the best damn firewall book period phần 10 doc

132 270 0
the best damn firewall book period phần 10 doc

Đang tải... (xem toàn văn)

Tài liệu hạn chế xem trước, để xem đầy đủ mời bạn chọn Tải xuống

Thông tin tài liệu

Protecting Mail services with ISA Server • Chapter 28 1163 Configuring the Authentication Method When Outlook logs on to the Exchange server, the Exchange server instructs the Outlook client to authenticate with an Active Directory domain controller.The problem is you do not want to open the ports responsible for authentication through the ISA server.To get around this problem, you can configure the Exchange server to perform authentication on the behalf of the Outlook client. To configure the Exchange server to proxy authentication requests for the Outlook client, navigate to the following Registry key: HKLM\System\CurrentControlSet\Services\MSExchangeSA\Parameters Add the following: ■ Value No RFR Service ■ Type REG_DWORD ■ Data 1 Note that the value does have spaces in it. At first we thought that this might have been a typo, but we confirmed that the spaces should be included. After adding the value, restart the Exchange server. Note that you do not need to add this value if the Exchange server is also a domain controller. Clients Behind NAT Servers/ISA Servers If the Outlook client is behind a NAT server or an ISA server, it will not be able to receive new mail notification requests.The reason is that these new mail notification requests are not part of the existing RPC connection between Outlook and the Exchange server.The NAT server and ISA server drop the packet because the new mail notification message is seen as an unsolicited inbound request. This doesn’t mean that you won’t ever get any new mail. If you send mail to the Exchange server, a new mail notification message is sent through the active RPC channel between the Outlook client and the Exchange server when the message is sent. However, RPC wasn’t designed for use over the Internet. If there is an error in any of the RPC packets carrying the new mail notification, the notification message will not go through.You can get around this by forcing synchronization with the F9 key in Outlook 2000, or set up the Exchange account to carry out an automatic send/receive every few minutes in Outlook 2002.The exception to this is when you encrypt the data connection between Outlook and the Exchange server. In that case, e-mail notification never works, and you have to click on a folder to initiate the connection. The good news is that everything else works fine when Outlook is behind the NAT server. If you use the Windows 2000 RRAS NAT, no further configuration is required for the NAT routing protocol. If there is an ISA server in front of the Outlook client, you will need to con- figure an RPC protocol definition and configure the client as a Firewall client.You must use the Firewall client configuration because SecureNAT clients do not support secondary connections. You need to create the following protocol definition (Figure 28.17): www.syngress.com 252_BDFW_28.qxd 9/19/03 2:03 PM Page 1163 1164 Part V • ISA Server ■ Primary connection TCP 135 Outbound ■ Secondary connections TCP 1025-65534 Outbound The initial connection takes place on TCP 135.The remote ISA server (the one publishing the Exchange server) sends back to the local ISA server (the one in front of the Outlook client) the port number on which the Outlook client needs for subsequent requests. Since this new outgoing connection is part of the original RPC conversation, a secondary connection to an ephemeral (high number) port is required outbound from the local ISA server to the remote ISA server. Once you create the RPC protocol definition, create a protocol rule using this protocol definition. Creating the Exchange RPC Server Publishing Rule The Exchange RPC server publishing rule uses a protocol definition provided by the RPC application filter. If you disable the application filter, you lose the protocol definition. Perform the following steps to create the server publishing rule: 1. In the ISA Management Console, expand the server or array name and the Publishing node. 2. Right-click the Server Publishing Rules node and select New | Rule. 3. On the page, enter a name for the rule and click Next. 4. On the Address Mapping page, enter the IP address of the internal Exchange server and the IP address on the external interface you want external network clients to use to access the Exchange server. Click Next. 5. On the Protocol Settings page, select the Exchange RPC Server rule and click Next. 6. On the Client Type page, select Any Request and click Next (it’s unlikely you’ll be able to identify a client address set to assign the external Outlook clients). 7. On the final page of the wizard, click Finish. The rule will take effect soon after you click Finish. If you want the rule to apply right away, restart the Firewall service. www.syngress.com Figure 28.17 Outbound RPC Protocol Definition 252_BDFW_28.qxd 9/19/03 2:03 PM Page 1164 Protecting Mail services with ISA Server • Chapter 28 1165 WARNING Configuring the Outlook client is beyond the scope of this book, and the procedures vary depending on the version of Outlook you’re configuring. Both Outlook 2000 and Outlook 2002 (XP) can use the Exchange RPC publishing rule to access the Exchange server on the internal network. It is important to note that you can force the client to use an encrypted RPC connection when connecting to the ISA server. There is one drawback to using an encrypted channel: you will never receive notifica- tions of new e-mail. In fact, you won’t receive notification of new e-mail even if you schedule an automatic Send/Receive or press F9, depending on the version of Outlook. To receive new e-mail notification messages, you must click on an existing message or folder to initiate a connection with the Exchange server . If you are using Outlook 2000, do not install Office Service Pack 2. There appears to be an undocumented issue preventing Outlook 2000 SP2 clients from connecting to an Exchange 2000 server published using the RPC server publishing rule. This problem appears to be specific to the server publishing rule, because if you bring the client onto the internal network, you can log on to the Exchange server without problems. Publishing Outlook Web Access on the Internal Network Exchange Server The same procedures used to publish OWA on the ISA server are used when you publish OWA on the internal network Exchange server.The only difference is that you don’t need to worry about disabling socket pooling on the ISA server because you’ll choose to disable the IIS W3SVC on the ISA server for security purposes. As a review, here are the basic procedures required to publish the OWA site on the internal network Exchange server: ■ Configure the OWA Web site on the Exchange server Configure folder permis- sions, obtain and assigning a certificate for the Web site, configure a port for SSL con- nections on the default Web site, and configure the sites to require an SSL connection. ■ Configure the Incoming Web Requests listener on the ISA server Create the individual listener, export the OWA Web site certificate and import it into the ISA Server’s machine certificate store, and bind the certificate to the Incoming Web Requests listener. ■ Create the Web publishing rule Create the destination set used for the OWA Web publishing rule, create the Web publishing rule, and configure the rule to bridge SSL connections as SSL. ■ Configure the OWA client Web browser Improve performance for the OWA client by installing a client certificate on all browser clients. www.syngress.com 252_BDFW_28.qxd 9/19/03 2:03 PM Page 1165 1166 Part V • ISA Server For details of this configuration, check the relevant sections on how to publish OWA on the ISA server.The only difference is that you use the internal IP address of the Exchange server rather than the IP address of the internal interface of the ISA server for the redirect. NOTE There is a good chance that by the time you read this book, Microsoft will have released the ISA Server Feature Pack. One of the features included in the major update to ISA Server is an Outlook Web Access Publishing Wizard. The wizard will greatly simplify pub- lishing of OWA sites. However, like all wizards, it will have its limitations. Check www.isaserver.org/shinder for updates on this feature of the ISA Server Feature Pack and other important ISA Server news and articles. Message Screener on the Internal Network Exchange Server You can install the Message Screener on the internal network Exchange server.The difference between the installations is that when the Message Screener is on the ISA server, the entire ISA Server software package is installed on the ISA/Exchange Server computer. In contrast to the “all but the kitchen sink” approach we covered earlier, when the Exchange server is on a dedicated server, all you need to install is the SMTP Message Screener.You don’t need to install any other component of the ISA Server software. Run the ISA Server installation program as you usually would to install only the Message Screener component on the internal network Exchange server. Select the Custom installation option and then deselect the ISA Services and Administration tools options in the Custom Installation dialog box (Figure 28.18). Select the Add-in services option and click Change Option. Remove the Install H.323 Gatekeeper Service option (Figure 28.19).The only component you want is the Message www.syngress.com Figure 28.18 The Custom Installation Dialog Box 252_BDFW_28.qxd 9/19/03 2:03 PM Page 1166 Protecting Mail services with ISA Server • Chapter 28 1167 Screener. Make sure that the Message Screener option is selected and complete the installation on the Exchange server computer.You won’t see any new configuration interfaces or Start menu items related to the Message Screener on the Exchange server. Configuration of the Message Screener is done via the SMTP filter on the ISA server. The next step is to configure credentials that the Message Screener software will use to com- municate with the SMTP application filter on the ISA server. Credentials are configured using the SMTPCRED tool, which is installed in the Program Files\Microsoft ISA Server folder on the Exchange server’s hard disk after running the Message Screener installation. Open the SMTPCRED tool by double-clicking it. In the Message Screener Credentials dialog box (Figure 28.20), enter your ISA server name, the Username of the person who installed the ISA server, the Domain to which that user account belongs, and the Password of that user. Note that you do not need to use the credentials of the user who installed the ISA server, but it does streamline the process and reduces troubleshooting issues encountered with the Message Screener by an order of magnitude. Click OK after entering the information. www.syngress.com Figure 28.19 Selecting the Message Screener Figure 28.20 The SMTPCRED Tool 252_BDFW_28.qxd 9/19/03 2:03 PM Page 1167 1168 Part V • ISA Server The last thing is to configure DCOM permissions.The Message Screener communicates with the SMTP application filter via DCOM. While this isn’t an issue when the ISA server and the Exchange server are on the same machine, it does become an issue when they are on different machines. Perform the following steps to configure the DCOM permissions: 1. Select Start | Run and type dcomcnfg.exe in the Open text box. Click OK. 2. Click the Applications tab and select VendorData class | Properties (Figure 28.21). 3. On the VendorData Class Properties dialog box, click the Security tab (Figure 28.22). Select the Use custom access permissions and click Edit. Figure 28.22 The VendorData Class Properties Dialog Box 4. Add the Everyone group by clicking Add and selecting the Everyone group (Figure 28.23). Click OK. 5. Repeat steps #3 and #4 to edit the Use custom launch permissions and Use custom configuration permissions options. 6. Click OK. 7. Restart both the ISA server and the Exchange server. We suggest restarting the ISA server first. www.syngress.com Figure 28.21 The DCOM Configuration Properties Dialog Box Figure 28.23 Adding the Everyone Group 252_BDFW_28.qxd 9/19/03 2:03 PM Page 1168 Protecting Mail services with ISA Server • Chapter 28 1169 The remainder of the configuration is the same as when you run the Message Screener on the ISA/Exchange server computer.You will be able to screen for incoming and outgoing mes- sages, but you will have the same limitations regarding Outlook MAPI clients sending SMTP messages to the Internet.The solution is the same: create a second virtual SMTP server and have the default SMTP virtual server forward mail to the second SMTP virtual server.The Internet- bound messages sent by Outlook clients will be exposed to the SMTP Message Screener when they are forwarded to the second SMTP virtual server. GFI’s Mail Security and Mail Essentials for SMTP Servers It’s estimated that spam makes up as much as 20 percent of the total traffic moving through the Internet. Spam clogs e-mail boxes, and contains viruses, worms, and offensive language. Spam fills the massive disks on today’s mail servers and is a public nuisance. Spam can negatively impact your personal and professional life: just think about how many times you’ve accidentally ignored an important message because it got lost in a sea of spam in your inbox. We don’t have to convince you that something needs to be done about spam. Many network administrators use Real-time Black Hole Lists to automate spam blocking on their networks.The problem with RBLs is they are maintained by third parties. If there is one thing we learned during the dot com bomb, it’s that inappropriate trust in third parties can put your business in jeopardy. There are several types of RBLs. Legitimate RBLs look for open mail relays on the Internet and blacklist the IP addresses of the open relays.The blacklisting is based on the assumption that eventually, a spammer will find the open relay and use it to send spam.The problem with this approach is that the open relay will be blacklisted even if no spam has ever been sent through it. It’s sort of like the police taking you into custody for a shooting because you have two hands, one of which might have held a gun. The other type of RBL is based on user reports. One user of the service reports that he received mail that he thinks is spam.That user tells three of his friends to make the same report. BANG! The domain from which the alleged spam is sent is blocked by the RBL. Suppose you send someone an e-mail message inviting him to your birthday party. He didn’t ask for that mes- sage, so he reports you as a spammer, and he gets three of his antisocial friends to send in the same report. A couple of days later, you find that some people aren’t getting mail from you. Why? Your domain or account has been blocked by the RBLs that blindly trust user reports. This type of spam blocking has to be the most egregious form of censorship we’ve seen in decades. Everyone hates spam, we really hate spam, but we hate the idea of a third party cen- soring what should be sent to our network.That’s our job, our responsibility, and our mail. It’s not the job of some anonymous RBL to decide what’s legitimate. The SMTP Message Screener goes a long way to resolving the spam problem.You can block mail based on text strings.The problem is that you don’t have much flexibility with the SMTP Message Screener. For example, you can’t: ■ Easily save the keyword entries in the Message Screener ■ Check for e-mail viruses using the Message Screener www.syngress.com 252_BDFW_28.qxd 9/19/03 2:03 PM Page 1169 1170 Part V • ISA Server ■ Check for viruses in e-mail attachments using the Message Screener ■ Import a list of keywords from a text file into the Message Screener ■ Check for non-virus-related e-mail exploits with the Message Screener ■ Check for whole words in the Message Screener (you can only check for text strings) ■ Creating conditional content checking rules for e-mail It’s our opinion that the only valid way to control spam is by using a keyword method. We’ve found that the most effective way to prevent spam from getting to user mailboxes is to create a list of keywords that don’t apply to the legitimate business or personal communications. Using this method, you can control over 99 percent of the spam entering your network. While the ISA Server SMTP Message Screener is better than nothing, we’ve found that the best tool for this job is GFI Software’s MailSecurity, which can be used to block spam in both small and large organizations. MailSecurity is easy to set up, and you can import your spam filter list easily from a text file. It also detects e-mail viruses and attachments, and auto-updates its virus definition list on a daily basis. MailSecurity Versions There are two versions of MailSecurity. One plugs into your Exchange 2000 server and inspects the contents of the message store.The other version is for SMTP mail gateways and inspects mail as it moves through the gateway.The main advantage of the Exchange Server version is that it can inspect mail sent between internal users.The main advantage of the SMTP relay version is that it has more information about each e-mail and can decide better what mail is considered inbound and outbound. MailSecurity can be configured to inspect only inbound, only outbound, or both inbound and outbound e-mail. We typically install an SMTP relay on all networks that have an Exchange 2000 server. For that reason we consider the SMTP gateway version the best choice. Note that you can use both versions.You can install the SMTP gateway version on your SMTP relay, and you can install the Exchange Server 2000 version on your Exchange server and you don’t have to buy any more licenses for filtering based on keyword, user, or domain.You do need to pay extra for a mainte- nance contract and automatic anti-virus updates. Installing MailSecurity for SMTP Gateways Installing MailSecurity for SMTP gateways is straightforward: 1. Download the installation file from www.gfi.com/mailsecurity/index.html and run the mailsecurity.exe installation package.The Welcome to the GFI MailSecurity for Exchange/SMTP Installation Wizard page will be displayed (Figure 28.24). Click Next to continue. www.syngress.com 252_BDFW_28.qxd 9/19/03 2:03 PM Page 1170 Protecting Mail services with ISA Server • Chapter 28 1171 2. The License Agreement page appears. Select the I accept the license agreement option and click Next. 3. On the User Information page, enter your name, company name, and serial number (if you have one; otherwise, use Evaluation as your key). Click Next. 4. On the Administrator Email page (Figure 28.25), enter the MailSecurity adminis- trator e-mail address. Notification messages can be sent to the administrator e-mail account you enter here.You can add more administrators or change the one you enter here later. Click Next. 5. On the Destination Folder page, select the location of the program files and click Next. 6. This brings you to the Mail Server page shown in Figure 28.26. If your SMTP relay is on a DMZ segment, enter the IP address on the external interface of the ISA server used by the SMTP server publishing rule that’s publishing the internal network Exchange server. 7. If the SMTP relay is on your internal network, enter the IP address of your Exchange server.The default port TCP 25 will work in the majority of cases. However, if you want MailSecurity to send to an alternate port, just type the alternate port number in the on port text box.The setup program will create a remote domain in the IIS SMTP service for the domain you enter in the Local domain text box. If you are managing multiple www.syngress.com Figure 28.24 The Welcome Page Figure 28.25 The Administrator Email Dialog Box 252_BDFW_28.qxd 9/19/03 2:03 PM Page 1171 1172 Part V • ISA Server mail domains, you should manually create those remote domains after the installation is complete. 7. Click Next to continue. 8. Identify the type of mail server that is running MailSecurity (see Figure 28.27). In this example, we’re installing MailSecurity on an SMTP relay, so the second option is correct. Click Next to continue, and click Next one more time to start installing the application. 9. Click Finish when you get notification that the application has been installed successfully. 10. Open the Internet Information Services console after you’re finished installing MailSecurity. Expand the Default SMTP Virtual Server node and click the Domains node.You’ll see that a new remote domain was created and configured to use your internal mail server as a smart host. If you configure MailSecurity on a DMZ SMTP relay, you’ll see the IP address used on the external interface of the ISA server in your SMTP server publishing rule. If you host multiple mail domains, create a remote domain for each domain you host and have them use your mail server as a smart host. Make sure that your server is not configured as an open relay by setting the appropriate relay settings on the Default SMTP Virtual Server (Figure 28.28). www.syngress.com Figure 28.26 The Mail Server Information Page Figure 28.27 Choosing the Mail Server Type 252_BDFW_28.qxd 9/19/03 2:03 PM Page 1172 [...]... sorter has obtained all the coins it can (packets from the network), and is ready to send the packets through the chute Before rolling the coins (the detection engine), the coin sorter needs to determine if they are coins This is done through the preprocessor .The preprocessor takes the raw packets and checks them against certain plug-ins (like an RPC plug-in and a port scanner plug-in).These plug-ins check... from the external network (defined by EXTERNAL_NET) to any system on the internal network (defined by HOME_NET) to port 143, which is the IMAP port .The msg variable defines what is sent to the Snort alert, and the rest of the information of the packet is content based.There are definitions on the type of attack (misc-attack), the SID number (1993), and the Bugtraq (www.securityfocus.com) reference on the. .. packet sniffer I A packet logger I A NIDS All the uses relate to each other in a way that builds on each other However, it’s easiest to put the packet sniffer and the packet logger together in the same category—basically, it’s the same functionality .The difference is that with the logging functionality; you can save the packets into a file Conversely, you can read the packet logs with Snort as well Using... into the directory /var/adm/snort/logs with the home subnet 10. 1.0.0/24, you would use the following: # snort -dev -l /var/adm/snort/logs -h 10. 1.0.0/24 However, if you log the data in binary format, you don’t need all the options .The binary format is also known as the TCPDump formatted data file Several packet sniffers use the TCPDump data format, including Snort The binary format for Snort makes the. .. rules themselves consist of two parts: I The rule header The rule header is basically the action to take (log or alert), type of network packet (TCP, UDP, ICMP, and so forth), source and destination IP addresses, and ports I The rule option The option is the content in the packet that should make the packet match the rule The detection engine and its rules are the largest portion (and steepest learning... before the packets are sent to the rules to check for alerts NOTE By supporting only the latest rules of the latest application, Snort ensures that users are using only the most recent version As of press time, the latest revision is 2.0.1, so the rules only work with that version Speaking of rules, as time progressed, so did the number of rules .The size of the latest rules is increasing with the number... they are coins, and how they should roll (the preprocessor performs this function on the IDS) 3 Next, the coins are sorted according to the coin type.This is for storage of quarters, nickels, dimes, and pennies (the detection engine performs this function on the IDS) 4 Finally, it is the administrator’s task to decide what to do with the coins—usually you’ll roll them and store them (logging and database... all the services to work together and publish the Exchange services among the Exchange services, the ISA server, and the Internet Information server We also covered how to publish Exchange mail services on the internal network .The procedures are very similar and in many ways much easier because you don’t need to run IIS services on the ISA server.You can also leverage the automation provided by the. .. and Windows Other supported systems include Sparc Solaris, PowerPC MacOS X and MkLinux, and PA-RISC HP-UX Snort will run on just about any modern OS today NOTE People can get into heated debates as to which OS is best, but you have to be the one to administer the system, so you pick the OS There is an ongoing argument regarding the best OS on which to run Snort A while back, the *BSDs had the better... a set of rules If the rules match the data in the packet, then they are sent to the alert processor Earlier in this chapter, we described Snort as a signature-based IDS .The signature-based IDS function is accomplished by using various rule sets .The rule sets are grouped by category (Trojan horses, buffer overflows, access to various applications), and are updated regularly The rules themselves consist . TCP 102 5-65534 Outbound The initial connection takes place on TCP 135 .The remote ISA server (the one publishing the Exchange server) sends back to the local ISA server (the one in front of the. configuration, check the relevant sections on how to publish OWA on the ISA server .The only difference is that you use the internal IP address of the Exchange server rather than the IP address of the internal. of the ISA server for the redirect. NOTE There is a good chance that by the time you read this book, Microsoft will have released the ISA Server Feature Pack. One of the features included in the

Ngày đăng: 13/08/2014, 15:21

Tài liệu cùng người dùng

  • Đang cập nhật ...

Tài liệu liên quan