Category - ISA

What are IDS and IPS, and how do they protect network environments?

IDS AND IPS PLACEMENT FOR NETWORK PROTECTION

Introduction:
This paper discusses the factors affecting proper placement of Intrusion Detection and Prevention System (IDS/IPS) sensors in computer networks. The differences between IDS and IPS capabilities and the limitations of existing systems are explored. Given this background, appropriate deployment scenarios for IDS/IPS technologies are presented, as well as some consequences of improper placement. Finally, security implications for network design and possible future enhancements to existing IDS/IPS systems are discussed.
IDS and IPS Technologies:
Intrusion Detection and Intrusion Prevention Systems, IDS and IPS respectively, are mature network-level defenses deployed in thousands of computer networks worldwide. The basic difference between the two technologies lies in how they provide protection for network environments. Intrusion Detection Systems (IDS) analyze network traffic and generate alerts when malicious activity is discovered. They are generally able to reset TCP connections by issuing specially crafted packets after an attack begins, and some are even able to interface with firewall systems to rewrite firewall rulesets on the fly. The limitation of Intrusion Detection Systems is that they cannot preempt network attacks, because IDS sensors are based on packet-sniffing technologies that only watch network traffic as it passes by. Intrusion Prevention Systems (IPS) perform the same analysis as Intrusion Detection Systems but, because they are inserted in-line between other network components, they can preempt malicious activity. In contrast to IDS sensors, network traffic flows through an IPS sensor, not past it, so the IPS sensor can pull or drop traffic from the wire. This is the critical difference between IDS and IPS, and it has implications for how both can be used. Because IPS sensors require traffic to flow through them, they can only be deployed at network choke points, while IDS sensors can provide much broader network coverage.
Preliminary Information:
Before discussing sensor placement, the target network should be analyzed and choke points identified. A choke point is any point in a network where traffic is limited to a small number of connections. An example is usually a company's Internet boundary, where traffic crosses only a router and a firewall. The links between the router and firewall are perfect choke points and good places to consider placing IPS sensors. Another consideration is high-value network assets. Business-critical systems and infrastructure, such as server farms or databases, may warrant additional protection in the form of dedicated IPS or IDS sensors. Of course, some of these assets can be protected by host-based IDS or IPS software agents in addition to, or instead of, targeted network-level sensors.
Intrusion Prevention Sensor Placement:
IPS sensors require network choke points; they are meant to be deployed between other network infrastructure components. An IPS sensor can only provide protection if traffic flows through it. As we've seen, an Internet boundary is usually a good choke point, but there is another consideration in this case: do we position a sensor inside or outside the firewall? If we go outside, one sensor will protect the internal network and any DMZ networks behind the firewall. The downside is that the sensor requires much more tuning to lower the noise level. Being outside the firewall means the sensor sees everything, even traffic the firewall would block. In this case, the IPS administrator needs to adjust the IPS policy or rule set so that traffic the firewall will block either doesn't get inspected by the IPS or doesn't cause the IPS to generate alerts. This assumes that the administrator doesn't want to know about every inbound attack. In most corporate environments this is true, but there are a few environments where it isn't; the individual administrator and their superiors must decide.

The flip side of this scenario is to place an IPS sensor inside, or behind, the firewall. Here, the firewall blocks traffic and therefore limits what the IPS needs to inspect, improving efficiency. The trade-off is the number of sensors needed to provide the same level of protection as an externally placed sensor. Most commercially available sensors offer coverage for several physical network links in a single chassis or other hardware platform. Generally, the higher the number of links, the higher the cost. Highly available networks add cost and complexity to both scenarios by increasing the number of physical links being protected. The decision of whether to protect the passive or fail-over side of a high-availability pair lies with the system administrator and their superiors.

This discussion was specific to an Internet boundary, but other likely choke points may exist. Many organizations maintain extranet connections to business partners that are consolidated on firewall- or VPN-protected networks. Placing an IPS sensor behind such a firewall or VPN concentrator protects one network from the other. In the case of VPN networks, care must be taken to inspect the unencrypted side of the VPN tunnel. There may even be choke points and boundaries within a network where IPS sensors can be deployed: between departments or business units, or between users and critical systems like databases.

But what if a given network has no choke points? Flat networks are trouble for IPS sensors. But, in some cases, choke points can be created. Consider a switched network using one or no VLANs. On a single switch, different ports can be assigned to different VLANs. Creating two VLANs and bridging them with an IPS sensor creates a protected choke point. Network engineers will see this as an oddity, and they are right, but in a pinch it works and allows different portions of the network to be protected from each other.

Another problem for IPS deployments is the wide-area network, or WAN. IPS sensors can be used in wide-area networks but require positioning between distributed local area networks and the WAN cloud. This most likely translates to one IPS sensor at each remote location and one or more sensors at any central or large sites. Obviously, then, IPS deployments in WAN environments can be expensive. I will leave one possibility up to the network engineers: in a hub-and-spoke WAN, it might be possible to leverage VLANs as discussed previously to get all traffic inspected by a single, centralized IPS sensor. This option is highly dependent on the given network infrastructure and also depends on all WAN traffic traversing the network through a single site.
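As an added illustration of the choke-point analysis the paper asks for before placing IPS sensors (this is example code, not part of the paper), the script below models a constructed topology with a high-availability firewall pair, a DMZ and a partner extranet, and lists the minimal link sets whose removal separates a source network from a protected asset. Size-1 sets are single-sensor IPS placements; size-2 sets are what high availability turns a choke point into (two sensors or a multi-link chassis). All node names are made up for the example.

```python
"""Choke-point finder for IPS sensor placement (added example, not from the paper).

A choke point is a set of links that all traffic between two parts of the network
must cross.  The constructed topology is an undirected graph; we brute-force the
minimal link sets (size 1 or 2) whose removal disconnects a source from an asset.
"""
from itertools import combinations

# Constructed topology: dual-firewall HA Internet edge plus an extranet VPN link.
LINKS = [
    ("internet", "edge-router"),
    ("edge-router", "fw-a"), ("edge-router", "fw-b"),      # HA firewall pair
    ("fw-a", "core"), ("fw-b", "core"),
    ("fw-a", "dmz"), ("fw-b", "dmz"),
    ("core", "server-farm"), ("core", "users"),
    ("partner-extranet", "vpn-concentrator"), ("vpn-concentrator", "core"),
]


def adjacency(links):
    """Build an undirected adjacency map from a list of (a, b) links."""
    adj = {}
    for a, b in links:
        adj.setdefault(a, set()).add(b)
        adj.setdefault(b, set()).add(a)
    return adj


def connected(links, src, dst):
    """Depth-first search: can dst still be reached from src over these links?"""
    adj = adjacency(links)
    seen, stack = {src}, [src]
    while stack:
        node = stack.pop()
        if node == dst:
            return True
        for nxt in adj.get(node, ()):
            if nxt not in seen:
                seen.add(nxt)
                stack.append(nxt)
    return False


def choke_points(links, src, dst, max_size=2):
    """Minimal link sets of size <= max_size whose removal separates src from dst.

    Returns a list of tuples of links, smallest sets first.  A candidate that
    contains an already-found smaller cut is skipped, so every result is minimal.
    """
    cuts = []
    for size in range(1, max_size + 1):
        for combo in combinations(links, size):
            if any(set(c) <= set(combo) for c in cuts):
                continue
            remaining = [link for link in links if link not in combo]
            if not connected(remaining, src, dst):
                cuts.append(combo)
    return cuts


if __name__ == "__main__":
    for src, dst in (("internet", "server-farm"), ("partner-extranet", "server-farm")):
        print(f"choke points between {src} and {dst}:")
        for cut in choke_points(LINKS, src, dst):
            print("  ", " + ".join(f"{a}<->{b}" for a, b in cut))
```

In this topology the Internet edge has two single-link choke points (the Internet uplink and the server-farm link), while the HA firewall pair only yields two-link sets, which is the extra-sensor cost the paper attributes to highly available designs.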
Intrusion Detection Sensor Placement:
As previously mentioned, Intrusion Detection System (IDS) sensors are more flexible and less capable than IPS sensors.  Nonetheless, IDS sensors can be substituted for IPS sensors in all of the examples previously given and some of the same caveats apply, particularly when considering placement around firewalls.  Importantly, though, IDS sensors forgo the need for in-line placement common to IPS sensors.  IDS sensors can be connected to network taps or switch analysis ports, commonly known as SPAN ports.  Both types of connections simply copy network traffic for presentation to and analysis by the IDS sensor. This means that IDS can provide security event detection with fewer sensors than IPS can, although the level of protection is far less.
For example, switched network backbones are ideal for IDS sensor deployment. Depending on the amount of traffic being inspected, a few or perhaps even one IDS sensor can provide coverage for an entire network. In fact, any switch that can enable an analysis port is a possible deployment site for an IDS sensor.
Implications for future IDS/IPS technologies:
Clearly, existing IDS and IPS technologies have some limits, the need to protect at choke points only being chief among them. Aside from increases in processing speed, yielding the ability to inspect and protect more data per second, it seems that incorporating IDS and IPS technology into the network infrastructure is a logical next step. Some vendors are already providing something like this in the form of add-on modules or blades for existing switches. But I think we will begin to see a hybridization of switch and security technologies in the next few years: a single device that appears to be a switch but has enough intelligence to perform a security analysis of not just every packet crossing the backplane but to keep state on and watch every conversation, a session in network parlance. Such a device eliminates the need for separate IDS or IPS sensors sitting in the network and can conceivably protect systems on adjoining ports from each other, which is possible but cost-prohibitive using today's technology. These hybrid devices will be much more than just a switch with IPS. They will both require new technologies within the switch chassis and enable new network architectures without. Whenever these devices arrive, however, the need for them exists today.

Do note, however, that the foregoing discussion does not mention firewalls. The merger of firewalls and IPS/IDS technologies isn't necessarily logical. Firewalls are designed for very rapid inspection of packet headers so they can make very rapid decisions about passing traffic. Intrusion Detection and Prevention Systems are designed to delve far deeper into packets and entire network sessions. I think it will be many years before we see network devices that can effectively deal with both of these jobs.

What is Internet Security and Acceleration Server (ISA Server)?

Internet Security & Acceleration Server (2004)

History:  Proxy 1.0, Proxy 2.0, ISA 2000, ISA 2004, ISA 2006

Outline:

  1. Introduction to ISA Server
  2. ISA server Installation
  3. Configuring ISA as Caching Server
  4. Configuring ISA as Firewall
  5. Configuring ISA as VPN Gateway
  6. ISA Server Maintenance

Books: ISA Server and Beyond (Thomas Shinder)

Note:   

  1. netstat -r or route print (to see the routing table)
  2. paktender.com website by Corvit Networks
  3. net view \\PCNAME (to see the shared folders on a computer)
  4. dyndns.com: free service to resolve the live IP of the VPN server
  5. www.who.is: site for DNS domain name lookups

ISA SERVER

Internet Assigned Number Authority (IANA.org)

It allocates network IDs; if you need a public IP address, contact an ISP.

From this web site you can also check which ports applications such as Yahoo Messenger or web chat use.

Introduction to ISA Server

In security terms there are two network types:

ISA acts as a firewall between the trusted and the untrusted network.

The name ISA contains two words, security and acceleration:

Security word:   By default ISA blocks all kinds of traffic (inbound/outbound) except some of ISA's own traffic, e.g. ISA can ping any client on the LAN (ping traffic from ISA to clients is allowed by default).

Trusted Network:            Secure network with legitimate traffic, no viruses, Trojans etc., e.g. the LAN

Un-trusted Network:     Insecure network, e.g. the Internet

The basic purpose of ISA is to be a firewall and caching-only server.

Installation type Custom:

Firewall Services                                             (selected by default)

ISA server management                               (selected by default)

Firewall client installation share (not selected by default; select it)

It creates the "mspclnt" share folder used to install the firewall client.

Acceleration word:          It provides high speed cache

ISA Server 2004 Installation

1-      Message screener                                   (not selected by default)

Select it if you want to scan incoming SMTP traffic for Exchange.

Note: net view \\PCNAME

shows the shared folders on a computer; after you install the "Firewall client installation share", the mspclnt folder will be available on the computer.

Internal Network:

Private scheme / addresses ("RFC 1918", Internet Assigned Numbers Authority)

Class A:                 10.0.0.0/8                            255.0.0.0

Class B:                 172.16.0.0/12                     255.240.0.0

Class C:                 192.168.0.0/16                   255.255.0.0

Option: Allow computers running earlier versions of firewall client software to connect.

This allows computers with an older version of the ISA firewall client to connect.

————End Installation————-

ISA Clients:

Three types of ISA clients

  1. Web proxy client:    (IE-Internet Explorer proxy settings)
  2. Firewall client            (Install firewall client: mspclnt)
  3. Secure NAT client    (Configure default gateway with address of ISA server at client)

This is also called a transparent proxy; it is the recommended way.

If security is not the main concern, use the transparent proxy.

Configuring ISA as a Cache Server:

Caching Types:

Note: normally when we talk about cache we mean RAM, but in the case of ISA Server cache means space on the hard disk. By default the cache is not configured in ISA Server, and it needs an NTFS drive. When the ISA Server cache is configured, a URLCACHE folder is created containing a file named dir1.cdat.

Group 1:              Active/Passive Cache: one cache type is used at a time

The master site tells ISA how long it may hold the site in its cache, e.g. 60 min.

  1. Active caching                                           Automatic update of objects
  2. Passive caching (default)                    On-demand object update on client request

When an object/page expires it remains in the cache until a client requests it; on that request it is refreshed from the master site.

Group 2:               Forward/Reverse Cache

  3. Forward caching

Forward caching is used for outbound or outgoing requests from the private network.

  4. Reverse caching

Reverse caching is used for inbound or incoming requests from the Internet.

Group 3:              These two types are unrelated to each other

  5. Distributed caching

Caching that involves more than one ISA server is called distributed caching, e.g. an array or a chain.

  6. Negative caching (enabled by default)

Definition: caching of HTTP status codes other than 200 is called negative caching.

Protocol communication is done in the form of status codes:

  • Status code (SMTP): 250
  • Status code (HTTP): 200

When ISA accesses a site on the master server and finds it, the protocol status code will be OK (200 in the case of an HTTP request); anything other than 200 indicates a problem. The master server may be available while the site is unavailable for an hour, etc.

ISA Server caches all error codes in its negative cache and shows the error description to clients on request until the time span ends; then it tries to fetch the site again on the next client request.

Cache hit-Ratio:                Reduced internet traffic

Cache Pre-Fetching:       ISA server is configured to populate its cache before client request

ISA Server -> Configuration -> Networks

Internal Network:           All internal networks e.g. LAN

External Network:           public networks e.g. Internet

Local Host:                          By default ISA is part of the Local Host network, meaning all of ISA's LAN card IPs are included.

ISA Server -> Monitoring (ISA help)

Dashboard tab:                                 All information related to ISA server

Report tab:                         User generated reports

ISA Server -> Configuration -> Cache

(Properties of Cache) by default no cache is set; you can set it

Active Cache tab:              "Enable active caching"                  unchecked by default, meaning passive caching is active

When active cache is enabled then these options are available (Cache behavior)

Note:                    Cache-hit ratio means reduced internet traffic

Frequently:        Client cache-hit ratio is more important than reduced network traffic

  1. Bandwidth is high
  2. ISA traffic goes out to the Internet more frequently
  3. Most client requests are fulfilled from the ISA cache

Normally:            By default Client cache-hit ratio and reduced network traffic are both equally important

Less frequently:               Reduced network traffic is more important than client cache-hit ratio

  • Bandwidth is low
  • ISA traffic goes out to the Internet less frequently
  • Fewer client requests are fulfilled from the ISA cache

Advanced tab:

Two ways of TTL calculation:

  1. Age:               Content age is the amount of time since an object was created or modified.
  2. Expiration/TTL:         Defined by the master site; TTL is the amount of time content remains valid in the cache before it expires.

If expiration is disabled or undefined then the age method is used; by default the age method sets a TTL of 20% of the content age.

Option 1:              Checked "Cache objects that have an unspecified last modification time"

Option 2:              Checked "Cache objects even if they do not have an HTTP status code of 200"; this means negative caching is enabled by default (the negative cache stores error messages)

Example:             Telnet to SMTP server (SMTP Status Code)

telnet exchange-IP 25

220 EXCH1.mcse.com Microsoft SMTP MAIL Service etc (220 = welcome)

helo

250 EXCH1.mcse.com Hello [EXCH1 IP] (250=ok)

mail from:administrator@mcse.com

250 2.1.0 adminstrator@mcse.com …. Sender ok (250=ok)

rcpt to: administrator

250 2.1.5 administrator@mcse.com

type anything wrong

500 5.3.3 unrecognized command (500=>error)

Data

354 start mail input: end with CRLF (354=start mail)

Quit

220 etc (220=ok)

Maximum size of URL cached in memory (bytes)              12800 defaults

URL structure:   http://www.mcse.com/index.htm

  • http://                  Protocol
  • www.mcse.com     Fully Qualified Domain Name
  • /index.htm          Path on the server

  • A URL includes all three of these parts
  • An application's working set (whatever is currently running) lives in RAM; the same holds for ISA
  • So a maximum URL length can be defined to avoid buffer flood / overflow attacks

If the web site of an expired object cannot be reached:               the object in the cache has expired and the master site is unavailable

Option 1:              Do not return the expired object (return an error page)

Option 2:              Return the expired object only if it expired:

  • At less than this percentage of original TTL             50
  • But no more than (minutes)                                           60
  • Percentage of free memory to use for caching            10

Note:    % of free RAM to be used for ISA caching e.g. 20 means to increase ISA processing speed

Cache -> Last Default Rule (properties) -> HTTP tab

This is related to AGE

Enable HTTP caching (by default it is enabled)

Note: "unless the source specifies expiration" means that if expiration is defined by the master site there is no need to consider this setting; only if expiration/TTL is not defined does the following apply:

Set TTL of objects (% of content age):    20 default (this percentage is applied to the object's age and the result becomes its expiration)

TTL time boundaries:

  • No less than:       lower limit            15 minutes
  • No more than:      upper limit            1 day

Option: Also apply these TTL boundaries to sources that specify expiration

(If I select this option then TTL time boundaries will be applied on both TTL & expiration)
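The TTL rules above (age-based TTL with its boundaries, master-site expiration with the optional boundary override, the stale-object options when the master site is down, and negative caching) fit together as follows. This is an added worked example written for these notes, not ISA Server's own code; the units are seconds and the defaults are the ones listed above.

```python
"""Worked model of the ISA cache TTL settings described in the notes (added example).

All durations are in seconds; percentages are as shown in the ISA dialogs.
"""
from dataclasses import dataclass

MINUTE = 60
HOUR = 60 * MINUTE
DAY = 24 * HOUR


@dataclass
class CachePolicy:
    # Cache rule -> HTTP tab: "Set TTL of objects (% of content age)" and its boundaries
    ttl_percent_of_age: float = 20.0
    ttl_min: int = 15 * MINUTE            # "No less than"
    ttl_max: int = DAY                    # "No more than"
    bound_explicit_expiry: bool = False   # "Also apply these TTL boundaries to sources that specify expiration"
    # Advanced tab: "If website of expired object cannot be reached"
    return_stale: bool = True             # Option 2 (True) or Option 1 (False)
    stale_percent: float = 50.0           # "At less than this percentage of original TTL"
    stale_max: int = 60 * MINUTE          # "But no more than (minutes)"
    # "Cache objects even if they do not have an HTTP status code of 200"
    negative_caching: bool = True


def compute_ttl(policy, content_age, explicit_expiry=None):
    """TTL for a fetched object.

    content_age: seconds since the object was created/modified (Age method).
    explicit_expiry: seconds of validity given by the master site, or None.
    """
    if explicit_expiry is not None:
        ttl = explicit_expiry
        if not policy.bound_explicit_expiry:
            return ttl                    # master site wins, boundaries not applied
    else:
        ttl = content_age * policy.ttl_percent_of_age / 100
    # Clamp into the configured TTL boundaries.
    return max(policy.ttl_min, min(policy.ttl_max, ttl))


def is_cacheable(policy, status_code):
    """Only 200 is cached unless negative caching is enabled."""
    return status_code == 200 or policy.negative_caching


def serve_on_origin_down(policy, ttl, seconds_since_expiry):
    """What ISA returns for an expired object whose master site cannot be reached."""
    if not policy.return_stale:
        return "error-page"
    within_percent = seconds_since_expiry < ttl * policy.stale_percent / 100
    within_cap = seconds_since_expiry <= policy.stale_max
    return "stale-object" if within_percent and within_cap else "error-page"


if __name__ == "__main__":
    p = CachePolicy()
    print("age 10h, no expiry  ->", compute_ttl(p, 10 * HOUR))        # 20% of 10h = 2h
    print("age 30min, no expiry ->", compute_ttl(p, 30 * MINUTE))     # 6 min, raised to 15 min
    print("expiry 5min given   ->", compute_ttl(p, 10 * HOUR, 5 * MINUTE))
    print("origin down, 30 min past a 2h TTL ->", serve_on_origin_down(p, 2 * HOUR, 30 * MINUTE))
    print("origin down, 90 min past a 4h TTL ->", serve_on_origin_down(p, 4 * HOUR, 90 * MINUTE))
```

The last two calls show why both stale limits matter: 90 minutes is under half of a 4-hour TTL, but it is over the 60-minute cap, so an error page is returned.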

Cache -> Right click -> New -> Content Download Job

Using a content download job rule we can define pre-fetching (populating the cache without client requests), i.e. growing the ISA cache.

Two conditions for Content Download Job

  1. The local host network is configured to listen for web proxy client requests
  2.  The scheduled download job configuration group is enabled (system policy)

Note: if you let the wizard enable these conditions, you don't know where to roll them back later, so I will configure them manually.

ISA Server -> Configuration -> Networks -> Local Host (Properties) -> Web Proxy tab

Condition1 done

Enable web proxy clients (default it is disable, now enable it).

ISA Server -> Firewall Policy -> Show System Policy ->

Condition2 is done

29(red mark means disable): allow HTTP from ISA server to selected computers for content download jobs  -> Right click -> Edit system policy -> enable it.

Cache -> Right click -> New -> Content Download Job

Content Download Rule Name:                                 MCSE

Download frequency/time:                         Daily

Job starts / end date & repeat options

Define URL:                                        http://www.mcse.com/

Job limits:

  1. Do not follow links outside the specified URL domain name: (select it)

(Don't fetch links that point outside the mcse.com domain)

  2. Maximum depth of links per page: (select it) 400

(Meaning it follows up to 400 hyperlinks on one page)

  3. Limit number of objects retrieved to a maximum of: 200

(When a page is saved, an additional folder is created for its supporting objects)

  4. Maximum number of concurrent (concurrent means simultaneous, at the same time) TCP connections to create for this job: 4

The default can be changed, e.g. to 10.

Next -> content caching & TTL

Cache content

Cache all content             (Select it)

Time-to-Live (TTL)

  1. Expire content according to the cache rule   (select it)
  2. Set TTL if not defined in response (if TTL not define in master site)
  3. Override objects TTL (if TTL defines in master site and want to override it)

Mark downloaded objects with a new TTL of (minutes): 60 (this option is available with both options 2 and 3)

If master site does not tell expiration then ISA server have to calculate the age percentage

Configuring ISA as Firewall

  • When ISA is installed it blocks all incoming/outgoing traffic; to see this configuration go to

ISAPC -> Firewall Policy -> Last Default Rule (all networks in the From and To tabs are denied in the Action tab)

  • By default the ISA system can ping any computer (ISA's own traffic is allowed) but clients cannot ping ISA.
  • From ISA you cannot open a remote desktop session to any computer, even when remote access is allowed on it, until a rule permits it.
  • Note: by default rules are combined with OR (within a rule the elements are combined with AND); rules are checked from top to bottom, and finally the Last Default Rule applies.

New Access Rule (allow remote desktop from ISA to Clients)

Name:                                  Remote desktop

Action:                                  Allow

Protocols:                            Selected protocols -> remote terminal

RDP (Terminal Services) + RDP (Terminal Services) Server

From/Source:                    local host

To/Destination:                                internal network

Users:                                   all users

Note: the New Access Rule wizard does not ask for Schedule & Content Type, which means these settings are optional.

New Access Rule (allow ping from Clients to ISA)

Name:                                  Ping traffic

Action:                                  Allow

Protocols:                            Selected protocols -> ping

From/Source:                    Internal network

To/Destination:                                Local host

Users:                                   All users

Note: Now you can ping from any client to ISA server

New Access Rule (allow Internet traffic from clients to Internet)

Name:                                  Internet traffic

Action:                                  Allow

Protocols:                            Selected protocols -> FTP, FTP Server, HTTP, HTTPS, HTTPS Server, MSN Messenger,

POP3, POP3 server, SMTP, SMTP server (for exchange traffic)

DNS, DNS Server (allow DNS-related traffic, e.g. when POP3 or SMTP use a name instead of an IP such as mail.mobiserve.com.pk; the DNS Server protocol is needed if the primary DNS server on the Internet is available at another site)

By default there are no protocols for Yahoo or MSN, so you have to define them.

From/Source:                    Internal network

To/Destination:                                External network (internet)

Users:                                   All users

Note: in ISA 2004, sometimes you select All Outbound Traffic but traffic is still not allowed from clients; in that case add the required protocols manually using Selected Protocols.

Create new Protocols (For yahoo messenger)

Firewall policy -> Toolbox -> Protocols -> New

  1. Name:                                          Yahoo-TCP

Protocol type:                   TCP

Destination:                       Outbound

Port Range from:                             5000-5010, 5050

  2. Name:                                          Yahoo-UDP

Protocol type:                   UDP

Destination:                       Send Receive

Port Range from:                             5000-5010

New Access Rule (allow yahoo messenger)

Name:                                  Yahoo messenger

Action:                                  Allow

Protocols:                            Selected protocols -> User-defined ->

Yahoo-TCP & Yahoo-UDP

From/Source:                    Internal network

To/Destination:                                External network (internet)

Users:                                   All users
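The rule-evaluation note above (rules checked top to bottom, OR between rules, AND within a rule, the Last Default Rule last) and the access rules and user-defined protocols defined so far can be checked against sample packets with the following model. This is an added example written for these notes, not ISA's code; the network ranges are taken from the notes (Internal 192.168.0.0/24) except the ISA external address 203.0.113.10 and the client/Internet addresses, which are constructed for the example.

```python
"""First-match model of the ISA access rules in these notes (added example, not ISA code).

Networks: Local Host (the ISA machine's own addresses), Internal, and
everything else External.  A rule matches only if source network, destination
network and protocol all match (AND); rules are tried top to bottom (OR) and the
Last Default Rule denies whatever is left.
"""
import ipaddress
from dataclasses import dataclass

# Constructed addresses: 192.168.0.1 is ISA's internal NIC, 203.0.113.10 its external NIC.
NETWORKS = {
    "Local host": ["192.168.0.1/32", "203.0.113.10/32"],
    "Internal": ["192.168.0.0/24"],
}


def network_of(ip):
    """Map an address to the first matching ISA network; anything unmatched is External."""
    addr = ipaddress.ip_address(ip)
    for name, ranges in NETWORKS.items():
        if any(addr in ipaddress.ip_network(r) for r in ranges):
            return name
    return "External"


def parse_ports(spec):
    """Expand a port-range spec in the notes' syntax, e.g. "5000-5010, 5050"."""
    ports = set()
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports


# Protocol definitions: (transport, destination ports); an empty port set skips the port check.
PROTOCOLS = {
    "RDP (Terminal Services)": ("tcp", parse_ports("3389")),
    "Ping": ("icmp", set()),
    "HTTP": ("tcp", parse_ports("80")),
    "HTTPS": ("tcp", parse_ports("443")),
    "Yahoo-TCP": ("tcp", parse_ports("5000-5010, 5050")),   # user-defined, from the notes
    "Yahoo-UDP": ("udp", parse_ports("5000-5010")),
}


@dataclass
class Rule:
    name: str
    action: str
    protocols: set      # empty set = "All outbound traffic"
    sources: set
    destinations: set


ALL = {"Local host", "Internal", "External"}
POLICY = [
    Rule("Remote desktop", "allow", {"RDP (Terminal Services)"}, {"Local host"}, {"Internal"}),
    Rule("Ping traffic", "allow", {"Ping"}, {"Internal"}, {"Local host"}),
    Rule("Internet traffic", "allow", {"HTTP", "HTTPS"}, {"Internal"}, {"External"}),
    Rule("Yahoo messenger", "allow", {"Yahoo-TCP", "Yahoo-UDP"}, {"Internal"}, {"External"}),
    Rule("Last Default Rule", "deny", set(), ALL, ALL),
]


def protocol_matches(name, transport, dport):
    l4, ports = PROTOCOLS[name]
    return l4 == transport and (not ports or dport in ports)


def evaluate(policy, src_ip, dst_ip, transport, dport=None):
    """Return (action, matching rule name) for one packet, first match wins."""
    src_net, dst_net = network_of(src_ip), network_of(dst_ip)
    for rule in policy:
        if src_net not in rule.sources or dst_net not in rule.destinations:
            continue
        if rule.protocols and not any(protocol_matches(p, transport, dport) for p in rule.protocols):
            continue
        return rule.action, rule.name
    return "deny", "implicit"


if __name__ == "__main__":
    samples = [
        ("192.168.0.1", "192.168.0.30", "tcp", 3389),    # ISA -> client RDP
        ("192.168.0.30", "192.168.0.1", "tcp", 3389),    # client -> ISA RDP (no rule)
        ("192.168.0.30", "192.168.0.1", "icmp", None),   # client -> ISA ping
        ("192.168.0.30", "198.51.100.7", "tcp", 5050),   # Yahoo messenger
        ("198.51.100.7", "192.168.0.30", "tcp", 80),     # inbound from Internet
    ]
    for pkt in samples:
        print(pkt, "->", evaluate(POLICY, *pkt))
```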

Define URL for specific Web Sites

Network entities -> URL Set -> new -> URL Set

Name:                                  Yahoo-hotmail

URLs                                      http://www.yahoo.com/*

http://www.hotmail.com/*

New Access Rule (Allow traffic for specific Web Sites)

Name:                                  Allow Yahoo-hotmail

Action:                                  Allow

Protocols:                            All outbound traffic

From/Source:                    Internal network

To/Destination:                                Yahoo-Hotmail

Users:                                   All users

Note: Instead of default all users set in ISA we can define user sets in ISA and map ADS groups & users with it.

Publishing Rules:

You need publishing rules when resources such as an Exchange/mail server or a web server are on the private network and users want to access them from the public network (Internet).

When a request arrives at ISA on its public IP, ISA reads the port number to decide which service is requested and which server the request should be redirected to; for this purpose we use publishing rules.

A publishing rule is also called a reverse proxy.

Note: when you want to put your Exchange or web server live, you need to host an MX record and an A host record at the ISP (reverse DNS/proxy).

Mail Server (two type of request)

  1. Client to Server
  2. Server to Server

Rule:      This rule allows external clients to connect to our internal mail server behind ISA 2004

ISAPC -> Firewall Policy -> New -> Mail Server Publishing Rule

Name:                                  Publish Email

Access Type:                      Client access: RPC, IMAP, POP3, and SMTP (for Outlook)

Services:

  Client access      Standard ports   Secure ports
  Outlook (RPC)
  POP3               yes
  IMAP4              yes
  SMTP               yes

Servers:                                              Define IP addresses which you want to publish

192.168.100.1 (Mail server IP)

IP Addresses:                    listen for request from these networks

External

Finish (standard port means port 80 for HTTP; secure means port 443 for HTTPS)

Note:    Client access: RPC, IMAP, POP3, and SMTP (for MS Outlook)

Web client access: Outlook Web Access (OWA) ->              for web email

Server-to-server communication: SMTP, NNTP -> for server to server

Now three rules are automatically created in the ISA firewall policy:

  1. Name            : Publish Email SMTP Server (Server Publishing Rule)

Action           : Allow

Traffic           : SMTP server

From             : Anywhere

To                   : 192.168.100.1 + Request appear to come from original client

Network      : External

  2. Name            : Publish Email POP3 Server (Server Publishing Rule)

Action           : Allow

Traffic           : POP3 server

From             : Anywhere

To                   : 192.168.100.1 + Request appear to come from original client

Network      : External

  3. Name            : Publish Email IMAP4 Server (Server Publishing Rule)

Action           : Allow

Traffic           : IMAP4 server

From             : Anywhere

To                   : 192.168.100.1 + Request appear to come from original client

Network      : External + Internal

Rule:      Rule to access Outlook Web Access from clients over the Internet

ISAPC -> Firewall Policy -> New -> Mail Server Publishing Rule

Name:                  OWA Publish Mail Server

Action:                  Allow

From:                    Anywhere

To:                          exch.mobiserve.com.pk

Forward the original host header instead of the actual one (specified above)

Requests appear to come from the ISA Server computer

Traffic:                  Http

Listener:              OWA Listener

Publish Name:   All requests

Paths                     /exchange/*                      same as published folder

/exchweb/*                       same as published folder

/public/*                             same as published folder

Bridging:              Web Server

Redirect request to Http port 80

Users                    All users

Web Listener for web client access (Outlook Web Access - OWA)

When you create a mail server publishing rule for Outlook Web Access, this listener will be used.

ISAPC -> Firewall Policy -> Network Object -> New Web Listener

Name:                  OWA Listener

IP Address:         Listen for requests from these networks

External, Internal, Local Host

Select External & click Address, choose "Specified IP addresses" & enter the IP address you want

Port:                    Enable HTTP 80

Click Authentication & select Basic + Integrated

Finish

Rule: This rule allows mail-server-to-mail-server communication

ISAPC -> Firewall Policy -> New -> Mail Server Publishing Rule

Name:                  Server2server

Access Type:      Server to server communication: SMTP, NNTP

Services:              SMTP & Secure SMTP

Newsgroups (NNTP)

Servers:                               Define the IP addresses which you want to publish

192.168.0.10 (mail server IP)

IP Addresses:    Listen for requests from these networks

External

Finish

Note: your mail server is now available on the Internet because of these two rules.

One resource cannot both be published by ISA and be hosted on ISA itself; if a resource is hosted on ISA, ISA offers it directly, and if it is on another server, ISA publishes it.

Rule: This rule allows remote desktop connections

ISAPC -> Firewall Policy -> New -> Server Publishing Rule

Name:                  RDP server

Servers:                              192.168.0.30

Protocols:            RDP (Terminal Services) Server

See in its properties that RDP uses port number 3389

IP Addresses:    Listen for requests from these networks

External

Finish

Rules: Create new rules as required

Array -> ISA Server Name -> Firewall Policy

Name:                  Front End Internet Access (Array access Rule)

Action:                  Allow

Protocol:              All outgoing traffic

From:                    SMTP (computer) + Local Host

To:                          External + Internal + Local Host

Users:                   All Users

Name:                  RDP for ISA (Array access Rule)

Action:                  Allow

Protocol:              Select Protocol

RDP (Terminal Services) + RDP (Terminal Services) Server +

SMTP + SMTP Server + SMTPS + SMTPS Server

From:                    All Network (and local host) + External + Local Host

To:                          ISA (PC) + ISA External (PC) + Internal + Local Host

Users:                   All Authenticated Users + All Users

Define New Network:

Firewall policy depends on the network sets defined.

Suppose two network IDs are used in the enterprise network, one in Lahore and one in Islamabad.

ISA works as a VPN concentrator: traffic goes from the Lahore office ISA to the Internet, or from the Lahore office ISA to the Islamabad office over a VPN tunnel.

A single network ID cannot reach two different networks, so define separate networks.

Networks -> Internal (IP address range: 192.168.0.0 - 192.168.0.255)

Networks -> New -> Network

Name:                                  Islamabad

Network type:                  Internal Network

Address range:                 192.168.1.0 - 192.168.1.255

New Access Rule (allow traffic from Lahore to Islamabad)

Name:                                  Islamabad

Action:                                  allow

Protocols:                            all outbound traffic

From/Source:                    internal network

To/Destination:                                Islamabad

Users:                                   all users

Note: by default, FTP write requests (uploads) are not allowed even when FTP protocols are defined in the rule, because the default FTP status is Read Only.

Configure FTP options are available on rules in which the FTP protocol is included: right click on Rule -> Configure FTP -> uncheck the Read Only option (while Read Only is selected, FTP uploads are blocked)

Lahore to Islamabad

Suppose ISA is at the Lahore site and a user at the Islamabad office wants to use the Internet through the Lahore proxy. Three tasks are needed, and the VPN tunnel between Lahore and Islamabad must be established.

  1. First add the Islamabad subnet 192.168.1.0 to the Internal network at ISA
  2. Second add a persistent static route on the Lahore ISA machine: route add 192.168.1.0 mask 255.255.255.0 192.168.16.10 -p
  3. New Access Rule (allow Internal & Local Host)

Name:                  Allow Internal

Action:                  allow

Protocols:                            all outbound traffic

From/Source:    Internal network + Local Host

To/Destination:                Internal network + Local Host

Users:                   all users

NAT & Route Case:

When an outbound/outgoing request arrives at ISA, it can handle it in one of two ways:

  1. NAT:              translation

NAT (network address translation) is used when there is a pool of live IPs.

PAT (port address translation) is used when there is a single live IP; this is what ISA uses.

  2. Route:            no translation

Example (PAT): Source Port will be greater than 1024

                    SIP              DIP              SP      DP
Client to ISA       192.168.0.5      64.5.6.9         1059    80
ISA to Hotmail      200.100.100.1    64.5.6.9         1100    80
Hotmail to ISA      64.5.6.9         200.100.100.1    80      1100
ISA to Client       64.5.6.9         192.168.0.5      80      1059

PAT Table:          192.168.0.5:1059 <-> 200.100.100.1:1100
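The PAT exchange in the table above, replayed as an added example that is not part of the original notes: a small stateful translation table that hands out translated source ports above 1024, maps replies back to the client, and drops an inbound packet that matches no entry. The ISA live IP 200.100.100.1 and the first translated port 1100 come from the table; the internal /24 is an assumption taken from the Internal network defined earlier.

```python
import ipaddress
from dataclasses import dataclass, field

# Values from the PAT table above: ISA's single live IP and the internal client range
# (the /24 is an assumption taken from the Internal network defined earlier).
ISA_PUBLIC_IP = "200.100.100.1"
INTERNAL_NET = ipaddress.ip_network("192.168.0.0/24")


@dataclass
class PatTable:
    """Stateful PAT table of the kind ISA keeps for outbound connections."""
    next_port: int = 1100                      # first translated source port handed out (> 1024)
    out: dict = field(default_factory=dict)    # (client ip, client port) -> (ISA ip, translated port)
    back: dict = field(default_factory=dict)   # (ISA ip, translated port) -> (client ip, client port)

    def outbound(self, sip, dip, sp, dp):
        """Client -> ISA packet (sip, dip, sp, dp); returns the packet ISA sends out."""
        if ipaddress.ip_address(sip) not in INTERNAL_NET:
            raise ValueError("outbound PAT applies to internal sources only")
        key = (sip, sp)
        if key not in self.out:
            # One live IP, so each connection is told apart by its translated port.
            tp = self.next_port
            self.next_port += 1
            self.out[key] = (ISA_PUBLIC_IP, tp)
            self.back[(ISA_PUBLIC_IP, tp)] = key
        tip, tp = self.out[key]
        return (tip, dip, tp, dp)

    def inbound(self, sip, dip, sp, dp):
        """Internet -> ISA packet; returns the packet for the client, or None to drop.

        Only a reply to an existing entry is forwarded; an unsolicited inbound
        connection has no mapping and is dropped (the default behaviour of PAT).
        """
        client = self.back.get((dip, dp))
        if client is None:
            return None
        cip, cp = client
        return (sip, cip, sp, cp)


def trace_hotmail_session():
    """Replay the four packets from the table above plus one unsolicited packet."""
    pat = PatTable()
    to_hotmail = pat.outbound("192.168.0.5", "64.5.6.9", 1059, 80)         # Client to ISA -> ISA to Hotmail
    to_client = pat.inbound("64.5.6.9", to_hotmail[0], 80, to_hotmail[2])  # Hotmail to ISA -> ISA to Client
    unsolicited = pat.inbound("64.5.6.9", ISA_PUBLIC_IP, 80, 4444)         # no entry: dropped
    return to_hotmail, to_client, unsolicited
```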

The port numbers are divided into three ranges:

Well Known Ports                0-1023           Registered by IANA
Registered Ports                1024-49151       Registered by IANA
Dynamic and/or Private Ports    49152-65535      Free

A value of 0 in the IANA port numbers registry indicates that no port has been allocated.

If ISA has no live IP (both of its IPs are private) and a router with a live IP sits in front of it, then the router performs the NAT process; on ISA simply configure routing instead of NAT (by default ISA does NAT)

Networks -> Network Rules -> Internet Access (by default NAT, configure it as Route)

Demilitarized Zone (DMZ):

A network holding the machines/servers that are accessible from the Internet. One can say that a public-facing area placed within private premises is called a DMZ.

The term DMZ is used worldwide; in Microsoft terminology it is called a Screened Subnet or Perimeter Network

Benefits:              On the private network (LAN card 1) you can disable all inbound traffic, because Internet traffic only needs access to the DMZ network (LAN card 2) where the mail & web servers are available.

If you are using private IPs on the web/mail servers, publish the web/email server through ISA; if you are using public IPs on the web/mail servers, meaning you purchased a live IP pool for them (e.g. 202.154.224-230), then you have to create a new network & network rule to route the traffic from the Internet to the DMZ network

Public IPs are routable, so there is no need of NAT for them.

ISAPC -> Configuration -> Network -> New Network

Name:                                  DMZ

Network type:                  Internal network

Network address:            202.154.224.224 - 202.154.224.230

Finish

ISAPC -> Configuration -> Network -> New Network Rule

Name:                                  DMZ2Internet

Net traffic source:           DMZ

Net traffic destination:  External

Net relationship:              Route
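The network classification and network-rule lookup described in this section (Internet Access as NAT, DMZ2Internet as Route), as an added example that is not part of the original notes: it places an address into the page's Internal, DMZ or External network, returns which relationship applies to a flow, and shows what source address the Internet sees. The rule names and ranges are those configured above; the ISA live IP 200.100.100.1 is reused from the PAT example and is an assumption here.

```python
import ipaddress

# Networks as defined on this page (a constructed model, not ISA's own data).
NETWORKS = {
    "Internal": [ipaddress.ip_network("192.168.0.0/24")],
    # DMZ holds the purchased live pool 202.154.224.224 - 202.154.224.230
    "DMZ": list(ipaddress.summarize_address_range(
        ipaddress.ip_address("202.154.224.224"),
        ipaddress.ip_address("202.154.224.230"))),
}

# Network rules: (rule name, source network, destination network, relationship).
NETWORK_RULES = [
    ("Internet Access", "Internal", "External", "NAT"),   # ISA default rule
    ("DMZ2Internet", "DMZ", "External", "Route"),         # rule created above
]


def network_of(ip):
    """Return the ISA network an address belongs to; anything not listed is External."""
    addr = ipaddress.ip_address(ip)
    for name, ranges in NETWORKS.items():
        if any(addr in r for r in ranges):
            return name
    return "External"


def relationship(src_ip, dst_ip):
    """Return (rule name, relationship) of the first matching network rule.

    None means no network rule exists between the two networks; ISA then has no
    relationship for the flow and will not pass it even if an access rule allows it.
    """
    src, dst = network_of(src_ip), network_of(dst_ip)
    for name, rule_src, rule_dst, rel in NETWORK_RULES:
        if rule_src == src and rule_dst == dst:
            return name, rel
    return None


def egress_source(src_ip, dst_ip, isa_public_ip="200.100.100.1"):
    """Source address the Internet sees: ISA's live IP under NAT, unchanged under Route."""
    match = relationship(src_ip, dst_ip)
    if match is None:
        return None
    return isa_public_ip if match[1] == "NAT" else src_ip
```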

ISA as IDS (Intrusion Detection System):

Protect against Layer 2 attacks by deploying security solutions such as a Layer 2 IDS and static MAC or port associations on switches. ISA has Layer 2 IDS functionality, but it does not provide protection against Layer 2 (MAC) attacks

General -> Additional Security Policy -> Enable Intrusion Detection and DNS Attack Detection

Common attacks tab & DNS attacks tab

Configuring ISA as VPN:

The recommended way is to use a hardware based VPN (routers); a software based VPN (ISA VPN) is not good. There are multiple ways to connect remote sites, for example the two sites Lahore & Islamabad:

  1. Leased line: costly, both sites are connected by leased lines
  2. VPN: cost efficient, both sites' ISA servers are connected to the Internet using local ISPs

A VPN provides the ability to pass private IP traffic over a public network through a tunnel

ISA supports two types of VPN:

  1. Site to Site VPN

Compulsory tunnel: the tunnel is always up

The tunnel is established between devices/servers; the client does not know about it

No mandatory IP address pool

  2. Remote Access VPN

On Demand Tunnel: temporary tunnel, created on user demand

The client requests a tunnel and the server assigns it an IP (from the existing pool)

Mandatory IP address pool of private IPs

Case 1:  If there is only outbound traffic, no fixed live IP is needed at the ISA server, because traffic only goes outbound and the reply comes back; if there is inbound traffic, meaning somebody on the Internet wants to connect in, a fixed live IP is needed because the client has to know the IP to dial.

Note:    the dyndns.com site offers free software to resolve the live IP of the VPN server

VPN Protocols:

VPNs are created based on VPN ports:

  1. L2TP       Access VPN or Remote Access VPN
  2. PPTP       Access VPN or Remote Access VPN
  3. IPSec      Site to Site VPN or LAN to LAN VPN

See VPN Ports:

Routing & Remote Access -> right click on the PC name -> Configure and Enable Routing and Remote Access -> Custom configuration -> VPN access -> Finish

PC Name -> Ports (to see the default created ports) & Properties of Ports (default PPTP: 128 ports, L2TP: 128 ports, etc.; these port counts can be increased)

Now disable this, because we are not creating a Windows based VPN but an ISA based VPN

  1. Site to Site VPN (LAN to LAN VPN)

Connectivity between multiple branches; a static live IP is required for each site

ISA use IPSec for site to site VPN because IPSec is an industry standard.

IPSec authentication methods

  1. Kerberos                     Microsoft support
  2. Shared key                   Industry standard
  3. Certificate authority (CA)   Industry standard

I am at the Lahore site

ISAPC -> Virtual Private Network (VPN) -> Remote site -> Add remote site network

Site name:                          Islamabad

VPN Protocol:                    IP Security Protocol (IPSec) tunnel mode

Connection settings:

Local VPN gateway IP address      202.59.68.220     (live IP of Lahore ISA)

Remote VPN gateway IP address     10.10.10.100      (live IP of ISB ISA)

IPSec authentication:     Use pre-shared key for authentication (key is: 1256789)

Network address:            add the Islamabad IP range (192.168.1.1 - 192.168.1.254)

Note: if an error message is shown when adding the Islamabad network IPs, remove that range from the LAT (Internal network address ranges) first; a range cannot belong to both the Internal network and the remote site network.

Now make same tunnel at Islamabad ISA server, just swap local/remote VPN gateway IPs & Lahore IP address range.

  2. Remote Access VPN

Configuring Remote Access VPN

ISAPC -> Virtual Private Network -> VPN Clients -> Enable VPN Client Access (enable it)

If it shows an error message that the IP pool is not defined, define the IP pool first

Virtual Private Network -> Properties -> Address Assignment tab -> two ways to assign IP address to clients: Static address pool or DHCP, select Static Address Pool -> Add

Select Server:                    ISAPC

Start address:                    192.168.1.100                     end address:      192.168.1.120

ISAPC -> Virtual Private Network (VPN) -> VPN Clients -> Configure VPN client access

General Tab:      Enable VPN client access (checked automatically); the maximum number of VPN clients allowed is 5 by default

Protocols tab:    Enable PPTP, or enable L2TP (which uses IPSec for authentication); PPTP is enabled by default

PPTP is older, and in NT only PPTP is available; L2TP is more secure, and in 200X both are available

PPTP supports all clients (NT, 2000, 2003) & L2TP supports only 2000 & 2003

Group tab:          Add domain groups whose remote access VPNs are allowed e.g. domain users

User Mapping:  When a user logs on without specifying a domain name (the user name does not contain a domain), use user mapping: enable user mapping here and, when the user name does not contain a domain, use this domain

Specify any domain name e.g. mcse.com

Now apply; this VPN configuration automatically configures Windows Routing & Remote Access

Configuring Client for VPN

First, the client is connected to the Internet through any dialup to an ISP

Second, create a VPN connection: Create a new connection -> select "Connect to the network at my workplace" -> select "Virtual Private Network connection" -> Name of connection: VPN -> give the live IP of the ISA server

ISA Designs

Two types/ways of design

  1. 3-homed firewall configuration (single ISA server)
  2. Back-to-back firewall/DMZ configuration (more than one ISA server)

  1. 3-homed firewall configuration (single ISA server)

Three adaptors at the ISA server: one connects to the internal network (LAN), one to the DMZ network where you use public IPs on your servers, and one to the external network (Internet), where a public IP is also used

Internal LAN card:    private IP     private IPs on the network
DMZ LAN card:         private IP     public IPs on the network
External card:        public IP

  2. Back-to-back firewall/DMZ configuration (more than one ISA server)

In this design the DMZ network sits between the internal and external networks.

ISA Backup/Restore

Making a backup captures the entire existing configuration of ISA.

ISA -> Right Click -> Backup ->file name: ISABackup.xml -> 8 char pass: 12345678 (backup ok)

ISA -> Right Click -> Restore ->select: ISABackup.xml -> Restore -> 8 char pass: 12345678 (ok)

Now apply the setting.

Note: For fault tolerance and disaster recovery, make a system state backup & an ISA backup; then restore the system state first and the ISA backup after it. The computer name must be the same.

ISA Bandwidth Control

ISA cannot control bandwidth; if you want to control bandwidth, use third party tools such as Bandwidth Splitter (it has no snap-in; free for 10 users, a license costs 180000 Rs)

GFI Web Monitor

Third party bandwidth monitoring tool

ISA-> Monitoring -> Reports

Generate a report to check the previous day's activity

Here you will see reports by client IP; if you want to see them by user name, install the Firewall Client or SecureNAT client

Copyright ©2010 - 2018 Ciscoforall.com