Welcome to ISAserver.org


Why do a DMZ's addresses have to be public?

All Forums >> [ISA Server 2000 Firewall] >> DMZ >> Why do a DMZ's addresses have to be public?
Why do a DMZ's addresses have to be public? - 30.Jun.2003 7:30:00 AM   
AbqBill
Posts: 478
Joined: 3.Jun.2003
From: Albuquerque NM USA
Status: offline
Suppose you have a hardware firewall (e.g. Linksys), and its internal interface has a non-routable IP address (e.g. 192.168.15.1). This router is performing NAT. Then you have an ISA Server behind it that has an external interface of 192.168.15.2, gateway 192.168.15.1. Subnet mask is 27 bits, so that network segment has 28 unused addresses.

The ISA Server has a bogus loopback adapter which is the only address in the LAT, and a third interface connected to the (actual) internal network. IP routing is enabled, but packet filtering is disabled. The idea here is to use ISA Server for outbound access control only, but we don't need ISA Server's NAT, so we fool it into thinking there's a DMZ, but of course the "DMZ" is actually the internal network.

According to repeated posts, the DMZ can't use non-routable addresses. Why not, if an upstream device is performing the NAT?
Post #: 1
RE: Why do a DMZ's addresses have to be public? - 30.Jun.2003 11:45:00 PM   
spouseele
Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Bill,

by configuring the ISA that way, ISA is no longer configured as a firewall but as a simple router. Therefore you can't use outbound access control anymore! [Big Grin]

Why not take the Linksys out of the picture?

HTH,
Stefaan

(in reply to AbqBill)
Post #: 2
RE: Why do a DMZ's addresses have to be public? - 1.Jul.2003 4:14:00 PM   
AbqBill
Posts: 478
Joined: 3.Jun.2003
From: Albuquerque NM USA
Status: offline
Why not? Suppose the upstream router only accepts traffic from the external interface of the ISA Server. A client can't just point their default gateway to the router and get out of the network; they have to use the ISA Server.

What I am getting at here is that there are some very good reasons that ISA Server should let the administrator control the NATting.

(in reply to AbqBill)
Post #: 3
RE: Why do a DMZ's addresses have to be public? - 1.Jul.2003 6:59:00 PM   
md3v
Posts: 308
Joined: 22.Jan.2002
Status: offline
ISA is designed to be the perimeter firewall and a single point of entry/exit. The addition of the LinkSys device reduces ISA's status to a 'cache server' as ISA no longer has 100% control over the I/O on your external connection.

(in reply to AbqBill)
Post #: 4
RE: Why do a DMZ's addresses have to be public? - 2.Jul.2003 4:36:00 AM   
tshinder
Posts: 47669
Joined: 10.Jan.2001
From: Texas
Status: online
quote:
Originally posted by Bill Stewart:
Why not? Suppose the upstream router only accepts traffic from the external interface of the ISA Server. A client can't just point their default gateway to the router and get out of the network; they have to use the ISA Server.

What I am getting at here is that there are some very good reasons that ISA Server should let the administrator control the NATting.

Hi Bill,

There are reasons, but you don't have that control with ISA. Since ISA is LAT based, hosts are LAT and non-LAT. DMZ interfaces can be in the LAT, but then ISA will not apply firewall policies, and that "DMZ" is just another internal network segment.

So, true DMZ segments in ISA must have public addresses.

That's how it works for now [Smile]

Thanks!
Tom

(in reply to AbqBill)
Post #: 5
RE: Why do a DMZ's addresses have to be public? - 2.Jul.2003 6:50:00 PM   
AbqBill
Posts: 478
Joined: 3.Jun.2003
From: Albuquerque NM USA
Status: offline
quote:
Christopher wrote:
ISA is designed to be the perimeter firewall and a single point of entry/exit. The addition of the LinkSys device reduces ISA's status to a 'cache server' as ISA no longer has 100% control over the I/O on your external connection.

Not if you configure the external firewall to only accept Internet-bound traffic from the "external" interface of the ISA Server. Not possible with a Linksys, but easy with a more capable product.

quote:
tshinder wrote:
So, true DMZ segments in ISA must have public addresses.

If both of ISA's interfaces use private addresses, if the external interface's subnet is not in the LAT, and the internal interface of the upstream firewall also has a private address in that subnet, then that subnet is a DMZ using private addresses. The external box could provide the appropriate "publishing" to make the DMZ appear on the public network, and appropriate packet filtering settings could make the DMZ servers available to clients behind the ISA Server.

It seems to me that this would be a very secure configuration...

(in reply to AbqBill)
Post #: 6
RE: Why do a DMZ's addresses have to be public? - 2.Jul.2003 8:50:00 PM   
tshinder
Posts: 47669
Joined: 10.Jan.2001
From: Texas
Status: online
Hi Bill,

Excellent point! If you have another firewall in front of the ISA firewall, and the DMZ between the ISA and non-ISA firewall uses private addresses, then you can use private addresses on the 3rd NIC of the internal ISA Server firewall.

Good one!

Thanks!
Tom

(in reply to AbqBill)
Post #: 7
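The topology argued over in posts #1, #3 and #6, modelled as an added example (this is not ISA Server code or any ISA API, and the 10.0.0.0/24 internal subnet is an assumed value). It checks the /27 address arithmetic from the first post, shows that ISA 2000 decides "firewall policy or not" purely by LAT membership rather than by public versus private addressing, and models the upstream rule that only ISA's external NIC may send Internet-bound traffic:

```python
import ipaddress

# Constructed model of the thread's topology (example code, not ISA Server's
# own logic): an upstream NAT router at 192.168.15.1, the ISA Server's
# external NIC at 192.168.15.2 on a /27, a loopback-only LAT, and a third
# NIC on the real internal network (10.0.0.0/24 is an assumed value).
UPSTREAM_ROUTER = ipaddress.ip_address("192.168.15.1")
ISA_EXTERNAL = ipaddress.ip_address("192.168.15.2")
PERIMETER_NET = ipaddress.ip_network("192.168.15.0/27")
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/24")

# ISA 2000 classifies hosts by LAT membership only: LAT hosts are trusted and
# get no firewall policy, non-LAT hosts have policy applied.
LAT_LOOPBACK_ONLY = [ipaddress.ip_network("127.0.0.0/8")]
LAT_WITH_INTERNAL = LAT_LOOPBACK_ONLY + [INTERNAL_NET]


def unused_addresses(net, assigned):
    """Usable host addresses in `net` (network and broadcast excluded)
    that are not already assigned to a device."""
    return [h for h in net.hosts() if h not in assigned]


def isa_classification(addr, lat):
    """'LAT' = treated as internal, no policy; 'non-LAT' = policy applied."""
    ip = ipaddress.ip_address(addr)
    return "LAT" if any(ip in n for n in lat) else "non-LAT"


def is_private_dmz(net, lat, upstream_gateway):
    """Post #6: a non-LAT subnet that the upstream firewall's inner
    interface also sits on is a DMZ even though its addresses are private."""
    return (net.is_private
            and upstream_gateway in net
            and isa_classification(str(net.network_address), lat) == "non-LAT")


def upstream_accepts(src, allowed_egress=ISA_EXTERNAL):
    """Post #3's upstream rule: only ISA's external NIC may reach the
    Internet, so a client pointing its gateway at the router gets nothing."""
    return ipaddress.ip_address(src) == allowed_egress
```

The same 192.168.15.0/27 is "non-LAT" (policy applied) with the loopback-only LAT, while an internal host becomes "LAT" as soon as its subnet is added to the LAT, which is exactly the trade-off Stefaan and Tom describe.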
RE: Why do a DMZ's addresses have to be public? - 2.Jul.2003 10:03:00 PM   
AbqBill
Posts: 478
Joined: 3.Jun.2003
From: Albuquerque NM USA
Status: offline
Hi Tom,

That's not quite what I'm saying, but I didn't shift gears from the first post. I will start a new thread.

Thanks,

Bill

(in reply to AbqBill)
Post #: 8