Filter Types
You can develop a wide range of application filters by using the
Forefront TMG Software Development Kit (SDK). Examples of filter
types are:
- Protocol-enabling filters. These application filters
enable the use of complex protocols that require more than a
single TCP connection to traverse the Microsoft Firewall service.
These filters dynamically configure the Firewall service computer
to allow expected secondary connections, and edit secure network
address translation (SecureNAT) addresses. The FTP access filter
and the H.323 filter, which are provided with Forefront TMG, are
examples of protocol-enabling filters. The FTP access filter
handles all aspects of configuring the Forefront TMG computer to
automatically allow an FTP secondary data channel.
- Protocol-scanning filters. These filters scan data from
specific protocols for items such as an intrusion or virus.
Examples of protocol-scanning filters are the POP intrusion
detection filter and the DNS intrusion detection filter that are
based on technology from Internet Security Systems (ISS), and are
provided with Forefront TMG.
- Redirection filters. A redirection filter can cause
specific connections to be redirected into its control, after which
the filter itself acts as the server for those connections.
- NAT-supporting filters. Many protocols pass IP addresses
of internal servers as part of their data. In a network address
translation (NAT) environment, these internal IP addresses are
hidden, and need to be translated to externally visible addresses.
An application filter can monitor the traffic and modify the
relevant fields within a message to include the correct external
addresses according to existing publishing rules, or according to
some other criteria. Using the FTP access filter, an FTP client
behind the Forefront TMG computer may direct an FTP server to
connect to it, passing its address and port information as part of
the protocol. The FTP access filter translates this information to
an externally visible listening socket, enabling the file transfer
to take place without disclosing the internal address.
- Intrusion-detection filters. Application filters can
examine traffic going through the Forefront TMG computer and look
for known attack signatures. The Firewall service provides two such
filters, which detect known intrusion signatures for DNS and
POP3.
- Content-filtering filters. Application filters can parse
high-level application protocols, inspect the actual data (the
payload), and apply rules and processing based on the content.
Examples include applying protocol-level syntax validation,
antivirus scanning on file transfers, SOAP or XML filtering, and
content categorization. The Firewall service HTTP and SMTP filters
demonstrate this capability. In these scenarios, the overall
structure of the application filter is the same. It typically
attaches itself to each connection, and implements the
specifications and RFCs relevant to the protocols it represents to
handle the traffic and apply rules to it. The filter should keep a
session state and use it to control the data transfer through the
Forefront TMG computer. It may modify the data flow, change the
session payload, stop sessions that seem to violate the policy, or
call Forefront TMG APIs to automatically configure allow/deny rules
for expected future traffic. Content filtering for HTTP traffic is
accomplished by developing an ISAPI filter, called a Web filter in
the context of Forefront TMG and the Firewall service.
- Other filters. The Forefront TMG architecture allows you to
create a wide range of other filters.
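The protocol-enabling, NAT-supporting and content-filtering descriptions above share one shape: the filter attaches to a connection, keeps session state, validates the protocol syntax, rewrites or drops data, and tells the firewall which secondary connections to expect. The following Python is an added example of that logic for an FTP-style control channel; it is not code from the Forefront TMG SDK or from the FTP access filter, and it does not use the SDK's interfaces. The addresses, the external port pool starting at 40000, the 512-byte line limit and the simplification that a PASS command (rather than the server's reply) moves the session to the authenticated state are all constructed assumptions.

```python
"""
Added example (not from the Forefront TMG SDK): the core logic of an
FTP-style application filter that keeps per-session state, validates
control-channel syntax, rewrites PORT commands for NAT, and records the
secondary data connection the firewall should allow once.
"""
import re
from dataclasses import dataclass, field
from ipaddress import IPv4Address
from typing import List, Optional, Tuple

# PORT argument syntax from RFC 959: h1,h2,h3,h4,p1,p2
PORT_ARGS = re.compile(rb"^(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})$")
MAX_LINE = 512  # assumption: longer control-channel lines are treated as malformed


@dataclass
class Expectation:
    """One secondary (data) connection the firewall should allow exactly once."""
    src_addr: IPv4Address               # the FTP server that will connect back
    dst_addr: IPv4Address               # externally visible listening address
    dst_port: int
    relay_to: Tuple[IPv4Address, int]   # internal client socket the data is relayed to


@dataclass
class FtpSession:
    client_addr: IPv4Address
    server_addr: IPv4Address
    external_addr: IPv4Address
    state: str = "login"               # "login" until USER/PASS seen, then "ready"
    next_external_port: int = 40000    # constructed port pool for external listeners
    expectations: List[Expectation] = field(default_factory=list)
    dropped: int = 0                   # commands silently dropped by policy
    terminated: Optional[str] = None   # reason, once the filter stops the session


def new_session(client: str, server: str, external: str) -> FtpSession:
    return FtpSession(IPv4Address(client), IPv4Address(server), IPv4Address(external))


def parse_port_args(arg: bytes) -> Optional[Tuple[IPv4Address, int]]:
    """Validate and decode a PORT argument; None means it is malformed."""
    m = PORT_ARGS.match(arg)
    if m is None:
        return None
    nums = [int(g) for g in m.groups()]
    if any(n > 255 for n in nums):
        return None
    port = nums[4] * 256 + nums[5]
    if port == 0:
        return None
    return IPv4Address(".".join(str(n) for n in nums[:4])), port


def format_port(addr: IPv4Address, port: int) -> bytes:
    """Encode a PORT command for the given address and port."""
    return b"PORT " + str(addr).replace(".", ",").encode() + b",%d,%d\r\n" % (port // 256, port % 256)


def inspect_client_line(s: FtpSession, line: bytes) -> Optional[bytes]:
    """Return the line to forward to the server, or None if it was dropped or the session was stopped."""
    if s.terminated is not None:
        return None
    # Protocol-level syntax validation: CRLF-terminated, bounded length, printable ASCII only.
    if not line.endswith(b"\r\n") or len(line) > MAX_LINE or not all(32 <= b < 127 for b in line[:-2]):
        s.terminated = "malformed control line"
        return None
    verb, _, arg = line[:-2].partition(b" ")
    verb = verb.upper()
    if s.state == "login":
        if verb not in (b"USER", b"PASS", b"QUIT"):
            s.dropped += 1          # nothing else is allowed before authentication; drop but keep the session
            return None
        if verb == b"PASS":
            s.state = "ready"       # simplification: a real filter would wait for the server's 230 reply
        return line
    if verb != b"PORT":
        return line                 # other commands pass through unchanged in this example
    parsed = parse_port_args(arg)
    if parsed is None:
        s.terminated = "malformed PORT argument"
        return None
    addr, port = parsed
    if addr != s.client_addr:
        s.dropped += 1              # only allow the client to request a data connection to itself
        return None
    # NAT rewrite: replace the internal socket with an external listener and remember the mapping.
    ext_port = s.next_external_port
    s.next_external_port += 1
    s.expectations.append(Expectation(s.server_addr, s.external_addr, ext_port, (addr, port)))
    return format_port(s.external_addr, ext_port)


def admit_secondary(s: FtpSession, src: str, dst: str, dport: int) -> Optional[Tuple[str, int]]:
    """For a new inbound connection, consume a matching expectation and return the relay target."""
    for e in s.expectations:
        if e.src_addr == IPv4Address(src) and e.dst_addr == IPv4Address(dst) and e.dst_port == dport:
            s.expectations.remove(e)
            return str(e.relay_to[0]), e.relay_to[1]
    return None


if __name__ == "__main__":
    sess = new_session("10.0.0.25", "198.51.100.9", "203.0.113.7")
    for cmd in (b"USER alice\r\n", b"PASS secret\r\n", b"PORT 10,0,0,25,195,80\r\n"):
        print(cmd.strip(), b"->", inspect_client_line(sess, cmd))
    print(admit_secondary(sess, "198.51.100.9", "203.0.113.7", 40000))
```

Each expectation is consumed once, so the external listener is opened only for the one data connection the client requested, which is the behaviour the text attributes to the FTP access filter. A PORT command naming a host other than the client, or a PORT command issued before authentication, is dropped while the control session continues; a syntactically invalid command stops the session entirely.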
Build date: 11/30/2009
© 2008 Microsoft Corporation. All rights reserved.