Guidelines for Optimizing ISA Firewall Policy
Configuring firewall policy can be a complex affair on any firewall, including the ISA firewall. However, there are some general guidelines that you can use to optimize performance and security for your ISA firewall policy. Here is a approach you can use to order your rules, from the top down:
- Anonymous deny rules. Rules that deny specific access to all users are anonymous access rules and use the user group All Users. These rules should use the rule elements that require simple networking information. Examples of simple networking information include Protocol Definitions, Schedules and Network Objects (computer sets, ISA firewall Networks, computers, etc.) An example of such a rule would be a rule that denies all users access from anywhere to anywhere on protocols used by P2P applications.
- Anonymous allow rules. Rules that allow specific access to all users, defined by the All Users User Set. These rules should use the rule elements that require simple networking information as noted above. An example of such a rule would be one allowing access to the DNS protocol from the default Internal ISA firewall Network to the default External ISA firewall Network.
- Rules for specific IP addresses. Rules that allow or deny access for specific computers, as defined by their IP address.For example, a rule allowing UNIX computers that are members of a Computer Set access to the default External ISA firewall Network.
- Authenticated access rules, URLs, and MIME types, and also publishing rules. Rules containing rule elements requiring additional networking information, and that enforce policy for authenticated users, or for specific URLs or Multipurpose Internet Mail Extensions (MIME) types. Web and Server Publishing rules should also occur at this point in the rule order.
- Other allow rules. Rules that handle traffic that does not match rules that occur previously in the list of rules. For example, a rule allowing all traffic from the default Internal ISA firewall Network to the default External ISA firewall Network.
You should note that Web and Server Publishing Rules can actually be placed anywhere in the rule order after anonymous allow or deny rules.
For more information on ISA firewall policy best practices, check out http://www.microsoft.com/technet/prodtechnol/isa/2004/plan/firewall_policy.mspx