CHAPTER 4

                CONFIGURING INTERNET SECURITY USING ACCESS

                                                         POLICIES

 

 

One of the primary functions of ISA Server is to connect your local network to the Internet while

protecting your local network from malicious content originating from external sources.

 

 

 

Controlling Outgoing Requests

 

When ISA Server processes an outgoing request, it checks routing rules, site and content rules,

and protocol rules to determine whether access is allowed.

 

For outgoing request, rules and packet filters are processed in the following order:

 

• Protocol rules (if disabled, ISA will not work)
• Site and content rules
• IP packet filters (not good)
• Routing rules or Firewall Chaining configuration.

 

 

To get access to the Internet, you need at least these:

 

•   A protocol rule.  This allows all internal clients to use any protocol at all times.
•   A Site and content rule.  This allows everyone access to content on all sites at all times. 

NOTE:   that this rule allows internal clients access to the Internet without allowing external

clients access to your network.

 

 

Rules and Authentication

 

Protocol rules and site and content rules can be configured to allow or to deny specific users access

to chosen protocols, Internet sites, or content.  Secure clients cannot authenticate.

 

 

SecureNAT Clients and Authentication

 

SecureNAT client requests all non-Web Internet requests from clients that do not have Firewall

Client installed.  For example, mail and news requests are treated as SecureNAT sessions when the

client computers on which the requests are made do not have the Firewall Client software enabled.

 

 

 

 

 

 

=====================================================================

 

winisa4.html                                                     PAGE 2                                                   2002/05/25

 

 

 

Firewall Clients and Authentication

 

Firewall clients provide user name and computer name information to ISA Server when making a

request. If there are additional protocol rule denying access to user John, he will be denied access

if he makes a non-Web from a Firewall client.

 

 

Web Proxy Clients and Authentication

 

Web Proxy client requests are anonymous by default, but there are two conditions that force Web

Proxy clients to provide user identification.

 

When either of the following conditions is met, rules that are configured for specific users or groups

are enforced for Web Proxy client sessions:

 

The default ISA Server properties have been modified to require authentication for outgoing Web requests.

Access policy includes an allow-type rule (whether a protocol rule or a site and content rule) that

is configured for specific users or groups.

 

 

 

Web Requests:

 

ISA Management, right-click the applicable array and then click Properties.

On the Incoming Web Requests tab or on the Outgoing Web Requests tab, click the Ask Unauthenticated

Users for Identification check box.

 

NOTE:  This change will not take effect until Web Proxy is restarted.

 

NOTE:  User sessions open until you kick them off!  Normally these types

Of changes are don on off hours.

 

 

ISA Server System Security (System Hardening)

 

ISA Server includes the ISA Server Security Configuration wizard which you can use to apply the full

range of system security settings to all the servers in an array.  The ISA Server Security Configuration

wizard allows you to select any of the following security levels:  (templates)

 

Dedicated.  This setting is appropriate when ISA Server is functioning as a fully dedicated firewall,

with no other interactive applications.

 

Limited Services.  This setting is appropriate when ISA Server is functioning as a combined firewall

and cache server.  It may be protected by an additional firewall.

 

Secure.  This setting is appropriate when the ISA Server computer has other servers installed on it,

such as an IIS server, database, or SMTP servers.

 

 

 

 

=====================================================================

 

winisa4.html                                                     PAGE 3                                                   2002/05/25

 

 

 

 

You can launch the ISA Server Security Configuration Wizard by selecting the Computers folders in

ISA Management, right-clicking the server icon of the server you want to configure in the details pane,

and selecting Secure from the shortcut menu.

 

 

 

Lesson Summary:

 

•   You can use ISA Server to configure an access policy, which consists of site and content rules,

protocols rules, and IP packet filters. 

•   SecureNAT clients do not provide user identification, and when rules require authentication,
•   SecureNAT client requests denied.
•   To enhance system security, ISA Server includes the ISA Server Security Configuration wizard,

which you can use to apply a full range of system security settings to all the servers in an array.

 

 

Lesson 2:  Creating Customized Policy Elements

 

In any access policy, each specified parameter such as content type, schedule, client set, and destination is

called a policy element.

 

 

Policy Elements

 

Policy elements are the parameters or building blocks of policy rules.  For example, when you deny a set

of clients access to certain Web content at certain times, the client set, the Web content, and the specified

times all represent policy elements.  Policy elements can be created at the enterprise level or array level,

and they include:

 

Schedules.  Work hours, allow or deny certain times of the day.

 

Bandwidth priorities.  1-200.

 

Destination sets.  A destination set is a computer name, IP address, domain name, or IP range,

and each of these destination sets can include a path.

 

Client address sets.  You can apply rules to one or more client address sets or to all addresses

except the specified client address sets.  SecureNAT cannot authenticate.

 

Protocol definitions.  Protocol definitions included with ISA Server cannot be modified or

deleted.  When you create a protocol definition, you specify the following:

 

 

 

=====================================================================

 

winisa4.html                                                     PAGE 4                                                   2002/05/25

 

 

 

 

 

Port number.  This is a port number between 1-65535 that is used for the initial connection.

 

Low-level protocol.  This is either TCP or UDP.

 

Direction.  These are Send only, Receive only, Send receive, and Receive send.

 

Secondary connections (Optional).  This is the range of port numbers, protocol, and direction used

for additional connections or packets that follow the initial connection.  You can configure one or

more secondary connections.  List port numbers, protocol.txt @ Root of C.

 

 

Configuring Content Groups

 

Content groups specify Multipurpose Internet Mail Extensions (MIME) types and file name extensions.

 

Content groups apply only to Hypertext Transfer Protocol ( HTTP), FTP traffic, which passed through

the Web Proxy service.

 

When a client requests FTP content, ISA Server checks the file name extension of the requested object. 

ISA Server determines if a rule applies to a content group that includes the requested file name extension

and processes the rule accordingly.

 

For example, to include all Directory files in a content group, select the following file name extensions

and MIME types:

 

.dir

.dxr

.dcr

application/x-director

 

 

 

Lesson Summary:

 

•   Creating customized policy elements enables you to apply policy rules to particular aspects of your

network.  Policy elements types include schedules, bandwidth priorities, destination sets, client address

sets, protocol definitions, content groups, and dial-up entries.

•   You can create a schedule type if you need to apply rules at times that do not match either of ISA
•   Server’s preconfigured schedules, which are Work Hours and Weekends.

 

 

Lesson 3:  Configuring Protocol Rules

 

Protocol rules specify which particular protocols are allowed to pass through ISA Server from which clients

and at what times.

 

 

 

=====================================================================

 

winisa4.html                                                     PAGE 5                                                   2002/05/25

 

 

 

 

Protocol Rules

 

You can define protocol rules that allow or deny use of one or more protocol definitions.  You can configure

protocol rules to apply to all IP traffic or to a specific set of protocols definitions.  (Allow or Deny access)

 

 

Protocol Availability

 

ISA Server includes a list of 86 preconfigured, well-known protocol definitions, including the most widely used

Internet protocols.  Note that is ISA Server is installed in Cache mode, protocol rules can be applied only

to HTTP, HTTPS, Gopher, and FTP protocols.

 

For example, even if you disable SMTP filter, SMTP packets may still be allowed to pass because the SMTP

protocol is defined by ISA Server and not by the SMTP filter.

 

NOTE:  Active Directory will shut down if you shut down SMTP, SMTP needed to access Active Directory

and Replication.

 

 

Processing Order

 

Unlike routing rules, protocol rules are not given order of priority, but denying type protocol rules take priority

over rules that allow access.  They are applied in no specific order.

 

 

Array-Level and Enterprise-Level Protocol Rules

 

Protocol rules can be created at both the array level and at the enterprise level.  When an array policy is

permitted in addition to an enterprise policy, the array policy’s protocol rules can only further restrict enterprise-

level protocol rules.

 

 

Web Protocols

 

When you select Protocol Rules on the scope pane in ISA Management, you can use the taskpad in the details

pane to create a protocol rule that allows users to access the Internet by using only specific Web Protocols.

 

 

**** See the charts on page 156 –160 *****

 

 

 

=====================================================================

 

winisa4.html                                                     PAGE 6                                                   2002/05/25

 

 

 

 

Know FTP = Port number 21                             Telnet = 23

           POP3 = 110                                               Http= 80

           SMTP = 25                                                 Https= 443

 

 

Lesson Summary:

 

By creating protocol rules, you allow or refuse to allow clients to pass through ISA Server based on

particular protocols or sets of protocols.

 

The protocols you can reference in protocol rules include a list of preconfigured definitions in ISA Server

of the most commonly used protocols for networking and Internet services.

 

 

Lesson 4:  Configuring Site and Content Rules

 

As with protocol rules, you can apply site and content rules to any combination of specific computers,

users, IP addresses and schedules.

 

Site and content rules determine if and when users or client addresses sets can access specific content on

specific destination sets.

 

 

Processing Order

 

Unlike routing rules, site and content rules are not given order or priority, but deny-type site and content

rules take priority over rules that allow access.  For example, if you create two rules, one of which allows

access to any request and one which denies access to all users in the Sales department, the Sales

department cannot gain access to the Internet.

 

 

Allow and Deny Actions

 

Site and content rules can either allow or deny access to specific sites.  If access is denied, for HTTP

objects, the request can be redirected to an alternate Uniform Resource Locator (URL), typically a page

on an internal server, explaining why access is denied.  Deny still overrules.

 

 

Destination Sets and Path Processing

 

When you create a site and content site, you specify which destinations are accessible.   Destination sets

can include IP addresses of specific computers or computer host names.

 

For example, for certain clients and protocols, ISA Server will ignore any path specified in the destination

set.

 

 

 

=====================================================================

 

winisa4.html                                                     PAGE 7                                                   2002/05/25

 

 

 

 

When enforcing a rule for a given request, and when path processing is not supported for the content

associated with the request, the ISA Server ignores any destination in the rule that specifies a path.

 

NOTE:  No fine tuning for Deny or Allow, applies to all.

 

 

Lesson Summary:

 

•   Site and content rules determine if and when users or client address sets can access specific content on

specific destination sets.

•   When you create a site and content rule, you specify which destinations are accessible. 

Destination sets can include IP addresses of specific computers, computer names,

path names, or Web addresses.

 

 

 

Lesson 5:  Configuring IP Packet Filters

 

IP packet filters allow or block packets from passing through specified ports.  In a simple network,

you do not normally need to create IP packet filters to provide secure Internet access for your

client computers.

 

 

When to Use IP Packet Filters

 

 

•   You should not create an IP packet filter that opens port 80.  It will be a security risk.  Rather,

you should create the necessary site and content rule and protocol rule that allows this access.

However, in some scenarios, you must use IP packet filters.  Configure IP packet filters when:

•   You publish servers that are located on a perimeter network (or DMS, demilitarized zone, and

screened subnet). 

•   You run applications or other services on the ISA Server computer that need to

access the Internet.  You want to allow access to protocols that are not based on UDP or TCP.

 

 

 

=====================================================================

 

winisa4.html                                                     PAGE 8                                                   2002/05/25

 

 

 

 

Creating IP Packet Filters

 

With IP packet filters, you can intercept and either allow or block packets destined for specific

computers on your corporate network.  You can configure two types of static IP packet filters: 

allow filters and block filters.

 

IP Packet filters are defined by the following parameters:

 

Servers.  The filter allows or blocks communication on the specified server.

 

Protocol, port, and direction.  The filter allows or blocks traffic at the specified port,

using the specified protocol in the specified direction.

 

Local host.  This is the name of the computer in the internal network for which

communications is open or blocked.

 

Remote host.  This is the name of the computer on the Internet for which

communication is allowed or blocked.

 

 

IP Fragment Filtering

 

When you check the Enable Filtering Of IP Fragments check box, you allow the Web Proxy

service and Firewall service to filter packet fragments.

 

Do not enable IP fragment filtering if you want to allow video streams or quality audio streams

to pass through ISA Server.

 

 

Logging Packets

 

All packets that pass through ISA server can be logged to the packet filter log.  You can

configure exactly which packets are logged by following these guidelines:

 

 

•   By default, when you install ISA Server, all dropped packets are logged to the

packet filter log. 

•   You can configure ISA Server to disable logging for packets that are dropped due to

any specific block-mode IP packet filter.

•   You can configure ISA Server to log all packets, allowed and dropped that are

communicated by way of ISA Server.

 

 

NOTE:  If your ISA Server computer is connected to the Internet via a dedicated line through a

network adapter (and not via a dial-up line through a modem), you do not need to create IP

packet filters to establish Web access on the ISA Server computer.  Port = 8080 Internal.

 

 

 

Lesson Summary:

 

•   Through access policy rules and publishing rules are the preferred means of allowing access

to and from your network.

•   You can configure three types of options of IP packet filters:  IP fragment filtering, IP option

filtering, and “Allow” filter logging.

 

 

 

=====================================================================

 

winisa4.html                                                     PAGE 9                                                   2002/05/25

 

 

 

 

Lesson 6:  Configuring ISA Server to Detect External Attacks

and Intrusions

 

You can configure ISA Server to detect common types of network attacks.  You can also configure

ISA Server to respond to detected intrusions by sending an e-mail, starting a specified program,

and starting or stopping selected ISA Server services.

 

When an attack is detected by ISA Server, ISA Server performs a set of configured actions

(or alerts).  The following events are considered intrusions:

 

Port scan attack.  Two types of port scan attacks trigger an alert in ISA Server:  All Ports

Scan

 

Attacks and Enumerated Port Scan Attacks. (counts the services running)

 

IP half scan attack.  This alert notifies that repeated attempts to a destination computer

were made, and no corresponding ACK (acknowledge) packets were communicated. 

If the destination computer is not waiting for the connection on the specified port, it

responds with an RST (reset) packet.

 

Land attack.  This alert notifies that a TCP SYN packet was sent with a spoofed

source IP address and port number that matches that of the destination IP address

and port.

 

Ping of death attack.  This alert notifies you that a large amount of information was

appended to an ICMP echo request (ping) packet.

 

UDP bomb attack.  A UDP packet that is constructed with illegal values in certain

fields will cause some older operating systems to crash when the packet is received.

 

Windows out-of-band attack.  (WinNuke)  This alert notifies you that there was an

out-of-band denial-of-service attack attempted against a computer protected by ISA

Server.

 

 

 

=====================================================================

 

winisa4.html                                                     PAGE 10                                                 2002/05/25

 

 

 

 

NOTE:  A Well-known port is any port in the range of 0-1023

 

 

 

Lesson Summary:

 

•   When you enable intrusion detection on the IP Packet Filters properties dialog box in ISA
•   Management, you can configure ISA Server to detect any of six common network attacks.
•   These attacks include a port scan attack, an IP half scan attack, and land attack, a ping of

death attack, a UDP bomb attack, and a Windows-out-of-band (WinNuke) attack).

•   You can also configure ISA Server to respond to attacks by sending an e-mail to an

administrator, by specified program, or by starting or stopping selected ISA Server services.