Udostępnij za pośrednictwem


Microsoft & Security (3 of 3)

In this third and final article, Michael Riva and I are going to be covering our 'for sale' products that sit at the network edge: Internet Security and Acceleration (ISA) Server 2006 and Intelligent Application Gateway (IAG) 2007. Michael is a security consultant, who recently joined Microsoft Ireland as a Partner Technical Specialist (technical pre-sales and advice to and through our Partners) - basically, he's the guy who has the practical experience of implementing these solutions. See Michael's full biography below.

Internet Security and Acceleration (ISA) Server 2006

Prior to Internet Security and Acceleration (ISA) Server, we had a product called 'Proxy Server', which was our web caching solution. Unfortunately for us, most people associate ISA Server with its long-distant relative Proxy Server - if asked about ISA Server, they 'normally' reply along the lines of 'That's a nice Proxy solution - which I'll put behind a "real" firewall'. Internet Security and Acceleration (ISA) Server 2006 is actually the third generation of our fully functional firewall, VPN, web caching proxy and an application reverse-proxy solution (previous versions were in 2004 and 2000). In the last seven years of ISA, there have only been ten security updates, and only three of them where flagged as critical (there was one for ISA 2004 and there haven't been any for ISA 2006).

ISA Server's core firewall component focuses on the application-layer (layer seven) filtering, and especially on the HTTP/FTP/SMTP services. What does that mean? It simply means that ISA will not only open or close a network's ports, it will also screen for malformed or malicious network packets.

Application Layer Filtering (ALF) is nowadays the mandatory extra component that makes your network way more secure than it used to be. Relying on a single firewall without having any ALF mechanism either for inbound or outbound connection is really dangerous. Many hackers actually use opened ports on firewalls to send malicious code to an internal server. A DNS attack, for example, could be performed through any opened port. A malicious piece of code will successfully pass any basic packet or circuit -filtering firewall while having the appropriate ALF solution in the way will simply drop these kinds of packets. There are even 'solutions' out there that will let you run any application (that may use any port) through your firewall over port 80 (the port that's always open, as it's for HTTP).

You might think ISA Server would be slow because it scans the network traffic; it is actually very fast, as it is able to handle up to 1.5GB/s. A basic ASIC chip optimised to run a packet filer (this is the case with many firewall vendors) is most of the time a lot slower than ISA. The average speed of an entry-level Cisco Pix firewall, for example, would be around 300MB/s. It is worth pointing out here that you can either purchase ISA as a dedicated appliance or 'build your own' - in which case the underlying hardware can be as powerful as you need (you can even configure an array of ISA Servers, which will load balance the traffic).

ISA Server can act very well as a front-end or back-end firewall (or simply as 'the firewall' in small to medium environments); but for bigger network environments, it is highly recommended to use ISA Server as a back-end solution in conjunction with another third-party firewall. There are three reasons for this: Firstly a front-end firewall will take off most of the network load by reducing dramatically the amount of traffic being sent to the DMZ or internal network. Secondly, it is a good practice to use different vendors for your front and back-end firewalls, because if one layer in your defence is compromised, you have another (Defence in Depth). And lastly, because ISA Server is designed to offer an extra layer of security to Exchange, SharePoint and IIS mainly (we understand exactly what that traffic looks like and are able to work with it on its way through). It is obviously able to provide extended security to any web server or application.

In the Exchange case, for example, the authentication mechanism is performed by the ISA Server itself and no longer by the Exchange server. That gives you the insurance of only legitimate traffic being sent to your Exchange server, lowering your Exchange server load in the mean time.

ISA is also able to counter many attacks out of the box such as Windows out-of-band (WinNuke), Land, Ping of Death, IP half scan, UDP bomb, Port scan, DNS host name overflow, DNS length overflow, DNS zone transfer, POP3 buffer overflow and SMTP buffer overflow. This feature provides an enhanced way to protect your back-end servers from external but also from internal attacks from employees, which we see more and more nowadays.

Intelligent Application Gateway (IAG) Server 2007

IAG Server (formerly known as WHALE) is an SSL VPN appliance that considerably simplifies the way you can provide remote access to applications. The acquisition of IAG from Whale Communications was one of those instances where we liked the product so much, we bought the company.

Most SSL VPN solutions are hard to implement, because they do not work from most locations, due to an inability to install client-side software and/or due to firewall restrictions. With IAG Server you simply need a web browser (Internet Explorer, Firefox, etc) to get access to the published applications.

The uniqueness of IAG Server resides in the fact it will give remote users access to a specific application but not to the local network or servers themselves (the remote user's machine is never connected to the corporate network). To explain: IAG Server typically would not handle packets from layer one to six and will only send/receive packets from layer seven (application layer) to the remote user. In other words, it means the remote user does not even get a company's network IP address. So the user has absolutely no network access at all to a company network, but still he or she will be able to access published applications such as Outlook Web Access, Domino, SAP, WebSphere, SharePoint (just some examples of the predefined application-specific positive logic to protect back-end servers out of the box).

Out of the box IAG Server is able to work with 60 authentication vendors such as RSA Security, Vasco, Swivel, ActivCard Aladdin. It also works with numerous authentication systems and protocols such as Active Directory, RADIUS, LDAP, NTLM, Lotus Domino, PKI and TACACS+.

Another great feature is the 'attachment wiper'. This feature will systematically erase all traces of the session from the access device (with a pre-downloaded ActiveX or Java applet).

Every time the remote user logs off or simply closes the Internet browser, the applet will kick off and delete any trace, including cookies, user credentials memorised by the browser, URL entries, temporary files created by the downloading of files or any other mechanism during the user session. The 'attachment wiper' will overwrite seven times the disk clusters where those files were stored, making any reinstatement attempt technically impossible, even with the help of the FBI and NSA forensic tools!

The other main feature of IAG Server is its capability to instantly generate an 'endpoint report'.

IAG checks the remote machine to make sure that it conforms to corporate policy (i.e. what anti-virus signatures it is running, what patch level it is at or what version of any particular application is installed). Then, depending on the state of the machine and the user requesting access, it will dynamically limit access to specific features of the requested application. For example, we could define a rule, such that if a remote user does not have the latest version of the corporate anti-virus solution, he will not be allowed to upload any attachment to his emails.

IAG Server simply eliminates the risk of network attacks and operating system vulnerabilities as it only provides a means to access specific applications (or some of the features only) to approved users from approved machines.

I hope you have enjoyed reading this series of three articles - I have enjoyed writing them.
Dave

Comments

  • Anonymous
    August 13, 2008
    I found your site on technorati and read a few of your other posts. Keep up the good work. I just added your RSS feed to my Google News Reader. Looking forward to reading more from you down the road!