How secure?

How secure? - 23.Sep.2009 4:16:34 PM   
Rievax

 

Posts: 50
Joined: 13.Oct.2004
Status: offline
Hello ISA users!

I just had a request from my upper management to determine how secure it is to publish our LAN IIS servers through the WEB Publishing feature of ISA 2004. Let's say our ISA 2004 is fully updated. What are the chances that someone could hack the WEB site(s) we publish, and then have access to our local LAN?

To me, it sounds impossible, mostly I guess because I'm no hacker / security specialist... I understand that a DMZ zone back in the old times was exactly to address this kind of problem, but today, with all ports closed, and a problem anti-virus protection, is there still a "real" risk to give a hacker access to our network just by publishing an IIS web site? Is the DMZ infrastructure still very important to maintain?

Could someone give me some articles to read, advice, books, anything to tell me I have to have a DMZ zone?

It is a vague question, but I think you got the point...

Thank you!

Xavier.


Post #: 1
RE: How secure? - 23.Sep.2009 5:51:38 PM   
pwindell

 

Posts: 2244
Joined: 12.Apr.2004
From: Taylorville, IL
Status: offline
You can browse through the Publishing Tutorials on this site for information that is much better than anything I could sit here and tell you.
http://www.isaserver.org/articles_tutorials/publishing/

For HTTP Sites:
http://www.isaserver.org/tutorials/Creating-Configuring-Non-SSL-Web-Publishing-Rules-Part1.html

http://www.isaserver.org/tutorials/Creating-Configuring-Non-SSL-Web-Publishing-Rules-Part2.html

http://www.isaserver.org/tutorials/Creating-Configuring-Non-SSL-Web-Publishing-Rules-Part3.html


But what do I think about all of it?.....

Hackers hack a web site due to vulnerabilities in the web site code primarily,...and vulnerabilities in the web server secondarily,.......not by vulnerabilities in the firewall.  Why?,...because they are "already there",...if they are on the web site they are already past the firewall to begin with.  It doesn't matter what brand or model the firewall is.  Slapping a firewall in front of a web server will never "fix" faulty web site code.

But with that said....

ISA does have additional abilities that other firewalls don't have in terms of  monitoring the HTTP Stream content and dropping the connection if it sees "bad things".  If the site requires authentication to get to it then ISA can pre-authenticate the user before the authentication attempts ever reach the web server.

But in the end,...most of the security rests on the quality of the web site,...not the firewall in front of it.   The person does not "have access" to your LAN because they access the web site,...think about how Web technology and the HTTP protocol works,...in reality the site comes to him,...he doesn't come to it.  The code of the site downloads and executes in the user's web browser,...the execution (most of it) happens on the user's end.

The user sends an HTTP Request to the web server,...the server runs any server-side code,...generates client-side from that,...sends the client-side code to the user where it executes in the user's browser on the user's machine.

You can put the Web Server into a Perimeter Network if you want (DMZ).  It can be Back-to-Back or Tri-Homed,...depending on what works better in your environment.  But doing so might make it difficult for the web server to interact with other resources on the LAN if it needs to do that.

I do not believe there is any way to "measure" and come up with some kind of mechanical number rating for "how secure it is to publish our LAN IIS servers through the WEB Publishing feature of ISA 2004".   It almost becomes an emotional thing, and if the guy you have to deal with is an "Anti-MS'er" that believes nothing produced by MS could ever be secure it becomes a religious argument and nothing you say will convince him of anything.

ISA?  and patching?   Well of course the ISA should be fully updated anyway. But there aren't that many patches for it,...there has hardly ever been anything to patch.  ISA has probably been the most solid product MS ever produced.  There are tons of patches for the OS,...but the OS is "hidden" behind the ISA services and is not directly exposed any longer anyway.  ISA has been around for 10 years,...it has never ever ever ever ever in its history been "hacked".   The only time anyone ever got around an ISA is when a bumbling Admin or a Web developer provided the hacker with the means to get in and "rolled the red carpet out" for them,...it was never a flaw in the ISA product.




_____________________________

Phillip Windell

(in reply to Rievax)
Post #: 2
RE: How secure? - 23.Sep.2009 5:52:09 PM   
paulo.oliveira

 

Posts: 3472
Joined: 3.Jan.2008
From: Amazon, Brazil
Status: offline
Hi Xavier,

IMHO, no one can guarantee that your web site will never be hacked! There is no such thing as 100% secure software!

However, ISA application layer inspection can really help to mitigate most of the attacks that some other firewalls can't!

Still IMHO, a perimeter network (DMZ) is very important when it comes to security, because it separates the internal from the external network. So, if you have correctly configured access rules between these networks, the chances of your internal network being compromised are reduced.

One more thing I'd like to mention is when you put any computer on the internet, you have to keep in mind that it is susceptible to be attacked in one way or another.

That's why you have to keep your software updated (routers, fw, servers, computers).

Some resources you can read:
http://technet.microsoft.com/en-gb/library/cc302617.aspx
http://technet.microsoft.com/en-gb/library/bb794854.aspx
http://technet.microsoft.com/en-gb/library/cc302627.aspx


Regards,
Paulo Oliveira.

_____________________________

Microsoft Premier Field Engineer (PFE)
Blog: http://poliveirasilva.wordpress.com/
Twitter: https://twitter.com/poliveirasilva

(in reply to Rievax)
Post #: 3
RE: How secure? - 23.Sep.2009 7:59:50 PM   
Jason Jones

 

Posts: 4663
Joined: 30.Jul.2002
From: United Kingdom
Status: offline
quote:

ORIGINAL: Rievax

Hello ISA users!

I just had a request from my upper management to determine how secure it is to publish our LAN IIS servers through the WEB Publishing feature of ISA 2004. Let's say our ISA 2004 is fully updated. What are the chances that someone could hack the WEB site(s) we publish, and then have access to our local LAN?

To me, it sounds impossible, mostly I guess because I'm no hacker / security specialist... I understand that a DMZ zone back in the old times was exactly to address this kind of problem, but today, with all ports closed, and a problem anti-virus protection, is there still a "real" risk to give a hacker access to our network just by publishing an IIS web site? Is the DMZ infrastructure still very important to maintain?

Could someone give me some articles to read, advice, books, anything to tell me I have to have a DMZ zone?

It is a vague question, but I think you got the point...

Thank you!

Xavier.





The best way to measure the risk is to have someone provide a security or penetration test. It is these guys' job to test systems (they do it, day in, day out) and provide a view or "measure" of security risk.

In my experience, from pretty much all of the penetration tests I have had on our customer deployments it has always been the web application that is weak and susceptible to things like cross-site scripting (CSS) and SQL injection, not the ISA configuration.

If you employ all the features of ISA, you will mitigate a fair bit of risk, but there are limits...the following article is a good overview of what you can do:

http://www.isaserver.org/tutorials/ISA-2006-Firewall-Web-Publishing-Rules.html

My hit list would be:

* Pre-auth web applications with ISA (ideally increase level of auth using two-factor solutions)
* Always use web publishing for web apps, not server pubs
* SSL bridge to keep end-to-end encryption (with SSL3.0 and TLS1.0 min)
* Enforce FQDN and path restrictions to exact application need; no more
* Enforce HTTP filters to exact application need; no more

Personally, I would consider a move to ISA2k6 (or TMG) for the very best level of protection. TMG has some great technology on the IDS/IPS front to go a fair bit further than before...

Summary: Get ISA as close to best practice as you can, then get it tested by professionals; once done, hand the report to management with mitigation recommendations. You will then have an expert view of "risk" and be able to prioritise the high risk areas (probably like CSS and SQL injection or other code problems).

Finally, IMHO the DMZ still has some value as it allows you to separate assets that are Internet facing and those that aren't. Different trust levels should be isolated. Compromise of an Internet facing host is then less likely to impact systems that are not Internet facing. The only problem is that the line between DMZ and LAN is often very blurred (and getting worse) by application connectivity to other internal services. For me, the key is to inspect and classify data rather than worry so much about how it gets from A to B.

Having said that I still use ISA as a great way of creating a layer 7 DMZ, and much more useful than a layer 3 DMZ which is what more hardware firewalls provide. Layer 3 DMZs that provide no L7 protection are often what people mean when they use the term "DMZ". It often depends on the protocols involved; for example if the DMZ=>Intranet traffic uses protocols like HTTP, RPC and SMTP, ISA has application layer filters that can add real value here as ISA can control both Internet=>DMZ traffic *and* DMZ=>Intranet traffic both to a deep inspection level...

Anyhow, I'm starting to ramble, so I will stop now

Cheers

JJ 

_____________________________

Jason Jones | Forefront MVP | Silversands Ltd
My Blogs: http://blog.msedge.org.uk/ and http://blog.msfirewall.org.uk/

(in reply to Rievax)
Post #: 4
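
Added example (not part of the original posts, and not ISA's own code or configuration): a small Python model of the last two hit-list items in the post above, an exact public FQDN, path restrictions and an HTTP filter, evaluated over constructed requests. The host name, paths, URL length limit and the names `PublishingRule` and `evaluate` are assumptions made for illustration.

```python
from dataclasses import dataclass
from urllib.parse import urlsplit, unquote


@dataclass(frozen=True)
class PublishingRule:
    """Toy model of a web publishing rule; not ISA's own object model."""
    public_name: str            # the one FQDN clients must request
    paths: tuple                # path prefixes the application needs
    methods: frozenset          # HTTP verbs the application needs
    max_url_length: int = 260   # assumed limit for this example


def evaluate(rule, method, host_header, target):
    """Return (allowed, reason) for one request line plus its Host header."""
    host = host_header.split(":")[0].lower()
    if host != rule.public_name:
        return False, "host"            # also rejects requests by bare IP address
    if method.upper() not in rule.methods:
        return False, "method"
    if len(target) > rule.max_url_length:
        return False, "url-length"
    once = unquote(urlsplit(target).path)
    if unquote(once) != once:
        return False, "normalization"   # path is still encoded after one decode
    if not any(once == p or once.startswith(p.rstrip("/") + "/") for p in rule.paths):
        return False, "path"
    return True, "ok"


# Constructed rule and constructed requests (method, Host header, request target).
RULE = PublishingRule("portal.example.com", ("/app",), frozenset({"GET", "POST"}))
SAMPLE_REQUESTS = [
    ("GET", "portal.example.com", "/app/login.aspx"),
    ("GET", "203.0.113.10", "/app/login.aspx"),
    ("GET", "portal.example.com", "/admin/"),
    ("TRACE", "portal.example.com", "/app/"),
    ("GET", "portal.example.com", "/app/%2561.aspx"),
    ("GET", "portal.example.com", "/app/search.aspx?q=" + "A" * 300),
]


def run_samples():
    """Reason code for each constructed request, in order."""
    return [evaluate(RULE, *req)[1] for req in SAMPLE_REQUESTS]


if __name__ == "__main__":
    for req, reason in zip(SAMPLE_REQUESTS, run_samples()):
        print(f"{reason:14} {req[0]:5} {req[1]:20} {req[2][:40]}")
```

Everything that is not explicitly needed by the application falls through to a deny, which is the "exact application need; no more" stance of the hit list.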
RE: How secure? - 24.Sep.2009 10:32:40 AM   
Rievax

 

Posts: 50
Joined: 13.Oct.2004
Status: offline
Thank you very much for your answers!

The main goal of my question was more to discuss about the usefulness of a DMZ zone than the reliability of the ISA. We are actually running a tri-homed configuration (DMZ-WEB / DMZ-DATA / LAN) behind a "corporate" firewall (old Nokia/CheckPoint) in front of the DMZ-WEB. In the last few years, we started to publish LAN web servers (IIS / Apache / JBOSS) directly to the Internet, and using the DMZ zones less - to the point where I was asking myself: "Should I stop that and move everything back to the DMZ or should I just get rid of the DMZ itself"

Reading your messages, I understand there is no definite answer on the matter. Having a DMZ looks (and I think is) more secure, but to what extent?

Is it really possible to have complete LAN access for a hacker by attacking a properly published WEB site? Attacking a WEB site integrity (which could happen in a DMZ or not) is much more different than accessing the corporate LAN because of an IIS flaw. Is it just possible?...

Should we, from a security point of view, forget about what is possible or not, and keep the perimeter networks? Isn't it today just too crazy to have two different DMZ for Data and WEB?

To Jason Jones:
You wrote
quote:

"For me, the key is to inspect and classify data rather than worry so much about how it gets from A to B"
... I don't really get you here... when you create a FW rule, it is always that: you just let go whatever is supposed to get through (specific data) from point A to point B.

The idea of having an external resource providing a security or penetration test is OK as long as you can trust them. To me, it is easy to say "Hey, you MUST have a DMZ zone... if not, if somebody compromises your web server, they will have full access to your LAN"...

That's it. I'm still questioning myself :-)

Feel free to add / discuss anything on this matter.

Thanks again.

Xavier.

(in reply to pwindell)
Post #: 5
RE: How secure? - 24.Sep.2009 10:57:52 AM   
Jason Jones

 

Posts: 4663
Joined: 30.Jul.2002
From: United Kingdom
Status: offline
It's called defense in depth; the extent to what you decide is "deep enough" is your call

Isolating systems that are exposed to different risk levels into different security zones is just good security practice and part of a least privilege design IMHO.

My comment about "from A to B" was trying to explain that many people treat inbound communications from a DMZ with a traditional layer 3 "just open ports". However, what's more important IMHO is how is the port being used, is it RFC/normal use or is it non-RFC/malicious use? This is where an application layer firewall can add real value to the separate security zones model, by ensuring that communications between zones is inspected in much more detail; thereby mitigating more security risk and protecting application usage, not network usage...

ISA provides an excellent level of protection for an internal web server, but a vulnerability in the web service could cause the box to be owned. If it is owned, what can it then access? What exists between that server and your line of business servers with customer data on?

If you have a secure internal network that uses internal firewalls or some form of IPSec logical separation, or other security solutions, then maybe the implication of compromise may be minimal. Otherwise, separating high-risk or high-business value servers in different security zones seems like a good idea to me...

You don't have to always achieve this using a "DMZ", you can consider things like IPSec server and domain isolation or even things like NAC/NAP to enforce boundaries where risk levels change.

If you don't have the skill to provide a security test (no offence, most people don't, myself included) then you have to trust somebody - these types of people often have a very different mindset too. You then have to review their findings and make your own decisions on how much you spend to achieve the level of risk you are comfortable with...sometimes accepting risk is actually the right choice, at least you have considered it and made a judgement that can be audited, this is much better than finding out later that you "could have had that tested to check..."

That's my take on it anyhow

Cheers

JJ


_____________________________

Jason Jones | Forefront MVP | Silversands Ltd
My Blogs: http://blog.msedge.org.uk/ and http://blog.msfirewall.org.uk/

(in reply to Rievax)
Post #: 6
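
Added example (not part of the original posts): a Python sketch of the question asked in the post above, "If it is owned, what can it then access?", using the DMZ-WEB / DMZ-DATA / LAN zones named earlier in the thread. The host names, the port and the two inter-zone rules are constructed, and the model takes the worst case that any host an intruder can connect to may be taken over in turn.

```python
from collections import deque

# Constructed inventory: host -> security zone.
HOSTS_DMZ = {
    "web01": "DMZ-WEB",
    "sql01": "DMZ-DATA",
    "dc01": "LAN",
    "crm01": "LAN",
    "files01": "LAN",
}
# Same hosts, but the web server is published straight from the LAN.
HOSTS_LAN = dict(HOSTS_DMZ, web01="LAN")

# Constructed inter-zone allow rules: (source zone, destination zone, port).
# Traffic between hosts in the same zone is assumed to be unfiltered.
RULES = {
    ("DMZ-WEB", "DMZ-DATA", 1433),
    ("LAN", "DMZ-DATA", 1433),
}


def reachable(hosts, rules, start):
    """Hosts that can be reached from `start`, directly or by pivoting."""
    seen, queue = {start}, deque([start])
    while queue:
        src = queue.popleft()
        src_zone = hosts[src]
        for dst, dst_zone in hosts.items():
            if dst in seen:
                continue
            same_zone = src_zone == dst_zone
            allowed = any(r[0] == src_zone and r[1] == dst_zone for r in rules)
            if same_zone or allowed:
                seen.add(dst)
                queue.append(dst)
    return seen - {start}


if __name__ == "__main__":
    print("web01 in DMZ-WEB:", sorted(reachable(HOSTS_DMZ, RULES, "web01")))
    print("web01 on the LAN:", sorted(reachable(HOSTS_LAN, RULES, "web01")))
```

With these constructed rules the same web server exposes one database host when it sits in DMZ-WEB and every LAN host plus the database when it sits on the LAN.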
