Showing posts with label Internet Security. Show all posts

Wednesday, 23 September 2009

Firewall, Why?


Firewalls are usually seen as a requirement if you are going to attach your network to other networks, especially the Internet. Unfortunately, some network administrators and managers do not understand the strengths a firewall can offer, resulting in poor product choice, deployment, configuration and management. Like any security technology, firewalls are only effective if the implementation is done properly and there is proper maintenance and response to security events.

Additionally, with the proper deployment of firewalls other security strategies are often much easier to integrate, such as VPNs and IDS systems. So what makes firewalls good, and what can you do to ensure they are used properly?

Perimeter Defence

One of firewalls' weaknesses is also one of their strengths. Firewalls are typically deployed as a perimeter defence, usually intersecting network links that connect your network to others. If the firewall is properly deployed on all paths into your network, you can control what enters and leaves your network.

Of course, as with any form of perimeter defence, if an attack is launched from inside, firewalls are not too effective. However, this deployment on your network perimeter allows you to prevent certain kinds of data from entering your network, such as scans and probes, or even malicious attacks against services you run.

Conversely, it allows you to restrict outbound information. It would be nearly impossible to configure every workstation to disallow IRC, but blocking ports 6667-7000 (the most common IRC ports) is relatively easy on your perimeter firewalls.

While you can employ access control lists on servers internally, this still allows attackers to scan them, and possibly talk to the network portion of the OS on the server — making a number of attacks possible. This perimeter also allows you to deploy IDS systems much more easily, since "chokepoints" will have already been created, and you can monitor all data coming in or leaving.

VPN deployment also becomes easy. Instead of loading up VPN software on every desktop that might need it, you can simply employ VPN servers at those network access points, either as separate servers or directly on your firewall, which is becoming increasingly popular.

Concentrated Security

Controlling one, or even multiple firewalls is a much easier job than maintaining access control lists on numerous separate internal servers that are probably not all running the same operating system or services. With firewalls you can simply block all inbound mail access except for the official mail server. If someone forgets to disable email server software on a newly installed server, you do not need to worry about an external attacker connecting to it and exploiting any flaws.

Most modern firewall products are administered from a central console. You get an overall view of your network and can block or allow services as needed very quickly and efficiently.

With VPN-capable firewalls you can easily specify that access to certain networks must be done via encrypted tunnels, or otherwise blocked. With VPN software on each client, you would have more to worry about from misconfiguration or user interference, which could result in sensitive data being accidentally sent out unencrypted. If your firewall is set up to block all but a few specific outbound services, then no matter what a user does - even bringing in their own laptop - they will probably not be able to access the blocked services. Enforcing this without firewalls, on each client machine instead, is nearly impossible.

Enforcement of Security Policies

You may have a set of corporate guidelines for network usage that include such items as:
  1. Chat clients such as IRC, AIM, and Yahoo IM are strictly forbidden, as they can transfer files.
  2. Accessing external mail servers is forbidden (antivirus policy); only use the internal server to send or receive.
  3. Network games, such as Doom or Quake, are forbidden, except between 8 a.m. and 6 p.m. all weekdays for members of management.
  4. Websites such as playboy.com are forbidden for legal reasons.
Enforcing the first policy without a firewall would be possible, but difficult. In theory, if you managed to secure every single desktop machine and prevent users from installing software, it would be possible. Then you would need to prevent people from attaching "rogue" laptops and so forth to the internal LAN with software preinstalled. While possible, this is a Herculean task compared to configuring a dozen rules (or even a hundred rules) on your firewalls to prevent access to the ports and servers that IRC, AIM and the rest use.

The second policy would be very difficult to enforce without a firewall. You would need to do the above steps to prevent people from installing their own email software or using rogue machines such as laptops with it preinstalled. Moreover, any email software you do use (such as Outlook or Eudora) would need to be configured so that users could not modify any preferences, add new accounts and so on. This is not possible in almost all email clients.

The third policy is virtually impossible to enforce without a firewall. You would need to take the above steps to prevent any user except for management installing the software. One possibility would be to place the software on a network share and only make it available from 6 p.m. to 8 a.m., and on weekends to users of the management group. However, many network games would not function properly, and you would have to prevent the software from being copied off, etc.

Even with all this, the software may still continue to function after 8 a.m. if it is running on the client machine (or it might crash horribly). In any event, this is much easier to enforce with a firewall such as FW-1: enable user authentication, then define a policy that allows users of the management group access to the ports used by these games at the appropriate times.

Enforcing policy number four is basically impossible as well without a firewall. While some Web clients do allow you to list sites that are off limits, keeping the browsers on multiple workstations up to date would be a virtually impossible task. Compare that with configuring the firewall to force WWW access through an application-level.
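As an added example (not from the article), here is a small Python model of a first-match, default-deny perimeter ruleset that enforces the four policies above at the packet level; the internal addresses, the mail server, the web proxy and the game port are constructed assumptions, and the site blocklist of policy four is left to the proxy because a packet filter never sees URLs.

```python
"""Toy first-match packet filter modelling the four policies above.

Added example: a simulator for reasoning about rule order and default deny,
not a real firewall. Addresses, hosts and the game port are constructed.
"""
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str        # source IP address
    proto: str      # "tcp" or "udp"
    dport: int      # destination port
    when: datetime  # local time the packet crosses the perimeter


@dataclass(frozen=True)
class Rule:
    action: str                               # "allow" or "deny"
    comment: str                              # which policy the rule enforces
    proto: Optional[str] = None               # None matches any protocol
    ports: Optional[Tuple[int, int]] = None   # inclusive destination port range
    src_nets: Tuple[str, ...] = ()            # empty matches any source
    hours: Optional[Tuple[int, int]] = None   # permitted local hours [start, end)
    weekdays_only: bool = False               # Monday to Friday only

    def matches(self, p: Packet) -> bool:
        if self.proto is not None and p.proto != self.proto:
            return False
        if self.ports is not None and not self.ports[0] <= p.dport <= self.ports[1]:
            return False
        if self.src_nets and not any(ip_address(p.src) in ip_network(n) for n in self.src_nets):
            return False
        if self.hours is not None and not self.hours[0] <= p.when.hour < self.hours[1]:
            return False
        if self.weekdays_only and p.when.weekday() >= 5:
            return False
        return True


def evaluate(rules: List[Rule], p: Packet) -> Tuple[str, str]:
    """First matching rule wins; anything unmatched is denied (default deny)."""
    for rule in rules:
        if rule.matches(p):
            return rule.action, rule.comment
    return "deny", "default deny"


# Constructed addresses for the example network.
MAIL_SERVER = "10.0.0.25/32"   # the official internal mail server
WEB_PROXY = "10.0.0.80/32"     # the application-level web proxy
MANAGEMENT = "10.0.9.0/24"     # subnet used by the management group
GAME_PORTS = (26000, 26000)    # assumed: Quake's default UDP port

# Outbound ruleset. Order matters: each narrow "allow" sits above the broad
# "deny" for the same ports, and everything else falls through to default deny.
# Policy 4's site blocklist lives on the proxy; a packet filter never sees URLs.
OUTBOUND_RULES = [
    Rule("deny", "policy 1: common IRC ports", proto="tcp", ports=(6667, 7000)),
    Rule("allow", "policy 2: mail server may send SMTP", proto="tcp", ports=(25, 25), src_nets=(MAIL_SERVER,)),
    Rule("deny", "policy 2: no other host talks to external mail servers", proto="tcp", ports=(25, 25)),
    Rule("deny", "policy 2: no external POP3", proto="tcp", ports=(110, 110)),
    Rule("deny", "policy 2: no external IMAP", proto="tcp", ports=(143, 143)),
    Rule("allow", "policy 3: management may play during office hours", proto="udp", ports=GAME_PORTS,
         src_nets=(MANAGEMENT,), hours=(8, 18), weekdays_only=True),
    Rule("deny", "policy 3: game ports blocked otherwise", proto="udp", ports=GAME_PORTS),
    Rule("allow", "policy 4: web only via the proxy", proto="tcp", ports=(80, 80), src_nets=(WEB_PROXY,)),
    Rule("allow", "policy 4: web only via the proxy", proto="tcp", ports=(443, 443), src_nets=(WEB_PROXY,)),
    Rule("allow", "DNS for the internal network", proto="udp", ports=(53, 53)),
]


def demo() -> Dict[str, Tuple[str, str]]:
    """Decisions for a handful of constructed packets, keyed by description."""
    wed_10 = datetime(2009, 9, 23, 10, 0)   # a Wednesday, during office hours
    sat_10 = datetime(2009, 9, 26, 10, 0)   # the following Saturday
    samples = {
        "workstation to IRC": Packet("10.0.1.5", "tcp", 6667, wed_10),
        "mail server SMTP out": Packet("10.0.0.25", "tcp", 25, wed_10),
        "workstation SMTP out": Packet("10.0.1.5", "tcp", 25, wed_10),
        "manager plays, weekday 10:00": Packet("10.0.9.7", "udp", 26000, wed_10),
        "manager plays, Saturday": Packet("10.0.9.7", "udp", 26000, sat_10),
        "workstation plays, weekday": Packet("10.0.1.5", "udp", 26000, wed_10),
        "proxy fetches a web page": Packet("10.0.0.80", "tcp", 80, wed_10),
        "workstation bypasses the proxy": Packet("10.0.1.5", "tcp", 443, wed_10),
    }
    return {name: evaluate(OUTBOUND_RULES, pkt) for name, pkt in samples.items()}


if __name__ == "__main__":
    for name, (action, why) in demo().items():
        print(f"{action:5}  {name:30}  ({why})")
```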

A Secure Network Is a Healthy Network

Generally speaking, any security implementation done in a network will help with its overall health. Cataloguing systems and software versions to decide what needs upgrading first, implementing automated software upgrade procedures, and so on all help with the overall health of your network and its systems.

A network configuration that creates chokepoints for firewall deployment also means you can easily implement a DMZ, a zone with servers to handle inbound and outbound information with the public. These servers can typically run a hardened and stripped-down OS and application software. A proxy email server, for example, only needs to be able to accept and send email. There is no need for user accounts, POP or IMAP services, or GroupWare software integration.

Usually the simpler a system is, the easier it is to secure, and hence the harder it is for an attacker to break into. Securing a messy network is almost impossible. You must find out what you have, which versions, where the servers are deployed, what network links exist, and so on.

Secure Socket Tunneling Protocol

SSTP (Secure Socket Tunnelling Protocol) and the VPN capabilities it will offer in future

This article gives a clear understanding of SSTP and compares a standard VPN with an SSTP VPN. It also covers the advantages of using SSTP and VPN together and what the benefits of using SSTP will be.

VPN

Virtual private network, also referred to as VPN, is a network constructed using public wires to join nodes, enabling the user to create networks for the transfer of data. These systems use encryption and various other security measures to ensure that the data is not intercepted by unauthorized users. For years VPN has been used successfully, but it has recently become problematic due to the increase in the number of organizations encouraging roaming user access. Alternative measures have been examined to enable this type of access, and many organizations have begun to use IPSec and SSL VPN as an alternative. The other new alternative is SSTP, also referred to as ‘Microsoft’s SSL VPN’.

Problems with typical VPN

VPNs typically use an encrypted tunnel that keeps the tunneled data confidential. Because of this, when the tunnel is routed through typical NATed paths the VPN tunnel stops working. VPNs typically connect a node to an endpoint. It may happen that both the node and the endpoint have the same internal LAN address and, if NAT is involved, all sorts of complications can arise.

SSL VPN

Secure Socket Layer, also referred to as SSL, uses a cryptographic system with two keys to encrypt data: a public key and a private key. The public key is known to everyone and the private key only to the recipient. Through SSL, a secure connection between a client and a server is created. SSL VPN allows users to establish secure remote access from virtually any internet-connected web browser, unlike a traditional VPN. The hurdle of unstable connectivity is removed. With SSL VPN an entire session is secured, whereas with SSL alone this is not accomplished.

SSTP

Secure socket tunneling protocol, also referred to as SSTP, is by definition an application-layer protocol. It is designed for synchronous, back-and-forth communication between two programs. It allows many application endpoints over one network connection between peer nodes, thereby enabling efficient usage of the communication resources available to that network.

The SSTP protocol is based on SSL instead of PPTP or IPSec and uses TCP port 443 for relaying SSTP traffic. Although it is closely related to SSL, a direct comparison cannot be made between SSL and SSTP, as SSTP is only a tunneling protocol, unlike SSL. Many reasons exist for choosing SSL and not IPSec as the basis for SSTP. IPSec is directed at supporting site-to-site VPN connectivity, and thus SSL was a better base for SSTP development, as it supports roaming. Other reasons for not basing it on IPSec are:


  • It does not force strong authentication,
  • User clients are a must have,
  • Differences exist in the quality and coding of user clients from vendor to vendor,
  • Non-IP protocols are not supported by default,
  • Because IPSec was developed for site-to-site secure connections, it is likely to present problems for remote users attempting to connect from a location with a limited number of IP addresses.

SSL VPN proved to be a more compatible basis for the development of SSTP.

SSL VPN addresses these issues and more. Unlike basic SSL, SSL VPN secures an entire session. No static IPs are required, and a client is unnecessary in most cases. Since connections are made via a browser over the Internet, the default connection protocol is TCP/IP. Clients connecting via SSL VPN can be presented with a desktop for accessing network resources. Transparent to the user, traffic from their laptop can be restricted to specific resources based on business defined criteria.

SSTP - an extension of VPN

The development of SSTP was brought about by the limitations of VPN. The main shortcoming of VPN is its unstable connectivity, which is a consequence of its insufficient coverage area. SSTP extends the coverage area of a VPN connection to almost anywhere, eliminating this problem. SSTP establishes a connection over secure HTTPS; this allows clients to securely access networks behind NAT routers, firewalls and web proxies without the typical port-blocking concerns.

SSTP is not designed for site to site VPN connections but is intended to be used for client to site VPN connections.

The success of SSTP can be found in the following features:

  • SSTP uses HTTPS to establish a secure connection
  • The SSTP (VPN) tunnel will function over HTTPS. The problems with VPN connections based on the Point-to-Point Tunneling Protocol (PPTP) or Layer 2 Tunneling Protocol (L2TP) will be eliminated. Web proxies, firewalls and Network Address Translation (NAT) routers located on the path between clients and servers will no longer block VPN connections.
  • Typical port blocking is decreased
  • Blocking of PPTP (GRE) or L2TP (ESP) traffic by a firewall or NAT router, which prevents the client from reaching the server, will no longer be a problem, as ubiquitous connectivity is achieved. Clients will be able to connect from anywhere on the internet.
  • SSTP will be built into Longhorn server
  • SSTP Client will be built into Windows Vista SP1
  • SSTP won't require retraining issues as the end-user VPN controls remain unchanged. The SSTP based VPN tunnel plugs directly into current interfaces for Microsoft VPN client and server software.
  • Full support for IPv6. SSTP VPN tunnel can be established across IPv6 internet.
  • It uses integrated network access protection support for client health-check.
  • Strong integration into MS RRAS client and server, with two factor authentication capabilities.
  • Increases the VPN coverage from just a few points to almost any internet connection.
  • SSL encapsulation for traversal over port 443.
  • Can be controlled and managed using application layer firewalls like ISA server.
  • Full network VPN solution, not just an application tunnel for one application.
  • Integration in NAP.
  • Policy integration and configuration possible to help with client health checks.
  • Single session created for the SSL tunnel.
  • Application independent.
  • Stronger forced authentication than IPSec.
  • Support for non-IP protocols; this is a major improvement over IPSec.
  • No need to buy expensive, hard-to-configure hardware firewalls that do not support Active Directory integration and integrated two-factor authentication.

How SSTP based VPN connection works in seven steps

  1. The SSTP client needs internet connectivity. Once the protocol has verified this connectivity, a TCP connection is established to the server on port 443.
  2. SSL negotiation now takes place on top of the established TCP connection, during which the server certificate is validated. If the certificate is valid, the connection is established; if not, the connection is torn down.
  3. The client sends an HTTPS request on top of the encrypted SSL session to the server.
  4. The client now sends SSTP control packets within the HTTPS session. This establishes the SSTP state machine on both sides for control purposes, and both sides now initiate the PPP layer communication.
  5. PPP negotiation using SSTP over HTTPS now takes place at both ends. The client is now required to authenticate to the server.
  6. The session now binds to the IP interface on both sides and an IP address is assigned for routing of traffic.
  7. Traffic, whether IP or otherwise, can now traverse the connection.
Microsoft is confident that this protocol will help alleviate VPN connection issues. The RRAS team is now readying RRAS for SSTP integration, and the protocol will be part of the solution going forward. The only prerequisite at present is that the client runs Vista and the server runs Longhorn Server. The feature set provided by this little protocol is both rich and flexible, and the protocol will enhance the user and administrator experience. I predict that devices will start to incorporate this protocol into the stack for secure communication, and the headaches of NAT will soon be forgotten as we move into a 443/SSL incorporated solution.

Conclusion

SSTP is a great addition to the VPN toolkit to enable users to remotely and securely connect to the corporate network. Blocking of remote access and NAT issues seem to be forgotten when using this protocol and the technology is stable, well documented and working. This is a great product and it is very welcome in this time of remote access.

Thursday, 27 August 2009

Internet Security Article

Internet Security is something that has grown to be a main concern among society. Companies have come out with Identity Theft prevention services, but often, by the time you get those, it is already too late or doesn’t help. The purpose of this guide is to help you try and develop safe internet habits and to keep you as safe as possible from unwanted problems relating to your personal security.

Many of you probably hear on the news, every so often, “A popular website has been compromised and many people have had their personal data stolen!” When a website is compromised, it puts thousands at risk for one of many possible types of identity theft. It is rare that a site is hacked to this extent: usually, the data is collected through look-alike sites, through spyware, or through other means of collection, most of which happen on a single-user basis. It makes many people nervous when giving out personal information to anyone online because they are not sure what can really happen, and they do not have all the facts.

The goal of this article is to help you understand internet security, so you can protect yourself from thieves. We will take a look at how you can protect yourself, what websites are doing to protect you, and what laws are in place to help protect you. The best way to be safe is to understand what common tricks are, and how to avoid getting exploited.

There are two important terms, which are very commonly misused (even among the “experts” at Microsoft), that need to be defined so you do not get confused later in the article. These words are: Hacker and Cracker.

Hackers are commonly thought of as the bad guys, the people who make your computer go as slow as heck, and the people who steal your identity. In reality, they are actually the opposite. Hackers are the good guys who test security vulnerabilities and fix them. Government agencies, software companies (including Microsoft), and internet security companies employ hundreds of hackers (a few too little, maybe!) to test their software before its release. They try to hack the software to make sure that when it ships, people are not going to be able to use it for malicious purposes.

As a webmaster, even I am a hacker. I have to know how to test my website’s security so the bad guys don’t get through. I also have to ensure that when I make a website for a customer, any data on the site is safe, secure, and that everything related to security is quite bulletproof. When I use the term “hacking” in this article, it refers to the testing of security, whether for good or bad, for the sake of common terminology.

Cracker is a term that isn’t used much outside of the security world. A cracker is someone who exploits holes in a program for malicious use. For example, the people who create game keygens are crackers, meaning what they do is illegal. For continuity, I will refer to both hackers and crackers as hackers, unless a distinction needs to be made; most people think of the two as the same.

Let’s also get a common stereotype out of the way. Hackers are not always some teenager working out of their garage. Most hackers are professional people who know what they are doing. The only reason the “My 15 year old neighbour is a hacker” myth is around is that teenagers tend to be more vocal about what they accomplish. Let’s face it, there are thousands of viruses out there (to be exact, Symantec currently protects users from 69,481 viruses), and a very limited number of the authors ever get caught. Of the very few who do get caught, most of them are probably teenagers. The reason for this is quite simple: they have big mouths. They go to school and yell “Guess what! I cracked Microsoft’s web server this weekend!” and someone gets a sizable reward when they turn the youngster in. Professional hackers tend to be more covert about their actions, and therefore, rarely get caught (until they get too greedy).

A Brief History of Cracking / Hacking: Until the early 1980s, hacking had not been a household term. Prior to this time, the personal computer was not a widely available or feasible option for most home users. Most of the computer market consisted of million-dollar mainframes the size of a warehouse, which only government and major corporations could afford. In the mid-1980s, personal computers finally became affordable to most users and began to find their way into the home.

In 1983, a movie called “War Games” portrayed a teenager who could hack just about anything in the world. He was able to hack through his school’s computer network, as well as carry out many other malicious tasks. This movie caught the imagination of the teenagers who saw it, and sparked an evolution of hackers.

This shift caught the computing industry by surprise, so they were unprepared to take on the new breed of hacker. With time, the teenagers gained experience and many gang-like groups of hackers formed. They started to share their exploits with friends in the group, and word got around quickly. Almost overnight, hacking came to the forefront of personal computer use.

At first, hackers mainly wished to gain access to systems, not to damage them. The first hacker to be prosecuted in the United States was Pat Riddle. Pat had been known to regularly gain unauthorized access to U.S. Department of Defense computers, a major problem for the security of the United States. He was arrested, but could not be charged with anything relating to hacking, because at the time there were no anti-hacking laws. He was charged with theft of phone service instead, putting him in jail for a very limited period of time.

To prevent similar problems in the future, the Computer Fraud and Abuse Act was passed in 1984. It provided a legal means to prosecute hackers for certain things. Laws and regulations will be covered in more depth later in the article.

Securing your network, from home users to small business up to enterprise.

With computers being a critical component in running a business, it is more valuable than ever to ensure the security of your networks, particularly where there is sensitive data. News headlines announcing that networks have experienced security breaches are all too prevalent. This is where you need a service that checks for those vulnerabilities and protects against future attacks. Better yet, you need a service that prevents it before it ever happens to your company. Imagine the embarrassment at having to explain to your customers that someone has stolen their credit card information.

We continue to read headline after headline with news stories that credit card information or social security numbers were exploited. Some companies perform security audits on a regular basis. Certainly institutions like hospitals are required to perform these. But it is mostly small to mid-sized companies that are the most vulnerable.

Hackers employ various methods for gaining access to systems. An audit often replicates those methods, looking for vulnerabilities and weaknesses in the infrastructure. Affectionately known as penetration testing, it involves isolating mild, moderate and critical security threats and then determining the best course of action. When performing a penetration test, a couple of key areas need to be targeted so that a secure network system helps companies to avoid:

  • Financial loss through fraud (hackers, extortionists and disgruntled employees) or through lost revenue due to unreliable business systems and processes.
  • Legal problems. Non-compliance can result in your organization losing business, receiving heavy fines, gathering bad PR or ultimately failing. At a personal level it can also mean the loss of your job, prosecution and sometimes even imprisonment.
  • Damage to your brand through loss of consumer confidence and business reputation.

From an operational perspective, penetration testing helps shape information security strategy through identifying vulnerabilities and quantifying their impact and likelihood so that they can be managed proactively; budgets can be allocated and corrective measures implemented.

For the average home user, there are some basic things you can easily do, especially when setting up a wireless network at home, to prevent others piggybacking on your network or even hacking into it.

Add a little security

  • Change the SSID (name) of your network and disable the SSID broadcast.
  • Disable DHCP.
  • Use MAC address filtering.

Add more security

  • WEP encryption adds an extra blocking mechanism against hackers.

Even more security

  • WPA: setting up a random pre-shared key of 10 characters ensures your network is practically rock-solid. This is a random string of numbers and letters; just make sure you can remember it yourself.
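Added example, not part of the post: a Python helper that generates a WPA pre-shared key from a cryptographic random source and vets a candidate key against the advice above; the 10-character minimum is the post's rule, while the 8-to-63 printable-ASCII range is the WPA/WPA2 passphrase limit.

```python
"""Generate and vet a WPA pre-shared key along the lines of the advice above.

Added example, not from the post. The 10-character minimum is the post's rule;
the 8-63 character range is the WPA/WPA2 passphrase limit (printable ASCII).
"""
import math
import secrets
import string
from typing import List

ALPHABET = string.ascii_letters + string.digits    # "numbers and letters", as the post suggests
MIN_LEN = 10                                        # the post's recommended length
WPA_MIN, WPA_MAX = 8, 63                            # passphrase length limits for WPA/WPA2
TARGET_BITS = MIN_LEN * math.log2(len(ALPHABET))    # 10 random alphanumerics: about 59.5 bits


def generate_psk(length: int = MIN_LEN, alphabet: str = ALPHABET) -> str:
    """Draw a passphrase from the OS CSPRNG via `secrets`, never from `random`."""
    if not WPA_MIN <= length <= WPA_MAX:
        raise ValueError(f"WPA passphrases must be {WPA_MIN}-{WPA_MAX} characters")
    for _ in range(100):  # rejection sampling: redraw until letters and digits both appear
        psk = "".join(secrets.choice(alphabet) for _ in range(length))
        if any(c.isalpha() for c in psk) and any(c.isdigit() for c in psk):
            return psk
    raise ValueError("alphabet must contain both letters and digits")


def entropy_bits(psk: str) -> float:
    """Upper bound on entropy: length * log2(pool), the pool being the character
    classes present. Only meaningful if the characters were chosen at random;
    'password12' gets the same pool as a random string but is far weaker."""
    pool = 0
    if any(c.islower() for c in psk):
        pool += len(string.ascii_lowercase)
    if any(c.isupper() for c in psk):
        pool += len(string.ascii_uppercase)
    if any(c.isdigit() for c in psk):
        pool += len(string.digits)
    if any(c in string.punctuation for c in psk):
        pool += len(string.punctuation)
    return len(psk) * math.log2(pool) if pool else 0.0


def check_psk(psk: str) -> List[str]:
    """Return the problems found; an empty list means the key meets the post's advice."""
    problems = []
    if len(psk) < MIN_LEN:
        problems.append(f"shorter than {MIN_LEN} characters")
    if len(psk) > WPA_MAX:
        problems.append(f"longer than the WPA maximum of {WPA_MAX} characters")
    if not all(32 <= ord(c) <= 126 for c in psk):
        problems.append("contains characters outside printable ASCII")
    if not (any(c.isalpha() for c in psk) and any(c.isdigit() for c in psk)):
        problems.append("does not mix letters and digits")
    if entropy_bits(psk) < TARGET_BITS - 1e-6:
        problems.append(f"estimated entropy {entropy_bits(psk):.1f} bits is below "
                        f"the {TARGET_BITS:.1f}-bit target")
    return problems


if __name__ == "__main__":
    key = generate_psk()
    print(key, f"{entropy_bits(key):.1f} bits", check_psk(key) or "ok")
```

WEP, listed in the step above, has been broken for years and should be treated as no protection at all; use WPA2 or later with a key of this kind.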

These are some very basic steps to securing your data and ensuring your privacy. Keep in mind that small to medium businesses should do a little more to keep their information secure, as they hold even more valuable data, i.e. other people's.

Tuesday, 14 July 2009

What is the ISA 2006 Firewall?

I’ve had a number of encounters with customers and consultants lately that remind me of a situation I’ve been aware of for years. Did you know that most people don’t actually know what the ISA firewall is and what it does? I think some of the confusion is related to the name of the product. First, there is the “Internet Security and Acceleration”, which doesn’t really give you a good idea as to the product’s purpose and function, and second, appending the term “Server” to the end of the product name is confusing, because most people don’t think of firewalls as “firewall servers”.

Of course, people could go to the Microsoft Web site and try to figure out what the ISA firewall is and does. But like most of the home pages on the Microsoft.com Web site, it’s very hard to determine what the product is and does from the information on those pages. You see it promoted as a “security gateway”, which is the latest buzz term in the business. You also see it promoted as a “secure application publishing” solution. OK, what’s that in the big scheme of things? The problem that customers and consultants have is that they don’t understand the marketing speak and just need to know what the ISA firewall is and does.

ISA Server 2006 is Microsoft’s newest version of its Internet Security and Acceleration Server product line. Initially introduced in December 2000, ISA Server 2000 was the first version of the ISA Server product. A major revamp of ISA Server was released in May 2004 and christened ISA Server 2004. This major overhaul included significant improvements and put it on par with other major firewall and security gateway products, such as Check Point NG, Cisco PIX/ASA and Blue Coat. ISA Server 2006 was released to the general public in August of 2006.

ISA Server 2006 is a multi-featured and multi-purpose product that can be deployed in a variety of ways to meet the unique requirements of virtually any organization. As an integrated firewall, Web proxy and VPN server and gateway, ISA Server 2006 can be configured to act in each of these roles or be set up to provide only a subset. This flexibility enables you to introduce ISA Server into your network with minimal disruption to your current infrastructure and provide the security services you need.

In order to help you understand what ISA Server or an NS9200 series security gateway appliance can do for you in securing your core network applications and servers, we’ll discuss the following topics:

  • What is ISA Server 2006?
  • What’s new and improved in ISA Server 2006
  • What’s the difference between ISA Server 2006 Standard Edition and Enterprise Edition?

What is ISA Server 2006?

ISA Server 2006 is many products in one. In a single software package you get:

  • A network layer firewall
  • An application layer inspection security gateway
  • Forward and reverse Web proxy and caching server
  • Remote access VPN server
  • Site to site VPN gateway

A Network Layer Firewall

ISA Server 2006, like Check Point NG and the Cisco PIX/ASA firewall product lines, is a stateful packet inspection firewall. A stateful packet inspection firewall is able to look at the IP (Internet Protocol) information and make sure that attackers don’t take advantage of inherent security vulnerabilities at the network layer. ISA 2006 is able to check and prevent prevalent network layer attacks so that attackers on the Internet, or even in your own organization, are not able to disable or take over the ISA 2006 firewall.

Stateful packet inspection firewalls were state of the art in the 1990s. However, the threat landscape has changed significantly since that time. While malicious users at the end of the 20th century were interested in disabling the firewall and defacing Web sites for personal ego gratification, modern day hackers are more interested in obtaining or destroying corporate information for personal gain. Today’s network criminal is not interested in attacking the firewall or defacing a Web server; he’s more interested in “going under the radar” to steal, change, or destroy data.

Application Layer Inspection Security Gateway

Stateful packet inspection firewalls are unable to determine if there is an attack against a Web server, mail server, FTP server or any other kind of network application. All the stateful packet inspection-only firewall can do is protect you against simple network layer attacks. For this reason, an application layer inspection firewall or security gateway is required.

After ISA Server 2000 was released in December 2000, it quickly became the thought leader in the application layer inspection space. Prior to the release of ISA Server 2000, the Gold Standard for firewalls was the Cisco PIX. The PIX was a simple stateful packet inspection firewall and could not protect networks against the complex application layer attacks that modern hackers were using to steal, change and destroy corporate data.

ISA 2006 continues in the tradition of ISA Server as the leading edge application layer inspection firewall and security gateway. In fact, you’ll see ISA Server described as a “secure gateway” instead of a firewall, because the term firewall is losing its luster due to its heritage as a stateful packet inspection-only device. The ISA 2006 firewall takes both stateful packet inspection and application layer inspection and combines them into a powerful network security gateway solution.

Forward and Reverse Web Proxy and Caching Server

A Web proxy server is a machine that accepts Web connections from Web browsers and other Web enabled applications and forwards those connections to the destination Web server on the behalf of the user making the request. The Web proxy server can accept connections from users on your corporate network and forward them to an Internet Web server or it can accept incoming connections to Web servers and services on your corporate network and forward them to company servers.

When the ISA Server 2006 firewall acts as a Web proxy server, it has full knowledge of the communications being made through it. This enables the ISA firewall’s Web proxy services to provide a significant level of security for Web connections and protects your network from viruses, worms, hacking attempts and more, including identifying and authorizing users before allowing Web connections through the ISA firewall and Web proxy and caching server.

When the ISA firewall’s Web proxy service intercepts Web connections, it can perform many security checks to protect your network. Some of these include:

  • Pre-authenticating the user at the ISA firewall and Web proxy and caching server for incoming connections to corporate Web and mail servers. When pre-authentication is enforced by the ISA firewall, it prevents anonymous users on the Internet from connecting to your corporate assets. Since attackers don’t have access to legitimate user credentials, they are unable to attack your Web servers
  • Transparently authenticate users on the corporate network before their connections are allowed to the Internet. This allows the ISA Server to record the user names for all connections made through the ISA firewall and includes this information in logs and reports for forensics and regulatory purposes
  • Perform deep application layer inspection on all the Web connections made through the ISA firewall using ISA’s HTTP Security Filter. This application layer inspection filter enables the ISA firewall to “scrub” Web sessions to make sure suspicious and potentially dangerous HTTP commands and data do not compromise your network
  • Control what Web sites users are allowed to access, the time of day the users are able to connect, and even control the types of information users can download from the Web. For example, you can use the ISA firewall’s Web proxy features to block access to executable files, streaming media, and documents, such as Microsoft Word files
  • Cache information requested by users to accelerate the Internet experience. When a user on the corporate network requests a Web page, ISA 2006 places that Web page in its Web cache. The ISA firewall stores that information and when another user makes a request for the same Web page, the Web page is returned to the user from the Web cache. This removes the requirement of having to connect to the Internet Web server to retrieve the same page again and reduces the amount of bandwidth needed on the Internet connection and provides users much faster access to the information.
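As an added illustration of the kinds of checks listed above (example code, not ISA Server's own code and not its HTTP Security Filter), here is a toy request filter that enforces a method whitelist, size limits, blocked file types and blocked URL signatures; the policy values and sample requests are constructed.

```python
"""Toy HTTP request filter modelled on the checks listed above for the ISA
Web proxy (allowed methods, size limits, blocked file types, suspicious URL
content). Added example, not ISA Server's code; policy values and the
requests used to exercise it are constructed."""
from dataclasses import dataclass, field
from urllib.parse import unquote, urlsplit


@dataclass
class HttpFilterPolicy:
    # Constructed policy values, chosen for the example.
    allowed_methods: set = field(default_factory=lambda: {"GET", "HEAD", "POST"})
    max_url_length: int = 2048
    max_header_bytes: int = 8192
    # Executables and Word documents, as in the download-control example above.
    blocked_extensions: set = field(default_factory=lambda: {".exe", ".dll", ".scr", ".doc"})
    blocked_signatures: tuple = ("../", "<script")
    block_high_bit_chars: bool = True


def inspect_request(raw: bytes, policy: HttpFilterPolicy) -> tuple:
    """Return (allowed, reason). A proxy should fail closed, so anything it
    cannot parse is denied rather than passed through."""
    head, sep, _body = raw.partition(b"\r\n\r\n")
    if not sep:
        return False, "incomplete request headers"
    if len(head) > policy.max_header_bytes:
        return False, "headers exceed maximum length"
    lines = head.split(b"\r\n")
    try:
        method, target, version = lines[0].decode("ascii").split(" ")
    except (ValueError, UnicodeDecodeError):
        return False, "malformed request line"
    if not version.startswith("HTTP/1."):
        return False, "unsupported HTTP version"
    if method not in policy.allowed_methods:
        return False, f"method {method} not allowed"
    if len(target) > policy.max_url_length:
        return False, "URL exceeds maximum length"
    # Decode twice so a double-encoded sequence (%252e -> %2e -> .) cannot
    # hide a signature from the check below.
    decoded = unquote(unquote(target))
    if policy.block_high_bit_chars and any(ord(c) > 127 for c in decoded):
        return False, "high-bit characters in URL"
    lowered = decoded.lower()
    for sig in policy.blocked_signatures:
        if sig in lowered:
            return False, f"blocked signature {sig!r} in URL"
    path = urlsplit(decoded).path.lower()
    for ext in policy.blocked_extensions:
        if path.endswith(ext):
            return False, f"blocked file type {ext}"
    for line in lines[1:]:
        if b":" not in line:
            return False, "malformed header line"
    return True, "ok"
```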

This is just a short list of what the ISA 2006 Web proxy and caching component can do for your company. For comprehensive information on how the ISA firewall’s Web proxy component can secure and accelerate your organization.

Remote Access VPN Server

An increasing number of employees need access to information contained on the corporate network when they’re out of the office. Employees need to access Word documents, PowerPoint files, databases and more when on the road or when working from home. Even more important to business continuity is the ability to provide off-site workers access to corporate information in the event of an emergency, when workers might not be able to leave their homes. One of the most secure ways you can provide employees access to this information is by using a remote access VPN server.

A VPN (virtual private networking) server allows users outside the office to connect to the corporate network from a laptop or workstation from anywhere in the world. Once the user creates the secure VPN connection, that user’s computer is like a computer located at the office and can potentially access information from any server within the corporate network.

One of the drawbacks of traditional VPN solutions sold by major VPN server vendors is that once the user connects to the VPN server, that user has access to any resource on the corporate network. The problem with this is that the computers remote access users use to connect to the corporate network are typically not managed machines and are therefore at higher risk of worm, virus and trojan infection.

The ISA Server 2006 plugs this security hole found in typical “hardware” VPN servers using three powerful methods:

  • Strong user/group-based access control and least privilege access for remote access VPN connections
  • Application layer inspection on all remote access VPN connections
  • ISA 2006 VPN Quarantine Control

Strong User/Group based Access and Least Privilege for Remote Access VPN Connections

ISA 2006 allows you to control user access based on the user account or the user’s group membership. Access policy is enforced on the user so that, in contrast to traditional “hardware” VPN servers, users are allowed access only to the applications they are given permission to use and no more. VPN users aren’t allowed free access to the entirety of the corporate network, only to the resources they require to get their work done.

Application Layer Inspection on all Remote Access VPN Connections

Survivors of the Blaster worm might recall that they had a false sense of security when they configured their Internet firewalls to block the worm from gaining entry to their network from the Internet. These companies were still infected by Blaster, not from the Internet, but from VPN users. These companies used traditional “hardware” remote access VPN servers that could not perform application layer inspection on the VPN users.

In contrast to the traditional remote access VPN server, ISA 2006 performs both stateful packet and application layer inspection on all traffic moving over the VPN link. Worms like Blaster cannot infect the corporate network over an ISA 2006 VPN connection because the ISA firewall’s smart RPC application layer inspection filter blocks the worm traffic. This ability to inspect application traffic enables the ISA firewall to protect you against compromised VPN client computers in the same way that it protects you from Internet based exploits.

ISA Server 2006 VPN Quarantine Control

For a comprehensive remote access VPN client defense in depth solution, the remote access VPN server should be able to pre-qualify the security status and general system health of the machine connecting through the remote access VPN link. This enables you to be more confident that even unmanaged machines meet minimal security configuration requirements before being allowed to connect to the corporate network.

ISA Server 2006 solves this problem by implementing Remote Access VPN Quarantine (VPN-Q). The VPN-Q feature allows you to configure a set of parameters that the VPN client systems must meet before being allowed to access resources on the corporate network. If the VPN client system is not able to pass these security and health checks, you can configure the VPN-Q feature to automatically update and configure the VPN clients so that they pass inspection and then allow them into the system. If the VPN clients are unable to be completely updated, then the connection is dropped. This protects your company from fatally flawed and compromised computers that could attack and destroy your company’s core information assets.
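The group-based least privilege and quarantine behaviour described in the two sections above, as one added example in Python (not ISA Server's VPN-Q or access policy code): the gate evaluates a client health report, remediates what it can, drops the session if anything still fails, and otherwise grants only the applications the user's groups permit. The baseline, remediation actions, group map and reports are constructed values.

```python
"""Toy remote access VPN admission gate combining the two controls described
above: quarantine (health checks, automatic remediation, drop on failure) and
group-based least privilege (only the applications a user's groups permit).
Added example, not ISA Server's VPN-Q or access policy code; the baseline,
remediation actions, group map and client reports are constructed values."""
from dataclasses import dataclass, field

# Least-privilege map from group to the internal applications it may reach.
# A user in no listed group is admitted with no applications at all.
GROUP_ACCESS = {
    "sales": {"crm", "mail"},
    "engineering": {"source-control", "build-server", "mail"},
}

# What the gateway can fix on a client by pushing settings or updates. A live
# worm process has no entry: such a client is dropped, never "repaired".
REMEDIATIONS = {
    "firewall_enabled": lambda r: r.update(firewall_enabled=True),
    "av_signature_age": lambda r: r.update(av_signature_age_days=0),
    "patch_level": lambda r: r.update(patch_level=5),
}


@dataclass
class AdmissionResult:
    decision: str                 # "allow" or "drop"
    remediated: list = field(default_factory=list)
    failed: list = field(default_factory=list)
    allowed_apps: set = field(default_factory=set)


def failed_checks(report: dict) -> list:
    """Names of baseline checks the client's health report does not meet.
    Missing fields count as failures: an unknown state is not compliant."""
    failed = []
    if not report.get("firewall_enabled", False):
        failed.append("firewall_enabled")
    if report.get("av_signature_age_days", 999) > 3:
        failed.append("av_signature_age")
    if report.get("patch_level", 0) < 5:
        failed.append("patch_level")
    if report.get("known_worm_process", True):
        failed.append("known_worm_process")
    return failed


def admit(groups: list, report: dict) -> AdmissionResult:
    """Quarantine, remediate, re-check, then scope access by group."""
    report = dict(report)         # work on a copy of the client's report
    remediated = []
    for check in failed_checks(report):
        fix = REMEDIATIONS.get(check)
        if fix is not None:
            fix(report)
            remediated.append(check)
    still_failed = failed_checks(report)
    if still_failed:
        return AdmissionResult("drop", remediated, still_failed)
    apps = set()
    for group in groups:
        apps |= GROUP_ACCESS.get(group, set())
    return AdmissionResult("allow", remediated, [], apps)
```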

Site to Site VPN Gateway

We all hope that our companies grow large enough to require branch offices. But with the expansion into branch offices comes the increased complexity and expense required to connect those branch offices to the main office network’s resources.

There are a number of options available to provide branch office connectivity to the main office. These include:

  • Dedicated WAN links provided by telco providers
  • Managed VPN networks provided by telco providers and ISPs
  • Corporate managed VPN site to site VPN networks terminated at company VPN gateways
  • Limited connectivity via “publishing” of corporate resources

Dedicated WAN links and managed VPNs are a good solution for companies who are immune from cost considerations. These options can be prohibitively expensive and organizations who are interested in cost-control prefer to use corporate managed site to site VPN connections between corporate managed VPN gateways.

A VPN gateway allows you to connect your main office to all of your branch offices over inexpensive Internet connections and do so in a secure fashion. Each ISA firewall and security gateway, at the branch offices and the main office, enforces strong stateful packet and application layer inspection over the information moving over the site to site VPN links. In addition, all connections made by branch office users are logged and recorded so that you have a comprehensive history of what users at the branch offices have been doing with main office resources.

The ISA 2006 site to site VPN feature set is an integral part of the ISA 2006 branch office gateway role. For a detailed discussion of using ISA 2006 as a branch office security gateway.

What’s New and Improved in ISA Server 2006?

ISA Server’s roots were originally in Microsoft Proxy Server 2.0. ISA Server 2000 represented a major revamp of the Microsoft Proxy Server product and transformed it from a simple proxy server to a full featured network firewall and application layer security gateway. Another major reconstruction of the ISA firewall product line took place, with over 100 improvements and changes, with the introduction of the ISA 2004 firewall. In contrast to previous versions of ISA Server, the new ISA 2006 firewall and Web proxy and caching product represents an incremental change.

The major improvements included with ISA 2006 are focused on secure Web publishing, enhanced branch office performance and reliability and worm/flood protection. Table 1 provides some details of these improvements.

Secure Web Publishing
ISA 2006 includes a number of improvements in providing secure remote access to Web servers and services on the corporate network. Some of these include:

  • New SharePoint Portal Server Publishing Wizard
  • Improved Outlook Web Access (OWA), Outlook Mobile Access (OMA), Exchange ActiveSync (EAS) and Outlook 2003+ RPC/HTTP Web Publishing Wizard
  • Increased options for two factor authentication, including SecurID and RADIUS one-time passwords
  • New Kerberos constrained delegation enables remote users with laptops and Windows Mobile-enabled devices to use secure user certificates to authenticate to the ISA firewall
  • New LDAP authentication allows ISA 2006 to be placed in a high security DMZ and leverage Active Directory users/groups
  • Web farm load balancing. This new feature enables you to publish a collection of Web servers that perform the same function or contain the same content and have the ISA 2006 firewall automatically load balance the connections. ISA Server is able to do this without requiring NLB or a hardware load balancer, which greatly increases the simplicity of deployment and greatly reduces the cost by removing the hardware load balancer

Branch office security gateway
ISA 2006 includes a number of new and improved features that make it the ideal selection for a branch office security gateway. These include:

  • HTTP compression of the link connecting the branch office to the main office
  • Diffserv Quality of Service (QoS) enables the ISA firewall to participate in Diffserv service groups and provide preferential treatment to connections to mission critical servers
  • BITS caching reduces the cost and the load on links connecting the main office to the branch office by reducing the number of requests required for Microsoft updates
  • The new site to site VPN wizard makes it easy for a non-technical user to provision a branch office ISA firewall with the help of an answer file created by the main office ISA firewall administrator

Worm and flood protection
ISA 2004 included a basic worm and flood protection feature that prevented the ISA firewall and ISA firewall protected networks from being compromised by worm flood attacks. The ISA 2006 firewall builds on this flood protection and increases the level of security against network flooding by adding many new configurable worm flood protection settings.

Table 1: New and Improved Features in ISA 2006
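As an added illustration of the worm and flood protection idea in Table 1 (example code, not ISA Server's flood mitigation implementation), here is a detector that counts per-source events in a sliding one-minute window and flags a source the first time it exceeds a per-event limit; the limits and the firewall log lines are constructed.

```python
"""Toy worm/flood detector in the spirit of the Table 1 flood protection
entry: per-source-IP event counts over a sliding 60-second window, with a
limit per event type. Added example, not ISA Server's flood mitigation code;
the limits and the log lines are constructed for this illustration."""
from collections import defaultdict, deque

# Constructed per-source limits for one 60-second window.
LIMITS = {"connect": 5, "denied": 3}
WINDOW_SECONDS = 60

# Constructed firewall log: "<unix_ts> <src_ip> <dst_ip>:<port> <event>".
# 10.0.0.5 opens six SMB connections to six different hosts within seven
# seconds (worm-like spread); 10.0.0.9 is a steady, legitimate client that
# connects every 30 seconds; 198.51.100.7 produces a burst of denied packets.
SAMPLE_LOG = """\
1000 10.0.0.5 172.16.0.10:445 connect
1001 10.0.0.5 172.16.0.11:445 connect
1002 10.0.0.5 172.16.0.12:445 connect
1003 10.0.0.5 172.16.0.13:445 connect
1004 10.0.0.5 172.16.0.14:445 connect
1005 10.0.0.9 172.16.0.20:80 connect
1007 10.0.0.5 172.16.0.15:445 connect
1010 198.51.100.7 172.16.0.1:135 denied
1011 198.51.100.7 172.16.0.1:135 denied
1012 198.51.100.7 172.16.0.1:135 denied
1013 198.51.100.7 172.16.0.1:135 denied
1035 10.0.0.9 172.16.0.20:80 connect
1065 10.0.0.9 172.16.0.20:80 connect
1095 10.0.0.9 172.16.0.20:80 connect
""".splitlines()


def parse_line(line: str) -> tuple:
    """Split one constructed log line into (timestamp, source IP, event)."""
    ts, src, _dst, event = line.split()
    return int(ts), src, event


def detect_floods(lines, limits=LIMITS, window=WINDOW_SECONDS) -> dict:
    """Return {(src_ip, event): timestamp} for the first moment each source
    exceeds the limit for that event type. Timestamps older than the window
    are evicted before counting, so a slow steady client never trips it."""
    recent = defaultdict(deque)
    alerts = {}
    for line in lines:
        ts, src, event = parse_line(line)
        if event not in limits:
            continue
        q = recent[(src, event)]
        q.append(ts)
        while ts - q[0] >= window:
            q.popleft()
        if len(q) > limits[event] and (src, event) not in alerts:
            alerts[(src, event)] = ts
    return alerts


if __name__ == "__main__":
    for (src, event), ts in detect_floods(SAMPLE_LOG).items():
        print(f"{ts}: {src} exceeded {LIMITS[event]} {event} events in {WINDOW_SECONDS}s")
```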

Standard Edition or Enterprise Edition?

There are two versions of ISA Server 2006. These are:

  • ISA Server 2006 Standard Edition
  • ISA Server 2006 Enterprise Edition

ISA 2006 Standard Edition is aimed at the small and medium sized business market of 75-500 users. ISA 2006 Standard Edition is comparable to a PIX or ASA firewall that is being used at a single site either in a lone firewall configuration or a lone firewall with a hot or cold standby. Management of ISA 2006 Standard Edition firewalls is done on a per machine basis.

In contrast, ISA 2006 Enterprise Edition is designed with medium to enterprise sized businesses in mind, where there are several ISA firewalls located at the main office and potentially thousands of ISA firewalls located in branch offices all over the world servicing 500-100,000 users. The Enterprise Edition of the ISA 2006 firewall and Web proxy and caching server provides features required by medium and enterprise sized businesses alike, including centralized management and configuration, throughput in the multi-gigabyte range, and intelligent load balancing and caching leading to optimal uptime and performance for even the largest enterprise environments.

Summary

The goal of this article was to let you know about the ISA firewall and help you define its features and capabilities. The ISA firewall is a comprehensive network security solution that provides network edge and perimeter firewall, remote access VPN server, site to site VPN gateway, and Web proxy and caching in a single product.

All of these features can be deployed at the same time on a single device, or you can deploy the ISA firewall using only one or two of these roles. At its core, the ISA firewall is a network firewall on par with Cisco PIX/ASA or Check Point, but with the additional Web proxy and caching functionality that the Cisco and Check Point offerings do not have (unless you want to pay rapacious licensing fees).

The ISA firewall is also a high performance solution, easily supporting over 1.5Gbps stateful packet inspection and over 300Mbps Web proxy application layer inspection. ISA firewalls come in two versions: a Standard Edition for mid-sized businesses without branch offices or HA requirements, and Enterprise Edition, designed for mid-sized to enterprise businesses, who require centralized support for deployment, configuration and management of a globally distributed firewall and Web proxy/caching solution.