Configure ISA 2004 as a Network Services Segment Perimeter Firewall – Part 1: Perimeter Network Design Principles and Considerations

By /

 

If you missed the other parts of this series please read:

Configure ISA 2004 as a Network Services Segment Perimeter Firewall – Part 2
Configure ISA 2004 as a Network Services Segment Perimeter Firewall – Part 3
Configure ISA 2004 as a Network Services Segment Perimeter Firewall – Part 4
Configure ISA 2004 as a Network Services Segment Perimeter Firewall – Part 5

 

The ISA firewall can act in a number of roles: a front-end edge firewall that sits in front of the entire company, as a back-end firewall located behind another edge firewall that might be an ISA firewall or another type of firewall, or a perimeter network firewall that walls off critical network servers and services from the rest of the network. It’s this latter configuration we’ll focus on in this article.

In spite of eye-catching headlines about the death of the DMZ or the imminent demise of network security zones, the fact is that we who live in the trenches still need to live with the current reality, where network perimeters need to be defined to provide access controls on hosts connecting to other hosts belonging to a different security zone. And while Network Access Protection (NAP – expected to be implemented in Longhorn/Vista) and IPSec-based domain isolation hold a lot of promises, there are and will be significant technological hurdles that have to be met before those methodologies will be applicable to widespread use.

Instead of proclaiming the death of the DMZ, security experts should be making the clarion call for increased perimeterization. You’ll go a long way at improving your network’s security position by grouping hosts into different security zones and putting firewalls and other network security devices between those zones that enable strong access controls on communications between those zones.

In this article we’ll examine the requirements and procedures involved with creating a network services segment separated from the rest of the corporate network by an ISA firewall. You can put an ISA firewall in front of the network services located on the services segment to help protect those critical network services from being adversely affected by outbreaks that take place on other network segments.

The key concept here is that only required communications are allowed to and from the network services segment; all other communications are blocked. In addition to limiting communications only to those hosts and protocols that are required for access, we will leverage the ISA firewall’s advanced stateful packet and application layer inspection mechanisms to help secure the communications allowed to the network services segment.

Network Services Segment Configuration Options

As with all network security devices, and especially for network firewalls, there is no such thing as “one size fits all” when it comes to configuration. There is no replacement for understanding how your firewall works, and how to configure it to meet your organization’s specific requirements.

There are two scenarios we should look at before proceeding with a step by step example for configuring a network services segment behind an ISA firewall. These scenarios are:

  • A LAN router separates the ISA firewall from the rest of the corporate network
  • No LAN router separates the ISA firewall from the rest of the corporate network

While there are variations on the second theme, out discussions of these two scenarios will hopefully make clear what your configuration options are when you don’t have a LAN router on your network.

Scenario 1: LAN Router between ISA Firewall and Corporate Network

A high level view of scenario 1 appears in the figure below. In this scenario, there is a LAN router between the ISA firewall and the rest of the network. There is a route relationship between all internal networks located behind the edge ISA firewall. NAT is used only for communications to the Internet.

In this scenario, hosts on the corporate network in front of the network services perimeter ISA firewall use a default gateway that is the local address of the LAN router. The LAN router is configured with a route of last resort (which allows it to access the Internet) that is the internal address on the edge ISA firewall. The LAN router is configured with a routing table entry that provides a route to the network ID located behind the network services perimeter network ISA firewall.

When a user makes a request to a server on the network services segment located behind the network services perimeter ISA firewall, the request is forwarded to the client’s default gateway address, since the connection is to a non-local (remote) network. The packet is then forwarded based on the routing table entry on the LAN router to the IP address on the external interface of the network services perimeter ISA firewall, and then the network services perimeter ISA firewall routes the request to the server on the network services segment.

The request path is seen with the black arrows. The response path is seen in the Red arrows. The server on the services segment sends the response to its default gateway, which is the IP address on the internal interface of the network services segment perimeter ISA firewall. The response is forwarded directly to the client making the request since the ISA firewall has knowledge of all network IDs to which it is directly connected. The response is not forwarded to the LAN router and then back to the client. Note that the request and response paths are not the same.


Figure 1

The figure below shows the request and response paths for connections made to the Internet. Notice in this case the request and response paths are the same.


Figure 2

Scenario 2: No LAN Routers

Now let’s look at scenario 2, where there is no router between the ISA firewall and the rest of the network. In this case, the clients on the corporate network use the internal interface of the edge ISA firewall as their default gateway address. The edge ISA firewall is configured with a routing table entry informing the edge ISA firewall of the correct route to network ID 10.0.0.0/24. The ISA firewall forwards the connection to the IP address on the external interface of the network services perimeter ISA firewall, which then routes the connection to the server on the network services segment.

The response from the server on the network services segment is forwarded to the server’s default gateway address, which is the IP address on the internal interface of the network services perimeter ISA firewall, which in turn forwards the response directly to the client machine that made the request. Notice that the request and response paths are not the same. This scenario works because the ISA firewall is handling traffic that it has knowledge of and is not dealing with response traffic to connections it is not aware of. This will be made clear in the next figure.


Figure 3

 

ISA Firewall Stateful Packet Inspection and Request/Response Paths

The figure below shows a scenario where a system on the network services segment needs to initiate a connection to a host on the corporate network. A network management server on the network services segment makes a connection to a workstation on the corporate network in front of the network services perimeter ISA firewall.

The connection is first sent to the network services perimeter ISA firewall’s internal interface, as this is the default gateway of the network management server. The connection is then sent directly to the workstation, because the ISA firewall has knowledge of all networks to which is it directly connected. That is to say, the ISA firewall can do an ARP broadcast to get the MAC address of the workstation and send the request directly to that workstation.

A problem arises when the workstation tries to respond to the management server on the network services segment. Since the destination IP address of the management server is on a network remote from the workstation’s network ID, the workstation sends the response to its default gateway, which is the internal interface of the edge ISA firewall. The response traffic is denied by the ISA firewall because the client is sending a SYN-ACK message back to the management server, but the ISA firewall never “saw” the SYN message from the management server to the workstation. Since the ISA firewall is a stateful packet inspection firewall, it drops the SYN-ACK because it isn’t associated with an preceding SYN.


Figure 4

There are several ways you can deal with this issue:

  • Make sure that no servers on the network services segment behind the perimeter ISA firewall ever need to create new outbound TCP connections to hosts on the corporate network in front of the network services perimeter ISA firewall. This means that not only can you not place servers making outbound connections through the network services perimeter ISA firewall, but also cannot use protocols where the clients make primary connections to the servers on the network services segment and require secondary connections from the servers on the network services segment.
  • Put a LAN router between the ISA firewall and the rest of the corporate network
  • Put a LAN router between the network services segment perimeter ISA firewall and the rest of the network
  • Create routing table entries on the hosts located on the corporate network in front of the network services perimeter ISA firewall so that they know the gateway address to reach the network services segment, which in this case would be the IP address on the external interface of the network services perimeter ISA firewall
  • Use multiple NICs on the ISA firewall and place the network services segment on an ISA firewall Network associated with one of the NICs. This avoids the routing and network with a Network issue

Most enterprise networks will have LAN routers in place, so it’s easy for these organizations to create the appropriate routing table entries to support this scenario. For small organizations that do not have LAN routers in place, you can get complete support for connections to and from the network services segment by automating routing table entries on the corporate network hosts located in front of the network services segment perimeter ISA firewall. You could use a log on script to enter these routing table entries on the clients using the route add –p command.

Multiple Departmental Networks/Security Zones Connected to a Backbone Network

Note that these issues are specific for the network within a Network configuration and when there are clients systems that are “on subnet” with an ISA firewall that must be reached from a host on a remote subnet that is part of the same ISA firewall Network. This is not a problem when you have backbone network configured and clients and servers are all behind ISA firewalls.

For example, consider the network in the figure below. In this scenario we do not run into similar problems because there are no host systems on the backbone network, and therefore no host systems that are “on-subnet” of the edge ISA firewall’s internal interface. All ISA firewalls contain routing table entries directing them to the external interface of the appropriate ISA firewall to reach the appropriate network ID(s) located behind any specific ISA firewall. Hosts behind each of the ISA firewalls use the internal interface of their local ISA firewall as their default gateway, and the routing table entries on the ISA firewalls route the connection to the correct ISA firewall’s external interface.

Note that we are assuming a Route relationship between all ISA firewall networks in this scenario, although a mix of Route and NAT relationships will work too, and can potentially simplify the routing table entries, since segments that use a NAT relationship do not require routing table entries on the ISA firewall to reach the addresses behind the NAT – the responder only needs to reach the IP address on the external interface of the ISA firewall sending the connection, and in a backbone network scenario, all the external interfaces are likely on the same network ID.


Figure 5

Note that in order for this configuration to work most efficiently, each ISA firewall requires the appropriate routing table entries. However, you could get around this requirement if each ISA firewall used the edge ISA firewall as its default gateway, and the edge ISA firewall contained the appropriate routing table entries. This solution could potentially work, but performance would be abysmal because the edge ISA firewall would be routing connections between all network IDs on the corporate network.

Example Network and Perimeter Network Design for this Article Series

In this article series we will use the sample network seen in the figure below. The default gateway for all servers on the network services segment will be the IP address on the internal interface of the network services perimeter ISA firewall. The default gateway for all hosts on the corporate network containing client systems is the IP address on the internal interface of the edge ISA firewall. Client systems are configured with a routing table entry that forwards connections to network ID 10.0.0.0/24 to the IP address on the external interface of the network services perimeter ISA firewall.


Figure 6

There is a Windows 2000 file server and an Exchange 2003 server located on the network services segment. The Exchange Server is also a domain controller, DNS server, WINS server, DHCP server, certificate server and RADIUS server. We will create access rules that enable connections to all the network services on the Exchange Server and also to file shares on the File server. The File server will host the Firewall client installation files so that we can avoid allowing file sharing protocols to any of the ISA firewall’s Local Host Network. The network services perimeter ISA firewall is already joined to the domain.

In the articles that follow this one you will perform the following procedures:

  • Create an ISA firewall Network representing the corporate network on the network services perimeter ISA firewall
  • Create a Network Rule on the network services perimeter ISA firewall that sets a Route relationship between the corporate network and the network services network
  • Create an intradomain communications Access Rule on the network services perimeter ISA firewall that allows corporate network hosts access to the DC on the services segment for intradomain communications and a DNS Server Publishing Rule that enables the DNS application layer inspection filter
  • Create Access Rules Controlling Outbound Access from the Network Services Segment on Perimeter ISA Firewall
  • Create network services Access Rules on the network services perimeter ISA firewall enabling clients access to network services (OWA, Outlook MAPI, SMTP, POP3, IMAP4, file shares)
  • Create a routing table entry on the edge ISA firewall providing a path to the network services segment network ID
  • the front-end ISA Firewall to the domain
  • Create a routing table entry on the network clients (only required if there are no LAN routers installed) providing route information to reach the network services segment network ID
  • Join the network clients to the domain
  • Create a wpad entry in DNS to enable autodiscovery for Firewall and Web proxy clients
  • Configure the Firewall client settings on the edge ISA firewall (including Web proxy client configuration)
  • Install the Firewall client share on the network services segment file server
  • Install the Firewall client on the network clients
  • Connect the corporate network clients to resources on the network services segment and the Internet

 

Summary

In this article we reviewed issues and concepts related to using the ISA firewall as a network services segment perimeter firewall. We discussed issues related to routing connections to remote network IDs and how these issues interact with the ISA firewall’s stateful packet inspection feature. Several scenarios were discussed and routing options available in each scenario. We finished off the article by describing the sample network that will be used in the remainder of this article series. Subsequent articles in this series will go over the procedures required to complete the solution and in depth discussions on the rationale behind the configuration decisions made at each juncture.

 you missed the other parts of this series please read:

Configure ISA 2004 as a Network Services Segment Perimeter Firewall – Part 2
Configure ISA 2004 as a Network Services Segment Perimeter Firewall – Part 3
Configure ISA 2004 as a Network Services Segment Perimeter Firewall – Part 4
Configure ISA 2004 as a Network Services Segment Perimeter Firewall – Part 5

About The Author

Tom Shinder is a Program Manager at Microsoft and has two decades of networking and security experience. He has written dozens of books, thousands of articles, and spoken at large industry conferences on the topics of IT infrastructure, Cloud computing, and cybersecurity. In his free time, Tom enjoys participating in equine prediction markets.

Read Next

Leave a Comment

Your email address will not be published. Required fields are marked *

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

Scroll to Top