Security and Speed, Perfectly Combined (安全与速度的完美结合.ppt, 86 slides)
Slide 1
Hao Xueying (郝雪莹), Microsoft China
Security and Speed, Perfectly Combined
Microsoft Internet Security and Acceleration Server 2000

Slide 2: Agenda
- Product overview
- Deployment scenarios
- Firewall
- Caching
- Management
- Extensibility

Slide 3: New Opportunities, New Challenges
Opportunities:
- Connect your customers, partners and employees over the network
- E-commerce on the Web brings your business new opportunities
- A resource-limited intranet becomes a network merged into the Internet
Challenges:
- The network is exposed to every hacker, virus and unauthorized user
- Competition is fierce; your Web site must provide fast, reliable service
- Managing such a network demands more advanced skills

Slide 4: The Connected Business, New Concerns
- Protect your internal network from hackers and other intruders
- Manage and control network access
- Speed up network access while protecting valuable bandwidth

Slide 5: Microsoft's View of Security
- Security flaws and virus attacks are serious, costly, industry-wide problems
- Internet security is the most fundamental consideration for digital business worldwide
- As the industry leader, Microsoft has a special responsibility to protect the Internet and customer data

Slide 6: Microsoft ISA Server 2000: Security and Speed, Perfectly Combined
- Secure network connectivity: protect the network environment with a scalable, multi-layered firewall
- Fast Web access: a scalable, high-performance Web cache
- Unified management: robust policy and management integrated with Windows 2000
- Extensible open platform: an advanced platform that can be extended and customized

Slide 7: What Is ISA Server 2000
- Firewall and cache
- ISA Server editions: ISA Server Standard Edition; ISA Server Enterprise Edition

Slide 8: Microsoft ISA Server 2000 Standard Edition vs. Enterprise Edition feature comparison (table not captured in this text)

Slide 9: What Is ISA Server 2000: ISA system requirements (not captured in this text)

Slide 10: Firewall & Cache
- Both belong at the network edge, the point where the networks meet
- Modular installation
- Unified management: MMC; Logging and Reporting; Monitoring and Alerting
- Consistent access policy
- Low training and maintenance costs

Slide 11: Tight Integration with Windows 2000
- Security: packet filtering; network address translation (NAT & SecureNAT); Authentication; System Hardening; virtual private networking (VPN)
- Management: MMC; Terminal Services; Event log; Active Directory (array configuration and policy data; NOT required!)
- Bandwidth control
- Transparent support for clients and servers on other platforms

Slide 12: Much More Than "Proxy Server 3.0"
- Transparency for all clients and servers
- Enterprise policy
- Group policy
- Schedules
- Active Directory integration
- Extensible application filters
- SMTP filter
- Streaming media splitting
- H.323 filter & Gatekeeper
- MMC-based UI
- Task Pads, wizards
- Remote administration
- Configuring Exchange server behind firewall
- IIS separation
- RAM caching
- New cache store
- Scheduled content download
- VPN integration
- Intrusion detection
- System hardening
- NTLM & Kerberos authentication
- Dual-hop SSL
- Customizable alerts
- Logging: W3C format, selectable fields
- Integrated reporting
- Bandwidth control
- New APIs
- Modular installation

Slide 13: Deployment Scenarios (Microsoft Internet Security & Acceleration Server 2000)

Slide 14: Small Organization
[Diagram: Internet, ISA Server]

Slide 15: Large Enterprise
[Diagram: Internet; ISA Server firewall & cache, jointly managed]

Slide 16: DMZ & Secure Publishing
[Diagram: Internet, ISA#2, ISA#1, DMZ#1, Intranet]

Slide 17: Chaining
[Diagram: ISA Server, ISA Server Array, leased line or VPN connection, Branch, Main, Internet, Firewall]

Slide 18: Firewall: Protect the Network Environment with a Scalable, Multi-Layered Firewall

Slide 19: Why Use a Firewall?
- Protect yourself from hackers, viruses and unauthorized users
- Control outbound Internet access
- Protect web servers and email servers
- More secure data access
- Protect critical data and information, and manage access to information

Slide 20: ISA Server Firewall
- Packet, circuit, and application-level traffic screening
- Stateful inspection examines traffic in its context
- Reduce risk of unauthorized access
- Analyze or modify content with "Smart" application filters
- Integrated intrusion detection: based on technology licensed from Internet Security Systems (ISS)
- Secure publishing: protect servers accessible to the outside world
- System hardening: "lock down" the operating system, further strengthening security
- Integrated with Windows 2000 VPN: wizard for easy configuration

Slide 21: Multi-Layered Firewall
Bottom-up protection at every level:
- Packet level: static filters; dynamic filters; intrusion detection
- Circuit (protocol) level: session-based filtering; connection association
- Application level: intelligent payload inspection
[Diagram: Packet level, Circuit level, Application level]

Slide 22: Smart Application Filters
- Protocol-aware filters: analyze the traffic; block, redirect, modify
- Intelligent filtering out-of-the-box:
  - HTTP: Web request caching
  - SMTP: traffic filtering
  - Streaming media: stream splitting
  - FTP: read-only restriction
  - H.323: NetMeeting through the firewall

Slide 23: Intrusion Detection

Slide 24: Additional Security Features
- VPN integration: integrated with Windows 2000 VPN; wizard for easy configuration
- System hardening wizard: "lockdown" for the operating system; three pre-defined levels
- Secure publishing: SSL bridging; encrypted tunneling

Slide 25: ISA Server, Microsoft's Firewall: ISA Server Features
- Multi-layered firewall
- Centralized or distributed management
- Publishing
- ICSA certified

Slide 26: ISA Server, Microsoft's Firewall: How a Firewall Protects
A firewall filters network traffic that enters or leaves a protected network. Decisions are based on:
- IP address, protocol and port number
- Connection establishment
- IP packet payload
- Application filtering
- Authentication
- Logging and Alerting

Slide 27: ISA Server, Microsoft's Firewall: ISA Server Architecture [diagram]

Slide 28: ISA Server, Microsoft's Firewall: Outgoing FW Traffic Flow [diagram]

Slide 29: ISA Server, Microsoft's Firewall: Incoming FW Traffic Flow [diagram]

Slide 30: ISA Server, Microsoft's Firewall: ISA Server Defaults
- No incoming or outgoing traffic unless specifically allowed, except:
  - ISA Server can perform DNS lookups
  - Pinging from ISA Server

Slide 31: ISA Server, Microsoft's Firewall: Rules for Outgoing Requests
- Protocol Rules: who may use which protocols to access what, and when? Default: No access
- Site and Content Rules: who may access which sites and content, and when? Default: All access
- Both kinds of rule are required for Internet access

Slide 32: ISA Server, Microsoft's Firewall: Rules for Incoming Requests
- Server Publishing Rules: redirect traffic for an external address/port to an internal address
- Web Publishing Rules: redirect Web requests only; can redirect to multiple internal Web sites; can choose the port for redirection; can perform SSL bridging

Slide 33: ISA Server, Microsoft's Firewall: Firewall Planning
- Assess needs for outgoing traffic: "Deny all" or "Allow all"; research user requirements; design the required rules and policy elements; plan for authentication (if required)
- Assess needs for incoming traffic: inventory resources that need to be accessed from the Internet; design the required rules and policy elements

Slide 34: ISA Server, Microsoft's Firewall: Firewall Planning (continued)
- Scaling: Arrays; Network Load Balancing (NLB); DNS round robin
- Perimeter network requirements

Slide 35: Firewall Design: No External Access Required

Slide 36: Firewall Design: Screened Host
[Diagram: Internet, Firewall, Screened Host, Internal Network]

Slide 37: Firewall Design: Three-Homed Perimeter Network Design
[Diagram: Internet, Firewall, Perimeter Network, Internal Network]

Slide 38: Firewall Design: Back-to-Back Perimeter Network Design

Slide 39: Using Publishing and Routing: Methods for Passing Network Traffic
- Web Proxy Service
- Firewall Service (proxy)
- IP Routing (secured by packet filters)

Slide 40: Using Publishing and Routing: Comparing Publishing and Routing
- Publishing Rules publish internal sites to the external network
- The Local Address Table (LAT) defines what is internal
- The perimeter network in a three-homed design is treated as an external network
- Routing must be configured between two external networks
- Routing is secured by packet filters

Slide 41: Using Publishing and Routing: Server Publishing
- Reverse Network Address Translation (NAT): external network to internal network
- Sends packets received on the external network interface to the identical port on the internal server
- Mapping: each port on each external address can be mapped separately
- Normally used for non-Web servers

Slide 42: Using Publishing and Routing: Web Publishing
- Redirects requests for URLs received on the external interface
- Can redirect to multiple Web sites
- Can redirect to internal or external sites

Slide 43: Using Publishing and Routing: Secure Web Publishing
- The client connection terminates at the ISA Server computer
- ISA Server can perform authentication
- ISA Server needs a Web server certificate
- What about the connection between ISA Server and the internal Web server? SSL bridging: choice of HTTP-S, HTTP, or FTP

Slide 44: Using Publishing and Routing: Routing
- Required for all protocols other than TCP or UDP
- Required to access a three-homed perimeter network (external to external)
- ISA enforces packet filtering with routing
- Note: packet filtering enhances security and increases performance
- Warning: do not enable routing outside of ISA Server

Slide 45: Demonstration 1: Server Publishing and Web Publishing
- Creating a Server Publishing Rule
- Creating a Web Publishing Rule

Slide 46: ISA Server Configuration: Outgoing Traffic
- Protocol Rules and Site and Content Rules
- Packet filters: protocols other than UDP or TCP; applications or services running on the ISA Server computer
- Packet filters can override rules

Slide 47: ISA Server Configuration: Screened Host
- Configure Server Publishing Rules
- Configure Web Publishing Rules

Slide 48: ISA Server Configuration: Three-Homed Perimeter Network
- Use routing with packet filtering for perimeter network servers
- Servers need routable IP addresses
- Use publishing between the perimeter network and the internal network

Slide 49: ISA Server Configuration: Back-to-Back Perimeter Network
- Use Publishing Rules to publish servers on the perimeter network to the Internet
- Use Publishing Rules to publish servers on the internal network to the perimeter network
- Each ISA Server requires a separate LAT

Slide 50: Miscellaneous Configuration: Authentication
- Firewall Clients: user-based, automatic; requires client software; Win32 clients only; TCP and UDP only
- SecureNAT Clients: by IP address; no client software; all platforms, all protocols

Slide 51: Miscellaneous Configuration: Authentication (continued)
- Web Proxy client: by user (logged-on user or authentication dialog box)
- Need to configure the browser, etc.
- Need to configure authentication methods: Basic; Digest; Integrated; Certificates

Slide 52: Miscellaneous Configuration: Intrusion Detection
- Technology licensed from Internet Security Systems (ISS)
- Monitors for a number of common attacks
- Extensive options for alerting

Slide 53: Miscellaneous Configuration: Server Hardening
- Wizard applies security settings to make Windows 2000 Server even more secure

Slide 54: Miscellaneous Configuration: H.323 Gatekeeper
- "Switchboard" for H.323 applications: NetMeeting; Voice over IP (VoIP); etc.

Slide 55: Miscellaneous Configuration: Message Screener
- Works with the SMTP Filter to screen SMTP messages for: users and domains; attachments; keywords; SMTP commands
- Can run on the ISA Server computer or on another computer

Slide 56: Demonstration 2: Message Screener
- Blocking Users and Domains
- Blocking Attachments
- Blocking Keywords

Slide 57: Miscellaneous Configuration: VPN Configuration
- Two types of connections: access by remote users; connecting two networks
- Wizards configure ISA Server and RRAS: ISA Server packet filters; RRAS configured as a VPN server
- RRAS performs all VPN functions
- May require additional configuration

Slide 58: Demonstration 3: VPN Configuration
- Configuring a Local VPN
- Configuring a Remote VPN
- Reviewing VPN Configuration Settings

Slide 59: Caching: A Scalable, High-Performance Web Cache

Slide 60: Cache Scenarios: Forward Proxy
[Diagram: Internet, Liz, ISA Server] Corpnet users connect to the Internet via ISA

Slide 61: Cache Scenarios: Reverse Caching
[Diagram: Internet] ISA Server looks like a Web server and internally routes requests to multiple servers

Slide 62: Why Use Caching?
- Faster browsing
- Lower network bandwidth costs
- Less load on web servers
- More reliable data access
- Increase performance and reduce costs

Slide 63: ISA Server Caching Features
- Web access acceleration: RAM caching ("hot content" served from RAM); an efficient cache mechanism minimizes disk I/O; active caching; scheduled content download
- Distributed caching: Cache Array Routing Protocol (CARP); hierarchical caching; tiered policy

Slide 64: CARP on the Server [diagram]

Slide 65: CARP (Cache Array Routing Protocol)
- Efficient: distributed cache; arrays scale linearly and balance the load; no content is duplicated across servers; makes the most effective use of cache size and cache hit ratio
- Reliable: fault-tolerant, self-tuning arrays; when servers are added or removed, content migration and reconfiguration happen dynamically
- Flexible: routing can be implemented on the server for best transparency, or on the client for maximum efficiency

Slide 66: Hierarchical Caching (Chaining)
[Diagram: Internet; New York, Tokyo, London; "50% Traffic $avings Over Every WAN Link"]

Slide 67: Other Bandwidth Savings
- Traffic prioritization: impose bandwidth policy via the UI; manage inbound and outbound network traffic independently; adds this layer on top of Windows 2000 QoS
- Live media stream splitting

Slide 68: Configuring Caching: Business Scenario

Slide 69: Configuring Caching: Allowing Internet Access
4 simple steps:
1. Verify the LAT
2. Create a protocol access rule
3. Turn on HTTP and FTP caching (enabled by default)
4. Define the proxy setting on all clients

Slide 70: Configuring Caching: Cache Expiration
- Frequently: cache is kept current; network performance may be degraded
- Normally: cache is somewhat current; network performance is considered
- Less Frequently: cache is less current; network performance is not degraded
- Custom Settings

Slide 71: Configuring Caching: Active Caching
Enables ISA to fetch a new version of cached objects.
- Frequently: cache is kept current; network performance is degraded
- Normally: network performance is considered when updating the cache
- Less Frequently: cache is less current; network performance is not degraded

Slide 72: Configuring Caching: Advanced Cache Settings
- Allows control over what content is cached: size of objects to cache; dynamic content; maximum URL cached in memory
- Control what action to take with expired cache objects: return an error, or return the expired object

Slide 73: Configuring Caching: Adjusting Cache Size
[Screenshot: LONDON Properties, Cache Drives tab. Columns: Drive, Type, Disk space, Free space, Cache Size. "Specify the size of the cache." Maximum cache size (MB): 100; Total disk space (MB): 39064; Total maximum cache size (MB): 100]
- Properties of the server
- Creates a .cdat file of equivalent size
- 4-8 MB for each client

Slide 74: Demonstration 4: Configure Caching
- Enabling HTTP and FTP Caching
- Examining the cache configuration
- Allowing Internet Access

Slide 75: Management: Tiered Policy and Flexible Management Integrated with Windows 2000

Slide 76: Policy & Rules
- Enterprise- and array-level
- Access control: by user/group; by application; by destination; by content type; by schedule
- Bandwidth priorities

Slide 77: Task Pads and Wizards
- Task Pads: the easy way to set up and maintain
- Wizards: step-by-step for complex tasks

Slide 78: Alerting
- Flexible alert dispatch mechanism [Diagram: ISA Server]

Slide 79: Logging, Reporting, Monitoring
- Logging: packet log; session log
- Reporting: daily summaries; popular reports
- Monitoring: active connections; performance counters

Slide 80: Extensibility: Superior Extensibility and Customizability

Slide 81: Extensibility Mechanisms
- Application filters: smart inspection of data streams
- Web filters: based on ISAPI
- Administration COM object: all administrative properties and actions available programmatically (read/write)
- Cache APIs
- MMC snap-ins: extend the ISA Server user interface
- Storage: integrate with array propagation, backup/restore
- Alerts

Slide 82: A Community of ISVs

Slide 83: Summary: Secure, Fast Internet Connectivity

Slide 84: ISA Server Competitive Advantages
- Best Windows integration: Active Directory; networking features; Windows applications
- Integrated firewall and Web cache management: unified policy and access control; unified management
- Scale up and scale out for the enterprise: tiered policy management; scale up: SMP optimized; scale out: NLB and CARP
- Lower TCO: integrated services; leverage existing skills; works with what you have; extensible open platform

Slide 85: Key Takeaways
- Firewall & cache integration
- Multi-layered firewall with smart filters
- High-performance and scalable cache
- Designed for reverse caching and secure publishing
- Integrated VPN, intrusion detection, reporting, bandwidth control
- Tiered policy model
- Extensibility

Slide 86: http:/
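The two-rule check for outgoing requests that slides 31 and 46 describe (Protocol Rules default to no access, Site and Content Rules default to all access, and both must allow), modelled as an added example that is not code from the deck or from ISA Server. The rule fields (user, protocol, destination, hours of the day), the sample policy, and the deny-before-allow ordering are this model's assumptions, not details taken from the slides.

```python
"""Model of the two-rule check ISA Server 2000 applies to outgoing requests.
Added illustration, not Microsoft code; rule shape and ordering are assumed."""
from dataclasses import dataclass
from datetime import datetime


@dataclass
class Rule:
    action: str                          # "allow" or "deny"
    users: frozenset = frozenset()       # empty = any user
    protocols: frozenset = frozenset()   # empty = any protocol
    sites: frozenset = frozenset()       # empty = any destination
    hours: range = range(0, 24)          # schedule: hours of the day the rule covers

    def matches(self, user, protocol, site, when):
        return ((not self.users or user in self.users)
                and (not self.protocols or protocol in self.protocols)
                and (not self.sites or site in self.sites)
                and when.hour in self.hours)


def decide(rules, default, user, protocol, site, when):
    """A matching deny wins over a matching allow (assumed ordering); with no match the default applies."""
    hits = [r for r in rules if r.matches(user, protocol, site, when)]
    if any(r.action == "deny" for r in hits):
        return False
    if any(r.action == "allow" for r in hits):
        return True
    return default


def outgoing_allowed(protocol_rules, site_rules, user, protocol, site, when):
    """Slide 31: Protocol Rules default to no access, Site and Content Rules to all access; both must allow."""
    return (decide(protocol_rules, False, user, protocol, site, when)
            and decide(site_rules, True, user, protocol, site, when))


# Constructed sample policy: staff may use HTTP/HTTPS during office hours; one destination is denied for everyone.
PROTOCOL_RULES = [Rule("allow", users=frozenset({"staff"}),
                       protocols=frozenset({"HTTP", "HTTPS"}), hours=range(8, 18))]
SITE_RULES = [Rule("deny", sites=frozenset({"games.example"}))]


def demo():
    noon, late = datetime(2001, 3, 1, 12, 0), datetime(2001, 3, 1, 23, 0)

    def check(user, proto, site, when):
        return outgoing_allowed(PROTOCOL_RULES, SITE_RULES, user, proto, site, when)
    return {
        "staff_http_noon": check("staff", "HTTP", "www.example", noon),      # allowed by both rule sets
        "staff_http_late": check("staff", "HTTP", "www.example", late),      # no protocol rule matches -> default deny
        "staff_ftp_noon": check("staff", "FTP", "www.example", noon),        # site rules allow by default, protocol rules do not
        "staff_http_games": check("staff", "HTTP", "games.example", noon),   # protocol rule allows, site rule denies
        "guest_http_noon": check("guest", "HTTP", "www.example", noon),      # no protocol rule for this user
    }
```

Only the first request passes: every other case fails one of the two rule sets, which is the "both rules are necessary" point of slide 31.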
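The CARP properties claimed on slide 65 (each URL is owned by exactly one array member so content is not duplicated, load is balanced, and adding or removing a member moves only part of the content), shown with an added example that is not Microsoft's code or the CARP specification's exact algorithm: a simplified rendezvous (highest-random-weight) hash stands in for CARP's hash routing (assumption), and the URLs and member names ISA1..ISA4 are constructed.

```python
"""Simplified model of CARP member selection (slide 65).
Added illustration; rendezvous hashing is an assumed stand-in for the CARP draft's hash functions."""
import hashlib


def score(url, member):
    # Combine the URL with the member name; the member with the highest score owns the URL.
    digest = hashlib.sha256(f"{member}|{url}".encode()).digest()
    return int.from_bytes(digest[:8], "big")


def owner(url, members):
    """Exactly one member is chosen per URL, independent of member order: no duplicated content."""
    return max(members, key=lambda m: score(url, m))


def distribution(urls, members):
    """URLs per member; near-equal counts show the load balancing the slide describes."""
    counts = {m: 0 for m in members}
    for u in urls:
        counts[owner(u, members)] += 1
    return counts


def moved_fraction(urls, before, after):
    """Fraction of URLs whose owner changes when the array changes.
    Adding one member to n moves about 1/(n+1) of the content; removing one moves only its own URLs."""
    moved = sum(1 for u in urls if owner(u, before) != owner(u, after))
    return moved / len(urls)


# Constructed sample: 2000 distinct URLs and a three-member array.
URLS = [f"http://www.example.com/page{i}.html" for i in range(2000)]
ARRAY = ["ISA1", "ISA2", "ISA3"]


def demo():
    return {
        "counts": distribution(URLS, ARRAY),
        "moved_on_add": moved_fraction(URLS, ARRAY, ARRAY + ["ISA4"]),
        "moved_on_remove": moved_fraction(URLS, ARRAY, ARRAY[:-1]),
    }


if __name__ == "__main__":
    print(demo())
```

Because the owner depends only on the URL and the member name, every array member (or CARP-aware client) computes the same owner without a shared table, which is what lets routing run on either the server or the client.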
Link: https://www.31ppt.com/p-6158566.html