publishing a secure web server internally (Full Version)

All Forums >> [ISA Server 2004 General ] >> Web Publishing





oyvind -> publishing a secure web server internally (10.Mar.2006 11:37:54 AM)

Hi.
Can someone please answer my question regarding secure web publishing:

Situation: 3-legged ISA 2004 server, with 2 public IP addresses on the external interface, 1 private IP address on the user interface and 1 private IP address on the DMZ interface.
We want to configure a secure web publishing rule, publishing one of the web servers in the DMZ to the internet. The web listener listens on one of the public IP addresses on the external interface of the ISA server. We want to use HTTPS from external client to ISA and only HTTP from ISA to web server.
( Client <-- HTTPS --> ISA <-- HTTP --> Web server )
The reason for this is that we want to use a wildcard certificate on the ISA, and no certificate on the web server.

So far, so good!
Now we want to reach that published server from the internal user zone. Using only HTTP is not an option, and neither is installing a dedicated certificate on the web server.
Can this be done?

Thanks in advance.
Øyvind




tshinder -> RE: publishing a secure web server internally (10.Mar.2006 4:53:44 PM)

Hi Oyvind,

Why do you want to do SSL to HTTP bridging? That is a very insecure configuration.

Why can't you install a certificate on the Web server? You know you can make your own, so it won't cost anything.

Thanks!
Tom




oyvind -> RE: publishing a secure web server internally (12.Mar.2006 2:53:03 PM)

Tom!
Why not use SSL to SSL bridging? Well, it costs more CPU cycles, and it complicates the scenario a bit more.
(I guess you are right about the certificates, though. I assume there's no problem with using a public one on the ISA and a private one on the mail frontend?)
And I just cannot see why SSL to HTTP bridging is insecure!
Both mail frontend and ISA reside in the same server rack, both connected to the same Catalyst 3560 switch, using VLANs. The server room is locked; nobody but me has access at any time. Sniffing the traffic is therefore impossible.
Is there anything I have forgotten, Tom?
I'd really like to know why such a setup is insecure!

Thanks!

Øyvind




steavg -> RE: publishing a secure web server internally (13.Mar.2006 3:11:08 PM)

Hi,

Is your website really getting so many hits that SSL traffic will take too many CPU cycles?? In that case you should consider using an SSL offload network card :)

You should strongly consider using SSL between your ISA and the published web server:

1) Defence in depth strategy
2) VLANs are an administrative network solution, not a security solution (VLAN hopping, etc.)


Just my 2 cents,

Greetings,

stefan




oyvind -> RE: publishing a secure web server internally (14.Mar.2006 1:50:17 PM)

Hi,
No, my website is not getting that many hits. It's rather a decision because implementing more security involves more complexity.

I probably could encrypt all traffic going from anywhere to anywhere in my server room, but I just don't see the point.
Implement too much security and you might get blinded in discovering the real security threats.
My policy is to secure the things that should be secured, and leave everything else as is, for improved configuration understanding and future maintenance.
And I still haven't seen a good reason to encrypt an already secured link. It's like putting a VPN tunnel inside a VPN tunnel just for the heck of it.
(And I disagree with your opinion on VLANs; I consider a properly configured VLAN switch to be secure. But luckily, we are both entitled to have our own opinion! :-)

Thanks for your input!

Øyvind





steavg -> RE: publishing a secure web server internally (14.Mar.2006 2:19:56 PM)

Hi oyvind,

Thanks for the feedback...indeed we both are entitled to our own opinion ;)

Good luck with your setup,

Greetings,

Stefan




oyvind -> RE: publishing a secure web server internally (14.Mar.2006 3:53:33 PM)

This issue got sidetracked a bit; I'd still really like to know if my original setup is possible.
If not, I guess I have to use Tom's suggestion, to use a private certificate internally on the mail frontend.

Anyone?

Thanks,

Øyvind




steavg -> RE: publishing a secure web server internally (14.Mar.2006 4:02:48 PM)

Hi,

Have you tried creating a new web listener? Web listener with the internal IP address of the ISA server --> bind the SSL cert to that listener and create a publishing rule that uses that web listener.

Hope this helps,

Greetings,

stefan




oyvind -> RE: publishing a secure web server internally (15.Mar.2006 1:59:06 PM)

Stefan, that is a good idea!
I don't see any reason why this shouldn't work; of course we have to use split DNS, but that is not a problem since we have that already.
There is no reason why the wildcard certificate wouldn't work for two listeners at the same time, is there?
I think you just solved my problem!

Thanks, again!

Øyvind
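The two-listener setup suggested above (one external listener on a public IP, one internal listener on the ISA's internal IP, both bound to the same wildcard certificate, with split DNS resolving the published name to whichever listener a client can reach) works only as long as the certificate's names actually cover the published host name. The following is an added example, not code from this thread or from ISA Server itself: it applies the conservative wildcard-matching rules browsers use (RFC 6125 style) and reports, per listener, whether the bound certificate covers a given host. The listener roles, IP addresses, certificate names and host names are constructed for the demonstration.

```python
"""Wildcard certificate coverage check for a two-listener ISA publishing setup.

Added example, not code from the thread or from ISA Server. The listener
roles, IP addresses and certificate names below are constructed.
"""
from dataclasses import dataclass


def hostname_matches(cert_name: str, hostname: str) -> bool:
    """Return True if a certificate name (CN or dNSName SAN) covers hostname.

    Conservative wildcard rules (RFC 6125 style): the wildcard must be the
    entire left-most label, it matches exactly one label, and it never
    matches the bare parent domain or a public suffix such as "*.com".
    """
    cert_name = cert_name.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in cert_name:
        return cert_name == hostname
    cert_labels = cert_name.split(".")
    host_labels = hostname.split(".")
    # Reject partial wildcards ("w*.example.com") and overly broad ones ("*.com").
    if cert_labels[0] != "*" or len(cert_labels) < 3:
        return False
    # The wildcard stands for exactly one non-empty label.
    if len(host_labels) != len(cert_labels) or host_labels[0] == "":
        return False
    return cert_labels[1:] == host_labels[1:]


@dataclass(frozen=True)
class WebListener:
    """One ISA web listener: its role, where it listens, and the cert names it serves."""
    role: str            # "external" or "internal" (constructed label)
    ip: str              # constructed address
    cert_names: tuple    # dNSName/CN values on the bound certificate


def listener_coverage(listeners, published_host: str) -> dict:
    """Map each listener role to whether its certificate covers published_host."""
    return {
        listener.role: any(hostname_matches(n, published_host) for n in listener.cert_names)
        for listener in listeners
    }


# Constructed sample: the same wildcard certificate bound to both listeners.
WILDCARD_CERT = ("*.example.com",)
LISTENERS = (
    WebListener("external", "203.0.113.10", WILDCARD_CERT),  # public IP (TEST-NET-3)
    WebListener("internal", "10.0.0.1", WILDCARD_CERT),      # ISA internal IP
)


if __name__ == "__main__":
    for host in ("mail.example.com", "example.com", "owa.mail.example.com"):
        print(host, listener_coverage(LISTENERS, host))
```

With split DNS the published name is identical on both sides, so the same certificate matches on both listeners; the cases that fail here (the bare domain, a name one label deeper than the wildcard, a partial wildcard) are the ones that would produce certificate warnings for clients on one or both sides.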




tshinder -> RE: publishing a secure web server internally (17.Mar.2006 4:19:04 PM)

quote:

ORIGINAL: oyvind

Tom!
Why not use SSL to SSL bridging? Well, it costs more CPU cycles, and it complicates the scenario a bit more.
(I guess you are right about the certificates, though. I assume there's no problem with using a public one on the ISA and a private one on the mail frontend?)
And I just cannot see why SSL to HTTP bridging is insecure!
Both mail frontend and ISA reside in the same server rack, both connected to the same Catalyst 3560 switch, using VLANs. The server room is locked; nobody but me has access at any time. Sniffing the traffic is therefore impossible.
Is there anything I have forgotten, Tom?
I'd really like to know why such a setup is insecure!

Thanks!

Øyvind


Hi Oyvind,
Yes, but you should be willing to pay the CPU cost for security. A single stolen username and password combination will make you wish you had deployed a secure configuration. The certificate issue is not complicated, and there are dozens of articles on this site on how to deploy things correctly and securely.

However, if the ISA firewall and the mail server are directly connected, then that would be reasonably secure, although realize that VLANs are not secure.

HTH,
Tom




tshinder -> RE: publishing a secure web server internally (17.Mar.2006 4:20:29 PM)

quote:

ORIGINAL: oyvind

Hi,
No, my website is not getting that many hits. It's rather a decision because implementing more security involves more complexity.

I probably could encrypt all traffic going from anywhere to anywhere in my server room, but I just don't see the point.
Implement too much security and you might get blinded in discovering the real security threats.
My policy is to secure the things that should be secured, and leave everything else as is, for improved configuration understanding and future maintenance.
And I still haven't seen a good reason to encrypt an already secured link. It's like putting a VPN tunnel inside a VPN tunnel just for the heck of it.
(And I disagree with your opinion on VLANs; I consider a properly configured VLAN switch to be secure. But luckily, we are both entitled to have our own opinion! :-)

Thanks for your input!

Øyvind




Hi Oyvind,
Just read the articles on this site. Implementing SSL to SSL bridging is quite easy. And once you do it, you'll be more secure, and there's no substitute for that.

HTH,
Tom




oyvind -> RE: publishing a secure web server internally (20.Mar.2006 8:38:44 AM)

Tom, Stefan!

You probably have convinced me regarding SSL to SSL (using private certificates on the internal side of the bridge). I will seriously consider it; I know it's not a big hassle to implement, and even though the servers are almost directly connected (using VLANs) on the same switch, I will look into it!

But on to a more serious matter:
Both you, Tom, and Stefan claim that VLANs aren't safe. I would REALLY like to hear why you think that!
The reason is actually not the ISA implementation I am talking about in this thread, but another project I am working on: a major network/security implementation in a new hospital, approx. 50 million euros/dollars in IT alone!
We are talking heavy use of virtualization on Cisco and Check Point, and VLANs are at the CORE of this infrastructure/design.
Being assured by major companies (guess who) that VLANs are safe if configured correctly, I find your statements quite upsetting!
So, if you guys can elaborate on your claim that VLANs aren't safe, I'd really appreciate it!

Thanks,

Øyvind




tshinder -> RE: publishing a secure web server internally (21.Mar.2006 2:59:33 PM)

Hi Oyvind,

Here's one http://www.randybias.com/archives/000019.html

But you can do a Google search for VLAN security issues and see that VLANs are only a network management solution, not a security solution.

HTH,
Tom



