Module 1: Overview of Microsoft ISA Server

Contents

Overview
Introducing ISA Server
Using Caching
Using Firewalls
Deployment Scenarios for ISA Server
Review

Information in this document is subject to change without notice. The names of companies, products, people, characters, and/or data mentioned herein are fictitious and are in no way intended to represent any real individual, company, product, or event, unless otherwise noted. Complying with all applicable copyright laws is the responsibility of the user. No part of this document may be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without the express written permission of Microsoft Corporation. If, however, your only means of access is electronic, permission to print one copy is hereby granted.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

© 2001 Microsoft Corporation. All rights reserved.

Microsoft, Active Directory, ActiveX, BackOffice, FrontPage, JScript, MS-DOS, NetMeeting, Outlook, PowerPoint, Visual Basic, Visual C++, Visual Studio, Windows, Windows Media, and Windows NT are either registered trademarks or trademarks of Microsoft Corporation in the U.S.A. and/or other countries. Other product and company names mentioned herein may be the trademarks of their respective owners.

Instructor Notes

Presentation: 45 Minutes

This module provides students with an introduction to Microsoft® Internet Security and Acceleration (ISA) Server 2000 and defines the associated functions and underlying concepts. The module is organized as a preview of the course content and will be entirely lecture based.

After completing this module, students will be able to:
• Explain the use of ISA Server.
• Describe the use of Web caching.
• Describe the use of firewalls.
• Identify common deployment scenarios for ISA Server.

Materials and Preparation

This section provides the materials and preparation tasks that you need to teach this module.

Required Materials

To teach this module, you need the Microsoft PowerPoint® file 2159A_01.ppt.

Preparation Tasks

To prepare for this module, you should:
• Read all of the materials for this module.
• Study the review questions and prepare alternative answers to discuss.
• Anticipate questions that students may ask. Write out the questions and provide the answers.
• Review the ISA Server Web page (www.microsoft.com/isaserver/) for updated information about ISA Server.
• Read “Deployment scenarios” in ISA Server Help.
• Read “ISA Server Usage Scenarios” in the white paper entitled “Internet Security and Acceleration Server 2000 Installation and Deployment Guide” under Additional Reading on the Trainer Materials compact disc.
• Read the white paper titled “Internet Security and Acceleration Server 2000 Enterprise Edition: Deploying the Secure Firewall, Proxy, and Web Cache at Microsoft” under Additional Reading on the Trainer Materials compact disc.
• Read RFC 2979, “Behavior of and Requirements for Internet Firewalls,” under Additional Reading on the Trainer Materials compact disc.
• Read RFC 2196, “Site Security Handbook,” under Additional Reading on the Trainer Materials compact disc.
• Read RFC 2504, “Users' Security Handbook,” under Additional Reading on the Trainer Materials compact disc.
• Read RFC 2828, “Internet Security Glossary,” under Additional Reading on the Trainer Materials compact disc.

Module Strategy

Use the following strategy to present this module:

• Introducing ISA Server
  Introduce ISA Server to students by briefly describing the product benefits. Mention that the .NET Enterprise Servers animation is available on the Student Materials compact disc.

• Using Caching
  Use the animated slide to describe the process that ISA Server uses to cache Web content. Explain the three types of caching that ISA Server can use to accelerate Web performance for both internal and external clients.

• Using Firewalls
  Discuss how a firewall protects the internal network from intruders on the Internet by allowing only specific network traffic to come in to or to go out of an internal network. Describe the three types of firewall designs presented in the module. Explain that this course uses the term perimeter network to refer to a network that is separate from both the Internet and the private network and that contains resources to make available to users on the Internet in a secure manner. Because the terms DMZ and screened subnet are also commonly used, tell students that these terms are interchangeable. Ensure that students understand the terms and concepts associated with controlling network access. These terms and concepts will be presented in more detail throughout the course.

• Deployment Scenarios for ISA Server
  Before you discuss the different deployment scenarios, explain that the examples that the module presents are just some of many possible scenarios. Tell students that they can find more deployment scenarios in ISA Server Help and in the printed product documentation.

Customization Information

This section identifies the lab setup requirements for a module and the configuration changes that occur on student computers during the labs. This information is provided to assist you in replicating or customizing Microsoft Official Curriculum (MOC) courseware.

There are no labs in this module, and as a result, there are no lab setup requirements or configuration changes that affect replication or customization.

Overview

Topic Objective: To provide an overview of the module topics and objectives.
Lead-in: In this module, you will learn about using ISA Server as a cache server and as an enterprise firewall.

• Introducing ISA Server
• Using Caching
• Using Firewalls
• Deployment Scenarios for ISA Server

*****************************ILLEGAL FOR NON-TRAINER USE******************************

The Internet enables organizations to connect with customers, partners, and employees. Although this presents new business opportunities, it can also cause concerns about security, performance, and manageability. Microsoft® Internet Security and Acceleration (ISA) Server 2000 is designed to address the needs of today’s Internet-enabled organizations.

ISA Server includes caching features that enable organizations to save network bandwidth and provide faster Web access for users. ISA Server also includes a firewall service that helps protect network resources against unauthorized access from outside of the organization’s network, while enabling efficient authorized access. Finally, ISA Server includes management and administration features that enable organizations to centrally control and manage Internet use and access.

After completing this module, you will be able to:
• Explain the use of ISA Server.
• Describe the use of Web caching.
• Describe the use of firewalls.
• Identify common deployment scenarios for ISA Server.

Introducing ISA Server

Topic Objective: To introduce ISA Server.
Lead-in: ISA Server provides benefits and deployment options to help organizations manage Internet security and access.

• ISA Server Editions
• Benefits of ISA Server
• Installation Modes

ISA Server is an enterprise firewall and cache server running on the Microsoft Windows® 2000 Server operating system that provides policy-based access control, acceleration, and management of internetworking. ISA Server is available in two editions that are designed to meet the business and networking needs of your organization. Whether deployed as separate components or as an integrated firewall and caching server, ISA Server provides organizations with a unified management console that is designed to simplify security and access management.

ISA Server Editions

Topic Objective: To identify the ISA Server editions.
Lead-in: ISA Server is available in two editions that are designed to meet the business and networking needs of your organization.

• ISA Server Standard Edition
• ISA Server Enterprise Edition

ISA Server is available in two editions that are designed to meet the business and networking needs of your organization.

ISA Server Standard Edition

The standard edition provides firewall security and Web caching capabilities for small businesses, workgroups, and departmental environments. The standard edition provides robust security, fast Web access, intuitive management, and excellent price and performance for business-critical environments.

ISA Server Enterprise Edition

The enterprise edition is designed to meet the performance, management, and scalability needs of high-volume Internet traffic environments with centralized server management, multiple levels of access policy, and fault-tolerant capabilities. The enterprise edition provides secure, scalable, and fast Internet connectivity for mission-critical environments.

Benefits of ISA Server

Topic Objective: To describe the benefits offered by ISA Server.
Lead-in: ISA Server offers an organization several benefits for Internet connectivity.

• Acceleration: Fast Web Access with a High-Performance Cache
• Security: Secure Internet Connectivity Through a Multilayered Firewall
• Management: Unified Management with Integrated Administration
• Extensibility: Extensible and Open Platform

Delivery Tip: To present more information about the .NET Enterprise Server family, play the .NET Enterprise Servers animation. The animation is included on the Trainer Materials compact disc.

ISA Server is a key member of the .NET Enterprise Server family. The products in the .NET Enterprise Server family are Microsoft’s comprehensive family of server applications for building, deploying, and managing scalable, integrated, Web-based solutions and services. ISA Server offers several benefits to organizations that want fast, secure, and manageable Internet connectivity.

Note: For more information about the .NET Enterprise Server family, view the .NET Enterprise Servers animation, which is included on the Student Materials compact disc.

Fast Web Access with a High-Performance Cache

ISA Server provides the following Web performance benefits:
• Provides faster Web access for users by retrieving objects locally rather than over a slower connection to the potentially congested Internet.
• Reduces bandwidth costs by reducing network traffic from the Internet.
• Distributes the content of Web servers and e-commerce applications efficiently and cost-effectively to reach customers worldwide.

Note: The capability for distributing Web content is available only in the ISA Server Enterprise Edition.

Secure Internet Connectivity Through a Multilayered Firewall

ISA Server provides the following security benefits:
• Protects networks from unauthorized access by inspecting network traffic at several layers.
• Protects Web, e-mail, and other application servers from external attacks by using Web publishing and server publishing to securely process incoming requests to internal servers.
• Filters incoming and outgoing network traffic to ensure security.
• Enables secure access for authorized users from the Internet to the internal network by using virtual private networks (VPNs).

Unified Management with Integrated Administration

ISA Server provides the following management benefits:
• Controls access centrally to ensure and enforce corporate policies.
• Improves productivity by limiting Internet use to approved applications and destinations.
• Allocates bandwidth to match business priorities.
• Provides monitoring tools and produces reports that show how Internet connectivity is used.
• Automates commonly performed tasks by using scripts.

Extensible and Open Platform

ISA Server provides the following extensibility and customization benefits:
• Addresses security and performance needs that are specific to an organization by using the ISA Server Software Development Kit (SDK) for in-house development of add-on components.
• Extends security and management functionality with third-party solutions.
• Automates administrative tasks with scriptable Component Object Model (COM) objects.

Installation Modes

Topic Objective: To identify the installation modes and associated features of ISA Server.
Lead-in: There are three modes for installing ISA Server.

• Cache Mode
• Firewall Mode
• Integrated Mode
• Features Available with Each Mode

You can install ISA Server in three different modes: cache mode, firewall mode, and integrated mode.

Cache Mode

In cache mode, you can improve network performance and save bandwidth by storing frequently accessed Web objects closer to the user. You can then route requests from clients to a cache server that holds the cached objects.

Firewall Mode

In firewall mode, you can secure network traffic by configuring rules that control communication between an internal network and the Internet. You can also publish internal servers, which enables an organization to share data on its network with partners or customers.

Integrated Mode

In integrated mode, you can combine the firewall and cache services on a single host computer. Although organizations can deploy ISA Server as a separate firewall or as a separate caching server, you can combine the firewall and cache server by choosing integrated mode. Many organizations can benefit from unified administration of caching and firewall functions.

Firewall Overview

Topic Objective: To describe the primary functions of a firewall.
Lead-in: A firewall serves two primary functions.

A Firewall is:
• A Controlled Point of Access for All Traffic that Enters the Internal Network
• A Controlled Point of Access for All Traffic that Leaves the Internal Network

Key Points: A firewall is typically installed at the point where an internal network connects to the Internet.

In a building, you construct a firewall to keep a fire in one area of the building from spreading to another area of a building. A firewall on a network provides a similar purpose—it prevents the potential dangers of the Internet from spreading to your internal network. A firewall is typically installed at the point where an internal network connects to the Internet.

A firewall serves two primary functions:
• It is a controlled point of access for all traffic that enters the internal network. A firewall prevents unauthorized users from gaining access to your network data and resources.
• It is a controlled point of access for all traffic that leaves the internal network. A firewall ensures that interactions between the Internet and your internal network conform to the security rules and policies of your organization.

Bastion Host

Topic Objective: To describe a bastion host.
Lead-in: A bastion host is the main point of contact for clients of internal networks to gain access to the Internet.

[Slide diagram: Internet, Firewall, Internal Network]
Delivery Tip: Explain that a bastion host derives its name from the highly fortified projections of the outer walls of medieval castles.

A bastion host is a computer that is the main point of contact for clients of internal networks to gain access to the Internet. As a firewall, the bastion host is designed to defend against attacks aimed at the internal network. A bastion host is typically used for smaller networks to protect the internal network from intruders.

Configuration of a Bastion Host

A bastion host has two network adapters, one connected to the internal network and one connected to the Internet. This configuration physically isolates the internal network from potential intruders on the Internet. Because a bastion host configuration is a single point of defense, it is important to make sure that the computer is well secured.

Advantage of a Bastion Host

The advantage of using a bastion host is that it minimizes the cost and the amount of administration that is required for a firewall. However, a bastion host depends on a single firewall to secure the entire network. If an Internet user compromises the firewall, that Internet user can gain access to the organization’s internal network, including any resources that are not sufficiently secured.

Important: Because a bastion host allows Internet users to have direct access to your internal network, you must use additional means to protect your internal resources, such as setting strict access permissions on network resources.

Perimeter Network with Three-Homed Firewall

Topic Objective: To describe a perimeter network with a three-homed firewall.
Lead-in: In a perimeter network configuration with a three-homed firewall, a single ISA Server computer, or an array of ISA Server computers, is set up with three network adapters.

[Slide diagram: Perimeter Network, Internet, Firewall, Internal Network]

Key Points: A perimeter network allows external clients to gain access to specific servers located in the perimeter network, while completely preventing access to the internal network.

A perimeter network is a small network that contains resources that you want to make available to users on the Internet while maintaining the security of these resources. A perimeter network is separate from both your internal network and the Internet. A perimeter network allows external clients to gain access to specific servers located in the perimeter network, while completely preventing access to the internal network. You typically use a perimeter network to deploy e-mail and Web servers.

A perimeter network can be set up in one of two configurations: a perimeter network with a three-homed firewall or a perimeter network with back-to-back firewalls.

Configuration of Perimeter Network with Three-Homed Firewall

In a perimeter network configuration with a three-homed firewall, the firewall is set up with three network adapters. One adapter is connected to each of the following networks:
• The Internet
• The internal network servers located in the perimeter network
• The internal network clients

Although the servers in the perimeter network each have Internet Protocol (IP) addresses that can be accessed by external clients, the firewall computer does not allow direct access to resources that are located on the internal network.

Note: An organization’s security policy may also allow limited and very controlled network traffic between computers in the perimeter network and selected computers on the internal network.

Advantages of a Perimeter Network with Three-Homed Firewall

A three-homed firewall provides more security than a bastion host because it allows secure access to some network resources from the Internet without allowing network traffic between the Internet and your internal network. A three-homed firewall gives you a single point of administration to configure access to both your perimeter network and your internal network. However, a three-homed firewall also presents a single point of access to all parts of your network, which means that you must be especially careful in designing your access rules and monitoring for security breaches.

Perimeter Network with Back-to-Back Firewalls

Topic Objective: To describe the design of a perimeter network with back-to-back firewalls.
Lead-in: In a perimeter network with back-to-back firewalls, two firewalls are located on either side of the perimeter network.

[Slide diagram: Perimeter Network, Internet, External Firewall, Internal Firewall]

Key Points: In a perimeter network with back-to-back firewalls, there is no single point of access from the Internet to your internal network. This design is the most secure of the firewall designs presented in this module.

In addition to a perimeter network with a three-homed firewall, you can also configure a perimeter network with back-to-back firewalls.

Configuration of Back-to-Back Firewalls

In a perimeter network with back-to-back firewalls, two firewalls are located on either side of the perimeter network. The two firewalls are connected to the perimeter network, with one also connected to the Internet and the other one also connected to the internal network. In this configuration, there is no single point of access. To reach the internal network, a user would need to get past both firewalls.

Advantages of Back-to-Back Firewalls

You can configure more restrictive security rules on back-to-back firewalls than on a three-homed firewall, which helps you to protect your internal network more reliably. It is also easier to configure rules for a back-to-back firewall design if an organization’s access policy allows limited and very controlled network traffic between computers in the perimeter network and selected computers on the internal network.

Important: The back-to-back firewall configuration is the safest and most commonly used firewall design. Some organizations use variations of this design to achieve even higher levels of security. For more information about firewall design, see Course 2150A, Designing a Secure Microsoft Windows 2000 Network.
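
The comparison of the three firewall designs above (bastion host, three-homed perimeter, back-to-back perimeter) can be checked mechanically. The following Python model is an added example, not part of the Microsoft courseware; the network names, the function names, and the assumption that a breached firewall forwards traffic between all of its adapters are introduced here for illustration.

```python
from itertools import combinations

# Each design maps a firewall to the set of networks its adapters connect to,
# following the adapter layouts described in the module text.
DESIGNS = {
    "bastion host": {
        "firewall": {"Internet", "Internal"},
    },
    "three-homed perimeter": {
        "firewall": {"Internet", "Perimeter", "Internal"},
    },
    "back-to-back perimeter": {
        "external firewall": {"Internet", "Perimeter"},
        "internal firewall": {"Perimeter", "Internal"},
    },
}


def exposed_by(design, breached, src="Internet"):
    """Networks reachable from src when only the breached firewalls pass traffic.

    Assumption: a breached firewall forwards between all of its adapters,
    while an intact firewall passes nothing the attacker can use.
    """
    reached, frontier = {src}, [src]
    while frontier:
        net = frontier.pop()
        for fw in breached:
            if net in design[fw]:
                for other in design[fw] - reached:
                    reached.add(other)
                    frontier.append(other)
    return reached - {src}


def firewalls_to_breach(design, target="Internal"):
    """Smallest number of firewalls whose compromise exposes the target network."""
    names = sorted(design)
    for count in range(1, len(names) + 1):
        for combo in combinations(names, count):
            if target in exposed_by(design, combo):
                return count
    return None  # the target is not connected to the Internet at all


def single_points_of_access(design, target="Internal"):
    """Firewalls whose compromise alone joins the Internet to the target."""
    return [fw for fw in sorted(design) if target in exposed_by(design, [fw])]


def report():
    """Summarise every design: (firewalls to breach, single points of access)."""
    return {
        name: (firewalls_to_breach(d), single_points_of_access(d))
        for name, d in DESIGNS.items()
    }


if __name__ == "__main__":
    for name, (count, points) in report().items():
        print(f"{name}: breach {count} firewall(s); single points: {points or 'none'}")
```

The model reproduces the module's ranking: only the back-to-back design has no single point of access, and a breach of its external firewall exposes the perimeter network but not the internal network.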

Date posted: 22/10/2013, 19:15
