Wednesday, February 13, 2008

ISA Server 2004 Simply Complex

Your ISA firewall sucks. Never before have I seen such a perfect balance between overly complex and overly simple. Kudos.

Example: it's not uncommon to need to block an IP from reaching your server. With most firewalls this is absolutely trivial: you just block incoming traffic from the IP. Like so:

iptables -I INPUT -s xxx.xxx.xxx.xxx -j DROP

With a simple management tool like APF or Shorewall, it's very simple to maintain a list of IPs to block, typically by simply adding the IP to a file. Not real hard.
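As an added example (not from the post, and not APF's or Shorewall's own code) of the "just add the IP to a file" approach: a small POSIX shell script that keeps the blocklist in a dated text file, rejects malformed entries before they can become rules, renders the iptables command above for each valid IP, and reports entries added before a cutoff date so they can be unblocked later. The file path, line format and sample entries are constructed assumptions.

```shell
#!/bin/sh
# Blocklist kept as a plain file, one entry per line (constructed format):
#   <IPv4>  <YYYY-MM-DD added>  <free-text note>
# The date column is what the post wishes ISA's description field gave you.
BLOCKLIST="${BLOCKLIST:-$(mktemp)}"
cat >"$BLOCKLIST" <<'EOF'
# constructed sample entries (documentation address ranges)
203.0.113.7    2008-01-05  brute force on smtp
198.51.100.23  2008-02-12  port scan
not-an-ip      2008-02-12  typo, must be rejected
192.0.2.300    2008-02-13  octet out of range, must be rejected
EOF

# True only for a dotted-quad IPv4 address with every octet in 0..255,
# so a stray line in the file cannot turn into a malformed rule.
valid_ipv4() {
    printf '%s\n' "$1" | awk -F. '
        NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1 }'
}

# Print one "iptables -I INPUT -s <ip> -j DROP" line per valid entry
# (review, then pipe into sh to apply); bad entries go to stderr and are skipped.
render_rules() {
    grep -v '^[[:space:]]*#' "$1" | while read -r ip added note; do
        [ -n "$ip" ] || continue
        if valid_ipv4 "$ip"; then
            printf 'iptables -I INPUT -s %s -j DROP\n' "$ip"
        else
            printf 'skipping bad entry: %s\n' "$ip" >&2
        fi
    done
}

# Print the IPs added before CUTOFF (YYYY-MM-DD): candidates to unblock.
# ISO dates compare correctly as strings, so no date arithmetic is needed;
# on GNU systems a "30 days ago" cutoff is:  date -d '-30 days' +%F
expired_entries() {
    grep -v '^[[:space:]]*#' "$1" | awk -v cutoff="$2" '
        NF >= 2 && $2 < cutoff { print $1 }'
}

render_rules "$BLOCKLIST"
expired_entries "$BLOCKLIST" 2008-02-01
```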

And here's how we do it in ISA Server 2004 (as best I can tell):

1) Create a "Computer Set" in the GUI by expanding your server name, clicking Firewall Policy, and then in the right-hand panel choose the Toolbox tab, then click the Network Objects vertical tab thing, then right click on Computer Sets and choose New Computer Set. Name your computer set something like "Blocked External IPs". Click the Add button and in the dropdown menu that appears out of nowhere, choose either Computer or Address Range. I chose Address Range for maximum flexibility (random choice). Add the IP and make sure to include the date in the description field so that you can unblock the IP in the future (although I'm not sure that there's a way to report on the description field, so it might be a manual process, horf).

2) Right click on Firewall Policy in the right-hand pane, choose New, then choose Access Rule. In the wizard that appears, name your access rule something useful, like "testing", and click Next. When asked for the action to take when rule conditions are met, choose Deny, and click Next. Select "All outbound traffic" under "This rule applies to" on the Protocols page.

"Wait a sec. I want this rule to apply to INBOUND traffic!"

Not so fast, idiot. If you think about it, and really really think about it, there is only one kind of traffic, and its direction is completely relative. Sure in your case it's relative to you and your server, but you've really got to start thinking outside the box. All incoming traffic is really outgoing traffic from the internet to your server, dig? All outgoing traffic is traffic from your server to the net. Therefore, all traffic is outgoing. The formal proof of this concept can be downloaded from the Microsoft website, but you need to get through WGA to see it.

At any rate, we choose "All outbound traffic" to block the incoming traffic that is outgoing from the internet right into our server. On the next page in the wizard, you're asked for the source(s) that this awesome new rule applies to. Click the Add button, then choose Computer Sets, and then choose the computer set we created in step 1. Click Next. Now we must select the traffic destination for our rule, so click Add and then choose Internal Network Set from the Network Sets list. But wait, you might also choose Local Host or Internal from the Networks list. Or maybe All Protected Networks? I chose All Networks (and Local Host) just for the hell of it. That way, if the hacker tries hacking himself via my server, he'll be stopped. Or something. I don't really care.

Ok, finish the stupid wizard thing and you'll see your new access rule in your Firewall Policy. Note that the order in which rules appear in the policy is very important, and does not follow the logic you may already be familiar with.

Restart the firewall. Answer the phone and assure the dozen or so people who just got a popup saying that Outlook can't talk to the Exchange server that everything will be ok. Just ignore the popup thing. No really, I know all about it, it's ok.

To add another IP, simply add it to the Computer Set we created in the first step. Smooth sailing, my friend. (And then restart the firewall and answer the phone.)

What cracks me up about ISA is that it tries so hard to make the firewall easy to understand, but every time I look at this thing I have to figure out all over again what the hell is going on. I have no idea if this thing is really working.
