Cross-over of users and destinations

  • From: "Bijen, J (Jeroen)" <Jeroen.Bijen@xxxxxxxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Fri, 2 Nov 2001 10:00:15 -0000

Dear all,

We are about to use ISA Server to support banking and trading applications
via the Firewall service.

We have however the following security requirement:
We need to be able to create connection based rules that can specify which
user is allowed to use what ports to what destination addresses.

While it is perfectly possible to allow ports to users, and to allow access
to Internet hosts on a per-user basis, the problem is combining these two
rules into a connection-based rule, allowing a user to communicate via a port
or protocol to a specific host.

The limitation for example is that there doesn't seem to be a way for a
specific user or group to:
*       allow access to any site via HTTP
*       allow access to ftp.microsoft.com via FTP protocol
*       deny access to ftp.adobe.com via FTP protocol

other than:
*       creating a protocol rule which adds the user to the ACL of the HTTP
protocol;
*       creating a protocol rule which adds the user to the ACL of the FTP
protocol;
*       creating a packet filter that allows HTTP traffic to any host;
*       creating a packet filter that allows FTP traffic to
ftp.microsoft.com.

However, when another user needs access to ftp.adobe.com, then the following
needs to be done:
*       adding this user to the ACL of the FTP protocol;
*       creating a packet filter that allows FTP traffic to ftp.adobe.com.

This, however, will allow the first user access to ftp.adobe.com as well. If
thereafter a (site and content) rule is created to deny access to
ftp.adobe.com for that user, then all traffic to this server, including HTTP,
will be denied as well.

This chance of cross-overs between users and destinations makes security a
little bit obscure.

Could anyone tell me if, and if so how, I can address the mentioned
requirements with ISA Server?

Thanks in advance,

Jeroen Bijen
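The cross-over described in the post can be reproduced in a small model of the two policy styles. This is an added example, not ISA Server code and not something the poster supplied: the user names (alice, bob), the rule formats and the `SplitPolicy`/`ConnectionPolicy` classes are constructed for illustration. The first class evaluates independent per-user protocol ACLs, per-destination packet filters and a per-user site deny; the second evaluates rules that bind user, protocol and destination together, with first match wins and default deny.

```python
"""Toy model of the two access-control styles discussed in the post.

Added example, not ISA Server code. User names, hostnames used as rule
targets and the rule formats below are constructed for illustration.
"""

from dataclasses import dataclass, field


@dataclass
class SplitPolicy:
    """Protocol ACLs (per user) and packet filters (per destination) are kept
    in separate lists. A connection is allowed when both lists happen to
    permit it, so the user and destination dimensions are never tied together.
    A site deny applies to the user regardless of protocol."""

    protocol_acl: dict = field(default_factory=dict)  # protocol -> set of users
    packet_filters: set = field(default_factory=set)  # (protocol, destination); "*" = any host
    site_deny: set = field(default_factory=set)       # (user, destination), all protocols

    def allow_protocol(self, user, protocol):
        self.protocol_acl.setdefault(protocol, set()).add(user)

    def allow_destination(self, protocol, destination):
        self.packet_filters.add((protocol, destination))

    def deny_site(self, user, destination):
        self.site_deny.add((user, destination))

    def permits(self, user, protocol, destination):
        if (user, destination) in self.site_deny:
            return False  # the deny is not protocol-aware
        user_ok = user in self.protocol_acl.get(protocol, set())
        dest_ok = ((protocol, destination) in self.packet_filters
                   or (protocol, "*") in self.packet_filters)
        return user_ok and dest_ok


@dataclass
class ConnectionPolicy:
    """Each rule names user, protocol and destination together, so granting
    one user a destination cannot leak to another user. First match wins;
    anything unmatched is denied."""

    rules: list = field(default_factory=list)  # (user, protocol, destination, action)

    def add(self, user, protocol, destination, action="allow"):
        self.rules.append((user, protocol, destination, action))

    def permits(self, user, protocol, destination):
        for r_user, r_proto, r_dest, action in self.rules:
            if r_user == user and r_proto == protocol and r_dest in (destination, "*"):
                return action == "allow"
        return False  # default deny


def demo():
    """Replays the scenario from the post under both models and returns the
    decisions so they can be compared."""
    split = SplitPolicy()
    # alice: HTTP anywhere, FTP only to ftp.microsoft.com
    split.allow_protocol("alice", "HTTP")
    split.allow_destination("HTTP", "*")
    split.allow_protocol("alice", "FTP")
    split.allow_destination("FTP", "ftp.microsoft.com")
    # bob later needs FTP to ftp.adobe.com; the filter is global, not per user
    split.allow_protocol("bob", "FTP")
    split.allow_destination("FTP", "ftp.adobe.com")
    crossover = split.permits("alice", "FTP", "ftp.adobe.com")  # unintended allow
    # trying to fix it with a site deny also kills alice's HTTP to that host
    split.deny_site("alice", "ftp.adobe.com")
    http_lost = split.permits("alice", "HTTP", "ftp.adobe.com")

    conn = ConnectionPolicy()
    conn.add("alice", "HTTP", "*")
    conn.add("alice", "FTP", "ftp.microsoft.com")
    conn.add("alice", "FTP", "ftp.adobe.com", "deny")
    conn.add("bob", "FTP", "ftp.adobe.com")

    return {
        "split_alice_ftp_adobe": crossover,          # True: cross-over
        "split_alice_http_adobe_after_deny": http_lost,  # False: collateral deny
        "conn_alice_ftp_adobe": conn.permits("alice", "FTP", "ftp.adobe.com"),
        "conn_alice_http_adobe": conn.permits("alice", "HTTP", "ftp.adobe.com"),
        "conn_alice_ftp_microsoft": conn.permits("alice", "FTP", "ftp.microsoft.com"),
        "conn_bob_ftp_adobe": conn.permits("bob", "FTP", "ftp.adobe.com"),
        "conn_bob_http_any": conn.permits("bob", "HTTP", "www.example.invalid"),
    }


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name}: {'allow' if decision else 'deny'}")
```

The point of the comparison is structural: when the user dimension and the destination dimension live in separate lists, any addition to one list is silently combined with every entry of the other, which is exactly the cross-over the post describes. A rule that carries the full (user, protocol, destination) tuple does not have that property, and a protocol-aware deny can block FTP to a host without touching HTTP to the same host.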
