SecureNAT Client

The SecureNAT client is effectively any device that attempts to communicate through the ISA Server 2004 firewall without being configured as one of the other firewall client types. For all intents and purposes, this is the traditional "point to the firewall as the default gateway to communicate" type of client. Therefore, practically any type of TCP/IP network host can communicate through the firewall as a SecureNAT client. Although easy to implement (no special configuration is required beyond enabling network communications on the host), the SecureNAT client is the least secure and least capable of the firewall client types. SecureNAT clients cannot be configured to authenticate with the firewall to determine what access should be permitted, nor can they access resources requiring complex protocols (protocols that require multiple connections; for example, standard FTP PORT-mode connections) without the use of application filters installed on the firewall itself.

Firewall Client

The ISA Server 2004 firewall client is one of the components of an ISA Server 2004 solution that really separates it from the competition in terms of the control over access that can be managed. The firewall client software can be installed on Windows-based clients only, which is a limitation in environments that use Linux, Sun, UNIX, or Mac computers. Once implemented, however, the firewall client enables you to define access to external resources based on users and groups and to authenticate all access requests, ensuring that only the users you have specified are allowed to communicate. It also enables you to define how they can communicate. This authentication information is stored in the firewall log files, making it easy to perform a forensic analysis to determine what sites, protocols, and applications the user was running or accessing.
Perhaps the most powerful feature of the firewall client is the ability to enforce security controls on the client itself (for example, allowing only applications that you explicitly permit to function on the client, or allowing only certain ports on the client to be used for communications). For example, a relatively difficult task with most firewalls is preventing users from running instant messaging and peer-to-peer applications. Almost all instant messaging applications can use HTTP (or any other protocol) as their transport protocol, making them difficult to block effectively at the firewall. Similarly, many peer-to-peer applications can do the same thing. With the firewall client, you can define the names of applications that should not be allowed to run; they will be blocked by the firewall client software. Keep in mind that if users can rename the application executable, they can bypass these restrictions.

Web Proxy Client

The web proxy client is used any time a computer is configured via its web browser to use a proxy, and the ISA Server 2004 server is specified as the proxy. Although web browsers are the most commonly implemented applications that use proxies, instant messaging software and other applications that support using a proxy can also be configured as web proxy clients. The web proxy client enables you to improve the performance of web access because the data can be cached by the firewall and served to the clients out of cache. This also reduces bandwidth requirements, as discussed in the next section. The web proxy client also supports using authentication for access, similar to the firewall client, thus providing a mechanism to control and track access on a per-user basis.

Web Caching Server Functionality

Although technically not a firewall or security feature, the ISA Server 2004 server provides full caching server functionality.
This allows the server to transparently cache web requests and then service subsequent requests out of cache, thus reducing the amount of bandwidth that is used for client web browsing. This also allows the ISA Server 2004 server to function as a proxy, retrieving content on behalf of clients.

Network Services Publishing

To provide access to protected resources, ISA Server 2004 implements what are known as publishing rules. These rules are used to provide inbound/ingress filtering for resources that are being protected by the firewall. For example, if you have a web server that needs to provide services to external clients, you would use network services publishing (specifically, web server publishing rules) to "publish" or provide access to the protected web server resource. There are four types of publishing rules:

• Web server publishing rule
• Secure web server publishing rule
• E-mail server publishing rule
• Server publishing rule

As you would expect, the first three rules are specialized to handle the corresponding types of network services. The server publishing rule is the generic catchall rule type for any and all other publishing requirements.

VPN Functionality

Microsoft ISA Server 2004, like many other firewalls, also provides integrated VPN functionality, allowing you to use the ISA Server 2004 both as a component in a site-to-site VPN and as a termination point for remote access VPN services. In addition to the Point-to-Point Tunneling Protocol (PPTP) and Layer 2 Tunneling Protocol/IP Security (L2TP/IPsec) VPN protocols supported by previous versions, ISA Server 2004 also supports native IPsec tunnel mode VPN implementations. Because the VPN functionality is integrated with the firewall, ISA Server 2004 can also perform stateful packet filtering and inspection on VPN traffic that is passing through the firewall, providing additional security and control of all traffic that is entering or exiting the protected network.
Doing so enables you to perform actions such as limiting your remote sales users to a subset of servers and services on the protected network.

Management and Administration Features

Arguably some of the most deficient aspects of previous versions of ISA Server were that the management interface was not intuitive, the access rule management methodology was contrary to almost every other product on the market, and the monitoring and reporting capabilities left a lot to be desired. ISA Server 2004 has gone a long way toward correcting these deficiencies.

Management Interface

As shown in Figure 8-2, ISA Server 2004 takes advantage of the Microsoft Management Console to provide a management interface. This management console can either be accessed locally on the ISA server by using Terminal Services (TS) or Remote Desktop (RDP) to start a terminal session, or be installed on a remote system (such as the administrator's desktop) to allow for remote management of all ISA Server 2004 resources in the environment. In the case of TS or RDP, the TS/RDP process handles protection and encryption of the data over the network. In the case of installing the management console on a remote system, Microsoft is intentionally vague as to what, if any, encryption or protection is applied to the data transmitted between the management console and the ISA Server 2004 server. As with other Microsoft products, administrative access is granted through the use of Windows users and groups, as well as by defining individual IP addresses or ranges of IP addresses that are allowed to make management connections.

Figure 8-2. ISA Server 2004 Management Console

In addition, some third-party web-based management interfaces can be implemented, allowing management of the ISA server to be performed via a web browser, thus eliminating the need to install a management client for remote management.
Access Rule Management

Access rule management has also been greatly simplified, following the well-defined conventions that have long been established for firewall rule management. Unlike server publishing rules, which are designed for defining inbound/ingress filters, access rules are used to define outbound/egress filters for traffic that is sourced from a protected network. Rules have the following components, which can be defined in a wizard-driven fashion:

• Rule name
• Rule action (permit/deny)
• Protocol the rule applies to
• Source traffic
• Destination traffic
• Users to which the rule applies

An important distinction to be aware of is that for SecureNAT clients, rules that are set to apply to all IP traffic actually apply only to defined protocols, so you need to ensure that you define any protocols that you want to filter on.

Monitoring and Reporting

Although monitoring and reporting are some of the less elegant aspects of firewall management, Microsoft made significant improvements to the monitoring and reporting features of ISA Server 2004, providing the following capabilities:

• Real-time monitoring of log entries and firewall sessions
• Report customization and publishing
• E-mail notification
• Configurable log summary start times (the ability to pick any start time, as opposed to having to use a defined start time such as midnight every day)
• Improved SQL logging (the ability to log to a SQL server, thereby allowing the use of advanced SQL tools to query the database and build custom reports)
• Microsoft Data Engine (MSDE) logging capabilities

Miscellaneous Features

Although the ability to support multiple networks may sound like a given, multinetwork support is actually a new feature of ISA Server 2004, allowing it to be implemented in enterprise environments that contain multiple networks (both internal networks and perimeter networks such as DMZ segments).
In conjunction with this, you can define the relationships between the networks and then use this information during rule creation. By default, ISA Server 2004 supports the following networks:

• The internal network (the subnet directly connected to the internal interface of the firewall)
• The external network (any IP addresses that do not belong to another network)
• The VPN clients network (any IP addresses that are assigned to VPN clients)
• The local host network (the IP addresses of the firewall itself)

Remote VPN users represent one of the bigger security risks for most environments. These users typically connect to all sorts of networks that are outside the control of the IT department and then attempt to connect to their corporate network. This allows the VPN client to become a carrier of viruses, worms, and other malicious software and content, spreading it to the corporate network when the VPN connection is established. To help mitigate this risk, ISA Server 2004 includes VPN Quarantine Control. With VPN Quarantine Control, ISA Server 2004 can be configured to enforce policies on the VPN clients, including the following:

• All security updates and service packs defined by the administrator must be installed.
• The client must have antivirus software installed and enabled.
• The client must have personal firewall software installed and enabled.

If these conditions are not met, the VPN client is not connected to the VPN with access to the full network resources; instead, it is connected to a limited-access network where it can download and apply any required patches and updates. Although this does not remove any malicious software from the VPN client computer, by allowing only patched and updated systems to connect you help ensure that the VPN client computer is less susceptible to threats.

Microsoft ISA Server 2004 Requirements and Preparation

ISA Server 2004 can be a relatively complex product to implement.
A number of system requirements and recommendations should be met before installing and configuring ISA Server 2004. Table 8-2 details the system requirements as well as my recommendations beyond the system requirements.

Table 8-2. System Requirements

| Component | Minimum | Recommended |
|---|---|---|
| Processor | Single Pentium III 550 MHz | Single or dual Xeon 3 GHz |
| Memory | 256 MB | 2 GB |
| Disk space | 150 MB | Mirrored or RAID 5, 36-GB capacity with separate disks for caching (if implemented) |
| Network | At least two 10/100-Mbps network adapters | At least two 100/1000-Mbps network adapters |
| Operating system | Microsoft Windows 2000 Server or Advanced Server with SP4 or later | Microsoft Windows Server 2003 (Standard or Enterprise Edition) |

In addition to the system requirements, you need to harden the operating system prior to installing ISA Server 2004 on the system. Use the guides mentioned earlier in the "Microsoft ISA Server 2004 Firewall" section as a basis for securing the underlying operating system as well as the Microsoft ISA Server 2004 software. Of particular importance is to harden the external network interface (at a minimum) to remove all clients, services, and protocols except TCP/IP itself, as shown in Figure 8-3.

Figure 8-3. External Network Interface Configuration

In addition, you also need to configure the routing table on the ISA server accordingly to support all the networks it will need to reach, or you will need to install and configure Routing and Remote Access on the firewall to enable routing protocols such as OSPF or RIPv2. Finally, ensure that you disable any network services or applications that are not explicitly required by ISA Server 2004. Table 8-3 lists the core services that are required by ISA Server 2004, including the startup mode that should be used. All other services should be disabled.

Table 8-3. Service Requirements

| Service Name | Function/Purpose | Startup Mode |
|---|---|---|
| COM+ Event System | Core operating system | Manual |
| Cryptographic Services | Core operating system (security) | Automatic |
| Event Log | Core operating system | Automatic |
| IPSec Services | Core operating system (security) | Automatic |
| Logical Disk Manager | Core operating system (disk management) | Automatic |
| Logical Disk Manager Administrative Service | Core operating system (disk management) | Manual |
| Microsoft Firewall | Required for normal functioning of ISA Server 2004 | Automatic |
| Microsoft ISA Server Control | Required for normal functioning of ISA Server 2004 | Automatic |
| Microsoft ISA Server Job Scheduler | Required for normal functioning of ISA Server 2004 | Automatic |
| Microsoft ISA Server Storage | Required for normal functioning of ISA Server 2004 | Automatic |
| MSSQL$MSFW | Required when MSDE logging is used for ISA Server 2004 | Automatic |
| Network Connections | Core operating system (network infrastructure) | Manual |
| NTLM Security Support Provider | Core operating system (security) | Manual |
| Plug and Play | Core operating system | Automatic |
| Protected Storage | Core operating system (security) | Automatic |
| Remote Access Connection Manager | Required for normal functioning of ISA Server 2004 | Manual |
| Remote Procedure Call (RPC) | Core operating system | Automatic |
| Secondary Logon | Core operating system (security) | Automatic |
| Security Accounts Manager | Core operating system | Automatic |
| Server | Required for the ISA Server 2004 Firewall Client share | Automatic |
| Smart Card | Core operating system (security) | Manual |
| SQLAgent$MSFW | Required when MSDE logging is used for ISA Server 2004 | Manual |
| System Event Notification | Core operating system | Automatic |
| Telephony | Required for normal functioning of ISA Server 2004 | Manual |
| Virtual Disk Service (VDS) | Core operating system (disk management) | Manual |
| Windows Management Instrumentation (WMI) | Core operating system (WMI) | Automatic |
| WMI Performance Adapter | Core operating system (WMI) | Manual |

How the Microsoft ISA Server 2004 Firewall Works

Almost all management functions for ISA Server 2004 firewalls are performed with the ISA Server management console. This is a Microsoft Management Console (MMC)-based console that is either run on the ISA server itself (and typically accessed via RDP/TS) or installed separately on the remote management workstation (via the ISA Server 2004 installation program). Figure 8-4 shows the ISA Server 2004 management console.
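As an added example (not from the book or from Microsoft), the following PowerShell script audits the local service configuration against Table 8-3: it reports every listed service whose startup mode differs from the table, every unlisted service that is not disabled, and every listed service that is absent. It assumes PowerShell 3.0 or later for Get-CimInstance; service display names are taken from the table with the parenthetical abbreviations dropped, and may differ on other Windows versions.

```powershell
# Added example, not the book's own: check the services of Table 8-3 against
# the local startup configuration. Win32_Service reports StartMode as Auto,
# Manual or Disabled; the table's "Automatic" is therefore written as Auto.
$required = @{
    'COM+ Event System'                           = 'Manual'
    'Cryptographic Services'                      = 'Auto'
    'Event Log'                                   = 'Auto'
    'IPSec Services'                              = 'Auto'
    'Logical Disk Manager'                        = 'Auto'
    'Logical Disk Manager Administrative Service' = 'Manual'
    'Microsoft Firewall'                          = 'Auto'
    'Microsoft ISA Server Control'                = 'Auto'
    'Microsoft ISA Server Job Scheduler'          = 'Auto'
    'Microsoft ISA Server Storage'                = 'Auto'
    'MSSQL$MSFW'                                  = 'Auto'
    'Network Connections'                         = 'Manual'
    'NTLM Security Support Provider'              = 'Manual'
    'Plug and Play'                               = 'Auto'
    'Protected Storage'                           = 'Auto'
    'Remote Access Connection Manager'            = 'Manual'
    'Remote Procedure Call (RPC)'                 = 'Auto'
    'Secondary Logon'                             = 'Auto'
    'Security Accounts Manager'                   = 'Auto'
    'Server'                                      = 'Auto'
    'Smart Card'                                  = 'Manual'
    'SQLAgent$MSFW'                               = 'Manual'
    'System Event Notification'                   = 'Auto'
    'Telephony'                                   = 'Manual'
    'Virtual Disk Service'                        = 'Manual'
    'Windows Management Instrumentation'          = 'Auto'
    'WMI Performance Adapter'                     = 'Manual'
}
$services = Get-CimInstance -ClassName Win32_Service
foreach ($svc in $services) {
    if ($required.ContainsKey($svc.DisplayName)) {
        $expected = $required[$svc.DisplayName]
        if ($svc.StartMode -ne $expected) {
            Write-Output "MISMATCH $($svc.DisplayName): is $($svc.StartMode), table says $expected"
        }
    } elseif ($svc.StartMode -ne 'Disabled') {
        # Not listed in Table 8-3: the text says all other services should be disabled.
        Write-Output "EXTRA    $($svc.DisplayName): $($svc.StartMode), should be Disabled"
    }
}
# Listed services that are not installed at all (the MSDE services are optional).
foreach ($name in $required.Keys) {
    if (-not ($services.DisplayName -contains $name)) { Write-Output "MISSING  $name" }
}
```

Run it in an elevated session on the ISA server after hardening; an empty result means the service configuration matches the table and nothing else is left running.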