Welcome to the ISAserver.org newsletter by Thomas W Shinder MD, MVP. Each month we will bring you interesting and helpful information on ISA Server. We want to know what all *you* are interested in hearing about. Please send your suggestions for future newsletter content to: tshinder@isaserver.org

Bandwidth management plug-in for ISA Server
ISA Server has a rich feature set right out-of-the-box. However, it lacks an integrated bandwidth manager. Bandwidth control is an essential tool, especially if your Internet costs are high. Bandwidth Splitter for ISA Server is a plug-in that covers the lack of bandwidth management in ISA Server. Its features include traffic shaping (throttling), traffic quotas, and a powerful monitoring tool that allows you to control your bandwidth in real time. Read more details and download a free trial

1. What is the State of the Art for Perimeter Protection?

It has been a long time since we have seen any major changes to the ISA Firewall. It was way back in 2004 when ISA 2004 was released. At that time, ISA 2004 represented a major departure from the Proxy 2.0 and the subsequent ISA Server 2000 products. It was such a big change that you could leverage very little of what you knew about ISA 2000 to understand how ISA 2004 worked. Two years later, ISA 2006 was released, and relatively few changes or features were included with the product. True, there were some significant security enhancements to flood mitigation and new support for Web Farm Load Balancing and Kerberos Constrained Delegation, but nothing that we would consider earth shaking or that added significantly to the overall security posture of an organization that deploys an ISA Firewall. Now we're in the first quarter of 2008. What has changed since then? What would you consider state of the art for a network edge firewall or an internal perimeter firewall?
While I don't claim to have any special insights into these issues, here are a few things that I think the next version of the ISA Firewall needs to include to get near to something I'd call state of the art:

- Support for multiple WAN connections. While this does not add to security, it adds to high availability, which is a component of security.
- Support for static NAT configuration. Again, while this does not add to the overall security of the device, you need to do this to support publishing scenarios where you need to control a specific source port for outbound communications.
- A built-in content inspection engine. This is a security issue. What we need is a built-in content inspection engine that allows you to control access based on content and block undesirable content. This includes not only inspecting the content of the communications, but also checking the data stream for malware.
- Built-in support for site control. While previous versions of the ISA Firewall allowed you to create your own lists of sites to allow or deny, the administrative overhead of creating your own lists is just too high. The edge security device should have built-in support for accessing commercial databases of dangerous sites.
- Built-in support for text-based site control lists. There are many public lists of dangerous sites, maintained by the community at large, that are available for free. While the ISA Firewall provides some out-of-band support for this type of configuration, it's not easy or well documented. There should be built-in interface support for these community-maintained lists.
- Comprehensive IDS/IPS. While the ISA Firewall's flood protection feature is a major advance on the IDS/IPS front, there should be built-in support for a more comprehensive and configurable IDS/IPS solution, akin to Snort but more easily configurable than the Snort application.
- Enhanced support for application control. Windows Server 2008 includes, with its Windows Firewall with Advanced Security, the ability to control which applications can be used to connect to the network. However, the Windows Firewall with Advanced Security is only available with Windows Server 2008 and Windows Vista, and centralized configuration is only available through Group Policy, which affects only domain-joined computers. An advanced network edge security device would allow you to control which applications can connect through the firewall, perhaps using a hash value of the application and leveraging the remoting capabilities of the Firewall client to support this configuration. Non-domain users would be supported with local accounts on the firewall, or, if authentication is not required, only the application hash information would be sent to the ISA Firewall.
- Per-network settings for autoconfiguration. In previous versions of the ISA Firewall, the autoconfiguration information returned to clients came from a single store. This made it difficult to deploy a multi-homed ISA Firewall with multiple Internal networks.
- Comprehensive change management control and reporting. Security devices like edge firewalls require comprehensive change management, including automatic change management logging and reporting. It should not be the administrator's duty to manually trigger change management logging. Change management reports should be easy to configure and easy to interpret.
- Support for automatic backup of the firewall configuration. While not wholly a security issue, automatic backup of the firewall configuration is an important feature because firewall policies have the potential to become complex, and recreating firewall policies can end up taking many hours.
- Support for outbound SSL bridging. One of the biggest security risks on today's networks is the SSL security hole. Outbound SSL connections are like VPN connections: the firewall can't see the contents of the communication, and thus is powerless to protect against whatever might be in the SSL tunnel. While previous versions of the ISA Firewall were able to perform inbound SSL bridging and inspect the contents of the communication, they were not able to do so for outbound connections without the help of ClearTunnel from Collective Software.
- Coordination with host-based security analysis. Most organizations have some type of host-based security software installed that could be used to inform the ISA Firewall of the security state of a particular host. For example, Microsoft Forefront Client Security is a host-based anti-malware solution that also performs security scanning on all the clients that have the Forefront Client Security client software installed. The edge security device should be able to use this information to prevent communications to and from hosts that violate security policy, such as hosts missing a specific update or hosts currently infected with malware. In addition, the ISA Firewall could automatically shut down publishing rules to servers that are missing security updates and could therefore be exploitable from the Internet.
- Out-of-the-box support for a logon Web page with configurable options such as the amount of time allowed online. One of the most popular requests for the ISA Firewall is the ability to present users with a Web page that they can log on to, and then limit the amount of time the user can stay online before having to log on again. This is similar to the solutions you see in hotels, where users enter a name and a room number and are allowed access for 24 hours. While not strictly a security issue, this would be very handy for users without accounts.
- Full support for SSTP out of the box, with granular user/group-based access controls. This would extend the same powerful access controls already present in previous versions of the ISA Firewall to the new SSTP SSL VPN protocol.
- Simplified support for centralized policy configuration. The current array and CSS method for centralizing configuration makes it difficult to create a centralized configuration management design. As you know, in order to centralize configuration, all machines that share the same configuration must be members of the same array. However, array members need to be at the same site. This makes it very difficult to create a single configuration that can be applied to all branch offices. Either the requirements for array management should be changed, or another method should be provided to distribute a centralized configuration to multiple branch offices or sites.
I am sure there are more things that could be included in this list. If you have some additions, let me know! Send me a note at tshinder@isaserver.org and I will get that information to the ISA Server Team for consideration.

=======================
Quote of the Month - "Change is Inevitable" -- Anonymous
=======================

2. ISA Server 2006 Migration Guide - Order Today!

Dr. Tom Shinder's best selling books on ISA Server 2000 and 2004 were the "ISA Firewall Bibles" for thousands of ISA Firewall administrators. Dr. Tom and his illustrious team of ISA Firewall experts now present to you ISA Server 2006 Migration Guide. This book leverages the over two years of experience Tom and his team of ISA Firewall experts have had with ISA 2006, from beta to RTM and all the versions and builds in between. They've logged literally thousands of flight hours with ISA 2006 and they share the Good, the Great, the Bad and the Ugly of ISA 2006 with their no-holds-barred coverage of Microsoft's state of the art stateful packet and application layer inspection firewall. Order your copy of ISA Server 2006 Migration Guide. You'll be glad you did. Click here to Order your copy today
3. ISAserver.org Learning Zone Articles of Interest

We have a great group of articles in the Learning Zone that will help you get a handle on your most difficult configuration issues. Here are just a few of the newer and more interesting articles:

4. KB Articles of the Month

5. Tips of the Month

This tip of the month is actually based on one of the new KB articles listed in this newsletter. Some of you might have noticed that the SQL Server service takes a great amount of memory on your ISA Firewalls. You'll see this when you enable MSDE logging, which is the default logging method used by the ISA Firewall. What's actually happening is that MSDE uses the available physical memory on your computer to optimize MSDE and query processing. SQL Server is designed to release this memory when other processes request it, so the large amount of memory used by the SQL service shouldn't be a problem. However, if you are running services other than ISA Firewall related services on your ISA Firewall, you might want to reduce the amount of memory available to the SQL service. Check out the KB article at http://support.microsoft.com/kb/909636 for details on how to reduce the amount of memory used.
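As an added example (not from the newsletter and not the text of KB 909636), the following T-SQL script caps the memory the MSDE service may take, using the standard SQL Server 2000/MSDE sp_configure procedure. It assumes the ISA Firewall's logging instance is named MSFW and that the script is run locally through osql as an administrator; the 256 MB ceiling is a constructed value, not a recommendation from the page.

```sql
-- Added example, not from the newsletter or the KB article.
-- Assumes the ISA Firewall's MSDE logging instance is named MSFW and that
-- this script is run on the firewall itself, for example:
--   osql -E -S .\MSFW -i cap-msde-memory.sql
-- 'max server memory' is the standard SQL Server 2000/MSDE setting; the
-- 256 MB value below is constructed, so size it to what the box can spare.

-- 'max server memory' is an advanced option, so expose it first.
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
GO

-- Record the current ceiling (the default is 2147483647 MB, i.e. uncapped).
EXEC sp_configure 'max server memory';
GO

-- Apply the cap in megabytes. RECONFIGURE makes it effective immediately;
-- no service restart is needed and the buffer pool shrinks to fit.
EXEC sp_configure 'max server memory', 256;
RECONFIGURE;
GO

-- Confirm that config_value and run_value both now read 256.
EXEC sp_configure 'max server memory';
GO

-- Optionally hide the advanced options again.
EXEC sp_configure 'show advanced options', 0;
RECONFIGURE;
GO
```

Only apply a cap when other services actually share the box, as the tip says; a ceiling set too low starves the logging instance of cache and slows log writes and Log Viewer queries.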
6. ISA Firewall Links of the Month

7. Blog Posts

8. Ask Dr. Tom

QUESTION: Tom,
I am currently admin for an ISA 2000 Enterprise Firewall, which is installed as a perimeter gateway for the local LAN. The server is a domain member and Active Directory is used for authentication. Currently I am looking to migrate to ISA Server 2006 and continue to use AD for authentication, although I would like ISA Server to be in a workgroup and not a domain member for added security. Do you think in this scenario LDAP is reliable enough? I currently have a lab set up and found I cannot add LDAP objects, such as a user or group, to access rules. Is there any workaround for this?
Kind Regards - Shaun Harding

ANSWER: Hi Shaun! I highly recommend the upgrade to ISA 2006. The threat model on which ISA 2000 was based no longer applies to modern networks. The reason for this is that the threat model for ISA 2000 was built on the concept of a trusted network, which was the internal, corporate network at that time. Now we live in an environment in which there are no trusted networks, and no network can be trusted. That's why ISA 2006 doesn't have the concept of a trusted network: all networks are considered untrusted, and all communications moving through all interfaces of the ISA Firewall are submitted to stateful packet inspection, application layer inspection, or both.
First, you need to realize that domain membership actually increases the level of security that your ISA Firewall can provide. The idea that taking the ISA Firewall out of the domain makes it more secure is a widespread misconception. For more information on this issue, check out my article showing that domain-member ISA Firewalls are more secure.
However, if you plan to use your ISA Firewall only for publishing OWA sites (or other types of Web publishing), then taking the ISA Firewall out of the domain and using LDAP authentication is a reasonable compromise. Note that you will not be able to use user certificate authentication or Kerberos Constrained Delegation. However, you will be able to perform basic authentication and use SSL to SSL bridging. Keep in mind that you should use LDAPS, which means you'll need a computer certificate installed on your domain controller, and your ISA Firewall must be configured to trust the certificate presented to it by the domain controller.

QUESTION: Hi Dr Tom,
I'm a big fan of yours; I like your writing very much, basically because you explain how to do things and also why they should be that way. Now, my problem regarding this (as always) comprehensive troubleshooting guide is one simple question:
For the last few days I've been trying to configure one of my ISA/Exchange RPC implementations with Single Sign On. I think I've read all the info on this matter on the web, and unfortunately I didn't get a straight answer, although at this time I suspect which it is... Given 1 ISA 2006 (AD member), 1 Exchange 2003 (which is also the RPC proxy), 1 or 2 public IPs, 1 or 2 web listeners, digital certificates, and Outlook 2003 or 2007 clients, is it possible to publish RPC over HTTP securely (only to a subset of AD users) without requiring them to type their password to ISA Server? As I said, at this time I think the answer is no. But if I'm wrong, please point me in some direction.
Thanks! - Luis Barreto, Portugal

ANSWER: Hi Luis! Thanks for the kind words on my articles and writing projects. Your question is a common one. Essentially, what you want to do is make it possible for Outlook RPC/HTTP clients to not need to enter credentials when they log on to the RPC/HTTP proxy through the ISA Firewall. The problem is that by default, Outlook uses basic authentication to authenticate with the ISA Firewall, and then the ISA Firewall can delegate those Basic credentials to the RPC/HTTP proxy. This does allow for single sign-on, since the users only need to authenticate once, and that's to the ISA Firewall. But what you want is "zero sign on", where cached credentials can be used by the Outlook client to authenticate with the ISA Firewall. The answer to this, with reservations, is "yes", you can enable "zero sign on" for the Outlook client.
There are two ways to do this. The first is the easy way, which means it's going to be less secure. The second is the hard way, which means it's going to be more secure. The first method is to create an HTTPS Server Publishing Rule on the ISA Firewall. In this case, the Outlook RPC/HTTP client doesn't authenticate with the ISA Firewall at all; it authenticates with the RPC/HTTP proxy directly. A corollary of this first approach is to create a Web Publishing Rule that allows anonymous access through the ISA Firewall and is configured not to delegate credentials but to allow the client to authenticate directly with the RPC/HTTP proxy.
The second method, which is more secure because it requires that the Outlook client authenticate with the ISA Firewall, requires that you configure the ISA Firewall, the Web Publishing Rule, and the Exchange Server to support Kerberos Constrained Delegation. When Kerberos Constrained Delegation is enabled, you can use Integrated authentication at the Outlook client (NTLM is the setting on the Outlook client) and the ISA Firewall will delegate those credentials as Kerberos credentials. This requires that the ISA Firewall be configured in Active Directory to be trusted for delegation.
For more information on how to configure Kerberos Constrained Delegation, check out:
Kerberos Constrained Delegation in ISA Server 2006
Configuring ISA Firewalls (ISA 2006 RC) to Support User Certificate Authentication using Kerberos Constrained Delegation (Part 1) - Front-end/Back-end Exchange Server Publishing Scenario
Preparing the ISA Server 2006 for Kerberos Constrained Delegation

Got a question for Dr. Tom? Send it to tshinder@isaserver.org.