Re: ISA - Block External IP from Accessing Server
- From: "Dana Epp" <dana@xxxxxxxxxxx>
- Date: Mon, 18 Dec 2006 09:09:35 -0800
Hey Bernie,
You just need to build a rule that meets these requirements. Before I give you instructions on how to do this, I want to remind you that trying to defend against attackers using blacklisting is not as effective as whitelisting. In other words, you are better off to block ALL access to that service except for those people who absolutely need it. This helps to reduce the attack surface of your server by eliminating any foreign host from accessing your system unless explicitly allowed. The security principle of least privilege comes into play here.
With that said, here is what you could do to quickly make a firewall rule for your needs:
* Open up the ISA Server Management Console
* Select the "Firewall Policy" tree-node on the left side of the window
* Highlight the first rule in the set of policies
* On the right side of the window under "Firewall Policy Tasks" click "Create a new Access Rule"
* Enter a friendly name. As an example "Block certain IPs FTP access". Click Next
* Set the rule action to Deny. Click Next
* Change the drop down to "Selected Protocols".
* Click the Add button. Expand the "All Protocols" tree and select "FTP". Click Add. Click Next.
* For Access Rule Source, Click Add, and provide the IP addresses of the sources you wish to block. Normally these would be under the "Computers" section. When done adding the hosts you want to block, click Next.
* For Access Rule Destination, Click Add, expand Networks and select "Local Host". Click Next.
* For User Sets, make sure All users is present. Click Next.
* Verify the final settings, and then hit Finish.
* Hit the Apply button to update the firewall.
There you have it. Because ISA applies its rules in ascending order and the rule is at the top, it will match your attacker quickly and drop them before any other rule is processed.
Again, I can't stress enough that this isn't as effective a policy as going the other way. Instead of setting a DENY action, set an ALLOW action and provide the source IP of those hosts you WANT to access the FTP server. Then create a second rule right after it that has an action of DENY and blocks all other connections. In this way... you prevent all access unless explicitly allowed... a much safer firewall policy.
As a side note, by default there is already an SBS FTP policy. You could simply change the Source from "External" to a specific set of IPs and block all other access. Just a thought.
HTH. Good luck.
---
Regards,
Dana Epp [Microsoft Security MVP]
"Bernie Hunt" <bhunt@xxxxxxxxxxxxx> wrote in message news:5f5eff823c67a8c8f08e87978e63@xxxxxxxxxxxxxxxxxxxxx
I have an SBS server that is being attacked from specific external IPs. What rule do I need to write to block the external access without shutting down all of the business?
I'd like to be able to block a specific IP from specific ports. For example, block 123.456.789.123 from getting to the ftp server on port 21.
Thanks for any help you can give.
Bernie
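Added example, not part of the thread and not ISA Server code: a small Python model of first-match, top-down rule evaluation that puts the deny-list policy from the step-by-step instructions beside the allow-list policy Dana recommends. The rule names, the sample addresses (taken from the RFC 5737 documentation ranges) and the assumed pre-existing "SBS FTP policy" allow rule are constructed for the illustration. What it shows is the point of the thread: with a deny-list, any attacker from an address you have not listed yet still reaches FTP; with an allow-list followed by a catch-all deny, only the trusted sources get through, and swapping the order of two rules silently changes the outcome.

```python
"""Model of an ordered, first-match firewall policy (constructed example;
not ISA's implementation). Rules are checked top to bottom and the first
match decides, which is how the thread describes ISA ordering."""
import ipaddress
from dataclasses import dataclass

ANY = "*"  # wildcard for protocol or source


@dataclass(frozen=True)
class Rule:
    name: str
    action: str      # "allow" or "deny"
    protocol: str    # e.g. "ftp", or ANY
    sources: object  # tuple of ip_network objects, or ANY


def net(*cidrs):
    """Build a sources tuple from CIDR strings."""
    return tuple(ipaddress.ip_network(c) for c in cidrs)


def matches(rule, src, proto):
    proto_ok = rule.protocol == ANY or rule.protocol == proto
    src_ok = rule.sources == ANY or any(src in n for n in rule.sources)
    return proto_ok and src_ok


def evaluate(policy, src_ip, proto):
    """First-match evaluation. Returns (action, rule_name).
    The policy is expected to end with a catch-all rule."""
    src = ipaddress.ip_address(src_ip)
    for rule in policy:
        if matches(rule, src, proto):
            return rule.action, rule.name
    raise ValueError("policy has no catch-all rule")


# Constructed sample addresses (RFC 5737 documentation ranges).
KNOWN_BAD = net("198.51.100.23/32", "198.51.100.77/32")  # hosts seen attacking
TRUSTED = net("203.0.113.0/28")                           # hosts that need FTP

# Policy A: the deny-list approach from the step-by-step instructions.
# The assumed existing rule that allows FTP from External stays below it.
DENY_LIST_POLICY = (
    Rule("Block certain IPs FTP access", "deny", "ftp", KNOWN_BAD),
    Rule("SBS FTP policy (External -> Local Host)", "allow", "ftp", ANY),
    Rule("Default rule", "deny", ANY, ANY),
)

# Policy B: the allow-list approach. Trusted sources first, then a rule
# that denies FTP from everyone else.
ALLOW_LIST_POLICY = (
    Rule("Allow FTP from trusted hosts", "allow", "ftp", TRUSTED),
    Rule("Deny FTP from everyone else", "deny", "ftp", ANY),
    Rule("Default rule", "deny", ANY, ANY),
)


def compare(src_ip, proto="ftp"):
    """Return the action each policy takes for one source address."""
    return {
        "deny_list": evaluate(DENY_LIST_POLICY, src_ip, proto)[0],
        "allow_list": evaluate(ALLOW_LIST_POLICY, src_ip, proto)[0],
    }


def swapped(policy, i, j):
    """Same rules with two positions exchanged; used to show order matters."""
    rules = list(policy)
    rules[i], rules[j] = rules[j], rules[i]
    return tuple(rules)


if __name__ == "__main__":
    # 192.0.2.200 is a source nobody has listed anywhere yet.
    for ip in ("198.51.100.23", "203.0.113.5", "192.0.2.200"):
        print(ip, compare(ip))
    # Put the deny rule below the allow rule and the known-bad host gets in.
    print(evaluate(swapped(DENY_LIST_POLICY, 0, 1), "198.51.100.23", "ftp"))
```

The third address in the usage block is the interesting one: it is neither on the deny list nor in the trusted range, and only the allow-list policy drops it. The last line reproduces the ordering point from the reply; the deny rule has to sit above the broader allow rule, or it never fires.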