
Security and Speed, Perfectly Combined


Presentation Transcript


  1. Microsoft Internet Security and Acceleration Server 2000: Security and Speed, Perfectly Combined. Hao Xueying (郝雪莹), xyhao@microsoft.com, Microsoft China

  2. Agenda • Product overview • Deployment scenarios • Firewall • Caching • Management • Extensibility

  3. New opportunities, new challenges • Opportunity: connect your customers, partners and employees over the network; Challenge: the network is exposed to every hacker, virus and unauthorized user • Opportunity: e-commerce on the Web brings your business new opportunities; Challenge: competition is fierce, and your Web site must deliver fast, reliable service • Opportunity: a resource-limited intranet becomes a network fused with the Internet; Challenge: managing such a network requires more advanced skills

  4. Internet: The Connected Business • New Concerns • Protect your internal network from hackers and other intruders • Manage and control network access • Speed up network access while conserving valuable bandwidth

  5. Microsoft's view of security • Security flaws and virus attacks are serious, costly, industry-wide problems • Internet security is the most fundamental consideration for digital business operations worldwide • As an industry leader, Microsoft has a special responsibility to protect the Internet and customer data

  6. Microsoft ISA Server 2000: Security and Speed, Perfectly Combined • Secure network connectivity: protect the network environment with a scalable, multi-layered firewall • Fast Web access: scalable, high-performance Web caching • Unified management: robust policy and management mechanisms integrated with Windows 2000 • Extensible open platform: an advanced platform that can be extended and customized

  7. What is ISA Server 2000 • Firewall and cache • ISA Server editions • ISA Server Standard Edition • ISA Server Enterprise Edition

  8. Microsoft® ISA Server 2000 Standard Edition vs. Enterprise Edition feature comparison table

  9. What Is ISA Server 2000: ISA system requirements

  10. Firewall & cache • Both belong at the edge of the network, that is, at the point where networks join • Modular installation • Unified management • MMC • Logging and Reporting • Monitoring and Alerting • Consistent access policy • Low training and maintenance cost

  11. Tight integration with Windows 2000 • Security • Packet filtering • Network address translation (NAT & SecureNAT) • Authentication • System Hardening • Virtual private networking (VPN) • Management • MMC • Terminal Services • Event log • Active Directory™ • Array configuration and policy data • NOT required! • Bandwidth control • Transparent support for clients and servers on other platforms

  12. Much More Than “Proxy Server 3.0” • Transparency for all clients and servers • Enterprise policy • Group policy • Schedules • Active Directory integration • Extensible application filters • SMTP filter • Streaming media splitting • H.323 filter & Gatekeeper • MMC-based UI • Task Pads, wizards • Remote administration • Configuring Exchange server behind firewall • IIS separation • RAM caching • New cache store • Scheduled content download • VPN integration • Intrusion detection • System hardening • NTLM & Kerberos authentication • Dual-hop SSL • Customizable alerts • Logging: W3C format, selectable fields • Integrated reporting • Bandwidth control • New APIs • Modular installation

  13. Microsoft Internet Security & Acceleration Server 2000: Deployment Scenarios

  14. Small Organization (diagram labels: Internet, ISA Server)

  15. Large Enterprise (diagram labels: Internet, ISA Server) • Firewall & cache, managed together

  16. DMZ & Secure Publishing (diagram labels: Internet, ISA #1, DMZ #1, ISA #2, Intranet)

  17. Chaining (diagram: an ISA Server Array at the Main site and an ISA Server at the Branch, linked by a leased line or VPN connection, with Internet access)

  18. Firewall: protect the network environment with a scalable, multi-layered firewall

  19. Why use a firewall? • Protect yourself from attacks by hackers, viruses and unauthorized users • Control outbound Internet access • Protect web servers and email servers • More secure data access: protect critical data and information - and - manage access to that information

  20. ISA Server Firewall • Packet, circuit, and application-level traffic screening • Stateful inspection examines traffic in its context • Reduce risk of unauthorized access • Analyze or modify content with “Smart” application filters • Integrated intrusion detection • Based on technology licensed from Internet Security Systems (ISS) • Secure publishing • Protect servers accessible to the outside world • System hardening • “Lock down” the operating system, further strengthening security • Integrated with Windows 2000 VPN • Wizard for easy configuration

  21. Multi-layered firewall • Bottom up – protection at every level • Packet level • Static filters • Dynamic filters • Intrusion detection • Circuit (protocol) level • Session based filtering • Connection association • Application level • Intelligent payload inspection (diagram: Application level above Circuit level above Packet level)

  22. Smart Application Filters • Protocol aware filters • Analyze the traffic • Block, redirect, modify • Intelligent filtering out-of-the-box: • HTTP: Web request caching • SMTP: Traffic filtering • Streaming media: Stream splitting • FTP: Read only restriction • H.323: NetMeeting® through the firewall

  23. Intrusion Detection

  24. Additional Security Features • VPN integration • Integrated with Windows 2000 VPN • Wizard for easy configuration • System hardening wizard • “Lockdown” for the operating system • Three pre-defined levels • Secure publishing • SSL Bridging • Encrypted tunneling

  25. ISA Server – Microsoft’s Firewall: ISA Server features • Multi-layered firewall • Centralized or distributed management • Publishing • ICSA certified

  26. ISA Server – Microsoft’s Firewall: How A Firewall Protects • A firewall filters network traffic that enters or leaves a protected network. • Decisions are based on: • IP address, protocol and port number • Connection establishment • IP packet payload • Application filtering • Authentication • Logging and Alerting

  27. ISA Server – Microsoft’s Firewall: ISA Server Architecture (diagram, between the Internet and the Local Area Network: the Web Proxy Service with its Cache, Web Filter, HTTP Redirector and Third Party Filter serving Web Proxy Clients; the Firewall Service with Streaming, SMTP, H.323 and FTP Filters serving Firewall Clients; the NAT Driver and Packet Filtering serving SecureNAT Clients)

  28. ISA Server – Microsoft’s Firewall: Outgoing FW Traffic Flow (diagram: user mode holds Policy, Firewall Service, Application Filter, Session Log, Socket Layer and SecureNAT; kernel mode holds the TCP/IP Stack, SecureNAT driver, Routing, NAT driver, PF Log, PFxD, Reassembly, PFD and NDIS, with the Internal Interface and External Interface)

  29. ISA Server – Microsoft’s Firewall: Incoming FW Traffic Flow (diagram: the same user-mode and kernel-mode components as the outgoing flow, traversed from the External Interface to the Internal Interface)

  30. ISA Server – Microsoft’s Firewall: ISA Server defaults • No incoming or outgoing traffic unless specifically allowed • Exceptions: • ISA Server can perform DNS lookups • Pinging from ISA Server

  31. ISA Server – Microsoft’s Firewall: Rules for outgoing requests • Protocol Rules • Who may use which protocol to access what, and when? • Default: No access • Site and Content Rules • Who may access which sites and content, and when? • Default: All access • Both kinds of rule are required for Internet access
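The default-deny evaluation that slides 30 and 31 describe, as an added model (not ISA Server code; the rule, user and site names are constructed): an outbound request passes only when a Protocol Rule grants the user that protocol during its schedule and no Site and Content Rule denies the destination.

```python
"""Outgoing access-policy model for slides 30-31 (constructed; not ISA Server
code; names are made up). A request is allowed only if a Protocol Rule grants
the user that protocol at that time (default: no access) AND no Site and
Content Rule denies the destination (default: all access)."""
from dataclasses import dataclass
from datetime import datetime

@dataclass
class ProtocolRule:
    name: str
    users: set        # user or group names; "*" means everyone
    protocols: set    # protocol definitions, e.g. {"HTTP", "HTTPS"}
    hours: range      # the rule's schedule as allowed hours of the day (0-23)
    allow: bool = True

@dataclass
class SiteContentRule:
    name: str
    users: set
    destinations: set  # destination hostnames; "*" means any site
    allow: bool = True

def _user_matches(rule_users, user):
    return "*" in rule_users or user in rule_users

def evaluate_outgoing(user, protocol, dest, when, protocol_rules, site_rules):
    """Return (allowed, reason); a matching deny overrides a matching allow."""
    # 1. Protocol Rules: with no matching allow rule the default is no access.
    proto_hits = [r for r in protocol_rules if _user_matches(r.users, user)
                  and protocol in r.protocols and when.hour in r.hours]
    if not proto_hits:
        return False, "no protocol rule grants %s" % protocol
    if any(not r.allow for r in proto_hits):
        return False, "a protocol rule denies %s" % protocol
    # 2. Site and Content Rules: default is all access unless a deny matches.
    site_hits = [r for r in site_rules if _user_matches(r.users, user)
                 and ("*" in r.destinations or dest in r.destinations)]
    if any(not r.allow for r in site_hits):
        return False, "a site and content rule denies %s" % dest
    return True, "allowed"

# Constructed policy: staff may use HTTP/HTTPS from 08:00 to 17:59, and one
# site is blocked for everyone; everything else falls back to the defaults.
PROTOCOL_RULES = [ProtocolRule("Web for staff", {"staff"}, {"HTTP", "HTTPS"},
                               range(8, 18))]
SITE_RULES = [SiteContentRule("Block games", {"*"}, {"games.example"},
                              allow=False)]
OFFICE_HOURS, AFTER_HOURS = datetime(2001, 3, 1, 10), datetime(2001, 3, 1, 22)
```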

  32. ISA Server – Microsoft’s Firewall: Rules for incoming requests • Server Publishing Rules • Redirect traffic for an external address / port to an internal address • Web Publishing Rules • Redirect Web requests only • Can redirect to multiple internal Web sites • Can choose port for redirection • Can perform SSL bridging

  33. ISA Server – Microsoft’s Firewall: Firewall Planning • Assess needs for outgoing traffic • “Deny all” or “Allow all” • Research user requirements • Design required rules and policy elements • Plan for authentication (if required) • Assess needs for incoming traffic • Inventory resources that need to be accessed from the Internet • Design the required rules and policy elements

  34. ISA Server – Microsoft’s Firewall: Firewall Planning (continued) • Scaling • Arrays • Network Load Balancing (NLB) • DNS round robin • Perimeter Network Requirements

  35. Firewall Design: No External Access Required (diagram: Internet – Firewall – Internal Network)

  36. Firewall Design: Screened Host (diagram: Internet – Firewall – Screened Host – Internal Network)

  37. Firewall Design: Three-Homed Perimeter Network Design (diagram: Internet – Firewall, with the Perimeter Network and the Internal Network on separate interfaces)

  38. Firewall Design: Back-to-Back Perimeter Network Design (diagram: Internet – Firewall – Perimeter Network with Web Server – Firewall – Internal Network)

  39. Using Publishing And Routing: Methods for Passing Network Traffic • Web Proxy Service • Firewall Service (proxy) • IP Routing (secured by packet filters)

  40. Using Publishing And Routing: Comparing Publishing and Routing • Publishing Rules publish internal sites to the external network • Local Address Table (LAT) defines what is internal • Perimeter Network in three-homed design is treated as external network • Need to configure routing between two external networks • Routing is secured by packet filters

  41. Using Publishing And Routing: Server Publishing • Reverse Network Address Translation (NAT) • External network to internal network • Sends packets received on external network interface to identical port on internal server • Mapping: each port on each external address can be mapped separately • Normally used for non-Web servers

  42. Using Publishing And Routing: Web Publishing (diagram: requests from the Internet for www.microsoft.com/ and www.microsoft.com/isaserver/ reach ISA Server and are redirected to www.internal.microsoft.com and isa.internal.microsoft.com on the Internal Network) • Redirects requests for URLs received on external interface • Can redirect to multiple Web sites • Can redirect to internal or external sites
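The two inbound publishing mechanisms of slides 41 and 42, as an added model rather than ISA Server code: reverse NAT keyed per external address and port (the IP addresses are constructed), and URL redirection by public host and path prefix using the hostnames from the slide 42 diagram.

```python
"""Inbound publishing model for slides 41-42 (constructed; not ISA Server code;
IP addresses are made up, hostnames are the ones on slide 42). Server
Publishing is reverse NAT: each (external address, port) is mapped separately
to the identical port on one internal server. Web Publishing redirects HTTP
requests by public host and path prefix to an internal or external site."""
from urllib.parse import urlsplit

class ServerPublishing:
    """Reverse-NAT table: (external_ip, port) -> internal_ip."""
    def __init__(self):
        self.table = {}

    def publish(self, external_ip, port, internal_ip):
        self.table[(external_ip, port)] = internal_ip

    def translate(self, dst_ip, dst_port):
        """Internal (ip, port) for an inbound packet, or None to drop it:
        ports that were never published are not forwarded."""
        internal = self.table.get((dst_ip, dst_port))
        return (internal, dst_port) if internal else None

class WebPublishing:
    """Longest-prefix match of public host + path to an internal base URL."""
    def __init__(self):
        self.rules = []   # (public_host, path_prefix, internal_base_url)

    def publish(self, public_host, path_prefix, internal_base):
        self.rules.append((public_host, path_prefix, internal_base.rstrip("/")))
        self.rules.sort(key=lambda r: -len(r[1]))   # most specific prefix first

    def redirect(self, url):
        """Internal URL the request is forwarded to, or None if unpublished."""
        parts = urlsplit(url)
        for host, prefix, base in self.rules:
            if parts.hostname == host and parts.path.startswith(prefix):
                return base + "/" + parts.path[len(prefix):]
        return None

# Constructed configuration matching the slide 42 diagram plus one SMTP server.
SERVER_RULES = ServerPublishing()
SERVER_RULES.publish("203.0.113.10", 25, "10.0.0.5")   # constructed addresses
WEB_RULES = WebPublishing()
WEB_RULES.publish("www.microsoft.com", "/", "http://www.internal.microsoft.com/")
WEB_RULES.publish("www.microsoft.com", "/isaserver/", "http://isa.internal.microsoft.com/")
```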

  43. Using Publishing And Routing: Secure Web Publishing • Client connection terminates at ISA Server computer • ISA Server can perform authentication • ISA Server needs Web server certificate • What about connection between ISA Server and internal Web server? • SSL bridging • Choice of HTTP-S, HTTP, or FTP

  44. Using Publishing And Routing: Routing • Required for all protocols other than TCP or UDP • Required to access three-homed perimeter network (external to external) • ISA enforces packet filtering with routing • Note: packet filtering enhances security and increases performance • Warning: Do not enable routing outside of ISA Server

  45. Demonstration 1: Server Publishing And Web Publishing • Creating a Server Publishing Rule • Creating a Web Publishing Rule

  46. ISA Server Configuration: Outgoing Traffic • Protocol Rules and Site and Content Rules • Packet filters • Protocols other than UDP or TCP • Applications or services running on ISA Server computer • Packet filters can override rules

  47. ISA Server Configuration: Screened Host • Configure Server Publishing Rules • Configure Web Publishing Rules

  48. ISA Server Configuration: Three-Homed Perimeter Network • Use routing with packet filtering for perimeter network servers • Servers need routable IP addresses • Use publishing between perimeter network and internal network

  49. ISA Server Configuration: Back-to-Back Perimeter Network • Use Publishing Rules to publish servers on perimeter network to Internet • Use Publishing Rules to publish servers on internal network to perimeter network • Each ISA Server requires a separate LAT

  50. Miscellaneous Configuration: Authentication • Firewall Clients • User-based, automatic • Requires client software, Win32 clients only, TCP and UDP only • SecureNAT Clients • By IP address • No client software, all platforms, all protocols
