I have a network of around 60 users who have access to the internet through ISA Server 2004 and a hardware firewall. As a matter of course I've always blocked anonymous requests to the outside world.

We are installing a new piece of software that needs to lookup data from a particular website and the only way it will work is if I allow anonymous requests out through the firewall.

Am I taking a huge risk, or have I just been overly cautious in the past?

Marko Carter
  • Something just does not sound right: you say "I've always blocked anonymous requests to the outside", and somehow I get the feeling this is almost a double negative. Do you mean FROM the outside? – tony roth Jun 29 '10 at 16:10
  • He means TO the outside. ISA Server can be set up to control firewall passthrough by ORIGINATING USER. This is done either by HTTP proxy, or using a client installed on Windows Server. Very nice to allow different users different types of access, if needed. – TomTom Jun 29 '10 at 16:25
  • OTOH, lots of administrative work. That said, it is a great feature - one that makes ISA Server a FIREWALL, not a stupid packet filter. – TomTom Jun 29 '10 at 16:25
  • @TomTom: I don't think the packet filters like you calling them stupid. ;) – joeqwerty Jun 29 '10 at 16:38
  • I'm not saying they're not stupid... just that it hurts their feelings. – joeqwerty Jun 29 '10 at 16:39
  • Well, years ago "outgoing user identification" was part of what made a packet filter a firewall. Today, most Linux people think they have a firewall with a packet filter... that does not know WHO sends packets from the inside ;) – TomTom Jun 29 '10 at 16:53
  • I'm not familiar with ISA, but can you open up anonymous access to just that one site? Seems like the easiest way to let the program work without opening up a whole slew of potential attack vectors. – Catherine MacInnes Jun 29 '10 at 18:09
  • Almost all http traffic is anonymous so this does not make sense. – tony roth Jun 29 '10 at 19:19
  • @tony - sure it does. The internal users (as configured) need to be authenticated to the ISA server before they can browse the web. – mfinni Jun 29 '10 at 20:59
  • @mfinni true, but once allowed through the traffic is anonymous, and the traffic he's talking about will be anonymously exposed to the remote server. – tony roth Jun 29 '10 at 21:53
  • This "piece of software" does it run as a service (like collecting new data etc) or do the users actually run the process? – tony roth Jun 29 '10 at 21:57

2 Answers

It sounds like you're using the authentication functionality of the ISA web proxy to authenticate user access to web sites. Now you've got a piece of software that can't handle proxy authentication and, as such, you're forced to break down and allow anonymous access to the site that the non-proxy-friendly software wants to access.

To my mind, opening anonymous HTTP access to a single site, assuming that the site doesn't have any kind of "proxy" or "proxy-like" functionality (think Google Translate, the Google cache, etc.), probably isn't a very big deal.

If the software actually runs on your client computers and you're determined to have per-user authentication, you might look at deploying the Microsoft Firewall Client to your client computers. The Firewall Client shims into the Windows Sockets API (which is rather a clever trick) and allows per-user authorization and auditing of TCP connections through the ISA server from client computers. Since all the authentication happens at the sockets layer, there's no HTTP proxy authentication occurring.

Evan Anderson
  • Some feedback on the downvote would be nice. What's the gripe about allowing anonymous HTTP access from the LAN to a single web site (assuming that's what the poster's asking for)? – Evan Anderson Jun 30 '10 at 04:20
  • Hi Evan, I've thought about installing the ISA client on the client machines, but it's just one more administrative burden! I haven't been able to work out how to open up anonymous access to just one site but if you say it can be done... Can't work out why the answer has been downvoted, it makes sense to me. Upvoted! – Marko Carter Jun 30 '10 at 08:08
  • Finally got it sorted - I'd been doing everything right but my server wasn't happy about something - said it was applying the rule when it actually wasn't. Single site anonymous access enabled, all ok. – Marko Carter Jun 30 '10 at 09:30
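A log-side check for the "single site anonymous access" rule discussed in this answer, added here as an example that is not part of the original post or of ISA Server: it parses a constructed, simplified web-proxy log and flags any anonymous request that succeeded against a host outside the allowlist, which is exactly what would have exposed the "rule applied but not really" situation described in the last comment. The column layout, the host name lookup.example-vendor.com and the convention that unauthenticated requests are logged with the user "anonymous" are assumptions.

```python
"""Flag anonymous proxy requests that escaped the single-site allowlist.
Added example, not from the original post or ISA Server. The log layout is a
constructed, simplified tab-separated schema (client IP, user, authenticated
Y/N, host, port, method, URL, HTTP status); a real ISA 2004 W3C export has more
columns, so map its names to yours."""
from collections import namedtuple

ANON_ALLOWED_HOSTS = {"lookup.example-vendor.com"}  # assumption: the one site

Request = namedtuple("Request", "client_ip user authenticated host port method url status")

def parse_line(line):
    fields = line.rstrip("\n").split("\t")
    if len(fields) != 8:
        raise ValueError(f"expected 8 columns, got {len(fields)}: {line!r}")
    ip, user, auth, host, port, method, url, status = fields
    return Request(ip, user, auth == "Y", host.lower(), int(port), method, url, int(status))

def is_anonymous(req):
    # Assumption: unauthenticated requests are logged with the user 'anonymous'.
    return not req.authenticated or req.user.lower() == "anonymous"

def find_escapes(lines):
    """Anonymous requests that succeeded (status < 400) against a host not on
    the allowlist: evidence the rule is wider than it claims to be."""
    escapes = []
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue  # blank or comment line
        req = parse_line(line)
        if is_anonymous(req) and req.status < 400 and req.host not in ANON_ALLOWED_HOSTS:
            escapes.append(req)
    return escapes

# Constructed sample log, not a real export.
SAMPLE_LOG = [
    "# constructed sample",
    "10.0.0.15\tDOMAIN\\alice\tY\twww.example.com\t80\tGET\thttp://www.example.com/\t200",
    "10.0.0.22\tanonymous\tN\tlookup.example-vendor.com\t80\tGET\thttp://lookup.example-vendor.com/api\t200",
    "10.0.0.22\tanonymous\tN\ttranslate.example.net\t80\tGET\thttp://translate.example.net/?u=x\t200",
    "10.0.0.31\tanonymous\tN\tmail.example.org\t25\tCONNECT\tmail.example.org:25\t403",
]

if __name__ == "__main__":
    for r in find_escapes(SAMPLE_LOG):
        print(f"{r.client_ip} anonymous -> {r.host}:{r.port} {r.method} {r.url}")
```

Run it against a real export after enabling the rule: an empty result means only the intended site is reachable anonymously; any line printed is a host the rule let through.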

Yes, this is a risk. A malicious user could use your connection to send spam; this can be avoided by blocking outgoing TCP 25 (SMTP) and TCP 465 (SMTPS). A couple of years ago it was very common for worms (like Blaster) to scan for port TCP 445 and spread using one of the many vulnerabilities in Windows DCOM/RPC. This could result in a Cease and Desist (C&D) order being filed against you. In another case, a malicious hacker could use your connection to safely carry out attacks. Or, in another scenario, a malicious hacker could purposefully scan IP ranges owned by the Department of Defense, which will result in your internet connection being turned off within a few days, which is a nasty Denial of Service attack.

Rook
  • The poster's statement "software that needs to lookup data from a particular website " made me think that he's talking about opening up HTTP access to a specific site to anonymous users. That's a whole lot different than opening up anonymous arbitrary outgoing TCP/IP to the entire 'net. – Evan Anderson Jun 29 '10 at 21:53
  • @Evan Anderson it isn't clear if that is his configuration, although even with only HTTP access you can piss off the DoD and get a nasty C&D in the mail. – Rook Jun 29 '10 at 22:12