MSMVPS.COM
The Ultimate Destination for Blogs by Current and Former Microsoft Most Valuable Professionals.
Dr. Tom's ISA Server 2004 Firewall Blog » ISA 2004 HTTP Security Filter - Will It Meet Its Potential?

ISA 2004 HTTP Security Filter - Will It Meet Its Potential?

ISA 2004 firewalls include a very powerful HTTP Security Filter. This filter allows you to block virtually any HTTP connection attempt, based on the settings you configure in the filter. The HTTP Security filter allows you to configure the ISA 2004 firewall to perform detailed searches of the HTTP header and body, and block connections that match your criteria. When used properly, this has the potential to be the ISA 2004 firewall's “killer app”.

However, most firewall admins have to do double, triple, quadruple and quintiple duties. They don't have time to make the ISA 2004 firewall their avocation. They need to handle WinXP/Win9x/Win2000 clients, WinNT4/Win2003/Win2003 servers, SQL Servers, Exchange Servers, SharePoint Servers, Certificate Servers, RRAS Servers, IIS Servers, and lots more. There are only so many hours in a day, and the attraction to a firewall like ISA 2004 is that it appears easy to configure. And, on the whole, they would be right.

However, while the HTTP Security filter has a powerful and easy to use interface, the documentation of the feature is abysmal. What do I mean by “abysmal“? Search your dictionary for “tautology“ and then read the Help file and any other MS docs on this subject you might find.

Most firewall admins who opt for ISA 2004 firewalls do so because they want to take advantage of the unique protection provided by ISA 2004, especially for the ISA 2004 firewall's one of a kind VPN and Exchange security features. This level of protection can be made even better if MS would actually explain and define the various components of this filter and how it works. Otherwise, the HTTP Security Fitler's power and utility will end up in the dustbin of history like the H.323 Gatekeeper and possibly the VPN-Q feature (I'll moan about VPN-Q in a future posting).

So the celebrity challange for MS is to come up with clear (not concise! concise usually means “I don't have the time or inclination to fully explain the subject and explore implications), complete and useful documentation on the HTTP filter. This is how ISA 2004 firewalls can displace Checkpoint and PIX, and prevent users from adopting a Linux based solutution. After all, if I'm going to have to spend hours, days or weeks figuring out how to configure a key piece of a firewall, I don't have to pay for it, I'll just use Linux! :-)

So, MS docs team -- belly up to the bar and give the ISA 2004 firewall community what it needs, not what you think they need.

Thanks!
Tom

Posted Apr 29 2004, 02:51 AM by shinder
Filed under:

Comments

shinder wrote re: ISA 2004 HTTP Security Filter - Will It Meet Its Potential?
on 05-03-2004 18:51
Tom

Couldnt agree more!!!!

Greg
shinder wrote re: ISA 2004 HTTP Security Filter - Will It Meet Its Potential?
on 05-11-2004 10:56
I absolutely agree.

HTTP filters could be a killer use for ISA2k4. Think along the lines of true application firewalls which protect against sql injection and XSS attacks and not just web server misconfiguration. These app firewalls definately fit a gap in the market, but they are enormously expensive in comparision to ISA. $20K $1k is a no brainer! In addition other f/w vendors such as checkpoint offer "app layer" stuff these days, but the perimeter isn't always the right place for app layer protection - you need that stuff inside and as a reverse proxy.

Given ISAs sales positioning as a app layer f/w and all the hype around web server misconfig vulnerabilities and app liabilities this is too good an opportunity to waste - I know for a fact there are many orgs who would deploy ISA if it did true app layer protection - behind 'traditional' permiter devices.

Microsoft must either develop some decent sample filters or engage a partner to develop them - its just not that difficult to write a sql injection definition in C++, but the sysadmin aint gonna do it.

At the very least they need to get the documentation up to scratch - not just leave us with a dead basic SMTP sample!
shinder wrote re: ISA 2004 HTTP Security Filter - Will It Meet Its Potential?
on 08-22-2004 16:20
HELLO ALL IN THERE,..
FIRST OF ALL I TELL U ABOUT ME SOMETHING,..
I'SHANI FROM PAKISTAN,..I HAVE A NET CAFE,..& I USE WINDOWS 2000 SERVER WITH ISA SERVER 2000,...
MY SERVICES R FINE BUT ITS NOT MUCH TO ME I KNOW ISA SERVER PROVIDE THE BEST SERVICE AFTER ALL MY SERVICES COZ I SE MY NEIGHBOUR SERVICE THAT HAVE TOO ISA SERVER 2000
BUT HIS SERVICE IS BETER THEN ME COZ HE KNOW TO CONFIGURE HIS ISA SERVER FOR BEST SERVICE BUT I DONT,..I LEARN NOT SO MUCH ABOUT IT SO I WANA KNOW THAT HOW I CAN CONFIGURE MY ISA SERVER 2000 FOR BEST,..IS ANY BUDY THERE THAT CAN HELP ME,..
THANKS
SHAANI
shinder wrote re: ISA 2004 HTTP Security Filter - Will It Meet Its Potential?
on 11-12-2004 10:30
ISA 2004 proxy breaks connection from remote clients (they connect to ISA via external NIC). Is it by design to prohibit external connections? How to avoid this?
shinder wrote re: ISA 2004 HTTP Security Filter - Will It Meet Its Potential?
on 11-19-2004 4:21
is there any books arround on how to configure the web filtering ?
TrackBack wrote re:ISA 2004 HTTP Security Filter - Will It Meet Its Potential?
on 04-12-2005 23:32
^_^,Pretty Good!
TrackBack wrote re:ISA 2004 HTTP Security Filter - Will It Meet Its Potential?
on 05-19-2005 19:41
^_~,pretty good!csharpsseeoo
TrackBack wrote re:ISA 2004 HTTP Security Filter - Will It Meet Its Potential?
on 07-22-2005 10:13
ISA 2004 HTTP Security Filter - Will It Meet Its Potential?ooeess

Add a Comment

(required)  
(optional)
(required)  
Remember Me?


Copyright © is the original authors. Blog site is an independent site not sponsored by Microsoft. The Yoda blog server and the Brianna SQL server would like to thank www.ownwebnow.com and www.exchangedefender.com. They wouldn't be here and broadcasting without the generosity of Vlad Mazek and his companies.

Powered by Community Server (Commercial Edition), by Telligent Systems