Lesson 1: Introduction to ISA Server as a Firewall
Firewalls are deployed to limit network traffic from one network to another. To distinguish between network traffic that should be allowed and network traffic that should be blocked, firewalls use packet filters, stateful filters, application filters, and intrusion detection. This lesson describes the core functionality that firewalls provide and how it is implemented in ISA Server 2004.
What Is Packet Filtering?
A firewall’s primary role is to prevent network traffic from entering an internal network unless the traffic is explicitly permitted. One way that a firewall ensures this is through packet filtering. Packet filters control access to the network at the network layer by inspecting Internet Protocol (IP) packets and allowing or denying them. When the firewall inspects an IP packet, it examines only information in the network and transport layer headers.
A packet-filtering firewall can evaluate IP packets using the following criteria:
1- Destination address: The destination address may be the actual IP address of the destination computer in the case of a routed relationship between the two networks being connected by ISA Server. The destination may also be the external interface of ISA Server in the case of a network address translation (NAT) network relationship.
2- Source address: This is the IP address of the computer that originally transmitted the packet.
3- IP protocol and protocol number: You can configure packet filters for Transmission Control Protocol (TCP), User Datagram Protocol (UDP), Internet Control Message Protocol (ICMP), and any other protocol. Each protocol is assigned a number. For example, TCP is protocol 6, and the Generic Routing Encapsulation (GRE) protocol for Point-to-Point Tunneling Protocol (PPTP) connections is protocol 47.
4- Direction: This is the direction of the packet through the firewall. In most cases, the direction can be defined as inbound, outbound, or both. For some protocols, such as File Transfer Protocol (FTP) or UDP, the directional choices may be Receive Only, Send Only, or Both.
5- Port numbers: A TCP or UDP packet filter defines a local and remote port. The local and remote ports can be defined by a fixed port number or a dynamic port number.
Advantages and Disadvantages of Packet Filtering
Packet filtering has advantages and disadvantages. Among its advantages are the following:
1- Packet filtering must inspect only the network and transport layer headers, so packet filtering is very fast.
2- Packet filtering can be used to block a particular IP address or to allow a particular IP address. If you detect an application-level attack from an IP address, you can block that IP address at the packet-filter level. Or, if you need to enable access to your network and you know that all access attempts will be coming from a particular address, you can enable access only for that source address.
3- Packet filtering can be used for ingress and egress filtering. Ingress filtering blocks packets arriving on the external interface of the firewall that have a source IP address that is logically on the internal network. For example, if your internal network includes the 192.168.20.0 network, an ingress filter will block a packet arriving at the external interface that claims to be coming from 192.168.20.1. An egress filter prevents packets that have a source IP address that is not on the internal network from leaving your network.
Disadvantages of packet filtering are the following:
1- Packet filters cannot prevent IP address spoofing or source-routing attacks. An attacker can substitute the IP address of a trusted host as the source IP address and the packet filter will not block the packet. Or the attacker can include routing information in the packet that gives an incorrect route for return packets, so that the packets are returned not to the actual host but to the attacker’s computer.
2- Packet filters cannot prevent IP-fragment attacks. An IP-fragment attack splits a single IP packet into multiple fragments. Most packet-filtering firewalls check only the first fragment and assume that the other fragments of the same packet are acceptable. The additional fragments may contain malicious content.
3- Packet filters are not application-aware. You may be blocking the default Telnet port (Port 23) on your firewall, but allowing access to the Hypertext Transfer Protocol (HTTP) port (Port 80). If an attacker can configure a Telnet server to run on Port 80 on your network, the packets would be passed to the server.
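The filtering criteria, the ingress and egress checks, and the application-awareness limitation described above can be seen together in a small header-only filter. This is an added example, not part of the original lesson and not ISA Server code; the /24 mask on the 192.168.20.0 network, the hosts 192.168.20.10 and 203.0.113.5, and the rule set are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Assumption: the lesson's 192.168.20.0 internal network uses a /24 mask.
INTERNAL_NET = ipaddress.ip_network("192.168.20.0/24")
PROTO_TCP, PROTO_UDP = 6, 17

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int
    direction: str                  # "inbound" (external interface) or "outbound"
    dst_port: Optional[int] = None
    payload: bytes = b""            # carried along but never inspected by the filter

@dataclass(frozen=True)
class Rule:
    action: str                     # "allow" or "deny"
    direction: str                  # "inbound", "outbound" or "both"
    proto: int
    dst_net: str
    dst_port: Optional[int] = None  # None matches any port
    src_net: str = "0.0.0.0/0"

    def matches(self, p: Packet) -> bool:
        # Only network and transport header fields take part in the decision.
        return (self.direction in ("both", p.direction)
                and self.proto == p.proto
                and ipaddress.ip_address(p.src) in ipaddress.ip_network(self.src_net)
                and ipaddress.ip_address(p.dst) in ipaddress.ip_network(self.dst_net)
                and self.dst_port in (None, p.dst_port))

# Constructed rule set: block Telnet (port 23), allow HTTP (port 80).
RULES = [Rule("deny", "inbound", PROTO_TCP, "192.168.20.0/24", 23),
         Rule("allow", "inbound", PROTO_TCP, "192.168.20.0/24", 80)]

def evaluate(p: Packet, rules=RULES) -> str:
    src_internal = ipaddress.ip_address(p.src) in INTERNAL_NET
    if p.direction == "inbound" and src_internal:
        return "deny: ingress filter"   # internal source seen on external interface
    if p.direction == "outbound" and not src_internal:
        return "deny: egress filter"    # non-internal source leaving the network
    for rule in rules:                  # first matching rule wins
        if rule.matches(p):
            return rule.action
    return "deny: no matching rule"     # default deny
```

Two inbound packets to port 80 that differ only in payload get the same verdict, which is why a Telnet service moved to port 80 is invisible to this kind of filter and needs application-layer filtering to catch.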