Basic Concepts of ISA Server:
Each TCP/IP packet is made up of multiple components. The components correspond to the following four protocol layers:
Network Interface Layer. This layer handles placing TCP/IP packets on the network medium and receiving TCP/IP packets off the network medium. TCP/IP was designed to be independent of the network interface layer. The network interface layer header includes addressing information required for the physical devices connected to the network to communicate with each other.
Internet Layer. This layer handles addressing packets, fragmentation and reassembly of packets, and routing packets between networks. The most important protocol at this layer is the Internet Protocol (IP).
Transport Layer. This layer provides session and datagram communication services. The core protocols of the transport layer are the Transmission Control Protocol (TCP) and the User Datagram Protocol (UDP).
Application Layer. This layer lets applications access the services of the other layers and defines the protocols that applications use to exchange data. Hypertext Transfer Protocol (HTTP), File Transfer Protocol (FTP), Simple Mail Transfer Protocol (SMTP), Telnet, and Domain Name System (DNS) are all examples of application layer protocols.
IP is a network layer protocol primarily responsible for addressing and routing packets between hosts. An IP packet consists of an IP header and an IP payload. The following table describes the key fields in the IP header.
IP Header Field
Source IP Address. The IP address of the original source of the IP datagram.
Destination IP Address. The IP address of the final destination of the IP datagram.
Protocol. Informs IP at the destination host whether to pass the packet up to TCP, UDP, Internet Control Message Protocol (ICMP), or other protocols.
TCP is a reliable, session-oriented delivery service. Session-oriented means that a session must be established before hosts can exchange data. Reliability is achieved by assigning a sequence number to each segment transmitted. An acknowledgment is used to verify that the data is received. TCP provides a one-to-one, session-oriented, reliable communications service.
TCP Header Field
Source Port. TCP port of the sending host.
Destination Port. TCP port of the destination host.
Sequence Number. Sequence number of the first byte of data in the TCP segment.
Acknowledgment Number. Sequence number of the byte the sender expects to receive next from the other side of the connection.
UDP provides a sessionless datagram service that offers unreliable, best-effort delivery of data transmitted in messages. This means that neither the arrival of datagrams nor the correct sequencing of delivered packets is guaranteed. UDP does not recover from lost data through retransmission. The UDP header contains a source port and destination port, but does not include sequence information or acknowledgment. Ensuring that UDP packets are delivered is the responsibility of the application layer protocols that use UDP as a transport.
Most Internet applications running on Microsoft Windows® use Windows Sockets to communicate with the lower protocol layers. Windows Sockets provides services that allow applications to bind to a particular port and IP address on a host, initiate and accept a connection, send and receive data, and close a connection.
A socket is defined by a protocol and an address on the host. In TCP/IP, the address is the combination of the IP address and port. Two sockets, one for each end of the connection, form a bidirectional communications path.
To communicate, an application specifies the protocol, the IP address of the destination host, and the port of the destination application. After the application is connected, information can be sent and received.
For detailed information on TCP/IP, see TCP/IP Technical Reference, one of the technical references located at
What Is Packet Filtering?
Packet filters control access to the network at the network layer by inspecting IP packets and allowing or denying them to pass through the firewall. When the firewall inspects an IP packet, it examines only the information in the network and transport layer headers, including the packet's source and destination information, its protocol, and its port numbers.
The firewall can evaluate IP packets using the following criteria:
Destination address. The destination address may be the actual IP address of the destination computer in the case of a routed relationship between the two networks being connected by ISA Server. The destination may also be the external interface of ISA Server in the case of a Network Address Translation (NAT) network relationship.
Source address. This is the IP address of the computer that originally transmitted the packet.
IP Protocol and protocol number. You can configure packet filters for TCP, UDP, ICMP, and any other protocol. Each protocol is assigned a number. For example, TCP is protocol 6, and the Generic Routing Encapsulation (GRE) protocol used for Point-to-Point Tunneling Protocol (PPTP) connections is protocol 47.
Direction. This is the direction of the packet through the firewall. In most cases, the direction can be defined by inbound, outbound, or both. For some protocols, such as FTP or UDP, the directional choices may be Receive only, Send only, or Both.
Port numbers. A TCP or UDP packet filter defines a local and remote port. The local and remote ports can be defined by a fixed port number, or as a dynamic port number.
Packet filtering has a number of advantages and disadvantages.
Some of the advantages include:
Packet filtering has to inspect only the network and transport layer headers, so packet filtering is very fast.
Packet filtering can be used to block a particular IP address or to allow a particular IP address. If you detect an application-level attack from an IP address, you can block that IP address at the packet-filter level. Or, if you need to enable access to your network and you know that all access attempts will be coming from a particular address, you can enable access only for that source address.
Packet filtering can be used for ingress and egress filtering. Ingress filtering blocks all access on the external interface of the firewall to packets that have a source IP address that is logically on the internal network. For example, if your internal network includes the 192.168.20.0 network, an ingress filter will block a packet arriving at the external interface that claims to be coming from 192.168.20.1. An egress filter prevents packets from leaving your network that have a source IP address that is not on the internal network.
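The following Python sketch is an added example, not part of the original material or of ISA Server: it evaluates packets against the criteria listed above (addresses, protocol number, direction, port) and applies the ingress and egress checks using the 192.168.20.0 network from the text. The rule format, the sample rule base and the UDP protocol number 17 are assumptions made for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Protocol numbers named in the text: TCP is 6 and GRE (used by PPTP) is 47.
# UDP's number, 17, is added here for completeness (IANA assignment).
TCP, UDP, GRE = 6, 17, 47
INTERNAL_NET = ipaddress.ip_network("192.168.20.0/24")  # internal network from the text

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int
    direction: str                  # "inbound" = arriving on the external interface
    dport: Optional[int] = None     # destination port, meaningful for TCP and UDP only

@dataclass(frozen=True)
class Rule:
    action: str                     # "allow" or "deny"; a None field matches anything
    proto: Optional[int] = None
    src: Optional[str] = None       # CIDR notation
    dst: Optional[str] = None
    dport: Optional[int] = None
    direction: Optional[str] = None

    def matches(self, p: Packet) -> bool:
        def in_net(addr, net):
            return net is None or ipaddress.ip_address(addr) in ipaddress.ip_network(net)
        return (self.proto in (None, p.proto)
                and in_net(p.src, self.src) and in_net(p.dst, self.dst)
                and self.dport in (None, p.dport)
                and self.direction in (None, p.direction))

def spoof_check(p: Packet) -> Optional[str]:
    """Ingress filter: an inbound packet must not claim an internal source address.
    Egress filter: an outbound packet must carry an internal source address."""
    src_internal = ipaddress.ip_address(p.src) in INTERNAL_NET
    if p.direction == "inbound" and src_internal:
        return "ingress filter: internal source address on external interface"
    if p.direction == "outbound" and not src_internal:
        return "egress filter: non-internal source address leaving the network"
    return None

def filter_packet(p: Packet, rules) -> tuple:
    """Returns (verdict, reason). Spoof checks run first, then the first matching
    rule wins; a packet that matches no rule is denied (default deny)."""
    reason = spoof_check(p)
    if reason:
        return "deny", reason
    for r in rules:
        if r.matches(p):
            return r.action, f"matched rule {r.action} proto={r.proto} dport={r.dport}"
    return "deny", "no rule matched (default deny)"

# Constructed rule base: block one address seen attacking, allow inbound HTTP,
# deny inbound Telnet, allow outbound GRE for PPTP.
RULES = [
    Rule("deny", src="203.0.113.9/32"),
    Rule("allow", proto=TCP, dport=80, direction="inbound"),
    Rule("deny", proto=TCP, dport=23, direction="inbound"),
    Rule("allow", proto=GRE, direction="outbound"),
]
```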
Packet filtering also has some disadvantages:
Packet filters cannot prevent IP address spoofing or source-routing attacks. An attacker can substitute the IP address of a trusted host as the source IP address, and the packet filter will not block the packet. Or the attacker can include source-routing information in the packet that gives incorrect routing information for return packets, so that the packets are not returned to the actual host but to the attacker's computer.
Packet filters cannot prevent IP-fragment attacks. An IP-fragment attack splits a single IP packet into multiple fragments. Most packet-filtering firewalls check only the first fragment and assume that the other fragments of the same packet are acceptable. The additional fragments may contain malicious content.
Packet filters are not application aware. You may be blocking the default Telnet port (port 23) on your firewall, but allowing access to the HTTP port (port 80). If an attacker can configure a Telnet server to run on port 80 on your network, the packets would be passed to the server.
ISA Server 2004 and packet filtering
ISA Server 2004 does not have an option to directly configure packet filtering. However, ISA Server does operate as a packet filter firewall, inspecting traffic at the network and transport layers. For example, if you define a firewall access rule that enables all protocol traffic from a computer on one network to a computer on another network, ISA Server uses a packet filter to allow that traffic. Or, if you configure a firewall access rule that denies the use of the default Telnet port (TCP port 23), ISA Server will use a packet filter to block that port. ISA Server 2000 supported direct configuration of packet filters. If you upgrade to ISA Server 2004 from ISA Server 2000, packet filters are replaced by access rules.
What Is Stateful Filtering?
When a firewall uses stateful filtering, it not only examines the packet header information, but also examines the status of the packet. For example, the firewall can inspect a packet at its external interface and determine whether the packet is a response to a request from the internal network. This check can be performed at both the transport and application layers.
Stateful filtering uses information about the TCP session to determine if a packet should be blocked or allowed through the firewall. TCP sessions are established using the TCP three-way handshake. The purpose of the three-way handshake is to synchronize the sequence number and acknowledgment numbers of both sides of the connection and exchange other information defining how the two hosts will exchange packets. The following steps outline the process:
Advantages and disadvantages of stateful filtering
One of the advantages of stateful filtering is that it ensures that all network traffic forwarded by the firewall is part of an existing session, or matches the rules for creating a new session.
Another advantage is that stateful filtering implements dynamic packet filtering, which ensures that specific ports are available only when a valid session exists.
For example, if a client requests that the server respond on port 1159 (as shown in the previous example), ISA Server will listen on port 1159 only as long as the connection exists. However, stateful filtering still does not provide enough protection against the threats to network security. Many of the newest attacks happen at the application level. For example, a client computer may download malicious code in an HTTP packet that is part of a legitimate session. Only application layer stateful inspection can block these types of attacks.
ISA Server connection rules
ISA Server uses connection rules to keep track of sessions. Whenever a packet arrives at the server, ISA Server attempts to associate the packet with a connection rule, based on the protocol, source, and destination. A connection rule has the following attributes:
Source (IP address and port/endpoint)
Destination (IP address and port/endpoint)
Source address translation (used for NAT connections)
Destination address translation (used for NAT connections)
Statistics (number of bytes transferred, last access time)
Misc. (checksum delta, used when doing address translation)
If the packet matches a connection rule, the packet is forwarded. If the packet does not match a connection rule, ISA Server checks the firewall access rules to determine if a new connection rule can be created. If no firewall access rule blocks the creation of the connection rule, then ISA Server creates the connection and forwards the packet. If a firewall rule blocks the creation of the connection rule, then the packet is dropped.
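As an added example (not ISA Server's code), the following Python model ties together the connection-rule lookup just described and the earlier point that a dynamic port such as 1159 stays reachable only while its connection exists: a packet that matches a connection rule is forwarded, a TCP packet that matches nothing and does not open a handshake is dropped, and otherwise the access rules decide whether a new connection rule is created. The access-rule format is an assumption, NAT attributes are omitted, and a FIN or RST from either side is treated as ending the session (a simplification of TCP's half-close).

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    proto: str                         # "tcp" or "udp"
    src: str                           # "ip:port" of the sending endpoint
    dst: str                           # "ip:port" of the receiving endpoint
    flags: frozenset = frozenset()     # TCP flags present, e.g. {"SYN"}, {"FIN", "ACK"}
    size: int = 0                      # bytes, for the connection statistics

@dataclass
class ConnectionRule:
    """Subset of the connection-rule attributes listed in the text (NAT fields omitted)."""
    proto: str
    source: str
    destination: str
    bytes_transferred: int = 0
    last_access: int = 0

class StatefulFilter:
    def __init__(self, access_rules):
        # access_rules: ordered list of (proto, destination port or None, "allow"/"deny")
        self.access_rules = access_rules
        self.connections = {}          # (proto, source, destination) -> ConnectionRule

    def _lookup(self, p):
        """Associate a packet with an existing connection rule in either direction."""
        for key in ((p.proto, p.src, p.dst), (p.proto, p.dst, p.src)):
            if key in self.connections:
                return key
        return None

    def _access_rules_allow(self, p):
        dport = int(p.dst.rsplit(":", 1)[1])
        for proto, port, action in self.access_rules:
            if proto == p.proto and port in (None, dport):
                return action == "allow"
        return False                   # no access rule grants the new connection

    def handle(self, p, now):
        key = self._lookup(p)
        if key is not None:
            conn = self.connections[key]
            conn.bytes_transferred += p.size
            conn.last_access = now
            if p.flags & {"FIN", "RST"}:
                # Session is ending: remove the connection rule so the dynamic
                # port is no longer reachable once the connection is gone.
                del self.connections[key]
            return "forward: existing connection"
        if p.proto == "tcp" and "SYN" not in p.flags:
            # Only a handshake-opening segment may create a TCP connection; any
            # other segment that matches no connection is not part of a session.
            return "drop: not part of a current connection"
        if not self._access_rules_allow(p):
            return "drop: access rules block creation of connection rule"
        self.connections[(p.proto, p.src, p.dst)] = ConnectionRule(
            p.proto, p.src, p.dst, p.size, now)
        return "forward: new connection rule created"
```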
What is application filtering?
Application filtering enables the firewall to open up the entire TCP/IP packet and inspect the application data for unacceptable commands and data. For example, an SMTP filter intercepts communication on port 25 and inspects it to make sure the SMTP commands are authorized before passing the communication to the destination server. An HTTP filter performs the same function on all HTTP packets. Firewalls that are capable of application-layer filtering can stop dangerous code at the edge of the network before it can do any damage.
Application-layer filtering can also be used to stop attacks from sources such as viruses and worms. Most worms look like legitimate software code to the packet-filtering firewall. The headers of the packets are identical in format to those of legitimate traffic. It is the payload that is malicious; only when all the packets are put together can the worm be identified as malicious code, so these exploits often travel straight through to the private network because the firewall allowed what looked like normal code.
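An SMTP application filter of the kind described above, written as an added illustration rather than ISA Server's own filter: it reads the client side of a port-25 stream, allows only an allowlist of command verbs, enforces the command-line length limit, and treats everything between DATA and the terminating "." as message content rather than commands. The allowlist and the sample sessions are constructed for the example.

```python
# Allowlist of SMTP command verbs for this example (a constructed policy, not
# ISA Server's). Any verb outside the list is treated as unauthorized.
ALLOWED_VERBS = frozenset({"HELO", "EHLO", "MAIL", "RCPT", "DATA",
                           "RSET", "NOOP", "QUIT", "STARTTLS"})
MAX_COMMAND_LINE = 512   # RFC 5321 limit for a command line including CRLF

def inspect_smtp_client_stream(payload: bytes):
    """Inspect the client-to-server half of an SMTP conversation on TCP port 25.

    Returns ("pass", None) if every command is authorized and well-formed, or
    ("block", reason) at the first command that is not. Lines after DATA up to
    the lone "." terminator are message content, not commands, so they are not
    matched against the allowlist. A packet filter never looks at any of this."""
    in_message_body = False
    for raw_line in payload.split(b"\r\n"):
        if in_message_body:
            if raw_line == b".":
                in_message_body = False
            continue
        if not raw_line:
            continue             # trailing empty chunk after the final CRLF
        if len(raw_line) + 2 > MAX_COMMAND_LINE:
            return "block", "command line longer than 512 bytes"
        try:
            line = raw_line.decode("ascii")
        except UnicodeDecodeError:
            return "block", "non-ASCII bytes in command line"
        verb = line.split(" ", 1)[0].upper()
        if verb not in ALLOWED_VERBS:
            return "block", f"unauthorized SMTP command {verb}"
        if verb == "DATA":
            in_message_body = True
    return "pass", None

# Constructed sample streams (client side only).
LEGIT_SESSION = (b"EHLO mail.example.com\r\nMAIL FROM:<alice@example.com>\r\n"
                 b"RCPT TO:<bob@example.net>\r\nDATA\r\nSubject: hi\r\n\r\n"
                 b"VRFY here is just a word inside the message body.\r\n.\r\nQUIT\r\n")
UNAUTHORIZED_SESSION = b"EHLO mail.example.com\r\nVRFY bob\r\nQUIT\r\n"
OVERLONG_SESSION = b"EHLO " + b"a" * 600 + b"\r\nQUIT\r\n"
```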
Advantages and disadvantages of application filtering
The advantages of application-layer filtering go beyond the prevention of attacks. It can also be used to protect your network and systems from the harmful actions that unaware employees often take. For example, you can configure filters that prevent potentially harmful programs from being downloaded via the Internet, or ensure that critical customer data does not leave the network in an e-mail.
Application-layer filtering can also be used to more broadly limit employee actions on the network. You can use an application filter to restrict common types of inappropriate communication on your network. For example, you can block peer-to-peer file-exchange services. These types of services can consume substantial network resources and raise legal liability concerns for your organization.
The most significant disadvantage of application-filtering firewalls is performance. Because an application-filtering firewall examines the actual payload of each packet, it is usually slower than packet or stateful filtering.
ISA Server and application filtering
The most important benefit of implementing ISA Server 2004 is that it is a powerful and complete application-layer firewall. ISA Server includes many built-in application filters. In addition, ISA Server 2004 includes powerful and flexible interfaces with which administrators can create custom filters to detect virtually any attack. ISA Server is also highly extensible. This means your in-house programmers or third-party vendors can extend much of its functionality, including its filtering capabilities.
What is an intrusion detection system?
An intrusion detection system (IDS) that is located at the edge of a network inspects all traffic in and out of the network and identifies patterns that may indicate a network or system attack. An IDS is usually configured with information about a wide variety of known attacks. It then monitors the network traffic for signatures that indicate that a known attack is occurring. An IDS can also be configured with information about normal network traffic and then be configured to detect variations from the normal traffic.
A complete IDS also includes several layers. One device may be located at the network perimeter and monitor all traffic entering and leaving the network. Additional devices may be deployed on the internal networks, or on routers connecting networks. A final layer of protection is provided by host-based systems in which an IDS is configured on individual computers. The most sophisticated IDS can collect information from all the layers and correlate data to make the most accurate intrusion detection decisions.
Intrusion detection systems also provide options for configuring alerts or responses to intrusion attempts. At the very least, IDS should alert an administrator when an attack is detected. More sophisticated IDSs provide additional responses to attacks, including shutting down or limiting the functionality of the systems under attack.
Although they both relate to network security, an IDS differs from a firewall in that a firewall looks out for intrusions to stop them from happening. The firewall limits the access between networks to prevent intrusion and does not signal an attack from inside the network. An IDS evaluates a suspected intrusion once it has taken place and signals an alarm. An IDS also watches for attacks that originate from within a system.
ISA Server and intrusion detection
ISA Server includes intrusion detection that monitors for several well-known vulnerabilities. ISA Server detects intrusions at two different network layers. First, ISA Server detects intrusions at the Network layer. This enables ISA Server to detect vulnerabilities that are inherent to the IP protocol. Second, ISA Server uses application filters to detect intrusions at the application layer.
ISA Server filtering architecture
When a network packet arrives at the firewall, it goes through one or more components in the ISA Server architecture. The network packets may be inspected and allowed or denied by each of the following components:
1. Packet filtering. The firewall engine, which runs in kernel mode, receives the packets as they pass through the network layer. The packets are associated with a connection rule, and then the packets are filtered. The firewall engine applies the packet filters. If no packet filters apply, the packet is passed to the firewall service.
2. Stateful and protocol filtering. The firewall service, which runs in user mode, performs protocol and stateful filtering. The firewall service creates and manages firewall connections. The firewall service also handles communication with and connections via Firewall Client. If an application filter or Web filter is associated with the connection protocol, the packet is passed to the appropriate application filter or Web filter.
3. Application filtering. The application filters expand the network packet and inspect the application data. If the packet uses the HTTP or Hypertext Transfer Protocol Secure (HTTPS) protocol, the message is passed through the Web Proxy filter to an HTTP Web filter, which inspects the application data. The Web Proxy filter also manages and accesses the Web cache.
4. Kernel mode data pump. If the data entering the firewall engine can be associated with an existing connection rule, the data is forwarded through ISA Server using the kernel mode data pump. This means that data that will be accepted by the higher layers in the architecture can be passed through ISA Server without ever leaving the kernel mode driver. The rules engine communicates with all of the other major components, including both the firewall engine and the firewall service, as well as the application and Web filters.
Implementing ISA Server 2006 as a Firewall
Configuring ISA Server as a firewall includes the following steps.
Determine perimeter network configuration. The primary role for a firewall is to protect the network perimeter. The first step in deploying ISA Server as a firewall is to design the perimeter network configuration and determine the role of ISA Server in that configuration.
Configure networks and network rules. The second step in deploying ISA Server as a firewall is to configure networks and network rules based on your perimeter network design. You can use network templates in ISA Server to simplify this process.
Configure system policy. System policy is used in ISA Server to define how the ISA Server will be managed. One step in your deployment should be to ensure that the system policy enables only required functionality.
Configure intrusion detection. ISA Server provides built-in intrusion detection. Configure intrusion detection so that you can be alerted when an attack occurs on your ISA Server.
Configure access rule elements and access rules. To grant users access to the Internet, you need to configure access rule elements and access rules.
Configure server and Web publishing. The final step in configuring ISA Server as a firewall is to enable server and Web publishing. This step makes internal resources accessible from the Internet.
Contoso, Ltd. is implementing a new firewall solution. The organization needs to provide access to the Internet for all internal employees using any protocol. However, the organization must be able to limit what types of content and files users can download from the Internet. Contoso, Ltd. has a Web site that is located on a perimeter network behind the firewall. The security logs indicate that 80 percent of attack attempts on the Web site come from five IP addresses on the Internet. The organization wants to prevent any network connections from those IP addresses, but also needs to be alerted when any other attack attempts occur.
Tailspin Toys is implementing a new firewall solution. The organization needs to provide access to the Internet for all internal employees using any protocol. Tailspin Toys has an internal Web site that is located on a perimeter network behind the firewall. This internal Web site should be accessible only to employees of a partner organization, and only when the users are in the partner organization's office. The security logs indicate that the previous firewall frequently received packets that were not part of a current connection with a client inside the network. The organization needs to ensure that this type of attack will not succeed in the future.
Fabrikam, Inc. is implementing a new firewall solution. The organization needs to provide access to the Internet for all internal employees using any protocol. In the past, several employees have been reprimanded for accessing inappropriate Web content. The organization must be able to limit which Web sites employees can connect to and must be able to log all user access to Web sites. Fabrikam, Inc. has a Web site that is hosted by an ISP, so there is no need for any HTTP or HTTPS traffic originating from the Internet to enter the company network. The organization does have an internal SMTP server. In the past, several security breaches have occurred when users received viruses by e-mail, so the organization needs to be able to prevent this from happening again.