MCSE ISA Server 2000 Document - P12 pdf


Chapter 9 ISA VIRTUAL PRIVATE NETWORKS

APPLY YOUR KNOWLEDGE

Evaluation of Proposed Solution: Which result(s) does the proposed solution produce?
A. The proposed solution produces the required result but neither of the optional results.
B. The proposed solution produces the required result and one of the optional results.
C. The proposed solution produces the required result and both of the optional results.
D. The proposed solution does not produce the required result.

6. CrystaBell Productions has hired you to improve communication security between their two locations. Each location has an ISA Server sitting between its internal private network and the Internet.
Required Result: All communications between the offices must be encrypted.
Optional Desired Results: Either office can initiate the connection. The best security algorithms should be used for the job.
Proposed Solution: Obtain server certificates and be sure they are loaded appropriately on the ISA Server computers. Use the VPN local and remote wizards on the corresponding ISA Servers to create VPN connections. Use all default settings, but select L2TP/IPSec as the tunnel type.
Evaluation of Proposed Solution: Which result(s) does the proposed solution produce?
A. The proposed solution produces the required result but neither of the optional results.
B. The proposed solution produces the required result and one of the optional results.
C. The proposed solution produces the required result and both of the optional results.
D. The proposed solution does not produce the required result.

Answers to Review Questions

1. Making changes in authentication methods, for example, removing MS-CHAP, or requiring certificates or smart cards. See the sections "Examining Wizard Results" and "Making Additional Configurations."
2. Well, Sam could be requiring more restrictive authentication methods and setting up certificates and such. But those things can be done after the wizards. Actually, the wizard does one thing that Sam can't do. The wizard creates a strong password for the user accounts and does not make this available. Any password that Sam uses must somehow be communicated to the person configuring the remote VPN endpoint. Even if Sam does both connections, he knows the password (the setup person knows the tunnel password). When the wizard creates the password, no one knows it. This is not to say that the wizard can create a stronger password than Sam, or that the password can't be hacked, just that initially, the tunnel password is not available to anyone. See the section "Using the Wizard."
3. No static route has been created. See the section "Without the VPN Wizard."
4. Each private network is using the same network. Change one of the private networks to something else. See the section "Without the VPN Wizard."
5. You must obtain certificates for the tunnel endpoints. You can do so by setting up MS Certificate Services and installing server certificates on each ISA Server. See the section "Configuring Microsoft Certificate Services."
6. Yes. The certificates must be from a source trusted by both endpoints. See the section "Configuring Microsoft Certificate Services."

Answers to Exam Questions

1. A. Using Windows VPN client software and configuring the ISA Server to allow client connections is the way to go. B is wrong because client systems cannot use the disk. C is wrong. It is not necessary to purchase third-party software. D is wrong. There are no other offices!
2. B. A is incorrect; there already is a VPN set up and they do not want to change it. C is incorrect; the ISA Server will not allow PPTP to pass through by default. D is incorrect; they do not want to remove the existing gateways. See the section "Configure VPN Pass-Through."
3. D. A is incorrect. The wizard creates user accounts and passwords. B is incorrect. The wizard configures RRAS with user accounts. C is incorrect. The wizard does this. See the section "Configure ISA Server as a VPN Endpoint."
4. A. B and C are incorrect; the default sets up only the remote VPN as the initiator of the connection. PPTP is not as secure as L2TP/IPSec. See the section "Configure ISA Server as a VPN Endpoint."
5. B. Configuring server info on the alternative page during the wizard allows both sides to initiate a connection. C is wrong because PPTP is not as secure as L2TP/IPSec. See the section "Local ISA VPN Wizard—Connection Receiver."
6. C. Adding L2TP/IPSec makes the tunnel more secure. See the section "Local ISA VPN Wizard—Connection Receiver."

Suggested Readings and Resources

• Thaddeus Fortenberry. Windows 2000 Virtual Private Networking. New Riders Publishing, 2001. ISBN: 1-57870-246-1.
• Roberta Bragg. Windows 2000 Security, Chapters 4, 15, and 17. New Riders, 2000. ISBN: 0-7357-0991-2.
• Microsoft Windows 2000 Server Internetworking Guide, a book in the Windows 2000 Resource Kit. Microsoft Press, 2000. Chapter 6, "Demand-Dial Routing," and Chapter 9, "Virtual Private Networking." ISBN: 1-57231-805-8.
• Microsoft Windows 2000 Server Distributed Systems Guide, a book in the Windows 2000 Resource Kit. Microsoft Press, 2000. Chapter 14, "Cryptography for Network and Information System Security," and Chapter 16, "Windows 2000 Certificate Services and Public Key Infrastructure." ISBN: 1-57231-805-8.
• "Virtual Private Networking, an Overview," white paper at http://www.microsoft.com/windows2000/library/howitworks/communications/remoteaccess/vpnoverview.asp.
• "Windows 2000 Virtual Private Networking Supporting Interoperability," a white paper at http://www.microsoft.com/windows2000/library/howitworks/communications/remoteaccess/l2tp.asp.
• "Windows 2000 Virtual Private Networking Scenario," a white paper at http://www.microsoft.com/windows2000/library/howitworks/communications/remoteaccess/w2kvpnscenario.asp.

PART III CONFIGURING, MANAGING, AND TROUBLESHOOTING POLICIES AND RULES

10 Firewall Configuration
11 Manage ISA Server in the Enterprise
12 Access Control in the Enterprise

CHAPTER 10 Firewall Configuration

OBJECTIVES

This chapter covers the following Microsoft-specified objectives for the Configuring, Managing, and Troubleshooting Policies and Rules section of the Installing, Configuring, and Administering Microsoft Internet Security and Acceleration (ISA) Server 2000 exam:

Configure and secure the firewall in accordance with corporate standards.
• Configure the packet filter rules for different levels of security, including system hardening.

Packet filter rules are written to control communication between networks. The ISA Server, by default, does not allow any communication between its networks until some combination of the following allows access:
• Protocol rules and site and content rules: outbound access.
• Publishing rules: inbound access.
• Packet filters: inbound and/or outbound traffic.
• Routing rules: move packets from one interface to another.

The security administrator uses these objects to fulfill a security policy developed by management. System hardening consists of applying security features of the underlying operating system and then supporting their configuration by applying appropriate packet filters and other mechanisms that can keep that configuration stable.

OUTLINE

Introduction 311
Understanding Packet Filters 312
Configuring Packet Filter Rules 312
Examining Default Packet Filters 313
Configuring New Packet Filters 314
Configuring/Enabling IP Packet Filter Properties 316
Configuring and Using Application Filters/Extensions 318
FTP Access Filter 318
HTTP Redirector Filter 319
RPC Filter 320
SOCKS V4 Filter 321
Configuring for System Hardening 321
Pre-Installation Considerations, Lifetime Chores 321
Authentication Rules 322
Outgoing and Incoming Web Requests 322
Authentication Methods 323
The ISA Server Security Configuration Wizard 325
Special Considerations for Perimeter Networks 328
Configuring the LAT 329
Publishing Perimeter Network Servers 330
Troubleshooting Access 330
Chapter Summary 331
Apply Your Knowledge 332
Exercises 332
Review Questions 332
Exam Questions 332
Answers to Review Questions 334
Answers to Exam Questions 334

STUDY STRATEGIES

• If you are not clear on the use of site and content rules, protocol rules, and publishing rules to allow and deny access through the firewall, revisit earlier chapters.
• Examine default packet filters and understand their meaning and use.
• Examine default application filters and understand their meaning and use.
• Keep the following question in your mind: When would I need to use packet filters?
• Go further than the exercises, create many packet filters, and test them. Did they respond the way you felt they should? Can you think of another way to obtain the same effect?

Chapter 10 FIREWALL CONFIGURATION

INTRODUCTION

Configure and secure the firewall in accordance with corporate policies.

Make no mistake, the ultimate responsibility for information system security lies with management. That's right. Although IT is charged with securing the information system infrastructure, it does so only at the direction and blessing of management. Management sets the policy; IT puts it into place. It is important to realize this fact and determine the corporate policy for security before configuring and securing the firewall. What type of access to the Internet does policy allow? What types of externally originating communications are allowed to enter the internal network? If you do not know the answers to these questions, you cannot set the proper filters on the firewall, nor do you know how to set alerts or intrusion detection devices to let you know when attackers are present. You cannot simply use your own judgment as to what communications to block, which to allow, and which outside contact to get excited about. Although your knowledge of typical settings, warnings, bells and whistles is paramount to management's understanding of the problem, it is management directive that colors your implementation.

That said, it is important to know how to put management's plan into action on the ISA Server. Chapter 5, "Outbound Internet Access," described how to use policy elements to construct site and content rules, and protocol rules to allow or deny internal users access to the Internet. Chapter 6, "ISA Server Hosting Roles," illustrated how to provide access for external users to internal resources in the most secure fashion.

This chapter addresses the protection of the internal network from external access and covers these issues:
• Understanding packet filters
• Configuring packet filters
• Configuring and using application filters and extensions
• Configuring for system hardening
• Special considerations for perimeter networks
• Troubleshooting access

UNDERSTANDING PACKET FILTERS

Packet filters are written to allow or block the passage of packets on external interfaces (or perimeter network computers). Decisions are made based on the following information in the packet:
• Protocol and/or ports
• Direction (inbound, outbound, or both)
• The remote computer it came from or is directed to

These decisions can sometimes be accomplished by other means, and it is desirable to do so; however, there are situations where you must use packet filters:
• Publishing servers in a 3-homed perimeter network.
• Running services, such as mail servers and Web servers, on the ISA Server. Packet filters direct the traffic received for the appropriate port to the service.
• Running applications on the ISA Server that need to connect to the Internet. You create direct connections to the Internet for these applications.
• Using protocols other than UDP or TCP. The Web proxy handles HTTP, HTTPS, and FTP. The firewall handles TCP and UDP. All others (examine the ICMP default filters) must be handled by packet filters.

CONFIGURING PACKET FILTER RULES

Configure the packet filter rules for different levels of security, including system hardening.

Although packet filters are generally thought of as devices to control access from the outside, in practice they are used to control the transfer of packets in either direction. They examine the protocol used, and allow or deny (drop the packet) its passage.
Packet filtering is enabled by default in Firewall mode and in Integrated mode.

EXAM TIP: IP Routing and Packet Filtering. If neither packet filtering nor routing is enabled, no rules are applied to incoming packets, and there is no security. Packet filtering alone causes the ISA Server to drop all packets on the external interface unless they are explicitly allowed. You can combine IP routing and packet filtering to route between the Internet and a 3-homed perimeter network. You should never enable IP routing and not enable packet filtering; in this case the ISA Server is no longer a firewall, but a router.

[...] (authentication required).
3. The ISA Server passes this request to the client.
4. The client returns authentication info to the ISA Server.
5. The ISA Server passes this on to the Web server.
6. The client and the Web server communicate directly with each other.

Certificates
SSL server certificates can be used to authenticate the ISA Server to the client when the client requests an object. The server must have a certificate [...]

[...] to an external or internal server, the ISA Server can pass the client authentication information to the other server. It works like this:
1. The client sends a GET request to a Web server and the ISA Server sends it on.
2. The Web server receives the request [...]

[...] (FIGURE 10.3)
HTTP server (port 80): Access to Web servers listening on port 80.
HTTPS server (port 443): Web servers available for SSL connections on port 443.
NetBIOS (WINS client only), both directions: Allows NetBIOS clients to access NetBIOS ports across the ISA Server.
NetBIOS (all), both directions: Allows access by all to NetBIOS ports across the ISA Server.
[...] Determine the IP address [...]

[...] setup of ISA Server drops all packets at the external interface unless it's configured to do otherwise, several default rules exist, including:
• ICMP outbound: The ISA computer can send ICMP messages.
• ICMP ping response (in): The ISA Server can receive inbound ping responses.
• ICMP source quench: The ISA Server receives instructions to slow its packet-sending rate.
• ICMP timeout (in): The ISA Server can [...]

[...] are necessary when setting up ISA Server VPNs.
PPTP receive, inbound and outbound, port 47: Both PPTP call and PPTP receive are necessary when setting up ISA Server VPNs.
SMTP, inbound, port 25: Access to internal SMTP mail.
POP3, inbound, port 110: Access to internal POP3 servers.
Identd, inbound, port 113: Access to Identd server. An Identd service can be installed on the ISA Server.
HTTP server (port 80), inbound, port [...]

[...] Security Configuration Wizard:
Limited Services (Securews.inf or Hisecdc.inf): ISA Server in Integrated mode, or serving as a caching server behind another firewall.
Dedicated (Hisecws.inf or Hisecdc.inf): ISA Server as a dedicated firewall.

STEP BY STEP 10.4 Configuring System Hardening with the Security Configuration Wizard
1. Right-click the ISA Server in the Details pane of Servers and Arrays\name\Computers and select [...]

[...] Intrusion Detection: Disabled. This option is fully described in the section "Configuring Intrusion Detection" later in this chapter.
PPTP Through ISA Firewall: Disabled. Allows PPTP packets to pass through the ISA Server firewall. Use this option to allow packets to and from internal PPTP endpoints to pass. [...]

[...] should not stop once the ISA Server is installed, but should continue for the lifetime of the server. Each new security-related W2K advisory should be examined to see if it affects the ISA Server, and corresponding [...]

[...] unreachable: The ISA Server can receive notice of an unreachable address.
• DHCP Client: The external interface can act as a DHCP client. This rule is disabled by default.
• DNS filter: Requests for DNS lookup can pass.
These default rules can be enabled or disabled by right-clicking on the rule and selecting Disable or Enable.

[...] choices are:
• Default IP addresses for each external interface on the ISA Server computer. Data traveling through all external interfaces is inspected and the filter applied. (FIGURE 10.1 Allowing block transmission)
• This ISA server's external IP address. Indicate the IP address of a particular ISA Server in the array, or of one of the ISA Server's external IP addresses.
• This computer (on the perimeter network) [...]
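As an added illustration of the filtering behaviour described under "Understanding Packet Filters," the IP Routing and Packet Filtering tip, and the default-filter excerpts above (example code written for this page, not ISA Server's own logic): a small Python model of an external-interface filter that drops everything no enabled filter explicitly allows, matching on protocol, direction, local port and remote address. The filter names mirror the chapter's defaults; the port numbers, the remote-network field and the sample addresses are constructed assumptions.

```python
"""Toy model of ISA Server 2000 packet filtering on the external interface.

Constructed example, not ISA Server code. It models the behaviour the
chapter states: with packet filtering enabled, the external interface
drops every packet that no enabled filter explicitly allows; a filter
matches on protocol, direction, local port and remote address; with
packet filtering disabled no rules are applied at all (IP routing alone
makes the box a router, not a firewall).
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class PacketFilter:
    name: str
    protocol: str                     # "tcp", "udp" or "icmp"
    direction: str                    # "in", "out" or "both"
    local_port: Optional[int] = None  # None = any port (ICMP has no port)
    remote: str = "0.0.0.0/0"         # remote host or network; default = any
    enabled: bool = True

    def matches(self, proto: str, direction: str,
                port: Optional[int], remote_ip: str) -> bool:
        """True when this (enabled) filter explicitly allows the packet."""
        return (self.enabled
                and self.protocol == proto
                and self.direction in ("both", direction)
                and (self.local_port is None or self.local_port == port)
                and ip_address(remote_ip) in ip_network(self.remote))


# A subset of the default filters the chapter lists; ports are assumptions.
DEFAULT_FILTERS = [
    PacketFilter("ICMP outbound", "icmp", "out"),
    PacketFilter("ICMP ping response (in)", "icmp", "in"),
    PacketFilter("DNS filter", "udp", "out", 53),
    PacketFilter("DHCP Client", "udp", "in", 68, enabled=False),  # disabled by default
]


def decide(packet: dict, filters: list, packet_filtering: bool = True) -> str:
    """Return "allow" or "drop" for one packet seen on the external interface."""
    if not packet_filtering:
        return "allow"   # no filtering: no rules are applied, nothing is dropped
    for f in filters:
        if f.matches(packet["proto"], packet["dir"], packet["port"], packet["remote"]):
            return "allow"
    return "drop"        # default-deny: nothing explicitly allowed gets through


if __name__ == "__main__":
    # Publishing an internal SMTP server only to a constructed partner network.
    smtp = PacketFilter("SMTP", "tcp", "in", 25, remote="203.0.113.0/24")
    for pkt in ({"proto": "tcp", "dir": "in", "port": 25, "remote": "203.0.113.5"},
                {"proto": "tcp", "dir": "in", "port": 25, "remote": "198.51.100.7"}):
        print(pkt["remote"], decide(pkt, DEFAULT_FILTERS + [smtp]))
```

Switching packet_filtering off reproduces the tip's warning: every packet, including the inbound SMTP attempt from outside the partner network, is passed untouched.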

Posted: 22/01/2014, 00:20
