The Hunt For HTTP Signatures - ISA 2006 Firewall HTTP Filter

You've bought an ISA 2006 Firewall and you want to use it to block IM applications like Yahoo Messenger or Windows Live Messenger, to name just a few. You may also want to block the download of attachments from Web Mail (like Yahoo Mail, Windows Live Mail or Google Mail) or the upload of files through Web Mail (and not only there).

Currently you cannot afford to invest in an advanced web filtering solution like the one offered by WebSense, so you must block such applications manually (not the nicest job in the world).

You are aware that these applications have a "signature". So you must identify this signature and then configure the HTTP filter on ISA to block it.

Note that the HTTP signatures you can apply on ISA are found in the Request URL or in the HTTP Headers or Bodies. Both Request and Response Headers and Bodies can be inspected.

Be careful with the Request or Response body: if you enable ISA to search "deep" into them (by increasing the maximum number of bytes inspected by ISA), you will suffer from performance degradation.

We will search for signatures within the Request URL or within the HTTP Headers or Bodies.
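To make the three search locations and the body byte limit concrete, here is an added example (a simplified model written for this page, not ISA's own matching logic). The signature names, the `ExampleIM` client string, the host and the 100-byte default are assumptions chosen for illustration, and the sample request is constructed.

```python
# Added illustration: a simplified model of signature matching, not ISA's implementation.
from dataclasses import dataclass

@dataclass(frozen=True)
class Signature:
    name: str
    search_in: str      # "request_url", "request_headers" or "request_body"
    pattern: bytes
    header: str = ""    # header name, used only for "request_headers"

def parse_request(raw: bytes):
    """Split a raw HTTP request into (url, headers dict, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    url = lines[0].split(b" ")[1]
    headers = {}
    for line in lines[1:]:
        key, _, value = line.partition(b":")
        headers[key.strip().lower().decode("latin-1")] = value.strip()
    return url, headers, body

def matching_signatures(raw, signatures, max_body_bytes=100):
    """Return names of matching signatures; only the first max_body_bytes
    of the body are searched (assumed default of 100 for this example)."""
    url, headers, body = parse_request(raw)
    hits = []
    for sig in signatures:
        if sig.search_in == "request_url":
            haystack = url
        elif sig.search_in == "request_headers":
            haystack = headers.get(sig.header.lower(), b"")
        else:
            haystack = body[:max_body_bytes]
        if sig.pattern in haystack:
            hits.append(sig.name)
    return hits

# Constructed sample data: client name, host and body marker are placeholders.
SIGNATURES = [
    Signature("im-client-agent", "request_headers", b"ExampleIM", header="User-Agent"),
    Signature("webmail-upload-url", "request_url", b"/upload"),
    Signature("attachment-marker", "request_body", b"filename="),
]
SAMPLE = (b"POST /mail/upload HTTP/1.1\r\nHost: mail.example.test\r\n"
          b"User-Agent: ExampleIM/1.0\r\n\r\n" + b"A" * 150 + b'; filename="report.doc"')

print(matching_signatures(SAMPLE, SIGNATURES))                      # body marker lies past byte 100
print(matching_signatures(SAMPLE, SIGNATURES, max_body_bytes=512))  # deeper inspection finds it
```

The body signature is missed at the shallow limit and found at the deeper one, which is the coverage-versus-performance trade-off described above; URL and header signatures are unaffected by the limit.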

A great tool for hunting signatures is our favourite network protocol analyzer, Wireshark.

For those not used to Wireshark, using it to identify signatures can be intimidating. Therefore let's spend a few minutes playing with Wireshark first.
