2008-07-16
Article continued from Page 2
I find it very interesting to see so much HTTP traffic out of Brazil -- most of which is not needed in my environment. The beauty of this system is that it allows for easy correlation with my web server logs: I can match up connection sources with HTTP requests and then validate the traffic itself before deciding what to block and from where (or what to allow). In my environment (and that of my colleagues), we actually receive a non-trivial amount of valid traffic from Brazilian sources, so even though a vast percentage of the traffic is indeed invalid for our purposes, we've made the decision to allow HTTP from Brazil in order to best serve the people who count on access to the data we provide. In this case, we have to take the bad with the good -- but at least we arrived at the decision based on fact. Here's one that took some research to nail down:
| Country | Protocol | Port | Connections |
|---|---|---|---|
| United States | TCP | 32085 | 199137 |
| United States | UDP | 32085 | 122667 |
| United Kingdom | TCP | 32085 | 72960 |
| Japan | TCP | 32085 | 62946 |
| Poland | TCP | 32085 | 42408 |
| Canada | TCP | 32085 | 41916 |
| France | TCP | 32085 | 41226 |
| Germany | UDP | 32085 | 40236 |
| Israel | TCP | 32085 | 36858 |
| France | UDP | 32085 | 35874 |
| Spain | UDP | 32085 | 32877 |
| United Kingdom | UDP | 32085 | 27249 |
| Canada | UDP | 32085 | 26754 |
| Australia | TCP | 32085 | 21942 |
| Sweden | UDP | 32085 | 18444 |
| Mexico | TCP | 32085 | 18066 |
| Germany | TCP | 32085 | 14790 |
| Australia | UDP | 32085 | 13839 |
| Netherlands | UDP | 32085 | 13194 |
| Poland | UDP | 32085 | 10668 |
| Norway | TCP | 32085 | 9780 |
At first, I had no idea what UDP/TCP 32085 was for -- yet I was seeing substantial traffic from all over the world. Nothing turned up on Google, so a quick packet capture got me the information I needed. It was BitTorrent. Seems that someone inside one of our networks was "a bit active" in the torrent scene. This traffic is easy enough to block in its entirety regardless of the source countries, but I found the distribution of peers in other countries interesting in its own right.
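The lookup behind tables like the one above, as an added Python example (not the article's own code): each connection's source IP is mapped to a country by binary search over an IPAddresses-style range table, then connections are counted per country, protocol and port. The range rows and log lines are constructed here (private 10/8 space, hypothetical log format), not taken from the article.

```python
from bisect import bisect_right
from collections import Counter
from ipaddress import IPv4Address

# Constructed, hypothetical rows in the shape of the article's IPAddresses
# table (BegIP, EndIP, Cntry, FullCntry). Private 10/8 space, not real allocations.
IP_RANGES = [
    ("10.0.0.0", "10.0.255.255", "US", "United States"),
    ("10.1.0.0", "10.1.0.255", "BR", "Brazil"),
    ("10.2.0.0", "10.2.127.255", "GB", "United Kingdom"),
]

# Constructed firewall log lines: "<source IP> <protocol> <destination port>".
LOG_LINES = """10.0.1.5 TCP 32085
10.0.1.5 UDP 32085
10.0.9.9 TCP 32085
10.1.0.7 TCP 80
10.2.3.4 TCP 32085
10.1.1.1 TCP 32085""".splitlines()

def ip_to_long(ip):
    """Dotted quad -> 32-bit integer, i.e. the BegIPLong/EndIPLong columns."""
    return int(IPv4Address(ip))

def build_index(ranges):
    """Sort ranges by start address so each lookup is one binary search."""
    rows = sorted((ip_to_long(b), ip_to_long(e), full) for b, e, _, full in ranges)
    return [r[0] for r in rows], rows

def lookup_country(index, ip):
    """Return the FullCntry owning ip, or 'Unknown' if it falls in a gap."""
    starts, rows = index
    n = ip_to_long(ip)
    i = bisect_right(starts, n) - 1          # last range starting at or before ip
    if i >= 0 and n <= rows[i][1]:           # ...and that range must not have ended yet
        return rows[i][2]
    return "Unknown"

def connection_table(index, log_lines):
    """Rows of (country, protocol, port, connections), busiest first."""
    counts = Counter()
    for line in log_lines:
        src, proto, port = line.split()
        counts[(lookup_country(index, src), proto, int(port))] += 1
    return sorted(((c, p, port, n) for (c, p, port), n in counts.items()),
                  key=lambda r: (-r[3], r[0], r[1]))

INDEX = build_index(IP_RANGES)
```

Addresses that fall between two allocated ranges (10.1.1.1 here) are reported as "Unknown" rather than being attributed to the nearest country, which is the case to watch for when a lookup table is incomplete.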
Creating Objects in ISA
When you are finally ready to create firewall rules based on the research you've done, you first have to take the IPAddresses table information and use it to create "sets" (collections of the IP ranges each country "owns") in ISA. Once the appropriate computer set exists, it's a simple matter of selecting that computer set as the From or To (source or destination) element in the rule that blocks or allows the traffic. Again, I've already created these for you in .xml format so they can easily be imported into ISA, but here's how I went about programmatically creating the sets. In my test VM, I installed ISA Server and Microsoft Access. The Access database simply has a copy of the IPAddresses table imported from SQL (or linked to it, your choice). This was done in a test VM because you should never load Microsoft Office products on your production firewall.
This code creates the Computer Sets based on the IPAddress data:
```vba
Private Sub BuildISAComputerSets_Click()
    ' Errors are swallowed so one bad range does not abort the whole run;
    ' watch the Log text box for countries that report zero ranges.
    On Error Resume Next
    ' Create the root FPC object.
    Dim root ' The FPCLib.FPC root object
    Set root = CreateObject("FPC.Root")
    ' Declare the other ISA objects needed.
    Dim isaArray
    Dim ComputerSets
    Dim ComputerSet
    Dim AddressRanges
    Dim AddressRange
    Dim rstCountries As DAO.Recordset
    Dim rstAddresses As DAO.Recordset
    Dim sCountry As String
    Dim sSQL As String
    Dim sRangeName As String
    ' Connect to ISA
    Set isaArray = root.GetContainingArray()
    Set ComputerSets = isaArray.RuleElements.ComputerSets
    Log.SetFocus ' the Text property of the Log text box needs focus
    ' Get a distinct list of countries
    sSQL = "SELECT DISTINCT FullCntry FROM IPAddresses ORDER BY FullCntry"
    Set rstCountries = CurrentDb.OpenRecordset(sSQL)
    Do While Not rstCountries.EOF ' Countries loop
        Log.Text = ""
        sCountry = rstCountries!FullCntry
        Log.Text = Log.Text & "Working on " & sCountry & vbNewLine
        ' One computer set per country, e.g. "ThorSet_Brazil"
        Set ComputerSet = ComputerSets.Add("ThorSet_" & sCountry)
        ' Double any apostrophe in the country name so it does not break the SQL
        sSQL = "SELECT BegIP, EndIP, BegIPLong, EndIPLong, Cntry, FullCntry " & _
               "FROM IPAddresses WHERE FullCntry = '" & Replace(sCountry, "'", "''") & _
               "' ORDER BY BegIPLong"
        Set rstAddresses = CurrentDb.OpenRecordset(sSQL)
        ' RecordCount is only accurate once the recordset has been fully traversed
        If Not rstAddresses.EOF Then rstAddresses.MoveLast: rstAddresses.MoveFirst
        Log.Text = Log.Text & Str(rstAddresses.RecordCount) & " address ranges found" & vbNewLine
        Set AddressRanges = ComputerSet.AddressRanges
        Do While Not rstAddresses.EOF ' Addresses loop
            ' Range name: country code plus the numeric bounds, e.g. "BR167772160-167772415"
            sRangeName = Trim(rstAddresses!Cntry) & Trim(Str(rstAddresses!BegIPLong)) _
                         & "-" & Trim(Str(rstAddresses!EndIPLong))
            Set AddressRange = AddressRanges.Add(sRangeName, rstAddresses!BegIP, rstAddresses!EndIP)
            rstAddresses.MoveNext
        Loop
        rstAddresses.Close
        Log.Text = Log.Text & "... saving"
        'ComputerSet.Save ' not needed: the collection is saved once at the end
        rstCountries.MoveNext
    Loop
    rstCountries.Close
    ComputerSets.Save
    MsgBox "Done."
End Sub
```
