ISA Team Blog on Http Filtering
The ISA team has started blogging, and today's post in particular is an interesting one: ISA Server Product Team Blog. Because it's a short post I've copied it below, but do be sure to check out their blog directly as well. What I like about this post is that it describes how easy it is to use one of the most overlooked features of ISA, Http Filtering. Http Filtering lets you block unwanted applications. You simply add the application's signature to the filter and you'll never see that app again on your network. It works for file types too, as several people pointed out during the .WMF scare.
Application Signatures for HTTP Filtering
You allow your internal clients to access the Internet, but want to limit their use of some applications. You can block their use of applications that run over HTTP by using the HTTP filtering capability of ISA Server 2004. But to block the application, you need the application signature. Here's how you find the signature:
Use a network traffic capturing utility, such as Network Monitor (known affectionately in some circles as NetMon). Install the utility on ISA Server. Best to do this sort of thing in a lab, unless you're completely comfortable about the security effects of the utility you use. Configure the utility to capture packets from a specific client.
On that client, access the application you're interested in. In the monitoring utility, find the HTTP request packet from the client (usually follows handshake packets) and look for a signature in the packet. A little finesse is needed, because you want to pick a signature that is general enough to always block the application, but not so specific that it blocks everything. For example, the signature "a" is a little too generic.
Once you've located a signature, you can add it to the Signatures tab of the HTTP policy for the access rule, and test it in production.
You can read more about this in the document "HTTP Filtering in ISA Server 2004", at White Paper
Nathan Bigman, ISA Server Product Team
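The signature-selection step in the quoted post can be checked offline before anything goes into the Signatures tab. The following is an added example, not code from the ISA team or from the original post: it scores candidate signatures against captured request headers, and the captures, the application name `ExampleChat` and the case-sensitive substring match are all assumptions made for illustration.

```python
"""Score candidate HTTP-filter signatures against captured request headers."""

def parse_headers(raw: str) -> dict:
    """Split a raw HTTP request head into {lowercased header name: value}."""
    headers = {}
    for line in raw.strip().splitlines()[1:]:      # skip the request line
        if not line.strip():
            break                                   # blank line ends the headers
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers

def evaluate(header: str, signature: str, app_reqs, other_reqs) -> dict:
    """Count how many requests of each kind a (header, signature) pair matches."""
    def hit(raw):
        # Assumption: plain case-sensitive substring match on the header value.
        return signature in parse_headers(raw).get(header.lower(), "")
    blocked = sum(hit(r) for r in app_reqs)
    collateral = sum(hit(r) for r in other_reqs)
    return {"signature": signature, "blocked": blocked,
            "missed": len(app_reqs) - blocked, "collateral": collateral,
            "usable": blocked == len(app_reqs) and collateral == 0}

# Constructed sample captures (not real traffic): two requests from the
# application to block, two from software that must keep working.
APP = [
    "GET /login HTTP/1.1\r\nHost: im.example.net\r\n"
    "User-Agent: ExampleChat/2.1 (Windows)\r\n\r\n",
    "POST /poll HTTP/1.1\r\nHost: im.example.net\r\n"
    "User-Agent: ExampleChat/2.3 (Windows)\r\n\r\n",
]
OTHER = [
    "GET / HTTP/1.1\r\nHost: www.example.com\r\n"
    "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0)\r\n\r\n",
    "GET /update HTTP/1.1\r\nHost: av.example.org\r\n"
    "User-Agent: ExampleAV Updater (Windows)\r\n\r\n",
]

def rank(candidates, header="User-Agent"):
    """Evaluate each candidate signature against the sample captures."""
    return [evaluate(header, c, APP, OTHER) for c in candidates]

if __name__ == "__main__":
    for result in rank(["a", "Windows", "ExampleChat/2.1", "ExampleChat"]):
        print(result)
```

A candidate is worth testing on the access rule only when `missed` and `collateral` are both zero across captures from several client versions and from the other applications in use on the network.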