Microsoft ® Internet Security and Acceleration Server 2006 Beta Technical Overview Steve Lamb Information Security Evangelist Microsoft UK
“You don’t put brakes on a car to go slower – you put them on to go faster more safely” User education is key As are processes and procedures Mis-configured systems are a major threat
“Good Security enables business to do more with less risk” Hold off the Rocket Science Apply Technology to Support the Business Policy Learn how the business works Don’t get in the way!
ISA – Application Layer Firewalling Currently – most firewalls check only basic packet information Real world equivalent of looking at the number and destination of a bus – and not looking at the passengers
Positioning Pillars & Deployment Scenarios Integrated Security Efficient Management Fast, Secure Access Web Access Protection Branch Office Gateway Secure Application Publishing
Secure Application Publishing The Problem Need customized forms, forms for mobile devices, authN support for non-browser apps More multi-factor authN support reqd. ISA in workgroup using RADIUS, lacks AD group info Lack of NTLM, Kerberos delegation support Multiple sign-ons required for different apps Manual link translation cumbersome IP-based NLB creates 1:1 between ISA & published server during sessions Exchange & SharePoint Publishing difficult Expired and duplicate certificates hard to track Idle-based session timeouts include non-user traffic e.g. RPC Exchange Intranet Web Server SharePoint Active Directory External Web Server Administrator User ISA 2006 Appliance Internal Network Internet Load Balancer RADIUS DMZ Strong Server Protection Better Identity Control Seamless Access High Performance Easy Management Username Password NTLM Kerberos Username Password Username Password Needs Pain Points
Exchange Intranet Web Server SharePoint Active Directory External Web Server Administrator User ISA 2006 Appliance DMZ Internal Network Internet Secure Application Publishing The Solution Get Username Password Passcode Username Password Get Strong Server Protection Customized forms incl. mobile devices, alternative authN for non-browser apps RADIUS OTP, smart card support LDAP support for AD integration & other user directories NTLM, Kerberos & Kerberos Constrained Delegation support Single sign-on Automatic link translation through global links table Cookie-based NLB keeps session alive in case of fail-over Exchange, SharePoint publishing Wizards Better UI for certificate management Idle-based, session-based timeouts account for non-user traffic Username Password Better Identity Control Seamless Access High Performance Easy Management Needs New ISA Server 2006 Features
Secure Application Publishing Added Value Strong Server Protection SSL Bridging VPN Quarantine Integrated Remote Client VPN Gateway Reverse Caching Logging & Reporting Better Identity Control Seamless Access High Performance Easy Management Move Exchange out of DMZ Provide pre-authentication for OWA, Outlook, and ActiveSync Multi-factor Authentication for Exchange Load Balancing of OWA Servers Exchange Full Access to all SharePoint docs HTTP Traffic Inspection SharePoint Antigen for Exchange. SharePoint, LCS Complete end-to-end Secure Messaging Solution ISA Server 2004 Features
Secure Application Publishing Key Differentiating Points Tight Integration With Microsoft Products SSL Bridging Inspects Encrypted Content Active Directory Integration Provides Better Management Dedicated Exchange & SharePoint Wizards Makes Setup Easy Integrated ALF & Cache Provides Added Protection & Lower TCO
Deploying to 100s of branch offices difficult No IT support at branch office Software update transfers from HQ to branch slow Policy updates from HQ to branch slow requiring CSS at branch Lack of compression support for traffic No support for traffic prioritization mechanisms Easy Deployment Better Protection Better Management Lower Connectivity Costs Bandwidth Optimization Branch Office Gateway The Problem Exchange Intranet Web Server SharePoint Active Directory External Web Server Administrator ISA 2006 Appliance Array DMZ Internal Network Internet S2S VPN BRANCH OFFICE HEAD QUARTERS User CSS Needs Pain Points
Branch Office Connectivity Wizard Unattended Installation Answer Files Software update caching using BITS Faster policy propagation needing only central CSS at HQ HTTP Compression and range compression and caching Support for DiffServ Branch Office Gateway The Solution Exchange Intranet Web Server SharePoint Active Directory External Web Server Administrator User ISA 2006 Appliance Array DMZ Internal Network Internet S2S VPN BRANCH OFFICE HEAD QUARTERS User CSS Easy Deployment Better Protection Better Management Lower Connectivity Costs Bandwidth Optimization Needs New ISA Server 2006 Features
Branch Office Gateway Added Value Flexible Branch Office Network Topology Integrated S2S VPN Gateway HTTP Caching Distributed Caching & Web Proxy Chaining Easy Deployment Better Protection Better Management Lower Connectivity Costs Bandwidth Optimization Integrated Firewall BITS Caching Complements R2 Remote Differential Caching Windows Server R2 ISA Server 2004 Features
Branch Office Gateway Key Differentiating Points Easy Integration with Existing Branch Office Infrastructure Integrated Application-Layer Firewall Provides Added Protection Integrated Cache Functionality Increases Speed Integrated S2S VPN Functionality Lowers TCO Centralized Management from HQ
Web Access Protection The Problem Need better protection against DoS, DDoS attacks Need better protect against internal worm propagation Need mitigation measures under attack Need better alerting and tracing of infected machines Centralized management and monitoring required External Attack Resilience Internal Attack Resilience Minimal Downtime Remediation Measures Better Management External Web Site Administrator Attacker ISA 2006 Appliance DMZ Internal Network Internet Extranet Web Server Needs Pain Points
Web Access Protection The Solution External Web Site Administrator Attacker ISA 2006 Appliance DMZ Internal Network Internet Extranet Web Server External Attack Resilience Internal Attack Resilience Minimal Downtime Remediation Measures Better Management Flood resiliency through better TCP connection monitoring & thresholds Worm resiliency through better TCP connection monitoring & thresholds Log throttling, control over memory consumption and pending DNS queries 90 newer alerts to provide better detection & forensic ability. Integration with MOM 2005 Needs New ISA Server 2006 Features
Web Access Protection Added Value ALF & Deep Packet Inspection Integrated Caching & CARP Multi-Network Architecture External Attack Resilience Internal Attack Resilience Minimal Downtime Remediation Measures Better Management Flexible SDK Easy-to-use UI Leverages NLB, RRAS, RADIUS, VPN Quarantine, WINS, DNS DHCP capabilities of Windows Server 2003 Windows Server 2003 ISA Server 2004 Features
Web Access Protection Key Differentiating Points Deep Content Inspects Actual Content of Traffic Multi-network Architecture Eases Infrastructure Integration Flexible SDK allows Easy Development of New Application Filters CARP Provides High Performance for Caching Easy-to-Use UI Makes Configuration Easier
© 2006 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary. Steve Lamb Information Security Evangelist Microsoft UK