16 Rules for Deploying Access Rules
Note from isablog: Our blog is now accepting postings from Microsoft MVPs. We’ve discussed firewall policy in this space before, but there’s nothing like the voice of an ISA Server enthusiast and MVP from China who deals with firewall policy every day. Read these tips, and then see Best Practices Firewall Policy for ISA Server 2004.
For the Chinese version, please visit: http://www.isacn.org/info/info.php?sessid=&infoid=194.
1. A Computer does not have a brain. You should check your ISA Server configuration when its behavior doesn’t match your expectations.
2. Allow access selectively. Only allow access for users, sources, destinations, and protocols that you need, and check each rule carefully. Only use deny rules when you can’t control access with allow rules.
3. A deny rule must come before an allow rule when both apply to the same policy elements such as users or source IPs.
4. When you must use a deny rule, an explicit deny rule, such as a deny rule for a specific user or source IP, should be considered first.
5. Place rules that will have high match rates near the top of the rule base if you can do so without changing the effect of your firewall policy. These are rules that are very likely to be matched, such as rules that apply to “All users” or “All authenticated users”. This enables ISA Server to evaluate rules more efficiently.
6. Keep your firewall policy as simple as possible.
7. Never use an allow all to all rule in a production environment. ISA Server cannot control access if you do.
8. Don’t create a rule that duplicates a system policy rule.
9. Remember that every rule is evaluated independently. Though rules are evaluated in order, each one is evaluated on its own when the firewall is going through the rules.
10. Never allow access for all to Local host. The Internal network should be considered untrusted in this regard, too.
11. SecureNAT clients can’t be authenticated, so use Web proxy clients and Firewall clients when you require user authentication.
12. When possible, use IP-address-based rule elements over user-name-based elements, because they are evaluated more quickly.
13. Configure clients as Web proxy clients when you use domain name sets or URL sets in your rules. Otherwise, the access rule may be ignored when reverse domain name resolution fails, and the lookup itself may cause a slow response.
14. Only use application filtering (such as the HTTP filter) when you really need it. Use of the filters may affect performance.
15. Remember that there is a deny all rule at the base of the firewall policy.
16. Finally, always test your policy in a laboratory environment before using it in production.
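Rules 3, 5, 9, 12 and 15 all follow from one mechanic: ISA Server walks the rule base top to bottom, the first rule whose users, sources, destinations and protocols all match decides the request, and an implicit deny-all sits at the bottom. The following is an added example, not code from the post or from ISA Server, that models that first-match walk over a small constructed policy (the user names, the 10.0.0.0/8 Internal range, the 10.0.5.25 mail relay and the destination names are all made up). `evaluate` reports which rule fired and how many rules had to be examined (rule 5), and `shadowed_rules` flags a rule that an earlier, broader rule fully covers, which is exactly what happens when a deny is placed after an allow for the same elements (rule 3).

```python
"""First-match access-rule evaluator and shadowing check (illustrative model,
not ISA Server's own engine; all names and addresses below are constructed)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Tuple

ALL = "*"               # "All users" / any destination / any protocol
AUTH = "authenticated"  # "All authenticated users"
ANON = "anonymous"      # a SecureNAT client: no user identity is available (rule 11)


@dataclass(frozen=True)
class Request:
    user: str       # ANON for SecureNAT clients
    src: str        # source IP address
    dst: str        # destination name
    protocol: str   # e.g. "HTTP"


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                                   # "allow" or "deny"
    users: frozenset = frozenset({ALL})
    sources: tuple = ("0.0.0.0/0",)               # CIDR strings
    destinations: frozenset = frozenset({ALL})
    protocols: frozenset = frozenset({ALL})

    def matches(self, req: Request) -> bool:
        """Every element must match; a rule is judged on its own (rule 9)."""
        user_ok = (ALL in self.users
                   or (AUTH in self.users and req.user != ANON)
                   or req.user in self.users)
        src_ok = any(ip_address(req.src) in ip_network(n) for n in self.sources)
        dst_ok = ALL in self.destinations or req.dst in self.destinations
        proto_ok = ALL in self.protocols or req.protocol in self.protocols
        return user_ok and src_ok and dst_ok and proto_ok

    def covers(self, other: "Rule") -> bool:
        """True if every request matched by `other` is also matched by self,
        so `other` can never fire when it is placed after self."""
        users_ok = (ALL in self.users
                    or (AUTH in self.users and not (other.users & {ALL, ANON}))
                    or other.users <= self.users)
        srcs_ok = all(any(ip_network(o).subnet_of(ip_network(s)) for s in self.sources)
                      for o in other.sources)
        dsts_ok = ALL in self.destinations or other.destinations <= self.destinations
        protos_ok = ALL in self.protocols or other.protocols <= self.protocols
        return users_ok and srcs_ok and dsts_ok and protos_ok


IMPLICIT_DENY = Rule("Default rule (deny all)", "deny")   # rule 15: the base of every policy


def evaluate(policy: List[Rule], req: Request) -> Tuple[str, str, int]:
    """First match wins: return (action, rule name, number of rules examined)."""
    for position, rule in enumerate(policy + [IMPLICIT_DENY], start=1):
        if rule.matches(req):
            return rule.action, rule.name, position
    raise RuntimeError("unreachable: the default rule matches every request")


def shadowed_rules(policy: List[Rule]) -> List[str]:
    """Names of rules that some earlier rule fully covers (they never fire)."""
    return [later.name for i, later in enumerate(policy)
            if any(earlier.covers(later) for earlier in policy[:i])]


INTERNAL = ("10.0.0.0/8",)          # constructed Internal network range
WEB = frozenset({"HTTP", "HTTPS"})


def sample_policy(deny_first: bool) -> List[Rule]:
    """Constructed three-rule policy; deny_first=False violates rule 3."""
    deny_guest = Rule("Deny guest web access", "deny", users=frozenset({"guest"}),
                      sources=INTERNAL, protocols=WEB)
    allow_web = Rule("Allow web for all users", "allow", sources=INTERNAL, protocols=WEB)
    allow_smtp = Rule("Allow SMTP from mail relay", "allow",
                      sources=("10.0.5.25/32",), protocols=frozenset({"SMTP"}))
    ordered = [deny_guest, allow_web] if deny_first else [allow_web, deny_guest]
    return ordered + [allow_smtp]


if __name__ == "__main__":
    guest = Request("guest", "10.0.1.10", "www.example.com", "HTTP")
    for deny_first in (True, False):
        policy = sample_policy(deny_first)
        print(evaluate(policy, guest), "shadowed:", shadowed_rules(policy))
```

With the deny placed first, the guest request is denied by rule 1; with the allow placed first, the same request is allowed by rule 1 and `shadowed_rules` reports the deny as unreachable. The SMTP request from the relay has to pass two non-matching rules before it is allowed, which is the cost rule 5 talks about, and everything else falls through to the implicit deny.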
Thanks to my ISA Server mentors for all their help: Thomas Shinder and Ronald Beekelaar.
Meibo Zhang
ISA Server MVP
Comments
Anonymous
January 01, 2003
a guide on the subject (in three parts). The guide covers most aspects
Anonymous
April 11, 2007
Great rules! Here’s another one that I’ve found useful. It’s important to carefully consider and select the relationship between network entities before you create a rule. NAT and route relationships have a direct impact on the creation of access and publishing rules.
Anonymous
April 11, 2007
In fact, when ISA seems not to do what we would like, these are the steps to go through:
- check your NICs configuration
- check static routes, if present
- check Network Configuration
- check Network Rules
Only after these steps can you start working in Firewall Policy.
Anonymous
May 08, 2007
The comment has been removed
Anonymous
June 28, 2007
The comment has been removed
Anonymous
June 28, 2007
The comment has been removed
Anonymous
September 26, 2007
I installed ISA 2004. Kindly tell me how I can allow Messenger. Kindly help me configure ISA with a step-by-step process. (Mail me screenshots if possible: crazy4stacy@yahoo.com)
Anonymous
October 27, 2007
Can somebody help me out with a couple of issues in ISA 2006?
1. I need to allow Yahoo's voice chat and web cams through ISA 2006.
2. Is content filtering possible in ISA 2006? If yes, please tell me how to configure it.
3. How can I allocate bandwidth to the users in ISA 2006?
Kindly email me a solution at sameer_202_us@yahoo.com. Thank you in advance, yours gratefully, sameer
Anonymous
November 21, 2007
The comment has been removed