
Upload: barry-gardner

Post on 24-Dec-2015


Advanced Application and Web Filtering


Common security attacks

• Finding a way into the network
• Exploiting software bugs, buffer overflows
• Denial of Service
• TCP hijacking
• Packet sniffing
• Social problems


Common security attacks

• Finding a way into the network: Firewalls
• Exploiting software bugs, buffer overflows: Intrusion Detection Systems
• Denial of Service: Ingress filtering, IDS
• TCP hijacking: IPSec
• Packet sniffing: Encryption (SSH, SSL, HTTPS)
• Social problems: Education


Types of Firewalls

• Packet Filtering
• Stateful Inspection
• Application-Layer Inspection


Application filter and Web Filter

• Application filters work with the firewall service in ISA Server to intercept and process network packets as they pass through ISA Server

• Application filters examine the application-level

• Web filters are used to mediate HTTP, HTTPS, and FTP tunneled


Application Filters

• SMTP filter
• DNS filter
• POP Intrusion Detection filter
• SOCKS V4 filter
• FTP Access filter
• H.323 filter
• MMS filter
• PNM filter
• PPTP filter
• RPC filter
• RTSP filter


The SMTP Filter

If a command that is sent over the SMTP channel is not on this list, it is dropped.


The DNS Filter

Three attacks:

• DNS host name overflow
• DNS length overflow
• DNS zone transfer


The SOCKS V4 Filter


Web Filters

• HTTP Security filter
• ISA Server Link Translator
• Web Proxy filter
• SecurID filter
• OWA Forms-based Authentication filter


The HTTP Security Filter (HTTP Filter)

• HTTP Security Filter Settings
• HTTP Security Filter Logging
• Disabling the HTTP Security Filter for Web Requests
• Exporting and Importing HTTP Security Filter Settings
• Investigating HTTP Headers for Potentially Dangerous Applications
• Example HTTP Security Filter Policies
• Commonly Blocked Application Signatures
• The Dangers of SSL Tunneling


Overview of HTTP Security Filter Settings

On the General tab you can configure the following options:

• Maximum header length
• Payload length
• Maximum URL length
• Verify normalization
• Block high bit characters
• Block responses containing Windows executable content


• The Methods tab controls what HTTP methods are used through an Access Rule or Web Publishing Rule

• Three options:
  – Allow all methods
  – Allow only specified methods
  – Block specified methods (allow all others)


• Add new method


• The Extensions tab controls what file extensions are allowed to be requested through the ISA firewall

• Options:
  – Allow all extensions
  – Allow only specified extensions
  – Block specified extensions (allow all others)
  – Block requests containing ambiguous extensions


• Add file extensions


• An HTTP header contains HTTP communication-specific information that is included in HTTP requests made from a Web client and HTTP responses sent back to the Web client from a Web server.

• Options on the Headers tab:
  – Allow all headers except the following
  – Server header
  – Via header


Common HTTP headers:

• Content-length
• Pragma
• User-Agent
• Accept-Encoding


• The Via Header
• The Server Header Option


• The Signatures tab allows you to control access through the ISA firewall based on HTTP signatures you create

• These signatures are based on strings contained in components of an HTTP communication:
  – Request URL
  – Request headers
  – Request body
  – Response headers
  – Response body
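The request-side checks from the General, Methods, Extensions, Headers and Signatures tabs can be modelled as a single evaluator. This is an added example, not ISA Server code and not part of the original slides; the `Policy` field names, the limits, the blocked header name and the signature strings are all constructed for illustration.

```python
from dataclasses import dataclass
from posixpath import splitext
from urllib.parse import unquote, unquote_to_bytes, urlsplit

@dataclass(frozen=True)
class Policy:
    """Constructed model of the filter tabs; names and values are illustrative."""
    max_header_len: int = 32768                       # General: maximum header length
    max_url_len: int = 2048                           # General: maximum URL length
    verify_normalization: bool = True                 # General: verify normalization
    block_high_bit: bool = True                       # General: block high bit characters
    allowed_methods: frozenset = frozenset({"GET", "HEAD", "POST"})   # Methods tab
    blocked_extensions: frozenset = frozenset({".exe", ".bat"})       # Extensions tab
    blocked_headers: frozenset = frozenset({"x-constructed-tunnel"})  # Headers tab
    signatures: tuple = (("url", "cmd.exe"), ("user-agent", "ExampleChatClient"))

def evaluate(policy, method, url, headers):
    """Return (allowed, reason) for one request; headers is a dict of strings."""
    hdrs = {k.lower(): v for k, v in headers.items()}
    # Approximate wire size: name + ": " + value + CRLF per header.
    header_len = sum(len(k) + len(v) + 4 for k, v in hdrs.items())
    if header_len > policy.max_header_len:
        return False, "header length"
    if len(url) > policy.max_url_len:
        return False, "URL length"
    once = unquote(url)
    # Normalization check modelled as: decoding a second time must change nothing.
    if policy.verify_normalization and unquote(once) != once:
        return False, "normalization"
    if policy.block_high_bit and any(b > 0x7F for b in unquote_to_bytes(url)):
        return False, "high bit character"
    if method.upper() not in policy.allowed_methods:
        return False, "method"
    if splitext(urlsplit(once).path)[1].lower() in policy.blocked_extensions:
        return False, "extension"
    if any(name in hdrs for name in policy.blocked_headers):
        return False, "header"
    for where, text in policy.signatures:
        haystack = once if where == "url" else hdrs.get(where, "")
        if text.lower() in haystack.lower():
            return False, f"signature in {where}"
    return True, "allowed"
```

The normalization and high-bit checks run before the extension and signature checks, so a double-encoded URL is rejected before the string matching ever sees it.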


The ISA Server Link Translator

• Link Translation solves a number of issues that may arise for external users connecting through the ISA firewall to an internal Web site

Link Translation Tab in Web Publishing Rule Properties


The Web Proxy Filter

• The Web Proxy filter allows connections from hosts not configured as Web Proxy clients to be forwarded to the ISA firewall’s Cache and Web Proxy components


The OWA Forms-Based Authentication Filter

• Used to mediate Forms-based authentication to OWA Web sites that are made accessible via ISA firewall Web Publishing Rules.


IP Filtering and Intrusion Detection/Intrusion Prevention

• Common Attacks Detection and Prevention
• DNS Attacks Detection and Prevention
• IP Options and IP Fragment Filtering


Common Attacks Detection and Prevention


DNS Attacks Detection and Prevention

• DNS host name overflow
• DNS length overflow
• DNS zone transfer


IP Options and IP Fragment Filtering

• The IP Options Tab
• The IP Fragments Tab