• RSS
  • Twitter
  • FaceBook

Welcome to ISAserver.org

Forums | Register | Login | My Profile | Inbox | RSS RSS icon | My Subscription | My Forums | Address Book | Member List | Search | FAQ | Ticket List | Log Out

'Hide' the IP address of an ISA Firewall?

Users viewing this topic: none

Logged in as: Guest
  Printable Version
All Forums >> [ISA 2006 General] >> General >> 'Hide' the IP address of an ISA Firewall? Page: [1]
Login
Message << Older Topic   Newer Topic >>
'Hide' the IP address of an ISA Firewall? - 4.Jan.2007 9:04:44 AM   
mlomas

 

Posts: 19
Joined: 4.Jan.2007
Status: offline
Hello!

Our organisation is currently trialling ISA 2006 as a replacement for a Checkpoint firewall.  Currently, the Checkpoint is configured in such a way that external systems see our outbound connections as being from an IP address that is not the actual external IP of the checkpoint (the firewall is on a .3 address, whereas systems we connect to will see the connection as being from .26)  This was apparently done for added security.

My boss is asking if we can do a similar thing on ISA 2006?

Many thanks!

--
Mark Lomas
Post #: 1
RE: 'Hide' the IP address of an ISA Firewall? - 4.Jan.2007 10:11:53 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Mark,

OK, let me get this straight. The Check Point Server hides its source address from the destintination host, but hijacking another computer's IP address, is that right? But it's not even doing that, because it actually doesn't own that IP address? Is that right?

Something sounds fishy here. Can you point to the CP Server docs on what this feature actually is and then we can look up it and see what ISA Firewalls have in the same category.

Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to mlomas)
Post #: 2
RE: 'Hide' the IP address of an ISA Firewall? - 4.Jan.2007 10:42:57 AM   
mlomas

 

Posts: 19
Joined: 4.Jan.2007
Status: offline
Yes, essentially destination hosts on the Internet 'see' the connection as coming from an IP address other than the single IP that is bound to our external interface.

The IP that it is 'spoofing' is an IP address that is on the IP range we own (we're not hijacking some other guys IP here), but any inbound connections to that IP will go nowhere, since there is nothing using that IP at present.

I can't give you a specific feature name, it seems to simply be a NAT rule that's on the Checkpoint config - the last rule in the NAT listing shows that for an originating connection that has a source of 'internal', the 'final' packet will instead appear to have a source of the 'spoof' address.

--
Mark Lomas

(in reply to tshinder)
Post #: 3
RE: 'Hide' the IP address of an ISA Firewall? - 5.Jan.2007 5:50:42 AM   
Guest
Hi Mark and Tom,
I've searched a little because I was curios myself and this is what I have found:
http://www.checkpoint.com/support/technical/online_ug/nat.html#10836
scroll down and find imaginary IP address.
quote:

Choosing the Valid External Address for Hide Mode
You can choose to hide the internal IP addresses either behind the IP address of the gateway's external interface, or behind an imaginary IP address.

Let me tell you what I think that is:
A big s**t!
What are they doing?
They are HIDING between real terms with a real meaning to give you a crappy explanation of what the NAT process is.
If you have patience enough to read that crap support doc you will figure it yourself.
Security?
What security?
A mess maybe!
What is the purpose when doing so?
It is not a big deal to find out what IP addresses you are using.
This maybe can confuse some dumb people who are trying to hack you. But these guys are actually no problem when using a firewall like ISA to protect your network because these ones will only try some cheap tricks and ISA will easily defeat them.
You don't need such a "Feature" within a firewall.
If your boss has problem understanding that get him the pages with the vulnerabilities of the CheckPoint.
Make sure you feed enough paper into your printer.
The big problem with ISA is that you don't have 1:1 NAT and a support for multiple external interfaces. You will need another device in front of ISA to do that.
Read the white papers for ISA 2006 and for the Checkpoint you are using to understand the differences and to make sure that ISA 2006 will fill your needs.
a good start here(if you haven't already read it):
http://www.isaserver.org/articles/White-Paper-Why-ISA-2006-Better-Solution-than-ISA-2000-2004.html
Have fun!

(in reply to mlomas)
  Post #: 4
RE: 'Hide' the IP address of an ISA Firewall? - 5.Jan.2007 6:35:46 AM   
mlomas

 

Posts: 19
Joined: 4.Jan.2007
Status: offline
Thanks for that - I'm sensing that this is probably not doable, but I understand that it's not really adding any additional security.

We're pretty happy moving over to ISA 2006 anyway, as our Checkpoint system is now pretty old, and we need a replacement.  ISA Server will allow us to do a straight forward replacement now, and then improve the security by taking advantage of the ISA Servers additional functions over time.

With that in mind, I have one other question.  Our configuration (initially) will be to replicate the Checkpoint's configuration, which is that there is an Internal network, an External network, and a public DMZ.

Following one of Tom's articles, the DMZ has been setup to have a routed relationship with the External network, and a NAT relationship with the internal network.

When publishing DMZ servers to the Internet, we'll be using access rules, as advised in the article - but for 'publishing' the DMZ Servers to the internal network, are we better off using Access rules or Publishing rules?  Are publishing rules the only option accross a NATted network?  Or will access rules work just as well to get the access working?

I understand the general advantages offered by publishing rules vs access rules - I just need to get a hold of which ones will work when it comes to getting the initial (fairly basic) configuration working - as we'll undoubtedly be working to take better advantage of the ISA Server over time, moving to a more 'best practices' configuration.

(in reply to Guest)
Post #: 5
RE: 'Hide' the IP address of an ISA Firewall? - 5.Jan.2007 7:47:08 AM   
Guest
hmmm.
confused?
look at this:

Celebrity Deathmatch: Access Policy Rules vs. Server Publishing Rules
http://blogs.technet.com/isablog/archive/2006/01/16/AccessPolicyRulesVsServerPublishingRules.aspx
please read carefully.
you will find your answers there.
by the way pay attention to the fact that your dmz network must be on a different network(subnet) id then the external interface: two options: subnet your public range or use a separate IP range(I've noticed you do have two from your post). That's because ISA can't function in transparent mode(bridging mode).
The first question to answer is this: do you really need that public DMZ?
as I said before you can't do
1:1 NAT with ISA.

(in reply to mlomas)
  Post #: 6
RE: 'Hide' the IP address of an ISA Firewall? - 5.Jan.2007 8:32:25 AM   
mlomas

 

Posts: 19
Joined: 4.Jan.2007
Status: offline
Thanks for the link!

As for our DMZ - our checkpoint currently has a subnet of our external range allocated to the DMZ.  With the ISA Server, we plan to move the DMZ servers to a second internal network, and then use publishing rules - but we can't do this right away because it would mean changing the local IP of the DMZ servers - and due to quirks in the way that the applications they run interact with each other, the internal network servers, and our partners - we aren't ready to do it right away.

If anyone foresees any major problem there - we'd appreicate the insight!  Otherwise we'll push ahead with it as soon as we can :)

--
Mark Lomas

(in reply to Guest)
Post #: 7
RE: 'Hide' the IP address of an ISA Firewall? - 5.Jan.2007 8:40:23 AM   
Guest
quote:

With the ISA Server, we plan to move the DMZ servers to a second internal network

what do you mean with that?
they should remain in DMZ(Perimeter) if they are accessed anonymous(public).
there must be a difference between security zones. the internal network and the dmz have different level of trust.

(in reply to mlomas)
  Post #: 8
RE: 'Hide' the IP address of an ISA Firewall? - 5.Jan.2007 8:48:06 AM   
mlomas

 

Posts: 19
Joined: 4.Jan.2007
Status: offline
Well, what I mean is that we plan to move the servers to a network on the ISA Server that has a NAT relationship with the internal network, as opposed to a DMZ network with a routed relationship (as it stands now on the checkpoint).

--
Mark Lomas

(in reply to Guest)
Post #: 9
RE: 'Hide' the IP address of an ISA Firewall? - 5.Jan.2007 8:54:20 AM   
Guest
no problem with that. The DMZ(Perimeter on ISA) can have a NAT relationship or a route relationship with internal network(your choice). You would choose the route relationship when you configure an authenticated DMZ, actually allowing intradomain communications (this will not work with NAT).
a more detailed link explaining those in that blog(it was actually there in one of the comments made to that post):
http://www.microsoft.com/technet/isa/2004/plan/internalclientaccess.mspx

< Message edited by adrian_dimcev -- 5.Jan.2007 9:22:05 AM >

(in reply to mlomas)
  Post #: 10
RE: 'Hide' the IP address of an ISA Firewall? - 6.Jan.2007 9:43:04 AM   
tonygauderman

 

Posts: 107
Joined: 6.Feb.2006
Status: offline
What many people have done with Checkpoint and Cisco firewalls is use a different IP address for the outbound PAT translations than the IP address bound to the outside interface of the firewall.  You could even use different outside IP's based on the subnet of the internal user.  I believe that with ISA, there is no way to change the outside IP of outbound traffic to anything but the IP Address of the outside NIC.  In my opinion, the "security by obscurity" you gain by changing the IP from the one bound to the outside interface doesn't buy you much anyway.  However, it WOULD be nice to be able to change specific servers to use the IP of their NAT rule (i.e. SMTP servers for DNS reasons..).

(in reply to tshinder)
Post #: 11
RE: 'Hide' the IP address of an ISA Firewall? - 6.Jan.2007 6:02:29 PM   
spouseele

 

Posts: 12830
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Tony,

everybody expects that the next ISA version should have a much more flexible NAT solution. Let's hope it will be true...

HTH,
Stefaan

(in reply to tonygauderman)
Post #: 12

Page:   [1] << Older Topic    Newer Topic >>
All Forums >> [ISA 2006 General] >> General >> 'Hide' the IP address of an ISA Firewall? Page: [1]
Jump to:

New Messages No New Messages
Hot Topic w/ New Messages Hot Topic w/o New Messages
Locked w/ New Messages Locked w/o New Messages
 Post New Thread
 Reply to Message
 Post New Poll
 Submit Vote
 Delete My Own Post
 Delete My Own Thread
 Rate Posts