Welcome!

Blog Feed Post

How To Protect Your Network: Microsoft ISA Firewall Server Best Practices

Microsoft Internet Security and Acceleration (ISA) ServerThis is the third article in our series “Protecting Your Network”. We previously discussed common firewall best practices and compared some of the most popular products to manage your network security. In this article we’ll focus on best practices specifically to Microsoft Internet Security and Acceleration (ISA) Server.

Let’s start looking at some recommendations to configure then Microsoft ISA firewall so it provides the best level of security, reliability and performance possible. There are too many items to describe all of them in this article, so we’ll focus on the most important items that you should pay attention to. The overview is not in any particular order so items higher in the list are not necessarily more important.

  1. ISA Server comes with a Firewall and Web Proxy client. You should deploy these clients to get superior performance over what a hardware firewall provides. The combination of ISA server and its clients provide an intelligent security solution, more so than an appliance without clients can offer.
  1. The ISA firewall should have only one DNS server configured on its interfaces, and that DNS server address must be configured on its internal interface (or whatever interface is closest to an internal DNS server that can resolve Internet host names). Never put an external DNS server on any of the ISA firewall’s interfaces, and never enter a DNS server address on more than one ISA firewall interface.
  1. When investigating a possible attack, use www.arin.net and do a Whois search on the IP address. This should be the first thing you do when you detect unusual activity in your firewall logs.
  1. Use DMZ networks connected to the ISA firewall to limit access to different security zones within your organization. Put ISA firewalls between different security zones to make sure you are protected against attacks sourcing from different security zones.
  1. Do not consolidate other server functions (file server, web server, etc) with the ISA server. The ISA firewall is a just that; a firewall.
  1. Harden the server using the ISA firewall hardening guides located at http://www.microsoft.com/isaserver/techinfo/guidance/2004/planning.mspx
  1. Typically there is no reason to enable NetBT on the external interface of the ISA firewall. If you don’t need it, disable it.
  1. There typically isn’t a reason to enable the Server service on the external interface of the ISA firewall, as it is used to enable access to shared resources on the ISA firewall. In general, the Server service should be disabled on all interfaces of the ISA firewall, but there can be side effects, such as being unable to access the Firewall client share on the ISA firewall if you installed it there. It is best to place the client installation files on a network share hosted by a file server. You shouldn’t run into any issues if the Server service is unbound only from the external interface.
  1. On Windows 2000, the Alerter and Messenger services should be disabled on the ISA firewall. Windows Server 2003 turns off these services by default, or they are turned off as part of running the Security Configuration Wizard on a Windows Server 2003 Service Pack 1 ISA firewall.
  1. Install Network monitor for troubleshooting issues. Microsoft Network Monitor comes with Windows, and you can install it Monitor either before or after the ISA firewall software is installed.
  1. The ISA firewall shouldn’t be used as a workstation; it is a network firewall representing an important component of your network security infrastructure. Don’t use client applications, such as Internet Explorer, on the ISA firewall and don’t disable the enhanced IE security configuration that is part of Windows Server 2003 Internet Explorer.
  1. If users complain about decreased performance of the Web, configure the clients as Web Proxy clients and configure the web browsers to use HTTP 1.1.
  1. Make sure to patch the base operating system before installing ISA. Innstall the base operating system on a protected network, so that you can safely install the operating system and then update the operating system before installing the ISA firewall software. Connect the ISA firewall device to the Internet only after the operating system is patched and the ISA firewall software is installed.
  1. You can rename the network interfaces installed on the ISA firewall from Local Area Connection 1 and Local Area Connection 2 to something more meaningful, such as WAN, LAN, and DMZ. This is helpful when you have a lot of interfaces installed on the ISA firewall device.
  1. The ISA firewall can mitigate worm and other automated attacks by enforcing connection limits. You can configure connection limits by going to the General node in the ISA firewall console and Define Connection Limits.

The above list represents only some of the recommendation to configuring your ISA Firewall and certainly doesn’t cover all of the aspects. If you want to analyze your implementation of ISA Server it is a good idea to download the Microsoft Best Practice Analyzer Tool from the Microsoft website and run this against your ISA Server. The tool is compatible with ISA Server 2004, 2006, and Forefront TMG: http://www.microsoft.com/download/en/details.aspx?id=811.

The Microsoft TechNet website is a great resource that offers a lot of information about how to configure your ISA server for your environment, performance best practices (http://technet.microsoft.com/en-us/library/cc302518.aspx) , and troubleshooting performance issues (http://technet.microsoft.com/en-us/library/cc302601.aspx)

Recommended Metrics for Load and Security Monitoring

To maintain and manage the health of ISA Server, it is necessary to monitor its performance and watch for any possible anomalies. The following sections list resource counters and ISA Server counters that help troubleshoot ISA Server performance problems. It is recommended that these counters be samples on a regular basis at a rate of several samples per minute.

The performance counters that should be tracked can be grouped in the following categories:

Base subsystem metrics:

  • Processor Subsystem
  • Network Subsystem
  • Disk Subsystem

ISA Server specific metrics:

  • ISA Server Firewall Engine
  • ISA Server Firewall Service
  • ISA Server Web Proxy
  • ISA Server Cache

Between the Processor, Disk, and Network subsystems, as well as the ISA specific metrics, there are many counters that can be measured, but for the purpose of providing a general, yet effective monitor, we’ll focus on the most recommended performance counters only. For those interested, a complete overview of the subsystem metrics and all the ISA supported performance counters can be found in the article; Advanced ISA Monitoring.

Microsoft recommends that, to monitor the general performance of your ISA server, the following metrics should be monitored:

Load Monitoring

Performance Counter Description
ISA Server Firewall Engine Active Connections
ISA Server Firewall Service Active Sessions
ISA Server Web Proxy Requests/sec
ISA Server Firewall Engine Bytes/sec
Security Monitoring
Category Performance Counter Name
ISA Server Firewall Engine Dropped packets/sec
ISA Server Firewall Engine Packets/sec
ISA Server Firewall Engine Connections/sec
ISA Server Web Proxy Average Milliseconds/request

These metrics offer a generic insight in your ISA server’s performance. Like previously mentioned, ISA server offers a lot more performance counters that can be queried to get more detailed information about the Firewall Engine, Web Proxy, and ISA cache. These will be discussed in the article; Advanced ISA Monitoring. The basic performance metrics that we mentioned in this article are included in the Custom Monitis ISA Monitor that is available for download. You can find full details about this monitor in the article: “Monitoring ISA Server with Monitis”.

Share Now:del.icio.usDiggFacebookLinkedInBlinkListDZoneGoogle BookmarksRedditStumbleUponTwitterRSS

Read the original blog entry...

More Stories By Hovhannes Avoyan

Hovhannes Avoyan is the CEO of PicsArt, Inc.,

Latest Stories
SYS-CON Events announced today that TidalScale will exhibit at SYS-CON's 21st International Cloud Expo®, which will take place on Oct 31 – Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA. TidalScale is the leading provider of Software-Defined Servers that bring flexibility to modern data centers by right-sizing servers on the fly to fit any data set or workload. TidalScale’s award-winning inverse hypervisor technology combines multiple commodity servers (including their ass...
SYS-CON Events announced today that Avere Systems, a leading provider of hybrid cloud enablement solutions, will exhibit at SYS-CON's 21st International Cloud Expo®, which will take place on Oct 31 – Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA. Avere Systems was created by file systems experts determined to reinvent storage by changing the way enterprises thought about and bought storage resources. With decades of experience behind the company’s founders, Avere got its ...
The next XaaS is CICDaaS. Why? Because CICD saves developers a huge amount of time. CD is an especially great option for projects that require multiple and frequent contributions to be integrated. But… securing CICD best practices is an emerging, essential, yet little understood practice for DevOps teams and their Cloud Service Providers. The only way to get CICD to work in a highly secure environment takes collaboration, patience and persistence. Building CICD in the cloud requires rigorous ar...
Microsoft Azure Container Services can be used for container deployment in a variety of ways including support for Orchestrators like Kubernetes, Docker Swarm and Mesos. However, the abstraction for app development that support application self-healing, scaling and so on may not be at the right level. Helm and Draft makes this a lot easier. In this primarily demo-driven session at @DevOpsSummit at 21st Cloud Expo, Raghavan "Rags" Srinivas, a Cloud Solutions Architect/Evangelist at Microsoft, wi...
Containers are rapidly finding their way into enterprise data centers, but change is difficult. How do enterprises transform their architecture with technologies like containers without losing the reliable components of their current solutions? In his session at @DevOpsSummit at 21st Cloud Expo, Tony Campbell, Director, Educational Services at CoreOS, will explore the challenges organizations are facing today as they move to containers and go over how Kubernetes applications can deploy with lega...
Today most companies are adopting or evaluating container technology - Docker in particular - to speed up application deployment, drive down cost, ease management and make application delivery more flexible overall. As with most new architectures, this dream takes significant work to become a reality. Even when you do get your application componentized enough and packaged properly, there are still challenges for DevOps teams to making the shift to continuous delivery and achieving that reducti...
We all know that end users experience the Internet primarily with mobile devices. From an app development perspective, we know that successfully responding to the needs of mobile customers depends on rapid DevOps – failing fast, in short, until the right solution evolves in your customers' relationship to your business. Whether you’re decomposing an SOA monolith, or developing a new application cloud natively, it’s not a question of using microservices – not doing so will be a path to eventual b...
In his session at 21st Cloud Expo, Raju Shreewastava, founder of Big Data Trunk, will provide a fun and simple way to introduce Machine Leaning to anyone and everyone. Together we will solve a machine learning problem and find an easy way to be able to do machine learning without even coding. Raju Shreewastava is the founder of Big Data Trunk (www.BigDataTrunk.com), a Big Data Training and consulting firm with offices in the United States. He previously led the data warehouse/business intellige...
In a recent survey, Sumo Logic surveyed 1,500 customers who employ cloud services such as Amazon Web Services (AWS), Microsoft Azure, and Google Cloud Platform (GCP). According to the survey, a quarter of the respondents have already deployed Docker containers and nearly as many (23 percent) are employing the AWS Lambda serverless computing framework. It’s clear: serverless is here to stay. The adoption does come with some needed changes, within both application development and operations. Tha...
As hybrid cloud becomes the de-facto standard mode of operation for most enterprises, new challenges arise on how to efficiently and economically share data across environments. In his session at 21st Cloud Expo, Dr. Allon Cohen, VP of Product at Elastifile, will explore new techniques and best practices that help enterprise IT benefit from the advantages of hybrid cloud environments by enabling data availability for both legacy enterprise and cloud-native mission critical applications. By rev...
In his Opening Keynote at 21st Cloud Expo, John Considine, General Manager of IBM Cloud Infrastructure, will lead you through the exciting evolution of the cloud. He'll look at this major disruption from the perspective of technology, business models, and what this means for enterprises of all sizes. John Considine is General Manager of Cloud Infrastructure Services at IBM. In that role he is responsible for leading IBM’s public cloud infrastructure including strategy, development, and offering ...
SYS-CON Events announced today that Ryobi Systems will exhibit at the Japan External Trade Organization (JETRO) Pavilion at SYS-CON's 21st International Cloud Expo®, which will take place on Oct 31 – Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA. Ryobi Systems Co., Ltd., as an information service company, specialized in business support for local governments and medical industry. We are challenging to achive the precision farming with AI. For more information, visit http:...
Amazon is pursuing new markets and disrupting industries at an incredible pace. Almost every industry seems to be in its crosshairs. Companies and industries that once thought they were safe are now worried about being “Amazoned.”. The new watch word should be “Be afraid. Be very afraid.” In his session 21st Cloud Expo, Chris Kocher, a co-founder of Grey Heron, will address questions such as: What new areas is Amazon disrupting? How are they doing this? Where are they likely to go? What are th...
As you move to the cloud, your network should be efficient, secure, and easy to manage. An enterprise adopting a hybrid or public cloud needs systems and tools that provide: Agility: ability to deliver applications and services faster, even in complex hybrid environments Easier manageability: enable reliable connectivity with complete oversight as the data center network evolves Greater efficiency: eliminate wasted effort while reducing errors and optimize asset utilization Security: imple...
High-velocity engineering teams are applying not only continuous delivery processes, but also lessons in experimentation from established leaders like Amazon, Netflix, and Facebook. These companies have made experimentation a foundation for their release processes, allowing them to try out major feature releases and redesigns within smaller groups before making them broadly available. In his session at 21st Cloud Expo, Brian Lucas, Senior Staff Engineer at Optimizely, will discuss how by using...