Using ISA 2004 Firewall Domain Name Sets to Control Internet Access

Using ISA 2004 Firewall Domain Name Sets to Control Internet Access


By Thomas W Shinder MD, MVP

Got questions? Discuss this article over at
http://forums.isaserver.org/ultimatebb.cgi?ubb=get_topic;f=25;t=000113

One of the more popular applications of the ISA 2004 firewall is to control what sites users can access through the ISA firewall. For example, you might want to limit a group of users to a specific collection of Web sites, while blocking access to all other sites. At the same time, you might want other groups to have full access to all sites on the Internet.

Get the New Book!

There are a number of ways this can be accomplished using ISA 2004 firewalls. In this article, we’ll focus on how to use the ISA 2004 firewall’s Domain Name Sets feature to control access to Internet servers. Domain Name Sets can be used by all ISA client types, including SecureNAT, Web Proxy and Firewall clients. However, if you want to control access by user or group, you need to configure the clients as Web Proxy or Firewall clients (or both).

Now I can hear you say “but I don’t want to install the Firewall client and I don’t want to configure the browsers as Web Proxy clients”. That’s fine, but you’ll have to go without user/group based authentication. The reason is there is no provision in the network or transport layers (or any layer under layer 7) to send user credentials to the firewall. So, all firewalls that perform user/group based authentication depend on a client “piece” to enforce authentication requirements.

The good news is that it’s fairly easy to automate provisioning for the Web Proxy and Firewall clients, and to automate the installation of the Firewall client. Check out the ISA Server 2000 in Education Deployment Kit (http://isaserver.org/tutorials/isaedukit.html) for details on how to automate these processes.

Domain Name Sets are used to control access to an entire site. For example, if you don’t want people going to any site in the cisco.com domain, then you create a Domain Name Set with the entry *.cisco.com. If you didn’t want anyone going to any site in the domain checkpoint.com, then you would create a Domain Name Set entry for *.checkpoint.com. If you wanted to block only a particular server in the cisco.com domain, you could create an entry like www1.cisco.com, and that could be used to block access to the www1.cisco.com server, but allow access to other servers on the cisco.com site.

An advantage of Domain Name Sets is that they apply to all protocols and all client types. In contrast, URL Sets are only used for Web connections. These Web connections must be handled by the Web proxy filter and include connections made using the HTTP, HTTPS and FTP (FTP from machines explicitly configured as Web Proxy clients) protocols.

For example, we create a URL set with an entry news.cisco.com and create a rule blocking connections to the site using any protocol. We then open the Outlook Express newsreader. The connection will be allowed to the news.cisco.com NNTP server because the URL Set is only evaluated for HTTP, HTTPS and HTTP tunneled (Web Proxy) FTP sessions.

WARNING:


It’s critical that you understand the differences between the functionality provided by Domain Name Sets and URL Sets. Remember that Domain Name Sets can be used to control access for all protocols and all client types. URL Sets control access for clients establishing a connection via the Web Proxy filter.

In this article we’ll take a look at two examples that demonstrate how to use ISA 2004 firewall Domain Name Sets:

  • A simple scenario, where we create a Domain Name Set for a list of blocked sites for all users
  • A less simple scenario, where you want to allow a group of users access to a selected group of sites, but want to block access to all other sites for all protocols

Before we get into the scenarios, let’s examine the basic network infrastructure used in our example.

The Lab Network

The figure below shows the IP addressing information, the operating system and the salient services running on each machine participating in our lab network.

The domain controller on the protected network behind the ISA 2004 firewall is also a DNS resolver for the network. The DNS resolver can resolve names for internal network clients and can also resolve names for Internet hosts. If the DNS root hints file is primed correctly on the DNS server on the DC, then you’ll be able to resolve Internet host names too using the same DNS server as that used to resolve internal network host names. Note that this is not my preferred configuration. I prefer the DNS server on the internal network to use a DNS forwarder that is under my control (such as a caching-only DNS server on the ISA firewall itself, or a caching-only forwarder on a DMZ segment). But to keep things simple in our current discussion, we’ll allow the DNS server on the Internal network domain controller to perform recursion to resolve Internet host names.

NOTE:

Depending on how you configured the DNS server, you may or may not have a “primed” (ready) Root Hints file. Check out http://support.microsoft.com/default.aspx?scid=kb;EN-US;249868 for information on fixing the problem.

The ISA 2004 firewall is a member of the internal network domain. We make this machine a member of the Internal network domain so that we can use the Active Directory user database to authenticate Firewall and Web Proxy client users. The ISA 2004 firewall must be a member of the Internal network domain to authenticate domain users that are Firewall clients. The ISA 2004 firewall does not need to be a member of the domain if you only want to authenticate Web Proxy clients. In the case of Web Proxy clients, you can use RADIUS to authenticate domain users. Full details on configuring RADIUS for Web Proxy clients are included in Tom and Deb Shinder’s Configuring ISA Server 2004.

In the current example, the ISA 2004 firewall is a bastion host because it has a network interface on an external, untrusted network. In general, I do not like a bastion host to be a member of the domain. A better solution is to put an ISA 2004 firewall that is not a domain member in front of the ISA 2004 firewall that is a domain member. This creates a back to back ISA 2004 firewall configuration and provides a very high level of protection for the Internal network. While it’s unlikely that the domain member ISA firewall will ever be compromised, the possibility always exists. The front-end firewall in this configuration provides a high level of security and better “peace of mind”.

NOTE:


In order to obtain a very high level of protection for your back-end ISA firewall, its important to have more than a stateful filtering firewall in front of the back-end ISA firewall. This is why I prefer to use an ISA 2004 firewall in front of the back-end ISA 2004 firewall. A basic stateful packet filtering firewall, like PIX or Netscreen, performs only stateful filtering but is unable to perform both stateful filtering and stateful application layer inspection. A simple stateful filtering ‘firewall’ provides only nominal protection for the services located on the DMZ segment between the front-end firewall and the domain member ISA firewall, and the stateful filtering device provides little or no protection for the back end ISA firewall. For details on these issues, check out ISA Firewall Fairy Tales – What Hardware Firewall Vendors Don’t Want You to Know at http://isaserver.org/articles/2004tales.html

The Windows XP client machine on the ISA 2004 protected network is configured as a Web Proxy, Firewall and SecureNAT client. The SecureNAT client configuration will apply to the first scenario we cover in this article where we block a group of sites to everyone. The Web Proxy and Firewall client configuration applies to the second example, where we block and allow sites based on group membership.

In general, all Windows clients should be configured as both Web Proxy and Firewall clients. They should be configured a SecureNAT clients only if you require SecureNAT functionality (e.g., if the machine needs PPTP or ICMP access). The exceptions to this rule are network servers, such as DHCP, DNS, Active Directory, Certificate, RADIUS, SQL, SharePoint and just about any other network server you can think of. These servers should never be configured as Firewall clients, although feel free to configure them as Web Proxy or SecureNAT client if you have a reason to do so.

I have done some very basic configuration of the ISA 2004 firewall in advance. The firewall rule set includes a DNS server Access Rule that allows all clients outbound access to the DNS protocol from the Internal network to the External network. You can lock this down a bit by allowing only the DNS server outbound access to the DNS protocol. I have also created an “all open” rule that allows outbound access to all protocols to all users from the Internal network to the External network. We’ll look at the effect of the rule order in each of the scenarios covered here.

Get the New Book!

Scenario 1: Blocking Servers for All Users using Domain Name Sets

In the first example, we create a rule that blocks all users from accessing all servers in the cisco.com, checkpoint.com and sonicwall.com domains. User authentication is not required because this rule will apply to all users.

There are a couple ways we can approach creating this deny rule. One way is to first create the Domain Name Set first and then create the Access Rule. That’s how we used to do things with ISA Server 2000 firewalls. The problem with this approach is that 9 times out of 10, I would forget to create the Destination Set before trying to create the rule. In contrast, the ISA 2004 firewall allows us to create rule elements “on the fly”, so we don’t need to create these elements in advance.

Perform the following steps to create the Deny Access Rule:

  1. In the Microsoft Internet Security and Acceleration Server 2004 management console, expand the server name and then click the Firewall Policy node.
  2. Click the Tasks tab in the Task Pane. On the Task Pane, click the Create a New Access Rule link.
  3. On the Welcome to the New Access Rule Wizard page, enter a name for the rule. In this example, we’ll name the rule Block Forbidden Sites. Click Next.
  4. On the Rule Action page, select the Deny option and click Next.
  5. On the Protocols page, select the default option All outbound traffic and click Next.
  6. On the Access Rule Sources page, click the Add button.
  7. In the Add Network Entities dialog box, click the Networks folder and then double click Internal. Click Close.
  8. Click Next on the Access Rule Sources page.
  9. On the Access Rule Destinations page, click the Add button.
  10. In the Add Network Entities dialog box, click the New menu and then click Domain Name Set.
  11. In the New Domain Name Set dialog box, enter in the Name text box Forbidden Sites. Click the New button. Enter *.cisco.com and press ENTER. Click the New button again and enter *.checkpoint.com and press ENTER. Click the New button one more time and enter *.sonicwall.com and press ENTER. Click OK.

  1. In the Add Network Entities dialog box, click the Domain Name Sets folder and then double click the Forbidden Sites entry. Click Close.

  1. Click Next on the Access Rule Destinations page.
  2. On the User Sets page, accept the default entry All Users and click Next.
  3. Click Finish on the Completing the New Access Rule Wizard page.
  4. Move the Forbidden Sites rule to the top of the list. The rule set now looks like that in the figure below.

  1. Click Apply to save the changes and update the firewall policy.
  2. Click OK in the Apply New Configuration dialog box.

The first rule will block connections from any host, using any protocol, to the forbidden sites. The second rule allows all hosts on the Internal network to access DNS servers on the Internet, and the third rule allows all users access to all sites on the Internet using any protocol. ISA 2004 firewalls evaluate connections from the top down and the first rule to match the connection’s parameters is applied. Well, almost. Rules that apply to authenticated users are also applied to unauthenticated users, so there’s sort of an implicit “unauthenticated users” group. We’ll examine this issue in more detail later in this article.

Now let’s test the connection. We’ll go to the Windows XP machine on the Internal network and try to connection to the www.cisco.com Web site using Internet Explorer. Remember, Internet Explorer is configured as a Web Proxy client (actually, it’s using the default configuration, which is to autodetect the proxy, and we’ve configured the required wpad entries to make this work). The figure below shows what the user sees when trying to access a forbidden site.

When we check out the connection in the ISA 2004 firewall’s log viewer, we can see that the Block Forbidden Sites rule denied the connection attempt to the site.

Next, let’s see what happens when we try to access a forbidden site using a non-Web protocol. We can simulate such a connection using the Telnet command. Open a Command Prompt and at the Command Prompt, enter telnet news.cisco.com 119 and press ENTER. You’ll see an error message indicating that the connection failed.

If we go to the ISA 2004 firewall’s log viewer, we can see that the Block Forbidden Sites rule denied the connection attempt to TCP port 119. Note the question mark to the right of the user name, Administrator. If you want to know what the question mark means, make sure to grab a copy of our ISA 2004 firewall book, Tom and Deb Shinder’s Configuring ISA Server 2004

Scenario 2: Limiting a Group of Users to a Collection of Sites

In this scenario, we will create a group called TEMPS and place user accounts of users who are temporary workers in that group. In this example, we have created a global security group called TEMPS and have created a user named Temp1. We then placed user Temp1 in the TEMPS Global Group. This prepares us for the ISA 2004 firewall configuration steps.

In the following procedure, we will create a rule that blocks the TEMPS group from accessing the Internet, with the exception of the microsoft.com., isaserver.org, and msexchange.org sites. In this example we will allow the members of the TEMPS group access to all protocols when accessing these sites. If we wanted, we could limit these users to just the HTTP and HTTPS protocols. These three sites contain all the information required by the users in the TEMPS groups. All other authenticated users will have access to all Internet sites by virtue of an “all open” authenticated users outbound access rule.

Perform the following steps to create the Deny rule that denies members of the TEMPS group access to all sites except the allowed sites:

  1. In the Microsoft Internet Security and Acceleration Server 2004 management console, expand the server name and then click the Firewall Policy node.
  2. In the Firewall Policy node, click the Tasks tab on the Task Pane. Click the Create a New Access Rule link.
  3. On the Create a New Access Rule Wizard page, enter a name for the rule in the Access Rule name text box. In this example, we’ll call this rule Block TEMPS Except TEMPS Sites. Click Next.
  4. On the Rule Action page, select the Deny option and click Next.
  5. On the Protocols page, select the All outbound traffic option in the This rule applies to list and click Next.
  6. On the Access Rule Sources page, click the Add button.
  7. In the Add Network Entities dialog box, click the Networks folder and double click the Internal network. Click Close.
  8. On the Access Rule Destinations page, click the Add button.
  9. In the Add Network Entities dialog box, click the Networks folder and double click the External network.
  10. Click Next on the Access Rule Destinations page.
  11. On the User Sets page, click the Add button. In the Add Users dialog box, click the New menu.
  12. On the Welcome to the New User Sets page, enter a name for the firewall group in the User set name text box. In this example, we’ll name the group TEMPS Access. Firewall groups allow you to group users based on firewall requirements, not Active Directory requirements. ISA 2004 Firewall Groups allows you to group users and does not require you to be a member of the domain admins group. Click Next.
  13. On the Users page, click the Add button. In the fly-out menu, click the Windows users and groups option.

  1. In the Select Users or Groups dialog box, click the Locations button and select the Entire Directory option. In the Enter the object names to select text box, enter TEMPS and click the Check Names button. The Temps entry will become underlined. Click OK.

  1. Click Next on the Users page.

  1. Click Finish on the Completing the New User Set Wizard page.
  2. In the Add Users dialog box, double click on the TEMPS Access Firewall Group. Click Close.
  3. On the User Sets page, click the All Users entry in the This rule applies to requests from the following user sets list and click the Remove button. Click Next.
  4. Click Finish on the Completing the New Access Rule Wizard page.
  5. In the Firewall Policy list in the details pane, double click the Block Temps Except Temps Sites rule.
  6. In the Block Temps Except Temps Sites Properties dialog box, click the To tab.
  7. On the To tab, click the Add button in the Exceptions section.

  1. In the Add Network Entities dialog box, click the New menu and then click the Domain Name Set command.
  2. In the New Domain Name Set Policy Element dialog box, enter TEMPS Allowed in the Name text box. Click the New button. Enter *.microsoft.com and press ENTER. Click the New button again. Enter *.isaserver.org and press ENTER. Click the New button one more time. Enter *.msexchange.org. Click OK.

  1. In the Add Network Entities dialog box, click the Domain Name Sets folder and then double click on the TEMPS Allowed entry. Click Close.

  1. Click Apply and then click OK in the Block Temps Except Temps Sites Properties dialog box.

  1. Move the DNS outbound Access Rule to the top of the firewall policy list, and make the Block Temps Except Temps Sites to second on the list, as it appears in the figure below. You might wonder why we need to do this. The reason is that although the condition on the Block Temps Except Temps Sites rule indicates that the rule only applies to the TEMPS group, the fact is that it also applies to any unauthenticated connections. However, the rule has more far-reaching effects than just blocking access to whatever is listed in the To column. If the first rule matching the connection’s parameters requires authentication, and the user is unable to authenticate, then the connection is DENIED, even though the connection was not initiated by a user in the Firewall Group for which the Rule was intended. Make sure you understand that last statement. Again, if there is a rule that applies to the connection by matching the connection’s characteristics, but the user is unable to authenticate, then the connection is DENIED. This is why we need to put the DNS access rule before the Block Temps Except Temps Sites rule. If we put the DNS access rule after the Block Temps rule, then the connection would match the Protocol, the From and the To for the Block Temps Except Temps Sites rule, an the connection would be denied, even though its an anonymous access attempt and not an attempt from a member of the TEMPS Access group. For this reason, I recommend that you put your anonymous allow rules before any authenticated deny rules (by ‘anonymous rule’ I mean any rule that applies to ‘all users’). I promise that you will have trouble with this and hopeful this rule matching model will change either with a service pack or a “dot” upgrade to the ISA 2004 firewall software.

Whenever I make a rule that denies a group access to all sites except for a small collection of sites, I like to make a rule that explicitly allows them access to the allowed sites. This helps keep things organized and doesn’t require that you depend on a “all open” rule or some other rule that provide them access to the required sites.

Perform the following steps to create the rule that allows the TEMPS group access to the TEMPS Allowed Domain Name Set:

  1. In the Microsoft Internet Security and Acceleration Server 2004 management console, click the Firewall Policy node and then click the Tasks tab on the Task Pane. Click the Create a New Access Rule link.
  2. On the Welcome to the New Access Rule Wizard page, enter a name for the rule in the Access Rule name text box. In this example, we’ll name the rule Allow TEMPS to TEMPS Allowed. Click Next.
  3. On the Rule Action page, select the Allow option and click Next.
  4. On the Protocols page, select the Selected protocols option in the This rule applies to list and then click the Add button.
  5. In the Add Protocols dialog box, click the Common Protocols folder and then double click on the HTTP and HTTPS protocols. Click Close.
  6. Click Next on the Protocols page.
  7. On the Access Rule Sources page, click the Add button.
  8. In the Add Network Entities dialog box, click the Networks folder and double click Internal. Click Close.
  9. Click Next on the Access Rule Sources page.
  10. On the Access Rule Destinations page, click the Add button.
  11. In the Add Network Entities dialog box, click the Domain Name Sets folder. Double click on the TEMPS Allowed entry and click Close.
  12. Click Next on the Access Rule Destinations page.
  13. On the User Sets page, click the All Users entry and click Remove. Click the Add button.
  14. In the Add Users dialog box, double click on the TEMPS Access Firewall Group and click Close.
  15. Click Next on the User Sets page.
  16. Click Finish on the Completing the New Access Rule Wizard page.

Now we’ll make one more change. Instead of an “all open” rule that applies to all users, we’ll change the “all open” rule we made before starting this exercise so that it applies to all authenticated users except for members of the TEMPS Access group. This will prevent the members of the TEMPS Access Firewall Group from using the anonymous “all open” rule to access sites outside of those we want them to access.

I should note that this is not strictly required, as the Block Temps Except Temps Sites rule should block all access from members of the TEMPS Access Firewall Group to sites and protocols outside of those allowed and explicitly allowed. However, I do recommend the approach we use here as it prevents you from getting into trouble by having groups “inadvertently” use a rule to access content they should not have otherwise accessed.

Perform the following steps to change the “all open” rule:

  1. In the Microsoft Internet Security and Acceleration Server 2004 management console, click on the Firewall Policy node.
  2. Click the Toolbox tab in the Task Pane. On the Toolbox tab, click the Users entry beneath it.
  3. Drag the All Authenticated Users entry from the list of Users to the Condition column for the All Open rule and then release the left mouse button. Click the Include command in the menu that appears.

  1. In the Users list, drag the TEMPS Access Firewall Group to the same location. This time, click the Exclude command.
  2. Next, right click the All Users entry for the All Open rule and click Remove

  1. Click Apply to save the changes and update the firewall policy.
  2. Click OK in the Apply New Configuration dialog box.
  3. Your firewall policy should look like the figure below.

The first rule allows all hosts on the Internal network access to DNS servers on the Internet. This is an anonymous access rule, so no host needs authenticate to match this rule.

The second rule, Block Temps Except Temps Sites, denies all outbound protocols from Internal network clients to the Internet if they belong to the TEMPS Access Firewall Group and if they are not able to authenticate. Again, there is no reason to expect that unauthenticated users should be denied, but they are. If a rule requires a user to authenticate and the user is unable to authenticate (is acting as a SecureNAT client), then the connection is denied. Go figure.

The third rule, Allow TEMPS to TEMPS Allowed, allows members of the TEMPS Access Firewall Group located on the Internal network access to only the HTTP and HTTPS protocols to sites in the TEMPS Allowed Domain Name Set. This rule does not allow access to other sites, and does not allow access to other protocols when members of the TEMPS Access Firewall Group connect to the allowed sites.

The last rule, All Open, allows all authenticated users access to all sites using all protocols, except for user in the TEMPS Access group. This rule provides for outbound “all open” for authenticated users while preventing members of the TEMPS Access Firewall Group from using this rule to access other sites.

Let’s test this rule set by logging onto the Windows XP machine as a domain admin. Domain admins are not a member of the TEMPS Access group, so they would fit into the groups All Users and Authenticated Users if they are using the Web Proxy and/or Firewall client configuration. Since the Windows XP is a Firewall and Web Proxy client, all TCP and UDP connections will be authenticated.

Open Internet Explorer and go to www.isaserver.org. You should get to the Web site successfully because the All Open rule allowed the connection, as seen in the figure below. Try other sites, like www.msexchange.org and www.windowsecurity.com. You will be able to connect to each of these sites because you are able to use the All Open rule to connect to them.

Log off of the Windows XP machine and log on as Temp1, who is a member of the TEMPS Global Group and a member of the TEMPS Access Firewall Group.

Open Internet Explorer and go to www.msn.com. You should see what appears in the figure below.

Now try to go to www.isaserver.org. You’ll be able to access the ISAServer.org home page. The log file entries look like what you see in the figure below.

However, this doesn’t mean this user has free reign over ISAServer.org Web sites. Remember, we limited users of the TEMPS Access Firewall Group to only the HTTP and HTTPS protocols. To test this, let’s do the NNTP test again using Telnet from the Command Prompt.

Open a Command Prompt on the Windows XP client and enter telnet www.isaserver.org 119 and press ENTER. You’ll receive an error indicating that the connection failed. If you look in the ISA 2004 firewall’s log file viewer, you’ll see a line like that in the figure below.

Get the New Book!

Summary

In this article we examined two scenarios where you can use Domain Name Sets to control outbound access through the ISA 2004 firewall. In the first scenario, we saw how we can create a deny rule that blocks specific sites for all users. In the second scenario, we saw how you can create Access Rules that allow a group of users access to a collection of sites using specific protocols and deny access to sites and protocols outside of those explicitly allowed. Domain Name Sets are a powerful tool that allow you to lock down SecureNAT, Web Proxy and Firewall clients with a minimum of effort. When combined with the principle of least privilege, your ISA firewall can provide a higher level of security than any other firewall on the market today.

I hope you enjoyed this article and found something in it that you can apply to your own network. If you have any questions on anything I discussed in this article, head on over to http://forums.isaserver.org/ultimatebb.cgi?ubb=get_topic;f=25;t=000113 and post a message. I’ll be informed of your post and will answer your questions ASAP. Thanks! –Tom

If you would like us to email you when Tom Shinder releases another article on ISAserver.org, subscribe to our ‘Real-Time Article Update’ by clicking here. Please note that we do NOT sell or rent the email addresses belonging to our subscribers; we respect your privacy.

Leave a Comment

Your email address will not be published.

Scroll to Top