Welcome to ISAserver.org


Discussion for Using a Trihomed ISA/VPN Server to Secure Wireless Networks article

Discussion for Using a Trihomed ISA/VPN Server to Secur... - 5.Jun.2003 5:46:00 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
This thread is for the Using a Trihomed ISA/VPN Server to Secure Wireless Networks article at http://www.isaserver.org/tutorials/trihomedwirelessdmz.html.

HTH,
Tom

[ June 05, 2003, 01:25 PM: Message edited by: tshinder ]
Post #: 1
RE: Discussion for Using a Trihomed ISA/VPN Server to S... - 9.Jun.2003 8:29:00 PM   
far_jsloan

 

Posts: 20
Joined: 5.Sep.2002
Status: offline
What if all of your clients were wireless? I.e., domain clients are all on a wireless network internally (on the LAT side of ISA and AD).

Want to prevent Parking lot Sniffers

Security Issues?

Do you still need to set up RRAS and VPN for client connections?

(in reply to tshinder)
Post #: 2
RE: Discussion for Using a Trihomed ISA/VPN Server to S... - 9.Jun.2003 10:05:00 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Far,

In that case, you need to invest in a more sophisticated WAP that allows 802.1x authentication, 128-bit WEP or preferably WPA or PEAP. Check out an excellent article by my friend and esteemed colleague, Steve Riley:

http://www.microsoft.com/technet/treeview/default.asp?url=/technet/columns/security/askus/AUAS0303.asp

HTH,
Tom

(in reply to tshinder)
Post #: 3
RE: Discussion for Using a Trihomed ISA/VPN Server to S... - 9.Jun.2003 11:52:00 PM   
spouseele

 

Posts: 12830
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Tom,

indeed, an excellent article! [Smile]

Also, check out http://www.microsoft.com/usa/webcasts/ondemand/1767.asp .

Thanks,
Stefaan

(in reply to tshinder)
Post #: 4
RE: Discussion for Using a Trihomed ISA/VPN Server to S... - 16.Jun.2003 3:26:00 PM   
ostadler

 

Posts: 15
Joined: 16.Jun.2003
Status: offline
Hello Tom,

First of all let me introduce myself as this is my first post here on the message-board :-)
Well my name is Oliver Stadler and I am the system-administrator of the veterinary teaching hospital in Munich, Germany. At the moment I am getting familiar with Microsoft's ISA Server (we will use it in conjunction with Server 2003, and I never used ISA before), and your two books are _the_ books to read when it comes to ISA servers (actually I compared them to German literature....sigh....) :-)

Currently we are in the process of constructing a brand-new bovine clinic and I am responsible for the network design. There is a demand for Wireless LAN (PocketPCs and Tablet PCs that should be able to reach the internal network when walking within the stables).
So of course I read your article about the Trihomed VPN server.

Now my question is: Would it be useful (or better: what would be the advantage) to place the WAPs within the DMZ of a back-to-back private address DMZ? One reason would surely be that for the back-to-back scenario we would need another server, but just assume that this would not matter in that case ;-)
I could then place our official webserver and the WAPs within the DMZ.
From the DMZ the PocketPC could still enter the internal network using VPN via the internal ISA server. Is that right or do I make a mistake here? Maybe you have any other ideas about it, I would be very glad to hear about them!

Thanks a lot in advance,

Greetings from Germany,

Oli

(in reply to tshinder)
Post #: 5
RE: Discussion for Using a Trihomed ISA/VPN Server to S... - 17.Jun.2003 12:39:00 AM   
ostadler

 

Posts: 15
Joined: 16.Jun.2003
Status: offline
Hello again,

Just a little addendum question (it's surely a newbie question [Smile]):

When I have a Back-to-Back DMZ with private IPs in the DMZ, could I also have two internal network segments attached to the internal ISA server? So I would have three NICs installed in the internal ISA server, the external interface for the DMZ (not in the LAT), and two internal interfaces for two separate subnets (contained in the LAT).

Thanks again,

Greetings,

Oli

(in reply to tshinder)
Post #: 6
RE: Discussion for Using a Trihomed ISA/VPN Server to S... - 17.Jun.2003 1:53:00 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
quote:
Originally posted by Oliver Stadler:
Hello Tom,

First of all let me introduce myself as this is my first post here on the message-board :-)
Well my name is Oliver Stadler and I am the system-administrator of the veterinary teaching hospital in Munich, Germany. At the moment I am getting familiar with Microsoft's ISA Server (we will use it in conjunction with Server 2003, and I never used ISA before), and your two books are _the_ books to read when it comes to ISA servers (actually I compared them to German literature....sigh....) :-)

Currently we are in the process of constructing a brand-new bovine clinic and I am responsible for the network design. There is a demand for Wireless LAN (PocketPCs and Tablet PCs that should be able to reach the internal network when walking within the stables).
So of course I read your article about the Trihomed VPN server.

Now my question is: Would it be useful (or better: what would be the advantage) to place the WAPs within the DMZ of a back-to-back private address DMZ? One reason would surely be that for the back-to-back scenario we would need another server, but just assume that this would not matter in that case ;-)
I could then place our official webserver and the WAPs within the DMZ.
From the DMZ the PocketPC could still enter the internal network using VPN via the internal ISA server. Is that right or do I make a mistake here? Maybe you have any other ideas about it, I would be very glad to hear about them!

Thanks a lot in advance,

Greetings from Germany,

Oli

Hi Oli,

You can also use a private address back to back DMZ. That protects your internal network and also allows you outbound access control using ISA firewall policies.

HTH,
Tom

(in reply to tshinder)
Post #: 7
RE: Discussion for Using a Trihomed ISA/VPN Server to S... - 17.Jun.2003 1:54:00 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
quote:
Originally posted by Oliver Stadler:
Hello again,

Just a little addendum question (it's surely a newbie question [Smile]):

When I have a Back-to-Back DMZ with private IPs in the DMZ, could I also have two internal network segments attached to the internal ISA server? So I would have three NICs installed in the internal ISA server, the external interface for the DMZ (not in the LAT), and two internal interfaces for two separate subnets (contained in the LAT).

Thanks again,

Greetings,

Oli

Hi Oli,

Yes, no problems with having multiple internal, LAT interfaces.

HTH,
Tom

(in reply to tshinder)
Post #: 8
RE: Discussion for Using a Trihomed ISA/VPN Server to S... - 18.Jul.2003 2:53:00 AM   
bittondb

 

Posts: 16
Joined: 30.Jun.2003
From: West New York, NJ
Status: offline
When configuring this setup, which adapter do I apply the packet filter, and in what direction? I haven't seen the part 2 of the article with the HOWTO. Thanks.

P.S. Tom, I know that you are promoting your book, but can you make the signature horizontal instead of vertical. It will make for less scrolling. [Smile]

(in reply to tshinder)
Post #: 9
RE: Discussion for Using a Trihomed ISA/VPN Server to S... - 18.Jul.2003 3:48:00 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi DFM,

RRAS packet filters can be applied to either or both of the LAT interfaces. I've got it on my list to do part two of that article. I'm sort of focusing on Exchange 2003 lately, but I'll get to it.

Thanks!
Tom

(in reply to tshinder)
Post #: 10
RE: Discussion for Using a Trihomed ISA/VPN Server to S... - 19.Jul.2003 4:03:00 AM   
bittondb

 

Posts: 16
Joined: 30.Jun.2003
From: West New York, NJ
Status: offline
Tom,
I was able to achieve the desired results by applying an Inbound Filter on the DMZ interface dropping everything bound for the internal network (10.3.2.0/24). Should I go any farther than this?

(in reply to tshinder)
Post #: 11
RE: Discussion for Using a Trihomed ISA/VPN Server to S... - 19.Jul.2003 5:36:00 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Foo,

That'll do it!

Good to hear you got it working!

Tom

(in reply to tshinder)
Post #: 12
RE: Discussion for Using a Trihomed ISA/VPN Server to S... - 20.Jul.2003 5:03:00 AM   
bittondb

 

Posts: 16
Joined: 30.Jun.2003
From: West New York, NJ
Status: offline
I have another question. For the wireless segment, I am making use of the DHCP server in the WAP. Should I be using the one that is available in RRAS? One more question, my WAP supports 802.1x authentication. What is the most secure way for the WAP to communicate with my PDC on the LAN that is running IAS for RADIUS auth? Obviously this will require allowing the WAP to enter the LAN from the DMZ.

I'd like to do this the "best practices" way. Thanks.

(in reply to tshinder)
Post #: 13
RE: Discussion for Using a Trihomed ISA/VPN Server to S... - 21.Jul.2003 8:08:00 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Foo,

If your WAP supports 802.1x, you can certainly use that to supplement the security provided in the principles discussed in the article. The article focused on how you can provide secure access without using 802.1x, but if you have the resources to implement the infrastructure to support 802.1x, I'd go for it.

I would not allow the WAP to communicate with the secured, private network, since it's considered an untrusted device. That's sort of the whole point to requiring VPN access for DMZ hosts that need access to the private network.

HTH,
Tom

(in reply to tshinder)
Post #: 14
RE: Discussion for Using a Trihomed ISA/VPN Server to S... - 24.Jul.2003 3:13:00 AM   
bittondb

 

Posts: 16
Joined: 30.Jun.2003
From: West New York, NJ
Status: offline
So, then based on what you are saying, I would need a box on the DMZ running IAS (for RADIUS), and that box would VPN into the private LAN for auth. against the PDC, running AD. Is this correct?

(in reply to tshinder)
Post #: 15
RE: Discussion for Using a Trihomed ISA/VPN Server to S... - 24.Jul.2003 3:34:00 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi DFM,

Yes, that would be one way to do it. However, you are still allowing access to the internal network, and for security reasons, you want to completely wall off the internal network from the DMZ as much as possible. If you're allowing anonymous connections from the DMZ, then you should make all devices on that segment untrusted, except for those hosts that you've already decided to trust in advance (those machines that you've already assigned a certificate).

Otherwise, you could just create a packet filter and IPSec policy to allow the RADIUS messages between the LAT DMZ and the internal network.

HTH,
Tom

(in reply to tshinder)
Post #: 16
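As an added illustration (not code from this thread, from ISA Server or from RRAS), the following Python models the two filter designs discussed above: the DMZ-interface inbound filter from post #11 that drops everything bound for the internal network 10.3.2.0/24, and the narrow RADIUS exception Tom offers in post #16. The internal network is the thread's; the DMZ segment, the ISA/VPN server's DMZ address, the IAS host and the WAP address are assumed sample values.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# From the thread: the internal (LAT) network that DMZ hosts must not reach directly.
INTERNAL_NET = ip_network("10.3.2.0/24")
# Assumed sample values (not from the thread).
ISA_DMZ_IP = ip_address("10.3.3.1")        # ISA/VPN server's interface on the wireless DMZ
RADIUS_SERVER = ip_address("10.3.2.10")    # IAS host on the internal network
TRUSTED_WAPS = {ip_address("10.3.3.2")}    # WAP(s) allowed to talk RADIUS, and nothing else
RADIUS_PORTS = {1812, 1813}                # RADIUS authentication / accounting (UDP)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                 # "tcp", "udp", "gre", "esp", ...
    dport: Optional[int] = None


def dmz_inbound_filter(pkt: Packet, allow_radius: bool = False) -> str:
    """Decide 'forward' or 'drop' for a packet arriving on the ISA's DMZ interface.

    Post #11 design: anything addressed to the internal network is dropped, so
    wireless hosts can only reach internal resources by first building a VPN
    tunnel to the ISA's own DMZ address (that address is outside INTERNAL_NET,
    so PPTP/GRE or L2TP/IPsec to it passes this filter and is then subject to
    VPN authentication and ISA policy). Internet-bound traffic also passes here
    and is controlled by ISA's outbound rules, not by this filter.

    Post #16 option: with allow_radius=True, only RADIUS from a pre-trusted WAP
    to the IAS server is let through; everything else to the internal network
    is still dropped.
    """
    src, dst = ip_address(pkt.src), ip_address(pkt.dst)
    if dst not in INTERNAL_NET:
        return "forward"
    if (allow_radius and pkt.proto == "udp" and src in TRUSTED_WAPS
            and dst == RADIUS_SERVER and pkt.dport in RADIUS_PORTS):
        return "forward"
    return "drop"
```

The one-liner check is whether any non-RADIUS packet from the DMZ to 10.3.2.0/24 still returns "forward"; if it does, the filter is wider than the thread's design intends.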
RE: Discussion for Using a Trihomed ISA/VPN Server to S... - 3.Sep.2003 4:54:00 AM   
kmbuchanan

 

Posts: 13
Joined: 3.Sep.2003
From: Lexington, NC
Status: offline
In the first article, you said there would be 2 other articles giving step-by-step instructions...what are the titles of those articles?

We are (currently) testing ISA and we are planning to replace our WLAN with Cisco 1200 WAPs. Any advice you can offer is GREATLY appreciated.

Thanks!

(in reply to tshinder)
Post #: 17
RE: Discussion for Using a Trihomed ISA/VPN Server to S... - 3.Sep.2003 6:05:00 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Kevin,

It's on my plate! Right now I'm revving up big time an ISA Server/Exchange Deployment Kit and cranking out about an article a day. But I'll get to this ASAP, because it's an important issue, esp. in light of the recent worm outbreak.

Thanks!
Tom

(in reply to tshinder)
Post #: 18
RE: Discussion for Using a Trihomed ISA/VPN Server to S... - 11.Sep.2003 4:59:00 AM   
skinnygeek

 

Posts: 12
Joined: 6.Jul.2003
Status: offline
Hi Dr. Tom,

I read your article and I think i'm a bit lost and I have sort of a newbie question.

In the article, you mentioned giving internet access to anonymous wifi clients of the WAP. These clients would have internet access without first connecting to the internal VPN server. Wouldn't that be a big security issue, since it could be an untrusted wifi client that is stealing company bandwidth or putting a heavy load on the traffic with no interest in accessing company internal resources?

From time to time we have visitors to the company and they want to have internet access. These are mostly wifi laptop and PDA users. Which would be the best method to allow them to have access to the internet without compromising the risk that I mentioned above? Thanks much!

-SG-

(in reply to tshinder)
Post #: 19
RE: Discussion for Using a Trihomed ISA/VPN Server to S... - 11.Sep.2003 5:18:00 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi SG,

Good question. Two things you can do to help with this:

1. Create a client address set for the wireless segment addresses. Then allow machines in this client address set access only to the sites and protocols you want them to access.

2. Create a bandwidth rule that assigns hosts in the wireless client address set a lower priority than any other connection (at least lower than the default priority if you have no other bandwidth rules).

HTH,
Tom

(in reply to tshinder)
Post #: 20
