Microsoft Internet Security and Acceleration Server 2000 in Education Deployment Kit
Helping Secure and Accelerate the Campus Internet with ISA Server 2000 Firewalls and Web Proxy Servers
Dr. Thomas W Shinder
Academia was among the first fields to use the online environment, but even a decade ago, online access was not as universally available in schools as it is today. Now it’s not just those in the computer science departments of universities who depend on the Internet. Teachers, parents, and administrators of K-12 and higher educational institutions are all influenced by the effects the Internet has had on education. The Internet has become a powerful tool, enabling access to distributed resources, facilitating learning at the K-12 and higher education levels, enabling elementary and secondary students to create content and publish it to a global audience, allowing college students to work together with other college students across the world, making it possible for university researchers to collaborate regardless of location, and helping parents view and participate in their children's schoolwork more easily than ever before.
The Internet is a powerful tool that can be used to enhance the educational experience, but it also has some inherent risks. This is especially true in the school, college and university environments. Children can view inappropriate material over the Internet; Internet intruders can break into campus networks and compromise student records; students can waste time by going to chat or game sites instead of using the Internet to research information for assignments, and internal or external hackers can use the campus computers to launch attacks. Other problems of a more technical nature, such as system performance and management, become problematic when network Internet access systems are pushed to their limits by the ever-increasing number of users on the campus network.
Microsoft ISA Server 2000 helps to solve some of the common problems encountered by today's Internet-connected primary and secondary schools, colleges, universities and other educational institutions. ISA Server 2000 is an intelligent application layer firewall and Web caching server that helps protect the campus network from external attacks and from exploits that may originate from the internal network behind the ISA Server 2000 machine. The ISA Server 2000 Web cache helps educational institutions reduce overall bandwidth utilization and can provide a faster Web access experience for campus Internet users by returning popular Web content from the ISA Server 2000 Web cache on the local network instead of from an increasingly congested Internet.
ISA Server can provide value to information technology managers, network administrators, and information security professionals in educational organizations of all sizes who are concerned about the security, performance, manageability, or operating costs of their networks. ISA Server can be used in a wide range of scenarios, from small schools, districts and satellite campuses to major, multi-campus systems and statewide networks.
ISA Server 2000 enhances security using several methods. These include:
· packet filtering
· circuit-level filtering
· application filtering
ISA Server 2000 combines these methods to provide protection at multiple network layers.
When packet filtering is enabled, all packets on the external interface are dropped unless IP packet filters, Protocol Rules or Web or Server Publishing Rules explicitly allow them. The ISA Server 2000 firewall intercepts and evaluates packets before they are passed to higher levels in the firewall engine or to an application filter. Packet filtering also allows you to block packets originating from specific Internet hosts in the event that you have enabled inbound access to campus network resources for Internet users but need to block selected hosts on the Internet.
ISA Server 2000 uses dynamic packet filtering mechanisms that simplify configuration and management of the ISA Server 2000 firewall. Ports are opened automatically as required and closed when the communication ends. In contrast to static packet filtering used by traditional firewalls, dynamic filtering reduces the number of statically open ports for both inbound and outbound access.
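The contrast between static and dynamic filtering is easiest to see in a session table. The following is an added example written for this guide, not ISA Server code: a deny-by-default filter that opens the inbound path only for a session that an allowed outbound request created, and closes it again when the session ends. The packet model, the protocol-rule set and the simplified teardown (a single FIN-marked packet ends the session) are assumptions made for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """Minimal packet model: only the fields a filter decision needs (assumed layout)."""
    direction: str     # "out" = internal host -> Internet, "in" = Internet -> internal host
    proto: str         # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    fin: bool = False  # True on the packet that ends the session (simplified teardown)


class DynamicFilter:
    """Deny-by-default filter with a per-session state table.

    Outbound traffic is allowed only if a protocol rule permits the destination
    port; the matching inbound path is then opened for that one session and
    closed again when the session ends. No inbound port is left statically open.
    """

    def __init__(self, allowed_outbound):
        # Protocol rules, e.g. {("tcp", 80), ("tcp", 443), ("udp", 53)}
        self.allowed_outbound = set(allowed_outbound)
        # Session key: (proto, internal_ip, internal_port, external_ip, external_port)
        self.sessions = set()

    def filter(self, pkt: Packet) -> str:
        if pkt.direction == "out":
            key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
            if key in self.sessions:
                if pkt.fin:
                    self.sessions.discard(key)
                return "allow"
            if (pkt.proto, pkt.dport) in self.allowed_outbound:
                self.sessions.add(key)  # port opened for this session only
                return "allow"
            return "drop"
        # Inbound packets are accepted only as replies inside an existing session.
        key = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if key in self.sessions:
            if pkt.fin:
                self.sessions.discard(key)
            return "allow"
        return "drop"


def run_demo():
    """Replay a constructed packet sequence and return the filter's decisions."""
    fw = DynamicFilter({("tcp", 80), ("tcp", 443)})
    seq = [
        Packet("out", "tcp", "10.0.0.5", 40000, "203.0.113.10", 80),      # client opens HTTP session
        Packet("in", "tcp", "203.0.113.10", 80, "10.0.0.5", 40000),       # reply matches the session
        Packet("in", "tcp", "198.51.100.7", 1234, "10.0.0.5", 40000),     # unsolicited inbound: dropped
        Packet("out", "tcp", "10.0.0.5", 40001, "203.0.113.10", 6667),    # no protocol rule: dropped
        Packet("in", "tcp", "203.0.113.10", 80, "10.0.0.5", 40000, True), # session ends, port closes
        Packet("in", "tcp", "203.0.113.10", 80, "10.0.0.5", 40000),       # late packet: dropped again
    ]
    return [fw.filter(p) for p in seq]


if __name__ == "__main__":
    print(run_demo())
```

The last two decisions are the point: once the session tears down, the inbound port that a static filter would have had to leave open permanently is closed again, so a later packet to the same port is dropped.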
ISA Server 2000’s circuit-level filtering provides another layer of security because the firewall inspects transport layer sessions. A transport layer session can include multiple primary and secondary connections, providing a number of important benefits for Windows-based clients running the Firewall Client software. The ISA Server 2000 Firewall client can use complex protocols that require secondary connections (such as voice and video applications) because it can track all the connections that participate in the transport layer session.
These transport layer sessions can be established only in response to an authenticated user request. This can improve security. In addition, circuit-level filtering provides built-in support for protocols with secondary connections, such as FTP, streaming media and voice/video applications.
A major advantage for the campus firewall and network administrator is the ability to define the complex protocol's primary and secondary connection port requirements in the user interface without requiring C++ programming skills or third-party tools. All you need to do is specify the port number or range, protocol type, TCP or UDP, and inbound or outbound direction.
In order to protect the campus network from 21st century attackers, a firewall needs to be able to “understand” and filter application layer protocols. Today’s more sophisticated attacks leverage known and unknown weaknesses in these protocols to attack the campus network. For instance, attackers exploit vulnerabilities in DNS, SMTP and HTTP to circumvent traditional firewalls that only filter at the packet level (network layer). Because so many different protocols operate at the application layer, this
Intelligent application filters allow the ISA Server 2000 firewall to analyze the data stream for a particular application layer protocol and provide application layer specific inspection, screening or blocking, redirecting, or modification of the data as it passes through the firewall.
Application layer inspection (stateful inspection) is used to protect against such threats as unsafe SMTP commands or attacks against internal DNS servers that have been published using ISA Server 2000. Third-party content screening tools, including virus detection, content analysis, and site blocking, can be built into the firewall as application and Web filters.
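To make the idea of an application filter concrete, here is an added example (not ISA Server's SMTP filter, and not its settings) of the kind of inspection such a filter performs on an SMTP command stream bound for a published mail server: each command line is checked before it is forwarded, verbs that enumerate mailboxes are refused, unknown verbs are refused, and over-long lines are cut off. The verb lists and the per-line length limit are illustrative choices for this example; the message body after DATA is passed through without verb checks because it is not command traffic.

```python
import re

# Verbs forwarded to the published mail server. The allow list, the blocked
# verbs and the line limit are illustrative choices, not ISA Server defaults.
ALLOWED_VERBS = {"HELO", "EHLO", "MAIL", "RCPT", "DATA", "RSET", "NOOP", "QUIT"}
# Verbs that disclose or enumerate mailboxes; refused outright.
BLOCKED_VERBS = {"VRFY", "EXPN", "TURN"}
MAX_LINE_BYTES = 512  # SMTP's own command-line limit, CRLF included

VERB_RE = re.compile(r"^([A-Za-z]{4})(?:[ \t]+(.*))?$")


def inspect_smtp_command(line: str):
    """Classify one client command line before it reaches the mail server.

    Returns ("allow", VERB) if the line may be forwarded, else ("block", reason).
    """
    if len(line.encode("utf-8")) > MAX_LINE_BYTES:
        return ("block", "line exceeds %d bytes" % MAX_LINE_BYTES)
    m = VERB_RE.match(line.rstrip("\r\n"))
    if not m:
        return ("block", "malformed command")
    verb = m.group(1).upper()
    if verb in BLOCKED_VERBS:
        return ("block", "verb %s is disabled" % verb)
    if verb not in ALLOWED_VERBS:
        return ("block", "verb %s not on allow list" % verb)
    return ("allow", verb)


def filter_session(lines):
    """Run a client's command stream through the filter in order.

    Returns (verbs forwarded, reason the session was cut) where the reason is
    None if every command passed. The connection is dropped at the first
    violation rather than letting the server see the offending line.
    """
    forwarded, in_data = [], False
    for line in lines:
        if in_data:
            if line.rstrip("\r\n") == ".":
                in_data = False  # end of message body; back to command mode
            continue
        verdict, detail = inspect_smtp_command(line)
        if verdict == "block":
            return forwarded, detail
        forwarded.append(detail)
        in_data = detail == "DATA"
    return forwarded, None


if __name__ == "__main__":
    # Constructed session: the third command is one the filter refuses.
    print(filter_session(["EHLO pc1.example.edu\r\n", "EXPN staff\r\n", "QUIT\r\n"]))
```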
ISA Server 2000 can provide both firewall and Web Proxy features. The ISA Server 2000 Web Proxy service enables the firewall to act as a Web caching server. The Web Proxy component can accelerate the campus Web user’s browsing experience. The Web Proxy cache stores Web pages that have been requested by users so that the next time the same pages are requested by campus network users, the requests can be answered from the Web Proxy cache instead of having to be filled from the original Web site on the Internet.
ISA Server 2000 Web Proxy servers use fast RAM caching that keeps the most frequently accessed Web content in memory. This improves response time even further by retrieving popular Web content from memory instead of from the disk based cache file. ISA Server 2000 also provides an optimized disk cache database that reduces read and write disk access events.
The Web Proxy service supports both forward caching and reverse caching. Forward caching takes place when users behind the ISA Server 2000 Web caching server (internal users) make requests for Internet Web content. Reverse caching takes place when the ISA Server 2000 Web Proxy machine acts as a “reverse proxy” and enables Internet users (external users) faster access to Web sites on the campus network.
Security and fast Web access are both highly desirable commodities for today’s network administrators. Users of school, college and university networks need the protection offered by a sophisticated application layer aware firewall and the enhanced performance provided by a Web caching server.
There are many different vendors providing firewall and/or caching solutions. It’s difficult for busy IT personnel, administrators and purchasing agents to know which will best fit the needs of their educational institution’s network.
There are several reasons to choose ISA Server 2000 as your campus firewall and Web caching server. When compared to competitive products (including both hardware solutions such as Cisco Systems’ PIX firewall and software based solutions such as CheckPoint), ISA Server 2000 has a number of advantages. Benefits of using ISA Server 2000 include:
· Tight integration with the Microsoft Windows operating systems
· Integrated firewall and Web cache management
· Scalability to support growing school districts, colleges and universities
· Lower Total Cost of Ownership (TCO)
More than any other firewall or caching product, ISA Server 2000 is tightly integrated with the Microsoft Windows operating systems that run on so many educational institutions’ servers and client machines. Microsoft designed ISA Server from the ground up specifically to work with Windows. This makes for easy installation and management.
Administrators don’t need to learn about proprietary operating systems and management environments, as with most hardware-based solutions, because ISA Server 2000 uses the same tools they are accustomed to using when managing any Windows Server. This makes for a short learning curve and the ability to get the ISA server(s) up and running quickly and efficiently.
This complete compatibility with Windows also means administrators won’t have to deal with software conflicts as they might with some third-party software based solutions that run on Windows computers. Better compatibility means better reliability and stability for the entire network.
In many cases, third-party products function only as a firewall or only as a Web caching server. Many of the products that are capable of providing both functionalities require that you install add-on software to gain the extra functionality. This may mean extra cost to purchase the add-ons, and in many cases it also means additional hardware, as well. These “two box” solutions, in which the firewall runs on one hardware device and the caching service runs on another, also double the number of devices subject to failure.
ISA Server 2000 provides a single management interface for both network security and Web performance, in a “one-box” solution that reduces the hardware and software overhead from that required by other firewall and Web caching devices. This simplifies administration, reduces cost and literally gives you “two for the price of one.” With ISA Server 2000, you get both an industrial strength firewall and a high performance Web cache on the same machine.
All educational institutions grow over time, and many campuses are currently enjoying unprecedented increases in enrollment. ISA Server 2000 can grow with the institution and this scalability enables you to easily add more ISA Server 2000 servers to the campus network so that your firewall and Web caching solution grows with you.
ISA servers can be grouped together into arrays so that client requests can be distributed among all the members of the array. This provides load balancing and fault tolerance, as well as easier
Another way that ISA Server 2000 is scalable is through the addition of processors to the ISA Server 2000 machine. ISA Server can take advantage of Windows 2000’s and Windows Server 2003’s support for symmetric multiprocessing, which provides a way to increase performance without purchasing an entirely new machine.
ISA Server 2000 is a cost effective firewall and Web caching solution. Initial cost compares favorably to many popular competing firewall and caching solutions, and the savings extend to total cost of ownership. For example, campus network administrators can install the ISA Server 2000 firewall and Web caching software on a single machine, instead of breaking up the Web caching and firewall components and installing them on separate devices. This reduces overall costs by saving on hardware, software, and maintenance overhead. The shorter learning curve based on the familiar Windows MMC interface reduces the cost of administrative time in getting up to speed on the software. And the ability of ISA Server 2000 to utilize multiple processors reduces upgrade costs necessary to realize performance gains.
ISA Server 2000 works with both Windows 2000 Server and Windows Server 2003 and takes advantage of Windows Server operating system technologies that include management, networking, and authentication services. This tight integration with Windows makes ISA Server 2000 the ideal firewall and Web caching server to help secure and accelerate other Microsoft applications, such as Microsoft Exchange and Microsoft SharePoint Portal Servers.
Microsoft’s Active Directory, the sophisticated hierarchical directory service introduced in Windows 2000 Server and enhanced in Windows Server 2003, provides a powerful centralized database for storage and easy retrieval of information about network objects.
With ISA Server 2000 Enterprise Edition, campus network and firewall administrators can leverage the Active Directory to provide scalable and centralized administration of Windows Users and Groups, ISA Server 2000 inbound and outbound access policies, and ISA Server 2000 Configuration information. ISA Server 2000 Standard Edition can also use the Active Directory to authenticate users for inbound and outbound access.
Campus network and firewall administrators can take advantage of Windows networking features, including the built-in virtual private networking (VPN), quality of service (QoS) for bandwidth prioritization, network load balancing (NLB) to provide real time failover and distribution of the processing load, as well as DNS, WINS, DHCP and other Windows networking services. ISA Server 2000 firewalls and Web caching servers can secure communications between internal and external networks using policy-based IPSec connections.
Campus network and firewall administrators can use core operating system services such as the local Security Accounts Management (SAM) database, as well as Active Directory authentication, operating system event logs, and the Microsoft Management Console (MMC) administration tool. Firewall and Web cache management using familiar Windows interfaces reduces the risk of firewall misconfiguration, which is the most common cause of firewall-related problems that can result in compromise of the network.
ISA Server 2000 provides a unified management interface that simplifies management of both the firewall and Web caching components. From this management interface, ISA Server 2000 firewall and network administrators can set inbound and outbound access control policies that are applied to both the firewall and Web cache. This provides consistent control over Internet access and reduces the chance of firewall and Web cache configuration errors.
Whether deployed as a firewall or a Web cache server, ISA Server manages Internet access consistently with access control policies. Access restrictions placed on the firewall are applied to the Web cache server as well.
Network and firewall administrators can use a single management interface to configure and manage both firewall and Web caching components. The firewall and Web cache components share common logging, reporting, and alerting services of ISA Server 2000.
ISA Server 2000 Enterprise Edition is built for even the largest educational institutions, such as large public and private research universities and state-wide education organizations. Tiered firewall policies provide a scalable management model. Centralized policy management makes it simple to increase the number of managed clients and servers on the campus network. Performance also scales to meet the growing needs of large educational institutions with Windows networking and caching technologies such as symmetric multiprocessing (SMP), network load balancing (NLB), and Caching Array Routing Protocol (CARP).
ISA Server 2000 Enterprise Edition provides tiered policies that enable firewall and Web caching servers to have local array policies while inheriting enterprise-wide policies. The enterprise policies enforce a standard level of security for all machines participating in the enterprise array, while local policies can be used to fine tune the security specifications created by enterprise policies. Firewall and network administrators can also delegate various levels of ISA Server administration in distributed deployments so that operators have the level of access they require and no more.
Microsoft designed ISA Server 2000 to scale up with multiple processors by optimizing for Windows 2000 SMP. ISA Server 2000 software was designed to fully utilize the extra processing power to boost performance. Both ISA Server 2000 Standard and Enterprise Editions support multiple processors.
ISA Server 2000 uses the Windows network load balancing services to enable real time failover and load balancing for inbound or outbound connections through the ISA Server 2000 firewall and Web Proxy server. ISA Server 2000 network and firewall administrators can take advantage of CARP (the Caching Array Routing Protocol) to provide load-sharing, high availability, and high performance through clustering of multiple ISA Server machines in a Web caching CARP array using ISA Server 2000 Enterprise Edition.
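What makes a CARP array cheaper to grow than a naive hash-partitioned cache is the routing function. The following added example (written for this guide; it is not the ISA Server or CARP implementation, and the hash and scoring are simplified illustrations of the highest-random-weight scheme CARP is based on) routes each URL to the array member with the best score and measures how many URLs move when a fourth member is added, compared with a plain hash-modulo-N split. The member names and sample URLs are constructed.

```python
import hashlib


def _score(url: str, member: str) -> int:
    """Deterministic weight for a (url, member) pair. SHA-256 is used here only
    for illustration; CARP specifies its own 32-bit hash and load-factor math."""
    digest = hashlib.sha256(f"{member}|{url}".encode("utf-8")).digest()
    return int.from_bytes(digest[:8], "big")


def route(url: str, members) -> str:
    """Highest-random-weight routing: the member with the best score owns the URL.
    Adding a member can only steal URLs; it never reshuffles the others."""
    return max(members, key=lambda m: _score(url, m))


def route_modulo(url: str, members) -> str:
    """Naive alternative: hash the URL and take it modulo the member count.
    Changing N re-homes most URLs, which empties the caches."""
    h = int.from_bytes(hashlib.sha256(url.encode("utf-8")).digest()[:8], "big")
    return members[h % len(members)]


def remap_fraction(urls, old_members, new_members, router=route) -> float:
    """Fraction of URLs whose owner changes between two array memberships."""
    moved = sum(1 for u in urls if router(u, old_members) != router(u, new_members))
    return moved / len(urls)


def sample_urls(n: int):
    # Constructed URLs standing in for a day's worth of campus requests.
    return [f"http://www.example.edu/course/{i}/syllabus.html" for i in range(n)]


if __name__ == "__main__":
    urls = sample_urls(1000)
    three = ["isa1.example.edu", "isa2.example.edu", "isa3.example.edu"]
    four = three + ["isa4.example.edu"]
    print("HRW remap fraction 3->4 members:", remap_fraction(urls, three, four))
    print("modulo remap fraction 3->4 members:", remap_fraction(urls, three, four, route_modulo))
```

With highest-random-weight routing roughly one quarter of the URLs move to the new member and the rest stay where they were cached; with the modulo split roughly three quarters change owner, so most of the existing cache is wasted after every resize.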
ISA Server 2000 lowers cost of ownership for firewall and Web caching by providing integrated firewall and Web caching services, familiar MMC-based management tools, and an open development platform that can be used to extend the security and performance provided by the core ISA Server 2000 software.
Unlike other firewall and Web caching solutions that require separate purchases, ISA Server integrates services such as firewall, Web cache, basic intrusion detection, reporting, VPN, and bandwidth management into a single product.
Campus network and firewall administrators can capitalize on their current Windows knowledge and skills and focus on firewall security issues and policy enforcement, rather than learning a new operating system, user interface (UI), or command line syntax.
ISA Server 2000 machines installed in caching only, firewall or integrated modes can be placed virtually anywhere in an existing network infrastructure and require a minimum of disruption. You can enhance your current firewall infrastructure by dropping in ISA Server 2000 firewalls and Web caching servers to perform sophisticated application layer filtering in conjunction with existing traditional packet filtering firewalls that you already have in place.
An extensive software development kit (SDK) and application programming interfaces (APIs) allow educational institutions to extend the firewall security and Web proxy performance of ISA Server 2000 machines. In addition, ISA Server 2000 has industry-wide third party vendor support to provide a large number of value-added security, management, and caching applications. ISA Server 2000 provides an open platform that ensures customers get scalable security, performance, and management.
ISA Server 2000 can solve a number of Internet access control issues for educational institutions. Here are a few examples of how bringing an ISA Server 2000 firewall and Web caching server into the campus network can solve common issues:
A private academy wants to provide Internet access for students from their dorm rooms. However, the academy does not want to provide the same level of Internet access to all students. The academy would like to provide limited Internet access to freshmen, and increase the number of allowed sites for upperclassmen.
ISA Server 2000 allows you to create granular access policies based on user/group membership. For example, you can create one access policy, called "freshman access," which limits access of the freshmen students to a selected number of sites. Another access policy, called "upperclassmen access," allows access to all legitimate Web sites. The freshmen policy is assigned to the freshman global group in the Active Directory, and the upperclassmen policy is assigned to the upperclassman global group.
The university’s firewall administrator has left the institution for another opportunity in the IT industry. No one at the university understands how to configure the BSD Unix-based Gauntlet firewall that is currently in place. No changes in access policy can be made until the university finds and hires an individual who can correctly configure the firewall.
ISA Server 2000 ease of use features make it simple for almost any experienced Windows administrator to configure the firewall. Third-party integration products allow campus network and firewall administrators to further simplify management. For example, you can offload the filtering aspects of configuration to third party products that keep databases of commonly banned Web sites. Network administrators will not have to hand-edit a cf file or recompile a kernel in order to allow outbound access to new protocols.
Schools are filled with students who consider themselves to be “hackers”. Ranging from savvy programmers to “script kiddies,” they consider it a mark of pride to intrude into systems without authorization, distribute viruses and worms, and bring down computers and networks. Without policy based access control and logging and reporting that includes user credentials, these “hackers in training” can put the school at risk of legal liability by launching attacks from the school’s computers against external Web sites across the Internet, and can threaten the school’s own network by attacking student and departmental LANs.
ISA Server 2000 integrates intrusion detection tools from Internet Security Systems (ISS), with which malicious hacking activities can be monitored automatically. For example, when a student initiates a Ping of Death attack against a departmental LAN, ISA Server 2000 can immediately trigger an event. That event can alert the principal or guidance counselor. The student can then be warned or censured. Subsequent violations of network policy might lead to restricting that student to computers that are personally monitored by teachers.
Educational institutions often allow students access to all Internet sites and content. However, school administrators usually have no idea of how this unlimited access policy is used (and misused). With this “open access” policy, teachers and administrators don’t know which students are repeatedly attempting to connect to inappropriate sites and which ones are browsing inappropriate content instead of performing research for school related activities. In addition, schools do not know who is generating the most Internet traffic during peak times.
Knowledge is power, and ISA Server 2000’s built in reporting features give campus network and firewall administrators clear documentation of the most popular Web sites for their users, as well as a record of the most popular applications and the heaviest bandwidth users. ISA Server gives administrators the flexibility to allocate greater bandwidth during times of heaviest use to selected users, such as power users who always go to approved or productive sites (as determined by a compatible third-party content engine). This type of bandwidth control can also be used as a reward for students who consistently follow network policy.
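The three questions the preceding paragraphs raise (which sites are most popular, who uses the most bandwidth, and which users keep retrying blocked sites) are all answered by summarizing the proxy log. The following is an added example written for this guide, not ISA Server's reporting engine: it parses a constructed log sample in a simplified column layout chosen here (not ISA Server 2000's log format) and produces those three summaries. User names, addresses and hosts are made up.

```python
import csv
import io
from collections import Counter, defaultdict

# Constructed sample log. Columns are a simplified layout chosen for this
# example; ISA Server's own log fields differ.
SAMPLE_LOG = """\
time,user,client_ip,dest_host,bytes,result
2003-09-15T09:01:12,alice,10.1.5.20,www.example.edu,120000,allowed
2003-09-15T09:01:40,bob,10.1.5.21,games.example.net,0,denied
2003-09-15T09:02:05,bob,10.1.5.21,games.example.net,0,denied
2003-09-15T09:02:31,carol,10.1.5.22,www.example.edu,80000,allowed
2003-09-15T09:03:10,alice,10.1.5.20,research.example.org,450000,allowed
2003-09-15T09:03:55,bob,10.1.5.21,games.example.net,0,denied
2003-09-15T09:04:20,dave,10.1.5.23,www.example.edu,50000,allowed
2003-09-15T09:05:02,carol,10.1.5.22,video.example.org,900000,allowed
2003-09-15T09:05:47,dave,10.1.5.23,chat.example.net,0,denied
2003-09-15T09:06:10,alice,10.1.5.20,www.example.edu,30000,allowed
"""


def parse_log(text: str):
    """Turn the CSV text into a list of row dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))


def top_sites(records, n: int):
    """Most requested destination hosts, counting every request, allowed or denied."""
    counts = Counter(r["dest_host"] for r in records)
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))[:n]


def top_users_by_bytes(records, n: int):
    """Heaviest bandwidth consumers by total bytes transferred."""
    totals = defaultdict(int)
    for r in records:
        totals[r["user"]] += int(r["bytes"])
    return sorted(totals.items(), key=lambda kv: (-kv[1], kv[0]))[:n]


def repeat_denied(records, threshold: int = 2):
    """Users denied at least `threshold` times, with the hosts they kept trying.
    A single denied request is usually a mistake; repeats are a policy question."""
    per_user = defaultdict(Counter)
    for r in records:
        if r["result"] == "denied":
            per_user[r["user"]][r["dest_host"]] += 1
    return {u: dict(c) for u, c in per_user.items() if sum(c.values()) >= threshold}


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("top sites:", top_sites(recs, 3))
    print("top users by bytes:", top_users_by_bytes(recs, 3))
    print("repeat denials:", repeat_denied(recs))
```

Because the log carries the user name rather than only a client address, the summaries attribute activity to a person even when students share lab machines, which is the difference the page draws between logging with and without user credentials.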
Few schools and universities have unlimited bandwidth; all Internet links have a finite limit. Some institutions pay for bandwidth on a usage basis. Even if bandwidth is not metered by the provider, network and firewall administrators become frustrated when they see network performance slow down because too many students are going to the same site and downloading the same content over and over again. Repeated downloads of the same content reduce performance and can even prevent an institution from engaging in certain teaching exercises, such as having a thousand students participate in a simultaneous school-wide Internet exercise.
ISA Server 2000 can generate reports to determine which sites are accessed the most frequently, and then Web Routing Rules can be configured to cache those sites more aggressively so that the server does not have to go out onto the Internet to access them as often during peak usage times. ISA Server 2000 uses RAM caching in addition to hard disk space. This gives students access to popular Web sites even faster than if the cache were stored on a hard disk cache alone.
Campus network and firewall administrators need secure access to sites outside of the campus network. In some cases, administrators and staff and faculty members may want to be able to access the campus network from their homes so that they can handle system management, file access or e-mail access on nights and weekends. In other cases, administrators may wish to bring remote or satellite campuses or facilities into the network, or to enable distance learning activities with students across the county or across
ISA Server 2000 can be configured as an integrated firewall/VPN server to allow communication from specific remote clients to network resources. The remote clients (administrators working from home, teachers or managers at remote sites, or distance learning students) dial into their own ISPs, and a VPN tunnel is established between the remote user and the campus network.
A rural school district often has facilities spread across many miles, and many colleges and universities have several remote campuses. Managing performance at these geographically separated facilities can be a challenge, with remote users often getting the short end of the stick when traffic is high and available bandwidth is low. Educational institutions’ IT administrators would like to manage their networks so that remote users have equal Internet access with users on the central campus or facility.
ISA Server can be deployed in a large, geographically dispersed network with arrays of computers in the main facility and at branch or satellite facilities, as necessary to accommodate user needs. This allows IT administrators at these educational institutions to centralize the security and caching policy for the entire organization. It also alleviates performance concerns in the remote facilities, as an ISA Server at the remote location can service user requests for Internet objects from the local cache.
School districts and colleges and universities have a major interest in Web publishing, whether they're posting public relations and recruitment information, student projects, research data, or school lunch and scheduling information. However, a public Web server can be an inviting target for hackers, and educational institutions’ networks often contain a great deal of confidential information, from grades to student medical records to financial data, that must not be compromised. The educational organization wants outside users to have full access to its data – but only to that data it chooses to make publicly available.
ISA Server offers Web publishing functions that enable educational organizations to securely publish Web content from within their protected intranets. The ISA Server impersonates a Web server to the outside world, while the Web server maintains access to internal network services. The Web server can be located either on the same computer as the ISA Server or on a different computer, although a separate server heightens the security of the system.