In part one of this article series we focused on network creation and network relationships. In this article we will focus on advanced network design and network flow within ISA 2004. We established in the previous article that the ISA server is used to divide networks, that networks can be defined, and that policies can be assigned to each network in the form of a defined rule base.
Contrary to sensationalist belief, the DMZ and networks like it are still alive and well and have a place in networking. In fact the very people who say that the DMZ is dead are the ones who are paranoid about publishing servers that reside on the internal network and for this reason prefer to have an extremely secure back-to-back firewall scenario in place that offers highly secure access. This in itself is an advanced type of DMZ solution.
By default, after the installation of ISA, no traffic can traverse from one network to another. As you add rules to the ISA server, networks will be allowed to send traffic from one network to the next. This enables ISA to perform packet filtering on all interfaces. For this reason, in the previous article, I recommended that the networks be defined by interface where possible, as it allows for granular control over the protocols and network elements. It also allows for any topology: ISA can connect to any number of networks of any configuration, with multiple policies per interface. Let’s take a closer look at how this can be used.
One of the great security elements: access control
Using ISA 2004 to control network traffic with the rule set, and its capability to define access control per interface, you as the ISA firewall professional have a level of access control on the Microsoft network that is more granular than that offered by competing technologies. This access control method works well because of ISA’s tight integration with Microsoft Active Directory and other MS network authentication mechanisms.
Compliance and logging
Comprehensive logging of all traffic is becoming more and more important as the compliance drive becomes prominent in business worldwide. Logging of traffic and information is becoming a legal requirement in most jurisdictions. ISA performs well in this regard, as all traffic and information can be verbosely logged to SQL for analysis live or at a later stage. Many firewall products fall short in this area, and the ISA logging mechanism improves with each version release in performance and scalability.
VPN construed as a network
Because VPNs are regarded as a network, close integration and, again, granular traffic control are evident through the use of rules from source to destination. This is particularly useful when defining who has access to which protocols when VPNing into your corporate network. It may also be required that users first VPN onto a network that has limited resources and from there are NATed, with limited functionality, to other services. In other scenarios users VPN into a bespoke network so that typical LAN services are available in a limited fashion or in a published, secure environment.
VPN for ISA Server 2004 Enterprise Edition only
In ISA EE one has the ability to create site-to-site VPNs using IPsec. IPsec is a security enhancement over IP. For site-to-site connections it is highly recommended that additional security measures like IPsec be used, as this type of network traverses the public Internet.
When clients connect to the VPN using Internet Protocol security (IPsec), you must complete the following steps:
Create a Network rule allowing traffic to and from the VPN network.
Create Access rules allowing traffic to and from this network.
Verify IPsec protocol settings using properties of the newly created VPN network.
Local host is regarded as a network
This is a feature that makes ISA stand out from all the rest. A typical argument by the uneducated is that ISA is insecure because it runs on Microsoft operating systems and underlying software. However, all traffic to and from the ISA server is blocked. The ISA server is regarded as a local host, and rules allowing traffic to and from the local host need to be created in order for packets to flow. In essence no traffic can reach the local host, as ISA has a low-level network driver installed that encapsulates the Windows kernel. All traffic to the Local Host is intercepted by ISA, first inspected and matched against the rule base, and then let through to the destination based on the rules.
The above diagram, diagram A, depicts an example of how multiple networks can be added to ISA, respectively LAN (Internal), NET2 (Internal2), NET3 (Internal3) and Internet (External).
Typically in this scenario one would install ISA Server 2004 with four Network Interface Cards. The external NIC is connected to the router outbound to the Internet. The Internal NIC would be connected to the LAN switch or core router that then tiers off to the LAN switch. The Internal2 network card could be an isolated internal network on which critical services reside, a separate VLAN or segmented network that ISA has partitioned. The final network, Internal3, is a network used to download applications or content from the Internet as an alternative to the primary Internet connection, also partitioned via ISA to ensure secure communication.
All of these networks can have different relationships between them. For example, the network labeled LAN can route traffic from LAN to NET 2. The IP range on the LAN may be 10.0.0.0 and the IP range on NET 2 10.0.10.0; in this way traffic would route. Traffic from the LAN may be NATed to NET 3, as the network admin may want the traffic to look like it is originating on the native NET 3 network. For example, traffic on LAN is 10.0.0.0 and on NET 3 is 192.168.0.0. Once the traffic is NATed from the network marked LAN to the network marked NET 3, the traffic appears to come from an IP native to the 192.168.0.0 range.
Similarly, a network set could be created with networks marked LAN and network marked internal 2 with a NAT relationship to the External network. Typically this is done if the networks are defined at installation, but if the networks are added at a later stage the relationship will need to be defined.
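The relationships just described (route from LAN to NET 2, NAT from LAN to NET 3), the default deny from the start of the article, and the Local Host network can be modelled as a small policy evaluator. This is an added example, not ISA’s own code or API; the prefix lengths, ISA interface addresses, NAT address, protocols and access rules are assumptions.

```python
from ipaddress import ip_address, ip_network

# Constructed networks mirroring diagram A. Prefix lengths are assumed; the
# article only names the 10.0.0.0, 10.0.10.0 and 192.168.0.0 blocks. External
# is listed last because it matches every address the other networks do not.
NETWORKS = {
    "LAN": ip_network("10.0.0.0/24"),
    "NET2": ip_network("10.0.10.0/24"),
    "NET3": ip_network("192.168.0.0/24"),
    "External": ip_network("0.0.0.0/0"),
}
# Local Host = the ISA server's own interface addresses (assumed values).
LOCAL_HOST = {ip_address(a) for a in ("10.0.0.1", "10.0.10.1", "192.168.0.1", "203.0.113.2")}
NAT_ADDRESS = {"NET3": "192.168.0.1"}  # address ISA presents on the NATed side (assumed)

# Network rules: relationship between a source and a destination network.
# A route relationship is two-way; a NAT relationship applies one way only.
NETWORK_RULES = {
    ("LAN", "NET2"): "route",
    ("LAN", "NET3"): "nat",
}
# Allow access rules (assumed), first match wins; anything unmatched is denied by default.
ACCESS_RULES = [
    {"src": "LAN", "dst": "NET2", "protocols": {"tcp/445", "tcp/389"}},
    {"src": "LAN", "dst": "NET3", "protocols": {"tcp/443"}},
]

def network_of(addr):
    """Map an address to its ISA network; the ISA server itself is Local Host."""
    if addr in LOCAL_HOST:
        return "Local Host"
    return next(name for name, net in NETWORKS.items() if addr in net)

def relationship(src_net, dst_net):
    """Return 'route', 'nat' or None when no network rule joins the pair."""
    if "Local Host" in (src_net, dst_net):
        return "route"  # assumed: ISA's built-in Local Host Access network rule
    rel = NETWORK_RULES.get((src_net, dst_net))
    if rel is None and NETWORK_RULES.get((dst_net, src_net)) == "route":
        rel = "route"  # route relationships are bidirectional
    return rel

def evaluate(src, dst, protocol):
    """Return (verdict, source address the destination will see)."""
    s, d = network_of(ip_address(src)), network_of(ip_address(dst))
    rel = relationship(s, d)
    if rel is None:
        return (f"deny: no network rule {s} -> {d}", None)
    for rule in ACCESS_RULES:
        if rule["src"] == s and rule["dst"] == d and protocol in rule["protocols"]:
            return ("allow", NAT_ADDRESS[d] if rel == "nat" else src)
    return ("deny: default rule", None)
```

Note that a reply from NET 2 back to the LAN passes the network rule (route is two-way) but still needs its own access rule, while NET 3 cannot initiate anything towards the LAN because NAT is one-way.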
Defining network elements within networks
Once networks are created, there are certain elements and element details that can be defined and configured for each network. These elements help ISA identify essentials for routing traffic and for use with the Firewall clients. I will cover the features below. Note that at array level (ISA 2004 EE), a new site-to-site VPN can be created.
The Domains tab (This will apply to Firewall clients only). In this tab you can specify the domains that are included in the network you are defining. Client requests to these domains will be deemed to be local and will not be forwarded.
The Web browser tab. This tab is for the configuration of the properties of the web browser and how the Web browsers specify ISA Server in the configuration script.
Automatic discovery. Defines how clients automatically find the ISA Server. Firewall
Web Proxy client support. Specifies whether this network listens for requests from Web Proxy clients. This option is where the port can be changed to reflect a non-standard proxy port.
In this article we looked at access control and how granular network access can be achieved. We also took a look at the local host and how it’s regarded as a network element, VPN networks and traffic control to and from VPN networks and how to make effective use of network sets in ISA by bundling like networks. From this article series I hope that you found the information of value and that you benefited from some of the tips and knowledge shared.