Creating Networks with ISA 2004

Most organizations have started to realize the true benefit of ISA 2004 as an enterprise grade firewall and I have noticed a trend emerging among numerous enterprises moving towards using ISA to protect critical information assets. ISA is also being used to replace competitive products that do not offer similar application level protection for Microsoft networks. For this reason the creation and segmentation of networks is pertinent within ISA.

ISA Server 2004 is built to provide a multi-networking model that affords granular control of network traffic between networks. These networks can be defined within the network objects in the ISA Server Management; by configuring these options, advanced configurations of multiple networks with intricate relationships can be achieved.

ISA networks
ISA networks are designed or created depending on the location of ISA server in relation to the other network elements within the network. For example if a DMZ is required and it is critical to protect the resources on the DMZ, then it would be necessary to place ISA between the open net and the DMZ. The DMZ being a non standard network would need to be created (unless an ISA template is used) and then rules assigned defining the source destination and permission.

Tip:
For best practice it is recommended that critical networks be divided by ISA by using a NIC port per network. This practice helps physically and forces a logical design to follow. Note: this is not because software firewalls are not good enough but because it helps in a security in-depth approach and lends itself to best practice






Figure 1: Depicts physical and logical portioning available within ISA

The above figure 1 helps in understanding what Firewalls do. In practice a firewall is a logical and/or a physical portioning of a network or computer grouping. More so traditionally from the internal soft protected core to the External “wild” network.

The following are the built-in network elements within ISA 2004 Standard edition (SE) and for Enterprise edition (EE):

• External network – this consists of any address that does not belong to any other defined network. For example the internal network and VPN network are defined as their own networks and are not part of the External network. All other non defined networks would constitute the External network. These undefined networks can also be called un-trusted network elements.
• VPN Clients network – this network includes all the addresses assigned to VPN clients.
• Quarantined VPN Clients network – this network includes all the addresses assigned to Quarantined VPN clients.
• Local Host network – includes the addresses on the ISA Server computer.
• Internal network (Created at install) – this network is typically used to harbor internal clients and internal client networks.

Other networks will be represented once created, typically a network representing the internal client network is created; this can be done at the installation stage by assigning an adapter to the newly created network, this in turn will utilize a Local address table of the NIC and can auto configure the available network addresses for you.

The value of creating Networks
Networks are typically created to define or to partition a logical grouping of computers. Typically this logical partitioning allows for granular control of traffic between the source and destination network with return paths if applicable. This methodology is particularly useful in remote office environments or to control extensions to the LAN, like for use when an extra ADSL is introduced to the LAN for an alternate method for internet access.

Tip:
Before installing ISA, label your NIC to reflect the networks that they attach to. This will help at a later stage and also simplify administration. It is also recommended that the network cables be of contrasting colors for ease of use. Typically the internal cable is green while the external network cable is red. At a later stage, if remote administration and troubleshooting is necessary, it is useful as you can telephonically help the remote user through visual troubleshooting steps.

The usefulness of network sets
On many occasions the network professional will find it useful to group one or more networks together so that certain rules and relationships between the concerned networks can be established. This may be to partition or to mask similar network ranges from each other. Network sets are used in ISA to create groupings of networks, for use as network elements within network rules or in standard ISA rules for granular protocol control.

The control achieved from creating network rules is significant and can be used to pipe defined traffic to a predetermined path, essentially reacting like a router, but with more control and possibly application layer filtering and authentication. This not only adds in various layers of security but also helps in logging and limiting traffic on the network to traffic that the organization wants on the wire.

Network rules
These rules list, define, and describe the current network topology. The rules resolve whether there is an association between two network entities, and what type of relationship is defined. When no relationship is found between networks, ISA Server will drop traffic between the two networks.

The key in designing networks within ISA is to understand the relationships between each network and whether the traffic is to be routed between the networks, or if network address translation (NAT) needs to be applied. Creating networks so that they become a network element can be useful. These network elements are created so that they can later be used in rules as source or destination networks within the rules. By doing this, granular control can be achieved to the protocol level. Advanced techniques of publishing such services so that they are available to remote networks can be used. With ISA add-ons bandwidth management can also be achieved.

Typically NAT rules and relationships are used to mask the internal network addresses from the external networks and this would be used to an internet facing network. Routing rules could be used between branch offices and other trusted networks that you may want to route traffic between.

Created networks can consist of various elements such as IP ranges, computers, network sets, subnets, domains, and URL sets.

Using this knowledge, various rules can be created that allow or deny traffic in various sequences ether routed or NATed between the available networks. Included in this, network chaining can also be utilized to conditionally forward traffic to alternate preconfigured networks using multiple mechanisms, including dialup. This mechanism can be used to link networks over the internet for alternate communication and file transfer. An example would be an office in London and HQ in Hong Kong. The office in London has a fast internet connection so a rule can be structured to send all HTTP traffic to the ISP locally via the IP of the ISP router, however all other traffic must go to HQ as this is where the application server is hosted. A rule can be structured to send such traffic to the HQ based server with delegated authentication if required. This feature is a valuable asset that builds networks that span the Internet and that need remote authentication to communicate.

Benefits for Wireless?
Bearing the information in this article in mind, it is reasonable to surmise that wireless networks can also be controlled using ISA networks. By assigning another NIC to the ISA server and plugging the wireless access point to the newly assigned network card, a static IP address can be assigned to the NIC and a new ISA network created. New rules attributed to the new network element can now be created “and thus the birth of a new way of controlling wireless effectively” said one of my students. Various methods of access to the internal network can be suggested, for example VPN using IPsec but methods differ from one environment to another. Enterprise network rules (Enterprise Edition only)

Note:
Network rules can be created at the enterprise and at array level. Enterprise-level network rules can be used when they are applicable to all arrays, and array rules specific to one array.

Network rule Processing order
Network rules are ordered. The network rule order is processed by order of priority. ISA Server starts by looking for a rule that matches the addresses. Then the matching rule defines the address relationship between the networks. Overriding rules are setup higher in the rule stack.

In an enterprise environment ISA Server will process array-level network rules first, and then enterprise-level network rules. Enterprise-level network rules are overridden by creating array-level network rules.

ISA server is used to divide networks and that networks are able to be defined and policies assigned to each network in form of a defined rule base for each network.

Contrary to sensationalist belief, the DMZ and networks like it are still alive and well and have a place in networking. In fact the very people that say that the DMZ is dead are the ones that are paranoid about publishing servers that reside on the internal network and for this reason prefer to have an extremely secure back to back firewall scenario in place that offers highly secure access. This in itself is an advanced type of DMZ solution.

By default, after the installation of ISA, no traffic can traverse from one network to another. As you add rules to the ISA server, networks will be allowed to send traffic from one network to the next. This enables ISA to have Packet filtering on all interfaces. For this reason, in the previous article, I recommended that the networks be defined by interface if possible as it allows for granular control over the protocols and network elements. This element also allows for any topology approach that enables ISA to connect to any number of networks of any configuration with multiple policies per interface. Let’s take a closer look at how this can be used.

One of the great security elements: access control
Using ISA 2004 to control network traffic with the rule set and its capability to define access control to each interface, you as the ISA firewall professional are able to have a granular level of access control that is more advanced on the Microsoft network than other competing technologies. Because of ISA’s tight integration with Microsoft Active Directory and other MS network authentication mechanisms this access control method is successful.

Compliance and logging
Comprehensive logging of all traffic is becoming more and more important as worldwide the compliance drive is prominent in business. Logging of traffic and information is becoming a legal requirement in most jurisdictions. ISA performs well in this regard as all traffic and information can be verbosely logged to SQL for analysis live or at a later stage. Many firewall products lack in this arena and the shining ISA logging mechanism is growing on each version release to improve performance and scalability.

VPN construed as a network
Because VPNs are regarded as a network, close integration and again granular traffic control is evident by use of the rules from source to destination. This is particularly useful when defining who has access to what protocols when VPNing into your corporate network. It may also be required that the users first VPN onto a network that has limited resources and then from there they may be NATed with limited functionality to other services. Other scenarios may be that users VPN into a network that bespoke so that typical LAN services are available in a limited fashion or in published secure environment.

VPN for ISA Server 2004 Enterprise Edition only
In ISA EE one has the ability to create Site-to-site VPN using IPSec. IPSec is a security enhancement over IP. For site to site connection it is highly recommended that additional security measures like IPSec be used as this type of network traverses the public Internet.

When clients connect to the VPN using Internet Protocol security (IPsec), you must complete the following steps:

1. Create a Network rule allowing traffic to and from the VPN network.
2. Create Access rules allowing traffic to and from this network.
3. Verify IPsec protocol settings using properties of the newly created VPN network.

Local host is regarded as a network
This is a feature that makes ISA stand out from all the rest. A typical argument by the uneducated is that ISA is insecure because it runs on Microsoft operating systems and underlying software. However all traffic is blocked to and from the ISA server. ISA server is regarded as a local host and rules, allowing traffic to and from the local host, need to be created in order for packets to flow. In essence no traffic can reach the local host as ISA has a low level network driver installed that encapsulates the windows kernel. All traffic to the Local host is intercepted by ISA, first inspected matched against the rule base and then let through based on the rules to the destination.

Diagram A
The above diagram, diagram A, depicts how multiple networks can be added to ISA in an example, respectively LAN (Internal), NET2 (Internal2), NET3 (Internal2) and Internet (External).

Typically in this scenario one would install ISA server 2004 with four Network Interface Cards. The external network NIC connected to the Router outbound to the internet. The Internal NIC would be connected to the LAN switch or core router that would then tier off to the LAN switch. The internal2 network card could be an internal isolated network that critical services reside on a separate VLAN or segmented network that ISA has portioned. The final network being Internal 3, a network that is used to download applications or content form the internet as an alternate to the primary internet connection also partitioned via ISA to ensure secure communication.

All of these networks can have different relationships between them. For example, the network labeled LAN can route traffic from LAN to NET 2. The IP on the LAN maybe 10.0.0.0 and the IP on NET 2 is 10.0.10.0, in this way traffic would route. Traffic from the LAN may be NATed to NET 3 as the network admin may want the traffic to look like its originating on the native NET 3 network. For example, traffic on LAN is 10.0.0.0 and on NET 3 is 192.168.0.0. Once the traffic is NAT from network marked LAN to network marked NET 3 then traffic appears to be from an IP native to the 192.168.0.0 address.

Similarly, a network set could be created with networks marked LAN and network marked internal 2 with a NAT relationship to the External network. Typically this is done if the networks are defined at installation, but if the networks are added at a later stage the relationship will need to be defined.

Defining network elements within networks
Once networks are created, there are certain elements and element detail that can be defined and configured for each network. These elements will help ISA identify essentials for routing traffic and for use with the firewall clients. I will cover the features below. Note that at array level (ISA2004 EE), a new site-to-site VPN can be created.

• The Domains tab (This will apply to Firewall clients only). In this tab you can specify the domains that are included in the network you are defining. Client requests to these domains will be deemed to be local and will not be forwarded.
• The Web browser tab. This tab is for the configuration of the properties of the web browser and how the Web browsers specify ISA Server in the configuration script.
• Automatic discovery. Defines how clients automatically find the ISA Server. Firewall
• Web Proxy client support. Specify if this network listens for requests from Web Proxy clients. This option is where the port can be changed to reflect a non standard proxy port.