Contents
Overview 1
Securing the Server 2
Examining Perimeter Networks 6
Examining Packet Filtering and IP Routing 10
Configuring Packet Filtering and IP Routing 17
Configuring Application Filters 24
Lab A: Configuring the Firewall 35
Review 45
Module 6:
Configuring the Firewall
Information in this document is subject to change without notice. The names of companies,
products, people, characters, and/or data mentioned herein are fictitious and are in no way intended
to represent any real individual, company, product, or event, unless otherwise noted. Complying
with all applicable copyright laws is the responsibility of the user. No part of this document may
be reproduced or transmitted in any form or by any means, electronic or mechanical, for any
purpose, without the express written permission of Microsoft Corporation. If, however, your only
means of access is electronic, permission to print one copy is hereby granted.
Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual
property rights covering subject matter in this document. Except as expressly provided in any
written license agreement from Microsoft, the furnishing of this document does not give you any
license to these patents, trademarks, copyrights, or other intellectual property.
CD Build Specialist: Julie Challenger
Manufacturing Support: Laura King; Kathy Hershey
Operations Coordinator: John Williams
Lead Product Manager, Release Management: Bo Galford
Group Manager, Business Operations: David Bramble
Group Manager, Technical Services: Teresa Canady
Group Product Manager, Content Development: Dean Murray
General Manager: Robert Stewart
Module 6: Configuring the Firewall iii
Instructor Notes
This module provides students with the knowledge and skills to configure Microsoft® Internet Security and Acceleration (ISA) Server 2000 as a firewall.
After completing this module, students will be able to:
Secure the ISA Server computer.
Explain the use of perimeter networks.
Explain the use of packet filtering and Internet Protocol (IP) routing.
Configure packet filtering and IP routing.
Configure application filters.
Review RFC 792, “Internet Control Message Protocol,” under Additional
Readings on the Trainer Materials compact disc.
Presentation: 75 Minutes
Lab: 30 Minutes
Module Strategy
Use the following strategy to present this module:
Securing the Server
Discuss the best practices for securing computers, explaining that the list in
the module is not comprehensive but is meant to be a guideline. Explain that
the ISA Server Security Configuration Wizard changes several operating
system settings to pre-configured values and emphasize that ISA Server
includes no automatic method of reverting back to the original values.
Examining Perimeter Networks
Briefly describe the use of perimeter networks, which were introduced in
Module 1. Ensure that students understand that ISA Server treats both the
Internet and the perimeter network as external networks, which requires that
you enable IP routing to move network packets between the networks.
Examining Packet Filtering and IP Routing
Explain that the packet filtering and routing functions of ISA Server provide
stronger security than the packet filtering and routing functions of the
Customization Information
This section identifies the lab setup requirements for a module and the
configuration changes that occur on student computers during the labs. This
information is provided to assist you in replicating or customizing Microsoft
Official Curriculum (MOC) courseware.
The lab in this module is also dependent on the classroom
configuration that is specified in the Customization Information section at the
end of the Classroom Setup Guide for Course 2159A, Deploying and Managing
Microsoft Internet Security and Acceleration Server 2000.
Lab Setup
The following list describes the setup requirements for the lab in this module.
Setup Requirement 1
The lab in this module requires that ISA Server be installed on all ISA Server
computers. To prepare student computers to meet this requirement, perform one
of the following actions:
Complete Module 2, “Installing and Maintaining ISA Server,” in Course
2159A, Deploying and Managing Microsoft Internet Security and
Acceleration Server 2000.
Perform a full installation of ISA Server manually.
Setup Requirement 2
The lab in this module requires that the ISA Server administration tools be
installed on all ISA Server client computers. To prepare student computers to
meet this requirement, perform one of the following actions:
Configure the default gateway manually.
Setup Requirement 5
The lab in this module requires that Microsoft Internet Explorer be configured
on all student computers to use the ISA Server computer as a Web Proxy
server. To prepare student computers to meet this requirement, perform one of
the following actions:
Complete Module 2, “Installing and Maintaining ISA Server,” in Course
2159A, Deploying and Managing Microsoft Internet Security and
Acceleration Server 2000.
Configure Internet Explorer manually.
Setup Requirement 6
The lab in this module requires that Internet Information Services (IIS) be
configured on all ISA Server computers to use Transmission Control Protocol
(TCP) port 8008 for the default Web site. To prepare student computers to meet
this requirement, perform one of the following actions:
Complete Module 2, “Installing and Maintaining ISA Server,” in Course
2159A, Deploying and Managing Microsoft Internet Security and
Acceleration Server 2000.
Configure IIS manually.
Setup Requirement 7
The lab in this module requires a protocol rule on the ISA Server computer that
allows all members of the Domain Admins group to gain access to the
Microsoft® Internet Security and Acceleration (ISA) Server 2000 includes
several security features to help you enforce your security policies. The ISA
Server Security Configuration Wizard enables you to set the appropriate level
of system security for the operating system. Packet filtering helps prevent
unauthorized access to your internal network by inspecting incoming traffic and
blocking packets that do not meet your specified security criteria. Internet
Protocol (IP) routing allows you to forward network packets according to rules
that you define. Application filters control application-specific traffic to
determine if network traffic should be accepted, rejected, redirected, or
modified.
The packet filtering and routing functions of ISA Server provide stronger
security than the packet filtering and routing functions of the Microsoft
Windows® 2000 Routing and Remote Access service. To provide the most
comprehensive security for your internal network, use ISA Server, not the
Routing and Remote Access service, to configure packet filtering and routing
on an ISA Server computer.
Setting System Security
ISA Server is an important component of an overall security strategy, but
network security consists of many elements. Using security best practices will
also help you to secure your network effectively.
ISA Server includes the ISA Server Security Configuration Wizard, which you
can use to apply system security settings to a single ISA Server computer or to
all of the servers in an array. The ISA Server Security Configuration Wizard
uses security templates that are included with Microsoft Windows 2000 Server
to configure the operating system for different levels of security. You can set
the appropriate level of system security, depending on how ISA Server
functions in your network.
Topic Objective: To identify the topics related to securing the ISA Server computer.
Lead-in: ISA Server is an important component of an overall security strategy, but network security consists of many elements.
Install the latest service pack and security updates. Before installing any
service packs or updates, test them thoroughly in a lab environment.
Do not run unnecessary services on the ISA Server computer, and configure
ISA Server with rules that allow only required network traffic to pass
through the ISA Server computer.
Audit security-related events and frequently review the associated log files.
For more information about Windows 2000 auditing, see Module 9,
“Implementing Security in Windows 2000,” in Course 2152, Implementing
Microsoft Windows 2000 Professional and Server. For more information
about monitoring ISA Server security, see Module 8, “Monitoring and
Reporting,” in Course 2159A, Deploying and Managing Microsoft Internet
Security and Acceleration Server 2000.
Document all aspects of your network configuration. Maintaining
documentation helps you to detect intrusion and recover from intrusion
incidents.
Understand the network protocols that you use with ISA Server. A thorough
understanding of these protocols will help to ensure that you configure ISA
Server properly.
Maintain physical security. Anyone with physical access to the ISA Server
computer can gain complete control of the computer.
(Slide: Security Templates. Security levels: Limited Services, Secure. Server templates: Hisecws.inf, Securews.inf, Basicsv.inf; domain controller template: Basicdc.inf.)
When configuring the security settings of the ISA Server computer, you can use
the ISA Server Security Configuration Wizard to increase the security of
several components of Windows 2000. Securing the ISA Server computer is
especially important when that computer is directly connected to the Internet.
You can select from one of the following security levels in the ISA Server
Security Configuration Wizard:
The security template that the ISA Server Security Configuration Wizard
applies depends on the security setting that you select and the type of computer
that you are using.
To run the ISA Server Security Configuration Wizard, the
systemroot\security\templates folder must contain the required template. If the
required template is missing, the ISA Server Security Configuration Wizard
fails to run. To add a missing template, you must copy it from the Microsoft
Windows 2000 Server compact disc to the Templates folder on your computer.
ISA Server uses the templates listed in the following table.
Security level      For a server     For a domain controller
Dedicated           Hisecws.inf      Hisecdc.inf
Limited Services    Securews.inf     Securedc.inf
Secure              Basicsv.inf      Basicdc.inf

For more information about security templates, see Module 9,
"Implementing Security in Windows 2000," in Course 2152, Implementing
Microsoft Windows 2000 Professional and Server.
Use the ISA Server Security Configuration Wizard to apply system security
settings to an ISA Server computer.
To run the Wizard:
1. In ISA Management, in the console tree, expand your server or array, and
then click Computer or Computers.
2. In the details pane, right-click the applicable server, click Secure, and then
follow the on-screen instructions to complete the wizard.
Viewing Configuration Changes
When you run the ISA Server Security Configuration Wizard, ISA Server
Lead-in: You can deploy ISA Server as a dedicated firewall that acts as the secure gateway to the Internet for internal clients.
Perimeter Networks
(Slide: a firewall connecting the Internet, the perimeter network, and the internal network.)
A perimeter network, also known as a DMZ, demilitarized zone, or screened
subnet, is a small network that you set up separately from an internal network
and the Internet. Perimeter networks allow external users to gain access to
specific servers that are located on the perimeter network, while preventing
direct access to the internal network.
Perimeter Network Uses
Three-Homed Perimeter Network
(Slide: an ISA Server computer with IP routing enabled connecting the Internet, the perimeter network, and the internal network.)
In a three-homed perimeter network configuration, a stand-alone ISA Server
computer or an array of ISA Server computers connects the Internet, the
perimeter network, and the internal network. ISA Server treats both the Internet
and the perimeter network as external networks, which requires that you enable
IP routing to move network packets between the networks.
Setting Up the ISA Server Computer
To set up an ISA Server computer in a three-homed perimeter network
configuration, install and configure each network adapter as follows:
1. Connect one network adapter to the internal network. Include all of the
internal IP addresses in the local address table (LAT).
2. Connect the second network adapter to the perimeter network. Do not add
the IP addresses of the perimeter network to the LAT.
3. Connect the third network adapter to the Internet. Do not add any IP
addresses from the Internet to the LAT.

Placing certain types of servers, especially File Transfer Protocol (FTP)
servers, into three-homed perimeter network configurations may create security
risks. For more information about these risks, see "Three-homed perimeter
network configuration" in ISA Server Help.
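The three adapter steps above reduce to one rule about the local address table: the internal adapter's address must be covered by the LAT, and the perimeter and Internet adapters' addresses must not be, because any address in the LAT is treated as internal and traffic to it is not subject to the firewall policy. The following check is an added example written for this page, not ISA Server code or output. It reads LAT entries as "first-last" address pairs, the way ISA Management lists them; the adapter names, the internal range 192.168.10.0/24, and the assignment of 131.107.1.1 to the Internet adapter and 131.107.2.1 to the perimeter adapter are assumptions made for the example.

```python
"""LAT sanity check for a three-homed ISA Server computer (added example)."""
import ipaddress
from typing import Dict, List, Tuple


def parse_lat(entries: List[str]) -> List[Tuple[int, int]]:
    """Turn 'a.b.c.d-w.x.y.z' LAT entries into inclusive integer ranges."""
    ranges = []
    for entry in entries:
        first, last = (ipaddress.IPv4Address(s.strip()) for s in entry.split("-"))
        if last < first:
            raise ValueError(f"LAT entry {entry!r} is reversed")
        ranges.append((int(first), int(last)))
    return ranges


def in_lat(address: str, ranges: List[Tuple[int, int]]) -> bool:
    """True when the address falls inside any LAT range."""
    ip = int(ipaddress.IPv4Address(address))
    return any(first <= ip <= last for first, last in ranges)


def lat_problems(lat_entries: List[str],
                 adapters: Dict[str, Tuple[str, str]]) -> List[str]:
    """adapters maps adapter name -> (IP address, role); role is 'internal',
    'perimeter' or 'external'. Returns one message per violated rule."""
    ranges = parse_lat(lat_entries)
    problems = []
    for name, (address, role) in adapters.items():
        covered = in_lat(address, ranges)
        if role == "internal" and not covered:
            problems.append(f"{name}: internal address {address} is missing from the LAT")
        elif role != "internal" and covered:
            # A perimeter or Internet address in the LAT is treated as internal,
            # so traffic to it bypasses the firewall policy.
            problems.append(f"{name}: {role} address {address} must not be in the LAT")
    return problems


# Constructed example data (assumption): the 131.107.x.x interface addresses
# follow the slides in this module; the internal range is invented.
LAT = ["192.168.10.1-192.168.10.254"]
ADAPTERS = {
    "Internal": ("192.168.10.1", "internal"),
    "Perimeter": ("131.107.2.1", "perimeter"),
    "External": ("131.107.1.1", "external"),
}

if __name__ == "__main__":
    for line in lat_problems(LAT, ADAPTERS) or ["LAT is consistent with adapter roles"]:
        print(line)
```

Run it after editing the LAT and before enabling IP routing; adding the perimeter range to the LAT is the mistake that silently turns the perimeter network into part of the internal network.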
the following actions:
Enable IP routing.
Enable packet filtering.
Create the appropriate IP packet filters to allow routing of the correct IP
packets to each of the servers in the perimeter network.
For example, to make a Simple Mail Transfer Protocol (SMTP) server on the
perimeter network available to users on the Internet, you must enable IP routing
and packet filtering. You then need to create an IP packet filter that configures
the ISA Server computer to route all of the required packets from the Internet to
the mail server.
Delivery Tip: Tell students that IP routing, packet filtering, and IP packet filters will be covered later in this module.
Examining Packet Filtering and IP Routing
Controlling Network Traffic
Understanding Packet Filtering
Lead-in: You can control the flow of IP packets to and from an external network interface of an ISA Server computer by using IP routing and packet filtering.
Controlling Network Traffic
(Slide: Web Proxy service; Firewall service, proxy; Firewall service, routing.)
You can use ISA Server to control the flow of IP packets between different
networks, typically your internal network and the Internet. ISA Server controls
IP packets by using the following services and methods:
Web Proxy service. The Web Proxy service receives outgoing Web requests
Lead-in: You can use ISA Server to control the flow of IP packets between different networks, typically your internal network and the Internet.
Understanding Packet Filtering
(Slide: an ISA Server computer with interfaces 131.107.1.1 and 131.107.2.1 applying a packet filter in front of the internal network. Example filter: Protocol UDP, Direction Incoming, Destination/Port 131.107.2.200/53, Source/Port Any/Any.)
also dynamically opens the appropriate ports that allow packets to return to the
IP address and port of the original packet.
For example, you create a packet filter that allows incoming packets to UDP
port 53 on a server on your perimeter network, and a computer on the Internet
sends a packet to the server. ISA Server automatically allows outgoing network
packets to pass from UDP port 53 on your perimeter network to the IP address
and port number that initiated the connection.
Dynamic packet filters that allow packets to return to the IP address
and port of the original packet are in effect for only the duration of the session.
Also, you cannot modify a dynamic rule.
Topic Objective: To describe the process of packet filtering.
Lead-in: Packet filtering allows you to control the network packets that an ISA Server computer accepts on an external network interface.
Types of Packet Filters
You control which packets are allowed to traverse an external network interface
of the ISA Server computer by using the following types of packet filters:
In some situations, you must use IP routing, packet filtering, or both IP routing
and packet filtering.
Situations That Require IP Routing
Use IP routing for the following situations:
Servers in a three-homed perimeter network. ISA Server treats both three-
homed perimeter networks and the Internet as external networks and routes
packets between them. When you allow users on the Internet to connect to a
server on a three-homed perimeter network, you must configure ISA Server
to perform IP routing between these networks.
Allowing external users to gain access to resources on servers on a
back-to-back perimeter network requires different configuration steps. For
more information about making servers in a back-to-back perimeter network
available to the Internet, see Module 7, “Configuring Access to Internal
Resources,” in Course 2159A, Deploying and Managing Microsoft Internet
Security and Acceleration Server 2000.
Protocols other than UDP and TCP. The Web Proxy service handles
outgoing requests that are using the Hypertext Transfer Protocol (HTTP),
Hypertext Transfer Protocol-Secure (HTTP-S), or FTP protocols. The
Firewall service handles requests from any application that uses the UDP
and TCP protocols. For all other protocols, ISA Server must route the
allows incoming packets to the ISA Server computer on TCP and UDP
port 53.
Applications running on the ISA Server computer. When you run an
application on the ISA Server computer that needs to connect to the Internet,
you must create one or more IP packet filters that allow the appropriate
outgoing packets. An application running on the ISA Server computer
cannot use the Firewall service to connect to the Internet because
configuring the ISA Server computer as a Firewall client is not supported.
Instead, the application must establish a direct connection to the Internet,
which requires you to create packet filters that allow the appropriate
network traffic.
For example, to allow an e-mail client application that is running on the ISA
Server computer to connect to an SMTP server, create an IP packet filter
that allows packets to pass from the ISA Server computer to TCP port 25 on
a remote SMTP server.
Do not create packet filters for outgoing traffic from internal
clients that pass through the Firewall service or the Web Proxy service.
Because ISA Server automatically and dynamically opens the ports that are
required to handle such communications based on the protocol rules that you
configured, no packet filters are required provided that all client requests use
the TCP or UDP protocol.
Servers in a three-homed perimeter network. When you allow users on the
Internet to connect to a server on a three-homed perimeter network, you
must create IP packet filters to open the ports that are required for ISA
Server to accept and route packets to services that are running on the server
in the perimeter network.
Use the following guidelines when using packet filtering, IP routing, or both.
Packet Filtering and IP Routing Not Enabled
When you do not enable packet filtering or IP routing, ISA Server does not
apply packet filters to incoming network traffic, which lowers the protection of
the ISA Server computer. Use this combination of settings only to optimize
performance and when the external interface of the ISA Server computer is
connected to a network that you have control over, for example, when using
ISA Server to forward traffic from a branch office by using a leased line.
Packet Filtering Enabled and IP Routing Not Enabled
When you enable packet filtering, ISA Server drops all of the IP packets on
external network interfaces unless they are explicitly allowed by static or
dynamic rules. The ISA Server computer also does not forward packets
directly. Use this setting when:
All client connections use the UDP or TCP protocol.
You do not need to forward packets between the Internet and a three-homed
perimeter network configuration.
Packet Filtering and IP Routing Enabled
When combining packet filtering and IP routing, you gain the security benefits
of packet filtering, the ability to route protocols other than TCP or UDP, and the
ability to route between the Internet and a three-homed perimeter network. Use
this configuration in situations that require both security and routing.
Packet Filtering Not Enabled and IP Routing Enabled
You cannot configure ISA Server to route packets without enabling packet
filtering because of the low level of security that such a configuration would
provide. If your network configuration requires a router, evaluate the Routing
and Remote Access service in Windows 2000.
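The packet-filtering behaviour described earlier in this section (a static incoming filter plus a dynamically opened return path that lasts only for the session and cannot be edited) and the four filtering/routing combinations just listed can be modelled in a few dozen lines. The model below is an added example written for this page, not ISA Server code; it does not show how ISA Server implements filtering internally. The Packet and StaticFilter fields, the verdict names local/route/drop, and the rule that a matching block filter wins over an allow filter are assumptions made for the model. The filter and the 131.107.x.x addresses follow the slide (UDP to 131.107.2.200 port 53); the Internet client 198.51.100.7 is constructed.

```python
"""Model of ISA Server external-interface packet filtering (added example)."""
from dataclasses import dataclass, replace
from typing import Optional, Set, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str                  # "TCP", "UDP", "ICMP", ...
    direction: str              # "in": arrives on the external interface; "out": leaves it
    remote_ip: str              # address on the Internet side
    remote_port: Optional[int]
    local_ip: str               # the ISA Server computer or a perimeter-network host
    local_port: Optional[int]

    def key(self) -> Tuple:
        """Session identity; identical for a packet and its reply."""
        return (self.proto, self.local_ip, self.local_port, self.remote_ip, self.remote_port)


@dataclass(frozen=True)
class StaticFilter:
    """A filter an administrator creates; 'any' is a wildcard for an address or port."""
    name: str
    proto: str
    direction: str
    local_ip: str
    local_port: str
    remote_ip: str
    remote_port: str
    mode: str = "allow"         # "allow" or "block"

    def matches(self, p: Packet) -> bool:
        return (self.proto == p.proto and self.direction == p.direction
                and self.local_ip in ("any", p.local_ip)
                and self.local_port in ("any", str(p.local_port))
                and self.remote_ip in ("any", p.remote_ip)
                and self.remote_port in ("any", str(p.remote_port)))


class Firewall:
    def __init__(self, packet_filtering: bool, ip_routing: bool, own_addresses, filters=()):
        # The product refuses IP routing without packet filtering (combination four above).
        if ip_routing and not packet_filtering:
            raise ValueError("IP routing requires packet filtering to be enabled")
        self.packet_filtering = packet_filtering
        self.ip_routing = ip_routing
        self.own_addresses = set(own_addresses)   # addresses of the ISA Server computer itself
        self.filters = list(filters)
        self.dynamic: Set[Tuple] = set()           # return paths opened by accepted incoming packets

    def decide(self, p: Packet) -> str:
        """'local': passes to/from the ISA Server computer; 'route': forwarded to/from
        the perimeter network; 'drop': discarded."""
        if not self.packet_filtering:
            allowed = True                          # nothing is inspected on the external interface
        elif p.direction == "out" and p.key() in self.dynamic:
            allowed = True                          # return traffic of an accepted session
        else:
            hits = [f for f in self.filters if f.matches(p)]
            allowed = bool(hits) and not any(f.mode == "block" for f in hits)  # model assumption
        if not allowed:
            return "drop"
        if p.local_ip in self.own_addresses:
            verdict = "local"
        elif self.ip_routing:
            verdict = "route"
        else:
            return "drop"                           # a perimeter host is reachable only with routing
        if self.packet_filtering and p.direction == "in":
            self.dynamic.add(p.key())               # open the reverse path for this session only
        return verdict

    def end_session(self, p: Packet) -> None:
        """Dynamic entries last for the session; they are removed, never edited."""
        self.dynamic.discard(p.key())


# Constructed scenario: the slide's filter, a DNS query from an Internet host, its reply.
DNS_IN = StaticFilter("Allow DNS to perimeter server", "UDP", "in", "131.107.2.200", "53", "any", "any")
QUERY = Packet("UDP", "in", "198.51.100.7", 40000, "131.107.2.200", 53)
REPLY = Packet("UDP", "out", "198.51.100.7", 40000, "131.107.2.200", 53)


def run_scenario() -> dict:
    fw = Firewall(True, True, {"131.107.1.1", "131.107.2.1"}, [DNS_IN])
    result = {
        "query": fw.decide(QUERY),                                           # route
        "reply": fw.decide(REPLY),                                           # route (dynamic entry)
        "reply_other_port": fw.decide(replace(REPLY, remote_port=40001)),    # drop
        "icmp_unfiltered": fw.decide(Packet("ICMP", "in", "198.51.100.7", None, "131.107.1.1", None)),
    }
    fw.end_session(QUERY)
    result["reply_after_session"] = fw.decide(REPLY)                         # drop
    no_routing = Firewall(True, False, {"131.107.1.1", "131.107.2.1"}, [DNS_IN])
    result["query_without_routing"] = no_routing.decide(QUERY)               # drop
    return result


if __name__ == "__main__":
    for name, verdict in run_scenario().items():
        print(f"{name:24} {verdict}")
```

Two points the scenario makes concrete: an incoming allow filter does not grant the perimeter server any outgoing traffic beyond the reply to the packet that was accepted, and the same filter is useless for a perimeter host until IP routing is enabled, whereas a filter whose local address is the ISA Server computer itself works without routing.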
Topic Objective: To identify the topics related to configuring packet filtering and IP routing.
Lead-in: You must enable packet filtering and IP routing to forward IP packets from one external network to another external network.
Enabling Packet Filtering and IP Routing
(Slide: the IP Packet Filters Properties dialog box, General tab, which controls packet routing and packet filtering properties. Tabs: General, Packet Filters, Intrusion Detection, PPTP. Check boxes: Enable packet filtering, Enable Intrusion detection, Enable IP routing.)
Creating IP Packet Filters
(Slide: New IP Packet Filter Wizard pages, from Start to Finish: Name the Filter, Select the Filter Mode, Select the Filter Type, Select Local IP Address, Select Remote Computer(s), Configure Filter Settings.)
Before you create an IP packet filter, you must identify the associated protocols
and ports for the specified packets. You must also identify the IP addresses or
IP address ranges of the computers for the source and destination.
To create a new IP packet filter:
1. In ISA Management, in the console tree, expand your server or array,
expand Access Policy, click IP Packet Filters, and then in the details pane,
click Create a Packet Filter.
2. In the New IP Packet Filter Wizard, type a name that describes the filter,
and then click Next.
3. On the Filter Mode page, select Allow packet transmission or Block