ISAserver.org Monthly Newsletter of October 2007 Sponsored by: Burstek

Welcome to the ISAserver.org newsletter by Thomas W Shinder MD, MVP. Each month we will bring you interesting and helpful information on ISA Server. We want to know what all *you* are interested in hearing about. Please send your suggestions for future newsletter content to: tshinder@isaserver.org

1. But I Have a Firewall!

You've heard the old joke. Joe User complains that his business computers have been hacked and that all credit card and personally identifiable information he stored on his customers has been stolen and is now, as we speak, being sold to the highest bidders on the Internet. This guy can't believe it happened. You ask him about security and he says "but I had a firewall!"

The funny thing isn't that the joke is funny, what's funny is that there really are people like that out there. The example I gave above was a real story, taken from the Wall Street Journal. The business owner had a couple of computers in his business that contained a wealth of PII (personally identifiable information) that was stolen out from under him. And he really did tell the reporter that he didn't know much about computers, but a consultant came in, put in a firewall, and called it secure (and probably "Good" too).

If you look more deeply into situations like this, you'll find that they don't have a firewall at all. What they have is a simple NAT device that doesn't perform any kind of reverse NAT. Since there isn't any reverse NAT, no new inbound connections can be made into the "protected" network. The consultant explains this to the befuddled business owner, charges him a few hundred dollars for plugging the NAT device in, and calls it a day.

While this is a pretty gross example of incompetence or perhaps malfeasance, it's not far from what I see on the ISAserver.org Web boards and mailing list every day. You might know the drill -- "Can you help me set up my single NIC ISA Server Proxy so that I'm secure? I already have a firewall".

Yes, I know that you already have a firewall, and it's called ISA 2004 or ISA 2006. Whatever device you have out there can be used to augment the exceptional firewall protection provided by the ISA Firewall, but it definitely does not provide a replacement for the ISA Firewall. Asking how to configure a secure single NIC (hork mode) ISA Firewall is an oxymoron - single NIC ISA Firewalls can only be set up as Web proxy devices, they can't provide security since they aren't inline devices, and since they aren't inline devices, they can't provide the physical or logical separation required between the good guys and the bad guys.

In many cases, the problem isn't with the ISA Firewall admin, who very much wants to run the ISA Firewall in full firewall mode so as to provide the highest level of protection possible. The problem is with the "network guys" or the "security guys". These guys are a problem because they fear what they don't understand (a normal human reaction) and they think of Microsoft security in terms of Windows 95 and Windows NT 4.0. Like those little bugs you find in amber, their understanding of the Microsoft security landscape is stuck somewhere in the pre-historic days of the Internet.

We can help educate these people so that everyone is able to get the most of their ISA Firewall purchase. Check out two articles I recently put up on www.isaserver.org that are aimed at helping the security and network guys understand the ISA Firewall:

Questions and Answers about the ISA 2006 Firewall
Why Upgrade to ISA 2006 Firewalls?

There is also another excellent article on the ISA Firewall's core firewall engine on the Microsoft Web site that will help convince them that the ISA Firewall is an honest to goodness network firewall, you can find that article at:

ISA Server 2006 Firewall Core

Security is difficult, and even when you correctly deploy an ISA Firewall, there's still a lot more you need to do. Otherwise, you'll be in the same position as the hapless business owner who thought he was secure because he had a firewall. You need to look at security from end to end, protecting the data on disk, protecting the data as it's in flight over the network, and protecting the data even when it's in the hands of the users and outside the access controls you place on file system, database, and other managed containers. Only then can you say you're secure, at least for the moment, as security is a never ending process representing an arms race between you and the criminals.

That's all for now! If you have any questions or comments, you're always welcome to send them to me at tshinder@isaserver.org

Thanks!

Tom

=======================

Quote of the Month - "Indecision may or may not be my problem."

-- Jimmy Buffet

=======================

2. ISA Server 2006 Migration Guide - Order Today!

3. ISAserver.org Learning Zone Articles of Interest

We have a great group of articles in the Learning Zone that will help you get a handle on your most difficult configuration issues. Here are just a few of the newer and more interesting articles:

• Questions and Answers About the ISA 2006 Firewall
• Why Upgrade to ISA 2006 Firewalls?
• Configuring the 2006 ISA Firewall to Support Password Changes
• Exporting and Importing Troublesome ISA Server Rule bases from 2004 to 2006
• ISA 2006 Web Caching
• Product Review: Collective Software's ClearTunnel

4. KB Articles of the Month

Here are some interesting and useful ISA Server related articles posted by Microsoft in the last month:

• Error message when you try to visit a Web site that is published in ISA Server 2004: "HTTP error 500: network name no longer exists"
• The "401 Authentication Required" response that is sent by a Web site is dropped when you use ISA Server 2004 as a Web proxy
• Error message when you try to open the HTTP compression preferences in the ISA Server Management console after you apply Service Pack 3 for ISA Server 2004: "ISA Server cannot load the property page"
• You cannot start the Microsoft Firewall service on a server that is running ISA 2004 or ISA 2006 if you enable SSL on a Web listener
• Routing and Remote Access stops responding in Windows Server 2003
• How to configure an ISA Server computer for a very large number of authentication requests
• RPC clients cannot use Kerberos authentication to authenticate with a server that you publish behind ISA Server 2004, Enterprise Edition

5. Tips of the Month

Seems like new suggestions for a true silent installation of the Firewall client come up every month. Check out this thread for another suggestion: True silent install of client (scroll down to the bottom of the page).

I've been meaning to write an article on how to configure a secure site to site VPN using L2TP/IPSec when one of the ISA Firewalls is behind a NAT device. Until then, if you need to accomplish this task, check out this thread on a discussion of the NAT-T issues with this configuration: VPN with back to back ISA 2006 DMZ.

Ever had a problem with Event ID 11004 after importing a domain name set? If so, here's one possible solution: Eventid 11004 after importing ruleset.

6. ISA Firewall Links of the Month

• When ISA Server Can't Set Up NLB Parameters
• Windows services may fail to start after installing ISA Server 2006 Supportability Pack (KB 939455)
• Amy Babinchak's Blog on SMB Security and ISA Firewalls

7. Blog Posts

• Client requests to access a published Web site are blocked when you configure ISA Server 2006 to allow direct authentication to access a published Web server
• Solving the "All Open" Rule Problem for Acquiring a Machine Certificate from an Enterprise CA
• Windows Services May Fail to Start After Installing ISA 2004 SP3
• Certificate Enrollment Requires a Custom Protocol
• Status Codes Gone Missing?

8. Ask Dr. Tom

QUESTION: Hi Tom,

I am facing one issue after installing ISA Server 2006 Enterprise Edition. Clients are not able to download .doc files. When user tries to download files, the progress bar stops at 99%. Any ideas? Thanks! - Dhyan.

ANSWER: I can't give you a definitive answer on this because I don't know the details of your implementation. However, one thing you can try is to configure the clients as Web Proxy clients. Also, make sure that Path MTU Discovery is enabled on the ISA Firewall. One last general suggestion is that you clear the cache on the ISA Firewall.

QUESTION: Tom,

I'm having a real fight with the security and network folks over here regarding what ISA does with OWA packets before it hits the CAS. In other words, what black listing and white listing features are built into ISA 2006 for Exchange OWA 2007. Any information you might have would be wonderful. Thanks! -- Charles

ANSWER: The ISA Firewall is the ideal network firewall to use to protect Exchange Servers. In fact, the ISA Firewall was designed from the ground up to provide the best possible protection for Microsoft Exchange, including the Client Access Server. You can use the HTTP Security Filter to provide positive logic filtering to insure that only known good communications make it to the Exchange Client Access Server. For detailed information on how to configure the HTTP Security Filter to secure your Client Access Server, check out, Using the HTTP Filter to Help Secure HTTP Access.

QUESTION: Hi Tom,

I'm from Brazil. Congratulations for your articles!

I have many FTP attempts to my FTP Server, behind the ISA 2006. The FTP logs show a large FTP attempts to my server.

How can I block the FTP attempts to the number specific for the user try to access? If the number X then block source IP address.

Thanks!! -- Sergio

ANSWER: You can configure your Server Publishing Rule with exceptions so that connections are allowed from anywhere except from IP addresses or networks that you don't want to connect using the Server Publishing Rule in question. Double click the Server Publishing Rule for the FTP server and click on the From tab. In the Exceptions section, click the Add button. In the Add Network Entities dialog box, click the New menu and click Computer. Create a computer object for the IP address that is attacking your set. If there are multiple machines attacking your site, create a Computer Set instead. Click Close in the Add Network Entities dialog box and click OK in the Properties dialog box for the Server Publishing Rule. Click Apply to save the changes and update the firewall policy.

QUESTION: Hi Thomas,

I'm the system administrator of my company and I'm trying to set up a configuration back to back Firewall using my existing isa2000 as proxy firewall and a new ISA2006 as back-end firewall.

The ISA2000 is also internal DNS server, DHCP and WINS. My internal network address range is 192.168.0.0/24. The ISA2000 is member of the domain. I think I have to change the address of my network if i want to have DMZ but I would like to reduce the inconvenience to my users as much as I can.

What is your suggestion? I'd like to use the same network address and just specify a reduced range of addresses for the DMZ network. Is it something supported?

ANSWER: This is a difficult problem because of the number of extraneous services installed on the ISA 2000 firewall. I would recommend moving the DHCP, WINS and DNS servers to a machine on the internal network, behind the back-end ISA Firewall. Then I would remove the ISA 2000 from the domain and join the back-end ISA 2006 firewall to the domain. Assign the back-end ISA Firewall an internal IP address that is the same as the old ISA 2000's internal IP address. You can use DHCP on the internal clients to point them to the new DNS and WINS server addresses. On the back-end ISA Firewall, configure the external interface to use the front-end ISA Firewall as its default gateway.

With this kind of configuration, I would configure the ISA 2000 firewall to allow all outbound traffic from the back-end ISA Firewall, and you should use only Server Publishing Rules on the front-end ISA Firewall for publishing resources on the internal network behind the back-end ISA Firewall.

However, my best recommendation is to remove the ISA 2000 firewall completely and use only the ISA 2006 firewall. The threat models used to design the ISA 2000 firewall were completely different than the threat models we see today for Internet facing devices. For this reason, your most secure solution is to completely remove ISA 2000 from your network and use only the ISA 2006 firewall. If you need a DMZ, you can add a third NIC to your ISA Firewall to create a tri-homed DMZ.

Got a question for Dr. Tom? Send it to tshinder@isaserver.org.