ISA Server 2004 and Packet Filtering
ISA Server 2004 does not have an option for directly configuring packet filtering. However, ISA Server does operate as a packet-filtering firewall, inspecting traffic at the network and transport layers. For example, if you define a firewall access rule that allows all protocol traffic from an IP address on one network to an IP address on another network, ISA Server uses a packet filter to allow that traffic. Or, if you configure a firewall access rule that denies the use of the default Telnet port (TCP Port 23), ISA Server uses a packet filter to block that port. ISA Server also performs ingress and egress filtering by default. ISA Server 2000 supports direct configuration of packet filters; if you upgrade from ISA Server 2000 to ISA Server 2004, the packet filter definitions are replaced by access rules.
What Is Stateful Filtering?
When a firewall uses stateful filtering, it examines not only the packet header fields but also the state of the connection the packet belongs to. For example, the firewall can inspect a packet arriving at its external interface and determine whether it is a response to a request that originated on the internal network. This check can be performed at both the transport layer and the application layer.
Stateful filtering uses information about the TCP session to determine whether a packet should be blocked or allowed through the firewall. TCP sessions are established using the TCP three-way handshake, the purpose of which is to synchronize the sequence number and acknowledgment numbers and to exchange other information defining how the two hosts will exchange packets. The following steps outline the process:
1. The initiator of the TCP session, typically a client, sends a TCP segment to the server. The client sends its initial sequence number and requests that the server provide its own initial sequence number (by setting the SYN bit to 1).
2. The responder of the TCP session, typically a server, sends back a TCP segment containing its initial sequence number and an acknowledgment (ACK) of the client’s sequence number. The server sets both the SYN bit and ACK bit to 1. The ACK bit indicates that the server has received the client’s sequence number.
3. The initiator sends the server a TCP segment containing an acknowledgment of the server’s sequence number. Once the client and server have agreed on the sequence numbers, they will use the sequence numbers to track all packets. TCP uses the information to recover from errors, such as packets arriving out of order or packets not arriving.
TCP uses a similar handshake process to end a connection. This guarantees that both hosts have finished transmitting and that all data was received.
A firewall uses this TCP information to perform stateful filtering. When a client on the internal network sends the first packet of the three-way handshake, the firewall forwards the packet and records that the request has been sent. When the response comes back from the server, the firewall accepts the packet because it matches a recorded internal request. If a packet arrives with only the SYN bit set, or with the SYN and ACK bits set, and the firewall has no record of a corresponding client request, the firewall blocks the packet.
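The handshake tracking described in the steps above, as an added example in Python; this is illustration code written for this page, not ISA Server's implementation. It models only the tracking logic: a table keyed by the initiator's four-tuple, the assumed policy that only hosts in the internal prefix 10.0.0.0/24 may open sessions, and constructed packets in place of real captures. Timeouts, sequence-number validation and the UDP pseudo-sessions a real firewall also tracks are left out.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10   # TCP flag bits


@dataclass(frozen=True)
class Packet:                 # constructed stand-in for a captured TCP/IP packet
    src: str
    sport: int
    dst: str
    dport: int
    flags: int


@dataclass
class Entry:
    state: str                # SYN_SENT -> SYN_RECEIVED -> ESTABLISHED -> CLOSING
    fins_seen: int = 0        # the close handshake needs a FIN from each side


Key = Tuple[str, int, str, int]   # initiator's (src, sport, dst, dport)


class StatefulFilter:
    """Allows only sessions opened from the internal network (assumed policy)."""

    def __init__(self, internal_prefix: str) -> None:
        self.internal_prefix = internal_prefix
        self.table: Dict[Key, Entry] = {}

    def _lookup(self, pkt: Packet) -> Tuple[Optional[Key], bool]:
        """Find the session for this packet; the bool says whether the packet
        travels in the initiator's direction."""
        fwd = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if fwd in self.table:
            return fwd, True
        if rev in self.table:
            return rev, False
        return None, False

    def process(self, pkt: Packet) -> str:
        syn, ack = bool(pkt.flags & SYN), bool(pkt.flags & ACK)
        key, from_initiator = self._lookup(pkt)
        if syn and not ack:
            # Step 1: a new request. Record it only if it comes from the internal
            # network and no session with this four-tuple exists yet (a retransmitted
            # SYN is dropped here; a real firewall would refresh the entry instead).
            if key is None and pkt.src.startswith(self.internal_prefix):
                self.table[(pkt.src, pkt.sport, pkt.dst, pkt.dport)] = Entry("SYN_SENT")
                return "ALLOW"
            return "DROP"
        if key is None:
            return "DROP"        # SYN/ACK, ACK or data with no recorded request
        entry = self.table[key]
        if syn and ack:
            # Step 2: the reply must come from the responder while we wait for it.
            if not from_initiator and entry.state == "SYN_SENT":
                entry.state = "SYN_RECEIVED"
                return "ALLOW"
            return "DROP"
        if pkt.flags & RST:
            del self.table[key]  # either side aborted; forget the session
            return "ALLOW"
        if entry.state == "SYN_RECEIVED" and from_initiator and ack:
            entry.state = "ESTABLISHED"   # Step 3 completes the handshake
        elif entry.state not in ("ESTABLISHED", "CLOSING"):
            return "DROP"        # segment out of order with the handshake
        if pkt.flags & FIN:
            entry.state = "CLOSING"
            entry.fins_seen += 1
        elif entry.state == "CLOSING" and entry.fins_seen == 2:
            del self.table[key]  # final ACK of the close; the session is over
        return "ALLOW"


def demo() -> list:
    """Constructed trace: one legitimate outbound session, then two unsolicited
    inbound packets for which the filter holds no record."""
    fw = StatefulFilter("10.0.0.")
    client, server = ("10.0.0.5", 40001), ("203.0.113.10", 80)
    trace = [
        Packet(*client, *server, SYN),            # 1: internal client opens session
        Packet(*server, *client, SYN | ACK),      # 2: matches the recorded request
        Packet(*client, *server, ACK),            # 3: handshake complete
        Packet(*server, *client, ACK),            # data inside the session
        Packet("198.51.100.7", 4444, "10.0.0.5", 445, SYN),        # inbound SYN
        Packet("198.51.100.7", 80, "10.0.0.5", 50000, SYN | ACK),  # bogus SYN/ACK
    ]
    return [fw.process(p) for p in trace]
```

The trace returns ALLOW for the four packets of the internal session and DROP for the two unsolicited inbound packets. The same table entry also carries the close: a FIN from each side moves the entry to CLOSING, and the ACK that follows the second FIN removes it, so later segments with that four-tuple are dropped until a new SYN from the inside recreates it.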
Advantages and Disadvantages of Stateful Filtering
Using stateful filtering has several advantages. For example, stateful filtering ensures that all network traffic forwarded by the firewall is part of an existing session, or matches the rules for creating a new session. In addition, stateful filtering implements dynamic packet filtering, which ensures that specific ports are available only when a valid session exists. For example, if the Web Proxy filter requests that a Web server respond on Port 1159, ISA Server will listen on Port 1159 for only as long as the connection exists.
However, stateful filtering alone does not provide enough protection against current threats to network security. Many of the newest attacks occur at the application layer. For example, a client computer may download malicious code in an HTTP response that is part of a legitimate session; a stateful filter sees only a valid session and permits the traffic. Only application-layer stateful inspection can block these types of attacks.
ISA Server Connection Rules
ISA Server uses connection rules to keep track of sessions. Whenever a packet arrives at ISA Server, it attempts to associate the packet with an existing connection rule, based on the protocol, source, and destination. A connection rule has the following attributes:
- Protocol number
- Source (IP address and port/endpoint)
- Destination (IP address and port/endpoint)
- Source address translation (used for NAT connections)
- Destination address translation (used for NAT connections)
- Statistics (number of bytes transferred, last access time)
- Misc. (checksum delta, used when doing address translation)
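An added example, written for this page and not ISA Server's own data structures (the product's internal layout is not documented here and the one below is an assumption): a toy connection table carrying the attributes listed above, showing what the NAT translation and "checksum delta" fields are for. When every packet of a session has its source address rewritten, the IP header checksum can be patched with a per-connection constant using the incremental update of RFC 1624 instead of being recomputed over the header for each packet. The addresses, ports, header contents and the public NAT address 192.0.2.1 are constructed for the example.

```python
import struct
import time
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

Endpoint = Tuple[str, int]     # (IP address, port)
TCP = 6                        # IANA protocol number carried in the IP header


def ones_add(a: int, b: int) -> int:
    """16-bit ones'-complement addition with end-around carry."""
    s = a + b
    return (s & 0xFFFF) + (s >> 16)


def _sum_words(data: bytes) -> int:
    total = 0
    for i in range(0, len(data), 2):
        total = ones_add(total, (data[i] << 8) | data[i + 1])
    return total


def ip_checksum(header: bytes) -> int:
    """Internet checksum of an IPv4 header whose checksum field is zero."""
    return (~_sum_words(header)) & 0xFFFF


def verify_header(header: bytes) -> bool:
    """Summing every word, checksum included, gives 0xFFFF for a good header."""
    return _sum_words(header) == 0xFFFF


def checksum_delta(old: bytes, new: bytes) -> int:
    """Ones'-complement sum of (~m + m') over each changed 16-bit word, so the
    checksum can be patched per packet (RFC 1624 eq. 3: HC' = ~(~HC + ~m + m'))."""
    d = 0
    for i in range(0, len(old), 2):
        m = (old[i] << 8) | old[i + 1]
        m_new = (new[i] << 8) | new[i + 1]
        d = ones_add(d, ones_add((~m) & 0xFFFF, m_new))
    return d


def apply_delta(hc: int, delta: int) -> int:
    return (~ones_add((~hc) & 0xFFFF, delta)) & 0xFFFF


def ip_to_bytes(ip: str) -> bytes:
    return bytes(int(o) for o in ip.split("."))


@dataclass
class ConnectionRule:            # the attribute list from the text, as assumed fields
    protocol: int
    source: Endpoint
    destination: Endpoint
    source_xlate: Optional[str] = None        # NAT: source IP to write on egress
    destination_xlate: Optional[str] = None   # NAT: destination IP to restore on ingress
    bytes_transferred: int = 0
    last_access: float = 0.0
    checksum_delta: int = 0                   # misc: fixed once per NAT connection


class ConnectionTable:
    def __init__(self) -> None:
        self.rules: Dict[Tuple[int, Endpoint, Endpoint], ConnectionRule] = {}

    def add_nat_rule(self, protocol: int, source: Endpoint,
                     destination: Endpoint, public_ip: str) -> ConnectionRule:
        rule = ConnectionRule(protocol, source, destination, source_xlate=public_ip)
        rule.checksum_delta = checksum_delta(ip_to_bytes(source[0]), ip_to_bytes(public_ip))
        self.rules[(protocol, source, destination)] = rule
        return rule

    def translate_outbound(self, ip_header: bytes, sport: int, dport: int) -> Optional[bytes]:
        """Match on (protocol, source, destination); rewrite the source address and
        patch the checksum with the stored delta. None means no rule: drop."""
        proto = ip_header[9]
        src = ".".join(str(b) for b in ip_header[12:16])
        dst = ".".join(str(b) for b in ip_header[16:20])
        rule = self.rules.get((proto, (src, sport), (dst, dport)))
        if rule is None:
            return None
        hc = struct.unpack("!H", ip_header[10:12])[0]
        rule.bytes_transferred += len(ip_header)   # statistics: header only in this toy
        rule.last_access = time.time()
        return (ip_header[:10] + struct.pack("!H", apply_delta(hc, rule.checksum_delta))
                + ip_to_bytes(rule.source_xlate) + ip_header[16:])


def build_header(src: str, dst: str) -> bytes:
    """Constructed 20-byte IPv4 header (TCP, TTL 64, length 60, ID 0x1C46)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 60, 0x1C46, 0x4000, 64, TCP, 0,
                      ip_to_bytes(src), ip_to_bytes(dst))
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]


def demo() -> dict:
    table = ConnectionTable()
    table.add_nat_rule(TCP, ("10.0.0.5", 40001), ("203.0.113.10", 80), "192.0.2.1")
    outbound = build_header("10.0.0.5", "203.0.113.10")
    translated = table.translate_outbound(outbound, 40001, 80)
    return {
        "translated": translated,
        "recomputed": build_header("192.0.2.1", "203.0.113.10"),  # full rescan, for comparison
        "unmatched_dropped": table.translate_outbound(outbound, 40002, 80) is None,
    }
```

The patched header is byte-for-byte identical to one rebuilt with a full checksum over the rewritten addresses, which is the check worth keeping whenever a NAT path uses stored deltas: a wrong delta yields packets the next hop silently discards. A packet whose source port has no rule gets no translation and is dropped, matching the lookup the text describes. Return traffic would be handled the same way with the destination translation field and the negated delta.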