Re: Is Firewall Client necessary?
From: CZ (CZ_at_no99spam.com)
Date: 08/02/04
Date: Mon, 2 Aug 2004 16:02:28 -0700
>> ISA has three *independent* Services:
>> Web Proxy Service: Clients use it via the browser's "proxy settings". It
>> only supplies HTTP, HTTPS, "Read-only" FTP, and Gopher. Authentication is
>> based on User Accounts.
>> Firewall Service: Clients use it via having the Firewall Client installed.
>> It supplies all protocols based on TCP and UDP. It does not process other
>> Layer 4 protocols such as ICMP and GRE (VPN). Authentication is based on User
>> Accounts.
>> SecureNAT Service: Clients use it via the Layer 3 Routing Scheme of the LAN
>> (often ISA is their Default Gateway). It can supply pretty much the same
>> thing as any other NAT based device, which is what any of the popular
>> hardware based "firewalls" are. Authentication is *only* based on Source IP#
>> & Destination IP#.
Phillip:
IMO, another viewpoint re: outbound packets (simplified and in general):
ISA Server 2000 has two primary services:
1) Firewall service: (wspsrv)
Uses a NAT-router concept: receives a packet on one interface, and forwards
the packet on the other interface, and uses a many-to-one NAT/PAT.
Application filters are an extension of the Firewall service.
2) Web proxy service (w3proxy)
Uses a proxy server concept: receives web proxy requests on one interface,
and sends a new packet on the other; and maintains a web cache. Packets must
be processed by it to use Content Gps.
There are three client concepts:
1) Firewall client:
Used for non-LAT destinations, non-Web Proxy request packets that have TCP
or UDP.
Packets will have ISA's LAN IP address as DA.
Sends packets to the Firewall service with a destination port of 3xxx.
Can pass credentials (re: user acct/gp authentication) to Firewall service.
Packets are subjected to access policy.
Packets can be subjected to HTTP Redirection (use to send packets to Web
proxy service).
Packets can be subjected to application level filtering.
Is the only client that can do dynamic creation of secondary connections.
ISA processes DNS queries for the client.
Packets are sent to Internet via NAT-router concept.
2) Web Proxy client:
Used for web proxy request packets.
Packets will have ISA's LAN IP address as DA.
Sends packets to Outgoing Web request listener (a Web Proxy service
interface) with a destination port of 8080 or 8443.
Can pass credentials (re: user acct/gp authentication) to Web Proxy service.
Packets are subjected to access policy.
Packets can be subjected to application level filtering.
ISA processes DNS queries for the client.
Packets are sent to Internet via proxy server concept.
3) Secure NAT (aka SNAT):
Used when ws is not using either of the other two client concepts.
Packets will have public server's IP address as DA.
Sends packets to ws's default gateway/ISA's NAT driver (packets are
inspected by ISA's Firewall service).
Cannot pass credentials (re: user acct/gp authentication) to ISA.
(Client sets can be used for selective control)
Packets are subjected to access policy.
Packets can be subjected to application level filtering.
Packets can be subjected to HTTP Redirection (use to send packets to Web
proxy service).
ISA does not process DNS queries for the client.
Packets are sent to Internet via NAT-router concept.
Re: which client is used: the key issue is how the packet is sent (you can use a
packet sniffer to verify how it is sent), not what client configurations the
ws has. I have seen a ws with Firewall Client enabled send TCP as a SNAT
client (had to reinstall Firewall Client to correct it).
Re: security of Firewall Clients vs SNAT clients:
One important difference is that Firewall Client can pass credentials to
ISA, SNAT cannot. They both use access policy, use NAT-router concept, can
be subjected to application level filtering, and can use the Web Proxy
service via HTTP Redirection.
BTW: ICMP and GRE are in OSI layer 3, not OSI layer 4.
Re: Proxy server vs. NAT-router:
Proxy server:
Packets are IP addressed to ISA server as an end point. ISA server sends a
new packet on the other interface to the public server as an end point.
NAT-router:
Normally, packets are IP addressed to the public server as an end point.
NAT will change the source IP address and make an entry in its port table.
Router will forward the changed packet on its other interface.
Note that for Firewall clients, the packets are IP addressed to ISA server.
You can see the above occur via packet sniffing and reviewing the TCP Seq
#s:
TCP packets outbound from proxy server: will have different Seq #s than the
packets from the client to ISA server. This would apply to ISA's Web Proxy
clients.
TCP packets outbound from NAT-router: will have same Seq #s as the packets
from the client to ISA server. This would apply to ISA's SNAT and Firewall
clients.
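As an added example that is not part of the original post: a Python sketch of the packet-sniffing check the post describes, classifying a captured inside/outside TCP segment pair by destination address, destination port and TCP sequence number, and flagging when the observed forwarding does not match what the post says that client concept should look like. The ISA LAN address, the port numbers and every captured field are constructed assumptions.

```python
"""Classify which ISA Server 2000 client concept a workstation actually used,
from a matched pair of captured TCP segments (inside interface / outside
interface). Rules follow the post; all addresses and packets are constructed."""

ISA_LAN_IP = "10.0.0.1"                 # assumed internal address of the ISA server
WEB_PROXY_PORTS = {8080, 8443}          # Outgoing Web request listener ports (post)
FIREWALL_PORT_RANGE = range(3000, 4000)  # "destination port of 3xxx" (post)


def client_concept(inside, isa_lan_ip=ISA_LAN_IP):
    """Decide the client concept from how the ws addressed the packet (DA, dport)."""
    if inside["dst"] != isa_lan_ip:
        return "securenat"               # DA is the public server, not ISA
    if inside["dport"] in WEB_PROXY_PORTS:
        return "web_proxy"
    if inside["dport"] in FIREWALL_PORT_RANGE:
        return "firewall_client"
    return "unknown"


def forwarding_concept(inside, outside):
    """Proxy server: new TCP stream, different Seq #. NAT-router: same Seq #."""
    return "nat_router" if inside["seq"] == outside["seq"] else "proxy"


def expected_forwarding(concept):
    """Post: Web Proxy clients -> proxy server; Firewall and SNAT clients -> NAT-router."""
    return "proxy" if concept == "web_proxy" else "nat_router"


def analyse(inside, outside):
    concept = client_concept(inside)
    observed = forwarding_concept(inside, outside)
    consistent = concept != "unknown" and observed == expected_forwarding(concept)
    return {"concept": concept, "forwarding": observed, "consistent": consistent}


# Constructed captures: (segment seen on ISA's inside interface, matching segment outside)
SAMPLES = {
    "browser": ({"src": "10.0.0.50", "dst": ISA_LAN_IP, "dport": 8080, "seq": 1000},
                {"src": "203.0.113.9", "dst": "198.51.100.7", "dport": 80, "seq": 55555}),
    "fwclient": ({"src": "10.0.0.51", "dst": ISA_LAN_IP, "dport": 3001, "seq": 2000},
                 {"src": "203.0.113.9", "dst": "198.51.100.7", "dport": 25, "seq": 2000}),
    # The case from the post: Firewall Client installed, yet the ws sends as SNAT.
    "broken_fwclient": ({"src": "10.0.0.52", "dst": "198.51.100.7", "dport": 25, "seq": 3000},
                        {"src": "203.0.113.9", "dst": "198.51.100.7", "dport": 25, "seq": 3000}),
}

if __name__ == "__main__":
    for name, (inside, outside) in SAMPLES.items():
        print(name, analyse(inside, outside))
```

A "securenat" verdict for a ws that has the Firewall Client installed is the symptom the post describes, since the classification rests on the wire, not on the ws configuration.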