Using ISA Server 2006 HTTP Security Filters to Block Instant Messaging
Often, new technologies emerge which consumers are quick to adopt and subsequently force the enterprise to reluctantly embrace. Eventually, uses within the business environment are discovered and as it turns out, the tools end up providing tremendous business value too - when used properly. Instant messaging is one such tool.
Not so long ago, home users began using instant messaging utilities such as ICQ and AOL Instant Messenger (AIM). They then brought instant messaging to work by setting it up on their desktop and laptop systems. Of course, since the tool was not endorsed by the company yet, the vast majority of those early ‘enterprise’ instant messaging sessions were just personal chatter between friends and family.
Eventually, instant messaging and the ability to see a user’s current status or availability (features that now make up part of the foundation of Unified Communications) were recognized as valuable tools for business communication and companies began to deploy instant messaging platforms. Within an enterprise though, instant messaging communications often must be logged and retained for compliance reasons. Controls must also be in place to prevent information leakage or malware compromise through the instant messaging client.
That is why it is so important for organizations to deploy instant messaging services they can manage, and why they must also restrict or eliminate the use of personal instant messaging tools within the enterprise. Microsoft ISA Server 2006 can be an effective tool for filtering and blocking rogue instant messaging tools in the enterprise.
ISA Server 2006 HTTP Filter
How can you use ISA Server 2006 to restrict access to instant messaging? The firewall in ISA Server 2006 has HTTP filtering capabilities that can be used for this purpose. The HTTP filter can inspect HTTP request and response headers and modify them.
By default, the ISA Server 2006 HTTP filter will only allow valid, RFC-compliant packets to pass through. However, the HTTP filter is also customizable, allowing you to configure it to block or restrict traffic based on various aspects of the packets including:
- HTTP methods allowed
- Request headers allowed
- Response headers allowed
- Specific content signatures
Restricting Instant Messaging
Preventing users from accessing instant messaging services is harder than it seems. Blocking the port(s) the service uses is ineffective because most instant messaging clients are designed to automatically reconfigure themselves to find other open ports if the default port is unavailable. In fact, instant messaging client applications frequently use common ports such as port 80 (HTTP) or port 21 (FTP), which are likely to be open in virtually any firewall.
Blocking instant messaging traffic by filtering ports will not work. The next line of defense would be a more robust firewall that can perform packet analysis. Instant messaging traffic differs from standard HTTP traffic, and a firewall that inspects the packets will be able to allow the HTTP traffic through while rejecting the instant messaging packets... or so the theory goes. Instant messaging clients have evolved to avoid detection by embedding the message traffic within an HTTP request.
Some instant messaging clients only embed their traffic in HTTP requests when the data goes through a proxy server. The client applications are generally able to reconfigure themselves automatically to route through a proxy if direct access to the instant messaging service is unavailable. Blocking the address of the proxy is not a viable solution because there are many free proxy servers available. Continually adding proxy servers to the block list would be an administrative headache, and the list of blocked addresses would quickly become cumbersome.
Modifying the Default HTTP Header
What is an administrator to do then? Well, with ISA Server 2006 the HTTP filter can be used to control the content of the HTTP Via header. The Via header is used to avoid request loops, identify the protocol capabilities of the devices in the communication route, and for tracking message forwards. Proxy servers require the HTTP Via header to be able to properly direct inbound and outbound traffic between the client and the proxy.
By default, ISA Server 2006 places the host name of the ISA firewall that is processing the request in this header. Regardless of any attempts to filter or restrict instant messaging traffic, the host name of the ISA Server should be considered sensitive information. Best practices suggest that the default name be changed to something more ambiguous that cannot be used by an attacker to gain information that might help them compromise the server. Follow these steps to modify the default HTTP header for each access rule that includes HTTP as a defined protocol:
- Right-click on each access rule
- Select Configure HTTP
- Click on the Headers tab
- Choose Modify header in request and response
- Go to the Change to: field
- Enter something ambiguous
Choose a value that does not give away the server's host name, operating system or platform. In other words, you also do not want the header information to default to ‘ISA Server’. There are other ways that an expert attacker would be able to determine that the firewall is an ISA Server, but you do not want to volunteer the information to less-skilled script-kiddie attackers.
If you have multiple ISA Server 2006 servers managing outbound network traffic you may want to assign each a unique name while still remaining ambiguous. For example, you could set the default HTTP header to Proxy1, Proxy2, etc. You get the idea.
Filtering Instant Messaging Traffic with ISA Server 2006
Changing the default information for the HTTP Via header may thwart attempts by instant messaging clients to use proxy servers to bypass address blocking, but it would not stop instant messaging traffic entirely. Users and instant messaging clients continue to evolve new methods of circumventing security controls.
To filter or block more clever instant messaging communication methods, you should employ a protocol analyzer such as Wireshark to monitor network traffic. The protocol analyzer provides detailed, packet-by-packet information that lets you determine the requests, methods, and other aspects of the instant messaging traffic so you can configure the ISA Server 2006 HTTP filter accordingly.
You can configure ISA Server 2006 to filter methods, file extensions, content signatures or other aspects of network traffic that you want to block on a case by case basis. Another approach would be to select the methods and other criteria that you want to allow and configure the HTTP filter to only accept packets that meet the authorized criteria. Regardless of whether you block what you do not want, or choose what you want and block everything else, the ISA Server 2006 HTTP filter is a powerful tool that allows you to establish very detailed control over the traffic that passes into or out of the network.
Figure 1: ISA Server 2006 provides comprehensive filtering capabilities for HTTP traffic
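As an added illustration (not code from the article, from Microsoft or from ISA Server itself), the following Python models the two controls described above: the Via header rewrite from the steps in the previous section, and a method/extension/signature filter that can run in either allow-list or block-list mode. The policy structure, the host name, the pseudonym, the signature pattern and the sample requests are all constructed assumptions, not ISA Server's object model or real client fingerprints.

```python
import re

# Constructed policy mirroring the HTTP filter settings the article names
# (methods, extensions, content signatures, Via header rewrite). The
# structure is this example's own, not ISA Server's object model.
POLICY = {
    "isa_hostname": "isa-fw01.corp.example",  # constructed; must never reach the wire
    "via_pseudonym": "Proxy1",                # the ambiguous "Change to:" value
    "method_mode": "allow",                   # "allow": listed methods only; "block": drop listed
    "methods": {"GET", "HEAD", "POST"},
    "blocked_extensions": {".exe", ".ocx"},
    # (header name, regex): a constructed signature, not a real client fingerprint
    "signatures": [("User-Agent", re.compile(r"\bexample-im-client\b", re.I))],
}

# Constructed sample requests (not captured traffic).
NORMAL = "GET /index.html HTTP/1.1\r\nHost: www.example.com\r\nVia: 1.1 isa-fw01.corp.example\r\n\r\n"
TUNNEL = "CONNECT chat.example.net:443 HTTP/1.1\r\nHost: chat.example.net\r\n\r\n"

def parse_request(raw):
    """Split a raw HTTP/1.1 request head into method, target and a header dict."""
    head = raw.split("\r\n\r\n", 1)[0]
    request_line, *lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers = {}
    for line in lines:
        if ":" in line:
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
    return method, target, headers

def rewrite_via(headers, hostname, pseudonym):
    """Replace the firewall's host name in Via with the ambiguous pseudonym."""
    via = headers.get("via")
    if via is None:
        headers["via"] = "1.1 " + pseudonym
    else:
        headers["via"] = re.sub(re.escape(hostname), pseudonym, via, flags=re.I)
    return headers["via"]

def evaluate(raw, policy=POLICY):
    """Return ("allow"|"block", reason) for one request under the policy."""
    method, target, headers = parse_request(raw)
    listed = method.upper() in policy["methods"]
    if policy["method_mode"] == "allow" and not listed:
        return "block", "method not on allow list: " + method
    if policy["method_mode"] == "block" and listed:
        return "block", "method on block list: " + method
    last = target.split("?", 1)[0].rsplit("/", 1)[-1]       # file name part of the path
    ext = ("." + last.rsplit(".", 1)[1]).lower() if "." in last else ""
    if ext in policy["blocked_extensions"]:
        return "block", "blocked extension: " + ext
    for name, pattern in policy["signatures"]:
        if pattern.search(headers.get(name.lower(), "")):
            return "block", "content signature matched in " + name
    rewrite_via(headers, policy["isa_hostname"], policy["via_pseudonym"])
    return "allow", "Via=" + headers["via"]
```

Switching `method_mode` to "block" and listing only the methods you want dropped shows the other approach from the paragraph above: everything not listed passes.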
Using Third-Party Tools to Monitor and Filter Traffic
You can accomplish the goal of blocking or restricting instant messaging access using the methods listed above. The whole process is a bit of a cat-and-mouse game, trying to stay one step ahead. Monitoring network traffic and inspecting packets is a burden that most administrators do not really have time for on a regular basis.
Another approach is a third-party application for ISA Server such as GFI WebMonitor, which automates many of the steps that would otherwise require an administrator to perform manually. It also means that, rather than dedicating time to monitoring traffic and developing rules to filter specific traffic, you can rely on the application vendor to keep tabs on current risks and threats and to develop the signatures and controls.
GFI WebMonitor for ISA Server goes beyond simply monitoring web traffic or blocking instant messaging and also provides tools to restrict web usage on a per-user basis by capping the bandwidth allowed or establishing time-based restrictions. It also provides additional security in the form of anti-phishing and anti-malware tools.
Whether you choose to rely on the robust HTTP filter capabilities of ISA Server 2006 to block access to instant messaging services, or implement a third-party application such as GFI WebMonitor, it is important to be able to establish and enforce security policies for your network and to be able to restrict or block traffic that may be harmful or violate compliance requirements.