Microsoft ISA Server, Part II - Firewall Functions, Publishing Policy Rules
In the previous article we were concerned with the primary functions of the Microsoft Internet Security & Acceleration Server (ISA Server). We addressed issues including the product's position in the wide range of firewalls available on the market, product installation tips and procedures, as well as basic setups. In this article, we will focus on the impressive range of security solutions offered by ISA Server and the methods that allow information on servers in the internal network to be securely published to external Internet clients.
The IT security strategy incorporated within ISA Server addresses the need for secure internal networking, both for small businesses that use a few computers connected to the Internet via modem and for large, highly networked corporations that use Internet connectivity routinely. Despite the product name (Internet Security & Acceleration Server), which clearly implies its application sphere, it can be effectively employed in many other situations. We will illustrate this with the example of an enterprise that isolates individual departments according to its users' needs by installing an ISA Server into the corporate topology between, say, the accounting department or management office subnet and the rest of the network.
ISA Server Security Configuration
It is recommended to define the server security level before beginning the ISA Server security configuration. To configure the appropriate security level, right-click the server icon in the window:
Servers and Arrays -> Server name -> Computers and select "Secure..." to start the wizard.
After the wizard starts, a warning message will appear saying that any changes made to the settings cannot be undone.
Fig. 1 ISA Server Configuration Wizard warning
There are three levels of security available through the wizard, so in the next step configure the security level appropriate for your ISA Server. When selecting security options, consider primarily the services the server is to provide, for instance whether it is intended to perform firewall-only services or also domain controller or file server roles. The access level granted to the server then depends on this choice.
Fig. 2 Choosing ISA Server security level
To configure the chosen security level, apply one of the security template files listed in Table 1, which are provided for this purpose.
Table 1 ISA Server Security scenarios
Domain Controller Security Template
All these templates are available in the directory %SystemRoot%\security\Templates\. If necessary, the security scenarios can be modified. Knowledgeable administrators may create their own security schemes to meet the requirements established in the company's IT security policies and to provide maximum control over access to the server and to the files it contains and manages.
Once these procedures are completed, the Active Directory schema will be updated and you will be prompted to restart the computer.
Policy-based Access Control
As with most firewalls, ISA Server gives the administrator the possibility to configure detailed usage policies. These rules apply to both outgoing traffic (e.g. from local users) and incoming traffic (e.g. from external users, teleworkers or potential hackers). Every packet that passes through ISA Server can be logged, so the log then records details of Internet connection usage, attack attempts, etc. Prior to configuring the access policy rules, one should define the access policy elements the rules will refer to. These are available at the tab: Servers and Arrays -> Server Name -> Policy Elements.
These policy elements include:
Schedules - these determine when the rule is in effect. They allow configuration of a very flexible security policy. For example, a group of users can be restricted to access specific Web pages during working hours and to have full Internet access at all other times.
Bandwidth priorities - to prioritize ISA Server-based network connections. There is a default bandwidth rule - all connections have the same priority.
Destination sets - this set may contain the IP address, the IP range, computer name and a specific path on the destination server and may give access, for example, to the following destination only: www.faq.net.pl/binaries. You can use an asterisk (*) to specify a group of all computers in the domain. E.g., if there is a need to create a group encompassing all computers from the domain bsi.net.pl, produce the destination set containing "*.bsi.net.pl". Destination sets can be further used when configuring the following access policy elements: Site and Content Rules, Bandwidth Rules, Web Publishing Rules and Routing Rules.
Client Address Sets - the client sets containing the IP address ranges. These can also be used when configuring the following access policy elements: Site and Content Rules, Bandwidth Rules, Web Publishing Rules, Server Publishing Rules and Routing Rules.
Protocol Definitions - these include a list of preconfigured protocol definitions available on ISA Server that are further used to create Protocol Rules and Server Publishing Rules. In addition to predefined protocols, customisable protocols can be created and used. In order to create a customised protocol, one must specify the following information: the number (between 1 and 65535) of the port that will be used for communication, the protocol type (TCP or UDP), and the direction of the traffic (Inbound or Outbound). There is also an option called "secondary connections", which is the range of port numbers, protocol, and direction used for additional connections or packets that follow the initial connection.
Content Groups - include groups of file types subdivided in eleven categories: Applications, Application Data Files, Audio, Compressed Files, Documents, HTML Documents, Images, Macro Documents, Text, Video, and VRML.
Dial-Up Entries - these specify the connectivity between the ISA Server computer and the Internet (or other Dial-Up servers) for dial-up connections. In order to configure this feature properly, specify the name of the Windows 2000 connection and then the login and the password of the authorized user.
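The following is an added example (not ISA Server code and not its API) that models three of the policy elements just described as plain Python objects, so that the matching behaviour can be tried out offline: a destination set with the article's "*.bsi.net.pl" wildcard and "www.faq.net.pl/binaries" path entry, a schedule for office hours, and a client address set. The exact wildcard semantics and the "Accounting" address range are assumptions for illustration; the function at the end combines the three elements the way an "Allow" Site and Content Rule does, which the article covers later.

```python
"""Toy model of ISA Server policy elements: destination sets, schedules and
client address sets. Added example, not ISA Server code; matching semantics
(wildcard anchoring, path-prefix restriction) are assumptions."""
import ipaddress
from dataclasses import dataclass
from datetime import datetime
from fnmatch import fnmatchcase


@dataclass
class DestinationSet:
    """Entries are 'host[/path]'; the host part may use '*', e.g. '*.bsi.net.pl'."""
    name: str
    entries: list

    def matches(self, host: str, path: str = "/") -> bool:
        host = host.lower()
        path = path.lstrip("/")
        for entry in self.entries:
            entry_host, _, entry_path = entry.lower().partition("/")
            # The text after '*' anchors the pattern: '*.bsi.net.pl' matches
            # www.bsi.net.pl but not bsi.net.pl.example.com
            if not fnmatchcase(host, entry_host):
                continue
            # A path in the entry restricts the match to that subtree only
            if entry_path and not path.startswith(entry_path):
                continue
            return True
        return False


@dataclass
class Schedule:
    """Active on the given weekdays (0 = Monday) from start_hour up to end_hour."""
    name: str
    weekdays: tuple = (0, 1, 2, 3, 4)
    start_hour: int = 9
    end_hour: int = 17  # exclusive, i.e. 09.00-17.00 as in the text

    def active_at(self, when) -> bool:
        if isinstance(when, str):  # accept ISO strings for convenience
            when = datetime.fromisoformat(when)
        return (when.weekday() in self.weekdays
                and self.start_hour <= when.hour < self.end_hour)


@dataclass
class ClientAddressSet:
    """IP ranges given as inclusive (first, last) address pairs."""
    name: str
    ranges: list

    def contains(self, ip: str) -> bool:
        addr = ipaddress.ip_address(ip)
        return any(ipaddress.ip_address(lo) <= addr <= ipaddress.ip_address(hi)
                   for lo, hi in self.ranges)


# Constructed sample elements mirroring the article's examples
WORK_HOURS = Schedule("Work hours")
SECURITYNET = DestinationSet("securitynet", ["www.securitynet.pl"])
BSI_DOMAIN = DestinationSet("bsi", ["*.bsi.net.pl"])
FAQ_BINARIES = DestinationSet("faq-binaries", ["www.faq.net.pl/binaries"])
ACCOUNTING = ClientAddressSet("Accounting", [("192.168.10.1", "192.168.10.254")])


def site_rule_allows(dest: DestinationSet, clients: ClientAddressSet,
                     schedule: Schedule, client_ip: str, host: str,
                     path: str, when) -> bool:
    """An 'Allow' Site and Content Rule applies only if all three elements match."""
    return (clients.contains(client_ip) and dest.matches(host, path)
            and schedule.active_at(when))


if __name__ == "__main__":
    # Accounting may reach www.securitynet.pl on Monday 11 June 2001 at 10:00 ...
    print(site_rule_allows(SECURITYNET, ACCOUNTING, WORK_HOURS,
                           "192.168.10.77", "www.securitynet.pl", "/", "2001-06-11T10:00"))
    # ... but not at 18:00 the same day
    print(site_rule_allows(SECURITYNET, ACCOUNTING, WORK_HOURS,
                           "192.168.10.77", "www.securitynet.pl", "/", "2001-06-11T18:00"))
```

The point worth noticing is that the wildcard is anchored by the suffix that follows it: a host such as bsi.net.pl.example.com does not fall into the "*.bsi.net.pl" set, so a destination set written this way cannot be widened by a look-alike name.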
Once these policy elements have been defined, one can configure the access rules, which are provided in the "Access Policy" tab and include the following three elements:
Site and Content Rules - which control access to specific destination servers and certain contents, objects and locations,
Protocol Rules - define which protocol clients can use to access the Internet,
IP Packet Filters - rules that govern packet filtering.
Fig. 3 when configuring Access Rules one will go through Policy Elements and Access Policy tabs
Site and Content Rules
With these rules, the network administrator determines access to content outside the firewall. They specify whether and when a client, user or client set can access particular destination sets.
One can allow or deny access to the Internet by creating site and content rules as appropriate. By default, ISA Server denies the use of every protocol.
The illustration below is an example configuration for rules that allow the internal network users to access the URL: www.securitynet.pl during office hours (09.00-17.00).
Prior to configuring access rules, one must create the following three access policy elements:
Destination Sets,
Schedules,
Client Address Sets.
All three elements are to be created using a wizard that appears after opening the "Policy Elements" menu. Right-click "Site and Content Rules" and select "New" to start the New Site and Content Wizard allowing easy creation of a new filter.
The New Site and Content Wizard
1. Rule Action screen. One can select either of two possible server actions in relation to an event:
Allow - permits access to the external sites,
Deny - clients using that definition will be denied access to the external sites. For HTTP content there is the possibility to redirect requests to another server, which can also state the reason why the site cannot be accessed.
In this example, Allow will be selected:
2. How to apply the rule. There are four options to select from:
Allow access based on destination,
Allow access only at certain times,
Allow some clients access to all external sites,
Custom - allows for a detailed definition of all three parameters contained in a single access rule.
In this example, Custom will be selected:
3. Destination Sets screen. There are three options to select from:
All internal destinations,
All external destinations,
Specified destination sets - (from the drop-down box select the destination set created in the policy elements).
All destinations except selected sets.
From the drop-down box select the destination set corresponding to the address www.securitynet.pl.
4. Schedule screen - defines the times when the user will have access to the specified external sites. Select the appropriate schedule from the drop-down box (as with "Destination Sets").
Fig. 4 Scheduling access times
5. Client type screen. There are two options to select from:
Specific computers (client address sets) - one must specify the IP addresses of the computers to which the rule will apply,
Specific users and groups - one must specify the users or groups (through Active Directory) to which the rule will apply.
6. Determining the content types on the external sites to which the rule applies. In ISA Server, content is subdivided into eleven groups:
Applications, Application Data Files, Audio, Compressed Files, Documents, HTML Documents, Images, Macro Documents, Text, Video, and VRML.
The contents for individual groups can be viewed at Policy Elements -> Content Groups.
Right-click "Content Groups" and select "New" to start the wizard that creates a custom content group.
Specify the set of document types that the users may access.
Fig. 5 On the Content Groups screen one can specify the types to which the rule created will apply.
Protocol rules determine the types of Internet connections that clients are allowed to make. One must adhere strictly to the configuration principles when defining rules for communication with external networks. When a client requests communication with a specific object in the external network, ISA Server checks whether a rule allowing communication over that particular protocol has been created. If no such rule exists, or access to the protocol is denied, the request is rejected. Otherwise, the server checks whether the administrator has permitted the user to access this specific site (in the Site and Content Rules). Since the protocol rules and the site and content rules work hand in hand, the user is allowed to access the site only if both "agree".
When creating rules, be aware that the sequence in which they appear is irrelevant; however, rules that deny protocols are processed before rules that allow access. More specifically, if you configure two conflicting rules, one that allows and one that denies access over SMTP, all SMTP traffic will be blocked.
Note also that selecting "All protocols" means only the protocols defined in the Protocol Definitions. In other words, any non-standard protocols used in the network must be added to the protocol definitions; otherwise, even with "All Protocols" selected, a non-standard protocol will be denied.
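The following added example (not ISA Server code; a model written for this page) reproduces the three evaluation properties just described so they can be checked on sample rules: a Deny rule wins over an Allow rule for the same protocol whatever the list order, "All protocols" only covers names present in the Protocol Definitions, and a request passes only when the protocol rule and the site and content rule both allow it. The protocol definition table and the rule names are constructed; the site and content rule is simplified to a plain list of host names.

```python
"""Toy model of how ISA Server combines Protocol Rules with Site and Content
Rules. Added example, not ISA Server code; the sample protocol definitions
and rules are constructed for illustration."""
from dataclasses import dataclass

ALL_PROTOCOLS = "All protocols"

# Protocol Definitions: name -> (port, transport, direction). Only names listed
# here exist as far as "All protocols" is concerned. (Constructed sample.)
PROTOCOL_DEFINITIONS = {
    "HTTP": (80, "TCP", "Outbound"),
    "HTTPS": (443, "TCP", "Outbound"),
    "SMTP": (25, "TCP", "Outbound"),
    "POP3": (110, "TCP", "Outbound"),
}


@dataclass(frozen=True)
class ProtocolRule:
    name: str
    action: str                       # "Allow" or "Deny"
    protocols: frozenset              # protocol names, or {ALL_PROTOCOLS}
    clients: frozenset = frozenset()  # client IPs; empty = everyone

    def applies(self, client_ip: str, protocol: str) -> bool:
        if self.clients and client_ip not in self.clients:
            return False
        return ALL_PROTOCOLS in self.protocols or protocol in self.protocols


@dataclass(frozen=True)
class SiteRule:
    """Simplified Site and Content Rule: an action for a set of host names."""
    action: str       # "Allow" or "Deny"
    hosts: frozenset


def protocol_allowed(rules, client_ip: str, protocol: str) -> bool:
    """Deny rules are processed before Allow rules, regardless of list order."""
    if protocol not in PROTOCOL_DEFINITIONS:
        # A protocol without a definition is never matched, even by "All protocols"
        return False
    matching = [r for r in rules if r.applies(client_ip, protocol)]
    if any(r.action == "Deny" for r in matching):
        return False
    # With no rules at all, nothing is allowed: the default is deny
    return any(r.action == "Allow" for r in matching)


def site_allowed(site_rules, host: str) -> bool:
    """Same deny-before-allow processing, applied to the requested site."""
    matching = [r for r in site_rules if host in r.hosts]
    if any(r.action == "Deny" for r in matching):
        return False
    return any(r.action == "Allow" for r in matching)


def request_allowed(protocol_rules, site_rules, client_ip: str,
                    protocol: str, host: str) -> bool:
    """The protocol is checked first; the site is only consulted if it passes."""
    return (protocol_allowed(protocol_rules, client_ip, protocol)
            and site_allowed(site_rules, host))


# Constructed sample policy: SMTP is both allowed and denied, web is allowed
PROTOCOL_RULES = [
    ProtocolRule("Allow SMTP", "Allow", frozenset({"SMTP"})),
    ProtocolRule("Deny SMTP", "Deny", frozenset({"SMTP"})),
    ProtocolRule("Allow web", "Allow", frozenset({"HTTP", "HTTPS"})),
]
SITE_RULES = [SiteRule("Allow", frozenset({"www.securitynet.pl"}))]
ALLOW_EVERYTHING = [ProtocolRule("Allow all", "Allow", frozenset({ALL_PROTOCOLS}))]

if __name__ == "__main__":
    print(request_allowed(PROTOCOL_RULES, SITE_RULES, "10.0.0.5", "HTTP", "www.securitynet.pl"))
    print(request_allowed(PROTOCOL_RULES, SITE_RULES, "10.0.0.5", "SMTP", "www.securitynet.pl"))
```

Reversing the order of PROTOCOL_RULES does not change the outcome for SMTP, and the ALLOW_EVERYTHING policy still rejects a protocol name that has no definition, which is the behaviour the text warns about for non-standard protocols.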
Continuing the previous example: if one wants to allow the users to reach the site www.securitynet.pl, the HTTP protocol must be enabled.
Following that step, proceed as follows:
Start the "Protocol Rules" wizard,
Select the specific users to (Allow), or (Deny) using the protocol,
Select the protocol.
Fig. 6 Configuring the protocol to which the rule applies
On the Schedule screen, select the times during which the protocol may be used, for example from 9.00 a.m. to 5.00 p.m.
As with Site and Content Rules, select the users or groups of computers that may use the protocol.
Once the above filters are properly configured, the users will be allowed to access the site www.securitynet.pl.
IP Packet Filters
The last group of filters available to the Microsoft ISA Server administrator is Packet Filters. IP packet filters combined with IP packet routing allow a secure perimeter network (also known as a DMZ, demilitarized zone) to be created. As with the previous two types of rules, a wizard is available to help with the configuration.
When creating an IP packet filter, one must first choose what happens to packets that match it as they cross the firewall:
- Allow packet transmission,
- Block packet transmission.
In "Filter Type" dialog box select either a predefined filter suitable for a few basic communication purposes or click "Custom".
In the "Filter Settings" box set the following parameters:
- IP Protocol
i. Custom Protocol - one must specify a protocol number,
ii. Any (encompasses all protocols),
- Local Port
i. All Ports,
ii. Fixed Port,
iii. Dynamic Ports.
- Remote Port
i. All Ports,
ii. Fixed Port,
iii. Dynamic Ports.
Specify the IP address of the computer to which the rule will apply. One may select from the following options:
- Default IP addresses for each external interface on the ISA Server computer,
- This ISA server's external IP,
- This computer (on the perimeter network) - (DMZ).
In the final step, one must define remote computers or a range of remote computers to which the rule you create will apply.
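As an added example (not ISA Server code), the small model below evaluates packet filters built from the parameters the wizard asks for: the IP protocol number (or Any), the local and remote port specification (All, Fixed or Dynamic), the local address on the ISA Server or DMZ host, and the remote computer or range. Two things in it are assumptions rather than facts from the page: the port range taken to mean "Dynamic Ports" and the precedence of Block filters over Allow filters; the filter set and addresses are constructed. The default verdict for an unmatched packet is Block, which is the behaviour a perimeter filter should have.

```python
"""Toy model of ISA Server IP packet filters applied to packets at the external
interface. Added example, not ISA Server code; DYNAMIC_PORT_RANGE and the
block-over-allow precedence are assumptions; sample filters are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

DYNAMIC_PORT_RANGE = (1025, 5000)  # assumed meaning of the "Dynamic Ports" choice
ANY = None                         # "Any" protocol / address


@dataclass(frozen=True)
class PortSpec:
    kind: str       # "All", "Fixed" or "Dynamic"
    port: int = 0   # only used when kind == "Fixed"

    def matches(self, port: int) -> bool:
        if self.kind == "All":
            return True
        if self.kind == "Fixed":
            return port == self.port
        if self.kind == "Dynamic":
            return DYNAMIC_PORT_RANGE[0] <= port <= DYNAMIC_PORT_RANGE[1]
        raise ValueError(f"unknown port spec {self.kind!r}")


@dataclass(frozen=True)
class Packet:
    ip_protocol: int   # 1 = ICMP, 6 = TCP, 17 = UDP
    local_ip: str      # ISA external address or DMZ host address
    local_port: int    # 0 for protocols without ports (ICMP)
    remote_ip: str
    remote_port: int


@dataclass(frozen=True)
class PacketFilter:
    name: str
    action: str                       # "Allow" or "Block"
    ip_protocol: Optional[int]        # protocol number, or ANY
    local_port: PortSpec
    remote_port: PortSpec
    local_ip: Optional[str] = ANY     # a specific local address, or ANY
    remote_net: Optional[str] = ANY   # remote host or CIDR range, or ANY

    def matches(self, pkt: Packet) -> bool:
        if self.ip_protocol is not ANY and pkt.ip_protocol != self.ip_protocol:
            return False
        if self.local_ip is not ANY and pkt.local_ip != self.local_ip:
            return False
        if self.remote_net is not ANY and (
                ipaddress.ip_address(pkt.remote_ip)
                not in ipaddress.ip_network(self.remote_net)):
            return False
        return (self.local_port.matches(pkt.local_port)
                and self.remote_port.matches(pkt.remote_port))


def packet_verdict(filters, pkt: Packet) -> str:
    """Assumed: a matching Block filter wins; with no match the packet is dropped."""
    matching = [f for f in filters if f.matches(pkt)]
    if any(f.action == "Block" for f in matching):
        return "Block"
    if any(f.action == "Allow" for f in matching):
        return "Allow"
    return "Block"  # nothing that is not explicitly allowed passes


# Constructed sample: a DMZ mail relay published on SMTP, DNS replies to the
# ISA external address, and ICMP from one remote range blocked outright
FILTERS = [
    PacketFilter("SMTP to DMZ relay", "Allow", 6, PortSpec("Fixed", 25),
                 PortSpec("All"), local_ip="203.0.113.10"),
    PacketFilter("DNS replies to ISA", "Allow", 17, PortSpec("Dynamic"),
                 PortSpec("Fixed", 53), local_ip="203.0.113.1"),
    PacketFilter("Block ICMP from 198.51.100.0/24", "Block", 1, PortSpec("All"),
                 PortSpec("All"), remote_net="198.51.100.0/24"),
]

if __name__ == "__main__":
    print(packet_verdict(FILTERS, Packet(6, "203.0.113.10", 25, "192.0.2.7", 40000)))  # Allow
    print(packet_verdict(FILTERS, Packet(6, "203.0.113.10", 80, "192.0.2.7", 40000)))  # Block
```

A useful check when reviewing such a filter set is to feed it a packet for every published service and one for each address that is not published; the model makes it obvious that the SMTP filter bound to the DMZ relay address says nothing about the same port on the ISA external address.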
Publishing Policy Rules
Nowadays, a registered web site and email facility are standard for all types of businesses throughout the world. Many organisations outsource these services to ISPs on the assumption that they are always secure and always available. However, such a solution may be inconvenient for the users: if, for example, a new email account is needed, a specific request has to be sent to the ISP. For this reason there is a tendency among network managers in many companies to relocate servers to their corporate networks, but few are aware of how threatening such a decision may be. A server - whether a Web server, email server or any other service - is only as secure as the administrator's ability to define the ports over which a specific service is to be passed. With ISA Server, publishing policy consists of two categories of rules that allow information to be securely published to the external Internet:
Web Publishing Rules - for publishing Web servers only,
Server Publishing Rules - for publishing other (non-Web) servers.
In line with Microsoft's practice for newly introduced products, the configuration procedure is simplified by suitable wizards.
Three configuration wizards are built in:
The Web Publishing Rule Wizard
In order to create a Web publishing rule, right-click Servers & Arrays -> Server Name -> Publishing -> Web Publishing Rules and from the context menu select New -> Rule.
In the next step, select the destination set to which the rule you are creating will apply. If this is a corporate Web server, select the computer in the internal network that is to be made available to external hosts.
Next, configure the hosts whose requests are to be governed by the rule. For instance, for a Web server that publishes the organisation's web site, select "Any request". For an intranet service accessed by remote users, define the range of IP addresses to which the rule will apply, or select the users that will be allowed to access the Web server after authentication.
In the final step, define what happens when a request matches the parameters above. For example, such a request may be discarded, or redirected to a chosen server located behind the ISA Server computer. Once this rule is created, any HTTP requests sent to the ISA Server address will be redirected to the corporate Web server. This enhances security because Internet users are not allowed to access the Web server directly; ISA Server will also cache all requests.
Fig. 7 The Web Publishing Rules Wizard
The Secure Mail Server Wizard.
1. To configure a secure internal email server, on the "Servers & Arrays -> Server Name -> Publishing -> Server Publishing Rules" tab, right-click and select "Secure Mail Server".
2. In the next step, define the communication protocols (SMTP incoming, SMTP outgoing, Exchange/Outlook, IMAP, POP, NNTP) and, for each, whether it is published unencrypted or SSL-encrypted, with the certificate used to authenticate the SSL server.
3. Next, specify the IP address (from those belonging to the ISA Server computer) on which requests are accepted and redirected to the internal server.
4. In the final step, specify the IP address of the internal server (located behind the ISA Server computer) that handles the requests for the protocols defined in step 2.
Fig. 8 The Secure Server Publishing Rules Wizard
Naturally, it is not necessary to place all these services on a single server behind ISA Server, even though the Internet sees only one IP address through the connection.
The New Server Publishing Rules Wizard
The server publishing service allows an internal server to be made accessible to external clients. To start the configuration, on the "Servers & Arrays -> Server Name -> Publishing -> Server Publishing Rules" tab, right-click and select "New -> Rule".
Specify two IP addresses: the IP address of the server in the internal network, and the IP address of the ISA Server that will be visible to the external Internet clients for whom the service is available.
In the final step, define the protocol that external Internet clients will use when accessing the internal server behind the firewall. From the drop-down box you can select any filter that is predefined in the "Protocol Rules" tab and is marked "Inbound" in the "Direction" tab.
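To make the two publishing rule types concrete, here is an added example (not ISA Server code or its API) modelling a Web Publishing Rule (destination set, permitted clients, discard or redirect to an internal server) and a Server Publishing Rule (external ISA address mapped to an internal address for one Inbound protocol definition). It assumes that the first matching web publishing rule decides and that a request matching no rule is discarded; the protocol definitions, addresses and host names are constructed. The validation in ServerPublishingRule enforces the point at the end of the wizard: only a protocol definition whose direction is Inbound can be published.

```python
"""Toy model of ISA Server Web Publishing and Server Publishing Rules.
Added example, not ISA Server code; first-match evaluation is an assumption
and all protocol definitions, addresses and host names are constructed."""
from dataclasses import dataclass
from typing import Optional

# Constructed protocol definitions: name -> (port, transport, direction)
PROTOCOL_DEFINITIONS = {
    "HTTP": (80, "TCP", "Outbound"),
    "SMTP Server": (25, "TCP", "Inbound"),
    "POP3 Server": (110, "TCP", "Inbound"),
}


@dataclass(frozen=True)
class WebPublishingRule:
    name: str
    destinations: frozenset          # requested host names; empty = any
    clients: frozenset               # client IPs; empty = "Any request"
    action: str                      # "Discard" or "Redirect"
    internal_server: Optional[str] = None

    def matches(self, client_ip: str, host: str) -> bool:
        return ((not self.destinations or host in self.destinations)
                and (not self.clients or client_ip in self.clients))


def route_web_request(rules, client_ip: str, host: str) -> Optional[str]:
    """Return the internal server an HTTP request is redirected to, or None
    when it is discarded. The client never learns the internal address."""
    for rule in rules:                       # assumed: first match decides
        if rule.matches(client_ip, host):
            return rule.internal_server if rule.action == "Redirect" else None
    return None                              # no rule: request is discarded


@dataclass(frozen=True)
class ServerPublishingRule:
    name: str
    external_ip: str   # ISA Server address seen by Internet clients
    internal_ip: str   # server behind ISA Server
    protocol: str      # must name a protocol definition marked Inbound

    def __post_init__(self):
        direction = PROTOCOL_DEFINITIONS.get(self.protocol, (None, None, None))[2]
        if direction != "Inbound":
            raise ValueError(f"{self.protocol!r} is not an Inbound protocol definition")


def server_rule_accepted(protocol: str) -> bool:
    """True if a Server Publishing Rule may be created for this protocol name."""
    try:
        ServerPublishingRule("probe", "203.0.113.1", "10.0.0.30", protocol)
        return True
    except ValueError:
        return False


def route_server_request(rules, external_ip: str, port: int, transport: str) -> Optional[str]:
    """Map a connection to an ISA external address/port onto the internal server."""
    for rule in rules:
        rport, rtransport, _ = PROTOCOL_DEFINITIONS[rule.protocol]
        if rule.external_ip == external_ip and (port, transport) == (rport, rtransport):
            return rule.internal_ip
    return None


# Constructed sample rules
WEB_RULES = [
    WebPublishingRule("intranet", frozenset({"intranet.example.test"}),
                      frozenset({"192.0.2.10"}), "Redirect", "10.0.0.20"),
    WebPublishingRule("public site", frozenset({"www.example.test"}),
                      frozenset(), "Redirect", "10.0.0.5"),
]
SERVER_RULES = [
    ServerPublishingRule("mail", "203.0.113.1", "10.0.0.30", "SMTP Server"),
]

if __name__ == "__main__":
    print(route_web_request(WEB_RULES, "192.0.2.99", "www.example.test"))       # 10.0.0.5
    print(route_web_request(WEB_RULES, "192.0.2.99", "intranet.example.test"))  # None
    print(route_server_request(SERVER_RULES, "203.0.113.1", 25, "TCP"))         # 10.0.0.30
```

Note that a client outside the intranet rule's address set cannot reach the intranet server even though a rule for that host name exists, and a connection to a port with no server publishing rule is mapped nowhere; both outcomes follow from publishing being an explicit allow-list.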
As may be seen from the above, ISA Server features an extensive suite of filters for matching specific types of traffic between the internal network and the Internet. It also provides a detailed configuration framework for protocols, file types, server access times and bandwidth rules. Compared with other firewalls, ISA Server is considerably richer in functionality. Once installed, even a novice administrator can protect ISA Server against malicious attacks from the Internet. Of course, there is a catch: the ISA Server computer itself must be well protected, i.e. the operating system it runs on must be securely configured against external attacks, otherwise a hacker could gain access to the LAN assets.