Module 7: Advanced Application and Web Filtering Overview f © Advanced Application and Web Filtering Overview © Configuring HTTP Web Filters © Additional Application and Web Filters*Introduction f © Some of the most important features available in Microsoft® Internet Security and Acceleration (ISA) Server 2004 are application and Web filters. By implementing these filters, ISA Server administrators can configure very specific filtering of the traffic that flows through the computer running ISA Server. The filtering occurs at the application layer. For example, Hypertext Transfer Protocol (HTTP) filters can be configured to allow or block traffic based on file extensions or specific virus signatures. An ISA Server administrator needs ‘to be able to configure application and Web filtering to provide advanced protection for the organization's network. Lesson: Advanced Application and Web Filtering Overview f © What Is an Application Filter? © What Is a Web Filter? © Why Use Application and Web Filters? © Application and Web Filter Architecture*Introduction © A primary advantage of ISA Server over traditional firewalls is its ability to filter the application data in the network packets as they enter or leave the network. Application and Web filters provide this functionality. This lesson provides an overview of how application and Web filters work in ISA. Server 2004. What Is an Application Filter? Application filters can: Enable firewall traversal for complex protocols Enable protocol-level intrusion detection Enable protocol-level content filtering Application Server Generate alerts and log events*Introduction f © Application filters work with the firewall service in ISA Server to intercept and process network packets as they pass through ISA Server. Application filters examine the application-level data within those packets and then filter the packets based on firewall rules. What is an application filter? f © ISA Server application filters are implemented as Component Object Model (COM) - server dynamic link libraries (DLLs) in the process space of the firewall service. The firewall service in ISA Server 2004 runs in user mode. When the firewall service starts, all application filters that are registered with the firewall service are also loaded.© Application filters are add-ons to the firewall service. When a packet arrives, the firewall service uses firewall rules defined in the rules engine to check the packet. One check is to see if an application filter is associated with the protocol used by the packet. If there is, the firewall service passes the packet to the application filter for further inspection. An application filter can perform protocol-specific or system-specific tasks such as authentication and checking for viruses. © ISA Server includes many application filters, but also provides the application-filter application programming interface (API) that can be used to build custom application filters. *Application filter functionality © Application filters can be used in several different ways on ISA Server, including. Enabling firewall traversal for complex protocols Enabling protocol-level intrusion detection Enabling protocol-level content filtering Generating alerts and log eventsEnabling firewall traversal for complex protocols. Application fitters can extend the ability of ISA Server to handle complicated protocols that require more than a single transmission control protocol (TCP) connection. Some applications, such as fle transfer protocol (FTP) or media streaming applications, initiate a connection with a server using a specified port number. However, ‘once the initial connection has been established, the server and client negotiate one or more dynamic ports that will be used for further ‘communications. An application fiter can enable the firewall traversal of these protocols. The application filter enables ISA Server to track the negotiation between the client and server as they determine the secondary connections, and then ISA Server can dynamically configure the ports required for the secondary connections. An example of such a filter is the built-in FTP application filter that handles. all aspects of configuring a firewall to automatically allow a secondary FTP data channel. Enabling protocol-level intrusion detection. Application filters can examine the contents of application packets to check for protocol-level intrusion detection. A common example of this type of filtering is based on filtering commands to protect against buffer overflow attempts. ISA Server provides Post Office Protocol 3 (POP3), Simple Mail Transport Protocol (SMTP), and Domain Name System (DNS) application filters that provide this type of functionality.Enabling protocol-level content filtering. Application filters can parse high-level application protocols, look for actual data (the payload), and apply rules and processing based on the content. For example, you can use the feature to provide protocol-level syntax validation, antivirus scanning on file transfers, or scans of the content based on defined strings. The SMTP filter provided with ISA Server is an example of these types of application filters. Generating alerts and log events. Application filters can also be used to create alerts and log events based on the activity discovered by the application filter. For example, if a DNS application filter detects repeated attack attempts, the filter can create an alert or log the information.© Note: Many third-party vendors use application filters to implement features such as content filtering, access control, specialized authentication methods, and intrusion detection. Fora listing of many of the third-party products that are compatible with ISA Server, see http://www.isaserver.org and the Partners Web site at http:/www.microsoft.com/isaserver/partners. What Is a Web Filter? f Web filters can: ‘Scan and modify HTTP requests ‘Scan and modify HTTP responses web Block specified responses Server Log and analyze traffic Encrypt and compress data Implement custom authentication schemes re LL \*Introduction f © Web filters also extend the functionality of the firewall service in ISA Server by providing advanced filtering capability for hypertext transfer protocol (HTTP) packets as they pass through ISA Server. What is a Web filter? f © Web filters are DLLs that are based on the Internet Information Server (IIS) Internet Server Application Programming Interface (ISAPI) model. The Web filters are loaded by the Web proxy filter, which is an application filter. When a Web filter is loaded, it passes information to the Web proxy filter that specifies the types of events that the filter is configured to monitor. Each time one of those events occurs, the Web filter is notified.‘Web filter functionality f © Web filters can be used to perform a number of different tasks, including Request scanning and modification. A Web filter can scan HTTP client requests and modify or add a header to a request. For example, you could use a Web filter to add a cookie header to the request, or remove a header sent by the client. Response scanning and modification. Web filters can scan and modify the server responses. For example, during link translation, ISA Server substitutes the externally accessible server names for the internal names. The link translation filter included with ISA Server is a Web filter. Block specific responses. Web filters can be used to block access to particular sites based on the content of the server response. These features can also be used to scan HTTP packets for viruses. Traffic logging and analysis. Web filters can be used to log specific information about HTTP traffic and to create reports based on the logged informationData encryption or compression. Web filters can be used to apply custom data encryption or compression schemes to HTTP packets. Custom authentication schemes. Microsoft Office Outlook® Web Access (OWA) forms-based authentication, RSA SecurlD authentication, and Remote Authentication Dial-In User Service (RADIUS) authentication are all implemented as Web filters in ISA Server. Third-party vendors can use Web filters to implement additional authentication schemes. Why Use Application and Web Filters? Application and Web filters provide: © Protection against malicious code by blocking packets that have worm or virus characteristics © Protection against user actions by blocking the download of harmful programs or ensuring that some types of data do not leave the network © Protection against specific network connections by blocking connection attempts by specific applications © Integration with third-party or custom filters that have been developed using the application filter API or the Web filter API*Introduction f © Application and Web filters provide an extra layer of security for a network. These filters can examine every packet that flows through ISA Server and filter the packets based on the results of that inspection. This ensures that the packets, which may be exploit attempts or just unwanted information, never reach the target computer. “Benefits of using application and Web filters f © Application and Web filters provide many benefits including: Protection against malicious code Protection against user actions Protection against specific network communication Integration with third-party or custom fittersProtection against malicious code. You can use application-layer filters to stop random attacks from sources such as viruses and worms. When a new worm or virus is released, you can identify the characteristics by which the worm or virus spreads and then use an application or Web filter to block the virus. For example, if a worm uses a particular file extension in its attack, you can configure the SMTP filter or the HTTP filter to block this extension. Protection against user actions. You can also use application-layer filtering to protect your network and systems from the harmful actions of unaware employees. For example, you can configure filters that prevent potentially harmful programs from being downloaded via the Internet or ensure that critical customer data does not leave the network in an e-mail. Intemal security issues ‘such as these are as critical as external threats to your organization's network.Protection against specific network communication. Application-layer filtering can also more broadly limit employee actions on the network. ISA Server 2004 includes filtering capability that can restrict common types of inappropriate communication on your network such as peer-to-peer file-exchange services. The filtering capabilities of ISA Server can limit these and other types of undesirable network communication. Integration with third-party or custom filters. ISA Server 2004 includes an application programming interface (API) that can be used by your in-house programmers or third-party vendors to create custom filters that can deal with almost any new attack.Application and Web Filter Architecture ara Filters: |Web Filter API Web Proxy [2] Application Filter Filters | Application Filter API Firewall. (4] 1] service*")’ Rules — Engine Firewall Engine *"| eo *Introduction © Application and Web filters run in user mode within the firewall service on ISA Server 2004. The application- and Web-fltering architecture is designed to provide high performance as well as easy extensibility.“Application and Web filter architecture f © The application- and Web-filtering architecture includes the following components: Application filter API. This API is located above the firewall service and is used by the firewall services to pass packets to the application filters. This API provides a layer of abstraction between the firewall service and the application filters, which enables developers to write additional application filters that will operate on specific application-layer protocols. Web proxy filter. The Web proxy filter manages all HTTP and Hypertext Transfer Protocol Secure (HTTPS) protocol requests and replies. In ISA Server 2000, the Web proxy is implemented as a service, but in ISA Server 2004, it is implemented as an application filter. This change provides a unified architecture for the proxy filter, which enables it to use the services of the firewall service, including caching.Web filter API. This API is located above the Web proxy filter and is implemented at a higher level than the application filter API. The application filter is concerned with support for TCP and User Datagram Protocol (UDP) sessions, connections, and sockets; the Web filter API deals only with the specifics of managing HTTP (and HTTPS) requests. The Web proxy filter takes care of the application filter issues for the Web filters. The Web filter API is similar to the IIS ISAPI filter API. *How application and Web filters work f © The following steps describe how a client request flows through a computer running ISA Server, including the application and Web filters. 1 Accient connects to the computer running ISA Server and requests a resource located on another network. The firewall engine performs packet filtering on the request and, if the request is allowed at that level, a connection is created and the packet is passed to the firewall service. The firewall service also examines the packet, including determining the application protocol used by the packet. The firewall service then checks the firewall rules to see if an application or Web filter is associated with the protocol used by the packet.2. If an application filter is associated with the protocol, the firewall service passes the request to the application filter. The application filter evaluates the request based on the filter configuration and either rejects or accepts the request. 3. If the request is using HTTP or HTTPS, the firewall service checks to see if a Web proxy filter is registered for this traffic. If itis, the firewall service passes the request to the Web proxy filter, where the request is evaluated based on the Web filter configuration. The Web filter either accepts or rejects the request. 4. If the request is accepted by either the application filter or the Web filter, it is passed back to the firewall service and out the network interface to the destination server. Lesson: Configuring HTTP Web Filters f © HTTP Web Filtering Overview © How to Configure HTTP Web Filter General Properties © How to Configure HTTP Web Filter Methods © How to Configure HTTP Web Filter Extensions © How to Configure HTTP Web Filter Headers © How to Configure HTTP Web Filter Signatures © How to Identify an HTTP Application Signature e Best Practice: HTTP Filter Configuration for Web Publishing*Introduction © Almost all organizations allow users on the internal network to use HTTP to access Web resources. Most organizations also allow HTTP traffic into the network as Internet users access internal Web resources. The fact that HTTP is so widely used means HTTP-based attacks have become increasingly popular and sophisticated. Itis, therefore, critical to examine all HTTP traffic entering or leaving the organization’s network. This lesson describes how to implement and manage HTTP filtering in ISA Server 2004 HTTP Web Filtering Overview Use HTTP filtering to: ‘© Filter traffic from internal clients to other networks Filter traffic from Internet clients to internal Web servers HTTP filtering is rule specific so you can configure different filters for each access or publishing rule HTTP filters enable filtering of HTTP packets based on several criteria*Introduction f © One of the most important Web filters included with ISA. Server 2004 is the HTTP filter. Many Internet applications now use HTTP to tunnel the application traffic. For example, Microsoft MSN® Messenger uses HTTP as the application- layer protocol. The only way to block these types of applications without blocking all HTTP traffic is to use HTTP filtering, *HTTP filtering scenarios f © HTTP filtering can be applied in two general scenarios: Clients on an internal network accessing HTTP objects on another network through ISA Server. This access is controlled by ISA Server access rules, to which an HTTP policy can be applied using the HTTP filter. Clients on the Internet accessing HTTP objects on a Web server that is published through ISA Server. This access is controlled by ISA Server Web publishing tules, to which an HTTP policy can be applied using the HTTP filter.© HTTP filtering is rule specific, so that you can apply different levels and types of filtering depending on the specific requirements of your firewall policy. For example, you can use HTTP filtering to block the use of a particular peer-to- peer file-sharing service for one set of users, but allow it for another set, or you can allow Internet users to use specific methods such as POST for one Web publishing rule, but deny the method on another Web publishing rule. e Note: HTTP filters can also filter HTTPS traffic in a Web publishing Secure Sockets Layer (SSL) bridging scenario. In this case, ISA Server decrypts the packet and inspects it before re-encrypting the packet. HTTP filters cannot filter HTTPS traffic in an SSL tunneling scenario. For more details on configuring SSL bridging and tunneling, see Module 5, “Configuring Access to Internal Resources,” in Course 2824, Implementing Microsoft Internet Security and Acceleration Server 2004.*HTTP filter options f © The HTTP filter can block HTTP requests based on the following options: Length of request headers and payload. Limits the maximum HTTP header size and request body size for a client request. Length of Uniform Resource Locator (URL). Limits the maximum URL size for client requests. HTTP request method. Specifies the HTTP method, such as POST, GET, or HEAD, that will be blocked, HTTP request file name extension. Prevents the downloading of any content using HTTP based on file extensions such as .exe, .asp, or dll HTTP request or response header. Specifies how server headers will be returned or forwarded when the server responds to the client. For example, the request or response header may be Location, Server, or Via. Signature or pattern in the requester response headers or body. Specifies HTTP access based on ‘specific strings in the response header or body.© The HTTP filter is initially configured with defaults that help ensure secure HTTP access. However, depending on the specific deployment scenario, these options should be customized © Note: To fully understand how the HTTP filter works, you need to understand how HTTP works. For more information on the HTTP protocol, see Request for Comments (RFC) 2616: Hypertext Transfer Protocol HTTP/1.1, located at http://www ietf.org/rfc/rfc2616.txt. How to Configure HTTP Web Filter General Properties a Configure maximum See een cer ength = on erent se oom earth re = St et te ( Configure maximum —— seray essen payload length someantedingh a enn gseyingh bet — Configure maximum Re carraee URL and query length*Introduction f © HTTP filters are applied on a per-rule basis. To configure the HTTP filters on a particular access rule or Web publishing tule, modify the HTTP policy for that rule. © Important: The one exception to the per-rule application of the HTTP filter is the Maximum headers length setting on the General tab of the Configure HTTP policy for rule dialog box. This setting is applied to alll rules globally, which means that if you change it in one tule, it is changed in all rules. Configuring HTTP policy general properties f © To access the HTTP policy associated with a specific rule, right-click the rule in ISA Server Management and select Configure HTTP. © The following table describes the configuration options available on the General tab of an HTTP policy. Setting ConfigurHow to Configure HTTP Web Filter Methods (Configure allowed or blocked Set TTP methods betes ea pect*HTTP Methods f © An HTTP method (also known as an HTTP verb) is an instruction sent in a request message that notifies an HTTP server of the action to perform on the specified resource. For example, .GET. specifies that a resource is being retrieved from the server. The following table lists the HTTP 1.1 methods defined in RFC 2616. Method __Description cified Uniform R. HEAD f the specified URI Pos’ pt the enclosed information, such as a bul PUT DELETE RACE information as the specifi © (use for diagnost *Configuring HTTP policy methods f © To configure HTTP methods, follow this procedure. 1 To access the HTTP policy associated with a specific tule, right-click the rule in ISA Server Management and select Configure HTTP. 2. To modify the HTTP methods settings on the HTTP. policy, click the Methods tab.f 3. In Specify the action taken for HTTP methods, select one of the following. a. Allow all methods. No blocking according to method will be applied. b. Allow selected methods. All requests will be blocked except those with the specified methods. c. Block specified methods (allow all others). All requests will be allowed except those with methods specified in the list. 4. If you have selected either of the last two options, click Add to add a method to the list. 6. When you click Add, the Method dialog box opens. Provide the method (case-sensitive) and a description, and then click OK. © An example of blocking by method would be to block PUT so that internal clients cannot post data to an external Web page. This is useful in a secure network scenario where you want to prevent sensitive information from being posted on a Web site. This can also be useful in Web publishing, to prevent attackers from posting malicious material to your Web site.How to Configure HTTP Web Filter Extensions f (Configure allowed or blocked See ooo extensions tm eq fone sro Fett cate obsess a *How ISA Server determines extensions f © You can configure ISA Server to allow or deny HTTP downloads based on file extensions. When the HTTP filter is configured in this way, it analyzes each HTTP request to see if the request includes a configured extension. ISA Server considers an extension to be any character or characters that fall after the last period (.) of a URL and that end with a slash (/) or question mark (?) or the end of the URL if there is no slash or question mark. © In addition, if ISA Server identifies characters following a period that seem to be an extension (for example, .exe, .dll, or .com), the HTTP filter uses those as the extension. If there are multiple entries that appear to be extensions, ISA Server evaluates just the first extension.© The following table lists some examples of client requests and how ISA Server evaluates the extensions. Client quest Exter hap ext hitp://server/path/file.htm/additionalipath/info.asp asp In the last example listed in the table, if the HTTP filter allows exe extensions, the request will be allowed (even if the filter does not allow ext extensions). To work around this issue, configure a signature setting that denies the .ext signature in the URL. *Configuring HTTP policy for extensions f © To specify file extensions, follow this procedure. 1 To access the HTTP policy associated with a specific tule, right-click the rule in ISA Server Management and select Configure HTTP. 2. To modify the HTTP extensions settings on the HTTP policy, click the Extensions tab.3, In Specify the action taken for file extensions, select one of the following: a. Allow all extensions. No blocking according to requested file extensions will be applied. b. Allow selected extensions. All requests will be blocked except those with specified requested file extensions. c. Block specified extensions (allow all others). All requests will be allowed except those with requested file extensions specified in the list. Click Add to add an extension to the list. When you click Add, the Extension dialog box opens. Provide the extension (case-sensitive) and a description, and then click OK. Select Block requests containing ambiguous extensions if you want to block content when ISA Server cannot determine the extension.© A typical use of extension blocking is to block executable files such as .exe, .bat, or .cmd files. Another example is to use extension blocking to prevent worm attacks. For example, the Code Red Worm uses a header that included GET http///default ida?. so you could stop the ‘worm from entering the network by blocking .ida extensions. You can also use file extensions to enforce organizational policies that restrict the types of data that can be downloaded. How to Configure HTTP Web Filter Headers f Configure headers ieee at that will be blocked ~ Configure server header settings {Configure Via header settings*HTTP Headers f © When a client sends a request to a Web server, or when the server responds, the first part of that response is always the HTTP request or response. The HTTP request from the client includes the client's HTTP method (such as GET) as well as the URI that the client is requesting and the protocol version The server HTTP response contains the protocol version followed by a numeric status code and its associated textual phrase. For example, if the server responds with a 2xx code, the server is indicating that the request was successfully received, understood, and accepted. A 4xx code is a client error that indicates that the request contains bad syntax or cannot be fulfilled. © After the HTTP request or response, the client and server send an HTTP header. The request-header fields allow the client to pass additional information about the request, and about the client itself, to the server. Headers contain information about the client, including browser and operating system data, authorization information, and the format types that client supports for the server response. The client header can also use the User-Agent to indicate the specific application that is making the request. © You can use this header information to block HTTP packets.*Configuring HTTP policy for headers f e 1 2. 3. 4. To configure how the HTTP filter will manage headers, follow this procedure. To access the HTTP policy associated with a specific tule, right-click the rule in ISA Server Management and select Configure HTTP. To modify the HTTP headers settings on the HTTP policy, click the Headers tab. In Headers, list the headers that will be blocked. Click Add to add a header to the list. When you click Add, the Header dialog box opens. Specify whether the response or request header will be checked, provide the header, and then click OK. In Server Header, specify how the server header will be returned in the response. The server header is a response header that contains information such as the name of the server application and software version information, for example, HTTP: Server = Microsoft-IIS/6.0. The possible settings are: a. Send original header. The original header will be retumed in the response. b. Strip header from response. No header will be returned in the response. c. Modify. A modified header will be returned in the response. If you select this option, in Change to, type the value that will appear in the response.5. In Via Header, specify how the Via header will be forwarded in the request or returned in the response. Via headers provide a way for proxy servers in the path of a request to ensure that they are also included in the path of the response. Each server along the request's path can add its own Via header. Each sender along the response path removes its own Via header and forwards the response to the server specified in the next Via header on the stack. For example, you can use this feature to avoid disclosing the name of your computer running ISA Server in a response. The possible settings are a. Send default. The default header will be used. b. Modify header in request and response. The Via header will be replaced with a modified header. If you select this option, in the Change too box, type the header that will appear instead of the Via header. How to Configure HTTP Web Filter Signatures = cow |Mec|tsrses | Configure Blocked the corte cotanen bes ses signatures To 7 ee eee ecenaeet sr FT spans sectHTTP signatures f © An HTTP signature can be any string of characters in the HTTP header or body. To block an application based on signatures, you need to identify the specific pattems the application uses in request headers, response headers, and body, and then modify the HTTP policy to block packets based on that string e One of the difficulties in configuring the HTTP policy to block packets based on the signature is ensuring that the signature contains the specific information you need to block the chosen HTTP packet while not blocking other packets. For example, if you create an HTTP policy to block the word Mozilla,. You would block most Web browsers as well as other applications. This is because most Web browsers are Mozilla compatible and include this term in HTTP headers. In most cases, you should use a more application-specific string. For example, to block MSN Messenger, configure the tule to block User-Agent: MSN Messenger in the request header. e*Configuring HTTP policy for signatures f © To configure how the HTTP filter will manage signatures, follow this procedure. 1 To access the HTTP policy associated with a specific tule, right-click the rule in ISA Server Management and select Configure HTTP. 2. To modify the HTTP signatures settings on the HTTP policy, click the Signatures tab. The Signatures tab shows the signatures that will be blocked. 3. Click Add to add a signature to the list. In the Signature dialog box, in the Name text box, type a name for the signature search. cs Under Signature search criteria, in the Search in drop-down list, select the part of the client request or server response you want the Web filter to search. Then, in the Signature text box, type the string that you want to filter. 5. When you have added signatures to the list on the Signatures tab, you can enable or disable specific signatures using the check boxes next to the signature names. © Note: When you configure the HTTP policy to search the HTTP request body or response body, you can also specify how much of the body will be scanned for the signature and what format to use when scanning. By default, the filter will scan only the first 100 bytes of the request or response body. Increasing this number can negatively impact the server performance. You can also specify whether to search using text or binary format.© You can use HTTP signatures to block access to specific applications or to specific content. For example, if you configure the policy to block User-Agent: MSN Messenger in the request header, users will not be able to use MSN Messenger through the firewall. You can also block access to sites that might contain malicious code if you are aware of common malicious code. For example, a Web page containing