Exploring Firewall Policy Settings
The heart and soul of ISA functionality lies in the Firewall Policy settings. These settings control the behavior of ISA and how it responds to traffic sent to it, and are therefore very important. It is critical to understand the functionality and terminology of the Firewall Policy settings; otherwise you run the risk of a misconfiguration that could jeopardize the server's security.
Examining the Firewall Policy Node
The Firewall Policy node, shown in Figure 3.12, contains several critical and commonly used tools in the ISA Console. The Central Details pane lists the rules deployed on the server. The rules are, by default, sorted by the order in which they are applied, with the first rules applied at the top of the list. This concept, familiar to many who are used to working with other firewalls, is new to ISA Server 2004; ISA 2000 did not apply rules in a logical order.
Figure 3.12. Viewing the Firewall Policy node.
In the Tasks pane on the right, three tabs are presented. The requisite Help tab displays common questions and help topics related to firewall policy. The Tasks tab contains a list of common tasks related to the node. Lastly, the Toolbox tab contains a very useful list of the elements in the ISA Server, such as network entities, content types, protocol descriptions, and the like.
Understanding Firewall Access Rules
A Firewall Access rule is simply a mechanism by which access is granted or denied for specific types of traffic through the ISA server. Rules are the means by which specific ports, applications, and other types of network traffic are either blocked or opened. If, for example, web access to the Internet is necessary for clients on the Internal network of an ISA configuration, a specific Firewall Access rule needs to be configured to allow this type of access.
In Figure 3.13, for example, several default rules that were created from the Network Template Wizard are shown.
Figure 3.13. Exploring sample firewall rules.
In this example, four rules control the flow of traffic and specify what is allowed and what is denied through the firewall. Each rule in the Central Details pane can be sorted by multiple columns, listed as follows:
The Order of the rule determines when it is processed. Whenever any type of traffic arrives at the ISA server, the firewall rules are applied in order, from the lowest number to the highest. If a match is made for the type of traffic, that firewall rule is applied and no further rules are parsed.
The Name of each rule is displayed in the console to aid in the identification of what the rule does. Names for rules should describe the rule's function.
The Action of a rule is one of two choices: Allow or Deny. For obvious reasons, it is critical to ensure that the rules have this field set properly.
The Protocols column displays to what common or custom-defined protocols the particular rule applies, such as HTTP, FTP, DNS, and others.
The From/Listener column displays the network or listener from which rule traffic will originate. ISA examines only the traffic from this network when applying the rule.
The To column represents the destination of traffic. Only traffic sent to this network or set of networks will have the particular rule applied.
The Condition column allows individual rules to apply only to particular users or groups of users. This level of granularity is available only when the Firewall Client is deployed, so the condition is often simply set to All Users when the full client is not deployed.
Advanced information on configuring access rules can be found in Chapter 5.
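To make the first-match ordering concrete, here is an added example (written for this text, not ISA's own code or administration API) that models rule evaluation using the columns just described, and then checks a constructed sample policy for rules that an earlier rule makes unreachable, a misconfiguration the ordering semantics invite:

```python
# Added example (not ISA's own code or API): a minimal model of how ISA Server
# 2004 evaluates Firewall Access rules, using the columns described above.
# Rules are checked by Order; the first match decides and no later rule is read.
from dataclasses import dataclass

ANY = "*"  # stands for All Networks, All Users, or all protocols

@dataclass(frozen=True)
class Rule:
    order: int
    name: str
    action: str           # Action column: "Allow" or "Deny"
    protocols: frozenset  # Protocols column, e.g. {"HTTP", "HTTPS"}
    src: str              # From/Listener column, e.g. "Internal"
    dst: str              # To column, e.g. "External"
    users: frozenset      # Condition column: user sets, {ANY} = All Users

def matches(rule, protocol, src, dst, user_set):
    return ((ANY in rule.protocols or protocol in rule.protocols)
            and rule.src in (ANY, src) and rule.dst in (ANY, dst)
            and (ANY in rule.users or user_set in rule.users))

def evaluate(rules, protocol, src, dst, user_set):
    """Return (action, rule name) for one connection attempt.
    ISA ends its list with a deny-all Default rule, so unmatched traffic is denied."""
    for rule in sorted(rules, key=lambda r: r.order):
        if matches(rule, protocol, src, dst, user_set):
            return rule.action, rule.name
    return "Deny", "Default rule"

def covers(a, b):
    """True when every connection that rule b would match is also matched by rule a."""
    return ((ANY in a.protocols or b.protocols <= a.protocols)
            and a.src in (ANY, b.src) and a.dst in (ANY, b.dst)
            and (ANY in a.users or b.users <= a.users))

def shadowed(rules):
    """Names of rules that can never fire because an earlier rule covers them."""
    ordered = sorted(rules, key=lambda r: r.order)
    return [later.name for i, later in enumerate(ordered)
            if any(covers(earlier, later) for earlier in ordered[:i])]

# Constructed sample policy: rule 3 is unreachable because rule 2 denies FTP first.
RULES = [
    Rule(1, "Web access", "Allow", frozenset({"HTTP", "HTTPS"}), "Internal", "External", frozenset({ANY})),
    Rule(2, "Block FTP", "Deny", frozenset({"FTP"}), "Internal", "External", frozenset({ANY})),
    Rule(3, "Admin FTP", "Allow", frozenset({"FTP"}), "Internal", "External", frozenset({"Admins"})),
]

if __name__ == "__main__":
    print(evaluate(RULES, "FTP", "Internal", "External", "Admins"))  # ('Deny', 'Block FTP')
    print(shadowed(RULES))                                           # ['Admin FTP']
```

Moving the Admin FTP rule above the Block FTP rule makes it reachable again, which is exactly the kind of reordering the console's rule order controls are for.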
Examining Publishing Rules and the Concept of Reverse Proxy
A server publishing rule is more complicated than a simple network access rule, in that it allows the ISA Server to sit in front of a destination server such as a web server and act as a reverse proxy server to clients. A reverse proxy server is a system that acts as the apparent host for requesting clients, protecting the real server from direct attack by proxying all requests that are sent to it, making them go through the reverse proxy server itself.
ISA Server 2004 is commonly deployed for its reverse proxy capabilities, particularly its ability to secure web servers and Exchange Outlook Web Access (OWA). Through reverse proxy, clients on the Internet are directed to the external IP address of the ISA server, which they think is the actual server for the services that they require. In reality, ISA performs Network Address Translation (NAT), inspects the traffic for exploits and threats at the Application layer, and forwards the traffic on to the server. This greatly reduces the threat posed by having servers and services exposed to the Internet.
Server publishing rules in ISA Server allow for advanced securing of services such as SQL servers, Exchange servers, Web servers, SharePoint portal sites, RPC servers, and many other predefined options. For more information on configuring and using server publishing rules, see Chapters 5 and 7, "Deploying ISA Server as a Reverse Proxy into an Existing Firewall DMZ."
Understanding System Policy Rules and the System Policy Editor
System policies are often misunderstood or not taken into consideration, but they are a fundamental component of every ISA installation. System policies are a default set of firewall policies that allow the ISA Server to perform various system functions. Without system policies in place, ISA would be unable to perform any network functions at all, such as Windows Update, unless each was specifically allowed in a manually created firewall policy.
Basically speaking, system policies are really just firewall policies that have been preconfigured, but are hidden from view. Because configuring each of these by hand on an ISA Server would be tedious and daunting, these policies are configured as part of the firewall installation. It is wise, however, to examine each of these policies to ensure that they are truly necessary for the role that the ISA server will play in the organization. To view the system policies, click on the Show System Policy Rules link in the Tasks tab of the Firewall Policy node. Some of the default system policies are illustrated in Figure 3.14.
Figure 3.14. Viewing system policies.
To edit the system policy rules, right-click any one of the rules and click Edit System Policy. This displays the System Policy dialog box, as shown in Figure 3.15.
Figure 3.15. Editing the system policy.
The System Policy Editor allows for advanced configuration of the system policy rules in place on the server. It is in this location that particular types of system access can be denied or enabled, based on the organization's particular security needs. For more information on editing the system policy, see Chapter 15, "Securing RPC Traffic."
Defining the Contents of the Firewall Policy Toolbox
The Firewall Policy toolbox, shown in Figure 3.16, is an extremely useful function that organizes all the individual elements of the firewall policies into one logical area. The toolbox is easily accessed by clicking on the Toolbox tab in the Tasks pane.
Figure 3.16. Examining the Firewall Policy toolbox.
To examine individual items in the toolbox, click the down arrow to expand the particular section, such as Schedules or Users, and then select the object and click the Edit button. To create new objects, select the object container and click the New button.
The toolbox comprises the following elements:
The Protocols toolbox contains a list of defined protocols that are used to communicate across networks. Common protocols such as DNS, HTTP, SMTP, POP, Telnet, MSN Messenger, and Ping are listed here, as well as more obscure protocols such as RIP, H.323, MMS, RTSP, and many others. Because ISA ships with definitions for these protocols, you can easily create rules to block or allow them as necessary. In addition, you can define custom protocols not in ISA's default list by clicking the New button in the toolbox. For information on creating custom and advanced protocol support, see Chapter 15.
The Users toolbox contains groupings of users that are useful for bulk application of firewall rules and other settings. The default groups created by ISA are All Authenticated Users, All Users, and System and Network Service. New groups can be created to logically organize different types of users to facilitate the creation of policies and rules. For more information on users and groups within ISA Server, refer to Chapter 11.
The Content Types toolbox allows different applications and files to be organized according to their content type. For example, a file that is downloaded via the web may be an audio file, an image, text, video, or any of several other options. Files that are grouped by content type can be controlled more easily, giving the ISA administrator an easy way to perform such actions as blocking access to specific types of dangerous executables or other file types. For more information on configuring and creating Content Types, see Chapter 15.
The Schedules toolbox allows custom time schedules to be created. This can be extremely useful if there are organization-specific schedules that need to be consistently applied to multiple rules or parameters within projects. For example, a custom schedule could be created for scheduled maintenance, as the dialog box shown in Figure 3.17 illustrates. This schedule can then be applied to rules that deny connections during those periods of time.
Figure 3.17. Creating a custom schedule.
The Network Objects toolbox is perhaps the most important and commonly used of the toolboxes. All the configured network-related objects are listed in the toolbox, such as the Network Sets, Computer Sets, URL Sets, Address Ranges, and more. Even though the logical location for this toolbox would normally be under the network node, it has been placed with the rest of the toolboxes in the Firewall Policy node, so it is important to understand that distinction when looking for network settings, such as the location and configuration of web listeners and subnets. More information on using the Network Objects toolbox, including step-by-step descriptions, can be found in Chapter 5.
The toolbox serves as a "one-stop shop" for many configuration settings in ISA, and can make the life of an administrator much easier through the creation of custom schedules, content types, users, protocols, and network objects. For these reasons, it is highly advisable to become familiar with these options.