Configuring Microsoft Internet Security and Acceleration Server 2006 • Chapter 11 407
Not all these rules are enabled, and some actually pass no traffic in their default
state. Some require internal destinations or service configurations on the ISA Server
to be defined, and all are defined to allow protocols to and from the local host. However,
it is troubling that Microsoft would hide these rules from the management interface by
default. Firewall administrators should have a clear and accurate understanding of the
entire rule set at all times, but ISA Server comes with these 30 rules hidden. Additionally,
for some firewall administrators these rules represent too loose a configuration.
There will obviously be those who argue that the rules found here pose little or no
risk, and are needed for minimal functionality of the firewall. However, firewall
administrators need to be a cautious bunch in order to survive, and these rules do not
adequately represent this sort of cautiousness. There are two separate rules related to
the passing of NetBIOS traffic. Anyone familiar with the myriad of vulnerabilities
associated with NetBIOS and the numerous worms that have preyed on ports 137, 138,
and 139 should be concerned that these rules exist.

Figure 11.13 The Firewall Policy Rules Screen

These rules do not specifically allow NetBIOS traffic from the outside to pass the
firewall and reach the inside.