IP Packet Filter Overview

Access rules and packet filtering should be configured on firewalls to control both source and destination addresses and ports. With packet filtering, you can manage the flow of IP packets to ISA Server and from ISA Server. Packet filtering inspects the header of each packet for protocol, port, and destination address and source address information. Packets are dropped if they are not explicitly allowed.

IP packet filters can be configured when ISA Server is installed in either of these modes:

  • Firewall mode

  • Integrated mode

Packet filters are typically used if you want to publish services that reside on the ISA server, or if you want to publish servers that reside on the perimeter network.

  • If you want to restrict remote access connections to only certain protocols, configure IP packet filters to only allow these protocols.

  • If you want to restrict remote access connections to only a specific computer(s), configure IP packet filters that restrict access to only these specific IP addresses.

Packet filters uses the information in packets to either allow or deny the packet:Configuring the ISA Firewall

  • Protocol

  • Port

  • Protocol and port

  • Direction:

    • Inbound

    • Outbound

    • Inbound and outbound.

  • Remote computer that packet arrived from.

  • Remote computer the packet is intended for.

Packet filters must be used in the following situations:

  • When you want to publish servers residing in the perimeter network (demilitarized zone).

  • When there are services, such as Web servers and mail servers running on the ISA Server computer that access the Internet.

  • When there are applications running on the ISA Server computer that need to access the Internet.

  • When you are using protocols that are not TCP or UDP.

ISA Server includes a built-in intrusion-detection mechanism that can protect the network from several common attacks. The built-in intrusion-detection mechanism can be configured to send an alert when an intrusion is detected.

ISA Server implements intrusion-detection at the following levels:

  • Packet filter level

  • Application filter level

ISA Server can detect attacks at the packet filter level:

  • All Ports Scan Attack; an attacker is attempting to access more than the configured number of ports. Port scanning or simply scanning, is the process whereby which intruders collect information on the network services on a target network. Here, the intruder attempts to find open ports on the target system.

  • Enumerated Port Scan Attack; the unauthorized intruder uses a number of methods to collect information on applications and hosts on the network, and to count the services running on a computer. The intruder probes the ports for a response.

  • IP Half Scan Attack; the attacker makes numerous connection attempts to a computer, but does not actually log on. The purpose of the attack is to probe for open ports.

  • Land Attack; TCP SYN packets are sent with a spoofed source IP address and port number that match the destination IP address and port number.

  • Ping of Death Attack; a large amount of information is appended to a internet Control Message Protocol (ICMP) echo request (ping) packet in an attempt to cause a kernel buffer overflow and crash the computer.

  • UDP Bomb Attack; UDP packets that contain illegal values in certain fields are sent in an attempt to cause older operating systems to crash.

  • Windows Out of Band Attack; a denial-of-service attack against an internal computer protected by ISA Server.

Understanding the Default Packet Filters

The default ISA Server configuration created during ISA Server setup drops all packets at the external interface, except when it is specifically configured not to.

The default packet filters that are created to implement this rule are listed here:

  • ICMP outbound; allows the ISA Server computer to send ICMP messages.

  • ICMP ping response (in); allows the ISA Server computer to receive ping responses (inbound).

  • ICMP source quench; allows the ISA Server computer to receive messages to decrease the packet sending rate.

  • ICMP timeout (in); allows the ISA Server computer to receive messages, such as ping requests, on timeouts.

  • ICMP unreachable; allows the ISA Server computer to receive messages on any unreachable addresses.

  • DNS filter; allows requests for DNS lookups.

  • DHCP Client; enables the external interface to run as a DHCP client. The rule is however disabled by default.

Understanding the Predefined Filter Types

When you create the IP packet filter, there are a number of predefined filter types that you can select:

  • DNS lookup; allow or deny DNS lookups

    • Send and Receive

    • Port 53

  • ICMP query; allow or deny ICMP ping queries

    • Inbound

  • PPTP call; allow or deny PPTP call. If you are configuring ISA Server VPNs, you need PPTP call and PPTP receive.

    • Inbound and outbound

    • Port 47

  • PPTP receive; allow or deny PPTP receive. If you are configuring ISA Server VPNs, you need PPTP call and PPTP receive.

    • Inbound and outbound

    • Port 47

  • SMTP; allow or deny access to the internal SMTP server.

    • Inbound

    • Port 25

  • POP3; allow or deny access to the internal POP3 server.

    • Inbound

    • Port 110

  • Identd; allow or deny access to the Identd server.

    • Inbound

    • Port 113

  • HTTP server (port 80); allow or deny access to Web servers.

    • Inbound

    • Port 80

  • HTTPS server (port 443); allow or deny access to Web servers to establish SSL connections.

    • Inbound

    • Port 443

  • NetBIOS (WINS client only); allow or deny NetBIOS clients to access NetBIOS ports.

    • Inbound and Outbound

  • NetBIOS (all); allow or deny access to NetBIOS ports.

    • Inbound and Outbound

Configuring IP Packet Filter Property Settings

You can access the IP packet filter property settings by:

  1. Open the ISA Management console.

  2. Expand the Access Policy node and then select IP Packet Filters.

  3. Existing IP packet filters are displayed in the details pane.

  4. Right-click IP Packet Filters and select Properties from the shortcut menu.

On the General tab, you can configure the following settings:

  • Enable Packet Filtering: Use this setting to enable/disable packet filters. The setting is enabled by default.

  • Enable Intrusion Detection: Use this setting to enable/disable the preconfigured intrusion detection settings. The setting is disabled by default.

  • Enable IP Routing: Use this setting to enable/disable IP routing. The setting is disabled by default. You have to enable IP packet filtering before you can enable IP routing.

On the Packet Filters tab, you can configure the following settings:

  • Enable Filtering of IP Fragments: Use this setting to enable/disable the filtering of IP fragments. The setting is disabled by default, and should nt be enabled when allowing video streaming through the ISA Server. When enabled, IP fragments are dropped.

  • Enable Filtering IP Options: When enabled, packets that contain the phrase, IP Options, are dropped. The setting is disabled by default.

  • Log Packets From "Allow": When enabled, all packets passing through the ISA server can be logged. The setting is disabled by default.

On the Intrusion Detection tab, you can configure Intrusion Detection configuration settings. These settings are disabled by default.

On the PPTP tab, you can enable/disable the PPTP Through ISA Firewall setting to allow PPTP packets to pass through the ISA server.

How to create an IP packet filter

  1. Open the ISA Management console.

  2. Expand the Access Policy node and then expand IP Packet Filters.

  3. Right-click IP Packet Filters and select New and then Filter from the shortcut menu.

  4. The New IP Packet Filter Wizard launches.

  5. Provide a name for the packet filter in the IP Packet Filter Name textbox and click Next.

  6. On the Servers page, specify whether the packet filter should be applied to.

    • Single server within the ISA array.

    • Entire ISA array

Click Next

  1. On the Filter Mode page, choose whether packets are allowed or blocked:

    • Allow Packet Transmission

    • Block Packet Transmission

    Click Next.

  1. On the Filter Type page, select the predefined filter option or a custom filter option. Click Next.

  2. If you have selected the predefined filter option, choose the filter from the available drop-down list box.

  3. If you have selected the custom filter option, use the Filter Settings page to specify the following settings:

    • IP Protocol; select the protocol ID:

      • Custom

      • Any

      • ICMP

      • TCP

      • UDP

    • Number; enter the protocol number.

    • Direction; select the direction:

      • Inbound

      • Outbound

      • Both

    • Local Port; select between the following options:

      • All ports

      • Fixed port

      • Dynamic (1025-5000)

    • Port Number; if you have selected the Fixed port option, enter the port number.

    • Remote Port; select between the following options:

      • All ports

      • Fixed port

      • Dynamic (1025-5000)

Click Next.

  1. On the Local Computer page, specify the IP address that the packet filter is applied to. The options are:

    • Default IP addresses for each external interface on the ISA Server computer.

    • This ISA server's external IP address – provide the IP address of the ISA server in the ISA Server array.

    • This computer (on the perimeter network) – enter the IP of the computer.

  2. Click Next.

  3. On the Remote Computers page, specify the IP address that the packet filter is applied to and then click Next.

  4. Click Finish.

How to configure a protocol for an IP packet filter

  1. Open the ISA Management console.

  2. Click the View menu and click the Advanced view option.

  3. Expand the Access Policy node and then select IP Packet Filters.

  4. Existing IP packet filters are displayed in the details pane.

  5. Right-click that IP packet filter that you ant to configure and select Properties from the shortcut menu.

  6. Click the Filter Type tab.

  7. If you want to use a predefined filter type, select the filter.

  8. You can alternatively select Custom and then choose a protocol from the IP Protocol drop-down list box.

  9. If you have selected the Custom option and the ICMP protocol,

    • Select the direction from the Direction drop-down list box.

    • Select the type from the Type drop-down list box.

    • Select the code from the Code drop-down list box.

  1. If you have selected the Custom setting and the Any IP protocol option,

    • Select the direction from the Direction drop-down list box.

  1. If you selected the Custom setting and the TCP protocol option,

    • Select the direction from the Direction drop-down list box.

    • Select the appropriate setting from the Local Port box.

    • Select the appropriate setting from the Remote Port box.

  1. If you selected the Custom setting and the UDP protocol option,

    • Select the direction from the Direction drop-down list box.

    • Select the appropriate setting from the Local Port box.

    • Select the appropriate setting from the Remote Port box.

  1. Click OK.

How to apply an IP packet filter to an ISA server

  1. Open the ISA Management console.

  2. Click the View menu and click the Advanced view option.

  3. Expand the Access Policy node and then select IP Packet Filters.

  4. Existing IP packet filters are displayed in the details pane.

  5. Right-click that IP packet filter that you want to apply to the ISA server and select Properties from the shortcut menu.

  6. On the General tab select one of the following options:

    • All Servers In The Array

    • Only This Server

  1. Click OK.

How to configure an IP packet filter for the local ISA Server computer

  1. Open the ISA Management console.

  2. Click the View menu and click the Advanced view option.

  3. Expand the Access Policy node and then select IP Packet Filters.

  4. Existing IP packet filters are displayed in the details pane.

  5. Right-click the IP packet filter that you want to configure and select Properties from the shortcut menu.

  6. Click the Local Computer tab.

  7. If you want to apply the IP packet filter to the default IP address of the external interfaces of the local ISA Server computer, then select the Default IP Address(es) On The External Interface(s) option.

  8. If you want to apply the IP packet filter to a specific IP address of the local ISA Server computer, then select the This ISA Server's External IP Address option. Enter the IP address that the IP packet filter should be applied to.

  9. If you want to apply the IP packet filter to a specific computer on the perimeter network, select the This Computer (On The Perimeter Network) option. Enter the IP address that the IP packet filter should be applied to.

  10. If you want to apply the IP packet filter to a range of IP addresses on the perimeter network, select the These Computers (On The Perimeter Network) option. Enter the appropriate information in the Subnet box and Mask box.

  11. Click OK.

How to configure an IP packet filter for a remote computer

  1. Open the ISA Management console.

  2. Click the View menu and click the Advanced view option.

  3. Expand the Access Policy node and then select IP Packet Flters.

  4. Existing IP packet filters are displayed in the details pane.

  5. Right-click that IP packet filter that you want to configure and select Properties from the shortcut menu.

  6. Click the Remote Computer tab.

  7. If you want to apply the IP packet filter to all remote computers, select the All Remote Computers option.

  8. If you want to apply the IP packet filter to a specific remote computer, select the This Remote Computer option. Enter the IP address of the specific remote computer that the IP packet filter should be applied to.

  9. If you want to apply the IP packet filter to a range of remote computers, select the This Range Of Computers option. Enter the appropriate information in the Subnet box and Mask box.

  10. Click Next.

How to enable IP fragment filtering

  1. Open the ISA Management console.

  2. Click the View menu and click the Advanced view option.

  3. Expand the Access Policy node and then select IP Packet Filters.

  4. Right-click IP Packet Filters and select Properties from the shortcut menu.

  5. Select the Enable Packet Filtering checkbox on the General tab.

  6. Click the Packet Filters tab.

  7. Select the Enable Filtering of IP Fragments checkbox.

  8. Click OK.

How to enable IP options filtering

  1. Open the ISA Management console.

  2. Click the View menu and click the Advanced view option.

  3. Expand the Access Policy node and then select IP Packet Filters.

  4. Right-click IP Packet Filters and select Properties from the shortcut menu.

  5. Select the Enable Packet Filtering checkbox on the General tab.

  6. Click the Packet Filters tab.

  7. Select the Enable Filtering IP Options checkbox.

  8. Click OK.

How to configure logging of allowed packets

  1. Open the ISA Management console.

  2. Click the View menu and click the Advanced view option.

  3. Expand the Access Policy node and then select IP Packet Filters.

  4. Right-click IP Packet Filters and select Properties from the shortcut menu.

  5. Click the Packet Filters tab.

  6. Select the Log Packets From 'Allow' Filters checkbox.

  7. Click OK.

How to create an IP packet filter to allow SMTP mail

  1. Open the ISA Management console.

  2. Expand the Access Policy node and then expand IP Packet Filters.

  3. Right-click IP Packet Filters and select New and then Filter from the shortcut menu.

  4. The New IP Packet Filter Wizard launches.

  5. Provide a name for the SMTP packet filter in the IP Packet Filter Name textbox and then click Next.

  6. On the Servers page, specify All ISA Server Computers In The Array option and then click Next.

  7. On the Filter Mode page, select the Allow Packet Transmission option. Click Next.

  8. On the Filter Type page, select the Custom option. Click Next.

  9. On the Filter Settings page, select TCP from the IP Protocol drop-down list box.

  10. Select Dynamic from the Local Port drop-down list box.

  11. Select Fixed Port from the Remote Port drop-down list box.

  12. Enter the appropriate port number, 25, in the Port Number box. Click Next.

  13. On the Local Computer page, select the Default IP addresses for each external interface on the ISA Server computer option. Click Next.

  14. On the Remote Computers page, select the All Remote Computers option and click Next.

  15. On the Completing the New IP Packet Filter Wizard page, click Finish.

How to create an IP packet filter to allow POP3 mail

  1. Open the ISA Management console.

  2. Expand the Access Policy node and then expand IP Packet Filters.

  3. Right-click IP Packet Filters and select New and then Filter from the shortcut menu.

  4. The New IP Packet Filter Wizard launches.

  5. Provide a name for the POP3 packet filter in the IP Packet Filter Name textbox and then click Next.

  6. On the Servers page, specify All ISA Server Computers In The Array option and then click Next.

  7. On the Filter Mode page, select the Allow Packet Transmission option. Click Next.

  8. On the Filter Type page, select the Custom option. Click Next.

  9. On the Filter Settings page, select TCP from the IP Protocol drop-down list box.

  10. Select Dynamic from the Local Port drop-down list box.

  11. Select Fixed Port from the Remote Port drop-down list box.

  12. Enter the appropriate port number, 110, in the Port Number box. Click Next.

  13. On the Local Computer page, select the Default IP addresses for each external interface on the ISA Server computer option. Click Next.

  14. On the Remote Computers page, select the All Remote Computers option and click Next.

  15. On the Completing the New IP Packet Filter Wizard page, click Finish.

How to create an IP packet filter to allow DNS queries

  1. Open the ISA Management console.

  2. Expand the Access Policy node and then expand IP Packet Filters.

  3. Right-click IP Packet Filters and select New and then Filter from the shortcut menu.

  4. The New IP Packet Filter Wizard launches.

  5. Provide a name for the DNS queries packet filter in the IP Packet Filter Name textbox and then click Next.

  6. On the Servers page, specify All ISA Server Computers In The Array option and then click Next.

  7. On the Filter Mode page, select the Allow Packet Transmission option. Click Next.

  8. On the Filter Type page, select the Custom option. Click Next.

  9. On the Filter Settings page, select UDP from the IP Protocol drop-down list box.

  10. Select Dynamic from the Local Port drop-down list box.

  11. Select Fixed Port from the Remote Port drop-down list box.

  12. Enter the appropriate port number, 53, in the Port Number box. Click Next.

  13. On the Local Computer page, select the Default IP addresses for each external interface on the ISA Server computer option. Click Next.

  14. On the Remote Computers page, select the All Remote Computers option and click Next.

  15. On the Completing the New IP Packet Filter Wizard page, click Finish.

How to create an IP packet filter to allow Web content

  1. Open the ISA Management console.

  2. Expand the Access Policy node and then expand IP Packet Filters.

  3. Right-click IP Packet Filters and select New and then Filter from the shortcut menu.

  4. The New IP Packet Filter Wizard launches.

  5. Provide a name for the packet filter in the IP Packet Filter Name textbox and then click Next.

  6. On the Servers page, specify All ISA Server Computers In The Array option and then click Next.

  7. On the Filter Mode page, select the Allow Packet Transmission option. Click Next.

  8. On the Filter Type page, select the Custom option. Click Next.

  9. On the Filter Settings page, select TCP from the IP Protocol drop-down list box.

  10. Select Dynamic from the Local Port drop-down list box.

  11. Select Fixed Port from the Remote Port drop-down list box.

  12. Enter the appropriate port number, 80, in the Port Number box. Click Next.

  13. On the Local Computer page, select the Default IP addresses for each external interface on the ISA Server computer option. Click Next.

  14. On the Remote Computers page, select the All Remote Computers option and click Next.

  15. On the Completing the New IP Packet Filter Wizard page, click Finish.

How to create an IP packet filter to allow the NNTP service

  1. Open the ISA Management console.

  2. Expand the Access Policy node and then expand IP Packet Filters.

  3. Right-click IP Packet Filters and select New and then Filter from the shortcut menu.

  4. The New IP Packet Filter Wizard launches.

  5. Provide a name for the packet filter in the IP Packet Filter Name textbox and click Next.

  6. On the Servers page, specify All ISA Server Computers In The Array option and then click Next.

  7. On the Filter Mode page, select the Allow Packet Transmission option. Click Next.

  8. On the Filter Type page, select the Custom option. Click Next.

  9. On the Filter Settings page, select TCP from the IP Protocol drop-down list box.

  10. Select Dynamic from the Local Port drop-down list box.

  11. Select Fixed Port from the Remote Port drop-down list box.

  12. Enter the appropriate port number, 119, in the Port Number box. Click Next.

  13. On the Local Computer page, select the Default IP addresses for each external interface on the ISA Server computer option. Click Next.

  14. On the Remote Computers page, select the All Remote Computers option and click Next.

  15. On the Completing the New IP Packet Filter Wizard page, click Finish.

How to enable intrusion detection

  1. Open the ISA Management console.

  2. Expand the Access Policy node and then expand IP Packet Filters.

  3. Right-click IP Packet Filters and select Properties from the shortcut menu.

  4. Select the Enable Packet Filtering checkbox.

  5. Select the Enable Intrusion Detection checkbox.

  6. Click the Intrusion Detection tab.

  7. Select the Windows Out-Of-Band (WinNuke) checkbox.

  8. Select the Land checkbox.

  9. Select the Ping Of Death checkbox.

  10. Select the IP Half Scan checkbox.

  11. Select the UDP Bomb checkbox.

  12. Select the Port Scan checkbox.

  13. In the Well-Known Ports textbox, specify the maximum number of well-known ports that should be scanned prior to an event being generated.

  14. In the Ports textbox, specify the number of ports that should be scanned prior to an event being generated.

  15. Click OK.

How to configure incoming and outgoing Web request authentication

  1. Open the ISA Management console.

  2. Right-click the ISA server and select Properties from the shortcut menu.

  3. Click the Incoming Web Requests tab or click the Outgoing Web Requests tab.

  4. Select the Ask Unauthenticated Users for Identification checkbox.

  5. Select the Configure Listeners Individually per IP address option.

  6. Click Add.

  7. The Add/Edit Listeners dialog box opens.

  8. Select the ISA server from the Server drop-down list box.

  9. Select the IP address from the IP address drop-down list box.

  10. Select the authentication method.

  11. Click OK in the Add/Edit Listeners dialog box.

  12. Click OK.

How to configure system hardening using the Security Configuration Wizard

  1. Open the ISA Management console.

  2. Right-click the ISA server and select Secure from the shortcut menu.

  3. Click Next.

  4. Select the system security level:

    • Dedicated

    • Limited Services

    • Secure

Click Next.

  1. Click Finish

  2. Restart the computer.

The configuration changes made by the Limited Services settings are listed here:

  • Password history: Information on 24 passwords is retained.

  • Minimum password age: Changed to 2 days.

  • Minimum password length: Changed to 8 characters.

  • Account lockout threshold: Changed to 5 invalid logon attempts.

  • Password complexity settings are enabled.

  • Auditing is configured as follows:

    • Audit account logon events: Success, Failure.

    • Audit policy changes: Success, Failure.

    • Audit logon events: Failure

    • Audit privilege use: Failure

  • The maximum security log size is changed to 5,120 bytes.

  • Events are changed to be overridden as necessary.

  • Guest access to logs is changed to enabled.

  • Restrictions for anonymous connections

    • Do Not Allow Enumeration of Sam Accounts and Shares

  • The LAN Manager Authentication Level setting is changed to NTLM Only.

  • Digitally sign server communication is changed to enabled.