Re: Packet Filtering on non-default external IP Address

  • From: "Joseph" <cismic@xxxxxxx>
  • To: "'[ISAserver.org Discussion List]'" <isalist@xxxxxxxxxxxxx>
  • Date: Tue, 19 Feb 2002 13:53:40 -0800

I'm actually parsing the unknown items from the logs now and placing
them into a holding area that can be used to apply the filters you're
looking to do.

One thing I'm working on is a web filter to pass in the IP address of
the true client because web publishing loses that important
information.  Just having memory problems and making sure the cache does
not get corrupted.  Also, performance with filters is very critical and
I'm wondering if an application process might be much better at
processing filters.  I'll tackle that next.  Just need to get my
function finished and then thoroughly tested.  I would not want anyone's
machine getting slower or crashing because of a filter that I've
written!

But with your processes I would think that real time is good; however,
you can accomplish the same thing nightly.  I've noticed from my logs
that the same sites (worm) hit every day.  So, I just build the rules up
from what I import from my ISA logs. All worms I ban for life!

Joseph
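
The nightly approach described above, as an added example that is not part of the original post or of any ISA Server tooling: it scans web proxy log records for the two request patterns quoted further down the thread and returns the client addresses to place in a deny client address set, dropping entries older than a hold period. The log layout (W3C extended format with these field names), the sample records, the `NEVER_BLOCK` list and the 14-day hold are assumptions constructed for illustration.

```python
import re
from datetime import date, timedelta

# Request patterns quoted in the thread: .ida probe and Unicode traversal to cmd.exe.
SIGNATURES = {
    "ida-overflow": re.compile(r"/default\.ida\?N{16,}", re.I),
    "unicode-traversal": re.compile(r"\.\.%c1%9c\.\./.*cmd\.exe", re.I),
}

# Constructed sample records; the field layout is an assumption, not a real export.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-uri sc-status
2002-02-17 03:11:09 203.0.113.7 http://www.example.test/default.ida?NNNNNNNNNNNNNNNNNNNNNNNN 404
2002-02-18 03:12:40 203.0.113.7 http://www.example.test/scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir 404
2002-02-18 09:30:02 198.51.100.20 http://www.example.test/index.htm 200
2002-02-01 22:05:51 192.0.2.44 http://www.example.test/default.ida?NNNNNNNNNNNNNNNNNNNNNNNN 404
2002-02-19 10:00:00 192.0.2.10 http://www.example.test/scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir 403
"""

NEVER_BLOCK = {"192.0.2.10"}  # hypothetical: addresses that must never be auto-blocked


def parse_w3c(text):
    """Yield one dict per record, taking column names from the #Fields directive."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):  # skip truncated or malformed rows
                yield dict(zip(fields, values))


def build_block_set(text, today, hold_days=14):
    """Return {client_ip: [signature names]} for offenders seen within hold_days."""
    cutoff = today - timedelta(days=hold_days)
    offenders = {}
    for rec in parse_w3c(text):
        hits = [name for name, rx in SIGNATURES.items() if rx.search(rec.get("cs-uri", ""))]
        seen = date.fromisoformat(rec["date"])
        if hits and seen >= cutoff and rec["c-ip"] not in NEVER_BLOCK:
            offenders.setdefault(rec["c-ip"], set()).update(hits)
    return {ip: sorted(names) for ip, names in offenders.items()}


if __name__ == "__main__":
    for ip, names in build_block_set(SAMPLE_LOG, date(2002, 2, 19)).items():
        print(ip, ",".join(names))
```

Re-running this each night against the current logs means an address drops out of the set once it has been quiet for the hold period, instead of accumulating rules indefinitely.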


-----Original Message-----
From: Jim Harrison [mailto:jim@xxxxxxxxxxxx] 
Sent: Tuesday, February 19, 2002 12:50 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] Re: Packet Filtering on non-default external IP
Address

http://www.ISAserver.org


That's quite an ambitious undertaking!
If I can help with testing (my present profession), feel free to holler.

Jim Harrison
MCP(NT4, W2K), A+, Network+, PCG
http://isaserver.org/authors/harrison/
Read the books!

----- Original Message -----
From: "Max" <max.bene@xxxxxxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Tuesday, February 19, 2002 06:45
Subject: [isalist] Re: Packet Filtering on non-default external IP
Address



Hi Jim,
There's not a special need...

I've thought it would be great for my work to extend some capabilities of
ISA server, for example blocking an IP address for a certain time after a
Port Scan (just like Firewall-One for example does), or to automatically
block traffic with people who try something like:

http://www.worm.com/default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNnn... or
http://.../scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir

or blocking access to the SMTP relayer to those clients who tried a
spam...
or enhance the log capabilities building a Web based application in order
to get a real-time monitoring of traffic...

I'm trying to build a fully integrated firewall solution with ISA SDK, MS
Platform SDK and a Web Application for my customers, as I have to remotely
support and check their arrays...

You're right, for Web worms I use a "deny" Web Publishing rule for All
Internal Destination Sets, populating a client address set with those IP
addresses... I've thought it would be more appropriate...

If you have any suggestion I'd really appreciate...

Thanks again
Max

> It's pretty much a guarantee that any additional decision-making you apply
> to any proxy/firewall will affect performance.
> I'd also be careful auto-blocking; sometimes a client address set is more
> appropriate than a packet filter.
> Also, since ISA recognizes many of the more common intrusion attacks and
> blocks them by default, what is it you're adding?
>
> Jim Harrison
> MCP(NT4, W2K), A+, Network+, PCG
> http://isaserver.org/authors/harrison/
> Read the books!
>
> ----- Original Message -----
> From: "Max" <max.bene@xxxxxxxxxxxx>
> To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
> Sent: Tuesday, February 19, 2002 00:55
> Subject: [isalist] Re: Packet Filtering on non-default external IP Address
>
>
>
> Thanx Jim.
> I'm trying to develop some additional features on ISA, for example
> Auto-Blocking Spammers, Intruders and Worm attacks on Web Proxy...
> This means that I have to create a Packet Filter for each Intruder IP on
> each External IP Address of each Server of the Array...
>
> Can this affect server performance, as each packet has to be checked with
> all the filter conditions before being allowed to pass?
>
> Thanks Again
> Max
>
> > Nope; packet filtering is IP-specific on the external NIC.
> >
> > Jim Harrison
> > MCP(NT4, W2K), A+, Network+, PCG
> > http://isaserver.org/authors/harrison/
> > Read the books!
> >
> > ----- Original Message -----
> > From: "Max" <max.bene@xxxxxxxxxxxx>
> > To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
> > Sent: Monday, February 18, 2002 02:52
> > Subject: [isalist] Packet Filtering on non-default external IP Address
> >
> >
> >
> > Hi all,
> > I'm getting some trouble with packet filters...
> > My ISA has 4 IP Addresses on the external interface, and I've found out
> > that blocking traffic with packet filters on non-default IP addresses
> > requires filling the "This ISA Server's external IP Address" field on the
> > "Local Computer" Tab...
> > Is there any way to block traffic on all external IP addresses?
> >
> > PS: I've tried with the "These computers (on the perimeter network)..."
> > option but it doesn't seem to work...
> >