Creating Multiple Security Perimeters with a Multihomed ISA Firewall Part 1

Creating Multiple Security Perimeters with a Multihomed... - 29.Nov.2005 2:52:26 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Discuss the article on creating multiple DMZ segments on a multihomed ISA firewall at http://www.isaserver.org/tutorials/Creating-Multiple-Security-Perimeters-Multihomed-ISA-Firewall-Part1.html

Thanks!
Tom

< Message edited by tshinder -- 29.Nov.2005 2:59:23 PM >


_____________________________

Thomas W Shinder, M.D.
Post #: 1
RE: Creating Multiple Security Perimeters with a Multih... - 29.Nov.2005 10:42:49 PM   
unitas99007

 

Posts: 1
Joined: 29.Nov.2005
Status: offline
Say you wanted to go just nuts with security, and are employing a server setup similar to, but not exactly like Figure 2 in scenario two. The difference here is that there would be a back to back ISA setup with a DMZ (unauthenticated) in between instead of a single ISA between the internal network and router. So it would be like critical services on one network segment, internal firewall, then work group network segment, then another firewall, then a DMZ, then finally an edge firewall. Where's the best place to put the front-end Exchange Server? I'd say in the DMZ, but on a different segment, so one is authenticated, one's not. It's sort of a back-to-back-to-back firewall setup. Any ideas?

_____________________________

Unitas99007
ISA 2004 Standard

(in reply to tshinder)
Post #: 2
RE: Creating Multiple Security Perimeters with a Multih... - 29.Nov.2005 11:42:01 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Unitas,

As long as the front-end Exchange Server is located in an authenticated access only DMZ segment, then you're good.

HTH,
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to unitas99007)
Post #: 3
RE: Creating Multiple Security Perimeters with a Multih... - 4.Jan.2006 3:51:00 PM   
linuxuser1

 

Posts: 2
Joined: 4.Jan.2006
Status: offline
Hi Tom,

What should be the DNS address for the Authenticated Front End Exchange Server and Anonymous DMZ SMTP Relay?

Thanks.

(in reply to tshinder)
Post #: 4
RE: Creating Multiple Security Perimeters with a Multih... - 4.Jan.2006 7:12:02 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi LU1,

Not sure what you're asking here.

Are you asking what the DNS settings on the NICs of the FE Exchange Server and SMTP relay should be?

Thanks!
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to linuxuser1)
Post #: 5
RE: Creating Multiple Security Perimeters with a Multih... - 5.Jan.2006 2:52:06 PM   
linuxuser1

 

Posts: 2
Joined: 4.Jan.2006
Status: offline
Hi Tom,

"Are you asking what the DNS settings on the NICs of the FE Exchange Server and SMTP relay should be?" Yes Tom. That is what I am asking for.

Thanks.

Linuxuser1

(in reply to tshinder)
Post #: 6
RE: Creating Multiple Security Perimeters with a Multih... - 5.Jan.2006 5:50:44 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi LU1,

For the FE Exchange Server, it depends on what you want to do with it. If you want to provide an authenticating SMTP relay for your external users, it will need to resolve external names. I set it up with the FE Exchange Server using the DNS server on the internal network. Since there is a route relationship between the authentication access DMZ and the Internal network, you would configure it to use the IP address of the DNS server on the internal network.

The anonymous access SMTP server doesn't require a DNS server address at all. This helps prevent spammers from using it as a relay (in case the SMTP server was misconfigured). It also prevents sending of NDRs.

HTH,
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to linuxuser1)
Post #: 7
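As an added example (not from the thread or from ISA Server itself), the following script audits the NIC DNS settings Tom describes: it parses `ipconfig /all`-style output from the FE Exchange Server and the anonymous SMTP relay and checks that the first points only at the internal DNS servers while the second has none at all. The hostnames, addresses and the `INTERNAL_DNS` set are constructed for the example.

```python
import re

# Constructed ipconfig /all excerpts (made-up hosts and addresses, not from the thread).
FE_EXCHANGE_IPCONFIG = """\
   Host Name . . . . . . . . . . . . : FE-EXCH
Ethernet adapter Local Area Connection:
   IP Address. . . . . . . . . . . . : 10.0.1.10
   Default Gateway . . . . . . . . . : 10.0.1.1
   DNS Servers . . . . . . . . . . . : 10.0.0.5
                                       10.0.0.6
"""
# The relay sample deliberately violates the guidance (it has a DNS server) so the check flags it.
ANON_RELAY_IPCONFIG = """\
   Host Name . . . . . . . . . . . . : ANON-SMTP
Ethernet adapter Local Area Connection:
   IP Address. . . . . . . . . . . . : 10.0.2.10
   Default Gateway . . . . . . . . . : 10.0.2.1
   DNS Servers . . . . . . . . . . . : 10.0.0.5
"""
INTERNAL_DNS = {"10.0.0.5", "10.0.0.6"}  # assumed internal-network DNS servers

FIELD_RE = re.compile(r"^\s+([A-Za-z][A-Za-z -]*?)[ .]*: ?(.*)$")  # "Name . . . : value"
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

def parse_dns_servers(ipconfig_text):
    """Return the set of DNS server addresses on all adapters. Extra servers appear
    on continuation lines with no field name, so collect until the next field."""
    servers, in_dns = set(), False
    for line in ipconfig_text.splitlines():
        m = FIELD_RE.match(line)
        if m:
            in_dns = m.group(1).strip() == "DNS Servers"
            if in_dns and IPV4_RE.match(m.group(2).strip()):
                servers.add(m.group(2).strip())
        elif in_dns and IPV4_RE.match(line.strip()):
            servers.add(line.strip())
        else:
            in_dns = False
    return servers

def check_dns_policy(role, ipconfig_text, internal_dns=INTERNAL_DNS):
    """FE Exchange in the authenticated DMZ must use only internal DNS servers;
    the anonymous SMTP relay must have no DNS server configured."""
    servers = parse_dns_servers(ipconfig_text)
    if role == "fe-exchange":
        ok = bool(servers) and servers <= internal_dns
    elif role == "anon-smtp-relay":
        ok = not servers
    else:
        raise ValueError("unknown role: " + role)
    return ok, sorted(servers)
```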
RE: Creating Multiple Security Perimeters with a Multih... - 11.Jan.2006 4:11:40 AM   
carorieta

 

Posts: 102
Joined: 15.Dec.2005
Status: offline
Tom,

I am sorry this is out of this topic, but are you aware of this?
http://forums.isaserver.org/Get_Paid_To_Watch_Movies/m_2002002950/tm.htm



_____________________________

carorieta

(in reply to tshinder)
Post #: 8
RE: Creating Multiple Security Perimeters with a Multih... - 11.Jan.2006 3:44:32 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Carorieta,

Looks like it was taken down already.

Thanks!
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to carorieta)
Post #: 9
RE: Creating Multiple Security Perimeters with a Multih... - 26.Jan.2006 4:10:32 AM   
Voltech

 

Posts: 5
Joined: 7.Jun.2004
Status: offline
Tom,

Thanks for all the articles, they are always great, keep up the good work. The first part of this article states:

"We use ISA firewall best practices and make the firewall a domain member, so that we can enhance the overall level of security provided by the ISA firewall."

I think I know some of the reasons why this might be true (mainly control of the ISA server through policy i.e. auditing, account rename, security templates, etc...), but feel like there has to be a lot of reasons why you would not want to do this as well. I know if this topic has ever come up with any of my colleagues it has always been a tough sell... but then again most of them are Cisco bigots and would never put an ISA server on the edge of their network :)

So, could you detail the points that would make it more secure and "best practice" to make the ISA server a member of your domain? Maybe a dedicated article on why to do it and how to actually secure the ISA server once it is in the domain.

Also, if you have any comments or references for my Cisco friends that ammunition is welcome as well.

Many Thanks in Advance,
Voltech

(in reply to tshinder)
Post #: 10
RE: Creating Multiple Security Perimeters with a Multih... - 27.Jan.2006 5:38:58 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Voltech,

Cisco guys are very good at routing and switching, but they usually have no concept of security other than "open a port". Any organization that allows the "network guys" to have any control over the security infrastructure has some serious problems. Network guys are not security guys, and security guys are not network guys. However, there are some "network security guys" but you don't find them in the Cisco camp very often.

I actually have a comprehensive outline of the advantages of making the ISA firewall a domain member, that I can mail to you if you like. I'll probably include a comprehensive coverage of this issue in our ISA 2006 book.

Also, I should make it clear that it's best practice to make the ISA firewall a domain member when you get the security benefits (Firewall client, user certificate authentication, regulatory compliance via AD centralized management, etc), but if the scenario of the ISA firewall deployment doesn't take advantage of them (for example, unihomed ISA firewall) then there's no need to make it a domain member.

HTH,
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to Voltech)
Post #: 11
RE: Creating Multiple Security Perimeters with a Multih... - 27.Jan.2006 6:41:24 PM   
LLigetfa

 

Posts: 2187
Joined: 10.Aug.2004
From: fort frances.on.ca
Status: offline
Tom,
Could you expand on your reasoning in the case of two ISA firewalls; a Front (edge) and a Back (internal). What reasoning would apply to the one on the edge?

_____________________________

The School of Hard Knocks is a mean teacher. She gives the exam before the lesson.

(in reply to tshinder)
Post #: 12
RE: Creating Multiple Security Perimeters with a Multih... - 28.Jan.2006 6:48:09 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Les,

With a back to back ISA firewall config, I don't see any reason to make the FE ISA firewall a domain member. You can get the AD auth and all the advantages domain membership provides on the back-end, so there's no reason to make the FE a domain member. Of course, you could create a DMZ domain if you want, and use that for partners, etc. But for internal users only, I only make the BE ISA firewall a domain member.

HTH,
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to LLigetfa)
Post #: 13
RE: Creating Multiple Security Perimeters with a Multih... - 3.Jan.2007 5:22:01 PM   
ttjrm1

 

Posts: 1
Joined: 3.Jan.2007
Status: offline
Hi There,

I have attempted the "Creating Multiple Security Perimeters ..." tutorial on ISA server 2006, but I believe I have been able to configure ISA 2006 as dictated by the tutorial for ISA 2004. I am new to this software and beginning to pull my hair out. The configuration offered in the tutorial is what I am wanting for my network, but unfortunately I have as of yet been unable to access the OWA, RPC etc for the exchange servers outside or the inside. I have been through the settings time and again not being able to find the answer. For example I try and log into the owa.(site name)/Exchange from the internet side of the firewall, I get the ISA log in screen and then I get a server error 'The network logon failed'.

I would be most grateful if you could offer guidance for implementing the brilliant tutorial you have written on ISA 2006 in an effort to solve my current nightmare and further my knowledge of using ISA 2006. Also you mention the servers in the Anonymous DMZ, but could you offer some information on how to set them up for this network situation?

I apologise for what may seem like a very bare report of my situation. Needless to say I am using ISA server 2006 with Windows server 2003 and I would like to implement the network topology and setup from the tutorial. As of yet I have had no luck!!

Many thanks for your assistance with this matter.

ttjrm1

(in reply to tshinder)
Post #: 14