New DMZ Infrastructure (Full Version)

All Forums >> [ISA Server 2004 Firewall] >> Network Infrastructure





rayleask -> New DMZ Infrastructure (24.Jun.2008 2:09:20 PM)

Hi, I want your views about my ideas for a new DMZ infrastructure.  We have just connected a new Internet link, which makes our existing one a bit complex, and we are going to move to a new HQ.  I would like to design one which we could move en masse when the time comes.  Our current ISA is 2004.

What we have now

                               internet 1(Surfing only)
                                     |
                                Bridge 
                                     |
        ISA/Proxy    -   DMZ   -   Remote access security box
                                     |
Internet 2 (VPNs)  -  Cisco Firewall  -  external Organisation
                                     |
                            Internal Network

It's a mess, for historical reasons.  What I was thinking of was a front-end DMZ which uses only one Internet link:

                              Internet
                                   |
                       Cisco Firewall
                                   |
                                DMZ --------ISA Acting as Proxy
                                   |                 Security Box
                                   |                 Email Front End
                                   |                 External Organisation
                     ISA acting as firewall
                                   |
                          Internal Network                 

This gives me a few questions.
Should I have an ISA acting as a proxy as well in the DMZ?
We have three VPNs coming in from external organisations currently ending at the Cisco box.  How should these be handled in this new setup?  We have had little success with VPNs here hence the Cisco box being brought in.

Any views or criticisms are welcome.

Thanks, Ray











pwindell -> RE: New DMZ Infrastructure (24.Jun.2008 4:39:37 PM)

You either have to stop using the Cisco as the VPN Router and start using the ISA as the VPN Router...

OR

Place the ISA and the Cisco side-by-side so they can work independently of each other.  There would be no DMZ, which pretty much would not have been doing anything useful anyway.  In this option you can even have both the Cisco and the ISA acting as a VPN Router independently at the same time.

Option #1

                           Internet
                                  |
                      Cisco Firewall  (VPN Pass-through enabled)
                                  | 
                      Back-2-Back DMZ (pretty much doing nothing) 
                                  | 
                    ISA acting as firewall & VPN Router
                                  |
                         Internal Network

Option #2

               Internet
                    |
             -----------
           /                \
      /                         \
    |                              |
Cisco FW           ISA Firewall
    |                              |
      \                         /
         \                   /
            ------------
                   |
          Internal LAN




rayleask -> RE: New DMZ Infrastructure (25.Jun.2008 6:41:36 AM)

Hi Phillip, thanks for your reply.  Having two boxes that can both handle VPNs is a confusing factor.  I want to stay with the Cisco for those, but this won't work with my current design idea.  You state that the DMZ is pretty much not doing anything.  Can you expand on this?  The idea is to isolate those services from the Internal Network.

Thanks, Ray




pwindell -> RE: New DMZ Infrastructure (25.Jun.2008 9:27:35 AM)

If you put the email front end in the Back-to-Back DMZ then that is what the DMZ would be doing.  I wasn't thinking of the mail front end... I never use one of those; I don't see the point of buying two mail servers to do the job of one... so I never use a FE/BE mail setup. I just have the mail server on the LAN behind the firewall and that is all.




justmee -> RE: New DMZ Infrastructure (25.Jun.2008 11:41:05 AM)

Hi,
Ahh, the Cisco - ISA back to back with VPN connections stuff...

There was some kung-fu fighting here:
http://forums.isaserver.org/m_2002067633/mpage_1/key_/tm.htm#2002067988
Jason seems to have the black belt[;)]...

It looks like what you want is to terminate the site-to-site VPN connections on the ASA (people seem to agree that this is a good idea).
In this case you will have a route relationship on ISA between the Internal and External Networks.
If you follow this approach, personally I would *not* place any device in the DMZ between ISA and the Cisco FW. At first glance I would put that "FE email server" on an ISA DMZ. If you have a two-cent anonymous web server you can put it on a Cisco FW DMZ.
It would be better to terminate VPN remote access connections on ISA.

So you offload VPN site-to-site traffic from ISA (in theory better performance; for example you have the Cisco FW dealing with decrypting/encrypting site-to-site VPN traffic, a fast junk incoming traffic cleaner, DoS limiting, IPS maybe; ISA deals with remote access VPN traffic and web proxy, and if you use the FWC you can control other traffic than web traffic based on user credentials, thus better control over outbound access, and it offers better protection for your Exchange servers with OWA SSL bridging with pre-authentication...), and maybe eliminate some worries/problems associated with IPsec tunnel mode connections and ISA.

The DMZ between firewalls is used to retain some attacks. However, in order for this to happen, you need to know exactly what traffic you pass through your firewalls and have *only* the required firewall policies, allowing just the needed traffic on both firewalls. You need to understand the routing/traffic path too, and also the goods and bads of your firewalls, their strong and weak points.

For example, if the Cisco FW were alone, a vulnerability in it may permit traffic to escape through it. But with the back to back design, ISA may stop the exploit by blocking the malicious traffic. Or if a vulnerability in ISA permits some traffic to escape through it, the Cisco FW may block that traffic.
Or maybe if some malicious traffic may pass through the inspection of one of the firewalls, the other firewall may stop this traffic.

The front end FW will apply its own DoS limiting policies, so ISA will have to handle fewer connections in case of a DoS attack (assuming that the front end FW "will still stand" and not become DoS-ed itself).

Everybody has their own ideas about "DMZs". Personally, I like security zones and take them seriously. I once cascaded 10 firewalls. That was fun.

As you can see, with the back to back approach you have some flexibility and better security; you can distribute your requirements a little bit (ISA handles some of them better, the Cisco FW others). Due to the distribution you may get better performance, and performance is related to security.

Personally I'm not a fan of the parallel approach with ISA and Cisco FW. IMHO, the back to back design offers better security because each firewall functions as a true gateway for traffic: traffic must pass through it to go in or out. It's like having two back to back doors to your house, and you need to unlock both of them in order to enter your house or to get out of it. But maybe you will find that the parallel design will have certain advantages for you. Your call...
Regards!
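The "two doors" argument above can be made concrete. The following Python model is an added illustration and is not code from this thread, from Microsoft or from Cisco: the firewall names, the allow lists, the probe flows and the hypothetical "fail_open" bug are all constructed, and the rule format is a plain (source zone, destination zone, TCP port) triple rather than ISA or ASA policy syntax. It assumes the routed (non-NAT) relationship on ISA that justmee describes, so both devices evaluate the same endpoints. In the cascade a flow must be permitted by every device; in the side-by-side layout an inbound connection gets in if either edge device permits it, because the remote side chooses which edge address to talk to.

```python
"""Toy model of back-to-back (cascaded) versus parallel firewalls.

Added example, not from the forum thread or either vendor. All zone
names, rules, ports and the "fail_open" bug are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Set, Tuple

Rule = Tuple[str, str, int]   # (source zone, destination zone, destination port)


@dataclass
class Firewall:
    name: str
    allow: Set[Rule]                                    # explicit permits; anything else is denied
    fail_open: Set[Rule] = field(default_factory=set)   # constructed: flows a hypothetical bug leaks

    def permits(self, rule: Rule) -> bool:
        return rule in self.allow or rule in self.fail_open


def back_to_back(chain: Iterable[Firewall], rule: Rule) -> bool:
    """Cascaded firewalls: the flow must be permitted by every device on the path."""
    return all(fw.permits(rule) for fw in chain)


def parallel(edges: Iterable[Firewall], rule: Rule) -> bool:
    """Side-by-side firewalls in front of one LAN: an inbound flow reaches the
    LAN if any edge device permits it, since the remote side picks the edge."""
    return any(fw.permits(rule) for fw in edges)


# Constructed policies. The front-end device over-permits RDP (a common
# mistake); the back-end device has a hypothetical bug that leaks port 1433.
ASA = Firewall("Cisco ASA", allow={
    ("internet", "lan", 443),
    ("internet", "lan", 25),
    ("internet", "lan", 3389),
})
ISA = Firewall("ISA 2004", allow={
    ("internet", "lan", 443),
    ("internet", "lan", 25),
}, fail_open={("internet", "lan", 1433)})

PROBE_FLOWS: List[Rule] = [
    ("internet", "lan", 443),
    ("internet", "lan", 25),
    ("internet", "lan", 3389),
    ("internet", "lan", 1433),
    ("internet", "lan", 22),
]


def compare(flows: Iterable[Rule] = PROBE_FLOWS) -> Dict[int, Tuple[bool, bool]]:
    """Return {port: (allowed_in_back_to_back, allowed_in_parallel)} per probe flow."""
    return {
        port: (back_to_back([ASA, ISA], (src, dst, port)),
               parallel([ASA, ISA], (src, dst, port)))
        for (src, dst, port) in flows
    }


def extra_exposure(flows: Iterable[Rule] = PROBE_FLOWS) -> List[int]:
    """Ports the parallel layout lets in that the cascade blocks: one device's
    mistake or bug is covered by the other only when both sit in the path."""
    return sorted(p for p, (b2b, par) in compare(flows).items() if par and not b2b)


if __name__ == "__main__":
    for port, (b2b, par) in compare().items():
        print(f"port {port:5d}: back-to-back={'allow' if b2b else 'deny':5s} "
              f"parallel={'allow' if par else 'deny'}")
    print("extra exposure in parallel layout:", extra_exposure())
```

Running it shows 443 and 25 allowed in both layouts, while 3389 (the front-end over-permit) and 1433 (the back-end bug) only get through in the parallel layout. The model ignores routing asymmetry, NAT and stateful inspection; its one point is that the cascade enforces the intersection of the two policies and the parallel layout effectively enforces their union.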




pwindell -> RE: New DMZ Infrastructure (25.Jun.2008 3:08:31 PM)

Ahh, the Cisco - ISA back to back with VPN connections stuff...

There was some kung-fu fighting here:
http://forums.isaserver.org/m_2002067633/mpage_1/key_/tm.htm#2002067988
Jason seems to have the black belt[;)]...


Ah! Yes, Jason's my man!

In this case you will have a route relationship on ISA between the Internal and External Networks.

Yes. In fact Jason's the one that turned me on to that idea of a routed relationship in a B2B DMZ.  I just haven't gotten used to thinking about it that way,... and I forget sometimes.

As far as the FE Mail Server, it doesn't matter to me if it is in the B2B DMZ or in the Tri-H DMZ off the ISA; either way it's the same to me because for myself I doubt I would ever use the FE/BE model with Exchange. It may have some advantages (I suppose) but not enough for me to consider it worth the trouble.




justmee -> RE: New DMZ Infrastructure (26.Jun.2008 4:50:32 AM)

Hi Phillip,
So you take no prisoners, eh [:)]?
Now, tell me, you have some money, so you go and buy a safe, put the money in it, grab a chain, attach the safe with a chain to the tree in front of your house and go to sleep[8D] ?
Why bother to bring the safe into your house, it's too heavy[;)]...
Take it to the basement, in a room with concrete walls locked with a metal door, hell no, it's a safe anyway...[:D]
Just kidding, hope you do not mind.
Regards,
J




pwindell -> RE: New DMZ Infrastructure (26.Jun.2008 10:07:16 AM)

I just don't believe that not having a DMZ is unsafe.

And I don't believe that a DMZ necessarily makes things that much safer,...in some cases I don't believe there is any difference at all. I know if I were wanting to get into someone's system I could do it (theoretically speaking) no matter if there were no DMZ or 15 DMZs between them and the Internet. The DMZs just simply wouldn't matter.

But that is a side track anyway,..my real point was that I don't see the real need for a FE mail server sitting outside the LAN. I believe I am fine having a single mail server sitting on the internal LAN that is published by ISA. Now in my particular case Exchange is not published at all,...I have a Barracuda SPAM Filtering Appliance sitting on the LAN that is published by ISA "as if" it was the Exchange. The Exchange itself only has simple outbound SMTP permissions. I guess if you want to consider that a type of FE Mail server that is fine, but in any case it is all on the Internal LAN with ISA doing the publishing, and no DMZ.

As far as the illustration of the safe, I just don't acknowledge illustrations like that too much because they never accurately represent the way things really work and often feed people's misconceptions of how things really work.  That's how we end up calling home user NAT Firewalls "routers" when they are not routers, and calling the Layer 3 action of Reverse NAT "port forwarding" when there is no such thing as "port forwarding", and even if there was it would be Layer 4,...which isn't the layer the action is happening at.  There is no safe, no chain, no metal door, and no basement,...it is just a few PCs arranged in a particular topology that are subject to whatever the software and the physical arrangement allow them to do.




justmee -> RE: New DMZ Infrastructure (26.Jun.2008 11:33:53 AM)

Hi Phillip,
So you did mind.[:(]
The idea is that I'm not referring to "DMZs". I'm referring to security zones. Big difference IMHO. I've just used the word because I thought it would be easier to understand within this topic, since the author mentioned it.

Yes, everything is in theory. If we had a definitive solution...

And it's not about only "I were wanting to get into someones system I could do it (theoretically speaking)", it's also about the time you would need to do so, I would say. 5 minutes compared to 50 minutes time to react can make the difference...

With the security zones approach we can talk about least privilege and we can "buy time". With a flat network design made of flat devices sharing flat data we cannot. Or at least I can't see how.

Interestingly, vendors like Microsoft take security zones seriously (at least from my humble point of view); for example see the IAG 2007 or the future UAG products (ISA has for a long time been a part of the picture). I do not see the word DMZ, say, in relationship with remote workers. After all, these remote workers are not flat devices accessing flat data on a flat network. They are security zones themselves IMHO.

Take it easy, I got your point, just hit google with "DMZ"+"dead", you're not alone out there... A war involving "DMZs" was started some time ago...
Regards,
J




Jason Jones -> RE: New DMZ Infrastructure (26.Jun.2008 12:02:56 PM)

Hey guys, thought I felt my ears burning! [:)]

Not sure about Kung Fu, but I would love to get a black belt in "least privilege" as this is one of my favourite ISA design topics [8|] [:D]

Totally agree with J on the security zones model...not got a problem with people calling them DMZs as long as they realise that ISA DMZs are *VERY* different to traditional network firewall DMZs.

ISA does a very good job most of the time, but sometimes ISA cannot protect you (a badly written web application being a good example) and in this regard least privilege or defence in depth is your saviour and the damage is at least contained so that you can still protect other more critical assets. Maybe DMZ should stand for "Damage Management Zone"? [8D]

Just because an application is shielded from the Internet by ISA shouldn't mean that the application should share the same security zone as your domain controllers. ISA is just one part of the overall solution (albeit a key one) but you do need to consider the entire security model. Good network topology design which includes DMZs is still very valid IMHO. If ISA is at the heart of this topology then even better!

Anyhow, back to the OP's original question! [:)]

Cheers

JJ




pwindell -> RE: New DMZ Infrastructure (26.Jun.2008 12:13:56 PM)

Hi Phillip,
So you did mind.[:(]


No,..I didn't mind.  You're reading emotions into my post that were not there.

However I am not really interested in debating about DMZs,...I simply stated my opinion about them.

The same is true about FE mail servers,..and you can have one of those without a DMZ by having the FE on the public side and a BE on the LAN side, so they are two separate ideas.




Jason Jones -> RE: New DMZ Infrastructure (26.Jun.2008 12:16:43 PM)

Hi Ray,

I still stand by my comments in the post provided by J (here)

J put an interesting spin on things, which is also worthy of consideration. Given the budget, I would separate inbound and outbound with separate servers/arrays. If not, I would just go with a standard B2B topology with ISA at the back, closest to your important assets. Terminate site-to-site VPNs on the ASA, terminate client-to-site VPNs on the ISA.

If you are contemplating using a separate ISA Server (unihomed) in the DMZ then I would suggest you actually place this as a dual-homed service in parallel to the back ISA firewall.

The whole point of putting in a two-vendor technology solution is to get the best of both, and no matter what the vendor tells you, they each have their own strengths and IMHO the above approach is playing to their strengths.

If you are going to use application DMZs, use ISA to protect these networks. If you have more traditional DMZ requirements, e.g. for IDS or other network-type devices, then you could also use the ASA DMZs or the security zone between the firewalls.

I always prefer to leave the network between the front-end and back-end firewall (the original DMZ concept) as a transit network that contains no hosts/servers at all. Use ISA to create multiple DMZs or security zones and then place relevant servers into appropriate security zones dependent upon their risk, asset value, importance to the business, internet-facing necessity etc.

Cheers

JJ




Jason Jones -> RE: New DMZ Infrastructure (26.Jun.2008 12:35:05 PM)

In summary [:)]

So, if you are tight for money, go for:

                             Internet
                                  |
                          Cisco ASA 
                                  | 
                         Transit DMZ
                                  |                 
                                  |                 
                ISA acting as firewall/proxy----L7 security zone DMZs 
                                  | 
                      Internal Network                

If you are feeling flush, go for:

                             Internet
                                  |
                          Cisco ASA 
                                  | 
                         Transit DMZ 
                                  |                               
                        |                    |     
L7 DMZs-----ISA               ISA 
                   inbound        outbound 
                        |                    |
                      Internal Network                 

If you want to be really flash, your internal network could actually be one (or many) of your L7 DMZs so that even the internal network has segmentation [;)]

Cheers

JJ
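The summary drawings above (transit DMZ with no hosts, L7 security zones off the ISA, and optionally the internal network as a zone of its own) can be turned into a small policy model and checked for blast radius, which is what "Damage Management Zone" amounts to. The Python below is an added example, not code from this thread or from any of the products mentioned: the zone names, the two rule sets and the port numbers are constructed, and a rule is just (source zone, destination zone, port). Each hop in the search stands for a worst-case pivot through a host that has already been compromised, so the one-hop result is what a compromised web server can reach directly, and the two-hop result shows the extra step an attacker is forced to take in the segmented design.

```python
"""Zone reachability check for a segmented ISA-style design.

Added example, not from the forum thread or any vendor. Zones, rules and
ports are constructed to mirror the summary drawing.
"""
from collections import deque
from typing import Dict, List, Set, Tuple

Rule = Tuple[str, str, int]   # (source zone, destination zone, destination port)


def rules_by_source(rules: List[Rule]) -> Dict[str, List[Tuple[str, int]]]:
    """Index the allow rules by source zone for the search."""
    index: Dict[str, List[Tuple[str, int]]] = {}
    for src, dst, port in rules:
        index.setdefault(src, []).append((dst, port))
    return index


def reachable(rules: List[Rule], start: str, max_hops: int) -> Set[Tuple[str, int]]:
    """Services (zone, port) an attacker in `start` can reach within `max_hops`
    pivots, assuming every host reached can in turn be compromised."""
    index = rules_by_source(rules)
    seen: Set[Tuple[str, int]] = set()
    visited_zones = {start}
    frontier = deque([(start, 0)])
    while frontier:
        zone, hops = frontier.popleft()
        if hops == max_hops:
            continue
        for dst, port in index.get(zone, []):
            seen.add((dst, port))
            if dst not in visited_zones:          # BFS: first visit is the shortest
                visited_zones.add(dst)
                frontier.append((dst, hops + 1))
    return seen


# Constructed segmented design. No rule names "transit": it holds no hosts
# and is only the path between the front-end ASA and the ISA.
SEGMENTED: List[Rule] = [
    ("internet", "web_dmz", 443),    # published web application
    ("internet", "mail_dmz", 25),    # inbound SMTP to the mail front end
    ("web_dmz", "internal", 1433),   # the app may talk to its database only
    ("mail_dmz", "internal", 25),    # front end relays to the back-end mail server
    ("internal", "dc", 88),          # Kerberos to the domain controllers
    ("internal", "dc", 389),         # LDAP to the domain controllers
    ("internal", "internet", 443),   # proxied outbound browsing
]

# Constructed flat design: same services, but the web app and mail server
# sit on the internal network alongside the domain controllers.
FLAT: List[Rule] = [
    ("internet", "internal", 443),
    ("internet", "internal", 25),
    ("internal", "dc", 88),
    ("internal", "dc", 389),
    ("internal", "internet", 443),
]


def web_compromise_exposure(max_hops: int = 1) -> Dict[str, Set[Tuple[str, int]]]:
    """What a compromised web server can reach in each design; in the flat
    design the web server lives in the internal zone."""
    return {
        "segmented": reachable(SEGMENTED, "web_dmz", max_hops),
        "flat": reachable(FLAT, "internal", max_hops),
    }


if __name__ == "__main__":
    for hops in (1, 2):
        for design, services in web_compromise_exposure(hops).items():
            print(f"{hops} hop(s) {design:9s}: {sorted(services)}")
```

With one hop the segmented design exposes only the database port, while the flat design gives the same compromised host direct Kerberos and LDAP access to the domain controllers; with two hops the segmented design does reach the DCs, which is the "buy time" point: the zones do not make the DCs unreachable, they add a pivot that has to be won and that can be detected.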




justmee -> RE: New DMZ Infrastructure (26.Jun.2008 2:38:17 PM)

Hi Jason,
I would add that along with the control finesse you get having a route relationship between ISA's Internal and External from ASA's point of view, you also get some finesse over certain NAT scenarios that ISA cannot handle (say the 1:1 NAT issue).

I don't think my design is needed here.
My scenario may work in what Tom does here with the parallel design:
http://www.isaserver.org/tutorials/creating-parallel-isa-firewall-configuration-netscreen-dmz.html
enabling you to use the FWC on the branch offices while keeping the back to back design in place. You lose the finesse over the NAT scenarios and some of the control finesse over certain outbound traffic. Also the web proxy on ISA is available for branch offices. It enables a "virtual link" to exist between sites too (if desired).
You lose here and gain there.
But, as said above, I do not see any need for my design in the scenario of this topic.

Your drawings are just spot on[;)].
Regards,
J




rayleask -> RE: New DMZ Infrastructure (27.Jun.2008 11:07:37 AM)

Hi, thanks for everyone's input.  Interesting stuff that I will take a more in-depth look at over the weekend.  One thing I have found useful of a non-technical nature is printing out a large map of our current topology and sticking it up in front of my desk.  Just sitting back every now and again and looking at it helps!

Thanks, Ray



