ISA Security Concepts - Part I
Zubair Alexander specializes in design, implementation, and engineering of enterprise network services. For more information on all of his publications, visit his Web site at www.techgalaxy.net.
This sample chapter is excerpted from Microsoft ISA Server 2000.
As one might expect, security concepts will get a lot of coverage in an ISA Server book. Because we have a large number of important items to cover, the ISA Server security concepts are broken down into two chapters in this book: Chapter 3, "ISA Security Concepts Part I," and Chapter 4, "ISA Security Concepts Part II."
ISA Server can be implemented as a dedicated firewall to protect your local area network from potential intruders on external networks. You can configure rules and filters that prevent unauthorized users from entering your network, and you can limit the access of authorized users to only the contents that they should be accessing, thus securing your valuable corporate resources.
In this first of two security chapters, we will focus on topics such as the ISA Server Security Configuration wizard. This wizard enables you to tighten your security considerably. We will explore site and content rules in detail. Rules enable you to control the flow of traffic to meet your security needs. In other words, they determine which computers, users, or applications should be able to access resources on your network. Rules can be configured for both inbound and outbound traffic. We will also discuss the support for Virtual Private Networks (VPNs) in ISA Server. You will learn how to configure both ends of a VPN tunnel using the ISA Server wizards. Later in this chapter, you will also find a comparison of existing security solutions.
When discussing security and firewalls, it's hard not to talk about demilitarized zones (DMZs). A DMZ provides an extra layer of protection against outside attacks. In this chapter, first you will be presented with an overview of DMZs, followed by an explanation of a couple of common DMZ scenarios in use today.
After exploring the security items found in this chapter, move on to Chapter 4, "ISA Security Concepts Part II." The primary focus of that chapter is packet filtering. There you will learn the fundamentals of packet filtering, including the creation and application of filters. You will also be presented with the application filter concepts.
Emphasizing Network Security
As the person responsible for securing your network, you will probably not be surprised that you have to be security conscious from the get-go. Some administrators leave their systems unprotected in the beginning while they slowly work on different aspects of those systems. Needless to say, this could be a huge security risk.
Let's take a real-world scenario that's more common than a lot of folks realize. As you may know, businesses that have standardized on Compaq's servers can use Compaq's Web-enabled management software to manage their systems. The components that can be managed range from RAID configurations and free hard disk space to IP addresses and serial numbers. You can even restart the server remotely and get into the management tools.
Well, you say, that sounds pretty cool. So what's the problem? Well, the problem is that some newbie administrator may not realize that Compaq's management software running any Web-based management tool on port 2301 can act as a proxy server. This could potentially leave the server wide open to folks on the Internet, unless the administrator changes the default configuration before connecting the server to the Internet. With the default username (administrator) and password (administrator) known to everyone, hackers can have anonymous access to the server. By the way, Compaq has a security patch available for Windows NT 4.0 and Windows 2000 to fix the problem with the Web-enabled management software. The patch is available at http://www.compaq.com/support/files/server/us/download/9608.html.
If you don't take precautionary measures to secure your network devices, you are taking a risk. Change the default passwords on systems before you put them in production; don't enable services unless you have properly configured them; don't share folders unless you've set the permissions; don't enable Web sites unless you've configured proper authentication. You get the point. Take security seriously, go through the security checklists, and be overly cautious. Now, let's explore the security options ISA Server offers you as you plan and implement a security system to protect personal and/or corporate data and servers.