October 18, 2004 12:00 AM

Rev Up Security with ISA Server 2004

This sample back-to-back firewall configuration shows you how
Windows IT Pro
InstantDoc ID #44068

Are you looking for a way to significantly enhance security for your Internet-facing Microsoft applications and services? If so, take a look at Microsoft Internet Security and Acceleration (ISA) Server 2004, which makes a quantum leap beyond its predecessor, ISA Server 2000. ISA Server 2004 provides a network firewall that performs both stateful filtering (at the Open Systems Interconnection—OSI—model's transport layer 4 and below) and stateful application-layer (layer 7) filtering on all installed interfaces.

Many organizations have an existing firewall infrastructure but still want to obtain the security benefits that ISA Server 2004 provides. The ISA Server 2004 firewall is extremely flexible and has a number of viable deployment options. One of the most common and most secure of these options is a back-to-back firewall configuration, in which a traditional packet filter-based hardware firewall on the front end provides basic stateful filtering to protect the demilitarized zone (DMZ) between the firewall and the LAN interface, and an ISA Server 2004 firewall on the back end provides both stateful filtering and stateful application-layer inspection to protect core business resources.

Filtering remote access to Microsoft Exchange Server services is a popular ISA Server scenario, and several of the firewall's new technologies provide a unique level of protection for Internet-facing Exchange services, especially Microsoft Outlook Web Access (OWA). If you're interested in placing an ISA Server firewall behind an existing packet filter-based hardware firewall, this scenario provides a good example of the required procedures. Figure 1 shows a high-level view of the back-to-back firewall design. Key features of the network and firewall topology include the following:

  • A stateful packet-filtering (application-specific integrated circuit—ASIC—based) hardware firewall, which I'll call the hardware firewall, is placed on the front end. This rudimentary firewall provides layer 4 and below protection for hosts on the perimeter network between the hardware firewall and the ISA Server 2004 firewall, which I'll call the ISA firewall.

    This DMZ segment is an unauthenticated segment: Whereas public servers in the DMZ might require local authentication at the server, no authentication is required to enter the segment.

  • A stateful filtering and stateful application-layer (layer 7) filtering ISA firewall is placed on the back end. This firewall, which is closer to core business assets, must provide a higher level of protection than the hardware firewall. The ISA firewall achieves this goal by performing the same stateful filtering as the hardware firewall but exceeds the hardware firewall's protective ability by adding stateful application-layer inspection. In addition, strong user- and group-based authentication is required for all inbound and outbound connections through the ISA firewall.

  • The ISA firewall has three network interfaces: an external interface that connects to the DMZ segment, an internal interface that connects to a network infrastructure-services segment containing core infrastructure servers (e.g., a domain controller—DC—and Global Catalog—GC—server, a front-end Exchange server, a back-end Exchange server), and another internal interface that connects to a network segment containing client systems. No unauthenticated connections are allowed from the external interface to the infrastructure-services segment, and no connections at all are allowed from the client segment except those necessary to use network services. This design protects the network infrastructure servers not only from external attacks but also from attacks launched by hosts on the client segment.

  • The ISA Server system is a member of the internal network domain. Some experts suggest that domain membership can compromise internal network security in the event that the ISA Server system is compromised. However, if that happens, the server's domain membership has little effect on how much damage an attacker can accomplish. The protection you gain by making the ISA Server system a member of the domain far outweighs any theoretical advantages of not doing so.

  • Secure Sockets Layer (SSL)-to-SSL bridging on the ISA firewall is used to prevent exploits from hiding inside SSL tunnels. The remote Web client tunnels through the hardware firewall and terminates its SSL session with the ISA firewall's external interface. The ISA firewall decrypts the packets, performs stateful application-layer filtering on the communications, and re-encrypts the packets to send them along a second SSL link established between the ISA firewall's internal interface and the front-end Exchange server.

  • The ISA firewall is configured to require that a client certificate be presented to the front-end Exchange server's OWA Web site. This requirement protects the front-end Exchange server in the event that an attacker tries to use another machine (e.g., through a spoofed IP address) to impersonate the ISA firewall and forward connections to the front-end Exchange server. Because such an attacker won't have a valid client certificate, the connection attempt will fail even if the attacker has valid OWA user credentials. Note that the Web client doesn't present a client certificate to the Exchange server or ISA firewall; only the ISA firewall presents a client certificate when establishing the SSL link between itself and the front-end Exchange server.
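The client-certificate requirement in the last point, shown as an added Go example that is not from the article or from ISA Server: a stand-in for the front-end Exchange OWA site accepts the back-end SSL link only from a peer presenting the ISA firewall's client certificate, so a host that merely spoofs the firewall's address is refused at the handshake, before any OWA credentials are even seen. The certificate, the server and the `/exchange/` path are constructed for the demonstration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"net/http"
	"net/http/httptest"
	"time"
)

// isaClientCert: constructed self-signed certificate standing in for the client
// certificate the ISA firewall presents on its SSL link to the Exchange server.
func isaClientCert() tls.Certificate {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "isa-firewall (constructed)"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, IsCA: true, BasicConstraintsValid: true,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}
}

// newOWABackend: stand-in for the front-end Exchange OWA site; the TLS layer
// requires and verifies the ISA client certificate before any request reaches OWA.
func newOWABackend(isa tls.Certificate) *httptest.Server {
	pool := x509.NewCertPool()
	leaf, _ := x509.ParseCertificate(isa.Certificate[0])
	pool.AddCert(leaf) // the only client certificate the Exchange stand-in trusts
	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Write([]byte("OWA ok, peer=" + r.TLS.PeerCertificates[0].Subject.CommonName))
	}))
	srv.TLS = &tls.Config{ClientAuth: tls.RequireAndVerifyClientCert, ClientCAs: pool}
	srv.StartTLS() // httptest supplies the backend's own (constructed) server certificate
	return srv
}

// fetchOWA opens the back-end SSL link presenting certs (the ISA firewall) or none
// (an impersonator with a spoofed address): HTTP status, or 0 and the handshake error.
func fetchOWA(srv *httptest.Server, certs []tls.Certificate) (int, error) {
	tr := srv.Client().Transport.(*http.Transport).Clone() // trusts only the backend cert
	tr.TLSClientConfig.Certificates = certs
	resp, err := (&http.Client{Transport: tr}).Get(srv.URL + "/exchange/")
	if err != nil {
		return 0, err
	}
	defer resp.Body.Close()
	return resp.StatusCode, nil
}
```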
