Understanding Firewall Policy Rules

Firewall policy rules are distinct from network rules in that they define what types of traffic and applications will be supported between the network segments. For example, an administrator may want to configure a firewall rule to allow web traffic from internal clients to the Internet. Firewall Policy Rules, shown in Figure 5.9, are the heart of ISA's firewall functionality. They define what is allowed and what is denied for specific networks, users, and protocols.

Figure 5.9. Examining firewall policy.

Firewall policy configuration should be well understood before ISA administration is attempted. Incorrectly configured rules can open up the wrong type of access to an environment and invite hackers in. It is therefore important to audit these settings on a regular basis as well as to ensure that they are set in the way that is necessary for functional security.

The basic rule of thumb with ISA firewall policy rules is to deny all traffic unless a specific need has been established that the traffic will be allowed. The key to a successful ISA firewall deployment is to identify the entire range of functionality that will be necessary in advance, and then to create individual rules to reflect that functionality.

Firewall rules are applied to network traffic from top to bottom in the list. This is important to note because specific rules may need to be applied before other ones are. For example, if a rule at the top of the list is set to deny HTTP traffic to a particular network segment, and a later rule allows it, the traffic is denied because it hits the upper rule first. Rule placement is therefore an important component of an ISA firewall policy.

To move rules up or down in the policy list, select a rule by clicking on it and then click the link titled Move Selected Rules Down or Move Selected Rules Up, depending on the specific need.

It should be noted that the last rule on an ISA Server is the default rule to deny all traffic if not already specified. So if there isn't a specific rule above the default rule that allows for a certain protocol or activity, that protocol is blocked by the default rule. This rule exists to preserve security: The ISA server is configured to allow only predefined activities to occur, and anything not explicitly stated is disallowed.

Modifying Firewall Policy Rules

If the Network Template Wizard was run, and a default policy other than Block All was enacted, then a set of predefined rules should already exist on the newly configured ISA server. Double-clicking on these rules individually is the way to modify them. The properties box for a rule, shown in Figure 5.10, contains multiple configuration options on each of the tabs as follows:

  • General tab The General tab allows for modification of the rule name and also can be used to enable or disable a rule. A disabled rule still shows up in the list, but is not applied.

  • Action tab The Action tab defines whether the rule allows or denies the type of traffic defined in the rule itself. In addition, it gives the option of logging traffic associated with the rule (the default) or not.

  • Protocols tab The Protocols tab is important in the rule definition. It defines what type of traffic is allowed or denied by the rule. The rule can be configured to apply to all outbound traffic, selected protocols, or all outbound traffic except for the types selected. Default protocol definitions that come with ISA server can be used, as well as any custom protocol definitions that are created. In addition, this tab is where the port filtering and Application-layer filtering options are accessed, via the Filtering and Ports buttons.

  • From tab The From tab defines the network or networks from which the traffic to which the rule applies originates.

  • To tab The To tab reverses this, and makes it possible to define the destination network or networks at which the particular traffic is aimed.

  • Users tab The Users tab, normally set to All Users by default, is used only when the full ISA Firewall client is deployed on client desktops. The client software allows unique users to be identified, allowing for specific rules to apply to each one as a group or individual user. For example, a group could be created whose members have full web access, whereas others are restricted.

  • Schedule tab The Schedule tab allows for the rule to apply during only specific intervals and to be inactive in others.

  • Content Types tab The Content Types tab enables an administrator to specify whether the rule is applied to only specific types of HTTP traffic, or whether it applies to all traffic.

Figure 5.10. Modifying Firewall Policy Rules.

After any changes are made, click the OK button, click Apply in the Central Details pane, and OK again to save changes to the rule.
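The ordering and default-deny behaviour described above, together with the per-tab rule properties, can be modelled in a few lines. The following is an added illustration written for this page, not code from ISA Server or from the book: each Rule carries the fields the tabs expose (enabled, action, protocol selection method, From/To networks, user sets, schedule), and Policy.evaluate walks the list top to bottom, returning the first matching rule or the implicit Default rule. The network, protocol and user-set names in sample_policy are constructed for the example.

```python
"""Model of ISA 2004 access-rule evaluation: top-to-bottom, first match wins,
implicit default deny. Added illustration only, not ISA Server code."""
from dataclasses import dataclass, field
from typing import FrozenSet, List, Tuple

# Protocols tab selection methods
ALL = "all"                 # All outbound traffic
SELECTED = "selected"       # Selected protocols
ALL_EXCEPT = "all_except"   # All outbound traffic except selected


@dataclass(frozen=True)
class Rule:
    name: str                                       # General tab
    action: str                                     # Action tab: "allow" or "deny"
    protocol_mode: str = ALL                        # Protocols tab
    protocols: FrozenSet[str] = frozenset()
    sources: FrozenSet[str] = frozenset({"Internal"})        # From tab
    destinations: FrozenSet[str] = frozenset({"External"})   # To tab
    users: FrozenSet[str] = frozenset({"All Users"})         # Users tab
    hours: Tuple[int, int] = (0, 24)                # Schedule tab: active [start, end)
    enabled: bool = True                            # General tab: disabled rules stay listed but are skipped

    def matches_protocol(self, proto: str) -> bool:
        if self.protocol_mode == ALL:
            return True
        if self.protocol_mode == SELECTED:
            return proto in self.protocols
        return proto not in self.protocols          # ALL_EXCEPT

    def matches(self, proto, src, dst, user_sets, hour) -> bool:
        if not self.enabled:
            return False
        start, end = self.hours
        return (self.matches_protocol(proto)
                and src in self.sources
                and dst in self.destinations
                and ("All Users" in self.users or bool(self.users & user_sets))
                and start <= hour < end)


@dataclass
class Policy:
    rules: List[Rule] = field(default_factory=list)

    def evaluate(self, proto, src, dst, user_sets=frozenset(), hour=12):
        """Return (action, rule name) of the first rule that matches; otherwise
        the last, implicit rule denies everything not explicitly allowed."""
        for rule in self.rules:
            if rule.matches(proto, src, dst, user_sets, hour):
                return rule.action, rule.name
        return "deny", "Default rule"

    def _index(self, name: str) -> int:
        for i, r in enumerate(self.rules):
            if r.name == name:
                return i
        raise KeyError(name)

    def move_up(self, name: str) -> None:      # "Move Selected Rules Up"
        i = self._index(name)
        if i > 0:
            self.rules[i - 1], self.rules[i] = self.rules[i], self.rules[i - 1]

    def move_down(self, name: str) -> None:    # "Move Selected Rules Down"
        i = self._index(name)
        if i < len(self.rules) - 1:
            self.rules[i + 1], self.rules[i] = self.rules[i], self.rules[i + 1]


def sample_policy() -> Policy:
    """Constructed sample policy: a deny placed above an allow, an admin-only
    rule limited to business hours, and a disabled rule."""
    return Policy([
        Rule("Block HTTP to DMZ", "deny", SELECTED, frozenset({"HTTP"}),
             destinations=frozenset({"DMZ"})),
        Rule("Allow web", "allow", SELECTED, frozenset({"HTTP", "HTTPS"}),
             destinations=frozenset({"External", "DMZ"})),
        Rule("Allow all for admins", "allow", ALL,
             users=frozenset({"Admins"}), hours=(8, 18)),
        Rule("Allow FTP", "allow", SELECTED, frozenset({"FTP"}), enabled=False),
    ])


if __name__ == "__main__":
    p = sample_policy()
    print(p.evaluate("HTTP", "Internal", "DMZ"))      # deny: upper rule hit first
    print(p.evaluate("FTP", "Internal", "External"))  # default deny: FTP rule disabled
    p.move_down("Block HTTP to DMZ")                  # placement changes the outcome
    print(p.evaluate("HTTP", "Internal", "DMZ"))      # now allowed by "Allow web"
```

Running the script shows why placement matters: HTTP to the DMZ is denied while the deny rule sits above the allow rule, and allowed once it is moved down one position. The disabled FTP rule never matches, so FTP falls through to the default rule.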

Creating Firewall Policy Rules

Firewall policy rules are powerful and highly customizable, and can be used to set up and secure access to a wide range of services and protocols. So it may seem surprising that creating an access rule to allow or deny specific types of traffic is relatively straightforward. To set up a new rule, perform the following steps:

1. From the ISA Management Console, click on the Firewall Policy node in the console tree.

2. Click on the Tasks tab in the Tasks pane.

3. Click the link titled Create New Access Rule.

4. Enter a descriptive name for the new rule and click Next.

5. Select whether the rule will allow or deny traffic and click Next.

6. On the next dialog box, choose whether the rule will apply to all traffic, all traffic except certain protocols, or selected protocols. In this example, Selected protocols is chosen. Click the Add button to add them.

7. To add the protocols, select them from the Protocols list shown in Figure 5.11 and click Add and then Close. The list is sorted by category to provide for ease of selection.

Figure 5.11. Creating firewall access rules.

8. Click Next to continue to the Source Network dialog box.

9. Click Add to add a source for the rule and then select the source network by clicking Add and then clicking Close.

10. Click Next to continue to the Destination Network dialog box.

11. At the Destination Network dialog box, click Add to add a destination for the rule, select the destination network by clicking Add and then clicking Close, and click Next to continue.

12. Leave the User Sets dialog box at the defaults and click Next.

13. Review the settings and click Finish.

14. Click Apply in the Central Details pane and click OK after it has been confirmed.

    Source: Microsoft Internet Security and Acceleration (ISA) Server 2004 Unleashed
    ISBN: 067232718X
    Year: 2005
    Pages: 216
    Authors: Michael Noel