Welcome to ISAserver.org


How to setup ISA in my network

All Forums >> [ISA 2006 General] >> Installation and Planning >> How to setup ISA in my network Page: [1]
How to setup ISA in my network - 12.Nov.2008 10:05:07 PM   
weisshole
Posts: 3
Joined: 12.Nov.2008
I know this gets asked quite a bit, but my current network contains a Cisco ASA 5510.  The network is as below.  We are looking to possibly deploy an ISA server into our environment for the reverse web proxy features, to protect our public web sites and OWA and possibly a future SharePoint deployment.

Internet router
  |
ASA -- DMZ 10.10.30.x
|
Internal LAN 192.168.0.x


What would be the best way to deploy ISA? Should we do a unihomed setup in the DMZ, or place one NIC in the DMZ and one NIC on the internal LAN and then move the public servers to the internal LAN?

Thanks for the help.
Post #: 1
RE: How to setup ISA in my network - 15.Nov.2008 7:35:04 AM   
tshinder
Posts: 50013
Joined: 10.Jan.2001
From: Texas
The best setup, and the one that will create the fewest issues, is to put the ISA firewall on the edge with the ASA. The firewall was designed to be an edge firewall, so there are no security implications, plus you can also take advantage of the ISA firewall's superior outbound access control if you like.

HTH,
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to weisshole)
Post #: 2
RE: How to setup ISA in my network - 16.Nov.2008 4:31:38 PM   
weisshole
Posts: 3
Joined: 12.Nov.2008
Thanks for the reply. So, to make sure I understand: basically run it side by side with the ASA, so both would have an IP on either the DMZ network or the internal network, or on both if we have three NICs.

(in reply to tshinder)
Post #: 3
RE: How to setup ISA in my network - 17.Nov.2008 8:47:21 AM   
tshinder
Posts: 50013
Joined: 10.Jan.2001
From: Texas
Correct. The ISA firewall would exist side by side with the ASA, so the external interface of the ISA firewall is plugged into the router, another NIC into the DMZ, and another NIC into the internal network.

HTH,
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to weisshole)
Post #: 4
RE: How to setup ISA in my network - 17.Nov.2008 9:16:20 AM   
Jason Jones
Posts: 4663
Joined: 30.Jul.2002
From: United Kingdom
For my 2c worth, I would place ISA as a back firewall behind your existing ASA.

You can then place internet facing servers into ISA DMZs or just publish them direct from the LAN.

Internet
|
ASA - ASA protected DMZs
|
ISA - ISA application layer protected DMZs
|
LAN

This is more complicated than a side by side setup, but does have some advantages in terms of NAT capability and site-to-site VPN termination amongst others...

Cheers

JJ

_____________________________

Jason Jones | Forefront MVP | Silversands Ltd
My Blogs: http://blog.msedge.org.uk/ and http://blog.msfirewall.org.uk/

(in reply to tshinder)
Post #: 5
RE: How to setup ISA in my network - 17.Nov.2008 9:29:14 AM   
tshinder
Posts: 50013
Joined: 10.Jan.2001
From: Texas
Hi Jason,

Don't you think that putting the ISA firewall on the edge, in parallel with the ASA, would be easier to manage? That way, you don't expose the ISA firewall to ASA issues.

Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to Jason Jones)
Post #: 6
RE: How to setup ISA in my network - 17.Nov.2008 10:36:25 AM   
Jason Jones
Posts: 4663
Joined: 30.Jul.2002
From: United Kingdom
quote:

ORIGINAL: tshinder

Hi Jason,

Don't you think that putting the ISA firewall on the edge, in parallel with the ASA, would be easier to manage? That way, you don't expose the ISA firewall to ASA issues.

Tom


Easier, but not necessarily better

_____________________________

Jason Jones | Forefront MVP | Silversands Ltd
My Blogs: http://blog.msedge.org.uk/ and http://blog.msfirewall.org.uk/

(in reply to tshinder)
Post #: 7
RE: How to setup ISA in my network - 17.Nov.2008 7:00:16 PM   
weisshole
Posts: 3
Joined: 12.Nov.2008
Thanks to both of you for your suggestions; I will keep them in mind if we end up moving forward with this project. However, if we were to set it up as a back-end firewall, I would assume that for every rule created on the ASA the same rule would have to be created on the ISA?

(in reply to Jason Jones)
Post #: 8
RE: How to setup ISA in my network - 18.Nov.2008 5:16:05 AM   
Jason Jones
Posts: 4663
Joined: 30.Jul.2002
From: United Kingdom
Yes, there will be some overlap of firewall policies. However, there will likely be more rules on ISA due to the additional web proxy publishing duties.

_____________________________

Jason Jones | Forefront MVP | Silversands Ltd
My Blogs: http://blog.msedge.org.uk/ and http://blog.msfirewall.org.uk/

(in reply to weisshole)
Post #: 9
RE: How to setup ISA in my network - 19.Nov.2008 9:47:49 AM   
tshinder
Posts: 50013
Joined: 10.Jan.2001
From: Texas
quote:

ORIGINAL: Jason Jones

quote:

ORIGINAL: tshinder

Hi Jason,

Don't you think that putting the ISA firewall on the edge, in parallel with the ASA, would be easier to manage? That way, you don't expose the ISA firewall to ASA issues.

Tom


Easier, but not necessarily better


Hi Jason,

Why not better? The ISA firewall can easily be deployed on the edge; when the inevitable troubleshooting issues come up you don't need to deal with the ASA issues, and you can take advantage of the full ISA firewall feature set while not having to accommodate complications and limitations introduced by the ASA.

It seems to be all good and no bad!

Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to Jason Jones)
Post #: 10
RE: How to setup ISA in my network - 19.Nov.2008 11:05:51 AM   
Jason Jones
Posts: 4663
Joined: 30.Jul.2002
From: United Kingdom
I like multi-tier designs that follow some form of defense-in-depth philosophy. The front firewall is a good place to offload a lot of "noise" and also to utilise a device that is very good at static NAT functionality in addition to S2S VPN termination... as you are aware (I was trying to avoid name and shame), ISA ain't that great when it comes to NAT flexibility, and S2S VPN is a little behind some of the competition (AES, anyone?).

I think ISA is fab (as you know) but I don't see why it can't be combined with other solutions so that they complement each other. As good as ISA is, it still isn't a complete one stop shop (yet) IMHO and I like to let a good network firewall look after networks and a good application firewall look after applications. I think TMG will further close this gap and my view may change at this time...

If you want simple, yep, ISA on its own provides an awful lot of value, but why not merge technologies to raise the bar even further?

Cheers

JJ 

_____________________________

Jason Jones | Forefront MVP | Silversands Ltd
My Blogs: http://blog.msedge.org.uk/ and http://blog.msfirewall.org.uk/

(in reply to tshinder)
Post #: 11
RE: How to setup ISA in my network - 19.Nov.2008 5:21:02 PM   
adimcev
Posts: 380
Joined: 19.Oct.2008
I think Jason has a good point here with the NAT and s2s stuff. Also may help if the front firewall can handle multiple Internet connections in certain scenarios.
With the back-to-back model, we can expose the site-to-site traffic to ISA's firewall inspection, which we cannot directly do with the parallel model unless we control or own the remote office. And it may add a little bit in terms of DoS if the front firewall can SYN-proxy for the published servers (which ISA does only for protocols that have an application filter), assuming the SYN-proxy thing does not break communications, while still having ISA inline in the back, close to the corp net (a thing that I suspect we all like).

I also think that Tom has a good point too, the parallel approach can be better if SIP is involved, or maybe if we need to pass OSPF over the VPN tunnel.

IMHO, AES is just a tiny problem with respect to site-to-site VPNs. Anyway, the way the others used it in the past and use it now does not automatically give them more "confidentiality" over 3DES (unless 3DES has or will have a serious flaw; for the moment it does not), and Microsoft knows that; they waited to bring the "rest" of the pieces in line with AES's strength (AES is present on TMG for VPN).
If they (Microsoft) focus only on AES, they are wrong, deeply wrong. Their implementation of IPsec tunnel mode with ISA is rather broken (well, somebody had to say it, don't shoot me). In certain cases we are more secure using pre-shared keys than authenticating with certificates (my oh my...). There is a basic and simple thing with IPsec tunnel mode: we specify the local subnet and the remote subnet, so I'm not sure how this went wrong; there are many cases when we do not want/need to specify the entire Internal Network as the local subnet.
A proper IPsec tunnel mode implementation is critical in order to have a robust and powerful VPN gateway; otherwise the site-to-site scenarios and possibilities would be limited.

Adrian

< Message edited by adimcev -- 19.Nov.2008 5:23:42 PM >


_____________________________

Blog: http://www.carbonwind.net/blog

Get Our ISA 2006 Book!: http://tinyurl.com/2gpoo8

(in reply to Jason Jones)
Post #: 12
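The three arguments above (Jason's back-to-back diagram, weisshole's question about rules having to exist on both boxes, and Adrian's point that site-to-site traffic only crosses ISA in the back-to-back design) can be checked mechanically rather than by eye. The following is an added example, not code from this thread or from either product: a small Python model of the two placements as zones joined by firewalls. It enumerates the routes a flow can take between two zones, lists the routes that never cross the application-layer firewall (the ISA bypass paths), and reports which boxes every route crosses and therefore must carry a rule for that flow. The zone names, and the assumption that the site-to-site tunnel terminates on the ASA in both designs, are hypothetical.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Set, Tuple


@dataclass(frozen=True)
class Firewall:
    name: str
    app_layer: bool        # True for ISA (web proxy / HTTP filter), False for a stateful packet filter
    zones: FrozenSet[str]  # zones the box is attached to: its NICs, plus a tunnel it terminates


# Hypothetical zone names. "vpn-peer" is the remote office behind the site-to-site
# tunnel; it hangs off the box that terminates the tunnel, assumed to be the ASA in both designs.

# Parallel (side by side): both boxes have a NIC in the router segment, the DMZ and the LAN.
PARALLEL: List[Firewall] = [
    Firewall("ASA", app_layer=False, zones=frozenset({"internet", "dmz", "lan", "vpn-peer"})),
    Firewall("ISA", app_layer=True,  zones=frozenset({"internet", "dmz", "lan"})),
]

# Back to back: ASA in front, ISA behind, joined by a transit segment; each has its own DMZ.
BACK_TO_BACK: List[Firewall] = [
    Firewall("ASA", app_layer=False, zones=frozenset({"internet", "asa-dmz", "transit", "vpn-peer"})),
    Firewall("ISA", app_layer=True,  zones=frozenset({"transit", "isa-dmz", "lan"})),
]

Path = Tuple[str, ...]  # ordered names of the firewalls a flow crosses


def paths(topology: List[Firewall], src: str, dst: str) -> List[Path]:
    """Every loop-free route from zone src to zone dst, as the sequence of firewalls crossed.

    A packet leaves a zone through a firewall attached to that zone and arrives in another
    zone of the same firewall; it is never handed straight back to the box it just left.
    Routes that cross the same boxes in the same order via different zones are reported once.
    """
    found: Set[Path] = set()

    def walk(zone: str, visited: Set[str], hops: Path) -> None:
        if zone == dst:
            found.add(hops)
            return
        for fw in topology:
            if zone not in fw.zones or (hops and hops[-1] == fw.name):
                continue
            for nxt in fw.zones - visited:
                walk(nxt, visited | {nxt}, hops + (fw.name,))

    walk(src, {src}, ())
    return sorted(found)


def bypass_paths(topology: List[Firewall], src: str, dst: str) -> List[Path]:
    """Routes that reach dst without crossing any application-layer firewall."""
    app = {fw.name for fw in topology if fw.app_layer}
    return [p for p in paths(topology, src, dst) if not app.intersection(p)]


def on_every_path(topology: List[Firewall], src: str, dst: str) -> Set[str]:
    """Firewalls that every route crosses: each of them needs a rule for this flow."""
    routes = paths(topology, src, dst)
    common: Set[str] = set(routes[0]) if routes else set()
    for p in routes[1:]:
        common &= set(p)
    return common


if __name__ == "__main__":
    flows = [("internet", "lan"), ("vpn-peer", "lan"), ("lan", "internet")]
    for label, topo in (("parallel", PARALLEL), ("back to back", BACK_TO_BACK)):
        print(label)
        for src, dst in flows:
            print(f"  {src:>9} -> {dst:<9} routes={paths(topo, src, dst)}")
            print(f"  {'':>9}    {'':<9} ISA bypass={bypass_paths(topo, src, dst)}"
                  f" rules needed on={sorted(on_every_path(topo, src, dst))}")
```

Run as a script, the parallel design reports a route from the VPN peer (and from the Internet) to the LAN that crosses only the ASA, and no firewall that every route crosses, so a rule for a flow lives on whichever box the traffic is actually routed or published through. The back-to-back design reports a single route per flow crossing both boxes, which is both the inspection guarantee Adrian describes and the policy overlap Jason confirms.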
RE: How to setup ISA in my network - 19.Nov.2008 6:49:50 PM   
Jason Jones
Posts: 4663
Joined: 30.Jul.2002
From: United Kingdom
Hi Adrian,

I was being kind by only mentioning AES

As I said, TMG will probably solve some of these issues and hopefully bring ISA closer to the "all encompassing edge product" it strives to be... I still think there will always be a place for defence in depth with complementary solutions though, but maybe that's just me.

Cheers

JJ



_____________________________

Jason Jones | Forefront MVP | Silversands Ltd
My Blogs: http://blog.msedge.org.uk/ and http://blog.msfirewall.org.uk/

(in reply to adimcev)
Post #: 13
RE: How to setup ISA in my network - 20.Nov.2008 9:39:34 AM   
tshinder
Posts: 50013
Joined: 10.Jan.2001
From: Texas
I think that we're all right!

If the back to back meets requirements, then go with that.

If parallel meets requirements, then go with that.

If back to back and parallel meet requirements, then use two ISA firewalls!

Thanks!
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to Jason Jones)
Post #: 14
