Microsoft ISA Server 2004 Firewall, part 2
Pages: 9
File type: pdf
Size: 43.33 KB
SecureNAT Client

The SecureNAT client is effectively any device that attempts to communicate through the ISA Server 2004 firewall without being configured as one of the other firewall client types. For all intents and purposes, this is the traditional "point the client at the firewall as its default gateway" type of client. Therefore, practically any type of TCP/IP network host can communicate through the firewall as a SecureNAT client. Although easy to implement (there is no special configuration required beyond just enabling network communications on the host), the SecureNAT client is the least secure and least capable of the firewall clients. SecureNAT clients cannot be configured to authenticate with the firewall to determine what access should be permitted, nor can they access resources requiring complex protocols (protocols that require multiple connections; for example, standard FTP [port] mode connections) without the use of application filters installed on the firewall itself.

Firewall Client

The ISA Server 2004 firewall client is one of the components of an ISA Server 2004 solution that really separates it from the competition in terms of the kind of control over access that can be managed. The firewall client software can be installed on any Windows-based client, which is a limitation in environments that use Linux, Sun, UNIX, or Mac computers. Once implemented, however, the firewall client enables you to define access to external resources based on users and groups and to authenticate all access requests to ensure that only the users you have specified are allowed to communicate. It also enables you to define how they can communicate. This authentication information is stored in the firewall log files, making it easy to perform a forensic analysis to determine what sites, protocols, and applications the user was running or accessing.

Perhaps the most powerful feature of the firewall client is the ability to enforce security controls on the client itself (for example, allowing only applications that you explicitly permit to function on the client, or allowing only certain ports on the client to be used for communications). For example, a relatively difficult task to perform with most firewalls is to prevent instant messaging and peer-to-peer applications from being used by the users. Instant messaging applications can almost all use HTTP (or any other protocol) as the transport protocol, making it difficult to effectively block them at the firewall. Similarly, many peer-to-peer applications can do the same thing. With the firewall client, you can define the names of applications that should not be allowed to run; they will be blocked by the firewall client software. Keep in mind that if the users can rename the application executable, they can bypass these restrictions.

Web Proxy Client

The web proxy client is used any time a computer is configured via its web browser to use a proxy, and the ISA Server 2004 server is specified as the proxy. Although web browsers are the most commonly implemented applications that use proxies, instant messaging software and other applications that support using a proxy can also be configured as web proxy clients.

The web proxy client enables you to improve the performance of web access because the data can be cached by the firewall and served to the clients out of cache. This also reduces bandwidth requirements, as discussed in the next section. The web proxy client also supports using authentication for access, similar to the firewall client, thus providing a mechanism to control and track access on a per-user basis.

Web Caching Server Functionality

Although technically not a firewall or security feature, the ISA Server 2004 server provides full caching server functionality. This allows the server to transparently cache web requests and then service subsequent requests out of cache, thus reducing the amount of bandwidth that is used for client web browsing. This also allows the ISA Server 2004 server to function as a proxy, retrieving content on behalf of clients.

Network Services Publishing

To provide access to protected resources, ISA Server 2004 implements what are known as publishing rules. These rules are used to provide inbound/ingress filtering functionality for resources that are being protected by the firewall. For example, if you have a web server that needs to provide services to external clients, you would use network services publishing (specifically, web server publishing rules) to publish, or provide access to, the protected web server resource.

There are four types of publishing rules:
• Web server publishing rule
• Secure web server publishing rule
• E-mail server publishing rule
• Server publishing rule

As you would expect, the first three rule types are specialized to handle the corresponding types of network services. The server publishing rule is the generic catchall rule type for any and all other publishing requirements.

VPN Functionality

Microsoft ISA Server 2004, like many other firewalls, also provides integrated VPN functionality, allowing you to use the ISA Server 2004 both as a component in a site-to-site VPN and as a termination point for remote access VPN services. Although previous versions supported Point-to-Point Tunneling Protocol (PPTP) and Layer 2 Tunneling Protocol / IP Security (L2TP/IPsec) VPN protocols, ISA Server 2004 also supports native IPsec tunnel mode VPN implementations.

Because the VPN functionality is integrated with the firewall, ISA Server 2004 can also perform stateful packet filtering and inspection on VPN traffic that is passing through the firewall, providing additional security and control of all traffic that is entering or exiting the protected network. Doing so enables you to perform actions such as limiting your remote sales users to a subset of servers and services on the protected network.

Managem ...
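The Firewall Client section above notes that the user identity recorded with each request makes the firewall log the natural place for a forensic review of which sites and protocols a user accessed, while SecureNAT clients (which cannot authenticate) leave only a source IP behind. The script below is an added example, not code from the excerpt or from Microsoft: it parses a W3C-style log with a #Fields header (ISA Server writes its W3C logs with such a header, but the exact field set, the field names and the records here are constructed assumptions), summarises activity per user, and lists the client addresses whose traffic carried no identity.

```python
"""Per-user forensic summary of a W3C-style firewall log.

The sample log is CONSTRUCTED for this example. Its #Fields header follows
the shape of ISA Server's W3C log format, but the field list and records are
assumptions, not real ISA Server 2004 output.
"""
from collections import defaultdict

SAMPLE_LOG = """\
#Software: (constructed sample)
#Fields: date time c-ip cs-username cs-protocol cs-transport r-host r-port rule action
2004-06-01 08:00:01 10.0.0.5 CORP\\alice http TCP www.example.com 80 AllowWeb Allowed
2004-06-01 08:00:02 10.0.0.5 CORP\\alice https TCP mail.example.com 443 AllowWeb Allowed
2004-06-01 08:01:10 10.0.0.9 anonymous ftp TCP ftp.example.org 21 Default Denied
2004-06-01 08:02:33 10.0.0.5 CORP\\alice http TCP www.example.com 80 AllowWeb Allowed
2004-06-01 08:03:00 10.0.0.7 CORP\\bob pop3 TCP mail.example.com 110 Default Denied
"""


def parse_w3c(text):
    """Yield one dict per record, keyed by the names given in the #Fields line."""
    fields = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            # The header defines the column order; records are read against it.
            fields = line.split(":", 1)[1].split()
            continue
        if line.startswith("#"):
            continue  # other directives such as #Software or #Date
        if fields is None:
            raise ValueError("data record appears before the #Fields header")
        values = line.split()
        if len(values) != len(fields):
            raise ValueError(f"field count mismatch in record: {line!r}")
        yield dict(zip(fields, values))


def summarize_by_user(text):
    """Group records by cs-username: hosts, protocols, client IPs, request and deny counts."""
    summary = defaultdict(lambda: {
        "hosts": set(), "protocols": set(), "client_ips": set(),
        "requests": 0, "denied": 0,
    })
    for rec in parse_w3c(text):
        user = summary[rec["cs-username"]]
        user["hosts"].add(rec["r-host"])
        user["protocols"].add(rec["cs-protocol"])
        user["client_ips"].add(rec["c-ip"])
        user["requests"] += 1
        if rec["action"] == "Denied":
            user["denied"] += 1
    return dict(summary)


def unauthenticated_sources(text):
    """Client IPs whose requests carry no user identity (how a SecureNAT client shows up)."""
    return sorted({rec["c-ip"] for rec in parse_w3c(text)
                   if rec["cs-username"] == "anonymous"})


if __name__ == "__main__":
    for name, info in summarize_by_user(SAMPLE_LOG).items():
        print(f"{name}: {info['requests']} requests, {info['denied']} denied, "
              f"hosts={sorted(info['hosts'])}, protocols={sorted(info['protocols'])}")
    print("unauthenticated client IPs:", unauthenticated_sources(SAMPLE_LOG))
```

Reading the column names from the #Fields line rather than hard-coding positions is what keeps the parser usable when the set of logged fields is changed in the server's logging configuration; the anonymous-source list is the quick way to see which hosts would need the firewall client or web proxy client installed before their traffic can be attributed to a user.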