On the other hand, from the technical point of view several evaluations
have to be made. The amount of traffic our network is exposed to might
increase over a short period. If one server becomes unavailable, other
servers must take over the firewall protection functions or our network
will be exposed. Fault tolerance, scalability and ease of administration
are very important technical considerations. Finally, it is important to
evaluate firewalls not only in terms of what they cost now, but also in
terms of continuing costs such as technical support and version upgrades.
Microsoft ISA Server Firewall Design
Microsoft ISA Server can implement server "arrays". An array is a set of
computers running Microsoft ISA Server that share a collection of recently
requested web pages and the requests made by internet clients (the cache).
The ISA Server cache can be distributed and shared by multiple computers
in arrays or chains of arrays. This helps internet clients obtain content
from the ISA Server cache closest to them and retrieve web pages faster.
Caching and hit requirements are very important technical considerations.
ISA Server can be deployed as a caching server, which keeps a cache
of frequently requested objects and pages accessed by clients. In
this scenario, it is very important to consider the number of internal
web clients the server is going to support.
When planning for hit requirements, you might, for example, place an ISA
Server computer between the corporate network and a Human Resources
intranet application. The more hits that web application receives, the
more powerful the hardware will need to be.
Memory depends on the size of the content you are caching. All content
should fit in memory, with an additional 256 MB of room for server
operations. For every additional 150 hits, add an additional server
according to the content being published.
Microsoft Internet Security and Acceleration Server Features
ISA Server offers several security and firewall features. Access policies
based on user information or IP addresses can be applied throughout
the network. Rules that block unauthorized access or malicious content
and web sites can be deployed centrally, preventing branch administrators
from changing the corporate firewall rules or information security
policies. ISA Server includes several security options:
IP Packet Filters and Publishing Rules. Site and content publishing
rules can be defined to control how and which internal clients access
the internet. Protocol rules and filters can be applied to manage inbound
and outbound communication.
Application Specific Filters. Session information can be accessed
to analyze application-specific rules and filters. Application-level
protocols and packets can be examined to provide an extra layer of
security. Virus checking filters are commonly used.
Intrusion Detection. This feature helps identify when and who
is trying to attack your network. Alerts and actions can be configured
to inform a security officer in case of an attack.
VPN Support. ISA Server can be used to encapsulate private
data over a public network. A VPN server is often used to provide
access to internal applications over the internet, or to communicate
securely with branch offices (Bank Scenario).
Sorry But...Extend The Schema
If we want to set up an array chain, ISA Server modifies the Windows 2000
schema: an extension to Active Directory must be installed in the ISA
Server domain. Before performing this action, it is recommended to analyze
how this might impact your network and directory services replication.
You can also install ISA Server as a stand-alone server, where all the
configuration is saved to the registry.
In order to expand the schema of Active Directory, you must be an
Administrator on the local computer. You must also be a member of
the Enterprise Admins and Schema Admins groups. This process copies
the ISA Server schema information to Active Directory, and it is irreversible.
To import the Microsoft ISA Server schema into Active Directory:
1. Click Start, and then click Run. The Run... dialog box appears.
2. In the Run... dialog box, type drive\ISA\i386\msisaent, where drive is the Microsoft ISA Server CD drive.
3. You can run msisaent -q to expand the schema without having to click or answer any prompts.
Warning: This process is irreversible because Active Directory
does not support deletion of classes.
Using an array chain has several advantages. You can use "array policies"
to create security rules that apply to a specific group of servers.
"Enterprise policies" are higher-level rules that can be applied
to any array chain. In a bank scenario, this allows Security Officers
to define corporate-wide security policies and branch administrators
to further restrict access (without changing the corporate restrictions).
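The two-level policy hierarchy just described, as an added illustrative model (not ISA Server's own API or rule format): an enterprise policy that every array inherits, and an array policy that can only add denies on top of it. The rule matching, the "deny before allow" ordering and the sample destinations are constructed assumptions for this example.

```python
from dataclasses import dataclass, field

# Constructed model of ISA Server's enterprise/array policy layering.
# Not ISA Server's API: rule format and evaluation order are assumptions.

@dataclass(frozen=True)
class Rule:
    action: str           # "allow" or "deny"
    destination: str      # exact host, "*.suffix" wildcard, or "*" for any
    protocol: str = "*"   # e.g. "http", or "*" for any protocol

    def matches(self, dest: str, proto: str) -> bool:
        if self.destination == "*":
            dest_ok = True
        elif self.destination.startswith("*."):
            dest_ok = dest.endswith(self.destination[1:])
        else:
            dest_ok = dest == self.destination
        return dest_ok and self.protocol in ("*", proto)

@dataclass
class Policy:
    rules: list = field(default_factory=list)

    def decide(self, dest: str, proto: str, default: str = "deny") -> str:
        # Deny rules are checked before allow rules, so a matching deny wins.
        for action in ("deny", "allow"):
            if any(r.action == action and r.matches(dest, proto) for r in self.rules):
                return action
        return default

def effective_decision(enterprise: Policy, array: Policy, dest: str, proto: str) -> str:
    """Enterprise (corporate) policy is evaluated first; the array (branch)
    policy may only add denies, never re-allow what corporate denied."""
    if enterprise.decide(dest, proto) == "deny":
        return "deny"
    return array.decide(dest, proto, default="allow")

# Constructed sample: Security Officers permit web browsing but block one
# site category; a branch adds a restriction and (ineffectively) an allow.
ENTERPRISE = Policy([
    Rule("deny", "*.gambling.example"),
    Rule("allow", "*", "http"),
    Rule("allow", "*", "https"),
])
BRANCH_ARRAY = Policy([
    Rule("deny", "social.example", "http"),
    Rule("allow", "casino.gambling.example", "http"),  # cannot override corporate deny
])

if __name__ == "__main__":
    for dest, proto in [("intranet.example", "http"), ("social.example", "http"),
                        ("casino.gambling.example", "http"), ("files.example", "ftp")]:
        print(f"{dest:26s} {proto:5s} -> {effective_decision(ENTERPRISE, BRANCH_ARRAY, dest, proto)}")
```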
Selecting the Features
During the setup process, you can select between different modes:
firewall, cache and integrated. Depending on the mode selected, different
features are available.
Selecting between different installation modes:
1. Click Start, and then click Run. The Run... dialog box appears.
2. In the Run... dialog box, type drive\ISA\Setup.exe, where drive is the Microsoft ISA Server CD drive.
3. Follow the on-screen instructions and select the installation mode.
ISA Server Services are always installed to perform firewall functions.
You can also install different components, including ISA Server Management
and ISA Server Extensions. If you are going to use remote administration,
you can install the ISA Management tools to manage one or more arrays
of servers. Terminal Server can also be used to manage a remote stand-alone
server. ISA Server Extensions are default application filters provided by
Microsoft. A Message Screener is provided to filter and secure e-mail
communications, and an H.323 Gatekeeper service protocol filter manages
audio-visual applications and allows conferencing applications.
About the Author:
Leonard Loro, MCSE, MCSD, ISS, MCT, CCNA, is a recognized e-Business
specialist. His experience includes engaging, managing and implementing
large consulting projects for government agencies and companies like
Microsoft, Nissan as well as other Fortune 500's. Leonard can be reached
at Leonardo.loro@enresource.com.
Read this newsletter at: http://www.securitypronews.com/2004/0204.html
From the Forum:
Viruses, worms, and computer platforms
I hate to open a thread that can turn into a big computer platform debate, but every time a new worm or trojan horse runs rampant on the Internet, I'm given a warm, pleasant feeling by the fact that my company (http://www.jlist.com) is an all-Mac company. Happily, the same reasons Macs can't run PC software protect them from damage in times like this. A virus on my computer is just a non-executable file. For the same reasons companies avoid a "one source supplier," I believe it's valid that companies choose a computing system that isn't going to be vulnerable to the same weaknesses as the rest of the world. Our choice of using Macs has been a huge competitive advantage for us during the last 7 years.
I wonder how many on this list do their design with Macs? Since all the tools are cross-platform, I'll bet there are quite a few.