Welcome to ISAserver.org
Help with Network Setup
Help with Network Setup - 6.Aug.2008 1:43:43 PM   
clint_garner
Posts: 8
Joined: 6.Aug.2008
I need a little help with how to properly set up my ISA's Network Objects and Network Rules. I've given it a go, but with the way I have it set up, I don't need any rules and it's working (not desired). I'll explain...

Setup Info:
ISA 2006 Standard
Topology:

Internet
|
 _________
|Cisco ASA | ----- DMZ 1 (10.62.11.0) ------ Nic 1 of ISA Server - 10.62.11.20
|_________| ----- DMZ 2 (10.62.12.0) ------ Nic 2 of ISA Server - 10.62.12.10
|
Internal Network (10.2.5.0)
  |
Server (10.2.5.100)

Flow details:
The request hits the internet port of the ASA; the ASA then NATs the public IP to the 10.62.11.20 address; then ideally the ISA server NATs 10.62.11.20 to 10.62.12.10 (the request appears to come from ISA's internal DMZ port) and routes to the 10.2.5.100 server (I added a route statement to ISA's routing table for the 10.2.5.0 network).

Hope that makes sense... Currently I'm able to publish a website on the Server, but it appears that I don't need any Network Rules; in monitoring it's showing that the local host is routing it. The firewall rules appear to apply, but I was assuming I would have to have valid network rules to allow access. I've tried all sorts of combos defining the network objects (IP range etc.) and network rules (which network to network, NAT vs. route, etc.); nothing seems to matter.

Can anyone shed some light?
Post #: 1
RE: Help with Network Setup - 6.Aug.2008 2:42:26 PM   
paulo.oliveira
Posts: 3472
Joined: 3.Jan.2008
From: Amazon, Brazil
Hi,

Sorry, I did not understand your question. Do you want to set up a back-to-back scenario, or is the topology that you posted the one you want to use?

Regards,
Paulo Oliveira.

(in reply to clint_garner)
Post #: 2
RE: Help with Network Setup - 6.Aug.2008 2:48:15 PM   
pwindell
Posts: 2244
Joined: 12.Apr.2004
From: Taylorville, IL
It is supposed to look something like this.


    Internet
         |
         |
    External Nic of ASA (???.???.???.???)
   [Cisco ASA]
    Internal Nic of ASA (???.???.???.???)
         |
         |
  <back-to-back DMZ>
         |
         |
   External Nic of ISA (???.???.???.???)
   [MS ISA]
   Internal Nic of ISA  (10.2.5.???)
          |
          |
   <Internal Network (10.2.5.0)>
          |
          |
   Server (10.2.5.100)


_____________________________

Phillip Windell

(in reply to clint_garner)
Post #: 3
RE: Help with Network Setup - 6.Aug.2008 4:38:40 PM   
clint_garner
Posts: 8
Joined: 6.Aug.2008
Would the topology I'm trying to use work?
... and does it make sense that traffic would route from one ISA NIC to the other without any network rules set up (other than the default Local Host one, which can't be deleted)?

Thanks,

Clint

(in reply to paulo.oliveira)
Post #: 4
RE: Help with Network Setup - 6.Aug.2008 4:51:29 PM   
pwindell
Posts: 2244
Joined: 12.Apr.2004
From: Taylorville, IL
No. It is not even a valid firewall topology. You just can't stick them together like a jigsaw puzzle and expect them to work.

Valid topologies are shown right in the ISA Templates during the installation and in the MMC after the installation.

_____________________________

Phillip Windell

(in reply to clint_garner)
Post #: 5
RE: Help with Network Setup - 6.Aug.2008 4:58:55 PM   
clint_garner
Posts: 8
Joined: 6.Aug.2008
Can you have one port of the ISA on the ASA's DMZ network, and the other port on the internal network?

I assume you could easily specify multiple internal networks; for example, the VLAN the internal NIC of the ISA is on is 10.1.x.x, but the servers are on 10.2.x.x, so would the internal network object contain both subnets, with a route then added for the 10.2.x.x network?

(in reply to pwindell)
Post #: 6
RE: Help with Network Setup - 6.Aug.2008 5:21:28 PM   
pwindell
Posts: 2244
Joined: 12.Apr.2004
From: Taylorville, IL
quote:

Can you have one port of the ISA on the ASA's DMZ network, and the other port on the internal network?

Depending on the ASA firewall and how it treats the DMZ port... yes... I never would... but yes, you can. Personally, I would have replaced the ASA with the ISA itself and there would be no DMZ.

quote:

I assume you could easily specify multiple internal networks; for example, the VLAN the internal NIC of the ISA is on is 10.1.x.x, but the servers are on 10.2.x.x, so would the internal network object contain both subnets, with a route then added for the 10.2.x.x network?

Yes, you can. An ISA "network" is not the same thing as an IP network.
An ISA "network" consists of all IP networks that are reachable from one particular physical interface. You could have 5,000 subnets on the LAN with 3,735 routers between all of them, but to the ISA it is all one network if they are reached off of the same internal NIC. The ISA would need all 5,000 subnets added to the Internal Network definition and would need static routes added to the OS's routing table to tell it which LAN router to use for which subnet or group of subnets. I chose extreme numbers just to make the point.

Do not get ISA involved in VLANs. VLANs can exist in the switch ISA connects to, but keep the physical switch port, cable, and physical ISA NIC on one static subnet.



_____________________________

Phillip Windell

(in reply to clint_garner)
Post #: 7
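Phillip's point above, that an ISA network is the set of IP subnets reachable through one adapter and that the OS routing table must separately know how to reach each of them, can be checked mechanically. The following Python is an added example, not code from this thread or from ISA Server itself; the adapter names ("LAN", "WAN"), the subnets and the LAN router address are constructed to match the 10.1.x.x / 10.2.x.x case Clint asked about. It models the per-packet network lookup ISA performs (a source address that does not belong to the network bound to the receiving adapter is dropped as spoofed) and flags subnets listed in the Internal network definition that the routing table would send out a different adapter, which is exactly the case a forgotten static route produces.

```python
"""Added example: how an ISA 2006 'network' maps to IP subnets and to the OS
routing table.  Not code from the thread or from ISA; adapter names, subnets
and the LAN router address below are constructed for illustration."""
import ipaddress
from dataclasses import dataclass

IP = ipaddress.IPv4Address
Net = ipaddress.IPv4Network

EXTERNAL_ADAPTER = "WAN"   # assumed name of the adapter facing the ASA / Internet


@dataclass
class IsaNetwork:
    name: str
    adapter: str   # the ONE physical NIC this ISA network is reached through
    ranges: list   # every IP subnet reachable off that NIC


@dataclass
class Route:
    dest: Net
    gateway: IP
    interface: str


def network_for(ip, networks):
    """The ISA network whose address ranges contain ip.  ISA's External network
    is implicit: every address not listed in some other network."""
    ip = IP(ip)
    for n in networks:
        if any(ip in r for r in n.ranges):
            return n
    return IsaNetwork("External", EXTERNAL_ADAPTER, [])


def is_spoofed(ingress_adapter, src_ip, networks):
    """ISA drops a packet as spoofed when its source address does not belong to
    the network bound to the adapter it arrived on."""
    return network_for(src_ip, networks).adapter != ingress_adapter


def egress_route(dst_ip, routes):
    """Longest-prefix match, as the Windows routing table does."""
    dst = IP(dst_ip)
    matches = [r for r in routes if dst in r.dest]
    return max(matches, key=lambda r: r.dest.prefixlen, default=None)


def unreachable_ranges(network, routes):
    """Subnets in an ISA network definition that the OS would NOT send out that
    network's adapter: these are the static routes still missing."""
    missing = []
    for subnet in network.ranges:
        r = egress_route(subnet.network_address, routes)
        if r is None or r.interface != network.adapter or not subnet.subnet_of(r.dest):
            missing.append(str(subnet))
    return missing


# Constructed topology: ISA internal NIC at 10.1.0.10 on 10.1.0.0/24, servers on
# 10.2.0.0/24 behind a LAN router at 10.1.0.1, ASA (default gateway) at 10.62.11.1.
INTERNAL = IsaNetwork("Internal", "LAN", [Net("10.1.0.0/24"), Net("10.2.0.0/24")])
NETWORKS = [INTERNAL]

ROUTES_BEFORE = [
    Route(Net("0.0.0.0/0"), IP("10.62.11.1"), "WAN"),   # default route towards the ASA
    Route(Net("10.1.0.0/24"), IP("10.1.0.10"), "LAN"),  # directly connected subnet
]
# What `route -p add 10.2.0.0 mask 255.255.255.0 10.1.0.1` adds on the ISA host:
ROUTES_AFTER = ROUTES_BEFORE + [Route(Net("10.2.0.0/24"), IP("10.1.0.1"), "LAN")]

if __name__ == "__main__":
    print(network_for("10.2.0.50", NETWORKS).name)      # Internal
    print(is_spoofed("WAN", "10.2.0.50", NETWORKS))      # True
    print(unreachable_ranges(INTERNAL, ROUTES_BEFORE))   # ['10.2.0.0/24']
    print(unreachable_ranges(INTERNAL, ROUTES_AFTER))    # []
```

Without the static route, 10.2.0.0/24 is part of the Internal network as far as ISA's rules are concerned, but the OS would hand replies to the default gateway on the external adapter; adding the route (persistently, with `route -p add` on the ISA host) makes the two views agree.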
RE: Help with Network Setup - 6.Aug.2008 5:52:06 PM   
clint_garner
Posts: 8
Joined: 6.Aug.2008
This info is good, thank you.

I'm thinking I should back up a bit...

What configuration would you suggest for this scenario...

We are trying to use the ISA to publish websites and services (OWA, SharePoint, etc.) that are hosted on servers internally. This way we don't have to punch through ports on the firewall... Our main firewall is the ASA and won't be changing. So my first thought was to put the ISA into the DMZ and use the single network configuration, but I ran into a problem, as I needed to publish a service that didn't run on port 80 or 443.
So I started looking into other configs; the reason I was trying to do the one above was to force traffic through the ASA 2 times for enhanced security, not bridging the internal network with the DMZ/external network.

What would be your specific recommendation for our setup with the given requirements?

I appreciate your help on this,
Clint

(in reply to pwindell)
Post #: 8
RE: Help with Network Setup - 7.Aug.2008 8:15:30 AM   
paulo.oliveira
Posts: 3472
Joined: 3.Jan.2008
From: Amazon, Brazil
Hi,

If I'm allowed to post my opinion, I would suggest you use a back-to-back configuration. This way you can publish the servers you want to and be more secure, because the traffic will pass through both firewalls.

Check Phillip's drawing:
quote:


   Internet
         |
         |
    External Nic of ASA (???.???.???.???)
   [Cisco ASA]
    Internal Nic of ASA (???.???.???.???)
         |
         |
  <back-to-back DMZ>
         |
         |
   External Nic of ISA (???.???.???.???)
   [MS ISA]
   Internal Nic of ISA  (10.2.5.???)
          |
          |
   <Internal Network (10.2.5.0)>
          |
          |
   Server (10.2.5.100)


That's how it will be. In the ISA network templates, you have to choose the Back Firewall template.

Regards,
Paulo Oliveira.

(in reply to clint_garner)
Post #: 9
RE: Help with Network Setup - 7.Aug.2008 9:07:44 AM   
pwindell
Posts: 2244
Joined: 12.Apr.2004
From: Taylorville, IL
In my mind the two options would be a back-to-back DMZ scenario like in my previous diagram, as Paulo pointed out, and the other option would be to run the ISA and the ASA "side-by-side" so they operate totally independently of each other.

At our place I run the ISA side-by-side with a SonicWall. There is no DMZ anywhere at all. The SonicWall is nothing more than a "backup" firewall if the ISA is down for an extended period. During normal operation the SonicWall could be powered off and no one would know the difference.

I trust the security of ISA more than any other firewall product that is out there... ISA does not need any "help" from another firewall to do its job.


_____________________________

Phillip Windell

(in reply to clint_garner)
Post #: 10
RE: Help with Network Setup - 7.Aug.2008 9:07:46 AM   
Jason Jones
Posts: 4663
Joined: 30.Jul.2002
From: United Kingdom
Bridging mode, where you connect the ISA between an ASA DMZ and the LAN, is admittedly not as good as back-to-back mode, but in the real world it is often a better (and easily achievable) starting place, as putting ISA "in line" between the ASA and the LAN is logistically difficult for many customers in my experience. It is often not a 5-minute job and has implications for *all* inbound and outbound services, which need to be considered carefully to minimise impact to the business.

Ultimately back-to-back is the best security topology, but I would rather have ISA in bridging mode than not use it at all. The key problem with bridging mode is that if the ASA is compromised, ISA will not be able to protect you, as the ASA is connected directly to the LAN.

You could start with ISA in bridging mode and publish the key services you need initially. As you gain confidence with ISA, you can then migrate services across to ISA by redirecting the ASA NAT entries for individual services. Once you have migrated all services, you can then disconnect the ASA from the LAN and voila, you have a back-to-back topology.

Cheers

JJ

_____________________________

Jason Jones | Forefront MVP | Silversands Ltd
My Blogs: http://blog.msedge.org.uk/ and http://blog.msfirewall.org.uk/

(in reply to paulo.oliveira)
Post #: 11
RE: Help with Network Setup - 7.Aug.2008 9:19:27 AM   
Jason Jones
Posts: 4663
Joined: 30.Jul.2002
From: United Kingdom
quote:

ORIGINAL: pwindell

In my mind the two options would be a back-to-back DMZ scenario like in my previous diagram, as Paulo pointed out, and the other option would be to run the ISA and the ASA "side-by-side" so they operate totally independently of each other.

At our place I run the ISA side-by-side with a SonicWall. There is no DMZ anywhere at all. The SonicWall is nothing more than a "backup" firewall if the ISA is down for an extended period. During normal operation the SonicWall could be powered off and no one would know the difference.

I trust the security of ISA more than any other firewall product that is out there... ISA does not need any "help" from another firewall to do its job.



Hi Phil,

I trust ISA implicitly too, but in the real world it does lack some functionality that can be provided by a network-based front firewall (or maybe even a clever router), namely the ability to control both source and destination NAT, as the current version of ISA is not that great in this respect.

Not all customers have this need, but for those that do, ISA at the edge is not always the best solution.

I love ISA too, but the back-to-back model is still a very elegant solution and not only provides a security benefit, but often functionality benefits too. I would rather have two firewalls that each have their own strengths and weaknesses, and that combine to provide an ultimate solution in terms of *both* functionality and security, than a single firewall tier... but maybe that is just me.

As long as ISA is providing the back layer of protection, I am happy, and you can put whatever you like in front of it if you feel it adds value of any sort... from a security standpoint ISA can easily hold its own, but it is not always the all-encompassing solution in terms of functionality in certain scenarios...

Cheers

JJ  

_____________________________

Jason Jones | Forefront MVP | Silversands Ltd
My Blogs: http://blog.msedge.org.uk/ and http://blog.msfirewall.org.uk/

(in reply to pwindell)
Post #: 12
RE: Help with Network Setup - 7.Aug.2008 10:02:52 AM   
clint_garner
Posts: 8
Joined: 6.Aug.2008
I was trying to avoid the bridging model to start with, but it seems like it's my only option at this time, as putting the ISA inline right from the start would be a challenge. But I like the idea of moving things over bit by bit; great suggestion.

Okay, maybe you could shed some light... I've reconfigured to bridge; here's the setup:

Port 1 (10.50.21.66) of the ISA is plugged into the DMZ network (10.50.21.0)
Port 2 (10.40.22.60) of the ISA is plugged into a leg of the internal network (10.40.22.0)
The server to be published is on another leg of the internal network (10.5.5.0)

So I set up a Network called DMZ with the above subnet
Set up a Network called Internal with both internal subnets above
Created a route in the OS for the 10.5.5.0 network

Published a website on the server, set up the listener on the DMZ network, and the bloody thing works. Which is good, but I would have expected to have had to create some Network Rules defining NAT/Route relationships between the networks in order to get it to work. Does that make any sense as to why it would be working? Maybe I'm not understanding how the Local Host Network Rule is used; is it used if no other rules exist?

Again, thanks for the help,

Clint

(in reply to Jason Jones)
Post #: 13
RE: Help with Network Setup - 7.Aug.2008 10:35:18 AM   
pwindell
Posts: 2244
Joined: 12.Apr.2004
From: Taylorville, IL
quote:

I trust ISA implicitly too, but in the real world it does lack some functionality that can be provided by a network-based front firewall (or maybe even a clever router), namely the ability to control both source and destination NAT, as the current version of ISA is not that great in this respect.

Not all customers have this need, but for those that do, ISA at the edge is not always the best solution.


I run two as well. I just don't run a back-to-back DMZ.
I run them side-by-side. The extra, simpler SonicWall is handy for outbound user-initiated VPNs, which are such a hassle with ISA. Although right now I don't have any of those, and so the SonicWall isn't doing anything but burning electricity.

I guess actually I run three. There is also a Cisco ASA "side-by-side" with the ISA and SonicWall. It is dedicated solely to a site-to-site VPN that we use. I mentioned this somewhere else in this thread (I think... it's getting hard to keep track of the thread).

_____________________________

Phillip Windell

(in reply to Jason Jones)
Post #: 14
RE: Help with Network Setup - 7.Aug.2008 4:04:25 PM   
Jason Jones
Posts: 4663
Joined: 30.Jul.2002
From: United Kingdom
My only concern in this model is that if a vulnerability *does* exist in any of the "other" firewalls in parallel, it makes no difference that you have ISA at the edge, and it is game over...

Also, if you make a mistake in any of the rulesets on any firewall, you have nothing behind it to try and catch your mistake...

I like two-tier (back-to-back) just to ease my paranoia, but each to their own.

Cheers

JJ 



_____________________________

Jason Jones | Forefront MVP | Silversands Ltd
My Blogs: http://blog.msedge.org.uk/ and http://blog.msfirewall.org.uk/

(in reply to pwindell)
Post #: 15
RE: Help with Network Setup - 7.Aug.2008 4:21:46 PM   
pwindell
Posts: 2244
Joined: 12.Apr.2004
From: Taylorville, IL
It wouldn't be just any rule, because generally the rules are outbound only. Inbound rules are reverse-NAT rules (regardless of what weird name the manufacturer may call them), so it would have to be a fouled-up reverse-NAT rule, which would be easy to spot since it probably would fail to perform its originally intended job.

I'm not too worried about that happening... I am more worried about what the VPN users themselves might do over the VPN link, and having 10 DMZs in the way wouldn't stop that. If they are given access to the LAN, then they have access to the LAN... it doesn't matter what they had to cross to get there.

There's also something to be said for competent admins. If the company hires an incompetent admin, then he is the security risk, and a much more dangerous one than the topology design. Net admins have the "keys to the kingdom"... you can't afford to hire an idiot or some "shifty" untrustworthy person for that position.

Anyway, I could also get run over by an airplane on the way to work on the highway. With the crop-dusters flying around here, that is more likely than a network breach.

_____________________________

Phillip Windell

(in reply to Jason Jones)
Post #: 16
RE: Help with Network Setup - 7.Aug.2008 4:34:16 PM   
Jason Jones
Posts: 4663
Joined: 30.Jul.2002
From: United Kingdom
quote:

ORIGINAL: pwindell

It wouldn't be just any rule, because generally the rules are outbound only. Inbound rules are reverse-NAT rules (regardless of what weird name the manufacturer may call them), so it would have to be a fouled-up reverse-NAT rule, which would be easy to spot since it probably would fail to perform its originally intended job.

I'm not too worried about that happening... I am more worried about what the VPN users themselves might do over the VPN link, and having 10 DMZs in the way wouldn't stop that. If they are given access to the LAN, then they have access to the LAN... it doesn't matter what they had to cross to get there.

There's also something to be said for competent admins. If the company hires an incompetent admin, then he is the security risk, and a much more dangerous one than the topology design. Net admins have the "keys to the kingdom"... you can't afford to hire an idiot or some "shifty" untrustworthy person for that position.

Anyway, I could also get run over by an airplane on the way to work on the highway. With the crop-dusters flying around here, that is more likely than a network breach.


Yeah, agreed, but that is for *your* scenario... we also need to think about other people's designs and think a bit more generically, but as I said, that is IMHO.

_____________________________

Jason Jones | Forefront MVP | Silversands Ltd
My Blogs: http://blog.msedge.org.uk/ and http://blog.msfirewall.org.uk/

(in reply to pwindell)
Post #: 17
RE: Help with Network Setup - 7.Aug.2008 4:36:41 PM   
clint_garner
Posts: 8
Joined: 6.Aug.2008
And in reply to my scenario? ;P Doing some testing, it's not looking like I need particular Network Rules (I only have the default Local Host one) to do publishing... ??

Clint

(in reply to Jason Jones)
Post #: 18
RE: Help with Network Setup - 7.Aug.2008 4:53:37 PM   
pwindell
Posts: 2244
Joined: 12.Apr.2004
From: Taylorville, IL
quote:

Yeah, agreed, but that is for *your* scenario... we also need to think about other people's designs and think a bit more generically, but as I said, that is IMHO.

That's what I've got you here for. When I can't forcibly bend them to my will kicking and screaming, I'll turn them over to you. :-)

quote:

And in reply to my scenario? ;P Doing some testing, it's not looking like I need particular Network Rules (I only have the default Local Host one) to do publishing... ??

You're right. We kinda got misdirected. Maybe instead of debating the gory little details of the topology we should look at the true final end goal and work from there. It is hard to get somewhere when you don't actually know where you are trying to go and why. But, I'm sorry, I just hate over-complexity. I don't think anything should be any more complex than the task at hand requires. Excessive complexity invites mistakes, and mistakes invite risks... the worst kind of risks... the kind you don't know are there.

_____________________________

Phillip Windell

(in reply to Jason Jones)
Post #: 19
RE: Help with Network Setup - 7.Aug.2008 5:05:31 PM   
paulo.oliveira
Posts: 3472
Joined: 3.Jan.2008
From: Amazon, Brazil
Hi,

quote:

Published a website on the server, set up the listener on the DMZ network, and the bloody thing works. Which is good, but I would have expected to have had to create some Network Rules defining NAT/Route relationships between the networks in order to get it to work. Does that make any sense as to why it would be working? Maybe I'm not understanding how the Local Host Network Rule is used; is it used if no other rules exist?

ISA Server evaluates rules in the following way:
1- A user requests a resource through ISA;
2- ISA Server evaluates whether authentication is needed or not;
3- ISA Server checks the network rules to verify that the two networks are connected. If no network relationship is defined between the two networks, the request is refused;
4- If there is a definition between the source and destination networks, the access rules are applied;
5- If the request is allowed by an access rule, ISA checks the network rules again to determine how the networks are connected;
6- The request is forwarded to the resource.

Check your network rules and for sure you'll see one between these two networks.

Regards,
Paulo Oliveira.

(in reply to clint_garner)
Post #: 20
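Paulo's evaluation order above can be walked through in code. The following Python is an added example, not code from this thread or from ISA Server; the network names "DMZ" and "Internal" are Clint's, everything else (rule names, the toy rule classes, the `connects` logic) is constructed for illustration. It models the two default network rules that matter here, "Local Host Access" (a Route relationship between the Local Host network and all networks) and "Internet Access" (NAT from Internal to External), and contrasts an access rule, which needs a network rule between the client's network and the destination network, with a web publishing rule, which is two TCP connections that each involve only the Local Host network: the client connects to the listener on ISA itself, and ISA opens its own connection to the published server. That second path is why a web publishing rule can work with only the default Local Host rule present, and why the monitor shows the Local Host network handling the traffic.

```python
"""Added example: a toy model of ISA 2006 network rules versus access rules and
web publishing rules.  Not code from the thread or from ISA; rule names and the
rule classes are constructed for illustration."""
from dataclasses import dataclass

ALL = "*"   # stands for ISA's "All Networks" set


@dataclass(frozen=True)
class NetworkRule:
    name: str
    src: frozenset
    dst: frozenset
    relationship: str   # "route" (bidirectional) or "nat" (src -> dst only)

    def covers(self, a, b):
        return (ALL in self.src or a in self.src) and (ALL in self.dst or b in self.dst)

    def connects(self, src, dst):
        """A Route relationship connects both directions; NAT only src -> dst."""
        if self.covers(src, dst):
            return True
        return self.relationship == "route" and self.covers(dst, src)


@dataclass(frozen=True)
class AccessRule:
    name: str
    action: str         # "allow" or "deny"
    src: frozenset
    dst: frozenset
    protocols: frozenset


@dataclass(frozen=True)
class WebPublishingRule:
    name: str
    listener_network: str   # network whose adapter the web listener is bound to
    server_network: str     # network the published server lives in


# The default network rules ISA 2006 installs that matter for this thread.
DEFAULT_NETWORK_RULES = [
    NetworkRule("Local Host Access", frozenset({"Local Host"}), frozenset({ALL}), "route"),
    NetworkRule("Internet Access", frozenset({"Internal"}), frozenset({"External"}), "nat"),
]


def find_network_rule(src, dst, network_rules):
    return next((r for r in network_rules if r.connects(src, dst)), None)


def evaluate_access(src, dst, protocol, network_rules, access_rules):
    """Steps 3 to 5 of the evaluation order in the post above, for an access rule."""
    nr = find_network_rule(src, dst, network_rules)
    if nr is None:
        return "denied: no network rule between %s and %s" % (src, dst)
    for ar in access_rules:                    # ordered list, first match wins
        if src in ar.src and dst in ar.dst and protocol in ar.protocols:
            if ar.action == "allow":
                return "allowed via %s (%s)" % (nr.name, nr.relationship)
            return "denied: %s" % ar.name
    return "denied: default rule"


def evaluate_publishing(client_network, rule, network_rules):
    """A web publishing rule is two connections, each needing only a network
    relationship with Local Host: client -> listener (ISA itself), then
    ISA -> published server."""
    if client_network != rule.listener_network:
        return "denied: listener %s is not on %s" % (rule.name, client_network)
    legs = [(client_network, "Local Host"), ("Local Host", rule.server_network)]
    via = []
    for src, dst in legs:
        nr = find_network_rule(src, dst, network_rules)
        if nr is None:
            return "denied: no network rule between %s and %s" % (src, dst)
        via.append("%s->%s via %s" % (src, dst, nr.name))
    return "allowed: " + "; ".join(via)


# Constructed rules for Clint's bridged layout: ISA between the ASA's DMZ and the LAN.
DMZ_TO_LAN = [AccessRule("Allow DMZ to Internal web", "allow",
                         frozenset({"DMZ"}), frozenset({"Internal"}), frozenset({"HTTP"}))]
WEB_OUT = [AccessRule("Allow web out", "allow",
                      frozenset({"Internal"}), frozenset({"External"}), frozenset({"HTTP"}))]
OWA = WebPublishingRule("Publish OWA", "DMZ", "Internal")

if __name__ == "__main__":
    print(evaluate_access("DMZ", "Internal", "HTTP", DEFAULT_NETWORK_RULES, DMZ_TO_LAN))
    print(evaluate_access("Internal", "External", "HTTP", DEFAULT_NETWORK_RULES, WEB_OUT))
    print(evaluate_publishing("DMZ", OWA, DEFAULT_NETWORK_RULES))
```

The first call is refused before any access rule is even looked at, because nothing connects DMZ to Internal; the second succeeds over the NAT relationship; the third succeeds with no DMZ/Internal rule at all, since both legs are covered by "Local Host Access". Note the asymmetry `connects` encodes: a Route relationship works in both directions, NAT only from the source network to the destination, so an access rule from External into Internal would still need its own network rule.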