Welcome to ISAserver.org

University Scenario

All Forums >> [ISA Server 2004 General] >> Installation >> University Scenario
University Scenario - 12.Jul.2004 9:24:00 PM
grinn253 (Posts: 76, Joined: 12.Jul.2004, From: Seattle)
Hello,

I work at one of those Universities where all wall ports have public internet IP addresses. So every machine that is plugged in to the wall is instantly susceptible/can be accessed via the internet. Currently we utilize host based firewalls and are looking at ISA.

It is not possible to reconfigure the network to place ISA in between the internet and the private network. Regarding 'network templates,' I'm asking for the forum's help deciding [Confused].

'Edge Firewall' can be applied to protect a single room (in our situation), which is fine to protect servers (by creating a private network?)

'3-Leg Perimeter,' would this be possible/better?

Basically my question is, how to deploy ISA when all machines have public IPs and ISA cannot be placed between the internal/external networks. (The machines I want to protect are all on the same subnet/domain.)

Thanks!
Edgardo

[ July 12, 2004, 09:26 PM: Message edited by: grinn253 ]
Post #: 1
RE: University Scenario - 13.Jul.2004 3:55:00 AM
tshinder (Posts: 50013, Joined: 10.Jan.2001, From: Texas)
Hi Edgardo,

Why can't you place the ISA firewall between the clients and the external network? You don't have to use NAT between the Internet and the Internal network. The firewall policy and Access Rules will still apply even if you use a route relationship between the Internet and the Internal network.

Also, please do *not* use the network templates. While they had their heart in the right place when they designed these, they end up causing more confusion than helping simplify the firewall configuration. It's better to determine what your design goals are, and then configure the ISA firewall to meet those goals.

HTH,
Tom

(in reply to grinn253)
Post #: 2
RE: University Scenario - 13.Jul.2004 10:17:00 AM
sdsmtss (Posts: 45, Joined: 5.Nov.2003)
I have the same scenario on a University campus and I'm in the process of deploying ISA. The way I am setting it up is to have ISA protect Exchange and my DCs and publish the Exchange services through ISA. The workstations all need to be joined to the domain via VPN. I was also considering having the users communicate with the DCs via IPSec policy. I would publish the required ports for IPSec through the firewall so that the workstations don't need to VPN in to the private network. I'm still open for suggestions too, so it would be great if anybody would like to comment.

(in reply to grinn253)
Post #: 3
RE: University Scenario - 13.Jul.2004 12:16:00 PM
tshinder (Posts: 50013, Joined: 10.Jan.2001, From: Texas)
Hi Slacker,

Why do you need to use VPN to join the workstations to the domain? You can create Access Policies that allow intradomain communications between any two segments between the ISA firewall.

Thanks!
Tom

(in reply to grinn253)
Post #: 4
RE: University Scenario - 14.Jul.2004 7:40:00 PM
grinn253 (Posts: 76, Joined: 12.Jul.2004, From: Seattle)
quote:
Originally posted by tshinder:
Hi Edgardo,
Why can't you place the ISA firewall between the clients and the external network?...

Hello, and thanks for the reply!
Here are some links that may explain why placing ISA between clients & external network isn't feasible: 3rd paragraph

The university offers the 'logical firewall' approach utilizing Gibraltar (Linux), which can be placed anywhere on the network:
Logical Firewall
And if you just want to read more [Smile] Extra Reading

Currently the goal with ISA is to secure a couple of servers, and perhaps utilize the ISA Firewall Client to secure the workstation machines (later going with VPN w/ XP Remote Access).

Are there any considerations you may foresee when implementing ISA in this scenario?

Thanks!
Edgardo (eagerly awaiting your ISA 2004 book!)

[ July 14, 2004, 07:41 PM: Message edited by: grinn253 ]

(in reply to grinn253)
Post #: 5
RE: University Scenario - 15.Jul.2004 1:22:00 AM
grinn253 (Posts: 76, Joined: 12.Jul.2004, From: Seattle)
On another note, I performed a system scan from Audit My PC and found that port 1745 is open. After reading MS03-012 it seems that this port is supposed to only be open if specifically configured.
I don't believe it is configured open. Only open to allow HTTP & DNS from internal to external (8080 was found open as well, but this was expected.) This is a clean/new installation.

If this has been discussed already, I'm on my way to searching, but comments are welcome as well.

Viewing the "Logging" tab, indicates three instances for port 1745:
1) Initiate Connection
2) Closed Connection
3) Denied Connection

Thus when the test results appear, either on grc.com (Shields Up!) or auditmypc, they show that port 1745 is open.
Thoughts / thanks!
Edgardo

[ July 15, 2004, 01:32 AM: Message edited by: grinn253 ]

(in reply to grinn253)
Post #: 6
RE: University Scenario - 15.Jul.2004 10:34:00 AM
tshinder (Posts: 50013, Joined: 10.Jan.2001, From: Texas)
quote:
Originally posted by grinn253:
quote:
Originally posted by tshinder:
Hi Edgardo,
Why can't you place the ISA firewall between the clients and the external network?...

Hello, and thanks for the reply!
Here are some links that may explain why placing ISA between clients & external network isn't feasible: 3rd paragraph

The university offers the 'logical firewall' approach utilizing Gibraltar (Linux), which can be placed anywhere on the network:
Logical Firewall
And if you just want to read more [Smile] Extra Reading

Currently the goal with ISA is to secure a couple of servers, and perhaps utilize the ISA Firewall Client to secure the workstation machines (later going with VPN w/ XP Remote Access).

Are there any considerations you may foresee when implementing ISA in this scenario?

Thanks!
Edgardo (eagerly awaiting your ISA 2004 book!)

Hi Edgardo,

Thanks! Great reading. I don't agree with much of what they say, and believe a lot of it is based on lack of control over their networks and an incomplete understanding of what you can accomplish in the year 2004 [Big Grin] It takes a lot of work and planning and good design to come up with a firewall solution that supports the appropriate perimeters, but it can be done.

However, you have to deal with the realities of your situation. So, yes, that is a good design, to put the ISA firewalls in front of the server assets. That way the clients can infect and hack each other, but the servers will be protected. Hey, it's better than nothing [Wink]

HTH,
Tom

(in reply to grinn253)
Post #: 7
RE: University Scenario - 15.Jul.2004 10:35:00 AM
tshinder (Posts: 50013, Joined: 10.Jan.2001, From: Texas)
quote:
Originally posted by grinn253:
On another note, I performed a system scan from Audit My PC and found that port 1745 is open. After reading MS03-012 it seems that this port is supposed to only be open if specifically configured.
I don't believe it is configured open. Only open to allow HTTP & DNS from internal to external (8080 was found open as well, but this was expected.) This is a clean/new installation.

If this has been discussed already, I'm on my way to searching, but comments are welcome as well.

Viewing the "Logging" tab, indicates three instances for port 1745:
1) Initiate Connection
2) Closed Connection
3) Denied Connection

Thus when the test results appear, either on grc.com (Shields Up!) or auditmypc, they show that port 1745 is open.
Thoughts / thanks!
Edgardo

Hi Edgardo,

That is the Firewall Client port, and that would only be open if you enabled Firewall Client support on the external network, which can't be done, so I think you have a configuration issue here!

HTH,
Tom

(in reply to grinn253)
Post #: 8
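The exchange in posts 6 and 8 is a good small case of reading firewall logs to confirm what an outside scanner reports: an "Initiate Connection" entry for an external source means the firewall completed the handshake on that port, which is exactly why the scanner calls it open, while "Denied" alone would not. The following is an added example, not ISA Server code or its log format: it triages constructed log lines in a simplified "timestamp action src dst dst_port" layout (an assumption made for the example), tallies actions per port the way the Logging tab view was described, and flags accepted external connections on ports that should only be reachable from the internal side (1745 as the Firewall Client control channel, with 8080 treated as the expected web-proxy listener, both taken from the thread). The internal range and the listener lists are assumptions.

```python
import ipaddress
from collections import Counter, defaultdict

# Constructed sample log in a simplified "timestamp action src dst dst_port"
# layout. This is NOT the ISA Server log format; the layout is an assumption
# made for this example. 203.0.113.7 stands in for the outside scanner,
# 198.51.100.10 for the firewall's external interface.
SAMPLE_LOG = """\
2004-07-15T01:10:02 Initiate 203.0.113.7 198.51.100.10 1745
2004-07-15T01:10:02 Closed 203.0.113.7 198.51.100.10 1745
2004-07-15T01:10:05 Denied 203.0.113.7 198.51.100.10 1745
2004-07-15T01:10:09 Initiate 203.0.113.7 198.51.100.10 8080
2004-07-15T01:10:09 Closed 203.0.113.7 198.51.100.10 8080
2004-07-15T01:11:00 Initiate 192.168.1.20 198.51.100.10 1745
2004-07-15T01:11:00 Closed 192.168.1.20 198.51.100.10 1745
2004-07-15T01:12:30 Denied 203.0.113.9 198.51.100.10 3389
"""

# Assumptions: the protected segment behind the firewall, the ports that may
# only be reached from that segment (1745 is the Firewall Client control
# channel named in the thread), and the listeners expected to face outward
# (8080, which the poster expected to see open).
INTERNAL_NETS = [ipaddress.ip_network("192.168.1.0/24")]
INTERNAL_ONLY_PORTS = {1745: "Firewall Client control channel"}
EXPECTED_EXTERNAL_PORTS = {8080: "web proxy listener"}


def parse_line(line):
    """Split one constructed log line into a dict with typed fields."""
    ts, action, src, dst, port = line.split()
    return {
        "ts": ts,
        "action": action,
        "src": ipaddress.ip_address(src),
        "dst": ipaddress.ip_address(dst),
        "port": int(port),
    }


def records(log_text):
    """Parse every non-empty line of the log text."""
    return [parse_line(l) for l in log_text.splitlines() if l.strip()]


def is_internal(addr):
    return any(addr in net for net in INTERNAL_NETS)


def action_tally(log_text):
    """Per destination port, count each logged action: the Initiate / Closed /
    Denied breakdown the poster saw on the Logging tab."""
    tally = defaultdict(Counter)
    for rec in records(log_text):
        tally[rec["port"]][rec["action"]] += 1
    return {port: dict(counts) for port, counts in tally.items()}


def external_accepts(log_text):
    """Ports on which an external source got an accepted (Initiate) entry,
    mapped to the sorted external sources. An accepted handshake is what makes
    an outside scanner report the port open; a Denied entry alone would not."""
    hits = defaultdict(set)
    for rec in records(log_text):
        if rec["action"] == "Initiate" and not is_internal(rec["src"]):
            hits[rec["port"]].add(str(rec["src"]))
    return {port: sorted(srcs) for port, srcs in hits.items()}


def unexpected_exposures(log_text):
    """External accepts on ports outside the expected-external list, each with
    the reason it matters, as (port, reason, sources) tuples."""
    findings = []
    for port, srcs in sorted(external_accepts(log_text).items()):
        if port in EXPECTED_EXTERNAL_PORTS:
            continue
        reason = INTERNAL_ONLY_PORTS.get(port, "not in the expected-external list")
        findings.append((port, reason, srcs))
    return findings


if __name__ == "__main__":
    for port, counts in sorted(action_tally(SAMPLE_LOG).items()):
        print(f"tcp/{port}: {counts}")
    for port, reason, srcs in unexpected_exposures(SAMPLE_LOG):
        print(f"UNEXPECTED: tcp/{port} ({reason}) accepted from {', '.join(srcs)}")
```

On the constructed sample this reports tcp/1745 accepted from the outside address and stays quiet about 8080, which matches the reasoning in the thread: the Denied entry for 1745 does not make the port closed as long as an Initiate from an external source is also present. On a real deployment the same check would be run against the firewall's own exported log with the parser adjusted to its field layout.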
RE: University Scenario - 15.Jul.2004 12:16:00 PM
sdsmtss (Posts: 45, Joined: 5.Nov.2003)
quote:
Hi Slacker,
Why do you need to use VPN to join the workstations to the domain? You can create Access Policies that allow intradomain communications between any two segments between the ISA firewall.
Thanks!
Tom

Tom,

All of my workstations are on the public Internet. My department has several projects with offices that are located on various different subnets on and off campus. Is this what you had pictured? What kind of access policies would I create for intradomain communication? Could you give a little more detail?
Thanks again.
Stephen

(in reply to grinn253)
Post #: 9