Discussion about article Creating Multiple Security Perimeters with a Multihomed ISA Firewall Part 2

Users viewing this topic: none

Logged in as: Guest
  Printable Version
All Forums >> [ISA Server 2004 Firewall] >> DMZ >> Discussion about article Creating Multiple Security Perimeters with a Multihomed ISA Firewall Part 2 Page: [1] 2   next >   >>
Login
Message << Older Topic   Newer Topic >>
Discussion about article Creating Multiple Security Per... - 6.Dec.2005 4:28:55 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
This thread is for discussing the article on Creating Multiple Security Perimeters with a Multihomed ISA Firewall Part 2 at http://www.isaserver.org/tutorials/Creating-Multiple-Security-Perimeters-Multihomed-ISA-Firewall-Part2.html

Thanks!
Tom

< Message edited by tshinder -- 6.Dec.2005 4:34:47 PM >


_____________________________

Thomas W Shinder, M.D.
Revisions: 1 | Post #: 1
RE: Discussion about article Creating Multiple Security... - 12.Dec.2005 9:46:54 PM   
tavistar

 

Posts: 1
Joined: 12.Dec.2005
Status: offline
Do machines on the Internal and on the Authorized DMZ Networks need to have routing table entries to the other network, or does the Default Gateway entry handle that?

(in reply to tshinder)
Post #: 2
RE: Discussion about article Creating Multiple Security... - 13.Dec.2005 3:19:07 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Tavistar,

For the scenario discussed in the article, no routing table entries are needed.

If there are hosts on remote network IDs behind a specific ISA firewall interface, then the LAN routers they use should have a route to the destination network, which would be the local interface address on the ISA firewall.

However, if you have only a single network ID located behind each of the ISA firewall interfaces, then there is no reason to create routing table entries.

HTH,
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to tavistar)
Post #: 3
RE: Discussion about article Creating Multiple Security... - 2.Apr.2006 7:36:48 AM   
wrinklebrain

 

Posts: 1
Joined: 2.Apr.2006
Status: offline
In ISA 2006 STD, would I use Exchange RPC publishing instead of all. 

http://blogs.technet.com/isablog/archive/2006/01/16/AccessPolicyRulesVsServerPublishingRules.aspx

says publishing allows inspection vs. pass-through. Sure, this takes a lot longer to make the rules, but security would benefit from it, would it not?

(in reply to tshinder)
Post #: 4
RE: Discussion about article Creating Multiple Security... - 2.Apr.2006 5:04:26 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi WB,

This sounds like an interesting question, but can you expand on it a little bit?

Thanks!
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to wrinklebrain)
Post #: 5
RE: Discussion about article Creating Multiple Security... - 6.Apr.2006 1:28:12 AM   
bpatlen

 

Posts: 23
Joined: 5.Aug.2004
From: VA
Status: offline
I happen to be setting up a new network and want to configure my ISA2004 according to these articles. I have a few questions but will start with the simplest ones. First, I've read Tom's book and articles, which are very helpful, but I can't find any details on configuring the ISA interface cards in a 4 NIC setup. Everything I found deals with the standard inside/outside approach but not the inside/outside/authenticated/anonymous setup like the scenario in the articles.  I assume the DMZ NICs would be the same as the internal NIC but I'm not sure.  Second, it seems that there's a DNS resolver in the Anonymous DMZ but I can't find any discussion about this. Assuming I have one master domain controller on the internal network that's doing DNS, WINS, and DHCP, do I forward all DNS queries to an external DNS (i.e., my ISP's DNS) or use a DNS resolver on one of the DMZs? Does it go in the Anon DMZ? Is it a stub zone or is it authoritative for my domain name? How is it set up? If someone can point me to book/chapter/verse or a previous article about this, I would be grateful. Thanks.

Brian

(in reply to tshinder)
Post #: 6
RE: Discussion about article Creating Multiple Security... - 6.Apr.2006 2:31:30 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Brian,

1. The NICs on the DMZ segments only need IP address and subnet masking information. Only one NIC, the primary adapter in the list of interfaces, needs the DNS server address, and that will be the internal interface.

2. You can provide a DNS resolver in the DMZ; that's a secure configuration. Or you can put a DNS resolver on the ISA firewall. In any case, the DC will use that resolver as its forwarder.

HTH,
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to bpatlen)
Post #: 7
RE: Discussion about article Creating Multiple Security... - 6.Apr.2006 4:43:28 PM   
bpatlen

 

Posts: 23
Joined: 5.Aug.2004
From: VA
Status: offline
Hey, thanks, Tom!

1. So the DMZ NICs will have their IP, subnet, and gateway info but no DNS. What about Client for Microsoft Networks, File and Printer Sharing, and the binding order? Are these also set up like the internal NIC?

2. If I have an SMTP relay and a WAP hanging in the Anonymous DMZ, then how are DNS calls handled? I'm assuming that the WAP has DHCP integrated and guessing that DNS on that appliance points to my ISP's DNS. But if I have a DNS resolver here, then can the WAP use that for DNS? Otherwise, it seems that there'll be 2 sources of DNS calls: 1 from internal-to-external via the DNS resolver and 1 from wireless users via the WAP itself (none of this assumes that I'll have users on the wireless-anonymous DMZ accessing internal resources).

3. Regarding certificates, I have a corporate CA and can set this up, but wouldn't it be easier to use Server Publishing Rules instead of Web Publishing Rules and skip the certificate assignments? If the connection is passed directly to the FE Exch Server and decrypted there, then it seems simpler and better to do it this way. Is this not the case, and why?

Thanks for your help. Brian.

(in reply to tshinder)
Post #: 8
RE: Discussion about article Creating Multiple Security... - 6.Apr.2006 6:00:36 PM   
PCC

 

Posts: 199
Joined: 13.Nov.2001
From: Michigan
Status: offline
Personally I prefer to keep my WAP on its own physical anonymous DMZ network so that the WAP clients don't have direct access to the servers in my Anonymous DMZ.  So my server has 4 NICs: Internet, LAN, Anonymous DMZ & Anonymous WAP DMZ.  When I build my new server I will be adding another NIC for an Authenticated DMZ for a front end Exchange server.

I have DHCP set up on the ISA Server and use that to assign addresses for my WAP clients.  DHCP assigns DNS IP addresses for the WAP clients that point to my ISP's DNS forwarders.  I don't need a split DNS for my WAP network so I decided this was the easiest setup.  I decided to set up DHCP on the ISA server because I have several WAPs in our office.  This allows the WAP clients to receive an IP address from DHCP no matter which WAP they are hooking up to.

Not sure if this answers any of your questions but I hope it helps in some way.

Pete

(in reply to bpatlen)
Post #: 9
RE: Discussion about article Creating Multiple Security... - 6.Apr.2006 6:31:01 PM   
bpatlen

 

Posts: 23
Joined: 5.Aug.2004
From: VA
Status: offline
Thank you, Pete.

It helps with #2 and I still need some guidance with #s 1 & 3. I see what you're doing and agree that a 5th NIC to create a wireless DMZ is the best way to go. My problem, however, is that I'm using a Dell PE1850 and I'm maxed out with 4 NICs, so I'm going to rethink the WAP architecture at a different time. Right now, I need to get the original plan going, which is to set up the Multiple Security Perimeter configuration using Tom's articles as my guide, and hence my outstanding requests for those other 2 issues (btw, I was mistaken when I stated that the DMZ NICs would include gateway info; they don't).

Brian

(in reply to tshinder)
Post #: 10
RE: Discussion about article Creating Multiple Security... - 6.Apr.2006 6:36:44 PM   
LLigetfa

 

Posts: 2187
Joined: 10.Aug.2004
From: fort frances.on.ca
Status: offline
quote:

I'm maxed out with 4 NICs

They do make 2 and 4 port NICs.  You can also use VLAN tagging to separate a single NIC into several logical NICs.

_____________________________

The School of Hard Knocks is a mean teacher. She gives the exam before the lesson.

(in reply to bpatlen)
Post #: 11
RE: Discussion about article Creating Multiple Security... - 7.Apr.2006 9:31:52 PM   
donb

 

Posts: 10
Joined: 14.Mar.2006
Status: offline
Hi all,

I am totally confused!  In article 2 of Tom's series about this subject, he is discussing and showing the BE Exchange Server sitting on a DC and then, about halfway down, he changes to a separate DC from the Exchange Server.  I have been fighting with a newly set up network, taking all Linux out of the picture and going with all MS product.  I am trying to get a simple setup working properly so my life will not be the 17 hour days that have been going on for the past month +.  There are so many articles and even mixed interpretations for the same processes.

I realize that Mr. Shinder is a guru and a man with awesome experiences to share, but what I am getting out of all of this is that we setup our networks and add 1 thing here and another there. Away with frustration!

My question:
I am preparing to reinstall everything and start from scratch tonight.  I have 3 questions that I can't seem to find a common ground that anyone is on.
1) I cannot put a FE Exchange Server out there yet.  Lack of OS at this moment is the problem.  So, I currently have my BE Exchange behind the ISA2004 Firewall and even a server in front of my ISA 2004 (called Metavize Edgeguard, http://www.metavize.com); this server is blocking 89% of spam coming into my servers.  My company is actually processing 2 spam per second so this is a very HUGE addition to our firewalling. OWA is what my goal is, but not necessary at this point - until I get my FE setup.  Will I have to reconfigure my ISA totally when I am ready to put the FE in place?

2) Is it not a good practice to put my DNS, DHCP, and DC all on the same box?  When supporting only 19 workstations but a HUGE amount of email coming in, I haven't seen it necessary to put each service on different servers.

3) I think I have read an article from Tom about loading up the ISA Server Software.  If I remember we are to load the OS, no service packs, load ISA 2004 Server, install service pack 1 on ISA, then load SP1 on the OS - for security enhancements.  Then attach to the domain?  (which I have done on the current load), or is it better to load the OS, attach to Domain, load ISA, ISA SP1, OS SP1? 

I have been experiencing some problems with ISA SP2 so I am not sure I am ready to reload that on.  I have a program that has to have SSL communications but cannot connect to their servers and suspect the issue with Direct Sites.  Is there anyone with some thoughts on this?

Much thanks,
Don Brooksby

(in reply to LLigetfa)
Post #: 12
RE: Discussion about article Creating Multiple Security... - 8.Apr.2006 3:46:07 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
quote:

ORIGINAL: bpatlen

Hey, thanks, Tom!

1. So the DMZ NICs will have their IP, subnet, and gateway info but no DNS. What about Client for Microsoft Networks, File and Printer Sharing, and the binding order? Are these also set up like the internal NIC?

2. If I have an SMTP relay and a WAP hanging in the Anonymous DMZ, then how are DNS calls handled? I'm assuming that the WAP has DHCP integrated and guessing that DNS on that appliance points to my ISP's DNS. But if I have a DNS resolver here, then can the WAP use that for DNS? Otherwise, it seems that there'll be 2 sources of DNS calls: 1 from internal-to-external via the DNS resolver and 1 from wireless users via the WAP itself (none of this assumes that I'll have users on the wireless-anonymous DMZ accessing internal resources).

3. Regarding certificates, I have a corporate CA and can set this up, but wouldn't it be easier to use Server Publishing Rules instead of Web Publishing Rules and skip the certificate assignments? If the connection is passed directly to the FE Exch Server and decrypted there, then it seems simpler and better to do it this way. Is this not the case, and why?

Thanks for your help. Brian.


Hi Brian,
1. The DMZ NICs don't have gateway information, since the ISA firewall can only have a single default gateway and that's configured on the external interface.

2. What type of addresses do you want the wireless clients to resolve? What type of addresses do you want the SMTP relay to resolve? Is it an inbound SMTP relay? outbound SMTP relay? or both inbound and outbound?

3. Easier yes. Secure, no.

HTH,
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to bpatlen)
Post #: 13
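The adapter guidance given in this thread (one default gateway, on the external interface; DNS servers only on the internal, primary adapter; DMZ adapters with IP address and mask only; and, from post #3, static routes for any remote network IDs that sit behind a LAN router on one interface) can be turned into a quick pre-deployment check. The following Python is an added example, not code from the thread or from the article; the adapter list, addresses and static routes are constructed sample values, and the requirement that a static route's gateway be on the interface's own subnet is ordinary routing behaviour assumed here rather than something the thread spells out.

```python
"""Sanity checks for the adapter configuration of a multihomed ISA 2004 firewall.

Added example (not from the thread or the article). It encodes the advice given
in this thread as checks over a constructed interface list:
  - exactly one default gateway, and it belongs to the external adapter;
  - DNS server addresses only on the internal (primary) adapter;
  - DMZ adapters carry only an IP address and subnet mask;
  - a remote network ID behind an interface needs a static route whose gateway
    is a router on that interface's subnet (general routing behaviour, assumed).
All addresses below are constructed sample values.
"""
from ipaddress import ip_address, ip_network

# Constructed sample configuration for the article's 4-NIC design
# (external, internal, authenticated DMZ, anonymous DMZ).
ADAPTERS = [
    {"name": "External", "role": "external", "ip": "203.0.113.10", "prefix": 24,
     "gateway": "203.0.113.1", "dns": []},
    {"name": "Internal", "role": "internal", "ip": "10.0.0.1", "prefix": 24,
     "gateway": None, "dns": ["10.0.0.10"]},
    {"name": "AuthDMZ", "role": "dmz", "ip": "10.0.1.1", "prefix": 24,
     "gateway": None, "dns": []},
    {"name": "AnonDMZ", "role": "dmz", "ip": "10.0.2.1", "prefix": 24,
     "gateway": None, "dns": []},
]

# Constructed: a second network ID behind a LAN router on the internal
# interface, and the firewall's static route to reach it.
REMOTE_NETWORKS = {"Internal": ["10.0.100.0/24"]}
STATIC_ROUTES = {"10.0.100.0/24": "10.0.0.254"}

# Constructed misconfiguration: the anonymous DMZ adapter was given a
# gateway and a DNS server, the way a LAN workstation NIC would be.
BAD_ADAPTERS = ADAPTERS[:3] + [
    {"name": "AnonDMZ", "role": "dmz", "ip": "10.0.2.1", "prefix": 24,
     "gateway": "10.0.2.254", "dns": ["10.0.2.53"]},
]


def _subnet(adapter):
    return ip_network(f"{adapter['ip']}/{adapter['prefix']}", strict=False)


def check_adapters(adapters, remote_networks=None, static_routes=None):
    """Return a list of findings; an empty list means the configuration passes."""
    remote_networks = remote_networks or {}
    static_routes = static_routes or {}
    findings = []

    # One default gateway, and it must belong to the external adapter.
    with_gateway = [a for a in adapters if a["gateway"]]
    if len(with_gateway) != 1:
        findings.append(f"expected exactly one default gateway, found {len(with_gateway)}")
    for a in with_gateway:
        if a["role"] != "external":
            findings.append(f"{a['name']}: default gateway must be on the external adapter")
        elif ip_address(a["gateway"]) not in _subnet(a):
            findings.append(f"{a['name']}: gateway {a['gateway']} is not on the adapter's subnet")

    # DNS only on the internal adapter; DMZ adapters carry IP and mask only.
    for a in adapters:
        if a["dns"] and a["role"] != "internal":
            findings.append(f"{a['name']}: DNS servers belong only on the internal adapter")
        if a["role"] == "dmz" and (a["gateway"] or a["dns"]):
            findings.append(f"{a['name']}: DMZ adapter should carry only IP address and mask")

    # Remote network IDs behind an interface need a static route via a router
    # that is reachable on that interface's own subnet.
    by_name = {a["name"]: a for a in adapters}
    for ifname, nets in remote_networks.items():
        local = _subnet(by_name[ifname])
        for net in nets:
            gw = static_routes.get(net)
            if gw is None:
                findings.append(f"{ifname}: no static route for remote network {net}")
            elif ip_address(gw) not in local:
                findings.append(f"{ifname}: route for {net} uses {gw}, which is not on {local}")
    return findings


if __name__ == "__main__":
    for label, cfg in (("good", ADAPTERS), ("bad", BAD_ADAPTERS)):
        print(label, check_adapters(cfg, REMOTE_NETWORKS, STATIC_ROUTES) or "OK")
```

Running it against the constructed good configuration reports no findings; the misconfigured anonymous DMZ adapter produces four (two gateways, a non-external gateway, DNS on a DMZ adapter, and a DMZ adapter carrying more than IP and mask), which matches the corrections Brian and Tom arrive at above.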
RE: Discussion about article Creating Multiple Security... - 8.Apr.2006 4:00:01 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
quote:

ORIGINAL: donb

Hi all,

I am totally confused!  In article 2 of Tom's series about this subject, he is discussing and showing the BE Exchange Server sitting on a DC and then, about halfway down, he changes to a separate DC from the Exchange Server.  I have been fighting with a newly set up network, taking all Linux out of the picture and going with all MS product.  I am trying to get a simple setup working properly so my life will not be the 17 hour days that have been going on for the past month +.  There are so many articles and even mixed interpretations for the same processes.

I realize that Mr. Shinder is a guru and a man with awesome experiences to share, but what I am getting out of all of this is that we setup our networks and add 1 thing here and another there. Away with frustration!

My question:
I am preparing to reinstall everything and start from scratch tonight.  I have 3 questions that I can't seem to find a common ground that anyone is on.
1) I cannot put a FE Exchange Server out there yet.  Lack of OS at this moment is the problem.  So, I currently have my BE Exchange behind the ISA2004 Firewall and even a server in front of my ISA 2004 (called Metavize Edgeguard, http://www.metavize.com); this server is blocking 89% of spam coming into my servers.  My company is actually processing 2 spam per second so this is a very HUGE addition to our firewalling. OWA is what my goal is, but not necessary at this point - until I get my FE setup.  Will I have to reconfigure my ISA totally when I am ready to put the FE in place?

2) Is it not a good practice to put my DNS, DHCP, and DC all on the same box?  When supporting only 19 workstations but a HUGE amount of email coming in, I haven't seen it necessary to put each service on different servers.

3) I think I have read an article from Tom about loading up the ISA Server Software.  If I remember we are to load the OS, no service packs, load ISA 2004 Server, install service pack 1 on ISA, then load SP1 on the OS - for security enhancements.  Then attach to the domain?  (which I have done on the current load), or is it better to load the OS, attach to Domain, load ISA, ISA SP1, OS SP1? 

I have been experiencing some problems with ISA SP2 so I am not sure I am ready to reload that on.  I have a program that has to have SSL communications but cannot connect to their servers and suspect the issue with Direct Sites.  Is there anyone with some thoughts on this?

Much thanks,
Don Brooksby


Hi Don,

1) I cannot put a FE Exchange Server out there yet.  Lack of OS at this moment is the problem.  So, I currently have my BE Exchange behind the ISA2004 Firewall and even a server in front of my ISA 2004 (called Metavize Edgeguard, http://www.metavize.com); this server is blocking 89% of spam coming into my servers.  My company is actually processing 2 spam per second so this is a very HUGE addition to our firewalling. OWA is what my goal is, but not necessary at this point - until I get my FE setup.  Will I have to reconfigure my ISA totally when I am ready to put the FE in place?
TOM: Two spams per second isn't very busy. The ISA firewall won't be impacted by that. If you're uncomfortable with the perimeterization plan, you can always put the FE and BE in the same security zone. Sure, it's not a best practice or secure, but it'll end up being more secure than you trying to do something that's over your head right now.

2) Is it not a good practice to put my DNS, DHCP, and DC all on the same box?  When supporting only 19 workstations but a HUGE amount of email coming in, I haven't seen it necessary to put each service on different servers.
TOM: No problem with that. With such a small environment, that's a fine solution.

3) I think I have read an article from Tom about loading up the ISA Server Software.  If I remember we are to load the OS, no service packs, load ISA 2004 Server, install service pack 1 on ISA, then load SP1 on the OS - for security enhancements.  Then attach to the domain?  (which I have done on the current load), or is it better to load the OS, attach to Domain, load ISA, ISA SP1, OS SP1? 
TOM: The point where you join the domain isn't an issue. I tend to join the machine to the domain during installation, but either way is fine -- the key to success is getting the box joined to the domain so that you can fully leverage the entire array of security technologies that ISA firewall has to offer.
HTH,
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to donb)
Post #: 14
RE: Discussion about article Creating Multiple Security... - 8.Apr.2006 6:35:35 PM   
donb

 

Posts: 10
Joined: 14.Mar.2006
Status: offline
quote:

ORIGINAL: tshinder

Hi Don,

1) I cannot put a FE Exchange Server out there yet.  Lack of OS at this moment is the problem.  So, I currently have my BE Exchange behind the ISA2004 Firewall and even a server in front of my ISA 2004 (called Metavize Edgeguard, http://www.metavize.com); this server is blocking 89% of spam coming into my servers.  My company is actually processing 2 spam per second so this is a very HUGE addition to our firewalling. OWA is what my goal is, but not necessary at this point - until I get my FE setup.  Will I have to reconfigure my ISA totally when I am ready to put the FE in place?
TOM: Two spams per second isn't very busy. The ISA firewall won't be impacted by that. If you're uncomfortable with the perimeterization plan, you can always put the FE and BE in the same security zone. Sure, it's not a best practice or secure, but it'll end up being more secure than you trying to do something that's over your head right now.

2) Is it not a good practice to put my DNS, DHCP, and DC all on the same box?  When supporting only 19 workstations but a HUGE amount of email coming in, I haven't seen it necessary to put each service on different servers.
TOM: No problem with that. With such a small environment, that's a fine solution.

3) I think I have read an article from Tom about loading up the ISA Server Software.  If I remember we are to load the OS, no service packs, load ISA 2004 Server, install service pack 1 on ISA, then load SP1 on the OS - for security enhancements.  Then attach to the domain?  (which I have done on the current load), or is it better to load the OS, attach to Domain, load ISA, ISA SP1, OS SP1? 
TOM: The point where you join the domain isn't an issue. I tend to join the machine to the domain during installation, but either way is fine -- the key to success is getting the box joined to the domain so that you can fully leverage the entire array of security technologies that ISA firewall has to offer.
HTH,
Tom


Tom,
Thank you for the reply.  I feel better hearing that 2 spam per second isn't that big of a deal.  I thought we were on the high side, so I have been stressing over keeping them out of the way.  We have blocked out as many as just over 3 million spam emails in a 24 hour period; average days for us is the 2 per second.

You are right, the CPU usage on my ISA Firewall was still small.  Today I am working on the reconfig of all of my components on some new equipment.  I found that when I loaded the new setup, a month ago, on old equipment (4 yrs old) I had some inherent issues with the hardware causing me much heart ache.

When I am at the point for the FE server, I'll put it in a DMZ but the configuration should be no problem for the ISA Firewall and email going to my BE server right now then inserting the FE later on, correct?

Again, thanks for the help
DonB

(in reply to tshinder)
Post #: 15
RE: Discussion about article Creating Multiple Security... - 9.Apr.2006 4:38:13 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Don,

That's right.

Let us in the loop as you roll out your evolving design.

Thanks!
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to donb)
Post #: 16
RE: Discussion about article Creating Multiple Security... - 20.Apr.2006 9:15:33 PM   
jelzinga

 

Posts: 2
Joined: 20.Apr.2006
From: Netherlands
Status: offline
Hi Tom,

Great article, but I was wondering: why did you choose to set up a NAT relation between the Internal Network and Anonymous DMZ and not a routed relation (just like the relation between the Authenticated DMZ and the Internal Network)?

I'm asking because I want to use a WSUS server on the Internal Network to update servers that are on the Anonymous DMZ and defining an Access Rule with HTTP/HTTPS/Kerberos-Sec (UDP) doesn't seem to work (That is logical because the NAT is one way? Internal to AnonDMZ?).

So as far as I can see I need to:
1) make a NAT relation from AnonDMZ to Internal. I'm not sure if that is wise.

OR

2) Make a routed relation between Internal and AnonDMZ and throw the NAT relation between those 2 networks out

Thanks!

Johan Elzinga

(in reply to tshinder)
Post #: 17
RE: Discussion about article Creating Multiple Security... - 20.Apr.2006 9:23:55 PM   
PCC

 

Posts: 199
Joined: 13.Nov.2001
From: Michigan
Status: offline
I'm also using a WSUS server on our internal network and would like to use it to update the servers in the Anonymous DMZ.  I would also like my Symantec Anti-Virus server to update them as well.  Not sure that will work though since the Anonymous DMZ servers are not part of the domain.

Any ideas?

Pete

(in reply to jelzinga)
Post #: 18
RE: Discussion about article Creating Multiple Security... - 21.Apr.2006 8:57:29 AM   
jelzinga

 

Posts: 2
Joined: 20.Apr.2006
From: Netherlands
Status: offline
Pete,

The only way to allow traffic from the AnonDMZ to the Internal Network would be if the relationship between those 2 networks is a Route relationship (=bidirectional) instead of a NAT relationship (=unidirectional). I finally found the article where I saw that: Understanding ISA Firewall Networks (v1.1). Read the section: Defining Routing Relationships with Network Rules.

My only remaining question: Is there a reason why I should not use a route relationship between the Internal Network and the AnonDMZ?

Johan

(in reply to PCC)
Post #: 19
RE: Discussion about article Creating Multiple Security... - 1.May2006 3:06:17 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
quote:

ORIGINAL: jelzinga

Hi Tom,

Great article, but I was wondering: why did you choose to set up a NAT relation between the Internal Network and Anonymous DMZ and not a routed relation (just like the relation between the Authenticated DMZ and the Internal Network)?

I'm asking because I want to use a WSUS server on the Internal Network to update servers that are on the Anonymous DMZ and defining an Access Rule with HTTP/HTTPS/Kerberos-Sec (UDP) doesn't seem to work (That is logical because the NAT is one way? Internal to AnonDMZ?).

So as far as I can see I need to:
1) make a NAT relation from AnonDMZ to Internal. I'm not sure if that is wise.

OR

2) Make a routed relation between Internal and AnonDMZ and throw the NAT relation between those 2 networks out

Thanks!

Johan Elzinga



Hi Johan,

Just for a little bit more security, since the anonymous access DMZ is the least trusted security zone in the design. The NAT Network Rule isn't required, you can certainly use ROUTE if you like.

HTH,
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to jelzinga)
Post #: 20
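The exchange between Johan, Pete and Tom above comes down to how ISA network rules gate the direction in which connections may be opened: a Route relationship is bidirectional, a NAT relationship lets only the source side of the rule initiate connections, and hosts on the NAT destination side reach the source side only through a publishing rule. The following Python is an added example that models that behaviour; it is not code from the thread, the article or the product. The network names and the rule set are constructed to mirror the four-network design discussed here (Internal/AuthDMZ routed, Internal to AnonDMZ NATed), and the first-match ordering of network rules is how ISA evaluates them.

```python
"""Model of how ISA 2004 network rules gate connection direction.

Added example (not from the thread, the article or the product). It encodes the
point made in this thread: a Route relationship is bidirectional, a NAT
relationship only lets the rule's source side initiate connections, and the
other direction needs a publishing rule. Network rules are ordered and the
first rule that matches the source and destination networks decides the
relationship. Network names and rules below are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class NetworkRule:
    name: str
    sources: frozenset
    destinations: frozenset
    relationship: str  # "route" or "nat"


# Constructed rule set for the article's design as discussed in this thread.
DESIGN = [
    NetworkRule("Internal to AuthDMZ", frozenset({"Internal"}), frozenset({"AuthDMZ"}), "route"),
    NetworkRule("Internal to AnonDMZ", frozenset({"Internal"}), frozenset({"AnonDMZ"}), "nat"),
    NetworkRule("Internet Access", frozenset({"Internal", "AuthDMZ", "AnonDMZ"}),
                frozenset({"External"}), "nat"),
]

# Johan's option 2: swap the Internal/AnonDMZ NAT rule for a Route rule.
DESIGN_ROUTED_ANON = [
    r if r.name != "Internal to AnonDMZ"
    else NetworkRule(r.name, r.sources, r.destinations, "route")
    for r in DESIGN
]


def find_relationship(rules, src, dst):
    """First-match lookup of the network rule covering (src, dst).

    Returns (rule, "forward") when src is on the rule's source side,
    (rule, "reverse") when src is on its destination side, and (None, None)
    when no rule relates the two networks (ISA then passes no traffic).
    """
    for rule in rules:
        if src in rule.sources and dst in rule.destinations:
            return rule, "forward"
        if src in rule.destinations and dst in rule.sources:
            return rule, "reverse"
    return None, None


def can_initiate(rules, src, dst, rule_kind="access"):
    """Can a host on `src` open a connection to a host on `dst`?

    `rule_kind` is the firewall rule you intend to write: "access" or
    "publishing". Returns (allowed, reason).
    """
    rule, direction = find_relationship(rules, src, dst)
    if rule is None:
        return False, f"no network rule relates {src} and {dst}"
    if rule.relationship == "route":
        return True, f"{rule.name}: route is bidirectional, an {rule_kind} rule suffices"
    if direction == "forward":
        return True, f"{rule.name}: NAT source side may initiate with an {rule_kind} rule"
    if rule_kind == "publishing":
        return True, f"{rule.name}: NAT destination side reaches {dst} only via a publishing rule"
    return False, f"{rule.name}: NAT is unidirectional; {src} cannot initiate to {dst} with an access rule"


if __name__ == "__main__":
    # Johan's WSUS case: AnonDMZ clients must open connections to WSUS on Internal.
    print(can_initiate(DESIGN, "AnonDMZ", "Internal", "access"))
    print(can_initiate(DESIGN, "AnonDMZ", "Internal", "publishing"))
    print(can_initiate(DESIGN_ROUTED_ANON, "AnonDMZ", "Internal", "access"))
```

With the design rule set, an access rule from AnonDMZ to Internal is refused and the function points at the NAT rule as the reason, which is why Johan's WSUS access rule did not work: WSUS clients initiate the connection, so the DMZ side is the one opening it. A server publishing rule for the WSUS server, or Tom's alternative of switching that pair to Route, both make the lookup succeed; the model does not judge which is wiser, only whether the connection direction is permitted.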
