Welcome to ISAserver.org

Active Directory Authentication Secure? how?

Active Directory Authentication Secure? how? - 6.Nov.2008 12:58:18 PM   
shankaran


Posts: 6
Joined: 6.Nov.2008
Status: offline
Currently I am running ISA Server 2006 for Exchange services.

I have a Cisco firewall allowing only port 443 into my ISA server sitting on the DMZ. The ISA server is part of our AD network. On our internal firewall, only 443 and AD related (DNS, etc) ports are opened from ISA server to our internal network.

Now users come in through forms based authentication with Active Directory.

I have been told this is the best setup, by reading documents etc. Please correct me if I am misled.

My question is, I'm looking for an article, preferably a Microsoft article, stating that authenticating outside users on ISA through our internal AD is secure.


Thanks in advance.
Post #: 1
RE: Active Directory Authentication Secure? how? - 6.Nov.2008 5:08:33 PM   
Jason Jones


Posts: 4663
Joined: 30.Jul.2002
From: United Kingdom
Status: offline
With ISA in a DMZ network topology like this, and assuming you are using ISA merely as an application proxy, then no, this is not the best setup IMHO. You should be using LDAP based authentication (actually LDAPS to be specific) which will significantly reduce the level of protocol access on your Cisco firewall (providing least privilege) and does not require ISA to be a domain member.

There are many benefits to making ISA a domain member; if you need these benefits, you are better with a bridging model whereby ISA is connected to both the DMZ and the Internal network. ISA is then able to act as a true firewall whilst also providing necessary application proxy services. Placing an application layer firewall into the DMZ of a network level firewall just doesn't make sense if you think about it, especially when you consider that ISA can probably secure your Microsoft assets much better than your Cisco firewall could ever dream of...

These articles may be handy:

http://www.isaserver.org/tutorials/Debunking-Myth-that-ISA-Firewall-Should-Not-Domain-Member.html

http://www.isaserver.org/tutorials/LDAP-Pre-authentication-ISA-2006-Firewalls-Part1.html

Cheers

JJ

_____________________________

Jason Jones | Forefront MVP | Silversands Ltd
My Blogs: http://blog.msedge.org.uk/ and http://blog.msfirewall.org.uk/

(in reply to shankaran)
Post #: 2
RE: Active Directory Authentication Secure? how? - 6.Nov.2008 5:11:06 PM   
shankaran


Posts: 6
Joined: 6.Nov.2008
Status: offline
Thank you for the response.

Sorry I wasn't clearer. The ISA server is connected to both the internal and DMZ networks. A split DNS is set up on ISA also.

(in reply to Jason Jones)
Post #: 3
RE: Active Directory Authentication Secure? how? - 6.Nov.2008 5:29:03 PM   
Jason Jones


Posts: 4663
Joined: 30.Jul.2002
From: United Kingdom
Status: offline
quote:

On our internal firewall, only 443 and AD related (DNS, etc) ports are opened from ISA server to our internal network.

So why do you need to do this if ISA is connected directly to the internal network??

Maybe a diagram would help?

Cheers

JJ


(in reply to shankaran)
Post #: 4
RE: Active Directory Authentication Secure? how? - 6.Nov.2008 5:34:25 PM   
shankaran


Posts: 6
Joined: 6.Nov.2008
Status: offline
Since only port 443 and AD related ports are being used, it might seem pointless, but I was just giving a little more detail.

So basically:

internet -- external firewall (port 443) -- ISA server
                                                |
                                                |
                                   internal firewall (443 and DNS ports)
                                                |
                                                |
                                            exchange

(in reply to Jason Jones)
Post #: 5
RE: Active Directory Authentication Secure? how? - 7.Nov.2008 9:15:59 AM   
Jason Jones


Posts: 4663
Joined: 30.Jul.2002
From: United Kingdom
Status: offline
Right, given that topology I would suggest using ISA as a non-domain member and using LDAP authentication - this is the closest "least privilege" design given the constraints.

A better design would be to place ISA in parallel to your internal firewall. ISA then provides both firewall and application proxy functionality and removes the need to pass any traffic through the internal firewall which is probably not very good at inspecting Exchange and AD related protocols anyhow...remember, the most intelligent security device should be closest to your assets; in this particular case, ISA should be closest to Exchange to provide the best protection.

If the internal firewall is as advanced as ISA and can provide application-level protection for AD related services like DNS, RPC etc. then your current design may be more workable; if not, use ISA for what it is good at, protecting Microsoft assets and services, and let this drive the overall design, as opposed to trying to squeeze ISA in as an afterthought...

Cheers

JJ


(in reply to shankaran)
Post #: 6
RE: Active Directory Authentication Secure? how? - 7.Nov.2008 9:43:54 AM   
shankaran


Posts: 6
Joined: 6.Nov.2008
Status: offline
Thanks again for your responses.

I remember reading this article:

http://www.isaserver.org/tutorials/Debunking-Myth-that-ISA-Firewall-Should-Not-Domain-Member.html

Then another article which talked about the parallel deployment, so I had my ISA on 2 interfaces, internal and DMZ. But then since I had my hardware firewall, I figured why not take it one step further and just lock it down there too.

Forgive me. I'm looking through my settings on ISA again; it's been a while since I configured it and left it. Under general configuration and LDAP servers, I do have my DC LDAP server specified. Under my rules for Exchange, my listener is using LDAP. I guess this conversation just served as a refresher course! ;] But the ISA server is still part of the domain... So in order to be the most secure, I would need to take it out?

So when doing authentication, LDAP is the way to go? Does this apply to when using ISA to authenticate for web servers also?

(in reply to shankaran)
Post #: 7
RE: Active Directory Authentication Secure? how? - 7.Nov.2008 4:07:10 PM   
Jason Jones


Posts: 4663
Joined: 30.Jul.2002
From: United Kingdom
Status: offline
quote:

ORIGINAL: shankaran

Thanks again for your responses.

I remember reading this article:

http://www.isaserver.org/tutorials/Debunking-Myth-that-ISA-Firewall-Should-Not-Domain-Member.html

Then another article which talked about the parallel deployment, so I had my ISA on 2 interfaces, internal and DMZ. But then since I had my hardware firewall, I figured why not take it one step further and just lock it down there too.

Forgive me. I'm looking through my settings on ISA again; it's been a while since I configured it and left it. Under general configuration and LDAP servers, I do have my DC LDAP server specified. Under my rules for Exchange, my listener is using LDAP. I guess this conversation just served as a refresher course! ;] But the ISA server is still part of the domain... So in order to be the most secure, I would need to take it out?

So when doing authentication, LDAP is the way to go? Does this apply to when using ISA to authenticate for web servers also?

If you intend to keep ISA in front of your internal firewall as opposed to in parallel, then yes, I would consider taking it out of the domain to greatly simplify the firewall rules on the internal firewall...especially if it cannot provide any application-layer protection for services like RPC. I am not sure if by LDAP you actually mean LDAPS, but this should be used as a minimum, if you are not doing so already.

LDAPS is not "normally" the way to go, but given your constraints and placing a firewall between ISA and your internal Microsoft services, this is probably the most sensible option. If ISA is not a domain member, then any authentication that you wish to perform based upon AD can be provided via LDAP, and this will minimise the number of protocols required to pass through your internal firewall. If you want to pre-authenticate access to other internal web servers (I guess this is what you mean) then LDAP will work for these too...

If it were me, I would alter the architecture and place ISA in parallel; as the internal firewall will need to be configured with a whole host of allowed services for AD connectivity (which it probably cannot application layer inspect) it is not providing an awful lot of benefit IMHO.

Cheers

JJ


(in reply to shankaran)
Post #: 8
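An added check, not code from the thread or from ISA itself, that makes the least-privilege argument in posts #2 and #8 measurable: it parses a constructed, simplified ASA-style ACL (host/host/eq lines only) for the internal firewall and reports which ports open from ISA are unneeded, missing, or cleartext LDAP for the chosen design. The port sets are assumed, illustrative subsets (dynamic RPC ports are omitted) and the addresses are made up.

```python
import re

# Illustrative port sets for what the internal firewall must pass from ISA
# inbound to the DCs/Exchange. Assumed, not from the thread: the posts only
# say "443 and AD related (DNS, etc) ports". Dynamic RPC ports are omitted.
REQUIRED = {
    # ISA joined to the domain: DNS, Kerberos, RPC mapper, LDAP, HTTPS, SMB, kpasswd, LDAPS
    "domain-member": {53, 88, 135, 389, 443, 445, 464, 636},
    # ISA as a non-member doing LDAPS pre-authentication: DNS, HTTPS, LDAPS only
    "ldaps": {53, 443, 636},
}
PLAINTEXT_LDAP = {389, 3268}  # LDAP ports that carry credentials without TLS

ACL_RE = re.compile(
    r"^access-list \S+ extended (?P<action>permit|deny) (?P<proto>tcp|udp) "
    r"host (?P<src>\S+) host (?P<dst>\S+) eq (?P<port>\d+)$"
)

# Constructed sample rule set (RFC 5737 addresses): ISA at 192.0.2.10 in the
# DMZ, DC at 10.0.0.1 and Exchange at 10.0.0.5 on the internal network.
SAMPLE_ACL = """
access-list DMZ_IN extended permit tcp host 192.0.2.10 host 10.0.0.5 eq 443
access-list DMZ_IN extended permit tcp host 192.0.2.10 host 10.0.0.1 eq 389
access-list DMZ_IN extended permit tcp host 192.0.2.10 host 10.0.0.1 eq 636
access-list DMZ_IN extended permit udp host 192.0.2.10 host 10.0.0.1 eq 53
access-list DMZ_IN extended permit tcp host 192.0.2.10 host 10.0.0.1 eq 88
access-list DMZ_IN extended permit tcp host 192.0.2.10 host 10.0.0.1 eq 445
""".strip().splitlines()

def parse_acl(lines):
    """Return (action, proto, src, dst, port) tuples; unparseable lines are skipped."""
    rules = []
    for line in lines:
        m = ACL_RE.match(line.strip())
        if m:
            d = m.groupdict()
            rules.append((d["action"], d["proto"], d["src"], d["dst"], int(d["port"])))
    return rules

def audit(rules, isa_ip, mode):
    """Compare the ports permitted from ISA with what the chosen design needs."""
    permitted = {p for a, _, s, _, p in rules if a == "permit" and s == isa_ip}
    needed = REQUIRED[mode]
    return {
        "excess": sorted(permitted - needed),    # open but unneeded: tighten
        "missing": sorted(needed - permitted),   # needed but blocked: auth fails
        # cleartext LDAP has no place in an LDAPS-only design
        "plaintext_ldap": sorted(permitted & PLAINTEXT_LDAP) if mode == "ldaps" else [],
    }
```

Running `audit(parse_acl(SAMPLE_ACL), "192.0.2.10", "ldaps")` shows three ports that can be closed once ISA leaves the domain, while the `"domain-member"` mode shows the rule set is already incomplete for a joined ISA.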
RE: Active Directory Authentication Secure? how? - 7.Nov.2008 4:12:06 PM   
shankaran


Posts: 6
Joined: 6.Nov.2008
Status: offline
JJ,

I thought I was running in parallel?

The ISA server has 2 NICs, one on DMZ and one on internal... Or am I misunderstanding parallel

(in reply to shankaran)
Post #: 9
RE: Active Directory Authentication Secure? how? - 7.Nov.2008 5:46:12 PM   
Jason Jones


Posts: 4663
Joined: 30.Jul.2002
From: United Kingdom
Status: offline
quote:

ORIGINAL: shankaran

JJ,

I thought I was running in parallel?

The ISA server has 2 NICs, one on DMZ and one on internal... Or am I misunderstanding parallel

By parallel I mean this:

          Internet
              |
      External Firewall
        |            |
       ISA    Internal Firewall
        |            |
      Internal Network

or have I misunderstood your drawing??


(in reply to shankaran)
Post #: 10