Concepts




The main goals of ISA Server are to insulate the network from attack, improve Internet performance for clients on the internal network, and control client access to the Internet.

ISA Server maintains control of connectivity and isolates the internal network by having two completely separate physical connections—one to the Internet and one to the internal network. Each network is connected to a different network card, and all packets must pass through the ISA Server software to get from one connection to the other.

The mechanisms that ISA Server uses to achieve these aims are fairly straightforward. The following three basic techniques are used:

  • Network address translation

  • Packet filtering

  • Caching

The following sections discuss each of these techniques, as well as the different methods available to support clients. They also describe some of the core concepts used with ISA Server.

Network Address Translation

Network Address Translation (NAT) hides your actual IP address from machines beyond the device doing the translation. Only the device doing NAT needs to have a valid Internet IP address; all clients and servers on the internal network are given private addresses from the address ranges reserved for private networks. (See the Real World sidebar, “IP Addresses for Internal Networks.”)

To provide NAT, you can use a stand-alone router or firewall device, a proxy server or firewall software package such as ISA Server, or the built-in NAT functionality of Windows Small Business Server 2003.

Although NAT is the backbone of any Internet connection-sharing technique, and it does keep internal addresses from being reached directly from outside, it isn’t a security control in its own right and isn’t sufficient by itself to protect your network: it only rewrites addresses, and on its own it decides nothing about which traffic should be allowed through. ISA Server supplements NAT with additional security measures, most notably packet filtering.

start sidebar
Real World

IP Addresses for Internal Networks

Back when folks were deciding how to parcel out IP addresses, and before NAT was in common use, the need was recognized for addresses that could be used on networks not directly connected to the Internet. A special set of IP addresses called private network addresses was defined in RFC 1918 (http://www.faqs.org/rfcs/rfc1918.html) for test networks and other networks that are not routed on the public Internet.

These private network addresses allow a much larger address space than would be possible with officially assigned addresses while protecting the integrity of the Internet. A machine with one of these addresses can’t conflict with a machine elsewhere that uses the same address, because Internet routers carry no routes for these ranges and most ISPs filter them at their borders; a packet with a private source or destination address won’t travel far beyond the network it came from.

The following addresses are designated for private networks that won’t be directly connected to the Internet. They can, of course, be connected to the Internet through ISA Server or another method that performs NAT:

  • 10.0.0.0 through 10.255.255.255 (a single “Class A” network)

  • 172.16.0.0 through 172.31.255.255 (16 contiguous “Class B” networks)

  • 192.168.0.0 through 192.168.255.255 (256 contiguous “Class C” networks)

Quotation marks enclose the Class in the preceding list because the Internet Assigned Numbers Authority (IANA) no longer uses classes to define IP address spaces. But the terminology is still in common use to describe the size of the resulting address space.

One other block of addresses is important to NAT and internal networks: the “link local” block, 169.254.0.0 through 169.254.255.255. This block of addresses, defined in RFC 3330 (http://www.faqs.org/rfcs/rfc3330.html), is self-configured by a network device whenever the device fails to get an assigned address from DHCP or other means. As with the private networks defined in RFC 1918, these addresses are locally unique but not globally unique, and should never appear on the public Internet.

ISA Server automatically includes these addresses in its local address table (LAT) when you initially install the program.

end sidebar

Another byproduct of using NAT is that all the machines on a network appear to have the same single address to the outside world—the external address of the Windows Small Business Server machine itself. This allows your company to connect to the Internet with only a single public IP address.

Packet Filtering

Because every packet that passes to or from the Internet must first pass through Windows Small Business Server, ISA Server is in a perfect position to act as a gatekeeper. Besides performing simple NAT, ISA Server can inspect each packet and permit only packets that use approved protocols and ports to enter or leave the internal network. (This process is called packet filtering.) When packet filtering is enabled, you can also restrict access to specific external sites or enable only certain external sites to be seen. In addition, third-party ISA Server plug-ins can add controls and functionality.

In addition to basic packet filtering, ISA provides Stateful Packet Inspection (SPI). Rather than judging each packet in isolation, the firewall keeps a table of the connections that clients on the internal network have opened, and it allows an incoming packet through only if it belongs to one of those connections (or matches a rule that deliberately publishes a server). A packet that arrives from the Internet without a corresponding entry, because no client requested it, is dropped, and a packet whose addresses, ports, or TCP flags don’t fit the recorded state of its connection is dropped as well. This is what lets ISA Server block unsolicited inbound traffic and many spoofing and scanning attempts; it does not, however, verify the contents of the packets it forwards, so it is no substitute for encryption and integrity checking at a higher layer.
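The NAT behaviour described above (one public address shared by every internal host), the local address table from the sidebar, and the stateful connection table from this section fit together in a small model. The following is an added example written for this page, not code from the book or from ISA Server; the addresses, ports, the approved-port list, and the ephemeral port range it allocates from are all constructed for illustration, and the state table never expires entries, which a real firewall would do.

```python
# Added example, not code from the book or from ISA Server: a small model of
# how a NAT firewall with a local address table (LAT) and a connection (state)
# table treats traffic. Addresses and ports below are constructed.
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Local address table: the RFC 1918 ranges plus the RFC 3330 link-local block,
# the same ranges ISA Server puts in its LAT at installation.
LAT = [ipaddress.ip_network(n) for n in
       ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16")]


def in_lat(addr: str) -> bool:
    """True if addr is an internal (LAT) address."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in LAT)


@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int


class NatFirewall:
    """Two interfaces, one public address, outbound-only connection table."""

    def __init__(self, external_ip: str, allowed_dports=frozenset({80, 443})):
        self.external_ip = external_ip
        self.allowed_dports = allowed_dports      # the "approved ports" filter
        self.next_port = 49152                    # assumed ephemeral-port start
        self.out_table = {}   # (proto, src, sport, dst, dport) -> external port
        self.in_table = {}    # (proto, ext port, remote ip, remote port) -> (src, sport)

    def outbound(self, p: Packet) -> Optional[Packet]:
        """Packet from the internal interface. Returns the translated packet
        that goes out to the Internet, or None if the firewall drops it."""
        if not in_lat(p.src) or in_lat(p.dst):
            return None          # only internal -> external traffic is forwarded
        if p.dport not in self.allowed_dports:
            return None          # packet filter: port/protocol not approved
        key = (p.proto, p.src, p.sport, p.dst, p.dport)
        if key not in self.out_table:
            ext_port = self.next_port            # allocate a new external port
            self.next_port += 1
            self.out_table[key] = ext_port
            self.in_table[(p.proto, ext_port, p.dst, p.dport)] = (p.src, p.sport)
        # Every internal host leaves with the one external address.
        return Packet(p.proto, self.external_ip, self.out_table[key], p.dst, p.dport)

    def inbound(self, p: Packet) -> Optional[Packet]:
        """Packet from the external interface. Forwarded only if it answers a
        connection already opened from inside; anything unsolicited is dropped."""
        if p.dst != self.external_ip:
            return None
        state = self.in_table.get((p.proto, p.dport, p.src, p.sport))
        if state is None:
            return None          # no matching state: nobody asked for it, drop
        int_ip, int_port = state
        return Packet(p.proto, p.src, p.sport, int_ip, int_port)


if __name__ == "__main__":
    fw = NatFirewall("203.0.113.10")   # constructed public address (TEST-NET-3)
    out = fw.outbound(Packet("tcp", "192.168.16.5", 3000, "198.51.100.7", 80))
    print("outbound:   ", out)
    print("reply:      ", fw.inbound(Packet("tcp", "198.51.100.7", 80, "203.0.113.10", 49152)))
    print("unsolicited:", fw.inbound(Packet("tcp", "198.51.100.7", 80, "203.0.113.10", 50000)))
```

The point to take from running it: a reply is accepted only when protocol, external port, remote address and remote port all match an entry created by an outbound packet, so a packet from a different host aimed at the same external port, or a packet to a port no client opened, never reaches the internal network.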

Caching

Every company has certain Web sites that users visit regularly. ISA Server can cache information from these frequently accessed sites, so when users connect to the site, much of the information is actually delivered by the ISA server, not the remote site. Caching significantly improves the apparent speed of the connection to the Internet and leaves more Internet bandwidth available.

ISA Server uses off hours, when few users are connected to the Internet, to check frequently accessed sites to make sure the information it has stored for those sites is current. This monitoring, called active caching, helps to balance and smooth out demand, providing improved throughput during busier times because fewer pages and images need to be downloaded.

ISA Server also performs fancy tricks like splitting audio or video streams and sharing them with multiple users on the network, and performing reverse caching, which accelerates the perceived performance of the Web servers to Internet clients.

Client Types

Clients can connect to the ISA Server using the Firewall client, the SecureNAT client, or the Web Proxy client. For Windows clients, only the Firewall client is a supported method with Windows Small Business Server, and the ISA Server installation will prompt you to add the Firewall client to the automatically installed client software. For Macintosh and UNIX clients and for network devices, SecureNAT is used. Each client using SecureNAT should have its default gateway set to point to Windows Small Business Server; because a SecureNAT client doesn’t authenticate to ISA Server, rules can be applied to it only by its address, not by user or group. All systems should have their Web browsers configured to use the Web Proxy service. This is done automatically when installing the Firewall client software, but needs to be done manually for SecureNAT clients.

ISA Server Policies and Policy Elements

ISA Server is customized with rules. Setting an ISA Server rule requires two separate steps: creating the policy elements that define to what protocol, client group, time of day, address, or other element the policy will apply; and then creating the actual policy that will be applied to one or more policy elements. You might define a schedule policy element that is “Weekends”—that is, all day Saturday and Sunday. Then you might create a policy that prohibits the use of FTP. When you combine those two, you have a rule that doesn’t allow anyone to use FTP (and so to transfer files by that protocol) on the weekend.

So when you create or modify a policy element such as a Client Address Set, Protocol Definition, or Schedule, you aren’t actually creating any rules; you’re just changing the options to which the rules apply. Policies are the rules you actually create, and you apply them to policy elements.
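The two-step structure described above, elements first and then rules that reference them, is easy to see in code. The following is an added example written for this page, not code from the book or from ISA Server’s own object model; the element names, the client address range, the sample timestamps, and the evaluation order (deny rules override allow rules, and anything no rule allows is denied) are assumptions made for illustration.

```python
# Added example, not code from the book or from ISA Server: policy elements
# (Protocol Definition, Schedule, Client Address Set) modelled as reusable
# objects, and rules that bind an allow/deny action to them. Names, address
# ranges and timestamps are constructed; deny-overrides-allow is assumed.
import ipaddress
from dataclasses import dataclass
from datetime import datetime
from typing import Optional, Tuple


@dataclass(frozen=True)
class ProtocolDefinition:
    name: str
    proto: str    # "tcp" or "udp"
    port: int     # primary connection port

    def matches(self, proto: str, port: int) -> bool:
        return self.proto == proto and self.port == port


@dataclass(frozen=True)
class Schedule:
    name: str
    days: frozenset           # weekday numbers, Monday == 0 ... Sunday == 6
    hours: range = range(24)  # hours of those days during which it is active

    def active(self, when: datetime) -> bool:
        return when.weekday() in self.days and when.hour in self.hours


@dataclass(frozen=True)
class ClientAddressSet:
    name: str
    networks: Tuple[ipaddress.IPv4Network, ...]

    def contains(self, addr: str) -> bool:
        ip = ipaddress.ip_address(addr)
        return any(ip in n for n in self.networks)


@dataclass(frozen=True)
class Rule:
    """A policy: an action applied to policy elements. An element left out
    means 'any' (any protocol, any time, any client)."""
    name: str
    action: str                                   # "allow" or "deny"
    protocols: Tuple[ProtocolDefinition, ...] = ()
    schedule: Optional[Schedule] = None
    clients: Optional[ClientAddressSet] = None

    def applies(self, client: str, proto: str, port: int, when: datetime) -> bool:
        if self.protocols and not any(p.matches(proto, port) for p in self.protocols):
            return False
        if self.schedule is not None and not self.schedule.active(when):
            return False
        if self.clients is not None and not self.clients.contains(client):
            return False
        return True


def evaluate(rules, client: str, proto: str, port: int, when: datetime) -> str:
    """Assumed order: any matching deny rule wins; otherwise a matching allow
    rule permits the request; with no matching rule the default is deny."""
    matching = [r for r in rules if r.applies(client, proto, port, when)]
    if any(r.action == "deny" for r in matching):
        return "deny"
    if any(r.action == "allow" for r in matching):
        return "allow"
    return "deny"


# Policy elements first (creating these makes no rule by itself) ...
FTP = ProtocolDefinition("FTP", "tcp", 21)
HTTP = ProtocolDefinition("HTTP", "tcp", 80)
WEEKENDS = Schedule("Weekends", frozenset({5, 6}))
LAN = ClientAddressSet("Internal clients", (ipaddress.ip_network("192.168.16.0/24"),))

# ... then the rules that reference them.
RULES = [
    Rule("No FTP on weekends", "deny", protocols=(FTP,), schedule=WEEKENDS),
    Rule("Allow Web and FTP for the LAN", "allow", protocols=(HTTP, FTP), clients=LAN),
]


def check(client: str, proto: str, port: int, iso_when: str) -> str:
    """Evaluate RULES for a request at an ISO-8601 timestamp."""
    return evaluate(RULES, client, proto, port, datetime.fromisoformat(iso_when))


if __name__ == "__main__":
    print(check("192.168.16.5", "tcp", 21, "2004-01-03T10:00"))  # Saturday: deny
    print(check("192.168.16.5", "tcp", 21, "2004-01-05T10:00"))  # Monday: allow
```

Changing the Weekends schedule (say, to add Friday evening) alters every rule that references it without touching the rules themselves, which is exactly why elements and policies are kept separate.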






Microsoft Windows Small Business Server 2003 Administrator's Companion
ISBN: 0735620202
Year: 2004
Pages: 224