Chapter 9 ISA VIRTUAL PRIVATE NETWORKS 303
APPLY YOUR KNOWLEDGE
Evaluation of Proposed Solution:
Which result(s) does the proposed solution produce?
A. The proposed solution produces the required result but neither of the optional results.
B. The proposed solution produces the required result and one of the optional results.
C. The proposed solution produces the required result and both of the optional results.
D. The proposed solution does not produce the required result.

6. CrystaBell Productions has hired you to improve communication security between their two locations. Each location has an ISA Server sitting between their internal private network and the Internet.

Required Result:
All communications between the offices must be encrypted.

Optional Desired Results:
Either office can initiate the connection.
The best security algorithms should be used for the job.

Proposed Solution:
Obtain server certificates and be sure they are loaded appropriately on the ISA Server computers. Use the VPN local and remote wizards on the corresponding ISA Servers to create VPN connections. Use all default settings, but select L2TP/IPSec as the tunnel type.

Evaluation of Proposed Solution:
Which result(s) does the proposed solution produce?
A. The proposed solution produces the required result but neither of the optional results.
B. The proposed solution produces the required result and one of the optional results.
C. The proposed solution produces the required result and both of the optional results.
D. The proposed solution does not produce the required result.
Answers to Review Questions
1. Making changes in authentication methods, for example, removing MS-CHAP, or requiring certificates or smart cards. See the sections, “Examining Wizard Results” and “Making Additional Configurations.”
2. Well, Sam could be requiring more restrictive authentication methods and setting up certificates and such. But those things can be done after the wizards. Actually, the wizard does one thing that Sam can’t do. The wizard creates a strong password for the user accounts and does not make this available. Any password that Sam uses must somehow be communicated to the person configuring the remote VPN endpoint. Even if Sam does both connections, he knows the password (the setup person knows the tunnel password). When the wizard creates the password, no one knows it. This is not to say that the wizard can create a stronger password than Sam, or that the password can’t be hacked, just that initially, the tunnel password is not available to anyone. See the section, “Using the Wizard.”
12 mcse CH09 6/5/01 12:07 PM Page 303
3. No static route has been created. See the section, “Without the VPN Wizard.”
4. Each private network is using the same network. Change one of the private networks to something else. See the section, “Without the VPN Wizard.”
5. You must obtain certificates for the tunnel endpoints. You can do so by setting up MS Certificate Services and installing server certificates on each ISA Server. See the section, “Configuring Microsoft Certificate Services.”
6. Yes. The certificates must be from a source trusted by both endpoints. See the section, “Configuring Microsoft Certificate Services.”
Answers to Exam Questions
1. A. Using Windows VPN client software and configuring the ISA Server to allow client connections is the way to go. B is wrong because client systems cannot use the disk. C is wrong. It is not necessary to purchase third-party software. D is wrong. There are no other offices!
2. B. A is incorrect; there already is a VPN set up and they do not want to change it. C is incorrect; the ISA Server will not allow PPTP to pass through by default. D is incorrect; they do not want to remove the existing gateways. See the section, “Configure VPN Pass-Through.”
3. D. A is incorrect. The wizard creates user accounts and passwords. B is incorrect. The wizard configures RRAS with user accounts. C is incorrect. The wizard does this. See the section, “Configure ISA Server as a VPN Endpoint.”
4. A. B and C are incorrect; the default sets up only the remote VPN as the initiator of the connection. PPTP is not as secure as L2TP/IPSec. See the section, “Configure ISA Server as a VPN Endpoint.”
5. B. Configuring server info on the alternative page during the wizard allows both sides to initiate a connection. C is wrong because PPTP is not as secure as L2TP/IPSec. See the section, “Local ISA VPN Wizard—Connection Receiver.”
6. C. Adding L2TP/IPSec makes the tunnel more secure. See the section, “Local ISA VPN Wizard—Connection Receiver.”
Suggested Readings and Resources
Thaddeus Fortenberry. Windows 2000 Virtual Private Networking. New Riders Publishing, 2001. ISBN: 1-57870-246-1.
Roberta Bragg. Windows 2000 Security, Chapters 4, 15, and 17. New Riders, 2000. ISBN: 0-7357-0991-2.
Microsoft Windows 2000 Server Internetworking Guide, a book in the Windows 2000 Resource Kit. Microsoft Press, 2000. Chapter 6, “Demand-Dial Routing,” and Chapter 9, “Virtual Private Networking.” ISBN: 1-57231-805-8.
Microsoft Windows 2000 Server Distributed Systems Guide, a book in the Windows 2000 Resource Kit. Microsoft Press, 2000. Chapter 14, “Cryptography for Network and Information System Security,” and Chapter 16, “Windows 2000 Certificate Services and Public Key Infrastructure.” ISBN: 1-57231-805-8.
“Virtual Private Networking, an Overview,” white paper at http://www.microsoft.com/windows2000/library/howitworks/communications/remoteaccess/vpnoverview.asp.
“Windows 2000 Virtual Private Networking Supporting Interoperability,” a white paper at http://www.microsoft.com/windows2000/library/howitworks/communications/remoteaccess/l2tp.asp.
“Windows 2000 Virtual Private Networking Scenario,” a white paper at http://www.microsoft.com/windows2000/library/howitworks/communications/remoteaccess/w2kvpnscenario.asp.
PART III
CONFIGURING, MANAGING, AND TROUBLESHOOTING POLICIES AND RULES
10 Firewall Configuration
11 Manage ISA Server in the Enterprise
12 Access Control in the Enterprise
CHAPTER 10
Firewall Configuration

OBJECTIVES
This chapter covers the following Microsoft-specified objectives for the Configuring, Managing, and Troubleshooting Policies and Rules section of the Installing, Configuring, and Administering Microsoft Internet Security and Acceleration (ISA) Server 2000 exam:

Configure and secure the firewall in accordance with corporate standards.
• Configure the packet filter rules for different levels of security, including system hardening.

Packet filter rules are written to control communication between networks. The ISA Server, by default, does not allow any communication between its networks until some combination of the following allows access:
• Protocol rules and site and content rules—outbound access.
• Publishing rules—inbound access.
• Packet filters—inbound and/or outbound traffic.
• Routing rules—move packets from one interface to another.

The security administrator uses these objects to fulfill a security policy developed by management. System hardening consists of applying security features of the underlying operating system and then supporting their configuration by applying appropriate packet filters and other mechanisms that can keep that configuration stable.
OUTLINE
Introduction 311
Understanding Packet Filters 312
Configuring Packet Filter Rules 312
  Examining Default Packet Filters 313
  Configuring New Packet Filters 314
  Configuring/Enabling IP Packet Filter Properties 316
Configuring and Using Application Filters/Extensions 318
  FTP Access Filter 318
  HTTP Redirector Filter 319
  RPC Filter 320
  SOCKS V4 Filter 321
Configuring for System Hardening 321
  Pre-Installation Considerations, Lifetime Chores 321
  Authentication Rules 322
    Outgoing and Incoming Web Requests 322
    Authentication Methods 323
  The ISA Server Security Configuration Wizard 325
Special Considerations for Perimeter Networks 328
  Configuring the LAT 329
  Publishing Perimeter Network Servers 330
Troubleshooting Access 330
Chapter Summary 331
Apply Your Knowledge 332
  Exercises 332
  Review Questions 332
  Exam Questions 332
  Answers to Review Questions 334
  Answers to Exam Questions 334

STUDY STRATEGIES
• If you are not clear on the use of site and content rules, protocol rules, and publishing rules to allow and deny access through the firewall, revisit earlier chapters.
• Examine default packet filters and understand their meaning and use.
• Examine default application filters and understand their meaning and use.
• Keep the following question in your mind: When would I need to use packet filters?
• Go further than the exercises: create many packet filters, and test them. Did they respond the way you felt they should? Can you think of another way to obtain the same effect?
INTRODUCTION
Configure and secure the firewall in accordance with corporate policies.

Make no mistake, the ultimate responsibility for information system security lies with management. That’s right. Although IT is charged with securing the information system infrastructure, it does so only at the direction and blessing of management. Management sets the policy; IT puts it into place.

It is important to realize this fact and determine the corporate policy for security before configuring and securing the firewall. What type of access to the Internet does policy allow? What types of externally originating communications are allowed to enter the internal network? If you do not know the answers to these questions, you cannot set the proper filters on the firewall, nor do you know how to set alerts or intrusion detection devices to let you know when attackers are present. You cannot simply use your own judgment as to which communications to block, which to allow, and which outside contact to get excited about. Although your knowledge of typical settings, warnings, bells and whistles is paramount to management’s understanding of the problem, it is management directive that colors your implementation.

That said, it is important to know how to put management’s plan into action on the ISA Server. Chapter 5, “Outbound Internet Access,” described how to use policy elements to construct site and content rules, and protocol rules to allow or deny internal users access to the Internet. Chapter 6, “ISA Server Hosting Roles,” illustrated how to provide access for external users to internal resources in the most secure fashion.

This chapter addresses the protection of the internal network from external access and covers these issues:
• Understanding packet filters
• Configuring packet filters
• Configuring and using application filters and extensions
• Configuring for system hardening
• Special considerations for perimeter networks
• Troubleshooting access
UNDERSTANDING PACKET FILTERS
Packet filters are written to allow or block the passage of packets on external interfaces (or perimeter network computers). Decisions are made based on the following information in the packet:
• Protocol and/or ports
• Direction (inbound, outbound, or both)
• The remote computer it came from or is directed to

These decisions can sometimes be accomplished by other means, and it is desirable to do so; however, there are situations where you must use packet filters:
• Publishing servers in a 3-homed perimeter network.
• Running services, such as mail servers and Web servers, on the ISA Server. Packet filters direct the traffic received for the appropriate port to the service.
• Running applications on the ISA Server that need to connect to the Internet. You create direct connections to the Internet for these applications.
• Using protocols other than UDP or TCP. The Web proxy handles HTTP, HTTPS, and FTP. The firewall handles TCP and UDP. All others (examine the ICMP default filters) must be handled by packet filters.
CONFIGURING PACKET FILTER RULES
Configure the packet filter rules for different levels of security, including system hardening.

Although packet filters are generally thought of as devices to control access from the outside, in practice they are used to control the transfer of packets in either direction. They examine the protocol used, and allow or deny (drop the packet) its passage. Packet filtering is enabled by default in Firewall mode and in Integrated mode.

EXAM TIP: IP Routing and Packet Filtering. If neither packet filtering nor routing is enabled, no rules are applied to incoming packets, and there is no security. Packet filtering alone causes the ISA Server to drop all packets on the external interface unless they are explicitly allowed. You can combine IP routing and packet filtering to route between the Internet and a 3-homed perimeter network. You should never enable IP routing and not enable packet filtering; in this case the ISA Server is no longer a firewall, but a router.
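The default-deny rule just described (drop everything on the external interface unless a filter explicitly allows it), the decision criteria listed under Understanding Packet Filters (protocol, port, direction, remote computer), and the enabled/disabled state of a filter can be modelled in a few lines. The following is an added example written for this page; it is not ISA Server code and not from the book. The ICMP type numbers, the reading of the "DNS filter" as UDP port 53 outbound, the rule that a matching block filter takes precedence over an allow filter, and the sample addresses are this example's own assumptions.

```python
# Added example: a small model of ISA Server-style packet filtering on the
# external interface. Constructed for illustration; not ISA Server's own code.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    protocol: str                    # "tcp", "udp" or "icmp"
    direction: str                   # "in" = arriving from the Internet, "out" = leaving for it
    remote: str                      # address of the remote (Internet-side) computer
    port: Optional[int] = None       # destination port for TCP/UDP
    icmp_type: Optional[int] = None  # ICMP type (0 echo reply, 8 echo request, ...)


@dataclass(frozen=True)
class PacketFilter:
    name: str
    action: str                      # "allow" or "block"
    protocol: str
    direction: str                   # "in", "out" or "both"
    port: Optional[int] = None       # None = any port
    icmp_type: Optional[int] = None  # None = any ICMP type
    remote: Optional[str] = None     # None = any remote computer
    enabled: bool = True             # a disabled filter is ignored, like right-click "Disable"

    def matches(self, p: Packet) -> bool:
        """True when every field the filter specifies agrees with the packet."""
        return (
            self.enabled
            and self.protocol == p.protocol
            and self.direction in ("both", p.direction)
            and (self.port is None or self.port == p.port)
            and (self.icmp_type is None or self.icmp_type == p.icmp_type)
            and (self.remote is None or self.remote == p.remote)
        )


def default_filters() -> List[PacketFilter]:
    """Filters modelled on the defaults the chapter lists. The ICMP type numbers
    and the UDP/53 reading of the DNS filter are this example's assumptions."""
    return [
        PacketFilter("ICMP outbound", "allow", "icmp", "out"),
        PacketFilter("ICMP ping response (in)", "allow", "icmp", "in", icmp_type=0),
        PacketFilter("ICMP source quench", "allow", "icmp", "in", icmp_type=4),
        PacketFilter("ICMP timeout (in)", "allow", "icmp", "in", icmp_type=11),
        PacketFilter("ICMP unreachable", "allow", "icmp", "in", icmp_type=3),
        PacketFilter("DHCP client", "allow", "udp", "in", port=68, enabled=False),  # off by default
        PacketFilter("DNS filter", "allow", "udp", "out", port=53),
    ]


def evaluate(p: Packet, filters: List[PacketFilter],
             packet_filtering: bool = True) -> Tuple[str, str]:
    """Decide the fate of one packet on the external interface; returns (decision, reason).

    With packet filtering off nothing is inspected, which is the "router, not a
    firewall" situation the exam tip warns about. With it on, a packet is dropped
    unless an enabled allow filter matches it; a matching block filter wins over
    any allow filter (an assumption of this model)."""
    if not packet_filtering:
        return "pass", "packet filtering disabled: no rule consulted"
    hits = [f for f in filters if f.matches(p)]
    blocks = [f for f in hits if f.action == "block"]
    if blocks:
        return "drop", f"blocked by '{blocks[0].name}'"
    allows = [f for f in hits if f.action == "allow"]
    if allows:
        return "allow", f"allowed by '{allows[0].name}'"
    return "drop", "no matching allow filter (default deny)"


# Constructed rule set: the defaults plus filters for services run on the ISA Server
# itself, and one block filter pinned to a single (constructed) remote address.
FILTERS = default_filters() + [
    PacketFilter("HTTP server (port 80)", "allow", "tcp", "in", port=80),
    PacketFilter("SMTP", "allow", "tcp", "in", port=25),
    PacketFilter("block noisy host", "block", "tcp", "in", port=80, remote="203.0.113.9"),
]

# Constructed sample traffic (documentation addresses, not real hosts).
SAMPLE: Dict[str, Packet] = {
    "web from anywhere": Packet("tcp", "in", "198.51.100.7", port=80),
    "web from blocked host": Packet("tcp", "in", "203.0.113.9", port=80),
    "rdp inbound": Packet("tcp", "in", "198.51.100.7", port=3389),
    "ping request inbound": Packet("icmp", "in", "198.51.100.7", icmp_type=8),
    "ping reply inbound": Packet("icmp", "in", "198.51.100.7", icmp_type=0),
    "dhcp offer inbound": Packet("udp", "in", "198.51.100.1", port=68),
    "dns query outbound": Packet("udp", "out", "198.51.100.53", port=53),
}


def decide_all(packet_filtering: bool = True) -> Dict[str, str]:
    """Map each sample packet name to its decision under the given mode."""
    return {name: evaluate(p, FILTERS, packet_filtering)[0] for name, p in SAMPLE.items()}


if __name__ == "__main__":
    for name, p in SAMPLE.items():
        print(f"{name:24s} -> {evaluate(p, FILTERS)}")
    print("with packet filtering off:", decide_all(packet_filtering=False))
```

Running it shows why the tip insists on packet filtering: with it on, only the published ports, the listed ICMP replies and the outbound DNS query get through, an inbound ping request and an inbound RDP attempt are dropped for lack of any allow filter, and the disabled DHCP client filter contributes nothing; with it off, every sample packet passes uninspected.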
[...] setup of ISA Server drops all packets at the external interface unless it’s configured to do otherwise, several default rules exist, including:
• ICMP outbound: The ISA computer can send ICMP messages.
• ICMP ping response (in): The ISA Server can receive inbound ping responses.
• ICMP source quench: The ISA Server receives instructions to slow its packet-sending rate.
• ICMP timeout (in): The ISA Server can [...]
• [...] unreachable: The ISA Server can receive notice of an unreachable address.
• DHCP Client: The external interface can act as a DHCP client. This rule is disabled by default.
• DNS filter: Requests for DNS lookup can pass.
These default rules can be enabled or disabled by right-clicking on the rule and selecting Disable or Enable.

[...] choices are:
• Default IP addresses for each external interface on the ISA Server computer. Data traveling through all external interfaces is inspected and the filter applied.
• This ISA Server’s external IP address. Indicate the IP address of a particular ISA Server in the array, or of one of the ISA Server’s external IP addresses.
• This computer (on the perimeter network) [...]
(FIGURE 10.1: Allowing block transmission.)

[...] Default packet filters (table fragments, columns as far as they can be recovered):
• HTTP server (port 80): Inbound port [...]. Access to Web servers listening on port 80.
• HTTPS server (port 443): [...] Web servers available for SSL connections on port 443.
• NetBIOS (WINS client only): Both directions. Allows NetBIOS clients to access NetBIOS ports across the ISA Server.
• NetBIOS (all): Both directions. Allows access by all to NetBIOS ports across the ISA Server.
• [...] are necessary when setting up ISA Server VPNs.
• PPTP receive: Inbound and outbound port 47. Both PPTP call and PPTP receive are necessary when setting up ISA Server VPNs.
• SMTP: Inbound port 25. Access to internal SMTP mail.
• POP3: Inbound port 110. Access to internal POP3 servers.
• Identd: Inbound port 113. Access to Identd server. An Identd service can be installed on the ISA Server.
(FIGURE 10.3: Determine the IP address.)

[...] Intrusion Detection: Disabled. This option is fully described in the section, “Configuring Intrusion Detection,” later in this chapter.
PPTP Through ISA Firewall: Disabled. Allows the PPTP packets to pass through the ISA Server firewall. Use this option to allow packets to and from internal PPTP endpoints to pass.

[...] should not stop once the ISA Server is installed, but should continue for the lifetime of the server. Each new security-related W2K advisory should be examined to see if it affects the ISA Server, and corresponding [...]

[...] to an external or internal server, the ISA Server can pass the client authentication information to the other server. It works like this:
1. The client sends a GET request to a Web server and the ISA Server sends it on.
2. The Web server receives the request [...] (authentication required).
3. The ISA Server passes this request to the client.
4. The client returns authentication info to the ISA Server.
5. The ISA Server passes this on to the Web server.
6. The client and the Web server communicate directly with each other.

Certificates. SSL server certificates can be used to authenticate the ISA Server to the client when the client requests an object. The server must have a certificate [...]

[...] Security Configuration Wizard (table fragment: level, description, template):
• Limited Services: ISA Server in Integrated mode or serving as a caching server behind another firewall. Securews.inf or Hisecdc.inf.
• Dedicated: ISA Server as a dedicated firewall. Hisecws.inf or Hisecdc.inf.

STEP BY STEP 10.4 Configuring System Hardening with the Security Configuration Wizard
1. Right-click the ISA Server in the Details pane of Servers and Arrays\name\Computers and select [...]
á Publishing servers in a 3-home perimeter network.
á Running services, such as mail servers and Web servers on the
ISA server. Packet filters. case the ISA Server is no longer a
firewall, but a router.
EXAM
14 mcse CH10 6/5/01 12:08 PM Page 312
Please purchase PDF Split-Merge on www.verypdf.com