Our organisation is currently trialling ISA 2006 as a replacement for a Checkpoint firewall. Currently, the Checkpoint is configured in such a way that external systems see our outbound connections as being from an IP address that is not the actual external IP of the Checkpoint (the firewall is on a .3 address, whereas systems we connect to will see the connection as being from .26). This was apparently done for added security.
My boss is asking if we can do a similar thing on ISA 2006?
OK, let me get this straight. The Check Point Server hides its source address from the destination host by hijacking another computer's IP address, is that right? But it's not even doing that, because it actually doesn't own that IP address? Is that right?
Something sounds fishy here. Can you point to the CP Server docs on what this feature actually is and then we can look it up and see what ISA Firewalls have in the same category.
Yes, essentially destination hosts on the Internet 'see' the connection as coming from an IP address other than the single IP that is bound to our external interface.
The IP that it is 'spoofing' is an IP address that is on the IP range we own (we're not hijacking some other guy's IP here), but any inbound connections to that IP will go nowhere, since there is nothing using that IP at present.
I can't give you a specific feature name; it seems to simply be a NAT rule that's in the Checkpoint config. The last rule in the NAT listing shows that for an originating connection that has a source of 'internal', the 'final' packet will instead appear to have a source of the 'spoof' address.
Choosing the Valid External Address for Hide Mode You can choose to hide the internal IP addresses either behind the IP address of the gateway's external interface, or behind an imaginary IP address.
Let me tell you what I think that is: A big s**t! What are they doing? They are HIDING between real terms with a real meaning to give you a crappy explanation of what the NAT process is. If you have patience enough to read that crap support doc you will figure it out yourself. Security? What security? A mess maybe! What is the purpose when doing so? It is not a big deal to find out what IP addresses you are using. This maybe can confuse some dumb people who are trying to hack you. But these guys are actually no problem when using a firewall like ISA to protect your network because these ones will only try some cheap tricks and ISA will easily defeat them. You don't need such a "Feature" within a firewall. If your boss has a problem understanding that, get him the pages with the vulnerabilities of the CheckPoint. Make sure you feed enough paper into your printer. The big problem with ISA is that you don't have 1:1 NAT and support for multiple external interfaces. You will need another device in front of ISA to do that. Read the white papers for ISA 2006 and for the Checkpoint you are using to understand the differences and to make sure that ISA 2006 will fill your needs. A good start here (if you haven't already read it): http://www.isaserver.org/articles/White-Paper-Why-ISA-2006-Better-Solution-than-ISA-2000-2004.html Have fun!
Thanks for that - I'm sensing that this is probably not doable, but I understand that it's not really adding any additional security.
We're pretty happy moving over to ISA 2006 anyway, as our Checkpoint system is now pretty old, and we need a replacement. ISA Server will allow us to do a straightforward replacement now, and then improve the security by taking advantage of the ISA Server's additional functions over time.
With that in mind, I have one other question. Our configuration (initially) will be to replicate the Checkpoint's configuration, which is that there is an Internal network, an External network, and a public DMZ.
Following one of Tom's articles, the DMZ has been setup to have a routed relationship with the External network, and a NAT relationship with the internal network.
When publishing DMZ servers to the Internet, we'll be using access rules, as advised in the article - but for 'publishing' the DMZ servers to the internal network, are we better off using access rules or publishing rules? Are publishing rules the only option across a NATted network? Or will access rules work just as well to get the access working?
I understand the general advantages offered by publishing rules vs access rules - I just need to get a hold of which ones will work when it comes to getting the initial (fairly basic) configuration working, as we'll undoubtedly be working to take better advantage of the ISA Server over time, moving to a more 'best practices' configuration.
RE: 'Hide' the IP address of an ISA Firewall? - 5.Jan.2007 7:47:08 AM
Hmmm. Confused? Look at this: Celebrity Deathmatch: Access Policy Rules vs. Server Publishing Rules http://blogs.technet.com/isablog/archive/2006/01/16/AccessPolicyRulesVsServerPublishingRules.aspx Please read carefully; you will find your answers there. By the way, pay attention to the fact that your DMZ network must be on a different network (subnet) ID than the external interface. Two options: subnet your public range or use a separate IP range (I've noticed you do have two from your post). That's because ISA can't function in transparent mode (bridging mode). The first question to answer is this: do you really need that public DMZ? As I said before, you can't do 1:1 NAT with ISA.
As for our DMZ - our Checkpoint currently has a subnet of our external range allocated to the DMZ. With the ISA Server, we plan to move the DMZ servers to a second internal network, and then use publishing rules - but we can't do this right away because it would mean changing the local IP of the DMZ servers, and due to quirks in the way that the applications they run interact with each other, the internal network servers, and our partners, we aren't ready to do it right away.
If anyone foresees any major problem there, we'd appreciate the insight! Otherwise we'll push ahead with it as soon as we can :)
RE: 'Hide' the IP address of an ISA Firewall? - 5.Jan.2007 8:40:23 AM
With the ISA Server, we plan to move the DMZ servers to a second internal network
What do you mean by that? They should remain in the DMZ (Perimeter) if they are accessed anonymously (publicly). There must be a difference between security zones: the internal network and the DMZ have different levels of trust.
Well, what I mean is that we plan to move the servers to a network on the ISA Server that has a NAT relationship with the internal network, as opposed to a DMZ network with a routed relationship (as it stands now on the Checkpoint).
RE: 'Hide' the IP address of an ISA Firewall? - 5.Jan.2007 8:54:20 AM
No problem with that. The DMZ (Perimeter on ISA) can have a NAT relationship or a route relationship with the internal network (your choice). You would choose the route relationship when you configure an authenticated DMZ, actually allowing intradomain communications (this will not work with NAT). A more detailed link explaining those is in that blog (it was actually there in one of the comments made to that post): http://www.microsoft.com/technet/isa/2004/plan/internalclientaccess.mspx
< Message edited by adrian_dimcev -- 5.Jan.2007 9:22:05 AM >
What many people have done with Checkpoint and Cisco firewalls is use a different IP address for the outbound PAT translations than the IP address bound to the outside interface of the firewall. You could even use different outside IPs based on the subnet of the internal user. I believe that with ISA, there is no way to change the outside IP of outbound traffic to anything but the IP address of the outside NIC. In my opinion, the "security by obscurity" you gain by changing the IP from the one bound to the outside interface doesn't buy you much anyway. However, it WOULD be nice to be able to change specific servers to use the IP of their NAT rule (i.e. SMTP servers for DNS reasons).