App Level Traffic Identification & Blocking
App Level Traffic Identification & Blocking - 14.Jul.2005 2:00:00 PM
minerat
Posts: 131
Joined: 19.Mar.2003
From: Philadelphila
Status: offline
I'm looking for a more intelligent way to identify traffic flowing through ISA, so that I don't have any rogue applications flowing through allowed open ports. From what I gather, when I create a generic rule ISA isn't doing any kind of signature / fingerprinting of the TCP traffic flowing through allowed ports. If it's TCP outbound on a port defined in an allow rule, it goes - regardless of whether it's an intended application or something else masquerading on that port.

I've looked at the two articles about specifically blocking IM and using Akonix, but that doesn't seem to offer the breadth I'm looking for. I guess what I'm after is a PacketSeeker-type classification (http://www.shaperworks.com/PacketSeeker.asp) combined with an active denial of all but allowed applications. Intentional use of rogue programs on the user desktop isn't a big problem; I'm just more worried about the unintentional. I don't need packet shaping / bandwidth management; I just want more detailed inspection of allowed traffic.

[ July 14, 2005, 02:01 PM: Message edited by: AndrewM ]
RE: App Level Traffic Identification & Blocking - 14.Jul.2005 7:43:00 PM
nonsence
Posts: 57
Joined: 4.Aug.2003
From: Waterloo
Status: offline
I don't think what you want exists, or at least it doesn't exist in a full-blown commercial or open source project. You'll more than likely have to install a commercial IDS or something like SNORT behind the ISA server to watch for traffic that goes to it, and then script rules to block based on IDS signatures. I know what you're talking about, but it's basically impossible to filter to that degree of detail. Even allowing ICMP out opens the door for reverse shell servers that encapsulate data in ICMP messages and send it out over the internet. It's just too hard to catch everything. What you can try to do is block as much as you can using the port filtering, and use the proxy service to authenticate when users want access to the internet. If you have a domain you can take it a step further and use IPsec to issue domain isolation group policies to WinXP and Windows 2003 systems. This way only those that are part of the domain can gain network access and internet access, and those that are part of the domain need to be authenticated to ISA server's proxy before they can get internet access.
RE: App Level Traffic Identification & Blocking - 15.Jul.2005 11:18:00 AM
minerat
Posts: 131
Joined: 19.Mar.2003
From: Philadelphila
Status: offline
That's unfortunate; it seems like all the pieces are out there, just not unified. Seems like it'd be an excellent feature for ISA (I know the overhead could get huge, but on a small network like mine, I think it could be manageable). ISA bills itself as a step above just your regular old stateful firewall. To blindly pass traffic based on port rules (I don't consider user authentication much added protection; rogue PCs aren't an issue, and if there was a rogue program, it'd probably authenticate to the FWC as that user anyway) seems to fly in the face of this.

[ July 15, 2005, 11:19 AM: Message edited by: AndrewM ]
RE: App Level Traffic Identification & Blocking - 9.Feb.2006 3:16:25 PM
CyberGuy
Posts: 13
Joined: 24.Oct.2005
Status: offline
It's possible to do this if you have the Microsoft Firewall Client for ISA installed on your workstations, since the client sends the application name to the ISA server. I modified a Microsoft script to do such a thing as an example. It would be nice if a 3rd party turned this into an add-in.

''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
' Copyright (c) Microsoft Corporation. All rights reserved.
' THIS CODE IS MADE AVAILABLE AS IS, WITHOUT WARRANTY OF ANY KIND. THE ENTIRE
' RISK OF THE USE OR THE RESULTS FROM THE USE OF THIS CODE REMAINS WITH THE
' USER. USE AND REDISTRIBUTION OF THIS CODE, WITH OR WITHOUT MODIFICATION, IS
' HEREBY PERMITTED.
''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
' This script creates and executes a query on the FPCSessionsMonitor collection
' for the Firewall service sessions and, among the active sessions that existed
' when the query started, disconnects those whose client process name is on the
' block list below (modified from the Microsoft ActiveSessions.vbs sample).
' We recommend running this script from a command prompt by entering the
' following command:
' CScript ActiveSessions.vbs
''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
Sub DisplayActiveSessions()
    ' FpcSessionTypes
    Const fpcNoSessionType = 0
    Const fpcSecureNetSession = 1
    Const fpcFirewallClientSession = 2
    Const fpcProxySession = 3
    Const fpcVpnRemoteAccessSession = 4
    Const fpcVpnRemoteSiteSession = 5
    ' FpcNetworkTypes
    Const fpcStandardNetwork = 0
    Const fpcVPNClients = 1
    Const fpcLocalHost = 2
    Const fpcDefaultExternal = 3
    Const fpcInternalNetworkfpc = 4
    Const fpcQuarantinedVPNClients = 5
    ' Define constants.
    Const fpcSessionFound = 0
    Const bufferSize = 10000

    ' Create the root object.
    Dim root             ' The FPCLib.FPC root object
    Set root = CreateObject("FPC.Root")

    ' Declare the other objects needed.
    Dim array            ' An FPCArray object
    Dim filter           ' An FPCFilterExpressions collection
    Dim sessionmonitor   ' An FPCSessionsMonitor collection
    Dim session          ' An FPCSessionsMonitorEntry object

    ' Get references to the array object and the sessions monitor collection.
    Set array = root.GetContainingArray
    Set sessionmonitor = array.SessionsMonitors.SessionsMonitorFirewall

    ' Create an FPCFilterExpressions collection.
    Set filter = CreateObject("FPC.FPCFilterExpressions")

    ' Start a query to find the active sessions.
    sessionmonitor.ExecuteQuery filter, bufferSize
    WScript.Echo "ExecuteQuery was called. Please wait a few seconds."

    Dim Index
    Index = 1
    On Error Resume Next
    Do
        Set session = sessionmonitor.Item(Index)
        ' An E_PENDING (0x80070002) error is raised when the index points beyond the
        ' end of the current list of active sessions.
        If Err.Number <> 0 Then
            WScript.Echo "All existing sessions have been retrieved."
            Exit Do
        End If
        ' An FPCSessionsMonitorEntry object can be related to various session events.
        ' Here we are interested only in entries whose Event property equals
        ' fpcSessionFound, which indicates a session that existed when the query started.
        ' Disconnect each such session whose client process (the name reported by the
        ' Firewall Client) is one of the blocked applications.
        If session.Event = fpcSessionFound Then
            If session.ClientProcess = "Weather.exe" Then sessionmonitor.DisconnectSession session.ServerName, session.SessionID
            If session.ClientProcess = "DesktopWeather." Then sessionmonitor.DisconnectSession session.ServerName, session.SessionID
            If session.ClientProcess = "PowerDVD.exe" Then sessionmonitor.DisconnectSession session.ServerName, session.SessionID
            If session.ClientProcess = "TWCSaver.scr" Then sessionmonitor.DisconnectSession session.ServerName, session.SessionID
        End If
        Index = Index + 1
    Loop Until Err.Number <> 0
    Err.Clear

    ' Stop the query.
    sessionmonitor.EndQuery
End Sub

DisplayActiveSessions
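Added example, not code from the thread or from Microsoft: the same session walk as CyberGuy's script, but as an allow-list (deny everything except approved applications, which is what the original question asked for), written in Python over constructed session records so it runs offline. It assumes the entry exposes a SessionType alongside the ClientProcess, ServerName, SessionID and Event fields the script uses; the approved list and the sample sessions are made up.

```python
# Added example (not from the thread or Microsoft): an allow-list over session
# records with FPCSessionsMonitorEntry field names; sample sessions are constructed.
import os
from dataclasses import dataclass

FPC_SESSION_FOUND = 0             # Event: session existed when the query started
FPC_SECURENAT_SESSION = 1         # fpcSecureNetSession in the script's constants
FPC_FIREWALL_CLIENT_SESSION = 2   # fpcFirewallClientSession: only this type reports a process name

@dataclass(frozen=True)
class SessionEntry:
    server_name: str      # ServerName
    session_id: int       # SessionID
    session_type: int     # SessionType (assumed to be exposed on the entry)
    event: int            # Event
    client_process: str   # ClientProcess; empty when the client reports nothing

# Assumed approved applications; matched case-insensitively on the bare file name.
ALLOWED_PROCESSES = frozenset(("iexplore.exe", "outlook.exe", "ftp.exe"))

def classify(entry, allowed=ALLOWED_PROCESSES):
    """Return 'ignore', 'allow', 'disconnect' or 'unclassifiable' for one entry."""
    if entry.event != FPC_SESSION_FOUND:
        return "ignore"          # not a live session captured at query start
    if entry.session_type != FPC_FIREWALL_CLIENT_SESSION or not entry.client_process:
        return "unclassifiable"  # SecureNAT and similar: no process name to judge by
    name = os.path.basename(entry.client_process.replace("\\", "/")).lower()
    return "allow" if name in allowed else "disconnect"

def plan_disconnects(entries, allowed=ALLOWED_PROCESSES):
    """Return (sessions to disconnect, sessions that need a non-application control)."""
    to_disconnect, unclassifiable = [], []
    for e in entries:
        verdict = classify(e, allowed)
        if verdict == "disconnect":
            to_disconnect.append((e.server_name, e.session_id))
        elif verdict == "unclassifiable":
            unclassifiable.append((e.server_name, e.session_id))
    return to_disconnect, unclassifiable

# Constructed sample sessions, not real ISA output.
SAMPLE_SESSIONS = [
    SessionEntry("ISA1", 1, FPC_FIREWALL_CLIENT_SESSION, FPC_SESSION_FOUND, "iexplore.exe"),
    SessionEntry("ISA1", 2, FPC_FIREWALL_CLIENT_SESSION, FPC_SESSION_FOUND, "Outlook.EXE"),
    SessionEntry("ISA1", 3, FPC_FIREWALL_CLIENT_SESSION, FPC_SESSION_FOUND, "Weather.exe"),
    SessionEntry("ISA1", 4, FPC_FIREWALL_CLIENT_SESSION, FPC_SESSION_FOUND, r"C:\Apps\PowerDVD.exe"),
    SessionEntry("ISA1", 5, FPC_SECURENAT_SESSION, FPC_SESSION_FOUND, ""),
    SessionEntry("ISA1", 6, FPC_FIREWALL_CLIENT_SESSION, 1, "PowerDVD.exe"),  # not a "found" event
]
```

The "unclassifiable" bucket is the part the script cannot cover: SecureNAT sessions carry no process name, and the name a Firewall Client does send is whatever the workstation reports, so this control is only as reliable as the client itself.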
RE: App Level Traffic Identification & Blocking - 9.Feb.2006 9:56:17 PM
ferrix
Posts: 363
Joined: 16.Mar.2005
Status: offline
Unfortunately it isn't as easy as just a single feature. Each protocol, application and service has unique requirements and aspects that must be taken into account if you want to provide advanced application layer security for a scenario. In many cases what you want to do with traffic at the application layer involves security-related things (like the built-in RPC filter or SMTP filter), and others are designed to provide for protocol enablement in unique scenarios (such as FTP with NAT). ISA does have a variety of options around authentication and many common protocols, solutions and services. Beyond that, many partners make more advanced plug-ins (such as us, at www.collectivesoftware.com, who now have a SIP/LCS P2P filter in beta for ISA 2004 :) ). We here at Collective believe in continuing to innovate the capabilities of ISA in this space, as do the many other partners that exist for ISA Server. We also like the article just posted by Tom Bartlett (from Microsoft) on his blog about how ISA differentiates itself in this space: http://blogs.technet.com/accessdenied/articles/419068.aspx