September 18, 2006

Web Content Filtering with ISA Server

Block unwanted content by URL, keyword, signature, or file type

Your organization might have already made decisions about allowing or denying Internet traffic by protocol. For example, you might allow Web browsing for your user community but block IM traffic. However, what about blocking content within the overall set of protocols that you plan to allow? For example, you might want to let your employees browse the Web, but you don't want them visiting certain Web sites. You also might want to block certain types of content from any Web site (e.g., downloads of executable programs).

These instances point to the need for content filtering: inspecting content as it crosses your firewall and deciding whether to allow or deny it. Microsoft Internet Security and Acceleration (ISA) Server is not only a stateful packet filter (letting you permit or deny entire protocols) but also an application-layer filter. Through its Web proxy and HTTP filters, it can look inside the HTTP traffic it relays and make decisions based on the content of the request and response, not just on the packet headers.

You can use ISA Server to enable several types of Web content filtering to improve your network's security. I'll walk you through several blocking exercises: blocking content by DNS name or specific URL path, by specific keywords found within the Web content your users request, and by file type. I use ISA Server 2004 in my examples.

Blocking by URL
To block a specific Web site or set of Web sites, you define a URL set and use it as the destination of an access rule in your existing ISA Server configuration. The primary difference between a standard firewall rule and this type of content-filter rule is the destination type. In a standard rule, the destination is a network entity, whether an individual host or a range of IP addresses (e.g., the External network that ISA Server predefines). In a content-filter rule, you define a set of URLs as the destination instead and set the rule's action to Deny. Because a URL set is matched against the requested URL rather than an IP address, it applies only to Web traffic that ISA Server handles through its Web proxy; it has no effect on protocols that ISA Server forwards purely at the packet level.

Let's look at an example. Suppose you decide that no one in your organization should browse the Playboy Web site from your corporate network. (I pick on http://www.playboy.com when I discuss content filtering because it's a widely recognized name in adult content.) You start by creating a typical firewall rule and defining it with the values that Table 1 shows.

Because you'll be creating a URL set for the first time, no options are available under the existing category. Therefore, click New to create a new URL set to apply to this firewall rule. Figure 1 shows the New URL Set Rule Element dialog box.

As you can see, I defined the URL set as containing one entry: http://*.playboy.com. By using the wildcard (*), I block every server within the playboy.com DNS zone, which is better than listing sites individually (e.g., www.playboy.com, server1.playboy.com, server2.playboy.com) and missing the next one that appears. Two things to check when you build your own sets: the wildcard form matches hosts under playboy.com, so test the bare zone name (http://playboy.com) as well and add it as a separate entry if it isn't caught; and a URL-set entry can carry a path, so make sure your entry covers every path on the site (http://*.playboy.com/*), not only the root page. For HTTPS requests, ISA Server sees only the host name in the client's CONNECT request, so it can match a URL set on the host portion but never on the encrypted path. After you've created your rule, apply the changes to your firewall so that they take effect.

After your new policy is in place, go to a workstation in your organization and attempt to browse one of the Web sites that you've blocked. If everything is working properly, you should see a browser error message stating "The page cannot be displayed." A Technical Information section at the bottom of the error message explains that ISA Server denied the specified URL.

To avoid unnecessary Help desk calls and take the opportunity to remind your user community of your organization's policies about restricted sites, you can assign a custom HTML error page to your URL set deny rule. In the Properties dialog box for the rule, go to the Action tab, which Figure 2 shows, to select the Redirect HTTP requests to this Web page option and specify a URL.

You might want to consider banning other types of Web sites, for other reasons. Some businesses ban fantasy football Web sites. I see an increasing number of organizations blocking the use of Web-based email sites from within the organization because they've found that most virus infections entering their networks come from Web-based email solutions.

Keep in mind that like other ISA Server firewall rules, content-filter rules are processed from first to last. ISA Server attempts to find a match for each request traveling through your network, beginning with rule #1 in your firewall rule set. If no match is found, ISA Server compares the request to rule #2, then to rule #3, and so forth, until it finds a match or the request reaches the built-in Default rule, which denies all traffic and always sits at the bottom of the list. After ISA Server finds a match, no other rules are processed. Therefore, place your rules that deny specific Web sites above the rule that lets your users browse the Web; if the general allow rule comes first, it matches every Web request and your deny rules are never evaluated.

Also, remember that you can set a content-filtering rule to apply only at certain times. For example, perhaps your organization wants to block fantasy football Web sites only during business hours. In that circumstance, just create the rule as you typically would but apply a schedule to the rule.
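As an added illustration of the matching and ordering behavior described above (a constructed model written for this article, not ISA Server code or the ISA object model), the following Python evaluates Web requests against an ordered rule list the way the preceding paragraphs describe: URL-set entries with host wildcards and paths, an optional schedule per rule, first match wins, and the built-in Default rule denying whatever nothing else matched. The policy, the fantasy.example site and the timestamps are constructed for the demonstration; the https branch reflects that ISA Server sees only the host name of an encrypted request.

```python
# Added model (not ISA Server code) of how an ordered access-rule list with
# URL sets and schedules decides a Web request: first match wins, and the
# built-in Default rule denies anything that nothing else matched.
from dataclasses import dataclass
from datetime import datetime
from fnmatch import fnmatchcase
from typing import Optional
from urllib.parse import urlsplit


@dataclass(frozen=True)
class Schedule:
    """Days (0=Mon..6=Sun) and an hour window during which a rule applies."""
    weekdays: frozenset
    start_hour: int
    end_hour: int  # exclusive

    def active(self, when: datetime) -> bool:
        return when.weekday() in self.weekdays and self.start_hour <= when.hour < self.end_hour


ALWAYS = Schedule(frozenset(range(7)), 0, 24)
WORK_HOURS = Schedule(frozenset(range(5)), 9, 17)  # Mon-Fri, 09:00 to 16:59


def url_matches(pattern: str, url: str) -> bool:
    """Match a request URL against one URL-set entry such as http://*.playboy.com/*.

    Scheme, host and path are compared separately and case-insensitively.
    '*' in the host matches any run of characters, so '*.playboy.com' matches
    www.playboy.com but not the bare zone name playboy.com, and an entry with
    no path (or just '/') matches only the site's root page.
    For https requests only the host is compared: the proxy sees just the
    host name in the client's CONNECT request, never the encrypted path.
    """
    pat, req = urlsplit(pattern.lower()), urlsplit(url.lower())
    if pat.scheme != req.scheme:
        return False
    if not fnmatchcase(req.hostname or "", pat.hostname or ""):
        return False
    if req.scheme == "https":
        return True
    return fnmatchcase(req.path or "/", pat.path or "/")


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                      # "allow" or "deny"
    url_set: Optional[tuple] = None  # None = any destination
    schedule: Schedule = ALWAYS

    def matches(self, url: str, when: datetime) -> bool:
        if not self.schedule.active(when):
            return False
        if self.url_set is None:
            return True
        return any(url_matches(entry, url) for entry in self.url_set)


DEFAULT_RULE = Rule("Default rule", "deny")  # always last; cannot be moved


def evaluate(rules, url: str, when: datetime):
    """Return (action, rule name) for the first rule that matches the request."""
    for rule in (*rules, DEFAULT_RULE):
        if rule.matches(url, when):
            return rule.action, rule.name
    raise AssertionError("unreachable: the Default rule matches everything")


# Constructed sample policy; fantasy.example is a hypothetical site name.
BLOCK_PLAYBOY = Rule("Block Playboy", "deny",
                     ("http://*.playboy.com/*", "https://*.playboy.com/*"))
BLOCK_FANTASY = Rule("Block fantasy football in business hours", "deny",
                     ("http://*.fantasy.example/*",), WORK_HOURS)
ALLOW_WEB = Rule("Allow Web browsing", "allow")

POLICY = [BLOCK_PLAYBOY, BLOCK_FANTASY, ALLOW_WEB]      # deny rules above the allow
MISORDERED = [ALLOW_WEB, BLOCK_PLAYBOY, BLOCK_FANTASY]  # allow first: denies never reached

TUESDAY_10AM = datetime(2006, 9, 19, 10, 0)   # constructed timestamps
SATURDAY_10AM = datetime(2006, 9, 23, 10, 0)

if __name__ == "__main__":
    for url, when in [("http://www.playboy.com/index.html", TUESDAY_10AM),
                      ("https://server1.playboy.com/secret/path", TUESDAY_10AM),
                      ("http://www.fantasy.example/league", TUESDAY_10AM),
                      ("http://www.fantasy.example/league", SATURDAY_10AM),
                      ("http://www.example.com/", TUESDAY_10AM)]:
        print(f"{url:42} {when:%a %H:%M} -> {evaluate(POLICY, url, when)}")
    print("misordered policy:", evaluate(MISORDERED, "http://www.playboy.com/", TUESDAY_10AM))
```

Running the block shows the two results worth remembering: with the deny rules above the allow rule, the Playboy request is denied and the fantasy site is denied only during work hours; with the allow rule moved to the top, the same Playboy request is allowed because the first match wins and the deny rules are never consulted.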



Reader Comments
Thanks for such a supporting article

aaleem250, February 11, 2007


Windows IT Pro is a Division of Penton Media Inc.
Copyright © 2008 Penton Media, Inc., All rights reserved.