Exploring Firewall Policy Settings

The heart and soul of ISA functionality lies in the Firewall Policy settings. These settings control the behavior of ISA and how it responds to the traffic sent to it, and they are therefore very important. It is critical to understand the functionality and terminology of the Firewall Policy settings, or to risk a misconfiguration that could jeopardize the server’s security.

Examining the Firewall Policy Node

The Firewall Policy node, shown in Figure 3.12, contains several critical and commonly used tools in the ISA Console. The Central Details pane details the rules deployed on the server. The rules are, by default, sorted by the order in which they are applied, with the first rules applied at the top of the list. This concept, familiar to many who are used to working with other firewalls, is a new concept for ISA Server 2004; ISA 2000 did not apply rules in a logical order.

FIGURE 3.12 Viewing the Firewall Policy node.

In the Tasks pane on the right, three tabs are presented. The requisite Help tab displays common questions and help topics related to firewall policy. The Tasks tab contains a list of common tasks related to the node. Lastly, the Toolbox tab contains a very useful list of the elements in the ISA Server, such as network entities, content types, protocol descriptions, and the like.

Understanding Firewall Access Rules

A Firewall Access rule is simply a mechanism by which access is granted or denied for specific types of traffic through the ISA server. Rules are the means by which specific ports, applications, and other types of network traffic are either blocked or opened. If, for example, web access to the Internet is necessary for clients on the Internal network of an ISA configuration, a specific Firewall Access rule must be configured to allow this type of access.

In Figure 3.13, for example, several default rules that were created from the Network Template Wizard are illustrated.

FIGURE 3.13 Exploring sample firewall rules.

In this example, four rules control the flow of traffic and specify what is allowed and what is denied through the firewall. Each rule in the Central Details pane can be sorted by multiple variables, listed as follows:

  • Order  The order of the rule determines when it is processed. Whenever any type of traffic arrives at the ISA server, the firewall rules are applied in order, from lowest number to highest. If a match is made for the type of traffic, that firewall rule is processed and no further rules are parsed.
  • Name  Names of rules are displayed in the console to aid in the identification of what each rule does. Names chosen for rules should ideally indicate the rule’s function.
  • Action  The action of a rule is one of two choices: Allow or Deny. For obvious reasons, it is critical to ensure that the rules have this field set properly.
  • Protocols  The Protocols column displays to what common or custom-defined protocols the particular rule applies, such as HTTP, FTP, DNS, and others.
  • From/Listener  The From/Listener column displays the network or listener from which rule traffic will arrive. ISA examines only the traffic from this network when applying the rule.
  • To  The To column represents the destination of traffic. Only traffic sent to this network or set of networks will have the particular rule applied.
  • Condition  The Condition column allows for individual rules to only apply to particular users or groups of users. User granularity can be allowed only when the Firewall Client is deployed, so this is often simply set to All Users when the full client is not deployed.

Advanced information on configuring access rules can be found in Chapter 5.
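As an added example (not code from the book), the following Python models the first-match evaluation described above over the rule columns just listed, with a schedule attached to a rule as the Schedules toolbox allows, and adds a check for rules that an earlier rule shadows so that they can never fire. The rule names, network names, the hour-range schedule (a simplification of ISA's weekly schedules) and the fall-through deny are assumptions.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple
ANY = frozenset({"*"})  # wildcard: all protocols, All Networks, All Users

@dataclass(frozen=True)
class Rule:
    order: int
    name: str
    action: str                       # Action column: "Allow" or "Deny"
    protocols: FrozenSet[str]         # Protocols column
    src: FrozenSet[str]               # From/Listener column
    dst: FrozenSet[str]               # To column
    users: FrozenSet[str] = ANY       # Condition column ("*" = All Users)
    hours: Optional[Tuple[int, int]] = None  # Schedule (simplified): active when start <= hour < end

@dataclass(frozen=True)
class Traffic:
    protocol: str
    src: str
    dst: str
    user: str = "anonymous"  # only the Firewall Client supplies a user identity
    hour: int = 12

def _member(allowed, value):
    return "*" in allowed or value in allowed

def rule_matches(rule, t):
    """Every column must match: protocol, from, to, condition and schedule."""
    if not (_member(rule.protocols, t.protocol) and _member(rule.src, t.src)
            and _member(rule.dst, t.dst) and _member(rule.users, t.user)):
        return False
    return rule.hours is None or rule.hours[0] <= t.hour < rule.hours[1]

def evaluate(rules, t):
    """First match wins: walk the rules by Order and stop at the first that matches."""
    for rule in sorted(rules, key=lambda r: r.order):
        if rule_matches(rule, t):
            return rule.action, rule.name
    return "Deny", "Default rule"  # assumption: unmatched traffic falls through to deny

def _covers(a, b):
    """True when every value matched by set b is also matched by set a."""
    return "*" in a or ("*" not in b and b <= a)

def shadowed_rules(rules):
    """Names of rules that can never fire because an earlier rule matches all they match."""
    ordered = sorted(rules, key=lambda r: r.order)
    out = []
    for i, later in enumerate(ordered):
        if any(_covers(e.protocols, later.protocols) and _covers(e.src, later.src)
               and _covers(e.dst, later.dst) and _covers(e.users, later.users)
               and (e.hours is None or e.hours == later.hours) for e in ordered[:i]):
            out.append(later.name)
    return out

# Constructed sample policy, loosely modelled on the template rules in Figure 3.13.
RULES = [
    Rule(1, "Allow Web Access", "Allow", frozenset({"HTTP", "HTTPS", "FTP"}),
         frozenset({"Internal"}), frozenset({"External"})),
    Rule(2, "Maintenance Window", "Deny", ANY, frozenset({"Internal"}), ANY, hours=(1, 5)),
    Rule(3, "Allow DNS to Perimeter", "Allow", frozenset({"DNS"}),
         frozenset({"Internal"}), frozenset({"Perimeter"})),
    Rule(4, "Allow Admins HTTP", "Allow", frozenset({"HTTP"}),   # never fires: rule 1 shadows it
         frozenset({"Internal"}), frozenset({"External"}), users=frozenset({"Domain Admins"})),
]
```

Because rule 1 sits above the maintenance deny, HTTP from the Internal network is still allowed at 03:00; moving the deny to order 0 is what makes the schedule take effect.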

Examining Publishing Rules and the Concept of Reverse Proxy

A server publishing rule is more complex than a simple access rule, in that it lets the ISA Server stand in for a destination server, such as a web server, and act as a reverse proxy for client requests. A reverse proxy server is a bastion host that sits in front of the published server: every request passes through the reverse proxy itself, so the server is never addressed directly and is protected from direct attack.

ISA Server 2004 is commonly deployed for its reverse proxy capabilities, particularly its ability to secure web servers and Exchange Outlook Web Access (OWA). Through reverse proxy, clients on the Internet are directed to the external IP address of the ISA server, which they take to be the actual server for the services they require. In reality, ISA performs Network Address Translation (NAT), scans the traffic for exploits and threats at the Application layer, and forwards the traffic on to the real server. This greatly reduces the threat posed by having servers and services exposed to the Internet.

Server publishing rules in ISA Server allow for the secure publishing of SQL servers, Exchange servers, Web servers, SharePoint portal sites, RPC servers, and many other predefined options. For more information on configuring and using server publishing rules, see Chapters 5 and 7, "Deploying ISA Server as a Reverse Proxy into an Existing Firewall DMZ."

Understanding System Policy Rules and the System Policy Editor

System policies are often misunderstood or not taken into consideration, but they are a fundamental component of every ISA installation. System policies are essentially a default set of firewall policies that allow the ISA Server to perform various system functions. Without system policies in place, ISA would be unable to perform any network function at all, such as Windows Update, unless that function were specifically permitted in manually created firewall policies.

Basically speaking, system policies are really just firewall policies that have been preconfigured but are hidden from view. Because configuring all of them by hand would be time-consuming and onerous, these policies are created as part of the firewall installation. It is wise, however, to examine each of these policies to ensure that it is truly necessary for the role that the ISA server will play in the organization. To view the system policies, click the Show System Policy Rules link in the Tasks tab of the Firewall Policy node. Some of the default system policies are illustrated in Figure 3.14.

FIGURE 3.14 Viewing system policies.

To edit the system policy rules, right-click any one of the rules and click Edit System Policy. This displays the System Policy dialog box, as shown in Figure 3.15.

FIGURE 3.15 Editing the system policy.

The System Policy Editor allows for advanced configuration of the system policy rules in place on the server. It is here that particular types of system access can be enabled or denied, based on the organization’s particular security needs. For more information on editing the system policy, see Chapter 15, "Securing RPC Traffic."

Defining the Contents of the Firewall Policy Toolbox

The Firewall Policy toolbox, shown in Figure 3.16, is an extremely useful feature that organizes all the individual components of the firewall policies into one logical area. The toolbox is easily accessed by clicking the Toolbox tab in the Tasks pane.

FIGURE 3.16 Examining the Firewall Policy toolbox.

To examine individual items in the toolbox, click the down arrow to expand the particular section, such as Schedules or Users, and then select the object and click the Edit button. To create new objects, select the object container and click the New button.

The toolbox comprises the following elements:

  • Protocols  The Protocols toolbox contains a list of defined protocols that are used to communicate across networks. Common protocols such as DNS, HTTP, SMTP, POP, Telnet, MSN Messenger, and Ping are listed here, as well as more obscure protocols such as RIP, H.323, MMS, RTSP, and many others. By containing definitions for these protocols, you can easily configure ISA to create rules to block or allow them as necessary. In addition, you can create custom rules for protocols not in ISA’s default list by clicking the New button in the toolbox. For information on creating custom and advanced protocol support, see Chapter 15.
  • Users  The Users toolbox contains groupings of users that are useful for bulk application of firewall rules and other settings. The default groups created by ISA are All Authenticated Users, All Users, and System and Network Service. New groups can be created to logically organize different types of users to facilitate the creation of policies and rules. For more information on users and groups within ISA Server, refer to Chapter 11.
  • Content Types  The Content Types toolbox allows for different applications and files to be organized according to the type of content they are. For example, a file that is downloaded via the web may be an audio file, an image, text, video, or any of several other options. Files that are grouped by content type can be controlled more easily, giving the ISA administrator an easy way to perform such actions as not allowing specific types of dangerous executables or other file types to be accessed. For more information on configuring and creating Content Types, see Chapter 15.
  • Schedules  The Schedules toolbox allows custom time schedules to be created. This can be extremely useful when there are organization-specific schedules that need to be applied consistently across multiple rules. For example, a custom schedule could be created for scheduled maintenance, as the dialog box shown in Figure 3.17 illustrates. This schedule can then be applied to rules that deny connections during those periods of time.

    FIGURE 3.17 Creating a custom schedule.

  • Network Objects  The Network Objects toolbox is perhaps the most important and commonly used of the toolboxes. All the configured network-related objects are listed in it, such as Network Sets, Computer Sets, URL Sets, Address Ranges, and more. Even though the logical location for this toolbox would normally be under the Networks node, it has been placed with the rest of the toolboxes in the Firewall Policy node, so it is important to keep that distinction in mind when looking for network settings, such as the location and configuration of web listeners and subnets. More information on using the Network Objects toolbox, including step-by-step descriptions, can be found in Chapter 5.

The toolbox serves as a "one-stop-shop" for many configuration settings in ISA, and can make the life of an administrator much easier through the creation of custom schedules, content types, users, protocols, and network objects. For these reasons, it is highly advisable to become familiar with these options.
