I am a bit of an ISA newbie, but have a very specific network/routing question about it.
At my work (a school) we have several different sites (locations), all of them on their own subnet (10.0.0.0/16), which is fully connected and routed between the different sites. On this network I am deploying ISA Server 2004 EE, where all sites have their own internet connection with their own ISA server. All servers run in their own array, and all of them use a shared policy so I have one single point of management and one rulebase.
At one of our locations we currently have two ISA servers. One is connected to the company network (10.x.x.x/16) and a DSL router. The other one is connected to its own (192.168.x.x/16) network (which is used to supply wireless internet to our students with their private laptops) and the same router, but with its own IP.
With ISA 2000 we chose this setup because we don't want ANY connection between the company network and the wireless network.
At the moment we are replacing our ISA 2000 desktop-computer-based ISA servers with more advanced servers running ISA 2004 EE (as described above), but for management reasons I would like to combine the two servers into the new server.
Would it be possible to connect the insecure 192.168.x.x and the secure 10.x.x.x network to the internet through the same ISA server, without ANY contact between the two internal networks? At the moment I have two NICs (one for the secure network and one for the internet connection) in the ISA server, but of course I would have to add an extra NIC for the insecure network. Or would it be advisable or even necessary to add another one as the internet NIC for the insecure network?
Requirements:
- The secure and insecure networks are NOT allowed to communicate in any way.
- The secure network should obey the company rulebase.
- The insecure network should have its own rulebase (which is basically HTTP(S) and FTP access to the internet, but preferably more ports at a later stage).
I hope you guys don't blame me for being a newbie, as I'm very curious about your reactions.
From: United Kingdom
The ISA 2004 model is totally different from ISA 2000: you now create discrete networks and provide full access control between them. This would allow ISA to isolate your secure and insecure internal networks unless you create specific network rules and firewall policies that allow connectivity.
From what you are asking, you would need three NICs in your ISA server (probably spec more than this to allow for other networks): one for the internet, one for the secure network and one for the insecure network. Before you can create firewall policies to permit/deny traffic you will need to create network rules. In your setup, you would create a network rule to allow communication between the insecure network and the internet, but create no network rule to allow the insecure network to access the secure network. Once the network rule is created, you can then use firewall policies to control protocol use for traffic from insecure => internet. If you do ever need the insecure network to connect to the secure network you can, using ISA publishing or VPN connectivity, just like you would from the internet.
So to answer your questions:
Requirements:
- The secure and insecure networks are NOT allowed to communicate in any way.
>> This is totally possible if you create discrete ISA networks using separate physical interfaces, one for each network. If you do not create network rules and firewall rules, traffic will be denied between the networks.
- The secure network should obey the company rulebase.
>> Just create firewall policies that reference the secure network.
- The insecure network should have its own rulebase (which is basically HTTP(S) and FTP access to the internet, but preferably more ports at a later stage).
>> Just create firewall policies that reference the insecure network.
Personally, I strongly recommend multi-interface ISA designs, as this allows ISA to segment traditional "internal" networks as opposed to the simple "in and out" firewall model. This topology combined with application-layer filtering and authenticated access makes for a very strong security model for internal communications, rather than just traditional perimeter firewall security.
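The answer above hinges on ISA 2004 evaluating traffic in two layers: a packet between two ISA networks is only forwarded if a network rule defines a route or NAT relationship between them, and only then does the firewall policy decide which protocols are allowed. The following Python model is an added example (constructed here, not code from the thread or from ISA's own SDK) that reproduces that evaluation order for the topology in the question: one ISA server with three NICs, a "Secure" network on 10.0.0.0/16, an "Insecure" student wireless network on 192.168.0.0/16, NAT rules from each to External, and deliberately no network rule between Secure and Insecure. The network names, the sample addresses and the over-broad Insecure-to-Secure firewall rule are assumptions chosen to show that without a network rule the firewall rule never gets a chance to match.

```python
"""Toy model of ISA Server 2004's two-layer access control (network rules,
then firewall policy). Constructed example; not ISA's code or COM API."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

ROUTE, NAT = "route", "nat"


@dataclass
class Network:
    name: str
    ranges: list        # IPv4Network objects belonging to this ISA network


@dataclass
class NetworkRule:
    source: str         # network name
    destination: str    # network name
    relationship: str   # ROUTE (applies both ways) or NAT (one-way src -> dst)


@dataclass
class FirewallRule:
    action: str         # "allow" or "deny"
    protocols: set      # protocol names; empty set means "all outbound traffic"
    sources: set        # network names
    destinations: set   # network names


class IsaPolicy:
    """Evaluate a flow: network rules first, firewall policy second."""

    def __init__(self, networks, network_rules, firewall_rules):
        self.networks = {n.name: n for n in networks}
        self.network_rules = network_rules
        self.firewall_rules = firewall_rules

    def locate(self, ip):
        """Map an address to its ISA network; anything undefined is External."""
        addr = ip_address(ip)
        for net in self.networks.values():
            if any(addr in r for r in net.ranges):
                return net.name
        return "External"

    def has_relationship(self, src, dst):
        """Return the route/NAT relationship from src to dst, or None."""
        for r in self.network_rules:
            if r.source == src and r.destination == dst:
                return r.relationship
            if r.relationship == ROUTE and r.source == dst and r.destination == src:
                return ROUTE  # route relationships are bidirectional
        return None

    def evaluate(self, src_ip, dst_ip, protocol):
        """Return (action, reason) for one flow."""
        src, dst = self.locate(src_ip), self.locate(dst_ip)
        rel = self.has_relationship(src, dst)
        if rel is None:
            # Layer 1 fails: with no network rule ISA never forwards between
            # the two networks, regardless of what the firewall policy says.
            return ("deny", "no network rule %s -> %s" % (src, dst))
        # Layer 2: ordered firewall policy, first match wins, implicit deny.
        for fw in self.firewall_rules:
            if (src in fw.sources and dst in fw.destinations
                    and (not fw.protocols or protocol in fw.protocols)):
                return (fw.action, "firewall rule matched via %s" % rel)
        return ("deny", "default rule")


def build_example_policy():
    """Constructed topology mirroring the thread: one ISA server, three NICs."""
    networks = [
        Network("Secure", [ip_network("10.0.0.0/16")]),       # company LAN
        Network("Insecure", [ip_network("192.168.0.0/16")]),  # student wireless
    ]
    network_rules = [
        NetworkRule("Secure", "External", NAT),
        NetworkRule("Insecure", "External", NAT),
        # Deliberately NO network rule between Secure and Insecure.
    ]
    firewall_rules = [
        # company rulebase, scoped to the secure network only
        FirewallRule("allow", {"HTTP", "HTTPS", "SMTP", "DNS"}, {"Secure"}, {"External"}),
        # student rulebase: HTTP(S) and FTP only
        FirewallRule("allow", {"HTTP", "HTTPS", "FTP"}, {"Insecure"}, {"External"}),
        # an over-broad rule an admin might add by mistake (assumed here);
        # harmless because no network rule exists for Insecure -> Secure
        FirewallRule("allow", set(), {"Insecure"}, {"Secure"}),
    ]
    return IsaPolicy(networks, network_rules, firewall_rules)


if __name__ == "__main__":
    policy = build_example_policy()
    for flow in [("192.168.5.10", "203.0.113.5", "HTTP"),    # allowed
                 ("192.168.5.10", "203.0.113.5", "SMTP"),    # default deny
                 ("192.168.5.10", "10.0.1.20", "HTTP"),      # no network rule
                 ("10.0.1.20", "192.168.5.10", "HTTP"),      # no network rule
                 ("203.0.113.5", "192.168.5.10", "HTTP")]:   # NAT is one-way
        print(flow, "->", policy.evaluate(*flow))
```

The useful check this gives a practitioner is the third and fourth flows: even with an "allow everything" firewall rule from Insecure to Secure in the policy, the model denies with "no network rule", which is the isolation guarantee the answer describes. It also shows why the NAT rule to External does not open the reverse direction: the last flow from the internet into the wireless range is denied before any firewall rule is consulted.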