
Configuring ISA Server as a Firewall

Lesson 1: Introduction to ISA Server as a Firewall

Firewalls are deployed to limit network traffic from one network to another. To distinguish between network traffic that should be allowed and network traffic that should be blocked, firewalls use packet filters, stateful filters, application filters, and intrusion detection. This lesson describes this core functionality provided by firewalls and how this functionality is implemented in ISA Server 2004.

What Is Packet Filtering?
A firewall’s primary role is to prevent network traffic from entering an internal network unless the traffic is explicitly permitted. One way that a firewall ensures this is through packet filtering. Packet filters control access to the network at the network layer by inspecting and allowing or denying the Internet Protocol (IP) packets. When the firewall inspects an IP packet, it examines only information in the network and transport layer headers.

A packet-filtering firewall can evaluate IP packets using the following criteria:
1- Destination address: The destination address may be the actual IP address of the destination computer in the case of a routed relationship between the two networks being connected by ISA Server. The destination may also be the external interface of ISA Server in the case of a network address translation (NAT) network relationship.
2- Source address: This is the IP address of the computer that originally transmitted the packet.
3- IP protocol and protocol number: You can configure packet filters for Transmission Control Protocol (TCP), User Datagram Protocol (UDP), Internet Control Message Protocol (ICMP), and any other protocol. Each protocol is assigned a number. For example, TCP is protocol 6, and the Generic Routing Encapsulation (GRE) protocol for Point-to-Point Tunneling Protocol (PPTP) connections is protocol 47.
4- Direction: This is the direction of the packet through the firewall. In most cases, the direction can be defined by inbound, outbound, or both. For some protocols, such as File Transfer Protocol (FTP) or UDP, the directional choices may be Receive Only, Send Only, or Both.
5- Port numbers: A TCP or UDP packet filter defines a local and remote port. The local and remote ports can be defined by a fixed port number or a dynamic port number.

Advantages and Disadvantages of Packet Filtering
Packet filtering has advantages and disadvantages. Among its advantages are the following:
1- Packet filtering must inspect only the network and transport layer headers, so packet filtering is very fast.
2- Packet filtering can be used to block a particular IP address or to allow a particular IP address. If you detect an application-level attack from an IP address, you can block that IP address at the packet-filter level. Or, if you need to enable access to your network and you know that all access attempts will be coming from a particular address, you can enable access only for that source address.
3- Packet filtering can be used for ingress and egress filtering. Ingress filtering blocks all access on the external interface of the firewall to packets that have a source IP address that is logically on the internal network. For example, if your internal network includes the 192.168.20.0 network, an ingress filter will block a packet arriving at the external interface that claims to be coming from 192.168.20.1. An egress filter prevents packets from leaving your network that have a source IP address that is not on the internal network.
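The following is an added illustration, not code from the ISA Server documentation: a small model of a packet filter that evaluates the five criteria listed above (source, destination, protocol number, direction, port) and applies the ingress/egress spoofing checks just described before any rule is consulted. The internal network, the rule set and the sample addresses are constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

TCP, UDP, GRE = 6, 17, 47                  # IP protocol numbers named in the text
INTERNAL = ip_network("192.168.20.0/24")   # constructed internal network

@dataclass(frozen=True)
class Packet:
    src: str      # source IP address
    dst: str      # destination IP address
    proto: int    # IP protocol number (6 = TCP, 17 = UDP, 47 = GRE)
    dport: int    # remote port for TCP/UDP; 0 for other protocols
    iface: str    # arrival interface: "external" (inbound) or "internal" (outbound)

@dataclass(frozen=True)
class Rule:
    action: str                  # "allow" or "deny"
    direction: str               # "inbound", "outbound" or "both"
    proto: Optional[int] = None  # None matches any protocol number
    dport: Optional[int] = None  # None matches any port
    src: Optional[str] = None    # CIDR of permitted sources; None matches any
    dst: Optional[str] = None    # CIDR of permitted destinations; None matches any
    def matches(self, pkt: Packet, direction: str) -> bool:
        return (self.direction in (direction, "both")
                and self.proto in (None, pkt.proto)
                and self.dport in (None, pkt.dport)
                and (self.src is None or ip_address(pkt.src) in ip_network(self.src))
                and (self.dst is None or ip_address(pkt.dst) in ip_network(self.dst)))

def evaluate(rules: List[Rule], pkt: Packet) -> str:
    direction = "inbound" if pkt.iface == "external" else "outbound"
    src = ip_address(pkt.src)
    # Ingress/egress filtering: the source address must fit the arrival interface.
    if direction == "inbound" and src in INTERNAL:
        return "deny (ingress filter: internal source on external interface)"
    if direction == "outbound" and src not in INTERNAL:
        return "deny (egress filter: foreign source leaving internal network)"
    for rule in rules:  # first matching rule wins; anything not allowed is denied
        if rule.matches(pkt, direction):
            return rule.action
    return "deny (no matching rule)"

# Constructed rule set: one published web server on TCP 80, PPTP's GRE tunnel from one partner network, anything out.
RULES = [
    Rule("allow", "inbound", proto=TCP, dport=80, dst="198.51.100.10/32"),
    Rule("allow", "inbound", proto=GRE, src="203.0.113.0/24"),
    Rule("allow", "outbound"),
]
```

Because the filter never looks past the IP and TCP/UDP headers, a Telnet daemon listening on port 80 of the published server would pass the first rule exactly as the text warns; only an application-aware filter can tell the two apart.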

Disadvantages of packet filtering are the following:
1- Packet filters cannot prevent IP address spoofing or source-routing attacks. An attacker can substitute the IP address of a trusted host as the source IP address and the packet filter will not block the packet. Or the attacker can include routing information in the packet that includes incorrect routing information for return packets so that the packets are not returned to the actual host, but to the attacker’s computer.
2- Packet filters cannot prevent IP-fragment attacks. An IP-fragment attack splits a single IP packet into multiple fragments. Most packet-filtering firewalls check only the first fragment and assume that the other fragments of the same packet are acceptable. The additional fragments may contain malicious content.
3- Packet filters are not application-aware. You may be blocking the default Telnet port (Port 23) on your firewall, but allowing access to the Hypertext Transfer Protocol (HTTP) port (Port 80). If an attacker can configure a Telnet server to run on Port 80 on your network, the packets would be passed to the server.

Lesson 2: Configuring ISA Server as a Proxy Server

What Is a Proxy Server?
A proxy server is a server that is situated between a client application, such as a Web browser or a Winsock application, and a server to which the client connects. All client requests are sent to the proxy server. The proxy server creates a new request and sends the request to the specified server. The server response is sent back to the proxy server, which then replies to the client application. A proxy server can provide enhanced security and performance for Internet connections.

The most important reason for using a proxy server is to make the user’s connection to the Internet more secure. Proxy servers make the Internet connection more secure in the following ways:
1- User authentication: When a user requests a connection to an Internet resource, the proxy server can require that the user authenticate, either by forcing the user to enter a user name and password or by using the cached credentials stored on the client computer. The proxy server can then grant or deny access to the Internet resource, based on the authenticated user.
2- Filtering client requests: The proxy server can use multiple criteria to filter client requests. In addition to filtering the request based on the user making the request, the proxy server can filter requests based on the IP address, the protocol or application that is being used to access the Internet, the time of day, and the Web site the user requests.
3- Content inspection: Proxy servers can inspect all traffic to and from the Internet connection and determine if there is any traffic that should be denied. This may include examining the traffic content for inappropriate words, scanning for viruses, or scanning for file extensions.
4- Logging user access: Because all traffic flows through the proxy server, the server can log whatever the user does. For HTTP requests, this can include logging every URL visited by each user. The proxy server can be configured to provide detailed reports of user activity that can be used to ensure compliance with the organization’s Internet usage policies.
5- Hiding the internal network details: Because all requests for Internet resources come from the proxy server rather than from the internal client computer, the details of the internal network are hidden from the Internet. In almost all cases, no client computer information, such as computer name or IP address, is sent to the Internet resource. In some cases, such as when creating a Remote Desktop Protocol connection to a server on the Internet, the client computer name is transmitted on the Internet.

Another benefit of using a proxy server is to improve Internet access performance. The Web proxy server improves performance by caching requested Internet pages on the Web proxy server’s hard disk. When another user requests the same information, the proxy server provides the page from the cache rather than retrieving it from the Internet.

How Proxy Servers Work
Proxy servers can be used to secure both inbound and outbound Internet access. When a proxy server is used to secure outbound Internet access, it is configured as a forwarding proxy server. When a proxy server is used to secure inbound Internet access, it is configured as a reverse proxy server.

How Does a Forward Proxy Server Work?
Forward proxy servers are usually located between a Web or Winsock application running on a client computer on the internal network and an application server located on the Internet. The proxy server may be running at the connection point between the Internet and the internal network. In this case, the client computers may have no physical connection to the Internet other than through the proxy server. In other cases, a firewall may be deployed between the Internet and the proxy server, but all client computers will still be configured to use the proxy server.

The following steps outline how a forward Web Proxy server works for a Web application:
1. A client application, such as a Web browser, makes a request for an object located on a Web server. The client application checks its Web proxy configuration to determine whether the request destination is on the local network or on an external network.
2. If the requested Web server is not on the local network, the request is sent to the proxy server.
3. The proxy server checks the request to confirm that there is no policy in place that blocks access to the requested content.
4. If caching is enabled, the proxy server also checks if the requested object exists in its local cache. If the object is stored in the local cache and it is current, the proxy server sends the object to the client from the cache. If the page is not in the cache or if the page is out of date, the proxy server sends the request to the appropriate server on the Internet.
5. The Web server response is sent back to the proxy server. The proxy server filters the response based on the filtering rules configured on the server.
6. If the content is not blocked and it is cacheable, ISA Server saves a copy of the content in its cache and the object is then returned to the client application that made the original request.
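The six steps above, worked through as an added example that is not part of the original lesson or of ISA Server: a minimal forward Web proxy model with a policy check, a freshness-aware cache, response filtering by file extension, and a client-side local/remote decision. The blocked site, the local-domain suffix, the origin content and the `fake_origin` fetcher are all constructed stand-ins for the Internet.

```python
import time
from typing import Callable, Dict, Optional, Tuple

# Constructed policy: sites the proxy refuses outright, and response names it filters.
BLOCKED_SITES = {"blocked.example"}
BLOCKED_EXTENSIONS = (".exe", ".vbs")
LOCAL_SUFFIXES = (".corp.example",)   # constructed: hosts the client reaches directly

def client_uses_proxy(host: str) -> bool:
    # Steps 1-2: the client's proxy configuration decides whether a host is local.
    return not host.endswith(LOCAL_SUFFIXES)

class ForwardProxy:
    def __init__(self, fetch, now: Callable[[], float] = time.time):
        self.fetch, self.now = fetch, now   # fetch(url) -> (body, cacheable, max_age_s)
        self.cache: Dict[str, Tuple[bytes, float]] = {}   # url -> (body, expires_at)
        self.origin_requests = 0

    def handle(self, url: str) -> Tuple[str, Optional[bytes]]:
        """Returns (what happened, body or None) for a 'host/path' request."""
        host, _, path = url.partition("/")
        # Step 3: policy check before anything leaves the network.
        if host in BLOCKED_SITES:
            return "denied: site policy", None
        # Step 4: serve from cache when the object is present and still current.
        cached = self.cache.get(url)
        if cached and cached[1] > self.now():
            return "cache hit", cached[0]
        self.origin_requests += 1
        body, cacheable, max_age = self.fetch(url)
        # Step 5: filter the response (here by file extension, as the text mentions).
        if path.endswith(BLOCKED_EXTENSIONS):
            return "denied: response filter", None
        # Step 6: keep a copy of cacheable content, then answer the client.
        if cacheable:
            self.cache[url] = (body, self.now() + max_age)
        return "origin fetch", body

# Constructed stand-in for the Internet: url -> (body, cacheable, max_age_seconds).
ORIGIN = {
    "www.example/index.html": (b"<html>hello</html>", True, 60),
    "www.example/quotes.json": (b'{"price": 1}', False, 0),
    "www.example/setup.exe": (b"MZ-constructed", True, 60),
}

def fake_origin(url: str) -> Tuple[bytes, bool, int]:
    return ORIGIN[url]
```

Note that a filtered response is never cached, so a later request for the same object cannot bypass the filter via the cache.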

Installing and Managing ISA Server Clients

What Is a SecureNAT Client?
Client computers that do not have Firewall Client software are secure network address translation, or SecureNAT, clients. SecureNAT clients do not require any software installation or configuration, but the clients must be able to route requests for Internet resources through the ISA Server computer. To enable this, you must configure the default gateway on the SecureNAT clients and configure network routing, so that all traffic destined to the Internet is sent through the ISA Server computer.

When a SecureNAT client connects to the ISA Server computer, the request is directed first to the NAT driver, which substitutes the external IP address of the ISA Server computer for the internal IP address of the SecureNAT client. The client request is then directed to the Firewall service to determine whether access is allowed. Finally, the request may be filtered by application filters and other extensions. The Firewall service may also cache the requested object or deliver the object from the ISA Server cache.

Because SecureNAT clients require no software deployment and configuration, SecureNAT clients are the easiest to deploy. SecureNAT clients have other advantages:
1- SecureNAT clients also provide almost as much functionality as Firewall clients. For example, because SecureNAT client requests are passed through the Firewall Service, almost all options for filtering Internet requests apply to SecureNAT clients. If you block access to a specific Web site, or enable access for a specific protocol such as DNS, these rules will also be applied to SecureNAT clients.

2- Requests from SecureNAT clients can be passed to application filters, which can modify the requests to enable handling of complex protocols. For example, the FTP application filter in ISA Server manages the secondary connections for SecureNAT clients as well as for Firewall clients.

3- SecureNAT clients can use the Web Proxy service for Web access filtering and caching. The Firewall service can pass all HTTP requests to the Web Proxy service, which handles caching and ensures that site and content rules are applied appropriately.

4- Any operating system that supports Transmission Control Protocol/Internet Protocol (TCP/IP) can be configured as a SecureNAT client.

SecureNAT clients have two primary limitations:
1- You cannot control access to Internet resources based on users and groups. SecureNAT clients cannot pass authentication credentials to the ISA Server computer, so users cannot be authenticated. This means that if you configure access rules that require authentication, SecureNAT clients cannot access the resources enabled by the rule.

2- SecureNAT clients may not be able to use all protocols. Some protocols and applications require secondary connections. For example, when you use FTP, by default, the client initiates a primary connection to the server and the server then initiates a secondary connection to the client. ISA Server must use an application filter that edits the data stream to allow SecureNAT clients to use such protocols and applications. ISA Server includes several application filters, such as an FTP filter and an H.323 filter. If ISA Server does not include the appropriate application filter for a protocol or an application, SecureNAT clients cannot use this protocol or application.
