郝雪莹 xyhao@microsoft.com Microsoft China
  • This Overview Deck introduces the features and benefits of Internet Security and Acceleration Server (ISA Server), Microsoft's new enterprise-class firewall and Web cache server built for Windows 2000 Server. Intended Audience: Business Decision Makers, IT Pros. Technical Level: Moderate

Transcript

  • 1. Microsoft Internet Security and Acceleration Server 2000
      • The perfect combination of security and speed
    郝雪莹 [email_address] Microsoft China
  • 2. Agenda
    • Product overview
    • Deployment scenarios
    • Firewall
    • Caching
    • Management
    • Extensibility
  • 3. New Opportunities, New Challenges
    • Opportunities
      • Connect your customers, partners and employees over the network
      • E-commerce on the Web brings your business new opportunities
      • Turn an intranet with limited resources into a network merged with the Internet
    • Challenges
      • Exposes the network to every hacker, virus and unauthorized user
      • Competition is fierce; your Web site must deliver fast, reliable service
      • Managing such a network demands more advanced skills
  • 4. The Connected Business
    • New Concerns
      • Protect your internal network from hackers and other intruders
      • Manage and control network access
      • Protect valuable bandwidth while speeding up network access
  • 5. Microsoft's View of Security
    • Security flaws and virus attacks are serious, costly, industry-wide problems
    • Internet security is the most fundamental consideration for conducting digital business worldwide
    • As an industry leader, Microsoft has a special responsibility to protect the Internet and customer data
  • 6. Microsoft ISA Server 2000: The Perfect Combination of Security and Speed
    • Secure network connectivity: protect the network environment with a scalable, multi-layered firewall
    • Fast Web access: a scalable, high-performance Web cache
    • Unified management: robust policy and management mechanisms integrated with Windows 2000
    • Extensible open platform: an advanced platform that can be extended and customized
  • 7. What Is ISA Server 2000
    • Firewall and cache
    • ISA Server editions
      • ISA Server Standard Edition
      • ISA Server Enterprise Edition
  • 8. Microsoft® ISA Server 2000 Standard Edition vs. Enterprise Edition Feature Comparison
    • Server deployment (Standard: single server; Enterprise: centralized management of multiple servers)
    • Policy support (Standard: per server; Enterprise: server array)
    • Hardware support (Standard: up to 4 CPUs; Enterprise: unlimited)
    • Scalable Web cache (Standard: suited to small businesses; Enterprise: suited to medium and large enterprises)
    • Distributed and hierarchical caching (Standard: hierarchical only; Enterprise: both)
    • Windows® 2000 Active Directory integration, unified management (Standard: limited; Enterprise: full)
    • Multi-tier policy (Standard: no; Enterprise: yes)
    • Multi-server management (Standard: no; Enterprise: yes)
  • 9. What Is ISA Server 2000: ISA System Requirements
    • Processor: 300 MHz or higher Pentium II compatible
    • Operating System: Microsoft Windows 2000 Server or Advanced Server with SP2 or higher
    • Memory: 256 MB of RAM
    • Hard Disk
      • 20 MB of available hard drive space
      • An available NTFS partition
      • 4-8 MB for each proxy client
    • Other: To implement the array and advanced configuration policies on the Enterprise edition you also need Windows Active Directory on the network
  • 10. Firewall & Cache
    • Both belong at the edge of the network, the point where it joins the Internet
    • Modular installation
    • Unified management
      • MMC
      • Logging and Reporting
      • Monitoring and Alerting
    • Consistent access policy
    • Low training and maintenance cost
  • 11. Tight Integration with Windows 2000
    • Security
      • Packet filtering
      • Network address translation (NAT & SecureNAT)
      • Authentication
      • System Hardening
    • Virtual private networking (VPN)
    • Management
      • MMC
      • Terminal Services
      • Event log
    • Active Directory™
      • Array configuration and policy data
      • NOT required!
    • Bandwidth control
    • Transparent support for clients and servers on other platforms
  • 12. Much More Than “Proxy Server 3.0”
    • Transparency for all clients and servers
    • Enterprise policy
    • Group policy
    • Schedules
    • Active Directory integration
    • Extensible application filters
    • SMTP filter
    • Streaming media splitting
    • H.323 filter & Gatekeeper
    • MMC-based UI
    • Task Pads, wizards
    • Remote administration
    • Configuring Exchange server behind firewall
    • IIS separation
    • RAM caching
    • New cache store
    • Scheduled content download
    • VPN integration
    • Intrusion detection
    • System hardening
    • NTLM & Kerberos authentication
    • Dual-hop SSL
    • Customizable alerts
    • Logging: W3C format, selectable fields
    • Integrated reporting
    • Bandwidth control
    • New APIs
    • Modular installation
  • 13. Deployment Scenarios Microsoft Internet Security & Acceleration Server 2000
  • 14. Small Organization (diagram: Internet, ISA Server)
  • 15. Large Enterprise (diagram: Internet, ISA Server; firewall & cache managed together)
  • 16. DMZ & Secure Publishing (diagram: Internet, ISA #2, ISA #1, DMZ #1, Intranet)
  • 17. Chaining (diagram: ISA Server at the Branch, ISA Server Array at the Main site, leased line or VPN connection, Internet)
  • 18. Firewall: Protect the Network Environment with a Scalable, Multi-Layered Firewall
  • 19. Why Use a Firewall?
    • Protect yourself from attacks by hackers, viruses and unauthorized users
    • Control outbound Internet access
    • Protect web servers and email servers
    • More secure data access
    • Protect critical data and information
    • - and -
    • Manage information access
  • 20. ISA Server Firewall
    • Packet, circuit, and application-level traffic screening
      • Stateful inspection examines traffic in its context
      • Reduce risk of unauthorized access
      • Analyze or modify content with “Smart” application filters
    • Integrated intrusion detection
      • Based on technology licensed from Internet Security Systems (ISS)
    • Secure publishing
      • Protect servers accessible to the outside world
    • System hardening
      • “Lock down” the operating system, further strengthening security
    • Integrated with Windows 2000 VPN
      • Wizard for easy configuration
  • 21. 多层次的防火墙
    • Bottom up – protection at every level
      • Packet level
        • Static filters
        • Dynamic filters
        • Intrusion detection
      • Circuit (protocol) level
        • Session based filtering
        • Connection association
      • Application level
        • Intelligent payload inspection
  • 22. Smart Application Filters
    • Protocol aware filters
      • Analyze the traffic
      • Block, redirect, modify
    • Intelligent filtering out-of-the-box:
      • HTTP: Web request caching
      • SMTP: Traffic filtering
      • Streaming media: Stream splitting
      • FTP: Read only restriction
      • H.323: NetMeeting® through the firewall
  • 23. Intrusion Detection
  • 24. Additional Security Features
    • VPN integration
      • Integrated with Windows 2000 VPN
      • Wizard for easy configuration
    • System hardening wizard
      • “Lockdown” for the operating system
      • Three pre-defined levels
    • Secure publishing
    • SSL Bridging
      • Encrypted tunneling
  • 25. ISA Server – Microsoft’s Firewall: ISA Server Features
    • Multi-layered firewall
    • Centralized or distributed management
    • Publishing
    • ICSA certified
  • 26. ISA Server – Microsoft’s Firewall How A Firewall Protects
    • A firewall filters network traffic that enters or leaves a protected network.
    • Decisions:
      • IP address, protocol and port number
      • Connection establishment
      • IP packet payload
      • Application filtering
      • Authentication
    • Logging and Alerting
  • 27. ISA Server – Microsoft’s Firewall: ISA Server Architecture (diagram: Web Proxy Client, SecureNAT Client and Firewall Client on the Local Area Network; Web Proxy Service with Web Filter and Cache; Firewall Service with application filters: Third Party Filter, Streaming Filter, SMTP Filter, H.323 Filter, FTP Filter, HTTP Redirector; Packet Filtering and NAT Driver; Internet)
  • 28. ISA Server – Microsoft’s Firewall: Outgoing FW Traffic Flow (diagram: Internal Interface, External Interface, NDIS, PFD NAT driver, PFxD SecureNAT driver, SecureNAT, TCP/IP Stack, Routing, Reassembly, Socket Layer, Firewall Service, Application Filter, Policy, PF Log, Session Log; components split between Kernel Mode and User Mode)
  • 29. ISA Server – Microsoft’s Firewall: Incoming FW Traffic Flow (diagram: the same components as the outgoing flow, traced in the incoming direction)
  • 30. ISA Server – Microsoft’s Firewall: ISA Server Default Behavior
    • No incoming or outgoing traffic unless specifically allowed
    • Except for:
      • ISA Server may perform DNS lookups
      • Pinging from ISA Server
  • 31. ISA Server – Microsoft’s Firewall: Rules for Outgoing Requests
    • Protocol Rules
      • Who may use which protocol, to access what, and when?
      • Default: No access
    • Site and Content Rules
      • Who may access which sites and content, and when?
      • Default: All access
    • Both rules are required for Internet access
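A simplified model of the two-rule decision from slides 30 and 31, added here as an illustration and not ISA Server's own code: protocol rules default to no access, site and content rules default to all access, and a request goes out only if both rule sets allow it. The rule fields, user names, site names and schedule are constructed.

```python
from dataclasses import dataclass
from datetime import datetime

# Hypothetical, simplified model of ISA Server's outgoing-request decision.
# Not ISA Server's own code; the rule fields and the sample policy are constructed.

@dataclass(frozen=True)
class Rule:
    users: frozenset    # "*" matches any user
    targets: frozenset  # protocols for a protocol rule, site names for a site rule
    hours: range        # hours of the day (0-23) during which the rule applies
    allow: bool         # True = allow rule, False = deny rule

ANY = frozenset({"*"})

def _matches(rule, user, target, when):
    return (("*" in rule.users or user in rule.users)
            and ("*" in rule.targets or target in rule.targets)
            and when.hour in rule.hours)

def _decide(rules, user, target, when, default):
    """A matching deny rule wins; otherwise a matching allow rule; otherwise the default."""
    matched = [r for r in rules if _matches(r, user, target, when)]
    if any(not r.allow for r in matched):
        return False
    if any(r.allow for r in matched):
        return True
    return default

def outgoing_allowed(protocol_rules, site_rules, user, protocol, site, when):
    """Slide 31: protocol rules default to no access, site and content rules
    default to all access, and the request must pass BOTH rule sets."""
    return (_decide(protocol_rules, user, protocol, when, default=False)
            and _decide(site_rules, user, site, when, default=True))

# Constructed sample policy: two users may use HTTP/FTP during business hours,
# and one site is denied to everyone at any time.
BUSINESS_HOURS = range(8, 18)
PROTOCOL_RULES = [Rule(frozenset({"alice", "bob"}), frozenset({"HTTP", "FTP"}), BUSINESS_HOURS, True)]
SITE_RULES = [Rule(ANY, frozenset({"www.blocked.example"}), range(24), False)]
SAMPLE_TIME = datetime(2001, 3, 5, 10, 0)   # 10:00, inside business hours
AFTER_HOURS = datetime(2001, 3, 5, 22, 0)   # 22:00, outside business hours

def demo():
    """Decisions for a few constructed requests, keyed by case name."""
    cases = {
        "alice_http_allowed_site": ("alice", "HTTP", "www.msnbc.com", SAMPLE_TIME),
        "alice_http_denied_site": ("alice", "HTTP", "www.blocked.example", SAMPLE_TIME),
        "carol_no_protocol_rule": ("carol", "HTTP", "www.msnbc.com", SAMPLE_TIME),
        "alice_telnet_not_allowed": ("alice", "TELNET", "www.msnbc.com", SAMPLE_TIME),
        "alice_after_hours": ("alice", "HTTP", "www.msnbc.com", AFTER_HOURS),
    }
    return {name: outgoing_allowed(PROTOCOL_RULES, SITE_RULES, *args) for name, args in cases.items()}

if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'allow' if ok else 'deny'}")
```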
  • 32. ISA Server – Microsoft’s Firewall 为 Incoming Requests 制定规则
    • Server Publishing Rules
      • Redirect traffic for an external address / port to an internal address
    • Web Publishing Rules
      • Redirect Web requests only
      • Can redirect to multiple internal Web sites
      • Can choose port for redirection
      • Can perform SSL bridging
  • 33. ISA Server – Microsoft’s Firewall Firewall Planning
    • Assess needs for outgoing traffic
      • “Deny all” or “Allow all”
      • Research user requirements
      • Design required rules and policy elements
      • Plan for authentication (if required)
    • Assess needs for incoming traffic
      • Inventory resources that need to be accessed from the Internet.
      • Design the required rules and policy elements
  • 34. ISA Server – Microsoft’s Firewall Firewall Planning (continued)
    • Scaling
      • Arrays
      • Network Load Balancing (NLB)
      • DNS round robin
    • Perimeter Network Requirements
  • 35. Firewall Design: No External Access Required (diagram: Internet, Firewall, Internal Network)
  • 36. Firewall Design: Screened Host (diagram: Internet, Firewall, Screened Host, Internal Network)
  • 37. Firewall Design: Three-Homed Perimeter Network Design (diagram: Internet, Firewall, Perimeter Network, Internal Network)
  • 38. Firewall Design: Back-to-Back Perimeter Network Design (diagram: Internet, Firewall, Perimeter Network with Web Server, Firewall, Internal Network)
  • 39. Using Publishing And Routing Methods for Passing Network Traffic
    • Web Proxy Service
    • Firewall Service (proxy)
    • IP Routing (secured by packet filters)
  • 40. Using Publishing And Routing Comparing Publishing and Routing
    • Publishing Rules publish internal sites to the external network
    • Local Address Table (LAT) defines what is internal
    • Perimeter Network in three-homed design is treated as external network
    • Need to configure routing between two external networks
      • Routing is secured by packet filters
  • 41. Using Publishing And Routing Server Publishing
    • Reverse Network Address Translation (NAT)
    • External network to internal network
    • Sends packets received on external network interface to identical port on internal server
    • Mapping: each port on each external address can be mapped separately
    • Normally used for non-Web servers
  • 42. Using Publishing And Routing Web Publishing
    • Redirects requests for URLs received on external interface
    • Can redirect to multiple Web sites
    • Can redirect to internal or external sites
    (diagram: ISA Server between the Internet and the Internal Network, redirecting www.microsoft.com/ to www.internal.microsoft.com and www.microsoft.com/isaserver/ to isa.internal.microsoft.com)
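The two inbound mechanisms of slides 41 and 42 side by side, as an added illustration that is not ISA Server's own code: server publishing maps each (external address, port) pair separately to the same port on an internal server, and Web publishing redirects by host and path prefix, so the two paths drawn on slide 42 can reach different internal sites. The IP addresses and rule field names are constructed; the host names are the ones in the slide's diagram.

```python
from dataclasses import dataclass
from typing import Optional

# Hypothetical model of server publishing (reverse NAT, slide 41) and Web
# publishing (URL redirection, slide 42). Not ISA Server's code; the IP
# addresses are constructed, the host names come from the slide's diagram.

@dataclass(frozen=True)
class ServerPublishingRule:
    external_ip: str
    port: int
    internal_ip: str    # traffic is sent to the same port on this server

@dataclass(frozen=True)
class WebPublishingRule:
    external_host: str
    external_path: str  # path prefix on the published (external) name
    internal_host: str  # internal or external site to redirect to
    internal_path: str = "/"
    port: int = 80      # the redirection port can be chosen per rule

def route_server_publishing(rules, external_ip, port):
    """Reverse NAT: each (external address, port) pair maps separately, and a
    packet for an unpublished pair is dropped (ISA's default of no inbound access)."""
    for r in rules:
        if r.external_ip == external_ip and r.port == port:
            return (r.internal_ip, port)
    return None

def route_web_publishing(rules, host, path) -> Optional[str]:
    """Redirect a Web request by host and path prefix; the longest matching
    prefix wins, so /isaserver/ can go to a different site than /."""
    best = None
    for r in rules:
        if r.external_host == host and path.startswith(r.external_path):
            if best is None or len(r.external_path) > len(best.external_path):
                best = r
    if best is None:
        return None
    rest = path[len(best.external_path):]
    return f"http://{best.internal_host}:{best.port}{best.internal_path}{rest}"

# Constructed rules: SMTP on port 25 and POP3 on port 110 behind one external
# address, plus the two Web mappings drawn on slide 42.
SERVER_RULES = [
    ServerPublishingRule("203.0.113.10", 25, "10.0.0.5"),
    ServerPublishingRule("203.0.113.10", 110, "10.0.0.6"),
]
WEB_RULES = [
    WebPublishingRule("www.microsoft.com", "/", "www.internal.microsoft.com"),
    WebPublishingRule("www.microsoft.com", "/isaserver/", "isa.internal.microsoft.com"),
]

if __name__ == "__main__":
    print(route_server_publishing(SERVER_RULES, "203.0.113.10", 25))
    print(route_server_publishing(SERVER_RULES, "203.0.113.10", 143))   # None: not published
    print(route_web_publishing(WEB_RULES, "www.microsoft.com", "/isaserver/docs.htm"))
    print(route_web_publishing(WEB_RULES, "www.microsoft.com", "/products/"))
```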
  • 43. Using Publishing And Routing Secure Web Publishing
    • Client connection terminates at ISA Server computer
      • ISA Server can perform authentication
      • ISA Server needs Web server certificate
    • What about connection between ISA Server and internal Web server?
    • SSL bridging
      • Choice of HTTP-S, HTTP, or FTP
  • 44. Using Publishing And Routing Routing
    • Required for all protocols other than TCP or UDP
    • Required to access three-homed perimeter network (external to external)
    • ISA enforces packet filtering with routing
      • Note: packet filtering enhances security and increases performance
      • Warning: Do not enable routing outside of ISA Server
  • 45. Demonstration 1: Server Publishing And Web Publishing
    • Creating a Server Publishing Rule
    • Creating a Web Publishing Rule
  • 46. ISA Server Configuration Outgoing Traffic
    • Protocol Rules and Site and Content Rules
    • Packet filters
      • Protocols other than UDP or TCP
      • Applications or services running on ISA Server computer
      • Packet filters can override rules
  • 47. ISA Server Configuration Screened Host
    • Configure Server Publishing Rules
    • Configure Web Publishing Rules
  • 48. ISA Server Configuration Three-Homed Perimeter Network
    • Use routing with packet filtering for perimeter network servers
      • Servers need routable IP addresses
    • Use publishing between perimeter network and internal network
  • 49. ISA Server Configuration Back-to-Back Perimeter Network
    • Use Publishing Rules to publish servers on perimeter network to Internet
    • Use publishing rules to publish servers on internal network to perimeter network
    • Each ISA Server requires a separate LAT
  • 50. Miscellaneous Configuration Authentication
    • Firewall Clients
      • User-based, automatic
      • Requires client software, Win32 clients only, TCP and UDP only
    • SecureNAT Clients
      • By IP address
      • No client software, all platforms, all protocols
  • 51. Miscellaneous Configuration Authentication (continued)
    • Web Proxy client
      • By user (logged-on user or authentication dialog box)
      • Need to configure browser, etc.
      • Need to configure authentication methods:
        • Basic
        • Digest
        • Integrated
        • Certificates
  • 52. Miscellaneous Configuration Intrusion Detection
    • Technology licensed from Internet Security Systems (ISS)
    • Monitors for a number of common attacks
    • Extensive options for alerting
  • 53. Miscellaneous Configuration Server Hardening
    • Wizard applies security settings to make Windows 2000 Server even more secure
  • 54. Miscellaneous Configuration H.323 Gatekeeper
    • “ Switchboard” for H.323 Applications
      • NetMeeting
      • Voice over IP (VOIP)
      • Etc.
  • 55. Miscellaneous Configuration Message Screener
    • Works with SMTP Filter to screen SMTP Messages for
      • Users and domains
      • Attachments
      • Keywords
      • SMTP commands
    • Can run on ISA Server computer or other computer
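The four screening checks listed on slide 55 (users and domains, attachments, keywords, SMTP commands) as one small screener, added here as an illustration and not ISA Server's Message Screener code. The policy values and the sample message are constructed.

```python
from email import message_from_string
from email.mime.application import MIMEApplication
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText

# Hypothetical illustration of the four checks slide 55 lists for the Message
# Screener. Not ISA Server's code; the policy and the sample message are constructed.
POLICY = {
    "blocked_senders": {"spammer@bad.example"},
    "blocked_domains": {"bad.example"},
    "blocked_extensions": {".exe", ".vbs", ".scr"},
    "keywords": {"free money", "click here"},
    "blocked_commands": {"VRFY", "EXPN"},
}

def screen_command(line, policy=POLICY):
    """SMTP command screening: the verb is checked before any message arrives."""
    verb = line.split()[0].upper() if line.split() else ""
    return f"blocked SMTP command {verb}" if verb in policy["blocked_commands"] else None

def screen_message(raw, policy=POLICY):
    """Return the reasons a message would be held (empty list = deliver)."""
    msg = message_from_string(raw)
    reasons = []
    sender = (msg.get("From") or "").lower()
    addr = sender[sender.find("<") + 1:sender.rfind(">")] if "<" in sender else sender.strip()
    if addr in policy["blocked_senders"]:
        reasons.append(f"sender {addr}")
    if addr.rpartition("@")[2] in policy["blocked_domains"]:
        reasons.append(f"domain {addr.rpartition('@')[2]}")
    texts = [(msg.get("Subject") or "").lower()]      # keywords are checked in subject and body
    for part in msg.walk():
        name = part.get_filename()
        if name and name.lower().endswith(tuple(policy["blocked_extensions"])):
            reasons.append(f"attachment {name}")
        if part.get_content_type() == "text/plain":
            texts.append(part.get_payload(decode=True).decode(errors="replace").lower())
    for kw in sorted(policy["keywords"]):
        if any(kw in t for t in texts):
            reasons.append(f"keyword '{kw}'")
    return reasons

def sample_message():
    """Constructed message that trips every check."""
    m = MIMEMultipart()
    m["From"] = "Mallory <spammer@bad.example>"
    m["To"] = "alice@corp.example"
    m["Subject"] = "Free money inside"
    m.attach(MIMEText("Click here to claim your prize.", "plain"))
    m.attach(MIMEApplication(b"MZ-not-really-a-program", Name="prize.exe"))
    return m.as_string()

if __name__ == "__main__":
    print(screen_command("VRFY alice"))
    print(screen_message(sample_message()))
```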
  • 56. Demonstration 2: Message Screener
    • Blocking Users and Domains
    • Blocking Attachments
    • Blocking Key Words
  • 57. Miscellaneous Configuration VPN Configuration
    • Two types of connections:
      • Access by remote users
      • Connecting two networks
    • Wizards configure ISA Server and RRAS
      • ISA Server packet filters
      • RRAS configured as a VPN Server
    • RRAS performs all VPN functions
      • May require additional configuration
  • 58. Demonstration 3: VPN Configuration
    • Configuring a Local VPN
    • Configuring a Remote VPN
    • Reviewing VPN Configuration Settings
  • 59. Caching: Scalable, High-Performance Web Cache
  • 60. Cache Scenarios – Forward Proxy: Corpnet users connect to the Internet via ISA (diagram: Liz and John each send GET www.msnbc.com to the ISA Server cache, which sends GET www.msnbc.com on to the Internet)
  • 61. Cache Scenarios – Reverse Caching Internet
    • ISA Server looks like a Web server
    • Internally routes requests to multiple servers
    (diagram: Joe on the Internet requests “www.ms.com” and “www.ms.com/ISA”; DNS points at the ISA Server, whose cache routes /ISA to the Web Server on the Secure Network)
  • 62. Why Use Caching?
    • Faster browsing
    • Lower network bandwidth costs
    • Reduced load on web servers
    • More reliable data access
    • Increase performance
    • - and -
    • reduce costs
  • 63. ISA Server Caching Features
    • Web access acceleration
      • RAM caching: “Hot content” served from RAM
      • An efficient cache mechanism minimizes disk I/O
    • Active caching
    • Scheduled content download
    • Distributed caching mechanism
      • Cache Array Routing Protocol (CARP)
      • Hierarchical Caching
    • Tiered policy
  • 64. CARP on the Server (diagram: Client, Server 1, Server 2, Server 3, Cache, Internet; GET www.foo.com; “Do you have www.foo.com?”)
  • 65. CARP (Cache Array Routing Protocol)
    • Efficient
      • Distributed cache
      • Arrays scale linearly and balance the load
      • No content is duplicated across servers
      • Makes the most of cache size and cache hit rate
    • Reliable
      • Fault-tolerant, self-tuning arrays
      • When servers are added or removed, content is moved and reconfigured dynamically
    • Flexible
      • Routing can be implemented on server for best transparency, or on client for maximum efficiency
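The three CARP properties above (no duplicated content, linear scaling with balanced load, and only the affected content moving when a member joins or leaves) follow from a deterministic hash-based routing function. The block below is an added illustration of that idea using a rendezvous-style hash; it is not ISA Server's CARP implementation, and the member names and URL list are constructed.

```python
import hashlib

# Constructed illustration of CARP-style routing (a rendezvous hash), added
# to show the properties listed on slide 65. Not ISA Server's code; the
# member names and URL list are made up.

def _score(url, member):
    # Combine the URL and the member name into one deterministic hash value.
    digest = hashlib.sha256(f"{member}|{url}".encode()).digest()
    return int.from_bytes(digest[:8], "big")

def owner(url, members):
    """The member with the highest combined score caches this URL. Every
    array member (or CARP-aware client) computes the same answer, so nothing
    is duplicated and nobody has to ask 'do you have www.foo.com?'."""
    return max(members, key=lambda m: _score(url, m))

def distribute(urls, members):
    """Map each member to the URLs it owns (linear scaling, balanced load)."""
    table = {m: [] for m in members}
    for u in urls:
        table[owner(u, members)].append(u)
    return table

def moved_after_change(urls, before, after):
    """How many URLs change owner when the array membership changes.
    Only URLs owned by a departing member, or claimed by a joining one, move;
    everything else stays put, which is the dynamic reconfiguration on the slide."""
    return sum(1 for u in urls if owner(u, before) != owner(u, after))

URLS = [f"http://www.foo.com/page{i}.htm" for i in range(1000)]   # constructed
ARRAY = ["isa1", "isa2", "isa3"]                                    # constructed

if __name__ == "__main__":
    for member, owned in distribute(URLS, ARRAY).items():
        print(f"{member}: {len(owned)} URLs")
    print("moved when isa3 leaves:", moved_after_change(URLS, ARRAY, ARRAY[:2]))
    print("moved when isa4 joins:", moved_after_change(URLS, ARRAY, ARRAY + ["isa4"]))
```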
  • 66. Hierarchical Caching (Chaining): ~50% Traffic $avings Over Every WAN Link (diagram: New York, Tokyo, London, Internet)
  • 67. Other Bandwidth Savings
    • Traffic Prioritization
      • Impose bandwidth policy via UI
      • Manage inbound and outbound network traffic independently
      • Adds this layer on top of Windows 2000 QoS
    • Live media stream splitting
  • 68. Configuring Caching: Business Scenario (diagram: ISA, Clients, Internet)
  • 69. Configuring Caching: Allowing Internet Access
    • 4 simple steps
      • Verify LAT
      • Create a protocol access rule
      • Turn on HTTP and FTP Caching*
      • Define Proxy setting on all clients
    *enabled by default
  • 70. Configuring Caching Cache Expiration
    • Frequently
      • Cache is kept current, network performance may be degraded
    • Normally
      • Cache is somewhat current, network performance is considered
    • Less Frequently
      • Cache is less current, network performance is not degraded
    • Custom Settings
  • 71. Configuring Caching Active Caching
    • Enables ISA to fetch a new version of cached objects
      • Frequently
        • Cache is kept current, network performance is degraded
      • Normally
        • Network performance is considered when updating the cache
      • Less Frequently
        • Cache is less current, network performance is not degraded
  • 72. Configuring Caching Advanced Cache Settings
    • Allows control over what content is cached
      • Size of objects to cache
      • Dynamic content
      • Maximum URL cached in memory
    • Control what action to take with expired cache objects
      • Return an error
      • -or-
      • Return expired object
  • 73. Configuring Caching Adjusting Cache Size
    • Properties of server
      • Creates a .cdat file of equivalent size
      • 4-8 MB for each client
    (dialog: LONDON Properties, Cache Drives tab: Specify the size of the cache; columns Drive, Type, Disk space, Free space, Cache Size; Maximum cache size (MB): 100; Total disk space (MB): 39064; Total maximum cache size (MB): 100)
  • 74. Demonstration 4: Configure Caching
    • Enabling HTTP and FTP Caching
    • Examining Cache configuration
    • Allowing Internet Access
  • 75. Management Tiered policy and flexible management integrates with Windows 2000
  • 76. Policy & Rules
    • Enterprise & array-level
    • Access control
      • By user/group
      • By application
      • By destination
      • By content type
      • By schedule
    • Bandwidth priorities
  • 77. Tasks Pads and Wizards
    • Tasks Pads
      • The easy way to set up and maintain
    • Wizards
      • Step-by-step for complex tasks
  • 78. Alerting
    • Alerting
      • Flexible alert dispatch mechanism
    (diagram: intrusion, system event and violation alerts flowing into ISA Server)
  • 79. Logging, reporting, monitoring
    • Logging
      • Packet log
      • Session log
    • Reporting
      • Daily summaries
      • Popular reports
    • Monitoring
      • Active connections
      • Performance counters
  • 80. Extensibility Superior extensibility and customizability
  • 81. Extensibility Mechanisms
    • Application filters
      • Smart inspection of data streams
    • Web filters
      • Based on ISAPI
    • Administration COM object
      • All administrative properties and actions available programmatically (read/write)
    • Cache APIs
    • MMC snap-ins
      • Extend the ISA Server user interface
    • Storage
      • Integrate with array propagation, backup/restore
    • Alerts
  • 82. A Community of ISVs
  • 83. Summary Secure, Fast Internet Connectivity
  • 84. ISA Server Competitive Advantages
    • Best Windows Integration
      • Active Directory
      • Networking Features
      • Windows applications
    • Integrated Firewall and Web Cache Management
      • Unified Policy and Access Control
      • Unified Management
    • Scale up and Scale Out for the Enterprise
      • Tiered Policy Management
      • Scale Up - SMP optimized
      • Scale Out - NLB and CARP
    • Lower TCO
      • Integrated Services
      • Leverage Existing Skills
      • Works with what you have
      • Extensible Open Platform
  • 85. Key Takeaways
    • Firewall & cache integration
    • Multi-layered firewall with smart filters
    • High performance and scalable cache
    • Designed for reverse caching and secure publishing
    • Integrated VPN, intrusion detection, reporting, bandwidth control
    • Tiered policy model
    • Extensibility
  • 86. http://www.microsoft.com/ISAServer