My Firewall Policy

I decided to write a description of my firewall policy today. I have been tweaking it again to get the RSS Reader webpart to work. I think if I write it out I will better be able to see any logic errors.

General Firewall Policy Description

  1. Allow computers in the local domain complete access to other computers in the local domain.
  2. Deny inbound access from the internet.
  3. Allow computers in the local domain anonymous outbound access to the internet with the following protocols:
    1. HTTP
    2. HTTPS
    3. FTP
    4. POP3
    5. SMTP
    6. NTP(UDP)
  4. Authenticate the user using Windows integrated authentication for IP protocols other than the ones listed above.
  5. Minimize the downloading of advertising and sexual content.

 

Firewall Rules and Implementation

  1. Direct Access Rule – Direct access to computers in the local domain is granted via the proxy client configuration for the web browser.
  2. Default Inbound Access Rule – Inbound access from the Internet is denied by the ISA firewall by default.
  3. Protocol rule #1 – If the client is from the local domain, anonymous outbound access is granted to the Internet for the normal protocol set, HTTP, HTTPS, FTP, POP3, SMTP, and NTP. Almost all internet access will go through this rule.
  4. Protocol rule #2 – If a client requires access to an IP protocol outside of the normal protocol set, that client must be authenticated using windows integrated authentication.
  5. Site and content rule #1 – Deny content from known advertising websites listed in the “No Ads” destination set and redirect the link to a local web page. This rule increases bandwidth by reducing the amount of unnecessary content being downloaded from the internet.
  6. Site and content rule #2 – Deny content from known sexual websites listed in the “No Sex” destination set and redirect the link to a local policy web page.
  7. Site and content rule #3 – Allow clients from the local domain access to all domains that have not been explicitly denied.
  8. Do not authenticate outbound listener. I think this is a temporary fix to get the RSS reader webpart to work and requires that the web.config have a <defaultproxy> statement. This is opposite of what the folks at www.isaserver.org recommend but their recommendation does not work for my server. All http connections end up being anonymous but I don't care.