Blocking Dangerous Sites with Domain Name and URL Sets
There are countless threats outside of the network trying to gain access to and exploit internal network resources if given the chance. The firewall is generally the primary guardian of the network, restricting unwanted traffic and preventing unauthorized access. ISA Server 2006 is employed by many organizations to address these network security concerns.
Outside threats are not the only concern though. Employees may waste significant amounts of time visiting non business-related Web sites, or possibly compromising network resources by visiting malicious Web sites.
Most organizations have policies restricting the activities that users are allowed to engage in on the Internet using company-owned computer resources. IT administrators have to be able to monitor and control that access, and be able to block access to malicious or inappropriate sites.
Domain Name Sets in ISA Server 2006
There are a variety of ways to accomplish this goal, but in this article we will focus on using Domain Name Sets and URL Sets to block access to dangerous or inappropriate sites. All ISA Server client types can use Domain Name Sets to block access. However, only Web Proxy and Firewall clients can be controlled at the group or user level.
Domain Name Sets enable you to block access to an entire site, such as espn.com. If you create a Domain Name Set with the entry *.espn.com, you will block users from going to any site within the espn.com domain and no longer have to worry about users spending all day checking sports statistics and standings. Similarly, you can create a Domain Name Set with the entry *.playboy.com to prevent users from visiting any sites on the playboy.com domain and viewing inappropriate material that could result in a sexual harassment suit or other HR consequences.
You can also use Domain Name Sets to block access at a more granular level by specifying a specific server on the domain. For example, you could create an entry for www3.espn.com to block access to the www3 server while still allowing access to the rest of the espn.com domain.
Domain Name Sets apply to all protocols and all client types. That means that once the Domain Name Set entry is created all traffic to the domain is blocked regardless of the ISA Server 2006 client type. If you are only concerned about Web connections, and not every network protocol, you can block access using URL Sets instead.
URL Sets in ISA Server 2006
URL Sets are similar to Domain Name Sets except that URL Sets only block access to Web connections. In order for URL Sets to be effective, the connections have to be made using the HTTP or HTTPS protocols (FTP servers configured as Web Proxy clients can also be blocked) and must be handled by the Web Proxy filter.
For example, you can create a URL Set with an entry for hotmail.com and create a rule to block access to hotmail.com using any protocol. Attempts to access the hotmail.com site with a Web browser will be blocked, but users with POP3 or SMTP clients configured will still be able to retrieve email from hotmail.com because the URL Set only applies to HTTP, HTTPS, and FTP sessions through the Web Proxy (tunneled HTTP).
It's important to remember the distinction between the Domain Name Sets and the URL Sets. URL Sets allow you to restrict access more surgically, blocking traffic to designated URLs using the HTTP and HTTPS protocols as long as the client establishing the connection is doing so via the Web Proxy filter. By contrast, Domain Name Sets are a more blanket approach, blocking access to domains regardless of protocol or client type.
Creating the Access Rules
Domain Name Sets and URL Sets need access rules applied as well in order to put them into action. You can create the Domain Name Set or URL Set as a function of the Access Rule Wizard. Follow these steps to create an Access Rule and the associated Domain Name or URL Set to block access:
Open the ISA Server 2006 management console
Expand the server name and select Firewall Policy
Click the Tasks tab in the Task Pane
Select Create a New Access Rule
Enter a name for the Access Rule. For this scenario, enter Block ESPN and click Next
Select Deny on the Rule Action page and click Next
On the Protocols page, the selection will depend on whether you want to create a Domain Name Set or a URL Set
- For a Domain Name Set, choose All Outbound Traffic
- For a URL Set, choose Selected Protocols and select HTTP and HTTPS (and possibly FTP if you choose)
Click Add on the Access Rule Sources page
Click on Networks and choose Internal, then click on Close
Select Add on the Access Rule Destinations page
On the Add Network Entities page, click on the appropriate selection: Domain Name Set or URL Set
Enter a name for the Domain Name or URL Set in the dialog box
Click New and add the domain that you want to block access to; in this case, *.espn.com
Remember, Access Rules are processed in sequential order. Make sure you move the new Access Rule, and any other Deny rules, to the top of the list. It makes sense to process rules denying access before proceeding to examine rules that allow access.
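To make the matching and ordering behaviour described above concrete (Domain Name Sets applying to every protocol and client type, URL Sets applying only to Web Proxy-filtered HTTP/HTTPS/FTP, and first-match rule processing), here is a small policy model written for this article. It is an added illustration, not ISA Server code; the Request and Rule types, the sample policy, and the assumption that a bare domain such as espn.com needs its own entry beside *.espn.com are the author's constructions, not ISA's documented semantics.

```python
from dataclasses import dataclass
from typing import Optional, Tuple
# Protocols the Web Proxy filter handles; URL Sets only ever see these (per the article).
WEB_PROXY_PROTOCOLS = frozenset({"HTTP", "HTTPS", "FTP"})

@dataclass(frozen=True)
class Request:
    protocol: str                 # e.g. "HTTP", "HTTPS", "POP3", "SMTP"
    host: str                     # destination host name
    via_web_proxy: bool = False   # True when the Web Proxy filter handles the connection

@dataclass(frozen=True)
class Rule:
    name: str
    action: str                                   # "Deny" or "Allow"
    protocols: frozenset = frozenset()            # empty = All Outbound Traffic
    domain_set: Optional[Tuple[str, ...]] = None  # Domain Name Set entries
    url_set: Optional[Tuple[str, ...]] = None     # URL Set entries (host patterns)

def host_matches(host: str, entries: Tuple[str, ...]) -> bool:
    # "*.espn.com" covers every host under espn.com; "www3.espn.com" covers one server.
    # Assumption: the bare domain (espn.com) has to be listed as its own entry.
    host = host.lower().rstrip(".")
    for entry in map(str.lower, entries):
        if host == entry or (entry.startswith("*.") and host.endswith(entry[1:])):
            return True
    return False

def rule_matches(rule: Rule, req: Request) -> bool:
    if rule.protocols and req.protocol not in rule.protocols:
        return False
    if rule.domain_set is not None:           # any protocol, any client type
        return host_matches(req.host, rule.domain_set)
    if rule.url_set is not None:              # only Web Proxy-filtered HTTP/HTTPS/FTP
        if req.protocol not in WEB_PROXY_PROTOCOLS or not req.via_web_proxy:
            return False
        return host_matches(req.host, rule.url_set)
    return True                               # no destination restriction

def evaluate(rules: Tuple[Rule, ...], req: Request) -> str:
    for rule in rules:                        # first match wins: Deny rules go at the top
        if rule_matches(rule, req):
            return rule.action
    return "Deny"                             # ISA's default rule denies everything else

POLICY = (  # constructed sample policy, Deny rules first as the article recommends
    Rule("Block ESPN", "Deny", domain_set=("*.espn.com", "espn.com")),
    Rule("Block Hotmail", "Deny", frozenset({"HTTP", "HTTPS"}), url_set=("hotmail.com", "*.hotmail.com")),
    Rule("Allow Internet", "Allow"),
)
```

Swapping the Allow rule ahead of the Deny rules in POLICY lets ESPN traffic through, which is the ordering mistake the paragraph above warns about.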
Determining What to Block
It is a valuable function to be able to block access to inappropriate and potentially malicious sites, but there are thousands, possibly tens of thousands, of such sites to block. Trying to block them all is impractical.
A different approach would be to monitor Web usage and identify any inappropriate or potentially malicious sites users visit frequently and target only those sites. This approach is still quite time consuming and tedious. It can be a full-time job in and of itself just to review log data and create rules to block access to unwanted domains.
It is possible to import lists of known inappropriate or malicious domains from TXT or XML files. Using this method is more efficient in terms of being able to quickly and easily block a variety of inappropriate sites. However, such lists are not all-inclusive. They may miss inappropriate sites frequented by your users, which places the responsibility back on you to monitor and block on a case-by-case basis.
Using Third-Party Tools to Restrict Access
Generally speaking, I recommend that administrators use the tools they have rather than investing scarce budget dollars buying third-party tools that duplicate native functionality. However, there is a convenience and efficiency factor that plays into that decision and makes a business case justifying the use of third-party applications in some instances. This is one of those instances in my opinion.
Yes, ISA Server 2006 has comprehensive controls for restricting and blocking access to inappropriate and potentially malicious web sites. However, configuring and maintaining that functionality requires too much time and effort. A third-party solution like GFI WebMonitor for ISA Server accomplishes the same thing without the effort, freeing you up to focus on more important tasks.
GFI WebMonitor utilizes a site categorization database that allows you to block access to websites by category, such as adult, sports, peer-to-peer (P2P) networking, or job search sites. The GFI URL database monitors content on over 165 million domains and is updated daily.
Rather than monitoring Web usage logs 24/7 and manually identifying sites to block, you can accomplish the same goal with a few clicks in GFI WebMonitor. Using a third-party tool like this enables you to reduce the amount of time wasted by employees online, protect the network from malicious attacks, and enforce Internet usage policies much more efficiently than trying to do it manually using the functionality built into ISA Server 2006.