Welcome to ISAserver.org

DMZ and VLANs

DMZ and VLANs - 11.Jun.2007 10:26:38 AM
brachclay
Posts: 2
Joined: 11.Jun.2007
Status: offline
Hello,

I am hoping to get a little direction here. I have a WAP internal network environment running ISA 2004. I want to be able to give outside users access to the wireless environment for internet access while keeping them separate from my internal network. I have created a separate SSID and VLAN through the switches for this purpose. I have read the DHCP relay article and think I can set that up for addressing to the DMZ. I have also read the Configuring an Untrusted Wireless DMZ article. Both articles call for a third NIC. Having set up a VLAN, is it possible to just use two NICs? If I keep the switch port that the ISA server connects to in both VLANs (default and new), won't this essentially act as if on a separate NIC (network)?

Thanks


_____________________________

Doug
Post #: 1
RE: DMZ and VLANs - 14.Jun.2007 4:36:40 AM
justmee
Posts: 505
Joined: 14.May2007
Status: offline
Hi Doug,
So what's the story: you have two VLANs and two SSIDs, a guest VLAN and one for internal users?
At a glance:
If so, you can have on ISA a NIC that supports VLAN tagging, or add two NICs to it, one for each VLAN.
Then you would have two networks on ISA; probably the Internal Network will serve the internal users and a DMZ the guests.
What's the use of that DHCP relay?
Keep in mind that these two networks must be totally separated.
I do not know what exactly "outside users" means: visitors, partners...
If so, I would encrypt this guest WLAN. I'm aware it adds some overhead, but it greatly enhances security.
An unencrypted WLAN is nothing more than a public hotspot.
On the other hand, using a separate WAP on the DMZ for outside users provides a more traditional and (in my opinion) more secure way of dealing with things (I would go even further and use a different Internet connection for that, but it's all about the budget).
It would also force real physical segmentation, as opposed to VLANs, which provide logical segmentation, and a more robust defense-in-depth architecture. Using one WAP and creating two SSIDs and VLANs, you have only one physical point of giving access to both types of users. Whether this is an unacceptable risk or not is your call.
I would do a pen test to see if the configuration done is fine (if so, then it should be OK).
Best regards!

(in reply to brachclay)
Post #: 2
RE: DMZ and VLANs - 14.Jun.2007 8:47:03 AM
brachclay
Posts: 2
Joined: 11.Jun.2007
Status: offline
Justmee

It is funny how you mention an unencrypted WLAN as a public hot spot. That is essentially what I am trying to do. The "outside" users are the general public who come into the building. However, I need to do this using the WAP infrastructure that the internal network users use. I need to keep both groups (public and internal) on separate subnets; therefore I need a separate DHCP server of some variety to address the public users while the original DHCP server continues to address the internal network users. That is why I am considering using the ISA DHCP relay. That is also why I created the VLAN for the public users.



_____________________________

Doug

(in reply to justmee)
Post #: 3
RE: DMZ and VLANs - 14.Jun.2007 9:48:18 AM
justmee
Posts: 505
Joined: 14.May2007
Status: offline
About that unencrypted wireless LAN, you found it funny; I've actually mentioned it because there are still some folks that continue to believe in the myth of signal strength for protecting their WLAN (or any other dumb ways of doing it). If you want the WLAN to be protected, then there is only one way to do it.
I get the picture now. It is quite simple to accomplish what you want as long as you do what you should.
From an ISA point of view: you must have two networks on ISA, the Internal (for internal users) and a DMZ for visitors. Each of these NICs goes into the right port of your switch (the required VLAN). Doing so, ISA will not be aware of the VLANs (actually, if they are, ISA is not aware of them). It is very simple to put another NIC on ISA for the outside users' VLAN.
If you add another subnet on ISA's Internal Network, you must instruct ISA how to reach this subnet (with a route).
Or put a NIC on ISA that supports VLAN tagging. Doing so, you will still have two networks on ISA (this is how ISA will end up seeing the VLANs), but just one adapter.
You must not "relay" anything. Each "network" (VLAN) must be completely separated from the other.
You must have separate DHCP/DNS servers on each VLAN (subnet).
Relay to whom?
To the internal DHCP server?
Excuse me, but this is stupid. A simple unused box can do the trick (if you do not have hundreds of visitors).

(in reply to brachclay)
Post #: 4
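The thread turns on one mechanism: when a single firewall NIC sits on a switch port that carries both the internal (native, untagged) VLAN and the guest (tagged) VLAN, the only thing that separates the two "networks" is the 802.1Q tag on each frame, so the firewall's driver has to read that tag and apply policy per VLAN. The following is an added example, written for this page and not code from the thread or from ISA Server: it builds and parses 802.1Q-tagged Ethernet frames, maps the tag to a logical network, and enforces the guest-cannot-reach-internal rule together with an anti-spoofing check. The VLAN IDs (1 native for internal, 20 for guests), MAC addresses and subnets are assumptions constructed for the example. The last case shows what goes wrong when a guest frame reaches the firewall untagged: it is classified as internal, and only the source-subnet check stops it.

```python
"""Classify 802.1Q-tagged frames arriving on one trunk NIC and enforce
guest/internal isolation. Example code written for this page; VLAN IDs,
MACs and subnets below are assumptions, not values from the thread."""
import ipaddress
import struct

ETHERTYPE_8021Q = 0x8100
ETHERTYPE_IPV4 = 0x0800

# Assumed VLAN plan (constructed for the example).
NATIVE_VLAN = 1   # untagged frames on the trunk port belong here: internal users
GUEST_VLAN = 20   # tagged frames from the guest SSID
NETWORKS = {
    NATIVE_VLAN: ("internal", ipaddress.ip_network("10.0.1.0/24")),
    GUEST_VLAN: ("guest", ipaddress.ip_network("10.0.20.0/24")),
}


def build_frame(dst_mac, src_mac, payload, vlan_id=None, pcp=0):
    """Build an Ethernet II frame, inserting an 802.1Q tag when vlan_id is given."""
    hdr = bytes.fromhex(dst_mac.replace(":", "")) + bytes.fromhex(src_mac.replace(":", ""))
    if vlan_id is not None:
        tci = (pcp << 13) | (vlan_id & 0x0FFF)      # TCI = PCP(3) | DEI(1)=0 | VID(12)
        hdr += struct.pack("!HH", ETHERTYPE_8021Q, tci)
    return hdr + struct.pack("!H", ETHERTYPE_IPV4) + payload


def build_ipv4(src_ip, dst_ip, proto=17):
    """Minimal 20-byte IPv4 header with no payload (checksum left at zero)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, proto, 0,
                       ipaddress.ip_address(src_ip).packed,
                       ipaddress.ip_address(dst_ip).packed)


def parse_frame(frame):
    """Return (vlan_id or None, inner ethertype, payload); one tag level only."""
    if len(frame) < 14:
        raise ValueError("truncated frame")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    vlan_id, off = None, 14
    if ethertype == ETHERTYPE_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vlan_id, off = tci & 0x0FFF, 18
    return vlan_id, ethertype, frame[off:]


def decide(frame):
    """Map the frame to a logical network and return (network, verdict, reason)."""
    vlan_id, ethertype, payload = parse_frame(frame)
    vid = NATIVE_VLAN if vlan_id is None else vlan_id   # untagged lands on the native VLAN
    if vid not in NETWORKS:
        return None, "deny", "unknown VLAN %d" % vid
    name, subnet = NETWORKS[vid]
    if ethertype != ETHERTYPE_IPV4 or len(payload) < 20:
        return name, "deny", "non-IPv4 or truncated"
    src = ipaddress.ip_address(payload[12:16])
    dst = ipaddress.ip_address(payload[16:20])
    # Anti-spoofing: the source must belong to the subnet of the VLAN it arrived on.
    if src not in subnet:
        return name, "deny", "source %s not in %s" % (src, subnet)
    # Guests may reach anything except the internal subnet.
    if name == "guest" and dst in NETWORKS[NATIVE_VLAN][1]:
        return name, "deny", "guest -> internal %s" % dst
    return name, "allow", "policy match"


def demo_cases():
    """Constructed traffic: returns a list of (label, network, verdict)."""
    fw, ap = "00:11:22:33:44:55", "66:77:88:99:aa:bb"       # assumed MACs
    cases = [
        ("guest tagged -> internet",
         build_frame(fw, ap, build_ipv4("10.0.20.7", "93.184.216.34"), vlan_id=GUEST_VLAN)),
        ("guest tagged -> internal host",
         build_frame(fw, ap, build_ipv4("10.0.20.7", "10.0.1.5"), vlan_id=GUEST_VLAN)),
        ("internal untagged -> internet",
         build_frame(fw, ap, build_ipv4("10.0.1.10", "93.184.216.34"))),
        ("guest frame arriving UNTAGGED (tag lost) -> internal host",
         build_frame(fw, ap, build_ipv4("10.0.20.7", "10.0.1.5"))),
    ]
    return [(label, decide(f)[0], decide(f)[1]) for label, f in cases]


if __name__ == "__main__":
    for label, net, verdict in demo_cases():
        print("%-55s -> %-8s %s" % (label, net, verdict))
```

The fourth case is the practical argument for justmee's advice: if the tag is stripped anywhere between the access point and the firewall, or the firewall's NIC driver ignores it, guest traffic is indistinguishable from internal traffic by VLAN alone, and only a per-interface source-subnet rule (or a physically separate NIC) still holds the line.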