Packet filters ???

  • From: "Francois Malherbe" <Francois@xxxxxxxxxxxxxx>
  • To: <isalist@xxxxxxxxxxxxx>
  • Date: Thu, 19 Jun 2003 20:33:01 +0200

Hi anyone

Please bear with me on what is probably quite a common and maybe a
simple question.

I have spent quite a lot of time looking for what I think is a simple
answer and I still can't get a simple answer.
I have gone through Technet, ISA homepage and isaserver.org and so far I
have either not found the answer or I have found it, and I haven't
understood.


Quite simply, ISA help says a packet filter can be created to allow
traffic flow between the internal network and the external network.

To me, an example of this would be to create a TCP filter to allow the
following:
outbound traffic from source_TCP:dynamic to destination_TCP:1100 and
from Internal IP 192.168.168.168 to External IP 196.44.44.44

My difficulty in answering this question is that I have not seen
anything on Microsoft Technet or ISA homepage or isaserver.org which
says that this is impossible. But, I have seen many references which say
it is not advisable. Also, in tests on my systems, I have not been able
to get even the simplest packet filter working from the external network
to the internal network or vice versa.


I know that it is recommended to use server publishing for external -
internal traffic, and I do use it in our environment, but I still would
like a definite answer - just for argument's sake, can I create such a
packet filter and if so, what addresses are applied for the local and
remote computers?



ISA Help says the following:

IP packet filters are defined by the following parameters:

Protocol, port, and direction.
The filter allows or blocks traffic at the specified port, using the
specified protocol. 

Local computer.
The IP address of the computer in the INTERNAL network for which
communication is open or blocked.
You can specify a range or a single IP address on the ISA Server
computer. 

Remote computer.
The IP address of the computer on the Internet for which communication
is allowed or blocked. 




Practical experience and isaserver.org tutorials say the following:

ISA Server uses packet filtering to control inbound and outbound access
to and from the EXTERNAL interface of the ISA Server. Packet filtering
is the ISA Server's first line of defense against INBOUND attack.

You should always use Protocol Rules to allow outbound access to
external network resources for internal network clients. You should use
Web Publishing and Server Publishing Rules to allow inbound access from
external network clients to internal network servers.


Basically, to me, this means that packet filters apply to the EXTERNAL
NIC and the PERIMETER (DMZ) NIC ONLY, NOT the internal NIC.
Looking at the layout of the packet filter creation tool, it
specifically mentions external network and perimeter network, NOT
internal network at all.


Please assist me with this; the answer may well be all too obvious to
others, but it's driving me nuts.


Thanks

Francois
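Added example, not from Francois's post or from ISA Server itself: a small Python model of how the five filter parameters the ISA help lists (protocol, port, direction, local computer, remote computer) combine to decide a packet, evaluated against the filter described in the post. Assumptions: "dynamic" means the ephemeral range 1024-65535, a block filter wins over an allow filter, and a packet no filter matches is blocked.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

DYNAMIC = range(1024, 65536)  # assumed ephemeral ("dynamic") port range


def port_spec(p):
    """Turn 'dynamic' or a single port number into a range of ports."""
    return DYNAMIC if p == "dynamic" else range(int(p), int(p) + 1)


@dataclass
class Packet:
    protocol: str   # "TCP" or "UDP"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    direction: str  # "outbound" (local -> remote) or "inbound" (remote -> local)


@dataclass
class PacketFilter:
    """One filter carrying the parameters listed in the ISA help."""
    action: str        # "allow" or "block"
    protocol: str
    direction: str
    local: str         # local computer: single IP or CIDR
    local_port: range
    remote: str        # remote computer: single IP or CIDR
    remote_port: range

    def matches(self, pkt: Packet) -> bool:
        if self.protocol != pkt.protocol or self.direction != pkt.direction:
            return False
        # Outbound: the local side is the source; inbound: the local side is the destination.
        if pkt.direction == "outbound":
            loc_ip, loc_port, rem_ip, rem_port = pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port
        else:
            loc_ip, loc_port, rem_ip, rem_port = pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port
        return (ip_address(loc_ip) in ip_network(self.local, strict=False)
                and ip_address(rem_ip) in ip_network(self.remote, strict=False)
                and loc_port in self.local_port and rem_port in self.remote_port)


def evaluate(filters, pkt: Packet) -> str:
    """Block beats allow; no matching filter means block (assumed default-deny)."""
    verdicts = {f.action for f in filters if f.matches(pkt)}
    return "block" if "block" in verdicts or "allow" not in verdicts else "allow"


# The filter from the post: outbound TCP, local 192.168.168.168:dynamic -> remote 196.44.44.44:1100
EXAMPLE_FILTER = PacketFilter("allow", "TCP", "outbound", "192.168.168.168",
                              port_spec("dynamic"), "196.44.44.44", port_spec(1100))
```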
