RE: Priority of Firewall Rules

  • From: "Thomas W Shinder" <tshinder@xxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Fri, 1 Oct 2004 05:09:40 -0500

How firewall policy works
Using ISA Server 2004, you can create a
firewall policy, which includes a set of publishing rules and access
rules. These rules, together with the network rules, determine how
clients access resources across networks. For more information, see
Firewall Policy Rules.

Outgoing requests
One of the primary functions of ISA Server is to connect between source
and destination networks, while protecting from malicious access. To
facilitate this connectivity, you use ISA Server to create an access
policy that permits clients on the source network to access specific
computers on the destination network. The access policy determines how
clients access other networks.

When ISA Server processes an outgoing request, it checks network rules
and firewall policy rules to determine if access is allowed. 

Some rules can be configured to apply to specific clients. In this case,
the clients can be specified either by IP address or by user name. ISA
Server processes the requests differently, depending on which type of
client requests the object, and how you configure ISA Server. 

First, ISA Server checks the network rules, to verify that the two
networks are connected. If the network rules define a connection between
the source and destination network, ISA Server processes the access
policy rules. For more information, see Network rules.

Next, ISA Server checks the access rules, in order. If an allow rule
applies to the request, ISA Server will allow the request. Specifically,
ISA Server applies a rule if the request matches the following rule
conditions:

Protocol 
From (source) address and port 
Schedule 
To (destination) addresses, names, URLs 
Users 
Content groups

Having applied a rule, ISA Server does not match the request to any
other rule and stops rule evaluation. Subsequently, ISA Server may
actually deny the request, depending on the additional protocol
filtering applied to the rule.

Finally, ISA Server checks the network rules again, to determine how the
networks are connected. ISA Server checks the Web chaining rules (if a
Web Proxy client requested the object) or the firewall chaining
configuration (if a SecureNAT or firewall client requested the object)
to determine how the request will be serviced.

For example, assume that you installed ISA Server on a computer with two
network cards: one connected to the Internet and the other connected to
your local network. You have permissive corporate guidelines that allow
all users access to all sites. In this case, your policy would consist
of the following access policy rules:

A network rule that establishes connectivity between the source network
(the local network) and the destination network (the Internet). 
An access rule that allows all internal clients to access all sites at
all times, using any protocol.

Incoming requests
ISA Server can make servers securely accessible to clients on another
network. You use ISA Server to create a publishing policy to securely
publish servers. The publishing policy, which consists of Web publishing
rules, server publishing rules, secure Web publishing rules, and mail
server publishing rules, together with the Web chaining rules,
determines how published servers are accessed.

You can use one of the following ISA Server rules to publish servers:

Web publishing rules. To publish Web server content. 
Server publishing rules. To publish any other content. 
Secure Web publishing rules. To publish Secure Sockets Layer (SSL)
content.

When ISA Server processes an HTTP or HTTPS request from a client, it
checks publishing rules and Web chaining rules to determine whether the
request is allowed, and which server will service the request.

For non-HTTP requests, ISA Server checks the network rules, and then
checks the publishing rules to determine if the request is allowed.

For an incoming Web request, rules are processed in the following order:

Web publishing rules. 
Web chaining rules. For more information, see Web chaining rules.

For example, consider a scenario, in which you have installed ISA Server
on a computer with two network adapters: one connected to the Internet
and the other connected to your local network. The following applies:

If a Web publishing rule specifically denies the requests, the requests
are denied. 
If a Web chaining rule specifies that the requests be routed to a
specific upstream server or an alternate hosted site, the specified
server handles the request. 
If a Web chaining rule specifies that the requests be routed to the
specified server, the internal Web server returns the object.

Web publishing rules and Web chaining rules
Web publishing rules are processed in order, with the default Web
publishing rule processed last. Web chaining rules are also processed in
order.

When an external client requests an object from an internal Web server,
rules are processed in the following order:

Web publishing rules 
Web chaining rules

For example, consider the following rules:

A Web publishing rule that redirects requests from all clients for
widgets.microsoft.com to a hosted site (Web server) specified as msweb. 
A Web chaining rule that routes requests for a destination that includes
msweb by servicing them directly.

When an external (Internet) user requests an object from
widgets.microsoft.com, ISA Server intercepts the request. First, it
processes the Web publishing rule, determining that the request will be
redirected to the msweb computer. Next, it processes the Web chaining
rule, determining that the request will be serviced directly by the
specified server (msweb). 

The following example illustrates what happens when you create a Web
publishing rule, without creating an appropriate Web chaining rule:

A Web publishing rule that redirects requests from all clients for a
destination set that includes example.microsoft.com to a hosted site
specified as myinternalms 
A Web chaining rule that routes requests for all destinations to an
upstream server.

In this case, the Web publishing rule is processed first. All requests
for example.microsoft.com are redirected to myinternalms. However, the
Web chaining rule specifies that the request will be routed to an
upstream server (and not sent directly to the destination server). The
request will always be routed to the upstream server.

Tom
www.isaserver.org/shinder
Get the book!
Tom and Deb Shinder's Configuring ISA Server 2004
http://tinyurl.com/3xqb7
MVP -- ISA Firewalls
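The outgoing-request evaluation order in the post (network rules first, then access rules in order with first match winning, then the matched rule's protocol filter) is easy to get wrong in practice, and the usual symptom is a deny rule that never fires because an allow rule above it already matched. The following model, added here as an illustration and not ISA Server code or anything from the original message, walks through that order over a constructed policy. Network names, rule names, hosts such as casino.example, the ".exe" protocol filter and the sample requests are all assumptions made for the example.

```python
"""Model of the ISA Server 2004 outgoing-request evaluation order.
Added illustration only: rule fields, network objects, sample rules and
requests are constructed for this example, not taken from ISA Server."""
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network
from typing import Callable, Optional, Tuple

# Network objects, ordered so the catch-all External network is tried last.
NETWORKS = [("Internal", [ip_network("10.0.0.0/8")]),
            ("External", [ip_network("0.0.0.0/0")])]

def network_of(ip: str) -> str:
    addr = ip_address(ip)
    for name, nets in NETWORKS:
        if any(addr in n for n in nets):
            return name
    raise ValueError(f"{ip} belongs to no defined network")

@dataclass
class Request:
    protocol: str            # "HTTP", "HTTPS", "SMTP", ...
    src_ip: str
    dst_ip: str
    dst_host: str
    user: Optional[str]      # None for an unauthenticated (SecureNAT) client
    when: datetime
    url: str = ""
    content_group: str = "Other"

@dataclass
class NetworkRule:
    source: str
    destination: str
    relation: str            # "NAT" or "Route"

@dataclass
class AccessRule:
    name: str
    action: str                          # "allow" or "deny"
    protocols: Optional[set] = None      # None = all protocols
    from_nets: Optional[set] = None      # None = any source network
    to_hosts: Optional[set] = None       # None = all destinations
    schedule: Optional[tuple] = None     # (start_hour, end_hour), None = always
    users: Optional[set] = None          # None = all users
    content_groups: Optional[set] = None
    # Application-layer filter, consulted only after the rule has matched.
    protocol_filter: Optional[Callable[[Request], bool]] = None

    def matches(self, req: Request) -> bool:
        # The six match conditions listed in the post; None means "any".
        return all([
            self.protocols is None or req.protocol in self.protocols,
            self.from_nets is None or network_of(req.src_ip) in self.from_nets,
            self.schedule is None or self.schedule[0] <= req.when.hour < self.schedule[1],
            self.to_hosts is None or req.dst_host in self.to_hosts,
            self.users is None or req.user in self.users,
            self.content_groups is None or req.content_group in self.content_groups,
        ])

def evaluate_outbound(req: Request, network_rules, access_rules) -> Tuple[str, str]:
    """(decision, reason): network rules, then first-matching access rule,
    then that rule's protocol filter; nothing after the first match is read."""
    src, dst = network_of(req.src_ip), network_of(req.dst_ip)
    if not any(r.source == src and r.destination == dst for r in network_rules):
        return "deny", f"no network rule connects {src} to {dst}"
    for rule in access_rules:
        if not rule.matches(req):
            continue
        if rule.action == "deny":
            return "deny", rule.name
        if rule.protocol_filter is not None and not rule.protocol_filter(req):
            return "deny", f"{rule.name} (blocked by protocol filter)"
        return "allow", rule.name          # first match wins; evaluation stops
    return "deny", "default rule"

# --- constructed sample policy (assumed names and hosts) -----------------
def no_exe_downloads(req: Request) -> bool:
    return not req.url.lower().endswith(".exe")

NETWORK_RULES = [NetworkRule("Internal", "External", "NAT")]
DENY_GAMBLING = AccessRule("Deny gambling", "deny", to_hosts={"casino.example"})
ALLOW_WEB = AccessRule("Allow Web", "allow", protocols={"HTTP", "HTTPS"},
                       from_nets={"Internal"}, schedule=(7, 19),
                       protocol_filter=no_exe_downloads)
BASE = dict(protocol="HTTP", src_ip="10.1.2.3", dst_ip="203.0.113.10",
            dst_host="www.example", user="alice", when=datetime(2004, 10, 1, 9, 0))

def mk(**kw) -> Request:
    return Request(**{**BASE, **kw})

def demo() -> dict:
    ordered = [DENY_GAMBLING, ALLOW_WEB]
    return {
        "web": evaluate_outbound(mk(), NETWORK_RULES, ordered),
        "gambling": evaluate_outbound(mk(dst_host="casino.example"), NETWORK_RULES, ordered),
        # Same two rules reversed: the deny rule is shadowed by the earlier allow.
        "gambling_shadowed": evaluate_outbound(mk(dst_host="casino.example"), NETWORK_RULES, ordered[::-1]),
        "exe": evaluate_outbound(mk(url="http://www.example/setup.exe"), NETWORK_RULES, ordered),
        "smtp": evaluate_outbound(mk(protocol="SMTP"), NETWORK_RULES, ordered),
        "after_hours": evaluate_outbound(mk(when=BASE["when"].replace(hour=22)), NETWORK_RULES, ordered),
        "inbound": evaluate_outbound(mk(src_ip="198.51.100.7", dst_ip="10.1.2.3"), NETWORK_RULES, ordered),
    }
```

Running demo() shows the two cases the thread is about: with the deny rule above the allow rule the casino request is denied, with the order reversed the same request is allowed and the deny rule is never consulted. The "exe" case shows an allow rule that matches and is then overridden by its protocol filter, and the "inbound" case is refused before any access rule is read because no network rule connects External to Internal.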

