Firewall policy rules are distinct from network rules in that they define what types of traffic and applications will be supported between the network segments. For example, an administrator may want to configure a firewall rule to allow web traffic from internal clients to the Internet. Firewall Policy Rules, shown in Figure 5.9, are the heart of ISA's firewall functionality. They define what is allowed and what is denied for specific networks, users, and protocols.
Figure 5.9. Examining firewall policy.
Firewall policy configuration should be well understood before ISA administration is attempted. Incorrectly configured rules can open up the wrong type of access to an environment and invite hackers in. It is therefore important to audit these settings on a regular basis and to ensure that they are configured exactly as required for both functionality and security.
The basic rule of thumb with ISA firewall policy rules is to deny all traffic unless a specific need has been established that the traffic will be allowed. The key to a successful ISA firewall deployment is to identify the entire range of functionality that will be necessary in advance, and then to create individual rules to reflect that functionality.
Firewall rules are applied to network traffic from top to bottom in the list. This is important to note because specific rules may need to be applied before other ones are. For example, if a rule at the top of the list is set to deny HTTP traffic to a particular network segment, and a later rule allows it, the traffic is denied because it hits the upper rule first. Rule placement is therefore an important component of an ISA firewall policy.
To move rules up or down in the policy list, select a rule by clicking on it and then click the link titled Move Selected Rules Down or Move Selected Rules Up, depending on the specific need.
It should be noted that the last rule on an ISA Server is the default rule to deny all traffic if not already specified. So if there isn't a specific rule above the default rule that allows for a certain protocol or activity, that protocol is blocked by the default rule. This rule exists to preserve security: The ISA server is configured to allow only predefined activities to occur, and anything not explicitly stated is disallowed.
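The top-to-bottom, first-match evaluation and the implicit deny-all default rule described above, as a small added model in Python (this is constructed illustration code, not ISA Server's own engine; the rule names, networks and the shadowed-rule audit helper are assumptions). It also shows the kind of check an audit of the rule list should perform: a rule that can never fire because an earlier rule already matches everything it would match.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Rule:
    name: str
    action: str    # "allow" or "deny"
    protocol: str  # protocol name such as "HTTP", or "*" for any protocol
    src: str       # source network in CIDR notation, or "*" for any
    dst: str       # destination network in CIDR notation, or "*" for any

    def matches(self, protocol, src_ip, dst_ip):
        if self.protocol not in ("*", protocol):
            return False
        for net, ip in ((self.src, src_ip), (self.dst, dst_ip)):
            if net != "*" and ip_address(ip) not in ip_network(net):
                return False
        return True

# The implicit last rule: anything not explicitly allowed above it is denied.
DEFAULT_RULE = Rule("Default rule", "deny", "*", "*", "*")

def evaluate(policy, protocol, src_ip, dst_ip):
    """First-match evaluation from the top of the list down to the default rule."""
    for rule in list(policy) + [DEFAULT_RULE]:
        if rule.matches(protocol, src_ip, dst_ip):
            return rule.action, rule.name

def _net_covers(outer, inner):
    """True when every address in selector `inner` is also in selector `outer`."""
    if outer == "*":
        return True
    return inner != "*" and ip_network(inner).subnet_of(ip_network(outer))

def shadowed_rules(policy):
    """Names of rules that can never fire because an earlier rule covers them."""
    shadowed = []
    for i, later in enumerate(policy):
        for earlier in policy[:i]:
            if (earlier.protocol in ("*", later.protocol)
                    and _net_covers(earlier.src, later.src)
                    and _net_covers(earlier.dst, later.dst)):
                shadowed.append(later.name)
                break
    return shadowed

# Constructed sample policy: the deny above the allow wins for the DMZ segment,
# and the last rule is entirely covered by the one above it (dead rule).
POLICY = [
    Rule("Deny HTTP to DMZ", "deny", "HTTP", "*", "10.0.2.0/24"),
    Rule("Allow HTTP from clients", "allow", "HTTP", "10.0.1.0/24", "*"),
    Rule("Allow HTTP from one client", "allow", "HTTP", "10.0.1.10/32", "*"),
]
```

Swapping the first two rules makes HTTP to the DMZ segment allowed, which is exactly the ordering mistake the audit is meant to catch.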
Modifying Firewall Policy Rules
If the Network Template Wizard was run, and a default policy other than Block All was enacted, then a set of predefined rules should already exist on the newly configured ISA server. To modify one of these rules, double-click it. The properties box for a rule, shown in Figure 5.10, contains multiple configuration options on each of the tabs as follows:
Figure 5.10. Modifying Firewall Policy Rules.
After any changes are made, click the OK button, click Apply in the Central Details pane, and OK again to save changes to the rule.
Creating Firewall Policy Rules
Firewall policy rules are powerful and highly customizable, and can be used to set up and secure access to a wide range of services and protocols. So it may seem surprising that creating an access rule to allow or deny specific types of traffic is relatively straightforward. To set up a new rule, perform the following steps: