Sunbelt W2Knews™ Electronic Newsletter
The secret of those "who always seem to know" - Over 500,000 Readers!
Mon, Apr 12, 2004 (Vol. 9, #15 - Issue #471)
Special Report: Redmond's Brand New Firewall ISA Server 2004
  This issue of W2Knews™ contains:
  1. EDITORS CORNER
    • ISA 2004 Firewalls Set the Bar on Application Layer Filtering and High Security VPN
    • 2004 W2Knews Target Awards
  2. TECH BRIEFING
    • Never Again Worry About Renegade Executives; ISA 2004 Firewall Remote Access VPNs Lock Them Down Tight
    • Connect Branch Offices without Fear with ISA 2004 Firewall Site to Site VPNs
    • What does the ISA 2004 Firewall Application Layer Filtering Actually Do?
    • Enable Secure Remote Access to Microsoft Exchange Servers
    • Entirely New and Improved Firewall Configuration and Management Model
  3. NT/2000 RELATED NEWS
    • Steve Ballmer Beats the Drum for Microsoft Security Advances
    • Bill Gates Issues Security Progress Report: ISA 2004 Firewalls are Key
  4. NT/2000 THIRD PARTY NEWS
    • Defense in Depth with Sunbelt Network Security Inspector
    • Retina Supports ISA 2004 Firewall Protection with Proactive Scanning
    • Avoiding the Risk of Viruses Inside Compressed Files
  5. W2Knews 'FAVE' LINKS
    • This Week's Links We Like. Tips, Hints And Fun Stuff
  6. PRODUCT OF THE WEEK
    • Military Strength Security Scanner: Sunbelt Network Security Inspector
  SPONSOR: Ecora Enterprise Auditor
Trial Auditor Today - Confirm Compliance Tomorrow!
Meet Sarbanes-Oxley, HIPAA, GLBA reporting requirements!
Automate multi-platform configuration reporting, change tracking,
and disaster recovery documentation. Enterprise Auditor supports
Cisco, Citrix, Linux, Lotus Domino, Exchange, IIS, SQL, Windows,
Novell NetWare, and Oracle. View built-in reports you can use
today to manage your system.
Visit Ecora Enterprise Auditor for more information.
  EDITORS CORNER

ISA 2004 Firewalls Set the Bar on Application Layer Filtering and High Security VPN

When's the last time you heard about a firewall being hacked? You haven't. Firewalls are hardened devices designed to be bastion hosts with interfaces directly connected to untrusted networks, such as the Internet. About the only time you'll encounter hacked firewalls is when they're misconfigured.

How do relatively unsophisticated attackers compromise networks when firewalls are relatively impervious to attack?

If you're running Granddaddy's firewall, you probably configure packet filters. Packet filters use network and transport layer information (or, with ICMP, network and ICMP type and code) to determine what packets to let through the firewall. This approach was once popular because Grandpa's firewall mostly concerned itself with network layer attacks.

Although script kiddies continue to pound firewalls with ineffective attacks, modern day hackers don't bother with the firewall; they go for the meat - the network services behind the firewall. Attacks against network services are known as application layer attacks. Application layer attacks can be as simple as the common buffer overflow, or as sophisticated as creating a VPN tunnel into your production network using DNS as the tunneling protocol.
http://www.w2knews.com/rd/rd.cfm?id=040412ED-ISA_Slashdot

If you're using a packet filtering firewall and haven't been compromised yet, be patient. You will be. Fast packet filters are great at passing exploits with tremendous speed, but is that what you're really looking for in a firewall? The good news is that ISA 2004 firewalls will hit the streets soon and come to your rescue. ISA 2004 builds on the powerful application layer protection provided by ISA Server 2000, but pumps it up a couple orders of magnitude. In fact, ISA 2004 sets a new bar for application layer firewalls. This is bad news for the bad guys, but very good news for you.

While ISA 2004 sets the new standard for deep application inspection firewalling, there are others like Checkpoint that will be nipping at the ISA firewall's heels. If you're only looking for a powerful application layer firewall that stops modern attacks from modern attackers at the perimeter, and you want to pay a little more to get a little less app layer filtering, you can definitely go with Checkpoint. So what else can I tell you about that will get you to hook up with an ISA firewall?

How about VPN? Not the tired old "IPSec is better than PPTP" or "SSL VPN is what's new tomorrow" bits you get from the sales dude. What's extremely cool is that while the ISA 2004 firewall raises the bar for application layer filtering firewalls, ISA 2004's new VPN features create a new bar. The ISA 2004 VPN server does something no other VPN server can do: provide strong user/group, site and application inspection and access control to VPN clients. This control over VPN client traffic allows you to prevent exploits, like Blaster, from entering your network via a VPN client channel without the outrageous expense and limited functionality you see with so-called "SSL VPN" connections.

If you want to know more about firewalls in general, and ISA 2004 firewalls in particular, then read on. I guarantee that you'll learn something that you didn't already know, and that the info may just save your bacon when the next "worm of death" gets ready to whack your networks. Finally, head on over to www.microsoft.com/isaserver and www.isaserver.org to get all the news and info you need to put yourself at the head of the ISA firewall pack.

2004 W2Knews Target Awards

There's still time to vote for your favorite system admin tool at the 2004 W2Knews Target Awards! Winners will be announced at Tech·Ed 2004 in San Diego, CA (May 23-29). Check out the finalists here, and let your voice be heard:
http://www.w2knews.com/rd/rd.cfm?id=040412ED-Target_Awards

QUOTE OF THE WEEK:
"Saying you can't trust Microsoft on the perimeter is like saying some folk can't be trusted to vote or work in the professions. Ask 'em "why" you can't trust Microsoft security. They tell you "it's always been, and will always be, that way". Feels like they've got a Jim Crow against MS security, based on prejudice, ignorance and fear..."
--Anonymous security consultant, March 2003

Ooops Department: Sorry for a confusion in last week's issue. If you were looking for the link to get up to speed on Office 2003, and found the SNSI page... this was an Ooops on our part. You can find the Office 2003 article here:
http://www.w2knews.com/rd/rd.cfm?id=040412ED-Outlook2003

Warm regards,
Tom Shinder, M.D., MVP
Guest W2knews Editor
(email me with feedback: [email protected])

  SPONSOR: iHateSpam Server
The New Version 1.5 of iHateSpam Server has all the features you
asked for.
It is now the best-selling anti-spam solution for MS
Exchange with over 3,000 enterprise licenses. Every week, 50 more
sites decide to protect their enterprise with iHateSpam Server.
It was designed -by- Exchange admins -for- Exchange admins. Very
smooth integration. V1.5 has a new, world-class detection engine
and a host of powerful features. Spam Sucks. Your life shouldn't.
Get 30 award-winning spam-free days here:
Visit iHateSpam Server for more information.
  TECH BRIEFING

Never Again Worry About Renegade Executives; ISA 2004 Firewall Remote Access VPNs Lock Them Down Tight

Life has been difficult for network and firewall administrators ever since the ISPs started shutting down TCP 135 because of the Blaster worm. TCP 135 is required to connect to Microsoft Exchange Servers from the full Outlook MAPI client. The boss really likes to use Outlook 2000, 2002 or 2003 to connect to the office and doesn't want to mess around with OWA or other remote access solutions to Microsoft Exchange on the corporate network. What do you do? Usually you end up giving the boss a VPN account. Now he has the ability to run roughshod over the entire network, since he has the same level of network access as he has when directly connected to a corporate switch via an Ethernet cable.

ISA 2004 firewall/VPN servers will put the boss in his place. He only needs access to the Exchange Server, and he only needs access to a specific set of protocols, not full access to the Exchange box. No problem! ISA 2004 firewall/VPN servers lock down VPN remote access clients easily. Create a group you want to allow full Outlook MAPI client access, then create a firewall policy that allows only members of this group access to only the Exchange Server, using only the protocols they require. Now the boss has full access to the Exchange services he requires without risking the entire network.

No other firewall/VPN server provides this level of granularity over VPN client connections. None provides the same level of stateful filtering and stateful inspection to VPN connections. Even if you weren't in the market for another firewall, you might want to check out ISA 2004 firewalls just for their VPN features, as I suspect this is what a lot of you have been looking to find for a long time.

Connect Branch Offices without Fear with ISA 2004 Firewall Site to Site VPNs

Branch office deployments are definitely on the upswing now that we're out of the economic slump. Gone are the bad old days of expensive dedicated point to point WAN links. Branch offices are now connected to the main office using site to site (gateway to gateway) VPN links running on relatively cheap Internet connections.

Security problems you encounter with site to site VPN connections are similar to those you see with remote access VPN connections the boss makes from his hotel room in Bangkok - except that you multiply the problem by hundreds or thousands of times! Site to site VPN connections between branch and main offices sound good, but the problem remains that unless you have control over the desktops at the branch office, you're going to be victimized by the untrusted hosts on the branch office network, even though they're supposed to represent "friendlies".

This is where the ISA 2004 firewall/VPN server combo saves you again. You can use the same user/group based access control to provide branch office users access to ONLY the servers they need to connect to, using ONLY the protocols they need to connect to the services they require. Branch office users can get their work done by accessing resources they require on the main office network and no longer have free rein over the entire main office network. Your ole' gran-daddy's PIX or Checkpoint box won't do that.

Only the ISA 2004 firewall/VPN one-two punch gives you this control. Sweet!

What does the ISA 2004 Firewall Application Layer Filtering Actually Do?

There is a lot of talk about Application Layer Filtering (ALF) on the perimeter, but what does ALF really do? All firewalls protect against network layer attacks. They may take different approaches in doing so, but if the box is promoted as a firewall, it protects you against layer 3/4 exploits.

What all firewalls don't do is check what's going on at the application layer (also called "layer 7"). When it comes down to beating down Internet scum at the perimeter, application layer protection is where the rubber meets the road. Here are just a few examples of the application layer exploits blocked by the new ISA 2004 firewall:

  • HTTP application layer filtering: Code Red, Nimda, HTR overflows, directory traversal attacks, buffer overflow attacks, chunked transfer encoding attacks, cross-site scripting attacks, malicious URLs, malicious HTTP content, high-bit encoding attacks, WebDAV attacks.
  • SMTP application layer filtering: spam flood attacks, malicious attachment attacks, SMTP buffer overflow attacks, SMTP disk flood DoS attack, spammer open relay attack, brute force closed relay attack, all worms and worm variants
  • DNS application layer filtering: DNS zone transfer from untrusted sources, DNS buffer overflow attacks, DNS malformed query attack, DNS malformed packet attacks
  • POP3 application layer filtering: POP3 buffer overflow attacks, POP3 malformed command attacks
  • RPC application layer filtering: Microsoft BLAST, Microsoft Blaster variants, Nachi, RPC worm variants and morphs

The above focuses on using ALF to protect against external intruders. Exploits emanating from the corpnet can be a much bigger problem than those coming in from the Internet. In the worst case scenario, these internal exploits can expose your network to attorneys!

ISA 2004 firewalls protect you from attorneys and other malicious users by extending ALF to outbound access control. Other firewalls that tout application layer filtering focus almost exclusively on blocking external attackers. Check out these cool outbound access control ALF features:

  • Block access to all Windows executables
  • Block access to Web sites based on keywords on Web pages and URLs
  • Block access to Web sites based on signatures in Request and Response headers and data
  • Enforce encrypted channel for remote access secure Exchange RPC Outlook clients
  • Block FTP downloads or enable FTP downloads for selected users ONLY
  • Allow ONLY the HTTP methods (PUT, GET, etc) that you want to allow; block all others for everyone, or just on a user/group basis - granular control is yours
  • Enforce strict RPC compliance to hack and slash RPC worms as soon as they hit the ISA 2004 firewall; this also has the added benefit of stopping DCOM from moving through the ISA 2004 firewall box
There are tons more examples, but I think you get the point. ISA 2004 is the thought-leader in application layer firewalls and it's pretty exciting stuff to watch. I've also heard it on the grapevine that we'll be seeing even more application layer filters for some of your favorite protocols by the end of the year.
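To make the contrast between a port-based packet filter and HTTP application layer filtering concrete, here is an added example (not ISA 2004 code and not from the original newsletter). The allowed methods, blocked extensions, length limit and sample request lines are all constructed assumptions.

```python
from __future__ import annotations
from urllib.parse import unquote_to_bytes

ALLOWED_PORTS = {80}                       # all a layer 3/4 packet filter looks at
ALLOWED_METHODS = {"GET", "HEAD", "POST"}  # assumed site policy
BLOCKED_EXTENSIONS = (".exe", ".com", ".scr", ".pif")  # assumed executable list
MAX_URL_LENGTH = 2048                      # assumed limit
MAX_DECODE_ROUNDS = 3


def packet_filter(dst_port: int) -> bool:
    """Layer 3/4 decision: the payload is never inspected."""
    return dst_port in ALLOWED_PORTS


def http_filter(request_line: str) -> tuple[bool, str]:
    """Layer 7 decision on one HTTP request line; returns (allowed, reason)."""
    parts = request_line.split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return False, "malformed request line"
    method, target, _version = parts
    if method not in ALLOWED_METHODS:
        return False, "method not allowed"
    if len(target) > MAX_URL_LENGTH:
        return False, "URL too long"
    # Decode percent-escapes until stable so double encoding cannot hide
    # a traversal; give up (and block) if it never settles.
    raw = target.split("?", 1)[0].encode("utf-8")
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = unquote_to_bytes(raw)
        if decoded == raw:
            break
        raw = decoded
    else:
        return False, "nested percent-encoding"
    if any(b >= 0x80 for b in raw):
        return False, "high-bit character"
    path = raw.decode("ascii").replace("\\", "/").lower()
    if ".." in path.split("/"):
        return False, "directory traversal"
    if path.endswith(BLOCKED_EXTENSIONS):
        return False, "executable download"
    return True, "ok"


# Constructed request lines, all arriving on TCP 80.
SAMPLE_REQUESTS = [
    "GET /index.html HTTP/1.1",
    "PUT /upload.txt HTTP/1.1",
    "GET /docs/%252e%252e/%252e%252e/private/report.txt HTTP/1.1",
    "GET /caf%C3%A9.html HTTP/1.1",
    "GET /files/setup.exe HTTP/1.1",
]


def compare(requests, dst_port=80):
    """Return (request, packet filter verdict, HTTP filter verdict, reason)."""
    return [(line, packet_filter(dst_port), *http_filter(line)) for line in requests]


if __name__ == "__main__":
    for line, l4_ok, l7_ok, reason in compare(SAMPLE_REQUESTS):
        print(f"L3/4={'pass' if l4_ok else 'drop'}  L7={'pass' if l7_ok else 'drop'}"
              f"  ({reason})  {line}")
```

Every sample passes the port check, while only the first survives the request-level checks.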

Enable Secure Remote Access to Microsoft Exchange Servers

If you don't ever need to access the mail on the office Exchange Server from anywhere outside the office, then you don't need an ISA 2004 firewall. But if you do need secure remote access to Exchange Outlook Web Access (OWA), Outlook Mobile Access (OMA), RPC over HTTP and ActiveSync, then you do need an ISA 2004 firewall. Why? Because the ISA 2004 firewall provides a unique level of protection against remote access connections to Exchange through a combination of its HTTP deep application layer inspection filter and SSL to SSL bridging (aka - SSL termination).

SSL to SSL bridging allows the firewall to terminate and reestablish SSL sessions. In contrast, your poor cousin's firewall just allows SSL tunneled traffic through to the Exchange Web sites. The ISA 2004 SSL termination feature allows the ISA firewall to inspect the contents of the SSL connection and block those containing suspicious or recognized exploits. In contrast, a packet filter firewall like PIX merrily passes the SSL tunneled exploits back to your OWA, OMA and RPC over HTTP sites. But to be fair, the PIX passes those exploits really fast!

SSL termination (SSL to SSL bridging) is only one of the ISA 2004 firewall features that enable secure remote access to Exchange Servers. Check out some of these other Exchange protection technologies:

  • Delegation of Basic authentication prevents unauthenticated users from connecting to the Exchange site
  • ISA 2004 firewall form-based authentication allows the firewall to generate the form, instead of the Exchange 2003 Web site. Firewall generated forms-based authentication extends the security provided by delegation of basic authentication to protect the OWA Web site from attacks by unauthenticated users
  • Secure Exchange RPC, both inbound and outbound with the secure Exchange RPC filter. If the ISPs don't DoS your Exchange connections by blocking TCP 135, you can enjoy "hands free" access to the full range of Exchange features from the full Outlook client using secure, encrypted Exchange RPC connections from anywhere in the world

Entirely New and Improved Firewall Configuration and Management Model

Many people who gave ISA 2004 a look found it to be a bit unwieldy. You had to configure the policy elements first and then create the Access Policy. There was a lot of back and forth using that approach. Even when you got the Policy Elements and Access Policies in place, you weren't really sure what rule would be applied when because the order in which rules were applied wasn't too clear.

ISA 2004 firewalls use a traditional top down rules processing approach that you're used to. In fact, you'll find the ISA 2004 firewall user interface to be the most functional and most attractive one you've ever worked with. You actually can use this interface to create secure inbound and outbound access controls without wasting a week in a firewall training class and spending a couple/three grand for the pleasure.

Don't believe it? Give it a try. Download a beta copy and install it on a lab machine. I promise you'll hardly believe your eyes!
http://www.w2knews.com/rd/rd.cfm?id=040412TB-ISA_Beta
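
The top-down rule processing described in this section, combined with the user/group, server and protocol restrictions for VPN clients described in the two VPN items above, can be modeled as follows. This is an added example, not ISA 2004 code or its API; the `Rule` and `Connection` types and every group, server and protocol name are hypothetical.

```python
from __future__ import annotations
from dataclasses import dataclass

ANY = frozenset()  # an empty set in a rule field means "matches anything"


@dataclass(frozen=True)
class Rule:
    name: str
    action: str               # "allow" or "deny"
    groups: frozenset = ANY   # user groups the rule applies to
    servers: frozenset = ANY  # destination servers
    protocols: frozenset = ANY


@dataclass(frozen=True)
class Connection:
    user_groups: frozenset
    server: str
    protocol: str


def evaluate(rules: list[Rule], conn: Connection) -> tuple[str, str]:
    """Top-down evaluation: the first matching rule decides, else default deny."""
    for rule in rules:
        if rule.groups and not (rule.groups & conn.user_groups):
            continue
        if rule.servers and conn.server not in rule.servers:
            continue
        if rule.protocols and conn.protocol not in rule.protocols:
            continue
        return rule.action, rule.name
    return "deny", "default deny"


# Hypothetical policies: the "VPN account equals Ethernet cable" setup
# versus a rule limited to one group, one server and one protocol.
FLAT_VPN = [Rule("VPN clients to internal", "allow")]
LOCKED_VPN = [
    Rule("Block contractors", "deny", groups=frozenset({"Contractors"})),
    Rule("Outlook MAPI to Exchange", "allow",
         groups=frozenset({"Outlook MAPI Users"}),
         servers=frozenset({"exchange01"}),
         protocols=frozenset({"exchange-rpc"})),
]

# Constructed connections from VPN clients.
BOSS_MAIL = Connection(frozenset({"Outlook MAPI Users"}), "exchange01", "exchange-rpc")
BOSS_FILES = Connection(frozenset({"Outlook MAPI Users"}), "fileserver01", "smb")
CONTRACTOR_MAIL = Connection(frozenset({"Contractors", "Outlook MAPI Users"}),
                             "exchange01", "exchange-rpc")

if __name__ == "__main__":
    for label, policy in (("flat", FLAT_VPN), ("locked", LOCKED_VPN)):
        for conn in (BOSS_MAIL, BOSS_FILES, CONTRACTOR_MAIL):
            print(label, conn.server, conn.protocol, evaluate(policy, conn))
```

Reversing the two rules in `LOCKED_VPN` lets the contractor through, which is why knowing the evaluation order matters.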

  NT/2000 RELATED NEWS

Steve Ballmer Beats the Drum for Microsoft Security Advances

Security is Job One for Microsoft these days, and we're seeing evidence of this commitment every day. While the ISA 2004 firewall is the standard bearer of Microsoft security, the firewall is only the beginning. Steve Ballmer and Security Business Unit VP Mike Nash make it clear that security is the overarching concern from the top down. As part of this commitment, Microsoft kicked off a 20-city security road show this week that will highlight ISA 2004 firewall protection, new Windows XP SP2 security technologies and some super secret stuff. For more info, visit:
http://www.w2knews.com/rd/rd.cfm?id=040412RN-ISA_Ballmer

Bill Gates Issues Security Progress Report: ISA 2004 Firewalls are Key

On March 31 of this year, Bill Gates issued a Microsoft Progress Report on Security that outlined the current security challenges that Microsoft and the entire industry face and how Microsoft is meeting those challenges. In addition to the powerful application layer security for inbound and outbound access control provided by ISA 2004 firewalls, Bill Gates explains the enhanced security feature sets in Windows Server 2003, Windows XP Service Pack 2, application programming targeted at process isolation and resiliency, active application protection technologies, and much more. Check out Bill G's letter over at:
http://www.w2knews.com/rd/rd.cfm?id=040412RN-ISA_BillG

  THIRD PARTY NEWS

Defense in Depth with Sunbelt Network Security Inspector

The ISA 2004 firewall is only the first piece of your strong defense in depth strategy. One of the most difficult issues with network defense in depth is host security. That's where the Sunbelt Network Security Inspector comes in. Here are some key features of Sunbelt's SNSI network security audit tool:

  • Close the door on hackers! You can't close the door if you don't know which one is open. That's why we designed Sunbelt Network Security Inspector (SNSI).
  • A low-cost, quick-install, fast-result vulnerability scanner that uses a top quality, commercial-grade database of ranked vulnerabilities
  • Prioritized vulnerability reports provide detailed and easy-to-follow instructions on how to fix holes fast, so you can focus on the most critical security issues
  • Configurable scans - create your own scans or use predefined scans such as "high risk" or the "SANS top 20"
  • Windows platform support: Find holes in Windows 95/98/ME/NT/2000/XP and Windows Server 2003 machines
  • The easy, all-new interface has a short learning curve: just point, right-click and QuickScan
SNSI is licensed per Administrator and lets you scan unlimited machines! SNSI won't make a hole in your budget, so you can afford to be proactive without compromises. Check the Benefits page for the enormously attractive Traveling License price. Check out SNSI at:
http://www.w2knews.com/rd/rd.cfm?id=040412TP-SNSI

Retina Supports ISA 2004 Firewall Protection with Proactive Scanning

We all know that firewalls (even ISA 2004 firewalls) and intrusion detection systems do not provide 100% protection against hackers. To a great extent, firewalls and IDS tools are reactive in nature: they protect you when someone is actually hacking into your network. In order to achieve an effective defense in depth posture you also need a product that proactively helps secure your network in advance:

  • Retina was built to be non-intrusive. It does not bring down your networks while you run your penetration tests
  • Contrary to other scanners, in the Enterprise License, there are no limitations on the IPs audited. The licensing is easy and transparent
  • The autofix and autoupdate features are really strong, and new vulnerabilities are added ASAP, not once a month or six weeks like other tools. This is something really crucial
  • Last but not least, the reporting is great. It provides executive level summaries that are readable. Moreover, you can install Retina on a laptop and audit all your subnets. Try to get that done with some of the other products!
Retina was designed by eEye Digital Security to identify known and unknown vulnerabilities, suggest fixes to identified vulnerabilities, and report possible security holes within a network's Internet, intranet, and extranet environments. For more info check out Retina at:
http://www.w2knews.com/rd/rd.cfm?id=040412TP-Retina

Avoiding the Risk of Viruses Inside Compressed Files

These virus writers are a tricky lot. Not only do they want to infect as many computers as they can with their malicious code, they use whatever disguises they can to hoodwink us. One of the key methods is compressing the file carrying the virus into the popular zip format.

Normally, any high-quality antivirus program can scan and disinfect compressed files, as long as you configure it to do so. The problem is when these files are password-protected.

When a password-protected compressed file reaches a computer, the antivirus protection cannot access it to scan the contents, because the user needs to enter a password to view the content. Most likely this is not a problem for a good antivirus solution - if the compressed file is infected, the AV will catch it when the file is run.

All goes to hell in a corporate network: even if the mail server has an updated antivirus, the file cannot be scanned and the infected file reaches the individual workstations scot-free. Of course, if the workstations are protected, the virus won't be able to go to town, but what if they aren't? Several of the Bagle variants spread like wildfire through password-protected files, and thousands of computers were infected just like that, which in turn increased network traffic and in some cases saturated the email server so badly it shut down.

The best way to handle this is through a layered defense and to make sure that any antivirus solution you use has true daily updates and 24/7 tech support to help you solve any incidents that come up. I know the folks at Panda have developed a very specific detection routine protecting computers against the Bagle worm compressed file scheme. You can download their enterprise solution by clicking here:
http://www.w2knews.com/rd/rd.cfm?id=040412TP-Panda
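
One way a mail gateway can act on the gap described above is to detect ZIP attachments whose members are marked encrypted, and therefore unreadable to the server-side scanner, and hold them instead of delivering them. This is an added example, not any vendor's routine; the verdict names are assumptions, and the sample archives are constructed in memory (the "encrypted" one only has the encryption flag bit set, which is all the check reads).

```python
from __future__ import annotations
import io
import zipfile

ENCRYPTED_FLAG = 0x1  # bit 0 of the ZIP general purpose bit flag


def unscannable_members(data: bytes) -> list[str]:
    """Names of archive members that are marked as password-protected."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return [zi.filename for zi in zf.infolist()
                if zi.flag_bits & ENCRYPTED_FLAG]


def triage(data: bytes) -> tuple[str, list[str]]:
    """Return ("scan", []) when the AV engine can read the content, or
    ("quarantine", members) when it cannot see inside the attachment."""
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return "scan", []            # not a ZIP: ordinary scanning applies
    try:
        hidden = unscannable_members(data)
    except zipfile.BadZipFile:
        return "quarantine", []      # claims to be a ZIP but cannot be parsed
    return ("quarantine", hidden) if hidden else ("scan", [])


def constructed_zip(members: dict[str, str], mark_encrypted: bool = False) -> bytes:
    """Build a small sample archive; optionally set the encryption flag in
    every local (offset 6) and central (offset 8) header."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for name, body in members.items():
            zf.writestr(name, body)
    data = bytearray(buf.getvalue())
    if mark_encrypted:
        for signature, offset in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
            pos = data.find(signature)
            while pos != -1:
                data[pos + offset] |= ENCRYPTED_FLAG
                pos = data.find(signature, pos + 4)
    return bytes(data)


if __name__ == "__main__":
    samples = {
        "notes.zip": constructed_zip({"notes.txt": "hello"}),
        "invoice.zip": constructed_zip({"invoice.txt": "hello"}, mark_encrypted=True),
        "readme.txt": b"plain text attachment",
    }
    for name, blob in samples.items():
        print(name, triage(blob))
```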

  FAVE LINKS

This Week's Links We Like. Tips, Hints And Fun Stuff

  PRODUCT OF THE WEEK

Military Strength Security Scanner: Sunbelt Network Security Inspector

Need to close the door on hackers? But "no budget and no time" are your biggest problems? SNSI solves this problem: a world-class scanner that does not make a hole in your budget. Better yet, there is a KILLER competitive upgrade price. Compare that to other high-end scanners out there. It's easy to see why SNSI is rapidly becoming a Security Best Seller: The exception to "you get what you pay for".

http://www.w2knews.com/rd/rd.cfm?id=040412PW-SNSI