Configuring an Untrusted Wireless DMZ on the ISA Firewall: Part 1: Defining the Infrastructure and Setting Up the Split DNS


By Thomas W Shinder MD, MVP


Got Questions? Go to:
http://forums.isaserver.org/ultimatebb.cgi?ubb=get_topic;f=29;t=000119 and ask!

Part 2 of this article is at:
http://isaserver.org/articles/2004wirelessdmzpart2.html

A popular request over the years on the ISAServer.org Web boards and mailing list is how to configure DMZ segments on the ISA firewall. One of the great improvements included with the new ISA firewall (ISA Server 2004) is its enhanced support for multiple networks. You can configure an ISA firewall with as many NICs as you like, and then use ISA firewall Firewall Policy to control all traffic between any two Networks moving through the ISA firewall.


One simple implementation of ISA firewall DMZ networks includes configuration of a wireless DMZ segment hosting untrusted users and computers. This configuration includes three network interfaces on the ISA firewall (the ISA firewall can have more NICs, but only three are used in this scenario): one interface is connected to the Internet (this is the interface with the default gateway), one interface connected to the Default Internal Network (this is the interface connected to the production network) and one interface connected to the wireless DMZ segment.

The figure below shows the configuration used in the sample network discussed in this article.

On the Default Internal Network there is an Exchange Server that also acts as a domain controller, DHCP server, DNS server and OWA server. The DNS server component on this machine is configured to resolve Internet DNS host names. It’s important to note that this isn’t a security best practice, but it is a typical configuration for a small office network. A more secure configuration would be a dedicated DNS resolver that lies in a DMZ segment and hosts no domain records.

The wireless DMZ segment contains a wireless access point (WAP) with its DHCP server component enabled, so that hosts on the wireless DMZ segment are assigned addresses on the same network ID as the network interface connecting the ISA firewall to the wireless DMZ segment. The wireless DMZ interface on the ISA firewall does not use DHCP to obtain its own address; that address is statically assigned on the NIC.

The external interface of the ISA firewall is connected to an upstream DSL NAT device. You could also use a cable NAT device, a FiOS NAT device, or even a packet filter firewall that performs NAT. In fact, you don’t have to NAT between the front-end device and the ISA firewall at all. I use a front-end NAT device in this example because many smaller businesses use DSL PPPoE setups.

The ISA firewall configuration is much simpler with a front-end NAT device when you use PPPoE, or when you don’t have dedicated addresses bound to the external interface of the ISA firewall. The ISA firewall’s external interface is assigned a static address and its default gateway is set to the LAN (internal) address of the NAT device. You can connect the ISA firewall directly to the NAT device using a crossover cable, or you can use a switch to which you connect the LAN interface of the NAT device and the external interface of the ISA firewall. I recommend a switch: it gives you a DMZ segment between the NAT device and the ISA firewall’s external interface on which you can publish resources.

We’ll cover the following procedures in this two-part series on how to configure the ISA firewall to support an untrusted wireless DMZ segment:

  • Install and configure three network interfaces on the ISA firewall

    The first step is to install three NICs in the ISA firewall device. One will be used as the external interface, one will connect to the Default Internal Network, and one will connect to the DMZ network.

  • Install and configure DNS on the ISA firewall

    We want the clients on the DMZ network to work correctly as SecureNAT clients. The DNS server on the ISA firewall will be used by the DMZ network SecureNAT clients.

  • Install the ISA firewall software

    Once the interfaces and the DNS server are installed and configured on the ISA firewall, you’re ready to install the ISA firewall software. The Default Internal Network is configured

  • Create the DMZ ISA firewall Network

    After installing the ISA firewall software, the next step is to configure an ISA firewall Network representing the DMZ segment on which the wireless clients are located.

  • Configure the DMZ ISA firewall Network (optional)

    After creating the DMZ ISA firewall Network, you might want to configure that Network to support Web proxy and Firewall clients. This step is not required if you don’t want or need to support domain members on the wireless DMZ segment.

  • Create Network Rules defining the route relationship between the DMZ ISA firewall Network and the Internet, and between the DMZ ISA firewall Network and the Default Internal Network

    Network Rules determine the relationship between any two connected ISA firewall Networks and define whether traffic between them is routed or NATed. You can route or NAT between any two connected ISA firewall Networks.

  • Create Firewall Policy on the ISA Firewall

    The last step is to create a firewall policy. In the example we’ll use in this article, we’ll create the following Firewall rules:

    • DNS to DMZ interface

      The SecureNAT clients on the DMZ segment need to resolve Internet host names using the DNS server on the ISA firewall. This requires an Access Rule allowing hosts on the DMZ segment access to the DNS server on the ISA firewall.

    • Secure Exchange RPC Server Publishing Rule (optional)

      This rule is optional. However, if you have users who need to access the Exchange Server on the Default Internal Network, you can create a Secure Exchange RPC Server Publishing Rule to allow full Outlook MAPI client access to the Exchange Server without requiring a VPN.

    • SMTP Server Publishing Rule (optional)

      This rule is optional. If you are hosting your own SMTP services on the Exchange Server, you can create an SMTP Server Publishing Rule allowing inbound SMTP access to the Exchange Server’s SMTP service.

    • HTTP DMZ to Internet

      You want to provide limited and secure connections from the DMZ segment. For this reason, we typically allow only HTTP connections outbound. This leaves the option open to configure the HTTP Security Filter to block dangerous applications and dangerous SSL-tunneled applications (such as SSL “VPN” connections).

    • All Open Internal to Internet (not recommended)

      We’ll create an “All Open” rule allowing all protocols from the Default Internal Network to the Internet. OK, if this isn’t recommended, why am I creating such a rule for this article? Because each network will have its own security policy, which can be potentially complex. I’m taking the easy way out here by creating an All Open rule.

  • Enable the VPN Server Component on the ISA Firewall

    You might want to allow clients on the wireless DMZ more comprehensive access to Internal Network resources. You can use a VPN connection from the wireless DMZ to make this happen in a secure fashion.

    In this part 1 of the two-part series, we’ll discuss the components of the infrastructure and go through the details of the split DNS configuration that fully supports our solution.


    Install and Configure Three Network Interfaces on the ISA Firewall

    The ISA firewall device will need at least three network interfaces:

    An external interface that connects the ISA firewall to the Internet. The external interface is the only interface that has a default gateway configured on it and it never has a DNS server configured on it.

    An interface on the Default Internal Network. The Default Internal Network is defined during installation of the ISA firewall software. This interface connects the ISA firewall to the production network. It is the only interface that has a DNS server configured on it. That DNS server should be a DNS server on the Default Internal Network, and it should be configured to resolve Internet host names, either by performing recursion itself or by using a Forwarder (such as your ISP’s DNS server). This interface does not have a default gateway.

    An interface on the DMZ network. This interface connects the ISA firewall to the wireless DMZ segment. An Ethernet cable connects this interface to the same switch that the wireless access point (WAP) is connected to. This interface does not have a DNS server configured on it, and does not have a default gateway.

    You should configure these interfaces before installing the ISA firewall software. The table below shows the interface configuration used in the example network discussed in this article.

                         Internal Interface   External Interface   DMZ Interface
    IP Address           10.0.0.1             192.168.1.70*        172.16.0.1
    Subnet Mask          255.255.255.0        255.255.255.0        255.255.0.0
    Default Gateway      N/A                  192.168.1.60*        N/A
    DNS Server Address   10.0.0.2             N/A                  N/A

    * In this example the ISA firewall is behind a NAT device. Therefore, the IP address on the external interface of the ISA firewall is a private address, as is its default gateway. The default gateway address in this example is the LAN interface address of the NAT device.
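The interface table above, expressed as the netsh commands you would type on the Windows Server 2003 machine before installing the ISA firewall software. This is an added example and not part of the original article; it assumes the three NICs have been renamed “Internal”, “External” and “DMZ” in Network Connections, and it uses the article’s sample addresses.

```powershell
# Added example (not from the original article). Assumes the NICs were renamed
# "Internal", "External" and "DMZ" in Network Connections. Addresses are the
# sample values from the interface table.

# Internal: no default gateway; the only interface that carries a DNS server address.
netsh interface ip set address name="Internal" source=static addr=10.0.0.1 mask=255.255.255.0 gateway=none
netsh interface ip set dns name="Internal" source=static addr=10.0.0.2

# External: the only interface with a default gateway (the NAT device's LAN address); no DNS server.
netsh interface ip set address name="External" source=static addr=192.168.1.70 mask=255.255.255.0 gateway=192.168.1.60 gwmetric=1
netsh interface ip set dns name="External" source=static addr=none

# DMZ: /16 network ID (mask 255.255.0.0); no default gateway, no DNS server.
netsh interface ip set address name="DMZ" source=static addr=172.16.0.1 mask=255.255.0.0 gateway=none
netsh interface ip set dns name="DMZ" source=static addr=none

# Check: every interface shows the expected address, and the routing table
# holds exactly one 0.0.0.0 default route, via 192.168.1.60.
netsh interface ip show config
route print 0.0.0.0
```

The check at the end matters more than the assignments: a stray second default gateway, or a DNS server address left over from DHCP on the DMZ or external NIC, is the usual reason the ISA firewall later resolves names over the wrong interface.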

    Install and Configure DNS on the ISA Firewall

    The next step, before installing the ISA firewall software, is to install the DNS server service on the ISA firewall. Reasons why we want to install a DNS server on the ISA firewall include:

    • Avoiding DNS queries from DMZ hosts to the internal network DNS server
    • Providing a split DNS infrastructure for hosts on the DMZ network
    • Providing name resolution services for DMZ SecureNAT clients without requiring them to access Internet DNS servers

    We want to avoid allowing DMZ hosts access to resources on the production network. Since the wireless clients on the DMZ are not managed computers, and the users are not part of the production network’s Active Directory domain, there is no reason why we should trust either users or computers on the DMZ network. If there will be occasional trusted users and computers on the DMZ, you can use a VPN connection to allow more wide-ranging access to production network resources.

    The split DNS infrastructure supporting the DMZ hosts is an optional feature. In this example, we use the split DNS infrastructure for the DMZ host to support full Outlook MAPI client connections to the corporate network. This is required because we will create a Server Publishing Rule that allows secure Exchange RPC to the Exchange Server on the corporate network. This is useful when you want to allow secure access from the wireless DMZ to the Exchange Server without requiring VPN access.

    We need to create a split DNS in order to allow the DMZ hosts to resolve the name of the Exchange Server to the IP address bound to the DMZ interface. We can’t use the production network DNS server (and we don’t want DMZ hosts to reach it) because on that server the Exchange Server’s name resolves to its internal address. That won’t work for the DMZ wireless clients, because they need to connect to the Exchange Server via a Secure Exchange RPC Server Publishing Rule that listens on the IP address bound to the DMZ interface.

    Finally, we want to support SecureNAT clients on the wireless DMZ. SecureNAT clients must be able to resolve Internet host names themselves; the ISA firewall does not perform “proxy” DNS for SecureNAT clients, as it does for Web proxy and Firewall clients. We also do not want to allow clients on the wireless DMZ network access to more protocols than are absolutely required when connecting to the Internet. The SecureNAT clients on the wireless DMZ use the DNS server installed on the ISA firewall to resolve names, and the DNS server on the ISA firewall then performs recursion to resolve Internet host names on their behalf.

    Perform the following steps to install and configure the DNS server on the ISA firewall device:

    1. From the Start menu, open the Control Panel and click Add and Remove Programs.
    2. In the Add and Remove Programs applet, click the Add/Remove Windows Components button in the left pane.
    3. In the Windows Components dialog box, scroll down to the Network Services entry, click it and then click Details.
    4. In the Network Services dialog box, put a checkmark in the Domain Name System (DNS) checkbox and click OK.
    5. Click Next in the Windows Components dialog box.
    6. Follow the instructions on subsequent Wizard pages and then click Finish when the Wizard completes.

    Now you’re ready to configure the Properties of the DNS server running on the ISA firewall:

    1. Click Start, point to Administrative Tools and click DNS.
    2. In the DNS Management console, right click the server name in the left pane of the console and click Properties.
    3. In the DNS server’s Properties dialog box, click the Interfaces tab. Select the Only the following IP addresses option. In the IP address list, click on each IP address that is not the IP address bound to the DMZ interface of the ISA firewall, then click Remove. The only IP address you want left on the list is the IP address on the DMZ interface of the ISA firewall, so that the DNS service is not reachable from the internal or external interfaces.
    4. Click Apply and then click OK.

    We can now create the forward and reverse lookup zones for our split DNS. The internal network domain is msfirewall.org. Because the Exchange Server belongs to this domain, we want clients to reach the Exchange Server by the same name from any location, without users reconfiguring their clients based on where they are. To achieve this goal, we will create a forward lookup zone with the same name as the internal network domain, msfirewall.org. The reverse lookup zone, however, will represent the network ID on which the ISA firewall’s DMZ interface is located, not the internal network.

    It’s critical to note that the split DNS infrastructure is not a security risk. Many commentators who do not understand split DNS infrastructures believe that it may expose critical information about their internal network. This is not true. A split DNS consists of two or more zones that have the same name but do not contain the same resource record information. Because the zone on the ISA firewall contains only records that point at the DMZ interface address, and no information about the internal network numbering, attackers cannot leverage this zone to attack the internal network. In addition, we will configure this zone to prevent zone transfers (although this is not strictly required, since the zone contains nothing sensitive).

    You should always create the reverse lookup zone first, and then create the forward lookup zone; that way the Create associated pointer (PTR) record option has a zone to write into when you add the Host (A) records later. Perform the following steps to create the reverse lookup zone:

    1. In the DNS console, right click the server name and then click the New Zone command.
    2. Click Next on the Welcome to the New Zone Wizard page.
    3. On the Zone Type page, select the Primary zone option and click Next.
    4. On the Forward or Reverse Lookup Zone page, select the Reverse lookup zone option and click Next.
    5. On the Reverse Lookup Zone Name page, enter the network ID used on your DMZ. In this example, we are using network ID 172.16.0.0/16, so we enter 172.16.0 in the text box next to the Network ID option; the wizard creates the zone 0.16.172.in-addr.arpa. Note that this zone covers only 172.16.0.0/24, which contains the DMZ interface address 172.16.0.1. If you want reverse records for the entire /16 that the DMZ interface’s subnet mask defines, enter 172.16 instead (zone 16.172.in-addr.arpa). Click Next.
    6. On the Zone File page, accept the default entry in the Create a new file with this file name text box and click Next.
    7. On the Dynamic Update page, select the Do not allow dynamic updates option and click Next.
    8. Click Finish on the Completing the New Zone Wizard page.

    Perform the following steps to create the Forward lookup zone:

    1. In the DNS console, right click the server name and then click the New Zone command.
    2. Click Next on the Welcome to the New Zone Wizard page.
    3. On the Zone Type page, select the Primary zone option and click Next.
    4. On the Forward or Reverse Lookup Zone page, select the Forward lookup zone option and click Next.
    5. On the Zone Name page, enter the domain name that matches the domain name used on the production network (the internal network). In this example, the domain controllers and Exchange Servers are located in the msfirewall.org domain, so we enter msfirewall.org in the Zone name text box. Click Next.
    6. On the Zone File page, accept the default entry in the Create a new file with this file name text box and click Next.
    7. On the Dynamic Update page, select the Do not allow dynamic updates option and click Next.
    8. Click Finish on the Completing the New Zone Wizard page.

    With the forward and reverse lookup zones in place, we can now enter Host (A) resource records in the forward lookup zone. In this example, there are two Host (A) records we need to add: one for the DNS server itself and one that maps the name of the Exchange Server to the IP address on the DMZ interface that we will use for the Secure Exchange RPC Server Publishing Rule listener.


    Note that these records are specific for the scenario discussed in this article. You might not want to publish the Exchange Server or any other servers if you don’t wish clients on the wireless DMZ to have access to resources on the production network (at least, not without a VPN connection). A comprehensive discussion of DNS and a split DNS infrastructure is beyond the scope of this article, but I’ll follow up in the future with a comprehensive discussion of split DNS for this scenario and many others.

    Perform the following steps to create the Host (A) records:

    1. Right click on the forward lookup zone you created (in this example, msfirewall.org) and click New Host (A).
    2. In the New Host dialog box, enter the host name of the ISA firewall in the Name (uses parent domain name if blank) text box. In this example, the ISA firewall running the DNS service is named ISALOCAL, so we enter isalocal into the text box. The FQDN will automatically appear in the Fully qualified domain name (FQDN) text box. Enter the IP address bound to the DMZ interface in the IP address text box and place a checkmark in the Create associated pointer (PTR) record checkbox. Click the Add Host button.
    3. Click OK in the DNS dialog box informing you that the host record was successfully created.
    4. Repeat the procedure in the New Host dialog box, but this time enter the name of the Exchange Server in the Name (uses parent domain name if blank) text box. In this example, the Exchange Server on the production network is named exchange2003be, so we enter that name into the text box. Enter the IP address bound to the DMZ interface in the IP address text box and place a checkmark in the Create associated pointer (PTR) record checkbox. Click Add Host.
    5. Click OK in the DNS dialog box informing you that the host record was successfully created.
    6. Click Done in the New Host dialog box.
    7. The two resource record entries should appear in the DNS console as seen in the figure below.
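The same DNS server configuration (listen address, reverse and forward zones, no dynamic updates, no zone transfers, and the two Host (A) records with their PTRs) done from the command line with dnscmd.exe instead of the DNS console, followed by the two checks that confirm the split is correct. This is an added example and not part of the original article; it assumes the DNS service is already installed, that dnscmd.exe (from the Windows Server 2003 Support Tools) is on the path, and it uses the article’s sample names and addresses. It creates the reverse zone for the whole /16 that the DMZ interface mask defines.

```powershell
# Added example (not from the original article). Assumes the DNS service is
# installed on the ISA firewall and dnscmd.exe is available. Zone, host and
# address values are the article's samples; the reverse zone covers the /16.

# 1. Listen only on the DMZ interface, so neither the internal network nor the
#    Internet can reach this resolver.
dnscmd /ResetListenAddresses 172.16.0.1

# 2. Reverse zone first, then the forward zone that shares the internal AD
#    domain's name (this is the split: same name, different records).
dnscmd /ZoneAdd 16.172.in-addr.arpa /Primary /file 16.172.in-addr.arpa.dns
dnscmd /ZoneAdd msfirewall.org /Primary /file msfirewall.org.dns

# 3. No dynamic updates (untrusted DMZ hosts must not register names) and no
#    zone transfers to anyone.
dnscmd /Config msfirewall.org /AllowUpdate 0
dnscmd /Config 16.172.in-addr.arpa /AllowUpdate 0
dnscmd /ZoneResetSecondaries msfirewall.org /NoXfr
dnscmd /ZoneResetSecondaries 16.172.in-addr.arpa /NoXfr

# 4. Both names point at the DMZ interface address, never at the 10.0.0.0/24
#    addresses the internal DNS server hands out. PTR node "1.0" in
#    16.172.in-addr.arpa is 172.16.0.1.
dnscmd /RecordAdd msfirewall.org isalocal A 172.16.0.1
dnscmd /RecordAdd msfirewall.org exchange2003be A 172.16.0.1
dnscmd /RecordAdd 16.172.in-addr.arpa 1.0 PTR isalocal.msfirewall.org.
dnscmd /RecordAdd 16.172.in-addr.arpa 1.0 PTR exchange2003be.msfirewall.org.

# 5. Checks. The first query must answer 172.16.0.1; the same name asked of the
#    internal DNS server (10.0.0.2, from a host that may reach it) answers the
#    internal address. The findstr line prints nothing if the DMZ-facing zone
#    leaks no internal (10.0.0.x) numbering.
nslookup exchange2003be.msfirewall.org 172.16.0.1
dnscmd /ZonePrint msfirewall.org | findstr /C:"10.0.0."
```

Every line except the comments is also valid at a cmd.exe prompt. If the findstr check ever prints a record, someone has copied an internal address into the DMZ zone, and the split no longer holds the property the article relies on.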

    Summary

    In this part 1 of a two part series on how to configure the ISA firewall to support a wireless DMZ segment we discussed the basic infrastructure elements required to carry out the solution. The ISA firewall requires at least three network interfaces, where one of the interfaces is external, one is on the Default Internal Network, and the last one is on the untrusted wireless DMZ segment. We went over the principles of a split DNS and how the split DNS infrastructure enhances the level of name resolution support for the wireless DMZ clients. We then finished up by installing and configuring the DNS server on the ISA firewall device itself.


    In the second part of this article (which I will post next week), we’ll complete the design by installing and configuring the ISA firewall with the appropriate ISA firewall Networks, Access Rules and VPN server configuration.

    I hope you enjoyed this article and found something in it that you can apply to your own network. If you have any questions on anything I discussed in this article, head on over to http://forums.isaserver.org/ultimatebb.cgi?ubb=get_topic;f=29;t=000119 and post a message. I’ll be informed of your post and will answer your questions ASAP. Thanks! –Tom
