Microsoft Internet Security and Acceleration Server 2004 SDK
Filter Types
You can develop a wide range of application filters by using the ISA Server Software Development Kit (SDK). Examples of filter types are:

Protocol-enabling filters. These application filters enable the use of complex protocols that need more than a single TCP connection to traverse the Microsoft Firewall service. These filters dynamically configure the Firewall service computer to allow future secondary connections, and edit secure network address translation (SecureNAT) addresses. The FTP access filter and the H.323 filter, which are provided with ISA Server, are examples of protocol-enabling filters. The FTP access filter handles all aspects of configuring the ISA Server computer to automatically allow an FTP secondary data channel.

Protocol-scanning filters. These filters scan data from specific protocols for items such as an intrusion or a virus. Examples of protocol-scanning filters are the POP intrusion detection filter and the DNS intrusion detection filter, which are based on technology from Internet Security Systems (ISS) and are provided with ISA Server.

Redirection filters. A redirection filter can cause specific connections to be redirected into its control. The filter can then act as a server.

NAT-supporting filters. Many protocols pass the IP addresses of internal servers as part of their data. In a network address translation (NAT) environment, these internal IP addresses are hidden and need to be translated to externally visible addresses. An application filter can monitor the traffic and modify the relevant fields within a message to include the correct external addresses, according to existing publishing rules or according to some other criteria. For example, using the FTP access filter, an FTP client behind the ISA Server computer can direct an FTP server to connect to it, passing its address and port information as part of the protocol. The FTP access filter translates this information to an externally visible listening socket, enabling the file transfer to take place without disclosing the internal address.

Intrusion-detection filters. Application filters can examine traffic going through the ISA Server computer and look for known attack signatures. The Firewall service provides two such filters, which detect known intrusion signatures for DNS and POP3.

Content-filtering filters. Application filters can parse high-level application protocols, look at the actual data (the payload), and apply rules and processing based on the content. Examples include applying protocol-level syntax validation, antivirus scanning of file transfers, SOAP or XML filtering, and content categorization. The Firewall service HTTP and SMTP filters demonstrate this capability. In these scenarios, the overall structure of the application filter is the same. It typically attaches itself to each connection and implements the specifications and RFCs relevant to the protocols it represents, in order to handle the traffic and apply rules to it. The filter should keep session state and use it to control the data transfer through the ISA Server computer. It may modify the data flow, change the session payload, stop sessions that appear to violate the policy, or call ISA Server APIs to automatically configure allow/deny rules for expected future traffic. Content filtering for HTTP traffic is accomplished by developing an ISAPI filter, called a Web filter in the context of ISA Server and the Firewall service.

Other filters. The ISA Server architecture allows you to create a wide range of other filters.
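As an added illustration of the NAT-supporting and protocol-enabling behaviour described above for the FTP access filter (example code written for this page, not code from the ISA Server SDK or the product), the following standalone C++ parses a client's PORT command, records the secondary connection the firewall should expect, and rewrites the internal endpoint to an externally visible listening socket. The Endpoint and FtpNatFilter types and the sequential port allocation are hypothetical; a malformed PORT command is rejected rather than forwarded.

```cpp
#include <cstdio>
#include <string>
#include <utility>
#include <vector>

// Hypothetical standalone illustration; not an ISA Server SDK interface.
struct Endpoint {
    unsigned octet[4];   // IPv4 address as dotted octets
    unsigned port;
};

// Parse "PORT h1,h2,h3,h4,p1,p2" (RFC 959); false on any malformed field.
bool ParsePortCommand(const std::string& line, Endpoint& out) {
    unsigned v[6];
    if (std::sscanf(line.c_str(), "PORT %u,%u,%u,%u,%u,%u",
                    &v[0], &v[1], &v[2], &v[3], &v[4], &v[5]) != 6)
        return false;
    for (unsigned x : v)
        if (x > 255) return false;           // every field is one byte
    for (int i = 0; i < 4; ++i) out.octet[i] = v[i];
    out.port = v[4] * 256 + v[5];
    return true;
}

// Render an endpoint back into PORT syntax.
std::string FormatPortCommand(const Endpoint& ep) {
    char buf[64];
    std::snprintf(buf, sizeof buf, "PORT %u,%u,%u,%u,%u,%u",
                  ep.octet[0], ep.octet[1], ep.octet[2], ep.octet[3],
                  ep.port / 256, ep.port % 256);
    return buf;
}

// Per-session state: the external address with the next port to hand out
// (toy sequential allocation) and the secondary connections the firewall
// has been told to expect, each mapped back to its internal endpoint.
struct FtpNatFilter {
    Endpoint external;
    std::vector<std::pair<Endpoint, Endpoint>> expected;  // external -> internal

    // Rewrite one PORT command; false means malformed: drop it, do not forward.
    bool RewritePort(const std::string& line, std::string& rewritten) {
        Endpoint internal;
        if (!ParsePortCommand(line, internal)) return false;
        Endpoint ext = external;               // listening socket for this transfer
        ++external.port;                       // advance the toy allocator
        expected.push_back({ext, internal});   // allow this future secondary connection
        rewritten = FormatPortCommand(ext);
        return true;
    }
};
```

The expected list is what a real filter would hand to the firewall so that only the announced secondary connection is admitted, while the server side never sees the client's internal address.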