Advanced Application and Web Filtering

Common security attacks
• Finding a way into the network
• Exploiting software bugs, buffer overflows
• Denial of Service
• TCP hijacking
• Packet sniffing
• Social problems

Common security attacks
• Finding a way into the network → Firewalls
• Exploiting software bugs, buffer overflows → Intrusion Detection Systems
• Denial of Service → Ingress filtering, IDS
• TCP hijacking → IPSec
• Packet sniffing → Encryption (SSH, SSL, HTTPS)
• Social problems → Education

Types of Firewalls
• Packet Filtering
• Stateful Inspection
• Application-Layer Inspection

Application filter and Web Filter
• Application filters work with the firewall service in ISA Server to intercept and process network packets as they pass through ISA Server
• Application filters examine the application-level
• Web filters are used to mediate HTTP, HTTPS, and FTP tunneled

Application Filters
• SMTP filter
• DNS filter
• POP Intrusion Detection filter
• SOCKS V4 filter
• FTP Access filter
• H.323 filter
• MMS filter
• PNM filter
• PPTP filter
• RPC filter
• RTSP filter

The SMTP Filter
If a command that is sent over the SMTP channel is not on this list, it is dropped.

The DNS Filter
Three attacks:
• DNS host name overflow
• DNS length overflow
• DNS zone transfer

The SOCKS V4 Filter

Web Filters
• HTTP Security filter
• ISA Server Link Translator
• Web Proxy filter
• SecurID filter
• OWA Forms-based Authentication filter

The HTTP Security Filter (HTTP Filter)
• HTTP Security Filter Settings
• HTTP Security Filter Logging
• Disabling the HTTP Security Filter for Web Requests
• Exporting and Importing HTTP Security Filter Settings
• Investigating HTTP Headers for Potentially Dangerous Applications
• Example HTTP Security Filter Policies
• Commonly Blocked Application Signatures
• The Dangers of SSL Tunneling

Overview of HTTP Security Filter Settings

The General tab can configure the following options:
• Maximum header length
• Payload length
• Maximum URL length
• Verify normalization
• Block high bit characters
• Block responses containing Windows executable content

• The Methods tab controls what HTTP methods are used through an Access Rule or Web Publishing Rule
• Three options:
– Allow all methods
– Allow only specified methods
– Block specified methods (allow all others)
• Add new method

• The Extensions tab controls what file extensions are allowed to be requested through the ISA firewall
• Options:
– Allow all extensions
– Allow only specified extensions
– Block specified extensions (allow all others)
– Block requests containing ambiguous extensions
• Add file extensions

• An HTTP header contains HTTP communication-specific information that is included in HTTP requests made from a Web client and HTTP responses sent back to the Web client from a Web server.
• Options on the Header tab:
– Allow all headers except the following
– Server header
– Via header

Common HTTP headers:
• Content-length
• Pragma
• User-Agent
• Accept-Encoding

The Via Header
The Server Header Option

• The Signatures tab allows you to control access through the ISA firewall based on HTTP signatures you create
• These signatures are based on strings contained in components of an HTTP communication:
– Request URL
– Request headers
– Request body
– Response headers
– Response body

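The request-side checks from the General, Methods, Extensions and Signatures tabs above, as an added example that is not ISA Server code or configuration: a Python model of how such a filter evaluates one request. The policy values, the `ExampleP2P` signature string and the sample requests are constructed, and "Verify normalization" is modelled on the assumption that a URL which still changes on a second decoding pass is rejected.

```python
import posixpath
from urllib.parse import unquote, urlsplit

# Constructed policy values for illustration; not ISA Server defaults.
POLICY = {
    "max_url_length": 260,                                # General: Maximum URL length
    "verify_normalization": True,                         # General: Verify normalization
    "block_high_bit": True,                               # General: Block high bit characters
    "allowed_methods": {"GET", "HEAD", "POST"},           # Methods: allow only specified
    "blocked_extensions": {".exe", ".bat", ".cmd"},       # Extensions: block specified
    "header_signatures": [("User-Agent", "ExampleP2P")],  # Signatures: hypothetical string
}

def check_request(method, url, headers, policy=POLICY):
    """Return (allowed, reason) for one request, applying the checks in order."""
    if len(url) > policy["max_url_length"]:
        return False, "URL too long"
    if method.upper() not in policy["allowed_methods"]:
        return False, "method not allowed"
    # Decode %XX escapes byte-for-byte so every later check sees the real characters.
    once = unquote(url, encoding="latin-1")
    if policy["verify_normalization"] and unquote(once, encoding="latin-1") != once:
        # Assumption: a URL that still changes on a second decode is double-encoded.
        return False, "URL not normalized"
    if policy["block_high_bit"] and any(ord(ch) > 0x7F for ch in once):
        return False, "high-bit character in URL"
    # Extension is taken from the decoded path, so /setup%2Eexe is seen as .exe.
    ext = posixpath.splitext(urlsplit(once).path)[1].lower()
    if ext in policy["blocked_extensions"]:
        return False, "blocked extension"
    for name, needle in policy["header_signatures"]:
        if needle.lower() in headers.get(name, "").lower():
            return False, "signature match in " + name
    return True, "ok"

# Constructed sample requests (method, URL, headers).
SAMPLES = [
    ("GET", "/index.html", {"User-Agent": "Mozilla/5.0"}),
    ("TRACE", "/", {}),
    ("GET", "/docs/%252e%252e/file.txt", {}),
    ("GET", "/caf%E9.html", {}),
    ("GET", "/tools/setup%2Eexe", {}),
    ("GET", "/", {"User-Agent": "ExampleP2P/1.0"}),
]

if __name__ == "__main__":
    for method, url, headers in SAMPLES:
        print(method, url, check_request(method, url, headers))
```
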
The ISA Server Link Translator
• Link Translation solves a number of issues that may arise for external users connecting through the ISA firewall to an internal Web site
Link Translation Tab in Web Publishing Rule Properties

The Web Proxy Filter
• The Web Proxy filter allows connections from hosts not configured as Web Proxy clients to be forwarded to the ISA firewall’s Cache and Web Proxy components

The OWA Forms-Based Authentication Filter
• Used to mediate Forms-based authentication to OWA Web sites that are made accessible via ISA firewall Web Publishing Rules.

IP Filtering and Intrusion Detection/Intrusion Prevention
• Common Attacks Detection and Prevention
• DNS Attacks Detection and Prevention
• IP Options and IP Fragment Filtering

Common Attacks Detection and Prevention

DNS Attacks Detection and Prevention
• DNS host name overflow
• DNS length overflow
• DNS zone transfer

IP Options and IP Fragment Filtering
The IP Options Tab
The IP Fragments Tab