ISA Server Security Checklist - Part 2 Securing the ISA Server Configuration
|In part one of our ISA Server Security checklist series, we talked about how to secure the operating system and network interfaces on the ISA Server. In part 2 we'll focus on ISA Server specific configuration issues that you can use to optimize security.
ISA Server is completely secure when you first install it. The default configuration settings on ISA Server prevent all inbound and outbound access (with the exception of some DNS and ICMP packets that are allowed by the default packet filters). ISA Server only becomes insecure after you start configuring it.
Note: Before evening getting into the specifics of ISA Server configuration, you should always install the latest hotfixes for both Win2k and ISA Server. At the time of writing this article, MS has released a Security Hotfix Rollup that updates the operating system with all the currently available hotfixes since SP2. You should also install the ISA Server SP1.
In this section we'll focus on ISA Server security in the following realms:
Configuring ISA Server 2000 : Building Firewalls for Windows 2000
By Deb and Tom Shinder
Packet filtering must be enabled on the ISA Server. If you don't enable packet filtering, all ports that are opened by applications and services on the ISA Server will be open for business! The goal of enabling packet filtering on the ISA Server is to close off all ports on the external interface except those you have explicitly opened.
You have the option to allow IP Routing when packet filtering is enabled (actually, you can enable IP Routing even when packet filtering is disabled, but you will never want to do this). IP Routing is somewhat of a misnomer when it comes to moving packets between the Internet and the internal network. The reason for this is that all LAT hosts must use NAT to access the Internet. Even though NAT is considered a routing protocol, packets are not directly routed from the Internet to the internal network, so you don't have to worry about Internet packets being directly routed into your internal network.
However, IP Routing does allow non-TCP/UDP packets to move outbound from the internal network. IP Routing must be enabled to allow PPTP (which uses IP Protocol 47 GRE packets) and ICMP through the ISA Server. The problem with allowing IP Routing of these protocols is that you do not have any degree of access control over the routing of these packets. If you enable IP Routing everyone has access to outbound non-TCP/UDP protocols (as long as the packet filter is in place to support them).
This brings up the security weakness of packet filters and why you never use packet filters to control outbound or inbound access unless you really need to use them. Always use Protocol Rules and Publishing Rules to control outbound and inbound access.
You should also enable filtering of IP Options and IP Fragments. One of the most popular exploits on the Internet today involves bypass firewall protection through the use of fragmented packets. However, if you filter out IP fragments, you will find that some multimedia will not work correctly. Jim Harrison informs me that streaming over 100K is especially susceptible to breaking if fragment filtering is enabled. There should be some improvement in this regard with SP1, which allows for larger UDP packets. Be sure to test your application to ensure they work with fragment filtering enabled. IP Options filtering should always be enabled. This prevents source routed packet attacks.