to access relevant information on my network → Integrated S2S VPN and FW
• Secure and flexible remote access, while protecting my corporate network → Integrated RRAS VPN and FW
• Securely connect my branch offices to the corporate office → Integrated FW, VPN, Cache
• Control Internet access and protect my clients from malicious Internet traffic → FW, Web Proxy
• Ensure fast access to the most frequently used web content → Caching
ISA Server 2004 New Features
Updated security architecture
Advanced protection: Application layer security designed to protect Microsoft applications
Deep content inspection
• Enhanced HTTP, customizable protocol filters
• Comprehensive/flexible policies
• Stateful routing for all IP traffic
Enhanced Exchange Server Integration
• Support for Outlook RPC over HTTP
• Enhanced Outlook Web Access security
• Easy to use configuration wizards
Fully integrated VPN
• Unified firewall-VPN filtering
• Built-in support for site-to-site IPsec tunnel mode
• Integrates with Windows Quarantine
Secure IIS and SPS
• SSL Bridging for IIS and SPS
• Easy to use Web publishing wizards
• AD, RADIUS, SecurID authentication
A Traditional Firewall’s View Of A Packet
• Only packet headers are inspected
  - Application layer content appears as a “black box”
IP Header: Source Address, Dest. Address, TTL, Checksum
TCP Header: Sequence Number, Source Port, Destination Port, Checksum
Application Layer Content: ?????????????????????? (opaque to the firewall)
• Forwarding decisions based on port numbers
  - Legitimate traffic and application layer attacks use identical ports
[Diagram: Internet → traditional firewall → Corporate Network; traffic classes shown: Expected HTTP Traffic, Unexpected HTTP Traffic, Attacks, Non-HTTP Traffic]
ISA Server’s View Of A Packet
• Packet headers and application content are inspected
IP Header: Source Address, Dest. Address, TTL, Checksum
TCP Header: Sequence Number, Source Port, Destination Port, Checksum
Application Layer Content: <html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><title>MSNBC - MSNBC Front Page</title><link rel="stylesheet" …
• Forwarding decisions based on content
  - Only legitimate and allowed traffic is processed
[Diagram: Internet → ISA Server → Corporate Network; traffic classes shown: Expected HTTP Traffic, Unexpected HTTP Traffic, Attacks, Non-HTTP Traffic]
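The two slides above contrast a header-only decision with a content-aware one. The following Python is an added illustration of that contrast, not ISA Server code: a port-based filter that treats anything on port 80 as HTTP, beside a filter that parses the request line inside the TCP payload and sorts traffic into the slide’s classes (expected HTTP, unexpected HTTP, non-HTTP). The Packet fields, the allowed-method policy, the URL length limit and the sample payloads are all constructed for the example.

```python
import re
from dataclasses import dataclass

# Added example code, not ISA Server's filter implementation. The packet
# fields and sample payloads below are constructed for illustration.

@dataclass
class Packet:
    src: str
    dst: str
    dst_port: int
    payload: bytes          # TCP payload as the firewall sees it on the wire

# What the content-aware filter expects on port 80 (a policy, not a signature)
ALLOWED_METHODS = {"GET", "HEAD", "POST"}
MAX_URL_LEN = 2048
REQUEST_LINE = re.compile(rb"^([A-Z]+) (\S+) HTTP/1\.[01]\r\n")

def port_filter(pkt: Packet) -> str:
    """Traditional firewall: headers only. Anything arriving on port 80
    is treated as HTTP; the payload is a black box."""
    return "allow" if pkt.dst_port == 80 else "deny"

def classify_http(payload: bytes) -> str:
    """Application-layer view: parse the request line inside the TCP payload.
    Returns one of the traffic classes from the slides."""
    m = REQUEST_LINE.match(payload)
    if m is None:
        return "non-http"                # some other protocol riding on port 80
    method, url = m.group(1).decode("ascii"), m.group(2)
    if method not in ALLOWED_METHODS or len(url) > MAX_URL_LEN:
        return "unexpected-http"         # well-formed HTTP, but outside policy
    return "expected-http"

def content_filter(pkt: Packet) -> str:
    """ISA-style decision: headers plus payload; only expected HTTP passes."""
    if pkt.dst_port != 80:
        return "deny"
    return "allow" if classify_http(pkt.payload) == "expected-http" else "deny"

# Constructed samples: all four arrive on port 80 and look identical to a
# port-based filter.
SAMPLES = {
    "normal_get": Packet("203.0.113.5", "192.0.2.10", 80,
        b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    "odd_method": Packet("203.0.113.5", "192.0.2.10", 80,
        b"TRACE / HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    "oversized_url": Packet("203.0.113.5", "192.0.2.10", 80,
        b"GET /" + b"a" * 3000 + b" HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    "not_http": Packet("203.0.113.5", "192.0.2.10", 80,
        b"\x00\x2a\x01BINARY-TUNNEL\x00\x00"),
}

def compare(samples=SAMPLES) -> dict:
    """Both firewalls' verdicts side by side, keyed by sample name:
    (port-filter verdict, content-filter verdict, traffic class)."""
    return {name: (port_filter(p), content_filter(p), classify_http(p.payload))
            for name, p in samples.items()}

if __name__ == "__main__":
    for name, (port_v, content_v, cls) in compare().items():
        print(f"{name:14} port-filter={port_v:5} content-filter={content_v:5} class={cls}")
```

Running it shows the port-based filter allowing all four samples while the content-aware filter admits only the ordinary GET; the method allowlist and URL limit stand in for the HTTP filter properties an administrator would set per rule.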
ISA Server 2004 New Features
New management tools and user interface
Ease of Use: Efficiently deploy, manage, and enable new usage scenarios
Multi-network architecture
• Unlimited network definitions and types
• Firewall policy applied to all traffic
• Per network routing relationships
Network templates and wizards
• Wizard automates network routing relationships
• Supports 5 common network topologies
• Easily customized for sophisticated scenarios
Visual policy editor
• Unified firewall/VPN policy with one rule base
• Drag/drop editing with scenario-driven wizards
• XML-based configuration import/export
Enhanced troubleshooting
• All new monitoring dashboard
• Real-time log viewer
• Context-sensitive task panes
ISA Server 2004 New Features
Continued commitment to integration
Fast, secure access: Empowers you to connect users to relevant information on your network
Enhanced architecture
• High speed data transport
• Utilizes latest Windows and PC hardware
• SSL bridging offloads downstream servers
Web cache
• Updated policy rules
• Serve content locally
• Pre-fetch content during low activity periods
Internet access control
• User- and group-based Web usage policy
• Extensible by third parties
Comprehensive authentication
• New support for RADIUS and RSA SecurID
• User- & group-based access policy
• Third party extensibility
ISA 2004 Architecture
[Diagram: the ISA 2004 layered architecture, user mode above kernel mode]
User mode – Firewall service
• Policy Engine and Policy Store
• Application layer filtering through the Application Filter API: SMTP Filter, DNS Filter, RPC Filter, App Filter
• Web Proxy Filter with the Web Filter API (ISAPI): Web filters
• Protocol layer filtering
Kernel mode
• Firewall Engine: kernel mode data pump (performance optimization), packet layer filtering
• TCP/IP Stack
• NDIS
Enterprise Edition
• Differences for EE over SE
  - Increased scalability and availability
  - Distributed Management: large-scale deployments with array and enterprise policies
• Key Features
  - Bi-directional NLB support for firewall arrays
  - Enterprise policy distribution and management
  - Enterprise array monitoring console
  - AD/AM-based policy store
  - CARP and hierarchical caching
  - Unlimited SMP
  - MOM pack / integration
  - Automatic array configuration / wizards
  - Array-level logging / alerting
Subject to change
OS Compatibility and Migration
• ISA 2004 SE
  - Microsoft Windows® 2000 Server or Advanced Server with Service Pack 4 or later, Windows 2000 Datacenter Server
  - Windows Server 2003 Standard Edition or Enterprise Edition (recommended)
• ISA 2004 EE
  - Windows Server 2003 Standard Edition or Enterprise Edition only
ISA Server 2004 Top Partners
• Antivirus: McAfee and GFI
• URL Filtering: SurfControl and Websense
• SSL VPN: Everywhere Networks
• SSL Acceleration: AEP
• Load Balancing / HA: Rainfinity
• Reporting: WebSpy and NetIQ
• Authentication/ID: RSA
• Application Filtering: Forum Systems and Akonix
• Deployment: Various Microsoft Partners
Demo
Celestix MSA Series Appliance
Lee Wei Shun
Product Manager
Celestix Networks Pte Ltd
Product Features
Firewall, VPN and Caching Appliance
• True APPLIANTIZED version of ISA 2004
• Optimized appliance form factor
• Web GUI for remote management
• LCD front panel for easy network configuration and status display
• One button system recovery to factory default
• Installs in less than 30 minutes
• Powered by Embedded Windows Server 2003
• Available in 3 models
MSA Web UI
Market Segments Addressed
Small Business (MSA2000)
• 1-100 users
• One or two sites
• No security staff
• DSL connection
Mid-sized Business (MSA4000)
• 101-500 users
• Multiple sites
• May or may not have dedicated security staff
• T1 or T3 connection
Enterprise (MSA5000)
• 500+ users
• Large number of sites
• Dedicated staff
• T3 or OC-3 connection
Contacts
• Asia Pacific: +65 6-844-1301, sales@celestix.com
• North America: 510-668-0700, sales@us.celestix.com
For more information, please visit www.celestix.com
Session Summary
• ISA Server 2004 provides many benefits
  - Advanced application layer firewall
  - VPN
  - Web cache solution
• ISA Server 2004 offers many improvements over ISA Server 2000
  - Enhanced user interface
  - New features
  - Improved functionality
Key takeaways
• Downloadable 120-day eval at www.microsoft.com/isaserver
• Product availability / pricing
  - August 2004
  - Per-processor license, $1499 ERP (USD)
• Best protection for Microsoft applications
• Helps protect against the growing number of application layer-based security threats
© 2004 Microsoft Corporation. All rights reserved.
This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.
Additional Ref.
Application Layer Filtering
• Modern threats call for deep inspection
  - Protects network assets from exploits at the application layer: Nimda, Slammer...
  - Provides the ability to define a fine-grained, application level security policy
  - Best protection for Microsoft applications
• Application filtering framework
  - Built in filters for common protocols: HTTP, SMTP, RPC, FTP, H.323, DNS, POP3, Streaming media
  - Scenario-driven design
  - Extensible plug-in architecture
VPN Protection
• Detunneled traffic is inspected
  - Injected back to the stack
  - ISA Server sees traffic on stack hooks
• VPN traffic is segregated
  - VPN network: all addresses allocated to VPN users
  - IP addresses dynamically added/removed
  - VPN network available in ISA Server admin
• IPSec Tunnel Mode support
  - Provides connectivity to branch office VPN
  - Simplified tools for administration
• Quarantine support
  - Quarantined users placed in quarantine network
  - IP addresses dynamically added/removed
  - Quarantine network available in ISA Server admin
VPN Quarantine
• VPN Quarantine ensures the security and configuration of clients connected via remote user VPN
• Complements Patch Management Strategy
  - Helps “buy time” for patch management
  - Enables patch management outside of Windows administrative boundaries
Customer example: VPN Quarantine
• Consists of five components
  - Quarantine Policy Service – Server
  - Quarantine Release Service – Server
  - QuarantineClient.EXE – Client
  - ISA Configuration
    - ISA Server 2004 – Firewall Rules + Enforcement
    - RRAS – Integrated with ISA
Engine Security Enhancements
• Flood-DoS protection
  - SYN-flood protection
  - Client connection quota
  - Spoofed UDP packet flooding mitigation
  - Applicable to Worm/Virus floods
• Attack/Intrusion Detection
  - IP options, DNS Attacks, IP half-scan, Port scan
• IP options filtering
  - Filter out individual options
• Lockdown mode
  - Restrict firewall machine access on service failures
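As an added illustration of two of the flood protections listed above (a per-client connection quota and SYN-flood detection by counting half-open connections), the following Python models the bookkeeping a firewall engine keeps per source address. It is example code, not ISA Server’s engine: the FloodGuard class, its thresholds and the event trace in demo() are constructed for the example and are not ISA defaults.

```python
from collections import defaultdict, deque

# Added example code illustrating a client connection quota and half-open
# (SYN without ACK) tracking. Thresholds and the event trace are constructed
# for illustration; they are not ISA Server's internals or defaults.

class FloodGuard:
    def __init__(self, max_open=20, max_half_open=10, max_new_per_window=50, window=10.0):
        self.max_open = max_open              # quota: open + half-open per source
        self.max_half_open = max_half_open    # alert threshold for unfinished handshakes
        self.max_new = max_new_per_window     # quota: new attempts per window
        self.window = window                  # seconds
        self.open_conns = defaultdict(int)    # established connections per source
        self.half_open = defaultdict(set)     # conn ids with SYN seen, handshake unfinished
        self.recent = defaultdict(deque)      # timestamps of recent attempts per source
        self.alerts = []                      # (time, source, message)

    def _prune(self, src, now):
        q = self.recent[src]
        while q and now - q[0] > self.window:
            q.popleft()

    def syn(self, src, conn_id, now):
        """A new connection attempt. Returns True if admitted, False if dropped."""
        self._prune(src, now)
        if len(self.recent[src]) >= self.max_new:
            self.alerts.append((now, src, "connection-rate quota exceeded"))
            return False
        if self.open_conns[src] + len(self.half_open[src]) >= self.max_open:
            self.alerts.append((now, src, "connection quota exceeded"))
            return False
        self.recent[src].append(now)
        self.half_open[src].add(conn_id)
        if len(self.half_open[src]) > self.max_half_open:
            self.alerts.append((now, src, "possible SYN flood: too many half-open connections"))
        return True

    def established(self, src, conn_id):
        """Handshake completed: move the connection from half-open to open."""
        if conn_id in self.half_open[src]:
            self.half_open[src].discard(conn_id)
            self.open_conns[src] += 1

    def closed(self, src, conn_id):
        """Connection torn down (or a half-open entry timed out)."""
        if conn_id in self.half_open[src]:
            self.half_open[src].discard(conn_id)
        elif self.open_conns[src] > 0:
            self.open_conns[src] -= 1

def replay(events, guard=None):
    """Run a trace of (time, kind, src, conn_id) events; kind is syn/est/close."""
    guard = guard or FloodGuard()
    admitted = dropped = 0
    for now, kind, src, conn_id in events:
        if kind == "syn":
            if guard.syn(src, conn_id, now):
                admitted += 1
            else:
                dropped += 1
        elif kind == "est":
            guard.established(src, conn_id)
        elif kind == "close":
            guard.closed(src, conn_id)
    return {"admitted": admitted, "dropped": dropped, "alerts": guard.alerts}

def demo():
    # Constructed trace: one well-behaved client, and one source that opens
    # 15 connections in 1.5 s and never completes a handshake.
    events = [(0.0, "syn", "203.0.113.5", 1), (0.05, "est", "203.0.113.5", 1),
              (0.9, "close", "203.0.113.5", 1)]
    events += [(0.1 * i, "syn", "198.51.100.9", 100 + i) for i in range(15)]
    events.sort(key=lambda e: e[0])
    return replay(events, FloodGuard(max_open=12, max_half_open=10))

if __name__ == "__main__":
    result = demo()
    print(result["admitted"], "admitted,", result["dropped"], "dropped")
    for t, src, msg in result["alerts"]:
        print(f"t={t:.1f}s {src}: {msg}")
```

In the constructed trace the flooding source trips the half-open alert on its 11th attempt and is refused from the 13th attempt on, while the well-behaved client is never touched; the per-window attempt counter handles the case where a source keeps completing and closing connections quickly instead of leaving them half-open.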
Authentication Framework
• Multi source authentication
  - Firewall client authentication
    - Transparent user authentication: LSP is loaded in user context; application transparent, protocol independent
    - Kerberos/NTLM
  - Web proxy authentication
    - Proxy auth, Reverse proxy auth, Pass through auth
    - SSL bridging
    - Basic, digest, NTLM, Kerberos, Certificates
    - RADIUS authentication, SecurID authentication
    - CRL support
    - Extensible!
  - VPN clients
    - EAP (certificates, smartcards, others)
    - MS-CHAPv2, CHAP, (S-PAP, PAP)
    - RADIUS / Windows
• Extensible authentication/authorization framework
  - Third party filters can register their own auth namespaces
RADIUS Authentication
• Federation through RADIUS proxies
• Can be used for centralized authentication services
• Domain membership not required
  - Great for DMZ placement
[Diagram: the Web Client (Browser, HTTP client) on the Internet sends an HTTP/SSL request with basic authentication to the Firewall Server; the Firewall Server sends a RADIUS request to the RADIUS Server (IAS) on the Corpnet, and the HTTP/SSL request is sent on to the Back-end Server]
ISA 2000 (old) Networking Model
• Fixed zones
  - “IN” = LAT
  - “OUT” = DMZ, Internet
• Packet filter only on external interfaces
• Single outbound policy
• NAT always
[Diagram: Internet – Static PF – DMZ 1 – ISA 2000 – Internal Network; static filtering from DMZ to Internet]
ISA 2004 Networking Model
• Any number of networks
• VPN as network
• Localhost as network
• Assigned relationships (NAT/Route)
• Per-Network policy
• Packet filtering on all interfaces
• Support for PnP & DoD
• Any topology, any policy
[Diagram: ISA 2004 at the centre, connected to VPN, Internet, CorpNet_1 … CorpNet_n, DMZ_1 … DMZ_n, Local Host Network and Net A]
Network Templates
Objective: Simplified network config
Features:
• 5 templates
• Automatic routing relationships
• Customizable
ISA 2004 Policy Model
• Single, ordered rule base
  - More logical and easier to understand
  - Easier to view and to audit
• New unified rule structure
  - Applicable to all types of policy
• Three master types of rule “templates”
  - Access rules
  - Server Publishing rules
  - Web Publishing rules
  - Application filtering properties a part of the rule
• Default System Policy
Rule Structure & Policy Mapping
Rule: action on traffic from user from source to destination with conditions
• Action: Allow; Deny
• Traffic: Protocol; IP Port / Type
• User: Any user; Authenticated users; Specific User/Group
• Source: Source network; Source IP; Originating user
• Destination: Destination network; Destination IP; Destination site
• Conditions: Published server; Published web site; Schedule; Filtering properties
Policy mapping
• Basic ISA 2004 rules → Firewall policy
  - Protocol rules
  - Site and Content rules
  - Static packet filters
  - Publishing rules
  - Web publishing rules
  - Selected filtering configuration
• Other ISA 2004 rules → Configuration policy
  - Address translation rules
  - Web routing rules
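The policy model and rule structure above describe a single ordered rule base in which each rule is an action on traffic from a user from a source to a destination with conditions. The following Python is an added illustration of how such a rule base evaluates, not ISA Server code: networks are defined as address ranges (anything undefined is “External”, in the spirit of the multi-network model), rules are checked in order, the first match decides, and nothing matching falls through to a default deny. The network names, the three rules, the schedule condition and the sample traffic are all constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Set

# Added example code: a first-match evaluator modelling the ISA 2004 rule
# structure ("action on traffic from user from source to destination with
# conditions"). Networks, rules and traffic are constructed for illustration.

@dataclass
class Network:
    name: str
    cidrs: List[str]

    def contains(self, ip: str) -> bool:
        addr = ipaddress.ip_address(ip)
        return any(addr in ipaddress.ip_network(c) for c in self.cidrs)

# Multi-network model: any address not in a defined network is "External"
NETWORKS = [
    Network("Internal", ["10.0.0.0/8"]),
    Network("DMZ", ["192.0.2.0/24"]),
    Network("VPN Clients", ["172.16.0.0/16"]),
]

def network_of(ip: str) -> str:
    for net in NETWORKS:
        if net.contains(ip):
            return net.name
    return "External"

@dataclass
class Rule:
    name: str
    action: str                  # "allow" or "deny"
    protocols: Set[str]          # {"*"} matches any protocol
    users: Set[str]              # {"any"}, {"authenticated"} or specific names
    sources: Set[str]            # network names
    destinations: Set[str]       # network names
    hours: tuple = (0, 24)       # schedule condition: [start, end) hour of day

@dataclass
class Traffic:
    src_ip: str
    dst_ip: str
    protocol: str
    user: Optional[str] = None   # None = not authenticated
    hour: int = 12

def user_matches(rule: Rule, t: Traffic) -> bool:
    if "any" in rule.users:
        return True
    if "authenticated" in rule.users:
        return t.user is not None
    return t.user in rule.users

def rule_matches(rule: Rule, t: Traffic) -> bool:
    return (("*" in rule.protocols or t.protocol in rule.protocols)
            and user_matches(rule, t)
            and network_of(t.src_ip) in rule.sources
            and network_of(t.dst_ip) in rule.destinations
            and rule.hours[0] <= t.hour < rule.hours[1])

def evaluate(rules: List[Rule], t: Traffic):
    """Single ordered rule base: the first matching rule decides.
    Nothing matched means the implicit default deny."""
    for rule in rules:
        if rule_matches(rule, t):
            return rule.action, rule.name
    return "deny", "default"

# Constructed rule base, in evaluation order: the deny for one account sits
# above the broader allow, which is why ordering matters.
RULES = [
    Rule("Deny Internet for kiosk account", "deny", {"*"}, {"kiosk"},
         {"Internal"}, {"External"}),
    Rule("Allow Web for authenticated users", "allow", {"HTTP", "HTTPS"},
         {"authenticated"}, {"Internal", "VPN Clients"}, {"External"}, (7, 19)),
    Rule("Publish DMZ web server", "allow", {"HTTPS"}, {"any"},
         {"External"}, {"DMZ"}),
]

if __name__ == "__main__":
    for t in (Traffic("10.1.2.3", "203.0.113.7", "HTTPS", "alice", 10),
              Traffic("10.1.2.3", "203.0.113.7", "HTTPS", "kiosk", 10),
              Traffic("10.1.2.3", "203.0.113.7", "HTTP", None, 10),
              Traffic("198.51.100.9", "192.0.2.10", "HTTPS")):
        print(t, "->", evaluate(RULES, t))
```

Because the rule base is a single ordered list, auditing it is a matter of reading top to bottom: an unauthenticated internal client or a request outside the schedule reaches no rule and is denied by default, and moving the kiosk deny below the allow would silently change the outcome for that account.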
Visual Policy Editor
Dashboard
Objective: Centralized status view
Features:
• Real time
• Aggregated
• Easy to spot problems
Alerts
Objective: One place for all problems
Features:
• Alerts history
• Managing alerts
• Severity & category
Sessions
Objective: Active sessions view
Features:
• Powerful query mechanism
• VPN sessions
• Disconnect session
Services
Objective: ISA and dependent services status
Features:
• Start & stop service
Reports
Objective: Comprehensive set of server activity reports
Features:
• Recurring reports
• Report categories
• Email notification
• Report publishing
Connectivity
Objective: Monitor connectivity to critical network services
Features:
• Request types
• Response time & threshold
• Grouping
Logging
Objective: View of ISA traffic activities
Features:
• Real-time mode
• Historical view
• Powerful query mechanism
Performance
Enhanced Architecture
• Optimized for real life usage scenarios
• Improvements since ISA Server 2000
  - Kernel-mode data pump
  - User-mode optimizations
  - Up to +150% (2.5X faster) for firewall (SecureNAT) traffic
  - Up to +250% (3.5X faster) for Web (transparent) proxy traffic
  - 1,000,000+ concurrent connections
• Scale up with additional CPUs
Raw throughput performance
Test | Results | Details
KM tput, 1500 MTU | 1.65 Gbps | 2-proc, 4 NICs
KM tput, 9000 MTU | 4.6 Gbps | 4-proc, 6 NICs
HTTP Filtering | 250 Mbps @ 600 cps | 2-proc, 4 NICs
(raw throughput measured using HTTP+NAT benchmark)
How?
• Design improvements
• IP Stack improvements
• Hardware improvements
Network Computing Magazine app. layer firewall review (3/03): Full inspection performance [Mbps]
Symantec FW 7.0 | 67
Sidewinder | 122
Checkpoint NG FP3 | 127
ISA 2000 FP1 | 170
Updated Firewall Client
• What is the ISA Firewall Client?
  - Enables / disables Winsock application connectivity to the Internet
  - Provides network access across ISA for Winsock-compatible applications
  - Makes intelligent decisions about the destination of traffic based on destination address
  - Will automatically detect the available firewall on the network
• What is new in ISA Firewall Client 2004?
  - Uses a secure encrypted channel with ISA Server 2004
  - Supports multiple users’ settings preferences
    - Allows two profile users to configure the firewall client to use different proxy servers
Migration Planning
• ISA 2000 SE > ISA 2004 SE
  - Configuration migration capability
  - Policy migration tool
• ISA 2000 EE > ISA 2004 EE
  - Recommend fresh approach
• ISA 2004 EE Beta > ISA 2004 EE RTM
  - Upgrade capability to be confirmed
• ISA 2004 SE > ISA 2004 EE
  - Policy extraction tool to be confirmed
Subject to change