DeepakG_[MS]: Good Evening Everyone! Welcome to the experienceDotNet
online chat... today we will be talking about Microsoft ISA Server
DeepakG_[MS]: we have with us today Shivaram Venkatesh who works
as a Technical Specialist at Microsoft India. Over to you Shiv,
since I don't have any questions from the audience yet, let's start
with a brief intro to ISA
Shivaram_MS: Folks, Microsoft has always been known to deliver
products that meet the demands of all users, be it Enterprise users
or home users. ISA is the new generation product for secure and
fast internet connectivity
Shivaram_MS: ISA is a proxy server, active cache server and
a multi layer firewall
Shivaram_MS: Many of you familiar with IT infrastructure
would know that to connect to the Internet from a LAN, I need
a "proxy" server or a server capable of multiplexing many requests
into a single connection
Shivaram_MS: We had a product called "MS Proxy Server" which
served just this purpose
Shivaram_MS: ISA is the successor to that and now provides
additional related services such as Firewalling, Intrusion detection
and active caching
Shivaram_MS: It is part of the .NET server family of products
from Microsoft
DeepakG_[MS]: Could you please elaborate on the Intrusion Detection
capabilities of ISA?
Shivaram_MS: Yes, Intrusion detection in ISA focuses on trying
to determine which packets are allowed in, depending on rules set.
We have licensed a portion of the IDS detection code from ISS systems
and this protects against well known attacks such as UDP bombs,
pings of death, etc. This is always recommended during the ISA install.
DeepakG_[MS]: (Saurabh_MVP): Hi Shivaram, could you highlight at
what layers of the OS ISA provides protection?
Shivaram_MS: Saurabh, could you be a little more precise
about "layers"?
Shivaram_MS: ISA by default modifies the standard TCP stack
of Windows server and intercepts all incoming and outgoing packets
and inspects them. It works more on the core stack and kernel "layer".
DeepakG_[MS]: (Saurabh_MVP): Shivaram.. well I am not an expert on
Firewalls ...but there are different kinds of Firewalls .. some
block Ports, some block Applications ..I guess ISA basically works
by blocking Ports?
Shivaram_MS: ISA is a multi layered firewall: It works with
circuits (N/Ws), packets and then also with applications. Hence
it not only blocks ports, but even for allowed ports, it determines
which applications can be allowed in or out and then opens the ports
dynamically. Thus you can say "I do not want MSN messenger
to work through the Firewall" and then ISA knows which ports to disallow
for that, and also understands that these are MSN packets and then
either opens or does not open the ports.
Shivaram_MS: All ports are closed by default unless ISA determines
that they need to be opened, based on the rules set
DeepakG_[MS]: (Rahul): Yahoo messenger works on port 80, the default
internet port. As a network administrator if I want to restrict
Yahoo chat, how can I?
Shivaram_MS: Chat software like MSN, Yahoo etc. work not just
on Port 80, but also work with associated ports. For e.g. MSN
messenger works on 3863 as well. Now in ISA you can say that I want
to block "Yahoo messenger" and create a rule that will then apply
to those ports that Yahoo messenger will use. Once you mention whether
this chat uses secondary connections or not, and then set the rule,
ISA will then determine what the traffic is and then block access
to that chat software
DeepakG_[MS]: I would like to add to that question - I think what
Rahul is trying to ask is whether ISA has protocol intelligence
built in - can it sniff the traffic and tell that this is HTTP traffic
and this is Yahoo chat?
Shivaram_MS: Yes, Yahoo chat will use secondary connections
and ISA understands that this particular software uses these ports
and then decides to block them. If Yahoo uses pure port 80 then,
within ISA you can set a rule which determines the type of payload
and then ISA will block it. Adding to that, ISA not just sniffs
packets, but then inspects the header, footer AND payload to determine
in real time whether to allow or disallow. If allowed, it then determines
which port the packets need to move into and then dynamically opens
it
DeepakG_[MS]: (Rahul): Can you please explain the concept of payload
and how I can determine it for Yahoo chat packets?
Shivaram_MS: sure, the payload of a packet is the actual data
contained in the packet. It is the so-called "information" in
the data. Many firewalls simply inspect the header and footer and then
allow or block the packet. ISA actually scans the payload also.
DeepakG_[MS]: (Saurabh_MVP): just for curiosity's sake, how many security
alerts have been issued (if any) for the latest ISA Product?
Shivaram_MS: well, so far there have been only 3 alerts on
ISA. They are essentially minor ones and are based on malformed
packets on the HTTP protocol issued from a browser under special
conditions. It is actually a very very secure product with excellent
throughput.
DeepakG_[MS]: (Rahul): Why is ISA server called a .Net server?
Shivaram_MS: Well, ISA server's rules and 3rd party applications
use XML to communicate with ISA. Also, more importantly, ISA is probably
the only Firewall capable of understanding and filtering SOAP based
packets for web services and web service apps.
DeepakG_[MS]: (Saurabh_MVP): you mentioned a good point about SOAP
.. can you elaborate on what kind of filtering ISA does for SOAP
packets?
Shivaram_MS: well, let us say that inside an http-get, I have
a payload that has encrypted remote calls. Now the firewall should
understand firstly what kind of packet it is, what destination is
it looking for, does it need any UDDI services on the other side,
is it using any Integrated Windows authentication information etc. Now
a normal firewall will not have that intelligence; ISA does and
understands this very well. So a rogue SOAP embedded packet cannot
cause damage with ISA
DeepakG_[MS]: Can ISA work in a fail-safe environment?
Shivaram_MS: sure, ISA can work in an NLB environment, where
the caching can be load balanced. It can also work in what is called
"CARP", where a hierarchy of ISA servers caches certain types of
data and downstream ISA servers connect to those to fetch HTTP data
for their local requests. ISA rules and configurations can be set
into the AD for extensibility when you add a new ISA server into
the existing ISA array of servers. When you use this method (NLB
or CARP), ISA can not only be fail safe but also load balance very
well.
DeepakG_[MS]: Can you share with us some common configuration mistakes
that you come across…
Shivaram_MS: well, the most common one is just after the setup,
where administrators not familiar with ISA complain that there is
no internet access, nothing seems to work etc. Another one I have
seen is the addition of custom applications... using their specific
ports - e.g. SAP uses ports 3000 and above etc. Many of these applications
require secondary connections and when the rules are set, people
forget this step and it does not work
Shivaram_MS: I have also seen people forgetting to set the
active cache properly and then complain that the internet access
is too slow.
Shivaram_MS: One thing which I have seen very often is that
administrators do not publish their mail servers properly and SMTP
mail neither comes in nor goes out
DeepakG_[MS]: (Saurabh_MVP): you mentioned the ability to filter
SOAP packets... what other features of ISA make it stand out from
the competition?
Shivaram_MS: great question: 1: Performance - ISA has been
benchmarked at 280 on a 300 line, which is amazing.
Shivaram_MS: 2: ISA is not just a firewall, it is an active
cache, NAT box, IDS protection, mail filter for Spam mails, and
very few if not negligible cracks against it
Shivaram_MS: but I think what makes it stand out is its performance
and integration with all types of clients
Shivaram_MS: I can add applications to ISA which do custom
reporting, web content filtering etc. Huge extensibility. There
are plenty more, but these would suffice for now.
Shivaram_MS: One thing I would like to add is that even though
ISA is a very secure firewall, care should be taken not to open
unnecessary ports, install applications on the firewall box etc.
Shivaram_MS: Also the OS has to be hardened so that nothing
is left open there as well. Also care should be taken to ensure
that no service except what is needed should be running. For e.g...
Shivaram_MS: No IIS, no FTP, no SMTP, no Infrared service,
no Net DDE etc.
Shivaram_MS: also, ISA when configured as a firewall should
always be configured with IDS turned on and alerts sent to the administrator.
Shivaram_MS: There are plenty more, but you can refer to
the ISA security configuration guide found at technet and also in
the ISA support site of Microsoft
DeepakG_[MS]: (pan25): Can ISA Server be integrated with a hierarchy
of Web Caches?
Shivaram_MS: ISA can be integrated with web caches, but what
has to be borne in mind is that ISA itself is a great cache and
whether the time spent in requesting the other cache for the page
will justify not using ISA
Shivaram_MS: you can always configure ISA to route requests
to an upstream server which is a web cache
DeepakG_[MS]: (pan25): What protocol does ISA use?
Shivaram_MS: well, ISA usually uses CARP to communicate with
caches
Shivaram_MS: CARP is a worldwide standard for web caches
DeepakG_[MS]: ok then, with this we come to the end of today's chat
session
DeepakG_[MS]: Thanks everyone for joining in
DeepakG_[MS]: Thanks Shivaram for taking time out for this chat
from your busy schedule
DeepakG_[MS]: Do tune in to next week's chat
DeepakG_[MS]: we discuss Visual Studio.NET roadmap next Friday 4:00
PM
DeepakG_[MS]: till then, Good Bye