Slide 1: The Perfect Combination of Security and Speed
Microsoft Internet Security and Acceleration Server 2000
Presenter: 郝雪莹 (xyhao), Microsoft China

Slide 2: Agenda
- Product overview
- Deployment scenarios
- Firewall
- Caching
- Management
- Extensibility

Slide 3: New Opportunities, New Challenges
Opportunities:
- Connect your customers, partners and employees over the network
- E-commerce on the Web opens new business for your enterprise
- Turn a resource-limited internal network into one that is integrated with the Internet
Challenges:
- The network is exposed to every hacker, virus and unauthorized user
- Competition is intense: your Web presence must deliver fast, reliable service
- Managing such a network demands a higher level of skill

Slide 4: The Connected Business - New Concerns
- Protect your internal network from hackers and other intruders
- Manage and control network access
- Speed up network access while protecting scarce bandwidth
[Diagram: internal network connected to the Internet]

Slide 5: Microsoft's View of Security
- Security flaws and virus attacks are a serious, costly, industry-wide problem
- Internet security is the most fundamental prerequisite for running digital commerce anywhere in the world
- As an industry leader, Microsoft has a special responsibility to protect the Internet and customer data

Slide 6: Microsoft ISA Server 2000 - Security and Speed Combined
- Secure network connectivity: protect the network environment with a scalable, multi-layer firewall
- Fast Web access: a scalable, high-performance Web cache
- Unified management: robust policy and management integrated with Windows 2000
- Extensible, open platform: an advanced platform that can be extended and customized

Slide 7: What Is ISA Server 2000?
- A firewall and a cache
- Two editions: ISA Server Standard Edition and ISA Server Enterprise Edition

Slide 8: Standard Edition vs. Enterprise Edition Feature Comparison

Feature                                      | Standard Edition   | Enterprise Edition
---------------------------------------------|--------------------|------------------------------------
Server deployment                            | Single server      | Centralized multi-server management
Policy support                               | Local server       | Server array
Hardware support                             | 4 CPUs             | Unlimited
Web cache scalability                        | Small business     | Medium and large enterprise
Distributed and hierarchical caching         | Hierarchical only  | Both
Unified management (Windows 2000 Active Directory integration) | Limited | Full
Multi-tier policy                            | No                 | Yes
Multi-server management                      | No                 | Yes

Slide 9: ISA Server System Requirements
- Processor: 300 MHz or higher Pentium II compatible
- Operating system: Microsoft Windows 2000 Server or Advanced Server with SP2 or higher
- Memory: 256 MB of RAM
- Hard disk: 20 MB of available disk space, an available NTFS partition, and 4-8 MB of cache space for each proxy client
- Other: to implement arrays and advanced configuration policies on the Enterprise Edition you also need Windows Active Directory on the network

Slide 10: Firewall & Cache
- Both belong at the edge of the network, the point where it joins the Internet
- Modular installation
- Unified management: MMC, logging and reporting, monitoring and alerting
- Consistent access policy
- Low training and maintenance cost

Slide 11: Tight Integration with Windows 2000
- Security: packet filtering; network address translation (NAT and SecureNAT); authentication; system hardening; virtual private networking (VPN)
- Management: MMC; Terminal Services; event log; Active Directory for array configuration and policy data (NOT required)
- Bandwidth control
- Transparent support for clients and servers on other platforms

Slide 12: Much More Than "Proxy Server 3.0"
- Transparency for all clients and servers
- Enterprise policy, group policy, schedules, Active Directory integration
- Extensible application filters: SMTP filter, streaming media splitting, H.323 filter and gatekeeper
- MMC-based UI with task pads and wizards; remote administration
- Configuring an Exchange server behind the firewall; IIS separation
- RAM caching, a new cache store, scheduled content download
- VPN integration, intrusion detection, system hardening
- NTLM and Kerberos authentication; dual-hop SSL
- Customizable alerts; logging in W3C format with selectable fields; integrated reporting
- Bandwidth control; new APIs; modular installation

Slide 13: Deployment Scenarios
Microsoft Internet Security & Acceleration Server 2000

Slide 14: Small Organization
[Diagram: Internet - ISA Server - internal network]

Slide 15: Large Enterprise
[Diagram: Internet - ISA Server; firewall and cache managed together]

Slide 16: DMZ & Secure Publishing
[Diagram: Internet - ISA #1 - DMZ #1 - ISA #2 - Intranet]

Slide 17: Chaining
[Diagram: branch office ISA Server - leased line or VPN connection - main office ISA Server array - Internet]

Slide 18: Firewall
Protect the network environment with a scalable, multi-layer firewall

Slide 19: Why Use a Firewall?
- Protect yourself against hackers, viruses and unauthorized users
- Control outbound Internet access
- Protect Web servers and email servers
- Safer data access: protect critical data and information, and manage access to that information

Slide 20: ISA Server Firewall
- Packet-, circuit- and application-level traffic screening
- Stateful inspection examines traffic in its context
- Reduces the risk of unauthorized access
- Analyze or modify content with "smart" application filters
- Integrated intrusion detection, based on technology licensed from Internet Security Systems (ISS)
- Secure publishing: protect servers that must be reachable from the outside world
- System hardening: "lock down" the operating system to strengthen security further
- Integrated with Windows 2000 VPN; wizard for easy configuration

Slide 21: Multi-Layer Firewall
Bottom-up protection at every level:
- Packet level: static filters, dynamic filters, intrusion detection
- Circuit (protocol) level: session-based filtering, connection association
- Application level: intelligent payload inspection

Slide 22: Smart Application Filters
- Protocol-aware filters analyze the traffic and can block, redirect or modify it
- Intelligent filtering out of the box:
  - HTTP: Web request caching
  - SMTP: traffic filtering
  - Streaming media: stream splitting
  - FTP: read-only restriction
  - H.323: NetMeeting through the firewall

Slide 23: Intrusion Detection
[Screenshot only]

Slide 24: Additional Security Features
- VPN integration: integrated with Windows 2000 VPN; wizard for easy configuration
- System hardening wizard: "lockdown" for the operating system; three predefined levels
- Secure publishing: SSL bridging; encrypted tunneling

Slide 25: ISA Server, Microsoft's Firewall - Features
- Multi-layer firewall
- Centralized or distributed management
- Publishing
- ICSA certified

Slide 26: How a Firewall Protects
A firewall filters network traffic that enters or leaves a protected network. Its decisions are based on:
- IP address, protocol and port number
- Connection establishment (connection state)
- The IP packet payload (application filtering)
- Authentication
- Logging and alerting

Slide 27: ISA Server Architecture
[Diagram: Web Proxy clients, SecureNAT clients and Firewall clients on the local area network; on the ISA Server, the Web Proxy service with its Web filter and cache, the Firewall service with packet filtering and application filters (third-party, streaming, SMTP, H.323, FTP), the NAT driver and the HTTP redirector; the Internet beyond]

Slide 28: Outgoing Firewall Traffic Flow
[Diagram: internal interface - NDIS - packet filter driver (PFD) and SecureNAT/NAT driver in kernel mode - socket layer, routing, reassembly and application filters in the user-mode Firewall service, consulting policy - external interface; packet-filter log and session log written along the way]

Slide 29: Incoming Firewall Traffic Flow
[Diagram: the same components as on the previous slide, traversed from the external interface to the internal interface]

Slide 30: ISA Server Defaults
- No incoming or outgoing traffic unless it is specifically allowed
- Exceptions: ISA Server itself may perform DNS lookups, and ping from the ISA Server computer is allowed

Slide 31: Rules for Outgoing Requests
- Protocol rules: who may use which protocol, at what time, to reach what? Default: no access
- Site and content rules: who may reach which sites and content, at what time? Default: all access
- Both kinds of rule must allow a request before it is passed to the Internet: the default site and content rule grants nothing by itself while no protocol rule matches

Slide 32: Rules for Incoming Requests
- Server publishing rules: redirect traffic for an external address and port to an internal address
- Web publishing rules: redirect Web requests only; can redirect to multiple internal Web sites; can choose the port for redirection; can perform SSL bridging
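The interaction between the two outgoing rule sets on slides 30 and 31 is easy to get wrong in practice, so here is an added example (not ISA Server code, and not the product's actual rule engine) that models it in Python: a request is passed only if a protocol rule allows it (no matching rule means no access) and a site and content rule allows it (no matching rule means all access), with a matching deny rule winning over any allow rule. The rule names, users, groups, host names and timestamps are constructed for the example.

```python
"""Outgoing access decision modelled on ISA Server 2000's two rule sets.

Added example, not ISA Server code. A request goes out only if a protocol
rule allows it (default: no access) AND a site and content rule allows it
(default: all access). Deny rules win over allow rules within each set.
Rule names, users, groups and hosts below are constructed for the example.
"""
from dataclasses import dataclass
from datetime import datetime

ANY = "*"


@dataclass(frozen=True)
class Request:
    user: str
    groups: frozenset        # groups the user belongs to
    protocol: str            # "HTTP", "FTP", "SMTP", ...
    destination: str         # host name the client asked for
    content_type: str        # MIME type of the content
    when: datetime           # time of the request, checked against schedules


@dataclass(frozen=True)
class Rule:
    name: str
    allow: bool
    users: frozenset = frozenset({ANY})          # users or groups; ANY = everyone
    protocols: frozenset = frozenset({ANY})      # protocol rules
    destinations: frozenset = frozenset({ANY})   # domain suffixes; site rules
    content_types: frozenset = frozenset({ANY})  # MIME types; content rules
    weekdays: frozenset = frozenset(range(7))    # schedule, 0 = Monday
    hours: frozenset = frozenset(range(24))      # schedule, hours of the day

    def matches(self, r: Request) -> bool:
        """True only when every element of the rule applies to the request."""
        if ANY not in self.users and r.user not in self.users \
                and not (self.users & r.groups):
            return False
        if ANY not in self.protocols and r.protocol not in self.protocols:
            return False
        if ANY not in self.destinations and not any(
                r.destination == d or r.destination.endswith("." + d)
                for d in self.destinations):
            return False
        if ANY not in self.content_types and r.content_type not in self.content_types:
            return False
        return r.when.weekday() in self.weekdays and r.when.hour in self.hours


def decide(rules, r, default_allow):
    """Evaluate one rule set: a matching deny wins, then a matching allow,
    otherwise the set's own default applies."""
    matched = [rule for rule in rules if rule.matches(r)]
    for rule in matched:
        if not rule.allow:
            return False, f"denied by {rule.name}"
    for rule in matched:
        if rule.allow:
            return True, f"allowed by {rule.name}"
    return default_allow, "no matching rule: default " + ("allow" if default_allow else "deny")


def evaluate(r, protocol_rules, site_rules):
    """Both rule sets must allow the request; report whichever refuses first."""
    ok, why = decide(protocol_rules, r, default_allow=False)    # Default: no access
    if not ok:
        return False, "protocol rules: " + why
    ok, why2 = decide(site_rules, r, default_allow=True)         # Default: all access
    if not ok:
        return False, "site and content rules: " + why2
    return True, why + "; " + why2


BUSINESS_HOURS = frozenset(range(8, 18))
WORKDAYS = frozenset(range(5))

PROTOCOL_RULES = [
    Rule("Staff web access", allow=True, users=frozenset({"Staff"}),
         protocols=frozenset({"HTTP", "HTTPS", "FTP"}),
         weekdays=WORKDAYS, hours=BUSINESS_HOURS),
]
SITE_RULES = [
    Rule("Allow rule (default)", allow=True),     # the "all access" default
    Rule("Block games sites", allow=False, destinations=frozenset({"games.example"})),
    Rule("Block executables", allow=False,
         content_types=frozenset({"application/octet-stream"})),
]

TUESDAY_10AM = datetime(2024, 3, 12, 10, 0)   # constructed timestamps
SUNDAY_10AM = datetime(2024, 3, 10, 10, 0)


def staff_request(protocol="HTTP", destination="www.example.net",
                  content_type="text/html", when=TUESDAY_10AM):
    """A constructed request from user 'alice', a member of group 'Staff'."""
    return Request("alice", frozenset({"Staff"}), protocol, destination,
                   content_type, when)


if __name__ == "__main__":
    cases = {
        "no protocol rules yet": evaluate(staff_request(), [], SITE_RULES),
        "staff, HTTP, workday": evaluate(staff_request(), PROTOCOL_RULES, SITE_RULES),
        "staff, HTTP, Sunday": evaluate(staff_request(when=SUNDAY_10AM), PROTOCOL_RULES, SITE_RULES),
        "staff, games site": evaluate(staff_request(destination="chess.games.example"),
                                      PROTOCOL_RULES, SITE_RULES),
        "staff, SMTP": evaluate(staff_request(protocol="SMTP"), PROTOCOL_RULES, SITE_RULES),
    }
    for label, (allowed, why) in cases.items():
        print(f"{label:24} {'ALLOW' if allowed else 'DENY':5} {why}")
```

The first case is the one administrators trip over: the default site and content rule is an allow rule, yet a freshly installed server passes nothing until a protocol rule exists. Packet filters, which slide 46 says can override rules, are deliberately left out of this model.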

Slide 33: Firewall Planning
- Assess needs for outgoing traffic: start from "deny all" or "allow all"; research user requirements; design the required rules and policy elements; plan for authentication (if required)
- Assess needs for incoming traffic: inventory the resources that must be reachable from the Internet; design the required rules and policy elements

Slide 34: Firewall Planning (continued)
- Scaling: arrays; Network Load Balancing (NLB); DNS round robin
- Perimeter network requirements

Slide 35: Firewall Design - No External Access Required
[Diagram: Internet - Firewall - Internal Network]

Slide 36: Firewall Design - Screened Host
[Diagram: Internet - Firewall - Internal Network containing the screened host]

Slide 37: Firewall Design - Three-Homed Perimeter Network
[Diagram: one firewall with three interfaces: Internet, Perimeter Network, Internal Network]

Slide 38: Firewall Design - Back-to-Back Perimeter Network
[Diagram: Internet - Firewall - Perimeter Network with Web Server - Firewall - Internal Network]

Slide 39: Using Publishing and Routing - Methods for Passing Network Traffic
- Web Proxy service
- Firewall service (proxy)
- IP routing (secured by packet filters)

Slide 40: Using Publishing and Routing - Comparing Publishing and Routing
- Publishing rules publish internal sites to the external network
- The Local Address Table (LAT) defines what is internal
- In a three-homed design the perimeter network is treated as an external network
- Routing therefore has to be configured between the two external networks
- Routing is secured by packet filters

Slide 41: Using Publishing and Routing - Server Publishing
- Reverse network address translation (NAT): external network to internal network
- Sends packets received on the external network interface to the identical port on the internal server
- Mapping: each port on each external address can be mapped separately
- Normally used for non-Web servers

Slide 42: Using Publishing and Routing - Web Publishing
- Redirects requests for URLs received on the external interface
- Can redirect to multiple Web sites
- Can redirect to internal or external sites
[Diagram: a request for /isaserver/ from the Internet reaches ISA Server and is redirected to /isaserver/ on a server in the internal network]

Slide 43: Using Publishing and Routing - Secure Web Publishing
- The client connection terminates at the ISA Server computer
- ISA Server can perform authentication
- ISA Server needs the Web server's certificate
- What about the connection between ISA Server and the internal Web server? SSL bridging: a choice of HTTPS, HTTP or FTP for that second hop

Slide 44: Using Publishing and Routing - Routing
- Required for all protocols other than TCP or UDP
- Required to reach a three-homed perimeter network (external to external)
- ISA enforces packet filtering together with routing
- Note: packet filtering enhances security and increases performance
- Warning: do not enable routing outside of ISA Server (that is, in Windows itself, where it would bypass ISA's packet filters)

Slide 45: Demonstration 1 - Server Publishing and Web Publishing
- Creating a server publishing rule
- Creating a Web publishing rule

Slide 46: ISA Server Configuration - Outgoing Traffic
- Protocol rules and site and content rules
- Packet filters: for protocols other than UDP or TCP, and for applications or services running on the ISA Server computer itself
- Packet filters can override rules

Slide 47: ISA Server Configuration - Screened Host
- Configure server publishing rules
- Configure Web publishing rules

Slide 48: ISA Server Configuration - Three-Homed Perimeter Network
- Use routing with packet filtering for perimeter network servers
- Servers need routable IP addresses
- Use publishing between the perimeter network and the internal network

Slide 49: ISA Server Configuration - Back-to-Back Perimeter Network
- Use publishing rules to publish servers on the perimeter network to the Internet
- Use publishing rules to publish servers on the internal network to the perimeter network
- Each ISA Server requires a separate LAT

Slide 50: Miscellaneous Configuration - Authentication
- Firewall clients: user-based, automatic; requires client software; Win32 clients only; TCP and UDP only
- SecureNAT clients: identified by IP address only, so no user-based rules; no client software; all platforms, all protocols

Slide 51: Miscellaneous Configuration - Authentication (continued)
- Web Proxy client: by user (the logged-on user or an authentication dialog box)
- The browser (and other clients) must be configured
- The authentication methods must be configured: Basic, Digest, Integrated, Certificates

Slide 52: Miscellaneous Configuration - Intrusion Detection
- Technology licensed from Internet Security Systems (ISS)
- Monitors for a number of common attacks
- Extensive options for alerting

Slide 53: Miscellaneous Configuration - Server Hardening
- A wizard applies security settings to make Windows 2000 Server even more secure

Slide 54: Miscellaneous Configuration - H.323 Gatekeeper
- A "switchboard" for H.323 applications: NetMeeting, Voice over IP (VoIP), etc.

Slide 55: Miscellaneous Configuration - Message Screener
- Works with the SMTP filter to screen SMTP messages for: users and domains; attachments; keywords; SMTP commands
- Can run on the ISA Server computer or on another computer

Slide 56: Demonstration 2 - Message Screener
- Blocking users and domains
- Blocking attachments
- Blocking keywords
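The four checks the Message Screener slides list are shown below as an added example (not ISA Server code and not the product's own screening logic): a Python function that parses an SMTP message with the standard library and returns the reasons to block it, plus a command screen that accepts only the SMTP verbs needed for delivery. The block lists, addresses and sample messages are constructed for the example.

```python
"""SMTP message screening in the spirit of ISA Server's Message Screener.

Added example, not ISA Server code. Applies the checks the Message
Screener slide lists (sender users and domains, attachments, keywords,
SMTP commands) to messages parsed with the standard library. All block
lists, addresses and sample messages are constructed for the example.
"""
import os
from email import message_from_bytes
from email.message import EmailMessage
from email.policy import default as DEFAULT_POLICY
from email.utils import parseaddr

BLOCKED_SENDERS = {"spammer@example.net"}
BLOCKED_SENDER_DOMAINS = {"badmail.example"}          # subdomains match too
BLOCKED_ATTACHMENT_EXT = {".exe", ".vbs", ".scr", ".pif", ".bat"}
BLOCKED_KEYWORDS = ("free money", "click here now")
ALLOWED_SMTP_COMMANDS = {"HELO", "EHLO", "MAIL", "RCPT", "DATA", "RSET", "NOOP", "QUIT"}


def screen_command(line: str) -> bool:
    """SMTP command screening: accept only the verbs needed to deliver mail,
    so VRFY/EXPN probes and anything unexpected are rejected."""
    verb = line.strip().split(None, 1)[0].upper() if line.strip() else ""
    return verb in ALLOWED_SMTP_COMMANDS


def screen_message(raw: bytes) -> list:
    """Return the reasons to block the message; an empty list means deliver."""
    msg = message_from_bytes(raw, policy=DEFAULT_POLICY)
    reasons = []

    # 1. Users and domains: compare the parsed address, never the display name.
    _, addr = parseaddr(str(msg.get("From", "")))
    addr = addr.lower()
    domain = addr.rpartition("@")[2]
    if addr in BLOCKED_SENDERS:
        reasons.append(f"sender {addr} is blocked")
    elif any(domain == d or domain.endswith("." + d) for d in BLOCKED_SENDER_DOMAINS):
        reasons.append(f"sender domain {domain} is blocked")

    # 2. Attachments and 3. keywords: walk every MIME part once.
    texts = [str(msg.get("Subject", ""))]
    for part in msg.walk():
        filename = part.get_filename()        # Content-Disposition or Content-Type name
        if filename:
            ext = os.path.splitext(filename.lower())[1]   # "invoice.pdf.exe" -> ".exe"
            if ext in BLOCKED_ATTACHMENT_EXT:
                reasons.append(f"attachment {filename} has blocked type {ext}")
        elif part.get_content_maintype() == "text":
            texts.append(part.get_content())
    haystack = " ".join(texts).lower()
    for keyword in BLOCKED_KEYWORDS:
        if keyword in haystack:
            reasons.append(f"keyword {keyword!r} found")
    return reasons


def build_sample(sender, subject, body, attachment_name=None) -> bytes:
    """Constructed test messages, built with the same library that parses them."""
    m = EmailMessage()
    m["From"] = sender
    m["To"] = "staff@corp.example"
    m["Subject"] = subject
    m.set_content(body)
    if attachment_name:
        m.add_attachment(b"MZ\x90\x00", maintype="application",
                         subtype="octet-stream", filename=attachment_name)
    return m.as_bytes()


CLEAN_MESSAGE = build_sample("Alice <alice@partner.example>", "Q3 report",
                             "The numbers are attached.", "report.txt")
BAD_MESSAGE = build_sample("Sales <sales@mail.badmail.example>", "Free money!!",
                           "click here now to claim it", "invoice.pdf.exe")

if __name__ == "__main__":
    for label, raw in (("clean", CLEAN_MESSAGE), ("bad", BAD_MESSAGE)):
        print(label, screen_message(raw) or "deliver")
    print("VRFY root ->", "accept" if screen_command("VRFY root") else "reject")
```

Note that the attachment check looks at the last extension of the file name, so the classic "invoice.pdf.exe" is caught, and that the sender check uses the parsed address rather than the display name, which an attacker controls freely.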

Slide 57: Miscellaneous Configuration - VPN Configuration
- Two types of connection: access by remote users; connecting two networks
- Wizards configure ISA Server and RRAS: ISA Server packet filters, and RRAS configured as a VPN server
- RRAS performs all VPN functions
- May require additional configuration

Slide 58: Demonstration 3 - VPN Configuration
- Configuring a local VPN
- Configuring a remote VPN
- Reviewing VPN configuration settings

Slide 59: Caching
A scalable, high-performance Web cache

Slide 60: Cache Scenarios - Forward Proxy
[Diagram: corporate network users (Liz, John) send GET requests to ISA Server; ISA Server answers from its cache or forwards the GET to the Internet]
- Corpnet users connect to the Internet via ISA

Slide 61: Cache Scenarios - Reverse Caching
[Diagram: an Internet user (Joe) resolves the site in DNS and sends requests to ISA Server, which serves them from cache or forwards requests for /ISA to a Web server on the secure network]
- ISA Server looks like a Web server to the Internet
- Internally it routes requests to multiple servers

Slide 62: Why Use Caching?
- Faster browsing
- Lower network bandwidth cost
- Less load on Web servers
- More reliable data access
- In short: increase performance and reduce costs

Slide 63: ISA Server Caching Features
- Web access acceleration: RAM caching ("hot content" served from RAM); an efficient cache store that minimizes disk I/O; active caching; scheduled content download
- Distributed caching: Cache Array Routing Protocol (CARP)
- Hierarchical caching with tiered policy

Slide 64: CARP on the Server
[Diagram: a client sends a GET to an array of Server 1, Server 2 and Server 3; the receiving server asks "Do you have it?" of the array member that owns the URL, which answers from its cache or fetches the object from the Internet]

Slide 65: CARP (Cache Array Routing Protocol)
- Efficient: a distributed cache; arrays scale linearly and balance load; content is not duplicated across servers; makes the most of the total cache size and the cache hit rate
- Reliable: fault-tolerant, self-tuning arrays; when servers are added or removed, content moves and the configuration adjusts dynamically
- Flexible: routing can be implemented on the server for best transparency, or on the client for maximum efficiency

Slide 66: Hierarchical Caching (Chaining)
[Diagram: New York, Tokyo and London caches chained towards the Internet; 50% traffic savings over every WAN link]
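The CARP properties claimed on slides 64 and 65 (each URL has exactly one owner, so nothing is duplicated, and adding or removing a member only moves the URLs that member owns) follow from the routing algorithm itself. The added example below (not ISA Server code) implements the hash routing described in the published CARP v1 Internet-Draft: hash the URL, hash each member name, combine the two, and send the request to the member with the highest combined value. Whether ISA Server's implementation uses exactly the draft's constants is not stated on the page; the member names and URLs are constructed for the example, and all members are given equal load factors.

```python
"""CARP-style request routing inside a cache array.

Added example, not ISA Server code. Implements the hash routing of the
CARP v1 Internet-Draft (URL hash, member hash, combined hash, highest
value wins) with equal load factors, and shows the properties claimed
on the CARP slides. Member names and URLs are constructed for the example.
"""
MASK32 = 0xFFFFFFFF
CARP_MULTIPLIER = 0x62531CD9   # constant from the CARP v1 draft


def _rotl(x: int, n: int) -> int:
    """32-bit rotate left."""
    return ((x << n) | (x >> (32 - n))) & MASK32


def _string_hash(s: str) -> int:
    """Draft string hash: h += rotl(h, 19) + byte, over the bytes of s."""
    h = 0
    for byte in s.encode("utf-8"):
        h = (h + _rotl(h, 19) + byte) & MASK32
    return h


def member_hash(name: str) -> int:
    """Member hash: string hash of the name, then scaled by the draft constant."""
    h = _string_hash(name)
    return (h + h * CARP_MULTIPLIER) & MASK32


def combined_hash(url_hash: int, m_hash: int) -> int:
    """Combine a URL hash with a member hash (XOR, scale, rotate 21)."""
    c = url_hash ^ m_hash
    c = (c + c * CARP_MULTIPLIER) & MASK32
    return _rotl(c, 21)


class CarpArray:
    """An array of cache servers with equal load factors."""

    def __init__(self, members):
        self.members = {m: member_hash(m) for m in members}

    def route(self, url: str) -> str:
        """The member that owns the URL: highest combined hash wins; the
        member name breaks the (practically impossible) tie deterministically."""
        uh = _string_hash(url)
        return max(self.members, key=lambda m: (combined_hash(uh, self.members[m]), m))


def distribution(array: CarpArray, urls) -> dict:
    """How many of the given URLs each member owns."""
    counts = dict.fromkeys(array.members, 0)
    for u in urls:
        counts[array.route(u)] += 1
    return counts


def moved_urls(before: CarpArray, after: CarpArray, urls) -> dict:
    """URLs whose owner changes between two array configurations: {url: (old, new)}."""
    return {u: (before.route(u), after.route(u))
            for u in urls if before.route(u) != after.route(u)}


URLS = [f"http://www.example.net/catalog/item{i}.html" for i in range(2000)]  # constructed
THREE = CarpArray(["cache1", "cache2", "cache3"])
FOUR = CarpArray(["cache1", "cache2", "cache3", "cache4"])   # cache4 added to THREE
TWO = CarpArray(["cache1", "cache3"])                        # cache2 removed from THREE

if __name__ == "__main__":
    print("3 members:", distribution(THREE, URLS))
    added = moved_urls(THREE, FOUR, URLS)
    print(f"adding cache4 moved {len(added)} of {len(URLS)} URLs, all to cache4")
    removed = moved_urls(THREE, TWO, URLS)
    print(f"removing cache2 moved {len(removed)} URLs, all away from cache2")
```

Because every member computes the same deterministic function from the URL and the shared member list, no directory or inter-cache query protocol is needed to find the owner, which is what lets an array scale linearly; and because a URL's owner only changes when a member that beats its current owner joins, or its owner leaves, a membership change never shuffles content between the surviving members.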

Slide 67: Other Bandwidth Savings
- Traffic prioritization: impose bandwidth policy through the UI; manage inbound and outbound network traffic independently; adds this layer on top of Windows 2000 QoS
- Live media stream splitting

Slide 68: Configuring Caching - Business Scenario
[Diagram: clients - ISA - Internet]

Slide 69: Configuring Caching - Allowing Internet Access
Four simple steps:
1. Verify the LAT
2. Create a protocol access rule
3. Turn on HTTP and FTP caching (enabled by default)
4. Define the proxy setting on all clients

Slide 70: Configuring Caching - Cache Expiration
- Frequently: the cache is kept current; network performance may be degraded
- Normally: the cache is somewhat current; network performance is taken into account
- Less frequently: the cache is less current; network performance is not degraded
- Custom settings

Slide 71: Configuring Caching - Active Caching
Enables ISA to fetch a new version of cached objects before they are requested again:
- Frequently: the cache is kept current; network performance is degraded
- Normally: network performance is taken into account when updating the cache
- Less frequently: the cache is less current; network performance is not degraded

Slide 72: Configuring Caching - Advanced Cache Settings
- Control over what content is cached: the size of objects to cache; dynamic content; the maximum size of a URL cached in memory
- Control over what to do with expired cache objects: return an error, or return the expired object

Slide 73: Configuring Caching - Adjusting Cache Size
[Screenshot: the Cache Drives tab of the properties dialog for server LONDON, listing each drive with its type, disk space, free space and cache size; maximum cache size 100 MB on a drive with 39064 MB of disk space; total maximum cache size 100 MB]
- ISA creates a .cdat file of the configured size
- Allow 4-8 MB for each client

Slide 74: Demonstration 4 - Configure Caching
- Enabling HTTP and FTP caching
- Examining the cache configuration
- Allowing Internet access

Slide 75: Management
Tiered policy and flexible management, integrated with Windows 2000

Slide 76: Policy & Rules
- Enterprise- and array-level
- Access control: by user/group; by application; by destination; by content type; by schedule
- Bandwidth priorities
- Active policy: access rules
- ISA server na

(The extracted text ends here; the remaining slides of the deck are not included.)
