
Welcome to ISAserver.org


Need help planning an ISA2K6 EE implementation

Need help planning an ISA2K6 EE implementation - 5.Oct.2006 1:35:38 AM   
rmbell34

 

Posts: 5
Joined: 5.Oct.2006
From: Chicago
Status: offline
Hello.  I am new to this site and am really impressed (and overwhelmed!) with all the great information available on this site.  I am fairly new to network security and want to learn both Cisco PIX and Microsoft ISA technologies.  I am currently building a sandbox.  My initial plan is to have it consist of 3 servers.  I will have one on the LAN acting as my domain controller, I will have one on my LAN acting as a web server, and I will have one on my edge acting as the ISA server. My current plans for the design of the architecture are this:

1) I will have two NICs on the ISA server.  One will connect to my 2610 router, the other NIC will connect to a switch on my internal network.

2) I will not use a DMZ.  I plan on running the web server inside my ISA firewall with initial rules set up to only allow inbound 80 and 443 traffic to the web server IP.  I will probably add more ports later on for remote access and such.

3) According to some of the articles that Dr. Shinder has written here I think I will not run DNS on the ISA server, but will join it to the domain, and have it point to an internal DNS server for name resolution.  DHCP will be set up on the internal network and not run on the ISA server.  I will also have the ISA server external NIC on a separate subnet than the private network.

4)  I also like to turn SNMP on.  I find it useful for obtaining information on my different nodes.  I figure since it is UDP, it is not really a security risk.  Is this true?  Should I not use SNMP with my ISA server or my nodes in general?

5)  Should I run anti-virus on the ISA server?  Are there any other non-native application considerations I should keep in mind (i.e. spam filter, etc.)?

I have read the tips and tricks for ISA and think that there are some really helpful tips for building the ISA server on it.  If there are any other articles of interest here or anywhere please point them out to me.  This is what I have to start.  Can anyone offer me some pointers or tell me what I should reconsider?  Thank you in advance for your help!

- Bob

< Message edited by rmbell34 -- 5.Oct.2006 10:20:33 PM >
Post #: 1
RE: Need help planning an ISA2K6 EE implementation - 6.Oct.2006 5:50:04 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Bob,

1) I will have two NICs on the ISA server.  One will connect to my 2610 router, the other NIC will connect to a switch on my internal network.
TOM: Sounds good.

2) I will not use a DMZ.  I plan on running the web server inside my ISA firewall with initial rules set up to only allow inbound 80 and 443 traffic to the web server IP.  I will probably add more ports later on for remote access and such.
TOM: No problem with that. You can add DMZ NICs later if you want to increase security through network segmentation.

3) According to some of the articles that Dr. Shinder has written here I think I will not run DNS on the ISA server, but will join it to the domain, and have it point to an internal DNS server for name resolution.  DHCP will be set up on the internal network and not run on the ISA server.  I will also have the ISA server external NIC on a separate subnet than the private network.
TOM: That's a good plan. If you have internal DNS servers, use them. Always minimize services on the ISA Firewall when you can.

4)  I also like to turn SNMP on.  I find it useful for obtaining information on my different nodes.  I figure since it is UDP, it is not really a security risk.  Is this true?  Should I not use SNMP with my ISA server or my nodes in general?
TOM: You can use SNMP and the ISA Firewall has SNMP MIBs you can use when the service is enabled. UDP can be as unsecure as TCP, so the transport isn't the issue. But you can configure the ISA Firewall to communicate only with the SNMP management station.

5)  Should I run anti-virus on the ISA server?  Are there any other non-native application considerations I should keep in mind (i.e. spam filter, etc.)?
TOM: I never run AV on the ISA Firewall because when it's correctly configured and managed, there's no reason to have it. However, there are various schools of thought on this, so if someone provides you a compelling argument to do so, then go ahead. Just remember that you'll pay a performance cost for a marginal gain in security.
 
HTH,
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to rmbell34)
Post #: 2
RE: Need help planning an ISA2K6 EE implementation - 9.Oct.2006 8:12:12 AM   
rmbell34

 

Posts: 5
Joined: 5.Oct.2006
From: Chicago
Status: offline
Dr. Shinder,

Thanks for getting back to me.  I was wondering if I should read your ISA 2K4 book or should I just wait until you publish the 2K6 book instead?  I am new to the world of ISA and would like to learn as much as I can.  I think security is a fascinating aspect of IT.  Can I apply the principles and concepts of 2K4 to 2K6?  Thanks again for your help!

(in reply to tshinder)
Post #: 3
RE: Need help planning an ISA2K6 EE implementation - 11.Oct.2006 11:11:26 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Robert,

The ISA 2004 book covers 90% of what is included in ISA 2006. The exceptions being some improvements in Web publishing and also in worm and flood control.

HTH,
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to rmbell34)
Post #: 4
RE: Need help planning an ISA2K6 EE implementation - 12.Oct.2006 4:34:30 PM   
rmbell34

 

Posts: 5
Joined: 5.Oct.2006
From: Chicago
Status: offline
Awesome, I will be getting the book today after work.  Hey do you ever travel and give seminars on ISA?  If you are ever in the Chicago area I would love to see you speak.  Thanks again!

(in reply to tshinder)
Post #: 5
RE: Need help planning an ISA2K6 EE implementation - 9.Nov.2006 10:59:28 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Robert,

I do occasionally. This week I presented two sessions (the second session is in about two hours) on how to use the ISA Firewall to protect Exchange at the ExchangeConnections conference in Las Vegas (www.devconnections.com).

Thanks!
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to rmbell34)
Post #: 6
