I have written about ISA 2004 as an application layer firewall and gateway and how it is designed to help secure access to a variety of services – including providing secure external access to collaborative/mobile services like Exchange, SharePoint and LCS. Although content filtering, URL filtering, SSL bridging, HTTP filtering and link translation are important pieces of this secure infrastructure, the most important might just be pre-authentication.
Before I continue, let’s first talk about how a web service might be attacked. There are the more traditional low level TCP/IP attacks (usually more DoS focused) that pretty much any respectable firewall would protect against (including ISA 2004), and then there are application layer attacks. One very common application layer attack is the buffer overflow. For a great analysis of the most common application layer web service attacks check out OWASP.ORG - http://www.owasp.org/documentation/topten.html. These are typically complicated attacks that go after poorly written or designed applications, and many of the most devastating attacks (and worms) in the wild have used some of these techniques over the last 10 years. There is no 100% substitute for fixing a poorly written application, but ISA can help provide significant security around a variety of these attacks. In this article we will talk about the most important protection ISA offers for web applications: pre-authentication.
Pre-authentication is so important because it requires that ANYONE who wants to access your back end web service must first provide credentials and have access to the resource being requested (authentication and authorization). The key here is that if you are requiring pre-authentication on ISA 2004 then there isn’t a SINGLE PACKET sent to the back end published resource until the user has supplied valid credentials that have access to the requested service. What does this mean with regards to who can attack your back end web resource (which may very well be a member of your domain and running other LOB apps like Exchange, IIS, SQL, etc.)? Only authenticated users could even attempt an application layer attack on those resources!
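As an added illustration (not ISA’s code and not from the original post), here is a minimal pre-authentication gateway in Python: the credential store, group names, published paths and the Backend class are all constructed for the demo. The thing to watch is that the backend’s request list stays empty until a request carries valid credentials that are also authorized for the path.

```python
import base64
import hashlib
import hmac
# Constructed credential store: user -> (salt, sha256(salt+password), groups).
# A real gateway validates against a directory; this dict is only for the demo.
def _hash(salt: bytes, password: str) -> bytes:
    return hashlib.sha256(salt + password.encode()).digest()

USERS = {
    "alice": (b"s1", _hash(b"s1", "correct horse"), {"owa-users", "sp-users"}),
    "bob": (b"s2", _hash(b"s2", "battery staple"), {"owa-users"}),
}
# Authorization rule (constructed): the group a published path prefix requires.
ACL = {"/exchange/": "owa-users", "/sites/": "sp-users"}

def basic_header(user: str, password: str) -> dict:
    """Build the Authorization header a browser would send for Basic auth."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return {"Authorization": "Basic " + token}

class Backend:
    """Stand-in for the published server; records every request that reaches it."""
    def __init__(self):
        self.requests = []
    def handle(self, user: str, path: str) -> int:
        self.requests.append((user, path))
        return 200

def _authenticate(headers: dict):
    """Return the username if the Basic credentials are valid, else None."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Basic "):
        return None
    try:
        user, _, password = base64.b64decode(auth[6:]).decode().partition(":")
    except Exception:  # malformed base64 or non-UTF-8 bytes
        return None
    rec = USERS.get(user)
    if rec is None or not hmac.compare_digest(_hash(rec[0], password), rec[1]):
        return None
    return user

def gateway(headers: dict, path: str, backend: Backend) -> int:
    """Pre-authentication: decide 401/403 before the backend sees anything."""
    user = _authenticate(headers)
    if user is None:
        return 401  # missing or bad credentials: backend never contacted
    required = next((g for p, g in ACL.items() if path.startswith(p)), None)
    if required is None or required not in USERS[user][2]:
        return 403  # authenticated but not authorized for this resource
    return backend.handle(user, path)
```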
So, by adding pre-authentication we have taken the number of potential attackers down from approx. 6.5 billion to just those who can provide valid credentials. That is a great first step (at a super low cost)! So now let’s look at that smaller group. Who can provide valid credentials? Of course there are valid users, but the problem here is that your valid users probably have INTERNAL access to those resources. So if your concern is valid users making these types of attacks… well, that is a whole other article.
Of course there is the other group: those who have someone else’s credentials. That is why ISA natively supports multi-factor authentication options! You can require that users provide an RSA SecurID token or a certificate along with their credentials (ISA 2006 will support RADIUS OTP as well). Now it is even harder for someone to get someone else’s credentials! If that fails and someone does get credentials, will they attempt some cryptic application layer attack… or just access those resources as that user? Imagine what they might have access to depending on whose credentials are obtained. Can they VPN into your environment and be on the network with access to everything? There is a lot to think about. This is also a great layer of security against worms that propagate based on application holes.
Lastly, you have the other powerful application layer security and filtering capabilities provided by ISA 2004 that can help secure against many types of these attacks. But pre-authentication is the first line of defense and is a great way to provide a powerful initial line of security at an unbelievably low cost. Think about how many companies have Exchange Outlook Web Access (OWA) servers that are members of a domain just sitting in a DMZ with all traffic over SSL coming right into them. It is scary. For as little as a couple thousand bucks they could have all this extra security in a variety of form factors (including appliances!).
In my next article I will be discussing and analyzing the security ramifications and risks of providing external access to Exchange services specifically (Outlook Web Access, Outlook Mobile Access, Exchange ActiveSync and RPC over HTTP(S)). Stay tuned!