Comments on DMZ Config from you guys
Comments on DMZ Config from you guys - 19.Apr.2007 11:33:07 AM   
DavyJonesLocker (Posts: 14, Joined: 19.Apr.2007)
Hi,
I have a quick question about an idea I have for using ISA. Can any of you suggest any problems with this approach? I am trying to secure access to an internal mail system.

Forgive the URL but a picture vs a thousand words...

http://www.imagehosting.com/show.php/494452_RoughIdeaoutlineforArchitecture.jpg.html


All the best,
DavvyJones.

< Message edited by DavyJonesLocker -- 19.Apr.2007 11:40:24 AM >
Post #: 1
RE: Comments on DMZ Config from you guys - 20.Apr.2007 2:47:47 PM   
spouseele (Posts: 12782, Joined: 1.Jun.2001, From: Belgium)
Hi DavyJones,

Why make it so complex? I would just drop the ISA 2006 Front End server.

HTH,
Stefaan

(in reply to DavyJonesLocker)
Post #: 2
RE: Comments on DMZ Config from you guys - 24.Apr.2007 8:17:12 AM   
DavyJonesLocker (Posts: 14, Joined: 19.Apr.2007)
Stefaan,
Many thanks for showing an interest. The reason I would like to have such an architecture is not to expose the internal domain member ISA server to random internet attacks. If I can filter traffic significantly with a front ISA doing RSA SecurID checks, the level of risk associated with the rear ISA is reduced significantly.

Also the outer ISA and Firewall are not going to be owned by my company but a third party hosting organisation.

The domain member ISA server will have some IDS agent running on it too but if it was effectively 'exposed' to the internet directly I would feel that the risk was considerable.

Does my architecture hang together given my aims?

Many thanks for your thoughts,
DavvyJL.

(in reply to spouseele)
Post #: 3
RE: Comments on DMZ Config from you guys - 24.Apr.2007 2:33:27 PM   
spouseele (Posts: 12782, Joined: 1.Jun.2001, From: Belgium)
Hi DavvyJL,

Still I don't see any advantage in placing a front ISA server. You can as well do the RSA SecurID checks on the domain-integrated ISA server.

Check out Debunking the Myth that the ISA Firewall Should Not be a Domain Member

HTH,
Stefaan

(in reply to DavyJonesLocker)
Post #: 4
RE: Comments on DMZ Config from you guys - 4.May2007 3:53:34 AM   
DavyJonesLocker (Posts: 14, Joined: 19.Apr.2007)
Thanks for your comments...I have some other concerns...Please continue to explain my idiocy if it takes your fancy...All comments and explanations are appreciated...


1. My client expects 2 factor authentication

2. I wish to use RSA SecurID and also Certificates with KCD

3. I thought that I could not combine both the SecurID challenge in the web listener and also run a certificate KCD configuration. I thought I would need to have one listener challenge for SecurID, with a rule that forwarded requests on to a rear ISA 2006 server that had a listener that requested an SSL client certificate.

4. The gateway provider also has several layers of ISA in their configuration and I wanted to avoid as many network latency issues as possible. If I can put my first ISA2006 server behind their front firewall then I can perhaps cut down on initial challenge timeouts...

Please offer your advice (and probably explanations) freely,
Many thanks,
Davy.




(in reply to spouseele)
Post #: 5
RE: Comments on DMZ Config from you guys - 7.May2007 5:11:51 PM   
mylo (Posts: 138, Joined: 26.Mar.2002)
Davy,

As was suggested earlier, I think the solution is overkill. IMO the client certificates don't add any particular security in this scenario, as the RSA SecurID is your point solution for authentication. You have your two factors right there: something you have (the card) and something you know (the OTP PIN).

As Stefaan said, kill the front-end ISA and run SecurID as the authenticator on the web listener, and then do KCD into the backend.

Regards,
Mylo.

(in reply to DavyJonesLocker)
Post #: 6
RE: Comments on DMZ Config from you guys - 8.May2007 10:48:20 AM   
DavyJonesLocker (Posts: 14, Joined: 19.Apr.2007)
Mylo,
I would do that but I don't know how to use SecurID on the listener and also certificate based KCD (using a client certificate) on the rule. Can you explain how this is possible on just one ISA 2006 server?

I am obviously a little confused about this.

Many thanks,
Davy.

(in reply to mylo)
Post #: 7
RE: Comments on DMZ Config from you guys - 8.May2007 3:21:50 PM   
mylo (Posts: 138, Joined: 26.Mar.2002)
Davy,

Put simply... you can't, well, not on the same box. I can understand why you were going for a 'deep' solution with many layers, but the point I was trying to make was that you only need one ISA server in your design, and the SecurID should suffice as your primary authenticator, as it meets the two-factor requirement you defined. The client certificates weren't really adding particular value to the solution, apart from making the solution significantly more complex. Why? Because they're user certs, and then you'll need an internal certificate infrastructure and will need to worry about things like certificate distribution points, cert renewal, revocation etc.

What I was suggesting was:

- Make your ISA server a domain member
- Use SecurID on your web listener
- Use Kerberos constrained delegation once users have passed SecurID auth to enable access to "trusting" domain resources (see below)

Remember that the credentials are collected via the ISA form, and those credentials are then presented to the authentication provider (in your case SecurID)... at this point you are either authenticated or not.

If Kerberos constrained delegation were not set up, then you'd be challenged by the next authentication provider you met (e.g. IIS and, let's say, integrated auth on the website). If, however, the IIS server has been configured to trust the ISA server for Kerberos Constrained Delegation (for, say, the http service), then IIS as a published server is configured to "trust" the ISA server and the user will not be challenged again.

Check out the following Tom Shinder article:
http://www.isaserver.org/tutorials/Configuring-ISA-Firewalls-ISA-2006-RC-Support-User-Certificate-Authentication-using-Constrained-Delegation-Part1.html

Another great article comes from Stefaan Pouseele's blog; this is a nice, intensive article on OTP, Kerberos delegation (and RADIUS).

http://blogs.isaserver.org/pouseele/2006/12/26/playing-with-radius-authentication-and-isa-server-2006/

Regards,
Mylo

(in reply to DavyJonesLocker)
Post #: 8
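The Active Directory side of the Kerberos constrained delegation Mylo describes above, as an added example that is not part of any post in this thread. In AD the delegation grant lives on the ISA server's computer account: it lists the service principal names ISA may request tickets for, and because the user proved their identity to ISA with a SecurID form rather than a Kerberos ticket, protocol transition ("use any authentication protocol") must also be enabled so ISA can obtain a ticket in the user's name (S4U2Self) before presenting it to IIS (S4U2Proxy). The computer names ISA01 and WEB01.corp.example are hypothetical, and the script assumes the ActiveDirectory PowerShell module (RSAT) and rights to modify the computer object.

```powershell
# Added example (not from the original thread): grant the ISA 2006 server's
# computer account constrained delegation to the published IIS server's HTTP
# service, with protocol transition. Hypothetical names: ISA01 (domain-member
# ISA server) and WEB01.corp.example (published IIS server).
# Requires the ActiveDirectory module (RSAT) and rights on the computer objects.
Import-Module ActiveDirectory

$IsaComputer = 'ISA01'
$WebHost     = 'WEB01.corp.example'

# ISA may request service tickets on the user's behalf for exactly these SPNs.
# FQDN and short-name forms are both listed because the publishing rule may
# address the server either way.
$AllowedSpns = @("http/$WebHost", "http/$($WebHost.Split('.')[0])")

$isa = Get-ADComputer -Identity $IsaComputer

# 1. Constrained delegation: only the listed SPNs, never unconstrained.
Set-ADComputer -Identity $isa -Add @{ 'msDS-AllowedToDelegateTo' = $AllowedSpns }

# 2. Protocol transition ("Use any authentication protocol"). The user never
#    presented a Kerberos ticket to ISA (SecurID/forms), so ISA must be allowed
#    to obtain one in the user's name itself.
Set-ADAccountControl -Identity $isa -TrustedToAuthForDelegation $true

# 3. Verify, and flag the dangerous case where unconstrained delegation is
#    also set on the same account.
$check = Get-ADComputer -Identity $IsaComputer `
    -Properties 'msDS-AllowedToDelegateTo', TrustedForDelegation, TrustedToAuthForDelegation
if ($check.TrustedForDelegation) {
    Write-Warning "$IsaComputer is trusted for UNCONSTRAINED delegation; clear it."
}
$check | Select-Object Name, TrustedToAuthForDelegation,
    @{ n = 'AllowedToDelegateTo'; e = { $_.'msDS-AllowedToDelegateTo' -join ', ' } }

# 4. The HTTP SPN must be registered on the account IIS actually runs as
#    (WEB01$ for Network Service, or the app-pool service account); otherwise
#    the KDC cannot issue the ticket ISA asks for.
setspn -Q "http/$WebHost"

# 5. Accounts that must never be impersonated through the proxy (domain admins
#    and the like) should carry "Account is sensitive and cannot be delegated":
# Set-ADAccountControl -Identity 'some.admin' -AccountNotDelegated $true
```

On the ISA side the matching setting is the web publishing rule's Authentication Delegation tab, set to Kerberos constrained delegation with the same SPN (http/WEB01.corp.example). The security point to keep in mind is that an account holding TrustedToAuthForDelegation plus an SPN list can impersonate any non-protected user to those services, so the SPN list should contain only the published servers, and the ISA server itself should be treated as a tier-0-adjacent asset.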
RE: Comments on DMZ Config from you guys - 11.May2007 9:24:24 AM   
DavyJonesLocker (Posts: 14, Joined: 19.Apr.2007)
Mylo,
Thanks for your comments, but the user certificates are very important in the solution. The purpose of the certificate is twofold. It allows the ISA server to associate a certificate to a user to read the Kerberos ticket and act as a proxy. The user is making use of a Windows Mobile device that has no user context, and so the certificate is essential in this scenario. Also the certificate is used to create an SSL comms channel between the proxy server and the device for the safe transfer of mail.

I accept the need for a CA infrastructure but this is an existing component.

So I think I will still require a front ISA server. This gives me some problems. I want to authenticate on ISA 2006 and set an extended cookie on the device, but I am not sure that this is possible.

All the best,
Davy.

(in reply to mylo)
Post #: 9
RE: Comments on DMZ Config from you guys - 11.May2007 11:12:55 AM   
mylo (Posts: 138, Joined: 26.Mar.2002)
Hi Davy,

By extended cookie do you mean persistent, or extending the cookie duration? By design the cookies have a limited lifetime (whereupon you then have to reauthenticate).

Have you looked at possible solutions using RADIUS as the bridge between SecurID and AD?

Regards,
Mylo

(in reply to DavyJonesLocker)
Post #: 10
RE: Comments on DMZ Config from you guys - 11.May2007 11:34:11 AM   
DavyJonesLocker (Posts: 14, Joined: 19.Apr.2007)
Hi Mylo,
Thanks for taking the time to reply. I do really appreciate the interest.

I don't know if you remember the diagram I put up, but if I don't have an extended cookie, every time a user initiates a connection over ActiveSync they would be challenged to authenticate on the front ISA. This makes things unworkable.

I had been told by an account manager at RSA that they had an update for ISA 2006 that would allow cookie duration to be extended on the PDA when working with ActiveSync. This turns out not to be true at the current time. They do have an RSA agent that runs on the Exchange FE server that allows cookie extension when a device connects directly to the FE. I see this as an increased security risk, and my architecture does not support this level of risk.

I want to carry out my RSA validation at the boundary of my network, not in the heart of it. Once that is done and the cookie set for, say, 5 hours, then I want to have the rear firewall challenge for the certificate and establish an SSL tunnel between the device and the rear ISA box. The provision of the certificate will also allow the ISA box to read the Kerberos details of the associated user in AD and act as a proxy for the user. Data will be passed over the encrypted tunnel and all is well. I have everything working except for boundary two-factor authentication, which is a real annoyance and threatens my work so far.

If ISA2006 can support the cookie extension then I would be OK I think...

The use of RADIUS is an option but I was just planning on creating unique user accounts or perhaps linking direct from authentication manager to AD and reading in a subset of user credentials.

Thanks,
Davy.


(in reply to mylo)
Post #: 11
RE: Comments on DMZ Config from you guys - 15.May2007 11:06:05 AM   
mylo (Posts: 138, Joined: 26.Mar.2002)
Davy,

No problem... it's an interesting dilemma you're facing 

Sorry about the delayed response btw...

I understand the SecurID limitation with the extended cookie... you sound like you're really after OTP-type behaviour. I can imagine persistent cookies won't do the trick, because the cookie resides on the device beyond the lifetime of the session (security risk). How are you planning on chaining the connection between the front-end ISA and the rear ISA server (i.e. there's no relationship between the RSA Auth Manager and the rear ISA server authentication-wise)?

You mentioned that the cert 

"allows the ISA server to associate a certificate to a user to read the kerberos ticket and act as a proxy. The user is making use of a Windows Mobile device that has no user context and so the certificate is essential in this scenario" 

Yes, the Windows Mobile client is domain "agnostic", but SecurID + certificate is not the only strong solution available here. The following would also work in a single ISA server solution in conjunction with Kerberos constrained delegation:

- RADIUS Basic
- User certificate
- SecurID (on its own)

All essentially utilise ISA as a pre-authenticator and provide the necessary layer of separation between the client and corpnet and the deep inspection of the inbound https connection.

"the provision of the certificate will also allow the ISA box to read the Kerberos details of the associated user in AD and act as a proxy for the user"

Isn't that what Kerberos Constrained Delegation would be doing?

Anyway... if you find any 3rd-party OTP solutions that work, let us know (maybe Vasco or Aladdin have solutions)... maybe someone else has had differing (and more successful) experience with this.

Good luck!

Regards,
Mylo

(in reply to DavyJonesLocker)
Post #: 12