Solution Snapshot
PROBLEM: Differences in user needs make it difficult to block application access to the Internet, but allowing such access across the board opens your network to malicious activity
SOLUTION: Use an ISA Server 2004 firewall to lock down application access
WHAT YOU NEED: ISA Server 2004 Standard Edition or Enterprise Edition, installed on a server that has two or more network interface cards; Web browsers that can be configured to use a Web proxy server; Firewall client for ISA Server 2004
DIFFICULTY: 2 out of 5
SOLUTION STEPS:

  1. Use access rules to block application access to dangerous sites
  2. Use the HTTP Security Filter to block unapproved Web-enabled applications
  3. Use the ISA Server 2004 Firewall client to block unapproved applications

The challenge: You need to block certain network applications from accessing the Internet, according to your company's network-use policy. The complication: Some users or groups have a legitimate need for Internet access through those applications. The solution: Deploy a Microsoft Internet Security and Acceleration (ISA) Server 2004 firewall to obtain granular control over the applications and services that users can access through the firewall.

The ISA firewall includes and supports several technologies that you can use to control which applications, protocols, and servers users on an ISA firewall-protected network can access. The ISA firewall provides the advantages of both stateful packet and application-layer inspection. The firewall's stateful packet inspection feature enables it to stop attacks at the network and transport layers of the TCP/IP protocol stack. ISA Server's application-layer inspection capabilities enable the firewall to control network access at the application layer. The ISA firewall can perform application-layer inspection through both proxied (Web and Winsock) and non-proxied connections.

You can configure the ISA firewall to enable Internet access for network applications for some users, while blocking that same access for other users. This solves the problem of differential access requirements for different users and groups and also gives you the means to create a strong audit trail to track which users use which applications to connect to which sites at which time of day. You can use three methods in particular to obtain a high level of access control over application access through the firewall:

  • Method 1: Use access rules to block application access to dangerous sites
  • Method 2: Use the HTTP Security Filter to block unapproved Web-enabled applications
  • Method 3: Use the ISA Server 2004 Firewall client to block unapproved applications

METHOD 1:
Use Access Rules to Block Application Access to Dangerous Sites

Access rules control outbound access through the ISA firewall. The concept of outbound access through an ISA Server 2004 firewall is a bit different than in earlier ISA firewalls because ISA Server 2004 firewalls have no concept of a trusted network. The idea of outbound access from an internal, trusted network to an external, untrusted network no longer applies. In ISA Server 2004, outbound access is always configured through access rules; inbound access is always configured through Web or server publishing rules. Access rules control application access through the firewall based on the following parameters:

  • the source IP address of the host making the request
  • the destination address or Fully Qualified Domain Name (FQDN) of the requested resource
  • the source and destination port included in the request
  • the user making the request
  • the time of day that the request is made

Access rules are useful when applications (such as HTTPTunnel) require access to specific port numbers or servers. For example, there's a class of applications that malicious entities can use to subvert firewall and network-usage policy by tunneling other application protocols in an HTTP header, making HTTP the transport for the tunneled application protocol. An HTTP header can be used to encapsulate protocols such as Internet Relay Chat (IRC), Network News Transfer Protocol (NNTP), POP3, and SMTP. These application protocols then can be used to transfer data to and from the corporate network when a firewall is configured to allow outbound connections to TCP port 80 (the standard Web port) or 443 (the secure Web port).

You can use the ISA firewall to stop the use of dangerous HTTP tunneling applications by preventing connections to well-known HTTP tunneling proxy gateways. This method stops connections to the third-party application gateway and stops users from using an otherwise unapproved protocol.

Blocking access to these HTTP tunneling proxies also solves another problem. Tunneling applications often use Secure Sockets Layer (SSL)/ Transport Layer Security (TLS) encryption to prevent HTTP filtering firewalls such as the ISA firewall from inspecting application headers in outbound HTTP communications. (The ISA firewall can perform HTTP inspection on inbound SSL encrypted sessions but it can't inspect outbound SSL sessions.)

The following example uses an access rule to block connections to an HTTP tunneling proxy named www.httptunnel.com.

  1. Open the Microsoft Management Console (MMC) ISA Server Management snap-in, rightclick the Firewall Policy node in the left-hand pane, and select New, Access Rule. Name the access rule, then click Next.
  2. On the Rule Action page, select Deny, then click Next.
  3. On the Protocols page, accept the default setting (All outbound traffic) and click Next.
  4. On the Access Rule Sources page, click Add. In the Add Network Entities dialog box, click the Network Sets folder, then double-click All Protected Networks. Click Close, then click Next.
  5. On the Access Rule Destinations page, click Add. In the Add Network Entities dialog box, click New, then click Domain Name Set.
  6. In the New Domain Name Set Policy Element dialog box (which Figure 1 shows), enter a name for the set—HTTP Tunneling Sites, in this example. To block other HTTP tunneling sites in the future, you can use this domain name set and add multiple domains. Click New, then type the first name of the first domain you want to block (httptunnel.com) and press Enter. Click New and enter the name of the next domain (*.httptunnel.com) and press Enter. (You need to create both entries because the wildcard blocks only hosts and subdomains of httptunnel.com.)
  7. Click the Domain Name Sets folder. Double-click the HTTP Tunneling Sites entry. In the Add Network Entities dialog box click Close. Click Next.
  8. On the User Sets page, accept the default entry and click Next.
  9. On the Completing the New Access Rule Wizard page, click Finish, then click Apply to save the changes to the firewall policy.

The ISA firewall evaluates access rules from the top down. In general, you should place Deny rules above Allow rules so that you don't inadvertently allow a connection you want to block. Consider moving the new rule you just created to the top of your rules list. At the very least, move the rule above any other rule that includes the HTTP protocol.

METHOD 2:
Use the HTTP Security Filter to Block Unapproved Web-Enabled Applications
You can use the ISA firewall's HTTP Security Filter to inspect virtually any characteristic of an outbound HTTP communication that isn't SSL encrypted and to block the connection according to information in the HTTP application layer protocol stream. The major advantage of using the HTTP Security Filter is that ISA Server places filter controls on allow rules. Therefore, you can allow HTTP traffic to approved locations but block suspicious communications moving though the otherwise approved channel.

The HTTP Security Filter is especially helpful in blocking communications from peer-to-peer (P2P) applications that use HTTP. Many companies want to enable outbound HTTP communications through the firewall without limiting the sites that users can access—but don't want P2P applications to use HTTP to access the Internet. You can use the HTTP Security Filter to block P2P applications while still giving HTTP access to other applications.

The next example blocks outbound TCP port 80 access to the Kazaa client.

  1. Use the method described in the first example to create an access rule that allows outbound HTTP access.
  2. Right click the new access rule and select Configure HTTP.
  3. In the Configure HTTP policy for rule dialog box, go to the Signatures tab and click Add.
  4. In the Signature dialog box (which Figure 2 shows), enter a name for the signature—Kazaa Req header #1, in this example—and an optional Description. Select Request headers from the Search in drop-down list. Type P2P-Agent in the HTTP header text box, then type Kazaa in the Signature box. Click OK.
  5. In the HTTP policy for rule dialog box, click OK, then click Apply to save the changes to the firewall policy.

Remember that the ISA firewall applies firewall policy from the top down. Even though this is an Allow rule, it will block HTTP connections that include the string that the signature specifies. Therefore, you should place this access rule above any other Allow access rules.

You can use a network analyzer to perform a packet trace and discover HTTP headers for the applications you want to block. Before doing so, you might want to look at Microsoft's published list of common application signatures (http://www.microsoft.com/technet/prodtechnol/isa/2004/plan/common applicationsignatures.mspx). You can also visit Jim Harrison's ISA Server Tools Repository (http://www.isatools.org) to download scripts that will automatically configure your HTTP Security Filter to protect against common exploits.

METHOD 3:
Use the ISA Server 2004 Firewall Client to Block Unapproved Applications

The Firewall client is a generic Winsock proxy client. In contrast to SOCKS proxies, which require you to configure each application with the address and port of the SOCKS proxy, the Firewall client transparently accepts Winsock calls from all Winsock-enabled network applications.

The Firewall client intercepts all Winsock calls from Winsock applications and forwards those calls to the ISA firewall according to the Firewall client settings. These settings are managed centrally on the ISA firewall device and include

  • which applications the Firewall client handles
  • which destinations the Firewall client should handle
  • Which destination ports the Firewall client shouldn't proxy

In addition to transparently proxying connections from Firewall client machines to the ISA firewall, the Firewall client also sends user credentials through an encrypted channel to the ISA firewall for granular user- or group-based control over all Winsock application connections that occur through the firewall. You can make your network routing infrastructure transparent to the Firewall client-enabled device, which needs know only the route to the IP address of the ISA firewall system. When you do so, you don't need to enable or change a route of last resort on your network routers.

First, let's look at how to prevent applications (in this example, Kazaa Lite) from using the Firewall client to access resources through the ISA firewall.

  1. In the ISA Server Management console, expand the server name in the left-hand pane, then expand the Configuration node. Click the General node, then click the Define Firewall Client Settings link in the middle pane.
  2. In the Firewall Client Settings dialog box, go to the Application Settings tab, then click New.
  3. Type the name of the application executable (e.g., KazaaLite) in the Application text box, as Figure 3 shows. Select Disable from the Key drop-down list and set the Value to 1 (1 enables the setting, 0 disables it). Click OK, then click Apply to save the changes to the firewall policy.

The changes take effect immediately on the ISA firewall but can take as long as 6 hours to propagate to the Firewall client systems on your network. If you don't want to wait for the automatic refresh of the Firewall client settings, you can manually update the settings by using the Firewall client application-on the Firewall client computer, or you can restart the Firewall client agent.

Another way to leverage the Firewall client to block applications and worms on a global basis is to block selected ports for all applications. This capability prevents any connection for the specified ports from being remoted to the ISA firewall. Blocking selected ports for all applications is especially helpful in blocking traffic from network worms that don't have a predictable application name. For example, the MyDoom worm, which assigns itself a random application name. Because of this behavior, you can't use the name of a specific application to block outgoing connections from MyDoom-infected Firewall client devices. However, because we know that MyDoom uses TCP ports 3127 to 3198 to spread itself to other devices over the network, you can configure the Firewall client settings to prevent the Firewall client from remoting connections to the ISA firewall for all applications that attempt to use one of these ports. You can use this type of configuration to prevent the spread of worms through the firewall and to prevent worms from creating a possible Denial of Service (DOS) condition at the firewall.

The next example globally configures Firewall clients to block selected ports.

  1. In the ISA Server Management snap-in, expand the server name in the left-hand pane, then expand the Configuration node. Click the General node, then click the Define Firewall Client Settings link in the middle pane.
  2. In the Firewall Client Settings dialog box, go to the Application Settings tab, then click New.
  3. In the Application Entry Setting dialog box, enter an asterisk (*) in the Application box, as Figure 4 shows. Type DontRemoteOutboundTcpPorts in the Key text box, then in the Value box enter the ports you want to block, using a comma to separate each port number. (To prevent the Firewall client from proxying through specific UDP ports, you can use the DontRemoteOutboundUdpPorts key.) Click OK, then click Apply to save the changes to the firewall policy. Note that the ability to prevent remoting of specific ports for all applications is available only with ISA Server 2004 Enterprise Edition.

A Powerful Combination
You can get very fine-tuned control over application access by combining the power of ISA Server 2004 access rules, HTTP security filter, and centralized Firewall client configuration. At the same time, you can protect your network and workstations from malicious code that might other through the ISA firewall.