Application Filters
The ISA firewall includes a number of Application filters. In this section, we discuss:
SMTP filter and Message Screener
DNS filter
POP Intrusion Detection filter
SOCKS V4 filter
FTP Access filter
H.323 filter
MMS filter
PNM filter
PPTP filter
RPC filter
RTSP filter
The SMTP Filter and Message Screener
The SMTP filter and Message Screener are used to protect published SMTP servers. The SMTP filter protects published SMTP servers from buffer overflow attacks, and the SMTP Message Screener protects your company from unwanted e-mail messages.
The SMTP Message Screener can be placed in a number of locations:
On the ISA firewall
On a dedicated SMTP relay on a Protected Network Segment
On the Exchange Server
We recommend that you put the SMTP Message Screener either on the ISA firewall or on a dedicated SMTP relay either on the corporate network or on a DMZ segment. The reason why we recommend that you do not place the SMTP Message Screener on the Exchange Server is that message screening consumes a great deal of processor cycles, which will have a negative impact on the Exchange Server's overall performance.
In this section, we focus on our preferred configuration, which is to put the SMTP Message Screener on a dedicated SMTP relay machine. This option is the most secure, provides the best performance, and introduces the SMTPcred tool, which is required whenever the SMTP Message Screener is installed on a machine other than the ISA firewall itself.
Installing the SMTP Message Screener on a Dedicated SMTP Relay
Installing and configuring the SMTP Message Screener on a dedicated SMTP relay on a Protected Network Segment (corporate network or DMZ) is relatively easy. However, for the complete solution to work, you will need to perform other configurations and setup tasks:
The Exchange Server will need to be able to resolve the MX domain names of mail it sends outbound, or the SMTP relay will need to be able to resolve MX domain names of outbound mail if the SMTP Message Screener machine will also act as an outbound SMTP relay.
An Access Rule is required for the machine that performs name resolution for the Exchange Server. Ideally, this will be a DNS server on the corporate network that is capable of resolving Internet host names.
You'll need to configure an Access Rule that allows outbound SMTP for any machine that needs to send outbound SMTP mail.
You'll need to create a Server Publishing Rule to allow external SMTP servers to send mail to the SMTP relay running the SMTP Message Screener.
In this section, we discuss the installation and configuration of the SMTP Message Screener. Refer to the appropriate chapters in this book for details on the required Access Rules and Server Publishing Rules.
The SMTP Message Screener is an optional ISA Server 2004 component. This feature integrates with the IIS 6.0 SMTP service to examine and block SMTP mail based on parameters you configure in the Message Screener.
Install the SMTP Message Screener on the SMTP Relay
Perform the following steps to install the SMTP Message Screener on the ISA Server 2004 firewall computer:
Locate the ISA Server 2004 installation media and double-click the isaautorun.exe file.
In the Autorun menu, click the Install ISA Server 2004 icon.
Click Next on the Welcome to the Installation Wizard for Microsoft ISA Server 2004 page.
On the Program Maintenance page, select the Modify option and click Next.
On the Custom Setup page, click the Message Screener option, click This feature, and all subfeatures will be installed on local hard drive. Click Next. (See Figure 10.1.)

Figure 10.1: The Custom Setup Dialog Box
Click Next on the Services page that informs you that the SNMP and IIS Admin Service will be stopped during installation.
Click Install on the Ready to Modify the Program page.
Put a checkmark in the Invoke ISA Server Management when the wizard closes checkbox, and then click Finish on the Installation Wizard Completed page.
Close the Autorun menu.
The SMTP Message Screener must communicate with the ISA Server 2004 firewall to obtain settings information, including the keywords, domains, and attachments you want to block. You configure the SMTP Message Screener settings on the ISA Server 2004 firewall machine in the SMTP Filter interface, not on the SMTP relay machine on which the SMTP Message Screener is installed.
The smtpcred.exe tool is used to facilitate the transfer of information between the SMTP Message Screener machine and the ISA Server 2004 firewall. You will enter user, computer, and domain information in the smtpcred.exe tool to set up this connection.
Warning: In ISA Server 2000, the communication between the Message Screener and the ISA Server 2000 machine used DCOM calls. The new ISA firewall removes this requirement, and DCOM is no longer required. This improves the overall security of the connection between the SMTP Message Screener machine and the ISA firewall.
Perform the following steps to run the smtpcred.exe tool:
In the Microsoft Internet Security and Acceleration Server 2004 management console, expand the computer name and then click the Firewall Policy node. Right-click the Firewall Policy node and click Edit System Policy.
In the System Policy Editor, find the Remote Management group and click the Microsoft Management subfolder. Click the From tab.
On the From tab, click the Add button.
In the Add Network Entities dialog box, click the Computers node. Double-click the SMTP Relay entry and click Close.
In the System Policy Editor, click OK. (See Figure 10.2.)

Figure 10.2: The System Policy Editor
Click Apply to save the changes and update the Firewall policy.
Click OK in the Apply New Configuration dialog box.
At the SMTPRELAY computer, navigate to the C:\Program Files\Microsoft ISA Server folder and double-click the smtpcred.exe tool.
In the Message Screener Credentials dialog box, enter the name of the ISA Server 2004 firewall in the ISA Server text box. In the Retrieve settings every … min text box, enter a value for the number of minutes you want the SMTP Message Screener to wait between retrieving the configuration settings from the ISA Server 2004 firewall. In the Authentication data frame, enter the Username, Domain, and Password of a user who is an administrator on the ISA Server 2004 firewall. (See Figure 10.3.)

Figure 10.3: The Message Screener Credentials Dialog Box
Click the Test button. A Warning dialog box appears, informing you that some values have not been written to storage. Click OK.
An SMTP Message Screener Configuration Test Completed dialog box will appear, informing you that no errors were detected. Click OK.
Click OK in the Message Screener Credentials dialog box.
Configuring the SMTP Message Screener
We're now ready to configure the SMTP Message Screener, an application filter that examines all incoming messages that go through the ISA Server 2004 firewall via the SMTP Server Publishing Rule.
Perform the following steps on the Inbound SMTP Relay Server Publishing Rule:
In the Microsoft Internet Security and Acceleration Server 2004 management console, expand the server name and then expand the Configuration node. Click the Add-ins node.
In the Add-ins node, right-click the SMTP Filter in the Details Pane and click Properties. (See Figure 10.4.)

Figure 10.4: The SMTP Filter
Click the General tab in the SMTP Filter Properties dialog box. Confirm that there is a checkmark in the Enable this filter checkbox.
Click the Keywords tab. Confirm that there is a checkmark in the Enable keyword rule checkbox. You can select one of the following options in the Apply action if keyword is found in frame:
Message header or body: If the keyword is found in either the message header or the message body, the Action you configure for the rule is applied.
Message header: If the keyword is found in the header (subject line), the Action you configure for the rule is applied.
Message body: If the keyword is found in the body of the message, the Action you configure for the rule is applied.
Click the down arrow for the Action drop-down list box. You have the following options:
Delete message: The SMTP message is deleted without being saved and without notifying anyone that it has been deleted.
Hold message: The SMTP message is held in the BADMAIL directory in the SMTP service's folder hierarchy. You can view components of the held message, but the message is not saved in a format that you can easily forward to the recipient.
Forward message to: The SMTP message is forwarded to an e-mail address you configure in this rule. Each rule can have a different e-mail address to which the message is forwarded.
Click the Add button. In the Mail Keyword Rule dialog box, enter mail enhancement in the Keyword text box. Select the Message header or body option. Select the Hold message option from the Action list. Click OK. (See Figure 10.5.)

Figure 10.5: The SMTP Filter Properties Dialog Box
Click the Users / Domains tab. You can configure the SMTP Message Screener to block messages based on the sender's user account or e-mail domain on the Users/Domains tab. Enter a user e-mail account in the Sender's name text box and click Add. The sender's e-mail address appears in the Rejected Sender's list. Type in an e-mail domain in the Domain name text box and click Add. The e-mail domain appears in the Rejected Domains list.
E-mail messages processed by the SMTP Message Screener matching e-mail addresses or e-mail domains found in these lists are deleted. These messages are not stored anywhere on the server, nor are they forwarded to any user or administrator. If a message from a rejected sender or rejected domain also contains a keyword that matches a keyword rule, and that keyword rule is configured to hold the message, the message will not be held because it is rejected before the keyword search begins.
Click Apply and then click OK. (See Figure 10.6.)

Figure 10.6: The User / Domains Tab
Click the Attachments tab and click the Add button. Confirm that there is a checkmark in the Enable attachment rule checkbox on the Mail Attachment Rule dialog box. You have three options in the Apply action to messages containing attachments with one of these properties frame:
Attachment name: Select this option and enter a name for the attachment, including filename and file extension, in the text box next to this option. Use this option if you do not want to block all attachments with a particular file extension, but you do want to block a specific filename. For example, you do not want to block all .zip files, but you do want to block a file named exploit.zip.
Attachment extension: It is more common to block all files with a specific file extension. For example, if you want to block all files with the exe file extension, select this option and then enter either exe or .exe in the text box to the right of this option.
Attachment size limit (in bytes): You can block attachments based on their size. Select this option and enter the minimum attachment size, in bytes, that you want to block.
Click the down arrow for the Action drop-down list box. You have the following options:
Delete message: The SMTP message is deleted without being saved and without notifying anyone that it has been deleted. Choose to delete messages when you are sure that there will be no 'false positives', meaning that no one could possibly want the deleted message.
Hold message: The SMTP message is held in the BADMAIL directory in the SMTP service's folder hierarchy. You can view components of the held message, but the message is not saved in a format that you can easily forward to the recipient. Use the HOLD option when you think there is a possibility that someone may want the message. When the message is held, you will be able to retrieve it later if a user is concerned that mail was inadvertently deleted.
Forward message to: The SMTP message is forwarded to an e-mail address you configure in this rule. Each rule can have a different e-mail address to which the message is forwarded. Use this option if you have an e-mail administrator dedicated to reviewing spam messages for potential false positives. You can also use this option to save spam messages that can be used to train other anti-spam applications using Bayesian filtering and other filter training mechanisms. (See Figure 10.7.)

Figure 10.7: The Mail Attachment Rule Dialog Box
In this example, we'll select the Forward message to option so that you can see how to enter the forwarding address.
When you select the Forward message to option, a text box appears that allows you to enter an e-mail address to which the message will be forwarded. However, the server must be able to resolve the address of the mail domain of this user.
For example, in Figure 10.8, we entered the e-mail address smtpsecurityadmin@msfirewall.org. The ISA Server firewall must be able to access an MX record for the internal.net domain. The ISA Server firewall forwards the message to the SMTP server responsible for the internal.net mail based on the information in the MX record.

Figure 10.8: The Mail Attachment Rule Dialog Box
In this example, the firewall is configured with a DNS server address of a DNS server on the internal network that can resolve both internal and external network names. The message is forwarded to the internal address of the Exchange server. You must configure a split DNS infrastructure if the internal.net domain is available to both internal and external users.
The settings on the SMTP Commands tab are mediated by the SMTP filter component. The SMTP Message Screener does not evaluate SMTP commands and does not protect against buffer overflow conditions. The commands in the list are limited to a predefined length. If an incoming SMTP connection sends a command that exceeds the length allowed, the connection is dropped. In addition, if a command that is sent over the SMTP channel is not on this list, it is dropped. (See Figure 10.9.)

Figure 10.9: The SMTP Commands Tab
Click Apply and then click OK in the Configure SMTP Protocol Policy dialog box.
Click Apply to save the changes and update the Firewall policy.
Click OK in the Apply New Configuration dialog box.
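The walkthrough above describes an evaluation order (rejected senders and domains are deleted before any keyword search; keyword rules are scoped to header, body or both; attachment rules match an exact name, an extension entered as either exe or .exe, or a minimum size in bytes) without showing it end to end. The following Python model, added here as an illustration and not code from the chapter or from ISA Server, puts those rules together so the precedence can be checked against sample messages. Its assumptions, which the chapter does not state, are that keyword matching is a case-insensitive substring match, that keyword rules are evaluated before attachment rules, and that the first matching rule wins; the policy and messages are constructed, and the reason strings reuse the x-reason wording from Table 10.1.

```python
"""
A model of the SMTP Message Screener decision order described in this
section. Added example, not ISA Server code. ASSUMPTIONS (not stated in the
chapter): keyword matching is a case-insensitive substring match, keyword
rules are checked before attachment rules, and the first matching rule wins.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

Decision = Tuple[str, Optional[str], Optional[str]]  # (action, x-reason, forward_to)

# x-reason prefix used by the Message Screener log (Table 10.1).
RULE = "The SMTP Message Screener policy rule does not allow "


@dataclass
class Attachment:
    name: str
    size: int  # bytes


@dataclass
class Message:
    sender: str
    subject: str  # the "header" that the keyword scope refers to
    body: str
    attachments: List[Attachment] = field(default_factory=list)


@dataclass
class KeywordRule:
    keyword: str
    scope: str        # "header", "body" or "header_or_body"
    action: str       # "Delete", "Hold" or "Forward"
    forward_to: Optional[str] = None


@dataclass
class AttachmentRule:
    action: str
    forward_to: Optional[str] = None
    name: Optional[str] = None        # exact filename, e.g. "exploit.zip"
    extension: Optional[str] = None   # entered as "exe" or ".exe"
    size_limit: Optional[int] = None  # minimum size in bytes to block


@dataclass
class ScreenerPolicy:
    rejected_senders: Set[str] = field(default_factory=set)
    rejected_domains: Set[str] = field(default_factory=set)
    keyword_rules: List[KeywordRule] = field(default_factory=list)
    attachment_rules: List[AttachmentRule] = field(default_factory=list)


def _ext(name: str) -> str:
    return name.rsplit(".", 1)[1].lower() if "." in name else ""


def evaluate(policy: ScreenerPolicy, msg: Message) -> Decision:
    sender = msg.sender.lower()
    domain = sender.rsplit("@", 1)[-1]
    # 1. Rejected sender or domain: deleted outright, before any keyword rule
    #    runs, so a "Hold" keyword rule never gets to keep such a message.
    if sender in policy.rejected_senders or domain in policy.rejected_domains:
        return ("Delete", RULE + "messages from sender", None)
    # 2. Keyword rules, honouring the header / body / header-or-body scope.
    for rule in policy.keyword_rules:
        kw = rule.keyword.lower()
        in_header = kw in msg.subject.lower()
        in_body = kw in msg.body.lower()
        hit = {"header": in_header, "body": in_body,
               "header_or_body": in_header or in_body}[rule.scope]
        if hit:
            where = "subject" if in_header else "message body"
            return (rule.action, RULE + f"messages with specified {where}", rule.forward_to)
    # 3. Attachment rules, each checked against every attachment.
    for rule in policy.attachment_rules:
        for att in msg.attachments:
            if rule.name and att.name.lower() == rule.name.lower():
                return (rule.action, RULE + "attachment", rule.forward_to)
            if rule.extension and _ext(att.name) == rule.extension.lower().lstrip("."):
                return (rule.action, RULE + "attachment extension", rule.forward_to)
            if rule.size_limit is not None and att.size >= rule.size_limit:
                return (rule.action, RULE + "attachments of specified size", rule.forward_to)
    return ("Pass", None, None)


# Constructed policy mirroring the walkthrough: one keyword rule, a blocked
# filename, a blocked extension and a size limit that forwards large mail.
EXAMPLE_POLICY = ScreenerPolicy(
    rejected_domains={"example.biz"},
    keyword_rules=[KeywordRule("mail enhancement", "header_or_body", "Hold")],
    attachment_rules=[
        AttachmentRule("Hold", name="exploit.zip"),
        AttachmentRule("Delete", extension=".exe"),
        AttachmentRule("Forward", forward_to="smtpsecurityadmin@msfirewall.org",
                       size_limit=5_000_000),
    ],
)

if __name__ == "__main__":
    print(evaluate(EXAMPLE_POLICY, Message("x@example.biz", "mail enhancement", "")))
    print(evaluate(EXAMPLE_POLICY, Message("a@example.com", "pics", "",
                                           [Attachment("photos.zip", 10)])))
```

The first call in the usage block is the case the text singles out: the sender's domain is rejected, so the message is deleted even though its subject would otherwise have matched the Hold keyword rule.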
Configuring SMTP Message Screener Logging
The ISA Server 2004 firewall keeps a separate log for messages that are processed by the SMTP Message Screener. This log provides valuable information regarding the messages that were blocked by the Message Screener and why they were blocked.
Perform the following steps to configure the SMTP Message Screener logging feature:
In the Microsoft Internet Security and Acceleration Server 2004 management console, click the Monitoring node in the left pane of the console.
In the Monitoring node, click the Logging tab in the Details Pane.
Click the Tasks tab in the Task Pane. On the Tasks tab, click the Configure SMTP Message Screener Logging link.
In the SMTP Message Screener Logging Properties dialog box, click the Log tab. Note that the only logging method available is File. This option creates a text-based log file. Select the ISA Server file format option from the Format list. This allows the log to use local time in the log files. Confirm that there is a checkmark in the Enable logging for this service checkbox. (See Figure 10.10.)

Figure 10.10: The Log Tab
Click the Options button. The default location for the logs is in the ISALogs folder on the local hard disk. Make a note of the options in the Log file storage limits frame. Note that the text log files are compressed by default, using NTFS compression. Accept the defaults and click Cancel. (See Figure 10.11.)

Figure 10.11: The Options Dialog Box
Click Apply and then click OK in the SMTP Message Screener Logging Properties dialog box.
Table 10.1 lists the SMTP service log fields and the nature of the information recorded in each. When a field is disabled in the SMTP Message Screener log, a dash '-' will appear in that field when ISA Server log format is used. If W3C format is used, the field will not appear. The Field column indicates the position of that field when using the ISA Server log file format (the position is important to note because there is no 'directive' or column header in the log indicating what that field is logging).
Field | W3C | Description |
---|---|---|
1 | date | The date that the logged event occurred. |
2 | time | The time that the logged event occurred. In W3C format, this is in Coordinated Universal Time (UTC). |
3 | cs-sender | The sender name, as specified in the 'MAIL FROM:' SMTP header. Limited to 72 characters. |
4 | cs-recipient | The list of recipients, as specified in the 'RCPT TO:' SMTP header. Limited to 72 characters. |
5 | cs-subject | The message subject. Limited to 72 characters. |
6 | cs-messageid | The ID of the message. The ID is either the unique message ID generated by the sender, or the ID automatically assigned by the Windows SMTP service when the message is received. Limited to 72 characters. |
7 | x-action | The action that ISA Server took. One of: Delete (the message is deleted); Hold (the message is stored in the BADMAIL queue); Forward (the message is forwarded to a different recipient, not the recipient specified in the original message); Pass (the message is sent to the recipients specified in cs-recipient). |
8 | x-reason | The reason why ISA Server executed the action (x-action). The possible reasons are listed following the table. |
Possible values of the x-reason field:
Some message properties could not be read. Taking default action. (The default action is Hold.)
Policy rule stamp could not be found in the message. Taking default action. (The default action is Hold.) The policy rule stamp is a marker that ISA Server puts in the message to let the Message Screener know which rule should be applied to it. This reason is generated if the message did not pass through the SMTP application filter before being passed to the SMTP Message Screener.
Logger is not initialized yet. Taking default action. (The default action is Hold.)
Policy rule could not be read. Taking default action. (The default action is Hold.)
Failed while trying to forward the message. The specific error code is also listed here.
The SMTP Message Screener policy rule does not allow messages from sender.
The SMTP Message Screener policy rule does not allow attachment.
The SMTP Message Screener policy rule does not allow attachment extension.
The SMTP Message Screener policy rule does not allow attachments of specified size.
The SMTP Message Screener policy rule does not allow messages with specified subject.
The SMTP Message Screener policy rule does not allow messages with specified message body.
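Because the ISA Server file format carries no column header, anything that reads the Message Screener log has to rely on the field positions in Table 10.1 and on the dash that marks a disabled field. The Python below is an added example, not code from the chapter or from ISA Server: it parses lines in that positional layout, counts actions and block reasons, and separately lists messages that were held because no policy rule stamp was found, which the table says indicates mail that reached the Message Screener without passing through the SMTP filter. It assumes the fields are tab-separated, and the log lines it runs over are constructed for the example.

```python
"""
Parser and summarizer for SMTP Message Screener log lines in the ISA
Server file format of Table 10.1. Added example, not ISA Server code.
ASSUMPTION: fields are tab-separated, in the positional order of the table.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Positional fields of the ISA Server format; the file has no header line,
# so position is the only way to know what a field holds.
FIELD_NAMES = ("date", "time", "cs-sender", "cs-recipient", "cs-subject",
               "cs-messageid", "x-action", "x-reason")
ACTIONS = {"Delete", "Hold", "Forward", "Pass"}
STAMP_MISSING = "Policy rule stamp could not be found in the message"


@dataclass
class ScreenerRecord:
    date: str
    time: str
    sender: Optional[str]
    recipient: Optional[str]
    subject: Optional[str]
    message_id: Optional[str]
    action: str
    reason: Optional[str]


def _field(value: str) -> Optional[str]:
    # A disabled field is written as a single dash in ISA Server format.
    return None if value == "-" else value


def parse_line(line: str) -> ScreenerRecord:
    """Parse one ISA Server format line; raise ValueError on malformed input."""
    parts = line.rstrip("\r\n").split("\t")
    if len(parts) != len(FIELD_NAMES):
        raise ValueError(f"expected {len(FIELD_NAMES)} fields, got {len(parts)}")
    action = parts[6]
    if action not in ACTIONS:
        raise ValueError(f"unknown x-action {action!r}")
    return ScreenerRecord(parts[0], parts[1], _field(parts[2]), _field(parts[3]),
                          _field(parts[4]), _field(parts[5]), action, _field(parts[7]))


def summarize(lines: Iterable[str]) -> Tuple[Counter, Counter]:
    """Count actions, and count the x-reason of every message that was not passed."""
    actions: Counter = Counter()
    reasons: Counter = Counter()
    for line in lines:
        if not line.strip():
            continue
        rec = parse_line(line)
        actions[rec.action] += 1
        if rec.action != "Pass":
            reasons[rec.reason or "(x-reason field disabled)"] += 1
    return actions, reasons


def unstamped_messages(lines: Iterable[str]) -> List[str]:
    """IDs of messages held because no policy rule stamp was present.

    Table 10.1 ties this reason to mail that did not pass through the SMTP
    filter first, so a non-empty result means mail is reaching the relay by
    a path other than the SMTP Server Publishing Rule and is worth a look.
    """
    recs = (parse_line(l) for l in lines if l.strip())
    return [r.message_id or "(no id)" for r in recs
            if r.reason and r.reason.startswith(STAMP_MISSING)]


# Constructed sample lines, tab-separated, in the field order of Table 10.1.
SAMPLE_LOG = [
    "\t".join(["2004-07-14", "09:12:03", "alice@example.com", "admin@internal.net",
               "Quarterly report", "<a1@example.com>", "Pass", "-"]),
    "\t".join(["2004-07-14", "09:12:41", "promo@example.net", "admin@internal.net",
               "Free mail enhancement", "<b2@example.net>", "Hold",
               "The SMTP Message Screener policy rule does not allow messages with specified subject"]),
    "\t".join(["2004-07-14", "09:13:05", "bob@example.org", "admin@internal.net",
               "pics", "<c3@example.org>", "Forward",
               "The SMTP Message Screener policy rule does not allow attachment extension"]),
    "\t".join(["2004-07-14", "09:13:37", "-", "admin@internal.net", "-",
               "<d4@example.com>", "Hold",
               "Policy rule stamp could not be found in the message. Taking default action."]),
    "\t".join(["2004-07-14", "09:14:10", "noreply@example.biz", "admin@internal.net",
               "hello", "<e5@example.biz>", "Delete",
               "The SMTP Message Screener policy rule does not allow messages from sender"]),
]

if __name__ == "__main__":
    acts, why = summarize(SAMPLE_LOG)
    print("actions:", dict(acts))
    print("reasons:", dict(why))
    print("unstamped:", unstamped_messages(SAMPLE_LOG))
```

Run on a real log, replace SAMPLE_LOG with the lines of a file from the ISALogs folder; the fourth sample line shows what a record looks like when the cs-sender and cs-subject fields have been disabled.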
The DNS Filter
The ISA firewall's DNS filter protects the DNS server published by the ISA firewall using Server Publishing Rules. You can access the configuration interface for the DNS filter's attack prevention configuration page in the Intrusion Detection dialog box. Expand the server name and then expand the Configuration node. Click the General node.
In the Details Pane, click the Enable Intrusion Detection and DNS Attack Detection link. In the Intrusion Detection dialog box, click the DNS Attacks tab. On the DNS Attacks tab, put a checkmark in the Enable detection and filtering of DNS attacks checkbox. (See Figure 10.12.)

Figure 10.12: The DNS Attacks Tab
Once detection is enabled, you can then enable prevention. You can protect yourself from three attacks:
DNS host name overflow
DNS length overflow
DNS zone transfer
The DNS host name overflow and DNS length overflow attacks are DNS denial-of-service (DoS) type attacks. The DNS DoS attack exploits the difference in size between a DNS query and a DNS response, in which all of the network's bandwidth is consumed by bogus DNS queries. The attacker uses the DNS servers as 'amplifiers' to multiply the DNS traffic.
The attacker begins by sending small DNS queries to each DNS server that contain the spoofed IP address (see IP Spoofing) of the intended victim. The responses returned to the small queries are much larger, so if a large number of responses are returned at the same time, the link will become congested and denial of service will take place.
One solution to this problem is for administrators to configure DNS servers to respond with a 'refused' response, which is much smaller than a name resolution response, when they receive DNS queries from suspicious or unexpected sources.
You can find detailed information for configuring DNS servers to prevent this problem in the U.S. Department of Energy's Computer Incident Advisory Capability information bulletin J-063, available at www.ciac.org/ciac/bulletins/j-063.shtml.
The POP Intrusion Detection Filter
The POP Intrusion Detection filter protects POP3 servers you publish via ISA firewall Server Publishing Rules from POP services buffer overflow attacks. There is no configuration interface for the POP Intrusion Detection filter.
The SOCKS V4 Filter
The SOCKS v4 filter is used to accept SOCKS version 4 connection requests from applications written to the SOCKS version 4 specification. Windows operating systems should never need to use the SOCKS filter because you can install the Firewall client on these machines to transparently authenticate to the ISA firewall and support complex protocol negotiation.
For hosts that cannot be configured as Firewall clients, such as Linux and Mac hosts, you can use the SOCKS v4 filter to support them. The SOCKS v4 filter is disabled by default. To enable the filter, open the Microsoft Internet Security and Acceleration Server 2004 management console, expand the server name, and then expand the Configuration node. Click the Add-ins node. In the Details Pane, right-click the SOCKS V4 filter and click Enable.
You will need to configure the SOCKS V4 filter to listen on the specific network(s) for which you want it to accept connections. Double-click the SOCKS V4 filter. In the SOCKS V4 Filter Properties dialog box, click the Networks tab. On the Networks tab, you can configure the Port on which the SOCKS filter listens for SOCKS client connections. Next, put a checkmark in the checkbox next to the network for which you want the SOCKS filter to accept connections. Click Apply and then click OK. (See Figure 10.13.)

Figure 10.13: The SOCKS V4 Filter Properties Dialog Box
The SOCKS v4 filter supports SOCKS v4.3 client applications. The SOCKS filter is a generic sockets filter that supports all client applications designed to the SOCKS v4.3 specification. The SOCKS filter performs duties similar to those performed by the Firewall client. However, there are some significant differences between how SOCKS and the Firewall client work:
The Firewall client is a generic Winsock Proxy client application. All applications designed to the Windows Sockets specification will automatically use the Firewall client.
The SOCKS filter supports applications written to the SOCKS v4.3 specification.
When the Firewall client is installed on the client machine, all Winsock applications automatically use the Firewall client, and user credentials are automatically sent to the ISA firewall. In addition, the Firewall client will work with the ISA firewall service to manage complex protocols that require secondary connections (such as FTP, MMS, and many others).
The SOCKS client must be configured on a per-application basis. Each application must be explicitly configured to use the ISA firewall as its SOCKS server. When the application is configured to use the ISA firewall as its SOCKS server, the SOCKS filter will manage complex protocols for the SOCKS client application.
The SOCKS 4.3a filter included with the ISA firewall does not support authentication. SOCKS 5 introduced the capability to authenticate the client application that attempts to access content through the SOCKS proxy.
We always recommend that you use the Firewall client because of the significant advantage it provides: the ability to authenticate all Winsock connections made through the ISA firewall. However, SOCKS is a good 'second best' when you cannot install the Firewall client.
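The chapter names the SOCKS version 4 specification without reproducing it, and the reason the SOCKS V4 filter cannot authenticate is easiest to see on the wire. The Python below is an added example, not ISA Server code: it parses the SOCKS4 connection request (version, command, destination port and address, NUL-terminated USERID) and the SOCKS4a variant that carries a hostname, and builds the reply. The request bytes are constructed, and the decide function is a stand-in for a filter's policy, included only to show that the USERID field plays no part in the decision because the client chooses it freely.

```python
"""
SOCKS version 4 / 4a request parser and reply builder. Added example, not
ISA Server code; the wire layout follows the SOCKS4 and SOCKS4a specs.
"""
import struct
from dataclasses import dataclass
from typing import Optional, Tuple

SOCKS_VERSION = 4
CD_CONNECT, CD_BIND = 1, 2
REPLY_GRANTED, REPLY_REJECTED = 90, 91


@dataclass
class Socks4Request:
    command: int
    port: int
    ip: str                  # dotted quad; "0.0.0.x" when a hostname follows (SOCKS4a)
    userid: str              # asserted by the client, never verified by the server
    hostname: Optional[str] = None


def parse_request(data: bytes) -> Socks4Request:
    """Parse VN(1) CD(1) DSTPORT(2) DSTIP(4) USERID NUL [HOSTNAME NUL]."""
    if len(data) < 9:
        raise ValueError("request too short")
    vn, cd, port, ip_raw = struct.unpack("!BBH4s", data[:8])
    if vn != SOCKS_VERSION:
        raise ValueError(f"not a SOCKS4 request (VN={vn})")
    if cd not in (CD_CONNECT, CD_BIND):
        raise ValueError(f"unknown command {cd}")
    rest = data[8:]
    nul = rest.find(b"\x00")
    if nul < 0:
        raise ValueError("USERID is not NUL-terminated")
    userid = rest[:nul].decode("ascii", "replace")
    rest = rest[nul + 1:]
    hostname = None
    # SOCKS4a: an address of 0.0.0.x (x != 0) means a hostname follows USERID.
    if ip_raw[:3] == b"\x00\x00\x00" and ip_raw[3] != 0:
        nul = rest.find(b"\x00")
        if nul < 0:
            raise ValueError("SOCKS4a hostname is not NUL-terminated")
        hostname = rest[:nul].decode("ascii", "replace")
        rest = rest[nul + 1:]
    if rest:
        raise ValueError("trailing bytes after request")
    ip = ".".join(str(b) for b in ip_raw)
    return Socks4Request(cd, port, ip, userid, hostname)


def build_reply(granted: bool, port: int = 0, ip: str = "0.0.0.0") -> bytes:
    """Reply is VN(0) CD(90 granted / 91 rejected) DSTPORT(2) DSTIP(4)."""
    code = REPLY_GRANTED if granted else REPLY_REJECTED
    return struct.pack("!BBH4s", 0, code, port, bytes(int(o) for o in ip.split(".")))


def decide(req: Socks4Request, allowed_ports: Tuple[int, ...] = (80, 443)) -> bytes:
    """Hypothetical policy: grant CONNECT to allowed ports. USERID is ignored
    on purpose: a SOCKS4 server has no means of verifying who sent it."""
    granted = req.command == CD_CONNECT and req.port in allowed_ports
    return build_reply(granted, req.port, req.ip)


# Constructed requests: CONNECT to 192.0.2.10:80 as "alice", and a SOCKS4a
# CONNECT to www.example.com:80 as "bob".
SAMPLE_CONNECT = bytes([4, 1, 0, 80, 192, 0, 2, 10]) + b"alice\x00"
SAMPLE_CONNECT_4A = bytes([4, 1, 0, 80, 0, 0, 0, 1]) + b"bob\x00" + b"www.example.com\x00"

if __name__ == "__main__":
    for raw in (SAMPLE_CONNECT, SAMPLE_CONNECT_4A):
        req = parse_request(raw)
        print(req, "->", decide(req).hex())
```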
The FTP Access Filter
The FTP Access filter is used to mediate FTP connections between Protected Network clients and FTP servers on the Internet, and from external hosts and published FTP servers. The FTP Access filter supports both PASV and PORT (passive and standard) mode FTP connections.
The FTP Access filter is required for SecureNAT clients because FTP uses secondary connections for PORT-mode FTP connections. FTP is a complex protocol that requires outbound connections from the FTP PORT-mode client and new secondary inbound connections from the FTP server. While the Firewall client does not require application filter support for secondary connections, SecureNAT clients do require application layer filter support, which is why the ISA firewall dev team included the FTP Access application filter.
Note: If you plan to support PORT-mode FTP client connections, make sure that IP Routing is enabled on the ISA firewall (the default setting). When IP Routing is enabled, the secondary connections are handled in kernel mode rather than user mode. This kernel-mode handling of the secondary connections (which are data transfers from the FTP server to the FTP client) will significantly increase performance.
Stefaan Pouseele, an ISA Server MVP, has written an excellent article on the FTP protocol and how FTP challenges firewall security. Check out his article, How the FTP Protocol Challenges Firewall Security at http://isaserver.org/articles/How_the_FTP_protocol_Challenges_Firewall_Securityl.
There is no configuration interface for the FTP Access filter.
The H.323 Filter
The H.323 filter is used to support H.323 connections through the ISA firewall. To configure the H.323 filter, open the Microsoft Internet Security and Acceleration Server 2004 management console and expand the server name. Next, expand the Configuration node and click the Add-ins node. Double-click the H.323 Filter entry in the Details Pane.
In the H.323 Filter Properties dialog box, click the Call Control tab (see Figure 10.14). You have the following options:
Use this Gatekeeper
Use DNS gateway lookup and LRQs for alias resolution
Allow audio
Allow video
Allow T120 and application sharing

Figure 10.14: The Call Control Tab
Click the Networks tab. On the Networks tab, put a checkmark in the checkbox to the left of the networks on which you want the H.323 filter to accept connections requests. (See Figure 10.15.)

Figure 10.15: The Networks Tab
The MMS Filter
The MMS filter supports Microsoft Media Services connections through the ISA firewall for Access Rules and Server Publishing Rules. The MMS filter is an access filter that allows SecureNAT client access to the complex protocols and secondary connections required to connect to Microsoft Media Services hosted content. Firewall clients do not require the help of the MMS filter to connect to MMS servers. There is no configuration interface for the MMS filter.
The PNM Filter
The PNM filter supports connections for the Progressive Networks Media Protocol from Real Networks. The PNM filter is an access filter allowing SecureNAT client access to the complex protocols and secondary connection required to connect to Progressive Networks Media servers. There is no configuration interface for the PNM filter.
The PPTP Filter
The PPTP filter supports PPTP connections through the ISA firewall for outbound connections made through Access Rules and inbound connections made through Server Publishing Rules. The ISA firewall's PPTP filter differs from the ISA Server 2000 PPTP filter in that it supports both inbound and outbound PPTP connections. The ISA Server 2000 PPTP filter only supports outbound PPTP connections.
The PPTP filter is required by both SecureNAT and Firewall clients. In fact, a machine located on an ISA firewall protected network must be configured as a SecureNAT client to use the PPTP filter to connect to PPTP VPN servers through the ISA firewall. The reason for this is that the Firewall client does not mediate non-TCP/UDP protocols. The PPTP VPN protocol requires the use of the Generic Routing Encapsulation (GRE) protocol (IP Protocol 47) and TCP protocol 1723. The TCP session is used by PPTP for tunnel management.
When the outbound access to the PPTP protocol is enabled, the PPTP filter automatically intercepts the GRE and TCP connections made by the PPTP VPN client. You do not need to create an Access Rule allowing outbound access to TCP 1723 for VPN clients.
The RPC Filter
The RPC filter is used to mediate RPC connections to servers requiring Remote Procedure Calls (RPCs) for both outbound connections using Access Rules and inbound connections using Server Publishing Rules. This includes secure Exchange RPC publishing.
There is no configuration interface for the RPC filter.
The RTSP Filter
The RTSP filter supports Microsoft Real Time Streaming Protocol connections through the ISA firewall for Access Rules and Server Publishing Rules. The RTSP filter is an access filter that allows SecureNAT client access to the complex protocols and secondary connections required to connect to Microsoft Real Time Streaming Protocol hosted content (such as that on Windows Server 2003 Microsoft Media Servers). Firewall clients do not require the help of the MMS filter to connect to MMS servers.
There is no configuration interface for the RTSP filter.