Thursday, February 3, 2011

What risks are associated with allowing anonymous access from the LAN to the internet?

I have a network of around 60 users who have access to the internet through ISA Server 2004 and a hardware firewall. As a matter of course I've always blocked anonymous requests to the outside world.

We are installing a new piece of software that needs to look up data from a particular website, and the only way it will work is if I allow anonymous requests out through the firewall.

Am I taking a huge risk, or have I just been overly cautious in the past?

  • It sounds like you're using the authentication functionality of the ISA web proxy to authenticate user access to web sites. Now you've got a piece of software that can't handle proxy authentication and, as such, you're forced to break down and allow anonymous access to the site that the non-proxy-friendly software wants to access.

    To my mind, opening anonymous HTTP access to a single site, assuming that the site doesn't have any kind of "proxy" or "proxy-like" functionality (think Google Translate, the Google cache, etc), probably isn't a very big deal.

    If the software actually runs on your client computers and you're determined to have per-user authentication you might look at deploying the Microsoft Firewall Client to your client computers. The Firewall Client shims into the Windows Sockets API (which is rather a clever trick) and allows per-user authorization and auditing of TCP connections through the ISA server from client computers. Since all the authentication happens at the sockets layer there's no HTTP proxy authentication occurring.

    Evan Anderson : Some feedback on the downvote would be nice. What's the gripe about allowing anonymous HTTP access from the LAN to a single web site (assuming that's what the poster's asking for)?
    Marko Carter : Hi Evan, I've thought about installing the ISA client on the client machines, but it's just one more administrative burden! I haven't been able to work out how to open up anonymous access to just one site, but if you say it can be done... Can't work out why the answer has been downvoted; it makes sense to me. Upvoted!
    Marko Carter : Finally got it sorted - I'd been doing everything right but my server wasn't happy about something - said it was applying the rule when it actually wasn't. Single site anonymous access enabled, all ok.
  • Yes, this is a risk. A malicious user could use your connection to send spam; this can be avoided by blocking outgoing TCP 25 (SMTP) and TCP 465 (SMTPS). A couple of years ago it was very common for worms (like Blaster) to scan for port TCP 445 and spread using one of the many vulnerabilities in Windows DCOM/RPC. This could result in a Cease and Desist (C&D) order being filed against you. In another case a malicious hacker could use your connection to safely carry out attacks. Another scenario is that a malicious hacker could purposefully scan IP ranges owned by the Department of Defense, which will result in your internet connection being turned off within a few days, which is a nasty Denial of Service attack.

    Evan Anderson : The poster's statement "software that needs to lookup data from a particular website " made me think that he's talking about opening up HTTP access to a specific site to anonymous users. That's a whole lot different than opening up anonymous arbitrary outgoing TCP/IP to the entire 'net.
    Rook : @Evan Anderson it isn't clear if that is his configuration, although even with only HTTP access you can piss off the DoD and get a nasty C&D in the mail.
    From Rook
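The two answers above disagree mostly about scope: anonymous HTTP to one site versus anonymous arbitrary TCP to the whole internet. The following is an added example, not code from the thread or from ISA Server, that models the policy both answers converge on (anonymous access only to the one lookup site on 80/443, authenticated users allowed general web access, SMTP/SMTPS/SMB egress blocked for everyone, default deny) and then audits proxy log lines against it. The second part addresses the problem Marko hit, where the server claimed to apply a rule it was not actually applying: comparing what the log says was allowed against what the policy says should have happened surfaces that kind of drift. The hostname `lookup.example.com`, the port sets, and the whitespace-separated log layout are all assumptions made for the example; ISA Server's real rule engine and W3C log format are not reproduced here.

```python
"""Egress-policy model plus proxy-log audit for the scenario in the thread.

Constructed example. The rule table and the log line layout below are
simplified stand-ins and are NOT ISA Server 2004's configuration or log format.
"""
from dataclasses import dataclass
from typing import Optional, Set, Tuple, List

# Assumed: the single site the new software needs to reach anonymously.
ALLOWED_ANON_HOST = "lookup.example.com"
# Ports the second answer recommends blocking outbound for everyone:
# 25 (SMTP), 465 (SMTPS), 445 (SMB / DCOM-RPC worm propagation).
BLOCKED_EGRESS_PORTS = {25, 465, 445}


@dataclass(frozen=True)
class Request:
    user: Optional[str]   # None means the client did not authenticate to the proxy
    host: str
    port: int


@dataclass
class Rule:
    name: str
    action: str                  # "allow" or "deny"
    users: Optional[Set[str]]    # None = any; {"anonymous"} / {"authenticated"}
    hosts: Optional[Set[str]]    # None = any destination host
    ports: Optional[Set[int]]    # None = any destination port


def matches(rule: Rule, req: Request) -> bool:
    """True when every constraint the rule sets is satisfied by the request."""
    who = "anonymous" if req.user is None else "authenticated"
    if rule.users is not None and who not in rule.users:
        return False
    if rule.hosts is not None and req.host.lower() not in rule.hosts:
        return False
    if rule.ports is not None and req.port not in rule.ports:
        return False
    return True


# First-match rule table. Order matters: the blanket port block comes first so
# that no later allow rule can accidentally open SMTP or SMB to anyone.
POLICY: List[Rule] = [
    Rule("block-smtp-and-smb-egress", "deny", None, None, BLOCKED_EGRESS_PORTS),
    Rule("anon-to-lookup-site-only", "allow", {"anonymous"}, {ALLOWED_ANON_HOST}, {80, 443}),
    Rule("authenticated-web", "allow", {"authenticated"}, None, {80, 443}),
    Rule("default-deny", "deny", None, None, None),
]


def evaluate(req: Request, policy: List[Rule] = POLICY) -> Tuple[str, str]:
    """Return (action, rule name) for the first matching rule."""
    for rule in policy:
        if matches(rule, req):
            return rule.action, rule.name
    return "deny", "implicit-deny"   # unreachable with the table above, kept for safety


# Constructed log lines: client_ip user host port action rule.
# 'anonymous' in the user field marks an unauthenticated request.
SAMPLE_LOG = """\
# client_ip user host port action rule
10.0.0.21 anonymous lookup.example.com 443 allow anon-to-lookup-site-only
10.0.0.21 anonymous translate.google.com 80 allow anon-to-lookup-site-only
10.0.0.35 jsmith www.example.org 80 allow authenticated-web
10.0.0.35 jsmith mail.example.net 25 deny block-smtp-and-smb-egress
10.0.0.44 anonymous 203.0.113.7 445 allow anon-to-lookup-site-only
"""


def audit_log(lines, policy: List[Rule] = POLICY):
    """Return entries whose logged action differs from what the policy dictates.

    Each finding is (client_ip, user, host, port, logged_action, expected_action).
    A non-empty result means the firewall is not enforcing the rule it reports.
    """
    findings = []
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        client, user, host, port, action, _rule = line.split()
        req = Request(None if user == "anonymous" else user, host, int(port))
        expected, _ = evaluate(req, policy)
        if action != expected:
            findings.append((client, user, host, int(port), action, expected))
    return findings


if __name__ == "__main__":
    for f in audit_log(SAMPLE_LOG.splitlines()):
        print("policy drift:", f)
```

Run stand-alone, the audit flags two of the constructed lines: an anonymous request to `translate.google.com` that the proxy allowed (exactly the "proxy-like site" case Evan warns about) and an anonymous connection to TCP 445 that was allowed despite the port block. Swapping `SAMPLE_LOG` for a real export and adjusting the field parsing to the actual log layout turns this into a quick consistency check after any rule change.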
