Application-Layer Filtering in ISA Server 2004
White Paper
Published: June 2004
For the latest information, please see http://www.microsoft.com/isaserver/
Contents
Overview
How Application-Layer Filtering Works
Available Filters
  Filters that Debuted with ISA Server 2000
    DNS Intrusion-Detection Filter
    FTP Access Filter
    H.323 Protocol Filter
    POP Intrusion-Detection Filter
    RPC Filter
    SMTP Filter and Message Screener
    SOCKS V4 Filter
  Filters Added in Feature Pack 1
    Link Translation Filter
    SecurID Filter
  Filters New to ISA Server 2004
    HTTP Filter
    MMS Filter
    OWA Forms-Based Authentication Filter
    PNM Filter
    PPTP Filter
    RADIUS Authentication Filter
    RTSP Filter
    Web Proxy Filter
    ISA Server 2004 Web Proxy Compatibility with ISA Server 2000
Filter Extensibility
Conclusion
Overview
Over time, attackers have become more sophisticated in the techniques they use to intrude
into corporate networks. These intruders spend a large part of their time and effort seeking
ways to exploit weaknesses in the communication methods used by common services, such
as Web sites and e-mail. Attackers routinely send abnormal commands or data to these services in
an attempt to exploit both known and unknown weaknesses. A traditional packet-filtering firewall
decides only on addresses, ports, and connection state; it cannot assess the validity of such
commands because it does not parse the protocol that carries them.
Microsoft® Internet Security and Acceleration (ISA) Server 2004 has built-in mechanisms
called application-layer filters that are designed to detect and prevent this type of malicious
communication. Because of the increase in security threats since the release of ISA Server
2000, Microsoft has enhanced ISA Server 2004 with an even deeper understanding of the
most popular communications methods in use on the Internet today.
Technically, these services run at the application layer, the uppermost layer of the networking
stack, where Web servers, e-mail applications, streaming media, and similar services operate.
Filtering at this layer lets the firewall reject requests that are malformed or out of place for
the protocol in question, which blocks known attacks and also many attacks for which no specific
signature yet exists. By offering broad, enhanced protection at this level, ISA Server 2004 helps
you secure your network against both known and unknown vulnerabilities.
How Application-Layer Filtering Works
An application-layer-aware firewall recognizes abnormal commands and data and blocks them, so
the exploit attempt never reaches the target computer. Firewalls capable of application-layer
filtering, such as ISA Server 2004, can stop dangerous code at the edge of the network before
it can do any damage.
Attack prevention is not limited to these targeted attacks, however. Application-layer filtering
can also stop indiscriminate attacks from sources such as viruses and worms, which spread by
sending the same kinds of malformed requests.
In addition to providing built-in filters to detect and block many different types of attacks,
ISA Server 2004 also includes powerful and flexible interfaces that you can use to create your
own custom filters. Furthermore, ISA Server 2004 is highly extensible, enabling your in-house
programmers or third-party vendors to further develop much of its functionality, including its
filtering capabilities.
To fully protect your organization’s network, you need to address not only external threats, but
also internal security issues. ISA Server 2004 can protect you from internal security threats, as
well, preventing harmful actions that unaware employees often take. For example, you can
configure the filters in ISA Server 2004 to stop employees from downloading potentially
harmful programs from the Internet—or to ensure that critical customer data does not leave
the network in an e-mail.
Application-layer filtering can also be used to more broadly limit employee actions on the
network. In addition to blocking specific downloads and limiting e-mail exposure, ISA Server
2004 includes filtering capabilities that can restrict common types of inappropriate
communication on your network. For example, you can use application-layer filtering to block
peer-to-peer file exchange services, such as Kazaa and Grokster. These types of services not only
can consume substantial network resources, but also can raise legal liability concerns for your
organization. The advanced filtering capabilities in ISA Server 2004 can limit these and other
types of undesirable network communication.
Available Filters
This section provides an overview of the rich set of protective filters built into ISA Server 2004.
It begins with filters that debuted with ISA Server 2000. It then discusses the filters that were
added through ISA Server Feature Pack 1, a free set of additional features for ISA Server
2000. Finally, it describes the new filters introduced with ISA Server 2004. All filters introduced
in ISA Server 2000 or Feature Pack 1 are included in ISA Server 2004 "out of the box."
Filters that Debuted with ISA Server 2000
ISA Server 2000 included seven built-in filters. Some of these filters have newer versions that
were introduced in ISA Server Feature Pack 1 or ISA Server 2004; these enhancements are
noted below, in the discussion of the filter.
DNS Intrusion-Detection Filter
Intrusion-detection filters analyze all communications flowing through ISA Server and look for
behaviors that could indicate inappropriate access attempts. Including basic intrusion-detection
software as a core part of ISA Server provides considerable value. Because all traffic
moving between segregated networks (such as your company's private network and the
Internet) passes through the ISA Server firewall, the firewall is an ideal location at which to
perform screening. Not only can the ISA Server firewall detect, isolate, and terminate
malicious traffic before it reaches your private network, but using the ISA Server firewall for
this purpose can reduce the need to purchase and maintain additional specialized systems.
Note that the firewall sees only traffic that crosses it: attacks between hosts on the same
internal network never reach these filters.
(See also POP Intrusion-Detection Filter, below, for more information on detecting and
preventing intrusion attempts.)
The DNS intrusion-detection filter specifically seeks out malicious communication attempts
that relate to the Domain Name System (DNS), used by computers to identify and locate each
other on the network. Because of the important role that DNS services play, they are present
in at least minimal form on most networks, making them a popular target of attackers. The
DNS intrusion-detection filter in ISA Server is designed to terminate attempted DNS attacks
before they can harm your network.
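As an added illustration (not code from ISA Server or from this paper), the following Python example shows the kind of wire-format validation a DNS intrusion-detection filter performs before a query is allowed through. The paper does not say which checks ISA Server's filter implements; the checks here (the 63-octet label and 255-octet name limits from RFC 1035, compression pointers that must point backwards, and truncated headers or question sections) are my assumptions about what "abnormal" means, and the sample messages are constructed for the example.

```python
import struct

MAX_LABEL = 63   # RFC 1035: one label is at most 63 octets
MAX_NAME = 255   # RFC 1035: a whole name in wire form is at most 255 octets


def parse_name(msg, offset, depth=0):
    """Walk one wire-format name starting at msg[offset].

    Returns (labels, offset_after_name). Raises ValueError for anything a
    conforming resolver or server would never send: over-long labels or
    names, reserved label types, forward or self-referential compression
    pointers (loops), or a name that runs off the end of the message.
    """
    if depth > 8:
        raise ValueError("compression pointer chain too deep")
    labels, wire_len = [], 0
    while True:
        if offset >= len(msg):
            raise ValueError("name runs past end of message")
        length = msg[offset]
        if length & 0xC0 == 0xC0:                    # 11xxxxxx: pointer
            if offset + 2 > len(msg):
                raise ValueError("truncated compression pointer")
            target = ((length & 0x3F) << 8) | msg[offset + 1]
            if target >= offset:                     # must point backwards
                raise ValueError("compression pointer does not point backwards")
            tail, _ = parse_name(msg, target, depth + 1)
            return labels + tail, offset + 2
        if length > MAX_LABEL:                       # 01xxxxxx/10xxxxxx are reserved
            raise ValueError("label longer than 63 octets")
        if length == 0:                              # root label: end of name
            return labels, offset + 1
        wire_len += length + 1
        if wire_len + 1 > MAX_NAME:                  # +1 for the root octet
            raise ValueError("name longer than 255 octets")
        offset += 1
        label = msg[offset:offset + length]
        if len(label) != length:
            raise ValueError("truncated label")
        labels.append(label.decode("ascii", "replace"))
        offset += length


def inspect_query(msg):
    """Return ('allow', [qnames]) or ('block', reason) for one DNS message."""
    try:
        if len(msg) < 12:
            raise ValueError("shorter than a DNS header")
        _id, _flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
        offset, names = 12, []
        for _ in range(qdcount):
            labels, offset = parse_name(msg, offset)
            if offset + 4 > len(msg):
                raise ValueError("truncated question section")
            offset += 4                              # skip QTYPE and QCLASS
            names.append(".".join(labels))
        return "allow", names
    except ValueError as exc:
        return "block", str(exc)


def build_query(qname, qtype=1, txid=0x1234):
    """Encode a query (constructed sample input). Deliberately does NOT
    enforce the limits, so abnormal messages can be built for testing."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    name = b"".join(bytes([len(l)]) + l.encode() for l in qname.split("."))
    return header + name + b"\x00" + struct.pack("!HH", qtype, 1)


# Constructed samples: one normal lookup and three malformed messages.
NORMAL = build_query("www.example.com")
LONG_LABEL = build_query("a" * 64 + ".example.com")
LONG_NAME = build_query(".".join(["a" * 50] * 5))
POINTER_LOOP = struct.pack("!HHHHHH", 1, 0x0100, 1, 0, 0, 0) + b"\xc0\x0c"
```

A filter built this way blocks on structure rather than on a list of known exploits, which is why it also catches overflow attempts it has never seen: a name that cannot be legal under the protocol is dropped regardless of what payload follows it.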
FTP Access Filter
Securing the File Transfer Protocol (FTP) at the firewall can be a very complex process, because
each transfer uses a second data connection whose port is negotiated inside the control
connection (the PORT and PASV commands). The FTP access filter in ISA Server 2004, which
provides secure management of all FTP connections, is specially designed to ease your
administrative burden by handling that complexity itself. You can use ISA Server both to
provide client computers with secure access to FTP servers and to protect your company's FTP
servers from malicious attacks. Because ISA Server filters all incoming requests before they
reach your FTP servers, it adds a layer of inspection in front of these servers.
Internal and external FTP servers. Administrators within an organization typically do not
have control of distant FTP servers on the Internet. However, ISA Server enables you to place
limits on FTP access regardless of whether the servers are located inside or outside your
organization. Because ISA Server sits between the user requesting a file and the FTP
server—whether that server is on your network or located outside your network—it can limit or
block FTP access requests to external and internal servers with equal effectiveness.
Multiple access levels. You can use the FTP access filter to set several levels of access,
enabling it to:
Block all access to FTP servers
Allow read-only access to FTP information
Provide full read-and-write access to FTP information
The access level specified through ISA Server is independent of and in addition to any access
restrictions placed on the FTP server itself (which might be configured, for example, to block
access entirely).
Enhancements in ISA Server 2004. Network services such as FTP listen on assigned port
numbers. In most cases, administrators use the standard, well-known port for their FTP
services. However, it is sometimes advantageous to use a different, nonstandard port. New
functionality added in ISA Server 2004 provides filtering for FTP connections on nonstandard
ports, enabling your company to "hide" its FTP services behind nonstandard ports while still
permitting client systems to access these services. Bear in mind that a nonstandard port is
obscurity rather than protection against an attacker who scans for it; the gain is that the
filter's inspection and access levels still apply on that port.
H.323 Protocol Filter
H.323 is a signaling standard used by audio, video, and text conferencing applications. An
H.323 call involves several connections: call setup on TCP port 1720, a further control
channel, and separate dynamically numbered UDP streams for each audio and video direction,
which is why a firewall needs protocol knowledge to admit a call without opening wide port
ranges. One example of such an application is Microsoft NetMeeting® conferencing software,
which enables users to chat, share diagrams, communicate interactively with video and audio,
listen to audio presentations, or view video presentations.
You can use the H.323 protocol filter to selectively limit or allow communications that use the
H.323 protocol. For example, you can set it to allow or block:
Incoming connection attempts
Outgoing connection attempts
Audio
Video
Application sharing
POP Intrusion-Detection Filter
Post Office Protocol (POP) is a communications method that clients can use to download
e-mail from their e-mail server. The POP intrusion-detection filter in ISA Server 2000 is
designed to protect POP e-mail servers by screening requests that are directed to them. (For
an overview of the intrusion-detection concept, see DNS Intrusion-Detection Filter, above.)
The POP intrusion-detection filter specifically looks for a critical type of attack called a buffer
overflow, in which a command or its argument is made far longer than the server expects in
order to overwrite adjacent memory. Attackers often use buffer overflows to cause a system to
malfunction and become unavailable, or to trick it into running the attacker's code with the
server's (often administrative-level) privileges. When the POP intrusion-detection filter sees an
overlong POP command, it terminates the connection, so the malformed command never
reaches the server.
RPC Filter
Many enterprise-class network applications—such as e-mail servers—use the Remote
Procedure Call (RPC) communications mechanism to exchange information. For example,
communications between Microsoft Exchange Server and the Microsoft Outlook® messaging
and collaboration client typically use this protocol.
Initial capabilities in ISA Server 2000. When using the RPC filter in ISA Server 2000,
administrators initially had to choose between opening the firewall to all RPC communication
or to none. While the ability to control RPC communications was beneficial, having to allow all
RPC communications when only some were needed created security risks for the network.
Such an approach enabled attackers to use a wide variety of RPC attacks, possibly exploiting
security weaknesses in critical enterprise-level applications on the organization’s private network.
Enhancements in ISA Server Feature Pack 1. ISA Server Feature Pack 1 extended the
administrative interface to allow granular control of RPC services. In other words, instead of
having to open up all RPC communications, you could allow communication only for certain
RPC interfaces, such as those used by Exchange Server. In addition, the update enables you to
require that Outlook connections to Exchange Server use RPC encryption: sessions that do not
negotiate encryption are refused by the firewall rather than passed through.
SMTP Filter and Message Screener
SMTP is a primary method of e-mail transfer. In today’s environment, with a daily onslaught of
spam clogging companies’ Internet links and mail servers, SMTP filtering should be a
mandatory requirement. The SMTP filter in ISA Server provides this capability, performing
deep content inspection of SMTP e-mail messages moving through the firewall.
Two powerful screening features. ISA Server includes two powerful features to prevent
attackers from harming your e-mail servers. First, the SMTP filter uses content inspection to
examine SMTP commands and ensure that they are not harmful to your e-mail server.
Second, the Message Screener component can block spam by evaluating the following
characteristics of both incoming and outgoing e-mail:
Where it is going (destination)
Where it is coming from (source)
Whether it contains any administrator-defined keywords or character strings in the subject or
body
The name, file type, and size of any attachments
If the above characteristics match a pattern that has been identified by the ISA Server SMTP
filter as spam, you can configure ISA Server to immediately delete the message, to forward it
to an e-mail security administrator for further action, or to hold it in a special folder. You can
also configure the Message Screener to block mail containing attachments that are known to
contain viruses or other malicious software.
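The rule set described above, as an added example in Python (not the Message Screener's own code, which this paper does not show): each rule checks one of the criteria listed, source, destination, keywords in the subject or body, or attachment name, type and size, and carries the action to take on a hit (delete, forward to the mail security administrator, or hold in a quarantine folder). The rules, patterns, addresses, and sample messages are all constructed for the example; the attachment checks match names and declared types and are not a substitute for antivirus scanning.

```python
import re
from email import message_from_bytes
from email.policy import default

# Constructed rule set; the first matching rule decides the action.
RULES = [
    {"name": "blocked-sender", "kind": "sender",
     "match": r"@spammer\.example$", "action": "delete"},
    {"name": "blocked-recipient", "kind": "recipient",
     "match": r"@competitor\.example$", "action": "hold"},
    {"name": "spam-keyword", "kind": "text",
     "match": r"\b(free money|v[i1]agra)\b", "action": "delete"},
    # Outbound leak check: a US social-security-number shape in the text.
    {"name": "customer-data-leak", "kind": "text",
     "match": r"\b\d{3}-\d{2}-\d{4}\b", "action": "hold"},
    {"name": "executable-attachment", "kind": "attachment_name",
     "match": r"\.(exe|scr|pif|bat|cmd|vbs|js)$", "action": "forward"},
    {"name": "executable-type", "kind": "attachment_type",
     "types": {"application/x-msdownload", "application/x-msdos-program"},
     "action": "forward"},
    {"name": "oversize-attachment", "kind": "attachment_size",
     "limit": 1_000_000, "action": "hold"},
]


def screen(raw, rules=RULES):
    """Return (action, rule_name) for one message given as raw RFC 5322 bytes.

    'deliver' with rule_name None means no rule matched.
    """
    msg = message_from_bytes(raw, policy=default)
    sender = str(msg.get("From", ""))
    recipients = ", ".join(str(h) for h in msg.get_all("To", []) + msg.get_all("Cc", []))
    body_part = msg.get_body(preferencelist=("plain", "html"))
    text = str(msg.get("Subject", "")) + "\n" + (body_part.get_content() if body_part else "")
    attachments = list(msg.iter_attachments())
    for rule in rules:
        kind, hit = rule["kind"], False
        if kind == "sender":
            hit = re.search(rule["match"], sender, re.I) is not None
        elif kind == "recipient":
            hit = re.search(rule["match"], recipients, re.I) is not None
        elif kind == "text":
            hit = re.search(rule["match"], text, re.I) is not None
        elif kind == "attachment_name":
            hit = any(re.search(rule["match"], a.get_filename() or "", re.I)
                      for a in attachments)
        elif kind == "attachment_type":
            hit = any(a.get_content_type() in rule["types"] for a in attachments)
        elif kind == "attachment_size":
            hit = any(len(a.get_payload(decode=True) or b"") > rule["limit"]
                      for a in attachments)
        if hit:
            return rule["action"], rule["name"]
    return "deliver", None


# Constructed sample messages.
SPAM = (b"From: deals@spammer.example\r\nTo: alice@contoso.com\r\n"
        b"Subject: hello\r\n\r\nHi there\r\n")
MALWARE = (b"From: bob@example.net\r\nTo: alice@contoso.com\r\nSubject: invoice\r\n"
           b"MIME-Version: 1.0\r\nContent-Type: multipart/mixed; boundary=\"b1\"\r\n\r\n"
           b"--b1\r\nContent-Type: text/plain\r\n\r\nsee attached\r\n"
           b"--b1\r\nContent-Type: application/octet-stream; name=\"invoice.pdf.exe\"\r\n"
           b"Content-Disposition: attachment; filename=\"invoice.pdf.exe\"\r\n"
           b"Content-Transfer-Encoding: base64\r\n\r\nTVqQAAMAAAAEAAAA\r\n--b1--\r\n")
LEAK = (b"From: carol@contoso.com\r\nTo: someone@example.org\r\n"
        b"Subject: customer records\r\n\r\nSSN 123-45-6789, please process.\r\n")
CLEAN = (b"From: bob@example.net\r\nTo: alice@contoso.com\r\n"
         b"Subject: lunch\r\n\r\nNoon?\r\n")
```

Rule order matters: a message from a blocked sender is deleted even if it also carries a dangerous attachment, so put the rules whose action you most want taken first. Attachments inside archives are not opened here, and a screener at the firewall sees only mail that actually crosses it.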
Enhancements in ISA Server 2004. ISA Server 2004 enhances SMTP filtering and screening
capabilities to increase the security of your e-mail servers. For example, a simple wizard-driven
configuration process enables you to easily secure Outlook Web Access servers. Other
enhanced wizards further simplify the process of protecting your organization's e-mail server
and other servers.
A key goal in the design of ISA Server 2004 was to provide added security for Microsoft
Exchange Server. Exchange Server 2003 and Outlook 2003 introduced RPC over HTTP, which lets
clients connect to the mail server across the Internet over an HTTPS connection, without a
VPN. Before this, the only option was native RPC, which first contacts the endpoint mapper and
then needs a dynamically assigned secondary port opened for each connection; traditional
firewalls that do not understand the protocol either block Outlook entirely or have to leave a
wide port range open. For native RPC, ISA Server goes beyond looking at individual packets:
its RPC filter parses the endpoint mapper exchange, allows only the RPC interfaces that the
publishing rule lists (such as the Exchange Server interfaces), and then dynamically opens the
negotiated secondary port only for that client and server, closing it as soon as the session
ends. The filter can also be configured to require RPC encryption, refusing Outlook sessions
that do not negotiate it, which provides a layer of defense against hijacking and spoofing of
the mail session. RPC over HTTP, by contrast, is published through a Web publishing rule and
inspected by the HTTP filter.
SOCKS V4 Filter
SOCKS is a protocol that enables hosts on one side of a SOCKS server to gain access to
hosts on the other side of the server, without requiring direct IP accessibility. The SOCKS
network communication method can support almost any client platform, including Microsoft
Windows®, Unix/Linux, Macintosh, and even nonstandard devices. It is most commonly used
on non-Windows machines in a mixed computing environment.
With the SOCKS network communication method, when an application client needs to connect
to an application server, the client connects to a SOCKS proxy server. The proxy server then
connects to the application server on behalf of the client and relays data between the client
and the application server. For the application server, the proxy server is the client.
ISA Server 2004 supports SOCKS version 4-compliant communication. If your client
application supports SOCKS-based communications, you can configure ISA Server to allow or
block SOCKS communications. When enabled, the filter accepts SOCKS requests on its listener
and creates the outbound connection (or, for a BIND request, the inbound listener) on the
client's behalf, subject to your access rules.
Note: For security purposes, it is best to disable this filter if your network is a homogenous
Microsoft environment, because the SOCKS protocol is not needed in these environments.
SOCKS version 4 carries only a user identifier string and no credential, so the filter cannot
authenticate the client; where it is needed, restrict the listener to the networks that use it.
Filters Added in Feature Pack 1
The following two filters were first released with ISA Server Feature Pack 1.
Link Translation Filter
The addresses used to access Web content inside your organization’s network may not be
accessible from outside your network. For example, external users need addresses formatted
as standard URLs (such as http://www.mydomain.com), while internal addresses may be
based on NetBIOS names, such as http://myserver. This difference in address formats usually
isn’t an issue for an organization’s primary Web servers because content on those servers is
typically designed and addressed for both internal and external access. However, not all of
your Web content may be hosted on your primary Web servers.
Your organization might use other Web servers, such as internal intranet Web servers, to
make additional content available outside the organization. Because these servers are
primarily designed for access by internal employees, they often use an addressing scheme
that makes the content difficult or impossible to access from outside the internal network. In
such a case, when an external user clicks on a link, he or she might see a page announcing
that the content is not available. In fact, the content is available, but the address the link used
was not valid from outside the organization’s network.
Accessibility is not the only problem. Revealing internal server names to external users (who
can infer these names from the links) can also present a security risk.
Although you could change all your addresses to be accessible from outside as well as inside
the organization, this is an expensive and time-consuming process. It might even result in a
need to maintain two sets of the same content: one set addressed for internal employees (for
example, http://contoso_websrv3) and one for employees outside the private network (for
example, http://www.contoso.com).
With ISA Server 2004, there is an easier way. When you use ISA Server to screen traffic
between the public Internet and your internal networks, the link translation filter enables you to
map internal addresses (http://contoso_websrv3) to addresses that can be used externally
(http://www.contoso.com).
When you enable link translation, the original content on the intranet Web server remains
unchanged. When ISA Server detects a request from an external address, it retrieves the
requested content from the intranet Web server, inspects it for internal addresses, replaces
the addresses with valid externally accessible ones, and returns the content to the external
computer that requested it. This approach ensures that all requests for content from outside
your organization are sent to externally valid addresses, even if the links on your company’s
intranet pages point to internal addresses.
The link translation filter can scan Web pages for links to a wide range of content, replacing
links to all types of documents: audio, video, images, and much more. Its ability to replace
internal addresses in requested Web page content with the appropriate externally resolvable
addresses before returning the content to the requestor solves address-related accessibility
problems without exposing internal server names to external users.
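As an added example (not the link translation filter's own code, which this paper does not show), the Python below rewrites the paper's http://contoso_websrv3 form to http://www.contoso.com in an HTML response. It goes slightly beyond the text in two ways a practitioner would want: it also rewrites the Location, Content-Location and Refresh headers, because a redirect to an internal name is the commonest way a published intranet site leaks its server name, and it recomputes Content-Length, since the rewritten body has a different size. The FQDN form of the server name and the sample responses are assumptions constructed for the example.

```python
import re

# Hypothetical mapping of internal names to the public name, following the
# paper's example; the FQDN entry is an added assumption.
TRANSLATIONS = {
    b"http://contoso_websrv3.corp.contoso.local": b"http://www.contoso.com",
    b"http://contoso_websrv3": b"http://www.contoso.com",
}


def translate_text(data, mapping=TRANSLATIONS):
    """Rewrite every internal URL prefix in data to its external form.

    Longest internal name first, plus a lookahead that forbids a following
    hostname character, so "http://contoso_websrv3" never clobbers the
    first half of "http://contoso_websrv3.corp.contoso.local".
    """
    for internal in sorted(mapping, key=len, reverse=True):
        pattern = re.escape(internal) + rb"(?![\w.-])"
        data = re.sub(pattern, mapping[internal], data, flags=re.IGNORECASE)
    return data


def translate_response(raw, mapping=TRANSLATIONS):
    """Apply link translation to one complete HTTP/1.x response (bytes)."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("response has no end of headers")
    status, *header_lines = head.split(b"\r\n")
    out, is_html = [], False
    for line in header_lines:
        name, _, value = line.partition(b":")
        key, value = name.strip().lower(), value.strip()
        if key == b"content-type" and value.lower().startswith(b"text/html"):
            is_html = True
        if key == b"content-encoding" and value.lower() != b"identity":
            # A gzip'd body would have to be decompressed before rewriting.
            raise ValueError("compressed body must be decoded before translation")
        if key in (b"location", b"content-location", b"refresh"):
            value = translate_text(value, mapping)
        if key == b"content-length":
            continue                      # recomputed below
        out.append(name.strip() + b": " + value)
    if is_html:                           # leave images, archives etc. untouched
        body = translate_text(body, mapping)
    out.append(b"Content-Length: " + str(len(body)).encode())
    return status + b"\r\n" + b"\r\n".join(out) + b"\r\n\r\n" + body


# Constructed samples: an intranet page with links in both internal forms,
# and a redirect whose Location header names the internal server.
INTRANET_PAGE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html; charset=utf-8\r\n"
    b"Content-Length: 128\r\n"
    b"\r\n"
    b'<a href="http://contoso_websrv3/hr/benefits.htm">Benefits</a>\n'
    b'<img src="http://CONTOSO_WEBSRV3.corp.contoso.local/img/logo.gif">\n'
)
REDIRECT = (b"HTTP/1.1 302 Found\r\nLocation: http://contoso_websrv3/hr/\r\n"
            b"Content-Length: 0\r\n\r\n")
```

Translation of this kind only catches names that appear verbatim in the response; URLs assembled by client-side script, or internal names inside cookie domains, still need the source content fixed.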
SecurID Filter
The standard Windows logon process assumes that anyone who has a valid username and
password is a valid user and grants access accordingly. SecurID, a product from RSA Security
Inc., enhances the security of the user logon process by requiring users to provide a second
means of proving their identities. Typically this involves a hardware- or software-based
authenticator device that generates a unique code every 60 seconds. With this two-factor
authentication process, the user must not only have a valid username and password, but must
also possess the authenticator device to be able to log onto the network. Without the correct
code for the SecurID system, logon is not possible.
The SecurID filter in ISA Server 2004 enables you to use this two-factor authentication
mechanism to protect Outlook Web Access servers and other Web servers. In this way, it
significantly increases logon security.
Filters New to ISA Server 2004
ISA Server 2004 includes eight new filters, representing significant enhancements in protecting key network services and communication protocols. Some of the filters secure new
capabilities introduced in ISA Server 2004, such as support for RADIUS authentication.
HTTP Filter
HTTP is the core information-transfer technology for Web-based content. The HTTP filter in
ISA Server 2004 enables it to comprehensively inspect all vital aspects of HTTP
communications. You can use this filter to inspect requests for information from both internal
and external Web servers and block requests for specific file names, file types, or Web pages
that contain particular words or character strings. You can also use the HTTP filter to block
dynamic responses to Web pages (such as online forms that can be used to send sensitive
organization information).
With the HTTP filter, you can perform deeper Web content inspection and specify exactly what
information (called a “signature”) the firewall should look for and block, based on:
The requested Web site
Information contained in any portion of the user’s request
Information contained in any portion of the Web server’s response
For example, suppose your organization wants to block all Web pages that contain the word
Hacker. You can create a signature that detects this word and blocks it, ensuring that users
affected by the rule will never receive a Web page containing this term. For added flexibility,
you can configure these rules on a per-user or per-group basis, blocking the content only for
specified users rather than for all users.
HTTP filtering can also protect your Web servers by detecting and blocking potentially harmful,
abnormal information contained in a Web request or response, stopping hackers before they
are able to communicate with your Web server. For example, Internet intruders often depend
on uploading tools to a Web site they wish to attack—or using tools already located on the
Web server. HTTP application-layer filtering can be configured to block attackers from issuing
commands to run these tools.
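The checks described in this section, as an added Python example (not the HTTP filter's own code, which the paper does not show): a policy in the shape of the filter's settings (allowed methods, a request size limit, blocked file extensions, and signatures matched against the request URL, a request header, or the response body), applied to both directions of a connection. The "word Hacker" signature comes from the paper's own example; the other rules, the double-encoding check, and the sample requests are assumptions constructed for this example.

```python
import re
from urllib.parse import unquote, urlsplit

# Hypothetical policy; every value here is constructed for the example.
POLICY = {
    "allowed_methods": {"GET", "HEAD", "POST"},
    "max_request_bytes": 4096,
    "blocked_extensions": {".exe", ".dll", ".bat", ".cmd", ".scr"},
    "signatures": [
        {"name": "cmd-exe-in-url", "side": "request", "part": "url",
         "pattern": rb"cmd\.exe"},
        {"name": "kazaa-client", "side": "request", "part": "header",
         "header": "user-agent", "pattern": rb"kazaa"},
        {"name": "hacker-page", "side": "response", "part": "body",
         "pattern": rb"\bhacker\b"},
    ],
}


def parse_http(raw):
    """Split an HTTP/1.x message into (start_line, headers, body).

    Header names become lower-case str keys, values stay bytes. Folded
    headers are rejected rather than guessed at.
    """
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no end of headers")
    lines = head.split(b"\r\n")
    headers = {}
    for line in lines[1:]:
        if line[:1] in (b" ", b"\t"):
            raise ValueError("folded header")
        name, colon, value = line.partition(b":")
        if not colon or not name.strip():
            raise ValueError("malformed header line")
        headers[name.strip().lower().decode("latin-1")] = value.strip()
    return lines[0], headers, body


def find_signature(side, url, headers, body, policy):
    """Name of the first signature for this side that matches, else None."""
    for sig in policy["signatures"]:
        if sig["side"] != side:
            continue
        if sig["part"] == "url":
            haystack = url
        elif sig["part"] == "body":
            haystack = body
        else:
            haystack = headers.get(sig["header"], b"")
        if re.search(sig["pattern"], haystack, re.IGNORECASE):
            return sig["name"]
    return None


def inspect_request(raw, policy=POLICY):
    """Return ('allow', None) or ('block', reason) for one client request."""
    if len(raw) > policy["max_request_bytes"]:
        return "block", "request exceeds size limit"
    try:
        start, headers, body = parse_http(raw)
        method, target, version = start.split(b" ")
    except ValueError:
        return "block", "malformed request"
    if not version.startswith(b"HTTP/1."):
        return "block", "unsupported HTTP version"
    method = method.decode("latin-1")
    if method not in policy["allowed_methods"]:
        return "block", f"method {method} not allowed"
    # Decode %xx once; if a second decode still changes the URL, the request
    # was double-encoded, the classic way to slip "..\" past a filter.
    url = unquote(target.decode("latin-1"), encoding="latin-1")
    if unquote(url, encoding="latin-1") != url:
        return "block", "URL still encoded after normalization"
    name = urlsplit(url).path.rsplit("/", 1)[-1]
    ext = ("." + name.rsplit(".", 1)[1].lower()) if "." in name else ""
    if ext in policy["blocked_extensions"]:
        return "block", f"extension {ext} not allowed"
    hit = find_signature("request", url.encode("latin-1"), headers, body, policy)
    return ("block", f"signature {hit}") if hit else ("allow", None)


def inspect_response(raw, policy=POLICY):
    """Same idea in the other direction: signatures over the server's reply."""
    try:
        _status, headers, body = parse_http(raw)
    except ValueError:
        return "block", "malformed response"
    hit = find_signature("response", b"", headers, body, policy)
    return ("block", f"signature {hit}") if hit else ("allow", None)


# Constructed sample traffic.
GOOD = (b"GET /index.html HTTP/1.1\r\nHost: www.contoso.com\r\n"
        b"User-Agent: Mozilla/5.0\r\n\r\n")
TRAVERSAL = (b"GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.1\r\n"
             b"Host: www.contoso.com\r\n\r\n")
CMD = b"GET /search.asp?run=cmd.exe+/c+dir HTTP/1.1\r\nHost: www.contoso.com\r\n\r\n"
P2P = b"GET /search HTTP/1.1\r\nHost: example.net\r\nUser-Agent: KazaaClient/2.0\r\n\r\n"
DELETE = b"DELETE /index.html HTTP/1.1\r\nHost: www.contoso.com\r\n\r\n"
DOWNLOAD = b"GET /tools/nc.exe HTTP/1.1\r\nHost: www.contoso.com\r\n\r\n"
PAGE = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<h1>Be a Hacker</h1>"
```

The order of the checks is deliberate: size and syntax first, then method, then normalization, and only then pattern matching, so that signatures always run against a decoded URL rather than whatever encoding the attacker chose.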
MMS Filter
The Microsoft Media Server (MMS) protocol is the primary streaming-media technology used
by Microsoft products. MMS is a sophisticated protocol, and ISA Server 2004 includes an
MMS filter to simplify the process of working with it: the client opens a control connection on
TCP port 1755, and the server may then stream the data over UDP to a port the client
announces on that control connection, so a firewall must read the control channel to know
which UDP flow to admit. The MMS filter can handle both incoming and outgoing MMS
connections: it can protect internal clients using applications such as Windows Media Player to
access external streaming media content, and it can also protect MMS streaming media
servers, enabling them to be hosted securely from your organization's internal network.
OWA Forms-Based Authentication Filter
Outlook Web Access (OWA) is a Web-based client for e-mail, calendaring, and other
capabilities found in Microsoft Outlook. Because of the sensitive nature of the information
provided by this application, it is important to secure it from attack. With the OWA forms-based
authentication (FBA) filter, you can use ISA Server 2004 to screen all communications
destined for your organization's OWA site.
Forms-based authentication, supported by Exchange Server 2003, provides a number of
security benefits. It expires sessions that are inactive for a specified period of time, requiring
users to reauthenticate themselves. Because credentials are submitted once in a form rather
than resent by the browser with every request, as they are with Basic authentication, the
browser does not cache them, which also removes the exposure created when a user closes the
browser without logging off. It also requires clients to use an SSL connection for greater security.
The OWA FBA filter enables ISA Server 2004 to receive authentication requests from users
attempting to log onto an OWA server. Rather than allowing users to contact the OWA server
directly, the ISA Server acts as an intermediary, preventing malicious authentication attacks or
unauthorized connection attempts from reaching the OWA server.
PNM Filter
The Progressive Networks Metafile (PNM) filter provides protection for media streams sent or
received using products from RealNetworks. This popular provider of streaming media
technology offers such products as the RealOne Player and RealPlayer application suites.
ISA Server 2004 enables you to manage incoming and outgoing PNM connections. It provides
protection both for internal users accessing external streaming content through RealNetworks
client applications and for RealNetworks streaming media servers that your organization hosts.
PPTP Filter
Point-to-Point Tunneling Protocol (PPTP) is a virtual private networking (VPN) technology that
encrypts information as it is exchanged between two computers. PPTP is one of the most
common VPN technologies, and PPTP client software is available in every current Windows
operating system. PPTP is awkward for a firewall to handle because it uses two flows: a TCP
control connection on port 1723 and a GRE tunnel (IP protocol 47) carrying the encrypted
data, with the GRE call identifiers negotiated over the control connection. The PPTP filter
included with ISA Server 2004 tracks the control connection and admits the matching GRE
flow only for that tunnel, which greatly simplifies managing this type of communication. Note
that the filter controls which hosts may establish tunnels; the strength of the tunnel itself still
depends on the authentication and encryption negotiated inside it (MS-CHAP v2 and MPPE).
With ISA Server 2004, you can easily place a PPTP server behind the ISA Server firewall on
your internal network and use the PPTP filter to secure both incoming and outgoing PPTP
communications. The PPTP filter enables a computer on the internal side of the ISA Server
2004 firewall to establish a secure PPTP connection with a computer on the external side. If
the internal side of your ISA Server 2004 firewall is connected to your private network and the
external side is connected to the Internet, the PPTP filter can protect VPN communications
between internal clients and PPTP servers on the Internet.
The PPTP Filter also enables you to protect PPTP connections made from the external side of
an ISA Server 2004 firewall to PPTP servers on your internal network, so you can secure
PPTP servers made available to users through the Internet. This extra level of security is
critical because VPN servers are often a priority for attackers.
NOTE: Another way in which ISA Server 2004 improves VPN security is through its
support of pure IPSec tunneling for site-to-site VPN connections (for example, between a
branch office using ISA Server and a headquarters office using a Cisco firewall that
implements site-to-site VPN connections through IPSec tunnels). ISA Server 2004
provides a high degree of interoperability with third-party firewalls and VPN products,
making it useful in a wide variety of VPN environments.
RADIUS Authentication Filter
The RADIUS authentication filter expands the authentication methods available to you. You
can set up ISA Server 2004 as a standalone system that is not a member of the domain, and
still have it use your domain user accounts as the basis for granting or denying access, by
forwarding the credentials to a RADIUS server (for example, a Windows server running
Internet Authentication Service) inside the network. This approach greatly increases security
when ISA Server is on the perimeter of your organization's network: a compromised firewall
then holds no domain membership or domain credentials of its own. Protect the link between
ISA Server and the RADIUS server (for example, with IPSec), because RADIUS itself only
obfuscates the password attribute with the shared secret.
The RADIUS authentication filter also enables ISA Server 2004 to support non-Windows-based
user authentication. Using RADIUS technology, the ISA Server 2004 firewall can authenticate
both Windows and non-Windows clients based on user accounts from a UNIX or other
non-Windows system. With this capability, you can use ISA Server 2004 in mixed environments, in
which some users log on with Windows-based authentication and others do not. The RADIUS
authentication filter enables all users to log on with their standard usernames and passwords,
regardless of whether or not they have Windows-based user accounts.
RTSP Filter
Real Time Streaming Protocol (RTSP) is a control protocol for streaming media used by several
vendors, including Apple Computer, Inc. in its QuickTime technology. RTSP itself carries only
commands such as SETUP and PLAY; the media travels over RTP on ports negotiated in the
SETUP exchange, which the filter reads so that it can admit only those flows. You can configure
the RTSP filter to allow or restrict incoming and outgoing RTSP connections. The RTSP filter
provides protection both for internal users who are accessing external streaming content
through RTSP-enabled client applications and for RTSP streaming media servers hosted
from your organization's internal network.
Web Proxy Filter
The Web proxy filter enables all ISA Server 2004 clients to improve Internet access speeds by
taking advantage of the Web proxy cache. When Web proxy, firewall, and SecureNAT clients
connect to Internet Web resources through the ISA Server 2004 firewall, the Web proxy filter
intercepts all outgoing communications to TCP port 80 and compares the requests with the
cached Web content. If the content is available in cache, the firewall returns the requested
information from the Web proxy cache; if not, the firewall retrieves the content from the
Internet Web server, places the content in the Web proxy cache, and then returns the content
to the ISA Server 2004 client. The Web proxy filter is configurable, so you can turn it off on a
granular basis for specific access rules.
Because ISA Server 2004 has undergone significant architectural changes, distinctions
between using it as a Web proxy server or a firewall are no longer relevant: you can install
ISA Server 2004 as a Web proxy server, a firewall, or both. The Web proxy portion of the
product is now integrated into the core of ISA Server 2004, so you no longer have to select it
during installation.
As part of this change, the Web proxy filter has replaced key portions of the ISA Server 2000
Web proxy service: that service is now a filter that connects directly into the firewall service.
This tight integration means that you no longer need to configure firewall clients to also be
Web Proxy clients for situations requiring authenticated Web connections. Instead, the firewall
service transparently accepts user credentials from the firewall client computer and uses them
for connections that it hands off to the Web proxy filter. The end result is a seamless, secure,
and authenticated connection to Web content without additional client-configuration overhead.
ISA Server 2004 Web Proxy Compatibility with ISA Server 2000
Organizations with an existing investment in ISA Server 2000 can also benefit by introducing
new ISA Server 2004 firewalls into their network security infrastructure. The Web proxy
service in ISA Server 2000 is completely compatible with the ISA Server 2004 Web proxy filter,
enabling clients using an ISA Server 2000 firewall as a Web proxy server to use the ISA
Server 2004 firewall for the same purpose.
For example, suppose your organization has an ISA Server 2000 machine acting as a Web
proxy server for 5,000 corporate clients at the main office. You now want to install ISA Server
2004 firewalls in your branch offices in order to take advantage of the ISA Server Web proxy
chaining feature, which will speed up Internet access for both the main and branch offices.
Because the Web proxy filter in ISA Server 2004 works seamlessly with the Web proxy
service in the ISA Server 2000 firewall at the main office, you can configure the branch office
Web proxy machines to communicate with the Web proxy server in the main office. As a
result, the branch offices can now benefit from the enhanced Internet security features
provided by the ISA Server 2004 firewall while at the same time easily connecting to the ISA
Server 2000 Web proxy server at the main office.
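The Web proxy filter's decision path (intercept outgoing TCP port 80, serve from cache or fetch and cache, and honour the per-rule off switch) and the branch-to-main-office Web proxy chaining described above, modelled as an added illustration that is not code from the white paper or from ISA Server; the class and function names are hypothetical and the origin-server content is constructed.

```python
# Added illustration (not ISA Server code): a simplified model of the Web proxy
# filter's cache lookup and of Web proxy chaining. All names are hypothetical.
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class AccessRule:
    name: str
    web_proxy_filter_enabled: bool = True   # the per-rule on/off switch


@dataclass
class WebProxy:
    """A firewall running the Web proxy filter; 'upstream' models chaining."""
    name: str
    origin_fetches: int = 0
    cache: dict = field(default_factory=dict)
    upstream: Optional["WebProxy"] = None
    # Constructed stand-in for Internet Web servers (url -> body).
    origin: dict = field(default_factory=dict)

    def fetch(self, url: str):
        """Serve from cache; on a miss, ask the upstream proxy or the origin,
        then store the content locally before returning it to the client."""
        if url in self.cache:
            return self.cache[url], f"{self.name}:cache"
        if self.upstream is not None:          # chaining: branch -> main office
            body, source = self.upstream.fetch(url)
        else:                                  # main office talks to the Internet
            self.origin_fetches += 1
            body, source = self.origin[url], f"{self.name}:origin"
        self.cache[url] = body
        return body, source


def handle_connection(proxy: WebProxy, rule: AccessRule, dst_port: int, url: str):
    """The filter only intercepts outgoing TCP/80 traffic, and only when the
    matching access rule leaves the Web proxy filter enabled."""
    if dst_port != 80 or not rule.web_proxy_filter_enabled:
        return None, "passthrough"
    return proxy.fetch(url)
```

With a main-office proxy and two branch proxies chained to it, the first request reaches the origin once; later requests for the same URL are answered from the branch cache or from the main-office cache.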
Filter Extensibility
Security policies and implementations vary from organization to organization. ISA Server is
highly extensible and includes a comprehensive software development kit (SDK) so you can
customize it to meet your needs.
Using the SDK, you can create filters that intercept, analyze, or modify any communication.
You can also create Web filters to implement rules for viewing, analyzing, blocking, redirecting, or modifying HTTP and FTP traffic. If your organization does not have the developer
resources to create your own custom filters, a large number of independent vendors offer
solutions that extend the core ISA Server product and integrate it with other products.
Conclusion
ISA Server 2004 is a sophisticated, application-layer-aware firewall that uses a number of
application filters to perform layer 7 inspection of communications moving through the firewall.
ISA Server 2000 moves beyond the limitations of traditional packet-filtering firewalls to perform
deep application-layer content inspection. This intelligent, application-layer filtering helps
secure your network against attacks launched by 21st-century attackers.
This is a preliminary document and may be changed substantially prior to final commercial release of the software described herein.
The information contained in this document represents the current view of Microsoft Corporation on the issues discussed as of the date
of publication. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the
part of Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the date of publication.
This white paper is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS
DOCUMENT.
Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this
document may be reproduced, stored in, or introduced into a retrieval system, or transmitted in any form or by any means (electronic,
mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.
Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in
this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not
give you any license to these patents, trademarks, copyrights, or other intellectual property.
© 2004 Microsoft Corporation. All rights reserved.
Microsoft, NetMeeting, Outlook, and Windows are either registered trademarks or trademarks of Microsoft Corporation in the United
States and/or other countries.
The names of actual companies and products mentioned herein may be the trademarks of their respective owners.