Module 6: Configuring the Firewall
Download
Report
Transcript Module 6: Configuring the Firewall
Module 6:
Configuring the Firewall
Overview
Securing the Server
Examining Perimeter Networks
Examining Packet Filtering and IP Routing
Configuring Packet Filtering and IP Routing
Configuring Application Filters
Microsoft® Internet Security and Acceleration (ISA)
Server 2000 includes several security features to help
you enforce your security policies. The ISA Server
Security Configuration Wizard enables you to set the
appropriate level of system security for the operating
system. Packet filtering helps prevent unauthorized
access to your internal network by inspecting incoming
traffic and blocking packets that do not meet your
specified security criteria. Internet Protocol (IP) routing
allows you to forward network packets according to
rules that you define. Application filters control
application-specific traffic to determine if network traffic
should be accepted, rejected, redirected, or modified.
Important:
The packet filtering and routing functions of ISA Server
provide more enhanced security than the packet
filtering and routing functions of the Microsoft
Windows® 2000 Routing and Remote Access. To
provide the most comprehensive security for your
internal network, use ISA Server, not the Routing and
Remote Access service, to configure packet filtering
and routing on an ISA Server computer.
After completing this module, you will be able to:
Secure the ISA Server computer.
Explain the use of perimeter networks.
Explain the use of packet filtering and IP routing.
Configure packet filtering and IP routing.
Configure application filters.
Securing the Server
Best Practices
Setting System Security
ISA Server is an important component of an overall
security strategy, but network security consists of many
elements. Using security best practices will also help
you to secure your network effectively.
ISA Server includes the ISA Server Security
Configuration Wizard, which you can use to apply
system security settings to a single ISA Server
computer or to all of the servers in an array. The ISA
Server Security Configuration Wizard uses security
templates that are included with Microsoft Windows
2000 Server to configure the operating system for
different levels of security. You can set the appropriate
level of system security, depending on how ISA Server
functions in your network.
Best Practices
Stay Informed About Security Issues
Install the Latest Service Pack and Security Updates
Do Not Run Unnecessary Services or Accept Unnecessary Packets
Audit Security-Related Events and Review the Associated Log Files
Document All Aspects of Your Network Configuration
Understand the Network Protocols that You Use With ISA Server
Maintain Physical Security
Best Practices
Because the ISA Server computer is often directly
connected to the Internet, it is important that you
adequately secure that computer. The following list
presents security best practices to use as guidelines
when securing computers in your network, and
particularly the ISA Server computer:
Stay Informed About Security Issues
Slay informed about security issues pertaining to
Windows 2000 and ISA Server. For security bulletins
and other security-related information, see the Microsoft
Security Web site at
http://www.microsoft.com/security.
You may also want to subscribe to security-related
mailing lists.
Install the Latest Service Pack and Security Updates
Install the latest service pack and security updates.
Before installing any service packs or updates, test
them thoroughly in a lab environment.
Do Not Run Unnecessary Services or Accept Unnecessary Packets
Do not run unnecessary services on the ISA Server
computer, and configure ISA Server with rules that allow
only required network traffic to pass through the ISA
Server computer.
Audit Security-Related Events and Review the Associated Log Files
Audit security-related events and frequently review the
associated log files.
Note:
For more information about Windows 2000 auditing, see
Module 9, "implementing Security in Windows 2000," in
Course 2152, Implementing Microsoft Windows 2000
Professional and Server. For more information about
monitoring ISA Server security, see Module 8,
"Monitoring and Reporting," in Course 2159A,
Deploying and Managing Microsoft Internet Security and
Acceleration Server 2000.
Document All Aspects of Your Network Configuration
Document all aspects of your network configuration.
Maintaining documentation helps you to detect
intrusion and recover from intrusion incidents.
Understand the Network Protocols that You Use With ISA Server
Understand the network protocols that you use with ISA
Server. A thorough understanding of these protocols
will help to ensure that you configure ISA Server
properly.
Maintain Physical Security
Maintain physical security. Anyone with physical access
to the ISA Server computer can gain complete control of
the computer.
Setting System Security
Security Level
Server Templates
Domain Controller Templates
Dedicated
Hisecws.inf
Hisecdc.inf
Limited
Services
Securews.inf
Securedc.inf
Secure
Basicsv.inf
Basicdc.inf
Best Practices
When configuring the security settings of the ISA Server
computer, you can use the ISA Server Security
Configuration Wizard to increase the security of several
components of Windows 2000. Securing the ISA Server
computer is especially important when that computer is
directly connected to the Internet.
You can select from one of the following security levels in the ISA
Server Security Configuration Wizard:
Dedicated. Use this setting when an ISA Server computer is
functioning as a dedicated firewall with no other applications.
Limited Services. Use this setting when the ISA Server computer is
functioning as a combined firewall and cache server. An ISA Server
computer can also be protected by an additional firewall.
Secure. Use this setting when the ISA Server computer performs
other functions, such as running a Web server, a database server, or
a mail server.
Caution:
The ISA Server Security Configuration Wizard changes several
operating system settings to pre-configured values. To change all
of these settings back to the original values, you must document or
export the settings before running the wizard and then reconfigure
all of the values. ISA Server includes no automatic method of
reverting back to the original values.
Applying Security Templates
The security template that the ISA Server Security
Configuration Wizard applies depends on the security
setting that you select and the type of computer that
you are using.
To run the ISA Server Security Configuration Wizard, the
systemroot\security\templates folder must
contain the required template. If the required template is
missing, the ISA Server Security Configuration Wizard
fails to run. To add a missing template, you must copy it
from the Microsoft Windows 2000 Server compact disc
to the Templates folder on your computer.
ISA Server uses the templates listed in the following table.
Security level
For a server
Dedicated
Limited Services
Secure
Hisecws.inf
Securews.inf
Basicsv.inf
For a domain
controller
Hisecdc.inf
Securedc.inf
Basicdc.inf
Note:
For more information about security templates, see Module 9,
"Implementing Security in Windows 2000," in Course 2152,
Implementing Microsoft Windows 2000 Professional and Server.
Use the ISA Server Security Configuration Wizard to
apply system security settings to an ISA Server
computer.
To run the Wizard:
1.
In ISA Management, in the console tree, expand your
server or array, and then click Computer or
Computers.
2.
In the details pane, right-click the applicable server,
click Secure, and then follow the on-screen
instructions to complete the wizard.
Viewing Configuration Changes
When you run the ISA Server Security Configuration
Wizard, ISA Server creates a log file of all of the
changes. ISA Server names this file securwiz.log and
places it in the ISA Server installation directory. You can
review this file to see the actions that the wizard
performed.
Examining Perimeter Networks
Perimeter Networks
Three-Homed Perimeter Network
You can deploy ISA Server as a firewall that acts as a
secure gateway to the Internet for internal clients. ISA
Server protects all of the communication between the
internal computers and the Internet. In a simple firewall
design, the ISA Server computer has two network
interface cards, one connected to the local network and
one connected to the Internet. In more complex designs,
such as a design that includes a perimeter network with
one or more published servers, you may also need to
configure the ISA Server computer for IP routing.
Perimeter Networks
Perimeter Network
Internet
Firewall
Internal Network
A perimeter network, also known as a DMZ,
demilitarized zone, or screened subnet, is a small
network that you set up separately from an internal
network and the Internet. Perimeter networks allow
external users to gain access to specific servers that
are located on the perimeter network, while preventing
direct access to the internal network.
Perimeter Network Uses
A perimeter network is commonly used for deploying an
organization's publicly accessible servers, such as email servers and Web servers. Permitting access to the
perimeter network docs not allow access to other
company data that may be available on computers in
the internal network. Even if an external user penetrates
the perimeter network security, only the perimeter
network servers are compromised.
Perimeter Network Configurations
Typically, a perimeter network uses one of the following
configurations:
Back-to-back perimeter network configuration. Uses two ISA
Server computers on either side of the perimeter network to protect
the network.
Note: For more information on how to make server resources in a
back-to-back perimeter network available, see Module 7,
"Configuring Access to Internal Resources," in Course 2159A,
Deploying and Managing Microsoft Internet Security and
Acceleration Server 2000.
Three-homed perimeter network configuration. Uses the same
ISA Server computer with the perimeter network to protect the
internal network. The ISA Server computer is three-homed, which
means that it is connected to three networks: the Internet, the
perimeter network, and the internal network.
Three-Homed Perimeter Network
Perimeter Network
2
Internet
3
1
ISA Server
Computer
Internal Network
In a three-homed perimeter network configuration, a
stand-alone ISA Server computer or an array of ISA
Server computers connects the Internet, the perimeter
network, and the internal network. ISA Server treats
both the Internet and the perimeter network as external
networks, which requires that you enable IP routing to
move network packets between the networks.
Setting Up the ISA Server Computer
To set up an ISA Server computer in a three-homed perimeter
network configuration, install and configure each network adapter
as follows:
1.
Connect one network adapter to the internal network. Include all of
the internal IP addresses in the local address table (LAT).
2.
Connect the second network adapter to the perimeter network. Do
not add the IP addresses of the perimeter network to the LAT.
3.
Connect the third network adapter to the Internet. Do not add any
IP addresses from the Internet to the LAT.
Note:
Placing certain types of servers, especially File Transfer Protocol
(FTP) servers, into three-homed perimeter network configurations
may create security risks. For more information about these risks,
see "Three-homed perimeter network configuration" in ISA Server
Help.
Configuring the Perimeter Network
The Microsoft Web Proxy service and the network
address translation component of the Microsoft Firewall
service move network packets between only an internal
network and an external network or vice versa. Because
ISA Server treats both the Internet and your perimeter
network in a three-homed perimeter network
configuration as external networks, you must use IP
routing to move network packets between the Internet
and the perimeter network.
To set up a three-homed ISA Server computer in a
perimeter network, perform the following actions:
Enable IP routing.
Enable packet filtering.
Create the appropriate IP packet filters to allow routing
of the correct IP packets to each of the servers in the
perimeter network.
For example, to make a Simple Mail Transfer Protocol
(SMTP) server on the perimeter network available to
users on the Internet, you must enable IP routing and
packet filtering. You then need to create an IP packet
filter that configures the ISA Server computer to route
all of the required packets from the Internet to the mail
server.
Examining Packet Filtering
Controlling Network Traffic
Understanding Packet Filtering
Using IP Routing and Packet Filtering
Guidelines for Using Packet Filtering and IP Routing
You can control the flow of IP packets to and from the
external network interface of an ISA Server computer by
using packet filtering and IP routing.
By using packet filtering, you can allow IP packets or
can block IP packets that are destined for the ISA Server
computer or for specific computers on your perimeter
network or internal network. You can also use packet
filtering to block packets that originate from your
internal network.
When you enable routing on a Windows 2000 computer,
that computer routes all traffic between the Internet and
your internal network. In this case, the computer acts as
a router, which is a device that connects separate
networks by forwarding packets between them.
By enabling both packet filtering and IP routing in ISA
Server, you gain the benefits of strict policy
enforcement by using packet filters and establish the
correct routing behavior for protocols that use
secondary network connections after establishing a
primary connection.
Important:
You can enable packet filtering only if you install ISA
Server in Firewall mode or in Integrated mode.
Controlling Network Traffic
Web Proxy Service
Firewall Service -- Proxy
Firewall Service -- Routing
You can use ISA Server to control the flow of IP packets
between different networks, typically your internal
network and the Internet. ISA Server controls IP packets
by using the following services and methods:
Web Proxy service
The Web Proxy service receives outgoing Web requests
from internal Web Proxy clients and then forwards these
requests to Web servers on the Internet. The packets
are never directly exchanged between the internal Web
Proxy client and the Web server on the Internet.
Note:
The Web Proxy service can also process incoming Web
requests for internal Web servers, which is called Web
publishing. For more information about Web publishing,
see Module 7, "Configuring Access to Internal
Resources," in Course 2159A, Deploying and Managing
Microsoft Internet Security and Acceleration Server
2000.
Firewall service — proxy
The Firewall service processes requests from internal
Firewall clients and SecureNAT clients that use the User
Datagram Protocol (UDP) protocol or the Transmission
Control Protocol (TCP) protocol to gain access to
external network resources. The Firewall service
intercepts IP packets, changes the IP header
information, and then sends the packets to the external
server. The IP packets appear to the external server as if
they originated from the ISA Server computer.
Firewall service — routing
The Firewall service can also route IP packets between
networks. Routing forwards network packets between
different networks without changing the IP addresses
and ports in the IP packet header. The Firewall service
also uses rules to determine whether to route a packet.
You define these rules by creating IP packet filters.
Understanding Packet Filtering
Perimeter Network
131.107.2.200
131.107.1.1
131.107.2.1
ISA
Server
192.168.1.1
Packet Filter
Internal Network
Source / Port
Destination / Port
Protocol
Direction
Type
Any / Any
131.107.2.200 / 53
UDP
Incoming
Allow
Packet filtering allows you to control which packets an
ISA Server computer accepts on an external network
interface.
Important:
ISA Server treats all network interfaces that are not
configured with an IP address that is in the LAT as
external. If one or more of the IP addresses that are
associated with a network interface are in the LAT, ISA
Server treats the network interface as internal and does
not apply packet filters.
IP Packet Headers
You control IP packets by using the following IP packet
header information:
Source IP address and port
Destination IP address and port
IP protocol information
When you create a packet filter that allows bi-directional
traffic, ISA Server also dynamically opens the
appropriate ports that allow packets to return to the IP
address and port of the original packet.
For example, you create a packet filter that allows
incoming packets to UDP port 53 on a server on your
perimeter network, and a computer on the Internet
sends a packet to the server. ISA Server automatically
allows outgoing network packets to pass from UDP port
53 on your perimeter network to the IP address and port
number that initiated the connection.
Important:
Dynamic packet filters that allow packets to return to the
IP address and port of the original packet are in effect
for only the duration of the session. Also, you cannot
modify a dynamic rule.
Types of Packet Filters
You control which packets are allowed to traverse an
external network interface of the ISA Server computer
by using the following types of packet filters:
Allow filters
Used to define which packets the external network
adapter accepts. ISA Server accepts packets that meet
the conditions of an Allow filter only.
Block filters
Used to define exceptions to Allow filters. ISA Server
drops packets that meet the conditions of a Block filter,
even though they may also meet the conditions of an
Allow filter. For example, you can create an Allow filter
to permit incoming SMTP traffic to a mail server. You
can then create a Block filter to deny access to the mail
server for an IP address that was the origin of a
previous intrusion attempt. You can also use packet
filters to override protocol rules that allow client
connections.
Using IP Routing and Packet Filtering
Situations That Require IP Routing
Servers in a three-homed perimeter network
Protocols other than UDP and TCP
Situations That Require Packet Filtering
Services running on the ISA Server computer
Applications running on the ISA Server computer
Servers in a three-homed perimeter network
Protocols other than UDP and TCP
In some situations, you must use IP routing, packet
filtering, or both IP routing and packet filtering.
Situations That Require IP Routing
Use IP routing for the following situations:
Servers in a three-homed perimeter network.
ISA Server treats both three-homed perimeter networks and the
Internet as external networks and routes packets between them.
When you allow users on the Internet to connect to a server on a
three-homed perimeter network, you must configure ISA Server to
perform IP routing between these networks.
Note:
Allowing external users to gain access to resources on servers on a
back-to-back perimeter network requires different configuration
steps. For more information about making servers in a back-to-back
perimeter network available to the Internet, see Module 7,
"Configuring Access to Internal Resources," in Course 2159A,
Deploying and Managing Microsoft Internet Security and
Acceleration Server 2000.
Protocols other than UDP and TCP.
The Web Proxy service handles outgoing requests that
are using the Hypertext Transfer Protocol (HTTP),
Hypertext Transfer Protocol-Secure (HTTP-S), or FTP
protocols. The Firewall service handles requests from
any application that uses the UDP and TCP protocols.
For all other protocols, ISA Server must route the
packets.
Situations That Require Packet Filtering
Use packet filtering for the following situations:
Services running on the ISA Server computer. When a
service is running on an ISA Server computer, you must
create an IP packet filter that allows incoming packets
for the port associated with that service.
For example, if the ISA Server computer is also
functioning as an external Domain Name System (DNS)
server, you must allow incoming DNS query packets. To
allow the DNS query packets, create an IP packet filter
that allows incoming packets to the ISA Server
computer on TCP and UDP port 53.
Applications running on the ISA Server computer. When
you run an application on the ISA Server computer that
needs to connect to the Internet, you must create one or
more IP packet filters that allow the appropriate
outgoing packets. An application running on the ISA
Server computer cannot use the Firewall service to
connect to the Internet because configuring the ISA
Server computer as a Firewall client is not supported.
Instead, the application must establish a direct
connection to the Internet, which requires you to create
packet filters that allow the appropriate network traffic.
For example, to allow an e-mail client application that is
running on the ISA Server computer to connect to an
SMTP server, create an IP packet filter that allows
packets to pass from the ISA Server computer to TCP
port 25 on a remote SMTP server.
Important:
Do not create packet filters for outgoing traffic from
internal clients that pass through the Firewall service or
the Web Proxy service. Because ISA Server
automatically and dynamically opens the ports that are
required to handle such communications based on the
protocol rules that you configured, no packet filters are
required provided that all client requests use the TCP or
UDP protocol.
Servers in a three-homed perimeter network. When you
allow users on the Internet to connect to a server on a
three-homed perimeter network, you must create IP
packet filters to open the ports that are required for ISA
Server to accept and route packets to services that are
running on the server in the perimeter network.
For example, to allow external clients to connect to an
SMTP server in a perimeter network, create an IP packet
filter that allows incoming packets for TCP port 25 on
the SMTP server.
Protocols other than UDP and TCP. Because ISA Server
routes all requests from SecureNAT clients that use
protocols other than TCP or UDP, you must configure
the appropriate packet filters to allow this traffic to pass
through the ISA Server computer.
For example, to allow clients to use the Ping utility,
which uses the Internet Control Message Protocol
(ICMP) protocol, create an IP packet filter that allows the
predefined filter "ICMP all outbound" for internal clients.
Guidelines for Using Packet Filtering and IP Routing
Packet Filtering and IP Routing Not Enabled
Packet Filtering Enabled and IP Routing Not Enabled
Packet Filtering and IP Routing Enabled
Packet Filtering Not Enabled and IP Routing Enabled
Use the following guidelines when using packet
filtering, IP routing, or both.
Packet Filtering and IP Routing Not Enabled
When you do not enable packet filtering or IP routing,
ISA Server does not apply packet filters to incoming
network traffic, which lowers the protection of the ISA
Server computer. Use this combination of settings only
to optimize performance and when the external interface
of the ISA Server computer is connected to a network
that you have control over, for example, when using ISA
Server to forward traffic from a branch office by using a
leased line.
Packet Filtering Enabled and IP Routing Not Enabled
When you enable packet filtering, ISA Server drops all of
the IP packets on external network interfaces unless
they are explicitly allowed by static or dynamic rules.
The ISA Server computer also does not forward packets
directly. Use this setting when:
All client connections use the UDP or TCP protocol.
You do not need to forward packets between the Internet
and a three-homed perimeter network configuration.
Packet Filtering and IP Routing Enabled
When combining packet filtering and IP routing, you
gain the security benefits of packet filtering, the ability
to route protocols other than TCP or UDP, and the ability
to route between the Internet and a three-homed
perimeter network. Use this configuration in situations
that require both security and routing.
Packet Filtering Not Enabled and IP Routing Enabled
You cannot configure ISA Server to route packets
without enabling packet filtering because of the low
level of security that such a configuration would
provide. If your network configuration requires a router,
evaluate the Routing and Remote Access service in
Windows 2000.
Configuring Packet Filtering and IP Routing
Enabling Packet Filtering and IP Routing
Creating IP Packet Filters
Configuring Packet Filter Options
You must enable packet filtering and IP routing to
forward IP packets from one external network to another
external network. You can then create IP packet filters to
allow incoming packets for specific ports and services.
To increase the security of your ISA Server computer,
you can configure packet-filtering settings.
Enabling Packet Filtering and IP Routing
IP Packet Filters Properties
General Packet Filters Intrusion Detection PPTP
Use this page to control packet routing and packet
filtering properties.
Select to enable
packet filtering.
Select to enable
IP routing.
Enable packet filtering
Enable Intrusion detection
Enable IP routing
OK
Cancel
Apply
When you enable packet filtering, ISA Server monitors
the IP packets that pass through the external network
adapter on the ISA Server computer. In addition to
packet filtering, you must enable IP routing to forward IP
packets from one external network to another external
network, such as the Internet and a three-homed
perimeter network. You must also enable IP routing
when client computers use network protocols other
than the TCP and UDP protocols.
To enable packet filtering and IP routing:
1.
In ISA Management, in the console tree, expand your
server or array, expand Access Policy, right-ciick IP
Packet Filters, and then click Properties.
2.
On the General tab. ensure that the Enable packet
filtering check box is selected.
3.
Click the Enable IP routing check box, and then click
OK.
Creating IP Packet Filters
Start
Name the Filter
Select the Filter Mode
Select the Filter Type
Configure Filter Settings
Select Local IP Address
Select Remote Computer(s)
Finish
Before you create an IP packet filter, you must identify
the associated protocols and ports for the specified
packets. You must also identify the IP addresses or IP
address ranges of the computers for the source and
destination.
To create a new IP packet filter:
1.
In ISA Management, in the console tree, expand your server or
array, expand Access Policy, click IP Packet Filters, and then in the
details pane, click Create a Packet Filter.
2.
In the New IP Packet Filter Wizard, type a name that describes the
filter, and then click Next.
3.
On the Filter Mode page, select Allow packet transmission or
Block packet transmission, and then click Next:
4.
On the Filter Type page, select Custom or Predefined to specify
the type of filter to create, and then click Next.
Important:
Before creating a custom filter, always confirm that ISA Server
does not include a predefined filter that meets your requirements.
5.
If you select a custom filter, on the Filter settings page, enter the
following information, and then click Next.
For this setting
Do the following
IP protocol
Select Custom protocol, Any, ICMP, TCP, or UDP.
If you select Custom Protocol, provide the
protocol number.
For this setting
Do the following
Number
Type the number of the IP protocol.
For this
setting
Do the following
Direction
Specify the direction for the communication. The settings
available in the wizard will vary depending on the IP
protocol that you select. For most protocols, you can
specify Inbound, Outbound, or Both.
Because the UDP protocol is connectionless and requires
no session establishment, the options differ for this
protocol. If you select the UDP protocol, select Send only
(the ISA Server computer or computer on a perimeter
network only sends packets), Send/Receive (the ISA Server
computer or computer on a perimeter network sends
packets and can receive responses), Receive only (the ISA
Server computer or computer on a perimeter network only
receives packets), Receive/Send (the ISA Server computer
or computer on a perimeter network receives packets and
can send responses), or Both (full, bi-directional
communications).
For this setting
Do the following
Local port
Click All ports to apply the rule to all ports, click
Dynamic (1025-5000) to apply the rule to the ports
that client applications typically use to establish
connections with servers, or click Fixed port to
select a specific port, such as the port on which a
server listens. If you select Fixed port, type the
port number in the Port number box.
Note:
A local port is a port on the ISA Server computer
or the computer on the perimeter network. This
option is available with only the TCP and UDP
protocols.
For this setting
Do the following
Remote port
Click All ports to apply the rule to all remote
ports. Click Fixed port to select a specific port,
such as the port on which a remote server listens.
If you select Fixed port, type the port number in
the Port number box.
Note:
A remote port is a port on the computer that
communicates with the ISA Server computer or
the computer on the perimeter network. This
option is available with only the TCP and UDP
protocols.
For this setting
Do the following
Type
Click All types to apply the rule to all ICMP types.
Click Fixed Type to apply the rule to only a
specific ICMP type, and then type a type number.
Note:
This option is available with only the ICMP
protocol. The ICMP protocol identifies types by a
type field in an ICMP packet, such as Destination
Unreachable (Type 3).
For this setting
Do the following
Code
Click All Codes to apply the rule to all ICMP
codes. Click Fixed Code to apply the rule to only
a specific ICMP code, and then type a type
number.
Note:
This option is available with only the ICMP
protocol. The ICMP protocol identifies message
codes by a code field in the ICMP packet that
depends on the ICMP type. For example, an ICMP
packet with Type 3 can include Code 4, which
indicates Fragmentation Needed. The code
numbers that are used depend on the ICMP type.
Note:
For a list of registered protocol numbers, see the
Information Sciences Institute Web site at
http://www.isi.edu/in-notes/iana/assignments/protocolnumbers
For a list of ICMP types, see the Information Sciences
Institute Web site at
http://www.isi.edu/in-notes/iana/assignments/icmpparameters
For a list of ICMP codes, see RFC 792, "Internet Control
Message Protocol" under Additional Readings on the
Student Materials compact disc.
6.
On the Local Computer page, select the IP address or
IP addresses to apply the filter to, and then click Next.
7.
On the Remote Computer page, select the remote
computer or computers to apply the filter to, and then
click Next.
8.
On the Completing the New IP Packet Filter Wizard
page, review your choices, and then click Finish.
Configuring Packet Filter Options
Configure Logging of Packets from Allow Filters
Configure PPTP Through the ISA Firewall
Enable Filtering of IP Fragments
Enable Filtering of IP Options
You can increase the security of your ISA Server
computer and gain additional information about packet
filtering by configuring packet filter options. You
configure packet-filter options in the IP Packet Filter
Properties dialog box. Packet filter options enable you
to:
Configure logging of packets from Allow filters. Enable
this option only for troubleshooting packet filters. By
default, ISA Server logs information about IP packets
that it drops due to Block filters. When you select Log
packets from Allow filters, ISA Server also records
information about packets that were forwarded because
of an Allow filter. Enabling this option causes an
additional workload for the ISA Server computer and
can create large amounts of logging information.
Note:
For more information about ISA Server logs, see Module
8, "Monitoring and Reporting," in Course 2159A,
Deploying and Managing Microsoft Internet Security and
Acceleration Server 2000.
Configure PPTP through the ISA firewall. Select the
PPTP through ISA firewall check box on the PPTP tab to
enable client computers to establish outgoing
connections by using the Point-to-Point Tunneling
Protocol (PPTP). When you enable PPTP, ISA Server
allows traffic that uses IP protocol 47, and it creates a
packet filter called SecureNAT PPTP. When you enable
PPTP through the ISA Firewall, all users with SecureNAT
clients can establish PPTP connections through ISA
Server.
Enable filtering of IP fragments. Set this option to refuse
and drop all fragmented IP packets. A well-known attack
sends and reassembles fragmented packets in a way
that may disrupt the operations of a computer.
Important:
Do not enable filtering of IP fragments if you want to
allow video streams or quality audio streams to pass
through the ISA Server computer.
Enable Filtering of IP Options. Set this option to refuse
and drop all packets that have "IP Options" in the
header. Some well-known attacks use IP options in the
IP packet header. Enabling the filtering of IP Options
guards against such attacks.
Note:
When configuring packet filters, you can also configure
several aspects of intrusion detection. For more
information about how to configure intrusion detection,
see Module 3, "Enabling Secure Internet Access," and
Module 8, "Monitoring and Reporting," in Course 2159A,
Deploying and Managing Microsoft Internet Security and
Acceleration Server 2000.
Configuring Application Filters
Application Filter Overview
Configuring the SMTP Filter
Configuring the Streaming Media Filter
Configuring the HTTP Redirector Filter
Configuring the H.323 Filter
Application filters provide an extra layer of security for
the Firewall service. Unlike IP packet filters, which make
forwarding decisions based on the header of each IP
packet, application filters can examine entire
transactions between a client application and a server
application, such as an entire e-mail message. An
application filter can also examine transactions that use
more than one protocol. An application filter can
perform protocol-specific or system-specific tasks, such
as authentication and virus checking. ISA Server uses
application filters to support protocols that are more
complex, such as the FTP protocol.
Application filters operate in addition to packet filters
and access rules. To enable network traffic to pass
through ISA Server, you must also configure any
required packet filters or protocol rules.
Several application filters are installed with ISA Server.
You can enable and configure these filters to meet the
needs of your organization. In-house developers or
third-party developers can also create additional
application filters.
Note:
You can use application filters only if you install ISA
Server in Firewall mode or in Integrated mode.
Application Filter Overview
DNS Intrusion Detection Filter
FTP Access Filter
H.323 Filter
HTTP Redirector Filter
POP Intrusion Detection Filter
RPC Filter
SMTP Filter
SOCKS V4 Filter
Streaming Media Filter
ISA Server
By default, ISA Server enables all of the application
filters that are installed with ISA Server, except for the
SMTP filter. Application filters register with the Firewall
service and are automatically loaded when you start the
Firewall service.
ISA Server includes the following application filters:
DNS Intrusion Detection filter
Detects DNS traffic that indicates some types of network
intrusions that use DNS.
Note:
For more information about DNS intrusions, see Module
8, "Monitoring and Reporting," in Course 2I59A,
Deploying and Managing Microsoft Internet Security and
Acceleration Server 2000.
FTP Access filter
Enables ISA Server to support the FTP protocol.
H.323 filter
Controls incoming and outgoing network traffic that
uses the H.323 protocol. Applications that use the H.323
protocol provide multimedia services to clients, such as
multimedia conferencing and Internet telephony.
HTTP Redirector filter
Redirects Web requests from Firewall clients and
SecureNAT clients to the Web Proxy service, directly to
the requested Web site, or blocks such requests.
POP Intrusion Detection filter
Detects traffic that indicates some types of network
intrusions that use the Post Office Protocol (POP).
Note:
For more information about POP intrusions, see Module
8, "Monitoring and Reporting," in Course 2159A,
Deploying and Managing Microsoft Internet Security and
Acceleration Server 2000.
RFC filter
Enables the publishing of servers that use remote
procedure calls (RPCs).
SMTP filter
Screens and blocks e-mail messages based on the
properties of attachments, such as users, domains,
keywords, or SMTP commands.
SOCKS V4 filter
Allows ISA Server to respond to clients that use the
SOCKS protocol.
Streaming Media Filter
Allows Firewall clients and SecureNAT clients to use
protocols for gaining access to streaming media
services, such as those provided by Microsoft Windows
Media™ Technology (WMT) Server.
To enable or disable an application filter:
1.
In ISA Management, in the console tree, expand your server or
array, expand Extensions, and then click Application Filters.
2.
In the details pane, right-click the appropriate application filter, and
then click Properties.
3.
On the General tab, select or click to clear the Enable this filter
check box, and then click OK.
Note:
Developers can also create Web filters, which screen and route
Web content. Web filters can monitor, evaluate, and intercept HTTP
communication between an internal network and the Internet. Web
filters load when you start the Web Proxy service. For more
information about creating Web filters, see the documentation that
is included with the ISA Server Software Development Kit (SDK).
Configuring the SMTP Filter
SMTP Filter Properties
General Attachments Users/Domains Keywords SMTP Commands
SMTP Filter
Vendor:
Microsoft
Version:
3.0 RC 1
Description: Filters SMTP traffic
Enable this filter
OK
Cancel
Cancel
After you create IP packet filters that allow incoming SMTP traffic to
reach the mail server, you must enable the SMTP filter. The SMTP
filter screens SMTP traffic that arrives on port 25 of the ISA Server
computer. For example, you can configure the SMTP filter to check
for buffer overrun attacks. A buffer overrun attack occurs when an
SMTP command is specified with a line length that exceeds a
specific value. Some third-party SMTP servers are vulnerable to
such attacks, which may allow an intruder to run arbitrary
commands on the mail server.
You can also configure the SMTP filter to block specific SMTP
commands. For example, you can block the VRFY command to
prevent an intruder from using this command to gain information
about users in the organization. In addition, the SMTP filter can
screen incoming e-mail messages based on the user or the domain
and can drop or redirect messages from the specific users or
domains.
The SMTP application filter can also screen e-mail messages based
on attachments and keywords. For example, you can configure the
SMTP application filter to reject e-mail messages that contain an
attachment that indicates a known e-mail virus.
Important:
To screen e-mail messages for specific attachments, users,
domains, or keywords, you must install the Message Screener. The
Message Screener is an optional ISA Server component that you
usually install on a separate computer on your network. For more
information about how to configure servers in your network to
enable content filtering of SMTP traffic, see Module 7, "Configuring
Access to Internal Resources," in Course 2159A, Deploying and
Managing Microsoft Internet Security and Acceleration Server 2000.
To configure the SMTP filter:
1.
In ISA Management, in the console tree, expand your
server or array, expand Extensions, and then click
Application Filters.
2.
In the details pane, right-click SMTP Filter, and then
click Properties.
3.
Perform the following actions in the SMTP Filter
Properties dialog box, and then click OK.
To
Do this
Stop users from sending
messages to the SMTP server
On the Users/Domains tab, in the
Sender's name box, type the email address of the e-mail sender
from whom e-mail messages will
be rejected, and then click Add.
To
Do this
Stop domains from sending
messages to the SMTP server
On the Users/Domains tab, in the
Domain Name box, type the name
of the DNS domain from which email messages will be rejected,
and then click Add.
To
Do this
Configure
attachments
for the SMTP
application
filter
On the Attachments tab, click Add. In the Mail
Attachment Rule dialog box, select the Enable
attachment rule check box, and then click one of the
following:
Attachment
name. Type the name of the attachment.
Attachment
extension. Type a file extension. For
example, to prohibit attachments with an .exe extension,
type .exe
Attachment
size limit. Type the maximum size of the
attachment. Some e-mail attacks involve overloading a
mail server with large attachments.
In the Action list, select Delete message, Hold message,
or Forward messages to, and then type the forwarding
address.
To
Do this
Configure
keywords for
the SMTP
application
filter
On the Keywords tab, click Add. Click Enable keyword
rule. In the Keyword box, type the keyword string.
Under Apply action if keyword is found in, select one of
the following options to indicate which part of the e-mail
message that the SMTP application filter checks for the
keyword:
• Message header or body
• Message header
• Message body
In the Action list, select Delete message, Hold message,
or Forward messages to, and type the forwarding
address.
To
Do this
Disallow an SMTP command
On the SMTP Commands tab,
double-click the appropriate
command. In the SMTP Command
Rule dialog box, click to clear the
Enable an SMTP command check
box.
To
Do this
Configure the SMTP application
filter buffer overflow thresholds
On the SMTP Commands tab,
double-click the appropriate
command. In the SMTP Command
Rule box, select the Enable an
SMTP command check box. In the
Maximum Length box, type the
maximum length of the command
line for the SMTP commands.
Configuring the Streaming Media Filter
Streaming Media Filter Properties
General Live Stream Splitting
Use this page to select WMT live stream splitting mode
Select one of these
options to enable
live stream
splitting.
Disable WMT live stream splitting
Split live streams using a local WMT server
Split live streams using the following WMT server pool:
WMT Server Address
Add…
Remove
Edit…
WMT server administrator account:
User account:
Browse…
Password:
Confirm password:
OK
Cancel
Apply
The Streaming Media filter enables Firewall Clients and
SecureNAT clients to use popular streaming media
protocols to gain access to media streaming servers.
Streaming media technology allows the distribution of
audio and video on the Internet as a continuous realtime stream. A server application transmits the media
stream to a client application. The client application can
start displaying the video or play the audio immediately
or as soon as enough of the media stream is received
and stored in the application's buffer.
The Streaming Media filter supports the following streaming media
protocols:
Microsoft Windows Media (MMS), which allows Microsoft Windows
Media™ Player client access and server publishing.
Progressive Networks Protocol (PNM), which allows RealPlayer
client access and server publishing.
Real Time Streaming Protocol (RTSP), which allows RealPlayer G2
and QuickTime 4 client access and server publishing.
In addition, the Streaming Media filter can improve the performance
of the streaming media for clients by splitting the live streams.
Configuring Live Stream Splitting
Configuring live stream splitting enables the Streaming
Media filter to obtain the media stream from the Internet
and then make it available on a WMT Server computer
or WMT Server pool for access by clients. To allow
SecureNAT clients or Firewall clients to take advantage
of live stream splitting, no client configuration is
required.
If you configure ISA Server to make streaming media
available on a single WMT Server computer, the
Windows Media Services, an optional component of
Windows 2000 Server, must be installed on the ISA
Server computer. If you transmit the live stream by
using a pool of one or more WMT Server computers,
this pool can be located anywhere on your internal
network.
Note:
To use live stream splitting, you must install Windows
Media Service on the ISA Server computer. If you use a
WMT server pool, you need to install only the Windows
Media Service administration tool on the ISA Server
computer.
To configure live stream splitting for a streaming media
filter:
1. In ISA Management, in the console tree, expand your
server or array, expand Extensions, and then click
Application Filters.
2. In the details pane, right-click Streaming Media Filter,
and then click Properties.
3. On the Live Stream Splitting tab, click one of the
following options, and then click OK.
To
Then
Disable live stream splitting
Click Disable WMT live stream
splitting.
Enable splitting of media streams
by using the ISA Server computer
Click Split live streams using a
local WMT server.
Enable splitting of media streams
by using a WMT Server pool on
your network
Click Split live streams using the
following WMT server pool, click
Add, and then type the IP address
of the WMT Server pool.
4. If you are enabling splitting of media streams by using a
WMT Server pool, in the User account box, type the user
name of the WMT Server administrator account. In the
Password box and in the Confirm password box, type
the account password, and then click OK.
Note:
The user account that you specify must be a member of
the Netshow Administrators group on each WMT Server
computer.
Configuring the HTTP Redirector Filter
HTTP Redirector Filter Properties
General Options
Response to HTTP requests:
Select an option
to redirect HTTP
requests.
Redirect to local Web Proxy service
If the local service is unavailable, redirect requests to
requested Web server
Send to requested Web server
Reject HTTP requests from Firewall and SecureNAT clients
OK
Cancel
Apply
The HTTP Redirector filler forwards HTTP requests from
Firewall clients and SecureNAT clients to the Web Proxy
service on the ISA Server computer. By using the HTTP
Redirector filter, HTTP requests are cached, even if
users on a Firewall client computer or SecureNAT client
computer do not configure their Web browser to use the
ISA Server computer as a Web Proxy server. Redirecting
HTTP requests improves client performance and allows
you to apply site and content rules to Firewall clients
and SecureNAT clients.
HTTP Redirector Filter Options
You can configure the HTTP Redirector filter to perform one of the
following actions:
Redirect requests to the Web Proxy service. This option is the
default option for the HTTP Redirector filter. When choosing
redirection, you can also configure ISA Server to send the request
directly to the Web server if the Web Proxy service is unavailable.
Send requests to the Web server. Requests bypass the Web Proxy
service and the objects are not cached. Choose this option if you do
not want the ISA Server computer to cache HT'I P requests from
Firewall clients or from SecureNAT clients.
Discard HTTP requests. Discards alt HTTP requests from Firewall
clients and SecureNAT clients. Choose this option when you want to
require all clients that use the HTTP protocol to be configured as
Web Proxy clients.
Note:
When the HTTP Redirector filter passes a request from a
Firewall client to the Web Proxy service, the client's
authentication information is lost. Therefore, the Web
Proxy service treats all HTTP and FTP requests that
originate from Firewall clients as unauthenticated. If you
configured the Web Proxy service to require
authentication, ISA Server denies requests from Firewall
clients. SecureNAT clients never send authentication
information.
Configuring Redirection Options
To configure the HTTP Redirector filter:
1. In ISA Management, in the console tree, expand your
server or array, expand Extensions, and then click
Application Filters.
2. In the details pane, right-click HTTP Redirector Filter,
and then click Properties.
3. On the Options tab, click the appropriate option, and
then click OK.
Configuring the H.323 Filter
H.323 Filter Properties
General Call Control
Specify an
H.323
Gatekeeper.
Gatekeeper location
Use this Gatekeeper
Browse…
LONDON
Call direction
Allow incoming calls
Allow outgoing calls
Use DNS gatekeeper lookup and LRQs for alias resolution
Media Control
Select one or
more media
options.
Allow audio
Allow video
Allow T120 and application sharing
OK
Cancel
Apply
The H.323 filter enables users who use conferencing
applications, such as Microsoft NetMeeting®, to
communicate with others over the Internet by using
video, audio, and application sharing. You can configure
the H.323 filter to limit client access to certain media,
such as denying access to video or data sharing.
Note:
To enable multiple H.323 sessions and to improve
efficiency, you can configure an H.323 Gatekeeper, for
more information on H.323 Gatekeepers, see Module 7,
"Configuring Access to Internal Resources," in Course
2159A. Deploying and Managing Microsoft Internet
Security and Acceleration Server 2000.
To configure the 11.323 filter:
1. In ISA Management, in the console tree, expand
Extensions, and then click Application Filters.
2. In the details pane, right-click H.323 Filter, and then
click Properties.
3. On the Call Control tab. select the Use this Gatekeeper
check box, and then specify the computer that runs the
H.323 Gatekeeper.
4. Select one or more of the following options, and then click OK:
Allow incoming calls. Permits people in other organizations to call
people in your organization over the Internet.
Allow outgoing calls. Permits people in your organization to call
people in other organizations over the Internet.
Use DNS gatekeeper lookup and LRQs for alias resolution. Enables
the use of DNS to look up H.323 aliases for outgoing calls.
Allow audio. Permits audio calls.
Allow video. Permits video calls.
Allow T120 and application sharing. Permits T.120 data and
application sharing.
Lab A: Configuring the Firewall
Review
Securing the Server
Examining Perimeter Networks
Examining Packet Filtering and IP Routing
Configuring Packet Filtering and IP Routing
Configuring Application Filters