ISA Server 2000 Best Practices from the Field Presenters: Jim Harrison - Microsoft Corp Jim Edwards - Microsoft Corp
Agenda • Introduction (Jim Harrison) • Security (Jim Harrison) • Reliability (Jim & Jim) • Performance (Jim Edwards) • Q&A
Security • Windows Configuration • Domain Association • Perimeter Network Scenarios • ISA Configuration • ISA Policies • ISA Logs • References
Windows Configuration • Patches, Patches, PATCHES! • Security checklists on • Technet • ISAServer.org • NSA
Windows Configuration • ISA Service Dependencies • ISA Server Packet Filter Extension (mspfltex) • Remote Access Connection Manager (rasman) • WMI Driver Extensions (wmi) • DCOM is required for ISA
Windows Configuration • Service Dependencies created by ISA • ICS (sharedaccess) depends on Microsoft Firewall (fwsrv) • Routing and Remote Access (remoteaccess) depends on ISA Control (isactrl)
Cache mode • IP packet filtering NOT Available • LAT / LDT NOT Available • Outgoing and Incoming Web Requests listener configurations • Best behind another (ISA) firewall
Firewall & Integrated modes • IP Filtering makes this the most secure • User- / group-based non-web traffic rules • Single-NIC installation is NOT supported without dialup as external • LAT configuration
LAT Configuration (screenshot slide: right vs. wrong configuration)
IP Packet Filtering (two screenshot slides: right vs. wrong configuration)
Admin Rights (screenshot slide: right vs. "right?" configuration)
Protocol Rules (screenshot slide: right configuration)
Protocol Rules (screenshot slide: wrong configuration)
Site & Content Rules (screenshot slide: anonymous access)
Site & Content Rules (screenshot slide: unfiltered access)
Incoming Web Listeners (screenshot slide: right vs. "right?" configuration)
Web Publishing (screenshot slide: right vs. wrong configuration)
ISA Logs • Other Server Logs • SMTP, DNS, etc. • Forensic Analysis • Securityfocus.com article • Legal Evidence • Computer Forensics • Trail of Evidence
IP Packet Filter Logs • External scans, attacks, spoofs • Log field selections • Payload is limited to the first 256 bytes
IP PF Log Examples
source-ip        destination-ip   proto  param#1  param#2  flags
68.124.157.106   123.123.123.10   Tcp    1646     17300    SYN
193.179.148.234  123.123.123.12   Tcp    4738     22       SYN
209.221.223.108  123.123.123.10   ICMP   8        0
209.221.223.108  123.123.123.11   ICMP   8        0
209.221.223.108  123.123.123.12   ICMP   8        0
209.221.223.108  123.123.123.13   ICMP   8        0
62.111.208.195   123.123.123.10   Tcp    2736     135      SYN
62.111.208.195   123.123.123.11   Tcp    2737     135      SYN
62.111.208.195   123.123.123.12   Tcp    2738     135      SYN
62.111.208.195   123.123.123.13   Tcp    2739     135      SYN
IP PF Log Bonus Slide
source-ip        destination-ip   proto  param#1  param#2  flags
211.41.55.136    123.123.123.11   Tcp    3127     3127     SYN
211.41.55.136    123.123.123.12   Tcp    3135     3127     SYN
211.41.55.136    123.123.123.13   Tcp    3140     3127     SYN
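The two packet-filter slides above show one external source touching every address in the external range on the same port or ICMP type. The following is an added example (not from the deck) that parses lines in that slide layout and reports such horizontal sweeps; the sample records reuse the addresses shown on the slides, and the layout assumption is that fields are whitespace-separated in the order source-ip, destination-ip, proto, param#1, param#2, flags.

```python
from collections import defaultdict

# Constructed sample: the records from the "IP PF Log Examples" slide, in the
# layout source-ip destination-ip proto param#1 param#2 flags. For TCP/UDP
# param#1/param#2 are the source/destination ports; for ICMP they are type/code
# (type 8 = echo request), and the flags column is absent.
SAMPLE_LOG = """\
68.124.157.106 123.123.123.10 Tcp 1646 17300 SYN
193.179.148.234 123.123.123.12 Tcp 4738 22 SYN
209.221.223.108 123.123.123.10 ICMP 8 0
209.221.223.108 123.123.123.11 ICMP 8 0
209.221.223.108 123.123.123.12 ICMP 8 0
209.221.223.108 123.123.123.13 ICMP 8 0
62.111.208.195 123.123.123.10 Tcp 2736 135 SYN
62.111.208.195 123.123.123.11 Tcp 2737 135 SYN
62.111.208.195 123.123.123.12 Tcp 2738 135 SYN
62.111.208.195 123.123.123.13 Tcp 2739 135 SYN
"""


def parse_pf_line(line):
    """Split one dropped-packet record into a dict; returns None for short/blank lines."""
    fields = line.split()
    if len(fields) < 5:
        return None
    return {
        "src": fields[0],
        "dst": fields[1],
        "proto": fields[2].upper(),
        "p1": fields[3],
        "p2": fields[4],
        "flags": fields[5] if len(fields) > 5 else "",  # ICMP rows carry no flags
    }


def find_sweeps(log_text, min_targets=3):
    """Report sources that hit >= min_targets distinct destinations with the same
    service: destination port for TCP/UDP, or ICMP type for ICMP. Returns a sorted
    list of (source, proto, service, distinct_destination_count)."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_pf_line(line)
        if rec is None:
            continue
        service = "type" + rec["p1"] if rec["proto"] == "ICMP" else rec["p2"]
        seen[(rec["src"], rec["proto"], service)].add(rec["dst"])
    return sorted((src, proto, svc, len(dsts))
                  for (src, proto, svc), dsts in seen.items() if len(dsts) >= min_targets)


if __name__ == "__main__":
    for src, proto, svc, n in find_sweeps(SAMPLE_LOG):
        print(f"sweep: {src} {proto} {svc} -> {n} destinations")
```

The single-destination hits on 17300 and 22 fall below the threshold and are not reported, which is the behaviour you want when reading a busy perimeter log for sweeps rather than for every dropped packet.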
Firewall Logs • Internal virus / worms detection • Log field selections • WP and FW share many logging options
Firewall Log Examples
c-ip         r-ip             r-port  cs-prot  s-oper   sc-status
192.168.0.1  123.123.123.123  135     TCP      Connect  13301
192.168.0.1  207.46.245.214   135     TCP      Connect  0
192.168.0.1  207.46.245.214   17300   TCP      Connect  13301
192.168.0.1  207.46.245.214   17300   TCP      Connect  0
192.168.0.1  207.46.245.214   80      TCP      Connect  13301
192.168.0.1  207.46.245.214   80      TCP      Connect  0
Web Proxy Logs • Internal, external virus / worms detection • Log field selections
Web Proxy Log Examples
• CodeRed: <SourceIP> GET www 12202 / <SourceIP> GET www 200
• Nimda: <SourceIP> GET <ISAExtIP> 12202 / <SourceIP> GET <ISAExtIP> 200
• Auth Failure: <SourceIP> GET http://www.thatsite.tld 12209
Romper-Room No-No’s • IP Packet Filtering off & IP Routing on • Enable IP Routing via RRAS or TCP/IP • LAT includes external (or DMZ) subnets • Same-subnet on internal / external NICs • FW Client installed on the ISA • “All destinations” web publishing rule
Security and Critical Hotfixes • Service Pack 1 • KB 283213 ICMP blocking (Nachi defense) • Post SP1 • KB 319374 & 321846 Web Proxy crash • MS02-027 BO in Gopher protocol handler • MS03-009 DoS in DNS IDS filter • MS03-012 DoS in Firewall Service • MS03-028 XSS in ISA Error pages • MS04-001 H.323 Vulnerability
Security References • Microsoft checklists and guides: http://www.microsoft.com/technet/security/chklist/Default.asp • http://www.microsoft.com/technet/security/tools/default.asp • CC configuration: https://s.microsoft.com/isaserver/code/commoncriteria/
Security References • NSA configuration: http://www.nsa.gov/snac/win2k/guides/w2k-11.pdf • http://www.nsa.gov/snac/win2k/guides/inf/isa.inf • Log Forensics: http://securityfocus.com/infocus/1712
Reliability • Windows Considerations • ISA Server 2000 Firewall Considerations
Reliability Windows Settings • NIC binding order • Routing table • Patch Patch Patch! • Redundancy • System Services • Extraneous Services
Reliability Windows Settings: NIC Binding Order • Internal • Top of list • NO Default gateway • DNS/WINS • External • Default gateway • Dial up issues • RAS • Dial up issues • DMZ • Doesn't matter
Reliability Windows Settings: Routing Table • Static Routes • Windows routing table • RRAS routing table • Dynamic Routes • VPN issues • VPN Clients • Mystery of the Windows VPN client gateway
Reliability Windows Settings: Patches! • Service Packs • Install them now • Latest OS and ISA SP and FP • Hotfixes • Do you need them? • What about Windows Update? • Security Updates • What's going to break? • Testing lab • Mirror config in lab • Don't let the production network be your regression testing lab
Reliability Windows Settings: Redundancy • What are you trying to accomplish? • Web v. Server Publishing Rules • NLB v. Rainwall • Bidirectional what? • Hardware Load Balancers • Pay to play • RainConnect • Redundant Internet connectivity • Outbound and inbound • NextLAND Proturbo 800
Reliability Windows Settings: System Services • Disable Junk Services • (list several of these) • Determining Required Services • Disable and test • Remote Registry Service
Reliability Windows Settings: Extraneous Software • Server Services • It's a firewall, not a firesale • Not a workstation • No Kazaa • No VPN client connections • Plug-ins • Test test test
Reliability ISA Settings • Test All Policies • Separate Inbound and Outbound Duties • Backing Up • Caching Arrays
Reliability ISA Settings: Field Test All Policies • Protocol Rules • The dreaded "all open" rule • Site and Content Rules • Kill anonymous access Site and Content Rules • Server client address set for anonymous access • Kill the HTTP (Re)Director • Can't block via Site/Content rules • Packet Filters • This ain't no pix(en) • Web and Server Publishing Rules • FQDN in Destination Sets • The mystery of the ephemeral outbound IP address • VMware • Buy now or pay later