RE: Firewall Policy Rules Order

  • From: "Paul Deen" <pdeen@xxxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Wed, 6 Oct 2004 00:55:15 -0500

I am no expert at ISA 2004, so I want to make sure I understand this.

So are you saying that if I have any 'User-based' rules BEFORE any of my
'Anonymous' rules the traffic will be blocked regardless of protocol?

Now that I hear/see this, this makes a huge difference! 

The way I thought of it was as the traffic comes in, it looks in order
(top down) for a rule that -specifically- allows or denies that protocol
specified only. Then I set my last rule to 'Deny All'. 

What happens if I 'require authentication' for all users on the internal
interface itself instead of requiring authentication only on individual
rules? Would my SMTP traffic stop flowing out?

Like I said, I am still new at this.

Environment: ISA 2004 using an 'Edge Firewall' configuration, Published
Internal SMTP server, Mixed: Web Proxy (laptops) and Firewall clients
(workstations).

Thanks for your insight,
Paul

-----Original Message-----
From: Jim Harrison [mailto:jim@xxxxxxxxxxxx] 
Sent: Tuesday, October 05, 2004 11:47 AM
Subject: RE: Firewall Policy Rules Order

That statement is absolutely, blatantly incorrect.
Rule order is very much important.
For instance, if you have a rule that allows anonymous SMTP for your
mail server that follows a rule allowing HTTP for authenticated 
users, the mail server will fail at the HTTP rule.

Generally speaking, you want to order your rules as:
Anonymous Deny rules
Anonymous Allow rules
User-based Deny rules
User-based Allow rules

  Jim Harrison
  MCP(NT4, W2K), A+, Network+, PCG
  http://isaserver.org/Jim_Harrison/
  http://isatools.org
  Read the help / books / articles!

----- Original Message ----- 
From: "Ara Avvali" <ara@xxxxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Monday, October 04, 2004 04:59
Subject: [isalist] RE: Firewall Policy Rules Order

Hi

Add rules based on group or IP address to it. Also, as far as I know, it
doesn't matter what order they are in; what matters is the resulting
effective permissions.


-----Original Message-----
From: Raji Arulambalam [mailto:RajiA@xxxxxxxxxxxxxx]
Sent: October 4, 2004 12:28 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] Firewall Policy Rules Order

Hi

I know that the rules are executed top down, but what is best practice
for grouping the rules in Firewall Policy:
1) Outgoing Access rules
2) Incoming Access rules
3) Web Server Publish
4) Mail Server
5) Server Publish


Thanks

------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Other Internet Software Marketing Sites:
World of Windows Networking: http://www.windowsnetworking.com
Leading Network Software Directory: http://www.serverfiles.com
No.1 Exchange Server Resource Site: http://www.msexchange.org
Windows Security Resource Site: http://www.windowsecurity.com/
Network Security Library: http://www.secinf.net/
Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
ara@xxxxxxxxxx
To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist
Report abuse to listadmin@xxxxxxxxxxxxx