Hi. Can someone please answer my question regarding secure web publishing:
Situation: 3-legged ISA 2004 server, with 2 public IP addresses on the external interface, 1 private IP address on the user interface and 1 private IP address on the DMZ interface. We want to configure a secure web publishing rule, publishing one of the web servers in the DMZ to the internet. The web listener listens on one of the public IP addresses on the external interface of the ISA server. We want to use HTTPS from external client to ISA and only HTTP from ISA to web server (Client <-- HTTPS --> ISA <-- HTTP --> Web server). The reason for this is that we want to use a wildcard certificate on the ISA, and no certificate on the web server.
So far, so good! Now we want to reach that published server from the internal user zone. Using only http is not an option, and neither is installing a dedicated certificate on the web server. Can this be done?
Tom! Why not use SSL to SSL bridging? Well, it costs more CPU cycles, and it complicates the scenario a bit more. (I guess you are right about the certificates, though; I assume there's no problem with using a public one on the ISA and a private one on the mail frontend?) And I just cannot see why SSL to HTTP bridging is insecure! Both mail frontend and ISA reside in the same server rack, both connected to the same Catalyst 3560 switch, using VLANs. Server room is locked, nobody but me has access at any time. Sniffing the traffic is therefore impossible. Is there anything I have forgotten, Tom? I'd really like to know why such a setup is insecure!
Is your website really getting that many hits that SSL traffic will take too many CPU cycles?? In that case you should consider using an offload SSL network card :)
You should strongly consider using SSL between your ISA and the published webserver:
1) Defence in depth strategy
2) VLANs are an administrative network solution, not a security solution (VLAN hopping, etc.)
Hi, no, my website is not getting that many hits. It's rather a decision, because implementing more security involves more complexity.
I probably could encrypt all traffic going from anywhere to anywhere in my server room, but I just don't see the point. Implement too much security and you might get blinded in discovering the real security threats. My policy is to secure the things that should be secured, and leave everything else as is, for improved configuration understanding and future maintenance. And I still haven't seen a good reason to encrypt an already secured link. It's like putting a VPN tunnel inside a VPN tunnel just for the heck of it. (And I disagree with your opinion on VLANs; I consider a properly configured VLAN switch to be secure. But luckily, we are both entitled to have our own opinion! :-)
This issue got sidetracked a bit. I'd still really like to know if my original setup is possible. If not, I guess I have to use Tom's suggestion, to use a private certificate internally on the mail frontend.
Have you tried creating a new web listener? Web listener with internal IP address of the ISA server --> bind the SSL cert to that listener and create a publishing rule that uses that web listener.
Stefan, that is a good idea! I don't see any reason why this shouldn't work; of course we have to use split DNS, but that is not a problem since we have that already. There is no reason why the wildcard certificate wouldn't work for two listeners at the same time, is there? I think you just solved my problem!
Thanks!
Øyvind
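A check for the two-listener setup Stefan suggests (added example, not code from the thread or from ISA): connect to each listener by IP with SNI for the published name, verify the chain against the system trust store, and confirm the wildcard name on the certificate actually covers the hostname that split DNS hands out. The listener addresses and hostname are constructed placeholders.

```python
"""Confirm one wildcard certificate serves both ISA web listeners and
covers the published name.  Added example; IPs and hostname are constructed."""
import socket
import ssl

def wildcard_matches(pattern: str, hostname: str) -> bool:
    """Match a certificate DNS name the way browsers do: '*' may replace only
    the whole left-most label and needs at least two labels to its right, so
    '*.example.com' covers 'mail.example.com' but not 'example.com',
    'a.b.example.com' or 'mail.example.org'."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if not pattern.startswith("*."):
        return False
    suffix = pattern[2:]
    if suffix.count(".") < 1:
        return False  # refuse '*.com' style wildcards
    labels = hostname.split(".")
    return len(labels) >= 3 and labels[0] != "" and ".".join(labels[1:]) == suffix

def cert_dns_names(cert: dict) -> list:
    """DNS names from subjectAltName, falling back to the subject CN."""
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not names:
        names = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return names

def listener_covers(ip: str, hostname: str, port: int = 443, timeout: float = 5.0) -> bool:
    """Connect to one listener by IP, send SNI for hostname, verify the chain
    with the system trust store, then do the name check ourselves."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # name matching is done by wildcard_matches
    ctx.verify_mode = ssl.CERT_REQUIRED
    with socket.create_connection((ip, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return any(wildcard_matches(n, hostname) for n in cert_dns_names(tls.getpeercert()))

def check_listeners(hostname: str, listener_ips: list) -> dict:
    """Map each listener IP to True (cert covers the name) or the error seen."""
    results = {}
    for ip in listener_ips:
        try:
            results[ip] = listener_covers(ip, hostname)
        except (OSError, ssl.SSLError) as exc:
            results[ip] = f"error: {exc}"
    return results

if __name__ == "__main__":
    # constructed values: the public listener and the new internal one
    print(check_listeners("mail.example.com", ["203.0.113.10", "192.0.2.10"]))
```

A listener that reports an error rather than True either has no certificate bound or presents one whose chain the client cannot build, which is what internal clients would see too.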
Hi Oyvind, Yes, but you should be willing to pay the CPU cost for security. A single stolen username and password combination will make you wish you had deployed a secure configuration. The certificate issue is not complicated, and there are dozens of articles on this site on how to deploy things correctly and securely.
However, if the ISA firewall and the mail server are directly connected, then that would be reasonably secure, although realize that VLANs are not secure
Thanks for your input!
Øyvind
Hi Oyvind, Just read the articles on this site. Implementing SSL to SSL bridging is quite easy. And once you do it, you'll be more secure, and there's no substitute for that.
You probably have convinced me regarding SSL to SSL (using private certificates on the internal side of the bridge). I will seriously consider it; I know it's not a big hassle to implement, and even though the servers are almost directly connected (using VLANs) on the same switch, I will look into it!
But on to a more serious matter: Both you, Tom, and Stefan claim that VLANs aren't safe. I would REALLY like to hear why you think that! The reason is actually not the ISA implementation I am talking about in this thread, but another project I am working on: A major network/security implementation in a new hospital, approx. 50 million euros/dollars in IT alone! We are talking heavy use of virtualization on Cisco and Check Point, and VLANs are in the CORE of this infrastructure/design. Being assured by major companies (guess who) that VLANs are safe if configured correctly, I find your statements quite upsetting! So, if you guys can elaborate on your claim that VLANs aren't safe, I'd really appreciate it!