ISA Server 2000®
Firewall Security Services with Microsoft Internet Security and Acceleration Server 2000
Abstract
Microsoft® Internet Security and Acceleration (ISA) Server 2000 provides an extensible enterprise
firewall and Web cache server that integrates with Windows® 2000 for policy-based security,
acceleration, and management of internetworking. This paper focuses on the ISA Firewall services,
which provide enterprise level security for your network connection. A state-of-the-art firewall is
straightforward to manage; provides substantial network protection; detects and reacts upon an
intrusion; and facilitates operational requirements, such as Virtual Private Network tunneling and
bandwidth rules. These issues along with the firewall architecture of ISA Server are explored.
The information contained in this document represents the current view of Microsoft Corporation on the issues discussed as of the date of publication.
Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and
Microsoft cannot guarantee the accuracy of any information presented after the date of publication.
This White Paper is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED,
AS TO THE INFORMATION IN THIS DOCUMENT.
Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright,
no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or
by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express
written permission of Microsoft Corporation.
Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering
subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the
furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual
property.
© 2001 Microsoft Corporation. All rights reserved.
Microsoft, Active Directory, Windows, and Windows NT are either registered trademarks or trademarks of Microsoft
Corporation in the United States and/or other countries.
The names of actual companies and products mentioned herein may be the trademarks of their respective owners.
Microsoft Corporation • One Microsoft Way • Redmond, WA 98052-6399 • USA
Firewall Security Services
ISA Server 2000
1
CONTENTS
INTRODUCTION
  ISA Server Editions
  Security Policy
  Four Areas of Security Policy
MANAGING NETWORK SECURITY
  Windows 2000 Integration
  Policy-based Access Control
  Policy Elements
  Rules for ISA Server Security
  Rules Processing Order
PROTECTING THE NETWORK
  IP Packet Filters
  Protocol Rules
  Protocol Rules and SecureNAT Clients
  Application Filters
  SMTP Filter
  FTP Access Filter
  Web Filters
  System Hardening
  Secure Communication
  High Availability
  ISA Server Arrays
  Bandwidth Rules
DETECTING INTRUSIONS AND REACTING
  Intrusion Detection at the IP Packet-layer
  Intrusion Detection at the Application Layer
  Detecting other Critical Events
  Reacting to Events with Alerts
FACILITATING OPERATIONAL REQUIREMENTS
  Application Filters
  Virtual Private Networks
  Web Publishing
  Server Publishing
INSIDE ISA SERVER ARCHITECTURE
  ISA Server Components
  Multilayer Firewall
  IP Packet Filtering
  Circuit-Level Filtering
  Application-Level Filtering
  Dynamic Packet Filtering
  Incoming Requests
  Outgoing Requests
  Firewall Chaining
  Chained Authentication
  Active Directory Integration
SUMMARY
INTRODUCTION
Internet access is a powerful tool. Yet, as with other powerful tools, it can significantly improve or
deteriorate productivity. A healthy respect for Internet hazards is the best way to achieve positive
effects. For example, just connecting to the Internet provides an access point for miscreants
throughout the world to attempt illegitimate access to information on your organization’s network. It is
critical to safeguard your organization’s network from such misuse, whether casual or deliberate. In
some cases, there is a need to secure the connections between internal networks. A firewall is an
integral part of the protection against these threats.
Microsoft® Internet Security and Acceleration (ISA) Server 2000 is an extensible enterprise firewall
and Web cache server that integrates closely with Windows® 2000 for policy-based security and
straightforward management of internetworking. ISA Server provides three modes: a high-performance
Web cache server, a multi-layer firewall, and an integrated mode combining both firewall and cache.
The cache improves network performance and end-user experience by storing frequently requested
Web information, while the multilayer firewall provides enterprise-class security. The firewall screens
communication at the IP packet, circuit, and application layers. It controls access policy and the routing
of network traffic. The cache and firewall can be deployed separately on dedicated servers, or used
together on the same box. ISA Server’s ability to meet a broad range of criteria earned it ICSA Labs’
certification. ICSA Labs is one of the most respected independent laboratories for the IT security
industry; its testing criteria are developed in conjunction with security experts and users throughout
the industry.
Sophisticated management tools simplify policy definition, traffic routing, server publishing, and
monitoring. ISA Server builds on Windows 2000 security, directory, virtual private networking (VPN),
and bandwidth control.
Whether deployed as separate cache and firewall servers, or in integrated mode, ISA Server
improves Internet access speed, maximizes employee productivity, and enforces network security
policies and Internet usage policies for organizations of all sizes.
This paper examines the security benefits of ISA Server, including its ability to secure
communications between networks using VPN technology. One of the key benefits of ISA Server is
manageability. A difficult-to-manage firewall increases the potential for security vulnerabilities. ISA
Server provides a rich set of easily managed security features through a Microsoft Management
Console (MMC) snap-in. The MMC snap-in provides easy-to-use security wizards and the ability to
tweak security-setting details.
A common security approach is to restrict inbound connections from the Internet while allowing
outbound connections for internal clients. This simplistic approach is problematic because a misused
outbound connection is just as dangerous as an inbound connection. For example, a misbehaving
program running on the internal network could connect to an external computer, allowing someone to
execute commands remotely on the internal network.
ISA Server makes securing both inbound and outbound connections possible while allowing rich
communication over the Internet. ISA Server provides this capability through the following features:
• MULTILAYER FIREWALL ISA Server provides security at three levels. IP packet filtering provides security by inspecting individual packets passing through the firewall. Circuit-level filtering inspects connections established through the firewall and provides the ability to establish secondary connections required for some protocols. Application-level filtering allows ISA Server to intelligently inspect and secure popular applications such as HTTP, DNS, and SMTP.
• STATEFUL INSPECTION Dynamic filtering uses stateful inspection to open communication ports only when requested by clients and to close them when they are no longer needed. This reduces the number of communication ports that are statically open to inbound connections.
• SYSTEM HARDENING ISA Server lets you set a security level that makes securing the operating system easy. You can choose between a dedicated mode that shuts down unnecessary system services and a shared mode that allows ISA Server to share the OS with another application. A combination of these security modes is also possible.
• INTRUSION DETECTION In most situations it is just as important to detect unauthorized access as it is to prevent it. ISA Server provides built-in intrusion detection that identifies attempts to hack the network using several well-known attack methods. Upon detecting an attack, such as a port scan attack, ISA Server generates an event and issues an alert. The intrusion detection filters included with ISA Server are based on technology from Internet Security Systems (ISS).
• APPLICATION FILTERS Many hacking incidents are attacks on known vulnerabilities in open Internet applications such as DNS and SMTP. Application filters provide intelligent inspection of the communication protocols used by popular applications. Application filters can intercept suspicious commands that might be used for a network intrusion. The filters can also modify and redirect application protocols as needed.
• AUTHENTICATION AND ACCESS CONTROL The optional Firewall Client allows ISA Server to authenticate all Windows communication before it is allowed through the firewall. This allows you to restrict protocols and applications by usernames or security groups.
ISA Server not only enables a company to secure the internal network, but also provides a range of
features for enhancing the usefulness of the Internet. These features include the following:
• BROAD APPLICATION SUPPORT ISA Server supports a large variety of applications. The optional Firewall Client provides secured communication through the firewall for almost any Windows Winsock-compatible application. Clients that do not have the Firewall Client installed can use the built-in SOCKS filter. In addition, the SecureNAT feature of ISA Server allows traffic destined for the Internet using most common protocols to be routed through the firewall. SecureNAT clients can be Windows or non-Windows platforms. No special software configuration is required.
• TRANSPARENCY Through support for SecureNAT clients, the ISA Server firewall can be installed without requiring additional configuration on client computers. This allows you to implement security transparently without interrupting business requirements.
• VIRTUAL PRIVATE NETWORKING Windows 2000 includes the ability to establish Virtual Private Network (VPN) connections across public networks, using PPTP or a combination of L2TP and IPSec. ISA Server includes wizards to set up both the local and remote firewalls for secure communication over the Internet. One ISA Server wizard can configure the server to accept connections from remote users. Another set of wizards can configure a VPN connection between two branch offices for a private connection over the Internet.
• SECURE PUBLISHING ISA Server allows you to place servers behind the firewall and securely publish their services to the Internet. Secure publishing enables ISA Server to inspect the communication and detect bad or insecure requests made to the published servers.
Security is a complicated and sensitive subject for an organization. Properly securing a network is a
balance between functionality and security. ISA Server’s rich feature set provides a secure solution
while enabling rich communication over the Internet.
ISA Server Editions
ISA Server is available in two editions to meet the varying needs of different organizations. ISA
Server Standard Edition provides enterprise-class firewall security and Web caching capabilities for
small businesses, workgroups or departmental environments. ISA Server Enterprise Edition offers the
scalability and management capabilities required by a large organization. Table 1 shows the
differences between the Enterprise and Standard editions of ISA Server.
Table 1 Feature Differences of Enterprise and Standard Editions

Features                              ISA Server Standard Edition   ISA Server Enterprise Edition
Scalability                           Limited                       Yes
Distributed and Hierarchical Caching  Hierarchical Only             Yes
Active Directory Integration          Limited                       Yes
Tiered Policy                         No                            Yes
Multi-server Management               No                            Yes
Security Policy
ISA Server is a highly effective tool for implementing an overall security policy. All organizations,
whether large or small, develop a security policy that establishes a plan to protect the organization’s
assets. Large organizations have elaborate, written security policies, while smaller organizations might
take a more informal approach. Even in your own home, you have some concern for security. You lock
doors, put money in a safe place, and install an alarm system. A security policy is simply a plan to
protect valuable assets from being damaged, stolen or used improperly.
A proper security policy is a balance between a barricade and an invitation. For an organization to
meet its operational goals, some assets must remain available for employee scrutiny. Consequently,
an organization is continually faced with a residual risk that an intruder will exploit a vulnerability and
gain access to a privileged asset. Additionally, the security policy must specify how the organization
will detect and react to an intrusion.
For a physical building, a security policy specifies the methods for securing doorways, protecting
against fires and other disasters and monitoring the building using cameras or security personnel. A
network security policy is similar to a building security policy. You must protect the entry points to the
network and prevent disasters such as viruses and network outages. Finally, you specify in the security
policy how intrusions are detected, who is notified when an intrusion occurs, and what follow up
actions are taken.
Four Areas of Security Policy
Every security policy should address four major areas. Each area involves the use of tools to
implement the security policy. ISA Server plays a unique role as a tool in implementing these four
areas of security policy (See Figure 1 The Four Areas of Security Policy).
Figure 1 The Four Areas of Security Policy
• MANAGING NETWORK SECURITY A security policy specifies the management of tools and resources used in the security plan. Managing the tools and resources should be simple enough that configuration changes are implemented easily while allowing for a wide range of security options to satisfy specific needs.
• PROTECTING THE NETWORK The security policy assures that the organization’s assets are protected. This assurance comes in three forms: assurance against unauthorized access, assurance of privacy, and assurance of availability.
• DETECTING INTRUSIONS AND REACTING A complete security policy acknowledges that residual risks are inevitable and prepares for threats to network security. Proper preparation includes a plan for detecting network intrusions and swiftly reacting to the intrusions by eliminating vulnerabilities and preventing damage.
• FACILITATING OPERATIONAL REQUIREMENTS The last area provides the organization with the functionality needed to meet operational requirements. Operational requirements often include safely accessing Internet resources, providing services to Internet users and connecting networks across the Internet.
MANAGING NETWORK SECURITY
An aspect critical to network security is the ability to effectively and efficiently manage the tools and
resources that implement your organization’s security policy. When management is burdensome and
inefficient, discovering and eliminating vulnerabilities and threats becomes difficult. Therefore, a tool
set that is easy to configure and flexible enough to manage changing requirements is a must.
ISA Server is closely integrated with Windows 2000 to provide robust management and dependable
security. The management interface assures that your network security policy is configured correctly.
Using the familiar scripting interfaces of Windows Script Host, you can automate the configuration of
ISA Server parameters to match your security policies.
Windows 2000 Integration
The tight integration of ISA Server with Windows 2000 allows you to use the security, performance and
management technologies of Windows 2000 in your security implementation. ISA Server uses the
following Windows 2000 technologies.
• MMC ADMINISTRATION Windows 2000 administrators should be familiar with Microsoft Management Console (MMC). ISA Server uses an MMC snap-in for an easy and familiar management interface.
• ACTIVE DIRECTORY STORAGE (ENTERPRISE) ISA Server Enterprise Edition allows configuration information to be stored in the Active Directory™ service. This simplifies management of multiple firewalls in an array by sharing a single configuration set.
• TIERED-POLICY MANAGEMENT (ENTERPRISE) Active Directory manages enterprise-wide policies for ISA Server Enterprise Edition. These policies are configured in Active Directory and applied to all servers in an enterprise using Active Directory replication.
• AUTHENTICATION ISA Server supports all of the Windows 2000 authentication methods. Authentication methods include Basic, Digest, NTLM, Kerberos, and digital certificates. Authentication uses the same usernames and passwords used to log on to the Windows 2000 domain or Windows NT® 4.0 domain.
• SYSTEM HARDENING Wizards included in the ISA Server management console make it easy to shut down unnecessary services in Windows 2000. This ensures that the computer running ISA Server is as secure as possible.
• VIRTUAL PRIVATE NETWORKING You can use ISA Server to configure secure VPN connections across a public network. Wizards within the ISA Server management console configure both the Windows 2000 VPN and ISA Server access policies in one place. Windows 2000 VPN technology supports Layer 2 Tunneling Protocol (L2TP), Secure Internet Protocol (IPSec), and Point-to-Point Tunneling Protocol (PPTP).
• NETWORK ADDRESS TRANSLATION ISA Server improves upon the Network Address Translation features of Windows 2000 with SecureNAT. SecureNAT assures ISA Server compatibility with all Internet applications, regardless of the platform or protocol. All SecureNAT traffic passing through the firewall is subject to ISA Server’s policies and rules.
• MULTIPROCESSOR SUPPORT ISA Server performance is scalable using the symmetric multiprocessing (SMP) architecture of Windows 2000.
Policy-based Access Control
Easily managing firewall access rules is key to securing the network. If managing rules is complicated
and difficult, the firewall can be vulnerable to configuration mistakes. ISA Server simplifies the
management of access rules through policies.
ISA Server access is policy based. Policies make it easy to understand what rules are being
enforced on data passing through the firewall. The policies use elements to hide addresses and
protocol numbers behind easy to understand descriptions. By default, ISA Server denies all access
through the firewall unless explicitly allowed by a policy rule. As an added assurance, you can set
“Deny” rules. Rules that deny access take precedence over rules that allow access. You can
determine what is allowed through the firewall by browsing the list of access policies.
Policy Elements
Policy elements are applied to ISA Server policies and to groups of objects. For example, all of the
computers in the Marketing Department can be grouped in a client address set called “Marketing
Computers.” Policies can then be applied to this client address set. This eliminates recalling which
computers belong to Marketing each time you want to configure a new policy for that group. In
addition, you may add or remove computers from the “Marketing Computers” client address set,
instead of managing the policies for individual computers.
The following policy elements are available when ISA Server is installed in firewall mode:
• SCHEDULES You can create rules that are only in effect at certain times. For example, you might create a schedule for after-hours access. Schedules define time periods during the day and the days during the week. A schedule can restrict access to specific resources during specified times while allowing access at others.
• BANDWIDTH PRIORITIES You can associate a name with an inbound and outbound bandwidth priority. Associating a bandwidth priority with a bandwidth rule provides special precedence to specific protocols such as real-time communication or access to your website. Bandwidth priorities are assigned a number between 1 and 200. The higher the number, the more priority is assigned to the communication.
• DESTINATION SETS Destination sets define locations on the Internet by hostname, IP address or a range of IP addresses. Destination sets may also include a path. You can configure a destination set for a specific destination or a group of destinations using wildcards or IP address ranges. You can use a destination set to apply a rule to a specific URL. For example, you can define a destination set for restricted websites. You can use this destination set in an access policy rule to deny access to all of the restricted websites.
• CLIENT ADDRESS SETS You specify clients by a range of IP addresses. Client address sets can represent internal clients with access to Internet resources or external clients that access internal servers published to the Internet. They are used to associate a rule with a group of computers. A site and content rule might be restricted to a specific set of computers defined in a client address set.
• PROTOCOL DEFINITIONS These represent the primary and secondary connections required for communication using a specific protocol. Protocol definitions also define the direction of the communication as inbound or outbound.
• CONTENT GROUPS Content groups define groups of content types using file extensions and MIME types. Content groups restrict or grant access to content resources based upon content type.
• DIAL-UP ENTRIES These elements define dial-up entries that tell the ISA Server how to connect to the Internet. A dial-up entry might be applied to all content or used in a routing rule to access an upstream ISA Server. For example, after defining a dial-up entry, a routing rule may instruct the ISA Server to dial an Internet service provider.
• WINDOWS ACCOUNTS Although Windows accounts do not appear as policy elements in ISA Management, you can use them to restrict rules to specific users or groups. You can use accounts and security groups from a Windows 2000 Active Directory service or from a Windows NT 4.0 domain.
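To show how the policy elements above compose into a single rule, here is an added Python example. It is not ISA Server code; the client address set, destination set, schedule, content group and the site and content rule built from them are constructed for illustration, as are the addresses and hostnames. The rule applies only when every element it references matches the request.

```python
import ipaddress
from dataclasses import dataclass, field
from datetime import datetime
from fnmatch import fnmatch
from typing import List, Set


@dataclass
class ClientAddressSet:
    """A named range of client IP addresses (e.g. all Marketing computers)."""
    name: str
    first: str
    last: str

    def contains(self, ip: str) -> bool:
        addr = ipaddress.ip_address(ip)
        return ipaddress.ip_address(self.first) <= addr <= ipaddress.ip_address(self.last)


@dataclass
class DestinationSet:
    """Hostname patterns (wildcards allowed) plus an optional path prefix."""
    name: str
    host_patterns: List[str]
    path_prefix: str = "/"

    def contains(self, host: str, path: str) -> bool:
        host_ok = any(fnmatch(host.lower(), p.lower()) for p in self.host_patterns)
        return host_ok and path.startswith(self.path_prefix)


@dataclass
class Schedule:
    """Days of the week (0 = Monday) and the hour range during which a rule is in effect."""
    name: str
    days: Set[int]
    start_hour: int
    end_hour: int  # exclusive

    def active(self, when: datetime) -> bool:
        return when.weekday() in self.days and self.start_hour <= when.hour < self.end_hour


@dataclass
class ContentGroup:
    """Content types identified by file extension or MIME type."""
    name: str
    extensions: Set[str] = field(default_factory=set)
    mime_types: Set[str] = field(default_factory=set)

    def contains(self, path: str, mime_type: str) -> bool:
        filename = path.rsplit("/", 1)[-1]
        ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
        return ext in self.extensions or mime_type.lower() in self.mime_types


@dataclass
class SiteAndContentRule:
    """A rule is the conjunction of the policy elements it references."""
    name: str
    action: str  # "allow" or "deny"
    clients: ClientAddressSet
    destinations: DestinationSet
    schedule: Schedule
    content: ContentGroup

    def applies(self, client_ip: str, host: str, path: str, mime_type: str, when: datetime) -> bool:
        return (self.clients.contains(client_ip)
                and self.destinations.contains(host, path)
                and self.schedule.active(when)
                and self.content.contains(path, mime_type))


# Constructed sample elements (hypothetical names and private/documentation addresses)
MARKETING = ClientAddressSet("Marketing Computers", "10.1.2.1", "10.1.2.254")
RESTRICTED = DestinationSet("Restricted websites", ["*.restricted.example", "www.games.example"])
WORK_HOURS = Schedule("Work hours", {0, 1, 2, 3, 4}, 8, 18)
VIDEO = ContentGroup("Video", {"avi", "mpg"}, {"video/mpeg"})

RULE = SiteAndContentRule("Deny video from restricted sites for Marketing during work hours",
                          "deny", MARKETING, RESTRICTED, WORK_HOURS, VIDEO)


def check_request(client_ip: str, host: str, path: str, mime_type: str, when_iso: str) -> str:
    """Return the rule's action if it applies to the request, otherwise "no match"."""
    when = datetime.fromisoformat(when_iso)
    return RULE.action if RULE.applies(client_ip, host, path, mime_type, when) else "no match"


if __name__ == "__main__":
    print(check_request("10.1.2.17", "media.restricted.example", "/clips/launch.mpg",
                        "video/mpeg", "2001-03-05T10:30"))   # Monday, work hours -> deny
    print(check_request("10.1.2.17", "media.restricted.example", "/clips/launch.mpg",
                        "video/mpeg", "2001-03-03T10:30"))   # Saturday -> no match
```

Because every element is a separate named object, changing the membership of "Marketing Computers" or the hours in "Work hours" updates every rule that references them, which is the management benefit the text describes.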
Rules for ISA Server Security
Rules instruct ISA Server to accept and process requests from internal and external Web clients in a
specified manner. ISA Server’s rules are processed in the following order.
INCOMING REQUESTS:
1. Packet filters
2. Web publishing rules (integrated-mode only)
3. Routing rules
4. Bandwidth rules
OUTGOING REQUESTS:
1. Bandwidth rules
2. Protocol rules
3. Site and content rules
4. Routing rules
5. Packet filters
• PACKET FILTER Packet filters control the types of IP packets accepted on the external interface. Packet filters are available in Integrated and Firewall mode only. When enabled, all packets on the external interface are dropped unless a specific packet type is configured to be accepted. Typically, you create packet filters to control incoming traffic or traffic that is routed between the perimeter network and external network. For outgoing requests, ISA Server opens ports dynamically as they are needed and monitors the ports for responses.
• WEB PUBLISHING RULES You use Web publishing rules to configure ISA Server to forward requests from external clients to internal Web servers. These rules are used in a reverse caching scenario to accelerate access to an organization’s Web servers. Web publishing rules determine security restrictions for incoming requests, how the requests are encrypted, and when they are forwarded to the internal server.
• ROUTING RULES Routing rules route requests to upstream ISA Server computers or redirect requests to alternate destination servers. Routing rules specify which requests are routed, redirected, or retrieved directly from the destination server. You use routing rules to configure caching policies specific to destination sets. Additionally, routing rules specify whether or not to serve objects from the cache and whether or not to cache the responses from the destination server.
• BANDWIDTH RULES Windows 2000 Server and Windows 2000 Advanced Server include built-in Quality of Service (QoS) functionality for controlling the amount of bandwidth available to a particular application or to a group of users. ISA Server uses bandwidth rules to determine what priority to request from the QoS service. You can use these rules to specify a priority to real-time communications or to a group of users who depend on Internet access.
• PROTOCOL RULES Protocol rules control access to specific protocols that are allowed to pass through the ISA Server. In cache mode, the only protocols available are HTTP, HTTPS, FTP, and Gopher. In integrated and firewall mode, any protocols can be defined using protocol definitions and allowed or denied using protocol rules.
• SITE AND CONTENT RULES Site and content rules control access to specific destination servers and content types by internal clients. You specify destinations using destination sets. A destination set can be an entire domain, a specific server, or a specific URL. Content restrictions are first defined using content groups and then restricted using site and content rules.
Rules Processing Order
You can group ISA Server rules into two types of rule sets. ISA Server processes the rules
differently depending on the type of rule set. The first type of rule set is an ordered rule set. The
second type is an unordered rule set.
Ordered rule sets include Web publishing rules, bandwidth rules, and routing rules. ISA Server
processes these rule sets in the order they appear in the list. The last rule in an ordered rule set is the
default rule and cannot be deleted. The default rule functions in different ways depending on the rule
set. You can inspect the default rule to see what action ISA Server will take; in some cases, you can
modify the default rule. When a request arrives related to one of these rule sets, ISA Server will use
the first rule in the list that matches the request.
Unordered rule sets include packet filters, protocol rules, and site and content rules. For these rule
sets, ISA Server processes “deny” rules first and then processes “accept” rules. The default for
unordered rule sets is to deny everything. This means that if no rules exist in a rule set, ISA Server will
pessimistically deny all requests for that rule set.
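The two evaluation strategies just described, as an added Python illustration (not ISA Server code): an unordered set consults every "deny" rule before any "allow" rule and falls back to deny, while an ordered set takes the first match in list order and ends in a default rule that matches everything. The sample protocol rules, routing rules, hostnames and rule names are constructed.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

# A request is modelled as a plain dictionary of attributes (protocol, host, ...).
Request = Dict[str, str]


@dataclass
class Rule:
    name: str
    action: str                          # "allow"/"deny", or a routing action
    matches: Callable[[Request], bool]   # predicate deciding whether the rule applies


def evaluate_unordered(rules: List[Rule], request: Request) -> Tuple[str, str]:
    """Unordered rule sets (packet filters, protocol rules, site and content rules).

    Deny rules are checked before allow rules, so a deny wins regardless of its
    position in the list. No matching rule, or an empty rule set, means deny.
    """
    for rule in rules:
        if rule.action == "deny" and rule.matches(request):
            return "deny", rule.name
    for rule in rules:
        if rule.action == "allow" and rule.matches(request):
            return "allow", rule.name
    return "deny", "<default: deny everything>"


def evaluate_ordered(rules: List[Rule], request: Request) -> Tuple[str, str]:
    """Ordered rule sets (Web publishing, bandwidth and routing rules).

    Rules are consulted in list order and the first match wins. The last rule is
    the default rule, modelled here as a rule whose predicate matches everything.
    """
    if not rules:
        raise ValueError("an ordered rule set always contains its default rule")
    for rule in rules:
        if rule.matches(request):
            return rule.action, rule.name
    raise AssertionError("the default rule must match every request")


# Constructed protocol rules (unordered): the allow rule is listed first, yet the
# deny rule still takes precedence for the hosts it covers.
PROTOCOL_RULES = [
    Rule("Allow HTTP for everyone", "allow",
         lambda r: r["protocol"] == "HTTP"),
    Rule("Deny HTTP to restricted site", "deny",
         lambda r: r["protocol"] == "HTTP" and r["host"].endswith(".restricted.example")),
]

# Constructed routing rules (ordered): the specific rule first, the default rule last.
ROUTING_RULES = [
    Rule("Route example.com via upstream ISA Server", "route-upstream",
         lambda r: r["host"].endswith(".example.com")),
    Rule("Default rule: retrieve directly", "retrieve-direct",
         lambda r: True),
]


def decide_protocol(protocol: str, host: str) -> Tuple[str, str]:
    return evaluate_unordered(PROTOCOL_RULES, {"protocol": protocol, "host": host})


def decide_routing(host: str) -> Tuple[str, str]:
    return evaluate_ordered(ROUTING_RULES, {"protocol": "HTTP", "host": host})


if __name__ == "__main__":
    for proto, host in [("HTTP", "www.example.com"),
                        ("HTTP", "www.restricted.example"),
                        ("FTP", "ftp.example.com")]:
        print(proto, host, "->", decide_protocol(proto, host))
    for host in ["www.example.com", "www.example.net"]:
        print("route", host, "->", decide_routing(host))
```

The practical consequence for an administrator is that in an unordered set the list position of a rule carries no meaning, only its action does, whereas in an ordered set moving a rule above or below another changes the outcome.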
PROTECTING THE NETWORK
A firewall that protects a network must provide three assurances for the safety of an organization’s
assets. It must first protect and assure that the information on the network is harmless. This includes
protecting information on the network against unauthorized access. Additionally, the firewall should
assure that users on the network are accessing appropriate and safe information on the Internet.
Second, the firewall must assure the privacy and accuracy of the information transferred to and from
the network. Finally, the firewall needs to protect the reliability and availability of web and email servers
and other network services. ISA Server provides firewall features that fulfill each of these
requirements.
IP Packet Filters
Packet filters control access to the network at the lowest level by inspecting the IP (Internet Protocol)
packets transferred through the firewall. Basically, IP packets are packages of bits that transfer
information between computers. An IP packet can take several forms depending on the transmission
protocol used. The most familiar of the transmission protocols is TCP (Transmission Control Protocol),
but IP also carries UDP (User Datagram Protocol) and ICMP (Internet Control Message Protocol); others
can be defined per application. All IP packets contain a source and destination address. TCP and UDP
packets include a communications port for the source and destination computer. Communication ports
are often associated with applications, such as port 80 for HTTP (Hypertext Transfer Protocol) or
port 25 for SMTP (Simple Mail Transfer Protocol). These are referred to as well-known ports. The use
of a particular communication port is not restricted to the associated application at the IP level.
When the firewall inspects an IP packet, it is unaware of the application-specific information inside
the packet. It examines the packet’s source and destination information and its transmission protocol.
The firewall disregards routing at the IP packet filtering level. If an inbound packet passes through the
IP packet filters, it still must be answered by a local service, routed to an internal server by a publishing
rule, or translated to an internal client by SecureNAT.
Think of IP packet filtering as a wall directly in front of the Internet. The wall has several different
shaped windows. If an IP packet has the correct shape, it passes through the wall to be processed by
the next set of rules. If the IP packet does not have the correct shape, it is dropped and nothing behind
the wall ever knows it existed.
You define IP packet filters by setting the criteria for packets transferred through the firewall. Each IP
packet filter is set to accept or deny the packet type, with “deny” packet filters having priority. If no
packet filters exist, the default rule of “deny everything” applies. You use the following criteria to define
an IP packet filter:
• IP PROTOCOL ISA Server allows you to define packet filters for TCP, UDP, ICMP and a Custom Protocol. You may also define a filter that encompasses all protocols by selecting Any.
• PROTOCOL NUMBER If you define a custom protocol, you must specify a protocol number. For example, the GRE protocol for PPTP connections is protocol 47.
• DIRECTION This parameter defines the direction of the packet defined by this filter. In most cases, the direction is defined by Inbound, Outbound or Both. For the UDP protocol, the directional choices are Receive only, Send only, or Both. You can also define the direction as Receive Send or Send Receive. The UDP direction options allow you to create packet filters that match the special format of UDP packets.
• PORT NUMBERS A TCP or UDP packet filter defines a local and remote port. The local and remote ports are defined by a Fixed port number, All Ports, or the Dynamic (1025-5000) ports.
• ICMP TYPE AND CODE If you define a packet filter for the ICMP protocol, you must also define a type and a code for the packet to be filtered. The type value defines the ICMP packet message type. For example, a trace route message is type 30. Depending on the message type, ICMP packets are also defined by a Code. The message type 3 (Destination Unreachable) might have a code of 6 for Destination Network Unknown. Potential intruders often use ICMP messages to profile a network for configuration information, so it is a good idea to understand ICMP communication and decide what messages should be permitted through the firewall.
• LOCAL COMPUTER The local computer is defined by a specific IP address on the external interface of the ISA Server, a specific computer or a range of computers on the perimeter network. You may also define the local computer as the default IP addresses on the external interface(s).
• REMOTE COMPUTER The remote computer is set to include all remote computers by default. You can specify a specific remote computer or a range of remote computers using a subnet and subnet mask.
IP packet filters are useful for allowing inbound connections for server publishing rules. For outbound
connections, it is best to use protocol rules and application filters. This enables ISA Server to only
open ports when a client is communicating with the Internet. Opening only the specific filters, when
required, increases the security of the ISA Server.
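The following is an added example, not ISA Server code: a small evaluator that models the packet filter semantics described above (deny filters take priority, and a packet matching no filter falls under the default "deny everything" rule). The filter set, addresses and the simplification of the UDP Receive/Send directions to Inbound/Outbound are constructed for the example.

```python
"""Added example, not ISA Server code: evaluates a packet against a list of IP
packet filters using the criteria above (protocol, direction, ports, ICMP type
and code, local address, remote subnet). Deny filters win; no match means deny."""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple, Union

TCP, UDP, ICMP, GRE = 6, 17, 1, 47      # IP protocol numbers
ANY = None                              # the "Any" selection: matches every value
ALL_PORTS = None                        # the "All Ports" selection
DYNAMIC = (1025, 5000)                  # the "Dynamic (1025-5000)" port range

PortSpec = Union[int, Tuple[int, int], None]   # fixed port, (low, high) range, All Ports


@dataclass(frozen=True)
class Packet:
    protocol: int
    direction: str                      # "Inbound" or "Outbound" (UDP Receive/Send simplified)
    local_ip: str                       # address on the ISA Server external interface
    remote_ip: str
    local_port: Optional[int] = None
    remote_port: Optional[int] = None
    icmp_type: Optional[int] = None
    icmp_code: Optional[int] = None


@dataclass(frozen=True)
class PacketFilter:
    action: str                         # "accept" or "deny"
    protocol: Optional[int] = ANY
    direction: str = "Both"
    local_ip: Optional[str] = ANY       # a specific external address, or any of them
    remote_net: str = "0.0.0.0/0"       # "all remote computers" is the default
    local_port: PortSpec = ALL_PORTS
    remote_port: PortSpec = ALL_PORTS
    icmp_type: Optional[int] = ANY
    icmp_code: Optional[int] = ANY


def port_matches(spec: PortSpec, port: Optional[int]) -> bool:
    if spec is ALL_PORTS:
        return True
    if port is None:
        return False
    if isinstance(spec, tuple):
        low, high = spec
        return low <= port <= high
    return spec == port


def filter_matches(f: PacketFilter, p: Packet) -> bool:
    if f.protocol is not ANY and f.protocol != p.protocol:
        return False
    if f.direction != "Both" and f.direction != p.direction:
        return False
    if f.local_ip is not ANY and f.local_ip != p.local_ip:
        return False
    if ipaddress.ip_address(p.remote_ip) not in ipaddress.ip_network(f.remote_net):
        return False
    if p.protocol in (TCP, UDP):        # ports only apply to TCP and UDP filters
        if not (port_matches(f.local_port, p.local_port)
                and port_matches(f.remote_port, p.remote_port)):
            return False
    if p.protocol == ICMP:              # type and code only apply to ICMP filters
        if f.icmp_type is not ANY and f.icmp_type != p.icmp_type:
            return False
        if f.icmp_code is not ANY and f.icmp_code != p.icmp_code:
            return False
    return True


def evaluate(filters, packet: Packet) -> str:
    """Return "accept" or "deny" for the packet under the given filter set."""
    matched = [f for f in filters if filter_matches(f, packet)]
    if not matched:                                 # default rule: deny everything
        return "deny"
    if any(f.action == "deny" for f in matched):    # deny filters have priority
        return "deny"
    return "accept"


# Constructed sample filter set for an external interface at 203.0.113.1.
LOCAL = "203.0.113.1"
EXAMPLE_FILTERS = [
    # PPTP: GRE (protocol 47) plus the TCP 1723 control channel, inbound
    PacketFilter("accept", protocol=GRE, direction="Inbound"),
    PacketFilter("accept", protocol=TCP, direction="Inbound", local_port=1723),
    # DNS lookups from the dynamic port range to remote port 53
    PacketFilter("accept", protocol=UDP, direction="Outbound",
                 local_port=DYNAMIC, remote_port=53),
    # all inbound ICMP, except trace route (type 30), which the deny filter overrides
    PacketFilter("accept", protocol=ICMP, direction="Inbound"),
    PacketFilter("deny", protocol=ICMP, direction="Inbound", icmp_type=30),
    # nothing at all from one remote subnet, whatever other filter would allow it
    PacketFilter("deny", remote_net="198.51.100.128/25"),
]
```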
Protocol Rules
ISA Server uses protocol rules to define the types of connections that clients are allowed to make to
the Internet. Protocol rules define a hybrid filter type that makes use of both circuit-level and dynamic
IP packet filtering. Protocol rules allow ISA Server to dynamically filter the packets necessary for a
client requested connection. Each dynamically created connection adheres to a strict definition of
source and destination IP addresses, as well as a time limit when the connection filters will be deleted.
You define protocol rules using protocol definitions. Protocol definitions define the primary and
secondary connections required for a protocol. Only outbound protocol definitions apply to protocol
rules. You can allow or deny multiple protocols with one protocol rule by selecting one or more protocol
definition. You can also choose to allow all IP Traffic or disallow specific protocol definitions.
Additionally, protocol definitions can include a set of secondary connections. When a client requests
communication using the primary connection as defined by the protocol definition, the ISA Server will
create filters for the secondary connections. Applications like FTP, requiring multiple connections to
function, make use of secondary connections. In this case, the client requests data with the primary
connection and the FTP server makes a secondary connection back to the client to send the data.
In addition to allowing or denying a particular protocol, you can schedule a protocol rule. The protocol
rule will only be applied during the scheduled time. For example, you might create a protocol rule that
denies streaming media protocols during office hours.
Finally, you have the option to restrict protocol rules by specific computers or by security objects such
as usernames or security groups. For example, you can restrict use of the Streaming Media protocols
to a group called “Media Users.” Only members of this group will be permitted to use the Streaming
Media protocol. It is important to note that SecureNAT clients are unable to authenticate with the
server using a username and password. Therefore, you can only restrict SecureNAT clients by the
computer IP address.
Protocol Rules and SecureNAT Clients
Protocol rules apply to all clients including Firewall and SecureNAT clients. In order to use secondary
connections, a client must have the Firewall client software installed. Alternatively, the protocol rule
must be defined by an application filter.
If a protocol defines secondary connections, and is not defined by an application filter, the secondary
connections will not apply to SecureNAT clients. See Table 2 Application of Primary and Secondary
Connections.
Table 2 Application of Primary and Secondary Connections
                          Firewall Client   SecureNAT Client   Application Filter (SecureNAT and Firewall Client)
Primary Connections       Yes               Yes                Yes
Secondary Connections     Yes               No                 Yes
Finally, SecureNAT clients only work with protocols that have a protocol definition on the ISA Server.
For example, consider a Web server called ServerA that uses an uncommon port such as port 8000 for
serving HTTP content. You define a protocol rule on the ISA Server that allows all IP traffic, but you do
not create any special protocol definitions. You find that your Firewall, SOCKS, and Web Proxy clients
are able to communicate on port 8000, but your SecureNAT clients are unable to communicate with
ServerA on port 8000. This is because ISA Server needs a protocol definition to know how to handle
requests from SecureNAT clients on port 8000. The Firewall and SOCKS clients and Web Proxy
Service can use Circuit-Level Filtering to open port 8000 and connect to ServerA.
Application Filters
ISA Server’s application filters offer the most intelligence in securing your network. Application filters
intercept specific communication transferring through the firewall and inspect the actual payload or
content of the packet. For example, the SMTP filter intercepts communication on port 25 and inspects
it to make sure the SMTP commands are authorized before passing the communication to the
destination server.
Application filters can serve three different purposes. First, they can provide protection at the
application layer by inspecting communication. Second, they can redirect communication to another
destination or create dynamic IP packet filters. For example, the HTTP Redirector filter redirects HTTP
traffic to a Web Proxy Service. Finally, application filters can detect and alert the system of possible
network intrusions.
ISA Server includes several built-in application filters that have the purpose of protecting the
network. ISA Server also includes an API for creating new application filters. The following are
application filters included with ISA Server that are used to protect the network.
SMTP Filter
The SMTP Filter works by intercepting communication that arrives on port 25 and comparing the
SMTP commands against a rule set. If the communication is allowed it is passed along to the
destination server. There are several ways to define SMTP filtering rules.

• ATTACHMENTS Attachments are defined by name, file extension or the size of the attachment. If an
attachment meets the rule criteria, you can specify that ISA Server delete, hold, or forward the
message to an alternate email address.
• KEYWORDS You can use keywords to define rules. ISA Server will search for the keywords in the
message header, body or both the message header and body. As with attachments, the message
can be deleted, held or forwarded.
• SPECIFIC COMMANDS You can specify which commands are allowed through the SMTP filter and
the length of each command. This option prevents buffer overflows and other SMTP vulnerabilities
that may exist.
• SPECIFIC NAMES OR DOMAINS You can restrict passage of a sender’s name or a specific domain.
For example, you might block all messages from the domain unsolicitedmail.com.
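As an added example (not ISA Server code), the following models the command-level part of such a filter: each client command must be on an allow list, each allowed command has a maximum line length, and a sender domain can be blocked. The allow list, the length limits and the session lines are constructed assumptions for the example; the blocked domain is the one named above.

```python
"""Added example, not ISA Server code: checks SMTP client command lines against
an allow list with per-command length limits and a blocked sender domain, which
is how oversized or unexpected commands are stopped before reaching the server."""
import re

# Constructed allow list; verbs and length limits are assumptions for the example.
ALLOWED_COMMANDS = {
    "HELO": 512, "EHLO": 512, "MAIL": 512, "RCPT": 512,
    "DATA": 4, "RSET": 4, "NOOP": 4, "QUIT": 4,
}
BLOCKED_SENDER_DOMAINS = {"unsolicitedmail.com"}   # the domain used in the text above

# an address like <user@example.com> or user@example.com; group 2 is the domain
ADDRESS_RE = re.compile(r"<?([^<>\s]+@([^<>\s]+))>?")


def sender_domain(line):
    """Return the lower-cased domain from a MAIL FROM line, or None if absent."""
    _, _, rest = line.partition(":")
    m = ADDRESS_RE.search(rest)
    return m.group(2).lower().rstrip(".") if m else None


def check_smtp_command(line):
    """Return ("allow", verb) or ("deny", reason) for one client command line."""
    line = line.rstrip("\r\n")
    # the verb is the first token, with "MAIL FROM:" and "RCPT TO:" reduced to MAIL / RCPT
    verb = line.split(" ", 1)[0].split(":", 1)[0].upper()
    if verb not in ALLOWED_COMMANDS:
        return ("deny", "command not allowed: " + verb)
    if len(line) > ALLOWED_COMMANDS[verb]:
        return ("deny", "%s exceeds %d bytes" % (verb, ALLOWED_COMMANDS[verb]))
    if verb == "MAIL":
        domain = sender_domain(line)
        if domain in BLOCKED_SENDER_DOMAINS:
            return ("deny", "sender domain blocked: " + domain)
    return ("allow", verb)


def filter_session(lines):
    """Run a session's command lines through the filter; stop at the first denial."""
    results = []
    for line in lines:
        verdict = check_smtp_command(line)
        results.append(verdict)
        if verdict[0] == "deny":
            break
    return results
```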
FTP Access Filter
The FTP access filter serves two purposes. First, it enables SecureNAT clients to use the FTP protocol
secondary connections. Second, it allows you to restrict the use of the FTP protocol by adding protocol
definitions to ISA Server. The FTP access filter creates three protocol definitions that enable you to
control what types of FTP communication are allowed through the firewall. The FTP client read only
definition permits only read (get, dir, etc.) commands. If only this protocol definition is permitted, then
any write (put, mkdir, etc.) commands are denied access. The other two definitions, FTP client and
FTP server, define outbound and inbound FTP connections. Enabling the FTP client protocol allows
internal users to make FTP connections to Internet servers. You can use the FTP server protocol
definition to create a server publishing rule that allows Internet users access to an internal FTP server.
Web Filters
ISA Server extends the security of the Web Proxy Service through Web filters. You can create Web
filters by using the ISA Server Software Development Kit (SDK), or you can purchase them from third-party vendors. Web filters process all HTTP requests that pass through the Web Proxy Service. A Web
filter might inspect requests for viruses or filter inappropriate content.
System Hardening
ISA Server provides special system hardening wizards that make it easy to harden the operating
system of the ISA Server. The system hardening wizards apply policy objects to the local server,
reducing the number of services that are running and enabling security features inherent in Windows
2000. The following levels of security are available through the ISA Server security wizard:
• SECURE Use the secure setting when you have other applications running on the computer (other
than ISA Server). For example, you could use this setting if the Internet Information Server (IIS) is
also installed on the ISA Server.
• LIMITED SERVICES Use this setting for servers running in integrated mode, operating both cache
and firewall services.
• DEDICATED Use the dedicated setting when only the ISA Server Firewall Service is running on the
server. This is the most secure setting.
Secure Communication
ISA Server includes SSL tunneling and bridging. An SSL tunnel occurs when a Web Proxy client
makes an HTTPS request for a resource on the Internet. After assuring the connection is permitted,
the Web Proxy Service opens a secure tunnel between the client and the server. The communication
remains encrypted as it is transferred from the client, through the tunnel to the server.
SSL bridging occurs when ISA Server either encrypts or decrypts a request as it passes through the
firewall. ISA Server can either end or initiate an SSL connection. There are three possible scenarios for
SSL bridging:

• HTTP REQUESTS FORWARDED AS SSL REQUESTS ISA Server encrypts the client’s request for an
HTTP object and forwards it to the Web server. The Web server returns the encrypted object to
ISA Server. ISA Server decrypts the object and sends it to the client.
• SSL REQUESTS FORWARDED AS SSL REQUESTS ISA Server decrypts the client’s request for an SSL
object, encrypts it again, and forwards it to the Web server. The Web server returns the encrypted
object to ISA Server. ISA Server decrypts the object and sends it to the client.
• SSL REQUESTS FORWARDED AS HTTP REQUESTS ISA Server decrypts the client’s request for an
SSL object and forwards it to the Web server. The Web server returns the HTTP object to ISA
Server. ISA Server encrypts the object and sends it to the client.
For example, SSL requests can be forwarded as HTTP requests in a reverse publishing scenario. In
this case, the Internet user makes an SSL request to the ISA Server for an internally published Web
site. Then, ISA Server decrypts the request and forwards it as an HTTP request to the internal server.
Internal clients can also benefit from SSL bridging. Normally, when a client makes an HTTPS
request to a destination server, the ISA Server uses SSL tunneling which establishes a direct
connection between the server and client. For clients that support secure communication with the ISA
Server, requests are first decrypted at the ISA Server. The ISA Server checks the cache to see if the
resource is available locally. If it is not, the ISA Server makes a new request to the destination server.
The new request may be HTTP or HTTPS depending on the routing rules.
High Availability
Not only does a firewall secure a network, it must ensure that network services are available for both
internal and external customers. ISA Server provides high availability and reliability through ISA Server
arrays (Enterprise Edition only) and bandwidth rules.
ISA Server Arrays
You can combine multiple ISA Servers as a single logical cache in a grouping of ISA Servers called
an array (Enterprise Edition only). For Web Proxy Clients, a queryless protocol, referred to as the
Cache Array Routing Protocol (CARP), makes efficient caching possible in even the largest of
enterprises.
CARP is queryless, making unlimited scaling of the array possible without negatively affecting
network performance. CARP’s high-speed hashing algorithm allows downstream clients or ISA Servers
specifying a server in an array to store and retrieve a cached object eliminating duplication of cached
objects. ISA Server uses CARP, rather than the more common ICP (Internet Cache Protocol) primarily
because of CARP’s increased performance and scalability.
For SecureNAT and Firewall clients, ISA Server arrays can use the Network Load Balancing
features of Windows 2000. Network Load Balancing provides increased scalability, performance, and
availability.
Bandwidth Rules
Windows 2000 includes a QoS feature providing a minimum level of bandwidth for network
applications. ISA Server utilizes the QoS service allowing you to specify special bandwidth priorities for
specific protocols. Bandwidth rules assign a number to each protocol. Protocols with higher numbers
receive a higher priority when bandwidth is tight. For example, you might configure real-time
communication to have the highest priority so that it is not interrupted by a surge in HTTP access.
DETECTING INTRUSIONS AND REACTING
Detecting an intrusion is equally as important as preventing one. Consider the locks on your office door
and the alarm system that monitors the interior. The locks help prevent an intrusion, while the alarm
system detects one. Ideally, of course, no one ever breaks in; however, prudent security practices
dictate that you should monitor for intrusions and alert the authorities upon the discovery of an intruder.
This same principle applies to your network security. Your security policy must consider the impact of
an intrusion and provide a method for detecting one. When an intrusion occurs, the persons
responsible for security in your organization must be alerted, so they can eliminate the vulnerability in
your network security.
Good intrusion detection necessitates predicting vulnerabilities using tools that continually monitor
the network for threats. Some obvious vulnerabilities are simply a characteristic of a particular piece of
software or a service. For example, the ability to scan a computer for open IP ports is an unavoidable
vulnerability due to the idiosyncrasies of the IP protocol. Additionally, unknown vulnerabilities exist that
nevertheless must be predicted. Consider, for example, a buffer overflow attack on a DNS server: if an
anomaly exists in the DNS server, sending a command with a long hostname could cause the DNS server
to crash. It is the responsibility of intrusion detection software to monitor a network for attempts to
exploit a known or unknown vulnerability.
ISA Server includes intrusion detection, based on technology from Internet Security Systems (ISS),
which monitors for several well-known vulnerabilities. ISA Server detects intrusions at two different
network layers. First, ISA Server detects intrusions at the IP packet layer. This enables ISA Server to
detect vulnerabilities that are inherent to the IP protocol. Second, ISA Server uses application filters to
detect intrusions at the application layer. You can use third-party application filters to add more
intrusion detection or create your own application filters, using the filter APIs defined in the ISA Server
SDK.
Upon detecting an intrusion, ISA Server fires a predefined alert. Alerts can be configured to send an
email message, run a program, report to the event log or start and stop services on the ISA Server.
You can also define thresholds for alerts that prevent random detections that pose no immediate
danger.
Intrusion Detection at the IP Packet-layer
The IP packet filtering engine in ISA Server provides intrusion detection for well-known IP
vulnerabilities. The IP vulnerabilities are exploited to scope information about a network, disable it, or
trick a firewall into allowing access to the network.
ISA Server’s IP packet filtering engine detects the following IP vulnerabilities:
• WINDOWS OUT-OF-BAND This is a denial-of-service attack used to disable a Windows network. If
successful, the attack causes the computer to crash or makes the network interface unavailable.
• LAND ATTACK The land attack causes the networking on a susceptible computer to loop and
eventually crash. The attacker creates an IP packet with a spoofed (fake) IP address and source
port that matches the destination IP address and destination port.
• PING OF DEATH The Ping of Death attack uses an exceptionally large ICMP echo packet. The
target computer attempts to respond, causing a buffer overflow that crashes the computer.
• PORT SCAN A method that attackers use to scope the open IP ports on a target computer or
network. The intrusion detection engine detects multiple attempts to connect to IP ports and sends
an alert. You can specify a threshold for connection attempts before an alert is activated.
• IP HALF SCAN The IP Half Scan method is used to avoid detection. TCP communication uses a
three-step process to establish a connection. The IP half scan completes only half the connection,
avoiding detection. The intrusion detection engine detects the half connections and activates an
alert when a threshold is met.
• UDP BOMB This attack uses a UDP packet with incorrect values that cause susceptible operating
systems to crash.
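The following is an added example, not ISA Server's engine: detection logic for three of the packet-layer signatures above (land attack, port scan with a connection-attempt threshold, and IP half scan with a threshold), run over a constructed stream of TCP packet records. The thresholds, addresses and packet stream are assumptions for the example.

```python
"""Added example, not ISA Server code: a packet-layer detector for the land
attack, port scans and IP half scans described above. Alerts fire once per
source and signature; a land packet is dropped, everything else passes."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class TcpPacket:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    flags: frozenset = frozenset()       # subset of {"SYN", "ACK", "RST"}


class PacketLayerIds:
    def __init__(self, port_scan_threshold=10, half_scan_threshold=5):
        self.port_scan_threshold = port_scan_threshold
        self.half_scan_threshold = half_scan_threshold
        self.ports_seen = defaultdict(set)   # src_ip -> distinct destination ports tried
        self.pending = {}                    # flows that have sent SYN but not finished
        self.half_scans = defaultdict(int)   # src_ip -> flows torn down after SYN/ACK
        self.fired = set()                   # (signature, src_ip) already alerted
        self.alerts = []                     # alerts in the order they fired

    def _alert(self, signature, src_ip):
        if (signature, src_ip) not in self.fired:
            self.fired.add((signature, src_ip))
            self.alerts.append((signature, src_ip))

    def inspect(self, p: TcpPacket) -> str:
        # LAND ATTACK: spoofed source address and port equal the destination's
        if p.src_ip == p.dst_ip and p.src_port == p.dst_port:
            self._alert("land_attack", p.src_ip)
            return "drop"
        key = (p.src_ip, p.src_port, p.dst_ip, p.dst_port)
        if "SYN" in p.flags and "ACK" not in p.flags:
            # first handshake step: remember the flow and count the port tried
            self.pending[key] = True
            self.ports_seen[p.src_ip].add(p.dst_port)
            if len(self.ports_seen[p.src_ip]) >= self.port_scan_threshold:
                self._alert("port_scan", p.src_ip)
        elif key in self.pending:
            if "ACK" in p.flags:             # third step completes the connection
                del self.pending[key]
            elif "RST" in p.flags:           # reset instead of ACK: half the connection
                del self.pending[key]
                self.half_scans[p.src_ip] += 1
                if self.half_scans[p.src_ip] >= self.half_scan_threshold:
                    self._alert("ip_half_scan", p.src_ip)
        return "pass"


def run_sample():
    """Feed a constructed packet stream through the detector; return it and the verdicts."""
    ids = PacketLayerIds(port_scan_threshold=10, half_scan_threshold=5)
    syn, ack, rst = frozenset({"SYN"}), frozenset({"ACK"}), frozenset({"RST"})
    external = "203.0.113.1"                 # the firewall's external address (constructed)
    stream = [
        # a land packet: source equals destination address and port
        TcpPacket(external, 139, external, 139, syn),
        # a legitimate client completing its three-step handshake
        TcpPacket("192.0.2.9", 50000, external, 80, syn),
        TcpPacket("192.0.2.9", 50000, external, 80, ack),
    ]
    # a scan over ten distinct ports from one source
    for i, port in enumerate(range(1, 11)):
        stream.append(TcpPacket("198.51.100.20", 40000 + i, external, port, syn))
    # a half scan: SYN, then RST instead of the final ACK, on five ports
    for i, port in enumerate((21, 22, 25, 80, 443)):
        stream.append(TcpPacket("198.51.100.30", 41000 + i, external, port, syn))
        stream.append(TcpPacket("198.51.100.30", 41000 + i, external, port, rst))
    verdicts = [ids.inspect(p) for p in stream]
    return ids, verdicts
```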
Intrusion Detection at the Application Layer
ISA Server provides built-in support that detects DNS and POP protocol intrusions. You can create
additional intrusion detection filters using the application filters interfaces in the ISA Server SDK or you
can add an intrusion detection filter from a third-party provider.
The DNS intrusion detection filter detects the following known DNS exploits:
• DNS HOSTNAME OVERFLOW An overflow occurs when the actual length of a message is greater
than the expected length. The targeted computer does not handle the exception and crashes, or
executes an undesired behavior. The DNS hostname overflow occurs when a DNS server returns
a hostname that is longer than the expected length.
• DNS LENGTH OVERFLOW A DNS application expects a hostname lookup response to contain a
four-byte length field. The DNS length overflow occurs when the length of the field is longer than
four bytes.
• DNS ZONE TRANSFER FROM PRIVILEGED PORTS (1-1024) A malicious user executes a zone transfer
to gather a list of all the hostnames in a domain. In most cases, it is unwise to share the internal
list of hostnames with Internet users. This filter detects when an Internet user attempts to execute
a zone transfer using one of the privileged ports.
• DNS ZONE TRANSFER FROM HIGH PORTS (ABOVE 1024) This filter detects when an Internet user
attempts to execute a zone transfer using one of the high (unprivileged) ports.
Detecting other Critical Events
You can use ISA Server’s built-in events to detect Intrusions or server problems that might result in
vulnerability. ISA Server’s events allow you to define the conditions that trigger an alert. Server Events
include detected intrusions, server failures, dropped packets, and log in or authentication failures.
Reacting to Events with Alerts
Once an event is triggered, ISA Server checks the list of alerts for an action to perform. Actions
include: sending an email, running a program or a custom script, creating a log entry, or stopping and
starting services.
ISA Server has predefined alerts for all event types. Alerts can be modified to perform the action
appropriate for your network. The following options are configurable for each individual alert:
• SEND EMAIL You can send alert messages to a specific SMTP server, to primary recipients, and to
carbon-copy recipients. Additionally, you can specify a reply address for the alert message.
• RUN PROGRAM An alert can execute a program under the service account or under an account
specified in the alert configuration.
• REPORT TO EVENT LOG This option allows you to control whether or not an event log entry is
created for the alert.
• START AND/OR STOP SERVICES You can specify one or more of the ISA Server services to start or
stop when an event occurs.
ISA Server allows you to specify when an alert is issued. You can specify the number of occurrences
and the number of events per second before an alert is issued. After the initial alert, you can specify
when the alert will be triggered a second time. The options include: immediately, after a manual reset,
or a specified amount of time in minutes.
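As an added example (not ISA Server code), the following alert gate models the options just described: an occurrence count and an events-per-second rate that must both be reached before the alert is issued, and after the initial alert one of the re-trigger options "immediately", "manual_reset" or "after_minutes". That the occurrence count restarts after each alert is an assumption of the example.

```python
"""Added example, not ISA Server code: decides when an alert is issued for a
stream of events, applying the occurrence, events-per-second and re-trigger
options described above. Timestamps are seconds and must be non-decreasing."""
from collections import deque


class AlertPolicy:
    def __init__(self, occurrences=1, events_per_second=None,
                 retrigger="immediately", minutes=0):
        if retrigger not in ("immediately", "manual_reset", "after_minutes"):
            raise ValueError("unknown re-trigger option: " + retrigger)
        self.occurrences = occurrences              # events needed before an alert
        self.events_per_second = events_per_second  # None means no rate condition
        self.retrigger = retrigger
        self.minutes = minutes                      # only used with "after_minutes"
        self.count = 0                              # occurrences since the last alert
        self.window = deque()                       # timestamps within the last second
        self.last_alert = None                      # when the last alert was issued
        self.armed = True                           # cleared by an alert, set by reset()

    def reset(self):
        """Manual reset by the administrator; re-arms a "manual_reset" alert."""
        self.armed = True

    def on_event(self, ts):
        """Record one event at time ts; return True if an alert is issued for it."""
        self.count += 1
        self.window.append(ts)
        while ts - self.window[0] > 1.0:            # forget events older than one second
            self.window.popleft()
        if self.count < self.occurrences:
            return False
        if self.events_per_second is not None and len(self.window) < self.events_per_second:
            return False
        if self.last_alert is not None:            # a repeat: apply the re-trigger option
            if self.retrigger == "manual_reset" and not self.armed:
                return False
            if self.retrigger == "after_minutes" and ts - self.last_alert < self.minutes * 60:
                return False
        self.last_alert = ts
        self.armed = False
        self.count = 0          # assumption: occurrences are counted afresh after an alert
        return True


def simulate(policy, timestamps):
    """Return, for each event timestamp, whether the policy issued an alert."""
    return [policy.on_event(t) for t in timestamps]
```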
FACILITATING OPERATIONAL REQUIREMENTS
Security policies must assure that operational requirements are met while maintaining network
security. A network administrator must weigh the importance of a specific functionality and its impact
on overall security before implementation. Often increasing the network functionality means exposing
the network to additional vulnerabilities. ISA Server provides several value-added capabilities that
allow secure use of popular network applications with minimal impact to overall security. Application
filters, Virtual Private Network (VPN) wizards, Web publishing, and server publishing capabilities add
significant and secure benefits to an organization’s network.
Application Filters
The following application filters enhance security for popular network applications:
• HTTP REDIRECTOR FILTER This filter intercepts HTTP traffic originating from Firewall clients and
SecureNAT clients, and either drops or redirects the request to the Web Proxy Service. Dropping
the requests enforces a security policy requiring Web clients to configure settings for the Web
Proxy to request HTTP content. Redirecting the packets provides Web clients transparent access
to the proxy service and the caching benefits of the Web proxy. In other words, no configuration is
required for the Web client, yet the client still benefits from the local Web cache, Web Proxy
Routing and CARP.
• FTP ACCESS FILTER FTP clients use port 21 to establish a connection to the server and request
data, but the connection back to the client uses port 20. The FTP Access Filter allows SecureNAT
clients to use the bi-directional FTP protocol. Firewall and Web Proxy clients do not require the
FTP Access Filter.
• SOCKS FILTER This filter intercepts SOCKS communication and forwards it to the firewall. This
enables non-Windows applications that are SOCKS 4.3 compatible to communicate through the
firewall. SOCKS requires configuration in the client software. Additional support for SOCKS 5.0 is
available via third-party filters.
• RPC FILTER The RPC filter allows you to publish internal RPC services to the Internet. A publishing
rule can direct all RPC traffic to a specific server or to an Exchange connection.
• STREAMING MEDIA FILTER This filter allows streaming media applications through the firewall. It is
compatible with Microsoft Windows Media (MMS), Progressive Networks protocol (PNM) and Real
Time Streaming Protocol (RTSP). In addition, this filter enables you to serve multiple clients by
splitting and redirecting live Windows Media streams to a Windows Media server pool, thereby
saving precious bandwidth on the external side.
• H.323 PROTOCOL FILTER The H.323 protocol filter allows conferencing applications like NetMeeting
3.0 through the firewall. The filter, which works with an H.323 Gatekeeper, adds several protocol
definitions to the ISA Server. It allows you to enable incoming and outgoing calls, and control
audio, video and application sharing.
Virtual Private Networks
ISA Server takes advantage of Windows 2000 Server’s built-in support for Virtual Private Networking.
Windows 2000 supports VPN connections based upon PPTP or a combination of L2TP and IPSec.
Both technologies provide either a secure connection over a public network, or a secure remote
access connection from a client across a public network.
ISA Server provides three wizards that make the configuration of VPN connections a simple process.
The wizards accomplish two tasks at once. First, the wizard configures an interface in the Routing and
Remote Access Service (RRAS) to establish a connection. It then creates the necessary inbound and
outbound IP Packet filters allowing PPTP or L2TP based connections.
The following wizards create VPN connections:
• LOCAL ISA VPN WIZARD This wizard establishes a local routing interface for a network-to-network
VPN circuit. The wizard collects the information necessary to initiate or accept the connection. The
wizard prompts you for the parameters of the remote network including the IP addresses. You
specify if either server or only the remote network will initiate communication. After all the
information is collected, the wizard configures the local ISA server creating a password protected
configuration file. This file can be transferred to the remote ISA server for automatic configuration.
• REMOTE ISA VPN WIZARD The remote wizard uses the configuration file created by the VPN wizard
run on the remote ISA server. This configuration file is password protected which keeps the
information private during transit. The remote wizard prompts for the configuration file and
establishes the VPN connection using the provided parameters.
• SET UP CLIENTS TO ISA SERVER VPN WIZARD This wizard configures the local ISA server to accept
connections from remote access clients. This option allows remote users to connect to the network
over the Internet using any Internet Service Provider.
After using the ISA Server wizards to configure a VPN connection, you can reconfigure the
connections, using RRAS.
The VPN wizard establishes a routing interface and a demand-dial connection for network-to-network connections. Additionally, it establishes VPN connection ports for client VPN connections.
Web Publishing
ISA Server allows you to publish internal Web servers on the Internet and cache the content for a
quicker response to client requests. By configuring the ISA Server with the IP address of your Web
site, requests are directed to the Web Proxy Service. The Web Proxy Service answers the request,
compares it to publishing, site and content rules, and routing rules, and determines what action to take.
Web publishing rules define which IP addresses or domain names are answered and redirected to
internal Web servers. If the request fits a publishing rule, the request is passed through the Web Proxy
Service, where it encounters Web Proxy routing rules and finally bandwidth rules. When possible, ISA
Server resolves the request from its cache. Otherwise, the requests are forwarded downstream to an
internal Web server, located behind the ISA Server computer.
When a request matches the destination specified in a Web publishing rule, an action occurs. The
action might be to discard the request or redirect it to an internal Web server. If the rule redirects the
request, a Web server can be specified by domain name or IP address. Additionally, you can configure
requests for the standard HTTP, HTTPS, and FTP ports to something other than the defaults.
Incoming HTTP or SSL requests can be redirected to the internal server as HTTP, SSL, or FTP
requests. You can specify a certificate for authenticating to the SSL Web server. Redirected FTP
requests result in HTML rendered pages.
Server Publishing
ISA Server allows you to publish other Internet services using a feature called server publishing.
Server publishing is to incoming requests as protocol rules are to outgoing requests. In fact, server
publishing rules use inbound protocol definitions just as protocol rules use the outbound protocol
definitions. The difference is that when an incoming request matches a server publishing rule, it is
redirected to another server or another port on the ISA Server. Server publishing rules can be
restricted by a client address set if they are not intended for all Internet users.
Server publishing rules are easy to configure. You only need to specify the external IP address on
the ISA Server that will answer the request and the internal IP address of the server providing the
service. The protocol definition defines which ports to answer and forwards the request to the internal
server. Server publishing makes use of SecureNAT, so there is no need to reconfigure or install
software on the internal server in order to publish services.
INSIDE ISA SERVER ARCHITECTURE
ISA Server Components
ISA Server is comprised of several services, each providing different functions in the firewall
architecture. These services are closely integrated with Windows 2000 providing a robust architecture.
Depending upon the options selected at installation, all or some of the services are present (See
Figure 2 ISA Server architecture).
Figure 2 ISA Server architecture
The ISA Server Control Service is a Windows 2000 service that handles starting and restarting the
other ISA Server services. It manages synchronization of configuration information in ISA Server
Arrays, updating client configuration files and deleting unused log files. The Control Service generates
alerts and executes actions in response to server security and health conditions.
The ISA Server Firewall Service responds to requests from Firewall and SecureNAT clients. It acts
as a secure router, routing permitted IP traffic between the external and internal networks. The Firewall
Service also makes use of an application filter to intercept HTTP requests and redirect them to the
Web Proxy service. This service is present only when ISA Server is installed in firewall or integrated
mode.
The Web Proxy Service handles requests from HTTP, FTP, and Gopher clients. It makes requests to
origin servers on behalf of clients. The Web Proxy Service caches content locally and determines
when the requests are served from the local cache. This service is present when ISA Server is
installed in cache or integrated mode.
The Scheduled Cache Content Download Service downloads HTTP content into the cache on a
schedule predetermined by the administrator. Once in the cache, requests for the content can be
retrieved from the local network instead of transporting them across the upstream link. This service is
present when ISA Server is installed in either cache or integrated mode.
The H.323 Gateway Service is an optional component that provides a directory and router for
internal H.323 clients such as NetMeeting 3.0 or higher.
Multilayer Firewall
Firewalls control access at several different communication layers:
• IP packet filtering
• Circuit-level filtering
• Application-level filtering
• Dynamic packet filtering
Each layer has advantages and disadvantages that balance increased security against maximum
performance. ISA Server makes the best use of all four firewall design strategies to provide an efficient
and secure firewall.
IP Packet Filtering
IP packet filtering works by intercepting and evaluating packets prior to allowing passage through the
firewall. Any packets allowed through must meet conditions specified by the administrator. If a packet
is denied passage through the firewall, it is dropped. IP packet filters control access by source and
destination IP addresses, communication protocol, and the IP port (communication channel) used.
ADVANTAGES
• IP packet filters are fast, since little processing is required to inspect each packet and compare it
to the rule set.
• IP packet filters are pessimistic. All packets are dropped unless explicitly permitted.
• No configuration is required on the client to process IP packet filters.
DISADVANTAGES
• IP packet filters do not inspect the information they transfer. For example, IP packet filters cannot
block specific e-mail addresses from sending or receiving SMTP mail.
• IP packet filters cannot manipulate the packet as it passes through the firewall.
Circuit-Level Filtering
The second level of access control is circuit-level. At this level, the firewall monitors communication
sessions between computers on different networks. The firewall verifies a session by determining
whether a data packet is a connection request, belongs to an existing connection, or is part of a virtual
circuit between two peer transport layers. If a session is valid, communication is permitted through
the firewall. A common example of this method is allowing internal clients to establish connections to
the Internet using specific protocols such as FTP. The return connection completes the communication.
ADVANTAGES
- Circuit-level filters are faster than application filters, as less processing needs to occur for
  each packet.
- Circuit-level filters are pessimistic. All packets are dropped unless explicitly permitted by a rule.
DISADVANTAGES
- Circuit-level filters do not inspect the information they transfer. As with IP packet filters,
  specific e-mail addresses cannot be blocked from sending and receiving SMTP mail.
- Caching is not available with circuit-level filters.
- Authentication is not available with circuit-level filters, unless the request originates from a
  Firewall client.
Application-Level Filtering
Access can also be controlled at the application level. By understanding an application's
communication protocol, the firewall uses inherent intelligence to protect against dangerous or
inappropriate communication. Only those packets that comply with the protocol's definitions are
allowed passage through the firewall. For example, the firewall might understand and inspect SMTP
communication to protect against illegal commands or inappropriate content. Additionally,
application-level firewalls can provide detailed session logs and user authentication.
ADVANTAGES
- Application-level filters are intelligent enough to inspect the information passing through the
  firewall. Therefore, these filters can close application-specific vulnerabilities.
- Firewall rules can specify application-specific resources to grant or deny access. For example, an
  SMTP filter might deny executable attachments.
DISADVANTAGES
- Some performance degradation is inherent in application-level filters, due to the extra processing.
- Each application type must have an application-level filter configured to inspect or proxy the
  communication.
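As an added illustration of the SMTP example above (constructed for this page, not code from ISA Server or the white paper), here is a minimal application-level filter that parses a message and denies it when the sender is on a block list or an attachment carries an executable extension. The sample message, the blocked sender and the extension list are constructed values.

```python
import email
import os
from email import policy
from email.utils import parseaddr

# Constructed sample message: one text part and one executable attachment.
SAMPLE_MESSAGE = b"""\
From: alice@example.test
To: bob@example.test
Subject: report
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/plain

see attached
--XYZ
Content-Type: application/octet-stream; name="tool.EXE"
Content-Disposition: attachment; filename="tool.EXE"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA
--XYZ--
"""

# Policy the hypothetical filter enforces (constructed values).
BLOCKED_SENDERS = {"spammer@example.test"}
BLOCKED_EXTENSIONS = {".exe", ".com", ".bat", ".scr", ".pif", ".vbs"}


def blocked_attachments(msg) -> list:
    """Filenames of attachments whose extension is on the block list."""
    hits = []
    for part in msg.walk():  # visits every MIME part of the parsed message
        name = part.get_filename()
        if name and os.path.splitext(name)[1].lower() in BLOCKED_EXTENSIONS:
            hits.append(name)
    return hits


def smtp_filter_verdict(raw_message: bytes) -> tuple:
    """Return ("allow", "") or ("deny", reason) after parsing the message content."""
    # A packet or circuit-level filter cannot reach either decision: it never parses the message.
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    sender = parseaddr(str(msg.get("From", "")))[1].lower()
    if sender in BLOCKED_SENDERS:
        return ("deny", "sender %s is blocked" % sender)
    bad = blocked_attachments(msg)
    if bad:
        return ("deny", "executable attachment: " + ", ".join(bad))
    return ("allow", "")
```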
Dynamic Packet Filtering
The final method of filtering data through a firewall is dynamic packet filtering. This type of filtering has
the ability to dynamically manipulate the firewall rules in response to user requests. When a client
makes a request for information through the firewall, IP packet filters are opened for the duration of the
communication to allow a response from the server. When the communication ends, these temporary
IP packet filters are removed. This is a highly secure method of filtering because only a minimum
number of specific IP packet filters are open at any given time.
ADVANTAGES
- Dynamic packet filters have the same advantages as IP packet filters, with the added advantage
  that only a minimum number of IP filters are open at any given time.
DISADVANTAGES
- Dynamic IP packet filters do not inspect the information they transfer. For example, dynamic IP
  packet filters cannot block specific e-mail addresses from sending and receiving SMTP mail.
- Dynamic IP packet filters cannot manipulate the packet as it passes through the firewall.
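To make the open-on-request, close-on-completion sequence concrete, here is an added simulation (constructed for this page, not ISA Server code) of a default-deny filter that opens an inbound filter only for the exact reply to a permitted outbound request and removes it when the session closes. The model is simplified, and the addresses and ports used in the test are constructed sample values.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


class DynamicPacketFilter:
    """Simplified default-deny packet filter with temporary return filters (constructed model)."""

    def __init__(self):
        self.static_allow = set()   # administrator rules: (dst_port, proto) permitted outbound
        self.dynamic_allow = set()  # temporary inbound filters, one 5-tuple per open session

    def allow_outbound(self, dst_port, proto="tcp"):
        """Static, administrator-defined permission for outbound traffic."""
        self.static_allow.add((dst_port, proto))

    @staticmethod
    def _reply_tuple(pkt):
        # The only inbound packet the session should produce: the exact reverse 5-tuple.
        return (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port, pkt.proto)

    def outbound(self, pkt):
        """Evaluate a client request; on success open the matching return filter."""
        if (pkt.dst_port, pkt.proto) not in self.static_allow:
            return False  # pessimistic: nothing passes unless explicitly permitted
        self.dynamic_allow.add(self._reply_tuple(pkt))
        return True

    def inbound(self, pkt):
        """Inbound packets pass only through a currently open dynamic filter."""
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port, pkt.proto)
        return key in self.dynamic_allow

    def close(self, pkt):
        """Session over: remove its temporary filter so the port is closed again."""
        self.dynamic_allow.discard(self._reply_tuple(pkt))

    def open_filter_count(self):
        """How many temporary filters are open right now."""
        return len(self.dynamic_allow)
```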
ISA Server uses a combination of all these filters in a hybrid design that delivers high performance
and strong security while offering the broadest set of features.
Incoming Requests
Incoming requests are processed in the following order (see Figure 3, Flow of inbound request
packets):
1. Packet filters
2. Web publishing rules/Server publishing rules
3. Routing rules
Figure 3 Flow of inbound request packets
Outgoing Requests
Outgoing requests are processed in the following order (see Figure 4, Flow of outbound request
packets):
1. Application filters
2. Protocol rules
3. Site and content rules
4. Routing rules/Firewall chaining
5. Packet filters
Figure 4 Flow of outbound request packets
Firewall Chaining
Requests from Firewall clients can be routed to upstream ISA Servers or Proxy 2.0 servers using
firewall chaining. Firewall chaining can specify that a dial-up entry be used for the direct or chained
connection. When configuring firewall chaining, you can specify the user name and password to be
used to authenticate to the upstream server.
Chained Authentication
Chained authentication is used when ISA Server is challenged for security credentials while routing a
request to an upstream server. Chained authentication is supported for requests routed to upstream
servers running Microsoft Proxy 2.0 or ISA Server.
Chained authentication begins when the downstream server requests the client to authenticate.
While the request is being routed to an upstream server, the upstream server may also request that
the client authenticate. ISA Server passes the client's authentication to the upstream server.
If the upstream server cannot validate the client's credentials, the downstream ISA Server may
pass its own security credentials in order to access the requested content. The security credentials
used to access the upstream server are defined when configuring firewall chaining.
Active Directory Integration
ISA Server Enterprise Edition provides integration with Active Directory for easy and consistent
management. Active Directory integration allows administrators to create enterprise policies and apply
them to all ISA Server arrays in an organization. When the enterprise policy is updated, the settings
are propagated via Active Directory replication to all locations on the network. Each array may apply
the enterprise policy to its own array policy.
When there are two or more ISA Servers in an array, their configuration is stored in an array policy
accessible by all of the servers. This eliminates the need to update the servers individually when the
array configuration needs to be changed.
SUMMARY
Microsoft Internet Security and Acceleration (ISA) Server provides enterprise-class firewall
protection for organizations of any size. Its sophisticated management features make it particularly
interesting to large organizations that have struggled previously with the administration of multiple
firewalls. Yet smaller organizations will enjoy its ease of configuration. ISA Server helps protect your
network with packet, circuit and application layer services, while even providing wizards that make
VPN tunneling simple and secure. ISA Server is a comprehensive firewall solution that has earned
ICSA certification and its place in your network.