Using ISA 2004 Firewalls to Block Worm Attacks (v1.2)
By Thomas W Shinder MD, MVP
Got questions? Discuss this article over at
One of the key security features ISA Server 2004 firewalls bring to the plate is their ability to block a wide variety of viruses and worms. The ISA Server 2004 firewall can block external users from infecting your network and the ISA 2004 firewall can prevent infected hosts on the corporate network from infecting machines on external networks.
By default, the ISA Server 2004 firewall will not allow any exploit inbound to networks protected by the ISA firewall. The only way remote hosts can infect a protected host is if you create a publishing rule that allows access to the protected network or to the ISA Server 2004 firewall itself. However, this does not mean you are always at risk, because the ISA Server 2004 firewall is not only a stateful filtering firewall, its also a stateful application layer inspection firewall. The stateful application layer inspection filters can protect your published servers, even if a worm uses the port required to publish the server. For example, you can use the HTTP Security filter to protect all published Web servers and the secure Exchange RPC filter to protect published Exchange Servers.
I plan to update this document on an ongoing basis with links to articles on this site providing information on how to configure the ISA 2004 firewall to block worm and virus attacks. I’ll update this document each time a large outbreak takes place.
ARTICLES ON BLOCKING VIRUS AND WORM EXPLOITS:
Using ISA Server 2004 to Protect Against Nimda
Using ISA Server 2004 to Protect Against Code Red
At this time I have only completed the articles for the Ject, Sasser, Bagle MyDoom, SoBig, and Slammer exploits. I’ll update the links as I complete the other articles. Until then, you can go to the Microsoft ISA Server 2004 homepage (www.microsoft.com/isaserver) and get information on how to block these attacks.
If there are attacks that you’re interested in that aren’t already on this list, send me a note and I’ll schedule an article on how to block that attack. Thanks!
I hope you enjoyed this article and found something in it that you can apply to your own network. If you have any questions on anything I discussed in this article, head on over to http://forums.isaserver.org/ultimatebb.cgi?ubb=get_topic;f=25;t=000106 and post a message. I’ll be informed of your post and will answer your questions ASAP. Thanks! –Tom
If you would like us to email you when Tom Shinder releases another article on ISAserver.org, subscribe to our ‘Real-Time Article Update’ by clicking here. Please note that we do NOT sell or rent the email addresses belonging to our subscribers; we respect your privacy.