ISA 2004 HTTP Security Filter – Will It Meet Its Potential?

ISA 2004 firewalls include a very powerful HTTP Security Filter. This filter allows you to block virtually any HTTP connection attempt, based on the settings you configure in the filter. The HTTP Security filter allows you to configure the ISA 2004 firewall to perform detailed searches of the HTTP header and body, and block connections that match your criteria. When used properly, this has the potential to be the ISA 2004 firewall’s “killer app”.
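To make concrete what "searching the HTTP header and body and blocking connections that match your criteria" means in practice, here is an added, self-contained model of such a filter in Python. It is illustrative code written for this page, not ISA Server's implementation, and the policy fields, the rule names and the sample requests are all constructed for the example. It shows the three kinds of decision such a filter makes (method/URL-length limits, path-extension blocking, and signature matching against headers and body) and deliberately tests the edge case where a dot appears only in the query string, which a naive "extension anywhere in the URL" check would mis-block.

```python
"""Toy HTTP request filter: header/body signature matching plus extension blocking.

Illustrative model for the discussion above; not ISA Server's code or behaviour.
"""
import re
from dataclasses import dataclass, field
from urllib.parse import urlsplit


@dataclass
class FilterPolicy:
    """Constructed policy shape; the field names are assumptions for this example."""
    blocked_extensions: set = field(default_factory=set)        # e.g. {".exe"}
    max_url_length: int = 2048
    header_signatures: dict = field(default_factory=dict)       # header -> regex
    body_signatures: list = field(default_factory=list)         # regexes on body
    allowed_methods: set = field(default_factory=lambda: {"GET", "POST", "HEAD"})


def parse_request(raw: bytes):
    """Split a raw HTTP/1.x request into method, URL, lower-cased headers, body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, url, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, url, headers, body.decode("latin-1")


def path_extension(url: str) -> str:
    """Extension of the *path* component only, so '/oma?f=x.exe' has none."""
    last_segment = urlsplit(url).path.rsplit("/", 1)[-1]
    if "." not in last_segment:
        return ""
    return "." + last_segment.rsplit(".", 1)[-1].lower()


def inspect(raw: bytes, policy: FilterPolicy) -> tuple:
    """Return (allowed, reason) for one request under the given policy."""
    method, url, headers, body = parse_request(raw)
    if method not in policy.allowed_methods:
        return False, f"method {method} not allowed"
    if len(url) > policy.max_url_length:
        return False, "URL too long"
    ext = path_extension(url)
    if ext in policy.blocked_extensions:
        return False, f"blocked extension {ext}"
    for name, pattern in policy.header_signatures.items():
        if re.search(pattern, headers.get(name.lower(), ""), re.IGNORECASE):
            return False, f"signature in header {name}"
    for pattern in policy.body_signatures:
        if re.search(pattern, body, re.IGNORECASE):
            return False, "signature in body"
    return True, "allowed"


# Constructed policy: block executables, empty User-Agent, and two classic body patterns.
POLICY = FilterPolicy(
    blocked_extensions={".exe", ".dll", ".bat"},
    header_signatures={"User-Agent": r"^$"},
    body_signatures=[r"<script\b", r"'\s*or\s+1\s*=\s*1"],
)

# Constructed sample requests (not captured traffic).
SAMPLE_REQUESTS = {
    "owa_page": b"GET /exchange/inbox.aspx HTTP/1.1\r\nHost: mail.example.test\r\n"
                b"User-Agent: Mozilla/5.0\r\n\r\n",
    "exe_download": b"GET /files/tool.exe HTTP/1.1\r\nHost: www.example.test\r\n"
                    b"User-Agent: Mozilla/5.0\r\n\r\n",
    # Dot only in the query string: the path '/oma' has no extension, so allowed.
    "dotted_query": b"GET /oma?file=report.exe HTTP/1.1\r\nHost: mail.example.test\r\n"
                    b"User-Agent: Mozilla/5.0\r\n\r\n",
    "sqli_body": b"POST /search HTTP/1.1\r\nHost: www.example.test\r\nUser-Agent: curl\r\n"
                 b"Content-Type: application/x-www-form-urlencoded\r\n\r\nq=' or 1=1 --",
    "no_ua": b"GET /exchange/ HTTP/1.1\r\nHost: mail.example.test\r\n\r\n",
}


def check_all(policy: FilterPolicy = POLICY) -> dict:
    """Run every sample request through the filter; returns name -> (allowed, reason)."""
    return {name: inspect(raw, policy) for name, raw in SAMPLE_REQUESTS.items()}


if __name__ == "__main__":
    for name, (allowed, reason) in check_all().items():
        print(f"{name:14s} {'ALLOW' if allowed else 'BLOCK':5s} {reason}")
```

The point of the `dotted_query` case is the one a practitioner should verify against any real product: an extension rule must be evaluated on the path, not on the whole request line, or legitimate URLs with dots in their query strings get blocked for an extension they do not have.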

However, most firewall admins have to do double, triple, quadruple and quintuple duty. They don’t have time to make the ISA 2004 firewall their avocation. They need to handle WinXP/Win9x/Win2000 clients, WinNT4/Win2003/Win2003 servers, SQL Servers, Exchange Servers, SharePoint Servers, Certificate Servers, RRAS Servers, IIS Servers, and lots more. There are only so many hours in a day, and the attraction of a firewall like ISA 2004 is that it appears easy to configure. And, on the whole, they would be right.

However, while the HTTP Security filter has a powerful and easy-to-use interface, the documentation of the feature is abysmal. What do I mean by “abysmal”? Search your dictionary for “tautology” and then read the Help file and any other MS docs on this subject you might find.

Most firewall admins who opt for ISA 2004 firewalls do so because they want to take advantage of the unique protection provided by ISA 2004, especially its one-of-a-kind VPN and Exchange security features. This level of protection could be made even better if MS would actually explain and define the various components of this filter and how it works. Otherwise, the HTTP Security Filter’s power and utility will end up in the dustbin of history like the H.323 Gatekeeper and possibly the VPN-Q feature (I’ll moan about VPN-Q in a future posting).

So the celebrity challenge for MS is to come up with clear (not concise! concise usually means “I don’t have the time or inclination to fully explain the subject and explore its implications”), complete and useful documentation on the HTTP filter. This is how ISA 2004 firewalls can displace Checkpoint and PIX, and prevent users from adopting a Linux-based solution. After all, if I’m going to have to spend hours, days or weeks figuring out how to configure a key piece of a firewall, I don’t have to pay for it, I’ll just use Linux! 🙂

So, MS docs team — belly up to the bar and give the ISA 2004 firewall community what it needs, not what you think they need.

Thanks!
Tom

62 thoughts on “ISA 2004 HTTP Security Filter – Will It Meet Its Potential?”

  1. I absolutely agree.

    HTTP filters could be a killer use for ISA2k4. Think along the lines of true application firewalls which protect against SQL injection and XSS attacks and not just web server misconfiguration. These app firewalls definitely fit a gap in the market, but they are enormously expensive in comparison to ISA. $20K vs. $1k is a no-brainer! In addition other f/w vendors such as Checkpoint offer "app layer" stuff these days, but the perimeter isn’t always the right place for app layer protection – you need that stuff inside and as a reverse proxy.

    Given ISA’s sales positioning as an app layer f/w and all the hype around web server misconfig vulnerabilities and app liabilities this is too good an opportunity to waste – I know for a fact there are many orgs who would deploy ISA if it did true app layer protection – behind ‘traditional’ perimeter devices.

    Microsoft must either develop some decent sample filters or engage a partner to develop them – it’s just not that difficult to write a SQL injection definition in C++, but the sysadmin ain’t gonna do it.

    At the very least they need to get the documentation up to scratch – not just leave us with a dead basic SMTP sample!

  2. HELLO ALL IN THERE,..

    FIRST OF ALL I TELL U ABOUT ME SOMETHING,..

    I’SHANI FROM PAKISTAN,..I HAVE A NET CAFE,..& I USE WINDOWS 2000 SERVER WITH ISA SERVER 2000,…

    MY SERVICES R FINE BUT ITS NOT MUCH TO ME I KNOW ISA SERVER PROVIDE THE BEST SERVICE AFTER ALL MY SERVICES COZ I SE MY NEIGHBOUR SERVICE THAT HAVE TOO ISA SERVER 2000

    BUT HIS SERVICE IS BETTER THAN MINE COZ HE KNOWS HOW TO CONFIGURE HIS ISA SERVER FOR BEST SERVICE BUT I DONT,..I LEARN NOT SO MUCH ABOUT IT SO I WANA KNOW HOW I CAN CONFIGURE MY ISA SERVER 2000 FOR BEST,..IS ANYBODY THERE THAT CAN HELP ME,..

    THANKS

    SHAANI

  3. ISA 2004 proxy breaks connection from remote clients (they connect to ISA via external NIC). Is it by design to prohibit external connections? How to avoid this?

  4. Now two years have passed since you wrote this. And still no better documentation available. It really sucks. There are two articles by MS that give you a set of parameters supposedly working for OWA, OMA and ActiveSync. Go ahead and try, it will definitely break all three.

    http://www.microsoft.com/technet/prodtechnol/isa/2004/plan/owa-walkthrough.mspx
    http://www.microsoft.com/technet/prodtechnol/isa/2004/plan/httpfiltering.mspx

    And the worst thing is, you won’t be able to fix it, as you will not be able to figure out what the b***y filter really does. Try playing around with the extension blocker and you will see what I mean. Set the filter for OMA as prescribed by MS and you will end up with URLs getting blocked for extensions not specified though they don’t even contain a single f***g extension at all.

    Man, am I pissed off by this product!

    Henrik


