Reviewing and Modifying Network Rules

After the wizard has completed, the networks, network rules, and firewall rules will have been created and can be customized as necessary. In certain cases, it may be necessary to modify some of the settings that the wizard created, particularly if changes have been made or new networks need to be added to an environment after it has been placed into production.

Modifying Network Rules

Network rules, after they are put into place, are not changed often because the relationship between networks is often quite static. In certain cases, however, modifications may be necessary. If those circumstances arise, the task of modifying the rules is relatively straightforward. To modify an existing network rule, perform the following tasks:

1. From the ISA Console, click on the Networks node in the console tree.

2. Click on the Network Rules tab in the Central Details pane.

3. Double-click on the particular network rule to be modified.

4. From the dialog box shown in Figure 5.7, reconfigure the network rules as necessary, making changes to Source Networks, Destination Networks, or the Network Relationship.

Figure 5.7. Modifying network rules.

5. Click OK when the changes are complete.

6. Click Apply to apply the changes and then click OK.

Creating New Network Rules

Creating a new network rule is primarily done only when a major change to the ISA firewall configuration has taken place, such as when a new network has been added to the server. In addition, this procedure can be used if the network template wizard is not run on a new server and manual methods of configuring the network rules are required. To create a new Network rule, perform the following tasks:

1. From the ISA Console, click on the Networks node in the console tree.

2. Click on the Network Rules tab in the Central Details pane.

3. Click on the Tasks tab in the Tasks pane.

4. Click the link titled Create a New Network Rule.

5. Enter a descriptive name for the network rule and click Next to continue.

6. On the Network Traffic Sources dialog box, click Add.

7. Select the network or network set that will be added as a source of the rule and then click Add, Close, and Next to continue.

8. For destination, click Add and perform the same process, this time selecting the network or network set that will be the destination set. Click Next when complete.

9. Select the type of relationship to configure, NAT or Route, as shown in Figure 5.8. Click Next to continue.

Figure 5.8. Creating new network rules.

10. Review the settings and click Finish.

11. Click Apply and then click OK to enable the new rule.


Understanding Firewall Policy Rules

Firewall policy rules are distinct from network rules in that they define what types of traffic and applications will be supported between the network segments. For example, an administrator may want to configure a firewall rule to allow web traffic from internal clients to the Internet. Firewall Policy Rules, shown in Figure 5.9, are the heart of ISA's firewall functionality. They define what is allowed and what is denied for specific networks, users, and protocols.

Figure 5.9. Examining firewall policy.


Firewall policy configuration should be well understood before ISA administration is attempted. Incorrectly configured rules can open up the wrong type of access to an environment and invite hackers in. It is therefore important to audit these settings on a regular basis as well as to ensure that they are set in the way that is necessary for functional security.

The basic rule of thumb with ISA firewall policy rules is to deny all traffic unless a specific need has been established that the traffic will be allowed. The key to a successful ISA firewall deployment is to identify the entire range of functionality that will be necessary in advance, and then to create individual rules to reflect that functionality.

Firewall rules are applied to network traffic from top to bottom in the list. This is important to note because specific rules may need to be applied before other ones are. For example, if a rule at the top of the list is set to deny HTTP traffic to a particular network segment, and a later rule allows it, the traffic is denied because it hits the upper rule first. Rule placement is therefore an important component of an ISA firewall policy.

To move rules up or down in the policy list, select a rule by clicking on it and then click the link titled Move Selected Rules Down or Move Selected Rules Up, depending on the specific need.

It should be noted that the last rule on an ISA Server is the default rule to deny all traffic if not already specified. So if there isn't a specific rule above the default rule that allows for a certain protocol or activity, that protocol is blocked by the default rule. This rule exists to preserve security: The ISA server is configured to allow only predefined activities to occur, and anything not explicitly stated is disallowed.

Modifying Firewall Policy Rules

If the Network Template Wizard was run, and a default policy other than Block All was enacted, then a set of predefined rules should already exist on the newly configured ISA server. Double-clicking on these rules individually is the way to modify them. The properties box for a rule, shown in Figure 5.10, contains multiple configuration options on each of the tabs as follows:

  • General tab The General tab allows for modification of the rule name and also can be used to enable or disable a rule. A disabled rule still shows up in the list, but is not applied.

  • Action tab The Action tab defines whether the rule allows or denies the type of traffic defined in the rule itself. In addition, it gives the option of logging traffic associated with the rule (the default) or not.

  • Protocols tab The Protocols tab is important in the rule definition. It defines what type of traffic is allowed or denied by the rule. The rule can be configured to apply to all outbound traffic, selected protocols, or all outbound traffic except for the types selected. Default protocol definitions that come with ISA server can be used, as well as any custom protocol definitions that are created. In addition, this tab is where the port filtering and Application-layer filtering options are accessed, via the Filtering and Ports buttons.

  • From tab The From tab simply defines from which network or networks the originating traffic to which the rule applies will come.

  • To tab The To tab reverses this, and makes it possible to define the destination network or networks at which the particular traffic is aimed.

  • Users tab The Users tab, normally set to All Users by default, is used only when the full ISA Firewall client is deployed on client desktops. The client software allows unique users to be identified, allowing for specific rules to apply to each one as a group or individual user. For example, a group could be created whose members have full web access, whereas others are restricted.

  • Schedule tab The Schedule tab allows for the rule to apply during only specific intervals and to be inactive in others.

  • Content Types tab The Content Types tab enables an administrator to specify whether the rule is applied to only specific types of HTTP traffic, or whether it applies to all traffic.

Figure 5.10. Modifying Firewall Policy Rules.


After any changes are made, click the OK button, click Apply in the Central Details pane, and OK again to save changes to the rule.
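As an added example, not from the book and not ISA Server's own code, the following Python models the firewall policy behaviour described above: rules are evaluated top to bottom, the first matching rule decides, a trailing default rule denies everything else, and each rule carries the properties from the General, Action, Protocols, From, To and Users tabs. The rule names, network names and protocol names are constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Rule:
    name: str
    action: str                      # Action tab: "allow" or "deny"
    sources: set                     # From tab: networks the traffic originates from
    destinations: set                # To tab: networks the traffic is aimed at
    protocols: set = field(default_factory=set)      # Protocols tab selection
    protocol_mode: str = "selected"  # "all", "selected" or "all_except"
    users: set = field(default_factory=lambda: {"All Users"})  # Users tab
    enabled: bool = True             # General tab: a disabled rule is listed but skipped

    def matches(self, protocol, src, dst, user):
        if not self.enabled:
            return False
        if self.protocol_mode == "selected" and protocol not in self.protocols:
            return False
        if self.protocol_mode == "all_except" and protocol in self.protocols:
            return False
        if src not in self.sources or dst not in self.destinations:
            return False
        return "All Users" in self.users or user in self.users

def evaluate(policy, protocol, src, dst, user="anonymous"):
    """Walk the ordered policy top to bottom; the first matching rule decides."""
    for rule in policy:
        if rule.matches(protocol, src, dst, user):
            return rule.action, rule.name
    return "deny", "Default rule"  # the implicit last rule that denies everything else

def move_rule_down(policy, index):
    """Mirror the console's Move Selected Rules Down link; returns a new ordering."""
    moved = list(policy)
    if index + 1 < len(moved):
        moved[index], moved[index + 1] = moved[index + 1], moved[index]
    return moved

# Constructed sample policy (not from the book): a deny-HTTP rule above an allow-web rule.
EXAMPLE_POLICY = [
    Rule("Block HTTP to DMZ", "deny", {"Internal"}, {"DMZ"}, {"HTTP"}),
    Rule("Allow web from Internal", "allow", {"Internal"}, {"DMZ", "External"},
         {"HTTP", "HTTPS"}),
]

if __name__ == "__main__":
    print(evaluate(EXAMPLE_POLICY, "HTTP", "Internal", "DMZ"))  # upper deny rule wins
    print(evaluate(move_rule_down(EXAMPLE_POLICY, 0), "HTTP", "Internal", "DMZ"))
    print(evaluate(EXAMPLE_POLICY, "SMTP", "Internal", "External"))  # falls to Default rule
```

Swapping the two rules turns the HTTP verdict from deny to allow, which is the placement effect the text warns about; a protocol no rule mentions always lands on the default rule.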

Creating Firewall Policy Rules

Firewall policy rules are powerful and highly customizable, and can be used to set up and secure access to a wide range of services and protocols. So it may seem surprising that creating an access rule to allow or deny specific types of traffic is relatively straightforward. To set up a new rule, perform the following steps:

1. From the ISA Management Console, click on the Firewall Policy node in the console tree.

2. Click on the Tasks tab in the Tasks pane.

3. Click the link titled Create New Access Rule.

4. Enter a descriptive name for the new rule and click Next.

5. Select whether the rule will allow or deny traffic and click Next.

6. On the next dialog box, choose whether the rule will apply to all traffic, all traffic except certain protocols, or selected protocols. In this example, Selected protocols is selected. Click the Add button to add them.

7. To add the protocols, select them from the Protocols list shown in Figure 5.11 and click Add and then Close. The list is sorted by category to provide for ease of selection.

Figure 5.11. Creating firewall access rules.

8. Click Next to continue to the Source Network dialog box.

9. Click Add to add a source for the rule and then select the source network by clicking Add and then clicking Close.

10. Click Next to continue to the Destination Network dialog box.

11. At the Destination Network dialog box, click Add to add a destination for the rule, select the destination network by clicking Add and then clicking Close, and click Next to continue.

12. Leave the User Sets dialog box at the defaults and click Next.

13. Review the settings and click Finish.

14. Click Apply in the Central Details pane and click OK after it has been confirmed.