1. The ISA firewall should be a domain member to get the highest level of security the ISA firewall can provide, so the POC will have the ISA firewall as a member of the user domain.
I agree and I hope that I can make it a domain member and still do what I want securely. Will there be any issues with making it a domain member in a DMZ? Also are there any issues using RADIUS (or RSA) when ISA is a domain member?
TOM: Of course, domain member ISA firewalls are 9 times out of 10 more secure than non-domain members. It's a hard thing for clipboard based "security guys" who don't understand how things work, but you'll find that if you can get them off your back, you'll end up with a much more secure ISA firewall solution.
2. RADIUS is a kludge solution for ISA authentication. I realize why MS included this option, but if someone doesn't have a gun to your head or a knife in your back, then avoid RADIUS and use integrated Windows authentication. Again, it's more secure and more flexible.
My reason for using RADIUS is my company's security policy, which requires two-factor authentication for remote users (i.e. OWA, software based VPN clients, Citrix or other applications over a VPN). I am still trying to decide between RSA SecurID and Secureword from Secure Computing. Seems like RADIUS had some minor advantages over the integrated RSA SecurID but I can't recall what it was at this point.
TOM: OK, I didn't take into account the two-factor auth issue. It might be that RADIUS auth would be more simple to implement.
3. For Secure Exchange RPC Publishing, there is no pre-authentication at the ISA firewall. However, the ISA firewall's Secure Exchange RPC filter will scrub the RPC/MAPI communications to make sure they're not worm traffic and are legitimate Exchange/Outlook connections.
While I want to be able to offer RPC over HTTP to my clients, I may not be able to unless I can find a mechanism to add another layer of authentication. Perhaps a VPN will be the solution. (And I do know that RPC over HTTP is in itself an SSL tunnel "VPN", but I still have to require two-factor authentication.) I am open to ideas.
TOM: I wasn't talking about RPC/HTTP, I was thinking of Secure Exchange RPC. In both cases, you won't be able to implement two-factor authentication. However, if you're using a VPN connection to allow the Outlook clients, you don't even need to mess with RPC/HTTP and you can use the native MAPI/RPC connection to the Exchange Server.
4. I highly recommend using the Firewall client. The Firewall client is one of the core security technologies that makes the ISA firewall several orders of magnitude more secure than just about any firewall in the market today. Give the Firewall client very serious consideration, as the network you save could be yours :)
I am thinking about continuing to use the Netscreens for the Site-to-Site VPNs. But I may be willing to replace my Netscreen-remote (software VPN) with the integrated ISA VPN for my traveling folks. I am looking for a good VPN system that can use IPSec and require two-factor authentication (both company requirements). Would ISA be able to do that?
TOM: The solution I put together doesn't require you to change your site to site VPN configuration and it doesn't require that you change any of the host's default gateways.
... but essentially the setup is a parallel config, with the ISA firewall and the other one having three NICs. Clients use the netscreen server as their default gateway, and the netscreen server has routing table entries for the remote site network, and the gateway of last resort will be the DMZ interface of the ISA firewall, which is connected to the same switch/hub as the DMZ interface of the netscreen server. Seems to work fine and doesn't require changing the default gateway config on any servers or clients and will also support the publishing scenarios.
That is interesting. Much more sophisticated than I first thought. It is sort of a hybrid parallel/DMZ method. A couple of questions though...
TOM: Yea, unfortunately my initial thoughts won't work. My new solution will work better.
a) Did you mean that my ISA server would have three interfaces or just two (only the Netscreen would have three interfaces)?
TOM: No, in the new design the ISA firewall only has two interfaces.
b) So the Netscreen would require static routes for all the IPs of VPN endpoints? Right? I think this is so the Netscreen sends VPN bound traffic direct to the internet using its external interface (as opposed to the DMZ interface). Otherwise it would use the ISA server as its DG.
TOM: No, in the new solution there are no changes to the routing tables on the netscreen, but there are new entries in the routing table of the ISA firewall.
c) Also, in the DMZ should I use private or public IPs?
TOM: The DMZ between the ISA firewall and the netscreen should use private addresses.
Thomas W Shinder, M.D.