Page 392

Jesse Varsalone and Jan Kanclirz Jr.

"Microsoft Forefront Security Administration Guide"

We will need to create a second rule that is similar to the first, except that we will set the source as only the list of internal DNS servers. We will want to make an identical rule for SMTP that has only the list of outbound mail relays as the source.

Keeping our outbound traffic locked down as much as possible like this is good practice. We could allow all internal hosts to send outbound DNS or SMTP traffic, but this opens the possibility that our internal hosts can actually cause some havoc if they are ever compromised. A great deal of e-mail is sent by workstations that are compromised and have a lightweight SMTP server installed, and nothing blocks this traffic from getting out to the Internet. We want to block this traffic, and we want it to trigger alerts on our ISA Server due to dropped packets so that we can identify problematic hosts as soon as possible.
NOTE
Remember that if you create a rule that allows a specific type of traffic from the internal network, your ISA Server will not necessarily be able to establish these types of connections. In order to include your ISA Server as a legitimate source of traffic you need to include "Local Host" in the Access Rule Sources selection. Another option is to enable the system rule related to the protocol you want to enable, since system rules are generally rules that enable certain forms of traffic to and from the ISA Server. Although you shouldn't allow the ISA Server to be used for web browsing, it may need to log to a remote host, fire e-mail alerts, and download Microsoft updates from an internal server.
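The following is an added example, not code from the book or from ISA Server itself: a small Python model of the ordered, first-match access policy the text describes (outbound DNS only from the internal DNS servers, outbound SMTP only from the mail relays, everything else dropped and alerted), run over a handful of constructed packets. The address plan (10.0.0.0/8, the DNS servers 10.0.0.53 and 10.0.0.54, the relay 10.0.1.25, the workstation 10.0.5.17) is made up for the example; the `build_policy(include_local_host=True)` variant shows the NOTE's point that the ISA Server's own traffic is denied until "Local Host" is added to the rule sources.

```python
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import List, Tuple, Union

LOCAL_HOST = "Local Host"   # ISA's built-in object for the firewall itself
EXTERNAL = "External"       # ISA's built-in External (Internet) network

Source = Union[IPv4Network, str]


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                     # "allow" or "deny"
    protocols: frozenset
    sources: Tuple[Source, ...]     # networks, or LOCAL_HOST
    destinations: Tuple[str, ...]   # network names; this model only tracks External


@dataclass(frozen=True)
class Packet:
    src: str        # IPv4 address string, or LOCAL_HOST when the ISA box itself sends
    dst: str        # destination network name
    protocol: str


def _source_matches(rule: Rule, src: str) -> bool:
    for s in rule.sources:
        if s == LOCAL_HOST:
            if src == LOCAL_HOST:
                return True
        elif src != LOCAL_HOST and ip_address(src) in s:
            return True
    return False


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, str]:
    """First-match evaluation, as ISA walks its ordered firewall policy.
    Returns (action, rule name); the implicit last rule denies everything."""
    for rule in rules:
        if (pkt.protocol in rule.protocols
                and pkt.dst in rule.destinations
                and _source_matches(rule, pkt.src)):
            return rule.action, rule.name
    return "deny", "Default rule"


def build_policy(include_local_host: bool = False) -> List[Rule]:
    """The two tightly scoped egress rules from the text plus ordinary web access.
    Addresses are a constructed example plan, not taken from the book."""
    internal = ip_network("10.0.0.0/8")
    internal_dns = (ip_network("10.0.0.53/32"), ip_network("10.0.0.54/32"))
    mail_relays = (ip_network("10.0.1.25/32"),)
    extra = (LOCAL_HOST,) if include_local_host else ()   # the NOTE's fix
    return [
        Rule("Allow outbound DNS from internal DNS servers", "allow",
             frozenset({"DNS"}), internal_dns + extra, (EXTERNAL,)),
        Rule("Allow outbound SMTP from mail relays", "allow",
             frozenset({"SMTP"}), mail_relays + extra, (EXTERNAL,)),
        Rule("Allow web from Internal", "allow",
             frozenset({"HTTP", "HTTPS"}), (internal,), (EXTERNAL,)),
    ]


def filter_traffic(rules: List[Rule], packets: List[Packet]):
    """Returns (decisions, alerts). Every drop produces an alert line so that
    hosts sending SMTP or DNS on their own can be found quickly."""
    decisions, alerts = [], []
    for pkt in packets:
        action, name = evaluate(rules, pkt)
        decisions.append((pkt.src, pkt.protocol, action, name))
        if action == "deny":
            alerts.append(f"DROP {pkt.protocol} from {pkt.src} to {pkt.dst} ({name})")
    return decisions, alerts


# Constructed sample traffic.
SAMPLE = [
    Packet("10.0.0.53", EXTERNAL, "DNS"),    # internal DNS server: allowed
    Packet("10.0.1.25", EXTERNAL, "SMTP"),   # outbound mail relay: allowed
    Packet("10.0.5.17", EXTERNAL, "SMTP"),   # workstation with its own SMTP engine: dropped, alert
    Packet("10.0.5.17", EXTERNAL, "DNS"),    # workstation resolving directly: dropped, alert
    Packet("10.0.5.17", EXTERNAL, "HTTPS"),  # ordinary browsing: allowed
    Packet(LOCAL_HOST, EXTERNAL, "SMTP"),    # the ISA Server firing an e-mail alert
]

if __name__ == "__main__":
    for label in ("without", "with"):
        decisions, alerts = filter_traffic(build_policy(label == "with"), SAMPLE)
        print(f"--- policy {label} Local Host in rule sources ---")
        for src, proto, action, name in decisions:
            print(f"{src:>12} {proto:<5} {action:<5} ({name})")
        for line in alerts:
            print("ALERT:", line)
```

Without "Local Host" in the sources, the firewall's own SMTP alert is dropped by the default rule just like the workstation's, which is exactly the surprise the NOTE warns about; adding it (or enabling the matching system rule) lets only the ISA Server through while the workstation stays blocked and keeps generating alerts.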

