An Overview of Firewall Policy


Firewall policies govern how source and destination networks communicate with each other. The components involved include network rules, access rules, and publishing rules (server and Web). As mentioned earlier, ISA Server processes network rules first, then goes on to evaluate access or publishing rules.

Network rules define how networks communicate with one another. Networks can have three types of relationships:

  • No relationship, in which case all traffic is dropped

  • NAT, which hides the IP addresses on one network from the other

  • Route, which requires either all private or public address ranges, and maintains the original source IP address

Tip 

If you have a NAT relationship between networks, then ISA Server uses access rules to manage traffic from protected networks (internal) to external (untrusted) networks, and publishing rules to manage traffic from untrusted (external) to protected networks. If you have a route relationship between networks, ISA Server can use access rules for traffic flowing both ways between sites.

Best Practices

When configuring your rules, keep the following guidelines in mind. Certain simple elements can be processed quickly, and should be set at the top of the rule list; this strategy helps to eliminate unnecessary processing of traffic that can be eliminated quickly. See Table 8-2 for a description of the amount of processing required by different components.

Table 8-2: Performance Impact of Rule Components

Processing Requirements

Description

Location in Rule List

Light

Protocol definitions

Schedules

All IP address—based network elements (computers, computer sets, networks, and network sets)

Source port information

Top

Heavy

Domain name sets and URL sets

Users

Content type

Bottom

Heavy

Rules that use SMTP filter, HTTP filter, or FTP filter

Bottom

In general, follow this order for ordering your rules:

  1. Global deny rules

  2. Global allow rules

  3. Rules for specific computers

  4. Rules for specific users, URLs, and MIME types, and also publishing rules

  5. Other allow rules

    Note 

    For more detailed information on how to improve the performance of your firewall policies, see the excellent and rich "Best Practices Firewall Policy for ISA Server 2004" whitepaper at http://www.microsoft.com/technet/prodtechnol/isa/2004/plan/firewall_policy.mspx.

Lockdown Mode

One common concern that people express is how well their network is protected before the ISA Server Firewall Service starts, when it shuts down, or if it fails. Never fear! ISA Server provides excellent protection! Where ISA Server 2000 allowed all traffic to pass through the firewall if the firewall service wasn't started, ISA Server 2004 is more secure—in these scenarios, the ISA Server packet filter driver (FWENG) manages traffic in lockdown mode, which allows only certain types of traffic.

Note 

For detailed information regarding what is allowed, see the Microsoft Knowledge Base article, "Lockdown Mode of Operation in ISA Server 2004" at http://support.microsoft.com/?scid=838711.

Exporting and Importing Firewall Policy

ISA Server allows you to back up and share firewall policy information in an XML format.

To export the firewall policy, follow these steps:

  1. In the console tree, expand the server name, and click Firewall Policy.

  2. In the task pane, click the Tasks tab. Under Related Tasks, click Export Firewall Policy.

  3. In the Export Configuration dialog box, browse to the location to where you would like to save the export file, and type a filename to be given to the export file in the File Name text box. If you would like to export confidential information like user credential passwords, RADIUS shared secrets, or preshared IPSec keys, select the Export Confidential Information (Encryption Will Be Used) check box, as shown in Figure 8-4; otherwise click Export.

  4. In the Set Password dialog box, you must specify a password with at least eight characters to be used when later importing the file. Type the password and confirm the password, and then click OK.

    Note 

    All of the confidential information included in the export file is encrypted. This step only appears if you choose to export the confidential information.

  5. In the Export Firewall Policy Rules dialog box, click OK.

image from book
Figure 8-4: If you select this option, be sure to protect the exported file, as it contains confidential information.

To import the firewall policy, follow these steps:

  1. In the console tree, expand the server name, and click Firewall Policy.

  2. In the task pane, click the Tasks tab. Under Related Tasks, click Import Firewall Policy.

  3. In the Import Configuration dialog box, browse to the location on the disk where you saved the export XML file, and select the export file to insert it into the File Name text box. If you would like to import cache drive settings and SSL certificates, select the Import Cache Drive Settings And SSL Certificates check box, and then click Import.

  4. In the Type Password To Open File dialog box, type the name of the password associated with the export file, and click OK.

  5. In the Importing Firewall Policy Rules dialog box, click OK.

  6. In the details pane, click Apply to save the changes, and then click OK.

Configuring FTP Filtering

When you want to manage FTP connections based on individual rules, do so from within access or publishing rules that include the FTP protocol. These rules take advantage of the FTP Application filter, which manages FTP traffic from SecureNAT clients by opening the secondary ports required for FTP dynamically and performing address translation. Follow these steps to configure FTP filtering:

  1. In the ISA Server Management console tree, expand the server name, and click Firewall Policy.

  2. In the details pane, right-click the access or publishing rule you will use to configure FTP, then select Configure FTP.

    Note 

    To publish an FTP server, follow the steps described in the section "Creating a Server Publishing Rule" later in the chapter.

  3. The only option you have available to configure is whether FTP uploads should be blocked, as shown in Figure 8-5. Select the Read Only check box if you wish to block uploads.

image from book
Figure 8-5: The Read Only check box allows downloads without allowing uploads, reducing the possibility of systems or data being compromised.

Note 

For more information on how the FTP Access filter works, see the FTP Access filter section in the ISA Server Help file.

Configuring HTTP Filtering

ISA Server 2004 can perform granular inspection of HTTP traffic using the HTTP filter. Whereas ISA Server 2000 Feature Pack 1 offered functionality to filter HTTP traffic using URLscan, it would apply to all traffic. The HTTP filter can be applied to individual rules, which, for example, lets you allow certain HTTP methods for one group of users, and deny them for another.

To configure HTTP filtering, follow these instructions:

  1. In the ISA Server Management console tree, expand the server name, and click Firewall Policy.

  2. In the details pane, right-click the access or publishing rule you will use to configure HTTP, then select Configure HTTP from the shortcut menu. You will see the Configure HTTP Policy For Rule dialog box, as shown in Figure 8-6.

image from book
Figure 8-6: Use the HTTP filter for fine control of HTTP traffic on a per-rule basis.

See Table 8-3 for a description of each of the items in the Configure HTTP Policy For Rule dialog box.

Table 8-3: HTTP Security Filter Settings

Tab

Area

Option

Description

General

Request Headers

Maximum Headers Length (Bytes)

This setting is global to every rule that uses the HTTP filter, and provides the ability to limit the size of HTTP headers to prevent buffer overflow attacks. Type the number of bytes in this text box. Values between 10,000 and 33,000 are common.

General

Request Payload

Allow Any Payload Length or Minimum Payload Length (Bytes)

To allow any payload size, select the check box. If cleared, you can block Web content based on payload size by typing in the upper limit in bytes.

General

URL Protection

Maximum URL Length (Bytes)

Type the longest length in bytes you wish for a URL.

General

URL Protection

Maximum Query Length (Bytes)

Type the longest length in bytes you wish for a query.

General

URL Protection

Verify Normalization

This check box verifies the escaped characters (like %20 for a space) to prevent double encoding attacks. If you use this option with a Microsoft SharePoint server, you will have problems with your libraries.

General

URL Protection

Block High Bit Characters

Blocks "high bit" characters (or characters in the upper ASCII range, greater than 128). This prevents some attacks, but can also cause some Web applications that rely on these characters to fail.

General

Executables

Block Responses Containing Windows Executable Content

Select this check box to prevent HTTP responses that contain executable files.

Methods

Specify the Action Taken For HTTP Methods

Allow All Methods, Allow Only Specified Methods, or Block Specified Methods

These options allow you to configure what HTTP methods (for example, GET, PUT, HEAD, POST, and so on) are allowed or blocked. Use the Add, Edit, and Remove buttons to define and edit methods.

Extensions

Specify The Action Taken On File Extensions

Allow All Extensions, Allow Only Specified Extensions, or Block Specified Extensions

These options allow you to configure what HTTP requests with defined file extensions (like .exe, .vbs, .asp) are allowed or blocked. Use the Add, Edit, and Remove buttons to define and edit the extensions.

Extensions

Specify The Action Taken On File Extensions

Block Requests Containing Ambiguous Extensions

This option blocks any extensions that can't be determined

Headers

 

Allow All Headers Except The Following

This section allows you to specify the request or response headers that will be blocked. Use the Add, Edit, and Remove buttons on the right to take corresponding actions on these headers.

Headers

Server Header

Send Original Header, Strip Header From Response, or Modify/Change To

These options allow you to change the server header (which describes the type of Web server you're using, like IIS or A pache), You can send the original, remove the header, or spoof a server header.

Headers

Via Header

Send Default Header, Modify Header In Request And Response/Change To

These options allow you to change the Via Header (which identifies the proxy server to downstream clients) by selecting the Modify Header In Request option, and typing in a spoofed header.

Signatures

 

Block Content Containing These Signatures

You can add, edit, or remove signatures (that is, text strings you specify that can be found in the Request URL, Request Headers, Request Body, Response Headers, or Response Body).

Signatures

 

Show Only Enabled Search Strings

Select this check box when you wish to show only the search strings for which the filter is currently searching.

Note 

Before configuring these settings, be sure to consult with your Web administrators. Changing these settings (such as Maximum Query Length) can have an adverse effect on some Web applications.

For more information on configuring the HTTP Security filter, see the MSDN article entitled, "HTTP Filtering In ISA Server 2004" at http://www.microsoft.com/technet/prodtechnol/isa/2004/plan/httpfiltering.mspx and Chapter 10 of Tom and Deb Shinder's Configuring ISA Server 2004.

Configuring RPC Filtering

In ISA Server 2000, the RPC filter applied to all traffic. ISA Server 2004 provides perrule RPC filtering, allowing a great deal more control over RPC traffic. You can configure RPC filtering in both the system policy and with individual access rules. ISA Server 2004 allows you to Enforce Strict RPC Compliance, which provides the highest level of security by preventing Distributed Component Object Model (DCOM) traffic.

There are three ways in which you might need to configure RPC filtering: in the system policy, on an access rule, and when allowing remote Microsoft Outlook clients to connect to a Microsoft Exchange server.

Configuring RPC in System Policy

To configure RPC on the system policy, follow these steps:

  1. In the ISA Server Management console tree, expand the server name, and click Firewall Policy.

  2. In the task pane, click the Task tab, then click Edit System Policy.

  3. In the Configuration Groups list, in the Authentication Services group, select Active Directory, as shown in Figure 8-7.

  4. To enable RPC filtering, select the Enable check box on the General tab.

  5. To prevent DCOM and other RPC-type protocols from running (which will protect you against certain attacks), select the Enforce Strict RPC Compliance check box.

  6. Click OK, then click Apply to commit the changes to ISA Server. Click OK to confirm the changes.

image from book
Figure 8-7: This policy defines how the ISA server processes RPC traffic.

Note 

Many applications require DCOM traffic, so you might need to clear the Enforce Strict RPC Compliance check box. One common situation requires that you temporarily disable RPC filtering when requesting a certificate using the Certificates snap-in in the MMC. See "'The Certificate Request Failed Because Of One Of The Following Conditions' Error Message When You Request a Certificate in ISA Server 2004" Knowledge Base article at http://support.microsoft.com/?scid=833704 for more information on this condition.

Configuring RPC on an Access Rule

To configure the RPC filter on an access rule (which must have RPC protocols selected), follow these steps:

  1. In the ISA Server Management console tree, expand the server name, and click Firewall Policy.

  2. In the details pane, right-click on the access or publishing rule you will use to configure RPC, then select Configure RPC Protocol from the shortcut menu. The Configure RPC Protocol Policy dialog box appears, as shown in Figure 8-8.

  3. Because the RPC filter is enabled when the RPC protocol is selected, the RPC filter manages RPC traffic. The only option you have available to configure is to select the Enforce Strict RPC Compliance check box (see the earlier discussion).

  4. Click OK, then click Apply to commit the changes to ISA Server.

image from book
Figure 8-8: This dialog box allows you to configure how ISA Server manages RPC traffic for this particular rule.

Configuring RPC with Outlook Clients

To learn how to configure RPC for Outlook, see Chapter 16, "Configuring Microsoft ISA Server with Microsoft Exchange Server 2003."




Microsoft Internet Security and Acceleration ISA Server 2004 Administrator's Pocket Consultant
Microsoft Internet Security and Acceleration (ISA) Server 2004 Administrators Pocket Consultant (Pro-Administrators Pocket Consultant)
ISBN: 0735621888
EAN: 2147483647
Year: 2006
Pages: 173

flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net