First post here and I'm confused as hell so please be kind ;)
I'm new to ISA 2006 and attempting to configure the 180 trial version of the standard edition. We currently have everything set up on one network segment sitting behind a Cisco ASA5505 which is set up as our gateway.
I have 35 IP cameras whose access I need to restrict based on AD group membership. For the sake of an example imagine that we have some cameras located in an unrestricted area where all authenticated users would have access. Other cameras are in more secure areas and access needs to be limited based on AD group membership. None of the cameras will need to be accessed from the internet and I want to block camera access when users are remotely connected to the network via VPN.
None of the cameras support AD integration and using their built-in user account functionality (which is laughable) is not feasible. I'd like to put the cameras on separate VLANs to control who has access to which camera. Three VLANs should give me the access levels I need; unrestricted, restricted, highly restricted. Since the "unrestricted" cameras could be put on our existing LAN segment, I need to add 2 VLANs.
I'm assuming my ISA box would need 3 NICs; 1 NIC per VLAN. I'm keeping the Cisco ASA5505 and don't want the cameras accessible from outside our network, so I'm assuming I don't need a fourth NIC for an outside interface?
None of the built-in ISA configuration templates seem to be even remotely close to what I'm trying to do. Can anyone provide some direction on how I might go about setting this up?
I'm assuming that these are network-attached IP cameras with a built-in mini web server? Ones that you can directly access via a browser?
If so, my first idea would be to put all the cameras in one isolated VLAN, create a perimeter network in ISA for that VLAN, then treat each of the cameras as a web site. You could then use web publishing rules to control who does (and doesn't) have access to each camera.
There will be a little DNS work involved; every camera will need its own record.
Each camera could have its own Host ("A") record. They would all share the same IP address (the ISA gateway address on your internal network), and you'd have to build your publishing rules using host headers to distinguish one camera from another.
You could also have a host record for your internal ISA gateway, then create alias ("CNAME") records for each camera. From a DNS perspective, this is easier to manage because if the gateway address changes, you only have to change the master Host record that the CNAME records point to. However, depending on your software this could cause problems; during the resolution process, some DNS configurations will return the host name in the A record when you resolve a CNAME record, instead of just looking up the actual address and giving it back to you. I haven't yet figured out why (or when) this occurs, but it does, so be careful with this option.
Conversely, if special software is required to access the camera, you could create access rules instead of publishing rules, and still control who has access to what camera. You'll still need DNS records for each camera.
I'm sure some of the real experts will come along with more information, but for AD authentication you could either force authentication on the ISA server when someone tries to access a published resource, or you could install the ISA Firewall Client on your workstations and use AD integrated authentication. The nice thing about the Firewall Client is that you can get very granular with your rules; Group/User "A", coming from Workstation "B" (or a workstation in group "B") can access this resource/resource group, during these times of the day/days of the week.
There are many, many more options available to you. But if the cameras work as web servers, then the web publishing scenario is probably the easiest one to set up and manage.
I think you'll find that ISA server will more than meet your needs, especially if you have to build rules that leverage Active Directory.
Good luck! Come back and tell us how it went.
< Message edited by mascalia -- 24.Oct.2008 9:55:31 AM >
Yes, the IP cameras all have built-in webservers. However, we're using a Windows app that I wrote rather than the web page served up by the camera. This allows us to manage grouping cameras, showing cameras on a floor plan, etc. The app spoofs what the web page would do to display the MPEG stream, control the camera, etc., so it really shouldn't make a difference from the ISA perspective.
I set up ISA using the 3-Leg Perimeter Template as it seemed like the best fit. I don't really have an external interface since our Cisco ASA is handling traffic to and from the outside. I just need ISA to manage traffic between 2 VLANs so I'm not entirely sure this is the correct configuration.
I picked up Tom's ISA Server 2006 book this afternoon--looks like I have some heavy reading to do.
If what you're wanting to do is prevent unauthorized direct access to the cameras, there's a myriad of options open to you. The three-leg perimeter is probably the best, with your cameras in the perimeter.
Since you're using a custom app to aggregate the streams, maybe you could mod your app to perform additional authentication/authorization functions?
I'm thinking you could segregate all cameras into a single perimeter network with ISA, and then build authentication into your app via a service account. The service account has access through the ISA array to the cameras, not individual users. You can then build AD authentication and authorization into your app to control who can see what camera.
I think the term the .NET code-jockeys around here use is "impersonation". Might take a little work, but you'd end up with a very flexible system, a minimal ISA configuration, and you could manage the security from within your app (instead of at the ISA firewall).
Or, you could do it all as you've suggested with segregated VLANs, multiple NICs in ISA, and A/D authentication.
Going that route, you'd probably put in one access rule for each Network/VLAN, regardless of which camera in that VLAN you want to view. To keep it simple, each VLAN should have a distinct (and valid) subnet assignment. You could then treat ISA like a router and simply throw all traffic for those VLANs at ISA's "internal" interface. ISA would inspect the traffic, apply rules, and then route it to the appropriate camera.
This way, you only have one access rule per VLAN instead of one per camera. Easier, but less granular (you control access to an entire VLAN instead of individual cameras). Additionally, you may still need to mod your app so that attempts to access restricted cameras are handled in "friendly" manner.
One more thing: you're using an eval copy of ISA Standard edition. If you decide to actually buy ISA and go with Enterprise Edition instead of Standard Edition, you won't be able to export the configuration from your eval SE server to your new EE array. Just a heads-up.
Just my two cents, but I hope it helps. There are a lot of ways to make your situation work, but overall I think ISA is a good choice for you (regardless of which path you choose).
ORIGINAL: mascalia
I'm thinking you could segregate all cameras into a single perimeter network with ISA, and then build authentication into your app via a service account.
I'm currently doing something quite similar to this. The app uses .NET DirectoryServices to check user credentials and AD group membership before displaying the camera stream. If the user doesn't belong to a group authorized to view the camera, the app logs the attempt, informs the user, and blocks access.
There's a significant security hole however; all of the cameras can still be accessed with a browser if you have the camera's IP address. So it would be pretty easy for a curious user to gain access. All of the cameras support a limited number of built-in user accounts. So the app accesses the camera using username:password@ prefaced querystrings. But I have a dozen or so cameras that don't support sending the user credentials as part of the querystring, so these are essentially unsecured.
Even if all the cameras could be accessed this way, it's all sent in clear text so it's less than ideal.
The service account has access through the ISA array to the cameras, not individual users. You can then build AD authentication and authorization into your app to control who can see what camera.
Excellent idea--this would be ideal as it would require very little coding changes to the app. Need to do more reading.
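The authorization model discussed in this thread so far (a publishing rule per camera keyed on its DNS host name, an AD group check before a stream is shown, and the hole where a camera is still reachable directly by IP) put together as an added Python example. This is not code from the thread or from the poster's .NET app: the camera names, the example.local suffix, the backend addresses, the group names and the VPN source-network label are all constructed, and the caller's group membership is passed in as a set rather than looked up in Active Directory.

```python
import ipaddress
from typing import Any, Dict, List, NamedTuple, Optional, Set


class Decision(NamedTuple):
    allowed: bool
    backend: Optional[str]  # camera address the request is forwarded to when allowed
    reason: str


# Constructed policy table (not the thread's configuration): the published host
# name of each camera, the backend address a publishing rule would forward to,
# and the AD groups allowed to view it. "Domain Users" stands in for the
# "any authenticated user" case of the unrestricted cameras.
CAMERAS: Dict[str, Dict[str, Any]] = {
    "cam101.example.local": {"backend": "10.39.1.101", "groups": {"Domain Users"}},
    "cam130.example.local": {"backend": "10.39.1.140", "groups": {"IP Camera Admins"}},
}

# Refused attempts, recorded the way the poster's app logs them.
AUDIT: List[str] = []


def _host_only(host_header: str) -> str:
    """Normalise a Host header: lower-case, drop any :port, keep an IPv6 literal's brackets."""
    host = host_header.strip().lower()
    if host.startswith("["):
        return host.split("]", 1)[0] + "]"
    return host.split(":", 1)[0]


def _is_ip_literal(host: str) -> bool:
    """True when the client addressed the camera by IP instead of its published name."""
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False


def _deny(user: Optional[str], host: str, reason: str) -> Decision:
    AUDIT.append(f"user={user or '<anonymous>'} host={host} denied: {reason}")
    return Decision(False, None, reason)


def authorize(host_header: str, user: Optional[str], user_groups: Set[str],
              source_network: str = "Internal") -> Decision:
    """Decide whether a request for a published camera may be forwarded.

    Checks run in the order a firewall would surface them: a request carrying no
    user cannot match a rule that has a user set; VPN clients are excluded
    outright; the camera must be addressed by its published name rather than a
    raw IP (closing the browse-by-address hole); and finally the caller must be
    in one of the camera's allowed groups.
    """
    host = _host_only(host_header)
    if user is None:
        return _deny(user, host, "authentication required: no user in request")
    if source_network == "VPN":
        return _deny(user, host, "camera access is blocked for VPN clients")
    if _is_ip_literal(host):
        return _deny(user, host, "direct access by IP address is not published")
    camera = CAMERAS.get(host)
    if camera is None:
        return _deny(user, host, "no publishing rule for this host name")
    if not user_groups & camera["groups"]:
        return _deny(user, host, "user is not in an authorised group for this camera")
    return Decision(True, camera["backend"], "allowed")


if __name__ == "__main__":
    # Constructed requests covering each branch of the policy.
    print(authorize("cam130.example.local", "alice", {"Domain Users", "IP Camera Admins"}))
    print(authorize("cam130.example.local", "bob", {"Domain Users"}))
    print(authorize("10.39.1.140", "alice", {"IP Camera Admins"}))
    print(authorize("cam101.example.local", None, set()))
    print("\n".join(AUDIT))
```

The IP-literal check is the part that matters for the hole described in this post: as long as the cameras answer to anyone who types their address into a browser, a group check inside the app only protects the app's own path to the camera, so the same "published name only" rule has to be enforced at the gateway in front of the camera VLAN, not just in the client.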
Hi again. I've made some progress since my last post but have run into a problem that I don't quite understand. But first, here's what I've done thus far:
Our network layout consists of 2 network segments; 10.13.1.0 is our internal LAN that includes our file servers, DCs, desktops, etc. The 10.39.1.0 LAN segment includes all of our IP Cameras. I have one Win 2003 box configured as a Routing and Remote Access Server with 2 NICs; one connected to the 10.13.1.0 segment, the other to the 10.39.1.0 segment.
The RRAS box has a static route defined and I can access the IP Cameras on the 10.39.1.0 segment from the 10.13.1.0 segment by IP address.
I have created a DNS Host "A" record and a WINS Static Mapping for each camera. I can reach all cameras using its host name or IP address from the 10.13.1.0 network.
I installed ISA 2006 EE trial configured as 3-leg perimeter. The ISA box is part of our AD domain. ISA's "Internal" network uses address range 10.13.1.1 - 10.13.1.255. ISA's "Perimeter" network uses addresses 10.39.1.0 - 10.39.1.25.
I created an "All Open" access rule and confirmed that I can still access the cameras by host name and IP address.
I created an Access Rule called "CAM130 Access" with the following settings:
Actions: allow
Protocol: All outbound traffic
From/Listener: Internal
To: [Name] CAM130 [Computer IP Address] 10.39.1.140 (same info as the Host "A" record)
Users: IP Camera Admins (a user set that contains an AD Group of which I am a member)
Moved "CAM130 Access Rule" above "All Open" rule.
At this point I would expect that only members of "IP Camera Admins" group should be able to access this camera. All users should still be able to access all other cameras because of the "All Open" access rule. I can connect to all cameras except CAM130. The connection times out and I get the IE "Internet Explorer cannot display the webpage" page. Ping using either the host name or IP address both fail. With diagnostic debugging enabled I see the following entries when I try to connect to CAM130 using a browser:
<SNIP>
82 11/6/2008 13:47:49 0000154e Firewall service ISA Server is evaluating the rule CAM130 Access Rule.
83 11/6/2008 13:47:49 0000154e Firewall service The rule does not match because the rule requires authentication and no user is specified in the packet.
84 11/6/2008 13:47:49 0000154e Firewall service ISA Server denied a request because policy rule CAM130 Access Rule requires authentication before allowing traffic.
85 11/6/2008 13:47:49 0000154e Firewall service The rule CAM130 Access Rule requires user authentication for evaluation.
86 11/6/2008 13:47:49 0000154e Firewall service The rule CAM130 Access Rule requires user authentication.
</SNIP>
I am already authenticated on the network, so why is ISA denying the request?
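An added Python example (not from the thread) that parses the diagnostic lines quoted in this post and pulls out the fact that answers the question: the denial is logged together with "no user is specified in the packet", meaning no Windows credentials reached ISA with the request at all, so a rule that carries a user set can never match it. The line layout (sequence number, date, time, 8-hex-digit evaluation context, service name, message) is assumed from the quoted entries; the sample input is those same five lines, re-wrapped one per line.

```python
import re
from collections import defaultdict
from typing import Dict, List, NamedTuple

# The diagnostic entries quoted in the post above, one per line.
SAMPLE_LOG = """\
82 11/6/2008 13:47:49 0000154e Firewall service ISA Server is evaluating the rule CAM130 Access Rule.
83 11/6/2008 13:47:49 0000154e Firewall service The rule does not match because the rule requires authentication and no user is specified in the packet.
84 11/6/2008 13:47:49 0000154e Firewall service ISA Server denied a request because policy rule CAM130 Access Rule requires authentication before allowing traffic.
85 11/6/2008 13:47:49 0000154e Firewall service The rule CAM130 Access Rule requires user authentication for evaluation.
86 11/6/2008 13:47:49 0000154e Firewall service The rule CAM130 Access Rule requires user authentication.
"""


class Entry(NamedTuple):
    seq: int
    date: str
    time: str
    context: str   # hex value shared by every line of one request evaluation
    service: str
    message: str


# Assumed layout of a diagnostic line, inferred from the quoted entries.
LINE_RE = re.compile(
    r"^(?P<seq>\d+)\s+(?P<date>\d+/\d+/\d{4})\s+(?P<time>\d+:\d+:\d+)\s+"
    r"(?P<context>[0-9a-f]{8})\s+(?P<service>\S+ service)\s+(?P<message>.*)$"
)
DENIED_RE = re.compile(r"denied a request because policy rule (?P<rule>.+?) requires authentication")
NO_USER = "no user is specified in the packet"


def parse(log_text: str) -> List[Entry]:
    """Split the log into structured entries, skipping lines that do not fit the layout."""
    entries = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append(Entry(int(m["seq"]), m["date"], m["time"],
                                 m["context"], m["service"], m["message"]))
    return entries


def summarize(log_text: str) -> Dict[str, Dict[str, object]]:
    """Per rule: how many requests it denied for lacking authentication, and whether the
    same evaluation context also reported that the packet carried no user at all."""
    by_context = defaultdict(list)
    for e in parse(log_text):
        by_context[e.context].append(e)
    summary: Dict[str, Dict[str, object]] = {}
    for items in by_context.values():
        anonymous = any(NO_USER in e.message for e in items)
        for e in items:
            m = DENIED_RE.search(e.message)
            if not m:
                continue
            rule = summary.setdefault(m["rule"], {"denials": 0, "no_user_in_packet": False})
            rule["denials"] += 1
            rule["no_user_in_packet"] = rule["no_user_in_packet"] or anonymous
    return summary


def diagnose(log_text: str) -> List[str]:
    """State the conclusion a defender draws from each denied rule."""
    notes = []
    for rule, info in summarize(log_text).items():
        if info["no_user_in_packet"]:
            notes.append(f"{rule}: {info['denials']} denial(s); the client sent no credentials, "
                         "so a rule with a user set cannot match it. The client machine must pass "
                         "its Windows credentials to ISA (the Firewall Client does this); being "
                         "logged on to the domain is not enough by itself.")
        else:
            notes.append(f"{rule}: {info['denials']} denial(s); credentials were present but rejected.")
    return notes


if __name__ == "__main__":
    for note in diagnose(SAMPLE_LOG):
        print(note)
```

Grouping by the evaluation context is what makes the verdict reliable: the "no user is specified" line and the "denied a request" line are separate entries, and only when both appear for the same context can you say the denial was due to missing credentials rather than a user who authenticated and was simply not in the set. The ping failure in the post is consistent with this, since ICMP cannot carry a user either.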
Doubt you are still working on this but... I have a similar problem and some suggestions for you/others attempting this.
I have a somewhat similar situation and fought the authentication problem for a while to use Dameware. For one, the machine you are using to access the cameras needs the Firewall Client.
The client ensures that the windows creds are passed.
This article might also help since you can reach your 10.39.1.0 network from your 10.13.1.0 network. http://www.isaserver.org/articles/2004netinnet.html I am using a terminal server in my configuration that our support personnel will log in to, which was slightly different, but the article should help for any circumstance.
The gotcha may still come for you after this though...
I also have a DVR app that may run similar to yours. Authentication is working for this but the app ultimately needs to connect to the camera via http which ISA wants to NAT instead of route. Attempts to alter this have caused Dameware to break. I am certain this will work but it may require some special tweaking which I haven't figured out yet.