ISA and PIX DMZ (Full Version)






oleary -> ISA and PIX DMZ (12.Nov.2003 7:24:00 PM)

Am getting ready to install a PIX in front of our ISA box to allow for the creation of a DMZ. The PIX comes with 3 interfaces, but in Tom's books, and many other posts, the DMZ is located on the segment between the external firewall (PIX in my case) and the ISA box. Is there an advantage to this, rather than placing it on the 3rd interface of the PIX? Also, should public or private IPs be used on the DMZ, and on the network between the PIX and ISA boxes?

Thanks in advance.

Shawn




spouseele -> RE: ISA and PIX DMZ (12.Nov.2003 8:50:00 PM)

Hi Shawn,

the whole idea behind a back-to-back DMZ scenario is that the inner firewall (the ISA server) controls the traffic from/to the internal network and that the outer firewall (the PIX) is responsible for controlling the traffic from/to the DMZ. Keep in mind that the inner firewall is just another DMZ host for the outer firewall and that the DMZ hosts are just other external hosts for the inner firewall. By using the segment between both firewalls as DMZ, you are also optimizing the traffic flow.

Now, the choice between public and private IPs for the DMZ is a whole other story. Personally I prefer public IPs for the DMZ because you then prevent double NAT, once in the inner and once in the outer firewall. However, if you can't get enough public IPs you might as well use private ones. Just be aware that you might have some problems with some complex protocols if the firewalls don't have the proper NAT editors for those protocols.

HTH,
Stefaan




oleary -> RE: ISA and PIX DMZ (13.Nov.2003 9:54:00 PM)

Stefaan,

Thanks for the response. What you are saying about traffic flow makes perfect sense, but by hanging the DMZ off of the PIX, don't you allow for more protection from the servers sitting on the DMZ (Web, OWA, FTP, SMTP, etc.) accessing the internal network? They will have to have some access to internal resources and I would like to protect those resources as best as I can. In that scenario they have to go back through the PIX and the ISA to get to the internal network. Or is it just making it too complex? What do you think?




spouseele -> RE: ISA and PIX DMZ (13.Nov.2003 10:23:00 PM)

Hi Shawn,

in my opinion you are making it more complex without adding security! [Wink]

The point is that ISA server (inner firewall) is responsible for controlling access from the DMZ to the internal network, not the PIX (outer firewall). Adding extra filtering on the PIX on top of the ISA publishing feature will *not* increase the overall security. If it did, that would mean that the ISA server was not properly configured in the first place! [Big Grin]

HTH,
Stefaan

[ November 13, 2003, 10:30 PM: Message edited by: spouseele ]
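The back-to-back layout Stefaan describes above (the inner firewall is "just another DMZ host" to the outer one, and DMZ hosts are external hosts to the inner one), the double-NAT remark on public versus private DMZ addressing, and Shawn's alternative of hanging the DMZ off the PIX's third interface can all be checked against a small zone-path model. The following Python is an added example, not code from this thread or from any Cisco or Microsoft product; the zone names, the two topologies, the address realms and the sample policy are all constructed for illustration.

```python
"""Zone-path model of the two DMZ placements debated in this thread.

Constructed example (not code from the thread or from any product): network
zones and firewalls form a small graph in which a firewall node is adjacent
to every zone it has an interface in. A flow between two zones is enforced
by each firewall on the path, and each firewall judges the flow by the two
zones it sits between on that path, not by the end-to-end zones.
"""
from collections import deque

# Topology A: back-to-back, the DMZ *is* the segment between PIX and ISA.
BACK_TO_BACK = {
    "pix": {"internet", "dmz"},
    "isa": {"dmz", "internal"},
}

# Topology B: DMZ on the PIX's third interface, with a separate transit
# segment between the PIX and the ISA server.
THREE_LEG = {
    "pix": {"internet", "dmz", "transit"},
    "isa": {"transit", "internal"},
}

# Address realms (constructed): zones in the same realm are routed between
# without NAT; a firewall forwarding between two realms translates.
PUBLIC_DMZ = {"internet": "public", "dmz": "public", "internal": "rfc1918-lan"}
PRIVATE_DMZ = {"internet": "public", "dmz": "rfc1918-dmz", "internal": "rfc1918-lan"}

# Constructed policy for topology A: the PIX permits HTTP and SMTP from the
# Internet to DMZ addresses (the ISA external interface is "just another
# DMZ host" to it); the ISA server publishes only SMTP inward.
POLICY = {
    "pix": {("internet", "dmz", "http"), ("internet", "dmz", "smtp")},
    "isa": {("dmz", "internal", "smtp")},
}


def _shortest_path(topology, src, dst):
    """Breadth-first search over the zone/firewall graph; returns the full
    node sequence from src to dst (zones and firewalls alternate)."""
    adj = {}
    for fw, zones in topology.items():
        adj.setdefault(fw, set()).update(zones)
        for zone in zones:
            adj.setdefault(zone, set()).add(fw)
    prev = {src: None}
    queue = deque([src])
    while queue:
        node = queue.popleft()
        if node == dst:
            break
        for nxt in sorted(adj.get(node, ())):
            if nxt not in prev:
                prev[nxt] = node
                queue.append(nxt)
    if dst not in prev:
        raise ValueError(f"no path from {src} to {dst}")
    path = []
    while dst is not None:
        path.append(dst)
        dst = prev[dst]
    return path[::-1]


def enforcement_points(topology, src, dst):
    """Firewalls that see a flow from zone src to zone dst."""
    return [n for n in _shortest_path(topology, src, dst) if n in topology]


def nat_crossings(topology, src, dst, realms):
    """How many times the flow is translated: once per firewall hop whose
    ingress and egress zones lie in different address realms."""
    path = _shortest_path(topology, src, dst)
    return sum(
        1
        for i in range(1, len(path) - 1)
        if path[i] in topology and realms[path[i - 1]] != realms[path[i + 1]]
    )


def flow_allowed(topology, policy, src, dst, service):
    """A flow passes only if every firewall on the path permits it, judged
    by the zones adjacent to that firewall (its own view of src/dst)."""
    path = _shortest_path(topology, src, dst)
    for i in range(1, len(path) - 1):
        fw = path[i]
        if fw in topology and (path[i - 1], path[i + 1], service) not in policy[fw]:
            return False
    return True


if __name__ == "__main__":
    for name, topo in (("back-to-back", BACK_TO_BACK), ("three-leg", THREE_LEG)):
        print(name, "dmz->internal enforced by", enforcement_points(topo, "dmz", "internal"))
    print("NAT hops, public DMZ :", nat_crossings(BACK_TO_BACK, "internal", "internet", PUBLIC_DMZ))
    print("NAT hops, private DMZ:", nat_crossings(BACK_TO_BACK, "internal", "internet", PRIVATE_DMZ))
    print("internet->internal smtp:", flow_allowed(BACK_TO_BACK, POLICY, "internet", "internal", "smtp"))
```

Running it shows the three points of the discussion in one place: in the back-to-back layout a DMZ-to-internal flow is decided by the ISA server alone, while in the three-leg layout the PIX also sees it (as a dmz-to-transit flow), which is extra configuration but not an extra trust boundary; with a public DMZ an outbound flow is translated once (at the ISA), with a private DMZ twice; and an Internet-to-internal SMTP publish succeeds only because the PIX permits it to the ISA external address and the ISA then publishes it inward, each firewall judging the hop it actually sees.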




Glen -> RE: ISA and PIX DMZ (17.Nov.2003 12:00:00 PM)

With the back-to-back configuration, will it be possible to use the IPSec VPN on the PIX and then pass this through the ISA server to the internal LAN? If this is possible, should a public or private addressed DMZ be used?




oleary -> RE: ISA and PIX DMZ (17.Nov.2003 3:54:00 PM)

Good question. Also, should the OWA, WWW, SMTP and FTP servers on the DMZ be members of the internal domain?




spouseele -> RE: ISA and PIX DMZ (17.Nov.2003 7:55:00 PM)

Hi Glen,

if the VPN users should have access to internal resources behind the ISA server, then the ISA server should be the VPN endpoint, NOT the PIX.

I strongly suggest you run ISA server on Windows 2003. You can then use L2TP/IPSec with NAT-T. This is even a requirement if you want to use a private addressed DMZ. For more info, check out http://www.isaserver.org/articles/isa2000vpndeploymentkit.html.

HTH,
Stefaan




spouseele -> RE: ISA and PIX DMZ (17.Nov.2003 7:58:00 PM)

Hi Shawn,

the purpose of creating a DMZ is to isolate the external accessible services from the internal network. So, DMZ hosts should NEVER be a member of the internal domain.

HTH,
Stefaan




oleary -> RE: ISA and PIX DMZ (25.Nov.2003 3:48:00 PM)

Then you can't put an Exchange 2000/2003 front end server in the DMZ, so it will have to go behind the ISA server. At least it will be scanned by the ISA filters.




oleary -> RE: ISA and PIX DMZ (3.Dec.2003 6:42:00 PM)

Stefaan,

You mentioned above about not doing double NAT. Would you use PAT on the outer PIX then, and if so, can't you just use private addresses?

Thanks

Shawn




spouseele -> RE: ISA and PIX DMZ (3.Dec.2003 9:41:00 PM)

Hi Shawn,

I used the term NAT as a generic term for NAT and/or PAT. As said before, you can use private IPs for the DMZ. Just be aware that you might run into problems if you have a need to use some complex protocols (such as H.323, multimedia, etc.) and the outer firewall doesn't support them explicitly.

HTH,
Stefaan




oleary -> RE: ISA and PIX DMZ (4.Dec.2003 3:17:00 AM)

Then you mean just setting up the PIX as a router?




spouseele -> RE: ISA and PIX DMZ (4.Dec.2003 9:04:00 PM)

Hi Shawn,

it is a general misconception that implementing NAT or PAT is a security measure. The use of NAT and/or PAT is all about address hiding, and that is something quite different.

My suggestion is that if you have enough public IPs, then implement a public DMZ. If you haven't, go for a private DMZ.

HTH,
Stefaan




Glen -> RE: ISA and PIX DMZ (8.Dec.2003 4:46:00 PM)

In our case the PIX is already in place with Cisco VPN clients using it to access the internal LAN. We would like to add a DMZ using an ISA server as the internal firewall in a back-to-back configuration. Will it be possible to 'push' the Cisco VPN clients through the PIX and then through the ISA server to the internal LAN? If this is not possible I guess we would use the ISA as the endpoint and open the L2TP ports on the PIX, but I would like to explore the first scenario.

Thanks




spouseele -> RE: ISA and PIX DMZ (9.Dec.2003 12:18:00 AM)

Hi Glen,

as stated before, if the VPN users must have access to internal resources behind the ISA server, then the ISA server must be the VPN endpoint, NOT the PIX! [Big Grin]

This also implies you should use the latest native Microsoft L2TP/IPSec clients (update MSKB 818043) and run ISA on Win2003.

HTH,
Stefaan

[ December 09, 2003, 12:18 AM: Message edited by: spouseele ]



