Microsoft ISA Server 2004 is a hybrid stateful packet-inspecting, circuit-filtering, and application layer proxy firewall. By hybrid, we mean that it can provide any of those functionalities at any given time based on the traffic it is receiving. If it has an application filter for the given protocol or application, it will function as an application proxy firewall for that traffic. If it does not, it will resort to either stateful packet inspecting or circuit filtering as required. In addition, ISA Server 2004 includes virtual private networking (VPN) and caching capabilities, allowing it to function as an all-in-one device that, as one would expect, integrates pretty cleanly with Microsoft-centric environments. Before we look at the features of Microsoft ISA Server 2004, let's talk about the elephant in the room, namely the perception that ISA Server 2004 is not a "real" firewall. This perception is largely the result of misinformation, lack of education regarding the product, and simple dislike/disregard of anything Microsoft being remotely considered as a security solution. When you look at ISA Server 2004 with an honest and skeptical eye, it is relatively easy to cut through many of the fallacies and realize that Microsoft ISA Server 2004 is an effective and practical firewall solution. First on the list of misconceptions is the statement that any firewall running on a Windows platform cannot be secure. This is just not factually accurate. All firewalls run on some operating system. In the case of firewalls such as the Cisco PIX Firewall or Check Point SecurePlatform, the operating system is specialized and hardened for use on a firewall. Windows, out of the box, is not designed to be run on a firewall, but it can be effectively secured and hardened following the principles of running the minimum required services and functionality necessary to operate as a firewall alone. Some excellent resources detail how to effectively secure the underlying Windows operating system:
Note Keep in mind that many of the procedures for Windows 2000 are applicable to Windows 2003 and vice versa, so do not hesitate using both the Windows 2000 and 2003 guides regardless of your actual operating system Another frequent misconception is that ISA Server 2004 is "just" an upgrade to Microsoft Proxy Server 2.0. Although ISA Server 2004 is indeed the logical upgrade to Proxy Server 2.0 (technically, ISA Server 2000 is the direct upgrade to Proxy Server 2.0), that is not to say that ISA Server 2004 is just a proxy server. Proxy Server 2.0 had absolutely no advanced firewall features. It was primarily a caching engine with basic packet-filtering capabilities. Microsoft ISA Server 2004 is a fully featured firewall, capable of performing stateful packet inspection as well as application layer filtering and proxying. In addition, it can function as a caching engine. Simply put, trying to claim that because ISA Server 2004 is an upgrade to Proxy Server it is therefore not a "real" firewall has absolutely no technical merit. Microsoft ISA Server 2004 FeaturesMicrosoft ISA Server 2004 consists of two editions: Standard Edition and Enterprise Edition. The predominant differences between the Standard and Enterprise editions relate to scalability. Table 8-1 summarizes the differences between the Standard and Enterprise editions.
As you can see, if you need multiple ISA servers working in tandem, or need additional memory and processors, you need to use the Enterprise Edition. Similarly, if you need a high-availability solution, use Enterprise Edition. In general, Microsoft ISA Server 2004's firewall features can be categorized as follows:
Security and Filtering FeaturesThe Microsoft ISA Server 2004 firewall is a hybrid firewall capable of performing the following:
Microsoft ISA Server 2004 can perform these filtering functions in a multidirectional method, supporting as many network interfaces as the physical hardware can contain. This allows for the creation of multiple demilitarized (DMZ) segments, allowing for the creation of unique filtering rulesets on a per-DMZ segment basis. Of course, filtering of traffic for/from the internal and external networks is also available. Microsoft ISA Server 2004 also supports basic intrusion detection functionality, although full intrusion detection system (IDS) functionality is best provided through the integration of third-party products such as ISS RealSecure or similar products. Currently, ISA Server 2004 can natively detect the following intrusion/attack attempts:
Firewall Clients and AuthenticationMicrosoft ISA Server 2004 supports the following three types of firewall clients for systems that are attempting to access resources outside the protected network:
SecureNAT ClientThe SecureNAT client is effectively any device that attempts to communicate through the ISA Server 2004 firewall without being configured as one of the other firewall types. For all intents and purposes, this is the traditional "point to the firewall as the default gateway to communicate" type of a client. Therefore, practically any type of TCP/IP network host can communicate through the firewall as a SecureNAT client. Although easy to implement (there is no special configuration required beyond just enabling network communications on the host), the SecureNAT client is the least secure and capable of the firewall clients. SecureNAT clients cannot be configured to authenticate with the firewall to determine what access should be permitted, nor can they access resources requiring complex protocols (protocols that require multiple connections; for example, standard FTP [port] mode connections) without the use of application filters installed on the firewall itself. Firewall ClientThe ISA Server 2004 firewall client is one of the components to an ISA Server 2004 solution that really separates it from the competition in terms of the kind of control over access that can be managed. The firewall client software can be installed on any Windows-based client, which is a limitation in environments that use Linux, Sun, UNIX, or Mac computers. Once implemented, however, the firewall client enables you to define access to external resources based on users and groups and authenticate all access requests to ensure that only the users you have specified are allowed to communicate. It also enables you to define how they can communicate. This authentication information is stored in the firewall log files, making it easy to perform a forensic analysis to determine what sites, protocols, and applications the user was running or accessing. Perhaps the most powerful feature of the firewall client is the ability to enforce security controls on the client itself (for example, allowing only applications that you explicitly permit to function on the client or allowing only certain ports on the client to be used for communications). For example, a relatively difficult task to perform with most firewalls is to prevent instant messaging and peer-to-peer applications from being used by the users. Instant messaging applications can almost all use HTTP (or any other protocol) as the transport protocol, making it difficult to effectively block at the firewall. Similarly, many peer-to-peer applications can do the same thing. With the firewall client, you can define the names of applications that should not be allowed to run; they will be blocked by the firewall client software. Keep in mind that if the users can rename the application executable, they can bypass these restrictions. Web Proxy ClientThe web proxy client is used anytime a computer is configured via its web browser to use a proxy, and the ISA Server 2004 server is specified as the proxy. Although web browsers are the most commonly implemented applications that use proxies, instant messaging software and other applications that support using a proxy can also be configured as web proxy clients. The web proxy client enables you to improve the performance of web access because the data can be cached by the firewall and served to the clients out of cache. This also reduces bandwidth requirements, as discussed in the next section. The web proxy client also supports using authentication for access, similar to the firewall client, thus providing a mechanism to control and track access on a user basis. Web Caching Server FunctionalityAlthough technically not a firewall or security feature, the ISA Server 2004 server provides full caching server functionality. This allows the server to transparently cache web request and then service subsequent requests out of cache, thus reducing the amount of bandwidth that is used for client web browsing. This also allows the ISA Server 2004 server to function as a proxy, retrieving content on behalf of clients. Network Services PublishingTo provide access to protected resources, ISA Server 2004 implements what are known as publishing rules. These rules are used to provide inbound/ingress filtering functionality to resources that are being protected by the firewall. For example, if you have a web server that needs to provide services to external clients, you would use network services publishing (specifically web server publishing rules) to "publish" or provide access to the protected web server resource. There are four types of publishing rules:
As you would expect, the first three rules are specialized to handle the corresponding types of network services. The server publishing rule is the generic catchall rule type for any and all other publishing requirements. VPN FunctionalityMicrosoft ISA Server 2004, like many other firewalls, also provides integrated VPN functionality, allowing you to use the ISA Server 2004 both as a component in a site-to-site VPN as well as a termination point for remote access VPN services. Although previous versions supported Point-to-Point Tunneling Protocol (PPTP) and Layer 2 Tunnel Protocol / IP Security (L2TP/IPsec) VPN protocols, ISA Server 2004 also supports native IPsec tunnel mode VPN implementations. Because the VPN functionality is integrated with the firewall, ISA Server 2004 can also perform stateful packet filtering and inspection on VPN traffic that is passing through the firewall, providing additional security and control of all traffic that is entering or exiting the protected network. Doing so enables you to perform actions such as limiting your remote sales users to a subset of servers and services on the protected network. Management and Administration FeaturesArguably some of the most deficient aspects of previous versions of ISA Server were the fact that the management interface was not intuitive, the access rule management methodology was contrary to almost every other product out there, and the monitoring and reporting capabilities left a lot to be desired. ISA Server 2004 has gone a long way toward improving these deficiencies. Management InterfaceAs shown in Figure 8-2, ISA Server 2004 takes advantage of the Microsoft Management Console to provide a management interface. This management console can either be accessed locally on the ISA server by using Terminal Service (TS) or Remote Desktop (RDP) to start a terminal session, or can be installed on a remote system (such as the administrators desktop) to allow for remote management of all ISA Server 2004 resources in the environment. In the case of TS or RDP, the TS/RDP process handles protection and encryption of the data over the network. In the case of installing the management console on a remote system, Microsoft is intentionally vague as to what if any encryption or protection of the data that is transmitted between the management console and the ISA Server 2004 server occurs. Like all Microsoft products, administrative access is granted through the use of Microsoft users and groups, as well as by defining individual or ranges of IP addresses that are allowed to make management connections. Figure 8-2. ISA Server 2004 Management ConsoleIn addition, some third-party web-based management interfaces can be implemented, allowing for the management of the ISA server to be performed via a web browser, thus eliminating the need to install a management client for remote management. Access Rule ManagementAccess rule management has also been greatly simplified, following well-defined conventions that have been long established for firewall rule management. Unlike server publishing rules, which are designed for defining inbound/ingress filters, access rules are used to define outbound/egress filters to protect traffic that is sourced from a protected network. Rules have the following components that can be defined in a wizard-driven fashion:
An important distinction to be aware of is that for SecureNAT clients, rules that are set to apply to all IP traffic actually only apply to defined protocols, so you need to ensure that you define any protocols that you want to filter based on. Monitoring and ReportingAlthough monitoring and reporting are some of the less-elegant aspects of firewall management, Microsoft made significant improvements to the monitoring and reporting features of ISA Server 2004, providing the following capabilities:
Miscellaneous FeaturesAlthough the ability to support multiple networks may sound like a given, multinetwork support is actually a new feature of ISA Server 2004, allowing it to be implemented in enterprise environments that contain multiple networks (both internal and perimeter networks such as DMZ segments). In conjunction with this, you can define the relationships between the networks and then use this information during rule creation. By default, ISA Server 2004 supports the following networks:
Remote VPN users represent one of the bigger security risks for most environments. These users typically connect to all sorts of networks that are outside of the control of the IT department and then attempt to connect to their corporate network. This allows the VPN client to become a carrier of viruses, worms, and other malicious software and content, thereby spreading it to the corporate network when they establish their VPN connection. To help mitigate this risk, ISA Server 2004 includes VPN Quarantine Control. With VPN Quarantine Control, ISA Server 2004 can be configured to enforce policies on the VPN clients, including the following:
If these conditions are not met, the VPN client will not be connected to the VPN and gain access to the full network resources; instead, they will be connected to a limited-access network where they can download and apply any required patches and updates. Although this does not remove any malicious software from the VPN client computer, by requiring only patched and updated systems to connect you can help ensure that the VPN client computer is less susceptible to threats. Microsoft ISA Server 2004 Requirements and PreparationISA Server 2004 can be a relatively complex product to implement. A number of system requirements and recommendations should be implemented before installing and configuring ISA Server 2004. Table 8-2 details the system requirements as well as my recommendations beyond the system requirements.
In addition to the system requirements, you need to harden the operating system prior to installing ISA Server 2004 on the system. Use the guides mentioned early in the "Microsoft ISA Server 2004 Firewall" section as a basis for securing the underlying operating system as well as the Microsoft ISA Server 2004 software. Of particular importance is to harden the external network interface (at a minimum) to remove all clients, services, and protocols except TCP/IP itself, as shown in Figure 8-3. Figure 8-3. External Network Interface Configuration
In addition, you also need to configure the routing table on the ISA server accordingly to support all the networks it will need to reach, or you will need to install and configure Routing and Remote Access on the firewall to enable routing protocols such as OSPF or RIPv2. Finally, ensure that you disable any network services or applications that are not explicitly required by ISA Server 2004. Table 8-3 lists the core services that are required by ISA Server 2004, including the startup mode that should be used. All other services should be disabled.
How the Microsoft ISA Server 2004 Firewall WorksAlmost all management functions for ISA Server 2004 firewalls are performed with the ISA Server management console. This is a Microsoft Management Console (MMC)-based management console that is either run on the ISA server itself (and typically accessed via RDP/TS) or must be installed separately on the remote management workstation (via the ISA Server 2004 installation program). Figure 8-4 shows the ISA Server 2004 management console. Figure 8-4. ISA Server 2004 Management ConsoleTo perform remote administration of ISA Server 2004 firewalls using the management console, the management workstation must be added to the Enterprise Remote Management Computers (to manage all firewalls in the enterprise) or the Remote Management Computers (to manage a single firewall in the enterprise) computer set, and then remote management must be enabled. The easiest way to do this is to right-click the Firewall Policy object in the management console and choose Edit System Policy. Under the Remote Management configuration group, select Microsoft Management Console and ensure that Enable is checked on the General tab. Next, click the From tab and choose the appropriate group that you want to update, as shown in Figure 8-5, and then click Edit. Figure 8-5. Modifying Remote Management RulesAt the Properties screen, add, edit, or delete systems that will be allowed to perform remote management on the firewalls. When you have finished, click OK to close any open windows, returning to the management console. Before any configuration changes are actually performed on the ISA servers, the last task is to select to either apply or discard the changes, as shown in Figure 8-6. Figure 8-6. Applying Configuration ChangesNote Keep in mind that any time you are applying or discarding changes you make, if you have made multiple changes then you are selecting to apply or discard all of the changes, or in the event of firewall policy changes, you are selecting to apply or discard the entire firewall policy. Make sure you are comfortable with any and all changes you have opted to make before you decide to click Apply. To understand how the Microsoft ISA Server 2004 firewall works, it is important to identify the specific functions that an ISA Server 2004 firewall can perform:
Filtering Outbound AccessISA Server 2004 manages and applies all rules in what is known as a firewall policy. Two general classifications of rules, publishing rules, are used to define access from external sources to internal/protected resources, to external destinations. Access rules consist of the following policy elements:
Building the access rule is a largely wizard-driven process, with the exception of configuring the content types and schedule, which must be done by editing the properties of an existing rule. Just right-click the firewall policy and choose New > Access Rule, as shown in Figure 8-7. Figure 8-7. Creating an Access RuleThis will begin the New Access Rule Wizard. At the Welcome screen, assign an appropriate access rule name and click Next. At the Rule Action screen, select to Allow or Deny the traffic as appropriate and click Next. At the Protocols screen, you can select to apply the rule to All Outbound Traffic, Selected Traffic, or All Outbound Traffic Except Selected Traffic. If you choose the latter, you must click Add to specify the protocols that the rule applies to. For example, Figure 8-8 shows a rule being created that applies to the HTTP protocol only. Figure 8-8. Protocols ScreenWhen you have finished, click Next to be presented with the Access Rule Sources screen. Click Add to specify the traffic source that this rule will apply to. Figure 8-9 shows the Add Network Entities screen that is accessed by clicking Add. Figure 8-9. Add Network Entities Screen
After you have specified the appropriate source, click Next to be taken to the Access Rule Destinations screen. Once again, click Add and specify the destination traffic that the rule will apply to. When you have finished, click Next. At the User Sets screen, specify the users that the rule will apply to. Keep in mind that only web proxy clients and firewall clients perform authentication; so if you want the rule to apply to everyone, including unauthenticated users, just accept the default value of All Users, as shown in Figure 8-10. Figure 8-10. User Sets ScreenReview the rule configuration and click Finish. At this point, the rule has been created but not applied to the firewall. Just click Apply in the MMC as previously discussed. If you need to change any of the rule settings, including editing the content type or schedule configuration, just right-click the rule and choose Properties or Edit System Rule as appropriate for the corresponding rule. Publishing Internal ResourcesPublishing internal resources follows largely the same process as creating an access rule. It is a wizard-driven process, but the focus of a publishing rule is allowing access to protected resources, as opposed to access rules (which allow access from protected resources). Regardless of which type of publishing rule you need to create, the process is fairly similar. The first step is to right-click the firewall policy and select to create a new publishing rule (for example, a web publishing rule) and follow the wizard. At the Welcome screen, enter the appropriate rule name and click Next. At the Select Rule Action screen, specify whether traffic that matches the rule should be permitted or denied and click Next. Figure 8-11 shows the Define Website to Publish screen. This is where you specify the information for the internal server that is hosting the website. Enter the appropriate information and click Next. For example, if you use host headers to allow multiple websites to exist on the same physical server, you will want to check the box to Forward the original host header instead of the actual one (specified above). This will cause the ISA server to actually keep the host header information, instead of just routing all web requests to the default website on the internal web server. One of the nice features of the web publishing rule is the ability to specify individual folders on the website that the rule will apply to. When you have finished, click Next. Figure 8-11. Define Website to Publish ScreenAt the Public Name Details screen, you enter the information that the website will be known to the public as (for example www.cisco.com). You can also define the public path that the Microsoft ISA Server 2004 server will advertise. Figure 8-12 illustrates this screen. Figure 8-12. Public Name Details ScreenWhen you have finished, click Next. Doing so brings you to the Select Web Listener screen. The web listener allows you to define the external IP address and port number that the firewall will listen for requests for this rule on. If you do not already have a listener defined, you can click New to launch the New Web Listener Definition Wizard. Doing so enables you to define the interfaces and IP addresses as well as the port numbers that the rule will use. You can also define the internal path that the web request will be directed to on the internal web server. In most cases, the internal and external paths will match; if you want the external path to redirect to a different internal path, however, you can specify different settings. For example, if you want http://www.cisco.com/sales.htm to redirect on the internal web server to http://www.cisco.com, you specify an external path of http://www.cisco.com/sales.htm and an internal path of /*. After you have defined the listener, just select it from the Web Listener drop-down dialog box, as shown in Figure 8-13, and click Next. Figure 8-13. Select Web Listener ScreenAt the User Sets screen, select the users who the rule will apply to and click Next. Review the configuration and click Finish to create the rule. Once again, if you want to apply the rule to the firewall, you must then click Apply in the management console. Performing Application FilteringISA Server 2004 contains a number of built-in application filters to provide for application layer inspection of the corresponding traffic. Configuring the application filters is performed in various locations within the management console. For web filters, just right-click an HTTP or HTTPS rule and select Configure HTTP. By default, Microsoft ISA Server 2004 supports the following HTTP application-filtering options:
For application filters, most can be managed from the add-ins screen, as shown in Figure 8-14. Figure 8-14. Application FiltersA notable exception to this is the DNS filtering, which is configured under the General section of the management console by clicking Enable Intrusion Detection and DNS Attack Detection (by default, both intrusion detection and DNS attack detection is enabled). Configuring System Policy RulesAccess rules and server publishing rules control the access to and from networks protected by the firewall. To control access to the firewall itself, system policy rules have been created. These rules do not show up by default when you view the firewall policy, but they can be enabled by selecting the firewall policy and then clicking Show System Policy Rules. Doing so causes all system policy rules to display in addition to any access and publishing rules, as shown in Figure 8-15. Figure 8-15. Displaying the System Policy RulesYou can add, change, and delete the system policy rules manually, or you can edit the system policy via a graphical user interface (GUI) by right-clicking the firewall policy and selecting Edit System Policy. Doing so launches the System Policy Editor screen, as shown in Figure 8-16. Figure 8-16. System Policy Editor ScreenThe System Policy Editor enables you to configure everything from what systems are allowed to remotely manage the firewall to how the firewall performs its authentication tasks. Configuring Client Access MethodsAs previously mentioned, Microsoft ISA Server 2004 supports three firewall clients: the SecureNAT client, the firewall client, and the web proxy client. The SecureNAT client really is not a client at all. Instead, any system that accesses the firewall via TCP/IP that is not one of the other client types is a SecureNAT client. Configuring the Web Proxy ClientThe web proxy client is any system that has been configured to use a proxy for Winsock applications. This is typically done in the client web browser settings, specifying the IP address and port number that should be used to access the proxy server. From the ISA server side, the web proxy configuration is performed by clicking Networks in the management console to open the Networks configuration screen and then right-clicking the internal network and selecting Properties, as shown in Figure 8-17. Figure 8-17. Selecting the Internal Network PropertiesFrom the Internal Network Properties screen, select the Web Proxy tab and specify whether to enable web proxy clients (by default, they are enabled) and define the port number that the clients will connect on. You can click Authentication to define which users will/will not be permitted access. Figure 8-18 shows the Web Proxy tab. Figure 8-18. Web Proxy Configuration
Configuring the Firewall ClientConfiguring the firewall client is a little bit more involved than the other client configurations. First, the firewall client must be installed on the client computers. This can be done in the following manners:
During the firewall client installation, you must specify the ISA server that the firewall client will get its configuration from. This step allows you to manage the firewall client configuration at a single location, the ISA Server 2004 firewall itself, and ensure that all firewall clients receive the same configuration settings. On the ISA server itself, two general firewall client configuration tasks need to be performed.
The firewall client general configuration is performed in a similar fashion to the web proxy client configuration. Just right-click the appropriate network in the management console, choose Properties, and then select the Firewall Client tab, as shown in Figure 8-19. Figure 8-19. Firewall Client Tab
Doing so enables you to define settings such as the configuration script that should be used and whether the client should use a proxy server. In addition, you can specify the names of domains that the firewall client should not apply to by selecting the Domains tab and entering the domain name. The firewall client application settings can be configured by clicking General in the management console then clicking Define Firewall Client Settings. Doing so launches the Firewall Client Settings screen, as shown in Figure 8-20. On this screen, you can define applications that will or will not be permitted to run on the client computer and how permitted applications will be allowed to communicate on the network. An important thing to keep in mind is that the application name is a constant; so if the users change the name of the application (for example, from kazaa.exe to happy.exe), the firewall client settings no longer apply, because the application name no longer matches the name that was defined. An alternative is to use third-party products that integrate with Microsoft ISA Server 2004. Figure 8-20. Firewall Client Settings Screen
Caching Web DataConfiguring the firewall to cache web data is a straightforward process. In the management console, navigate to the Cache screen, right-click the server, and choose Properties to launch the Server Cache Properties screen, as shown in Figure 8-21. Notice how the Cache icon has a red arrow pointing down, denoting that caching is not currently enabled. Figure 8-21. Launching the Cache Properties ScreenTo enable caching, just select the drives and the maximum cache size and click Set. When you have finished, click OK and then click Apply to apply the configuration change to the firewall. You must restart the ISA services before the caching functionality will be enabled. When caching has been enabled, you can define rules regarding what data should be cached and how it should be cached by selecting the Cache Rules tab from the Cache screen and defining an appropriate rule. Like most other tasks in Microsoft ISA Server 2004, this is a wizard-driven process that is relatively straightforward and easy to understand. Microsoft ISA Server 2004 ChecklistEnabling and configuring Microsoft ISA Server 2004 can be a relatively complex task. It is not something that should be performed without extensive planning and design prior to implementation. To get a basic ISA Server 2004 implementation in place and operational, the following tasks should be performed:
|