March 2006

3 Ways To Get Wiser Web Access

Use ISA Server 2004 to restrict applications' Internet access

The following example uses an access rule to block connections to an HTTP tunneling proxy named www.httptunnel.com.

  1. Open the Microsoft Management Console (MMC) ISA Server Management snap-in, right-click the Firewall Policy node in the left-hand pane, and select New, Access Rule. Name the access rule, then click Next.
  2. On the Rule Action page, select Deny, then click Next.
  3. On the Protocols page, accept the default setting (All outbound traffic) and click Next.
  4. On the Access Rule Sources page, click Add. In the Add Network Entities dialog box, click the Network Sets folder, then double-click All Protected Networks. Click Close, then click Next.
  5. On the Access Rule Destinations page, click Add. In the Add Network Entities dialog box, click New, then click Domain Name Set.
  6. In the New Domain Name Set Policy Element dialog box (which Figure 1 shows), enter a name for the set—HTTP Tunneling Sites, in this example. To block other HTTP tunneling sites in the future, you can use this domain name set and add multiple domains. Click New, then type the first name of the first domain you want to block (httptunnel.com) and press Enter. Click New and enter the name of the next domain (*.httptunnel.com) and press Enter. (You need to create both entries because the wildcard blocks only hosts and subdomains of httptunnel.com.)
  7. Click the Domain Name Sets folder. Double-click the HTTP Tunneling Sites entry. In the Add Network Entities dialog box click Close. Click Next.
  8. On the User Sets page, accept the default entry and click Next.
  9. On the Completing the New Access Rule Wizard page, click Finish, then click Apply to save the changes to the firewall policy.

The ISA firewall evaluates access rules from the top down. In general, you should place Deny rules above Allow rules so that you don't inadvertently allow a connection you want to block. Consider moving the new rule you just created to the top of your rules list. At the very least, move the rule above any other rule that includes the HTTP protocol.
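The following is an added example, not code from the article or from ISA Server: a small Python model of the domain name set matching described in step 6 and of the top-down rule evaluation described above. It assumes the matching semantics stated in the article (the exact entry matches only httptunnel.com, the wildcard entry matches hosts and subdomains beneath it) and uses ISA's first-match, default-deny behaviour.

```python
# Added example (not from the article): models an ISA Server 2004 domain name
# set and shows why a Deny rule placed below an Allow rule never takes effect.
# Assumed semantics (as the article states): "httptunnel.com" matches only that
# exact name; "*.httptunnel.com" matches hosts and subdomains beneath it.

def domain_matches(entry: str, host: str) -> bool:
    """Return True if host is covered by one domain name set entry."""
    entry, host = entry.lower().rstrip("."), host.lower().rstrip(".")
    if entry.startswith("*."):
        suffix = entry[1:]            # "*.httptunnel.com" -> ".httptunnel.com"
        return host.endswith(suffix)  # www.httptunnel.com, a.b.httptunnel.com
    return host == entry              # exact match only, no subdomains

def in_domain_set(domain_set: list, host: str) -> bool:
    return any(domain_matches(entry, host) for entry in domain_set)

# The "HTTP Tunneling Sites" set from the article, with both entries.
HTTP_TUNNELING_SITES = ["httptunnel.com", "*.httptunnel.com"]

# An ordered firewall policy: each rule is (name, action, destination test).
# The ISA firewall applies the first rule whose destination matches, top down;
# if nothing matches, the implicit default rule denies the connection.
def evaluate(rules, host: str) -> str:
    for _name, action, dest_matches in rules:
        if dest_matches(host):
            return action
    return "deny"

deny_tunnels = ("Block HTTP tunnels", "deny",
                lambda h: in_domain_set(HTTP_TUNNELING_SITES, h))
allow_web = ("Allow HTTP", "allow", lambda h: True)  # any destination

RECOMMENDED = [deny_tunnels, allow_web]  # Deny above Allow: tunnel blocked
MISORDERED = [allow_web, deny_tunnels]   # Deny below Allow: never reached

if __name__ == "__main__":
    for host in ("www.httptunnel.com", "httptunnel.com", "www.example.com"):
        print(host, evaluate(RECOMMENDED, host), evaluate(MISORDERED, host))
```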

METHOD 2:
Use the HTTP Security Filter to Block Unapproved Web-Enabled Applications
You can use the ISA firewall's HTTP Security Filter to inspect virtually any characteristic of an outbound HTTP communication that isn't SSL encrypted and to block the connection according to information in the HTTP application layer protocol stream. The major advantage of using the HTTP Security Filter is that ISA Server places filter controls on allow rules. Therefore, you can allow HTTP traffic to approved locations but block suspicious communications moving through the otherwise approved channel.

The HTTP Security Filter is especially helpful in blocking communications from peer-to-peer (P2P) applications that use HTTP. Many companies want to enable outbound HTTP communications through the firewall without limiting the sites that users can access—but don't want P2P applications to use HTTP to access the Internet. You can use the HTTP Security Filter to block P2P applications while still giving HTTP access to other applications.

The next example blocks the Kazaa client's outbound access over TCP port 80.

  1. Use the method described in the first example to create an access rule that allows outbound HTTP access.
  2. Right-click the new access rule and select Configure HTTP.
  3. In the Configure HTTP policy for rule dialog box, go to the Signatures tab and click Add.
  4. In the Signature dialog box (which Figure 2 shows), enter a name for the signature—Kazaa Req header #1, in this example—and an optional Description. Select Request headers from the Search in drop-down list. Type P2P-Agent in the HTTP header text box, then type Kazaa in the Signature box. Click OK.
  5. In the HTTP policy for rule dialog box, click OK, then click Apply to save the changes to the firewall policy.

Remember that the ISA firewall applies firewall policy from the top down. Even though this is an Allow rule, it will block HTTP connections that include the string that the signature specifies. Therefore, you should place this access rule above any other Allow access rules.
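The following is an added example, not code from the article or from ISA Server: a Python model of the request-header signature configured in steps 3 and 4, run over constructed sample requests. It assumes the filter matches the signature as a substring of the named request header; the article does not state ISA's case handling, so the model compares case-insensitively.

```python
# Added example (not from the article): models the HTTP Security Filter
# signature "Kazaa Req header #1" (search in Request headers, header
# P2P-Agent, signature Kazaa) attached to an Allow HTTP rule.
# Assumption: a signature matches when its text appears as a substring of the
# named header; case-insensitive comparison is assumed, not taken from ISA docs.

def parse_request_headers(raw: bytes) -> dict:
    """Split a raw HTTP request into {header-name-lowercased: value}."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    headers = {}
    for line in head.split("\r\n")[1:]:      # line 0 is the request line
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers

# (name, search in, HTTP header, signature), as entered in the dialog box.
SIGNATURES = [("Kazaa Req header #1", "request_headers", "P2P-Agent", "Kazaa")]

def matched_signature(raw_request: bytes):
    """Return the name of the first blocking signature, or None."""
    headers = parse_request_headers(raw_request)
    for name, search_in, header, signature in SIGNATURES:
        if search_in != "request_headers":
            continue                          # other locations not modelled
        value = headers.get(header.lower())
        if value is not None and signature.lower() in value.lower():
            return name
    return None

def allow_rule_decision(raw_request: bytes) -> str:
    """The Allow rule with the HTTP filter: block on a signature hit."""
    return "block" if matched_signature(raw_request) else "allow"

# Constructed sample requests (not real captures).
KAZAA_REQUEST = (b"GET /.files HTTP/1.1\r\nHost: 203.0.113.7\r\n"
                 b"P2P-Agent: Kazaa\r\n\r\n")
BROWSER_REQUEST = (b"GET / HTTP/1.1\r\nHost: www.example.com\r\n"
                   b"User-Agent: Mozilla/5.0\r\n\r\n")

if __name__ == "__main__":
    print(allow_rule_decision(KAZAA_REQUEST), allow_rule_decision(BROWSER_REQUEST))
```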

You can use a network analyzer to perform a packet trace and discover HTTP headers for the applications you want to block. Before doing so, you might want to look at Microsoft's published list of common application signatures (http://www.microsoft.com/technet/prodtechnol/isa/2004/plan/commonapplicationsignatures.mspx). You can also visit Jim Harrison's ISA Server Tools Repository (http://www.isatools.org) to download scripts that will automatically configure your HTTP Security Filter to protect against common exploits.

METHOD 3:
Use the ISA Server 2004 Firewall Client to Block Unapproved Applications

The Firewall client is a generic Winsock proxy client. In contrast to SOCKS proxies, which require you to configure each application with the address and port of the SOCKS proxy, the Firewall client transparently accepts Winsock calls from all Winsock-enabled network applications.

The Firewall client intercepts all Winsock calls from Winsock applications and forwards those calls to the ISA firewall according to the Firewall client settings. These settings are managed centrally on the ISA firewall device and include

  • which applications the Firewall client handles
  • which destinations the Firewall client should handle
  • which destination ports the Firewall client shouldn't proxy

In addition to transparently proxying connections from Firewall client machines to the ISA firewall, the Firewall client also sends user credentials through an encrypted channel to the ISA firewall for granular user- or group-based control over all Winsock application connections that occur through the firewall. You can make your network routing infrastructure transparent to the Firewall client-enabled device, which needs to know only the route to the IP address of the ISA firewall system. When you do so, you don't need to enable or change a route of last resort on your network routers.
