Welcome to ISAserver.org

Why does FW Client allow UNAUTHENTICATED traffic?

Why does FW Client allow UNAUTHENTICATED traffic? - 19.Jul.2002 9:28:00 AM   
wi11iam

 

Posts: 173
Joined: 29.May2002
From: Middelburg, South Africa
Hi there

I have been using GFI LanGuard RealTime Monitor for ISA and have noted that I have a lot of UNAUTHENTICATED traffic permitted through my firewall. Now I understand that the "...array.dll?Get.Routing.Script" traffic will be shown as unauthenticated as that is the first method that the browser tries, but thereafter it is then authenticated and I can see the usernames of the people that are surfing.

The problem I have is that I am seeing the following:
unauthenticated 160.115.68.44 8:57:6 4196 http://www.lockergnome.com/images/ads/icon.outlook4team.1.gif
unauthenticated 160.115.68.44 8:57:6 4196 http://www.capitalintellect.net/lg1/images/shortcut.gif
unauthenticated 160.115.68.44 8:57:6 4196 http://images.lockergnome.com/images/issue/sidebar.gif
unauthenticated 160.115.68.44 8:57:6 4196 http://www.lockergnome.com/images/webcam/webcam32.jpg
unauthenticated 160.115.68.44 8:57:6 4196 http://images.lockergnome.com/images/shoppingbag.gif
etc etc..

Now I know that these are just advertisements used by some download managers and instant messaging clients, but I would have thought that all of this traffic would be denied because of the following:
1) The users whose traffic I am seeing are blocked by an ISA schedule and they may only surf After Hours. So why are they permitted to do anything during office hours?
2) I have set up the HTTP Redirector Filter to "Reject HTTP requests from Firewall and SecureNAT clients", so why is the FW Client in any way permitted to surf?

By the way, my Instant Messaging clients (AOL, ICQ etc) are still able to function, even though I have changed the HTTP Redirector (as mentioned above). I would have thought that they would not be able to function. I do however notice that there are some Packet Filters defined explicitly for these instant messaging tools, so I just need someone to confirm that this is in fact why they are able to function, even though I have denied HTTP requests from FW & SecureNAT clients?

Cheers
William R.
Post #: 1
RE: Why does FW Client allow UNAUTHENTICATED traffic? - 19.Jul.2002 6:09:00 PM   
skipster

 

Posts: 550
Joined: 12.Oct.2001
From: newport beach
2) I have setup the HTTP Redirector Filter to "Reject HTTP requests from Firewall and SecureNAT clients", so why is the FW Client in any way permitted to surf?
Instead of doing this, try controlling access based on user\group, and set the HTTP redirector back to redirect to the local web proxy service. If you have a site and content rule, and a protocol rule in place that requires authentication, then firewall and SNAT clients won't be able to authenticate. If your SNAT clients and firewall clients are web proxy clients as well then they will be able to authenticate, and if there is a deny rule in place for a user or group, then they will be denied.

(in reply to wi11iam)
Post #: 2
RE: Why does FW Client allow UNAUTHENTICATED traffic? - 23.Jul.2002 7:59:00 AM   
wi11iam

 

Posts: 173
Joined: 29.May2002
From: Middelburg, South Africa
Hi Skipster

I already have a S&C and a Protocol Rule allowing only a specific group of people access to surf the internet.

Based upon your statement:
"If you have a site and content rule, and a protocol rule in place that requires authentication, then firewall and SNAT clients won't be able to authenticate."
As much as I would love to believe that, I am just not seeing that this is true. As noted, I have rules in place controlling access on group membership. But how will this prevent SNat and FW Client traffic from being accepted? Surely they also pass authentication requests to the ISA Server and depending on what type of request (WEB Proxy, Firewall Client, SNat) it is, it will just get authenticated at a different place. E.g. WEB Proxy request is authenticated against WEB Proxy service, FW Client is authenticated against FW Service and then passed to WEB Proxy service as anonymous/unauthenticated connection, and SNat client is validated against a Client Address Set.

Another thing, if the FW Service passes requests to the WEB Proxy service as anonymous/unauthenticated traffic, and I have enabled the tickbox on Outgoing WEB Requests which says "Ask unauthenticated users for identification", then why is all traffic from the FW Service permitted through the WEB Proxy if it is received from the FW Service as anonymous/unauthenticated?

Is it because the WEB Proxy service implicitly trusts the FW Service and therefore doesn't care what the FW Service passes to it?

Regards,
A very confused ISA enthusiast!

(in reply to wi11iam)
Post #: 3
RE: Why does FW Client allow UNAUTHENTICATED traffic? - 24.Jul.2002 6:57:00 PM   
skipster

 

Posts: 550
Joined: 12.Oct.2001
From: newport beach
Hey William, are you using a WPAD file in your DNS? If so, this traffic will be logged as unauthenticated; it will look like this: unauthenticated 192.168.0.57 9:58:4 1592 /wspad.dat. All my clients use the WSPAD file to automatically detect the ISA server, and ISA logs this traffic as not being able to authenticate.

(in reply to wi11iam)
Post #: 4
RE: Why does FW Client allow UNAUTHENTICATED traffic? - 25.Jul.2002 7:58:00 AM   
wi11iam

 

Posts: 173
Joined: 29.May2002
From: Middelburg, South Africa
Hi Skipster

I do not use the DNS WPAD entries. Instead I have configured all of my clients to use the AutoConfiguration Script http://<servername>:8080/array.dll?Get.Routing.Script

I do see that the initial connection that a client makes is UNAUTHENTICATED but that is just to get the Routing.Script file; thereafter most of the time it is shown as AUTHENTICATED. It just so happens that every now and then I may see some UNAUTHENTICATED traffic for actual HTTP websites going through the logs.

Cheers
William R.

(in reply to wi11iam)
Post #: 5
RE: Why does FW Client allow UNAUTHENTICATED traffic? - 25.Jul.2002 10:34:00 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Hi William,

For the Web Proxy client, ALL HTTP requests are unauthenticated at first, then the Web Proxy service asks for authentication and the request goes through if the credentials are appropriate.

HTH,
Tom

(in reply to wi11iam)
Post #: 6
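
A log triage sketch for the situation discussed in this thread, added here as an example and not code from any poster or from the product: it reads lines in the five-field layout quoted in the first post, sets aside the anonymous auto-configuration fetches described in posts 4 and 5, and groups the remaining unauthenticated requests by client IP. The sample lines, host names and user names are constructed, and attributing a hit to the last authenticated user seen on the same IP is a heuristic assumed for the example.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample in the field order of the lines quoted in the thread:
# user, client IP, time, an unlabelled number, URL. Names and IPs are made up.
SAMPLE_LOG = """\
unauthenticated 192.0.2.44 8:56:58 120 http://isa1:8080/array.dll?Get.Routing.Script
EXAMPLE\\jsmith 192.0.2.44 8:57:1 310 http://www.example.com/index.html
unauthenticated 192.0.2.44 8:57:6 4196 http://ads.example.net/images/shortcut.gif
unauthenticated 192.0.2.44 8:57:6 4196 http://ads.example.net/images/sidebar.gif
unauthenticated 192.0.2.57 9:58:4 1592 /wspad.dat
unauthenticated 192.0.2.90 10:2:11 88 http://im.example.org/banner.gif
"""

def is_autoconfig(url):
    """True for the auto-configuration fetches the thread describes as anonymous."""
    parts = urlsplit(url)
    path = parts.path.lower()
    if path.endswith("/array.dll") and parts.query.lower() == "get.routing.script":
        return True
    return path in ("/wspad.dat", "/wpad.dat")

def triage(log_text):
    """Return {client_ip: {"hosts", "count", "last_user"}} for unauthenticated
    requests that are not auto-configuration fetches."""
    last_user = {}  # client IP -> last authenticated user name seen so far
    findings = defaultdict(lambda: {"hosts": set(), "count": 0, "last_user": None})
    for line in log_text.splitlines():
        fields = line.split(None, 4)
        if len(fields) != 5:
            continue  # skip blank or malformed lines
        user, ip, _time, _num, url = fields
        if user.lower() != "unauthenticated":
            last_user[ip] = user
            continue
        if is_autoconfig(url):
            continue  # expected anonymous request, not a finding
        entry = findings[ip]
        entry["count"] += 1
        entry["hosts"].add(urlsplit(url).hostname or "")
        entry["last_user"] = last_user.get(ip)  # heuristic attribution only
    return dict(findings)

if __name__ == "__main__":
    for ip, info in triage(SAMPLE_LOG).items():
        print(ip, info["count"], sorted(info["hosts"]), info["last_user"])
```

A client IP that appears in the result with no `last_user` never authenticated in the window examined, which makes it the first place to check which client type and rule let the request through.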
