Welcome!

Blog Feed Post

How To Protect Your Network: Microsoft ISA Firewall Server Best Practices

Microsoft Internet Security and Acceleration (ISA) ServerThis is the third article in our series “Protecting Your Network”. We previously discussed common firewall best practices and compared some of the most popular products to manage your network security. In this article we’ll focus on best practices specifically to Microsoft Internet Security and Acceleration (ISA) Server.

Let’s start looking at some recommendations to configure then Microsoft ISA firewall so it provides the best level of security, reliability and performance possible. There are too many items to describe all of them in this article, so we’ll focus on the most important items that you should pay attention to. The overview is not in any particular order so items higher in the list are not necessarily more important.

  1. ISA Server comes with a Firewall and Web Proxy client. You should deploy these clients to get superior performance over what a hardware firewall provides. The combination of ISA server and its clients provide an intelligent security solution, more so than an appliance without clients can offer.
  1. The ISA firewall should have only one DNS server configured on its interfaces, and that DNS server address must be configured on its internal interface (or whatever interface is closest to an internal DNS server that can resolve Internet host names). Never put an external DNS server on any of the ISA firewall’s interfaces, and never enter a DNS server address on more than one ISA firewall interface.
  1. When investigating a possible attack, use www.arin.net and do a Whois search on the IP address. This should be the first thing you do when you detect unusual activity in your firewall logs.
  1. Use DMZ networks connected to the ISA firewall to limit access to different security zones within your organization. Put ISA firewalls between different security zones to make sure you are protected against attacks sourcing from different security zones.
  1. Do not consolidate other server functions (file server, web server, etc) with the ISA server. The ISA firewall is a just that; a firewall.
  1. Harden the server using the ISA firewall hardening guides located at http://www.microsoft.com/isaserver/techinfo/guidance/2004/planning.mspx
  1. Typically there is no reason to enable NetBT on the external interface of the ISA firewall. If you don’t need it, disable it.
  1. There typically isn’t a reason to enable the Server service on the external interface of the ISA firewall, as it is used to enable access to shared resources on the ISA firewall. In general, the Server service should be disabled on all interfaces of the ISA firewall, but there can be side effects, such as being unable to access the Firewall client share on the ISA firewall if you installed it there. It is best to place the client installation files on a network share hosted by a file server. You shouldn’t run into any issues if the Server service is unbound only from the external interface.
  1. On Windows 2000, the Alerter and Messenger services should be disabled on the ISA firewall. Windows Server 2003 turns off these services by default, or they are turned off as part of running the Security Configuration Wizard on a Windows Server 2003 Service Pack 1 ISA firewall.
  1. Install Network monitor for troubleshooting issues. Microsoft Network Monitor comes with Windows, and you can install it Monitor either before or after the ISA firewall software is installed.
  1. The ISA firewall shouldn’t be used as a workstation; it is a network firewall representing an important component of your network security infrastructure. Don’t use client applications, such as Internet Explorer, on the ISA firewall and don’t disable the enhanced IE security configuration that is part of Windows Server 2003 Internet Explorer.
  1. If users complain about decreased performance of the Web, configure the clients as Web Proxy clients and configure the web browsers to use HTTP 1.1.
  1. Make sure to patch the base operating system before installing ISA. Innstall the base operating system on a protected network, so that you can safely install the operating system and then update the operating system before installing the ISA firewall software. Connect the ISA firewall device to the Internet only after the operating system is patched and the ISA firewall software is installed.
  1. You can rename the network interfaces installed on the ISA firewall from Local Area Connection 1 and Local Area Connection 2 to something more meaningful, such as WAN, LAN, and DMZ. This is helpful when you have a lot of interfaces installed on the ISA firewall device.
  1. The ISA firewall can mitigate worm and other automated attacks by enforcing connection limits. You can configure connection limits by going to the General node in the ISA firewall console and Define Connection Limits.

The above list represents only some of the recommendation to configuring your ISA Firewall and certainly doesn’t cover all of the aspects. If you want to analyze your implementation of ISA Server it is a good idea to download the Microsoft Best Practice Analyzer Tool from the Microsoft website and run this against your ISA Server. The tool is compatible with ISA Server 2004, 2006, and Forefront TMG: http://www.microsoft.com/download/en/details.aspx?id=811.

The Microsoft TechNet website is a great resource that offers a lot of information about how to configure your ISA server for your environment, performance best practices (http://technet.microsoft.com/en-us/library/cc302518.aspx) , and troubleshooting performance issues (http://technet.microsoft.com/en-us/library/cc302601.aspx)

Recommended Metrics for Load and Security Monitoring

To maintain and manage the health of ISA Server, it is necessary to monitor its performance and watch for any possible anomalies. The following sections list resource counters and ISA Server counters that help troubleshoot ISA Server performance problems. It is recommended that these counters be samples on a regular basis at a rate of several samples per minute.

The performance counters that should be tracked can be grouped in the following categories:

Base subsystem metrics:

  • Processor Subsystem
  • Network Subsystem
  • Disk Subsystem

ISA Server specific metrics:

  • ISA Server Firewall Engine
  • ISA Server Firewall Service
  • ISA Server Web Proxy
  • ISA Server Cache

Between the Processor, Disk, and Network subsystems, as well as the ISA specific metrics, there are many counters that can be measured, but for the purpose of providing a general, yet effective monitor, we’ll focus on the most recommended performance counters only. For those interested, a complete overview of the subsystem metrics and all the ISA supported performance counters can be found in the article; Advanced ISA Monitoring.

Microsoft recommends that, to monitor the general performance of your ISA server, the following metrics should be monitored:

Load Monitoring

Performance Counter Description
ISA Server Firewall Engine Active Connections
ISA Server Firewall Service Active Sessions
ISA Server Web Proxy Requests/sec
ISA Server Firewall Engine Bytes/sec
Security Monitoring
Category Performance Counter Name
ISA Server Firewall Engine Dropped packets/sec
ISA Server Firewall Engine Packets/sec
ISA Server Firewall Engine Connections/sec
ISA Server Web Proxy Average Milliseconds/request

These metrics offer a generic insight in your ISA server’s performance. Like previously mentioned, ISA server offers a lot more performance counters that can be queried to get more detailed information about the Firewall Engine, Web Proxy, and ISA cache. These will be discussed in the article; Advanced ISA Monitoring. The basic performance metrics that we mentioned in this article are included in the Custom Monitis ISA Monitor that is available for download. You can find full details about this monitor in the article: “Monitoring ISA Server with Monitis”.

Share Now:del.icio.usDiggFacebookLinkedInBlinkListDZoneGoogle BookmarksRedditStumbleUponTwitterRSS

Read the original blog entry...

More Stories By Hovhannes Avoyan

Hovhannes Avoyan is the CEO of PicsArt, Inc.,

Latest Stories
One of biggest questions about Big Data is “How do we harness all that information for business use quickly and effectively?” Geographic Information Systems (GIS) or spatial technology is about more than making maps, but adding critical context and meaning to data of all types, coming from all different channels – even sensors. In his session at @ThingsExpo, William (Bill) Meehan, director of utility solutions for Esri, will take a closer look at the current state of spatial technology and ar...
The Internet of Things can drive efficiency for airlines and airports. In their session at @ThingsExpo, Shyam Varan Nath, Principal Architect with GE, and Sudip Majumder, senior director of development at Oracle, will discuss the technical details of the connected airline baggage and related social media solutions. These IoT applications will enhance travelers' journey experience and drive efficiency for the airlines and the airports. The session will include a working demo and a technical d...
What happens when the different parts of a vehicle become smarter than the vehicle itself? As we move toward the era of smart everything, hundreds of entities in a vehicle that communicate with each other, the vehicle and external systems create a need for identity orchestration so that all entities work as a conglomerate. Much like an orchestra without a conductor, without the ability to secure, control, and connect the link between a vehicle’s head unit, devices, and systems and to manage the ...
Businesses are struggling to manage the information flow and interactions between all of these new devices and things jumping on their network, and the apps and IT systems they control. The data businesses gather is only helpful if they can do something with it. In his session at @ThingsExpo, Chris Witeck, Principal Technology Strategist at Citrix, will discuss how different the impact of IoT will be for large businesses, expanding how IoT will allow large organizations to make their legacy ap...
The many IoT deployments around the world are busy integrating smart devices and sensors into their enterprise IT infrastructures. Yet all of this technology – and there are an amazing number of choices – is of no use without the software to gather, communicate, and analyze the new data flows. Without software, there is no IT. In this power panel at @ThingsExpo, moderated by Conference Chair Roger Strukhoff, panelists will look at the protocols that communicate data and the emerging data analy...
As ridesharing competitors and enhanced services increase, notable changes are occurring in the transportation model. Despite the cost-effective means and flexibility of ridesharing, both drivers and users will need to be aware of the connected environment and how it will impact the ridesharing experience. In his session at @ThingsExpo, Timothy Evavold, Executive Director Automotive at Covisint, will discuss key challenges and solutions to powering a ride sharing and/or multimodal model in the a...
SYS-CON Events announced today that Commvault, a global leader in enterprise data protection and information management, has been named “Bronze Sponsor” of SYS-CON's 19th International Cloud Expo, which will take place on November 1–3, 2016, at the Santa Clara Convention Center in Santa Clara, CA. Commvault is a leading provider of data protection and information management solutions, helping companies worldwide activate their data to drive more value and business insight and to transform moder...
SYS-CON Events announced today that eCube Systems, a leading provider of middleware modernization, integration, and management solutions, will exhibit at @DevOpsSummit at 19th International Cloud Expo, which will take place on November 1–3, 2016, at the Santa Clara Convention Center in Santa Clara, CA. eCube Systems offers a family of middleware evolution products and services that maximize return on technology investment by leveraging existing technical equity to meet evolving business needs. ...
Creating replica copies to tolerate a certain number of failures is easy, but very expensive at cloud-scale. Conventional RAID has lower overhead, but it is limited in the number of failures it can tolerate. And the management is like herding cats (overseeing capacity, rebuilds, migrations, and degraded performance). Download Slide Deck: ▸ Here In his general session at 18th Cloud Expo, Scott Cleland, Senior Director of Product Marketing for the HGST Cloud Infrastructure Business Unit, discusse...
Whether they’re located in a public, private, or hybrid cloud environment, cloud technologies are constantly evolving. While the innovation is exciting, the end mission of delivering business value and rapidly producing incremental product features is paramount. In his session at @DevOpsSummit at 19th Cloud Expo, Kiran Chitturi, CTO Architect at Sungard AS, will discuss DevOps culture, its evolution of frameworks and technologies, and how it is achieving maturity. He will also cover various st...
All clouds are not equal. To succeed in a DevOps context, organizations should plan to develop/deploy apps across a choice of on-premise and public clouds simultaneously depending on the business needs. This is where the concept of the Lean Cloud comes in - resting on the idea that you often need to relocate your app modules over their life cycles for both innovation and operational efficiency in the cloud. In his session at @DevOpsSummit at19th Cloud Expo, Valentin (Val) Bercovici, CTO of So...
Cloud computing is being adopted in one form or another by 94% of enterprises today. Tens of billions of new devices are being connected to The Internet of Things. And Big Data is driving this bus. An exponential increase is expected in the amount of information being processed, managed, analyzed, and acted upon by enterprise IT. This amazing is not part of some distant future - it is happening today. One report shows a 650% increase in enterprise data by 2020. Other estimates are even higher....
What are the new priorities for the connected business? First: businesses need to think differently about the types of connections they will need to make – these span well beyond the traditional app to app into more modern forms of integration including SaaS integrations, mobile integrations, APIs, device integration and Big Data integration. It’s important these are unified together vs. doing them all piecemeal. Second, these types of connections need to be simple to design, adapt and configure...
Digital innovation is the next big wave of business transformation based on digital technologies of which IoT and Big Data are key components, For example: Business boundary innovation is a challenge to excavate third-party business value using IoT and BigData, like Nest Business structure innovation may propose re-building business structure from scratch, as Uber does in the taxicab industry The social model innovation is also a big challenge to the new social architecture with the design fr...
A strange thing is happening along the way to the Internet of Things, namely far too many devices to work with and manage. It has become clear that we'll need much higher efficiency user experiences that can allow us to more easily and scalably work with the thousands of devices that will soon be in each of our lives. Enter the conversational interface revolution, combining bots we can literally talk with, gesture to, and even direct with our thoughts, with embedded artificial intelligence, wh...