Microsoft China. The perfect combination of security and speed: Microsoft Internet Security and Acceleration Server 2000.

1 郝雪莹 (xyhao@microsoft.com), Microsoft China
The perfect combination of security and speed: Microsoft Internet Security and Acceleration Server 2000

2 Agenda
Product overview
Deployment scenarios
Firewall
Caching
Management
Extensibility

3 New opportunities, new challenges
Opportunities:
 Connect your customers, partners and employees over the network
 E-commerce on the Web brings new business opportunities to your enterprise
 Turn an intranet of limited resources into a network merged with the Internet
Challenges:
 The network is exposed to every hacker, virus and unauthorized user
 Competition is fierce; your Web site must deliver fast, reliable service
 Managing such a network demands more advanced skills

4 The Connected Business: New Concerns
 Protect your internal network from hackers and other intruders
 Manage and control network access
 Protect valuable bandwidth while speeding up network access

5 Microsoft's view of security
Security flaws and virus attacks are a serious, costly, industry-wide problem
Internet security is the most fundamental consideration for digital commerce anywhere in the world
As an industry leader, Microsoft has a special responsibility to protect the Internet and customer data

6 Microsoft ISA Server 2000: the perfect combination of security and speed
Secure network connectivity: protect the network environment with a scalable, multi-layered firewall
Fast Web access: a scalable, high-performance Web cache
Unified management: robust policy and management mechanisms integrated with Windows 2000
Extensible open platform: an advanced platform that can be extended and customized

7 What is ISA Server 2000
Firewall and cache
ISA Server editions:
 ISA Server Standard Edition
 ISA Server Enterprise Edition

8 Microsoft® ISA Server 2000 Standard Edition vs. Enterprise Edition feature comparison (Standard | Enterprise)
Server deployment: standalone operation | centralized management of multiple servers
Policy support: local server | server array
Hardware support: 4 CPUs | unlimited
Web cache
 Scalability: suited to small businesses | suited to medium and large enterprises
 Distributed and hierarchical caching: hierarchical only | both
Unified management
 Windows® 2000 Active Directory integration: limited | full
 Multi-tier policy: no | yes
 Multi-server management: no | yes

9 What Is ISA Server 2000: ISA system requirements
Processor: 300 MHz or higher Pentium II compatible
Operating System: Microsoft Windows 2000 Server or Advanced Server with SP2 or higher
Memory: 256 MB of RAM
Hard Disk:
 20 MB of available hard drive space
 An available NTFS partition
 4-8 MB for each proxy client
Other: to implement arrays and advanced configuration policies on the Enterprise Edition you also need Windows Active Directory on the network

10 Firewall & cache
Both belong at the network edge, the point where the networks meet
Modular installation
Unified management:
 MMC
 Logging and Reporting
 Monitoring and Alerting
Consistent access policy
Low training and maintenance costs

11 Tight integration with Windows 2000
Security:
 Packet filtering
 Network address translation (NAT & SecureNAT)
 Authentication
 System hardening
Virtual private networking (VPN)
Management:
 MMC
 Terminal Services
 Event log
Active Directory™:
 Array configuration and policy data
 NOT required!
Bandwidth control
Transparent support for clients and servers on other platforms

12 Much More Than “Proxy Server 3.0”
Transparency for all clients and servers
Enterprise policy
Group policy
Schedules
Active Directory integration
Extensible application filters
SMTP filter
Streaming media splitting
H.323 filter & Gatekeeper
MMC-based UI
Task Pads, wizards
Remote administration
Configuring Exchange server behind firewall
IIS separation
RAM caching
New cache store
Scheduled content download
VPN integration
Intrusion detection
System hardening
NTLM & Kerberos authentication
Dual-hop SSL
Customizable alerts
Logging: W3C format, selectable fields
Integrated reporting
Bandwidth control
New APIs
Modular installation

13 Deployment Scenarios Microsoft Internet Security & Acceleration Server 2000

14 Small Organization (diagram: Internet, ISA Server)

15 Large Enterprise (diagram: Internet, ISA Server): firewall & cache, managed together

16 DMZ & Secure Publishing (diagram: Internet, ISA #1, DMZ #1, ISA #2, Intranet)

17 Chaining (diagram: a branch office ISA Server connected to the main office ISA Server array over a leased line or VPN connection; the main office connects to the Internet)

18 Firewall: protect the network environment with a scalable, multi-layered firewall

19 Why use a firewall?
 Protect yourself from attacks by hackers, viruses and unauthorized users
 Control outbound Internet access
 Protect web servers and email servers
 More secure data access
Protect critical data and information - and - manage information access

20 ISA Server Firewall
Packet, circuit, and application-level traffic screening
 Stateful inspection examines traffic in its context
 Reduces the risk of unauthorized access
 Analyze or modify content with “Smart” application filters
Integrated intrusion detection
 Based on technology licensed from Internet Security Systems (ISS)
Secure publishing
 Protect servers accessible to the outside world
System hardening
 “Lock down” the operating system, further strengthening security
Integrated with Windows 2000 VPN
 Wizard for easy configuration

21 Multi-layered firewall
Bottom up – protection at every level
 Packet level: static filters, dynamic filters, intrusion detection
 Circuit (protocol) level: session-based filtering, connection association
 Application level: intelligent payload inspection

22 Smart Application Filters
Protocol-aware filters
 Analyze the traffic
 Block, redirect, modify
Intelligent filtering out of the box:
 HTTP: Web request caching
 SMTP: Traffic filtering
 Streaming media: Stream splitting
 FTP: Read-only restriction
 H.323: NetMeeting® through the firewall

23 Intrusion Detection

24 Additional Security Features
VPN integration
 Integrated with Windows 2000 VPN
 Wizard for easy configuration
System hardening wizard
 “Lockdown” for the operating system
 Three pre-defined levels
Secure publishing
SSL Bridging
 Encrypted tunneling

25 ISA Server – Microsoft’s Firewall: ISA Server features
Multi-layered firewall
Centralized or distributed management
Publishing
ICSA certified

26 ISA Server – Microsoft’s Firewall: How A Firewall Protects
A firewall filters network traffic that enters or leaves a protected network.
Decisions are based on:
 IP address, protocol and port number
 Connection establishment
 IP packet payload
 Application filtering
 Authentication
Logging and Alerting

27 ISA Server – Microsoft’s Firewall: ISA Server Architecture (diagram)
Clients on the Local Area Network: Web Proxy Client, SecureNAT Client, Firewall Client
ISA Server components: Web Proxy Service, Firewall Service, Packet Filtering, NAT Driver, HTTP Redirector, Cache
Filters: Web Filter, Third Party Filter, Streaming Filter, SMTP Filter, H.323 Filter, FTP Filter
External side: Internet

28 ISA Server – Microsoft’s Firewall: Outgoing FW Traffic Flow (diagram)
Kernel mode: TCP/IP stack, NDIS, NAT driver, SecureNAT driver, PFD, PFxD, PFLog
User mode: Firewall Service (socket layer, routing, reassembly, application filter), session log, policy
Path from the internal interface to the external interface

29 ISA Server – Microsoft’s Firewall: Incoming FW Traffic Flow (diagram)
Kernel mode: TCP/IP stack, NDIS, NAT driver, SecureNAT driver, PFD, PFxD, PFLog
User mode: Firewall Service (socket layer, routing, reassembly, application filter), session log, policy
Path from the external interface to the internal interface

30 ISA Server – Microsoft’s Firewall: ISA Server defaults
No incoming or outgoing traffic unless specifically allowed
Exceptions:
 ISA Server can perform DNS lookups
 Pinging from ISA Server

31 ISA Server – Microsoft’s Firewall: Rules for Outgoing Requests
Protocol Rules
 Who may use which protocols, at what times, to access what?
 Default: No access
Site and Content Rules
 Who may access which sites and content, and when?
 Default: All access
Both kinds of rule are required for Internet access
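The two-rule decision on this slide, as an added example (not ISA Server's own code): a request passes only when a protocol rule explicitly allows it (protocol rules default to no access) and no site-and-content rule denies it (site rules default to all access), with a matching deny always winning. The Rule class, the sample users, hosts and schedules are assumptions constructed for the demonstration.

```python
"""Model of how an outgoing request is evaluated against protocol rules and
site-and-content rules (added example, not ISA Server code). Assumptions:
protocol rules default to "no access", site rules default to "all access",
and a matching deny rule of either kind blocks the request."""
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class Rule:
    name: str
    action: str             # "allow" or "deny"
    users: frozenset        # user names the rule applies to; empty = everyone
    protocols: frozenset    # protocol names (protocol rules); empty = any protocol
    sites: frozenset        # destination domain suffixes (site rules); empty = any site
    hours: range            # schedule: hours of the day during which the rule is active

    def matches(self, user: str, protocol: str, host: str, when: datetime) -> bool:
        """True when the request falls inside every constraint the rule sets."""
        if self.users and user not in self.users:
            return False
        if self.protocols and protocol not in self.protocols:
            return False
        if self.sites and not any(host == s or host.endswith("." + s) for s in self.sites):
            return False
        return when.hour in self.hours


def protocol_rules_allow(rules, user, protocol, when) -> bool:
    """Protocol rules: default is no access; a matching deny beats any allow."""
    allowed = False
    for rule in rules:
        if rule.matches(user, protocol, "", when):
            if rule.action == "deny":
                return False
            allowed = True
    return allowed


def site_rules_allow(rules, user, host, when) -> bool:
    """Site and content rules: default is all access; only an explicit deny blocks."""
    return not any(r.action == "deny" and r.matches(user, "", host, when) for r in rules)


def outgoing_request_allowed(protocol_rules, site_rules, user, protocol, host, when) -> bool:
    """Both rule types must pass, as the slide says; either one can block the request."""
    return (protocol_rules_allow(protocol_rules, user, protocol, when)
            and site_rules_allow(site_rules, user, host, when))


# Constructed sample policy (hypothetical users, hosts and schedules).
BUSINESS_HOURS = range(8, 18)
ALL_DAY = range(0, 24)
PROTOCOL_RULES = [
    Rule("Web for everyone", "allow", frozenset(), frozenset({"HTTP", "HTTPS"}), frozenset(), BUSINESS_HOURS),
    Rule("FTP for admins", "allow", frozenset({"alice"}), frozenset({"FTP"}), frozenset(), ALL_DAY),
]
SITE_RULES = [
    Rule("Block streaming site", "deny", frozenset(), frozenset(), frozenset({"video.example"}), ALL_DAY),
]


def decide(user: str, protocol: str, host: str, hour: int) -> bool:
    """Evaluate one request against the sample policy at the given hour of day."""
    when = datetime(2001, 3, 1, hour, 0)
    return outgoing_request_allowed(PROTOCOL_RULES, SITE_RULES, user, protocol, host, when)


if __name__ == "__main__":
    for req in [("bob", "HTTP", "www.microsoft.com", 10),
                ("bob", "HTTP", "www.microsoft.com", 22),
                ("bob", "FTP", "ftp.example", 10),
                ("alice", "FTP", "ftp.example", 22),
                ("bob", "HTTP", "cdn.video.example", 10)]:
        print(req, "->", "allow" if decide(*req) else "deny")
```

The asymmetry is the point of the slide: a user with no protocol rule gets nothing even though the site rules allow everything, and a user with a protocol rule can still be stopped by a single site deny.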

32 ISA Server – Microsoft’s Firewall: Rules for Incoming Requests
Server Publishing Rules
 Redirect traffic for an external address / port to an internal address
Web Publishing Rules
 Redirect Web requests only
 Can redirect to multiple internal Web sites
 Can choose the port for redirection
 Can perform SSL bridging

33 ISA Server – Microsoft’s Firewall: Firewall Planning
Assess needs for outgoing traffic
 “Deny all” or “Allow all”
 Research user requirements
 Design required rules and policy elements
 Plan for authentication (if required)
Assess needs for incoming traffic
 Inventory resources that need to be accessed from the Internet
 Design the required rules and policy elements

34 ISA Server – Microsoft’s Firewall: Firewall Planning (continued)
Scaling
 Arrays
 Network Load Balancing (NLB)
 DNS round robin
Perimeter Network Requirements

35 Firewall Design: No External Access Required (diagram: Internet, Firewall, Internal Network)

36 Firewall Design: Screened Host (diagram: Internet, Firewall, Screened Host, Internal Network)

37 Firewall Design: Three-Homed Perimeter Network Design (diagram: Internet, Firewall, Perimeter Network, Internal Network)

38 Firewall Design: Back-to-Back Perimeter Network Design (diagram: Internet, Firewall, Perimeter Network, Web Server, Internal Network)

39 Using Publishing And Routing: Methods for Passing Network Traffic
Web Proxy Service
Firewall Service (proxy)
IP Routing (secured by packet filters)

40 Using Publishing And Routing: Comparing Publishing and Routing
Publishing Rules publish internal sites to the external network
Local Address Table (LAT) defines what is internal
Perimeter Network in the three-homed design is treated as an external network
Need to configure routing between two external networks
 Routing is secured by packet filters

41 Using Publishing And Routing: Server Publishing
Reverse Network Address Translation (NAT)
External network to internal network
Sends packets received on the external network interface to the identical port on the internal server
Mapping: each port on each external address can be mapped separately
Normally used for non-Web servers

42 Using Publishing And Routing: Web Publishing
Redirects requests for URLs received on the external interface
Can redirect to multiple Web sites
Can redirect to internal or external sites
(Diagram: the ISA Server receives requests from the Internet for www.microsoft.com/ and www.microsoft.com/isaserver/ and redirects them to the servers www.internal.microsoft.com and isa.internal.microsoft.com on the Internal Network)

43 Using Publishing And Routing: Secure Web Publishing
Client connection terminates at the ISA Server computer
 ISA Server can perform authentication
 ISA Server needs a Web server certificate
What about the connection between ISA Server and the internal Web server?
SSL bridging
 Choice of HTTP-S, HTTP, or FTP

44 Using Publishing And Routing: Routing
Required for all protocols other than TCP or UDP
Required to access a three-homed perimeter network (external to external)
ISA enforces packet filtering with routing
 Note: packet filtering enhances security and increases performance
 Warning: Do not enable routing outside of ISA Server

45 Demonstration 1: Server Publishing And Web Publishing
Creating a Server Publishing Rule
Creating a Web Publishing Rule

46 ISA Server Configuration: Outgoing Traffic
Protocol Rules and Site and Content Rules
Packet filters
 Protocols other than UDP or TCP
 Applications or services running on the ISA Server computer
 Packet filters can override rules

47 ISA Server Configuration: Screened Host
Configure Server Publishing Rules
Configure Web Publishing Rules

48 ISA Server Configuration: Three-Homed Perimeter Network
Use routing with packet filtering for perimeter network servers
 Servers need routable IP addresses
Use publishing between the perimeter network and the internal network

49 ISA Server Configuration: Back-to-Back Perimeter Network
Use publishing rules to publish servers on the perimeter network to the Internet
Use publishing rules to publish servers on the internal network to the perimeter network
Each ISA Server requires a separate LAT

50 Miscellaneous Configuration: Authentication
Firewall Clients
 User-based, automatic
 Requires client software, Win32 clients only, TCP and UDP only
SecureNAT Clients
 By IP address
 No client software, all platforms, all protocols

51 Miscellaneous Configuration: Authentication (continued)
Web Proxy client
 By user (logged-on user or authentication dialog box)
 Need to configure the browser, etc.
 Need to configure authentication methods: Basic, Digest, Integrated, Certificates

52 Miscellaneous Configuration: Intrusion Detection
Technology licensed from Internet Security Systems (ISS)
Monitors for a number of common attacks
Extensive options for alerting

53 Miscellaneous Configuration: Server Hardening
Wizard applies security settings to make Windows 2000 Server even more secure

54 Miscellaneous Configuration: H.323 Gatekeeper
“Switchboard” for H.323 Applications
 NetMeeting
 Voice over IP (VoIP)
 Etc.

55 Miscellaneous Configuration: Message Screener
Works with the SMTP Filter to screen SMTP messages for
 Users and domains
 Attachments
 Keywords
 SMTP commands
Can run on the ISA Server computer or on another computer
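A screener of the kind this slide describes, as an added example (not ISA Server's Message Screener and not its configuration): it parses a raw message with Python's standard email package and reports the reasons it would be blocked, covering three of the four criteria (sender user or domain, attachment type, keywords in subject and body). The block lists, the addresses and the sample messages are constructed for the demonstration; screening of SMTP commands is a protocol-level check that a message parser cannot do and is left out.

```python
"""Constructed SMTP message screener (added example, not ISA Server code).
Inspects a raw RFC 822 message and returns the policy reasons for blocking it:
sender user/domain, attachment file type, keywords in subject or body."""
import email
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

# Hypothetical policy values, constructed for this example.
BLOCKED_SENDERS = {"spammer@mail.example"}
BLOCKED_DOMAINS = {"bad.example"}
BLOCKED_EXTENSIONS = {".exe", ".vbs", ".scr", ".pif"}
BLOCKED_KEYWORDS = {"free money", "act now"}


def screen_message(raw: bytes) -> list:
    """Return the list of policy violations found in the message (empty = deliver)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    reasons = []

    # 1. Users and domains: take the bare address out of the From header.
    sender = parseaddr(str(msg.get("From", "")))[1].lower()
    domain = sender.rpartition("@")[2]
    if sender in BLOCKED_SENDERS:
        reasons.append(f"blocked sender {sender}")
    elif domain in BLOCKED_DOMAINS:
        reasons.append(f"blocked domain {domain}")

    # 2. Attachments: judge by the extension of the declared file name.
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if any(name.endswith(ext) for ext in BLOCKED_EXTENSIONS):
            reasons.append(f"blocked attachment {name}")

    # 3. Keywords: case-insensitive search over subject plus the plain-text body.
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content() if body_part else ""
    text = (str(msg.get("Subject", "")) + "\n" + body).lower()
    for kw in sorted(BLOCKED_KEYWORDS):
        if kw in text:
            reasons.append(f"blocked keyword {kw!r}")
    return reasons


def build_sample(sender: str, subject: str, body: str, attachment_name: str = None) -> bytes:
    """Construct a sample message (test data only) with an optional dummy attachment."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = "user@corp.example"
    msg["Subject"] = subject
    msg.set_content(body)
    if attachment_name:
        msg.add_attachment(b"\x00\x01\x02", maintype="application",
                           subtype="octet-stream", filename=attachment_name)
    return msg.as_bytes()


if __name__ == "__main__":
    clean = build_sample("colleague@corp.example", "Lunch", "See you at noon.")
    bad = build_sample("anyone@bad.example", "ACT NOW!!!", "Claim your free money today", "invoice.exe")
    print("clean:", screen_message(clean))
    print("bad:  ", screen_message(bad))
```

Note that the attachment check trusts the declared file name only; a production screener would also look at the content type and the bytes themselves, which is why the slide pairs the screener with the SMTP filter rather than relying on either alone.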

56 Demonstration 2: Message Screener
Blocking Users and Domains
Blocking Attachments
Blocking Key Words

57 Miscellaneous Configuration: VPN Configuration
Two types of connections:
 Access by remote users
 Connecting two networks
Wizards configure ISA Server and RRAS
 ISA Server packet filters
 RRAS configured as a VPN server
RRAS performs all VPN functions
 May require additional configuration

58 Demonstration 3: VPN Configuration
Configuring a Local VPN
Configuring a Remote VPN
Reviewing VPN Configuration Settings

59 Caching: a scalable, high-performance Web cache

60 Cache Scenarios - Forward Proxy (diagram: users Liz and John on the corporate network send GET www.msnbc.com through the ISA Server cache to the Internet)
Corpnet users connect to the Internet via ISA

61 Cache Scenarios – Reverse Caching (diagram: Internet user Joe resolves “www.ms.com” via DNS and reaches the ISA Server cache, which passes “www.ms.com/ISA” to the Web server on the secure network)
ISA Server looks like a Web server
Internally routes requests to multiple servers

62 Why use a cache?
Faster browsing
Lower network bandwidth costs
Less load on web servers
More reliable data access
Increase performance - and - reduce costs

63 ISA Server Caching Features
Web access acceleration
 RAM caching: “hot content” served from RAM
 An efficient cache mechanism minimizes disk I/O
Active caching
Scheduled content download
Distributed caching
 Cache Array Routing Protocol (CARP)
 Hierarchical Caching
Tiered policy

64 CARP on the Server (diagram: Client, Server 1, Server 2, Server 3, Cache, Internet; the client sends GET www.foo.com to the array and the receiving member asks “Do you have www.foo.com?”)

65 CARP (Cache Array Routing Protocol)
Efficient
 Distributed cache
 Arrays scale linearly and balance the load
 No duplication of content across servers
 Makes the most efficient use of cache size and cache hit rate
Reliable
 Fault-tolerant, self-tuning arrays
 When servers are added or removed, content is moved and reconfigured dynamically
Flexible
 Routing can be implemented on the server for best transparency, or on the client for maximum efficiency

66 Hierarchical Caching (Chaining) (diagram: New York, London and Tokyo chained to the Internet)
~50% traffic savings over every WAN link

67 Other Bandwidth Savings
Traffic Prioritization
 Impose bandwidth policy via the UI
 Manage inbound and outbound network traffic independently
 Adds this layer on top of Windows 2000 QoS
Live media stream splitting

68 Configuring Caching: Business Scenario (diagram: ISA, Clients, Internet)

69 Configuring Caching: Allowing Internet Access (4 simple steps)
Verify the LAT
Create a protocol access rule
Turn on HTTP and FTP caching (enabled by default)
Define the proxy setting on all clients

70 Configuring Caching: Cache Expiration
Frequently
 Cache is kept current; network performance may be degraded
Normally
 Cache is somewhat current; network performance is considered
Less Frequently
 Cache is less current; network performance is not degraded
Custom Settings

71 Configuring Caching: Active Caching
Enables ISA to fetch a new version of cached objects
 Frequently: cache is kept current; network performance is degraded
 Normally: network performance is considered when updating the cache
 Less Frequently: cache is less current; network performance is not degraded

72 Configuring Caching: Advanced Cache Settings
Allows control over what content is cached
 Size of objects to cache
 Dynamic content
 Maximum URL cached in memory
Control what action to take with expired cache objects
 Return an error -or-
 Return the expired object

73 Configuring Caching: Adjusting Cache Size
(Dialog: LONDON Properties, Cache Drives tab; columns Drive, Type, Disk space, Free space, Cache Size; Maximum cache size (MB): 100; Total disk space (MB): 39064; Total maximum cache size (MB): 100)
Specify the size of the cache in the properties of the server
 Creates a .cdat file of equivalent size
 4-8 MB for each client

74 Demonstration 4: Configure Caching
Enabling HTTP and FTP Caching
Examining Cache configuration
Allowing Internet Access

75 Management: tiered policy and flexible management integrated with Windows 2000

76 Policy & Rules
Enterprise & array-level
Access control
 By user/group
 By application
 By destination
 By content type
 By schedule
Bandwidth priorities
(Screenshot: ISA server namespace, active policy: access rules)

77 Task Pads and Wizards
Task Pads
 The easy way to set up and maintain
Wizards
 Step-by-step for complex tasks
(Screenshot: Common tasks)

78 Alerting
Alerting
 Flexible alert dispatch mechanism
(Diagram: intrusion, system event and violation alerts raised by ISA Server)

79 Logging, reporting, monitoring
Logging
 Packet log
 Session log
Reporting
 Daily summaries
 Popular reports
Monitoring
 Active connections
 Performance counters

80 Extensibility: superior extensibility and customizability

81 Extensibility Mechanisms
Application filters
 Smart inspection of data streams
Web filters
 Based on ISAPI
Administration COM object
 All administrative properties and actions available programmatically (read/write)
Cache APIs
MMC snap-ins
 Extend the ISA Server user interface
Storage
 Integrate with array propagation, backup/restore
Alerts

82 A Community of ISVs

83 Summary Secure, Fast Internet Connectivity

84 ISA Server Competitive Advantages
Best Windows Integration
 Active Directory
 Networking Features
 Windows applications
Integrated Firewall and Web Cache Management
 Unified Policy and Access Control
 Unified Management
Scale Up and Scale Out for the Enterprise
 Tiered Policy Management
 Scale Up - SMP optimized
 Scale Out - NLB and CARP
Lower TCO
 Integrated Services
 Leverage Existing Skills
 Works with what you have
 Extensible Open Platform

85 Key Takeaways
Firewall & cache integration
Multi-layered firewall with smart filters
High performance and scalable cache
Designed for reverse caching and secure publishing
Integrated VPN, intrusion detection, reporting, bandwidth control
Tiered policy model
Extensibility

86 http://www.microsoft.com/ISAServer
