Re: Packet Filtering on non-default external IP Address

• From: "Jim Harrison" <jim@xxxxxxxxxxxx>
• To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
• Date: Tue, 19 Feb 2002 12:49:53 -0800

That's quite an ambitious undertaking!
If I can help with testing (my present profession), feel free to holler.

Jim Harrison
MCP(NT4, W2K), A+, Network+, PCG
http://isaserver.org/authors/harrison/
Read the books!

----- Original Message -----
From: "Max" <max.bene@xxxxxxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Tuesday, February 19, 2002 06:45
Subject: [isalist] Re: Packet Filtering on non-default external IP Address


http://www.ISAserver.org


Hi Jim,
There's not a special need...

I've tought it would be great for my work to extend some capabilities of
ISA server, for example blocking an IP address for a certain time after a
Port Scan (just like Firewall-One for example does), or to automatically
block traffic with people who tries something like:

http://www.worm.com/default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNnn... or
http://.../scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir

or blocking access to the SMTP relayer to those clients who tried a
spam...
or enhance the log capabilities building a Web based application in order
to get a real-time monitoring of traffic...

I'm trying to build a full-integrated firewall solution with ISA SDK, MS
PLatform SDK and a Web Application for my customers, as I have to remotely
support and check their arrays...

You're right, for Web worms I use a "deny" Web Publishing rule for All
Internal Destination Sets, populating a client address set with those IP
addresses... I've thought it would be more appropriated...

If you have any suggestion I'd really appreciate...

Thanks again
Max

> It's pretty much a guarantee that any additional decision-making you apply
> to any proxy/firewall will affect performance.
> I'd also be careful auto-blocking; sometimes a client address set is more
> appropriate than a packet filter.
> Also, since ISA recognizes many of the more common intrusion attacks and
> blocks them by default, what is it you're adding?
>
> Jim Harrison
> MCP(NT4, W2K), A+, Network+, PCG
> http://isaserver.org/authors/harrison/
> Read the books!
>
> ----- Original Message -----
> From: "Max" <max.bene@xxxxxxxxxxxx>
> To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
> Sent: Tuesday, February 19, 2002 00:55
> Subject: [isalist] Re: Packet Filtering on non-default external IP Address
>
>
> http://www.ISAserver.org
>
>
> Thanx Jim.
> I'm trying to develope some addtional features on ISA, for example
> Auto-Blocking Spammers, Intruders and Worm attacks on Web Proxy...
> This means that I have to create a Packet Filter for each Intruder IP on
> each External IP Address of each Server of the Array...
>
> Can this affect server performance, as each packet has to be checked with
> all the filter conditions before being allowed to pass?
>
> Thanks Again
> Max
>
> > Nope; packet filtering is IP-specific on the external NIC.
> >
> > Jim Harrison
> > MCP(NT4, W2K), A+, Network+, PCG
> > http://isaserver.org/authors/harrison/
> > Read the books!
> >
> > ----- Original Message -----
> > From: "Max" <max.bene@xxxxxxxxxxxx>
> > To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
> > Sent: Monday, February 18, 2002 02:52
> > Subject: [isalist] Packet Filtering on non-default external IP Address
> >
> >
> > http://www.ISAserver.org
> >
> >
> > Hi all,
> > I'm getting some trouble with packet filters...
> > My ISA has 4 IP Addresses on the external interface, and I've found out
> > that blocking traffic with packet filters on non-default IP addresses
> > requires filling the "This ISA Server's external IP Address" field on
the
> > "Local Computer" Tab...
> > Is there any way to block traffic on all external IP addresses?
> >
> > PS: I've tried with the "These computers (on the perimeter network)..."
> > option but it doesn't seem to work...
> >
> >
> >
> > ------------------------------------------------------
> > You are currently subscribed to this ISAserver.org Discussion List as:
> > jim@xxxxxxxxxxxx
> > To unsubscribe send a blank email to $subst('Email.Unsub')
>
> ------------------------------------------------------
> You are currently subscribed to this ISAserver.org Discussion List as:
> jim@xxxxxxxxxxxx
> To unsubscribe send a blank email to $subst('Email.Unsub')

------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
jim@xxxxxxxxxxxx
To unsubscribe send a blank email to $subst('Email.Unsub')

Other related posts:

• » Packet Filtering on non-default external IP Address
• » Re: Packet Filtering on non-default external IP Address
• » Re: Packet Filtering on non-default external IP Address
• » Re: Packet Filtering on non-default external IP Address
• » Re: Packet Filtering on non-default external IP Address
• » Re: Packet Filtering on non-default external IP Address
• » Re: Packet Filtering on non-default external IP Address
• » Re: Packet Filtering on non-default external IP Address

1. Home
2. isalist
3. Archive
4. 02-2002

---

• » Previous by Date
• » Next by Date
• » Related Posts
• » View list details
• » Manage your subscription

---