Why are Allow rules Denying?

Why are Allow rules Denying? - 1.Dec.2005 10:03:42 PM   
aybab2u

 

Posts: 4
Joined: 1.Dec.2005
Status: offline
I was curious as to why if you place an allow rule that applies to specific users or groups above another allow rule that applies to specific IPs, any request that doesn't authenticate is denied by the allow rule that applies to specific users or groups.  For instance, the below config would cause the users of ComputerSet1 to be denied by the allow rule that applies to domain users.

Action: Allow   Protocols: All   From: Internal       To: External   Users: Domain\Domain Users
Action: Allow   Protocols: All   From: ComputerSet1   To: External   Users: All Users
Default Deny Rule

I understand that the rule that applies to ComputerSet1 can be placed above the other to correct the issue, but when you get into highly complicated setups, it gets to be a huge headache having to order the rules specifically and create multiples of some rules to do the job that one should do.  Shouldn't the traffic simply pass down the line until it is specifically denied by a DENY rule?  I thought the purpose of the default deny rule was to block any traffic that wasn't specified by any other rules.  I've heard arguments that it's a security feature but I disagree, considering I can't get an explanation.  I think that's just the easy way of saying "I don't know why it's like that".  I don't recall ever seeing any Cisco access list allow statements block traffic because the traffic didn't apply; the default deny any any at the end always took care of that.

My apologies if it sounds like I'm blowing up on my first post, I've just been all over trying to get an answer that no one could give and I heard this would be the place to come to get it.  Thanks in advance for any suggestions.
Post #: 1
RE: Why are Allow rules Denying? - 1.Dec.2005 10:14:51 PM   
spouseele

 

Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi aybab2u,

did you already check out my article http://www.isaserver.org/articles/ISA2004_AccessRules.html ? Those 'strange' behaviors are by design. I agree, they are not always intuitive but apparently the designers did make the safest choice: can't validate it => deny the traffic.

HTH,
Stefaan

(in reply to aybab2u)
Post #: 2
RE: Why are Allow rules Denying? - 1.Dec.2005 11:15:17 PM   
aybab2u

 

Posts: 4
Joined: 1.Dec.2005
Status: offline
Hi spouseele,

Thanks for the article.  I understand that if the traffic can't be validated it should be denied, but by the allow rule?  If the traffic isn't coming from a user specified in that rule, it seems that it should be passed on until it's denied by the default deny rule or is allowed by a rule that applies specifically to that traffic.  I see why it could be the safest choice, but it sounds like the programmers have little faith in the end-user's ability to configure their policy correctly.  Shouldn't the "can't validate it => deny the traffic" example you stated in the previous post apply to the example I gave earlier in the following way?

If the user hasn't authenticated, it should be passed on to the rule that uses ComputerSet1; if that user isn't specified in ComputerSet1, it should be passed on down to the default deny rule.

Am I wrong in thinking it should function that way?  It just seems logical to me.

(in reply to aybab2u)
Post #: 3
RE: Why are Allow rules Denying? - 2.Dec.2005 10:55:25 AM   
spouseele

 

Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi aybab2u,

as already said, I agree they are not always intuitive but I expect that the designers did have some very specific reasons for making those choices.

BTW --- there is a difference between can't authenticate at all, that means that no credentials at all are presented to the ISA Server (i.e. SecureNAT client), and can authenticate but belong to the wrong user set.

HTH,
Stefaan

< Message edited by spouseele -- 2.Dec.2005 10:59:09 AM >

(in reply to aybab2u)
Post #: 4
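A small model of the rule walk discussed in the first post and in Stefaan's reply above, added here as an illustration; it is not ISA Server code and not from any of this thread's authors. It assumes rule elements are checked in the order protocol, from, to, users; that an allow rule naming a user set denies a request that presents no credentials (the SecureNAT case); and that an authenticated user outside the set falls through to the next rule. The rule names, sets and sample clients are constructed from the original post.

```python
from dataclasses import dataclass, field
from typing import Optional, Set

ALL_USERS = "All Users"

@dataclass
class Rule:
    action: str             # "Allow" or "Deny"
    protocols: str          # "All" or one protocol name
    src: str                # network or computer-set name
    dst: str
    users: str = ALL_USERS  # any other user set requires authentication

@dataclass
class Request:
    protocol: str
    src_sets: Set[str]           # every network/computer set the source IP is in
    dst: str
    user: Optional[str] = None   # None = no credentials (SecureNAT client)
    groups: Set[str] = field(default_factory=set)

def evaluate(rules, req):
    """Walk the ordered rule list; return (verdict, reason)."""
    for i, r in enumerate(rules, 1):
        if r.protocols != "All" and r.protocols != req.protocol:
            continue                      # protocol element does not match
        if r.src not in req.src_sets or r.dst != req.dst:
            continue                      # from/to elements do not match
        if r.users != ALL_USERS:
            if req.user is None:
                # thread behaviour: the allow rule itself denies the request
                return "Deny", f"rule {i} requires authentication; none presented"
            if r.users not in req.groups:
                continue                  # assumption: wrong user set -> next rule
        return r.action, f"matched rule {i}"
    return "Deny", "default deny rule"

# The ruleset from the first post, and the reorder that works around it.
USER_RULE = Rule("Allow", "All", "Internal", "External", "Domain\\Domain Users")
SET_RULE = Rule("Allow", "All", "ComputerSet1", "External")
AS_POSTED = [USER_RULE, SET_RULE]
REORDERED = [SET_RULE, USER_RULE]

# Constructed sample clients; ComputerSet1 hosts are also on the Internal network.
SECURENAT = Request("HTTP", {"Internal", "ComputerSet1"}, "External")
GUEST = Request("HTTP", {"Internal", "ComputerSet1"}, "External",
                user="guest", groups={"Domain\\Guests"})

def verdict(rules, req):
    return evaluate(rules, req)[0]
```

Running the SecureNAT client through AS_POSTED shows rule 1 denying it, while REORDERED allows it at rule 1 and GUEST (authenticated, not a Domain User) falls through to rule 2 in either order.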
RE: Why are Allow rules Denying? - 2.Dec.2005 6:08:05 PM   
aybab2u

 

Posts: 4
Joined: 1.Dec.2005
Status: offline
Hi spouseele,

I appreciate the info so far, more than I've received anywhere else.  What I'm after though is what you stated in your last post - the specific reason the designers had for making those choices.  I know that info would probably have to come from the designers themselves because I've even had technicians from Microsoft agree with my argument and not be able to tell me why it behaves in that fashion.  Having an answer to that question would answer the real question - Bug or Feature?

Again, thank you for the replies.  If anyone else is experiencing the same dilemma or can point me to some additional info on this subject it would be much appreciated.

(in reply to aybab2u)
Post #: 5
RE: Why are Allow rules Denying? - 2.Dec.2005 7:17:23 PM   
spouseele

 

Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi aybab2u,

what I'm very sure of is that this behavior is *NOT* a bug, it's really by design!

During beta testing of ISA 2004, the 'community' reported to the developers that this was a non-intuitive behavior and something that certainly would confuse a lot of customers. However, already at that time it was impossible to change that behavior without delaying the product release too much. So, I guess it has something to do with the way the rules are internally optimized for processing by the firewall engine, let's call it the heart of the system.

BTW --- did you ever watch the ISA 2004 Webcasts at http://www.microsoft.com/events/series/isaserversecurity.mspx ? I strongly suggest you take a look at the excellent webcast TechNet Webcast: ISA Server 2004: Networks and Rules (Level 300) by Ronald Beekelaar.

HTH,
Stefaan

(in reply to aybab2u)
Post #: 6
RE: Why are Allow rules Denying? - 2.Dec.2005 8:58:37 PM   
ClintD

 

Posts: 1833
Joined: 26.Jan.2001
From: Keller, TX
Status: offline
Just to add to Stefaan's reply, I worked in MS' PSS for 5 years in the Networking support team in charge of supporting Windows and ISA. I worked the Beta for PSS for ISA 2004 and can tell you definitively that this is not a bug, but by design. I'm not sure who you're talking to in MSFT Support but this was well-known behavior for the team I worked in and everyone knew the reason why - if a parameter can't be verified, then that traffic is denied, even though it's an Allow Rule.

It certainly has a 'buggy' feel to it, but the product is designed this way. Some people like it, most don't, but if the product was designed to work a certain way, then it's not a bug. Call it a design limitation, or whatever you want to call it...

Now that I no longer work there, I personally feel that the MSFT guys should come out with an article explaining in detail why this decision was made, at least to give official documentation for the reason and a clear example when this behavior is needed.

(in reply to spouseele)
Post #: 7
RE: Why are Allow rules Denying? - 2.Dec.2005 10:33:44 PM   
aybab2u

 

Posts: 4
Joined: 1.Dec.2005
Status: offline
Hey spouseele,

I haven't seen the webcast, thanks for the link, I'll check it out. 

In response to ClintD, I couldn't agree with you more.  I nearly applauded.
quote:

I personally feel that the MSFT guys should come out with an article explaining in detail why this decision was made, at least to give official documentation for the reason and a clear example when this behavior is needed.


It would be nice to at least have the option to use it.  For instance, if the behavior was on by default but had an option to disable it if needed.  Does anyone agree?  Or do you feel this is something that should be left as is?


(in reply to aybab2u)
Post #: 8
RE: Why are Allow rules Denying? - 3.Dec.2005 7:19:34 AM   
ClintD

 

Posts: 1833
Joined: 26.Jan.2001
From: Keller, TX
Status: offline
I had a heated (my own fault) discussion about this and whether or not it's a bug or design limitation (and what the difference is between those two points), so the article would definitely be worthwhile.

Since the ISA team loves long registry keys, something like SkipUserVerificationForAccessRuleProcessing, available for each rule, would be great. :P

< Message edited by ClintD -- 3.Dec.2005 7:21:05 AM >

(in reply to aybab2u)
Post #: 9
RE: Why are Allow rules Denying? - 3.Dec.2005 4:20:29 PM   
LLigetfa

 

Posts: 2184
Joined: 10.Aug.2004
From: fort frances.on.ca
Status: offline
quote:

I had a heated (my own fault) discussion

Is that what set your exit path from PSS? :p

_____________________________

The School of Hard Knocks is a mean teacher. She gives the exam before the lesson.

(in reply to ClintD)
Post #: 10