New DMZ Infrastructure

New DMZ Infrastructure - 24.Jun.2008 2:09:20 PM
rayleask
Posts: 10
Joined: 15.Aug.2006
Status: offline
Hi, I want your views about my ideas for a new DMZ infrastructure. We have just connected a new Internet link, which makes our existing one a bit complex, and we are going to move to a new HQ. I would like to design one which we could move en masse when the time comes. Our current ISA is 2004.

What we have now:

    Internet 1 (surfing only)
    |
    Bridge
    |
    ISA/Proxy - DMZ - Remote access security box
    |
    Internet 2 (VPNs) - Cisco Firewall - External Organisation
    |
    Internal Network

It's a mess, for historical reasons. What I was thinking of was a front end DMZ which uses only one Internet link:

    Internet
    |
    Cisco Firewall
    |
    DMZ -------- ISA acting as proxy | Security box | Email front end | External organisation
    |
    ISA acting as firewall
    |
    Internal Network

This gives me a few questions. Should I have an ISA acting as a proxy as well in the DMZ? We have three VPNs coming in from external organisations, currently ending at the Cisco box. How should these be handled in this new setup? We have had little success with VPNs here, hence the Cisco box being brought in.

Any views, criticisms are welcome.

Thanks, Ray

RE: New DMZ Infrastructure - 24.Jun.2008 4:39:37 PM
pwindell
Posts: 663
Joined: 12.Apr.2004
From: Taylorville, IL
Status: offline
You either have to stop using the Cisco as the VPN router and start using the ISA as the VPN router... OR place the ISA and the Cisco side-by-side so they can work independently of each other. There would be no DMZ, which pretty much would not have been doing anything useful anyway. In this option you can even have both the Cisco and the ISA acting as a VPN router independently at the same time.

Option #1

    Internet
    |
    Cisco Firewall (VPN pass-through enabled)
    |
    Back-2-Back DMZ (pretty much doing nothing)
    |
    ISA acting as firewall & VPN Router
    |
    Internal Network

Option #2

            Internet
               |
          -----------
         /           \
        /             \
       |               |
    Cisco FW      ISA Firewall
       |               |
        \             /
         \           /
          ------------
               |
          Internal LAN
_____________________________
Phillip Windell www.wandtv.com

RE: New DMZ Infrastructure - 25.Jun.2008 6:41:36 AM
rayleask
Posts: 10
Joined: 15.Aug.2006
Status: offline
Hi Phillip, thanks for your reply. Having two boxes that can both handle VPNs is a confusing factor. I want to stay with the Cisco for those, but this won't work with my current design idea. You state that the DMZ is pretty much not doing anything. Can you expand on this? The idea is to isolate those services from the Internal Network.

Thanks, Ray

RE: New DMZ Infrastructure - 25.Jun.2008 9:27:35 AM
pwindell
Posts: 663
Joined: 12.Apr.2004
From: Taylorville, IL
Status: offline
If you put the email front end in the Back-to-Back DMZ then that is what the DMZ would be doing. I wasn't thinking of the mail front end,..I never use one of those, I don't see the point of buying two mail servers to do the job of one,...so I never use a FE/BE mail setup, I just have the mail server on the LAN behind the firewall and that is all.
_____________________________
Phillip Windell www.wandtv.com

RE: New DMZ Infrastructure - 25.Jun.2008 11:41:05 AM
justmee
Posts: 497
Joined: 14.May2007
Status: offline
Hi,

Ahh, the Cisco - ISA back to back with VPN connections stuff... There was some kung-fu fighting here: http://forums.isaserver.org/m_2002067633/mpage_1/key_/tm.htm#2002067988 Jason seems to have the black belt...

It looks like what you want is to terminate the site-to-site VPN connections on the ASA (people seem to agree that this is a good idea). In this case you will have a route relationship on ISA between the Internal and External networks. If you follow this approach, personally I would *not* place any device in the DMZ between ISA and the Cisco FW. At a first glance I would put that "FE email server" on an ISA DMZ. If you have a two cent anonymous web server you can put it on a Cisco FW DMZ. It would be better to terminate VPN remote access connections on ISA. So you offload VPN site-to-site traffic from ISA (in theory better performance; for example you have the Cisco FW dealing with decrypting/encrypting site-to-site VPN traffic, fast junk incoming traffic cleaning, DoS limiting, IPS maybe; ISA deals with remote access VPN traffic, web proxy, and if you use the FWC you can control traffic other than web traffic based on user credentials, thus better control over outbound access; it offers better protection for your Exchange servers - OWA SSL bridging with pre-authentication...), and maybe eliminate some worries/problems associated with IPsec tunnel mode connections and ISA.

The DMZ between firewalls is used to contain some attacks. However, in order for this to happen, you need to know exactly what traffic you pass through your firewalls and have *only* the required firewall policies allowing just the needed traffic on both firewalls. You need to understand the routing/traffic path too, and also to understand the goods and bads of your firewalls, their strong and weak points. For example, if the Cisco FW were alone, a vulnerability in it may permit traffic to escape through it. But with the back to back design, ISA may stop the exploit by blocking the malicious traffic. Or if a vulnerability in ISA permits some traffic to escape through it, the Cisco FW may block that traffic. Or maybe if some malicious traffic passes through the inspection of one of the firewalls, the other firewall may stop this traffic. The front end FW will apply its own DoS limiting policies, so ISA will have to handle fewer connections in case of a DoS attack (assuming that the front end FW "will still stand" and not become DoS-ed itself).

Everybody has their own ideas about "DMZs". Personally I like and take security zones seriously. I've cascaded 10 firewalls once. That was fun. As you can see, with the back to back approach you have some flexibility and better security; you can distribute your requirements a little bit (ISA handles some of them better, the Cisco FW others). Due to the distribution you may get better performance, and performance is related to security.

Personally I'm not a fan of the parallel approach with ISA and Cisco FW. IMHO, the back to back design offers better security because each firewall functions as a true gateway for traffic; traffic must pass through it to go in or out. It's like having two back to back doors to your house, and you need to unlock both of them in order to enter your house or to get out of it. But maybe you will find that the parallel design will have certain advantages for you. Your call...

Regards!
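The back-to-back discipline described above (traffic reaches the LAN only if both firewalls permit it, and each firewall carries only the rules the required traffic needs) as a small Python model. This is an added example, not code from the thread or from either vendor; the rule sets, the two hosts and the RFC 5737 addresses are constructed, and the audit reports required flows that are blocked, unwanted flows that get through, and unwanted flows that one firewall alone would permit (rules worth tightening even though the other firewall still stops them).

```python
from ipaddress import ip_address, ip_network

# Rule layout: (action, src_net, dst_net, proto, dst_port); None = any port.
# Constructed sample policies (hypothetical addresses and hosts).
CISCO_RULES = [  # front-end firewall, Internet side
    ("allow", "0.0.0.0/0", "192.0.2.10/32", "tcp", 25),    # SMTP to mail front end
    ("allow", "0.0.0.0/0", "192.0.2.10/32", "tcp", None),  # over-broad: any TCP port
    ("deny",  "0.0.0.0/0", "0.0.0.0/0",     "any", None),
]
ISA_RULES = [  # back-end firewall, closest to the LAN
    ("allow", "0.0.0.0/0", "192.0.2.10/32", "tcp", 25),
    ("allow", "0.0.0.0/0", "192.0.2.10/32", "tcp", 443),   # published OWA
    ("deny",  "0.0.0.0/0", "0.0.0.0/0",     "any", None),
]
FIREWALLS = {"cisco": CISCO_RULES, "isa": ISA_RULES}


def permits(rules, src, dst, proto, port):
    """First matching rule wins; no match means deny."""
    for action, s, d, p, dp in rules:
        if (ip_address(src) in ip_network(s) and ip_address(dst) in ip_network(d)
                and p in ("any", proto) and dp in (None, port)):
            return action == "allow"
    return False


def reaches_lan(flow):
    """Back-to-back: a flow gets through only if every firewall in the chain permits it."""
    return all(permits(rules, *flow) for rules in FIREWALLS.values())


def audit(required, unwanted):
    """required: flows the business needs; unwanted: flows that must not get through.
    Returns (blocked required flows, unwanted flows that leak through the chain,
    per-firewall list of unwanted flows that firewall alone would permit)."""
    blocked = [f for f in required if not reaches_lan(f)]
    leaked = [f for f in unwanted if reaches_lan(f)]
    too_broad = {name: [f for f in unwanted if permits(rules, *f)]
                 for name, rules in FIREWALLS.items()}
    return blocked, leaked, too_broad


if __name__ == "__main__":
    need = [("198.51.100.7", "192.0.2.10", "tcp", 25), ("198.51.100.7", "192.0.2.10", "tcp", 443)]
    bad = [("198.51.100.7", "192.0.2.10", "tcp", 3389)]
    print(audit(need, bad))
```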

RE: New DMZ Infrastructure - 26.Jun.2008 4:50:32 AM
justmee
Posts: 497
Joined: 14.May2007
Status: offline
Hi Phillip, So you take no prisoners, eh ? Now, tell me, you have some money, so you go and buy a safe, put the money in it, grab a chain, attach the safe with a chain to the tree in front of your house and go to sleep ? Why bother to bring the safe into your house, it's too heavy ... Take it to the basement, in a room with concrete walls locked with a metal door, hell no, it's a safe anyway... Just kidding, hope you do not mind. Regards, J

RE: New DMZ Infrastructure - 26.Jun.2008 10:07:16 AM
pwindell
Posts: 663
Joined: 12.Apr.2004
From: Taylorville, IL
Status: offline
I just don't believe that not having a DMZ is unsafe. And I don't believe that a DMZ necessarily makes things that much safer,...in some cases I don't believe there is any difference at all. I know if I were wanting to get into someone's system I could do it (theoretically speaking) no matter if there were no DMZ or 15 DMZs between them and the Internet. The DMZs just simply wouldn't matter. But that is a side track anyway,...my real point was that I don't see the real need for a FE mail server sitting outside the LAN. I believe I am fine having a single mail server sitting on the internal LAN that is published by ISA. Now in my particular case Exchange is not published at all,...I have a Barracuda SPAM Filtering Appliance sitting on the LAN that is published by ISA "as if" it was the Exchange. The Exchange itself only has simple outbound SMTP permissions. I guess if you want to consider that a type of FE mail server that is fine, but in any case it is all on the Internal LAN with ISA doing the publishing, and no DMZ.

As far as the illustration of the safe, I just don't acknowledge illustrations like that too much because they never accurately represent the way things really work and often feed people's misconceptions of how things really work. That's how we end up calling home user NAT firewalls "routers" when they are not routers, and calling the Layer 3 action of Reverse NAT "port forwarding" when there is no such thing as "port forwarding", and even if there was it would be Layer 4,...which isn't the layer the action is happening at. There is no safe, no chain, no metal door, and no basement,...it is just a few PCs arranged in a particular topology that are subject to whatever the software and the physical arrangement allow them to do.
_____________________________
Phillip Windell www.wandtv.com

RE: New DMZ Infrastructure - 26.Jun.2008 11:33:53 AM
justmee
Posts: 497
Joined: 14.May2007
Status: offline
Hi Phillip,

So you did mind. The idea is that I'm not referring to "DMZs". I'm referring to security zones. Big difference IMHO. I've just used the word because I thought it would be easier to understand within this topic, as the author mentioned it. Yes, everything is in theory. If we had a definitive solution... And it's not only about "if I were wanting to get into someone's system I could do it (theoretically speaking)", it's also about the time you would need to do so, I would say. 5 minutes compared to 50 minutes of time to react can make the difference... With the security zones approach we can talk about least privilege and we can "buy time". With a flat network design made of flat devices sharing flat data we cannot. Or at least I can't see how. Interestingly, vendors like Microsoft take security zones seriously (at least from my humble point of view); for example see the IAG 2007 or the future UAG products (ISA has for a long time been a part of the picture). I do not see the word DMZ, say, in relationship with remote workers. After all, these remote workers are not flat devices accessing flat data on a flat network. They are security zones themselves IMHO. Take it easy, I got your point; just hit Google with "DMZ"+"dead", you're not alone out there... A war involving "DMZs" was started some time ago...

Regards, J
< Message edited by justmee -- 26.Jun.2008 11:44:47 AM >

RE: New DMZ Infrastructure - 26.Jun.2008 12:16:43 PM
Jason Jones
Posts: 1801
Joined: 30.Jul.2002
From: United Kingdom
Status: offline
Hi Ray,

I still stand by my comments in the post provided by J (here). J put an interesting spin on things, which is also worthy of consideration. Given the budget I would separate inbound and outbound with separate servers/arrays. If not, I would just go with a standard B2B topology with ISA at the back, closest to your important assets. Terminate site-to-site VPNs on the ASA, terminate client-to-site VPNs on the ISA. If you are contemplating using a separate ISA Server (unihomed) in the DMZ then I would suggest you actually place this as a dual homed service in parallel to the back ISA firewall. The whole point of putting in a two vendor technology solution is to get the best of both, and no matter what the vendor tells you, they each have their own strengths and IMHO the above approach is playing to their strengths. If you are going to use application DMZs, use ISA to protect these networks. If you have more traditional DMZ requirements, e.g. for IDS or other network type devices, then you could also use the ASA DMZs or the security zone between the firewalls. I always prefer to leave the network between the front-end and back-end firewall (the original DMZ concept) as a transit network that contains no hosts/servers at all. Use ISA to create multiple DMZs or security zones and then place relevant servers into appropriate security zones dependent upon their risk, asset value, importance to the business, internet facing necessity etc.

Cheers
JJ
< Message edited by Jason Jones -- 26.Jun.2008 12:21:07 PM >
_____________________________
Jason Jones Silversands Ltd http://www.silversands.co.uk View My Blog: http://blog.msfirewall.org.uk/ Get Our NEW ISA 2006 Book!: http://tinyurl.com/2gpoo8

RE: New DMZ Infrastructure - 27.Jun.2008 11:07:37 AM
rayleask
Posts: 10
Joined: 15.Aug.2006
Status: offline
Hi, thanks for everyone's input. Interesting stuff that I will take a more in depth look at over the weekend. One thing I have found useful of a non-technical nature is printing out a large map of our current topology and sticking it in front of my desk. Just sitting back every now and again and looking at it helps!

Thanks, Ray