Welcome to ISAserver.org
Design Planning Help

Design Planning Help - 22.Jan.2007 11:33:46 AM   
Cuzmarc

 

Posts: 1
Joined: 12.Jan.2007
Status: offline
I have the privilege of getting to do a complete Proof of Concept Microsoft lab using only ISA 2006 for the firewall/protection solution. I am relatively new to ISA and I have been reading through these forums, which has an immense amount of information. I am going for all new technologies and will be using Exchange 2007 with OWA, SharePoint 2007 portal and a website, all of which need to be published securely using ONLY ISA 2006. One main requirement is two factor authentication. I have access to RSA for this lab if needed but I would like to try and do this without if it can be done securely.
The lab has a beefy physical box to use for the ISA firewall and two high end servers which will be housing the Domain in a virtual environment. This will be only used by a test bed of users at most 20 people.
I have a few questions regarding the design which I am hoping the community can help me out with.
Can I accomplish this securely using a Single ISA server joined to the domain or do I need to do a front end back end solution?
If I need to use the front-end back-end solution should the front-end server be a domain member or not? I have read the articles and even the thread where Tom says his front end is not a domain member so I am not sure on the best approach to this.  
For the design I was thinking of: edge firewall on the physical box (ISA) -> DMZ -> back-end ISA (virtual) -> Domain.
Any suggestions or input would be welcomed. Once this is configured the security (l33t Haxxors team) will be pen testing this pretty hard.  
Post #: 1
RE: Design Planning Help - 24.Jan.2007 12:37:09 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Can I accomplish this securely using a Single ISA server joined to the domain or do I need to do a front end back end solution?
TOM: You can do it securely with a single front-end ISA Firewall joined to the domain. There is virtually no difference in terms of relative risk whether or not the ISA Firewall is domain joined -- so I always go with joining the ISA Firewall to the domain because it actually increases your overall security posture because you can leverage more advanced authentication features.

If I need to use the front-end back-end solution should the front-end server be a domain member or not? I have read the articles and even the thread where Tom says his front end is not a domain member so I am not sure on the best approach to this.  
TOM: If I used a FE/BE ISA Firewall configuration, I wouldn't make the front-end a domain member, since that's not required. However, if I'm using a single ISA Firewall without FE/BE, then I make the machine a domain member. The only reason for a FE/BE, in my opinion, is if you want to have an anonymous access DMZ in front of the BE ISA Firewall.

For the design I was thinking of: edge firewall on the physical box (ISA) -> DMZ -> back-end ISA (virtual) -> Domain.
TOM: If you have the extra hardware and software, then go ahead and FE/BE if you want an anonymous access DMZ in front of the BE ISA Firewall, but I don't really think it enhances security, although it could enhance performance as you'll filter out junk connections to the BE ISA Firewall.
HTH,
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to Cuzmarc)
Post #: 2
RE: Design Planning Help - 24.Jan.2007 7:20:31 PM   
Boedus

 

Posts: 195
Joined: 8.Sep.2006
Status: offline
This is what I usually do myself:
2 different firewall vendors as FE/BE.
ISA is perfectly able to handle a FE job and a BE job as well, but as a good security practice we usually recommend using 2 different vendors.
In the following high-level design as well, ISA is working as a BE firewall and as a proxy server, and it is mandatory for the users to go through it to browse the internet. Anonymously or not, it really depends on your needs. But at least security is there.


(in reply to tshinder)
Post #: 3
RE: Design Planning Help - 28.Jan.2007 11:59:56 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Boedus,

The only change I'd make to this is to put a third NIC in one of the ISA Firewalls and create a DMZ there. However, for unauthenticated traffic, this type of DMZ works fine.

Thanks!
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to Boedus)
Post #: 4