Serious flaw in web proxy filter.
Serious flaw in web proxy filter. - 6.Jul.2004 3:38:00 PM
penrose.l@2college.nl
Posts: 474
Joined: 29.Jan.2004
From: Netherlands
Hi,
Whether it's by design or a critical bug, it's very annoying:
When we allow HTTP traffic from internal to external only outbound port 80 (default) and no secondary connections, any user that has access to this rule (for instance they can go to http://www.google.com/) can also access ANY other website on ANY other port. For instance, we tested with a webmail server running on port 2095 and users are allowed connection to this webmail server. http://webmail.testserver.com:2095/
-> connection established. There is no rule that allows users to connect to TCP port 2095. I verified that the rule that allows this transaction is the HTTP rule.
Anyone experienced this, and anyone know if it's a bug? Can't connect to the beta newsgroups anymore so I can't post this on the Microsoft site.
Kind regards, LEx P.
RE: Serious flaw in web proxy filter. - 6.Jul.2004 11:24:00 PM
ClintD
Posts: 1833
Joined: 26.Jan.2001
From: Keller, TX
Scratch that. <removed my post> [ July 06, 2004, 11:28 PM: Message edited by: ClintD ]
RE: Serious flaw in web proxy filter. - 8.Jul.2004 2:06:00 PM
tshinder
Posts: 47659
Joined: 10.Jan.2001
From: Texas
Hi Lex,
I think their philosophy is that you are allowing access to *protocols*, not ports. Ports mean nothing, and that is a Cisco-oid packet filtering router/PIX type of thinking. Ports, in and of themselves, are only a convention that we agree upon that services will listen on. The ISA team's approach here is that it doesn't matter what the destination port is; what is important is the protocol, and the HTTP protocol is subjected to very deep application inspection.
So, I think they are using the right philosophy, they just need to document the behavior and warn a "port oriented" world.
HTH, Tom
RE: Serious flaw in web proxy filter. - 10.Jul.2004 8:26:00 AM
Bunshaw
Posts: 28
Joined: 8.Feb.2004
From: USA
It's like Tom said, the filter deeply inspects HTTP traffic and opens the port on your behalf. There's a way around it but you pretty much have to give up your web filtering entirely unless you want to create site-by-site or specific rules for each domain.
It's possible to convert ISA to a "dumb box" by not using the filters. Don't mess with the existing protocols though, easier to set up a new protocol, excuse me, port =). In this case, port 80, create a rule allowing it out and don't assign the web proxy filter to it. ISA will then treat it as any other connection, web proxy client or not, and only allow that specific port. If you try to connect to port 2095 via http it should fail then since there's nothing watching to dynamically open the port for you. You can even leave SSL as is.
I like the "feature" but I can see how in really secure/restricted configurations it may be necessary or even a requirement to disable it. In less restricted scenarios I don't think most admins would want to enable all the numerous ports that some sites use.
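The behaviour the thread describes (an HTTP rule letting a web proxy client reach any destination port, as in the http://webmail.testserver.com:2095/ case from the first post) is easy to miss in a port-oriented review of the policy. The script below is an added example, not code from the thread or from ISA Server: it audits proxy access logs for successful HTTP requests whose destination port is outside the ports an administrator believes the rule permits. The log format, the host names other than the one quoted in the thread, and the client addresses are constructed for illustration and are not ISA Server's own log format.

```python
"""Audit proxy access logs for HTTP requests to non-standard destination ports.

Constructed example: the log format below is made up for illustration and is
not ISA Server's own log format. Field order: date time client method url status.
"""
from urllib.parse import urlsplit

# A missing port in a proxied URL means the scheme's default port.
DEFAULT_PORTS = {"http": 80, "https": 443}

# Constructed sample log; only webmail.testserver.com:2095 comes from the thread.
SAMPLE_LOG = """\
2004-07-06 15:38:00 10.0.0.21 GET http://www.google.com/ 200
2004-07-06 15:38:05 10.0.0.21 GET http://webmail.testserver.com:2095/ 200
2004-07-06 15:38:09 10.0.0.22 GET https://intranet.example.net/ 200
2004-07-06 15:38:12 10.0.0.23 CONNECT mail.example.net:443 200
2004-07-06 15:38:15 10.0.0.23 GET http://mgmt.example.net:8080/console 200
"""


def destination(method, target):
    """Return (host, port) for a proxied request target.

    CONNECT targets are bare "host:port"; every other method carries the
    absolute URL a proxy client sends, where an absent port means the
    scheme default (80 for http, 443 for https).
    """
    if method.upper() == "CONNECT":
        host, _, port = target.rpartition(":")
        return host, int(port)
    parts = urlsplit(target)
    port = parts.port if parts.port is not None else DEFAULT_PORTS.get(parts.scheme)
    return parts.hostname, port


def parse_line(line):
    """Split one constructed log line into a record; returns None for malformed lines."""
    fields = line.split()
    if len(fields) != 6:
        return None
    _date, _time, client, method, target, status = fields
    host, port = destination(method, target)
    return {"client": client, "method": method, "host": host,
            "port": port, "status": int(status)}


def find_nonstandard(log_text, allowed_ports=(80, 443)):
    """List (client, host, port) for successful requests whose destination port
    is outside allowed_ports.

    A port-oriented rule would have denied these; a protocol-oriented web proxy
    filter opens them on the client's behalf, so they are the ones to review.
    """
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["status"] >= 400:
            continue  # skip malformed lines and requests the proxy refused
        if rec["port"] not in allowed_ports:
            hits.append((rec["client"], rec["host"], rec["port"]))
    return hits


if __name__ == "__main__":
    for client, host, port in find_nonstandard(SAMPLE_LOG):
        print(f"{client} reached {host} on TCP/{port} through the HTTP rule")
```

Run against the constructed sample, the audit reports the 2095 and 8080 destinations; narrowing `allowed_ports` to `(80,)` also surfaces the 443 destinations, which is the view to use when the rule in question is the plain outbound-port-80 rule from the first post rather than a combined HTTP/HTTPS rule.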
RE: Serious flaw in web proxy filter. - 10.Jul.2004 6:09:00 PM
tshinder
Posts: 47659
Joined: 10.Jan.2001
From: Texas
Hi Lex,
I don't think you're going to find any docs on this when the product is released. They never doc'd it in ISA 2000. Personally, I think they should not allow this behavior and should limit access to the ports that you allow. It would be OK for the Web proxy to use alternate ports, but you should be able to configure the alternate ports it's allowed to use.
HTH, Tom
RE: Serious flaw in web proxy filter. - 4.Aug.2004 8:12:00 PM
frond
Posts: 8
Joined: 29.Jul.2004
It does appear that they've changed this behavior in ISA 2004 because I'm fighting with it right now.
I guess I see it differently than most of the others in this thread. There are *lots* of different sites out there which run HTTP services on non-standard ports. For example, any kind of a web management console or agent is guaranteed to be running on something other than port 80. With that in mind, I can't imagine why we'd want to run around opening ports every time somebody finds another new URL with yet another port number. If you wind up specifying 200 different port numbers that the web proxy is allowed to use, what's the point? You're just making everyone's life difficult for no reason.
So, how do I make ISA 2004 go back to the way ISA 2000 did it? If I allow web proxy traffic outbound, I don't want to restrict the allowed port numbers.
Just for clarification, I'm not saying I want to allow all ports outbound. I'm saying that I want to allow all ports for outbound HTTP connections. (http://server:1500, http://server:2000, etc.) Any filtering that we need to do would make more sense to do by content type, not by port number.
RE: Serious flaw in web proxy filter. - 4.Aug.2004 8:47:00 PM
frond
Posts: 8
Joined: 29.Jul.2004
I guess I spoke too soon. It appears that my problem was related to the access policy, not the behavior of the web proxy. Once I changed the rule to make sure that the local host was allowed to connect outbound on all the required ports, it now works as I would expect.
RE: Serious flaw in web proxy filter. - 5.Aug.2004 2:16:00 PM
tshinder
Posts: 47659
Joined: 10.Jan.2001
From: Texas
Hi Frond,
I would reconsider that access policy. If you allow the local host network access to all ports outbound, you set up the firewall for a possible trojan infection that can open up a listener pretty easily.
HTH, Tom