Lesson 1: Overview of ISA Server Functionality
ISA Server 2004 is a valuable component in an overall plan to secure an organization’s network. Because ISA Server is deployed at the connecting point between an internal network and the Internet, ISA Server’s role is critical. Almost all organizations provide some level of access to the Internet for its users. ISA Server can be used to enforce security policies dealing with the types of access users should have to the Internet. At the same time, many organizations also allow remote users some type of access to internal servers. For example, almost all organizations allow e-mail servers on the Internet to connect to internal e-mail servers to send Internet e-mail. Many companies also host internal Web sites, or want employees to be able to access internal resources
from the Internet. ISA Server 2004 can be used to ensure that access to these internal resources is secure.
How ISA Server Works—An Overview
ISA Server is designed to secure the perimeter of an organization’s network. In most cases, this perimeter is between the organization’s internal local area network (LAN) and a public network such as the Internet.
The internal network, or protected network, is usually located on an organization’s premises and is under the control of the organization’s IT staff. The internal network is considered to be relatively
secure; that is, normally only authorized users have physical access to the internal network.
Also, the IT staff have a great deal of control over the types of traffic that are allowed on the internal network.
An organization has no control over who is accessing the Internet or over the security of network traffic on the Internet. Anyone in the world with an Internet connection can locate and access any other Internet connection using almost any application or protocol. Also, network packets sent via the Internet are not secure because they can be captured and inspected by anyone running a packet sniffer on an Internet network segment. A packet sniffer is an application that can be used to capture and view all the network traffic on a network. In order to capture network traffic, the packet sniffer must be connected to a network segment located between two routers.
How ISA Server Works as a Firewall
A firewall is a device that is located between one segment of a network and another, and allows only authorized traffic to pass between the segments. The firewall is configured with traffic filtering rules that define the types of network traffic that will be allowed to pass through. A firewall may be positioned and configured to protect an organization from the Internet, or it may be positioned internally to protect specific sections of an organization’s corporate network.
In most cases, firewalls are deployed at the network perimeter. The primary purpose of a firewall in this configuration is to ensure that no traffic from a publicly accessible network like the Internet can enter an organization’s internal network unless it has been explicitly permitted. For example, the organization may have an internal Web server that needs to be accessible to Internet users. The firewall can be configured to allow Internet traffic to access only that Web server.
ISA Server 2004 provides firewall functionality. By default, when you deploy ISA Server, it will block all traffic between networks that are attached to the server, including internal networks, perimeter networks (also known as demilitarized zones, or DMZs), and the Internet. ISA Server 2004 uses three types of filtering rules to block or allow network traffic: packet filtering, stateful filtering, and application-layer filtering.
Packet Filtering
Packet filtering works by examining the header information for each network packet that arrives at the firewall. When the packet arrives at the ISA Server network interface, ISA Server opens the packet header and checks information such as the source and destination addresses and the source and destination ports. ISA Server compares this information against its firewall rules that define which packets are allowed. If the source and destination addresses are allowed, and if the source and destination ports are allowed, the packet passes through the firewall to the destination network. If the addresses and the ports are not explicitly allowed, the packet is dropped and not forwarded through the firewall.
Stateful Filtering
Stateful filtering uses a more thorough examination of the network packet to make decisions on whether to forward it or not. When ISA Server uses a stateful inspection, it examines the Internet Protocol (IP) and the Transmission Control Protocol (TCP) headers to determine the state of a packet within the context of previous packets that have passed through ISA Server, or within the context of a TCP session. For example, a user on the internal network may send a request to a Web server on the Internet. The Web server sends a reply to that request. When the reply packet arrives at the firewall, the firewall inspects the TCP session information that is part of the packet. The firewall
determines that the packet is part of a currently active session that was initiated by the internal user, so the packet is forwarded to the user’s computer. If a user from outside the network attempts to connect to a computer inside the organization’s network, the firewall determines that the packet is not part of a currently active session and the packet is dropped.
Application-Layer Filtering
ISA Server also uses application-layer filtering to determine whether a packet is allowed or not. Application-layer filtering examines the actual content of a packet to determine if the packet can be forwarded through the firewall. An application filter opens the entire packet and examines the actual data in it before making a forwarding decision. For example, a user on the Internet may request a page from the internal Web server using the Hypertext Transfer Protocol (HTTP) GET command. When the packet arrives at the firewall, the application filter inspects the packet and detects the GET command. The application filter checks its policy to determine if the GET command is allowed. In most cases, the GET command is allowed and the packet is forwarded to the internal Web server.
ISA Server 2004 is a valuable component in an overall plan to secure an organization’s network. Because ISA Server is deployed at the connecting point between an internal network and the Internet, ISA Server’s role is critical. Almost all organizations provide some level of access to the Internet for its users. ISA Server can be used to enforce security policies dealing with the types of access users should have to the Internet. At the same time, many organizations also allow remote users some type of access to internal servers. For example, almost all organizations allow e-mail servers on the Internet to connect to internal e-mail servers to send Internet e-mail. Many companies also host internal Web sites, or want employees to be able to access internal resources
from the Internet. ISA Server 2004 can be used to ensure that access to these internal resources is secure.
How ISA Server Works—An Overview
ISA Server is designed to secure the perimeter of an organization’s network. In most cases, this perimeter is between the organization’s internal local area network (LAN) and a public network such as the Internet.
The internal network, or protected network, is usually located on an organization’s premises and is under the control of the organization’s IT staff. The internal network is considered to be relatively
secure; that is, normally only authorized users have physical access to the internal network.
Also, the IT staff have a great deal of control over the types of traffic that are allowed on the internal network.
An organization has no control over who is accessing the Internet or over the security of network traffic on the Internet. Anyone in the world with an Internet connection can locate and access any other Internet connection using almost any application or protocol. Also, network packets sent via the Internet are not secure because they can be captured and inspected by anyone running a packet sniffer on an Internet network segment. A packet sniffer is an application that can be used to capture and view all the network traffic on a network. In order to capture network traffic, the packet sniffer must be connected to a network segment located between two routers.
How ISA Server Works as a Firewall
A firewall is a device that is located between one segment of a network and another, and allows only authorized traffic to pass between the segments. The firewall is configured with traffic filtering rules that define the types of network traffic that will be allowed to pass through. A firewall may be positioned and configured to protect an organization from the Internet, or it may be positioned internally to protect specific sections of an organization’s corporate network.
In most cases, firewalls are deployed at the network perimeter. The primary purpose of a firewall in this configuration is to ensure that no traffic from a publicly accessible network like the Internet can enter an organization’s internal network unless it has been explicitly permitted. For example, the organization may have an internal Web server that needs to be accessible to Internet users. The firewall can be configured to allow Internet traffic to access only that Web server.
ISA Server 2004 provides firewall functionality. By default, when you deploy ISA Server, it will block all traffic between networks that are attached to the server, including internal networks, perimeter networks (also known as demilitarized zones, or DMZs), and the Internet. ISA Server 2004 uses three types of filtering rules to block or allow network traffic: packet filtering, stateful filtering, and application-layer filtering.
Packet Filtering
Packet filtering works by examining the header information for each network packet that arrives at the firewall. When the packet arrives at the ISA Server network interface, ISA Server opens the packet header and checks information such as the source and destination addresses and the source and destination ports. ISA Server compares this information against its firewall rules that define which packets are allowed. If the source and destination addresses are allowed, and if the source and destination ports are allowed, the packet passes through the firewall to the destination network. If the addresses and the ports are not explicitly allowed, the packet is dropped and not forwarded through the firewall.
Stateful Filtering
Stateful filtering uses a more thorough examination of the network packet to make decisions on whether to forward it or not. When ISA Server uses a stateful inspection, it examines the Internet Protocol (IP) and the Transmission Control Protocol (TCP) headers to determine the state of a packet within the context of previous packets that have passed through ISA Server, or within the context of a TCP session. For example, a user on the internal network may send a request to a Web server on the Internet. The Web server sends a reply to that request. When the reply packet arrives at the firewall, the firewall inspects the TCP session information that is part of the packet. The firewall
determines that the packet is part of a currently active session that was initiated by the internal user, so the packet is forwarded to the user’s computer. If a user from outside the network attempts to connect to a computer inside the organization’s network, the firewall determines that the packet is not part of a currently active session and the packet is dropped.
Application-Layer Filtering
ISA Server also uses application-layer filtering to determine whether a packet is allowed or not. Application-layer filtering examines the actual content of a packet to determine if the packet can be forwarded through the firewall. An application filter opens the entire packet and examines the actual data in it before making a forwarding decision. For example, a user on the Internet may request a page from the internal Web server using the Hypertext Transfer Protocol (HTTP) GET command. When the packet arrives at the firewall, the application filter inspects the packet and detects the GET command. The application filter checks its policy to determine if the GET command is allowed. In most cases, the GET command is allowed and the packet is forwarded to the internal Web server.