Internet Security and Acceleration Server 2000
with Service Pack 1 Audit
This paper presents an overview of a security assessment conducted by Foundstone®, Inc. of Microsoft® Internet Security and Acceleration (ISA) Server 2000 after the addition of Service Pack 1 (SP1). This is the second security assessment of ISA Server 2000 performed by the experts at Foundstone. The initial audit was completed in February 2001, prior to the public release of the first version of ISA Server 2000.
Foundstone conducted the current audit in the months preceding the public release of SP1 on 15-Feb-02. Foundstone’s comprehensive product testing methodologies employed an array of security penetration techniques, commercial-grade stress testing and monitoring, and Foundstone’s custom toolkit based on its FoundScan technology.
Foundstone’s analysis showed that SP1 improves the already solid security of ISA Server 2000. Foundstone is confident that ISA Server 2000, properly configured, is an effective firewall in enterprise environments.
Microsoft continues to subject ISA Server 2000 to regular audits by Foundstone, demonstrating the company’s ongoing commitment to improving product security.
TABLE OF CONTENTS
Introduction
Scope and Objectives
Background
Solution
Conclusion
www.foundstone.com © 2003 Foundstone, Inc. All Rights Reserved | 1
Introduction
Foundstone has conducted independent security evaluations for ISA Server 2000 since the product’s initial release in late 2000. Foundstone’s most recent audit, performed in late 2001, evaluated the ISA Server 2000 Service Pack 1 (SP1) update to the original product.
Spanning more than 250 man-hours, the SP1 review involved a dedicated security team from Foundstone, including Joel Scambray, the author of Hacking Exposed Windows 2000. During the audit, Foundstone had full access to the ISA Server 2000 product and development teams. The Foundstone and ISA Server 2000 teams met weekly to discuss the assessment’s progress.
The audit employed Foundstone’s product testing methodologies, which include the most up-to-date security tools and penetration techniques. Foundstone designed its ISA Server 2000 testing to circumvent selected network access control features and gauge SP1’s resistance to a denial-of-service (DoS) attack that would render a typical deployment inoperable.
This whitepaper focuses on Foundstone’s assessment of the enhanced security offered by SP1. It is based on test results and the ongoing communication between Foundstone and the ISA Server 2000 development team.
Scope and Objectives
Foundstone’s testing concentrated on the following features of ISA Server 2000 with SP1:
Firewall
• Packet Filtering
• Application Filters
− SMTP
− HTTP Redirector
− POP Intrusion Detection
− DNS Intrusion Detection
Web Publishing
Intrusion Detection
• IP Spoofing
• Port Scanning
Web Proxy
Web Caching
Management
• Policy Control
• Logging
• Reporting
• Alerts
Foundstone also retested findings from its previous audit of SP1 and analyzed published SP1 vulnerabilities.
Foundstone installed and configured ISA Server 2000 to simulate a “real world” Internet-connected environment. The product ran on a PC with dual 733 MHz Intel Pentium III CPUs, 512 MB of RAM, Windows 2000 in integrated mode, including the H.323 gateway and the Message Screener. The cache size was 5 GB. Intrusion detection, logging of “allow” packets, and IP routing were also enabled. Foundstone configured Internet Information Services (IIS) to use port 81 and IISAdmin to not use port 8080. This prevented conflicts with standard ISA Server 2000 proxy ports of 80 and 8080. SP1 installation completed the setup.
Foundstone then applied its standard test methodologies, focusing on vulnerabilities and exploits present in real world environments. The first test was full network discovery and vulnerability scans of all available interfaces. Foundstone identified and analyzed all listening TCP and UDP services for vulnerabilities.
For portions of this testing, Foundstone utilized FoundScan, a vulnerability assessment and remediation tool developed by Foundstone. FoundScan remotely examines networks, databases, servers, off-the-shelf applications, and even custom web applications for vulnerabilities.
Foundstone also performed a battery of firewall “allowed traffic” checks. These tests employ dozens of known techniques for bypassing IP packet filters, exploits which specifically target firewall products such as ISA Server 2000.
Network protocol analysis helped identify potential security issues arising from session captures, replay attacks, and credential harvesting via product communications.
After cataloging all product input facilities, Foundstone tested for buffer overflows using a looping, incremented test harness based on its NTOMax stress-testing tool. Foundstone also performed additional input validation testing using manual techniques.
Finally, Foundstone attempted to subvert product functionality through software fault injection and various unauthorized or inappropriate activities. Although remote network penetration was its primary focus, Foundstone also attempted local exploitation and privilege escalation where appropriate.
Background:
Testbed Instrumentation
Foundstone uses internally developed custom hacking tools, including commercial-grade network eavesdropping devices, a diverse range of network and system-level software probes, and libraries of known exploit code covering popular applications and operating systems. During ISA Server 2000 testing, Foundstone logged all appropriate trans-firewall communications on the internal, perimeter, and external networks. To provide external confirmation and verification of its observations, Foundstone analyzed packet-level decodes both automatically and manually. Foundstone also continually monitored product performance to note any abnormal behavior.
Solution:
Findings & Recommendations
At the conclusion of testing, Foundstone provided a detailed report to Microsoft that included specific results, recommendations, and supporting test data. Findings highlighted ISA Server 2000’s many robust security features and recommended areas for improvement. The ISA Server 2000 development team promptly took action to improve the product and resolve concerns discovered during testing.
Recommendations included:
• Tightening of default internal interface security
• Minor improvements to logging
• Web proxy
• HTTP caching
• Web publishing features
Foundstone also noted that ISA Server 2000’s packet filters are adequately sealed against common packet manipulation attacks.
Conclusion
On February 20, 2002, ISA Server 2000 celebrated its one-year anniversary and the release of SP1. Based on Foundstone’s assessment of SP1, the ISA Server 2000 team made several improvements to the product’s security features. Additionally, Microsoft demonstrates its ongoing commitment to ISA Server 2000 security by submitting the product to periodic security audits of new Service Packs and updated versions. Foundstone is confident that ISA Server 2000 with SP1 competes well with other established products in its market.
Security is a critical concern in the high-tech world. With its focus on security products such as ISA Server 2000 and its willingness to submit its products to outside technical review, Microsoft has demonstrated a strong commitment to improving enterprise-level security. Since ISA Server 2000’s initial release, Microsoft has made independent technical review of the product a top priority. Foundstone looks forward to performing additional assessments.
Foundstone also notes that Microsoft has integrated independent security reviews with customer feedback to further enhance its products. For instance, SP1 adds significant improvements to the initial release of ISA Server 2000. Enhanced security features include:
• Improved stability
• Fixes for common issues reported through Microsoft Product Support Services (PSS)
• Fixes that allow operation within the Windows® .NET Server Family
• Improvements in SSL publishing of Outlook Web Access (OWA)
• Server publishing improvements
• Rollup of previous patches
Foundstone remains confident that Microsoft will deliver on its commitment to ISA Server 2000 security, as well as making security a top priority across its product line.