Use ISA Server 2004 to restrict applications' Internet access
PROBLEM: Differences in user needs make it difficult to block application access to the Internet, but allowing such access across the board opens your network to malicious activity
SOLUTION: Use an ISA Server 2004 firewall to lock down application access
WHAT YOU NEED: ISA Server 2004 Standard Edition or Enterprise Edition, installed on a server that has two or more network interface cards; Web browsers that can be configured to use a Web proxy server; Firewall client for ISA Server 2004
DIFFICULTY: 2 out of 5
The challenge: You need to block certain network applications from accessing the Internet, according to your company's network-use policy. The complication: Some users or groups have a legitimate need for Internet access through those applications. The solution: Deploy a Microsoft Internet Security and Acceleration (ISA) Server 2004 firewall to obtain granular control over the applications and services that users can access through the firewall.
The ISA firewall includes and supports several technologies that you can use to control which applications, protocols, and servers users on an ISA firewall-protected network can access. The ISA firewall provides the advantages of both stateful packet and application-layer inspection. The firewall's stateful packet inspection feature enables it to stop attacks at the network and transport layers of the TCP/IP protocol stack. ISA Server's application-layer inspection capabilities enable the firewall to control network access at the application layer. The ISA firewall can perform application-layer inspection through both proxied (Web and Winsock) and non-proxied connections.
You can configure the ISA firewall to enable Internet access for network applications for some users, while blocking that same access for other users. This solves the problem of differential access requirements for different users and groups and also gives you the means to create a strong audit trail to track which users use which applications to connect to which sites at which time of day. You can use three methods in particular to obtain a high level of access control over application access through the firewall:
Use Access Rules to Block Application Access to Dangerous Sites
Access rules control outbound access through the ISA firewall. The concept of outbound access through an ISA Server 2004 firewall is a bit different than in earlier ISA firewalls because ISA Server 2004 firewalls have no concept of a trusted network. The idea of outbound access from an internal, trusted network to an external, untrusted network no longer applies. In ISA Server 2004, outbound access is always configured through access rules; inbound access is always configured through Web or server publishing rules. Access rules control application access through the firewall based on the following parameters:
Access rules are useful when applications (such as HTTPTunnel) require access to specific port numbers or servers. For example, there's a class of applications that malicious entities can use to subvert firewall and network-usage policy by tunneling other application protocols in an HTTP header, making HTTP the transport for the tunneled application protocol. An HTTP header can be used to encapsulate protocols such as Internet Relay Chat (IRC), Network News Transfer Protocol (NNTP), POP3, and SMTP. These application protocols then can be used to transfer data to and from the corporate network when a firewall is configured to allow outbound connections to TCP port 80 (the standard Web port) or 443 (the secure Web port).
You can use the ISA firewall to stop the use of dangerous HTTP tunneling applications by preventing connections to well-known HTTP tunneling proxy gateways. This method stops connections to the third-party application gateway and stops users from using an otherwise unapproved protocol.
Blocking access to these HTTP tunneling proxies also solves another problem. Tunneling applications often use Secure Sockets Layer (SSL)/ Transport Layer Security (TLS) encryption to prevent HTTP filtering firewalls such as the ISA firewall from inspecting application headers in outbound HTTP communications. (The ISA firewall can perform HTTP inspection on inbound SSL encrypted sessions but it can't inspect outbound SSL sessions.)
The following example uses an access rule to block connections to an HTTP tunneling proxy named www.httptunnel.com.
The ISA firewall evaluates access rules from the top down. In general, you should place Deny rules above Allow rules so that you don't inadvertently allow a connection you want to block. Consider moving the new rule you just created to the top of your rules list. At the very least, move the rule above any other rule that includes the HTTP protocol.
Use the HTTP Security Filter to Block Unapproved Web-Enabled Applications
You can use the ISA firewall's HTTP Security Filter to inspect virtually any characteristic of an outbound HTTP communication that isn't SSL encrypted and to block the connection according to information in the HTTP application layer protocol stream. The major advantage of using the HTTP Security Filter is that ISA Server places filter controls on allow rules. Therefore, you can allow HTTP traffic to approved locations but block suspicious communications moving though the otherwise approved channel.
The HTTP Security Filter is especially helpful in blocking communications from peer-to-peer (P2P) applications that use HTTP. Many companies want to enable outbound HTTP communications through the firewall without limiting the sites that users can access—but don't want P2P applications to use HTTP to access the Internet. You can use the HTTP Security Filter to block P2P applications while still giving HTTP access to other applications.
The next example blocks outbound TCP port 80 access to the Kazaa client.
Remember that the ISA firewall applies firewall policy from the top down. Even though this is an Allow rule, it will block HTTP connections that include the string that the signature specifies. Therefore, you should place this access rule above any other Allow access rules.
You can use a network analyzer to perform a packet trace and discover HTTP headers for the applications you want to block. Before doing so, you might want to look at Microsoft's published list of common application signatures (http://www.microsoft.com/technet/prodtechnol/isa/2004/plan/common applicationsignatures.mspx). You can also visit Jim Harrison's ISA Server Tools Repository (http://www.isatools.org) to download scripts that will automatically configure your HTTP Security Filter to protect against common exploits.
Use the ISA Server 2004 Firewall Client to Block Unapproved Applications
The Firewall client is a generic Winsock proxy client. In contrast to SOCKS proxies, which require you to configure each application with the address and port of the SOCKS proxy, the Firewall client transparently accepts Winsock calls from all Winsock-enabled network applications.
The Firewall client intercepts all Winsock calls from Winsock applications and forwards those calls to the ISA firewall according to the Firewall client settings. These settings are managed centrally on the ISA firewall device and include
In addition to transparently proxying connections from Firewall client machines to the ISA firewall, the Firewall client also sends user credentials through an encrypted channel to the ISA firewall for granular user- or group-based control over all Winsock application connections that occur through the firewall. You can make your network routing infrastructure transparent to the Firewall client-enabled device, which needs know only the route to the IP address of the ISA firewall system. When you do so, you don't need to enable or change a route of last resort on your network routers.
First, let's look at how to prevent applications (in this example, Kazaa Lite) from using the Firewall client to access resources through the ISA firewall.
The changes take effect immediately on the ISA firewall but can take as long as 6 hours to propagate to the Firewall client systems on your network. If you don't want to wait for the automatic refresh of the Firewall client settings, you can manually update the settings by using the Firewall client application-on the Firewall client computer, or you can restart the Firewall client agent.
Another way to leverage the Firewall client to block applications and worms on a global basis is to block selected ports for all applications. This capability prevents any connection for the specified ports from being remoted to the ISA firewall. Blocking selected ports for all applications is especially helpful in blocking traffic from network worms that don't have a predictable application name. For example, the MyDoom worm, which assigns itself a random application name. Because of this behavior, you can't use the name of a specific application to block outgoing connections from MyDoom-infected Firewall client devices. However, because we know that MyDoom uses TCP ports 3127 to 3198 to spread itself to other devices over the network, you can configure the Firewall client settings to prevent the Firewall client from remoting connections to the ISA firewall for all applications that attempt to use one of these ports. You can use this type of configuration to prevent the spread of worms through the firewall and to prevent worms from creating a possible Denial of Service (DOS) condition at the firewall.
The next example globally configures Firewall clients to block selected ports.
A Powerful Combination
You can get very fine-tuned control over application access by combining the power of ISA Server 2004 access rules, HTTP security filter, and centralized Firewall client configuration. At the same time, you can protect your network and workstations from malicious code that might other through the ISA firewall.