当前位置:首页 >

isa 转载

今天在家学习,这书这么厚,看着我就感到渺茫。 amen说现在没多少人用isa 了,也是我看各论坛上都没什么人怎么提过isa问题。今天看了看书,感觉这东西如果真像所介绍那样,到是还满可以的,那位为什么会没什么人用呢,感觉奇怪所以去google, 结果进入isaserver.org 发现了这么一篇如此经典的文章,的确值得收藏。能写出这种文章来,我对这人深感佩服。

 

One of the worst ways to start my day is to read a post like this:

"We want to install ISA Server 2004 in Web cache mode. We already have a hardware firewall so we dont need ISA in firewall mode. How can I do that?"

What makes this a painful experience is that I can’t figure out whats up with these people who want to dumb down their ISA firewalls. When you install the ISA firewall in single NIC configuration, you lose a significant amount of security the ISA firewall can provide you that complements and enhances the security your current stateful packet inspection firewall provides. While the ISA firewall will exquisitely protect itself in single NIC mode, you’re at the mercy of your stateful packet inspection firewall for network protection, which isn’t a place I’d want to be.

Its like saying "My Ferrari goes too fast; can you give me instructions on how to remove three tires to slow it down? I already have a Yugo for going fast".

The fact is that the ISA firewall is a state of the art, third generation firewall that provides both the stateful packet inspection any "hardware" firewall provides and adds to that the ISA firewalls stateful application layer inspection that traditional hardware firewalls don’t provide.

When I ask these guys what the deal is with dumbing-down their ISA firewalls, I hear stuff like:

"I feel more comfortable with a hardware firewall in front."

"I dont trust Microsoft security."

"Isnt ISA a Proxy Server?"

I feel more comfortable when I have my teddy bear in bed with me because I believe it will stop monsters from coming out of the closet, but just because it makes me comfortable doesnt mean the teddy bear is going to prevent the monsters from coming out of the closet. They usually come out regardless of the status of my Teddy Bear.

Think about it. What firewall protects more hacked networks than any other? (hint: its not the ISA firewall)

If you dont trust Microsoft security, why are you running any Microsoft software at all? Host security is as important, and arguably more important, than the network security provided by any firewall.

And no, Proxy Server 2.0 was retired years ago - the ISA firewall is a FIREWALL. And a darned good one at that.

However, its clear that many firewall "experts" and administrators are still concerned about monsters coming out of the closet, and the "hardware" firewalls are their teddy bears. While we can never turn the ISA firewall into a teddy bear, we can make it look like one for those die-hards who feel uncomfortable without a "hardware" firewall.

To this end, well go over things you can do to make your ISA firewall as dumb (and insecure) as a hardware firewall.

Install the ISA firewall in Unihomed Web Proxy Mode

Create an "All Open" Outbound Access Rule

Never Require Authentication for Outbound Access

Dont Install the Firewall Client

Dont Configure the Browsers as Web Proxy Clients

Dont Use the HTTP Security Filter

Dont Join the ISA Firewall to Your Active Directory Domain

Dumbing Down Your ISA Firewall by Installing in Unihomed Web Proxy Mode

When you install the ISA firewall in unihomed Web Proxy mode, the only host on your network that is fully firewalled by the ISA firewall is the ISA firewall itself. The unihomed ISA firewall in this configuration acts as only a forward and reverse Web proxy server. While the ISA firewall retains its firewall functionality to protect itself, youre at the mercy of your stateful packet inspection firewall for protecting the rest of your network.

Create an All Open Access Rule

Ever wonder why the level 1 techs on the other side of the phone always tell you to "open a port" even though no firewall in the world has an "Open Port" button? The reason is that "hardware" firewalls assume that youre going to let everything from everyone outbound to the Internet, so the only ports that need to be "opened" are those inbound from the Internet (there are some non-sensical assumptions about "open a port" but well talk about those issues at another time).

You can reduce your overall level of security by the ISA firewall to that you get with a hardware firewall by creating an "All Open" Access Rule on the ISA firewall. This will give all users access to all protocols when connecting to the Internet and they can remain anonymous while doing it.

Allow Only Anonymous Connections through the ISA Firewall

Speaking of anonymous connections, most hardware firewall admins will agree that authentication is such a bother. Users complain that theyre not allowed to get to certain sites when using certain protocols, while other users seemed to be allowed to do so.

That isnt fair, is it? Everyone was able to do whatever they wanted on the Internet when you had only the "hardware" firewall. This is clear evidence that theres something wrong with the ISA firewall, right? If all users can’t get to everything, then ISA must have broke something.

Fix this by making your ISA firewall like your hardware firewall, and do not force authentication on any of your ISA firewalls Access Rules.

Don’t Install the Firewall Client

The Firewall client allows network client systems protected by the ISA firewall to transparently send user credentials over an encrypted channel to the ISA firewall for authentication purposes. This enables the ISA firewall to enforce strong user/group based access control over connections made to and through the ISA firewall.

The problem is that the hardware firewall doesnt require user/group based access control. So clearly theres no reason to install the Firewall client. And if you do have a hardware firewall that allows authentication for outbound access, then install the Firewall client but dont require encryption of the channel. This will dumb the ISA firewall down so that it acts like your hardware firewalls unencrypted channel for sending usernames and passwords.

This will make things easier for everyone.

Don’t Configure the Web Browsers as Web Proxy Clients

The Web Proxy client configuration enables the Web browser to automatically send user credentials to the ISA firewall and communicate directly with the ISA firewalls Web proxy component. This enables you to obtain user/group based access control over all Web access, and at the same time, as well as benefit from the ISA firewall’s Web caching feature and squeeze out the best performance.

However, since the hardware stateful packet inspection firewall doesnt have a Web proxy component and doesn’t authenticate users, there’s no reason to enable the Web proxy configuration. You also dont want Web access to be too fast due to the Web proxy components since your hardware firewall isnt able to cache Web pages to speed up Internet access.

Don’t Configure the ISA Firewall’s HTTP Security Filter

The ISA firewall is a powerhouse stateful packet and application layer inspection firewall. One of the key stateful application layer inspection features of the ISA firewall is its HTTP Security Filter.

The HTTP Security Filter allows the ISA firewall to fully inspect virtually any aspect of an HTTP communication and block it based on the parameters of your choice. The great thing is that the block decisions are applied to allow rules, so even if you allow HTTP communications for that particular connection, if there are suspicious components of the communication, the ISA firewall will block it.

The hardware firewall doesnt have the smarts to fully inspect communications moving through it, so you want to make sure you dont configure the HTTP Security Filter on the ISA firewall. The further enables the ISA firewall to be as dumb as your stateful packet inspection-only hardware firewall.

One Last Thing…

One last thing, do NOT join the ISA firewall to your Active Directory domain.

If you joined the ISA firewall to your domain, you would be able to use the Firewall client, you would be able to use integrated authentication for outbound access to transparently send user credentials to the ISA firewall for authenticated Web access, youd be able to record applications that users use to connect to the Internet through the ISA firewall, youd be able to simplify VPN remote access client and gateway configuration, youd be able to use user certificate mapping, youd be able to simplify pre-authentication of incoming Web requests -- youd be able do these things and a lot more.

Your hardware firewall cant do any of these things, so be sure your ISA firewall is just as clueless as your "hardware" firewall and dont join the ISA firewall to the domain!

Summary

There you have it. Your ISA firewall is now just like your hardware firewall. Do you feel more secure? Do you feel like you have more control over inbound and outbound access through the ISA firewall? Do you feel that you’ve made the most of your investment in the ISA firewall software and that you’ve performed the requisite due diligence required for best network security practices and regulatory compliance?

Hopefully, all this has put in context the "security" you believe the "hardware" firewall allegedly provides your organization. While you can certainly keep your current hardware firewall and put it in front of the ISA firewall (the more layers bad guys have to go through, the better), dont fool yourself that just because you paid five times more for the "hardware" firewall, that means its even half as secure as your ISA firewall.

转载自isaserver.org. 作者Thomas Shinder


最热门文章推荐:
开启系统还原
什么是cpu
cpu检测
cpu介绍
cpu正常温度
双cpu主板
cpu工作原理
cpu的发展史
 ↓相关文章:
© 2006-2008 All Rights Reserved