I'm currently in a situation where I look after a network that I'm quite unhappy with, I'm looking to propose some changes to the infrastructure.
Our ISA server is a single network card machine doing proxy stuff only and to put it frankly our internet performance is garbage and always has been, failed page loads and general misery. I'm almost certain that the problems are a mixture of bad rules and the layout.
What I want to do is start making better use of the ISA server, but I'm not sure that it is required. Here is a picture of our current situation.
Now my problem is, if I was to use the ISA server in a firewall situation, I'm not sure where I would exactly put it, the network is complicated (for me) slightly by the MPLS connection.
At the moment our hardware firewall is a tri homed solution so the DMZ is handled by it, not sure there is a need for a back end firewall as well.
However, our ISA is currently doing network access rules using the EXTERNAL network in the 'to' section of the firewall policy. While I understand this shouldn't be the case in a single NIC config, I have tried changing it to internal and all internet communication ceases to function. I wonder if this is because the 'internal' networks are specified by IP range? Should I remove these entries specifying our internal network (since everything is the internal network) or add an 'internal' entry for our externally provided upstream firewall?
Posts: 84
Joined: 26.Jan.2006
From: Kenya
Status: offline
Hi,
For starters, in this and your previous postings, you have raised administrative/managerial issues, i.e. what you desire versus what your boss wants. The 1st step to me is to understand your own idea and sell it as a comprehensive one, identifying any vulnerabilities that your config may bring (security is very relative in people's perception!)
Two, you need to approach the issues of ISA and Name Resolution separately because they are fairly independent.
Once you understand what kind of security your company is looking for (through your boss), then you should be able to give your boss a proposal that incorporates it but includes the configuration changes that you need.
With regard to DNS, I think you should have an Internal DNS service, but I am not sure (based on necessity, resource requirement & security concerns) that you need a public DNS. Your explanation of your current implementation isn't clear.
If you are agreeable, then that would allow you to set up an Internal DNS service with forwarders whereby all traffic meant for internet is forwarded to your ISPs DNS servers.
As far as ISA is concerned, I'd go for a dual-homed ISA (add 1 NIC, or even more). This would allow ISA to bring to bear its firewall capabilities.
By the way, you are talking about configuring access rules - ISA will not control access in this single card mode, so note that the rules are not useful.
You also need to depart from the change-no-change formula that is applied by IT people - they want to add new capabilities without changing their current configurations and they are therefore forced to compromise the new capabilities so much they become useless. Review the network entirely to see where ISA fits and in what role. That's why you need your boss on board and also a mastery of DNS and ISA!
Thanks for the reply hantahipi, some clarification.
Management basically agrees that there are some issues but wants a very secure solution; that is the prime concern.
My main issue stems from the fact that I think our ISA server is basically hopelessly misconfigured. We have a single network card using a firewall policy and trying to pass traffic from the internal network to the external network. I can tell you for a fact that this certainly does work to an extent, in that it blocks some traffic, assumes some traffic is 'anonymous' when we are trying to authenticate to websites and generally behaves unpredictably. So it does control access, in a way, but in an unpredictable and unusable way. This is a long-standing problem that I think has been ignored and labelled 'that's the way it is', which I basically want to repair.
The trouble with making the ISA server dual homed, is that because of the MPLS connection, I'm not sure where the server should actually sit, I mean there isn't another segment to connect the other network card to currently.
I hope I'm putting this across clearly; it's a lot more difficult to type than to point at a drawing!
I'm starting to get the feeling that, because we have a tri homed hardware firewall and an offsite externally provided virus/message scanning solution, our ISA server is just needlessly overcomplicating the network and should be reduced to proxying only without attempting to allow/block traffic at all.
quote:
ORIGINAL: catfish
The trouble with making the ISA server dual homed, is that because of the MPLS connection, I'm not sure where the server should actually sit, I mean there isn't another segment to connect the other network card to currently.
That part isn't clear - what other network card?
Important to mention, though, is that you have two options - implement ISA as a proxy and enjoy that, or implement ISA as firewall/proxy and enjoy that too. As long as you are happy with the roles you get, i.e. you do not have rules (or the need for rules) that will not work.
The way I see it, you can always have a multi-homed (read tri-homed) ISA. Traffic from your Other Network can come in on the third card either fully trusted as an internal network (if you trust the traffic or your other firewall) or filtered - that is, if traffic from this network is incoming and not outgoing.
quote:
ORIGINAL: hantahipi
That part isn't clear - what other network card?
Well, our server has 2 network cards; however, 1 is disabled and the ISA is in a unihomed config.
Can you expand a bit on what exactly you mean by 'access rules are not useful' in a unihomed config? I mean, I can start generating internet traffic and look at the ISA server's logs in real time and see that it is blocking requests based on rules that are set up on the box.
I do, however, feel that it isn't working correctly, and my understanding was that if it is unihomed then it's a proxy server, nothing more. HOWEVER, I can see that it is actually actively denying traffic.
That's my whole confusion with this ISA server: I've inherited a unihomed server with a bunch of access rules and they appear to be working sometimes, not all the time, and rather unpredictably.
If I run an ISA best practices server scan, I can see the message
"the external adapter is used in a single network card scenario, When the ISA server computer has 1 network adapter all non local network addresses are included in the internal network. Policy rules should allow or deny traffic from internal to internal network"
This tells me that in a unihomed scenario, access rules do work, with the caveat that things requiring application level filters will not work.
quote:
When you install ISA Server on a computer with a single network adapter, ISA Server is only aware of two networks: the Local Host network that represents the ISA Server computer itself, and the Internal network, which includes all unicast Internet Protocol (IP) addresses that are not part of the Local Host network. In this configuration, when an internal client browses the Internet, ISA Server sees the source and destination addresses of the Web request as belonging to the Internal network.
From the same page you will learn that multi-network policies will not work - like the access rule you referred to with a destination of External! These are the access rules I was indicating that will not work.
Again to emphasize, the supported scenarios are:
Forward webproxy and caching
OWA and Web publishing
On the basis of this, you should be able to exclude all other rules that show up on your ISA as doing anything other than the above; they are not very useful.
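To make the single-adapter behaviour quoted above (and the BPA message earlier in the thread) concrete, here is an added Python model of how ISA classifies addresses into network elements and evaluates a first-match access policy. It is not ISA code and not from this thread; the addresses, ranges and rule names are constructed sample values, and the model deliberately covers only the two points the thread makes (everything non-local is Internal with one NIC, so a rule whose destination is External can never match, while an Internal-to-Internal rule does).

```python
import ipaddress

# Constructed sample data (not from the thread): the ISA host, a client and a web site.
ISA_ADDRESSES = ["192.168.1.5"]        # addresses owned by the ISA computer (Local Host)
INTERNAL_RANGES = ["192.168.0.0/16"]   # 'Internal' defined by IP range (multi-NIC layout)
CLIENT, WEBSITE = "192.168.1.20", "203.0.113.10"

RULES_AS_FOUND = [  # the inherited policy: destination 'External'
    {"name": "Allow web out", "from": "Internal", "to": "External", "action": "allow"},
]
RULES_FIXED = [     # single-NIC policy as the BPA message describes: Internal to Internal
    {"name": "Allow web out", "from": "Internal", "to": "Internal", "action": "allow"},
]


def classify(addr, single_nic):
    """Return the ISA network element an address belongs to."""
    ip = ipaddress.ip_address(addr)
    if ip in (ipaddress.ip_address(a) for a in ISA_ADDRESSES):
        return "Local Host"
    if single_nic:
        # One adapter: every non-local unicast address is Internal, so the
        # External network is empty and a rule 'to External' never matches.
        return "Internal"
    if any(ip in ipaddress.ip_network(n) for n in INTERNAL_RANGES):
        return "Internal"
    return "External"


def evaluate(rules, src, dst, single_nic):
    """First-match evaluation of the access policy; returns (action, rule name)."""
    s, d = classify(src, single_nic), classify(dst, single_nic)
    for rule in rules:
        if rule["from"] == s and rule["to"] == d:
            return rule["action"], rule["name"]
    return "deny", "Default rule"   # the implicit last rule denies everything


if __name__ == "__main__":
    for label, rules, nic in [("as found, single NIC", RULES_AS_FOUND, True),
                              ("as found, dual NIC", RULES_AS_FOUND, False),
                              ("fixed, single NIC", RULES_FIXED, True)]:
        print(f"{label:22s} -> {evaluate(rules, CLIENT, WEBSITE, nic)}")
```

Running it shows the inherited rule falling through to the default deny on a single-NIC box, the same rule matching once a second adapter makes External a real network, and the Internal-to-Internal rewrite matching with one adapter.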