Network Infrastructure Design

Network Infrastructure Design - 24.Jan.2007 5:55:01 PM
JesusisLord
Posts: 64
Joined: 19.Aug.2006
Dear Experts, it's only me :)

Please could you kindly have a quick look at my plan / thoughts on the design and try to give me some advice on whether it can be done, or a better way of doing it. Thanks ever so much:-

OK, I've got a project for a college. I'm suggesting that we use ISA 2006 because it is a pretty good product; I like it very much, like using it, and hopefully it will provide what we need (if we can get a decent enough admin to administer it :)

I'm thinking of defining these networks:-

Staff
Students
nameofdevice (these devices are really on the wireless network but don't support any wireless encryption, a big security issue for me)
wireless
finance

The big issue at this place is that they don't really have much of a physical network; they really rely upon a wireless network, which has to be open because the specialist devices they use don't support any encryption protocols!

So what I'm thinking of doing is allowing the wireless network to access the student network, but with each wireless laptop having the ISA Firewall Client installed, and then turning on the setting that says don't allow clients to communicate with this network which don't have the ISA client installed. So anyone in the outside world may be able to connect to the wireless network, but if they don't have the ISA Firewall Client installed, they shouldn't be able to communicate with the internal LAN? If they do get an ISA client, I'm not sure what would happen. Anyone have any ideas?

I was also going to allow the 'nameofdevice' network to have full access to the internal network and internet, there are only ten of these devices at the college.

I was going to allow the student network to access the internet and was going to allow the staff network to access the student network.

I was going to get a server purely for finance department and have the finance team computers only access the finance server.

Because the backup device is going to be on the main file server, which will be on the student network, and the student network isn't going to be able to access the HR network, I was wondering whether I could add an exception. I think I could say deny access from the student network to the HR network, except this computer (and then specify the computer object for the file server), in order for that server to be able to back up those resources.

These are my thoughts so far. I was thinking of doing this at the IP layer; at the moment some computers are used by both staff and students, so I was thinking that this will have to stop and that some PCs will only be usable by staff and other PCs only usable by students...

Unfortunately getting a physical network is out of the question, and so I'm stuck with a wireless network which can't have encryption turned on, so my only thought is to stick the ISA Firewall Client on the laptops and only allow communication from machines which have the Firewall Client turned on. I don't think that is really the best solution, but I would love to hear someone's thoughts and help as soon as possible, as I have to present my best solution very soon :)

If anyone needs any more information, please let me know, and if you think things can be done much better i would love to hear the suggestions.

Kindest Regards,

JIL
Post #: 1
RE: Network Infrastructure Design - 28.Jan.2007 12:30:10 PM
tshinder
Posts: 47490
Joined: 10.Jan.2001
From: Texas
Hi JIL,

Are all the client systems going to be behind the same ISA Firewall interface? That is to say, on the same ISA Firewall Network?

Thanks!
Tom

_____________________________

Thomas W Shinder, M.D.
Sr. Consultant/Technical Writer
Prowess Consulting http://www.prowessconsulting.com/
Blog: http://blogs.isaserver.org/shinder/

GET THE NEW ISA 2006 Book!: http://tinyurl.com/2gpoo8

(in reply to JesusisLord)
Post #: 2
RE: Network Infrastructure Design - 28.Jan.2007 5:38:55 PM
JesusisLord
Posts: 64
Joined: 19.Aug.2006
Hi Tom,

Thanks for your reply, please forgive me if I'm not explaining things very clearly, I'm still learning the product and have much to learn :)

I think the answer is yes..

The DHCP, DNS, AD, file servers, mail server etc. will all be physically connected to the same switch, and that switch will be patched into one of the interfaces on the ISA server (I could name that interface "physical LAN" perhaps).

The other interface will be for the wireless devices, so my plan is to connect the switch which has the wireless access points patched into it to an interface on ISA and label it "wireless" or something.

Another interface will be connected to the router and that will be the ISA servers default gateway.

Well, that's the physical side at least. I was thinking of separating the networks logically, so I would use DHCP reservations for MAC addresses, and so I was thinking of setting a range of IPs for the ten specialist devices (which actually now support WEP encryption, not great but better than nothing) and allowing these devices to have full access to the internal range, and then having another range set aside for the wireless laptops. I was thinking of allowing full access from the wireless laptops to the internal network but only allowing communications from laptops that have the ISA Firewall Client installed (but this is probably not a very good idea, as I think you could download the ISA Firewall Client from microsoft.com, install it on your laptop and then do a bit of guesswork with IPs and get onto the network).

I would really love to hear what you think the best ISA / Secure Network config would be, there must be a way to secure this college network (wireless networks are a nightmare :)

I hope above answers your question ok

Thanks for your time,

JIL

(in reply to tshinder)
Post #: 3
RE: Network Infrastructure Design - 29.Jan.2007 8:38:51 PM
tshinder
Posts: 47490
Joined: 10.Jan.2001
From: Texas
Hi JIL,

You really can't secure devices from one another when they're behind the same ISA Firewall interface, that is to say, when they're on the same ISA Firewall Network, since the ISA Firewall doesn't mediate communications between hosts on the same ISA Firewall Network.

One way you might get around this is to create virtual network segmentation using VLANs. The ISA Firewall does support VLAN tagging, with each tagged network being represented as a different physical interface. However, you will need to number each VLAN so that hosts on each VLAN are on different network IDs.

HTH,
Tom

(in reply to JesusisLord)
Post #: 4
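Tom's point above is the one that decides the whole design: an ISA Firewall Network is defined by its address range, so two zones that share or overlap a subnet (or a VLAN ID on the switch) collapse into one network that the firewall never mediates. The following is an added example, not code from the thread or from ISA itself: a small Python check of a proposed zone-to-VLAN-to-subnet plan that flags overlapping subnets, reused VLAN IDs and subnets written with host bits set, and tells you whether two hosts would end up behind the same ISA network. The zone names, VLAN IDs and addresses in PLAN are assumptions chosen for illustration.

```python
import ipaddress
from itertools import combinations

# Constructed example plan (assumption): one VLAN and one subnet per security
# zone. VLAN IDs and subnets are hypothetical, not taken from the thread.
PLAN = {
    "Internal":  {"vlan": 10, "subnet": "10.10.10.0/24"},   # DCs, DNS, mail, file servers
    "Staff":     {"vlan": 20, "subnet": "10.10.20.0/24"},
    "Students":  {"vlan": 30, "subnet": "10.10.30.0/24"},
    "Finance":   {"vlan": 40, "subnet": "10.10.40.0/24"},
    "WLAN-WPA":  {"vlan": 50, "subnet": "10.10.50.0/24"},   # laptops on the WPA/RADIUS SSID
    "WLAN-WEP":  {"vlan": 60, "subnet": "10.10.60.0/24"},   # the ten WEP-only devices
}


def check_plan(plan):
    """Return a list of problems with the plan; an empty list means it is sound.

    Two zones whose subnets overlap would be one ISA Firewall Network, so the
    firewall would not see traffic between them.  A VLAN ID reused by two
    zones puts both on one broadcast domain at the switch, with the same
    result one layer down."""
    problems = []
    nets = {}
    for zone, cfg in plan.items():
        try:
            # strict=True rejects "10.10.10.5/24": a host address, not a network ID
            nets[zone] = ipaddress.ip_network(cfg["subnet"], strict=True)
        except ValueError as exc:
            problems.append(f"{zone}: bad subnet {cfg['subnet']!r} ({exc})")

    for (za, na), (zb, nb) in combinations(nets.items(), 2):
        if na.overlaps(nb):
            problems.append(f"{za} ({na}) overlaps {zb} ({nb})")

    by_vlan = {}
    for zone, cfg in plan.items():
        by_vlan.setdefault(cfg["vlan"], []).append(zone)
    for vid, zones in by_vlan.items():
        if len(zones) > 1:
            problems.append(f"VLAN {vid} shared by {', '.join(zones)}")
    return problems


def zone_of(ip, plan):
    """Name of the zone whose subnet contains ip, or None if it is in no zone."""
    addr = ipaddress.ip_address(ip)
    for zone, cfg in plan.items():
        if addr in ipaddress.ip_network(cfg["subnet"], strict=False):
            return zone
    return None


def same_isa_network(ip_a, ip_b, plan):
    """True when both hosts sit behind the same ISA Firewall Network, i.e.
    traffic between them never crosses the firewall and cannot be filtered."""
    za, zb = zone_of(ip_a, plan), zone_of(ip_b, plan)
    return za is not None and za == zb


if __name__ == "__main__":
    for p in check_plan(PLAN) or ["plan OK: every zone is its own network ID"]:
        print(p)
    print("student PC -> file server same network:",
          same_isa_network("10.10.30.7", "10.10.10.5", PLAN))
```

Run it against the plan before touching the switch: if `check_plan` returns anything, the VLAN layout would not give ISA separate networks to put rules between, and `same_isa_network` answers the question JIL asked about the file server and the student PCs.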
RE: Network Infrastructure Design - 30.Jan.2007 3:55:42 AM
JesusisLord
Posts: 64
Joined: 19.Aug.2006
Dear Tom,

Thanks again for your reply, just a quick couple of questions for you.

Would you be able to point me in the right direction for setting up VLANs on switches and how to configure ISA Server to work with them? I don't know very much about VLANs; do you have any articles you have written?

I have both of your books which I use for referencing when I get stuck, have you written anything about this kind of setup in them at all?

Time is running out for me, so I would be very grateful for any help, as I have to propose a solution either by the end of the day or tomorrow morning, but most likely today, and I just want to know what my best options are for putting security into this network.

Kindest Regards,

JIL

(in reply to JesusisLord)
Post #: 5
RE: Network Infrastructure Design - 30.Jan.2007 9:50:17 AM
tshinder
Posts: 47490
Joined: 10.Jan.2001
From: Texas
Hi JIL,

Check out the manual for the switch to configure the VLAN tagging. The driver for the ISA Firewall's NIC will tell you if it supports VLAN tagging. My Intel VE NIC driver supports VLAN tagging, for example.

HTH,
Tom

(in reply to JesusisLord)
Post #: 6
RE: Network Infrastructure Design - 30.Jan.2007 1:18:39 PM
JesusisLord
Posts: 64
Joined: 19.Aug.2006
Hi Tom,

Thanks again for your reply. If you were in my shoes, and the network was mainly wireless, but you had ten devices that only worked with WEP, what would you do to secure it?

I'm thinking of doubling up on the access points: one access point could be using TKIP with RADIUS or something like that, broadcasting on a specific channel and specific SSID, and the other access point could be using WEP and broadcasting on a different channel and different SSID.

Not an ideal solution, but I can't think of anything better, although I think you can get devices that enable you to configure different encryption methods based on SSID name, for example, SSID1 will use WEP, SSID2 will use WPA, but I don't think we have these devices, without double checking.

Are there any network specialists who would like to give me their advice on what they would do if they were in my shoes? How would they go about securing the network, and would they use ISA Server with VLANs?

Would love to hear someone else share how they would secure the network?

Kindest Regards,

JIL

(in reply to tshinder)
Post #: 7
RE: Network Infrastructure Design - 31.Jan.2007 11:22:00 AM
tshinder
Posts: 47490
Joined: 10.Jan.2001
From: Texas
Hi JIL,

Actually, if most of the network is wireless, that makes things a lot easier, as you can assign each WAP to a NIC in the ISA Firewall and perform access controls that way. One thing you should make sure of is that the WEP-only hosts are segregated from the rest of the networks, because they'll most likely be compromised by untrusted and unauthorized hosts on that network.

HTH,
Tom

(in reply to JesusisLord)
Post #: 8
RE: Network Infrastructure Design - 1.Feb.2007 5:08:24 PM
JesusisLord
Posts: 64
Joined: 19.Aug.2006
Dear Tom,

I like the idea of plugging the different network points into different ports on the ISA server. The only problem I foresee is that I think there are about 10 access points at the moment, and I don't know how I can get that many network ports in a server very cheaply? I think network cards with multiple ports are expensive, but if I buy three NICs which have four network ports each, that may solve my problem.

This may be an easier solution than creating VLANs on switches, but maybe doing that will be cheaper? But I'm not confident enough at this stage to try and implement VLANs with ISA unless I really have to, as I still have lots to learn :( and unfortunately I don't have enough time to play around with it.

Your help is greatly valued.

Kind Regards,

JIL

(in reply to tshinder)
Post #: 9
RE: Network Infrastructure Design - 1.Feb.2007 6:58:46 PM
tshinder
Posts: 47490
Joined: 10.Jan.2001
From: Texas
Hi JIL,

What's more important to think about here is how many security zones you need to create. Once you have that determined, then you can figure out how many NICs you want on the ISA Firewall or how many VLANs you want to create.

Tom

(in reply to JesusisLord)
Post #: 10
RE: Network Infrastructure Design - 2.Feb.2007 6:29:41 AM
JesusisLord
Posts: 64
Joined: 19.Aug.2006
Hi Tom,

At the moment I'm concerned that the wireless network is insecure, and as it is the main infrastructure, I'm just trying to work out the best and most practical way I can lock down the network internally and externally.

Do you think that if I had one switch which had all the secure wireless access points in it, and a separate switch which had the non-secure access points connected, I could then get away with using two NICs on ISA, rather than having to use separate network cards for each access point?

One thing I'm a little confused about is that if the wireless network is going to be able to access all the servers internally, how can I secure it so that only the devices on my wireless network are allowed to access the internal network? MAC filtering is one prevention (but I hear it's pretty easy to get past); I assume I would use user authentication or something like that? I would appreciate any advice you can give and what things you would implement so that only authenticated users on the wireless network can access the internal network.

Kind Regards,

JIL.

(in reply to tshinder)
Post #: 11
RE: Network Infrastructure Design - 2.Feb.2007 11:59:29 AM
tshinder
Posts: 47490
Joined: 10.Jan.2001
From: Texas
Hi JIL,

Let's go back some and try to define your security zones.

Here's how I misunderstand them now:

External (Internet)
Internal -- wherever your DCs, Mail Servers, DNS servers, etc exist
Wired Domain Users
Wired Non-Domain Users
WLAN WPA2 Users
WLAN WEP Users

That makes six security zones. Are the WLAN WPA2 users domain users? If so, we can reduce the security zones by one. Are the WEP users non-domain users? If so, we can reduce it by another one.

HTH,
Tom

(in reply to JesusisLord)
Post #: 12
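Once the zones are settled, the remaining work is the ordered access policy between them, and the thread already contains the cases that matter: the file server on the student network must reach HR for backups while the rest of the student network must not (post #1), and the WEP-only devices must be segregated from the other zones (post #8). The following is an added example, not the thread's or ISA's own code: a Python model of a first-match, default-deny rule base in the style of the ISA firewall policy, evaluated over a few constructed flows. Zone names, host labels such as "fileserver" and the protocol names are assumptions; the real ISA policy also matches on users, schedules and content types, which this model leaves out.

```python
from dataclasses import dataclass
from typing import FrozenSet, Optional, Tuple


def Z(*names: str) -> FrozenSet[str]:
    """Selector: a set of zone names and/or 'host:<label>' entries."""
    return frozenset(names)


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                          # "allow" or "deny"
    src: FrozenSet[str]                  # zones or host:<label> selectors
    dst: FrozenSet[str]
    protocols: Optional[FrozenSet[str]] = None   # None = all protocols


@dataclass(frozen=True)
class Flow:
    src_zone: str
    dst_zone: str
    protocol: str
    src_host: str = ""                   # hypothetical host label, may be empty
    dst_host: str = ""


def _selected(selector: FrozenSet[str], zone: str, host: str) -> bool:
    # A host selector is the "except this computer" case from post #1: it
    # matches one computer regardless of the zone it sits in.
    return zone in selector or (host != "" and "host:" + host in selector)


def evaluate(flow: Flow, policy) -> Tuple[str, str]:
    """First matching rule wins; with no match the implicit default rule denies."""
    for rule in policy:
        if (_selected(rule.src, flow.src_zone, flow.src_host)
                and _selected(rule.dst, flow.dst_zone, flow.dst_host)
                and (rule.protocols is None or flow.protocol in rule.protocols)):
            return rule.action, rule.name
    return "deny", "Default rule"


# Constructed policy (assumption). Order matters: the per-host exception must
# sit above the zone-wide deny, exactly as JIL described wanting it.
POLICY = [
    Rule("Backup server to HR", "allow", Z("host:fileserver"), Z("HR"), Z("SMB")),
    Rule("Students to HR", "deny", Z("Students"), Z("HR")),
    Rule("Isolate WEP devices", "deny", Z("WLAN-WEP"), Z("Staff", "Students", "Finance", "HR")),
    Rule("Staff to Students", "allow", Z("Staff"), Z("Students")),
    Rule("Web access", "allow", Z("Staff", "Students", "WLAN-WPA2"), Z("External"), Z("HTTP", "HTTPS")),
]

# Constructed flows to audit the policy with.
FLOWS = {
    "file server backing up HR":   Flow("Students", "HR", "SMB", src_host="fileserver"),
    "student PC probing HR":       Flow("Students", "HR", "SMB", src_host="pc-lab-01"),
    "staff RDP to student PC":     Flow("Staff", "Students", "RDP"),
    "WEP device to staff share":   Flow("WLAN-WEP", "Staff", "SMB"),
    "student web browsing":        Flow("Students", "External", "HTTP"),
    "student PC to staff share":   Flow("Students", "Staff", "SMB"),
}


def audit(policy, flows):
    """Map each flow description to the (action, rule name) the policy yields."""
    return {label: evaluate(flow, policy) for label, flow in flows.items()}


if __name__ == "__main__":
    for label, (action, rule) in audit(POLICY, FLOWS).items():
        print(f"{label:28s} -> {action:5s} ({rule})")
```

The last flow shows the value of the implicit default rule: nothing in the policy mentions Students to Staff, so it is denied without a rule having to say so. Swapping the first two rules turns the backup flow into a deny, which is the kind of ordering mistake worth checking for before the policy goes live.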