RE: destination sets question

  • From: "Thomas W Shinder" <tshinder@xxxxxxxxxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Sun, 23 Nov 2003 09:39:33 -0600

Hi Morvan,

No one ever said effective security was easy or fast :)

The principle of least privilege says that you give users access to
what they need. So, you need to define in advance what those resources
are, and then continue to track usage requirements. Blocking sites on a
too granular basis incurs too much overhead. You're better off creating
a network access policy and then reviewing usage reports and whacking
employees who violate the network use policy.

HTH,
Tom 

-----Original Message-----
From: Morvan [mailto:mmuller@xxxxxxxxxxxxxxxx] 
Sent: Friday, November 21, 2003 9:11 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: destination sets question

http://www.ISAserver.org

Hi Thom!

I understand but I can't do it.
My policy is to allow all and deny some things. What isn't explicitly denied
is allowed, ok!
In Site and Content Rules I have one open_access ALLOW rule and a set of
DENY rules based on destination sets and/or content, to implement this
policy.

If I create a rule like you say:
destinations = all destinations except (http://br.groups.yahoo.com,
PATH=/group/superwaba/), action=deny

I will deny everything else (http://br.groups.yahoo.com,
PATH=/group/superwaba/).
I can't do it, because my users need access to all sites on the web that I
don't deny.
With such a rule I will implement a restrictive policy "deny all and allow
specific destinations".
I can't determine all sites where my users need to go; my organization
has an interest that they can search for solutions on the internet, so I can't
use such a restrictive policy.

I need something in ISA in site and content rules:
destinations = selected destination set (xxxx-sets) except (xxxx-sets),
but it isn't available. Site and content rules have only the option
destinations = all destinations except (xxxx-sets).

I can't believe that I can't resolve this problem with ISA. I'm thinking a
lot about this question and can't see one way to do this with ISA.

One way would be to create a destination set and list the maximum number
of PATHs and subdomains to deny in yahoo.com, and create a deny rule
based on these destinations, i.e., all domains and paths that differ from
http://br.groups.yahoo.com, PATH=/group/superwaba/. Such a way is not
effective and very bad, not to say impossible (how will I know all
paths and subdomains in yahoo.com?).

Thanks,
Morvan.


At 19:58 11/11/2003 -0600, you wrote:

>Hi Morvan,

>OK, I see what you're trying to do. You should be able to create the 
>exception in the Deny Rule, and then create an allow rule with the 
>exception destination set. However, you cannot use a wildcard in both 
>the FQDN and the path.

>HTH,
>Tom
>www.isaserver.org/shinder
 

-----Original Message-----
From: Morvan [mailto:mmuller@xxxxxxxxxxxxxxxx]
Sent: Monday, November 10, 2003 8:49 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: destination sets question

Hi Tom!

>>At 19:44 06/11/2003 -0600, you wrote:

>>If you want to block the entire yahoo site, try *.yahoo.com and 
>>yahoo.com

>OK, I do it as follows:
>Destination sets:
>-----------------
>1. deny-sites = (*.yahoo.com, yahoo.com)
>2. allowed_URLs_into_deny-sites = ( http://br.groups.yahoo.com,
>PATH=/group/superwaba/* )

>Content Rules:
>-------------
>1. Name= DenyWholeYahoo, destinations=[(selected destination 
>sets)=deny-sites], action=deny, applies_to=any-request

>This Content Rule denies the whole yahoo site, and the unique field where
>I can put exceptions is the (applies_to) field, but it is only
>related to (client_sets), not to (destination sets).

>If I create an allow rule pointed to
>destination_set=(allowed_URLs_into_deny-sites) (see 2 above) the deny 
>rule (DenyWholeYahoo) has more priority, and matches first!

>>If you need to create an exception, instruct the Site and Content Rule
>>that you need to create an exception. Make sure to create the 
>>Destination Set that represents the exception before you create the

>So I didn't understand where I instruct the Site and Content Rule (ex.
>DenyWholeYahoo - see 1 above) to create an exception pointing to a 
>destination set like (allowed_URLs_into_deny-sites) (see 2 above).

>My intention is to deny the whole yahoo for (any_request) but allow the 
>URL (http://br.groups.yahoo.com, PATH=/group/superwaba/*) in the 
>yahoo site for (any_request too). The client (client sets) who tries to 
>access is indifferent to me.

>Thanks in advance,
>Morvan.

>===============================================
>-----Original Message-----
>From: Morvan [mailto:mmuller@xxxxxxxxxxxxxxxx]
>Sent: Thursday, November 06, 2003 8:57 AM
>To: [ISAserver.org Discussion List]
>Subject: [isalist] destination sets question


>I have configured destinations sets for ex:
>deny-sites = (*.yahoo.com, yahoo.com)

>and have a content rule:
>action=deny  destination="deny-sites"  aplly-to="everyone"

>With this I deny the whole yahoo site.

>But my intention is to deny the whole yahoo site, except some destinations
>like:
>br.groups.yahoo.com/*  (and other 2 yahoo subdomains)

>How can I do it with ISA?

>Thanks,


