Our Approach to ISA Firewall Network Design and Defense Tactics
Every book has its own unique approach to a subject, and that's certainly true for this book's approach to ISA firewalls. You'll notice throughout this book that we refer to the ISA 2004 product simply as the 'ISA firewall.' We've made it a point to bring together the name 'ISA' with the term 'firewall'. We do this because it's important to get the point across that the ISA firewall is indeed an enterprise-ready firewall that, at this point in time, is capable of providing a higher level of firewall protection than virtually any other firewall on the market.
It is from this vantage point that we approach all of the discussion of the ISA firewall in this book. The ISA firewall can be placed anywhere on your network: as a front-end Internet edge perimeter firewall, as a back-end departmental or asset-segment firewall, and even as a firewall that is dedicated to protecting a collection of vital network services. The level of flexibility in placing the ISA firewall in relation to other networking services and firewalls is a testament to the ISA firewall's power in protecting your network resources, no matter where those resources are located.
If you've made it this far in the book, then we can assume that you already have an ISA firewall in place, or you are considering placing an ISA firewall somewhere on your network. In both situations, it's likely that you're going to have to deal with network infrastructure people, or even DMZ or router administrators, who have bought into the hardware firewall vendors' marketing schemes that have convinced them that 'hardware firewalls' are the only way to get true firewall security.
To make your life easier when discussing firewall issues with these 'hardware firewall experts,' we will discuss our approach and philosophy regarding the ISA firewall and how it compares with the marketing approaches of the hardware firewall vendors. We will discuss the following subjects that will help clarify the situation and help you put any ISA firewall detractors against the wall and on the defensive:
Defense in Depth
ISA Firewall Fallacies
Why ISA Belongs in Front of Critical Assets
A Better Network and Firewall Topology
By the time you're done with this section, you'll have the fact ammo you need to get an ISA firewall solution in place to protect your network.
Note: The goal of this section is to show that the ISA firewall represents a true enterprise-grade network firewall. The goal is not to demonstrate that it's the firewall that will meet everyone's needs in all possible scenarios. Other firewalls include features an organization may require that the ISA firewall does not support. In the same way, the ISA firewall includes critical security features that other firewalls do not.
Defense in Depth
Just about every firewall administrator has heard the old joke where the guy's boss asks him, 'Is our network secure?' and the response is, 'Of course; we have a firewall!' Unfortunately, this is the attitude of many real-life network and firewall administrators. They consider the network edge firewall as their primary defense against all network attacks and attackers.
The sad fact is that the network edge firewall is only one small piece of your overall security plan. While the Internet edge firewall is a key component of your network security scheme, it's only one part, and that single part does very little to provide defense in depth.
Defense in depth refers to the security philosophy that there are multiple partitions or security zones within an organization and each of these must be protected. The interface between security zones represents a specific edge, with each edge requiring a customized approach to security and access control.
The number of security zones varies with the organization and how the organization's network is laid out. Smaller organizations may have just a single network segment sitting behind an Internet edge firewall. Larger organizations may have very complex networks with multiple security zones, and these organizations may also have security zones within security zones. Each security zone requires its own level of inbound and outbound access control, and firewall policy should be customized by meeting each security zone's unique access control requirements.
Regardless of the complexity of your network, the principle of least privilege leads you to the correct path to firewall placement and configuration. The principle of least privilege states that access is granted only to the users who require a resource, and only to the resources those users are permitted to use. For example, if you have a collection of users who require access to the Microsoft Web site and no other sites, the only protocol they need to use is HTTP, and they should only have access to the Microsoft Web site using the HTTP protocol between the hours of 9:00 A.M. and 5:00 P.M., then the firewall should enforce exactly this access policy. Allowing users access to resources that they do not require in order to complete their work only increases the overall attack surface (exposure) of your network.
To help demonstrate how security zones dictate access control, firewall configuration and firewall placement, we'll go over a typical enterprise-level network and how it might segregate its security zones. We will call these zones 'Rings,' and each ring is comparable to a layer in an onion, with the center of the onion containing your core network assets that require the highest level of network level security and access control.
These rings are:
Ring 1: The Internet Edge
Ring 2: The Backbone Edge
Ring 3: The Asset Network Edge
Ring 4: Local Host Security
Figure 4.1 shows the outermost ring, which is the Internet edge.

Figure 4.1: Ring 1: Internet Edge
The Internet edge is the first point of attack for externally-situated hosts. Because most of us have a greater fear of the unknown than of the known, network and firewall administrators believe they should put their most intelligent and powerful firewalls at this location. If you don't think about this too much, this makes sense.
The problem is that the great majority of network attacks occur from inside the network, and that you should put your most powerful defenses closest to the most valuable assets. If you consider how the approach of putting the strongest defenses at the edge flies in the face of how you secure anything else in this world, you'll realize that the Internet edge firewall should not be your most secure or sophisticated firewall, it should be your fastest firewall.
We first cover the logic behind putting the strongest defenses closest to the most valued assets, and then we'll discuss the rationale behind making the outermost firewall the fastest firewall.
Think about how a bank secures its cash assets. First, there are Federal agencies that hover unseen around all of our lives. This 'outermost' level of bank security doesn't stop many bank robberies in progress, though it helps in preventing law-abiding citizens from deciding to rob a bank when they have nothing else to do that day.
The next layer of defense, moving inward toward the bank's core assets, is the local police department. The police drive around town and maybe they'll be in front of the bank when the bank robber is about to begin the hold-up. While this can provide a small measure of security, the police can't be in front of the bank all the time, and when they do respond, it's after the fact. The police typically arrive when the perpetrator is long gone.
The next ring, closer to the core bank assets, can be represented by the front door cameras (more likely parking lot cameras). The bank security personnel may be able to stop a robbery from taking place if they are vigilant and identify the criminal right before the robbery attempt begins. The problem with this approach is they can't stop the guy until he does something suggesting a robbery attempt is in progress. You can't stop somebody these days just because he's wearing a sock over his head and carrying an empty pillow case. If he has a gun, but has a concealed carry permit, you still can't do anything to him unless he's displaying it illegally, or perhaps taking it into the bank (depending on your local or federal laws). However, the security cameras are more sophisticated and more likely to stop a robbery attempt in progress than the Federal security ring or the local police security ring.
The next ring is the one at the border of the outside of the bank and the area between the tellers. There is typically an armed guard in this area. The armed guard provides a better level of protection because he can stop a robbery as it begins, if he identifies a robbery taking place, and if he shoots the robber before the robber shoots him. The armed guard in the lobby definitely provides a much higher level of security than the cameras watching outside the building, the local police cruising the streets, and the Feds.
The next ring of security lies at the interface between the inside of the bank vault and the lobby and teller area, which is the door of the bank vault. If the robber flies past the Feds, arrives when there's no police car in sight, looks like a typical customer and isn't flagged by the security cameras, and shoots the armed guard before the armed guard shoots him (I'm assuming that the robber isn't in a country or state that allows its citizens to carry weapons legally; if the bank were in one of these areas, the robber would also have to survive armed citizens), the final hurdle is the bank vault door. Unless the robber is a munitions expert or some kind of safe cracker, the bank vault door will stop him every time.
The bank vault door provides the highest level of security, and it's the most 'hardened' and 'impenetrable' of the bank defenses. That's why it's put directly in front of the bank's core assets, to protect these assets in the event that an intruder gets past all other security rings.
However, no security ring, no matter how well protected, is impenetrable. (Remind the 'hardware firewall experts' of this fact the next time they tell you about the inviolate nature of 'hardware' firewalls.)
Let's assume the robber isn't a munitions expert or a safe cracker. Instead, he'll use the coward's way out and take advantage of social engineering (cowardly computer hackers use similar methods). In this case, the bank robber social engineers the situation by threatening the lives of customers and tellers if the bank vault door is not opened by the bank manager.
Since you can always find more money, but human life tickets are only good for one punch, the bank manager opens the vault door.
At this point, you might think the game is over and the robber has won. He's penetrated the last defense ring, and the money is his (overlook the fact that in order to win the robbery game, the robber also has to successfully leave the bank with the cash).
However, there is another layer of defense, and that is the defense the money itself can provide. The bags of money may have exploding ink in them, which explodes and covers the robber with a bright shade of pink if the cash is moved or removed at the wrong time or the incorrect way. Or, maybe if the money is moved inappropriately, anesthetic gas is pumped into the vault, or maybe the money is marked and is easily identified if it is spent in public. If the bank hopes to recoup its money, it must make sure that methods of protection are applied to the money itself, as that is the last ring of defense the bank has in protecting its assets.
The point of this story is that the bank, and any other entity that secures its core assets, puts its most hardened, most sophisticated and most impenetrable barriers closest to those assets. The enemy is always at his best at the outermost ring. By the time he's made it to the innermost ring, he's either completely exhausted his resources or ready to give up. In either case, the enemy should meet stronger defensive mechanisms as he continues to get weaker. This helps accelerate his ultimate defeat. Table 4.1 reveals several defense rings protecting bank assets.
| Bank Defense Layer | Implementation |
|---|---|
| Federal Agencies | Outermost layer of protection. Helps keep honest people honest |
| Local Police Department | Provides protection in the rare event that they happen to be in front of the bank during a robbery in progress; responds only after the fact |
| Perimeter Cameras | Allows vigilant security personnel to proactively stop a robbery if they can identify that the robbery is about to begin |
| Bank Guard | Bank guard can shoot the robber if the robber doesn't shoot him first. Able to respond to a robbery in progress and provide much more security than the levels above |
| Bank Vault Door | Strongest level of protection, placed directly in front of critical bank resources |
| Exploding Ink, Anesthetic Gas, and other devices | Represents 'host-based' protection and increases the recoverability of assets if they are stolen |
With this bank vault scenario protection scheme in mind, how do you explain the attitude of many network and firewall administrators who claim, 'While I think an ISA firewall is great, I wouldn't feel comfortable if I didn't have a hardware firewall in front of the ISA firewall.'
This kind of statement implies that the ISA firewall might not be as 'strong' as the traditional hardware packet-filtering firewall. Does it make sense that you should put your 'weakest link' (in terms of network firewall protection) directly in front of your core network assets?
The irony is that these network and firewall administrators are doing the right thing. It's just that they're doing it for the wrong reason. They've been beaten over the head for years by 'firewall experts' and 'hardware firewall' marketeers with the idea that only the ASIC ('hardware') firewalls can be secure; so-called 'software firewalls' are inherently insecure because of reasons 'X, Y and Z'.
Reason 'X' always has something to do with the underlying operating system. After repeating with excellent elocution and perfect tempo, 'Windows is not secure,' for several minutes, they never get around to reasons 'Y' and 'Z'. Table 4.2 provides information on reasons Y and Z.
| Hardware Firewall Vendor's Reason | Explanation |
|---|---|
| X | The Windows operating system can't be secured |
| Y | Hardware firewall vendors sell hardware firewalls with big margins |
| Z | Hardware firewall vendors sell replacement parts and add-ons with even bigger margins |
The truth is hardware firewalls do belong at the Internet edge of the network. But not for the reasons the 'firewall experts' proclaim. The actual reason is that while traditional hardware stateful-filtering firewalls cannot provide the high level of security required by modern Internet-connected networks, they can pass packets very quickly and do stateful-packet filtering. The speed is very important for organizations that have multi-gigabit connections to the Internet. Because of the amount of processing they must do, high-security, application-layer aware firewalls cannot handle this volume of traffic and provide the deep application-layer stateful inspection required of a modern network firewall.
Stateful-filtering hardware firewalls can handle the high volume of traffic, perform basic packet filtering, and allow inbound traffic only to services that you intend to provide to remote users (outbound access control isn't very effective for high-speed packet-filtering firewalls at the Internet edge).
For example, if you intend to provide only HTTP, HTTPS and IMAP4 access to resources on the corporate network, the high-speed stateful packet-filtering firewall will only accept new inbound connection requests for TCP ports 80, 143 and 443. The high-speed packet-filtering firewall can quickly determine the destination port and validity of information at layer 4 and below and accept or reject the traffic based on this rudimentary analysis. While this approach provides a marginal measure of security, it is far from what is required to protect modern networks with Internet-facing hosts.
So the next time you hear someone say, 'I wouldn't be comfortable without having a hardware firewall in front of the ISA firewall,' you'll know that he's right, but his discomfort is based on the wrong reasons because he doesn't understand that you increase security as you move inward, not reduce it.
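To make the difference between the two rings concrete, here is an added example (not code from this book, and not the ISA firewall's own object model or rule engine) that models the least-privilege rule from the Defense in Depth discussion (a group of users, the Microsoft Web site only, HTTP only, 9:00 A.M. to 5:00 P.M.) beside the layer-4 port filter just described. The `Connection` and `AccessRule` types, the `ring1_packet_filter` and `ring3_policy` functions, and the `app_protocol` field (which stands in for what application-layer inspection found in the payload) are assumptions of this example, and every sample connection is constructed. The point it demonstrates is the chapter's: the Ring 1 filter passes anything that looks like TCP to port 80, 143 or 443, while the inner ring denies by default and allows only what a user/group, protocol, destination and time rule explicitly permits.

```python
from dataclasses import dataclass
from datetime import time
from typing import FrozenSet, Optional, Sequence, Tuple

# Constructed data model for this example; not the ISA firewall's object model.


@dataclass(frozen=True)
class Connection:
    src_ip: str
    dst_host: str               # resolved destination name
    dst_port: int
    transport: str              # "tcp" or "udp"
    app_protocol: str           # what the payload looks like after inspection
    user: Optional[str]         # None = anonymous / unauthenticated client
    groups: FrozenSet[str]
    at: time                    # local time the connection was opened


RING1_ALLOWED_TCP_PORTS = frozenset({80, 143, 443})   # HTTP, IMAP4, HTTPS


def ring1_packet_filter(conn: Connection) -> bool:
    """Ring 1, high-speed stateful packet filter: looks only at layer 4 and
    below. Any TCP connection to an allowed port is accepted, whatever the
    payload later turns out to be."""
    return conn.transport == "tcp" and conn.dst_port in RING1_ALLOWED_TCP_PORTS


@dataclass(frozen=True)
class AccessRule:
    """One allow rule: who, which application protocol, where, and when."""
    name: str
    principals: FrozenSet[str]       # user names or group names
    app_protocols: FrozenSet[str]
    destinations: FrozenSet[str]
    start: time
    end: time


def in_window(t: time, start: time, end: time) -> bool:
    """True when start <= t < end; also correct for windows crossing midnight."""
    if start <= end:
        return start <= t < end
    return t >= start or t < end


def rule_matches(rule: AccessRule, conn: Connection) -> bool:
    if conn.user is None:
        return False  # user/group rules never match an unauthenticated client
    principal_ok = conn.user in rule.principals or bool(conn.groups & rule.principals)
    return (principal_ok
            and conn.app_protocol in rule.app_protocols
            and conn.dst_host in rule.destinations
            and in_window(conn.at, rule.start, rule.end))


def ring3_policy(conn: Connection, rules: Sequence[AccessRule]) -> Tuple[bool, str]:
    """Ring 3, application-layer firewall with user/group-based access control.
    Default deny: the connection is allowed only if some rule allows it."""
    for rule in rules:
        if rule_matches(rule, conn):
            return True, rule.name
    return False, "default deny"


# The least-privilege policy from the text: members of one group may reach the
# Microsoft Web site, over HTTP only, between 9:00 A.M. and 5:00 P.M.
RULES = (
    AccessRule("ms-web-business-hours", frozenset({"web-users"}), frozenset({"http"}),
               frozenset({"www.microsoft.com"}), time(9, 0), time(17, 0)),
)


def make_conn(dst_host="www.microsoft.com", dst_port=80, app_protocol="http",
              user="alice", groups=frozenset({"web-users"}), at=time(10, 0),
              transport="tcp") -> Connection:
    """Constructed sample connection; the defaults are the in-policy case."""
    return Connection("10.1.2.3", dst_host, dst_port, transport, app_protocol,
                      user, groups, at)


if __name__ == "__main__":
    samples = {
        "in policy": make_conn(),
        "after hours": make_conn(at=time(18, 30)),
        "wrong site, same port": make_conn(dst_host="www.example.org"),
        "ssh tunnelled over port 80": make_conn(app_protocol="ssh"),
        "unauthenticated client": make_conn(user=None, groups=frozenset()),
        "ssh on port 22": make_conn(dst_port=22, app_protocol="ssh"),
    }
    for label, c in samples.items():
        print(f"{label:28s} ring1={ring1_packet_filter(c)!s:5} ring3={ring3_policy(c, RULES)}")
```

Running the block prints one line per sample: the port filter accepts the after-hours connection, the connection to the wrong site and the tunnelled protocol on port 80 alike, and only rejects port 22; the inner ring allows exactly one of the six. The time window is half-open (the 5:00 P.M. boundary itself is outside business hours), and the midnight-crossing branch in `in_window` is the edge case that a naive `start <= t <= end` comparison gets wrong.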
Ring 2 is the Backbone Edge that marks a line between the internal interfaces of the Internet Edge firewalls and the external interfaces of the backbone segment firewalls. Figure 4.2 shows the placement of the four Backbone Edge firewalls surrounding the edges of the corporate backbone network.

Figure 4.2: Ring 2: The Backbone Edge
The corporate backbone network provides a common network to which all other corporate network segments connect. The total traffic moving inbound and outbound through backbone firewalls is lower on a per-firewall basis than the Internet Edge firewalls because there are more of them.
For example, you might have two high-speed packet-filtering firewalls on the Internet Edge handling 5 gigabits/second each for a total of 10 gigabits/second between them. There are four Backbone Edge firewalls, and assuming that the load is shared equally among these, each of the Backbone Edge firewalls handles 2.5 gigabits/second.
The Backbone Edge firewalls can begin the real firewall work required to protect the corporate assets by performing stateful application-layer inspection of both inbound and outbound traffic. Since modern exploits are aimed at the application layer (because that's where the 'money' is), the backbone application-layer firewalls can do the job of checking the application layer validity of the communications moving through them.
For example, if you allow inbound HTTP, the stateful inspection application layer-aware firewalls on the Backbone Edge start to apply real network security by checking the details of the HTTP communication and block suspicious connections through the firewall.
This is a good location for the ISA firewall. Since the ISA firewall is considered the model of a stateful application-layer inspection firewall, it can perform the heavy lifting required to protect the corporate backbone network and the network inside of it, as well as ensure that inappropriate traffic (such as worm-generated traffic) does not cross the Backbone Edge ring. Traffic volume in this example isn't a problem for ISA firewalls, as they have been tested and confirmed as multi-gigabit firewalls, based on their hardware configuration and firewall rule base.
The next security perimeter is at Ring 3. Ring 3 is at the border of the backbone network and the networks containing the corporate assets. Corporate assets can represent user workstations, servers, departmental LANs, management networks, and anything else you don't want unauthorized access to. The line demarcating the backbone network and the asset networks is the Asset Network Edge. This is the ring where you need the strongest, most sophisticated level of protection. If an intruder is able to violate the integrity of this ring, they are in the position to directly access your corporate assets and carry out a successful attack.
Figure 4.3 shows the location of the Asset Network Edges in Ring 3.

Figure 4.3: Ring 3 at the Asset Network Edge
It is at Ring 3 that the ISA firewall becomes critical. Rather than a packet-filtering hardware device, you need real firewall protection here. Simple packet filtering is inadequate when it comes to protecting resources in the network asset ring. Not only must you ensure that all incoming connections are subjected to deep, stateful application-layer inspection, you must also ensure that outbound connections from the asset networks are subjected to strong user/group-based access control.
Strong outbound user/group-based access control is an absolute requirement. In contrast to typical hardware packet-filtering devices that let everything out, firewalls at the Asset Network Edge must be able to control outbound connections based on user/group-based membership. Reasons for this are listed below.
You must be able to log the user name of all outbound connections so that you can make users accountable for their Internet activity.
You must be able to log the application the user used to access Internet content; this allows you to determine if applications not allowed by network use policy are being used and enables you to take effective countermeasures.
Your organization may be held responsible for material leaving your network; therefore, you must be able to block inappropriate material from leaving your network.
Sensitive corporate information may be transferred outside the network from Asset Network locations. You must be able to block outbound transfer of proprietary information and record user names and the names of the software applications used to transfer proprietary information to external locations.
The ISA firewall is the ideal firewall for the Asset Network edges because it meets all of these requirements. When systems are properly configured as Firewall and Web Proxy clients, you are able to:
Record the user name for all TCP and UDP connections made to the Internet (or any other network the user might connect to by going through the ISA firewall).
Record the software application used to make these TCP and UDP connections through the ISA firewall.
Block connections to any domain name or IP address based on user name or group membership.
Block access to any content outside the Asset Network based on user name or group membership.
Block transfer of information from the Asset Network to any other network based on user name or group membership.
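The requirements above only pay off if someone actually reviews what the firewall recorded. The following added example (not code from this book, and not a parser for the ISA firewall's own log format) runs a few constructed outbound-connection records through the checks the preceding paragraphs call for: connections that carry no user name, applications that are not on an approved list (the file-sharing case), and upload-capable protocols that could carry proprietary data out of the Asset Network. The field layout, the `APPROVED_APPS` and `UPLOAD_CAPABLE` lists, the application names and every log line are this example's own assumptions.

```python
import csv
from collections import defaultdict
from io import StringIO

# Constructed outbound-connection log. The columns mirror what the text says
# the Asset Network Edge firewall must record (user, application, destination);
# the layout is this example's own, not the ISA firewall's log format.
SAMPLE_LOG = """\
timestamp,client_ip,user,application,protocol,dst_host,dst_port,action
2004-09-14 09:12:04,10.1.2.3,CORP\\alice,iexplore.exe,http,www.microsoft.com,80,allowed
2004-09-14 09:15:41,10.1.2.3,CORP\\alice,outlook.exe,rpc,mail.corp.example,135,allowed
2004-09-14 11:02:17,10.1.2.9,CORP\\bob,p2pclient.exe,tcp,198.51.100.7,1214,allowed
2004-09-14 11:02:19,10.1.2.9,CORP\\bob,p2pclient.exe,tcp,198.51.100.8,1214,denied
2004-09-14 13:40:00,10.1.2.15,anonymous,unknown,tcp,203.0.113.5,443,allowed
2004-09-14 14:05:33,10.1.2.3,CORP\\alice,ftp.exe,ftp,203.0.113.9,21,allowed
"""

# Assumed policy for the example: which applications network use policy
# permits, and which protocols are reviewed because they can move data out.
APPROVED_APPS = frozenset({"iexplore.exe", "outlook.exe"})
UPLOAD_CAPABLE = frozenset({"ftp"})


def parse_log(text):
    """Read the CSV-style log into a list of dicts keyed by column name."""
    return list(csv.DictReader(StringIO(text)))


def review_outbound(records):
    """Apply the accountability checks and return (findings, per-user summary).

    findings["unauthenticated"]: outbound connections with no user name, which
        defeat the 'log the user name of all outbound connections' requirement.
    findings["unapproved_app"]: (user, application, action) for applications
        outside network use policy, whether the firewall allowed or denied them.
    findings["outbound_transfer"]: (user, application, destination) for
        upload-capable protocols leaving the Asset Network, for data-loss review.
    """
    findings = {"unauthenticated": [], "unapproved_app": [], "outbound_transfer": []}
    per_user = defaultdict(lambda: {"connections": 0, "apps": set()})
    for r in records:
        user = r["user"]
        per_user[user]["connections"] += 1
        per_user[user]["apps"].add(r["application"])
        if user == "anonymous":
            findings["unauthenticated"].append((r["client_ip"], r["dst_host"]))
            continue  # nothing else can be attributed to a person
        if r["application"] not in APPROVED_APPS:
            findings["unapproved_app"].append((user, r["application"], r["action"]))
        if r["protocol"] in UPLOAD_CAPABLE:
            findings["outbound_transfer"].append((user, r["application"], r["dst_host"]))
    return findings, dict(per_user)


if __name__ == "__main__":
    findings, summary = review_outbound(parse_log(SAMPLE_LOG))
    for kind, items in findings.items():
        print(f"{kind}: {len(items)}")
        for item in items:
            print("   ", item)
    for user, info in summary.items():
        print(f"{user}: {info['connections']} connections via {sorted(info['apps'])}")
```

Note that the denied peer-to-peer connection is reported alongside the allowed one: a denied connection still tells you a user is running software the policy forbids, which is the countermeasure trigger the text describes. The anonymous record is reported separately, because with no user name there is nobody to hold accountable, which is exactly why the page insists on Firewall and Web Proxy client configuration.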
Deep stateful application-layer inspection and access control requires processing power. Servers should be sized appropriately to meet the requirements of powerful stateful application-layer processing. Fortunately, even with complex rule sets, the ISA firewall is able to handle well over 1.5 gigabits/second per server, and even higher traffic volumes with the appropriate hardware configuration.
Ring 4 represents the deepest security perimeter in this model. Ring 4 is the Host-based security ring. The Host-based security ring represents the junction between host systems and the network to which they are directly attached. The following figure shows the position of Ring 4.

Figure 4.4: Ring 4: Host-based Security
Approaches to Host-based security are somewhat different than what you see with network firewall protection, but the principles are the same. Host-based security requires that you control what is allowed inbound and outbound to the host machine and that the applications on the hosts are designed with security in mind. Some of the things you should consider when dealing with the Host-based Security ring are listed below.
A Host-based firewall can be used to control what incoming and outgoing connections are allowed and what applications can send and receive data. This is the typical 'personal firewall' approach, but it can be expanded to support Server applications, in addition to providing personal firewall support for user workstations.
IPSec policy (on systems that support it) can be used to control what is allowed inbound and outbound from and to specific hosts. If a particular workstation or server does not need to connect to all possible computers, you can lock them down using IPSec policies to limit connections to a predefined collection of machines.
Applications and services running on the hosts must be designed with security in mind. That means these applications and services are not vulnerable to common attacks such as buffer overflow and social attacks (such as HTML e-mail exploits and opening attachments).
Antivirus software must be used to block viruses that come from other network locations or are introduced by compromised hotfixes and software.
Anti-scumware software must be installed to protect the machines, to prevent Adware and other malicious software from being installed on the machine.
Anti-spam software must be installed on the machine if an e-mail client is installed. Anti-spam software should also be installed on SMTP relays that handle inbound and outbound mail to block spam that carries not only potentially dangerous payload, but also to reduce losses in employee productivity related to spam.
Users and installed services should run with least privilege to limit the impact malicious software can have should it be executed. For example, a lot of adware, scumware, spyware, viruses, and rootkits will fail to install if the compromised user account does not have admin or power user rights.
Host-based security is the last defense. No firewall can completely make up for weaknesses found at the host layer. Network firewall security is helpful for controlling access between corporate networks and for attacks coming from non-local networks that must traverse the ISA firewall, but only Host-based security can handle attacks coming from the local network, where the connection does not traverse a network firewall.
Now that you have a good grounding in the varieties of security perimeters, you realize that comments like, 'I wouldn't feel comfortable putting an ISA firewall in without putting a hardware packet filter in front of it,' are akin to saying, 'I wouldn't feel comfortable putting an ICBM missile silo in unless I can put a poodle in front of it.'
Note that for smaller networks that might have a single ring, which is the Internet Edge ring, the entire discussion is moot. The only reason to put a packet-filtering traditional firewall in front of the ISA firewall is to waste money. You'd be better off buying two ISA firewalls, or buying two sophisticated application-layer firewalls with the ISA firewall behind the other application-layer firewall. This ensures that the ISA firewall can implement the strong user/group-based security you require.
ISA Firewall Fallacies
There are a collection of misconceptions and fallacies that are commonly associated with the ISA firewall. As an ISA firewall administrator, you'll need to be able to address these fallacies and educate colleagues and managers. Some common ISA firewall fallacies include:
Software firewalls are inherently weak. Only hardware firewalls can be trusted to secure a network.
You can't trust any service running on the Windows operating system to be secure. You could never secure a firewall running on a Windows OS.
ISA machines make for good proxy servers, but I need a real firewall to protect my network.
ISA firewalls run on an Intel hardware platform, and only firewalls that have all 'solid state' components can be firewalls. A firewall should have no moving parts if you want to consider it to be a firewall.
'I have a firewall and an ISA Server.'
A real firewall should be a nightmare to configure, and ideally, should use a command line interface to make it accessible only to individuals who have attended expensive vendor training classes.
Let's take each of these ISA firewall fallacies one at a time.
Software Firewalls are Inherently Weak
As an ISA firewall admin, you've probably run into people who:
Don't know what an ISA firewall is
Think it's some sort of caching server, akin to the old CacheFlow product (purchased by Bluecoat) or Squid
Believe only hardware firewalls are 'secure' and so-called 'software' firewalls aren't suitable at the datacenter perimeter
Teaching people who have never heard of an ISA firewall can be a lot of fun. You get to tell them about how an ISA firewall provides strong inbound and outbound access controls in ways no other firewall currently on the market can provide, how the ISA firewall blocks file sharing programs, how it prevents malicious users from violating network security policies (such as downloading copyrighted material), how the ISA firewall provides superior protection for Microsoft Exchange services including OWA and MAPI/RPC, and how it is so easy to configure that it blows away all other enterprise-grade firewalls on the market.
You will encounter a number of network and firewall administrators who have heard of the ISA firewall, but have the misconception that 'ISA is a Web Proxy or caching server thingie,' (to quote a firewall expert I once encountered at a security conference).
ISA firewalls are honest-to-goodness, enterprise-class firewalls that provide the strong inbound and outbound access control and application-layer filtering you need to protect today's networks, not the networks of the 1990s where traditional packet filter-based firewalls were good enough.
The 'only hardware firewalls can be made secure' believers are the most recalcitrant. They've been told over the years that hardware (ASIC-based) firewalls are the acme of firewalls, and any firewall not based on ASIC is an inadequate software firewall and should more properly be referred to as a proxy. I have to wonder how they reconcile this dogma with the fact that the number-one selling firewall product is CheckPoint, a software-based firewall.
The hardware firewall fantasy is based on a historical reality. In the 1990s, hardware firewalls could provide a reasonable level of security and performance using simple packet-filtering mechanisms that look at source and destination addresses, ports, and protocols, and make quick decisions. Since firewall-filtering logic is 'burnt-in' to the ASIC (Application Specific Integrated Circuit), it's not easy to hack the basic system. However, twenty-first century attackers have learned you don't need to hack the packet-filtering firewall's core instruction set to get around the relatively poor network security that stateful filtering hardware-based systems provide.
You can find an excellent article debunking the myth of ASIC superiority at http://www.issadvisor.com/viewtopic.php?t=368. The author makes a very good case for avoiding hardware firewalls because they will never be able to keep pace with modern threat evolution and that one-box software-based firewalls are the future of network firewalls and perimeter security. Herein lies the massive advantage conferred by your ISA firewall: it can be quickly upgraded and enhanced to meet not only today's threats, but also the exploits against which you're sure to need defense in the future.
You Can't Trust Any Service Running on the Windows Operating System to be Secure
This is a common point of contention among the 'hardware firewall' enthusiasts. I'm often asked how we can feel secure running ISA firewalls on Windows operating systems, given the number of security holes and bug fixes the base operating system requires. This is a good and valid question. Here are the highlights you should consider regarding the issue of the underlying Windows operating system and running the ISA firewall on top of it.
Not all hotfixes apply to the ISA firewall in its role as network firewall. Many of these hotfixes are service-based. Since you don't run client or server services on the ISA firewall machine, most of the hotfixes are irrelevant.
Some of the hotfixes address issues with core operating system components, such as RPC (which the Blaster worm took advantage of). Since the ISA firewall applies security policy to all interfaces, you would have to create an Access Rule allowing the attack access to the firewall. In the specific case of RPC, the secure RPC filter blocks Blaster and related attacks. IIS problems are a non-issue because you do not run IIS services (with the possible exception of the IIS SMTP service) on the firewall. Other services are only accessible if you open up the ports to the firewall to allow the attack in. A properly configured ISA firewall, therefore, is much more secure than the base operating system because network access to the firewall is severely truncated.
Other hotfixes apply to stability issues. You need to apply these hotfixes and service packs. However, all firewall vendors issue regular fixes (if they don't, then they're not paying attention and their software is vulnerable, even if they don't know it, and even if they haven't acknowledged the vulnerabilities to you).
Some hotfixes require restarting. You can schedule the restart for a convenient time. Note that you will not need to install all hotfixes because not all of them, or even a significant number of them, apply to the ISA firewall. The number of restarts required should be negligible.
If you can't trust services running on a Windows operating system, then how can you trust the underlying OS for your Exchange, SQL, SharePoint and other Microsoft server installations?
The underlying OS on the ISA firewall can be hardened. In fact, there is a profile in the Windows Server 2003 SP1 Security Configuration Wizard (SCW) allowing you to harden the underlying OS automatically using the SCW.
You can harden the underlying OS manually if you don't want to use the SCW or don't have access to it. There will be an OS hardening guide that releases concurrently with ISA 2004 that will walk you through the process of hardening the underlying OS while leaving the ISA firewall services unaffected. This was a significant issue with ISA Server 2000 because many of us attempted to harden the OS and it had side effects that we weren't aware of.
While the issue of the underlying operating system is a factor, you can see that the underlying Windows Server 2003 OS is definitely not a significant factor. As for Windows 2000, securing the underlying OS may be a bit more of an issue, but you can still harden the OS to an extent that it rivals any hardware firewall.
ISA Firewalls Make Good Proxy Servers, but I Need a 'Real Firewall' to Protect My Network
It's true that ISA firewalls make great proxy servers. In fact, the ISA firewall is both a stateful filtering and proxy firewall. Blended firewalls of this type are the most sophisticated and most secure firewalls available today.
The conventional packet-filtering firewall uses a very simple mechanism to control inbound and outbound access: source and destination port, source and destination IP address, and for ICMP, source and destination IP address together with ICMP type and code. Packet filters must be explicitly created for each inbound and outbound connection. More sophisticated packet filters can dynamically open response ports. ISA firewalls are able to dynamically open ports via their dynamic packet-filtering feature.
The 'circuit layer' firewall is akin to what most commentators refer to as the 'stateful filtering firewall.' It should be noted that the term 'stateful' can mean whatever you want it to mean. It was introduced as a marketing term, and like most marketing terms, was designed to sell product, not to quantify and specify any specific feature or behavior.
However, most people think of stateful filtering (in contrast to stateful inspection) as a mechanism where the stateful filter tracks the connection state at the transport (layer 4) level. The TCP protocol can define session state, while UDP does not. Because of this, UDP communications must have a pseudo-state enforced by the stateful-filtering device. Stateful filtering is helpful in protecting against a number of sub-application layer attacks, such as session hijacking.
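The distinction drawn above, between a static packet filter and a device that tracks connection state at layer 4 and imposes a pseudo-state on UDP, is easier to see in code. The following is an added example, not code from the book or from ISA Server: a toy stateful filter that derives TCP state from the handshake flags and gives UDP flows an idle timeout. The addresses, timestamps and the 30-second timeout are constructed for the illustration.

```python
"""Added example, not code from the book or from ISA Server: a toy stateful
filter. TCP state comes from the handshake flags; UDP carries no state on the
wire, so the filter imposes a pseudo-state with an idle timeout. Addresses,
timestamps and the timeout value are constructed."""
from dataclasses import dataclass

UDP_IDLE_TIMEOUT = 30.0  # seconds; assumed value for the UDP pseudo-state


@dataclass(frozen=True)
class Packet:
    proto: str       # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    flags: str = ""  # TCP flag letters: "S", "SA", "A", "FA", "R"
    ts: float = 0.0  # arrival time on a constructed clock


def is_inside(ip: str) -> bool:
    """The protected side is 10.0.0.0/8 (constructed for the example)."""
    return ip.startswith("10.")


class StatefulFilter:
    def __init__(self) -> None:
        self.tcp: dict[tuple, str] = {}    # flow key -> TCP state
        self.udp: dict[tuple, float] = {}  # flow key -> last activity time

    @staticmethod
    def flow_key(p: Packet) -> tuple:
        """Orient the 5-tuple from the inside host so both directions match."""
        if is_inside(p.src):
            return (p.proto, p.src, p.sport, p.dst, p.dport)
        return (p.proto, p.dst, p.dport, p.src, p.sport)

    def decide(self, p: Packet) -> str:
        return self._tcp(p) if p.proto == "tcp" else self._udp(p)

    def _tcp(self, p: Packet) -> str:
        k = self.flow_key(p)
        outbound = is_inside(p.src)
        state = self.tcp.get(k)
        if state is None:
            # Only an inside-originated SYN may create state. An unsolicited
            # inbound SYN or a stray ACK has no flow to join and is dropped.
            if outbound and p.flags == "S":
                self.tcp[k] = "SYN_SENT"
                return "allow"
            return "deny"
        if state == "SYN_SENT":
            if outbound and p.flags == "S":      # SYN retransmit
                return "allow"
            if not outbound and p.flags == "SA":  # the expected reply
                self.tcp[k] = "ESTABLISHED"
                return "allow"
            return "deny"
        # ESTABLISHED: traffic flows both ways; FIN or RST tears the entry
        # down (simplified: a real tracker walks the FIN_WAIT/CLOSE_WAIT states)
        if "F" in p.flags or "R" in p.flags:
            del self.tcp[k]
        return "allow"

    def _udp(self, p: Packet) -> str:
        k = self.flow_key(p)
        if is_inside(p.src):
            self.udp[k] = p.ts            # outbound datagram opens pseudo-state
            return "allow"
        last = self.udp.get(k)
        if last is None or p.ts - last > UDP_IDLE_TIMEOUT:
            self.udp.pop(k, None)         # never opened, or idled out
            return "deny"
        self.udp[k] = p.ts                # a reply refreshes the idle timer
        return "allow"


def run_scenario() -> list:
    """Constructed traffic: a web session, an unsolicited inbound SYN, a stray
    ACK from a third host, and a DNS exchange whose late reply has timed out."""
    fw = StatefulFilter()
    packets = [
        Packet("tcp", "10.0.0.5", 40000, "203.0.113.10", 80, "S", 1.0),
        Packet("tcp", "203.0.113.10", 80, "10.0.0.5", 40000, "SA", 1.1),
        Packet("tcp", "10.0.0.5", 40000, "203.0.113.10", 80, "A", 1.2),
        Packet("tcp", "203.0.113.10", 80, "10.0.0.5", 40000, "A", 1.5),   # data
        Packet("tcp", "203.0.113.10", 1234, "10.0.0.5", 445, "S", 2.0),   # unsolicited
        Packet("tcp", "198.51.100.7", 80, "10.0.0.5", 40000, "A", 2.1),   # no such flow
        Packet("udp", "10.0.0.5", 5353, "203.0.113.53", 53, "", 10.0),
        Packet("udp", "203.0.113.53", 53, "10.0.0.5", 5353, "", 11.0),
        Packet("udp", "203.0.113.99", 53, "10.0.0.5", 5353, "", 12.0),    # unknown peer
        Packet("udp", "203.0.113.53", 53, "10.0.0.5", 5353, "", 50.0),    # idled out
        Packet("tcp", "203.0.113.10", 80, "10.0.0.5", 40000, "FA", 60.0),
        Packet("tcp", "203.0.113.10", 80, "10.0.0.5", 40000, "A", 61.0),  # after close
    ]
    return [fw.decide(p) for p in packets]


if __name__ == "__main__":
    for decision in run_scenario():
        print(decision)
```

A static packet filter that permits "TCP port 80 outbound and any established-looking reply inbound" would have admitted the stray ACK from 198.51.100.7, because it has no memory of which flows exist; that memory is the whole of what the stateful filter adds, and it is also why UDP replies need the timed pseudo-state rather than a permanent hole.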
Most hardware firewalls stop there. They can perform simple packet filtering, dynamic packet filtering, and stateful packet filtering (stateful filtering). These firewalls also often provide advanced routing features, which places them more in the class of a network router than a true modern firewall. In contrast, the routing features of ISA firewalls are less impressive than you see in traditional packet filter-based firewalls.
As we've discussed earlier, the packet-filter firewall is useful on Ring 1, at the Internet Edge, because of its processing speed. The primary problem with these firewalls is that they really do not provide the level of protection you require to stop exploits from reaching Rings 2 and 3, where advanced application-layer inspection must be performed.
This is where the proxy firewalls enter the mix. A proxy firewall is able to inspect the entire contents of an application-layer communication by deconstructing and reconstructing the entire application layer message. For example, the proxy firewall reconstructs the entire HTTP message, examines the commands and data within the message, statefully inspects the contents and compares those with the application layer rules. The proxy firewall then allows or denies the communication based on the application layer rules configured for the HTTP protocol.
For example, one of the more common HTTP exploits is the directory traversal attack. Many popular worms take advantage of directory traversal to access executables on a Web server. For example, the following URL:
http://www.iusepixfirewalls.com/scripts/..%5c../winnt/system32/cmd.exe?/c+dir+c:\
executes the cmd.exe file and runs the 'dir c:\' command which lists all files in the C:\ directory. Note the '%5c' string. This is a Web server escape code. Escape codes represent normal characters in the form of %nn, where nn stands for a two-character entry. The escape code '%5c' represents the character '\'. The IIS root directory enforcer might not check for escape codes and allow the request to be executed. The Web server's operating system understands escape codes and executes the command.
Escape codes are also very useful for bypassing poorly written filters enforced on input received from users. If the filter looks for '../' (dot dot slash), then the attacker could easily change the input to '%2e%2e/'. This has the same meaning as '../', but is not detected by the filter. The escape code %2e represents the character '.' (dot). The ISA firewall, being a sophisticated stateful application-layer inspection firewall, easily blocks these exploits.
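The two evasions just described, the '%5c' backslash escape and the '%2e%2e/' form of dot-dot-slash, both defeat a filter that matches the literal bytes of the request. What an application-layer inspector has to do instead is decode and canonicalize the path before deciding. The following is an added example, not code from the book or from ISA Server, showing a minimal normalize-then-check detector next to the naive substring filter the text criticizes; the sample request paths are constructed (the first is the book's own URL path) and the web-root check is a simplification of what a real proxy filter does.

```python
"""Added example, not code from the book or from ISA Server: a minimal
path normalizer and traversal detector of the kind an application-layer
inspector runs before matching HTTP rules, compared with a naive literal
'../' filter. Sample requests are constructed for illustration."""
from urllib.parse import unquote

SAMPLE_REQUESTS = {
    # the book's example path: '%5c' is the escape for backslash
    "backslash_escape": "/scripts/..%5c../winnt/system32/cmd.exe?/c+dir+c:\\",
    # dot-dot written as %2e%2e, which a literal '../' filter never sees
    "dot_escape": "/scripts/%2e%2e/%2e%2e/winnt/system32/cmd.exe?/c+dir+c:\\",
    # double-encoded backslash: one round of decoding only yields '%5c'
    "double_encoded": "/scripts/..%255c..%255cwinnt/system32/cmd.exe",
    # a legitimate relative reference that never leaves the web root
    "benign": "/images/../scripts/page.asp?id=7",
}


def naive_filter_blocks(raw_url: str) -> bool:
    """The kind of input filter the text criticizes: a literal substring match."""
    return "../" in raw_url


def normalize_path(raw_url: str, max_rounds: int = 3) -> str:
    """Strip the query, percent-decode until the result is stable (bounded,
    so double encoding is caught without looping forever), fold backslashes
    to forward slashes, and collapse repeated slashes."""
    path = raw_url.split("?", 1)[0]
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    path = path.replace("\\", "/")
    while "//" in path:
        path = path.replace("//", "/")
    return path


def escapes_root(normalized_path: str) -> bool:
    """True when the '..' segments ever climb above the web root."""
    depth = 0
    for segment in normalized_path.split("/"):
        if segment in ("", "."):
            continue
        if segment == "..":
            depth -= 1
            if depth < 0:
                return True
        else:
            depth += 1
    return False


def inspect(raw_url: str) -> dict:
    """Compare the naive filter with the normalize-then-check approach."""
    normalized = normalize_path(raw_url)
    return {
        "normalized": normalized,
        "naive_filter_blocks": naive_filter_blocks(raw_url),
        "traversal": escapes_root(normalized),
    }


if __name__ == "__main__":
    for name, url in SAMPLE_REQUESTS.items():
        print(name, inspect(url))
```

Run on the constructed samples, the naive filter misses both encoded forms and also blocks the benign request, while the normalized check flags exactly the three requests that climb out of the web root. Decoding must be bounded and repeated (here up to three rounds) because an attacker controls how many layers of encoding the request carries.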
Proxy firewalls have the potential to block exploits for any application layer protocol. Other application layer protocols include SMTP, NNTP, Instant Messaging protocols, POP3, IMAP4 and all others. Blended firewalls like ISA 2004, which combine stateful filtering and stateful application-layer inspection, can easily be upgraded with software to block the most recent application layer-attack. In contrast, stateful filtering firewalls are totally unaware of application-layer attacks, and even hardware firewalls with rudimentary application-layer inspection cannot be quickly upgraded to meet the latest application-layer exploit because of the limits of ASIC (hardware) processing and development.
ISA Firewalls Run on an Intel Hardware Platform, and Firewalls Should Have 'No Moving Parts'
Why does a firewall require no moving parts, while my Exchange, SQL, Web, FTP and other mission-critical servers run fine with 'moving parts'? Usually, the term 'moving parts' has something to do with Intel platforms and hard disks. Here are some advantages to using the Intel PC-based platform for firewalls.
When memory, processor, or network card goes bad on the device, you can replace it at commodity hardware prices. You do not need to go back to the solid state hardware vendor and pay premium prices for their versions of hardware components.
When you want to upgrade memory, processor, storage, NIC, or any other component, you can use commodity hardware and add that to your machine. You do not need to go to the source hardware vendor to obtain overpriced upgrades.
Because the ISA firewall software is hard-disk based, you do not have the memory and storage restrictions of straightjacket solid state devices. You can install on-box application-layer filters, increase the cache size, tweak performance and security settings, and perform fine-tuned customizations required by your environment.
The 'no moving parts' aspect pertains primarily to hard disks. Hard disk MTBF values are in years. Even low-end IDE drives last 3+ years with normal use. When the disk fails, the ISA firewall configuration is easy to restore because the entire configuration is stored in a simple .xml file. You can be back up and running within 15 minutes with the right disaster-recovery plan. Compare that to fried memory in a hardware device where the entire device must be returned to the manufacturer.
The disaster recovery aspect is perhaps the most compelling reason for using a 'software' firewall. A single ISA firewall, or an entire array of 10 ISA firewalls, can be rebuilt in a matter of minutes without requiring you to replace the entire box or to obtain hardware pieces from the vendor. And if you're using removable drives, it's a literal no-brainer to be up and running for the entire array in less than 30 minutes!
'I Have a Firewall and an ISA Server'
'I've got a firewall, and I want to place an ISA Server behind it; how do I do that?' These comments often come from ISA fans, so I know there's no intent to denigrate the ISA firewall. Instead, this indicates that the ISA firewall admins don't realize that ISA firewalls are the firewalls for their network and that the stateful packet-filtering devices they put in front of the ISA firewalls are performing basic packet filtering, which helps with processor off-loading.
To be fair, not everyone uses the ISA firewall as a firewall. You do have the option to install the ISA firewall in single NIC mode, which is comparable to the 'cache only' mode that ISA Server 2000 included. In single NIC mode, the ISA firewall functionality is truncated. Most of the firewall functionality is removed, and the machine provides limited functionality as a Web Proxy server only.
This is not to imply that the ISA firewall in single NIC mode is not secure. Enough of the firewall functionality is left in place to allow the ISA firewall to protect itself and to secure the Web-proxied connections made through the single NIC ISA firewall. The ISA firewall in single NIC configuration only allows connections to itself that you explicitly allow via the firewall's system policy. The only connections it allows to corporate network hosts are those you explicitly allow via Web Publishing Rules, and the only outbound connections that can be made through the single NIC ISA firewall are those you allow via an HTTP/HTTPS-only list of Access Rules.
While I would prefer to see all organizations use the ISA 2004 firewall for its intended use, which is as a full-featured, blended stateful packet-filtering and stateful application-layer inspection firewall, I do realize that larger organizations may have already spent, literally, millions of dollars on other firewall solutions. These organizations do want to benefit from the reverse proxy components the ISA firewall provides to obtain superior OWA, OMA, ActiveSync and IIS protection. For this reason, it's important to point out that the ISA firewall, even in the 'crippled' single NIC mode, provides a high level of protection for forward and reverse proxy connections.
Why ISA Belongs in Front of Critical Assets
We've covered a lot of ground, so let's sum up the reasons why the ISA firewall belongs in front of your critical network assets.
ISA firewalls run on commodity hardware, which keeps costs in check while allowing you the luxury of upgrading the hardware with commodity components when you need to 'scale up' the hardware.
Being a 'software' firewall, the firewall configuration can be quickly upgraded with application-aware enhancing software from Microsoft and from third-party vendors.
Being a 'software' firewall, you can quickly replace broken components without returning the entire firewall to the vendor or requiring that you have several hot or cold standbys waiting in the wings.
The ISA firewall provides sophisticated and comprehensive stateful application-layer inspection, in addition to stateful packet filtering, to protect against common network-layer attacks and modern application-layer attacks.
The ISA firewall should be placed behind high-speed packet-filtering firewalls. This is important on networks that have multi-gigabit connections to the Internet. The packet-filtering firewalls reduce the total amount of traffic that each back end ISA firewall needs to process. This reduces the total amount of processing overhead required on the ISA firewalls and allows the ISA firewalls to provide the true, deep stateful application-layer inspection required to protect your network assets.
While the ISA firewall can't match the pure packet-passing capabilities of traditional hardware ASIC firewalls, the ISA firewall provides a much higher level of firewall functionality via its stateful packet filtering and stateful application-layer inspection features.
The ISA firewall is able to authenticate all communications moving through the firewall. This argues for placing the firewall directly in front of the Asset Networks. Ideally, another non-authenticating ISA firewall is placed in front of the authenticating ISA firewall so that sophisticated stateful application-layer inspection and stateful packet filtering is done before those connections reach the ISA firewalls performing authentication.
A Better Network and Firewall Topology
At this point we've put to rest the belief that hardware firewalls are more secure than an ISA firewall. With that understanding in mind, where exactly should we place the ISA firewall?
The answer depends on the size of your network and the number of rings or security zones you need to protect. If you have a large network, then the four-ring approach we discussed will work best, with the Backbone Network and the Asset Network protected by ISA firewalls. The Backbone Network ISA firewall is configured for full stateful filtering and stateful application-layer inspection without outbound access controls, while the Asset Network ISA firewalls provide stateful filtering and stateful application-layer inspection, as well as inbound and outbound user/group-based access controls.
Figure 4.5 recaps the Backbone and Asset Network configuration.

Figure 4.5: Backbone and Asset Network
Simpler network configurations may not have multiple rings or have multi-gigabit network connections. For these networks, there is no reason to place a fast packet-filtering firewall at the Internet Edge ring.
However, you do want to host publicly-accessible services on a DMZ segment between the Internet Edge and the Asset Edge. This represents your DMZ segment. You can safely and confidently place the ISA firewall at the Internet Edge and be confident that you have a higher level of security and access control than you would have with a conventional-packet filtering firewall. In addition, you can configure the Internal (back-end) ISA firewall for strong inbound and outbound user/group-based access control.
Figure 4.6 depicts the DMZ Firewall Segment configuration.

Figure 4.6: DMZ Firewall Segment
The simplest configuration requires only a single firewall situated at the Internet edge. In that case, you can place a single ISA firewall at the Internet Edge and benefit from its full firewall functionality, knowing that it provides your network a far higher level of security and protection than what you would derive from a simple high-speed packet filter-based firewall.