ISA Server 2000 in Education Deployment Kit

Helping Secure and Accelerate the Campus Internet with ISA Server 2000 Firewalls and Web Proxy Servers

Microsoft Internet Security and Acceleration Server 2000 in Education Deployment Kit

Chapter 1

Helping Secure and Accelerate the Campus Internet with ISA Server 2000 Firewalls and Web Proxy Servers

Dr. Thomas W Shinder

Debra Shinder

January 2004

Table of Contents

How ISA Server 2000 Helps Secure the Campus Network

Packet Filtering

Circuit-Level Filtering

Intelligent Application Filters

Accelerating the Web Browsing Experience with Web Proxy Caching

Why Use ISA Server 2000 as the Campus Firewall and Web Caching Server?

Benefits of ISA Server 2000 over other firewall and caching solutions

Tight integration with the Microsoft Windows operating systems

Integrated firewall and Web cache management

Scalability to support growing school districts, colleges and universities

Lower Total Cost of Ownership (TCO)

Benefits of Windows Integration

Microsoft Windows 2000 and Windows Server 2003 Active Directory Domains

Windows Networking and Network Server Services

Windows Management Interfaces and Reporting Tools

Integrated Firewall and Web Cache Management

Unified Policy and Access Control for Firewall and Web Caching Services

Familiar MMC-based Management Interface

Scaling Up and Scaling Out for the Campus Network

Tiered Policy Management Centralizes Access Control for All Campus Firewalls

Scale Up Performance with Multiple Processors

Scale Out Performance with Network Load Balancing and CARP

Lower Cost of Ownership

Integrated Networking Services – VPN, Firewall, Intrusion Detection and Bandwidth Control

Capitalize on Network Administrators’ Existing Windows Skills

Works with Your Current Network Infrastructure

Extensible Open Platform that can be Enhanced with Free Software Development Kit (SDK)

ISA Server 2000 Firewalls and Web Proxy Servers Solve Common Internet Access Control Problems for Educational Institutions

Granular Access Control for Web Browsing

Simplify Firewall Administration for Busy Campus Administrators

Blocking and Reporting Students from Attacking External Web Sites

Identifying Abusers of Campus Internet Access

Web Connections Stressing Bandwidth on the Internet Link

Campus Network Administrators Require Firewall and VPN Access

Rural School Districts Benefit from Web Proxy Chaining

Educational Institutions Securely Self-Host Their Own Web Sites


Academia was among the first fields to make use of the online environment, but even a decade ago, online access was not as universally available in schools as it is today. Now it’s not just those in the computer science departments of universities who depend on the Internet. Teachers, parents, and administrators of K-12 and higher educational institutions are all influenced by the effects the Internet has had on education. The Internet has become a powerful tool, enabling access to distributed resources, facilitating learning at the K-12 and higher education levels, enabling elementary and secondary students to create content and publish it to a global audience, allowing college students to work together with other college students across the world, making it possible for university researchers to collaborate regardless of location, and helping parents view and participate in their children's schoolwork more easily than ever before.

The Internet is a powerful tool that can be used to enhance the educational experience, but it also has some inherent risks. This is especially true in the school, college and university environments. Children can view inappropriate material over the Internet; Internet intruders can break into campus networks and compromise student records; students can waste time by going to chat or game sites instead of using the Internet to research information for assignments; and internal or external hackers can use the campus computers to launch attacks. Other problems of a more technical nature, such as system performance and management, arise when network Internet access systems are pushed to their limits by the ever-increasing number of users on the campus network.

Microsoft ISA Server 2000 helps to solve some of the common problems encountered by today's Internet-connected primary and secondary schools, colleges, universities and other educational institutions. ISA Server 2000 is an intelligent application layer firewall and Web caching server that helps protect the campus network from external attacks and from exploits that may originate from the internal network behind the ISA Server 2000 machine. The ISA Server 2000 Web cache helps educational institutions reduce overall bandwidth utilization and can provide a faster Web access experience for campus Internet users by returning popular Web content from the ISA Server 2000 Web cache on the local network instead of from an increasingly congested Internet.

ISA Server can provide value to information technology managers, network administrators, and information security professionals in educational organizations of all sizes who are concerned about the security, performance, manageability, or operating costs of their networks. ISA Server can be used in a wide range of scenarios, from small schools, districts and satellite campuses to major, multi-campus systems and statewide networks.

How ISA Server 2000 Helps Secure the Campus Network

ISA Server 2000 enhances security using several methods. These include:

· packet filtering

· circuit-level filtering

· application filtering

ISA Server 2000 combines these methods to provide protection at multiple network layers.

Packet Filtering

When packet filtering is enabled, all packets on the external interface are dropped unless IP packet filters, Protocol Rules or Web or Server Publishing Rules explicitly allow them. The ISA Server 2000 firewall intercepts and evaluates packets before they are passed to higher levels in the firewall engine or to an application filter. Packet filtering also allows you to block packets originating from specific Internet hosts in the event that you have enabled inbound access to campus network resources for Internet users but need to block selected hosts on the Internet.

ISA Server 2000 uses dynamic packet filtering mechanisms that simplify configuration and management of the ISA Server 2000 firewall. Ports are opened automatically as required and closed when the communication ends. In contrast to static packet filtering used by traditional firewalls, dynamic filtering reduces the number of statically open ports for both inbound and outbound access.

Circuit-Level Filtering

ISA Server 2000’s circuit-level filtering provides another layer of security because the firewall inspects transport layer sessions. A transport layer session can include multiple primary and secondary connections, providing a number of important benefits for Windows-based clients running the Firewall Client software. The ISA Server 2000 Firewall client can use complex protocols that require secondary connections (such as voice and video applications) because it can track all the connections that participate in the transport layer session.

These transport layer sessions can be established only in response to an authenticated user request. This can improve security. In addition, circuit-level filtering provides built-in support for protocols with secondary connections, such as FTP, streaming media and voice/video applications.

A major advantage for the campus firewall and network administrator is the ability to define the complex protocol's primary and secondary connection port requirements in the user interface without requiring C++ programming skills or third-party tools. All you need to do is specify the port number or range, protocol type, TCP or UDP, and inbound or outbound direction.
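The dynamic packet filtering and circuit-level tracking of secondary connections described in the two sections above, as an added illustration (this is example code written for this page, not ISA Server's filter engine): the external interface drops anything no rule allows, an allowed outbound primary connection opens state so its replies pass, a protocol definition may declare a secondary connection that is admitted only while the primary session is open, and the ports close when the session ends. The FTP-style definition (primary TCP 21 outbound, secondary TCP 1024-65535 inbound) and the addresses are constructed for the example.

```python
# Added illustration, not ISA Server code: a minimal dynamic packet filter
# with circuit-level tracking of secondary connections. Default deny on
# the external interface; outbound primary connections open state for
# replies; a protocol definition's secondary connection (constructed
# FTP-style case) is admitted only while its primary session is open.
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str        # "TCP" or "UDP"
    sport: int
    dport: int
    direction: str    # "out": internal -> Internet, "in": Internet -> internal

@dataclass(frozen=True)
class ProtocolDef:
    name: str
    proto: str
    primary_port: int
    secondary: Optional[tuple] = None   # (proto, low_port, high_port, direction)

class DynamicFilter:
    def __init__(self, allowed):
        self.allowed = {(p.proto, p.primary_port): p for p in allowed}
        self.sessions = {}  # (internal, external, proto, sport, dport) -> ProtocolDef

    def evaluate(self, pkt: Packet) -> str:
        if pkt.direction == "out":
            pdef = self.allowed.get((pkt.proto, pkt.dport))
            if pdef is None:
                return "drop"           # no protocol rule: default deny
            self.sessions[(pkt.src, pkt.dst, pkt.proto, pkt.sport, pkt.dport)] = pdef
            return "allow:primary:" + pdef.name
        if (pkt.dst, pkt.src, pkt.proto, pkt.dport, pkt.sport) in self.sessions:
            return "allow:reply"        # reply on a dynamically opened port
        for (ihost, ehost, _, _, _), pdef in self.sessions.items():
            sec = pdef.secondary
            if (sec and ihost == pkt.dst and ehost == pkt.src and sec[0] == pkt.proto
                    and sec[3] == "in" and sec[1] <= pkt.dport <= sec[2]):
                return "allow:secondary:" + pdef.name
        return "drop"                   # unsolicited inbound traffic

    def close(self, pkt: Packet) -> None:
        # session ended: the opened port and any secondary allowance go away
        self.sessions.pop((pkt.src, pkt.dst, pkt.proto, pkt.sport, pkt.dport), None)
```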

Intelligent Application Filters

In order to protect the campus network from 21st century attackers, a firewall needs to be able to “understand” and filter application layer protocols. Today’s more sophisticated attacks leverage known and unknown weaknesses in these protocols to attack the campus network. For instance, attackers exploit vulnerabilities in DNS, SMTP and HTTP to circumvent traditional firewalls that only filter at the packet level (network layer). Because so many different protocols operate at the application layer, this

Intelligent application filters allow the ISA Server 2000 firewall to analyze the data stream for a particular application layer protocol and provide application layer specific inspection, screening or blocking, redirecting, or modification of the data as it passes through the firewall.

Application layer inspection (stateful inspection) is used to protect against such threats as unsafe SMTP commands or attacks against internal DNS servers that have been published using ISA Server 2000. Third-party content screening tools, including virus detection, content analysis, and site blocking, can be built into the firewall as application and Web filters.
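The kind of application layer inspection just described, as an added example (not ISA Server's own SMTP filter): a stream-oriented filter that reassembles SMTP command lines from client-to-server TCP segments, checks each verb against a policy, and records a pass or block decision. The permitted verb set and the line length limit are assumptions chosen for the example; the page names no specific command set.

```python
# Added illustration, not ISA Server code: an SMTP application filter that
# inspects the client->server data stream line by line. Policy values below
# are assumptions for the example (the page does not list the unsafe commands).
ALLOWED_VERBS = {"HELO", "EHLO", "MAIL", "RCPT", "DATA", "RSET",
                 "NOOP", "QUIT", "STARTTLS", "AUTH"}
MAX_LINE = 512   # RFC 5321 command line limit including CRLF

class SmtpCommandFilter:
    def __init__(self, allowed=ALLOWED_VERBS, max_line=MAX_LINE):
        self.allowed = allowed
        self.max_line = max_line
        self.buf = b""          # partial line carried across TCP segments
        self.in_data = False    # message body after DATA is passed, not inspected

    def feed(self, segment: bytes) -> list:
        """Feed one client->server segment; return a decision per complete line."""
        self.buf += segment
        decisions = []
        while b"\r\n" in self.buf:
            line, self.buf = self.buf.split(b"\r\n", 1)
            decisions.append(self._decide(line))
        if len(self.buf) > self.max_line:
            # oversized partial line: block before the server ever sees it
            decisions.append(("block", "line too long", self.buf[:16]))
            self.buf = b""
        return decisions

    def _decide(self, line: bytes) -> tuple:
        if self.in_data:
            if line == b".":        # end of message body
                self.in_data = False
            return ("pass", "message body", None)
        if len(line) + 2 > self.max_line:
            return ("block", "line too long", line[:16])
        verb = line.split(b" ", 1)[0].upper().decode("ascii", "replace")
        if verb not in self.allowed:
            return ("block", "command not permitted", verb)
        if verb == "DATA":
            self.in_data = True
        return ("pass", "ok", verb)
```

A real filter would also answer a blocked command with an SMTP error reply or reset the connection; here the decision list is the point.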

Accelerating the Web Browsing Experience with Web Proxy Caching

ISA Server 2000 can provide both firewall and Web Proxy features. The ISA Server 2000 Web Proxy service enables the firewall to act as a Web caching server. The Web Proxy component can accelerate the campus Web user’s browsing experience. The Web Proxy cache stores Web pages that have been requested by users so that the next time the same pages are requested by campus network users, the requests can be answered from the Web Proxy cache instead of having to be filled from the original Web site on the Internet.

ISA Server 2000 Web Proxy servers use fast RAM caching that keeps the most frequently accessed Web content in memory. This improves response time even further by retrieving popular Web content from memory instead of from the disk-based cache file. ISA Server 2000 also provides an optimized disk cache database that reduces read and write disk access events.

The Web Proxy service supports both forward caching and reverse caching. Forward caching takes place when users behind the ISA Server 2000 Web caching server (internal users) make requests for Internet Web content. Reverse caching takes place when the ISA Server 2000 Web Proxy machine acts as a “reverse proxy” and enables Internet users (external users) faster access to Web sites on the campus network.

Why Use ISA Server 2000 as the Campus Firewall and Web Caching Server?

Security and fast Web access are both highly desirable commodities for today’s network administrators. Users of school, college and university networks need the protection offered by a sophisticated application layer aware firewall and the enhanced performance provided by a Web caching server.

There are many different vendors providing firewall and/or caching solutions. It’s difficult for busy IT personnel, administrators and purchasing agents to know which will best fit the needs of their educational institution’s network.

Benefits of ISA Server 2000 over other firewall and caching solutions

There are several reasons to choose ISA Server 2000 as your campus firewall and Web caching server. When compared to competitive products (including both hardware solutions such as Cisco Systems’ PIX firewall and software based solutions such as CheckPoint), ISA Server 2000 has a number of advantages. Benefits of using ISA Server 2000 include:

· Tight integration with the Microsoft Windows operating systems

· Integrated firewall and Web cache management

· Scalability to support growing school districts, colleges and universities

· Lower Total Cost of Ownership (TCO)

Tight integration with the Microsoft Windows operating systems

More than any other firewall or caching product, ISA Server 2000 is tightly integrated with the Microsoft Windows operating systems that run on so many educational institutions’ servers and client machines. Microsoft designed ISA Server from the ground up specifically to work with Windows. This makes for easy installation and management.

Administrators don’t need to learn about proprietary operating systems and management environments, as with most hardware-based solutions, because ISA Server 2000 uses the same tools they are accustomed to using when managing any Windows Server. This makes for a short learning curve and the ability to get the ISA server(s) up and running quickly and efficiently.

This complete compatibility with Windows also means administrators won’t have to deal with software conflicts as they might with some third-party software based solutions that run on Windows computers. Better compatibility means better reliability and stability for the entire network.

Integrated firewall and Web cache management

In many cases, third-party products function only as a firewall or only as a Web caching server. Many of the products that are capable of providing both functionalities require that you install add-on software to gain the extra functionality. This may mean extra cost to purchase the add-ons, and in many cases it also means additional hardware. These “two box” solutions, in which the firewall runs on one hardware device and the caching service runs on another, also double the number of devices subject to failure.

ISA Server 2000 provides a single management interface for both network security and Web performance: a “one-box” solution that reduces the hardware and software overhead from that required by other firewall and Web caching devices. This simplifies administration, reduces cost and literally gives you “two for the price of one.” With ISA Server 2000, you get both an industrial strength firewall and a high performance Web cache on the same machine.

Scalability to support growing school districts, colleges and universities

All educational institutions grow over time, and many campuses are currently enjoying unprecedented increases in enrollment. ISA Server 2000 can grow with the institution: its scalability lets you easily add more ISA Server 2000 machines to the campus network so that your firewall and Web caching solution grows with you.

ISA servers can be grouped together into arrays so that client requests can be distributed among all the members of the array. This provides load balancing and fault tolerance, as well as easier administration. Enterprise policies and Web caching arrays can be managed centrally, so that management of an entire array and all ISA Server 2000 firewalls can be accomplished from a single management station.

Another way that ISA Server 2000 is scalable is through the addition of processors to the ISA Server 2000 machine. ISA Server can take advantage of Windows 2000’s and Windows Server 2003’s support for symmetric multiprocessing; this provides a way to increase performance without purchasing an entirely new machine.

Lower Total Cost of Ownership (TCO)

ISA Server 2000 is a cost effective firewall and Web caching solution. Initial cost compares favorably to many popular competing firewall and caching solutions, and the savings extend to total cost of ownership. For example, campus network administrators can install the ISA Server 2000 firewall and Web caching software on a single machine, instead of breaking up the Web caching and firewall components and installing them on separate devices. This reduces overall costs by saving on hardware, software, and maintenance overhead. The shorter learning curve based on the familiar Windows MMC interface reduces the cost of administrative time in getting up to speed on the software. And the ability of ISA Server 2000 to utilize multiple processors reduces upgrade costs necessary to realize performance gains.