Most organizations have started to realize the true benefit of ISA Server 2004 as an enterprise-grade firewall, and I have noticed a trend among numerous enterprises towards using ISA to protect critical information assets. ISA is also being used to replace competing products that do not offer comparable application-layer protection for Microsoft networks. For these reasons, the creation and segmentation of networks within ISA deserves careful attention.
ISA Server 2004 is built around a multi-networking model that affords granular control of traffic between networks. These networks are defined as network objects in ISA Server Management; by configuring them, advanced layouts of multiple networks with intricate relationships can be built.
ISA networks are designed according to where the ISA Server sits in relation to the other elements of the network. For example, if a DMZ is required and the resources on it must be protected, ISA must be placed between the Internet and the DMZ. Because a DMZ is not one of the built-in networks, it has to be created (unless a network template that includes a perimeter network, such as the 3-Leg Perimeter template, is applied), and rules must then be assigned that define source, destination and the action to take.
As a best practice, critical networks should be separated by ISA using a dedicated network adapter per network. This separates the networks physically and forces the logical design to follow. Note: this is not because a software firewall cannot enforce the separation on its own, but because it supports a defense-in-depth approach and follows accepted practice.
Figure 1: Depicts the physical and logical partitioning available within ISA
Figure 1 above helps in understanding what firewalls do. In practice a firewall is a logical and/or physical partitioning of a network or group of computers, traditionally between the soft, protected internal core and the "wild" external network.
The following network elements are built into ISA Server 2004 Standard Edition (SE) and Enterprise Edition (EE):
External network – consists of every address that does not belong to any other defined network. For example, the Internal network and the VPN Clients network are defined as their own networks and are therefore not part of the External network; any address not covered by a defined network falls into External. Because nothing is known about these addresses, the External network should be treated as untrusted.
VPN Clients network – this network includes all the addresses assigned to VPN clients.
Quarantined VPN Clients network – this network includes all the addresses assigned to Quarantined VPN clients.
Local Host network – the addresses assigned to the ISA Server computer itself. Rules between Local Host and other networks govern traffic to and from ISA Server.
Internal network (created at install) – typically holds the internal clients and internal client networks.
Other networks appear once they are created. Typically a network representing the internal client network is created at installation by assigning an adapter to it; setup then takes the address ranges reachable through that adapter from the Windows routing table and populates the network's address ranges for you.
The value of creating Networks
Networks are typically created to define or partition a logical grouping of computers. This partitioning allows granular control of traffic between source and destination networks, with return paths where applicable. The approach is particularly useful in remote-office environments or to control extensions to the LAN, such as an additional ADSL link introduced as an alternate path to the Internet.
Before installing ISA, label each NIC to reflect the network it attaches to. This helps at a later stage and simplifies administration. It is also recommended that network cables be of contrasting colours, typically green for the internal network and red for the external network. If remote administration and troubleshooting become necessary later, you can walk a remote user through visual checks over the telephone.
The usefulness of network sets
On many occasions the network professional will find it useful to group two or more networks together so that rules and relationships covering all of them can be established at once, for example to apply the same relationship to several networks that share a similar role. Network sets are used in ISA to create such groupings, for use as network elements within network rules or in access and publishing rules for granular protocol control.
The control achieved with network rules is significant. They can be used to direct defined traffic along a predetermined path, much like a router but with more control, plus application-layer filtering and authentication where the traffic allows it. This adds layers of security and also helps with logging and with limiting the traffic on the wire to what the organization actually wants.
Network rules list, define and describe the current network topology. A rule resolves whether there is a relationship between two network entities and what type of relationship it is. When no network rule relates two networks, ISA Server drops all traffic between them, regardless of the access rules defined.
The key to designing networks within ISA is to understand the relationship between each pair of networks and whether traffic is to be routed between them or network address translation (NAT) applied. Creating a network turns it into a network element that can later be used as the source or destination in rules, where control can be achieved down to the protocol level. Services can also be published so that they are available to remote networks, and with ISA add-ons bandwidth management can be achieved as well.
Typically a NAT relationship is used to mask internal addresses from an Internet-facing network, while a route relationship is used between branch offices and other trusted networks whose addresses do not need to be hidden. Note that a route relationship is bidirectional, whereas NAT applies only in the direction from the source network to the destination network; connections initiated from the NAT side back towards the source network require a publishing rule.
Networks themselves are defined by IP address ranges. Rules can combine them with the other network objects ISA offers: computers, computer sets, address ranges, subnets, network sets, domain name sets and URL sets.
Using this knowledge, rules can be created that allow or deny traffic, routed or NATed, between the available networks. In addition, chaining (web chaining for HTTP traffic and firewall chaining for everything else) can conditionally forward traffic to an upstream server or to the local ISP, using multiple mechanisms including dial-up. This can be used to link networks over the Internet for alternate communication and file transfer. For example, take an office in London and HQ in Hong Kong. The London office has a fast Internet connection, so a chaining rule can send all HTTP traffic directly to the local ISP via the ISP router, while all other traffic is forwarded to HQ, where the application server is hosted. That rule can supply credentials to the HQ server if the upstream requires authentication. This feature is a valuable asset for building networks that span the Internet and need remote authentication to communicate.
Benefits for Wireless?
Bearing the information in this article in mind, wireless networks can also be controlled using ISA networks. Assign another NIC to the ISA server, connect the wireless access point to it, give the NIC a static IP address, and create a new ISA network for it. Rules can then be written against the new network element, "and thus the birth of a new way of controlling wireless effectively," as one of my students put it. Various methods of access to the internal network can be used, for example a VPN using IPsec, but the choice differs from one environment to another.
Enterprise network rules (Enterprise Edition only)
Network rules can be created at the enterprise level and at the array level. Enterprise-level network rules are used when they apply to all arrays; array-level rules are specific to one array.
Network rule Processing order
Network rules are ordered and processed by priority from the top of the list down. ISA Server looks for the first rule whose source and destination match the addresses; that rule defines the relationship between the two networks, and later rules are not consulted. A rule intended to override another must therefore sit higher in the list.
In an enterprise environment ISA Server processes array-level network rules first and then enterprise-level network rules, so an enterprise-level rule is overridden by creating an array-level rule that covers the same networks.
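To make the behaviour described in this article concrete, here is a small model of ISA network classification and network-rule evaluation. It is an added illustration written for this page, not ISA code and not Microsoft's administration object model. It encodes the semantics covered above: every address not in a defined network falls into External, Local Host is ISA's own addresses, rules are walked top-down with the first match deciding Route or NAT, no matching rule means the traffic is dropped, a route relationship is bidirectional while NAT is one-way, and array-level rules are processed before enterprise-level rules. All network names, address ranges and rule names below are made up for the example.

```python
"""Model of how ISA Server 2004 classifies addresses into networks and resolves
the relationship between two networks from ordered network rules.

Added illustration only, not ISA code or Microsoft's object model. Names and
address ranges are constructed sample data.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address
from typing import Iterable, List, Optional, Sequence, Tuple

EXTERNAL = "External"        # implicit network: the complement of everything else
ALL = "All Networks"         # shorthand used by ISA's default "Local Host Access" rule


def _in(names: Tuple[str, ...], net: str) -> bool:
    return ALL in names or net in names


@dataclass(frozen=True)
class Network:
    name: str
    ranges: Tuple[str, ...]  # CIDR strings, e.g. "10.0.0.0/24"

    def contains(self, ip: str) -> bool:
        addr = ip_address(ip)
        return any(addr in IPv4Network(r) for r in self.ranges)


@dataclass(frozen=True)
class NetworkRule:
    name: str
    sources: Tuple[str, ...]       # network names
    destinations: Tuple[str, ...]
    relationship: str              # "Route" or "NAT"

    def matches(self, src: str, dst: str) -> bool:
        forward = _in(self.sources, src) and _in(self.destinations, dst)
        if self.relationship == "Route":
            # A route relationship is bidirectional in ISA.
            return forward or (_in(self.sources, dst) and _in(self.destinations, src))
        return forward  # NAT is one-way: only the source side may initiate


class IsaNetworkModel:
    def __init__(self, networks: Sequence[Network],
                 array_rules: Iterable[NetworkRule],
                 enterprise_rules: Iterable[NetworkRule] = ()):
        self.networks = list(networks)
        # Array-level network rules are processed before enterprise-level rules.
        self.rules: List[NetworkRule] = list(array_rules) + list(enterprise_rules)

    def classify(self, ip: str) -> str:
        """Name of the first defined network containing ip; otherwise External."""
        for net in self.networks:
            if net.contains(ip):
                return net.name
        return EXTERNAL

    def relationship(self, src_ip: str, dst_ip: str) -> Tuple[str, Optional[str]]:
        """Walk the ordered rules; the first match wins, no match means drop."""
        src, dst = self.classify(src_ip), self.classify(dst_ip)
        for rule in self.rules:
            if rule.matches(src, dst):
                return rule.relationship, rule.name
        return "DROP", None


# Constructed sample topology. Local Host is listed first so ISA's own adapter
# addresses are never classified as Internal hosts.
NETWORKS = [
    Network("Local Host", ("10.0.0.1/32", "172.16.0.1/32", "203.0.113.10/32")),
    Network("Internal", ("10.0.0.0/24",)),
    Network("DMZ", ("172.16.0.0/24",)),
    Network("VPN Clients", ("10.99.0.0/24",)),
]

# Array-level rules in the order the administrator placed them.
ARRAY_RULES = [
    NetworkRule("Local Host Access", ("Local Host",), (ALL,), "Route"),
    NetworkRule("VPN Clients to Internal", ("VPN Clients",), ("Internal",), "Route"),
    NetworkRule("Internal to DMZ", ("Internal",), ("DMZ",), "Route"),
]

# Enterprise-level rule that applies to every array unless an array rule matches first.
ENTERPRISE_RULES = [
    NetworkRule("Internet Access", ("Internal", "VPN Clients"), (EXTERNAL,), "NAT"),
]


def build_model(array_override: bool = False) -> IsaNetworkModel:
    rules = list(ARRAY_RULES)
    if array_override:
        # An array administrator overrides the enterprise NAT rule by adding an
        # array-level rule for the same network pair; it is processed first.
        rules.append(NetworkRule("Routed Internet", ("Internal",), (EXTERNAL,), "Route"))
    return IsaNetworkModel(NETWORKS, rules, ENTERPRISE_RULES)


if __name__ == "__main__":
    m = build_model()
    pairs = [("10.0.0.25", "8.8.8.8"), ("8.8.8.8", "10.0.0.25"),
             ("172.16.0.7", "10.0.0.25"), ("10.99.0.5", "172.16.0.7")]
    for s, d in pairs:
        print(f"{s} ({m.classify(s)}) -> {d} ({m.classify(d)}): {m.relationship(s, d)}")
    print("with array override:", build_model(True).relationship("10.0.0.25", "8.8.8.8"))
```

Two results are worth noting when running it: External to Internal comes back as DROP even though Internal to External is NAT, which is exactly why inbound services need publishing rules, and VPN Clients to DMZ is dropped because no rule relates those two networks, whatever access rules might exist. Reordering the list, or adding the array-level override, changes the outcome for the same addresses.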