Sunbelt W2Knews Electronic Newsletter
The secret of those "who always seem to know" - Over 500,000 Readers!
Mon, Apr 12, 2004 (Vol. 9, #15 - Issue #471)
Special Report: Redmond's Brand New Firewall ISA Server 2004
This issue of W2Knews contains:
- EDITOR'S CORNER
- ISA 2004 Firewalls Set the Bar on Application Layer Filtering and High Security VPN
- 2004 W2Knews Target Awards
- TECH BRIEFING
- Never Again Worry About Renegade Executives; ISA 2004 Firewall Remote Access VPNs Lock Them Down Tight
- Connect Branch Offices without Fear with ISA 2004 Firewall Site to Site VPNs
- What does the ISA 2004 Firewall Application Layer Filtering Actually Do?
- Enable Secure Remote Access to Microsoft Exchange Servers
- Entirely New and Improved Firewall Configuration and Management Model
- NT/2000 RELATED NEWS
- Steve Ballmer Beats the Drum for Microsoft Security Advances
- Bill Gates Issues Security Progress Report: ISA 2004 Firewalls are Key
- NT/2000 THIRD PARTY NEWS
- Defense in Depth with Sunbelt Network Security Inspector
- Retina Supports ISA 2004 Firewall Protection with Proactive Scanning
- Avoiding the Risk of Viruses Inside Compressed Files
- W2Knews 'FAVE' LINKS
- This Week's Links We Like. Tips, Hints And Fun Stuff
- PRODUCT OF THE WEEK
- Military Strength Security Scanner: Sunbelt Network Security Inspector
SPONSOR: Ecora Enterprise Auditor
Trial Auditor Today, Confirm Compliance Tomorrow!
Meet Sarbanes-Oxley, HIPAA, GLBA reporting requirements!
Automate multi-platform configuration reporting, change tracking,
and disaster recovery documentation. Enterprise Auditor supports
Cisco, Citrix, Linux, Lotus Domino, Exchange, IIS, SQL, Windows,
Novell NetWare, and Oracle. View built-in reports you can use
today to manage your system.
Visit Ecora Enterprise Auditor for more information.
ISA 2004 Firewalls Set the Bar on Application Layer Filtering and High Security VPN
When's the last time you heard about a firewall being hacked?
Not often. Firewalls are hardened devices designed to be bastion
hosts with interfaces directly connected to untrusted networks,
such as the Internet. About the only time you'll encounter hacked
firewalls is when they're misconfigured, or left unpatched so
that a flaw in the firewall software itself becomes the way in.
How do relatively unsophisticated attackers compromise networks
when firewalls are relatively impervious to attack?
If you're running Granddaddy's firewall, you probably configure
packet filters. Packet filters use network and transport layer
information (or, with ICMP, network and ICMP type and code) to
determine what packets to let through the firewall. This approach
was once popular because Grandpa's firewall mostly concerned
itself with network layer attacks.
Although script kiddies continue to pound firewalls with
ineffective attacks, modern day hackers don't bother with the
firewall; they go for the meat - the network services behind the
firewall. Attacks against network services are known as
application layer attacks. Application layer attacks can be as
simple as the common buffer overflow, or as sophisticated as
creating a VPN tunnel into your production network using DNS as
the tunneling protocol.
If you're using a packet filtering firewall and haven't been
compromised yet, be patient. You will. Fast packet filters are
great at passing exploits with tremendous speed, but is that what
you're really looking for in a firewall? The good news is ISA
2004 firewalls will hit the streets soon and come to your rescue.
ISA 2004 builds on the powerful application layer protection
provided by ISA Server 2000, but pumps it up a couple orders of
magnitude. In fact, ISA 2004 sets a new bar for application layer
firewalls. This is bad news for the bad guys, but very good news
While ISA 2004 sets the new standard for deep application
inspection firewalling, there are others like Checkpoint that
will be nipping at the ISA firewall's heels. If you're only
looking for a powerful application layer firewall that stops
modern attacks from modern attackers at the perimeter, and you
want to pay a little more to get a little less app layer
filtering, you can definitely go with Checkpoint. So what else
can I tell you about that will get you to hook up with an ISA
How about VPN? Not the tired old "IPSec is better than PPTP"
or "SSL VPN is what's new tomorrow" bits you get from the sales
dude. What's extremely cool is that while the ISA 2004 firewall
raises the bar for application layer filtering firewalls, ISA
2004's new VPN features create a new bar. The ISA 2004 VPN server
does something no other VPN server can do: provide strong
user/group, site and application inspection and access control to
VPN clients. This control over VPN client traffic allows you to
prevent exploits, like Blaster, from entering your network via a
VPN client channel without the outrageously expensive and limited
functionality you see with so-called "SSL VPN" connections.
If you want to know more about firewalls in general, and ISA 2004
firewalls in particular, then read on. I guarantee that you'll
learn something that you didn't already know, and that the info
may just save your bacon when the next "worm of death" gets ready
to whack your networks. Finally, head on over to
www.microsoft.com/isaserver and www.isaserver.org to get all the
news and info you need to put yourself at the head of the ISA
2004 W2Knews Target Awards
There's still time to vote for your favorite system admin tool at the 2004 W2Knews Target Awards! Winners will be announced at Tech·Ed 2004 in San Diego, CA (May 23-29). Check out the finalists here, and let your voice be heard:
QUOTE OF THE WEEK:
"Saying you can't trust Microsoft on the perimeter is like saying
some folk can't be trusted to vote or work in the professions.
Ask 'em "why" you can't trust Microsoft security. They tell
you "it's always been, and will always be, that way". Feels like
they've got a Jim Crow against MS security, based on prejudice,
ignorance and fear..."
--Anonymous security consultant, March 2003
Ooops Department: Sorry for the confusion in last week's issue. If you were looking for the link to get up to speed on Office 2003, and found the SNSI page... this was an Ooops on our part. You can find the Office 2003 article here:
Tom Shinder, M.D., MVP
Guest W2knews Editor
(email me with feedback: [email protected])
SPONSOR: iHateSpam Server
The New Version 1.5 of iHateSpam Server has all the features you
asked for. It is now the best-selling anti-spam solution for MS
Exchange with over 3,000 enterprise licenses. Every week, 50 more
sites decide to protect their enterprise with iHateSpam Server.
It was designed -by- Exchange admins -for- Exchange admins. Very
smooth integration. V1.5 has a new, world-class detection engine
and a host of powerful features. Spam Sucks. Your life shouldn't.
Get 30 award-winning spam-free days here:
Visit iHateSpam Server for more information.
Never Again Worry About Renegade Executives; ISA 2004 Firewall Remote Access VPNs Lock Them Down Tight
Life has been difficult for network and firewall administrators
ever since the ISPs started shutting down TCP 135 because of the
Blaster worm. TCP 135 (the RPC endpoint mapper) is where the full
Outlook MAPI client starts every connection to a Microsoft
Exchange Server; the mail traffic itself then runs over the RPC
ports the endpoint mapper hands back, which is why admins who
publish MAPI through a firewall pin the Exchange store and
directory ports to fixed values. The boss really likes to use
Outlook 2000, 2002 or 2003 to connect to the office and doesn't
want to mess around with OWA or other remote access solutions to
Microsoft Exchange on the corporate network.
What do you do? Usually you end up giving the boss a VPN account.
Now he has the ability to run roughshod over the entire network,
since he has the same level of network access as that he has when
directly connected to a corporate switch via an Ethernet cable.
ISA 2004 firewall/VPN servers will put the boss in his place. He
only needs access to the Exchange Server, and he only needs
access to a specific set of protocols, not full access to the
Exchange box. No problem! ISA 2004 firewall/VPN servers lock
down VPN remote access clients easily. Create a group for the
users you want to allow full Outlook MAPI client access, then
create a firewall policy rule that lets only members of this
group reach only the Exchange Server, using only the protocols
they require; everything else from the VPN clients network falls
through to the deny at the bottom of the policy. Now the boss has
full access to the Exchange services he requires without risking
the entire network.
No other firewall/VPN server provides this level of granularity
over VPN client connections. None provides the same level of
stateful filtering and stateful inspection to VPN connections.
Even if you weren't in the market for another firewall, you might
want to check out ISA 2004 firewalls just for their VPN features,
as I suspect this is what a lot of you have been looking to find
for a long time.
Connect Branch Offices without Fear with ISA 2004 Firewall Site to Site VPNs
Branch office deployments are definitely on the upswing now that
we're out of the economic slump. Gone are the bad old days of
expensive dedicated point to point WAN links. Branch offices are
now connected to the main office using site to site (gateway to
gateway) VPN links running on relatively cheap Internet
Security problems you encounter with site to site VPN connections
are similar to those you see with remote access VPN connections
the boss makes from his hotel room in Bangkok - except that you
multiply the problem by hundreds or thousands of times! Site to
site VPN connections between branch and main offices sound good,
but the problem remains that unless you have control over the
desktops at the branch office, you're going to be victimized by
the untrusted hosts on the branch office network, even though
they're supposed to represent "friendlies".
This is where the ISA 2004 firewall/VPN server combo saves you
again. You can use the same user/group based access control to
provide branch office users access to ONLY the servers they need
to connect to, using ONLY the protocols they need to connect to
the services they require. Branch office users can get their work
done by accessing resources they require on the main office
network and no longer have free rein over the entire main
office network. Your ole' gran-daddy's PIX or Checkpoint box
won't do that.
Only the ISA 2004 firewall/VPN one-two punch gives you this
What does the ISA 2004 Firewall Application Layer Filtering Actually Do?
There is a lot of talk about Application Layer Filtering (ALF) on
the perimeter, but what does ALF really do? All firewalls protect
against network layer attacks. They may take different approaches
in doing so, but if the box is promoted as a firewall, it
protects you against layer 3/4 exploits.
What not all firewalls do is check what's going on at the
application layer (also called "layer 7"). When it comes down to
beating down Internet scum at the perimeter, application layer
protection is where the rubber meets the road. Here are just a few
examples of the application layer exploits blocked by the new ISA
- HTTP application layer filtering: Code Red, Nimda, HTR overflows, directory traversal attacks, buffer overflow attacks, chunked transfer encoding attacks, cross-site scripting attacks, malicious URLs, malicious HTTP content, high-bit encoding attacks, WebDAV attacks.
- SMTP application layer filtering: spam flood attacks, malicious attachment attacks, SMTP buffer overflow attacks, SMTP disk flood DoS attack, spammer open relay attack, brute force closed relay attack, all worms and worm variants
- DNS application layer filtering: DNS zone transfer from untrusted sources, DNS buffer overflow attacks, DNS malformed query attack, DNS malformed packet attacks
- POP3 application layer filtering: POP3 buffer overflow attacks, POP3 malformed command attacks
- RPC application layer filtering: Microsoft BLAST, Microsoft Blaster variants, Nachi, RPC worm variants and morphs
The above focuses on using ALF to protect against external
intruders. Exploits emanating from the corpnet can be a much
bigger problem than those coming in from the Internet. In the
worst case scenario, these internal exploits can expose your
network to attorneys!
ISA 2004 firewalls protect you from attorneys and other malicious
users by extending ALF to outbound access control. Other
firewalls that tout application layer filtering focus almost
exclusively on blocking external attackers. Check out these cool
outbound access control ALF features:
- Block access to all Windows executables
- Block access to Web sites based on keywords on Web pages and URLs
- Block access to Web sites based on signatures in Request and Response headers and data
- Enforce encrypted channel for remote access secure Exchange RPC Outlook clients
- Block FTP downloads or enable FTP downloads for selected users ONLY
- Allow ONLY the HTTP methods (PUT, GET, etc) that you want to allow; block all others for everyone, or just on a user/group basis - granular control is yours
- Enforce strict RPC compliance to hack and slash RPC worms as soon as they hit the ISA 2004 firewall; this also has the added benefit of stopping DCOM from moving through the ISA 2004 firewall box
There are tons more examples, but I think you get the point. ISA
2004 is the thought-leader in application layer firewalls and it's
pretty exciting stuff to watch. I've also heard it on the
grapevine that we'll be seeing even more application layer
filters for some of your favorite protocols by the end of the
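The HTTP checks named in the two lists above (a method allow-list, directory traversal, high-bit encoding, blocking Windows executables, keyword matching on URLs, signatures in request and response headers and data) are the kind of thing that is easy to get subtly wrong, so here is an added example in Python of a small request and response inspector. It is not ISA Server 2004's code and not from the newsletter; the allowed methods, blocked extensions, keyword list and the "EvilScanner" User-Agent signature are assumptions made for the example, and the sample requests are constructed. It goes one step beyond the list: the path is percent-decoded until it stops changing, so a double-encoded traversal (%255c) is caught as well as a plain one.

```python
import re
from urllib.parse import unquote, urlsplit

# Policy values are constructed for this example; they are not ISA defaults.
ALLOWED_METHODS = {"GET", "HEAD", "POST"}      # everything else, PUT included, is denied
MAX_URL_LENGTH = 2048                           # crude guard against overflow-style URLs
BLOCKED_EXTENSIONS = (".exe", ".dll", ".scr", ".pif", ".com", ".bat", ".cmd")
BLOCKED_KEYWORDS = ("warez", "gambling")        # keyword match on the URL
HEADER_SIGNATURES = {                           # header name -> pattern that denies
    "User-Agent": re.compile(r"EvilScanner", re.IGNORECASE),   # hypothetical signature
}


def normalize_path(raw_path):
    """Percent-decode until stable so double encoding such as %255c cannot hide
    a traversal, then treat backslashes as slashes the way IIS does."""
    path = raw_path
    for _ in range(3):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path.replace("\\", "/")


def inspect_request(raw):
    """Decide one raw HTTP request. Returns (allowed, reason)."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    try:
        lines = head.decode("ascii").split("\r\n")   # high-bit bytes are rejected here
        method, target, _version = lines[0].split(" ")
    except (UnicodeDecodeError, ValueError):
        return False, "malformed request line or non-ASCII bytes in headers"
    if method not in ALLOWED_METHODS:
        return False, f"method {method} not allowed"
    if len(target) > MAX_URL_LENGTH:
        return False, "URL exceeds length limit"
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().title()] = value.strip()
    for name, pattern in HEADER_SIGNATURES.items():
        if name in headers and pattern.search(headers[name]):
            return False, f"{name} header matches a blocked signature"
    path = normalize_path(urlsplit(target).path)
    if ".." in path.split("/"):
        return False, "directory traversal in URL"
    if path.lower().endswith(BLOCKED_EXTENSIONS):
        return False, "Windows executable download blocked"
    lowered = unquote(target).lower()
    hits = [k for k in BLOCKED_KEYWORDS if k in lowered]
    if hits:
        return False, f"URL contains blocked keyword {hits[0]!r}"
    return True, "ok"


def inspect_response(raw):
    """Response side: a body that starts with the PE 'MZ' signature is an
    executable whatever the URL or Content-Type says."""
    _head, _, body = raw.partition(b"\r\n\r\n")
    if body[:2] == b"MZ":
        return False, "response body is a Windows executable"
    return True, "ok"


# Constructed sample traffic; "traversal" is the classic IIS double-encoded probe.
SAMPLE_REQUESTS = {
    "normal": b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    "webdav_put": b"PUT /upload/x.txt HTTP/1.1\r\nHost: www.example.com\r\n\r\nhi",
    "traversal": b"GET /scripts/..%255c..%255cwinnt/system32/cmd.exe?/c+dir HTTP/1.0\r\n\r\n",
    "exe_download": b"GET /files/tool.exe HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    "bad_agent": b"GET / HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: EvilScanner/1.0\r\n\r\n",
    "high_bit": b"GET /\xc0\xaf HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    "long_url": b"GET /default.ida?" + b"N" * 3000 + b" HTTP/1.0\r\n\r\n",
}

if __name__ == "__main__":
    for label, request in SAMPLE_REQUESTS.items():
        print(label, inspect_request(request))
```

The one rule worth remembering from this: decode the URL the way the back-end server will before matching anything, otherwise the signature sees "%255c" while IIS sees a backslash.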
Enable Secure Remote Access to Microsoft Exchange Servers
If you don't ever need to access the mail on the office Exchange
Server from anywhere outside the office, then you don't need an
ISA 2004 firewall. But if you do need secure remote access to
Exchange Outlook Web Access (OWA), Outlook Mobile Access (OMA),
RPC over HTTP and ActiveSync, then you do need an ISA 2004
firewall. Why? Because the ISA 2004 firewall provides a unique
level of protection against remote access connections to Exchange
through a combination of its HTTP deep application layer
inspection filter and SSL to SSL bridging (aka - SSL termination).
SSL to SSL bridging allows the firewall to terminate and
reestablish SSL sessions: the firewall holds a certificate and
private key for the published site, decrypts the client's
session, inspects it, and opens a fresh SSL session to the
Exchange front end. That also means the firewall host must be
protected at least as well as the Exchange server it fronts,
since it now holds the site's key. In contrast, your poor
cousin's firewall just allows SSL tunneled traffic through to
the Exchange Web sites. The ISA 2004 SSL termination feature
allows the ISA firewall to inspect the contents of the SSL
connection and block those containing suspicious or recognized
exploits. In contrast, a packet filter firewall like PIX merrily
passes the SSL tunneled exploits back to your OWA, OMA and RPC
over HTTP sites. But to be fair, the PIX passes those exploits
really fast!
SSL termination (SSL to SSL bridging) is only one of the ISA 2004
firewall features that enable secure remote access to Exchange
Servers. Check out some of these other Exchange protection
- Delegation of Basic authentication prevents unauthenticated users from connecting to the Exchange site
- ISA 2004 firewall form-based authentication allows the firewall to generate the form, instead of the Exchange 2003 Web site. Firewall generated forms-based authentication extends the security provided by delegation of basic authentication to protect the OWA Web site from attacks by unauthenticated users
- Secure Exchange RPC, both inbound and outbound with the secure Exchange RPC filter. If the ISPs don't DoS your Exchange connections by blocking TCP 135, you can enjoy hands-free access to the full range of Exchange features from the full Outlook client using secure, encrypted Exchange RPC connections from anywhere in the world
Entirely New and Improved Firewall Configuration and Management Model
Many people who gave ISA Server 2000 a look found it to be a bit
unwieldy. You had to configure the policy elements first and then
create the Access Policy. There was a lot of back and forth using
that approach. Even when you got the Policy Elements and Access
Policies in place, you weren't really sure what rule would be
applied when because the order in which rules were applied wasn't
ISA 2004 firewalls use a traditional top down rules processing
approach that you're used to. In fact, you'll find the ISA 2004
firewall user interface to be the most functional and most
attractive one you've ever worked with. You actually can use this
interface to create secure inbound and outbound access controls
without wasting a week in a firewall training class and spending
a couple/three grand for the pleasure.
Don't believe it? Give it a try. Download a beta copy and install
it on a lab machine. I promise you'll hardly believe your eyes!
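Two things in this issue come down to the same mechanism: the "only this group, only the Exchange Server, only these protocols" VPN policy described under "Never Again Worry About Renegade Executives", and the top-down, first-match rule processing described just above. Here is an added example in Python, not ISA Server 2004's code and not from the newsletter, that models that evaluation and shows the ordering mistake the old policy-element model made hard to see: a broad allow placed above the narrow rule shadows it. The VPN address pool, internal addresses, group name and the pinned Exchange RPC ports (6001-6004 standing in for the store and directory ports) are all assumptions made for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed addresses and group names; nothing here is an ISA default.
VPN_CLIENTS = ip_network("10.9.0.0/24")      # pool handed out to VPN clients
INTERNAL = ip_network("10.1.0.0/16")
EXCHANGE = ip_network("10.1.1.10/32")
FILE_SERVER = ip_network("10.1.1.20/32")

# Assumed Outlook MAPI protocol definition: 135 is the RPC endpoint mapper,
# 6001-6004 stand in for store/directory ports the admin has pinned.
OUTLOOK_MAPI = (("tcp", 135, 135), ("tcp", 6001, 6004))
ANY_PROTOCOL = (("tcp", 0, 65535), ("udp", 0, 65535))
OUTLOOK_VPN = frozenset({"Outlook VPN Users"})


@dataclass(frozen=True)
class Rule:
    name: str
    action: str          # "allow" or "deny"
    users: frozenset     # group names; an empty set means "all users"
    sources: tuple       # ip_network objects
    destinations: tuple  # ip_network objects
    protocols: tuple     # (proto, low_port, high_port) triples


@dataclass(frozen=True)
class Connection:
    user_groups: frozenset
    src: str
    dst: str
    proto: str
    port: int


def rule_matches(rule, conn):
    src, dst = ip_address(conn.src), ip_address(conn.dst)
    if rule.users and not (rule.users & conn.user_groups):
        return False
    if not any(src in net for net in rule.sources):
        return False
    if not any(dst in net for net in rule.destinations):
        return False
    return any(p == conn.proto and lo <= conn.port <= hi
               for p, lo, hi in rule.protocols)


def evaluate(rules, conn):
    """Top-down, first match wins; an implicit deny sits at the bottom."""
    for rule in rules:
        if rule_matches(rule, conn):
            return rule.action, rule.name
    return "deny", "default deny"


def shadowed_rules(rules, sample_connections):
    """Names of rules that never decide any of the sampled connections
    because an earlier rule always matches first (a sample-based check)."""
    decided_by = {evaluate(rules, c)[1] for c in sample_connections}
    return [r.name for r in rules if r.name not in decided_by]


# The locked-down policy from the VPN section: one narrow allow, then deny.
LOCKED_DOWN = (
    Rule("MAPI to Exchange for Outlook VPN users", "allow", OUTLOOK_VPN,
         (VPN_CLIENTS,), (EXCHANGE,), OUTLOOK_MAPI),
)

# The ordering hazard: a broad "VPN clients to Internal" allow on top.
SLOPPY = (
    Rule("VPN clients to Internal", "allow", frozenset(),
         (VPN_CLIENTS,), (INTERNAL,), ANY_PROTOCOL),
) + LOCKED_DOWN

boss_mapi = Connection(OUTLOOK_VPN, "10.9.0.7", "10.1.1.10", "tcp", 135)
boss_smb = Connection(OUTLOOK_VPN, "10.9.0.7", "10.1.1.20", "tcp", 445)
boss_exch_smb = Connection(OUTLOOK_VPN, "10.9.0.7", "10.1.1.10", "tcp", 445)
stranger = Connection(frozenset({"Domain Users"}), "10.9.0.8", "10.1.1.10", "tcp", 135)
SAMPLE_CONNECTIONS = (boss_mapi, boss_smb, boss_exch_smb, stranger)

if __name__ == "__main__":
    for label, rules in (("locked down", LOCKED_DOWN), ("sloppy", SLOPPY)):
        for conn in SAMPLE_CONNECTIONS:
            print(label, conn.dst, conn.proto, conn.port, evaluate(rules, conn))
        print(label, "shadowed:", shadowed_rules(rules, SAMPLE_CONNECTIONS))
```

Under the locked-down policy the boss reaches Exchange on the MAPI ports and nothing else, and a VPN user outside the group gets nothing; under the sloppy policy his SMB session to the file server is allowed by the broad rule and the narrow rule never fires, which is exactly what a shadowed-rule check should flag.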
NT/2000 RELATED NEWS
Steve Ballmer Beats the Drum for Microsoft Security Advances
Security is Job One for Microsoft these days, and we're seeing
evidence of this commitment every day. While the ISA 2004 firewall
is the standard bearer of Microsoft security, the firewall is
only the beginning. Steve Ballmer and Security Business Unit VP
Mike Nash make it clear that security is the overarching concern
from the top down. As part of this commitment, Microsoft kicked
off a 20-city security road show this week that will highlight
ISA 2004 firewall protection, new Windows XP SP2 security
technologies and some super secret stuff. For more info, visit:
Bill Gates Issues Security Progress Report: ISA 2004 Firewalls are Key
On March 31 of this year, Bill Gates issued a Microsoft Progress
Report on Security that outlined the current security challenges
that Microsoft and the entire industry face and how Microsoft is
meeting those challenges. In addition to the powerful application
layer security for inbound and outbound access control provided
by ISA 2004 firewalls, Bill Gates explains the enhanced security
feature sets in Windows Server 2003, Windows XP Service Pack 2,
application programming targeted at process isolation and
resiliency, active application protection technologies, and much
more. Check out Bill G's letter over at:
THIRD PARTY NEWS
Defense in Depth with Sunbelt Network Security Inspector
The ISA 2004 firewall is only the first piece of your strong
defense in depth strategy. One of the most difficult issues with
network defense in depth is host security. That's where the
Sunbelt Network Security Inspector comes in. Here are some key
features of Sunbelt's SNSI network security audit tool:
SNSI is licensed per Administrator and lets you scan unlimited
machines! SNSI won't make a hole in your budget, so you can
afford to be proactive without compromises. Check the Benefits
page for the enormously attractive Traveling License price.
Check out SNSI at:
- Close the door on hackers! You can't close the door if you don't know which one is open. That's why we designed Sunbelt Network Security Inspector (SNSI).
- A low-cost, quick-install, fast-result vulnerability scanner that uses a top quality, commercial-grade database of ranked vulnerabilities
- Prioritized vulnerability reports provide detailed and easy-to-follow instructions on how to fix holes fast, so you can focus on the most critical security issues
- Configurable scans - create your own scans or use predefined scans such as "high risk" or the "SANS top 20"
- Windows platform support: Find holes in Windows 95/98/ME/NT/2000/XP and Windows Server 2003 machines
- The easy, all-new interface has a short learning curve: just point, right-click and QuickScan
Retina Supports ISA 2004 Firewall Protection with Proactive Scanning
We all know that firewalls (even ISA 2004 firewalls) and
intrusion detection systems do not provide 100% protection
against hackers. To a great extent, Firewalls and IDS tools are
reactive in nature: they protect you when someone is actually
hacking into your network. In order to achieve an effective
defense in depth posture you also need a product that proactively
helps secure your network in advance:
Retina was designed by eEye Digital Security to identify known
and unknown vulnerabilities, suggest fixes to identified
vulnerabilities, and report possible security holes within a
network's Internet, intranet, and extranet environments. For more
info check out Retina at:
- Retina was built to be non-intrusive. It does not bring down your networks while you run your penetration tests
- Contrary to other scanners, in the Enterprise License, there are no limitations on the IP's audited. The licensing is easy and transparent
- The autofix and autoupdate features are really strong, and new vulnerabilities are added ASAP, not once a month or six weeks like other tools. This is something really crucial
- Last but not least, the reporting is great. It provides executive level summaries that are readable. Moreover, you can install Retina on a laptop and audit all your subnets. Try to get that done with some of the other products!
Avoiding the Risk of Viruses Inside Compressed Files
These virus writers are a tricky lot. Not only do they want to
infect as many computers as they can with their malicious code,
they use every disguise they can to hoodwink us. One of the key
methods is compressing the file carrying the virus into the
popular zip format.
Normally, any high-quality antivirus program can scan and
disinfect files, as long as you configure it to do so.
The problem is when these files are password-protected.
When a password-protected compressed file reaches a computer,
the antivirus protection cannot access it to scan the contents,
because the user needs to enter a password to view the content.
On a single protected workstation this is usually not a problem
for a good antivirus solution: if the compressed file is
infected, the AV will catch it when the file is extracted and run.
All goes to hell in a corporate network, though: even if the mail
server has an updated antivirus, the file cannot be scanned and
the infected file reaches the individual workstations scot-free.
Of course, if the workstations are protected, the virus won't be
able to go to town, but what if they aren't? Several of the Bagle
variants spread like wildfire through password-protected files and
thousands of computers were infected just like that, which in turn
increased network traffic and in some cases saturated the email
server so badly it shut down.
The best way to handle this is through a layered defense and to
make sure that any antivirus solution you use has true daily updates
and 24/7 tech support to help you solve any incidents that come
up. I know the folks at Panda have developed a very specific
detection routine protecting computers against the Bagle worm
compressed file scheme. You can download their enterprise
solution by clicking here:
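The gateway cannot open a password-protected archive, but it is not blind either: a ZIP's central directory exposes every member's name, size and encryption flag in the clear, which is enough to quarantine the Bagle pattern (an encrypted archive whose member is an executable, often behind a double extension) without the password. Here is an added example in Python, not Panda's detection routine and not from the newsletter, that builds a few constructed sample archives in memory and applies that check; the extension list is an assumption made for the example, and the "encrypted" samples only set the flag and pad the member the way ZipCrypto would, the bytes are not really encrypted.

```python
import io
import os
import struct
import zipfile
import zlib

# Extensions treated as executable content; a constructed list for this example.
EXECUTABLE_EXT = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs"}


def build_zip(entries, encrypted=False):
    """Build a minimal stored (uncompressed) ZIP archive in memory.

    Stands in for a mail attachment (constructed input). With encrypted=True
    the general purpose flag bit 0 is set and each member gets a 12-byte
    prefix in place of the ZipCrypto header, so a scanner sees exactly what a
    real password-protected archive shows it: names and sizes in the clear,
    contents it cannot open. The bytes are not actually encrypted.
    """
    flag = 0x0001 if encrypted else 0x0000
    dos_date = ((2004 - 1980) << 9) | (4 << 5) | 12        # 12 Apr 2004
    local, central = b"", b""
    for name, data in entries:
        raw_name = name.encode("ascii")
        crc = zlib.crc32(data) & 0xFFFFFFFF
        body = (b"\x00" * 12 + data) if encrypted else data
        offset = len(local)
        # local file header: sig, version, flags, method, time, date, crc,
        # compressed size, uncompressed size, name length, extra length
        local += struct.pack("<IHHHHHIIIHH", 0x04034B50, 20, flag, 0, 0,
                             dos_date, crc, len(body), len(data),
                             len(raw_name), 0) + raw_name + body
        # central directory entry for the same member
        central += struct.pack("<IHHHHHHIIIHHHHHII", 0x02014B50, 20, 20, flag,
                               0, 0, dos_date, crc, len(body), len(data),
                               len(raw_name), 0, 0, 0, 0, 0, offset) + raw_name
    eocd = struct.pack("<IHHHHIIH", 0x06054B50, 0, 0, len(entries),
                       len(entries), len(central), len(local), 0)
    return local + central + eocd


def scan_archive(buf):
    """Mail-gateway decision for one ZIP attachment: (verdict, reasons).

    Encrypted members cannot be opened without the password, so they are judged
    on what the central directory exposes anyway: the member name and the
    encryption flag. Plain members are opened and checked for the PE 'MZ'
    signature so a renamed executable is caught too.
    """
    reasons, block, unscannable = [], False, False
    with zipfile.ZipFile(io.BytesIO(buf)) as zf:
        for info in zf.infolist():
            ext = os.path.splitext(info.filename)[1].lower()
            if info.flag_bits & 0x0001:                 # bit 0: member is encrypted
                if ext in EXECUTABLE_EXT:
                    block = True
                    reasons.append(f"{info.filename}: encrypted executable")
                else:
                    unscannable = True
                    reasons.append(f"{info.filename}: encrypted, contents cannot be scanned")
                continue
            with zf.open(info) as member:
                head = member.read(2)
            if ext in EXECUTABLE_EXT or head == b"MZ":
                block = True
                reasons.append(f"{info.filename}: Windows executable")
    if block:
        return "block", reasons
    if unscannable:
        return "quarantine", reasons
    return "allow", reasons


# Constructed sample attachments, including the Bagle-style one: a password
# protected archive whose only member is an executable with a double extension.
SAMPLES = {
    "plain_doc": build_zip([("report.txt", b"quarterly numbers")]),
    "renamed_exe": build_zip([("holiday.jpg", b"MZ\x90\x00\x03\x00")]),
    "bagle_style": build_zip([("invoice.pdf.exe", b"opaque")], encrypted=True),
    "encrypted_doc": build_zip([("notes.txt", b"hello")], encrypted=True),
}


def scan_samples():
    """Verdict per sample archive."""
    return {name: scan_archive(buf)[0] for name, buf in SAMPLES.items()}

if __name__ == "__main__":
    for name, buf in SAMPLES.items():
        print(name, scan_archive(buf))
```

The point of the "quarantine" verdict is that an encrypted archive with harmless-looking names is still unscannable, so it should be held for the recipient rather than silently delivered; the "block" verdict needs no password at all, because the name and the flag already give the game away.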
This Week's Links We Like. Tips, Hints And Fun Stuff
PRODUCT OF THE WEEK
Military Strength Security Scanner: Sunbelt Network Security Inspector
Need to close the door on hackers? But "no budget and no time"
are your biggest problems? SNSI solves this problem: a world-class scanner that does not make a hole in your budget. Better
yet, there is a KILLER competitive upgrade price. Compare that
to other high-end scanners out there. It's easy to see why SNSI
is rapidly becoming a Security Best Seller: The exception to
"you get what you pay for".