									Microsoft Internet
Security and Acceleration
Server 2000 in Education
Deployment Kit

 Chapter 6
 Controlling Internet Access for Campus
 Computers using ISA Server 2000




 Dr. Thomas W Shinder
 Debra Shinder
 January 2004
                                         ISA Server 2000 in Education Deployment Kit
                     Chapter 6: Controlling Internet Access for Campus Computers using ISA Server 2000




Table of Contents
ISA Server 2000 Clients and Access Control
Using Protocol Rules to Control Protocol Access
Using Site and Content Rules to Control Access to Sites and Web Content
Using Packet Filters to Control Access to the ISA Server 2000 Firewall
Summary








A big issue for schools, colleges and universities is potential vicarious liability when students or
others use the computers on their networks to launch attacks. Additionally, educational
institutions deal with a large amount of confidential information and in many cases are mandated
by privacy laws to ensure that such information is not released to unauthorized persons. It’s often
essential to prevent employees or others on campus from sending this restricted information
outside the campus network.

Thus, outbound access control is critical for campus networks. Traditional firewall administrators
have considered the firewall to be a "one way" technology that blocks external intruders from
attacking the campus network behind it. That has changed: 21st century attackers use Internet
worms and Trojans to turn campus network clients into launch points for attacks against hosts on
other networks, and there is an increasing need to keep sensitive internal data in. To be effective,
a firewall must now do double duty, controlling both incoming and outgoing information.

ISA Server 2000 allows you to control outbound access for all your campus network clients
behind the ISA Server 2000 Firewall and Web Proxy server. Outbound access control allows you
to specify which sites campus users can connect to and which protocols they can use to connect
to the Internet. In addition, you can use the ISA Server 2000 outbound access control
mechanisms to log user names for each Internet connection a campus user makes. This allows
you to compile useful reports that include Internet usage on a per user basis.

Outbound access control is an effective method for preventing various exploits. For example,
many Internet Trojans use the IRC protocol as a command channel through which attackers
transfer remote control applications to campus computers. ISA Server 2000 outbound access
control can be used to control who has access to IRC and block IRC for all unapproved clients
on the network.

In this ISA Server 2000 in Education document, we will discuss the following topics that deal
with outbound access control:

       ISA Server 2000 clients and access control
       Using Protocol Rules to control protocol access
       Using Site and Content Rules to control access to sites and Web content
       Using packet filters to control access to the ISA Server 2000 firewall








ISA Server 2000 Clients and Access Control
There are three types of ISA Server 2000 client configurations that can be implemented on the
campus networks behind an ISA Server 2000 Firewall and Web Proxy server. These client types
are:

       The SecureNAT client
       The Firewall client
       The Web Proxy client

The SecureNAT client is any computer behind the ISA Server 2000 firewall and Web Proxy
server that is configured with a default gateway that routes Internet-bound requests to the internal
interface of the ISA Server 2000 machine. This machine can run any operating system that
supports TCP/IP. If the SecureNAT client computer is located on the same network ID as the
internal interface of the ISA Server 2000 machine, then the default gateway is the IP address of
the internal interface of the ISA Server 2000 machine. If the SecureNAT client is located on a
network ID remote from the internal interface, then the default gateway used by the SecureNAT
client must be able to route Internet-bound requests to the internal interface of the ISA Server
2000 machine. SecureNAT clients cannot send credentials to the ISA Server 2000 machine and
access control for SecureNAT clients is done via client address sets. The SecureNAT client can
only access protocols listed in the Protocol Definitions node in the ISA Management console.
Application filters are required for multi-connection protocols.

The Firewall client is any machine with the Firewall client software installed on it. The Firewall
client software can only be installed on Windows-based computers. The Firewall client does not
need to rely on the default gateway configuration of the Firewall client machine because requests
made by the Firewall client are sent directly to the internal interface of the ISA Server 2000
computer. The Firewall client computer only needs to know the route to the internal interface of
the ISA Server 2000 machine. The Firewall client can send user credentials to the ISA Server
2000 machine. In addition, the Firewall client can access all TCP and UDP protocols it is given
permission to access.

The Web Proxy client is a machine with its Web browser configured to use the ISA Server 2000
machine as its Web Proxy. It can be running any operating system, so long as the browser is
configured properly. The Web Proxy client configuration is used to access HTTP, HTTPS, FTP
and Gopher download protocols. The Web Proxy client, like the Firewall client, is independent of
the default gateway configuration on the machine because the requests made by Web Proxy
clients are sent directly to the ISA Server 2000 machine’s internal interface. In addition, the Web
Proxy client can send user credentials to the ISA Server 2000 Web Proxy service.

The ISA Server 2000 client types are not mutually exclusive. A single machine can be configured
as all three ISA Server 2000 client types. However, a machine cannot act as both a SecureNAT
and Firewall client for the same connection. The reason for this is that while the SecureNAT client
configuration can be used to access TCP and UDP protocols, the Firewall client software will
always intercept these requests and forward them directly to the Firewall service on the ISA
Server 2000 firewall computer.








Using Protocol Rules to Control Protocol Access
Protocol Rules specify which protocols users behind the ISA Server 2000 firewall can use to
connect to Internet resources. Create Protocol Rules that allow access to the protocols required
by specific users and groups. There must be a Protocol Rule that allows access before a user can
access the Internet using a particular protocol.

You should never need to create a Protocol Rule that denies access. If you follow the principle of
least privilege, users are given access only to the protocols they require and none others. It may
take some time to determine what the required protocols are, as users may not be aware of the
protocols they use to get their routine work done. However, Protocol Rules that allow only the
required protocols deny external intruders a number of Trojan-like mechanisms for attacking your
network, because malware on a campus computer cannot reach out on a protocol that no rule
allows.

Protocol Rules apply to all ISA Server 2000 client types. For example, if a group is given access
to the HTTP protocol, group members using the Web Proxy and Firewall client types will be able
to connect via HTTP. If a client address set is given access to the HTTP protocol, then all three
client types will be able to access the protocol (the SecureNAT client is not able to send
credentials to the ISA Server 2000 firewall, so SecureNAT users must be given access via a
client address set).

You will need to create a Global Group and a user account in order to perform the following
exercise. In this exercise, we will give permission to use the HTTP and HTTPS (SSL) protocols to
user2, a member of the HTTP Protocol Access group. Create the HTTP Protocol Access group
in the Active Directory Users and Computers console and then create the user2 user account.
Place user2 in the HTTP Protocol Access group. In addition, you will need to install the Firewall
client on the CLIENT1 computer used in the steps below. Please refer to the ISA Server 2000 in
Education document Protecting Departmental/Student LAN segments with ISA Server 2000
for information on how to install the Firewall client.

Perform the following steps to create the restrictive Protocol Rule:

    1. In the ISA Management console, expand the Servers and Arrays node and expand
       your server name. Expand the Access Policy node and right click on the Protocol
       Rules node. Point to New and click Rule.
    2. We must create two Protocol Rules: the first Protocol Rule allows the DNS server access
       to the DNS query and DNS zone transfers protocols and the second allows the HTTP
       Protocol Access group access to the HTTP and HTTPS (SSL) protocols. In the
       Welcome to the New Protocol Rule Wizard page, enter a name for the Protocol Rule.
       In this example, we will enter DNS Access and click Next.
    3. On the Rule Action page, select the Allow action and click Next.
    4. On the Protocols page, click the down arrow for the Apply this rule to drop down list
       and select the Selected Protocols option. In the list of Protocols, put a checkmark in
       the DNS Query and DNS Zone Transfer protocols. Put a checkmark in the Show only
       selected protocols checkbox and click Next.
    5. On the Schedule page, select the Always option and click Next.
    6. On the Client Type page, select the Any request option and click Next (later, we will
       change this to the DNS Server client address set).
    7. Review your settings and click Finish.
    8. In the left pane of the ISA Management console, expand the Policy Elements node.
       Right click the Client Address Sets node, point to New and click Set.
    9. In the Name text box on the Client Set dialog box, enter DNS Server. Click the Add
       button. In the Add/Edit IP Addresses text box, enter the IP address of the domain
       controller in the From and in the To text boxes and click OK. In the Client Set dialog
       box, the IP address of the domain controller now appears in the Members list. Click OK.





   10. Return to the Protocol Rules node and double click on the DNS Access rule. Click on
       the Applies To tab. Select the Client address sets specified below option. Click the
       Add button for the Applies to requests coming from list. Select the DNS Server entry
       in the Client Sets list and click Add in the Add Client Sets dialog box. Click OK in the
       Add Client Sets dialog box. The DNS Server client address set appears in the list of
       Client Sets on the Applies To tab. Click Apply and then click OK in the DNS Access
       Properties dialog box.




Now we can create the Protocol Rule that allows members of the HTTP Protocol Access group
access to the HTTP and HTTPS (SSL) protocols:

   1. Expand the Access Policy node in the left pane of the ISA Management console and
      right click on the Protocol Rules node. Point to New and click Rule.
   2. On the Welcome to the New Protocol Rule Wizard page, enter a name for the Protocol
      Rule in the Protocol rule name text box. In this example, we will name the rule
      HTTP/HTTPS Access. Click Next.
   3. On the Rule Actions page, select the Allow option and click Next.
   4. On the Protocols page, select the Selected protocols option from the Apply this rule
      to drop down list. In the Protocols list, put checkmarks in the HTTP and HTTPS
      checkboxes. Put a checkmark in the Show only selected protocols checkbox. Click
      Next.
   5. On the Schedule page, use the default entry, Always, and click Next.
   6. On the Client Type page, select the Specific users and groups option and click Next.




    7. On the Select Users or Groups page, click the Add button. Click the Object Types
       button and put a checkmark in the Groups checkbox. Click the Locations button and
       select the msfirewall.org location. In the Enter the object names to select text box,
       enter HTTP Protocol Access and click the Check Names button to confirm that the
       group name was entered correctly. Click OK in the Select Users or Groups dialog
       box. Click Next on the Users and Groups page.




    8. Click Finish on the Completing The New Protocol Rule Wizard page.
    9. Log on to the CLIENT1 machine as user2 and open Internet Explorer. Go to the
        www.microsoft.com Web site. The connection request is allowed.
    10. Open a command prompt and at the command line, enter ftp ftp.microsoft.com and
        press ENTER. You will see the response Connection request refused, because no
        Protocol Rule allows user2 to use FTP.

Using Site and Content Rules to Control Access to Sites
and Web Content
ISA Server 2000 Site and Content Rules enable you to control what sites and content users on
the internal network behind the ISA Server 2000 machine can access on the Internet. In the
context of Site and Content Rules, the term "site" refers to a computer, identified by either fully
qualified domain name or IP address. The term "content" refers to the types of files and resources
that are accessed via the Web Proxy service. Although you can control access to all sites for all
ISA Server 2000 clients, you can only control content access for clients that access the content
via the Web Proxy service.






    Note:
    Web Proxy, SecureNAT and Firewall clients can all access Internet content via the Web
    Proxy service. The Web Proxy client connects to the Web Proxy service directly. The
    SecureNAT and Firewall clients connect to the Web Proxy service indirectly through the
    HTTP Redirector filter. If the HTTP Redirector filter is disabled, then Content Rules will not be
    applied to SecureNAT and Firewall clients.

In the following example, we will create a Site and Content Rule that blocks access to .zip files for
members of the Block ZIP Files group. In order to prepare for this exercise, create a group in the
Active Directory Users and Computers console named Block ZIP Files. Then add user2 to the
group (create the user2 account first if you did not do so in the Protocol Rules exercise).

In addition, you will need to install the ISA Server 2000 hotfix noted in KB article FIX: Site and
Content Rules do Not Filter Based on File Name Extensions at
http://support.microsoft.com/default.aspx?scid=kb;en-us;813864. After installing the hotfix, you
will need to configure the Registry according to the KB article.

Perform the following steps to create a rule to prevent members of the Block ZIP Files group
from accessing zip files on the Internet:

    1. Open the ISA Management console, expand the Servers and Arrays node and then
       expand the server name. Expand the Policy Elements node. Right click on the Content
       Groups node, point to New and click Content Group.






    2. In the New Content Group dialog box, enter a name for the Content Group. In this
       example, we will name it Zip Files. Enter a description for the Content Group in the
       Description text box. In this example, we will enter File Extension for ZIP files. In the
       Available types text box, enter the file extension .zip and then click Add.

        Click OK in the New Content Group dialog box.




    3. Expand the Access Policy node in the left pane of the ISA Management console and
       click the Site and Content Rules node. Notice that there is a default Site and Content
       Rule that allows all users access to all sites and content. We must change the
       configuration of the default Site and Content Rule so that it applies only to domain
       users. The reason is that rules that apply to any request are evaluated first, without
       asking the client for credentials. As long as the default rule allows anonymous access to
       all sites and content, it matches first and our more restrictive, user-based deny rule is
       never reached. We will also need to create a Site and Content Rule that allows our DNS
       server access to all sites and content, because the DNS server is a SecureNAT client
       and cannot authenticate.
    4. Double click on the Allow Rule in the right pane of the ISA Management console. Click
       on the Applies To tab. Select the Users and groups specified below option. Click the
       Add button in the Applies to requests coming from section. In the Select this object
       type section, click the Object Types button and put a checkmark in the Groups
       checkbox. In the From this location section, click the Locations button and change the
       location to that of the msfirewall.org domain. Enter Domain Users in the Enter the
       object names to select text box and click OK. The domain group now appears in the
       list. Click Apply and then click OK in the Allow rule Properties dialog box.





    5. Expand the Policy Elements node and right click on the Client Address Sets node.
        Point to New and click Set. (If you already created the DNS Server client address set
        in the Protocol Rules exercise, skip to step 7.)
    6. In the Name text box on the Client Set dialog box, enter DNS Server. Click the Add
        button. In the Add/Edit IP Addresses text box, enter the IP address of the domain
        controller in the From and in the To text boxes and click OK. In the Client Set dialog
        box, the IP address of the domain controller now appears in the Members list. Click OK.
    7. The next step is to create a Site and Content Rule that allows the DNS server on the
        domain controller to access the Internet. This is required so that the DNS server can
        resolve the names of Internet hosts. Expand the Access Policy node and right click on
        the Site and Content Rules node. Point to New and click Rule.
    8. On the Welcome to the New Site and Content Rule Wizard page, enter a name for the
        rule in the Site and content rule name text box. In this example, we will name the rule
        DNS Server. Click Next.
    9. On the Rule Action page, select the Allow option and click Next.
    10. On the Rule Configuration page, select the Custom option and click Next.
    11. On the Destination Sets page, select the All destinations option and click Next.
    12. On the Schedules page, select the Always option and click Next.
    13. On the Client Type page, select the Specific computers (client address set) option
        and click Next.
    14. On the Client Sets page, click the Add button. Click the DNS Server client set in the left
        pane of the Add Client Sets dialog box and click Add. The DNS Server set should now
        appear in the right pane of the dialog box. Click OK. The DNS Server client set should
        appear in the list of client sets on the Client Sets page. Click Next.
    15. On the Content Groups page, select the Any content type option and click Next.
    16. Review your settings and click Finish on the Completing the New Site and Content
        Rule Wizard page.

Now we are ready to create the Site and Content Rule that limits users in the Block Zip Files
group from downloading zip files. Perform the following steps to create the Site and Content Rule:

    1. In the ISA Management console, expand the Access Policy node and right click on the
       Site and Content Rules node. Point to New and click Rule.
    2. On the Welcome to the New Site and Content Rule Wizard page, enter the name
       Block ZIP Downloaders in the Site and content rule name text box. Click Next.






     3. On the Rule Action page, select the Deny option. You have the option to redirect users
        to a Web Page explaining why the request was blocked by selecting the If HTTP
        request, redirect request to this site option. We will not select this option in this
        example. Click Next.




     4.   On the Rule Configuration page, select the Custom option and click Next.
     5.   On the Destination Sets page, select the All destinations option and click Next.
     6.   On the Schedule page, select the Always option and click Next.
     7.   On the Client Type page, select the Specific users and groups option and click Next.






    8. On the Users and Groups page, click the Add button. In the Select Users or Groups
       dialog box, click the Object Types button and select the Groups option. Click the
       Locations button and change the location to the msfirewall.org location. In the Enter the
       object names to select text box enter Block ZIP Files and click OK. Click Next.




    9. On the Content Groups page, select the Only the following content types option. In
        the Content type list, put a checkmark in the Zip Files checkbox. Click Next.
    10. Review your settings on the Completing the New Site and Content Rule Wizard page
        and click Finish.
    11. Log on to the CLIENT1 computer as user2. Visit the Microsoft ISA Server 2000 Feature
        Pack 1 page at http://www.microsoft.com/downloads/details.aspx?FamilyID=2f92b02c-
        ac49-44df-af6c-5be084b345f9&DisplayLang=en and try to download the docs.zip file.
        Internet Explorer presents a dialog box asking for authentication. Once authentication
        fails or is cancelled, access to the zip file is denied.
    12. You can avoid the authentication dialog boxes by redirecting the denied request to a
        Web page (the If HTTP request, redirect request to this site option in step 3).
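To make the interplay of client types, credentials and rule ordering concrete, here is a small Python model of the evaluation this chapter describes (see also ISA Server 2000 Clients and Access Control and the note on the HTTP Redirector filter). It is an added example for illustration, not ISA Server code or its administration object model. It assumes a constructed domain controller address (10.0.0.2) and a constructed Protocol Definitions list; the evaluation order (rules that need no credentials first, then user and group rules) follows step 3 above, and "deny beats allow within a stage" is a modelling assumption.

```python
"""Model of how ISA Server 2000 evaluates outbound access, as described in
this chapter. Added example for illustration; not ISA Server code."""
from dataclasses import dataclass
from typing import FrozenSet, Optional, Sequence, Tuple

SECURENAT, FIREWALL, WEBPROXY = "SecureNAT", "Firewall", "WebProxy"

# Constructed stand-in for the Protocol Definitions node. A SecureNAT client
# can only use protocols that have a definition, even under "All IP traffic".
PROTOCOL_DEFINITIONS = frozenset({"HTTP", "HTTPS", "FTP", "DNS Query", "DNS Zone Transfer"})


@dataclass(frozen=True)
class Request:
    client_type: str
    src_ip: str
    protocol: str
    dest: str = ""
    path: str = "/"
    user: Optional[str] = None            # credentials the client offers, if any
    groups: FrozenSet[str] = frozenset()
    via_web_proxy: bool = False           # handled by the Web Proxy service (browser setting or HTTP Redirector)


@dataclass(frozen=True)
class Rule:
    name: str
    allow: bool
    applies_to: str = "any"               # "any", "clients" (address set) or "users" (groups)
    members: FrozenSet[str] = frozenset() # IP addresses or group names, depending on applies_to
    protocols: Optional[FrozenSet[str]] = None     # Protocol Rule; None = all IP traffic
    destinations: Optional[FrozenSet[str]] = None  # Site and Content Rule; None = all destinations
    content_exts: Optional[FrozenSet[str]] = None  # Site and Content Rule; None = any content


def credentials(req: Request) -> Tuple[Optional[str], FrozenSet[str]]:
    """SecureNAT clients cannot send credentials, whatever the user typed."""
    return (None, frozenset()) if req.client_type == SECURENAT else (req.user, req.groups)


def rule_matches(rule: Rule, req: Request) -> bool:
    user, groups = credentials(req)
    if rule.applies_to == "clients" and req.src_ip not in rule.members:
        return False
    if rule.applies_to == "users" and (user is None or not (rule.members & groups)):
        return False
    if rule.protocols is not None and req.protocol not in rule.protocols:
        return False
    if rule.protocols is None and req.client_type == SECURENAT and req.protocol not in PROTOCOL_DEFINITIONS:
        return False
    if rule.destinations is not None and req.dest not in rule.destinations:
        return False
    if rule.content_exts is not None:
        # Content groups are only evaluated by the Web Proxy service.
        if not req.via_web_proxy or not any(req.path.lower().endswith(e) for e in rule.content_exts):
            return False
    return True


def decide(rules: Sequence[Rule], req: Request) -> Tuple[bool, str]:
    """Rules that need no credentials are evaluated first; if one matches, the
    request is settled there and the client is never asked to authenticate, so
    user/group rules are only reached afterwards. Within a stage a matching
    deny wins over an allow (modelling assumption)."""
    for stage_is_users in (False, True):
        matched = [r for r in rules
                   if (r.applies_to == "users") == stage_is_users and rule_matches(r, req)]
        denies = [r for r in matched if not r.allow]
        if denies:
            return False, "denied by " + denies[0].name
        if matched:
            return True, "allowed by " + matched[0].name
    return False, "no matching allow rule"


def outbound_allowed(protocol_rules, site_rules, req) -> Tuple[bool, str]:
    """A request needs an allowing Protocol Rule and an allowing Site and Content Rule."""
    ok, why = decide(protocol_rules, req)
    if not ok:
        return False, "Protocol Rules: " + why
    ok, why = decide(site_rules, req)
    return ok, "Site and Content Rules: " + why


# The rules built in this chapter. DC_IP is a constructed address.
DC_IP = "10.0.0.2"
PROTOCOL_RULES = (
    Rule("DNS Access", True, "clients", frozenset({DC_IP}),
         protocols=frozenset({"DNS Query", "DNS Zone Transfer"})),
    Rule("HTTP/HTTPS Access", True, "users", frozenset({"HTTP Protocol Access"}),
         protocols=frozenset({"HTTP", "HTTPS"})),
)
SITE_RULES = (
    Rule("Allow Rule", True, "users", frozenset({"Domain Users"})),   # default rule after step 4
    Rule("DNS Server", True, "clients", frozenset({DC_IP})),
    Rule("Block ZIP Downloaders", False, "users", frozenset({"Block ZIP Files"}),
         content_exts=frozenset({".zip"})),
)
# Same policy with the default rule left at "any request": the pitfall step 3 warns about.
UNFIXED_SITE_RULES = (Rule("Allow Rule", True),) + SITE_RULES[1:]

USER2 = dict(user="user2", groups=frozenset({"Domain Users", "HTTP Protocol Access", "Block ZIP Files"}))
```

Running user2's docs.zip download through SITE_RULES returns a deny from Block ZIP Downloaders, while UNFIXED_SITE_RULES returns an allow from the anonymous default rule without the deny ever being consulted; the same download through a Firewall client with the HTTP Redirector disabled (via_web_proxy False) is allowed, as the note above says, and a SecureNAT client never matches a user-based rule because its credentials are stripped.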

There are a number of tools that make it easier for you to control access to Web sites. One
of the primary issues with Web site access control is that it is not easy to import a large group of
Web sites into a Destination Set. You can use tools located at Jim Harrison's www.isatools.org
Web site to import large numbers of sites contained in Squid and XML files into an ISA Server
2000 Destination Set.
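The import problem can also be handled with a short script. The following Python is an added example, not the isatools.org tool, and assumes the input is a Squid dstdomain list (one entry per line, # comments, a leading dot meaning the domain and all its subdomains); it also accepts ISA's own *.domain form. It emits the entries in ISA Server 2000 Destination Set notation, pairing each wildcard with its bare domain (an assumption made here so the parent name is covered whether or not the wildcard alone would match it), drops hosts that a wildcard already covers, and rejects lines that are URLs rather than domain names.

```python
"""Turn a Squid dstdomain list into ISA Server 2000 Destination Set entries.

Added example; not the isatools.org importer. Assumptions: Squid semantics
(".example" = the domain and all subdomains, "example" = exact host), and
ISA's "*.example" wildcard notation for subdomains.
"""
import re
from typing import List

_LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")


def valid_hostname(name: str) -> bool:
    """Syntactic check: dotted labels of letters, digits and hyphens."""
    if not name or len(name) > 253 or "." not in name:
        return False
    return all(_LABEL.match(label) for label in name.split("."))


def covered(host: str, wildcards: List[str]) -> bool:
    """True when a wildcard entry for a parent domain already matches host."""
    parts = host.split(".")
    return any(".".join(parts[i:]) in wildcards for i in range(1, len(parts)))


def parse_squid_dstdomain(text: str) -> List[str]:
    """Return destination names in ISA notation, deduplicated and with hosts
    that a wildcard already covers removed. Raises ValueError on lines that
    are URLs or otherwise not bare domain names."""
    wildcards: List[str] = []
    exacts: List[str] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip().lower()
        if not line:
            continue
        if line.startswith("*."):          # accept ISA's own wildcard form too
            line = line[1:]
        if any(c in line for c in " /:"):
            raise ValueError(f"line {lineno}: not a dstdomain entry: {raw.strip()!r}")
        host = line.lstrip(".")
        if not valid_hostname(host):
            raise ValueError(f"line {lineno}: invalid domain name {host!r}")
        bucket = wildcards if line.startswith(".") else exacts
        if host not in bucket:
            bucket.append(host)
    entries: List[str] = []
    for w in wildcards:
        entries += [w, "*." + w]           # assumption: bare domain + ISA wildcard
    for h in exacts:
        if h not in wildcards and not covered(h, wildcards):
            entries.append(h)
    return entries


# Constructed sample input (not a real blocklist).
SAMPLE = """\
# games and chat sites to keep off the student LAN
.gamesite.example
games.gamesite.example   # redundant: covered by the wildcard above
Chat.Example
.video.example
chat.example             # duplicate after lower-casing
*.streams.example        # ISA-style wildcard, treated like .streams.example
"""

if __name__ == "__main__":
    for entry in parse_squid_dstdomain(SAMPLE):
        print(entry)
```

Run it against the constructed SAMPLE and seven entries come out: the three wildcard domains each as a bare name plus its *.domain form, and chat.example once; games.gamesite.example is dropped because *.gamesite.example already matches it. Rejecting URL-shaped lines up front matters because a stray http:// entry would otherwise become a Destination Set member that never matches anything, silently leaving that site unblocked.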







Using Packet Filters to Control Access to the ISA Server
2000 Firewall
We mention packet filters here mainly as a reminder that you cannot use them to control
outbound access from the internal network to the Internet. Packet filters have a limited role in
access control.

ISA Server 2000 uses packet filtering to control inbound and outbound access on the external
interface of the ISA Server computer. The packet filtering mechanism is the ISA Server's first line
of defense against inbound attacks. ISA Server packet filtering is separate from RRAS packet
filtering, and you should not run both on the same external interface. If you have RRAS packet
filters controlling inbound access, disable the RRAS filters that control inbound and outbound
access through the external interface of the ISA Server 2000 machine; such filters are created,
for example, when you run the RRAS VPN Server Wizard. However, if you are using RRAS packet
filters to control access between directly connected internal networks, you may leave those RRAS
packet filters in place.

To check whether packet filtering is enabled, right click on the IP Packet Filters node in the left
pane of the ISA Management console and click Properties. On the General tab, the Enable
packet filtering checkbox shows the current state; put a checkmark in it to activate packet
filtering. Packet filtering is enabled by default when ISA Server 2000 is installed in Firewall or
Integrated mode, and it is not available when the ISA Server 2000 machine is installed in Caching
only mode.

You should enable packet filtering in the following situations:

    When the ISA Server is at the edge of the network
    When you configure a trihomed ISA Server
    When you need to run services and applications on the ISA Server itself

When you enable packet filtering, ISA Server 2000 denies inbound access to all ports on the
external interface that do not have a packet filter explicitly created to allow inbound and/or
outbound access to the ISA Server 2000 machine. If you have packet filtering enabled and you
have no packet filters, then there will be no inbound or outbound access unless you have created
Protocol or Publishing rules, which open the ports they need themselves.

Packet filtering should always be enabled when the ISA Server is at the edge of the network.
When the ISA Server has an external interface with an untrusted network, you can ensure that no
ports are open inadvertently by enabling packet filtering. By default, the only traffic that will be
allowed when packet filtering is enabled is based on some ICMP filters required for basic network
management, and the DNS filter which allows the ISA Server to make DNS queries on the behalf
of ISA Server clients on the internal network and so that the ISA Server 2000 machine can
perform reverse lookups for FQDNs.

You need to enable packet filtering and configure packet filters if you create a trihomed ISA
Server with a DMZ segment. Traffic to and from the DMZ segment is controlled by the use of
packet filters. If there is no filter allowing the traffic into or out of the DMZ, then the traffic will be
blocked at the external interface of the ISA Server.

Services and Applications running on the ISA Server require packet filters. For example, if you
want to run a mail client such as Outlook Express on the ISA Server itself, you must create a
packet filter for outbound access to TCP Port 25 and TCP Port 110 at a minimum to allow access
to external SMTP and POP3 servers. You can add other packet filters such as TCP 119 for NNTP
or TCP 143 for IMAP access.






An exception to the packet filter requirement for client applications running on the ISA Server
2000 computer is the Web browser running on the ISA Server itself. In this case, you can
configure the web browser to be a Web Proxy client.

Packet filters should not be used for the following purposes:

   To control inbound access to internal network services
   To control outbound access for ISA Server clients

You can configure access to servers on the internal network by using either Server Publishing or
Web Publishing rules. These rules allow you to "publish" servers (make them available) to
external network users. When you create the publishing rules, ISA Server will open inbound
access to the ports required to connect to internal servers.

Outbound access control for ISA Server clients should be done with Protocol Rules and Site and
Content Rules. Only Protocol Rules govern which protocols can be used outbound; Site and
Content Rules govern the destinations and content types, not the protocols.

When a Protocol Rule is created, ISA Server allows inbound and outbound access to the ports
specified in the rule. You never need to create packet filters to support your Protocol Rules. If the
Protocol Rule is not working, then you should check for other factors that may be causing this
situation.

Something to keep in mind regarding Protocol Rules is that if you enable a rule that allows "All IP
Traffic,” it will work differently depending on which type of client is accessing that rule. Firewall
Client computers will have outbound access to all TCP/UDP ports, but SecureNAT clients only
have access to the protocols that are specified in the Protocol Definitions that are configured on
the ISA Server.

Summary
In this ISA Server 2000 in Education document, we discussed how you can use ISA Server 2000
to control outbound access to help make the campus network more secure. We began with a
discussion of the different ISA Server 2000 client types. We then went over how to use Protocol
Rules and Site and Content Rules to control outbound access on a user/group basis. Finally, we
discussed the purpose of ISA Server 2000 packet filters and when to enable them in an ISA
Server 2000 environment.





								