【Title】: Last-minute cramming (临阵磨枪)
【Keywords】:
【Source】: http://blog.chinaunix.net/article.php?articleId=36177&blogId=5787

Last-minute cramming (临阵磨枪)


Tomorrow I take the ISA exam. My state of mind is still fine; there's nothing to fear, I have to take it sooner or later anyway.

ISA is part of the .NET product family and supports firewall, caching, and redundancy features. The .NET servers include ISA, Exchange, SQL Server, Host Integration Server, Commerce Server, BizTalk Server, and Application Center.
ISA is multi-layer: it can filter incoming and outgoing data at multiple layers of the OSI model, giving complete control over precisely which types of data to block.
Using packet and application filters, ISA can block most DoS attacks.
Two types of packet filters: stateful filters, which open holes in the firewall statically, and dynamic filters, which open and close ports as needed.
Application filters allow ISA server to perform content filtering and virus checking for incoming and outgoing data on a per-application basis.
Forward caching stores Internet content locally on the ISA server, while reverse caching stores internal web content on the ISA server; forward and reverse caching can each be configured to cache passively or actively. Passive caching determines the cached content from what clients access across a variety of Internet content. Active caching lets you determine the cached content along with the times at which ISA server should update it, based on TTL.
Caching: web caching, also called passive caching: a client requests content and it is cached on the server.
Distributed and hierarchical caching can be used to balance load among ISA servers, minimize WAN traffic, and eliminate a single point of failure. Hierarchical caching means the servers communicate with one another in an upstream chain. Distributed caching uses an array.
Network redundancy and load balancing can be attained through the use of ISA server arrays, which allow multiple ISA server machines to act as one administrative unit.

Q1: If an application uses the SOCKS protocol to communicate, that application could be running on:
Windows 2000; Mac; Unix; Linux.

Packet filtering works primarily at the network and transport layers. Packet filtering permits or denies based on service type, source and destination device, or port numbers.
TTL: the amount of idle time content remains in the cache before it is deleted.

Circuit-level filtering is also called protocol filtering; unlike packet filtering, which looks at packet details, circuit-level filtering treats the session as a whole. Access is based on applications; ports are opened based on application requests. It allows applications with no firewall or proxy support. For clients without client software, circuit-level filtering occurs with a Windows Sockets (SOCKS) filter; the drawback is that any application accessing the external network must be SOCKS 4.3a compatible. Unlike Winsock (the TCP/IP socket interface under Windows), it can support any current OS platform, including Linux, Unix, and Mac.

Application-level filtering is the most processor-intensive and sophisticated level of firewall; it allows filters addressed to individual applications and performs application-specific processing such as inspecting, modifying, screening, or blocking. There are built-in application filters such as HTTP, FTP, SMTP, SOCKS, RPC, and so on. The two application filters included with source code are DNS and POP.

NAT has universal client support, is an RFC standard, and functions without client software. SNAT allows Windows 2000 policies to be applied to ISA; SNAT works at the network and transport layers. In summary, SNAT is true client transparency, allowing application security to be applied not just to client software communication.

Integration with Windows 2000, AD storage, and tiered policy management are Enterprise edition only.
Packet-level intrusions: ping of death (ICMP echo request). All-port scan. Enumerated port scan, checking which services are running. IP half scan, finding open ports and services while avoiding detection. UDP bomb, UDP packets that result in corrupted data in certain fields. Land, establishing a session where the source and destination IP address and port number are identical. Out of band, sending out-of-band data as a DoS.
Application-level intrusions: POP buffer overflow, gaining root-level access to the POP server by overflowing an internal buffer. DNS hostname overflow. DNS length overflow, IP length exceeded. DNS zone transfer from privileged ports, i.e. zone transfer from ports below 1024. DNS zone transfer from high ports.
Hardware requirements: 256 MB RAM, Pentium II 300 MHz, 2 GB disk, 2 network cards.

Before installing ISA, you must configure TCP/IP and bind it to at least one network card. Rename the network cards.
Reviewing OSI again, hopefully for the last time. Application. Presentation: formats data passed between computers. Session: maintains sessions. Transport: assigns ports and adds session data (segment). Network: packet or datagram. Data link: LLC + MAC; the cyclic redundancy check ensures an application running at layer 7 doesn't receive corrupted data. Physical: bits.
TCP/IP model: Transport: TCP or UDP (best-effort delivery), otherwise ICMP. ICMP responses include: destination unreachable, the packet is undeliverable. Echo and echo reply, identify connectivity between two network devices. Parameter problem, a host or transit router identified an error in the packet header. Redirect, notifies the host that the packet was redirected. Source quench, slow the sending rate when packets arrive too quickly. TTL exceeded, notifies the source device that the packet's TTL expired. Internet layer: where every network device receives a logically configured IP address used for network communication. Data/physical layer: PPP, SLIP.
Asynchronous Transfer Mode (ATM): an extremely fast packet-switched WAN solution that transfers data using fixed-size packets called cells.
Channel service unit/data service unit (CSU/DSU): a network device similar to a modem, required to interface with a service provider for T1 and T3 connections. The CSU performs diagnostic functions and the DSU provides the physical interface.
Committed information rate: a specified amount of guaranteed bandwidth on a frame relay service.
Data link connection identifiers (DLCIs): unique identifiers for virtual circuits in a frame relay WAN, similar to the MAC address on LANs.
LAN emulation (LANE): ATM technology that allows an Ethernet or token ring LAN to treat the ATM network as another LAN subnet.
Local access rate: the maximum speed allowable from the physical frame relay connection.
Synchronous optical network (SONET): a defined standard for connecting fiber optic transmission systems at the physical layer.

ISA is licensed on a per-processor basis.
Before installing ISA, reassign ports 80 and 8080 in IIS because ISA takes control of those ports. Also update the Active Directory schema using the ISA Server Enterprise Initialization tool.

Windows 2000 fundamentals:
Processors: 4; 8; 32. Memory: 4; 8; 64. Advanced Server and Datacenter Server support clustering. MMC (.msc files): there are 2 general modes in MMC. Author mode allows the admin to change the console; this mode gives complete control over adding and removing snap-ins. User mode: full access; limited access, multiple windows; limited access, single window. "Do not save changes" will prevent the user from changing the console. The only way to prevent changes to customized consoles is to remove the NTFS write permission from the .msc file.
Rights assignment: deny always takes precedence.
NTFS permissions: by default, all users have Full Control over all files on all hard disks.

Protocol analysis helps accurately estimate the amount of network traffic generated prior to making a network connection to a host.
Company management.
Technical expertise of your client.
Recording network availability: identify critical network components and find ways to make them fault tolerant. Finding the cost per hour of network outages supplies you with facts to take to management. Finding data on network failures illuminates the problem areas to keep under surveillance.
Network baseline: a chart of the current levels of network traffic and client performance.

WAN topologies:
Leased lines: a point-to-point connection. Packet switching: shares a common pool of network bandwidth and uses virtual circuits to provide end-to-end connectivity. Circuit switching: a dedicated circuit path must exist between sender and receiver for the duration of the call. POTS is circuit switching, ISDN is circuit switching, frame relay is packet switching.
ISA hardware considerations: up to 500 users, 300 MHz, 256 MB RAM, 2-4 GB; 1000 users, 550 MHz, 256 MB, 10 GB; more than 1000 users, two 550 MHz computers with 256 MB and 10 GB each.

Upgrading from Proxy Server: domain filters become site and content rules; Winsock permission settings become protocol rules; publishing properties become web publishing rules; static packet filtering becomes open or blocked IP packet filters; web proxy routing rules become routing rules.

ISA default settings: Access control: ISA server grants all access requests by default.
Alerts: all alerts are active except all-port scan attack, dropped packets, protocol violation, and UDP bomb attack. Caching: cache size is set to the size specified during setup. Enterprise policy setting: a new array adopts the default enterprise policy. Local address table. Packet filtering: in firewall or integrated mode packet filtering is enabled by default; in cache mode it is disabled. Publishing: disabled by default. Routing: ISA retrieves all web client requests directly from the Internet. User permissions: on a stand-alone server, only members of the Administrators group can configure policies; in an array, members of Domain Admins and Enterprise Admins can configure them.

Re-running the CD offers: add/remove; reinstall; remove all.
Unattended install file: msisaund.ini
LAT: the list of all internal LAN IP addresses.
Array policy can never overrule enterprise policy to grant more access; it can only make the policy more restrictive. Server policy is implemented only on a stand-alone ISA server; enterprise and array policies do not affect stand-alone ISA servers.

Use array policy only: the array policy restricts the enterprise policy.
Use enterprise policy: the default enterprise rules apply to all ISA servers in AD.
Allow array-level access policy rules that restrict enterprise policy: define lower-level array policies that further restrict the enterprise-level policy for individual network segments.
Allow publishing rules: create web server publishing rules on a per-array basis rather than allowing only enterprise-wide publishing rules.
Force packet filtering on the array: have every ISA server in the array use packet filtering configured through the firewall service.

Enterprise policy is made up of site and content rules and protocol rules, which define which network users can access a given Internet or intranet destination (site rule), the type of content they can access (content rule), and what protocol they can use to reach the destination (protocol rule). An array can't be affected by more than one enterprise policy.

Policy elements define the criteria used when deciding to allow or deny a client inbound or outbound access to the LAN or Internet. Standard policy elements are independent of each other. Policy elements are always used with rules and have no functionality on their own. The enterprise level contains all array-level elements except 2. Schedule policy elements define time boundaries. Bandwidth priorities (array only). Destination sets define network devices accessed on the local or remote network (destination; IP address; path). Client address sets define the clients that can access through ISA. Protocol definitions define the TCP and UDP sub-protocols ISA can use. Content groups define valid file name extensions and MIME types. Dial-up entries (array only) configure dial-up connections from ISA to an ISP or remote network.

Once the policy elements are configured, configure the rules, based on corporate policies.
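As an added example (not from the original post), here is a small Python model of the tiering described above: enterprise rules built from policy elements, an array policy that can only restrict them, and a stand-alone server policy. The Request fields, rule names, subnets and hosts are constructed for illustration and are not ISA's object model.

```python
"""Tiered ISA-style policy model from the notes above: enterprise policy sets the
ceiling and an array policy can only restrict it. Added example; the rule, element
and request fields are constructed for illustration, not ISA's object model."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Set

@dataclass(frozen=True)
class Request:
    client_ip: str
    destination: str      # host name the client asked for
    protocol: str         # protocol definition name, e.g. "http"
    content_type: str     # MIME type, matched against content groups
    hour: int             # hour of day 0-23, matched against schedule elements

@dataclass
class Rule:
    """Site/content or protocol rule built from policy elements; None means 'any'."""
    name: str
    action: str                                  # "allow" or "deny"
    destination_set: Optional[Set[str]] = None   # destination set element
    client_address_set: Optional[str] = None     # client address set element (CIDR)
    protocols: Optional[Set[str]] = None         # protocol definition elements
    content_group: Optional[Set[str]] = None     # content group element
    schedule: Optional[range] = None             # schedule element (hours of day)

    def matches(self, r: Request) -> bool:
        return (
            (self.destination_set is None or r.destination in self.destination_set)
            and (self.client_address_set is None
                 or ip_address(r.client_ip) in ip_network(self.client_address_set))
            and (self.protocols is None or r.protocol in self.protocols)
            and (self.content_group is None or r.content_type in self.content_group)
            and (self.schedule is None or r.hour in self.schedule)
        )

def evaluate(rules, r):
    """One policy tier: any matching deny wins; otherwise a matching allow is required."""
    matched = [x for x in rules if x.matches(r)]
    if any(x.action == "deny" for x in matched):
        return "deny"
    return "allow" if any(x.action == "allow" for x in matched) else "deny"

def effective_decision(enterprise, array, mode, r):
    """mode: 'enterprise' (enterprise rules only), 'enterprise_plus_array' (array may
    further restrict but never grant), or 'standalone' (server policy only)."""
    if mode == "standalone":
        return evaluate(array, r)
    decision = evaluate(enterprise, r)
    if mode == "enterprise" or decision == "deny":
        return decision
    # Only array deny rules are consulted: an array allow cannot widen enterprise policy.
    return "deny" if any(x.action == "deny" and x.matches(r) for x in array) else "allow"

# Constructed enterprise policy: web browsing in office hours, no binary downloads.
ENTERPRISE = [
    Rule("Web in office hours", "allow", protocols={"http", "https"}, schedule=range(8, 18)),
    Rule("No binary downloads", "deny", content_group={"application/octet-stream"}),
]
# Constructed array policy: one further restriction, and one allow that must be ignored.
ARRAY = [
    Rule("Lab subnet: no video site", "deny", client_address_set="10.1.0.0/16",
         destination_set={"video.example.com"}),
    Rule("FTP for lab (cannot widen)", "allow", protocols={"ftp"}),
]

def demo(mode="enterprise_plus_array"):
    requests = [
        Request("10.1.2.3", "www.example.com", "http", "text/html", 10),
        Request("10.1.2.3", "ftp.example.com", "ftp", "text/plain", 10),
        Request("10.1.2.3", "video.example.com", "http", "text/html", 10),
        Request("10.2.2.3", "video.example.com", "http", "text/html", 10),
        Request("10.2.2.3", "www.example.com", "http", "application/octet-stream", 10),
        Request("10.2.2.3", "www.example.com", "http", "text/html", 22),
    ]
    return [effective_decision(ENTERPRISE, ARRAY, mode, r) for r in requests]
```

The second request shows the array's FTP allow being ignored, and the third shows the array restricting a request the enterprise policy permits.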

Choosing firewalls: standard firewall, 1 server with 2 cards. Three-homed server, 1 server with 3 or more cards. Dual-homed server, 2 servers with 2 or more cards. The dual firewall provides the same advantage as three-homed with one enhancement: the single point of failure is eliminated.
Securing ISA, 3 levels: dedicated (hisec templates), used only as a firewall. Limited services (secure templates), used as a firewall and cache server in integrated mode, or as a firewall and a DC (not recommended). Secure (basic templates), use this setting if the ISA server performs other roles such as running web, email, or FTP servers.

Packet filtering vs. IP routing.
Use packet filtering in these situations: applications running on the ISA server computer; protocols other than TCP and UDP; services running on the ISA server computer; routing between networks not included in the LAT.
Use IP routing for: IP protocols other than TCP and UDP; routing between networks not included in the LAT. Packet filtering decides on: source IP address and port number; destination IP address and port number; IP protocol information. Allow or deny. Static packet filtering and dynamic packet filtering. Default packet filters.
Remember: packet filtering disabled with IP routing enabled is not a configuration available through ISA.

Packet filtering: allow or deny based on 3 criteria: source IP address and port number; destination IP address and port number; IP protocol information. Packet filtering can be configured as static or dynamic. There are 7 default packet filters, only 6 of which are active by default. The DHCP client filter isn't enabled by default. The other 6 are: DNS filter; ICMP outbound; ICMP ping response; ICMP source quench; ICMP timeout in; ICMP unreachable in. aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa Why is it like this? There is too much to memorize; I can't remember it all.

By default ISA logs only packets that activate a deny packet filter. You can log allowed packets through the global properties.
The FTP filter is designed to give SNAT clients FTP access beyond the public network; because SNAT clients can't open secondary ports for applications, the FTP filter detects the request and dynamically opens the port that FTP requires.
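The packet filter behaviour in these notes, as an added Python model that is not part of the original post: the seven default filters (six active, DHCP client disabled), deny by default with only denied packets logged unless allowed logging is turned on, and a dynamic filter opened and closed the way the FTP filter does for SNAT clients. The Packet layout, the Filter objects and the sample addresses are assumptions made for the example.

```python
"""ISA-style packet filter model from the notes above: static filters that stay open,
dynamic filters opened and closed on demand (as the FTP filter does for SNAT clients),
deny by default, denied packets logged unless allowed logging is enabled. Added example."""
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Packet:
    proto: str                      # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: Optional[int] = None     # None for ICMP
    dport: Optional[int] = None
    icmp_type: Optional[int] = None
    direction: str = "in"           # "in" from the external network, "out" toward it

@dataclass
class Filter:
    name: str
    action: str                     # "allow" or "deny"
    proto: str
    direction: str
    dport: Optional[int] = None     # None matches any port
    icmp_type: Optional[int] = None # None matches any ICMP type
    static: bool = True             # static: stays open; dynamic: opened/closed as needed
    enabled: bool = True

    def matches(self, p: Packet) -> bool:
        return (self.enabled and p.proto == self.proto and p.direction == self.direction
                and (self.dport is None or p.dport == self.dport)
                and (self.icmp_type is None or p.icmp_type == self.icmp_type))

# The seven default filters from the notes: six active, the DHCP client filter disabled.
# ICMP types: 0 echo reply, 3 unreachable, 4 source quench, 11 time exceeded (standard values).
DEFAULT_FILTERS = [
    Filter("DNS filter", "allow", "udp", "out", dport=53),
    Filter("ICMP outbound", "allow", "icmp", "out"),
    Filter("ICMP ping response", "allow", "icmp", "in", icmp_type=0),
    Filter("ICMP source quench", "allow", "icmp", "in", icmp_type=4),
    Filter("ICMP timeout in", "allow", "icmp", "in", icmp_type=11),
    Filter("ICMP unreachable in", "allow", "icmp", "in", icmp_type=3),
    Filter("DHCP client", "allow", "udp", "in", dport=68, enabled=False),
]

class PacketFilter:
    def __init__(self, filters, log_allowed=False):
        self.filters = list(filters)          # copy, so dynamic changes stay local
        self.log_allowed = log_allowed        # default: only denied packets are logged
        self.log = []                         # (decision, filter name, proto, dst, dport)
    def open_dynamic(self, name, proto, direction, dport):
        # What an application filter does: open a port only while the session needs it.
        f = Filter(name, "allow", proto, direction, dport=dport, static=False)
        self.filters.append(f)
        return f
    def close_dynamic(self, f):
        self.filters.remove(f)
    def check(self, p: Packet) -> str:
        decision, hit = "deny", "default deny"   # nothing matched: packet is dropped
        for f in self.filters:
            if f.matches(p):
                decision, hit = f.action, f.name
                break
        if decision == "deny" or self.log_allowed:
            self.log.append((decision, hit, p.proto, p.dst, p.dport))
        return decision

def demo():
    pf = PacketFilter(DEFAULT_FILTERS)
    ext, isa = "198.51.100.1", "203.0.113.2"   # constructed: external host, ISA external NIC
    results = [
        pf.check(Packet("udp", "10.0.0.5", ext, 1025, 53, direction="out")),  # DNS out: allow
        pf.check(Packet("icmp", ext, isa, icmp_type=0)),                     # echo reply in: allow
        pf.check(Packet("icmp", ext, isa, icmp_type=8)),                     # echo request in: no filter
        pf.check(Packet("udp", ext, isa, 67, 68)),                           # DHCP reply: filter disabled
    ]
    data = pf.open_dynamic("FTP data (dynamic)", "tcp", "in", 50123)  # FTP filter opens data port
    results.append(pf.check(Packet("tcp", ext, isa, 20, 50123)))       # allowed while open
    pf.close_dynamic(data)
    results.append(pf.check(Packet("tcp", ext, isa, 20, 50123)))       # closed again: deny
    return results, pf.log
```

The fourth packet is the DHCP lease case from the troubleshooting notes: it is dropped until the DHCP client filter is enabled.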
SMTP filters: based on attachments; users/domains; keywords.
Streaming media filter: the media protocols allowed in ISA are Microsoft Windows Media (WMS), Progressive Networks protocol (PNM), and Real Time Streaming Protocol (RTSP).
H.323 filter: allows any H.323-based conferencing application.
HTTP redirector: allows redirecting requests from firewall and SNAT clients to the web proxy service. Note that the HTTP redirector can't redirect authentication information; if authentication is required for the proxy, then firewall and SNAT clients are unable to pass through. The options are: redirect to the local web proxy service (default); if the local service is unavailable, redirect requests to the requested web server; send to the requested web server, which keeps SNAT and firewall clients from being routed through the proxy and also disables caching features for non-web-proxy clients; reject HTTP requests from firewall and SNAT clients.

ISA cache size defaults to 50% and can be configured up to 80-90% for dedicated caching only. The default time limit is 60. HTTP and FTP caching. In HTTP caching, "Normally" is the default policy, with the best performance in most situations. "Less frequently" mode increases the amount of time that objects are kept. "Set time to live of object in cache to" is the mode chosen when none of the others meet your needs. With Normally and Less frequently the TTL is grayed out; TTL can be set only in the last option.

Active caching: ISA monitors frequently accessed files in the web cache and automatically refreshes content before the TTL expires. Active caching has 3 options. Frequently causes ISA to connect and update popular cached files. Normally: objects are updated frequently but ISA also takes bandwidth into account; this option is the most widely chosen. Less frequently: ISA refreshes cached objects occasionally but is primarily concerned with network performance. Active caching refreshes content more during periods of low bandwidth and processor use.

When system usage is low, ISA copies multiple objects from RAM to disk, based on the popularity of the objects. This process is also called a batch update. Periodically ISA backs up the entire cache directory in RAM to disk.
HTTP code 200: success message. 204: no response. 404: page not found. Negative caching enables caching of HTTP error messages.
Scheduled content download allows downloading specified web sites at scheduled times. Active and scheduled caching are also called cache prefetching.

ISA uses CARP for arrays.
Retrieve them directly from the specified destination: ISA downloads web pages in the standard fashion.
Route to a specific upstream server: send the request to an ISA server machine or ISA array for retrieval.
Redirect to: allows redirecting the request to another web site or internal web server.
No limit on maximum depth: hundreds of content items would be downloaded.
ISA creates one cache file per hard disk partition.

Publishing policy: what ISA uses to process requests for internal resources. Web publishing is for HTTP, HTTPS, and FTP. Server publishing is for all other internal servers. ISA treats internal servers as SNAT clients; the firewall client shouldn't be installed on any published server. Reverse proxy: caches internal web sites for external users.
ISA allows publishing any type of internal server by creating a publishing policy. Published internal servers are treated as SNAT clients.
Publishing on ISA:
   Advantages: low-cost solution; all network services are centralized in one location, allowing easy backup and administration. Internal clients and servers gain security since packet filters allow access only to the ISA server itself.
   Disadvantages: performance decreases for all network services running on ISA, including caching and firewall features; single point of failure for all network services; defeats the purpose of caching services; security is compromised, and for all local network services too.
Basic firewall:
   Advantages: low cost; ISA is dedicated to caching and firewall, resulting in high performance.
   Disadvantages: network traffic increases on the internal network; since ISA is on a directly connected network, the internal network has a security risk.
Three-homed:
   Advantages: network traffic is eliminated from the internal network; same price as above.
   Disadvantages: same as the two above.
Dual:
   Advantages: increased security for the internal network; additional secure publishing options; all advantages of three-homed.
   Disadvantages: most expensive.
Protocol redirection allows routing HTTP and SSL requests as a different protocol.
Publishing mail servers: ISA can publish any mail server that supports the SMTP protocol. Then configure the Message Screener, which allows using the SMTP application filter features to analyze SMTP traffic. ISA communicates with the Message Screener through DCOM: dcomcnfg.exe, VendorData class, set permissions.
For other types of servers, use generic server publishing.

H.323
A multimedia protocol that includes voice, video, and data conferencing for use over packet-switched networks,
whether the Internet or the public switched telephone network; together they form one global network.
H.323 components:
Terminal: client endpoints on the LAN with real-time two-way communication.
Gateways: interface H.323 to other networks such as the PSTN, H.320 ISDN, and so on.
Gatekeepers: provide address resolution, access control, and bandwidth control.
Multipoint control unit: supports conference calls between three or more terminals.
For NetMeeting gatekeepers, remember the IP is ISA's internal interface or its DNS hostname.
Note: do not use dashes or spaces when entering the NetMeeting phone number.
Routes can be set based on email addresses or IPs.

The Local VPN wizard creates a VPN configuration settings (.vpc) file containing all settings for the remote VPN server.
Note: when ISA is configured to use IPsec/L2TP, the IPsec driver is enabled on ISA; both Authentication Header and Encapsulating Security Payload are controlled by the IPsec driver, not by the packet filter driver on ISA.

Configuring SNAT clients: since SNAT clients do not authenticate to ISA, filtering can only be based on the IP address or hostname of the source and destination devices. User and group restrictions do not apply to SNAT clients; rules applied to SNAT clients can only be based on IP or web site, not on username. SNAT client configuration needs no client installation and can easily be done through DHCP: point the client's default gateway at the ISA server to complete the client configuration. SNAT clients support all TCP/IP sub-protocols.
Web proxy clients: the browser must be 1.1 compatible. Since web proxy redirection applies only to the web browser itself, web proxy clients support only the HTTP, HTTPS, and FTP protocols, plus a few media streaming applications. The web proxy must be manually configured on each machine. Gains all the speed benefits of the caching services. Restrictions cannot be based on user or group membership.
Auto configuration script for proxy clients:
Provides fault tolerance on a single failure; load balancing; server changes; CARP.
Auto discovery of web proxy clients:
Allows IE to dynamically locate the ISA server machine anywhere on the network rather than requiring manual configuration, which makes moving clients around easy. When the web browser starts, it queries a DHCP or DNS server to find the ISA server machine; the answer is returned through the web proxy auto discovery entry in either database. The browser then accesses the Internet without user attention.
WPAD must be configured as an entry on the DNS and DHCP servers.

Firewall clients:
The firewall client is not supported on non-Windows platforms. Restrictions can be created based on usernames and group membership. Supports all TCP- and UDP-based applications only; needs software installation on all client machines. Versions before Windows 95 can't install the firewall client.
Chkwsp32.exe: a DOS app showing the status of the connection. Firewallc.txt: log of the firewall client installation. Mpcver.txt: version of the firewall client installed. Mspclnt.ini: all firewall client configuration settings. Msplat.txt: a copy of the ISA server's LAT. Setupbin: all setup files for the installation.

Monitoring:
Choosing the type of information to collect: alerts; performance trends; security trends.
Determining the most critical information.
Documenting strategy: a baseline record of network activity during normal operations.
Developing an emergency response strategy.
Creating a schedule for reviewing and archiving log files.

The intrusion detection system allows you to generate log files and create trigger events.
Network layer attacks:
All-port scan; enumerated port scan, an attempt to see which services are running; IP half scan, finds open ports and services while avoiding detection; land attack, establishes a session in which the source and destination IP and port are identical; ping of death, ICMP echo that overflows buffers.
Application layer attacks: DNS hostname overflow; DNS length overflow (IP length); DNS zone transfer from privileged ports and from high ports; POP buffer overflow; UDP bomb, corrupt data; Windows out-of-band attack, DoS.

By default ISA logs the event to the Event Viewer and continues to run normally.

Logging:
Logs can be based on 3 different areas: packet filter logs, which record packets passing through ISA; firewall service logs, access attempts of internal clients; web proxy service logs, access attempts of internal clients using the web proxy service.
Formats are: ISA format; ODBC format; W3C format. By default, logging for all 3 services is enabled in the W3C format.
Once a report job is created, reports can be viewed from any browser. The options are: summary, a set of reports illustrating network traffic usage sorted by application; web usage, displays the top web users, common HTTP responses, and object types; application usage, Internet application usage; traffic and utilization, total Internet usage by application, protocol, and direction; security, attempts to breach network security.
ISA monitor: ISA bandwidth control, ISA server cache, ISA server firewall service, ISA packet filter, ISA server web proxy service.

Testing: telnet to test open TCP ports on ISA. Netstat to view open TCP/IP connections.
Troubleshooting:
ISA fails to start after installation for the following reasons: not enough memory; the IP address of the internal NIC is not included in the LAT.
ISA can't renew a DHCP lease after installation: DHCP addresses are obtained through a UDP broadcast, and by default ISA blocks all UDP ports. Enable the DHCP client packet filter, which is disabled by default.
Caching problems: 100 MB + 0.5 MB per user = minimum cache storage.
Web proxy service fails to start: delete and recreate the cache storage drives, clearing the currently cached files. ISA stores all cached content in .cdat files. A new .cdat file is created for every 10 GB of cache storage space required.
Cached websites are not available offline: enabling ISA to cache dynamic content typically solves the problem.
Cache initialization failure: happens when you chose all available hard disk space on a partition when installing ISA server. Resize the cache space to account for remaining free disk space.
Clients can't use a non-TCP or non-UDP protocol: the problem is discovered when a client can't ping external hosts, since it is stuck on the ICMP protocol. To allow other protocols, you must enable IP routing on the ISA server.
A user is granted access although a site and content rule explicitly denies access: fix by choosing not to enable anonymous web access, or by creating rules based on non-authentication criteria.
Clients can still access a protocol after a rule is disabled: the problem is that the internal user's FTP session never disconnected; have the user abort the current FTP session.
A client can't connect directly to the Internet: by design the firewall client redirects all outgoing requests from the client to the ISA server; disable the firewall client.
A client web browser can't authenticate: happens if you use a non-Microsoft web browser such as Netscape or Mosaic. ISA server authentication methods are basic, digest, integrated Windows, and client certificate; if ISA is configured to support only integrated Windows, non-Microsoft web browsers will be unable to authenticate to ISA and users will be denied access.
Firewall client connections are slow to connect, cannot connect, or can't reach intranet servers: the problem happens when a client attempts to access a web server and the external DNS server is unavailable, or when a firewall client attempts to access a server on the intranet. Cause: the external DNS server does not have a mapping to the intranet server, so the request fails, or it returns the external IP address. Solve by configuring one or more internal DNS servers that contain valid records for every intranet server; once the internal DNS server is set up, configure all firewall clients to use that server for DNS name resolution.
 
