Peer-to-peer applications and instant messengers can present special threats to your network's security. Here's how you can use HTTP filtering with ISA Server 2004 to block these applications from communicating.
ISA firewall's HTTP security filter controls outbound access through the ISA firewall by acting as a regulator for allow rules that pass the HTTP protocol through the ISA firewall. This means that even if the rule allows the connection, the communications will be subjected to additional application layer inspection checks and only after they pass these checks does the ISA firewall allow the communication through.
You can also use the HTTP security filter to block many different instant messenger applications. Not only can the HTTP security filter be used to block instant messenger applications, you can also use it to block many dangerous peer-to-peer applications, such as eDonkey, eMule, Kazaa, Morpheus, Bearshare, or Bitorrent. In this article, I'll show you how it works.
Instant messenger caveats
One thing to keep in mind when using the HTTP security filter to block instant messenger and peer-to-peer applications is that control is exerted only when the client application uses the HTTP protocol. If the client is able to access the Internet using a protocol other than HTTP, then the HTTP security filter will not be able to stop the application. You must then be very careful about applying the principle of least privilege if you want to block applications that can also use other protocols to connect to the Internet.
This can be difficult if you don't use a well crafted outbound access control firewall policy. For example, some instant messenger and P2P applications will scan all ports or a large number of ports, before failing over to using HTTP to access the Internet. This means you need to configure your firewall policy so that access to protocols other than HTTP is limited to specific sites, or if users do not need access to protocols other than HTTP, then do not create any access rules allowing users access to those protocols.
Another method you can use for some of the instant messenger or P2P applications is to block a critical server or block of IP addresses that the client must connect to before it becomes fully operational. In this case, you won't use the HTTP security filter to block sites. Instead, you use Network Objects such as Domain Name Sets, URL Sets, Computer Sets, or even Networks and Network Sets.
HTTP security filter settings for common instant messenger and peer-to-peer applications
Tables A and B provide information on HTTP security filter settings you can use to block a number of instant messenger and peer-to-peer applications. In Table A, each of these settings is configured on the Signatures tab. The Search in column matches the selection you would select in the Search in drop down list. The HTTP header column includes information you enter into the HTTP header text box. The entries in the Signature column are the strings you enter into the Signature text box.
Table B includes settings you make on the Headers and Extensions tabs. The Location column includes the name of the tab where you configure the settings.
To demonstrate how to configure the settings, I'll show you how to set the HTTP security filter to block MSN Messenger and BitTorrent extensions. At the ISA firewall console, right click the Access Rule you created earlier and click the Configure HTTP command to access the Configure HTTP policy for rule dialog box. Then perform the following steps:
- In the Configure HTTP policy for rule dialog box, click the Signatures tab.
- On the Signatures tab, click the Add button.
- In the Signature dialog box, enter MSN Messenger in the Name text box. Select the Request headers option from the Search in drop down list. In the HTTP header text box, enter User-Agent: In the Signature text box, enter MSN Messenger. Your Signature text box should look like that in the figure A. Click OK.
- Click the Extensions tab. On the Extensions tab, select the Block specified extensions (allow all others) option from the Specify the action taken for file extensions drop down list. Click the Add button.
- In the Extension dialog box (Figure B), enter .torrent in the Extension text box. Click OK.
- Click Apply in the Configure HTTP policy for rule text box.
- Enter the remainder of the entries in tables 1 and 2. If that's too much work for you, then read on. I'll show you a way to export this configuration to an .xml file and then import the configuration to another machine. Since I've already created the .xml file for you, all you'll need to do is import the .xml file settings.
- After entering all the entries, click OK in the Configure HTTP policy for rule dialog box.
- Click Apply to save the changes and update the firewall policy.
- Click OK in the Apply New Configuration dialog box.
|Entering a signature to block MSN Messenger|
|Entering an extension to block BitTorrent connections.|
How to export and import HTTP security filter settings
Entering a comprehensive HTTP security filter configuration can take a lot of time. This is especially the case when you want to take the same HTTP security filter settings and apply them to other ISA firewalls, or even to other rules on the same ISA firewall. Remember what I said earlier: you can apply different HTTP security filter settings for each rule that allows the HTTP protocol through the ISA firewall.
Microsoft did us all a big favor by providing a tool that prevents us from making an avocation out of configuring HTTP security filters. This tool is the HttpFilterConfig.vbs file located in the SDK\samples\Admin directory on the ISA Server 2004 CD. This tool can be used to export and import HTTP filter settings from one rule to another, even on different machines.
The syntax of the script is quite simple:
<path_to_script> <import or export> <rule_name> <path_to_file>
- <path_to_script> is the path to the HttpFilterConfig.vbs script file. I typically copy the script to the root of the C: drive to make it easier, as I can open a command prompt and change the focus to the root of the C: drive pretty easily. This way, I don't have to worry about what the path to the CD is or the typo's that inevitably come from typing long command strings.
- <import or export> You use either the import or export option. Import imports the settings to a rule, and export exports the settings from a rule.
- <rule_name> This is the name of the firewall policy rule that you want to import the settings to, or export the settings from. For example, if the name of the rule that you want to import the settings to is named HTTP Access, then you would enter "HTTP Access", including the quotes. You must include the quotes if there is a space in the name of the rule.
- <path_to_file> This is the path to the .xml file that will contain the exported settings, or contains the settings you want to import.
For example, if we want to export the HTTP security filter policy that was configured on our HTTP/HTTPS Outbound rule we created earlier, when the HttpFilterConfig.vbs is copied to the root of the C: drive and the focus of the command prompt window is set to the root of the C: drive, and the name of the file will block BLOCKBADAPPS.xml located at the root of the C: drive, we would enter the following at the command prompt and press ENTER:
Httpfilterconfig export "HTTP/HTTPS Outbound" c:\BLOCKBADAPPS.xml
Before running the HttpFilterConfig.vbs script, make sure you have configured the HTTP security filter policy and that you have saved it along with the rule that it's applied to by clicking the Apply button. If you don't do this, then the import or export won't work. The same is true if you want to import the policy to a rule. Make sure you create the rule first, and then save the firewall policy by clicking the Apply button to save the changes to the ISA firewall policy before running the script.
|Exporting the HTTP security configuration using the httpfilterconfig.vbs script|
Now you can take the BLOCKBADAPPS.xml file and use the HttpFilterConfig.vbs script to import the settings into another rule, this time using the import option.
Click HERE to download a preconfigured BLOCKBADAPPS.xml file you can use to import into your own HTTP security filters.
Doing the HTTP security filter instant messenger demo
Now you're ready to replicate the demo. Here are the configuration settings I made to the ISA firewall, client and DNS server before doing the demo:
- The client was configured as a Web proxy, Firewall and SecureNAT client. The SecureNAT client is not required, but DHCP had set the default gateway on the client.
- The client was a member of the same Active Directory domain as the ISA firewall
- The ISA firewall was a member of the Active Directory domain, so that we can fully leverage the security provided by the Firewall client
- A WPAD entry was created in DNS so that the client could autodetect the ISA firewall
- A Computer Network Object was created to allow the DNS server outbound access to the DNS protocol
- A Protocol Rule was created to allow the DNS server outbound access to the DNS protocol
- The Properties of the default internal network were configure so that the settings on the Firewall client tab would configure the Web browser to use the FQDN of the ISA firewall, instead of the default setting of the NetBIOS name of the ISA firewall. In addition, only the autoconfiguration script setting was enabled.
Note that autodiscovery is not required, as you can manually configure the Firewall client. In addition, the Firewall client itself is not required, since the Web proxy client can authenticate with the ISA firewall, but I always deploy the Firewall client on client operating systems, so I saw no reason to change this in the demo.
Create the Access rule
Before we test the configuration, let's create the Access Rule allowing the DNS server outbound access to the DNS protocol. We'll also create the DNS server computer object "on the fly" while creating the Access Rule:
- In this ISA firewall console, expand the server name and then click the Firewall Policy node in the left pane of the console.
- Click the Tasks tab in the Task Pane and then click the Create New Access Rule link.
- On the Welcome to the New Access Rule Wizard page, enter DNS Outbound in the Access Rule name text box and click Next.
- On the Rule Action page, select the Allow option and click Next.
- On the Protocols page, select the Selected protocols option from the This rule applies to list. Click the Add button.
- In the Add Protocols dialog box (Figure D), click the Common Protocols folder and then double click the DNS entry. Click Close.
- Click Next on the Protocols page.
- On the Access Rule Sources page, click the Add button.
- In the Add Network Entities dialog box, click the New menu and click Computer.
- In the New Computer Rule Element dialog box (Figure E), enter DNS Server in the Name text box. Enter the IP address of the DNS server in the Computer IP Address text box. Click OK.
- In the Add Network Entities dialog box (Figure F), click the Computers folder and double click the DNS Server entry. Click Close.
- Click Next on the Access Rule Sources page.
- On the Access Rule Destinations page, click the Add button.
- In the Add Network Entities dialog box, double click the External entry and click Close.
- Click Next on the Access Rule Destinations page.
- On the User Sets page, accept the default setting, All Users, and click Next.
- Click Finish on the Completing the New Access Rule Wizard page.
- Click Apply to save the changes and update the firewall policy.
- Click OK in the Apply New Configuration dialog box.
|The Add Protocols dialog box|
|The New Computer Rule Element dialog box|
|The Add Network Entities dialog box|
Your firewall policy should appear like that in Figure G
|Firewall policy used to support the demo|
Notice that the DNS rule is above the HTTP/HTTPS rule. The reason for this is that you should put anonymous access rules before authenticated access rules. While this is a bit of a gross overgeneralization, if you follow this general principle you'll end up with fewer unexpected denied connections.
Now launch the MSN Messenger application from a client behind the ISA firewall. In the demo I used a Windows XP client and MSN Messenger version 7.5. You should see the dialog box that appears in Figure H on the client machine after the log on attempt fails.
|Error dialog box that appears when the MSN Messenger fails to connect|
You can use the ISA firewall's log viewer to see the details of the failed connection attempt by the MSN Messenger application. In the ISA firewall console, click the Monitoring node in the left pane of the console and then click the Logging tab. The first thing you want to do is add the Filter Information column to the log viewer window so that you can see the information reported by the HTTP security filter to the ISA firewall's log files. To do this, right click on any of the column headers and click the Add/Remove Column's command, as seen in Figure I.
|Adding columns to the ISA firewall's log viewer|
In the Add/Remove Columns dialog box, select the Filter Information entry from the Available columns list and click the Add button. This moves the Filter Information column to the Displayed columns list, as seen in Figure J.
|Adding columns to the ISA firewall log viewer|
Now click the Start Query link on the Tasks tab in the Task Pane. After logging starts, try to connect the MSN Messenger client to the Internet. After the connection attempt fails, click the Stop Query link and look at the results. Scroll across the screen so that you can see the entries in the Filter Information column.
Log file entries that have information listed in the Filter Information column were denied by the HTTP security filter. You can see in the Action column that these connection attempts were denied. You can also see the URLs the client requested and other valuable information about the connection attempt in those lines. Figure K shows a portion of the ISA firewall's log file depicting entries HTTP security filter denied connection requests.
|Log file entries showing connections blocked by the HTTP security filter|
Discovering connections that were denied by the HTTP security filter
This is possible using the ISA firewall's built-in log viewer's filtering capabilities. To filter records to display only those that have HTTP security filter entries, click the Edit Filter link in the Tasks tab of the Task Pane. In the Edit Filter dialog box (Figure L), click the down arrow for the Filter by drop down list. In the Condition drop down list box, select the Contains entry. In the Value text box, enter Blocked. All HTTP security filter entries will include the word Dropped in them, so this assures that you will see all the HTTP security filter log file entries. Click Add to List and click Start Query.
|Editing the log filter settings to display only connections blocked by the HTTP security filter|
Notice in the Edit Filter dialog box that I've added a few custom entries to make the log file cleaner for real time viewing. These entries aren't required when you set the Filter Information condition. However, they are useful when you don't have such a restrictive condition such as looking only for Filter Information. In the example in Figure 12, I've added conditions to prevent the viewer from displaying broadcast messages (destination IP address 255.255.255.255) and NetBIOS communications, most of which are all subnets or limited subnet broadcasts.
After you click Start Query, you will see a list of log file entries that apply only to connections that were blocked by the HTTP security filter (Figure M).
|Log file entries filter to show only those blocked by the HTTP security filter (click the figure to see full size)|
You can click on the Sessions tab and get some useful information on the nature of the current connections through the ISA firewall. Note that not all columns are displayed by default. Right click one of the column headers and click the Application Name entry. You then will be able to see something like what appears in Figure N.
Notice that you can see the user names and the name of the applications users are using to connection through the ISA firewall. You can also see the name of the computer making the connection. However, you must have the Firewall client installed on the client operating system in order to get this enhanced reporting. This isn't a bad deal, since the Firewall client also significantly enhances security and performance. With the Firewall client, it's all good.
|The Sessions tab in the ISA firewall's Monitoring node|
That's all there is to it
In this two part series on using the HTTP security filter to control outbound access through the ISA firewall, we began with a discussion of the HTTP security and the configuration options provided the filter, along with recommendations for when and how to use many of these configuration options. After getting a good grounding in HTTP security filter basics, we proceeded to configure the HTTP security filter to block dangerous applications, such as instant messengers and peer-to-peer applications. We finished up by testing the solution and using the ISA firewall's integrated log viewer to see characteristics of HTTP security filter blocked connections.