Slide 1: Microsoft Internet Security and Acceleration (ISA) Server 2004
Powerful Protection for Microsoft Applications
Slide 2: Learning Objectives: Protecting Microsoft Applications with ISA Server 2004
This training will show the solutions, advantages, benefits, competitive landscape, and selling opportunities for Microsoft® ISA Server 2004, as well as provide customer-ready resources.
Slide 3: Agenda
1. ISA Server 2004 Overview: Advanced Protection, Ease of Use, Fast Secure Access (Slides 4–43)
2. Protecting Microsoft Applications: Technical Details (Slides 44–94)
3. Selling Strategies and Partner Offerings (Slides 95–124)
4. Introduction to Hands-on Labs (Slides 125–127)

Slide 4: 1. ISA Server 2004 Overview: Advanced Protection, Ease of Use, Fast Secure Access
Slide 5: The State of Network Security
Industry:
• 14 billion devices on the Internet by 2010 [1]
• 35 million remote users by 2005 [2]
• 65% increase in dynamic Web sites [3]
Security:
• 90% detected security breaches [4]
• 95% of all breaches avoidable with an alternative configuration [5]
• Approximately 70% of all Web attacks occur at the application layer [6]
Sources (as numbered on the slide): [1] Forrester Research; [2] Information Week, November 26, 2001; [3] Netcraft summary; [4] Computer Security Institute (CSI) Computer Crime and Security Survey 2002; [5] CERT, 2002; [5] Gartner
Slide 6: The Role of Firewalls
• Firewalls block attacks before they reach their target
• Firewalls can protect multiple systems
• Firewall protection can buy time before all protected servers are secured
• Firewalls can help protect client computers that are not properly protected
• Firewalls can act as a central access point
• Combined firewall and VPN gateway
• Firewalls provide centralized logging of network access
• Crucial component of defense-in-depth
Slide 7: Limitations of Traditional Firewalls
Wide open to advanced attacks
• Application-layer attacks: Code-Red, Nimda.
• Encryption to bypass detection: SSL.
Performance vs. security tradeoff
• Bandwidth is limited and expensive.
• Traffic inspection reduces performance.
Hard to manage
• Security is complex.
• IT already overloaded.
Limited capacity for growth
• Growth requires new hardware; old hardware can't be repurposed.
• Growth requires purchase of new license.
Slide 8: What Is ISA Server 2004?
Microsoft ISA Server 2004 is Microsoft’s flagship security product and a cornerstone of the company’s Trustworthy Computing initiative. ISA Server 2004 is an application-layer firewall, VPN, and Web-cache solution that provides advanced protection, fast and secure Web access, and is very easy to use. ISA Server 2004 can provide security as a perimeter firewall at the Internet edge, can be used to protect Microsoft applications such as Microsoft Exchange and other servers on the internal network, as well as be configured as a Web-caching server to ensure fast, secure Web access—all in one package.
Slide 9: ISA Server 2004 Top Benefits
Customer Pain | Value Provided by ISA Server 2004
• Threats to corporate assets create financial and legal risks | Advanced Protection: application-layer security designed to protect Microsoft applications
• Securing the network is time consuming and expensive | Ease of Use: efficiently deploy, manage, and use ISA Server 2004
• Securing networks impacts performance and productivity | Fast, Secure Access: empowers you to connect users to relevant information on your network in a cost-efficient manner
Slide 10: Advanced Protection: Limits of Traditional Firewalls (1)
• Traditional firewalls only examine headers: packet filtering, stateful inspection
• Most of today's attacks are directed against applications: Web servers (Code Red, Nimda), Web browsers (malicious Java applets), mail clients (worms, Trojan horse attacks)
Packet diagram: IP header (source address, destination address); TCP header (source port 1121, destination port 80); payload (HTTP GET /). The traditional firewall looks only at the headers.
11
Applications encapsulate traffic in HTTP traffic Examples: Peer-to-peer, instant messaging
Encrypted traffic can’t be inspected by traditional firewalls
Dynamic port assignments require too many incoming ports to be opened Examples: FTP, RPC
Packet filtering and stateful inspection are not enough to protect against today’s attacks!
Advanced ProtectionLimits of Traditional Firewalls (2)
Slide 12: Advanced Protection: Application-Layer Filtering with ISA Server 2004
• Application-layer filtering in ISA Server 2004 examines the payload
• ISA Server 2004 blocks traffic that uses allowed ports but contains disallowed data. Example: traffic to a Web server that contains a Web server attack
• ISA Server 2004 allows you to use complex protocols across a firewall
"To provide edge security in this application-centric world…application-level firewalls will be required…." —John Pescatore, Gartner
Slide 13: Advanced Protection: ISA Server 2004 Proxy Architecture
• Internet traffic is never routed to the internal network
• ISA Server 2004 establishes separate connections to the client and to the server
• Proxy architecture protects against network-layer attacks
• Built from the ground up for application-layer filtering, with great performance
• Extensible architecture for plug-ins
ISA Server 2004 also performs packet filtering and stateful inspection.
Slide 14: Advanced Protection: Web Publishing with Traditional Firewalls
• Traditional firewalls only evaluate incoming traffic based on IP address and port
• All Web traffic is sent to the Web server, exposing it to all Web-based attacks
Diagram: Internet -> incoming traffic -> Web server
Slide 15: Advanced Protection: Secure Web Publishing with ISA Server 2004
• Inspection of Web requests and responses and protection of Microsoft Internet Information Services (IIS) from exploits
• Blocking of malformed URLs to stop Web-based attacks
• Optional inspection of incoming SSL traffic
Diagram: Internet -> incoming traffic (inspected by ISA Server 2004) -> Web server
Slide 16: Advanced Protection: Exchange Publishing with Traditional Firewalls
• Firewall only evaluates incoming traffic based on IP address and port
• All traffic for ports using mail protocols is sent to Exchange Server
• Exchange Server is exposed to all application-layer attacks
Diagram: Internet -> incoming traffic -> Exchange Server
Slide 17: Advanced Protection: Secure Exchange Publishing with ISA Server 2004
• ISA Server 2004 defends Exchange Server and enables secure client access
• Protection of all types of client access (Microsoft Outlook® Web Access [OWA], SMTP, POP, IMAP, RPC, RPC over HTTP)
• Increases OWA performance and enables application of firewall policy to OWA traffic
• Allows scanning of e-mail text and attachments
Diagram: Internet -> incoming traffic (inspected by ISA Server 2004) -> Exchange Server
Slide 18: Advanced Protection: The Need to Provide Secure VPN Access
• Companies need to provide remote access: branch offices, business partners, home offices and traveling users
• VPNs are a cost-effective way to leverage the Internet: no dial-up connections or leased lines required; VPNs use the existing Internet connection
• VPNs create security concerns and increase administrative work: VPNs create new administration tasks and new ways to access the corporate network
ISA Server 2004 simplifies VPN administration and provides VPN security
Slide 19: Advanced Protection: How ISA Server 2004 Secures VPN Client Connections
• All communications over the Internet are encrypted
• Broad protocol support: PPTP and L2TP/IPSec; IPSec NAT traversal (NAT-T) for connectivity across any network (requires Microsoft Windows Server™ 2003)
• Authentication:
  • Microsoft Active Directory® uses existing Microsoft Windows® accounts, supports PKI for two-factor authentication
  • RADIUS uses non-Windows-based accounts databases with standards-based integration
  • SecurID provides strong, two-factor authentication using tokens and RSA authentication servers
• Integration of VPN traffic into firewall policy
• Network access quarantine to ensure secure client configuration
Slide 20: Advanced Protection: How ISA Server 2004 Connects Networks
• Broad protocol support: PPTP; L2TP/IPSec; IPSec tunnel mode for interoperability with existing VPN gateways (fully tested and supported)
• Authentication and encryption: uses Windows RRAS capabilities
• Range of authentication methods: Active Directory, RADIUS, passwords, certificates
• Configurable encryption methods help ensure confidentiality of communications
• Fine-grained control over traffic between networks
Slide 21: Summary: Advanced Protection
• ISA Server 2004 was designed with the most common customer scenarios in mind
• ISA Server 2004 protects networks while enabling connectivity
• ISA Server 2004 is optimized for application-layer filtering
• A broad range of partner offerings extends protection capabilities
ISA Server 2004 is a crucial component in protecting Microsoft networks and applications
Slide 22: Ease of Use: New, Easy-to-Use Administration Tools
• ISA Server 2004 Management Console completely redesigned from the previous version: all tools for each task in one place; easy to learn
• Ease of use can reduce the risk of security breaches due to misconfiguration
• Local or remote administration
• Use the same tool to configure and monitor the firewall, cache, and VPN gateway
Slide 23: Ease of Use: Overview
• Simplified administration tools: reduces training costs; helps prevent insecure configurations
• Unified firewall policy: helps keep administration costs low
Slide 24: Ease of Use: Task-based Administration
• All tools for a task are accessible when needed
• Easy access to common tasks
Slide 25: Ease of Use: Monitoring
• Real-time monitoring for troubleshooting
• Variety of report formats summarizes Internet activity and performance
• Dashboard is the starting point for monitoring
Slide 26: Ease of Use: Reporting
• Broad range of reporting options
Slide 27: Ease of Use: Easy Deployment
• Multiple network support: works with your existing network infrastructure; leverages previous IT investments
• Broad client support: supports any device that uses TCP/IP; Firewall Client adds features for Windows clients
• Low administrative overhead during initial deployment and network maintenance
Slide 28: Ease of Use: Adjusts to Network Changes
• Flexibility to support most network types
• Templates to simplify deployments
Slide 29: Ease of Use: Easy Scalability
• Scale up: upgrade to faster hardware and repurpose existing server(s) without the need to purchase a different ISA Server 2004 license
• Scale out: easily copy configuration settings with XML export; maintain existing rules and settings
• Choice of options to grow with company needs
Slide 30: Ease of Use: Alerting
• Alerts for a large number of events
• Flexible alerting options
• New: Connectivity Verification
Slide 31: Ease of Use: User-based Access Control
• Prevalence of DHCP on internal networks makes IP-based access control obsolete
• ISA Server 2004 supports the use of native Windows security credentials to build highly granular firewall access rules
• RADIUS for universal integration with non-Windows user accounts and for authentication in perimeter networks
• Credentials are passed transparently, eliminating the need for additional tedious logon procedures at the firewall
Slide 32: Ease of Use: Easy Extensibility
• Adding functionality: easy customization by in-house developers; wide range of partner solutions
Partner solution categories:
• Application Filters
• Caching and Distributions
• Content Security
• High Availability and Load Balancing
• Intrusion Detection
• Monitoring and Administration
• Network Utilities
• Reporting
• SSL Acceleration and Key Management
• Security Resellers
• Security Solution Providers
• URL Filtering
• User Authentication
http://microsoft.com/isaserver/partners
Slide 33: Ease of Use: Extensible Open Platform
• Most administrative tasks can be scripted: scripting automates tasks, saves time and ensures consistency; the SDK provides access to easy-to-use procedures for scripting
• Custom Web and application filters: custom filters allow secondary inspection and manipulation of traffic (examples: advanced content inspection, advanced authorization, etc.); the easy object model ensures quick results
Slide 34: Summary: Ease of Use
• ISA Server 2004 tools make firewall administration easy
• Easy configuration can help prevent configuration mistakes
• ISA Server 2004 adapts to existing network configurations and changes
• Extensive logging, monitoring, and reporting capabilities
ISA Server 2004 is a crucial component in protecting Microsoft networks and applications
Slide 35: Fast, Secure Access: Integrated VPN
• Secure site-to-site connections
• Secure remote access connections
• Broad protocol support
Slide 36: Fast, Secure Access: Web-Caching Benefits
• Frequently requested Web content is cached for local delivery
• Users get faster access to frequently requested Web content
• Existing bandwidth is used more efficiently
ISA Server 2004 is the only major firewall with built-in, state-of-the-art Web caching
Slide 37: Fast, Secure Access: Internet Access Without Caching
Diagram (Client 1 and Client 2 behind an existing firewall):
1. Client 1: GET www.microsoft.com
2. Object is sent from the Internet
3. Client 2: GET www.microsoft.com
4. Object is sent from the Internet
Each client request causes Internet traffic
Slide 38: Fast, Secure Access: How Does Caching Work?
Diagram (Client 1 and Client 2 behind ISA Server 2004):
1. Client 1: GET www.microsoft.com
2. Access controls are enforced
3. GET www.microsoft.com is forwarded to the Internet
4. Object is sent from the Internet and placed in cache
5. Client 2: GET www.microsoft.com
6. Object is sent from cache
Client requests for cached content cause no Internet traffic
Slide 39: Fast, Secure Access: Effects of Caching
• Reduces bandwidth requirements: requests from multiple users for an object only require one download from the Internet
• Reduces server workload: requests for published Web content are served from the cache without additional requests to the published server
• Distributes bandwidth: the most frequently accessed content can be downloaded during off hours and before users request it
• Ensures that objects are up-to-date: ISA Server requests an updated version when the object has changed on the Web server
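The two-client flow on slides 37 to 39 as a runnable model, added here as an example and not taken from the deck or from ISA Server 2004: a forward cache that enforces access control before the cache is consulted, serves a fresh object without any Internet traffic, and revalidates a stale object with a conditional request so that a changed page is downloaded again while an unchanged one is not. The URL, the in-memory origin server, the user names and the 60-second freshness window are constructed for the example; a real cache takes freshness from the response headers.

```python
from dataclasses import dataclass


@dataclass
class Origin:
    """Stand-in for a Web server on the Internet (constructed for the example)."""
    objects: dict        # url -> (etag, body)
    contacts: int = 0    # every request that crosses to the Internet
    downloads: int = 0   # requests that transfer a full object body

    def get(self, url, if_none_match=None):
        self.contacts += 1
        etag, body = self.objects[url]
        if if_none_match == etag:
            return 304, etag, b""          # unchanged: no body is transferred
        self.downloads += 1
        return 200, etag, body


class ForwardCache:
    TTL = 60  # seconds an object is served without contacting the origin (assumed)

    def __init__(self, origin, allowed_users):
        self.origin = origin
        self.allowed = set(allowed_users)
        self.store = {}  # url -> (etag, body, fresh_until)
        self.hits = 0

    def request(self, user, url, now):
        # Slide 38, step 2: access controls are enforced before anything is served.
        if user not in self.allowed:
            return 403, b""
        entry = self.store.get(url)
        if entry is not None:
            etag, body, fresh_until = entry
            if now < fresh_until:            # fresh: no Internet traffic at all
                self.hits += 1
                return 200, body
            # Stale: ask the Web server whether the object changed (slide 39).
            status, new_etag, new_body = self.origin.get(url, if_none_match=etag)
            if status == 304:
                self.hits += 1
                self.store[url] = (etag, body, now + self.TTL)
                return 200, body
            self.store[url] = (new_etag, new_body, now + self.TTL)
            return 200, new_body
        status, etag, body = self.origin.get(url)   # first request: one download
        self.store[url] = (etag, body, now + self.TTL)
        return 200, body


def run_demo():
    """Replay the slide's two clients plus a denied user and a changed page."""
    url = "http://www.microsoft.com/"
    origin = Origin({url: ("v1", b"<html>home v1</html>")})
    cache = ForwardCache(origin, allowed_users={"client1", "client2"})
    r1 = cache.request("client1", url, now=0)    # miss: downloaded from the Internet
    r2 = cache.request("client2", url, now=10)   # hit: served from cache
    r3 = cache.request("guest", url, now=20)     # denied before the cache is consulted
    origin.objects[url] = ("v2", b"<html>home v2</html>")   # page changes on the server
    r4 = cache.request("client1", url, now=70)   # stale: conditional request, new body
    r5 = cache.request("client2", url, now=80)   # hit again
    r6 = cache.request("client1", url, now=140)  # stale but unchanged: 304, no download
    return {
        "statuses": [r[0] for r in (r1, r2, r3, r4, r5, r6)],
        "final_body": r6[1],
        "origin_contacts": origin.contacts,
        "origin_downloads": origin.downloads,
        "cache_hits": cache.hits,
    }


if __name__ == "__main__":
    print(run_demo())
```

Six client requests produce only two full downloads and three Internet round trips; the rest are served locally, which is the bandwidth effect the slides describe.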
Slide 40: Fast, Secure Access: Business Benefits of Caching
• Improved productivity: many Web pages are displayed faster; no waiting for Web objects that are cached
• Better resource utilization: no need to purchase additional bandwidth
• Fully integrated, minimal administration
Slide 41: Fast, Secure Access: Scaling Caching for the Enterprise
• Downstream server requests content from the upstream server
• Upstream server retrieves content from the Internet
• Content can be cached in both locations
• Security settings are enforced centrally
• No direct Internet requests required from branch offices
Diagram: Internet <- cache (upstream) on the corporate network <- cache (downstream) at each branch office
Slide 42: Fast, Secure Access: Granular Access Control
• Full control over Internet access by users: enforce corporate policies; control access by protocol, user, location, destination, schedule
• Fine-grained control of Web content
• Partner solutions extend access control
• All network traffic blocked unless specifically allowed
• Flexible firewall policy: easy to create broad rules or detailed policy; unified firewall policy makes it easy to review and troubleshoot access rules
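The rule model described on slide 31 (user-based rather than IP-based access control) and slide 42 (control by protocol, user, location, destination and schedule, with everything blocked unless specifically allowed) as a small policy evaluator, added here as an example; it is not ISA Server 2004 code and does not use the product's object model. Rules are evaluated top-down, the first match wins, and a request that matches no rule is denied. The rule names, group names, network names, destinations and the timestamp are constructed.

```python
from dataclasses import dataclass, field
from datetime import datetime


@dataclass
class AccessRule:
    """One firewall access rule. A set containing "*" matches anything."""
    name: str
    action: str                                                 # "allow" or "deny"
    protocols: set = field(default_factory=lambda: {"*"})
    groups: set = field(default_factory=lambda: {"*"})          # user groups, not IPs
    sources: set = field(default_factory=lambda: {"*"})         # network names
    destinations: set = field(default_factory=lambda: {"*"})    # host names
    hours: tuple = (0, 24)                                      # schedule [start, end)

    def matches(self, protocol, user_groups, source, destination, when):
        def hit(allowed, value):
            return "*" in allowed or value in allowed
        return (hit(self.protocols, protocol)
                and ("*" in self.groups or bool(self.groups & user_groups))
                and hit(self.sources, source)
                and hit(self.destinations, destination)
                and self.hours[0] <= when.hour < self.hours[1])


def evaluate(rules, protocol, user_groups, source, destination, when):
    """First matching rule wins; with no match the traffic is blocked (default deny)."""
    for rule in rules:
        if rule.matches(protocol, user_groups, source, destination, when):
            return rule.action, rule.name
    return "deny", "default (no rule matched)"


# Constructed policy: an explicit block first, then two allow rules, nothing else.
POLICY = [
    AccessRule("Block known-bad sites", "deny", destinations={"bad.example"}),
    AccessRule("Sales Web access, business hours", "allow",
               protocols={"http", "https"}, groups={"Sales"},
               sources={"Internal"}, hours=(8, 18)),
    AccessRule("Admins, any protocol, any time", "allow",
               groups={"Domain Admins"}, sources={"Internal"}),
]


def check(protocol, groups, source, destination, hour):
    """Evaluate POLICY for a request at the given hour of a constructed day."""
    when = datetime(2004, 6, 1, hour)
    return evaluate(POLICY, protocol, set(groups), source, destination, when)


if __name__ == "__main__":
    print(check("http", ["Sales"], "Internal", "www.contoso.com", 10))
    print(check("http", ["Sales"], "Internal", "www.contoso.com", 20))
    print(check("ftp", ["Sales"], "Internal", "files.example", 10))
```

Because identity comes from group membership rather than the source address, the same rule set keeps working when DHCP hands a user a different address; the last case shows the default-deny behaviour for a protocol no rule mentions.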
Slide 43: Summary: Fast, Secure Access
• Integrated VPN for secure site-to-site and remote access connections
• Optimized for application-layer filtering
• Caching accelerates access to frequently used Web content
• Granular rules allow a high level of Internet access control
• Additional filtering is possible with third-party solutions provided by Microsoft partners
ISA Server 2004 is a crucial component in protecting Microsoft networks and applications
Slide 44: 2. Protecting Microsoft Applications: Technical Details
Slide 45: Protecting Microsoft Applications
• Secure Application Access: help secure access to IIS, Microsoft SharePoint®, and other application servers
• Secure Access to E-Mail: allow access to Exchange servers while protecting them
• Remote Connectivity: connecting offices, partners, and users by using ISA Server 2004 and Windows Server 2003
• Integrated Branch Office Solution: branch office security
Slide 46: Secure Application Access
Business Need | Risk to Organization
Provide fast, secure access to internal Web resources:
• Web servers are exposed to attacks that threaten business resources
• Attacks can bypass traditional firewalls by using the same protocols as legitimate Web traffic
• Placing a firewall in front of public Web servers can slow down access to Web resources
Provide access to SharePoint-based resources:
• Allowing access to existing resources requires costly redesign or duplication of network infrastructure
• Same risks as providing access to all Web servers
Maintain confidentiality of communications:
• Confidentiality requires encryption, which defeats traffic inspection at the firewall
• Attackers may gain access to the network even though a firewall is installed
Slide 47: A Traditional Firewall's View of a Packet
• Only packet headers are inspected; application-layer content appears as a "black box"
• Forwarding decisions are based on port numbers; legitimate traffic and application-layer attacks use identical ports
Packet diagram: IP header (source address, destination address, TTL, checksum); TCP header (sequence number, source port, destination port, checksum); application-layer content: ???????? (opaque to the firewall)
Diagram: incoming traffic from the Internet to the Web server: expected HTTP traffic, unexpected HTTP traffic, Web server attacks, non-HTTP traffic
Slide 48: ISA Server 2004's View of a Packet
• Packet headers and application content are inspected
• Forwarding decisions are based on content; only legitimate HTTP traffic is sent to the Web server
Packet diagram: IP header (source address, destination address, TTL, checksum); TCP header (sequence number, source port, destination port, checksum); application-layer content: GET www.contoso.com/partners/default.htm
Diagram: incoming traffic from the Internet (expected HTTP traffic, unexpected HTTP traffic, Web server attacks, non-HTTP traffic) is inspected before the Web server
Slide 49: Traditional Web Publishing
• All traffic using TCP port 80 is sent to the Web server
• One Web server per IP address
Diagram: incoming traffic from the Internet, all forwarded to the Web server:
  http://www.contoso.com
  http://39.1.1.1
  http://www.contoso.com/../cmd?..
  http://www.contoso.com/%20%20
  http://www.contoso.com/scripts/
  http://www.contoso.com/partners/
Slide 50: ISA Server 2004 Web Publishing
• ISA Server 2004 inspects the HTTP request; only allowed requests are forwarded
• ISA Server 2004 can publish multiple servers
Diagram: incoming traffic from the Internet to ISA Server 2004 in front of the Web servers:
  http://www.contoso.com
  http://39.1.1.1
  http://www.contoso.com/../cmd?..
  http://www.contoso.com/%20%20
  http://www.contoso.com/scripts/
  http://www.fabrikam.com/partners
ISA Server protects IIS
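The request inspection of slides 47 to 50 as a small, runnable reverse-proxy filter, added here as an example; it is not ISA Server 2004's HTTP filter and the publishing rules, internal addresses and request strings are constructed. It parses the raw request, routes by host name so that several servers can be published behind one address, percent-decodes the path twice so that double-encoded traversal is seen, rejects residual encoding, unsafe characters and ".." segments, and then applies per-host allowed and blocked path prefixes. The sample requests are the six URLs shown in the slide's diagram plus a double-encoded variant and a disallowed method.

```python
import re
from urllib.parse import unquote, urlsplit

# Constructed Web publishing rules (placeholder addresses, not a real deployment):
# public host name -> (internal server, allowed path prefixes, blocked path prefixes)
PUBLISHING_RULES = {
    "www.contoso.com":  ("10.0.0.11", ("/",), ("/scripts/",)),
    "www.fabrikam.com": ("10.0.0.12", ("/partners",), ()),
}
ALLOWED_METHODS = {"GET", "HEAD", "POST"}
SAFE_PATH = re.compile(r"^[A-Za-z0-9/._~-]*$")   # no spaces, control or high-bit bytes


def parse_request(raw):
    """Split a raw HTTP/1.1 request head into (method, target, version, headers)."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3:
        return None
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return parts[0], parts[1], parts[2], headers


def normalize_path(target):
    """Percent-decode twice so double-encoded traversal is visible; refuse leftovers."""
    path = urlsplit(target).path or "/"
    decoded = unquote(unquote(path))
    return None if "%" in decoded else decoded


def filter_request(raw):
    """Return ("forward", server, path) or ("block", reason)."""
    parsed = parse_request(raw)
    if parsed is None:
        return ("block", "malformed request line")
    method, target, _version, headers = parsed
    if method not in ALLOWED_METHODS:
        return ("block", "method not allowed")
    # An absolute-form target (http://host/...) names the host itself; else use Host:
    host = (urlsplit(target).hostname or headers.get("host", "").split(":")[0]).lower()
    rule = PUBLISHING_RULES.get(host)
    if rule is None:                     # covers IP-literal requests such as http://39.1.1.1
        return ("block", "host not published: " + repr(host))
    path = normalize_path(target)
    if path is None:
        return ("block", "residual percent-encoding")
    if not SAFE_PATH.match(path):        # e.g. /%20%20 decodes to whitespace
        return ("block", "disallowed characters in path")
    if any(seg in ("..", ".") for seg in path.split("/")):
        return ("block", "directory traversal")
    server, allowed, blocked = rule
    if any(path.startswith(p) for p in blocked):
        return ("block", "path blocked by publishing rule")
    if not any(path.startswith(p) for p in allowed):
        return ("block", "path not published")
    return ("forward", server, path)


def decide(target, host="www.contoso.com", method="GET"):
    """Build a constructed request for target and run it through the filter."""
    raw = "%s %s HTTP/1.1\r\nHost: %s\r\n\r\n" % (method, target, host)
    return filter_request(raw)


if __name__ == "__main__":
    for t in ("http://www.contoso.com", "http://39.1.1.1", "/../cmd?..",
              "/%20%20", "/scripts/", "/%252e%252e/cmd"):
        print(t, "->", decide(t))
    print("/partners", "->", decide("/partners", host="www.fabrikam.com"))
```

The decode-then-check order matters: checking for ".." before decoding would let %2e%2e through, and a filter that forwards everything on port 80 (slide 49) never gets to make any of these decisions.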
Slide 51: How ISA Server 2004 Secures SSL Traffic
SSL: confidentiality but no traffic inspection
SSL bridging:
1. Client on the Internet encrypts communications
2. ISA Server 2004 decrypts and inspects traffic
3. ISA Server 2004 sends allowed traffic to the published server, re-encrypting it if required
Slide 52: Web Publishing Details
• ISA Server 2004 HTTP content inspection is a crucial element of a strategy that employs defense-in-depth: ISA Server 2004 provides a central location to block disallowed Web requests based on signatures or generic attack patterns; ISA Server only processes allowed URLs
• Unified view of Web resources: ISA Server 2004 can redirect Web requests to one or more internal servers; ISA Server 2004 can protect server farms or entire networks
• User authentication: Active Directory, RADIUS, or SecurID needed for access to intranet or extranet resources; credentials can be forwarded to a published server for logging and customizing content
No IIS deployment is complete without ISA Server 2004
Slide 53: External Access to Internal Links
• Absolute references to internal servers cause problems: the client can't resolve the name to an address
Diagram: an external client requests http://www.contoso.com/default.htm from www.contoso.com; the returned Web page contains HREF=http://teams/sales; the client asks "Teams?" because the intranet name cannot be resolved from the Internet
Slide 54: ISA Server 2004 Link Translation
• Link translation solves problems with absolute references
Diagram: the external client requests http://www.contoso.com/default.htm; the Web page from the internal server contains HREF=http://teams/sales; ISA Server 2004 rewrites it to HREF=http://teams.contoso.com/sales, and the client can follow it to http://teams.contoso.com/sales/
Slide 55: Link Translation Details
• Link translation is crucial for providing simultaneous internal and external access to SharePoint sites
• Translates hyperlinks within Web responses from the published server
• Translates intranet computer names to names that can be externally resolved
• Can replace http:// with https:// for SSL bridging
• Automatic translation is sufficient for most scenarios; administrator-defined translation for extended functionality
No SharePoint deployment is complete without ISA Server 2004
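The rewrite on slides 53 to 55 as a runnable link-translation pass, added here as an example; it is not ISA Server 2004's link translator and the dictionary entries are constructed. It rewrites href, src and action attributes (quoted or bare, as the slide's HREF=http://teams/sales) whose URL starts with a mapped intranet name, maps http:// to https:// as the SSL bridging case allows, matches whole host names only so that http://teams does not rewrite http://teamsite, and applies the same mapping to a Location header, which a redirect from the published server would otherwise leak unchanged.

```python
import re

# Constructed link-translation dictionary: internal URL prefix -> externally
# resolvable prefix. Mapping http:// to https:// mirrors SSL bridging (slide 55).
LINK_TRANSLATION = {
    "http://teams":            "https://teams.contoso.com",
    "http://teams.corp.local": "https://teams.contoso.com",
}

# href/src/action attributes, quoted or bare (the slide shows HREF=http://teams/sales)
LINK_ATTR = re.compile(
    r"""(?P<attr>\b(?:href|src|action)\s*=\s*)(?P<q>["']?)(?P<url>[^"'\s>]*)(?P=q)""",
    re.IGNORECASE)


def translate_url(url):
    """Rewrite url if it starts with a mapped internal prefix; longest prefix wins."""
    for internal, external in sorted(LINK_TRANSLATION.items(), key=lambda kv: -len(kv[0])):
        # Whole-host match only: http://teams must not rewrite http://teamsite/...
        if url == internal or url.startswith(internal + "/"):
            return external + url[len(internal):]
    return url


def translate_links(html):
    """Rewrite every link attribute in a Web response body from the published server."""
    def rewrite(match):
        return (match.group("attr") + match.group("q")
                + translate_url(match.group("url")) + match.group("q"))
    return LINK_ATTR.sub(rewrite, html)


def translate_location(header_value):
    """Redirect (Location:) headers carry absolute URLs too and need the same rewrite."""
    return translate_url(header_value)


if __name__ == "__main__":
    page = '<a HREF=http://teams/sales>Sales</a> <img src="http://teams/logo.gif">'
    print(translate_links(page))
    print(translate_location("http://teams/sales/"))
```

The sort by prefix length keeps a short name such as http://teams from shadowing a longer one that shares its start; the trailing-slash check is what separates a host name from a host name that merely begins with the same letters.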
Slide 56: Easy Configuration and Administration of Application Access
Web Publishing Wizards make configuration easy and prevent configuration mistakes; monitoring tools show Web usage
Slide 57: How ISA Server 2004 Enables Access to Non-Web Resources
• Access to some corporate resources requires protocols other than HTTP: FTP servers for access to files; database servers in the perimeter network or internal network; public DNS servers to locate the company's servers
• Server publishing allows secure access to non-Web resources
• ISA Server 2004 supports all IP-based protocols
• Application-layer filtering for selected protocols: SMTP, FTP, DNS, RPC, etc.
Slide 58: Summary: Secure Application Access
• Access to internal Web resources: ISA Server 2004 protects corporate Web resources and acts as a central gateway to allow centralized traffic inspection.
• Confidentiality of communications: ISA Server 2004 can provide confidentiality of Web traffic and protection of resources at the same time.
• Access to SharePoint-based resources: ISA Server 2004 makes access to existing internal SharePoint-based resources easy. No network redesign is required.
Slide 59: Protecting Microsoft Applications
• Secure Application Access: help secure access to IIS, Microsoft SharePoint®, and other application servers
• Secure Access to E-Mail: allow access to Exchange servers while protecting them
• Remote Connectivity: connecting offices, partners, and users by using ISA Server 2004 and Windows Server 2003
• Integrated Branch Office Solution: branch office security
Slide 60: Secure Access to E-Mail
Business Need | Risk to Organization
Receive and send e-mail:
• Traditional firewalls can limit what network traffic is allowed to the mail server, but don't perform deep content inspection. Attacks can succeed by masquerading as legitimate mail traffic.
• Mail servers are the only defense against SMTP-based attacks.
Users need access to e-mail regardless of their location:
• Allowing access from the Internet also opens the network to potential attacks from the Internet.
• Mail servers are the only defense against attacks that use client protocols, such as HTTP, POP, RPC.
Maintain confidentiality of e-mail:
• Traditional client protocols, such as POP and IMAP, are unencrypted.
• Most firewalls can't provide native Outlook access to Exchange servers in a secure manner.
• Encrypting Web access to e-mail, such as OWA, defeats traffic inspection at the firewall.
61
E-Mail Access: Traditional Firewall
Firewall rules open ports to allow traffic to and from the mail server:
• Incoming connections on the mail server for SMTP, POP3, and OWA (using SSL)
• Outgoing connections from the mail server for SMTP
Limitation: Control over what channels are opened, but no control over what type of network traffic is sent to the mail server over these channels
[Diagram: Internet to Exchange Server through the firewall; inbound rules Allow: Port 25 (SMTP), Allow: Port 110 (POP3), Allow: Port 443 (SSL); outbound rule Allow: Port 25]
62
Outlook Web Access: Traditional Firewall
Web traffic to OWA is encrypted:
• Standard SSL encryption
• Security against eavesdropping and impersonation
Limitation: OWA server is the only defense against application-layer attacks
Concept of defense-in-depth requires inspection of OWA traffic at the firewall
[Diagram: OWA traffic, password guessing, and Web server attacks all travel from the Internet through the same SSL tunnel to the Exchange Server]
63
How ISA Server 2004 Protects OWA
Authentication:
• Unauthorized requests are blocked before they reach the Exchange Server
• Enforces all OWA authentication methods
• Enhanced forms-based authentication prevents caching of credentials
Inspection:
• Invalid HTTP requests or requests for non-OWA content are blocked
• Inspection of SSL traffic before it reaches the Exchange Server
Confidentiality:
• Ensures encryption of traffic over the Internet
• Can prevent the downloading of attachments to client computers
[Diagram: OWA traffic from the Internet enters the SSL tunnel to ISA Server 2004, where authentication and inspection take place before it continues to the Exchange Server; Web server attacks and password guessing are stopped at ISA Server 2004]
64
How RPC Works
Service | UUID | Port
Exchange Info Store | {0E4A0156-DD5D-11D2-8C2F-00CD4FB6BCDE} | 4402
Active Directory | {E35114235-4B06-11D1-AB04-00C04C2DCD2} | 3544
Performance Monitor | {A00C021C-2BE2-11D2-B678-0000F87A8F8E} | 9233
1. The RPC server maintains a table of Universally Unique Identifiers (UUIDs) and assigned ports
2. The client connects to TCP port 135 on the server to query for the port associated with a UUID
3. The server responds with the associated port
4. The client reconnects to the server on the designated port to access Exchange
[Diagram: RPC Client (Outlook) on the Internet and RPC Server (Exchange); messages "TCP 135: Port for {0E4A…}?", "Server: Port 4402", "Port 4402: Data"]
65
RPC and Traditional Firewalls
• Open port 135 for incoming traffic
• Open every port that RPC might use for incoming traffic
Traditional firewalls can’t provide secure RPC access
[Diagram: the same exchange between RPC Client (Outlook) on the Internet and RPC Server (Exchange): "TCP 135: Port for {0E4A…}?", "Server: Port 4402", "Port 4402: Data"]
66
How ISA Server 2004 Protects RPC Traffic
Initial connection:
• Only allows valid RPC traffic
• Blocks non-Exchange queries
Secondary connection:
• Only allows connection to port used by Exchange
• Enforces encryption
ISA Server 2004 enables secure remote e-mail access by using Outlook
[Diagram: the same exchange between RPC Client (Outlook) on the Internet and RPC Server (Exchange), now passing through ISA Server 2004: "TCP 135: Port for {0E4A…}?", "Server: Port 4402", "Port 4402: Data"]
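The exchange on slides 64 to 66 can be followed in code. The block below is an added example, not ISA Server 2004 code or anything from Microsoft: it models the endpoint-mapper lookup and a stateful RPC filter that behaves the way the slides describe, passing only queries for the published (Exchange) UUID on the initial TCP 135 connection and allowing a secondary connection only to the port the server actually handed out for that UUID. The UUID/port table is the constructed one from slide 64; the class and function names are assumptions, and the encryption requirement on the secondary connection is not modelled.

```python
"""
Added example (not ISA Server 2004 code): a toy model of the endpoint-mapper
exchange on slides 64-66 and of a stateful RPC filter that behaves the way the
slides describe ISA Server 2004: on the initial TCP 135 connection only queries
for the Exchange UUID are passed, and a secondary connection is allowed only to
the port the server actually handed out for that UUID. The UUID/port table is
the constructed one from slide 64; the classes and function names are assumptions.
"""
from dataclasses import dataclass, field

EPMAP_PORT = 135  # endpoint mapper, the fixed port every RPC client asks first

# Endpoint-mapper table from slide 64 (constructed values, as on the slide).
RPC_ENDPOINT_TABLE = {
    "Exchange Info Store": ("{0E4A0156-DD5D-11D2-8C2F-00CD4FB6BCDE}", 4402),
    "Active Directory":    ("{E35114235-4B06-11D1-AB04-00C04C2DCD2}", 3544),
    "Performance Monitor": ("{A00C021C-2BE2-11D2-B678-0000F87A8F8E}", 9233),
}
EXCHANGE_UUID = RPC_ENDPOINT_TABLE["Exchange Info Store"][0]


class RpcServer:
    """The server side: answers 'which port serves interface UUID X?'."""

    def __init__(self, table):
        self._port_by_uuid = {uuid.upper(): port for uuid, port in table.values()}

    def lookup(self, uuid):
        return self._port_by_uuid.get(uuid.upper())


@dataclass
class RpcFilter:
    """Stateful RPC filter sitting between the Internet client and the server."""
    server: RpcServer
    allowed_uuids: frozenset                              # interfaces published through the filter
    granted_ports: dict = field(default_factory=dict)     # UUID -> port seen in a server reply
    log: list = field(default_factory=list)

    def connect(self, dst_port, query_uuid=None):
        """Return the server's reply (a port, or 'data'), or None when the filter blocks."""
        if dst_port == EPMAP_PORT:
            # Initial connection: only a valid query for a published UUID is forwarded.
            if query_uuid is None or query_uuid.upper() not in self.allowed_uuids:
                self.log.append(f"BLOCK epmap query for {query_uuid}")
                return None
            port = self.server.lookup(query_uuid)
            if port is not None:
                self.granted_ports[query_uuid.upper()] = port   # remember what was handed out
            self.log.append(f"ALLOW epmap query for {query_uuid} -> port {port}")
            return port
        # Secondary connection: only a port the server handed out for a published UUID.
        if dst_port in self.granted_ports.values():
            self.log.append(f"ALLOW secondary connection to port {dst_port}")
            return "data"
        self.log.append(f"BLOCK secondary connection to port {dst_port}")
        return None


def outlook_session(flt, uuid=EXCHANGE_UUID):
    """Steps 2-4 of slide 64: ask port 135 for the UUID's port, then reconnect to it."""
    port = flt.connect(EPMAP_PORT, uuid)
    if port is None:
        return None
    return flt.connect(port)


def demo():
    """Exchange works; an Active Directory query and a guessed port are both blocked."""
    flt = RpcFilter(RpcServer(RPC_ENDPOINT_TABLE), frozenset({EXCHANGE_UUID.upper()}))
    exchange = outlook_session(flt)
    ad = outlook_session(flt, RPC_ENDPOINT_TABLE["Active Directory"][0])
    guessed = flt.connect(3544)            # port exists on the server, but was never handed out
    return exchange, ad, guessed, flt.log


if __name__ == "__main__":
    for entry in demo()[3]:
        print(entry)
```

The point of `granted_ports` is the contrast with slide 65: a traditional firewall must leave every port RPC might use open, whereas the filter only ever opens the one port it saw the server assign, and only for the interface it was configured to publish.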
67
How RPC over HTTP Works
• RPC over HTTP encapsulates RPC traffic inside HTTP
• Internal Web server (RPC proxy) extracts RPC traffic from HTTP
• Advantage: Most firewalls allow HTTP traffic
• Problem: Traditional firewalls leave RPC proxy exposed to Web-based attacks
[Diagram: HTTP traffic and Web server attacks from the Internet reach the RPC proxy, which passes RPC traffic to the internal network]
68
How ISA Server 2004 Protects RPC over HTTP
• ISA Server 2004 terminates SSL tunnel
• Inspects HTTP traffic for protocol compliance
• Blocks requests for all URLs except http://.../rpc/...
• No direct connections from Internet to Exchange Server
• Application-layer protection for HTTP traffic
[Diagram: Web server attacks from the Internet are stopped at ISA Server 2004; only RPC traffic continues to the RPC proxy]
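Slide 63 (requests for non-OWA content and invalid HTTP requests are blocked) and slide 68 (only URLs under /rpc/ are allowed, HTTP inspected for protocol compliance) describe the same two checks on a published Web server. The block below is an added example, not ISA Server 2004 code or anything from Microsoft, showing how such a filter decides: it validates the request line, then normalises the path (decoding percent-encoding before collapsing `..`) and tests it against the published prefixes. The path prefixes, the method lists, the host names and the sample request lines are constructed assumptions.

```python
"""
Added example (not ISA Server 2004 code): a toy Web-publishing filter that applies
the two checks slides 63 and 68 attribute to ISA Server 2004 for OWA and for RPC
over HTTP: drop requests that are not well-formed HTTP, and drop any request whose
path lies outside the published content. The path prefixes, method lists, host
names and sample request lines are constructed assumptions.
"""
import re
from urllib.parse import unquote, urlsplit

# Request line: METHOD SP request-target SP HTTP/major.minor, nothing else.
REQUEST_LINE = re.compile(r"^([A-Z_]+) (\S+) HTTP/(\d)\.(\d)$")
SUPPORTED_VERSIONS = {("1", "0"), ("1", "1")}

# Constructed publishing rules: which paths and methods each rule exposes.
PUBLISHED_PATHS = {
    "owa": ("/exchange/", "/exchweb/", "/public/"),
    "rpc-over-http": ("/rpc/",),
}
ALLOWED_METHODS = {
    "owa": {"GET", "POST"},
    "rpc-over-http": {"RPC_IN_DATA", "RPC_OUT_DATA"},  # the RPC-over-HTTP verbs
}


def normalize_path(target):
    """Decode and collapse the path so '/exchange/../rpc/' cannot slip past a prefix test.
    Decoding happens before collapsing, so an encoded '%2F..%2F' is caught as well."""
    path = unquote(urlsplit(target).path or "/")
    parts = []
    for segment in path.split("/"):
        if segment in ("", "."):
            continue
        if segment == "..":
            if parts:
                parts.pop()
            continue
        parts.append(segment)
    norm = "/" + "/".join(parts)
    if path.endswith("/") and norm != "/":
        norm += "/"
    return norm


def check_request(rule, request_line):
    """Return (allowed, reason) for one request line under the named publishing rule."""
    m = REQUEST_LINE.match(request_line)
    if not m:
        return False, "malformed request line"
    method, target, major, minor = m.groups()
    if (major, minor) not in SUPPORTED_VERSIONS:
        return False, f"unsupported HTTP version {major}.{minor}"
    if method not in ALLOWED_METHODS[rule]:
        return False, f"method {method} not allowed for {rule}"
    path = normalize_path(target)
    published = PUBLISHED_PATHS[rule]
    if not any(path == p.rstrip("/") or path.startswith(p) for p in published):
        return False, f"path {path} is outside published content"
    return True, "ok"


# Constructed sample request lines as a reverse proxy would see them.
SAMPLE_REQUESTS = [
    ("owa", "GET /exchange/alice/Inbox HTTP/1.1"),
    ("owa", "GET /%65xchweb/img/logo.gif HTTP/1.1"),          # encoded but legitimate
    ("owa", "GET /exchange/../rpc/rpcproxy.dll HTTP/1.1"),    # traversal out of OWA content
    ("owa", "GET /exchange/ HTTP/2.0"),
    ("owa", "TRACE /exchange/ HTTP/1.1"),
    ("owa", "GET /exchange/ HTTP/1.1 extra"),
    ("rpc-over-http", "RPC_IN_DATA /rpc/rpcproxy.dll?mail01:6001 HTTP/1.1"),
    ("rpc-over-http", "GET /rpc/rpcproxy.dll HTTP/1.1"),
]


def filter_requests(samples=SAMPLE_REQUESTS):
    """Run every sample through its rule; returns (line, allowed, reason) triples."""
    return [(line, *check_request(rule, line)) for rule, line in samples]


if __name__ == "__main__":
    for line, allowed, reason in filter_requests():
        print("ALLOW" if allowed else "BLOCK", line, "-", reason)
```

The order of the checks matters: the grammar and version checks run before anything is decoded, and the prefix test runs only on the fully normalised path, which is why the encoded traversal in the sample set is refused while the encoded-but-legitimate OWA request is passed.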
69
How ISA Server 2004 Protects SMTP Traffic
SMTP-based attacks:
• Invalid, overly long, or unusual SMTP commands to attack a mail server or to gather recipient information
• Attacks against recipients by including malicious content, such as worms
ISA Server 2004 protects mail servers:
• Enforces compliance of SMTP commands with standards
• Blocks disallowed SMTP commands
• Blocks messages with disallowed attachment types, content, recipient, or sender
• Blocks non-SMTP traffic
No Exchange Server deployment is complete without ISA Server 2004
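To make the SMTP checks above concrete, here is an added example, not ISA Server 2004 code or anything from Microsoft: a toy SMTP filter that enforces the command grammar and the RFC 5321 line-length limit, refuses commands on a block list (the recipient-harvesting verbs the slide alludes to), checks sender and recipient addresses against block lists, and walks the MIME parts of a message for disallowed attachment types. The policy lists, the addresses, the sample session and the sample message are all constructed assumptions.

```python
"""
Added example (not ISA Server 2004 code): a toy SMTP filter modelling the checks
slide 69 attributes to ISA Server 2004: enforce the command grammar and length,
block disallowed commands, and reject messages whose sender, recipient or
attachment type is on a block list. The policy lists, addresses and the sample
session and message are constructed assumptions.
"""
import os
import re
from email import message_from_string

MAX_COMMAND_LENGTH = 512      # RFC 5321: a command line is at most 512 octets including CRLF
ALLOWED_COMMANDS = {"HELO", "EHLO", "MAIL", "RCPT", "DATA", "RSET", "NOOP", "QUIT"}
BLOCKED_COMMANDS = {"VRFY", "EXPN", "TURN"}          # recipient harvesting / legacy relay (constructed policy)
BLOCKED_ATTACHMENT_EXT = {".exe", ".scr", ".pif", ".vbs"}
BLOCKED_SENDERS = {"spammer@example.test"}
BLOCKED_RECIPIENTS = {"all-staff@example.test"}

# verb, optional single space, printable-ASCII argument; nothing else is accepted
COMMAND_LINE = re.compile(r"^([A-Za-z0-9]+)(?: ([\x20-\x7e]*))?$")


def address_from(arg, keyword):
    """Extract the address from 'FROM:<addr>' / 'TO:<addr>'; None if the syntax is off."""
    m = re.match(rf"^{keyword}\s*<([^<>\s]*)>", arg, re.IGNORECASE)
    return m.group(1) if m else None


def check_command(line):
    """Return (allowed, reason) for one client command line."""
    if len(line.encode("utf-8")) > MAX_COMMAND_LENGTH:
        return False, "command line too long"
    m = COMMAND_LINE.match(line.rstrip("\r\n"))
    if not m:
        return False, "malformed command"
    verb, arg = m.group(1).upper(), m.group(2) or ""
    if verb in BLOCKED_COMMANDS:
        return False, f"{verb} disallowed by policy"
    if verb not in ALLOWED_COMMANDS:
        return False, f"{verb} is not a recognised command"
    if verb == "MAIL":
        addr = address_from(arg, "FROM:")
        if addr is None:
            return False, "bad MAIL FROM syntax"
        if addr.lower() in BLOCKED_SENDERS:
            return False, f"sender {addr} blocked"
    if verb == "RCPT":
        addr = address_from(arg, "TO:")
        if addr is None:
            return False, "bad RCPT TO syntax"
        if addr.lower() in BLOCKED_RECIPIENTS:
            return False, f"recipient {addr} blocked"
    return True, "ok"


def check_message(raw_message):
    """Return (allowed, reason) for the DATA payload, walking every MIME part."""
    for part in message_from_string(raw_message).walk():
        name = part.get_filename()
        if not name:
            continue
        ext = os.path.splitext(name)[1].lower()
        if ext in BLOCKED_ATTACHMENT_EXT:
            return False, f"attachment type {ext} blocked ({name})"
    return True, "ok"


# Constructed client session: some legitimate commands, some the filter should stop.
SAMPLE_SESSION = [
    "EHLO relay.partner.example.test",
    "VRFY alice",
    "MAIL FROM:<alice@example.test>",
    "RCPT TO:<bob@example.test>",
    "RCPT TO:<all-staff@example.test>",
    "XEXCH50 10 2",
    "HELO " + "A" * 600,
    "DATA",
]

# Constructed message with an executable attachment.
SAMPLE_MESSAGE = (
    "From: alice@example.test\r\nTo: bob@example.test\r\nSubject: report\r\n"
    'MIME-Version: 1.0\r\nContent-Type: multipart/mixed; boundary="b1"\r\n\r\n'
    "--b1\r\nContent-Type: text/plain\r\n\r\nSee attached.\r\n"
    "--b1\r\nContent-Type: application/octet-stream\r\n"
    'Content-Disposition: attachment; filename="invoice.exe"\r\n\r\nMZ...\r\n--b1--\r\n'
)


def filter_session(lines=SAMPLE_SESSION):
    """Run each command through the filter; returns (command, allowed, reason) triples."""
    return [(line[:40], *check_command(line)) for line in lines]


if __name__ == "__main__":
    for cmd, allowed, reason in filter_session():
        print("ALLOW" if allowed else "BLOCK", cmd, "-", reason)
    print(check_message(SAMPLE_MESSAGE))
```

Two details are worth noting. The length check runs before the grammar check, so an over-long line is refused without being parsed at all, which is the defensive ordering for the "overly long command" case on the slide; and `check_message` walks nested MIME parts, so an attachment inside a forwarded message is found as well.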
70
Easy Configuration and Administration of E-Mail Access
Mail Publishing Wizard makes configuration easy and prevents configuration mistakes
71
Summary: Secure Access to E-Mail
Business needs: receive and send e-mail; confidentiality of e-mail; access to e-mail from any location
How ISA Server 2004 helps:
• ISA Server 2004 can require that all traffic be encrypted.
• ISA Server 2004 protects mail servers from malformed commands that might expose vulnerabilities or reveal too much information.
• ISA Server 2004 stops attacks against e-mail servers by enforcing proper traffic patterns at the application level.
72
Protecting Microsoft Applications
Secure Application Access: Help secure access to IIS, Microsoft SharePoint®, and other application servers
Remote Connectivity: Connecting offices, partners, and users by using ISA Server 2004 and Windows Server 2003
Integrated Branch Office Solution: Branch office security
Secure Access to E-Mail: Allow access to Exchange servers while protecting them
73
Remote Connectivity—Partner Access
Business Need: Maintain confidentiality of communications
Risk to Organization:
• When partners access information across the Internet, eavesdropping may occur
Business Need: Provide network access to partner organization
Risk to Organization:
• Employees of partner organization may access inappropriate information on internal network
• Segregating allowed and disallowed resources may require network redesign
Business Need: Enable connectivity between networks
Risk to Organization:
• Allowing connections for partners requires partially opening corporate networks to the Internet
• Lack of interoperability may make connectivity difficult or impossible
• Difficult configuration may lead to mistakes that threaten security
74
Traditional Partner Connectivity
• Full access from partner network to all corporate resources
• May include access to confidential information
• Alternative: Extranet (synchronization required)
[Diagram: Partner Network → Internet → VPN Gateway → Internal Network; alternative path Internet → VPN Gateway → Extranet, with synchronization between Extranet and Internal Network]
75
Partner Connectivity with ISA Server 2004
• Controlled access from partner network to selected corporate resources
• Can limit access to specific servers and applications
• Full application-layer protection
• Third-party compatibility
[Diagram: Partner Network → Internet → ISA Server 2004 → Internal Network]
76
Summary: Remote Connectivity—Partner Access
Business needs: connectivity between networks; confidentiality of communications; network access for partner organization
How ISA Server 2004 helps:
• ISA Server 2004 VPN uses encryption and authentication to ensure that all traffic between sites is kept confidential and remains unmodified.
• Access and routing policies limit what resources one partner’s clients can access on the other partner’s network.
• ISA provides interoperability with existing VPN equipment.
77
Connectivity—Remote User Access
Business Need: Protect corporate resources
Risk to Organization:
• Unmanaged remote clients may introduce viruses or worms
• Insecurely configured remote clients may be used by attackers to gain access to corporate resources
Business Need: Provide remote access to selected corporate resources
Risk to Organization:
• Employees may access inappropriate information on internal network
• Segregating allowed and disallowed resources may require network redesign
Business Need: Enable remote users to connect to corporate network
Risk to Organization:
• Allowing connections for remote users requires partially opening corporate networks to the Internet
• Difficult configuration may lead to mistakes that threaten security
• Confidentiality of corporate information may be compromised
78
Traditional VPN Infrastructure
• VPN gateway and firewall are separate devices
• VPN clients get full access to internal network
• May require additional client software
• Optional protection of network through separate firewall
[Diagram: Internet → VPN Gateway → Firewall → Internal Network]
79
ISA Server 2004 VPN Infrastructure
• Includes VPN gateway and firewall functionality
• VPN clients get controlled and protected access to internal network
• VPN client software included in all recent versions of Windows
[Diagram: Internet → ISA Server 2004 → Internal Network]
80
Protecting Networks with ISA Server 2004 Network Access Quarantine
Client script checks whether client meets corporate security policies:
• Personal firewall enabled?
• Latest virus definitions used?
• Required patches installed?
If checks succeed, client gets full access
If checks fail, client gets disconnected after time-out period
Goal: Prevent VPN clients that don’t meet security requirements from accessing network
81
VPN Quarantine Process (1)
1. Client computer connects
2. ISA Server 2004 assigns client to Quarantined VPN Clients network, allowing access to limited resources
3. Script on client computer checks configuration settings
4. Script sends “success” notification to ISA Server 2004
5. ISA Server 2004 assigns client to VPN Clients network, providing access to internal network
[Diagram: VPN Client → ISA Server 2004, with Quarantine Resources reachable in step 2 and the Internal Network reachable in step 5]
82
VPN Quarantine Process (2)
1. Client computer connects
2. ISA Server 2004 assigns client to Quarantined VPN Clients network, allowing access to limited resources
3. Script on client computer checks configuration settings
4. Script does not send “success” notification to ISA Server 2004
5. ISA Server 2004 disconnects client after time-out expires
[Diagram: VPN Client → ISA Server 2004, with only Quarantine Resources reachable before the client is disconnected]
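The two process variants on slides 81 and 82 are one state machine: a session starts in the Quarantined VPN Clients network and moves to the VPN Clients network only on a timely "success" notification, otherwise it is disconnected when the time-out expires. The block below is an added example, not ISA Server 2004 code or anything from Microsoft, that models that state machine together with a client-side check script covering the three questions from slide 80. The check names, the time-out value, the network names as Python constants and the sample clients are constructed assumptions; it also covers a case the slides do not draw, a "success" that arrives after the time-out, which must not lift the quarantine.

```python
"""
Added example (not ISA Server 2004 code): a toy model of the network access
quarantine process on slides 80-82. A client starts in the Quarantined VPN
Clients network; a client-side script either reports "success" in time, moving
the client to the VPN Clients network, or the client is disconnected when the
time-out expires. Check names, the time-out and the sample clients are constructed.
"""
from dataclasses import dataclass, field

QUARANTINE_TIMEOUT_SECONDS = 120          # constructed value
QUARANTINED_NET = "Quarantined VPN Clients"
FULL_NET = "VPN Clients"
DISCONNECTED = "Disconnected"

# Constructed client-side checks mirroring the three questions on slide 80.
REQUIRED_CHECKS = ("personal_firewall_enabled",
                   "virus_definitions_current",
                   "required_patches_installed")


def client_script(config):
    """Runs on the client; returns 'success' only if every required check passes."""
    return "success" if all(config.get(c, False) for c in REQUIRED_CHECKS) else None


@dataclass
class VpnSession:
    client: str
    connected_at: float
    network: str = QUARANTINED_NET
    events: list = field(default_factory=list)


class QuarantineGateway:
    """The gateway side: tracks each session's network and enforces the time-out."""

    def __init__(self, timeout=QUARANTINE_TIMEOUT_SECONDS):
        self.timeout = timeout
        self.sessions = {}

    def connect(self, client, now):
        """Step 1-2: every new client lands in the quarantine network."""
        session = VpnSession(client, now)
        session.events.append((now, f"assigned to {QUARANTINED_NET}"))
        self.sessions[client] = session
        return session.network

    def notify(self, client, message, now):
        """Step 4-5: a 'success' within the time-out promotes the client; anything else is ignored."""
        session = self.sessions[client]
        in_time = now - session.connected_at <= self.timeout
        if session.network == QUARANTINED_NET and message == "success" and in_time:
            session.network = FULL_NET
            session.events.append((now, f"assigned to {FULL_NET}"))
        else:
            session.events.append((now, f"ignored notification {message!r}"))
        return session.network

    def tick(self, now):
        """Disconnect quarantined clients whose time-out has expired; return every client's state."""
        for session in self.sessions.values():
            if session.network == QUARANTINED_NET and now - session.connected_at > self.timeout:
                session.network = DISCONNECTED
                session.events.append((now, "disconnected: quarantine time-out expired"))
        return {client: s.network for client, s in self.sessions.items()}


def run_scenario():
    """Three constructed clients: compliant, stale antivirus, and a late 'success'."""
    gw = QuarantineGateway()
    compliant = {c: True for c in REQUIRED_CHECKS}
    stale_av = {**compliant, "virus_definitions_current": False}
    for client, cfg in (("laptop-ok", compliant), ("laptop-stale-av", stale_av)):
        gw.connect(client, now=0)
        result = client_script(cfg)
        if result is not None:
            gw.notify(client, result, now=30)
    gw.connect("laptop-late", now=0)
    gw.notify("laptop-late", "success", now=QUARANTINE_TIMEOUT_SECONDS + 5)
    return gw.tick(now=QUARANTINE_TIMEOUT_SECONDS + 10)


if __name__ == "__main__":
    for client, network in run_scenario().items():
        print(f"{client}: {network}")
```

The non-compliant client never sends a notification at all, exactly as on slide 82; the gateway does not need a "failure" message, because the absence of "success" before the time-out is what disconnects the client.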
83
Ease of Use for VPNs
84
Monitoring VPN Connections
ISA Server 2004 tools:
• Dashboard view for big picture
• Detailed information for all aspects of network traffic
85
Summary: Connectivity—Remote User Access
Business needs: remote connectivity; protection of corporate resources; access to selected corporate resources
How ISA Server 2004 helps:
• ISA Server 2004 protects the corporate network and the VPN clients.
• ISA Server 2004 allows control over which corporate resources remote users can access.
• ISA Server 2004 allows remote access to the corporate network from anywhere.
86
Protecting Microsoft Applications
Secure Application Access: Help secure access to IIS, Microsoft SharePoint®, and other application servers
Remote Connectivity: Connecting offices, partners, and users by using ISA Server 2004 and Windows Server 2003
Integrated Branch Office Solution: Branch office security
Secure Access to E-Mail: Allow access to Exchange servers while protecting them
87
Integrated Branch Office Solution
Business Need: Utilize limited bandwidth at the branch office efficiently
Risk to Organization:
• Branch office connectivity may not be sufficient to allow for efficient Internet access
• Bandwidth used for Internet access can slow down access to corporate network
Business Need: Provide secure Internet access from branch offices
Risk to Organization:
• Employee access at branch offices may expose the network to worms, viruses, and hacker attacks
• Employees at branch offices may access inappropriate content
• Maintaining a consistent configuration is difficult
Business Need: Connect branch office networks to the main network
Risk to Organization:
• Branch office connections must be established across an insecure network and confidentiality of corporate information may be compromised
• Equipment from multiple vendors may not work with each other
• Site-to-site connectivity can be difficult to configure
88
How ISA Server 2004 Enables Branch Office Connections
Broad protocol support:
• PPTP
• L2TP/IPSec
• IPSec tunnel mode for interoperability with existing VPN gateways: fully tested and supported
Authentication and encryption:
• Leverages Windows remote access capabilities
• Range of authentication methods: Active Directory, RADIUS, passwords, certificates
• Configurable encryption methods help ensure confidentiality of communications
• Fine-grained control over traffic between networks
89
Easy Configuration and Administration of Branch Office Connections
• Administrators can duplicate existing ISA Server 2004 configuration using XML export/import
• Easy-to-use wizards simplify administration for branch office administrators
• Remote administration using MMC, Terminal Services, or Remote Desktop Connection
• Full integration with Active Directory
• Easy-to-use monitoring tools
• Unified policy user interface allows administration of all network access in one location
Administrators can use one tool to control all network traffic at branch office
90
Ease of Use for Branch Office Connections
91
Firewall Integration
• ISA Server 2004 controls network traffic to and from branch offices
• VPN rules integrated with other firewall rules
92
Fast, Secure Network Access from Branch Offices
Caching:
• Keeps local copies of frequently requested content
• Transparent to clients
• Easy to configure
93
Integrated Solution
Realize savings through integration:
• One-stop solution for Internet access
• Provides firewall, access control, publishing, and VPN in a single solution
• Provides centralized administration and logging
• ISA Server 2004 can easily scale as organization grows
• Ideal solution for branch offices
94
Summary: Integrated Branch Office Solution
Business needs: branch office network connectivity; utilize limited bandwidth efficiently; secure Internet access from branch offices
How ISA Server 2004 helps:
• ISA Server 2004 helps corporations lower bandwidth costs and improve user productivity.
• ISA Server 2004 can protect against advanced attacks.
• ISA Server 2004 is uniquely positioned to deliver an integrated firewall, VPN, and cache solution.
3. Selling Strategies and Partner Offerings
96
ISA Server 2004 Sales Opportunities: When to Recommend
Recommend ISA Server 2004 to customers who:
• Need a new or supplemental firewall
• Use IIS, SharePoint Portal Server, Exchange Server, or Windows Server 2003
• Experience slow network performance
• Run ISA Server 2000
• Run Microsoft Small Business Server (SBS)
97
ISA Server 2004 Sales Opportunities: New or Supplemental Firewall
Advanced Protection: Advanced application-layer filtering
Ease of Use: Quick and easy to configure; fits into existing Microsoft environment
Fast, Secure Access: Implement Internet access control; achieve bandwidth and network efficiency; immediate security and savings
ISA Server 2004 provides the best protection for Microsoft-based networks
98
ISA Server 2004 Sales Opportunities: New or Supplemental Firewall
Use as main firewall:
• ISA Server 2004 provides all the protection customers expect from a firewall, VPN, and caching solution
Add new functionality to existing firewalls:
• Caching
• Access control
• Application-layer inspection
• Defense-in-depth by using multiple firewall products
ISA Server 2004 adds value by itself or when used in conjunction with an existing traditional firewall
99
Pricing and Licensing: Flexible Pricing and Licensing
ISA Server 2004 Enterprise Edition: TBD
ISA Server 2004 Standard Edition: U.S.$1,499
One-time per-processor licensing:
• Upgrade hardware for performance at no additional software cost
• No recurring licensing fees
• No separate client licenses required
• Requires Windows 2000 Server or Windows Server 2003 license
Wealth of integrated features:
• ISA Server 2004 contains many integrated features, including VPN functionality, reporting, caching, URL screening, and multi-processor support
• These must be purchased as expensive add-ons with other firewalls.
100
Pricing and Licensing: Editions
ISA Server 2004 Standard Edition
• Provides enterprise-class firewall security and Web caching capabilities for small businesses, workgroups, and departmental environments.
• Provides robust security, fast Web access, intuitive management, and excellent price-to-performance for business-critical environments.
• Limited to four processors.
• Each server is administered separately.
ISA Server 2004 Enterprise Edition
• Designed to meet the performance, management, and scalability needs of high-volume Internet traffic environments.
• Available: Later in 2004
101
Customer Benefits: Technical and Business Value
Feature | Technical Value | Business Value
Secure Internet Connectivity | Protect against hackers, viruses, and unauthorized access; control outgoing Internet access; defend Web servers and e-mail server | Revenue +, Customer retention +, Liability -
Fast Web Access | Faster browsing; reduce network bandwidth costs; reduce stress on Web servers; more reliable data access | Performance +, Customer satisfaction +, Revenue +, Capital expense -
Integrated VPN | Single point of control at network perimeter | Operating cost -, Customer satisfaction +
Simple Management | Access control to management tasks; reduced management complexity, reduced staff/server ratio; reduced time to manage | Operating cost -, Customer satisfaction +
Extensible Open Platform | Flexible, customizable solution | Liability -, Operating cost -, Customer satisfaction +
102
Customer Benefits: Key Messages
Customer | Message
IT Professional | Rock-solid firewall security and high-performance Internet connectivity that’s easy to manage
Business Decision Maker | Increase performance and security and reduce costs
HR Manager | Reduce liability and enforce corporate Internet access policies in real time
CTO | Protect critical information and manage information access with a single, scalable, easy-to-manage solution
103
ISA Server 2004 Sales Opportunities: Use with IIS and SharePoint
• Built from the ground up to support Web protocols
• Efficient content checking
• Protection of critical resources
• Allows controlled, authenticated external access to SharePoint resources
No IIS or SharePoint deployment is complete without ISA Server 2004
104
ISA Server 2004 Sales Opportunities: Use with IIS and SharePoint
No IIS or SharePoint deployment is complete without ISA Server 2004 protection
Customer Problem | Solution
Evolving Internet threats put Web servers at risk. Port 80 is being used more and more. | Application-layer security is necessary to protect Web servers from evolving types of attacks.
Need fast access to Web sites at all times. | Caching speeds access and increases availability.
SSL traffic is encrypted, introducing additional risk. | Inspection of SSL traffic improves network security.
Difficult to provide external access to internal SharePoint resources | Link translation automatically changes Web pages
The ISA Server 2004 advantage: Only ISA Server 2004 solves all of these customer problems; other firewalls are less capable and often more expensive
105
ISA Server 2004 Sales Opportunities: Use with Exchange Server
Support for OWA: Secures and accelerates access
Support for secure access to Exchange Server using the native Outlook protocols: Users can use their regular client
Support for all major mail protocols: Content checking to reduce unwanted and dangerous e-mail
No Exchange deployment is complete without ISA Server 2004
106
No Exchange Server deployment is complete without ISA Server 2004 protection
The ISA Server 2004 advantage: Only ISA Server 2004 solves all of these customer problems. Other firewalls are more expensive, don't effectively secure all Exchange protocols, or are incapable of filtering e-mail.
Customer problem: Unwanted e-mail messages are plaguing my network
Solution: Eliminate unwanted e-mail by filtering it at the edge
Customer problem: Productivity is a tradeoff for secure e-mail communication
Solution: Enable secure, remote Outlook e-mail access without a VPN
Customer problem: Concerned about the security of Exchange OWA
Solution: Inspect SSL-encrypted OWA e-mail
107
ISA Server 2004 Sales Opportunities: Use with Windows Server 2003
Integrates with Active Directory
Uses existing user accounts for access control
Centralized, easy administration
Builds on security features of Windows Server 2003
Full-featured VPN capabilities with the ease of use of ISA Server 2004
Security templates and Group Policy to lock down computers
ISA Server 2004 is built for Windows protocols
Support for Network Access Quarantine
108
No Windows Server 2003 deployment is complete without ISA Server 2004 protection
The ISA Server 2004 advantage: Only ISA Server 2004 solves all of these customer problems. Other firewalls are more expensive and don't provide network quarantine filtering, VPN client policies, or Active Directory integration.
Customer problem: Difficult to enforce security policies for VPN clients
Solution: Network access quarantine
Customer problem: VPN clients have full access to corporate network
Solution: Firewall policy applies to VPN clients
Customer problem: Authentication for user-based Internet-access policy difficult
Solution: Integration with Active Directory provides transparent authentication
109
ISA Server 2004 Sales Opportunities: Slow Network Performance
ISA Server 2004 provides immediate performance enhancements
Caching increases response time for Web requests, increasing user productivity
Caching reduces bandwidth requirements, saving money
Can be implemented easily and without interruption in service
Does not require network reconfiguration
Immediate, measurable benefits for existing networks
110
ISA Server 2004 Sales Opportunities: Reasons to Upgrade from ISA Server 2000
Improve on ISA Server 2000: more advanced application-layer protection, improved ease of use, high performance
• Multiple network support
• New policy model
• Application-layer filtering
• Better performance
• Integrated policy enforcement for VPN clients
• VPN client quarantine
• Support for more protocols
• Packet filtering on all interfaces
• Better RPC publishing
• New authentication options
• Real-time monitoring
• Easier administration tools
111
ISA Server 2004 Sales Opportunities: Use with Microsoft Small Business Server
ISA Server 2004 is included only with SBS Premium Edition
SBS Standard Edition only includes very limited firewall functionality
SBS limited to 75 users
As organization grows, investment in SBS can be leveraged by moving firewall policies to a separate server that is running the same firewall software
Moving ISA Server 2004 to a separate computer increases security
Many customers want firewall to be separate from SBS
Many security professionals recommend moving the firewall functionality to a separate computer to increase security
Added protection for small businesses
112
ISA Server 2004 Partner Products (1): Enhance existing features and add new features
Application Filters: Improve security and interoperability for other protocols with application-layer inspection.
Caching and Distribution: Improve the caching capabilities of ISA Server or create content distribution networks that store content closer to end users and provide centralized delivery, management, and support for different content types.
Content Security: Intercept viruses, malicious code, or other inappropriate content at your network's Internet gateway.
High Availability and Load Balancing: Enhance ISA Server with network-level scalability, fault tolerance, and load balancing.
Intrusion Detection: Recognize and react in real time to hacking attempts. Monitor incoming traffic, and trigger responses according to alarms and events.
Monitoring and Administration: Extend the maintenance and management features of ISA Server to make day-to-day monitoring and administration tasks easier.
113
ISA Server 2004 Partner Products (2): Enhance existing features and add new features
Reporting: Review traffic through ISA Server, and develop reports that can be used for calculating departmental charge-backs, identifying inappropriate usage, and categorizing Internet use.
SSL Acceleration and Key Management: Use these hardware add-ons to improve the performance of SSL communications and the security of private keys used in creating SSL sessions, server identification, and PKI components.
Security Resellers: Purchase ISA Server from authorized resellers who have technical product expertise.
Security Solution Providers: Engage with authorized service partners to help build your Microsoft secure-connected infrastructure.
URL Filtering: Restrict access to non-work-related sites, and filter sites that have objectionable or restricted content.
User Authentication: Provide support for additional authentication methods and technologies for ISA Server VPN and Web access.
114
A Community of Partners: Many Partners Have ISA Server 2000 Track Record
115
ISA Server 2004 Partners (1): A Growing Community
ActivCard AAA Server deployed with ISA Server 2004 is expected to help enterprise customers further protect their digital assets by ensuring and tracking user identities across a network from anywhere, at any time.
Akonix plans to use the application-layer filtering capabilities of ISA Server 2004 to direct all instant messaging traffic to Akonix's award-winning L7 Enterprise IM gateway to implement usage policies, content filtering, virus scanning, logging, and compliance programs.
Authenex plans to integrate AOne™, a two-factor authentication and Web access control solution, with ISA Server 2004 to deliver a powerful, all-in-one suite of two-factor network security applications.
The combination of Cerberian Web Manager and ISA Server 2004 will provide ISA Server 2004 customers with three additional levels of dynamic Internet content-filtering services via Cerberian's database of more than five million ratings and domains, and Cerberian's Dynamic Real-Time Rating and Dynamic Background Rating technologies.
Fast Scout VirtualWeb Internet filtering and monitoring software will support ISA Server 2004.
* This page is based on pre-release information.
116
ISA Server 2004 Partners (2): A Growing Community
Forum Systems will offer integration of its XWall™ Web Services Firewall with ISA Server 2004.
DynaComm i:filter from FutureSoft is a reliable, feature-rich enterprise Internet filtering solution for Microsoft ISA Server 2004.
GFI DownloadSecurity for ISA Server 2004 enables you to assert control over what files your users download from HTTP and FTP sites.
nCipher hardware security modules (HSMs) will interoperate with ISA Server 2004 to more securely and more efficiently handle the advanced security functions performed by ISA Server 2004.
Network Associates McAfee SecurityShield for Microsoft ISA Server 2004 is designed to provide anti-virus protection, virus outbreak management, content scanning and, as part of an optional upgrade, anti-spam protection for Microsoft ISA Server 2004.
Panda Software Panda ISASecure Antivirus module has been designed to help further protect Internet traffic passing through ISA Server 2004.
* This page is based on pre-release information.
117
ISA Server 2004 Partners (3): A Growing Community
RainConnect from Rainfinity provides continuous or always-on Internet access by distributing traffic among multiple independent ISP links.
SurfControl Web Filter puts you in control of Internet usage with a range of flexible, scalable, and high-performance solutions to best fit your Internet content-filtering needs.
Venation V-WEB 4 provides a powerful and cost-effective platform for accelerating business-critical applications and content.
WebSpy facilitates the effective management of an organization's Internet resources.
Whale Communications is planning to use the advanced functionality in ISA Server 2004 to produce a prototype of a next-generation secure-access appliance.
Check www.microsoft.com/isaserver/partners for an up-to-date list of available solutions
* This page is based on pre-release information.
118
ISA Server 2004–Based Appliances: More Options for Customers
Extending ISA Server 2004 Benefits
Hardened configuration for reduced attack surface
Easy to purchase, set up, and deploy
Benefits of both a hardware and software solution
Added Value and Customer Choice
Out-of-box configuration tools
Web-based administration
Customized and fully integrated deployment options
New Worldwide Industry Partnerships
Celestix Networks, Hewlett-Packard, and Network Engines
Additional future partners
119
Competitive Benefits
Best Integration with Microsoft Windows and Microsoft Solutions
More Technologies Built-in
More Advanced Filtering
Integrated Firewall and Caching Provides Better Security
Better, More Broad Support
Faster Learning Curve
Lower Total Cost of Ownership
ISA Server 2004 is a viable solution to common security and Web performance problems, with distinct advantages over other available solutions
120
Detailed Competitive Analysis: Competitive Chart (1)
Microsoft ISA Server 2004 Standard Edition Competitive Quick Guide
Products compared: ISA Server 2004; Check Point NG/Nokia 350; Cisco PIX 515E; NetScreen 50; SonicWall Pro 230; WatchGuard V80; Symantec 5420
Architecture
  ISA Server 2004: Software or appliance
  Check Point NG/Nokia 350: Software or appliance
  Cisco PIX 515E: Appliance
  NetScreen 50: Appliance
  SonicWall Pro 230: Appliance
  WatchGuard V80: Appliance
  Symantec 5420: Appliance [1]
Operating System
  ISA Server 2004: Windows 2000 or Windows Server 2003
  Check Point NG/Nokia 350: IPSO; also runs on Microsoft Windows NT®/2000, Solaris, Linux, AIX
  Cisco PIX 515E: PIX OS (based on IOS)
  NetScreen 50: ScreenOS
  SonicWall Pro 230: SonicOS (2 versions, simple and enhanced)
  WatchGuard V80: Proprietary
  Symantec 5420: Proprietary [1]
Concurrent Sessions
  ISA Server 2004: Unlimited
  Check Point NG/Nokia 350: 250,000
  Cisco PIX 515E: 130,000
  NetScreen 50: 8,000
  SonicWall Pro 230: 30,000
  WatchGuard V80: 128,000
  Symantec 5420: 64,000
Firewall Throughput
  ISA Server 2004: Tested up to 1.59 Gbps
  Check Point NG/Nokia 350: 350 Mbps
  Cisco PIX 515E: 188 Mbps
  NetScreen 50: 170 Mbps
  SonicWall Pro 230: 190 Mbps
  WatchGuard V80: 200 Mbps
  Symantec 5420: 200 Mbps
Interfaces
  ISA Server 2004: No software limit
  Check Point NG/Nokia 350: 4 10/100
  Cisco PIX 515E: 6 10/100 (10 virtual)
  NetScreen 50: 4 10/100
  SonicWall Pro 230: 3 10/100
  WatchGuard V80: 4 10/100, 2 HA ports
  Symantec 5420: 6
VPN Tunnels
  ISA Server 2004: 1,000 (Standard); 16,000+ PPTP, 30,000 L2TP [2]
  Check Point NG/Nokia 350: 12,500
  Cisco PIX 515E: 2,000
  NetScreen 50: 100
  SonicWall Pro 230: 500
  WatchGuard V80: 8,000
  Symantec 5420: *
VPN Support
  ISA Server 2004: PPTP, L2TP, IPSec, SSL
  Check Point NG/Nokia 350: IPSec, SSL, L2TP
  Cisco PIX 515E: IKE/IPSec, L2TP, PPTP
  NetScreen 50: IPSec, SSL
  SonicWall Pro 230: IPSec, PPTP
  WatchGuard V80: IPSec, L2TP (other models support PPTP)
  Symantec 5420: IPSec
VPN Client
  ISA Server 2004: Free with all Windows OS
  Check Point NG/Nokia 350: Proprietary or Microsoft L2TP client [3]
  Cisco PIX 515E: Proprietary, Microsoft L2TP, PPTP [3]
  NetScreen 50: Proprietary, costs extra
  SonicWall Pro 230: Proprietary, bundled (10)
  WatchGuard V80: Proprietary, costs extra
  Symantec 5420: Proprietary, per-tunnel license
121
Detailed Competitive Analysis: Competitive Chart (2)
Products compared: ISA Server 2004; Check Point NG/Nokia 350; Cisco PIX 515E; NetScreen 50; SonicWall Pro 230; WatchGuard V80; Symantec 5420
IDS
  ISA Server 2004: Based on technology licensed from ISS
  Check Point NG/Nokia 350: ISS RealSecure IDS; inline/passive inspection of TCP stream
  Cisco PIX 515E: Protects against 55 attacks; separate IDS appliance available
  NetScreen 50: IDS included based on OneSecure; IDP available extra
  SonicWall Pro 230: DoS attack detection and prevention
  WatchGuard V80: IDS, IDP included, protocol anomaly detection
  Symantec 5420: Hybrid anomaly IDS/IDP (Recourse)
Integrated Microsoft Exchange Support
  ISA Server 2004: Yes
  Check Point NG/Nokia 350: No
  Cisco PIX 515E: No
  NetScreen 50: No
  SonicWall Pro 230: No
  WatchGuard V80: No
  Symantec 5420: No
Application-Layer Filtering
  ISA Server 2004: Deep application-layer filtering including character string filtering; HTTP, SMTP, DNS, FTP, POP3, IMAP
  Check Point NG/Nokia 350: NG Application Layer Intelligence; includes application proxies, content filtering using UFP
  Cisco PIX 515E: Fixups; ASA; URL filtering with WebSense or N2H2; CF blocks Java/Microsoft ActiveX®
  NetScreen 50: HTTP, POP3, IMAP, SMTP, FTP, DNS; supports WebSense
  SonicWall Pro 230: CFS subscription service
  WatchGuard V80: SMTP, HTTP proxies
  Symantec 5420: Attack signatures; HTTP, FTP, and SMTP sent to virus scan, content filtering
Management User Interface
  ISA Server 2004: Familiar Windows MMC for local and remote management, CLI, Terminal Services, or Remote Desktop
  Check Point NG/Nokia 350: CLI, SNMP, FTP, Telnet, SSH, Web: Voyager (local), Horizon Manager (remote)
  Cisco PIX 515E: PIX Device Manager (PDM); CLI, Telnet, SSH, console port, CiscoWorks centralized management (optional)
  NetScreen 50: Web (HTTP, HTTPS), CLI, Telnet, SSH, Global Pro (option)
  SonicWall Pro 230: Web UI, CLI, SNMP, Global Management System (centralized)
  WatchGuard V80: Java-based GUI; CLI; multi-box management (CPM) optional
  Symantec 5420: Web-based (SSL) UI, Symantec Management Console
Web Caching
  ISA Server 2004: Included at no extra cost; forward/reverse
  Check Point NG/Nokia 350: Not included; add-on product
  Cisco PIX 515E: Not included; Cisco Content Engine costs extra
  NetScreen 50: Not included
  SonicWall Pro 230: With CFS subscription
  WatchGuard V80: Not included
  Symantec 5420: Not included
122
Detailed Competitive Analysis: Competitive Chart (3)
Products compared: ISA Server 2004; Check Point NG/Nokia 350; Cisco PIX 515E; NetScreen 50; SonicWall Pro 230; WatchGuard V80; Symantec 5420
High Availability
  ISA Server 2004: Uses load balancing and failover included in Windows 2000/2003 at no extra cost
  Check Point NG/Nokia 350: Clustering not supported on this model
  Cisco PIX 515E: Failover with purchase of second appliance (at much lower cost)
  NetScreen 50: Supports active/passive mode only (A/A on other series)
  SonicWall Pro 230: Hardware failover is a "value-added service"
  WatchGuard V80: Supports active/passive (A/A optional at extra cost)
  Symantec 5420: A/A, A/P, LB (maximum cluster size 8)
Spam Filtering
  ISA Server 2004: Yes, can filter by keywords or character strings
  Check Point NG/Nokia 350: Does not filter by keyword
  Cisco PIX 515E: Can be done with add-ons
  NetScreen 50: Third party
  SonicWall Pro 230: Third party
  WatchGuard V80: Not included
  Symantec 5420: Included in AV
Add-ons (extra cost options)
  ISA Server 2004: Wide variety of third-party add-ons for extensibility
  Check Point NG/Nokia 350: Management, IDS, cluster, content filtering, reports, caching
  Cisco PIX 515E: Content engine (caching), IDS, anti-virus, content filtering
  NetScreen 50: IDP, spam filtering (SurfControl), AV
  SonicWall Pro 230: AV, content filtering add-on; GSM for multi-management
  WatchGuard V80: A/A HA, virus scan, live security update services
  Symantec 5420: AV, content filtering, additional VPN clients, HA/LB
[1] Symantec Enterprise Firewall software that runs on 5400 series appliances can also be purchased as a software firewall that will run on Windows or Solaris.
[2] Windows Server 2003 Standard Edition supports 1,000 PPTP and 1,000 L2TP connections. Windows Server 2003 Enterprise and Datacenter editions theoretically support unlimited VPN connections, but the registry restricts PPTP to 16,384 and L2TP to 30,000 on these editions.
[3] Although Microsoft client software can be used, the proprietary client is required for advanced features such as enforcement of VPN configuration requirements.
* Information unavailable.
Additional details included in Partner Guide
123
Partner Guide Resources
Plan: Review the Partner Revenue Opportunities with ISA Server 2004 document to determine areas of specialization. Learn about the advantages that ISA Server 2004 brings to Exchange Server, IIS, SharePoint, and Windows Server 2003 deployments. View case studies to learn about the benefits that ISA Server 2004 has brought to customers.
Market/Sell: Utilize tools and resources to help you sell ISA Server products and services. Leverage Microsoft's customer-ready materials to incorporate into your own presentations and distribute to your customers. Read and leverage various datasheets, sales presentations, telesales scripts, and other marketing materials that will help you communicate the benefits of deploying and using ISA Server 2004.
Service/Support: Leverage the ISA Server 2004 Configuration Guide, deployment kits, and white papers to get the background information you need to plan ISA Server 2004 deployments, complete with the step-by-step procedures needed for proper installation and configuration. Install the ISA Server 2004 evaluation software to test the benefits of ISA Server in a production environment.
Train/Enable: Complete the Hands-on Labs on CD 2.
124
Web Resources
ISA Server 2004 official site: http://www.microsoft.com/isaserver
ISA Server 2004 partners: http://www.microsoft.com/isaserver/partners/
Partner Campaign Kits: http://members.microsoft.com/partner/
ISA Server 2004 user community (not affiliated with Microsoft): http://www.isaserver.org
4. Introduction to Hands-on Training
126
Hands-on Labs: Six Scenarios
Lab A: What's New in ISA Server 2004
Lab B: Configuring Outbound Internet Access
Lab C: Publishing Web Servers
Lab D: Publishing an Exchange Server
Lab E: Enabling VPN Connections
Lab F: Using Monitoring, Alerting, and Logging
127
Hands-on Labs: Format
Hands-on Training uses Microsoft Virtual PC
Four virtual computers: internal computer (Domain Controller, Exchange Server); ISA Server 2004; Web server in perimeter network; external computer
Setup guide and instructions included on Partner CD
Each scenario can be completed independently in about 30-60 minutes
Each scenario contains detailed explanations
Each scenario presents a complete solution
128
© 2003-2004 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.