In this article I will give you a high level overview of the ISA Server 2006 HTTP Filter. I will show how to use this HTTP Filter to protect your internal network from some types of attacks in Webserver Publishing scenarios. We will also see how to prevent users from using the Universal Firewall Bypass protocol (HTTP) to bypass the Firewall for network traffic like Microsoft Live Messenger, Yahoo Messenger or othes that have a function to use HTTP instead of their native protocols. To fully understand the concept and technologies of the HTTP protocol I would suggest reading this article.
Let’s start with some basics about the Webfilter in ISA Server 2006.
What is a Webfilter
A Webfilter in ISA Server 2006 is a set of Dynamic Link Libraries (DLLs) which are based on the IIS ISAPI (Internet Server Application Programming Interface) Model.
Webfilter in ISA Server 2006 will be loaded from the Webproxy Filter. If the Webfilter is loaded, all information will be forwarded to the Webproxy Filter. The Webproxy Filter is responsible for determining which type of events should be monitored. Each time such events occur the Webproxy Filter will be notified.
The following figure shows the HTTP Filter Add-in from ISA Server 2006.
Figure 1: ISA Server 2006 HTTP filter add-in
The Webfilter in ISA Server 2006 is responsible for the following tasks:
- Scanning and modifying HTTP requests
- Analyzing network traffic
- Scanning and modifying HTTP responses
- Blocking of specific HTTP responses
- Data encryption and compression
and many more.
The HTTP Filter in ISA Server 2006 is rule specific except for the Maximum Header length setting. The Maximum Header length is the same for all Firewall rules with HTTP protocol definitions.
The HTTP Filter in ISA Server 2006 is also capable of filtering HTTPS traffic but only in reverse web server publishing scenarios where HTTPS Bridging is used. If you want to use outgoing HTTPS inspection through ISA Server 2006 HTTP filter you have to use third party software.
HTTP Filter configuration
If you want to start configuring the HTTP filter, right click a rule that contains an HTTP protocol definition and select Configure HTTP from the context menu.
Figure 2: ISA Server 2006 HTTP filter general settings
Maximum Headers length (bytes):
The maximum Header length specifies the maximum number of bytes in the URL and HTTP Header for an HTTP request until ISA Server blocks the request.
Maximum payload length (bytes):
With this option it is possible to restrict the maximum length in bytes a user can send via an HTTP POST in a Web server publishing scenario.
Maximum URL Length (Bytes): The maximum length of an allowed URL
Maximum Query length (Bytes): The maximum length of a URL in the HTTP request
You can select this checkbox to specify that requests with URLs containing escaped characters after normalization will be blocked. Normalization is the process where URL coded requests will be decoded. After decoding the URL the URL will be normalized again to be sure that no process is using the % character to encode a URL. If the HTTP Filter finds a difference in the URL after the second normalization, the requests will be rejected.
Block High bit character
URLs that contain Double Byte Characters (DBCS) or Latin1 will be blocked if this setting is active. An active setting regulary blocks languages that require more than eight bits to display all language specific characters.
Block responses containing Windows executable content. This option blocks the download and executing of executable content like EXE files.
Next we should configure the allowed or blocked HTTP methods.
Figure 3: HTTP Methods
In this example we are blocking the HTTP POST command so that nobody can upload content on external websites.
With this option it is possible to block or allow some specific file extensions in the specific Firewall rule.
Figure 5: Using ISA Server 2006 to block some file extensions
Block requests containing ambiguous extensions
This option instructs the HTTP filter to block all file extensions which ISA Server 2006 cannot determine.
In this example we are blocking access to the .EXE file extension.
Figure 6: Blocking the .EXE file extension
HTTP Header handling
When a web client sends requests to a web server or the Web server is answering queries, the first part of an answer is an HTTP request or an HTTP response. After the HTTP request or HTTP response, the client or Server sends an HTTP Header. The request Header field allows the client to send additional information to the server. HTTP Header contains information about the Browser, operating system information, and authorization details and more. The client Header uses the attribute User-Agent which determines which application is responsible for the request.
With the help of the HTTP filter it is possible to block specific HTTP Headers.
Figure 7: HTTP filter Header section
The settings in the Server Header field give Administrators the control to remove the HTTP header from the response or to modify the HTTP Header in the response and some other settings.
In the following example we are using the HTTP Header feature in ISA Server 2006 to block Kazaa, information of which resides in the request header.
Figure 8: Blocking Kazaa
HTTP Filter signatures
An HTTP signature can exist in the HTTP body or HTTP header. You can use HTTP signatures to deny the execution from specific applications. To find a specific HTTP signature you must know which signature the application is using. There are some documents on the Internet that can give you some information about specific HTTP signatures but it is also possible to use a network sniffer to determine HTTP signatures. I will show you how to use a network sniffer later in this article.
Filtering HTTP signatures in ISA Server 2006 only works when the requests and responses are UTF-8 coded.
Figure 9: Blocking HTTP signatures
In the following example we are blocking the access for the Windows Live Messenger protocol.
Figure 10: Windows Live Messenger Block
If you want to know more about application signatures click here.
ISA Server 2006 inspects only the first 100 Bytes of the request and response body. It is possible to expand the maximum number of bytes but this can result in some Server performance degradation.
HTTP error message if the HTTP filter blocks some content
Figure 11: HTTP Filter access message
How to discover specific HTTP Headers
To determine HTTP signatures that are unknown to you, it is possible to use a network sniffer like Windows Netmon 3.0 to trace the HTTP network traffic.
The following frigure shows a sample network trace output from Microsoft Netmon 2.0, but you can use any other Network monitor like Wireshark (former Ethereal).
Figure 12: Netmon HTTP trace
This example shows the request type (GET), the HTTP request Header (HTTP/1.1) the User-Agent (Mozilla/4.0) and the signature (MSIE 6.0).
You can use HTTPFILTERCONFIG.VBS from the directory C:\PROGRAMME\MICROSOFT ISA SERVER 2006 SDK\SDK\SAMPLES\ADMIN from the ISA Server 2006 SDK to import and export HTTP-Filter configurations.
Figure 13: HTTPFILTERCONFIG.VBS from the ISA 2006 SDK
In this article I tried to show you how the ISA Server 2006 HTTP filter works. The HTTP filter in ISA Server 2006 is a great tool to block some dangerous content to protect against malicious code or Trojans and worms. You can also use the HTTP filter to block specific HTTP signatures. Blocking these signatures helps administrators to block some type of applications like Windows Live Messenger that can be tunnelled through HTTP if the normal protocol is blocked through firewall restrictions.