Click here to close now.




















Welcome!

Blog Feed Post

How To Protect Your Network: Microsoft ISA Firewall Server Best Practices

Microsoft Internet Security and Acceleration (ISA) ServerThis is the third article in our series “Protecting Your Network”. We previously discussed common firewall best practices and compared some of the most popular products to manage your network security. In this article we’ll focus on best practices specifically to Microsoft Internet Security and Acceleration (ISA) Server.

Let’s start looking at some recommendations to configure then Microsoft ISA firewall so it provides the best level of security, reliability and performance possible. There are too many items to describe all of them in this article, so we’ll focus on the most important items that you should pay attention to. The overview is not in any particular order so items higher in the list are not necessarily more important.

  1. ISA Server comes with a Firewall and Web Proxy client. You should deploy these clients to get superior performance over what a hardware firewall provides. The combination of ISA server and its clients provide an intelligent security solution, more so than an appliance without clients can offer.
  1. The ISA firewall should have only one DNS server configured on its interfaces, and that DNS server address must be configured on its internal interface (or whatever interface is closest to an internal DNS server that can resolve Internet host names). Never put an external DNS server on any of the ISA firewall’s interfaces, and never enter a DNS server address on more than one ISA firewall interface.
  1. When investigating a possible attack, use www.arin.net and do a Whois search on the IP address. This should be the first thing you do when you detect unusual activity in your firewall logs.
  1. Use DMZ networks connected to the ISA firewall to limit access to different security zones within your organization. Put ISA firewalls between different security zones to make sure you are protected against attacks sourcing from different security zones.
  1. Do not consolidate other server functions (file server, web server, etc) with the ISA server. The ISA firewall is a just that; a firewall.
  1. Harden the server using the ISA firewall hardening guides located at http://www.microsoft.com/isaserver/techinfo/guidance/2004/planning.mspx
  1. Typically there is no reason to enable NetBT on the external interface of the ISA firewall. If you don’t need it, disable it.
  1. There typically isn’t a reason to enable the Server service on the external interface of the ISA firewall, as it is used to enable access to shared resources on the ISA firewall. In general, the Server service should be disabled on all interfaces of the ISA firewall, but there can be side effects, such as being unable to access the Firewall client share on the ISA firewall if you installed it there. It is best to place the client installation files on a network share hosted by a file server. You shouldn’t run into any issues if the Server service is unbound only from the external interface.
  1. On Windows 2000, the Alerter and Messenger services should be disabled on the ISA firewall. Windows Server 2003 turns off these services by default, or they are turned off as part of running the Security Configuration Wizard on a Windows Server 2003 Service Pack 1 ISA firewall.
  1. Install Network monitor for troubleshooting issues. Microsoft Network Monitor comes with Windows, and you can install it Monitor either before or after the ISA firewall software is installed.
  1. The ISA firewall shouldn’t be used as a workstation; it is a network firewall representing an important component of your network security infrastructure. Don’t use client applications, such as Internet Explorer, on the ISA firewall and don’t disable the enhanced IE security configuration that is part of Windows Server 2003 Internet Explorer.
  1. If users complain about decreased performance of the Web, configure the clients as Web Proxy clients and configure the web browsers to use HTTP 1.1.
  1. Make sure to patch the base operating system before installing ISA. Innstall the base operating system on a protected network, so that you can safely install the operating system and then update the operating system before installing the ISA firewall software. Connect the ISA firewall device to the Internet only after the operating system is patched and the ISA firewall software is installed.
  1. You can rename the network interfaces installed on the ISA firewall from Local Area Connection 1 and Local Area Connection 2 to something more meaningful, such as WAN, LAN, and DMZ. This is helpful when you have a lot of interfaces installed on the ISA firewall device.
  1. The ISA firewall can mitigate worm and other automated attacks by enforcing connection limits. You can configure connection limits by going to the General node in the ISA firewall console and Define Connection Limits.

The above list represents only some of the recommendation to configuring your ISA Firewall and certainly doesn’t cover all of the aspects. If you want to analyze your implementation of ISA Server it is a good idea to download the Microsoft Best Practice Analyzer Tool from the Microsoft website and run this against your ISA Server. The tool is compatible with ISA Server 2004, 2006, and Forefront TMG: http://www.microsoft.com/download/en/details.aspx?id=811.

The Microsoft TechNet website is a great resource that offers a lot of information about how to configure your ISA server for your environment, performance best practices (http://technet.microsoft.com/en-us/library/cc302518.aspx) , and troubleshooting performance issues (http://technet.microsoft.com/en-us/library/cc302601.aspx)

Recommended Metrics for Load and Security Monitoring

To maintain and manage the health of ISA Server, it is necessary to monitor its performance and watch for any possible anomalies. The following sections list resource counters and ISA Server counters that help troubleshoot ISA Server performance problems. It is recommended that these counters be samples on a regular basis at a rate of several samples per minute.

The performance counters that should be tracked can be grouped in the following categories:

Base subsystem metrics:

  • Processor Subsystem
  • Network Subsystem
  • Disk Subsystem

ISA Server specific metrics:

  • ISA Server Firewall Engine
  • ISA Server Firewall Service
  • ISA Server Web Proxy
  • ISA Server Cache

Between the Processor, Disk, and Network subsystems, as well as the ISA specific metrics, there are many counters that can be measured, but for the purpose of providing a general, yet effective monitor, we’ll focus on the most recommended performance counters only. For those interested, a complete overview of the subsystem metrics and all the ISA supported performance counters can be found in the article; Advanced ISA Monitoring.

Microsoft recommends that, to monitor the general performance of your ISA server, the following metrics should be monitored:

Load Monitoring

Performance Counter Description
ISA Server Firewall Engine Active Connections
ISA Server Firewall Service Active Sessions
ISA Server Web Proxy Requests/sec
ISA Server Firewall Engine Bytes/sec
Security Monitoring
Category Performance Counter Name
ISA Server Firewall Engine Dropped packets/sec
ISA Server Firewall Engine Packets/sec
ISA Server Firewall Engine Connections/sec
ISA Server Web Proxy Average Milliseconds/request

These metrics offer a generic insight in your ISA server’s performance. Like previously mentioned, ISA server offers a lot more performance counters that can be queried to get more detailed information about the Firewall Engine, Web Proxy, and ISA cache. These will be discussed in the article; Advanced ISA Monitoring. The basic performance metrics that we mentioned in this article are included in the Custom Monitis ISA Monitor that is available for download. You can find full details about this monitor in the article: “Monitoring ISA Server with Monitis”.

Share Now:del.icio.usDiggFacebookLinkedInBlinkListDZoneGoogle BookmarksRedditStumbleUponTwitterRSS

Read the original blog entry...

More Stories By Hovhannes Avoyan

Hovhannes Avoyan is the CEO of Monitis, Inc., a provider of on-demand systems management and monitoring software to 50,000 users spanning small businesses and Fortune 500 companies.

Prior to Monitis, he served as General Manager and Director of Development at prominent web portal Lycos Europe, where he grew the Lycos Armenia group from 30 people to over 200, making it the company's largest development center. Prior to Lycos, Avoyan was VP of Technology at Brience, Inc. (based in San Francisco and acquired by Syniverse), which delivered mobile internet content solutions to companies like Cisco, Ingram Micro, Washington Mutual, Wyndham Hotels , T-Mobile , and CNN. Prior to that, he served as the founder and CEO of CEDIT ltd., which was acquired by Brience. A 24 year veteran of the software industry, he also runs Sourcio cjsc, an IT consulting company and startup incubator specializing in web 2.0 products and open-source technologies.

Hovhannes is a senior lecturer at the American Univeristy of Armenia and has been a visiting lecturer at San Francisco State University. He is a graduate of Bertelsmann University.

Latest Stories
With SaaS use rampant across organizations, how can IT departments track company data and maintain security? More and more departments are commissioning their own solutions and bypassing IT. A cloud environment is amorphous and powerful, allowing you to set up solutions for all of your user needs: document sharing and collaboration, mobile access, e-mail, even industry-specific applications. In his session at 16th Cloud Expo, Shawn Mills, President and a founder of Green House Data, discussed h...
The Software Defined Data Center (SDDC), which enables organizations to seamlessly run in a hybrid cloud model (public + private cloud), is here to stay. IDC estimates that the software-defined networking market will be valued at $3.7 billion by 2016. Security is a key component and benefit of the SDDC, and offers an opportunity to build security 'from the ground up' and weave it into the environment from day one. In his session at 16th Cloud Expo, Reuven Harrison, CTO and Co-Founder of Tufin,...
SYS-CON Events announced today that MobiDev, a software development company, will exhibit at the 17th International Cloud Expo®, which will take place November 3–5, 2015, at the Santa Clara Convention Center in Santa Clara, CA. MobiDev is a software development company with representative offices in Atlanta (US), Sheffield (UK) and Würzburg (Germany); and development centers in Ukraine. Since 2009 it has grown from a small group of passionate engineers and business managers to a full-scale mobi...
There are many considerations when moving applications from on-premise to cloud. It is critical to understand the benefits and also challenges of this migration. A successful migration will result in lower Total Cost of Ownership, yet offer the same or higher level of robustness. In his session at 15th Cloud Expo, Michael Meiner, an Engineering Director at Oracle, Corporation, analyzed a range of cloud offerings (IaaS, PaaS, SaaS) and discussed the benefits/challenges of migrating to each offe...
Chuck Piluso presented a study of cloud adoption trends and the power and flexibility of IBM Power and Pureflex cloud solutions. Prior to Secure Infrastructure and Services, Mr. Piluso founded North American Telecommunication Corporation, a facilities-based Competitive Local Exchange Carrier licensed by the Public Service Commission in 10 states, serving as the company's chairman and president from 1997 to 2000. Between 1990 and 1997, Mr. Piluso served as chairman & founder of International Te...
Mobile, social, Big Data, and cloud have fundamentally changed the way we live. “Anytime, anywhere” access to data and information is no longer a luxury; it’s a requirement, in both our personal and professional lives. For IT organizations, this means pressure has never been greater to deliver meaningful services to the business and customers.
In a recent research, analyst firm IDC found that the average cost of a critical application failure is $500,000 to $1 million per hour and the average total cost of unplanned application downtime is $1.25 billion to $2.5 billion per year for Fortune 1000 companies. In addition to the findings on the cost of the downtime, the research also highlighted best practices for development, testing, application support, infrastructure, and operations teams.
In their session at 17th Cloud Expo, Hal Schwartz, CEO of Secure Infrastructure & Services (SIAS), and Chuck Paolillo, CTO of Secure Infrastructure & Services (SIAS), provide a study of cloud adoption trends and the power and flexibility of IBM Power and Pureflex cloud solutions. In his role as CEO of Secure Infrastructure & Services (SIAS), Hal Schwartz provides leadership and direction for the company.
Puppet Labs has announced the next major update to its flagship product: Puppet Enterprise 2015.2. This release includes new features providing DevOps teams with clarity, simplicity and additional management capabilities, including an all-new user interface, an interactive graph for visualizing infrastructure code, a new unified agent and broader infrastructure support.
For IoT to grow as quickly as analyst firms’ project, a lot is going to fall on developers to quickly bring applications to market. But the lack of a standard development platform threatens to slow growth and make application development more time consuming and costly, much like we’ve seen in the mobile space. In his session at @ThingsExpo, Mike Weiner, Product Manager of the Omega DevCloud with KORE Telematics Inc., discussed the evolving requirements for developers as IoT matures and conducte...
Container technology is sending shock waves through the world of cloud computing. Heralded as the 'next big thing,' containers provide software owners a consistent way to package their software and dependencies while infrastructure operators benefit from a standard way to deploy and run them. Containers present new challenges for tracking usage due to their dynamic nature. They can also be deployed to bare metal, virtual machines and various cloud platforms. How do software owners track the usag...
Explosive growth in connected devices. Enormous amounts of data for collection and analysis. Critical use of data for split-second decision making and actionable information. All three are factors in making the Internet of Things a reality. Yet, any one factor would have an IT organization pondering its infrastructure strategy. How should your organization enhance its IT framework to enable an Internet of Things implementation? In his session at @ThingsExpo, James Kirkland, Red Hat's Chief Arch...
Providing the needed data for application development and testing is a huge headache for most organizations. The problems are often the same across companies - speed, quality, cost, and control. Provisioning data can take days or weeks, every time a refresh is required. Using dummy data leads to quality problems. Creating physical copies of large data sets and sending them to distributed teams of developers eats up expensive storage and bandwidth resources. And, all of these copies proliferating...
Malicious agents are moving faster than the speed of business. Even more worrisome, most companies are relying on legacy approaches to security that are no longer capable of meeting current threats. In the modern cloud, threat diversity is rapidly expanding, necessitating more sophisticated security protocols than those used in the past or in desktop environments. Yet companies are falling for cloud security myths that were truths at one time but have evolved out of existence.
Digital Transformation is the ultimate goal of cloud computing and related initiatives. The phrase is certainly not a precise one, and as subject to hand-waving and distortion as any high-falutin' terminology in the world of information technology. Yet it is an excellent choice of words to describe what enterprise IT—and by extension, organizations in general—should be working to achieve. Digital Transformation means: handling all the data types being found and created in the organizat...