Monday, December 22, 2008

ISAserver.org - December 2008 Newsletter

-------------------------------------------------------
ISAserver.org Monthly Newsletter of December 2008
Sponsored by: Collective Software
-------------------------------------------------------

Welcome to the ISAserver.org newsletter by Thomas W Shinder MD, MVP.
Each month we will bring you interesting and helpful information on ISA Server.
We want to know what all *you* are interested in hearing about.
Please send your suggestions for future newsletter content to: tshinder@isaserver.org


1. Merry Christmas, Happy Holidays and Happy New Year!
--------------------------------------------------------------

It is that time of year when most of us take some time off of work and think about things that we do not have time to think about otherwise. Things like "what am I going to do on my vacation" or "what should I get my wife for Christmas" or "what am I going to do with my life in 2009" Can you believe it? We're heading for 2009 with a bullet. I am hardly used to being in the 21st century!!

It is also that time of year when pundits come up with predictions for the next year. While I do not know if anybody would consider me a pundit (Google never seems to pick up our feeds as "news", even when we break information first), I do have some ideas of things I would like to see happen in 2009.

So here is my list of four things I think will happen when it comes to the Forefront Edge family of security products in 2009:

The SSL Security Hole Reaches Critical Mass

For years we have been banging the drum at ISAserver.org about the security risks that SSL connections pose to your network. Outbound SSL connections are just like VPN connections. Anything that crosses your edge network security devices over an outbound VPN connection is completely hidden from your firewall. That means your firewall is helpless at protecting you from what moves over the VPN channel. That is why most organizations do not allow outbound VPN connections from their networks. They do not want to connect their network to an untrusted network without having the ability to inspect and sanitize the content moving over the VPN channel.

From a security perspective, SSL is no different. Any time one of your users (or the malware contained on one of your users' machines) makes an outbound connection using SSL, the contents of that connection are completely hidden from your firewall. SSL is especially dangerous, because the typical user or admin thinks of SSL as a security technology, not a technology that can be used to compromise your network. But the fact is that users, attackers and malware can all leverage SSL to compromise your network, all because your edge security devices are unable to protect you from the hidden contents of these communications.

I expect that the security risks of SSL will finally bubble up into the collective IT consciousness next year, and major initiatives will be launched to close the SSL security hole. If you are already aware of the problem and want to do something about it now, then check out ClearTunnel from Collective Software. ClearTunnel will help you close the SSL security hole right now using your current ISA firewall deployment. The TMG might even have something to offer in this area, but we will have to wait for a public announcement of what the final version of the TMG will have to offer before being sure.

Outbound Access Control is No Longer a Luxury – Becomes a Requirement

I never cease to be amazed by the "generous" outbound access policies companies have. When I speak to the network security admins of these organizations, they are very concerned about what evil might lurk "out there" beyond the edge security devices. However, when I ask them about what they are doing to control what internal, corporate users do with the Internet connection, they draw a blank. In the vast majority of cases, they allow everything outbound. This liberal outbound access policy essentially turns the corporate Internet link into a "party line", where employees literally "party down" on the Internet connection and do whatever they want, whenever they want, like it's 1999!!

I predict that this will change significantly in the next year. If you are one of my American readers, I think the major push for stronger outbound access control will be federal regulations coming from the new administration. The new administration is very Internet savvy, and they are also into increased federal control over the flow and management of information. I fully expect that the new administration will push down increasingly stringent guidelines on both inbound and outbound access and more introduce more stringent guidelines on data control and governance across multiple vertical industries.

This should be a boon for the upcoming TMG and current ISA firewall admins. As you know, with the help of the Web Proxy and Firewall client configurations, you can exercise extremely strong, and exceptionally granular, user/group based access controls over what protocols, what sites, what applications, and what content users can access on the Internet. More importantly from a regulatory and legal point of view, you will have this user information available in your log files and reports, so that responsibility can be assigned to the appropriate people.

TMG Policy Integration with Stirling Puts Microsoft on the Bleeding Edge of Network Security

For years people have snickered when you brought up the subject of Microsoft and security. They have make jokes like "isn't this a contradiction in terms" or "isn't that an oxymoron?". Ha ha. The world has changed since IIS 4.0 and Windows ME. With the full implementation of the SDL (security development lifecycle) and increasing number of security products being released under the Microsoft Forefront brand name, I expect that we will not only have to listen to the jokes about Microsoft security, but actually see Microsoft as a leading security software company.

This paradigm shift should be accelerated next year with the release of "Stirling". What "Stirling" (a code name for the beta product) will be able to do when fully developed is tie together all of the Forefront products together into a single configuration, management and reporting console – giving you a "single pane of glass" to view your entire Microsoft security software infrastructure.

But Stirling will be much more than configuration, management and reporting for all of the Microsoft Forefront products. More importantly, you will be able to create proactive security response policies based on the information gathered from each of the products in the Forefront security product suite. Policies will be able to take the "interesting" information gathered from each of the products, and then based on this information, automatically trigger responses for each of the security products.

This level of automation will significantly improve security on any Microsoft network infrastructure. And the good news for future TMG firewall admins is that the TMG firewall will be a core component of the "Stirling" data collection and response policy framework. This centralized management and response approach to network security will put Microsoft on the bleeding edge of network security.

IAG 2007 Interest Skyrockets Because of IAG 2007 SP2 Trial .VHD Downloads

Last, but definitely not least, is IAG 2007 SP2. If you do not know about IAG 2007, it's Microsoft's SSL VPN solution. IAG 2007 and ISA and TMG are all part of the Forefront Edge security products group. The problem with IAG 2007 in the past was that it was only available as a hardware appliance. This prevented tens of thousands of ISAserver.org members from testing the product in their labs to see if it might be something they would be interested in. This all changes next year with IAG 2007 SP2. You will be able to download an evaluation version of the IAG 2007 in .vhd format, so that you can test it to your heart's content. The .vhd also provides us at ISAserver.org a great opportunity for publishing content directed at the IAG 2007. You will find that the IAG 2007 is as interesting, and as secure, as the ISA firewall. 2009 is going to be a great year for Forefront Edge security products here at ISAserver.org

What do you think? How close am I to what will happen in 2009? Let me know! Write to me at tshinder@isaserver.org and I will share what you think is going to happen with the TMG and IAG 2007 in 2009.

And before I leave, I wanted to let everyone know that Jason Jones, a leading light here at ISAserver.org, has finally been awarded the Forefront Edge (ISA/TMG) MVP by Microsoft. Jason is one of the smartest and hardest working guys I know in the ISA and TMG space and it is an honor to have him as an MVP. Jason is a moderator on our Web boards on ISAserver.org and also maintains a great blog where he uncovers many ISA secrets, that would have otherwise gone undocumented, at <http://blog.msfirewall.org.uk/>

See you next year!

Tom
tshinder@isaserver.org

For ISA and TMG and other Forefront Consulting Services in the USA, call me at
Prowess Consulting <http://www.prowessconsulting.com>
206-443-1117

=======================
Quote of the Month – "I'd rather pull a bobcat's tail in a phone booth than deploy a hork mode ISA firewall". – Dr. Tom Shinder
=======================

2. ISA Server 2006 Migration Guide - Order Today!
--------------------------------------------------------------

Dr. Tom Shinder's best selling books on ISA Server 2000 and 2004 were the "ISA
Firewall Bibles" for thousands of ISA Firewall administrators. Dr. Tom and his
illustrious team of ISA Firewall experts now present to you , ISA Server 2006
Migration Guide
<http://www.amazon.com/exec/obidos/ASIN/1597491993/isaserver1-20/>. This book
leverages the over two years of experience Tom and his team of ISA Firewall
experts have had with ISA 2006, from beta to RTM and all the versions and builds
in between. They've logged literally 1000's of flight hours with ISA 2006 and
they have shared the Good, the Great, the Bad and the Ugly of ISA 2006 with
their no holds barred coverage of Microsoft's state of the art stateful packet
and application layer inspection firewall.

Order your copy of ISA Server 2006 Migration Guide
<http://www.amazon.com/exec/obidos/ASIN/1597491993/isaserver1-20/>. You'll be
glad you did.


3. ISAserver.org Learning Zone Articles of Interest
--------------------------------------------------------------

We have a great group of articles in the Learning Zone that will help you get a
handle on your most difficult configuration issues. Here are just a few of the
newer and more interesting articles:

* Overview of ISA and TMG Networking and ISA Networking Case Study (Part 1)
<http://www.isaserver.org/tutorials/Overview-ISA-TMG-Networking-ISA-Networking-Case-Study-Part1.html>

* How to change Microsoft ISA Server 2006 NLB from Unicast to Multicast
<http://www.isaserver.org/tutorials/How-change-Microsoft-ISA-Server-2006-NLB-Unicast-Multicast.html>

* ISA Firewall Web Caching Capabilities
<http://www.isaserver.org/tutorials/ISA-Firewall-Web-Caching-Capabilities.html>

* How to migrate Microsoft ISA Server 2006 to Microsoft Forefront TMG
<http://www.isaserver.org/tutorials/How-migrate-Microsoft-ISA-Server-2006-Microsoft-Forefront-TMG.html>

* Auditing the Initial Configuration of the EBS TMG Firewall (Part 2)
<http://www.isaserver.org/tutorials/Auditing-Initial-Configuration-EBS-TMG-Firewall-Part2.html>

* Auditing the Initial Configuration of the EBS TMG Firewall (Part 1)
<http://www.isaserver.org/tutorials/Auditing-Initial-Configuration-EBS-TMG-Firewall-Part1.html>

* GFI WebMonitor Voted ISAserver.org Readers' Choice Award Winner - Monitoring and Management
<http://www.isaserver.org/news/ISAserver-Readers-Choice-Award-Monitoring-Management-GFI-WebMonitor-Sep08.html>


4. KB Articles of the Month
---------------------------------------------------------------

The MCP site that enables us to find KB articles based on date was down during the writing of this newsletter. The main KB search site still hasn't been fixed yet, so we're not able to search KB articles based on their release date. It has been a while now since they removed the date filtering capability from the public KB search site. I am afraid they would not ever bring that feature back. I am hoping that they have not killed the MCP KB search site. That was our last resort for finding new ISA/TMG KB articles.

However, I figured if I searched for TMG articles, I might come up with some interesting stuff. Here is some of what I found:

* How to configure ISA Server 2004 or Microsoft Forefront Threat Management Gateway, Medium Business Edition after you add a new network adapter or you replace a network adapter
<http://support.microsoft.com/kb/840698>

* How ISA Server 2006, ISA Server 2004, Microsoft Forefront Threat Management Gateway, Medium Business Edition handles client Web requests and how to bypass network address translation
<http://support.microsoft.com/kb/838368>

* How to deploy the ISA Server 2004 Firewall Client program
<http://support.microsoft.com/kb/838122>

* DNS queries that pass through Forefront Threat Management Gateway NAT do not use random source ports
<http://support.microsoft.com/kb/957298>

* The features and limitations of a single-homed ISA Server 2006, ISA Server 2004, or Microsoft Forefront Threat Management Gateway, Medium Business Edition computer
<http://support.microsoft.com/kb/838364>

* How to use a computer that is running ISA Server 2006, ISA Server 2004, Microsoft Forefront Threat Management Gateway, Medium Business Edition, or Windows Essential Business Server 2008 to block transparent HTTP clients without requiring authentication
<http://support.microsoft.com/kb/884505>


5. Tip of the Month
--------------------------------------------------------------

A lot of us use the ISA or TMG firewall as an internal network firewall that controls what users can access when connecting to other internal network through the firewall. One common scenario is a multihomed ISA firewall that connects internal networks of different levels of trust. For example, one network contains the user workstations, full of their typical worms and malware, and the other network contains files server, mail servers and Web servers.

Since we want to control on a per user/group basis what users on the User Network can connect to on the network services network, we use the Firewall client to give us that fine-tuned control and enhanced reporting. The problem is that when you try to enforce user/group access controls over connections to file shares, the connection attempts fail.

The problem is that CIFS/SMB connections do not use Winsock calls for network access. Since the Firewall client is actually a Winsock proxy application, it only intercepts network connection requests from Winsock applications. Since the Firewall is not able to intercept the file share requests, any connection that requires authentication will fail. The solution is to allow anonymous connections to the file shares and make triple sure that you have locked down permissions on the files and shares on that network services network.

For more information on this issue, check out:
<http://support.microsoft.com/kb/913782>


6. ISA Firewall Links of the Month
--------------------------------------------------------------

ISA Firewall fans and writers! If you publish an article or a blog post about the ISA firewall, let me know. I'll put links to your articles and posts in the newsletter. Just send the link to tshinder@isaserver.org

* Security Considerations with Forefront Edge Virtual Deployments
<http://technet.microsoft.com/en-us/library/cc891502.aspx>

* ISA Server Branch Office Policies Best Practices: ISA Server co-location with a domain controller
<http://technet.microsoft.com/en-us/library/cc891503.aspx>

* Securing and Accelerating Branch Office Communications Using ISA Server 2006
<http://download.microsoft.com/download/e/7/6/e76fdda3-5c2c-4fbb-9c6f-3bcd0ed4b8ef/branch_Officewp.doc>

* The ISA Server 2006 Firewall Core
<http://download.microsoft.com/download/e/7/6/e76fdda3-5c2c-4fbb-9c6f-3bcd0ed4b8ef/Firewall_Corewp.doc>


7. Blog Posts
--------------------------------------------------------------

* Customizing ISA Server 2006 HTML Forms - Part 1: Simple, Consistent Form Branding
<http://blog.msfirewall.org.uk/2008/11/customising-isa-server-2006-html-forms.html>

* Resource Guide for Using Microsoft NLB with ISA Server 2006 Enterprise Edition
<http://blog.msfirewall.org.uk/2008/10/resource-guide-for-using-microsoft-nlb.html>

* 502 Proxy Error — HTTP Message Includes an Unsupported Header
<http://blogs.isaserver.org/shinder/2008/12/11/502-proxy-error-http-message-includes-an-unsupported-header/>

* Monitoring Malware Through the Edge with Microsoft Forefront Threat Management Gateway
<http://blogs.isaserver.org/shinder/2008/12/10/monitoring-malware-through-the-edge-with-microsoft-forefront-threat-management-gateway/>

* Exchange 2007 and ISA Server 2006: Helpful Docs and Blog Posts
<http://blogs.isaserver.org/shinder/2008/12/10/exchange-2007-and-isa-server-2006-helpful-docs-and-blog-posts/>

* Hardening SSL Cipher Strength and SSL Protocol Support on ISA Servers
<http://blogs.isaserver.org/shinder/2008/12/09/hardening-ssl-cipher-strength-and-ssl-protocol-support-on-isa-servers/>


8. Ask Dr. Tom
--------------------------------------------------------------

* QUESTION:

Hi Tom,

We have only one email server. When we send an e-mail message, it has a source IP of x.x.x.117. The problem is that the MX record is to x.x.x.118. This is a major problem because of Spam engines. The Spam engines will see a difference in IP address and think it is Spam. There are third party solutions out there that will do this for us, for a price. Is there ANY way to do this in the ISA configuration?
Thanks! - Jack

* ANSWER:

You have identified a common problem seen with ISA and TMG MBE firewalls. The problem is that when there are multiple IP addresses bound to the external interface of the firewall, the source IP address of outbound connection will show as the primary IP address on the external interface. The easiest fix here is to just move the IP address you want to be the source IP address to the top of the list. Once you do that, the .118 address in your example will show as the primary IP address and all is well.

However, there may be times when this would not work. In most cases, you need to create two MX records, one for each of your redundant inbound SMTP relays. There are going to be on two different IP addresses. When a destination SMTP server tries to do a reverse lookup on your domain, there will be a 50% chance that the IP address is the correct one (assuming that one of those addresses is the primary IP address bound to the external interface of the ISA firewall).

There is no built-in ISA or TMG MBE feature that will fix this. However, I would highly recommend a product by Collective Software to fix this problem. The name of the product is IPBinder. This ISA/TMG add-on will allow you to choose which IP address to bind to your servers for outbound NAT traffic. IPBinder is reasonable priced and well worth the cost. Check it out at <http://www.collectivesoftware.com/Products/IPbinder>

Got a question for Dr. Tom? Send it to tshinder@isaserver.org.


TechGenix Sites
--------------------------------------------------------------

MSExchange.org <http://www.msexchange.org/>
WindowSecurity.com <http://www.windowsecurity.com/>
WindowsNetworking.com <http://www.windowsnetworking.com/>
VirtualizationAdmin.com <http://www.virtualizationadmin.com/>

--
Visit the Subscription Management <http://www.techgenix.com/newsletter/>
section to unsubscribe.
ISAserver.org is in no way affiliated with Microsoft Corp.
http://www.techgenix.com/advert/index.htm for sponsorship
information or contact us at advertising@isaserver.org
Copyright c ISAserver.org 2008. All rights reserved.

No comments:

Post a Comment