ISAserver.org Monthly Newsletter of March 2007
Sponsored by: GFI Software

Welcome to the ISAserver.org newsletter by Thomas W Shinder MD, MVP. Each month we will bring you interesting and helpful information on ISA Server. We want to know what all *you* are interested in hearing about. Please send your suggestions for future newsletter content to: tshinder@isaserver.org

1. Does Anyone Take Perimeter Security Seriously?

At the recent worldwide MVP conference in Redmond I had the chance to spend a lot of time with the Windows Security MVPs, given the fact that my wife, Deb Shinder, is a security MVP. One of the people I spent some time talking to about network security was Slav Pidgorny. I owe a debt of gratitude to Slav, as he was the person who nominated me for my ISA Firewall MVP, which I've kept in good standing for the last five years. Slav is also one of the smartest guys I know, so I always pay close attention to what he has to say.

We got into a discussion of perimeterization and how you can use the ISA Firewall to create multiple perimeters within the organization, based on the defined security zone to which the assets in that zone belong. Slav is of the opinion that attempts at access control based on perimeterization are unrealistic: it's too complex, and there are too many perimeters in an organization to make such a venture worthwhile. My argument was that asset classification is something that all security teams need to do as part of their due diligence effort to protect networked assets. One key part of asset classification is to determine the relative value of the asset, the probability that the asset will be compromised, and the costs to the organization in the event that the asset is compromised. Assets of similar ratings belong to the same security zone and should be segregated from assets belonging to other security zones, in order to control the potential damage incurred if another security zone's assets are compromised.

While this seems to be a complex endeavor, it's far from impossible. I've used the ISA Firewall for internal network zone segmentation many times, and it's not rocket science. While Slav maintains that the process is too complex, I can come back and say that it's only complex if you don't know how to do it. Once you take the time to learn how to create internal (and edge) perimeters using the ISA Firewall, it's actually quite simple. And once you learn how to use perimeterization effectively, you can avoid some other recommendations which I strongly disagree with: the recommendation about where to place a Client Access Server in relation to the other servers in the Exchange configuration, and the popular yet flawed recommendation that the ISA Firewall should not be a domain member and somehow requires other "firewalls" to protect the ISA Firewall, even though Microsoft itself uses only the ISA Firewall, and no other firewalls, on its corporate network.

What do you think? Is network perimeterization a thing of the past (or worse, a thing that never happened)? Should we just put the clients, servers, domain controllers, all types of Exchange Servers, SQL Servers, SharePoint Servers, Systems Management Servers, Web servers, FTP servers, and any other server you care to think of into a single, free-for-all "EMZ" (Extremely Militarized Zone) and hope and pray that host security will save the day? Send me a note at tshinder@isaserver.org and let me know what you think, and we'll hash out the results next month. Thanks!

Before I leave this month, I need to tell you about Tim Mullen's and Jim Harrison's Microsoft Ninjitsu: Black Belt Edition class that will be given at Black Hat in Las Vegas this year. This "Developed for Blackhat" training is the only one of its kind, and is an absolute must for anyone responsible for securing Microsoft installations.
This course combines the most popular aspects of Tim Mullen's "Microsoft Ninjitsu and ISA Ninjitsu" training sessions into an intense two-day training that runs the gamut of securing Microsoft deployments, from infrastructure applications of IPSec and Group Policy to the secure publication of SQL data into your DMZ and the secure provision of external services via authentication-perimeter DMZ segmentation. Quite simply, it is The Best Microsoft training ever! Tim and Jim will be delivering the course, and I'll be there as a "teacher's assistant" to help the students with questions and procedures about the ISA Firewall and the Microsoft IAG 2007. This is a once-in-a-lifetime event and I hope to see you there! For more information check out http://www.blackhat.com/html/bh-usa-07/bh-usa-07-index.html

=======================
Quote of the Month - "I don't like jail, they got the wrong kind of bars in there"
=======================

2. Tom and Deb Shinder's Configuring ISA Server 2004 - Order Today!
3. ISAserver.org Learning Zone Articles of Interest

We have a great group of articles in the Learning Zone that will help you get a handle on your most difficult configuration issues. Here are just a few of the newer and more interesting articles:
4. KB Articles of the Month

Here are some interesting and useful ISA Server related articles posted by Microsoft in the last month:
5. Tip of the Month

One of the most common questions asked on the ISAserver.org message boards relates to FTP connection failures. The most common scenario is that users are able to connect using the command-line FTP client, but connections using Internet Explorer fail. The fix might be as simple as configuring the ISA Firewall to issue PASV mode FTP connections. Check out http://support.microsoft.com/kb/300641 for information on how to do this.

As things stand right now, Exchange 2007's networking features are pretty much a black box. This is extremely problematic for ISA Firewall admins who want to follow network security best practices by putting the Edge Exchange Server in a different security zone from the Hub and Mailbox servers. Here's a great article that explicates the required protocols and may be the solution for security-conscious ISA Firewall admins: http://blogs.3sharp.com/Blog/deving/archive/2007/01/11/2774.aspx

6. ISA Firewall Links of the Month

ISA 2004 Security Hardening Guide
http://www.microsoft.com/technet/isa/2004/plan/securityhardeningguide.mspx

TechNet Webcast on Microsoft Edge Secure Access Technologies. This is a level 200 discussion of Microsoft's edge security products, including ISA 2006 firewalls and the IAG 2007.

Best Practices for Performance for ISA 2006 firewalls
http://www.microsoft.com/technet/isa/2006/perf_bp.mspx

Get the latest version of Network Monitor! This is a completely revamped version of NetMon with so many improvements that you'll just have to see it to believe it!

Get up to speed on the technical details of the Microsoft IAG 2007 at http://www.microsoft.com/forefront/edgesecurity/iag/whitepapers.mspx

7. Blog Posts

Require 128-bit Encryption for HTTPS Traffic with ISA Server 2006 (Part 2)

WARNING! Windows Server 2003 SP2 May Destroy Your ISA Firewall without Warning

IAG 2007 Webcasts
http://blogs.isaserver.org/shinder/2007/03/21/iag-2007-webcasts/

Should You Get an ISA Firewall or the IAG 2007?
http://blogs.isaserver.org/shinder/2007/03/21/should-you-get-an-isa-firewall-or-the-iag-2007/

Support ISAserver.org - Get Cool ISAserver.org Shirts, Mugs and Hats!

ISA 2006 Update for Exchange 2007 Fails (miserably)
http://blogs.isaserver.org/shinder/2007/03/20/isa-2006-update-for-exchange-2007-fails-miserably/

Do Not Install a Host AV Program on the ISA Firewall!
http://blogs.isaserver.org/shinder/2007/03/19/do-not-install-a-host-av-program-on-the-isa-firewall/

Questions and Answers About Microsoft's ISA Firewall Deployment

8. Ask Dr. Tom

QUESTION: I have 2 NICs and I have already configured both of them (as internal and external LAN cards), and they are working fine. How could I do the network rule policy, because I can't access the Internet? Thanks! --Iaculallad

ANSWER: When you install the ISA Firewall software on a multihomed machine, one of the things you do during setup is define the Default Internal Network. When installation is complete, the default configuration makes the ISA Firewall an edge firewall, which includes a Network Rule that sets a NAT relationship between the Default Internal Network and the default External Network.
QUESTION: I have read a lot of articles on the website, and I'm deeply impressed, but I still cannot understand how to make simple incoming NAT connections.

ANSWER: You should have no problem publishing these two Web servers. Steps to take:
Got a question for Dr. Tom? Send it to tshinder@isaserver.org.