March 2006

3 Ways To Get Wiser Web Access

Use ISA Server 2004 to restrict applications' Internet access

Solution Snapshot
PROBLEM: Differences in user needs make it difficult to block application access to the Internet, but allowing such access across the board opens your network to malicious activity
SOLUTION: Use an ISA Server 2004 firewall to lock down application access
WHAT YOU NEED: ISA Server 2004 Standard Edition or Enterprise Edition, installed on a server that has two or more network interface cards; Web browsers that can be configured to use a Web proxy server; Firewall client for ISA Server 2004
DIFFICULTY: 2 out of 5
SOLUTION STEPS:

  1. Use access rules to block application access to dangerous sites
  2. Use the HTTP Security Filter to block unapproved Web-enabled applications
  3. Use the ISA Server 2004 Firewall client to block unapproved applications

The challenge: You need to block certain network applications from accessing the Internet, according to your company's network-use policy. The complication: Some users or groups have a legitimate need for Internet access through those applications. The solution: Deploy a Microsoft Internet Security and Acceleration (ISA) Server 2004 firewall to obtain granular control over the applications and services that users can access through the firewall.

The ISA firewall includes and supports several technologies that you can use to control which applications, protocols, and servers users on an ISA firewall-protected network can access. The ISA firewall provides the advantages of both stateful packet and application-layer inspection. The firewall's stateful packet inspection feature enables it to stop attacks at the network and transport layers of the TCP/IP protocol stack. ISA Server's application-layer inspection capabilities enable the firewall to control network access at the application layer. The ISA firewall can perform application-layer inspection through both proxied (Web and Winsock) and non-proxied connections.

You can configure the ISA firewall to enable Internet access for network applications for some users, while blocking that same access for other users. This solves the problem of differential access requirements for different users and groups and also gives you the means to create a strong audit trail to track which users use which applications to connect to which sites at which time of day. You can use three methods in particular to obtain a high level of access control over application access through the firewall:

  • Method 1: Use access rules to block application access to dangerous sites
  • Method 2: Use the HTTP Security Filter to block unapproved Web-enabled applications
  • Method 3: Use the ISA Server 2004 Firewall client to block unapproved applications

METHOD 1:
Use Access Rules to Block Application Access to Dangerous Sites

Access rules control outbound access through the ISA firewall. The concept of outbound access through an ISA Server 2004 firewall is a bit different from that in earlier ISA firewalls because ISA Server 2004 firewalls have no concept of a trusted network. The idea of outbound access from an internal, trusted network to an external, untrusted network no longer applies. In ISA Server 2004, outbound access is always configured through access rules; inbound access is always configured through Web or server publishing rules. Rules are evaluated in order, the first rule that matches a request decides it, and the built-in Default rule at the bottom of the list denies whatever no earlier rule allowed. Access rules control application access through the firewall based on the following parameters:

  • the source IP address of the host making the request
  • the destination address or Fully Qualified Domain Name (FQDN) of the requested resource
  • the source and destination port included in the request
  • the user making the request
  • the time of day that the request is made

Access rules are useful when applications (such as HTTPTunnel) require access to specific port numbers or servers. For example, there's a class of applications that malicious entities can use to subvert firewall and network-usage policy by tunneling other application protocols inside ordinary HTTP requests and responses, making HTTP the transport for the tunneled application protocol. In this way HTTP can encapsulate protocols such as Internet Relay Chat (IRC), Network News Transfer Protocol (NNTP), POP3, and SMTP. These application protocols can then be used to transfer data to and from the corporate network whenever a firewall is configured to allow outbound connections to TCP port 80 (the standard Web port) or 443 (the secure Web port).

You can use the ISA firewall to stop the use of dangerous HTTP tunneling applications by preventing connections to well-known HTTP tunneling proxy gateways. Blocking the third-party application gateway stops the tunnel from being established and therefore stops users from using an otherwise unapproved protocol. Because this is a destination-based block, it catches only the gateways you have enumerated in a domain name set or computer set; tunnels to gateways you don't know about need the content-based inspection described in Method 2.

Blocking access to these HTTP tunneling proxies also solves another problem. Tunneling applications often use Secure Sockets Layer (SSL)/Transport Layer Security (TLS) encryption to prevent HTTP filtering firewalls such as the ISA firewall from inspecting application headers in outbound HTTP communications. (The ISA firewall can perform HTTP inspection on inbound SSL-encrypted sessions, via SSL bridging on Web publishing rules, but it can't inspect outbound SSL sessions, so a rule that blocks the gateway's name or address is the only hold you have on an encrypted tunnel.)
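The following is an added example, not code from the article or from ISA Server: a small model of how the five rule parameters listed above combine when the ISA firewall evaluates its ordered access-rule list, applied to the tunneling-gateway block just described. It assumes ISA 2004 semantics (top-to-bottom evaluation, first match wins, a trailing Default rule that denies everything) and uses a constructed policy: a group that is allowed to reach a placeholder domain set of tunneling gateways during business hours, an explicit deny of those gateways for everyone else, and ordinary Web access for authenticated users on the internal subnet. The host names, subnet, users and groups are placeholders invented for the example. Note that the allow rule for the privileged group must sit above the deny rule, or the deny rule matches first and the exception never fires.

```python
"""Model of ISA Server 2004 access-rule evaluation (added example, not ISA code).

Assumptions: rules form an ordered list, evaluated top to bottom, first match wins,
and an implicit final Default rule denies everything, as ISA 2004 does.
The network, users, domain set and rules below are constructed for this example;
the gateway host names are placeholders, not real tunneling services.
"""
from dataclasses import dataclass, field
from datetime import time
from ipaddress import ip_address, ip_network
from typing import Optional

ALLOW, DENY = "allow", "deny"


@dataclass
class Request:
    src_ip: str
    dst_host: str          # FQDN presented by the Web proxy or Firewall client
    dst_port: int
    user: Optional[str]    # None = unauthenticated (SecureNAT-style) request
    when: time


@dataclass
class Rule:
    name: str
    action: str
    sources: list = field(default_factory=list)   # CIDR strings; empty = any source
    domains: list = field(default_factory=list)   # domain-set entries; "*.x" matches subdomains
    ports: list = field(default_factory=list)     # destination TCP ports; empty = any port
    groups: list = field(default_factory=list)    # user groups; empty = all users, anonymous included
    hours: Optional[tuple] = None                 # (start, end) time-of-day window; None = always

    def matches(self, r: Request, membership: dict) -> bool:
        if self.sources and not any(ip_address(r.src_ip) in ip_network(n) for n in self.sources):
            return False
        if self.domains and not any(host_in(r.dst_host, d) for d in self.domains):
            return False
        if self.ports and r.dst_port not in self.ports:
            return False
        if self.groups:
            # A rule scoped to groups can never match an unauthenticated request.
            if r.user is None or not (membership.get(r.user, set()) & set(self.groups)):
                return False
        if self.hours and not in_window(r.when, *self.hours):
            return False
        return True


def host_in(host: str, pattern: str) -> bool:
    """Domain-set match: exact name, or '*.suffix' matching the suffix and its subdomains."""
    host, pattern = host.lower().rstrip("."), pattern.lower()
    if pattern.startswith("*."):
        return host == pattern[2:] or host.endswith(pattern[1:])
    return host == pattern


def in_window(t: time, start: time, end: time) -> bool:
    """Time-of-day window, including windows that cross midnight (e.g. 22:00-02:00)."""
    if start <= end:
        return start <= t < end
    return t >= start or t < end


def evaluate(rules, r: Request, membership: dict):
    """Return (action, rule_name) for the first matching rule, else the Default deny."""
    for rule in rules:
        if rule.matches(r, membership):
            return rule.action, rule.name
    return DENY, "Default rule"


# --- constructed sample policy (placeholders, not real hosts or accounts) ---
TUNNEL_GATEWAYS = ["*.tunnel-gateway.example", "httptunnel.example"]
MEMBERSHIP = {"alice": {"Domain Users", "NetOps"}, "bob": {"Domain Users"}}
POLICY = [
    # Exception first: NetOps may reach the gateways, but only during business hours.
    Rule("Allow NetOps to tunnel gateways", ALLOW, domains=TUNNEL_GATEWAYS,
         ports=[80, 443], groups=["NetOps"], hours=(time(8), time(18))),
    # Everyone else is denied the gateways explicitly, so the log names this rule.
    Rule("Deny HTTP tunnel gateways", DENY, domains=TUNNEL_GATEWAYS),
    # General Web access for authenticated users on the internal subnet.
    Rule("Allow Web for Domain Users", ALLOW, sources=["10.0.0.0/8"],
         ports=[80, 443], groups=["Domain Users"]),
]


def decide(src_ip: str, dst_host: str, dst_port: int, user: Optional[str], hour: int):
    """Evaluate one request against the sample policy; returns (action, rule_name)."""
    return evaluate(POLICY, Request(src_ip, dst_host, dst_port, user, time(hour)), MEMBERSHIP)


if __name__ == "__main__":
    for args in [("10.1.2.3", "httptunnel.example", 443, "alice", 10),
                 ("10.1.2.3", "proxy.tunnel-gateway.example", 80, "bob", 10),
                 ("10.1.2.3", "httptunnel.example", 443, "alice", 20),
                 ("10.1.2.3", "www.example.com", 80, None, 10)]:
        print(args, "->", decide(*args))
```

The anonymous request to www.example.com falls through to the Default rule because the Web-access rule is scoped to a group; that is the same reason a rule built on "All Authenticated Users" never matches traffic from a client that can't authenticate, so the audit trail always names the rule that allowed or denied each request.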
