Protect and restrict clients' Internet access
The most notable challenge of Internet security is protecting your intranet from intruders while providing controlled Internet access for internal clients. You can use Microsoft Internet Security and Acceleration (ISA) Server 2000 to give selected user accounts Internet access through a proxy. Not only does ISA Server help protect your clients and your network from external attacks, its proxy server also gives you the means to track and control users' Internet activity. (ISA Server also supports reverse proxy, but this article doesn't cover that capability. For details about ISA Server's overall capabilities, see "Microsoft's Stellar ISA Server," October 2000, http://www
.winnetmag.com, InstantDoc 15477.)
For the purposes of this article, I use a simple network topology: one Windows 2000 Service Pack 3 (SP3) machine running ISA Server Enterprise Edition to provide firewall and Web proxy support. This setup is perfect for a department or small office network. Figure 1 shows my sample network with one ISA Server system (ISA-Leon), a client system (Alpha, IP address 10.0.0.2), and an external Web/FTP server (Leonbr-Hm, IP address 192.168.154.1). The ISA Server machine has two NICs, one of which (IP address 10.0.0.1) connects to the internal network and one of which (IP address 192.168.154.20) connects to the external network (i.e., the Internet).
Editions and Modes
ISA Server comes in an enterprise edition and a standard edition. ISA Server Enterprise Edition lets you run ISA Server in standalone mode or logically aggregate multiple ISA Server systems in one array (you can create an array with one computer, but doing so doesn't offer any benefits). An array configuration supports enterprisewide administrative policies, and any change you make to one machine in the array propagates to each machine, so you don't need to implement the change on each box. You can create multiple arrays to support multi-tier policies and rules, and you can delegate the administration of various arrays. Enterprise Edition integrates with Active Directory (AD) and stores ISA Server array—configuration data in AD or stores standalone ISA server—configuration data in the registry. (When you install Enterprise Edition on a non—AD-enabled network, ISA Server installs as a standalone server.) Enterprise Edition scales on machines with any number of CPUs (ISA Server Standard Edition supports a maximum of four CPUs). For the sake of simplicity, I ran my sample ISA Server system in standalone mode, not integrated with AD.
ISA Server supports three modes of operation; during installation, you select which mode to use. Firewall mode provides all the benefits of secure access, secure Web publishing, and protocol filtering. Web caching mode provides a cache repository to accelerate Internet access for internal clients. Integrated mode combines the functionality of the other two modes and is the mode I've used on my sample system.
ISA Server supports three types of clients: Secure Network Address Translation (SecureNAT) clients, Firewall clients, and Web Proxy clients. I've configured my sample client as a Firewall and Web Proxy client. Let's examine these three client options in more detail.
SecureNAT. For SecureNAT clients, the ISA Server system operates as a NAT device, receiving outgoing packets from the internal network. The server replaces the source IP addresses in the outgoing packets with the ISA Server machine's external IP address. If I configure my sample network to support SecureNAT clients, for example, when Alpha sends a request to Leonbr-Hm, Leonbr-Hm identifies the request as coming from IP address 192.168.154.20 (i.e., ISA-Leon's external NIC). The ISA Server machine hides the client machines without exposing their IP addresses. The entire process is transparent to the clients and doesn't require any additional software on the client machines. (For this reason, SecureNAT works on clients running any network OS.) The only client requirement is that you must configure the clients' default gateway to be the ISA Server system's internal-network NIC. If you configure clients to receive IP information through DHCP, you can configure your DHCP server to give the clients the correct gateway address. If you use an intranet in a subnetted environment that requires multiple routers, you must configure the final router's default gateway to be the ISA Server machine's internal-network IP address.
SecureNAT clients are responsible for name resolution, so your intranet needs a DNS server available to resolve Internet addresses. You can point internal clients to an external DNS server and create a special rule on the ISA Server machine, permitting DNS queries to go out to the DNS server. If clients need to resolve both internal and external addresses, however, you need to set up a local DNS server that can resolve internal addresses and forward external queries to external DNS servers, as needed.
SecureNAT clients don't run any specific software, so ISA Server can't identify which users are requesting external connections. Therefore, you can't implement username-based security policies on your ISA Server machine; if you configure ISA Server to require authentication, ISA Server will deny all SecureNAT-client requests. Also, if an application-level protocol (e.g., FTP) requires an open secondary connection, you must use a special application filter. ISA Server comes with many such filters, but you might need to write the filter if the protocol that requires a secondary connection is proprietary. And because packets don't provide clients' source IP addresses, applications such as Distributed COM (DCOM) that rely on having a correct source IP address won't work with SecureNAT clients.
Firewall. Firewall clients must run ISA Server's Firewall Client software. The \%programfiles%\microsoft isa server\clients directory, which the system creates during ISA Server installation, contains all the binary and configuration files necessary to install that software. To configure Firewall Client options, you use the Microsoft Management Console (MMC) ISA Management snap-in's Client Configuration node; ISA Server propagates the settings to all Firewall-client machines. The software, which ISA Server implements as a Winsock Layered Service Provider, intercepts all sockets calls and routes them to the ISA Server machine. As a result, all sockets applications on the internal network work as though they have a direct connection to the Internet. After you install the software on your clients, for example, users can run ftp.exe from the command line to access any external FTP site.
Name resolution is simple for Firewall clients. By default, ISA Server resolves all names that contain periods (e.g., www.braginski.com); names without periods are resolved locally. You can use the ISA Management snap-in to change the name-resolution options.
Firewall-client requests include usernames, so you can implement access policies based on usernames. However, requests are made in the context of the current user, and the client software has no mechanism for asking a user to provide a different set of credentials if the logged-on user's credentials are invalid. Therefore, if you've implemented a restriction that prevents a Firewall-client user from passing the firewall, the request will fail without prompting the user to enter a different set of credentials.
Web Proxy. The Web Proxy client is the simplest way to give users Internet access. To configure a Web Proxy client, you simply configure the client Web browser to use ISA Server as a proxy server. Web Proxy clients can't use command-line FTP applications; to overcome this limitation, you can configure Web Proxy clients to also use the Firewall Client software, which supports all network applications (as long as ISA server has the appropriate application filters to support the necessary secondary connections). The clients in my example are configured as Web Proxy and Firewall clients.
The most important aspect of ISA Server Setup is specifying which NIC represents the internal network. ISA Server bases all decisions (e.g., whether to grant a client access to internal machines, whether to provide a client outside access) on the Local Address Table (LAT) that you specify for the internal NIC. During installation, the Setup program prompts you to select the internal network's IP address range. The simplest method is to click Construct Table, which opens the Local Address Table dialog box. When you select the NIC that connects to the internal network and click OK, ISA Server Setup retrieves the necessary IP address information from the Win2K routing table and populates the LAT with the internal IP address range. You can then add or remove IP addresses from that range.
You manage ISA Server through the ISA Management snap-in, which supports a Taskpad view or an Advanced view. I prefer the Advanced view, which Figure 2 shows and which logically organizes all ISA Server configuration components in folders under the ISA Server system object. The Web-exclusive sidebar "ISA Management Folders" (http://www.secadministrator.com, InstantDoc ID 38774) describes these folders.
ISA Server configuration is the same for standalone systems and for systems that are part of an array. To configure ISA Server, open the ISA Server system object's Properties dialog box. The dialog box's Outgoing Web Requests tab, which Figure 3 shows, controls how ISA Server handles outgoing requests. On this tab, you can change the port that the proxy uses for outgoing connections (e.g., 8080). To let only authenticated users access the Internet through the proxy, select the Ask unauthenticated users for identification check box. When you configure clients to use ISA Server as a Web proxy, that option will cause client browsers to prompt users to enter proxy credentials.
Like Microsoft IIS, ISA Server supports a variety of authentication methods. To select the authentication scheme that clients will use to submit credentials to the proxy server, highlight the ISA Server system in the Identification section, then click Edit to open the Add/Edit Listeners dialog box. I suggest that you select the Integrated option, which instructs clients to use Kerberos authentication (when the ISA Server system and client systems are members of AD) or NT LAN Manager (NTLM). When you select Integrated authentication, client browsers will first try to use the credentials of the currently logged-on user; if those credentials fail, the browser will prompt the user to enter credentials. Therefore, most domain users will enjoy transparent authentication. The Basic with this domain option sends credentials in clear text; this option is secure enough for a production environment only when used over a Secure Sockets Layer (SSL) connection. The Digest with this domain option works similarly to NTLM, and the Client certificate (secure channel only) option works only with SSL.
The ISA Management console's Monitoring\Services folder contains three services: Firewall Service, Web Proxy Service, and Scheduled Content Download. Firewall Service is essential for SecureNAT and Firewall clients. Web Proxy Service, in addition to providing Web proxy functionality, accelerates Internet usage for internal Web Proxy clients by connecting them to the ISA Server content cache. If SecureNAT and Firewall clients are to enjoy the benefits of this acceleration, ISA Server must redirect those clients' requests to the Web Proxy Service. (The HTTP Redirector Filter in the ISA Management console's Extensions\Application Filters folder controls these redirections. Right-click the filter to configure its redirection options.) In my sample setup, I can stop the Web Proxy Service without denying Internet access for SecureNAT or Firewall clients, or I can stop the Firewall Service, after which only Web Proxy clients will be able to access the Internet. The Scheduled Content Download service prepopulates the content cache with frequently used URLs and isn't essential for either Firewall or Web Proxy operations.
By default, after you install ISA Server, its access control algorithm (Figure 4 shows a simplified version) prevents internal clients from accessing all external systems. For each outgoing request, the Firewall Service determines whether the current access rules explicitly allow or deny the request's protocol, destination, and content type. You can implement site and content rules that control which sites specific users can access. ISA Server denies all external requests until you explicitly Allow them and also checks all traffic traveling through the proxy to determine whether any IP packet filters explicitly Deny a request (ISA Server doesn't enforce any Deny filters by default). For example, external systems can't ping the ISA Server system until you create an IP packet filter that allows the Internal Control Message Protocol (ICMP) types that Ping uses. Your first task in providing clients Internet access, therefore, is to add an Allow protocol rule for HTTP and HTTP Secure (HTTPS).
You use the ISA Management console's Access Policy folder's Site and Content Rules, Protocol Rules, and IP Packet Filters subfolders to configure these rules and filters. To create a protocol rule, right-click the Protocol Rules folder, then select New Rule to open the New Rule Wizard. Follow the wizard to create an Allow rule for HTTP and HTTPS. In my example, I name the rule Http Allow, but you can use any name. Click Next, then select Allow. On the next screen, select Selected Protocols from the drop-down list, then select the HTTP and HTTPS check boxes. Click Next on each remaining screen to accept the default values. After the wizard closes, restart the Firewall and Web Proxy services; right-click each service (under Monitoring\Services) and select Stop, then select Start to restart the services.
Protocols and Access Policies
Let's use our ISA-Leon proxy functionality and configure Alpha to access Leonbr-Hm. Open Microsoft Internet Explorer (IE) and select Tools, Internet Options from the menu bar. Select the Connections tab, then click LAN Settings. On the Local Area Network (LAN) Settings dialog box, select only the Use a proxy server for your LAN (These settings will not apply to dialup or VPN connections) check box. Enter ISA-Leon in the Address text box and 8080 in the Port text box. To test my sample network's access to the Internet, I placed a short script, which Listing 1 shows, in Leonbr-Hm's \inetpub\scripts folder. I also configured ISA Server to ask unauthenticated users for identification and to use the Basic authentication method (so that I can easily view the results of my tests).
When I log on to Alpha and navigate to http://leonbr-hm/script, Alpha's browser prompts me to enter proxy credentials. When I supply credentials for a user who can access the ISA Server system (e.g., the Administrator credentials for ISA-Leon), the proxy server permits the connection. Alpha's browser displays the page that Figure 5 shows. Notice the HTTP_VIA header in the request. The proxy adds this header to indicate that ISA-Leon routed the request. If I'd chosen the Integrated authentication method, the browser would try to use default credentials. In that case, ISA Server wouldn't have prompted me for credentials unless those I'd used to log on to Alpha weren't sufficient to access the proxy server.
Using an authenticated proxy connection lets you uniquely identify a user and track that user's Internet usage. Because the proxy server logs users' identities, you can evaluate the ISA Server logs to monitor accessed sites on a user-by-user basis. ISA Server creates these logs in \%programfiles%\microsoft isa server\isalogs. Figure 6 shows a sample log (I've removed most fields for simplicity's sake). The log shows the client's IP address, the provided username, the request's method, and the requested URL. You can easily scan these logs to determine whether users are trying to access inappropriate sites; if you've required proxy authentication (by selecting the Ask unauthenticated users for identification check box on the server's Properties dialog box), you can even identify which users are doing so. (If you don't select that option, ISA Server treats all connections as anonymous.)
Beef Up Security
Using ISA Server as a firewall and Web proxy can help protect your network from external attacks while providing controlled external access. The proxy server can also help you keep a rein on internal clients' Internet usage.