Slide 1: The Perfect Combination of Security and Speed
Microsoft Internet Security and Acceleration Server 2000
郝雪莹, Microsoft China

Slide 2: Agenda
- Product overview
- Deployment scenarios
- Firewall
- Caching
- Management
- Extensibility

Slide 3: New Opportunities, New Challenges
Opportunities:
- Connect your customers, partners and employees over the network
- E-commerce on the Web brings your business new opportunities
Challenges:
- Turning an intranet with limited resources into a network merged with the Internet
- Exposes the network to every hacker, virus and unauthorized user
- Competition is fierce; your Web presence must deliver fast, reliable service
- Managing such a network demands greater technical skill

Slide 4: The Connected Business: New Concerns
- Protect your internal network from hackers and other intruders
- Manage and control network access
- Speed up network access while conserving valuable bandwidth

Slide 5: Microsoft's View of Security
- Security flaws and virus attacks are serious, costly, industry-wide problems
- Internet security is the most fundamental consideration for running digital business worldwide
- As an industry leader, Microsoft has a special responsibility to protect the Internet and customer data

Slide 6: Microsoft ISA Server 2000: The Perfect Combination of Security and Speed
- Secure network connectivity: protect the network environment with a scalable, multi-layered firewall
- Fast Web access: a scalable, high-performance Web cache
- Unified management: robust policy and management mechanisms integrated with Windows 2000
- Extensible open platform: an advanced platform that can be extended and customized

Slide 7: What Is ISA Server 2000
- Firewall and cache
- ISA Server editions: ISA Server Standard Edition; ISA Server Enterprise Edition

Slide 8: Microsoft ISA Server 2000 Standard Edition vs. Enterprise Edition Feature Comparison (table not reproduced in the extracted text)

Slide 9: What Is ISA Server 2000: ISA System Requirements (content not reproduced in the extracted text)

Slide 10: Firewall & Cache
- Both belong at the edge of the network, the point where networks join
- Modular installation
- Unified management: MMC; Logging and Reporting; Monitoring and Alerting
- Consistent access policy
- Low training and maintenance cost

Slide 11: Tight Integration with Windows 2000
- Security: packet filtering; network address translation (NAT & SecureNAT); Authentication; System Hardening; virtual private networking (VPN)
- Management: MMC; Terminal Services; Event log; Active Directory for array configuration and policy data (NOT required!)
- Bandwidth control
- Transparent support for clients and servers on other platforms

Slide 12: Much More Than "Proxy Server 3.0"
- Transparency for all clients and servers
- Enterprise policy; Group policy; Schedules; Active Directory integration
- Extensible application filters: SMTP filter; Streaming media splitting; H.323 filter & Gatekeeper
- MMC-based UI: Task Pads, wizards; Remote administration
- Configuring Exchange server behind firewall
- IIS separation; RAM caching; New cache store; Scheduled content download
- VPN integration; Intrusion detection; System hardening; NTLM & Kerberos authentication; Dual-hop SSL
- Customizable alerts; Logging: W3C format, selectable fields; Integrated reporting
- Bandwidth control; New APIs; Modular installation

Slide 13: Deployment Scenarios (section divider)
Microsoft Internet Security & Acceleration Server 2000

Slide 14: Small Organization (diagram: Internet, ISA Server)

Slide 15: Large Enterprise (diagram: Internet, ISA Server as firewall & cache, managed together)

Slide 16: DMZ & Secure Publishing (diagram: Internet, ISA #2, DMZ #1, ISA #1, Intranet)

Slide 17: Chaining (diagram: Branch ISA Server connected over a leased line or VPN connection to the Main ISA Server Array, then the Internet)

Slide 18: Firewall (section divider)
Protect the network environment with a scalable, multi-layered firewall

Slide 19: Why Use a Firewall?
- Protect yourself against hackers, viruses and unauthorized users
- Control outbound Internet access
- Protect web servers and email servers
- More secure data access
- Protect critical data and information - and - manage information access

Slide 20: ISA Server Firewall
- Packet, circuit, and application-level traffic screening: stateful inspection examines traffic in its context; reduces the risk of unauthorized access
- Analyze or modify content with "Smart" application filters
- Integrated intrusion detection, based on technology licensed from Internet Security Systems (ISS)
- Secure publishing: protect servers accessible to the outside world
- System hardening: "lock down" the operating system, further strengthening security
- Integrated with Windows 2000 VPN: wizard for easy configuration

Slide 21: Multi-Layered Firewall
- Bottom-up protection at every level
- Packet level: static filters; dynamic filters; intrusion detection
- Circuit (protocol) level: session-based filtering; connection association
- Application level: intelligent payload inspection
(diagram: Packet level, Circuit level, Application level)

Slide 22: Smart Application Filters
- Protocol-aware filters: analyze the traffic; block, redirect, modify
- Intelligent filtering out of the box: HTTP: Web request caching; SMTP: traffic filtering; Streaming media: stream splitting; FTP: read-only restriction; H.323: NetMeeting through the firewall

Slide 23: Intrusion Detection (content not reproduced in the extracted text)

Slide 24: Additional Security Features
- VPN integration: integrated with Windows 2000 VPN; wizard for easy configuration
- System hardening wizard: "lockdown" for the operating system; three pre-defined levels
- Secure publishing: SSL bridging; encrypted tunneling

Slide 25: ISA Server, Microsoft's Firewall: ISA Server Features
- Multi-layered firewall
- Centralized or distributed management
- Publishing
- ICSA certified

Slide 26: ISA Server, Microsoft's Firewall: How a Firewall Protects
A firewall filters network traffic that enters or leaves a protected network. Decisions are based on:
- IP address, protocol and port number
- Connection establishment
- IP packet payload
- Application filtering
- Authentication
- Logging and alerting

Slide 27: ISA Server, Microsoft's Firewall: ISA Server Architecture (diagram)

Slide 28: ISA Server, Microsoft's Firewall: Outgoing FW Traffic Flow (diagram)

Slide 29: ISA Server, Microsoft's Firewall: Incoming FW Traffic Flow (diagram)

Slide 30: ISA Server, Microsoft's Firewall: ISA Server Defaults
- No incoming or outgoing traffic unless specifically allowed
- Exceptions: ISA Server can perform DNS lookups; pinging from ISA Server

Slide 31: ISA Server, Microsoft's Firewall: Rules for Outgoing Requests
- Protocol Rules: who may use which protocols to access what, and when? Default: No access
- Site and Content Rules: who may access which sites and content, and when? Default: All access
- Both kinds of rule are required for Internet access

Slide 32: ISA Server, Microsoft's Firewall: Rules for Incoming Requests
- Server Publishing Rules: redirect traffic for an external address / port to an internal address
- Web Publishing Rules: redirect Web requests only; can redirect to multiple internal Web sites; can choose the port for redirection; can perform SSL bridging

Slide 33: ISA Server, Microsoft's Firewall: Firewall Planning
- Assess needs for outgoing traffic: "Deny all" or "Allow all"; research user requirements; design required rules and policy elements; plan for authentication (if required)
- Assess needs for incoming traffic: inventory resources that need to be accessed from the Internet; design the required rules and policy elements

Slide 34: ISA Server, Microsoft's Firewall: Firewall Planning (continued)
- Scaling: arrays; Network Load Balancing (NLB); DNS round robin
- Perimeter network requirements

Slide 35: Firewall Design: No External Access Required

Slide 36: Firewall Design: Screened Host (diagram: Internet, Firewall, Screened Host, Internal Network)

Slide 37: Firewall Design: Three-Homed Perimeter Network Design (diagram: Internet, Firewall, Perimeter Network, Internal Network)

Slide 38: Firewall Design: Back-to-Back Perimeter Network Design

Slide 39: Using Publishing and Routing: Methods for Passing Network Traffic
- Web Proxy Service
- Firewall Service (proxy)
- IP Routing (secured by packet filters)

Slide 40: Using Publishing and Routing: Comparing Publishing and Routing
- Publishing Rules publish internal sites to the external network; the Local Address Table (LAT) defines what is internal
- The perimeter network in a three-homed design is treated as an external network; routing must be configured between the two external networks; routing is secured by packet filters

Slide 41: Using Publishing and Routing: Server Publishing
- Reverse Network Address Translation (NAT): external network to internal network
- Sends packets received on the external network interface to the identical port on the internal server
- Mapping: each port on each external address can be mapped separately
- Normally used for non-Web servers

Slide 42: Using Publishing and Routing: Web Publishing
- Redirects requests for URLs received on the external interface
- Can redirect to multiple Web sites
- Can redirect to internal or external sites

Slide 43: Using Publishing and Routing: Secure Web Publishing
- Client connection terminates at the ISA Server computer
- ISA Server can perform authentication
- ISA Server needs a Web server certificate
- What about the connection between ISA Server and the internal Web server? SSL bridging: choice of HTTP-S, HTTP, or FTP

Slide 44: Using Publishing and Routing: Routing
- Required for all protocols other than TCP or UDP
- Required to access a three-homed perimeter network (external to external)
- ISA enforces packet filtering with routing
- Note: packet filtering enhances security and increases performance
- Warning: do not enable routing outside of ISA Server

Slide 45: Demonstration 1: Server Publishing and Web Publishing
- Creating a Server Publishing Rule
- Creating a Web Publishing Rule

Slide 46: ISA Server Configuration: Outgoing Traffic
- Protocol Rules and Site and Content Rules
- Packet filters: protocols other than UDP or TCP; applications or services running on the ISA Server computer
- Packet filters can override rules

Slide 47: ISA Server Configuration: Screened Host
- Configure Server Publishing Rules
- Configure Web Publishing Rules

Slide 48: ISA Server Configuration: Three-Homed Perimeter Network
- Use routing with packet filtering for perimeter network servers
- Servers need routable IP addresses
- Use publishing between the perimeter network and the internal network

Slide 49: ISA Server Configuration: Back-to-Back Perimeter Network
- Use Publishing Rules to publish servers on the perimeter network to the Internet
- Use Publishing Rules to publish servers on the internal network to the perimeter network
- Each ISA Server requires a separate LAT

Slide 50: Miscellaneous Configuration: Authentication
- Firewall Clients: user-based, automatic; requires client software, Win32 clients only, TCP and UDP only
- SecureNAT Clients: by IP address; no client software, all platforms, all protocols

Slide 51: Miscellaneous Configuration: Authentication (continued)
- Web Proxy client: by user (logged-on user or authentication dialog box)
- Need to configure the browser, etc.
- Need to configure authentication methods: Basic; Digest; Integrated; Certificates

Slide 52: Miscellaneous Configuration: Intrusion Detection
- Technology licensed from Internet Security Systems (ISS)
- Monitors for a number of common attacks
- Extensive options for alerting

Slide 53: Miscellaneous Configuration: Server Hardening
- Wizard applies security settings to make Windows 2000 Server even more secure

Slide 54: Miscellaneous Configuration: H.323 Gatekeeper
- "Switchboard" for H.323 applications: NetMeeting; Voice over IP (VOIP); etc.

Slide 55: Miscellaneous Configuration: Message Screener
- Works with the SMTP Filter to screen SMTP messages for: users and domains; attachments; keywords; SMTP commands
- Can run on the ISA Server computer or another computer

Slide 56: Demonstration 2: Message Screener
- Blocking users and domains
- Blocking attachments
- Blocking keywords

Slide 57: Miscellaneous Configuration: VPN Configuration
- Two types of connection: access by remote users; connecting two networks
- Wizards configure ISA Server and RRAS: ISA Server packet filters; RRAS configured as a VPN server; RRAS performs all VPN functions
- May require additional configuration

Slide 58: Demonstration 3: VPN Configuration
- Configuring a local VPN
- Configuring a remote VPN
- Reviewing VPN configuration settings

Slide 59: Caching (section divider)
A scalable, high-performance Web cache

Slide 60: Cache Scenarios: Forward Proxy (diagram: Liz, ISA Server, Internet)
- Corpnet users connect to the Internet via ISA

Slide 61: Cache Scenarios: Reverse Caching (diagram: Internet, ISA Server)
- ISA Server looks like a Web server
- Internally routes requests to multiple servers

Slide 62: Why Use Caching?
- Faster browsing
- Lower network bandwidth cost
- Less load on Web servers
- More reliable data access
- Increase performance - and - reduce costs

Slide 63: ISA Server Caching Features
- Web access acceleration: RAM caching ("hot content" served from RAM); an efficient cache mechanism minimizes disk I/O; active caching; scheduled content download
- Distributed caching: Cache Array Routing Protocol (CARP); hierarchical caching; tiered policy

Slide 64: CARP on the Server (diagram)

Slide 65: CARP (Cache Array Routing Protocol)
- Efficient: distributed cache; arrays scale linearly and balance load; no content is duplicated across servers; makes the most efficient use of cache size and cache hit ratio
- Reliable: fault-tolerant, self-adjusting arrays; when servers are added or removed, content is migrated and reconfigured dynamically
- Flexible: routing can be implemented on the server for best transparency, or on the client for maximum efficiency

Slide 66: Hierarchical Caching (Chaining) (diagram: New York, Tokyo, London, Internet)
- 50% Traffic $avings Over Every WAN Link

Slide 67: Other Bandwidth Savings
- Traffic prioritization: impose bandwidth policy via the UI; manage inbound and outbound network traffic independently; adds this layer on top of Windows 2000 QoS
- Live media stream splitting

Slide 68: Configuring Caching: Business Scenario (content not reproduced in the extracted text)

Slide 69: Configuring Caching: Allowing Internet Access, 4 simple steps
1. Verify the LAT
2. Create a protocol access rule
3. Turn on HTTP and FTP caching* (*enabled by default)
4. Define the proxy setting on all clients

Slide 70: Configuring Caching: Cache Expiration
- Frequently: cache is kept current, network performance may be degraded
- Normally: cache is somewhat current, network performance is considered
- Less Frequently: cache is less current, network performance is not degraded
- Custom settings

Slide 71: Configuring Caching: Active Caching
- Enables ISA to fetch a new version of cached objects
- Frequently: cache is kept current, network performance is degraded
- Normally: network performance is considered when updating the cache
- Less Frequently: cache is less current, network performance is not degraded

Slide 72: Configuring Caching: Advanced Cache Settings
- Allows control over what content is cached: size of objects to cache; dynamic content; maximum URL cached in memory
- Control what action to take with expired cache objects: return an error -or- return the expired object

Slide 73: Configuring Caching: Adjusting Cache Size
(dialog: LONDON Properties, Cache Drives tab; columns Drive, Type, Disk space, Free space, Cache Size; "Specify the size of the cache."; Maximum cache size (MB): 100; Total disk space (MB): 39064; Total maximum cache size (MB): 100; buttons Set, OK, Cancel, Apply)
- Properties of the server
- Creates a .cdat file of equivalent size
- 4-8 MB for each client

Slide 74: Demonstration 4: Configure Caching
- Enabling HTTP and FTP caching
- Examining the cache configuration
- Allowing Internet access

Slide 75: Management (section divider)
Tiered policy and flexible management that integrates with Windows 2000

Slide 76: Policy & Rules
- Enterprise and array-level
- Access control: by user/group; by application; by destination; by content type; by schedule
- Bandwidth priorities

Slide 77: Task Pads and Wizards
- Task Pads: the easy way to set up and maintain
- Wizards: step-by-step for complex tasks

Slide 78: Alerting
Alerti
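The outbound policy model on slides 30, 31 and 46 (deny everything by default; a request needs both an allowing Protocol Rule, whose default is no access, and an allowing Site and Content Rule, whose default is all access; schedule and user/group scoping on both) is worth seeing as a decision procedure. The following is an added example written for this page, not ISA Server code or any Microsoft API; the rule and group names are constructed, and the rule that an explicit deny beats an allow is an assumption of the model rather than something the slides state.

```python
"""Simplified model of ISA Server 2000 outbound access policy (added example,
not Microsoft code). Slides 30/31/46: nothing passes unless explicitly allowed;
an outbound request needs BOTH an allowing Protocol Rule (default: no access)
AND an allowing Site and Content Rule (default: all access).
Assumption of this model: an explicit deny rule wins over an allow rule."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Request:
    user: str
    groups: frozenset        # Windows groups the user belongs to
    protocol: str            # protocol definition name, e.g. "HTTP"
    destination: str         # destination host name
    hour: int                # hour of day 0-23 (stands in for the schedule)


@dataclass(frozen=True)
class Rule:
    name: str
    allow: bool
    groups: frozenset = frozenset()        # empty = applies to everyone
    protocols: frozenset = frozenset()     # Protocol Rule: protocols covered (empty = all)
    destinations: frozenset = frozenset()  # Site and Content Rule: destination set (empty = all)
    hours: tuple = (0, 24)                 # schedule window [start, end)


def _in_scope(rule: Rule, req: Request) -> bool:
    """Does this rule apply to this user at this time of day?"""
    if rule.groups and not (rule.groups & req.groups):
        return False
    start, end = rule.hours
    return start <= req.hour < end


def protocol_rules_allow(rules, req: Request) -> bool:
    """Protocol Rules: who may use which protocol, when. Default: no access."""
    matching = [r for r in rules
                if _in_scope(r, req) and (not r.protocols or req.protocol in r.protocols)]
    if any(not r.allow for r in matching):   # explicit deny wins (model assumption)
        return False
    return any(r.allow for r in matching)    # no matching allow rule -> denied


def site_rules_allow(rules, req: Request) -> bool:
    """Site and Content Rules: who may reach which destinations, when. Default: all access."""
    matching = [r for r in rules
                if _in_scope(r, req) and (not r.destinations or req.destination in r.destinations)]
    return not any(not r.allow for r in matching)  # only an explicit deny blocks


def outbound_allowed(protocol_rules, site_rules, req: Request) -> bool:
    """Both rule sets must allow the request (slide 31: both are required)."""
    return protocol_rules_allow(protocol_rules, req) and site_rules_allow(site_rules, req)


# Constructed sample policy; the names are hypothetical, not from the deck.
PROTOCOL_RULES = [
    Rule("Web for staff", allow=True, groups=frozenset({"Domain Users"}),
         protocols=frozenset({"HTTP", "HTTPS"}), hours=(8, 18)),
]
SITE_RULES = [
    Rule("Block auction site", allow=False, destinations=frozenset({"auctions.example"})),
]


def decide(user, groups, protocol, destination, hour) -> bool:
    """Evaluate one request against the sample policy."""
    req = Request(user, frozenset(groups), protocol, destination, hour)
    return outbound_allowed(PROTOCOL_RULES, SITE_RULES, req)


def demo() -> dict:
    """Named cases showing each way a request can be denied, plus the one that passes."""
    empty_policy = Request("liz", frozenset({"Domain Users"}), "HTTP", "www.example", 10)
    return {
        "no_rules_at_all": outbound_allowed([], [], empty_policy),          # default deny
        "http_in_hours": decide("liz", {"Domain Users"}, "HTTP", "www.example", 10),
        "ftp_not_in_protocol_rule": decide("liz", {"Domain Users"}, "FTP", "ftp.example", 10),
        "http_after_hours": decide("liz", {"Domain Users"}, "HTTP", "www.example", 20),
        "http_to_blocked_site": decide("liz", {"Domain Users"}, "HTTP", "auctions.example", 10),
        "guest_not_in_group": decide("guest", {"Guests"}, "HTTP", "www.example", 10),
    }


if __name__ == "__main__":
    for case, allowed in demo().items():
        print(f"{case:26s} -> {'ALLOW' if allowed else 'DENY'}")
```

Only the `http_in_hours` case is allowed; every other case fails one of the two rule sets, which is the practical meaning of the slide's "both rules are necessary": the Protocol Rule opens a protocol to a group during a schedule, and the Site and Content Rule can still close individual destinations without touching the protocol grant.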
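Slide 65 claims three properties for CARP: each URL lives on exactly one array member (no duplicated content), load spreads across the array, and adding or removing a member reshuffles only the content that belongs to that member. The example below is added for this page and is not the CARP v1 hash function or ISA Server code; it uses a rendezvous ("highest score wins") hashing scheme over SHA-256, which has the same properties the slide describes, with constructed member names and URLs.

```python
"""Hash-based request routing with the properties slide 65 attributes to CARP.
Added example, not ISA Server code and not the CARP v1 hash function: a
rendezvous-hashing scheme where every client or server computes the same
per-(member, URL) score and sends the URL to the highest-scoring member."""
import hashlib


def score(member: str, url: str) -> int:
    """Deterministic score for a (member, URL) pair; identical wherever it is computed."""
    digest = hashlib.sha256(f"{member}|{url}".encode()).digest()
    return int.from_bytes(digest[:8], "big")


def route(members, url: str) -> str:
    """The single array member responsible for this URL: highest score wins."""
    return max(sorted(members), key=lambda m: score(m, url))


def assignment(members, urls) -> dict:
    """URL -> owning member for a whole set of URLs."""
    return {u: route(members, u) for u in urls}


def moved_urls(before: dict, after: dict) -> dict:
    """URLs whose owner changed between two array configurations."""
    return {u: (before[u], after[u]) for u in before if before[u] != after[u]}


# Constructed sample: 1000 URLs on a hypothetical site.
SAMPLE_URLS = [f"http://www.example/page{i}.html" for i in range(1000)]


def demo() -> dict:
    """Grow the array from three to four members, then shrink it back by dropping one."""
    three = ["ISA-A", "ISA-B", "ISA-C"]      # hypothetical array member names
    four = three + ["ISA-D"]
    base = assignment(three, SAMPLE_URLS)
    grown = assignment(four, SAMPLE_URLS)
    shrunk = assignment(["ISA-A", "ISA-C"], SAMPLE_URLS)

    moved_on_add = moved_urls(base, grown)
    moved_on_remove = moved_urls(base, shrunk)
    return {
        # load balance: each of the four members should hold roughly a quarter
        "share_per_member": {m: sum(1 for v in grown.values() if v == m) for m in four},
        # growth: only the URLs the new member wins change owner, and they all go to it
        "moved_on_add": len(moved_on_add),
        "add_moves_only_to_new_member": all(dst == "ISA-D" for _, dst in moved_on_add.values()),
        # removal: only the departed member's URLs change owner
        "remove_moves_only_orphans": all(src == "ISA-B" for src, _ in moved_on_remove.values()),
        "orphans_all_reassigned": len(moved_on_remove) == sum(1 for v in base.values() if v == "ISA-B"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Because a member's score for a URL never depends on which other members exist, adding a member can only take URLs away (those it now out-scores everyone on) and removing one can only hand out that member's own URLs; that is what lets an array be "self-adjusting" without every cache flushing its contents. Server-side routing (the array member forwards a request it does not own) and client-side routing (the browser's proxy script computes the owner itself) are the two placements the slide mentions for exactly this computation.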