Teaching the Boss and the Network Guys About the ISA Firewall (Part 3)




In the first two parts of this series on teaching the boss and the network guys about the ISA Firewall, we discussed a variety of scenarios in which the ISA Firewall can be deployed. These included ISA Firewall-only configurations as well as integrated configurations in which the ISA Firewall is used together with other firewalls.


In this, the last part of the three-article series, we will look at how the ISA Firewall can be used as an integrated firewall and Web proxy and caching server, how it can be used to protect Exchange Servers, and how it protects IIS Web sites and SharePoint sites.










How ISA Server Functions as an Integrated Firewall and Web Proxy and Caching Server


Some organizations will choose to deploy ISA as separate firewall and caching components by disabling the Web caching feature on the firewall. However, one big advantage of ISA 2006 is that you can choose to deploy it as a single integrated firewall and Web proxy and caching server, providing both secure and fast Internet connectivity from one box.


Many other popular Web caching solutions require separate hardware and software to provide Web caching, but ISA 2006 integrates these functions under a single configuration. Regardless of how you choose to physically deploy ISA 2006, you benefit from centralized, policy-based management.


Features from which organizations will benefit when they deploy ISA 2006 as an integrated firewall and caching solution include the following:




  • Granular policy-based access rules for both inbound and outbound access.


  • Intelligent application layer inspection filters combined with stateful packet inspection.


  • Simplified and intuitive firewall configuration interface. There is no need to learn a complex and hard-to-remember command line interface; all firewall and Web proxy features are exposed in the ISA Server Firewall Management Console.


  • Detailed logging and reporting provide both a “bird's-eye” view and the ability to drill down to specific connections.


  • Active Directory integration, either through domain membership or through LDAP queries to the Active Directory database, provides seamless access to Active Directory users and groups, greatly simplifying the task of enabling granular user/group-based access controls.


  • Centralized Microsoft Management Console (MMC) allows ISA firewall administrators to manage multiple ISA Standard Edition firewalls or thousands of ISA Enterprise Edition firewalls in hundreds of ISA firewall arrays.

ISA 2006 includes the technology to provide secure, fast Internet connectivity with simplified and centralized management, combined with the multi-layer packet and application layer inspection that’s required to meet the needs of today’s Internet-enabled businesses.


How ISA Server Protects Exchange


You need a way to ensure that Exchange data can be secured, without limiting access for those who need it. ISA 2006 is uniquely positioned to protect the customer’s Exchange servers because it can provide native access for client computers that use Microsoft Outlook.


Traditional firewalls cannot securely handle Outlook's MAPI RPC communications because the client first contacts the RPC endpoint mapper (TCP port 135) and is then told to connect to a dynamically assigned secondary port. ISA includes an RPC filter that examines the endpoint mapper's responses, learns the secondary port, and ensures that incoming connections are allowed only to the port where the Exchange Server is currently listening. The RPC filter can also enforce RPC encryption and block invalid RPC requests.
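The secondary-port tracking described above, as an added example written for this article and not ISA Server's own code. The endpoint-mapper reply and the bind request are constructed dicts standing in for the DCE/RPC wire format (which this model does not parse); the interface UUIDs are the Exchange store (EMSMDB) and directory (NSPI) interfaces; the IP addresses and port 6001 are assumptions. The model shows the two properties that matter: a secondary port is opened only after the published server announces it, and only for the client it was announced to, and a bind without packet privacy is refused when encryption is enforced.

```python
"""Simplified model of a stateful RPC publishing filter (added example, not ISA code)."""
from dataclasses import dataclass, field

EPM_PORT = 135  # RPC endpoint mapper: the only port a client may reach directly
RPC_C_AUTHN_LEVEL_PKT_PRIVACY = 6  # DCE/RPC authentication level: sign + encrypt

# Exchange RPC interfaces a Secure Exchange RPC publishing rule would expose
EXCHANGE_INTERFACES = {
    "a4f1db00-ca47-1067-b31f-00dd010662da": "Exchange Store (EMSMDB)",
    "f5cc5a18-4264-101a-8c59-08002b2f8426": "Exchange Directory (NSPI)",
}


@dataclass
class RpcPublishingFilter:
    published_server: str            # internal IP of the published Exchange Server (assumed)
    require_encryption: bool = True
    # client_ip -> secondary ports the server told *that* client to use
    learned_ports: dict = field(default_factory=dict)

    def allow_connect(self, client_ip: str, dst_ip: str, dst_port: int) -> bool:
        """Decide whether a new inbound TCP connection may be forwarded."""
        if dst_ip != self.published_server:
            return False
        if dst_port == EPM_PORT:
            return True  # the endpoint mapper is always reachable through the rule
        # Any other port is allowed only if this client was told about it
        return dst_port in self.learned_ports.get(client_ip, set())

    def observe_epm_reply(self, client_ip: str, reply: dict) -> bool:
        """Learn the secondary port from an endpoint-mapper reply sent to client_ip.

        reply is a constructed stand-in: {"status": 0, "interface": uuid, "port": n}.
        Returns True if a port was recorded for the client.
        """
        if reply.get("status") != 0:
            return False  # lookup failed, nothing to open
        if reply.get("interface") not in EXCHANGE_INTERFACES:
            return False  # server advertised an interface the rule does not publish
        port = reply.get("port", 0)
        if not 1 <= port <= 65535:
            return False  # sanity check on the advertised port
        self.learned_ports.setdefault(client_ip, set()).add(port)
        return True

    def allow_bind(self, bind: dict) -> bool:
        """Check an RPC bind on a secondary port: constructed {"interface", "auth_level"}."""
        if bind.get("interface") not in EXCHANGE_INTERFACES:
            return False
        if self.require_encryption and bind.get("auth_level", 0) < RPC_C_AUTHN_LEVEL_PKT_PRIVACY:
            return False  # plaintext MAPI is refused when encryption is enforced
        return True


def scenario() -> list:
    """Walk one Outlook session through the filter; returns the decisions in order."""
    f = RpcPublishingFilter(published_server="10.0.0.10")
    client, attacker = "203.0.113.5", "198.51.100.9"
    store = "a4f1db00-ca47-1067-b31f-00dd010662da"
    decisions = [
        f.allow_connect(client, "10.0.0.10", 135),   # endpoint mapper: allowed
        f.allow_connect(client, "10.0.0.10", 6001),  # before the server answers: refused
    ]
    f.observe_epm_reply(client, {"status": 0, "interface": store, "port": 6001})
    decisions += [
        f.allow_connect(client, "10.0.0.10", 6001),    # announced to this client: allowed
        f.allow_connect(attacker, "10.0.0.10", 6001),  # other source address: refused
        f.allow_bind({"interface": store, "auth_level": 2}),  # no packet privacy: refused
        f.allow_bind({"interface": store, "auth_level": 6}),  # encrypted bind: allowed
    ]
    return decisions


if __name__ == "__main__":
    print(scenario())
```

The per-client table is the point: a stateful packet inspection-only firewall would have to leave the whole dynamic port range open to everyone, whereas the filter opens one port, for one client, after the published server asked for it.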


For users running Outlook 2003 or 2007, the ISA firewall can provide secure remote access using RPC over HTTP (called Outlook Anywhere in Exchange 2007). This method encapsulates the native RPC/MAPI connections in an SSL tunnel. The ISA firewall terminates the SSL tunnel, decrypts the communications, inspects the connection for potentially dangerous commands or content, and then re-encrypts the communication and forwards it to the Exchange Server.


The ISA firewall can do what almost no other firewall on the market today can: keep the communication SSL-encrypted on both legs, from the client to the ISA firewall and from the ISA firewall to the Exchange Server, while performing both stateful packet inspection and application layer inspection on the contents of the SSL tunnel. This makes the ISA 2006 firewall the firewall of choice for any organization that wants to provide full Outlook access to road warriors.


Protection for Exchange is easy to configure via wizards that walk you through the steps to set up all types of Exchange remote access. The Exchange Publishing Wizards take the guesswork out of what could otherwise be a daunting configuration task, even for experienced ISA firewall administrators. The Wizards publish all the Exchange Server services, including:




  • Outlook Web Access (OWA)


  • Outlook Mobile Access (OMA)


  • Exchange ActiveSync (EAS)


  • Exchange SMTP and secure SMTP services


  • Exchange POP3 and secure POP3 services


  • Exchange IMAP4 and secure IMAP4 services

All popular mail protocols are supported. ISA 2006 includes application inspection filters for POP3 and SMTP protocols, and the HTTP Security Filter provides the highest level of protection for remote access to all Exchange Web services.


Features that ISA 2006 uses to protect Exchange e-mail servers include the following:




  • The SMTP filter allows you to control which SMTP verbs can be used, and to limit the command size allowed for each of those verbs. The POP3 filter protects the Exchange Server’s POP3 service from common buffer overflow attacks.


  • Exchange RPC filters allow users to securely connect with Outlook from remote locations using versions of Outlook prior to Outlook 2003, which cannot use RPC over HTTP. These older versions of Outlook benefit from the ISA firewall’s Secure Exchange RPC publishing, which gives them secure access using the native MAPI protocol over the Internet. Conventional stateful packet inspection-only firewalls cannot secure the RPC MAPI traffic because they do not understand the Outlook/Exchange RPC MAPI communications; the ISA firewall does understand them and secures them.


  • The Exchange Web Publishing Wizards provide secure remote access to all Exchange Server Web services (OWA, OMA, EAS) through a simple, easy-to-use wizard. The wizard takes care of the complexities of the configuration, which reduces the risk of a security breach due to a configuration error or the kind of typo that is easy to make in a command-line environment.


  • Delegation of authentication prevents unauthenticated connections from reaching the Exchange Server and compromising its security. Unauthenticated connections are a serious security hole that lets attackers reach the customer’s public-facing Exchange Server directly. Conventional stateful packet inspection-only hardware firewalls leave this hole open; the ISA firewall closes it.


  • Advanced delegation of authentication scenarios include Kerberos Constrained Delegation, which allows users to log on to the ISA firewall with a user certificate (a credential that cannot itself be forwarded) and have the ISA firewall obtain Kerberos tickets on their behalf for the Exchange Server.


  • The ISA firewall’s unique SSL bridging feature enables it to perform application layer inspection on SSL-encrypted communications. Unlike stateful packet inspection-only firewalls, the ISA firewall breaks open the SSL connection (in the ISA firewall’s memory), inspects the HTTP stream for dangerous and suspicious communications, and then re-encrypts the session and forwards the communications to the Exchange Server after they pass application layer inspection.


  • The HTTP Security Filter is easily customized to provide highly restricted access so that only legitimate HTTP methods are used to connect to the Exchange Server Web services. It can be customized separately for each Exchange Web service, including OWA, OMA, Exchange ActiveSync, and RPC over HTTP connections from Outlook 2003 and Outlook 2007 clients.


  • Forms-based authentication supports conventional user name and password credentials as well as more advanced authentication methods such as user certificate authentication, smart card authentication, RADIUS one-time passwords, and RSA SecurID. Forms-based authentication also allows the ISA firewall administrator to control users’ ability to open attachments and to set custom timeout intervals depending on whether the user logged on from a public or a private computer.

How ISA Server Protects IIS


Because Web servers are often accessible to the public, they are especially exposed to attacks that come over the Internet. Customers need a way to secure public Web servers without endangering the internal network, while still ensuring that the Web resources remain available to the public users who need them.


ISA 2006 is designed to work with the HTTP and HTTPS (SSL) protocols and is able to inspect the content and requests exchanged between client and server. The ISA firewall sits between the Web servers and the Internet and decides whether each request may proceed, based on its source address and on the customer’s authentication configuration. ISA can also make sure that requested URLs are valid and that the HTTP methods used (for example, POST or GET) are approved.


ISA can also examine the URL and determine to which Web server the request should be forwarded.


Features that ISA Server uses to protect IIS servers include:



  • The ability to inspect the source address and user, the requested URL, the HTTP method, and both request and response headers and bodies, using the HTTP Security Filter.
  • Support for SSL encryption to protect confidential information as it travels across the Internet.
  • SSL bridging, which allows the ISA Server to inspect SSL traffic.
  • Pre-authentication, so that anonymous connections never reach the IIS Web server and cannot be used to attack it.
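The per-rule HTTP Security Filter controls mentioned in the Exchange section and in the list above, modelled as an added example for this article rather than ISA's own code. The policy fields stand in for the kinds of settings the filter exposes (allowed methods, blocked extensions, URL and header length limits, normalization checking, high-bit character blocking, blocked headers and signatures); the sample requests, the host name mail.example.com, the OWA paths and the specific signature strings are all constructed for the example.

```python
"""Model of a per-rule HTTP Security Filter policy (added example, not ISA code)."""
from dataclasses import dataclass, field
from urllib.parse import unquote


@dataclass
class HttpFilterPolicy:
    allowed_methods: set = field(default_factory=lambda: {"GET", "POST", "HEAD"})
    blocked_extensions: set = field(default_factory=lambda: {".exe", ".dll", ".asp", ".config"})
    max_url_length: int = 10240
    max_query_length: int = 10240
    max_headers_length: int = 32768
    verify_normalization: bool = True
    block_high_bit: bool = True
    blocked_headers: set = field(default_factory=lambda: {"translate"})  # WebDAV source access
    # (where, pattern) signatures, matched case-insensitively; constructed examples
    signatures: list = field(default_factory=lambda: [
        ("url", "../"), ("url", "..\\"), ("url", "/_vti_bin/"), ("headers", "nikto"),
    ])


def parse_request(raw: bytes):
    """Split a raw HTTP/1.1 request into (method, target, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    method, target, _version = lines[0].decode("latin-1").split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.decode("latin-1").partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers, body


def check_request(raw: bytes, policy: HttpFilterPolicy) -> tuple:
    """Return (allowed, reason); the first failing check wins."""
    method, target, headers, body = parse_request(raw)
    head_len = len(raw) - len(body)
    path, _, query = target.partition("?")

    if method not in policy.allowed_methods:
        return False, f"method {method} not allowed"
    if len(target) > policy.max_url_length:
        return False, "URL too long"
    if len(query) > policy.max_query_length:
        return False, "query too long"
    if head_len > policy.max_headers_length:
        return False, "headers too long"
    if policy.block_high_bit and any(ord(c) > 127 for c in target):
        return False, "high-bit character in URL"
    if policy.verify_normalization:
        once = unquote(path)
        # A path that still decodes further was double-encoded (e.g. %252e%252e)
        if unquote(once) != once:
            return False, "URL not normalized (double encoding)"
        path = once  # later checks run on the decoded path, as the server would see it
    last = path.rsplit("/", 1)[-1]
    ext = ("." + last.rsplit(".", 1)[1]).lower() if "." in last else ""
    if ext in policy.blocked_extensions:
        return False, f"extension {ext} blocked"
    for name in policy.blocked_headers:
        if name in headers:
            return False, f"header {name} blocked"
    header_blob = "\n".join(f"{k}: {v}" for k, v in headers.items()).lower()
    for where, pat in policy.signatures:
        hay = path.lower() if where == "url" else header_blob
        if pat.lower() in hay:
            return False, f"signature {pat!r} in {where}"
    return True, ""


# Constructed sample requests against a published OWA site
SAMPLES = {
    "owa_ok": b"GET /owa/?ae=Folder&t=IPF.Note HTTP/1.1\r\nHost: mail.example.com\r\n\r\n",
    "webdav_method": b"PROPFIND /owa/ HTTP/1.1\r\nHost: mail.example.com\r\n\r\n",
    "double_encoded": b"GET /owa/%252e%252e/web.config HTTP/1.1\r\nHost: mail.example.com\r\n\r\n",
    "traversal": b"GET /owa/../boot.ini HTTP/1.1\r\nHost: mail.example.com\r\n\r\n",
    "executable": b"GET /owa/bin/cmd.exe HTTP/1.1\r\nHost: mail.example.com\r\n\r\n",
    "translate_header": b"GET /owa/default.aspx HTTP/1.1\r\nHost: mail.example.com\r\nTranslate: f\r\n\r\n",
    "high_bit": "GET /owa/\u00e9 HTTP/1.1\r\nHost: mail.example.com\r\n\r\n".encode("latin-1"),
}


def run_samples(policy: HttpFilterPolicy = None) -> dict:
    """Evaluate every sample against the policy; returns name -> (allowed, reason)."""
    policy = policy or HttpFilterPolicy()
    return {name: check_request(raw, policy) for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in run_samples().items():
        print(f"{name:18} {verdict}")
```

Note the order of the checks: normalization is verified before the extension and signature checks run, so a single-encoded `%2e%2e/` is decoded to `../` and then caught by the signature, while a double-encoded path is rejected outright because it would decode differently at the firewall and at the Web server.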









How ISA Server Protects SharePoint Sites


A particular type of IIS Web site that you might need to protect is a SharePoint Portal Server (SPS) site. These sites present a special challenge because SPS may return absolute links (using the server’s NetBIOS name) to internal resources, and such links cannot be resolved by clients outside the internal network that access the SharePoint site across the Internet.


ISA 2006 provides a means of publishing SharePoint servers so that these absolute links are translated to names that can be resolved in public DNS, making the resources available to those connecting to the SharePoint server across the Internet.
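The link translation described above, written as an added example for this article (not ISA's implementation). The internal name `bigserver`, the public name `https://portal.example.com` and the sample SharePoint response are constructed. Two details a practitioner should check in any such rewrite are shown: the match must stop at the end of the host name so that `http://bigserver.corp.local/` is not mangled, and Content-Length must be recomputed because the rewritten body is longer than the original.

```python
"""Link translation for a published SharePoint site (added example, not ISA code)."""
import re
from typing import Callable, Dict, Tuple


def make_translator(internal_host: str, public_base: str) -> Callable[[str], str]:
    """Return a function that rewrites absolute links to internal_host.

    Matches http(s)://internal_host with an optional port, but only when the
    host name ends there, so http://bigserver.corp.local/ is left alone.
    """
    pat = re.compile(
        r"https?://" + re.escape(internal_host) + r"(?::\d+)?(?=[/?#\"'\s<>]|$)",
        re.IGNORECASE,
    )
    return lambda text: pat.sub(public_base, text)


def translate_response(headers: Dict[str, str], body: bytes,
                       translate: Callable[[str], str]) -> Tuple[Dict[str, str], bytes]:
    """Apply link translation to a published server's response.

    Header names are matched case-insensitively. Location and Content-Location
    are always rewritten; the body is rewritten only for text/html, and
    Content-Length is recomputed because the rewrite changes the body size.
    """
    out = dict(headers)
    for name in list(out):
        if name.lower() in ("location", "content-location"):
            out[name] = translate(out[name])
    ctype = next((v for k, v in out.items() if k.lower() == "content-type"), "")
    if ctype.lower().startswith("text/html"):
        body = translate(body.decode("utf-8")).encode("utf-8")
        for name in list(out):
            if name.lower() == "content-length":
                out[name] = str(len(body))
    return out, body


# Constructed sample of what a SharePoint Portal Server might return internally
SAMPLE_BODY = (
    b'<a href="http://bigserver/sites/docs/">Docs</a>\n'
    b'<img src="http://bigserver:80/_layouts/images/logo.gif">\n'
    b'<a href="http://bigserver.corp.local/other/">unrelated host</a>\n'
    b'<a href="/sites/docs/relative.aspx">relative link</a>\n'
)
SAMPLE_HEADERS = {
    "Content-Type": "text/html; charset=utf-8",
    "Content-Length": str(len(SAMPLE_BODY)),
    "Location": "http://bigserver/sites/docs/default.aspx",
}


def demo() -> Tuple[Dict[str, str], bytes]:
    """Translate the sample response from bigserver to the public name."""
    translate = make_translator("bigserver", "https://portal.example.com")
    return translate_response(SAMPLE_HEADERS, SAMPLE_BODY, translate)


if __name__ == "__main__":
    hdrs, body = demo()
    print(hdrs)
    print(body.decode())
```

The lookahead in the pattern is what keeps the rewrite from being a plain string replacement: a mapping of `http://bigserver` to the public name applied naively would also rewrite the first part of `http://bigserver.corp.local`, producing a link to a host that does not exist.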


Features that ISA uses to protect SharePoint sites include the following:




  • Link translation, which maps internal links such as http://bigserver/ to an Internet-valid link in domain name format, such as http://bigserver.microsoft.com. The ISA 2006 link translation feature has been greatly improved over the one included with ISA 2004, with the bulk of the improvements focused on SharePoint Portal Server publishing scenarios.


  • Delegation of authentication prevents unauthenticated connections from reaching the SharePoint Portal Server and compromising its security. Unauthenticated connections are a serious security hole that lets attackers reach the customer’s public-facing SharePoint Portal Server directly. Conventional stateful packet inspection-only hardware firewalls leave this hole open; the ISA firewall closes it.


  • Advanced delegation of authentication scenarios include Kerberos Constrained Delegation, which allows users to log on to the ISA firewall with a user certificate (a credential that cannot itself be forwarded) and have the ISA firewall obtain Kerberos tickets on their behalf for the SharePoint Portal Server.


  • The ISA firewall’s unique SSL bridging feature enables it to perform application layer inspection on SSL-encrypted communications. Unlike the stateful packet inspection-only firewalls the customer may already have in place, the ISA firewall breaks open the SSL connection (in the ISA firewall’s memory), inspects the HTTP stream for dangerous and suspicious communications, and then re-encrypts the session and forwards the communications to the SharePoint Portal Server after they pass application layer inspection.


  • The HTTP Security Filter is easily customized to provide highly restricted access so that only legitimate HTTP methods are used to connect to the SharePoint Portal Server, and can be tuned for SharePoint connections to ensure that only legitimate SPS requests and responses pass through the ISA firewall.


  • Forms-based authentication supports conventional user name and password credentials as well as more advanced authentication methods such as user certificate authentication, smart card authentication, RADIUS one-time passwords, and RSA SecurID. Forms-based authentication also allows the ISA firewall administrator to control users’ ability to open attachments and to set custom timeout intervals depending on whether the user logged on from a public or a private computer.









Summary


In this last article in our three-part series on teaching the boss and the network guys about the ISA firewall, we went over some specific server scenarios where the ISA Firewall can provide excellent protection. I hope that you found this article series helpful and if you have any questions about the ISA Firewall, please let me know. Also, if you are trying to introduce the ISA firewall into your environment and are having a hard time communicating the benefits and value the ISA Firewall can provide to your network guys or boss, please let me know and I’ll try to help you. Send me a note at [email protected] if you need additional assistance. Thanks!

