1 advanced application and web filtering. 2 common security attacks finding a way into the network...

1

Advanced Application and Web Filtering

2

Common security attacks

• Finding a way into the network• Exploiting software bugs, buffer overflows• Denial of Service• TCP hijacking• Packet sniffing• Social problems

3

Common security attacks

• Finding a way into the network• Exploiting software bugs, buffer overflows• Denial of Service• TCP hijacking• Packet sniffing• Social problems

FirewallsFirewalls

Intrusion Detection SystemsIntrusion Detection Systems

Ingress filtering, IDSIngress filtering, IDS

IPSecIPSec

Encryption (SSH, SSL, HTTPS)Encryption (SSH, SSL, HTTPS)

EducationEducation

4

Types of Firewalls

• Packet Filtering• Stateful Inspection• Application-Layer Inspection

InternetInternet

5

Application filter and Web Filter

• Application filters work with the firewall service in ISA Server to intercept and process network packets as they pass through ISA Server

• Application filters examine the application-level

• Web filters are used to mediate HTTP, HTTPS, and FTP tunneled

6

Application Filters• SMTP filter• DNS filter• POP Intrusion Detection filter• SOCKS V4 filter• FTP Access filter• H.323 filter• MMS filter• PNM filter• PPTP filter• RPC filter• RTSP filter

7

The SMTP Filter

if a command that is sent over the SMTP channel is

not on this list, it is dropped

if a command that is sent over the SMTP channel is

not on this list, it is dropped

8

The DNS Filter

Three attacks:• DNS host name overflow• DNS length overflow• DNS zone transfer

9

The SOCKS V4 Filter

10

Web Filters

• HTTP Security filter• ISA Server Link Translator• Web Proxy filter• SecurID filter• OWA Forms-based Authentication filter

11

The HTTP Security Filter (HTTP Filter)

• HTTP Security Filter Settings• HTTP Security Filter Logging• Disabling the HTTP Security Filter for Web Requests• Exporting and Importing HTTP Security Filter Settings• Investigating HTTP Headers for Potentially Dangerous

Applications• Example HTTP Security Filter Policies• Commonly Blocked Application Signatures• The Dangers of SSL Tunneling

12

The HTTP Security Filter (HTTP Filter)

13

Overview of HTTP Security Filter Settings

General Tab can configure the following options:•Maximum header length•Payload length•Maximum URL length•Verify normalization• Block high bit characters• Block responses containing Windows executable content

14

Overview of HTTP Security Filter Settings

• Methods tab control what HTTP methods are used through an Access Rule or Web Publishing Rule

• Three options:– Allow all methods– Allow only specified

methods– Block specified methods

(allow all others)

15

Overview of HTTP Security Filter Settings

• Add new method

16

Overview of HTTP Security Filter Settings

• The Extensions Tab control what file extensions are allowed to be requested through the ISA firewall

• Option:– Allow all extensions– Allow only specified

extensions– Block specified extensions

(allow all others)– Block requests containing

ambiguous extensions

17

Overview of HTTP Security Filter Settings

• Add file extensions

18

Overview of HTTP Security Filter Settings

• An HTTP header contains HTTP communication specific information that is included in HTTP requests made from a Web client and HTTP responses sent back to the Web client from a Web server.

• Option on Header Tab:– Allow all headers except the

following– Server header– Via header

19

Overview of HTTP Security Filter Settings

Common HTTP headers:• Content-length• Pragma• User-Agent• Accept-Encoding

20

Overview of HTTP Security Filter Settings

The Via Header The Server Header Option

21

Overview of HTTP Security Filter Settings

• The Signatures tab allows you to control access through the ISA firewall based on HTTP signatures you create

• These signatures are based on strings contained components of an HTTP communication:– Request UR L– Request headers– Request body– Response headers– Response body

22

The ISA Server Link Translator

• Link Translation solves a number of issues that may arise for external users connecting through the ISA firewall to an internal Web site

Link Translation Tab in Web Publishing Rule Properties

23

The Web Proxy Filter

• The Web Proxy filter allows connections from hosts not configured as Web Proxy clients to be forwarded to the ISA firewall’s Cache and Web Proxy components

24

The OWA Forms-Based Authentication Filter

• Used to mediate Forms-based authentication to OWA Web sites that are made accessible via ISA firewall Web Publishing Rules.

25

IP Filtering and Intrusion Detection/IntrusionPrevention

• Common Attacks Detection and Prevention• DNS Attacks Detection and Prevention• IP Options and IP Fragment Filtering

26

Common Attacks Detection and Prevention

27

DNS Attacks Detection and Prevention

• DNS host name overflow• DNS length overflow• DNS zone transfer

28

IP Options and IP Fragment Filtering

The IP Options Tab The IP Fragments Tab