Identity Management and Security Summit - Security Session 2
Jamie Sharp, CISSP, Security Consultant, Microsoft Services
(Transcript posted 19-Dec-2015, category: Documents)
Agenda
• Wireless
• VPN
• Perimeter
• Call to Action
Wireless
• Huge fear of wireless
  • Rooted in misunderstandings of security
• Wireless can be made secure
  • Takes work
  • Need to understand the problem
  • Need to plan for a secure solution
Current Situation
• Wireless antennas
  • How To Build A Tin Can Waveguide Antenna: http://www.turnpoint.net/wireless/cantennahowto.html
  • Antenna on the Cheap (er, Chip): http://www.oreillynet.com/cs/weblog/view/wlg/448
WEP - Wired Equivalent Privacy
• Secret key shared between access point and all clients
• Encrypts traffic before transmission
• Performs integrity check after transmission
• WEP uses RC4, a stream cipher: [key] XOR [plaintext] = [ciphertext]
• Maybe double-XOR for “better” security? Hah! [ciphertext] XOR [key] = [plaintext]
WEP Issues
• Key and initialisation vector reuse
• Known plaintext attack
• Partial known plaintext attack
• Weaknesses in RC4 key scheduling algorithm
• Authentication forging
• Realtime decryption
• More information: http://www.isaac.cs.berkeley.edu/isaac/wep-faq.html
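As an added example, not from the deck: a Python model of the two slides above. It seeds RC4 WEP-style (the 24-bit IV prepended to the shared key) to show that the “double-XOR” is simply decryption, that a reused IV makes the keystream cancel out across two packets so one predictable packet exposes the other, and how soon a random 24-bit IV repeats. The key and packets are constructed values.

```python
import math

# Constructed 104-bit shared key for the demonstration (not a real network's key).
WEP_KEY = bytes.fromhex("0123456789abcdef0123456789")


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Plain RC4: key-scheduling algorithm (KSA), then the output generator (PRGA)."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """WEP seeds RC4 with the 3-byte IV prepended to the shared key; the IV is sent in clear."""
    if len(iv) != 3:
        raise ValueError("WEP uses a 24-bit IV")
    return xor_bytes(plaintext, rc4_keystream(iv + key, len(plaintext)))


# Decrypting is the same XOR with the same keystream, so a "double-XOR" is just decryption.
wep_decrypt = wep_encrypt


def keystream_from_known_plaintext(plaintext: bytes, ciphertext: bytes) -> bytes:
    """One packet with predictable content exposes the keystream for its IV; no key needed."""
    return xor_bytes(plaintext, ciphertext)


def iv_collision_probability(packets: int, iv_space: int = 2 ** 24) -> float:
    """Birthday bound: probability that at least one IV repeats among `packets` random IVs."""
    log_no_repeat = 0.0
    for k in range(packets):
        log_no_repeat += math.log1p(-k / iv_space)
    return 1.0 - math.exp(log_no_repeat)


def iv_reuse_demo() -> dict:
    """Two packets under one IV: the keystream cancels and one known packet decrypts the other."""
    iv = b"\x00\x00\x01"
    p1 = b"GET /index.html HTTP/1.0\r\n"  # constructed, predictable header (known plaintext)
    p2 = b"GET /login.html HTTP/1.0\r\n"  # constructed, the packet that should stay secret
    c1 = wep_encrypt(WEP_KEY, iv, p1)
    c2 = wep_encrypt(WEP_KEY, iv, p2)
    keystream = keystream_from_known_plaintext(p1, c1)
    return {
        "double_xor_is_decrypt": wep_decrypt(WEP_KEY, iv, c1) == p1,
        "ciphertext_xor_equals_plaintext_xor": xor_bytes(c1, c2) == xor_bytes(p1, p2),
        "recovered_p2": xor_bytes(c2, keystream),
        "repeat_after_10000_packets": iv_collision_probability(10_000),
    }
```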
Solution Today - 802.1X
• Port-based access control mechanism defined by IEEE
• Works on anything, wired and wireless
  • Access point must support 802.1X
  • No special WIC requirements
• Allows choice of authentication methods using EAP
  • Chosen by peers at authentication time
  • Access point doesn’t care about EAP methods
• Manages keys automagically
  • No need to preprogram WICs
Solution Today - EAP
• Link-layer security framework
  • Simple encapsulation protocol for authentication mechanisms
  • Runs over any link layer, lossy or lossless
• No built-in security
  • Doesn’t assume physically secure link
  • Authentication methods must incorporate their own security
• Supported authentication methods
  • TLS: authentication server supplies certificate
  • IKE: server demonstrates possession of preshared key or private key (certificate)
  • Kerberos: server demonstrates knowledge of session key
  • PEAP: any pluggable method supporting mutual authentication
AuthN Supported in Windows
• EAP-MD5 disallowed for wireless
  • Can’t create encrypted session between supplicant and authenticator
  • Would transfer password hashes in the clear
  • Cannot perform mutual authentication
  • Vulnerable to man-in-the-middle attacks
• EAP-TLS in Windows XP release
  • Requires client certificates
  • Best to have machine and user
• Service pack 1 adds protected EAP (PEAP)
Protected EAP (PEAP)
• Extension to EAP
  • Allows use of any secure authentication mechanism for EAP
  • No need to write individual EAP-enabled methods
• Windows PEAP allows:
  • MS-CHAPv2: passwords
  • TLS (SSL channel): certificates; PEAP-EAP-TLS a little slower than EAP-TLS
  • SecurID, but not tested/supported for wireless
• For many deployments, machine and user passwords still are necessary
• PEAP enables secure wireless now
  • Allows easy migration to certificates and smartcards later
Clarifying Terminology
• 802.11 is the specification for over-the-air wireless networks
• 802.1X is a PHY-independent specification for port-based access control
• Combining them makes sense
• There is no such thing as 802.11X
  • But there is work on something called 802.11i
Association and Authentication
• The 802.11 association happens first
  • Need to talk to the AP and get an IP address
  • Open authentication—don’t have the WEP key yet
• Access beyond AP prohibited until authN succeeds
  • AP drops non-EAPOL traffic
  • After key is sent in EAPOW-key, access beyond AP is allowed
• Security conversation between supplicant and authentication server
  • Wireless NIC and AP are passthrough devices
802.1X over 802.11
Message sequence between Supplicant, Authenticator (access point) and Authentication Server:
  1. Supplicant <-> Authenticator: 802.11 association (access blocked)
  2. Supplicant -> Authenticator: EAPOL-start
  3. Authenticator -> Supplicant: EAP-request/identity
  4. Supplicant -> Authenticator: EAP-response/identity
  5. Authenticator -> Authentication Server: RADIUS-access-request
  6. Authentication Server -> Authenticator: RADIUS-access-challenge
  7. Authenticator -> Supplicant: EAP-request
  8. Supplicant -> Authenticator: EAP-response (credentials)
  9. Authenticator -> Authentication Server: RADIUS-access-request
  10. Authentication Server -> Authenticator: RADIUS-access-accept
  11. Authenticator -> Supplicant: EAP-success
  12. Authenticator -> Supplicant: EAPOW-key (WEP) (access allowed from here on)
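The exchange in the diagram above, as an added example that is not part of the original deck: a Python simulation of supplicant, authenticator and authentication server in which the access point relays EAP to RADIUS and drops everything except EAPOL until it has sent EAPOW-key. The user table and the HMAC challenge/response (a stand-in for a real EAP method) are constructed.

```python
import hashlib
import hmac
import os

# Constructed user table for the authentication server (example data, not a real directory).
USERS = {"alice": b"correct horse battery staple"}


class AuthenticationServer:
    """RADIUS role: issue a challenge, verify the response, then accept or reject."""

    def __init__(self, users):
        self.users = users
        self.pending = {}  # identity -> outstanding challenge nonce

    def access_request(self, identity, response=None):
        if response is None:  # first access-request carries only the identity
            nonce = os.urandom(16)
            self.pending[identity] = nonce
            return "RADIUS-access-challenge", nonce
        nonce = self.pending.pop(identity, None)
        secret = self.users.get(identity)
        if nonce is not None and secret is not None and hmac.compare_digest(
            hmac.new(secret, nonce, hashlib.sha256).digest(), response
        ):
            return "RADIUS-access-accept", os.urandom(13)  # per-session 104-bit WEP key
        return "RADIUS-access-reject", None


class Authenticator:
    """Access point role: relays EAP to RADIUS; the port stays blocked until EAPOW-key is sent."""

    def __init__(self, server, trace):
        self.server, self.trace = server, trace
        self.port_open, self.identity = False, None

    def receive(self, kind, payload=None):
        self.trace.append(f"supplicant -> AP: {kind}")
        if not kind.startswith("EAP") and not self.port_open:
            self.trace.append(f"AP dropped {kind}: access blocked")
            return "dropped", None
        if kind == "EAPOL-start":
            return self._reply("EAP-request/identity", None)
        if kind == "EAP-response/identity":
            self.identity = payload
            _, nonce = self._radius(payload)
            return self._reply("EAP-request (challenge)", nonce)
        if kind == "EAP-response (credentials)":
            msg, key = self._radius(self.identity, payload)
            if msg != "RADIUS-access-accept":
                return self._reply("EAP-failure", None)
            self._reply("EAP-success", None)
            reply = self._reply("EAPOW-key (WEP)", key)
            self.port_open = True  # access beyond the AP is allowed only from here on
            return reply
        return "forwarded", payload  # ordinary traffic on an authenticated port

    def _radius(self, identity, response=None):
        self.trace.append("AP -> server: RADIUS-access-request")
        msg, data = self.server.access_request(identity, response)
        self.trace.append(f"server -> AP: {msg}")
        return msg, data

    def _reply(self, kind, payload):
        self.trace.append(f"AP -> supplicant: {kind}")
        return kind, payload


def run_exchange(identity, password):
    """Drive the slide's sequence from the supplicant side; returns (trace, port open?, key)."""
    trace = ["802.11 association"]
    ap = Authenticator(AuthenticationServer(USERS), trace)
    ap.receive("DATA (before authentication)")  # dropped: only EAPOL passes a blocked port
    ap.receive("EAPOL-start")
    _, nonce = ap.receive("EAP-response/identity", identity)
    # Stand-in for an EAP method's credential proof (not MS-CHAPv2 or EAP-TLS).
    proof = hmac.new(password, nonce, hashlib.sha256).digest()
    _, key = ap.receive("EAP-response (credentials)", proof)
    ap.receive("DATA (after authentication)")  # forwarded only if EAP-success was reached
    return trace, ap.port_open, key


if __name__ == "__main__":
    for line in run_exchange("alice", b"correct horse battery staple")[0]:
        print(line)
```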
802.1X & EAP Provides
• Mutual device authentication
  • Workstation and authentication server
  • No rogue access points
  • Prevents man-in-the-middle attacks
  • Ensures key is transferred to correct entity
• User authentication
  • No unauthorized access or interception
• WEP key uniqueness and regeneration
System Requirements
• Client: Windows XP service pack 1
• Server: Windows Server 2003 IAS
  • Internet Authentication Service—our RADIUS server
  • Certificate on IAS computer
• Backporting to Windows 2000
  • Client and IAS must have SP3
  • No zero-config support in the client
  • See KB article 313664
  • Supports only TLS and MS-CHAPv2
  • Future EAP methods in XP and 2003 might not be backported
WPA - An Interim Until 802.11i
• Goals
  • Require secure networking
  • Solve WEP issues with software and firmware upgrades
  • Provide secure wireless for SOHO (no RADIUS needed)
  • Be forward compatible with 802.11i
  • Be available today
• WPA Wireless Security Update in Windows XP: http://support.microsoft.com/?kbid=815485
The Future - 802.11i
• IEEE is working on 802.11i
  • Replacement for WEP
  • Includes TKIP (Temporal Key Integrity Protocol), 802.1x, and keyed integrity check
  • Mandatory AES (Advanced Encryption Standard)
  • Addresses all currently known vulnerabilities and poor implementation decisions
• Need to be IEEE member to read work in progress
• Expected ratification in Q4 2003
VPN

Remote Access Trends
• Explosive growth of mobile users
  • 63.4M handheld computers to be sold by 2003*
• Increasing methods of access
  • Application specific access
• Combined functionality
  • VPN and Firewall combined platforms
* Source: IDC
VPN Solution Components
(Diagram: Telecommuter and Mobile Worker reach the VPN Server across the Internet via an ISP; an Administrator manages the Corporate Network. Component labels: Clients, Gateway, Protocols, Authentication, Policy, Deployment Tools. Corporate network servers: File/Print Server, Database Server, Web Server, Email Server, Domain Controller, IAS Server.)
Windows VPN Components
• Client: Integrated VPN client (Windows XP Professional)
• Gateway: Routing and Remote Access Services (Windows Server 2003)
• Protocols: Platform support for industry standard protocols
• Authentication and Policy: Internet Authentication Services & Active Directory (Windows Server 2003)
• Deployment Tools: Connection Manager Administration Kit
Windows XP Professional Client
• Integrated VPN Client: initiates connection to remote networks.
• Simplicity
  • New Connections Wizard
  • Automatic protocol detection
• Security
  • Client state check with “Quarantine”
  • Supports advanced security and encryption
  • Supports certificates, smart cards, token cards and more
Windows Server Gateway
• Routing and Remote Access Services: link clients to private networks
• Security
  • Secure remote access connection technology
  • Per session VPN packet filters
• Performance
  • Offload hardware encryption supported
  • Load balance support for VPN
• Manageability
  • Integrated Active Directory™ authentication
  • Supports standards based authentication servers (RADIUS)
Windows XP & Server 2003 Protocols
• Industry Standard Protocols: specify link capabilities and encrypt data traffic.
• Security
  • Advanced security with L2TP/IPSec tunneling protocols
  • PKI authentication support
  • Legacy user authentication support with PPTP
  • Support for Smart Cards with EAP
• Interoperability
  • IETF standards based solutions
• Network Transparency
  • Multi-protocol and multicast support
Windows Server Authentication
• Internet Authentication Services: validates user access to the network
• Directory Integration
  • Integrates with Active Directory
• Interoperability
  • Authenticates other 3rd party VPN products that support RADIUS
• Security
  • Support for “Quarantine”
• New authentication support
  • Smart cards, token cards, fingerprint scanners and more
Windows Server Policies
• AD Group Policy: network policies for users to gain access
• Security
  • Enforcement of policies to check the state of the client via quarantine service
  • Restricted access based on group membership
• Manageability
  • Centralized user management with integration of AD and authentication service
Windows Server Deployment Tools
• Connection Manager Administration Kit: create and manage client connection configurations
• Central Configuration
  • Create pre-configured dial-up connection software for simplified client experience
• Extensibility
  • Customizable help files, help-desk numbers, and more
  • Configurable connect actions to launch custom code before or after connection
• Phonebook Management
  • Automatic phonebook updates for local ISP access numbers
Network Access Quarantine Control
(Diagram labels: Remote User, Internet, RRAS, Quarantine, Corpnet, Windows Server 2003 Internet Authentication Service, Active Directory.)
• Ensures that remote systems meet corporate security standards
• Reduces risk of security compromises
• Reduces the spread of viruses
• Whitepaper: Network Access Quarantine Control in Windows Server 2003, http://www.microsoft.com/windowsserver2003/techinfo/overview/quarantine.mspx
Perimeter

What is ISA Server?
• High performance Web cache
• Multi-layered firewall
  • Packet level (static and dynamic filters)
  • Circuit level (stateful inspection)
  • Application level (payload inspection)
  • Network Address Translation (NAT)
• Centralised or distributed management
• ICSA Certified
• Common Criteria EAL2 Certified
• Provide secure, fast Internet/Intranet access with proxy and caching
• Secure Exchange and Web Servers at the application layer
• Secure edge gateway with integrated VPN, firewall and caching
• ISA = Defence in Depth
Current Situation
• Traditional firewalls focus on packet filtering and stateful inspection
  • Today’s attacks freely bypass this
• Ports are overloaded & can be exploited
  • Port 80 yesterday: Web browsing only
  • Port 80 today: Web browsing, OWA, XML Web Services, …
• Packet filtering and stateful inspection are not enough

Application-layer Firewalls are Necessary
• Application-layer firewalls are required to stop these attacks
• Enable deep content inspection
• Requirement for network security today
(Diagram: traffic from the Internet passes a packet filtering firewall/router and then an application-layer firewall before reaching the internal network.)
“To provide edge security in this application centric world…application-layer firewalls will be required” —John Pescatore, Gartner
ISA Server = Application-layer Security
• Packet filtering & stateful inspection
• Application-layer filtering
  • Imperative for network security today
  • Potential to detect/inspect traffic regardless of port
• Advanced proxy architecture
  • Internet traffic never routed to the internal network
• Extensible/pluggable architecture
  • 30+ partners: netIQ, Trend Micro, Rainfinity, Authenex, N2H2, Venation, ISS…
• Best firewall for Windows environment
Web Publishing
• Occurs at the application level
  • ISA understands HTTP
• Can publish multiple web servers using one IP address
• Can bridge and tunnel SSL requests
• Allows secure access to the web server
• Accelerates performance
  • Off-load SSL
Publishing Web Servers
(Diagram: requests from the Internet reach ISA Server, which maps external names to servers on the Internal Network.)
• www.nwtraders.msft/africa -> africa.internal.nwtraders.msft (Africa)
• www.nwtraders.msft/europe -> europe.internal.nwtraders.msft (Europe)
• www.contoso.msft -> www.contoso.msft
Server Publishing
• Occurs at the application level
  • ISA understands SMTP, DNS, FTP, POP, RPC, H.323 and streaming media OOB
• Allows secure access to published services
  • All incoming and outgoing requests inspected by ISA
• Can limit rules to specific clients
• Single IP visible to outside world
(Diagram: ISA Server sits between the Internet and the Internal Network, external adapter 131.107.3.1, internal adapter 192.168.9.1; the Exchange Server mail1.nwtraders.msft on the Internal Network is published to the Internet under the same name.)
ISA Deployment Benefits
• Cost-effective to build, monitor and operate
• Integrated with Windows security and compatible with non-Windows hosts
• Saves bandwidth by caching frequently accessed content
• Provides a firewall engine with application layer inspection
• Enables QoS, detailed reporting, strong user authentication and high availability
SMTP Filter
• Help filter out unwanted e-mail
• Uses ISA Server application-layer filtering ability
• Filter e-mail with increased reliability and security on several attributes
  • Sender
  • Domain
  • Keyword
  • Attachment extension, name, size
  • Any SMTP command and its length
Exchange RPC: RPC 101
• RPC services grab random high ports when they start; the server maintains a table:
    Service          UUID               Port
    Exchange         {12341234-1111…}   4402
    AD replication   {01020304-4444…}   3544
    MMC              {19283746-7777…}   9233
• Sequence between RPC client (Outlook) and RPC server (Exchange):
  1. Client knows the UUID of the service it wants ({12341234-1111…})
  2. Client connects to the portmapper on the server (port 135/tcp)
  3. Client asks, “What port is associated with my UUID?”
  4. Server matches the UUID to the current port… 4402
  5. Portmapper responds with the port and closes the connection
  6. Client accesses the application over the learned port (4402/tcp)
• Due to the random nature of RPC, this is not feasible over the Internet
  • All 64,512 high ports & port 135 must be opened on traditional firewalls
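As an added example, not from the deck: a Python model of the portmapper table above, a traditional firewall that must leave port 135 and every high port open, and an RPC-aware filter of the kind the next slide describes, which opens a high port only after inspecting a portmapper reply for an allowed UUID and closes it again when the session ends. The UUIDs are constructed placeholders.

```python
import random

# Constructed UUIDs for the demonstration (the slide's own values are elided).
EXCHANGE_UUID = "a1a1a1a1-0000-4000-8000-000000000001"
AD_REPL_UUID = "b2b2b2b2-0000-4000-8000-000000000002"
MMC_UUID = "c3c3c3c3-0000-4000-8000-000000000003"
PORTMAPPER_PORT = 135
HIGH_PORTS = range(1024, 65536)  # the 64,512 high ports the slide counts


class EndpointMapper:
    """Server side: each RPC service grabs a free random high port at start-up; the mapper keeps the table."""

    def __init__(self, rng):
        self.rng = rng
        self.table = {}  # uuid -> current port

    def register(self, uuid):
        while True:
            port = self.rng.choice(HIGH_PORTS)
            if port not in self.table.values():
                self.table[uuid] = port
                return port

    def lookup(self, uuid):
        """'What port is associated with my UUID?' -> the current port, or None if unknown."""
        return self.table.get(uuid)


class StaticFirewall:
    """Traditional packet filter: cannot know which high port will be picked, so opens them all."""

    def __init__(self):
        self.open_ports = {PORTMAPPER_PORT} | set(HIGH_PORTS)

    def allows(self, port):
        return port in self.open_ports


class RpcAwareFilter:
    """Application-layer filter: only 135 is open; holes for high ports are pinned per session."""

    def __init__(self, allowed_uuids):
        self.allowed_uuids = set(allowed_uuids)
        self.open_ports = {PORTMAPPER_PORT}
        self.sessions = {}  # client -> dynamically opened port

    def inspect_lookup(self, client, uuid, mapper):
        """Mediates the portmapper exchange; only whitelisted UUIDs get their port opened."""
        if uuid not in self.allowed_uuids:
            return None  # refused at the application layer; the mapper is never asked
        port = mapper.lookup(uuid)
        if port is not None:
            self.open_ports.add(port)
            self.sessions[client] = port
        return port

    def close_session(self, client):
        port = self.sessions.pop(client, None)
        if port is not None and port not in self.sessions.values():
            self.open_ports.discard(port)

    def allows(self, port):
        return port in self.open_ports


def scenario(seed=2003):
    """Walk through the slide's sequence once behind a static firewall and once behind the RPC filter."""
    mapper = EndpointMapper(random.Random(seed))
    for uuid in (EXCHANGE_UUID, AD_REPL_UUID, MMC_UUID):
        mapper.register(uuid)
    static = StaticFirewall()
    rpc = RpcAwareFilter(allowed_uuids={EXCHANGE_UUID})
    exchange_port = rpc.inspect_lookup("outlook-1", EXCHANGE_UUID, mapper)
    ad_port = rpc.inspect_lookup("outlook-1", AD_REPL_UUID, mapper)  # refused: not an Exchange UUID
    open_during = sorted(rpc.open_ports)
    rpc.close_session("outlook-1")
    return {
        "static_open": len(static.open_ports),
        "exchange_port": exchange_port,
        "rpc_open_during_session": open_during,
        "rpc_open_after_session": sorted(rpc.open_ports),
        "ad_port_granted": ad_port,
        "ad_port_reachable_via_rpc_filter": rpc.allows(mapper.lookup(AD_REPL_UUID)),
        "ad_port_reachable_via_static": static.allows(mapper.lookup(AD_REPL_UUID)),
    }
```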
Exchange RPC Filter: Protect remote Outlook e-mail without a VPN
(Diagram: Outlook on the Internet reaches the Exchange Server through ISA Server.)
• ISA Server Exchange RPC filter
  • Only port 135 (portmapper) is open
  • High ports are opened and closed for Outlook clients as necessary
  • Inspects portmapper traffic at application-layer
  • Only Exchange UUIDs allowed, nothing else
• Enforce RPC encryption
  • Outlook RPC encryption can be enforced centrally
• Enable outbound RPC communication
  • Outlook clients behind ISA Server can now access external Exchange Servers
(Diagram: ISA Server with Feature Pack 1 between the internal network, with an Outlook client and an Exchange Server, and the external network, with an Outlook client and an Exchange Server; RPC flows in both directions.)
URLScan 2.5 for ISA Server: Help stop evolving types of Internet attacks
• Filters incoming requests based on rules set
• Helps protect from attacks which
  • request unusual actions
  • have a large number of characters
  • are encoded using an alternate character set
• Can be used in conjunction with SSL inspection to detect attacks over SSL
RSA SecurID Authentication: Help control access with 2-factor authentication
• ISA Server prompts user for SecurID username and PASSCODE
• RSA ACE/Agent on ISA Server passes credentials to the RSA ACE/Server for validation
• When credentials are validated
  • User is granted access to the protected content
  • Cookie is delivered to the user's browser for subsequent activity during the session
(Diagram label: Web server)
Authentication Delegation: Help ensure only valid traffic is allowed
• For SecurID and basic authentication
• Authentication happens at ISA Server
  • Eliminates multiple authentication dialogs
  • Only valid traffic allowed to the internal network
• Enabled per Web publishing rule
• Flow (client on the Internet, ISA Server, protected Web server):
  1. Client requests protected content from Web server
  2. ISA Server pre-authenticates users and logs their activity
  3. ISA Server forwards the credentials to the protected Web or OWA server
Link Translator: Eliminate the need to re-architect intranet sites
• Translates hyperlinks within responses
  • Intranet computer names to those of externally available computers
  • Including: HTTP to HTTPS; SharePoint Portal Server
(Diagram, ISA Server Feature Pack 1: the client on the Internet requests www.example.com/index.html; the page from Web server www.example.com links to http://int-mktg/sales.html on internal Web server int-mktg; the link translator rewrites int-mktg/ to mktg.example.com/, so the client sees http://mktg.example.com/sales.html.)
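As an added example, not from ISA Server or the deck: a Python link translator that rewrites href/src/action URLs pointing at internal computer names to their external names, optionally upgrading HTTP to HTTPS, and leaves relative and external links alone. The translation table is constructed; int-mktg to mktg.example.com is the slide's own case.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# Constructed translation table: internal computer name -> (external scheme, external host).
LINK_MAP = {
    "int-mktg": ("http", "mktg.example.com"),     # the slide's own example
    "int-sales": ("https", "sales.example.com"),  # constructed: also upgrades HTTP to HTTPS
}

# Matches the quoted value of href/src/action attributes in an HTML response body.
_ATTR_RE = re.compile(
    r'''(?P<attr>\b(?:href|src|action)\s*=\s*)(?P<q>["'])(?P<url>[^"']*)(?P=q)''', re.IGNORECASE
)


def translate_url(url, link_map=LINK_MAP):
    """Rewrite one absolute URL whose host is an internal name; leave everything else untouched."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):  # relative links and other schemes pass through
        return url
    target = link_map.get(parts.hostname or "")
    if target is None:  # already an external (or unknown) host
        return url
    scheme, host = target
    return urlunsplit((scheme, host, parts.path, parts.query, parts.fragment))


def translate_links(body, link_map=LINK_MAP):
    """Rewrite every hyperlink in an HTML body; returns (new body, number of links changed)."""
    changed = 0

    def repl(match):
        nonlocal changed
        new = translate_url(match.group("url"), link_map)
        changed += new != match.group("url")
        return f'{match.group("attr")}{match.group("q")}{new}{match.group("q")}'

    return _ATTR_RE.sub(repl, body), changed
```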
Guidance: Answer commonly asked ISA Server questions
• ISA Server Feature Pack 1 walkthroughs
  • OWA, link translation, RSA SecurID
• Web Publishing
  • Includes many different scenarios
  • Troubleshooting information
• Exchange Server Publishing
  • Includes Exchange RPC filter, POP and IMAP
  • Troubleshooting information
• Additional Documentation
  • Many subjects, including client types and creating digital certificates
Call to Action
• Eliminate fear of wireless networks
• Revisit corporate remote access strategy
• Evaluate the security of your current Exchange and Web Server deployment
• Regularly check www.microsoft.com/security
© 2003 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.