
Microsoft ISA Server 2004 Firewall, Part 1

Microsoft ISA Server 2004 Firewall

Microsoft ISA Server 2004 is a hybrid stateful packet-inspecting, circuit-filtering, and application layer proxy firewall. By hybrid, we mean that it can provide any of those functionalities at any given time based on the traffic it is receiving. If it has an application filter for the given protocol or application, it will function as an application proxy firewall for that traffic. If it does not, it will resort to either stateful packet inspecting or circuit filtering as required. In addition, ISA Server 2004 includes virtual private networking (VPN) and caching capabilities, allowing it to function as an all-in-one device that, as one would expect, integrates pretty cleanly with Microsoft-centric environments.

Before we look at the features of Microsoft ISA Server 2004, let's talk about the elephant in the room, namely the perception that ISA Server 2004 is not a real firewall. This perception is largely the result of misinformation, lack of education regarding the product, and simple dislike/disregard of anything Microsoft being remotely considered as a security solution. When you look at ISA Server 2004 with an honest and skeptical eye, it is relatively easy to cut through many of the fallacies and realize that Microsoft ISA Server 2004 is an effective and practical firewall solution.

First on the list of misconceptions is the statement that any firewall running on a Windows platform cannot be secure. This is just not factually accurate. All firewalls run on some operating system. In the case of firewalls such as the Cisco PIX Firewall or Check Point SecurePlatform, the operating system is specialized and hardened for use on a firewall. Windows, out of the box, is not designed to be run on a firewall, but it can be effectively secured and hardened following the principles of running the minimum required services and functionality necessary to operate as a firewall alone.

Some excellent resources detail how to effectively secure the underlying Windows operating system:

• NSA Security Configuration Guides
  http://www.nsa.gov/snac/downloads_all.cfm?MenuID=scg10.3.1
• Hardening the Windows Infrastructure on the ISA Server 2004 Computer
  http://www.microsoft.com/technet/prodtechnol/isa/2004/plan/hardeningwindows.mspx
• Windows Server 2003 Security Guide
  http://www.microsoft.com/technet/security/prodtech/windowsserver2003/w2003hg/sgch00.mspx
• ISA Server 2004 Security Hardening Guide
  http://www.microsoft.com/technet/prodtechnol/isa/2004/plan/securityhardeningguide.mspx

Note

Keep in mind that many of the procedures for Windows 2000 are applicable to Windows 2003 and vice versa, so do not hesitate to use both the Windows 2000 and 2003 guides regardless of your actual operating system.

Another frequent misconception is that ISA Server 2004 is just an upgrade to Microsoft Proxy Server 2.0. Although ISA Server 2004 is indeed the logical upgrade to Proxy Server 2.0 (technically, ISA Server 2000 is the direct upgrade to Proxy Server 2.0), that is not to say that ISA Server 2004 is just a proxy server. Proxy Server 2.0 had absolutely no advanced firewall features. It was primarily a caching engine with basic packet-filtering capabilities. Microsoft ISA Server 2004 is a fully featured firewall, capable of performing stateful packet inspection as well as application layer filtering and proxying. In addition, it can function as a caching engine. Simply put, trying to claim that because ISA Server 2004 is an upgrade to Proxy Server it is therefore not a real firewall has absolutely no technical merit.

Microsoft ISA Server 2004 Features

Microsoft ISA Server 2004 consists of two editions: Standard Edition and Enterprise Edition. The predominant differences between the Standard and Enterprise editions relate to scalability. Table 8-1 summarizes the differences between the Standard and Enterprise editions.

Table 8-1. Comparison of ISA Server 2004 Standard and Enterprise Editions

| Feature | Standard Edition | Enterprise Edition |
|---|---|---|
| Networks | Unlimited | Unlimited, with the addition of enterprise networks (networks that can be applied to any firewall array anywhere in the enterprise) |
| Scale up | Up to 4 CPUs and 2-GB RAM | Unlimited (per operating system) |
| Scale out | Single server | Up to 32 nodes using Microsoft Network Load Balancing (NLB) |
| Caching | Single server store | Unlimited (through the use of Cache Array Routing Protocol (CARP)) |
| High availability | None | Yes (using NLB) |
| Management | Local management and configuration | Array and enterprise-level configuration |
| Underlying operating system | Microsoft Windows Server 2003 (Standard or Enterprise Edition), Microsoft Windows 2000 Server or Advanced Server with Service Pack 4 (SP4) or la ... | Microsoft Windows Server 2003 (Standard or Enterprise Edition) |
