Contents Overview 1 Securing the Server 2 Examining Perimeter Networks 6 Examining Packet Filtering and IP Routing 10 Configuring Packet Filtering and IP Routing 17 Configuring Application Filters 24 Lab A: Configuring the Firewall 35 Review 45 Module 6: Configuring the Firewall Information in this document is subject to change without notice. The names of companies, products, people, characters, and/or data mentioned herein are fictitious and are in no way intended to represent any real individual, company, product, or event, unless otherwise noted. Complying with all applicable copyright laws is the responsibility of the user. No part of this document may be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without the express written permission of Microsoft Corporation. If, however, your only means of access is electronic, permission to print one copy is hereby granted. Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.  2001 Microsoft Corporation. All rights reserved. Microsoft, Active Directory, ActiveX, BackOffice, FrontPage, JScript, MS-DOS, NetMeeting, Outlook, PowerPoint, Visual Basic, Visual C++, Visual Studio, Windows, Windows Media, and Windows NT are either registered trademarks or trademarks of Microsoft Corporation in the U.S.A. and/or other countries. Other product and company names mentioned herein may be the trademarks of their respective owners. Instructional Designer: Victoria Fodale (Azwrite LLC) Technical Lead: Joern Wettern (Independent Contractor) Program Manager: Robert Deupree Jr. Product Manager: Greg Bulette Lead Product Manager, Web Infrastructure Training Team: Paul Howard Technical Contributors: Ronald Beekelaar, Adina Hagege, Eran Harel, John Lamb, Lucian Lui, Ron Mondri, Thomas W. Shinder, Bill Stiles (Applied Technology Services), Kent Tegels, Oren Trutner Graphic Artist: Andrea Heuston (Artitudes Layout & Design) Editing Manager: Lynette Skinner Editor: Stephanie Edmundson Copy Editor: Kristin Elko (S&T Consulting) Production Manager: Miracle Davis Production Coordinator: Jenny Boe Production Tools Specialist: Julie Challenger Production Support: Lori Walker ( S&T Consulting) Test Manager: Peter Hendry Courseware Testing: Greg Stemp (S&T OnSite) Creative Director, Media/Sim Services: David Mahlmann CD Build Specialist: Julie Challenger Manufacturing Support: Laura King; Kathy Hershey Operations Coordinator: John Williams Lead Product Manager, Release Management: Bo Galford Group Manager, Business Operations: David Bramble Group Manager, Technical Services: Teresa Canady Group Product Manager, Content Development: Dean Murray General Manager: Robert Stewart Module 6: Configuring the Firewall iii Instructor Notes This module provides students with the knowledge and skills to configure Microsoft ® Internet Security and Acceleration (ISA) Server 2000 as a firewall. After completing this module, students will be able to:  Secure the ISA Server computer.  Explain the use of perimeter networks.  Explain the use of packet filtering and Internet Protocol (IP) routing.  Configure packet filtering and IP routing.  Configure application filters. Materials and Preparation This section provides the materials and preparation tasks that you need to teach this module. Required Materials To teach this module, you need the Microsoft PowerPoint ® file 2159A_06.ppt. Preparation Tasks To prepare for this module, you should:  Read all of the materials for this module.  Complete the lab.  Study the review questions and prepare alternative answers to discuss.  Anticipate questions that students may ask. Write out the questions and provide the answers.  Read “Using Packet Filtering,” “Using extensions,” “Internet Security,” “Perimeter Network Scenarios,” and “ISA Server system Security” in ISA Server Help.  Read Module 9, “Implementing Security in Windows 2000,” in Course 2152, Implementing Microsoft Windows 2000 Professional and Server.  Read Module 3, “Enabling Secure Internet Access,” Module 7, “Configuring Access to Internal Resources,” and Module 8, “Monitoring and Reporting,” in Course 2159A, Deploying and Managing Microsoft Internet Security and Acceleration Server 2000.  Review RFC 792, “Internet Control Message Protocol,” under Additional Readings on the Trainer Materials compact disc. Presentation: 75 Minutes Lab: 30 Minutes iv Module 6: Configuring the Firewall Module Strategy Use the following strategy to present this module:  Securing the Server Discuss the best practices for securing computers, explaining that the list in the module is not comprehensive but is meant to be a guideline. Explain that the ISA Server Security Configuration Wizard changes several operating system settings to pre-configured values and emphasize that ISA Server includes no automatic method of reverting back to the original values.  Examining Perimeter Networks Briefly describe the use of perimeter networks, which were introduced in Module 1. Ensure that students understand that ISA Server treats both the Internet and the perimeter network as external networks, which requires that you enable IP routing to move network packets between the networks.  Examining Packet Filtering and IP Routing Explain that the packet filtering and routing functions of ISA Server provide more enhanced security than the packet filtering and routing functions of the Microsoft Windows ® 2000 Routing and Remote Access service. Emphasize that you should use ISA Server, and not the Routing and Remote Access service, to configure packet filtering and routing on an ISA Server computer. Explain that ISA Server treats IP addresses that are in the Local Address Table (LAT) as internal and does not apply packet filters to those addresses. Explain that the decision to use IP routing to support a perimeter network depends on the type of perimeter network.  Configuring Packet Filtering and IP Routing Tell students to always confirm that ISA Server does not include a predefined filter before creating a custom IP packet filter.  Configuring Application Filters Explain that unlike IP packet filters, which make forwarding decisions based on the header of each IP packet, application filters can examine entire transactions between a client application and a server application. Explain that some functionality of the Simple Mail Transfer Protocol (SMTP) filter depends on the Message Screener component. Mention that the Message Screener is an optional ISA Server component that you usually install on a separate computer on your network. Explain that redirecting Hypertext Transfer Protocol (HTTP) requests improves client performance and allows you to apply site and content rules to Firewall clients and SecureNAT clients. Explain that the H.323 filter enables users who use conferencing applications, such as Microsoft NetMeeting ® , to communicate with others over the Internet. Module 6: Configuring the Firewall v Customization Information This section identifies the lab setup requirements for a module and the configuration changes that occur on student computers during the labs. This information is provided to assist you in replicating or customizing Microsoft Official Curriculum (MOC) courseware. The lab in this module is also dependent on the classroom configuration that is specified in the Customization Information section at the end of the Classroom Setup Guide for Course 2159A, Deploying and Managing Microsoft Internet Security and Acceleration Server 2000. Lab Setup The following list describes the setup requirements for the lab in this module. Setup Requirement 1 The lab in this module requires that ISA Server be installed on all ISA Server computers. To prepare student computers to meet this requirement, perform one of the following actions:  Complete Module 2, “Installing and Maintaining ISA Server,” in Course 2159A, Deploying and Managing Microsoft Internet Security and Acceleration Server 2000.  Perform a full installation of ISA Server manually. Setup Requirement 2 The lab in this module requires that the ISA Server administration tools be installed on all ISA Server client computers. To prepare student computers to meet this requirement, perform one of the following actions:  Complete Module 2, “Installing and Maintaining ISA Server,” in Course 2159A, Deploying and Managing Microsoft Internet Security and Acceleration Server 2000.  Install the ISA Server administration tools manually. Setup Requirement 3 The lab in this module requires that the Firewall Client be installed on all ISA Server client computers. To prepare student computers to meet this requirement, perform one of the following actions:  Complete Module 2, “Installing and Maintaining ISA Server,” in Course 2159A, Deploying and Managing Microsoft Internet Security and Acceleration Server 2000.  Install the Firewall Client manually. Important vi Module 6: Configuring the Firewall Setup Requirement 4 The lab in this module requires that all of the ISA Server client computers be configured to use the ISA Server computer’s IP address on the private network as their default gateway. To prepare student computers to meet this requirement, perform one of the following actions:  Complete Module 2, “Installing and Maintaining ISA Server,” in Course 2159A, Deploying and Managing Microsoft Internet Security and Acceleration Server 2000.  Configure the default gateway manually. Setup Requirement 5 The lab in this module requires that Microsoft Internet Explorer be configured on all student computers to use the ISA Server computer as a Web Proxy server. To prepare student computers to meet this requirement, perform one of the following actions:  Complete Module 2, “Installing and Maintaining ISA Server,” in Course 2159A, Deploying and Managing Microsoft Internet Security and Acceleration Server 2000.  Configure Internet Explorer manually. Setup Requirement 6 The lab in this module requires that Internet Information Services (IIS) be configured on all ISA Server computers to use Transmission Control Protocol (TCP) port 8008 for the default Web site. To prepare student computers to meet this requirement, perform one of the following actions:  Complete Module 2, “Installing and Maintaining ISA Server,” in Course 2159A, Deploying and Managing Microsoft Internet Security and Acceleration Server 2000.  Configure IIS manually. Setup Requirement 7 The lab in this module requires a protocol rule on the ISA Server computer that that allows all members of the Domain Admins group to gain access to the Internet by using any protocol. To prepare student computers to meet this requirement, perform one of the following actions:  Complete Module 3, “Enabling Secure Internet Access,” in Course 2159A, Deploying and Managing Microsoft Internet Security and Acceleration Server 2000.  Create the rule manually. Lab Results Performing the lab in this module introduces the following configuration changes:  The ISA Server computer is configured with the Basicdc.inf security template.  ISA Server is configured to perform packet filtering and routing. Module 6: Configuring the Firewall 1 Overview  Securing the Server  Examining Perimeter Networks  Examining Packet Filtering and IP Routing  Configuring Packet Filtering and IP Routing  Configuring Application Filters ***************************** ILLEGAL FOR NON - TRAINER USE ****************************** Microsoft ® Internet Security and Acceleration (ISA) Server 2000 includes several security features to help you enforce your security policies. The ISA Server Security Configuration Wizard enables you to set the appropriate level of system security for the operating system. Packet filtering helps prevent unauthorized access to your internal network by inspecting incoming traffic and blocking packets that do not meet your specified security criteria. Internet Protocol (IP) routing allows you to forward network packets according to rules that you define. Application filters control application-specific traffic to determine if network traffic should be accepted, rejected, redirected, or modified. The packet filtering and routing functions of ISA Server provide more enhanced security than the packet filtering and routing functions of the Microsoft Windows ® 2000 Routing and Remote Access. To provide the most comprehensive security for your internal network, use ISA Server, not the Routing and Remote Access service, to configure packet filtering and routing on an ISA Server computer. After completing this module, you will be able to:  Secure the ISA Server computer.  Explain the use of perimeter networks.  Explain the use of packet filtering and IP routing.  Configure packet filtering and IP routing.  Configure application filters. Topic Objective To provide an overview of the module topics and objectives. Lead-in In this module, you will learn how to configure ISA Server as a firewall. Important 2 Module 6: Configuring the Firewall    Securing the Server  Best Practices  Setting System Security ***************************** ILLEGAL FOR NON - TRAINER USE ****************************** ISA Server is an important component of an overall security strategy, but network security consists of many elements. Using security best practices will also help you to secure your network effectively. ISA Server includes the ISA Server Security Configuration Wizard, which you can use to apply system security settings to a single ISA Server computer or to all of the servers in an array. The ISA Server Security Configuration Wizard uses security templates that are included with Microsoft Windows 2000 Server to configure the operating system for different levels of security. You can set the appropriate level of system security, depending on how ISA Server functions in your network. Topic Objective To identify the topics related to securing the ISA Server computer. Lead-in ISA Server is an important component of an overall security strategy, but network security consists of many elements. Module 6: Configuring the Firewall 3 Best Practices Stay Informed About Security Issues Stay Informed About Security Issues Install the Latest Service Pack and Security Updates Install the Latest Service Pack and Security Updates Do Not Run Unnecessary Services or Accept Unnecessary Packets Do Not Run Unnecessary Services or Accept Unnecessary Packets Audit Security-Related Events and Review the Associated Log Files Audit Security-Related Events and Review the Associated Log Files Document All Aspects of Your Network Configuration Document All Aspects of Your Network Configuration Understand the Network Protocols that You Use With ISA Server Understand the Network Protocols that You Use With ISA Server Maintain Physical Security Maintain Physical Security ***************************** ILLEGAL FOR NON - TRAINER USE ****************************** Because the ISA Server computer is often directly connected to the Internet, it is important that you adequately secure that computer. The following list presents security best practices to use as guidelines when securing computers in your network, and particularly the ISA Server computer:  Stay informed about security issues pertaining to Windows 2000 and ISA Server. For security bulletins and other security-related information, see the Microsoft Security Web site at http://www.microsoft.com/security. You may also want to subscribe to security-related mailing lists.  Install the latest service pack and security updates. Before installing any service packs or updates, test them thoroughly in a lab environment.  Do not run unnecessary services on the ISA Server computer, and configure ISA Server with rules that allow only required network traffic to pass through the ISA Server computer.  Audit security-related events and frequently review the associated log files. For more information about Windows 2000 auditing, see Module 9, “Implementing Security in Windows 2000,” in Course 2152, Implementing Microsoft Windows 2000 Professional and Server. For more information about monitoring ISA Server security, see Module 8, “Monitoring and Reporting,” in Course 2159A, Deploying and Managing Microsoft Internet Security and Acceleration Server 2000.  Document all aspects of your network configuration. Maintaining documentation helps you to detect intrusion and recover from intrusion incidents.  Understand the network protocols that you use with ISA Server. A thorough understanding of these protocols will help to ensure that you configure ISA Server properly.  Maintain physical security. Anyone with physical access to the ISA Server computer can gain complete control of the computer. Topic Objective To describe security best practices. Lead-in Because the ISA Server computer is often directly connected to the Internet, it is important that you adequately secure that computer. Delivery Tip Explain that this list is not comprehensive, but is meant to present guidelines for securing the ISA Server computer. Note 4 Module 6: Configuring the Firewall Setting System Security Domain Controller Templates Domain Controller Templates Hisecdc Hisecdc .inf .inf Securedc.inf Securedc.inf Security Level Security Level Dedicated Dedicated Limited Limited Services Services Basicdc Basicdc .inf .inf Secure Secure Server Templates Server Templates Hisecws.inf Hisecws.inf Securews.inf Securews.inf Basicsv.inf Basicsv.inf ***************************** ILLEGAL FOR NON - TRAINER USE ****************************** When configuring the security settings of the ISA Server computer, you can use the ISA Server Security Configuration Wizard to increase the security of several components of Windows 2000. Securing the ISA Server computer is especially important when that computer is directly connected to the Internet. You can select from one of the following security levels in the ISA Server Security Configuration Wizard:  Dedicated. Use this setting when an ISA Server computer is functioning as a dedicated firewall with no other applications.  Limited Services. Use this setting when the ISA Server computer is functioning as a combined firewall and cache server. An ISA Server computer can also be protected by an additional firewall.  Secure. Use this setting when the ISA Server computer performs other functions, such as running a Web server, a database server, or a mail server. The ISA Server Security Configuration Wizard changes several operating system settings to pre-configured values. To change all of these settings back to the original values, you must document or export the settings before running the wizard and then reconfigure all of the values. ISA Server includes no automatic method of reverting back to the original values. Topic Objective To describe the security levels that you can set for the ISA Server computer. Lead-in There are three security levels that you can apply to an ISA Server computer. Caution [...]... Readings on the Student Materials compact disc 6 On the Local Computer page, select the IP address or IP addresses to apply the filter to, and then click Next 7 On the Remote Computer page, select the remote computer or computers to apply the filter to, and then click Next 8 On the Completing the New IP Packet Filter Wizard page, review your choices, and then click Finish 22 Module 6: Configuring the Firewall. .. Server 2000 24 Module 6: Configuring the Firewall Configuring Application Filters Topic Objective To identify topics related to configuring application filters Application Filter Overview Lead-in Configuring the SMTP Filter Application filters provide an extra layer of security for the Firewall service Configuring the Streaming Media Filter Configuring the HTTP Redirector Filter Configuring the H.323 Filter... to clear the Enable an SMTP command check box Configure the SMTP application filter buffer overflow thresholds On the SMTP Commands tab, double-click the appropriate command In the SMTP Command Rule box, select the Enable an SMTP command check box In the Maximum Length box, type the maximum length of the command line for the SMTP commands Module 6: Configuring the Firewall 29 Configuring the Streaming... filter, on the Filter settings page, enter the following information, and then click Next 20 Module 6: Configuring the Firewall For this setting Do the following IP protocol Select Custom protocol, Any, ICMP, TCP, or UDP If you select Custom Protocol, provide the protocol number Number Type the number of the IP protocol Direction Specify the direction for the communication The settings available in the wizard... In addition, the Streaming Media filter can improve the performance of the streaming media for clients by splitting the live streams 30 Module 6: Configuring the Firewall Delivery Tip Explain the use of WMT and Windows Media Services Configuring Live Stream Splitting Configuring live stream splitting enables the Streaming Media filter to obtain the media stream from the Internet and then make it available... Server computer Firewall service routing The Firewall service can also route IP packets between networks Routing forwards network packets between different networks without changing the IP addresses and ports in the IP packet header The Firewall service also uses rules to determine whether to route a packet You define these rules by creating IP packet filters 12 Module 6: Configuring the Firewall Understanding... 2000 Protocols other than UDP and TCP The Web Proxy service handles outgoing requests that are using the Hypertext Transfer Protocol (HTTP), Hypertext Transfer Protocol-Secure (HTTP-S), or FTP protocols The Firewall service handles requests from any application that uses the UDP and TCP protocols For all other protocols, ISA Server must route the packets Module 6: Configuring the Firewall 15 Situations... and then follow the on-screen instructions to complete the wizard Viewing Configuration Changes When you run the ISA Server Security Configuration Wizard, ISA Server creates a log file of all of the changes ISA Server names this file securwiz.log and places it in the ISA Server installation directory You can review this file to see the actions that the wizard performed 5 6 Module 6: Configuring the Firewall. .. about these risks, see “Three-homed perimeter network configuration” in ISA Server Help Module 6: Configuring the Firewall 9 Configuring the Perimeter Network The Microsoft Web Proxy service and the network address translation component of the Microsoft Firewall service move network packets between only an internal network and an external network or vice versa Because ISA Server treats both the Internet... servers in the perimeter network For example, to make a Simple Mail Transfer Protocol (SMTP) server on the perimeter network available to users on the Internet, you must enable IP routing and packet filtering You then need to create an IP packet filter that configures the ISA Server computer to route all of the required packets from the Internet to the mail server 10 Module 6: Configuring the Firewall . Install the Firewall Client manually. Important vi Module 6: Configuring the Firewall Setup Requirement 4 The lab in this module requires that all of the. packets between the networks. Note Module 6: Configuring the Firewall 9 Configuring the Perimeter Network The Microsoft Web Proxy service and the network