Welcome to ISAserver.org

ISA 2004 EE / two internal networks

ISA 2004 EE / two internal networks - 17.Feb.2006 9:32:16 PM   
Gholleman
Posts: 6 | Joined: 1.Feb.2006
I am a bit of an ISA newbie, but I have a very specific network/routing question about it.

At my work (a school) we have several different sites (locations), all of them on their own subnet (10.0.0.0/16), which is fully connected and routed between the different sites. On this network I am deploying ISA Server 2004 EE, where all sites have their own internet connection with their own ISA Server. All servers run in their own array, and all of them use a shared policy so I have one single point of management and one rulebase.

At one of our locations we currently have two ISA Servers. One is connected to the company network (10.x.x.x/16) and a DSL router. The other one is connected to its own (192.168.x.x/16) network (which is used to supply wireless internet to our students with their private laptops) and the same router, but with its own IP.

With ISA 2000 we chose this setup because we don't want ANY connection between the company network and the wireless network.

At the moment we are replacing our ISA 2000, desktop-computer-based ISA Servers with more advanced servers running ISA 2004 EE (as described above), but for management reasons I would like to combine the two servers into the new server.

Would it be possible to connect the insecure 192.168.x.x and the secure 10.x.x.x network to the internet through the same ISA Server, without ANY contact between the two internal networks?
At the moment I have two NICs (one for the secure network and one for the internet connection) in the ISA Server, but of course I would have to add an extra NIC for the insecure network. Or would it be advisable, or even necessary, to add another one as the internet NIC for the insecure network?

Requirements :
- The secure and insecure networks are NOT allowed to communicate in any way.
- The secure network should obey the company rulebase
- The insecure network should have its own rulebase (which is basically HTTP(S) and FTP access to the internet, but preferably at a later stage maybe more ports).

I hope you guys don't blame me for being a newbie, as I'm very curious about your reactions.

Thanks in advance!
RE: ISA 2004 EE / two internal networks - 17.Feb.2006 11:54:19 PM   
Jason Jones
Posts: 4663 | Joined: 30.Jul.2002 | From: United Kingdom
The ISA 2004 model is totally different from ISA 2000: you now create discrete networks and provide full access control between them. This would allow ISA to isolate your two secure and insecure internal networks unless you create specific network rules and firewall policies that allow connectivity.

From what you are asking, you would need three NICs in your ISA (probably spec more than this to allow for other networks): one for the internet, one for the secure network and one for the insecure network. Before you can create firewall policies to permit/deny traffic you will need to create network rules. In your setup, you would create a network rule to allow communication between the insecure network and the internet, but create no network rule to allow insecure to access the secure network. Once the network rule is created, you can then use firewall policies to control protocol use for traffic from insecure => internet. If you do ever need insecure to connect to secure you can, using ISA publishing or VPN connectivity, just like you would from the Internet.

So to answer your questions:

Requirements :
- The secure and insecure networks are NOT allowed to communicate in any way.
>> This is totally possible if you create discrete ISA networks using separate physical interfaces, one for each network. If you do not create network rules and firewall rules, traffic will be denied between the networks.

- The secure network should obey the company rulebase
>> Just create firewall policies that reference the secure network

- The insecure network should have its own rulebase (which is basically HTTP(S) and FTP access to the internet, but preferably at a later stage maybe more ports).
>> Just create firewall policies that reference the insecure network

Personally, I strongly recommend multiple-interface ISA designs, as this allows ISA to segment traditional "internal" networks as opposed to the simple "in and out" firewall model. This topology combined with application layer filtering and authenticated access makes for a very strong security model for internal communications rather than just traditional perimeter firewall security.

A good article that covers this type of stuff is available here: http://www.isaserver.org/tutorials/2004wirelessdmzpart1.html

Cheers

JJ
_____________________________

Jason Jones | Forefront MVP | Silversands Ltd
My Blogs: http://blog.msedge.org.uk/ and http://blog.msfirewall.org.uk/

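The two-stage evaluation JJ describes (a network rule must join two networks before any firewall policy rule is consulted, and with no network rule the traffic is simply dropped) is easy to get wrong when auditing a shared rulebase. The following is an added simulation written for this thread, not ISA code and not something either poster provided. It models the scenario above with constructed address ranges (Secure 10.0.0.0/16, Insecure 192.168.0.0/16, everything else External), NAT relationships from each internal network to External only, and two access rules standing in for the company and wireless rulebases. It deliberately omits ISA details that do not bear on the question (the Local Host network, system policy, user authentication, schedule and content-type conditions).

```python
"""Simulation of ISA Server 2004's network-rule-then-firewall-policy
evaluation (added illustration; not ISA's code, not the forum authors').
All networks, addresses and rules below are constructed for the thread's
scenario and are assumptions, not a real configuration."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Assumed address ranges, one ISA network per NIC as in the thread.
NETWORKS = {
    "Secure": [ipaddress.ip_network("10.0.0.0/16")],
    "Insecure": [ipaddress.ip_network("192.168.0.0/16")],
}
# ISA 2004 defines External as every address not in another network.
EXTERNAL = "External"


def classify(ip: str) -> str:
    """Map an address to the ISA network it belongs to."""
    addr = ipaddress.ip_address(ip)
    for name, ranges in NETWORKS.items():
        if any(addr in r for r in ranges):
            return name
    return EXTERNAL


@dataclass(frozen=True)
class NetworkRule:
    name: str
    src: frozenset
    dst: frozenset
    relationship: str        # "route" or "nat"


@dataclass(frozen=True)
class AccessRule:
    name: str
    action: str              # "allow" or "deny"
    protocols: frozenset     # protocol names, or {"ALL"}
    src: frozenset
    dst: frozenset


class IsaArray:
    def __init__(self, network_rules, policy_rules):
        self.network_rules = list(network_rules)
        self.policy_rules = list(policy_rules)   # ordered; first match wins

    def relationship(self, src_net, dst_net) -> Optional[str]:
        """First gate: is there any network rule joining src to dst?"""
        for nr in self.network_rules:
            if src_net in nr.src and dst_net in nr.dst:
                return nr.relationship
        return None

    def evaluate(self, src_ip, dst_ip, protocol):
        src_net, dst_net = classify(src_ip), classify(dst_ip)
        rel = self.relationship(src_net, dst_net)
        if rel is None:
            # No network rule: the firewall policy is never consulted.
            return "deny", f"no network rule {src_net}->{dst_net}"
        for rule in self.policy_rules:
            if (src_net in rule.src and dst_net in rule.dst
                    and ("ALL" in rule.protocols or protocol in rule.protocols)):
                return rule.action, f"{rule.name} via {rel}"
        return "deny", "default rule"


def leak_paths(array, net_a, net_b):
    """Audit check: names of network rules joining net_a and net_b in either
    direction. For the thread's requirement this list must stay empty."""
    return [nr.name for nr in array.network_rules
            if (net_a in nr.src and net_b in nr.dst)
            or (net_b in nr.src and net_a in nr.dst)]


def build_array():
    network_rules = [
        NetworkRule("Secure to Internet", frozenset({"Secure"}), frozenset({EXTERNAL}), "nat"),
        NetworkRule("Wireless to Internet", frozenset({"Insecure"}), frozenset({EXTERNAL}), "nat"),
        # Deliberately no rule joining Secure and Insecure.
    ]
    policy_rules = [
        AccessRule("Company internet access", "allow",
                   frozenset({"HTTP", "HTTPS", "FTP", "SMTP"}),
                   frozenset({"Secure"}), frozenset({EXTERNAL})),
        AccessRule("Wireless web access", "allow",
                   frozenset({"HTTP", "HTTPS", "FTP"}),
                   frozenset({"Insecure"}), frozenset({EXTERNAL})),
    ]
    return IsaArray(network_rules, policy_rules)


if __name__ == "__main__":
    isa = build_array()
    for src, dst, proto in [("10.0.5.20", "198.51.100.10", "HTTP"),
                            ("192.168.3.7", "198.51.100.10", "HTTPS"),
                            ("192.168.3.7", "198.51.100.10", "SMTP"),
                            ("192.168.3.7", "10.0.0.15", "HTTP")]:
        print(src, "->", dst, proto, isa.evaluate(src, dst, proto))
    print("rules joining Secure and Insecure:", leak_paths(isa, "Secure", "Insecure"))
```

The point of `leak_paths` is the check a practitioner would run after every change to the shared policy: on a real ISA array, look at the Network Rules tab and confirm that no route or NAT relationship lists both internal networks, in either direction, because an access rule that references both networks would otherwise become live the moment such a relationship is added.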