Configuring Microsoft's multitalented security product in 6 steps
Internet access presents unique security challenges for both large and small corporations. As your business relies more and more on the Internet, you're increasingly concerned about how your employees use this resource. Employee email and Web surfing, intruder attacks, and bandwidth-hungry applications are straining your gateways to the Web. Microsoft Internet Security and Acceleration (ISA) Server—the successor to Proxy Server 2.0—offers a compelling solution to many of these problems with its dual-purpose firewall and caching functionality that lets you publish services running on internal servers. Completely mastering ISA Server's feature set can be time-consuming, but Microsoft has done a good job of simplifying the basic configuration of a relatively complex and comprehensive product. Independent security laboratory International Computer Security Association (ICSA) recently certified ISA Server—a development that will bring even more attention to this enhanced product. (For more information about ISA Server and Proxy Server, see "Related Articles in Previous Issues," page 72.)
With a little planning and some basic knowledge of the Internet, you can quickly configure ISA Server to control access to your network and reduce your company's bandwidth usage. You can also implement a host of other features, including basic network-intrusion detection, robust logging, reports, and alerts.
Topology Considerations
ISA Server's flexibility permits deployment in a variety of topologies. To streamline your installation, you must clearly identify and document the type of connection and security policy you want. You need to define how and where to restrict corporate access, what your remote or satellite offices' needs are, and whether you want to allow remote user connections. Also, think about how you can benefit from ISA Server's caching functionality. Caching stores previously received objects. In other words, the ISA Server cache—rather than the Internet—satisfies subsequent requests for an object (e.g., a picture, a Web page). Caching benefits you in two ways: First, it greatly reduces an object's repeated download time; second, it reduces your Internet bandwidth usage because the system retrieves the object from the Web only once. ISA Server's caching functionality improves on that of Proxy Server 2.0. To enable basic caching, you needn't worry about a customized setup; however, for more advanced installations, ISA Server provides many controls with which you can tweak its caching functionality's behavior and performance.
You also have two important installation decisions to make: First, which mode of operation do you want to implement? You can install ISA Server in one of three modes: Caching, Firewall, or Integrated, which combines the features of the Caching and Firewall modes.
Second, you need to define the ISA Server system's relationship with other ISA Server computers on the network. ISA Server can act independently of other ISA Server systems (if you install it as a standalone server) or as part of a team (if you install it as part of an array). The standalone installation provides caching and firewall functions that are similar to that of an array installation. However, the standalone installation has a few drawbacks: It doesn't integrate with Active Directory's (AD's) directory services, it limits scalability, and it doesn't provide centralized management capabilities. Arguably more secure, the standalone installation effectively isolates the ISA Server machine from your Microsoft network domain—assuming it isn't a domain member. Even if attackers compromise the ISA Server machine, they wouldn't have direct access to domain account information or your domain design. However, because of the isolation, you need to independently manage each additional ISA Server system's access policies, and you must use external methods to perform client load balancing. Because of these limitations, standalone installations are more suited to smaller deployments.
If you choose to implement an array configuration, avoid installing ISA Server on a domain controller (DC) on the perimeter (i.e., exposed to the Internet). Although locking down a DC for placement on the Internet is possible, I recommend minimizing the exposed applications and services by keeping your DC behind the ISA Server firewall. If your ISA Server system is a member server of your company's primary (trusted) domain, consider applying multiple layers of security and utilizing existing equipment in your network. For example, you could enable packet filtering on your Internet router or install multiple layers of ISA Server systems in a back-to-back perimeter network configuration. This type of compartmentalization can significantly increase your security. For example, you might configure the external ISA Server array for packet filtering and server publishing and configure the internal ISA Server array for authenticating internal users and applying your outbound security access policy. In this example, the external ISA Server array would be a member of an independent perimeter network domain and the internal ISA Server array would be a member of your corporate domain. These layers provide additional security by forcing network traffic that crosses your network to pass multiple independent checkpoints. Alternatively, you can put ISA Server systems in a separate AD forest and establish a one-way trust between that forest and your production domain. This approach gives you the benefits of an array without exposing your critical domain or requiring the additional servers that the compartmentalized model necessitates. If you use this design, keep an eye on your configuration to ensure that services such as application authentication work across this type of domain trust relationship. How you design your configuration depends on how much security you require as well as on your budget.
Installing ISA Server
ISA Server runs on the Windows 2000 Server family, and ISA Server's administration tools run on either Win2K Server or Win2K Professional. If you install ISA Server on a member server or DC, the computer running the administration tools must be a member of the domain. During the setup process, you can specify the location of the ISA Server cache files. At a minimum, you need one partition for the OS's boot files and the ISA Server software, and one NTFS-formatted disk for the cache files. Microsoft recommends installing multiple physical NTFS-formatted disks for best performance.
Previous
Register
