
Wednesday, October 24, 2007

ISAserver.org - October 2007 Newsletter

ISAserver.org Newsletter of October 2007
Sponsored by: Burstek
------------------------------------------------------------------------------
In this issue:
But I Have a Firewall!
ISA Server 2006 Migration Guide -- Order Today!
ISAserver.org Learning Zone Articles of Interest
KB Articles of the Month
Tips of the Month
ISA Firewall Links of the Month
Blog Posts
Ask Dr. Tom


Welcome to the ISAserver.org newsletter! Each month we will bring you interesting and helpful information on ISA Server. We want to know what all *you* are interested in hearing about. Please send your suggestions for future newsletter content to: tshinder@isaserver.org

------------------------------------------------------------------------------
------------------------------------------------------------------------------
Why ISA Users Choose Burstek Internet Security Software
Burstek makes serious Internet security easy for ISA users. Because it was created specifically for Microsoft and ISA environments, Burstek is easy to install and administer, and delivers feature-rich Web filtering and reporting for your entire enterprise without additional consoles, hardware, software or plug-ins. See why bt-LogAnalyzer was voted ISAserver.org Readers' Choice Award Winner in 2007. Try Burstek for ISA free for 15 days and we'll give you a free "No worries" Burstek T-shirt!

Evaluate a free trial of Burstek for ISA today and get a free T-shirt: http://www.burstek.com/ISApromo/
------------------------------------------------------------------------------
------------------------------------------------------------------------------

1. But I Have a Firewall!
By Thomas W Shinder MD, MVP

You've heard the old joke. Joe User complains that his business computers have been hacked and that all the credit card and personally identifiable information he stored on his customers has been stolen and is now, as we speak, being sold to the highest bidders on the Internet. He can't believe it happened. You ask him about security and he says, "But I had a firewall!"

The funny thing isn't the joke itself; what's funny is that there really are people like that out there. The example above is a real story, taken from the Wall Street Journal. The business owner had a couple of computers in his business that held a wealth of PII (personally identifiable information), and it was stolen out from under him. He really did tell the reporter that he didn't know much about computers, but a consultant had come in, put in a firewall, and called it secure (and probably "good" too).

If you look more deeply into situations like this, you'll usually find that they don't have a firewall at all. What they have is a simple NAT device with no inbound port forwarding (reverse NAT). Because nothing is forwarded, no new inbound connection can be made into the "protected" network, and that side effect of address translation is the entire extent of the protection: the device inspects neither the connections the inside hosts open to the Internet nor whatever comes back over them. The consultant explains the NAT box to the befuddled business owner, charges him a few hundred dollars for plugging it in, and calls it a day.

While this is a pretty gross example of incompetence or perhaps malfeasance, it's not far from what I see on the ISAserver.org Web boards and mailing list every day. You might know the drill: "Can you help me set up my single NIC ISA Server proxy so that I'm secure? I already have a firewall."

Yes, I know that you already have a firewall, and it's called ISA 2004 or ISA 2006. Whatever device you have out there can be used to augment the protection the ISA Firewall provides, but it is not a replacement for the ISA Firewall. Asking how to configure a secure single NIC ("hork mode") ISA Firewall is a contradiction in terms. A single NIC ISA Firewall can only be deployed as a Web proxy: the only traffic it ever sees is the traffic clients are configured to send to it, so it isn't an inline device, and a device that isn't inline can't provide the physical or logical separation required between the good guys and the bad guys.

In many cases the problem isn't with the ISA Firewall admin, who very much wants to run the ISA Firewall in full firewall mode so as to provide the highest level of protection possible. The problem is with the "network guys" or the "security guys". They fear what they don't understand (a normal human reaction), and they think of Microsoft security in terms of Windows 95 and Windows NT 4.0. Like the little bugs you find in amber, their understanding of the Microsoft security landscape is stuck somewhere in the prehistoric days of the Internet.

We can help educate these people so that everyone gets the most out of their ISA Firewall purchase. Check out two articles I recently put up on www.isaserver.org that are aimed at helping the security and network guys understand the ISA Firewall:

Questions and Answers about the ISA 2006 Firewall(http://isaserver.org/tutorials/Questions-Answers-ISA-2006-Firewall.html)
Why Upgrade to ISA 2006 Firewalls?(http://isaserver.org/tutorials/Why-Upgrade-ISA-2006-Firewalls.html)

There is also an excellent article on the ISA Firewall's core firewall engine on the Microsoft Web site that will help convince them that the ISA Firewall is an honest-to-goodness network firewall:

ISA Server 2006 Firewall Core(http://www.microsoft.com/isaserver/prodinfo/firewall_corewp.mspx)

Security is difficult, and even when you correctly deploy an ISA Firewall there's still a lot more you need to do; otherwise you'll be in the same position as the hapless business owner who thought he was secure because he had a firewall. You need to look at security from end to end: protecting data at rest on disk, protecting data in flight over the network, and protecting data even when it's in the hands of users and outside the access controls you place on file systems, databases, and other managed containers. Only then can you say you're secure, at least for the moment, because security is a never-ending process, an arms race between you and the criminals.

That's all for now! If you have any questions or comments, you're always welcome to send them to me at tshinder@isaserver.org(mailto: tshinder@isaserver.org)

Thanks!

Tom

=======================

Quote of the Month - "Indecision may or may not be my problem."

-- Jimmy Buffet

=======================

------------------------------------------------------------------------------

2. ISA Server 2006 Migration Guide - Order Today!
By Thomas W Shinder

Dr. Tom Shinder's best-selling books on ISA Server 2000 and 2004 were the "ISA Firewall Bibles" for thousands of ISA Firewall administrators. Dr. Tom and his illustrious team of ISA Firewall experts now present ISA Server 2006 Migration Guide. The book draws on the more than two years of experience Tom and his team have had with ISA 2006, from beta to RTM and all the versions and builds in between. They've logged thousands of flight hours with ISA 2006 and share the Good, the Great, the Bad and the Ugly of ISA 2006 in their no-holds-barred coverage of Microsoft's state of the art stateful packet and application layer inspection firewall.

Order your copy of ISA Server 2006 Migration Guide. You'll be glad you did. Order it here: http://www.amazon.com/exec/obidos/ASIN/1597491993/isaserver1-20/

------------------------------------------------------------------------------

3. ISAserver.org Learning Zone Articles of Interest

Questions and Answers About the ISA 2006 Firewall
http://isaserver.org/tutorials/Questions-Answers-ISA-2006-Firewall.html

Why Upgrade to ISA 2006 Firewalls?
http://isaserver.org/tutorials/Why-Upgrade-ISA-2006-Firewalls.html

Configuring the 2006 ISA Firewall to Support Password Changes
http://isaserver.org/tutorials/Configuring-2006-ISA-Firewall-Support-Password-Changes.html

Exporting and Importing Troublesome ISA Server Rule bases from 2004 to 2006
http://isaserver.org/tutorials/Exporting-Importing-Troublesome-ISA-Server-Rule-bases-2004-2006.html

ISA 2006 Web Caching
http://isaserver.org/tutorials/ISA-2006-Web-Caching.html

Product Review: Collective Software's ClearTunnel
http://isaserver.org/tutorials/Product-Review-Collective-Software-ClearTunnel.html

------------------------------------------------------------------------------
4. KB Articles of the Month

Here are some interesting and useful ISA Server related articles posted by Microsoft in the last month:

Error message when you try to visit a Web site that is published in ISA Server 2004: "HTTP error 500: network name no longer exists"
http://support.microsoft.com/kb/940659/en-us

The "401 Authentication Required" response that is sent by a Web site is dropped when you use ISA Server 2004 as a Web proxy
http://support.microsoft.com/kb/940708/en-us

Error message when you try to open the HTTP compression preferences in the ISA Server Management console after you apply Service Pack 3 for ISA Server 2004: "ISA Server cannot load the property page"
http://support.microsoft.com/kb/942936/en-us

You cannot start the Microsoft Firewall service on a server that is running ISA 2004 or ISA 2006 if you enable SSL on a Web listener
http://support.microsoft.com/kb/940463/en-us

Routing and Remote Access stops responding in Windows Server 2003
http://support.microsoft.com/kb/888090/en-us

How to configure an ISA Server computer for a very large number of authentication requests
http://support.microsoft.com/kb/326040/en-us

RPC clients cannot use Kerberos authentication to authenticate with a server that you publish behind ISA Server 2004, Enterprise Edition
http://support.microsoft.com/kb/917145/en-us

------------------------------------------------------------------------------
5. Tips of the Month

Seems like new suggestions for a true silent installation of the Firewall client come up every month. Check out this thread for another suggestion: True silent install of client (http://forums.isaserver.org/m_410002100/mpage_1/tm.htm), and scroll down to the bottom of the page.

I've been meaning to write an article on how to configure a secure site to site VPN using L2TP/IPSec when one of the ISA Firewalls is behind a NAT device. Until then, if you need to accomplish this task, check out this thread on the NAT-T issues with this configuration: VPN with back to back ISA 2006 DMZ (http://forums.isaserver.org/m_2002052815/mpage_1/key_/tm.htm#2002054653).

Ever had a problem with Event ID 11004 after importing a domain name set? If so, here's one possible solution: Eventid 11004 after importing ruleset (http://forums.isaserver.org/m_2002054489/mpage_1/key_/tm.htm#2002054539).

------------------------------------------------------------------------------

6. ISA Firewall Links of the Month

When ISA Server Can't Set Up NLB Parameters
https://blogs.technet.com/isablog/archive/2007/10/18/when-isa-server-can-t-set-up-nlb-parameters.aspx

Windows services may fail to start after installing ISA Server 2006 Supportability Pack (KB 939455)
https://blogs.technet.com/isablog/archive/2007/10/15/windows-services-may-fail-to-start-after-installing-isa-server-2006-supportability-pack-kb-939455.aspx

Amy Babinchak's Blog on SMB Security and ISA Firewalls
http://securesmb.blogspot.com/

------------------------------------------------------------------------------
7. Blog Posts

Client requests to access a published Web site are blocked when you configure ISA Server 2006 to allow direct authentication to access a published Web server
http://blogs.isaserver.org/shinder/2007/10/17/client-requests-to-access-a-published-web-site-are-blocked-when-you-configure-isa-server-2006-to-allow-direct-authentication-to-access-a-published-web-server/

Solving the "All Open" Rule Problem for Acquiring a Machine Certificate from an Enterprise CA
http://blogs.isaserver.org/shinder/2007/10/16/solving-the-all-open-rule-problem-for-acquiring-a-machine-certificate-from-an-enterprise-ca/

Windows Services May Fail to Start After Installing ISA 2004 SP3
http://blogs.isaserver.org/shinder/2007/10/16/windows-services-may-fail-to-start-after-installing-isa-2004-sp3/

Certificate Enrollment Requires a Custom Protocol
http://blogs.isaserver.org/pouseele/2007/10/12/certificate-enrollment-requires-a-custom-protocol/

Status Codes Gone Missing?
http://blogs.isaserver.org/shinder/2007/10/09/status-codes-gone-missing/

------------------------------------------------------------------------------

8. Ask Dr. Tom

QUESTION: Hi Tom, I am facing an issue after installing ISA Server 2006 Enterprise Edition. Clients are not able to download .doc files. When a user tries to download files, the progress bar stops at 99%. Any ideas? Thanks! - Dhyan.

ANSWER: I can't give you a definitive answer on this because I don't know the details of your implementation. However, one thing you can try is to configure the clients as Web Proxy clients. Also, make sure that Path MTU Discovery is enabled on the ISA Firewall. One last general suggestion is that you clear the cache on the ISA Firewall.

QUESTION: Tom, I'm having a real fight with the security and network folks over here regarding what ISA does with OWA packets before they hit the CAS. In other words, what blacklisting and whitelisting features are built into ISA 2006 for Exchange OWA 2007? Any information you might have would be wonderful. Thanks! -- Charles

ANSWER: The ISA Firewall is the ideal network firewall to use to protect Exchange Servers. In fact, the ISA Firewall was designed from the ground up to provide the best possible protection for Microsoft Exchange, including the Client Access Server. You can use the HTTP Security Filter to provide positive logic filtering to ensure that only known good communications make it to the Exchange Client Access Server. For detailed information on how to configure the HTTP Security Filter to secure your Client Access Server, check out Using the HTTP Filter to Help Secure HTTP Access (http://www.microsoft.com/technet/isa/2006/http_filtering/default.mspx?mfr=true).
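
To make the "positive logic" point concrete for Charles's network team, here is an added example of the approach in Python. It is not ISA Server's own code or anything from the linked Microsoft article: the filter is told what a legitimate OWA request may look like and rejects everything else, and a deny-list check is shown beside it for contrast. The OWA URL prefixes, extensions, length limits and sample requests are assumptions chosen to resemble an Exchange 2007 Client Access Server, not values from the newsletter.

```python
"""Positive-logic (allow-list) HTTP request filtering for a published OWA site.

Added example, not ISA Server code. It models the kind of policy the HTTP
Security Filter enforces on a Web publishing rule: the filter is told what a
legitimate OWA request looks like and everything else is dropped. The URL
prefixes, extensions and limits below are assumptions for an Exchange 2007
Client Access Server, not values taken from the newsletter.
"""
import posixpath
from dataclasses import dataclass
from typing import Dict, Tuple
from urllib.parse import unquote, urlsplit


@dataclass(frozen=True)
class OwaPolicy:
    allowed_methods: frozenset = frozenset({"GET", "POST"})
    # Assumed OWA 2007 URL namespaces; anything outside them is not OWA.
    allowed_prefixes: tuple = ("/owa", "/exchweb", "/public")
    # Assumed: OWA serves pages, .owa event handlers and static content only.
    allowed_extensions: frozenset = frozenset(
        {"", ".aspx", ".owa", ".css", ".js", ".gif", ".png", ".jpg", ".ico", ".htm", ".html"}
    )
    max_url_length: int = 2048
    max_header_bytes: int = 8192
    block_high_bit_chars: bool = True


def evaluate(method: str, raw_url: str, headers: Dict[str, str],
             policy: OwaPolicy = OwaPolicy()) -> Tuple[bool, str]:
    """Return (allowed, reason). Every check is an allow condition; a request
    that fails any of them is rejected, which is what "positive logic" means."""
    if method.upper() not in policy.allowed_methods:
        return False, f"method {method} not in allow list"
    if len(raw_url) > policy.max_url_length:
        return False, "URL exceeds maximum length"
    # Approximate wire size of the header block (name: value CRLF per header).
    header_bytes = sum(len(k) + len(v) + 4 for k, v in headers.items())
    if header_bytes > policy.max_header_bytes:
        return False, "headers exceed maximum length"

    path = urlsplit(raw_url).path
    decoded = unquote(path)
    # Normalization check: a URL that still contains an escape after one
    # decode pass was double-encoded to slip past pattern matching.
    if "%" in decoded:
        return False, "URL is double-encoded"
    if policy.block_high_bit_chars and any(ord(c) > 0x7F for c in decoded):
        return False, "high-bit characters in URL"
    if ".." in decoded.split("/"):
        return False, "directory traversal in URL"
    if not any(decoded == p or decoded.startswith(p + "/") for p in policy.allowed_prefixes):
        return False, "URL outside the published OWA namespace"
    ext = posixpath.splitext(decoded)[1].lower()
    if ext not in policy.allowed_extensions:
        return False, f"extension {ext!r} not in allow list"
    return True, "allowed"


def evaluate_denylist(method: str, raw_url: str,
                      blocked_extensions: frozenset = frozenset({".exe", ".dll", ".bat"})) -> Tuple[bool, str]:
    """The weaker alternative, for contrast: enumerate what is known to be bad.
    Anything the list does not name, including paths that are not OWA at all,
    goes straight through to the Client Access Server."""
    ext = posixpath.splitext(unquote(urlsplit(raw_url).path))[1].lower()
    if ext in blocked_extensions:
        return False, f"extension {ext!r} is blocked"
    return True, "allowed"


if __name__ == "__main__":
    # Constructed requests for illustration; none of these are captured traffic.
    samples = [
        ("GET", "/owa/auth/logon.aspx", {"Host": "mail.example.com"}),
        ("POST", "/owa/ev.owa?oeh=1&ns=PendingRequest&ev=PendingNotificationRequest", {"Host": "mail.example.com"}),
        ("OPTIONS", "/owa/", {"Host": "mail.example.com"}),
        ("GET", "/owa/..%2f..%2fwinnt/system32/cmd.exe", {"Host": "mail.example.com"}),
        ("GET", "/owa/%252e%252e/", {"Host": "mail.example.com"}),
        ("GET", "/iisadmpwd/aexp.htr", {"Host": "mail.example.com"}),
    ]
    for method, url, hdrs in samples:
        allowed, reason = evaluate(method, url, hdrs)
        print(f"{'ALLOW' if allowed else 'DENY ':5} {method:7} {url}  ({reason})")
```

Run it and the constructed requests print ALLOW or DENY with the reason. The contrast case is /iisadmpwd/aexp.htr: the deny list has no opinion on .htr and lets it through, while the allow list rejects it simply because it isn't under an OWA path. That is the property worth putting in front of the network team: a positive-logic filter does not need to know the attack in order to stop it.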

QUESTION: Hi Tom, I'm from Brazil. Congratulations on your articles! I have many FTP attempts against my FTP server, which sits behind ISA 2006. The FTP logs show a large number of FTP attempts to my server. How can I block the FTP attempts after a specific number of tries by a user? If the number reaches X, then block the source IP address. Thanks!! -- Sergio

ANSWER: You can configure your Server Publishing Rule with exceptions so that connections are allowed from anywhere except from IP addresses or networks that you don't want to connect using the Server Publishing Rule in question. Double click the Server Publishing Rule for the FTP server and click on the From tab. In the Exceptions section, click the Add button. In the Add Network Entities dialog box, click the New menu and click Computer. Create a computer object for the IP address that is attacking your site. If there are multiple machines attacking your site, create a Computer Set instead. Click Close in the Add Network Entities dialog box and click OK in the Properties dialog box for the Server Publishing Rule. Click Apply to save the changes and update the firewall policy.
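
Sergio's "if the number reaches X" condition isn't something the Server Publishing Rule counts for you; the exception list is static, so something has to read the FTP logs and decide which addresses go into the Computer Set. The following is an added example of that step in Python (not ISA Server code and not from the newsletter). It assumes the FTP server writes W3C extended logs with the field layout IIS FTP uses, and the log lines, addresses and thresholds are constructed for illustration.

```python
"""Find FTP source addresses that exceed a failed-login threshold.

Added example, not ISA Server code. The Server Publishing Rule exception
described above takes a static Computer Set, so this script does the
counting: it reads W3C extended FTP logs, finds PASS commands the server
rejected (FTP reply 530) and reports sources with X or more failures inside
a time window. The field layout is the one IIS FTP writes (assumed here);
every log line below is constructed for illustration, not captured.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, Iterable, Iterator, List, Tuple

SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2007-10-20 09:00:00
#Fields: date time c-ip cs-username s-ip s-port cs-method cs-uri-stem sc-status sc-win32-status
2007-10-20 09:02:00 203.0.113.9 backup 192.168.0.10 21 [1]PASS - 530 1326
2007-10-20 10:02:00 203.0.113.9 backup 192.168.0.10 21 [2]PASS - 530 1326
2007-10-20 10:15:01 203.0.113.5 - 192.168.0.10 21 [3]USER administrator 331 0
2007-10-20 10:15:01 203.0.113.5 administrator 192.168.0.10 21 [3]PASS - 530 1326
2007-10-20 10:15:03 203.0.113.5 administrator 192.168.0.10 21 [4]PASS - 530 1326
2007-10-20 10:15:05 203.0.113.5 administrator 192.168.0.10 21 [5]PASS - 530 1326
2007-10-20 10:15:08 203.0.113.5 administrator 192.168.0.10 21 [6]PASS - 530 1326
2007-10-20 10:16:10 198.51.100.7 - 192.168.0.10 21 [7]USER sergio 331 0
2007-10-20 10:16:10 198.51.100.7 sergio 192.168.0.10 21 [7]PASS - 530 1326
2007-10-20 10:16:25 198.51.100.7 sergio 192.168.0.10 21 [8]PASS - 230 0
2007-10-20 10:17:00 truncated
2007-10-20 11:02:00 203.0.113.9 backup 192.168.0.10 21 [9]PASS - 530 1326
"""


def parse_w3c(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Parse W3C extended log lines into dicts keyed by the #Fields names,
    so the script follows the header instead of hard-coded column numbers."""
    fields: List[str] = []
    records: List[Dict[str, str]] = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line.split(":", 1)[1].split()
            continue
        parts = line.split()
        if not fields or len(parts) != len(fields):
            continue  # malformed or truncated row: skip rather than guess
        records.append(dict(zip(fields, parts)))
    return records


def failed_logins(records: Iterable[Dict[str, str]]) -> Iterator[Tuple[datetime, str]]:
    """Yield (timestamp, source address) for every PASS the server refused (530)."""
    for r in records:
        if r["cs-method"].endswith("PASS") and r["sc-status"] == "530":
            when = datetime.strptime(r["date"] + " " + r["time"], "%Y-%m-%d %H:%M:%S")
            yield when, r["c-ip"]


def brute_forcers(records: Iterable[Dict[str, str]], threshold: int,
                  window: timedelta) -> Dict[str, int]:
    """Return {source address: total failures} for sources with at least
    `threshold` failures inside any span of `window`. Failures spread thinly
    over hours (a user with a wrong saved password) do not qualify."""
    by_ip: Dict[str, List[datetime]] = defaultdict(list)
    for when, ip in failed_logins(records):
        by_ip[ip].append(when)
    offenders: Dict[str, int] = {}
    for ip, stamps in by_ip.items():
        stamps.sort()
        for i in range(len(stamps) - threshold + 1):
            if stamps[i + threshold - 1] - stamps[i] <= window:
                offenders[ip] = len(stamps)
                break
    return offenders


def computer_set_members(offenders: Dict[str, int]) -> List[str]:
    """Addresses to add to the ISA Computer Set, in numeric order."""
    return sorted(offenders, key=lambda ip: tuple(int(o) for o in ip.split(".")))


if __name__ == "__main__":
    recs = parse_w3c(SAMPLE_LOG.splitlines())
    hits = brute_forcers(recs, threshold=3, window=timedelta(minutes=10))
    for ip in computer_set_members(hits):
        print(f"{ip}\t{hits[ip]} failed logins")
```

Point it at the real log file instead of SAMPLE_LOG (for example brute_forcers(parse_w3c(open(path)), 10, timedelta(minutes=5))) and paste the returned addresses into the Computer Set used as the rule's exception. Two caveats: the count is per source address, because that is what ISA can block, not per user as the question phrases it; and an attacker who rotates addresses walks around a static block list, so treat the Computer Set as a nuisance filter, not as the control that protects weak FTP passwords.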

QUESTION: Hi Thomas, I'm the system administrator of my company and I'm trying to set up a back-to-back firewall configuration using my existing ISA 2000 as the front-end proxy firewall and a new ISA 2006 as the back-end firewall. The ISA 2000 is also the internal DNS, DHCP and WINS server. My internal network address range is 192.168.0.0/24. The ISA 2000 is a member of the domain. I think I have to change the address of my network if I want to have a DMZ, but I would like to reduce the inconvenience to my users as much as I can. What is your suggestion? I'd like to use the same network address and just specify a reduced range of addresses for the DMZ network. Is that supported?

ANSWER: This is a difficult problem because of the number of extraneous services installed on the ISA 2000 firewall. I would recommend moving the DHCP, WINS and DNS servers to a machine on the internal network, behind the back-end ISA Firewall. Then I would remove the ISA 2000 from the domain and join the back-end ISA 2006 firewall to the domain. Assign the back-end ISA Firewall an internal IP address that is the same as the old ISA 2000's internal IP address. You can use DHCP on the internal clients to point them to the new DNS and WINS server addresses. On the back-end ISA Firewall, configure the external interface to use the front-end ISA Firewall as its default gateway.

With this kind of configuration, I would configure the ISA 2000 firewall to allow all outbound traffic from the back-end ISA Firewall, and you should use only Server Publishing Rules on the front-end ISA Firewall for publishing resources on the internal network behind the back-end ISA Firewall.

However, my best recommendation is to remove the ISA 2000 firewall completely and use only the ISA 2006 firewall. The threat models used to design the ISA 2000 firewall were completely different than the threat models we see today for Internet facing devices. For this reason, your most secure solution is to completely remove ISA 2000 from your network and use only the ISA 2006 firewall. If you need a DMZ, you can add a third NIC to your ISA Firewall to create a tri-homed DMZ.

Got a question for Dr. Tom? Send it to tshinder@isaserver.org.
------------------------------------------------------------------------------

Visit the Subscription Management section to unsubscribe.
ISAserver.org is in no way affiliated with Microsoft Corp.
For sponsorship information, contact us at advertising@isaserver.org.
Copyright © ISAserver.org 2007. All rights reserved.
