Microsoft Internet Security and Acceleration Server 2000 Application Layer Filtering Kit

 

Chapter 9

Meeting the Challenge of Evolving Attacks and Increasing User Sophistication


Dr. Thomas W Shinder

December 2003

 

 

Table of Contents

Abstract

The Problem: Meeting the Challenge of Evolving Attacks and Increasing User Sophistication

The Solution: The Ability to Enhance ISA Server 2000 Application Layer Filtering

Enhancing Web Access Inspection and Control

Enhancing SMTP Mail Access Inspection and Control

Enhancing Network Security with Instant Messenger and P2P Access Inspection and Control

Summary



Abstract

Network attackers continue to develop new and more sophisticated methods to attack corporate networks. Modern application layer firewalls must be able to adapt to evolving application layer attacks. ISA Server 2000 firewalls are ideally suited to meet this challenge. ISA Server 2000 allows you to expand the level of application layer protection provided by the firewall. This expandability enables the ISA Server 2000 firewall to meet the application layer firewall filtering needs of today and keep pace with changes taking place in the network attacks landscape.

 

This document discusses the nature of evolving application layer attacks and explains the variety of methods you can use to expand on ISA Server 2000’s intelligent application layer filtering to enhance the built-in protection provided by the firewall.


The Problem: Meeting the Challenge of Evolving Attacks and Increasing User Sophistication

ISA Server 2000 comes with a number of application layer filters that allow you to monitor and block many types of attacks from Internet intruders. The built-in ISA Server 2000 application filters can block attacks against your network SMTP servers, DNS servers, Web servers, Outlook Web Access servers, and many more. These built-in features go a long way toward successfully meeting the challenges that face enterprise level firewalls today.

 

Network security professionals have another problem today, however. Attackers continue to work on and develop new types of attacks. An effective firewall must be able to adapt to the changing attack landscape without requiring the organization to purchase an entirely new set of hardware and software.

 

Network attackers are now able to take advantage of several popular new technologies in order to launch successful attacks against corporate networks. The popularity of Instant Messengers and Peer to Peer (P2P) applications has significantly improved a malicious attacker’s chances of destroying or stealing resources contained on the corporate network.

 

An even more important network security problem stems from the increasing sophistication of legitimate internal network users. There is a large amount of information on the Internet aimed at corporate users who are interested in subverting firewall policy so that they can use instant messaging and P2P applications. These users could use these same applications at home, but they prefer to use them at work because corporate Internet connections are typically much faster than home-based Internet connections.

 

Use of these programs on the corporate network does more than waste company bandwidth; it also poses a security risk. Corporate network users can, either deliberately or inadvertently, divulge proprietary corporate information via instant messenger chat sessions. Unlike corporate SMTP servers, which archive copies of every email message moving into and out of the corporate network, the IM channel is not archived, and so users cannot be held accountable for the information that moves through IM chat sessions. Only by extending the firewall’s application layer filtering capabilities can you obtain this information.

 

IM programs allow more than just real-time chatting. Most also provide a mechanism for exchanging files. This feature allows corporate network users to transfer any file located on their own workstations, or files stored on a corporate file server to which they have access, to any person in the world. While most network firewalls allow you to control outbound file transfers using FTP or HTTP, file transfer control over IM channels is more difficult to implement.

 

While unwanted email is generally accepted as the greatest threat to network security and stability today, a close second is P2P applications. These applications, typically used for sharing MP3 music files, allow users to share any type of files with millions of users all over the world. A sophisticated user can easily share the entire contents of his hard disk, or even the hard disk of a corporate file server, and allow millions of users located anywhere on the globe to download the information to their own computers.

 


Even if a user does not give others on the P2P network access to his own files, using the application to download music or other files also threatens the corporate network. P2P applications allow users to download files that have not been screened by the firewall. These files can contain viruses, worms and Trojans, all of which can be used to destroy network services, take control of key infrastructure servers, and steal data from the corporate network. P2P applications can also expose the company to copyright infringement lawsuits. One of the most popular uses of P2P applications is to steal copyrighted material, and many companies put themselves at risk of being sued because copyrighted material is found on users’ machines.

 

Instant messengers and P2P applications are just two of the powerful technologies that are being used to attack networks today. There are many other exploits in use and in development that will challenge today’s application layer aware firewalls. These firewalls must be able to keep pace with evolving attack methods and technologies. Otherwise, they will not be able to secure corporate networks in the 21st century.

The Solution: The Ability to Enhance ISA Server 2000 Application Layer Filtering

The solution to effectively responding to evolving attacks is to use ISA Server 2000’s ability to easily enhance its application layer filtering mechanisms. ISA Server 2000 allows you to purchase from a third party, or develop your own, application filtering security add-ons that provide additional security to your ISA Server 2000 firewall and corporate network.

 

Unlike traditional “hardware” firewalls that either do not allow you to easily enhance the level of security provided by the firewall or require very expensive upgrades, ISA Server 2000 allows you to easily and quickly plug in new, sophisticated application layer filters that can inspect and control virtually any communication moving through the ISA Server 2000 firewall. This is the cornerstone of ISA Server’s “extensibility” feature.

 

Areas in which you can greatly enhance the application layer inspection functionality of the ISA Server 2000 firewall include:

 

Enhancing Web Access Inspection and Control

ISA Server 2000 includes powerful application layer inspection and control mechanisms right out of the box. URLScan, Web Publishing Rules, Site and Content Rules, the HTTP Redirector filter, and others all provide powerful firewall access control for HTTP, SSL and HTTP proxied FTP connections.

 

You can enhance the ISA Server 2000 firewall’s ability to control Web communications by adding application filters that perform the following functions:

 

· URL filtering

Many organizations need to have control over which Internet sites their users visit. While ISA Server 2000 Site and Content Rules allow you to obtain fine-tuned control over the sites users visit by entering the sites you want to block into its list, it is difficult to keep up with the increasing number of malicious and salacious Web sites that are posted on the Internet each day. URL filtering security add-ons to the ISA Server 2000 firewall can be used to dynamically update your list of blocked Web sites. This allows you to easily block access to dangerous Web sites (without entering each individually) and reduce administrative overhead.
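As an added illustration of the dynamically updated block list described above (this is example code, not ISA Server 2000 code or a third-party add-on), the following Python models a domain block list that can be refreshed from a downloaded feed and that matches a requested URL against blocked domains and their subdomains. The host normalization step matters: without it, a request for BAD.example:8080 or for a host written with a trailing dot would slip past a list entry for bad.example. The feed contents, domain names and URLs are constructed samples.

```python
"""Domain block list with host normalization and dynamic feed updates.

Added example, not ISA Server 2000 code. Feed lines, domains and URLs
are constructed for the demonstration.
"""
from urllib.parse import urlsplit

# Constructed sample feed, as a URL filtering vendor might publish it
SAMPLE_FEED = """
# blocked domains, one per line
bad.example
Malware.Example.
"""


def normalize_host(url: str) -> str:
    """Canonical host of a URL: lowercase, userinfo and port removed, no trailing dot.

    urlsplit().hostname already lowercases and strips userinfo/port; the
    trailing dot (an absolute DNS name) is stripped here.
    """
    parts = urlsplit(url if "://" in url else "http://" + url)
    return (parts.hostname or "").rstrip(".")


def parse_feed(text: str):
    """Yield block list entries from feed text, skipping blanks and comments."""
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            yield line


class DomainBlockList:
    def __init__(self, domains=()):
        self._blocked = set()
        self.update(domains)

    def update(self, domains) -> int:
        """Merge a batch of domains (e.g. a fresh feed); return how many were new."""
        before = len(self._blocked)
        for d in domains:
            d = d.strip().lower().rstrip(".")
            if d:
                self._blocked.add(d)
        return len(self._blocked) - before

    def is_blocked(self, url: str) -> bool:
        """True if the URL's host is a listed domain or a subdomain of one."""
        host = normalize_host(url)
        if not host:
            return False
        labels = host.split(".")
        # Walk from the full host up through its parents so that
        # cdn.bad.example is blocked when bad.example is listed,
        # while notbad.example (a different label) is not.
        return any(".".join(labels[i:]) in self._blocked for i in range(len(labels)))


if __name__ == "__main__":
    bl = DomainBlockList(parse_feed(SAMPLE_FEED))
    for url in ("http://BAD.example:8080/x", "http://cdn.bad.example/",
                "http://notbad.example/", "https://user:pw@malware.example./p"):
        print(url, "blocked" if bl.is_blocked(url) else "allowed")
```

The suffix walk is the piece that usually goes wrong in home-grown filters: matching on a substring of the host would block notbad.example, while matching only the exact host would miss cdn.bad.example.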

 

· Page Content Filtering

Another approach to Web access control is to block access to Web pages that contain unacceptable content. This method can be used in conjunction with URL filtering to ensure that users do not access inappropriate content. Page content filtering adds a second layer of protection: it blocks a Web page that contains the keywords and strings you want to block even when the page belongs to a Web site that the URL filtering feature does not block.

 

· Web bandwidth quotas

Internet bandwidth is a finite resource and needs to be allocated in an effective and intelligent manner. You can install an application filter on the ISA Server 2000 firewall that can enforce bandwidth quotas on users or groups within the organization. When users exceed their monthly allocations, they can be warned or you can block them from subsequent Internet connections using Web protocols. This allows you to limit bandwidth usage on the Internet connection and significantly reduces costs associated with users who abuse corporate Internet resources.

 

· Antivirus

Viruses, worms and Trojans can enter the network when users connect to malicious Web sites. Even if users do not explicitly go to these Web sites, they can be unknowingly redirected to them by clicking links in unwanted email and other attack-oriented email. You can install a security add-on so that the ISA Server 2000 firewall is able to block viruses, worms and Trojans at the perimeter. There’s no need to use a second hardware device to block these attacks; just plug the add-on into the ISA Server 2000 firewall.

 

· Script, Java, ActiveX blocking

Many malicious Web site operators are using scripts, Java, ActiveX and other Web controls to compromise corporate users’ computers. Web site operators can run these applications without the knowledge of the user and potentially take control of the user’s computer. Once the attacker has control of the user’s computer, he can attack corporate network resources under the security context of the logged on user, or even attempt to elevate his privileges to do even more damage. You can install a powerful application layer filter on the ISA Server 2000 firewall that blocks these scripts and ActiveX-type applications from running on the user’s computer.

 

· File blocking

Files downloaded from the Internet can contain viruses, worms and Trojans that can be used to attack, disable and steal resources on the corporate network. You can install an application filter on the ISA Server 2000 firewall that allows you to scan all downloads from Web sites and determine if the downloaded files contain dangerous code. You can also block access to files based on file name or file extension. More sophisticated application filters are able to determine when the file is a Windows executable file, even when the attacker has renamed the file to use a .txt or other non-executable file extension.
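The content-based check mentioned in the last sentence is worth seeing concretely. The following Python is an added example (not ISA Server 2000 code or any add-on’s code) of how a download filter can recognise a Windows executable regardless of its file name: a Portable Executable (PE) file begins with the DOS header magic "MZ", and the 32-bit little-endian field at offset 0x3C (e_lfanew) gives the offset of the "PE\0\0" signature. The sample bytes are constructed headers, not real programs; the blocked extension list is an assumed policy.

```python
"""Recognise Windows executables by content, not by file extension.

Added example, not ISA Server 2000 code. The fake PE header built by
make_fake_pe() is constructed for the demonstration.
"""
import struct

E_LFANEW_OFFSET = 0x3C  # location of the 32-bit pointer to the PE signature


def is_windows_executable(data: bytes) -> bool:
    """True if data has a DOS 'MZ' header whose e_lfanew points at 'PE\\0\\0'.

    A file with 'MZ' but no PE signature is a 16-bit DOS executable; this
    function deliberately returns False for it so the caller can decide
    whether to treat that case separately.
    """
    if len(data) < E_LFANEW_OFFSET + 4 or data[:2] != b"MZ":
        return False
    (pe_offset,) = struct.unpack_from("<I", data, E_LFANEW_OFFSET)
    if pe_offset + 4 > len(data):
        return False  # truncated or bogus header: cannot contain the signature
    return data[pe_offset:pe_offset + 4] == b"PE\0\0"


def classify_download(filename: str, data: bytes,
                      blocked_ext=(".exe", ".dll", ".scr")):
    """Return (allowed, reason): block on extension first, then on content."""
    lower = filename.lower()
    for ext in blocked_ext:
        if lower.endswith(ext):
            return False, f"blocked extension {ext}"
    if is_windows_executable(data):
        return False, "Windows executable content regardless of extension"
    return True, "ok"


def make_fake_pe() -> bytes:
    """Constructed minimal PE header: 'MZ', e_lfanew = 0x40, 'PE\\0\\0' at 0x40."""
    header = bytearray(0x44)
    header[:2] = b"MZ"
    struct.pack_into("<I", header, E_LFANEW_OFFSET, 0x40)
    header[0x40:0x44] = b"PE\0\0"
    return bytes(header)


if __name__ == "__main__":
    print(classify_download("report.txt", make_fake_pe()))  # renamed executable
    print(classify_download("notes.txt", b"just text"))
```

A production filter would read only the first few kilobytes of the stream to make this decision, and would apply the same idea to other dangerous formats (archives, scripts) that the page’s antivirus add-ons handle.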

 

· Two-factor authentication

The ISA Server 2000 firewall allows you to log the user names with each Web site access. This is a valuable feature because it creates an environment of accountability and increased security. A problem that many organizations have is that users may share their usernames and passwords. This allows users to log in with the same credentials from multiple workstations and subverts the ability to accurately log Web usage on a per user basis. This problem can be solved by using two-factor authentication. The Web users must use both a hardware device (key, token or smartcard) and a username and password to access the Web. You can install sophisticated two-factor authentication filters on the ISA Server 2000 firewall and prevent users from logging on to the Internet from multiple machines.

Enhancing SMTP Mail Access Inspection and Control

ISA Server 2000 firewalls include powerful application layer filters that enable you to prevent attackers from compromising your server with buffer overflow attacks and help block unwanted email from entering the corporate network. SMTP based attacks against the corporate network continue to evolve, and all networks can benefit from enhanced protection against these attacks.

 

There are two ways that you can enhance the ISA Server 2000 firewall’s application layer defenses to further protect your network from attackers using SMTP mail messages against your network:

 

· Antivirus

You can install an application layer filter on the ISA Server 2000 firewall so it examines all inbound SMTP messages for viruses, worms and other dangerous attachments. These ISA Server 2000 security add-ons block dangerous attachments before users can unknowingly open them.

 

· Unwanted email Blocking

The ISA Server 2000 SMTP Message Screener can be installed on the ISA Server 2000 firewall and can block unwanted email based on source address, attachments and keywords. Spammers use evolving and increasingly sophisticated methods to attack corporate SMTP servers with unwanted email messages. You can install intelligent SMTP application filters on the ISA Server 2000 firewall that are designed to meet the challenge of evolving unwanted email attack methods.
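To make the three screening criteria concrete (source address, attachments, keywords), here is an added Python example of a message screener; it is not the ISA Server 2000 SMTP Message Screener’s code, and the blocked sender domains, attachment extensions, keywords and sample messages are all constructed. It parses a raw RFC 822 message with the standard library and returns every reason the message would be blocked, which is more useful to an administrator reviewing logs than a bare allow/deny.

```python
"""Screen SMTP messages by sender, attachment name and keywords.

Added example, not ISA Server 2000 code. All policy values and sample
messages are constructed.
"""
import email
import email.utils
from email import policy
from email.message import EmailMessage


class MessageScreener:
    def __init__(self, blocked_senders, blocked_extensions, blocked_keywords):
        # Entries may be full addresses or bare domains; compared case-insensitively
        self.blocked_senders = {s.lower() for s in blocked_senders}
        self.blocked_extensions = tuple(e.lower() for e in blocked_extensions)
        self.blocked_keywords = [k.lower() for k in blocked_keywords]

    def screen(self, raw: bytes) -> list:
        """Return the reasons to block the message; an empty list means allow."""
        msg = email.message_from_bytes(raw, policy=policy.default)
        reasons = []

        # 1. Source address: match the address itself or its domain
        addr = email.utils.parseaddr(msg.get("From", ""))[1].lower()
        domain = addr.rpartition("@")[2]
        if addr in self.blocked_senders or domain in self.blocked_senders:
            reasons.append(f"sender {addr} is blocked")

        # 2. Attachments: block by (double) extension of the declared file name
        for part in msg.iter_attachments():
            name = (part.get_filename() or "").lower()
            if name.endswith(self.blocked_extensions):
                reasons.append(f"attachment {name} has a blocked extension")

        # 3. Keywords: search subject plus the text/plain body
        body = msg.get_body(preferencelist=("plain",))
        text = (msg.get("Subject", "") + " " + (body.get_content() if body else "")).lower()
        for kw in self.blocked_keywords:
            if kw in text:
                reasons.append(f"keyword '{kw}' found")
        return reasons


def build_suspicious_sample() -> bytes:
    """Constructed message that trips all three criteria."""
    m = EmailMessage()
    m["From"] = "Promo <deals@spam.example>"
    m["To"] = "user@corp.example"
    m["Subject"] = "Your invoice"
    m.set_content("Open the attached file to see your invoice.")
    m.add_attachment(b"MZ\0\0", maintype="application", subtype="octet-stream",
                     filename="invoice.pdf.scr")
    return m.as_bytes()


def build_clean_sample() -> bytes:
    """Constructed message that should pass."""
    m = EmailMessage()
    m["From"] = "Partner <alice@partner.example>"
    m["To"] = "user@corp.example"
    m["Subject"] = "Meeting notes"
    m.set_content("Notes from today's call are below.")
    return m.as_bytes()


SCREENER = MessageScreener(blocked_senders=["spam.example"],
                           blocked_extensions=[".scr", ".exe", ".pif"],
                           blocked_keywords=["invoice"])

if __name__ == "__main__":
    print(SCREENER.screen(build_suspicious_sample()))
    print(SCREENER.screen(build_clean_sample()))
```

Matching on the declared file name is only a first line; the content check from the file blocking discussion earlier on this page (looking at the bytes rather than the name) is what catches an attachment whose extension has been disguised.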

Enhancing Network Security with Instant Messenger and P2P Access Inspection and Control

Instant Messaging and P2P applications pose a significant threat to network security and stability. Inappropriate use of these applications can expose a company to viruses, worms, Trojans and attorneys. You can expand the ISA Server 2000 firewall’s application layer filtering capabilities to perform the following:

 

· Antivirus

IM and P2P applications allow text and file transfers between communicating hosts. Many of these files contain viruses, worms and Trojans that can compromise network security and performance. You can install powerful application layer filters on the ISA Server 2000 firewall to prevent exploit-laden file transfers from taking place. These files can be quarantined so that a security administrator can later assess the nature of the potential compromise and take corrective actions to prevent future employee attempts at transferring infected files.

 

· Logging all IM and P2P communications

A number of organizations take advantage of IM and P2P applications to streamline customer and partner communications and file sharing. For these companies, it is important that all communications moving through the IM and P2P channels are logged so that reports can be created documenting all IM and P2P activity. You can install an ISA Server 2000 security add-on that allows you to log all communications moving across the ISA Server 2000 firewall.

 

· Blocking IM and P2P based file transfers

File transfers across the firewall represent significant security risks. Even if you install an IM and P2P antivirus application, this application may not prevent inbound and outbound file transfers. Users can use IM and P2P file transfer capabilities to send proprietary corporate data to competitors and others who do not have the company’s best interests in mind. To prevent this, you can install an application layer filter that prevents inbound and outbound file transfers from taking place. More sophisticated ISA Server 2000 application layer filters can allow file transfers on a per user or per group basis.

 

· Keyword Alerts for IM and P2P communications

IM and P2P applications allow users to use text based “chat” to communicate with one another. Valuable corporate information and secrets can be communicated through the chat channel without ever being recorded. You can install a sophisticated ISA Server 2000 application filter that sends an alert to a security administrator when keywords indicating that proprietary information is being shared appear on the chat channel.

 

· Keyword blocking for IM and P2P communications

Application filters can block communications moving on the IM or P2P channel based on keywords. Often the same filters that block keywords can also alert a security administrator that such a keyword was used.


Summary

Network attackers continue to develop new and more sophisticated methods to attack corporate networks. Modern application layer firewalls must be able to adapt to evolving application layer attacks. ISA Server 2000 firewalls are ideally suited to meet this challenge. ISA Server 2000 allows you to expand the level of application layer protection provided by the firewall. This expandability enables the ISA Server 2000 firewall to meet the application layer firewall filtering needs of today and keep pace with changes taking place in the network attacks landscape. This document described the nature of evolving application layer attacks and discussed ways you can expand on ISA Server 2000’s intelligent application layer filtering to enhance the built-in protection provided by the firewall.