Hao Xueying (郝雪莹), Microsoft China
Security and Speed, Perfectly Combined: Microsoft Internet Security and Acceleration Server 2000

Slide 2: Agenda
- Product overview
- Deployment scenarios
- Firewall
- Caching
- Management
- Extensibility

Slide 3: New Opportunities, New Challenges
Opportunities:
- Use the network to connect your customers, partners and employees
- E-commerce on the Web brings your business new opportunities
Challenges:
- Turning a resource-constrained internal network into one merged with the Internet exposes it to every hacker, virus and unauthorized user
- Competition is fierce; your Web site must deliver fast, reliable service
- Managing such a network demands more advanced skills

Slide 4: The Connected Business, New Concerns
- Protect your internal network from hackers and other intruders
- Manage and control network access
- Speed up network access while protecting scarce bandwidth

Slide 5: Microsoft's View of Security
- Security flaws and virus attacks are a serious, costly, industry-wide problem
- Internet security is the most basic precondition for digital business worldwide
- As an industry leader, Microsoft has a special responsibility to protect the Internet and customer data

Slide 6: Microsoft ISA Server 2000, Security and Speed Combined
- Secure network connectivity: protect the network with a scalable, multi-layered firewall
- Fast Web access: a scalable, high-performance Web cache
- Unified management: robust policy and management integrated with Windows 2000
- Extensible open platform: an advanced platform that can be extended and customized

Slide 7: What Is ISA Server 2000
- Firewall and cache
- Editions: ISA Server Standard Edition and ISA Server Enterprise Edition

Slide 8: Microsoft ISA Server 2000, Standard Edition vs. Enterprise Edition feature comparison table

Slide 9: What Is ISA Server 2000, ISA system requirements

Slide 10: Firewall & Cache
- Both belong at the network edge, the junction with the Internet
- Modular installation
- Unified management: MMC; logging and reporting; monitoring and alerting
- One consistent access policy
- Lower training and maintenance cost

Slide 11: Tight Integration with Windows 2000
Security:
- Packet filtering
- Network address translation (NAT & SecureNAT)
- Authentication
- System hardening
- Virtual private networking (VPN)
Management:
- MMC
- Terminal Services
- Event log
- Active Directory, which can hold array configuration and policy data (NOT required!)
- Bandwidth control
- Transparent support for clients and servers on other platforms

Slide 12: Much More Than "Proxy Server 3.0"
- Transparency for all clients and servers
- Enterprise policy
- Group policy
- Schedules
- Active Directory integration
- Extensible application filters
- SMTP filter
- Streaming media splitting
- H.323 filter & Gatekeeper
- MMC-based UI
- Task pads, wizards
- Remote administration
- Configuring Exchange Server behind the firewall
- IIS separation
- RAM caching
- New cache store
- Scheduled content download
- VPN integration
- Intrusion detection
- System hardening
- NTLM & Kerberos authentication
- Dual-hop SSL
- Customizable alerts
- Logging: W3C format, selectable fields
- Integrated reporting
- Bandwidth control
- New APIs
- Modular installation

Section: Deployment Scenarios (Microsoft Internet Security & Acceleration Server 2000)

Slide 14: Small Organization
- A single ISA Server between the Internet and the organization's network

Slide 15: Large Enterprise
- ISA Server firewall & cache between the Internet and the enterprise, managed together

Slide 16: DMZ & Secure Publishing
- Diagram labels: Internet, ISA #2, ISA #1, DMZ #1, Intranet

Slide 17: Chaining
- Diagram labels: Internet, Firewall, Main, ISA Server Array, leased line or VPN connection, Branch, ISA Server

Section: Protect the Network with a Scalable, Multi-Layered Firewall

Slide 19: Why Use a Firewall?
- Protect yourself from hackers, viruses and unauthorized users
- Control outbound Internet access
- Protect Web servers and e-mail servers
- More secure data access: protect critical data and information, and manage access to information

Slide 20: ISA Server Firewall
- Packet-, circuit- and application-level traffic screening
- Stateful inspection examines traffic in its context
- Reduces the risk of unauthorized access
- Analyze or modify content with "smart" application filters
- Integrated intrusion detection, based on technology licensed from Internet Security Systems (ISS)
- Secure publishing: protect servers that are reachable from the outside world
- System hardening: "lock down" the operating system, further strengthening security
- Integrated with Windows 2000 VPN, with a wizard for easy configuration

Slide 21: The Multi-Layered Firewall
- Bottom-up protection at every level
- Packet level: static filters; dynamic filters; intrusion detection
- Circuit (protocol) level: session-based filtering; connection association
- Application level: intelligent payload inspection
- Diagram labels: packet level, circuit level, application level

Slide 22: Smart Application Filters
- Protocol-aware filters analyze the traffic and can block, redirect or modify it
- Intelligent filtering out of the box: HTTP (Web request caching); SMTP (traffic filtering); streaming media (stream splitting); FTP (read-only restriction); H.323 (NetMeeting through the firewall)

Slide 23: Intrusion Detection

Slide 24: Additional Security Features
- VPN integration: integrated with Windows 2000 VPN; wizard for easy configuration
- System hardening wizard: "lockdown" for the operating system; three pre-defined levels
- Secure publishing: SSL bridging; encrypted tunneling

Slide 25: ISA Server, Microsoft's Firewall: ISA Server Features
- Multi-layered firewall
- Centralized or distributed management
- Publishing
- ICSA certified
Slide 26: ISA Server, Microsoft's Firewall: How a Firewall Protects
- A firewall filters network traffic that enters or leaves a protected network
- Decisions are based on: IP address, protocol and port number; connection establishment; the IP packet payload (application filtering); authentication; logging and alerting

Slide 27: ISA Server Architecture (diagram)

Slide 28: Outgoing Firewall Traffic Flow (diagram)

Slide 29: Incoming Firewall Traffic Flow (diagram)

Slide 30: ISA Server Default Behaviour
- No incoming or outgoing traffic is passed unless specifically allowed
- Exceptions: ISA Server itself can perform DNS lookups, and you can ping from the ISA Server

Slide 31: Rules for Outgoing Requests
- Protocol rules: who may use which protocol, to reach what, and when? Default: no access
- Site and content rules: who may reach which sites and which content, and when? Default: all access
- Both rule types must permit a request before it is allowed out to the Internet

Slide 32: Rules for Incoming Requests
- Server publishing rules: redirect traffic for an external address/port to an internal address
- Web publishing rules: redirect Web requests only; can redirect to multiple internal Web sites; can choose the port for redirection; can perform SSL bridging
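The two-layer outgoing decision on slides 31 and 46 (packet filters can override rules; a protocol rule must allow, with no access by default; a site and content rule must allow, the shipped default being an all-access rule) is easy to get wrong when planning a policy, so here is a small model of it in Python. This is an added illustration, not ISA Server code: the rule names, users, destinations and the IRC packet filter are constructed for the example, and the evaluation order (packet filters, then protocol rules with deny taking precedence, then site and content rules evaluated the same way) is my reading of the slides rather than a description of the product internals.

```python
"""Model of ISA Server 2000's decision on an outgoing request (added example,
not ISA Server code). Order of evaluation, per the slides:
  1. packet filters (static; can override any rule),
  2. protocol rules (default: no access; a matching deny wins),
  3. site and content rules (the shipped 'all access' default is modelled as
     a rule that matches every site).
Rule names, users, destinations and the IRC filter below are constructed."""
from dataclasses import dataclass
from datetime import time
from typing import Callable, FrozenSet, List, Optional, Tuple

ANY = "*"   # wildcard: every protocol, every destination, or every user

@dataclass(frozen=True)
class Request:
    user: str
    protocol: str      # "HTTP", "FTP", ...
    port: int
    destination: str   # destination host name
    when: time         # time of day the request is made

@dataclass(frozen=True)
class PacketFilter:
    action: str        # "allow" or "block"
    protocol: str
    port: int

@dataclass(frozen=True)
class ProtocolRule:
    name: str
    action: str                  # "allow" or "deny"
    protocols: FrozenSet[str]
    users: FrozenSet[str]        # {ANY} applies to everyone
    start: time = time(0, 0)     # schedule window, inclusive
    end: time = time(23, 59)

@dataclass(frozen=True)
class SiteRule:
    name: str
    action: str
    sites: FrozenSet[str]        # {ANY} matches every destination
    users: FrozenSet[str]

def _matches(rule_set: FrozenSet[str], value: str) -> bool:
    return ANY in rule_set or value in rule_set

def _evaluate(rules, applies: Callable) -> Tuple[str, Optional[str]]:
    """Shared rule logic: a matching deny wins; otherwise a matching allow is required."""
    allowed_by = None
    for rule in rules:
        if applies(rule):
            if rule.action == "deny":
                return "deny", rule.name
            allowed_by = rule.name
    return ("allow", allowed_by) if allowed_by else ("deny", None)

def decide(req: Request, packet_filters: List[PacketFilter],
           protocol_rules: List[ProtocolRule], site_rules: List[SiteRule]) -> Tuple[str, str]:
    """Return (verdict, reason) for one outgoing request."""
    for pf in packet_filters:          # 1. packet filters override everything
        if pf.action == "block" and pf.protocol == req.protocol and pf.port == req.port:
            return "deny", f"packet filter blocks {pf.protocol}/{pf.port}"
    verdict, proto_rule = _evaluate(   # 2. protocol rules
        protocol_rules,
        lambda r: _matches(r.protocols, req.protocol) and _matches(r.users, req.user)
        and r.start <= req.when <= r.end)
    if verdict == "deny":
        return "deny", (f"protocol rule {proto_rule!r} denies {req.protocol}" if proto_rule
                        else "no protocol rule allows this protocol (default: no access)")
    verdict, site_rule = _evaluate(    # 3. site and content rules
        site_rules, lambda r: _matches(r.sites, req.destination) and _matches(r.users, req.user))
    if verdict == "deny":
        return "deny", (f"site and content rule {site_rule!r} denies {req.destination}" if site_rule
                        else "no site and content rule allows this destination")
    return "allow", f"allowed by protocol rule {proto_rule!r} and site and content rule {site_rule!r}"

# Constructed sample policy
PACKET_FILTERS = [PacketFilter("block", "IRC", 6667)]
PROTOCOL_RULES = [
    ProtocolRule("Web for everyone", "allow", frozenset({"HTTP", "HTTPS"}), frozenset({ANY})),
    ProtocolRule("FTP in office hours", "allow", frozenset({"FTP"}), frozenset({"alice", "bob"}),
                 time(8, 0), time(18, 0)),
    ProtocolRule("No FTP for contractors", "deny", frozenset({"FTP"}), frozenset({"bob"})),
]
SITE_RULES = [
    SiteRule("Allow rule", "allow", frozenset({ANY}), frozenset({ANY})),   # the shipped default
    SiteRule("Block gambling", "deny", frozenset({"casino.example"}), frozenset({ANY})),
]

def check(user: str, protocol: str, port: int, destination: str, hour: int = 10) -> Tuple[str, str]:
    """Evaluate one request against the sample policy at the given hour of the day."""
    req = Request(user, protocol, port, destination, time(hour, 0))
    return decide(req, PACKET_FILTERS, PROTOCOL_RULES, SITE_RULES)

if __name__ == "__main__":
    for args in [("alice", "HTTP", 80, "www.example.com"), ("alice", "HTTP", 80, "casino.example"),
                 ("alice", "FTP", 21, "ftp.example.com"), ("alice", "FTP", 21, "ftp.example.com", 22),
                 ("bob", "FTP", 21, "ftp.example.com"), ("alice", "IRC", 6667, "irc.example.com")]:
        print(args, "->", check(*args))
```

The case worth noticing is bob: an allow rule matches him, but the deny rule for contractors still wins regardless of where it sits in the list, and alice's FTP is refused at 22:00 not because anything denies it but because nothing allows it, which is the "default: no access" on slide 31.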
Slide 33: ISA Server, Microsoft's Firewall: Firewall Planning
- Assess needs for outgoing traffic: start from "deny all" or "allow all"; research user requirements; design the required rules and policy elements; plan for authentication (if required)
- Assess needs for incoming traffic: inventory the resources that must be reachable from the Internet; design the required rules and policy elements

Slide 34: Firewall Planning (continued)
- Scaling: arrays; Network Load Balancing (NLB); DNS round robin
- Perimeter network requirements

Slide 35: Firewall Design: No External Access Required

Slide 36: Firewall Design: Screened Host
- Diagram labels: Internet, Firewall, Screened Host, Internal Network

Slide 37: Firewall Design: Three-Homed Perimeter Network
- Diagram labels: Internet, Firewall, Perimeter Network, Internal Network

Slide 38: Firewall Design: Back-to-Back Perimeter Network

Slide 39: Using Publishing and Routing: Methods for Passing Network Traffic
- Web Proxy service
- Firewall service (proxy)
- IP routing (secured by packet filters)

Slide 40: Using Publishing and Routing: Comparing Publishing and Routing
- Publishing rules publish internal sites to the external network
- The Local Address Table (LAT) defines what counts as internal
- In the three-homed design the perimeter network is treated as an external network, so routing must be configured between the two external networks
- Routing is secured by packet filters

Slide 41: Using Publishing and Routing: Server Publishing
- Reverse network address translation (NAT), from the external network to the internal network
- Packets received on the external interface are sent to the identical port on the internal server
- Mapping: each port on each external address can be mapped separately
- Normally used for non-Web servers

Slide 42: Using Publishing and Routing: Web Publishing
- Redirects requests for URLs received on the external interface
- Can redirect to multiple Web sites
- Can redirect to internal or external sites

Slide 43: Using Publishing and Routing: Secure Web Publishing
- The client connection terminates at the ISA Server computer
- ISA Server can perform authentication
- ISA Server needs the Web server's certificate, since it is ISA Server that completes the SSL handshake with the client
- What about the connection between ISA Server and the internal Web server? SSL bridging: choice of HTTPS, HTTP or FTP for the inside leg; with HTTP or FTP that leg is unencrypted, so the network between ISA Server and the internal server must be trusted

Slide 44: Using Publishing and Routing: Routing
- Required for all protocols other than TCP or UDP
- Required to reach a three-homed perimeter network (external to external)
- ISA Server enforces packet filtering on routed traffic
- Note: packet filtering enhances security and increases performance
- Warning: do not enable routing outside of ISA Server

Demonstration 1: Server Publishing and Web Publishing
- Creating a server publishing rule
- Creating a Web publishing rule

Slide 46: ISA Server Configuration: Outgoing Traffic
- Protocol rules and site and content rules
- Packet filters: needed for protocols other than UDP or TCP, and for applications or services running on the ISA Server computer itself
- Packet filters can override rules

Slide 47: ISA Server Configuration: Screened Host
- Configure server publishing rules
- Configure Web publishing rules

Slide 48: ISA Server Configuration: Three-Homed Perimeter Network
- Use routing with packet filtering for perimeter network servers
- Perimeter servers need routable IP addresses
- Use publishing between the perimeter network and the internal network

Slide 49: ISA Server Configuration: Back-to-Back Perimeter Network
- Use publishing rules to publish servers on the perimeter network to the Internet
- Use publishing rules to publish servers on the internal network to the perimeter network
- Each ISA Server requires its own LAT

Slide 50: Miscellaneous Configuration: Authentication
- Firewall clients: user-based, automatic; requires client software; Win32 clients only; TCP and UDP only
- SecureNAT clients: identified by IP address only; no client software; all platforms, all protocols
Slide 51: Miscellaneous Configuration: Authentication (continued)
- Web Proxy clients: identified by user (the logged-on user, or an authentication dialog box)
- The browser or other client must be configured to use the proxy
- Authentication methods must be configured: Basic, Digest, Integrated, Certificates (Basic sends the password in cleartext, so use it only over SSL)

Slide 52: Miscellaneous Configuration: Intrusion Detection
- Technology licensed from Internet Security Systems (ISS)
- Monitors for a number of common attacks
- Extensive options for alerting

Slide 53: Miscellaneous Configuration: Server Hardening
- A wizard applies security settings to make Windows 2000 Server even more secure

Slide 54: Miscellaneous Configuration: H.323 Gatekeeper
- A "switchboard" for H.323 applications: NetMeeting, Voice over IP (VoIP), etc.

Slide 55: Miscellaneous Configuration: Message Screener
- Works with the SMTP filter to screen SMTP messages for users and domains, attachments, keywords, and SMTP commands
- Can run on the ISA Server computer or on another computer

Demonstration 2: Message Screener
- Blocking users and domains
- Blocking attachments
- Blocking keywords

Slide 57: Miscellaneous Configuration: VPN Configuration
- Two types of connection: access by remote users; connecting two networks
- Wizards configure ISA Server and RRAS: ISA Server packet filters; RRAS configured as a VPN server
- RRAS performs all VPN functions; additional configuration may be required

Demonstration 3: VPN Configuration
- Configuring a local VPN
- Configuring a remote VPN
- Reviewing VPN configuration settings

Section: Caching: a Scalable, High-Performance Web Cache

Slide 60: Cache Scenarios: Forward Proxy
- Corporate network users (the user "Liz" in the diagram) connect to the Internet via ISA Server
Slide 61: Cache Scenarios: Reverse Caching
- To the Internet, ISA Server looks like a Web server
- Internally it routes requests to multiple servers

Slide 62: Why Use Caching?
- Faster browsing
- Lower network bandwidth costs
- Less load on Web servers
- More reliable data access
- In short: increase performance and reduce costs

Slide 63: ISA Server Caching Features
- Web access acceleration: RAM caching ("hot content" is served from RAM); an efficient cache mechanism that minimizes disk I/O; active caching; scheduled content download
- Distributed caching: Cache Array Routing Protocol (CARP); hierarchical caching; tiered policy

Slide 64: CARP on the Server (diagram)

Slide 65: CARP (Cache Array Routing Protocol)
- Efficient: a distributed cache; arrays scale linearly and balance load; no content is duplicated across servers; makes the best use of total cache size and cache hit rate
- Reliable: fault-tolerant, self-tuning arrays; when servers are added or removed, content migration and reconfiguration happen dynamically
- Flexible: routing can be implemented on the server for best transparency, or on the client for maximum efficiency
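Slide 65 claims that CARP spreads content over the array with no duplication and that adding or removing a member reconfigures the array dynamically. Both properties come from hash-based routing, which the following Python sketch reproduces. It is an added example, not ISA Server code: the hash and combination constants follow the CARP v1 Internet-Draft as I recall it and should be treated as an assumption, the member names and URLs are constructed, and the per-member load factor is a plain multiplier rather than the draft's cumulative computation. What the example shows is that the owner of a URL depends only on that URL and each member's own hash, so when a member leaves, only the URLs it owned move.

```python
"""Hash-based request routing in the style of CARP (added example, not ISA
Server code). Constants follow the CARP v1 Internet-Draft from memory and
are an assumption; the member names and URLs below are constructed."""
from typing import Dict, Iterable

MASK = 0xFFFFFFFF

def rotl32(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & MASK

def carp_hash(s: str) -> int:
    """32-bit hash applied to both URLs and array member names."""
    h = 0
    for byte in s.encode("utf-8"):
        h = (h + rotl32(h, 19) + byte) & MASK
    return h

class CarpArray:
    def __init__(self, members: Dict[str, float]):
        # name -> (precomputed name hash, load factor); 1.0 means an equal share
        self.members = {name: (carp_hash(name), float(lf)) for name, lf in members.items()}

    def score(self, url_hash: int, name: str) -> float:
        """Combine the URL hash with one member's hash; the highest score owns the URL."""
        name_hash, load_factor = self.members[name]
        combined = (url_hash ^ name_hash) & MASK
        combined = (combined + combined * 0x62531965) & MASK
        combined = rotl32(combined, 21)
        return combined * load_factor

    def route(self, url: str) -> str:
        """Deterministic: the same URL and membership always give the same owner."""
        url_hash = carp_hash(url)
        return max(self.members, key=lambda name: (self.score(url_hash, name), name))

    def assign(self, urls: Iterable[str]) -> Dict[str, str]:
        return {url: self.route(url) for url in urls}

    def without(self, name: str) -> "CarpArray":
        """The array after `name` fails or is removed; every other member's hash is unchanged."""
        return CarpArray({n: lf for n, (_, lf) in self.members.items() if n != name})

def member_counts(assignment: Dict[str, str]) -> Dict[str, int]:
    """How many URLs each member owns (the load-balancing claim)."""
    counts: Dict[str, int] = {}
    for member in assignment.values():
        counts[member] = counts.get(member, 0) + 1
    return counts

def remap_stats(before: Dict[str, str], after: Dict[str, str], removed: str) -> Dict[str, int]:
    """Count URLs that changed owner, split by whether they sat on the removed member."""
    stats = {"on_removed": 0, "moved_from_removed": 0, "moved_from_other": 0}
    for url, old_owner in before.items():
        if old_owner == removed:
            stats["on_removed"] += 1
        if after[url] != old_owner:
            stats["moved_from_removed" if old_owner == removed else "moved_from_other"] += 1
    return stats

# Constructed sample: a four-member array and 2,000 URLs on one site
ARRAY = CarpArray({"london": 1.0, "tokyo": 1.0, "newyork": 1.0, "paris": 1.0})
SAMPLE_URLS = [f"http://www.example.com/docs/page{i}.html" for i in range(2000)]

if __name__ == "__main__":
    before = ARRAY.assign(SAMPLE_URLS)
    print("share per member:", member_counts(before))
    after = ARRAY.without("tokyo").assign(SAMPLE_URLS)
    print("after tokyo leaves:", remap_stats(before, after, "tokyo"))
```

Dropping one member and re-running the assignment gives moved_from_other == 0: the surviving members' caches stay valid and only the departed member's share is redistributed, which is why an array can grow or shrink without a shared directory or a full re-split. The same scoring is what a Web Proxy client evaluates in the array's automatic configuration script, the "routing on the client" option on the slide.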
Slide 66: Hierarchical Caching (Chaining)
- 50% traffic savings over every WAN link (diagram: Internet, New York, Tokyo, London)

Slide 67: Other Bandwidth Savings
- Traffic prioritization: impose bandwidth policy via the UI; manage inbound and outbound network traffic independently; adds this layer on top of Windows 2000 QoS
- Live media stream splitting

Slide 68: Configuring Caching: Business Scenario

Slide 69: Configuring Caching: Allowing Internet Access in 4 Simple Steps
- Verify the LAT
- Create a protocol access rule
- Turn on HTTP and FTP caching (enabled by default)
- Define the proxy setting on all clients

Slide 70: Configuring Caching: Cache Expiration
- Frequently: the cache is kept current; network performance may be degraded
- Normally: the cache is somewhat current; network performance is taken into account
- Less frequently: the cache is less current; network performance is not degraded
- Custom settings

Slide 71: Configuring Caching: Active Caching
- Lets ISA Server fetch a new version of popular cached objects before they expire
- Frequently: the cache is kept current; network performance is degraded
- Normally: network performance is taken into account when updating the cache
- Less frequently: the cache is less current; network performance is not degraded

Slide 72: Configuring Caching: Advanced Cache Settings
- Control what content is cached: size of objects to cache; dynamic content; maximum URL size cached in memory
- Control what to do with expired cache objects: return an error, or return the expired object

Slide 73: Configuring Caching: Adjusting Cache Size
- Screenshot: LONDON Properties, Cache Drives tab, listing drive, type, disk space, free space and cache size; Maximum cache size (MB): 100; Total disk space (MB): 39064; Total maximum cache size (MB): 100
- Set in the properties of the server
- ISA Server creates a .cdat file of the configured size
- Plan on 4-8 MB for each client

Demonstration 4: Configure Caching
- Enabling HTTP and FTP caching
- Examining the cache configuration
- Allowing Internet access
Section: Management: Tiered Policy and Flexible Management Integrated with Windows 2000

Slide 76: Policy & Rules
- Enterprise-level and array-level policy
- Access control by user/group, by application, by destination, by content type, by schedule
- Bandwidth priorities

Slide 77: Task Pads and Wizards
- Task pads: the easy way to set up and maintain
- Wizards: step-by-step guidance for complex tasks

Slide 78: Alerting
- A flexible alert dispatch mechanism (diagram: ISA Server)

Slide 79: Logging, Reporting, Monitoring
- Logging: packet log; session log
- Reporting: daily summaries; popular reports
- Monitoring: active connections; performance counters

Section: Extensibility: Superior Extensibility and Customizability

Slide 81: Extensibility Mechanisms
- Application filters: smart inspection of data streams
- Web filters: based on ISAPI
- Administration COM object: all administrative properties and actions available programmatically (read/write)
- Cache APIs
- MMC snap-ins: extend the ISA Server user interface
- Storage: integrate with array propagation and backup/restore
- Alerts

A Community of ISVs

Summary: Secure, Fast Internet Connectivity

Slide 84: ISA Server Competitive Advantages
- Best Windows integration: Active Directory; networking features; Windows applications
- Integrated firewall and Web cache management: unified policy and access control; unified management
- Scale up and scale out for the enterprise: tiered policy management; scale up (SMP optimized); scale out (NLB and CARP)
- Lower TCO: integrated services; leverage existing skills; works with what you have; extensible open platform

Slide 85: Key Takeaways
- Firewall & cache integration
- Multi-layered firewall with smart filters
- High-performance, scalable cache
- Designed for reverse caching and secure publishing
- Integrated VPN, intrusion detection, reporting, bandwidth control
- Tiered policy model
- Extensibility

Slide 86: http:/