RSC North West & Bandwidth Management Advisory Service. Microsoft ISA Server, an Overview. Matthew Cook, 26th May 2004. Welcome. Matthew Cook, Senior IT Security Specialist, Loughborough University Computing Services, http://escarpment.net/. Introduction.
RSC North West & Bandwidth Management Advisory Service
Microsoft ISA Server, an Overview
Matthew Cook
26th May 2004

Welcome
Matthew Cook
Senior IT Security Specialist
Loughborough University Computing Services
http://escarpment.net/

Introduction
Provide an overview of MS ISA Server:
• Background
• ISA Server Features
• Sizing
• Patching
• Troubleshooting
• Useful links and 3rd party products

Background
Microsoft Proxy Server I
• Released November 1996
• WinSock Proxy facilities
• Lack of fault tolerance
• Lack of security features
• Left behind by rivals such as Netscape Proxy Server.

Background…
Microsoft Proxy Server II
• Fault tolerance issues addressed with the introduction of proxy server arrays
• Cache Array Routing Protocol (similar to Internet Cache Protocol)
• Automatic Synchronisation
• Caching support improved (FTP and HTTP)
• Reverse Proxy and Hosting
• MMC Compliant

Microsoft ISA Server
• Microsoft Internet Security & Acceleration Server 2000 is an internet firewall and web cache which is capable of integrating into an existing Windows infrastructure.
• Further details and resources are available at: http://www.microsoft.com/isaserver/
• ISA Server is a Firewall and a Cache or just a Cache!

Microsoft ISA Server…
• Microsoft ISA Server 2000 is a vast improvement over Microsoft Proxy Server 2.0 in terms of manageability and the fine-grained controls available to control internet usage. Policy-based access controls can restrict access to certain web sites using a number of rules:
• Time of day
• User name
• IP address
• Content type
• Website address

Microsoft ISA Server…
• Integrated Virtual Private Networking
• Integration with Active Directory
• Intrusion Detection
• Secure NAT
• Bandwidth Allocation and QoS
• Secure Server Publishing
• Enterprise Management
• Monitoring and Report Generation

Microsoft ISA Server…
• Email content screening
• H.323 Gatekeeper functionality
• Enhanced software for media streaming

What is H.323?
H.323 is the standard for the transmission of audio, video and associated data across IP based networks.
• Interoperability between systems supporting H.323.
• Uses a multitude of ports and many UDP streams.
• Very complex to firewall without pre-defined rules

Caching Types
• Hierarchical caching - allows you to set up a hierarchy of caches that requests pass through, each with the same or a different policy rule set.
• Reverse caching - ISA Server accelerates the content of local web or FTP server farms, improving the retrieval rate of objects.
• Scheduled caching - ISA Server pre-downloads and refreshes content.

Hardware Requirements
• Microsoft recommends an Intel Pentium II 300Mhz processor, 20Mb of NTFS disc space and 256Mb RAM.
• The test system was an Intel Pentium II 450mhz processor, 2Gb System Disc and for the cache two 4Gb SCSI drives and 256Mb RAM.

Hardware Requirements…
• If you are using ISA Server in firewall or integrated mode, two network adapters are required.
• The more spindles available the better, as disc speed is often the bottleneck.
• Baseline server hardware before installing into service.

Software Requirements
• Microsoft Windows 2000 (Minimum SP1)
  Microsoft ISA Server 2000
  Service Packs and Patches.
• A 120 day evaluation copy of Microsoft ISA Server 2000 is available for free download from: http://www.microsoft.com/isaserver/evaluation/trial/default.asp

ISA Server Sizing
• When installing ISA Server to use as a simple web cache (Forward caching) you need to consider the number of clients accessing the internet at one time.
• For up to 500 users, Microsoft recommend a Single PII 300Mhz machine with 256Mb RAM and 2-4Gb of disc storage.

ISA Server Sizing…
• For 500 – 1,000 users a Dual PIII 550Mhz machine with 256Mb RAM and 10GB of disc storage is recommended.
• For more than 1,000 users, two Dual PIII 550Mhz machines with 256Mb RAM and 10Gb are recommended.
Note: If you set up more than one ISA server, you will need to upgrade to ISA Server Enterprise Edition.

Secure the OS
• Patch, test, patch and yet more patching!
• Install the latest service pack.
• Install hot fixes from Windows update or via the links from MSBA.
• Microsoft Security Baseline Analyzer is available from: http://www.microsoft.com/security/

Windows 2003 Server
ISA Server is supported providing:
• ISA Server Service Pack 1 is applied
• Isahf255.exe is applied (Knowledge Base article 331062)
• You are NOT running Web Edition

Patching ISA Server
• Patch, test, patch and yet more patching!
• ISA Server Service Pack 1
• Other hot fixes: http://www.microsoft.com/isaserver/downloads/
• H.323 Security vulnerability released …

H.323 Vulnerability
Released 13th January
MS04-001
Critical – Could allow remote code execution.
The vulnerability is caused by errors in processing H.323 over TCP (default 1720).
The H.323 filter is on by default for integrated or firewall mode.

ISA Server Feature Pack 1
• Released September 2003 (4Mb)
Provides:
• Enhanced SMTP and Exchange RPC filters
• URL Scan 2.5
• RSA SecurID Authentication
• Basic Authentication Delegation
• OWA and RPC Filter Wizard
• Link translator
• More documentation

Troubleshooting
• Issues on low bandwidth links: Bandwidth Rule Wizard, KB:302875
• Cache Initialisation Errors: KB:284550
• Screensavers: Blank screen or Marquee
• Background Processes: SETI@Home and DNetC

GFI Web Monitor
• Monitors active connections on ISA Server.
• What files are being downloaded or sites being visited.
• Installs as an Application filter
• Web based access via IIS.
• Freeware
• http://www.gfisoftware.com/

Akonix Rogue Aware
• Monitors IM and P2P traffic passing through your ISA Server.
• Supports AOL, Yahoo, MSN, KaZaA, Grokster, Bearshare, Morpheus etc.
• Provides reports and security audits.
• Freeware
• http://www.akonix.com/

Links
• http://www.bmas.ja.net/
• http://www.microsoft.com/isaserver/
• http://www.isaserver.org/
• http://www.indepth-tech.com/ISAServer/

The Future
Crystal ball time…
• Windows 2003 Server
• ISA Server 2004
• Patches

ISA Server 2004
• Many firewall improvements in L7
• Improved VPN Technology
• New User Interface
• Web Caching relatively unchanged
• Beta Available
Microsoft ISA Server 2004 site: http://www.microsoft.com/isaserver/beta/