After Hours Information Technology -
The small IT business for your small business.

How to ensure your network security
Frequently Asked Questions - Microsoft ISA Server

I routinely have new customers contact me saying that they've got security problems in their network.

They say that their ISA server isn't controlling/limiting traffic like it should.

Or they say that they're concerned about their exposure to viruses etc.


Let's have a look at how your Internet network infrastructure SHOULD be set up, and then at some of the reasons why people have these concerns.

For those of you who DON'T use an ISA Server to protect your network, bear with me for a minute as I'll get to you. Read on though, as you may see that there's benefit in increasing your network security by implementing an ISA server.


Correct ISA infrastructure & network layout

If you utilize ISA as a network security device to protect your internal network from some of the "nasties" out there on the Internet, then let it do its job (!!) and be the only device that has direct access to the Internet.

Many of the networks I see where they've installed ISA have the ISA server connected to the internal network, but the infrastructure has not been designed such that ISA is the ONLY entry/exit point to the network. The ISA server often only has 1 network card and is therefore only being used as a proxy server to cache content, but users can easily disable the proxy to get "direct access". If you're going to install a network security product like Microsoft ISA, then design your network so that all traffic MUST go through it.

I've seen ISA servers that only had 1 interface (Hint: a firewall MUST have at least 2 network interfaces!) attached to the internal LAN and people thought they were secure because they were running a firewall product. Hah!

Remember our bouncer story [The case of the unusual credential popup.] talking about authentication? Let's use that scenario again as an example.

Our bouncerguy is employed to stop undesirables entering our nightclub, just like a firewall is used to do the same for networks.

If the bouncerguy stands at the front door looking imposing, he can't stop the nasties from getting in..... in that door anyway! If there's a great big roller door as a back entrance, and there's no bouncerguy, anybody can get in there. Similarly, if your firewall product is not the only way traffic can get in and out of your network, then your thoughts about network safety are merely a pipe dream.

Despite ISA being a great application layer firewall, we still think there's benefit to other "firewall" products. Admittedly most other firewalls are pretty dumb: "Are you port 80 traffic? Yep, then I assume you're HTTP and I'll let you through." We know that port 80 is nowadays used for much more than just conventional HTTP traffic. Other firewalls don't know this and just do rudimentary packet filtering.

Hang on, I just said there are still benefits to other firewall technology. The reason is simple. Most ADSL/cable-modem routers (as well as higher end ISDN/frame relay routers) offer NAT (Network Address Translation) and simple packet filters. Use one of these devices to filter out some of the "crap" before it even gets to your "main" edge firewall device, your ISA server. Why? These simple routers can reject lots of unnecessary port based traffic with little overhead. The advantage? Whilst it's true to say that ideally you should never run any other applications/services on your ISA server, that's an expensive server you've got there and you want to get the most for the bucks you paid for it. By limiting the amount of traffic that the ISA server sees, you've limited the amount of otherwise "wasted" CPU cycles spent dealing with it. That CPU time can now be used to do things YOU want to do... like run SPAM filters, or a web-server, or a mail-server on your Server computer. "But you're not supposed to do that!" I hear some of you shout. Probably not, but it can be done - and as proof of that, Microsoft's own SBS (Small Business Server) product is designed to do exactly that, with firewall, mail & databases all running off one single machine.

Another distinct advantage of using an inexpensive router like this (Billion, Draytek, D-Link, Netgear etc) is that the router can do the DSL authentication for you. DSL usually (but not always) requires authentication before you can get online. You need to log in with a username (or something similar) and a password. The router can do this task for you so you don't need to screw around with PPPoE clients and the like on your ISA server. The router can also do auto-dial, keep the link alive etc etc. For my money, spend the few extra dollars and get a DSL router instead of just a DSL modem - you'll appreciate the difference.

Now, onto the virus concerns (Non ISA users can join us again now!)

What is the "payload" or effect of most modern viruses? Fortunately they don't often go deleting hard disk MBRs (Master Boot Records) and the like anymore. Most of the time the damage they do is pretty limited. One thing they all do, however, is mail out copies of themselves to addresses found in your address book or in other files on the hard drive. They usually contain their own SMTP (Simple Mail Transfer Protocol) engine or mail-server. A side effect of this is that, because they try to send mail directly to the intended mail-server, you can stop the mass mail-out dead in its tracks. How?

If you utilize the packet-filtering feature of your DSL/cable router, you can deny the ability to send mail by blocking traffic destined to port 25. Most packet filter tools in routers will allow you to define what client/source IP addresses these rules apply to. So, you can still allow outbound port 25 traffic from your internal mail-server but deny it to all other machines. The virus is too stupid to find an SMTP relay on the local network and just wants to send it directly itself - but you've denied it. Virus sending problem solved. And of course, even if the virus DOES get smart enough to use a local SMTP server to relay its mail through, you run an anti-virus package over all your inbound/outbound mail.... don't you!

Now, back to our friends who run ISA server. Whilst we've been talking about packet filters above, forget that term. Packet filters in ISA are only used for giving access to/for the ISA server itself. Packet filters DO NOT affect the functioning of client machines behind ISA. What you want to use is a Protocol Rule. Create a protocol rule for SMTP (port 25) allowing in/outbound access for your internal mail-server. Now create a rule blocking it for everybody else. In fact, you shouldn't need a rule to block it for everybody else because by default, ISA blocks everything unless you specifically allow it.
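The two-tier layout above can be expressed as a small filter model: the router's stateless source-restricted port 25 rule with default deny (the ISA protocol-rule behaviour), followed by the application-layer check that port 80 traffic actually looks like HTTP. This is an added example, not code from the article or from any router/ISA product; the LAN range, mail-server address and sample packets are constructed.

```python
import ipaddress

# Constructed addresses for this example (not from the article).
LAN = ipaddress.ip_network("192.168.1.0/24")
MAIL_SERVER = ipaddress.ip_network("192.168.1.10/32")

# Stage 1: the router's stateless packet filter. Rules are (source network,
# destination port, action); first match wins, anything unmatched is denied,
# which is the same default-deny posture ISA applies to protocol rules.
ROUTER_RULES = [
    (MAIL_SERVER, 25, "allow"),   # only the internal mail-server may talk SMTP out
    (LAN, 25, "deny"),            # every other LAN host is refused port 25
    (LAN, 80, "allow"),
    (LAN, 443, "allow"),
]

def router_filter(src, dst_port, rules=ROUTER_RULES):
    """Return 'allow' or 'deny' for an outbound connection attempt."""
    src = ipaddress.ip_address(src)
    for net, port, action in rules:
        if src in net and dst_port == port:
            return action
    return "deny"  # default deny for anything not explicitly allowed

# Stage 2: the application-layer check a firewall such as ISA performs on
# port 80: the first line must be a well-formed HTTP request line, otherwise
# it is something else merely riding on port 80.
HTTP_METHODS = {"GET", "POST", "HEAD", "PUT", "DELETE", "OPTIONS"}

def looks_like_http(payload: bytes) -> bool:
    first_line = payload.split(b"\r\n", 1)[0]
    parts = first_line.split(b" ")
    return (len(parts) == 3
            and parts[0].decode("ascii", "replace") in HTTP_METHODS
            and parts[2].startswith(b"HTTP/1."))

def egress_decision(src, dst_port, payload=b""):
    """Combined verdict: router packet filter first, then the HTTP sanity check."""
    verdict = router_filter(src, dst_port)
    if verdict != "allow":
        return verdict
    if dst_port == 80 and not looks_like_http(payload):
        return "deny"
    return "allow"

# Constructed connection attempts: a mail-server delivery, an infected
# workstation mailing directly, and SMTP chatter disguised on port 80.
SAMPLE_ATTEMPTS = [
    ("192.168.1.10", 25, b"EHLO mail.example.invalid\r\n"),
    ("192.168.1.57", 25, b"EHLO infected-pc\r\n"),
    ("192.168.1.57", 80, b"GET / HTTP/1.1\r\nHost: example.invalid\r\n\r\n"),
    ("192.168.1.57", 80, b"EHLO infected-pc\r\n"),
]

def evaluate_all(attempts=SAMPLE_ATTEMPTS):
    return [egress_decision(src, port, data) for src, port, data in attempts]
```

Running `evaluate_all()` yields allow, deny, allow, deny for the four constructed attempts: only the mail-server reaches port 25, and the SMTP chatter on port 80 is caught by the application-layer check even though the router alone would have passed it.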

Regardless of whether you use Microsoft ISA or not, I hope this article was useful to you.

Copyright 2004 2005 After Hours Information Technology