Microsoft Internet Security and Acceleration Server 2000 in Education Deployment Kit
Controlling Internet Access for Campus Computers using ISA Server 2000
Dr. Thomas W Shinder
Table of Contents
A big issue for schools, colleges and universities is potential vicarious liability when students or others use the computers on their networks to launch attacks. Additionally, educational institutions deal with a large amount of confidential information and in many cases are mandated by privacy laws to ensure that such information is not released to unauthorized persons. It’s often essential to prevent employees or others on campus from sending this restricted information outside the campus network.
Thus, outbound access control is critical for campus networks. Traditional firewall administrators have considered the firewall to be more of a “one way” technology that blocks external intruders from attacking the campus network behind the firewall. However, now that 21st century attackers are now able to take advantage of campus network clients to launch attacks against hosts on other networks by using Internet worms and Trojans, and with an increasing need to keep sensitive internal data in, this has changed. To be effective, a firewall must now do double duty, controlling both incoming and outgoing information.
ISA Server 2000 allows you to control outbound access for all your campus network clients behind the ISA Server 2000 Firewall and Web Proxy server. Outbound access control allows you to specify which sites campus users can connect to and which protocols they can use to connect to the Internet. In addition, you can use the ISA Server 2000 outbound access control mechanisms to log user names for each Internet connection a campus user makes. This allows you to compile useful reports that include Internet usage on a per user basis.
Outbound access control is an effective method for preventing various exploits. For example, many Internet Trojans use the IRC protocol to allow attackers to transfer remote control applications on campus computers. ISA Server 2000 outbound access control can be used to control who has access to IRC and block IRC for all unapproved clients on the network.
In this ISA Server 2000 in Education document, we will discuss the following topics that deal with outbound access control:
There are three types of ISA Server 2000 client configurations that can be implemented on the campus networks behind an ISA Server 2000 Firewall and Web Proxy server. These client types are:
The SecureNAT client is any computer behind the ISA Server 2000 firewall and Web Proxy server that is configured with a default gateway that routes Internet-bound requests to the internal interface of the ISA Server 2000 machine. This machine can run any operating system that supports TCP/IP. If the SecureNAT client computer is located on the same network ID as the internal interface of the ISA Server 2000 machine, then the default gateway is the IP address of the internal interface of the ISA Server 2000 machine. If the SecureNAT client is located on a network ID remote from the internal interface, then the default gateway used by the SecureNAT client must be able to route Internet-bound requests to the internal interface of the ISA Server 2000 machine. SecureNAT clients cannot send credentials to the ISA Server 2000 machine and access control for SecureNAT clients is done via client address sets. The SecureNAT client can only access protocols listed in the Protocol Definitions node in the ISA Management console. Application filters are required for multi-connection protocols.
The Firewall client is any machine with the Firewall client software installed on it. The Firewall client software can only be installed on Windows-based computers. The Firewall client does not need to rely on the default gateway configuration of the Firewall client machine because requests made by the Firewall client are sent directly to the internal interface of the ISA Server 2000 computer. The Firewall client computer only needs to know the route to the internal interface of the ISA Server 2000 machine. The Firewall client can send user credentials to the ISA Server 2000 machine. In addition, the Firewall client can access all TCP and UDP protocols it is given permission to access.
The Web Proxy client is a machine with its Web browser configured to use the ISA Server 2000 machine as its Web Proxy. It can be running any operating system, so long as the browser is configured properly. The Web Proxy client configuration is used to access HTTP, HTTPS, FTP and Gopher download protocols. The Web Proxy client, like the Firewall client, is independent of the default gateway configuration on the machine because the requests made by Web Proxy clients are sent directly to the ISA Server 2000 machine’s internal interface. In addition, the Web Proxy client can send user credentials to the ISA Server 2000 Web Proxy service.
The ISA Server 2000 client types are not mutually exclusive. A single machine can be configured as all three ISA Server 2000 client types. However, a machine cannot act as both a SecureNAT and Firewall client for the same connection. The reason for this is that while the SecureNAT client configuration can be used to access TCP and UDP protocols, the Firewall client software will always intercept these requests and forward them directly to the Firewall service on the ISA Server 2000 firewall computer.
Protocol Rules can be used to specify which protocols can be used to connect to Internet resources by users behind the ISA Server 2000 firewall. Protocol Rule rules should be created to allow access to protocols required by specific users and groups. There must be a Protocol Rule that allows access before a user can access the Internet using a particular protocol.
You should never need to create a Protocol Rule that denies access. If you use the principle of least privilege, then users are given access only to protocols they require and none others. It may take some time to determine what the required protocols are, as users may not be aware of the protocols they use to get their routine work done. However, you will be able to prevent external intruders from using a number of Trojan-like mechanisms from attacking your network if you create Protocol Rules that allow access only to required protocols.
Protocol Rules apply to all ISA Server 2000 client types. For example, if a group is given access to the HTTP protocol, group members using the Web Proxy and Firewall client types will be able to connect via HTTP. If a client address set is given access to the HTTP protocol, then all three client types will be able to access the protocol (the SecureNAT client is not able to send credentials to the ISA Server 2000 firewall, so SecureNAT users must be given access via a client address set).
You will need to create a Global Group and a user account in order to perform the following exercise. In this exercise, we will give permission to use the HTTP and HTTPS (SSL) protocols to user2. This user is a member of the HTTP Protocol Access group. Create the HTTP Protocol Access group in the Active Directory Users and Computers console and then create the user2 user account. Place user2 in the HTTP Protocol Access group. In addition, you will need to install the Firewall client on the CLIENT2 computer. Please refer to the ISA Server 2000 in Education document Protecting Departmental/Student LAN segments with ISA Server 2000 for information on how to install the Firewall client.
Perform the following steps to create the restrictive Protocol Rule:
Click Apply and then click OK in the DNS Access Properties dialog box.
Now we can create the Protocol Rule that allows members of the HTTP Protocol Access group access to the HTTP and HTTPS (SSL) protocols:
1. Expand the Access Policy node in the left pane of the ISA Management console and right click on the Protocol Rules node. Point to New and click Rule.
2. On the Welcome to the New Protocol Rule Wizard page, enter a name for the Protocol Rule in the Protocol rule name text box. In this example, we will name the rule HTTP/HTTPS Access. Click Next.
3. On the Rule Actions page, select the Allow option and click Next.
4. On the Protocols page, select the Selected protocols option from the Apply this rule to drop down list. In the Protocols list, put checkmarks in the HTTP and HTTPS checkboxes. Put a checkmark in the Show only selected protocols checkbox. Click Next.
5. On the Schedule page, use the default entry, Always, and click Next.
6. On the Client Type page, select the Specific users and groups option and click Next.
7. On the Select Users or Groups page, click the Add button. Click the Object Types button and put a checkmark in the Groups checkbox. Click the Locations button and select the msfirewall.org location. In the Enter the object names to select text box, enter HTTP Protocol Access group and click the Check Names button to confirm that the group name was entered correctly. Click OK in the Select Users or Groups dialog box. Click Next on the Users and Groups page.
8. Click Finish on the Completing The New Protocol Rule Wizard page.
9. Go to the CLIENT1 machine and open Internet Explorer. Go to the www.microsoft.com Web site. The connection request is allowed.
10. Open a command prompt and at the command line, enter ftp ftp.microsoft.com and press ENTER. You will see the response Connection request refused.
ISA Server 2000 Site and Content Rules enable you to control what sites and content users on the internal network behind the ISA Server 2000 machine can access on the Internet. In the context of Site and Content Rules, the terms “sites” refers to a computer, identified by either fully qualified domain name or IP address. The term “content” refers to the types of files and resources that are accessed via the Web Proxy service. Although you can control access to all sites for all ISA Server 2000 clients, you can only control content access for clients that access the content via the Web Proxy service.
Web Proxy, SecureNAT and Firewall clients can all access Internet content via the Web Proxy service. The Web Proxy client connects to the Web Proxy service directly. The SecureNAT and Firewall clients connect to the Web Proxy service indirectly through the HTTP Redirector filter. If the HTTP Redirector filter is disabled, then Content Rules will not be applied to SecureNAT and Firewall clients.
In the following example, we will create a Site and Content Rule that blocks access to .zip files for members of the Block Zip Files group. In order to prepare for this exercise, create a group in the Active Directory Users and Computers console named Block ZIP Files. Then create a user named user2 and add this user to the group.
In addition, you will need to install the ISA Server 2000 hotfix noted in KB article FIX: Site and Content Rules do Not Filter Based on File Name Extensions at http://support.microsoft.com/default.aspx?scid=kb;en-us;813864. After installing the hotfix, you will need to configure the Registry according to the KB article.
Perform the following steps to create a rule to prevent members of the Block ZIP Files group from accessing zip files on the Internet:
Click OK in the New Content Group dialog box.
Now we are ready to create the Site and Content Rule that limits users in the Block Zip Files group from downloading zip files. Perform the following steps to create the Site and Content Rule:
1. In the ISA Management console, expand the Access Policy node and right click on the Site and Content Rules node. Point to New and click Rule.
2. On the Welcome to the New Site and Content Rule Wizard page, enter the name Block ZIP Downloaders in the Site and content rule name text box. Click Next.
3. On the Rule Action page, select the Deny option. You have the option to redirect users to a Web Page explaining why the request was blocked by selecting the If HTTP request, redirect request to this site option. We will not select this option in this example. Click Next.
4. On the Rule Configuration page, select the Custom option.
5. On the Destination Sets page, select the All Destinations page and click Next.
6. On the Schedule page, select the Always option and click Next.
7. On the Client Type page, select the Specific users and groups option and click Next.
8. On the Users and Groups page, click the Add button. In the Select Users or Groups dialog box, click the Object Types button and select the Groups option. Click the Locations button and change the location to the msfirewall.org location. In the Enter the object names to select text box enter Block ZIP Files and click OK. Click Next.
9. On the Content Groups page, select the Only the following content types option. In the Content type list, put a checkmark in the Zip Files checkbox. Click Next.
10. Review your settings on the Completing the New Site and Content Rule Wizard page and click Finish.
11. Log onto the CLIENT1 computer as user2. Visit the Microsoft ISA Server 2000 Feature Pack 1 page at http://www.microsoft.com/downloads/details.aspx?FamilyID=2f92b02c-ac49-44df-af6c-5be084b345f9&DisplayLang=en and try to download the docs.zip file. You will be presented with a dialog box asking for authentication. After failing authentication, client access to the zip file is denied.
12. You can avoid the authentication dialog boxes before the request is denied if you redirect the connection request to a Web page.
There are a number of tools that help make it easier for you to control access to Web sites. One of the primary issues with Web site access control is that it is not easy to import a large group of Web sites into a Destination Set. You can use tools located at Jim Harrison’s www.isatools.org Web site to import large number of sites contained in Squid and XML files into an ISA Server 2000 Destination Set.
We mention using packet filters to control access only as a reminder that you cannot use packet filters to control outbound access from the internal network to the Internet. Packet filters have a limited application when controlling access.
ISA Server 2000 uses packet filtering to control inbound and outbound access on the external interface of the ISA Server computer. The packet filtering mechanism is the ISA Server's first line of defense against inbound attacks. The packet filtering feature supplements the RRAS packet filtering and you should not run both on the same machine. If you have RRAS packet filtering enabled to control inbound access, then you should disable the filters that control inbound and outbound access through the external interface of the ISA Server 2000 machine. For example, these filters are created when you run the RRAS VPN Server Wizard. However, if you are using RRAS packet filters to control access between directly connected internal networks, then you may leave the RRAS packet filters in place.
To check whether packet filtering has been enabled, right click on the IP Packet Filters node in the left pane of the ISA Management console and click Properties. On the General tab, put a checkmark in the Enable packet filtering checkbox to activate packet filtering. Packet filtering is enabled by default when ISA Server 2000 is installed in Firewall or Integrated mode. Packet filtering is not available when the ISA Server 2000 machine is installed in Caching only mode.
You should enable packet filtering in the following situations:
· When the ISA Server is at the edge of the network
· When you configure a trihomed ISA Server
· When you need to run services and applications on the ISA Server itself
When you enable packet filtering, ISA Server 2000 denies inbound access to all ports on the external interface that do not have packet filter explicitly created to allow inbound and/or outbound access to the ISA Server 2000 machine. If you have packet filtering enabled and you have no packet filters, then there will be no inbound or outbound access unless you have created Protocol or Publishing rules.
Packet filtering should always be enabled when the ISA Server is at the edge of the network. When the ISA Server has an external interface with an untrusted network, you can ensure that no ports are open inadvertently by enabling packet filtering. By default, the only traffic that will be allowed when packet filtering is enabled is based on some ICMP filters required for basic network management, and the DNS filter which allows the ISA Server to make DNS queries on the behalf of ISA Server clients on the internal network and so that the ISA Server 2000 machine can perform reverse lookups for FQDNs.
You need to enable packet filtering and configure packet filters if you create a trihomed ISA Server with a DMZ segment. Traffic to and from the DMZ segment is controlled by the use of packet filters. If there is no filter allowing the traffic into or out of the DMZ, then the traffic will be blocked at the external interface of the ISA Server.
Services and Applications running on the ISA Server require packet filters. For example, if you want to run a mail client such as Outlook Express on the ISA Server itself, you must create a packet filter for outbound access to TCP Port 25 and TCP Port 110 at a minimum to allow access to external SMTP and POP3 servers. You can add other packet filters such as TCP 119 for NNTP or TCP 143 for IMAP access.
An exception to the packet filter requirement for client applications running on the ISA Server 2000 computer is the Web browser running on the ISA Server itself. In this case, you can configure the web browser to be a Web Proxy client.
Packet filters should not be used for the following purposes:
· To control inbound access to internal network services
· To control outbound access for ISA Server clients
You can configure access to servers on the internal network by using either Server Publishing or Web Publishing rules. These rules allow you to "publish" servers (make them available) to external network users. When you create the publishing rules, ISA Server will open inbound access to the ports required to connect to internal servers.
Outbound Access Control for ISA Server clients should be done with Protocol Rules and Site and Content Rules. However, only the Protocol Rules have influence on outbound protocol access, since Site and Content rules are focused only on site names.
When a Protocol Rule is created, ISA Server allows inbound and outbound access to the ports specified in the rule. You never need to create packet filters to support your Protocol Rules. If the Protocol Rule is not working, then you should check for other factors that may be causing this situation.
Something to keep in mind regarding Protocol Rules is that if you enable a rule that allows "All IP Traffic,” it will work differently depending on which type of client is accessing that rule. Firewall Client computers will have outbound access to all TCP/UDP ports, but SecureNAT clients only have access to the protocols that are specified in the Protocol Definitions that are configured on the ISA Server.
In this ISA Server 2000 in Education document, we discussed how you can use ISA Server 2000 to control outbound access to help make the campus network more secure. We began with a discussion on the different ISA Server 2000 client types. We then went over how to use Site and Content Rules and Protocol Rules to control outbound access on a user/group basis. Finally, we discussed the purpose of ISA Server 2000 packet filters and showed you how to use packet filters in an ISA Server 2000 environment.