
Configuring Virtual Private Networks for Remote Clients and Networks

How to Configure VPN Address Assignment
When VPN clients connect to the VPN server, they must be assigned an IP address configuration that enables them to access the resources on the internal network or other networks. ISA Server can be configured to assign the IP address configuration directly, or to use a Dynamic Host Configuration Protocol (DHCP) server to assign the addresses.

When you use DHCP, VPN clients are assigned IP addresses that are part of the internal network subnet. The advantage of this addressing scheme is that you do not need to create special routing table entries to support the VPN clients, and all VPN clients will automatically be able to access the internal network and the Internet (using the protocols specified in the access rules). In this configuration, ISA Server acts as an Address Resolution Protocol (ARP) proxy for VPN clients. For example, when addresses assigned to the VPN Clients network are part of the internal network segment, computers from the internal network will send ARP queries to VPN clients. ISA Server will intercept the queries and reply on behalf of the connected VPN client. The network traffic will then be transparently routed to the VPN client.

Assigning IP Addresses to VPN Clients
When VPN clients connect to ISA Server, the client must be assigned an IP address.
There are two ways that ISA Server can assign the addresses:
1- Dynamic address assignment To enable dynamic address assignment, a DHCP server must be accessible from the computer running ISA Server. Any computer running Windows Server 2003 or Windows 2000 Server on the internal network can serve as the DHCP server. If you use a DHCP server for address assignment, ISA Server retrieves a group of available IP addresses from the DHCP server. When a VPN client connects, ISA Server assigns one of these addresses to the VPN client. As part of the IP address assignment, ISA Server also assigns other TCP/IP properties such as the Domain Name System (DNS) servers and Windows Internet Naming Service (WINS) servers. The IP address assigned to the client is automatically moved from the internal network to the VPN Clients network (or the Quarantined VPN Clients network if quarantine is enabled and the client is quarantined).

2- Static address assignment You can also configure ISA Server with a static pool of addresses to assign to VPN clients. In this configuration, you do not need a DHCP server; rather, you configure the IP addresses on the computer running ISA Server. When a client connects, ISA Server assigns one of the IP addresses to the VPN client. If you use a static address pool for address assignment, the addresses that you want to assign to the pool must first be removed from other defined networks, because overlapping of IP addresses between networks is not allowed. You must also provide one more IP address in the static address pool than the expected number of remote VPN connections, because the VPN interface on ISA Server requires an IP address.
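The two static-pool rules above (no overlap with another defined network, and one spare address for the VPN interface) are easy to get wrong when sizing a pool by hand. The following is an added example, not ISA Server's own code or tooling; the network names and address ranges are constructed for the demonstration.

```python
import ipaddress

# Added example (not ISA Server's own code): check a static VPN address pool
# against the two rules above: no overlap with any other defined network, and
# one more address than the expected number of remote VPN connections, because
# the VPN interface on ISA Server needs an address of its own.

def validate_static_pool(pool_range, defined_networks, expected_connections):
    """Return a list of problems; an empty list means the pool is acceptable.

    pool_range: (first_ip, last_ip) as strings, inclusive.
    defined_networks: mapping of network name -> list of CIDR strings.
    """
    first = ipaddress.ip_address(pool_range[0])
    last = ipaddress.ip_address(pool_range[1])
    if last < first:
        return ["pool range ends before it starts"]
    problems = []

    # Rule 1: the pool must not overlap addresses of another defined network.
    for name, cidrs in defined_networks.items():
        for cidr in cidrs:
            net = ipaddress.ip_network(cidr, strict=False)
            if first <= net.broadcast_address and last >= net.network_address:
                problems.append(f"pool overlaps network '{name}' ({cidr}); "
                                "remove those addresses from that network first")

    # Rule 2: size must cover every expected client plus the VPN interface.
    size = int(last) - int(first) + 1
    needed = expected_connections + 1
    if size < needed:
        problems.append(f"pool holds {size} addresses but {needed} are needed "
                        f"({expected_connections} clients + 1 for the VPN interface)")
    return problems


# Constructed sample network definitions for the demonstration.
SAMPLE_NETWORKS = {
    "Internal": ["192.168.1.0/24"],
    "Perimeter": ["172.16.0.0/24"],
}

if __name__ == "__main__":
    # Overlaps the Internal network and is one address short for 10 clients.
    print(validate_static_pool(("192.168.1.200", "192.168.1.209"), SAMPLE_NETWORKS, 10))
    # Acceptable: a separate subnet with 10 clients + 1 for the VPN interface.
    print(validate_static_pool(("10.10.10.1", "10.10.10.11"), SAMPLE_NETWORKS, 10))
```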

Configuring Dial-In Permissions in Active Directory
In addition to configuring ISA Server to enable VPN connections, you must also configure Active Directory user accounts to enable dial-in permissions for those accounts. Until this is configured, users will be unable to connect to ISA Server using a VPN. The default user account configuration in Active Directory varies depending on the domain being used to authenticate users.

1- In Windows 2000 mixed-mode domains, or in Windows Server 2003 domains at the Windows 2000 mixed-functional level, all user accounts have dial-in access disabled by default. You must enable dial-in access on a per-account basis for these Active Directory domains.

2- In Windows 2000 native-mode domains, or in Windows Server 2003 domains at the Windows 2000 native or Windows Server 2003 functional levels, all user accounts, by default, have dial-in access controlled by Remote Access Policy. You can control dial-in access by just modifying the remote-access policy.

3- Windows NT 4.0 domains always have dial-in access controlled on a per-user account basis.

Configuring ISA Server to Secure SMTP Traffic

How to Configure the SMTP Application Filter
To make an Exchange Server computer accessible to other SMTP servers on the Internet, you must configure a publishing rule that publishes the Exchange Server computer using the SMTP port. When you configure a rule that uses SMTP, the SMTP application filter is enabled for that rule automatically. The SMTP application filter accepts the traffic, inspects it, and forwards it to internal SMTP servers only if the SMTP filter allows it.

What Is SMTP Command Filtering?
SMTP servers use a set of commands (also called verbs) to initiate an SMTP connection between servers and then to transmit SMTP messages. The SMTP application filter filters SMTP traffic by examining these SMTP commands.

The SMTP filter can be configured to disable specific SMTP commands. When an SMTP server or client uses a command that is defined but disabled, the filter stops the command and closes that connection. For example, if you disable the VRFY command, ISA Server will block all SMTP connections that use this command. When a client uses a command that is not recognized by the SMTP filter, the connection is also denied. For example, the SMTP filter does not define the TURN command, so TURN commands will be blocked by the SMTP filter.

Each SMTP command also has a maximum length that specifies the number of bytes allowed for each command. If an attacker sends a command that exceeds the number of bytes allowed for the command, ISA Server drops the connection and prevents the attacker from communicating with the SMTP server. For example, the default maximum length for the RCPT TO command is 266 bytes. If an SMTP connection uses a longer RCPT TO command than this limit, the connection is dropped.
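The three filter decisions described above (undefined verb, disabled verb, over-length command) can be modelled in a few lines. This is an added example, not ISA Server's filter code; the verb table and all limits except the 266-byte RCPT TO default quoted in the text are constructed for the demonstration.

```python
# Added example (not ISA Server's own code): a model of the SMTP command
# filtering described above. An undefined verb is denied, a defined-but-disabled
# verb closes the connection, and a command over its byte limit drops it.
# The verb table and limits are constructed for the demo except the 266-byte
# RCPT TO limit, which is the default quoted in the text.

COMMAND_LIMITS = {
    "HELO": 266, "EHLO": 266, "MAIL FROM": 266, "RCPT TO": 266,
    "DATA": 6, "RSET": 6, "NOOP": 6, "QUIT": 6, "VRFY": 266, "EXPN": 266,
}

def parse_verb(command_line):
    """Extract the verb, allowing for the two-word MAIL FROM and RCPT TO forms."""
    upper = command_line.upper()
    for verb in ("MAIL FROM", "RCPT TO"):
        if upper.startswith(verb):
            return verb
    return upper.split(" ", 1)[0].split(":", 1)[0]

def filter_command(command_line, disabled=frozenset()):
    """Classify one command line as ('allow', verb) or ('drop', reason)."""
    line = command_line.rstrip("\r\n")
    verb = parse_verb(line)
    if verb not in COMMAND_LIMITS:
        return ("drop", f"{verb} is not a command the filter defines")
    if verb in disabled:
        return ("drop", f"{verb} is disabled by policy")
    length = len(line.encode("utf-8"))   # the limit is in bytes, not characters
    if length > COMMAND_LIMITS[verb]:
        return ("drop", f"{verb} is {length} bytes, limit is {COMMAND_LIMITS[verb]}")
    return ("allow", verb)

def filter_session(lines, disabled=frozenset()):
    """Filter command lines in order; stop at the first one that drops the connection."""
    results = []
    for line in lines:
        results.append(filter_command(line, disabled))
        if results[-1][0] == "drop":
            break
    return results

# Constructed sample session whose RCPT TO exceeds the 266-byte limit.
SAMPLE_SESSION = [
    "EHLO mail.example.test",
    "MAIL FROM:<sender@example.test>",
    "RCPT TO:<" + "a" * 300 + "@example.test>",
    "DATA",
]
```

Running `filter_session(SAMPLE_SESSION)` allows EHLO and MAIL FROM, drops the connection at the over-length RCPT TO, and never reaches DATA, which mirrors the behaviour the text describes.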

How Message Screener Filters Messages
The Message Screener must be installed on a server running the Microsoft Internet Information Services (IIS) 5.0 or IIS 6.0 SMTP service. The Message Screener component can be installed on the computer running ISA Server, on a computer running Exchange Server, or on any other IIS 5.0 or IIS 6.0 SMTP server in the internal network or in a perimeter network (also known as a demilitarized zone, or DMZ).

SMTP Message Screener can be configured to filter incoming mail based on the following:
1- The information in the MAIL FROM SMTP command The MAIL FROM command specifies the source SMTP address for the e-mail message. This is used for sender and domain name filtering.

2- The information in the Content-Disposition header field for each attachment This field commonly contains the attachment file name and extension. SMTP Message Screener can filter attachments by extension, by name, or by size.

3- Keywords in the message subject or body This is used for filtering the message subject and the body, either text/plain or text/html content type.

SMTP Message Screener can be configured to delete e-mail messages, hold e-mail messages for later inspection, or forward e-mail messages to a specific e-mail account for further examination and analysis.
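The following is an added example, not the Message Screener's own code, that applies the three screening criteria listed above to a message and maps each match to one of the three actions (delete, hold, forward). The rule values, the criterion-to-action mapping and the sample message are all constructed for the demonstration.

```python
import email
from email import policy
from email.message import EmailMessage

# Added example (not the Message Screener's own code): apply the three criteria
# above (MAIL FROM domain, attachment name/extension/size from Content-Disposition,
# keywords in the subject or a text/plain or text/html body) and map each match
# to delete, hold or forward. Rule values and the mapping are constructed.

SCREEN_RULES = {
    "blocked_domains": {"spam.example"},          # checked against MAIL FROM
    "blocked_extensions": {".exe", ".scr"},      # checked against attachment names
    "max_attachment_bytes": 1_000_000,
    "keywords": {"free money", "act now"},       # checked in subject and body
    "forward_to": "abuse-review@example.test",   # target of the 'forward' action
}

def screen_message(mail_from, raw_message, rules=SCREEN_RULES):
    """Return (action, reason) where action is accept, delete, hold or forward."""
    domain = mail_from.strip("<>").rsplit("@", 1)[-1].lower()
    if domain in rules["blocked_domains"]:
        return ("delete", f"sender domain {domain} is blocked")
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    subject = (msg["Subject"] or "").lower()
    if any(k in subject for k in rules["keywords"]):
        return ("forward", f"subject keyword; forward to {rules['forward_to']}")
    for part in msg.walk():
        if part.get_content_disposition() == "attachment":
            name = (part.get_filename() or "").lower()
            size = len(part.get_payload(decode=True) or b"")
            if any(name.endswith(ext) for ext in rules["blocked_extensions"]):
                return ("hold", f"attachment {name} has a blocked extension")
            if size > rules["max_attachment_bytes"]:
                return ("hold", f"attachment {name} is {size} bytes")
        elif part.get_content_type() in ("text/plain", "text/html"):
            if any(k in part.get_content().lower() for k in rules["keywords"]):
                return ("forward", f"body keyword; forward to {rules['forward_to']}")
    return ("accept", "no screening rule matched")

def build_sample():
    """Constructed sample: a short text body plus an .exe attachment."""
    m = EmailMessage()
    m["Subject"], m["From"], m["To"] = "Invoice", "alice@example.test", "bob@example.test"
    m.set_content("Please see the attached file.")
    m.add_attachment(b"MZ\x90\x00", maintype="application",
                     subtype="octet-stream", filename="invoice.exe")
    return m.as_bytes()
```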

Integrating ISA Server 2004 and Exchange Server

Configuring ISA Server to Secure SMTP Traffic
One way that ISA Server can secure Exchange Server is by providing enhanced options for filtering all SMTP messages sent from the Internet to the computers running Exchange Server. This lesson explains how to publish SMTP servers and how to configure SMTP filtering.

Known SMTP Security Issues
Virtually all e-mail sent on the Internet is sent using SMTP. To receive e-mail from the Internet, your organization must have an SMTP server that is accessible to other SMTP servers. However, SMTP has some security weaknesses, both at a protocol level and in terms of the content sent using SMTP messages.

SMTP Protocol-Level Exploits
SMTP servers are vulnerable to several protocol-level exploits, including buffer-overflow attacks and SMTP command attacks.
Buffer-overflow attacks A buffer-overflow attack is triggered when a program or process tries to store more data in a memory buffer than the buffer's designed capacity. The extra information can spill into adjacent buffers, corrupting or overwriting the valid data that they hold. In buffer-overflow attacks, the extra data may contain code designed to trigger specific actions, in effect sending new instructions to the attacked computer. Buffer-overflow attacks can be mounted against an organization's SMTP server by sending large SMTP commands. The best deterrent to a buffer-overflow attack against the SMTP server is to stop the attacker at the network perimeter, before the exploit ever finds its way into the corporate network.

Attackers use buffer-overflow exploits to disable specific server services with the intent of mounting a denial-of-service (DoS) attack, either by disabling a specific service on the target computer or by taking the entire machine offline. More elaborate buffer overflow exploits can be used to disable key security features and allow the attacker to run commands of his choice on the targeted machine.

SMTP command attacks SMTP servers must support a standard set of commands that are used to send and receive SMTP messages. Attackers can use the commands to mount buffer-overflow attacks or to send malformed commands that the system programmers did not anticipate. Command-manipulation attacks can lead to system compromise by giving an attacker access to key files, the ability to overwrite files, or to inject Trojan horse programs onto a mail server.

Some SMTP commands are optional. Some commands, such as EXPN and VRFY, if configured incorrectly, can be used to find a list of recipients on the server. If these commands are not required, they can be disabled at the firewall so that the SMTP server does not receive them.

Unwanted or Malicious E-Mail Attacks
The most prominent security challenge related to e-mail is the number of unwanted and malicious e-mails that are sent across the Internet. These e-mails can be grouped in two categories: unwanted junk e-mail that consumes computer resources and user time but does not harm the computer, and malicious e-mails that contain viruses, worms, or Trojan horse programs.

Unwanted E-Mail It has been estimated that unwanted e-mail messages consume more than 50 percent of total bandwidth usage on the Internet today. Unwanted e-mail leads to the following problems:

1- Wasted bandwidth on both internal and Internet networks, which may lead to increased Internet bandwidth cost, and increased nonproductive traffic on the corporate network.
2- Increased resource usage, including disk space, processor, and memory use on e-mail servers
3- Decreased employee productivity due to reading and deleting unwanted e-mail
4- Increased administrative costs as network administrators attempt to reduce the negative effects of unwanted e-mail
5- Increased exposure to legal liability to users who may view offensive unwanted e-mail messages.

Malicious E-Mail Viruses and worms sent by e-mail can cause a tremendous amount of damage to corporate networks. Viruses and worm attacks are responsible for the following:

1- Destruction of data on servers and workstations
2- DoS attacks on servers and workstations
3- Lost employee productivity because a workstation or network server is unavailable
4- Distribution of corporate secrets by means of mass-mailing worms
5- Increased administrative costs due to repairing damaged workstations and servers
6- Increased bandwidth use on the corporate network and Internet connection secondary to mass-mailing worms and DoS attacks.

Viruses and worms most commonly access an organization’s network through e-mail. Virus writers realize that e-mail is a critical service in most organizations and they exploit this fact by crafting viruses and worms that spread by e-mail. When a user opens an e-mail attachment that contains dangerous code, the code is released to the user’s computer and then spreads to the rest of the network. A single infected host can damage virtually every networked device in a short period.

Implementing Perimeter Networks and Network Templates

What Are Perimeter Networks?
A perimeter network is a network that is separated from an internal network and the Internet. Perimeter networks allow external users to gain access to specific servers that are located on the perimeter network while preventing direct access to the internal network.

Perimeter networks have the following characteristics:
1- Protected by one or more firewalls Perimeter networks are separated from the Internet by one or more firewalls or routers. The perimeter network is usually also separated from the internal network by a firewall. The firewall protects the servers in the perimeter network from the Internet and filters traffic between the perimeter network and the internal network.

2- Contain publicly accessible servers and services The servers in the perimeter network are usually accessible to users from the Internet. The types of servers or services that are often located in the perimeter network include VPN servers and clients, remote access servers (RASs) and clients, Web servers, application front-end servers, SMTP gateway servers, and proxy servers.

3- Must be accessible from the Internet Because the servers on the perimeter network must be accessible from the Internet, the firewall protecting the perimeter network must allow network traffic from the Internet. This traffic must be filtered to ensure that only legitimate traffic enters the perimeter network. Because almost all network traffic will flow from the Internet to the perimeter network, most firewall rules can be configured to allow only inbound traffic.

4- Require network connectivity to the internal network Frequently, the computers on the perimeter network must be able to connect to resources on the internal network. For example, VPN or RAS clients connect to the VPN or RAS server, but then must gain access from that server to the internal network. An SMTP gateway server must be able to forward messages to internal e-mail servers. An application front-end server may need to connect to a database server on the internal network. Often, users on the internal network must also be able to connect to servers in the perimeter network. This means that you must configure firewall access rules on the firewall between the perimeter network and the internal network to enable the required network traffic.

5- Require some level of network protection The servers on the perimeter network must be partially isolated both from the Internet and the internal network. The firewalls on both sides of a perimeter network should not forward all traffic, but should filter traffic flowing in both directions. Only required network traffic should be allowed to pass between networks.

Benefits of Using a Perimeter Network
The main reason for using a perimeter network is to provide an additional layer of security. A perimeter network is commonly used for deploying publicly accessible servers while servers that should never be accessed from the Internet are located on the internal network. In this way, even if an attacker penetrates the perimeter network security, only the perimeter network servers are compromised.

The servers in the perimeter network usually do not contain confidential or private organization data. This data and critical applications are located on the internal network. By implementing a perimeter network, you ensure that there is an additional layer of security between the Internet and the internal servers.

The perimeter network can also be used to secure other connections to the internal network. For example, many organizations are using mobile clients such as wireless devices or cell phones to access information such as e-mail on the internal network. These devices greatly increase the security risks; one way to reduce that risk is to install the wireless access servers for these devices in the perimeter network and then use the internal firewall to filter traffic from these servers to the internal network. VPN servers and clients can be secured using the same method.
