List of Figures


Chapter 1: Introduction to Information Security

Figure 1.1: TCP Uses a "Three-Way Handshake" to Establish a Connection between Client and Server
Figure 1.2: An Intruder with Access to the Hub Can Easily Intercept Data
Figure 1.3: Security Hierarchy

Chapter 2: Firewall Concepts

Figure 2.1: The OSI Model
Figure 2.2: Application Proxy Data Flow
Figure 2.3: A Web Server Located Outside the Firewall
Figure 2.4: A Web Server Located Inside the Firewall
Figure 2.5: A DMZ Network
Figure 2.6: A Two-Firewall Architecture
Figure 2.7: Static Address Translation
Figure 2.8: Dynamic Address Translation
Figure 2.9: VPN Deployment

Chapter 3: DMZ Concepts, Layout, and Conceptual Design

Figure 3.1: Original Basic Firewall Configuration
Figure 3.2: Generic DMZ Configuration
Figure 3.3: A Basic Network with a Single Firewall
Figure 3.4: Basic Network, Single Firewall and Bastion Host (Untrusted Host)
Figure 3.5: A Basic Firewall with a DMZ
Figure 3.6: A Dual Firewall with a DMZ
Figure 3.7: Multi-DMZ Infrastructure
Figure 3.8: An Internal/External Firewall Sandwich
Figure 3.9: Basic Single-Firewall Flow
Figure 3.10: A Basic Firewall with Bastion Host Flow
Figure 3.11: A Basic Single Firewall with DMZ Flow
Figure 3.12: A Dual Firewall with DMZ Flow
Figure 3.13: A Basic Screened Subnet
Figure 3.14: A Method to Provide Out-of-Band Management in the DMZ
Figure 3.15: DMZ Servers in a Conceptual Highly Available Configuration
Figure 3.16: Traditional "Three-Legged" Firewall with Redundancy

Chapter 4: Introduction to Intrusion Detection Systems

Figure 4.1: NIDS Network
Figure 4.2: HIDS Network
Figure 4.3: DIDS Network
Figure 4.4: Directory Traversal Footprint
Figure 4.5: CodeRed Footprint
Figure 4.6: Nimda Footprint

Chapter 5: Implementing a Firewall with Ipchains and Iptables

Figure 5.1: A Linux System Configured as a Forwarding Router
Figure 5.2: Masquerading the 10.1.2.0 Network as the 66.1.5.1 IP Address
Figure 5.3: Firestarter Warning
Figure 5.4: The Firestarter Configuration Wizard Initial Screen
Figure 5.5: The Network Device Configuration Screen
Figure 5.6: The Services Configuration Window
Figure 5.7: The ICMP Configuration Screen
Figure 5.8: Completing the Firewall Generation Process in Firestarter
Figure 5.9: The Firestarter Main Interface
Figure 5.10: Viewing Logged Packet Matches in Firestarter
Figure 5.11: The Add New Rule Dialog Box
Figure 5.12: Allowing SSH and Telnet Service to a System Named "keats"
Figure 5.13: The IP Masquerade Configuration Screen
Figure 5.14: The ToS Configuration Screen

Chapter 6: Maintaining Open Source Firewalls

Figure 6.1: Scanning an Open Router
Figure 6.2: The /etc/firelog.conf File
Figure 6.3: Viewing an fwlogwatch HTML File
Figure 6.4: Viewing a Report in Microsoft Internet Explorer
Figure 6.5: The fwlogwatch Configuration File
Figure 6.6: The /usr/sbin/fwlw_notify File
Figure 6.7: Viewing E-Mail Alerts Generated by fwlogwatch
Figure 6.8: A Windows 2000 Advanced Server "Pop Up" Message
Figure 6.9: The fwlw_Respond File
Figure 6.10: The fwlogsummary.small.cgi File
Figure 6.11: Viewing the Results of the fwlogsummary.small.cgi Script
Figure 6.12: The fwlogsummary.cgi File
Figure 6.13: Viewing the Index Page Generated by fwlogsummary.cgi
Figure 6.14: Viewing the All and Name Resolution Page

Chapter 7: Configuring Solaris as a Secure Router and Firewall

Figure 7.1: A hme0 Interface That Has Been Configured with DHCP
Figure 7.2: Browsing dmesg for Interfaces Detected during Bootstrap
Figure 7.3: A Configured IPv6 Address Attached to the hme0:1 Interface after a Reboot
Figure 7.4: IPv6 Addresses Specified via the ipnodes File
Figure 7.5: Code from the S69inet Script That Determines the System Is a Router if the ndpd.conf File Is Found
Figure 7.6: System in a Multihomed State
Figure 7.7: An ipnodes File Entry for a Host That Will Boot with IPv6 Configured

Chapter 8: Introduction to PIX Firewalls

Figure 8.1: The IP Header
Figure 8.2: The TCP Header
Figure 8.3: Basic ASA Operations
Figure 8.4: The UDP Header
Figure 8.5: Configuring Hyperterm
Figure 8.6: Port Communication Properties for Hyperterm
Figure 8.7: Sample Output from Boot Sequence

Chapter 9: Passing Traffic

Figure 9.1: A Network Address Translation Example
Figure 9.2: An Identity Network Address Translation Example
Figure 9.3: The Secure Corporation Access List Example
Figure 9.4: Secure Corporation Revised Network Layout
Figure 9.5: A Port Redirection Example
Figure 9.6: A Complex Configuration Example

Chapter 10: Advanced PIX Configurations

Figure 10.1: Client Redirection without Application Inspection
Figure 10.2: Application Inspection in Action
Figure 10.3: Active FTP Connection Flow
Figure 10.4: Passive FTP Connection Flow
Figure 10.5: The DNS Guard Operation
Figure 10.6: RSH Connection Establishment
Figure 10.7: RPC Connection Flow
Figure 10.8: Interaction Among a Client, a Web Server, PIX, and a Filtering Server
Figure 10.9: TCP Intercept in PIX v5.3 and Later
Figure 10.10: IGMP Used to Report Membership in a Multicast Group

Chapter 11: Troubleshooting and Performance Monitoring

Figure 11.1: The OSI Model
Figure 11.2: PIX Firewall Interface Numbering
Figure 11.3: PIX Firewall LED Indicators
Figure 11.4: Ethernet Cable Pinouts
Figure 11.5: Gigabit Ethernet SC Fiber Optic Connector
Figure 11.6: Multimode Fiber Optic Cable
Figure 11.7: IP Addressing Problem
Figure 11.8: Default Route Example
Figure 11.9: Static Routes
Figure 11.10: RIP Routing
Figure 11.11: Failover Cable Pinout
Figure 11.12: Translation in Action
Figure 11.13: Access Scenario
Figure 11.14: IPsec Configuration
Figure 11.15: IKE Process
Figure 11.16: Output of the show processes Command

Chapter 12: Installing and Configuring VPN-1/FireWall-1 Next Generation

Figure 12.1: Check Point's User Center
Figure 12.2: Enable IP Forwarding in WinNT 4.0
Figure 12.3: Welcome Screen
Figure 12.4: License Agreement
Figure 12.5: Product Menu
Figure 12.6: Server/Gateway Components
Figure 12.7: Selected Products
Figure 12.8: Progress Window
Figure 12.9: VPN-1 & FW-1 Installation
Figure 12.10: VPN-1/FW-1 Product Specification
Figure 12.11: Backward Compatibility Screen
Figure 12.12: Choose Destination Location
Figure 12.13: Copying Files
Figure 12.14: Setup Information
Figure 12.15: Management Client Location
Figure 12.16: Select Management Clients to Install
Figure 12.17: Management Clients Copying Files
Figure 12.18: Setup Complete
Figure 12.19: Licenses
Figure 12.20: Adding a License
Figure 12.21: License Added Successfully
Figure 12.22: Configuring Administrators
Figure 12.23: Adding an Administrator
Figure 12.24: Administrators
Figure 12.25: GUI Clients Configuration Window
Figure 12.26: GUI Clients Configuration Window Sample Configuration
Figure 12.27: Key Hit Session
Figure 12.28: Certificate Authority Initialization
Figure 12.29: CA Initialized Successfully
Figure 12.30: Management Server Fingerprint
Figure 12.31: NG Configuration Complete
Figure 12.32: Reboot Computer
Figure 12.33: Check Point Configuration Tool
Figure 12.34: Enforcement Module Configuration Tool
Figure 12.35: Secure Internal Communication
Figure 12.36: High Availability
Figure 12.37: Add/Remove Check Point VPN-1/FW-1 NG
Figure 12.38: Confirm Program Removal
Figure 12.39: Check Point Warning
Figure 12.40: Stopping Services
Figure 12.41: Removing VPN-1/FW-1 Files
Figure 12.42: VPN-1/FW-1 Uninstall Complete
Figure 12.43: Add/Remove Check Point SVN Foundation NG
Figure 12.44: SVN Foundation Maintenance Complete
Figure 12.45: Add/Remove Management Clients NG
Figure 12.46: Maintenance Finished
Figure 12.47: UnixInstallScript
Figure 12.48: Welcome to Check Point NG
Figure 12.49: License Agreement
Figure 12.50: Select Products to Install
Figure 12.51: Choose the Type of Installation
Figure 12.52: Backward Compatibility
Figure 12.53: Validation Screen
Figure 12.54: Installation Progress
Figure 12.55: Welcome to Check Point Configuration Screen
Figure 12.56: Setting Group Permissions
Figure 12.57: Random Pool
Figure 12.58: Configuring Certificate Authority
Figure 12.59: Installation Complete
Figure 12.60: Environment Variables
Figure 12.61: cpconfig
Figure 12.62: Secure Internal Communication Configuration
Figure 12.63: High Availability Configuration
Figure 12.64: Package Removal Choices
Figure 12.65: Uninstall of VPN-1/FW-1
Figure 12.66: Uninstall of VPN-1/FW-1 Continued
Figure 12.67: Management Clients Package Removal
Figure 12.68: Nokia's Voyager GUI
Figure 12.69: cpconfig on Nokia
Figure 12.70: Managing Installed Packages

Chapter 13: Using the Graphical Interface

Figure 13.1: Policy Editor
Figure 13.2: View Selection
Figure 13.3: Topology Map
Figure 13.4: Network Objects Manager
Figure 13.5: Workstation Properties, General Window
Figure 13.6: Workstation Properties with Check Point Products Installed
Figure 13.7: Network Properties—General Window
Figure 13.8: Domain Properties
Figure 13.9: OSE Device—General Window
Figure 13.10: Cisco OSE Setup Window
Figure 13.11: Embedded Device General Properties
Figure 13.12: Group Properties
Figure 13.13: Logical Server Properties Window
Figure 13.14: Address Range Properties Window
Figure 13.15: Gateway Cluster—General Panel
Figure 13.16: Dynamic Object Properties Window
Figure 13.17: TCP Service Properties
Figure 13.18: Advanced TCP Service Properties
Figure 13.19: Advanced UDP Service Properties
Figure 13.20: RPC Service Properties
Figure 13.21: ICMP Service Properties
Figure 13.22: User-Defined Service Properties—General Panel
Figure 13.23: Group Properties
Figure 13.24: DCE-RPC Properties
Figure 13.25: RADIUS Server Properties
Figure 13.26: TACACS Server Properties
Figure 13.27: LDAP Account Unit Properties
Figure 13.28: Time Object—Days Panel
Figure 13.29: Virtual Link Properties—SLA Parameters
Figure 13.30: New Rule
Figure 13.31: Add Object
Figure 13.32: Global Properties
Figure 13.33: Implied Rules
Figure 13.34: SecureUpdate GUI
Figure 13.35: Adding a License
Figure 13.36: License Repository—View All Licenses
Figure 13.37: Expired Licenses
Figure 13.38: Check Point Log Viewer
Figure 13.39: Column Options Window
Figure 13.40: System Status GUI

Chapter 14: Creating a Security Policy

Figure 14.1: Steps to Writing a Security Policy
Figure 14.2: Boot Security
Figure 14.3: Global Properties Implied Rules
Figure 14.4: New Security Policy Dialog
Figure 14.5: Workstation Properties with Check Point Products Installed
Figure 14.6: Topology Window
Figure 14.7: Topology Definition
Figure 14.8: SYNDefender Options
Figure 14.9: The Clean-Up Rule
Figure 14.10: The Stealth Rule
Figure 14.11: Rule Base from Security Policy
Figure 14.12: Context Menu for Manipulating Rules
Figure 14.13: Disabled Rule
Figure 14.14: Hidden Rules
Figure 14.15: Hidden Rules Options
Figure 14.16: Install Policy Progress Window

Chapter 15: Advanced Configurations

Figure 15.1: An HA Cluster
Figure 15.2: Enabling High Availability
Figure 15.3: Add Synchronization Network
Figure 15.4: Enabling Gateway Clusters
Figure 15.5: Gateway Cluster: General Panel
Figure 15.6: Overlapping VPN Domain in an SEP Configuration
Figure 15.7: Gateway Cluster: Topology Panel
Figure 15.8: Gateway Cluster: Cluster Members
Figure 15.9: Gateway Cluster: High Availability Panel
Figure 15.10: Gateway Cluster: Synchronization
Figure 15.11: Simple MEP Illustration
Figure 15.12: Enabling MEP
Figure 15.13: VPN Domain Types
Figure 15.14: Enabling IP Pool NAT
Figure 15.15: Configuring a Backup Gateway
Figure 15.16: Selecting the VPN Domain
Figure 15.17: Fully Overlapping VPN Domain
Figure 15.18: Overlapping VPN Domain Group
Figure 15.19: Overlapping VPN Domain
Figure 15.20: Using IP Pools

Chapter 16: Configuring Virtual Private Networks

Figure 16.1: Local Gateway's FWZ Properties Dialog
Figure 16.2: Topology Tab of the Workstation Properties Window
Figure 16.3: Rule Base Encryption Rules
Figure 16.4: FWZ Properties Window
Figure 16.5: FireWall-1 Implied Rules
Figure 16.6: IKE Properties Dialog
Figure 16.7: Shared Secret Configuration
Figure 16.8: IKE Encryption Rules
Figure 16.9: IKE Properties Dialog
Figure 16.10: Log Viewer Showing Encrypts, Decrypts, and Key Exchanges
Figure 16.11: Address Translation Disabled between VPN Domains with Manual Rules
Figure 16.12: Desktop Security Window from Policy | Global Properties
Figure 16.13: FWZ Properties
Figure 16.14: IKE Properties
Figure 16.15: SecuRemote Client Encrypt Rule
Figure 16.16: Client Encrypt Properties
Figure 16.17: SecuRemote Desktop Security Prompt During Installation
Figure 16.18: SecuRemote Adapter Configuration Screen During Installation
Figure 16.19: Creating a New Site
Figure 16.20: SecuRemote Authentication Window

Chapter 17: Overview of the Nokia Security Platform

Figure 17.1: Interface Configuration Through the Voyager Web Interface
Figure 17.2: Package Management Through the Lynx Interface
Figure 17.3: Displaying VRRP Status Using iclid
Figure 17.4: Output of Common Shell Commands

Chapter 18: Configuring the Check Point Firewall

Figure 18.1: Host Address Assignment
Figure 18.2: Initial Configuration
Figure 18.3: Configuring Licenses
Figure 18.4: Adding an Administrator
Figure 18.5: Setting Customized Permissions
Figure 18.6: Configuring Management Clients
Figure 18.7: Management Client Wildcards
Figure 18.8: Random Pool
Figure 18.9: Configuring Certificate Authority
Figure 18.10: Sending the FQDN to the ICA
Figure 18.11: Saving the Certificate Fingerprint
Figure 18.12: Installation Complete
Figure 18.13: cpconfig
Figure 18.14: SmartDashboard Login
Figure 18.15: Fingerprint Identification
Figure 18.16: Fingerprint Warning
Figure 18.17: Check Point SmartDashboard
Figure 18.18: Check Point Gateway Object
Figure 18.19: SmartDashboard Warning
Figure 18.20: Policy Installation Targets
Figure 18.21: Installation Process
Figure 18.22: Installation Succeeded
Figure 18.23: Verification and Installation Errors
Figure 18.24: Status Icon Legend

Chapter 19: Introducing the Voyager Web Interface

Figure 19.1: The Voyager Front Screen Display
Figure 19.2: The Main Configuration Screen
Figure 19.3: The Interface Configuration Screen
Figure 19.4: Configuring IP Addresses
Figure 19.5: An Applied Interface Address
Figure 19.6: Physical Interface Configuration
Figure 19.7: Interface Status Icons
Figure 19.8: Monitoring Interfaces Screen 1
Figure 19.9: Monitoring Interfaces Screen 2
Figure 19.10: Adding a Default Gateway: Gateway Column Options
Figure 19.11: Adding the Default Gateway: Address Screen
Figure 19.12: Setting Priorities on Default Gateway Route Entries
Figure 19.13: The Time Screen
Figure 19.14: The NTP Configuration Screen
Figure 19.15: NTP Configuration Options
Figure 19.16: The DNS Configuration Screen
Figure 19.17: Adding a New Hostname
Figure 19.18: Mail Relay Configuration
Figure 19.19: System Failure Notification Configuration
Figure 19.20: The Main SSH Configuration Screen
Figure 19.21: Additional SSH Options
Figure 19.22: Default Network Access Settings
Figure 19.23: S/Key Configuration
Figure 19.24: The SSL Certificate Tool
Figure 19.25: The SSL Certificate Tool, Continued
Figure 19.26: Enabling HTTPS
Figure 19.27: Accepting the Certificate

Chapter 20: Basic System Administration

Figure 20.1: System Reboot
Figure 20.2: FTP Packages
Figure 20.3: Selecting a Package for Download
Figure 20.4: Unpacked Package Details
Figure 20.5: Installing the New Package in Voyager
Figure 20.6: Enabling and Disabling Packages
Figure 20.7: Deleting Packages
Figure 20.8: Updating Images through Voyager
Figure 20.9: Voyager IPSO Upgrade Complete
Figure 20.10: Deleting IPSO Images
Figure 20.11: Managing Users
Figure 20.12: Group Management
Figure 20.13: Static Routes Display
Figure 20.14: Managing Configuration Sets
Figure 20.15: Backup Configuration
Figure 20.16: Scheduling Backups
Figure 20.17: Restore from Backup
Figure 20.18: System Logging Configuration
Figure 20.19: Remote System Logging Configuration
Figure 20.20: Configuring Crontab

Chapter 21: High Availability and Clustering

Figure 21.1: A Management Station on a Secured Network
Figure 21.2: A Management Station on an Internal ("Nonsecure") Network
Figure 21.3: NAT Rules That Ensure No NAT for Authenticating Servers
Figure 21.4: Introduction Screen When Running UnixInstallScript
Figure 21.5: The Purchased Product Screen
Figure 21.6: SVN Foundation Installation
Figure 21.7: Selecting Products to Install
Figure 21.8: Module or Management Installation Screen
Figure 21.9: Verifying Your Selections So Far
Figure 21.10: Products Installing…
Figure 21.11: Initial Configuration
Figure 21.12: A Simple Topology for ClusterXL in HA New Mode
Figure 21.13: Gateway Cluster Properties Screen
Figure 21.14: The Cluster Members Screen Before Any Members Have Been Added
Figure 21.15: Defining the Cluster Member
Figure 21.16: Uninitialized Trust between the Management Module and a Cluster Member
Figure 21.17: Trust Established between the Management Module and a Cluster Member
Figure 21.18: Module Topology
Figure 21.19: Defining the Secured Interface on One Member of the Cluster
Figure 21.20: Antispoofing Properties of the Secure Interface of a Module
Figure 21.21: Cluster Members Screen After First Member Has Been Defined
Figure 21.22: Configuring the ClusterXL Mode of Operation
Figure 21.23: Defining the State Synchronization Network
Figure 21.24: The State Synchronization Window
Figure 21.25: Our Completed Synchronization Network Definition
Figure 21.26: The Topology Screen of Cluster Before Topology Has Been Defined
Figure 21.27: Cluster Topology Definition: Defining the External Virtual IP Address
Figure 21.28: Topology of Cluster: External Interface Definition of the Cluster
Figure 21.29: The Member Network Tab of the Cluster's Interface Properties
Figure 21.30: The Completed ClusterXL Topology Definition
Figure 21.31: The IKE Certificate Message Displayed When You Click OK
Figure 21.32: Policy Install to the Cluster: Single Member Only
Figure 21.33: SmartView Status Showing Cluster with Single Member
Figure 21.34: Existing FireWall-1 Gateway Object
Figure 21.35: Adding a Firewall Gateway to a Cluster Object
Figure 21.36: fw2 Adding to Cluster Warning Message
Figure 21.37: Selecting the Interface That Will Be the Secured Network
Figure 21.38: A Cluster Gateway Showing Two Cluster Members
Figure 21.39: SmartView Status GUI Showing ClusterXL HA New Mode with Member fw2 Active
Figure 21.40: Active Traffic Routing Through the Active Cluster Member
Figure 21.41: Interface Failure on Active Member
Figure 21.42: Gratuitous ARP by fw2 to Take Over from fw1 on Failure
Figure 21.43: ClusterXL in HA New Mode, with Maintain Current Active Gateway Set After Failover
Figure 21.44: Breakdown of a CPHA Packet from Our Example
Figure 21.45: Possible Scenario If Manual ARP Entries Are Used for NAT
Figure 21.46: Using Static Routes on the ISP Router for NATed IP Addresses
Figure 21.47: Automatic NAT Settings for Cluster Member to Issue a Gratuitous ARP on Failover
Figure 21.48: SmartView Status Demonstrating a Problem with an Interface
Figure 21.49: A Load-Sharing Algorithm Hash Can Be Based on These Parameters
Figure 21.50: Packet Structure of a CPHA Packet When a Cluster Is in Load-Sharing Mode
Figure 21.51: Our Example Nokia Clustering Topology Setup
Figure 21.52: Defining General Properties of the Nokia Cluster
Figure 21.53: Topology of a Cluster Member
Figure 21.54: Availability Mode Configuration for a Nokia Cluster
Figure 21.55: Rule Showing Communication between Cluster Members
Figure 21.56: Defining Service for IPSO Cluster Control Protocol 1
Figure 21.57: Defining Service for IPSO Cluster Control Protocol 2
Figure 21.58: A Stealth Rule on a Nokia Cluster Rule Base
Figure 21.59: Installing the Security Policy for the Cluster
Figure 21.60: Voyager's Main Screen
Figure 21.61: The Initial Cluster Configuration Screen
Figure 21.62: Uninitialized Cluster in Voyager
Figure 21.63: Cluster Configuration for the First Cluster Member
Figure 21.64: Bringing Up the First Cluster Member
Figure 21.65: Member fw2 Joining the Cluster
Figure 21.66: Second Member of a Nokia Cluster Is Now Online
Figure 21.67: Analyzing the ICMP Echo Reply for the Source MAC Address
Figure 21.68: SmartView Status Does Not Show an Accurate Interface Status
Figure 21.69: Both Members Are Online as Part of the Cluster
Figure 21.70: Sample of Nokia /var/log/messages After Internal Interface Was Removed, Then Restored
Figure 21.71: One Member Only in Cluster
Figure 21.72: Display of Traffic through SmartView Monitor
Figure 21.73: Display of Traffic through Member fw1 When fw2 Fails
Figure 21.74: Example of Use of the clish Command to Check the Cluster Status
Figure 21.75: Description of a Connection through a Nokia Load-Sharing Cluster
Figure 21.76: Our Example Configuration: A Nokia VRRP Cluster
Figure 21.77: Rule Allowing IGMP Multicasts from the Cluster
Figure 21.78: Voyager's Main Screen
Figure 21.79: Initial VRRP Configuration Page in Voyager
Figure 21.80: Cluster Configuration Defining VRIDs
Figure 21.81: Configuration for One of the Virtual Routers
Figure 21.82: A Virtual Router with Monitored Interfaces Enabled
Figure 21.83: Configuring VRRP Interface Authentication
Figure 21.84: VRRP Monitor on Preferred Member Showing All Three Virtual Routers in Master Mode
Figure 21.85: The VRRP Monitor Interface Page
Figure 21.86: The VRRP Monitor Stats Page
Figure 21.87: VRRP Announcements
Figure 21.88: Turning Off State Synchronization for a Specific Service
Figure 21.89: Advanced Settings of the DNS UDP Service
Figure 21.90: Configuring Capacity Optimization of Your Cluster

Chapter 22: ISA Server Deployment Planning and Design

Figure 22.1: A Trihomed Server with a DMZ Network on the Third Interface
Figure 22.2: An Intermediary DMZ Network
Figure 22.3: A Single-Homed Web-Caching-Only Server
Figure 22.4: Disabling File and Print Sharing on the External Interface
Figure 22.5: Disabling NetBIOS on the External Interface
Figure 22.6: Mirrored Volumes Configured in a Duplex Arrangement
Figure 22.7: A RAID 5 Volume
Figure 22.8: Configuring DNS Round Robin on a Windows 2000 DNS Server

Chapter 23: ISA Server Installation

Figure 23.1: The ISA Server Setup Dialog Box
Figure 23.2: The Setup Welcome Screen
Figure 23.3: CD Key Dialog Box
Figure 23.4: The Product ID Dialog Box
Figure 23.5: The ISA Server End-User License Agreement
Figure 23.6: The ISA Server Installation Options Dialog Box
Figure 23.7: The Custom Installation Dialog Box
Figure 23.8: Add-in Services Change Option Dialog Box
Figure 23.9: The Administrative Tools Options Dialog Box
Figure 23.10: Deciding to Join an Array
Figure 23.11: Selecting the Server Installation Mode
Figure 23.12: Warning Dialog Box about IIS Services
Figure 23.13: Configuring Web Cache Size
Figure 23.14: Configuring the Local Address Table
Figure 23.15: Launch the ISA Admin Tool Dialog Box
Figure 23.16: The ISA Server Management Console
Figure 23.17: Warning about Irreversible Changes to the Active Directory
Figure 23.18: Determining Policy
Figure 23.19: Initializing the Active Directory for ISA Server
Figure 23.20: ISA Server Enterprise Initialization Tool Dialog Box
Figure 23.21: Accessing the Back Up Command
Figure 23.22: The Backup Array Dialog Box
Figure 23.23: Confirmation of a Successful Backup
Figure 23.24: Backup Files Identified in the Root of Drive C:
Figure 23.25: The General Tab in the Server's Properties Dialog Box
Figure 23.26: Beginning the Promotion Process
Figure 23.27: Array Warning Dialog Box
Figure 23.28: Setting Enterprise Policy Settings
Figure 23.29: The Promotion of the Stand-Alone Server to an Array Begins
Figure 23.30: ISA Management Reflects After Promotion to Array Status
Figure 23.31: ISAFINAL Policies Tab
Figure 23.32: The Services Dialog Box
Figure 23.33: The Backup Dialog Box
Figure 23.34: Stopping Proxy Server 2.0-Related Services
Figure 23.35: Information Box Regarding Upgrading Proxy Server
Figure 23.36: Proxy 2.0 Migration Dialog Box
Figure 23.37: The Internet Information Services Console

Chapter 24: Managing ISA Server

Figure 24.1: The ISA Management Programs Are Added to the Windows 2000 Programs Menu
Figure 24.2: The ISA Management Console Allows You to Administer Your ISA Servers and Arrays
Figure 24.3: ISA Management Can Be Added to a Custom MMC
Figure 24.4: When Adding ISA to a Custom Console, You Must Choose from Three Connection Options
Figure 24.5: ISA Management Can Be One of Several Components in a Custom MMC
Figure 24.6: You Can Select the MMC Elements You Want to Display or Hide
Figure 24.7: The Right Detail Pane Displays the Child Objects of the Selected Object in the Left Console Tree
Figure 24.8: A Standalone ISA Server Has No Enterprise Object in the Left Pane
Figure 24.9: From a Stand-Alone ISA Server, You Can Connect to Another Stand-Alone Server
Figure 24.10: You Can Choose the Columns to Display or Hide in the Right Detail Pane
Figure 24.11: The Taskpad View Provides a More Graphical, Tabbed Interface
Figure 24.12: The Advanced View Provides a Simpler, Less Cluttered, Less Intuitive Interface
Figure 24.13: Enterprise Policies Are Explicitly Assigned to Arrays Via the Arrays Tab on Their Properties Boxes
Figure 24.14: Information about Each Enterprise Policy Is Shown in the Right Detail Pane
Figure 24.15: A Check Mark in the Right Detail Pane Indicates the Policy That Is Applied
Figure 24.16: An Enterprise-Level Policy Element Named Custom Has Been Created
Figure 24.17: The Policy Element Created at the Enterprise Level Is Available to Be Applied to Rules at the Array Level
Figure 24.18: You Can Change the Array Name to Avoid Confusion with a Server by the Same Name
Figure 24.19: The Services Folder Contains Information about ISA Services on All Servers in the Array
Figure 24.20: Active Sessions Are Displayed in the Detail Pane When You Select the Sessions Folder
Figure 24.21: You Can View Reports by Double-Clicking the Report Name in the Right Detail Pane
Figure 24.22: Access the Properties Sheet for Each Array Member through the Computers Folder
Figure 24.23: New Web Publishing or Server Publishing Rules Are Created with a Wizard
Figure 24.24: The Scheduled Content Download Wizard Makes It Easy to Create a Job to Automatically Update the Cache of Specified URLs
Figure 24.25: Scheduled Content Download Jobs Appear in the Right Pane When the Folder Is Selected
Figure 24.26: Configure the Amount of Disk Space on Each NTFS Drive to Be Allocated to the ISA Cache
Figure 24.27: The Two Client Configuration Objects: Web Browser and Firewall Client
Figure 24.28: Add and Configure H.323 Gatekeepers Via the Last Second-Level Object in the Console Tree
Figure 24.29: The ISA Wizards Allow You to Check the Information Entered for Accuracy Before You Click Finish
Figure 24.30: Set Permissions on Objects Via the Security Tab on the Object's Properties Sheet
Figure 24.31: Some ISA Objects Have Special Advanced Permissions Such as the Read Alerts Information and Reset Alerts Permissions for the Alerts Object
Figure 24.32: Delete an ISA Server from an Array Via the ISA Management Console
Figure 24.33: When You Install ISA Server, If the Enterprise Has Been Initialized, You Have the Option of Joining an Existing Array
Figure 24.34: Promoting a Stand-Alone Server to Become an Array—An Operation That Cannot Be Reversed
Figure 24.35: Viewing Alerts That Occurred on the ISA Server or Array
Figure 24.36: Some Events Allow You to Specify Additional Conditions to Trigger the Alert
Figure 24.37: You Must Select at Least One Action to Be Performed When an Alert Is Triggered
Figure 24.38: View the Current Active Sessions in the Right Detail Pane of the ISA MMC
Figure 24.39: Install the Appropriate ODBC Driver to Set Up a Data Source
Figure 24.40: Logging Is Configured Via the Properties Sheet for the Service for Which Data Will Be Logged
Figure 24.41: A Name and Description for the Report Job Are Specified Via the General Tab
Figure 24.42: Configure the Reporting Interval by Selecting the Period Tab on the Properties Sheet
Figure 24.43: The Schedule Tab Allows You to Set a Start Time and a Recurrence Pattern
Figure 24.44: You Must Provide the Appropriate Credentials to Run a Report Job on a Report Computer or Array
Figure 24.45: Enter a User Account Name, Domain, and Password to Run the Report Job
Figure 24.46: Information about Each Configured Report Job Appears in the Right Detail Pane
Figure 24.47: The Reports That Have Been Generated Are Accessed from the Reports Folder
Figure 24.48: Summary Reports Include Data from the Web Proxy and Firewall Service Logs Pertaining to Network Usage
Figure 24.49: Web Usage Reports Contain Information Collected from the Web Proxy Service Log Files
Figure 24.50: Application Usage Reports Are Based on Information Collected in the Firewall Service Logs
Figure 24.51: The Traffic and Utilization Reports Combine Information from the Web Proxy and Firewall Service Logs
Figure 24.52: Security Reports Can List Authorization Failures and Other Security-Related Events Recorded in the Web Proxy Service, Firewall Service, and Packet Filter Logs
Figure 24.53: Select the Option to Use to Sort Report Data in the Report Type Properties Sheet
Figure 24.54: Set a Location for Saving Daily and Monthly Summaries, and Specify the Number of Each That Should Be Saved
Figure 24.55: Summary Files Are Saved by Default in the ISA Summaries Folder with an .ILS File Extension
Figure 24.56: To Install ISA Management on a Computer from Which You Want to Administer ISA, Select Custom Installation and Check the Administration Tools Check Box
Figure 24.57: To Manage an ISA Server Remotely, You Must First Connect to It
Figure 24.58: To Manage an Array Remotely, Choose "Connect to Enterprise and Arrays"
Figure 24.59: The Terminal Server Settings Are Configured Via the Terminal Services Configuration Tool
Figure 24.60: Use the Terminal Services Manager to View and Manage Client Sessions
Figure 24.61: Use the Client Connection Manager to Create a Connection to a Terminal Server
Figure 24.62: The Client Connection Wizard Creates a Shortcut to the Terminal Server
Figure 24.63: You Can Use the Terminal Services Client to Connect to a Terminal Server
Figure 24.64: Use the Terminal Server Desktop to Remotely Administer the ISA Server

Chapter 25: Optimizing, Customizing, Integrating, and Backing Up ISA Server

Figure 25.1: The ISA Server Performance Monitor Includes a Set of ISA Server-Specific Default Counters
Figure 25.2: In a Histogram View, Data Is Presented as a Set of Bar Charts
Figure 25.3: Report View Summarizes Data and Presents It in Text Format
Figure 25.4: The System Monitor Tool's Appearance Can Be Customized Using the Properties Sheet
Figure 25.5: Add at Least One Counter to Be Logged to the File
Figure 25.6: Use the Log Files Tab to Set Filename, Location, and Other File Properties
Figure 25.7: Use the Schedule Tab to Define Start and Stop Times for Logging
Figure 25.8: Counters to Be Monitored for Triggering of a Performance Alert Are Added Via the General Tab of the Alert Properties Sheet
Figure 25.9: After Adding Counters, You Must Define the Threshold and Data Sample Interval
Figure 25.10: You Can Select One or More Actions to Be Taken When the Alert Is Triggered
Figure 25.11: You Can Use the Schedule Tab to Schedule the Scan to Start and Stop at a Specified Time and Elect to Start a New Scan When One Finishes
Figure 25.12: A Network Message Is Sent to the Specified Account When the Alert Is Triggered
Figure 25.13: ISA Automatically Optimizes Performance Based on Number of Users Per Day
Figure 25.14: Enable Bandwidth Control and Set Effective Bandwidth for a Dial-Up Entry
Figure 25.15: The Load Factor Is Configured on the Array Membership Tab of the Computer's Properties Sheet
Figure 25.16: You Can Increase Performance by Increasing the Size of Objects That Can Be Cached in RAM
Figure 25.17: Active Caching Balances Client Web Performance Against Network Traffic
Figure 25.18: You Can Change the Cache Drive Settings for Better Performance
Figure 25.19: The Registry Keys Used to Tune ISA Performance Are Found Under HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services
Figure 25.20: The CacheSettings Script Prompts You to Specify an Array Name
Figure 25.21: The Script Runs and Displays the Results
Figure 25.22: Each Sample Filter Includes a Readme File That Provides More Information
Figure 25.23: GFI LANguard Is a Third-Party Add-On That Creates a Custom Console, Which Includes the ISA Management Snap-In
Figure 25.24: IPsec Policies Are Configured Via Windows 2000 Group Policy
Figure 25.25: You Can Select the IPsec Protocol to Be Used Via the Security Method Wizard
Figure 25.26: The ISA Management Console Provides a Tool for Backing Up Server Information
Figure 25.27: You Can Provide an Identifying Comment for the Backup File
Figure 25.28: You Must Enter a Path to the File in Which You Backed Up the Array Configuration
Figure 25.29: Backup File Information Is Displayed Prior to the Restoration

Chapter 26: Troubleshooting ISA Server

Figure 26.1: Information Gathering Can Take Many Forms
Figure 26.2: ISA Log Files Can Be Useful in Troubleshooting Various Problems
Figure 26.3: The ISA Server Help Files Contain a Special "Troubleshooting" Section
Figure 26.4: Select an Event from the Right Context Pane in the Application Log
Figure 26.5: The Event's Properties Sheet Gives You a Great Deal of Information, Including the Event ID
Figure 26.6: You Can Use the Event Category and ID to Locate the Event Message in the Help Files
Figure 26.7: The Help File Provides Information about the Event Message, an Explanation, and Suggested User Action(s)
Figure 26.8: The Searchable Knowledge Base Provides Technical Support Information and Self-Help Tools
Figure 26.9: Microsoft's ISA Server Newsgroups Provide an Excellent Source of Troubleshooting Information
Figure 26.10: Enable the DHCP Client Rule to Allow a Release and Renew of the DHCP Lease
Figure 26.11: The Authentication Method Is Configured Via the Listeners' Properties Sheet for Incoming and Outgoing Web Requests
Figure 26.12: Disconnect the Sessions of Clients Who Are Using Protocols You Want to Disable
Figure 26.13: You Can Enable IP Packet Filtering and IP Routing to Improve S-NAT Performance
Figure 26.14: Disable the Firewall Client to Allow Direct Dial-Out from the Machine
Figure 26.15: You Can Configure Which Content Will Be Cached Using the Cache Configuration Properties Sheet
Figure 26.16: Use the Secure Mail Server Option to Publish a Mail Server to External Clients

Chapter 27: Advanced Server Publishing with ISA Server

Figure 27.1: Results of netstat -na Before Disabling Socket Pooling
Figure 27.2: Disabling Socket Pooling
Figure 27.3: Running netstat -na After Disabling Socket Pooling
Figure 27.4: Disabling SMTP and NNTP Socket Pooling
Figure 27.5: Selecting the Client Address Sets Option on the Client Type Page
Figure 27.6: Selecting the Client Address Set
Figure 27.7: Configuring Terminal Services to Listen on the Internal Interface
Figure 27.8: Configuring the RDP Packet Filter
Figure 27.9: Creating the TSAC Destination Set
Figure 27.10: Entering the FQDN and Path for the Destination Set
Figure 27.11: Selecting the TSAC Site Destination Set
Figure 27.12: Configuring Authentication Requirements for the Web Publishing Rule
Figure 27.13: Entering Credentials to Access the TSAC Web Site
Figure 27.14: The Security Warning Dialog Box
Figure 27.15: The Remote Desktop Web Connection Page
Figure 27.16: The TSAC Terminal Services Session Running in Full Screen Mode
Figure 27.17: The Terminal Services Session as It Appears in the Browser
Figure 27.18: The Address Mapping Page
Figure 27.19: Change the FTP Site Listening Port
Figure 27.20: Creating the wspcfg.ini File
Figure 27.21: Saving the wspcfg.ini File
Figure 27.22: Using the CREDTOOL
Figure 27.23: Adding the User Account
Figure 27.24: The FTP Server Listening on the Alternate Port
Figure 27.25: Testing the FTP Server
Figure 27.26: Configure Internet Explorer 6.0 to Use PASV Mode
Figure 27.27: Connecting to the FTP Using PASV Mode
Figure 27.28: Confirming the FTP Server's Link with the ISA Server
Figure 27.29: Configuring FTP Packet Filters
Figure 27.30: Configuring the FTP Server Packet Filter
Figure 27.31: The PASV Mode Data Channel Packet Filter
Figure 27.32: Disabling FTP Service Socket Pooling
Figure 27.33: The FTP Service Listens on a Dedicated Address
Figure 27.34: The FTP Service Listens on a Dedicated Address
Figure 27.35: Disabling the EnablePortAttack Entry
Figure 27.36: The Address Mapping Page
Figure 27.37: Configuring Authentication Methods on the Web Requests Listener
Figure 27.38: Configuring an SSL Listener
Figure 27.39: Configuring the Redirect on the Rule Action Page
Figure 27.40: Logging on to the FTP Site
Figure 27.41: The Published FTP Site
Figure 27.42: The Incoming Web Requests Listener Interface
Figure 27.43: TCP Port 80 Listening on All External IP Addresses
Figure 27.44: Configuring Direct Access to Internal Site for Web Proxy Clients
Figure 27.45: Setting the Certification Authority Type
Figure 27.46: The CA Identifying Information Page
Figure 27.47: The Name and Security Settings Page
Figure 27.48: The Site's Common Name Page
Figure 27.49: The Request File Summary Page
Figure 27.50: Selecting the Certificate Request Information
Figure 27.51: The Certificate Server Web Site Welcome Page
Figure 27.52: The Advanced Certificate Requests Page
Figure 27.53: The Submit A Saved Request Page
Figure 27.54: Issuing the Web Site Certificate
Figure 27.55: The Check On A Pending Certificate Request Page
Figure 27.56: Downloading and Installing the Certificate
Figure 27.57: Processing the Pending Request
Figure 27.58: Reviewing the Settings
Figure 27.59: Sending the Certificate Request Directly to the Certificate Server
Figure 27.60: Choosing a Certification Authority
Figure 27.61: The Certificate Store Page
Figure 27.62: Certificates Contained in the ISA Server's Machine Store
Figure 27.63: Selecting the Web Site Server Certificate
Figure 27.64: Selecting the Web Site Server Certificate
Figure 27.65: A Completed Destination Set
Figure 27.66: The Rule Action Page
Figure 27.67: Security Alert Dialog Box Warning of an Untrusted Root Authority
Figure 27.68: Security Alert Dialog Box Warning of a Certificate Mismatch
Figure 27.69: Forcing a Secure Channel to the Web Site
Figure 27.70: The Web Proxy Service Certificate List
Figure 27.71: Configuring the Rule Action
Figure 27.72: Assigning a Client Certificate for the SSL Bridge
Figure 27.73: Security Alert Dialog Box Warning of a Name Mismatch
Figure 27.74: The Client Authentication Dialog Box
Figure 27.75: Error Page Indicating that a Client Certificate Is Required
Figure 27.76: Redirecting SSL Requests as FTP Requests
Figure 27.77: Connecting to the FTP Site
Figure 27.78: The Certificates List
Figure 27.79: CRL Distribution Point Information

Chapter 28: Protecting Mail Services with ISA Server

Figure 28.1: Checking for SMTP Service Socket Pooling
Figure 28.2: Allowing the Internal Network Mail Server to Relay through the SMTP Service on the ISA Server
Figure 28.3: Configuring Advanced Delivery Options
Figure 28.4: Checking Registry Entries for the SMTP Message Screener
Figure 28.5: The SMTP Commands Tab
Figure 28.6: Adding a Keyword to the Message Screener
Figure 28.7: Blocking Messages Based on an E-Mail Address or Domain Name
Figure 28.8: Blocking E-Mail Attachments
Figure 28.9: Entering Your Active Directory Domain Name
Figure 28.10: Configuring the LAT
Figure 28.11: Telnet to the Publishing SMTP Server
Figure 28.12: The CA Identifying Information Page
Figure 28.13: Forcing a Secure Channel to the POP3 Service
Figure 28.14: Internal and External IP Addresses Listen for Secure Communications
Figure 28.15: The Mail Service Selection Page
Figure 28.16: Establishing an Exchange RPC Connection
Figure 28.17: Outbound RPC Protocol Definition
Figure 28.18: The Custom Installation Dialog Box
Figure 28.19: Selecting the Message Screener
Figure 28.20: The SMTPCRED Tool
Figure 28.21: The DCOM Configuration Properties Dialog Box
Figure 28.22
Figure 28.23: Adding the Everyone Group
Figure 28.24: The Welcome Page
Figure 28.25: The Administrator Email Dialog Box
Figure 28.26: The Mail Server Information Page
Figure 28.27: Choosing the Mail Server Type
Figure 28.28: Remote Domain Configuration
Figure 28.29: MailSecurity Configuration
Figure 28.30: Configuring Keywords
Figure 28.31: GFI Monitor Displaying Actions in Real Time
Figure 28.32: The Moderator Client
Figure 28.33: Attachment Checking Options
Figure 28.34: The Virus Checking Engines
Figure 28.35: Configuring FTP Virus Definitions Download Options
Figure 28.36: Checking for E-Mail Exploits
Figure 28.37: Whacking Spam with the Anti-Spam Feature
Figure 28.38: Deciding What Action to Take with Filtered Mail

Chapter 29: Introducing Snort

Figure 29.1: Snort Architecture
Figure 29.2: Snort's Packet Sniffing Functionality
Figure 29.3: Snort's Preprocessor
Figure 29.4: Snort's Detection Engine
Figure 29.5: Snort's Alerting Component
Figure 29.6: An IDS Network Architecture with a Screening Router
Figure 29.7: A Firewalled Network with Snort Systems
Figure 29.8: A Firewalled Network with a DMZ
Figure 29.9: A Firewalled Network with a DMZ and Snort
Figure 29.10: A Switched Network
Figure 29.11: A Switched Network with Snort Systems

Chapter 30: Installing Snort

Figure 30.1: Snort IDS Monitoring Internal Traffic
Figure 30.2: Snort IDS Monitoring External Traffic
Figure 30.3: Selecting the Packages Utility from the Panel Menu
Figure 30.4: The Package Management System
Figure 30.5: Completing the Package Install
Figure 30.6: Running the Snort configure Script
Figure 30.7: Editing the snort.conf File in gedit
Figure 30.8: Running Snort with the Verbose Option Enabled
Figure 30.9: The Snort Installer Welcome Screen
Figure 30.10: Confirming a Successful WinPcap Installation
Figure 30.11: Completing the WinPcap Install

Chapter 31: Combining Firewalls and IDS

Figure 31.1: Network Diagram
Figure 31.2: Inline Network Diagram
Figure 31.3: xconfig Linux Kernel Configuration
Figure 31.4: xconfig Networking Options Dialog
Figure 31.5: Portscan from Web Server
Figure 31.6: Portscan from Web Server with Snort Filtering




The Best Damn Firewall Book Period
ISBN: 1931836906
EAN: 2147483647
Year: 2003
Pages: 240
