The heart and soul of ISA functionality lies in the Firewall Policy settings. These settings control the behavior of ISA and how it responds to traffic sent to it, and are therefore very important. It is critical to understand the functionality and terminology of the Firewall Policy settings, or run the risk of a misconfiguration that could jeopardize the server's security. Examining the Firewall Policy NodeThe Firewall Policy node, shown in Figure 3.12, contains several critical and commonly used tools in the ISA Console. The Central Details pane details the rules deployed on the server. The rules are, by default, sorted by the order in which they are applied, with the first rules applied at the top of the list. This concept, familiar to many who are used to working with other firewalls, is a new concept for ISA Server 2004; ISA 2000 did not apply rules in a logical order. Figure 3.12. Viewing the Firewall Policy node.In the Tasks pane on the right, three tabs are presented. The requisite Help tab displays common questions and help topics related to firewall policy. The Tasks tab contains a list of common tasks related to the node. Lastly, the Toolbox tab contains a very useful list of the elements in the ISA Server, such as network entities, content types, protocol descriptions, and the like. Understanding Firewall Access RulesA Firewall Access rule is simply a mechanism by which access is granted or denied for specific types of traffic through the ISA server. Rules are the means by which specific ports, applications, and other types of network traffic are either blocked or opened. If, for example, web access to the Internet is necessary for clients on the Internet network of an ISA configuration, a specific Firewall Access rule needs to be configured to specifically allow this type of access. In Figure 3.13, for example, several default rules that were created from the Network Template Wizard are illustrated. Figure 3.13. Exploring sample firewall rules.In this example, four rules control the flow of traffic and specify what is allowed and what is denied through the firewall. Each rule in the CCentral Details pane can be sorted by multiple variables, listed as follows:
Advanced information on configuring access rules can be found in Chapter 5. Examining Publishing Rules and the Concept of Reverse ProxyA server publishing rule is more complicated than a simple network access rule, in that it allows the ISA Server to mimic a destination server such as a web server and act as a reverse proxy server to the client requests. A reverse proxy server is a system that acts as a bastion host for requesting clients, protecting the server from direct attack by proxying all requests that are sent to it, making them go through the reverse proxy server itself. ISA Server 2004 is commonly deployed for its reverse proxy capabilities, particularly in its ability to secure web servers and Exchange Outlook Web Access (OWA.) Through reverse proxy, clients on the Internet are directed to the external IP address of the ISA server, which they think is the actual server for the services that they require. In reality, ISA performs Network Address Translation (NAT), scans the traffic for exploits and threats at the Application layer, and forwards the traffic back to the server. This greatly reduces the threat posed by having servers and services exposed to the Internet. Server publishing rules in ISA Server allow for advanced services securing of SQL servers, Exchange servers, Web servers, SharePoint portal sites, RPC servers, and many other predefined options. For more information on configuring and using server publishing rules, see Chapters 5 and 7, "Deploying ISA Server as a Reverse Proxy into an Existing Firewall DMZ. " Understanding System Policy Rules and the System Policy EditorSystem policies are often misunderstood or not taken into consideration, but are a fundamental component to every ISA installation. System policies are essentially a default set of firewall policies that allow the ISA Server to perform various system functions. Without system policies in place, ISA would be unable to perform any network functions at all, such as Windows Update, without them being specifically designated in manually created firewall policies. Basically speaking, system policies are really just firewall policies that have been preconfigured, but are hidden from view. Because the task of configuring an ISA Server would be time-consuming and ominous, these policies were configured as part of the firewall installation. It is wise, however, to examine each of these policies to ensure that they are truly necessary for the role that the ISA server will play in the organization. To view the system policies, click on the Show System Policy Rules link in the Tasks tab of the Firewall Policy node. Some of the default system policies are illustrated in Figure 3.14. Figure 3.14. Viewing system policies.To edit the system policy rules, right-click any one of the rules and click Edit System Policy. This displays the System Policy dialog box, as shown in Figure 3.15. Figure 3.15. Editing the system policy.The System Policy Editor allows for advanced configuration of the system policy rules in place on the Server. It is in this location that particular types of system access can be denied or enabled, based on the organization's particular security needs. For more information on editing the system policy, see Chapter 15, "Securing RPC Traffic." Defining the Contents of the Firewall Policy ToolboxThe Firewall Policy toolbox, shown in Figure 3.16, is an extremely useful function that organizes all the individual components of the firewall policies into one logical area. The toolbox is easily accessed by clicking on the toolbox tab in the Task pane. Figure 3.16. Examining the Firewall Policy toolbox.To examine individual items in the toolbox, click the down arrow to expand the particular section, such as Schedules or Users, and then select the object and click the Edit button. To create new objects, select the object container and click the New button. The toolbox comprises the following elements:
The toolbox serves as a "one-stop-shop" for many configuration settings in ISA, and can make the life of an administrator much easier through the creation of custom schedules, content types, users, protocols, and network objects. For these reasons, it is highly advisable to become familiar with these options. |