This document and what comes with it are
provided as-is with a blunt warning: Use at your own risk,
buyer beware. You break your system; you own the resolution
as well. We have no liability for what you do, or can't
do, or fail to do with this information. Your entire protection
is to start over again with a protected backup, or from a
protected system. If you don't want to accept this idea,
please don't use this document.
Anyone with a basic understanding of ISA knows it can perform two primary tasks: act as a firewall and as a web cache. Since we rarely see questions about the web cache functions of ISA, or misconceptions and confusion regarding web caching, web caching will not be addressed in this paper. Instead, we are going to focus on ISA as a firewall.

To understand how ISA protects your network, we must first look at the different ways ISA protects your SBS network. ISA provides protection on two separate fronts, protecting against external and internal threats. The primary role of ISA as a firewall is to protect your SBS from external (internet) threats. For right now, forget about any clients on the network – our only concern is the SBS itself – one box with an internet connection.

So how does ISA protect this box? Simple: packet filters. Packet filters are rules that determine what traffic is allowed to enter or exit the server itself. For an ultimately secure server, we would not accept any packets from the internet or allow any packets to leave our server. However, if we didn’t want to allow any packets in or out, we wouldn’t need an internet connection at all, and wouldn’t need ISA. In reality, we may decide that we want to host our own email, so we have to accept email traffic from the internet, which requires a packet filter allowing inbound traffic on port 25.
The good news is that if you have a standard installation of SBS, the Internet Connection Wizard (ICW) creates all of the necessary packet filters for you, allowing email, VPN, and any other traffic you chose to reach your server from the internet. If you do not have third-party software installed on your SBS that requires internet access, you should not need to manually adjust the default packet filters created by the ICW. Any adjustments to these packet filters are best made by running the ICW.

However, on occasion, you may need to create your own packet filters for third-party software on the server that needs to access the internet, such as anti-virus software, or to configure your server to reach an internet time server. Creating packet filters is simple and straightforward, so long as you have four key pieces of information: the IP protocol (ICMP, TCP or UDP), the direction you want (Inbound / Outbound), and the local and remote ports. Luckily, this information for most software titles can be found online through simple searches at groups.google.com, or by contacting technical support for the software title that needs access.

When it comes to specifying the direction on your packet filter, allowing inbound traffic will result in your server accepting connections from the internet on the port you specify, and that port will show as open on a port scan. Allowing outbound access simply allows apps on your server to access the internet using the port you specify. A port listed in an outbound packet filter will not show as open on a port scan.

If you do encounter the situation where you have to create your own packet filters (or modify existing filters), remember that when the ICW is run, all existing packet filters are disabled. Therefore, you will need to go into ISA Management and re-enable any custom filters you had created.
I strongly suggest that SBS administrators download the SuperScan tool from Foundstone (www.foundstone.com/knowledge/proddesc/superscan.html) and use this tool to scan your external IP address. I should note that I have gotten false positives (reported open ports that are actually closed) when running SuperScan from inside the LAN, thus I would suggest running SuperScan from outside your network. SuperScan will list any open ports you may have, allowing you the opportunity to close any unnecessary open ports before a problem arises. And just how do you close an open port? By disabling the packet filter that is allowing inbound traffic on that port.

You may notice that a port scan is indicating that ports 80 and 443 are open, even though you cannot find any packet filters allowing traffic on those ports. To find out why these ports show as open and find out how to close them, check out "Why does GRC.com report that port 80 and 443 are open?"

In summary, if you want your server to accept incoming connections from the internet, you need to create an inbound packet filter. If you have an application on your server that needs to access the internet, you will need to create an outbound packet filter. For the most part, packet filters are that simple. If you have any questions on what a specific port is used for, check out www.eventid.net/searchprot.asp or www.iana.org/assignments/port-numbers.
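The scan-versus-filter check described above, as an added example that is not part of the original article: it records each packet filter with the four pieces of information the article lists, then compares the TCP ports an external scan reports open against the enabled inbound filters. The class, field and filter names and the scan results are constructed for illustration and are not an ISA export format.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class PacketFilter:
    name: str
    protocol: str          # "TCP", "UDP" or "ICMP"
    direction: str         # "Inbound" or "Outbound"
    local_port: int        # port on the server (0 = any)
    remote_port: int       # port on the internet host (0 = any)
    enabled: bool = True
    custom: bool = False   # created by hand rather than by the ICW

def expected_open_tcp_ports(filters):
    """Only enabled inbound filters make a port show as open on a scan;
    outbound filters never do."""
    return {f.local_port for f in filters
            if f.enabled and f.direction == "Inbound" and f.protocol == "TCP"}

def audit(filters, scanned_open):
    """Compare an external scan's open TCP ports with the filter list."""
    expected = expected_open_tcp_ports(filters)
    scanned = set(scanned_open)
    return {
        # Open with no enabled inbound filter: investigate and close.
        "unexpected_open": sorted(scanned - expected),
        # Filter allows it but the scan saw nothing listening.
        "filtered_but_closed": sorted(expected - scanned),
        # Custom filters left disabled, e.g. after the ICW was re-run.
        "custom_disabled": sorted(f.name for f in filters
                                  if f.custom and not f.enabled),
    }

# Constructed sample data: two ICW-style inbound filters, two custom
# outbound filters (one left disabled), and a constructed scan result.
FILTERS = [
    PacketFilter("SMTP", "TCP", "Inbound", 25, 0),
    PacketFilter("PPTP call", "TCP", "Inbound", 1723, 0),
    PacketFilter("AV updates (custom)", "TCP", "Outbound", 0, 80,
                 enabled=False, custom=True),
    PacketFilter("Time server (custom)", "UDP", "Outbound", 0, 123,
                 custom=True),
]
SCAN_OPEN_TCP = [25, 80, 443]

if __name__ == "__main__":
    for finding, items in audit(FILTERS, SCAN_OPEN_TCP).items():
        print(f"{finding}: {items}")
```

In the sample, ports 80 and 443 land in `unexpected_open`, which is the situation the article describes where a scan shows those ports open with no matching packet filter.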