The Perfect Combination of Security and Speed
Microsoft Internet Security and Acceleration Server 2000

Agenda
- Product overview
- Firewall
- Caching
- Deployment scenarios
- Management
- Extensibility

New Opportunities, New Challenges
Opportunities:
- Connect your customers, partners and employees over the network
- E-commerce on the Web brings new business to the enterprise
- Turn a resource-limited internal network into one that is merged with the Internet
Challenges:
- The same connectivity exposes the network to every hacker, virus and unauthorized user
- Competition is intense: your Web presence must deliver fast, reliable service
- Managing such a network demands more technical skill

Microsoft ISA Server 2000: The Perfect Combination of Security and Speed
- Secure network connections: protect the network environment with a scalable, multi-layer firewall
- Fast Web access: a scalable, high-performance Web cache
- Unified management: robust policy and management mechanisms integrated with Windows 2000
- An extensible, open platform: an advanced platform that can be extended and customized

Firewall & Cache
- Both belong at the network edge, the point where the internal network meets the Internet
- Modular installation
- Unified management: MMC, logging and reporting, monitoring and alerting
- One consistent access policy
- Low training and maintenance cost

Tight Integration with Windows 2000
- Security: packet filtering, network address translation (NAT and SecureNAT), authentication, system hardening, virtual private networking (VPN)
- Management: MMC, Terminal Services, Event Log, Active Directory (holds array configuration and policy data, but is NOT required for a standalone server)
- Bandwidth control
- Transparent support for clients and servers on other platforms

Much More Than "Proxy Server 3.0"
- Transparency for all clients and servers
- Enterprise policy, group policy, schedules, Active Directory integration
- Extensible application filters: SMTP filter, streaming media splitting, H.323 filter and Gatekeeper
- MMC-based UI, TaskPads, wizards, remote administration
- Configuring Exchange Server behind the firewall; IIS separation
- RAM caching, new cache store, scheduled content download
- VPN integration, intrusion detection, system hardening
- NTLM and Kerberos authentication; dual-hop SSL
- Customizable alerts; logging in W3C format with selectable fields; integrated reporting
- Bandwidth control
- New APIs; modular installation

ISA Server 2000 Editions
- ISA Server Standard Edition
- ISA Server Enterprise Edition

What Is ISA Server 2000

ISA Server System Requirements
- Processor: 300 MHz or higher Pentium II compatible
- Operating system: Microsoft Windows 2000 Server or Advanced Server with SP2 or higher
- Memory: 256 MB of RAM
- Hard disk: 20 MB of available disk space; an available NTFS partition; 4-8 MB for each proxy client
- Other: to implement arrays and advanced configuration policies on the Enterprise Edition you also need Windows Active Directory on the network

Microsoft ISA Server 2000 Standard Edition vs. Enterprise Edition

  Feature                                        Standard Edition           Enterprise Edition
  Server deployment                              single server              centralized management of multiple servers
  Policy support                                 local server               server array
  Hardware support                               up to 4 CPUs               unlimited
  Web cache
    Scalability                                  small organizations        medium and large enterprises
    Distributed and hierarchical caching         hierarchical only          both
  Unified management
    Windows 2000 Active Directory integration    limited                    full
    Tiered (multi-level) policy                  no                         yes
    Multi-server management                      no                         yes

Deployment Scenarios

Small Organization
- One ISA Server between the Internet and the internal network

Large Enterprise
- ISA Server as firewall and cache, managed together

DMZ & Secure Publishing
- Internet - ISA #1 - DMZ #1 - ISA #2 - Intranet

Chaining
- Branch ISA Server - leased line or VPN connection - main-office ISA Server array - Internet

Firewall: protect the network environment with a scalable, multi-layer firewall

Why Use a Firewall?
- Protect yourself against hackers, viruses and unauthorized users
- Control outbound Internet access
- Protect Web servers and e-mail servers
- More secure data access
- Protect critical data and information - and - manage access to information

Firewall Basics (note)
- What is a firewall?
- Seven-layer vs. four-layer models
- Packet filtering (IP / IP extension headers): static, dynamic, stateful inspection
- Application proxies (application layer), with an example
- Circuit-level gateways (TCP): SOCKS vs. Winsock Proxy
- NAT and the categories of NAT

ISA Server's Firewall
- Packet filtering plus circuit-level and application-level traffic inspection
- Stateful inspection examines traffic in its context and reduces the risk of unauthorized access
- Analyze or modify content with "smart" application filters
- Integrated intrusion detection, based on technology licensed from Internet Security Systems (ISS)
- Secure publishing: protect servers that are accessible to the outside world
- System hardening: "lock down" the operating system to further strengthen security
- Integrated VPN: integrated with Windows 2000 VPN, with a wizard for easy configuration

ISA Server – Microsoft's Firewall

ISA Server Architecture (diagram)
- Clients on the local area network: Web Proxy client, SecureNAT client, Firewall client
- Services: Web Proxy service, Firewall service
- Filters: Web filter, packet filtering, third-party filter, streaming filter, SMTP filter, H.323 filter, FTP filter
- Cache, NAT driver, HTTP redirector
- Internet

Intrusion Detection

Additional Security Features
- VPN integration: integrated with Windows 2000 VPN; wizard for easy configuration
- System hardening wizard: "lockdown" for the operating system, with three pre-defined levels
- Secure publishing: SSL bridging, encrypted tunneling

Rules for Outgoing Requests
- Protocol Rules: who may use which protocol, at what time, to access what? Default: no access
- Site and Content Rules: who may access which sites and which content, at what time? Default: all access
- Configuration demo
- Both rule types must allow a request before Internet access is granted
- Using bandwidth control
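To make the two-rule model concrete, the block below is an added toy evaluator written for this page; it is not ISA Server code and does not use ISA's real object model. It assumes that a matching deny rule beats an allow rule inside each rule set (the usual firewall convention) and that the "all access" default of Site and Content Rules comes from a shipped allow-everything rule, modelled as the last entry of SITE_RULES. The policy, group name "Staff", hosts and timestamps are constructed samples.

```python
"""Toy model of ISA Server 2000 outbound access rules (added illustration, not ISA code).

A request leaves the network only if a Protocol Rule allows it AND a Site and
Content Rule allows it. Within each rule set a matching deny rule wins over an
allow rule (assumed here). With no Protocol Rule at all the answer is "no access".
"""
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class Request:
    user: str
    groups: frozenset
    protocol: str        # "HTTP", "HTTPS", "FTP", ...
    host: str            # destination site
    content_type: str    # e.g. "text/html"
    when: datetime


@dataclass(frozen=True)
class Schedule:
    """A rule applies when the request's weekday (0=Monday) and hour fall inside."""
    start_hour: int = 0
    end_hour: int = 24
    weekdays: frozenset = frozenset(range(7))

    def covers(self, when: datetime) -> bool:
        return when.weekday() in self.weekdays and self.start_hour <= when.hour < self.end_hour


@dataclass(frozen=True)
class Rule:
    action: str                               # "allow" or "deny"
    principals: frozenset = frozenset()       # users or groups; empty = everyone
    protocols: frozenset = frozenset()        # Protocol Rule: empty = any protocol
    sites: frozenset = frozenset()            # Site and Content Rule: empty = any site
    content_types: frozenset = frozenset()    # empty = any content type
    schedule: Schedule = Schedule()

    def matches(self, r: Request) -> bool:
        if self.principals and r.user not in self.principals and not (r.groups & self.principals):
            return False
        if self.protocols and r.protocol not in self.protocols:
            return False
        if self.sites and not any(r.host == s or r.host.endswith("." + s) for s in self.sites):
            return False
        if self.content_types and r.content_type not in self.content_types:
            return False
        return self.schedule.covers(r.when)


def verdict(rules, r: Request) -> str:
    """'deny' if any matching rule denies, 'allow' if one allows, else 'no-match'."""
    actions = {rule.action for rule in rules if rule.matches(r)}
    if "deny" in actions:
        return "deny"
    return "allow" if "allow" in actions else "no-match"


def decide(r: Request, protocol_rules, site_rules):
    """Return (allowed, reason): both rule sets must say 'allow'."""
    p = verdict(protocol_rules, r)
    if p != "allow":
        return False, f"protocol rules: {p}"
    s = verdict(site_rules, r)
    if s != "allow":
        return False, f"site and content rules: {s}"
    return True, "allowed by a protocol rule and a site and content rule"


# Constructed sample policy (hypothetical group "Staff" and site "games.example").
BUSINESS_HOURS = Schedule(start_hour=8, end_hour=18, weekdays=frozenset(range(5)))
PROTOCOL_RULES = [
    Rule("allow", principals=frozenset({"Staff"}),
         protocols=frozenset({"HTTP", "HTTPS"}), schedule=BUSINESS_HOURS),
    Rule("deny", protocols=frozenset({"FTP"})),           # nobody may use FTP
]
SITE_RULES = [
    Rule("deny", sites=frozenset({"games.example"})),     # blocked for everyone
    Rule("allow"),                                        # the shipped allow-everything rule
]


def sample_request(user="alice", groups=("Staff",), protocol="HTTP",
                   host="intranet.example", hour=10) -> Request:
    """Constructed request on Tuesday 2024-03-12 at the given hour."""
    return Request(user, frozenset(groups), protocol, host, "text/html",
                   datetime(2024, 3, 12, hour, 0))


if __name__ == "__main__":
    for req in (sample_request(), sample_request(host="www.games.example"),
                sample_request(hour=22), sample_request(protocol="FTP"),
                sample_request(user="bob", groups=("Contractors",))):
        print(req.user, req.protocol, req.host, req.when.hour, decide(req, PROTOCOL_RULES, SITE_RULES))
```

The last case in the demo is the one that surprises new administrators: a contractor who is not named in any Protocol Rule gets nothing, even though the allow-everything Site and Content Rule is still in place.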

Rules for Incoming Requests
- Server Publishing Rules: redirect traffic for an external address/port to an internal address
- Web Publishing Rules: redirect Web requests only; can redirect to multiple internal Web sites; can choose the port for redirection; can perform SSL bridging

Firewall Planning (continued)
- Scaling: arrays, Network Load Balancing (NLB), DNS round robin
- Perimeter network requirements

Firewall Design: No External Access Required
- Internet - Firewall - Internal Network

Firewall Design: Screened Host
- Internet - Firewall - Internal Network, with a single screened host exposed through the firewall

Firewall Design: Three-Homed Perimeter Network
- One firewall with three interfaces: Internet, Perimeter Network, Internal Network

Firewall Design: Back-to-Back Perimeter Network
- Internet - Firewall - Perimeter Network (Web server) - Firewall - Internal Network

Miscellaneous Configuration: Authentication

Configuration Tips
- Firewall clients: user-based, automatic authentication; require client software; Win32 clients only; TCP and UDP only
- SecureNAT clients: identified by IP address; no client software; all platforms, all protocols
- How to ping: ICMP is neither TCP nor UDP, so it can only pass as SecureNAT traffic

Miscellaneous Configuration: Authentication (continued)
- Web Proxy client: by user (the logged-on user, or an authentication dialog box)
- The browser, etc. must be configured
- Authentication methods must be configured: Basic, Digest, Integrated, Certificates

Miscellaneous Configuration: Intrusion Detection
- Technology licensed from Internet Security Systems (ISS)
- Monitors for a number of common attacks
- Extensive options for alerting
- You can develop your own intrusion detection rules
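The page does not describe what the ISS-licensed detection engine actually checks, so the block below is my own sketch of the simplest detection such an engine runs against the firewall's packet log, added here as an illustration and not taken from ISA Server: a source that touches many distinct ports on one host inside a short window raises one alert. The W3C-style log, its field names (c-ip, s-ip, s-port, action) and the addresses are all constructed for the example and are not a real ISA Server log format; the slow scan in the sample shows the evasion a practitioner has to weigh when tuning the window.

```python
"""Port-scan detection over firewall packet-filter log lines (added illustration).

Not ISA Server code. The log format and field names are constructed for this example.
"""
import datetime as dt
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Alert:
    source: str
    target: str
    distinct_ports: int
    first_seen: dt.datetime
    last_seen: dt.datetime


def constructed_sample_log() -> str:
    """Constructed sample: a fast scan, a slow scan, and ordinary browsing."""
    ports = [21, 22, 23, 25, 53, 80, 110, 135, 139, 443, 445, 1433]
    base = dt.datetime(2001, 5, 14, 9, 0, 0)
    lines = ["#Software: constructed sample (not an ISA Server log)",
             "#Fields: date time c-ip s-ip protocol s-port action"]
    fmt = "{:%Y-%m-%d %H:%M:%S} {} 192.0.2.10 TCP {} {}"
    for i, p in enumerate(ports):          # fast scan: one port per second
        lines.append(fmt.format(base + dt.timedelta(seconds=i), "203.0.113.7", p, "DROPPED"))
    for i, p in enumerate(ports):          # slow scan: one port every two minutes
        lines.append(fmt.format(base + dt.timedelta(minutes=5 + 2 * i), "203.0.113.9", p, "DROPPED"))
    for i in range(6):                     # normal HTTP/HTTPS use
        lines.append(fmt.format(base + dt.timedelta(seconds=3 * i), "198.51.100.5",
                                443 if i % 2 else 80, "ALLOWED"))
    return "\n".join(lines)


def parse_log(text: str) -> list:
    """Parse W3C extended-log-style text: '#Fields:' names the columns of the rows that follow."""
    fields, records = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            rec = dict(zip(fields, line.split()))
            rec["ts"] = dt.datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")
            rec["s-port"] = int(rec["s-port"])
            records.append(rec)
    return records


def detect_port_scans(records, threshold=10, window_seconds=60) -> list:
    """One Alert per (source, target) once `threshold` distinct ports are hit within the window."""
    window = dt.timedelta(seconds=window_seconds)
    recent = defaultdict(deque)   # (source, target) -> (timestamp, port) pairs inside the window
    alerted, alerts = set(), []
    for r in sorted(records, key=lambda x: x["ts"]):
        key = (r["c-ip"], r["s-ip"])
        q = recent[key]
        q.append((r["ts"], r["s-port"]))
        while r["ts"] - q[0][0] > window:    # slide the window forward
            q.popleft()
        ports = {p for _, p in q}
        if len(ports) >= threshold and key not in alerted:
            alerted.add(key)
            alerts.append(Alert(key[0], key[1], len(ports), q[0][0], r["ts"]))
    return alerts


if __name__ == "__main__":
    recs = parse_log(constructed_sample_log())
    for a in detect_port_scans(recs):
        print(a)
    # The two-minute scanner is only caught once the window is widened:
    print([a.source for a in detect_port_scans(recs, window_seconds=30 * 60)])
```

With the default 60-second window only the fast scanner is reported; the same detector with a 30-minute window also catches the two-minute-per-port scanner, at the cost of keeping more state per source. That trade-off is what the "extensive options for alerting" on the slide have to be tuned against.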

Miscellaneous Configuration: Server Hardening
- The wizard applies security settings that make Windows 2000 Server even more secure
- Reference documents are in the ISA installation directory

Miscellaneous Configuration: H.323 Gatekeeper
- A "switchboard" for H.323 applications: NetMeeting, Voice over IP (VoIP), etc.

Caching: a scalable, high-performance Web cache

Why Use a Cache?
- Faster browsing
- Lower network bandwidth cost
- Less load on Web servers
- More reliable data access
- Increase performance - and - reduce costs

Cache Scenarios: Forward Proxy (diagram)
- Corpnet users (Liz, John) send their GET requests to ISA Server, which answers from its cache or fetches from the Internet
- Corpnet users connect to the Internet via ISA

Cache Scenarios: Reverse Caching (diagram)
- DNS points Internet users (Joe) at ISA Server, so ISA Server looks like the Web server
- ISA Server internally routes requests to multiple Web servers on the secure network and answers repeat requests from its cache

ISA Server Caching Features
- Web access acceleration: RAM caching ("hot content" served from RAM); an efficient cache mechanism that minimizes disk I/O
- Active caching
- Scheduled content download
- Distributed caching: Cache Array Routing Protocol (CARP); hierarchical caching
- Tiered policy
- NLB load balancing / DNS round robin
- Automatic proxy discovery

CARP on the Server (diagram)
- The client sends its GET to one array member; that member asks "Do you have it?" of the member that owns the URL (Server1, Server2 or Server3), which serves it from cache or fetches it from the Internet

CARP (Cache Array Routing Protocol)
- Efficient: a distributed cache; arrays scale linearly and balance load; no content is duplicated across servers; the most efficient use of cache size and the best hit rate
- Reliable: fault-tolerant, self-tuning arrays; when servers are added or removed, content placement is reconfigured dynamically
- Flexible: routing can be implemented on the server for best transparency, or on the client for maximum efficiency
- Uses the system default settings

Hierarchical Caching (Chaining)
- Caches in New York, Tokyo and London chain toward the Internet
- ~50% traffic savings over every WAN link

NLB and ISA
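The CARP properties listed above (no duplicated content, and only a small reshuffle when a member joins) follow from how the routing hash is built, so here is an added Python illustration of CARP-style routing. It is my own code, not ISA Server's implementation: the rotate-and-multiply constants follow the CARP Internet-Draft as I recall it and should be treated as illustrative, the load factor is simplified to a plain multiplier, and the member names and URLs are made up. The block also shows why the page's "dynamic reconfiguration" claim matters by comparing against naive modulo hashing, which the page does not discuss.

```python
"""CARP-style hash routing for a cache array (added illustration, not ISA Server code).

Each array member gets a fixed hash; for a URL, every member's score mixes the URL
hash with the member hash, and the highest score owns the URL. Adding a member only
steals the URLs it now scores highest on, so roughly 1/N of the cache moves, instead
of the ~(N-1)/N that "hash modulo array size" reshuffles.
"""
MASK = 0xFFFFFFFF


def _rotl(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & MASK


def hash_url(url: str) -> int:
    h = 0
    for c in url.encode():
        h = (h + _rotl(h, 19) + c) & MASK
    return h


def hash_member(name: str) -> int:
    """Member names are case-insensitive; the extra mix spreads short names apart."""
    h = 0
    for c in name.lower().encode():
        h = (h + _rotl(h, 19) + c) & MASK
    h = (h + h * 0x62531965) & MASK
    return _rotl(h, 21)


def score(url_hash: int, member_hash: int) -> int:
    c = url_hash ^ member_hash
    c = (c + c * 0x62531965) & MASK
    return _rotl(c, 21)


def route(url: str, members: dict) -> str:
    """members maps name -> load factor; the highest weighted score wins (ties: name order)."""
    uh = hash_url(url)
    return max(sorted(members), key=lambda m: score(uh, hash_member(m)) * members[m])


def route_modulo(url: str, names: list) -> str:
    """Naive alternative for comparison: pick a member by URL hash modulo array size."""
    return names[hash_url(url) % len(names)]


def remap_fraction(urls, before, after, router=route) -> float:
    """Fraction of URLs whose owner changes when the array goes from `before` to `after`."""
    moved = sum(1 for u in urls if router(u, before) != router(u, after))
    return moved / len(urls)


def sample_urls(n: int) -> list:
    """Constructed URLs on a hypothetical site; not taken from any real log."""
    return [f"http://www.example.test/catalog/item{i}.html" for i in range(n)]


if __name__ == "__main__":
    urls = sample_urls(3000)
    three = {"cache1": 1.0, "cache2": 1.0, "cache3": 1.0}
    four = dict(three, cache4=1.0)
    print("CARP, 3 -> 4 members, fraction moved:  ", remap_fraction(urls, three, four))
    print("modulo, 3 -> 4 members, fraction moved:", remap_fraction(urls, list(three), list(four), route_modulo))
```

Because existing members' scores never change, a URL either stays where it was or moves to the new member; that is the property the slide describes as self-tuning arrays, and it holds whether the hash runs on the server (transparent to clients) or in the client's proxy auto-configuration script.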

Firewall and Proxy Server Cluster (diagram)
- ISA1 and ISA2 each have an internal interface and an external interface
- The two internal interfaces form one NLB cluster and the two external interfaces form another
- Each interface keeps its own dedicated IP address (DIP) and shares its cluster's virtual IP address (VIP)

Configuring Caching: Cache Expiration
- Frequently: the cache is kept current; network performance may be degraded
- Normally: the cache is somewhat current; network performance is taken into account
- Less frequently: the cache is less current; network performance is not degraded
- Custom settings

Configuring Caching: Active Caching & Negative Caching
- Active caching enables ISA Server to fetch a new version of cached objects on its own
- Frequently: the cache is kept current; network performance is degraded
- Normally: network performance is considered when updating the cache
- Less frequently: the cache is less current; network performance is not degraded

Configuring Caching: Advanced Cache Settings
- Control over what content is cached: size of objects to cache; dynamic content; maximum URL cached in memory
- Control what action to take with expired cache objects: return an error - or - return the expired object

Configuring Caching: Adjusting Cache Size (server Properties, Cache Drives tab)
- Per drive: type, disk space, free space, cache size; specify the maximum cache size in MB (the screenshot shows server LONDON with 100 MB of cache out of 39064 MB total disk space)
- ISA Server creates a .cdat file of the configured size
- Allow 4-8 MB for each client

Demonstration: Configure Caching
- Enabling HTTP and FTP caching
- Examining the cache configuration
- Allowing Internet access

Server Publishing

Using Publishing and Routing

Publishing Rules
- Publish internal sites to the external network
- The "internal network" is defined by the Local Address Table (LAT)
- In a three-homed design the perimeter network is, as far as ISA Server is concerned, part of the external network
- Traffic between two external networks requires routing; secure routed traffic with packet filters

Server Publishing
- Reverse network address translation (NAT): maps the external network to the internal network
- Packets received on the external NIC are forwarded to a specific port on an internal server
- Mapping: different ports on the external NIC can map to different internal servers
- Used mainly for servers other than Web servers

Web Publishing
- Redirects requests received on the external NIC
- Can redirect for multiple sites
- Can redirect to internal or external sites
- Diagram: Internet - ISA Server (/isaserver) - internal network Web server (/isaserver)

Secure Web Publishing
- The client's connection terminates at the ISA Server computer, so ISA Server can perform authentication
- ISA Server therefore needs the Web server's certificate
- What about the connection between ISA Server and the internal Web server? SSL bridging: a choice of HTTPS, HTTP or FTP for the second hop

Routing
- Protocols other than TCP/UDP can only pass through routing
- External access to a three-homed perimeter network must use routing (external to external)
- ISA Server enforces packet filtering on routed traffic
- Note: packet filtering enhances security and increases performance
- Warning: do not enable routing outside of ISA Server's control; keep ISA Server the only router

ISA Server Configuration: Outgoing Traffic
- Protocol Rules and Site and Content Rules
- Packet filters: for protocols other than UDP or TCP, and for applications or services running on the ISA Server computer itself
- Packet filters can override rules

ISA Server Configuration: Three-Homed Perimeter Network
- Use routing with packet filtering for perimeter network servers
- Perimeter servers need routable IP addresses
- Use publishing between the perimeter network and the internal network

ISA Server Configuration: Back-to-Back Perimeter Network
- Use publishing rules to publish servers on the perimeter network to the Internet
- Use publishing rules to publish servers on the internal network to the perimeter network
- Each ISA Server requires a separate LAT

Demonstration: Server Publishing and Web Publishing
- Creating a Server Publishing Rule
- Creating a Web Publishing Rule

Miscellaneous Configuration: VPN Configuration
- Three types of connections: access by remote users; connecting two networks; access to a remote VPN from the ISA-protected network
- Wizards configure ISA Server and RRAS: ISA Server supplies the packet filters; RRAS is configured as a VPN server and performs all VPN functions
- May require additional configuration

Demonstration: VPN Configuration
- Configuring a local VPN
- Configuring a remote VPN
- Reviewing VPN configuration settings

Management: tiered policy and flexible management that integrates with Windows 2000

Policy & Rules
- Enterprise- and array-level policy
- Access control by user/group, by application, by destination, by content type, by schedule
- Bandwidth priorities
- Active policy: access rules
- ISA Server namespace

TaskPads and Wizards
- TaskPads: the easy way to set up and maintain
- Wizards: step-by-step for complex tasks; common tasks

Alerting
- Flexible alert dispatch mechanism
- Alert sources: intrusion, system event, violation, ISA Server

Logging, Reporting, Monitoring
- Logging: packet log, session log
- Reporting: daily summa
