RE: Discussion about article Creating Multiple Security Perimeters with a Multihomed ISA Firewall Part 2

RE: Discussion about article Creating Multiple Security... - 1.May2006 3:08:25 PM   
tshinder

 

Posts: 47490
Joined: 10.Jan.2001
From: Texas
Status: offline
quote:

ORIGINAL: PCC

I'm also using a WSUS server on our internal network and would like to use it to update the servers in the Anonymous DMZ.  I would also like my Symantec Anti-Virus server to update them as well.  Not sure that will work though since the Anonymous DMZ servers are not part of the domain.

Any ideas?

Pete


Hi Pete,

That's right. NO domain members in the anonymous access DMZ. The only domain member that should ever have an interface on the Internet or anonymous access DMZ is a firewall -- like the ISA firewall -- because the firewall is the most secure box on your network.

HTH,
Tom

_____________________________

Thomas W Shinder, M.D.
Sr. Consultant/Technical Writer
Prowess Consulting http://www.prowessconsulting.com/
Blog: http://blogs.isaserver.org/shinder/

GET THE NEW ISA 2006 Book!: http://tinyurl.com/2gpoo8

(in reply to PCC)
Post #: 21
RE: Discussion about article Creating Multiple Security... - 8.May2006 11:41:46 AM   
bctgroup

 

Posts: 30
Joined: 29.Nov.2005
From: Paul Welsh
Status: offline
Currently I have a setup that looks a bit like this.  I have 2 ISA 2004 firewalls, each with 2 NICs, each connected to a separate Internet connection:

Internet1 ---- ISA1 ----|
                        |----- Internal Network, 2 x IIS Servers
Internet2 ---- ISA2 ----|

The 2 connections are for redundancy and to separate traffic.  One connection, an 8 Mb ADSL, is used for web browsing and the other, a 2 Mb leased line, is for incoming traffic to our 2 x IIS servers, one of which is live and the other test/backup.

As you'll notice, there's no DMZ.  This is because I was persuaded by the "swiss cheese" argument that Microsoft use and that Tom quotes in his article: "you have to make cheese out of the firewall to allow intradomain communications, or use an IPSec tunnel through the firewall, so there’s no sense in having a firewall there at all”.

Our IIS servers connect to (a) a SQL Server and (b) a file server so yes, I would have to make some "holes" in the DMZ to allow this traffic.  The SQL Server connection will always be required.  However, there are plans at some later date to change the code in the web app so as to use a web service rather than having to allow the CIFS protocol through.

Internal clients also connect to the IIS servers.  The application on the IIS servers authenticates internal users via Active Directory, so there's another hole in the firewall were a DMZ implemented.

I'm thinking about implementing a DMZ for another IIS server that I'm rolling out shortly.  This will also need access to a SQL db and to Active Directory.  It will run SurfControl's Mobile Filter.  In terms of access from the outside world, only port 80 will need to be open.

In terms of the network topology, it would look like this, with each ISA server having a 3rd NIC and both of them connected to the DMZ.  In the event of one Internet connection going down, the hosts on the DMZ would have their default gateways changed to go via the alternative Internet connection.  Naturally we'd use DNS failover to point external users to the alternative ISA server if there was a problem with one of the connections.

Internet1 ---- ISA1 -------|
                 |         |
                 |         |
                 |--DMZ    |----- Internal Network
                 |         |
                 |         |
Internet2 ---- ISA2 -------|


My questions are as follows:

1. Is there any merit in the swiss cheese argument?  I can clearly see the benefits of a DMZ for "standalone" web servers that don't communicate with the Internal network except in limited circumstances or, say, an SMTP server, but in my case there's a good deal of traffic between the internal network and the IIS servers - SQL, Active Directory, CIFS.

2. Tom's topology has an edge ISA server and a network services perimeter ISA firewall.  In my situation, I don't think I can justify the expenditure of another server, 2003 Server licence and ISA 2004 licence in order to have a network services perimeter ISA firewall.  Does this make a difference as to whether or not to go with a DMZ?


(in reply to tshinder)
Post #: 22
RE: Discussion about article Creating Multiple Security... - 9.May2006 4:35:26 PM   
tshinder

 

Posts: 47490
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi BCT,

What article did you get my quote from?

It might have been ISA 2000?

Even if it's not, I've completely changed my thinking regarding this "swiss cheese" argument. I admit that I was really wrong about that. That's what comes with experience and learning. In fact, you should read my DMZ articles that I've done in the last year where I recommend putting domain members in an authenticated access DMZ. This is especially important when publishing front-end Exchange Server, which should never be placed on the same network as the back-end Exchange Server.

I know that the Exchange guys think you should put the FE and BE on the same network, but remember they're Exchange guys, not network security guys, so they don't fully understand the network security implications of their recommendations.

HTH,
Tom

(in reply to bctgroup)
Post #: 23
RE: Discussion about article Creating Multiple Security... - 11.May2006 11:51:55 AM   
bctgroup

 

Posts: 30
Joined: 29.Nov.2005
From: Paul Welsh
Status: offline
quote:

ORIGINAL: tshinder

What article did you get my quote from?

It might have been ISA 2000?


Hi Tom

In the article you were quoting the Exchange people - it wasn't something you said.  You disagreed.

Can I just clarify that you'd recommend a DMZ even if the server in the DMZ has to connect to:

1. A SQL server in the internal network.
2. Active Directory in the internal network.

I guess that RADIUS could be used instead of allowing the DMZ server to access the Active Directory.




(in reply to tshinder)
Post #: 24
RE: Discussion about article Creating Multiple Security... - 12.May2006 4:02:08 PM   
tshinder

 

Posts: 47490
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi BCT,

Yes, definitely. Remember there are two types of DMZs:

Anonymous Access
Authenticated Access

Domain members should not be placed in anonymous access DMZs

Domain members can be placed in the authenticated access DMZ

So, if the Web server that communicates with the SQL server on the back-end requires pre-authentication at the ISA firewall, then you're good. If you're not pre-authenticating, then you have an anonymous access DMZ and you shouldn't have domain members on it.

This is why the Exchange people are so wrong. The front-end Exchange Server is placed on an authenticated access DMZ. They don't understand the ISA firewall's pre-auth feature and so they put the corpnet at needless risk by putting the FE and BE on the same network.

HTH,
Tom

(in reply to bctgroup)
Post #: 25
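The placement rule Tom states above (domain members only on an authenticated access DMZ, never on an anonymous access DMZ, and a DMZ counts as anonymous as soon as anything on it is published without pre-authentication) can be checked mechanically against an inventory of hosts and publishing rules. The following is an added example written for this thread, not code from any poster or from ISA Server; the host names, network names and rules are constructed, and the `requires_preauth` flag is a stand-in for whatever your firewall product records about a rule's authentication requirement.

```python
"""Policy check for DMZ host placement (added example, constructed data).

Rule encoded here, following the post above:
  * a host on an anonymous-access DMZ must not be a domain member;
  * a DMZ is authenticated-access only if EVERY publishing rule that reaches
    a host on it pre-authenticates the user at the firewall. One anonymous
    rule makes the whole segment anonymous-access, because whoever reaches
    that host is on the same wire as the domain members next to it.
"""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class PublishingRule:
    name: str
    target_host: str
    requires_preauth: bool  # firewall authenticates the client before forwarding


@dataclass(frozen=True)
class Host:
    name: str
    network: str        # e.g. "Internal", "DMZ-Anon", "DMZ-Auth"
    domain_member: bool


def classify_network(network: str, hosts: List[Host],
                     rules: List[PublishingRule]) -> str:
    """Return 'unpublished', 'authenticated' or 'anonymous' for a segment."""
    on_segment = {h.name for h in hosts if h.network == network}
    reaching = [r for r in rules if r.target_host in on_segment]
    if not reaching:
        return "unpublished"
    if all(r.requires_preauth for r in reaching):
        return "authenticated"
    return "anonymous"


def find_violations(hosts: List[Host], rules: List[PublishingRule],
                    internal: str = "Internal") -> List[Tuple[str, str, str]]:
    """List (host, network, classification) for domain members that sit on a
    segment the firewall policy leaves reachable without pre-authentication."""
    violations = []
    for h in hosts:
        if not h.domain_member or h.network == internal:
            continue
        kind = classify_network(h.network, hosts, rules)
        if kind == "anonymous":
            violations.append((h.name, h.network, kind))
    return violations


# Constructed inventory: a front-end Exchange box on an authenticated DMZ,
# two public web servers on an anonymous DMZ (one wrongly domain-joined),
# and a SQL server on the internal network.
HOSTS = [
    Host("owa-fe", "DMZ-Auth", domain_member=True),
    Host("www1", "DMZ-Anon", domain_member=False),
    Host("www2", "DMZ-Anon", domain_member=True),   # the mistake to catch
    Host("sql1", "Internal", domain_member=True),
]

RULES = [
    PublishingRule("OWA publish", "owa-fe", requires_preauth=True),
    PublishingRule("Web1 publish", "www1", requires_preauth=False),
    PublishingRule("Web2 publish", "www2", requires_preauth=False),
]

# Same inventory plus one anonymous rule reaching the FE Exchange host:
# that single rule downgrades DMZ-Auth to anonymous-access and owa-fe
# becomes a violation too.
RULES_MIXED = RULES + [
    PublishingRule("OWA anonymous publish", "owa-fe", requires_preauth=False),
]


if __name__ == "__main__":
    for net in ("DMZ-Auth", "DMZ-Anon", "Internal"):
        print(net, "->", classify_network(net, HOSTS, RULES))
    for v in find_violations(HOSTS, RULES):
        print("VIOLATION:", v)
    for v in find_violations(HOSTS, RULES_MIXED):
        print("VIOLATION (mixed rules):", v)
```

The check deliberately classifies a whole segment rather than a single host: pre-authentication protects the published host, but a domain member shares the segment with every other host on it, so one anonymously published neighbour is enough to turn it into the anonymous access DMZ the post warns about.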
RE: Discussion about article Creating Multiple Security... - 6.Jun.2006 4:39:33 PM   
waynewhittle

 

Posts: 96
Joined: 21.Apr.2004
From: Cardiff
Status: offline
I seem to be banging my head on a brick wall regarding placement of the FE Exchange as there seems to be no common consensus out there. I am however swayed by your idea that it should be placed in an authenticated DMZ. We have a fairly complicated Back to Back ISA 2004 config:

| (External)
|
FE ISA-------Public DNS - Split Brain (Anonymous Access DMZ)
|
|
Hub-----------Public Web Server (Anonymous Access DMZ)
|
|
BE ISA-------FE Exchange (Authenticated Access DMZ)
|
| (Internal)
BE Exchange and other internal hosts

The reason for this (over) complicated setup is because we have to provide x2 public (routable) DNS servers that give out the addresses (External ISA interface address) for our published web servers so I just created an Unauthenticated Access (UA) DMZ on our FE ISA and put them both in there.

The published web servers are also in a UA DMZ between the two ISAs. They are standalone but they access SQL data from one of our internal servers. This is why they are placed there.

The BE Exchange - well I know now that the preferred location is on an Authenticated Access (AA) DMZ and that it will be a domain member. This is where I am unsure. Exactly where do I put the FE Exchange? Do I add a third NIC to my BE and create the AA DMZ here? Can I still publish OWA from here to the outside world? Also all routing relationships between the various networks are routed with the exception of the UA DMZ (the one between the x2 ISAs) and the External which is NAT.

Does this sound about right?

Best regards

Wayne

< Message edited by waynewhittle -- 6.Jun.2006 4:46:56 PM >

(in reply to tshinder)
Post #: 26
RE: Discussion about article Creating Multiple Security... - 6.Jun.2006 5:25:02 PM   
waynewhittle

 

Posts: 96
Joined: 21.Apr.2004
From: Cardiff
Status: offline
Hi Tom,

I've managed to track down your comments at http://forums.isaserver.org/m_290017800/mpage_1/key_authenticated%2caccess%2cdmz/tm.htm#2001997350 where you advise putting a third NIC in the back-end ISA firewall and then create an authenticated access DMZ there. At last an answer!  You also state to move the SMTP relay to the UA DMZ between the two ISA servers. Are you talking about inbound or outbound relay?

The setup we would like to have is:

1. Inbound mail (from internet):  FE ISA (Inbound Smart Host) --> FE Exchange --> BE Exchanges
2. Outbound mail (to internet):   BE Exchange --> Outbound Smart Host

Regarding 2, could I use our public facing DNS server on our FE ISA as our outbound Smart Host - does this pose any security risk allowing SMTP and DNS from the BE Exchange on our internal network to this host?

Best regards

Wayne


(in reply to waynewhittle)
Post #: 27
RE: Discussion about article Creating Multiple Security... - 11.Jun.2006 5:21:44 PM   
tshinder

 

Posts: 47490
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Wayne,

While any extra service on the ISA firewall increases the attack surface, I regularly put DNS advertisers and SMTP relays on a front-end ISA firewall. Those services are pretty robust and I haven't heard of any exploits against those services for a long time. Just be careful in watching disk space, as DNS and SMTP logs can get pretty big relatively quickly. If you use MOM or a similar network management solution, you won't have any problems.

HTH,
Tom

(in reply to waynewhittle)
Post #: 28