Configuration and Evaluation of Some Microsoft and Linux Proxy Servers, Security, Intrusion Detection, AntiVirus and AntiSpam Tools E-Book

Configuration and Evaluation of Some Microsoft and Linux Proxy Servers, Security, Intrusion Detection, AntiVirus and AntiSpam Tools

By

Dr. Hidaia Mahmood Alassouli

[email protected]

Overview:

The book consists from three parts:

Part A: Configuration of Microsoft ISA Proxy Server and Linux Squid Proxy Server

Part B: Evaluation of Some Windows and Linux Intrusion Detection Tools

Part C: Quick Configuration of Postfix Mail Server to Support Anti Spam and Anti Virus Using Two Methods

I. Part A: Configuration of Microsoft ISA Proxy Server and Linux Squid Proxy Server.

Part A concerns about basic Microsoft ISA server and Linux Squid Server configuration As a lot of technicians switch between ISA server and Squid server, I decided to write this paper to present some reference when configuring ISA and Squid. There a lot of issues that not covered, and you can go to the manual of ISA server and Squid server for detailed configuration of ISA and Squid. The paper is composed from two parts

Microsoft ISA server 2004 Configuration

Linux Squid Server Configuration

II. Part B: Evaluation of Some Windows and Linux Intrusion Detection Tools

Part B evaluates some the security tools. Top security tools can be found in http://sectools.org/. Most important vulnerabilities in Windows and Linux can be found in www.sans.org/top20/. The paper covers the installation and configuration of the following security tools:

III. Part C: Quick Configuration of Postfix Mail Server to Support Anti Spam and Anti Virus Using Two Methods

In Part C, I configured the Postfix mail server that support the Anti-Spam and Anti-Virus, using two methods, for sake of evaluation and realizing which method can be considered to be the best,

Part A: Configuration of Microsoft ISA Proxy Server and Linux Squid Proxy Server

By

Dr. Hidaia Mahmood Alassouli

[email protected]

A.1. Introduction to Part A: Configuration of Microsoft ISA Proxy Server and Linux Squid Proxy Server

This part concerns about basic Microsoft ISA server and Linux Squid Server configuration As a lot of technicians switch between ISA server and Squid server, I decided to write this paper to present some reference when configuring ISA and Squid. There a lot of issues that not covered, and you can go to the manual of ISA server and Squid server for detailed configuration of ISA and Squid. The paper is composed from two parts

Microsoft ISA server 2004 Configuration

Linux Squid Server Configuration

Note that, this work was done without proper simulation, because of the lack of resources, as testing firewall configuration requires many computers, with one of them should have many network cards. Also the ISA server is not used in the computer center now.

A.2. Microsoft ISA Server 2004

A.2.1. Main operation:

All of the network rules and access rules make up the firewall policy. The firewall policy is applied in the following way:

1. A user using a client computer sends a request for a resource located on the Internet.

2. If the request comes from a Firewall Client computer, the user is transparently authenticated using Kerberos or NTLM if domain authentication is configured. If the user cannot be transparently authenticated, ISA Server requests the user credentials. If the user request comes from a Web proxy client, and the access rule requires authentication, ISA Server requests the user credentials. If the user request comes from a SecureNAT client, the user is not authenticated, but all other network and access rules are still applied.

3. ISA Server checks the network rules to verify that the two networks are connected. If no network relationship is defined between the two networks,

the request is refused.

4. If the network rules define a connection between the source and destination networks, ISA Server processes the access rules. The rules are applied in order of priority as listed in the ISA Server Management interface. If an allow rule allows the request, then the request is forwarded without checking any additional access rules. If no access rule allows the request, the final default access rule is applied, which denies all access.

5. If the request is allowed by an access rule, ISA Server checks the network rules again to determine how the networks are connected. ISA Server checks the Web chaining rules (if a Web proxy client requested the object) or the firewall chaining configuration (if a SecureNAT or Firewall Client requested the object) to determine how the request will be serviced.

6. The request is forwarded to the Internet Web server.

A.2.2. Type of networks and network relationships and ISA Server clients:

The default type of networks,

VPN Clients-

Built-in dynamic network object representing client computers connected to ISA Server via VPN.

Internal-

Network representing the internal network, i.e. 10.12.00.00 -10.12.255.254.

Local Host-

Built-in network object representing the ISA Server computer

Quarantined VPN Clients-

Built-in dynamic network representing client computers connecting to ISA Server via VPN that are currently quarantined.

Perimeter-

Network object representing a perimeter network (also known as DMZ, demilitarized zone, and screened subnet).

External-

Network object representing the Internet.

There are two types of network relationships:

ISA Server provides secure access to internet for all of its clients. ISA server has three type of clients:

Firewall clients:

Firewall clients are computers that have firewall client software installed and enabled. When computer with firewall client software installed makes a request for resources on internet, the request is directed to firewall service on ISA server computer. The firewall service will authenticate and authorize the user and filter the request based on firewall rules and application filters and other add-ins. The Firewall service may also cache the requested object or serve the object from the ISA server cache using web proxy filter. Firewall clients provide highest level of functionality.

SecureNAT clients:

SecureNAT clients are computers that don’t have firewall client installed. Instead, SecureNAT clients are configured to route all requests for resources on other networks to an internal IP address on the computer running ISA server. If the network includes only a single segment, the SecureNAT client is configured to use the internal IP address on the computer running ISA server as the default gateway. Requests from SecureNAT clients are directed first to the network address translation (NAT) driver, which substitutes the ISA server external IP address for the internal IP address of the SecureNAT client. The client request is then directed to firewall service to determine if the access is allowed. Finally, the request maybe filtered by application filters and other extensions. The firewall service may cache the request object or deliver the object to ISA server cache. You need to configure only the default gateway of the client computers.

Web Proxy Clients:

They are any computers that run CERN-compatible web application such as web browsers. Requests from the web proxy clients are directed to firewall service on the ISA server computer to determine if the access is allowed. The firewall service may also cache the requested object or serve the object from the ISA server web cache. The web application must be configured to use the ISA server.